summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--source3/include/ntdomain.h6
-rw-r--r--source3/include/proto.h17
-rw-r--r--source3/include/rpc_dce.h40
-rw-r--r--source3/libsmb/smbdes.c55
-rw-r--r--source3/libsmb/smbencrypt.c12
-rw-r--r--source3/rpc_client/cli_pipe.c87
-rw-r--r--source3/rpc_parse/parse_prs.c10
-rw-r--r--source3/rpc_parse/parse_rpc.c210
-rw-r--r--source3/rpc_server/srv_pipe_hnd.c20
-rw-r--r--source3/rpc_server/srv_util.c280
-rw-r--r--source3/smbd/ipc.c251
-rw-r--r--source3/smbd/pipes.c2
12 files changed, 657 insertions, 333 deletions
diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
index 5fb7f8a089..261cc3dfe3 100644
--- a/source3/include/ntdomain.h
+++ b/source3/include/ntdomain.h
@@ -67,6 +67,7 @@ typedef struct pipes_struct
prs_struct rhdr; /* output header */
prs_struct rdata; /* output data */
prs_struct rauth; /* output authentication verifier */
+ prs_struct rverf; /* output verifier */
prs_struct rntlm; /* output ntlmssp */
RPC_HDR hdr;
@@ -74,12 +75,17 @@ typedef struct pipes_struct
RPC_HDR_RB hdr_rb;
RPC_HDR_REQ hdr_req;
RPC_HDR_RESP hdr_resp;
+ RPC_HDR_AUTH auth_info;
+ RPC_HDR_AUTHA autha_info;
RPC_AUTH_VERIFIER auth_verifier;
RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
+ BOOL ntlmssp_auth;
+ unsigned char ntlmssp_hash[256];
+
uint32 file_offset;
uint32 hdr_offsets;
uint32 frag_len_left;
diff --git a/source3/include/proto.h b/source3/include/proto.h
index f7fb2a47c1..64d586f6c0 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -496,6 +496,8 @@ void E_old_pw_hash( unsigned char *p14, unsigned char *in, unsigned char *out);
void cred_hash1(unsigned char *out,unsigned char *in,unsigned char *key);
void cred_hash2(unsigned char *out,unsigned char *in,unsigned char *key);
void cred_hash3(unsigned char *out,unsigned char *in,unsigned char *key, int forw);
+void NTLMSSPhash( unsigned char hash[256], unsigned char const key[5]);
+void NTLMSSPcalc( unsigned char hash[256], unsigned char *data, int len);
void SamOEMhash( unsigned char *data, unsigned char *key, int val);
/*The following definitions come from libsmb/smbencrypt.c */
@@ -504,6 +506,7 @@ void SMBencrypt(uchar *passwd, uchar *c8, uchar *p24);
void E_md4hash(uchar *passwd, uchar *p16);
void nt_lm_owf_gen(char *pwd, uchar nt_p16[16], uchar p16[16]);
void SMBOWFencrypt(uchar passwd[16], uchar *c8, uchar p24[24]);
+void NTLMSSPOWFencrypt(uchar passwd[8], uchar *ntlmchalresp, uchar p24[24]);
void SMBNTencrypt(uchar *passwd, uchar *c8, uchar *p24);
/*The following definitions come from libsmb/smberr.c */
@@ -1489,7 +1492,7 @@ void prs_init(prs_struct *ps, uint32 size,
uint8 align, uint32 margin,
BOOL io);
void prs_mem_free(prs_struct *ps);
-void prs_link(prs_struct *ps, prs_struct const *const to);
+void prs_link(prs_struct *prev, prs_struct *ps, prs_struct *next);
void prs_align(prs_struct *ps);
BOOL prs_grow(prs_struct *ps);
BOOL prs_uint8(char *name, prs_struct *ps, int depth, uint8 *data8);
@@ -1539,13 +1542,20 @@ void smb_io_rpc_hdr_ba(char *desc, RPC_HDR_BA *rpc, prs_struct *ps, int depth);
void make_rpc_hdr_req(RPC_HDR_REQ *hdr, uint32 data_len, uint16 opnum);
void smb_io_rpc_hdr_req(char *desc, RPC_HDR_REQ *rpc, prs_struct *ps, int depth);
void smb_io_rpc_hdr_resp(char *desc, RPC_HDR_RESP *rpc, prs_struct *ps, int depth);
+void make_rpc_hdr_autha(RPC_HDR_AUTHA *rai,
+ uint16 max_tsize, uint16 max_rsize,
+ uint8 auth_type, uint8 auth_level,
+ uint8 stub_type_len);
+void smb_io_rpc_hdr_autha(char *desc, RPC_HDR_AUTHA *rai, prs_struct *ps, int depth);
+void make_rpc_hdr_auth(RPC_HDR_AUTH *rai,
+ uint8 auth_type, uint8 auth_level,
+ uint8 stub_type_len);
+void smb_io_rpc_hdr_auth(char *desc, RPC_HDR_AUTH *rai, prs_struct *ps, int depth);
void make_rpc_auth_ntlmssp_neg(RPC_AUTH_NTLMSSP_NEG *neg,
uint32 neg_flgs,
fstring myname, fstring domain);
void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_struct *ps, int depth);
void make_rpc_auth_verifier(RPC_AUTH_VERIFIER *rav,
- uint8 auth_type, uint8 auth_level,
- uint8 stub_type_len,
char *signature, uint32 msg_type);
void smb_io_rpc_auth_verifier(char *desc, RPC_AUTH_VERIFIER *rav, prs_struct *ps, int depth);
void make_rpc_auth_ntlmssp_chal(RPC_AUTH_NTLMSSP_CHAL *chl,
@@ -1852,6 +1862,7 @@ BOOL api_srvsvc_rpc(pipes_struct *p, prs_struct *data);
int make_dom_gids(char *gids_str, DOM_GID **ppgids);
BOOL create_rpc_reply(pipes_struct *p,
uint32 data_start, uint32 data_end);
+BOOL rpc_command(pipes_struct *p, prs_struct *pd);
BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds,
prs_struct *data);
void get_domain_user_groups(char *domain_groups, char *user);
diff --git a/source3/include/rpc_dce.h b/source3/include/rpc_dce.h
index a599abb19c..51a7631c4e 100644
--- a/source3/include/rpc_dce.h
+++ b/source3/include/rpc_dce.h
@@ -34,7 +34,8 @@ enum RPC_PKT_TYPE
RPC_REQUEST = 0x00,
RPC_RESPONSE = 0x02,
RPC_BIND = 0x0B,
- RPC_BINDACK = 0x0C
+ RPC_BINDACK = 0x0C,
+ RPC_BINDRESP = 0x10 /* not the real name! this is undocumented! */
};
/* DCE/RPC flags */
@@ -140,6 +141,33 @@ typedef struct rpc_hdr_bba_info
} RPC_HDR_BBA;
+/* RPC_HDR_AUTHA */
+typedef struct rpc_hdr_autha_info
+{
+ uint16 max_tsize; /* maximum transmission fragment size (0x1630) */
+ uint16 max_rsize; /* max receive fragment size (0x1630) */
+
+ uint8 auth_type; /* 0x0a */
+ uint8 auth_level; /* 0x06 */
+ uint8 stub_type_len; /* don't know */
+ uint8 padding; /* padding */
+
+ uint32 unknown; /* 0x0014a0c0 */
+
+} RPC_HDR_AUTHA;
+
+/* RPC_HDR_AUTH */
+typedef struct rpc_hdr_auth_info
+{
+ uint8 auth_type; /* 0x0a */
+ uint8 auth_level; /* 0x06 */
+ uint8 stub_type_len; /* don't know */
+ uint8 padding; /* padding */
+
+ uint32 unknown; /* 0x0014a0c0 */
+
+} RPC_HDR_AUTH;
+
/* RPC_BIND_REQ - ms req bind */
typedef struct rpc_bind_req_info
{
@@ -179,17 +207,9 @@ typedef struct rpc_hdr_ba_info
} RPC_HDR_BA;
-/* this is TEMPORARY */
/* RPC_AUTH_VERIFIER */
typedef struct rpc_auth_verif_info
{
- uint8 auth_type; /* 0x0a */
- uint8 auth_level; /* 0x06 */
- uint8 stub_type_len; /* don't know */
- uint8 padding; /* padding */
-
- uint32 ptr_0; /* non-zero pointer to something */
-
fstring signature; /* "NTLMSSP" */
uint32 msg_type; /* NTLMSSP_MESSAGE_TYPE (1,2,3) */
@@ -220,9 +240,7 @@ typedef struct rpc_auth_ntlmssp_chal_info
uint32 neg_flags; /* 0x0000 82b1 */
uint8 challenge[8]; /* ntlm challenge */
-#if 0
uint8 reserved [8]; /* zeros */
-#endif
} RPC_AUTH_NTLMSSP_CHAL;
diff --git a/source3/libsmb/smbdes.c b/source3/libsmb/smbdes.c
index eebe0dc54f..e9f2329550 100644
--- a/source3/libsmb/smbdes.c
+++ b/source3/libsmb/smbdes.c
@@ -357,6 +357,58 @@ void cred_hash3(unsigned char *out,unsigned char *in,unsigned char *key, int for
smbhash(out + 8, in + 8, key2, forw);
}
+void NTLMSSPhash( unsigned char hash[256], unsigned char const key[5])
+{
+ unsigned char j = 0;
+ int ind;
+
+ unsigned char k2[8];
+
+ memcpy(k2, key, sizeof(key));
+ k2[5] = 0xe5;
+ k2[6] = 0xb8;
+ k2[6] = 0xb0;
+
+ for (ind = 0; ind < 256; ind++)
+ {
+ hash[ind] = (unsigned char)ind;
+ }
+
+ for( ind = 0; ind < 256; ind++)
+ {
+ unsigned char tc;
+
+ j += (hash[ind] + k2[ind%8]);
+
+ tc = hash[ind];
+ hash[ind] = hash[j];
+ hash[j] = tc;
+ }
+}
+
+void NTLMSSPcalc( unsigned char hash[256], unsigned char *data, int len)
+{
+ unsigned char index_i = 0;
+ unsigned char index_j = 0;
+ int ind;
+
+ for( ind = 0; ind < len; ind++)
+ {
+ unsigned char tc;
+ unsigned char t;
+
+ index_i++;
+ index_j += hash[index_i];
+
+ tc = hash[index_i];
+ hash[index_i] = hash[index_j];
+ hash[index_j] = tc;
+
+ t = hash[index_i] + hash[index_j];
+ data[ind] ^= hash[t];
+ }
+}
+
void SamOEMhash( unsigned char *data, unsigned char *key, int val)
{
unsigned char s_box[256];
@@ -380,8 +432,7 @@ void SamOEMhash( unsigned char *data, unsigned char *key, int val)
s_box[ind] = s_box[j];
s_box[j] = tc;
}
-
- for( ind = 0; ind < (val ? 516 : 16); ind++)
+ for( ind = 0; ind < val ? 516 : 8; ind++)
{
unsigned char tc;
unsigned char t;
diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
index bf9736d724..44dcbd5e05 100644
--- a/source3/libsmb/smbencrypt.c
+++ b/source3/libsmb/smbencrypt.c
@@ -152,6 +152,18 @@ void SMBOWFencrypt(uchar passwd[16], uchar *c8, uchar p24[24])
E_P24(p21, c8, p24);
}
+/* Does the des encryption from the FIRST 8 BYTES of the NT or LM MD4 hash. */
+void NTLMSSPOWFencrypt(uchar passwd[8], uchar *ntlmchalresp, uchar p24[24])
+{
+ uchar p21[21];
+
+ memset(p21,'\0',21);
+ memcpy(p21, passwd, 8);
+ memset(p21 + 8, 0xbd, 8);
+
+ E_P24(p21, ntlmchalresp, p24);
+}
+
/* Does the NT MD4 hash then des encryption. */
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 392877f2dc..44440d9fba 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -289,12 +289,15 @@ static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd,
static BOOL create_rpc_bind_req(prs_struct *rhdr,
prs_struct *rhdr_rb,
+ prs_struct *rhdr_auth,
prs_struct *auth_req,
+ prs_struct *auth_ntlm,
RPC_IFACE *abstract, RPC_IFACE *transfer,
char *my_name, char *domain)
{
RPC_HDR_RB hdr_rb;
RPC_HDR hdr;
+ RPC_HDR_AUTH hdr_auth;
RPC_AUTH_VERIFIER auth_verifier;
RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
@@ -306,10 +309,13 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr,
smb_io_rpc_hdr_rb("", &hdr_rb, rhdr_rb, 0);
mem_realloc_data(rhdr_rb->data, rhdr_rb->offset);
- if (auth_req != NULL)
+ if (auth_req != NULL && rhdr_auth != NULL && auth_ntlm != NULL)
{
+ make_rpc_hdr_auth(&hdr_auth, 0x0a, 0x06, 0x00);
+ smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rhdr_auth, 0);
+ mem_realloc_data(rhdr_auth->data, rhdr_auth->offset);
+
make_rpc_auth_verifier(&auth_verifier,
- 0x0a, 0x06, 0x00,
"NTLMSSP", NTLMSSP_NEGOTIATE);
smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, auth_req, 0);
@@ -325,7 +331,8 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr,
/* create the request RPC_HDR */
make_rpc_hdr(&hdr, RPC_BIND, 0x0, get_rpc_call_id(),
rhdr_rb->offset + 0x10,
- auth_req != NULL ? auth_req->offset : 0);
+ auth_req != NULL ? auth_req ->offset : 0 +
+ auth_ntlm != NULL ? auth_ntlm->offset : 0);
smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0);
mem_realloc_data(rhdr->data, rhdr->offset);
@@ -336,25 +343,18 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr,
/*** link rpc header, bind acknowledgment and authentication responses ***/
/***/
- rhdr->data->offset.start = 0;
- rhdr->data->offset.end = rhdr->offset;
- rhdr->data->next = rhdr_rb->data;
-
if (auth_req != NULL)
{
- rhdr_rb->data->offset.start = rhdr->offset;
- rhdr_rb->data->offset.end = rhdr->offset + rhdr_rb->offset;
- rhdr_rb->data->next = auth_req->data;
-
- auth_req->data->offset.start = rhdr->offset + rhdr_rb->offset;
- auth_req->data->offset.end = rhdr->offset + auth_req->offset + rhdr_rb->offset;
- auth_req->data->next = NULL;
+ prs_link(NULL , rhdr , rhdr_rb );
+ prs_link(rhdr , rhdr_rb , rhdr_auth);
+ prs_link(rhdr_rb , rhdr_auth , auth_req );
+ prs_link(rhdr_auth, auth_req , auth_ntlm);
+ prs_link(auth_req , auth_ntlm , NULL );
}
else
{
- rhdr_rb->data->offset.start = rhdr->offset;
- rhdr_rb->data->offset.end = rhdr->offset + rhdr_rb->offset;
- rhdr_rb->data->next = NULL;
+ prs_link(NULL, rhdr , rhdr_rb);
+ prs_link(rhdr, rhdr_rb, NULL );
}
return True;
@@ -578,7 +578,9 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name,
{
prs_struct hdr;
prs_struct hdr_rb;
+ prs_struct hdr_auth;
prs_struct auth_req;
+ prs_struct auth_ntlm;
prs_struct data;
prs_struct rdata;
prs_struct rparam;
@@ -592,15 +594,20 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name,
if (!valid_pipe_name(pipe_name, abstract, transfer)) return False;
- prs_init(&hdr , 0x10 , 4, 0x0 , False);
- prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False);
- prs_init(&auth_req, ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False);
+ prs_init(&hdr , 0x10 , 4, 0x0 , False);
+ prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False);
+ prs_init(&hdr_auth , ntlmssp_auth ? 8 : 0, 4, SAFETY_MARGIN, False);
+ prs_init(&auth_req , ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False);
+ prs_init(&auth_ntlm, ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False);
prs_init(&rdata , 0 , 4, SAFETY_MARGIN, True );
prs_init(&rparam, 0 , 4, SAFETY_MARGIN, True );
- create_rpc_bind_req(&hdr, &hdr_rb, ntlmssp_auth ? &auth_req : NULL,
- abstract, transfer, global_myname, global_myworkgroup);
+ create_rpc_bind_req(&hdr, &hdr_rb,
+ ntlmssp_auth ? &hdr_auth : NULL,
+ ntlmssp_auth ? &auth_req : NULL,
+ ntlmssp_auth ? &auth_ntlm : NULL,
+ abstract, transfer, global_myname, global_myworkgroup);
/* this is a hack due to limitations in rpc_api_pipe */
prs_init(&data, mem_buf_len(hdr.data), 4, 0x0, False);
@@ -609,7 +616,10 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name,
/* send data on \PIPE\. receive a response */
if (rpc_api_pipe(cli, 0x0026, NULL, &data, &rparam, &rdata))
{
- RPC_HDR_BA hdr_ba;
+ RPC_HDR_BA hdr_ba;
+ RPC_HDR_AUTH rhdr_auth;
+ RPC_AUTH_VERIFIER rhdr_verf;
+ RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
DEBUG(5, ("rpc_api_pipe: return OK\n"));
@@ -619,14 +629,33 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name,
{
valid_ack = check_bind_response(&hdr_ba, pipe_name, transfer);
}
+
+ if (valid_ack && ntlmssp_auth)
+ {
+ smb_io_rpc_hdr_auth("", &rhdr_auth, &rdata, 0);
+ if (rdata.offset == 0) valid_ack = False;
+ }
+
+ if (valid_ack && ntlmssp_auth)
+ {
+ smb_io_rpc_auth_verifier("", &rhdr_verf, &rdata, 0);
+ if (rdata.offset == 0) valid_ack = False;
+ }
+ if (valid_ack && ntlmssp_auth)
+ {
+ smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, &rdata, 0);
+ if (rdata.offset == 0) valid_ack = False;
+ }
}
- prs_mem_free(&data );
- prs_mem_free(&hdr );
- prs_mem_free(&hdr_rb );
- prs_mem_free(&auth_req);
- prs_mem_free(&rdata );
- prs_mem_free(&rparam );
+ prs_mem_free(&data );
+ prs_mem_free(&hdr );
+ prs_mem_free(&hdr_rb );
+ prs_mem_free(&hdr_auth );
+ prs_mem_free(&auth_req );
+ prs_mem_free(&auth_ntlm);
+ prs_mem_free(&rdata );
+ prs_mem_free(&rparam );
return valid_ack;
}
diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c
index 34f72596ce..d031a828f1 100644
--- a/source3/rpc_parse/parse_prs.c
+++ b/source3/rpc_parse/parse_prs.c
@@ -69,9 +69,11 @@ void prs_mem_free(prs_struct *ps)
/*******************************************************************
link one parsing structure to another
********************************************************************/
-void prs_link(prs_struct *ps, prs_struct const *const to)
+void prs_link(prs_struct *prev, prs_struct *ps, prs_struct *next)
{
- DEBUG(0,("NOT IMPLEMENTED\n"));
+ ps->data->offset.start = prev != NULL ? prev->data->offset.end : 0;
+ ps->data->offset.end = ps->data->offset.start + ps->offset;
+ ps->data->next = next != NULL ? next->data : NULL;
}
/*******************************************************************
@@ -236,7 +238,7 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str)
ps->offset += i*2;
- dump_data(5+depth, (char *)start, ps->offset);
+ dump_data(5+depth, (char *)start, i * 2);
return True;
}
@@ -277,7 +279,7 @@ BOOL prs_string(char *name, prs_struct *ps, int depth, char *str, uint16 len, ui
ps->offset += i+1;
- dump_data(5+depth, (char *)start, ps->offset);
+ dump_data(5+depth, (char *)start, i);
return True;
}
diff --git a/source3/rpc_parse/parse_rpc.c b/source3/rpc_parse/parse_rpc.c
index 90a013dc12..a1773bb827 100644
--- a/source3/rpc_parse/parse_rpc.c
+++ b/source3/rpc_parse/parse_rpc.c
@@ -416,6 +416,83 @@ void smb_io_rpc_hdr_resp(char *desc, RPC_HDR_RESP *rpc, prs_struct *ps, int dep
}
/*******************************************************************
+creates an RPC_HDR_AUTHA structure.
+********************************************************************/
+void make_rpc_hdr_autha(RPC_HDR_AUTHA *rai,
+ uint16 max_tsize, uint16 max_rsize,
+ uint8 auth_type, uint8 auth_level,
+ uint8 stub_type_len)
+{
+ if (rai == NULL) return;
+
+ rai->max_tsize = max_tsize; /* maximum transmission fragment size (0x1630) */
+ rai->max_rsize = max_rsize; /* max receive fragment size (0x1630) */
+
+ rai->auth_type = auth_type; /* nt lm ssp 0x0a */
+ rai->auth_level = auth_level; /* 0x06 */
+ rai->stub_type_len = stub_type_len; /* 0x00 */
+ rai->padding = 0; /* padding 0x00 */
+
+ rai->unknown = 0x0014a0c0; /* non-zero pointer to something */
+}
+
+/*******************************************************************
+reads or writes an RPC_HDR_AUTHA structure.
+********************************************************************/
+void smb_io_rpc_hdr_autha(char *desc, RPC_HDR_AUTHA *rai, prs_struct *ps, int depth)
+{
+ if (rai == NULL) return;
+
+ prs_debug(ps, depth, desc, "smb_io_rpc_hdr_autha");
+ depth++;
+
+ prs_uint16("max_tsize ", ps, depth, &(rai->max_tsize));
+ prs_uint16("max_rsize ", ps, depth, &(rai->max_rsize));
+
+ prs_uint8 ("auth_type ", ps, depth, &(rai->auth_type )); /* 0x0a nt lm ssp */
+ prs_uint8 ("auth_level ", ps, depth, &(rai->auth_level ));/* 0x06 */
+ prs_uint8 ("stub_type_len", ps, depth, &(rai->stub_type_len));
+ prs_uint8 ("padding ", ps, depth, &(rai->padding ));
+
+ prs_uint32("unknown ", ps, depth, &(rai->unknown )); /* 0x0014a0c0 */
+}
+
+/*******************************************************************
+creates an RPC_HDR_AUTH structure.
+********************************************************************/
+void make_rpc_hdr_auth(RPC_HDR_AUTH *rai,
+ uint8 auth_type, uint8 auth_level,
+ uint8 stub_type_len)
+{
+ if (rai == NULL) return;
+
+ rai->auth_type = auth_type; /* nt lm ssp 0x0a */
+ rai->auth_level = auth_level; /* 0x06 */
+ rai->stub_type_len = stub_type_len; /* 0x00 */
+ rai->padding = 0; /* padding 0x00 */
+
+ rai->unknown = 0x0014a0c0; /* non-zero pointer to something */
+}
+
+/*******************************************************************
+reads or writes an RPC_HDR_AUTH structure.
+********************************************************************/
+void smb_io_rpc_hdr_auth(char *desc, RPC_HDR_AUTH *rai, prs_struct *ps, int depth)
+{
+ if (rai == NULL) return;
+
+ prs_debug(ps, depth, desc, "smb_io_rpc_hdr_auth");
+ depth++;
+
+ prs_uint8 ("auth_type ", ps, depth, &(rai->auth_type )); /* 0x0a nt lm ssp */
+ prs_uint8 ("auth_level ", ps, depth, &(rai->auth_level ));/* 0x06 */
+ prs_uint8 ("stub_type_len", ps, depth, &(rai->stub_type_len));
+ prs_uint8 ("padding ", ps, depth, &(rai->padding ));
+
+ prs_uint32("unknown ", ps, depth, &(rai->unknown )); /* 0x0014a0c0 */
+}
+
+/*******************************************************************
creates an RPC_AUTH_NTLMSSP_NEG structure.
********************************************************************/
void make_rpc_auth_ntlmssp_neg(RPC_AUTH_NTLMSSP_NEG *neg,
@@ -459,19 +536,10 @@ void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_stru
creates an RPC_AUTH_VERIFIER structure.
********************************************************************/
void make_rpc_auth_verifier(RPC_AUTH_VERIFIER *rav,
- uint8 auth_type, uint8 auth_level,
- uint8 stub_type_len,
char *signature, uint32 msg_type)
{
if (rav == NULL) return;
- rav->auth_type = auth_type; /* nt lm ssp 0x0a */
- rav->auth_level = auth_level; /* 0x06 */
- rav->stub_type_len = stub_type_len; /* 0x00 */
- rav->padding = 0; /* padding 0x00 */
-
- rav->ptr_0 = 0x0014a0c0; /* non-zero pointer to something */
-
fstrcpy(rav->signature, signature); /* "NTLMSSP" */
rav->msg_type = msg_type; /* NTLMSSP_MESSAGE_TYPE */
}
@@ -486,13 +554,6 @@ void smb_io_rpc_auth_verifier(char *desc, RPC_AUTH_VERIFIER *rav, prs_struct *ps
prs_debug(ps, depth, desc, "smb_io_rpc_auth_verifier");
depth++;
- prs_uint8("auth_type ", ps, depth, &(rav->auth_type)); /* nt lm ssp 0x0a */
- prs_uint8("auth_level ", ps, depth, &(rav->auth_level));/* 0x06 */
- prs_uint8("stub_type_len", ps, depth, &(rav->stub_type_len));
- prs_uint8("padding ", ps, depth, &(rav->padding));
-
- prs_uint32("ptr_0", ps, depth, &(rav->ptr_0 )); /* non-zero pointer to something */
-
prs_string("signature", ps, depth, rav->signature, 0, sizeof(rav->signature)); /* "NTLMSSP" */
prs_uint32("msg_type ", ps, depth, &(rav->msg_type )); /* NTLMSSP_MESSAGE_TYPE */
}
@@ -511,9 +572,7 @@ void make_rpc_auth_ntlmssp_chal(RPC_AUTH_NTLMSSP_CHAL *chl,
chl->neg_flags = neg_flags; /* 0x0082b1 */
memcpy(chl->challenge, challenge, sizeof(chl->challenge));
-/*
bzero (chl->reserved , sizeof(chl->reserved));
- */
}
/*******************************************************************
@@ -531,19 +590,22 @@ void smb_io_rpc_auth_ntlmssp_chal(char *desc, RPC_AUTH_NTLMSSP_CHAL *chl, prs_st
prs_uint32("neg_flags", ps, depth, &(chl->neg_flags)); /* 0x0000 82b1 */
prs_uint8s (False, "challenge", ps, depth, chl->challenge, sizeof(chl->challenge));
-/*
prs_uint8s (False, "reserved ", ps, depth, chl->reserved , sizeof(chl->reserved ));
- */
}
/*******************************************************************
creates an RPC_AUTH_NTLMSSP_RESP structure.
+
+*** lkclXXXX FUDGE! HAVE TO MANUALLY SPECIFY OFFSET HERE (0x1c bytes) ***
+*** lkclXXXX the actual offset is at the start of the auth verifier ***
+
********************************************************************/
void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp,
uchar lm_resp[24], uchar nt_resp[24],
char *domain, char *user, char *wks,
uint32 neg_flags)
{
+ uint32 offset;
int dom_len = strlen(domain) * 2;
int wks_len = strlen(wks ) * 2;
int usr_len = strlen(user ) * 2;
@@ -552,12 +614,24 @@ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp,
if (rsp == NULL) return;
- make_str_hdr(&rsp->hdr_lm_resp, lm_len, lm_len, 1);
- make_str_hdr(&rsp->hdr_nt_resp, nt_len, nt_len, 1);
- make_str_hdr(&rsp->hdr_domain , dom_len, dom_len, 1);
- make_str_hdr(&rsp->hdr_usr , usr_len, usr_len, 1);
- make_str_hdr(&rsp->hdr_wks , wks_len, wks_len, 1);
- make_str_hdr(&rsp->hdr_sess_key, 0, 0, 1);
+ offset = 0x40;
+
+ make_str_hdr(&rsp->hdr_lm_resp, lm_len, lm_len, offset);
+ offset += lm_len * 2;
+
+ make_str_hdr(&rsp->hdr_nt_resp, nt_len, nt_len, offset);
+ offset += nt_len * 2;
+
+ make_str_hdr(&rsp->hdr_domain , dom_len, dom_len, offset);
+ offset += dom_len * 2;
+
+ make_str_hdr(&rsp->hdr_usr , usr_len, usr_len, offset);
+ offset += usr_len * 2;
+
+ make_str_hdr(&rsp->hdr_wks , wks_len, wks_len, offset);
+ offset += wks_len * 2;
+
+ make_str_hdr(&rsp->hdr_sess_key, 0, 0, offset);
rsp->neg_flags = neg_flags;
@@ -573,6 +647,10 @@ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp,
/*******************************************************************
reads or writes an RPC_AUTH_NTLMSSP_RESP structure.
+
+*** lkclXXXX FUDGE! HAVE TO MANUALLY SPECIFY OFFSET HERE (0x1c bytes) ***
+*** lkclXXXX the actual offset is at the start of the auth verifier ***
+
********************************************************************/
void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_struct *ps, int depth)
{
@@ -581,21 +659,71 @@ void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_st
prs_debug(ps, depth, desc, "smb_io_rpc_auth_ntlmssp_resp");
depth++;
- smb_io_strhdr("hdr_lm_resp ", &rsp->hdr_lm_resp , ps, depth);
- smb_io_strhdr("hdr_nt_resp ", &rsp->hdr_nt_resp , ps, depth);
- smb_io_strhdr("hdr_domain ", &rsp->hdr_domain , ps, depth);
- smb_io_strhdr("hdr_user ", &rsp->hdr_usr , ps, depth);
- smb_io_strhdr("hdr_wks ", &rsp->hdr_wks , ps, depth);
- smb_io_strhdr("hdr_sess_key", &rsp->hdr_sess_key, ps, depth);
-
- prs_uint32("neg_flags", ps, depth, &(rsp->neg_flags)); /* 0x0000 82b1 */
-
- prs_string("sess_key", ps, depth, rsp->sess_key, rsp->hdr_sess_key.str_str_len, sizeof(rsp->sess_key));
- prs_string("wks ", ps, depth, rsp->wks , rsp->hdr_wks .str_str_len, sizeof(rsp->wks ));
- prs_string("user ", ps, depth, rsp->user , rsp->hdr_usr .str_str_len, sizeof(rsp->user ));
- prs_string("domain ", ps, depth, rsp->domain , rsp->hdr_domain .str_str_len, sizeof(rsp->domain ));
- prs_string("nt_resp ", ps, depth, rsp->nt_resp , rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp ));
- prs_string("lm_resp ", ps, depth, rsp->lm_resp , rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp ));
+ ZERO_STRUCTP(rsp);
+
+ if (ps->io)
+ {
+ uint32 old_offset;
+ /* reading */
+ smb_io_strhdr("hdr_lm_resp ", &rsp->hdr_lm_resp , ps, depth);
+ smb_io_strhdr("hdr_nt_resp ", &rsp->hdr_nt_resp , ps, depth);
+ smb_io_strhdr("hdr_domain ", &rsp->hdr_domain , ps, depth);
+ smb_io_strhdr("hdr_user ", &rsp->hdr_usr , ps, depth);
+ smb_io_strhdr("hdr_wks ", &rsp->hdr_wks , ps, depth);
+ smb_io_strhdr("hdr_sess_key", &rsp->hdr_sess_key, ps, depth);
+
+ prs_uint32("neg_flags", ps, depth, &(rsp->neg_flags)); /* 0x0000 82b1 */
+
+ old_offset = ps->offset;
+
+ ps->offset = rsp->hdr_lm_resp .buffer + 0x1c;
+ prs_uint8s(False, "lm_resp ", ps, depth, rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp )));
+ old_offset += rsp->hdr_lm_resp .str_str_len;
+
+ ps->offset = rsp->hdr_nt_resp .buffer + 0x1c;
+ prs_uint8s(False, "nt_resp ", ps, depth, rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp )));
+ old_offset += rsp->hdr_nt_resp .str_str_len;
+
+ ps->offset = rsp->hdr_domain .buffer + 0x1c;
+ prs_uint8s(True , "domain ", ps, depth, rsp->domain , MIN(rsp->hdr_domain .str_str_len, sizeof(rsp->domain )));
+ old_offset += rsp->hdr_domain .str_str_len;
+
+ ps->offset = rsp->hdr_usr .buffer + 0x1c;
+ prs_uint8s(True , "user ", ps, depth, rsp->user , MIN(rsp->hdr_usr .str_str_len, sizeof(rsp->user )));
+ old_offset += rsp->hdr_usr .str_str_len;
+
+ ps->offset = rsp->hdr_wks .buffer + 0x1c;
+ prs_uint8s(True , "wks ", ps, depth, rsp->wks , MIN(rsp->hdr_wks .str_str_len, sizeof(rsp->wks )));
+ old_offset += rsp->hdr_wks .str_str_len;
+
+ if (rsp->hdr_sess_key.str_str_len != 0)
+ {
+ ps->offset = rsp->hdr_sess_key.buffer + 0x1c;
+ old_offset += rsp->hdr_sess_key.str_str_len;
+ prs_uint8s(False, "sess_key", ps, depth, rsp->sess_key, MIN(rsp->hdr_sess_key.str_str_len, sizeof(rsp->sess_key)));
+ }
+
+ ps->offset = old_offset;
+ }
+ else
+ {
+ /* writing */
+ smb_io_strhdr("hdr_lm_resp ", &rsp->hdr_lm_resp , ps, depth);
+ smb_io_strhdr("hdr_nt_resp ", &rsp->hdr_nt_resp , ps, depth);
+ smb_io_strhdr("hdr_domain ", &rsp->hdr_domain , ps, depth);
+ smb_io_strhdr("hdr_user ", &rsp->hdr_usr , ps, depth);
+ smb_io_strhdr("hdr_wks ", &rsp->hdr_wks , ps, depth);
+ smb_io_strhdr("hdr_sess_key", &rsp->hdr_sess_key, ps, depth);
+
+ prs_uint32("neg_flags", ps, depth, &(rsp->neg_flags)); /* 0x0000 82b1 */
+
+ prs_uint8s(False, "sess_key", ps, depth, rsp->sess_key, MIN(rsp->hdr_sess_key.str_str_len, sizeof(rsp->sess_key)));
+ prs_uint8s(True , "wks ", ps, depth, rsp->wks , MIN(rsp->hdr_wks .str_str_len, sizeof(rsp->wks )));
+ prs_uint8s(True , "user ", ps, depth, rsp->user , MIN(rsp->hdr_usr .str_str_len, sizeof(rsp->user )));
+ prs_uint8s(True , "domain ", ps, depth, rsp->domain , MIN(rsp->hdr_domain .str_str_len, sizeof(rsp->domain )));
+ prs_uint8s(False, "nt_resp ", ps, depth, rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp )));
+ prs_uint8s(False, "lm_resp ", ps, depth, rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp )));
+ }
}
#if 0
diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
index e898a8606f..31ca1a7c20 100644
--- a/source3/rpc_server/srv_pipe_hnd.c
+++ b/source3/rpc_server/srv_pipe_hnd.c
@@ -155,15 +155,33 @@ pipes_struct *open_rpc_pipe_p(char *pipe_name,
/****************************************************************************
writes data to a pipe.
+
+ SERIOUSLY ALPHA CODE!
****************************************************************************/
int write_pipe(pipes_struct *p, char *data, int n)
{
+ prs_struct pd;
+ struct mem_buf data_buf;
+
DEBUG(6,("write_pipe: %x", p->pnum));
DEBUG(6,("name: %s open: %s len: %d",
p->name, BOOLSTR(p->open), n));
- return -1;
+ dump_data(50, data, n);
+
+ /* fake up a data buffer from the write_pipe data parameters */
+ mem_create(&data_buf, data, n, 0, False);
+ data_buf.offset.start = 0;
+ data_buf.offset.end = n;
+
+ /* fake up a parsing structure */
+ pd.data = &data_buf;
+ pd.align = 4;
+ pd.io = True;
+ pd.offset = 0;
+
+ return rpc_command(p, &pd) ? n : -1;
}
diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c
index fc78c656fd..520a9cc02a 100644
--- a/source3/rpc_server/srv_util.c
+++ b/source3/rpc_server/srv_util.c
@@ -209,6 +209,284 @@ BOOL create_rpc_reply(pipes_struct *p,
}
+static BOOL api_pipe_ntlmssp(pipes_struct *p, prs_struct *pd)
+{
+ /* receive a negotiate; send a challenge; receive a response */
+ switch (p->auth_verifier.msg_type)
+ {
+ case NTLMSSP_NEGOTIATE:
+ {
+ smb_io_rpc_auth_ntlmssp_neg("", &p->ntlmssp_neg, pd, 0);
+ break;
+ }
+ case NTLMSSP_AUTH:
+ {
+ smb_io_rpc_auth_ntlmssp_resp("", &p->ntlmssp_resp, pd, 0);
+ break;
+ }
+ default:
+ {
+ /* NTLMSSP expected: unexpected message type */
+ DEBUG(3,("unexpected message type in NTLMSSP %d\n",
+ p->auth_verifier.msg_type));
+ return False;
+ }
+ }
+
+ return (pd->offset != 0);
+}
+
+struct api_cmd
+{
+ char * pipe_clnt_name;
+ char * pipe_srv_name;
+ BOOL (*fn) (pipes_struct *, prs_struct *);
+};
+
+static struct api_cmd api_fd_commands[] =
+{
+ { "lsarpc", "lsass", api_ntlsa_rpc },
+ { "samr", "lsass", api_samr_rpc },
+ { "srvsvc", "ntsvcs", api_srvsvc_rpc },
+ { "wkssvc", "ntsvcs", api_wkssvc_rpc },
+ { "NETLOGON", "lsass", api_netlog_rpc },
+ { "winreg", "winreg", api_reg_rpc },
+ { NULL, NULL, NULL }
+};
+
+static BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *pd)
+{
+ p->ntlmssp_auth = False;
+
+ DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
+
+ if (p->hdr.auth_len != 0)
+ {
+ /* decode the authentication verifier response */
+ smb_io_rpc_hdr_autha("", &p->autha_info, pd, 0);
+ if (pd->offset == 0) return False;
+
+ p->ntlmssp_auth = p->auth_info.auth_type = 0x0a;
+
+ if (p->ntlmssp_auth)
+ {
+ smb_io_rpc_auth_verifier("", &p->auth_verifier, pd, 0);
+ if (pd->offset == 0) return False;
+
+ p->ntlmssp_auth = strequal(p->auth_verifier.signature, "NTLMSSP");
+ }
+
+ if (p->ntlmssp_auth)
+ {
+ if (!api_pipe_ntlmssp(p, pd)) return False;
+ }
+ }
+
+ return p->ntlmssp_auth;
+}
+
+static BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *pd)
+{
+ uint16 assoc_gid;
+ fstring ack_pipe_name;
+ int i = 0;
+
+ p->ntlmssp_auth = False;
+
+ DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
+
+ for (i = 0; api_fd_commands[i].pipe_clnt_name; i++)
+ {
+ if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
+ api_fd_commands[i].fn != NULL)
+ {
+ DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
+ api_fd_commands[i].pipe_clnt_name,
+ api_fd_commands[i].pipe_srv_name));
+ fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
+ break;
+ }
+ }
+
+ if (api_fd_commands[i].fn == NULL) return False;
+
+ /* decode the bind request */
+ smb_io_rpc_hdr_rb("", &p->hdr_rb, pd, 0);
+
+ if (pd->offset == 0) return False;
+
+ if (p->hdr.auth_len != 0)
+ {
+ /* decode the authentication verifier */
+ smb_io_rpc_hdr_auth ("", &p->auth_info , pd, 0);
+ if (pd->offset == 0) return False;
+
+ p->ntlmssp_auth = p->auth_info.auth_type = 0x0a;
+
+ if (p->ntlmssp_auth)
+ {
+ smb_io_rpc_auth_verifier("", &p->auth_verifier, pd, 0);
+ if (pd->offset == 0) return False;
+
+ p->ntlmssp_auth = strequal(p->auth_verifier.signature, "NTLMSSP");
+ }
+
+ if (p->ntlmssp_auth)
+ {
+ if (!api_pipe_ntlmssp(p, pd)) return False;
+ }
+ }
+
+ /* name has to be \PIPE\xxxxx */
+ fstrcpy(ack_pipe_name, "\\PIPE\\");
+ fstrcat(ack_pipe_name, p->pipe_srv_name);
+
+ DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
+
+ prs_init(&(p->rdata), 1024, 4, 0, False);
+ prs_init(&(p->rhdr ), 0x10, 4, 0, False);
+ prs_init(&(p->rauth), 1024, 4, 0, False);
+ prs_init(&(p->rverf), 0x08, 4, 0, False);
+ prs_init(&(p->rntlm), 1024, 4, 0, False);
+
+ /***/
+ /*** do the bind ack first ***/
+ /***/
+
+ if (p->ntlmssp_auth)
+ {
+ assoc_gid = 0x7a77;
+ }
+ else
+ {
+ assoc_gid = p->hdr_rb.bba.assoc_gid;
+ }
+
+ make_rpc_hdr_ba(&p->hdr_ba,
+ p->hdr_rb.bba.max_tsize,
+ p->hdr_rb.bba.max_rsize,
+ assoc_gid,
+ ack_pipe_name,
+ 0x1, 0x0, 0x0,
+ &(p->hdr_rb.transfer));
+
+ smb_io_rpc_hdr_ba("", &p->hdr_ba, &p->rdata, 0);
+ mem_realloc_data(p->rdata.data, p->rdata.offset);
+
+ /***/
+ /*** now the authentication ***/
+ /***/
+
+ if (p->ntlmssp_auth)
+ {
+ uint8 challenge[8];
+ generate_random_buffer(challenge, 8, False);
+
+ /*** authentication info ***/
+
+ make_rpc_hdr_auth(&p->auth_info,
+ 0x0a, 0x06, 0);
+ smb_io_rpc_hdr_auth("", &p->auth_info, &p->rverf, 0);
+ mem_realloc_data(p->rverf.data, p->rverf.offset);
+
+ /*** NTLMSSP verifier ***/
+
+ make_rpc_auth_verifier(&p->auth_verifier,
+ "NTLMSSP", NTLMSSP_CHALLENGE);
+ smb_io_rpc_auth_verifier("", &p->auth_verifier, &p->rauth, 0);
+ mem_realloc_data(p->rauth.data, p->rauth.offset);
+
+ /* NTLMSSP challenge ***/
+
+ make_rpc_auth_ntlmssp_chal(&p->ntlmssp_chal,
+ 0x000082b1, challenge);
+ smb_io_rpc_auth_ntlmssp_chal("", &p->ntlmssp_chal, &p->rntlm, 0);
+ mem_realloc_data(p->rntlm.data, p->rntlm.offset);
+ }
+
+ /***/
+ /*** then do the header, now we know the length ***/
+ /***/
+
+ make_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
+ p->hdr.call_id,
+ p->rdata.offset + p->rverf.offset + p->rauth.offset + p->rntlm.offset + 0x10,
+ p->rauth.offset + p->rntlm.offset);
+
+ smb_io_rpc_hdr("", &p->hdr, &p->rhdr, 0);
+ mem_realloc_data(p->rhdr.data, p->rdata.offset);
+
+ /***/
+ /*** link rpc header, bind acknowledgment and authentication responses ***/
+ /***/
+
+ if (p->ntlmssp_auth)
+ {
+ prs_link(NULL , &p->rhdr , &p->rdata);
+ prs_link(&p->rhdr , &p->rdata, &p->rverf);
+ prs_link(&p->rdata, &p->rverf, &p->rauth);
+ prs_link(&p->rverf, &p->rauth, &p->rntlm);
+ prs_link(&p->rauth, &p->rntlm, NULL );
+ }
+ else
+ {
+ prs_link(NULL , &p->rhdr , &p->rdata);
+ prs_link(&p->rhdr, &p->rdata, NULL );
+ }
+
+ return True;
+}
+
+static BOOL api_pipe_request(pipes_struct *p, prs_struct *pd)
+{
+ int i = 0;
+
+ for (i = 0; api_fd_commands[i].pipe_clnt_name; i++)
+ {
+ if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
+ api_fd_commands[i].fn != NULL)
+ {
+ DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
+ return api_fd_commands[i].fn(p, pd);
+ }
+ }
+ return False;
+}
+
+BOOL rpc_command(pipes_struct *p, prs_struct *pd)
+{
+ BOOL reply = False;
+ if (pd->data == NULL) return False;
+
+ /* process the rpc header */
+ smb_io_rpc_hdr("", &p->hdr, pd, 0);
+
+ if (pd->offset == 0) return False;
+
+ switch (p->hdr.pkt_type)
+ {
+ case RPC_BIND :
+ {
+ reply = api_pipe_bind_req(p, pd);
+ break;
+ }
+ case RPC_REQUEST:
+ {
+ reply = api_pipe_request (p, pd);
+ break;
+ }
+ case RPC_BINDRESP: /* not the real name! */
+ {
+ reply = api_pipe_bind_auth_resp(p, pd);
+ break;
+ }
+ }
+
+
+ return reply;
+}
+
+
/*******************************************************************
receives a netlogon pipe and responds.
********************************************************************/
@@ -256,7 +534,7 @@ static BOOL api_rpc_command(pipes_struct *p,
mem_realloc_data(p->rdata.data, p->rdata.offset);
- DEBUG(10,("called %s\n", rpc_name));
+ DEBUG(10,("called %s\n", rpc_name));
return True;
}
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index c0ce190023..c647a5de3e 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -3110,251 +3110,18 @@ static BOOL api_WPrintPortEnum(connection_struct *conn,uint16 vuid, char *param,
return(True);
}
-static BOOL api_pipe_ntlmssp(pipes_struct *p, prs_struct *pd)
-{
- /* receive a negotiate; send a challenge; receive a response */
- switch (p->auth_verifier.msg_type)
- {
- case NTLMSSP_NEGOTIATE:
- {
- smb_io_rpc_auth_ntlmssp_neg("", &p->ntlmssp_neg, pd, 0);
- break;
- }
- case NTLMSSP_AUTH:
- {
- smb_io_rpc_auth_ntlmssp_resp("", &p->ntlmssp_resp, pd, 0);
- break;
- }
- default:
- {
- /* NTLMSSP expected: unexpected message type */
- DEBUG(3,("unexpected message type in NTLMSSP %d\n",
- p->auth_verifier.msg_type));
- return False;
- }
- }
-
- return (pd->offset != 0);
-}
-
-struct api_cmd
-{
- char * pipe_clnt_name;
- char * pipe_srv_name;
- BOOL (*fn) (pipes_struct *, prs_struct *);
-};
-
-static struct api_cmd api_fd_commands[] =
-{
- { "lsarpc", "lsass", api_ntlsa_rpc },
- { "samr", "lsass", api_samr_rpc },
- { "srvsvc", "ntsvcs", api_srvsvc_rpc },
- { "wkssvc", "ntsvcs", api_wkssvc_rpc },
- { "NETLOGON", "lsass", api_netlog_rpc },
- { "winreg", "winreg", api_reg_rpc },
- { NULL, NULL, NULL }
-};
-
-static BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *pd)
-{
- BOOL ntlmssp_auth = False;
- uint16 assoc_gid;
- fstring ack_pipe_name;
- int i = 0;
-
- DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
-
- for (i = 0; api_fd_commands[i].pipe_clnt_name; i++)
- {
- if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
- api_fd_commands[i].fn != NULL)
- {
- DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
- api_fd_commands[i].pipe_clnt_name,
- api_fd_commands[i].pipe_srv_name));
- fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
- break;
- }
- }
-
- if (api_fd_commands[i].fn == NULL) return False;
-
- /* decode the bind request */
- smb_io_rpc_hdr_rb("", &p->hdr_rb, pd, 0);
-
- if (pd->offset == 0) return False;
-
- if (p->hdr.auth_len != 0)
- {
- /* decode the authentication verifier */
- smb_io_rpc_auth_verifier("", &p->auth_verifier, pd, 0);
-
- if (pd->offset == 0) return False;
-
- ntlmssp_auth = strequal(p->auth_verifier.signature, "NTLMSSP");
-
- if (ntlmssp_auth)
- {
- if (!api_pipe_ntlmssp(p, pd)) return False;
- }
- }
-
- /* name has to be \PIPE\xxxxx */
- fstrcpy(ack_pipe_name, "\\PIPE\\");
- fstrcat(ack_pipe_name, p->pipe_srv_name);
-
- DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
-
- prs_init(&(p->rdata), 1024, 4, 0, False);
- prs_init(&(p->rhdr ), 0x10, 4, 0, False);
- prs_init(&(p->rauth), 1024, 4, 0, False);
- prs_init(&(p->rntlm), 1024, 4, 0, False);
-
- /***/
- /*** do the bind ack first ***/
- /***/
-
- if (ntlmssp_auth)
- {
- assoc_gid = 0x7a77;
- }
- else
- {
- assoc_gid = p->hdr_rb.bba.assoc_gid;
- }
-
- make_rpc_hdr_ba(&p->hdr_ba,
- p->hdr_rb.bba.max_tsize,
- p->hdr_rb.bba.max_rsize,
- assoc_gid,
- ack_pipe_name,
- 0x1, 0x0, 0x0,
- &(p->hdr_rb.transfer));
-
- smb_io_rpc_hdr_ba("", &p->hdr_ba, &p->rdata, 0);
- mem_realloc_data(p->rdata.data, p->rdata.offset);
-
- /***/
- /*** now the authentication ***/
- /***/
-
- if (ntlmssp_auth)
- {
- uint8 challenge[8];
- generate_random_buffer(challenge, 8, False);
-
- make_rpc_auth_verifier(&p->auth_verifier,
- 0x0a, 0x06, 0,
- "NTLMSSP", NTLMSSP_CHALLENGE);
- smb_io_rpc_auth_verifier("", &p->auth_verifier, &p->rauth, 0);
- mem_realloc_data(p->rauth.data, p->rauth.offset);
-
- make_rpc_auth_ntlmssp_chal(&p->ntlmssp_chal,
- 0x000082b1, challenge);
- smb_io_rpc_auth_ntlmssp_chal("", &p->ntlmssp_chal, &p->rntlm, 0);
- mem_realloc_data(p->rntlm.data, p->rntlm.offset);
- }
-
- /***/
- /*** then do the header, now we know the length ***/
- /***/
-
- make_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
- p->hdr.call_id,
- p->rdata.offset + p->rauth.offset + p->rntlm.offset + 0x10,
- p->rauth.offset + p->rntlm.offset);
-
- smb_io_rpc_hdr("", &p->hdr, &p->rhdr, 0);
- mem_realloc_data(p->rhdr.data, p->rdata.offset);
-
- /***/
- /*** link rpc header, bind acknowledgment and authentication responses ***/
- /***/
-
- p->rhdr.data->offset.start = 0;
- p->rhdr.data->offset.end = p->rhdr.offset;
- p->rhdr.data->next = p->rdata.data;
-
- if (ntlmssp_auth)
- {
- p->rdata.data->offset.start = p->rhdr.offset;
- p->rdata.data->offset.end = p->rhdr.offset + p->rdata.offset;
- p->rdata.data->next = p->rauth.data;
-
- p->rauth.data->offset.start = p->rhdr.offset + p->rdata.offset;
- p->rauth.data->offset.end = p->rhdr.offset + p->rdata.offset + p->rauth.offset;
- p->rauth.data->next = p->rntlm.data;
-
- p->rntlm.data->offset.start = p->rhdr.offset + p->rdata.offset + p->rauth.offset;
- p->rntlm.data->offset.end = p->rhdr.offset + p->rdata.offset + p->rauth.offset + p->rntlm.offset;
- p->rntlm.data->next = NULL;
- }
- else
- {
- p->rdata.data->offset.start = p->rhdr.offset;
- p->rdata.data->offset.end = p->rhdr.offset + p->rdata.offset;
- p->rdata.data->next = NULL;
- }
-
- return True;
-}
-
-static BOOL api_pipe_request(pipes_struct *p, prs_struct *pd)
-{
- int i = 0;
-
- for (i = 0; api_fd_commands[i].pipe_clnt_name; i++)
- {
- if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
- api_fd_commands[i].fn != NULL)
- {
- DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
- return api_fd_commands[i].fn(p, pd);
- }
- }
- return False;
-}
-
-static BOOL api_dce_rpc_command(char *outbuf,
+static void api_rpc_trans_reply(char *outbuf,
pipes_struct *p,
prs_struct *pd)
{
- BOOL reply = False;
- if (pd->data == NULL) return False;
-
- /* process the rpc header */
- smb_io_rpc_hdr("", &p->hdr, pd, 0);
-
- if (pd->offset == 0) return False;
+ send_trans_reply(outbuf, p->rhdr.data, NULL, NULL, 0, p->file_offset);
- switch (p->hdr.pkt_type)
+ if (mem_buf_len(p->rhdr.data) <= p->file_offset)
{
- case RPC_BIND :
- {
- reply = api_pipe_bind_req(p, pd);
- break;
- }
- case RPC_REQUEST:
- {
- reply = api_pipe_request (p, pd);
- break;
- }
+ /* all of data was sent: no need to wait for SMBreadX calls */
+ mem_free_data(p->rhdr .data);
+ mem_free_data(p->rdata.data);
}
-
- if (reply)
- {
- /* now send the reply */
- send_trans_reply(outbuf, p->rhdr.data, NULL, NULL, 0, p->file_offset);
-
- if (mem_buf_len(p->rhdr.data) <= p->file_offset)
- {
- /* all of data was sent: no need to wait for SMBreadX calls */
- mem_free_data(p->rhdr .data);
- mem_free_data(p->rdata.data);
- }
- }
-
- return reply;
}
/****************************************************************************
@@ -3463,7 +3230,11 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf,
case 0x26:
{
/* dce/rpc command */
- reply = api_dce_rpc_command(outbuf, p, &pd);
+ reply = rpc_command(p, &pd);
+ if (reply)
+ {
+ api_rpc_trans_reply(outbuf, p, &pd);
+ }
break;
}
case 0x01:
diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c
index 00eec4e0e3..65da9337b2 100644
--- a/source3/smbd/pipes.c
+++ b/source3/smbd/pipes.c
@@ -123,7 +123,7 @@ int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize)
if (!p) return(ERROR(ERRDOS,ERRbadfid));
- data = smb_buf(inbuf) + smb_doff;
+ data = smb_base(inbuf) + smb_doff;
if (numtowrite == 0)
{
generated by cgit (git 2.34.1) at 2024-07-03 19:39:51 +0000