2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 #define DBGC_CLASS DBGC_RPC_SRV
46 /*************************************************************
48 We need to transfer the session key from one rpc bind to the
49 next. This is the way the netlogon schannel works.
50 **************************************************************/
51 struct dcinfo last_dcinfo;
53 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
55 unsigned char *hash = p->ntlmssp_hash;
56 unsigned char index_i = hash[256];
57 unsigned char index_j = hash[257];
60 for( ind = 0; ind < len; ind++) {
65 index_j += hash[index_i];
68 hash[index_i] = hash[index_j];
71 t = hash[index_i] + hash[index_j];
72 data[ind] = data[ind] ^ hash[t];
79 /*******************************************************************
80 Generate the next PDU to be returned from the data in p->rdata.
81 We cheat here as this function doesn't handle the special auth
82 footers of the authenticated bind response reply.
83 ********************************************************************/
85 BOOL create_next_pdu(pipes_struct *p)
87 RPC_HDR_RESP hdr_resp;
88 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
89 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
90 uint32 ss_padding_len = 0;
92 uint32 data_space_available;
94 prs_struct outgoing_pdu;
98 * If we're in the fault state, keep returning fault PDU's until
99 * the pipe gets closed. JRA.
103 setup_fault_pdu(p, NT_STATUS(0x1c010002));
107 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
109 /* Change the incoming request header to a response. */
110 p->hdr.pkt_type = RPC_RESPONSE;
112 /* Set up rpc header flags. */
113 if (p->out_data.data_sent_length == 0) {
114 p->hdr.flags = RPC_FLG_FIRST;
120 * Work out how much we can fit in a single PDU.
123 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
124 if(p->ntlmssp_auth_validated) {
125 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
126 } else if(p->netsec_auth_validated) {
127 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN);
131 * The amount we send is the minimum of the available
132 * space and the amount left to send.
135 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
138 * Ensure there really is data left to send.
142 DEBUG(0,("create_next_pdu: no data left to send !\n"));
146 data_len = MIN(data_len_left, data_space_available);
149 * Set up the alloc hint. This should be the data left to
153 hdr_resp.alloc_hint = data_len_left;
156 * Work out if this PDU will be the last.
159 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
160 p->hdr.flags |= RPC_FLG_LAST;
161 if ((auth_seal || auth_verify) && (data_len_left % 8)) {
162 ss_padding_len = 8 - (data_len_left % 8);
163 DEBUG(10,("create_next_pdu: adding sign/seal padding of %u\n",
169 * Set up the header lengths.
172 if (p->ntlmssp_auth_validated) {
173 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
174 data_len + ss_padding_len +
175 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
176 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
177 } else if (p->netsec_auth_validated) {
178 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
179 data_len + ss_padding_len +
180 RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
181 p->hdr.auth_len = RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
183 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
188 * Init the parse struct to point at the outgoing
192 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
193 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
195 /* Store the header in the data stream. */
196 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
197 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
198 prs_mem_free(&outgoing_pdu);
202 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
203 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
204 prs_mem_free(&outgoing_pdu);
208 /* Store the current offset. */
209 data_pos = prs_offset(&outgoing_pdu);
211 /* Copy the data into the PDU. */
213 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
214 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
215 prs_mem_free(&outgoing_pdu);
219 /* Copy the sign/seal padding data. */
220 if (ss_padding_len) {
222 memset(pad, '\0', 8);
223 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
224 DEBUG(0,("create_next_pdu: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
225 prs_mem_free(&outgoing_pdu);
230 if (p->ntlmssp_auth_validated) {
232 * NTLMSSP processing. Mutually exclusive with Schannel.
237 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
238 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len + ss_padding_len, p->hdr.auth_len));
241 * Set data to point to where we copied the data into.
244 data = prs_data_p(&outgoing_pdu) + data_pos;
247 crc32 = crc32_calc_buffer(data, data_len + ss_padding_len);
248 NTLMSSPcalc_p(p, (uchar*)data, data_len + ss_padding_len);
251 if (auth_seal || auth_verify) {
252 RPC_HDR_AUTH auth_info;
254 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE,
255 auth_seal ? RPC_PIPE_AUTH_SEAL_LEVEL : RPC_PIPE_AUTH_SIGN_LEVEL,
256 (auth_verify ? ss_padding_len : 0), (auth_verify ? 1 : 0));
257 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
258 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
259 prs_mem_free(&outgoing_pdu);
265 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
266 char *auth_data = prs_data_p(&outgoing_pdu);
268 p->ntlmssp_seq_num++;
269 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
270 crc32, p->ntlmssp_seq_num++);
271 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
272 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
273 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
274 prs_mem_free(&outgoing_pdu);
277 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
279 } else if (p->netsec_auth_validated) {
281 * Schannel processing. Mutually exclusive with NTLMSSP.
283 int auth_type, auth_level;
285 RPC_HDR_AUTH auth_info;
287 RPC_AUTH_NETSEC_CHK verf;
291 data = prs_data_p(&outgoing_pdu) + data_pos;
292 /* Check it's the type of reply we were expecting to decode */
294 get_auth_type_level(p->netsec_auth.auth_flags, &auth_type, &auth_level);
295 init_rpc_hdr_auth(&auth_info, auth_type, auth_level,
298 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
299 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
300 prs_mem_free(&outgoing_pdu);
304 prs_init(&rverf, 0, p->mem_ctx, MARSHALL);
305 prs_init(&rauth, 0, p->mem_ctx, MARSHALL);
307 netsec_encode(&p->netsec_auth,
308 p->netsec_auth.auth_flags,
310 &verf, data, data_len + ss_padding_len);
312 smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
313 &verf, &outgoing_pdu, 0);
315 p->netsec_auth.seq_num++;
319 * Setup the counts for this PDU.
322 p->out_data.data_sent_length += data_len;
323 p->out_data.current_pdu_len = p->hdr.frag_len;
324 p->out_data.current_pdu_sent = 0;
326 prs_mem_free(&outgoing_pdu);
330 /*******************************************************************
331 Process an NTLMSSP authentication response.
332 If this function succeeds, the user has been authenticated
333 and their domain, name and calling workstation stored in
335 The initial challenge is stored in p->challenge.
336 *******************************************************************/
338 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
350 struct auth_context *auth_context = NULL;
351 auth_usersupplied_info *user_info = NULL;
352 auth_serversupplied_info *server_info = NULL;
354 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
356 memset(p->user_name, '\0', sizeof(p->user_name));
357 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
358 memset(p->domain, '\0', sizeof(p->domain));
359 memset(p->wks, '\0', sizeof(p->wks));
361 /* Set up for non-authenticated user. */
362 delete_nt_token(&p->pipe_user.nt_user_token);
363 p->pipe_user.ngroups = 0;
364 SAFE_FREE( p->pipe_user.groups);
367 * Setup an empty password for a guest user.
371 * We always negotiate UNICODE.
374 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
375 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
376 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
377 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
379 pull_ascii_fstring(user_name, ntlmssp_resp->user);
380 pull_ascii_fstring(domain, ntlmssp_resp->domain);
381 pull_ascii_fstring(wks, ntlmssp_resp->wks);
384 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
386 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
387 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
389 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
390 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
392 #ifdef DEBUG_PASSWORD
393 DEBUG(100,("lm, nt owfs, chal\n"));
394 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
395 dump_data(100, (char *)nt_owf, nt_pw_len);
396 dump_data(100, (char *)p->challenge, 8);
400 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
406 * Do the length checking only if user is not NULL.
409 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
411 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
413 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
415 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
417 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
422 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
424 if (!make_user_info_netlogon_network(&user_info,
425 user_name, domain, wks,
427 nt_owf, nt_pw_len)) {
428 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
432 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
434 (auth_context->free)(&auth_context);
435 free_user_info(&user_info);
437 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
439 if (!p->ntlmssp_auth_validated) {
440 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
441 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
442 free_server_info(&server_info);
447 * Set up the sign/seal data.
450 if (server_info->lm_session_key.length != 16) {
451 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
452 succeeded authentication on named pipe %s, but session key was of incorrect length [%u].\n",
453 domain, user_name, wks, p->name, server_info->lm_session_key.length));
454 free_server_info(&server_info);
458 NTLMSSPOWFencrypt(server_info->lm_session_key.data, lm_owf, p24);
470 for (ind = 0; ind < 256; ind++)
471 p->ntlmssp_hash[ind] = (unsigned char)ind;
473 for( ind = 0; ind < 256; ind++) {
476 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
478 tc = p->ntlmssp_hash[ind];
479 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
480 p->ntlmssp_hash[j] = tc;
483 p->ntlmssp_hash[256] = 0;
484 p->ntlmssp_hash[257] = 0;
487 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
488 sizeof(p->ntlmssp_hash));
490 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
491 p->ntlmssp_seq_num = 0;
495 fstrcpy(p->user_name, user_name);
496 fstrcpy(p->pipe_user_name, server_info->unix_name);
497 fstrcpy(p->domain, domain);
498 fstrcpy(p->wks, wks);
501 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
504 if (p->session_key.data) {
505 data_blob_free(&p->session_key);
507 p->session_key = data_blob(server_info->lm_session_key.data, server_info->lm_session_key.length);
509 p->pipe_user.uid = server_info->uid;
510 p->pipe_user.gid = server_info->gid;
512 p->pipe_user.ngroups = server_info->n_groups;
513 if (p->pipe_user.ngroups) {
514 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
515 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
516 free_server_info(&server_info);
521 if (server_info->ptok)
522 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
524 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
525 p->pipe_user.nt_user_token = NULL;
526 free_server_info(&server_info);
530 p->ntlmssp_auth_validated = True;
532 free_server_info(&server_info);
536 /*******************************************************************
537 The switch table for the pipe names and the functions to handle them.
538 *******************************************************************/
547 struct api_struct *cmds;
551 static struct rpc_table *rpc_lookup;
552 static int rpc_lookup_size;
554 /*******************************************************************
555 This is the client reply to our challenge for an authenticated
556 bind request. The challenge we sent is in p->challenge.
557 *******************************************************************/
559 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
561 RPC_HDR_AUTHA autha_info;
562 RPC_AUTH_VERIFIER auth_verifier;
563 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
565 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
567 if (p->hdr.auth_len == 0) {
568 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
573 * Decode the authentication verifier response.
576 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
577 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
581 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != RPC_PIPE_AUTH_SEAL_LEVEL) {
582 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
583 (int)autha_info.auth_type, (int)autha_info.auth_level ));
587 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
588 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
593 * Ensure this is a NTLMSSP_AUTH packet type.
596 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
597 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
601 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
602 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
607 * The following call actually checks the challenge/response data.
608 * for correctness against the given DOMAIN\user name.
611 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
619 /*******************************************************************
620 Marshall a bind_nak pdu.
621 *******************************************************************/
623 static BOOL setup_bind_nak(pipes_struct *p)
625 prs_struct outgoing_rpc;
629 /* Free any memory in the current return data buffer. */
630 prs_mem_free(&p->out_data.rdata);
633 * Marshall directly into the outgoing PDU space. We
634 * must do this as we need to set to the bind response
635 * header and are never sending more than one PDU here.
638 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
639 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
643 * Initialize a bind_nak header.
646 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
647 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
650 * Marshall the header into the outgoing PDU.
653 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
654 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
655 prs_mem_free(&outgoing_rpc);
660 * Now add the reject reason.
663 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
664 prs_mem_free(&outgoing_rpc);
668 p->out_data.data_sent_length = 0;
669 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
670 p->out_data.current_pdu_sent = 0;
672 p->pipe_bound = False;
677 /*******************************************************************
678 Marshall a fault pdu.
679 *******************************************************************/
681 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
683 prs_struct outgoing_pdu;
685 RPC_HDR_RESP hdr_resp;
686 RPC_HDR_FAULT fault_resp;
688 /* Free any memory in the current return data buffer. */
689 prs_mem_free(&p->out_data.rdata);
692 * Marshall directly into the outgoing PDU space. We
693 * must do this as we need to set to the bind response
694 * header and are never sending more than one PDU here.
697 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
698 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
701 * Initialize a fault header.
704 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
705 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
708 * Initialize the HDR_RESP and FAULT parts of the PDU.
711 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
713 fault_resp.status = status;
714 fault_resp.reserved = 0;
717 * Marshall the header into the outgoing PDU.
720 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
721 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
722 prs_mem_free(&outgoing_pdu);
726 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
727 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
728 prs_mem_free(&outgoing_pdu);
732 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
733 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
734 prs_mem_free(&outgoing_pdu);
738 p->out_data.data_sent_length = 0;
739 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
740 p->out_data.current_pdu_sent = 0;
742 prs_mem_free(&outgoing_pdu);
746 /*******************************************************************
747 Ensure a bind request has the correct abstract & transfer interface.
748 Used to reject unknown binds from Win2k.
749 *******************************************************************/
751 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
752 RPC_IFACE* transfer, uint32 context_id)
754 extern struct pipe_id_info pipe_names[];
755 char *pipe_name = p->name;
759 fstrcpy(pname,"\\PIPE\\");
760 fstrcat(pname,pipe_name);
762 DEBUG(3,("check_bind_req for %s\n", pname));
764 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
766 for ( i=0; pipe_names[i].client_pipe; i++ )
768 DEBUG(10,("checking %s\n", pipe_names[i].client_pipe));
769 if ( strequal(pipe_names[i].client_pipe, pname)
770 && (abstract->version == pipe_names[i].abstr_syntax.version)
771 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct uuid)) == 0)
772 && (transfer->version == pipe_names[i].trans_syntax.version)
773 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct uuid)) == 0) )
775 struct api_struct *fns = NULL;
777 PIPE_RPC_FNS *context_fns;
779 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
780 DEBUG(0,("check_bind_req: malloc() failed!\n"));
784 /* save the RPC function table associated with this bind */
786 get_pipe_fns(i, &fns, &n_fns);
788 context_fns->cmds = fns;
789 context_fns->n_cmds = n_fns;
790 context_fns->context_id = context_id;
792 /* add to the list of open contexts */
794 DLIST_ADD( p->contexts, context_fns );
800 if(pipe_names[i].client_pipe == NULL)
806 /*******************************************************************
807 Register commands to an RPC pipe
808 *******************************************************************/
809 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
811 struct rpc_table *rpc_entry;
813 if (!clnt || !srv || !cmds) {
814 return NT_STATUS_INVALID_PARAMETER;
817 if (version != SMB_RPC_INTERFACE_VERSION) {
818 DEBUG(0,("Can't register rpc commands!\n"
819 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
820 ", while this version of samba uses version %d!\n",
821 version,SMB_RPC_INTERFACE_VERSION));
822 return NT_STATUS_OBJECT_TYPE_MISMATCH;
827 * we still need to make sure that don't register the same commands twice!!!
832 /* We use a temporary variable because this call can fail and
833 rpc_lookup will still be valid afterwards. It could then succeed if
834 called again later */
836 rpc_entry = SMB_REALLOC_ARRAY(rpc_lookup, struct rpc_table, rpc_lookup_size);
837 if (NULL == rpc_entry) {
839 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
840 return NT_STATUS_NO_MEMORY;
842 rpc_lookup = rpc_entry;
845 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
846 ZERO_STRUCTP(rpc_entry);
847 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
848 rpc_entry->pipe.srv = SMB_STRDUP(srv);
849 rpc_entry->cmds = SMB_REALLOC_ARRAY(rpc_entry->cmds, struct api_struct, rpc_entry->n_cmds + size);
850 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds, size * sizeof(struct api_struct));
851 rpc_entry->n_cmds += size;
856 /*******************************************************************
857 Respond to a pipe bind request.
858 *******************************************************************/
860 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
864 RPC_HDR_AUTH auth_info;
866 fstring ack_pipe_name;
867 prs_struct out_hdr_ba;
869 prs_struct outgoing_rpc;
872 enum RPC_PKT_TYPE reply_pkt_type;
874 p->ntlmssp_auth_requested = False;
875 p->netsec_auth_validated = False;
877 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
880 * Try and find the correct pipe name to ensure
881 * that this is a pipe name we support.
885 for (i = 0; i < rpc_lookup_size; i++) {
886 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
887 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
888 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
889 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
894 if (i == rpc_lookup_size) {
895 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
896 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
898 if(!setup_bind_nak(p))
903 for (i = 0; i < rpc_lookup_size; i++) {
904 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
905 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
906 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
907 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
912 if (i == rpc_lookup_size) {
913 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
918 /* decode the bind request */
919 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
920 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
925 * Check if this is an authenticated request.
928 if (p->hdr.auth_len != 0) {
929 RPC_AUTH_VERIFIER auth_verifier;
930 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
933 * Decode the authentication verifier.
936 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
937 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
941 if(auth_info.auth_type == NTLMSSP_AUTH_TYPE) {
943 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
944 DEBUG(0,("api_pipe_bind_req: unable to "
945 "unmarshall RPC_HDR_AUTH struct.\n"));
949 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
950 DEBUG(0,("api_pipe_bind_req: "
951 "auth_verifier.signature != NTLMSSP\n"));
955 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
956 DEBUG(0,("api_pipe_bind_req: "
957 "auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
958 auth_verifier.msg_type));
962 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
963 DEBUG(0,("api_pipe_bind_req: "
964 "Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
968 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
969 p->ntlmssp_auth_requested = True;
971 } else if (auth_info.auth_type == NETSEC_AUTH_TYPE) {
973 RPC_AUTH_NETSEC_NEG neg;
974 struct netsec_auth_struct *a = &(p->netsec_auth);
976 if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
977 DEBUG(0,("api_pipe_bind_req: "
978 "Could not unmarshal SCHANNEL auth neg\n"));
982 p->netsec_auth_validated = True;
984 memset(a->sess_key, 0, sizeof(a->sess_key));
985 memcpy(a->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
989 DEBUG(10,("schannel auth: domain [%s] myname [%s]\n",
990 neg.domain, neg.myname));
993 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
994 auth_info.auth_type ));
999 switch(p->hdr.pkt_type) {
1001 /* name has to be \PIPE\xxxxx */
1002 fstrcpy(ack_pipe_name, "\\PIPE\\");
1003 fstrcat(ack_pipe_name, p->pipe_srv_name);
1004 reply_pkt_type = RPC_BINDACK;
1007 /* secondary address CAN be NULL
1008 * as the specs say it's ignored.
1009 * It MUST NULL to have the spoolss working.
1011 fstrcpy(ack_pipe_name,"");
1012 reply_pkt_type = RPC_ALTCONTRESP;
1018 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1021 * Marshall directly into the outgoing PDU space. We
1022 * must do this as we need to set to the bind response
1023 * header and are never sending more than one PDU here.
1026 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1027 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1030 * Setup the memory to marshall the ba header, and the
1034 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1035 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1036 prs_mem_free(&outgoing_rpc);
1040 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1041 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1042 prs_mem_free(&outgoing_rpc);
1043 prs_mem_free(&out_hdr_ba);
1047 if (p->ntlmssp_auth_requested)
1050 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1053 * Create the bind response struct.
1056 /* If the requested abstract synt uuid doesn't match our client pipe,
1057 reject the bind_ack & set the transfer interface synt to all 0's,
1058 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1060 Needed when adding entries to a DACL from NT5 - SK */
1062 if(check_bind_req(p, &hdr_rb.abstract, &hdr_rb.transfer, hdr_rb.context_id ))
1064 init_rpc_hdr_ba(&hdr_ba,
1072 RPC_IFACE null_interface;
1073 ZERO_STRUCT(null_interface);
1074 /* Rejection reason: abstract syntax not supported */
1075 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1076 MAX_PDU_FRAG_LEN, assoc_gid,
1077 ack_pipe_name, 0x1, 0x2, 0x1,
1085 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1086 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1091 * Now the authentication.
1094 if (p->ntlmssp_auth_requested) {
1095 RPC_AUTH_VERIFIER auth_verifier;
1096 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1098 generate_random_buffer(p->challenge, 8);
1100 /*** Authentication info ***/
1102 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL, RPC_HDR_AUTH_LEN, 1);
1103 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1104 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1108 /*** NTLMSSP verifier ***/
1110 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1111 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1112 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1116 /* NTLMSSP challenge ***/
1118 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1119 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1120 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1124 /* Auth len in the rpc header doesn't include auth_header. */
1125 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1128 if (p->netsec_auth_validated) {
1129 RPC_AUTH_VERIFIER auth_verifier;
1132 /* The client opens a second RPC NETLOGON pipe without
1133 doing a auth2. The credentials for the schannel are
1134 re-used from the auth2 the client did before. */
1135 p->dc = last_dcinfo;
1137 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, auth_info.auth_level, RPC_HDR_AUTH_LEN, 1);
1138 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1139 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1143 /*** NETSEC verifier ***/
1145 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1146 if(!smb_io_rpc_netsec_verifier("", &auth_verifier, &out_auth, 0)) {
1147 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1151 prs_align(&out_auth);
1154 if(!prs_uint32("flags ", &out_auth, 0, &flags))
1157 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1161 * Create the header, now we know the length.
1164 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1166 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1170 * Marshall the header into the outgoing PDU.
1173 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1174 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1179 * Now add the RPC_HDR_BA and any auth needed.
1182 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1183 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1187 if((p->ntlmssp_auth_requested|p->netsec_auth_validated) &&
1188 !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1189 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1193 if(!p->ntlmssp_auth_requested)
1194 p->pipe_bound = True;
1197 * Setup the lengths for the initial reply.
1200 p->out_data.data_sent_length = 0;
1201 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1202 p->out_data.current_pdu_sent = 0;
1204 prs_mem_free(&out_hdr_ba);
1205 prs_mem_free(&out_auth);
1211 prs_mem_free(&outgoing_rpc);
1212 prs_mem_free(&out_hdr_ba);
1213 prs_mem_free(&out_auth);
1217 /****************************************************************************
1218 Deal with sign & seal processing on an RPC request.
1219 ****************************************************************************/
1221 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1224 * We always negotiate the following two bits....
1226 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1227 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1233 auth_len = p->hdr.auth_len;
1235 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1236 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1241 * The following is that length of the data we must verify or unseal.
1242 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1243 * preceeding the auth_data.
1246 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1247 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1249 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1250 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1254 * The data in rpc_in doesn't contain the RPC_HEADER as this
1255 * has already been consumed.
1257 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1258 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
1259 sizeof(p->ntlmssp_hash));
1261 dump_data_pw("Incoming RPC PDU (NTLMSSP sealed)\n",
1262 (const unsigned char *)data, data_len);
1263 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1264 dump_data_pw("Incoming RPC PDU (NTLMSSP unsealed)\n",
1265 (const unsigned char *)data, data_len);
1266 crc32 = crc32_calc_buffer(data, data_len);
1269 old_offset = prs_offset(rpc_in);
1271 if (auth_seal || auth_verify) {
1272 RPC_HDR_AUTH auth_info;
1274 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1275 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1276 (unsigned int)old_offset + data_len ));
1280 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1281 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1287 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1288 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1290 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1293 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1296 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1297 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1298 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1302 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1303 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1304 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1308 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1309 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1315 * Return the current pointer to the data offset.
1318 if(!prs_set_offset(rpc_in, old_offset)) {
1319 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1320 (unsigned int)old_offset ));
1327 /****************************************************************************
1328 Deal with schannel processing on an RPC request.
1329 ****************************************************************************/
1330 BOOL api_pipe_netsec_process(pipes_struct *p, prs_struct *rpc_in)
1333 * We always negotiate the following two bits....
1338 RPC_HDR_AUTH auth_info;
1339 RPC_AUTH_NETSEC_CHK netsec_chk;
1342 auth_len = p->hdr.auth_len;
1344 if (auth_len != RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN) {
1345 DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
1350 * The following is that length of the data we must verify or unseal.
1351 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1352 * preceeding the auth_data.
1355 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1356 RPC_HDR_AUTH_LEN - auth_len;
1358 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1360 old_offset = prs_offset(rpc_in);
1362 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1363 DEBUG(0,("cannot move offset to %u.\n",
1364 (unsigned int)old_offset + data_len ));
1368 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1369 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1373 if (auth_info.auth_type != NETSEC_AUTH_TYPE) {
1374 DEBUG(0,("Invalid auth info %d on schannel\n",
1375 auth_info.auth_type));
1379 if (auth_info.auth_level == RPC_PIPE_AUTH_SEAL_LEVEL) {
1380 p->netsec_auth.auth_flags = AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN|AUTH_PIPE_SEAL;
1381 } else if (auth_info.auth_level == RPC_PIPE_AUTH_SIGN_LEVEL) {
1382 p->netsec_auth.auth_flags = AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN;
1384 DEBUG(0,("Invalid auth level %d on schannel\n",
1385 auth_info.auth_level));
1389 if(!smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
1390 &netsec_chk, rpc_in, 0))
1392 DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
1396 if (!netsec_decode(&p->netsec_auth,
1397 p->netsec_auth.auth_flags,
1398 SENDER_IS_INITIATOR,
1400 prs_data_p(rpc_in)+old_offset, data_len)) {
1401 DEBUG(3,("failed to decode PDU\n"));
1406 * Return the current pointer to the data offset.
1409 if(!prs_set_offset(rpc_in, old_offset)) {
1410 DEBUG(0,("failed to set offset back to %u\n",
1411 (unsigned int)old_offset ));
1415 /* The sequence number gets incremented on both send and receive. */
1416 p->netsec_auth.seq_num++;
1421 /****************************************************************************
1422 Return a user struct for a pipe user.
1423 ****************************************************************************/
1425 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1427 if (p->ntlmssp_auth_validated) {
1428 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1430 extern struct current_user current_user;
1431 memcpy(user, ¤t_user, sizeof(struct current_user));
1437 /****************************************************************************
1438 Find the set of RPC functions associated with this context_id
1439 ****************************************************************************/
1441 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
1443 PIPE_RPC_FNS *fns = NULL;
1444 PIPE_RPC_FNS *tmp = NULL;
1447 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
1451 for (tmp=list; tmp; tmp=tmp->next ) {
1452 if ( tmp->context_id == context_id )
1461 /****************************************************************************
1463 ****************************************************************************/
1465 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
1467 PIPE_RPC_FNS *tmp = list;
1479 /****************************************************************************
1480 Find the correct RPC function to call for this request.
1481 If the pipe is authenticated then become the correct UNIX user
1482 before doing the call.
1483 ****************************************************************************/
1485 BOOL api_pipe_request(pipes_struct *p)
1488 PIPE_RPC_FNS *pipe_fns;
1490 if (p->ntlmssp_auth_validated) {
1492 if(!become_authenticated_pipe_user(p)) {
1493 prs_mem_free(&p->out_data.rdata);
1498 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1500 /* get the set of RPC functions for this context */
1502 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
1505 set_current_rpc_talloc(p->mem_ctx);
1506 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
1507 set_current_rpc_talloc(NULL);
1510 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
1511 p->hdr_req.context_id, p->name));
1514 if(p->ntlmssp_auth_validated)
1515 unbecome_authenticated_pipe_user();
1520 /*******************************************************************
1521 Calls the underlying RPC function for a named pipe.
1522 ********************************************************************/
1524 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1525 const struct api_struct *api_rpc_cmds, int n_cmds)
1529 uint32 offset1, offset2;
1531 /* interpret the command */
1532 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1534 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1535 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1537 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1538 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1539 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1544 if (fn_num == n_cmds) {
1546 * For an unknown RPC just return a fault PDU but
1547 * return True to allow RPC's on the pipe to continue
1548 * and not put the pipe into fault state. JRA.
1550 DEBUG(4, ("unknown\n"));
1551 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1555 offset1 = prs_offset(&p->out_data.rdata);
1557 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1558 fn_num, api_rpc_cmds[fn_num].fn));
1559 /* do the actual command */
1560 if(!api_rpc_cmds[fn_num].fn(p)) {
1561 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1562 prs_mem_free(&p->out_data.rdata);
1566 if (p->bad_handle_fault_state) {
1567 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1568 p->bad_handle_fault_state = False;
1569 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1573 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1574 offset2 = prs_offset(&p->out_data.rdata);
1575 prs_set_offset(&p->out_data.rdata, offset1);
1576 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1577 prs_set_offset(&p->out_data.rdata, offset2);
1579 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1581 /* Check for buffer underflow in rpc parsing */
1583 if ((DEBUGLEVEL >= 10) &&
1584 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1585 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1586 char *data = SMB_MALLOC(data_len);
1588 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1590 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
1599 /*******************************************************************
1600 *******************************************************************/
1602 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
1604 struct api_struct *cmds = NULL;
1609 lsa_get_pipe_fns( &cmds, &n_cmds );
1612 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
1615 samr_get_pipe_fns( &cmds, &n_cmds );
1618 netlog_get_pipe_fns( &cmds, &n_cmds );
1621 srvsvc_get_pipe_fns( &cmds, &n_cmds );
1624 wkssvc_get_pipe_fns( &cmds, &n_cmds );
1627 reg_get_pipe_fns( &cmds, &n_cmds );
1630 spoolss_get_pipe_fns( &cmds, &n_cmds );
1633 netdfs_get_pipe_fns( &cmds, &n_cmds );
1636 svcctl_get_pipe_fns( &cmds, &n_cmds );
1639 eventlog_get_pipe_fns( &cmds, &n_cmds );
1643 echo_get_pipe_fns( &cmds, &n_cmds );
1647 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));