2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1998.
7 * Copyright (C) Jeremy Allison 1999.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 #define DBGC_CLASS DBGC_RPC_CLI
29 extern struct pipe_id_info pipe_names[];
31 /********************************************************************
33 ********************************************************************/
35 static uint32 get_rpc_call_id(void)
37 static uint32 call_id = 0;
41 /*******************************************************************
42 Use SMBreadX to get rest of one fragment's worth of rpc data.
43 ********************************************************************/
45 static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
47 size_t size = (size_t)cli->max_recv_frag;
48 int stream_offset = 0;
51 int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
53 DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
54 (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
57 * Grow the buffer if needed to accommodate the data to be read.
60 if (extra_data_size > 0) {
61 if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
62 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
65 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
68 pdata = prs_data_p(rdata) + *rdata_offset;
70 do /* read data using SMBreadX */
75 if (size > (size_t)data_to_read)
76 size = (size_t)data_to_read;
78 num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
80 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
81 num_read, stream_offset, data_to_read));
83 if (cli_is_dos_error(cli)) {
84 cli_dos_error(cli, &eclass, &ecode);
85 if (eclass != ERRDOS && ecode != ERRmoredata) {
86 DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
87 eclass, (unsigned int)ecode));
92 data_to_read -= num_read;
93 stream_offset += num_read;
96 } while (num_read > 0 && data_to_read > 0);
97 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
100 * Update the current offset into rdata by the amount read.
102 *rdata_offset += stream_offset;
107 /****************************************************************************
108 Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
109 ****************************************************************************/
111 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
112 BOOL *first, BOOL *last, uint32 *len)
114 DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
116 /* Next call sets endian bit. */
118 if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) {
119 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
123 if (prs_offset(rdata) != RPC_HEADER_LEN) {
124 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
128 (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
129 (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
130 (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
132 return (rhdr->pkt_type != RPC_FAULT);
135 static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len)
137 unsigned char *hash = cli->ntlmssp_hash;
138 unsigned char index_i = hash[256];
139 unsigned char index_j = hash[257];
142 for( ind = 0; ind < len; ind++) {
147 index_j += hash[index_i];
150 hash[index_i] = hash[index_j];
153 t = hash[index_i] + hash[index_j];
154 data[ind] = data[ind] ^ hash[t];
161 /****************************************************************************
162 Verify data on an rpc pipe.
163 The VERIFY & SEAL code is only executed on packets that look like this :
165 Request/Response PDU's look like the following...
167 |<------------------PDU len----------------------------------------------->|
168 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
170 +------------+-----------------+-------------+---------------+-------------+
171 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
172 +------------+-----------------+-------------+---------------+-------------+
174 Never on bind requests/responses.
175 ****************************************************************************/
177 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
178 uint32 fragment_start, int len, int auth_len, int *pauth_padding_len)
181 * The following is that length of the data we must sign or seal.
182 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
183 * preceeding the auth_data.
186 int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
189 * The start of the data to sign/seal is just after the RPC headers.
191 char *reply_data = prs_data_p(rdata) + fragment_start + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
193 BOOL auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
194 BOOL auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
195 BOOL auth_schannel = (cli->saved_netlogon_pipe_fnum != 0);
197 *pauth_padding_len = 0;
199 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s schannel %s\n",
200 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal), BOOLSTR(auth_schannel)));
203 * Unseal any sealed data in the PDU, not including the
204 * 8 byte auth_header or the auth_data.
208 DEBUG(10,("rpc_auth_pipe: unseal\n"));
209 dump_data(100, reply_data, data_len);
210 NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
211 dump_data(100, reply_data, data_len);
214 if (auth_verify || auth_seal) {
215 RPC_HDR_AUTH rhdr_auth;
217 char data[RPC_HDR_AUTH_LEN];
219 * We set dp to be the end of the packet, minus the auth_len
220 * and the length of the header that preceeds the auth_data.
222 char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN;
224 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
225 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
229 memcpy(data, dp, sizeof(data));
231 prs_init(&auth_req , 0, cli->mem_ctx, UNMARSHALL);
233 /* The endianness must be preserved... JRA. */
235 prs_set_endian_data(&auth_req, rdata->bigendian_data);
237 prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False);
240 * Unmarshall the 8 byte auth_header that comes before the
244 if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) {
245 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n"));
249 if (!rpc_hdr_auth_chk(&rhdr_auth)) {
250 DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n"));
256 * Now unseal and check the auth verifier in the auth_data at
257 * then end of the packet. The 4 bytes skipped in the unseal
258 * seem to be a buffer pointer preceeding the sealed data.
262 RPC_AUTH_NTLMSSP_CHK chk;
264 prs_struct auth_verf;
265 char data[RPC_AUTH_NTLMSSP_CHK_LEN];
266 char *dp = prs_data_p(rdata) + len - auth_len;
268 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
269 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
273 DEBUG(10,("rpc_auth_pipe: verify\n"));
274 dump_data(100, dp, auth_len);
275 NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4);
277 memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN);
278 dump_data(100, data, auth_len);
280 prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
282 /* The endinness must be preserved. JRA. */
283 prs_set_endian_data( &auth_verf, rdata->bigendian_data);
285 prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False);
287 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) {
288 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n"));
292 crc32 = crc32_calc_buffer(reply_data, data_len);
294 if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) {
295 DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n"));
298 cli->ntlmssp_seq_num++;
302 RPC_AUTH_NETSEC_CHK chk;
303 RPC_HDR_AUTH rhdr_auth;
304 char data[RPC_HDR_AUTH_LEN+RPC_AUTH_NETSEC_CHK_LEN];
305 char *dp = prs_data_p(rdata) + fragment_start + len -
306 RPC_HDR_AUTH_LEN - RPC_AUTH_NETSEC_CHK_LEN;
307 prs_struct auth_verf;
309 if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
310 DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len));
314 if (dp - prs_data_p(rdata) > prs_data_size(rdata)) {
315 DEBUG(0,("rpc_auth_pipe: schannel auth data > data size !\n"));
319 DEBUG(10,("rpc_auth_pipe: schannel verify netsec\n"));
320 dump_data(100, dp, auth_len);
322 memcpy(data, dp, sizeof(data));
323 dump_data(100, data, sizeof(data));
325 prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
327 /* The endinness must be preserved. JRA. */
328 prs_set_endian_data( &auth_verf, rdata->bigendian_data);
330 prs_give_memory(&auth_verf, data, sizeof(data), False);
332 if (!smb_io_rpc_hdr_auth("auth_hdr", &rhdr_auth, &auth_verf, 0)) {
333 DEBUG(0, ("rpc_auth_pipe: Could not parse schannel auth header\n"));
337 if ((rhdr_auth.auth_type != NETSEC_AUTH_TYPE) ||
338 (rhdr_auth.auth_level != NETSEC_AUTH_LEVEL)) {
339 DEBUG(0, ("rpc_auth_pipe: Got wrong schannel auth type/level: %d/%d\n",
340 rhdr_auth.auth_type, rhdr_auth.auth_level));
344 if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign", &chk, &auth_verf, 0)) {
345 DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling "
346 "RPC_AUTH_NETSECK_CHK failed\n"));
350 cli->auth_info.seq_num++;
352 if (!netsec_decode(&cli->auth_info, &chk, reply_data, data_len)) {
353 DEBUG(0, ("rpc_auth_pipe: Could not decode schannel\n"));
356 *pauth_padding_len = rhdr_auth.padding;
362 /****************************************************************************
363 Send data on an rpc pipe via trans, which *must* be the last fragment.
364 receive response data from an rpc pipe, which may be large...
366 Read the first fragment: unfortunately have to use SMBtrans for the first
367 bit, then SMBreadX for subsequent bits.
369 If first fragment received also wasn't the last fragment, continue
370 getting fragments until we _do_ receive the last fragment.
372 Request/Response PDU's look like the following...
374 |<------------------PDU len----------------------------------------------->|
375 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
377 +------------+-----------------+-------------+---------------+-------------+
378 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
379 +------------+-----------------+-------------+---------------+-------------+
381 Where the presence of the AUTH_HDR and AUTH are dependent on the
382 signing & sealing being negotiated.
384 ****************************************************************************/
386 static BOOL rpc_api_pipe(struct cli_state *cli, prs_struct *data, prs_struct *rdata)
390 uint32 rparam_len = 0;
395 char *pdata = data ? prs_data_p(data) : NULL;
396 uint32 data_len = data ? prs_offset(data) : 0;
398 uint32 rdata_len = 0;
399 uint32 current_offset = 0;
400 uint32 fragment_start = 0;
401 uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : 1024;
403 /* Create setup parameters - must be in native byte order. */
405 setup[0] = TRANSACT_DCERPCCMD;
406 setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
408 DEBUG(5,("rpc_api_pipe: fnum:%x\n", (int)cli->nt_pipe_fnum));
410 /* Send the RPC request and receive a response. For short RPC
411 calls (about 1024 bytes or so) the RPC request and response
412 appears in a SMBtrans request and response. Larger RPC
413 responses are received further on. */
415 if (!cli_api_pipe(cli, "\\PIPE\\",
416 setup, 2, 0, /* Setup, length, max */
417 NULL, 0, 0, /* Params, length, max */
418 pdata, data_len, max_data, /* data, length, max */
419 &rparam, &rparam_len, /* return params, len */
420 &prdata, &rdata_len)) /* return data, len */
422 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
426 /* Throw away returned params - we know we won't use them. */
430 if (prdata == NULL) {
431 DEBUG(0,("rpc_api_pipe: pipe %x failed to return data.\n",
432 (int)cli->nt_pipe_fnum));
437 * Give this memory as dynamically allocated to the return parse
441 prs_give_memory(rdata, prdata, rdata_len, True);
442 current_offset = rdata_len;
444 /* This next call sets the endian bit correctly in rdata. */
446 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
451 if (rhdr.pkt_type == RPC_BINDACK) {
452 if (!last && !first) {
453 DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
459 if (rhdr.pkt_type == RPC_RESPONSE) {
460 RPC_HDR_RESP rhdr_resp;
461 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
462 DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
468 DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
469 (unsigned int)len, (unsigned int)rdata_len ));
471 /* check if data to be sent back was too large for one SMBtrans */
472 /* err status is only informational: the _real_ check is on the
476 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
478 /* Read the remaining part of the first response fragment */
480 if (!rpc_read(cli, rdata, len, ¤t_offset)) {
487 * Now we have a complete PDU, check the auth struct if any was sent.
490 if (rhdr.auth_len != 0) {
491 int auth_padding_len = 0;
493 if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
494 rhdr.auth_len, &auth_padding_len))
497 * Drop the auth footers from the current offset.
498 * We need this if there are more fragments.
499 * The auth footers consist of the auth_data and the
500 * preceeding 8 byte auth_header.
502 current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
506 * Only one rpc fragment, and it has been read.
510 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
515 * Read more fragments using SMBreadX until we get one with the
520 RPC_HDR_RESP rhdr_resp;
522 char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
528 * First read the header of the next PDU.
531 prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
532 prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
534 num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
535 if (cli_is_dos_error(cli)) {
536 cli_dos_error(cli, &eclass, &ecode);
537 if (eclass != ERRDOS && ecode != ERRmoredata) {
538 DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
543 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
545 if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
546 DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
547 RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
551 /* This call sets the endianness in hps. */
553 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
556 /* Ensure the endianness in rdata is set correctly - must be same as hps. */
558 if (hps.bigendian_data != rdata->bigendian_data) {
559 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
560 rdata->bigendian_data ? "big" : "little",
561 hps.bigendian_data ? "big" : "little" ));
565 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
566 DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
571 DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
576 * Now read the rest of the PDU.
579 if (!rpc_read(cli, rdata, len, ¤t_offset))
582 fragment_start = current_offset - len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
585 * Verify any authentication footer.
588 if (rhdr.auth_len != 0 ) {
589 int auth_padding_len = 0;
591 if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
592 rhdr.auth_len, &auth_padding_len))
595 * Drop the auth footers from the current offset.
596 * The auth footers consist of the auth_data and the
597 * preceeding 8 byte auth_header.
598 * We need this if there are more fragments.
600 current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
607 /*******************************************************************
608 creates a DCE/RPC bind request
610 - initialises the parse structure.
611 - dynamically allocates the header data structure
612 - caller is expected to free the header data structure once used.
614 ********************************************************************/
616 static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, BOOL do_netsec, uint32 rpc_call_id,
617 RPC_IFACE *abstract, RPC_IFACE *transfer,
618 const char *my_name, const char *domain, uint32 neg_flags)
623 prs_struct auth_info;
626 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
629 RPC_HDR_AUTH hdr_auth;
630 RPC_AUTH_VERIFIER auth_verifier;
631 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
634 * Create the auth structs we will marshall.
637 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1);
638 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE);
639 init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain);
642 * Use the 4k buffer to store the auth info.
645 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
648 * Now marshall the data into the temporary parse_struct.
651 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
652 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
656 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
657 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n"));
661 if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) {
662 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n"));
666 /* Auth len in the rpc header doesn't include auth_header. */
667 auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
671 RPC_HDR_AUTH hdr_auth;
672 RPC_AUTH_NETSEC_NEG netsec_neg;
675 * Create the auth structs we will marshall.
678 init_rpc_hdr_auth(&hdr_auth, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL,
680 init_rpc_auth_netsec_neg(&netsec_neg, domain, my_name);
683 * Use the 4k buffer to store the auth info.
686 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
689 * Now marshall the data into the temporary parse_struct.
692 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
693 DEBUG(0,("Failed to marshall RPC_HDR_AUTH.\n"));
697 if(!smb_io_rpc_auth_netsec_neg("netsec_neg",
698 &netsec_neg, &auth_info, 0)) {
699 DEBUG(0,("Failed to marshall RPC_AUTH_NETSEC_NEG.\n"));
703 /* Auth len in the rpc header doesn't include auth_header. */
704 auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
707 /* create the request RPC_HDR */
708 init_rpc_hdr(&hdr, RPC_BIND, 0x3, rpc_call_id,
709 RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
712 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
713 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
717 /* create the bind request RPC_HDR_RB */
718 init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
719 0x1, 0x0, 0x1, abstract, transfer);
721 /* Marshall the bind request data */
722 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
723 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
728 * Grow the outgoing buffer to store any auth info.
731 if(hdr.auth_len != 0) {
732 if(!prs_append_prs_data( rpc_out, &auth_info)) {
733 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
741 /*******************************************************************
742 Creates a DCE/RPC bind authentication response.
743 This is the packet that is sent back to the server once we
744 have received a BIND-ACK, to finish the third leg of
745 the authentication handshake.
746 ********************************************************************/
748 static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
749 const char *domain, const char *user_name, const char *my_name,
750 uint32 ntlmssp_cli_flgs,
754 unsigned char lm_owf[24];
755 unsigned char nt_owf[24];
757 RPC_HDR_AUTHA hdr_autha;
758 RPC_AUTH_VERIFIER auth_verifier;
759 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
761 prs_struct auth_info;
764 * Marshall the variable length data into a temporary parse
765 * struct, pointing into a 4k local buffer.
767 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
770 * Use the 4k buffer to store the auth info.
773 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
776 * Create the variable length auth_data.
779 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH);
781 pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf);
783 init_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
785 domain, user_name, my_name,
789 * Marshall the variable length auth_data into a temp parse_struct.
792 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
793 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n"));
797 if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) {
798 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n"));
802 /* Create the request RPC_HDR */
803 init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
804 RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info),
805 prs_offset(&auth_info) );
808 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
809 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
813 /* Create the request RPC_HDR_AUTHA */
814 init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
815 NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00);
817 if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
818 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
823 * Append the auth data to the outgoing buffer.
826 if(!prs_append_prs_data(rpc_out, &auth_info)) {
827 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
835 /*******************************************************************
836 Creates a DCE/RPC request.
837 ********************************************************************/
839 static uint32 create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len, uint8 flags, uint32 oldid, uint32 data_left)
844 uint32 callid = oldid ? oldid : get_rpc_call_id();
846 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
848 /* create the rpc header RPC_HDR */
849 init_rpc_hdr(&hdr, RPC_REQUEST, flags,
850 callid, data_len, auth_len);
853 * The alloc hint should be the amount of data, not including
854 * RPC headers & footers.
858 alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
860 alloc_hint = data_len - RPC_HEADER_LEN;
862 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
863 data_len, auth_len, alloc_hint));
865 /* Create the rpc request RPC_HDR_REQ */
866 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
869 if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0))
872 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
875 if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
881 /*******************************************************************
882 Puts an NTLMSSP auth header into an rpc request.
883 ********************************************************************/
885 static BOOL create_ntlmssp_auth_hdr(prs_struct *outgoing_packet, BOOL auth_verify)
887 RPC_HDR_AUTH hdr_auth;
889 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE,
890 NTLMSSP_AUTH_LEVEL, 0x08,
891 (auth_verify ? 1 : 0));
892 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth,
893 outgoing_packet, 0)) {
894 DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
900 /*******************************************************************
901 Puts a NETLOGON schannel auth header into an rpc request.
902 ********************************************************************/
904 static BOOL create_netsec_auth_hdr(prs_struct *outgoing_packet, int padding)
906 RPC_HDR_AUTH hdr_auth;
908 init_rpc_hdr_auth(&hdr_auth, NETSEC_AUTH_TYPE,
909 NETSEC_AUTH_LEVEL, padding, 1);
910 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth,
911 outgoing_packet, 0)) {
912 DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
918 /*******************************************************************
919 Puts auth data into an rpc request.
920 ********************************************************************/
922 static BOOL create_auth_data(struct cli_state *cli, uint32 crc32,
923 prs_struct *outgoing_packet)
925 char *pdata_out = prs_data_p(outgoing_packet);
926 RPC_AUTH_NTLMSSP_CHK chk;
927 uint32 current_offset = prs_offset(outgoing_packet);
929 init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION,
930 crc32, cli->ntlmssp_seq_num++);
931 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk,
932 outgoing_packet, 0)) {
933 DEBUG(0,("create_auth_data: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n"));
936 NTLMSSPcalc_ap(cli, (unsigned char*)
937 &pdata_out[current_offset+4],
938 RPC_AUTH_NTLMSSP_CHK_LEN - 4);
943 * Send a request on an RPC pipe and get a response.
945 * @param data NDR contents of the request to be sent.
946 * @param rdata Unparsed NDR response data.
949 BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
950 prs_struct *data, prs_struct *rdata)
952 uint32 auth_len, max_data, data_left, data_sent;
954 BOOL auth_verify, auth_seal, auth_schannel;
957 auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
958 auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
959 auth_schannel = (cli->saved_netlogon_pipe_fnum != 0);
964 auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
967 auth_len = RPC_AUTH_NETSEC_CHK_LEN;
970 * calc how much actual data we can send in a PDU fragment
972 max_data = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
973 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len - 8;
975 for (data_left = prs_offset(data), data_sent = 0; data_left > 0;) {
976 prs_struct outgoing_packet;
977 uint32 data_len, send_size;
981 uint32 auth_padding = 0;
982 RPC_AUTH_NETSEC_CHK verf;
985 * how much will we send this time
987 send_size = MIN(data_left, max_data);
990 * NT expects the data that is sealed to be 8-byte
991 * aligned. The padding must be encrypted as well and
992 * taken into account when generating the
993 * authentication verifier. The amount of padding must
994 * be stored in the auth header.
998 auth_padding = 8 - (send_size & 7);
1000 data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + send_size +
1001 ((auth_verify|auth_schannel) ? RPC_HDR_AUTH_LEN : 0) +
1002 auth_len + auth_padding;
1005 * Malloc parse struct to hold it (and enough for alignments).
1007 if(!prs_init(&outgoing_packet, data_len + 8,
1008 cli->mem_ctx, MARSHALL)) {
1009 DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
1013 if (data_left == prs_offset(data))
1014 flags |= RPC_FLG_FIRST;
1016 if (data_left < max_data)
1017 flags |= RPC_FLG_LAST;
1019 * Write out the RPC header and the request header.
1021 if(!(callid = create_rpc_request(&outgoing_packet, op_num,
1022 data_len, auth_len, flags,
1023 callid, data_left))) {
1024 DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
1025 prs_mem_free(&outgoing_packet);
1030 * Seal the outgoing data if requested.
1033 crc32 = crc32_calc_buffer(prs_data_p(data) + data_sent,
1035 NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data) +
1036 data_sent, send_size);
1040 * Now copy the data into the outgoing packet.
1043 if (auth_schannel) {
1044 static const uchar netsec_sig[8] = NETSEC_SIGNATURE;
1045 static const uchar nullbytes[8] = { 0,0,0,0,0,0,0,0 };
1047 prs_struct netsec_blob;
1049 if ((cli->auth_info.seq_num & 1) != 0) {
1050 DEBUG(0,("SCHANNEL ERROR: seq_num must be even in client (seq_num=%d)\n",
1051 cli->auth_info.seq_num));
1054 DEBUG(10,("SCHANNEL seq_num=%d\n", cli->auth_info.seq_num));
1056 RSIVAL(sign, 0, cli->auth_info.seq_num);
1057 SIVAL(sign, 4, 0x80);
1059 if (!prs_init(&netsec_blob, send_size+auth_padding,
1060 cli->mem_ctx, MARSHALL)) {
1061 DEBUG(0,("Could not malloc %u bytes",
1062 send_size+auth_padding));
1063 prs_mem_free(&outgoing_packet);
1067 if(!prs_append_some_prs_data(&netsec_blob, data,
1068 data_sent, send_size)) {
1069 DEBUG(0,("Failed to append data to netsec blob\n"));
1070 prs_mem_free(&outgoing_packet);
1074 netsec_blob.align = 8;
1076 if (!prs_align(&netsec_blob)) {
1077 DEBUG(0,("Could not align netsec blob\n"));
1078 prs_mem_free(&outgoing_packet);
1082 init_rpc_auth_netsec_chk(&verf, netsec_sig, nullbytes,
1085 netsec_encode(&cli->auth_info, &verf,
1086 prs_data_p(&netsec_blob),
1087 prs_data_size(&netsec_blob));
1089 prs_append_prs_data(&outgoing_packet, &netsec_blob);
1090 prs_mem_free(&netsec_blob);
1092 cli->auth_info.seq_num++;
1095 if(!prs_append_some_prs_data(&outgoing_packet, data,
1096 data_sent, send_size)) {
1097 DEBUG(0,("rpc_api_pipe_req: Failed to append "
1098 "data to outgoing packet.\n"));
1099 prs_mem_free(&outgoing_packet);
1105 * Add a trailing auth_verifier if needed.
1107 if (auth_seal || auth_verify) {
1108 if(!create_ntlmssp_auth_hdr(&outgoing_packet, auth_verify)) {
1109 prs_mem_free(&outgoing_packet);
1115 * Finally the auth data itself.
1118 if (!create_auth_data(cli, crc32, &outgoing_packet)) {
1119 prs_mem_free(&outgoing_packet);
1124 if (auth_schannel) {
1126 if (!create_netsec_auth_hdr(&outgoing_packet,
1128 prs_mem_free(&outgoing_packet);
1132 if (!smb_io_rpc_auth_netsec_chk("", &verf,
1133 &outgoing_packet, 0)) {
1134 prs_mem_free(&outgoing_packet);
1139 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len,
1140 prs_offset(&outgoing_packet)));
1142 if (flags & RPC_FLG_LAST)
1143 ret = rpc_api_pipe(cli, &outgoing_packet, rdata);
1145 cli_write(cli, cli->nt_pipe_fnum, 0x0008,
1146 prs_data_p(&outgoing_packet),
1147 data_sent, data_len);
1149 prs_mem_free(&outgoing_packet);
1150 data_sent += send_size;
1151 data_left -= send_size;
1153 /* Also capture received data */
1154 slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
1155 cli_pipe_get_name(cli));
1156 prs_dump(dump_name, op_num, rdata);
1161 /****************************************************************************
1162 Set the handle state.
1163 ****************************************************************************/
1165 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, const char *pipe_name, uint16 device_state)
1167 BOOL state_set = False;
1169 uint16 setup[2]; /* only need 2 uint16 setup parameters */
1170 char *rparam = NULL;
1172 uint32 rparam_len, rdata_len;
1174 if (pipe_name == NULL)
1177 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
1178 cli->nt_pipe_fnum, pipe_name, device_state));
1180 /* create parameters: device state */
1181 SSVAL(param, 0, device_state);
1183 /* create setup parameters. */
1185 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
1187 /* send the data on \PIPE\ */
1188 if (cli_api_pipe(cli, "\\PIPE\\",
1189 setup, 2, 0, /* setup, length, max */
1190 param, 2, 0, /* param, length, max */
1191 NULL, 0, 1024, /* data, length, max */
1192 &rparam, &rparam_len, /* return param, length */
1193 &rdata, &rdata_len)) /* return data, length */
1195 DEBUG(5, ("Set Handle state: return OK\n"));
1205 /****************************************************************************
1206 check the rpc bind acknowledge response
1207 ****************************************************************************/
1209 int get_pipe_index( const char *pipe_name )
1213 while (pipe_names[pipe_idx].client_pipe != NULL) {
1214 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
1223 /****************************************************************************
1224 check the rpc bind acknowledge response
1225 ****************************************************************************/
1227 const char* get_pipe_name_from_index( const int pipe_index )
1230 if ( (pipe_index < 0) || (pipe_index >= PI_MAX_PIPES) )
1233 return pipe_names[pipe_index].client_pipe;
1236 /****************************************************************************
1237 Check to see if this pipe index points to one of
1238 the pipes only supported by Win2k
1239 ****************************************************************************/
1241 BOOL is_win2k_pipe( const int pipe_idx )
1252 /****************************************************************************
1253 check the rpc bind acknowledge response
1254 ****************************************************************************/
1256 static BOOL valid_pipe_name(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
1258 if ( pipe_idx >= PI_MAX_PIPES ) {
1259 DEBUG(0,("valid_pipe_name: Programmer error! Invalid pipe index [%d]\n",
1264 DEBUG(5,("Bind Abstract Syntax: "));
1265 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
1266 sizeof(pipe_names[pipe_idx].abstr_syntax));
1267 DEBUG(5,("Bind Transfer Syntax: "));
1268 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
1269 sizeof(pipe_names[pipe_idx].trans_syntax));
1271 /* copy the required syntaxes out so we can do the right bind */
1273 *transfer = pipe_names[pipe_idx].trans_syntax;
1274 *abstract = pipe_names[pipe_idx].abstr_syntax;
1279 /****************************************************************************
1280 check the rpc bind acknowledge response
1281 ****************************************************************************/
1283 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
1287 if ( hdr_ba->addr.len <= 0)
1290 if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe ))
1292 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
1293 pipe_names[i].server_pipe ,hdr_ba->addr.str));
1297 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
1299 if (pipe_names[pipe_idx].server_pipe == NULL) {
1300 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
1304 /* check the transfer syntax */
1305 if ((hdr_ba->transfer.version != transfer->version) ||
1306 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1307 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1311 /* lkclXXXX only accept one result: check the result(s) */
1312 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
1313 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1314 hdr_ba->res.num_results, hdr_ba->res.reason));
1317 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
1321 /****************************************************************************
1322 Create and send the third packet in an RPC auth.
1323 ****************************************************************************/
1325 static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
1327 RPC_HDR_AUTH rhdr_auth;
1328 RPC_AUTH_VERIFIER rhdr_verf;
1329 RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
1330 char buffer[MAX_PDU_FRAG_LEN];
1334 unsigned char p24[24];
1335 unsigned char lm_owf[24];
1336 unsigned char lm_hash[16];
1338 if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) {
1339 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n"));
1342 if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) {
1343 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n"));
1346 if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) {
1347 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n"));
1351 cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
1353 pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
1355 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1357 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1359 create_rpc_bind_resp(&cli->pwd, cli->domain,
1360 cli->user_name, global_myname(),
1361 cli->ntlmssp_cli_flgs, rpc_call_id,
1364 pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
1365 pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
1367 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
1370 unsigned char j = 0;
1372 unsigned char k2[8];
1379 for (ind = 0; ind < 256; ind++)
1380 cli->ntlmssp_hash[ind] = (unsigned char)ind;
1382 for( ind = 0; ind < 256; ind++) {
1385 j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
1387 tc = cli->ntlmssp_hash[ind];
1388 cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
1389 cli->ntlmssp_hash[j] = tc;
1392 cli->ntlmssp_hash[256] = 0;
1393 cli->ntlmssp_hash[257] = 0;
1396 memset((char *)lm_hash, '\0', sizeof(lm_hash));
1398 if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out),
1399 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
1400 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
1404 cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
1408 /****************************************************************************
1410 ****************************************************************************/
1412 static BOOL rpc_pipe_bind(struct cli_state *cli, int pipe_idx, const char *my_name,
1419 BOOL do_auth = (cli->ntlmssp_cli_flgs != 0);
1421 char buffer[MAX_PDU_FRAG_LEN];
1423 if ( (pipe_idx < 0) || (pipe_idx >= PI_MAX_PIPES) )
1426 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_names[pipe_idx].client_pipe));
1428 if (!valid_pipe_name(pipe_idx, &abstract, &transfer))
1431 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1434 * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
1437 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1439 rpc_call_id = get_rpc_call_id();
1441 /* Marshall the outgoing data. */
1442 create_rpc_bind_req(&rpc_out, do_auth, do_netsec, rpc_call_id,
1443 &abstract, &transfer,
1444 global_myname(), cli->domain, cli->ntlmssp_cli_flgs);
1446 /* Initialize the incoming data struct. */
1447 prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
1449 /* send data on \PIPE\. receive a response */
1450 if (rpc_api_pipe(cli, &rpc_out, &rdata)) {
1453 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
1455 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
1456 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
1457 prs_mem_free(&rdata);
1461 if(!check_bind_response(&hdr_ba, pipe_idx, &transfer)) {
1462 DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
1463 prs_mem_free(&rdata);
1467 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
1468 cli->max_recv_frag = hdr_ba.bba.max_rsize;
1471 * If we're doing NTLMSSP auth we need to send a reply to
1472 * the bind-ack to complete the 3-way challenge response
1476 if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
1477 DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
1478 prs_mem_free(&rdata);
1483 prs_mem_free(&rdata);
1487 /****************************************************************************
1489 ****************************************************************************/
1491 BOOL cli_nt_session_open(struct cli_state *cli, const int pipe_idx)
1495 /* At the moment we can't have more than one pipe open over
1496 a cli connection. )-: */
1498 SMB_ASSERT(cli->nt_pipe_fnum == 0);
1500 /* The pipe index must fall within our array */
1502 SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
1504 if (cli->capabilities & CAP_NT_SMBS) {
1505 if ((fnum = cli_nt_create(cli, &pipe_names[pipe_idx].client_pipe[5], DESIRED_ACCESS_PIPE)) == -1) {
1506 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1507 &pipe_names[pipe_idx].client_pipe[5], cli->desthost, cli_errstr(cli)));
1511 cli->nt_pipe_fnum = (uint16)fnum;
1513 if ((fnum = cli_open(cli, pipe_names[pipe_idx].client_pipe, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1514 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1515 pipe_names[pipe_idx].client_pipe, cli->desthost, cli_errstr(cli)));
1519 cli->nt_pipe_fnum = (uint16)fnum;
1521 /**************** Set Named Pipe State ***************/
1522 if (!rpc_pipe_set_hnd_state(cli, pipe_names[pipe_idx].client_pipe, 0x4300)) {
1523 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1525 cli_close(cli, cli->nt_pipe_fnum);
1530 /******************* bind request on pipe *****************/
1532 if (!rpc_pipe_bind(cli, pipe_idx, global_myname(), False)) {
1533 DEBUG(2,("cli_nt_session_open: rpc bind to %s failed\n",
1534 get_pipe_name_from_index(pipe_idx)));
1535 cli_close(cli, cli->nt_pipe_fnum);
1540 * Setup the remote server name prefixed by \ and the machine account name.
1543 fstrcpy(cli->srv_name_slash, "\\\\");
1544 fstrcat(cli->srv_name_slash, cli->desthost);
1545 strupper(cli->srv_name_slash);
1547 fstrcpy(cli->clnt_name_slash, "\\\\");
1548 fstrcat(cli->clnt_name_slash, global_myname());
1549 strupper(cli->clnt_name_slash);
1551 fstrcpy(cli->mach_acct, global_myname());
1552 fstrcat(cli->mach_acct, "$");
1553 strupper(cli->mach_acct);
1555 /* Remember which pipe we're talking to */
1556 fstrcpy(cli->pipe_name, pipe_names[pipe_idx].client_pipe);
1562 /****************************************************************************
1563 Open a session to the NETLOGON pipe using schannel.
1564 ****************************************************************************/
1566 BOOL cli_nt_open_netlogon(struct cli_state *cli, const char *trust_password,
1570 uint32 neg_flags = 0x000001ff;
1573 if (lp_client_schannel() != False)
1574 neg_flags |= NETLOGON_NEG_SCHANNEL;
1577 if (!cli_nt_session_open(cli, PI_NETLOGON)) {
1581 if (!secrets_init()) {
1582 DEBUG(3,("Failed to init secrets.tdb\n"));
1586 result = cli_nt_setup_creds(cli, sec_chan, trust_password,
1589 if (!NT_STATUS_IS_OK(result)) {
1590 cli_nt_session_close(cli);
1594 if ((lp_client_schannel() == True) &&
1595 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
1597 DEBUG(3, ("Server did not offer schannel\n"));
1598 cli_nt_session_close(cli);
1602 if ((lp_client_schannel() == False) ||
1603 ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
1607 /* Server offered schannel, so try it. */
1609 cli->auth_info.seq_num = 0;
1610 memcpy(cli->auth_info.sess_key, cli->sess_key,
1611 sizeof(cli->auth_info.sess_key));
1613 cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
1615 if (cli->capabilities & CAP_NT_SMBS) {
1617 /* If we open \\PIPE\NETLOGON here, NT4SP6
1618 gives us an ACCESS_DENIED. Do I have to
1621 if ((fnum = cli_nt_create(cli, PIPE_NETLOGON_PLAIN,
1622 DESIRED_ACCESS_PIPE)) == -1) {
1623 DEBUG(0,("cli_nt_create failed to %s machine %s. "
1625 PIPE_NETLOGON, cli->desthost,
1630 cli->nt_pipe_fnum = (uint16)fnum;
1632 if ((fnum = cli_open(cli, PIPE_NETLOGON,
1633 O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1634 DEBUG(0,("cli_open failed on pipe %s to machine %s. "
1636 PIPE_NETLOGON, cli->desthost,
1641 cli->nt_pipe_fnum = (uint16)fnum;
1643 /**************** Set Named Pipe State ***************/
1644 if (!rpc_pipe_set_hnd_state(cli, PIPE_NETLOGON, 0x4300)) {
1645 DEBUG(0,("Pipe hnd state failed. Error was %s\n",
1647 cli_close(cli, cli->nt_pipe_fnum);
1652 if (!rpc_pipe_bind(cli, PI_NETLOGON, global_myname(), True)) {
1653 DEBUG(2,("rpc bind to %s failed\n", PIPE_NETLOGON));
1654 cli_close(cli, cli->nt_pipe_fnum);
1662 const char *cli_pipe_get_name(struct cli_state *cli)
1664 return cli->pipe_name;
1668 /****************************************************************************
1670 ****************************************************************************/
1672 void cli_nt_session_close(struct cli_state *cli)
1674 if (cli->saved_netlogon_pipe_fnum != 0) {
1675 cli_close(cli, cli->saved_netlogon_pipe_fnum);
1676 cli->saved_netlogon_pipe_fnum = 0;
1678 cli_close(cli, cli->nt_pipe_fnum);
1679 cli->nt_pipe_fnum = 0;