2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Anthony Liguori 2003.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 #define DBGC_CLASS DBGC_RPC_SRV
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
53 for( ind = 0; ind < len; ind++) {
58 index_j += hash[index_i];
61 hash[index_i] = hash[index_j];
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL create_next_pdu(pipes_struct *p)
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
82 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
84 uint32 data_space_available;
86 prs_struct outgoing_pdu;
90 * If we're in the fault state, keep returning fault PDU's until
91 * the pipe gets closed. JRA.
95 setup_fault_pdu(p, NT_STATUS(0x1c010002));
99 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
101 /* Change the incoming request header to a response. */
102 p->hdr.pkt_type = RPC_RESPONSE;
104 /* Set up rpc header flags. */
105 if (p->out_data.data_sent_length == 0)
106 p->hdr.flags = RPC_FLG_FIRST;
111 * Work out how much we can fit in a single PDU.
114 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
115 if(p->ntlmssp_auth_validated)
116 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
119 * The amount we send is the minimum of the available
120 * space and the amount left to send.
123 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
126 * Ensure there really is data left to send.
130 DEBUG(0,("create_next_pdu: no data left to send !\n"));
134 data_len = MIN(data_len_left, data_space_available);
137 * Set up the alloc hint. This should be the data left to
141 hdr_resp.alloc_hint = data_len_left;
144 * Set up the header lengths.
147 if (p->ntlmssp_auth_validated) {
148 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
149 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
150 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
157 * Work out if this PDU will be the last.
160 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
161 p->hdr.flags |= RPC_FLG_LAST;
164 * Init the parse struct to point at the outgoing
168 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
169 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
171 /* Store the header in the data stream. */
172 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
173 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
174 prs_mem_free(&outgoing_pdu);
178 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
179 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
180 prs_mem_free(&outgoing_pdu);
184 /* Store the current offset. */
185 data_pos = prs_offset(&outgoing_pdu);
187 /* Copy the data into the PDU. */
189 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
190 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
191 prs_mem_free(&outgoing_pdu);
195 if (p->hdr.auth_len > 0) {
199 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
200 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
203 * Set data to point to where we copied the data into.
206 data = prs_data_p(&outgoing_pdu) + data_pos;
209 crc32 = crc32_calc_buffer(data, data_len);
210 NTLMSSPcalc_p(p, (uchar*)data, data_len);
213 if (auth_seal || auth_verify) {
214 RPC_HDR_AUTH auth_info;
216 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
217 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
218 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
219 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
220 prs_mem_free(&outgoing_pdu);
226 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
227 char *auth_data = prs_data_p(&outgoing_pdu);
229 p->ntlmssp_seq_num++;
230 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
231 crc32, p->ntlmssp_seq_num++);
232 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
233 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
234 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
235 prs_mem_free(&outgoing_pdu);
238 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
243 * Setup the counts for this PDU.
246 p->out_data.data_sent_length += data_len;
247 p->out_data.current_pdu_len = p->hdr.frag_len;
248 p->out_data.current_pdu_sent = 0;
250 prs_mem_free(&outgoing_pdu);
254 /*******************************************************************
255 Process an NTLMSSP authentication response.
256 If this function succeeds, the user has been authenticated
257 and their domain, name and calling workstation stored in
259 The initial challenge is stored in p->challenge.
260 *******************************************************************/
262 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
274 struct auth_context *auth_context = NULL;
275 auth_usersupplied_info *user_info = NULL;
276 auth_serversupplied_info *server_info = NULL;
278 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
280 memset(p->user_name, '\0', sizeof(p->user_name));
281 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
282 memset(p->domain, '\0', sizeof(p->domain));
283 memset(p->wks, '\0', sizeof(p->wks));
285 /* Set up for non-authenticated user. */
286 delete_nt_token(&p->pipe_user.nt_user_token);
287 p->pipe_user.ngroups = 0;
288 SAFE_FREE( p->pipe_user.groups);
291 * Setup an empty password for a guest user.
295 * We always negotiate UNICODE.
298 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
299 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
300 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
301 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
303 pull_ascii_fstring(user_name, ntlmssp_resp->user);
304 pull_ascii_fstring(domain, ntlmssp_resp->domain);
305 pull_ascii_fstring(wks, ntlmssp_resp->wks);
308 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
310 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
311 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
313 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
314 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
316 #ifdef DEBUG_PASSWORD
317 DEBUG(100,("lm, nt owfs, chal\n"));
318 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
319 dump_data(100, (char *)nt_owf, nt_pw_len);
320 dump_data(100, (char *)p->challenge, 8);
324 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
330 * Do the length checking only if user is not NULL.
333 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
335 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
337 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
339 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
341 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
346 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
348 if (!make_user_info_netlogon_network(&user_info,
349 user_name, domain, wks,
351 nt_owf, nt_pw_len)) {
352 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
356 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
358 (auth_context->free)(&auth_context);
359 free_user_info(&user_info);
361 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
363 if (!p->ntlmssp_auth_validated) {
364 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
365 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
366 free_server_info(&server_info);
371 * Set up the sign/seal data.
376 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
388 for (ind = 0; ind < 256; ind++)
389 p->ntlmssp_hash[ind] = (unsigned char)ind;
391 for( ind = 0; ind < 256; ind++) {
394 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
396 tc = p->ntlmssp_hash[ind];
397 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
398 p->ntlmssp_hash[j] = tc;
401 p->ntlmssp_hash[256] = 0;
402 p->ntlmssp_hash[257] = 0;
404 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
405 p->ntlmssp_seq_num = 0;
409 fstrcpy(p->user_name, user_name);
410 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
411 fstrcpy(p->domain, domain);
412 fstrcpy(p->wks, wks);
415 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
418 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
419 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
420 free_server_info(&server_info);
424 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
426 p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
427 p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
429 p->pipe_user.ngroups = server_info->n_groups;
430 if (p->pipe_user.ngroups) {
431 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
432 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
433 free_server_info(&server_info);
438 if (server_info->ptok)
439 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
441 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
442 p->pipe_user.nt_user_token = NULL;
443 free_server_info(&server_info);
447 p->ntlmssp_auth_validated = True;
449 free_server_info(&server_info);
453 /*******************************************************************
454 The switch table for the pipe names and the functions to handle them.
455 *******************************************************************/
464 struct api_struct *cmds;
468 static struct rpc_table *rpc_lookup;
469 static int rpc_lookup_size;
471 /*******************************************************************
472 This is the client reply to our challenge for an authenticated
473 bind request. The challenge we sent is in p->challenge.
474 *******************************************************************/
476 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
478 RPC_HDR_AUTHA autha_info;
479 RPC_AUTH_VERIFIER auth_verifier;
480 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
482 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
484 if (p->hdr.auth_len == 0) {
485 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
490 * Decode the authentication verifier response.
493 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
494 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
498 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
499 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
500 (int)autha_info.auth_type, (int)autha_info.auth_level ));
504 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
505 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
510 * Ensure this is a NTLMSSP_AUTH packet type.
513 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
514 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
518 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
519 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
524 * The following call actually checks the challenge/response data.
525 * for correctness against the given DOMAIN\user name.
528 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
536 /*******************************************************************
537 Marshall a bind_nak pdu.
538 *******************************************************************/
540 static BOOL setup_bind_nak(pipes_struct *p)
542 prs_struct outgoing_rpc;
546 /* Free any memory in the current return data buffer. */
547 prs_mem_free(&p->out_data.rdata);
550 * Marshall directly into the outgoing PDU space. We
551 * must do this as we need to set to the bind response
552 * header and are never sending more than one PDU here.
555 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
556 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
560 * Initialize a bind_nak header.
563 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
564 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
567 * Marshall the header into the outgoing PDU.
570 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
571 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
572 prs_mem_free(&outgoing_rpc);
577 * Now add the reject reason.
580 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
581 prs_mem_free(&outgoing_rpc);
585 p->out_data.data_sent_length = 0;
586 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
587 p->out_data.current_pdu_sent = 0;
589 p->pipe_bound = False;
594 /*******************************************************************
595 Marshall a fault pdu.
596 *******************************************************************/
598 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
600 prs_struct outgoing_pdu;
602 RPC_HDR_RESP hdr_resp;
603 RPC_HDR_FAULT fault_resp;
605 /* Free any memory in the current return data buffer. */
606 prs_mem_free(&p->out_data.rdata);
609 * Marshall directly into the outgoing PDU space. We
610 * must do this as we need to set to the bind response
611 * header and are never sending more than one PDU here.
614 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
615 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
618 * Initialize a fault header.
621 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
622 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
625 * Initialize the HDR_RESP and FAULT parts of the PDU.
628 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
630 fault_resp.status = status;
631 fault_resp.reserved = 0;
634 * Marshall the header into the outgoing PDU.
637 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
638 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
639 prs_mem_free(&outgoing_pdu);
643 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
644 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
645 prs_mem_free(&outgoing_pdu);
649 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
650 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
651 prs_mem_free(&outgoing_pdu);
655 p->out_data.data_sent_length = 0;
656 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
657 p->out_data.current_pdu_sent = 0;
659 prs_mem_free(&outgoing_pdu);
663 /*******************************************************************
664 Ensure a bind request has the correct abstract & transfer interface.
665 Used to reject unknown binds from Win2k.
666 *******************************************************************/
668 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
671 extern struct pipe_id_info pipe_names[];
674 fstrcpy(pname,"\\PIPE\\");
675 fstrcat(pname,pipe_name);
677 DEBUG(3,("check_bind_req for %s\n", pname));
679 #ifndef SUPPORT_NEW_LSARPC_UUID
681 /* check for the first pipe matching the name */
683 for ( i=0; pipe_names[i].client_pipe; i++ ) {
684 if ( strequal(pipe_names[i].client_pipe, pname) )
688 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
690 for ( i=0; pipe_names[i].client_pipe; i++ )
692 if ( strequal(pipe_names[i].client_pipe, pname)
693 && (abstract->version == pipe_names[i].abstr_syntax.version)
694 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) == 0)
695 && (transfer->version == pipe_names[i].trans_syntax.version)
696 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) == 0) )
703 if(pipe_names[i].client_pipe == NULL)
706 #ifndef SUPPORT_NEW_LSARPC_UUID
707 /* check the abstract interface */
708 if ( (abstract->version != pipe_names[i].abstr_syntax.version)
709 || (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) != 0) )
714 /* check the transfer interface */
715 if ( (transfer->version != pipe_names[i].trans_syntax.version)
716 || (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) != 0) )
724 /*******************************************************************
725 Register commands to an RPC pipe
726 *******************************************************************/
727 int rpc_pipe_register_commands(const char *clnt, const char *srv, const struct api_struct *cmds, int size)
729 struct rpc_table *rpc_entry;
732 /* We use a temporary variable because this call can fail and
733 rpc_lookup will still be valid afterwards. It could then succeed if
734 called again later */
735 rpc_entry = realloc(rpc_lookup,
736 ++rpc_lookup_size*sizeof(struct rpc_table));
737 if (NULL == rpc_entry) {
739 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
742 rpc_lookup = rpc_entry;
745 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
746 ZERO_STRUCTP(rpc_entry);
747 rpc_entry->pipe.clnt = strdup(clnt);
748 rpc_entry->pipe.srv = strdup(srv);
749 rpc_entry->cmds = realloc(rpc_entry->cmds,
750 (rpc_entry->n_cmds + size) *
751 sizeof(struct api_struct));
752 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
753 size * sizeof(struct api_struct));
754 rpc_entry->n_cmds += size;
759 /*******************************************************************
760 Respond to a pipe bind request.
761 *******************************************************************/
763 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
767 RPC_HDR_AUTH auth_info;
769 fstring ack_pipe_name;
770 prs_struct out_hdr_ba;
772 prs_struct outgoing_rpc;
775 enum RPC_PKT_TYPE reply_pkt_type;
777 p->ntlmssp_auth_requested = False;
779 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
782 * Try and find the correct pipe name to ensure
783 * that this is a pipe name we support.
787 for (i = 0; i < rpc_lookup_size; i++) {
788 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
789 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
790 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
791 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
796 if (i == rpc_lookup_size) {
797 if (!smb_probe_module("rpc", p->name)) {
798 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
800 if(!setup_bind_nak(p))
805 for (i = 0; i < rpc_lookup_size; i++) {
806 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
807 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
808 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
809 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
815 /* decode the bind request */
816 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
817 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
822 * Check if this is an authenticated request.
825 if (p->hdr.auth_len != 0) {
826 RPC_AUTH_VERIFIER auth_verifier;
827 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
830 * Decode the authentication verifier.
833 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
834 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
839 * We only support NTLMSSP_AUTH_TYPE requests.
842 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
843 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
844 auth_info.auth_type ));
848 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
849 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
853 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
854 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
858 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
859 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
860 auth_verifier.msg_type));
864 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
865 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
869 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
870 p->ntlmssp_auth_requested = True;
873 switch(p->hdr.pkt_type) {
875 /* name has to be \PIPE\xxxxx */
876 fstrcpy(ack_pipe_name, "\\PIPE\\");
877 fstrcat(ack_pipe_name, p->pipe_srv_name);
878 reply_pkt_type = RPC_BINDACK;
881 /* secondary address CAN be NULL
882 * as the specs say it's ignored.
883 * It MUST NULL to have the spoolss working.
885 fstrcpy(ack_pipe_name,"");
886 reply_pkt_type = RPC_ALTCONTRESP;
892 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
895 * Marshall directly into the outgoing PDU space. We
896 * must do this as we need to set to the bind response
897 * header and are never sending more than one PDU here.
900 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
901 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
904 * Setup the memory to marshall the ba header, and the
908 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
909 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
910 prs_mem_free(&outgoing_rpc);
914 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
915 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
916 prs_mem_free(&outgoing_rpc);
917 prs_mem_free(&out_hdr_ba);
921 if (p->ntlmssp_auth_requested)
924 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
927 * Create the bind response struct.
930 /* If the requested abstract synt uuid doesn't match our client pipe,
931 reject the bind_ack & set the transfer interface synt to all 0's,
932 ver 0 (observed when NT5 attempts to bind to abstract interfaces
934 Needed when adding entries to a DACL from NT5 - SK */
936 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
937 init_rpc_hdr_ba(&hdr_ba,
945 RPC_IFACE null_interface;
946 ZERO_STRUCT(null_interface);
947 /* Rejection reason: abstract syntax not supported */
948 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
949 MAX_PDU_FRAG_LEN, assoc_gid,
950 ack_pipe_name, 0x1, 0x2, 0x1,
958 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
959 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
964 * Now the authentication.
967 if (p->ntlmssp_auth_requested) {
968 RPC_AUTH_VERIFIER auth_verifier;
969 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
971 generate_random_buffer(p->challenge, 8, False);
973 /*** Authentication info ***/
975 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
976 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
977 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
981 /*** NTLMSSP verifier ***/
983 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
984 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
985 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
989 /* NTLMSSP challenge ***/
991 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
992 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
993 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
997 /* Auth len in the rpc header doesn't include auth_header. */
998 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1002 * Create the header, now we know the length.
1005 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1007 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1011 * Marshall the header into the outgoing PDU.
1014 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1015 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1020 * Now add the RPC_HDR_BA and any auth needed.
1023 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1024 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1028 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1029 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1033 if(!p->ntlmssp_auth_requested)
1034 p->pipe_bound = True;
1037 * Setup the lengths for the initial reply.
1040 p->out_data.data_sent_length = 0;
1041 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1042 p->out_data.current_pdu_sent = 0;
1044 prs_mem_free(&out_hdr_ba);
1045 prs_mem_free(&out_auth);
1051 prs_mem_free(&outgoing_rpc);
1052 prs_mem_free(&out_hdr_ba);
1053 prs_mem_free(&out_auth);
1057 /****************************************************************************
1058 Deal with sign & seal processing on an RPC request.
1059 ****************************************************************************/
1061 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1064 * We always negotiate the following two bits....
1066 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1067 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1073 auth_len = p->hdr.auth_len;
1075 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1076 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1081 * The following is that length of the data we must verify or unseal.
1082 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1083 * preceeding the auth_data.
1086 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1087 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1089 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1090 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1094 * The data in rpc_in doesn't contain the RPC_HEADER as this
1095 * has already been consumed.
1097 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1098 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1099 crc32 = crc32_calc_buffer(data, data_len);
1102 old_offset = prs_offset(rpc_in);
1104 if (auth_seal || auth_verify) {
1105 RPC_HDR_AUTH auth_info;
1107 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1108 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1109 (unsigned int)old_offset + data_len ));
1113 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1114 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1120 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1121 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1123 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1126 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1129 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1130 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1131 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1135 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1136 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1137 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1141 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1142 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1148 * Return the current pointer to the data offset.
1151 if(!prs_set_offset(rpc_in, old_offset)) {
1152 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1153 (unsigned int)old_offset ));
1160 /****************************************************************************
1161 Return a user struct for a pipe user.
1162 ****************************************************************************/
1164 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1166 if (p->ntlmssp_auth_validated) {
1167 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1169 extern struct current_user current_user;
1170 memcpy(user, ¤t_user, sizeof(struct current_user));
1176 /****************************************************************************
1177 Find the correct RPC function to call for this request.
1178 If the pipe is authenticated then become the correct UNIX user
1179 before doing the call.
1180 ****************************************************************************/
1182 BOOL api_pipe_request(pipes_struct *p)
1187 if (p->ntlmssp_auth_validated) {
1189 if(!become_authenticated_pipe_user(p)) {
1190 prs_mem_free(&p->out_data.rdata);
1195 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1197 for (i = 0; i < rpc_lookup_size; i++) {
1198 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1199 DEBUG(3,("Doing \\PIPE\\%s\n",
1200 rpc_lookup[i].pipe.clnt));
1201 set_current_rpc_talloc(p->mem_ctx);
1202 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1204 rpc_lookup[i].n_cmds);
1205 set_current_rpc_talloc(NULL);
1211 if (i == rpc_lookup_size) {
1212 smb_probe_module("rpc", p->name);
1214 for (i = 0; i < rpc_lookup_size; i++) {
1215 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1216 DEBUG(3,("Doing \\PIPE\\%s\n",
1217 rpc_lookup[i].pipe.clnt));
1218 set_current_rpc_talloc(p->mem_ctx);
1219 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1221 rpc_lookup[i].n_cmds);
1222 set_current_rpc_talloc(NULL);
1228 if(p->ntlmssp_auth_validated)
1229 unbecome_authenticated_pipe_user();
1234 /*******************************************************************
1235 Calls the underlying RPC function for a named pipe.
1236 ********************************************************************/
1238 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1239 const struct api_struct *api_rpc_cmds, int n_cmds)
1243 uint32 offset1, offset2;
1245 /* interpret the command */
1246 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1248 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1249 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1251 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1252 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1253 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1258 if (fn_num == n_cmds) {
1260 * For an unknown RPC just return a fault PDU but
1261 * return True to allow RPC's on the pipe to continue
1262 * and not put the pipe into fault state. JRA.
1264 DEBUG(4, ("unknown\n"));
1265 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1269 offset1 = prs_offset(&p->out_data.rdata);
1271 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1272 fn_num, api_rpc_cmds[fn_num].fn));
1273 /* do the actual command */
1274 if(!api_rpc_cmds[fn_num].fn(p)) {
1275 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1276 prs_mem_free(&p->out_data.rdata);
1280 if (p->bad_handle_fault_state) {
1281 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1282 p->bad_handle_fault_state = False;
1283 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1287 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1288 offset2 = prs_offset(&p->out_data.rdata);
1289 prs_set_offset(&p->out_data.rdata, offset1);
1290 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1291 prs_set_offset(&p->out_data.rdata, offset2);
1293 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1295 /* Check for buffer underflow in rpc parsing */
1297 if ((DEBUGLEVEL >= 10) &&
1298 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1299 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1302 data = malloc(data_len);
1304 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1306 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);