search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fixed build warning "passing arg from incompatible pointer type"
[Samba.git] / source / rpc_client / cli_pipe.c
blob35256d713bd509a28ca35d0da45aabb6e69153fd
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Largely rewritten by Jeremy Allison 2005.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21
22 #undef DBGC_CLASS
23 #define DBGC_CLASS DBGC_RPC_CLI
24
25 extern struct pipe_id_info pipe_names[];
26
27 /********************************************************************
28 Map internal value to wire value.
29 ********************************************************************/
30
31 static int map_pipe_auth_type_to_rpc_auth_type(enum pipe_auth_type auth_type)
32 {
33 switch (auth_type) {
34
35 case PIPE_AUTH_TYPE_NONE:
36 return RPC_ANONYMOUS_AUTH_TYPE;
37
38 case PIPE_AUTH_TYPE_NTLMSSP:
39 return RPC_NTLMSSP_AUTH_TYPE;
40
41 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
42 case PIPE_AUTH_TYPE_SPNEGO_KRB5:
43 return RPC_SPNEGO_AUTH_TYPE;
44
45 case PIPE_AUTH_TYPE_SCHANNEL:
46 return RPC_SCHANNEL_AUTH_TYPE;
47
48 case PIPE_AUTH_TYPE_KRB5:
49 return RPC_KRB5_AUTH_TYPE;
50
51 default:
52 DEBUG(0,("map_pipe_auth_type_to_rpc_type: unknown pipe "
53 "auth type %u\n",
54 (unsigned int)auth_type ));
55 break;
56 }
57 return -1;
58 }
59
60 /********************************************************************
61 Rpc pipe call id.
62 ********************************************************************/
63
64 static uint32 get_rpc_call_id(void)
65 {
66 static uint32 call_id = 0;
67 return ++call_id;
68 }
69
70 /*******************************************************************
71 Use SMBreadX to get rest of one fragment's worth of rpc data.
72 Will expand the current_pdu struct to the correct size.
73 ********************************************************************/
74
75 static NTSTATUS rpc_read(struct rpc_pipe_client *cli,
76 prs_struct *current_pdu,
77 uint32 data_to_read,
78 uint32 *current_pdu_offset)
79 {
80 size_t size = (size_t)cli->max_recv_frag;
81 uint32 stream_offset = 0;
82 ssize_t num_read;
83 char *pdata;
84 ssize_t extra_data_size = ((ssize_t)*current_pdu_offset) + ((ssize_t)data_to_read) - (ssize_t)prs_data_size(current_pdu);
85
86 DEBUG(5,("rpc_read: data_to_read: %u current_pdu offset: %u extra_data_size: %d\n",
87 (unsigned int)data_to_read, (unsigned int)*current_pdu_offset, (int)extra_data_size ));
88
89 /*
90 * Grow the buffer if needed to accommodate the data to be read.
91 */
92
93 if (extra_data_size > 0) {
94 if(!prs_force_grow(current_pdu, (uint32)extra_data_size)) {
95 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", (int)extra_data_size ));
96 return NT_STATUS_NO_MEMORY;
97 }
98 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", (int)extra_data_size, prs_data_size(current_pdu) ));
99 }
100
101 pdata = prs_data_p(current_pdu) + *current_pdu_offset;
102
103 do {
104 /* read data using SMBreadX */
105 if (size > (size_t)data_to_read) {
106 size = (size_t)data_to_read;
107 }
108
109 num_read = cli_read(cli->cli, cli->fnum, pdata,
110 (off_t)stream_offset, size);
111
112 DEBUG(5,("rpc_read: num_read = %d, read offset: %u, to read: %u\n",
113 (int)num_read, (unsigned int)stream_offset, (unsigned int)data_to_read));
114
115 /*
116 * A dos error of ERRDOS/ERRmoredata is not an error.
117 */
118 if (cli_is_dos_error(cli->cli)) {
119 uint32 ecode;
120 uint8 eclass;
121 cli_dos_error(cli->cli, &eclass, &ecode);
122 if (eclass != ERRDOS && ecode != ERRmoredata) {
123 DEBUG(0,("rpc_read: DOS Error %d/%u (%s) in cli_read on pipe %s\n",
124 eclass, (unsigned int)ecode,
125 cli_errstr(cli->cli),
126 cli->pipe_name ));
127 return dos_to_ntstatus(eclass, ecode);
128 }
129 }
130
131 /*
132 * Likewise for NT_STATUS_BUFFER_TOO_SMALL
133 */
134 if (cli_is_nt_error(cli->cli)) {
135 if (!NT_STATUS_EQUAL(cli_nt_error(cli->cli), NT_STATUS_BUFFER_TOO_SMALL)) {
136 DEBUG(0,("rpc_read: Error (%s) in cli_read on pipe %s\n",
137 nt_errstr(cli_nt_error(cli->cli)),
138 cli->pipe_name ));
139 return cli_nt_error(cli->cli);
140 }
141 }
142
143 if (num_read == -1) {
144 DEBUG(0,("rpc_read: Error - cli_read on pipe %s returned -1\n",
145 cli->pipe_name ));
146 return cli_get_nt_error(cli->cli);
147 }
148
149 data_to_read -= num_read;
150 stream_offset += num_read;
151 pdata += num_read;
152
153 } while (num_read > 0 && data_to_read > 0);
154 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
155
156 /*
157 * Update the current offset into current_pdu by the amount read.
158 */
159 *current_pdu_offset += stream_offset;
160 return NT_STATUS_OK;
161 }
162
163 /****************************************************************************
164 Try and get a PDU's worth of data from current_pdu. If not, then read more
165 from the wire.
166 ****************************************************************************/
167
168 static NTSTATUS cli_pipe_get_current_pdu(struct rpc_pipe_client *cli, RPC_HDR *prhdr, prs_struct *current_pdu)
169 {
170 NTSTATUS ret = NT_STATUS_OK;
171 uint32 current_pdu_len = prs_data_size(current_pdu);
172
173 /* Ensure we have at least RPC_HEADER_LEN worth of data to parse. */
174 if (current_pdu_len < RPC_HEADER_LEN) {
175 /* rpc_read expands the current_pdu struct as neccessary. */
176 ret = rpc_read(cli, current_pdu, RPC_HEADER_LEN - current_pdu_len, &current_pdu_len);
177 if (!NT_STATUS_IS_OK(ret)) {
178 return ret;
179 }
180 }
181
182 /* This next call sets the endian bit correctly in current_pdu. */
183 /* We will propagate this to rbuf later. */
184 if(!smb_io_rpc_hdr("rpc_hdr ", prhdr, current_pdu, 0)) {
185 DEBUG(0,("cli_pipe_get_current_pdu: Failed to unmarshall RPC_HDR.\n"));
186 return NT_STATUS_BUFFER_TOO_SMALL;
187 }
188
189 /* Ensure we have frag_len bytes of data. */
190 if (current_pdu_len < prhdr->frag_len) {
191 /* rpc_read expands the current_pdu struct as neccessary. */
192 ret = rpc_read(cli, current_pdu, (uint32)prhdr->frag_len - current_pdu_len, &current_pdu_len);
193 if (!NT_STATUS_IS_OK(ret)) {
194 return ret;
195 }
196 }
197
198 if (current_pdu_len < prhdr->frag_len) {
199 return NT_STATUS_BUFFER_TOO_SMALL;
200 }
201
202 return NT_STATUS_OK;
203 }
204
205 /****************************************************************************
206 NTLMSSP specific sign/seal.
207 Virtually identical to rpc_server/srv_pipe.c:api_pipe_ntlmssp_auth_process.
208 In fact I should probably abstract these into identical pieces of code... JRA.
209 ****************************************************************************/
210
211 static NTSTATUS cli_pipe_verify_ntlmssp(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
212 prs_struct *current_pdu,
213 uint8 *p_ss_padding_len)
214 {
215 RPC_HDR_AUTH auth_info;
216 uint32 save_offset = prs_offset(current_pdu);
217 uint32 auth_len = prhdr->auth_len;
218 NTLMSSP_STATE *ntlmssp_state = cli->auth.a_u.ntlmssp_state;
219 unsigned char *data = NULL;
220 size_t data_len;
221 unsigned char *full_packet_data = NULL;
222 size_t full_packet_data_len;
223 DATA_BLOB auth_blob;
224 NTSTATUS status;
225
226 if (cli->auth.auth_level == PIPE_AUTH_LEVEL_NONE || cli->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
227 return NT_STATUS_OK;
228 }
229
230 if (!ntlmssp_state) {
231 return NT_STATUS_INVALID_PARAMETER;
232 }
233
234 /* Ensure there's enough data for an authenticated response. */
235 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
236 (RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_AUTH_LEN + auth_len > prhdr->frag_len)) {
237 DEBUG(0,("cli_pipe_verify_ntlmssp: auth_len %u is too large.\n",
238 (unsigned int)auth_len ));
239 return NT_STATUS_BUFFER_TOO_SMALL;
240 }
241
242 /*
243 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
244 * after the RPC header.
245 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
246 * functions as NTLMv2 checks the rpc headers also.
247 */
248
249 data = (unsigned char *)(prs_data_p(current_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN);
250 data_len = (size_t)(prhdr->frag_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len);
251
252 full_packet_data = (unsigned char *)prs_data_p(current_pdu);
253 full_packet_data_len = prhdr->frag_len - auth_len;
254
255 /* Pull the auth header and the following data into a blob. */
256 if(!prs_set_offset(current_pdu, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len)) {
257 DEBUG(0,("cli_pipe_verify_ntlmssp: cannot move offset to %u.\n",
258 (unsigned int)RPC_HEADER_LEN + (unsigned int)RPC_HDR_RESP_LEN + (unsigned int)data_len ));
259 return NT_STATUS_BUFFER_TOO_SMALL;
260 }
261
262 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, current_pdu, 0)) {
263 DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unmarshall RPC_HDR_AUTH.\n"));
264 return NT_STATUS_BUFFER_TOO_SMALL;
265 }
266
267 auth_blob.data = (unsigned char *)prs_data_p(current_pdu) + prs_offset(current_pdu);
268 auth_blob.length = auth_len;
269
270 switch (cli->auth.auth_level) {
271 case PIPE_AUTH_LEVEL_PRIVACY:
272 /* Data is encrypted. */
273 status = ntlmssp_unseal_packet(ntlmssp_state,
274 data, data_len,
275 full_packet_data,
276 full_packet_data_len,
277 &auth_blob);
278 if (!NT_STATUS_IS_OK(status)) {
279 DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unseal "
280 "packet from remote machine %s on pipe %s "
281 "fnum 0x%x. Error was %s.\n",
282 cli->cli->desthost,
283 cli->pipe_name,
284 (unsigned int)cli->fnum,
285 nt_errstr(status) ));
286 return status;
287 }
288 break;
289 case PIPE_AUTH_LEVEL_INTEGRITY:
290 /* Data is signed. */
291 status = ntlmssp_check_packet(ntlmssp_state,
292 data, data_len,
293 full_packet_data,
294 full_packet_data_len,
295 &auth_blob);
296 if (!NT_STATUS_IS_OK(status)) {
297 DEBUG(0,("cli_pipe_verify_ntlmssp: check signing failed on "
298 "packet from remote machine %s on pipe %s "
299 "fnum 0x%x. Error was %s.\n",
300 cli->cli->desthost,
301 cli->pipe_name,
302 (unsigned int)cli->fnum,
303 nt_errstr(status) ));
304 return status;
305 }
306 break;
307 default:
308 DEBUG(0,("cli_pipe_verify_ntlmssp: unknown internal auth level %d\n",
309 cli->auth.auth_level ));
310 return NT_STATUS_INVALID_INFO_CLASS;
311 }
312
313 /*
314 * Return the current pointer to the data offset.
315 */
316
317 if(!prs_set_offset(current_pdu, save_offset)) {
318 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
319 (unsigned int)save_offset ));
320 return NT_STATUS_BUFFER_TOO_SMALL;
321 }
322
323 /*
324 * Remember the padding length. We must remove it from the real data
325 * stream once the sign/seal is done.
326 */
327
328 *p_ss_padding_len = auth_info.auth_pad_len;
329
330 return NT_STATUS_OK;
331 }
332
333 /****************************************************************************
334 schannel specific sign/seal.
335 ****************************************************************************/
336
337 static NTSTATUS cli_pipe_verify_schannel(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
338 prs_struct *current_pdu,
339 uint8 *p_ss_padding_len)
340 {
341 RPC_HDR_AUTH auth_info;
342 RPC_AUTH_SCHANNEL_CHK schannel_chk;
343 uint32 auth_len = prhdr->auth_len;
344 uint32 save_offset = prs_offset(current_pdu);
345 struct schannel_auth_struct *schannel_auth = cli->auth.a_u.schannel_auth;
346 uint32 data_len;
347
348 if (cli->auth.auth_level == PIPE_AUTH_LEVEL_NONE || cli->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
349 return NT_STATUS_OK;
350 }
351
352 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
353 DEBUG(0,("cli_pipe_verify_schannel: auth_len %u.\n", (unsigned int)auth_len ));
354 return NT_STATUS_INVALID_PARAMETER;
355 }
356
357 if (!schannel_auth) {
358 return NT_STATUS_INVALID_PARAMETER;
359 }
360
361 /* Ensure there's enough data for an authenticated response. */
362 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
363 (RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_AUTH_LEN + auth_len > prhdr->frag_len)) {
364 DEBUG(0,("cli_pipe_verify_schannel: auth_len %u is too large.\n",
365 (unsigned int)auth_len ));
366 return NT_STATUS_INVALID_PARAMETER;
367 }
368
369 data_len = prhdr->frag_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
370
371 if(!prs_set_offset(current_pdu, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len)) {
372 DEBUG(0,("cli_pipe_verify_schannel: cannot move offset to %u.\n",
373 (unsigned int)RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len ));
374 return NT_STATUS_BUFFER_TOO_SMALL;
375 }
376
377 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, current_pdu, 0)) {
378 DEBUG(0,("cli_pipe_verify_schannel: failed to unmarshall RPC_HDR_AUTH.\n"));
379 return NT_STATUS_BUFFER_TOO_SMALL;
380 }
381
382 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
383 DEBUG(0,("cli_pipe_verify_schannel: Invalid auth info %d on schannel\n",
384 auth_info.auth_type));
385 return NT_STATUS_BUFFER_TOO_SMALL;
386 }
387
388 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
389 &schannel_chk, current_pdu, 0)) {
390 DEBUG(0,("cli_pipe_verify_schannel: failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
391 return NT_STATUS_BUFFER_TOO_SMALL;
392 }
393
394 if (!schannel_decode(schannel_auth,
395 cli->auth.auth_level,
396 SENDER_IS_ACCEPTOR,
397 &schannel_chk,
398 prs_data_p(current_pdu)+RPC_HEADER_LEN+RPC_HDR_RESP_LEN,
399 data_len)) {
400 DEBUG(3,("cli_pipe_verify_schannel: failed to decode PDU "
401 "Connection to remote machine %s "
402 "pipe %s fnum 0x%x.\n",
403 cli->cli->desthost,
404 cli->pipe_name,
405 (unsigned int)cli->fnum ));
406 return NT_STATUS_INVALID_PARAMETER;
407 }
408
409 /* The sequence number gets incremented on both send and receive. */
410 schannel_auth->seq_num++;
411
412 /*
413 * Return the current pointer to the data offset.
414 */
415
416 if(!prs_set_offset(current_pdu, save_offset)) {
417 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
418 (unsigned int)save_offset ));
419 return NT_STATUS_BUFFER_TOO_SMALL;
420 }
421
422 /*
423 * Remember the padding length. We must remove it from the real data
424 * stream once the sign/seal is done.
425 */
426
427 *p_ss_padding_len = auth_info.auth_pad_len;
428
429 return NT_STATUS_OK;
430 }
431
432 /****************************************************************************
433 Do the authentication checks on an incoming pdu. Check sign and unseal etc.
434 ****************************************************************************/
435
436 static NTSTATUS cli_pipe_validate_rpc_response(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
437 prs_struct *current_pdu,
438 uint8 *p_ss_padding_len)
439 {
440 NTSTATUS ret = NT_STATUS_OK;
441
442 /* Paranioa checks for auth_len. */
443 if (prhdr->auth_len) {
444 if (prhdr->auth_len > prhdr->frag_len) {
445 return NT_STATUS_INVALID_PARAMETER;
446 }
447
448 if (prhdr->auth_len + (unsigned int)RPC_HDR_AUTH_LEN < prhdr->auth_len ||
449 prhdr->auth_len + (unsigned int)RPC_HDR_AUTH_LEN < (unsigned int)RPC_HDR_AUTH_LEN) {
450 /* Integer wrap attempt. */
451 return NT_STATUS_INVALID_PARAMETER;
452 }
453 }
454
455 /*
456 * Now we have a complete RPC request PDU fragment, try and verify any auth data.
457 */
458
459 switch(cli->auth.auth_type) {
460 case PIPE_AUTH_TYPE_NONE:
461 if (prhdr->auth_len) {
462 DEBUG(3, ("cli_pipe_validate_rpc_response: Connection to remote machine %s "
463 "pipe %s fnum 0x%x - got non-zero auth len %u.\n",
464 cli->cli->desthost,
465 cli->pipe_name,
466 (unsigned int)cli->fnum,
467 (unsigned int)prhdr->auth_len ));
468 return NT_STATUS_INVALID_PARAMETER;
469 }
470 break;
471
472 case PIPE_AUTH_TYPE_NTLMSSP:
473 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
474 ret = cli_pipe_verify_ntlmssp(cli, prhdr, current_pdu, p_ss_padding_len);
475 if (!NT_STATUS_IS_OK(ret)) {
476 return ret;
477 }
478 break;
479
480 case PIPE_AUTH_TYPE_SCHANNEL:
481 ret = cli_pipe_verify_schannel(cli, prhdr, current_pdu, p_ss_padding_len);
482 if (!NT_STATUS_IS_OK(ret)) {
483 return ret;
484 }
485 break;
486
487 case PIPE_AUTH_TYPE_KRB5:
488 case PIPE_AUTH_TYPE_SPNEGO_KRB5:
489 default:
490 DEBUG(3, ("cli_pipe_validate_rpc_response: Connection to remote machine %s "
491 "pipe %s fnum %x - unknown internal auth type %u.\n",
492 cli->cli->desthost,
493 cli->pipe_name,
494 (unsigned int)cli->fnum,
495 cli->auth.auth_type ));
496 return NT_STATUS_INVALID_INFO_CLASS;
497 }
498
499 return NT_STATUS_OK;
500 }
501
502 /****************************************************************************
503 Do basic authentication checks on an incoming pdu.
504 ****************************************************************************/
505
506 static NTSTATUS cli_pipe_validate_current_pdu(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
507 prs_struct *current_pdu,
508 uint8 expected_pkt_type,
509 char **ppdata,
510 uint32 *pdata_len,
511 prs_struct *return_data)
512 {
513
514 NTSTATUS ret = NT_STATUS_OK;
515 uint32 current_pdu_len = prs_data_size(current_pdu);
516
517 if (current_pdu_len != prhdr->frag_len) {
518 DEBUG(5,("cli_pipe_validate_current_pdu: incorrect pdu length %u, expected %u\n",
519 (unsigned int)current_pdu_len, (unsigned int)prhdr->frag_len ));
520 return NT_STATUS_INVALID_PARAMETER;
521 }
522
523 /*
524 * Point the return values at the real data including the RPC
525 * header. Just in case the caller wants it.
526 */
527 *ppdata = prs_data_p(current_pdu);
528 *pdata_len = current_pdu_len;
529
530 /* Ensure we have the correct type. */
531 switch (prhdr->pkt_type) {
532 case RPC_ALTCONTRESP:
533 case RPC_BINDACK:
534
535 /* Alter context and bind ack share the same packet definitions. */
536 break;
537
538
539 case RPC_RESPONSE:
540 {
541 RPC_HDR_RESP rhdr_resp;
542 uint8 ss_padding_len = 0;
543
544 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, current_pdu, 0)) {
545 DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_RESP.\n"));
546 return NT_STATUS_BUFFER_TOO_SMALL;
547 }
548
549 /* Here's where we deal with incoming sign/seal. */
550 ret = cli_pipe_validate_rpc_response(cli, prhdr,
551 current_pdu, &ss_padding_len);
552 if (!NT_STATUS_IS_OK(ret)) {
553 return ret;
554 }
555
556 /* Point the return values at the NDR data. Remember to remove any ss padding. */
557 *ppdata = prs_data_p(current_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
558
559 if (current_pdu_len < RPC_HEADER_LEN + RPC_HDR_RESP_LEN + ss_padding_len) {
560 return NT_STATUS_BUFFER_TOO_SMALL;
561 }
562
563 *pdata_len = current_pdu_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - ss_padding_len;
564
565 /* Remember to remove the auth footer. */
566 if (prhdr->auth_len) {
567 /* We've already done integer wrap tests on auth_len in
568 cli_pipe_validate_rpc_response(). */
569 if (*pdata_len < RPC_HDR_AUTH_LEN + prhdr->auth_len) {
570 return NT_STATUS_BUFFER_TOO_SMALL;
571 }
572 *pdata_len -= (RPC_HDR_AUTH_LEN + prhdr->auth_len);
573 }
574
575 DEBUG(10,("cli_pipe_validate_current_pdu: got pdu len %u, data_len %u, ss_len %u\n",
576 current_pdu_len, *pdata_len, ss_padding_len ));
577
578 /*
579 * If this is the first reply, and the allocation hint is reasonably, try and
580 * set up the return_data parse_struct to the correct size.
581 */
582
583 if ((prs_data_size(return_data) == 0) && rhdr_resp.alloc_hint && (rhdr_resp.alloc_hint < 15*1024*1024)) {
584 if (!prs_set_buffer_size(return_data, rhdr_resp.alloc_hint)) {
585 DEBUG(0,("cli_pipe_validate_current_pdu: reply alloc hint %u "
586 "too large to allocate\n",
587 (unsigned int)rhdr_resp.alloc_hint ));
588 return NT_STATUS_NO_MEMORY;
589 }
590 }
591
592 break;
593 }
594
595 case RPC_BINDNACK:
596 DEBUG(1, ("cli_pipe_validate_current_pdu: Bind NACK received from remote machine %s "
597 "pipe %s fnum 0x%x!\n",
598 cli->cli->desthost,
599 cli->pipe_name,
600 (unsigned int)cli->fnum));
601 /* Use this for now... */
602 return NT_STATUS_NETWORK_ACCESS_DENIED;
603
604 case RPC_FAULT:
605 {
606 RPC_HDR_RESP rhdr_resp;
607 RPC_HDR_FAULT fault_resp;
608
609 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, current_pdu, 0)) {
610 DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_RESP.\n"));
611 return NT_STATUS_BUFFER_TOO_SMALL;
612 }
613
614 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, current_pdu, 0)) {
615 DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_FAULT.\n"));
616 return NT_STATUS_BUFFER_TOO_SMALL;
617 }
618
619 DEBUG(1, ("cli_pipe_validate_current_pdu: RPC fault code %s received from remote machine %s "
620 "pipe %s fnum 0x%x!\n",
621 dcerpc_errstr(NT_STATUS_V(fault_resp.status)),
622 cli->cli->desthost,
623 cli->pipe_name,
624 (unsigned int)cli->fnum));
625 if (NT_STATUS_IS_OK(fault_resp.status)) {
626 return NT_STATUS_UNSUCCESSFUL;
627 } else {
628 return fault_resp.status;
629 }
630
631 }
632
633 default:
634 DEBUG(0, ("cli_pipe_validate_current_pdu: unknown packet type %u received "
635 "from remote machine %s pipe %s fnum 0x%x!\n",
636 (unsigned int)prhdr->pkt_type,
637 cli->cli->desthost,
638 cli->pipe_name,
639 (unsigned int)cli->fnum));
640 return NT_STATUS_INVALID_INFO_CLASS;
641 }
642
643 if (prhdr->pkt_type != expected_pkt_type) {
644 DEBUG(3, ("cli_pipe_validate_current_pdu: Connection to remote machine %s "
645 "pipe %s fnum %x got an unexpected RPC packet "
646 "type - %u, not %u\n",
647 cli->cli->desthost,
648 cli->pipe_name,
649 (unsigned int)cli->fnum,
650 prhdr->pkt_type,
651 expected_pkt_type));
652 return NT_STATUS_INVALID_INFO_CLASS;
653 }
654
655 /* Do this just before return - we don't want to modify any rpc header
656 data before now as we may have needed to do cryptographic actions on
657 it before. */
658
659 if ((prhdr->pkt_type == RPC_BINDACK) && !(prhdr->flags & RPC_FLG_LAST)) {
660 DEBUG(5,("cli_pipe_validate_current_pdu: bug in server (AS/U?), "
661 "setting fragment first/last ON.\n"));
662 prhdr->flags |= RPC_FLG_FIRST|RPC_FLG_LAST;
663 }
664
665 return NT_STATUS_OK;
666 }
667
668 /****************************************************************************
669 Ensure we eat the just processed pdu from the current_pdu prs_struct.
670 Normally the frag_len and buffer size will match, but on the first trans
671 reply there is a theoretical chance that buffer size > frag_len, so we must
672 deal with that.
673 ****************************************************************************/
674
675 static NTSTATUS cli_pipe_reset_current_pdu(struct rpc_pipe_client *cli, RPC_HDR *prhdr, prs_struct *current_pdu)
676 {
677 uint32 current_pdu_len = prs_data_size(current_pdu);
678
679 if (current_pdu_len < prhdr->frag_len) {
680 return NT_STATUS_BUFFER_TOO_SMALL;
681 }
682
683 /* Common case. */
684 if (current_pdu_len == (uint32)prhdr->frag_len) {
685 prs_mem_free(current_pdu);
686 prs_init_empty(current_pdu, prs_get_mem_context(current_pdu), UNMARSHALL);
687 /* Make current_pdu dynamic with no memory. */
688 prs_give_memory(current_pdu, 0, 0, True);
689 return NT_STATUS_OK;
690 }
691
692 /*
693 * Oh no ! More data in buffer than we processed in current pdu.
694 * Cheat. Move the data down and shrink the buffer.
695 */
696
697 memcpy(prs_data_p(current_pdu), prs_data_p(current_pdu) + prhdr->frag_len,
698 current_pdu_len - prhdr->frag_len);
699
700 /* Remember to set the read offset back to zero. */
701 prs_set_offset(current_pdu, 0);
702
703 /* Shrink the buffer. */
704 if (!prs_set_buffer_size(current_pdu, current_pdu_len - prhdr->frag_len)) {
705 return NT_STATUS_BUFFER_TOO_SMALL;
706 }
707
708 return NT_STATUS_OK;
709 }
710
711 /****************************************************************************
712 Send data on an rpc pipe via trans. The prs_struct data must be the last
713 pdu fragment of an NDR data stream.
714
715 Receive response data from an rpc pipe, which may be large...
716
717 Read the first fragment: unfortunately have to use SMBtrans for the first
718 bit, then SMBreadX for subsequent bits.
719
720 If first fragment received also wasn't the last fragment, continue
721 getting fragments until we _do_ receive the last fragment.
722
723 Request/Response PDU's look like the following...
724
725 |<------------------PDU len----------------------------------------------->|
726 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
727
728 +------------+-----------------+-------------+---------------+-------------+
729 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
730 +------------+-----------------+-------------+---------------+-------------+
731
732 Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
733 signing & sealing being negotiated.
734
735 ****************************************************************************/
736
737 static NTSTATUS rpc_api_pipe(struct rpc_pipe_client *cli,
738 prs_struct *data, /* Outgoing pdu fragment, already formatted for send. */
739 prs_struct *rbuf, /* Incoming reply - return as an NDR stream. */
740 uint8 expected_pkt_type)
741 {
742 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
743 char *rparam = NULL;
744 uint32 rparam_len = 0;
745 uint16 setup[2];
746 char *pdata = prs_data_p(data);
747 uint32 data_len = prs_offset(data);
748 char *prdata = NULL;
749 uint32 rdata_len = 0;
750 uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : RPC_MAX_PDU_FRAG_LEN;
751 uint32 current_rbuf_offset = 0;
752 prs_struct current_pdu;
753
754 #ifdef DEVELOPER
755 /* Ensure we're not sending too much. */
756 SMB_ASSERT(data_len <= max_data);
757 #endif
758
759 /* Set up the current pdu parse struct. */
760 prs_init_empty(&current_pdu, prs_get_mem_context(rbuf), UNMARSHALL);
761
762 /* Create setup parameters - must be in native byte order. */
763 setup[0] = TRANSACT_DCERPCCMD;
764 setup[1] = cli->fnum; /* Pipe file handle. */
765
766 DEBUG(5,("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x\n",
767 cli->cli->desthost,
768 cli->pipe_name,
769 (unsigned int)cli->fnum ));
770
771 /*
772 * Send the last (or only) fragment of an RPC request. For small
773 * amounts of data (about 1024 bytes or so) the RPC request and response
774 * appears in a SMBtrans request and response.
775 */
776
777 if (!cli_api_pipe(cli->cli, "\\PIPE\\",
778 setup, 2, 0, /* Setup, length, max */
779 NULL, 0, 0, /* Params, length, max */
780 pdata, data_len, max_data, /* data, length, max */
781 &rparam, &rparam_len, /* return params, len */
782 &prdata, &rdata_len)) /* return data, len */
783 {
784 DEBUG(0, ("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x "
785 "returned critical error. Error was %s\n",
786 cli->cli->desthost,
787 cli->pipe_name,
788 (unsigned int)cli->fnum,
789 cli_errstr(cli->cli)));
790 ret = cli_get_nt_error(cli->cli);
791 SAFE_FREE(rparam);
792 SAFE_FREE(prdata);
793 goto err;
794 }
795
796 /* Throw away returned params - we know we won't use them. */
797
798 SAFE_FREE(rparam);
799
800 if (prdata == NULL) {
801 DEBUG(3,("rpc_api_pipe: Remote machine %s pipe %s "
802 "fnum 0x%x failed to return data.\n",
803 cli->cli->desthost,
804 cli->pipe_name,
805 (unsigned int)cli->fnum));
806 /* Yes - some calls can truely return no data... */
807 prs_mem_free(&current_pdu);
808 return NT_STATUS_OK;
809 }
810
811 /*
812 * Give this memory as dynamic to the current pdu.
813 */
814
815 prs_give_memory(&current_pdu, prdata, rdata_len, True);
816
817 /* Ensure we can mess with the return prs_struct. */
818 SMB_ASSERT(UNMARSHALLING(rbuf));
819 SMB_ASSERT(prs_data_size(rbuf) == 0);
820
821 /* Make rbuf dynamic with no memory. */
822 prs_give_memory(rbuf, 0, 0, True);
823
824 while(1) {
825 RPC_HDR rhdr;
826 char *ret_data = NULL;
827 uint32 ret_data_len = 0;
828
829 /* Ensure we have enough data for a pdu. */
830 ret = cli_pipe_get_current_pdu(cli, &rhdr, &current_pdu);
831 if (!NT_STATUS_IS_OK(ret)) {
832 goto err;
833 }
834
835 /* We pass in rbuf here so if the alloc hint is set correctly
836 we can set the output size and avoid reallocs. */
837
838 ret = cli_pipe_validate_current_pdu(cli, &rhdr, &current_pdu, expected_pkt_type,
839 &ret_data, &ret_data_len, rbuf);
840
841 DEBUG(10,("rpc_api_pipe: got PDU len of %u at offset %u\n",
842 prs_data_size(&current_pdu), current_rbuf_offset ));
843
844 if (!NT_STATUS_IS_OK(ret)) {
845 goto err;
846 }
847
848 if ((rhdr.flags & RPC_FLG_FIRST)) {
849 if (rhdr.pack_type[0] == 0) {
850 /* Set the data type correctly for big-endian data on the first packet. */
851 DEBUG(10,("rpc_api_pipe: On machine %s pipe %s fnum 0x%x "
852 "PDU data format is big-endian.\n",
853 cli->cli->desthost,
854 cli->pipe_name,
855 (unsigned int)cli->fnum));
856
857 prs_set_endian_data(rbuf, RPC_BIG_ENDIAN);
858 } else {
859 /* Check endianness on subsequent packets. */
860 if (current_pdu.bigendian_data != rbuf->bigendian_data) {
861 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
862 rbuf->bigendian_data ? "big" : "little",
863 current_pdu.bigendian_data ? "big" : "little" ));
864 ret = NT_STATUS_INVALID_PARAMETER;
865 goto err;
866 }
867 }
868 }
869
870 /* Now copy the data portion out of the pdu into rbuf. */
871 if (!prs_force_grow(rbuf, ret_data_len)) {
872 ret = NT_STATUS_NO_MEMORY;
873 goto err;
874 }
875 memcpy(prs_data_p(rbuf)+current_rbuf_offset, ret_data, (size_t)ret_data_len);
876 current_rbuf_offset += ret_data_len;
877
878 /* See if we've finished with all the data in current_pdu yet ? */
879 ret = cli_pipe_reset_current_pdu(cli, &rhdr, &current_pdu);
880 if (!NT_STATUS_IS_OK(ret)) {
881 goto err;
882 }
883
884 if (rhdr.flags & RPC_FLG_LAST) {
885 break; /* We're done. */
886 }
887 }
888
889 DEBUG(10,("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x returned %u bytes.\n",
890 cli->cli->desthost,
891 cli->pipe_name,
892 (unsigned int)cli->fnum,
893 (unsigned int)prs_data_size(rbuf) ));
894
895 prs_mem_free(&current_pdu);
896 return NT_STATUS_OK;
897
898 err:
899
900 prs_mem_free(&current_pdu);
901 prs_mem_free(rbuf);
902 return ret;
903 }
904
905 /*******************************************************************
906 Creates krb5 auth bind.
907 ********************************************************************/
908
909 static NTSTATUS create_krb5_auth_bind_req( struct rpc_pipe_client *cli,
910 enum pipe_auth_level auth_level,
911 RPC_HDR_AUTH *pauth_out,
912 prs_struct *auth_data)
913 {
914 #ifdef HAVE_KRB5
915 int ret;
916 struct kerberos_auth_struct *a = cli->auth.a_u.kerberos_auth;
917 DATA_BLOB tkt = data_blob_null;
918 DATA_BLOB tkt_wrapped = data_blob_null;
919
920 /* We may change the pad length before marshalling. */
921 init_rpc_hdr_auth(pauth_out, RPC_KRB5_AUTH_TYPE, (int)auth_level, 0, 1);
922
923 DEBUG(5, ("create_krb5_auth_bind_req: creating a service ticket for principal %s\n",
924 a->service_principal ));
925
926 /* Create the ticket for the service principal and return it in a gss-api wrapped blob. */
927
928 ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt,
929 &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL);
930
931 if (ret) {
932 DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s "
933 "failed with %s\n",
934 a->service_principal,
935 error_message(ret) ));
936
937 data_blob_free(&tkt);
938 prs_mem_free(auth_data);
939 return NT_STATUS_INVALID_PARAMETER;
940 }
941
942 /* wrap that up in a nice GSS-API wrapping */
943 tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
944
945 data_blob_free(&tkt);
946
947 /* Auth len in the rpc header doesn't include auth_header. */
948 if (!prs_copy_data_in(auth_data, (char *)tkt_wrapped.data, tkt_wrapped.length)) {
949 data_blob_free(&tkt_wrapped);
950 prs_mem_free(auth_data);
951 return NT_STATUS_NO_MEMORY;
952 }
953
954 DEBUG(5, ("create_krb5_auth_bind_req: Created krb5 GSS blob :\n"));
955 dump_data(5, tkt_wrapped.data, tkt_wrapped.length);
956
957 data_blob_free(&tkt_wrapped);
958 return NT_STATUS_OK;
959 #else
960 return NT_STATUS_INVALID_PARAMETER;
961 #endif
962 }
963
964 /*******************************************************************
965 Creates SPNEGO NTLMSSP auth bind.
966 ********************************************************************/
967
968 static NTSTATUS create_spnego_ntlmssp_auth_rpc_bind_req( struct rpc_pipe_client *cli,
969 enum pipe_auth_level auth_level,
970 RPC_HDR_AUTH *pauth_out,
971 prs_struct *auth_data)
972 {
973 NTSTATUS nt_status;
974 DATA_BLOB null_blob = data_blob_null;
975 DATA_BLOB request = data_blob_null;
976 DATA_BLOB spnego_msg = data_blob_null;
977
978 /* We may change the pad length before marshalling. */
979 init_rpc_hdr_auth(pauth_out, RPC_SPNEGO_AUTH_TYPE, (int)auth_level, 0, 1);
980
981 DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
982 nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
983 null_blob,
984 &request);
985
986 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
987 data_blob_free(&request);
988 prs_mem_free(auth_data);
989 return nt_status;
990 }
991
992 /* Wrap this in SPNEGO. */
993 spnego_msg = gen_negTokenInit(OID_NTLMSSP, request);
994
995 data_blob_free(&request);
996
997 /* Auth len in the rpc header doesn't include auth_header. */
998 if (!prs_copy_data_in(auth_data, (char *)spnego_msg.data, spnego_msg.length)) {
999 data_blob_free(&spnego_msg);
1000 prs_mem_free(auth_data);
1001 return NT_STATUS_NO_MEMORY;
1002 }
1003
1004 DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1005 dump_data(5, spnego_msg.data, spnego_msg.length);
1006
1007 data_blob_free(&spnego_msg);
1008 return NT_STATUS_OK;
1009 }
1010
1011 /*******************************************************************
1012 Creates NTLMSSP auth bind.
1013 ********************************************************************/
1014
1015 static NTSTATUS create_ntlmssp_auth_rpc_bind_req( struct rpc_pipe_client *cli,
1016 enum pipe_auth_level auth_level,
1017 RPC_HDR_AUTH *pauth_out,
1018 prs_struct *auth_data)
1019 {
1020 NTSTATUS nt_status;
1021 DATA_BLOB null_blob = data_blob_null;
1022 DATA_BLOB request = data_blob_null;
1023
1024 /* We may change the pad length before marshalling. */
1025 init_rpc_hdr_auth(pauth_out, RPC_NTLMSSP_AUTH_TYPE, (int)auth_level, 0, 1);
1026
1027 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
1028 nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
1029 null_blob,
1030 &request);
1031
1032 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1033 data_blob_free(&request);
1034 prs_mem_free(auth_data);
1035 return nt_status;
1036 }
1037
1038 /* Auth len in the rpc header doesn't include auth_header. */
1039 if (!prs_copy_data_in(auth_data, (char *)request.data, request.length)) {
1040 data_blob_free(&request);
1041 prs_mem_free(auth_data);
1042 return NT_STATUS_NO_MEMORY;
1043 }
1044
1045 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1046 dump_data(5, request.data, request.length);
1047
1048 data_blob_free(&request);
1049 return NT_STATUS_OK;
1050 }
1051
1052 /*******************************************************************
1053 Creates schannel auth bind.
1054 ********************************************************************/
1055
1056 static NTSTATUS create_schannel_auth_rpc_bind_req( struct rpc_pipe_client *cli,
1057 enum pipe_auth_level auth_level,
1058 RPC_HDR_AUTH *pauth_out,
1059 prs_struct *auth_data)
1060 {
1061 RPC_AUTH_SCHANNEL_NEG schannel_neg;
1062
1063 /* We may change the pad length before marshalling. */
1064 init_rpc_hdr_auth(pauth_out, RPC_SCHANNEL_AUTH_TYPE, (int)auth_level, 0, 1);
1065
1066 /* Use lp_workgroup() if domain not specified */
1067
1068 if (!cli->domain || !cli->domain[0]) {
1069 cli->domain = lp_workgroup();
1070 }
1071
1072 init_rpc_auth_schannel_neg(&schannel_neg, cli->domain, global_myname());
1073
1074 /*
1075 * Now marshall the data into the auth parse_struct.
1076 */
1077
1078 if(!smb_io_rpc_auth_schannel_neg("schannel_neg",
1079 &schannel_neg, auth_data, 0)) {
1080 DEBUG(0,("Failed to marshall RPC_AUTH_SCHANNEL_NEG.\n"));
1081 prs_mem_free(auth_data);
1082 return NT_STATUS_NO_MEMORY;
1083 }
1084
1085 return NT_STATUS_OK;
1086 }
1087
1088 /*******************************************************************
1089 Creates the internals of a DCE/RPC bind request or alter context PDU.
1090 ********************************************************************/
1091
1092 static NTSTATUS create_bind_or_alt_ctx_internal(enum RPC_PKT_TYPE pkt_type,
1093 prs_struct *rpc_out,
1094 uint32 rpc_call_id,
1095 RPC_IFACE *abstract,
1096 RPC_IFACE *transfer,
1097 RPC_HDR_AUTH *phdr_auth,
1098 prs_struct *pauth_info)
1099 {
1100 RPC_HDR hdr;
1101 RPC_HDR_RB hdr_rb;
1102 RPC_CONTEXT rpc_ctx;
1103 uint16 auth_len = prs_offset(pauth_info);
1104 uint8 ss_padding_len = 0;
1105 uint16 frag_len = 0;
1106
1107 /* create the RPC context. */
1108 init_rpc_context(&rpc_ctx, 0 /* context id */, abstract, transfer);
1109
1110 /* create the bind request RPC_HDR_RB */
1111 init_rpc_hdr_rb(&hdr_rb, RPC_MAX_PDU_FRAG_LEN, RPC_MAX_PDU_FRAG_LEN, 0x0, &rpc_ctx);
1112
1113 /* Start building the frag length. */
1114 frag_len = RPC_HEADER_LEN + RPC_HDR_RB_LEN(&hdr_rb);
1115
1116 /* Do we need to pad ? */
1117 if (auth_len) {
1118 uint16 data_len = RPC_HEADER_LEN + RPC_HDR_RB_LEN(&hdr_rb);
1119 if (data_len % 8) {
1120 ss_padding_len = 8 - (data_len % 8);
1121 phdr_auth->auth_pad_len = ss_padding_len;
1122 }
1123 frag_len += RPC_HDR_AUTH_LEN + auth_len + ss_padding_len;
1124 }
1125
1126 /* Create the request RPC_HDR */
1127 init_rpc_hdr(&hdr, pkt_type, RPC_FLG_FIRST|RPC_FLG_LAST, rpc_call_id, frag_len, auth_len);
1128
1129 /* Marshall the RPC header */
1130 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
1131 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR.\n"));
1132 return NT_STATUS_NO_MEMORY;
1133 }
1134
1135 /* Marshall the bind request data */
1136 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
1137 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
1138 return NT_STATUS_NO_MEMORY;
1139 }
1140
1141 /*
1142 * Grow the outgoing buffer to store any auth info.
1143 */
1144
1145 if(auth_len != 0) {
1146 if (ss_padding_len) {
1147 char pad[8];
1148 memset(pad, '\0', 8);
1149 if (!prs_copy_data_in(rpc_out, pad, ss_padding_len)) {
1150 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall padding.\n"));
1151 return NT_STATUS_NO_MEMORY;
1152 }
1153 }
1154
1155 if(!smb_io_rpc_hdr_auth("hdr_auth", phdr_auth, rpc_out, 0)) {
1156 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_AUTH.\n"));
1157 return NT_STATUS_NO_MEMORY;
1158 }
1159
1160
1161 if(!prs_append_prs_data( rpc_out, pauth_info)) {
1162 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to grow parse struct to add auth.\n"));
1163 return NT_STATUS_NO_MEMORY;
1164 }
1165 }
1166
1167 return NT_STATUS_OK;
1168 }
1169
1170 /*******************************************************************
1171 Creates a DCE/RPC bind request.
1172 ********************************************************************/
1173
1174 static NTSTATUS create_rpc_bind_req(struct rpc_pipe_client *cli,
1175 prs_struct *rpc_out,
1176 uint32 rpc_call_id,
1177 RPC_IFACE *abstract, RPC_IFACE *transfer,
1178 enum pipe_auth_type auth_type,
1179 enum pipe_auth_level auth_level)
1180 {
1181 RPC_HDR_AUTH hdr_auth;
1182 prs_struct auth_info;
1183 NTSTATUS ret = NT_STATUS_OK;
1184
1185 ZERO_STRUCT(hdr_auth);
1186 if (!prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL))
1187 return NT_STATUS_NO_MEMORY;
1188
1189 switch (auth_type) {
1190 case PIPE_AUTH_TYPE_SCHANNEL:
1191 ret = create_schannel_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1192 if (!NT_STATUS_IS_OK(ret)) {
1193 prs_mem_free(&auth_info);
1194 return ret;
1195 }
1196 break;
1197
1198 case PIPE_AUTH_TYPE_NTLMSSP:
1199 ret = create_ntlmssp_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1200 if (!NT_STATUS_IS_OK(ret)) {
1201 prs_mem_free(&auth_info);
1202 return ret;
1203 }
1204 break;
1205
1206 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1207 ret = create_spnego_ntlmssp_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1208 if (!NT_STATUS_IS_OK(ret)) {
1209 prs_mem_free(&auth_info);
1210 return ret;
1211 }
1212 break;
1213
1214 case PIPE_AUTH_TYPE_KRB5:
1215 ret = create_krb5_auth_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1216 if (!NT_STATUS_IS_OK(ret)) {
1217 prs_mem_free(&auth_info);
1218 return ret;
1219 }
1220 break;
1221
1222 case PIPE_AUTH_TYPE_NONE:
1223 break;
1224
1225 default:
1226 /* "Can't" happen. */
1227 return NT_STATUS_INVALID_INFO_CLASS;
1228 }
1229
1230 ret = create_bind_or_alt_ctx_internal(RPC_BIND,
1231 rpc_out,
1232 rpc_call_id,
1233 abstract,
1234 transfer,
1235 &hdr_auth,
1236 &auth_info);
1237
1238 prs_mem_free(&auth_info);
1239 return ret;
1240 }
1241
1242 /*******************************************************************
1243 Create and add the NTLMSSP sign/seal auth header and data.
1244 ********************************************************************/
1245
1246 static NTSTATUS add_ntlmssp_auth_footer(struct rpc_pipe_client *cli,
1247 RPC_HDR *phdr,
1248 uint32 ss_padding_len,
1249 prs_struct *outgoing_pdu)
1250 {
1251 RPC_HDR_AUTH auth_info;
1252 NTSTATUS status;
1253 DATA_BLOB auth_blob = data_blob_null;
1254 uint16 data_and_pad_len = prs_offset(outgoing_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
1255
1256 if (!cli->auth.a_u.ntlmssp_state) {
1257 return NT_STATUS_INVALID_PARAMETER;
1258 }
1259
1260 /* Init and marshall the auth header. */
1261 init_rpc_hdr_auth(&auth_info,
1262 map_pipe_auth_type_to_rpc_auth_type(cli->auth.auth_type),
1263 cli->auth.auth_level,
1264 ss_padding_len,
1265 1 /* context id. */);
1266
1267 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, outgoing_pdu, 0)) {
1268 DEBUG(0,("add_ntlmssp_auth_footer: failed to marshall RPC_HDR_AUTH.\n"));
1269 data_blob_free(&auth_blob);
1270 return NT_STATUS_NO_MEMORY;
1271 }
1272
1273 switch (cli->auth.auth_level) {
1274 case PIPE_AUTH_LEVEL_PRIVACY:
1275 /* Data portion is encrypted. */
1276 status = ntlmssp_seal_packet(cli->auth.a_u.ntlmssp_state,
1277 (unsigned char *)prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
1278 data_and_pad_len,
1279 (unsigned char *)prs_data_p(outgoing_pdu),
1280 (size_t)prs_offset(outgoing_pdu),
1281 &auth_blob);
1282 if (!NT_STATUS_IS_OK(status)) {
1283 data_blob_free(&auth_blob);
1284 return status;
1285 }
1286 break;
1287
1288 case PIPE_AUTH_LEVEL_INTEGRITY:
1289 /* Data is signed. */
1290 status = ntlmssp_sign_packet(cli->auth.a_u.ntlmssp_state,
1291 (unsigned char *)prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
1292 data_and_pad_len,
1293 (unsigned char *)prs_data_p(outgoing_pdu),
1294 (size_t)prs_offset(outgoing_pdu),
1295 &auth_blob);
1296 if (!NT_STATUS_IS_OK(status)) {
1297 data_blob_free(&auth_blob);
1298 return status;
1299 }
1300 break;
1301
1302 default:
1303 /* Can't happen. */
1304 smb_panic("bad auth level");
1305 /* Notreached. */
1306 return NT_STATUS_INVALID_PARAMETER;
1307 }
1308
1309 /* Finally marshall the blob. */
1310
1311 if (!prs_copy_data_in(outgoing_pdu, (const char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
1312 DEBUG(0,("add_ntlmssp_auth_footer: failed to add %u bytes auth blob.\n",
1313 (unsigned int)NTLMSSP_SIG_SIZE));
1314 data_blob_free(&auth_blob);
1315 return NT_STATUS_NO_MEMORY;
1316 }
1317
1318 data_blob_free(&auth_blob);
1319 return NT_STATUS_OK;
1320 }
1321
1322 /*******************************************************************
1323 Create and add the schannel sign/seal auth header and data.
1324 ********************************************************************/
1325
1326 static NTSTATUS add_schannel_auth_footer(struct rpc_pipe_client *cli,
1327 RPC_HDR *phdr,
1328 uint32 ss_padding_len,
1329 prs_struct *outgoing_pdu)
1330 {
1331 RPC_HDR_AUTH auth_info;
1332 RPC_AUTH_SCHANNEL_CHK verf;
1333 struct schannel_auth_struct *sas = cli->auth.a_u.schannel_auth;
1334 char *data_p = prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
1335 size_t data_and_pad_len = prs_offset(outgoing_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
1336
1337 if (!sas) {
1338 return NT_STATUS_INVALID_PARAMETER;
1339 }
1340
1341 /* Init and marshall the auth header. */
1342 init_rpc_hdr_auth(&auth_info,
1343 map_pipe_auth_type_to_rpc_auth_type(cli->auth.auth_type),
1344 cli->auth.auth_level,
1345 ss_padding_len,
1346 1 /* context id. */);
1347
1348 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, outgoing_pdu, 0)) {
1349 DEBUG(0,("add_schannel_auth_footer: failed to marshall RPC_HDR_AUTH.\n"));
1350 return NT_STATUS_NO_MEMORY;
1351 }
1352
1353 switch (cli->auth.auth_level) {
1354 case PIPE_AUTH_LEVEL_PRIVACY:
1355 case PIPE_AUTH_LEVEL_INTEGRITY:
1356 DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
1357 sas->seq_num));
1358
1359 schannel_encode(sas,
1360 cli->auth.auth_level,
1361 SENDER_IS_INITIATOR,
1362 &verf,
1363 data_p,
1364 data_and_pad_len);
1365
1366 sas->seq_num++;
1367 break;
1368
1369 default:
1370 /* Can't happen. */
1371 smb_panic("bad auth level");
1372 /* Notreached. */
1373 return NT_STATUS_INVALID_PARAMETER;
1374 }
1375
1376 /* Finally marshall the blob. */
1377 smb_io_rpc_auth_schannel_chk("",
1378 RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
1379 &verf,
1380 outgoing_pdu,
1381 0);
1382
1383 return NT_STATUS_OK;
1384 }
1385
1386 /*******************************************************************
1387 Calculate how much data we're going to send in this packet, also
1388 work out any sign/seal padding length.
1389 ********************************************************************/
1390
1391 static uint32 calculate_data_len_tosend(struct rpc_pipe_client *cli,
1392 uint32 data_left,
1393 uint16 *p_frag_len,
1394 uint16 *p_auth_len,
1395 uint32 *p_ss_padding)
1396 {
1397 uint32 data_space, data_len;
1398
1399 switch (cli->auth.auth_level) {
1400 case PIPE_AUTH_LEVEL_NONE:
1401 case PIPE_AUTH_LEVEL_CONNECT:
1402 data_space = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN;
1403 data_len = MIN(data_space, data_left);
1404 *p_ss_padding = 0;
1405 *p_auth_len = 0;
1406 *p_frag_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + data_len;
1407 return data_len;
1408
1409 case PIPE_AUTH_LEVEL_INTEGRITY:
1410 case PIPE_AUTH_LEVEL_PRIVACY:
1411 /* Treat the same for all authenticated rpc requests. */
1412 switch(cli->auth.auth_type) {
1413 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1414 case PIPE_AUTH_TYPE_NTLMSSP:
1415 *p_auth_len = NTLMSSP_SIG_SIZE;
1416 break;
1417 case PIPE_AUTH_TYPE_SCHANNEL:
1418 *p_auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
1419 break;
1420 default:
1421 smb_panic("bad auth type");
1422 break;
1423 }
1424
1425 data_space = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1426 RPC_HDR_AUTH_LEN - *p_auth_len;
1427
1428 data_len = MIN(data_space, data_left);
1429 if (data_len % 8) {
1430 *p_ss_padding = 8 - (data_len % 8);
1431 }
1432 *p_frag_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + /* Normal headers. */
1433 data_len + *p_ss_padding + /* data plus padding. */
1434 RPC_HDR_AUTH_LEN + *p_auth_len; /* Auth header and auth data. */
1435 return data_len;
1436
1437 default:
1438 smb_panic("bad auth level");
1439 /* Notreached. */
1440 return 0;
1441 }
1442 }
1443
1444 /*******************************************************************
1445 External interface.
1446 Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
1447 Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
1448 and deals with signing/sealing details.
1449 ********************************************************************/
1450
1451 NTSTATUS rpc_api_pipe_req(struct rpc_pipe_client *cli,
1452 uint8 op_num,
1453 prs_struct *in_data,
1454 prs_struct *out_data)
1455 {
1456 NTSTATUS ret;
1457 uint32 data_left = prs_offset(in_data);
1458 uint32 alloc_hint = prs_offset(in_data);
1459 uint32 data_sent_thistime = 0;
1460 uint32 current_data_offset = 0;
1461 uint32 call_id = get_rpc_call_id();
1462 char pad[8];
1463 prs_struct outgoing_pdu;
1464
1465 memset(pad, '\0', 8);
1466
1467 if (cli->max_xmit_frag < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_MAX_SIGN_SIZE) {
1468 /* Server is screwed up ! */
1469 return NT_STATUS_INVALID_PARAMETER;
1470 }
1471
1472 if (!prs_init(&outgoing_pdu, cli->max_xmit_frag, prs_get_mem_context(in_data), MARSHALL))
1473 return NT_STATUS_NO_MEMORY;
1474
1475 while (1) {
1476 RPC_HDR hdr;
1477 RPC_HDR_REQ hdr_req;
1478 uint16 auth_len = 0;
1479 uint16 frag_len = 0;
1480 uint8 flags = 0;
1481 uint32 ss_padding = 0;
1482
1483 data_sent_thistime = calculate_data_len_tosend(cli, data_left,
1484 &frag_len, &auth_len, &ss_padding);
1485
1486 if (current_data_offset == 0) {
1487 flags = RPC_FLG_FIRST;
1488 }
1489
1490 if (data_sent_thistime == data_left) {
1491 flags |= RPC_FLG_LAST;
1492 }
1493
1494 /* Create and marshall the header and request header. */
1495 init_rpc_hdr(&hdr, RPC_REQUEST, flags, call_id, frag_len, auth_len);
1496
1497 if(!smb_io_rpc_hdr("hdr ", &hdr, &outgoing_pdu, 0)) {
1498 prs_mem_free(&outgoing_pdu);
1499 return NT_STATUS_NO_MEMORY;
1500 }
1501
1502 /* Create the rpc request RPC_HDR_REQ */
1503 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
1504
1505 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, &outgoing_pdu, 0)) {
1506 prs_mem_free(&outgoing_pdu);
1507 return NT_STATUS_NO_MEMORY;
1508 }
1509
1510 /* Copy in the data, plus any ss padding. */
1511 if (!prs_append_some_prs_data(&outgoing_pdu, in_data, current_data_offset, data_sent_thistime)) {
1512 prs_mem_free(&outgoing_pdu);
1513 return NT_STATUS_NO_MEMORY;
1514 }
1515
1516 /* Copy the sign/seal padding data. */
1517 if (ss_padding) {
1518 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding)) {
1519 prs_mem_free(&outgoing_pdu);
1520 return NT_STATUS_NO_MEMORY;
1521 }
1522 }
1523
1524 /* Generate any auth sign/seal and add the auth footer. */
1525 if (auth_len) {
1526 switch (cli->auth.auth_type) {
1527 case PIPE_AUTH_TYPE_NONE:
1528 break;
1529 case PIPE_AUTH_TYPE_NTLMSSP:
1530 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1531 ret = add_ntlmssp_auth_footer(cli, &hdr, ss_padding, &outgoing_pdu);
1532 if (!NT_STATUS_IS_OK(ret)) {
1533 prs_mem_free(&outgoing_pdu);
1534 return ret;
1535 }
1536 break;
1537 case PIPE_AUTH_TYPE_SCHANNEL:
1538 ret = add_schannel_auth_footer(cli, &hdr, ss_padding, &outgoing_pdu);
1539 if (!NT_STATUS_IS_OK(ret)) {
1540 prs_mem_free(&outgoing_pdu);
1541 return ret;
1542 }
1543 break;
1544 default:
1545 smb_panic("bad auth type");
1546 break; /* notreached */
1547 }
1548 }
1549
1550 /* Actually send the packet. */
1551 if (flags & RPC_FLG_LAST) {
1552 /* Last packet - send the data, get the reply and return. */
1553 ret = rpc_api_pipe(cli, &outgoing_pdu, out_data, RPC_RESPONSE);
1554 prs_mem_free(&outgoing_pdu);
1555
1556 if (DEBUGLEVEL >= 50) {
1557 char *dump_name = NULL;
1558 /* Also capture received data */
1559 if (asprintf(&dump_name, "%s/reply_%s_%d",
1560 get_dyn_LOGFILEBASE(), cli->pipe_name,
1561 op_num) > 0) {
1562 prs_dump(dump_name, op_num, out_data);
1563 SAFE_FREE(dump_name);
1564 }
1565 }
1566
1567 return ret;
1568 } else {
1569 /* More packets to come - write and continue. */
1570 ssize_t num_written = cli_write(cli->cli, cli->fnum, 8, /* 8 means message mode. */
1571 prs_data_p(&outgoing_pdu),
1572 (off_t)0,
1573 (size_t)hdr.frag_len);
1574
1575 if (num_written != hdr.frag_len) {
1576 prs_mem_free(&outgoing_pdu);
1577 return cli_get_nt_error(cli->cli);
1578 }
1579 }
1580
1581 current_data_offset += data_sent_thistime;
1582 data_left -= data_sent_thistime;
1583
1584 /* Reset the marshalling position back to zero. */
1585 if (!prs_set_offset(&outgoing_pdu, 0)) {
1586 prs_mem_free(&outgoing_pdu);
1587 return NT_STATUS_NO_MEMORY;
1588 }
1589 }
1590 }
1591 #if 0
1592 /****************************************************************************
1593 Set the handle state.
1594 ****************************************************************************/
1595
1596 static bool rpc_pipe_set_hnd_state(struct rpc_pipe_client *cli,
1597 const char *pipe_name, uint16 device_state)
1598 {
1599 bool state_set = False;
1600 char param[2];
1601 uint16 setup[2]; /* only need 2 uint16 setup parameters */
1602 char *rparam = NULL;
1603 char *rdata = NULL;
1604 uint32 rparam_len, rdata_len;
1605
1606 if (pipe_name == NULL)
1607 return False;
1608
1609 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
1610 cli->fnum, pipe_name, device_state));
1611
1612 /* create parameters: device state */
1613 SSVAL(param, 0, device_state);
1614
1615 /* create setup parameters. */
1616 setup[0] = 0x0001;
1617 setup[1] = cli->fnum; /* pipe file handle. got this from an SMBOpenX. */
1618
1619 /* send the data on \PIPE\ */
1620 if (cli_api_pipe(cli->cli, "\\PIPE\\",
1621 setup, 2, 0, /* setup, length, max */
1622 param, 2, 0, /* param, length, max */
1623 NULL, 0, 1024, /* data, length, max */
1624 &rparam, &rparam_len, /* return param, length */
1625 &rdata, &rdata_len)) /* return data, length */
1626 {
1627 DEBUG(5, ("Set Handle state: return OK\n"));
1628 state_set = True;
1629 }
1630
1631 SAFE_FREE(rparam);
1632 SAFE_FREE(rdata);
1633
1634 return state_set;
1635 }
1636 #endif
1637
1638 /****************************************************************************
1639 Check the rpc bind acknowledge response.
1640 ****************************************************************************/
1641
1642 static bool valid_pipe_name(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
1643 {
1644 if ( pipe_idx >= PI_MAX_PIPES ) {
1645 DEBUG(0,("valid_pipe_name: Programmer error! Invalid pipe index [%d]\n",
1646 pipe_idx));
1647 return False;
1648 }
1649
1650 DEBUG(5,("Bind Abstract Syntax: "));
1651 dump_data(5, (uint8 *)&pipe_names[pipe_idx].abstr_syntax,
1652 sizeof(pipe_names[pipe_idx].abstr_syntax));
1653 DEBUG(5,("Bind Transfer Syntax: "));
1654 dump_data(5, (uint8 *)&pipe_names[pipe_idx].trans_syntax,
1655 sizeof(pipe_names[pipe_idx].trans_syntax));
1656
1657 /* copy the required syntaxes out so we can do the right bind */
1658
1659 *transfer = pipe_names[pipe_idx].trans_syntax;
1660 *abstract = pipe_names[pipe_idx].abstr_syntax;
1661
1662 return True;
1663 }
1664
1665 /****************************************************************************
1666 Check the rpc bind acknowledge response.
1667 ****************************************************************************/
1668
1669 static bool check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
1670 {
1671 if ( hdr_ba->addr.len == 0) {
1672 DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
1673 }
1674
1675 # if 0 /* JERRY -- apparently ASU forgets to fill in the server pipe name sometimes */
1676 if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].client_pipe) &&
1677 !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe) )
1678 {
1679 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
1680 pipe_names[i].server_pipe ,hdr_ba->addr.str));
1681 return False;
1682 }
1683
1684 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
1685
1686 if (pipe_names[pipe_idx].server_pipe == NULL) {
1687 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
1688 return False;
1689 }
1690 #endif /* JERRY */
1691
1692 /* check the transfer syntax */
1693 if ((hdr_ba->transfer.version != transfer->version) ||
1694 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1695 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1696 return False;
1697 }
1698
1699 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
1700 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1701 hdr_ba->res.num_results, hdr_ba->res.reason));
1702 }
1703
1704 DEBUG(5,("check_bind_response: accepted!\n"));
1705 return True;
1706 }
1707
1708 /*******************************************************************
1709 Creates a DCE/RPC bind authentication response.
1710 This is the packet that is sent back to the server once we
1711 have received a BIND-ACK, to finish the third leg of
1712 the authentication handshake.
1713 ********************************************************************/
1714
1715 static NTSTATUS create_rpc_bind_auth3(struct rpc_pipe_client *cli,
1716 uint32 rpc_call_id,
1717 enum pipe_auth_type auth_type,
1718 enum pipe_auth_level auth_level,
1719 DATA_BLOB *pauth_blob,
1720 prs_struct *rpc_out)
1721 {
1722 RPC_HDR hdr;
1723 RPC_HDR_AUTH hdr_auth;
1724 uint32 pad = 0;
1725
1726 /* Create the request RPC_HDR */
1727 init_rpc_hdr(&hdr, RPC_AUTH3, RPC_FLG_FIRST|RPC_FLG_LAST, rpc_call_id,
1728 RPC_HEADER_LEN + 4 /* pad */ + RPC_HDR_AUTH_LEN + pauth_blob->length,
1729 pauth_blob->length );
1730
1731 /* Marshall it. */
1732 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
1733 DEBUG(0,("create_rpc_bind_auth3: failed to marshall RPC_HDR.\n"));
1734 return NT_STATUS_NO_MEMORY;
1735 }
1736
1737 /*
1738 I'm puzzled about this - seems to violate the DCE RPC auth rules,
1739 about padding - shouldn't this pad to length 8 ? JRA.
1740 */
1741
1742 /* 4 bytes padding. */
1743 if (!prs_uint32("pad", rpc_out, 0, &pad)) {
1744 DEBUG(0,("create_rpc_bind_auth3: failed to marshall 4 byte pad.\n"));
1745 return NT_STATUS_NO_MEMORY;
1746 }
1747
1748 /* Create the request RPC_HDR_AUTHA */
1749 init_rpc_hdr_auth(&hdr_auth,
1750 map_pipe_auth_type_to_rpc_auth_type(auth_type),
1751 auth_level, 0, 1);
1752
1753 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rpc_out, 0)) {
1754 DEBUG(0,("create_rpc_bind_auth3: failed to marshall RPC_HDR_AUTHA.\n"));
1755 return NT_STATUS_NO_MEMORY;
1756 }
1757
1758 /*
1759 * Append the auth data to the outgoing buffer.
1760 */
1761
1762 if(!prs_copy_data_in(rpc_out, (char *)pauth_blob->data, pauth_blob->length)) {
1763 DEBUG(0,("create_rpc_bind_auth3: failed to marshall auth blob.\n"));
1764 return NT_STATUS_NO_MEMORY;
1765 }
1766
1767 return NT_STATUS_OK;
1768 }
1769
1770 /****************************************************************************
1771 Create and send the third packet in an RPC auth.
1772 ****************************************************************************/
1773
1774 static NTSTATUS rpc_finish_auth3_bind(struct rpc_pipe_client *cli,
1775 RPC_HDR *phdr,
1776 prs_struct *rbuf,
1777 uint32 rpc_call_id,
1778 enum pipe_auth_type auth_type,
1779 enum pipe_auth_level auth_level)
1780 {
1781 DATA_BLOB server_response = data_blob_null;
1782 DATA_BLOB client_reply = data_blob_null;
1783 RPC_HDR_AUTH hdr_auth;
1784 NTSTATUS nt_status;
1785 prs_struct rpc_out;
1786 ssize_t ret;
1787
1788 if (!phdr->auth_len || (phdr->frag_len < phdr->auth_len + RPC_HDR_AUTH_LEN)) {
1789 return NT_STATUS_INVALID_PARAMETER;
1790 }
1791
1792 /* Process the returned NTLMSSP blob first. */
1793 if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
1794 return NT_STATUS_INVALID_PARAMETER;
1795 }
1796
1797 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
1798 return NT_STATUS_INVALID_PARAMETER;
1799 }
1800
1801 /* TODO - check auth_type/auth_level match. */
1802
1803 server_response = data_blob(NULL, phdr->auth_len);
1804 prs_copy_data_out((char *)server_response.data, rbuf, phdr->auth_len);
1805
1806 nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
1807 server_response,
1808 &client_reply);
1809
1810 if (!NT_STATUS_IS_OK(nt_status)) {
1811 DEBUG(0,("rpc_finish_auth3_bind: NTLMSSP update using server blob failed.\n"));
1812 data_blob_free(&server_response);
1813 return nt_status;
1814 }
1815
1816 prs_init_empty(&rpc_out, prs_get_mem_context(rbuf), MARSHALL);
1817
1818 nt_status = create_rpc_bind_auth3(cli, rpc_call_id,
1819 auth_type, auth_level,
1820 &client_reply, &rpc_out);
1821
1822 if (!NT_STATUS_IS_OK(nt_status)) {
1823 prs_mem_free(&rpc_out);
1824 data_blob_free(&client_reply);
1825 data_blob_free(&server_response);
1826 return nt_status;
1827 }
1828
1829 /* 8 here is named pipe message mode. */
1830 ret = cli_write(cli->cli, cli->fnum, 0x8, prs_data_p(&rpc_out), 0,
1831 (size_t)prs_offset(&rpc_out));
1832
1833 if (ret != (ssize_t)prs_offset(&rpc_out)) {
1834 DEBUG(0,("rpc_send_auth_auth3: cli_write failed. Return was %d\n", (int)ret));
1835 prs_mem_free(&rpc_out);
1836 data_blob_free(&client_reply);
1837 data_blob_free(&server_response);
1838 return cli_get_nt_error(cli->cli);
1839 }
1840
1841 DEBUG(5,("rpc_send_auth_auth3: Remote machine %s pipe %s "
1842 "fnum 0x%x sent auth3 response ok.\n",
1843 cli->cli->desthost,
1844 cli->pipe_name,
1845 (unsigned int)cli->fnum));
1846
1847 prs_mem_free(&rpc_out);
1848 data_blob_free(&client_reply);
1849 data_blob_free(&server_response);
1850 return NT_STATUS_OK;
1851 }
1852
1853 /*******************************************************************
1854 Creates a DCE/RPC bind alter context authentication request which
1855 may contain a spnego auth blobl
1856 ********************************************************************/
1857
1858 static NTSTATUS create_rpc_alter_context(uint32 rpc_call_id,
1859 RPC_IFACE *abstract,
1860 RPC_IFACE *transfer,
1861 enum pipe_auth_level auth_level,
1862 const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
1863 prs_struct *rpc_out)
1864 {
1865 RPC_HDR_AUTH hdr_auth;
1866 prs_struct auth_info;
1867 NTSTATUS ret = NT_STATUS_OK;
1868
1869 ZERO_STRUCT(hdr_auth);
1870 if (!prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL))
1871 return NT_STATUS_NO_MEMORY;
1872
1873 /* We may change the pad length before marshalling. */
1874 init_rpc_hdr_auth(&hdr_auth, RPC_SPNEGO_AUTH_TYPE, (int)auth_level, 0, 1);
1875
1876 if (pauth_blob->length) {
1877 if (!prs_copy_data_in(&auth_info, (const char *)pauth_blob->data, pauth_blob->length)) {
1878 prs_mem_free(&auth_info);
1879 return NT_STATUS_NO_MEMORY;
1880 }
1881 }
1882
1883 ret = create_bind_or_alt_ctx_internal(RPC_ALTCONT,
1884 rpc_out,
1885 rpc_call_id,
1886 abstract,
1887 transfer,
1888 &hdr_auth,
1889 &auth_info);
1890 prs_mem_free(&auth_info);
1891 return ret;
1892 }
1893
1894 /*******************************************************************
1895 Third leg of the SPNEGO bind mechanism - sends alter context PDU
1896 and gets a response.
1897 ********************************************************************/
1898
1899 static NTSTATUS rpc_finish_spnego_ntlmssp_bind(struct rpc_pipe_client *cli,
1900 RPC_HDR *phdr,
1901 prs_struct *rbuf,
1902 uint32 rpc_call_id,
1903 RPC_IFACE *abstract,
1904 RPC_IFACE *transfer,
1905 enum pipe_auth_type auth_type,
1906 enum pipe_auth_level auth_level)
1907 {
1908 DATA_BLOB server_spnego_response = data_blob_null;
1909 DATA_BLOB server_ntlm_response = data_blob_null;
1910 DATA_BLOB client_reply = data_blob_null;
1911 DATA_BLOB tmp_blob = data_blob_null;
1912 RPC_HDR_AUTH hdr_auth;
1913 NTSTATUS nt_status;
1914 prs_struct rpc_out;
1915
1916 if (!phdr->auth_len || (phdr->frag_len < phdr->auth_len + RPC_HDR_AUTH_LEN)) {
1917 return NT_STATUS_INVALID_PARAMETER;
1918 }
1919
1920 /* Process the returned NTLMSSP blob first. */
1921 if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
1922 return NT_STATUS_INVALID_PARAMETER;
1923 }
1924
1925 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
1926 return NT_STATUS_INVALID_PARAMETER;
1927 }
1928
1929 server_spnego_response = data_blob(NULL, phdr->auth_len);
1930 prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len);
1931
1932 /* The server might give us back two challenges - tmp_blob is for the second. */
1933 if (!spnego_parse_challenge(server_spnego_response, &server_ntlm_response, &tmp_blob)) {
1934 data_blob_free(&server_spnego_response);
1935 data_blob_free(&server_ntlm_response);
1936 data_blob_free(&tmp_blob);
1937 return NT_STATUS_INVALID_PARAMETER;
1938 }
1939
1940 /* We're finished with the server spnego response and the tmp_blob. */
1941 data_blob_free(&server_spnego_response);
1942 data_blob_free(&tmp_blob);
1943
1944 nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
1945 server_ntlm_response,
1946 &client_reply);
1947
1948 /* Finished with the server_ntlm response */
1949 data_blob_free(&server_ntlm_response);
1950
1951 if (!NT_STATUS_IS_OK(nt_status)) {
1952 DEBUG(0,("rpc_finish_spnego_ntlmssp_bind: NTLMSSP update using server blob failed.\n"));
1953 data_blob_free(&client_reply);
1954 return nt_status;
1955 }
1956
1957 /* SPNEGO wrap the client reply. */
1958 tmp_blob = spnego_gen_auth(client_reply);
1959 data_blob_free(&client_reply);
1960 client_reply = tmp_blob;
1961 tmp_blob = data_blob_null; /* Ensure it's safe to free this just in case. */
1962
1963 /* Now prepare the alter context pdu. */
1964 prs_init_empty(&rpc_out, prs_get_mem_context(rbuf), MARSHALL);
1965
1966 nt_status = create_rpc_alter_context(rpc_call_id,
1967 abstract,
1968 transfer,
1969 auth_level,
1970 &client_reply,
1971 &rpc_out);
1972
1973 data_blob_free(&client_reply);
1974
1975 if (!NT_STATUS_IS_OK(nt_status)) {
1976 prs_mem_free(&rpc_out);
1977 return nt_status;
1978 }
1979
1980 /* Initialize the returning data struct. */
1981 prs_mem_free(rbuf);
1982 prs_init_empty(rbuf, cli->mem_ctx, UNMARSHALL);
1983
1984 nt_status = rpc_api_pipe(cli, &rpc_out, rbuf, RPC_ALTCONTRESP);
1985 if (!NT_STATUS_IS_OK(nt_status)) {
1986 prs_mem_free(&rpc_out);
1987 return nt_status;
1988 }
1989
1990 prs_mem_free(&rpc_out);
1991
1992 /* Get the auth blob from the reply. */
1993 if(!smb_io_rpc_hdr("rpc_hdr ", phdr, rbuf, 0)) {
1994 DEBUG(0,("rpc_finish_spnego_ntlmssp_bind: Failed to unmarshall RPC_HDR.\n"));
1995 return NT_STATUS_BUFFER_TOO_SMALL;
1996 }
1997
1998 if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
1999 return NT_STATUS_INVALID_PARAMETER;
2000 }
2001
2002 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
2003 return NT_STATUS_INVALID_PARAMETER;
2004 }
2005
2006 server_spnego_response = data_blob(NULL, phdr->auth_len);
2007 prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len);
2008
2009 /* Check we got a valid auth response. */
2010 if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, OID_NTLMSSP, &tmp_blob)) {
2011 data_blob_free(&server_spnego_response);
2012 data_blob_free(&tmp_blob);
2013 return NT_STATUS_INVALID_PARAMETER;
2014 }
2015
2016 data_blob_free(&server_spnego_response);
2017 data_blob_free(&tmp_blob);
2018
2019 DEBUG(5,("rpc_finish_spnego_ntlmssp_bind: alter context request to "
2020 "remote machine %s pipe %s fnum 0x%x.\n",
2021 cli->cli->desthost,
2022 cli->pipe_name,
2023 (unsigned int)cli->fnum));
2024
2025 return NT_STATUS_OK;
2026 }
2027
2028 /****************************************************************************
2029 Do an rpc bind.
2030 ****************************************************************************/
2031
2032 static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
2033 enum pipe_auth_type auth_type,
2034 enum pipe_auth_level auth_level)
2035 {
2036 RPC_HDR hdr;
2037 RPC_HDR_BA hdr_ba;
2038 RPC_IFACE abstract;
2039 RPC_IFACE transfer;
2040 prs_struct rpc_out;
2041 prs_struct rbuf;
2042 uint32 rpc_call_id;
2043 NTSTATUS status;
2044
2045 DEBUG(5,("Bind RPC Pipe[%x]: %s auth_type %u, auth_level %u\n",
2046 (unsigned int)cli->fnum,
2047 cli->pipe_name,
2048 (unsigned int)auth_type,
2049 (unsigned int)auth_level ));
2050
2051 if (!valid_pipe_name(cli->pipe_idx, &abstract, &transfer)) {
2052 return NT_STATUS_INVALID_PARAMETER;
2053 }
2054
2055 prs_init_empty(&rpc_out, cli->mem_ctx, MARSHALL);
2056
2057 rpc_call_id = get_rpc_call_id();
2058
2059 /* Marshall the outgoing data. */
2060 status = create_rpc_bind_req(cli, &rpc_out, rpc_call_id,
2061 &abstract, &transfer,
2062 auth_type,
2063 auth_level);
2064
2065 if (!NT_STATUS_IS_OK(status)) {
2066 prs_mem_free(&rpc_out);
2067 return status;
2068 }
2069
2070 /* Initialize the incoming data struct. */
2071 prs_init_empty(&rbuf, cli->mem_ctx, UNMARSHALL);
2072
2073 /* send data on \PIPE\. receive a response */
2074 status = rpc_api_pipe(cli, &rpc_out, &rbuf, RPC_BINDACK);
2075 if (!NT_STATUS_IS_OK(status)) {
2076 prs_mem_free(&rpc_out);
2077 return status;
2078 }
2079
2080 prs_mem_free(&rpc_out);
2081
2082 DEBUG(3,("rpc_pipe_bind: Remote machine %s pipe %s "
2083 "fnum 0x%x bind request returned ok.\n",
2084 cli->cli->desthost,
2085 cli->pipe_name,
2086 (unsigned int)cli->fnum));
2087
2088 /* Unmarshall the RPC header */
2089 if(!smb_io_rpc_hdr("hdr" , &hdr, &rbuf, 0)) {
2090 DEBUG(0,("rpc_pipe_bind: failed to unmarshall RPC_HDR.\n"));
2091 prs_mem_free(&rbuf);
2092 return NT_STATUS_BUFFER_TOO_SMALL;
2093 }
2094
2095 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rbuf, 0)) {
2096 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
2097 prs_mem_free(&rbuf);
2098 return NT_STATUS_BUFFER_TOO_SMALL;
2099 }
2100
2101 if(!check_bind_response(&hdr_ba, cli->pipe_idx, &transfer)) {
2102 DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
2103 prs_mem_free(&rbuf);
2104 return NT_STATUS_BUFFER_TOO_SMALL;
2105 }
2106
2107 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
2108 cli->max_recv_frag = hdr_ba.bba.max_rsize;
2109
2110 /* For authenticated binds we may need to do 3 or 4 leg binds. */
2111 switch(auth_type) {
2112
2113 case PIPE_AUTH_TYPE_NONE:
2114 case PIPE_AUTH_TYPE_SCHANNEL:
2115 /* Bind complete. */
2116 break;
2117
2118 case PIPE_AUTH_TYPE_NTLMSSP:
2119 /* Need to send AUTH3 packet - no reply. */
2120 status = rpc_finish_auth3_bind(cli, &hdr, &rbuf, rpc_call_id,
2121 auth_type, auth_level);
2122 if (!NT_STATUS_IS_OK(status)) {
2123 prs_mem_free(&rbuf);
2124 return status;
2125 }
2126 break;
2127
2128 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
2129 /* Need to send alter context request and reply. */
2130 status = rpc_finish_spnego_ntlmssp_bind(cli, &hdr, &rbuf, rpc_call_id,
2131 &abstract, &transfer,
2132 auth_type, auth_level);
2133 if (!NT_STATUS_IS_OK(status)) {
2134 prs_mem_free(&rbuf);
2135 return status;
2136 }
2137 break;
2138
2139 case PIPE_AUTH_TYPE_KRB5:
2140 /* */
2141
2142 default:
2143 DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n",
2144 (unsigned int)auth_type ));
2145 prs_mem_free(&rbuf);
2146 return NT_STATUS_INVALID_INFO_CLASS;
2147 }
2148
2149 /* For NTLMSSP ensure the server gave us the auth_level we wanted. */
2150 if (auth_type == PIPE_AUTH_TYPE_NTLMSSP || auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2151 if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
2152 if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
2153 DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP signing and server refused.\n"));
2154 prs_mem_free(&rbuf);
2155 return NT_STATUS_INVALID_PARAMETER;
2156 }
2157 }
2158 if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
2159 if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
2160 DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP sealing and server refused.\n"));
2161 prs_mem_free(&rbuf);
2162 return NT_STATUS_INVALID_PARAMETER;
2163 }
2164 }
2165 }
2166
2167 /* Pipe is bound - set up auth_type and auth_level data. */
2168
2169 cli->auth.auth_type = auth_type;
2170 cli->auth.auth_level = auth_level;
2171
2172 prs_mem_free(&rbuf);
2173 return NT_STATUS_OK;
2174 }
2175
2176 /****************************************************************************
2177 Open a named pipe over SMB to a remote server.
2178 *
2179 * CAVEAT CALLER OF THIS FUNCTION:
2180 * The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
2181 * so be sure that this function is called AFTER any structure (vs pointer)
2182 * assignment of the cli. In particular, libsmbclient does structure
2183 * assignments of cli, which invalidates the data in the returned
2184 * rpc_pipe_client if this function is called before the structure assignment
2185 * of cli.
2186 *
2187 ****************************************************************************/
2188
2189 static struct rpc_pipe_client *cli_rpc_pipe_open(struct cli_state *cli, int pipe_idx, NTSTATUS *perr)
2190 {
2191 TALLOC_CTX *mem_ctx;
2192 struct rpc_pipe_client *result;
2193 int fnum;
2194
2195 *perr = NT_STATUS_NO_MEMORY;
2196
2197 /* sanity check to protect against crashes */
2198
2199 if ( !cli ) {
2200 *perr = NT_STATUS_INVALID_HANDLE;
2201 return NULL;
2202 }
2203
2204 /* The pipe name index must fall within our array */
2205 SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
2206
2207 mem_ctx = talloc_init("struct rpc_pipe_client");
2208 if (mem_ctx == NULL) {
2209 return NULL;
2210 }
2211
2212 result = TALLOC_ZERO_P(mem_ctx, struct rpc_pipe_client);
2213 if (result == NULL) {
2214 return NULL;
2215 }
2216
2217 result->mem_ctx = mem_ctx;
2218
2219 result->pipe_name = cli_get_pipe_name(pipe_idx);
2220
2221 fnum = cli_nt_create(cli, result->pipe_name, DESIRED_ACCESS_PIPE);
2222
2223 if (fnum == -1) {
2224 DEBUG(1,("cli_rpc_pipe_open: cli_nt_create failed on pipe %s "
2225 "to machine %s. Error was %s\n",
2226 result->pipe_name, cli->desthost,
2227 cli_errstr(cli)));
2228 *perr = cli_get_nt_error(cli);
2229 talloc_destroy(result->mem_ctx);
2230 return NULL;
2231 }
2232
2233 result->fnum = fnum;
2234 result->cli = cli;
2235 result->pipe_idx = pipe_idx;
2236 result->auth.auth_type = PIPE_AUTH_TYPE_NONE;
2237 result->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
2238
2239 if (pipe_idx == PI_NETLOGON) {
2240 /* Set up a netlogon credential chain for a netlogon pipe. */
2241 result->dc = TALLOC_ZERO_P(mem_ctx, struct dcinfo);
2242 if (result->dc == NULL) {
2243 talloc_destroy(result->mem_ctx);
2244 return NULL;
2245 }
2246 }
2247
2248 DLIST_ADD(cli->pipe_list, result);
2249 *perr = NT_STATUS_OK;
2250
2251 return result;
2252 }
2253
2254 /****************************************************************************
2255 Open a named pipe to an SMB server and bind anonymously.
2256 ****************************************************************************/
2257
2258 struct rpc_pipe_client *cli_rpc_pipe_open_noauth(struct cli_state *cli, int pipe_idx, NTSTATUS *perr)
2259 {
2260 struct rpc_pipe_client *result;
2261
2262 result = cli_rpc_pipe_open(cli, pipe_idx, perr);
2263 if (result == NULL) {
2264 return NULL;
2265 }
2266
2267 *perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_NONE, PIPE_AUTH_LEVEL_NONE);
2268 if (!NT_STATUS_IS_OK(*perr)) {
2269 int lvl = 0;
2270 if (pipe_idx == PI_DSSETUP) {
2271 /* non AD domains just don't have this pipe, avoid
2272 * level 0 statement in that case - gd */
2273 lvl = 3;
2274 }
2275 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe %s failed with error %s\n",
2276 cli_get_pipe_name(pipe_idx), nt_errstr(*perr) ));
2277 cli_rpc_pipe_close(result);
2278 return NULL;
2279 }
2280
2281 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine %s and bound anonymously.\n",
2282 result->pipe_name, cli->desthost ));
2283
2284 return result;
2285 }
2286
2287 /****************************************************************************
2288 Free function for NTLMSSP auth.
2289 ****************************************************************************/
2290
2291 static void cli_ntlmssp_auth_free(struct cli_pipe_auth_data *auth)
2292 {
2293 if (auth->a_u.ntlmssp_state) {
2294 ntlmssp_end(&auth->a_u.ntlmssp_state);
2295 auth->a_u.ntlmssp_state = NULL;
2296 }
2297 }
2298
2299 /****************************************************************************
2300 Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP
2301 ****************************************************************************/
2302
2303 static struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
2304 int pipe_idx,
2305 enum pipe_auth_type auth_type,
2306 enum pipe_auth_level auth_level,
2307 const char *domain,
2308 const char *username,
2309 const char *password,
2310 NTSTATUS *perr)
2311 {
2312 struct rpc_pipe_client *result;
2313 NTLMSSP_STATE *ntlmssp_state = NULL;
2314
2315 result = cli_rpc_pipe_open(cli, pipe_idx, perr);
2316 if (result == NULL) {
2317 return NULL;
2318 }
2319
2320 result->auth.cli_auth_data_free_func = cli_ntlmssp_auth_free;
2321
2322 result->domain = domain;
2323 result->user_name = username;
2324 pwd_set_cleartext(&result->pwd, password);
2325
2326 *perr = ntlmssp_client_start(&ntlmssp_state);
2327 if (!NT_STATUS_IS_OK(*perr)) {
2328 goto err;
2329 }
2330
2331 result->auth.a_u.ntlmssp_state = ntlmssp_state;
2332
2333 *perr = ntlmssp_set_username(ntlmssp_state, cli->user_name);
2334 if (!NT_STATUS_IS_OK(*perr)) {
2335 goto err;
2336 }
2337
2338 *perr = ntlmssp_set_domain(ntlmssp_state, cli->domain);
2339 if (!NT_STATUS_IS_OK(*perr)) {
2340 goto err;
2341 }
2342
2343 if (cli->pwd.null_pwd) {
2344 *perr = ntlmssp_set_password(ntlmssp_state, NULL);
2345 if (!NT_STATUS_IS_OK(*perr)) {
2346 goto err;
2347 }
2348 } else {
2349 *perr = ntlmssp_set_password(ntlmssp_state, password);
2350 if (!NT_STATUS_IS_OK(*perr)) {
2351 goto err;
2352 }
2353 }
2354
2355 /* Turn off sign+seal to allow selected auth level to turn it back on. */
2356 ntlmssp_state->neg_flags &= ~(NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL);
2357
2358 if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
2359 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
2360 } else if (auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
2361 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN;
2362 }
2363
2364 *perr = rpc_pipe_bind(result, auth_type, auth_level);
2365 if (!NT_STATUS_IS_OK(*perr)) {
2366 DEBUG(0, ("cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error %s\n",
2367 nt_errstr(*perr) ));
2368 goto err;
2369 }
2370
2371 DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to "
2372 "machine %s and bound NTLMSSP as user %s\\%s.\n",
2373 result->pipe_name, cli->desthost,
2374 domain, username ));
2375
2376 return result;
2377
2378 err:
2379
2380 cli_rpc_pipe_close(result);
2381 return NULL;
2382 }
2383
2384 /****************************************************************************
2385 External interface.
2386 Open a named pipe to an SMB server and bind using NTLMSSP (bind type 10)
2387 ****************************************************************************/
2388
2389 struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
2390 int pipe_idx,
2391 enum pipe_auth_level auth_level,
2392 const char *domain,
2393 const char *username,
2394 const char *password,
2395 NTSTATUS *perr)
2396 {
2397 return cli_rpc_pipe_open_ntlmssp_internal(cli,
2398 pipe_idx,
2399 PIPE_AUTH_TYPE_NTLMSSP,
2400 auth_level,
2401 domain,
2402 username,
2403 password,
2404 perr);
2405 }
2406
2407 /****************************************************************************
2408 External interface.
2409 Open a named pipe to an SMB server and bind using spnego NTLMSSP (bind type 9)
2410 ****************************************************************************/
2411
2412 struct rpc_pipe_client *cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
2413 int pipe_idx,
2414 enum pipe_auth_level auth_level,
2415 const char *domain,
2416 const char *username,
2417 const char *password,
2418 NTSTATUS *perr)
2419 {
2420 return cli_rpc_pipe_open_ntlmssp_internal(cli,
2421 pipe_idx,
2422 PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
2423 auth_level,
2424 domain,
2425 username,
2426 password,
2427 perr);
2428 }
2429
2430 /****************************************************************************
2431 Get a the schannel session key out of an already opened netlogon pipe.
2432 ****************************************************************************/
2433 static bool get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
2434 struct cli_state *cli,
2435 const char *domain,
2436 uint32 *pneg_flags,
2437 NTSTATUS *perr)
2438 {
2439 uint32 sec_chan_type = 0;
2440 unsigned char machine_pwd[16];
2441 const char *machine_account;
2442
2443 /* Get the machine account credentials from secrets.tdb. */
2444 if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
2445 &sec_chan_type))
2446 {
2447 DEBUG(0, ("get_schannel_session_key: could not fetch "
2448 "trust account password for domain '%s'\n",
2449 domain));
2450 *perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2451 return false;
2452 }
2453
2454 *perr = rpccli_netlogon_setup_creds(netlogon_pipe,
2455 cli->desthost, /* server name */
2456 domain, /* domain */
2457 global_myname(), /* client name */
2458 machine_account, /* machine account name */
2459 machine_pwd,
2460 sec_chan_type,
2461 pneg_flags);
2462
2463 if (!NT_STATUS_IS_OK(*perr)) {
2464 DEBUG(3,("get_schannel_session_key_common: rpccli_netlogon_setup_creds "
2465 "failed with result %s to server %s, domain %s, machine account %s.\n",
2466 nt_errstr(*perr), cli->desthost, domain, machine_account ));
2467 return false;
2468 }
2469
2470 if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
2471 DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
2472 cli->desthost));
2473 *perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
2474 return false;
2475 }
2476
2477 return true;
2478 }
2479
2480 /****************************************************************************
2481 Open a netlogon pipe and get the schannel session key.
2482 Now exposed to external callers.
2483 ****************************************************************************/
2484
2485
2486 struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
2487 const char *domain,
2488 uint32 *pneg_flags,
2489 NTSTATUS *perr)
2490 {
2491 struct rpc_pipe_client *netlogon_pipe = NULL;
2492
2493 netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
2494 if (!netlogon_pipe) {
2495 return NULL;
2496 }
2497
2498 if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
2499 pneg_flags, perr))
2500 {
2501 cli_rpc_pipe_close(netlogon_pipe);
2502 return NULL;
2503 }
2504
2505 return netlogon_pipe;
2506 }
2507
2508 /****************************************************************************
2509 External interface.
2510 Open a named pipe to an SMB server and bind using schannel (bind type 68)
2511 using session_key. sign and seal.
2512 ****************************************************************************/
2513
2514 struct rpc_pipe_client *cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
2515 int pipe_idx,
2516 enum pipe_auth_level auth_level,
2517 const char *domain,
2518 const struct dcinfo *pdc,
2519 NTSTATUS *perr)
2520 {
2521 struct rpc_pipe_client *result;
2522
2523 result = cli_rpc_pipe_open(cli, pipe_idx, perr);
2524 if (result == NULL) {
2525 return NULL;
2526 }
2527
2528 result->auth.a_u.schannel_auth = TALLOC_ZERO_P(result->mem_ctx, struct schannel_auth_struct);
2529 if (!result->auth.a_u.schannel_auth) {
2530 cli_rpc_pipe_close(result);
2531 *perr = NT_STATUS_NO_MEMORY;
2532 return NULL;
2533 }
2534
2535 result->domain = domain;
2536 memcpy(result->auth.a_u.schannel_auth->sess_key, pdc->sess_key, 16);
2537
2538 *perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_SCHANNEL, auth_level);
2539 if (!NT_STATUS_IS_OK(*perr)) {
2540 DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed with error %s\n",
2541 nt_errstr(*perr) ));
2542 cli_rpc_pipe_close(result);
2543 return NULL;
2544 }
2545
2546 /* The credentials on a new netlogon pipe are the ones we are passed in - copy them over. */
2547 if (result->dc) {
2548 *result->dc = *pdc;
2549 }
2550
2551 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
2552 "for domain %s "
2553 "and bound using schannel.\n",
2554 result->pipe_name, cli->desthost, domain ));
2555
2556 return result;
2557 }
2558
2559 /****************************************************************************
2560 Open a named pipe to an SMB server and bind using schannel (bind type 68).
2561 Fetch the session key ourselves using a temporary netlogon pipe. This
2562 version uses an ntlmssp auth bound netlogon pipe to get the key.
2563 ****************************************************************************/
2564
2565 static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
2566 const char *domain,
2567 const char *username,
2568 const char *password,
2569 uint32 *pneg_flags,
2570 NTSTATUS *perr)
2571 {
2572 struct rpc_pipe_client *netlogon_pipe = NULL;
2573
2574 netlogon_pipe = cli_rpc_pipe_open_spnego_ntlmssp(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, perr);
2575 if (!netlogon_pipe) {
2576 return NULL;
2577 }
2578
2579 if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
2580 pneg_flags, perr))
2581 {
2582 cli_rpc_pipe_close(netlogon_pipe);
2583 return NULL;
2584 }
2585
2586 return netlogon_pipe;
2587 }
2588
2589 /****************************************************************************
2590 Open a named pipe to an SMB server and bind using schannel (bind type 68).
2591 Fetch the session key ourselves using a temporary netlogon pipe. This version
2592 uses an ntlmssp bind to get the session key.
2593 ****************************************************************************/
2594
2595 struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
2596 int pipe_idx,
2597 enum pipe_auth_level auth_level,
2598 const char *domain,
2599 const char *username,
2600 const char *password,
2601 NTSTATUS *perr)
2602 {
2603 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2604 struct rpc_pipe_client *netlogon_pipe = NULL;
2605 struct rpc_pipe_client *result = NULL;
2606
2607 netlogon_pipe = get_schannel_session_key_auth_ntlmssp(cli, domain, username,
2608 password, &neg_flags, perr);
2609 if (!netlogon_pipe) {
2610 DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
2611 "key from server %s for domain %s.\n",
2612 cli->desthost, domain ));
2613 return NULL;
2614 }
2615
2616 result = cli_rpc_pipe_open_schannel_with_key(cli, pipe_idx,
2617 auth_level,
2618 domain, netlogon_pipe->dc, perr);
2619
2620 /* Now we've bound using the session key we can close the netlog pipe. */
2621 cli_rpc_pipe_close(netlogon_pipe);
2622
2623 return result;
2624 }
2625
2626 /****************************************************************************
2627 Open a named pipe to an SMB server and bind using schannel (bind type 68).
2628 Fetch the session key ourselves using a temporary netlogon pipe.
2629 ****************************************************************************/
2630
2631 struct rpc_pipe_client *cli_rpc_pipe_open_schannel(struct cli_state *cli,
2632 int pipe_idx,
2633 enum pipe_auth_level auth_level,
2634 const char *domain,
2635 NTSTATUS *perr)
2636 {
2637 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2638 struct rpc_pipe_client *netlogon_pipe = NULL;
2639 struct rpc_pipe_client *result = NULL;
2640
2641 netlogon_pipe = get_schannel_session_key(cli, domain, &neg_flags, perr);
2642 if (!netlogon_pipe) {
2643 DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
2644 "key from server %s for domain %s.\n",
2645 cli->desthost, domain ));
2646 return NULL;
2647 }
2648
2649 result = cli_rpc_pipe_open_schannel_with_key(cli, pipe_idx,
2650 auth_level,
2651 domain, netlogon_pipe->dc, perr);
2652
2653 /* Now we've bound using the session key we can close the netlog pipe. */
2654 cli_rpc_pipe_close(netlogon_pipe);
2655
2656 return result;
2657 }
2658
2659 #ifdef HAVE_KRB5
2660
2661 /****************************************************************************
2662 Free function for the kerberos spcific data.
2663 ****************************************************************************/
2664
2665 static void kerberos_auth_struct_free(struct cli_pipe_auth_data *a)
2666 {
2667 data_blob_free(&a->a_u.kerberos_auth->session_key);
2668 }
2669
2670 #endif
2671
2672 /****************************************************************************
2673 Open a named pipe to an SMB server and bind using krb5 (bind type 16).
2674 The idea is this can be called with service_princ, username and password all
2675 NULL so long as the caller has a TGT.
2676 ****************************************************************************/
2677
2678 struct rpc_pipe_client *cli_rpc_pipe_open_krb5(struct cli_state *cli,
2679 int pipe_idx,
2680 enum pipe_auth_level auth_level,
2681 const char *service_princ,
2682 const char *username,
2683 const char *password,
2684 NTSTATUS *perr)
2685 {
2686 #ifdef HAVE_KRB5
2687 struct rpc_pipe_client *result;
2688
2689 result = cli_rpc_pipe_open(cli, pipe_idx, perr);
2690 if (result == NULL) {
2691 return NULL;
2692 }
2693
2694 /* Default service principal is "desthost$@realm" */
2695 if (!service_princ) {
2696 service_princ = talloc_asprintf(result->mem_ctx, "%s$@%s",
2697 cli->desthost, lp_realm() );
2698 if (!service_princ) {
2699 cli_rpc_pipe_close(result);
2700 return NULL;
2701 }
2702 }
2703
2704 /* Only get a new TGT if username/password are given. */
2705 if (username && password) {
2706 int ret = kerberos_kinit_password(username, password, 0, NULL);
2707 if (ret) {
2708 cli_rpc_pipe_close(result);
2709 return NULL;
2710 }
2711 }
2712
2713 result->auth.a_u.kerberos_auth = TALLOC_ZERO_P(result->mem_ctx, struct kerberos_auth_struct);
2714 if (!result->auth.a_u.kerberos_auth) {
2715 cli_rpc_pipe_close(result);
2716 *perr = NT_STATUS_NO_MEMORY;
2717 return NULL;
2718 }
2719
2720 result->auth.a_u.kerberos_auth->service_principal = service_princ;
2721 result->auth.cli_auth_data_free_func = kerberos_auth_struct_free;
2722
2723 *perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_KRB5, auth_level);
2724 if (!NT_STATUS_IS_OK(*perr)) {
2725 DEBUG(0, ("cli_rpc_pipe_open_krb5: cli_rpc_pipe_bind failed with error %s\n",
2726 nt_errstr(*perr) ));
2727 cli_rpc_pipe_close(result);
2728 return NULL;
2729 }
2730
2731 return result;
2732 #else
2733 DEBUG(0,("cli_rpc_pipe_open_krb5: kerberos not found at compile time.\n"));
2734 return NULL;
2735 #endif
2736 }
Samba GIT mirror