2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Anthony Liguori 2003.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 #define DBGC_CLASS DBGC_RPC_SRV
46 /*************************************************************
48 We need to transfer the session key from one rpc bind to the
49 next. This is the way the netlogon schannel works.
50 **************************************************************/
51 struct dcinfo last_dcinfo;
53 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
55 unsigned char *hash = p->ntlmssp_hash;
56 unsigned char index_i = hash[256];
57 unsigned char index_j = hash[257];
60 for( ind = 0; ind < len; ind++) {
65 index_j += hash[index_i];
68 hash[index_i] = hash[index_j];
71 t = hash[index_i] + hash[index_j];
72 data[ind] = data[ind] ^ hash[t];
79 /*******************************************************************
80 Generate the next PDU to be returned from the data in p->rdata.
81 We cheat here as this function doesn't handle the special auth
82 footers of the authenticated bind response reply.
83 ********************************************************************/
85 BOOL create_next_pdu(pipes_struct *p)
87 RPC_HDR_RESP hdr_resp;
88 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
89 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
91 uint32 data_space_available;
93 prs_struct outgoing_pdu;
97 * If we're in the fault state, keep returning fault PDU's until
98 * the pipe gets closed. JRA.
102 setup_fault_pdu(p, NT_STATUS(0x1c010002));
106 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
108 /* Change the incoming request header to a response. */
109 p->hdr.pkt_type = RPC_RESPONSE;
111 /* Set up rpc header flags. */
112 if (p->out_data.data_sent_length == 0)
113 p->hdr.flags = RPC_FLG_FIRST;
118 * Work out how much we can fit in a single PDU.
121 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
122 if(p->ntlmssp_auth_validated)
123 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
125 if(p->netsec_auth_validated)
126 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN);
129 * The amount we send is the minimum of the available
130 * space and the amount left to send.
133 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
136 * Ensure there really is data left to send.
140 DEBUG(0,("create_next_pdu: no data left to send !\n"));
144 data_len = MIN(data_len_left, data_space_available);
147 * Set up the alloc hint. This should be the data left to
151 hdr_resp.alloc_hint = data_len_left;
154 * Set up the header lengths.
157 if (p->ntlmssp_auth_validated) {
158 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
159 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
160 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
161 } else if (p->netsec_auth_validated) {
162 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
163 RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN;
164 p->hdr.auth_len = RPC_AUTH_NETSEC_CHK_LEN;
166 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
171 * Work out if this PDU will be the last.
174 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
175 p->hdr.flags |= RPC_FLG_LAST;
178 * Init the parse struct to point at the outgoing
182 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
183 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
185 /* Store the header in the data stream. */
186 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
187 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
188 prs_mem_free(&outgoing_pdu);
192 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
193 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
194 prs_mem_free(&outgoing_pdu);
198 /* Store the current offset. */
199 data_pos = prs_offset(&outgoing_pdu);
201 /* Copy the data into the PDU. */
203 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
204 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
205 prs_mem_free(&outgoing_pdu);
209 if (p->ntlmssp_auth_validated) {
213 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
214 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
217 * Set data to point to where we copied the data into.
220 data = prs_data_p(&outgoing_pdu) + data_pos;
223 crc32 = crc32_calc_buffer(data, data_len);
224 NTLMSSPcalc_p(p, (uchar*)data, data_len);
227 if (auth_seal || auth_verify) {
228 RPC_HDR_AUTH auth_info;
230 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
231 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
232 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
234 prs_mem_free(&outgoing_pdu);
240 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
241 char *auth_data = prs_data_p(&outgoing_pdu);
243 p->ntlmssp_seq_num++;
244 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
245 crc32, p->ntlmssp_seq_num++);
246 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
247 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
248 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
249 prs_mem_free(&outgoing_pdu);
252 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
256 if (p->netsec_auth_validated) {
258 RPC_HDR_AUTH auth_info;
259 static const uchar netsec_sig[8] = NETSEC_SIGNATURE;
260 static const uchar nullbytes[8] = { 0,0,0,0,0,0,0,0 };
262 RPC_AUTH_NETSEC_CHK verf;
268 data = prs_data_p(&outgoing_pdu) + data_pos;
270 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL,
271 RPC_HDR_AUTH_LEN, 1);
273 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
274 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
275 prs_mem_free(&outgoing_pdu);
279 prs_init(&rverf, 0, p->mem_ctx, MARSHALL);
280 prs_init(&rauth, 0, p->mem_ctx, MARSHALL);
282 memset(sign, 0, sizeof(sign));
285 init_rpc_auth_netsec_chk(&verf, netsec_sig, nullbytes, sign, nullbytes);
287 if (!netsec_encode(&p->netsec_auth, &verf, data, data_len)) {
288 DEBUG(0,("create_next_pdu: failed encode data.\n"));
289 prs_mem_free(&outgoing_pdu);
293 smb_io_rpc_auth_netsec_chk("", &verf, &outgoing_pdu, 0);
294 p->netsec_auth.seq_num++;
298 * Setup the counts for this PDU.
301 p->out_data.data_sent_length += data_len;
302 p->out_data.current_pdu_len = p->hdr.frag_len;
303 p->out_data.current_pdu_sent = 0;
305 prs_mem_free(&outgoing_pdu);
309 /*******************************************************************
310 Process an NTLMSSP authentication response.
311 If this function succeeds, the user has been authenticated
312 and their domain, name and calling workstation stored in
314 The initial challenge is stored in p->challenge.
315 *******************************************************************/
317 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
329 struct auth_context *auth_context = NULL;
330 auth_usersupplied_info *user_info = NULL;
331 auth_serversupplied_info *server_info = NULL;
333 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
335 memset(p->user_name, '\0', sizeof(p->user_name));
336 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
337 memset(p->domain, '\0', sizeof(p->domain));
338 memset(p->wks, '\0', sizeof(p->wks));
340 /* Set up for non-authenticated user. */
341 delete_nt_token(&p->pipe_user.nt_user_token);
342 p->pipe_user.ngroups = 0;
343 SAFE_FREE( p->pipe_user.groups);
346 * Setup an empty password for a guest user.
350 * We always negotiate UNICODE.
353 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
354 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
355 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
356 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
358 pull_ascii_fstring(user_name, ntlmssp_resp->user);
359 pull_ascii_fstring(domain, ntlmssp_resp->domain);
360 pull_ascii_fstring(wks, ntlmssp_resp->wks);
363 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
365 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
366 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
368 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
369 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
371 #ifdef DEBUG_PASSWORD
372 DEBUG(100,("lm, nt owfs, chal\n"));
373 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
374 dump_data(100, (char *)nt_owf, nt_pw_len);
375 dump_data(100, (char *)p->challenge, 8);
379 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
385 * Do the length checking only if user is not NULL.
388 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
390 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
392 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
394 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
396 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
401 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
403 if (!make_user_info_netlogon_network(&user_info,
404 user_name, domain, wks,
406 nt_owf, nt_pw_len)) {
407 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
411 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
413 (auth_context->free)(&auth_context);
414 free_user_info(&user_info);
416 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
418 if (!p->ntlmssp_auth_validated) {
419 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
420 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
421 free_server_info(&server_info);
426 * Set up the sign/seal data.
431 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
443 for (ind = 0; ind < 256; ind++)
444 p->ntlmssp_hash[ind] = (unsigned char)ind;
446 for( ind = 0; ind < 256; ind++) {
449 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
451 tc = p->ntlmssp_hash[ind];
452 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
453 p->ntlmssp_hash[j] = tc;
456 p->ntlmssp_hash[256] = 0;
457 p->ntlmssp_hash[257] = 0;
459 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
460 p->ntlmssp_seq_num = 0;
464 fstrcpy(p->user_name, user_name);
465 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
466 fstrcpy(p->domain, domain);
467 fstrcpy(p->wks, wks);
470 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
473 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
474 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
475 free_server_info(&server_info);
479 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
481 p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
482 p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
484 p->pipe_user.ngroups = server_info->n_groups;
485 if (p->pipe_user.ngroups) {
486 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
487 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
488 free_server_info(&server_info);
493 if (server_info->ptok)
494 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
496 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
497 p->pipe_user.nt_user_token = NULL;
498 free_server_info(&server_info);
502 p->ntlmssp_auth_validated = True;
504 free_server_info(&server_info);
508 /*******************************************************************
509 The switch table for the pipe names and the functions to handle them.
510 *******************************************************************/
518 static struct api_cmd api_fd_commands[] =
520 #ifndef RPC_LSA_DYNAMIC
521 { "lsarpc", rpc_lsa_init },
523 #ifndef RPC_SAMR_DYNAMIC
524 { "samr", rpc_samr_init },
526 #ifndef RPC_SVC_DYNAMIC
527 { "srvsvc", rpc_srv_init },
529 #ifndef RPC_WKS_DYNAMIC
530 { "wkssvc", rpc_wks_init },
532 #ifndef RPC_NETLOG_DYNAMIC
533 { "NETLOGON", rpc_net_init },
535 #ifndef RPC_REG_DYNAMIC
536 { "winreg", rpc_reg_init },
538 #ifndef RPC_SPOOLSS_DYNAMIC
539 { "spoolss", rpc_spoolss_init },
541 #ifndef RPC_DFS_DYNAMIC
542 { "netdfs", rpc_dfs_init },
554 struct api_struct *cmds;
558 static struct rpc_table *rpc_lookup;
559 static int rpc_lookup_size;
561 /*******************************************************************
562 This is the client reply to our challenge for an authenticated
563 bind request. The challenge we sent is in p->challenge.
564 *******************************************************************/
566 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
568 RPC_HDR_AUTHA autha_info;
569 RPC_AUTH_VERIFIER auth_verifier;
570 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
572 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
574 if (p->hdr.auth_len == 0) {
575 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
580 * Decode the authentication verifier response.
583 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
584 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
588 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
589 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
590 (int)autha_info.auth_type, (int)autha_info.auth_level ));
594 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
595 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
600 * Ensure this is a NTLMSSP_AUTH packet type.
603 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
604 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
608 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
609 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
614 * The following call actually checks the challenge/response data.
615 * for correctness against the given DOMAIN\user name.
618 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
626 /*******************************************************************
627 Marshall a bind_nak pdu.
628 *******************************************************************/
630 static BOOL setup_bind_nak(pipes_struct *p)
632 prs_struct outgoing_rpc;
636 /* Free any memory in the current return data buffer. */
637 prs_mem_free(&p->out_data.rdata);
640 * Marshall directly into the outgoing PDU space. We
641 * must do this as we need to set to the bind response
642 * header and are never sending more than one PDU here.
645 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
646 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
650 * Initialize a bind_nak header.
653 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
654 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
657 * Marshall the header into the outgoing PDU.
660 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
661 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
662 prs_mem_free(&outgoing_rpc);
667 * Now add the reject reason.
670 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
671 prs_mem_free(&outgoing_rpc);
675 p->out_data.data_sent_length = 0;
676 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
677 p->out_data.current_pdu_sent = 0;
679 p->pipe_bound = False;
684 /*******************************************************************
685 Marshall a fault pdu.
686 *******************************************************************/
688 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
690 prs_struct outgoing_pdu;
692 RPC_HDR_RESP hdr_resp;
693 RPC_HDR_FAULT fault_resp;
695 /* Free any memory in the current return data buffer. */
696 prs_mem_free(&p->out_data.rdata);
699 * Marshall directly into the outgoing PDU space. We
700 * must do this as we need to set to the bind response
701 * header and are never sending more than one PDU here.
704 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
705 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
708 * Initialize a fault header.
711 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
712 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
715 * Initialize the HDR_RESP and FAULT parts of the PDU.
718 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
720 fault_resp.status = status;
721 fault_resp.reserved = 0;
724 * Marshall the header into the outgoing PDU.
727 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
728 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
729 prs_mem_free(&outgoing_pdu);
733 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
734 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
735 prs_mem_free(&outgoing_pdu);
739 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
740 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
741 prs_mem_free(&outgoing_pdu);
745 p->out_data.data_sent_length = 0;
746 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
747 p->out_data.current_pdu_sent = 0;
749 prs_mem_free(&outgoing_pdu);
753 /*******************************************************************
754 Ensure a bind request has the correct abstract & transfer interface.
755 Used to reject unknown binds from Win2k.
756 *******************************************************************/
758 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
761 extern struct pipe_id_info pipe_names[];
764 fstrcpy(pname,"\\PIPE\\");
765 fstrcat(pname,pipe_name);
767 DEBUG(3,("check_bind_req for %s\n", pname));
769 #ifndef SUPPORT_NEW_LSARPC_UUID
771 /* check for the first pipe matching the name */
773 for ( i=0; pipe_names[i].client_pipe; i++ ) {
774 if ( strequal(pipe_names[i].client_pipe, pname) )
778 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
780 for ( i=0; pipe_names[i].client_pipe; i++ )
782 if ( strequal(pipe_names[i].client_pipe, pname)
783 && (abstract->version == pipe_names[i].abstr_syntax.version)
784 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) == 0)
785 && (transfer->version == pipe_names[i].trans_syntax.version)
786 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) == 0) )
793 if(pipe_names[i].client_pipe == NULL)
796 #ifndef SUPPORT_NEW_LSARPC_UUID
797 /* check the abstract interface */
798 if ( (abstract->version != pipe_names[i].abstr_syntax.version)
799 || (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) != 0) )
804 /* check the transfer interface */
805 if ( (transfer->version != pipe_names[i].trans_syntax.version)
806 || (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) != 0) )
814 /*******************************************************************
815 Register commands to an RPC pipe
816 *******************************************************************/
817 int rpc_pipe_register_commands(const char *clnt, const char *srv, const struct api_struct *cmds, int size)
819 struct rpc_table *rpc_entry;
822 /* We use a temporary variable because this call can fail and
823 rpc_lookup will still be valid afterwards. It could then succeed if
824 called again later */
825 rpc_entry = realloc(rpc_lookup,
826 ++rpc_lookup_size*sizeof(struct rpc_table));
827 if (NULL == rpc_entry) {
829 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
832 rpc_lookup = rpc_entry;
835 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
836 ZERO_STRUCTP(rpc_entry);
837 rpc_entry->pipe.clnt = strdup(clnt);
838 rpc_entry->pipe.srv = strdup(srv);
839 rpc_entry->cmds = realloc(rpc_entry->cmds,
840 (rpc_entry->n_cmds + size) *
841 sizeof(struct api_struct));
842 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
843 size * sizeof(struct api_struct));
844 rpc_entry->n_cmds += size;
849 /*******************************************************************
850 Register commands to an RPC pipe
851 *******************************************************************/
852 int rpc_load_module(const char *module)
856 int (*module_init)(void);
860 pstrcpy(full_path, lib_path("rpc"));
861 pstrcat(full_path, "/librpc_");
862 pstrcat(full_path, module);
863 pstrcat(full_path, ".");
864 pstrcat(full_path, shlib_ext());
866 handle = sys_dlopen(full_path, RTLD_LAZY);
868 DEBUG(0, ("Could not load requested pipe %s as %s\n",
870 DEBUG(0, (" Error: %s\n", dlerror()));
874 DEBUG(3, ("Module '%s' loaded\n", full_path));
876 module_init = sys_dlsym(handle, "rpc_pipe_init");
877 if ((error = sys_dlerror()) != NULL) {
878 DEBUG(0, ("Error trying to resolve symbol 'rpc_pipe_init' in %s: %s\n",
883 return module_init();
885 DEBUG(0,("Attempting to load a dynamic RPC pipe when dlopen isn't available\n"));
890 /*******************************************************************
891 Respond to a pipe bind request.
892 *******************************************************************/
894 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
898 RPC_HDR_AUTH auth_info;
900 fstring ack_pipe_name;
901 prs_struct out_hdr_ba;
903 prs_struct outgoing_rpc;
906 enum RPC_PKT_TYPE reply_pkt_type;
908 p->ntlmssp_auth_requested = False;
909 p->netsec_auth_validated = False;
911 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
914 * Try and find the correct pipe name to ensure
915 * that this is a pipe name we support.
919 for (i = 0; i < rpc_lookup_size; i++) {
920 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
921 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
922 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
923 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
928 if (i == rpc_lookup_size) {
929 for (i = 0; api_fd_commands[i].name; i++) {
930 if (strequal(api_fd_commands[i].name, p->name)) {
931 api_fd_commands[i].init();
936 if (!api_fd_commands[i].name && !rpc_load_module(p->name)) {
937 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
939 if(!setup_bind_nak(p))
944 for (i = 0; i < rpc_lookup_size; i++) {
945 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
946 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
947 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
948 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
954 /* decode the bind request */
955 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
956 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
961 * Check if this is an authenticated request.
964 if (p->hdr.auth_len != 0) {
965 RPC_AUTH_VERIFIER auth_verifier;
966 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
969 * Decode the authentication verifier.
972 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
973 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
977 if(auth_info.auth_type == NTLMSSP_AUTH_TYPE) {
979 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
980 DEBUG(0,("api_pipe_bind_req: unable to "
981 "unmarshall RPC_HDR_AUTH struct.\n"));
985 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
986 DEBUG(0,("api_pipe_bind_req: "
987 "auth_verifier.signature != NTLMSSP\n"));
991 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
992 DEBUG(0,("api_pipe_bind_req: "
993 "auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
994 auth_verifier.msg_type));
998 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
999 DEBUG(0,("api_pipe_bind_req: "
1000 "Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
1004 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
1005 p->ntlmssp_auth_requested = True;
1007 } else if (auth_info.auth_type == NETSEC_AUTH_TYPE) {
1009 RPC_AUTH_NETSEC_NEG neg;
1010 struct netsec_auth_struct *a = &(p->netsec_auth);
1012 if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
1013 DEBUG(0,("api_pipe_bind_req: "
1014 "Could not unmarshal SCHANNEL auth neg\n"));
1018 p->netsec_auth_validated = True;
1020 memset(a->sess_key, 0, sizeof(a->sess_key));
1021 memcpy(a->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
1025 DEBUG(10,("schannel auth: domain [%s] myname [%s]\n",
1026 neg.domain, neg.myname));
1029 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
1030 auth_info.auth_type ));
1035 switch(p->hdr.pkt_type) {
1037 /* name has to be \PIPE\xxxxx */
1038 fstrcpy(ack_pipe_name, "\\PIPE\\");
1039 fstrcat(ack_pipe_name, p->pipe_srv_name);
1040 reply_pkt_type = RPC_BINDACK;
1043 /* secondary address CAN be NULL
1044 * as the specs say it's ignored.
1045 * It MUST NULL to have the spoolss working.
1047 fstrcpy(ack_pipe_name,"");
1048 reply_pkt_type = RPC_ALTCONTRESP;
1054 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1057 * Marshall directly into the outgoing PDU space. We
1058 * must do this as we need to set to the bind response
1059 * header and are never sending more than one PDU here.
1062 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1063 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1066 * Setup the memory to marshall the ba header, and the
1070 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1071 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1072 prs_mem_free(&outgoing_rpc);
1076 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1077 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1078 prs_mem_free(&outgoing_rpc);
1079 prs_mem_free(&out_hdr_ba);
1083 if (p->ntlmssp_auth_requested)
1086 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1089 * Create the bind response struct.
1092 /* If the requested abstract synt uuid doesn't match our client pipe,
1093 reject the bind_ack & set the transfer interface synt to all 0's,
1094 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1096 Needed when adding entries to a DACL from NT5 - SK */
1098 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
1099 init_rpc_hdr_ba(&hdr_ba,
1107 RPC_IFACE null_interface;
1108 ZERO_STRUCT(null_interface);
1109 /* Rejection reason: abstract syntax not supported */
1110 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1111 MAX_PDU_FRAG_LEN, assoc_gid,
1112 ack_pipe_name, 0x1, 0x2, 0x1,
1120 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1121 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1126 * Now the authentication.
1129 if (p->ntlmssp_auth_requested) {
1130 RPC_AUTH_VERIFIER auth_verifier;
1131 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1133 generate_random_buffer(p->challenge, 8, False);
1135 /*** Authentication info ***/
1137 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
1138 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1139 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1143 /*** NTLMSSP verifier ***/
1145 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1146 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1147 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1151 /* NTLMSSP challenge ***/
1153 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1154 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1155 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1159 /* Auth len in the rpc header doesn't include auth_header. */
1160 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1163 if (p->netsec_auth_validated) {
1164 RPC_AUTH_VERIFIER auth_verifier;
1167 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
1168 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1169 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1173 /*** NETSEC verifier ***/
1175 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1176 if(!smb_io_rpc_netsec_verifier("", &auth_verifier, &out_auth, 0)) {
1177 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1181 prs_align(&out_auth);
1184 if(!prs_uint32("flags ", &out_auth, 0, &flags))
1187 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1191 * Create the header, now we know the length.
1194 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1196 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1200 * Marshall the header into the outgoing PDU.
1203 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1204 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1209 * Now add the RPC_HDR_BA and any auth needed.
1212 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1213 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1217 if((p->ntlmssp_auth_requested|p->netsec_auth_validated) &&
1218 !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1219 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1223 if(!p->ntlmssp_auth_requested)
1224 p->pipe_bound = True;
1227 * Setup the lengths for the initial reply.
1230 p->out_data.data_sent_length = 0;
1231 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1232 p->out_data.current_pdu_sent = 0;
1234 prs_mem_free(&out_hdr_ba);
1235 prs_mem_free(&out_auth);
1241 prs_mem_free(&outgoing_rpc);
1242 prs_mem_free(&out_hdr_ba);
1243 prs_mem_free(&out_auth);
1247 /****************************************************************************
1248 Deal with sign & seal processing on an RPC request.
1249 ****************************************************************************/
1251 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1254 * We always negotiate the following two bits....
1256 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1257 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1263 auth_len = p->hdr.auth_len;
1265 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1266 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1271 * The following is that length of the data we must verify or unseal.
1272 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1273 * preceeding the auth_data.
1276 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1277 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1279 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1280 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1284 * The data in rpc_in doesn't contain the RPC_HEADER as this
1285 * has already been consumed.
1287 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1288 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1289 crc32 = crc32_calc_buffer(data, data_len);
1292 old_offset = prs_offset(rpc_in);
1294 if (auth_seal || auth_verify) {
1295 RPC_HDR_AUTH auth_info;
1297 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1298 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1299 (unsigned int)old_offset + data_len ));
1303 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1304 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1310 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1311 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1313 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1316 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1319 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1320 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1321 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1325 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1326 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1327 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1331 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1332 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1338 * Return the current pointer to the data offset.
1341 if(!prs_set_offset(rpc_in, old_offset)) {
1342 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1343 (unsigned int)old_offset ));
1350 static void netsechash(uchar * key, uchar * data, int data_len)
1358 for (ind = 0; ind < 256; ind++)
1360 hash[ind] = (uchar) ind;
1363 for (ind = 0; ind < 256; ind++)
1367 j += (hash[ind] + key[ind % 16]);
1370 hash[ind] = hash[j];
1374 for (ind = 0; ind < data_len; ind++)
1380 index_j += hash[index_i];
1383 hash[index_i] = hash[index_j];
1386 t = hash[index_i] + hash[index_j];
1387 data[ind] ^= hash[t];
1391 void dump_data_pw(const char *msg, const uchar * data, size_t len)
1393 #ifdef DEBUG_PASSWORD
1394 DEBUG(11, ("%s", msg));
1395 if (data != NULL && len > 0)
1397 dump_data(11, data, len);
1402 BOOL netsec_encode(struct netsec_auth_struct *a,
1403 RPC_AUTH_NETSEC_CHK * verf, char *data, size_t data_len)
1407 struct MD5Context ctx3;
1411 /* store the sequence number */
1412 SIVAL(dataN, 0, a->seq_num);
1414 for (i = 0; i < sizeof(sess_kf0); i++)
1416 sess_kf0[i] = a->sess_key[i] ^ 0xf0;
1419 dump_data_pw("a->sess_key:\n", a->sess_key, sizeof(a->sess_key));
1420 dump_data_pw("a->seq_num :\n", dataN, sizeof(dataN));
1423 MD5Update(&ctx3, dataN, 0x4);
1424 MD5Update(&ctx3, verf->sig, 8);
1426 MD5Update(&ctx3, verf->data8, 8);
1428 dump_data_pw("verf->data8:\n", verf->data8, sizeof(verf->data8));
1429 dump_data_pw("sess_kf0:\n", sess_kf0, sizeof(sess_kf0));
1431 hmac_md5(sess_kf0, dataN, 0x4, digest1);
1432 dump_data_pw("digest1 (ebp-8):\n", digest1, sizeof(digest1));
1433 hmac_md5(digest1, verf->data3, 8, digest1);
1434 dump_data_pw("netsechashkey:\n", digest1, sizeof(digest1));
1435 netsechash(digest1, verf->data8, 8);
1437 dump_data_pw("verf->data8:\n", verf->data8, sizeof(verf->data8));
1439 dump_data_pw("data :\n", data, data_len);
1440 MD5Update(&ctx3, data, data_len);
1443 char digest_tmp[16];
1445 MD5Final(digest_tmp, &ctx3);
1446 hmac_md5(a->sess_key, digest_tmp, 16, digest2);
1447 dump_data_pw("digest_tmp:\n", digest_tmp, sizeof(digest_tmp));
1448 dump_data_pw("digest:\n", digest2, sizeof(digest2));
1449 memcpy(verf->data1, digest2, sizeof(verf->data1));
1452 netsechash(digest1, data, data_len);
1453 dump_data_pw("data:\n", data, data_len);
1455 hmac_md5(a->sess_key, dataN, 0x4, digest1);
1456 dump_data_pw("ctx:\n", digest1, sizeof(digest1));
1458 hmac_md5(digest1, verf->data1, 8, digest1);
1460 dump_data_pw("netsechashkey:\n", digest1, sizeof(digest1));
1462 dump_data_pw("verf->data3:\n", verf->data3, sizeof(verf->data3));
1463 netsechash(digest1, verf->data3, 8);
1464 dump_data_pw("verf->data3:\n", verf->data3, sizeof(verf->data3));
1469 BOOL netsec_decode(struct netsec_auth_struct *a,
1470 RPC_AUTH_NETSEC_CHK * verf, char *data, size_t data_len)
1474 struct MD5Context ctx3;
1478 /* store the sequence number */
1479 SIVAL(dataN, 0, a->seq_num);
1481 for (i = 0; i < sizeof(sess_kf0); i++)
1483 sess_kf0[i] = a->sess_key[i] ^ 0xf0;
1486 dump_data_pw("a->sess_key:\n", a->sess_key, sizeof(a->sess_key));
1487 dump_data_pw("a->seq_num :\n", dataN, sizeof(dataN));
1488 hmac_md5(a->sess_key, dataN, 0x4, digest1);
1489 dump_data_pw("ctx:\n", digest1, sizeof(digest1));
1491 hmac_md5(digest1, verf->data1, 8, digest1);
1493 dump_data_pw("netsechashkey:\n", digest1, sizeof(digest1));
1494 dump_data_pw("verf->data3:\n", verf->data3, sizeof(verf->data3));
1495 netsechash(digest1, verf->data3, 8);
1496 dump_data_pw("verf->data3_dec:\n", verf->data3, sizeof(verf->data3));
1499 MD5Update(&ctx3, dataN, 0x4);
1500 MD5Update(&ctx3, verf->sig, 8);
1502 dump_data_pw("sess_kf0:\n", sess_kf0, sizeof(sess_kf0));
1504 hmac_md5(sess_kf0, dataN, 0x4, digest1);
1505 dump_data_pw("digest1 (ebp-8):\n", digest1, sizeof(digest1));
1506 hmac_md5(digest1, verf->data3, 8, digest1);
1507 dump_data_pw("netsechashkey:\n", digest1, sizeof(digest1));
1509 dump_data_pw("verf->data8:\n", verf->data8, sizeof(verf->data8));
1510 netsechash(digest1, verf->data8, 8);
1511 dump_data_pw("verf->data8_dec:\n", verf->data8, sizeof(verf->data8));
1512 MD5Update(&ctx3, verf->data8, 8);
1514 dump_data_pw("data :\n", data, data_len);
1515 netsechash(digest1, data, data_len);
1516 dump_data_pw("datadec:\n", data, data_len);
1518 MD5Update(&ctx3, data, data_len);
1520 uchar digest_tmp[16];
1521 MD5Final(digest_tmp, &ctx3);
1522 hmac_md5(a->sess_key, digest_tmp, 16, digest1);
1523 dump_data_pw("digest_tmp:\n", digest_tmp, sizeof(digest_tmp));
1526 dump_data_pw("digest:\n", digest1, sizeof(digest1));
1527 dump_data_pw("verf->data1:\n", verf->data1, sizeof(verf->data1));
1529 return memcmp(digest1, verf->data1, sizeof(verf->data1)) == 0;
1532 /****************************************************************************
1533 Deal with schannel processing on an RPC request.
1534 ****************************************************************************/
1535 BOOL api_pipe_netsec_process(pipes_struct *p, prs_struct *rpc_in)
1538 * We always negotiate the following two bits....
1543 RPC_HDR_AUTH auth_info;
1544 RPC_AUTH_NETSEC_CHK netsec_chk;
1547 auth_len = p->hdr.auth_len;
1549 if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
1550 DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
1555 * The following is that length of the data we must verify or unseal.
1556 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1557 * preceeding the auth_data.
1560 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1561 RPC_HDR_AUTH_LEN - auth_len;
1563 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1565 old_offset = prs_offset(rpc_in);
1567 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1568 DEBUG(0,("cannot move offset to %u.\n",
1569 (unsigned int)old_offset + data_len ));
1573 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1574 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1578 if ((auth_info.auth_type != NETSEC_AUTH_TYPE) ||
1579 (auth_info.auth_level != NETSEC_AUTH_LEVEL)) {
1580 DEBUG(0,("Invalid auth info %d or level %d on schannel\n",
1581 auth_info.auth_type, auth_info.auth_level));
1585 if(!smb_io_rpc_auth_netsec_chk("", &netsec_chk, rpc_in, 0)) {
1586 DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
1590 if (!netsec_decode(&p->netsec_auth, &netsec_chk,
1591 prs_data_p(rpc_in)+old_offset, data_len)) {
1592 DEBUG(0,("failed to decode PDU\n"));
1597 * Return the current pointer to the data offset.
1600 if(!prs_set_offset(rpc_in, old_offset)) {
1601 DEBUG(0,("failed to set offset back to %u\n",
1602 (unsigned int)old_offset ));
1609 /****************************************************************************
1610 Return a user struct for a pipe user.
1611 ****************************************************************************/
1613 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1615 if (p->ntlmssp_auth_validated) {
1616 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1618 extern struct current_user current_user;
1619 memcpy(user, ¤t_user, sizeof(struct current_user));
1625 /****************************************************************************
1626 Find the correct RPC function to call for this request.
1627 If the pipe is authenticated then become the correct UNIX user
1628 before doing the call.
1629 ****************************************************************************/
1631 BOOL api_pipe_request(pipes_struct *p)
1636 if (p->ntlmssp_auth_validated) {
1638 if(!become_authenticated_pipe_user(p)) {
1639 prs_mem_free(&p->out_data.rdata);
1644 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1646 for (i = 0; i < rpc_lookup_size; i++) {
1647 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1648 DEBUG(3,("Doing \\PIPE\\%s\n",
1649 rpc_lookup[i].pipe.clnt));
1650 set_current_rpc_talloc(p->mem_ctx);
1651 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1653 rpc_lookup[i].n_cmds);
1654 set_current_rpc_talloc(NULL);
1660 if (i == rpc_lookup_size) {
1661 for (i = 0; api_fd_commands[i].name; i++) {
1662 if (strequal(api_fd_commands[i].name, p->name)) {
1663 api_fd_commands[i].init();
1668 if (!api_fd_commands[i].name) {
1669 rpc_load_module(p->name);
1672 for (i = 0; i < rpc_lookup_size; i++) {
1673 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1674 DEBUG(3,("Doing \\PIPE\\%s\n",
1675 rpc_lookup[i].pipe.clnt));
1676 set_current_rpc_talloc(p->mem_ctx);
1677 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1679 rpc_lookup[i].n_cmds);
1680 set_current_rpc_talloc(NULL);
1686 if(p->ntlmssp_auth_validated)
1687 unbecome_authenticated_pipe_user();
1692 /*******************************************************************
1693 Calls the underlying RPC function for a named pipe.
1694 ********************************************************************/
1696 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1697 const struct api_struct *api_rpc_cmds, int n_cmds)
1701 uint32 offset1, offset2;
1703 /* interpret the command */
1704 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1706 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1707 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1709 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1710 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1711 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1716 if (fn_num == n_cmds) {
1718 * For an unknown RPC just return a fault PDU but
1719 * return True to allow RPC's on the pipe to continue
1720 * and not put the pipe into fault state. JRA.
1722 DEBUG(4, ("unknown\n"));
1723 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1727 offset1 = prs_offset(&p->out_data.rdata);
1729 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1730 fn_num, api_rpc_cmds[fn_num].fn));
1731 /* do the actual command */
1732 if(!api_rpc_cmds[fn_num].fn(p)) {
1733 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1734 prs_mem_free(&p->out_data.rdata);
1738 if (p->bad_handle_fault_state) {
1739 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1740 p->bad_handle_fault_state = False;
1741 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1745 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1746 offset2 = prs_offset(&p->out_data.rdata);
1747 prs_set_offset(&p->out_data.rdata, offset1);
1748 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1749 prs_set_offset(&p->out_data.rdata, offset2);
1751 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1753 /* Check for buffer underflow in rpc parsing */
1755 if ((DEBUGLEVEL >= 10) &&
1756 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1757 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1760 data = malloc(data_len);
1762 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1764 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);