2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 extern int DEBUGLEVEL;
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
53 for( ind = 0; ind < len; ind++) {
58 index_j += hash[index_i];
61 hash[index_i] = hash[index_j];
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL create_next_pdu(pipes_struct *p)
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
82 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
84 uint32 data_space_available;
86 prs_struct outgoing_pdu;
91 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
93 /* Change the incoming request header to a response. */
94 p->hdr.pkt_type = RPC_RESPONSE;
96 /* Set up rpc header flags. */
97 if (p->data_sent_length == 0)
98 p->hdr.flags = RPC_FLG_FIRST;
103 * Work out how much we can fit in a sigle PDU.
106 data_space_available = sizeof(p->current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
107 if(p->ntlmssp_auth_validated)
108 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
111 * The amount we send is the minimum of the available
112 * space and the amount left to send.
115 data_len_left = prs_offset(&p->rdata) - p->data_sent_length;
118 * Ensure there really is data left to send.
122 DEBUG(0,("create_next_pdu: no data left to send !\n"));
126 data_len = MIN(data_len_left, data_space_available);
129 * Set up the alloc hint. This should be the data left to
133 hdr_resp.alloc_hint = data_len_left;
136 * Set up the header lengths.
139 if (p->ntlmssp_auth_validated) {
140 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
141 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
142 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
144 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
149 * Work out if this PDU will be the last.
152 if(p->data_sent_length + data_len >= prs_offset(&p->rdata))
153 p->hdr.flags |= RPC_FLG_LAST;
156 * Init the parse struct to point at the outgoing
160 prs_init( &outgoing_pdu, 0, 4, MARSHALL);
161 prs_give_memory( &outgoing_pdu, (char *)p->current_pdu, sizeof(p->current_pdu), False);
163 /* Store the header in the data stream. */
164 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
165 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
169 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
170 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
174 /* Store the current offset. */
175 data_pos = prs_offset(&outgoing_pdu);
177 /* Copy the data into the PDU. */
178 data_from = prs_data_p(&p->rdata) + p->data_sent_length;
180 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
181 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
186 * Set data to point to where we copied the data into.
189 data = prs_data_p(&outgoing_pdu) + data_pos;
191 if (p->hdr.auth_len > 0) {
194 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
195 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
198 crc32 = crc32_calc_buffer(data, data_len);
199 NTLMSSPcalc_p(p, (uchar*)data, data_len);
202 if (auth_seal || auth_verify) {
203 RPC_HDR_AUTH auth_info;
205 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
206 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
207 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
208 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
214 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
215 char *auth_data = prs_data_p(&outgoing_pdu);
217 p->ntlmssp_seq_num++;
218 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
219 crc32, p->ntlmssp_seq_num++);
220 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
221 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
222 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
225 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
230 * Setup the counts for this PDU.
233 p->data_sent_length += data_len;
234 p->current_pdu_len = p->hdr.frag_len;
235 p->current_pdu_sent = 0;
240 /*******************************************************************
241 Process an NTLMSSP authentication response.
242 If this function succeeds, the user has been authenticated
243 and their domain, name and calling workstation stored in
245 The initial challenge is stored in p->challenge.
246 *******************************************************************/
248 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
253 fstring unix_user_name;
256 BOOL guest_user = False;
257 struct smb_passwd *smb_pass = NULL;
258 struct passwd *pass = NULL;
259 uchar null_smb_passwd[16];
260 uchar *smb_passwd_ptr = NULL;
262 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
264 memset(p->user_name, '\0', sizeof(p->user_name));
265 memset(p->unix_user_name, '\0', sizeof(p->unix_user_name));
266 memset(p->domain, '\0', sizeof(p->domain));
267 memset(p->wks, '\0', sizeof(p->wks));
270 * Setup an empty password for a guest user.
273 memset(null_smb_passwd,0,16);
276 * We always negotiate UNICODE.
279 if (IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_UNICODE)) {
280 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
281 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
282 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
284 fstrcpy(user_name, ntlmssp_resp->user);
285 fstrcpy(domain, ntlmssp_resp->domain);
286 fstrcpy(wks, ntlmssp_resp->wks);
289 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
291 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
292 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
294 #ifdef DEBUG_PASSWORD
295 DEBUG(100,("lm, nt owfs, chal\n"));
296 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
297 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
298 dump_data(100, (char *)p->challenge, 8);
302 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
305 if((strlen(user_name) == 0) && (ntlmssp_resp->hdr_lm_resp.str_str_len==0) &&
306 (ntlmssp_resp->hdr_nt_resp.str_str_len==0)) {
310 fstrcpy(unix_user_name, lp_guestaccount(-1));
311 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", unix_user_name));
313 smb_passwd_ptr = null_smb_passwd;
318 * Pass the user through the NT -> unix user mapping
322 fstrcpy(unix_user_name, user_name);
323 (void)map_username(unix_user_name);
326 * Do the length checking only if user is not NULL.
329 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
331 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
333 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
335 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
337 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
343 * Find the user in the unix password db.
346 if(!(pass = Get_Pwnam(unix_user_name,True))) {
347 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",unix_user_name));
355 if(!(p->ntlmssp_auth_validated = pass_check_smb(unix_user_name, domain,
356 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
357 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
358 failed authentication on named pipe %s.\n", domain, unix_user_name, wks, p->name ));
363 if(!(smb_pass = getsmbpwnam(unix_user_name))) {
364 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
372 if (smb_pass == NULL) {
373 DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in smb_passwd file.\n",
378 /* Quit if the account was disabled. */
379 if((smb_pass->acct_ctrl & ACB_DISABLED) || !smb_pass->smb_passwd) {
380 DEBUG(1,("Account for user '%s' was disabled.\n", unix_user_name));
384 if(!smb_pass->smb_nt_passwd) {
385 DEBUG(1,("Account for user '%s' has no NT password hash.\n", unix_user_name));
389 smb_passwd_ptr = smb_pass->smb_passwd;
393 * Set up the sign/seal data.
398 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
410 for (ind = 0; ind < 256; ind++)
411 p->ntlmssp_hash[ind] = (unsigned char)ind;
413 for( ind = 0; ind < 256; ind++) {
416 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
418 tc = p->ntlmssp_hash[ind];
419 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
420 p->ntlmssp_hash[j] = tc;
423 p->ntlmssp_hash[256] = 0;
424 p->ntlmssp_hash[257] = 0;
426 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
427 p->ntlmssp_seq_num = 0;
431 fstrcpy(p->user_name, user_name);
432 fstrcpy(p->unix_user_name, unix_user_name);
433 fstrcpy(p->domain, domain);
434 fstrcpy(p->wks, wks);
437 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
440 p->uid = pass->pw_uid;
441 p->gid = pass->pw_gid;
443 p->ntlmssp_auth_validated = True;
447 /*******************************************************************
448 The switch table for the pipe names and the functions to handle them.
449 *******************************************************************/
453 char * pipe_clnt_name;
454 char * pipe_srv_name;
455 BOOL (*fn) (pipes_struct *, prs_struct *);
458 static struct api_cmd api_fd_commands[] =
460 { "lsarpc", "lsass", api_ntlsa_rpc },
461 { "samr", "lsass", api_samr_rpc },
462 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
463 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
464 { "NETLOGON", "lsass", api_netlog_rpc },
466 { "winreg", "winreg", api_reg_rpc },
471 /*******************************************************************
472 This is the client reply to our challenge for an authenticated
473 bind request. The challenge we sent is in p->challenge.
474 *******************************************************************/
476 static BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *pd)
478 RPC_HDR_AUTHA autha_info;
479 RPC_AUTH_VERIFIER auth_verifier;
480 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
482 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
484 if (p->hdr.auth_len == 0) {
485 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
490 * Decode the authentication verifier response.
493 if(!smb_io_rpc_hdr_autha("", &autha_info, pd, 0)) {
494 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
498 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
499 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
500 (int)autha_info.auth_type, (int)autha_info.auth_level ));
504 if(!smb_io_rpc_auth_verifier("", &auth_verifier, pd, 0)) {
505 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
510 * Ensure this is a NTLMSSP_AUTH packet type.
513 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
514 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
518 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, pd, 0)) {
519 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
524 * The following call actually checks the challenge/response data.
525 * for correctness against the given DOMAIN\user name.
528 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
534 /*******************************************************************
535 Marshall a bind_nak pdu.
536 *******************************************************************/
538 static BOOL setup_bind_nak(pipes_struct *p, prs_struct *pd)
540 prs_struct outgoing_rpc;
545 * Marshall directly into the outgoing PDU space. We
546 * must do this as we need to set to the bind response
547 * header and are never sending more than one PDU here.
550 prs_init( &outgoing_rpc, 0, 4, MARSHALL);
551 prs_give_memory( &outgoing_rpc, (char *)p->current_pdu, sizeof(p->current_pdu), False);
555 * Initialize a bind_nak header.
558 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
559 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
562 * Marshall the header into the outgoing PDU.
565 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
566 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
571 * Now add the reject reason.
574 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero))
577 p->data_sent_length = 0;
578 p->current_pdu_len = prs_offset(&outgoing_rpc);
579 p->current_pdu_sent = 0;
584 /*******************************************************************
585 Respond to a pipe bind request.
586 *******************************************************************/
588 static BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *pd)
592 RPC_HDR_AUTH auth_info;
594 fstring ack_pipe_name;
595 prs_struct out_hdr_ba;
597 prs_struct outgoing_rpc;
601 p->ntlmssp_auth_requested = False;
603 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
606 * Try and find the correct pipe name to ensure
607 * that this is a pipe name we support.
610 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
611 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
612 api_fd_commands[i].fn != NULL) {
613 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
614 api_fd_commands[i].pipe_clnt_name,
615 api_fd_commands[i].pipe_srv_name));
616 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
621 if (api_fd_commands[i].fn == NULL) {
622 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
624 if(!setup_bind_nak(p, pd))
629 /* decode the bind request */
630 if(!smb_io_rpc_hdr_rb("", &hdr_rb, pd, 0)) {
631 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
636 * Check if this is an authenticated request.
639 if (p->hdr.auth_len != 0) {
640 RPC_AUTH_VERIFIER auth_verifier;
641 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
644 * Decode the authentication verifier.
647 if(!smb_io_rpc_hdr_auth("", &auth_info, pd, 0)) {
648 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
653 * We only support NTLMSSP_AUTH_TYPE requests.
656 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
657 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
658 auth_info.auth_type ));
662 if(!smb_io_rpc_auth_verifier("", &auth_verifier, pd, 0)) {
663 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
667 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
668 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
672 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
673 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
674 auth_verifier.msg_type));
678 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, pd, 0)) {
679 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
683 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
684 p->ntlmssp_auth_requested = True;
687 /* name has to be \PIPE\xxxxx */
688 fstrcpy(ack_pipe_name, "\\PIPE\\");
689 fstrcat(ack_pipe_name, p->pipe_srv_name);
691 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
694 * Marshall directly into the outgoing PDU space. We
695 * must do this as we need to set to the bind response
696 * header and are never sending more than one PDU here.
699 prs_init( &outgoing_rpc, 0, 4, MARSHALL);
700 prs_give_memory( &outgoing_rpc, (char *)p->current_pdu, sizeof(p->current_pdu), False);
703 * Setup the memory to marshall the ba header, and the
707 if(!prs_init(&out_hdr_ba, 1024, 4, MARSHALL)) {
708 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
712 if(!prs_init(&out_auth, 1024, 4, MARSHALL)) {
713 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
714 prs_mem_free(&out_hdr_ba);
718 if (p->ntlmssp_auth_requested)
721 assoc_gid = hdr_rb.bba.assoc_gid;
724 * Create the bind response struct.
727 init_rpc_hdr_ba(&hdr_ba,
728 hdr_rb.bba.max_tsize,
729 hdr_rb.bba.max_rsize,
739 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
740 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
745 * Now the authentication.
748 if (p->ntlmssp_auth_requested) {
749 RPC_AUTH_VERIFIER auth_verifier;
750 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
752 generate_random_buffer(p->challenge, 8, False);
754 /*** Authentication info ***/
756 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
757 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
758 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
762 /*** NTLMSSP verifier ***/
764 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
765 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
766 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
770 /* NTLMSSP challenge ***/
772 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
773 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
774 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
778 /* Auth len in the rpc header doesn't include auth_header. */
779 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
783 * Create the header, now we know the length.
786 init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
788 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
792 * Marshall the header into the outgoing PDU.
795 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
796 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
801 * Now add the RPC_HDR_BA and any auth needed.
804 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
805 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
809 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
810 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
815 * Setup the lengths for the initial reply.
818 p->data_sent_length = 0;
819 p->current_pdu_len = prs_offset(&outgoing_rpc);
820 p->current_pdu_sent = 0;
822 prs_mem_free(&out_hdr_ba);
823 prs_mem_free(&out_auth);
829 prs_mem_free(&out_hdr_ba);
830 prs_mem_free(&out_auth);
834 /****************************************************************************
835 Deal with sign & seal processing on an RPC request.
836 ****************************************************************************/
838 static BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
841 * We always negotiate the following two bits....
843 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
844 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
850 auth_len = p->hdr.auth_len;
852 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
853 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
858 * The following is that length of the data we must verify or unseal.
859 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
860 * preceeding the auth_data.
863 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
864 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
866 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
867 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
870 char *data = prs_data_p(rpc_in) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
871 NTLMSSPcalc_p(p, (uchar*)data, data_len);
872 crc32 = crc32_calc_buffer(data, data_len);
875 old_offset = prs_offset(rpc_in);
877 if (auth_seal || auth_verify) {
878 RPC_HDR_AUTH auth_info;
880 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
881 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
882 (unsigned int)old_offset + data_len ));
886 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
887 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
893 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
894 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
896 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
899 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
902 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
903 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
904 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
908 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
909 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
910 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
914 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
915 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
921 * Return the current pointer to the data offset.
924 if(!prs_set_offset(rpc_in, old_offset)) {
925 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
926 (unsigned int)old_offset ));
933 /****************************************************************************
934 Find the correct RPC function to call for this request.
935 If the pipe is authenticated then become the correct UNIX user
936 before doing the call.
937 ****************************************************************************/
939 static BOOL api_pipe_request(pipes_struct *p, prs_struct *rpc_in)
943 BOOL changed_user_id = False;
945 if (p->ntlmssp_auth_validated) {
946 if (!api_pipe_auth_process(p, rpc_in))
949 if(!become_authenticated_pipe_user(p))
952 changed_user_id = True;
955 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
956 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
957 api_fd_commands[i].fn != NULL) {
958 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
959 ret = api_fd_commands[i].fn(p, rpc_in);
964 unbecome_authenticated_pipe_user(p);
969 /****************************************************************************
970 This function is the entry point to processing a DCE/RPC request.
971 All the data for the request (including RPC headers and authentication
972 verifiers) must be linearized in the input_data buffer, with a length
975 The output is placed into the pipes_struct, and handed back to the
977 ****************************************************************************/
979 BOOL rpc_command(pipes_struct *p, char *input_data, int data_len)
984 if (input_data == NULL)
987 prs_init(&rpc_in, 0, 4, UNMARSHALL);
990 * Hand the data to the prs_struct, but don't let
993 prs_give_memory( &rpc_in, input_data, (uint32)data_len, False);
995 /* Unmarshall the rpc header */
996 if(!smb_io_rpc_hdr("", &p->hdr, &rpc_in, 0)) {
997 DEBUG(0,("rpc_command: failed to unmarshall RPC_HDR.\n"));
1002 * Create the response data buffer.
1005 if(!pipe_init_outgoing_data(p)) {
1006 DEBUG(0,("rpc_command: failed to unmarshall RPC_HDR.\n"));
1010 switch (p->hdr.pkt_type) {
1012 reply = api_pipe_bind_req(p, &rpc_in);
1015 if (p->ntlmssp_auth_requested && !p->ntlmssp_auth_validated) {
1016 /* authentication _was_ requested
1017 and it failed. sorry, no deal!
1019 DEBUG(0,("rpc_command: RPC request received on pipe %s where \
1020 authentication failed. Denying the request.\n", p->name));
1023 /* read the RPC request header */
1024 if(!smb_io_rpc_hdr_req("req", &p->hdr_req, &rpc_in, 0)) {
1025 DEBUG(0,("rpc_command: failed to unmarshall RPC_HDR_REQ.\n"));
1028 reply = api_pipe_request(p, &rpc_in);
1031 case RPC_BINDRESP: /* not the real name! */
1032 reply = api_pipe_bind_auth_resp(p, &rpc_in);
1037 DEBUG(3,("rpc_command: DCE/RPC fault should be sent here\n"));
1043 /*******************************************************************
1044 Calls the underlying RPC function for a named pipe.
1045 ********************************************************************/
1047 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds,
1052 /* interpret the command */
1053 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1055 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1056 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1057 DEBUG(3,("api_rpc_command: %s\n", api_rpc_cmds[fn_num].name));
1062 if (api_rpc_cmds[fn_num].name == NULL) {
1063 DEBUG(4, ("unknown\n"));
1067 /* do the actual command */
1068 if(!api_rpc_cmds[fn_num].fn(p->vuid, rpc_in, &p->rdata)) {
1069 DEBUG(0,("api_rpcTNP: %s: failed.\n", rpc_name));
1070 prs_mem_free(&p->rdata);
1074 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));