2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Anthony Liguori 2003.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 #define DBGC_CLASS DBGC_RPC_SRV
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
53 for( ind = 0; ind < len; ind++) {
58 index_j += hash[index_i];
61 hash[index_i] = hash[index_j];
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL create_next_pdu(pipes_struct *p)
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
82 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
84 uint32 data_space_available;
86 prs_struct outgoing_pdu;
90 * If we're in the fault state, keep returning fault PDU's until
91 * the pipe gets closed. JRA.
95 setup_fault_pdu(p, NT_STATUS(0x1c010002));
99 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
101 /* Change the incoming request header to a response. */
102 p->hdr.pkt_type = RPC_RESPONSE;
104 /* Set up rpc header flags. */
105 if (p->out_data.data_sent_length == 0)
106 p->hdr.flags = RPC_FLG_FIRST;
111 * Work out how much we can fit in a single PDU.
114 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
115 if(p->ntlmssp_auth_validated)
116 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
119 * The amount we send is the minimum of the available
120 * space and the amount left to send.
123 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
126 * Ensure there really is data left to send.
130 DEBUG(0,("create_next_pdu: no data left to send !\n"));
134 data_len = MIN(data_len_left, data_space_available);
137 * Set up the alloc hint. This should be the data left to
141 hdr_resp.alloc_hint = data_len_left;
144 * Set up the header lengths.
147 if (p->ntlmssp_auth_validated) {
148 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
149 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
150 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
157 * Work out if this PDU will be the last.
160 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
161 p->hdr.flags |= RPC_FLG_LAST;
164 * Init the parse struct to point at the outgoing
168 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
169 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
171 /* Store the header in the data stream. */
172 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
173 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
174 prs_mem_free(&outgoing_pdu);
178 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
179 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
180 prs_mem_free(&outgoing_pdu);
184 /* Store the current offset. */
185 data_pos = prs_offset(&outgoing_pdu);
187 /* Copy the data into the PDU. */
189 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
190 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
191 prs_mem_free(&outgoing_pdu);
195 if (p->hdr.auth_len > 0) {
199 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
200 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
203 * Set data to point to where we copied the data into.
206 data = prs_data_p(&outgoing_pdu) + data_pos;
209 crc32 = crc32_calc_buffer(data, data_len);
210 NTLMSSPcalc_p(p, (uchar*)data, data_len);
213 if (auth_seal || auth_verify) {
214 RPC_HDR_AUTH auth_info;
216 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
217 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
218 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
219 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
220 prs_mem_free(&outgoing_pdu);
226 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
227 char *auth_data = prs_data_p(&outgoing_pdu);
229 p->ntlmssp_seq_num++;
230 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
231 crc32, p->ntlmssp_seq_num++);
232 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
233 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
234 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
235 prs_mem_free(&outgoing_pdu);
238 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
243 * Setup the counts for this PDU.
246 p->out_data.data_sent_length += data_len;
247 p->out_data.current_pdu_len = p->hdr.frag_len;
248 p->out_data.current_pdu_sent = 0;
250 prs_mem_free(&outgoing_pdu);
254 /*******************************************************************
255 Process an NTLMSSP authentication response.
256 If this function succeeds, the user has been authenticated
257 and their domain, name and calling workstation stored in
259 The initial challenge is stored in p->challenge.
260 *******************************************************************/
262 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
274 struct auth_context *auth_context = NULL;
275 auth_usersupplied_info *user_info = NULL;
276 auth_serversupplied_info *server_info = NULL;
278 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
280 memset(p->user_name, '\0', sizeof(p->user_name));
281 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
282 memset(p->domain, '\0', sizeof(p->domain));
283 memset(p->wks, '\0', sizeof(p->wks));
285 /* Set up for non-authenticated user. */
286 delete_nt_token(&p->pipe_user.nt_user_token);
287 p->pipe_user.ngroups = 0;
288 SAFE_FREE( p->pipe_user.groups);
291 * Setup an empty password for a guest user.
295 * We always negotiate UNICODE.
298 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
299 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
300 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
301 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
303 pull_ascii_fstring(user_name, ntlmssp_resp->user);
304 pull_ascii_fstring(domain, ntlmssp_resp->domain);
305 pull_ascii_fstring(wks, ntlmssp_resp->wks);
308 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
310 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
311 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
313 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
314 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
316 #ifdef DEBUG_PASSWORD
317 DEBUG(100,("lm, nt owfs, chal\n"));
318 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
319 dump_data(100, (char *)nt_owf, nt_pw_len);
320 dump_data(100, (char *)p->challenge, 8);
324 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
330 * Do the length checking only if user is not NULL.
333 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
335 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
337 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
339 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
341 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
346 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
348 if (!make_user_info_netlogon_network(&user_info,
349 user_name, domain, wks,
351 nt_owf, nt_pw_len)) {
352 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
356 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
358 (auth_context->free)(&auth_context);
359 free_user_info(&user_info);
361 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
363 if (!p->ntlmssp_auth_validated) {
364 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
365 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
366 free_server_info(&server_info);
371 * Set up the sign/seal data.
376 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
388 for (ind = 0; ind < 256; ind++)
389 p->ntlmssp_hash[ind] = (unsigned char)ind;
391 for( ind = 0; ind < 256; ind++) {
394 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
396 tc = p->ntlmssp_hash[ind];
397 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
398 p->ntlmssp_hash[j] = tc;
401 p->ntlmssp_hash[256] = 0;
402 p->ntlmssp_hash[257] = 0;
404 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
405 p->ntlmssp_seq_num = 0;
409 fstrcpy(p->user_name, user_name);
410 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
411 fstrcpy(p->domain, domain);
412 fstrcpy(p->wks, wks);
415 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
418 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
419 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
420 free_server_info(&server_info);
424 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
426 p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
427 p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
429 p->pipe_user.ngroups = server_info->n_groups;
430 if (p->pipe_user.ngroups) {
431 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
432 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
433 free_server_info(&server_info);
438 if (server_info->ptok)
439 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
441 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
442 p->pipe_user.nt_user_token = NULL;
443 free_server_info(&server_info);
447 p->ntlmssp_auth_validated = True;
449 free_server_info(&server_info);
453 /*******************************************************************
454 The switch table for the pipe names and the functions to handle them.
455 *******************************************************************/
463 static struct api_cmd api_fd_commands[] =
465 #ifndef RPC_LSA_DYNAMIC
466 { "lsarpc", rpc_lsa_init },
468 #ifndef RPC_SAMR_DYNAMIC
469 { "samr", rpc_samr_init },
471 #ifndef RPC_SVC_DYNAMIC
472 { "srvsvc", rpc_srv_init },
474 #ifndef RPC_WKS_DYNAMIC
475 { "wkssvc", rpc_wks_init },
477 #ifndef RPC_NETLOG_DYNAMIC
478 { "NETLOGON", rpc_net_init },
480 #ifndef RPC_REG_DYNAMIC
481 { "winreg", rpc_reg_init },
483 #ifndef RPC_SPOOLSS_DYNAMIC
484 { "spoolss", rpc_spoolss_init },
486 #ifndef RPC_DFS_DYNAMIC
487 { "netdfs", rpc_dfs_init },
499 struct api_struct *cmds;
503 static struct rpc_table *rpc_lookup;
504 static int rpc_lookup_size;
506 /*******************************************************************
507 This is the client reply to our challenge for an authenticated
508 bind request. The challenge we sent is in p->challenge.
509 *******************************************************************/
511 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
513 RPC_HDR_AUTHA autha_info;
514 RPC_AUTH_VERIFIER auth_verifier;
515 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
517 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
519 if (p->hdr.auth_len == 0) {
520 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
525 * Decode the authentication verifier response.
528 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
529 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
533 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
534 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
535 (int)autha_info.auth_type, (int)autha_info.auth_level ));
539 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
540 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
545 * Ensure this is a NTLMSSP_AUTH packet type.
548 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
549 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
553 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
554 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
559 * The following call actually checks the challenge/response data.
560 * for correctness against the given DOMAIN\user name.
563 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
571 /*******************************************************************
572 Marshall a bind_nak pdu.
573 *******************************************************************/
575 static BOOL setup_bind_nak(pipes_struct *p)
577 prs_struct outgoing_rpc;
581 /* Free any memory in the current return data buffer. */
582 prs_mem_free(&p->out_data.rdata);
585 * Marshall directly into the outgoing PDU space. We
586 * must do this as we need to set to the bind response
587 * header and are never sending more than one PDU here.
590 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
591 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
595 * Initialize a bind_nak header.
598 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
599 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
602 * Marshall the header into the outgoing PDU.
605 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
606 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
607 prs_mem_free(&outgoing_rpc);
612 * Now add the reject reason.
615 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
616 prs_mem_free(&outgoing_rpc);
620 p->out_data.data_sent_length = 0;
621 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
622 p->out_data.current_pdu_sent = 0;
624 p->pipe_bound = False;
629 /*******************************************************************
630 Marshall a fault pdu.
631 *******************************************************************/
633 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
635 prs_struct outgoing_pdu;
637 RPC_HDR_RESP hdr_resp;
638 RPC_HDR_FAULT fault_resp;
640 /* Free any memory in the current return data buffer. */
641 prs_mem_free(&p->out_data.rdata);
644 * Marshall directly into the outgoing PDU space. We
645 * must do this as we need to set to the bind response
646 * header and are never sending more than one PDU here.
649 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
650 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
653 * Initialize a fault header.
656 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
657 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
660 * Initialize the HDR_RESP and FAULT parts of the PDU.
663 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
665 fault_resp.status = status;
666 fault_resp.reserved = 0;
669 * Marshall the header into the outgoing PDU.
672 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
673 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
674 prs_mem_free(&outgoing_pdu);
678 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
679 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
680 prs_mem_free(&outgoing_pdu);
684 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
685 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
686 prs_mem_free(&outgoing_pdu);
690 p->out_data.data_sent_length = 0;
691 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
692 p->out_data.current_pdu_sent = 0;
694 prs_mem_free(&outgoing_pdu);
698 /*******************************************************************
699 Ensure a bind request has the correct abstract & transfer interface.
700 Used to reject unknown binds from Win2k.
701 *******************************************************************/
703 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
706 extern struct pipe_id_info pipe_names[];
709 fstrcpy(pname,"\\PIPE\\");
710 fstrcat(pname,pipe_name);
712 DEBUG(3,("check_bind_req for %s\n", pname));
714 #ifndef SUPPORT_NEW_LSARPC_UUID
716 /* check for the first pipe matching the name */
718 for ( i=0; pipe_names[i].client_pipe; i++ ) {
719 if ( strequal(pipe_names[i].client_pipe, pname) )
723 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
725 for ( i=0; pipe_names[i].client_pipe; i++ )
727 if ( strequal(pipe_names[i].client_pipe, pname)
728 && (abstract->version == pipe_names[i].abstr_syntax.version)
729 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) == 0)
730 && (transfer->version == pipe_names[i].trans_syntax.version)
731 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) == 0) )
738 if(pipe_names[i].client_pipe == NULL)
741 #ifndef SUPPORT_NEW_LSARPC_UUID
742 /* check the abstract interface */
743 if ( (abstract->version != pipe_names[i].abstr_syntax.version)
744 || (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) != 0) )
749 /* check the transfer interface */
750 if ( (transfer->version != pipe_names[i].trans_syntax.version)
751 || (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) != 0) )
759 /*******************************************************************
760 Register commands to an RPC pipe
761 *******************************************************************/
762 int rpc_pipe_register_commands(const char *clnt, const char *srv, const struct api_struct *cmds, int size)
764 struct rpc_table *rpc_entry;
767 /* We use a temporary variable because this call can fail and
768 rpc_lookup will still be valid afterwards. It could then succeed if
769 called again later */
770 rpc_entry = realloc(rpc_lookup,
771 ++rpc_lookup_size*sizeof(struct rpc_table));
772 if (NULL == rpc_entry) {
774 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
777 rpc_lookup = rpc_entry;
780 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
781 ZERO_STRUCTP(rpc_entry);
782 rpc_entry->pipe.clnt = strdup(clnt);
783 rpc_entry->pipe.srv = strdup(srv);
784 rpc_entry->cmds = realloc(rpc_entry->cmds,
785 (rpc_entry->n_cmds + size) *
786 sizeof(struct api_struct));
787 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
788 size * sizeof(struct api_struct));
789 rpc_entry->n_cmds += size;
794 /*******************************************************************
795 Register commands to an RPC pipe
796 *******************************************************************/
797 int rpc_load_module(const char *module)
801 int (*module_init)(void);
805 pstrcpy(full_path, lib_path("rpc"));
806 pstrcat(full_path, "/librpc_");
807 pstrcat(full_path, module);
808 pstrcat(full_path, ".");
809 pstrcat(full_path, shlib_ext());
811 handle = sys_dlopen(full_path, RTLD_LAZY);
813 DEBUG(0, ("Could not load requested pipe %s as %s\n",
815 DEBUG(0, (" Error: %s\n", dlerror()));
819 DEBUG(3, ("Module '%s' loaded\n", full_path));
821 module_init = sys_dlsym(handle, "rpc_pipe_init");
822 if ((error = sys_dlerror()) != NULL) {
823 DEBUG(0, ("Error trying to resolve symbol 'rpc_pipe_init' in %s: %s\n",
828 return module_init();
830 DEBUG(0,("Attempting to load a dynamic RPC pipe when dlopen isn't available\n"));
835 /*******************************************************************
836 Respond to a pipe bind request.
837 *******************************************************************/
839 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
843 RPC_HDR_AUTH auth_info;
845 fstring ack_pipe_name;
846 prs_struct out_hdr_ba;
848 prs_struct outgoing_rpc;
851 enum RPC_PKT_TYPE reply_pkt_type;
853 p->ntlmssp_auth_requested = False;
855 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
858 * Try and find the correct pipe name to ensure
859 * that this is a pipe name we support.
863 for (i = 0; i < rpc_lookup_size; i++) {
864 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
865 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
866 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
867 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
872 if (i == rpc_lookup_size) {
873 for (i = 0; api_fd_commands[i].name; i++) {
874 if (strequal(api_fd_commands[i].name, p->name)) {
875 api_fd_commands[i].init();
880 if (!api_fd_commands[i].name && !rpc_load_module(p->name)) {
881 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
883 if(!setup_bind_nak(p))
888 for (i = 0; i < rpc_lookup_size; i++) {
889 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
890 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
891 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
892 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
898 /* decode the bind request */
899 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
900 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
905 * Check if this is an authenticated request.
908 if (p->hdr.auth_len != 0) {
909 RPC_AUTH_VERIFIER auth_verifier;
910 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
913 * Decode the authentication verifier.
916 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
917 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
922 * We only support NTLMSSP_AUTH_TYPE requests.
925 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
926 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
927 auth_info.auth_type ));
931 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
932 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
936 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
937 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
941 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
942 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
943 auth_verifier.msg_type));
947 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
948 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
952 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
953 p->ntlmssp_auth_requested = True;
956 switch(p->hdr.pkt_type) {
958 /* name has to be \PIPE\xxxxx */
959 fstrcpy(ack_pipe_name, "\\PIPE\\");
960 fstrcat(ack_pipe_name, p->pipe_srv_name);
961 reply_pkt_type = RPC_BINDACK;
964 /* secondary address CAN be NULL
965 * as the specs say it's ignored.
966 * It MUST NULL to have the spoolss working.
968 fstrcpy(ack_pipe_name,"");
969 reply_pkt_type = RPC_ALTCONTRESP;
975 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
978 * Marshall directly into the outgoing PDU space. We
979 * must do this as we need to set to the bind response
980 * header and are never sending more than one PDU here.
983 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
984 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
987 * Setup the memory to marshall the ba header, and the
991 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
992 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
993 prs_mem_free(&outgoing_rpc);
997 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
998 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
999 prs_mem_free(&outgoing_rpc);
1000 prs_mem_free(&out_hdr_ba);
1004 if (p->ntlmssp_auth_requested)
1007 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1010 * Create the bind response struct.
1013 /* If the requested abstract synt uuid doesn't match our client pipe,
1014 reject the bind_ack & set the transfer interface synt to all 0's,
1015 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1017 Needed when adding entries to a DACL from NT5 - SK */
1019 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
1020 init_rpc_hdr_ba(&hdr_ba,
1028 RPC_IFACE null_interface;
1029 ZERO_STRUCT(null_interface);
1030 /* Rejection reason: abstract syntax not supported */
1031 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1032 MAX_PDU_FRAG_LEN, assoc_gid,
1033 ack_pipe_name, 0x1, 0x2, 0x1,
1041 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1042 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1047 * Now the authentication.
1050 if (p->ntlmssp_auth_requested) {
1051 RPC_AUTH_VERIFIER auth_verifier;
1052 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1054 generate_random_buffer(p->challenge, 8, False);
1056 /*** Authentication info ***/
1058 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
1059 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1060 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1064 /*** NTLMSSP verifier ***/
1066 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1067 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1068 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1072 /* NTLMSSP challenge ***/
1074 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1075 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1076 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1080 /* Auth len in the rpc header doesn't include auth_header. */
1081 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1085 * Create the header, now we know the length.
1088 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1090 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1094 * Marshall the header into the outgoing PDU.
1097 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1098 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1103 * Now add the RPC_HDR_BA and any auth needed.
1106 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1107 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1111 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1112 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1116 if(!p->ntlmssp_auth_requested)
1117 p->pipe_bound = True;
1120 * Setup the lengths for the initial reply.
1123 p->out_data.data_sent_length = 0;
1124 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1125 p->out_data.current_pdu_sent = 0;
1127 prs_mem_free(&out_hdr_ba);
1128 prs_mem_free(&out_auth);
1134 prs_mem_free(&outgoing_rpc);
1135 prs_mem_free(&out_hdr_ba);
1136 prs_mem_free(&out_auth);
1140 /****************************************************************************
1141 Deal with sign & seal processing on an RPC request.
1142 ****************************************************************************/
1144 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1147 * We always negotiate the following two bits....
1149 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1150 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1156 auth_len = p->hdr.auth_len;
1158 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1159 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1164 * The following is that length of the data we must verify or unseal.
1165 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1166 * preceeding the auth_data.
1169 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1170 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1172 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1173 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1177 * The data in rpc_in doesn't contain the RPC_HEADER as this
1178 * has already been consumed.
1180 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1181 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1182 crc32 = crc32_calc_buffer(data, data_len);
1185 old_offset = prs_offset(rpc_in);
1187 if (auth_seal || auth_verify) {
1188 RPC_HDR_AUTH auth_info;
1190 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1191 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1192 (unsigned int)old_offset + data_len ));
1196 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1197 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1203 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1204 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1206 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1209 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1212 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1213 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1214 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1218 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1219 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1220 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1224 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1225 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1231 * Return the current pointer to the data offset.
1234 if(!prs_set_offset(rpc_in, old_offset)) {
1235 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1236 (unsigned int)old_offset ));
1243 /****************************************************************************
1244 Return a user struct for a pipe user.
1245 ****************************************************************************/
1247 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1249 if (p->ntlmssp_auth_validated) {
1250 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1252 extern struct current_user current_user;
1253 memcpy(user, ¤t_user, sizeof(struct current_user));
1259 /****************************************************************************
1260 Find the correct RPC function to call for this request.
1261 If the pipe is authenticated then become the correct UNIX user
1262 before doing the call.
1263 ****************************************************************************/
1265 BOOL api_pipe_request(pipes_struct *p)
1270 if (p->ntlmssp_auth_validated) {
1272 if(!become_authenticated_pipe_user(p)) {
1273 prs_mem_free(&p->out_data.rdata);
1278 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1280 for (i = 0; i < rpc_lookup_size; i++) {
1281 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1282 DEBUG(3,("Doing \\PIPE\\%s\n",
1283 rpc_lookup[i].pipe.clnt));
1284 set_current_rpc_talloc(p->mem_ctx);
1285 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1287 rpc_lookup[i].n_cmds);
1288 set_current_rpc_talloc(NULL);
1294 if (i == rpc_lookup_size) {
1295 for (i = 0; api_fd_commands[i].name; i++) {
1296 if (strequal(api_fd_commands[i].name, p->name)) {
1297 api_fd_commands[i].init();
1302 if (!api_fd_commands[i].name) {
1303 rpc_load_module(p->name);
1306 for (i = 0; i < rpc_lookup_size; i++) {
1307 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1308 DEBUG(3,("Doing \\PIPE\\%s\n",
1309 rpc_lookup[i].pipe.clnt));
1310 set_current_rpc_talloc(p->mem_ctx);
1311 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1313 rpc_lookup[i].n_cmds);
1314 set_current_rpc_talloc(NULL);
1320 if(p->ntlmssp_auth_validated)
1321 unbecome_authenticated_pipe_user();
1326 /*******************************************************************
1327 Calls the underlying RPC function for a named pipe.
1328 ********************************************************************/
1330 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1331 const struct api_struct *api_rpc_cmds, int n_cmds)
1335 uint32 offset1, offset2;
1337 /* interpret the command */
1338 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1340 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1341 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1343 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1344 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1345 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1350 if (fn_num == n_cmds) {
1352 * For an unknown RPC just return a fault PDU but
1353 * return True to allow RPC's on the pipe to continue
1354 * and not put the pipe into fault state. JRA.
1356 DEBUG(4, ("unknown\n"));
1357 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1361 offset1 = prs_offset(&p->out_data.rdata);
1363 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1364 fn_num, api_rpc_cmds[fn_num].fn));
1365 /* do the actual command */
1366 if(!api_rpc_cmds[fn_num].fn(p)) {
1367 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1368 prs_mem_free(&p->out_data.rdata);
1372 if (p->bad_handle_fault_state) {
1373 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1374 p->bad_handle_fault_state = False;
1375 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1379 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1380 offset2 = prs_offset(&p->out_data.rdata);
1381 prs_set_offset(&p->out_data.rdata, offset1);
1382 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1383 prs_set_offset(&p->out_data.rdata, offset2);
1385 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1387 /* Check for buffer underflow in rpc parsing */
1389 if ((DEBUGLEVEL >= 10) &&
1390 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1391 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1394 data = malloc(data_len);
1396 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1398 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);