3 * Unix SMB/Netbios implementation.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1997-1998.
9 * Copyright (C) Jeremy Allison 1999.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 /* this module apparently provides an implementation of DCE/RPC over a
27 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
28 * documentation are available (in on-line form) from the X-Open group.
30 * this module should provide a level of abstraction between SMB
31 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
32 * data copies, and network traffic.
34 * in this version, which takes a "let's learn what's going on and
35 * get something running" approach, there is additional network
36 * traffic generated, but the code should be easier to understand...
38 * ... if you read the docs. or stare at packets for weeks on end.
44 extern int DEBUGLEVEL;
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
53 for( ind = 0; ind < len; ind++) {
58 index_j += hash[index_i];
61 hash[index_i] = hash[index_j];
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL create_next_pdu(pipes_struct *p)
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
82 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
84 uint32 data_space_available;
86 prs_struct outgoing_pdu;
92 * If we're in the fault state, keep returning fault PDU's until
93 * the pipe gets closed. JRA.
101 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
103 /* Change the incoming request header to a response. */
104 p->hdr.pkt_type = RPC_RESPONSE;
106 /* Set up rpc header flags. */
107 if (p->out_data.data_sent_length == 0)
108 p->hdr.flags = RPC_FLG_FIRST;
113 * Work out how much we can fit in a sigle PDU.
116 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
117 if(p->ntlmssp_auth_validated)
118 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
121 * The amount we send is the minimum of the available
122 * space and the amount left to send.
125 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
128 * Ensure there really is data left to send.
132 DEBUG(0,("create_next_pdu: no data left to send !\n"));
136 data_len = MIN(data_len_left, data_space_available);
139 * Set up the alloc hint. This should be the data left to
143 hdr_resp.alloc_hint = data_len_left;
146 * Set up the header lengths.
149 if (p->ntlmssp_auth_validated) {
150 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
151 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
154 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
159 * Work out if this PDU will be the last.
162 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
163 p->hdr.flags |= RPC_FLG_LAST;
166 * Init the parse struct to point at the outgoing
170 prs_init( &outgoing_pdu, 0, 4, MARSHALL);
171 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
173 /* Store the header in the data stream. */
174 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
175 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
179 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
180 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
184 /* Store the current offset. */
185 data_pos = prs_offset(&outgoing_pdu);
187 /* Copy the data into the PDU. */
188 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
190 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
191 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
196 * Set data to point to where we copied the data into.
199 data = prs_data_p(&outgoing_pdu) + data_pos;
201 if (p->hdr.auth_len > 0) {
204 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
205 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
208 crc32 = crc32_calc_buffer(data, data_len);
209 NTLMSSPcalc_p(p, (uchar*)data, data_len);
212 if (auth_seal || auth_verify) {
213 RPC_HDR_AUTH auth_info;
215 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
216 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
217 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
218 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
224 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
225 char *auth_data = prs_data_p(&outgoing_pdu);
227 p->ntlmssp_seq_num++;
228 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
229 crc32, p->ntlmssp_seq_num++);
230 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
231 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
232 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
235 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
240 * Setup the counts for this PDU.
243 p->out_data.data_sent_length += data_len;
244 p->out_data.current_pdu_len = p->hdr.frag_len;
245 p->out_data.current_pdu_sent = 0;
250 /*******************************************************************
251 Process an NTLMSSP authentication response.
252 If this function succeeds, the user has been authenticated
253 and their domain, name and calling workstation stored in
255 The initial challenge is stored in p->challenge.
256 *******************************************************************/
258 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
263 fstring unix_user_name;
266 BOOL guest_user = False;
267 struct smb_passwd *smb_pass = NULL;
268 struct passwd *pass = NULL;
269 uchar null_smb_passwd[16];
270 uchar *smb_passwd_ptr = NULL;
272 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
274 memset(p->user_name, '\0', sizeof(p->user_name));
275 memset(p->unix_user_name, '\0', sizeof(p->unix_user_name));
276 memset(p->domain, '\0', sizeof(p->domain));
277 memset(p->wks, '\0', sizeof(p->wks));
280 * Setup an empty password for a guest user.
283 memset(null_smb_passwd,0,16);
286 * We always negotiate UNICODE.
289 if (IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_UNICODE)) {
290 fstrcpy(user_name, dos_unistrn2((uint16*)ntlmssp_resp->user, ntlmssp_resp->hdr_usr.str_str_len/2));
291 fstrcpy(domain, dos_unistrn2((uint16*)ntlmssp_resp->domain, ntlmssp_resp->hdr_domain.str_str_len/2));
292 fstrcpy(wks, dos_unistrn2((uint16*)ntlmssp_resp->wks, ntlmssp_resp->hdr_wks.str_str_len/2));
294 fstrcpy(user_name, ntlmssp_resp->user);
295 fstrcpy(domain, ntlmssp_resp->domain);
296 fstrcpy(wks, ntlmssp_resp->wks);
299 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
301 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
302 memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf));
304 #ifdef DEBUG_PASSWORD
305 DEBUG(100,("lm, nt owfs, chal\n"));
306 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
307 dump_data(100, (char *)nt_owf, sizeof(nt_owf));
308 dump_data(100, (char *)p->challenge, 8);
312 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
315 if((strlen(user_name) == 0) &&
316 (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
320 fstrcpy(unix_user_name, lp_guestaccount(-1));
321 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", unix_user_name));
323 smb_passwd_ptr = null_smb_passwd;
328 * Pass the user through the NT -> unix user mapping
332 fstrcpy(unix_user_name, user_name);
333 (void)map_username(unix_user_name);
336 * Do the length checking only if user is not NULL.
339 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
341 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
343 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
345 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
347 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
353 * Find the user in the unix password db.
356 if(!(pass = Get_Pwnam(unix_user_name,True))) {
357 DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",unix_user_name));
365 if(!(p->ntlmssp_auth_validated = pass_check_smb(unix_user_name, domain,
366 (uchar*)p->challenge, lm_owf, nt_owf, NULL))) {
367 DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
368 failed authentication on named pipe %s.\n", domain, unix_user_name, wks, p->name ));
373 if(!(smb_pass = getsmbpwnam(unix_user_name))) {
374 DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n",
382 if (smb_pass == NULL) {
383 DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in smb_passwd file.\n",
388 /* Quit if the account was disabled. */
389 if((smb_pass->acct_ctrl & ACB_DISABLED) || !smb_pass->smb_passwd) {
390 DEBUG(1,("Account for user '%s' was disabled.\n", unix_user_name));
394 if(!smb_pass->smb_nt_passwd) {
395 DEBUG(1,("Account for user '%s' has no NT password hash.\n", unix_user_name));
399 smb_passwd_ptr = smb_pass->smb_passwd;
403 * Set up the sign/seal data.
408 NTLMSSPOWFencrypt(smb_passwd_ptr, lm_owf, p24);
420 for (ind = 0; ind < 256; ind++)
421 p->ntlmssp_hash[ind] = (unsigned char)ind;
423 for( ind = 0; ind < 256; ind++) {
426 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
428 tc = p->ntlmssp_hash[ind];
429 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
430 p->ntlmssp_hash[j] = tc;
433 p->ntlmssp_hash[256] = 0;
434 p->ntlmssp_hash[257] = 0;
436 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
437 p->ntlmssp_seq_num = 0;
441 fstrcpy(p->user_name, user_name);
442 fstrcpy(p->unix_user_name, unix_user_name);
443 fstrcpy(p->domain, domain);
444 fstrcpy(p->wks, wks);
447 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
450 p->uid = pass->pw_uid;
451 p->gid = pass->pw_gid;
453 p->ntlmssp_auth_validated = True;
457 /*******************************************************************
458 The switch table for the pipe names and the functions to handle them.
459 *******************************************************************/
463 char * pipe_clnt_name;
464 char * pipe_srv_name;
465 BOOL (*fn) (pipes_struct *, prs_struct *);
468 static struct api_cmd api_fd_commands[] =
470 { "lsarpc", "lsass", api_ntlsa_rpc },
471 { "samr", "lsass", api_samr_rpc },
472 { "srvsvc", "ntsvcs", api_srvsvc_rpc },
473 { "wkssvc", "ntsvcs", api_wkssvc_rpc },
474 { "NETLOGON", "lsass", api_netlog_rpc },
475 #if 1 /* DISABLED_IN_2_0 JRATEST */
476 { "winreg", "winreg", api_reg_rpc },
478 { "spoolss", "spoolss", api_spoolss_rpc },
482 /*******************************************************************
483 This is the client reply to our challenge for an authenticated
484 bind request. The challenge we sent is in p->challenge.
485 *******************************************************************/
487 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
489 RPC_HDR_AUTHA autha_info;
490 RPC_AUTH_VERIFIER auth_verifier;
491 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
493 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
495 if (p->hdr.auth_len == 0) {
496 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
501 * Decode the authentication verifier response.
504 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
505 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
509 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
510 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
511 (int)autha_info.auth_type, (int)autha_info.auth_level ));
515 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
516 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
521 * Ensure this is a NTLMSSP_AUTH packet type.
524 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
525 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
529 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
530 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
535 * The following call actually checks the challenge/response data.
536 * for correctness against the given DOMAIN\user name.
539 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
547 /*******************************************************************
548 Marshall a bind_nak pdu.
549 *******************************************************************/
551 static BOOL setup_bind_nak(pipes_struct *p)
553 prs_struct outgoing_rpc;
557 /* Free any memory in the current return data buffer. */
558 prs_mem_free(&p->out_data.rdata);
561 * Marshall directly into the outgoing PDU space. We
562 * must do this as we need to set to the bind response
563 * header and are never sending more than one PDU here.
566 prs_init( &outgoing_rpc, 0, 4, MARSHALL);
567 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
571 * Initialize a bind_nak header.
574 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
575 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
578 * Marshall the header into the outgoing PDU.
581 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
582 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
587 * Now add the reject reason.
590 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero))
593 p->out_data.data_sent_length = 0;
594 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
595 p->out_data.current_pdu_sent = 0;
597 p->pipe_bound = False;
602 /*******************************************************************
603 Marshall a fault pdu.
604 *******************************************************************/
606 BOOL setup_fault_pdu(pipes_struct *p)
608 prs_struct outgoing_pdu;
610 RPC_HDR_RESP hdr_resp;
611 RPC_HDR_FAULT fault_resp;
613 /* Free any memory in the current return data buffer. */
614 prs_mem_free(&p->out_data.rdata);
617 * Marshall directly into the outgoing PDU space. We
618 * must do this as we need to set to the bind response
619 * header and are never sending more than one PDU here.
622 prs_init( &outgoing_pdu, 0, 4, MARSHALL);
623 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
626 * Initialize a fault header.
629 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
630 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
633 * Initialize the HDR_RESP and FAULT parts of the PDU.
636 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
638 fault_resp.status = 0x1c010002;
639 fault_resp.reserved = 0;
642 * Marshall the header into the outgoing PDU.
645 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
646 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
650 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
651 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
655 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
656 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
660 p->out_data.data_sent_length = 0;
661 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
662 p->out_data.current_pdu_sent = 0;
667 /*******************************************************************
668 Respond to a pipe bind request.
669 *******************************************************************/
671 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
675 RPC_HDR_AUTH auth_info;
677 fstring ack_pipe_name;
678 prs_struct out_hdr_ba;
680 prs_struct outgoing_rpc;
683 enum RPC_PKT_TYPE reply_pkt_type;
685 p->ntlmssp_auth_requested = False;
687 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
690 * Try and find the correct pipe name to ensure
691 * that this is a pipe name we support.
694 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
695 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
696 api_fd_commands[i].fn != NULL) {
697 DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
698 api_fd_commands[i].pipe_clnt_name,
699 api_fd_commands[i].pipe_srv_name));
700 fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
705 if (api_fd_commands[i].fn == NULL) {
706 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
708 if(!setup_bind_nak(p))
713 /* decode the bind request */
714 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
715 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
720 * Check if this is an authenticated request.
723 if (p->hdr.auth_len != 0) {
724 RPC_AUTH_VERIFIER auth_verifier;
725 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
728 * Decode the authentication verifier.
731 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
732 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
737 * We only support NTLMSSP_AUTH_TYPE requests.
740 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
741 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
742 auth_info.auth_type ));
746 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
747 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
751 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
752 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
756 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
757 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
758 auth_verifier.msg_type));
762 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
763 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
767 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
768 p->ntlmssp_auth_requested = True;
771 switch(p->hdr.pkt_type) {
773 /* name has to be \PIPE\xxxxx */
774 fstrcpy(ack_pipe_name, "\\PIPE\\");
775 fstrcat(ack_pipe_name, p->pipe_srv_name);
776 reply_pkt_type = RPC_BINDACK;
779 /* secondary address CAN be NULL
780 * as the specs say it's ignored.
781 * It MUST NULL to have the spoolss working.
783 fstrcpy(ack_pipe_name,"");
784 reply_pkt_type = RPC_ALTCONTRESP;
790 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
793 * Marshall directly into the outgoing PDU space. We
794 * must do this as we need to set to the bind response
795 * header and are never sending more than one PDU here.
798 prs_init( &outgoing_rpc, 0, 4, MARSHALL);
799 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
802 * Setup the memory to marshall the ba header, and the
806 if(!prs_init(&out_hdr_ba, 1024, 4, MARSHALL)) {
807 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
811 if(!prs_init(&out_auth, 1024, 4, MARSHALL)) {
812 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
813 prs_mem_free(&out_hdr_ba);
817 if (p->ntlmssp_auth_requested)
820 assoc_gid = hdr_rb.bba.assoc_gid;
823 * Create the bind response struct.
826 init_rpc_hdr_ba(&hdr_ba,
838 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
839 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
844 * Now the authentication.
847 if (p->ntlmssp_auth_requested) {
848 RPC_AUTH_VERIFIER auth_verifier;
849 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
851 generate_random_buffer(p->challenge, 8, False);
853 /*** Authentication info ***/
855 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
856 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
857 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
861 /*** NTLMSSP verifier ***/
863 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
864 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
865 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
869 /* NTLMSSP challenge ***/
871 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
872 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
873 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
877 /* Auth len in the rpc header doesn't include auth_header. */
878 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
882 * Create the header, now we know the length.
885 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
887 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
891 * Marshall the header into the outgoing PDU.
894 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
895 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
900 * Now add the RPC_HDR_BA and any auth needed.
903 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
904 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
908 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
909 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
913 if(!p->ntlmssp_auth_requested)
914 p->pipe_bound = True;
917 * Setup the lengths for the initial reply.
920 p->out_data.data_sent_length = 0;
921 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
922 p->out_data.current_pdu_sent = 0;
924 prs_mem_free(&out_hdr_ba);
925 prs_mem_free(&out_auth);
931 prs_mem_free(&out_hdr_ba);
932 prs_mem_free(&out_auth);
936 /****************************************************************************
937 Deal with sign & seal processing on an RPC request.
938 ****************************************************************************/
940 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
943 * We always negotiate the following two bits....
945 BOOL auth_verify = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SIGN);
946 BOOL auth_seal = IS_BITS_SET_ALL(p->ntlmssp_chal_flags, NTLMSSP_NEGOTIATE_SEAL);
952 auth_len = p->hdr.auth_len;
954 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
955 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
960 * The following is that length of the data we must verify or unseal.
961 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
962 * preceeding the auth_data.
965 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
966 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
968 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
969 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
973 * The data in rpc_in doesn't contain the RPC_HEADER as this
974 * has already been consumed.
976 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
977 NTLMSSPcalc_p(p, (uchar*)data, data_len);
978 crc32 = crc32_calc_buffer(data, data_len);
981 old_offset = prs_offset(rpc_in);
983 if (auth_seal || auth_verify) {
984 RPC_HDR_AUTH auth_info;
986 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
987 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
988 (unsigned int)old_offset + data_len ));
992 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
993 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
999 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1000 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1002 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1005 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1008 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1009 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1010 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1014 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1015 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1016 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1020 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1021 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1027 * Return the current pointer to the data offset.
1030 if(!prs_set_offset(rpc_in, old_offset)) {
1031 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1032 (unsigned int)old_offset ));
1039 /****************************************************************************
1040 Find the correct RPC function to call for this request.
1041 If the pipe is authenticated then become the correct UNIX user
1042 before doing the call.
1043 ****************************************************************************/
1045 BOOL api_pipe_request(pipes_struct *p)
1049 BOOL changed_user_id = False;
1051 if (p->ntlmssp_auth_validated) {
1053 if(!become_authenticated_pipe_user(p)) {
1054 prs_mem_free(&p->out_data.rdata);
1058 changed_user_id = True;
1061 for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1062 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1063 api_fd_commands[i].fn != NULL) {
1064 DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1065 ret = api_fd_commands[i].fn(p, &p->in_data.data);
1070 unbecome_authenticated_pipe_user(p);
1075 /*******************************************************************
1076 Calls the underlying RPC function for a named pipe.
1077 ********************************************************************/
1079 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds,
1084 uint32 offset1, offset2;
1086 /* interpret the command */
1087 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1089 slprintf(name, sizeof(name), "in_%s", rpc_name);
1090 prs_dump(name, p->hdr_req.opnum, rpc_in);
1092 for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1093 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1094 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1099 if (api_rpc_cmds[fn_num].name == NULL) {
1101 * For an unknown RPC just return a fault PDU but
1102 * return True to allow RPC's on the pipe to continue
1103 * and not put the pipe into fault state. JRA.
1105 DEBUG(4, ("unknown\n"));
1110 offset1 = prs_offset(&p->out_data.rdata);
1112 /* do the actual command */
1113 if(!api_rpc_cmds[fn_num].fn(rpc_in, &p->out_data.rdata)) {
1114 DEBUG(0,("api_rpcTNP: %s: failed.\n", rpc_name));
1115 prs_mem_free(&p->out_data.rdata);
1119 slprintf(name, sizeof(name), "out_%s", rpc_name);
1120 offset2 = prs_offset(&p->out_data.rdata);
1121 prs_set_offset(&p->out_data.rdata, offset1);
1122 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1123 prs_set_offset(&p->out_data.rdata, offset2);
1125 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));