2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client routines
4 * Largely rewritten by Jeremy Allison 2005.
5 * Heavily modified by Simo Sorce 2010.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "librpc/gen_ndr/cli_epmapper.h"
23 #include "../librpc/gen_ndr/ndr_schannel.h"
24 #include "../librpc/gen_ndr/ndr_dssetup.h"
25 #include "../libcli/auth/schannel.h"
26 #include "../libcli/auth/spnego.h"
28 #include "../libcli/auth/ntlmssp.h"
29 #include "ntlmssp_wrap.h"
30 #include "librpc/gen_ndr/ndr_dcerpc.h"
31 #include "librpc/rpc/dcerpc.h"
32 #include "librpc/crypto/gse.h"
33 #include "librpc/crypto/spnego.h"
37 #define DBGC_CLASS DBGC_RPC_CLI
39 /********************************************************************
40 Pipe description for a DEBUG
41 ********************************************************************/
42 static const char *rpccli_pipe_txt(TALLOC_CTX *mem_ctx,
43 struct rpc_pipe_client *cli)
45 char *result = talloc_asprintf(mem_ctx, "host %s", cli->desthost);
52 /********************************************************************
54 ********************************************************************/
56 static uint32 get_rpc_call_id(void)
58 static uint32 call_id = 0;
62 /*******************************************************************
63 Use SMBreadX to get rest of one fragment's worth of rpc data.
64 Reads the whole size or give an error message
65 ********************************************************************/
67 struct rpc_read_state {
68 struct event_context *ev;
69 struct rpc_cli_transport *transport;
75 static void rpc_read_done(struct tevent_req *subreq);
77 static struct tevent_req *rpc_read_send(TALLOC_CTX *mem_ctx,
78 struct event_context *ev,
79 struct rpc_cli_transport *transport,
80 uint8_t *data, size_t size)
82 struct tevent_req *req, *subreq;
83 struct rpc_read_state *state;
85 req = tevent_req_create(mem_ctx, &state, struct rpc_read_state);
90 state->transport = transport;
95 DEBUG(5, ("rpc_read_send: data_to_read: %u\n", (unsigned int)size));
97 subreq = transport->read_send(state, ev, (uint8_t *)data, size,
102 tevent_req_set_callback(subreq, rpc_read_done, req);
110 static void rpc_read_done(struct tevent_req *subreq)
112 struct tevent_req *req = tevent_req_callback_data(
113 subreq, struct tevent_req);
114 struct rpc_read_state *state = tevent_req_data(
115 req, struct rpc_read_state);
119 status = state->transport->read_recv(subreq, &received);
121 if (!NT_STATUS_IS_OK(status)) {
122 tevent_req_nterror(req, status);
126 state->num_read += received;
127 if (state->num_read == state->size) {
128 tevent_req_done(req);
132 subreq = state->transport->read_send(state, state->ev,
133 state->data + state->num_read,
134 state->size - state->num_read,
135 state->transport->priv);
136 if (tevent_req_nomem(subreq, req)) {
139 tevent_req_set_callback(subreq, rpc_read_done, req);
142 static NTSTATUS rpc_read_recv(struct tevent_req *req)
144 return tevent_req_simple_recv_ntstatus(req);
147 struct rpc_write_state {
148 struct event_context *ev;
149 struct rpc_cli_transport *transport;
155 static void rpc_write_done(struct tevent_req *subreq);
157 static struct tevent_req *rpc_write_send(TALLOC_CTX *mem_ctx,
158 struct event_context *ev,
159 struct rpc_cli_transport *transport,
160 const uint8_t *data, size_t size)
162 struct tevent_req *req, *subreq;
163 struct rpc_write_state *state;
165 req = tevent_req_create(mem_ctx, &state, struct rpc_write_state);
170 state->transport = transport;
173 state->num_written = 0;
175 DEBUG(5, ("rpc_write_send: data_to_write: %u\n", (unsigned int)size));
177 subreq = transport->write_send(state, ev, data, size, transport->priv);
178 if (subreq == NULL) {
181 tevent_req_set_callback(subreq, rpc_write_done, req);
188 static void rpc_write_done(struct tevent_req *subreq)
190 struct tevent_req *req = tevent_req_callback_data(
191 subreq, struct tevent_req);
192 struct rpc_write_state *state = tevent_req_data(
193 req, struct rpc_write_state);
197 status = state->transport->write_recv(subreq, &written);
199 if (!NT_STATUS_IS_OK(status)) {
200 tevent_req_nterror(req, status);
204 state->num_written += written;
206 if (state->num_written == state->size) {
207 tevent_req_done(req);
211 subreq = state->transport->write_send(state, state->ev,
212 state->data + state->num_written,
213 state->size - state->num_written,
214 state->transport->priv);
215 if (tevent_req_nomem(subreq, req)) {
218 tevent_req_set_callback(subreq, rpc_write_done, req);
221 static NTSTATUS rpc_write_recv(struct tevent_req *req)
223 return tevent_req_simple_recv_ntstatus(req);
227 /****************************************************************************
228 Try and get a PDU's worth of data from current_pdu. If not, then read more
230 ****************************************************************************/
232 struct get_complete_frag_state {
233 struct event_context *ev;
234 struct rpc_pipe_client *cli;
239 static void get_complete_frag_got_header(struct tevent_req *subreq);
240 static void get_complete_frag_got_rest(struct tevent_req *subreq);
242 static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
243 struct event_context *ev,
244 struct rpc_pipe_client *cli,
247 struct tevent_req *req, *subreq;
248 struct get_complete_frag_state *state;
252 req = tevent_req_create(mem_ctx, &state,
253 struct get_complete_frag_state);
259 state->frag_len = RPC_HEADER_LEN;
262 received = pdu->length;
263 if (received < RPC_HEADER_LEN) {
264 if (!data_blob_realloc(mem_ctx, pdu, RPC_HEADER_LEN)) {
265 status = NT_STATUS_NO_MEMORY;
268 subreq = rpc_read_send(state, state->ev,
269 state->cli->transport,
270 pdu->data + received,
271 RPC_HEADER_LEN - received);
272 if (subreq == NULL) {
273 status = NT_STATUS_NO_MEMORY;
276 tevent_req_set_callback(subreq, get_complete_frag_got_header,
281 state->frag_len = dcerpc_get_frag_length(pdu);
284 * Ensure we have frag_len bytes of data.
286 if (received < state->frag_len) {
287 if (!data_blob_realloc(NULL, pdu, state->frag_len)) {
288 status = NT_STATUS_NO_MEMORY;
291 subreq = rpc_read_send(state, state->ev,
292 state->cli->transport,
293 pdu->data + received,
294 state->frag_len - received);
295 if (subreq == NULL) {
296 status = NT_STATUS_NO_MEMORY;
299 tevent_req_set_callback(subreq, get_complete_frag_got_rest,
304 status = NT_STATUS_OK;
306 if (NT_STATUS_IS_OK(status)) {
307 tevent_req_done(req);
309 tevent_req_nterror(req, status);
311 return tevent_req_post(req, ev);
314 static void get_complete_frag_got_header(struct tevent_req *subreq)
316 struct tevent_req *req = tevent_req_callback_data(
317 subreq, struct tevent_req);
318 struct get_complete_frag_state *state = tevent_req_data(
319 req, struct get_complete_frag_state);
322 status = rpc_read_recv(subreq);
324 if (!NT_STATUS_IS_OK(status)) {
325 tevent_req_nterror(req, status);
329 state->frag_len = dcerpc_get_frag_length(state->pdu);
331 if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
332 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
337 * We're here in this piece of code because we've read exactly
338 * RPC_HEADER_LEN bytes into state->pdu.
341 subreq = rpc_read_send(state, state->ev, state->cli->transport,
342 state->pdu->data + RPC_HEADER_LEN,
343 state->frag_len - RPC_HEADER_LEN);
344 if (tevent_req_nomem(subreq, req)) {
347 tevent_req_set_callback(subreq, get_complete_frag_got_rest, req);
350 static void get_complete_frag_got_rest(struct tevent_req *subreq)
352 struct tevent_req *req = tevent_req_callback_data(
353 subreq, struct tevent_req);
356 status = rpc_read_recv(subreq);
358 if (!NT_STATUS_IS_OK(status)) {
359 tevent_req_nterror(req, status);
362 tevent_req_done(req);
365 static NTSTATUS get_complete_frag_recv(struct tevent_req *req)
367 return tevent_req_simple_recv_ntstatus(req);
370 /****************************************************************************
371 Do basic authentication checks on an incoming pdu.
372 ****************************************************************************/
374 static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
375 struct rpc_pipe_client *cli,
376 struct ncacn_packet *pkt,
378 uint8_t expected_pkt_type,
380 DATA_BLOB *reply_pdu)
382 struct dcerpc_response *r;
383 NTSTATUS ret = NT_STATUS_OK;
387 * Point the return values at the real data including the RPC
388 * header. Just in case the caller wants it.
392 /* Ensure we have the correct type. */
393 switch (pkt->ptype) {
394 case DCERPC_PKT_ALTER_RESP:
395 case DCERPC_PKT_BIND_ACK:
397 /* Client code never receives this kind of packets */
401 case DCERPC_PKT_RESPONSE:
403 r = &pkt->u.response;
405 /* Here's where we deal with incoming sign/seal. */
406 ret = dcerpc_check_auth(cli->auth, pkt,
407 &r->stub_and_verifier,
408 DCERPC_RESPONSE_LENGTH,
410 if (!NT_STATUS_IS_OK(ret)) {
414 if (pkt->frag_length < DCERPC_RESPONSE_LENGTH + pad_len) {
415 return NT_STATUS_BUFFER_TOO_SMALL;
418 /* Point the return values at the NDR data. */
419 rdata->data = r->stub_and_verifier.data;
421 if (pkt->auth_length) {
422 /* We've already done integer wrap tests in
423 * dcerpc_check_auth(). */
424 rdata->length = r->stub_and_verifier.length
426 - DCERPC_AUTH_TRAILER_LENGTH
429 rdata->length = r->stub_and_verifier.length;
432 DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
433 (long unsigned int)pdu->length,
434 (long unsigned int)rdata->length,
435 (unsigned int)pad_len));
438 * If this is the first reply, and the allocation hint is
439 * reasonable, try and set up the reply_pdu DATA_BLOB to the
443 if ((reply_pdu->length == 0) &&
444 r->alloc_hint && (r->alloc_hint < 15*1024*1024)) {
445 if (!data_blob_realloc(mem_ctx, reply_pdu,
447 DEBUG(0, ("reply alloc hint %d too "
448 "large to allocate\n",
449 (int)r->alloc_hint));
450 return NT_STATUS_NO_MEMORY;
456 case DCERPC_PKT_BIND_NAK:
457 DEBUG(1, (__location__ ": Bind NACK received from %s!\n",
458 rpccli_pipe_txt(talloc_tos(), cli)));
459 /* Use this for now... */
460 return NT_STATUS_NETWORK_ACCESS_DENIED;
462 case DCERPC_PKT_FAULT:
464 DEBUG(1, (__location__ ": RPC fault code %s received "
466 dcerpc_errstr(talloc_tos(),
467 pkt->u.fault.status),
468 rpccli_pipe_txt(talloc_tos(), cli)));
470 if (NT_STATUS_IS_OK(NT_STATUS(pkt->u.fault.status))) {
471 return NT_STATUS_UNSUCCESSFUL;
473 return NT_STATUS(pkt->u.fault.status);
477 DEBUG(0, (__location__ "Unknown packet type %u received "
479 (unsigned int)pkt->ptype,
480 rpccli_pipe_txt(talloc_tos(), cli)));
481 return NT_STATUS_INVALID_INFO_CLASS;
484 if (pkt->ptype != expected_pkt_type) {
485 DEBUG(3, (__location__ ": Connection to %s got an unexpected "
486 "RPC packet type - %u, not %u\n",
487 rpccli_pipe_txt(talloc_tos(), cli),
488 pkt->ptype, expected_pkt_type));
489 return NT_STATUS_INVALID_INFO_CLASS;
492 /* Do this just before return - we don't want to modify any rpc header
493 data before now as we may have needed to do cryptographic actions on
496 if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
497 !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
498 DEBUG(5, (__location__ ": bug in server (AS/U?), setting "
499 "fragment first/last ON.\n"));
500 pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
506 /****************************************************************************
507 Call a remote api on an arbitrary pipe. takes param, data and setup buffers.
508 ****************************************************************************/
510 struct cli_api_pipe_state {
511 struct event_context *ev;
512 struct rpc_cli_transport *transport;
517 static void cli_api_pipe_trans_done(struct tevent_req *subreq);
518 static void cli_api_pipe_write_done(struct tevent_req *subreq);
519 static void cli_api_pipe_read_done(struct tevent_req *subreq);
521 static struct tevent_req *cli_api_pipe_send(TALLOC_CTX *mem_ctx,
522 struct event_context *ev,
523 struct rpc_cli_transport *transport,
524 uint8_t *data, size_t data_len,
525 uint32_t max_rdata_len)
527 struct tevent_req *req, *subreq;
528 struct cli_api_pipe_state *state;
531 req = tevent_req_create(mem_ctx, &state, struct cli_api_pipe_state);
536 state->transport = transport;
538 if (max_rdata_len < RPC_HEADER_LEN) {
540 * For a RPC reply we always need at least RPC_HEADER_LEN
541 * bytes. We check this here because we will receive
542 * RPC_HEADER_LEN bytes in cli_trans_sock_send_done.
544 status = NT_STATUS_INVALID_PARAMETER;
548 if (transport->trans_send != NULL) {
549 subreq = transport->trans_send(state, ev, data, data_len,
550 max_rdata_len, transport->priv);
551 if (subreq == NULL) {
554 tevent_req_set_callback(subreq, cli_api_pipe_trans_done, req);
559 * If the transport does not provide a "trans" routine, i.e. for
560 * example the ncacn_ip_tcp transport, do the write/read step here.
563 subreq = rpc_write_send(state, ev, transport, data, data_len);
564 if (subreq == NULL) {
567 tevent_req_set_callback(subreq, cli_api_pipe_write_done, req);
571 tevent_req_nterror(req, status);
572 return tevent_req_post(req, ev);
578 static void cli_api_pipe_trans_done(struct tevent_req *subreq)
580 struct tevent_req *req = tevent_req_callback_data(
581 subreq, struct tevent_req);
582 struct cli_api_pipe_state *state = tevent_req_data(
583 req, struct cli_api_pipe_state);
586 status = state->transport->trans_recv(subreq, state, &state->rdata,
589 if (!NT_STATUS_IS_OK(status)) {
590 tevent_req_nterror(req, status);
593 tevent_req_done(req);
596 static void cli_api_pipe_write_done(struct tevent_req *subreq)
598 struct tevent_req *req = tevent_req_callback_data(
599 subreq, struct tevent_req);
600 struct cli_api_pipe_state *state = tevent_req_data(
601 req, struct cli_api_pipe_state);
604 status = rpc_write_recv(subreq);
606 if (!NT_STATUS_IS_OK(status)) {
607 tevent_req_nterror(req, status);
611 state->rdata = TALLOC_ARRAY(state, uint8_t, RPC_HEADER_LEN);
612 if (tevent_req_nomem(state->rdata, req)) {
617 * We don't need to use rpc_read_send here, the upper layer will cope
618 * with a short read, transport->trans_send could also return less
619 * than state->max_rdata_len.
621 subreq = state->transport->read_send(state, state->ev, state->rdata,
623 state->transport->priv);
624 if (tevent_req_nomem(subreq, req)) {
627 tevent_req_set_callback(subreq, cli_api_pipe_read_done, req);
630 static void cli_api_pipe_read_done(struct tevent_req *subreq)
632 struct tevent_req *req = tevent_req_callback_data(
633 subreq, struct tevent_req);
634 struct cli_api_pipe_state *state = tevent_req_data(
635 req, struct cli_api_pipe_state);
639 status = state->transport->read_recv(subreq, &received);
641 if (!NT_STATUS_IS_OK(status)) {
642 tevent_req_nterror(req, status);
645 state->rdata_len = received;
646 tevent_req_done(req);
649 static NTSTATUS cli_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
650 uint8_t **prdata, uint32_t *prdata_len)
652 struct cli_api_pipe_state *state = tevent_req_data(
653 req, struct cli_api_pipe_state);
656 if (tevent_req_is_nterror(req, &status)) {
660 *prdata = talloc_move(mem_ctx, &state->rdata);
661 *prdata_len = state->rdata_len;
665 /****************************************************************************
666 Send data on an rpc pipe via trans. The data must be the last
667 pdu fragment of an NDR data stream.
669 Receive response data from an rpc pipe, which may be large...
671 Read the first fragment: unfortunately have to use SMBtrans for the first
672 bit, then SMBreadX for subsequent bits.
674 If first fragment received also wasn't the last fragment, continue
675 getting fragments until we _do_ receive the last fragment.
677 Request/Response PDU's look like the following...
679 |<------------------PDU len----------------------------------------------->|
680 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
682 +------------+-----------------+-------------+---------------+-------------+
683 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
684 +------------+-----------------+-------------+---------------+-------------+
686 Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
687 signing & sealing being negotiated.
689 ****************************************************************************/
691 struct rpc_api_pipe_state {
692 struct event_context *ev;
693 struct rpc_pipe_client *cli;
694 uint8_t expected_pkt_type;
696 DATA_BLOB incoming_frag;
697 struct ncacn_packet *pkt;
701 size_t reply_pdu_offset;
705 static void rpc_api_pipe_trans_done(struct tevent_req *subreq);
706 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq);
707 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq);
709 static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,
710 struct event_context *ev,
711 struct rpc_pipe_client *cli,
712 DATA_BLOB *data, /* Outgoing PDU */
713 uint8_t expected_pkt_type)
715 struct tevent_req *req, *subreq;
716 struct rpc_api_pipe_state *state;
717 uint16_t max_recv_frag;
720 req = tevent_req_create(mem_ctx, &state, struct rpc_api_pipe_state);
726 state->expected_pkt_type = expected_pkt_type;
727 state->incoming_frag = data_blob_null;
728 state->reply_pdu = data_blob_null;
729 state->reply_pdu_offset = 0;
730 state->endianess = DCERPC_DREP_LE;
733 * Ensure we're not sending too much.
735 if (data->length > cli->max_xmit_frag) {
736 status = NT_STATUS_INVALID_PARAMETER;
740 DEBUG(5,("rpc_api_pipe: %s\n", rpccli_pipe_txt(talloc_tos(), cli)));
742 if (state->expected_pkt_type == DCERPC_PKT_AUTH3) {
743 subreq = rpc_write_send(state, ev, cli->transport,
744 data->data, data->length);
745 if (subreq == NULL) {
748 tevent_req_set_callback(subreq, rpc_api_pipe_auth3_done, req);
752 /* get the header first, then fetch the rest once we have
753 * the frag_length available */
754 max_recv_frag = RPC_HEADER_LEN;
756 subreq = cli_api_pipe_send(state, ev, cli->transport,
757 data->data, data->length, max_recv_frag);
758 if (subreq == NULL) {
761 tevent_req_set_callback(subreq, rpc_api_pipe_trans_done, req);
765 tevent_req_nterror(req, status);
766 return tevent_req_post(req, ev);
772 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq)
774 struct tevent_req *req =
775 tevent_req_callback_data(subreq,
779 status = rpc_write_recv(subreq);
781 if (!NT_STATUS_IS_OK(status)) {
782 tevent_req_nterror(req, status);
786 tevent_req_done(req);
789 static void rpc_api_pipe_trans_done(struct tevent_req *subreq)
791 struct tevent_req *req = tevent_req_callback_data(
792 subreq, struct tevent_req);
793 struct rpc_api_pipe_state *state = tevent_req_data(
794 req, struct rpc_api_pipe_state);
796 uint8_t *rdata = NULL;
797 uint32_t rdata_len = 0;
799 status = cli_api_pipe_recv(subreq, state, &rdata, &rdata_len);
801 if (!NT_STATUS_IS_OK(status)) {
802 DEBUG(5, ("cli_api_pipe failed: %s\n", nt_errstr(status)));
803 tevent_req_nterror(req, status);
808 DEBUG(3,("rpc_api_pipe: %s failed to return data.\n",
809 rpccli_pipe_txt(talloc_tos(), state->cli)));
810 tevent_req_done(req);
815 * Move data on state->incoming_frag.
817 state->incoming_frag.data = talloc_move(state, &rdata);
818 state->incoming_frag.length = rdata_len;
819 if (!state->incoming_frag.data) {
820 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
824 /* Ensure we have enough data for a pdu. */
825 subreq = get_complete_frag_send(state, state->ev, state->cli,
826 &state->incoming_frag);
827 if (tevent_req_nomem(subreq, req)) {
830 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
833 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
835 struct tevent_req *req = tevent_req_callback_data(
836 subreq, struct tevent_req);
837 struct rpc_api_pipe_state *state = tevent_req_data(
838 req, struct rpc_api_pipe_state);
840 DATA_BLOB rdata = data_blob_null;
842 status = get_complete_frag_recv(subreq);
844 if (!NT_STATUS_IS_OK(status)) {
845 DEBUG(5, ("get_complete_frag failed: %s\n",
847 tevent_req_nterror(req, status);
851 state->pkt = talloc(state, struct ncacn_packet);
853 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
857 status = dcerpc_pull_ncacn_packet(state->pkt,
858 &state->incoming_frag,
861 if (!NT_STATUS_IS_OK(status)) {
862 tevent_req_nterror(req, status);
866 if (state->incoming_frag.length != state->pkt->frag_length) {
867 DEBUG(5, ("Incorrect pdu length %u, expected %u\n",
868 (unsigned int)state->incoming_frag.length,
869 (unsigned int)state->pkt->frag_length));
870 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
874 status = cli_pipe_validate_current_pdu(state,
875 state->cli, state->pkt,
876 &state->incoming_frag,
877 state->expected_pkt_type,
881 DEBUG(10,("rpc_api_pipe: got frag len of %u at offset %u: %s\n",
882 (unsigned)state->incoming_frag.length,
883 (unsigned)state->reply_pdu_offset,
886 if (!NT_STATUS_IS_OK(status)) {
887 tevent_req_nterror(req, status);
891 if ((state->pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST)
892 && (state->pkt->drep[0] != DCERPC_DREP_LE)) {
894 * Set the data type correctly for big-endian data on the
897 DEBUG(10,("rpc_api_pipe: On %s PDU data format is "
899 rpccli_pipe_txt(talloc_tos(), state->cli)));
900 state->endianess = 0x00; /* BIG ENDIAN */
903 * Check endianness on subsequent packets.
905 if (state->endianess != state->pkt->drep[0]) {
906 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to "
908 state->endianess?"little":"big",
909 state->pkt->drep[0]?"little":"big"));
910 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
914 /* Now copy the data portion out of the pdu into rbuf. */
915 if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
916 if (!data_blob_realloc(NULL, &state->reply_pdu,
917 state->reply_pdu_offset + rdata.length)) {
918 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
923 memcpy(state->reply_pdu.data + state->reply_pdu_offset,
924 rdata.data, rdata.length);
925 state->reply_pdu_offset += rdata.length;
927 /* reset state->incoming_frag, there is no need to free it,
928 * it will be reallocated to the right size the next time
930 state->incoming_frag.length = 0;
932 if (state->pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
933 /* make sure the pdu length is right now that we
934 * have all the data available (alloc hint may
935 * have allocated more than was actually used) */
936 state->reply_pdu.length = state->reply_pdu_offset;
937 DEBUG(10,("rpc_api_pipe: %s returned %u bytes.\n",
938 rpccli_pipe_txt(talloc_tos(), state->cli),
939 (unsigned)state->reply_pdu.length));
940 tevent_req_done(req);
944 subreq = get_complete_frag_send(state, state->ev, state->cli,
945 &state->incoming_frag);
946 if (tevent_req_nomem(subreq, req)) {
949 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
952 static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
953 struct ncacn_packet **pkt,
954 DATA_BLOB *reply_pdu)
956 struct rpc_api_pipe_state *state = tevent_req_data(
957 req, struct rpc_api_pipe_state);
960 if (tevent_req_is_nterror(req, &status)) {
964 /* return data to caller and assign it ownership of memory */
966 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
967 reply_pdu->length = state->reply_pdu.length;
968 state->reply_pdu.length = 0;
970 data_blob_free(&state->reply_pdu);
974 *pkt = talloc_steal(mem_ctx, state->pkt);
980 /*******************************************************************
981 Creates spnego auth bind.
982 ********************************************************************/
984 static NTSTATUS create_spnego_auth_bind_req(TALLOC_CTX *mem_ctx,
985 struct pipe_auth_data *auth,
986 DATA_BLOB *auth_token)
988 struct spnego_context *spnego_ctx;
989 DATA_BLOB in_token = data_blob_null;
992 spnego_ctx = talloc_get_type_abort(auth->auth_ctx,
993 struct spnego_context);
995 /* Negotiate the initial auth token */
996 status = spnego_get_client_auth_token(mem_ctx, spnego_ctx,
997 &in_token, auth_token);
998 if (!NT_STATUS_IS_OK(status)) {
1002 DEBUG(5, ("Created GSS Authentication Token:\n"));
1003 dump_data(5, auth_token->data, auth_token->length);
1005 return NT_STATUS_OK;
1008 /*******************************************************************
1009 Creates krb5 auth bind.
1010 ********************************************************************/
1012 static NTSTATUS create_gssapi_auth_bind_req(TALLOC_CTX *mem_ctx,
1013 struct pipe_auth_data *auth,
1014 DATA_BLOB *auth_token)
1016 struct gse_context *gse_ctx;
1017 DATA_BLOB in_token = data_blob_null;
1020 gse_ctx = talloc_get_type_abort(auth->auth_ctx,
1021 struct gse_context);
1023 /* Negotiate the initial auth token */
1024 status = gse_get_client_auth_token(mem_ctx, gse_ctx,
1027 if (!NT_STATUS_IS_OK(status)) {
1031 DEBUG(5, ("Created GSS Authentication Token:\n"));
1032 dump_data(5, auth_token->data, auth_token->length);
1034 return NT_STATUS_OK;
1037 /*******************************************************************
1038 Creates NTLMSSP auth bind.
1039 ********************************************************************/
1041 static NTSTATUS create_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1042 DATA_BLOB *auth_token)
1044 struct auth_ntlmssp_state *ntlmssp_ctx;
1045 DATA_BLOB null_blob = data_blob_null;
1048 ntlmssp_ctx = talloc_get_type_abort(cli->auth->auth_ctx,
1049 struct auth_ntlmssp_state);
1051 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
1052 status = auth_ntlmssp_update(ntlmssp_ctx, null_blob, auth_token);
1054 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1055 data_blob_free(auth_token);
1059 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1060 dump_data(5, auth_token->data, auth_token->length);
1062 return NT_STATUS_OK;
1065 /*******************************************************************
1066 Creates schannel auth bind.
1067 ********************************************************************/
1069 static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1070 DATA_BLOB *auth_token)
1073 struct NL_AUTH_MESSAGE r;
1075 /* Use lp_workgroup() if domain not specified */
1077 if (!cli->auth->domain || !cli->auth->domain[0]) {
1078 cli->auth->domain = talloc_strdup(cli, lp_workgroup());
1079 if (cli->auth->domain == NULL) {
1080 return NT_STATUS_NO_MEMORY;
1085 * Now marshall the data into the auth parse_struct.
1088 r.MessageType = NL_NEGOTIATE_REQUEST;
1089 r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
1090 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
1091 r.oem_netbios_domain.a = cli->auth->domain;
1092 r.oem_netbios_computer.a = global_myname();
1094 status = dcerpc_push_schannel_bind(cli, &r, auth_token);
1095 if (!NT_STATUS_IS_OK(status)) {
1099 return NT_STATUS_OK;
1102 /*******************************************************************
1103 Creates the internals of a DCE/RPC bind request or alter context PDU.
1104 ********************************************************************/
1106 static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
1107 enum dcerpc_pkt_type ptype,
1109 const struct ndr_syntax_id *abstract,
1110 const struct ndr_syntax_id *transfer,
1111 const DATA_BLOB *auth_info,
1114 uint16 auth_len = auth_info->length;
1116 union dcerpc_payload u;
1117 struct dcerpc_ctx_list ctx_list;
1120 auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
1123 ctx_list.context_id = 0;
1124 ctx_list.num_transfer_syntaxes = 1;
1125 ctx_list.abstract_syntax = *abstract;
1126 ctx_list.transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer);
1128 u.bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1129 u.bind.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1130 u.bind.assoc_group_id = 0x0;
1131 u.bind.num_contexts = 1;
1132 u.bind.ctx_list = &ctx_list;
1133 u.bind.auth_info = *auth_info;
1135 status = dcerpc_push_ncacn_packet(mem_ctx,
1137 DCERPC_PFC_FLAG_FIRST |
1138 DCERPC_PFC_FLAG_LAST,
1143 if (!NT_STATUS_IS_OK(status)) {
1144 DEBUG(0, ("Failed to marshall bind/alter ncacn_packet.\n"));
1148 return NT_STATUS_OK;
1151 /*******************************************************************
1152 Creates a DCE/RPC bind request.
1153 ********************************************************************/
1155 static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
1156 struct rpc_pipe_client *cli,
1157 struct pipe_auth_data *auth,
1159 const struct ndr_syntax_id *abstract,
1160 const struct ndr_syntax_id *transfer,
1163 DATA_BLOB auth_token = data_blob_null;
1164 DATA_BLOB auth_info = data_blob_null;
1165 NTSTATUS ret = NT_STATUS_OK;
1167 switch (auth->auth_type) {
1168 case DCERPC_AUTH_TYPE_SCHANNEL:
1169 ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
1170 if (!NT_STATUS_IS_OK(ret)) {
1175 case DCERPC_AUTH_TYPE_NTLMSSP:
1176 ret = create_ntlmssp_auth_rpc_bind_req(cli, &auth_token);
1177 if (!NT_STATUS_IS_OK(ret)) {
1182 case DCERPC_AUTH_TYPE_SPNEGO:
1183 ret = create_spnego_auth_bind_req(cli, auth, &auth_token);
1184 if (!NT_STATUS_IS_OK(ret)) {
1189 case DCERPC_AUTH_TYPE_KRB5:
1190 ret = create_gssapi_auth_bind_req(mem_ctx, auth, &auth_token);
1191 if (!NT_STATUS_IS_OK(ret)) {
1196 case DCERPC_AUTH_TYPE_NONE:
1200 /* "Can't" happen. */
1201 return NT_STATUS_INVALID_INFO_CLASS;
1204 if (auth_token.length != 0) {
1205 ret = dcerpc_push_dcerpc_auth(cli,
1208 0, /* auth_pad_length */
1209 1, /* auth_context_id */
1212 if (!NT_STATUS_IS_OK(ret)) {
1215 data_blob_free(&auth_token);
1218 ret = create_bind_or_alt_ctx_internal(mem_ctx,
1228 /*******************************************************************
1230 Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
1231 Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
1232 and deals with signing/sealing details.
1233 ********************************************************************/
1235 struct rpc_api_pipe_req_state {
1236 struct event_context *ev;
1237 struct rpc_pipe_client *cli;
1240 DATA_BLOB *req_data;
1241 uint32_t req_data_sent;
1243 DATA_BLOB reply_pdu;
1246 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
1247 static void rpc_api_pipe_req_done(struct tevent_req *subreq);
1248 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1249 bool *is_last_frag);
1251 struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
1252 struct event_context *ev,
1253 struct rpc_pipe_client *cli,
1255 DATA_BLOB *req_data)
1257 struct tevent_req *req, *subreq;
1258 struct rpc_api_pipe_req_state *state;
1262 req = tevent_req_create(mem_ctx, &state,
1263 struct rpc_api_pipe_req_state);
1269 state->op_num = op_num;
1270 state->req_data = req_data;
1271 state->req_data_sent = 0;
1272 state->call_id = get_rpc_call_id();
1273 state->reply_pdu = data_blob_null;
1274 state->rpc_out = data_blob_null;
1276 if (cli->max_xmit_frag < DCERPC_REQUEST_LENGTH
1277 + RPC_MAX_SIGN_SIZE) {
1278 /* Server is screwed up ! */
1279 status = NT_STATUS_INVALID_PARAMETER;
1283 status = prepare_next_frag(state, &is_last_frag);
1284 if (!NT_STATUS_IS_OK(status)) {
1289 subreq = rpc_api_pipe_send(state, ev, state->cli,
1291 DCERPC_PKT_RESPONSE);
1292 if (subreq == NULL) {
1295 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1297 subreq = rpc_write_send(state, ev, cli->transport,
1298 state->rpc_out.data,
1299 state->rpc_out.length);
1300 if (subreq == NULL) {
1303 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1309 tevent_req_nterror(req, status);
1310 return tevent_req_post(req, ev);
1316 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1319 size_t data_sent_thistime;
1326 union dcerpc_payload u;
1328 data_left = state->req_data->length - state->req_data_sent;
1330 status = dcerpc_guess_sizes(state->cli->auth,
1331 DCERPC_REQUEST_LENGTH, data_left,
1332 state->cli->max_xmit_frag,
1333 CLIENT_NDR_PADDING_SIZE,
1334 &data_sent_thistime,
1335 &frag_len, &auth_len, &pad_len);
1336 if (!NT_STATUS_IS_OK(status)) {
1340 if (state->req_data_sent == 0) {
1341 flags = DCERPC_PFC_FLAG_FIRST;
1344 if (data_sent_thistime == data_left) {
1345 flags |= DCERPC_PFC_FLAG_LAST;
1348 data_blob_free(&state->rpc_out);
1350 ZERO_STRUCT(u.request);
1352 u.request.alloc_hint = state->req_data->length;
1353 u.request.context_id = 0;
1354 u.request.opnum = state->op_num;
1356 status = dcerpc_push_ncacn_packet(state,
1363 if (!NT_STATUS_IS_OK(status)) {
1367 /* explicitly set frag_len here as dcerpc_push_ncacn_packet() can't
1368 * compute it right for requests because the auth trailer is missing
1370 dcerpc_set_frag_length(&state->rpc_out, frag_len);
1372 /* Copy in the data. */
1373 if (!data_blob_append(NULL, &state->rpc_out,
1374 state->req_data->data + state->req_data_sent,
1375 data_sent_thistime)) {
1376 return NT_STATUS_NO_MEMORY;
1379 switch (state->cli->auth->auth_level) {
1380 case DCERPC_AUTH_LEVEL_NONE:
1381 case DCERPC_AUTH_LEVEL_CONNECT:
1382 case DCERPC_AUTH_LEVEL_PACKET:
1384 case DCERPC_AUTH_LEVEL_INTEGRITY:
1385 case DCERPC_AUTH_LEVEL_PRIVACY:
1386 status = dcerpc_add_auth_footer(state->cli->auth, pad_len,
1388 if (!NT_STATUS_IS_OK(status)) {
1393 return NT_STATUS_INVALID_PARAMETER;
1396 state->req_data_sent += data_sent_thistime;
1397 *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
1402 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq)
1404 struct tevent_req *req = tevent_req_callback_data(
1405 subreq, struct tevent_req);
1406 struct rpc_api_pipe_req_state *state = tevent_req_data(
1407 req, struct rpc_api_pipe_req_state);
1411 status = rpc_write_recv(subreq);
1412 TALLOC_FREE(subreq);
1413 if (!NT_STATUS_IS_OK(status)) {
1414 tevent_req_nterror(req, status);
1418 status = prepare_next_frag(state, &is_last_frag);
1419 if (!NT_STATUS_IS_OK(status)) {
1420 tevent_req_nterror(req, status);
1425 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1427 DCERPC_PKT_RESPONSE);
1428 if (tevent_req_nomem(subreq, req)) {
1431 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1433 subreq = rpc_write_send(state, state->ev,
1434 state->cli->transport,
1435 state->rpc_out.data,
1436 state->rpc_out.length);
1437 if (tevent_req_nomem(subreq, req)) {
1440 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1445 static void rpc_api_pipe_req_done(struct tevent_req *subreq)
1447 struct tevent_req *req = tevent_req_callback_data(
1448 subreq, struct tevent_req);
1449 struct rpc_api_pipe_req_state *state = tevent_req_data(
1450 req, struct rpc_api_pipe_req_state);
1453 status = rpc_api_pipe_recv(subreq, state, NULL, &state->reply_pdu);
1454 TALLOC_FREE(subreq);
1455 if (!NT_STATUS_IS_OK(status)) {
1456 tevent_req_nterror(req, status);
1459 tevent_req_done(req);
1462 NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
1463 DATA_BLOB *reply_pdu)
1465 struct rpc_api_pipe_req_state *state = tevent_req_data(
1466 req, struct rpc_api_pipe_req_state);
1469 if (tevent_req_is_nterror(req, &status)) {
1471 * We always have to initialize to reply pdu, even if there is
1472 * none. The rpccli_* caller routines expect this.
1474 *reply_pdu = data_blob_null;
1478 /* return data to caller and assign it ownership of memory */
1479 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
1480 reply_pdu->length = state->reply_pdu.length;
1481 state->reply_pdu.length = 0;
1483 return NT_STATUS_OK;
1486 /****************************************************************************
1487 Check the rpc bind acknowledge response.
1488 ****************************************************************************/
1490 static bool check_bind_response(const struct dcerpc_bind_ack *r,
1491 const struct ndr_syntax_id *transfer)
1493 struct dcerpc_ack_ctx ctx;
1495 if (r->secondary_address_size == 0) {
1496 DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
1499 if (r->num_results < 1 || !r->ctx_list) {
1503 ctx = r->ctx_list[0];
1505 /* check the transfer syntax */
1506 if ((ctx.syntax.if_version != transfer->if_version) ||
1507 (memcmp(&ctx.syntax.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1508 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1512 if (r->num_results != 0x1 || ctx.result != 0) {
1513 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1514 r->num_results, ctx.reason));
1517 DEBUG(5,("check_bind_response: accepted!\n"));
1521 /*******************************************************************
1522 Creates a DCE/RPC bind authentication response.
1523 This is the packet that is sent back to the server once we
1524 have received a BIND-ACK, to finish the third leg of
1525 the authentication handshake.
1526 ********************************************************************/
1528 static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
1529 struct rpc_pipe_client *cli,
1531 enum dcerpc_AuthType auth_type,
1532 enum dcerpc_AuthLevel auth_level,
1533 DATA_BLOB *pauth_blob,
1537 union dcerpc_payload u;
1541 status = dcerpc_push_dcerpc_auth(mem_ctx,
1544 0, /* auth_pad_length */
1545 1, /* auth_context_id */
1547 &u.auth3.auth_info);
1548 if (!NT_STATUS_IS_OK(status)) {
1552 status = dcerpc_push_ncacn_packet(mem_ctx,
1554 DCERPC_PFC_FLAG_FIRST |
1555 DCERPC_PFC_FLAG_LAST,
1560 data_blob_free(&u.auth3.auth_info);
1561 if (!NT_STATUS_IS_OK(status)) {
1562 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
1566 return NT_STATUS_OK;
1569 /*******************************************************************
1570 Creates a DCE/RPC bind alter context authentication request which
1571 may contain a spnego auth blobl
1572 ********************************************************************/
1574 static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
1575 enum dcerpc_AuthType auth_type,
1576 enum dcerpc_AuthLevel auth_level,
1578 const struct ndr_syntax_id *abstract,
1579 const struct ndr_syntax_id *transfer,
1580 const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
1583 DATA_BLOB auth_info;
1586 status = dcerpc_push_dcerpc_auth(mem_ctx,
1589 0, /* auth_pad_length */
1590 1, /* auth_context_id */
1593 if (!NT_STATUS_IS_OK(status)) {
1597 status = create_bind_or_alt_ctx_internal(mem_ctx,
1604 data_blob_free(&auth_info);
1608 /****************************************************************************
1610 ****************************************************************************/
1612 struct rpc_pipe_bind_state {
1613 struct event_context *ev;
1614 struct rpc_pipe_client *cli;
1617 uint32_t rpc_call_id;
1620 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
1621 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1622 struct rpc_pipe_bind_state *state,
1623 DATA_BLOB *credentials);
1624 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1625 struct rpc_pipe_bind_state *state,
1626 DATA_BLOB *credentials);
1628 struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
1629 struct event_context *ev,
1630 struct rpc_pipe_client *cli,
1631 struct pipe_auth_data *auth)
1633 struct tevent_req *req, *subreq;
1634 struct rpc_pipe_bind_state *state;
1637 req = tevent_req_create(mem_ctx, &state, struct rpc_pipe_bind_state);
1642 DEBUG(5,("Bind RPC Pipe: %s auth_type %u, auth_level %u\n",
1643 rpccli_pipe_txt(talloc_tos(), cli),
1644 (unsigned int)auth->auth_type,
1645 (unsigned int)auth->auth_level ));
1649 state->rpc_call_id = get_rpc_call_id();
1651 cli->auth = talloc_move(cli, &auth);
1653 /* Marshall the outgoing data. */
1654 status = create_rpc_bind_req(state, cli,
1657 &cli->abstract_syntax,
1658 &cli->transfer_syntax,
1661 if (!NT_STATUS_IS_OK(status)) {
1665 subreq = rpc_api_pipe_send(state, ev, cli, &state->rpc_out,
1666 DCERPC_PKT_BIND_ACK);
1667 if (subreq == NULL) {
1670 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1674 tevent_req_nterror(req, status);
1675 return tevent_req_post(req, ev);
1681 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
1683 struct tevent_req *req = tevent_req_callback_data(
1684 subreq, struct tevent_req);
1685 struct rpc_pipe_bind_state *state = tevent_req_data(
1686 req, struct rpc_pipe_bind_state);
1687 struct pipe_auth_data *pauth = state->cli->auth;
1688 struct auth_ntlmssp_state *ntlmssp_ctx;
1689 struct spnego_context *spnego_ctx;
1690 struct gse_context *gse_ctx;
1691 struct ncacn_packet *pkt;
1692 struct dcerpc_auth auth;
1693 DATA_BLOB auth_token = data_blob_null;
1696 status = rpc_api_pipe_recv(subreq, talloc_tos(), &pkt, NULL);
1697 TALLOC_FREE(subreq);
1698 if (!NT_STATUS_IS_OK(status)) {
1699 DEBUG(3, ("rpc_pipe_bind: %s bind request returned %s\n",
1700 rpccli_pipe_txt(talloc_tos(), state->cli),
1701 nt_errstr(status)));
1702 tevent_req_nterror(req, status);
1707 tevent_req_done(req);
1711 if (!check_bind_response(&pkt->u.bind_ack, &state->cli->transfer_syntax)) {
1712 DEBUG(2, ("rpc_pipe_bind: check_bind_response failed.\n"));
1713 tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
1717 state->cli->max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
1718 state->cli->max_recv_frag = pkt->u.bind_ack.max_recv_frag;
1720 switch(pauth->auth_type) {
1722 case DCERPC_AUTH_TYPE_NONE:
1723 case DCERPC_AUTH_TYPE_SCHANNEL:
1724 /* Bind complete. */
1725 tevent_req_done(req);
1728 case DCERPC_AUTH_TYPE_NTLMSSP:
1729 case DCERPC_AUTH_TYPE_SPNEGO:
1730 case DCERPC_AUTH_TYPE_KRB5:
1731 /* Paranoid lenght checks */
1732 if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
1733 + pkt->auth_length) {
1734 tevent_req_nterror(req,
1735 NT_STATUS_INFO_LENGTH_MISMATCH);
1738 /* get auth credentials */
1739 status = dcerpc_pull_dcerpc_auth(talloc_tos(),
1740 &pkt->u.bind_ack.auth_info,
1742 if (!NT_STATUS_IS_OK(status)) {
1743 DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
1744 nt_errstr(status)));
1745 tevent_req_nterror(req, status);
1755 * For authenticated binds we may need to do 3 or 4 leg binds.
1758 switch(pauth->auth_type) {
1760 case DCERPC_AUTH_TYPE_NONE:
1761 case DCERPC_AUTH_TYPE_SCHANNEL:
1762 /* Bind complete. */
1763 tevent_req_done(req);
1766 case DCERPC_AUTH_TYPE_NTLMSSP:
1767 ntlmssp_ctx = talloc_get_type_abort(pauth->auth_ctx,
1768 struct auth_ntlmssp_state);
1769 status = auth_ntlmssp_update(ntlmssp_ctx,
1770 auth.credentials, &auth_token);
1771 if (NT_STATUS_EQUAL(status,
1772 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1773 status = rpc_bind_next_send(req, state,
1775 } else if (NT_STATUS_IS_OK(status)) {
1776 status = rpc_bind_finish_send(req, state,
1781 case DCERPC_AUTH_TYPE_SPNEGO:
1782 spnego_ctx = talloc_get_type_abort(pauth->auth_ctx,
1783 struct spnego_context);
1784 status = spnego_get_client_auth_token(state,
1788 if (!NT_STATUS_IS_OK(status)) {
1791 if (auth_token.length == 0) {
1792 /* Bind complete. */
1793 tevent_req_done(req);
1796 if (spnego_require_more_processing(spnego_ctx)) {
1797 status = rpc_bind_next_send(req, state,
1800 status = rpc_bind_finish_send(req, state,
1805 case DCERPC_AUTH_TYPE_KRB5:
1806 gse_ctx = talloc_get_type_abort(pauth->auth_ctx,
1807 struct gse_context);
1808 status = gse_get_client_auth_token(state,
1812 if (!NT_STATUS_IS_OK(status)) {
1816 if (gse_require_more_processing(gse_ctx)) {
1817 status = rpc_bind_next_send(req, state, &auth_token);
1819 status = rpc_bind_finish_send(req, state, &auth_token);
1827 if (!NT_STATUS_IS_OK(status)) {
1828 tevent_req_nterror(req, status);
1833 DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n",
1834 (unsigned int)state->cli->auth->auth_type));
1835 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
1838 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1839 struct rpc_pipe_bind_state *state,
1840 DATA_BLOB *auth_token)
1842 struct pipe_auth_data *auth = state->cli->auth;
1843 struct tevent_req *subreq;
1846 /* Now prepare the alter context pdu. */
1847 data_blob_free(&state->rpc_out);
1849 status = create_rpc_alter_context(state,
1853 &state->cli->abstract_syntax,
1854 &state->cli->transfer_syntax,
1857 if (!NT_STATUS_IS_OK(status)) {
1861 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1862 &state->rpc_out, DCERPC_PKT_ALTER_RESP);
1863 if (subreq == NULL) {
1864 return NT_STATUS_NO_MEMORY;
1866 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1867 return NT_STATUS_OK;
1870 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1871 struct rpc_pipe_bind_state *state,
1872 DATA_BLOB *auth_token)
1874 struct pipe_auth_data *auth = state->cli->auth;
1875 struct tevent_req *subreq;
1878 state->auth3 = true;
1880 /* Now prepare the auth3 context pdu. */
1881 data_blob_free(&state->rpc_out);
1883 status = create_rpc_bind_auth3(state, state->cli,
1889 if (!NT_STATUS_IS_OK(status)) {
1893 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1894 &state->rpc_out, DCERPC_PKT_AUTH3);
1895 if (subreq == NULL) {
1896 return NT_STATUS_NO_MEMORY;
1898 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1899 return NT_STATUS_OK;
1902 NTSTATUS rpc_pipe_bind_recv(struct tevent_req *req)
1904 return tevent_req_simple_recv_ntstatus(req);
1907 NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
1908 struct pipe_auth_data *auth)
1910 TALLOC_CTX *frame = talloc_stackframe();
1911 struct event_context *ev;
1912 struct tevent_req *req;
1913 NTSTATUS status = NT_STATUS_OK;
1915 ev = event_context_init(frame);
1917 status = NT_STATUS_NO_MEMORY;
1921 req = rpc_pipe_bind_send(frame, ev, cli, auth);
1923 status = NT_STATUS_NO_MEMORY;
1927 if (!tevent_req_poll(req, ev)) {
1928 status = map_nt_error_from_unix(errno);
1932 status = rpc_pipe_bind_recv(req);
1938 #define RPCCLI_DEFAULT_TIMEOUT 10000 /* 10 seconds. */
1940 unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli,
1941 unsigned int timeout)
1945 if (rpc_cli->transport == NULL) {
1946 return RPCCLI_DEFAULT_TIMEOUT;
1949 if (rpc_cli->transport->set_timeout == NULL) {
1950 return RPCCLI_DEFAULT_TIMEOUT;
1953 old = rpc_cli->transport->set_timeout(rpc_cli->transport->priv, timeout);
1955 return RPCCLI_DEFAULT_TIMEOUT;
1961 bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli)
1963 if (rpc_cli == NULL) {
1967 if (rpc_cli->transport == NULL) {
1971 return rpc_cli->transport->is_connected(rpc_cli->transport->priv);
1974 struct rpccli_bh_state {
1975 struct rpc_pipe_client *rpc_cli;
1978 static bool rpccli_bh_is_connected(struct dcerpc_binding_handle *h)
1980 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
1981 struct rpccli_bh_state);
1983 return rpccli_is_connected(hs->rpc_cli);
1986 static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
1989 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
1990 struct rpccli_bh_state);
1992 return rpccli_set_timeout(hs->rpc_cli, timeout);
1995 struct rpccli_bh_raw_call_state {
2001 static void rpccli_bh_raw_call_done(struct tevent_req *subreq);
2003 static struct tevent_req *rpccli_bh_raw_call_send(TALLOC_CTX *mem_ctx,
2004 struct tevent_context *ev,
2005 struct dcerpc_binding_handle *h,
2006 const struct GUID *object,
2009 const uint8_t *in_data,
2012 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2013 struct rpccli_bh_state);
2014 struct tevent_req *req;
2015 struct rpccli_bh_raw_call_state *state;
2017 struct tevent_req *subreq;
2019 req = tevent_req_create(mem_ctx, &state,
2020 struct rpccli_bh_raw_call_state);
2024 state->in_data.data = discard_const_p(uint8_t, in_data);
2025 state->in_data.length = in_length;
2027 ok = rpccli_bh_is_connected(h);
2029 tevent_req_nterror(req, NT_STATUS_INVALID_CONNECTION);
2030 return tevent_req_post(req, ev);
2033 subreq = rpc_api_pipe_req_send(state, ev, hs->rpc_cli,
2034 opnum, &state->in_data);
2035 if (tevent_req_nomem(subreq, req)) {
2036 return tevent_req_post(req, ev);
2038 tevent_req_set_callback(subreq, rpccli_bh_raw_call_done, req);
2043 static void rpccli_bh_raw_call_done(struct tevent_req *subreq)
2045 struct tevent_req *req =
2046 tevent_req_callback_data(subreq,
2048 struct rpccli_bh_raw_call_state *state =
2049 tevent_req_data(req,
2050 struct rpccli_bh_raw_call_state);
2053 state->out_flags = 0;
2055 /* TODO: support bigendian responses */
2057 status = rpc_api_pipe_req_recv(subreq, state, &state->out_data);
2058 TALLOC_FREE(subreq);
2059 if (!NT_STATUS_IS_OK(status)) {
2060 tevent_req_nterror(req, status);
2064 tevent_req_done(req);
2067 static NTSTATUS rpccli_bh_raw_call_recv(struct tevent_req *req,
2068 TALLOC_CTX *mem_ctx,
2071 uint32_t *out_flags)
2073 struct rpccli_bh_raw_call_state *state =
2074 tevent_req_data(req,
2075 struct rpccli_bh_raw_call_state);
2078 if (tevent_req_is_nterror(req, &status)) {
2079 tevent_req_received(req);
2083 *out_data = talloc_move(mem_ctx, &state->out_data.data);
2084 *out_length = state->out_data.length;
2085 *out_flags = state->out_flags;
2086 tevent_req_received(req);
2087 return NT_STATUS_OK;
2090 struct rpccli_bh_disconnect_state {
2094 static struct tevent_req *rpccli_bh_disconnect_send(TALLOC_CTX *mem_ctx,
2095 struct tevent_context *ev,
2096 struct dcerpc_binding_handle *h)
2098 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2099 struct rpccli_bh_state);
2100 struct tevent_req *req;
2101 struct rpccli_bh_disconnect_state *state;
2104 req = tevent_req_create(mem_ctx, &state,
2105 struct rpccli_bh_disconnect_state);
2110 ok = rpccli_bh_is_connected(h);
2112 tevent_req_nterror(req, NT_STATUS_INVALID_CONNECTION);
2113 return tevent_req_post(req, ev);
2117 * TODO: do a real async disconnect ...
2119 * For now the caller needs to free rpc_cli
2123 tevent_req_done(req);
2124 return tevent_req_post(req, ev);
2127 static NTSTATUS rpccli_bh_disconnect_recv(struct tevent_req *req)
2131 if (tevent_req_is_nterror(req, &status)) {
2132 tevent_req_received(req);
2136 tevent_req_received(req);
2137 return NT_STATUS_OK;
2140 static bool rpccli_bh_ref_alloc(struct dcerpc_binding_handle *h)
2145 static void rpccli_bh_do_ndr_print(struct dcerpc_binding_handle *h,
2147 const void *_struct_ptr,
2148 const struct ndr_interface_call *call)
2150 void *struct_ptr = discard_const(_struct_ptr);
2152 if (DEBUGLEVEL < 10) {
2156 if (ndr_flags & NDR_IN) {
2157 ndr_print_function_debug(call->ndr_print,
2162 if (ndr_flags & NDR_OUT) {
2163 ndr_print_function_debug(call->ndr_print,
2170 static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
2172 .is_connected = rpccli_bh_is_connected,
2173 .set_timeout = rpccli_bh_set_timeout,
2174 .raw_call_send = rpccli_bh_raw_call_send,
2175 .raw_call_recv = rpccli_bh_raw_call_recv,
2176 .disconnect_send = rpccli_bh_disconnect_send,
2177 .disconnect_recv = rpccli_bh_disconnect_recv,
2179 .ref_alloc = rpccli_bh_ref_alloc,
2180 .do_ndr_print = rpccli_bh_do_ndr_print,
2183 /* initialise a rpc_pipe_client binding handle */
2184 static struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c)
2186 struct dcerpc_binding_handle *h;
2187 struct rpccli_bh_state *hs;
2189 h = dcerpc_binding_handle_create(c,
2194 struct rpccli_bh_state,
2204 bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
2206 struct auth_ntlmssp_state *a = NULL;
2207 struct cli_state *cli;
2209 if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
2210 a = talloc_get_type_abort(rpc_cli->auth->auth_ctx,
2211 struct auth_ntlmssp_state);
2212 } else if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2213 struct spnego_context *spnego_ctx;
2214 enum spnego_mech auth_type;
2218 spnego_ctx = talloc_get_type_abort(rpc_cli->auth->auth_ctx,
2219 struct spnego_context);
2220 status = spnego_get_negotiated_mech(spnego_ctx,
2221 &auth_type, &auth_ctx);
2222 if (!NT_STATUS_IS_OK(status)) {
2226 if (auth_type == SPNEGO_NTLMSSP) {
2227 a = talloc_get_type_abort(auth_ctx,
2228 struct auth_ntlmssp_state);
2233 memcpy(nt_hash, auth_ntlmssp_get_nt_hash(a), 16);
2237 cli = rpc_pipe_np_smb_conn(rpc_cli);
2241 E_md4hash(cli->password ? cli->password : "", nt_hash);
2245 NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
2246 struct pipe_auth_data **presult)
2248 struct pipe_auth_data *result;
2250 result = talloc(mem_ctx, struct pipe_auth_data);
2251 if (result == NULL) {
2252 return NT_STATUS_NO_MEMORY;
2255 result->auth_type = DCERPC_AUTH_TYPE_NONE;
2256 result->auth_level = DCERPC_AUTH_LEVEL_NONE;
2258 result->user_name = talloc_strdup(result, "");
2259 result->domain = talloc_strdup(result, "");
2260 if ((result->user_name == NULL) || (result->domain == NULL)) {
2261 TALLOC_FREE(result);
2262 return NT_STATUS_NO_MEMORY;
2266 return NT_STATUS_OK;
2269 static int cli_auth_ntlmssp_data_destructor(struct pipe_auth_data *auth)
2271 TALLOC_FREE(auth->auth_ctx);
2275 static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
2276 enum dcerpc_AuthType auth_type,
2277 enum dcerpc_AuthLevel auth_level,
2279 const char *username,
2280 const char *password,
2281 struct pipe_auth_data **presult)
2283 struct auth_ntlmssp_state *ntlmssp_ctx;
2284 struct pipe_auth_data *result;
2287 result = talloc(mem_ctx, struct pipe_auth_data);
2288 if (result == NULL) {
2289 return NT_STATUS_NO_MEMORY;
2292 result->auth_type = auth_type;
2293 result->auth_level = auth_level;
2295 result->user_name = talloc_strdup(result, username);
2296 result->domain = talloc_strdup(result, domain);
2297 if ((result->user_name == NULL) || (result->domain == NULL)) {
2298 status = NT_STATUS_NO_MEMORY;
2302 status = auth_ntlmssp_client_start(NULL,
2305 lp_client_ntlmv2_auth(),
2307 if (!NT_STATUS_IS_OK(status)) {
2311 talloc_set_destructor(result, cli_auth_ntlmssp_data_destructor);
2313 status = auth_ntlmssp_set_username(ntlmssp_ctx, username);
2314 if (!NT_STATUS_IS_OK(status)) {
2318 status = auth_ntlmssp_set_domain(ntlmssp_ctx, domain);
2319 if (!NT_STATUS_IS_OK(status)) {
2323 status = auth_ntlmssp_set_password(ntlmssp_ctx, password);
2324 if (!NT_STATUS_IS_OK(status)) {
2329 * Turn off sign+seal to allow selected auth level to turn it back on.
2331 auth_ntlmssp_and_flags(ntlmssp_ctx, ~(NTLMSSP_NEGOTIATE_SIGN |
2332 NTLMSSP_NEGOTIATE_SEAL));
2334 if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
2335 auth_ntlmssp_or_flags(ntlmssp_ctx, NTLMSSP_NEGOTIATE_SIGN);
2336 } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
2337 auth_ntlmssp_or_flags(ntlmssp_ctx, NTLMSSP_NEGOTIATE_SEAL |
2338 NTLMSSP_NEGOTIATE_SIGN);
2341 result->auth_ctx = ntlmssp_ctx;
2343 return NT_STATUS_OK;
2346 TALLOC_FREE(result);
2350 NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
2351 enum dcerpc_AuthLevel auth_level,
2352 struct netlogon_creds_CredentialState *creds,
2353 struct pipe_auth_data **presult)
2355 struct schannel_state *schannel_auth;
2356 struct pipe_auth_data *result;
2358 result = talloc(mem_ctx, struct pipe_auth_data);
2359 if (result == NULL) {
2360 return NT_STATUS_NO_MEMORY;
2363 result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
2364 result->auth_level = auth_level;
2366 result->user_name = talloc_strdup(result, "");
2367 result->domain = talloc_strdup(result, domain);
2368 if ((result->user_name == NULL) || (result->domain == NULL)) {
2372 schannel_auth = talloc(result, struct schannel_state);
2373 if (schannel_auth == NULL) {
2377 schannel_auth->state = SCHANNEL_STATE_START;
2378 schannel_auth->seq_num = 0;
2379 schannel_auth->initiator = true;
2380 schannel_auth->creds = netlogon_creds_copy(result, creds);
2382 result->auth_ctx = schannel_auth;
2384 return NT_STATUS_OK;
2387 TALLOC_FREE(result);
2388 return NT_STATUS_NO_MEMORY;
2392 * Create an rpc pipe client struct, connecting to a tcp port.
2394 static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
2396 const struct ndr_syntax_id *abstract_syntax,
2397 struct rpc_pipe_client **presult)
2399 struct rpc_pipe_client *result;
2400 struct sockaddr_storage addr;
2404 result = TALLOC_ZERO_P(mem_ctx, struct rpc_pipe_client);
2405 if (result == NULL) {
2406 return NT_STATUS_NO_MEMORY;
2409 result->abstract_syntax = *abstract_syntax;
2410 result->transfer_syntax = ndr_transfer_syntax;
2412 result->desthost = talloc_strdup(result, host);
2413 result->srv_name_slash = talloc_asprintf_strupper_m(
2414 result, "\\\\%s", result->desthost);
2415 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2416 status = NT_STATUS_NO_MEMORY;
2420 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2421 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2423 if (!resolve_name(host, &addr, 0, false)) {
2424 status = NT_STATUS_NOT_FOUND;
2428 status = open_socket_out(&addr, port, 60, &fd);
2429 if (!NT_STATUS_IS_OK(status)) {
2432 set_socket_options(fd, lp_socket_options());
2434 status = rpc_transport_sock_init(result, fd, &result->transport);
2435 if (!NT_STATUS_IS_OK(status)) {
2440 result->transport->transport = NCACN_IP_TCP;
2442 result->binding_handle = rpccli_bh_create(result);
2443 if (result->binding_handle == NULL) {
2444 TALLOC_FREE(result);
2445 return NT_STATUS_NO_MEMORY;
2449 return NT_STATUS_OK;
2452 TALLOC_FREE(result);
2457 * Determine the tcp port on which a dcerpc interface is listening
2458 * for the ncacn_ip_tcp transport via the endpoint mapper of the
2461 static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
2462 const struct ndr_syntax_id *abstract_syntax,
2466 struct rpc_pipe_client *epm_pipe = NULL;
2467 struct dcerpc_binding_handle *epm_handle = NULL;
2468 struct pipe_auth_data *auth = NULL;
2469 struct dcerpc_binding *map_binding = NULL;
2470 struct dcerpc_binding *res_binding = NULL;
2471 struct epm_twr_t *map_tower = NULL;
2472 struct epm_twr_t *res_towers = NULL;
2473 struct policy_handle *entry_handle = NULL;
2474 uint32_t num_towers = 0;
2475 uint32_t max_towers = 1;
2476 struct epm_twr_p_t towers;
2477 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2478 uint32_t result = 0;
2480 if (pport == NULL) {
2481 status = NT_STATUS_INVALID_PARAMETER;
2485 /* open the connection to the endpoint mapper */
2486 status = rpc_pipe_open_tcp_port(tmp_ctx, host, 135,
2487 &ndr_table_epmapper.syntax_id,
2490 if (!NT_STATUS_IS_OK(status)) {
2493 epm_handle = epm_pipe->binding_handle;
2495 status = rpccli_anon_bind_data(tmp_ctx, &auth);
2496 if (!NT_STATUS_IS_OK(status)) {
2500 status = rpc_pipe_bind(epm_pipe, auth);
2501 if (!NT_STATUS_IS_OK(status)) {
2505 /* create tower for asking the epmapper */
2507 map_binding = TALLOC_ZERO_P(tmp_ctx, struct dcerpc_binding);
2508 if (map_binding == NULL) {
2509 status = NT_STATUS_NO_MEMORY;
2513 map_binding->transport = NCACN_IP_TCP;
2514 map_binding->object = *abstract_syntax;
2515 map_binding->host = host; /* needed? */
2516 map_binding->endpoint = "0"; /* correct? needed? */
2518 map_tower = TALLOC_ZERO_P(tmp_ctx, struct epm_twr_t);
2519 if (map_tower == NULL) {
2520 status = NT_STATUS_NO_MEMORY;
2524 status = dcerpc_binding_build_tower(tmp_ctx, map_binding,
2525 &(map_tower->tower));
2526 if (!NT_STATUS_IS_OK(status)) {
2530 /* allocate further parameters for the epm_Map call */
2532 res_towers = TALLOC_ARRAY(tmp_ctx, struct epm_twr_t, max_towers);
2533 if (res_towers == NULL) {
2534 status = NT_STATUS_NO_MEMORY;
2537 towers.twr = res_towers;
2539 entry_handle = TALLOC_ZERO_P(tmp_ctx, struct policy_handle);
2540 if (entry_handle == NULL) {
2541 status = NT_STATUS_NO_MEMORY;
2545 /* ask the endpoint mapper for the port */
2547 status = dcerpc_epm_Map(epm_handle,
2549 CONST_DISCARD(struct GUID *,
2550 &(abstract_syntax->uuid)),
2558 if (!NT_STATUS_IS_OK(status)) {
2562 if (result != EPMAPPER_STATUS_OK) {
2563 status = NT_STATUS_UNSUCCESSFUL;
2567 if (num_towers != 1) {
2568 status = NT_STATUS_UNSUCCESSFUL;
2572 /* extract the port from the answer */
2574 status = dcerpc_binding_from_tower(tmp_ctx,
2575 &(towers.twr->tower),
2577 if (!NT_STATUS_IS_OK(status)) {
2581 /* are further checks here necessary? */
2582 if (res_binding->transport != NCACN_IP_TCP) {
2583 status = NT_STATUS_UNSUCCESSFUL;
2587 *pport = (uint16_t)atoi(res_binding->endpoint);
2590 TALLOC_FREE(tmp_ctx);
2595 * Create a rpc pipe client struct, connecting to a host via tcp.
2596 * The port is determined by asking the endpoint mapper on the given
2599 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
2600 const struct ndr_syntax_id *abstract_syntax,
2601 struct rpc_pipe_client **presult)
2606 status = rpc_pipe_get_tcp_port(host, abstract_syntax, &port);
2607 if (!NT_STATUS_IS_OK(status)) {
2611 return rpc_pipe_open_tcp_port(mem_ctx, host, port,
2612 abstract_syntax, presult);
2615 /********************************************************************
2616 Create a rpc pipe client struct, connecting to a unix domain socket
2617 ********************************************************************/
2618 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
2619 const struct ndr_syntax_id *abstract_syntax,
2620 struct rpc_pipe_client **presult)
2622 struct rpc_pipe_client *result;
2623 struct sockaddr_un addr;
2627 result = talloc_zero(mem_ctx, struct rpc_pipe_client);
2628 if (result == NULL) {
2629 return NT_STATUS_NO_MEMORY;
2632 result->abstract_syntax = *abstract_syntax;
2633 result->transfer_syntax = ndr_transfer_syntax;
2635 result->desthost = get_myname(result);
2636 result->srv_name_slash = talloc_asprintf_strupper_m(
2637 result, "\\\\%s", result->desthost);
2638 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2639 status = NT_STATUS_NO_MEMORY;
2643 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2644 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2646 fd = socket(AF_UNIX, SOCK_STREAM, 0);
2648 status = map_nt_error_from_unix(errno);
2653 addr.sun_family = AF_UNIX;
2654 strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path));
2656 if (sys_connect(fd, (struct sockaddr *)(void *)&addr) == -1) {
2657 DEBUG(0, ("connect(%s) failed: %s\n", socket_path,
2660 return map_nt_error_from_unix(errno);
2663 status = rpc_transport_sock_init(result, fd, &result->transport);
2664 if (!NT_STATUS_IS_OK(status)) {
2669 result->transport->transport = NCALRPC;
2671 result->binding_handle = rpccli_bh_create(result);
2672 if (result->binding_handle == NULL) {
2673 TALLOC_FREE(result);
2674 return NT_STATUS_NO_MEMORY;
2678 return NT_STATUS_OK;
2681 TALLOC_FREE(result);
2685 struct rpc_pipe_client_np_ref {
2686 struct cli_state *cli;
2687 struct rpc_pipe_client *pipe;
2690 static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_ref)
2692 DLIST_REMOVE(np_ref->cli->pipe_list, np_ref->pipe);
2696 /****************************************************************************
2697 Open a named pipe over SMB to a remote server.
2699 * CAVEAT CALLER OF THIS FUNCTION:
2700 * The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
2701 * so be sure that this function is called AFTER any structure (vs pointer)
2702 * assignment of the cli. In particular, libsmbclient does structure
2703 * assignments of cli, which invalidates the data in the returned
2704 * rpc_pipe_client if this function is called before the structure assignment
2707 ****************************************************************************/
2709 static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
2710 const struct ndr_syntax_id *abstract_syntax,
2711 struct rpc_pipe_client **presult)
2713 struct rpc_pipe_client *result;
2715 struct rpc_pipe_client_np_ref *np_ref;
2717 /* sanity check to protect against crashes */
2720 return NT_STATUS_INVALID_HANDLE;
2723 result = TALLOC_ZERO_P(NULL, struct rpc_pipe_client);
2724 if (result == NULL) {
2725 return NT_STATUS_NO_MEMORY;
2728 result->abstract_syntax = *abstract_syntax;
2729 result->transfer_syntax = ndr_transfer_syntax;
2730 result->desthost = talloc_strdup(result, cli->desthost);
2731 result->srv_name_slash = talloc_asprintf_strupper_m(
2732 result, "\\\\%s", result->desthost);
2734 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2735 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2737 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2738 TALLOC_FREE(result);
2739 return NT_STATUS_NO_MEMORY;
2742 status = rpc_transport_np_init(result, cli, abstract_syntax,
2743 &result->transport);
2744 if (!NT_STATUS_IS_OK(status)) {
2745 TALLOC_FREE(result);
2749 result->transport->transport = NCACN_NP;
2751 np_ref = talloc(result->transport, struct rpc_pipe_client_np_ref);
2752 if (np_ref == NULL) {
2753 TALLOC_FREE(result);
2754 return NT_STATUS_NO_MEMORY;
2757 np_ref->pipe = result;
2759 DLIST_ADD(np_ref->cli->pipe_list, np_ref->pipe);
2760 talloc_set_destructor(np_ref, rpc_pipe_client_np_ref_destructor);
2762 result->binding_handle = rpccli_bh_create(result);
2763 if (result->binding_handle == NULL) {
2764 TALLOC_FREE(result);
2765 return NT_STATUS_NO_MEMORY;
2769 return NT_STATUS_OK;
2772 /****************************************************************************
2773 Open a pipe to a remote server.
2774 ****************************************************************************/
2776 static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
2777 enum dcerpc_transport_t transport,
2778 const struct ndr_syntax_id *interface,
2779 struct rpc_pipe_client **presult)
2781 switch (transport) {
2783 return rpc_pipe_open_tcp(NULL, cli->desthost, interface,
2786 return rpc_pipe_open_np(cli, interface, presult);
2788 return NT_STATUS_NOT_IMPLEMENTED;
2792 /****************************************************************************
2793 Open a named pipe to an SMB server and bind anonymously.
2794 ****************************************************************************/
2796 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
2797 enum dcerpc_transport_t transport,
2798 const struct ndr_syntax_id *interface,
2799 struct rpc_pipe_client **presult)
2801 struct rpc_pipe_client *result;
2802 struct pipe_auth_data *auth;
2805 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2806 if (!NT_STATUS_IS_OK(status)) {
2810 status = rpccli_anon_bind_data(result, &auth);
2811 if (!NT_STATUS_IS_OK(status)) {
2812 DEBUG(0, ("rpccli_anon_bind_data returned %s\n",
2813 nt_errstr(status)));
2814 TALLOC_FREE(result);
2819 * This is a bit of an abstraction violation due to the fact that an
2820 * anonymous bind on an authenticated SMB inherits the user/domain
2821 * from the enclosing SMB creds
2824 TALLOC_FREE(auth->user_name);
2825 TALLOC_FREE(auth->domain);
2827 auth->user_name = talloc_strdup(auth, cli->user_name);
2828 auth->domain = talloc_strdup(auth, cli->domain);
2829 auth->user_session_key = data_blob_talloc(auth,
2830 cli->user_session_key.data,
2831 cli->user_session_key.length);
2833 if ((auth->user_name == NULL) || (auth->domain == NULL)) {
2834 TALLOC_FREE(result);
2835 return NT_STATUS_NO_MEMORY;
2838 status = rpc_pipe_bind(result, auth);
2839 if (!NT_STATUS_IS_OK(status)) {
2841 if (ndr_syntax_id_equal(interface,
2842 &ndr_table_dssetup.syntax_id)) {
2843 /* non AD domains just don't have this pipe, avoid
2844 * level 0 statement in that case - gd */
2847 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
2848 "%s failed with error %s\n",
2849 get_pipe_name_from_syntax(talloc_tos(), interface),
2850 nt_errstr(status) ));
2851 TALLOC_FREE(result);
2855 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
2856 "%s and bound anonymously.\n",
2857 get_pipe_name_from_syntax(talloc_tos(), interface),
2861 return NT_STATUS_OK;
2864 /****************************************************************************
2865 ****************************************************************************/
2867 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
2868 const struct ndr_syntax_id *interface,
2869 struct rpc_pipe_client **presult)
2871 return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
2872 interface, presult);
2875 /****************************************************************************
2876 Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP
2877 ****************************************************************************/
2879 NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
2880 const struct ndr_syntax_id *interface,
2881 enum dcerpc_transport_t transport,
2882 enum dcerpc_AuthLevel auth_level,
2884 const char *username,
2885 const char *password,
2886 struct rpc_pipe_client **presult)
2888 struct rpc_pipe_client *result;
2889 struct pipe_auth_data *auth = NULL;
2890 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
2893 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2894 if (!NT_STATUS_IS_OK(status)) {
2898 status = rpccli_ntlmssp_bind_data(result,
2899 auth_type, auth_level,
2900 domain, username, password,
2902 if (!NT_STATUS_IS_OK(status)) {
2903 DEBUG(0, ("rpccli_ntlmssp_bind_data returned %s\n",
2904 nt_errstr(status)));
2908 status = rpc_pipe_bind(result, auth);
2909 if (!NT_STATUS_IS_OK(status)) {
2910 DEBUG(0, ("cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error %s\n",
2911 nt_errstr(status) ));
2915 DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to "
2916 "machine %s and bound NTLMSSP as user %s\\%s.\n",
2917 get_pipe_name_from_syntax(talloc_tos(), interface),
2918 cli->desthost, domain, username ));
2921 return NT_STATUS_OK;
2925 TALLOC_FREE(result);
2929 /****************************************************************************
2931 Open a named pipe to an SMB server and bind using schannel (bind type 68)
2932 using session_key. sign and seal.
2934 The *pdc will be stolen onto this new pipe
2935 ****************************************************************************/
2937 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
2938 const struct ndr_syntax_id *interface,
2939 enum dcerpc_transport_t transport,
2940 enum dcerpc_AuthLevel auth_level,
2942 struct netlogon_creds_CredentialState **pdc,
2943 struct rpc_pipe_client **presult)
2945 struct rpc_pipe_client *result;
2946 struct pipe_auth_data *auth;
2949 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2950 if (!NT_STATUS_IS_OK(status)) {
2954 status = rpccli_schannel_bind_data(result, domain, auth_level,
2956 if (!NT_STATUS_IS_OK(status)) {
2957 DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
2958 nt_errstr(status)));
2959 TALLOC_FREE(result);
2963 status = rpc_pipe_bind(result, auth);
2964 if (!NT_STATUS_IS_OK(status)) {
2965 DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
2966 "cli_rpc_pipe_bind failed with error %s\n",
2967 nt_errstr(status) ));
2968 TALLOC_FREE(result);
2973 * The credentials on a new netlogon pipe are the ones we are passed
2974 * in - copy them over
2976 result->dc = netlogon_creds_copy(result, *pdc);
2977 if (result->dc == NULL) {
2978 TALLOC_FREE(result);
2979 return NT_STATUS_NO_MEMORY;
2982 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
2983 "for domain %s and bound using schannel.\n",
2984 get_pipe_name_from_syntax(talloc_tos(), interface),
2985 cli->desthost, domain ));
2988 return NT_STATUS_OK;
2991 /****************************************************************************
2992 Open a named pipe to an SMB server and bind using krb5 (bind type 16).
2993 The idea is this can be called with service_princ, username and password all
2994 NULL so long as the caller has a TGT.
2995 ****************************************************************************/
2997 NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
2998 const struct ndr_syntax_id *interface,
2999 enum dcerpc_transport_t transport,
3000 enum dcerpc_AuthLevel auth_level,
3002 const char *username,
3003 const char *password,
3004 struct rpc_pipe_client **presult)
3006 struct rpc_pipe_client *result;
3007 struct pipe_auth_data *auth;
3008 struct gse_context *gse_ctx;
3011 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3012 if (!NT_STATUS_IS_OK(status)) {
3016 auth = talloc(result, struct pipe_auth_data);
3018 status = NT_STATUS_NO_MEMORY;
3021 auth->auth_type = DCERPC_AUTH_TYPE_KRB5;
3022 auth->auth_level = auth_level;
3027 auth->user_name = talloc_strdup(auth, username);
3028 if (!auth->user_name) {
3029 status = NT_STATUS_NO_MEMORY;
3033 /* Fixme, should we fetch/set the Realm ? */
3034 auth->domain = talloc_strdup(auth, "");
3035 if (!auth->domain) {
3036 status = NT_STATUS_NO_MEMORY;
3040 status = gse_init_client(auth,
3041 (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY),
3042 (auth_level == DCERPC_AUTH_LEVEL_PRIVACY),
3043 NULL, server, "cifs", username, password,
3044 GSS_C_DCE_STYLE, &gse_ctx);
3045 if (!NT_STATUS_IS_OK(status)) {
3046 DEBUG(0, ("gse_init_client returned %s\n",
3047 nt_errstr(status)));
3050 auth->auth_ctx = gse_ctx;
3052 status = rpc_pipe_bind(result, auth);
3053 if (!NT_STATUS_IS_OK(status)) {
3054 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3055 nt_errstr(status)));
3060 return NT_STATUS_OK;
3063 TALLOC_FREE(result);
3067 NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
3068 const struct ndr_syntax_id *interface,
3069 enum dcerpc_transport_t transport,
3070 enum dcerpc_AuthLevel auth_level,
3072 const char *username,
3073 const char *password,
3074 struct rpc_pipe_client **presult)
3076 struct rpc_pipe_client *result;
3077 struct pipe_auth_data *auth;
3078 struct spnego_context *spnego_ctx;
3081 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3082 if (!NT_STATUS_IS_OK(status)) {
3086 auth = talloc(result, struct pipe_auth_data);
3088 status = NT_STATUS_NO_MEMORY;
3091 auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
3092 auth->auth_level = auth_level;
3097 auth->user_name = talloc_strdup(auth, username);
3098 if (!auth->user_name) {
3099 status = NT_STATUS_NO_MEMORY;
3103 /* Fixme, should we fetch/set the Realm ? */
3104 auth->domain = talloc_strdup(auth, "");
3105 if (!auth->domain) {
3106 status = NT_STATUS_NO_MEMORY;
3110 status = spnego_gssapi_init_client(auth,
3111 (auth->auth_level ==
3112 DCERPC_AUTH_LEVEL_INTEGRITY),
3113 (auth->auth_level ==
3114 DCERPC_AUTH_LEVEL_PRIVACY),
3116 NULL, server, "cifs",
3119 if (!NT_STATUS_IS_OK(status)) {
3120 DEBUG(0, ("spnego_init_client returned %s\n",
3121 nt_errstr(status)));
3124 auth->auth_ctx = spnego_ctx;
3126 status = rpc_pipe_bind(result, auth);
3127 if (!NT_STATUS_IS_OK(status)) {
3128 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3129 nt_errstr(status)));
3134 return NT_STATUS_OK;
3137 TALLOC_FREE(result);
3141 NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
3142 const struct ndr_syntax_id *interface,
3143 enum dcerpc_transport_t transport,
3144 enum dcerpc_AuthLevel auth_level,
3146 const char *username,
3147 const char *password,
3148 struct rpc_pipe_client **presult)
3150 struct rpc_pipe_client *result;
3151 struct pipe_auth_data *auth;
3152 struct spnego_context *spnego_ctx;
3155 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3156 if (!NT_STATUS_IS_OK(status)) {
3160 auth = talloc(result, struct pipe_auth_data);
3162 status = NT_STATUS_NO_MEMORY;
3165 auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
3166 auth->auth_level = auth_level;
3171 auth->user_name = talloc_strdup(auth, username);
3172 if (!auth->user_name) {
3173 status = NT_STATUS_NO_MEMORY;
3180 auth->domain = talloc_strdup(auth, domain);
3181 if (!auth->domain) {
3182 status = NT_STATUS_NO_MEMORY;
3186 status = spnego_ntlmssp_init_client(auth,
3187 (auth->auth_level ==
3188 DCERPC_AUTH_LEVEL_INTEGRITY),
3189 (auth->auth_level ==
3190 DCERPC_AUTH_LEVEL_PRIVACY),
3192 domain, username, password,
3194 if (!NT_STATUS_IS_OK(status)) {
3195 DEBUG(0, ("spnego_init_client returned %s\n",
3196 nt_errstr(status)));
3199 auth->auth_ctx = spnego_ctx;
3201 status = rpc_pipe_bind(result, auth);
3202 if (!NT_STATUS_IS_OK(status)) {
3203 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3204 nt_errstr(status)));
3209 return NT_STATUS_OK;
3212 TALLOC_FREE(result);
3216 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
3217 struct rpc_pipe_client *cli,
3218 DATA_BLOB *session_key)
3220 struct pipe_auth_data *a = cli->auth;
3221 struct schannel_state *schannel_auth;
3222 struct auth_ntlmssp_state *ntlmssp_ctx;
3223 struct spnego_context *spnego_ctx;
3224 struct gse_context *gse_ctx;
3225 DATA_BLOB sk = data_blob_null;
3226 bool make_dup = false;
3228 if (!session_key || !cli) {
3229 return NT_STATUS_INVALID_PARAMETER;
3233 return NT_STATUS_INVALID_PARAMETER;
3236 switch (cli->auth->auth_type) {
3237 case DCERPC_AUTH_TYPE_SCHANNEL:
3238 schannel_auth = talloc_get_type_abort(a->auth_ctx,
3239 struct schannel_state);
3240 sk = data_blob_const(schannel_auth->creds->session_key, 16);
3243 case DCERPC_AUTH_TYPE_SPNEGO:
3244 spnego_ctx = talloc_get_type_abort(a->auth_ctx,
3245 struct spnego_context);
3246 sk = spnego_get_session_key(mem_ctx, spnego_ctx);
3249 case DCERPC_AUTH_TYPE_NTLMSSP:
3250 ntlmssp_ctx = talloc_get_type_abort(a->auth_ctx,
3251 struct auth_ntlmssp_state);
3252 sk = auth_ntlmssp_get_session_key(ntlmssp_ctx);
3255 case DCERPC_AUTH_TYPE_KRB5:
3256 gse_ctx = talloc_get_type_abort(a->auth_ctx,
3257 struct gse_context);
3258 sk = gse_get_session_key(mem_ctx, gse_ctx);
3261 case DCERPC_AUTH_TYPE_NONE:
3262 sk = data_blob_const(a->user_session_key.data,
3263 a->user_session_key.length);
3271 return NT_STATUS_NO_USER_SESSION_KEY;
3275 *session_key = data_blob_dup_talloc(mem_ctx, &sk);
3280 return NT_STATUS_OK;