2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Largely rewritten by Jeremy Allison 2005.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "librpc/gen_ndr/cli_epmapper.h"
22 #include "../librpc/gen_ndr/ndr_schannel.h"
23 #include "../librpc/gen_ndr/ndr_dssetup.h"
24 #include "../librpc/gen_ndr/ndr_netlogon.h"
25 #include "../libcli/auth/schannel.h"
26 #include "../libcli/auth/spnego.h"
28 #include "../libcli/auth/ntlmssp.h"
29 #include "ntlmssp_wrap.h"
30 #include "rpc_client/cli_netlogon.h"
31 #include "librpc/gen_ndr/ndr_dcerpc.h"
32 #include "librpc/rpc/dcerpc.h"
35 #define DBGC_CLASS DBGC_RPC_CLI
37 /********************************************************************
38 Pipe description for a DEBUG
39 ********************************************************************/
40 static const char *rpccli_pipe_txt(TALLOC_CTX *mem_ctx,
41 struct rpc_pipe_client *cli)
43 char *result = talloc_asprintf(mem_ctx, "host %s", cli->desthost);
50 /********************************************************************
52 ********************************************************************/
54 static uint32 get_rpc_call_id(void)
56 static uint32 call_id = 0;
60 /*******************************************************************
61 Use SMBreadX to get rest of one fragment's worth of rpc data.
62 Reads the whole size or give an error message
63 ********************************************************************/
65 struct rpc_read_state {
66 struct event_context *ev;
67 struct rpc_cli_transport *transport;
73 static void rpc_read_done(struct tevent_req *subreq);
75 static struct tevent_req *rpc_read_send(TALLOC_CTX *mem_ctx,
76 struct event_context *ev,
77 struct rpc_cli_transport *transport,
78 uint8_t *data, size_t size)
80 struct tevent_req *req, *subreq;
81 struct rpc_read_state *state;
83 req = tevent_req_create(mem_ctx, &state, struct rpc_read_state);
88 state->transport = transport;
93 DEBUG(5, ("rpc_read_send: data_to_read: %u\n", (unsigned int)size));
95 subreq = transport->read_send(state, ev, (uint8_t *)data, size,
100 tevent_req_set_callback(subreq, rpc_read_done, req);
108 static void rpc_read_done(struct tevent_req *subreq)
110 struct tevent_req *req = tevent_req_callback_data(
111 subreq, struct tevent_req);
112 struct rpc_read_state *state = tevent_req_data(
113 req, struct rpc_read_state);
117 status = state->transport->read_recv(subreq, &received);
119 if (!NT_STATUS_IS_OK(status)) {
120 tevent_req_nterror(req, status);
124 state->num_read += received;
125 if (state->num_read == state->size) {
126 tevent_req_done(req);
130 subreq = state->transport->read_send(state, state->ev,
131 state->data + state->num_read,
132 state->size - state->num_read,
133 state->transport->priv);
134 if (tevent_req_nomem(subreq, req)) {
137 tevent_req_set_callback(subreq, rpc_read_done, req);
140 static NTSTATUS rpc_read_recv(struct tevent_req *req)
142 return tevent_req_simple_recv_ntstatus(req);
145 struct rpc_write_state {
146 struct event_context *ev;
147 struct rpc_cli_transport *transport;
153 static void rpc_write_done(struct tevent_req *subreq);
155 static struct tevent_req *rpc_write_send(TALLOC_CTX *mem_ctx,
156 struct event_context *ev,
157 struct rpc_cli_transport *transport,
158 const uint8_t *data, size_t size)
160 struct tevent_req *req, *subreq;
161 struct rpc_write_state *state;
163 req = tevent_req_create(mem_ctx, &state, struct rpc_write_state);
168 state->transport = transport;
171 state->num_written = 0;
173 DEBUG(5, ("rpc_write_send: data_to_write: %u\n", (unsigned int)size));
175 subreq = transport->write_send(state, ev, data, size, transport->priv);
176 if (subreq == NULL) {
179 tevent_req_set_callback(subreq, rpc_write_done, req);
186 static void rpc_write_done(struct tevent_req *subreq)
188 struct tevent_req *req = tevent_req_callback_data(
189 subreq, struct tevent_req);
190 struct rpc_write_state *state = tevent_req_data(
191 req, struct rpc_write_state);
195 status = state->transport->write_recv(subreq, &written);
197 if (!NT_STATUS_IS_OK(status)) {
198 tevent_req_nterror(req, status);
202 state->num_written += written;
204 if (state->num_written == state->size) {
205 tevent_req_done(req);
209 subreq = state->transport->write_send(state, state->ev,
210 state->data + state->num_written,
211 state->size - state->num_written,
212 state->transport->priv);
213 if (tevent_req_nomem(subreq, req)) {
216 tevent_req_set_callback(subreq, rpc_write_done, req);
219 static NTSTATUS rpc_write_recv(struct tevent_req *req)
221 return tevent_req_simple_recv_ntstatus(req);
225 /****************************************************************************
226 Try and get a PDU's worth of data from current_pdu. If not, then read more
228 ****************************************************************************/
230 struct get_complete_frag_state {
231 struct event_context *ev;
232 struct rpc_pipe_client *cli;
237 static void get_complete_frag_got_header(struct tevent_req *subreq);
238 static void get_complete_frag_got_rest(struct tevent_req *subreq);
240 static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
241 struct event_context *ev,
242 struct rpc_pipe_client *cli,
245 struct tevent_req *req, *subreq;
246 struct get_complete_frag_state *state;
250 req = tevent_req_create(mem_ctx, &state,
251 struct get_complete_frag_state);
257 state->frag_len = RPC_HEADER_LEN;
260 received = pdu->length;
261 if (received < RPC_HEADER_LEN) {
262 if (!data_blob_realloc(mem_ctx, pdu, RPC_HEADER_LEN)) {
263 status = NT_STATUS_NO_MEMORY;
266 subreq = rpc_read_send(state, state->ev,
267 state->cli->transport,
268 pdu->data + received,
269 RPC_HEADER_LEN - received);
270 if (subreq == NULL) {
271 status = NT_STATUS_NO_MEMORY;
274 tevent_req_set_callback(subreq, get_complete_frag_got_header,
279 state->frag_len = dcerpc_get_frag_length(pdu);
282 * Ensure we have frag_len bytes of data.
284 if (received < state->frag_len) {
285 if (!data_blob_realloc(NULL, pdu, state->frag_len)) {
286 status = NT_STATUS_NO_MEMORY;
289 subreq = rpc_read_send(state, state->ev,
290 state->cli->transport,
291 pdu->data + received,
292 state->frag_len - received);
293 if (subreq == NULL) {
294 status = NT_STATUS_NO_MEMORY;
297 tevent_req_set_callback(subreq, get_complete_frag_got_rest,
302 status = NT_STATUS_OK;
304 if (NT_STATUS_IS_OK(status)) {
305 tevent_req_done(req);
307 tevent_req_nterror(req, status);
309 return tevent_req_post(req, ev);
312 static void get_complete_frag_got_header(struct tevent_req *subreq)
314 struct tevent_req *req = tevent_req_callback_data(
315 subreq, struct tevent_req);
316 struct get_complete_frag_state *state = tevent_req_data(
317 req, struct get_complete_frag_state);
320 status = rpc_read_recv(subreq);
322 if (!NT_STATUS_IS_OK(status)) {
323 tevent_req_nterror(req, status);
327 state->frag_len = dcerpc_get_frag_length(state->pdu);
329 if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
330 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
335 * We're here in this piece of code because we've read exactly
336 * RPC_HEADER_LEN bytes into state->pdu.
339 subreq = rpc_read_send(state, state->ev, state->cli->transport,
340 state->pdu->data + RPC_HEADER_LEN,
341 state->frag_len - RPC_HEADER_LEN);
342 if (tevent_req_nomem(subreq, req)) {
345 tevent_req_set_callback(subreq, get_complete_frag_got_rest, req);
348 static void get_complete_frag_got_rest(struct tevent_req *subreq)
350 struct tevent_req *req = tevent_req_callback_data(
351 subreq, struct tevent_req);
354 status = rpc_read_recv(subreq);
356 if (!NT_STATUS_IS_OK(status)) {
357 tevent_req_nterror(req, status);
360 tevent_req_done(req);
363 static NTSTATUS get_complete_frag_recv(struct tevent_req *req)
365 return tevent_req_simple_recv_ntstatus(req);
368 /****************************************************************************
369 NTLMSSP specific sign/seal.
370 Virtually identical to rpc_server/srv_pipe.c:api_pipe_ntlmssp_auth_process.
371 In fact I should probably abstract these into identical pieces of code... JRA.
372 ****************************************************************************/
374 static NTSTATUS cli_pipe_verify_ntlmssp(struct rpc_pipe_client *cli,
375 struct ncacn_packet *pkt,
377 uint8 *p_ss_padding_len)
379 struct dcerpc_auth auth_info;
383 if (cli->auth->auth_level == DCERPC_AUTH_LEVEL_NONE
384 || cli->auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
388 if (!cli->auth->a_u.auth_ntlmssp_state) {
389 return NT_STATUS_INVALID_PARAMETER;
392 /* Ensure there's enough data for an authenticated response. */
393 if ((pkt->auth_length > RPC_MAX_PDU_FRAG_LEN) ||
394 (pkt->frag_length < DCERPC_RESPONSE_LENGTH
395 + DCERPC_AUTH_TRAILER_LENGTH
396 + pkt->auth_length)) {
397 DEBUG(0, ("auth_len %u is too long.\n",
398 (unsigned int)pkt->auth_length));
399 return NT_STATUS_BUFFER_TOO_SMALL;
402 /* get the auth blob at the end of the packet */
403 blob = data_blob_const(pdu->data + pkt->frag_length
404 - DCERPC_AUTH_TRAILER_LENGTH
406 DCERPC_AUTH_TRAILER_LENGTH
409 status = dcerpc_pull_dcerpc_auth(cli, &blob, &auth_info, false);
410 if (!NT_STATUS_IS_OK(status)) {
411 DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unmarshall dcerpc_auth.\n"));
415 /* Ensure auth_pad_len fits into the packet. */
416 if (pkt->frag_length < DCERPC_RESPONSE_LENGTH
417 + auth_info.auth_pad_length
418 + DCERPC_AUTH_TRAILER_LENGTH
419 + pkt->auth_length) {
420 DEBUG(0,("cli_pipe_verify_ntlmssp: auth_info.auth_pad_len "
421 "too large (%u), auth_len (%u), frag_len = (%u).\n",
422 (unsigned int)auth_info.auth_pad_length,
423 (unsigned int)pkt->auth_length,
424 (unsigned int)pkt->frag_length));
425 return NT_STATUS_BUFFER_TOO_SMALL;
429 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
430 * after the RPC header.
431 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
432 * functions as NTLMv2 checks the rpc headers also.
435 switch (cli->auth->auth_level) {
436 case DCERPC_AUTH_LEVEL_PRIVACY:
437 /* Data is encrypted. */
438 status = auth_ntlmssp_unseal_packet(
439 cli->auth->a_u.auth_ntlmssp_state,
440 pdu->data + DCERPC_RESPONSE_LENGTH,
442 - DCERPC_RESPONSE_LENGTH
443 - DCERPC_AUTH_TRAILER_LENGTH
446 pkt->frag_length - pkt->auth_length,
447 &auth_info.credentials);
448 if (!NT_STATUS_IS_OK(status)) {
449 DEBUG(0, ("failed to unseal packet from %s."
451 rpccli_pipe_txt(talloc_tos(), cli),
457 case DCERPC_AUTH_LEVEL_INTEGRITY:
458 /* Data is signed. */
459 status = auth_ntlmssp_check_packet(
460 cli->auth->a_u.auth_ntlmssp_state,
461 pdu->data + DCERPC_RESPONSE_LENGTH,
463 - DCERPC_RESPONSE_LENGTH
464 - DCERPC_AUTH_TRAILER_LENGTH
467 pkt->frag_length - pkt->auth_length,
468 &auth_info.credentials);
469 if (!NT_STATUS_IS_OK(status)) {
470 DEBUG(0, ("check signing failed on packet from %s."
472 rpccli_pipe_txt(talloc_tos(), cli),
479 DEBUG(0, ("cli_pipe_verify_ntlmssp: unknown internal "
480 "auth level %d\n", cli->auth->auth_level));
481 return NT_STATUS_INVALID_INFO_CLASS;
485 * Remember the padding length. We must remove it from the real data
486 * stream once the sign/seal is done.
489 *p_ss_padding_len = auth_info.auth_pad_length;
494 /****************************************************************************
495 schannel specific sign/seal.
496 ****************************************************************************/
498 static NTSTATUS cli_pipe_verify_schannel(struct rpc_pipe_client *cli,
499 struct ncacn_packet *pkt,
501 uint8 *p_ss_padding_len)
503 struct dcerpc_auth auth_info;
507 if (cli->auth->auth_level == DCERPC_AUTH_LEVEL_NONE
508 || cli->auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
512 if (pkt->auth_length < NL_AUTH_SIGNATURE_SIZE) {
513 DEBUG(0, ("auth_len %u.\n", (unsigned int)pkt->auth_length));
514 return NT_STATUS_INVALID_PARAMETER;
517 if (!cli->auth->a_u.schannel_auth) {
518 return NT_STATUS_INVALID_PARAMETER;
521 /* Ensure there's enough data for an authenticated response. */
522 if ((pkt->auth_length > RPC_MAX_PDU_FRAG_LEN) ||
523 (pkt->frag_length < DCERPC_RESPONSE_LENGTH
524 + DCERPC_AUTH_TRAILER_LENGTH
525 + pkt->auth_length)) {
526 DEBUG(0, ("auth_len %u is too long.\n",
527 (unsigned int)pkt->auth_length));
528 return NT_STATUS_INVALID_PARAMETER;
531 /* get the auth blob at the end of the packet */
532 blob = data_blob_const(pdu->data + pkt->frag_length
533 - DCERPC_AUTH_TRAILER_LENGTH
535 DCERPC_AUTH_TRAILER_LENGTH
539 status = dcerpc_pull_dcerpc_auth(cli, &blob, &auth_info, false);
540 if (!NT_STATUS_IS_OK(status)) {
541 DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unmarshall dcerpc_auth.\n"));
545 /* Ensure auth_pad_len fits into the packet. */
546 if (pkt->frag_length < DCERPC_RESPONSE_LENGTH
547 + auth_info.auth_pad_length
548 + DCERPC_AUTH_TRAILER_LENGTH
549 + pkt->auth_length) {
550 DEBUG(0,("cli_pipe_verify_schannel: auth_info.auth_pad_len "
551 "too large (%u), auth_len (%u), frag_len = (%u).\n",
552 (unsigned int)auth_info.auth_pad_length,
553 (unsigned int)pkt->auth_length,
554 (unsigned int)pkt->frag_length));
555 return NT_STATUS_BUFFER_TOO_SMALL;
558 if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
559 DEBUG(0, ("Invalid auth info %d on schannel\n",
560 auth_info.auth_type));
561 return NT_STATUS_BUFFER_TOO_SMALL;
564 if (DEBUGLEVEL >= 10) {
565 dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_info.credentials);
568 switch (cli->auth->auth_level) {
569 case DCERPC_AUTH_LEVEL_PRIVACY:
570 status = netsec_incoming_packet(
571 cli->auth->a_u.schannel_auth,
574 pdu->data + DCERPC_RESPONSE_LENGTH,
576 - DCERPC_RESPONSE_LENGTH
577 - DCERPC_AUTH_TRAILER_LENGTH
579 &auth_info.credentials);
581 case DCERPC_AUTH_LEVEL_INTEGRITY:
582 status = netsec_incoming_packet(
583 cli->auth->a_u.schannel_auth,
586 pdu->data + DCERPC_RESPONSE_LENGTH,
588 - DCERPC_RESPONSE_LENGTH
589 - DCERPC_AUTH_TRAILER_LENGTH
591 &auth_info.credentials);
594 status = NT_STATUS_INTERNAL_ERROR;
598 if (!NT_STATUS_IS_OK(status)) {
599 DEBUG(3,("cli_pipe_verify_schannel: failed to decode PDU "
600 "Connection to %s (%s).\n",
601 rpccli_pipe_txt(talloc_tos(), cli),
603 return NT_STATUS_INVALID_PARAMETER;
607 * Remember the padding length. We must remove it from the real data
608 * stream once the sign/seal is done.
611 *p_ss_padding_len = auth_info.auth_pad_length;
616 /****************************************************************************
617 Do the authentication checks on an incoming pdu. Check sign and unseal etc.
618 ****************************************************************************/
620 static NTSTATUS cli_pipe_validate_rpc_response(struct rpc_pipe_client *cli,
621 struct ncacn_packet *pkt,
623 uint8 *p_ss_padding_len)
625 NTSTATUS ret = NT_STATUS_OK;
627 /* Paranioa checks for auth_len. */
628 if (pkt->auth_length) {
629 if (pkt->auth_length > pkt->frag_length) {
630 return NT_STATUS_INVALID_PARAMETER;
633 if ((pkt->auth_length
634 + (unsigned int)DCERPC_AUTH_TRAILER_LENGTH
635 < pkt->auth_length) ||
637 + (unsigned int)DCERPC_AUTH_TRAILER_LENGTH
638 < (unsigned int)DCERPC_AUTH_TRAILER_LENGTH)) {
639 /* Integer wrap attempt. */
640 return NT_STATUS_INVALID_PARAMETER;
645 * Now we have a complete RPC request PDU fragment, try and verify any auth data.
648 switch(cli->auth->auth_type) {
649 case PIPE_AUTH_TYPE_NONE:
650 if (pkt->auth_length) {
651 DEBUG(3, ("cli_pipe_validate_rpc_response: "
652 "Connection to %s - got non-zero "
654 rpccli_pipe_txt(talloc_tos(), cli),
655 (unsigned int)pkt->auth_length));
656 return NT_STATUS_INVALID_PARAMETER;
660 case PIPE_AUTH_TYPE_NTLMSSP:
661 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
662 ret = cli_pipe_verify_ntlmssp(cli, pkt, pdu,
664 if (!NT_STATUS_IS_OK(ret)) {
669 case PIPE_AUTH_TYPE_SCHANNEL:
670 ret = cli_pipe_verify_schannel(cli, pkt, pdu,
672 if (!NT_STATUS_IS_OK(ret)) {
677 case PIPE_AUTH_TYPE_KRB5:
678 case PIPE_AUTH_TYPE_SPNEGO_KRB5:
680 DEBUG(3, ("cli_pipe_validate_rpc_response: Connection "
681 "to %s - unknown internal auth type %u.\n",
682 rpccli_pipe_txt(talloc_tos(), cli),
683 cli->auth->auth_type ));
684 return NT_STATUS_INVALID_INFO_CLASS;
690 /****************************************************************************
691 Do basic authentication checks on an incoming pdu.
692 ****************************************************************************/
694 static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
695 struct rpc_pipe_client *cli,
696 struct ncacn_packet *pkt,
698 uint8_t expected_pkt_type,
700 DATA_BLOB *reply_pdu)
702 NTSTATUS ret = NT_STATUS_OK;
703 uint8 ss_padding_len = 0;
705 ret = dcerpc_pull_ncacn_packet(cli, pdu, pkt, false);
706 if (!NT_STATUS_IS_OK(ret)) {
710 if (pdu->length != pkt->frag_length) {
711 DEBUG(5, ("Incorrect pdu length %u, expected %u\n",
712 (unsigned int)pdu->length,
713 (unsigned int)pkt->frag_length));
714 return NT_STATUS_INVALID_PARAMETER;
718 * Point the return values at the real data including the RPC
719 * header. Just in case the caller wants it.
723 /* Ensure we have the correct type. */
724 switch (pkt->ptype) {
725 case DCERPC_PKT_ALTER_RESP:
726 case DCERPC_PKT_BIND_ACK:
728 /* Alter context and bind ack share the same packet definitions. */
732 case DCERPC_PKT_RESPONSE:
734 /* Here's where we deal with incoming sign/seal. */
735 ret = cli_pipe_validate_rpc_response(cli, pkt, pdu,
737 if (!NT_STATUS_IS_OK(ret)) {
741 /* Point the return values at the NDR data.
742 * Remember to remove any ss padding. */
743 rdata->data = pdu->data + DCERPC_RESPONSE_LENGTH;
745 if (pdu->length < DCERPC_RESPONSE_LENGTH + ss_padding_len) {
746 return NT_STATUS_BUFFER_TOO_SMALL;
749 rdata->length = pdu->length
750 - DCERPC_RESPONSE_LENGTH
753 /* Remember to remove the auth footer. */
754 if (pkt->auth_length) {
755 /* We've already done integer wrap tests on auth_len in
756 cli_pipe_validate_rpc_response(). */
757 if (rdata->length < DCERPC_AUTH_TRAILER_LENGTH
758 + pkt->auth_length) {
759 return NT_STATUS_BUFFER_TOO_SMALL;
761 rdata->length -= (DCERPC_AUTH_TRAILER_LENGTH
765 DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
766 (long unsigned int)pdu->length,
767 (long unsigned int)rdata->length,
768 (unsigned int)ss_padding_len));
771 * If this is the first reply, and the allocation hint is
772 * reasonable, try and set up the reply_pdu DATA_BLOB to the
776 if ((reply_pdu->length == 0) &&
777 pkt->u.response.alloc_hint &&
778 (pkt->u.response.alloc_hint < 15*1024*1024)) {
779 if (!data_blob_realloc(mem_ctx, reply_pdu,
780 pkt->u.response.alloc_hint)) {
781 DEBUG(0, ("reply alloc hint %d too "
782 "large to allocate\n",
783 (int)pkt->u.response.alloc_hint));
784 return NT_STATUS_NO_MEMORY;
790 case DCERPC_PKT_BIND_NAK:
791 DEBUG(1, ("cli_pipe_validate_current_pdu: Bind NACK "
792 "received from %s!\n",
793 rpccli_pipe_txt(talloc_tos(), cli)));
794 /* Use this for now... */
795 return NT_STATUS_NETWORK_ACCESS_DENIED;
797 case DCERPC_PKT_FAULT:
799 DEBUG(1, ("cli_pipe_validate_current_pdu: RPC fault "
800 "code %s received from %s!\n",
801 dcerpc_errstr(talloc_tos(),
802 pkt->u.fault.status),
803 rpccli_pipe_txt(talloc_tos(), cli)));
805 if (NT_STATUS_IS_OK(NT_STATUS(pkt->u.fault.status))) {
806 return NT_STATUS_UNSUCCESSFUL;
808 return NT_STATUS(pkt->u.fault.status);
812 DEBUG(0, ("Unknown packet type %u received from %s!\n",
813 (unsigned int)pkt->ptype,
814 rpccli_pipe_txt(talloc_tos(), cli)));
815 return NT_STATUS_INVALID_INFO_CLASS;
818 if (pkt->ptype != expected_pkt_type) {
819 DEBUG(3, ("cli_pipe_validate_current_pdu: Connection to %s "
820 "got an unexpected RPC packet type - %u, not %u\n",
821 rpccli_pipe_txt(talloc_tos(), cli),
824 return NT_STATUS_INVALID_INFO_CLASS;
827 /* Do this just before return - we don't want to modify any rpc header
828 data before now as we may have needed to do cryptographic actions on
831 if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
832 !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
833 DEBUG(5,("cli_pipe_validate_current_pdu: bug in server (AS/U?), "
834 "setting fragment first/last ON.\n"));
835 pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST |
836 DCERPC_PFC_FLAG_LAST;
842 /****************************************************************************
843 Call a remote api on an arbitrary pipe. takes param, data and setup buffers.
844 ****************************************************************************/
846 struct cli_api_pipe_state {
847 struct event_context *ev;
848 struct rpc_cli_transport *transport;
853 static void cli_api_pipe_trans_done(struct tevent_req *subreq);
854 static void cli_api_pipe_write_done(struct tevent_req *subreq);
855 static void cli_api_pipe_read_done(struct tevent_req *subreq);
857 static struct tevent_req *cli_api_pipe_send(TALLOC_CTX *mem_ctx,
858 struct event_context *ev,
859 struct rpc_cli_transport *transport,
860 uint8_t *data, size_t data_len,
861 uint32_t max_rdata_len)
863 struct tevent_req *req, *subreq;
864 struct cli_api_pipe_state *state;
867 req = tevent_req_create(mem_ctx, &state, struct cli_api_pipe_state);
872 state->transport = transport;
874 if (max_rdata_len < RPC_HEADER_LEN) {
876 * For a RPC reply we always need at least RPC_HEADER_LEN
877 * bytes. We check this here because we will receive
878 * RPC_HEADER_LEN bytes in cli_trans_sock_send_done.
880 status = NT_STATUS_INVALID_PARAMETER;
884 if (transport->trans_send != NULL) {
885 subreq = transport->trans_send(state, ev, data, data_len,
886 max_rdata_len, transport->priv);
887 if (subreq == NULL) {
890 tevent_req_set_callback(subreq, cli_api_pipe_trans_done, req);
895 * If the transport does not provide a "trans" routine, i.e. for
896 * example the ncacn_ip_tcp transport, do the write/read step here.
899 subreq = rpc_write_send(state, ev, transport, data, data_len);
900 if (subreq == NULL) {
903 tevent_req_set_callback(subreq, cli_api_pipe_write_done, req);
907 tevent_req_nterror(req, status);
908 return tevent_req_post(req, ev);
914 static void cli_api_pipe_trans_done(struct tevent_req *subreq)
916 struct tevent_req *req = tevent_req_callback_data(
917 subreq, struct tevent_req);
918 struct cli_api_pipe_state *state = tevent_req_data(
919 req, struct cli_api_pipe_state);
922 status = state->transport->trans_recv(subreq, state, &state->rdata,
925 if (!NT_STATUS_IS_OK(status)) {
926 tevent_req_nterror(req, status);
929 tevent_req_done(req);
932 static void cli_api_pipe_write_done(struct tevent_req *subreq)
934 struct tevent_req *req = tevent_req_callback_data(
935 subreq, struct tevent_req);
936 struct cli_api_pipe_state *state = tevent_req_data(
937 req, struct cli_api_pipe_state);
940 status = rpc_write_recv(subreq);
942 if (!NT_STATUS_IS_OK(status)) {
943 tevent_req_nterror(req, status);
947 state->rdata = TALLOC_ARRAY(state, uint8_t, RPC_HEADER_LEN);
948 if (tevent_req_nomem(state->rdata, req)) {
953 * We don't need to use rpc_read_send here, the upper layer will cope
954 * with a short read, transport->trans_send could also return less
955 * than state->max_rdata_len.
957 subreq = state->transport->read_send(state, state->ev, state->rdata,
959 state->transport->priv);
960 if (tevent_req_nomem(subreq, req)) {
963 tevent_req_set_callback(subreq, cli_api_pipe_read_done, req);
966 static void cli_api_pipe_read_done(struct tevent_req *subreq)
968 struct tevent_req *req = tevent_req_callback_data(
969 subreq, struct tevent_req);
970 struct cli_api_pipe_state *state = tevent_req_data(
971 req, struct cli_api_pipe_state);
975 status = state->transport->read_recv(subreq, &received);
977 if (!NT_STATUS_IS_OK(status)) {
978 tevent_req_nterror(req, status);
981 state->rdata_len = received;
982 tevent_req_done(req);
985 static NTSTATUS cli_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
986 uint8_t **prdata, uint32_t *prdata_len)
988 struct cli_api_pipe_state *state = tevent_req_data(
989 req, struct cli_api_pipe_state);
992 if (tevent_req_is_nterror(req, &status)) {
996 *prdata = talloc_move(mem_ctx, &state->rdata);
997 *prdata_len = state->rdata_len;
1001 /****************************************************************************
1002 Send data on an rpc pipe via trans. The data must be the last
1003 pdu fragment of an NDR data stream.
1005 Receive response data from an rpc pipe, which may be large...
1007 Read the first fragment: unfortunately have to use SMBtrans for the first
1008 bit, then SMBreadX for subsequent bits.
1010 If first fragment received also wasn't the last fragment, continue
1011 getting fragments until we _do_ receive the last fragment.
1013 Request/Response PDU's look like the following...
1015 |<------------------PDU len----------------------------------------------->|
1016 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
1018 +------------+-----------------+-------------+---------------+-------------+
1019 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
1020 +------------+-----------------+-------------+---------------+-------------+
1022 Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
1023 signing & sealing being negotiated.
1025 ****************************************************************************/
1027 struct rpc_api_pipe_state {
1028 struct event_context *ev;
1029 struct rpc_pipe_client *cli;
1030 uint8_t expected_pkt_type;
1032 DATA_BLOB incoming_frag;
1033 struct ncacn_packet *pkt;
1035 /* Incoming reply */
1036 DATA_BLOB reply_pdu;
1037 size_t reply_pdu_offset;
1041 static void rpc_api_pipe_trans_done(struct tevent_req *subreq);
1042 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq);
1044 static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,
1045 struct event_context *ev,
1046 struct rpc_pipe_client *cli,
1047 DATA_BLOB *data, /* Outgoing PDU */
1048 uint8_t expected_pkt_type)
1050 struct tevent_req *req, *subreq;
1051 struct rpc_api_pipe_state *state;
1052 uint16_t max_recv_frag;
1055 req = tevent_req_create(mem_ctx, &state, struct rpc_api_pipe_state);
1061 state->expected_pkt_type = expected_pkt_type;
1062 state->incoming_frag = data_blob_null;
1063 state->reply_pdu = data_blob_null;
1064 state->reply_pdu_offset = 0;
1065 state->endianess = DCERPC_DREP_LE;
1068 * Ensure we're not sending too much.
1070 if (data->length > cli->max_xmit_frag) {
1071 status = NT_STATUS_INVALID_PARAMETER;
1075 DEBUG(5,("rpc_api_pipe: %s\n", rpccli_pipe_txt(talloc_tos(), cli)));
1077 /* get the header first, then fetch the rest once we have
1078 * the frag_length available */
1079 max_recv_frag = RPC_HEADER_LEN;
1081 subreq = cli_api_pipe_send(state, ev, cli->transport,
1082 data->data, data->length, max_recv_frag);
1083 if (subreq == NULL) {
1086 tevent_req_set_callback(subreq, rpc_api_pipe_trans_done, req);
1090 tevent_req_nterror(req, status);
1091 return tevent_req_post(req, ev);
1097 static void rpc_api_pipe_trans_done(struct tevent_req *subreq)
1099 struct tevent_req *req = tevent_req_callback_data(
1100 subreq, struct tevent_req);
1101 struct rpc_api_pipe_state *state = tevent_req_data(
1102 req, struct rpc_api_pipe_state);
1104 uint8_t *rdata = NULL;
1105 uint32_t rdata_len = 0;
1107 status = cli_api_pipe_recv(subreq, state, &rdata, &rdata_len);
1108 TALLOC_FREE(subreq);
1109 if (!NT_STATUS_IS_OK(status)) {
1110 DEBUG(5, ("cli_api_pipe failed: %s\n", nt_errstr(status)));
1111 tevent_req_nterror(req, status);
1115 if (rdata == NULL) {
1116 DEBUG(3,("rpc_api_pipe: %s failed to return data.\n",
1117 rpccli_pipe_txt(talloc_tos(), state->cli)));
1118 tevent_req_done(req);
1123 * Move data on state->incoming_frag.
1125 state->incoming_frag.data = talloc_move(state, &rdata);
1126 state->incoming_frag.length = rdata_len;
1127 if (!state->incoming_frag.data) {
1128 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
1132 /* Ensure we have enough data for a pdu. */
1133 subreq = get_complete_frag_send(state, state->ev, state->cli,
1134 &state->incoming_frag);
1135 if (tevent_req_nomem(subreq, req)) {
1138 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
1141 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
1143 struct tevent_req *req = tevent_req_callback_data(
1144 subreq, struct tevent_req);
1145 struct rpc_api_pipe_state *state = tevent_req_data(
1146 req, struct rpc_api_pipe_state);
1148 DATA_BLOB rdata = data_blob_null;
1150 status = get_complete_frag_recv(subreq);
1151 TALLOC_FREE(subreq);
1152 if (!NT_STATUS_IS_OK(status)) {
1153 DEBUG(5, ("get_complete_frag failed: %s\n",
1154 nt_errstr(status)));
1155 tevent_req_nterror(req, status);
1159 state->pkt = talloc(state, struct ncacn_packet);
1161 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
1165 status = cli_pipe_validate_current_pdu(state,
1166 state->cli, state->pkt,
1167 &state->incoming_frag,
1168 state->expected_pkt_type,
1172 DEBUG(10,("rpc_api_pipe: got frag len of %u at offset %u: %s\n",
1173 (unsigned)state->incoming_frag.length,
1174 (unsigned)state->reply_pdu_offset,
1175 nt_errstr(status)));
1177 if (!NT_STATUS_IS_OK(status)) {
1178 tevent_req_nterror(req, status);
1182 if ((state->pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST)
1183 && (state->pkt->drep[0] != DCERPC_DREP_LE)) {
1185 * Set the data type correctly for big-endian data on the
1188 DEBUG(10,("rpc_api_pipe: On %s PDU data format is "
1190 rpccli_pipe_txt(talloc_tos(), state->cli)));
1191 state->endianess = 0x00; /* BIG ENDIAN */
1194 * Check endianness on subsequent packets.
1196 if (state->endianess != state->pkt->drep[0]) {
1197 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to "
1199 state->endianess?"little":"big",
1200 state->pkt->drep[0]?"little":"big"));
1201 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1205 /* Now copy the data portion out of the pdu into rbuf. */
1206 if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
1207 if (!data_blob_realloc(NULL, &state->reply_pdu,
1208 state->reply_pdu_offset + rdata.length)) {
1209 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
1214 memcpy(state->reply_pdu.data + state->reply_pdu_offset,
1215 rdata.data, rdata.length);
1216 state->reply_pdu_offset += rdata.length;
1218 /* reset state->incoming_frag, there is no need to free it,
1219 * it will be reallocated to the right size the next time
1221 state->incoming_frag.length = 0;
1223 if (state->pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1224 /* make sure the pdu length is right now that we
1225 * have all the data available (alloc hint may
1226 * have allocated more than was actually used) */
1227 state->reply_pdu.length = state->reply_pdu_offset;
1228 DEBUG(10,("rpc_api_pipe: %s returned %u bytes.\n",
1229 rpccli_pipe_txt(talloc_tos(), state->cli),
1230 (unsigned)state->reply_pdu.length));
1231 tevent_req_done(req);
1235 subreq = get_complete_frag_send(state, state->ev, state->cli,
1236 &state->incoming_frag);
1237 if (tevent_req_nomem(subreq, req)) {
1240 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
1243 static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
1244 struct ncacn_packet **pkt,
1245 DATA_BLOB *reply_pdu)
1247 struct rpc_api_pipe_state *state = tevent_req_data(
1248 req, struct rpc_api_pipe_state);
1251 if (tevent_req_is_nterror(req, &status)) {
1255 /* return data to caller and assign it ownership of memory */
1257 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
1258 reply_pdu->length = state->reply_pdu.length;
1259 state->reply_pdu.length = 0;
1261 data_blob_free(&state->reply_pdu);
1265 *pkt = talloc_steal(mem_ctx, state->pkt);
1268 return NT_STATUS_OK;
1271 /*******************************************************************
1272 Creates krb5 auth bind.
1273 ********************************************************************/
1275 static NTSTATUS create_krb5_auth_bind_req(struct rpc_pipe_client *cli,
1276 enum dcerpc_AuthLevel auth_level,
1277 DATA_BLOB *auth_info)
1282 struct kerberos_auth_struct *a = cli->auth->a_u.kerberos_auth;
1283 DATA_BLOB tkt = data_blob_null;
1284 DATA_BLOB tkt_wrapped = data_blob_null;
1286 DEBUG(5, ("create_krb5_auth_bind_req: creating a service ticket for principal %s\n",
1287 a->service_principal ));
1289 /* Create the ticket for the service principal and return it in a gss-api wrapped blob. */
1291 ret = cli_krb5_get_ticket(a, a->service_principal, 0,
1292 &tkt, &a->session_key,
1293 AP_OPTS_MUTUAL_REQUIRED, NULL,
1297 DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s "
1299 a->service_principal,
1300 error_message(ret) ));
1302 data_blob_free(&tkt);
1303 return NT_STATUS_INVALID_PARAMETER;
1306 /* wrap that up in a nice GSS-API wrapping */
1307 tkt_wrapped = spnego_gen_krb5_wrap(talloc_tos(), tkt, TOK_ID_KRB_AP_REQ);
1309 data_blob_free(&tkt);
1311 status = dcerpc_push_dcerpc_auth(cli,
1312 DCERPC_AUTH_TYPE_KRB5,
1314 0, /* auth_pad_length */
1315 1, /* auth_context_id */
1318 if (!NT_STATUS_IS_OK(status)) {
1319 data_blob_free(&tkt_wrapped);
1323 DEBUG(5, ("create_krb5_auth_bind_req: Created krb5 GSS blob :\n"));
1324 dump_data(5, tkt_wrapped.data, tkt_wrapped.length);
1326 return NT_STATUS_OK;
1328 return NT_STATUS_INVALID_PARAMETER;
1332 /*******************************************************************
1333 Creates SPNEGO NTLMSSP auth bind.
1334 ********************************************************************/
1336 static NTSTATUS create_spnego_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1337 enum dcerpc_AuthLevel auth_level,
1338 DATA_BLOB *auth_info)
1341 DATA_BLOB null_blob = data_blob_null;
1342 DATA_BLOB request = data_blob_null;
1343 DATA_BLOB spnego_msg = data_blob_null;
1344 const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL};
1346 DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
1347 status = auth_ntlmssp_update(cli->auth->a_u.auth_ntlmssp_state,
1351 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1352 data_blob_free(&request);
1356 /* Wrap this in SPNEGO. */
1357 spnego_msg = spnego_gen_negTokenInit(talloc_tos(), OIDs_ntlm, &request, NULL);
1359 data_blob_free(&request);
1361 status = dcerpc_push_dcerpc_auth(cli,
1362 DCERPC_AUTH_TYPE_SPNEGO,
1364 0, /* auth_pad_length */
1365 1, /* auth_context_id */
1369 if (!NT_STATUS_IS_OK(status)) {
1370 data_blob_free(&spnego_msg);
1374 DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1375 dump_data(5, spnego_msg.data, spnego_msg.length);
1376 data_blob_free(&spnego_msg);
1378 return NT_STATUS_OK;
1381 /*******************************************************************
1382 Creates NTLMSSP auth bind.
1383 ********************************************************************/
1385 static NTSTATUS create_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1386 enum dcerpc_AuthLevel auth_level,
1387 DATA_BLOB *auth_info)
1390 DATA_BLOB null_blob = data_blob_null;
1391 DATA_BLOB request = data_blob_null;
1393 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
1394 status = auth_ntlmssp_update(cli->auth->a_u.auth_ntlmssp_state,
1398 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1399 data_blob_free(&request);
1403 status = dcerpc_push_dcerpc_auth(cli,
1404 DCERPC_AUTH_TYPE_NTLMSSP,
1406 0, /* auth_pad_length */
1407 1, /* auth_context_id */
1410 if (!NT_STATUS_IS_OK(status)) {
1411 data_blob_free(&request);
1415 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1416 dump_data(5, request.data, request.length);
1418 return NT_STATUS_OK;
1421 /*******************************************************************
1422 Creates schannel auth bind.
1423 ********************************************************************/
1425 static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1426 enum dcerpc_AuthLevel auth_level,
1427 DATA_BLOB *auth_info)
1430 struct NL_AUTH_MESSAGE r;
1431 DATA_BLOB schannel_blob;
1433 /* Use lp_workgroup() if domain not specified */
1435 if (!cli->auth->domain || !cli->auth->domain[0]) {
1436 cli->auth->domain = talloc_strdup(cli, lp_workgroup());
1437 if (cli->auth->domain == NULL) {
1438 return NT_STATUS_NO_MEMORY;
1443 * Now marshall the data into the auth parse_struct.
1446 r.MessageType = NL_NEGOTIATE_REQUEST;
1447 r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
1448 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
1449 r.oem_netbios_domain.a = cli->auth->domain;
1450 r.oem_netbios_computer.a = global_myname();
1452 status = dcerpc_push_schannel_bind(cli, &r, &schannel_blob);
1453 if (!NT_STATUS_IS_OK(status)) {
1457 status = dcerpc_push_dcerpc_auth(cli,
1458 DCERPC_AUTH_TYPE_SCHANNEL,
1460 0, /* auth_pad_length */
1461 1, /* auth_context_id */
1464 if (!NT_STATUS_IS_OK(status)) {
1468 return NT_STATUS_OK;
1471 /*******************************************************************
1472 Creates the internals of a DCE/RPC bind request or alter context PDU.
1473 ********************************************************************/
1475 static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
1476 enum dcerpc_pkt_type ptype,
1478 const struct ndr_syntax_id *abstract,
1479 const struct ndr_syntax_id *transfer,
1480 const DATA_BLOB *auth_info,
1483 uint16 auth_len = auth_info->length;
1485 union dcerpc_payload u;
1486 struct dcerpc_ctx_list ctx_list;
1489 auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
1492 ctx_list.context_id = 0;
1493 ctx_list.num_transfer_syntaxes = 1;
1494 ctx_list.abstract_syntax = *abstract;
1495 ctx_list.transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer);
1497 u.bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1498 u.bind.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1499 u.bind.assoc_group_id = 0x0;
1500 u.bind.num_contexts = 1;
1501 u.bind.ctx_list = &ctx_list;
1502 u.bind.auth_info = *auth_info;
1504 status = dcerpc_push_ncacn_packet(mem_ctx,
1506 DCERPC_PFC_FLAG_FIRST |
1507 DCERPC_PFC_FLAG_LAST,
1512 if (!NT_STATUS_IS_OK(status)) {
1513 DEBUG(0, ("Failed to marshall bind/alter ncacn_packet.\n"));
1517 return NT_STATUS_OK;
1520 /*******************************************************************
1521 Creates a DCE/RPC bind request.
1522 ********************************************************************/
1524 static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
1525 struct rpc_pipe_client *cli,
1527 const struct ndr_syntax_id *abstract,
1528 const struct ndr_syntax_id *transfer,
1529 enum pipe_auth_type auth_type,
1530 enum dcerpc_AuthLevel auth_level,
1533 DATA_BLOB auth_info = data_blob_null;
1534 NTSTATUS ret = NT_STATUS_OK;
1536 switch (auth_type) {
1537 case PIPE_AUTH_TYPE_SCHANNEL:
1538 ret = create_schannel_auth_rpc_bind_req(cli, auth_level, &auth_info);
1539 if (!NT_STATUS_IS_OK(ret)) {
1544 case PIPE_AUTH_TYPE_NTLMSSP:
1545 ret = create_ntlmssp_auth_rpc_bind_req(cli, auth_level, &auth_info);
1546 if (!NT_STATUS_IS_OK(ret)) {
1551 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1552 ret = create_spnego_ntlmssp_auth_rpc_bind_req(cli, auth_level, &auth_info);
1553 if (!NT_STATUS_IS_OK(ret)) {
1558 case PIPE_AUTH_TYPE_KRB5:
1559 ret = create_krb5_auth_bind_req(cli, auth_level, &auth_info);
1560 if (!NT_STATUS_IS_OK(ret)) {
1565 case PIPE_AUTH_TYPE_NONE:
1569 /* "Can't" happen. */
1570 return NT_STATUS_INVALID_INFO_CLASS;
1573 ret = create_bind_or_alt_ctx_internal(mem_ctx,
1583 /*******************************************************************
1584 Create and add the NTLMSSP sign/seal auth header and data.
1585 ********************************************************************/
1587 static NTSTATUS add_ntlmssp_auth_footer(struct auth_ntlmssp_state *auth_state,
1588 enum dcerpc_AuthLevel auth_level,
1591 uint16_t data_and_pad_len = rpc_out->length
1592 - DCERPC_RESPONSE_LENGTH
1593 - DCERPC_AUTH_TRAILER_LENGTH;
1594 DATA_BLOB auth_blob;
1598 return NT_STATUS_INVALID_PARAMETER;
1601 switch (auth_level) {
1602 case DCERPC_AUTH_LEVEL_PRIVACY:
1603 /* Data portion is encrypted. */
1604 status = auth_ntlmssp_seal_packet(auth_state,
1607 + DCERPC_RESPONSE_LENGTH,
1612 if (!NT_STATUS_IS_OK(status)) {
1617 case DCERPC_AUTH_LEVEL_INTEGRITY:
1618 /* Data is signed. */
1619 status = auth_ntlmssp_sign_packet(auth_state,
1622 + DCERPC_RESPONSE_LENGTH,
1627 if (!NT_STATUS_IS_OK(status)) {
1634 smb_panic("bad auth level");
1636 return NT_STATUS_INVALID_PARAMETER;
1639 /* Finally attach the blob. */
1640 if (!data_blob_append(NULL, rpc_out,
1641 auth_blob.data, auth_blob.length)) {
1642 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
1643 (unsigned int)auth_blob.length));
1644 return NT_STATUS_NO_MEMORY;
1646 data_blob_free(&auth_blob);
1648 return NT_STATUS_OK;
1651 /*******************************************************************
1652 Create and add the schannel sign/seal auth header and data.
1653 ********************************************************************/
1655 static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
1656 enum dcerpc_AuthLevel auth_level,
1659 uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
1660 size_t data_and_pad_len = rpc_out->length
1661 - DCERPC_RESPONSE_LENGTH
1662 - DCERPC_AUTH_TRAILER_LENGTH;
1663 DATA_BLOB auth_blob;
1667 return NT_STATUS_INVALID_PARAMETER;
1670 DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
1673 switch (auth_level) {
1674 case DCERPC_AUTH_LEVEL_PRIVACY:
1675 status = netsec_outgoing_packet(sas,
1682 case DCERPC_AUTH_LEVEL_INTEGRITY:
1683 status = netsec_outgoing_packet(sas,
1691 status = NT_STATUS_INTERNAL_ERROR;
1695 if (!NT_STATUS_IS_OK(status)) {
1696 DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
1697 nt_errstr(status)));
1701 if (DEBUGLEVEL >= 10) {
1702 dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob);
1705 /* Finally attach the blob. */
1706 if (!data_blob_append(NULL, rpc_out,
1707 auth_blob.data, auth_blob.length)) {
1708 return NT_STATUS_NO_MEMORY;
1710 data_blob_free(&auth_blob);
1712 return NT_STATUS_OK;
1715 /*******************************************************************
1716 Calculate how much data we're going to send in this packet, also
1717 work out any sign/seal padding length.
1718 ********************************************************************/
1720 static uint32 calculate_data_len_tosend(struct rpc_pipe_client *cli,
1724 uint32 *p_ss_padding)
1726 uint32 data_space, data_len;
1729 if ((data_left > 0) && (sys_random() % 2)) {
1730 data_left = MAX(data_left/2, 1);
1734 switch (cli->auth->auth_level) {
1735 case DCERPC_AUTH_LEVEL_NONE:
1736 case DCERPC_AUTH_LEVEL_CONNECT:
1737 data_space = cli->max_xmit_frag - DCERPC_REQUEST_LENGTH;
1738 data_len = MIN(data_space, data_left);
1741 *p_frag_len = DCERPC_REQUEST_LENGTH + data_len;
1744 case DCERPC_AUTH_LEVEL_INTEGRITY:
1745 case DCERPC_AUTH_LEVEL_PRIVACY:
1746 /* Treat the same for all authenticated rpc requests. */
1747 switch(cli->auth->auth_type) {
1748 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1749 case PIPE_AUTH_TYPE_NTLMSSP:
1750 *p_auth_len = NTLMSSP_SIG_SIZE;
1752 case PIPE_AUTH_TYPE_SCHANNEL:
1753 *p_auth_len = NL_AUTH_SIGNATURE_SIZE;
1756 smb_panic("bad auth type");
1760 data_space = cli->max_xmit_frag
1761 - DCERPC_REQUEST_LENGTH
1762 - DCERPC_AUTH_TRAILER_LENGTH
1765 data_len = MIN(data_space, data_left);
1767 if (data_len % CLIENT_NDR_PADDING_SIZE) {
1768 *p_ss_padding = CLIENT_NDR_PADDING_SIZE - (data_len % CLIENT_NDR_PADDING_SIZE);
1770 *p_frag_len = DCERPC_REQUEST_LENGTH
1771 + data_len + *p_ss_padding
1772 + DCERPC_AUTH_TRAILER_LENGTH
1777 smb_panic("bad auth level");
1783 /*******************************************************************
1785 Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
1786 Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
1787 and deals with signing/sealing details.
1788 ********************************************************************/
1790 struct rpc_api_pipe_req_state {
1791 struct event_context *ev;
1792 struct rpc_pipe_client *cli;
1795 DATA_BLOB *req_data;
1796 uint32_t req_data_sent;
1798 DATA_BLOB reply_pdu;
1801 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
1802 static void rpc_api_pipe_req_done(struct tevent_req *subreq);
1803 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1804 bool *is_last_frag);
1806 struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
1807 struct event_context *ev,
1808 struct rpc_pipe_client *cli,
1810 DATA_BLOB *req_data)
1812 struct tevent_req *req, *subreq;
1813 struct rpc_api_pipe_req_state *state;
1817 req = tevent_req_create(mem_ctx, &state,
1818 struct rpc_api_pipe_req_state);
1824 state->op_num = op_num;
1825 state->req_data = req_data;
1826 state->req_data_sent = 0;
1827 state->call_id = get_rpc_call_id();
1828 state->reply_pdu = data_blob_null;
1829 state->rpc_out = data_blob_null;
1831 if (cli->max_xmit_frag < DCERPC_REQUEST_LENGTH
1832 + RPC_MAX_SIGN_SIZE) {
1833 /* Server is screwed up ! */
1834 status = NT_STATUS_INVALID_PARAMETER;
1838 status = prepare_next_frag(state, &is_last_frag);
1839 if (!NT_STATUS_IS_OK(status)) {
1844 subreq = rpc_api_pipe_send(state, ev, state->cli,
1846 DCERPC_PKT_RESPONSE);
1847 if (subreq == NULL) {
1850 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1852 subreq = rpc_write_send(state, ev, cli->transport,
1853 state->rpc_out.data,
1854 state->rpc_out.length);
1855 if (subreq == NULL) {
1858 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1864 tevent_req_nterror(req, status);
1865 return tevent_req_post(req, ev);
1871 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1874 uint32_t data_sent_thistime;
1878 uint32_t ss_padding;
1880 char pad[8] = { 0, };
1882 union dcerpc_payload u;
1883 DATA_BLOB auth_info;
1884 DATA_BLOB auth_blob = data_blob_null;
1886 data_left = state->req_data->length - state->req_data_sent;
1888 data_sent_thistime = calculate_data_len_tosend(
1889 state->cli, data_left, &frag_len, &auth_len, &ss_padding);
1891 if (state->req_data_sent == 0) {
1892 flags = DCERPC_PFC_FLAG_FIRST;
1895 if (data_sent_thistime == data_left) {
1896 flags |= DCERPC_PFC_FLAG_LAST;
1899 data_blob_free(&state->rpc_out);
1901 ZERO_STRUCT(u.request);
1903 u.request.alloc_hint = state->req_data->length;
1904 u.request.context_id = 0;
1905 u.request.opnum = state->op_num;
1907 status = dcerpc_push_ncacn_packet(state,
1914 if (!NT_STATUS_IS_OK(status)) {
1918 /* explicitly set frag_len here as dcerpc_push_ncacn_packet() can't
1919 * compute it right for requests */
1920 dcerpc_set_frag_length(&state->rpc_out, frag_len);
1922 /* Copy in the data, plus any ss padding. */
1923 if (!data_blob_append(NULL, &state->rpc_out,
1924 state->req_data->data + state->req_data_sent,
1925 data_sent_thistime)) {
1926 return NT_STATUS_NO_MEMORY;
1930 /* Copy the sign/seal padding data. */
1931 if (!data_blob_append(NULL, &state->rpc_out,
1933 return NT_STATUS_NO_MEMORY;
1937 switch (state->cli->auth->auth_type) {
1938 case PIPE_AUTH_TYPE_NONE:
1940 case PIPE_AUTH_TYPE_NTLMSSP:
1941 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1942 case PIPE_AUTH_TYPE_SCHANNEL:
1943 /* marshall the dcerpc_auth with an actually empty auth_blob.
1944 * This is needed because the ntmlssp signature includes the
1946 status = dcerpc_push_dcerpc_auth(state->rpc_out.data,
1947 map_pipe_auth_type_to_rpc_auth_type(state->cli->auth->auth_type),
1948 state->cli->auth->auth_level,
1950 1 /* context id. */,
1953 if (!NT_STATUS_IS_OK(status)) {
1957 /* append the header */
1958 if (!data_blob_append(NULL, &state->rpc_out,
1959 auth_info.data, auth_info.length)) {
1960 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
1961 (unsigned int)auth_info.length));
1962 return NT_STATUS_NO_MEMORY;
1964 data_blob_free(&auth_info);
1971 /* Generate any auth sign/seal and add the auth footer. */
1972 switch (state->cli->auth->auth_type) {
1973 case PIPE_AUTH_TYPE_NONE:
1974 status = NT_STATUS_OK;
1976 case PIPE_AUTH_TYPE_NTLMSSP:
1977 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1978 status = add_ntlmssp_auth_footer(state->cli->auth->a_u.auth_ntlmssp_state,
1979 state->cli->auth->auth_level,
1982 case PIPE_AUTH_TYPE_SCHANNEL:
1983 status = add_schannel_auth_footer(state->cli->auth->a_u.schannel_auth,
1984 state->cli->auth->auth_level,
1988 status = NT_STATUS_INVALID_PARAMETER;
1992 state->req_data_sent += data_sent_thistime;
1993 *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
1998 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq)
2000 struct tevent_req *req = tevent_req_callback_data(
2001 subreq, struct tevent_req);
2002 struct rpc_api_pipe_req_state *state = tevent_req_data(
2003 req, struct rpc_api_pipe_req_state);
2007 status = rpc_write_recv(subreq);
2008 TALLOC_FREE(subreq);
2009 if (!NT_STATUS_IS_OK(status)) {
2010 tevent_req_nterror(req, status);
2014 status = prepare_next_frag(state, &is_last_frag);
2015 if (!NT_STATUS_IS_OK(status)) {
2016 tevent_req_nterror(req, status);
2021 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
2023 DCERPC_PKT_RESPONSE);
2024 if (tevent_req_nomem(subreq, req)) {
2027 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
2029 subreq = rpc_write_send(state, state->ev,
2030 state->cli->transport,
2031 state->rpc_out.data,
2032 state->rpc_out.length);
2033 if (tevent_req_nomem(subreq, req)) {
2036 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
2041 static void rpc_api_pipe_req_done(struct tevent_req *subreq)
2043 struct tevent_req *req = tevent_req_callback_data(
2044 subreq, struct tevent_req);
2045 struct rpc_api_pipe_req_state *state = tevent_req_data(
2046 req, struct rpc_api_pipe_req_state);
2049 status = rpc_api_pipe_recv(subreq, state, NULL, &state->reply_pdu);
2050 TALLOC_FREE(subreq);
2051 if (!NT_STATUS_IS_OK(status)) {
2052 tevent_req_nterror(req, status);
2055 tevent_req_done(req);
2058 NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
2059 DATA_BLOB *reply_pdu)
2061 struct rpc_api_pipe_req_state *state = tevent_req_data(
2062 req, struct rpc_api_pipe_req_state);
2065 if (tevent_req_is_nterror(req, &status)) {
2067 * We always have to initialize to reply pdu, even if there is
2068 * none. The rpccli_* caller routines expect this.
2070 *reply_pdu = data_blob_null;
2074 /* return data to caller and assign it ownership of memory */
2075 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
2076 reply_pdu->length = state->reply_pdu.length;
2077 state->reply_pdu.length = 0;
2079 return NT_STATUS_OK;
2083 /****************************************************************************
2084 Set the handle state.
2085 ****************************************************************************/
2087 static bool rpc_pipe_set_hnd_state(struct rpc_pipe_client *cli,
2088 const char *pipe_name, uint16 device_state)
2090 bool state_set = False;
2092 uint16 setup[2]; /* only need 2 uint16 setup parameters */
2093 char *rparam = NULL;
2095 uint32 rparam_len, rdata_len;
2097 if (pipe_name == NULL)
2100 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
2101 cli->fnum, pipe_name, device_state));
2103 /* create parameters: device state */
2104 SSVAL(param, 0, device_state);
2106 /* create setup parameters. */
2108 setup[1] = cli->fnum; /* pipe file handle. got this from an SMBOpenX. */
2110 /* send the data on \PIPE\ */
2111 if (cli_api_pipe(cli->cli, "\\PIPE\\",
2112 setup, 2, 0, /* setup, length, max */
2113 param, 2, 0, /* param, length, max */
2114 NULL, 0, 1024, /* data, length, max */
2115 &rparam, &rparam_len, /* return param, length */
2116 &rdata, &rdata_len)) /* return data, length */
2118 DEBUG(5, ("Set Handle state: return OK\n"));
2129 /****************************************************************************
2130 Check the rpc bind acknowledge response.
2131 ****************************************************************************/
2133 static bool check_bind_response(const struct dcerpc_bind_ack *r,
2134 const struct ndr_syntax_id *transfer)
2136 struct dcerpc_ack_ctx ctx;
2138 if (r->secondary_address_size == 0) {
2139 DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
2142 if (r->num_results < 1 || !r->ctx_list) {
2146 ctx = r->ctx_list[0];
2148 /* check the transfer syntax */
2149 if ((ctx.syntax.if_version != transfer->if_version) ||
2150 (memcmp(&ctx.syntax.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
2151 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
2155 if (r->num_results != 0x1 || ctx.result != 0) {
2156 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
2157 r->num_results, ctx.reason));
2160 DEBUG(5,("check_bind_response: accepted!\n"));
2164 /*******************************************************************
2165 Creates a DCE/RPC bind authentication response.
2166 This is the packet that is sent back to the server once we
2167 have received a BIND-ACK, to finish the third leg of
2168 the authentication handshake.
2169 ********************************************************************/
2171 static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
2172 struct rpc_pipe_client *cli,
2174 enum pipe_auth_type auth_type,
2175 enum dcerpc_AuthLevel auth_level,
2176 DATA_BLOB *pauth_blob,
2180 union dcerpc_payload u;
2184 status = dcerpc_push_dcerpc_auth(mem_ctx,
2185 map_pipe_auth_type_to_rpc_auth_type(auth_type),
2187 0, /* auth_pad_length */
2188 1, /* auth_context_id */
2190 &u.auth3.auth_info);
2191 if (!NT_STATUS_IS_OK(status)) {
2195 status = dcerpc_push_ncacn_packet(mem_ctx,
2197 DCERPC_PFC_FLAG_FIRST |
2198 DCERPC_PFC_FLAG_LAST,
2203 data_blob_free(&u.auth3.auth_info);
2204 if (!NT_STATUS_IS_OK(status)) {
2205 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
2209 return NT_STATUS_OK;
2212 /*******************************************************************
2213 Creates a DCE/RPC bind alter context authentication request which
2214 may contain a spnego auth blobl
2215 ********************************************************************/
2217 static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
2219 const struct ndr_syntax_id *abstract,
2220 const struct ndr_syntax_id *transfer,
2221 enum dcerpc_AuthLevel auth_level,
2222 const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
2225 DATA_BLOB auth_info;
2228 status = dcerpc_push_dcerpc_auth(mem_ctx,
2229 DCERPC_AUTH_TYPE_SPNEGO,
2231 0, /* auth_pad_length */
2232 1, /* auth_context_id */
2235 if (!NT_STATUS_IS_OK(status)) {
2239 status = create_bind_or_alt_ctx_internal(mem_ctx,
2246 data_blob_free(&auth_info);
2250 /****************************************************************************
2252 ****************************************************************************/
2254 struct rpc_pipe_bind_state {
2255 struct event_context *ev;
2256 struct rpc_pipe_client *cli;
2258 uint32_t rpc_call_id;
2261 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
2262 static NTSTATUS rpc_finish_auth3_bind_send(struct tevent_req *req,
2263 struct rpc_pipe_bind_state *state,
2264 struct ncacn_packet *r);
2265 static void rpc_bind_auth3_write_done(struct tevent_req *subreq);
2266 static NTSTATUS rpc_finish_spnego_ntlmssp_bind_send(struct tevent_req *req,
2267 struct rpc_pipe_bind_state *state,
2268 struct ncacn_packet *r,
2269 DATA_BLOB *reply_pdu);
2270 static void rpc_bind_ntlmssp_api_done(struct tevent_req *subreq);
2272 struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
2273 struct event_context *ev,
2274 struct rpc_pipe_client *cli,
2275 struct pipe_auth_data *auth)
2277 struct tevent_req *req, *subreq;
2278 struct rpc_pipe_bind_state *state;
2281 req = tevent_req_create(mem_ctx, &state, struct rpc_pipe_bind_state);
2286 DEBUG(5,("Bind RPC Pipe: %s auth_type %u, auth_level %u\n",
2287 rpccli_pipe_txt(talloc_tos(), cli),
2288 (unsigned int)auth->auth_type,
2289 (unsigned int)auth->auth_level ));
2293 state->rpc_call_id = get_rpc_call_id();
2294 state->rpc_out = data_blob_null;
2296 cli->auth = talloc_move(cli, &auth);
2298 /* Marshall the outgoing data. */
2299 status = create_rpc_bind_req(state, cli,
2301 &cli->abstract_syntax,
2302 &cli->transfer_syntax,
2303 cli->auth->auth_type,
2304 cli->auth->auth_level,
2307 if (!NT_STATUS_IS_OK(status)) {
2311 subreq = rpc_api_pipe_send(state, ev, cli, &state->rpc_out,
2312 DCERPC_PKT_BIND_ACK);
2313 if (subreq == NULL) {
2316 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
2320 tevent_req_nterror(req, status);
2321 return tevent_req_post(req, ev);
2327 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
2329 struct tevent_req *req = tevent_req_callback_data(
2330 subreq, struct tevent_req);
2331 struct rpc_pipe_bind_state *state = tevent_req_data(
2332 req, struct rpc_pipe_bind_state);
2333 DATA_BLOB reply_pdu;
2334 struct ncacn_packet *pkt;
2337 status = rpc_api_pipe_recv(subreq, talloc_tos(), &pkt, &reply_pdu);
2338 TALLOC_FREE(subreq);
2339 if (!NT_STATUS_IS_OK(status)) {
2340 DEBUG(3, ("rpc_pipe_bind: %s bind request returned %s\n",
2341 rpccli_pipe_txt(talloc_tos(), state->cli),
2342 nt_errstr(status)));
2343 tevent_req_nterror(req, status);
2347 if (!check_bind_response(&pkt->u.bind_ack, &state->cli->transfer_syntax)) {
2348 DEBUG(2, ("rpc_pipe_bind: check_bind_response failed.\n"));
2349 tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
2353 state->cli->max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
2354 state->cli->max_recv_frag = pkt->u.bind_ack.max_recv_frag;
2357 * For authenticated binds we may need to do 3 or 4 leg binds.
2360 switch(state->cli->auth->auth_type) {
2362 case PIPE_AUTH_TYPE_NONE:
2363 case PIPE_AUTH_TYPE_SCHANNEL:
2364 /* Bind complete. */
2365 tevent_req_done(req);
2368 case PIPE_AUTH_TYPE_NTLMSSP:
2369 /* Need to send AUTH3 packet - no reply. */
2370 status = rpc_finish_auth3_bind_send(req, state, pkt);
2371 if (!NT_STATUS_IS_OK(status)) {
2372 tevent_req_nterror(req, status);
2376 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
2377 /* Need to send alter context request and reply. */
2378 status = rpc_finish_spnego_ntlmssp_bind_send(req, state, pkt,
2380 if (!NT_STATUS_IS_OK(status)) {
2381 tevent_req_nterror(req, status);
2385 case PIPE_AUTH_TYPE_KRB5:
2389 DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n",
2390 (unsigned int)state->cli->auth->auth_type));
2391 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
2395 static NTSTATUS rpc_finish_auth3_bind_send(struct tevent_req *req,
2396 struct rpc_pipe_bind_state *state,
2397 struct ncacn_packet *r)
2399 DATA_BLOB client_reply = data_blob_null;
2400 struct dcerpc_auth auth;
2401 struct tevent_req *subreq;
2404 if ((r->auth_length == 0)
2405 || (r->frag_length < DCERPC_AUTH_TRAILER_LENGTH
2406 + r->auth_length)) {
2407 return NT_STATUS_INVALID_PARAMETER;
2410 status = dcerpc_pull_dcerpc_auth(talloc_tos(),
2411 &r->u.bind_ack.auth_info,
2413 if (!NT_STATUS_IS_OK(status)) {
2414 DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
2415 nt_errstr(status)));
2419 /* TODO - check auth_type/auth_level match. */
2421 status = auth_ntlmssp_update(state->cli->auth->a_u.auth_ntlmssp_state,
2422 auth.credentials, &client_reply);
2424 if (!NT_STATUS_IS_OK(status)) {
2425 DEBUG(0, ("rpc_finish_auth3_bind: NTLMSSP update using server "
2426 "blob failed: %s.\n", nt_errstr(status)));
2430 data_blob_free(&state->rpc_out);
2432 status = create_rpc_bind_auth3(state,
2433 state->cli, state->rpc_call_id,
2434 state->cli->auth->auth_type,
2435 state->cli->auth->auth_level,
2436 &client_reply, &state->rpc_out);
2437 data_blob_free(&client_reply);
2439 if (!NT_STATUS_IS_OK(status)) {
2443 subreq = rpc_write_send(state, state->ev, state->cli->transport,
2444 state->rpc_out.data, state->rpc_out.length);
2445 if (subreq == NULL) {
2446 return NT_STATUS_NO_MEMORY;
2448 tevent_req_set_callback(subreq, rpc_bind_auth3_write_done, req);
2449 return NT_STATUS_OK;
2452 static void rpc_bind_auth3_write_done(struct tevent_req *subreq)
2454 struct tevent_req *req = tevent_req_callback_data(
2455 subreq, struct tevent_req);
2458 status = rpc_write_recv(subreq);
2459 TALLOC_FREE(subreq);
2460 if (!NT_STATUS_IS_OK(status)) {
2461 tevent_req_nterror(req, status);
2464 tevent_req_done(req);
2467 static NTSTATUS rpc_finish_spnego_ntlmssp_bind_send(struct tevent_req *req,
2468 struct rpc_pipe_bind_state *state,
2469 struct ncacn_packet *r,
2470 DATA_BLOB *reply_pdu)
2472 DATA_BLOB server_ntlm_response = data_blob_null;
2473 DATA_BLOB client_reply = data_blob_null;
2474 DATA_BLOB tmp_blob = data_blob_null;
2475 struct dcerpc_auth auth_info;
2476 DATA_BLOB auth_blob;
2477 struct tevent_req *subreq;
2480 if ((r->auth_length == 0)
2481 || (r->frag_length < DCERPC_AUTH_TRAILER_LENGTH
2482 + r->auth_length)) {
2483 return NT_STATUS_INVALID_PARAMETER;
2486 /* Process the returned NTLMSSP blob first. */
2487 auth_blob = data_blob_const(reply_pdu->data
2489 - DCERPC_AUTH_TRAILER_LENGTH
2491 DCERPC_AUTH_TRAILER_LENGTH
2494 status = dcerpc_pull_dcerpc_auth(state, &auth_blob, &auth_info, false);
2495 if (!NT_STATUS_IS_OK(status)) {
2496 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
2501 * The server might give us back two challenges - tmp_blob is for the
2504 if (!spnego_parse_challenge(state, auth_info.credentials,
2505 &server_ntlm_response, &tmp_blob)) {
2506 data_blob_free(&server_ntlm_response);
2507 data_blob_free(&tmp_blob);
2508 return NT_STATUS_INVALID_PARAMETER;
2511 /* We're finished with the server spnego response and the tmp_blob. */
2512 data_blob_free(&tmp_blob);
2514 status = auth_ntlmssp_update(state->cli->auth->a_u.auth_ntlmssp_state,
2515 server_ntlm_response, &client_reply);
2517 /* Finished with the server_ntlm response */
2518 data_blob_free(&server_ntlm_response);
2520 if (!NT_STATUS_IS_OK(status)) {
2521 DEBUG(0, ("rpc_finish_spnego_ntlmssp_bind: NTLMSSP update "
2522 "using server blob failed.\n"));
2523 data_blob_free(&client_reply);
2527 /* SPNEGO wrap the client reply. */
2528 tmp_blob = spnego_gen_auth(state, client_reply);
2529 data_blob_free(&client_reply);
2530 client_reply = tmp_blob;
2531 tmp_blob = data_blob_null;
2533 /* Now prepare the alter context pdu. */
2534 data_blob_free(&state->rpc_out);
2536 status = create_rpc_alter_context(state,
2538 &state->cli->abstract_syntax,
2539 &state->cli->transfer_syntax,
2540 state->cli->auth->auth_level,
2543 data_blob_free(&client_reply);
2545 if (!NT_STATUS_IS_OK(status)) {
2549 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
2550 &state->rpc_out, DCERPC_PKT_ALTER_RESP);
2551 if (subreq == NULL) {
2552 return NT_STATUS_NO_MEMORY;
2554 tevent_req_set_callback(subreq, rpc_bind_ntlmssp_api_done, req);
2555 return NT_STATUS_OK;
2558 static void rpc_bind_ntlmssp_api_done(struct tevent_req *subreq)
2560 struct tevent_req *req = tevent_req_callback_data(
2561 subreq, struct tevent_req);
2562 struct rpc_pipe_bind_state *state = tevent_req_data(
2563 req, struct rpc_pipe_bind_state);
2564 DATA_BLOB tmp_blob = data_blob_null;
2565 struct ncacn_packet *pkt;
2566 struct dcerpc_auth auth;
2569 status = rpc_api_pipe_recv(subreq, talloc_tos(), &pkt, NULL);
2570 TALLOC_FREE(subreq);
2571 if (!NT_STATUS_IS_OK(status)) {
2572 tevent_req_nterror(req, status);
2576 status = dcerpc_pull_dcerpc_auth(pkt,
2577 &pkt->u.alter_resp.auth_info,
2579 if (!NT_STATUS_IS_OK(status)) {
2580 tevent_req_nterror(req, status);
2584 /* Check we got a valid auth response. */
2585 if (!spnego_parse_auth_response(talloc_tos(), auth.credentials,
2587 OID_NTLMSSP, &tmp_blob)) {
2588 data_blob_free(&tmp_blob);
2589 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
2593 data_blob_free(&tmp_blob);
2595 DEBUG(5,("rpc_finish_spnego_ntlmssp_bind: alter context request to "
2596 "%s.\n", rpccli_pipe_txt(talloc_tos(), state->cli)));
2597 tevent_req_done(req);
2600 NTSTATUS rpc_pipe_bind_recv(struct tevent_req *req)
2602 return tevent_req_simple_recv_ntstatus(req);
2605 NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
2606 struct pipe_auth_data *auth)
2608 TALLOC_CTX *frame = talloc_stackframe();
2609 struct event_context *ev;
2610 struct tevent_req *req;
2611 NTSTATUS status = NT_STATUS_OK;
2613 ev = event_context_init(frame);
2615 status = NT_STATUS_NO_MEMORY;
2619 req = rpc_pipe_bind_send(frame, ev, cli, auth);
2621 status = NT_STATUS_NO_MEMORY;
2625 if (!tevent_req_poll(req, ev)) {
2626 status = map_nt_error_from_unix(errno);
2630 status = rpc_pipe_bind_recv(req);
2636 #define RPCCLI_DEFAULT_TIMEOUT 10000 /* 10 seconds. */
2638 unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli,
2639 unsigned int timeout)
2643 if (rpc_cli->transport == NULL) {
2644 return RPCCLI_DEFAULT_TIMEOUT;
2647 if (rpc_cli->transport->set_timeout == NULL) {
2648 return RPCCLI_DEFAULT_TIMEOUT;
2651 old = rpc_cli->transport->set_timeout(rpc_cli->transport->priv, timeout);
2653 return RPCCLI_DEFAULT_TIMEOUT;
2659 bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli)
2661 if (rpc_cli == NULL) {
2665 if (rpc_cli->transport == NULL) {
2669 return rpc_cli->transport->is_connected(rpc_cli->transport->priv);
2672 bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
2674 struct cli_state *cli;
2676 if ((rpc_cli->auth->auth_type == PIPE_AUTH_TYPE_NTLMSSP)
2677 || (rpc_cli->auth->auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)) {
2678 memcpy(nt_hash, auth_ntlmssp_get_nt_hash(rpc_cli->auth->a_u.auth_ntlmssp_state), 16);
2682 cli = rpc_pipe_np_smb_conn(rpc_cli);
2686 E_md4hash(cli->password ? cli->password : "", nt_hash);
2690 NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
2691 struct pipe_auth_data **presult)
2693 struct pipe_auth_data *result;
2695 result = talloc(mem_ctx, struct pipe_auth_data);
2696 if (result == NULL) {
2697 return NT_STATUS_NO_MEMORY;
2700 result->auth_type = PIPE_AUTH_TYPE_NONE;
2701 result->auth_level = DCERPC_AUTH_LEVEL_NONE;
2703 result->user_name = talloc_strdup(result, "");
2704 result->domain = talloc_strdup(result, "");
2705 if ((result->user_name == NULL) || (result->domain == NULL)) {
2706 TALLOC_FREE(result);
2707 return NT_STATUS_NO_MEMORY;
2711 return NT_STATUS_OK;
2714 static int cli_auth_ntlmssp_data_destructor(struct pipe_auth_data *auth)
2716 TALLOC_FREE(auth->a_u.auth_ntlmssp_state);
2720 static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
2721 enum pipe_auth_type auth_type,
2722 enum dcerpc_AuthLevel auth_level,
2724 const char *username,
2725 const char *password,
2726 struct pipe_auth_data **presult)
2728 struct pipe_auth_data *result;
2731 result = talloc(mem_ctx, struct pipe_auth_data);
2732 if (result == NULL) {
2733 return NT_STATUS_NO_MEMORY;
2736 result->auth_type = auth_type;
2737 result->auth_level = auth_level;
2739 result->user_name = talloc_strdup(result, username);
2740 result->domain = talloc_strdup(result, domain);
2741 if ((result->user_name == NULL) || (result->domain == NULL)) {
2742 status = NT_STATUS_NO_MEMORY;
2746 status = auth_ntlmssp_client_start(NULL,
2749 lp_client_ntlmv2_auth(),
2750 &result->a_u.auth_ntlmssp_state);
2751 if (!NT_STATUS_IS_OK(status)) {
2755 talloc_set_destructor(result, cli_auth_ntlmssp_data_destructor);
2757 status = auth_ntlmssp_set_username(result->a_u.auth_ntlmssp_state,
2759 if (!NT_STATUS_IS_OK(status)) {
2763 status = auth_ntlmssp_set_domain(result->a_u.auth_ntlmssp_state,
2765 if (!NT_STATUS_IS_OK(status)) {
2769 status = auth_ntlmssp_set_password(result->a_u.auth_ntlmssp_state,
2771 if (!NT_STATUS_IS_OK(status)) {
2776 * Turn off sign+seal to allow selected auth level to turn it back on.
2778 auth_ntlmssp_and_flags(result->a_u.auth_ntlmssp_state,
2779 ~(NTLMSSP_NEGOTIATE_SIGN |
2780 NTLMSSP_NEGOTIATE_SEAL));
2782 if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
2783 auth_ntlmssp_or_flags(result->a_u.auth_ntlmssp_state,
2784 NTLMSSP_NEGOTIATE_SIGN);
2785 } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
2786 auth_ntlmssp_or_flags(result->a_u.auth_ntlmssp_state,
2787 NTLMSSP_NEGOTIATE_SEAL |
2788 NTLMSSP_NEGOTIATE_SIGN);
2792 return NT_STATUS_OK;
2795 TALLOC_FREE(result);
2799 NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
2800 enum dcerpc_AuthLevel auth_level,
2801 struct netlogon_creds_CredentialState *creds,
2802 struct pipe_auth_data **presult)
2804 struct pipe_auth_data *result;
2806 result = talloc(mem_ctx, struct pipe_auth_data);
2807 if (result == NULL) {
2808 return NT_STATUS_NO_MEMORY;
2811 result->auth_type = PIPE_AUTH_TYPE_SCHANNEL;
2812 result->auth_level = auth_level;
2814 result->user_name = talloc_strdup(result, "");
2815 result->domain = talloc_strdup(result, domain);
2816 if ((result->user_name == NULL) || (result->domain == NULL)) {
2820 result->a_u.schannel_auth = talloc(result, struct schannel_state);
2821 if (result->a_u.schannel_auth == NULL) {
2825 result->a_u.schannel_auth->state = SCHANNEL_STATE_START;
2826 result->a_u.schannel_auth->seq_num = 0;
2827 result->a_u.schannel_auth->initiator = true;
2828 result->a_u.schannel_auth->creds = creds;
2831 return NT_STATUS_OK;
2834 TALLOC_FREE(result);
2835 return NT_STATUS_NO_MEMORY;
2839 static int cli_auth_kerberos_data_destructor(struct kerberos_auth_struct *auth)
2841 data_blob_free(&auth->session_key);
2846 static NTSTATUS rpccli_kerberos_bind_data(TALLOC_CTX *mem_ctx,
2847 enum dcerpc_AuthLevel auth_level,
2848 const char *service_princ,
2849 const char *username,
2850 const char *password,
2851 struct pipe_auth_data **presult)
2854 struct pipe_auth_data *result;
2856 if ((username != NULL) && (password != NULL)) {
2857 int ret = kerberos_kinit_password(username, password, 0, NULL);
2859 return NT_STATUS_ACCESS_DENIED;
2863 result = talloc(mem_ctx, struct pipe_auth_data);
2864 if (result == NULL) {
2865 return NT_STATUS_NO_MEMORY;
2868 result->auth_type = PIPE_AUTH_TYPE_KRB5;
2869 result->auth_level = auth_level;
2872 * Username / domain need fixing!
2874 result->user_name = talloc_strdup(result, "");
2875 result->domain = talloc_strdup(result, "");
2876 if ((result->user_name == NULL) || (result->domain == NULL)) {
2880 result->a_u.kerberos_auth = TALLOC_ZERO_P(
2881 result, struct kerberos_auth_struct);
2882 if (result->a_u.kerberos_auth == NULL) {
2885 talloc_set_destructor(result->a_u.kerberos_auth,
2886 cli_auth_kerberos_data_destructor);
2888 result->a_u.kerberos_auth->service_principal = talloc_strdup(
2889 result, service_princ);
2890 if (result->a_u.kerberos_auth->service_principal == NULL) {
2895 return NT_STATUS_OK;
2898 TALLOC_FREE(result);
2899 return NT_STATUS_NO_MEMORY;
2901 return NT_STATUS_NOT_SUPPORTED;
2906 * Create an rpc pipe client struct, connecting to a tcp port.
2908 static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
2910 const struct ndr_syntax_id *abstract_syntax,
2911 struct rpc_pipe_client **presult)
2913 struct rpc_pipe_client *result;
2914 struct sockaddr_storage addr;
2918 result = TALLOC_ZERO_P(mem_ctx, struct rpc_pipe_client);
2919 if (result == NULL) {
2920 return NT_STATUS_NO_MEMORY;
2923 result->abstract_syntax = *abstract_syntax;
2924 result->transfer_syntax = ndr_transfer_syntax;
2925 result->dispatch = cli_do_rpc_ndr;
2926 result->dispatch_send = cli_do_rpc_ndr_send;
2927 result->dispatch_recv = cli_do_rpc_ndr_recv;
2929 result->desthost = talloc_strdup(result, host);
2930 result->srv_name_slash = talloc_asprintf_strupper_m(
2931 result, "\\\\%s", result->desthost);
2932 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2933 status = NT_STATUS_NO_MEMORY;
2937 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2938 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2940 if (!resolve_name(host, &addr, 0, false)) {
2941 status = NT_STATUS_NOT_FOUND;
2945 status = open_socket_out(&addr, port, 60, &fd);
2946 if (!NT_STATUS_IS_OK(status)) {
2949 set_socket_options(fd, lp_socket_options());
2951 status = rpc_transport_sock_init(result, fd, &result->transport);
2952 if (!NT_STATUS_IS_OK(status)) {
2957 result->transport->transport = NCACN_IP_TCP;
2960 return NT_STATUS_OK;
2963 TALLOC_FREE(result);
2968 * Determine the tcp port on which a dcerpc interface is listening
2969 * for the ncacn_ip_tcp transport via the endpoint mapper of the
2972 static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
2973 const struct ndr_syntax_id *abstract_syntax,
2977 struct rpc_pipe_client *epm_pipe = NULL;
2978 struct pipe_auth_data *auth = NULL;
2979 struct dcerpc_binding *map_binding = NULL;
2980 struct dcerpc_binding *res_binding = NULL;
2981 struct epm_twr_t *map_tower = NULL;
2982 struct epm_twr_t *res_towers = NULL;
2983 struct policy_handle *entry_handle = NULL;
2984 uint32_t num_towers = 0;
2985 uint32_t max_towers = 1;
2986 struct epm_twr_p_t towers;
2987 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2989 if (pport == NULL) {
2990 status = NT_STATUS_INVALID_PARAMETER;
2994 /* open the connection to the endpoint mapper */
2995 status = rpc_pipe_open_tcp_port(tmp_ctx, host, 135,
2996 &ndr_table_epmapper.syntax_id,
2999 if (!NT_STATUS_IS_OK(status)) {
3003 status = rpccli_anon_bind_data(tmp_ctx, &auth);
3004 if (!NT_STATUS_IS_OK(status)) {
3008 status = rpc_pipe_bind(epm_pipe, auth);
3009 if (!NT_STATUS_IS_OK(status)) {
3013 /* create tower for asking the epmapper */
3015 map_binding = TALLOC_ZERO_P(tmp_ctx, struct dcerpc_binding);
3016 if (map_binding == NULL) {
3017 status = NT_STATUS_NO_MEMORY;
3021 map_binding->transport = NCACN_IP_TCP;
3022 map_binding->object = *abstract_syntax;
3023 map_binding->host = host; /* needed? */
3024 map_binding->endpoint = "0"; /* correct? needed? */
3026 map_tower = TALLOC_ZERO_P(tmp_ctx, struct epm_twr_t);
3027 if (map_tower == NULL) {
3028 status = NT_STATUS_NO_MEMORY;
3032 status = dcerpc_binding_build_tower(tmp_ctx, map_binding,
3033 &(map_tower->tower));
3034 if (!NT_STATUS_IS_OK(status)) {
3038 /* allocate further parameters for the epm_Map call */
3040 res_towers = TALLOC_ARRAY(tmp_ctx, struct epm_twr_t, max_towers);
3041 if (res_towers == NULL) {
3042 status = NT_STATUS_NO_MEMORY;
3045 towers.twr = res_towers;
3047 entry_handle = TALLOC_ZERO_P(tmp_ctx, struct policy_handle);
3048 if (entry_handle == NULL) {
3049 status = NT_STATUS_NO_MEMORY;
3053 /* ask the endpoint mapper for the port */
3055 status = rpccli_epm_Map(epm_pipe,
3057 CONST_DISCARD(struct GUID *,
3058 &(abstract_syntax->uuid)),
3065 if (!NT_STATUS_IS_OK(status)) {
3069 if (num_towers != 1) {
3070 status = NT_STATUS_UNSUCCESSFUL;
3074 /* extract the port from the answer */
3076 status = dcerpc_binding_from_tower(tmp_ctx,
3077 &(towers.twr->tower),
3079 if (!NT_STATUS_IS_OK(status)) {
3083 /* are further checks here necessary? */
3084 if (res_binding->transport != NCACN_IP_TCP) {
3085 status = NT_STATUS_UNSUCCESSFUL;
3089 *pport = (uint16_t)atoi(res_binding->endpoint);
3092 TALLOC_FREE(tmp_ctx);
3097 * Create a rpc pipe client struct, connecting to a host via tcp.
3098 * The port is determined by asking the endpoint mapper on the given
3101 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
3102 const struct ndr_syntax_id *abstract_syntax,
3103 struct rpc_pipe_client **presult)
3108 status = rpc_pipe_get_tcp_port(host, abstract_syntax, &port);
3109 if (!NT_STATUS_IS_OK(status)) {
3113 return rpc_pipe_open_tcp_port(mem_ctx, host, port,
3114 abstract_syntax, presult);
3117 /********************************************************************
3118 Create a rpc pipe client struct, connecting to a unix domain socket
3119 ********************************************************************/
3120 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
3121 const struct ndr_syntax_id *abstract_syntax,
3122 struct rpc_pipe_client **presult)
3124 struct rpc_pipe_client *result;
3125 struct sockaddr_un addr;
3129 result = talloc_zero(mem_ctx, struct rpc_pipe_client);
3130 if (result == NULL) {
3131 return NT_STATUS_NO_MEMORY;
3134 result->abstract_syntax = *abstract_syntax;
3135 result->transfer_syntax = ndr_transfer_syntax;
3136 result->dispatch = cli_do_rpc_ndr;
3137 result->dispatch_send = cli_do_rpc_ndr_send;
3138 result->dispatch_recv = cli_do_rpc_ndr_recv;
3140 result->desthost = get_myname(result);
3141 result->srv_name_slash = talloc_asprintf_strupper_m(
3142 result, "\\\\%s", result->desthost);
3143 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
3144 status = NT_STATUS_NO_MEMORY;
3148 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
3149 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
3151 fd = socket(AF_UNIX, SOCK_STREAM, 0);
3153 status = map_nt_error_from_unix(errno);
3158 addr.sun_family = AF_UNIX;
3159 strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path));
3161 if (sys_connect(fd, (struct sockaddr *)(void *)&addr) == -1) {
3162 DEBUG(0, ("connect(%s) failed: %s\n", socket_path,
3165 return map_nt_error_from_unix(errno);
3168 status = rpc_transport_sock_init(result, fd, &result->transport);
3169 if (!NT_STATUS_IS_OK(status)) {
3174 result->transport->transport = NCALRPC;
3177 return NT_STATUS_OK;
3180 TALLOC_FREE(result);
3184 struct rpc_pipe_client_np_ref {
3185 struct cli_state *cli;
3186 struct rpc_pipe_client *pipe;
3189 static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_ref)
3191 DLIST_REMOVE(np_ref->cli->pipe_list, np_ref->pipe);
3195 /****************************************************************************
3196 Open a named pipe over SMB to a remote server.
3198 * CAVEAT CALLER OF THIS FUNCTION:
3199 * The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
3200 * so be sure that this function is called AFTER any structure (vs pointer)
3201 * assignment of the cli. In particular, libsmbclient does structure
3202 * assignments of cli, which invalidates the data in the returned
3203 * rpc_pipe_client if this function is called before the structure assignment
3206 ****************************************************************************/
3208 static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
3209 const struct ndr_syntax_id *abstract_syntax,
3210 struct rpc_pipe_client **presult)
3212 struct rpc_pipe_client *result;
3214 struct rpc_pipe_client_np_ref *np_ref;
3216 /* sanity check to protect against crashes */
3219 return NT_STATUS_INVALID_HANDLE;
3222 result = TALLOC_ZERO_P(NULL, struct rpc_pipe_client);
3223 if (result == NULL) {
3224 return NT_STATUS_NO_MEMORY;
3227 result->abstract_syntax = *abstract_syntax;
3228 result->transfer_syntax = ndr_transfer_syntax;
3229 result->dispatch = cli_do_rpc_ndr;
3230 result->dispatch_send = cli_do_rpc_ndr_send;
3231 result->dispatch_recv = cli_do_rpc_ndr_recv;
3232 result->desthost = talloc_strdup(result, cli->desthost);
3233 result->srv_name_slash = talloc_asprintf_strupper_m(
3234 result, "\\\\%s", result->desthost);
3236 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
3237 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
3239 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
3240 TALLOC_FREE(result);
3241 return NT_STATUS_NO_MEMORY;
3244 status = rpc_transport_np_init(result, cli, abstract_syntax,
3245 &result->transport);
3246 if (!NT_STATUS_IS_OK(status)) {
3247 TALLOC_FREE(result);
3251 result->transport->transport = NCACN_NP;
3253 np_ref = talloc(result->transport, struct rpc_pipe_client_np_ref);
3254 if (np_ref == NULL) {
3255 TALLOC_FREE(result);
3256 return NT_STATUS_NO_MEMORY;
3259 np_ref->pipe = result;
3261 DLIST_ADD(np_ref->cli->pipe_list, np_ref->pipe);
3262 talloc_set_destructor(np_ref, rpc_pipe_client_np_ref_destructor);
3265 return NT_STATUS_OK;
3268 NTSTATUS rpc_pipe_open_local(TALLOC_CTX *mem_ctx,
3269 struct rpc_cli_smbd_conn *conn,
3270 const struct ndr_syntax_id *syntax,
3271 struct rpc_pipe_client **presult)
3273 struct rpc_pipe_client *result;
3274 struct pipe_auth_data *auth;
3277 result = talloc(mem_ctx, struct rpc_pipe_client);
3278 if (result == NULL) {
3279 return NT_STATUS_NO_MEMORY;
3281 result->abstract_syntax = *syntax;
3282 result->transfer_syntax = ndr_transfer_syntax;
3283 result->dispatch = cli_do_rpc_ndr;
3284 result->dispatch_send = cli_do_rpc_ndr_send;
3285 result->dispatch_recv = cli_do_rpc_ndr_recv;
3286 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
3287 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
3289 result->desthost = talloc_strdup(result, global_myname());
3290 result->srv_name_slash = talloc_asprintf_strupper_m(
3291 result, "\\\\%s", global_myname());
3292 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
3293 TALLOC_FREE(result);
3294 return NT_STATUS_NO_MEMORY;
3297 status = rpc_transport_smbd_init(result, conn, syntax,
3298 &result->transport);
3299 if (!NT_STATUS_IS_OK(status)) {
3300 DEBUG(1, ("rpc_transport_smbd_init failed: %s\n",
3301 nt_errstr(status)));
3302 TALLOC_FREE(result);
3306 status = rpccli_anon_bind_data(result, &auth);
3307 if (!NT_STATUS_IS_OK(status)) {
3308 DEBUG(1, ("rpccli_anon_bind_data failed: %s\n",
3309 nt_errstr(status)));
3310 TALLOC_FREE(result);
3314 status = rpc_pipe_bind(result, auth);
3315 if (!NT_STATUS_IS_OK(status)) {
3316 DEBUG(1, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
3317 TALLOC_FREE(result);
3321 result->transport->transport = NCACN_INTERNAL;
3324 return NT_STATUS_OK;
3327 /****************************************************************************
3328 Open a pipe to a remote server.
3329 ****************************************************************************/
3331 static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
3332 enum dcerpc_transport_t transport,
3333 const struct ndr_syntax_id *interface,
3334 struct rpc_pipe_client **presult)
3336 switch (transport) {
3338 return rpc_pipe_open_tcp(NULL, cli->desthost, interface,
3341 return rpc_pipe_open_np(cli, interface, presult);
3343 return NT_STATUS_NOT_IMPLEMENTED;
3347 /****************************************************************************
3348 Open a named pipe to an SMB server and bind anonymously.
3349 ****************************************************************************/
3351 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
3352 enum dcerpc_transport_t transport,
3353 const struct ndr_syntax_id *interface,
3354 struct rpc_pipe_client **presult)
3356 struct rpc_pipe_client *result;
3357 struct pipe_auth_data *auth;
3360 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3361 if (!NT_STATUS_IS_OK(status)) {
3365 status = rpccli_anon_bind_data(result, &auth);
3366 if (!NT_STATUS_IS_OK(status)) {
3367 DEBUG(0, ("rpccli_anon_bind_data returned %s\n",
3368 nt_errstr(status)));
3369 TALLOC_FREE(result);
3374 * This is a bit of an abstraction violation due to the fact that an
3375 * anonymous bind on an authenticated SMB inherits the user/domain
3376 * from the enclosing SMB creds
3379 TALLOC_FREE(auth->user_name);
3380 TALLOC_FREE(auth->domain);
3382 auth->user_name = talloc_strdup(auth, cli->user_name);
3383 auth->domain = talloc_strdup(auth, cli->domain);
3384 auth->user_session_key = data_blob_talloc(auth,
3385 cli->user_session_key.data,
3386 cli->user_session_key.length);
3388 if ((auth->user_name == NULL) || (auth->domain == NULL)) {
3389 TALLOC_FREE(result);
3390 return NT_STATUS_NO_MEMORY;
3393 status = rpc_pipe_bind(result, auth);
3394 if (!NT_STATUS_IS_OK(status)) {
3396 if (ndr_syntax_id_equal(interface,
3397 &ndr_table_dssetup.syntax_id)) {
3398 /* non AD domains just don't have this pipe, avoid
3399 * level 0 statement in that case - gd */
3402 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
3403 "%s failed with error %s\n",
3404 get_pipe_name_from_syntax(talloc_tos(), interface),
3405 nt_errstr(status) ));
3406 TALLOC_FREE(result);
3410 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
3411 "%s and bound anonymously.\n",
3412 get_pipe_name_from_syntax(talloc_tos(), interface),
3416 return NT_STATUS_OK;
3419 /****************************************************************************
3420 ****************************************************************************/
3422 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
3423 const struct ndr_syntax_id *interface,
3424 struct rpc_pipe_client **presult)
3426 return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
3427 interface, presult);
3430 /****************************************************************************
3431 Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP
3432 ****************************************************************************/
3434 static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
3435 const struct ndr_syntax_id *interface,
3436 enum dcerpc_transport_t transport,
3437 enum pipe_auth_type auth_type,
3438 enum dcerpc_AuthLevel auth_level,
3440 const char *username,
3441 const char *password,
3442 struct rpc_pipe_client **presult)
3444 struct rpc_pipe_client *result;
3445 struct pipe_auth_data *auth;
3448 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3449 if (!NT_STATUS_IS_OK(status)) {
3453 status = rpccli_ntlmssp_bind_data(
3454 result, auth_type, auth_level, domain, username,
3456 if (!NT_STATUS_IS_OK(status)) {
3457 DEBUG(0, ("rpccli_ntlmssp_bind_data returned %s\n",
3458 nt_errstr(status)));
3462 status = rpc_pipe_bind(result, auth);
3463 if (!NT_STATUS_IS_OK(status)) {
3464 DEBUG(0, ("cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error %s\n",
3465 nt_errstr(status) ));
3469 DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to "
3470 "machine %s and bound NTLMSSP as user %s\\%s.\n",
3471 get_pipe_name_from_syntax(talloc_tos(), interface),
3472 cli->desthost, domain, username ));
3475 return NT_STATUS_OK;
3479 TALLOC_FREE(result);
3483 /****************************************************************************
3485 Open a named pipe to an SMB server and bind using NTLMSSP (bind type 10)
3486 ****************************************************************************/
3488 NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
3489 const struct ndr_syntax_id *interface,
3490 enum dcerpc_transport_t transport,
3491 enum dcerpc_AuthLevel auth_level,
3493 const char *username,
3494 const char *password,
3495 struct rpc_pipe_client **presult)
3497 return cli_rpc_pipe_open_ntlmssp_internal(cli,
3500 PIPE_AUTH_TYPE_NTLMSSP,
3508 /****************************************************************************
3510 Open a named pipe to an SMB server and bind using spnego NTLMSSP (bind type 9)
3511 ****************************************************************************/
3513 NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
3514 const struct ndr_syntax_id *interface,
3515 enum dcerpc_transport_t transport,
3516 enum dcerpc_AuthLevel auth_level,
3518 const char *username,
3519 const char *password,
3520 struct rpc_pipe_client **presult)
3522 return cli_rpc_pipe_open_ntlmssp_internal(cli,
3525 PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
3533 /****************************************************************************
3534 Get a the schannel session key out of an already opened netlogon pipe.
3535 ****************************************************************************/
3536 static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
3537 struct cli_state *cli,
3541 enum netr_SchannelType sec_chan_type = 0;
3542 unsigned char machine_pwd[16];
3543 const char *machine_account;
3546 /* Get the machine account credentials from secrets.tdb. */
3547 if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
3550 DEBUG(0, ("get_schannel_session_key: could not fetch "
3551 "trust account password for domain '%s'\n",
3553 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3556 status = rpccli_netlogon_setup_creds(netlogon_pipe,
3557 cli->desthost, /* server name */
3558 domain, /* domain */
3559 global_myname(), /* client name */
3560 machine_account, /* machine account name */
3565 if (!NT_STATUS_IS_OK(status)) {
3566 DEBUG(3, ("get_schannel_session_key_common: "
3567 "rpccli_netlogon_setup_creds failed with result %s "
3568 "to server %s, domain %s, machine account %s.\n",
3569 nt_errstr(status), cli->desthost, domain,
3574 if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
3575 DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
3577 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3580 return NT_STATUS_OK;;
3583 /****************************************************************************
3584 Open a netlogon pipe and get the schannel session key.
3585 Now exposed to external callers.
3586 ****************************************************************************/
3589 NTSTATUS get_schannel_session_key(struct cli_state *cli,
3592 struct rpc_pipe_client **presult)
3594 struct rpc_pipe_client *netlogon_pipe = NULL;
3597 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
3599 if (!NT_STATUS_IS_OK(status)) {
3603 status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
3605 if (!NT_STATUS_IS_OK(status)) {
3606 TALLOC_FREE(netlogon_pipe);
3610 *presult = netlogon_pipe;
3611 return NT_STATUS_OK;
3614 /****************************************************************************
3616 Open a named pipe to an SMB server and bind using schannel (bind type 68)
3617 using session_key. sign and seal.
3619 The *pdc will be stolen onto this new pipe
3620 ****************************************************************************/
3622 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
3623 const struct ndr_syntax_id *interface,
3624 enum dcerpc_transport_t transport,
3625 enum dcerpc_AuthLevel auth_level,
3627 struct netlogon_creds_CredentialState **pdc,
3628 struct rpc_pipe_client **presult)
3630 struct rpc_pipe_client *result;
3631 struct pipe_auth_data *auth;
3634 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3635 if (!NT_STATUS_IS_OK(status)) {
3639 status = rpccli_schannel_bind_data(result, domain, auth_level,
3641 if (!NT_STATUS_IS_OK(status)) {
3642 DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
3643 nt_errstr(status)));
3644 TALLOC_FREE(result);
3648 status = rpc_pipe_bind(result, auth);
3649 if (!NT_STATUS_IS_OK(status)) {
3650 DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
3651 "cli_rpc_pipe_bind failed with error %s\n",
3652 nt_errstr(status) ));
3653 TALLOC_FREE(result);
3658 * The credentials on a new netlogon pipe are the ones we are passed
3659 * in - reference them in
3661 result->dc = talloc_move(result, pdc);
3663 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
3664 "for domain %s and bound using schannel.\n",
3665 get_pipe_name_from_syntax(talloc_tos(), interface),
3666 cli->desthost, domain ));
3669 return NT_STATUS_OK;
3672 /****************************************************************************
3673 Open a named pipe to an SMB server and bind using schannel (bind type 68).
3674 Fetch the session key ourselves using a temporary netlogon pipe. This
3675 version uses an ntlmssp auth bound netlogon pipe to get the key.
3676 ****************************************************************************/
3678 static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
3680 const char *username,
3681 const char *password,
3683 struct rpc_pipe_client **presult)
3685 struct rpc_pipe_client *netlogon_pipe = NULL;
3688 status = cli_rpc_pipe_open_spnego_ntlmssp(
3689 cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
3690 DCERPC_AUTH_LEVEL_PRIVACY,
3691 domain, username, password, &netlogon_pipe);
3692 if (!NT_STATUS_IS_OK(status)) {
3696 status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
3698 if (!NT_STATUS_IS_OK(status)) {
3699 TALLOC_FREE(netlogon_pipe);
3703 *presult = netlogon_pipe;
3704 return NT_STATUS_OK;
3707 /****************************************************************************
3708 Open a named pipe to an SMB server and bind using schannel (bind type 68).
3709 Fetch the session key ourselves using a temporary netlogon pipe. This version
3710 uses an ntlmssp bind to get the session key.
3711 ****************************************************************************/
3713 NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
3714 const struct ndr_syntax_id *interface,
3715 enum dcerpc_transport_t transport,
3716 enum dcerpc_AuthLevel auth_level,
3718 const char *username,
3719 const char *password,
3720 struct rpc_pipe_client **presult)
3722 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
3723 struct rpc_pipe_client *netlogon_pipe = NULL;
3724 struct rpc_pipe_client *result = NULL;
3727 status = get_schannel_session_key_auth_ntlmssp(
3728 cli, domain, username, password, &neg_flags, &netlogon_pipe);
3729 if (!NT_STATUS_IS_OK(status)) {
3730 DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
3731 "key from server %s for domain %s.\n",
3732 cli->desthost, domain ));
3736 status = cli_rpc_pipe_open_schannel_with_key(
3737 cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
3740 /* Now we've bound using the session key we can close the netlog pipe. */
3741 TALLOC_FREE(netlogon_pipe);
3743 if (NT_STATUS_IS_OK(status)) {
3749 /****************************************************************************
3750 Open a named pipe to an SMB server and bind using schannel (bind type 68).
3751 Fetch the session key ourselves using a temporary netlogon pipe.
3752 ****************************************************************************/
3754 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
3755 const struct ndr_syntax_id *interface,
3756 enum dcerpc_transport_t transport,
3757 enum dcerpc_AuthLevel auth_level,
3759 struct rpc_pipe_client **presult)
3761 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
3762 struct rpc_pipe_client *netlogon_pipe = NULL;
3763 struct rpc_pipe_client *result = NULL;
3766 status = get_schannel_session_key(cli, domain, &neg_flags,
3768 if (!NT_STATUS_IS_OK(status)) {
3769 DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
3770 "key from server %s for domain %s.\n",
3771 cli->desthost, domain ));
3775 status = cli_rpc_pipe_open_schannel_with_key(
3776 cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
3779 /* Now we've bound using the session key we can close the netlog pipe. */
3780 TALLOC_FREE(netlogon_pipe);
3782 if (NT_STATUS_IS_OK(status)) {
3789 /****************************************************************************
3790 Open a named pipe to an SMB server and bind using krb5 (bind type 16).
3791 The idea is this can be called with service_princ, username and password all
3792 NULL so long as the caller has a TGT.
3793 ****************************************************************************/
3795 NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
3796 const struct ndr_syntax_id *interface,
3797 enum dcerpc_AuthLevel auth_level,
3798 const char *service_princ,
3799 const char *username,
3800 const char *password,
3801 struct rpc_pipe_client **presult)
3804 struct rpc_pipe_client *result;
3805 struct pipe_auth_data *auth;
3808 status = cli_rpc_pipe_open(cli, NCACN_NP, interface, &result);
3809 if (!NT_STATUS_IS_OK(status)) {
3813 status = rpccli_kerberos_bind_data(result, auth_level, service_princ,
3814 username, password, &auth);
3815 if (!NT_STATUS_IS_OK(status)) {
3816 DEBUG(0, ("rpccli_kerberos_bind_data returned %s\n",
3817 nt_errstr(status)));
3818 TALLOC_FREE(result);
3822 status = rpc_pipe_bind(result, auth);
3823 if (!NT_STATUS_IS_OK(status)) {
3824 DEBUG(0, ("cli_rpc_pipe_open_krb5: cli_rpc_pipe_bind failed "
3825 "with error %s\n", nt_errstr(status)));
3826 TALLOC_FREE(result);
3831 return NT_STATUS_OK;
3833 DEBUG(0,("cli_rpc_pipe_open_krb5: kerberos not found at compile time.\n"));
3834 return NT_STATUS_NOT_IMPLEMENTED;
3838 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
3839 struct rpc_pipe_client *cli,
3840 DATA_BLOB *session_key)
3842 struct pipe_auth_data *a = cli->auth;
3845 if (!session_key || !cli) {
3846 return NT_STATUS_INVALID_PARAMETER;
3850 return NT_STATUS_INVALID_PARAMETER;
3853 switch (cli->auth->auth_type) {
3854 case PIPE_AUTH_TYPE_SCHANNEL:
3855 sk = data_blob_const(a->a_u.schannel_auth->creds->session_key,
3858 case PIPE_AUTH_TYPE_NTLMSSP:
3859 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
3860 sk = auth_ntlmssp_get_session_key(a->a_u.auth_ntlmssp_state);
3862 case PIPE_AUTH_TYPE_KRB5:
3863 case PIPE_AUTH_TYPE_SPNEGO_KRB5:
3864 sk = data_blob_const(a->a_u.kerberos_auth->session_key.data,
3865 a->a_u.kerberos_auth->session_key.length);
3867 case PIPE_AUTH_TYPE_NONE:
3868 sk = data_blob_const(a->user_session_key.data,
3869 a->user_session_key.length);
3872 return NT_STATUS_NO_USER_SESSION_KEY;
3875 *session_key = data_blob_dup_talloc(mem_ctx, &sk);
3876 return NT_STATUS_OK;
git.samba.org / samba.git / blob