2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 extern int DEBUGLEVEL;
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
53 for( ind = 0; ind < len; ind++) {
58 index_j += hash[index_i];
61 hash[index_i] = hash[index_j];
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL create_next_pdu(pipes_struct *p)
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
82 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
84 uint32 data_space_available;
86 prs_struct outgoing_pdu;
92 * If we're in the fault state, keep returning fault PDU's until
93 * the pipe gets closed. JRA.
101 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
103 /* Change the incoming request header to a response. */
104 p->hdr.pkt_type = RPC_RESPONSE;
106 /* Set up rpc header flags. */
107 if (p->out_data.data_sent_length == 0)
108 p->hdr.flags = RPC_FLG_FIRST;
113 * Work out how much we can fit in a sigle PDU.
116 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
117 if(p->ntlmssp_auth_validated)
118 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
121 * The amount we send is the minimum of the available
122 * space and the amount left to send.
125 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
128 * Ensure there really is data left to send.
132 DEBUG(0,("create_next_pdu: no data left to send !\n"));
136 data_len = MIN(data_len_left, data_space_available);
139 * Set up the alloc hint. This should be the data left to
143 hdr_resp.alloc_hint = data_len_left;
146 * Set up the header lengths.
149 if (p->ntlmssp_auth_validated) {
150 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
151 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
154 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
159 * Work out if this PDU will be the last.
162 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
163 p->hdr.flags |= RPC_FLG_LAST;
166 * Init the parse struct to point at the outgoing
170 prs_init( &outgoing_pdu, 0, 4, MARSHALL);
171 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
173 /* Store the header in the data stream. */
174 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
175 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
184 /* Store the current offset. */
185 data_pos = prs_offset(&outgoing_pdu);
187 /* Copy the data into the PDU. */
188 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
190 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
191 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
196 * Set data to point to where we copied the data into.
199 data = prs_data_p(&outgoing_pdu) + data_pos;
201 if (p->hdr.auth_len > 0) {
204 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
208 crc32 = crc32_calc_buffer(data, data_len);
209 NTLMSSPcalc_p(p, (uchar*)data, data_len);
212 if (auth_seal || auth_verify) {
213 RPC_HDR_AUTH auth_info;
215 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
216 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
224 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
225 char *auth_data = prs_data_p(&outgoing_pdu);
227 p->ntlmssp_seq_num++;
228 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
229 crc32, p->ntlmssp_seq_num++);
230 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
231 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
232 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
235 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
240 * Setup the counts for this PDU.
243 p->out_data.data_sent_length += data_len;
244 p->out_data.current_pdu_len = p->hdr.frag_len;
245 p->out_data.current_pdu_sent = 0;
250 /*******************************************************************
251 Process an NTLMSSP authentication response.
252 If this function succeeds, the user has been authenticated
253 and their domain, name and calling workstation stored in
255 The initial challenge is stored in p->challenge.
256 *******************************************************************/
258 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
263 fstring unix_user_name;
266 BOOL guest_user = False;
267 struct smb_passwd *smb_pass = NULL;
268 struct passwd *pass = NULL;
269 uchar null_smb_passwd[16];
270 uchar *smb_passwd_ptr = NULL;
272 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
274 memset(p->user_name, '\0', sizeof(p->user_name));
275 memset(p->unix_user_name, '\0', sizeof(p->unix_user_name));
276 memset(p->domain, '\0', sizeof(p->domain));
277 memset(p->wks, '\0', sizeof(p->wks));
280 * Setup an empty password for a guest user.
283 memset(null_smb_passwd,0,16);
286 * We always negotiate UNICODE.
289 if (IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_UNICODE)) {
290 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
291 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
292 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
294 fstrcpy(user_name, ntlmssp_resp->user);
295 fstrcpy(domain, ntlmssp_resp->domain);
296 fstrcpy(wks, ntlmssp_resp->wks);
299 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
301 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
302 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
304 #ifdef DEBUG_PASSWORD
305 DEBUG(100,("lm, nt owfs, chal\n"));
306 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
307 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
308 dump_data(100, (char *)p->challenge, 8);
312 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
315 if((strlen(user_name) == 0) && (ntlmssp_resp->hdr_lm_resp.str_str_len==0) &&
316 (ntlmssp_resp->hdr_nt_resp.str_str_len==0)) {
320 fstrcpy(unix_user_name, lp_guestaccount(-1));
321 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", unix_user_name));
323 smb_passwd_ptr = null_smb_passwd;
328 * Pass the user through the NT -> unix user mapping
332 fstrcpy(unix_user_name, user_name);
333 (void)map_username(unix_user_name);
336 * Do the length checking only if user is not NULL.
339 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
341 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
343 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
345 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
347 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
353 * Find the user in the unix password db.
356 if(!(pass = Get_Pwnam(unix_user_name,True))) {
357 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",unix_user_name));
365 if(!(p->ntlmssp_auth_validated = pass_check_smb(unix_user_name, domain,
366 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
367 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
368 failed authentication on named pipe %s.\n", domain, unix_user_name, wks, p->name ));
373 if(!(smb_pass = getsmbpwnam(unix_user_name))) {
374 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
382 if (smb_pass == NULL) {
383 DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in smb_passwd file.\n",
388 /* Quit if the account was disabled. */
389 if((smb_pass->acct_ctrl & ACB_DISABLED) || !smb_pass->smb_passwd) {
390 DEBUG(1,("Account for user '%s' was disabled.\n", unix_user_name));
394 if(!smb_pass->smb_nt_passwd) {
395 DEBUG(1,("Account for user '%s' has no NT password hash.\n", unix_user_name));
399 smb_passwd_ptr = smb_pass->smb_passwd;
403 * Set up the sign/seal data.
408 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
420 for (ind = 0; ind < 256; ind++)
421 p->ntlmssp_hash[ind] = (unsigned char)ind;
423 for( ind = 0; ind < 256; ind++) {
426 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
428 tc = p->ntlmssp_hash[ind];
429 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
430 p->ntlmssp_hash[j] = tc;
433 p->ntlmssp_hash[256] = 0;
434 p->ntlmssp_hash[257] = 0;
436 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
437 p->ntlmssp_seq_num = 0;
441 fstrcpy(p->user_name, user_name);
442 fstrcpy(p->unix_user_name, unix_user_name);
443 fstrcpy(p->domain, domain);
444 fstrcpy(p->wks, wks);
447 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
450 p->uid = pass->pw_uid;
451 p->gid = pass->pw_gid;
453 p->ntlmssp_auth_validated = True;
457 /*******************************************************************
458 The switch table for the pipe names and the functions to handle them.
459 *******************************************************************/
463 char * pipe_clnt_name;
464 char * pipe_srv_name;
465 BOOL (*fn) (pipes_struct *, prs_struct *);
468 static struct api_cmd api_fd_commands[] =
470 { "lsarpc", "lsass", api_ntlsa_rpc },
471 { "samr", "lsass", api_samr_rpc },
472 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
473 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
474 { "NETLOGON", "lsass", api_netlog_rpc },
475 #if 1 /* DISABLED_IN_2_0 JRATEST */
476 { "winreg", "winreg", api_reg_rpc },
481 /*******************************************************************
482 This is the client reply to our challenge for an authenticated
483 bind request. The challenge we sent is in p->challenge.
484 *******************************************************************/
486 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
488 RPC_HDR_AUTHA autha_info;
489 RPC_AUTH_VERIFIER auth_verifier;
490 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
492 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
495 * Create the response data buffer.
498 if(!pipe_init_outgoing_data(&p->out_data)) {
499 DEBUG(0,("api_pipe_bind_auth_resp: failed to create outgoing buffer.\n"));
503 if (p->hdr.auth_len == 0) {
504 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
509 * Decode the authentication verifier response.
512 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
513 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
517 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
518 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
519 (int)autha_info.auth_type, (int)autha_info.auth_level ));
523 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
524 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
529 * Ensure this is a NTLMSSP_AUTH packet type.
532 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
533 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
537 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
538 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
543 * The following call actually checks the challenge/response data.
544 * for correctness against the given DOMAIN\user name.
547 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
555 /*******************************************************************
556 Marshall a bind_nak pdu.
557 *******************************************************************/
559 static BOOL setup_bind_nak(pipes_struct *p)
561 prs_struct outgoing_rpc;
565 /* Free any memory in the current return data buffer. */
566 prs_mem_free(&p->out_data.rdata);
569 * Marshall directly into the outgoing PDU space. We
570 * must do this as we need to set to the bind response
571 * header and are never sending more than one PDU here.
574 prs_init( &outgoing_rpc, 0, 4, MARSHALL);
575 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
579 * Initialize a bind_nak header.
582 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
583 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
586 * Marshall the header into the outgoing PDU.
589 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
590 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
595 * Now add the reject reason.
598 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero))
601 p->out_data.data_sent_length = 0;
602 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
603 p->out_data.current_pdu_sent = 0;
605 p->pipe_bound = False;
610 /*******************************************************************
611 Marshall a fault pdu.
612 *******************************************************************/
614 BOOL setup_fault_pdu(pipes_struct *p)
616 prs_struct outgoing_pdu;
618 RPC_HDR_RESP hdr_resp;
619 RPC_HDR_FAULT fault_resp;
621 /* Free any memory in the current return data buffer. */
622 prs_mem_free(&p->out_data.rdata);
625 * Marshall directly into the outgoing PDU space. We
626 * must do this as we need to set to the bind response
627 * header and are never sending more than one PDU here.
630 prs_init( &outgoing_pdu, 0, 4, MARSHALL);
631 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
634 * Initialize a fault header.
637 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
638 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
641 * Initialize the HDR_RESP and FAULT parts of the PDU.
644 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
646 fault_resp.status = 0x1c010002;
647 fault_resp.reserved = 0;
650 * Marshall the header into the outgoing PDU.
653 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
654 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
658 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
659 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
663 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
664 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
668 p->out_data.data_sent_length = 0;
669 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
670 p->out_data.current_pdu_sent = 0;
675 /*******************************************************************
676 Respond to a pipe bind request.
677 *******************************************************************/
679 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
683 RPC_HDR_AUTH auth_info;
685 fstring ack_pipe_name;
686 prs_struct out_hdr_ba;
688 prs_struct outgoing_rpc;
691 enum RPC_PKT_TYPE reply_pkt_type;
693 p->ntlmssp_auth_requested = False;
695 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
698 * Create the response data buffer.
701 if(!pipe_init_outgoing_data(&p->out_data)) {
702 DEBUG(0,("api_pipe_bind_req: failed to create outgoing buffer.\n"));
707 * Try and find the correct pipe name to ensure
708 * that this is a pipe name we support.
711 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
712 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
713 api_fd_commands[i].fn != NULL) {
714 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
715 api_fd_commands[i].pipe_clnt_name,
716 api_fd_commands[i].pipe_srv_name));
717 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
722 if (api_fd_commands[i].fn == NULL) {
723 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
725 if(!setup_bind_nak(p))
730 /* decode the bind request */
731 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
732 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
737 * Check if this is an authenticated request.
740 if (p->hdr.auth_len != 0) {
741 RPC_AUTH_VERIFIER auth_verifier;
742 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
745 * Decode the authentication verifier.
748 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
749 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
754 * We only support NTLMSSP_AUTH_TYPE requests.
757 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
758 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
759 auth_info.auth_type ));
763 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
764 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
768 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
769 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
773 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
774 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
775 auth_verifier.msg_type));
779 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
780 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
784 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
785 p->ntlmssp_auth_requested = True;
788 switch(p->hdr.pkt_type) {
790 /* name has to be \PIPE\xxxxx */
791 fstrcpy(ack_pipe_name, "\\PIPE\\");
792 fstrcat(ack_pipe_name, p->pipe_srv_name);
793 reply_pkt_type = RPC_BINDACK;
796 /* secondary address CAN be NULL
797 * as the specs say it's ignored.
798 * It MUST NULL to have the spoolss working.
800 fstrcpy(ack_pipe_name,"");
801 reply_pkt_type = RPC_ALTCONTRESP;
807 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
810 * Marshall directly into the outgoing PDU space. We
811 * must do this as we need to set to the bind response
812 * header and are never sending more than one PDU here.
815 prs_init( &outgoing_rpc, 0, 4, MARSHALL);
816 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
819 * Setup the memory to marshall the ba header, and the
823 if(!prs_init(&out_hdr_ba, 1024, 4, MARSHALL)) {
824 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
828 if(!prs_init(&out_auth, 1024, 4, MARSHALL)) {
829 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
830 prs_mem_free(&out_hdr_ba);
834 if (p->ntlmssp_auth_requested)
837 assoc_gid = hdr_rb.bba.assoc_gid;
840 * Create the bind response struct.
843 init_rpc_hdr_ba(&hdr_ba,
855 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
856 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
861 * Now the authentication.
864 if (p->ntlmssp_auth_requested) {
865 RPC_AUTH_VERIFIER auth_verifier;
866 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
868 generate_random_buffer(p->challenge, 8, False);
870 /*** Authentication info ***/
872 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
873 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
874 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
878 /*** NTLMSSP verifier ***/
880 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
881 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
882 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
886 /* NTLMSSP challenge ***/
888 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
889 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
890 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
894 /* Auth len in the rpc header doesn't include auth_header. */
895 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
899 * Create the header, now we know the length.
902 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
904 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
908 * Marshall the header into the outgoing PDU.
911 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
912 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
917 * Now add the RPC_HDR_BA and any auth needed.
920 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
921 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
925 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
926 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
930 if(!p->ntlmssp_auth_requested)
931 p->pipe_bound = True;
934 * Setup the lengths for the initial reply.
937 p->out_data.data_sent_length = 0;
938 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
939 p->out_data.current_pdu_sent = 0;
941 prs_mem_free(&out_hdr_ba);
942 prs_mem_free(&out_auth);
948 prs_mem_free(&out_hdr_ba);
949 prs_mem_free(&out_auth);
953 /****************************************************************************
954 Deal with sign & seal processing on an RPC request.
955 ****************************************************************************/
957 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
960 * We always negotiate the following two bits....
962 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
963 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
969 auth_len = p->hdr.auth_len;
971 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
972 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
977 * The following is that length of the data we must verify or unseal.
978 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
979 * preceeding the auth_data.
982 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
983 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
985 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
986 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
989 char *data = prs_data_p(rpc_in) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
990 NTLMSSPcalc_p(p, (uchar*)data, data_len);
991 crc32 = crc32_calc_buffer(data, data_len);
994 old_offset = prs_offset(rpc_in);
996 if (auth_seal || auth_verify) {
997 RPC_HDR_AUTH auth_info;
999 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1000 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1001 (unsigned int)old_offset + data_len ));
1005 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1006 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1012 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1013 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1015 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1018 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1021 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1022 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1023 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1027 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1028 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1029 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1033 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1034 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1040 * Return the current pointer to the data offset.
1043 if(!prs_set_offset(rpc_in, old_offset)) {
1044 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1045 (unsigned int)old_offset ));
1052 /****************************************************************************
1053 Find the correct RPC function to call for this request.
1054 If the pipe is authenticated then become the correct UNIX user
1055 before doing the call.
1056 ****************************************************************************/
1058 BOOL api_pipe_request(pipes_struct *p)
1062 BOOL changed_user_id = False;
1065 * Create the response data buffer.
1068 if(!pipe_init_outgoing_data(&p->out_data)) {
1069 DEBUG(0,("api_pipe_request: failed to create outgoing buffer.\n"));
1073 if (p->ntlmssp_auth_validated) {
1075 if(!become_authenticated_pipe_user(p)) {
1076 prs_mem_free(&p->out_data.rdata);
1080 changed_user_id = True;
1083 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1084 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1085 api_fd_commands[i].fn != NULL) {
1086 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1087 ret = api_fd_commands[i].fn(p, &p->in_data.data);
1092 unbecome_authenticated_pipe_user(p);
1097 /*******************************************************************
1098 Calls the underlying RPC function for a named pipe.
1099 ********************************************************************/
1101 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds,
1106 /* interpret the command */
1107 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1109 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1110 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1111 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1116 if (api_rpc_cmds[fn_num].name == NULL) {
1118 * For an unknown RPC just return a fault PDU but
1119 * return True to allow RPC's on the pipe to continue
1120 * and not put the pipe into fault state. JRA.
1122 DEBUG(4, ("unknown\n"));
1127 /* do the actual command */
1128 if(!api_rpc_cmds[fn_num].fn(p->vuid, rpc_in, &p->out_data.rdata)) {
1129 DEBUG(0,("api_rpcTNP: %s: failed.\n", rpc_name));
1130 prs_mem_free(&p->out_data.rdata);
1134 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));