3 * Unix SMB/Netbios implementation.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998,
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1998.
9 * Copyright (C) Jeremy Allison 1999.
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
33 extern int DEBUGLEVEL;
34 extern struct pipe_id_info pipe_names[];
35 extern fstring global_myworkgroup;
36 extern pstring global_myname;
38 /********************************************************************
40 ********************************************************************/
42 static uint32 get_rpc_call_id(void)
44 static uint32 call_id = 0;
48 /*******************************************************************
49 Use SMBreadX to get rest of one fragment's worth of rpc data.
50 ********************************************************************/
52 static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
54 size_t size = (size_t)cli->max_recv_frag;
55 int stream_offset = 0;
59 int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
61 DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
62 (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
65 * Grow the buffer if needed to accommodate the data to be read.
68 if (extra_data_size > 0) {
69 if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
70 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
73 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
76 pdata = prs_data_p(rdata) + *rdata_offset;
78 do /* read data using SMBreadX */
80 if (size > (size_t)data_to_read)
81 size = (size_t)data_to_read;
83 num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
85 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
86 num_read, stream_offset, data_to_read));
88 if (cli_error(cli, NULL, &err, NULL)) {
89 DEBUG(0,("rpc_read: Error %u in cli_read\n", (unsigned int)err ));
93 data_to_read -= num_read;
94 stream_offset += num_read;
97 } while (num_read > 0 && data_to_read > 0);
98 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
101 * Update the current offset into rdata by the amount read.
103 *rdata_offset += stream_offset;
108 /****************************************************************************
110 ****************************************************************************/
112 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
113 BOOL *first, BOOL *last, uint32 *len)
115 DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
117 if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) {
118 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
122 if (prs_offset(rdata) != RPC_HEADER_LEN) {
123 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
127 (*first) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_FIRST);
128 (*last) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_LAST );
129 (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
131 return (rhdr->pkt_type != RPC_FAULT);
134 static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len)
136 unsigned char *hash = cli->ntlmssp_hash;
137 unsigned char index_i = hash[256];
138 unsigned char index_j = hash[257];
141 for( ind = 0; ind < len; ind++) {
146 index_j += hash[index_i];
149 hash[index_i] = hash[index_j];
152 t = hash[index_i] + hash[index_j];
153 data[ind] = data[ind] ^ hash[t];
160 /****************************************************************************
161 Verify data on an rpc pipe.
162 The VERIFY & SEAL code is only executed on packets that look like this :
164 Request/Response PDU's look like the following...
166 |<------------------PDU len----------------------------------------------->|
167 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
169 +------------+-----------------+-------------+---------------+-------------+
170 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
171 +------------+-----------------+-------------+---------------+-------------+
173 Never on bind requests/responses.
174 ****************************************************************************/
176 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, int len, int auth_len)
179 * The following is that length of the data we must sign or seal.
180 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
181 * preceeding the auth_data.
184 int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
187 * The start of the data to sign/seal is just after the RPC headers.
189 char *reply_data = prs_data_p(rdata) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
191 BOOL auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
192 BOOL auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
194 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
195 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal)));
198 * Unseal any sealed data in the PDU, not including the
199 * 8 byte auth_header or the auth_data.
203 DEBUG(10,("rpc_auth_pipe: unseal\n"));
204 dump_data(100, reply_data, data_len);
205 NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
206 dump_data(100, reply_data, data_len);
209 if (auth_verify || auth_seal) {
210 RPC_HDR_AUTH rhdr_auth;
212 char data[RPC_HDR_AUTH_LEN];
214 * We set dp to be the end of the packet, minus the auth_len
215 * and the length of the header that preceeds the auth_data.
217 char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN;
219 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
220 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
224 memcpy(data, dp, sizeof(data));
226 prs_init(&auth_req , 0, 4, UNMARSHALL);
227 prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False);
230 * Unmarshall the 8 byte auth_header that comes before the
234 if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) {
235 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n"));
239 if (!rpc_hdr_auth_chk(&rhdr_auth)) {
240 DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n"));
246 * Now unseal and check the auth verifier in the auth_data at
247 * then end of the packet. The 4 bytes skipped in the unseal
248 * seem to be a buffer pointer preceeding the sealed data.
252 RPC_AUTH_NTLMSSP_CHK chk;
254 prs_struct auth_verf;
255 char data[RPC_AUTH_NTLMSSP_CHK_LEN];
256 char *dp = prs_data_p(rdata) + len - auth_len;
258 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
259 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
263 DEBUG(10,("rpc_auth_pipe: verify\n"));
264 dump_data(100, dp, auth_len);
265 NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4);
267 memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN);
268 dump_data(100, data, auth_len);
270 prs_init(&auth_verf, 0, 4, UNMARSHALL);
271 prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False);
273 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) {
274 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n"));
278 crc32 = crc32_calc_buffer(reply_data, data_len);
280 if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) {
281 DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n"));
284 cli->ntlmssp_seq_num++;
290 /****************************************************************************
291 Send data on an rpc pipe, which *must* be in one fragment.
292 receive response data from an rpc pipe, which may be large...
294 Read the first fragment: unfortunately have to use SMBtrans for the first
295 bit, then SMBreadX for subsequent bits.
297 If first fragment received also wasn't the last fragment, continue
298 getting fragments until we _do_ receive the last fragment.
300 Request/Response PDU's look like the following...
302 |<------------------PDU len----------------------------------------------->|
303 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
305 +------------+-----------------+-------------+---------------+-------------+
306 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
307 +------------+-----------------+-------------+---------------+-------------+
309 Where the presence of the AUTH_HDR and AUTH are dependent on the
310 signing & sealing being neogitated.
312 ****************************************************************************/
314 static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, prs_struct *data, prs_struct *rdata)
318 uint32 rparam_len = 0;
324 char *pdata = data ? prs_data_p(data) : NULL;
325 uint32 data_len = data ? prs_offset(data) : 0;
327 uint32 rdata_len = 0;
328 uint32 current_offset = 0;
331 * Create setup parameters - must be in native byte order.
334 setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
336 DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", (int)cmd, (int)cli->nt_pipe_fnum));
338 /* send the data: receive a response. */
339 if (!cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
340 setup, 2, 0, /* Setup, length, max */
341 NULL, 0, 0, /* Params, length, max */
342 pdata, data_len, data_len, /* data, length, max */
343 &rparam, &rparam_len, /* return params, len */
344 &prdata, &rdata_len)) /* return data, len */
346 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
351 * Throw away returned params - we know we won't use them.
359 if (prdata == NULL) {
360 DEBUG(0,("rpc_api_pipe: cmd %x on pipe %x failed to return data.\n",
361 (int)cmd, (int)cli->nt_pipe_fnum));
366 * Give this memory as dynamically allocated to the return parse struct.
369 prs_give_memory(rdata, prdata, rdata_len, True);
370 current_offset = rdata_len;
372 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
377 if (rhdr.pkt_type == RPC_BINDACK) {
378 if (!last && !first) {
379 DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
385 if (rhdr.pkt_type == RPC_RESPONSE) {
386 RPC_HDR_RESP rhdr_resp;
387 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
388 DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
394 DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
395 (unsigned int)len, (unsigned int)rdata_len ));
397 /* check if data to be sent back was too large for one SMB. */
398 /* err status is only informational: the _real_ check is on the length */
400 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
402 * Read the rest of the first response PDU.
404 if (!rpc_read(cli, rdata, len, ¤t_offset)) {
411 * Now we have a complete PDU, check the auth struct if any was sent.
414 if (rhdr.auth_len != 0) {
415 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
418 * Drop the auth footers from the current offset.
419 * We need this if there are more fragments.
420 * The auth footers consist of the auth_data and the
421 * preceeding 8 byte auth_header.
423 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
427 * Only one rpc fragment, and it has been read.
431 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
436 * Read more fragments until we get the last one.
440 RPC_HDR_RESP rhdr_resp;
442 char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
446 * First read the header of the next PDU.
449 prs_init(&hps, 0, 4, UNMARSHALL);
450 prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
452 num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
453 if (cli_error(cli, NULL, &err, NULL)) {
454 DEBUG(0,("rpc_api_pipe: cli_read error : %d\n", err ));
458 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
460 if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
461 DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
462 RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
466 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
469 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
470 DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
475 DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
480 * Now read the rest of the PDU.
483 if (!rpc_read(cli, rdata, len, ¤t_offset))
487 * Verify any authentication footer.
490 if (rhdr.auth_len != 0 ) {
491 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
494 * Drop the auth footers from the current offset.
495 * The auth footers consist of the auth_data and the
496 * preceeding 8 byte auth_header.
497 * We need this if there are more fragments.
499 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
506 /*******************************************************************
507 creates a DCE/RPC bind request
509 - initialises the parse structure.
510 - dynamically allocates the header data structure
511 - caller is expected to free the header data structure once used.
513 ********************************************************************/
515 static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, uint32 rpc_call_id,
516 RPC_IFACE *abstract, RPC_IFACE *transfer,
517 char *my_name, char *domain, uint32 neg_flags)
522 prs_struct auth_info;
525 prs_init(&auth_info, 0, 4, MARSHALL);
528 RPC_HDR_AUTH hdr_auth;
529 RPC_AUTH_VERIFIER auth_verifier;
530 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
533 * Create the auth structs we will marshall.
536 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1);
537 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE);
538 init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain);
541 * Use the 4k buffer to store the auth info.
544 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
547 * Now marshall the data into the temporary parse_struct.
550 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
551 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
555 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
556 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n"));
560 if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) {
561 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n"));
565 /* Auth len in the rpc header doesn't include auth_header. */
566 auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
569 /* create the request RPC_HDR */
570 init_rpc_hdr(&hdr, RPC_BIND, 0x0, rpc_call_id,
571 RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
574 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
575 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
579 /* create the bind request RPC_HDR_RB */
580 init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
581 0x1, 0x0, 0x1, abstract, transfer);
583 /* Marshall the bind request data */
584 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
585 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
590 * Grow the outgoing buffer to store any auth info.
593 if(hdr.auth_len != 0) {
594 if(!prs_append_prs_data( rpc_out, &auth_info)) {
595 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
603 /*******************************************************************
604 Creates a DCE/RPC bind authentication response.
605 This is the packet that is sent back to the server once we
606 have received a BIND-ACK, to finish the third leg of
607 the authentication handshake.
608 ********************************************************************/
610 static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
611 char *domain, char *user_name, char *my_name,
612 uint32 ntlmssp_cli_flgs,
616 unsigned char lm_owf[24];
617 unsigned char nt_owf[24];
619 RPC_HDR_AUTHA hdr_autha;
620 RPC_AUTH_VERIFIER auth_verifier;
621 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
623 prs_struct auth_info;
626 * Marshall the variable length data into a temporary parse
627 * struct, pointing into a 4k local buffer.
629 prs_init(&auth_info, 0, 4, MARSHALL);
632 * Use the 4k buffer to store the auth info.
635 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
638 * Create the variable length auth_data.
641 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH);
643 pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf);
645 init_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
647 domain, user_name, my_name,
651 * Marshall the variable length auth_data into a temp parse_struct.
654 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
655 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n"));
659 if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) {
660 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n"));
664 /* Create the request RPC_HDR */
665 init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
666 RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info),
667 prs_offset(&auth_info) );
670 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
671 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
675 /* Create the request RPC_HDR_AUTHA */
676 init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
677 NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00);
679 if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
680 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
685 * Append the auth data to the outgoing buffer.
688 if(!prs_append_prs_data(rpc_out, &auth_info)) {
689 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
697 /*******************************************************************
698 Creates a DCE/RPC request.
699 ********************************************************************/
701 static BOOL create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len)
707 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
709 /* create the rpc header RPC_HDR */
710 init_rpc_hdr(&hdr, RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST,
711 get_rpc_call_id(), data_len, auth_len);
714 * The alloc hint should be the amount of data, not including
715 * RPC headers & footers.
719 alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
721 alloc_hint = data_len - RPC_HEADER_LEN;
723 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
724 data_len, auth_len, alloc_hint));
726 /* Create the rpc request RPC_HDR_REQ */
727 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
730 if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0))
733 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
736 if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
743 /****************************************************************************
744 Send a request on an rpc pipe.
745 ****************************************************************************/
747 BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
748 prs_struct *data, prs_struct *rdata)
750 prs_struct outgoing_packet;
757 char *pdata_out = NULL;
759 auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
760 auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
763 * The auth_len doesn't include the RPC_HDR_AUTH_LEN.
766 auth_len = (auth_verify ? RPC_AUTH_NTLMSSP_CHK_LEN : 0);
769 * PDU len is header, plus request header, plus data, plus
770 * auth_header_len (if present), plus auth_len (if present).
771 * NB. The auth stuff should be aligned on an 8 byte boundary
772 * to be totally DCE/RPC spec complient. For now we cheat and
773 * hope that the data structs defined are a multiple of 8 bytes.
776 if((prs_offset(data) % 8) != 0) {
777 DEBUG(5,("rpc_api_pipe_req: Outgoing data not a multiple of 8 bytes....\n"));
780 data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(data) +
781 (auth_verify ? RPC_HDR_AUTH_LEN : 0) + auth_len;
784 * Malloc a parse struct to hold it (and enough for alignments).
787 if(!prs_init(&outgoing_packet, data_len + 8, 4, MARSHALL)) {
788 DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
792 pdata_out = prs_data_p(&outgoing_packet);
795 * Write out the RPC header and the request header.
798 if(!create_rpc_request(&outgoing_packet, op_num, data_len, auth_len)) {
799 DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
800 prs_mem_free(&outgoing_packet);
805 * Seal the outgoing data if requested.
809 crc32 = crc32_calc_buffer(prs_data_p(data), prs_offset(data));
810 NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data), prs_offset(data));
814 * Now copy the data into the outgoing packet.
817 if(!prs_append_prs_data( &outgoing_packet, data)) {
818 DEBUG(0,("rpc_api_pipe_req: Failed to append data to outgoing packet.\n"));
819 prs_mem_free(&outgoing_packet);
824 * Add a trailing auth_verifier if needed.
827 if (auth_seal || auth_verify) {
828 RPC_HDR_AUTH hdr_auth;
830 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE,
831 NTLMSSP_AUTH_LEVEL, 0x08, (auth_verify ? 1 : 0));
832 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &outgoing_packet, 0)) {
833 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_HDR_AUTH.\n"));
834 prs_mem_free(&outgoing_packet);
840 * Finally the auth data itself.
844 RPC_AUTH_NTLMSSP_CHK chk;
845 uint32 current_offset = prs_offset(&outgoing_packet);
847 init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++);
848 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &outgoing_packet, 0)) {
849 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n"));
850 prs_mem_free(&outgoing_packet);
853 NTLMSSPcalc_ap(cli, (unsigned char*)&pdata_out[current_offset+4], RPC_AUTH_NTLMSSP_CHK_LEN - 4);
856 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len, prs_offset(&outgoing_packet)));
858 ret = rpc_api_pipe(cli, 0x0026, &outgoing_packet, rdata);
860 prs_mem_free(&outgoing_packet);
865 /****************************************************************************
866 Set the handle state.
867 ****************************************************************************/
869 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, char *pipe_name, uint16 device_state)
871 BOOL state_set = False;
873 uint16 setup[2]; /* only need 2 uint16 setup parameters */
876 uint32 rparam_len, rdata_len;
878 if (pipe_name == NULL)
881 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
882 cli->nt_pipe_fnum, pipe_name, device_state));
884 /* create parameters: device state */
885 SSVAL(param, 0, device_state);
887 /* create setup parameters. */
889 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
891 /* send the data on \PIPE\ */
892 if (cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
893 setup, 2, 0, /* setup, length, max */
894 param, 2, 0, /* param, length, max */
895 NULL, 0, 1024, /* data, length, max */
896 &rparam, &rparam_len, /* return param, length */
897 &rdata, &rdata_len)) /* return data, length */
899 DEBUG(5, ("Set Handle state: return OK\n"));
911 /****************************************************************************
912 check the rpc bind acknowledge response
913 ****************************************************************************/
915 static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *transfer)
919 while (pipe_names[pipe_idx].client_pipe != NULL) {
920 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) {
921 DEBUG(5,("Bind Abstract Syntax: "));
922 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
923 sizeof(pipe_names[pipe_idx].abstr_syntax));
924 DEBUG(5,("Bind Transfer Syntax: "));
925 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
926 sizeof(pipe_names[pipe_idx].trans_syntax));
928 /* copy the required syntaxes out so we can do the right bind */
929 *transfer = pipe_names[pipe_idx].trans_syntax;
930 *abstract = pipe_names[pipe_idx].abstr_syntax;
937 DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name));
941 /****************************************************************************
942 check the rpc bind acknowledge response
943 ****************************************************************************/
945 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, char *pipe_name, RPC_IFACE *transfer)
949 while ((pipe_names[i].client_pipe != NULL) && hdr_ba->addr.len > 0) {
950 DEBUG(6,("bind_rpc_pipe: searching pipe name: client:%s server:%s\n",
951 pipe_names[i].client_pipe , pipe_names[i].server_pipe ));
953 if ((strequal(pipe_name, pipe_names[i].client_pipe ))) {
954 if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe )) {
955 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n",
956 pipe_names[i].server_pipe ));
959 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
960 pipe_names[i].server_pipe ,
969 if (pipe_names[i].server_pipe == NULL) {
970 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
974 /* check the transfer syntax */
975 if ((hdr_ba->transfer.version != transfer->version) ||
976 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
977 DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n"));
981 /* lkclXXXX only accept one result: check the result(s) */
982 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
983 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
984 hdr_ba->res.num_results, hdr_ba->res.reason));
987 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
991 /****************************************************************************
992 Create and send the third packet in an RPC auth.
993 ****************************************************************************/
995 static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
997 RPC_HDR_AUTH rhdr_auth;
998 RPC_AUTH_VERIFIER rhdr_verf;
999 RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
1000 char buffer[MAX_PDU_FRAG_LEN];
1004 unsigned char p24[24];
1005 unsigned char lm_owf[24];
1006 unsigned char lm_hash[16];
1008 if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) {
1009 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n"));
1012 if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) {
1013 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n"));
1016 if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) {
1017 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n"));
1021 cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
1023 pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
1025 prs_init(&rpc_out, 0, 4, MARSHALL);
1027 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1029 create_rpc_bind_resp(&cli->pwd, cli->domain,
1030 cli->user_name, global_myname,
1031 cli->ntlmssp_cli_flgs, rpc_call_id,
1034 pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
1035 pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
1037 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
1040 unsigned char j = 0;
1042 unsigned char k2[8];
1049 for (ind = 0; ind < 256; ind++)
1050 cli->ntlmssp_hash[ind] = (unsigned char)ind;
1052 for( ind = 0; ind < 256; ind++) {
1055 j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
1057 tc = cli->ntlmssp_hash[ind];
1058 cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
1059 cli->ntlmssp_hash[j] = tc;
1062 cli->ntlmssp_hash[256] = 0;
1063 cli->ntlmssp_hash[257] = 0;
1066 memset((char *)lm_hash, '\0', sizeof(lm_hash));
1068 if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out),
1069 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
1070 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
1074 cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
1078 /****************************************************************************
1080 ****************************************************************************/
1082 static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, char *my_name)
1088 BOOL do_auth = (cli->ntlmssp_cli_flgs != 0);
1090 char buffer[MAX_PDU_FRAG_LEN];
1092 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_name));
1094 if (!valid_pipe_name(pipe_name, &abstract, &transfer))
1097 prs_init(&rpc_out, 0, 4, MARSHALL);
1100 * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
1103 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1105 rpc_call_id = get_rpc_call_id();
1107 /* Marshall the outgoing data. */
1108 create_rpc_bind_req(&rpc_out, do_auth, rpc_call_id,
1109 &abstract, &transfer,
1110 global_myname, cli->domain, cli->ntlmssp_cli_flgs);
1112 /* Initialize the incoming data struct. */
1113 prs_init(&rdata, 0, 4, UNMARSHALL);
1115 /* send data on \PIPE\. receive a response */
1116 if (rpc_api_pipe(cli, 0x0026, &rpc_out, &rdata)) {
1119 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
1121 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
1122 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
1123 prs_mem_free(&rdata);
1127 if(!check_bind_response(&hdr_ba, pipe_name, &transfer)) {
1128 DEBUG(0,("rpc_pipe_bind: check_bind_response failed.\n"));
1129 prs_mem_free(&rdata);
1133 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
1134 cli->max_recv_frag = hdr_ba.bba.max_rsize;
1137 * If we're doing NTLMSSP auth we need to send a reply to
1138 * the bind-ack to complete the 3-way challenge response
1142 if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
1143 DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
1144 prs_mem_free(&rdata);
1149 prs_mem_free(&rdata);
1153 /****************************************************************************
1154 Set ntlmssp negotiation flags.
1155 ****************************************************************************/
1157 void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs)
1159 cli->ntlmssp_cli_flgs = ntlmssp_flgs;
1163 /****************************************************************************
1165 ****************************************************************************/
1167 BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name)
1171 if (IS_BITS_SET_ALL(cli->capabilities, CAP_NT_SMBS)) {
1172 if ((fnum = cli_nt_create(cli, &(pipe_name[5]))) == -1) {
1173 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1174 &(pipe_name[5]), cli->desthost, cli_errstr(cli)));
1178 cli->nt_pipe_fnum = (uint16)fnum;
1180 if ((fnum = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1181 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1182 pipe_name, cli->desthost, cli_errstr(cli)));
1186 cli->nt_pipe_fnum = (uint16)fnum;
1188 /**************** Set Named Pipe State ***************/
1189 if (!rpc_pipe_set_hnd_state(cli, pipe_name, 0x4300)) {
1190 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1192 cli_close(cli, cli->nt_pipe_fnum);
1197 /******************* bind request on pipe *****************/
1199 if (!rpc_pipe_bind(cli, pipe_name, global_myname)) {
1200 DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n",
1202 cli_close(cli, cli->nt_pipe_fnum);
1207 * Setup the remote server name prefixed by \ and the machine account name.
1210 fstrcpy(cli->srv_name_slash, "\\\\");
1211 fstrcat(cli->srv_name_slash, cli->desthost);
1212 strupper(cli->srv_name_slash);
1214 fstrcpy(cli->clnt_name_slash, "\\\\");
1215 fstrcat(cli->clnt_name_slash, global_myname);
1216 strupper(cli->clnt_name_slash);
1218 fstrcpy(cli->mach_acct, global_myname);
1219 fstrcat(cli->mach_acct, "$");
1220 strupper(cli->mach_acct);
1225 /****************************************************************************
1227 ****************************************************************************/
1229 void cli_nt_session_close(struct cli_state *cli)
1231 cli_close(cli, cli->nt_pipe_fnum);