2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client routines
4 * Largely rewritten by Jeremy Allison 2005.
5 * Heavily modified by Simo Sorce 2010.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "librpc/gen_ndr/cli_epmapper.h"
23 #include "../librpc/gen_ndr/ndr_schannel.h"
24 #include "../librpc/gen_ndr/ndr_dssetup.h"
25 #include "../libcli/auth/schannel.h"
26 #include "../libcli/auth/spnego.h"
28 #include "../libcli/auth/ntlmssp.h"
29 #include "ntlmssp_wrap.h"
30 #include "librpc/gen_ndr/ndr_dcerpc.h"
31 #include "librpc/rpc/dcerpc.h"
32 #include "librpc/crypto/gse.h"
33 #include "librpc/rpc/dcerpc_spnego.h"
37 #define DBGC_CLASS DBGC_RPC_CLI
39 /********************************************************************
40 Pipe description for a DEBUG
41 ********************************************************************/
42 static const char *rpccli_pipe_txt(TALLOC_CTX *mem_ctx,
43 struct rpc_pipe_client *cli)
45 char *result = talloc_asprintf(mem_ctx, "host %s", cli->desthost);
52 /********************************************************************
54 ********************************************************************/
56 static uint32 get_rpc_call_id(void)
58 static uint32 call_id = 0;
62 /*******************************************************************
63 Use SMBreadX to get rest of one fragment's worth of rpc data.
64 Reads the whole size or give an error message
65 ********************************************************************/
67 struct rpc_read_state {
68 struct event_context *ev;
69 struct rpc_cli_transport *transport;
75 static void rpc_read_done(struct tevent_req *subreq);
77 static struct tevent_req *rpc_read_send(TALLOC_CTX *mem_ctx,
78 struct event_context *ev,
79 struct rpc_cli_transport *transport,
80 uint8_t *data, size_t size)
82 struct tevent_req *req, *subreq;
83 struct rpc_read_state *state;
85 req = tevent_req_create(mem_ctx, &state, struct rpc_read_state);
90 state->transport = transport;
95 DEBUG(5, ("rpc_read_send: data_to_read: %u\n", (unsigned int)size));
97 subreq = transport->read_send(state, ev, (uint8_t *)data, size,
102 tevent_req_set_callback(subreq, rpc_read_done, req);
110 static void rpc_read_done(struct tevent_req *subreq)
112 struct tevent_req *req = tevent_req_callback_data(
113 subreq, struct tevent_req);
114 struct rpc_read_state *state = tevent_req_data(
115 req, struct rpc_read_state);
119 status = state->transport->read_recv(subreq, &received);
121 if (!NT_STATUS_IS_OK(status)) {
122 tevent_req_nterror(req, status);
126 state->num_read += received;
127 if (state->num_read == state->size) {
128 tevent_req_done(req);
132 subreq = state->transport->read_send(state, state->ev,
133 state->data + state->num_read,
134 state->size - state->num_read,
135 state->transport->priv);
136 if (tevent_req_nomem(subreq, req)) {
139 tevent_req_set_callback(subreq, rpc_read_done, req);
142 static NTSTATUS rpc_read_recv(struct tevent_req *req)
144 return tevent_req_simple_recv_ntstatus(req);
147 struct rpc_write_state {
148 struct event_context *ev;
149 struct rpc_cli_transport *transport;
155 static void rpc_write_done(struct tevent_req *subreq);
157 static struct tevent_req *rpc_write_send(TALLOC_CTX *mem_ctx,
158 struct event_context *ev,
159 struct rpc_cli_transport *transport,
160 const uint8_t *data, size_t size)
162 struct tevent_req *req, *subreq;
163 struct rpc_write_state *state;
165 req = tevent_req_create(mem_ctx, &state, struct rpc_write_state);
170 state->transport = transport;
173 state->num_written = 0;
175 DEBUG(5, ("rpc_write_send: data_to_write: %u\n", (unsigned int)size));
177 subreq = transport->write_send(state, ev, data, size, transport->priv);
178 if (subreq == NULL) {
181 tevent_req_set_callback(subreq, rpc_write_done, req);
188 static void rpc_write_done(struct tevent_req *subreq)
190 struct tevent_req *req = tevent_req_callback_data(
191 subreq, struct tevent_req);
192 struct rpc_write_state *state = tevent_req_data(
193 req, struct rpc_write_state);
197 status = state->transport->write_recv(subreq, &written);
199 if (!NT_STATUS_IS_OK(status)) {
200 tevent_req_nterror(req, status);
204 state->num_written += written;
206 if (state->num_written == state->size) {
207 tevent_req_done(req);
211 subreq = state->transport->write_send(state, state->ev,
212 state->data + state->num_written,
213 state->size - state->num_written,
214 state->transport->priv);
215 if (tevent_req_nomem(subreq, req)) {
218 tevent_req_set_callback(subreq, rpc_write_done, req);
221 static NTSTATUS rpc_write_recv(struct tevent_req *req)
223 return tevent_req_simple_recv_ntstatus(req);
227 /****************************************************************************
228 Try and get a PDU's worth of data from current_pdu. If not, then read more
230 ****************************************************************************/
232 struct get_complete_frag_state {
233 struct event_context *ev;
234 struct rpc_pipe_client *cli;
239 static void get_complete_frag_got_header(struct tevent_req *subreq);
240 static void get_complete_frag_got_rest(struct tevent_req *subreq);
242 static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
243 struct event_context *ev,
244 struct rpc_pipe_client *cli,
247 struct tevent_req *req, *subreq;
248 struct get_complete_frag_state *state;
252 req = tevent_req_create(mem_ctx, &state,
253 struct get_complete_frag_state);
259 state->frag_len = RPC_HEADER_LEN;
262 received = pdu->length;
263 if (received < RPC_HEADER_LEN) {
264 if (!data_blob_realloc(mem_ctx, pdu, RPC_HEADER_LEN)) {
265 status = NT_STATUS_NO_MEMORY;
268 subreq = rpc_read_send(state, state->ev,
269 state->cli->transport,
270 pdu->data + received,
271 RPC_HEADER_LEN - received);
272 if (subreq == NULL) {
273 status = NT_STATUS_NO_MEMORY;
276 tevent_req_set_callback(subreq, get_complete_frag_got_header,
281 state->frag_len = dcerpc_get_frag_length(pdu);
284 * Ensure we have frag_len bytes of data.
286 if (received < state->frag_len) {
287 if (!data_blob_realloc(NULL, pdu, state->frag_len)) {
288 status = NT_STATUS_NO_MEMORY;
291 subreq = rpc_read_send(state, state->ev,
292 state->cli->transport,
293 pdu->data + received,
294 state->frag_len - received);
295 if (subreq == NULL) {
296 status = NT_STATUS_NO_MEMORY;
299 tevent_req_set_callback(subreq, get_complete_frag_got_rest,
304 status = NT_STATUS_OK;
306 if (NT_STATUS_IS_OK(status)) {
307 tevent_req_done(req);
309 tevent_req_nterror(req, status);
311 return tevent_req_post(req, ev);
314 static void get_complete_frag_got_header(struct tevent_req *subreq)
316 struct tevent_req *req = tevent_req_callback_data(
317 subreq, struct tevent_req);
318 struct get_complete_frag_state *state = tevent_req_data(
319 req, struct get_complete_frag_state);
322 status = rpc_read_recv(subreq);
324 if (!NT_STATUS_IS_OK(status)) {
325 tevent_req_nterror(req, status);
329 state->frag_len = dcerpc_get_frag_length(state->pdu);
331 if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
332 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
337 * We're here in this piece of code because we've read exactly
338 * RPC_HEADER_LEN bytes into state->pdu.
341 subreq = rpc_read_send(state, state->ev, state->cli->transport,
342 state->pdu->data + RPC_HEADER_LEN,
343 state->frag_len - RPC_HEADER_LEN);
344 if (tevent_req_nomem(subreq, req)) {
347 tevent_req_set_callback(subreq, get_complete_frag_got_rest, req);
350 static void get_complete_frag_got_rest(struct tevent_req *subreq)
352 struct tevent_req *req = tevent_req_callback_data(
353 subreq, struct tevent_req);
356 status = rpc_read_recv(subreq);
358 if (!NT_STATUS_IS_OK(status)) {
359 tevent_req_nterror(req, status);
362 tevent_req_done(req);
365 static NTSTATUS get_complete_frag_recv(struct tevent_req *req)
367 return tevent_req_simple_recv_ntstatus(req);
370 /****************************************************************************
371 Do basic authentication checks on an incoming pdu.
372 ****************************************************************************/
374 static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
375 struct rpc_pipe_client *cli,
376 struct ncacn_packet *pkt,
378 uint8_t expected_pkt_type,
380 DATA_BLOB *reply_pdu)
382 struct dcerpc_response *r;
383 NTSTATUS ret = NT_STATUS_OK;
387 * Point the return values at the real data including the RPC
388 * header. Just in case the caller wants it.
392 /* Ensure we have the correct type. */
393 switch (pkt->ptype) {
394 case DCERPC_PKT_ALTER_RESP:
395 case DCERPC_PKT_BIND_ACK:
397 /* Client code never receives this kind of packets */
401 case DCERPC_PKT_RESPONSE:
403 r = &pkt->u.response;
405 /* Here's where we deal with incoming sign/seal. */
406 ret = dcerpc_check_auth(cli->auth, pkt,
407 &r->stub_and_verifier,
408 DCERPC_RESPONSE_LENGTH,
410 if (!NT_STATUS_IS_OK(ret)) {
414 if (pkt->frag_length < DCERPC_RESPONSE_LENGTH + pad_len) {
415 return NT_STATUS_BUFFER_TOO_SMALL;
418 /* Point the return values at the NDR data. */
419 rdata->data = r->stub_and_verifier.data;
421 if (pkt->auth_length) {
422 /* We've already done integer wrap tests in
423 * dcerpc_check_auth(). */
424 rdata->length = r->stub_and_verifier.length
426 - DCERPC_AUTH_TRAILER_LENGTH
429 rdata->length = r->stub_and_verifier.length;
432 DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
433 (long unsigned int)pdu->length,
434 (long unsigned int)rdata->length,
435 (unsigned int)pad_len));
438 * If this is the first reply, and the allocation hint is
439 * reasonable, try and set up the reply_pdu DATA_BLOB to the
443 if ((reply_pdu->length == 0) &&
444 r->alloc_hint && (r->alloc_hint < 15*1024*1024)) {
445 if (!data_blob_realloc(mem_ctx, reply_pdu,
447 DEBUG(0, ("reply alloc hint %d too "
448 "large to allocate\n",
449 (int)r->alloc_hint));
450 return NT_STATUS_NO_MEMORY;
456 case DCERPC_PKT_BIND_NAK:
457 DEBUG(1, (__location__ ": Bind NACK received from %s!\n",
458 rpccli_pipe_txt(talloc_tos(), cli)));
459 /* Use this for now... */
460 return NT_STATUS_NETWORK_ACCESS_DENIED;
462 case DCERPC_PKT_FAULT:
464 DEBUG(1, (__location__ ": RPC fault code %s received "
466 dcerpc_errstr(talloc_tos(),
467 pkt->u.fault.status),
468 rpccli_pipe_txt(talloc_tos(), cli)));
470 if (NT_STATUS_IS_OK(NT_STATUS(pkt->u.fault.status))) {
471 return NT_STATUS_UNSUCCESSFUL;
473 return NT_STATUS(pkt->u.fault.status);
477 DEBUG(0, (__location__ "Unknown packet type %u received "
479 (unsigned int)pkt->ptype,
480 rpccli_pipe_txt(talloc_tos(), cli)));
481 return NT_STATUS_INVALID_INFO_CLASS;
484 if (pkt->ptype != expected_pkt_type) {
485 DEBUG(3, (__location__ ": Connection to %s got an unexpected "
486 "RPC packet type - %u, not %u\n",
487 rpccli_pipe_txt(talloc_tos(), cli),
488 pkt->ptype, expected_pkt_type));
489 return NT_STATUS_INVALID_INFO_CLASS;
492 /* Do this just before return - we don't want to modify any rpc header
493 data before now as we may have needed to do cryptographic actions on
496 if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
497 !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
498 DEBUG(5, (__location__ ": bug in server (AS/U?), setting "
499 "fragment first/last ON.\n"));
500 pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
506 /****************************************************************************
507 Call a remote api on an arbitrary pipe. takes param, data and setup buffers.
508 ****************************************************************************/
510 struct cli_api_pipe_state {
511 struct event_context *ev;
512 struct rpc_cli_transport *transport;
517 static void cli_api_pipe_trans_done(struct tevent_req *subreq);
518 static void cli_api_pipe_write_done(struct tevent_req *subreq);
519 static void cli_api_pipe_read_done(struct tevent_req *subreq);
521 static struct tevent_req *cli_api_pipe_send(TALLOC_CTX *mem_ctx,
522 struct event_context *ev,
523 struct rpc_cli_transport *transport,
524 uint8_t *data, size_t data_len,
525 uint32_t max_rdata_len)
527 struct tevent_req *req, *subreq;
528 struct cli_api_pipe_state *state;
531 req = tevent_req_create(mem_ctx, &state, struct cli_api_pipe_state);
536 state->transport = transport;
538 if (max_rdata_len < RPC_HEADER_LEN) {
540 * For a RPC reply we always need at least RPC_HEADER_LEN
541 * bytes. We check this here because we will receive
542 * RPC_HEADER_LEN bytes in cli_trans_sock_send_done.
544 status = NT_STATUS_INVALID_PARAMETER;
548 if (transport->trans_send != NULL) {
549 subreq = transport->trans_send(state, ev, data, data_len,
550 max_rdata_len, transport->priv);
551 if (subreq == NULL) {
554 tevent_req_set_callback(subreq, cli_api_pipe_trans_done, req);
559 * If the transport does not provide a "trans" routine, i.e. for
560 * example the ncacn_ip_tcp transport, do the write/read step here.
563 subreq = rpc_write_send(state, ev, transport, data, data_len);
564 if (subreq == NULL) {
567 tevent_req_set_callback(subreq, cli_api_pipe_write_done, req);
571 tevent_req_nterror(req, status);
572 return tevent_req_post(req, ev);
578 static void cli_api_pipe_trans_done(struct tevent_req *subreq)
580 struct tevent_req *req = tevent_req_callback_data(
581 subreq, struct tevent_req);
582 struct cli_api_pipe_state *state = tevent_req_data(
583 req, struct cli_api_pipe_state);
586 status = state->transport->trans_recv(subreq, state, &state->rdata,
589 if (!NT_STATUS_IS_OK(status)) {
590 tevent_req_nterror(req, status);
593 tevent_req_done(req);
596 static void cli_api_pipe_write_done(struct tevent_req *subreq)
598 struct tevent_req *req = tevent_req_callback_data(
599 subreq, struct tevent_req);
600 struct cli_api_pipe_state *state = tevent_req_data(
601 req, struct cli_api_pipe_state);
604 status = rpc_write_recv(subreq);
606 if (!NT_STATUS_IS_OK(status)) {
607 tevent_req_nterror(req, status);
611 state->rdata = TALLOC_ARRAY(state, uint8_t, RPC_HEADER_LEN);
612 if (tevent_req_nomem(state->rdata, req)) {
617 * We don't need to use rpc_read_send here, the upper layer will cope
618 * with a short read, transport->trans_send could also return less
619 * than state->max_rdata_len.
621 subreq = state->transport->read_send(state, state->ev, state->rdata,
623 state->transport->priv);
624 if (tevent_req_nomem(subreq, req)) {
627 tevent_req_set_callback(subreq, cli_api_pipe_read_done, req);
630 static void cli_api_pipe_read_done(struct tevent_req *subreq)
632 struct tevent_req *req = tevent_req_callback_data(
633 subreq, struct tevent_req);
634 struct cli_api_pipe_state *state = tevent_req_data(
635 req, struct cli_api_pipe_state);
639 status = state->transport->read_recv(subreq, &received);
641 if (!NT_STATUS_IS_OK(status)) {
642 tevent_req_nterror(req, status);
645 state->rdata_len = received;
646 tevent_req_done(req);
649 static NTSTATUS cli_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
650 uint8_t **prdata, uint32_t *prdata_len)
652 struct cli_api_pipe_state *state = tevent_req_data(
653 req, struct cli_api_pipe_state);
656 if (tevent_req_is_nterror(req, &status)) {
660 *prdata = talloc_move(mem_ctx, &state->rdata);
661 *prdata_len = state->rdata_len;
665 /****************************************************************************
666 Send data on an rpc pipe via trans. The data must be the last
667 pdu fragment of an NDR data stream.
669 Receive response data from an rpc pipe, which may be large...
671 Read the first fragment: unfortunately have to use SMBtrans for the first
672 bit, then SMBreadX for subsequent bits.
674 If first fragment received also wasn't the last fragment, continue
675 getting fragments until we _do_ receive the last fragment.
677 Request/Response PDU's look like the following...
679 |<------------------PDU len----------------------------------------------->|
680 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
682 +------------+-----------------+-------------+---------------+-------------+
683 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
684 +------------+-----------------+-------------+---------------+-------------+
686 Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
687 signing & sealing being negotiated.
689 ****************************************************************************/
691 struct rpc_api_pipe_state {
692 struct event_context *ev;
693 struct rpc_pipe_client *cli;
694 uint8_t expected_pkt_type;
696 DATA_BLOB incoming_frag;
697 struct ncacn_packet *pkt;
701 size_t reply_pdu_offset;
705 static void rpc_api_pipe_trans_done(struct tevent_req *subreq);
706 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq);
707 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq);
709 static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,
710 struct event_context *ev,
711 struct rpc_pipe_client *cli,
712 DATA_BLOB *data, /* Outgoing PDU */
713 uint8_t expected_pkt_type)
715 struct tevent_req *req, *subreq;
716 struct rpc_api_pipe_state *state;
717 uint16_t max_recv_frag;
720 req = tevent_req_create(mem_ctx, &state, struct rpc_api_pipe_state);
726 state->expected_pkt_type = expected_pkt_type;
727 state->incoming_frag = data_blob_null;
728 state->reply_pdu = data_blob_null;
729 state->reply_pdu_offset = 0;
730 state->endianess = DCERPC_DREP_LE;
733 * Ensure we're not sending too much.
735 if (data->length > cli->max_xmit_frag) {
736 status = NT_STATUS_INVALID_PARAMETER;
740 DEBUG(5,("rpc_api_pipe: %s\n", rpccli_pipe_txt(talloc_tos(), cli)));
742 if (state->expected_pkt_type == DCERPC_PKT_AUTH3) {
743 subreq = rpc_write_send(state, ev, cli->transport,
744 data->data, data->length);
745 if (subreq == NULL) {
748 tevent_req_set_callback(subreq, rpc_api_pipe_auth3_done, req);
752 /* get the header first, then fetch the rest once we have
753 * the frag_length available */
754 max_recv_frag = RPC_HEADER_LEN;
756 subreq = cli_api_pipe_send(state, ev, cli->transport,
757 data->data, data->length, max_recv_frag);
758 if (subreq == NULL) {
761 tevent_req_set_callback(subreq, rpc_api_pipe_trans_done, req);
765 tevent_req_nterror(req, status);
766 return tevent_req_post(req, ev);
772 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq)
774 struct tevent_req *req =
775 tevent_req_callback_data(subreq,
779 status = rpc_write_recv(subreq);
781 if (!NT_STATUS_IS_OK(status)) {
782 tevent_req_nterror(req, status);
786 tevent_req_done(req);
789 static void rpc_api_pipe_trans_done(struct tevent_req *subreq)
791 struct tevent_req *req = tevent_req_callback_data(
792 subreq, struct tevent_req);
793 struct rpc_api_pipe_state *state = tevent_req_data(
794 req, struct rpc_api_pipe_state);
796 uint8_t *rdata = NULL;
797 uint32_t rdata_len = 0;
799 status = cli_api_pipe_recv(subreq, state, &rdata, &rdata_len);
801 if (!NT_STATUS_IS_OK(status)) {
802 DEBUG(5, ("cli_api_pipe failed: %s\n", nt_errstr(status)));
803 tevent_req_nterror(req, status);
808 DEBUG(3,("rpc_api_pipe: %s failed to return data.\n",
809 rpccli_pipe_txt(talloc_tos(), state->cli)));
810 tevent_req_done(req);
815 * Move data on state->incoming_frag.
817 state->incoming_frag.data = talloc_move(state, &rdata);
818 state->incoming_frag.length = rdata_len;
819 if (!state->incoming_frag.data) {
820 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
824 /* Ensure we have enough data for a pdu. */
825 subreq = get_complete_frag_send(state, state->ev, state->cli,
826 &state->incoming_frag);
827 if (tevent_req_nomem(subreq, req)) {
830 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
833 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
835 struct tevent_req *req = tevent_req_callback_data(
836 subreq, struct tevent_req);
837 struct rpc_api_pipe_state *state = tevent_req_data(
838 req, struct rpc_api_pipe_state);
840 DATA_BLOB rdata = data_blob_null;
842 status = get_complete_frag_recv(subreq);
844 if (!NT_STATUS_IS_OK(status)) {
845 DEBUG(5, ("get_complete_frag failed: %s\n",
847 tevent_req_nterror(req, status);
851 state->pkt = talloc(state, struct ncacn_packet);
853 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
857 status = dcerpc_pull_ncacn_packet(state->pkt,
858 &state->incoming_frag,
861 if (!NT_STATUS_IS_OK(status)) {
862 tevent_req_nterror(req, status);
866 if (state->incoming_frag.length != state->pkt->frag_length) {
867 DEBUG(5, ("Incorrect pdu length %u, expected %u\n",
868 (unsigned int)state->incoming_frag.length,
869 (unsigned int)state->pkt->frag_length));
870 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
874 status = cli_pipe_validate_current_pdu(state,
875 state->cli, state->pkt,
876 &state->incoming_frag,
877 state->expected_pkt_type,
881 DEBUG(10,("rpc_api_pipe: got frag len of %u at offset %u: %s\n",
882 (unsigned)state->incoming_frag.length,
883 (unsigned)state->reply_pdu_offset,
886 if (!NT_STATUS_IS_OK(status)) {
887 tevent_req_nterror(req, status);
891 if ((state->pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST)
892 && (state->pkt->drep[0] != DCERPC_DREP_LE)) {
894 * Set the data type correctly for big-endian data on the
897 DEBUG(10,("rpc_api_pipe: On %s PDU data format is "
899 rpccli_pipe_txt(talloc_tos(), state->cli)));
900 state->endianess = 0x00; /* BIG ENDIAN */
903 * Check endianness on subsequent packets.
905 if (state->endianess != state->pkt->drep[0]) {
906 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to "
908 state->endianess?"little":"big",
909 state->pkt->drep[0]?"little":"big"));
910 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
914 /* Now copy the data portion out of the pdu into rbuf. */
915 if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
916 if (!data_blob_realloc(NULL, &state->reply_pdu,
917 state->reply_pdu_offset + rdata.length)) {
918 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
923 memcpy(state->reply_pdu.data + state->reply_pdu_offset,
924 rdata.data, rdata.length);
925 state->reply_pdu_offset += rdata.length;
927 /* reset state->incoming_frag, there is no need to free it,
928 * it will be reallocated to the right size the next time
930 state->incoming_frag.length = 0;
932 if (state->pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
933 /* make sure the pdu length is right now that we
934 * have all the data available (alloc hint may
935 * have allocated more than was actually used) */
936 state->reply_pdu.length = state->reply_pdu_offset;
937 DEBUG(10,("rpc_api_pipe: %s returned %u bytes.\n",
938 rpccli_pipe_txt(talloc_tos(), state->cli),
939 (unsigned)state->reply_pdu.length));
940 tevent_req_done(req);
944 subreq = get_complete_frag_send(state, state->ev, state->cli,
945 &state->incoming_frag);
946 if (tevent_req_nomem(subreq, req)) {
949 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
952 static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
953 struct ncacn_packet **pkt,
954 DATA_BLOB *reply_pdu)
956 struct rpc_api_pipe_state *state = tevent_req_data(
957 req, struct rpc_api_pipe_state);
960 if (tevent_req_is_nterror(req, &status)) {
964 /* return data to caller and assign it ownership of memory */
966 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
967 reply_pdu->length = state->reply_pdu.length;
968 state->reply_pdu.length = 0;
970 data_blob_free(&state->reply_pdu);
974 *pkt = talloc_steal(mem_ctx, state->pkt);
980 /*******************************************************************
981 Creates spnego auth bind.
982 ********************************************************************/
984 static NTSTATUS create_spnego_auth_bind_req(TALLOC_CTX *mem_ctx,
985 struct pipe_auth_data *auth,
986 DATA_BLOB *auth_token)
988 DATA_BLOB in_token = data_blob_null;
991 /* Negotiate the initial auth token */
992 status = spnego_get_client_auth_token(mem_ctx,
993 auth->a_u.spnego_state,
994 &in_token, auth_token);
995 if (!NT_STATUS_IS_OK(status)) {
999 DEBUG(5, ("Created GSS Authentication Token:\n"));
1000 dump_data(5, auth_token->data, auth_token->length);
1002 return NT_STATUS_OK;
1005 /*******************************************************************
1006 Creates krb5 auth bind.
1007 ********************************************************************/
1009 static NTSTATUS create_gssapi_auth_bind_req(TALLOC_CTX *mem_ctx,
1010 struct pipe_auth_data *auth,
1011 DATA_BLOB *auth_token)
1013 DATA_BLOB in_token = data_blob_null;
1016 /* Negotiate the initial auth token */
1017 status = gse_get_client_auth_token(mem_ctx,
1018 auth->a_u.gssapi_state,
1021 if (!NT_STATUS_IS_OK(status)) {
1025 DEBUG(5, ("Created GSS Authentication Token:\n"));
1026 dump_data(5, auth_token->data, auth_token->length);
1028 return NT_STATUS_OK;
1031 /*******************************************************************
1032 Creates NTLMSSP auth bind.
1033 ********************************************************************/
1035 static NTSTATUS create_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1036 DATA_BLOB *auth_token)
1039 DATA_BLOB null_blob = data_blob_null;
1041 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
1042 status = auth_ntlmssp_update(cli->auth->a_u.auth_ntlmssp_state,
1043 null_blob, auth_token);
1045 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1046 data_blob_free(auth_token);
1050 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1051 dump_data(5, auth_token->data, auth_token->length);
1053 return NT_STATUS_OK;
1056 /*******************************************************************
1057 Creates schannel auth bind.
1058 ********************************************************************/
1060 static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1061 DATA_BLOB *auth_token)
1064 struct NL_AUTH_MESSAGE r;
1066 /* Use lp_workgroup() if domain not specified */
1068 if (!cli->auth->domain || !cli->auth->domain[0]) {
1069 cli->auth->domain = talloc_strdup(cli, lp_workgroup());
1070 if (cli->auth->domain == NULL) {
1071 return NT_STATUS_NO_MEMORY;
1076 * Now marshall the data into the auth parse_struct.
1079 r.MessageType = NL_NEGOTIATE_REQUEST;
1080 r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
1081 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
1082 r.oem_netbios_domain.a = cli->auth->domain;
1083 r.oem_netbios_computer.a = global_myname();
1085 status = dcerpc_push_schannel_bind(cli, &r, auth_token);
1086 if (!NT_STATUS_IS_OK(status)) {
1090 return NT_STATUS_OK;
1093 /*******************************************************************
1094 Creates the internals of a DCE/RPC bind request or alter context PDU.
1095 ********************************************************************/
1097 static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
1098 enum dcerpc_pkt_type ptype,
1100 const struct ndr_syntax_id *abstract,
1101 const struct ndr_syntax_id *transfer,
1102 const DATA_BLOB *auth_info,
1105 uint16 auth_len = auth_info->length;
1107 union dcerpc_payload u;
1108 struct dcerpc_ctx_list ctx_list;
1111 auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
1114 ctx_list.context_id = 0;
1115 ctx_list.num_transfer_syntaxes = 1;
1116 ctx_list.abstract_syntax = *abstract;
1117 ctx_list.transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer);
1119 u.bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1120 u.bind.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1121 u.bind.assoc_group_id = 0x0;
1122 u.bind.num_contexts = 1;
1123 u.bind.ctx_list = &ctx_list;
1124 u.bind.auth_info = *auth_info;
1126 status = dcerpc_push_ncacn_packet(mem_ctx,
1128 DCERPC_PFC_FLAG_FIRST |
1129 DCERPC_PFC_FLAG_LAST,
1134 if (!NT_STATUS_IS_OK(status)) {
1135 DEBUG(0, ("Failed to marshall bind/alter ncacn_packet.\n"));
1139 return NT_STATUS_OK;
1142 /*******************************************************************
1143 Creates a DCE/RPC bind request.
1144 ********************************************************************/
1146 static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
1147 struct rpc_pipe_client *cli,
1148 struct pipe_auth_data *auth,
1150 const struct ndr_syntax_id *abstract,
1151 const struct ndr_syntax_id *transfer,
1154 DATA_BLOB auth_token = data_blob_null;
1155 DATA_BLOB auth_info = data_blob_null;
1156 NTSTATUS ret = NT_STATUS_OK;
1158 switch (auth->auth_type) {
1159 case DCERPC_AUTH_TYPE_SCHANNEL:
1160 ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
1161 if (!NT_STATUS_IS_OK(ret)) {
1166 case DCERPC_AUTH_TYPE_NTLMSSP:
1167 ret = create_ntlmssp_auth_rpc_bind_req(cli, &auth_token);
1168 if (!NT_STATUS_IS_OK(ret)) {
1173 case DCERPC_AUTH_TYPE_SPNEGO:
1174 ret = create_spnego_auth_bind_req(cli, auth, &auth_token);
1175 if (!NT_STATUS_IS_OK(ret)) {
1180 case DCERPC_AUTH_TYPE_KRB5:
1181 ret = create_gssapi_auth_bind_req(mem_ctx, auth, &auth_token);
1182 if (!NT_STATUS_IS_OK(ret)) {
1187 case DCERPC_AUTH_TYPE_NONE:
1191 /* "Can't" happen. */
1192 return NT_STATUS_INVALID_INFO_CLASS;
1195 if (auth_token.length != 0) {
1196 ret = dcerpc_push_dcerpc_auth(cli,
1199 0, /* auth_pad_length */
1200 1, /* auth_context_id */
1203 if (!NT_STATUS_IS_OK(ret)) {
1206 data_blob_free(&auth_token);
1209 ret = create_bind_or_alt_ctx_internal(mem_ctx,
1219 /*******************************************************************
1221 Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
1222 Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
1223 and deals with signing/sealing details.
1224 ********************************************************************/
1226 struct rpc_api_pipe_req_state {
1227 struct event_context *ev;
1228 struct rpc_pipe_client *cli;
1231 DATA_BLOB *req_data;
1232 uint32_t req_data_sent;
1234 DATA_BLOB reply_pdu;
1237 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
1238 static void rpc_api_pipe_req_done(struct tevent_req *subreq);
1239 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1240 bool *is_last_frag);
1242 struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
1243 struct event_context *ev,
1244 struct rpc_pipe_client *cli,
1246 DATA_BLOB *req_data)
1248 struct tevent_req *req, *subreq;
1249 struct rpc_api_pipe_req_state *state;
1253 req = tevent_req_create(mem_ctx, &state,
1254 struct rpc_api_pipe_req_state);
1260 state->op_num = op_num;
1261 state->req_data = req_data;
1262 state->req_data_sent = 0;
1263 state->call_id = get_rpc_call_id();
1264 state->reply_pdu = data_blob_null;
1265 state->rpc_out = data_blob_null;
1267 if (cli->max_xmit_frag < DCERPC_REQUEST_LENGTH
1268 + RPC_MAX_SIGN_SIZE) {
1269 /* Server is screwed up ! */
1270 status = NT_STATUS_INVALID_PARAMETER;
1274 status = prepare_next_frag(state, &is_last_frag);
1275 if (!NT_STATUS_IS_OK(status)) {
1280 subreq = rpc_api_pipe_send(state, ev, state->cli,
1282 DCERPC_PKT_RESPONSE);
1283 if (subreq == NULL) {
1286 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1288 subreq = rpc_write_send(state, ev, cli->transport,
1289 state->rpc_out.data,
1290 state->rpc_out.length);
1291 if (subreq == NULL) {
1294 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1300 tevent_req_nterror(req, status);
1301 return tevent_req_post(req, ev);
1307 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1310 size_t data_sent_thistime;
1317 union dcerpc_payload u;
1319 data_left = state->req_data->length - state->req_data_sent;
1321 status = dcerpc_guess_sizes(state->cli->auth,
1322 DCERPC_REQUEST_LENGTH, data_left,
1323 state->cli->max_xmit_frag,
1324 CLIENT_NDR_PADDING_SIZE,
1325 &data_sent_thistime,
1326 &frag_len, &auth_len, &pad_len);
1327 if (!NT_STATUS_IS_OK(status)) {
1331 if (state->req_data_sent == 0) {
1332 flags = DCERPC_PFC_FLAG_FIRST;
1335 if (data_sent_thistime == data_left) {
1336 flags |= DCERPC_PFC_FLAG_LAST;
1339 data_blob_free(&state->rpc_out);
1341 ZERO_STRUCT(u.request);
1343 u.request.alloc_hint = state->req_data->length;
1344 u.request.context_id = 0;
1345 u.request.opnum = state->op_num;
1347 status = dcerpc_push_ncacn_packet(state,
1354 if (!NT_STATUS_IS_OK(status)) {
1358 /* explicitly set frag_len here as dcerpc_push_ncacn_packet() can't
1359 * compute it right for requests because the auth trailer is missing
1361 dcerpc_set_frag_length(&state->rpc_out, frag_len);
1363 /* Copy in the data. */
1364 if (!data_blob_append(NULL, &state->rpc_out,
1365 state->req_data->data + state->req_data_sent,
1366 data_sent_thistime)) {
1367 return NT_STATUS_NO_MEMORY;
1370 switch (state->cli->auth->auth_level) {
1371 case DCERPC_AUTH_LEVEL_NONE:
1372 case DCERPC_AUTH_LEVEL_CONNECT:
1373 case DCERPC_AUTH_LEVEL_PACKET:
1375 case DCERPC_AUTH_LEVEL_INTEGRITY:
1376 case DCERPC_AUTH_LEVEL_PRIVACY:
1377 status = dcerpc_add_auth_footer(state->cli->auth, pad_len,
1379 if (!NT_STATUS_IS_OK(status)) {
1384 return NT_STATUS_INVALID_PARAMETER;
1387 state->req_data_sent += data_sent_thistime;
1388 *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
1393 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq)
1395 struct tevent_req *req = tevent_req_callback_data(
1396 subreq, struct tevent_req);
1397 struct rpc_api_pipe_req_state *state = tevent_req_data(
1398 req, struct rpc_api_pipe_req_state);
1402 status = rpc_write_recv(subreq);
1403 TALLOC_FREE(subreq);
1404 if (!NT_STATUS_IS_OK(status)) {
1405 tevent_req_nterror(req, status);
1409 status = prepare_next_frag(state, &is_last_frag);
1410 if (!NT_STATUS_IS_OK(status)) {
1411 tevent_req_nterror(req, status);
1416 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1418 DCERPC_PKT_RESPONSE);
1419 if (tevent_req_nomem(subreq, req)) {
1422 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1424 subreq = rpc_write_send(state, state->ev,
1425 state->cli->transport,
1426 state->rpc_out.data,
1427 state->rpc_out.length);
1428 if (tevent_req_nomem(subreq, req)) {
1431 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1436 static void rpc_api_pipe_req_done(struct tevent_req *subreq)
1438 struct tevent_req *req = tevent_req_callback_data(
1439 subreq, struct tevent_req);
1440 struct rpc_api_pipe_req_state *state = tevent_req_data(
1441 req, struct rpc_api_pipe_req_state);
1444 status = rpc_api_pipe_recv(subreq, state, NULL, &state->reply_pdu);
1445 TALLOC_FREE(subreq);
1446 if (!NT_STATUS_IS_OK(status)) {
1447 tevent_req_nterror(req, status);
1450 tevent_req_done(req);
1453 NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
1454 DATA_BLOB *reply_pdu)
1456 struct rpc_api_pipe_req_state *state = tevent_req_data(
1457 req, struct rpc_api_pipe_req_state);
1460 if (tevent_req_is_nterror(req, &status)) {
1462 * We always have to initialize to reply pdu, even if there is
1463 * none. The rpccli_* caller routines expect this.
1465 *reply_pdu = data_blob_null;
1469 /* return data to caller and assign it ownership of memory */
1470 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
1471 reply_pdu->length = state->reply_pdu.length;
1472 state->reply_pdu.length = 0;
1474 return NT_STATUS_OK;
1477 /****************************************************************************
1478 Check the rpc bind acknowledge response.
1479 ****************************************************************************/
1481 static bool check_bind_response(const struct dcerpc_bind_ack *r,
1482 const struct ndr_syntax_id *transfer)
1484 struct dcerpc_ack_ctx ctx;
1486 if (r->secondary_address_size == 0) {
1487 DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
1490 if (r->num_results < 1 || !r->ctx_list) {
1494 ctx = r->ctx_list[0];
1496 /* check the transfer syntax */
1497 if ((ctx.syntax.if_version != transfer->if_version) ||
1498 (memcmp(&ctx.syntax.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1499 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1503 if (r->num_results != 0x1 || ctx.result != 0) {
1504 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1505 r->num_results, ctx.reason));
1508 DEBUG(5,("check_bind_response: accepted!\n"));
1512 /*******************************************************************
1513 Creates a DCE/RPC bind authentication response.
1514 This is the packet that is sent back to the server once we
1515 have received a BIND-ACK, to finish the third leg of
1516 the authentication handshake.
1517 ********************************************************************/
1519 static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
1520 struct rpc_pipe_client *cli,
1522 enum dcerpc_AuthType auth_type,
1523 enum dcerpc_AuthLevel auth_level,
1524 DATA_BLOB *pauth_blob,
1528 union dcerpc_payload u;
1532 status = dcerpc_push_dcerpc_auth(mem_ctx,
1535 0, /* auth_pad_length */
1536 1, /* auth_context_id */
1538 &u.auth3.auth_info);
1539 if (!NT_STATUS_IS_OK(status)) {
1543 status = dcerpc_push_ncacn_packet(mem_ctx,
1545 DCERPC_PFC_FLAG_FIRST |
1546 DCERPC_PFC_FLAG_LAST,
1551 data_blob_free(&u.auth3.auth_info);
1552 if (!NT_STATUS_IS_OK(status)) {
1553 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
1557 return NT_STATUS_OK;
1560 /*******************************************************************
1561 Creates a DCE/RPC bind alter context authentication request which
1562 may contain a spnego auth blobl
1563 ********************************************************************/
1565 static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
1566 enum dcerpc_AuthType auth_type,
1567 enum dcerpc_AuthLevel auth_level,
1569 const struct ndr_syntax_id *abstract,
1570 const struct ndr_syntax_id *transfer,
1571 const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
1574 DATA_BLOB auth_info;
1577 status = dcerpc_push_dcerpc_auth(mem_ctx,
1580 0, /* auth_pad_length */
1581 1, /* auth_context_id */
1584 if (!NT_STATUS_IS_OK(status)) {
1588 status = create_bind_or_alt_ctx_internal(mem_ctx,
1595 data_blob_free(&auth_info);
1599 /****************************************************************************
1601 ****************************************************************************/
1603 struct rpc_pipe_bind_state {
1604 struct event_context *ev;
1605 struct rpc_pipe_client *cli;
1608 uint32_t rpc_call_id;
1611 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
1612 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1613 struct rpc_pipe_bind_state *state,
1614 DATA_BLOB *credentials);
1615 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1616 struct rpc_pipe_bind_state *state,
1617 DATA_BLOB *credentials);
1619 struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
1620 struct event_context *ev,
1621 struct rpc_pipe_client *cli,
1622 struct pipe_auth_data *auth)
1624 struct tevent_req *req, *subreq;
1625 struct rpc_pipe_bind_state *state;
1628 req = tevent_req_create(mem_ctx, &state, struct rpc_pipe_bind_state);
1633 DEBUG(5,("Bind RPC Pipe: %s auth_type %u(%u), auth_level %u\n",
1634 rpccli_pipe_txt(talloc_tos(), cli),
1635 (unsigned int)auth->auth_type,
1636 (unsigned int)auth->spnego_type,
1637 (unsigned int)auth->auth_level ));
1641 state->rpc_call_id = get_rpc_call_id();
1643 cli->auth = talloc_move(cli, &auth);
1645 /* Marshall the outgoing data. */
1646 status = create_rpc_bind_req(state, cli,
1649 &cli->abstract_syntax,
1650 &cli->transfer_syntax,
1653 if (!NT_STATUS_IS_OK(status)) {
1657 subreq = rpc_api_pipe_send(state, ev, cli, &state->rpc_out,
1658 DCERPC_PKT_BIND_ACK);
1659 if (subreq == NULL) {
1662 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1666 tevent_req_nterror(req, status);
1667 return tevent_req_post(req, ev);
1673 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
1675 struct tevent_req *req = tevent_req_callback_data(
1676 subreq, struct tevent_req);
1677 struct rpc_pipe_bind_state *state = tevent_req_data(
1678 req, struct rpc_pipe_bind_state);
1679 struct pipe_auth_data *pauth = state->cli->auth;
1680 struct ncacn_packet *pkt;
1681 struct dcerpc_auth auth;
1682 DATA_BLOB auth_token = data_blob_null;
1685 status = rpc_api_pipe_recv(subreq, talloc_tos(), &pkt, NULL);
1686 TALLOC_FREE(subreq);
1687 if (!NT_STATUS_IS_OK(status)) {
1688 DEBUG(3, ("rpc_pipe_bind: %s bind request returned %s\n",
1689 rpccli_pipe_txt(talloc_tos(), state->cli),
1690 nt_errstr(status)));
1691 tevent_req_nterror(req, status);
1696 tevent_req_done(req);
1700 if (!check_bind_response(&pkt->u.bind_ack, &state->cli->transfer_syntax)) {
1701 DEBUG(2, ("rpc_pipe_bind: check_bind_response failed.\n"));
1702 tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
1706 state->cli->max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
1707 state->cli->max_recv_frag = pkt->u.bind_ack.max_recv_frag;
1709 switch(pauth->auth_type) {
1711 case DCERPC_AUTH_TYPE_NONE:
1712 case DCERPC_AUTH_TYPE_SCHANNEL:
1713 /* Bind complete. */
1714 tevent_req_done(req);
1717 case DCERPC_AUTH_TYPE_NTLMSSP:
1718 case DCERPC_AUTH_TYPE_SPNEGO:
1719 case DCERPC_AUTH_TYPE_KRB5:
1720 /* Paranoid lenght checks */
1721 if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
1722 + pkt->auth_length) {
1723 tevent_req_nterror(req,
1724 NT_STATUS_INFO_LENGTH_MISMATCH);
1727 /* get auth credentials */
1728 status = dcerpc_pull_dcerpc_auth(talloc_tos(),
1729 &pkt->u.bind_ack.auth_info,
1731 if (!NT_STATUS_IS_OK(status)) {
1732 DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
1733 nt_errstr(status)));
1734 tevent_req_nterror(req, status);
1744 * For authenticated binds we may need to do 3 or 4 leg binds.
1747 switch(pauth->auth_type) {
1749 case DCERPC_AUTH_TYPE_NONE:
1750 case DCERPC_AUTH_TYPE_SCHANNEL:
1751 /* Bind complete. */
1752 tevent_req_done(req);
1755 case DCERPC_AUTH_TYPE_NTLMSSP:
1756 status = auth_ntlmssp_update(pauth->a_u.auth_ntlmssp_state,
1757 auth.credentials, &auth_token);
1758 if (NT_STATUS_EQUAL(status,
1759 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1760 status = rpc_bind_next_send(req, state,
1762 } else if (NT_STATUS_IS_OK(status)) {
1763 status = rpc_bind_finish_send(req, state,
1768 case DCERPC_AUTH_TYPE_SPNEGO:
1769 status = spnego_get_client_auth_token(state,
1770 pauth->a_u.spnego_state,
1773 if (!NT_STATUS_IS_OK(status)) {
1776 if (auth_token.length == 0) {
1777 /* Bind complete. */
1778 tevent_req_done(req);
1781 if (spnego_require_more_processing(pauth->a_u.spnego_state)) {
1782 status = rpc_bind_next_send(req, state,
1785 status = rpc_bind_finish_send(req, state,
1790 case DCERPC_AUTH_TYPE_KRB5:
1791 status = gse_get_client_auth_token(state,
1792 pauth->a_u.gssapi_state,
1795 if (!NT_STATUS_IS_OK(status)) {
1799 if (gse_require_more_processing(pauth->a_u.gssapi_state)) {
1800 status = rpc_bind_next_send(req, state, &auth_token);
1802 status = rpc_bind_finish_send(req, state, &auth_token);
1810 if (!NT_STATUS_IS_OK(status)) {
1811 tevent_req_nterror(req, status);
1816 DEBUG(0,("cli_finish_bind_auth: unknown auth type %u(%u)\n",
1817 (unsigned int)state->cli->auth->auth_type,
1818 (unsigned int)state->cli->auth->spnego_type));
1819 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
1822 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1823 struct rpc_pipe_bind_state *state,
1824 DATA_BLOB *auth_token)
1826 struct pipe_auth_data *auth = state->cli->auth;
1827 struct tevent_req *subreq;
1830 /* Now prepare the alter context pdu. */
1831 data_blob_free(&state->rpc_out);
1833 status = create_rpc_alter_context(state,
1837 &state->cli->abstract_syntax,
1838 &state->cli->transfer_syntax,
1841 if (!NT_STATUS_IS_OK(status)) {
1845 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1846 &state->rpc_out, DCERPC_PKT_ALTER_RESP);
1847 if (subreq == NULL) {
1848 return NT_STATUS_NO_MEMORY;
1850 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1851 return NT_STATUS_OK;
1854 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1855 struct rpc_pipe_bind_state *state,
1856 DATA_BLOB *auth_token)
1858 struct pipe_auth_data *auth = state->cli->auth;
1859 struct tevent_req *subreq;
1862 state->auth3 = true;
1864 /* Now prepare the auth3 context pdu. */
1865 data_blob_free(&state->rpc_out);
1867 status = create_rpc_bind_auth3(state, state->cli,
1873 if (!NT_STATUS_IS_OK(status)) {
1877 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1878 &state->rpc_out, DCERPC_PKT_AUTH3);
1879 if (subreq == NULL) {
1880 return NT_STATUS_NO_MEMORY;
1882 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1883 return NT_STATUS_OK;
1886 NTSTATUS rpc_pipe_bind_recv(struct tevent_req *req)
1888 return tevent_req_simple_recv_ntstatus(req);
1891 NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
1892 struct pipe_auth_data *auth)
1894 TALLOC_CTX *frame = talloc_stackframe();
1895 struct event_context *ev;
1896 struct tevent_req *req;
1897 NTSTATUS status = NT_STATUS_OK;
1899 ev = event_context_init(frame);
1901 status = NT_STATUS_NO_MEMORY;
1905 req = rpc_pipe_bind_send(frame, ev, cli, auth);
1907 status = NT_STATUS_NO_MEMORY;
1911 if (!tevent_req_poll(req, ev)) {
1912 status = map_nt_error_from_unix(errno);
1916 status = rpc_pipe_bind_recv(req);
1922 #define RPCCLI_DEFAULT_TIMEOUT 10000 /* 10 seconds. */
1924 unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli,
1925 unsigned int timeout)
1929 if (rpc_cli->transport == NULL) {
1930 return RPCCLI_DEFAULT_TIMEOUT;
1933 if (rpc_cli->transport->set_timeout == NULL) {
1934 return RPCCLI_DEFAULT_TIMEOUT;
1937 old = rpc_cli->transport->set_timeout(rpc_cli->transport->priv, timeout);
1939 return RPCCLI_DEFAULT_TIMEOUT;
1945 bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli)
1947 if (rpc_cli == NULL) {
1951 if (rpc_cli->transport == NULL) {
1955 return rpc_cli->transport->is_connected(rpc_cli->transport->priv);
1958 struct rpccli_bh_state {
1959 struct rpc_pipe_client *rpc_cli;
1962 static bool rpccli_bh_is_connected(struct dcerpc_binding_handle *h)
1964 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
1965 struct rpccli_bh_state);
1967 return rpccli_is_connected(hs->rpc_cli);
1970 static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
1973 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
1974 struct rpccli_bh_state);
1976 return rpccli_set_timeout(hs->rpc_cli, timeout);
1979 struct rpccli_bh_raw_call_state {
1985 static void rpccli_bh_raw_call_done(struct tevent_req *subreq);
1987 static struct tevent_req *rpccli_bh_raw_call_send(TALLOC_CTX *mem_ctx,
1988 struct tevent_context *ev,
1989 struct dcerpc_binding_handle *h,
1990 const struct GUID *object,
1993 const uint8_t *in_data,
1996 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
1997 struct rpccli_bh_state);
1998 struct tevent_req *req;
1999 struct rpccli_bh_raw_call_state *state;
2001 struct tevent_req *subreq;
2003 req = tevent_req_create(mem_ctx, &state,
2004 struct rpccli_bh_raw_call_state);
2008 state->in_data.data = discard_const_p(uint8_t, in_data);
2009 state->in_data.length = in_length;
2011 ok = rpccli_bh_is_connected(h);
2013 tevent_req_nterror(req, NT_STATUS_INVALID_CONNECTION);
2014 return tevent_req_post(req, ev);
2017 subreq = rpc_api_pipe_req_send(state, ev, hs->rpc_cli,
2018 opnum, &state->in_data);
2019 if (tevent_req_nomem(subreq, req)) {
2020 return tevent_req_post(req, ev);
2022 tevent_req_set_callback(subreq, rpccli_bh_raw_call_done, req);
2027 static void rpccli_bh_raw_call_done(struct tevent_req *subreq)
2029 struct tevent_req *req =
2030 tevent_req_callback_data(subreq,
2032 struct rpccli_bh_raw_call_state *state =
2033 tevent_req_data(req,
2034 struct rpccli_bh_raw_call_state);
2037 state->out_flags = 0;
2039 /* TODO: support bigendian responses */
2041 status = rpc_api_pipe_req_recv(subreq, state, &state->out_data);
2042 TALLOC_FREE(subreq);
2043 if (!NT_STATUS_IS_OK(status)) {
2044 tevent_req_nterror(req, status);
2048 tevent_req_done(req);
2051 static NTSTATUS rpccli_bh_raw_call_recv(struct tevent_req *req,
2052 TALLOC_CTX *mem_ctx,
2055 uint32_t *out_flags)
2057 struct rpccli_bh_raw_call_state *state =
2058 tevent_req_data(req,
2059 struct rpccli_bh_raw_call_state);
2062 if (tevent_req_is_nterror(req, &status)) {
2063 tevent_req_received(req);
2067 *out_data = talloc_move(mem_ctx, &state->out_data.data);
2068 *out_length = state->out_data.length;
2069 *out_flags = state->out_flags;
2070 tevent_req_received(req);
2071 return NT_STATUS_OK;
2074 struct rpccli_bh_disconnect_state {
2078 static struct tevent_req *rpccli_bh_disconnect_send(TALLOC_CTX *mem_ctx,
2079 struct tevent_context *ev,
2080 struct dcerpc_binding_handle *h)
2082 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2083 struct rpccli_bh_state);
2084 struct tevent_req *req;
2085 struct rpccli_bh_disconnect_state *state;
2088 req = tevent_req_create(mem_ctx, &state,
2089 struct rpccli_bh_disconnect_state);
2094 ok = rpccli_bh_is_connected(h);
2096 tevent_req_nterror(req, NT_STATUS_INVALID_CONNECTION);
2097 return tevent_req_post(req, ev);
2101 * TODO: do a real async disconnect ...
2103 * For now the caller needs to free rpc_cli
2107 tevent_req_done(req);
2108 return tevent_req_post(req, ev);
2111 static NTSTATUS rpccli_bh_disconnect_recv(struct tevent_req *req)
2115 if (tevent_req_is_nterror(req, &status)) {
2116 tevent_req_received(req);
2120 tevent_req_received(req);
2121 return NT_STATUS_OK;
2124 static bool rpccli_bh_ref_alloc(struct dcerpc_binding_handle *h)
2129 static void rpccli_bh_do_ndr_print(struct dcerpc_binding_handle *h,
2131 const void *_struct_ptr,
2132 const struct ndr_interface_call *call)
2134 void *struct_ptr = discard_const(_struct_ptr);
2136 if (DEBUGLEVEL < 10) {
2140 if (ndr_flags & NDR_IN) {
2141 ndr_print_function_debug(call->ndr_print,
2146 if (ndr_flags & NDR_OUT) {
2147 ndr_print_function_debug(call->ndr_print,
2154 static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
2156 .is_connected = rpccli_bh_is_connected,
2157 .set_timeout = rpccli_bh_set_timeout,
2158 .raw_call_send = rpccli_bh_raw_call_send,
2159 .raw_call_recv = rpccli_bh_raw_call_recv,
2160 .disconnect_send = rpccli_bh_disconnect_send,
2161 .disconnect_recv = rpccli_bh_disconnect_recv,
2163 .ref_alloc = rpccli_bh_ref_alloc,
2164 .do_ndr_print = rpccli_bh_do_ndr_print,
2167 /* initialise a rpc_pipe_client binding handle */
2168 static struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c)
2170 struct dcerpc_binding_handle *h;
2171 struct rpccli_bh_state *hs;
2173 h = dcerpc_binding_handle_create(c,
2178 struct rpccli_bh_state,
2188 bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
2190 struct auth_ntlmssp_state *a = NULL;
2191 struct cli_state *cli;
2193 if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
2194 a = rpc_cli->auth->a_u.auth_ntlmssp_state;
2195 } else if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2196 enum dcerpc_AuthType auth_type;
2200 status = spnego_get_negotiated_mech(
2201 rpc_cli->auth->a_u.spnego_state,
2202 &auth_type, &auth_ctx);
2203 if (!NT_STATUS_IS_OK(status)) {
2207 if (auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
2208 a = talloc_get_type(auth_ctx,
2209 struct auth_ntlmssp_state);
2214 memcpy(nt_hash, auth_ntlmssp_get_nt_hash(a), 16);
2218 cli = rpc_pipe_np_smb_conn(rpc_cli);
2222 E_md4hash(cli->password ? cli->password : "", nt_hash);
2226 NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
2227 struct pipe_auth_data **presult)
2229 struct pipe_auth_data *result;
2231 result = talloc(mem_ctx, struct pipe_auth_data);
2232 if (result == NULL) {
2233 return NT_STATUS_NO_MEMORY;
2236 result->auth_type = DCERPC_AUTH_TYPE_NONE;
2237 result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
2238 result->auth_level = DCERPC_AUTH_LEVEL_NONE;
2240 result->user_name = talloc_strdup(result, "");
2241 result->domain = talloc_strdup(result, "");
2242 if ((result->user_name == NULL) || (result->domain == NULL)) {
2243 TALLOC_FREE(result);
2244 return NT_STATUS_NO_MEMORY;
2248 return NT_STATUS_OK;
2251 static int cli_auth_ntlmssp_data_destructor(struct pipe_auth_data *auth)
2253 TALLOC_FREE(auth->a_u.auth_ntlmssp_state);
2257 static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
2258 enum dcerpc_AuthType auth_type,
2259 enum dcerpc_AuthLevel auth_level,
2261 const char *username,
2262 const char *password,
2263 struct pipe_auth_data **presult)
2265 struct pipe_auth_data *result;
2268 result = talloc(mem_ctx, struct pipe_auth_data);
2269 if (result == NULL) {
2270 return NT_STATUS_NO_MEMORY;
2273 result->auth_type = auth_type;
2274 result->auth_level = auth_level;
2276 result->user_name = talloc_strdup(result, username);
2277 result->domain = talloc_strdup(result, domain);
2278 if ((result->user_name == NULL) || (result->domain == NULL)) {
2279 status = NT_STATUS_NO_MEMORY;
2283 status = auth_ntlmssp_client_start(NULL,
2286 lp_client_ntlmv2_auth(),
2287 &result->a_u.auth_ntlmssp_state);
2288 if (!NT_STATUS_IS_OK(status)) {
2292 talloc_set_destructor(result, cli_auth_ntlmssp_data_destructor);
2294 status = auth_ntlmssp_set_username(result->a_u.auth_ntlmssp_state,
2296 if (!NT_STATUS_IS_OK(status)) {
2300 status = auth_ntlmssp_set_domain(result->a_u.auth_ntlmssp_state,
2302 if (!NT_STATUS_IS_OK(status)) {
2306 status = auth_ntlmssp_set_password(result->a_u.auth_ntlmssp_state,
2308 if (!NT_STATUS_IS_OK(status)) {
2313 * Turn off sign+seal to allow selected auth level to turn it back on.
2315 auth_ntlmssp_and_flags(result->a_u.auth_ntlmssp_state,
2316 ~(NTLMSSP_NEGOTIATE_SIGN |
2317 NTLMSSP_NEGOTIATE_SEAL));
2319 if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
2320 auth_ntlmssp_or_flags(result->a_u.auth_ntlmssp_state,
2321 NTLMSSP_NEGOTIATE_SIGN);
2322 } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
2323 auth_ntlmssp_or_flags(result->a_u.auth_ntlmssp_state,
2324 NTLMSSP_NEGOTIATE_SEAL |
2325 NTLMSSP_NEGOTIATE_SIGN);
2329 return NT_STATUS_OK;
2332 TALLOC_FREE(result);
2336 NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
2337 enum dcerpc_AuthLevel auth_level,
2338 struct netlogon_creds_CredentialState *creds,
2339 struct pipe_auth_data **presult)
2341 struct pipe_auth_data *result;
2343 result = talloc(mem_ctx, struct pipe_auth_data);
2344 if (result == NULL) {
2345 return NT_STATUS_NO_MEMORY;
2348 result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
2349 result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
2350 result->auth_level = auth_level;
2352 result->user_name = talloc_strdup(result, "");
2353 result->domain = talloc_strdup(result, domain);
2354 if ((result->user_name == NULL) || (result->domain == NULL)) {
2358 result->a_u.schannel_auth = talloc(result, struct schannel_state);
2359 if (result->a_u.schannel_auth == NULL) {
2363 result->a_u.schannel_auth->state = SCHANNEL_STATE_START;
2364 result->a_u.schannel_auth->seq_num = 0;
2365 result->a_u.schannel_auth->initiator = true;
2366 result->a_u.schannel_auth->creds = netlogon_creds_copy(result, creds);
2369 return NT_STATUS_OK;
2372 TALLOC_FREE(result);
2373 return NT_STATUS_NO_MEMORY;
2377 * Create an rpc pipe client struct, connecting to a tcp port.
2379 static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
2381 const struct ndr_syntax_id *abstract_syntax,
2382 struct rpc_pipe_client **presult)
2384 struct rpc_pipe_client *result;
2385 struct sockaddr_storage addr;
2389 result = TALLOC_ZERO_P(mem_ctx, struct rpc_pipe_client);
2390 if (result == NULL) {
2391 return NT_STATUS_NO_MEMORY;
2394 result->abstract_syntax = *abstract_syntax;
2395 result->transfer_syntax = ndr_transfer_syntax;
2397 result->desthost = talloc_strdup(result, host);
2398 result->srv_name_slash = talloc_asprintf_strupper_m(
2399 result, "\\\\%s", result->desthost);
2400 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2401 status = NT_STATUS_NO_MEMORY;
2405 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2406 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2408 if (!resolve_name(host, &addr, 0, false)) {
2409 status = NT_STATUS_NOT_FOUND;
2413 status = open_socket_out(&addr, port, 60, &fd);
2414 if (!NT_STATUS_IS_OK(status)) {
2417 set_socket_options(fd, lp_socket_options());
2419 status = rpc_transport_sock_init(result, fd, &result->transport);
2420 if (!NT_STATUS_IS_OK(status)) {
2425 result->transport->transport = NCACN_IP_TCP;
2427 result->binding_handle = rpccli_bh_create(result);
2428 if (result->binding_handle == NULL) {
2429 TALLOC_FREE(result);
2430 return NT_STATUS_NO_MEMORY;
2434 return NT_STATUS_OK;
2437 TALLOC_FREE(result);
2442 * Determine the tcp port on which a dcerpc interface is listening
2443 * for the ncacn_ip_tcp transport via the endpoint mapper of the
2446 static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
2447 const struct ndr_syntax_id *abstract_syntax,
2451 struct rpc_pipe_client *epm_pipe = NULL;
2452 struct pipe_auth_data *auth = NULL;
2453 struct dcerpc_binding *map_binding = NULL;
2454 struct dcerpc_binding *res_binding = NULL;
2455 struct epm_twr_t *map_tower = NULL;
2456 struct epm_twr_t *res_towers = NULL;
2457 struct policy_handle *entry_handle = NULL;
2458 uint32_t num_towers = 0;
2459 uint32_t max_towers = 1;
2460 struct epm_twr_p_t towers;
2461 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2463 if (pport == NULL) {
2464 status = NT_STATUS_INVALID_PARAMETER;
2468 /* open the connection to the endpoint mapper */
2469 status = rpc_pipe_open_tcp_port(tmp_ctx, host, 135,
2470 &ndr_table_epmapper.syntax_id,
2473 if (!NT_STATUS_IS_OK(status)) {
2477 status = rpccli_anon_bind_data(tmp_ctx, &auth);
2478 if (!NT_STATUS_IS_OK(status)) {
2482 status = rpc_pipe_bind(epm_pipe, auth);
2483 if (!NT_STATUS_IS_OK(status)) {
2487 /* create tower for asking the epmapper */
2489 map_binding = TALLOC_ZERO_P(tmp_ctx, struct dcerpc_binding);
2490 if (map_binding == NULL) {
2491 status = NT_STATUS_NO_MEMORY;
2495 map_binding->transport = NCACN_IP_TCP;
2496 map_binding->object = *abstract_syntax;
2497 map_binding->host = host; /* needed? */
2498 map_binding->endpoint = "0"; /* correct? needed? */
2500 map_tower = TALLOC_ZERO_P(tmp_ctx, struct epm_twr_t);
2501 if (map_tower == NULL) {
2502 status = NT_STATUS_NO_MEMORY;
2506 status = dcerpc_binding_build_tower(tmp_ctx, map_binding,
2507 &(map_tower->tower));
2508 if (!NT_STATUS_IS_OK(status)) {
2512 /* allocate further parameters for the epm_Map call */
2514 res_towers = TALLOC_ARRAY(tmp_ctx, struct epm_twr_t, max_towers);
2515 if (res_towers == NULL) {
2516 status = NT_STATUS_NO_MEMORY;
2519 towers.twr = res_towers;
2521 entry_handle = TALLOC_ZERO_P(tmp_ctx, struct policy_handle);
2522 if (entry_handle == NULL) {
2523 status = NT_STATUS_NO_MEMORY;
2527 /* ask the endpoint mapper for the port */
2529 status = rpccli_epm_Map(epm_pipe,
2531 CONST_DISCARD(struct GUID *,
2532 &(abstract_syntax->uuid)),
2539 if (!NT_STATUS_IS_OK(status)) {
2543 if (num_towers != 1) {
2544 status = NT_STATUS_UNSUCCESSFUL;
2548 /* extract the port from the answer */
2550 status = dcerpc_binding_from_tower(tmp_ctx,
2551 &(towers.twr->tower),
2553 if (!NT_STATUS_IS_OK(status)) {
2557 /* are further checks here necessary? */
2558 if (res_binding->transport != NCACN_IP_TCP) {
2559 status = NT_STATUS_UNSUCCESSFUL;
2563 *pport = (uint16_t)atoi(res_binding->endpoint);
2566 TALLOC_FREE(tmp_ctx);
2571 * Create a rpc pipe client struct, connecting to a host via tcp.
2572 * The port is determined by asking the endpoint mapper on the given
2575 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
2576 const struct ndr_syntax_id *abstract_syntax,
2577 struct rpc_pipe_client **presult)
2582 status = rpc_pipe_get_tcp_port(host, abstract_syntax, &port);
2583 if (!NT_STATUS_IS_OK(status)) {
2587 return rpc_pipe_open_tcp_port(mem_ctx, host, port,
2588 abstract_syntax, presult);
2591 /********************************************************************
2592 Create a rpc pipe client struct, connecting to a unix domain socket
2593 ********************************************************************/
2594 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
2595 const struct ndr_syntax_id *abstract_syntax,
2596 struct rpc_pipe_client **presult)
2598 struct rpc_pipe_client *result;
2599 struct sockaddr_un addr;
2603 result = talloc_zero(mem_ctx, struct rpc_pipe_client);
2604 if (result == NULL) {
2605 return NT_STATUS_NO_MEMORY;
2608 result->abstract_syntax = *abstract_syntax;
2609 result->transfer_syntax = ndr_transfer_syntax;
2611 result->desthost = get_myname(result);
2612 result->srv_name_slash = talloc_asprintf_strupper_m(
2613 result, "\\\\%s", result->desthost);
2614 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2615 status = NT_STATUS_NO_MEMORY;
2619 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2620 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2622 fd = socket(AF_UNIX, SOCK_STREAM, 0);
2624 status = map_nt_error_from_unix(errno);
2629 addr.sun_family = AF_UNIX;
2630 strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path));
2632 if (sys_connect(fd, (struct sockaddr *)(void *)&addr) == -1) {
2633 DEBUG(0, ("connect(%s) failed: %s\n", socket_path,
2636 return map_nt_error_from_unix(errno);
2639 status = rpc_transport_sock_init(result, fd, &result->transport);
2640 if (!NT_STATUS_IS_OK(status)) {
2645 result->transport->transport = NCALRPC;
2647 result->binding_handle = rpccli_bh_create(result);
2648 if (result->binding_handle == NULL) {
2649 TALLOC_FREE(result);
2650 return NT_STATUS_NO_MEMORY;
2654 return NT_STATUS_OK;
2657 TALLOC_FREE(result);
2661 struct rpc_pipe_client_np_ref {
2662 struct cli_state *cli;
2663 struct rpc_pipe_client *pipe;
2666 static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_ref)
2668 DLIST_REMOVE(np_ref->cli->pipe_list, np_ref->pipe);
2672 /****************************************************************************
2673 Open a named pipe over SMB to a remote server.
2675 * CAVEAT CALLER OF THIS FUNCTION:
2676 * The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
2677 * so be sure that this function is called AFTER any structure (vs pointer)
2678 * assignment of the cli. In particular, libsmbclient does structure
2679 * assignments of cli, which invalidates the data in the returned
2680 * rpc_pipe_client if this function is called before the structure assignment
2683 ****************************************************************************/
2685 static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
2686 const struct ndr_syntax_id *abstract_syntax,
2687 struct rpc_pipe_client **presult)
2689 struct rpc_pipe_client *result;
2691 struct rpc_pipe_client_np_ref *np_ref;
2693 /* sanity check to protect against crashes */
2696 return NT_STATUS_INVALID_HANDLE;
2699 result = TALLOC_ZERO_P(NULL, struct rpc_pipe_client);
2700 if (result == NULL) {
2701 return NT_STATUS_NO_MEMORY;
2704 result->abstract_syntax = *abstract_syntax;
2705 result->transfer_syntax = ndr_transfer_syntax;
2706 result->desthost = talloc_strdup(result, cli->desthost);
2707 result->srv_name_slash = talloc_asprintf_strupper_m(
2708 result, "\\\\%s", result->desthost);
2710 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2711 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2713 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2714 TALLOC_FREE(result);
2715 return NT_STATUS_NO_MEMORY;
2718 status = rpc_transport_np_init(result, cli, abstract_syntax,
2719 &result->transport);
2720 if (!NT_STATUS_IS_OK(status)) {
2721 TALLOC_FREE(result);
2725 result->transport->transport = NCACN_NP;
2727 np_ref = talloc(result->transport, struct rpc_pipe_client_np_ref);
2728 if (np_ref == NULL) {
2729 TALLOC_FREE(result);
2730 return NT_STATUS_NO_MEMORY;
2733 np_ref->pipe = result;
2735 DLIST_ADD(np_ref->cli->pipe_list, np_ref->pipe);
2736 talloc_set_destructor(np_ref, rpc_pipe_client_np_ref_destructor);
2738 result->binding_handle = rpccli_bh_create(result);
2739 if (result->binding_handle == NULL) {
2740 TALLOC_FREE(result);
2741 return NT_STATUS_NO_MEMORY;
2745 return NT_STATUS_OK;
2748 /****************************************************************************
2749 Open a pipe to a remote server.
2750 ****************************************************************************/
2752 static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
2753 enum dcerpc_transport_t transport,
2754 const struct ndr_syntax_id *interface,
2755 struct rpc_pipe_client **presult)
2757 switch (transport) {
2759 return rpc_pipe_open_tcp(NULL, cli->desthost, interface,
2762 return rpc_pipe_open_np(cli, interface, presult);
2764 return NT_STATUS_NOT_IMPLEMENTED;
2768 /****************************************************************************
2769 Open a named pipe to an SMB server and bind anonymously.
2770 ****************************************************************************/
2772 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
2773 enum dcerpc_transport_t transport,
2774 const struct ndr_syntax_id *interface,
2775 struct rpc_pipe_client **presult)
2777 struct rpc_pipe_client *result;
2778 struct pipe_auth_data *auth;
2781 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2782 if (!NT_STATUS_IS_OK(status)) {
2786 status = rpccli_anon_bind_data(result, &auth);
2787 if (!NT_STATUS_IS_OK(status)) {
2788 DEBUG(0, ("rpccli_anon_bind_data returned %s\n",
2789 nt_errstr(status)));
2790 TALLOC_FREE(result);
2795 * This is a bit of an abstraction violation due to the fact that an
2796 * anonymous bind on an authenticated SMB inherits the user/domain
2797 * from the enclosing SMB creds
2800 TALLOC_FREE(auth->user_name);
2801 TALLOC_FREE(auth->domain);
2803 auth->user_name = talloc_strdup(auth, cli->user_name);
2804 auth->domain = talloc_strdup(auth, cli->domain);
2805 auth->user_session_key = data_blob_talloc(auth,
2806 cli->user_session_key.data,
2807 cli->user_session_key.length);
2809 if ((auth->user_name == NULL) || (auth->domain == NULL)) {
2810 TALLOC_FREE(result);
2811 return NT_STATUS_NO_MEMORY;
2814 status = rpc_pipe_bind(result, auth);
2815 if (!NT_STATUS_IS_OK(status)) {
2817 if (ndr_syntax_id_equal(interface,
2818 &ndr_table_dssetup.syntax_id)) {
2819 /* non AD domains just don't have this pipe, avoid
2820 * level 0 statement in that case - gd */
2823 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
2824 "%s failed with error %s\n",
2825 get_pipe_name_from_syntax(talloc_tos(), interface),
2826 nt_errstr(status) ));
2827 TALLOC_FREE(result);
2831 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
2832 "%s and bound anonymously.\n",
2833 get_pipe_name_from_syntax(talloc_tos(), interface),
2837 return NT_STATUS_OK;
2840 /****************************************************************************
2841 ****************************************************************************/
2843 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
2844 const struct ndr_syntax_id *interface,
2845 struct rpc_pipe_client **presult)
2847 return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
2848 interface, presult);
2851 /****************************************************************************
2852 Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP
2853 ****************************************************************************/
2855 NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
2856 const struct ndr_syntax_id *interface,
2857 enum dcerpc_transport_t transport,
2858 enum dcerpc_AuthLevel auth_level,
2860 const char *username,
2861 const char *password,
2862 struct rpc_pipe_client **presult)
2864 struct rpc_pipe_client *result;
2865 struct pipe_auth_data *auth = NULL;
2866 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
2869 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2870 if (!NT_STATUS_IS_OK(status)) {
2874 status = rpccli_ntlmssp_bind_data(result,
2875 auth_type, auth_level,
2876 domain, username, password,
2878 if (!NT_STATUS_IS_OK(status)) {
2879 DEBUG(0, ("rpccli_ntlmssp_bind_data returned %s\n",
2880 nt_errstr(status)));
2884 status = rpc_pipe_bind(result, auth);
2885 if (!NT_STATUS_IS_OK(status)) {
2886 DEBUG(0, ("cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error %s\n",
2887 nt_errstr(status) ));
2891 DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to "
2892 "machine %s and bound NTLMSSP as user %s\\%s.\n",
2893 get_pipe_name_from_syntax(talloc_tos(), interface),
2894 cli->desthost, domain, username ));
2897 return NT_STATUS_OK;
2901 TALLOC_FREE(result);
2905 /****************************************************************************
2907 Open a named pipe to an SMB server and bind using schannel (bind type 68)
2908 using session_key. sign and seal.
2910 The *pdc will be stolen onto this new pipe
2911 ****************************************************************************/
2913 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
2914 const struct ndr_syntax_id *interface,
2915 enum dcerpc_transport_t transport,
2916 enum dcerpc_AuthLevel auth_level,
2918 struct netlogon_creds_CredentialState **pdc,
2919 struct rpc_pipe_client **presult)
2921 struct rpc_pipe_client *result;
2922 struct pipe_auth_data *auth;
2925 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2926 if (!NT_STATUS_IS_OK(status)) {
2930 status = rpccli_schannel_bind_data(result, domain, auth_level,
2932 if (!NT_STATUS_IS_OK(status)) {
2933 DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
2934 nt_errstr(status)));
2935 TALLOC_FREE(result);
2939 status = rpc_pipe_bind(result, auth);
2940 if (!NT_STATUS_IS_OK(status)) {
2941 DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
2942 "cli_rpc_pipe_bind failed with error %s\n",
2943 nt_errstr(status) ));
2944 TALLOC_FREE(result);
2949 * The credentials on a new netlogon pipe are the ones we are passed
2950 * in - copy them over
2952 result->dc = netlogon_creds_copy(result, *pdc);
2953 if (result->dc == NULL) {
2954 TALLOC_FREE(result);
2955 return NT_STATUS_NO_MEMORY;
2958 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
2959 "for domain %s and bound using schannel.\n",
2960 get_pipe_name_from_syntax(talloc_tos(), interface),
2961 cli->desthost, domain ));
2964 return NT_STATUS_OK;
2967 /****************************************************************************
2968 Open a named pipe to an SMB server and bind using krb5 (bind type 16).
2969 The idea is this can be called with service_princ, username and password all
2970 NULL so long as the caller has a TGT.
2971 ****************************************************************************/
2973 NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
2974 const struct ndr_syntax_id *interface,
2975 enum dcerpc_transport_t transport,
2976 enum dcerpc_AuthLevel auth_level,
2978 const char *username,
2979 const char *password,
2980 struct rpc_pipe_client **presult)
2982 struct rpc_pipe_client *result;
2983 struct pipe_auth_data *auth;
2986 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2987 if (!NT_STATUS_IS_OK(status)) {
2991 auth = talloc(result, struct pipe_auth_data);
2993 status = NT_STATUS_NO_MEMORY;
2996 auth->auth_type = DCERPC_AUTH_TYPE_KRB5;
2997 auth->auth_level = auth_level;
3002 auth->user_name = talloc_strdup(auth, username);
3003 if (!auth->user_name) {
3004 status = NT_STATUS_NO_MEMORY;
3008 /* Fixme, should we fetch/set the Realm ? */
3009 auth->domain = talloc_strdup(auth, "");
3010 if (!auth->domain) {
3011 status = NT_STATUS_NO_MEMORY;
3015 status = gse_init_client(auth,
3016 (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY),
3017 (auth_level == DCERPC_AUTH_LEVEL_PRIVACY),
3018 NULL, server, "cifs", username, password,
3019 GSS_C_DCE_STYLE, &auth->a_u.gssapi_state);
3021 if (!NT_STATUS_IS_OK(status)) {
3022 DEBUG(0, ("gse_init_client returned %s\n",
3023 nt_errstr(status)));
3027 status = rpc_pipe_bind(result, auth);
3028 if (!NT_STATUS_IS_OK(status)) {
3029 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3030 nt_errstr(status)));
3035 return NT_STATUS_OK;
3038 TALLOC_FREE(result);
3042 NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
3043 const struct ndr_syntax_id *interface,
3044 enum dcerpc_transport_t transport,
3045 enum dcerpc_AuthLevel auth_level,
3047 const char *username,
3048 const char *password,
3049 struct rpc_pipe_client **presult)
3051 struct rpc_pipe_client *result;
3052 struct pipe_auth_data *auth;
3055 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3056 if (!NT_STATUS_IS_OK(status)) {
3060 auth = talloc(result, struct pipe_auth_data);
3062 status = NT_STATUS_NO_MEMORY;
3065 auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
3066 auth->auth_level = auth_level;
3068 auth->spnego_type = PIPE_AUTH_TYPE_SPNEGO_KRB5;
3073 auth->user_name = talloc_strdup(auth, username);
3074 if (!auth->user_name) {
3075 status = NT_STATUS_NO_MEMORY;
3079 /* Fixme, should we fetch/set the Realm ? */
3080 auth->domain = talloc_strdup(auth, "");
3081 if (!auth->domain) {
3082 status = NT_STATUS_NO_MEMORY;
3086 status = spnego_gssapi_init_client(auth, auth->auth_level,
3087 NULL, server, "cifs",
3090 &auth->a_u.spnego_state);
3091 if (!NT_STATUS_IS_OK(status)) {
3092 DEBUG(0, ("spnego_init_client returned %s\n",
3093 nt_errstr(status)));
3097 status = rpc_pipe_bind(result, auth);
3098 if (!NT_STATUS_IS_OK(status)) {
3099 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3100 nt_errstr(status)));
3105 return NT_STATUS_OK;
3108 TALLOC_FREE(result);
3112 NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
3113 const struct ndr_syntax_id *interface,
3114 enum dcerpc_transport_t transport,
3115 enum dcerpc_AuthLevel auth_level,
3117 const char *username,
3118 const char *password,
3119 struct rpc_pipe_client **presult)
3121 struct rpc_pipe_client *result;
3122 struct pipe_auth_data *auth;
3125 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3126 if (!NT_STATUS_IS_OK(status)) {
3130 auth = talloc(result, struct pipe_auth_data);
3132 status = NT_STATUS_NO_MEMORY;
3135 auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
3136 auth->auth_level = auth_level;
3141 auth->user_name = talloc_strdup(auth, username);
3142 if (!auth->user_name) {
3143 status = NT_STATUS_NO_MEMORY;
3150 auth->domain = talloc_strdup(auth, domain);
3151 if (!auth->domain) {
3152 status = NT_STATUS_NO_MEMORY;
3156 status = spnego_ntlmssp_init_client(auth, auth->auth_level,
3157 domain, username, password,
3158 &auth->a_u.spnego_state);
3159 if (!NT_STATUS_IS_OK(status)) {
3160 DEBUG(0, ("spnego_init_client returned %s\n",
3161 nt_errstr(status)));
3165 status = rpc_pipe_bind(result, auth);
3166 if (!NT_STATUS_IS_OK(status)) {
3167 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3168 nt_errstr(status)));
3173 return NT_STATUS_OK;
3176 TALLOC_FREE(result);
3180 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
3181 struct rpc_pipe_client *cli,
3182 DATA_BLOB *session_key)
3184 struct pipe_auth_data *a = cli->auth;
3185 DATA_BLOB sk = data_blob_null;
3186 bool make_dup = false;
3188 if (!session_key || !cli) {
3189 return NT_STATUS_INVALID_PARAMETER;
3193 return NT_STATUS_INVALID_PARAMETER;
3196 switch (cli->auth->auth_type) {
3197 case DCERPC_AUTH_TYPE_SCHANNEL:
3198 sk = data_blob_const(a->a_u.schannel_auth->creds->session_key,
3202 case DCERPC_AUTH_TYPE_SPNEGO:
3203 sk = spnego_get_session_key(mem_ctx, a->a_u.spnego_state);
3206 case DCERPC_AUTH_TYPE_NTLMSSP:
3207 sk = auth_ntlmssp_get_session_key(a->a_u.auth_ntlmssp_state);
3210 case DCERPC_AUTH_TYPE_KRB5:
3211 sk = gse_get_session_key(mem_ctx, a->a_u.gssapi_state);
3214 case DCERPC_AUTH_TYPE_NONE:
3215 sk = data_blob_const(a->user_session_key.data,
3216 a->user_session_key.length);
3224 return NT_STATUS_NO_USER_SESSION_KEY;
3228 *session_key = data_blob_dup_talloc(mem_ctx, &sk);
3233 return NT_STATUS_OK;