2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Anthony Liguori 2003.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 #define DBGC_CLASS DBGC_RPC_SRV
46 /*************************************************************
48 We need to transfer the session key from one rpc bind to the
49 next. This is the way the netlogon schannel works.
50 **************************************************************/
51 struct dcinfo last_dcinfo;
53 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
55 unsigned char *hash = p->ntlmssp_hash;
56 unsigned char index_i = hash[256];
57 unsigned char index_j = hash[257];
60 for( ind = 0; ind < len; ind++) {
65 index_j += hash[index_i];
68 hash[index_i] = hash[index_j];
71 t = hash[index_i] + hash[index_j];
72 data[ind] = data[ind] ^ hash[t];
79 /*******************************************************************
80 Generate the next PDU to be returned from the data in p->rdata.
81 We cheat here as this function doesn't handle the special auth
82 footers of the authenticated bind response reply.
83 ********************************************************************/
85 BOOL create_next_pdu(pipes_struct *p)
87 RPC_HDR_RESP hdr_resp;
88 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
89 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
91 uint32 data_space_available;
93 prs_struct outgoing_pdu;
97 * If we're in the fault state, keep returning fault PDU's until
98 * the pipe gets closed. JRA.
102 setup_fault_pdu(p, NT_STATUS(0x1c010002));
106 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
108 /* Change the incoming request header to a response. */
109 p->hdr.pkt_type = RPC_RESPONSE;
111 /* Set up rpc header flags. */
112 if (p->out_data.data_sent_length == 0)
113 p->hdr.flags = RPC_FLG_FIRST;
118 * Work out how much we can fit in a single PDU.
121 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
122 if(p->ntlmssp_auth_validated)
123 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
125 if(p->netsec_auth_validated)
126 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN);
129 * The amount we send is the minimum of the available
130 * space and the amount left to send.
133 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
136 * Ensure there really is data left to send.
140 DEBUG(0,("create_next_pdu: no data left to send !\n"));
144 data_len = MIN(data_len_left, data_space_available);
147 * Set up the alloc hint. This should be the data left to
151 hdr_resp.alloc_hint = data_len_left;
154 * Set up the header lengths.
157 if (p->ntlmssp_auth_validated) {
158 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
159 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
160 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
161 } else if (p->netsec_auth_validated) {
162 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
163 RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN;
164 p->hdr.auth_len = RPC_AUTH_NETSEC_CHK_LEN;
166 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
171 * Work out if this PDU will be the last.
174 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
175 p->hdr.flags |= RPC_FLG_LAST;
178 * Init the parse struct to point at the outgoing
182 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
183 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
185 /* Store the header in the data stream. */
186 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
187 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
188 prs_mem_free(&outgoing_pdu);
192 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
193 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
194 prs_mem_free(&outgoing_pdu);
198 /* Store the current offset. */
199 data_pos = prs_offset(&outgoing_pdu);
201 /* Copy the data into the PDU. */
203 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
204 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
205 prs_mem_free(&outgoing_pdu);
209 if (p->ntlmssp_auth_validated) {
213 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
214 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
217 * Set data to point to where we copied the data into.
220 data = prs_data_p(&outgoing_pdu) + data_pos;
223 crc32 = crc32_calc_buffer(data, data_len);
224 NTLMSSPcalc_p(p, (uchar*)data, data_len);
227 if (auth_seal || auth_verify) {
228 RPC_HDR_AUTH auth_info;
230 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
231 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
232 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
234 prs_mem_free(&outgoing_pdu);
240 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
241 char *auth_data = prs_data_p(&outgoing_pdu);
243 p->ntlmssp_seq_num++;
244 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
245 crc32, p->ntlmssp_seq_num++);
246 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
247 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
248 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
249 prs_mem_free(&outgoing_pdu);
252 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
256 if (p->netsec_auth_validated) {
258 RPC_HDR_AUTH auth_info;
259 static const uchar netsec_sig[8] = NETSEC_SIGNATURE;
260 static const uchar nullbytes[8] = { 0,0,0,0,0,0,0,0 };
262 RPC_AUTH_NETSEC_CHK verf;
268 data = prs_data_p(&outgoing_pdu) + data_pos;
270 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL,
271 RPC_HDR_AUTH_LEN, 1);
273 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
274 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
275 prs_mem_free(&outgoing_pdu);
279 prs_init(&rverf, 0, p->mem_ctx, MARSHALL);
280 prs_init(&rauth, 0, p->mem_ctx, MARSHALL);
282 memset(sign, 0, sizeof(sign));
285 init_rpc_auth_netsec_chk(&verf, netsec_sig, nullbytes, sign, nullbytes);
287 netsec_encode(&p->netsec_auth, &verf, data, data_len);
289 smb_io_rpc_auth_netsec_chk("", &verf, &outgoing_pdu, 0);
291 p->netsec_auth.seq_num++;
295 * Setup the counts for this PDU.
298 p->out_data.data_sent_length += data_len;
299 p->out_data.current_pdu_len = p->hdr.frag_len;
300 p->out_data.current_pdu_sent = 0;
302 prs_mem_free(&outgoing_pdu);
306 /*******************************************************************
307 Process an NTLMSSP authentication response.
308 If this function succeeds, the user has been authenticated
309 and their domain, name and calling workstation stored in
311 The initial challenge is stored in p->challenge.
312 *******************************************************************/
314 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
326 struct auth_context *auth_context = NULL;
327 auth_usersupplied_info *user_info = NULL;
328 auth_serversupplied_info *server_info = NULL;
330 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
332 memset(p->user_name, '\0', sizeof(p->user_name));
333 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
334 memset(p->domain, '\0', sizeof(p->domain));
335 memset(p->wks, '\0', sizeof(p->wks));
337 /* Set up for non-authenticated user. */
338 delete_nt_token(&p->pipe_user.nt_user_token);
339 p->pipe_user.ngroups = 0;
340 SAFE_FREE( p->pipe_user.groups);
343 * Setup an empty password for a guest user.
347 * We always negotiate UNICODE.
350 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
351 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
352 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
353 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
355 pull_ascii_fstring(user_name, ntlmssp_resp->user);
356 pull_ascii_fstring(domain, ntlmssp_resp->domain);
357 pull_ascii_fstring(wks, ntlmssp_resp->wks);
360 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
362 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
363 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
365 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
366 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
368 #ifdef DEBUG_PASSWORD
369 DEBUG(100,("lm, nt owfs, chal\n"));
370 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
371 dump_data(100, (char *)nt_owf, nt_pw_len);
372 dump_data(100, (char *)p->challenge, 8);
376 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
382 * Do the length checking only if user is not NULL.
385 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
387 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
389 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
391 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
393 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
398 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
400 if (!make_user_info_netlogon_network(&user_info,
401 user_name, domain, wks,
403 nt_owf, nt_pw_len)) {
404 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
408 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
410 (auth_context->free)(&auth_context);
411 free_user_info(&user_info);
413 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
415 if (!p->ntlmssp_auth_validated) {
416 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
417 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
418 free_server_info(&server_info);
423 * Set up the sign/seal data.
428 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
440 for (ind = 0; ind < 256; ind++)
441 p->ntlmssp_hash[ind] = (unsigned char)ind;
443 for( ind = 0; ind < 256; ind++) {
446 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
448 tc = p->ntlmssp_hash[ind];
449 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
450 p->ntlmssp_hash[j] = tc;
453 p->ntlmssp_hash[256] = 0;
454 p->ntlmssp_hash[257] = 0;
456 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
457 p->ntlmssp_seq_num = 0;
461 fstrcpy(p->user_name, user_name);
462 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
463 fstrcpy(p->domain, domain);
464 fstrcpy(p->wks, wks);
467 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
470 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
471 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
472 free_server_info(&server_info);
476 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
478 p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
479 p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
481 p->pipe_user.ngroups = server_info->n_groups;
482 if (p->pipe_user.ngroups) {
483 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
484 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
485 free_server_info(&server_info);
490 if (server_info->ptok)
491 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
493 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
494 p->pipe_user.nt_user_token = NULL;
495 free_server_info(&server_info);
499 p->ntlmssp_auth_validated = True;
501 free_server_info(&server_info);
505 /*******************************************************************
506 The switch table for the pipe names and the functions to handle them.
507 *******************************************************************/
515 static struct api_cmd api_fd_commands[] =
517 #ifndef RPC_LSA_DYNAMIC
518 { "lsarpc", rpc_lsa_init },
520 #ifndef RPC_SAMR_DYNAMIC
521 { "samr", rpc_samr_init },
523 #ifndef RPC_SVC_DYNAMIC
524 { "srvsvc", rpc_srv_init },
526 #ifndef RPC_WKS_DYNAMIC
527 { "wkssvc", rpc_wks_init },
529 #ifndef RPC_NETLOG_DYNAMIC
530 { "NETLOGON", rpc_net_init },
532 #ifndef RPC_REG_DYNAMIC
533 { "winreg", rpc_reg_init },
535 #ifndef RPC_SPOOLSS_DYNAMIC
536 { "spoolss", rpc_spoolss_init },
538 #ifndef RPC_DFS_DYNAMIC
539 { "netdfs", rpc_dfs_init },
542 #ifndef RPC_ECHO_DYNAMIC
543 { "rpcecho", rpc_echo_init },
556 struct api_struct *cmds;
560 static struct rpc_table *rpc_lookup;
561 static int rpc_lookup_size;
563 /*******************************************************************
564 This is the client reply to our challenge for an authenticated
565 bind request. The challenge we sent is in p->challenge.
566 *******************************************************************/
568 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
570 RPC_HDR_AUTHA autha_info;
571 RPC_AUTH_VERIFIER auth_verifier;
572 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
574 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
576 if (p->hdr.auth_len == 0) {
577 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
582 * Decode the authentication verifier response.
585 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
586 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
590 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
591 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
592 (int)autha_info.auth_type, (int)autha_info.auth_level ));
596 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
597 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
602 * Ensure this is a NTLMSSP_AUTH packet type.
605 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
606 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
610 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
611 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
616 * The following call actually checks the challenge/response data.
617 * for correctness against the given DOMAIN\user name.
620 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
628 /*******************************************************************
629 Marshall a bind_nak pdu.
630 *******************************************************************/
632 static BOOL setup_bind_nak(pipes_struct *p)
634 prs_struct outgoing_rpc;
638 /* Free any memory in the current return data buffer. */
639 prs_mem_free(&p->out_data.rdata);
642 * Marshall directly into the outgoing PDU space. We
643 * must do this as we need to set to the bind response
644 * header and are never sending more than one PDU here.
647 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
648 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
652 * Initialize a bind_nak header.
655 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
656 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
659 * Marshall the header into the outgoing PDU.
662 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
663 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
664 prs_mem_free(&outgoing_rpc);
669 * Now add the reject reason.
672 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
673 prs_mem_free(&outgoing_rpc);
677 p->out_data.data_sent_length = 0;
678 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
679 p->out_data.current_pdu_sent = 0;
681 p->pipe_bound = False;
686 /*******************************************************************
687 Marshall a fault pdu.
688 *******************************************************************/
690 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
692 prs_struct outgoing_pdu;
694 RPC_HDR_RESP hdr_resp;
695 RPC_HDR_FAULT fault_resp;
697 /* Free any memory in the current return data buffer. */
698 prs_mem_free(&p->out_data.rdata);
701 * Marshall directly into the outgoing PDU space. We
702 * must do this as we need to set to the bind response
703 * header and are never sending more than one PDU here.
706 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
707 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
710 * Initialize a fault header.
713 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
714 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
717 * Initialize the HDR_RESP and FAULT parts of the PDU.
720 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
722 fault_resp.status = status;
723 fault_resp.reserved = 0;
726 * Marshall the header into the outgoing PDU.
729 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
730 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
731 prs_mem_free(&outgoing_pdu);
735 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
736 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
737 prs_mem_free(&outgoing_pdu);
741 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
742 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
743 prs_mem_free(&outgoing_pdu);
747 p->out_data.data_sent_length = 0;
748 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
749 p->out_data.current_pdu_sent = 0;
751 prs_mem_free(&outgoing_pdu);
755 /*******************************************************************
756 Ensure a bind request has the correct abstract & transfer interface.
757 Used to reject unknown binds from Win2k.
758 *******************************************************************/
760 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
763 extern struct pipe_id_info pipe_names[];
766 fstrcpy(pname,"\\PIPE\\");
767 fstrcat(pname,pipe_name);
769 DEBUG(3,("check_bind_req for %s\n", pname));
771 #ifndef SUPPORT_NEW_LSARPC_UUID
773 /* check for the first pipe matching the name */
775 for ( i=0; pipe_names[i].client_pipe; i++ ) {
776 if ( strequal(pipe_names[i].client_pipe, pname) )
780 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
782 for ( i=0; pipe_names[i].client_pipe; i++ )
784 if ( strequal(pipe_names[i].client_pipe, pname)
785 && (abstract->version == pipe_names[i].abstr_syntax.version)
786 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) == 0)
787 && (transfer->version == pipe_names[i].trans_syntax.version)
788 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) == 0) )
795 if(pipe_names[i].client_pipe == NULL)
798 #ifndef SUPPORT_NEW_LSARPC_UUID
799 /* check the abstract interface */
800 if ( (abstract->version != pipe_names[i].abstr_syntax.version)
801 || (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) != 0) )
806 /* check the transfer interface */
807 if ( (transfer->version != pipe_names[i].trans_syntax.version)
808 || (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) != 0) )
816 /*******************************************************************
817 Register commands to an RPC pipe
818 *******************************************************************/
819 int rpc_pipe_register_commands(const char *clnt, const char *srv, const struct api_struct *cmds, int size)
821 struct rpc_table *rpc_entry;
824 /* We use a temporary variable because this call can fail and
825 rpc_lookup will still be valid afterwards. It could then succeed if
826 called again later */
827 rpc_entry = realloc(rpc_lookup,
828 ++rpc_lookup_size*sizeof(struct rpc_table));
829 if (NULL == rpc_entry) {
831 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
834 rpc_lookup = rpc_entry;
837 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
838 ZERO_STRUCTP(rpc_entry);
839 rpc_entry->pipe.clnt = strdup(clnt);
840 rpc_entry->pipe.srv = strdup(srv);
841 rpc_entry->cmds = realloc(rpc_entry->cmds,
842 (rpc_entry->n_cmds + size) *
843 sizeof(struct api_struct));
844 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
845 size * sizeof(struct api_struct));
846 rpc_entry->n_cmds += size;
851 /*******************************************************************
852 Register commands to an RPC pipe
853 *******************************************************************/
854 int rpc_load_module(const char *module)
858 int (*module_init)(void);
862 pstrcpy(full_path, lib_path("rpc"));
863 pstrcat(full_path, "/librpc_");
864 pstrcat(full_path, module);
865 pstrcat(full_path, ".");
866 pstrcat(full_path, shlib_ext());
868 handle = sys_dlopen(full_path, RTLD_LAZY);
870 DEBUG(0, ("Could not load requested pipe %s as %s\n",
872 DEBUG(0, (" Error: %s\n", dlerror()));
876 DEBUG(3, ("Module '%s' loaded\n", full_path));
878 module_init = sys_dlsym(handle, "rpc_pipe_init");
879 if ((error = sys_dlerror()) != NULL) {
880 DEBUG(0, ("Error trying to resolve symbol 'rpc_pipe_init' in %s: %s\n",
885 return module_init();
887 DEBUG(0,("Attempting to load a dynamic RPC pipe when dlopen isn't available\n"));
892 /*******************************************************************
893 Respond to a pipe bind request.
894 *******************************************************************/
896 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
900 RPC_HDR_AUTH auth_info;
902 fstring ack_pipe_name;
903 prs_struct out_hdr_ba;
905 prs_struct outgoing_rpc;
908 enum RPC_PKT_TYPE reply_pkt_type;
910 p->ntlmssp_auth_requested = False;
911 p->netsec_auth_validated = False;
913 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
916 * Try and find the correct pipe name to ensure
917 * that this is a pipe name we support.
921 for (i = 0; i < rpc_lookup_size; i++) {
922 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
923 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
924 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
925 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
930 if (i == rpc_lookup_size) {
931 for (i = 0; api_fd_commands[i].name; i++) {
932 if (strequal(api_fd_commands[i].name, p->name)) {
933 api_fd_commands[i].init();
938 if (!api_fd_commands[i].name && !rpc_load_module(p->name)) {
939 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
941 if(!setup_bind_nak(p))
946 for (i = 0; i < rpc_lookup_size; i++) {
947 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
948 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
949 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
950 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
956 /* decode the bind request */
957 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
958 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
963 * Check if this is an authenticated request.
966 if (p->hdr.auth_len != 0) {
967 RPC_AUTH_VERIFIER auth_verifier;
968 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
971 * Decode the authentication verifier.
974 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
975 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
979 if(auth_info.auth_type == NTLMSSP_AUTH_TYPE) {
981 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
982 DEBUG(0,("api_pipe_bind_req: unable to "
983 "unmarshall RPC_HDR_AUTH struct.\n"));
987 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
988 DEBUG(0,("api_pipe_bind_req: "
989 "auth_verifier.signature != NTLMSSP\n"));
993 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
994 DEBUG(0,("api_pipe_bind_req: "
995 "auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
996 auth_verifier.msg_type));
1000 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
1001 DEBUG(0,("api_pipe_bind_req: "
1002 "Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
1006 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
1007 p->ntlmssp_auth_requested = True;
1009 } else if (auth_info.auth_type == NETSEC_AUTH_TYPE) {
1011 RPC_AUTH_NETSEC_NEG neg;
1012 struct netsec_auth_struct *a = &(p->netsec_auth);
1014 if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
1015 DEBUG(0,("api_pipe_bind_req: "
1016 "Could not unmarshal SCHANNEL auth neg\n"));
1020 p->netsec_auth_validated = True;
1022 memset(a->sess_key, 0, sizeof(a->sess_key));
1023 memcpy(a->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
1027 DEBUG(10,("schannel auth: domain [%s] myname [%s]\n",
1028 neg.domain, neg.myname));
1031 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
1032 auth_info.auth_type ));
1037 switch(p->hdr.pkt_type) {
1039 /* name has to be \PIPE\xxxxx */
1040 fstrcpy(ack_pipe_name, "\\PIPE\\");
1041 fstrcat(ack_pipe_name, p->pipe_srv_name);
1042 reply_pkt_type = RPC_BINDACK;
1045 /* secondary address CAN be NULL
1046 * as the specs say it's ignored.
1047 * It MUST NULL to have the spoolss working.
1049 fstrcpy(ack_pipe_name,"");
1050 reply_pkt_type = RPC_ALTCONTRESP;
1056 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1059 * Marshall directly into the outgoing PDU space. We
1060 * must do this as we need to set to the bind response
1061 * header and are never sending more than one PDU here.
1064 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1065 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1068 * Setup the memory to marshall the ba header, and the
1072 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1073 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1074 prs_mem_free(&outgoing_rpc);
1078 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1079 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1080 prs_mem_free(&outgoing_rpc);
1081 prs_mem_free(&out_hdr_ba);
1085 if (p->ntlmssp_auth_requested)
1088 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1091 * Create the bind response struct.
1094 /* If the requested abstract synt uuid doesn't match our client pipe,
1095 reject the bind_ack & set the transfer interface synt to all 0's,
1096 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1098 Needed when adding entries to a DACL from NT5 - SK */
1100 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
1101 init_rpc_hdr_ba(&hdr_ba,
1109 RPC_IFACE null_interface;
1110 ZERO_STRUCT(null_interface);
1111 /* Rejection reason: abstract syntax not supported */
1112 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1113 MAX_PDU_FRAG_LEN, assoc_gid,
1114 ack_pipe_name, 0x1, 0x2, 0x1,
1122 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1123 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1128 * Now the authentication.
1131 if (p->ntlmssp_auth_requested) {
1132 RPC_AUTH_VERIFIER auth_verifier;
1133 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1135 generate_random_buffer(p->challenge, 8, False);
1137 /*** Authentication info ***/
1139 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
1140 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1141 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1145 /*** NTLMSSP verifier ***/
1147 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1148 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1149 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1153 /* NTLMSSP challenge ***/
1155 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1156 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1157 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1161 /* Auth len in the rpc header doesn't include auth_header. */
1162 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1165 if (p->netsec_auth_validated) {
1166 RPC_AUTH_VERIFIER auth_verifier;
1169 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
1170 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1171 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1175 /*** NETSEC verifier ***/
1177 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1178 if(!smb_io_rpc_netsec_verifier("", &auth_verifier, &out_auth, 0)) {
1179 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1183 prs_align(&out_auth);
1186 if(!prs_uint32("flags ", &out_auth, 0, &flags))
1189 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1193 * Create the header, now we know the length.
1196 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1198 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1202 * Marshall the header into the outgoing PDU.
1205 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1206 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1211 * Now add the RPC_HDR_BA and any auth needed.
1214 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1215 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1219 if((p->ntlmssp_auth_requested|p->netsec_auth_validated) &&
1220 !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1221 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1225 if(!p->ntlmssp_auth_requested)
1226 p->pipe_bound = True;
1229 * Setup the lengths for the initial reply.
1232 p->out_data.data_sent_length = 0;
1233 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1234 p->out_data.current_pdu_sent = 0;
1236 prs_mem_free(&out_hdr_ba);
1237 prs_mem_free(&out_auth);
1243 prs_mem_free(&outgoing_rpc);
1244 prs_mem_free(&out_hdr_ba);
1245 prs_mem_free(&out_auth);
1249 /****************************************************************************
1250 Deal with sign & seal processing on an RPC request.
1251 ****************************************************************************/
1253 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1256 * We always negotiate the following two bits....
1258 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1259 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1265 auth_len = p->hdr.auth_len;
1267 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1268 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1273 * The following is that length of the data we must verify or unseal.
1274 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1275 * preceeding the auth_data.
1278 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1279 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1281 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1282 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1286 * The data in rpc_in doesn't contain the RPC_HEADER as this
1287 * has already been consumed.
1289 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1290 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1291 crc32 = crc32_calc_buffer(data, data_len);
1294 old_offset = prs_offset(rpc_in);
1296 if (auth_seal || auth_verify) {
1297 RPC_HDR_AUTH auth_info;
1299 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1300 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1301 (unsigned int)old_offset + data_len ));
1305 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1306 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1312 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1313 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1315 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1318 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1321 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1322 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1323 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1327 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1328 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1329 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1333 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1334 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1340 * Return the current pointer to the data offset.
1343 if(!prs_set_offset(rpc_in, old_offset)) {
1344 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1345 (unsigned int)old_offset ));
1352 /****************************************************************************
1353 Deal with schannel processing on an RPC request.
1354 ****************************************************************************/
1355 BOOL api_pipe_netsec_process(pipes_struct *p, prs_struct *rpc_in)
1358 * We always negotiate the following two bits....
1363 RPC_HDR_AUTH auth_info;
1364 RPC_AUTH_NETSEC_CHK netsec_chk;
1367 auth_len = p->hdr.auth_len;
1369 if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
1370 DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
1375 * The following is that length of the data we must verify or unseal.
1376 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1377 * preceeding the auth_data.
1380 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1381 RPC_HDR_AUTH_LEN - auth_len;
1383 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1385 old_offset = prs_offset(rpc_in);
1387 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1388 DEBUG(0,("cannot move offset to %u.\n",
1389 (unsigned int)old_offset + data_len ));
1393 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1394 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1398 if ((auth_info.auth_type != NETSEC_AUTH_TYPE) ||
1399 (auth_info.auth_level != NETSEC_AUTH_LEVEL)) {
1400 DEBUG(0,("Invalid auth info %d or level %d on schannel\n",
1401 auth_info.auth_type, auth_info.auth_level));
1405 if(!smb_io_rpc_auth_netsec_chk("", &netsec_chk, rpc_in, 0)) {
1406 DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
1410 if (!netsec_decode(&p->netsec_auth, &netsec_chk,
1411 prs_data_p(rpc_in)+old_offset, data_len)) {
1412 DEBUG(0,("failed to decode PDU\n"));
1417 * Return the current pointer to the data offset.
1420 if(!prs_set_offset(rpc_in, old_offset)) {
1421 DEBUG(0,("failed to set offset back to %u\n",
1422 (unsigned int)old_offset ));
1429 /****************************************************************************
1430 Return a user struct for a pipe user.
1431 ****************************************************************************/
1433 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1435 if (p->ntlmssp_auth_validated) {
1436 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1438 extern struct current_user current_user;
1439 memcpy(user, ¤t_user, sizeof(struct current_user));
1445 /****************************************************************************
1446 Find the correct RPC function to call for this request.
1447 If the pipe is authenticated then become the correct UNIX user
1448 before doing the call.
1449 ****************************************************************************/
1451 BOOL api_pipe_request(pipes_struct *p)
1456 if (p->ntlmssp_auth_validated) {
1458 if(!become_authenticated_pipe_user(p)) {
1459 prs_mem_free(&p->out_data.rdata);
1464 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1466 for (i = 0; i < rpc_lookup_size; i++) {
1467 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1468 DEBUG(3,("Doing \\PIPE\\%s\n",
1469 rpc_lookup[i].pipe.clnt));
1470 set_current_rpc_talloc(p->mem_ctx);
1471 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1473 rpc_lookup[i].n_cmds);
1474 set_current_rpc_talloc(NULL);
1480 if (i == rpc_lookup_size) {
1481 for (i = 0; api_fd_commands[i].name; i++) {
1482 if (strequal(api_fd_commands[i].name, p->name)) {
1483 api_fd_commands[i].init();
1488 if (!api_fd_commands[i].name) {
1489 rpc_load_module(p->name);
1492 for (i = 0; i < rpc_lookup_size; i++) {
1493 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1494 DEBUG(3,("Doing \\PIPE\\%s\n",
1495 rpc_lookup[i].pipe.clnt));
1496 set_current_rpc_talloc(p->mem_ctx);
1497 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1499 rpc_lookup[i].n_cmds);
1500 set_current_rpc_talloc(NULL);
1506 if(p->ntlmssp_auth_validated)
1507 unbecome_authenticated_pipe_user();
1512 /*******************************************************************
1513 Calls the underlying RPC function for a named pipe.
1514 ********************************************************************/
1516 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1517 const struct api_struct *api_rpc_cmds, int n_cmds)
1521 uint32 offset1, offset2;
1523 /* interpret the command */
1524 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1526 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1527 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1529 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1530 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1531 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1536 if (fn_num == n_cmds) {
1538 * For an unknown RPC just return a fault PDU but
1539 * return True to allow RPC's on the pipe to continue
1540 * and not put the pipe into fault state. JRA.
1542 DEBUG(4, ("unknown\n"));
1543 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1547 offset1 = prs_offset(&p->out_data.rdata);
1549 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1550 fn_num, api_rpc_cmds[fn_num].fn));
1551 /* do the actual command */
1552 if(!api_rpc_cmds[fn_num].fn(p)) {
1553 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1554 prs_mem_free(&p->out_data.rdata);
1558 if (p->bad_handle_fault_state) {
1559 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1560 p->bad_handle_fault_state = False;
1561 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1565 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1566 offset2 = prs_offset(&p->out_data.rdata);
1567 prs_set_offset(&p->out_data.rdata, offset1);
1568 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1569 prs_set_offset(&p->out_data.rdata, offset2);
1571 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1573 /* Check for buffer underflow in rpc parsing */
1575 if ((DEBUGLEVEL >= 10) &&
1576 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1577 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1580 data = malloc(data_len);
1582 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1584 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);