2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
43 extern struct pipe_id_info pipe_names[];
44 extern struct current_user current_user;
47 #define DBGC_CLASS DBGC_RPC_SRV
49 /*************************************************************
51 We need to transfer the session key from one rpc bind to the
52 next. This is the way the netlogon schannel works.
53 **************************************************************/
54 struct dcinfo last_dcinfo;
55 BOOL server_auth2_negotiated = False;
57 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
59 unsigned char *hash = p->ntlmssp_hash;
60 unsigned char index_i = hash[256];
61 unsigned char index_j = hash[257];
64 for( ind = 0; ind < len; ind++) {
69 index_j += hash[index_i];
72 hash[index_i] = hash[index_j];
75 t = hash[index_i] + hash[index_j];
76 data[ind] = data[ind] ^ hash[t];
83 /*******************************************************************
84 Generate the next PDU to be returned from the data in p->rdata.
85 We cheat here as this function doesn't handle the special auth
86 footers of the authenticated bind response reply.
87 ********************************************************************/
89 BOOL create_next_pdu(pipes_struct *p)
91 RPC_HDR_RESP hdr_resp;
92 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
93 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
94 uint32 ss_padding_len = 0;
96 uint32 data_space_available;
98 prs_struct outgoing_pdu;
102 * If we're in the fault state, keep returning fault PDU's until
103 * the pipe gets closed. JRA.
107 setup_fault_pdu(p, NT_STATUS(0x1c010002));
111 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
113 /* Change the incoming request header to a response. */
114 p->hdr.pkt_type = RPC_RESPONSE;
116 /* Set up rpc header flags. */
117 if (p->out_data.data_sent_length == 0) {
118 p->hdr.flags = RPC_FLG_FIRST;
124 * Work out how much we can fit in a single PDU.
127 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
128 if(p->ntlmssp_auth_validated) {
129 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
130 } else if(p->netsec_auth_validated) {
131 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN);
135 * The amount we send is the minimum of the available
136 * space and the amount left to send.
139 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
142 * Ensure there really is data left to send.
146 DEBUG(0,("create_next_pdu: no data left to send !\n"));
150 data_len = MIN(data_len_left, data_space_available);
153 * Set up the alloc hint. This should be the data left to
157 hdr_resp.alloc_hint = data_len_left;
160 * Work out if this PDU will be the last.
163 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
164 p->hdr.flags |= RPC_FLG_LAST;
165 if ((auth_seal || auth_verify) && (data_len_left % 8)) {
166 ss_padding_len = 8 - (data_len_left % 8);
167 DEBUG(10,("create_next_pdu: adding sign/seal padding of %u\n",
173 * Set up the header lengths.
176 if (p->ntlmssp_auth_validated) {
177 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
178 data_len + ss_padding_len +
179 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
180 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
181 } else if (p->netsec_auth_validated) {
182 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
183 data_len + ss_padding_len +
184 RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
185 p->hdr.auth_len = RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
187 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
192 * Init the parse struct to point at the outgoing
196 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
197 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
199 /* Store the header in the data stream. */
200 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
201 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
202 prs_mem_free(&outgoing_pdu);
206 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
207 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
208 prs_mem_free(&outgoing_pdu);
212 /* Store the current offset. */
213 data_pos = prs_offset(&outgoing_pdu);
215 /* Copy the data into the PDU. */
217 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
218 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
219 prs_mem_free(&outgoing_pdu);
223 /* Copy the sign/seal padding data. */
224 if (ss_padding_len) {
226 memset(pad, '\0', 8);
227 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
228 DEBUG(0,("create_next_pdu: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
229 prs_mem_free(&outgoing_pdu);
234 if (p->ntlmssp_auth_validated) {
236 * NTLMSSP processing. Mutually exclusive with Schannel.
241 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
242 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len + ss_padding_len, p->hdr.auth_len));
245 * Set data to point to where we copied the data into.
248 data = prs_data_p(&outgoing_pdu) + data_pos;
251 crc32 = crc32_calc_buffer(data, data_len + ss_padding_len);
252 NTLMSSPcalc_p(p, (uchar*)data, data_len + ss_padding_len);
255 if (auth_seal || auth_verify) {
256 RPC_HDR_AUTH auth_info;
258 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE,
259 auth_seal ? RPC_PIPE_AUTH_SEAL_LEVEL : RPC_PIPE_AUTH_SIGN_LEVEL,
260 (auth_verify ? ss_padding_len : 0), (auth_verify ? 1 : 0));
261 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
262 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
263 prs_mem_free(&outgoing_pdu);
269 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
270 char *auth_data = prs_data_p(&outgoing_pdu);
272 p->ntlmssp_seq_num++;
273 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
274 crc32, p->ntlmssp_seq_num++);
275 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
276 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
277 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
278 prs_mem_free(&outgoing_pdu);
281 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
283 } else if (p->netsec_auth_validated) {
285 * Schannel processing. Mutually exclusive with NTLMSSP.
287 int auth_type, auth_level;
289 RPC_HDR_AUTH auth_info;
291 RPC_AUTH_NETSEC_CHK verf;
295 data = prs_data_p(&outgoing_pdu) + data_pos;
296 /* Check it's the type of reply we were expecting to decode */
298 get_auth_type_level(p->netsec_auth.auth_flags, &auth_type, &auth_level);
299 init_rpc_hdr_auth(&auth_info, auth_type, auth_level,
302 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
303 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
304 prs_mem_free(&outgoing_pdu);
308 prs_init(&rverf, 0, p->mem_ctx, MARSHALL);
309 prs_init(&rauth, 0, p->mem_ctx, MARSHALL);
311 netsec_encode(&p->netsec_auth,
312 p->netsec_auth.auth_flags,
314 &verf, data, data_len + ss_padding_len);
316 smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
317 &verf, &outgoing_pdu, 0);
319 p->netsec_auth.seq_num++;
323 * Setup the counts for this PDU.
326 p->out_data.data_sent_length += data_len;
327 p->out_data.current_pdu_len = p->hdr.frag_len;
328 p->out_data.current_pdu_sent = 0;
330 prs_mem_free(&outgoing_pdu);
334 /*******************************************************************
335 Process an NTLMSSP authentication response.
336 If this function succeeds, the user has been authenticated
337 and their domain, name and calling workstation stored in
339 The initial challenge is stored in p->challenge.
340 *******************************************************************/
342 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
354 struct auth_context *auth_context = NULL;
355 auth_usersupplied_info *user_info = NULL;
356 auth_serversupplied_info *server_info = NULL;
358 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
360 memset(p->user_name, '\0', sizeof(p->user_name));
361 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
362 memset(p->domain, '\0', sizeof(p->domain));
363 memset(p->wks, '\0', sizeof(p->wks));
365 /* Set up for non-authenticated user. */
366 delete_nt_token(&p->pipe_user.nt_user_token);
367 p->pipe_user.ngroups = 0;
368 SAFE_FREE( p->pipe_user.groups);
371 * Setup an empty password for a guest user.
375 * We always negotiate UNICODE.
378 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
379 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
380 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
381 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
383 pull_ascii_fstring(user_name, ntlmssp_resp->user);
384 pull_ascii_fstring(domain, ntlmssp_resp->domain);
385 pull_ascii_fstring(wks, ntlmssp_resp->wks);
388 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
390 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
391 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
393 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
394 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
396 #ifdef DEBUG_PASSWORD
397 DEBUG(100,("lm, nt owfs, chal\n"));
398 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
399 dump_data(100, (char *)nt_owf, nt_pw_len);
400 dump_data(100, (char *)p->challenge, 8);
404 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
410 * Do the length checking only if user is not NULL.
413 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
415 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
417 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
419 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
421 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
426 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
428 if (!make_user_info_netlogon_network(&user_info,
429 user_name, domain, wks,
431 nt_owf, nt_pw_len)) {
432 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
436 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
438 (auth_context->free)(&auth_context);
439 free_user_info(&user_info);
441 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
443 if (!p->ntlmssp_auth_validated) {
444 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
445 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
446 free_server_info(&server_info);
451 * Set up the sign/seal data.
454 if (server_info->lm_session_key.length != 16) {
455 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
456 succeeded authentication on named pipe %s, but session key was of incorrect length [%u].\n",
457 domain, user_name, wks, p->name, server_info->lm_session_key.length));
458 free_server_info(&server_info);
462 NTLMSSPOWFencrypt(server_info->lm_session_key.data, lm_owf, p24);
474 for (ind = 0; ind < 256; ind++)
475 p->ntlmssp_hash[ind] = (unsigned char)ind;
477 for( ind = 0; ind < 256; ind++) {
480 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
482 tc = p->ntlmssp_hash[ind];
483 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
484 p->ntlmssp_hash[j] = tc;
487 p->ntlmssp_hash[256] = 0;
488 p->ntlmssp_hash[257] = 0;
491 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
492 sizeof(p->ntlmssp_hash));
494 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
495 p->ntlmssp_seq_num = 0;
499 fstrcpy(p->user_name, user_name);
500 fstrcpy(p->pipe_user_name, server_info->unix_name);
501 fstrcpy(p->domain, domain);
502 fstrcpy(p->wks, wks);
505 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
508 if (p->session_key.data) {
509 data_blob_free(&p->session_key);
511 p->session_key = data_blob(server_info->lm_session_key.data, server_info->lm_session_key.length);
513 p->pipe_user.uid = server_info->uid;
514 p->pipe_user.gid = server_info->gid;
516 p->pipe_user.ngroups = server_info->n_groups;
517 if (p->pipe_user.ngroups) {
518 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
519 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
520 free_server_info(&server_info);
525 if (server_info->ptok)
526 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
528 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
529 p->pipe_user.nt_user_token = NULL;
530 free_server_info(&server_info);
534 p->ntlmssp_auth_validated = True;
536 free_server_info(&server_info);
540 /*******************************************************************
541 The switch table for the pipe names and the functions to handle them.
542 *******************************************************************/
551 struct api_struct *cmds;
555 static struct rpc_table *rpc_lookup;
556 static int rpc_lookup_size;
558 /*******************************************************************
559 This is the client reply to our challenge for an authenticated
560 bind request. The challenge we sent is in p->challenge.
561 *******************************************************************/
563 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
565 RPC_HDR_AUTHA autha_info;
566 RPC_AUTH_VERIFIER auth_verifier;
567 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
569 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
571 if (p->hdr.auth_len == 0) {
572 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
577 * Decode the authentication verifier response.
580 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
581 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
585 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != RPC_PIPE_AUTH_SEAL_LEVEL) {
586 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
587 (int)autha_info.auth_type, (int)autha_info.auth_level ));
591 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
592 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
597 * Ensure this is a NTLMSSP_AUTH packet type.
600 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
601 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
605 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
606 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
611 * The following call actually checks the challenge/response data.
612 * for correctness against the given DOMAIN\user name.
615 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
623 /*******************************************************************
624 Marshall a bind_nak pdu.
625 *******************************************************************/
627 static BOOL setup_bind_nak(pipes_struct *p)
629 prs_struct outgoing_rpc;
633 /* Free any memory in the current return data buffer. */
634 prs_mem_free(&p->out_data.rdata);
637 * Marshall directly into the outgoing PDU space. We
638 * must do this as we need to set to the bind response
639 * header and are never sending more than one PDU here.
642 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
643 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
647 * Initialize a bind_nak header.
650 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
651 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
654 * Marshall the header into the outgoing PDU.
657 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
658 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
659 prs_mem_free(&outgoing_rpc);
664 * Now add the reject reason.
667 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
668 prs_mem_free(&outgoing_rpc);
672 p->out_data.data_sent_length = 0;
673 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
674 p->out_data.current_pdu_sent = 0;
676 p->pipe_bound = False;
681 /*******************************************************************
682 Marshall a fault pdu.
683 *******************************************************************/
685 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
687 prs_struct outgoing_pdu;
689 RPC_HDR_RESP hdr_resp;
690 RPC_HDR_FAULT fault_resp;
692 /* Free any memory in the current return data buffer. */
693 prs_mem_free(&p->out_data.rdata);
696 * Marshall directly into the outgoing PDU space. We
697 * must do this as we need to set to the bind response
698 * header and are never sending more than one PDU here.
701 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
702 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
705 * Initialize a fault header.
708 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
709 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
712 * Initialize the HDR_RESP and FAULT parts of the PDU.
715 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
717 fault_resp.status = status;
718 fault_resp.reserved = 0;
721 * Marshall the header into the outgoing PDU.
724 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
725 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
726 prs_mem_free(&outgoing_pdu);
730 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
731 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
732 prs_mem_free(&outgoing_pdu);
736 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
737 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
738 prs_mem_free(&outgoing_pdu);
742 p->out_data.data_sent_length = 0;
743 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
744 p->out_data.current_pdu_sent = 0;
746 prs_mem_free(&outgoing_pdu);
750 /*******************************************************************
751 Ensure a bind request has the correct abstract & transfer interface.
752 Used to reject unknown binds from Win2k.
753 *******************************************************************/
755 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
756 RPC_IFACE* transfer, uint32 context_id)
758 char *pipe_name = p->name;
762 fstrcpy(pname,"\\PIPE\\");
763 fstrcat(pname,pipe_name);
765 DEBUG(3,("check_bind_req for %s\n", pname));
767 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
769 for ( i=0; pipe_names[i].client_pipe; i++ )
771 DEBUG(10,("checking %s\n", pipe_names[i].client_pipe));
772 if ( strequal(pipe_names[i].client_pipe, pname)
773 && (abstract->version == pipe_names[i].abstr_syntax.version)
774 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct uuid)) == 0)
775 && (transfer->version == pipe_names[i].trans_syntax.version)
776 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct uuid)) == 0) )
778 struct api_struct *fns = NULL;
780 PIPE_RPC_FNS *context_fns;
782 if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
783 DEBUG(0,("check_bind_req: malloc() failed!\n"));
787 /* save the RPC function table associated with this bind */
789 get_pipe_fns(i, &fns, &n_fns);
791 context_fns->cmds = fns;
792 context_fns->n_cmds = n_fns;
793 context_fns->context_id = context_id;
795 /* add to the list of open contexts */
797 DLIST_ADD( p->contexts, context_fns );
803 if(pipe_names[i].client_pipe == NULL)
809 /*******************************************************************
810 Register commands to an RPC pipe
811 *******************************************************************/
812 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
814 struct rpc_table *rpc_entry;
816 if (!clnt || !srv || !cmds) {
817 return NT_STATUS_INVALID_PARAMETER;
820 if (version != SMB_RPC_INTERFACE_VERSION) {
821 DEBUG(0,("Can't register rpc commands!\n"
822 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
823 ", while this version of samba uses version %d!\n",
824 version,SMB_RPC_INTERFACE_VERSION));
825 return NT_STATUS_OBJECT_TYPE_MISMATCH;
830 * we still need to make sure that don't register the same commands twice!!!
835 /* We use a temporary variable because this call can fail and
836 rpc_lookup will still be valid afterwards. It could then succeed if
837 called again later */
839 rpc_entry = SMB_REALLOC_ARRAY(rpc_lookup, struct rpc_table, rpc_lookup_size);
840 if (NULL == rpc_entry) {
842 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
843 return NT_STATUS_NO_MEMORY;
845 rpc_lookup = rpc_entry;
848 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
849 ZERO_STRUCTP(rpc_entry);
850 rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
851 rpc_entry->pipe.srv = SMB_STRDUP(srv);
852 rpc_entry->cmds = SMB_REALLOC_ARRAY(rpc_entry->cmds, struct api_struct, rpc_entry->n_cmds + size);
853 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds, size * sizeof(struct api_struct));
854 rpc_entry->n_cmds += size;
859 /*******************************************************************
860 Respond to a pipe bind request.
861 *******************************************************************/
863 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
867 RPC_HDR_AUTH auth_info;
869 fstring ack_pipe_name;
870 prs_struct out_hdr_ba;
872 prs_struct outgoing_rpc;
875 enum RPC_PKT_TYPE reply_pkt_type;
877 p->ntlmssp_auth_requested = False;
878 p->netsec_auth_validated = False;
880 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
883 * Try and find the correct pipe name to ensure
884 * that this is a pipe name we support.
888 for (i = 0; i < rpc_lookup_size; i++) {
889 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
890 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
891 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
892 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
897 if (i == rpc_lookup_size) {
898 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
899 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
901 if(!setup_bind_nak(p))
906 for (i = 0; i < rpc_lookup_size; i++) {
907 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
908 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
909 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
910 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
915 if (i == rpc_lookup_size) {
916 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
921 /* decode the bind request */
922 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
923 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
928 * Check if this is an authenticated request.
931 if (p->hdr.auth_len != 0) {
932 RPC_AUTH_VERIFIER auth_verifier;
933 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
936 * Decode the authentication verifier.
939 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
940 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
944 if(auth_info.auth_type == NTLMSSP_AUTH_TYPE) {
946 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
947 DEBUG(0,("api_pipe_bind_req: unable to "
948 "unmarshall RPC_HDR_AUTH struct.\n"));
952 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
953 DEBUG(0,("api_pipe_bind_req: "
954 "auth_verifier.signature != NTLMSSP\n"));
958 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
959 DEBUG(0,("api_pipe_bind_req: "
960 "auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
961 auth_verifier.msg_type));
965 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
966 DEBUG(0,("api_pipe_bind_req: "
967 "Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
971 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
972 p->ntlmssp_auth_requested = True;
974 } else if (auth_info.auth_type == NETSEC_AUTH_TYPE) {
976 RPC_AUTH_NETSEC_NEG neg;
977 struct netsec_auth_struct *a = &(p->netsec_auth);
979 if (!server_auth2_negotiated) {
980 DEBUG(0, ("Attempt to bind using schannel "
981 "without successful serverauth2\n"));
985 if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
986 DEBUG(0,("api_pipe_bind_req: "
987 "Could not unmarshal SCHANNEL auth neg\n"));
991 p->netsec_auth_validated = True;
993 memset(a->sess_key, 0, sizeof(a->sess_key));
994 memcpy(a->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
998 DEBUG(10,("schannel auth: domain [%s] myname [%s]\n",
999 neg.domain, neg.myname));
1002 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
1003 auth_info.auth_type ));
1008 switch(p->hdr.pkt_type) {
1010 /* name has to be \PIPE\xxxxx */
1011 fstrcpy(ack_pipe_name, "\\PIPE\\");
1012 fstrcat(ack_pipe_name, p->pipe_srv_name);
1013 reply_pkt_type = RPC_BINDACK;
1016 /* secondary address CAN be NULL
1017 * as the specs say it's ignored.
1018 * It MUST NULL to have the spoolss working.
1020 fstrcpy(ack_pipe_name,"");
1021 reply_pkt_type = RPC_ALTCONTRESP;
1027 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1030 * Marshall directly into the outgoing PDU space. We
1031 * must do this as we need to set to the bind response
1032 * header and are never sending more than one PDU here.
1035 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1036 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1039 * Setup the memory to marshall the ba header, and the
1043 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1044 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1045 prs_mem_free(&outgoing_rpc);
1049 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1050 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1051 prs_mem_free(&outgoing_rpc);
1052 prs_mem_free(&out_hdr_ba);
1056 if (p->ntlmssp_auth_requested)
1059 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1062 * Create the bind response struct.
1065 /* If the requested abstract synt uuid doesn't match our client pipe,
1066 reject the bind_ack & set the transfer interface synt to all 0's,
1067 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1069 Needed when adding entries to a DACL from NT5 - SK */
1071 if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1072 hdr_rb.rpc_context[0].context_id )) {
1073 init_rpc_hdr_ba(&hdr_ba,
1079 &hdr_rb.rpc_context[0].transfer[0]);
1081 RPC_IFACE null_interface;
1082 ZERO_STRUCT(null_interface);
1083 /* Rejection reason: abstract syntax not supported */
1084 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1085 MAX_PDU_FRAG_LEN, assoc_gid,
1086 ack_pipe_name, 0x1, 0x2, 0x1,
1094 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1095 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1100 * Now the authentication.
1103 if (p->ntlmssp_auth_requested) {
1104 RPC_AUTH_VERIFIER auth_verifier;
1105 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1107 generate_random_buffer(p->challenge, 8);
1109 /*** Authentication info ***/
1111 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL, RPC_HDR_AUTH_LEN, 1);
1112 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1113 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1117 /*** NTLMSSP verifier ***/
1119 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1120 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1121 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1125 /* NTLMSSP challenge ***/
1127 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1128 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1129 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1133 /* Auth len in the rpc header doesn't include auth_header. */
1134 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1137 if (p->netsec_auth_validated) {
1138 RPC_AUTH_VERIFIER auth_verifier;
1141 /* The client opens a second RPC NETLOGON pipe without
1142 doing a auth2. The credentials for the schannel are
1143 re-used from the auth2 the client did before. */
1144 p->dc = last_dcinfo;
1146 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, auth_info.auth_level, RPC_HDR_AUTH_LEN, 1);
1147 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1148 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1152 /*** NETSEC verifier ***/
1154 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1155 if(!smb_io_rpc_netsec_verifier("", &auth_verifier, &out_auth, 0)) {
1156 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1160 prs_align(&out_auth);
1163 if(!prs_uint32("flags ", &out_auth, 0, &flags))
1166 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1170 * Create the header, now we know the length.
1173 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1175 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1179 * Marshall the header into the outgoing PDU.
1182 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1183 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1188 * Now add the RPC_HDR_BA and any auth needed.
1191 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1192 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1196 if((p->ntlmssp_auth_requested|p->netsec_auth_validated) &&
1197 !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1198 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1202 if(!p->ntlmssp_auth_requested)
1203 p->pipe_bound = True;
1206 * Setup the lengths for the initial reply.
1209 p->out_data.data_sent_length = 0;
1210 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1211 p->out_data.current_pdu_sent = 0;
1213 prs_mem_free(&out_hdr_ba);
1214 prs_mem_free(&out_auth);
1220 prs_mem_free(&outgoing_rpc);
1221 prs_mem_free(&out_hdr_ba);
1222 prs_mem_free(&out_auth);
1226 /****************************************************************************
1227 Deal with sign & seal processing on an RPC request.
1228 ****************************************************************************/
1230 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1233 * We always negotiate the following two bits....
1235 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1236 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1242 auth_len = p->hdr.auth_len;
1244 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1245 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1250 * The following is that length of the data we must verify or unseal.
1251 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1252 * preceeding the auth_data.
1255 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1256 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1258 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1259 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1263 * The data in rpc_in doesn't contain the RPC_HEADER as this
1264 * has already been consumed.
1266 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1267 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
1268 sizeof(p->ntlmssp_hash));
1270 dump_data_pw("Incoming RPC PDU (NTLMSSP sealed)\n",
1271 (const unsigned char *)data, data_len);
1272 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1273 dump_data_pw("Incoming RPC PDU (NTLMSSP unsealed)\n",
1274 (const unsigned char *)data, data_len);
1275 crc32 = crc32_calc_buffer(data, data_len);
1278 old_offset = prs_offset(rpc_in);
1280 if (auth_seal || auth_verify) {
1281 RPC_HDR_AUTH auth_info;
1283 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1284 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1285 (unsigned int)old_offset + data_len ));
1289 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1290 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1296 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1297 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1299 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1302 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1305 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1306 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1307 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1311 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1312 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1313 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1317 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1318 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1324 * Return the current pointer to the data offset.
1327 if(!prs_set_offset(rpc_in, old_offset)) {
1328 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1329 (unsigned int)old_offset ));
1336 /****************************************************************************
1337 Deal with schannel processing on an RPC request.
1338 ****************************************************************************/
1339 BOOL api_pipe_netsec_process(pipes_struct *p, prs_struct *rpc_in)
1342 * We always negotiate the following two bits....
1347 RPC_HDR_AUTH auth_info;
1348 RPC_AUTH_NETSEC_CHK netsec_chk;
1351 auth_len = p->hdr.auth_len;
1353 if (auth_len != RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN) {
1354 DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
1359 * The following is that length of the data we must verify or unseal.
1360 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1361 * preceeding the auth_data.
1364 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1365 RPC_HDR_AUTH_LEN - auth_len;
1367 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1369 old_offset = prs_offset(rpc_in);
1371 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1372 DEBUG(0,("cannot move offset to %u.\n",
1373 (unsigned int)old_offset + data_len ));
1377 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1378 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1382 if (auth_info.auth_type != NETSEC_AUTH_TYPE) {
1383 DEBUG(0,("Invalid auth info %d on schannel\n",
1384 auth_info.auth_type));
1388 if (auth_info.auth_level == RPC_PIPE_AUTH_SEAL_LEVEL) {
1389 p->netsec_auth.auth_flags = AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN|AUTH_PIPE_SEAL;
1390 } else if (auth_info.auth_level == RPC_PIPE_AUTH_SIGN_LEVEL) {
1391 p->netsec_auth.auth_flags = AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN;
1393 DEBUG(0,("Invalid auth level %d on schannel\n",
1394 auth_info.auth_level));
1398 if(!smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
1399 &netsec_chk, rpc_in, 0))
1401 DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
1405 if (!netsec_decode(&p->netsec_auth,
1406 p->netsec_auth.auth_flags,
1407 SENDER_IS_INITIATOR,
1409 prs_data_p(rpc_in)+old_offset, data_len)) {
1410 DEBUG(3,("failed to decode PDU\n"));
1415 * Return the current pointer to the data offset.
1418 if(!prs_set_offset(rpc_in, old_offset)) {
1419 DEBUG(0,("failed to set offset back to %u\n",
1420 (unsigned int)old_offset ));
1424 /* The sequence number gets incremented on both send and receive. */
1425 p->netsec_auth.seq_num++;
1430 /****************************************************************************
1431 Return a user struct for a pipe user.
1432 ****************************************************************************/
1434 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1436 if (p->ntlmssp_auth_validated) {
1437 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1439 memcpy(user, ¤t_user, sizeof(struct current_user));
1445 /****************************************************************************
1446 Find the set of RPC functions associated with this context_id
1447 ****************************************************************************/
1449 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
1451 PIPE_RPC_FNS *fns = NULL;
1452 PIPE_RPC_FNS *tmp = NULL;
1455 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
1459 for (tmp=list; tmp; tmp=tmp->next ) {
1460 if ( tmp->context_id == context_id )
1469 /****************************************************************************
1471 ****************************************************************************/
1473 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
1475 PIPE_RPC_FNS *tmp = list;
1487 /****************************************************************************
1488 Find the correct RPC function to call for this request.
1489 If the pipe is authenticated then become the correct UNIX user
1490 before doing the call.
1491 ****************************************************************************/
1493 BOOL api_pipe_request(pipes_struct *p)
1496 PIPE_RPC_FNS *pipe_fns;
1498 if (p->ntlmssp_auth_validated) {
1500 if(!become_authenticated_pipe_user(p)) {
1501 prs_mem_free(&p->out_data.rdata);
1506 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1508 /* get the set of RPC functions for this context */
1510 pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
1513 set_current_rpc_talloc(p->mem_ctx);
1514 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
1515 set_current_rpc_talloc(NULL);
1518 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
1519 p->hdr_req.context_id, p->name));
1522 if(p->ntlmssp_auth_validated)
1523 unbecome_authenticated_pipe_user();
1528 /*******************************************************************
1529 Calls the underlying RPC function for a named pipe.
1530 ********************************************************************/
1532 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1533 const struct api_struct *api_rpc_cmds, int n_cmds)
1537 uint32 offset1, offset2;
1539 /* interpret the command */
1540 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1542 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1543 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1545 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1546 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1547 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1552 if (fn_num == n_cmds) {
1554 * For an unknown RPC just return a fault PDU but
1555 * return True to allow RPC's on the pipe to continue
1556 * and not put the pipe into fault state. JRA.
1558 DEBUG(4, ("unknown\n"));
1559 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1563 offset1 = prs_offset(&p->out_data.rdata);
1565 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1566 fn_num, api_rpc_cmds[fn_num].fn));
1567 /* do the actual command */
1568 if(!api_rpc_cmds[fn_num].fn(p)) {
1569 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1570 prs_mem_free(&p->out_data.rdata);
1574 if (p->bad_handle_fault_state) {
1575 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1576 p->bad_handle_fault_state = False;
1577 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1581 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1582 offset2 = prs_offset(&p->out_data.rdata);
1583 prs_set_offset(&p->out_data.rdata, offset1);
1584 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1585 prs_set_offset(&p->out_data.rdata, offset2);
1587 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1589 /* Check for buffer underflow in rpc parsing */
1591 if ((DEBUGLEVEL >= 10) &&
1592 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1593 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1594 char *data = SMB_MALLOC(data_len);
1596 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1598 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
1607 /*******************************************************************
1608 *******************************************************************/
1610 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
1612 struct api_struct *cmds = NULL;
1617 lsa_get_pipe_fns( &cmds, &n_cmds );
1620 lsa_ds_get_pipe_fns( &cmds, &n_cmds );
1623 samr_get_pipe_fns( &cmds, &n_cmds );
1626 netlog_get_pipe_fns( &cmds, &n_cmds );
1629 srvsvc_get_pipe_fns( &cmds, &n_cmds );
1632 wkssvc_get_pipe_fns( &cmds, &n_cmds );
1635 reg_get_pipe_fns( &cmds, &n_cmds );
1638 spoolss_get_pipe_fns( &cmds, &n_cmds );
1641 netdfs_get_pipe_fns( &cmds, &n_cmds );
1644 svcctl_get_pipe_fns( &cmds, &n_cmds );
1647 eventlog_get_pipe_fns( &cmds, &n_cmds );
1651 echo_get_pipe_fns( &cmds, &n_cmds );
1655 DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));