2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Anthony Liguori 2003.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 #define DBGC_CLASS DBGC_RPC_SRV
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
53 for( ind = 0; ind < len; ind++) {
58 index_j += hash[index_i];
61 hash[index_i] = hash[index_j];
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL create_next_pdu(pipes_struct *p)
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
82 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
84 uint32 data_space_available;
86 prs_struct outgoing_pdu;
90 * If we're in the fault state, keep returning fault PDU's until
91 * the pipe gets closed. JRA.
95 setup_fault_pdu(p, NT_STATUS(0x1c010002));
99 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
101 /* Change the incoming request header to a response. */
102 p->hdr.pkt_type = RPC_RESPONSE;
104 /* Set up rpc header flags. */
105 if (p->out_data.data_sent_length == 0)
106 p->hdr.flags = RPC_FLG_FIRST;
111 * Work out how much we can fit in a single PDU.
114 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
115 if(p->ntlmssp_auth_validated)
116 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
119 * The amount we send is the minimum of the available
120 * space and the amount left to send.
123 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
126 * Ensure there really is data left to send.
130 DEBUG(0,("create_next_pdu: no data left to send !\n"));
134 data_len = MIN(data_len_left, data_space_available);
137 * Set up the alloc hint. This should be the data left to
141 hdr_resp.alloc_hint = data_len_left;
144 * Set up the header lengths.
147 if (p->ntlmssp_auth_validated) {
148 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
149 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
150 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
157 * Work out if this PDU will be the last.
160 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
161 p->hdr.flags |= RPC_FLG_LAST;
164 * Init the parse struct to point at the outgoing
168 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
169 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
171 /* Store the header in the data stream. */
172 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
173 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
174 prs_mem_free(&outgoing_pdu);
178 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
179 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
180 prs_mem_free(&outgoing_pdu);
184 /* Store the current offset. */
185 data_pos = prs_offset(&outgoing_pdu);
187 /* Copy the data into the PDU. */
189 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
190 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
191 prs_mem_free(&outgoing_pdu);
195 if (p->hdr.auth_len > 0) {
199 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
200 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
203 * Set data to point to where we copied the data into.
206 data = prs_data_p(&outgoing_pdu) + data_pos;
209 crc32 = crc32_calc_buffer(data, data_len);
210 NTLMSSPcalc_p(p, (uchar*)data, data_len);
213 if (auth_seal || auth_verify) {
214 RPC_HDR_AUTH auth_info;
216 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
217 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
218 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
219 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
220 prs_mem_free(&outgoing_pdu);
226 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
227 char *auth_data = prs_data_p(&outgoing_pdu);
229 p->ntlmssp_seq_num++;
230 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
231 crc32, p->ntlmssp_seq_num++);
232 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
233 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
234 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
235 prs_mem_free(&outgoing_pdu);
238 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
243 * Setup the counts for this PDU.
246 p->out_data.data_sent_length += data_len;
247 p->out_data.current_pdu_len = p->hdr.frag_len;
248 p->out_data.current_pdu_sent = 0;
250 prs_mem_free(&outgoing_pdu);
254 /*******************************************************************
255 Process an NTLMSSP authentication response.
256 If this function succeeds, the user has been authenticated
257 and their domain, name and calling workstation stored in
259 The initial challenge is stored in p->challenge.
260 *******************************************************************/
262 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
274 struct auth_context *auth_context = NULL;
275 auth_usersupplied_info *user_info = NULL;
276 auth_serversupplied_info *server_info = NULL;
278 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
280 memset(p->user_name, '\0', sizeof(p->user_name));
281 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
282 memset(p->domain, '\0', sizeof(p->domain));
283 memset(p->wks, '\0', sizeof(p->wks));
285 /* Set up for non-authenticated user. */
286 delete_nt_token(&p->pipe_user.nt_user_token);
287 p->pipe_user.ngroups = 0;
288 SAFE_FREE( p->pipe_user.groups);
291 * Setup an empty password for a guest user.
295 * We always negotiate UNICODE.
298 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
299 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
300 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
301 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
303 pull_ascii_fstring(user_name, ntlmssp_resp->user);
304 pull_ascii_fstring(domain, ntlmssp_resp->domain);
305 pull_ascii_fstring(wks, ntlmssp_resp->wks);
308 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
310 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
311 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
313 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
314 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
316 #ifdef DEBUG_PASSWORD
317 DEBUG(100,("lm, nt owfs, chal\n"));
318 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
319 dump_data(100, (char *)nt_owf, nt_pw_len);
320 dump_data(100, (char *)p->challenge, 8);
324 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
330 * Do the length checking only if user is not NULL.
333 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
335 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
337 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
339 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
341 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
346 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
348 if (!make_user_info_netlogon_network(&user_info,
349 user_name, domain, wks,
351 nt_owf, nt_pw_len)) {
352 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
356 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
358 (auth_context->free)(&auth_context);
359 free_user_info(&user_info);
361 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
363 if (!p->ntlmssp_auth_validated) {
364 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
365 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
366 free_server_info(&server_info);
371 * Set up the sign/seal data.
376 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
388 for (ind = 0; ind < 256; ind++)
389 p->ntlmssp_hash[ind] = (unsigned char)ind;
391 for( ind = 0; ind < 256; ind++) {
394 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
396 tc = p->ntlmssp_hash[ind];
397 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
398 p->ntlmssp_hash[j] = tc;
401 p->ntlmssp_hash[256] = 0;
402 p->ntlmssp_hash[257] = 0;
404 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
405 p->ntlmssp_seq_num = 0;
409 fstrcpy(p->user_name, user_name);
410 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
411 fstrcpy(p->domain, domain);
412 fstrcpy(p->wks, wks);
415 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
418 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
419 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
420 free_server_info(&server_info);
424 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
426 p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
427 p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
429 p->pipe_user.ngroups = server_info->n_groups;
430 if (p->pipe_user.ngroups) {
431 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
432 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
433 free_server_info(&server_info);
438 if (server_info->ptok)
439 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
441 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
442 p->pipe_user.nt_user_token = NULL;
443 free_server_info(&server_info);
447 p->ntlmssp_auth_validated = True;
449 free_server_info(&server_info);
453 /*******************************************************************
454 The switch table for the pipe names and the functions to handle them.
455 *******************************************************************/
463 static struct api_cmd api_fd_commands[] =
465 #ifndef RPC_LSA_DYNAMIC
466 { "lsarpc", rpc_lsa_init },
468 #ifndef RPC_SAMR_DYNAMIC
469 { "samr", rpc_samr_init },
471 #ifndef RPC_SVC_DYNAMIC
472 { "srvsvc", rpc_srv_init },
474 #ifndef RPC_WKS_DYNAMIC
475 { "wkssvc", rpc_wks_init },
477 #ifndef RPC_NETLOG_DYNAMIC
478 { "NETLOGON", rpc_net_init },
480 #ifndef RPC_REG_DYNAMIC
481 { "winreg", rpc_reg_init },
483 #ifndef RPC_SPOOLSS_DYNAMIC
484 { "spoolss", rpc_spoolss_init },
486 #ifndef RPC_DFS_DYNAMIC
487 { "netdfs", rpc_dfs_init },
499 struct api_struct *cmds;
503 static struct rpc_table *rpc_lookup;
504 static int rpc_lookup_size;
506 /*******************************************************************
507 This is the client reply to our challenge for an authenticated
508 bind request. The challenge we sent is in p->challenge.
509 *******************************************************************/
511 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
513 RPC_HDR_AUTHA autha_info;
514 RPC_AUTH_VERIFIER auth_verifier;
515 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
517 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
519 if (p->hdr.auth_len == 0) {
520 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
525 * Decode the authentication verifier response.
528 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
529 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
533 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
534 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
535 (int)autha_info.auth_type, (int)autha_info.auth_level ));
539 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
540 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
545 * Ensure this is a NTLMSSP_AUTH packet type.
548 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
549 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
553 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
554 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
559 * The following call actually checks the challenge/response data.
560 * for correctness against the given DOMAIN\user name.
563 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
571 /*******************************************************************
572 Marshall a bind_nak pdu.
573 *******************************************************************/
575 static BOOL setup_bind_nak(pipes_struct *p)
577 prs_struct outgoing_rpc;
581 /* Free any memory in the current return data buffer. */
582 prs_mem_free(&p->out_data.rdata);
585 * Marshall directly into the outgoing PDU space. We
586 * must do this as we need to set to the bind response
587 * header and are never sending more than one PDU here.
590 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
591 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
595 * Initialize a bind_nak header.
598 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
599 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
602 * Marshall the header into the outgoing PDU.
605 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
606 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
607 prs_mem_free(&outgoing_rpc);
612 * Now add the reject reason.
615 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
616 prs_mem_free(&outgoing_rpc);
620 p->out_data.data_sent_length = 0;
621 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
622 p->out_data.current_pdu_sent = 0;
624 p->pipe_bound = False;
629 /*******************************************************************
630 Marshall a fault pdu.
631 *******************************************************************/
633 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
635 prs_struct outgoing_pdu;
637 RPC_HDR_RESP hdr_resp;
638 RPC_HDR_FAULT fault_resp;
640 /* Free any memory in the current return data buffer. */
641 prs_mem_free(&p->out_data.rdata);
644 * Marshall directly into the outgoing PDU space. We
645 * must do this as we need to set to the bind response
646 * header and are never sending more than one PDU here.
649 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
650 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
653 * Initialize a fault header.
656 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
657 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
660 * Initialize the HDR_RESP and FAULT parts of the PDU.
663 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
665 fault_resp.status = status;
666 fault_resp.reserved = 0;
669 * Marshall the header into the outgoing PDU.
672 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
673 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
674 prs_mem_free(&outgoing_pdu);
678 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
679 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
680 prs_mem_free(&outgoing_pdu);
684 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
685 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
686 prs_mem_free(&outgoing_pdu);
690 p->out_data.data_sent_length = 0;
691 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
692 p->out_data.current_pdu_sent = 0;
694 prs_mem_free(&outgoing_pdu);
698 /*******************************************************************
699 Ensure a bind request has the correct abstract & transfer interface.
700 Used to reject unknown binds from Win2k.
701 *******************************************************************/
703 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
706 extern struct pipe_id_info pipe_names[];
709 fstrcpy(pname,"\\PIPE\\");
710 fstrcat(pname,pipe_name);
712 DEBUG(3,("check_bind_req for %s\n", pname));
714 #ifndef SUPPORT_NEW_LSARPC_UUID
716 /* check for the first pipe matching the name */
718 for ( i=0; pipe_names[i].client_pipe; i++ ) {
719 if ( strequal(pipe_names[i].client_pipe, pname) )
723 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
725 for ( i=0; pipe_names[i].client_pipe; i++ )
727 if ( strequal(pipe_names[i].client_pipe, pname)
728 && (abstract->version == pipe_names[i].abstr_syntax.version)
729 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) == 0)
730 && (transfer->version == pipe_names[i].trans_syntax.version)
731 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) == 0) )
738 if(pipe_names[i].client_pipe == NULL)
741 #ifndef SUPPORT_NEW_LSARPC_UUID
742 /* check the abstract interface */
743 if ( (abstract->version != pipe_names[i].abstr_syntax.version)
744 || (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) != 0) )
749 /* check the transfer interface */
750 if ( (transfer->version != pipe_names[i].trans_syntax.version)
751 || (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) != 0) )
759 /*******************************************************************
760 Register commands to an RPC pipe
761 *******************************************************************/
762 int rpc_pipe_register_commands(const char *clnt, const char *srv, const struct api_struct *cmds, int size)
764 struct rpc_table *rpc_entry;
767 /* We use a temporary variable because this call can fail and
768 rpc_lookup will still be valid afterwards. It could then succeed if
769 called again later */
770 rpc_entry = realloc(rpc_lookup,
771 ++rpc_lookup_size*sizeof(struct rpc_table));
772 if (NULL == rpc_entry) {
774 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
777 rpc_lookup = rpc_entry;
780 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
781 ZERO_STRUCTP(rpc_entry);
782 rpc_entry->pipe.clnt = strdup(clnt);
783 rpc_entry->pipe.srv = strdup(srv);
784 rpc_entry->cmds = realloc(rpc_entry->cmds,
785 (rpc_entry->n_cmds + size) *
786 sizeof(struct api_struct));
787 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
788 size * sizeof(struct api_struct));
789 rpc_entry->n_cmds += size;
794 /*******************************************************************
795 Register commands to an RPC pipe
796 *******************************************************************/
797 int rpc_load_module(const char *module)
802 pstrcpy(full_path, lib_path("rpc"));
803 pstrcat(full_path, "/librpc_");
804 pstrcat(full_path, module);
805 pstrcat(full_path, ".");
806 pstrcat(full_path, shlib_ext());
808 if (!(status = smb_load_module(full_path))) {
809 DEBUG(0, ("Could not load requested pipe %s as %s\n",
816 /*******************************************************************
817 Respond to a pipe bind request.
818 *******************************************************************/
820 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
824 RPC_HDR_AUTH auth_info;
826 fstring ack_pipe_name;
827 prs_struct out_hdr_ba;
829 prs_struct outgoing_rpc;
832 enum RPC_PKT_TYPE reply_pkt_type;
834 p->ntlmssp_auth_requested = False;
836 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
839 * Try and find the correct pipe name to ensure
840 * that this is a pipe name we support.
844 for (i = 0; i < rpc_lookup_size; i++) {
845 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
846 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
847 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
848 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
853 if (i == rpc_lookup_size) {
854 for (i = 0; api_fd_commands[i].name; i++) {
855 if (strequal(api_fd_commands[i].name, p->name)) {
856 api_fd_commands[i].init();
861 if (!api_fd_commands[i].name && !rpc_load_module(p->name)) {
862 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
864 if(!setup_bind_nak(p))
869 for (i = 0; i < rpc_lookup_size; i++) {
870 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
871 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
872 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
873 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
879 /* decode the bind request */
880 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
881 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
886 * Check if this is an authenticated request.
889 if (p->hdr.auth_len != 0) {
890 RPC_AUTH_VERIFIER auth_verifier;
891 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
894 * Decode the authentication verifier.
897 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
898 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
903 * We only support NTLMSSP_AUTH_TYPE requests.
906 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
907 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
908 auth_info.auth_type ));
912 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
913 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
917 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
918 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
922 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
923 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
924 auth_verifier.msg_type));
928 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
929 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
933 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
934 p->ntlmssp_auth_requested = True;
937 switch(p->hdr.pkt_type) {
939 /* name has to be \PIPE\xxxxx */
940 fstrcpy(ack_pipe_name, "\\PIPE\\");
941 fstrcat(ack_pipe_name, p->pipe_srv_name);
942 reply_pkt_type = RPC_BINDACK;
945 /* secondary address CAN be NULL
946 * as the specs say it's ignored.
947 * It MUST NULL to have the spoolss working.
949 fstrcpy(ack_pipe_name,"");
950 reply_pkt_type = RPC_ALTCONTRESP;
956 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
959 * Marshall directly into the outgoing PDU space. We
960 * must do this as we need to set to the bind response
961 * header and are never sending more than one PDU here.
964 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
965 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
968 * Setup the memory to marshall the ba header, and the
972 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
973 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
974 prs_mem_free(&outgoing_rpc);
978 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
979 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
980 prs_mem_free(&outgoing_rpc);
981 prs_mem_free(&out_hdr_ba);
985 if (p->ntlmssp_auth_requested)
988 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
991 * Create the bind response struct.
994 /* If the requested abstract synt uuid doesn't match our client pipe,
995 reject the bind_ack & set the transfer interface synt to all 0's,
996 ver 0 (observed when NT5 attempts to bind to abstract interfaces
998 Needed when adding entries to a DACL from NT5 - SK */
1000 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
1001 init_rpc_hdr_ba(&hdr_ba,
1009 RPC_IFACE null_interface;
1010 ZERO_STRUCT(null_interface);
1011 /* Rejection reason: abstract syntax not supported */
1012 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1013 MAX_PDU_FRAG_LEN, assoc_gid,
1014 ack_pipe_name, 0x1, 0x2, 0x1,
1022 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1023 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1028 * Now the authentication.
1031 if (p->ntlmssp_auth_requested) {
1032 RPC_AUTH_VERIFIER auth_verifier;
1033 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1035 generate_random_buffer(p->challenge, 8, False);
1037 /*** Authentication info ***/
1039 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
1040 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1041 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1045 /*** NTLMSSP verifier ***/
1047 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1048 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1049 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1053 /* NTLMSSP challenge ***/
1055 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1056 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1057 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1061 /* Auth len in the rpc header doesn't include auth_header. */
1062 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1066 * Create the header, now we know the length.
1069 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1071 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1075 * Marshall the header into the outgoing PDU.
1078 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1079 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1084 * Now add the RPC_HDR_BA and any auth needed.
1087 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1088 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1092 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1093 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1097 if(!p->ntlmssp_auth_requested)
1098 p->pipe_bound = True;
1101 * Setup the lengths for the initial reply.
1104 p->out_data.data_sent_length = 0;
1105 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1106 p->out_data.current_pdu_sent = 0;
1108 prs_mem_free(&out_hdr_ba);
1109 prs_mem_free(&out_auth);
1115 prs_mem_free(&outgoing_rpc);
1116 prs_mem_free(&out_hdr_ba);
1117 prs_mem_free(&out_auth);
1121 /****************************************************************************
1122 Deal with sign & seal processing on an RPC request.
1123 ****************************************************************************/
1125 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1128 * We always negotiate the following two bits....
1130 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1131 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1137 auth_len = p->hdr.auth_len;
1139 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1140 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1145 * The following is that length of the data we must verify or unseal.
1146 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1147 * preceeding the auth_data.
1150 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1151 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1153 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1154 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1158 * The data in rpc_in doesn't contain the RPC_HEADER as this
1159 * has already been consumed.
1161 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1162 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1163 crc32 = crc32_calc_buffer(data, data_len);
1166 old_offset = prs_offset(rpc_in);
1168 if (auth_seal || auth_verify) {
1169 RPC_HDR_AUTH auth_info;
1171 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1172 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1173 (unsigned int)old_offset + data_len ));
1177 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1178 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1184 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1185 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1187 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1190 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1193 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1194 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1195 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1199 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1200 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1201 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1205 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1206 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1212 * Return the current pointer to the data offset.
1215 if(!prs_set_offset(rpc_in, old_offset)) {
1216 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1217 (unsigned int)old_offset ));
1224 /****************************************************************************
1225 Return a user struct for a pipe user.
1226 ****************************************************************************/
1228 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1230 if (p->ntlmssp_auth_validated) {
1231 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1233 extern struct current_user current_user;
1234 memcpy(user, ¤t_user, sizeof(struct current_user));
1240 /****************************************************************************
1241 Find the correct RPC function to call for this request.
1242 If the pipe is authenticated then become the correct UNIX user
1243 before doing the call.
1244 ****************************************************************************/
1246 BOOL api_pipe_request(pipes_struct *p)
1251 if (p->ntlmssp_auth_validated) {
1253 if(!become_authenticated_pipe_user(p)) {
1254 prs_mem_free(&p->out_data.rdata);
1259 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1261 for (i = 0; i < rpc_lookup_size; i++) {
1262 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1263 DEBUG(3,("Doing \\PIPE\\%s\n",
1264 rpc_lookup[i].pipe.clnt));
1265 set_current_rpc_talloc(p->mem_ctx);
1266 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1268 rpc_lookup[i].n_cmds);
1269 set_current_rpc_talloc(NULL);
1275 if (i == rpc_lookup_size) {
1276 for (i = 0; api_fd_commands[i].name; i++) {
1277 if (strequal(api_fd_commands[i].name, p->name)) {
1278 api_fd_commands[i].init();
1283 if (!api_fd_commands[i].name) {
1284 rpc_load_module(p->name);
1287 for (i = 0; i < rpc_lookup_size; i++) {
1288 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1289 DEBUG(3,("Doing \\PIPE\\%s\n",
1290 rpc_lookup[i].pipe.clnt));
1291 set_current_rpc_talloc(p->mem_ctx);
1292 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1294 rpc_lookup[i].n_cmds);
1295 set_current_rpc_talloc(NULL);
1301 if(p->ntlmssp_auth_validated)
1302 unbecome_authenticated_pipe_user();
1307 /*******************************************************************
1308 Calls the underlying RPC function for a named pipe.
1309 ********************************************************************/
1311 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1312 const struct api_struct *api_rpc_cmds, int n_cmds)
1316 uint32 offset1, offset2;
1318 /* interpret the command */
1319 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1321 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1322 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1324 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1325 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1326 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1331 if (fn_num == n_cmds) {
1333 * For an unknown RPC just return a fault PDU but
1334 * return True to allow RPC's on the pipe to continue
1335 * and not put the pipe into fault state. JRA.
1337 DEBUG(4, ("unknown\n"));
1338 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1342 offset1 = prs_offset(&p->out_data.rdata);
1344 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1345 fn_num, api_rpc_cmds[fn_num].fn));
1346 /* do the actual command */
1347 if(!api_rpc_cmds[fn_num].fn(p)) {
1348 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1349 prs_mem_free(&p->out_data.rdata);
1353 if (p->bad_handle_fault_state) {
1354 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1355 p->bad_handle_fault_state = False;
1356 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1360 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1361 offset2 = prs_offset(&p->out_data.rdata);
1362 prs_set_offset(&p->out_data.rdata, offset1);
1363 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1364 prs_set_offset(&p->out_data.rdata, offset2);
1366 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1368 /* Check for buffer underflow in rpc parsing */
1370 if ((DEBUGLEVEL >= 10) &&
1371 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1372 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1375 data = malloc(data_len);
1377 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1379 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);