search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Commit just a little more infrastructure for HAVE_GETDIRENTRIES
[Samba/gebeck_regimport.git] / source3 / rpc_server / srv_pipe.c
blob4c4b3e7af3707e5ec8ac95c31199769a38b0bff5
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Anthony Liguori 2003.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
28 *
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
32 *
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
36 *
37 * ... if you read the docs. or stare at packets for weeks on end.
38 *
39 */
40
41 #include "includes.h"
42
43 #undef DBGC_CLASS
44 #define DBGC_CLASS DBGC_RPC_SRV
45
46 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
47 {
48 unsigned char *hash = p->ntlmssp_hash;
49 unsigned char index_i = hash[256];
50 unsigned char index_j = hash[257];
51 int ind;
52
53 for( ind = 0; ind < len; ind++) {
54 unsigned char tc;
55 unsigned char t;
56
57 index_i++;
58 index_j += hash[index_i];
59
60 tc = hash[index_i];
61 hash[index_i] = hash[index_j];
62 hash[index_j] = tc;
63
64 t = hash[index_i] + hash[index_j];
65 data[ind] = data[ind] ^ hash[t];
66 }
67
68 hash[256] = index_i;
69 hash[257] = index_j;
70 }
71
72 /*******************************************************************
73 Generate the next PDU to be returned from the data in p->rdata.
74 We cheat here as this function doesn't handle the special auth
75 footers of the authenticated bind response reply.
76 ********************************************************************/
77
78 BOOL create_next_pdu(pipes_struct *p)
79 {
80 RPC_HDR_RESP hdr_resp;
81 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
82 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
83 uint32 data_len;
84 uint32 data_space_available;
85 uint32 data_len_left;
86 prs_struct outgoing_pdu;
87 char *data;
88 char *data_from;
89 uint32 data_pos;
90
91 /*
92 * If we're in the fault state, keep returning fault PDU's until
93 * the pipe gets closed. JRA.
94 */
95
96 if(p->fault_state) {
97 setup_fault_pdu(p, NT_STATUS(0x1c010002));
98 return True;
99 }
100
101 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
102
103 /* Change the incoming request header to a response. */
104 p->hdr.pkt_type = RPC_RESPONSE;
105
106 /* Set up rpc header flags. */
107 if (p->out_data.data_sent_length == 0)
108 p->hdr.flags = RPC_FLG_FIRST;
109 else
110 p->hdr.flags = 0;
111
112 /*
113 * Work out how much we can fit in a single PDU.
114 */
115
116 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
117 if(p->ntlmssp_auth_validated)
118 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
119
120 /*
121 * The amount we send is the minimum of the available
122 * space and the amount left to send.
123 */
124
125 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
126
127 /*
128 * Ensure there really is data left to send.
129 */
130
131 if(!data_len_left) {
132 DEBUG(0,("create_next_pdu: no data left to send !\n"));
133 return False;
134 }
135
136 data_len = MIN(data_len_left, data_space_available);
137
138 /*
139 * Set up the alloc hint. This should be the data left to
140 * send.
141 */
142
143 hdr_resp.alloc_hint = data_len_left;
144
145 /*
146 * Set up the header lengths.
147 */
148
149 if (p->ntlmssp_auth_validated) {
150 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
151 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
152 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
153 } else {
154 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
155 p->hdr.auth_len = 0;
156 }
157
158 /*
159 * Work out if this PDU will be the last.
160 */
161
162 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
163 p->hdr.flags |= RPC_FLG_LAST;
164
165 /*
166 * Init the parse struct to point at the outgoing
167 * data.
168 */
169
170 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
171 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
172
173 /* Store the header in the data stream. */
174 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
175 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
176 prs_mem_free(&outgoing_pdu);
177 return False;
178 }
179
180 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
181 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
182 prs_mem_free(&outgoing_pdu);
183 return False;
184 }
185
186 /* Store the current offset. */
187 data_pos = prs_offset(&outgoing_pdu);
188
189 /* Copy the data into the PDU. */
190 data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
191
192 if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
193 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
194 prs_mem_free(&outgoing_pdu);
195 return False;
196 }
197
198 /*
199 * Set data to point to where we copied the data into.
200 */
201
202 data = prs_data_p(&outgoing_pdu) + data_pos;
203
204 if (p->hdr.auth_len > 0) {
205 uint32 crc32 = 0;
206
207 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
208 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
209
210 if (auth_seal) {
211 crc32 = crc32_calc_buffer(data, data_len);
212 NTLMSSPcalc_p(p, (uchar*)data, data_len);
213 }
214
215 if (auth_seal || auth_verify) {
216 RPC_HDR_AUTH auth_info;
217
218 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL,
219 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
220 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
221 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
222 prs_mem_free(&outgoing_pdu);
223 return False;
224 }
225 }
226
227 if (auth_verify) {
228 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
229 char *auth_data = prs_data_p(&outgoing_pdu);
230
231 p->ntlmssp_seq_num++;
232 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
233 crc32, p->ntlmssp_seq_num++);
234 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
235 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
236 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
237 prs_mem_free(&outgoing_pdu);
238 return False;
239 }
240 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
241 }
242 }
243
244 /*
245 * Setup the counts for this PDU.
246 */
247
248 p->out_data.data_sent_length += data_len;
249 p->out_data.current_pdu_len = p->hdr.frag_len;
250 p->out_data.current_pdu_sent = 0;
251
252 prs_mem_free(&outgoing_pdu);
253 return True;
254 }
255
256 /*******************************************************************
257 Process an NTLMSSP authentication response.
258 If this function succeeds, the user has been authenticated
259 and their domain, name and calling workstation stored in
260 the pipe struct.
261 The initial challenge is stored in p->challenge.
262 *******************************************************************/
263
264 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
265 {
266 uchar lm_owf[24];
267 uchar nt_owf[128];
268 int nt_pw_len;
269 int lm_pw_len;
270 fstring user_name;
271 fstring domain;
272 fstring wks;
273
274 NTSTATUS nt_status;
275
276 struct auth_context *auth_context = NULL;
277 auth_usersupplied_info *user_info = NULL;
278 auth_serversupplied_info *server_info = NULL;
279
280 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
281
282 memset(p->user_name, '\0', sizeof(p->user_name));
283 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
284 memset(p->domain, '\0', sizeof(p->domain));
285 memset(p->wks, '\0', sizeof(p->wks));
286
287 /* Set up for non-authenticated user. */
288 delete_nt_token(&p->pipe_user.nt_user_token);
289 p->pipe_user.ngroups = 0;
290 SAFE_FREE( p->pipe_user.groups);
291
292 /*
293 * Setup an empty password for a guest user.
294 */
295
296 /*
297 * We always negotiate UNICODE.
298 */
299
300 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
301 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
302 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
303 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
304 } else {
305 pull_ascii_fstring(user_name, ntlmssp_resp->user);
306 pull_ascii_fstring(domain, ntlmssp_resp->domain);
307 pull_ascii_fstring(wks, ntlmssp_resp->wks);
308 }
309
310 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
311
312 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
313 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
314
315 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
316 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
317
318 #ifdef DEBUG_PASSWORD
319 DEBUG(100,("lm, nt owfs, chal\n"));
320 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
321 dump_data(100, (char *)nt_owf, nt_pw_len);
322 dump_data(100, (char *)p->challenge, 8);
323 #endif
324
325 /*
326 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
327 */
328
329 if (*user_name) {
330
331 /*
332 * Do the length checking only if user is not NULL.
333 */
334
335 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
336 return False;
337 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
338 return False;
339 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
340 return False;
341 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
342 return False;
343 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
344 return False;
345
346 }
347
348 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
349
350 if (!make_user_info_netlogon_network(&user_info,
351 user_name, domain, wks,
352 lm_owf, lm_pw_len,
353 nt_owf, nt_pw_len)) {
354 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
355 return False;
356 }
357
358 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
359
360 (auth_context->free)(&auth_context);
361 free_user_info(&user_info);
362
363 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
364
365 if (!p->ntlmssp_auth_validated) {
366 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
367 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
368 free_server_info(&server_info);
369 return False;
370 }
371
372 /*
373 * Set up the sign/seal data.
374 */
375
376 {
377 uchar p24[24];
378 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
379 {
380 unsigned char j = 0;
381 int ind;
382
383 unsigned char k2[8];
384
385 memcpy(k2, p24, 5);
386 k2[5] = 0xe5;
387 k2[6] = 0x38;
388 k2[7] = 0xb0;
389
390 for (ind = 0; ind < 256; ind++)
391 p->ntlmssp_hash[ind] = (unsigned char)ind;
392
393 for( ind = 0; ind < 256; ind++) {
394 unsigned char tc;
395
396 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
397
398 tc = p->ntlmssp_hash[ind];
399 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
400 p->ntlmssp_hash[j] = tc;
401 }
402
403 p->ntlmssp_hash[256] = 0;
404 p->ntlmssp_hash[257] = 0;
405 }
406 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
407 p->ntlmssp_seq_num = 0;
408
409 }
410
411 fstrcpy(p->user_name, user_name);
412 fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
413 fstrcpy(p->domain, domain);
414 fstrcpy(p->wks, wks);
415
416 /*
417 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
418 */
419
420 if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
421 DEBUG(0,("Attempted authenticated pipe with invalid user. No uid/gid in SAM_ACCOUNT\n"));
422 free_server_info(&server_info);
423 return False;
424 }
425
426 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
427
428 p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
429 p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
430
431 p->pipe_user.ngroups = server_info->n_groups;
432 if (p->pipe_user.ngroups) {
433 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
434 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
435 free_server_info(&server_info);
436 return False;
437 }
438 }
439
440 if (server_info->ptok)
441 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
442 else {
443 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
444 p->pipe_user.nt_user_token = NULL;
445 free_server_info(&server_info);
446 return False;
447 }
448
449 p->ntlmssp_auth_validated = True;
450
451 free_server_info(&server_info);
452 return True;
453 }
454
455 /*******************************************************************
456 The switch table for the pipe names and the functions to handle them.
457 *******************************************************************/
458
459 struct api_cmd
460 {
461 const char *name;
462 int (*init)(void);
463 };
464
465 static struct api_cmd api_fd_commands[] =
466 {
467 #ifndef RPC_LSA_DYNAMIC
468 { "lsarpc", rpc_lsa_init },
469 #endif
470 #ifndef RPC_SAMR_DYNAMIC
471 { "samr", rpc_samr_init },
472 #endif
473 #ifndef RPC_SVC_DYNAMIC
474 { "srvsvc", rpc_srv_init },
475 #endif
476 #ifndef RPC_WKS_DYNAMIC
477 { "wkssvc", rpc_wks_init },
478 #endif
479 #ifndef RPC_NETLOG_DYNAMIC
480 { "NETLOGON", rpc_net_init },
481 #endif
482 #ifndef RPC_REG_DYNAMIC
483 { "winreg", rpc_reg_init },
484 #endif
485 #ifndef RPC_SPOOLSS_DYNAMIC
486 { "spoolss", rpc_spoolss_init },
487 #endif
488 #ifndef RPC_DFS_DYNAMIC
489 { "netdfs", rpc_dfs_init },
490 #endif
491 { NULL, NULL }
492 };
493
494 struct rpc_table
495 {
496 struct
497 {
498 const char *clnt;
499 const char *srv;
500 } pipe;
501 struct api_struct *cmds;
502 int n_cmds;
503 };
504
505 static struct rpc_table *rpc_lookup;
506 static int rpc_lookup_size;
507
508 /*******************************************************************
509 This is the client reply to our challenge for an authenticated
510 bind request. The challenge we sent is in p->challenge.
511 *******************************************************************/
512
513 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
514 {
515 RPC_HDR_AUTHA autha_info;
516 RPC_AUTH_VERIFIER auth_verifier;
517 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
518
519 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
520
521 if (p->hdr.auth_len == 0) {
522 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
523 return False;
524 }
525
526 /*
527 * Decode the authentication verifier response.
528 */
529
530 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
531 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
532 return False;
533 }
534
535 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
536 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
537 (int)autha_info.auth_type, (int)autha_info.auth_level ));
538 return False;
539 }
540
541 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
542 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
543 return False;
544 }
545
546 /*
547 * Ensure this is a NTLMSSP_AUTH packet type.
548 */
549
550 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
551 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
552 return False;
553 }
554
555 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
556 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
557 return False;
558 }
559
560 /*
561 * The following call actually checks the challenge/response data.
562 * for correctness against the given DOMAIN\user name.
563 */
564
565 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
566 return False;
567
568 p->pipe_bound = True
569 ;
570 return True;
571 }
572
573 /*******************************************************************
574 Marshall a bind_nak pdu.
575 *******************************************************************/
576
577 static BOOL setup_bind_nak(pipes_struct *p)
578 {
579 prs_struct outgoing_rpc;
580 RPC_HDR nak_hdr;
581 uint16 zero = 0;
582
583 /* Free any memory in the current return data buffer. */
584 prs_mem_free(&p->out_data.rdata);
585
586 /*
587 * Marshall directly into the outgoing PDU space. We
588 * must do this as we need to set to the bind response
589 * header and are never sending more than one PDU here.
590 */
591
592 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
593 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
594
595
596 /*
597 * Initialize a bind_nak header.
598 */
599
600 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
601 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
602
603 /*
604 * Marshall the header into the outgoing PDU.
605 */
606
607 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
608 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
609 prs_mem_free(&outgoing_rpc);
610 return False;
611 }
612
613 /*
614 * Now add the reject reason.
615 */
616
617 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
618 prs_mem_free(&outgoing_rpc);
619 return False;
620 }
621
622 p->out_data.data_sent_length = 0;
623 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
624 p->out_data.current_pdu_sent = 0;
625
626 p->pipe_bound = False;
627
628 return True;
629 }
630
631 /*******************************************************************
632 Marshall a fault pdu.
633 *******************************************************************/
634
635 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
636 {
637 prs_struct outgoing_pdu;
638 RPC_HDR fault_hdr;
639 RPC_HDR_RESP hdr_resp;
640 RPC_HDR_FAULT fault_resp;
641
642 /* Free any memory in the current return data buffer. */
643 prs_mem_free(&p->out_data.rdata);
644
645 /*
646 * Marshall directly into the outgoing PDU space. We
647 * must do this as we need to set to the bind response
648 * header and are never sending more than one PDU here.
649 */
650
651 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
652 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
653
654 /*
655 * Initialize a fault header.
656 */
657
658 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
659 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
660
661 /*
662 * Initialize the HDR_RESP and FAULT parts of the PDU.
663 */
664
665 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
666
667 fault_resp.status = status;
668 fault_resp.reserved = 0;
669
670 /*
671 * Marshall the header into the outgoing PDU.
672 */
673
674 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
675 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
676 prs_mem_free(&outgoing_pdu);
677 return False;
678 }
679
680 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
681 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
682 prs_mem_free(&outgoing_pdu);
683 return False;
684 }
685
686 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
687 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
688 prs_mem_free(&outgoing_pdu);
689 return False;
690 }
691
692 p->out_data.data_sent_length = 0;
693 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
694 p->out_data.current_pdu_sent = 0;
695
696 prs_mem_free(&outgoing_pdu);
697 return True;
698 }
699
700 /*******************************************************************
701 Ensure a bind request has the correct abstract & transfer interface.
702 Used to reject unknown binds from Win2k.
703 *******************************************************************/
704
705 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
706 RPC_IFACE* transfer)
707 {
708 extern struct pipe_id_info pipe_names[];
709 int i=0;
710 fstring pname;
711 fstrcpy(pname,"\\PIPE\\");
712 fstrcat(pname,pipe_name);
713
714 DEBUG(3,("check_bind_req for %s\n", pname));
715
716 #ifndef SUPPORT_NEW_LSARPC_UUID
717
718 /* check for the first pipe matching the name */
719
720 for ( i=0; pipe_names[i].client_pipe; i++ ) {
721 if ( strequal(pipe_names[i].client_pipe, pname) )
722 break;
723 }
724 #else
725 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
726
727 for ( i=0; pipe_names[i].client_pipe; i++ )
728 {
729 if ( strequal(pipe_names[i].client_pipe, pname)
730 && (abstract->version == pipe_names[i].abstr_syntax.version)
731 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) == 0)
732 && (transfer->version == pipe_names[i].trans_syntax.version)
733 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) == 0) )
734 {
735 break;
736 }
737 }
738 #endif
739
740 if(pipe_names[i].client_pipe == NULL)
741 return False;
742
743 #ifndef SUPPORT_NEW_LSARPC_UUID
744 /* check the abstract interface */
745 if ( (abstract->version != pipe_names[i].abstr_syntax.version)
746 || (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) != 0) )
747 {
748 return False;
749 }
750
751 /* check the transfer interface */
752 if ( (transfer->version != pipe_names[i].trans_syntax.version)
753 || (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) != 0) )
754 {
755 return False;
756 }
757 #endif
758 return True;
759 }
760
761 /*******************************************************************
762 Register commands to an RPC pipe
763 *******************************************************************/
764 int rpc_pipe_register_commands(const char *clnt, const char *srv, const struct api_struct *cmds, int size)
765 {
766 struct rpc_table *rpc_entry;
767
768
769 /* We use a temporary variable because this call can fail and
770 rpc_lookup will still be valid afterwards. It could then succeed if
771 called again later */
772 rpc_entry = realloc(rpc_lookup,
773 ++rpc_lookup_size*sizeof(struct rpc_table));
774 if (NULL == rpc_entry) {
775 rpc_lookup_size--;
776 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
777 return 0;
778 } else {
779 rpc_lookup = rpc_entry;
780 }
781
782 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
783 ZERO_STRUCTP(rpc_entry);
784 rpc_entry->pipe.clnt = strdup(clnt);
785 rpc_entry->pipe.srv = strdup(srv);
786 rpc_entry->cmds = realloc(rpc_entry->cmds,
787 (rpc_entry->n_cmds + size) *
788 sizeof(struct api_struct));
789 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
790 size * sizeof(struct api_struct));
791 rpc_entry->n_cmds += size;
792
793 return size;
794 }
795
796 /*******************************************************************
797 Register commands to an RPC pipe
798 *******************************************************************/
799 int rpc_load_module(const char *module)
800 {
801 #ifdef HAVE_DLOPEN
802 void *handle;
803 int (*module_init)(void);
804 pstring full_path;
805 char *error;
806
807 pstrcpy(full_path, lib_path("rpc"));
808 pstrcat(full_path, "/librpc_");
809 pstrcat(full_path, module);
810 pstrcat(full_path, ".");
811 pstrcat(full_path, shlib_ext());
812
813 handle = sys_dlopen(full_path, RTLD_LAZY);
814 if (!handle) {
815 DEBUG(0, ("Could not load requested pipe %s as %s\n",
816 module, full_path));
817 DEBUG(0, (" Error: %s\n", dlerror()));
818 return 0;
819 }
820
821 DEBUG(3, ("Module '%s' loaded\n", full_path));
822
823 module_init = sys_dlsym(handle, "rpc_pipe_init");
824 if ((error = sys_dlerror()) != NULL) {
825 DEBUG(0, ("Error trying to resolve symbol 'rpc_pipe_init' in %s: %s\n",
826 full_path, error));
827 return 0;
828 }
829
830 return module_init();
831 #else
832 DEBUG(0,("Attempting to load a dynamic RPC pipe when dlopen isn't available\n"));
833 return 0;
834 #endif
835 }
836
837 /*******************************************************************
838 Respond to a pipe bind request.
839 *******************************************************************/
840
841 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
842 {
843 RPC_HDR_BA hdr_ba;
844 RPC_HDR_RB hdr_rb;
845 RPC_HDR_AUTH auth_info;
846 uint16 assoc_gid;
847 fstring ack_pipe_name;
848 prs_struct out_hdr_ba;
849 prs_struct out_auth;
850 prs_struct outgoing_rpc;
851 int i = 0;
852 int auth_len = 0;
853 enum RPC_PKT_TYPE reply_pkt_type;
854
855 p->ntlmssp_auth_requested = False;
856
857 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
858
859 /*
860 * Try and find the correct pipe name to ensure
861 * that this is a pipe name we support.
862 */
863
864
865 for (i = 0; i < rpc_lookup_size; i++) {
866 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
867 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
868 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
869 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
870 break;
871 }
872 }
873
874 if (i == rpc_lookup_size) {
875 for (i = 0; api_fd_commands[i].name; i++) {
876 if (strequal(api_fd_commands[i].name, p->name)) {
877 api_fd_commands[i].init();
878 break;
879 }
880 }
881
882 if (!api_fd_commands[i].name && !rpc_load_module(p->name)) {
883 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
884 p->name ));
885 if(!setup_bind_nak(p))
886 return False;
887 return True;
888 }
889
890 for (i = 0; i < rpc_lookup_size; i++) {
891 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
892 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
893 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
894 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
895 break;
896 }
897 }
898 }
899
900 /* decode the bind request */
901 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
902 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
903 return False;
904 }
905
906 /*
907 * Check if this is an authenticated request.
908 */
909
910 if (p->hdr.auth_len != 0) {
911 RPC_AUTH_VERIFIER auth_verifier;
912 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
913
914 /*
915 * Decode the authentication verifier.
916 */
917
918 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
919 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
920 return False;
921 }
922
923 /*
924 * We only support NTLMSSP_AUTH_TYPE requests.
925 */
926
927 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
928 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
929 auth_info.auth_type ));
930 return False;
931 }
932
933 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
934 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
935 return False;
936 }
937
938 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
939 DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
940 return False;
941 }
942
943 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
944 DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
945 auth_verifier.msg_type));
946 return False;
947 }
948
949 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
950 DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
951 return False;
952 }
953
954 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
955 p->ntlmssp_auth_requested = True;
956 }
957
958 switch(p->hdr.pkt_type) {
959 case RPC_BIND:
960 /* name has to be \PIPE\xxxxx */
961 fstrcpy(ack_pipe_name, "\\PIPE\\");
962 fstrcat(ack_pipe_name, p->pipe_srv_name);
963 reply_pkt_type = RPC_BINDACK;
964 break;
965 case RPC_ALTCONT:
966 /* secondary address CAN be NULL
967 * as the specs say it's ignored.
968 * It MUST NULL to have the spoolss working.
969 */
970 fstrcpy(ack_pipe_name,"");
971 reply_pkt_type = RPC_ALTCONTRESP;
972 break;
973 default:
974 return False;
975 }
976
977 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
978
979 /*
980 * Marshall directly into the outgoing PDU space. We
981 * must do this as we need to set to the bind response
982 * header and are never sending more than one PDU here.
983 */
984
985 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
986 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
987
988 /*
989 * Setup the memory to marshall the ba header, and the
990 * auth footers.
991 */
992
993 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
994 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
995 prs_mem_free(&outgoing_rpc);
996 return False;
997 }
998
999 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1000 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1001 prs_mem_free(&outgoing_rpc);
1002 prs_mem_free(&out_hdr_ba);
1003 return False;
1004 }
1005
1006 if (p->ntlmssp_auth_requested)
1007 assoc_gid = 0x7a77;
1008 else
1009 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1010
1011 /*
1012 * Create the bind response struct.
1013 */
1014
1015 /* If the requested abstract synt uuid doesn't match our client pipe,
1016 reject the bind_ack & set the transfer interface synt to all 0's,
1017 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1018 unknown to NT4)
1019 Needed when adding entries to a DACL from NT5 - SK */
1020
1021 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
1022 init_rpc_hdr_ba(&hdr_ba,
1023 MAX_PDU_FRAG_LEN,
1024 MAX_PDU_FRAG_LEN,
1025 assoc_gid,
1026 ack_pipe_name,
1027 0x1, 0x0, 0x0,
1028 &hdr_rb.transfer);
1029 } else {
1030 RPC_IFACE null_interface;
1031 ZERO_STRUCT(null_interface);
1032 /* Rejection reason: abstract syntax not supported */
1033 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1034 MAX_PDU_FRAG_LEN, assoc_gid,
1035 ack_pipe_name, 0x1, 0x2, 0x1,
1036 &null_interface);
1037 }
1038
1039 /*
1040 * and marshall it.
1041 */
1042
1043 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1044 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1045 goto err_exit;
1046 }
1047
1048 /*
1049 * Now the authentication.
1050 */
1051
1052 if (p->ntlmssp_auth_requested) {
1053 RPC_AUTH_VERIFIER auth_verifier;
1054 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1055
1056 generate_random_buffer(p->challenge, 8, False);
1057
1058 /*** Authentication info ***/
1059
1060 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
1061 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1062 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1063 goto err_exit;
1064 }
1065
1066 /*** NTLMSSP verifier ***/
1067
1068 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1069 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1070 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1071 goto err_exit;
1072 }
1073
1074 /* NTLMSSP challenge ***/
1075
1076 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1077 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1078 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1079 goto err_exit;
1080 }
1081
1082 /* Auth len in the rpc header doesn't include auth_header. */
1083 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1084 }
1085
1086 /*
1087 * Create the header, now we know the length.
1088 */
1089
1090 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1091 p->hdr.call_id,
1092 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1093 auth_len);
1094
1095 /*
1096 * Marshall the header into the outgoing PDU.
1097 */
1098
1099 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1100 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1101 goto err_exit;
1102 }
1103
1104 /*
1105 * Now add the RPC_HDR_BA and any auth needed.
1106 */
1107
1108 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1109 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1110 goto err_exit;
1111 }
1112
1113 if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1114 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1115 goto err_exit;
1116 }
1117
1118 if(!p->ntlmssp_auth_requested)
1119 p->pipe_bound = True;
1120
1121 /*
1122 * Setup the lengths for the initial reply.
1123 */
1124
1125 p->out_data.data_sent_length = 0;
1126 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1127 p->out_data.current_pdu_sent = 0;
1128
1129 prs_mem_free(&out_hdr_ba);
1130 prs_mem_free(&out_auth);
1131
1132 return True;
1133
1134 err_exit:
1135
1136 prs_mem_free(&outgoing_rpc);
1137 prs_mem_free(&out_hdr_ba);
1138 prs_mem_free(&out_auth);
1139 return False;
1140 }
1141
1142 /****************************************************************************
1143 Deal with sign & seal processing on an RPC request.
1144 ****************************************************************************/
1145
1146 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1147 {
1148 /*
1149 * We always negotiate the following two bits....
1150 */
1151 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1152 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1153 int data_len;
1154 int auth_len;
1155 uint32 old_offset;
1156 uint32 crc32 = 0;
1157
1158 auth_len = p->hdr.auth_len;
1159
1160 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1161 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1162 return False;
1163 }
1164
1165 /*
1166 * The following is that length of the data we must verify or unseal.
1167 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1168 * preceeding the auth_data.
1169 */
1170
1171 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1172 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1173
1174 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1175 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1176
1177 if (auth_seal) {
1178 /*
1179 * The data in rpc_in doesn't contain the RPC_HEADER as this
1180 * has already been consumed.
1181 */
1182 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1183 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1184 crc32 = crc32_calc_buffer(data, data_len);
1185 }
1186
1187 old_offset = prs_offset(rpc_in);
1188
1189 if (auth_seal || auth_verify) {
1190 RPC_HDR_AUTH auth_info;
1191
1192 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1193 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1194 (unsigned int)old_offset + data_len ));
1195 return False;
1196 }
1197
1198 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1199 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1200 return False;
1201 }
1202 }
1203
1204 if (auth_verify) {
1205 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1206 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1207
1208 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1209
1210 /*
1211 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1212 * incoming buffer.
1213 */
1214 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1215 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1216 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1217 return False;
1218 }
1219
1220 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1221 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1222 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1223 return False;
1224 }
1225
1226 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1227 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1228 return False;
1229 }
1230 }
1231
1232 /*
1233 * Return the current pointer to the data offset.
1234 */
1235
1236 if(!prs_set_offset(rpc_in, old_offset)) {
1237 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1238 (unsigned int)old_offset ));
1239 return False;
1240 }
1241
1242 return True;
1243 }
1244
1245 /****************************************************************************
1246 Return a user struct for a pipe user.
1247 ****************************************************************************/
1248
1249 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1250 {
1251 if (p->ntlmssp_auth_validated) {
1252 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1253 } else {
1254 extern struct current_user current_user;
1255 memcpy(user, &current_user, sizeof(struct current_user));
1256 }
1257
1258 return user;
1259 }
1260
1261 /****************************************************************************
1262 Find the correct RPC function to call for this request.
1263 If the pipe is authenticated then become the correct UNIX user
1264 before doing the call.
1265 ****************************************************************************/
1266
1267 BOOL api_pipe_request(pipes_struct *p)
1268 {
1269 int i = 0;
1270 BOOL ret = False;
1271
1272 if (p->ntlmssp_auth_validated) {
1273
1274 if(!become_authenticated_pipe_user(p)) {
1275 prs_mem_free(&p->out_data.rdata);
1276 return False;
1277 }
1278 }
1279
1280 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1281
1282 for (i = 0; i < rpc_lookup_size; i++) {
1283 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1284 DEBUG(3,("Doing \\PIPE\\%s\n",
1285 rpc_lookup[i].pipe.clnt));
1286 set_current_rpc_talloc(p->mem_ctx);
1287 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1288 rpc_lookup[i].cmds,
1289 rpc_lookup[i].n_cmds);
1290 set_current_rpc_talloc(NULL);
1291 break;
1292 }
1293 }
1294
1295
1296 if (i == rpc_lookup_size) {
1297 for (i = 0; api_fd_commands[i].name; i++) {
1298 if (strequal(api_fd_commands[i].name, p->name)) {
1299 api_fd_commands[i].init();
1300 break;
1301 }
1302 }
1303
1304 if (!api_fd_commands[i].name) {
1305 rpc_load_module(p->name);
1306 }
1307
1308 for (i = 0; i < rpc_lookup_size; i++) {
1309 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1310 DEBUG(3,("Doing \\PIPE\\%s\n",
1311 rpc_lookup[i].pipe.clnt));
1312 set_current_rpc_talloc(p->mem_ctx);
1313 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1314 rpc_lookup[i].cmds,
1315 rpc_lookup[i].n_cmds);
1316 set_current_rpc_talloc(NULL);
1317 break;
1318 }
1319 }
1320 }
1321
1322 if(p->ntlmssp_auth_validated)
1323 unbecome_authenticated_pipe_user();
1324
1325 return ret;
1326 }
1327
1328 /*******************************************************************
1329 Calls the underlying RPC function for a named pipe.
1330 ********************************************************************/
1331
1332 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1333 const struct api_struct *api_rpc_cmds, int n_cmds)
1334 {
1335 int fn_num;
1336 fstring name;
1337 uint32 offset1, offset2;
1338
1339 /* interpret the command */
1340 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1341
1342 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1343 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1344
1345 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1346 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1347 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1348 break;
1349 }
1350 }
1351
1352 if (fn_num == n_cmds) {
1353 /*
1354 * For an unknown RPC just return a fault PDU but
1355 * return True to allow RPC's on the pipe to continue
1356 * and not put the pipe into fault state. JRA.
1357 */
1358 DEBUG(4, ("unknown\n"));
1359 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1360 return True;
1361 }
1362
1363 offset1 = prs_offset(&p->out_data.rdata);
1364
1365 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1366 fn_num, api_rpc_cmds[fn_num].fn));
1367 /* do the actual command */
1368 if(!api_rpc_cmds[fn_num].fn(p)) {
1369 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1370 prs_mem_free(&p->out_data.rdata);
1371 return False;
1372 }
1373
1374 if (p->bad_handle_fault_state) {
1375 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1376 p->bad_handle_fault_state = False;
1377 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1378 return True;
1379 }
1380
1381 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1382 offset2 = prs_offset(&p->out_data.rdata);
1383 prs_set_offset(&p->out_data.rdata, offset1);
1384 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1385 prs_set_offset(&p->out_data.rdata, offset2);
1386
1387 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1388
1389 /* Check for buffer underflow in rpc parsing */
1390
1391 if ((DEBUGLEVEL >= 10) &&
1392 (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1393 int data_len = p->in_data.data.buffer_size -
1394 p->in_data.data.data_offset;
1395 char *data;
1396
1397 data = malloc(data_len);
1398
1399 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1400 if (data) {
1401 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,
1402 data_len);
1403 SAFE_FREE(data);
1404 }
1405
1406 }
1407
1408 return True;
1409 }
reg import