2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
43 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
45 unsigned char *hash = p->ntlmssp_hash;
46 unsigned char index_i = hash[256];
47 unsigned char index_j = hash[257];
50 for( ind = 0; ind < len; ind++) {
55 index_j += hash[index_i];
58 hash[index_i] = hash[index_j];
61 t = hash[index_i] + hash[index_j];
62 data[ind] = data[ind] ^ hash[t];
69 /*******************************************************************
70 Generate the next PDU to be returned from the data in p->rdata.
71 We cheat here as this function doesn't handle the special auth
72 footers of the authenticated bind response reply.
73 ********************************************************************/
75 BOOL create_next_pdu(pipes_struct *p)
77 RPC_HDR_RESP hdr_resp;
78 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
79 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
81 uint32 data_space_available;
83 prs_struct outgoing_pdu;
89 * If we're in the fault state, keep returning fault PDU's until
90 * the pipe gets closed. JRA.
94 setup_fault_pdu(p, NT_STATUS(0x1c010002));
98 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
100 /* Change the incoming request header to a response. */
101 p->hdr.pkt_type = RPC_RESPONSE;
103 /* Set up rpc header flags. */
104 if (p->out_data.data_sent_length == 0)
105 p->hdr.flags = RPC_FLG_FIRST;
110 * Work out how much we can fit in a single PDU.
113 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
114 if(p->ntlmssp_auth_validated)
115 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
118 * The amount we send is the minimum of the available
119 * space and the amount left to send.
122 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
125 * Ensure there really is data left to send.
129 DEBUG(0,("create_next_pdu: no data left to send !\n"));
133 data_len = MIN(data_len_left, data_space_available);
136 * Set up the alloc hint. This should be the data left to
140 hdr_resp.alloc_hint = data_len_left;
143 * Set up the header lengths.
146 if (p->ntlmssp_auth_validated) {
147 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
148 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
149 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
151 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
156 * Work out if this PDU will be the last.
159 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
160 p->hdr.flags |= RPC_FLG_LAST;
163 * Init the parse struct to point at the outgoing
167 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
168 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
170 /* Store the header in the data stream. */
171 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
172 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
173 prs_mem_free(&outgoing_pdu);
177 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
178 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
179 prs_mem_free(&outgoing_pdu);
183 /* Store the current offset. */
184 data_pos = prs_offset(&outgoing_pdu);
186 /* Copy the data into the PDU. */
187 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
189 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
190 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
191 prs_mem_free(&outgoing_pdu);
196 * Set data to point to where we copied the data into.
199 data = prs_data_p(&outgoing_pdu) + data_pos;
201 if (p->hdr.auth_len > 0) {
204 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
208 crc32 = crc32_calc_buffer(data, data_len);
209 NTLMSSPcalc_p(p, (uchar*)data, data_len);
212 if (auth_seal || auth_verify) {
213 RPC_HDR_AUTH auth_info;
215 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
216 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
219 prs_mem_free(&outgoing_pdu);
225 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
226 char *auth_data = prs_data_p(&outgoing_pdu);
228 p->ntlmssp_seq_num++;
229 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
230 crc32, p->ntlmssp_seq_num++);
231 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
232 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
234 prs_mem_free(&outgoing_pdu);
237 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
242 * Setup the counts for this PDU.
245 p->out_data.data_sent_length += data_len;
246 p->out_data.current_pdu_len = p->hdr.frag_len;
247 p->out_data.current_pdu_sent = 0;
249 prs_mem_free(&outgoing_pdu);
253 /*******************************************************************
254 Process an NTLMSSP authentication response.
255 If this function succeeds, the user has been authenticated
256 and their domain, name and calling workstation stored in
258 The initial challenge is stored in p->challenge.
259 *******************************************************************/
261 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
268 fstring pipe_user_name;
271 BOOL guest_user = False;
272 SAM_ACCOUNT *sampass = NULL;
273 uchar null_smb_passwd[16];
274 uchar *smb_passwd_ptr = NULL;
276 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
278 memset(p->user_name, '\0', sizeof(p->user_name));
279 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
280 memset(p->domain, '\0', sizeof(p->domain));
281 memset(p->wks, '\0', sizeof(p->wks));
283 /* Set up for non-authenticated user. */
284 delete_nt_token(&p->pipe_user.nt_user_token);
285 p->pipe_user.ngroups = 0;
286 SAFE_FREE( p->pipe_user.groups);
289 * Setup an empty password for a guest user.
292 memset(null_smb_passwd,0,16);
295 * We always negotiate UNICODE.
298 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
299 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
300 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
301 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
303 pull_ascii_fstring(user_name, ntlmssp_resp->user);
304 pull_ascii_fstring(domain, ntlmssp_resp->domain);
305 pull_ascii_fstring(wks, ntlmssp_resp->wks);
308 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
310 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
311 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
313 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
314 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
316 #ifdef DEBUG_PASSWORD
317 DEBUG(100,("lm, nt owfs, chal\n"));
318 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
319 dump_data(100, (char *)nt_owf, nt_pw_len);
320 dump_data(100, (char *)p->challenge, 8);
324 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
327 if((strlen(user_name) == 0) &&
328 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
332 fstrcpy(pipe_user_name, lp_guestaccount(-1));
333 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
335 smb_passwd_ptr = null_smb_passwd;
340 * Pass the user through the NT -> unix user mapping
344 fstrcpy(pipe_user_name, user_name);
345 (void)map_username(pipe_user_name);
348 * Do the length checking only if user is not NULL.
351 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
353 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
355 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
357 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
359 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
368 p->ntlmssp_auth_validated =
369 NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, NULL,
371 (uchar*)p->challenge,
374 if (!p->ntlmssp_auth_validated) {
375 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
376 failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
381 pdb_init_sam(&sampass);
383 if(!pdb_getsampwnam(sampass, pipe_user_name)) {
384 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
386 pdb_free_sam(&sampass);
393 if(!pdb_get_nt_passwd(sampass)) {
394 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
395 pdb_free_sam(&sampass);
399 smb_passwd_ptr = pdb_get_lanman_passwd(sampass);
403 * Set up the sign/seal data.
408 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
420 for (ind = 0; ind < 256; ind++)
421 p->ntlmssp_hash[ind] = (unsigned char)ind;
423 for( ind = 0; ind < 256; ind++) {
426 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
428 tc = p->ntlmssp_hash[ind];
429 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
430 p->ntlmssp_hash[j] = tc;
433 p->ntlmssp_hash[256] = 0;
434 p->ntlmssp_hash[257] = 0;
436 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
437 p->ntlmssp_seq_num = 0;
441 fstrcpy(p->user_name, user_name);
442 fstrcpy(p->pipe_user_name, pipe_user_name);
443 fstrcpy(p->domain, domain);
444 fstrcpy(p->wks, wks);
447 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
450 p->pipe_user.uid = pdb_get_uid(sampass);
451 p->pipe_user.gid = pdb_get_gid(sampass);
453 /* Set up pipe user group membership. */
454 initialise_groups(pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
455 get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
457 /* Create an NT_USER_TOKEN struct for this user. */
458 p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
459 p->pipe_user.ngroups, p->pipe_user.groups,
462 p->ntlmssp_auth_validated = True;
464 pdb_free_sam(&sampass);
468 /*******************************************************************
469 The switch table for the pipe names and the functions to handle them.
470 *******************************************************************/
474 char * pipe_clnt_name;
475 char * pipe_srv_name;
476 BOOL (*fn) (pipes_struct *);
479 static struct api_cmd api_fd_commands[] =
481 { "lsarpc", "lsass", api_ntlsa_rpc },
482 { "samr", "lsass", api_samr_rpc },
483 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
484 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
485 { "NETLOGON", "lsass", api_netlog_rpc },
486 { "winreg", "winreg", api_reg_rpc },
487 { "spoolss", "spoolss", api_spoolss_rpc },
488 { "netdfs", "netdfs" , api_netdfs_rpc },
492 /*******************************************************************
493 This is the client reply to our challenge for an authenticated
494 bind request. The challenge we sent is in p->challenge.
495 *******************************************************************/
497 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
499 RPC_HDR_AUTHA autha_info;
500 RPC_AUTH_VERIFIER auth_verifier;
501 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
503 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
505 if (p->hdr.auth_len == 0) {
506 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
511 * Decode the authentication verifier response.
514 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
515 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
519 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
520 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
521 (int)autha_info.auth_type, (int)autha_info.auth_level ));
525 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
526 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
531 * Ensure this is a NTLMSSP_AUTH packet type.
534 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
535 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
539 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
540 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
545 * The following call actually checks the challenge/response data.
546 * for correctness against the given DOMAIN\user name.
549 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
557 /*******************************************************************
558 Marshall a bind_nak pdu.
559 *******************************************************************/
561 static BOOL setup_bind_nak(pipes_struct *p)
563 prs_struct outgoing_rpc;
567 /* Free any memory in the current return data buffer. */
568 prs_mem_free(&p->out_data.rdata);
571 * Marshall directly into the outgoing PDU space. We
572 * must do this as we need to set to the bind response
573 * header and are never sending more than one PDU here.
576 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
577 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
581 * Initialize a bind_nak header.
584 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
585 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
588 * Marshall the header into the outgoing PDU.
591 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
592 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
593 prs_mem_free(&outgoing_rpc);
598 * Now add the reject reason.
601 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
602 prs_mem_free(&outgoing_rpc);
606 p->out_data.data_sent_length = 0;
607 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
608 p->out_data.current_pdu_sent = 0;
610 p->pipe_bound = False;
615 /*******************************************************************
616 Marshall a fault pdu.
617 *******************************************************************/
619 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
621 prs_struct outgoing_pdu;
623 RPC_HDR_RESP hdr_resp;
624 RPC_HDR_FAULT fault_resp;
626 /* Free any memory in the current return data buffer. */
627 prs_mem_free(&p->out_data.rdata);
630 * Marshall directly into the outgoing PDU space. We
631 * must do this as we need to set to the bind response
632 * header and are never sending more than one PDU here.
635 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
636 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
639 * Initialize a fault header.
642 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
643 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
646 * Initialize the HDR_RESP and FAULT parts of the PDU.
649 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
651 fault_resp.status = status;
652 fault_resp.reserved = 0;
655 * Marshall the header into the outgoing PDU.
658 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
659 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
660 prs_mem_free(&outgoing_pdu);
664 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
665 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
666 prs_mem_free(&outgoing_pdu);
670 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
671 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
672 prs_mem_free(&outgoing_pdu);
676 p->out_data.data_sent_length = 0;
677 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
678 p->out_data.current_pdu_sent = 0;
680 prs_mem_free(&outgoing_pdu);
684 /*******************************************************************
685 Ensure a bind request has the correct abstract & transfer interface.
686 Used to reject unknown binds from Win2k.
687 *******************************************************************/
689 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
692 extern struct pipe_id_info pipe_names[];
695 fstrcpy(pname,"\\PIPE\\");
696 fstrcat(pname,pipe_name);
698 for(i=0;pipe_names[i].client_pipe; i++) {
699 if(strequal(pipe_names[i].client_pipe, pname))
703 if(pipe_names[i].client_pipe == NULL)
706 /* check the abstract interface */
707 if((abstract->version != pipe_names[i].abstr_syntax.version) ||
708 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
709 sizeof(RPC_UUID)) != 0))
712 /* check the transfer interface */
713 if((transfer->version != pipe_names[i].trans_syntax.version) ||
714 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
715 sizeof(RPC_UUID)) != 0))
721 /*******************************************************************
722 Respond to a pipe bind request.
723 *******************************************************************/
725 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
729 RPC_HDR_AUTH auth_info;
731 fstring ack_pipe_name;
732 prs_struct out_hdr_ba;
734 prs_struct outgoing_rpc;
737 enum RPC_PKT_TYPE reply_pkt_type;
739 p->ntlmssp_auth_requested = False;
741 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
744 * Try and find the correct pipe name to ensure
745 * that this is a pipe name we support.
748 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
749 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
750 api_fd_commands[i].fn != NULL) {
751 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
752 api_fd_commands[i].pipe_clnt_name,
753 api_fd_commands[i].pipe_srv_name));
754 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
759 if (api_fd_commands[i].fn == NULL) {
760 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
762 if(!setup_bind_nak(p))
767 /* decode the bind request */
768 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
769 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
774 * Check if this is an authenticated request.
777 if (p->hdr.auth_len != 0) {
778 RPC_AUTH_VERIFIER auth_verifier;
779 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
782 * Decode the authentication verifier.
785 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
786 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
791 * We only support NTLMSSP_AUTH_TYPE requests.
794 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
795 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
796 auth_info.auth_type ));
800 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
801 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
805 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
806 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
810 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
811 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
812 auth_verifier.msg_type));
816 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
817 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
821 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
822 p->ntlmssp_auth_requested = True;
825 switch(p->hdr.pkt_type) {
827 /* name has to be \PIPE\xxxxx */
828 fstrcpy(ack_pipe_name, "\\PIPE\\");
829 fstrcat(ack_pipe_name, p->pipe_srv_name);
830 reply_pkt_type = RPC_BINDACK;
833 /* secondary address CAN be NULL
834 * as the specs say it's ignored.
835 * It MUST NULL to have the spoolss working.
837 fstrcpy(ack_pipe_name,"");
838 reply_pkt_type = RPC_ALTCONTRESP;
844 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
847 * Marshall directly into the outgoing PDU space. We
848 * must do this as we need to set to the bind response
849 * header and are never sending more than one PDU here.
852 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
853 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
856 * Setup the memory to marshall the ba header, and the
860 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
861 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
862 prs_mem_free(&outgoing_rpc);
866 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
867 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
868 prs_mem_free(&outgoing_rpc);
869 prs_mem_free(&out_hdr_ba);
873 if (p->ntlmssp_auth_requested)
876 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
879 * Create the bind response struct.
882 /* If the requested abstract synt uuid doesn't match our client pipe,
883 reject the bind_ack & set the transfer interface synt to all 0's,
884 ver 0 (observed when NT5 attempts to bind to abstract interfaces
886 Needed when adding entries to a DACL from NT5 - SK */
888 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
889 init_rpc_hdr_ba(&hdr_ba,
897 RPC_IFACE null_interface;
898 ZERO_STRUCT(null_interface);
899 /* Rejection reason: abstract syntax not supported */
900 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
901 MAX_PDU_FRAG_LEN, assoc_gid,
902 ack_pipe_name, 0x1, 0x2, 0x1,
910 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
911 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
916 * Now the authentication.
919 if (p->ntlmssp_auth_requested) {
920 RPC_AUTH_VERIFIER auth_verifier;
921 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
923 generate_random_buffer(p->challenge, 8, False);
925 /*** Authentication info ***/
927 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
928 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
929 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
933 /*** NTLMSSP verifier ***/
935 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
936 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
937 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
941 /* NTLMSSP challenge ***/
943 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
944 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
945 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
949 /* Auth len in the rpc header doesn't include auth_header. */
950 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
954 * Create the header, now we know the length.
957 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
959 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
963 * Marshall the header into the outgoing PDU.
966 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
967 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
972 * Now add the RPC_HDR_BA and any auth needed.
975 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
976 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
980 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
981 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
985 if(!p->ntlmssp_auth_requested)
986 p->pipe_bound = True;
989 * Setup the lengths for the initial reply.
992 p->out_data.data_sent_length = 0;
993 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
994 p->out_data.current_pdu_sent = 0;
996 prs_mem_free(&out_hdr_ba);
997 prs_mem_free(&out_auth);
1003 prs_mem_free(&outgoing_rpc);
1004 prs_mem_free(&out_hdr_ba);
1005 prs_mem_free(&out_auth);
1009 /****************************************************************************
1010 Deal with sign & seal processing on an RPC request.
1011 ****************************************************************************/
1013 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1016 * We always negotiate the following two bits....
1018 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1019 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1025 auth_len = p->hdr.auth_len;
1027 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1028 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1033 * The following is that length of the data we must verify or unseal.
1034 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1035 * preceeding the auth_data.
1038 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1039 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1041 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1042 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1046 * The data in rpc_in doesn't contain the RPC_HEADER as this
1047 * has already been consumed.
1049 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1050 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1051 crc32 = crc32_calc_buffer(data, data_len);
1054 old_offset = prs_offset(rpc_in);
1056 if (auth_seal || auth_verify) {
1057 RPC_HDR_AUTH auth_info;
1059 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1060 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1061 (unsigned int)old_offset + data_len ));
1065 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1066 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1072 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1073 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1075 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1078 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1081 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1082 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1083 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1087 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1088 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1089 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1093 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1094 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1100 * Return the current pointer to the data offset.
1103 if(!prs_set_offset(rpc_in, old_offset)) {
1104 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1105 (unsigned int)old_offset ));
1112 /****************************************************************************
1113 Return a user struct for a pipe user.
1114 ****************************************************************************/
1116 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1118 if (p->ntlmssp_auth_validated) {
1119 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1121 extern struct current_user current_user;
1122 memcpy(user, ¤t_user, sizeof(struct current_user));
1128 /****************************************************************************
1129 Find the correct RPC function to call for this request.
1130 If the pipe is authenticated then become the correct UNIX user
1131 before doing the call.
1132 ****************************************************************************/
1134 BOOL api_pipe_request(pipes_struct *p)
1138 BOOL changed_user_id = False;
1140 if (p->ntlmssp_auth_validated) {
1142 if(!become_authenticated_pipe_user(p)) {
1143 prs_mem_free(&p->out_data.rdata);
1147 changed_user_id = True;
1150 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1151 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1152 api_fd_commands[i].fn != NULL) {
1153 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1154 set_current_rpc_talloc(p->mem_ctx);
1155 ret = api_fd_commands[i].fn(p);
1156 set_current_rpc_talloc(NULL);
1161 unbecome_authenticated_pipe_user(p);
1166 /*******************************************************************
1167 Calls the underlying RPC function for a named pipe.
1168 ********************************************************************/
1170 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name,
1171 struct api_struct *api_rpc_cmds)
1175 uint32 offset1, offset2;
1177 /* interpret the command */
1178 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1180 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1181 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1183 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1184 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1185 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1190 if (api_rpc_cmds[fn_num].name == NULL) {
1192 * For an unknown RPC just return a fault PDU but
1193 * return True to allow RPC's on the pipe to continue
1194 * and not put the pipe into fault state. JRA.
1196 DEBUG(4, ("unknown\n"));
1197 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1201 offset1 = prs_offset(&p->out_data.rdata);
1203 /* do the actual command */
1204 if(!api_rpc_cmds[fn_num].fn(p)) {
1205 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1206 prs_mem_free(&p->out_data.rdata);
1210 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1211 offset2 = prs_offset(&p->out_data.rdata);
1212 prs_set_offset(&p->out_data.rdata, offset1);
1213 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1214 prs_set_offset(&p->out_data.rdata, offset2);
1216 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1218 /* Check for buffer underflow in rpc parsing */
1220 if ((DEBUGLEVEL >= 10) &&
1221 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1222 int data_len = p->in_data.data.buffer_size -
1223 p->in_data.data.data_offset;
1226 data = malloc(data_len);
1228 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1230 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,