search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Commit Derrell Lipman's changes and fixes to libsmbclient. The build but
[Samba/gebeck_regimport.git] / source3 / rpc_client / cli_pipe.c
blob82a4b21754e63e0ccffb76b9cd9e7137aff816a0
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1998.
7 * Copyright (C) Jeremy Allison 1999.
8 * Copyright (C) Andrew Bartlett 2003.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_RPC_CLI
29
30 extern struct pipe_id_info pipe_names[];
31
32 /* convert pipe auth flags into the RPC auth type and level */
33
34 void get_auth_type_level(int pipe_auth_flags, int *auth_type, int *auth_level)
35 {
36 *auth_type = 0;
37 *auth_level = 0;
38 if (pipe_auth_flags & AUTH_PIPE_SEAL) {
39 *auth_level = RPC_PIPE_AUTH_SEAL_LEVEL;
40 } else if (pipe_auth_flags & AUTH_PIPE_SIGN) {
41 *auth_level = RPC_PIPE_AUTH_SIGN_LEVEL;
42 }
43
44 if (pipe_auth_flags & AUTH_PIPE_NETSEC) {
45 *auth_type = NETSEC_AUTH_TYPE;
46 } else if (pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
47 *auth_type = NTLMSSP_AUTH_TYPE;
48 }
49 }
50
51 /********************************************************************
52 Rpc pipe call id.
53 ********************************************************************/
54
55 static uint32 get_rpc_call_id(void)
56 {
57 static uint32 call_id = 0;
58 return ++call_id;
59 }
60
61 /*******************************************************************
62 Use SMBreadX to get rest of one fragment's worth of rpc data.
63 ********************************************************************/
64
65 static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
66 {
67 size_t size = (size_t)cli->max_recv_frag;
68 int stream_offset = 0;
69 int num_read;
70 char *pdata;
71 int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
72
73 DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
74 (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
75
76 /*
77 * Grow the buffer if needed to accommodate the data to be read.
78 */
79
80 if (extra_data_size > 0) {
81 if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
82 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
83 return False;
84 }
85 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
86 }
87
88 pdata = prs_data_p(rdata) + *rdata_offset;
89
90 do /* read data using SMBreadX */
91 {
92 uint32 ecode;
93 uint8 eclass;
94
95 if (size > (size_t)data_to_read)
96 size = (size_t)data_to_read;
97
98 num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
99
100 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
101 num_read, stream_offset, data_to_read));
102
103 if (cli_is_dos_error(cli)) {
104 cli_dos_error(cli, &eclass, &ecode);
105 if (eclass != ERRDOS && ecode != ERRmoredata) {
106 DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
107 eclass, (unsigned int)ecode));
108 return False;
109 }
110 }
111
112 data_to_read -= num_read;
113 stream_offset += num_read;
114 pdata += num_read;
115
116 } while (num_read > 0 && data_to_read > 0);
117 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
118
119 /*
120 * Update the current offset into rdata by the amount read.
121 */
122 *rdata_offset += stream_offset;
123
124 return True;
125 }
126
127 /****************************************************************************
128 Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
129 ****************************************************************************/
130
131 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
132 BOOL *first, BOOL *last, uint32 *len)
133 {
134 DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
135
136 /* Next call sets endian bit. */
137
138 if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) {
139 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
140 return False;
141 }
142
143 if (prs_offset(rdata) != RPC_HEADER_LEN) {
144 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
145 return False;
146 }
147
148 (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
149 (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
150 (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
151
152 return (rhdr->pkt_type != RPC_FAULT);
153 }
154
155 /****************************************************************************
156 Verify data on an rpc pipe.
157 The VERIFY & SEAL code is only executed on packets that look like this :
158
159 Request/Response PDU's look like the following...
160
161 |<------------------PDU len----------------------------------------------->|
162 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
163
164 +------------+-----------------+-------------+---------------+-------------+
165 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
166 +------------+-----------------+-------------+---------------+-------------+
167
168 Never on bind requests/responses.
169 ****************************************************************************/
170
171 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
172 uint32 fragment_start, int len, int auth_len, uint8 pkt_type,
173 int *pauth_padding_len)
174 {
175
176 /*
177 * The following is that length of the data we must sign or seal.
178 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
179 * preceeding the auth_data.
180 */
181
182 int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
183
184 /*
185 * The start of the data to sign/seal is just after the RPC headers.
186 */
187 char *reply_data = prs_data_p(rdata) + fragment_start + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
188
189 RPC_HDR_AUTH rhdr_auth;
190
191 char *dp = prs_data_p(rdata) + fragment_start + len -
192 RPC_HDR_AUTH_LEN - auth_len;
193 prs_struct auth_verf;
194
195 *pauth_padding_len = 0;
196
197 if (auth_len == 0) {
198 if (cli->pipe_auth_flags == 0) {
199 /* move along, nothing to see here */
200 return True;
201 }
202
203 DEBUG(2, ("No authenticaton header recienved on reply, but this pipe is authenticated\n"));
204 return False;
205 }
206
207 DEBUG(5,("rpc_auth_pipe: pkt_type: %d len: %d auth_len: %d NTLMSSP %s schannel %s sign %s seal %s \n",
208 pkt_type, len, auth_len,
209 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP),
210 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NETSEC),
211 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SIGN),
212 BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SEAL)));
213
214 if (dp - prs_data_p(rdata) > prs_data_size(rdata)) {
215 DEBUG(0,("rpc_auth_pipe: schannel auth data > data size !\n"));
216 return False;
217 }
218
219 DEBUG(10,("rpc_auth_pipe: packet:\n"));
220 dump_data(100, dp, auth_len);
221
222 prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
223
224 /* The endinness must be preserved. JRA. */
225 prs_set_endian_data( &auth_verf, rdata->bigendian_data);
226
227 /* Point this new parse struct at the auth section of the main
228 parse struct - rather than copying it. Avoids needing to
229 free it on every error
230 */
231 prs_give_memory(&auth_verf, dp, RPC_HDR_AUTH_LEN + auth_len, False /* not dynamic */);
232 prs_set_offset(&auth_verf, 0);
233
234 {
235 int auth_type;
236 int auth_level;
237 if (!smb_io_rpc_hdr_auth("auth_hdr", &rhdr_auth, &auth_verf, 0)) {
238 DEBUG(0, ("rpc_auth_pipe: Could not parse auth header\n"));
239 return False;
240 }
241
242 /* Let the caller know how much padding at the end of the data */
243 *pauth_padding_len = rhdr_auth.padding;
244
245 /* Check it's the type of reply we were expecting to decode */
246
247 get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
248 if (rhdr_auth.auth_type != auth_type) {
249 DEBUG(0, ("BAD auth type %d (should be %d)\n",
250 rhdr_auth.auth_type, auth_type));
251 return False;
252 }
253
254 if (rhdr_auth.auth_level != auth_level) {
255 DEBUG(0, ("BAD auth level %d (should be %d)\n",
256 rhdr_auth.auth_level, auth_level));
257 return False;
258 }
259 }
260
261 if (pkt_type == RPC_BINDACK) {
262 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
263 /* copy the next auth_len bytes into a buffer for
264 later use */
265
266 DATA_BLOB ntlmssp_verf = data_blob(NULL, auth_len);
267 BOOL store_ok;
268
269 /* save the reply away, for use a little later */
270 prs_copy_data_out((char *)ntlmssp_verf.data, &auth_verf, auth_len);
271
272 store_ok = (NT_STATUS_IS_OK(ntlmssp_store_response(cli->ntlmssp_pipe_state,
273 ntlmssp_verf)));
274
275 data_blob_free(&ntlmssp_verf);
276 return store_ok;
277 }
278 else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
279 /* nothing to do here - we don't seem to be able to
280 validate the bindack based on VL's comments */
281 return True;
282 }
283 }
284
285 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
286 NTSTATUS nt_status;
287 DATA_BLOB sig;
288 if ((cli->pipe_auth_flags & AUTH_PIPE_SIGN) ||
289 (cli->pipe_auth_flags & AUTH_PIPE_SEAL)) {
290 if (auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) {
291 DEBUG(0,("rpc_auth_pipe: wrong ntlmssp auth len %d\n", auth_len));
292 return False;
293 }
294 sig = data_blob(NULL, auth_len);
295 prs_copy_data_out((char *)sig.data, &auth_verf, auth_len);
296 }
297
298 /*
299 * Unseal any sealed data in the PDU, not including the
300 * 8 byte auth_header or the auth_data.
301 */
302
303 /*
304 * Now unseal and check the auth verifier in the auth_data at
305 * the end of the packet.
306 */
307
308 if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
309 if (data_len < 0) {
310 DEBUG(1, ("Can't unseal - data_len < 0!!\n"));
311 return False;
312 }
313 nt_status = ntlmssp_unseal_packet(cli->ntlmssp_pipe_state,
314 (unsigned char *)reply_data, data_len,
315 &sig);
316 }
317 else if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
318 nt_status = ntlmssp_check_packet(cli->ntlmssp_pipe_state,
319 (const unsigned char *)reply_data, data_len,
320 &sig);
321 }
322
323 data_blob_free(&sig);
324
325 if (!NT_STATUS_IS_OK(nt_status)) {
326 DEBUG(0, ("rpc_auth_pipe: could not validate "
327 "incoming NTLMSSP packet!\n"));
328 return False;
329 }
330 }
331
332 if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
333 RPC_AUTH_NETSEC_CHK chk;
334
335 if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
336 DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len));
337 return False;
338 }
339
340 if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign",
341 &chk, &auth_verf, 0)) {
342 DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling "
343 "RPC_AUTH_NETSECK_CHK failed\n"));
344 return False;
345 }
346
347 if (!netsec_decode(&cli->auth_info,
348 cli->pipe_auth_flags,
349 SENDER_IS_ACCEPTOR,
350 &chk, reply_data, data_len)) {
351 DEBUG(0, ("rpc_auth_pipe: Could not decode schannel\n"));
352 return False;
353 }
354
355 cli->auth_info.seq_num++;
356
357 }
358 return True;
359 }
360
361
362 /****************************************************************************
363 Send data on an rpc pipe via trans, which *must* be the last fragment.
364 receive response data from an rpc pipe, which may be large...
365
366 Read the first fragment: unfortunately have to use SMBtrans for the first
367 bit, then SMBreadX for subsequent bits.
368
369 If first fragment received also wasn't the last fragment, continue
370 getting fragments until we _do_ receive the last fragment.
371
372 Request/Response PDU's look like the following...
373
374 |<------------------PDU len----------------------------------------------->|
375 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
376
377 +------------+-----------------+-------------+---------------+-------------+
378 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
379 +------------+-----------------+-------------+---------------+-------------+
380
381 Where the presence of the AUTH_HDR and AUTH are dependent on the
382 signing & sealing being negotiated.
383
384 ****************************************************************************/
385
386 static BOOL rpc_api_pipe(struct cli_state *cli, prs_struct *data, prs_struct *rdata,
387 uint8 expected_pkt_type)
388 {
389 uint32 len;
390 char *rparam = NULL;
391 uint32 rparam_len = 0;
392 uint16 setup[2];
393 BOOL first = True;
394 BOOL last = True;
395 RPC_HDR rhdr;
396 char *pdata = data ? prs_data_p(data) : NULL;
397 uint32 data_len = data ? prs_offset(data) : 0;
398 char *prdata = NULL;
399 uint32 rdata_len = 0;
400 uint32 current_offset = 0;
401 uint32 fragment_start = 0;
402 uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : 1024;
403 int auth_padding_len = 0;
404
405 /* Create setup parameters - must be in native byte order. */
406
407 setup[0] = TRANSACT_DCERPCCMD;
408 setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
409
410 DEBUG(5,("rpc_api_pipe: fnum:%x\n", (int)cli->nt_pipe_fnum));
411
412 /* Send the RPC request and receive a response. For short RPC
413 calls (about 1024 bytes or so) the RPC request and response
414 appears in a SMBtrans request and response. Larger RPC
415 responses are received further on. */
416
417 if (!cli_api_pipe(cli, "\\PIPE\\",
418 setup, 2, 0, /* Setup, length, max */
419 NULL, 0, 0, /* Params, length, max */
420 pdata, data_len, max_data, /* data, length, max */
421 &rparam, &rparam_len, /* return params, len */
422 &prdata, &rdata_len)) /* return data, len */
423 {
424 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
425 return False;
426 }
427
428 /* Throw away returned params - we know we won't use them. */
429
430 SAFE_FREE(rparam);
431
432 if (prdata == NULL) {
433 DEBUG(0,("rpc_api_pipe: pipe %x failed to return data.\n",
434 (int)cli->nt_pipe_fnum));
435 return False;
436 }
437
438 /*
439 * Give this memory as dynamically allocated to the return parse
440 * struct.
441 */
442
443 prs_give_memory(rdata, prdata, rdata_len, True);
444 current_offset = rdata_len;
445
446 /* This next call sets the endian bit correctly in rdata. */
447
448 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
449 prs_mem_free(rdata);
450 return False;
451 }
452
453 if (rhdr.pkt_type == RPC_BINDACK) {
454 if (!last && !first) {
455 DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
456 first = True;
457 last = True;
458 }
459 }
460
461 if (rhdr.pkt_type == RPC_BINDNACK) {
462 DEBUG(3, ("Bind NACK received on pipe %x!\n", (int)cli->nt_pipe_fnum));
463 prs_mem_free(rdata);
464 return False;
465 }
466
467 if (rhdr.pkt_type == RPC_RESPONSE) {
468 RPC_HDR_RESP rhdr_resp;
469 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
470 DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
471 prs_mem_free(rdata);
472 return False;
473 }
474 }
475
476 if (rhdr.pkt_type != expected_pkt_type) {
477 DEBUG(3, ("Connection to pipe %x got an unexpected RPC packet type - %d, not %d\n", (int)cli->nt_pipe_fnum, rhdr.pkt_type, expected_pkt_type));
478 prs_mem_free(rdata);
479 return False;
480 }
481
482 DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
483 (unsigned int)len, (unsigned int)rdata_len ));
484
485 /* check if data to be sent back was too large for one SMBtrans */
486 /* err status is only informational: the _real_ check is on the
487 length */
488
489 if (len > 0) {
490 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
491
492 /* Read the remaining part of the first response fragment */
493
494 if (!rpc_read(cli, rdata, len, &current_offset)) {
495 prs_mem_free(rdata);
496 return False;
497 }
498 }
499
500 /*
501 * Now we have a complete PDU, check the auth struct if any was sent.
502 */
503
504 if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
505 rhdr.auth_len, rhdr.pkt_type, &auth_padding_len)) {
506 prs_mem_free(rdata);
507 return False;
508 }
509
510 if (rhdr.auth_len != 0) {
511 /*
512 * Drop the auth footers from the current offset.
513 * We need this if there are more fragments.
514 * The auth footers consist of the auth_data and the
515 * preceeding 8 byte auth_header.
516 */
517 current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
518 }
519
520 /*
521 * Only one rpc fragment, and it has been read.
522 */
523
524 if (first && last) {
525 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
526 return True;
527 }
528
529 /*
530 * Read more fragments using SMBreadX until we get one with the
531 * last bit set.
532 */
533
534 while (!last) {
535 RPC_HDR_RESP rhdr_resp;
536 int num_read;
537 char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
538 prs_struct hps;
539 uint8 eclass;
540 uint32 ecode;
541
542 /*
543 * First read the header of the next PDU.
544 */
545
546 prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
547 prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
548
549 num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
550 if (cli_is_dos_error(cli)) {
551 cli_dos_error(cli, &eclass, &ecode);
552 if (eclass != ERRDOS && ecode != ERRmoredata) {
553 DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
554 return False;
555 }
556 }
557
558 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
559
560 if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
561 DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
562 RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
563 return False;
564 }
565
566 /* This call sets the endianness in hps. */
567
568 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
569 return False;
570
571 /* Ensure the endianness in rdata is set correctly - must be same as hps. */
572
573 if (hps.bigendian_data != rdata->bigendian_data) {
574 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
575 rdata->bigendian_data ? "big" : "little",
576 hps.bigendian_data ? "big" : "little" ));
577 return False;
578 }
579
580 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
581 DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
582 return False;
583 }
584
585 if (first) {
586 DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
587 return False;
588 }
589
590 /*
591 * Now read the rest of the PDU.
592 */
593
594 if (!rpc_read(cli, rdata, len, &current_offset)) {
595 prs_mem_free(rdata);
596 return False;
597 }
598
599 fragment_start = current_offset - len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
600
601 /*
602 * Verify any authentication footer.
603 */
604
605
606 if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
607 rhdr.auth_len, rhdr.pkt_type, &auth_padding_len)) {
608 prs_mem_free(rdata);
609 return False;
610 }
611
612 if (rhdr.auth_len != 0 ) {
613
614 /*
615 * Drop the auth footers from the current offset.
616 * The auth footers consist of the auth_data and the
617 * preceeding 8 byte auth_header.
618 * We need this if there are more fragments.
619 */
620 current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
621 }
622 }
623
624 return True;
625 }
626
627 /*******************************************************************
628 creates a DCE/RPC bind request
629
630 - initialises the parse structure.
631 - dynamically allocates the header data structure
632 - caller is expected to free the header data structure once used.
633
634 ********************************************************************/
635
636 static NTSTATUS create_rpc_bind_req(struct cli_state *cli, prs_struct *rpc_out,
637 uint32 rpc_call_id,
638 RPC_IFACE *abstract, RPC_IFACE *transfer,
639 const char *my_name, const char *domain)
640 {
641 RPC_HDR hdr;
642 RPC_HDR_RB hdr_rb;
643 RPC_HDR_AUTH hdr_auth;
644 int auth_len = 0;
645 int auth_type, auth_level;
646 size_t saved_hdr_offset = 0;
647
648 prs_struct auth_info;
649 prs_init(&auth_info, RPC_HDR_AUTH_LEN, /* we will need at least this much */
650 prs_get_mem_context(rpc_out), MARSHALL);
651
652 if (cli->pipe_auth_flags) {
653 get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
654
655 /*
656 * Create the auth structs we will marshall.
657 */
658
659 init_rpc_hdr_auth(&hdr_auth, auth_type, auth_level, 0x00, 1);
660
661 /*
662 * Now marshall the data into the temporary parse_struct.
663 */
664
665 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
666 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
667 prs_mem_free(&auth_info);
668 return NT_STATUS_NO_MEMORY;
669 }
670 saved_hdr_offset = prs_offset(&auth_info);
671 }
672
673 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
674
675 NTSTATUS nt_status;
676 DATA_BLOB null_blob = data_blob(NULL, 0);
677 DATA_BLOB request;
678
679 DEBUG(5, ("Processing NTLMSSP Negotiate\n"));
680 nt_status = ntlmssp_update(cli->ntlmssp_pipe_state,
681 null_blob,
682 &request);
683
684 if (!NT_STATUS_EQUAL(nt_status,
685 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
686 prs_mem_free(&auth_info);
687 return nt_status;
688 }
689
690 /* Auth len in the rpc header doesn't include auth_header. */
691 auth_len = request.length;
692 prs_copy_data_in(&auth_info, (char *)request.data, request.length);
693
694 DEBUG(5, ("NTLMSSP Negotiate:\n"));
695 dump_data(5, (const char *)request.data, request.length);
696
697 data_blob_free(&request);
698
699 } else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
700 RPC_AUTH_NETSEC_NEG netsec_neg;
701
702 /* Use lp_workgroup() if domain not specified */
703
704 if (!domain || !domain[0]) {
705 DEBUG(10,("create_rpc_bind_req: no domain; assuming my own\n"));
706 domain = lp_workgroup();
707 }
708
709 init_rpc_auth_netsec_neg(&netsec_neg, domain, my_name);
710
711 /*
712 * Now marshall the data into the temporary parse_struct.
713 */
714
715 if(!smb_io_rpc_auth_netsec_neg("netsec_neg",
716 &netsec_neg, &auth_info, 0)) {
717 DEBUG(0,("Failed to marshall RPC_AUTH_NETSEC_NEG.\n"));
718 prs_mem_free(&auth_info);
719 return NT_STATUS_NO_MEMORY;
720 }
721
722 /* Auth len in the rpc header doesn't include auth_header. */
723 auth_len = prs_offset(&auth_info) - saved_hdr_offset;
724 }
725
726 /* Create the request RPC_HDR */
727 init_rpc_hdr(&hdr, RPC_BIND, 0x3, rpc_call_id,
728 RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
729 auth_len);
730
731 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
732 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
733 prs_mem_free(&auth_info);
734 return NT_STATUS_NO_MEMORY;
735 }
736
737 /* create the bind request RPC_HDR_RB */
738 init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
739 0x1, 0x0, 0x1, abstract, transfer);
740
741 /* Marshall the bind request data */
742 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
743 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
744 prs_mem_free(&auth_info);
745 return NT_STATUS_NO_MEMORY;
746 }
747
748 /*
749 * Grow the outgoing buffer to store any auth info.
750 */
751
752 if(auth_len != 0) {
753 if(!prs_append_prs_data( rpc_out, &auth_info)) {
754 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
755 prs_mem_free(&auth_info);
756 return NT_STATUS_NO_MEMORY;
757 }
758 }
759 prs_mem_free(&auth_info);
760 return NT_STATUS_OK;
761 }
762
763 /*******************************************************************
764 Creates a DCE/RPC bind authentication response.
765 This is the packet that is sent back to the server once we
766 have received a BIND-ACK, to finish the third leg of
767 the authentication handshake.
768 ********************************************************************/
769
770 static NTSTATUS create_rpc_bind_resp(struct cli_state *cli,
771 uint32 rpc_call_id,
772 prs_struct *rpc_out)
773 {
774 NTSTATUS nt_status;
775 RPC_HDR hdr;
776 RPC_HDR_AUTHA hdr_autha;
777 DATA_BLOB ntlmssp_null_response = data_blob(NULL, 0);
778 DATA_BLOB ntlmssp_reply;
779 int auth_type, auth_level;
780
781 /* The response is picked up from the internal cache,
782 where it was placed by the rpc_auth_pipe() code */
783 nt_status = ntlmssp_update(cli->ntlmssp_pipe_state,
784 ntlmssp_null_response,
785 &ntlmssp_reply);
786
787 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
788 return nt_status;
789 }
790
791 /* Create the request RPC_HDR */
792 init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
793 RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + ntlmssp_reply.length,
794 ntlmssp_reply.length );
795
796 /* Marshall it. */
797 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
798 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
799 data_blob_free(&ntlmssp_reply);
800 return NT_STATUS_NO_MEMORY;
801 }
802
803 get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
804
805 /* Create the request RPC_HDR_AUTHA */
806 init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
807 auth_type, auth_level, 0x00);
808
809 if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
810 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
811 data_blob_free(&ntlmssp_reply);
812 return NT_STATUS_NO_MEMORY;
813 }
814
815 /*
816 * Append the auth data to the outgoing buffer.
817 */
818
819 if(!prs_copy_data_in(rpc_out, (char *)ntlmssp_reply.data, ntlmssp_reply.length)) {
820 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
821 data_blob_free(&ntlmssp_reply);
822 return NT_STATUS_NO_MEMORY;
823 }
824
825 data_blob_free(&ntlmssp_reply);
826 return NT_STATUS_OK;
827 }
828
829
830 /*******************************************************************
831 Creates a DCE/RPC request.
832 ********************************************************************/
833
834 static uint32 create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len, uint8 flags, uint32 oldid, uint32 data_left)
835 {
836 uint32 alloc_hint;
837 RPC_HDR hdr;
838 RPC_HDR_REQ hdr_req;
839 uint32 callid = oldid ? oldid : get_rpc_call_id();
840
841 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
842
843 /* create the rpc header RPC_HDR */
844 init_rpc_hdr(&hdr, RPC_REQUEST, flags,
845 callid, data_len, auth_len);
846
847 /*
848 * The alloc hint should be the amount of data, not including
849 * RPC headers & footers.
850 */
851
852 if (auth_len != 0)
853 alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
854 else
855 alloc_hint = data_len - RPC_HEADER_LEN;
856
857 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
858 data_len, auth_len, alloc_hint));
859
860 /* Create the rpc request RPC_HDR_REQ */
861 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
862
863 /* stream-time... */
864 if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0))
865 return 0;
866
867 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
868 return 0;
869
870 if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
871 return 0;
872
873 return callid;
874 }
875
876 /*******************************************************************
877 Puts an auth header into an rpc request.
878 ********************************************************************/
879
880 static BOOL create_auth_hdr(prs_struct *outgoing_packet,
881 int auth_type,
882 int auth_level, int padding)
883 {
884 RPC_HDR_AUTH hdr_auth;
885
886 init_rpc_hdr_auth(&hdr_auth, auth_type, auth_level,
887 padding, 1);
888 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth,
889 outgoing_packet, 0)) {
890 DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
891 return False;
892 }
893 return True;
894 }
895
896 /**
897 * Send a request on an RPC pipe and get a response.
898 *
899 * @param data NDR contents of the request to be sent.
900 * @param rdata Unparsed NDR response data.
901 **/
902
903 BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
904 prs_struct *data, prs_struct *rdata)
905 {
906 uint32 auth_len, real_auth_len, auth_hdr_len, max_data, data_left, data_sent;
907 NTSTATUS nt_status;
908 BOOL ret = False;
909 uint32 callid = 0;
910 fstring dump_name;
911
912 auth_len = 0;
913 real_auth_len = 0;
914 auth_hdr_len = 0;
915
916 if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
917 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
918 auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
919 }
920 if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
921 auth_len = RPC_AUTH_NETSEC_CHK_LEN;
922 }
923 auth_hdr_len = RPC_HDR_AUTH_LEN;
924 }
925
926 /*
927 * calc how much actual data we can send in a PDU fragment
928 */
929 max_data = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
930 auth_hdr_len - auth_len - 8;
931
932 for (data_left = prs_offset(data), data_sent = 0; data_left > 0;) {
933 prs_struct outgoing_packet;
934 prs_struct sec_blob;
935 uint32 data_len, send_size;
936 uint8 flags = 0;
937 uint32 auth_padding = 0;
938 DATA_BLOB sign_blob;
939
940 /*
941 * how much will we send this time
942 */
943 send_size = MIN(data_left, max_data);
944
945 if (!prs_init(&sec_blob, send_size, /* will need at least this much */
946 cli->mem_ctx, MARSHALL)) {
947 DEBUG(0,("Could not malloc %u bytes",
948 send_size+auth_padding));
949 return False;
950 }
951
952 if(!prs_append_some_prs_data(&sec_blob, data,
953 data_sent, send_size)) {
954 DEBUG(0,("Failed to append data to netsec blob\n"));
955 prs_mem_free(&sec_blob);
956 return False;
957 }
958
959 /*
960 * NT expects the data that is sealed to be 8-byte
961 * aligned. The padding must be encrypted as well and
962 * taken into account when generating the
963 * authentication verifier. The amount of padding must
964 * be stored in the auth header.
965 */
966
967 if (cli->pipe_auth_flags) {
968 size_t data_and_padding_size;
969 int auth_type;
970 int auth_level;
971 prs_align_uint64(&sec_blob);
972
973 get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
974
975 data_and_padding_size = prs_offset(&sec_blob);
976 auth_padding = data_and_padding_size - send_size;
977
978 /* insert the auth header */
979
980 if(!create_auth_hdr(&sec_blob, auth_type, auth_level, auth_padding)) {
981 prs_mem_free(&sec_blob);
982 return False;
983 }
984
985 /* create an NTLMSSP signature */
986 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
987 /*
988 * Seal the outgoing data if requested.
989 */
990 if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
991
992 nt_status = ntlmssp_seal_packet(cli->ntlmssp_pipe_state,
993 (unsigned char*)prs_data_p(&sec_blob),
994 data_and_padding_size,
995 &sign_blob);
996 if (!NT_STATUS_IS_OK(nt_status)) {
997 prs_mem_free(&sec_blob);
998 return False;
999 }
1000 }
1001 else if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
1002
1003 nt_status = ntlmssp_sign_packet(cli->ntlmssp_pipe_state,
1004 (unsigned char*)prs_data_p(&sec_blob),
1005 data_and_padding_size, &sign_blob);
1006 if (!NT_STATUS_IS_OK(nt_status)) {
1007 prs_mem_free(&sec_blob);
1008 return False;
1009 }
1010 }
1011
1012
1013 /* write auth footer onto the packet */
1014 real_auth_len = sign_blob.length;
1015
1016 prs_copy_data_in(&sec_blob, (char *)sign_blob.data, sign_blob.length);
1017 data_blob_free(&sign_blob);
1018
1019 }
1020 else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
1021 size_t parse_offset_marker;
1022 RPC_AUTH_NETSEC_CHK verf;
1023 DEBUG(10,("SCHANNEL seq_num=%d\n", cli->auth_info.seq_num));
1024
1025 netsec_encode(&cli->auth_info,
1026 cli->pipe_auth_flags,
1027 SENDER_IS_INITIATOR,
1028 &verf,
1029 prs_data_p(&sec_blob),
1030 data_and_padding_size);
1031
1032 cli->auth_info.seq_num++;
1033
1034 /* write auth footer onto the packet */
1035
1036 parse_offset_marker = prs_offset(&sec_blob);
1037 if (!smb_io_rpc_auth_netsec_chk("", &verf,
1038 &sec_blob, 0)) {
1039 prs_mem_free(&sec_blob);
1040 return False;
1041 }
1042 real_auth_len = prs_offset(&sec_blob) - parse_offset_marker;
1043 }
1044 }
1045
1046 data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(&sec_blob);
1047
1048 /*
1049 * Malloc parse struct to hold it (and enough for alignments).
1050 */
1051 if(!prs_init(&outgoing_packet, data_len + 8,
1052 cli->mem_ctx, MARSHALL)) {
1053 DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
1054 return False;
1055 }
1056
1057 if (data_left == prs_offset(data))
1058 flags |= RPC_FLG_FIRST;
1059
1060 if (data_left <= max_data)
1061 flags |= RPC_FLG_LAST;
1062 /*
1063 * Write out the RPC header and the request header.
1064 */
1065 if(!(callid = create_rpc_request(&outgoing_packet, op_num,
1066 data_len, real_auth_len, flags,
1067 callid, data_left))) {
1068 DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
1069 prs_mem_free(&outgoing_packet);
1070 prs_mem_free(&sec_blob);
1071 return False;
1072 }
1073
1074 prs_append_prs_data(&outgoing_packet, &sec_blob);
1075 prs_mem_free(&sec_blob);
1076
1077 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len,
1078 prs_offset(&outgoing_packet)));
1079
1080 if (flags & RPC_FLG_LAST)
1081 ret = rpc_api_pipe(cli, &outgoing_packet,
1082 rdata, RPC_RESPONSE);
1083 else {
1084 cli_write(cli, cli->nt_pipe_fnum, 0x0008,
1085 prs_data_p(&outgoing_packet),
1086 data_sent, data_len);
1087 }
1088 prs_mem_free(&outgoing_packet);
1089 data_sent += send_size;
1090 data_left -= send_size;
1091 }
1092 /* Also capture received data */
1093 slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
1094 cli_pipe_get_name(cli));
1095 prs_dump(dump_name, op_num, rdata);
1096
1097 return ret;
1098 }
1099
1100 /****************************************************************************
1101 Set the handle state.
1102 ****************************************************************************/
1103
1104 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, const char *pipe_name, uint16 device_state)
1105 {
1106 BOOL state_set = False;
1107 char param[2];
1108 uint16 setup[2]; /* only need 2 uint16 setup parameters */
1109 char *rparam = NULL;
1110 char *rdata = NULL;
1111 uint32 rparam_len, rdata_len;
1112
1113 if (pipe_name == NULL)
1114 return False;
1115
1116 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
1117 cli->nt_pipe_fnum, pipe_name, device_state));
1118
1119 /* create parameters: device state */
1120 SSVAL(param, 0, device_state);
1121
1122 /* create setup parameters. */
1123 setup[0] = 0x0001;
1124 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
1125
1126 /* send the data on \PIPE\ */
1127 if (cli_api_pipe(cli, "\\PIPE\\",
1128 setup, 2, 0, /* setup, length, max */
1129 param, 2, 0, /* param, length, max */
1130 NULL, 0, 1024, /* data, length, max */
1131 &rparam, &rparam_len, /* return param, length */
1132 &rdata, &rdata_len)) /* return data, length */
1133 {
1134 DEBUG(5, ("Set Handle state: return OK\n"));
1135 state_set = True;
1136 }
1137
1138 SAFE_FREE(rparam);
1139 SAFE_FREE(rdata);
1140
1141 return state_set;
1142 }
1143
1144 /****************************************************************************
1145 check the rpc bind acknowledge response
1146 ****************************************************************************/
1147
1148 int get_pipe_index( const char *pipe_name )
1149 {
1150 int pipe_idx = 0;
1151
1152 while (pipe_names[pipe_idx].client_pipe != NULL) {
1153 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
1154 return pipe_idx;
1155 pipe_idx++;
1156 };
1157
1158 return -1;
1159 }
1160
1161
1162 /****************************************************************************
1163 check the rpc bind acknowledge response
1164 ****************************************************************************/
1165
1166 const char* get_pipe_name_from_index( const int pipe_index )
1167 {
1168
1169 if ( (pipe_index < 0) || (pipe_index >= PI_MAX_PIPES) )
1170 return NULL;
1171
1172 return pipe_names[pipe_index].client_pipe;
1173 }
1174
1175 /****************************************************************************
1176 Check to see if this pipe index points to one of
1177 the pipes only supported by Win2k
1178 ****************************************************************************/
1179
1180 BOOL is_win2k_pipe( const int pipe_idx )
1181 {
1182 switch ( pipe_idx )
1183 {
1184 case PI_LSARPC_DS:
1185 return True;
1186 }
1187
1188 return False;
1189 }
1190
1191 /****************************************************************************
1192 check the rpc bind acknowledge response
1193 ****************************************************************************/
1194
1195 static BOOL valid_pipe_name(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
1196 {
1197 if ( pipe_idx >= PI_MAX_PIPES ) {
1198 DEBUG(0,("valid_pipe_name: Programmer error! Invalid pipe index [%d]\n",
1199 pipe_idx));
1200 return False;
1201 }
1202
1203 DEBUG(5,("Bind Abstract Syntax: "));
1204 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
1205 sizeof(pipe_names[pipe_idx].abstr_syntax));
1206 DEBUG(5,("Bind Transfer Syntax: "));
1207 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
1208 sizeof(pipe_names[pipe_idx].trans_syntax));
1209
1210 /* copy the required syntaxes out so we can do the right bind */
1211
1212 *transfer = pipe_names[pipe_idx].trans_syntax;
1213 *abstract = pipe_names[pipe_idx].abstr_syntax;
1214
1215 return True;
1216 }
1217
1218 /****************************************************************************
1219 check the rpc bind acknowledge response
1220 ****************************************************************************/
1221
1222 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
1223 {
1224 int i = 0;
1225
1226 # if 0 /* JERRY -- apparently ASU forgets to fill in the server pipe name sometimes */
1227 if ( hdr_ba->addr.len <= 0)
1228 return False;
1229
1230 if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].client_pipe) &&
1231 !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe) )
1232 {
1233 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
1234 pipe_names[i].server_pipe ,hdr_ba->addr.str));
1235 return False;
1236 }
1237
1238 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
1239
1240 if (pipe_names[pipe_idx].server_pipe == NULL) {
1241 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
1242 return False;
1243 }
1244 #endif /* JERRY */
1245
1246 /* check the transfer syntax */
1247 if ((hdr_ba->transfer.version != transfer->version) ||
1248 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1249 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1250 return False;
1251 }
1252
1253 /* lkclXXXX only accept one result: check the result(s) */
1254 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
1255 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1256 hdr_ba->res.num_results, hdr_ba->res.reason));
1257 }
1258
1259 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
1260 return True;
1261 }
1262
1263 /****************************************************************************
1264 Create and send the third packet in an RPC auth.
1265 ****************************************************************************/
1266
1267 static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
1268 {
1269 prs_struct rpc_out;
1270 ssize_t ret;
1271
1272 prs_init(&rpc_out, RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN, /* need at least this much */
1273 cli->mem_ctx, MARSHALL);
1274
1275 if (!NT_STATUS_IS_OK(create_rpc_bind_resp(cli, rpc_call_id,
1276 &rpc_out))) {
1277 return False;
1278 }
1279
1280 if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out),
1281 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
1282 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
1283 prs_mem_free(&rpc_out);
1284 return False;
1285 }
1286
1287 prs_mem_free(&rpc_out);
1288 return True;
1289 }
1290
1291 /****************************************************************************
1292 Do an rpc bind.
1293 ****************************************************************************/
1294
1295 static BOOL rpc_pipe_bind(struct cli_state *cli, int pipe_idx, const char *my_name)
1296 {
1297 RPC_IFACE abstract;
1298 RPC_IFACE transfer;
1299 prs_struct rpc_out;
1300 prs_struct rdata;
1301 uint32 rpc_call_id;
1302 char buffer[MAX_PDU_FRAG_LEN];
1303
1304 if ( (pipe_idx < 0) || (pipe_idx >= PI_MAX_PIPES) )
1305 return False;
1306
1307 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_names[pipe_idx].client_pipe));
1308
1309 if (!valid_pipe_name(pipe_idx, &abstract, &transfer))
1310 return False;
1311
1312 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1313
1314 /*
1315 * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
1316 */
1317
1318 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1319
1320 rpc_call_id = get_rpc_call_id();
1321
1322 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
1323 NTSTATUS nt_status;
1324 fstring password;
1325
1326 DEBUG(5, ("NTLMSSP authenticated pipe selected\n"));
1327
1328 nt_status = ntlmssp_client_start(&cli->ntlmssp_pipe_state);
1329
1330 if (!NT_STATUS_IS_OK(nt_status))
1331 return False;
1332
1333 /* Currently the NTLMSSP code does not implement NTLM2 correctly for signing or sealing */
1334
1335 cli->ntlmssp_pipe_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
1336
1337 nt_status = ntlmssp_set_username(cli->ntlmssp_pipe_state,
1338 cli->user_name);
1339 if (!NT_STATUS_IS_OK(nt_status))
1340 return False;
1341
1342 nt_status = ntlmssp_set_domain(cli->ntlmssp_pipe_state,
1343 cli->domain);
1344 if (!NT_STATUS_IS_OK(nt_status))
1345 return False;
1346
1347 if (cli->pwd.null_pwd) {
1348 nt_status = ntlmssp_set_password(cli->ntlmssp_pipe_state,
1349 NULL);
1350 if (!NT_STATUS_IS_OK(nt_status))
1351 return False;
1352 } else {
1353 pwd_get_cleartext(&cli->pwd, password);
1354 nt_status = ntlmssp_set_password(cli->ntlmssp_pipe_state,
1355 password);
1356 if (!NT_STATUS_IS_OK(nt_status))
1357 return False;
1358 }
1359
1360 if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
1361 cli->ntlmssp_pipe_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
1362 }
1363
1364 if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
1365 cli->ntlmssp_pipe_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
1366 }
1367 } else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
1368 cli->auth_info.seq_num = 0;
1369 }
1370
1371 /* Marshall the outgoing data. */
1372 create_rpc_bind_req(cli, &rpc_out, rpc_call_id,
1373 &abstract, &transfer,
1374 global_myname(), cli->domain);
1375
1376 /* Initialize the incoming data struct. */
1377 prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
1378
1379 /* send data on \PIPE\. receive a response */
1380 if (rpc_api_pipe(cli, &rpc_out, &rdata, RPC_BINDACK)) {
1381 RPC_HDR_BA hdr_ba;
1382
1383 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
1384
1385 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
1386 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
1387 prs_mem_free(&rdata);
1388 return False;
1389 }
1390
1391 if(!check_bind_response(&hdr_ba, pipe_idx, &transfer)) {
1392 DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
1393 prs_mem_free(&rdata);
1394 return False;
1395 }
1396
1397 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
1398 cli->max_recv_frag = hdr_ba.bba.max_rsize;
1399
1400 /*
1401 * If we're doing NTLMSSP auth we need to send a reply to
1402 * the bind-ack to complete the 3-way challenge response
1403 * handshake.
1404 */
1405
1406 if ((cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP)
1407 && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
1408 DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
1409 prs_mem_free(&rdata);
1410 return False;
1411 }
1412 prs_mem_free(&rdata);
1413 return True;
1414 }
1415
1416 return False;
1417 }
1418
1419 /****************************************************************************
1420 Open a session.
1421 ****************************************************************************/
1422
1423 BOOL cli_nt_session_open(struct cli_state *cli, const int pipe_idx)
1424 {
1425 int fnum;
1426
1427 /* At the moment we can't have more than one pipe open over
1428 a cli connection. )-: */
1429
1430 SMB_ASSERT(cli->nt_pipe_fnum == 0);
1431
1432 /* The pipe index must fall within our array */
1433
1434 SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
1435
1436 if (cli->capabilities & CAP_NT_SMBS) {
1437 if ((fnum = cli_nt_create(cli, &pipe_names[pipe_idx].client_pipe[5], DESIRED_ACCESS_PIPE)) == -1) {
1438 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1439 &pipe_names[pipe_idx].client_pipe[5], cli->desthost, cli_errstr(cli)));
1440 return False;
1441 }
1442
1443 cli->nt_pipe_fnum = (uint16)fnum;
1444 } else {
1445 if ((fnum = cli_open(cli, pipe_names[pipe_idx].client_pipe, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1446 DEBUG(1,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1447 pipe_names[pipe_idx].client_pipe, cli->desthost, cli_errstr(cli)));
1448 return False;
1449 }
1450
1451 cli->nt_pipe_fnum = (uint16)fnum;
1452
1453 /**************** Set Named Pipe State ***************/
1454 if (!rpc_pipe_set_hnd_state(cli, pipe_names[pipe_idx].client_pipe, 0x4300)) {
1455 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1456 cli_errstr(cli)));
1457 cli_close(cli, cli->nt_pipe_fnum);
1458 return False;
1459 }
1460 }
1461
1462 /******************* bind request on pipe *****************/
1463
1464 if (!rpc_pipe_bind(cli, pipe_idx, global_myname())) {
1465 DEBUG(2,("cli_nt_session_open: rpc bind to %s failed\n",
1466 get_pipe_name_from_index(pipe_idx)));
1467 cli_close(cli, cli->nt_pipe_fnum);
1468 return False;
1469 }
1470
1471 cli->pipe_idx = pipe_idx;
1472
1473 /*
1474 * Setup the remote server name prefixed by \ and the machine account name.
1475 */
1476
1477 fstrcpy(cli->srv_name_slash, "\\\\");
1478 fstrcat(cli->srv_name_slash, cli->desthost);
1479 strupper_m(cli->srv_name_slash);
1480
1481 fstrcpy(cli->clnt_name_slash, "\\\\");
1482 fstrcat(cli->clnt_name_slash, global_myname());
1483 strupper_m(cli->clnt_name_slash);
1484
1485 fstrcpy(cli->mach_acct, global_myname());
1486 fstrcat(cli->mach_acct, "$");
1487 strupper_m(cli->mach_acct);
1488
1489 /* Remember which pipe we're talking to */
1490 fstrcpy(cli->pipe_name, pipe_names[pipe_idx].client_pipe);
1491
1492 return True;
1493 }
1494
1495
1496 /****************************************************************************
1497 Open a session to the NETLOGON pipe using schannel.
1498
1499 (Assumes that the netlogon pipe is already open)
1500 ****************************************************************************/
1501
1502 NTSTATUS cli_nt_establish_netlogon(struct cli_state *cli, int sec_chan,
1503 const uchar trust_password[16])
1504 {
1505 NTSTATUS result;
1506 uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
1507 int fnum;
1508
1509 cli_nt_netlogon_netsec_session_close(cli);
1510
1511 if (lp_client_schannel() != False)
1512 neg_flags |= NETLOGON_NEG_SCHANNEL;
1513
1514 result = cli_nt_setup_creds(cli, sec_chan, trust_password,
1515 &neg_flags, 2);
1516
1517 if (!NT_STATUS_IS_OK(result)) {
1518 cli_nt_session_close(cli);
1519 return result;
1520 }
1521
1522 if ((lp_client_schannel() == True) &&
1523 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
1524
1525 DEBUG(3, ("Server did not offer schannel\n"));
1526 cli_nt_session_close(cli);
1527 return NT_STATUS_UNSUCCESSFUL;
1528 }
1529
1530 if ((lp_client_schannel() == False) ||
1531 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
1532 return NT_STATUS_OK;
1533
1534 /* keep the existing connection to NETLOGON open */
1535
1536 }
1537
1538 /* Server offered schannel, so try it. */
1539
1540 memcpy(cli->auth_info.sess_key, cli->sess_key,
1541 sizeof(cli->auth_info.sess_key));
1542
1543 cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
1544
1545 cli->pipe_auth_flags = AUTH_PIPE_NETSEC;
1546 cli->pipe_auth_flags |= AUTH_PIPE_SIGN;
1547 cli->pipe_auth_flags |= AUTH_PIPE_SEAL;
1548
1549 if (cli->capabilities & CAP_NT_SMBS) {
1550
1551 /* The secure channel connection must be opened on the same
1552 session (TCP connection) as the one the challenge was
1553 requested from. */
1554 if ((fnum = cli_nt_create(cli, PIPE_NETLOGON_PLAIN,
1555 DESIRED_ACCESS_PIPE)) == -1) {
1556 DEBUG(0,("cli_nt_create failed to %s machine %s. "
1557 "Error was %s\n",
1558 PIPE_NETLOGON, cli->desthost,
1559 cli_errstr(cli)));
1560 return NT_STATUS_UNSUCCESSFUL;
1561 }
1562
1563 cli->nt_pipe_fnum = (uint16)fnum;
1564 } else {
1565 if ((fnum = cli_open(cli, PIPE_NETLOGON,
1566 O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1567 DEBUG(0,("cli_open failed on pipe %s to machine %s. "
1568 "Error was %s\n",
1569 PIPE_NETLOGON, cli->desthost,
1570 cli_errstr(cli)));
1571 return NT_STATUS_UNSUCCESSFUL;
1572 }
1573
1574 cli->nt_pipe_fnum = (uint16)fnum;
1575
1576 /**************** Set Named Pipe State ***************/
1577 if (!rpc_pipe_set_hnd_state(cli, PIPE_NETLOGON, 0x4300)) {
1578 DEBUG(0,("Pipe hnd state failed. Error was %s\n",
1579 cli_errstr(cli)));
1580 cli_close(cli, cli->nt_pipe_fnum);
1581 return NT_STATUS_UNSUCCESSFUL;
1582 }
1583 }
1584
1585 if (!rpc_pipe_bind(cli, PI_NETLOGON, global_myname())) {
1586 DEBUG(2,("rpc bind to %s failed\n", PIPE_NETLOGON));
1587 cli_close(cli, cli->nt_pipe_fnum);
1588 return NT_STATUS_UNSUCCESSFUL;
1589 }
1590
1591 return NT_STATUS_OK;
1592 }
1593
1594
1595 NTSTATUS cli_nt_setup_netsec(struct cli_state *cli, int sec_chan, int auth_flags,
1596 const uchar trust_password[16])
1597 {
1598 NTSTATUS result;
1599 uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
1600 cli->pipe_auth_flags = 0;
1601
1602 if (lp_client_schannel() == False) {
1603 return NT_STATUS_OK;
1604 }
1605
1606 if (!cli_nt_session_open(cli, PI_NETLOGON)) {
1607 DEBUG(0, ("Could not initialise %s\n",
1608 get_pipe_name_from_index(PI_NETLOGON)));
1609 return NT_STATUS_UNSUCCESSFUL;
1610 }
1611
1612 if (lp_client_schannel() != False)
1613 neg_flags |= NETLOGON_NEG_SCHANNEL;
1614
1615 neg_flags |= NETLOGON_NEG_SCHANNEL;
1616
1617 result = cli_nt_setup_creds(cli, sec_chan, trust_password,
1618 &neg_flags, 2);
1619
1620 if (!(neg_flags & NETLOGON_NEG_SCHANNEL)
1621 && lp_client_schannel() == True) {
1622 DEBUG(1, ("Could not negotiate SCHANNEL with the DC!\n"));
1623 result = NT_STATUS_UNSUCCESSFUL;
1624 }
1625
1626 if (!NT_STATUS_IS_OK(result)) {
1627 ZERO_STRUCT(cli->auth_info.sess_key);
1628 ZERO_STRUCT(cli->sess_key);
1629 cli->pipe_auth_flags = 0;
1630 cli_nt_session_close(cli);
1631 return result;
1632 }
1633
1634 memcpy(cli->auth_info.sess_key, cli->sess_key,
1635 sizeof(cli->auth_info.sess_key));
1636
1637 cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
1638 cli->nt_pipe_fnum = 0;
1639
1640 /* doing schannel, not per-user auth */
1641 cli->pipe_auth_flags = auth_flags;
1642
1643 return NT_STATUS_OK;
1644 }
1645
1646 const char *cli_pipe_get_name(struct cli_state *cli)
1647 {
1648 return cli->pipe_name;
1649 }
1650
1651
reg import