search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
This fixes a bug when establishing trust against a german W2k3 AD server. In
[Samba/gebeck_regimport.git] / source3 / rpc_client / cli_pipe.c
blobfdd9d3c3b1aa66600fde2d451df8a8ce14413686
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1998.
7 * Copyright (C) Jeremy Allison 1999.
8 * Copyright (C) Andrew Bartlett 2003.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_RPC_CLI
29
30 extern struct pipe_id_info pipe_names[];
31
32 /* convert pipe auth flags into the RPC auth type and level */
33
34 void get_auth_type_level(int pipe_auth_flags, int *auth_type, int *auth_level)
35 {
36 *auth_type = 0;
37 *auth_level = 0;
38 if (pipe_auth_flags & AUTH_PIPE_SEAL) {
39 *auth_level = RPC_PIPE_AUTH_SEAL_LEVEL;
40 } else if (pipe_auth_flags & AUTH_PIPE_SIGN) {
41 *auth_level = RPC_PIPE_AUTH_SIGN_LEVEL;
42 }
43
44 if (pipe_auth_flags & AUTH_PIPE_NETSEC) {
45 *auth_type = NETSEC_AUTH_TYPE;
46 } else if (pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
47 *auth_type = NTLMSSP_AUTH_TYPE;
48 }
49 }
50
51 /********************************************************************
52 Rpc pipe call id.
53 ********************************************************************/
54
55 static uint32 get_rpc_call_id(void)
56 {
57 static uint32 call_id = 0;
58 return ++call_id;
59 }
60
61 /*******************************************************************
62 Use SMBreadX to get rest of one fragment's worth of rpc data.
63 ********************************************************************/
64
65 static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
66 {
67 size_t size = (size_t)cli->max_recv_frag;
68 int stream_offset = 0;
69 int num_read;
70 char *pdata;
71 int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
72
73 DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
74 (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
75
76 /*
77 * Grow the buffer if needed to accommodate the data to be read.
78 */
79
80 if (extra_data_size > 0) {
81 if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
82 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
83 return False;
84 }
85 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
86 }
87
88 pdata = prs_data_p(rdata) + *rdata_offset;
89
90 do /* read data using SMBreadX */
91 {
92 uint32 ecode;
93 uint8 eclass;
94
95 if (size > (size_t)data_to_read)
96 size = (size_t)data_to_read;
97
98 num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
99
100 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
101 num_read, stream_offset, data_to_read));
102
103 if (cli_is_dos_error(cli)) {
104 cli_dos_error(cli, &eclass, &ecode);
105 if (eclass != ERRDOS && ecode != ERRmoredata) {
106 DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
107 eclass, (unsigned int)ecode));
108 return False;
109 }
110 }
111
112 data_to_read -= num_read;
113 stream_offset += num_read;
114 pdata += num_read;
115
116 } while (num_read > 0 && data_to_read > 0);
117 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
118
119 /*
120 * Update the current offset into rdata by the amount read.
121 */
122 *rdata_offset += stream_offset;
123
124 return True;
125 }
126
127 /****************************************************************************
128 Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
129 ****************************************************************************/
130
131 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
132 BOOL *first, BOOL *last, uint32 *len)
133 {
134 DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
135
136 /* Next call sets endian bit. */
137
138 if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) {
139 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
140 return False;
141 }
142
143 if (prs_offset(rdata) != RPC_HEADER_LEN) {
144 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
145 return False;
146 }
147
148 (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
149 (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
150 (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
151
152 return (rhdr->pkt_type != RPC_FAULT);
153 }
154
155 /****************************************************************************
156 Verify data on an rpc pipe.
157 The VERIFY & SEAL code is only executed on packets that look like this :
158
159 Request/Response PDU's look like the following...
160
161 |<------------------PDU len----------------------------------------------->|
162 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
163
164 +------------+-----------------+-------------+---------------+-------------+
165 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
166 +------------+-----------------+-------------+---------------+-------------+
167
168 Never on bind requests/responses.
169 ****************************************************************************/
170
171 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
172 uint32 fragment_start, int len, int auth_len, uint8 pkt_type,
173 int *pauth_padding_len)
174 {
175
176 /*
177 * The following is that length of the data we must sign or seal.
178 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
179 * preceeding the auth_data.
180 */
181
182 int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
183
184 /*
185 * The start of the data to sign/seal is just after the RPC headers.
186 */
187 char *reply_data = prs_data_p(rdata) + fragment_start + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
188
189 RPC_HDR_AUTH rhdr_auth;
190
191 char *dp = prs_data_p(rdata) + fragment_start + len -
192 RPC_HDR_AUTH_LEN - auth_len;
193 prs_struct auth_verf;
194
195 *pauth_padding_len = 0;
196
197 if (auth_len == 0) {
198 if (cli->pipe_auth_flags == 0) {
199 /* move along, nothing to see here */
200 return True;
201 }
202
203 DEBUG(2, ("No authenticaton header recienved on reply, but this pipe is authenticated\n"));
204 return False;
205 }
206
207 DEBUG(5,("rpc_auth_pipe: pkt_type: %d len: %d auth_len: %d NTLMSSP %s schannel %s sign %s seal %s \n",
208 pkt_type, len, auth_len,
209 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP),
210 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NETSEC),
211 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SIGN),
212 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SEAL)));
213
214 if (dp - prs_data_p(rdata) > prs_data_size(rdata)) {
215 DEBUG(0,("rpc_auth_pipe: schannel auth data > data size !\n"));
216 return False;
217 }
218
219 DEBUG(10,("rpc_auth_pipe: packet:\n"));
220 dump_data(100, dp, auth_len);
221
222 prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
223
224 /* The endinness must be preserved. JRA. */
225 prs_set_endian_data( &auth_verf, rdata->bigendian_data);
226
227 /* Point this new parse struct at the auth section of the main
228 parse struct - rather than copying it. Avoids needing to
229 free it on every error
230 */
231 prs_give_memory(&auth_verf, dp, RPC_HDR_AUTH_LEN + auth_len, False /* not dynamic */);
232 prs_set_offset(&auth_verf, 0);
233
234 {
235 int auth_type;
236 int auth_level;
237 if (!smb_io_rpc_hdr_auth("auth_hdr", &rhdr_auth, &auth_verf, 0)) {
238 DEBUG(0, ("rpc_auth_pipe: Could not parse auth header\n"));
239 return False;
240 }
241
242 /* Let the caller know how much padding at the end of the data */
243 *pauth_padding_len = rhdr_auth.padding;
244
245 /* Check it's the type of reply we were expecting to decode */
246
247 get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
248 if (rhdr_auth.auth_type != auth_type) {
249 DEBUG(0, ("BAD auth type %d (should be %d)\n",
250 rhdr_auth.auth_type, auth_type));
251 return False;
252 }
253
254 if (rhdr_auth.auth_level != auth_level) {
255 DEBUG(0, ("BAD auth level %d (should be %d)\n",
256 rhdr_auth.auth_level, auth_level));
257 return False;
258 }
259 }
260
261 if (pkt_type == RPC_BINDACK) {
262 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
263 /* copy the next auth_len bytes into a buffer for
264 later use */
265
266 DATA_BLOB ntlmssp_verf = data_blob(NULL, auth_len);
267
268 /* save the reply away, for use a little later */
269 prs_copy_data_out((char *)ntlmssp_verf.data, &auth_verf, auth_len);
270
271
272 return (NT_STATUS_IS_OK(ntlmssp_client_store_response(cli->ntlmssp_pipe_state,
273 ntlmssp_verf)));
274 }
275 else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
276 /* nothing to do here - we don't seem to be able to
277 validate the bindack based on VL's comments */
278 return True;
279 }
280 }
281
282 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
283 NTSTATUS nt_status;
284 DATA_BLOB sig;
285 if ((cli->pipe_auth_flags & AUTH_PIPE_SIGN) ||
286 (cli->pipe_auth_flags & AUTH_PIPE_SEAL)) {
287 if (auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) {
288 DEBUG(0,("rpc_auth_pipe: wrong ntlmssp auth len %d\n", auth_len));
289 return False;
290 }
291 sig = data_blob(NULL, auth_len);
292 prs_copy_data_out((char *)sig.data, &auth_verf, auth_len);
293 }
294
295 /*
296 * Unseal any sealed data in the PDU, not including the
297 * 8 byte auth_header or the auth_data.
298 */
299
300 /*
301 * Now unseal and check the auth verifier in the auth_data at
302 * the end of the packet.
303 */
304
305 if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
306 if (data_len < 0) {
307 DEBUG(1, ("Can't unseal - data_len < 0!!\n"));
308 return False;
309 }
310 nt_status = ntlmssp_client_unseal_packet(cli->ntlmssp_pipe_state,
311 (unsigned char *)reply_data, data_len,
312 &sig);
313 }
314 else if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
315 nt_status = ntlmssp_client_check_packet(cli->ntlmssp_pipe_state,
316 (const unsigned char *)reply_data, data_len,
317 &sig);
318 }
319
320 data_blob_free(&sig);
321
322 if (!NT_STATUS_IS_OK(nt_status)) {
323 DEBUG(0, ("rpc_auth_pipe: could not validate "
324 "incoming NTLMSSP packet!\n"));
325 return False;
326 }
327 }
328
329 if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
330 RPC_AUTH_NETSEC_CHK chk;
331
332 if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
333 DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len));
334 return False;
335 }
336
337 if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign",
338 &chk, &auth_verf, 0)) {
339 DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling "
340 "RPC_AUTH_NETSECK_CHK failed\n"));
341 return False;
342 }
343
344 if (!netsec_decode(&cli->auth_info,
345 cli->pipe_auth_flags,
346 SENDER_IS_ACCEPTOR,
347 &chk, reply_data, data_len)) {
348 DEBUG(0, ("rpc_auth_pipe: Could not decode schannel\n"));
349 return False;
350 }
351
352 cli->auth_info.seq_num++;
353
354 }
355 return True;
356 }
357
358
359 /****************************************************************************
360 Send data on an rpc pipe via trans, which *must* be the last fragment.
361 receive response data from an rpc pipe, which may be large...
362
363 Read the first fragment: unfortunately have to use SMBtrans for the first
364 bit, then SMBreadX for subsequent bits.
365
366 If first fragment received also wasn't the last fragment, continue
367 getting fragments until we _do_ receive the last fragment.
368
369 Request/Response PDU's look like the following...
370
371 |<------------------PDU len----------------------------------------------->|
372 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
373
374 +------------+-----------------+-------------+---------------+-------------+
375 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
376 +------------+-----------------+-------------+---------------+-------------+
377
378 Where the presence of the AUTH_HDR and AUTH are dependent on the
379 signing & sealing being negotiated.
380
381 ****************************************************************************/
382
383 static BOOL rpc_api_pipe(struct cli_state *cli, prs_struct *data, prs_struct *rdata,
384 uint8 expected_pkt_type)
385 {
386 uint32 len;
387 char *rparam = NULL;
388 uint32 rparam_len = 0;
389 uint16 setup[2];
390 BOOL first = True;
391 BOOL last = True;
392 RPC_HDR rhdr;
393 char *pdata = data ? prs_data_p(data) : NULL;
394 uint32 data_len = data ? prs_offset(data) : 0;
395 char *prdata = NULL;
396 uint32 rdata_len = 0;
397 uint32 current_offset = 0;
398 uint32 fragment_start = 0;
399 uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : 1024;
400 int auth_padding_len = 0;
401
402 /* Create setup parameters - must be in native byte order. */
403
404 setup[0] = TRANSACT_DCERPCCMD;
405 setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
406
407 DEBUG(5,("rpc_api_pipe: fnum:%x\n", (int)cli->nt_pipe_fnum));
408
409 /* Send the RPC request and receive a response. For short RPC
410 calls (about 1024 bytes or so) the RPC request and response
411 appears in a SMBtrans request and response. Larger RPC
412 responses are received further on. */
413
414 if (!cli_api_pipe(cli, "\\PIPE\\",
415 setup, 2, 0, /* Setup, length, max */
416 NULL, 0, 0, /* Params, length, max */
417 pdata, data_len, max_data, /* data, length, max */
418 &rparam, &rparam_len, /* return params, len */
419 &prdata, &rdata_len)) /* return data, len */
420 {
421 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
422 return False;
423 }
424
425 /* Throw away returned params - we know we won't use them. */
426
427 SAFE_FREE(rparam);
428
429 if (prdata == NULL) {
430 DEBUG(0,("rpc_api_pipe: pipe %x failed to return data.\n",
431 (int)cli->nt_pipe_fnum));
432 return False;
433 }
434
435 /*
436 * Give this memory as dynamically allocated to the return parse
437 * struct.
438 */
439
440 prs_give_memory(rdata, prdata, rdata_len, True);
441 current_offset = rdata_len;
442
443 /* This next call sets the endian bit correctly in rdata. */
444
445 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
446 prs_mem_free(rdata);
447 return False;
448 }
449
450 if (rhdr.pkt_type == RPC_BINDACK) {
451 if (!last && !first) {
452 DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
453 first = True;
454 last = True;
455 }
456 }
457
458 if (rhdr.pkt_type == RPC_BINDNACK) {
459 DEBUG(3, ("Bind NACK received on pipe %x!\n", (int)cli->nt_pipe_fnum));
460 prs_mem_free(rdata);
461 return False;
462 }
463
464 if (rhdr.pkt_type == RPC_RESPONSE) {
465 RPC_HDR_RESP rhdr_resp;
466 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
467 DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
468 prs_mem_free(rdata);
469 return False;
470 }
471 }
472
473 if (rhdr.pkt_type != expected_pkt_type) {
474 DEBUG(3, ("Connection to pipe %x got an unexpected RPC packet type - %d, not %d\n", (int)cli->nt_pipe_fnum, rhdr.pkt_type, expected_pkt_type));
475 prs_mem_free(rdata);
476 return False;
477 }
478
479 DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
480 (unsigned int)len, (unsigned int)rdata_len ));
481
482 /* check if data to be sent back was too large for one SMBtrans */
483 /* err status is only informational: the _real_ check is on the
484 length */
485
486 if (len > 0) {
487 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
488
489 /* Read the remaining part of the first response fragment */
490
491 if (!rpc_read(cli, rdata, len, &current_offset)) {
492 prs_mem_free(rdata);
493 return False;
494 }
495 }
496
497 /*
498 * Now we have a complete PDU, check the auth struct if any was sent.
499 */
500
501 if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
502 rhdr.auth_len, rhdr.pkt_type, &auth_padding_len)) {
503 prs_mem_free(rdata);
504 return False;
505 }
506
507 if (rhdr.auth_len != 0) {
508 /*
509 * Drop the auth footers from the current offset.
510 * We need this if there are more fragments.
511 * The auth footers consist of the auth_data and the
512 * preceeding 8 byte auth_header.
513 */
514 current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
515 }
516
517 /*
518 * Only one rpc fragment, and it has been read.
519 */
520
521 if (first && last) {
522 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
523 return True;
524 }
525
526 /*
527 * Read more fragments using SMBreadX until we get one with the
528 * last bit set.
529 */
530
531 while (!last) {
532 RPC_HDR_RESP rhdr_resp;
533 int num_read;
534 char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
535 prs_struct hps;
536 uint8 eclass;
537 uint32 ecode;
538
539 /*
540 * First read the header of the next PDU.
541 */
542
543 prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
544 prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
545
546 num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
547 if (cli_is_dos_error(cli)) {
548 cli_dos_error(cli, &eclass, &ecode);
549 if (eclass != ERRDOS && ecode != ERRmoredata) {
550 DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
551 return False;
552 }
553 }
554
555 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
556
557 if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
558 DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
559 RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
560 return False;
561 }
562
563 /* This call sets the endianness in hps. */
564
565 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
566 return False;
567
568 /* Ensure the endianness in rdata is set correctly - must be same as hps. */
569
570 if (hps.bigendian_data != rdata->bigendian_data) {
571 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
572 rdata->bigendian_data ? "big" : "little",
573 hps.bigendian_data ? "big" : "little" ));
574 return False;
575 }
576
577 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
578 DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
579 return False;
580 }
581
582 if (first) {
583 DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
584 return False;
585 }
586
587 /*
588 * Now read the rest of the PDU.
589 */
590
591 if (!rpc_read(cli, rdata, len, &current_offset)) {
592 prs_mem_free(rdata);
593 return False;
594 }
595
596 fragment_start = current_offset - len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
597
598 /*
599 * Verify any authentication footer.
600 */
601
602
603 if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
604 rhdr.auth_len, rhdr.pkt_type, &auth_padding_len)) {
605 prs_mem_free(rdata);
606 return False;
607 }
608
609 if (rhdr.auth_len != 0 ) {
610
611 /*
612 * Drop the auth footers from the current offset.
613 * The auth footers consist of the auth_data and the
614 * preceeding 8 byte auth_header.
615 * We need this if there are more fragments.
616 */
617 current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
618 }
619 }
620
621 return True;
622 }
623
624 /*******************************************************************
625 creates a DCE/RPC bind request
626
627 - initialises the parse structure.
628 - dynamically allocates the header data structure
629 - caller is expected to free the header data structure once used.
630
631 ********************************************************************/
632
633 static NTSTATUS create_rpc_bind_req(struct cli_state *cli, prs_struct *rpc_out,
634 uint32 rpc_call_id,
635 RPC_IFACE *abstract, RPC_IFACE *transfer,
636 const char *my_name, const char *domain)
637 {
638 RPC_HDR hdr;
639 RPC_HDR_RB hdr_rb;
640 RPC_HDR_AUTH hdr_auth;
641 int auth_len = 0;
642 int auth_type, auth_level;
643 size_t saved_hdr_offset = 0;
644
645 prs_struct auth_info;
646 prs_init(&auth_info, RPC_HDR_AUTH_LEN, /* we will need at least this much */
647 prs_get_mem_context(rpc_out), MARSHALL);
648
649 if (cli->pipe_auth_flags) {
650 get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
651
652 /*
653 * Create the auth structs we will marshall.
654 */
655
656 init_rpc_hdr_auth(&hdr_auth, auth_type, auth_level, 0x00, 1);
657
658 /*
659 * Now marshall the data into the temporary parse_struct.
660 */
661
662 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
663 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
664 prs_mem_free(&auth_info);
665 return NT_STATUS_NO_MEMORY;
666 }
667 saved_hdr_offset = prs_offset(&auth_info);
668 }
669
670 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
671
672 NTSTATUS nt_status;
673 DATA_BLOB null_blob = data_blob(NULL, 0);
674 DATA_BLOB request;
675
676 DEBUG(5, ("Processing NTLMSSP Negotiate\n"));
677 nt_status = ntlmssp_client_update(cli->ntlmssp_pipe_state,
678 null_blob,
679 &request);
680
681 if (!NT_STATUS_EQUAL(nt_status,
682 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
683 prs_mem_free(&auth_info);
684 return nt_status;
685 }
686
687 /* Auth len in the rpc header doesn't include auth_header. */
688 auth_len = request.length;
689 prs_copy_data_in(&auth_info, (char *)request.data, request.length);
690
691 DEBUG(5, ("NTLMSSP Negotiate:\n"));
692 dump_data(5, (const char *)request.data, request.length);
693
694 data_blob_free(&request);
695
696 } else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
697 RPC_AUTH_NETSEC_NEG netsec_neg;
698
699 /* Use lp_workgroup() if domain not specified */
700
701 if (!domain || !domain[0]) {
702 DEBUG(10,("create_rpc_bind_req: no domain; assuming my own\n"));
703 domain = lp_workgroup();
704 }
705
706 init_rpc_auth_netsec_neg(&netsec_neg, domain, my_name);
707
708 /*
709 * Now marshall the data into the temporary parse_struct.
710 */
711
712 if(!smb_io_rpc_auth_netsec_neg("netsec_neg",
713 &netsec_neg, &auth_info, 0)) {
714 DEBUG(0,("Failed to marshall RPC_AUTH_NETSEC_NEG.\n"));
715 prs_mem_free(&auth_info);
716 return NT_STATUS_NO_MEMORY;
717 }
718
719 /* Auth len in the rpc header doesn't include auth_header. */
720 auth_len = prs_offset(&auth_info) - saved_hdr_offset;
721 }
722
723 /* Create the request RPC_HDR */
724 init_rpc_hdr(&hdr, RPC_BIND, 0x3, rpc_call_id,
725 RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
726 auth_len);
727
728 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
729 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
730 prs_mem_free(&auth_info);
731 return NT_STATUS_NO_MEMORY;
732 }
733
734 /* create the bind request RPC_HDR_RB */
735 init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
736 0x1, 0x0, 0x1, abstract, transfer);
737
738 /* Marshall the bind request data */
739 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
740 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
741 prs_mem_free(&auth_info);
742 return NT_STATUS_NO_MEMORY;
743 }
744
745 /*
746 * Grow the outgoing buffer to store any auth info.
747 */
748
749 if(auth_len != 0) {
750 if(!prs_append_prs_data( rpc_out, &auth_info)) {
751 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
752 prs_mem_free(&auth_info);
753 return NT_STATUS_NO_MEMORY;
754 }
755 }
756 prs_mem_free(&auth_info);
757 return NT_STATUS_OK;
758 }
759
760 /*******************************************************************
761 Creates a DCE/RPC bind authentication response.
762 This is the packet that is sent back to the server once we
763 have received a BIND-ACK, to finish the third leg of
764 the authentication handshake.
765 ********************************************************************/
766
767 static NTSTATUS create_rpc_bind_resp(struct cli_state *cli,
768 uint32 rpc_call_id,
769 prs_struct *rpc_out)
770 {
771 NTSTATUS nt_status;
772 RPC_HDR hdr;
773 RPC_HDR_AUTHA hdr_autha;
774 DATA_BLOB ntlmssp_null_response = data_blob(NULL, 0);
775 DATA_BLOB ntlmssp_reply;
776 int auth_type, auth_level;
777
778 /* The response is picked up from the internal cache,
779 where it was placed by the rpc_auth_pipe() code */
780 nt_status = ntlmssp_client_update(cli->ntlmssp_pipe_state,
781 ntlmssp_null_response,
782 &ntlmssp_reply);
783
784 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
785 return nt_status;
786 }
787
788 /* Create the request RPC_HDR */
789 init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
790 RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + ntlmssp_reply.length,
791 ntlmssp_reply.length );
792
793 /* Marshall it. */
794 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
795 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
796 data_blob_free(&ntlmssp_reply);
797 return NT_STATUS_NO_MEMORY;
798 }
799
800 get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
801
802 /* Create the request RPC_HDR_AUTHA */
803 init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
804 auth_type, auth_level, 0x00);
805
806 if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
807 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
808 data_blob_free(&ntlmssp_reply);
809 return NT_STATUS_NO_MEMORY;
810 }
811
812 /*
813 * Append the auth data to the outgoing buffer.
814 */
815
816 if(!prs_copy_data_in(rpc_out, (char *)ntlmssp_reply.data, ntlmssp_reply.length)) {
817 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
818 data_blob_free(&ntlmssp_reply);
819 return NT_STATUS_NO_MEMORY;
820 }
821
822 if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
823 nt_status = ntlmssp_client_sign_init(cli->ntlmssp_pipe_state);
824
825 if (!NT_STATUS_IS_OK(nt_status)) {
826 return nt_status;
827 }
828 }
829
830 data_blob_free(&ntlmssp_reply);
831 return NT_STATUS_OK;
832 }
833
834
835 /*******************************************************************
836 Creates a DCE/RPC request.
837 ********************************************************************/
838
839 static uint32 create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len, uint8 flags, uint32 oldid, uint32 data_left)
840 {
841 uint32 alloc_hint;
842 RPC_HDR hdr;
843 RPC_HDR_REQ hdr_req;
844 uint32 callid = oldid ? oldid : get_rpc_call_id();
845
846 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
847
848 /* create the rpc header RPC_HDR */
849 init_rpc_hdr(&hdr, RPC_REQUEST, flags,
850 callid, data_len, auth_len);
851
852 /*
853 * The alloc hint should be the amount of data, not including
854 * RPC headers & footers.
855 */
856
857 if (auth_len != 0)
858 alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
859 else
860 alloc_hint = data_len - RPC_HEADER_LEN;
861
862 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
863 data_len, auth_len, alloc_hint));
864
865 /* Create the rpc request RPC_HDR_REQ */
866 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
867
868 /* stream-time... */
869 if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0))
870 return 0;
871
872 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
873 return 0;
874
875 if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
876 return 0;
877
878 return callid;
879 }
880
881 /*******************************************************************
882 Puts an auth header into an rpc request.
883 ********************************************************************/
884
885 static BOOL create_auth_hdr(prs_struct *outgoing_packet,
886 int auth_type,
887 int auth_level, int padding)
888 {
889 RPC_HDR_AUTH hdr_auth;
890
891 init_rpc_hdr_auth(&hdr_auth, auth_type, auth_level,
892 padding, 1);
893 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth,
894 outgoing_packet, 0)) {
895 DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
896 return False;
897 }
898 return True;
899 }
900
901 /**
902 * Send a request on an RPC pipe and get a response.
903 *
904 * @param data NDR contents of the request to be sent.
905 * @param rdata Unparsed NDR response data.
906 **/
907
908 BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
909 prs_struct *data, prs_struct *rdata)
910 {
911 uint32 auth_len, real_auth_len, auth_hdr_len, max_data, data_left, data_sent;
912 NTSTATUS nt_status;
913 BOOL ret = False;
914 uint32 callid = 0;
915 fstring dump_name;
916
917 auth_len = 0;
918 real_auth_len = 0;
919 auth_hdr_len = 0;
920
921 if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
922 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
923 auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
924 }
925 if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
926 auth_len = RPC_AUTH_NETSEC_CHK_LEN;
927 }
928 auth_hdr_len = RPC_HDR_AUTH_LEN;
929 }
930
931 /*
932 * calc how much actual data we can send in a PDU fragment
933 */
934 max_data = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
935 auth_hdr_len - auth_len - 8;
936
937 for (data_left = prs_offset(data), data_sent = 0; data_left > 0;) {
938 prs_struct outgoing_packet;
939 prs_struct sec_blob;
940 uint32 data_len, send_size;
941 uint8 flags = 0;
942 uint32 auth_padding = 0;
943 DATA_BLOB sign_blob;
944
945 /*
946 * how much will we send this time
947 */
948 send_size = MIN(data_left, max_data);
949
950 if (!prs_init(&sec_blob, send_size, /* will need at least this much */
951 cli->mem_ctx, MARSHALL)) {
952 DEBUG(0,("Could not malloc %u bytes",
953 send_size+auth_padding));
954 return False;
955 }
956
957 if(!prs_append_some_prs_data(&sec_blob, data,
958 data_sent, send_size)) {
959 DEBUG(0,("Failed to append data to netsec blob\n"));
960 prs_mem_free(&sec_blob);
961 return False;
962 }
963
964 /*
965 * NT expects the data that is sealed to be 8-byte
966 * aligned. The padding must be encrypted as well and
967 * taken into account when generating the
968 * authentication verifier. The amount of padding must
969 * be stored in the auth header.
970 */
971
972 if (cli->pipe_auth_flags) {
973 size_t data_and_padding_size;
974 int auth_type;
975 int auth_level;
976 prs_align_uint64(&sec_blob);
977
978 get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
979
980 data_and_padding_size = prs_offset(&sec_blob);
981 auth_padding = data_and_padding_size - send_size;
982
983 /* insert the auth header */
984
985 if(!create_auth_hdr(&sec_blob, auth_type, auth_level, auth_padding)) {
986 prs_mem_free(&sec_blob);
987 return False;
988 }
989
990 /* create an NTLMSSP signature */
991 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
992 /*
993 * Seal the outgoing data if requested.
994 */
995 if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
996
997 nt_status = ntlmssp_client_seal_packet(cli->ntlmssp_pipe_state,
998 (unsigned char*)prs_data_p(&sec_blob),
999 data_and_padding_size,
1000 &sign_blob);
1001 if (!NT_STATUS_IS_OK(nt_status)) {
1002 prs_mem_free(&sec_blob);
1003 return False;
1004 }
1005 }
1006 else if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
1007
1008 nt_status = ntlmssp_client_sign_packet(cli->ntlmssp_pipe_state,
1009 (unsigned char*)prs_data_p(&sec_blob),
1010 data_and_padding_size, &sign_blob);
1011 if (!NT_STATUS_IS_OK(nt_status)) {
1012 prs_mem_free(&sec_blob);
1013 return False;
1014 }
1015 }
1016
1017
1018 /* write auth footer onto the packet */
1019 real_auth_len = sign_blob.length;
1020
1021 prs_copy_data_in(&sec_blob, (char *)sign_blob.data, sign_blob.length);
1022 data_blob_free(&sign_blob);
1023
1024 }
1025 else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
1026 size_t parse_offset_marker;
1027 RPC_AUTH_NETSEC_CHK verf;
1028 DEBUG(10,("SCHANNEL seq_num=%d\n", cli->auth_info.seq_num));
1029
1030 netsec_encode(&cli->auth_info,
1031 cli->pipe_auth_flags,
1032 SENDER_IS_INITIATOR,
1033 &verf,
1034 prs_data_p(&sec_blob),
1035 data_and_padding_size);
1036
1037 cli->auth_info.seq_num++;
1038
1039 /* write auth footer onto the packet */
1040
1041 parse_offset_marker = prs_offset(&sec_blob);
1042 if (!smb_io_rpc_auth_netsec_chk("", &verf,
1043 &sec_blob, 0)) {
1044 prs_mem_free(&sec_blob);
1045 return False;
1046 }
1047 real_auth_len = prs_offset(&sec_blob) - parse_offset_marker;
1048 }
1049 }
1050
1051 data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(&sec_blob);
1052
1053 /*
1054 * Malloc parse struct to hold it (and enough for alignments).
1055 */
1056 if(!prs_init(&outgoing_packet, data_len + 8,
1057 cli->mem_ctx, MARSHALL)) {
1058 DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
1059 return False;
1060 }
1061
1062 if (data_left == prs_offset(data))
1063 flags |= RPC_FLG_FIRST;
1064
1065 if (data_left <= max_data)
1066 flags |= RPC_FLG_LAST;
1067 /*
1068 * Write out the RPC header and the request header.
1069 */
1070 if(!(callid = create_rpc_request(&outgoing_packet, op_num,
1071 data_len, real_auth_len, flags,
1072 callid, data_left))) {
1073 DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
1074 prs_mem_free(&outgoing_packet);
1075 prs_mem_free(&sec_blob);
1076 return False;
1077 }
1078
1079 prs_append_prs_data(&outgoing_packet, &sec_blob);
1080 prs_mem_free(&sec_blob);
1081
1082 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len,
1083 prs_offset(&outgoing_packet)));
1084
1085 if (flags & RPC_FLG_LAST)
1086 ret = rpc_api_pipe(cli, &outgoing_packet,
1087 rdata, RPC_RESPONSE);
1088 else {
1089 cli_write(cli, cli->nt_pipe_fnum, 0x0008,
1090 prs_data_p(&outgoing_packet),
1091 data_sent, data_len);
1092 }
1093 prs_mem_free(&outgoing_packet);
1094 data_sent += send_size;
1095 data_left -= send_size;
1096 }
1097 /* Also capture received data */
1098 slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
1099 cli_pipe_get_name(cli));
1100 prs_dump(dump_name, op_num, rdata);
1101
1102 return ret;
1103 }
1104
1105 /****************************************************************************
1106 Set the handle state.
1107 ****************************************************************************/
1108
1109 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, const char *pipe_name, uint16 device_state)
1110 {
1111 BOOL state_set = False;
1112 char param[2];
1113 uint16 setup[2]; /* only need 2 uint16 setup parameters */
1114 char *rparam = NULL;
1115 char *rdata = NULL;
1116 uint32 rparam_len, rdata_len;
1117
1118 if (pipe_name == NULL)
1119 return False;
1120
1121 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
1122 cli->nt_pipe_fnum, pipe_name, device_state));
1123
1124 /* create parameters: device state */
1125 SSVAL(param, 0, device_state);
1126
1127 /* create setup parameters. */
1128 setup[0] = 0x0001;
1129 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
1130
1131 /* send the data on \PIPE\ */
1132 if (cli_api_pipe(cli, "\\PIPE\\",
1133 setup, 2, 0, /* setup, length, max */
1134 param, 2, 0, /* param, length, max */
1135 NULL, 0, 1024, /* data, length, max */
1136 &rparam, &rparam_len, /* return param, length */
1137 &rdata, &rdata_len)) /* return data, length */
1138 {
1139 DEBUG(5, ("Set Handle state: return OK\n"));
1140 state_set = True;
1141 }
1142
1143 SAFE_FREE(rparam);
1144 SAFE_FREE(rdata);
1145
1146 return state_set;
1147 }
1148
1149 /****************************************************************************
1150 check the rpc bind acknowledge response
1151 ****************************************************************************/
1152
1153 int get_pipe_index( const char *pipe_name )
1154 {
1155 int pipe_idx = 0;
1156
1157 while (pipe_names[pipe_idx].client_pipe != NULL) {
1158 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
1159 return pipe_idx;
1160 pipe_idx++;
1161 };
1162
1163 return -1;
1164 }
1165
1166
1167 /****************************************************************************
1168 check the rpc bind acknowledge response
1169 ****************************************************************************/
1170
1171 const char* get_pipe_name_from_index( const int pipe_index )
1172 {
1173
1174 if ( (pipe_index < 0) || (pipe_index >= PI_MAX_PIPES) )
1175 return NULL;
1176
1177 return pipe_names[pipe_index].client_pipe;
1178 }
1179
1180 /****************************************************************************
1181 Check to see if this pipe index points to one of
1182 the pipes only supported by Win2k
1183 ****************************************************************************/
1184
1185 BOOL is_win2k_pipe( const int pipe_idx )
1186 {
1187 switch ( pipe_idx )
1188 {
1189 case PI_LSARPC_DS:
1190 return True;
1191 }
1192
1193 return False;
1194 }
1195
1196 /****************************************************************************
1197 check the rpc bind acknowledge response
1198 ****************************************************************************/
1199
1200 static BOOL valid_pipe_name(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
1201 {
1202 if ( pipe_idx >= PI_MAX_PIPES ) {
1203 DEBUG(0,("valid_pipe_name: Programmer error! Invalid pipe index [%d]\n",
1204 pipe_idx));
1205 return False;
1206 }
1207
1208 DEBUG(5,("Bind Abstract Syntax: "));
1209 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
1210 sizeof(pipe_names[pipe_idx].abstr_syntax));
1211 DEBUG(5,("Bind Transfer Syntax: "));
1212 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
1213 sizeof(pipe_names[pipe_idx].trans_syntax));
1214
1215 /* copy the required syntaxes out so we can do the right bind */
1216
1217 *transfer = pipe_names[pipe_idx].trans_syntax;
1218 *abstract = pipe_names[pipe_idx].abstr_syntax;
1219
1220 return True;
1221 }
1222
1223 /****************************************************************************
1224 check the rpc bind acknowledge response
1225 ****************************************************************************/
1226
1227 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
1228 {
1229 int i = 0;
1230
1231 if ( hdr_ba->addr.len <= 0)
1232 return False;
1233
1234 if ( (strequal(hdr_ba->addr.str, pipe_names[pipe_idx].client_pipe) != 0) &&
1235 (strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe) != 0) )
1236 {
1237 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
1238 pipe_names[i].server_pipe ,hdr_ba->addr.str));
1239 return False;
1240 }
1241
1242 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
1243
1244 if (pipe_names[pipe_idx].server_pipe == NULL) {
1245 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
1246 return False;
1247 }
1248
1249 /* check the transfer syntax */
1250 if ((hdr_ba->transfer.version != transfer->version) ||
1251 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1252 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1253 return False;
1254 }
1255
1256 /* lkclXXXX only accept one result: check the result(s) */
1257 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
1258 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1259 hdr_ba->res.num_results, hdr_ba->res.reason));
1260 }
1261
1262 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
1263 return True;
1264 }
1265
1266 /****************************************************************************
1267 Create and send the third packet in an RPC auth.
1268 ****************************************************************************/
1269
1270 static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
1271 {
1272 prs_struct rpc_out;
1273 ssize_t ret;
1274
1275 prs_init(&rpc_out, RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN, /* need at least this much */
1276 cli->mem_ctx, MARSHALL);
1277
1278 if (!NT_STATUS_IS_OK(create_rpc_bind_resp(cli, rpc_call_id,
1279 &rpc_out))) {
1280 return False;
1281 }
1282
1283 if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out),
1284 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
1285 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
1286 prs_mem_free(&rpc_out);
1287 return False;
1288 }
1289
1290 prs_mem_free(&rpc_out);
1291 return True;
1292 }
1293
1294 /****************************************************************************
1295 Do an rpc bind.
1296 ****************************************************************************/
1297
1298 static BOOL rpc_pipe_bind(struct cli_state *cli, int pipe_idx, const char *my_name)
1299 {
1300 RPC_IFACE abstract;
1301 RPC_IFACE transfer;
1302 prs_struct rpc_out;
1303 prs_struct rdata;
1304 uint32 rpc_call_id;
1305 char buffer[MAX_PDU_FRAG_LEN];
1306
1307 if ( (pipe_idx < 0) || (pipe_idx >= PI_MAX_PIPES) )
1308 return False;
1309
1310 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_names[pipe_idx].client_pipe));
1311
1312 if (!valid_pipe_name(pipe_idx, &abstract, &transfer))
1313 return False;
1314
1315 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1316
1317 /*
1318 * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
1319 */
1320
1321 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1322
1323 rpc_call_id = get_rpc_call_id();
1324
1325 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
1326 NTSTATUS nt_status;
1327 fstring password;
1328
1329 DEBUG(5, ("NTLMSSP authenticated pipe selected\n"));
1330
1331 nt_status = ntlmssp_client_start(&cli->ntlmssp_pipe_state);
1332
1333 if (!NT_STATUS_IS_OK(nt_status))
1334 return False;
1335
1336 nt_status = ntlmssp_set_username(cli->ntlmssp_pipe_state,
1337 cli->user_name);
1338 if (!NT_STATUS_IS_OK(nt_status))
1339 return False;
1340
1341 nt_status = ntlmssp_set_domain(cli->ntlmssp_pipe_state,
1342 cli->domain);
1343 if (!NT_STATUS_IS_OK(nt_status))
1344 return False;
1345
1346 pwd_get_cleartext(&cli->pwd, password);
1347 nt_status = ntlmssp_set_password(cli->ntlmssp_pipe_state,
1348 password);
1349 if (!NT_STATUS_IS_OK(nt_status))
1350 return False;
1351
1352 if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
1353 cli->ntlmssp_pipe_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
1354 }
1355
1356 if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
1357 cli->ntlmssp_pipe_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
1358 }
1359 } else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
1360 cli->auth_info.seq_num = 0;
1361 }
1362
1363 /* Marshall the outgoing data. */
1364 create_rpc_bind_req(cli, &rpc_out, rpc_call_id,
1365 &abstract, &transfer,
1366 global_myname(), cli->domain);
1367
1368 /* Initialize the incoming data struct. */
1369 prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
1370
1371 /* send data on \PIPE\. receive a response */
1372 if (rpc_api_pipe(cli, &rpc_out, &rdata, RPC_BINDACK)) {
1373 RPC_HDR_BA hdr_ba;
1374
1375 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
1376
1377 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
1378 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
1379 prs_mem_free(&rdata);
1380 return False;
1381 }
1382
1383 if(!check_bind_response(&hdr_ba, pipe_idx, &transfer)) {
1384 DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
1385 prs_mem_free(&rdata);
1386 return False;
1387 }
1388
1389 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
1390 cli->max_recv_frag = hdr_ba.bba.max_rsize;
1391
1392 /*
1393 * If we're doing NTLMSSP auth we need to send a reply to
1394 * the bind-ack to complete the 3-way challenge response
1395 * handshake.
1396 */
1397
1398 if ((cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP)
1399 && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
1400 DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
1401 prs_mem_free(&rdata);
1402 return False;
1403 }
1404 prs_mem_free(&rdata);
1405 return True;
1406 }
1407
1408 return False;
1409 }
1410
1411 /****************************************************************************
1412 Open a session.
1413 ****************************************************************************/
1414
1415 BOOL cli_nt_session_open(struct cli_state *cli, const int pipe_idx)
1416 {
1417 int fnum;
1418
1419 /* At the moment we can't have more than one pipe open over
1420 a cli connection. )-: */
1421
1422 SMB_ASSERT(cli->nt_pipe_fnum == 0);
1423
1424 /* The pipe index must fall within our array */
1425
1426 SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
1427
1428 if (cli->capabilities & CAP_NT_SMBS) {
1429 if ((fnum = cli_nt_create(cli, &pipe_names[pipe_idx].client_pipe[5], DESIRED_ACCESS_PIPE)) == -1) {
1430 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1431 &pipe_names[pipe_idx].client_pipe[5], cli->desthost, cli_errstr(cli)));
1432 return False;
1433 }
1434
1435 cli->nt_pipe_fnum = (uint16)fnum;
1436 } else {
1437 if ((fnum = cli_open(cli, pipe_names[pipe_idx].client_pipe, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1438 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1439 pipe_names[pipe_idx].client_pipe, cli->desthost, cli_errstr(cli)));
1440 return False;
1441 }
1442
1443 cli->nt_pipe_fnum = (uint16)fnum;
1444
1445 /**************** Set Named Pipe State ***************/
1446 if (!rpc_pipe_set_hnd_state(cli, pipe_names[pipe_idx].client_pipe, 0x4300)) {
1447 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1448 cli_errstr(cli)));
1449 cli_close(cli, cli->nt_pipe_fnum);
1450 return False;
1451 }
1452 }
1453
1454 /******************* bind request on pipe *****************/
1455
1456 if (!rpc_pipe_bind(cli, pipe_idx, global_myname())) {
1457 DEBUG(2,("cli_nt_session_open: rpc bind to %s failed\n",
1458 get_pipe_name_from_index(pipe_idx)));
1459 cli_close(cli, cli->nt_pipe_fnum);
1460 return False;
1461 }
1462
1463 /*
1464 * Setup the remote server name prefixed by \ and the machine account name.
1465 */
1466
1467 fstrcpy(cli->srv_name_slash, "\\\\");
1468 fstrcat(cli->srv_name_slash, cli->desthost);
1469 strupper_m(cli->srv_name_slash);
1470
1471 fstrcpy(cli->clnt_name_slash, "\\\\");
1472 fstrcat(cli->clnt_name_slash, global_myname());
1473 strupper_m(cli->clnt_name_slash);
1474
1475 fstrcpy(cli->mach_acct, global_myname());
1476 fstrcat(cli->mach_acct, "$");
1477 strupper_m(cli->mach_acct);
1478
1479 /* Remember which pipe we're talking to */
1480 fstrcpy(cli->pipe_name, pipe_names[pipe_idx].client_pipe);
1481
1482 return True;
1483 }
1484
1485
1486 /****************************************************************************
1487 Open a session to the NETLOGON pipe using schannel.
1488
1489 (Assumes that the netlogon pipe is already open)
1490 ****************************************************************************/
1491
1492 NTSTATUS cli_nt_establish_netlogon(struct cli_state *cli, int sec_chan,
1493 const uchar trust_password[16])
1494 {
1495 NTSTATUS result;
1496 uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
1497 int fnum;
1498
1499 cli_nt_netlogon_netsec_session_close(cli);
1500
1501 if (lp_client_schannel() != False)
1502 neg_flags |= NETLOGON_NEG_SCHANNEL;
1503
1504 result = cli_nt_setup_creds(cli, sec_chan, trust_password,
1505 &neg_flags, 2);
1506
1507 if (!NT_STATUS_IS_OK(result)) {
1508 cli_nt_session_close(cli);
1509 return result;
1510 }
1511
1512 if ((lp_client_schannel() == True) &&
1513 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
1514
1515 DEBUG(3, ("Server did not offer schannel\n"));
1516 cli_nt_session_close(cli);
1517 return NT_STATUS_UNSUCCESSFUL;
1518 }
1519
1520 if ((lp_client_schannel() == False) ||
1521 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
1522 return NT_STATUS_OK;
1523
1524 /* keep the existing connection to NETLOGON open */
1525
1526 }
1527
1528 /* Server offered schannel, so try it. */
1529
1530 memcpy(cli->auth_info.sess_key, cli->sess_key,
1531 sizeof(cli->auth_info.sess_key));
1532
1533 cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
1534
1535 cli->pipe_auth_flags = AUTH_PIPE_NETSEC;
1536 cli->pipe_auth_flags |= AUTH_PIPE_SIGN;
1537 cli->pipe_auth_flags |= AUTH_PIPE_SEAL;
1538
1539 if (cli->capabilities & CAP_NT_SMBS) {
1540
1541 /* The secure channel connection must be opened on the same
1542 session (TCP connection) as the one the challenge was
1543 requested from. */
1544 if ((fnum = cli_nt_create(cli, PIPE_NETLOGON_PLAIN,
1545 DESIRED_ACCESS_PIPE)) == -1) {
1546 DEBUG(0,("cli_nt_create failed to %s machine %s. "
1547 "Error was %s\n",
1548 PIPE_NETLOGON, cli->desthost,
1549 cli_errstr(cli)));
1550 return NT_STATUS_UNSUCCESSFUL;
1551 }
1552
1553 cli->nt_pipe_fnum = (uint16)fnum;
1554 } else {
1555 if ((fnum = cli_open(cli, PIPE_NETLOGON,
1556 O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1557 DEBUG(0,("cli_open failed on pipe %s to machine %s. "
1558 "Error was %s\n",
1559 PIPE_NETLOGON, cli->desthost,
1560 cli_errstr(cli)));
1561 return NT_STATUS_UNSUCCESSFUL;
1562 }
1563
1564 cli->nt_pipe_fnum = (uint16)fnum;
1565
1566 /**************** Set Named Pipe State ***************/
1567 if (!rpc_pipe_set_hnd_state(cli, PIPE_NETLOGON, 0x4300)) {
1568 DEBUG(0,("Pipe hnd state failed. Error was %s\n",
1569 cli_errstr(cli)));
1570 cli_close(cli, cli->nt_pipe_fnum);
1571 return NT_STATUS_UNSUCCESSFUL;
1572 }
1573 }
1574
1575 if (!rpc_pipe_bind(cli, PI_NETLOGON, global_myname())) {
1576 DEBUG(2,("rpc bind to %s failed\n", PIPE_NETLOGON));
1577 cli_close(cli, cli->nt_pipe_fnum);
1578 return NT_STATUS_UNSUCCESSFUL;
1579 }
1580
1581 return NT_STATUS_OK;
1582 }
1583
1584
1585 NTSTATUS cli_nt_setup_netsec(struct cli_state *cli, int sec_chan, int auth_flags,
1586 const uchar trust_password[16])
1587 {
1588 NTSTATUS result;
1589 uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
1590 cli->pipe_auth_flags = 0;
1591
1592 if (lp_client_schannel() == False) {
1593 return NT_STATUS_OK;
1594 }
1595
1596 if (!cli_nt_session_open(cli, PI_NETLOGON)) {
1597 DEBUG(0, ("Could not initialise %s\n",
1598 get_pipe_name_from_index(PI_NETLOGON)));
1599 return NT_STATUS_UNSUCCESSFUL;
1600 }
1601
1602 if (lp_client_schannel() != False)
1603 neg_flags |= NETLOGON_NEG_SCHANNEL;
1604
1605 neg_flags |= NETLOGON_NEG_SCHANNEL;
1606
1607 result = cli_nt_setup_creds(cli, sec_chan, trust_password,
1608 &neg_flags, 2);
1609
1610 if (!(neg_flags & NETLOGON_NEG_SCHANNEL)
1611 && lp_client_schannel() == True) {
1612 DEBUG(1, ("Could not negotiate SCHANNEL with the DC!\n"));
1613 result = NT_STATUS_UNSUCCESSFUL;
1614 }
1615
1616 if (!NT_STATUS_IS_OK(result)) {
1617 ZERO_STRUCT(cli->auth_info.sess_key);
1618 ZERO_STRUCT(cli->sess_key);
1619 cli->pipe_auth_flags = 0;
1620 cli_nt_session_close(cli);
1621 return result;
1622 }
1623
1624 memcpy(cli->auth_info.sess_key, cli->sess_key,
1625 sizeof(cli->auth_info.sess_key));
1626
1627 cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
1628 cli->nt_pipe_fnum = 0;
1629
1630 /* doing schannel, not per-user auth */
1631 cli->pipe_auth_flags = auth_flags;
1632
1633 return NT_STATUS_OK;
1634 }
1635
1636 const char *cli_pipe_get_name(struct cli_state *cli)
1637 {
1638 return cli->pipe_name;
1639 }
1640
1641
reg import