2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Anthony Liguori 2003.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 #define DBGC_CLASS DBGC_RPC_SRV
46 static void NTLMSSPcalc_p( pipes_struct
*p
, unsigned char *data
, int len
)
48 unsigned char *hash
= p
->ntlmssp_hash
;
49 unsigned char index_i
= hash
[256];
50 unsigned char index_j
= hash
[257];
53 for( ind
= 0; ind
< len
; ind
++) {
58 index_j
+= hash
[index_i
];
61 hash
[index_i
] = hash
[index_j
];
64 t
= hash
[index_i
] + hash
[index_j
];
65 data
[ind
] = data
[ind
] ^ hash
[t
];
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
78 BOOL
create_next_pdu(pipes_struct
*p
)
80 RPC_HDR_RESP hdr_resp
;
81 BOOL auth_verify
= ((p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_SIGN
) != 0);
82 BOOL auth_seal
= ((p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_SEAL
) != 0);
84 uint32 data_space_available
;
86 prs_struct outgoing_pdu
;
92 * If we're in the fault state, keep returning fault PDU's until
93 * the pipe gets closed. JRA.
97 setup_fault_pdu(p
, NT_STATUS(0x1c010002));
101 memset((char *)&hdr_resp
, '\0', sizeof(hdr_resp
));
103 /* Change the incoming request header to a response. */
104 p
->hdr
.pkt_type
= RPC_RESPONSE
;
106 /* Set up rpc header flags. */
107 if (p
->out_data
.data_sent_length
== 0)
108 p
->hdr
.flags
= RPC_FLG_FIRST
;
113 * Work out how much we can fit in a single PDU.
116 data_space_available
= sizeof(p
->out_data
.current_pdu
) - RPC_HEADER_LEN
- RPC_HDR_RESP_LEN
;
117 if(p
->ntlmssp_auth_validated
)
118 data_space_available
-= (RPC_HDR_AUTH_LEN
+ RPC_AUTH_NTLMSSP_CHK_LEN
);
121 * The amount we send is the minimum of the available
122 * space and the amount left to send.
125 data_len_left
= prs_offset(&p
->out_data
.rdata
) - p
->out_data
.data_sent_length
;
128 * Ensure there really is data left to send.
132 DEBUG(0,("create_next_pdu: no data left to send !\n"));
136 data_len
= MIN(data_len_left
, data_space_available
);
139 * Set up the alloc hint. This should be the data left to
143 hdr_resp
.alloc_hint
= data_len_left
;
146 * Set up the header lengths.
149 if (p
->ntlmssp_auth_validated
) {
150 p
->hdr
.frag_len
= RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
+ data_len
+
151 RPC_HDR_AUTH_LEN
+ RPC_AUTH_NTLMSSP_CHK_LEN
;
152 p
->hdr
.auth_len
= RPC_AUTH_NTLMSSP_CHK_LEN
;
154 p
->hdr
.frag_len
= RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
+ data_len
;
159 * Work out if this PDU will be the last.
162 if(p
->out_data
.data_sent_length
+ data_len
>= prs_offset(&p
->out_data
.rdata
))
163 p
->hdr
.flags
|= RPC_FLG_LAST
;
166 * Init the parse struct to point at the outgoing
170 prs_init( &outgoing_pdu
, 0, p
->mem_ctx
, MARSHALL
);
171 prs_give_memory( &outgoing_pdu
, (char *)p
->out_data
.current_pdu
, sizeof(p
->out_data
.current_pdu
), False
);
173 /* Store the header in the data stream. */
174 if(!smb_io_rpc_hdr("hdr", &p
->hdr
, &outgoing_pdu
, 0)) {
175 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
176 prs_mem_free(&outgoing_pdu
);
180 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp
, &outgoing_pdu
, 0)) {
181 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
182 prs_mem_free(&outgoing_pdu
);
186 /* Store the current offset. */
187 data_pos
= prs_offset(&outgoing_pdu
);
189 /* Copy the data into the PDU. */
190 data_from
= prs_data_p(&p
->out_data
.rdata
) + p
->out_data
.data_sent_length
;
192 if(!prs_append_data(&outgoing_pdu
, data_from
, data_len
)) {
193 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len
));
194 prs_mem_free(&outgoing_pdu
);
199 * Set data to point to where we copied the data into.
202 data
= prs_data_p(&outgoing_pdu
) + data_pos
;
204 if (p
->hdr
.auth_len
> 0) {
207 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
208 BOOLSTR(auth_verify
), BOOLSTR(auth_seal
), data_len
, p
->hdr
.auth_len
));
211 crc32
= crc32_calc_buffer(data
, data_len
);
212 NTLMSSPcalc_p(p
, (uchar
*)data
, data_len
);
215 if (auth_seal
|| auth_verify
) {
216 RPC_HDR_AUTH auth_info
;
218 init_rpc_hdr_auth(&auth_info
, NTLMSSP_AUTH_TYPE
, NTLMSSP_AUTH_LEVEL
,
219 (auth_verify
? RPC_HDR_AUTH_LEN
: 0), (auth_verify
? 1 : 0));
220 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info
, &outgoing_pdu
, 0)) {
221 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
222 prs_mem_free(&outgoing_pdu
);
228 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk
;
229 char *auth_data
= prs_data_p(&outgoing_pdu
);
231 p
->ntlmssp_seq_num
++;
232 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk
, NTLMSSP_SIGN_VERSION
,
233 crc32
, p
->ntlmssp_seq_num
++);
234 auth_data
= prs_data_p(&outgoing_pdu
) + prs_offset(&outgoing_pdu
) + 4;
235 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk
, &outgoing_pdu
, 0)) {
236 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
237 prs_mem_free(&outgoing_pdu
);
240 NTLMSSPcalc_p(p
, (uchar
*)auth_data
, RPC_AUTH_NTLMSSP_CHK_LEN
- 4);
245 * Setup the counts for this PDU.
248 p
->out_data
.data_sent_length
+= data_len
;
249 p
->out_data
.current_pdu_len
= p
->hdr
.frag_len
;
250 p
->out_data
.current_pdu_sent
= 0;
252 prs_mem_free(&outgoing_pdu
);
256 /*******************************************************************
257 Process an NTLMSSP authentication response.
258 If this function succeeds, the user has been authenticated
259 and their domain, name and calling workstation stored in
261 The initial challenge is stored in p->challenge.
262 *******************************************************************/
264 static BOOL
api_pipe_ntlmssp_verify(pipes_struct
*p
, RPC_AUTH_NTLMSSP_RESP
*ntlmssp_resp
)
276 struct auth_context
*auth_context
= NULL
;
277 auth_usersupplied_info
*user_info
= NULL
;
278 auth_serversupplied_info
*server_info
= NULL
;
280 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
282 memset(p
->user_name
, '\0', sizeof(p
->user_name
));
283 memset(p
->pipe_user_name
, '\0', sizeof(p
->pipe_user_name
));
284 memset(p
->domain
, '\0', sizeof(p
->domain
));
285 memset(p
->wks
, '\0', sizeof(p
->wks
));
287 /* Set up for non-authenticated user. */
288 delete_nt_token(&p
->pipe_user
.nt_user_token
);
289 p
->pipe_user
.ngroups
= 0;
290 SAFE_FREE( p
->pipe_user
.groups
);
293 * Setup an empty password for a guest user.
297 * We always negotiate UNICODE.
300 if (p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_UNICODE
) {
301 rpcstr_pull(user_name
, ntlmssp_resp
->user
, sizeof(fstring
), ntlmssp_resp
->hdr_usr
.str_str_len
*2, 0 );
302 rpcstr_pull(domain
, ntlmssp_resp
->domain
, sizeof(fstring
), ntlmssp_resp
->hdr_domain
.str_str_len
*2, 0);
303 rpcstr_pull(wks
, ntlmssp_resp
->wks
, sizeof(fstring
), ntlmssp_resp
->hdr_wks
.str_str_len
*2, 0);
305 pull_ascii_fstring(user_name
, ntlmssp_resp
->user
);
306 pull_ascii_fstring(domain
, ntlmssp_resp
->domain
);
307 pull_ascii_fstring(wks
, ntlmssp_resp
->wks
);
310 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name
, domain
, wks
));
312 nt_pw_len
= MIN(sizeof(nt_owf
), ntlmssp_resp
->hdr_nt_resp
.str_str_len
);
313 lm_pw_len
= MIN(sizeof(lm_owf
), ntlmssp_resp
->hdr_lm_resp
.str_str_len
);
315 memcpy(lm_owf
, ntlmssp_resp
->lm_resp
, sizeof(lm_owf
));
316 memcpy(nt_owf
, ntlmssp_resp
->nt_resp
, nt_pw_len
);
318 #ifdef DEBUG_PASSWORD
319 DEBUG(100,("lm, nt owfs, chal\n"));
320 dump_data(100, (char *)lm_owf
, sizeof(lm_owf
));
321 dump_data(100, (char *)nt_owf
, nt_pw_len
);
322 dump_data(100, (char *)p
->challenge
, 8);
326 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
332 * Do the length checking only if user is not NULL.
335 if (ntlmssp_resp
->hdr_lm_resp
.str_str_len
== 0)
337 if (ntlmssp_resp
->hdr_nt_resp
.str_str_len
== 0)
339 if (ntlmssp_resp
->hdr_usr
.str_str_len
== 0)
341 if (ntlmssp_resp
->hdr_domain
.str_str_len
== 0)
343 if (ntlmssp_resp
->hdr_wks
.str_str_len
== 0)
348 make_auth_context_fixed(&auth_context
, (uchar
*)p
->challenge
);
350 if (!make_user_info_netlogon_network(&user_info
,
351 user_name
, domain
, wks
,
353 nt_owf
, nt_pw_len
)) {
354 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
358 nt_status
= auth_context
->check_ntlm_password(auth_context
, user_info
, &server_info
);
360 (auth_context
->free
)(&auth_context
);
361 free_user_info(&user_info
);
363 p
->ntlmssp_auth_validated
= NT_STATUS_IS_OK(nt_status
);
365 if (!p
->ntlmssp_auth_validated
) {
366 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
367 failed authentication on named pipe %s.\n", domain
, user_name
, wks
, p
->name
));
368 free_server_info(&server_info
);
373 * Set up the sign/seal data.
378 NTLMSSPOWFencrypt(server_info
->first_8_lm_hash
, lm_owf
, p24
);
390 for (ind
= 0; ind
< 256; ind
++)
391 p
->ntlmssp_hash
[ind
] = (unsigned char)ind
;
393 for( ind
= 0; ind
< 256; ind
++) {
396 j
+= (p
->ntlmssp_hash
[ind
] + k2
[ind
%8]);
398 tc
= p
->ntlmssp_hash
[ind
];
399 p
->ntlmssp_hash
[ind
] = p
->ntlmssp_hash
[j
];
400 p
->ntlmssp_hash
[j
] = tc
;
403 p
->ntlmssp_hash
[256] = 0;
404 p
->ntlmssp_hash
[257] = 0;
406 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
407 p
->ntlmssp_seq_num
= 0;
411 fstrcpy(p
->user_name
, user_name
);
412 fstrcpy(p
->pipe_user_name
, pdb_get_username(server_info
->sam_account
));
413 fstrcpy(p
->domain
, domain
);
414 fstrcpy(p
->wks
, wks
);
417 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
420 if (!IS_SAM_UNIX_USER(server_info
->sam_account
)) {
421 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
422 free_server_info(&server_info
);
426 memcpy(p
->session_key
, server_info
->session_key
, sizeof(p
->session_key
));
428 p
->pipe_user
.uid
= pdb_get_uid(server_info
->sam_account
);
429 p
->pipe_user
.gid
= pdb_get_gid(server_info
->sam_account
);
431 p
->pipe_user
.ngroups
= server_info
->n_groups
;
432 if (p
->pipe_user
.ngroups
) {
433 if (!(p
->pipe_user
.groups
= memdup(server_info
->groups
, sizeof(gid_t
) * p
->pipe_user
.ngroups
))) {
434 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
435 free_server_info(&server_info
);
440 if (server_info
->ptok
)
441 p
->pipe_user
.nt_user_token
= dup_nt_token(server_info
->ptok
);
443 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
444 p
->pipe_user
.nt_user_token
= NULL
;
445 free_server_info(&server_info
);
449 p
->ntlmssp_auth_validated
= True
;
451 free_server_info(&server_info
);
455 /*******************************************************************
456 The switch table for the pipe names and the functions to handle them.
457 *******************************************************************/
465 static struct api_cmd api_fd_commands
[] =
467 #ifndef RPC_LSA_DYNAMIC
468 { "lsarpc", rpc_lsa_init
},
470 #ifndef RPC_SAMR_DYNAMIC
471 { "samr", rpc_samr_init
},
473 #ifndef RPC_SVC_DYNAMIC
474 { "srvsvc", rpc_srv_init
},
476 #ifndef RPC_WKS_DYNAMIC
477 { "wkssvc", rpc_wks_init
},
479 #ifndef RPC_NETLOG_DYNAMIC
480 { "NETLOGON", rpc_net_init
},
482 #ifndef RPC_REG_DYNAMIC
483 { "winreg", rpc_reg_init
},
485 #ifndef RPC_SPOOLSS_DYNAMIC
486 { "spoolss", rpc_spoolss_init
},
488 #ifndef RPC_DFS_DYNAMIC
489 { "netdfs", rpc_dfs_init
},
501 struct api_struct
*cmds
;
505 static struct rpc_table
*rpc_lookup
;
506 static int rpc_lookup_size
;
508 /*******************************************************************
509 This is the client reply to our challenge for an authenticated
510 bind request. The challenge we sent is in p->challenge.
511 *******************************************************************/
513 BOOL
api_pipe_bind_auth_resp(pipes_struct
*p
, prs_struct
*rpc_in_p
)
515 RPC_HDR_AUTHA autha_info
;
516 RPC_AUTH_VERIFIER auth_verifier
;
517 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp
;
519 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__
));
521 if (p
->hdr
.auth_len
== 0) {
522 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
527 * Decode the authentication verifier response.
530 if(!smb_io_rpc_hdr_autha("", &autha_info
, rpc_in_p
, 0)) {
531 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
535 if (autha_info
.auth_type
!= NTLMSSP_AUTH_TYPE
|| autha_info
.auth_level
!= NTLMSSP_AUTH_LEVEL
) {
536 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
537 (int)autha_info
.auth_type
, (int)autha_info
.auth_level
));
541 if(!smb_io_rpc_auth_verifier("", &auth_verifier
, rpc_in_p
, 0)) {
542 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
547 * Ensure this is a NTLMSSP_AUTH packet type.
550 if (!rpc_auth_verifier_chk(&auth_verifier
, "NTLMSSP", NTLMSSP_AUTH
)) {
551 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
555 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp
, rpc_in_p
, 0)) {
556 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
561 * The following call actually checks the challenge/response data.
562 * for correctness against the given DOMAIN\user name.
565 if (!api_pipe_ntlmssp_verify(p
, &ntlmssp_resp
))
573 /*******************************************************************
574 Marshall a bind_nak pdu.
575 *******************************************************************/
577 static BOOL
setup_bind_nak(pipes_struct
*p
)
579 prs_struct outgoing_rpc
;
583 /* Free any memory in the current return data buffer. */
584 prs_mem_free(&p
->out_data
.rdata
);
587 * Marshall directly into the outgoing PDU space. We
588 * must do this as we need to set to the bind response
589 * header and are never sending more than one PDU here.
592 prs_init( &outgoing_rpc
, 0, p
->mem_ctx
, MARSHALL
);
593 prs_give_memory( &outgoing_rpc
, (char *)p
->out_data
.current_pdu
, sizeof(p
->out_data
.current_pdu
), False
);
597 * Initialize a bind_nak header.
600 init_rpc_hdr(&nak_hdr
, RPC_BINDNACK
, RPC_FLG_FIRST
| RPC_FLG_LAST
,
601 p
->hdr
.call_id
, RPC_HEADER_LEN
+ sizeof(uint16
), 0);
604 * Marshall the header into the outgoing PDU.
607 if(!smb_io_rpc_hdr("", &nak_hdr
, &outgoing_rpc
, 0)) {
608 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
609 prs_mem_free(&outgoing_rpc
);
614 * Now add the reject reason.
617 if(!prs_uint16("reject code", &outgoing_rpc
, 0, &zero
)) {
618 prs_mem_free(&outgoing_rpc
);
622 p
->out_data
.data_sent_length
= 0;
623 p
->out_data
.current_pdu_len
= prs_offset(&outgoing_rpc
);
624 p
->out_data
.current_pdu_sent
= 0;
626 p
->pipe_bound
= False
;
631 /*******************************************************************
632 Marshall a fault pdu.
633 *******************************************************************/
635 BOOL
setup_fault_pdu(pipes_struct
*p
, NTSTATUS status
)
637 prs_struct outgoing_pdu
;
639 RPC_HDR_RESP hdr_resp
;
640 RPC_HDR_FAULT fault_resp
;
642 /* Free any memory in the current return data buffer. */
643 prs_mem_free(&p
->out_data
.rdata
);
646 * Marshall directly into the outgoing PDU space. We
647 * must do this as we need to set to the bind response
648 * header and are never sending more than one PDU here.
651 prs_init( &outgoing_pdu
, 0, p
->mem_ctx
, MARSHALL
);
652 prs_give_memory( &outgoing_pdu
, (char *)p
->out_data
.current_pdu
, sizeof(p
->out_data
.current_pdu
), False
);
655 * Initialize a fault header.
658 init_rpc_hdr(&fault_hdr
, RPC_FAULT
, RPC_FLG_FIRST
| RPC_FLG_LAST
| RPC_FLG_NOCALL
,
659 p
->hdr
.call_id
, RPC_HEADER_LEN
+ RPC_HDR_RESP_LEN
+ RPC_HDR_FAULT_LEN
, 0);
662 * Initialize the HDR_RESP and FAULT parts of the PDU.
665 memset((char *)&hdr_resp
, '\0', sizeof(hdr_resp
));
667 fault_resp
.status
= status
;
668 fault_resp
.reserved
= 0;
671 * Marshall the header into the outgoing PDU.
674 if(!smb_io_rpc_hdr("", &fault_hdr
, &outgoing_pdu
, 0)) {
675 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
676 prs_mem_free(&outgoing_pdu
);
680 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp
, &outgoing_pdu
, 0)) {
681 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
682 prs_mem_free(&outgoing_pdu
);
686 if(!smb_io_rpc_hdr_fault("fault", &fault_resp
, &outgoing_pdu
, 0)) {
687 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
688 prs_mem_free(&outgoing_pdu
);
692 p
->out_data
.data_sent_length
= 0;
693 p
->out_data
.current_pdu_len
= prs_offset(&outgoing_pdu
);
694 p
->out_data
.current_pdu_sent
= 0;
696 prs_mem_free(&outgoing_pdu
);
700 /*******************************************************************
701 Ensure a bind request has the correct abstract & transfer interface.
702 Used to reject unknown binds from Win2k.
703 *******************************************************************/
705 BOOL
check_bind_req(char* pipe_name
, RPC_IFACE
* abstract
,
708 extern struct pipe_id_info pipe_names
[];
711 fstrcpy(pname
,"\\PIPE\\");
712 fstrcat(pname
,pipe_name
);
714 DEBUG(3,("check_bind_req for %s\n", pname
));
716 #ifndef SUPPORT_NEW_LSARPC_UUID
718 /* check for the first pipe matching the name */
720 for ( i
=0; pipe_names
[i
].client_pipe
; i
++ ) {
721 if ( strequal(pipe_names
[i
].client_pipe
, pname
) )
725 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
727 for ( i
=0; pipe_names
[i
].client_pipe
; i
++ )
729 if ( strequal(pipe_names
[i
].client_pipe
, pname
)
730 && (abstract
->version
== pipe_names
[i
].abstr_syntax
.version
)
731 && (memcmp(&abstract
->uuid
, &pipe_names
[i
].abstr_syntax
.uuid
, sizeof(RPC_UUID
)) == 0)
732 && (transfer
->version
== pipe_names
[i
].trans_syntax
.version
)
733 && (memcmp(&transfer
->uuid
, &pipe_names
[i
].trans_syntax
.uuid
, sizeof(RPC_UUID
)) == 0) )
740 if(pipe_names
[i
].client_pipe
== NULL
)
743 #ifndef SUPPORT_NEW_LSARPC_UUID
744 /* check the abstract interface */
745 if ( (abstract
->version
!= pipe_names
[i
].abstr_syntax
.version
)
746 || (memcmp(&abstract
->uuid
, &pipe_names
[i
].abstr_syntax
.uuid
, sizeof(RPC_UUID
)) != 0) )
751 /* check the transfer interface */
752 if ( (transfer
->version
!= pipe_names
[i
].trans_syntax
.version
)
753 || (memcmp(&transfer
->uuid
, &pipe_names
[i
].trans_syntax
.uuid
, sizeof(RPC_UUID
)) != 0) )
761 /*******************************************************************
762 Register commands to an RPC pipe
763 *******************************************************************/
764 int rpc_pipe_register_commands(const char *clnt
, const char *srv
, const struct api_struct
*cmds
, int size
)
766 struct rpc_table
*rpc_entry
;
769 /* We use a temporary variable because this call can fail and
770 rpc_lookup will still be valid afterwards. It could then succeed if
771 called again later */
772 rpc_entry
= realloc(rpc_lookup
,
773 ++rpc_lookup_size
*sizeof(struct rpc_table
));
774 if (NULL
== rpc_entry
) {
776 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
779 rpc_lookup
= rpc_entry
;
782 rpc_entry
= rpc_lookup
+ (rpc_lookup_size
- 1);
783 ZERO_STRUCTP(rpc_entry
);
784 rpc_entry
->pipe
.clnt
= strdup(clnt
);
785 rpc_entry
->pipe
.srv
= strdup(srv
);
786 rpc_entry
->cmds
= realloc(rpc_entry
->cmds
,
787 (rpc_entry
->n_cmds
+ size
) *
788 sizeof(struct api_struct
));
789 memcpy(rpc_entry
->cmds
+ rpc_entry
->n_cmds
, cmds
,
790 size
* sizeof(struct api_struct
));
791 rpc_entry
->n_cmds
+= size
;
796 /*******************************************************************
797 Register commands to an RPC pipe
798 *******************************************************************/
799 int rpc_load_module(const char *module
)
803 int (*module_init
)(void);
807 pstrcpy(full_path
, lib_path("rpc"));
808 pstrcat(full_path
, "/librpc_");
809 pstrcat(full_path
, module
);
810 pstrcat(full_path
, ".");
811 pstrcat(full_path
, shlib_ext());
813 handle
= sys_dlopen(full_path
, RTLD_LAZY
);
815 DEBUG(0, ("Could not load requested pipe %s as %s\n",
817 DEBUG(0, (" Error: %s\n", dlerror()));
821 DEBUG(3, ("Module '%s' loaded\n", full_path
));
823 module_init
= sys_dlsym(handle
, "rpc_pipe_init");
824 if ((error
= sys_dlerror()) != NULL
) {
825 DEBUG(0, ("Error trying to resolve symbol 'rpc_pipe_init' in %s: %s\n",
830 return module_init();
832 DEBUG(0,("Attempting to load a dynamic RPC pipe when dlopen isn't available\n"));
837 /*******************************************************************
838 Respond to a pipe bind request.
839 *******************************************************************/
841 BOOL
api_pipe_bind_req(pipes_struct
*p
, prs_struct
*rpc_in_p
)
845 RPC_HDR_AUTH auth_info
;
847 fstring ack_pipe_name
;
848 prs_struct out_hdr_ba
;
850 prs_struct outgoing_rpc
;
853 enum RPC_PKT_TYPE reply_pkt_type
;
855 p
->ntlmssp_auth_requested
= False
;
857 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__
));
860 * Try and find the correct pipe name to ensure
861 * that this is a pipe name we support.
865 for (i
= 0; i
< rpc_lookup_size
; i
++) {
866 if (strequal(rpc_lookup
[i
].pipe
.clnt
, p
->name
)) {
867 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
868 rpc_lookup
[i
].pipe
.clnt
, rpc_lookup
[i
].pipe
.srv
));
869 fstrcpy(p
->pipe_srv_name
, rpc_lookup
[i
].pipe
.srv
);
874 if (i
== rpc_lookup_size
) {
875 for (i
= 0; api_fd_commands
[i
].name
; i
++) {
876 if (strequal(api_fd_commands
[i
].name
, p
->name
)) {
877 api_fd_commands
[i
].init();
882 if (!api_fd_commands
[i
].name
&& !rpc_load_module(p
->name
)) {
883 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
885 if(!setup_bind_nak(p
))
890 for (i
= 0; i
< rpc_lookup_size
; i
++) {
891 if (strequal(rpc_lookup
[i
].pipe
.clnt
, p
->name
)) {
892 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
893 rpc_lookup
[i
].pipe
.clnt
, rpc_lookup
[i
].pipe
.srv
));
894 fstrcpy(p
->pipe_srv_name
, rpc_lookup
[i
].pipe
.srv
);
900 /* decode the bind request */
901 if(!smb_io_rpc_hdr_rb("", &hdr_rb
, rpc_in_p
, 0)) {
902 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
907 * Check if this is an authenticated request.
910 if (p
->hdr
.auth_len
!= 0) {
911 RPC_AUTH_VERIFIER auth_verifier
;
912 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg
;
915 * Decode the authentication verifier.
918 if(!smb_io_rpc_hdr_auth("", &auth_info
, rpc_in_p
, 0)) {
919 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
924 * We only support NTLMSSP_AUTH_TYPE requests.
927 if(auth_info
.auth_type
!= NTLMSSP_AUTH_TYPE
) {
928 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
929 auth_info
.auth_type
));
933 if(!smb_io_rpc_auth_verifier("", &auth_verifier
, rpc_in_p
, 0)) {
934 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
938 if(!strequal(auth_verifier
.signature
, "NTLMSSP")) {
939 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
943 if(auth_verifier
.msg_type
!= NTLMSSP_NEGOTIATE
) {
944 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
945 auth_verifier
.msg_type
));
949 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg
, rpc_in_p
, 0)) {
950 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
954 p
->ntlmssp_chal_flags
= SMBD_NTLMSSP_NEG_FLAGS
;
955 p
->ntlmssp_auth_requested
= True
;
958 switch(p
->hdr
.pkt_type
) {
960 /* name has to be \PIPE\xxxxx */
961 fstrcpy(ack_pipe_name
, "\\PIPE\\");
962 fstrcat(ack_pipe_name
, p
->pipe_srv_name
);
963 reply_pkt_type
= RPC_BINDACK
;
966 /* secondary address CAN be NULL
967 * as the specs say it's ignored.
968 * It MUST NULL to have the spoolss working.
970 fstrcpy(ack_pipe_name
,"");
971 reply_pkt_type
= RPC_ALTCONTRESP
;
977 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__
));
980 * Marshall directly into the outgoing PDU space. We
981 * must do this as we need to set to the bind response
982 * header and are never sending more than one PDU here.
985 prs_init( &outgoing_rpc
, 0, p
->mem_ctx
, MARSHALL
);
986 prs_give_memory( &outgoing_rpc
, (char *)p
->out_data
.current_pdu
, sizeof(p
->out_data
.current_pdu
), False
);
989 * Setup the memory to marshall the ba header, and the
993 if(!prs_init(&out_hdr_ba
, 1024, p
->mem_ctx
, MARSHALL
)) {
994 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
995 prs_mem_free(&outgoing_rpc
);
999 if(!prs_init(&out_auth
, 1024, p
->mem_ctx
, MARSHALL
)) {
1000 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1001 prs_mem_free(&outgoing_rpc
);
1002 prs_mem_free(&out_hdr_ba
);
1006 if (p
->ntlmssp_auth_requested
)
1009 assoc_gid
= hdr_rb
.bba
.assoc_gid
? hdr_rb
.bba
.assoc_gid
: 0x53f0;
1012 * Create the bind response struct.
1015 /* If the requested abstract synt uuid doesn't match our client pipe,
1016 reject the bind_ack & set the transfer interface synt to all 0's,
1017 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1019 Needed when adding entries to a DACL from NT5 - SK */
1021 if(check_bind_req(p
->name
, &hdr_rb
.abstract
, &hdr_rb
.transfer
)) {
1022 init_rpc_hdr_ba(&hdr_ba
,
1030 RPC_IFACE null_interface
;
1031 ZERO_STRUCT(null_interface
);
1032 /* Rejection reason: abstract syntax not supported */
1033 init_rpc_hdr_ba(&hdr_ba
, MAX_PDU_FRAG_LEN
,
1034 MAX_PDU_FRAG_LEN
, assoc_gid
,
1035 ack_pipe_name
, 0x1, 0x2, 0x1,
1043 if(!smb_io_rpc_hdr_ba("", &hdr_ba
, &out_hdr_ba
, 0)) {
1044 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1049 * Now the authentication.
1052 if (p
->ntlmssp_auth_requested
) {
1053 RPC_AUTH_VERIFIER auth_verifier
;
1054 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal
;
1056 generate_random_buffer(p
->challenge
, 8, False
);
1058 /*** Authentication info ***/
1060 init_rpc_hdr_auth(&auth_info
, NTLMSSP_AUTH_TYPE
, NTLMSSP_AUTH_LEVEL
, RPC_HDR_AUTH_LEN
, 1);
1061 if(!smb_io_rpc_hdr_auth("", &auth_info
, &out_auth
, 0)) {
1062 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1066 /*** NTLMSSP verifier ***/
1068 init_rpc_auth_verifier(&auth_verifier
, "NTLMSSP", NTLMSSP_CHALLENGE
);
1069 if(!smb_io_rpc_auth_verifier("", &auth_verifier
, &out_auth
, 0)) {
1070 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1074 /* NTLMSSP challenge ***/
1076 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal
, p
->ntlmssp_chal_flags
, p
->challenge
);
1077 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal
, &out_auth
, 0)) {
1078 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1082 /* Auth len in the rpc header doesn't include auth_header. */
1083 auth_len
= prs_offset(&out_auth
) - RPC_HDR_AUTH_LEN
;
1087 * Create the header, now we know the length.
1090 init_rpc_hdr(&p
->hdr
, reply_pkt_type
, RPC_FLG_FIRST
| RPC_FLG_LAST
,
1092 RPC_HEADER_LEN
+ prs_offset(&out_hdr_ba
) + prs_offset(&out_auth
),
1096 * Marshall the header into the outgoing PDU.
1099 if(!smb_io_rpc_hdr("", &p
->hdr
, &outgoing_rpc
, 0)) {
1100 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1105 * Now add the RPC_HDR_BA and any auth needed.
1108 if(!prs_append_prs_data( &outgoing_rpc
, &out_hdr_ba
)) {
1109 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1113 if(p
->ntlmssp_auth_requested
&& !prs_append_prs_data( &outgoing_rpc
, &out_auth
)) {
1114 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1118 if(!p
->ntlmssp_auth_requested
)
1119 p
->pipe_bound
= True
;
1122 * Setup the lengths for the initial reply.
1125 p
->out_data
.data_sent_length
= 0;
1126 p
->out_data
.current_pdu_len
= prs_offset(&outgoing_rpc
);
1127 p
->out_data
.current_pdu_sent
= 0;
1129 prs_mem_free(&out_hdr_ba
);
1130 prs_mem_free(&out_auth
);
1136 prs_mem_free(&outgoing_rpc
);
1137 prs_mem_free(&out_hdr_ba
);
1138 prs_mem_free(&out_auth
);
1142 /****************************************************************************
1143 Deal with sign & seal processing on an RPC request.
1144 ****************************************************************************/
1146 BOOL
api_pipe_auth_process(pipes_struct
*p
, prs_struct
*rpc_in
)
1149 * We always negotiate the following two bits....
1151 BOOL auth_verify
= ((p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_SIGN
) != 0);
1152 BOOL auth_seal
= ((p
->ntlmssp_chal_flags
& NTLMSSP_NEGOTIATE_SEAL
) != 0);
1158 auth_len
= p
->hdr
.auth_len
;
1160 if ((auth_len
!= RPC_AUTH_NTLMSSP_CHK_LEN
) && auth_verify
) {
1161 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len
));
1166 * The following is that length of the data we must verify or unseal.
1167 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1168 * preceeding the auth_data.
1171 data_len
= p
->hdr
.frag_len
- RPC_HEADER_LEN
- RPC_HDR_REQ_LEN
-
1172 (auth_verify
? RPC_HDR_AUTH_LEN
: 0) - auth_len
;
1174 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1175 BOOLSTR(auth_verify
), BOOLSTR(auth_seal
), data_len
, auth_len
));
1179 * The data in rpc_in doesn't contain the RPC_HEADER as this
1180 * has already been consumed.
1182 char *data
= prs_data_p(rpc_in
) + RPC_HDR_REQ_LEN
;
1183 NTLMSSPcalc_p(p
, (uchar
*)data
, data_len
);
1184 crc32
= crc32_calc_buffer(data
, data_len
);
1187 old_offset
= prs_offset(rpc_in
);
1189 if (auth_seal
|| auth_verify
) {
1190 RPC_HDR_AUTH auth_info
;
1192 if(!prs_set_offset(rpc_in
, old_offset
+ data_len
)) {
1193 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1194 (unsigned int)old_offset
+ data_len
));
1198 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info
, rpc_in
, 0)) {
1199 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1205 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk
;
1206 char *req_data
= prs_data_p(rpc_in
) + prs_offset(rpc_in
) + 4;
1208 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in
) + 4));
1211 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1214 if(prs_mem_get(rpc_in
, RPC_AUTH_NTLMSSP_CHK_LEN
- 4) == NULL
) {
1215 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1216 RPC_AUTH_NTLMSSP_CHK_LEN
- 4 ));
1220 NTLMSSPcalc_p(p
, (uchar
*)req_data
, RPC_AUTH_NTLMSSP_CHK_LEN
- 4);
1221 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk
, rpc_in
, 0)) {
1222 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1226 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk
, crc32
, p
->ntlmssp_seq_num
)) {
1227 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1233 * Return the current pointer to the data offset.
1236 if(!prs_set_offset(rpc_in
, old_offset
)) {
1237 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1238 (unsigned int)old_offset
));
1245 /****************************************************************************
1246 Return a user struct for a pipe user.
1247 ****************************************************************************/
1249 struct current_user
*get_current_user(struct current_user
*user
, pipes_struct
*p
)
1251 if (p
->ntlmssp_auth_validated
) {
1252 memcpy(user
, &p
->pipe_user
, sizeof(struct current_user
));
1254 extern struct current_user current_user
;
1255 memcpy(user
, ¤t_user
, sizeof(struct current_user
));
1261 /****************************************************************************
1262 Find the correct RPC function to call for this request.
1263 If the pipe is authenticated then become the correct UNIX user
1264 before doing the call.
1265 ****************************************************************************/
1267 BOOL
api_pipe_request(pipes_struct
*p
)
1272 if (p
->ntlmssp_auth_validated
) {
1274 if(!become_authenticated_pipe_user(p
)) {
1275 prs_mem_free(&p
->out_data
.rdata
);
1280 DEBUG(5, ("Requested \\PIPE\\%s\n", p
->name
));
1282 for (i
= 0; i
< rpc_lookup_size
; i
++) {
1283 if (strequal(rpc_lookup
[i
].pipe
.clnt
, p
->name
)) {
1284 DEBUG(3,("Doing \\PIPE\\%s\n",
1285 rpc_lookup
[i
].pipe
.clnt
));
1286 set_current_rpc_talloc(p
->mem_ctx
);
1287 ret
= api_rpcTNP(p
, rpc_lookup
[i
].pipe
.clnt
,
1289 rpc_lookup
[i
].n_cmds
);
1290 set_current_rpc_talloc(NULL
);
1296 if (i
== rpc_lookup_size
) {
1297 for (i
= 0; api_fd_commands
[i
].name
; i
++) {
1298 if (strequal(api_fd_commands
[i
].name
, p
->name
)) {
1299 api_fd_commands
[i
].init();
1304 if (!api_fd_commands
[i
].name
) {
1305 rpc_load_module(p
->name
);
1308 for (i
= 0; i
< rpc_lookup_size
; i
++) {
1309 if (strequal(rpc_lookup
[i
].pipe
.clnt
, p
->name
)) {
1310 DEBUG(3,("Doing \\PIPE\\%s\n",
1311 rpc_lookup
[i
].pipe
.clnt
));
1312 set_current_rpc_talloc(p
->mem_ctx
);
1313 ret
= api_rpcTNP(p
, rpc_lookup
[i
].pipe
.clnt
,
1315 rpc_lookup
[i
].n_cmds
);
1316 set_current_rpc_talloc(NULL
);
1322 if(p
->ntlmssp_auth_validated
)
1323 unbecome_authenticated_pipe_user();
1328 /*******************************************************************
1329 Calls the underlying RPC function for a named pipe.
1330 ********************************************************************/
1332 BOOL
api_rpcTNP(pipes_struct
*p
, const char *rpc_name
,
1333 const struct api_struct
*api_rpc_cmds
, int n_cmds
)
1337 uint32 offset1
, offset2
;
1339 /* interpret the command */
1340 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name
, p
->hdr_req
.opnum
));
1342 slprintf(name
, sizeof(name
)-1, "in_%s", rpc_name
);
1343 prs_dump(name
, p
->hdr_req
.opnum
, &p
->in_data
.data
);
1345 for (fn_num
= 0; fn_num
< n_cmds
; fn_num
++) {
1346 if (api_rpc_cmds
[fn_num
].opnum
== p
->hdr_req
.opnum
&& api_rpc_cmds
[fn_num
].fn
!= NULL
) {
1347 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds
[fn_num
].name
));
1352 if (fn_num
== n_cmds
) {
1354 * For an unknown RPC just return a fault PDU but
1355 * return True to allow RPC's on the pipe to continue
1356 * and not put the pipe into fault state. JRA.
1358 DEBUG(4, ("unknown\n"));
1359 setup_fault_pdu(p
, NT_STATUS(0x1c010002));
1363 offset1
= prs_offset(&p
->out_data
.rdata
);
1365 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1366 fn_num
, api_rpc_cmds
[fn_num
].fn
));
1367 /* do the actual command */
1368 if(!api_rpc_cmds
[fn_num
].fn(p
)) {
1369 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name
, api_rpc_cmds
[fn_num
].name
));
1370 prs_mem_free(&p
->out_data
.rdata
);
1374 if (p
->bad_handle_fault_state
) {
1375 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1376 p
->bad_handle_fault_state
= False
;
1377 setup_fault_pdu(p
, NT_STATUS(0x1C00001A));
1381 slprintf(name
, sizeof(name
)-1, "out_%s", rpc_name
);
1382 offset2
= prs_offset(&p
->out_data
.rdata
);
1383 prs_set_offset(&p
->out_data
.rdata
, offset1
);
1384 prs_dump(name
, p
->hdr_req
.opnum
, &p
->out_data
.rdata
);
1385 prs_set_offset(&p
->out_data
.rdata
, offset2
);
1387 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name
));
1389 /* Check for buffer underflow in rpc parsing */
1391 if ((DEBUGLEVEL
>= 10) &&
1392 (p
->in_data
.data
.data_offset
!= p
->in_data
.data
.buffer_size
)) {
1393 int data_len
= p
->in_data
.data
.buffer_size
-
1394 p
->in_data
.data
.data_offset
;
1397 data
= malloc(data_len
);
1399 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1401 prs_uint8s(False
, "", &p
->in_data
.data
, 0, (unsigned char *)data
,