3 * Unix SMB/Netbios implementation.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998,
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1998.
9 * Copyright (C) Jeremy Allison 1999.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
33 extern int DEBUGLEVEL
;
34 extern struct pipe_id_info pipe_names
[];
35 extern fstring global_myworkgroup
;
36 extern pstring global_myname
;
38 /********************************************************************
40 ********************************************************************/
42 static uint32
get_rpc_call_id(void)
44 static uint32 call_id
= 0;
48 /*******************************************************************
49 Use SMBreadX to get rest of one fragment's worth of rpc data.
50 ********************************************************************/
52 static BOOL
rpc_read(struct cli_state
*cli
, prs_struct
*rdata
, uint32 data_to_read
, uint32
*rdata_offset
)
54 size_t size
= (size_t)cli
->max_recv_frag
;
55 int stream_offset
= 0;
59 int extra_data_size
= ((int)*rdata_offset
) + ((int)data_to_read
) - (int)prs_data_size(rdata
);
61 DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
62 (int)data_to_read
, (unsigned int)*rdata_offset
, extra_data_size
));
65 * Grow the buffer if needed to accommodate the data to be read.
68 if (extra_data_size
> 0) {
69 if(!prs_force_grow(rdata
, (uint32
)extra_data_size
)) {
70 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size
));
73 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size
, prs_data_size(rdata
) ));
76 pdata
= prs_data_p(rdata
) + *rdata_offset
;
78 do /* read data using SMBreadX */
80 if (size
> (size_t)data_to_read
)
81 size
= (size_t)data_to_read
;
83 num_read
= (int)cli_read(cli
, cli
->nt_pipe_fnum
, pdata
, (off_t
)stream_offset
, size
);
85 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
86 num_read
, stream_offset
, data_to_read
));
88 if (cli_error(cli
, NULL
, &err
, NULL
)) {
89 DEBUG(0,("rpc_read: Error %u in cli_read\n", (unsigned int)err
));
93 data_to_read
-= num_read
;
94 stream_offset
+= num_read
;
97 } while (num_read
> 0 && data_to_read
> 0);
98 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
101 * Update the current offset into rdata by the amount read.
103 *rdata_offset
+= stream_offset
;
108 /****************************************************************************
109 Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
110 ****************************************************************************/
112 static BOOL
rpc_check_hdr(prs_struct
*rdata
, RPC_HDR
*rhdr
,
113 BOOL
*first
, BOOL
*last
, uint32
*len
)
115 DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32
)prs_data_size(rdata
) ));
117 /* Next call sets endian bit. */
119 if(!smb_io_rpc_hdr("rpc_hdr ", rhdr
, rdata
, 0)) {
120 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
124 if (prs_offset(rdata
) != RPC_HEADER_LEN
) {
125 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata
), RPC_HEADER_LEN
));
129 (*first
) = ((rhdr
->flags
& RPC_FLG_FIRST
) != 0);
130 (*last
) = ((rhdr
->flags
& RPC_FLG_LAST
) != 0);
131 (*len
) = (uint32
)rhdr
->frag_len
- prs_data_size(rdata
);
133 return (rhdr
->pkt_type
!= RPC_FAULT
);
136 static void NTLMSSPcalc_ap( struct cli_state
*cli
, unsigned char *data
, uint32 len
)
138 unsigned char *hash
= cli
->ntlmssp_hash
;
139 unsigned char index_i
= hash
[256];
140 unsigned char index_j
= hash
[257];
143 for( ind
= 0; ind
< len
; ind
++) {
148 index_j
+= hash
[index_i
];
151 hash
[index_i
] = hash
[index_j
];
154 t
= hash
[index_i
] + hash
[index_j
];
155 data
[ind
] = data
[ind
] ^ hash
[t
];
162 /****************************************************************************
163 Verify data on an rpc pipe.
164 The VERIFY & SEAL code is only executed on packets that look like this :
166 Request/Response PDU's look like the following...
168 |<------------------PDU len----------------------------------------------->|
169 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
171 +------------+-----------------+-------------+---------------+-------------+
172 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
173 +------------+-----------------+-------------+---------------+-------------+
175 Never on bind requests/responses.
176 ****************************************************************************/
178 static BOOL
rpc_auth_pipe(struct cli_state
*cli
, prs_struct
*rdata
, int len
, int auth_len
)
181 * The following is that length of the data we must sign or seal.
182 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
183 * preceeding the auth_data.
186 int data_len
= len
- RPC_HEADER_LEN
- RPC_HDR_RESP_LEN
- RPC_HDR_AUTH_LEN
- auth_len
;
189 * The start of the data to sign/seal is just after the RPC headers.
191 char *reply_data
= prs_data_p(rdata
) + RPC_HEADER_LEN
+ RPC_HDR_REQ_LEN
;
193 BOOL auth_verify
= ((cli
->ntlmssp_srv_flgs
& NTLMSSP_NEGOTIATE_SIGN
) != 0);
194 BOOL auth_seal
= ((cli
->ntlmssp_srv_flgs
& NTLMSSP_NEGOTIATE_SEAL
) != 0);
196 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
197 len
, auth_len
, BOOLSTR(auth_verify
), BOOLSTR(auth_seal
)));
200 * Unseal any sealed data in the PDU, not including the
201 * 8 byte auth_header or the auth_data.
205 DEBUG(10,("rpc_auth_pipe: unseal\n"));
206 dump_data(100, reply_data
, data_len
);
207 NTLMSSPcalc_ap(cli
, (uchar
*)reply_data
, data_len
);
208 dump_data(100, reply_data
, data_len
);
211 if (auth_verify
|| auth_seal
) {
212 RPC_HDR_AUTH rhdr_auth
;
214 char data
[RPC_HDR_AUTH_LEN
];
216 * We set dp to be the end of the packet, minus the auth_len
217 * and the length of the header that preceeds the auth_data.
219 char *dp
= prs_data_p(rdata
) + len
- auth_len
- RPC_HDR_AUTH_LEN
;
221 if(dp
- prs_data_p(rdata
) > prs_data_size(rdata
)) {
222 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
226 memcpy(data
, dp
, sizeof(data
));
228 prs_init(&auth_req
, 0, cli
->mem_ctx
, UNMARSHALL
);
230 /* The endianness must be preserved... JRA. */
232 prs_set_endian_data(&auth_req
, rdata
->bigendian_data
);
234 prs_give_memory(&auth_req
, data
, RPC_HDR_AUTH_LEN
, False
);
237 * Unmarshall the 8 byte auth_header that comes before the
241 if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth
, &auth_req
, 0)) {
242 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n"));
246 if (!rpc_hdr_auth_chk(&rhdr_auth
)) {
247 DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n"));
253 * Now unseal and check the auth verifier in the auth_data at
254 * then end of the packet. The 4 bytes skipped in the unseal
255 * seem to be a buffer pointer preceeding the sealed data.
259 RPC_AUTH_NTLMSSP_CHK chk
;
261 prs_struct auth_verf
;
262 char data
[RPC_AUTH_NTLMSSP_CHK_LEN
];
263 char *dp
= prs_data_p(rdata
) + len
- auth_len
;
265 if(dp
- prs_data_p(rdata
) > prs_data_size(rdata
)) {
266 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
270 DEBUG(10,("rpc_auth_pipe: verify\n"));
271 dump_data(100, dp
, auth_len
);
272 NTLMSSPcalc_ap(cli
, (uchar
*)(dp
+4), auth_len
- 4);
274 memcpy(data
, dp
, RPC_AUTH_NTLMSSP_CHK_LEN
);
275 dump_data(100, data
, auth_len
);
277 prs_init(&auth_verf
, 0, cli
->mem_ctx
, UNMARSHALL
);
279 /* The endinness must be preserved. JRA. */
280 prs_set_endian_data( &auth_verf
, rdata
->bigendian_data
);
282 prs_give_memory(&auth_verf
, data
, RPC_AUTH_NTLMSSP_CHK_LEN
, False
);
284 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk
, &auth_verf
, 0)) {
285 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n"));
289 crc32
= crc32_calc_buffer(reply_data
, data_len
);
291 if (!rpc_auth_ntlmssp_chk(&chk
, crc32
, cli
->ntlmssp_seq_num
)) {
292 DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n"));
295 cli
->ntlmssp_seq_num
++;
301 /****************************************************************************
302 Send data on an rpc pipe, which *must* be in one fragment.
303 receive response data from an rpc pipe, which may be large...
305 Read the first fragment: unfortunately have to use SMBtrans for the first
306 bit, then SMBreadX for subsequent bits.
308 If first fragment received also wasn't the last fragment, continue
309 getting fragments until we _do_ receive the last fragment.
311 Request/Response PDU's look like the following...
313 |<------------------PDU len----------------------------------------------->|
314 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
316 +------------+-----------------+-------------+---------------+-------------+
317 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
318 +------------+-----------------+-------------+---------------+-------------+
320 Where the presence of the AUTH_HDR and AUTH are dependent on the
321 signing & sealing being neogitated.
323 ****************************************************************************/
325 static BOOL
rpc_api_pipe(struct cli_state
*cli
, uint16 cmd
, prs_struct
*data
, prs_struct
*rdata
)
329 uint32 rparam_len
= 0;
335 char *pdata
= data
? prs_data_p(data
) : NULL
;
336 uint32 data_len
= data
? prs_offset(data
) : 0;
338 uint32 rdata_len
= 0;
339 uint32 current_offset
= 0;
342 * Create setup parameters - must be in native byte order.
345 setup
[1] = cli
->nt_pipe_fnum
; /* Pipe file handle. */
347 DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", (int)cmd
, (int)cli
->nt_pipe_fnum
));
349 /* send the data: receive a response. */
350 if (!cli_api_pipe(cli
, "\\PIPE\\",
351 setup
, 2, 0, /* Setup, length, max */
352 NULL
, 0, 0, /* Params, length, max */
353 pdata
, data_len
, data_len
, /* data, length, max */
354 &rparam
, &rparam_len
, /* return params, len */
355 &prdata
, &rdata_len
)) /* return data, len */
357 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli
)));
362 * Throw away returned params - we know we won't use them.
370 if (prdata
== NULL
) {
371 DEBUG(0,("rpc_api_pipe: cmd %x on pipe %x failed to return data.\n",
372 (int)cmd
, (int)cli
->nt_pipe_fnum
));
377 * Give this memory as dynamically allocated to the return parse struct.
380 prs_give_memory(rdata
, prdata
, rdata_len
, True
);
381 current_offset
= rdata_len
;
383 /* This next call sets the endian bit correctly in rdata. */
385 if (!rpc_check_hdr(rdata
, &rhdr
, &first
, &last
, &len
)) {
390 if (rhdr
.pkt_type
== RPC_BINDACK
) {
391 if (!last
&& !first
) {
392 DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
398 if (rhdr
.pkt_type
== RPC_RESPONSE
) {
399 RPC_HDR_RESP rhdr_resp
;
400 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp
, rdata
, 0)) {
401 DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
407 DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
408 (unsigned int)len
, (unsigned int)rdata_len
));
410 /* check if data to be sent back was too large for one SMB. */
411 /* err status is only informational: the _real_ check is on the length */
413 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
415 * Read the rest of the first response PDU.
417 if (!rpc_read(cli
, rdata
, len
, ¤t_offset
)) {
424 * Now we have a complete PDU, check the auth struct if any was sent.
427 if (rhdr
.auth_len
!= 0) {
428 if(!rpc_auth_pipe(cli
, rdata
, rhdr
.frag_len
, rhdr
.auth_len
))
431 * Drop the auth footers from the current offset.
432 * We need this if there are more fragments.
433 * The auth footers consist of the auth_data and the
434 * preceeding 8 byte auth_header.
436 current_offset
-= (rhdr
.auth_len
+ RPC_HDR_AUTH_LEN
);
440 * Only one rpc fragment, and it has been read.
444 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
449 * Read more fragments until we get the last one.
453 RPC_HDR_RESP rhdr_resp
;
455 char hdr_data
[RPC_HEADER_LEN
+RPC_HDR_RESP_LEN
];
459 * First read the header of the next PDU.
462 prs_init(&hps
, 0, cli
->mem_ctx
, UNMARSHALL
);
463 prs_give_memory(&hps
, hdr_data
, sizeof(hdr_data
), False
);
465 num_read
= cli_read(cli
, cli
->nt_pipe_fnum
, hdr_data
, 0, RPC_HEADER_LEN
+RPC_HDR_RESP_LEN
);
466 if (cli_error(cli
, NULL
, &err
, NULL
)) {
467 DEBUG(0,("rpc_api_pipe: cli_read error : %d\n", err
));
471 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read
));
473 if (num_read
!= RPC_HEADER_LEN
+RPC_HDR_RESP_LEN
) {
474 DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
475 RPC_HEADER_LEN
+RPC_HDR_RESP_LEN
, num_read
));
479 /* This call sets the endianness in hps. */
481 if (!rpc_check_hdr(&hps
, &rhdr
, &first
, &last
, &len
))
484 /* Ensure the endianness in rdata is set correctly - must be same as hps. */
486 if (hps
.bigendian_data
!= rdata
->bigendian_data
) {
487 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
488 rdata
->bigendian_data
? "big" : "little",
489 hps
.bigendian_data
? "big" : "little" ));
493 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp
, &hps
, 0)) {
494 DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
499 DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
504 * Now read the rest of the PDU.
507 if (!rpc_read(cli
, rdata
, len
, ¤t_offset
))
511 * Verify any authentication footer.
514 if (rhdr
.auth_len
!= 0 ) {
515 if(!rpc_auth_pipe(cli
, rdata
, rhdr
.frag_len
, rhdr
.auth_len
))
518 * Drop the auth footers from the current offset.
519 * The auth footers consist of the auth_data and the
520 * preceeding 8 byte auth_header.
521 * We need this if there are more fragments.
523 current_offset
-= (rhdr
.auth_len
+ RPC_HDR_AUTH_LEN
);
530 /*******************************************************************
531 creates a DCE/RPC bind request
533 - initialises the parse structure.
534 - dynamically allocates the header data structure
535 - caller is expected to free the header data structure once used.
537 ********************************************************************/
539 static BOOL
create_rpc_bind_req(prs_struct
*rpc_out
, BOOL do_auth
, uint32 rpc_call_id
,
540 RPC_IFACE
*abstract
, RPC_IFACE
*transfer
,
541 char *my_name
, char *domain
, uint32 neg_flags
)
546 prs_struct auth_info
;
549 prs_init(&auth_info
, 0, prs_get_mem_context(rpc_out
), MARSHALL
);
552 RPC_HDR_AUTH hdr_auth
;
553 RPC_AUTH_VERIFIER auth_verifier
;
554 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg
;
557 * Create the auth structs we will marshall.
560 init_rpc_hdr_auth(&hdr_auth
, NTLMSSP_AUTH_TYPE
, NTLMSSP_AUTH_LEVEL
, 0x00, 1);
561 init_rpc_auth_verifier(&auth_verifier
, "NTLMSSP", NTLMSSP_NEGOTIATE
);
562 init_rpc_auth_ntlmssp_neg(&ntlmssp_neg
, neg_flags
, my_name
, domain
);
565 * Use the 4k buffer to store the auth info.
568 prs_give_memory( &auth_info
, buffer
, sizeof(buffer
), False
);
571 * Now marshall the data into the temporary parse_struct.
574 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth
, &auth_info
, 0)) {
575 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
579 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier
, &auth_info
, 0)) {
580 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n"));
584 if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg
, &auth_info
, 0)) {
585 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n"));
589 /* Auth len in the rpc header doesn't include auth_header. */
590 auth_len
= prs_offset(&auth_info
) - RPC_HDR_AUTH_LEN
;
593 /* create the request RPC_HDR */
594 init_rpc_hdr(&hdr
, RPC_BIND
, 0x0, rpc_call_id
,
595 RPC_HEADER_LEN
+ RPC_HDR_RB_LEN
+ prs_offset(&auth_info
),
598 if(!smb_io_rpc_hdr("hdr" , &hdr
, rpc_out
, 0)) {
599 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
603 /* create the bind request RPC_HDR_RB */
604 init_rpc_hdr_rb(&hdr_rb
, MAX_PDU_FRAG_LEN
, MAX_PDU_FRAG_LEN
, 0x0,
605 0x1, 0x0, 0x1, abstract
, transfer
);
607 /* Marshall the bind request data */
608 if(!smb_io_rpc_hdr_rb("", &hdr_rb
, rpc_out
, 0)) {
609 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
614 * Grow the outgoing buffer to store any auth info.
617 if(hdr
.auth_len
!= 0) {
618 if(!prs_append_prs_data( rpc_out
, &auth_info
)) {
619 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
627 /*******************************************************************
628 Creates a DCE/RPC bind authentication response.
629 This is the packet that is sent back to the server once we
630 have received a BIND-ACK, to finish the third leg of
631 the authentication handshake.
632 ********************************************************************/
634 static BOOL
create_rpc_bind_resp(struct pwd_info
*pwd
,
635 char *domain
, char *user_name
, char *my_name
,
636 uint32 ntlmssp_cli_flgs
,
640 unsigned char lm_owf
[24];
641 unsigned char nt_owf
[24];
643 RPC_HDR_AUTHA hdr_autha
;
644 RPC_AUTH_VERIFIER auth_verifier
;
645 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp
;
647 prs_struct auth_info
;
650 * Marshall the variable length data into a temporary parse
651 * struct, pointing into a 4k local buffer.
653 prs_init(&auth_info
, 0, prs_get_mem_context(rpc_out
), MARSHALL
);
656 * Use the 4k buffer to store the auth info.
659 prs_give_memory( &auth_info
, buffer
, sizeof(buffer
), False
);
662 * Create the variable length auth_data.
665 init_rpc_auth_verifier(&auth_verifier
, "NTLMSSP", NTLMSSP_AUTH
);
667 pwd_get_lm_nt_owf(pwd
, lm_owf
, nt_owf
);
669 init_rpc_auth_ntlmssp_resp(&ntlmssp_resp
,
671 domain
, user_name
, my_name
,
675 * Marshall the variable length auth_data into a temp parse_struct.
678 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier
, &auth_info
, 0)) {
679 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n"));
683 if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp
, &auth_info
, 0)) {
684 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n"));
688 /* Create the request RPC_HDR */
689 init_rpc_hdr(&hdr
, RPC_BINDRESP
, 0x0, rpc_call_id
,
690 RPC_HEADER_LEN
+ RPC_HDR_AUTHA_LEN
+ prs_offset(&auth_info
),
691 prs_offset(&auth_info
) );
694 if(!smb_io_rpc_hdr("hdr", &hdr
, rpc_out
, 0)) {
695 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
699 /* Create the request RPC_HDR_AUTHA */
700 init_rpc_hdr_autha(&hdr_autha
, MAX_PDU_FRAG_LEN
, MAX_PDU_FRAG_LEN
,
701 NTLMSSP_AUTH_TYPE
, NTLMSSP_AUTH_LEVEL
, 0x00);
703 if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha
, rpc_out
, 0)) {
704 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
709 * Append the auth data to the outgoing buffer.
712 if(!prs_append_prs_data(rpc_out
, &auth_info
)) {
713 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
721 /*******************************************************************
722 Creates a DCE/RPC request.
723 ********************************************************************/
725 static BOOL
create_rpc_request(prs_struct
*rpc_out
, uint8 op_num
, int data_len
, int auth_len
)
731 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num
, data_len
));
733 /* create the rpc header RPC_HDR */
734 init_rpc_hdr(&hdr
, RPC_REQUEST
, RPC_FLG_FIRST
| RPC_FLG_LAST
,
735 get_rpc_call_id(), data_len
, auth_len
);
738 * The alloc hint should be the amount of data, not including
739 * RPC headers & footers.
743 alloc_hint
= data_len
- RPC_HEADER_LEN
- RPC_HDR_AUTH_LEN
- auth_len
;
745 alloc_hint
= data_len
- RPC_HEADER_LEN
;
747 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
748 data_len
, auth_len
, alloc_hint
));
750 /* Create the rpc request RPC_HDR_REQ */
751 init_rpc_hdr_req(&hdr_req
, alloc_hint
, op_num
);
754 if(!smb_io_rpc_hdr("hdr ", &hdr
, rpc_out
, 0))
757 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req
, rpc_out
, 0))
760 if (prs_offset(rpc_out
) != RPC_HEADER_LEN
+ RPC_HDR_REQ_LEN
)
767 /****************************************************************************
768 Send a request on an rpc pipe.
769 ****************************************************************************/
771 BOOL
rpc_api_pipe_req(struct cli_state
*cli
, uint8 op_num
,
772 prs_struct
*data
, prs_struct
*rdata
)
774 prs_struct outgoing_packet
;
781 char *pdata_out
= NULL
;
783 auth_verify
= ((cli
->ntlmssp_srv_flgs
& NTLMSSP_NEGOTIATE_SIGN
) != 0);
784 auth_seal
= ((cli
->ntlmssp_srv_flgs
& NTLMSSP_NEGOTIATE_SEAL
) != 0);
787 * The auth_len doesn't include the RPC_HDR_AUTH_LEN.
790 auth_len
= (auth_verify
? RPC_AUTH_NTLMSSP_CHK_LEN
: 0);
793 * PDU len is header, plus request header, plus data, plus
794 * auth_header_len (if present), plus auth_len (if present).
795 * NB. The auth stuff should be aligned on an 8 byte boundary
796 * to be totally DCE/RPC spec complient. For now we cheat and
797 * hope that the data structs defined are a multiple of 8 bytes.
800 if((prs_offset(data
) % 8) != 0) {
801 DEBUG(5,("rpc_api_pipe_req: Outgoing data not a multiple of 8 bytes....\n"));
804 data_len
= RPC_HEADER_LEN
+ RPC_HDR_REQ_LEN
+ prs_offset(data
) +
805 (auth_verify
? RPC_HDR_AUTH_LEN
: 0) + auth_len
;
808 * Malloc a parse struct to hold it (and enough for alignments).
811 if(!prs_init(&outgoing_packet
, data_len
+ 8, cli
->mem_ctx
, MARSHALL
)) {
812 DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len
));
816 pdata_out
= prs_data_p(&outgoing_packet
);
819 * Write out the RPC header and the request header.
822 if(!create_rpc_request(&outgoing_packet
, op_num
, data_len
, auth_len
)) {
823 DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
824 prs_mem_free(&outgoing_packet
);
829 * Seal the outgoing data if requested.
833 crc32
= crc32_calc_buffer(prs_data_p(data
), prs_offset(data
));
834 NTLMSSPcalc_ap(cli
, (unsigned char*)prs_data_p(data
), prs_offset(data
));
838 * Now copy the data into the outgoing packet.
841 if(!prs_append_prs_data( &outgoing_packet
, data
)) {
842 DEBUG(0,("rpc_api_pipe_req: Failed to append data to outgoing packet.\n"));
843 prs_mem_free(&outgoing_packet
);
848 * Add a trailing auth_verifier if needed.
851 if (auth_seal
|| auth_verify
) {
852 RPC_HDR_AUTH hdr_auth
;
854 init_rpc_hdr_auth(&hdr_auth
, NTLMSSP_AUTH_TYPE
,
855 NTLMSSP_AUTH_LEVEL
, 0x08, (auth_verify
? 1 : 0));
856 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth
, &outgoing_packet
, 0)) {
857 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_HDR_AUTH.\n"));
858 prs_mem_free(&outgoing_packet
);
864 * Finally the auth data itself.
868 RPC_AUTH_NTLMSSP_CHK chk
;
869 uint32 current_offset
= prs_offset(&outgoing_packet
);
871 init_rpc_auth_ntlmssp_chk(&chk
, NTLMSSP_SIGN_VERSION
, crc32
, cli
->ntlmssp_seq_num
++);
872 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk
, &outgoing_packet
, 0)) {
873 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n"));
874 prs_mem_free(&outgoing_packet
);
877 NTLMSSPcalc_ap(cli
, (unsigned char*)&pdata_out
[current_offset
+4], RPC_AUTH_NTLMSSP_CHK_LEN
- 4);
880 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len
, prs_offset(&outgoing_packet
)));
882 ret
= rpc_api_pipe(cli
, 0x0026, &outgoing_packet
, rdata
);
884 prs_mem_free(&outgoing_packet
);
889 /****************************************************************************
890 Set the handle state.
891 ****************************************************************************/
893 static BOOL
rpc_pipe_set_hnd_state(struct cli_state
*cli
, char *pipe_name
, uint16 device_state
)
895 BOOL state_set
= False
;
897 uint16 setup
[2]; /* only need 2 uint16 setup parameters */
900 uint32 rparam_len
, rdata_len
;
902 if (pipe_name
== NULL
)
905 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
906 cli
->nt_pipe_fnum
, pipe_name
, device_state
));
908 /* create parameters: device state */
909 SSVAL(param
, 0, device_state
);
911 /* create setup parameters. */
913 setup
[1] = cli
->nt_pipe_fnum
; /* pipe file handle. got this from an SMBOpenX. */
915 /* send the data on \PIPE\ */
916 if (cli_api_pipe(cli
, "\\PIPE\\",
917 setup
, 2, 0, /* setup, length, max */
918 param
, 2, 0, /* param, length, max */
919 NULL
, 0, 1024, /* data, length, max */
920 &rparam
, &rparam_len
, /* return param, length */
921 &rdata
, &rdata_len
)) /* return data, length */
923 DEBUG(5, ("Set Handle state: return OK\n"));
935 /****************************************************************************
936 check the rpc bind acknowledge response
937 ****************************************************************************/
939 static BOOL
valid_pipe_name(char *pipe_name
, RPC_IFACE
*abstract
, RPC_IFACE
*transfer
)
943 while (pipe_names
[pipe_idx
].client_pipe
!= NULL
) {
944 if (strequal(pipe_name
, pipe_names
[pipe_idx
].client_pipe
)) {
945 DEBUG(5,("Bind Abstract Syntax: "));
946 dump_data(5, (char*)&(pipe_names
[pipe_idx
].abstr_syntax
),
947 sizeof(pipe_names
[pipe_idx
].abstr_syntax
));
948 DEBUG(5,("Bind Transfer Syntax: "));
949 dump_data(5, (char*)&(pipe_names
[pipe_idx
].trans_syntax
),
950 sizeof(pipe_names
[pipe_idx
].trans_syntax
));
952 /* copy the required syntaxes out so we can do the right bind */
953 *transfer
= pipe_names
[pipe_idx
].trans_syntax
;
954 *abstract
= pipe_names
[pipe_idx
].abstr_syntax
;
961 DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name
));
965 /****************************************************************************
966 check the rpc bind acknowledge response
967 ****************************************************************************/
969 static BOOL
check_bind_response(RPC_HDR_BA
*hdr_ba
, char *pipe_name
, RPC_IFACE
*transfer
)
973 while ((pipe_names
[i
].client_pipe
!= NULL
) && hdr_ba
->addr
.len
> 0) {
974 if ((strequal(pipe_name
, pipe_names
[i
].client_pipe
))) {
975 if (strequal(hdr_ba
->addr
.str
, pipe_names
[i
].server_pipe
)) {
976 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n",
977 pipe_names
[i
].server_pipe
));
980 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
981 pipe_names
[i
].server_pipe
,
990 if (pipe_names
[i
].server_pipe
== NULL
) {
991 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba
->addr
.str
));
995 /* check the transfer syntax */
996 if ((hdr_ba
->transfer
.version
!= transfer
->version
) ||
997 (memcmp(&hdr_ba
->transfer
.uuid
, &transfer
->uuid
, sizeof(transfer
->uuid
)) !=0)) {
998 DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n"));
1002 /* lkclXXXX only accept one result: check the result(s) */
1003 if (hdr_ba
->res
.num_results
!= 0x1 || hdr_ba
->res
.result
!= 0) {
1004 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1005 hdr_ba
->res
.num_results
, hdr_ba
->res
.reason
));
1008 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
1012 /****************************************************************************
1013 Create and send the third packet in an RPC auth.
1014 ****************************************************************************/
1016 static BOOL
rpc_send_auth_reply(struct cli_state
*cli
, prs_struct
*rdata
, uint32 rpc_call_id
)
1018 RPC_HDR_AUTH rhdr_auth
;
1019 RPC_AUTH_VERIFIER rhdr_verf
;
1020 RPC_AUTH_NTLMSSP_CHAL rhdr_chal
;
1021 char buffer
[MAX_PDU_FRAG_LEN
];
1025 unsigned char p24
[24];
1026 unsigned char lm_owf
[24];
1027 unsigned char lm_hash
[16];
1029 if(!smb_io_rpc_hdr_auth("", &rhdr_auth
, rdata
, 0)) {
1030 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n"));
1033 if(!smb_io_rpc_auth_verifier("", &rhdr_verf
, rdata
, 0)) {
1034 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n"));
1037 if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal
, rdata
, 0)) {
1038 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n"));
1042 cli
->ntlmssp_cli_flgs
= rhdr_chal
.neg_flags
;
1044 pwd_make_lm_nt_owf(&cli
->pwd
, rhdr_chal
.challenge
);
1046 prs_init(&rpc_out
, 0, cli
->mem_ctx
, MARSHALL
);
1048 prs_give_memory( &rpc_out
, buffer
, sizeof(buffer
), False
);
1050 create_rpc_bind_resp(&cli
->pwd
, cli
->domain
,
1051 cli
->user_name
, global_myname
,
1052 cli
->ntlmssp_cli_flgs
, rpc_call_id
,
1055 pwd_get_lm_nt_owf(&cli
->pwd
, lm_owf
, NULL
);
1056 pwd_get_lm_nt_16(&cli
->pwd
, lm_hash
, NULL
);
1058 NTLMSSPOWFencrypt(lm_hash
, lm_owf
, p24
);
1061 unsigned char j
= 0;
1063 unsigned char k2
[8];
1070 for (ind
= 0; ind
< 256; ind
++)
1071 cli
->ntlmssp_hash
[ind
] = (unsigned char)ind
;
1073 for( ind
= 0; ind
< 256; ind
++) {
1076 j
+= (cli
->ntlmssp_hash
[ind
] + k2
[ind
%8]);
1078 tc
= cli
->ntlmssp_hash
[ind
];
1079 cli
->ntlmssp_hash
[ind
] = cli
->ntlmssp_hash
[j
];
1080 cli
->ntlmssp_hash
[j
] = tc
;
1083 cli
->ntlmssp_hash
[256] = 0;
1084 cli
->ntlmssp_hash
[257] = 0;
1087 memset((char *)lm_hash
, '\0', sizeof(lm_hash
));
1089 if ((ret
= cli_write(cli
, cli
->nt_pipe_fnum
, 0x8, prs_data_p(&rpc_out
),
1090 0, (size_t)prs_offset(&rpc_out
))) != (ssize_t
)prs_offset(&rpc_out
)) {
1091 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret
));
1095 cli
->ntlmssp_srv_flgs
= rhdr_chal
.neg_flags
;
1099 /****************************************************************************
1101 ****************************************************************************/
1103 BOOL
rpc_pipe_bind(struct cli_state
*cli
, char *pipe_name
, char *my_name
)
1109 BOOL do_auth
= (cli
->ntlmssp_cli_flgs
!= 0);
1111 char buffer
[MAX_PDU_FRAG_LEN
];
1113 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli
->nt_pipe_fnum
, pipe_name
));
1115 if (!valid_pipe_name(pipe_name
, &abstract
, &transfer
))
1118 prs_init(&rpc_out
, 0, cli
->mem_ctx
, MARSHALL
);
1121 * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
1124 prs_give_memory( &rpc_out
, buffer
, sizeof(buffer
), False
);
1126 rpc_call_id
= get_rpc_call_id();
1128 /* Marshall the outgoing data. */
1129 create_rpc_bind_req(&rpc_out
, do_auth
, rpc_call_id
,
1130 &abstract
, &transfer
,
1131 global_myname
, cli
->domain
, cli
->ntlmssp_cli_flgs
);
1133 /* Initialize the incoming data struct. */
1134 prs_init(&rdata
, 0, cli
->mem_ctx
, UNMARSHALL
);
1136 /* send data on \PIPE\. receive a response */
1137 if (rpc_api_pipe(cli
, 0x0026, &rpc_out
, &rdata
)) {
1140 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
1142 if(!smb_io_rpc_hdr_ba("", &hdr_ba
, &rdata
, 0)) {
1143 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
1144 prs_mem_free(&rdata
);
1148 if(!check_bind_response(&hdr_ba
, pipe_name
, &transfer
)) {
1149 DEBUG(0,("rpc_pipe_bind: check_bind_response failed.\n"));
1150 prs_mem_free(&rdata
);
1154 cli
->max_xmit_frag
= hdr_ba
.bba
.max_tsize
;
1155 cli
->max_recv_frag
= hdr_ba
.bba
.max_rsize
;
1158 * If we're doing NTLMSSP auth we need to send a reply to
1159 * the bind-ack to complete the 3-way challenge response
1163 if (do_auth
&& !rpc_send_auth_reply(cli
, &rdata
, rpc_call_id
)) {
1164 DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
1165 prs_mem_free(&rdata
);
1170 prs_mem_free(&rdata
);
1174 /****************************************************************************
1175 Set ntlmssp negotiation flags.
1176 ****************************************************************************/
1178 void cli_nt_set_ntlmssp_flgs(struct cli_state
*cli
, uint32 ntlmssp_flgs
)
1180 cli
->ntlmssp_cli_flgs
= ntlmssp_flgs
;
1184 /****************************************************************************
1186 ****************************************************************************/
1188 BOOL
cli_nt_session_open(struct cli_state
*cli
, char *pipe_name
)
1192 SMB_ASSERT(cli
->nt_pipe_fnum
== 0);
1194 if (cli
->capabilities
& CAP_NT_SMBS
) {
1195 if ((fnum
= cli_nt_create(cli
, &(pipe_name
[5]), DESIRED_ACCESS_PIPE
)) == -1) {
1196 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1197 &(pipe_name
[5]), cli
->desthost
, cli_errstr(cli
)));
1201 cli
->nt_pipe_fnum
= (uint16
)fnum
;
1203 if ((fnum
= cli_open(cli
, pipe_name
, O_CREAT
|O_RDWR
, DENY_NONE
)) == -1) {
1204 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1205 pipe_name
, cli
->desthost
, cli_errstr(cli
)));
1209 cli
->nt_pipe_fnum
= (uint16
)fnum
;
1211 /**************** Set Named Pipe State ***************/
1212 if (!rpc_pipe_set_hnd_state(cli
, pipe_name
, 0x4300)) {
1213 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1215 cli_close(cli
, cli
->nt_pipe_fnum
);
1220 /******************* bind request on pipe *****************/
1222 if (!rpc_pipe_bind(cli
, pipe_name
, global_myname
)) {
1223 DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n",
1225 cli_close(cli
, cli
->nt_pipe_fnum
);
1230 * Setup the remote server name prefixed by \ and the machine account name.
1233 fstrcpy(cli
->srv_name_slash
, "\\\\");
1234 fstrcat(cli
->srv_name_slash
, cli
->desthost
);
1235 strupper(cli
->srv_name_slash
);
1237 fstrcpy(cli
->clnt_name_slash
, "\\\\");
1238 fstrcat(cli
->clnt_name_slash
, global_myname
);
1239 strupper(cli
->clnt_name_slash
);
1241 fstrcpy(cli
->mach_acct
, global_myname
);
1242 fstrcat(cli
->mach_acct
, "$");
1243 strupper(cli
->mach_acct
);
1248 /****************************************************************************
1250 ****************************************************************************/
1252 void cli_nt_session_close(struct cli_state
*cli
)
1254 cli_close(cli
, cli
->nt_pipe_fnum
);
1255 cli
->nt_pipe_fnum
= 0;