2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
43 static void NTLMSSPcalc_p( pipes_struct
*p
, unsigned char *data
, int len
)
45 unsigned char *hash
= p
->ntlmssp_hash
;
46 unsigned char index_i
= hash
[256];
47 unsigned char index_j
= hash
[257];
50 for( ind
= 0; ind
< len
; ind
++) {
55 index_j
+= hash
[index_i
];
58 hash
[index_i
] = hash
[index_j
];
61 t
= hash
[index_i
] + hash
[index_j
];
62 data
[ind
] = data
[ind
] ^ hash
[t
];
69 /*******************************************************************
70 Generate the next PDU to be returned from the data in p->rdata.
71 We cheat here as this function doesn't handle the special auth
72 footers of the authenticated bind response reply.
73 ********************************************************************/
75 BOOL
create_next_pdu(pipes_struct
*p
)
77 RPC_HDR_RESP hdr_resp
;
78 BOOL auth_verify
= ((p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_SIGN
) != 0);
79 BOOL auth_seal
= ((p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_SEAL
) != 0);
81 uint32 data_space_available
;
83 prs_struct outgoing_pdu
;
89 * If we're in the fault state, keep returning fault PDU's until
90 * the pipe gets closed. JRA.
94 setup_fault_pdu(p
, NT_STATUS(0x1c010002));
98 memset((char *)&hdr_resp
, '\0', sizeof(hdr_resp
));
100 /* Change the incoming request header to a response. */
101 p
->hdr
.pkt_type
= RPC_RESPONSE
;
103 /* Set up rpc header flags. */
104 if (p
->out_data
.data_sent_length
== 0)
105 p
->hdr
.flags
= RPC_FLG_FIRST
;
110 * Work out how much we can fit in a single PDU.
113 data_space_available
= sizeof(p
->out_data
.current_pdu
) - RPC_HEADER_LEN
- RPC_HDR_RESP_LEN
;
114 if(p
->ntlmssp_auth_validated
)
115 data_space_available
-= (RPC_HDR_AUTH_LEN
+ RPC_AUTH_NTLMSSP_CHK_LEN
);
118 * The amount we send is the minimum of the available
119 * space and the amount left to send.
122 data_len_left
= prs_offset(&p
->out_data
.rdata
) - p
->out_data
.data_sent_length
;
125 * Ensure there really is data left to send.
129 DEBUG(0,("create_next_pdu: no data left to send !\n"));
133 data_len
= MIN(data_len_left
, data_space_available
);
136 * Set up the alloc hint. This should be the data left to
140 hdr_resp
.alloc_hint
= data_len_left
;
143 * Set up the header lengths.
146 if (p
->ntlmssp_auth_validated
) {
147 p
->hdr
.frag_len
= RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
+ data_len
+
148 RPC_HDR_AUTH_LEN
+ RPC_AUTH_NTLMSSP_CHK_LEN
;
149 p
->hdr
.auth_len
= RPC_AUTH_NTLMSSP_CHK_LEN
;
151 p
->hdr
.frag_len
= RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
+ data_len
;
156 * Work out if this PDU will be the last.
159 if(p
->out_data
.data_sent_length
+ data_len
>= prs_offset(&p
->out_data
.rdata
))
160 p
->hdr
.flags
|= RPC_FLG_LAST
;
163 * Init the parse struct to point at the outgoing
167 prs_init( &outgoing_pdu
, 0, p
->mem_ctx
, MARSHALL
);
168 prs_give_memory( &outgoing_pdu
, (char *)p
->out_data
.current_pdu
, sizeof(p
->out_data
.current_pdu
), False
);
170 /* Store the header in the data stream. */
171 if(!smb_io_rpc_hdr("hdr", &p
->hdr
, &outgoing_pdu
, 0)) {
172 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
173 prs_mem_free(&outgoing_pdu
);
177 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp
, &outgoing_pdu
, 0)) {
178 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
179 prs_mem_free(&outgoing_pdu
);
183 /* Store the current offset. */
184 data_pos
= prs_offset(&outgoing_pdu
);
186 /* Copy the data into the PDU. */
187 data_from
= prs_data_p(&p
->out_data
.rdata
) + p
->out_data
.data_sent_length
;
189 if(!prs_append_data(&outgoing_pdu
, data_from
, data_len
)) {
190 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len
));
191 prs_mem_free(&outgoing_pdu
);
196 * Set data to point to where we copied the data into.
199 data
= prs_data_p(&outgoing_pdu
) + data_pos
;
201 if (p
->hdr
.auth_len
> 0) {
204 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205 BOOLSTR(auth_verify
), BOOLSTR(auth_seal
), data_len
, p
->hdr
.auth_len
));
208 crc32
= crc32_calc_buffer(data
, data_len
);
209 NTLMSSPcalc_p(p
, (uchar
*)data
, data_len
);
212 if (auth_seal
|| auth_verify
) {
213 RPC_HDR_AUTH auth_info
;
215 init_rpc_hdr_auth(&auth_info
, NTLMSSP_AUTH_TYPE
, NTLMSSP_AUTH_LEVEL
,
216 (auth_verify
? RPC_HDR_AUTH_LEN
: 0), (auth_verify
? 1 : 0));
217 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info
, &outgoing_pdu
, 0)) {
218 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
219 prs_mem_free(&outgoing_pdu
);
225 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk
;
226 char *auth_data
= prs_data_p(&outgoing_pdu
);
228 p
->ntlmssp_seq_num
++;
229 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk
, NTLMSSP_SIGN_VERSION
,
230 crc32
, p
->ntlmssp_seq_num
++);
231 auth_data
= prs_data_p(&outgoing_pdu
) + prs_offset(&outgoing_pdu
) + 4;
232 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk
, &outgoing_pdu
, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
234 prs_mem_free(&outgoing_pdu
);
237 NTLMSSPcalc_p(p
, (uchar
*)auth_data
, RPC_AUTH_NTLMSSP_CHK_LEN
- 4);
242 * Setup the counts for this PDU.
245 p
->out_data
.data_sent_length
+= data_len
;
246 p
->out_data
.current_pdu_len
= p
->hdr
.frag_len
;
247 p
->out_data
.current_pdu_sent
= 0;
249 prs_mem_free(&outgoing_pdu
);
253 /*******************************************************************
254 Process an NTLMSSP authentication response.
255 If this function succeeds, the user has been authenticated
256 and their domain, name and calling workstation stored in
258 The initial challenge is stored in p->challenge.
259 *******************************************************************/
261 static BOOL
api_pipe_ntlmssp_verify(pipes_struct
*p
, RPC_AUTH_NTLMSSP_RESP
*ntlmssp_resp
)
266 fstring pipe_user_name
;
269 BOOL guest_user
= False
;
270 SAM_ACCOUNT
*sampass
= NULL
;
271 uchar null_smb_passwd
[16];
272 uchar
*smb_passwd_ptr
= NULL
;
274 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
276 memset(p
->user_name
, '\0', sizeof(p
->user_name
));
277 memset(p
->pipe_user_name
, '\0', sizeof(p
->pipe_user_name
));
278 memset(p
->domain
, '\0', sizeof(p
->domain
));
279 memset(p
->wks
, '\0', sizeof(p
->wks
));
281 /* Set up for non-authenticated user. */
282 delete_nt_token(&p
->pipe_user
.nt_user_token
);
283 p
->pipe_user
.ngroups
= 0;
284 safe_free( p
->pipe_user
.groups
);
287 * Setup an empty password for a guest user.
290 memset(null_smb_passwd
,0,16);
293 * We always negotiate UNICODE.
296 if (p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_UNICODE
) {
297 fstrcpy(user_name
, dos_unistrn2((uint16
*)ntlmssp_resp
->user
, ntlmssp_resp
->hdr_usr
.str_str_len
/2));
298 fstrcpy(domain
, dos_unistrn2((uint16
*)ntlmssp_resp
->domain
, ntlmssp_resp
->hdr_domain
.str_str_len
/2));
299 fstrcpy(wks
, dos_unistrn2((uint16
*)ntlmssp_resp
->wks
, ntlmssp_resp
->hdr_wks
.str_str_len
/2));
301 fstrcpy(user_name
, ntlmssp_resp
->user
);
302 fstrcpy(domain
, ntlmssp_resp
->domain
);
303 fstrcpy(wks
, ntlmssp_resp
->wks
);
306 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name
, domain
, wks
));
308 memcpy(lm_owf
, ntlmssp_resp
->lm_resp
, sizeof(lm_owf
));
309 memcpy(nt_owf
, ntlmssp_resp
->nt_resp
, sizeof(nt_owf
));
311 #ifdef DEBUG_PASSWORD
312 DEBUG(100,("lm, nt owfs, chal\n"));
313 dump_data(100, (char *)lm_owf
, sizeof(lm_owf
));
314 dump_data(100, (char *)nt_owf
, sizeof(nt_owf
));
315 dump_data(100, (char *)p
->challenge
, 8);
319 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
322 if((strlen(user_name
) == 0) &&
323 (ntlmssp_resp
->hdr_nt_resp
.str_str_len
==0))
327 fstrcpy(pipe_user_name
, lp_guestaccount(-1));
328 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name
));
330 smb_passwd_ptr
= null_smb_passwd
;
335 * Pass the user through the NT -> unix user mapping
339 fstrcpy(pipe_user_name
, user_name
);
340 (void)map_username(pipe_user_name
);
343 * Do the length checking only if user is not NULL.
346 if (ntlmssp_resp
->hdr_lm_resp
.str_str_len
== 0)
348 if (ntlmssp_resp
->hdr_nt_resp
.str_str_len
== 0)
350 if (ntlmssp_resp
->hdr_usr
.str_str_len
== 0)
352 if (ntlmssp_resp
->hdr_domain
.str_str_len
== 0)
354 if (ntlmssp_resp
->hdr_wks
.str_str_len
== 0)
363 if(!(p
->ntlmssp_auth_validated
= pass_check_smb(pipe_user_name
, domain
,
364 (uchar
*)p
->challenge
, lm_owf
, nt_owf
, NULL
))) {
365 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
366 failed authentication on named pipe %s.\n", domain
, pipe_user_name
, wks
, p
->name
));
371 pdb_init_sam(&sampass
);
373 if(!pdb_getsampwnam(sampass
, pipe_user_name
)) {
374 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
376 pdb_free_sam(sampass
);
383 /* Quit if the account was disabled. */
384 if((pdb_get_acct_ctrl(sampass
) & ACB_DISABLED
) || !pdb_get_lanman_passwd(sampass
)) {
385 DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name
));
386 pdb_free_sam(sampass
);
390 if(!pdb_get_nt_passwd(sampass
)) {
391 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name
));
392 pdb_free_sam(sampass
);
396 smb_passwd_ptr
= pdb_get_lanman_passwd(sampass
);
400 * Set up the sign/seal data.
405 NTLMSSPOWFencrypt(smb_passwd_ptr
, lm_owf
, p24
);
417 for (ind
= 0; ind
< 256; ind
++)
418 p
->ntlmssp_hash
[ind
] = (unsigned char)ind
;
420 for( ind
= 0; ind
< 256; ind
++) {
423 j
+= (p
->ntlmssp_hash
[ind
] + k2
[ind
%8]);
425 tc
= p
->ntlmssp_hash
[ind
];
426 p
->ntlmssp_hash
[ind
] = p
->ntlmssp_hash
[j
];
427 p
->ntlmssp_hash
[j
] = tc
;
430 p
->ntlmssp_hash
[256] = 0;
431 p
->ntlmssp_hash
[257] = 0;
433 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
434 p
->ntlmssp_seq_num
= 0;
438 fstrcpy(p
->user_name
, user_name
);
439 fstrcpy(p
->pipe_user_name
, pipe_user_name
);
440 fstrcpy(p
->domain
, domain
);
441 fstrcpy(p
->wks
, wks
);
444 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
447 p
->pipe_user
.uid
= pdb_get_uid(sampass
);
448 p
->pipe_user
.gid
= pdb_get_gid(sampass
);
450 /* Set up pipe user group membership. */
451 initialise_groups(pipe_user_name
, p
->pipe_user
.uid
, p
->pipe_user
.gid
);
452 get_current_groups( p
->pipe_user
.gid
, &p
->pipe_user
.ngroups
, &p
->pipe_user
.groups
);
454 /* Create an NT_USER_TOKEN struct for this user. */
455 p
->pipe_user
.nt_user_token
= create_nt_token(p
->pipe_user
.uid
,p
->pipe_user
.gid
,
456 p
->pipe_user
.ngroups
, p
->pipe_user
.groups
,
459 p
->ntlmssp_auth_validated
= True
;
460 pdb_free_sam(sampass
);
464 /*******************************************************************
465 The switch table for the pipe names and the functions to handle them.
466 *******************************************************************/
470 char * pipe_clnt_name
;
471 char * pipe_srv_name
;
472 BOOL (*fn
) (pipes_struct
*);
475 static struct api_cmd api_fd_commands
[] =
477 { "lsarpc", "lsass", api_ntlsa_rpc
},
478 { "samr", "lsass", api_samr_rpc
},
479 { "srvsvc", "ntsvcs", api_srvsvc_rpc
},
480 { "wkssvc", "ntsvcs", api_wkssvc_rpc
},
481 { "NETLOGON", "lsass", api_netlog_rpc
},
482 { "winreg", "winreg", api_reg_rpc
},
483 { "spoolss", "spoolss", api_spoolss_rpc
},
485 { "netdfs", "netdfs" , api_netdfs_rpc
},
490 /*******************************************************************
491 This is the client reply to our challenge for an authenticated
492 bind request. The challenge we sent is in p->challenge.
493 *******************************************************************/
495 BOOL
api_pipe_bind_auth_resp(pipes_struct
*p
, prs_struct
*rpc_in_p
)
497 RPC_HDR_AUTHA autha_info
;
498 RPC_AUTH_VERIFIER auth_verifier
;
499 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp
;
501 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__
));
503 if (p
->hdr
.auth_len
== 0) {
504 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
509 * Decode the authentication verifier response.
512 if(!smb_io_rpc_hdr_autha("", &autha_info
, rpc_in_p
, 0)) {
513 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
517 if (autha_info
.auth_type
!= NTLMSSP_AUTH_TYPE
|| autha_info
.auth_level
!= NTLMSSP_AUTH_LEVEL
) {
518 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
519 (int)autha_info
.auth_type
, (int)autha_info
.auth_level
));
523 if(!smb_io_rpc_auth_verifier("", &auth_verifier
, rpc_in_p
, 0)) {
524 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
529 * Ensure this is a NTLMSSP_AUTH packet type.
532 if (!rpc_auth_verifier_chk(&auth_verifier
, "NTLMSSP", NTLMSSP_AUTH
)) {
533 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
537 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp
, rpc_in_p
, 0)) {
538 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
543 * The following call actually checks the challenge/response data.
544 * for correctness against the given DOMAIN\user name.
547 if (!api_pipe_ntlmssp_verify(p
, &ntlmssp_resp
))
555 /*******************************************************************
556 Marshall a bind_nak pdu.
557 *******************************************************************/
559 static BOOL
setup_bind_nak(pipes_struct
*p
)
561 prs_struct outgoing_rpc
;
565 /* Free any memory in the current return data buffer. */
566 prs_mem_free(&p
->out_data
.rdata
);
569 * Marshall directly into the outgoing PDU space. We
570 * must do this as we need to set to the bind response
571 * header and are never sending more than one PDU here.
574 prs_init( &outgoing_rpc
, 0, p
->mem_ctx
, MARSHALL
);
575 prs_give_memory( &outgoing_rpc
, (char *)p
->out_data
.current_pdu
, sizeof(p
->out_data
.current_pdu
), False
);
579 * Initialize a bind_nak header.
582 init_rpc_hdr(&nak_hdr
, RPC_BINDNACK
, RPC_FLG_FIRST
| RPC_FLG_LAST
,
583 p
->hdr
.call_id
, RPC_HEADER_LEN
+ sizeof(uint16
), 0);
586 * Marshall the header into the outgoing PDU.
589 if(!smb_io_rpc_hdr("", &nak_hdr
, &outgoing_rpc
, 0)) {
590 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
591 prs_mem_free(&outgoing_rpc
);
596 * Now add the reject reason.
599 if(!prs_uint16("reject code", &outgoing_rpc
, 0, &zero
)) {
600 prs_mem_free(&outgoing_rpc
);
604 p
->out_data
.data_sent_length
= 0;
605 p
->out_data
.current_pdu_len
= prs_offset(&outgoing_rpc
);
606 p
->out_data
.current_pdu_sent
= 0;
608 p
->pipe_bound
= False
;
613 /*******************************************************************
614 Marshall a fault pdu.
615 *******************************************************************/
617 BOOL
setup_fault_pdu(pipes_struct
*p
, NTSTATUS status
)
619 prs_struct outgoing_pdu
;
621 RPC_HDR_RESP hdr_resp
;
622 RPC_HDR_FAULT fault_resp
;
624 /* Free any memory in the current return data buffer. */
625 prs_mem_free(&p
->out_data
.rdata
);
628 * Marshall directly into the outgoing PDU space. We
629 * must do this as we need to set to the bind response
630 * header and are never sending more than one PDU here.
633 prs_init( &outgoing_pdu
, 0, p
->mem_ctx
, MARSHALL
);
634 prs_give_memory( &outgoing_pdu
, (char *)p
->out_data
.current_pdu
, sizeof(p
->out_data
.current_pdu
), False
);
637 * Initialize a fault header.
640 init_rpc_hdr(&fault_hdr
, RPC_FAULT
, RPC_FLG_FIRST
| RPC_FLG_LAST
| RPC_FLG_NOCALL
,
641 p
->hdr
.call_id
, RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
+ RPC_HDR_FAULT_LEN
, 0);
644 * Initialize the HDR_RESP and FAULT parts of the PDU.
647 memset((char *)&hdr_resp
, '\0', sizeof(hdr_resp
));
649 fault_resp
.status
= status
;
650 fault_resp
.reserved
= 0;
653 * Marshall the header into the outgoing PDU.
656 if(!smb_io_rpc_hdr("", &fault_hdr
, &outgoing_pdu
, 0)) {
657 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
658 prs_mem_free(&outgoing_pdu
);
662 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp
, &outgoing_pdu
, 0)) {
663 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
664 prs_mem_free(&outgoing_pdu
);
668 if(!smb_io_rpc_hdr_fault("fault", &fault_resp
, &outgoing_pdu
, 0)) {
669 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
670 prs_mem_free(&outgoing_pdu
);
674 p
->out_data
.data_sent_length
= 0;
675 p
->out_data
.current_pdu_len
= prs_offset(&outgoing_pdu
);
676 p
->out_data
.current_pdu_sent
= 0;
678 prs_mem_free(&outgoing_pdu
);
682 /*******************************************************************
683 Ensure a bind request has the correct abstract & transfer interface.
684 Used to reject unknown binds from Win2k.
685 *******************************************************************/
687 BOOL
check_bind_req(char* pipe_name
, RPC_IFACE
* abstract
,
690 extern struct pipe_id_info pipe_names
[];
693 fstrcpy(pname
,"\\PIPE\\");
694 fstrcat(pname
,pipe_name
);
696 for(i
=0;pipe_names
[i
].client_pipe
; i
++) {
697 if(strequal(pipe_names
[i
].client_pipe
, pname
))
701 if(pipe_names
[i
].client_pipe
== NULL
)
704 /* check the abstract interface */
705 if((abstract
->version
!= pipe_names
[i
].abstr_syntax
.version
) ||
706 (memcmp(&abstract
->uuid
, &pipe_names
[i
].abstr_syntax
.uuid
,
707 sizeof(RPC_UUID
)) != 0))
710 /* check the transfer interface */
711 if((transfer
->version
!= pipe_names
[i
].trans_syntax
.version
) ||
712 (memcmp(&transfer
->uuid
, &pipe_names
[i
].trans_syntax
.uuid
,
713 sizeof(RPC_UUID
)) != 0))
719 /*******************************************************************
720 Respond to a pipe bind request.
721 *******************************************************************/
723 BOOL
api_pipe_bind_req(pipes_struct
*p
, prs_struct
*rpc_in_p
)
727 RPC_HDR_AUTH auth_info
;
729 fstring ack_pipe_name
;
730 prs_struct out_hdr_ba
;
732 prs_struct outgoing_rpc
;
735 enum RPC_PKT_TYPE reply_pkt_type
;
737 p
->ntlmssp_auth_requested
= False
;
739 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__
));
742 * Try and find the correct pipe name to ensure
743 * that this is a pipe name we support.
746 for (i
= 0; api_fd_commands
[i
].pipe_clnt_name
; i
++) {
747 if (strequal(api_fd_commands
[i
].pipe_clnt_name
, p
->name
) &&
748 api_fd_commands
[i
].fn
!= NULL
) {
749 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
750 api_fd_commands
[i
].pipe_clnt_name
,
751 api_fd_commands
[i
].pipe_srv_name
));
752 fstrcpy(p
->pipe_srv_name
, api_fd_commands
[i
].pipe_srv_name
);
757 if (api_fd_commands
[i
].fn
== NULL
) {
758 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
760 if(!setup_bind_nak(p
))
765 /* decode the bind request */
766 if(!smb_io_rpc_hdr_rb("", &hdr_rb
, rpc_in_p
, 0)) {
767 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
772 * Check if this is an authenticated request.
775 if (p
->hdr
.auth_len
!= 0) {
776 RPC_AUTH_VERIFIER auth_verifier
;
777 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg
;
780 * Decode the authentication verifier.
783 if(!smb_io_rpc_hdr_auth("", &auth_info
, rpc_in_p
, 0)) {
784 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
789 * We only support NTLMSSP_AUTH_TYPE requests.
792 if(auth_info
.auth_type
!= NTLMSSP_AUTH_TYPE
) {
793 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
794 auth_info
.auth_type
));
798 if(!smb_io_rpc_auth_verifier("", &auth_verifier
, rpc_in_p
, 0)) {
799 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
803 if(!strequal(auth_verifier
.signature
, "NTLMSSP")) {
804 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
808 if(auth_verifier
.msg_type
!= NTLMSSP_NEGOTIATE
) {
809 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
810 auth_verifier
.msg_type
));
814 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg
, rpc_in_p
, 0)) {
815 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
819 p
->ntlmssp_chal_flags
= SMBD_NTLMSSP_NEG_FLAGS
;
820 p
->ntlmssp_auth_requested
= True
;
823 switch(p
->hdr
.pkt_type
) {
825 /* name has to be \PIPE\xxxxx */
826 fstrcpy(ack_pipe_name
, "\\PIPE\\");
827 fstrcat(ack_pipe_name
, p
->pipe_srv_name
);
828 reply_pkt_type
= RPC_BINDACK
;
831 /* secondary address CAN be NULL
832 * as the specs say it's ignored.
833 * It MUST NULL to have the spoolss working.
835 fstrcpy(ack_pipe_name
,"");
836 reply_pkt_type
= RPC_ALTCONTRESP
;
842 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__
));
845 * Marshall directly into the outgoing PDU space. We
846 * must do this as we need to set to the bind response
847 * header and are never sending more than one PDU here.
850 prs_init( &outgoing_rpc
, 0, p
->mem_ctx
, MARSHALL
);
851 prs_give_memory( &outgoing_rpc
, (char *)p
->out_data
.current_pdu
, sizeof(p
->out_data
.current_pdu
), False
);
854 * Setup the memory to marshall the ba header, and the
858 if(!prs_init(&out_hdr_ba
, 1024, p
->mem_ctx
, MARSHALL
)) {
859 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
860 prs_mem_free(&outgoing_rpc
);
864 if(!prs_init(&out_auth
, 1024, p
->mem_ctx
, MARSHALL
)) {
865 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
866 prs_mem_free(&outgoing_rpc
);
867 prs_mem_free(&out_hdr_ba
);
871 if (p
->ntlmssp_auth_requested
)
874 assoc_gid
= hdr_rb
.bba
.assoc_gid
? hdr_rb
.bba
.assoc_gid
: 0x53f0;
877 * Create the bind response struct.
880 /* If the requested abstract synt uuid doesn't match our client pipe,
881 reject the bind_ack & set the transfer interface synt to all 0's,
882 ver 0 (observed when NT5 attempts to bind to abstract interfaces
884 Needed when adding entries to a DACL from NT5 - SK */
886 if(check_bind_req(p
->name
, &hdr_rb
.abstract
, &hdr_rb
.transfer
)) {
887 init_rpc_hdr_ba(&hdr_ba
,
895 RPC_IFACE null_interface
;
896 ZERO_STRUCT(null_interface
);
897 /* Rejection reason: abstract syntax not supported */
898 init_rpc_hdr_ba(&hdr_ba
, MAX_PDU_FRAG_LEN
,
899 MAX_PDU_FRAG_LEN
, assoc_gid
,
900 ack_pipe_name
, 0x1, 0x2, 0x1,
908 if(!smb_io_rpc_hdr_ba("", &hdr_ba
, &out_hdr_ba
, 0)) {
909 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
914 * Now the authentication.
917 if (p
->ntlmssp_auth_requested
) {
918 RPC_AUTH_VERIFIER auth_verifier
;
919 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal
;
921 generate_random_buffer(p
->challenge
, 8, False
);
923 /*** Authentication info ***/
925 init_rpc_hdr_auth(&auth_info
, NTLMSSP_AUTH_TYPE
, NTLMSSP_AUTH_LEVEL
, RPC_HDR_AUTH_LEN
, 1);
926 if(!smb_io_rpc_hdr_auth("", &auth_info
, &out_auth
, 0)) {
927 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
931 /*** NTLMSSP verifier ***/
933 init_rpc_auth_verifier(&auth_verifier
, "NTLMSSP", NTLMSSP_CHALLENGE
);
934 if(!smb_io_rpc_auth_verifier("", &auth_verifier
, &out_auth
, 0)) {
935 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
939 /* NTLMSSP challenge ***/
941 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal
, p
->ntlmssp_chal_flags
, p
->challenge
);
942 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal
, &out_auth
, 0)) {
943 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
947 /* Auth len in the rpc header doesn't include auth_header. */
948 auth_len
= prs_offset(&out_auth
) - RPC_HDR_AUTH_LEN
;
952 * Create the header, now we know the length.
955 init_rpc_hdr(&p
->hdr
, reply_pkt_type
, RPC_FLG_FIRST
| RPC_FLG_LAST
,
957 RPC_HEADER_LEN
+ prs_offset(&out_hdr_ba
) + prs_offset(&out_auth
),
961 * Marshall the header into the outgoing PDU.
964 if(!smb_io_rpc_hdr("", &p
->hdr
, &outgoing_rpc
, 0)) {
965 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
970 * Now add the RPC_HDR_BA and any auth needed.
973 if(!prs_append_prs_data( &outgoing_rpc
, &out_hdr_ba
)) {
974 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
978 if(p
->ntlmssp_auth_requested
&& !prs_append_prs_data( &outgoing_rpc
, &out_auth
)) {
979 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
983 if(!p
->ntlmssp_auth_requested
)
984 p
->pipe_bound
= True
;
987 * Setup the lengths for the initial reply.
990 p
->out_data
.data_sent_length
= 0;
991 p
->out_data
.current_pdu_len
= prs_offset(&outgoing_rpc
);
992 p
->out_data
.current_pdu_sent
= 0;
994 prs_mem_free(&out_hdr_ba
);
995 prs_mem_free(&out_auth
);
1001 prs_mem_free(&outgoing_rpc
);
1002 prs_mem_free(&out_hdr_ba
);
1003 prs_mem_free(&out_auth
);
1007 /****************************************************************************
1008 Deal with sign & seal processing on an RPC request.
1009 ****************************************************************************/
1011 BOOL
api_pipe_auth_process(pipes_struct
*p
, prs_struct
*rpc_in
)
1014 * We always negotiate the following two bits....
1016 BOOL auth_verify
= ((p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_SIGN
) != 0);
1017 BOOL auth_seal
= ((p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_SEAL
) != 0);
1023 auth_len
= p
->hdr
.auth_len
;
1025 if ((auth_len
!= RPC_AUTH_NTLMSSP_CHK_LEN
) && auth_verify
) {
1026 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len
));
1031 * The following is that length of the data we must verify or unseal.
1032 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1033 * preceeding the auth_data.
1036 data_len
= p
->hdr
.frag_len
- RPC_HEADER_LEN
- RPC_HDR_REQ_LEN
-
1037 (auth_verify
? RPC_HDR_AUTH_LEN
: 0) - auth_len
;
1039 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1040 BOOLSTR(auth_verify
), BOOLSTR(auth_seal
), data_len
, auth_len
));
1044 * The data in rpc_in doesn't contain the RPC_HEADER as this
1045 * has already been consumed.
1047 char *data
= prs_data_p(rpc_in
) + RPC_HDR_REQ_LEN
;
1048 NTLMSSPcalc_p(p
, (uchar
*)data
, data_len
);
1049 crc32
= crc32_calc_buffer(data
, data_len
);
1052 old_offset
= prs_offset(rpc_in
);
1054 if (auth_seal
|| auth_verify
) {
1055 RPC_HDR_AUTH auth_info
;
1057 if(!prs_set_offset(rpc_in
, old_offset
+ data_len
)) {
1058 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1059 (unsigned int)old_offset
+ data_len
));
1063 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info
, rpc_in
, 0)) {
1064 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1070 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk
;
1071 char *req_data
= prs_data_p(rpc_in
) + prs_offset(rpc_in
) + 4;
1073 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in
) + 4));
1076 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1079 if(prs_mem_get(rpc_in
, RPC_AUTH_NTLMSSP_CHK_LEN
- 4) == NULL
) {
1080 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1081 RPC_AUTH_NTLMSSP_CHK_LEN
- 4 ));
1085 NTLMSSPcalc_p(p
, (uchar
*)req_data
, RPC_AUTH_NTLMSSP_CHK_LEN
- 4);
1086 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk
, rpc_in
, 0)) {
1087 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1091 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk
, crc32
, p
->ntlmssp_seq_num
)) {
1092 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1098 * Return the current pointer to the data offset.
1101 if(!prs_set_offset(rpc_in
, old_offset
)) {
1102 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1103 (unsigned int)old_offset
));
1110 /****************************************************************************
1111 Return a user struct for a pipe user.
1112 ****************************************************************************/
1114 struct current_user
*get_current_user(struct current_user
*user
, pipes_struct
*p
)
1116 if (p
->ntlmssp_auth_validated
) {
1117 memcpy(user
, &p
->pipe_user
, sizeof(struct current_user
));
1119 extern struct current_user current_user
;
1120 memcpy(user
, ¤t_user
, sizeof(struct current_user
));
1126 /****************************************************************************
1127 Find the correct RPC function to call for this request.
1128 If the pipe is authenticated then become the correct UNIX user
1129 before doing the call.
1130 ****************************************************************************/
1132 BOOL
api_pipe_request(pipes_struct
*p
)
1137 if (p
->ntlmssp_auth_validated
) {
1139 if(!become_authenticated_pipe_user(p
)) {
1140 prs_mem_free(&p
->out_data
.rdata
);
1145 for (i
= 0; api_fd_commands
[i
].pipe_clnt_name
; i
++) {
1146 if (strequal(api_fd_commands
[i
].pipe_clnt_name
, p
->name
) &&
1147 api_fd_commands
[i
].fn
!= NULL
) {
1148 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands
[i
].pipe_clnt_name
));
1149 set_current_rpc_talloc(p
->mem_ctx
);
1150 ret
= api_fd_commands
[i
].fn(p
);
1151 set_current_rpc_talloc(NULL
);
1155 if (p
->ntlmssp_auth_validated
)
1156 unbecome_authenticated_pipe_user();
1161 /*******************************************************************
1162 Calls the underlying RPC function for a named pipe.
1163 ********************************************************************/
1165 BOOL
api_rpcTNP(pipes_struct
*p
, char *rpc_name
,
1166 struct api_struct
*api_rpc_cmds
)
1170 uint32 offset1
, offset2
;
1172 /* interpret the command */
1173 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name
, p
->hdr_req
.opnum
));
1175 slprintf(name
, sizeof(name
)-1, "in_%s", rpc_name
);
1176 prs_dump(name
, p
->hdr_req
.opnum
, &p
->in_data
.data
);
1178 for (fn_num
= 0; api_rpc_cmds
[fn_num
].name
; fn_num
++) {
1179 if (api_rpc_cmds
[fn_num
].opnum
== p
->hdr_req
.opnum
&& api_rpc_cmds
[fn_num
].fn
!= NULL
) {
1180 DEBUG(3,("api_rpcTNP: pipe %u rpc command: %s\n", (unsigned int)p
->pnum
, api_rpc_cmds
[fn_num
].name
));
1185 if (api_rpc_cmds
[fn_num
].name
== NULL
) {
1187 * For an unknown RPC just return a fault PDU but
1188 * return True to allow RPC's on the pipe to continue
1189 * and not put the pipe into fault state. JRA.
1191 DEBUG(4, ("unknown\n"));
1192 setup_fault_pdu(p
, NT_STATUS(0x1c010002));
1196 offset1
= prs_offset(&p
->out_data
.rdata
);
1198 /* do the actual command */
1199 if(!api_rpc_cmds
[fn_num
].fn(p
)) {
1200 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name
, api_rpc_cmds
[fn_num
].name
));
1201 prs_mem_free(&p
->out_data
.rdata
);
1205 if (p
->bad_handle_fault_state
) {
1206 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1207 p
->bad_handle_fault_state
= False
;
1208 setup_fault_pdu(p
, NT_STATUS(0x1C00001A));
1212 slprintf(name
, sizeof(name
)-1, "out_%s", rpc_name
);
1213 offset2
= prs_offset(&p
->out_data
.rdata
);
1214 prs_set_offset(&p
->out_data
.rdata
, offset1
);
1215 prs_dump(name
, p
->hdr_req
.opnum
, &p
->out_data
.rdata
);
1216 prs_set_offset(&p
->out_data
.rdata
, offset2
);
1218 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name
));
1220 /* Check for buffer underflow in rpc parsing */
1222 if ((DEBUGLEVEL
>= 10) &&
1223 (p
->in_data
.data
.data_offset
!= p
->in_data
.data
.buffer_size
)) {
1224 int data_len
= p
->in_data
.data
.buffer_size
-
1225 p
->in_data
.data
.data_offset
;
1228 data
= malloc(data_len
);
1230 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1232 prs_uint8s(False
, "", &p
->in_data
.data
, 0, (unsigned char *)data
,