2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client routines
4 * Largely rewritten by Jeremy Allison 2005.
5 * Heavily modified by Simo Sorce 2010.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "librpc/gen_ndr/cli_epmapper.h"
23 #include "../librpc/gen_ndr/ndr_schannel.h"
24 #include "../librpc/gen_ndr/ndr_dssetup.h"
25 #include "../libcli/auth/schannel.h"
26 #include "../libcli/auth/spnego.h"
28 #include "../libcli/auth/ntlmssp.h"
29 #include "ntlmssp_wrap.h"
30 #include "librpc/gen_ndr/ndr_dcerpc.h"
31 #include "librpc/rpc/dcerpc.h"
32 #include "librpc/rpc/dcerpc_gssapi.h"
33 #include "librpc/rpc/dcerpc_spnego.h"
37 #define DBGC_CLASS DBGC_RPC_CLI
39 /********************************************************************
40 Pipe description for a DEBUG
41 ********************************************************************/
42 static const char *rpccli_pipe_txt(TALLOC_CTX *mem_ctx,
43 struct rpc_pipe_client *cli)
45 char *result = talloc_asprintf(mem_ctx, "host %s", cli->desthost);
52 /********************************************************************
54 ********************************************************************/
56 static uint32 get_rpc_call_id(void)
58 static uint32 call_id = 0;
62 /*******************************************************************
63 Use SMBreadX to get rest of one fragment's worth of rpc data.
64 Reads the whole size or give an error message
65 ********************************************************************/
67 struct rpc_read_state {
68 struct event_context *ev;
69 struct rpc_cli_transport *transport;
75 static void rpc_read_done(struct tevent_req *subreq);
77 static struct tevent_req *rpc_read_send(TALLOC_CTX *mem_ctx,
78 struct event_context *ev,
79 struct rpc_cli_transport *transport,
80 uint8_t *data, size_t size)
82 struct tevent_req *req, *subreq;
83 struct rpc_read_state *state;
85 req = tevent_req_create(mem_ctx, &state, struct rpc_read_state);
90 state->transport = transport;
95 DEBUG(5, ("rpc_read_send: data_to_read: %u\n", (unsigned int)size));
97 subreq = transport->read_send(state, ev, (uint8_t *)data, size,
102 tevent_req_set_callback(subreq, rpc_read_done, req);
110 static void rpc_read_done(struct tevent_req *subreq)
112 struct tevent_req *req = tevent_req_callback_data(
113 subreq, struct tevent_req);
114 struct rpc_read_state *state = tevent_req_data(
115 req, struct rpc_read_state);
119 status = state->transport->read_recv(subreq, &received);
121 if (!NT_STATUS_IS_OK(status)) {
122 tevent_req_nterror(req, status);
126 state->num_read += received;
127 if (state->num_read == state->size) {
128 tevent_req_done(req);
132 subreq = state->transport->read_send(state, state->ev,
133 state->data + state->num_read,
134 state->size - state->num_read,
135 state->transport->priv);
136 if (tevent_req_nomem(subreq, req)) {
139 tevent_req_set_callback(subreq, rpc_read_done, req);
142 static NTSTATUS rpc_read_recv(struct tevent_req *req)
144 return tevent_req_simple_recv_ntstatus(req);
147 struct rpc_write_state {
148 struct event_context *ev;
149 struct rpc_cli_transport *transport;
155 static void rpc_write_done(struct tevent_req *subreq);
157 static struct tevent_req *rpc_write_send(TALLOC_CTX *mem_ctx,
158 struct event_context *ev,
159 struct rpc_cli_transport *transport,
160 const uint8_t *data, size_t size)
162 struct tevent_req *req, *subreq;
163 struct rpc_write_state *state;
165 req = tevent_req_create(mem_ctx, &state, struct rpc_write_state);
170 state->transport = transport;
173 state->num_written = 0;
175 DEBUG(5, ("rpc_write_send: data_to_write: %u\n", (unsigned int)size));
177 subreq = transport->write_send(state, ev, data, size, transport->priv);
178 if (subreq == NULL) {
181 tevent_req_set_callback(subreq, rpc_write_done, req);
188 static void rpc_write_done(struct tevent_req *subreq)
190 struct tevent_req *req = tevent_req_callback_data(
191 subreq, struct tevent_req);
192 struct rpc_write_state *state = tevent_req_data(
193 req, struct rpc_write_state);
197 status = state->transport->write_recv(subreq, &written);
199 if (!NT_STATUS_IS_OK(status)) {
200 tevent_req_nterror(req, status);
204 state->num_written += written;
206 if (state->num_written == state->size) {
207 tevent_req_done(req);
211 subreq = state->transport->write_send(state, state->ev,
212 state->data + state->num_written,
213 state->size - state->num_written,
214 state->transport->priv);
215 if (tevent_req_nomem(subreq, req)) {
218 tevent_req_set_callback(subreq, rpc_write_done, req);
221 static NTSTATUS rpc_write_recv(struct tevent_req *req)
223 return tevent_req_simple_recv_ntstatus(req);
227 /****************************************************************************
228 Try and get a PDU's worth of data from current_pdu. If not, then read more
230 ****************************************************************************/
232 struct get_complete_frag_state {
233 struct event_context *ev;
234 struct rpc_pipe_client *cli;
239 static void get_complete_frag_got_header(struct tevent_req *subreq);
240 static void get_complete_frag_got_rest(struct tevent_req *subreq);
242 static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
243 struct event_context *ev,
244 struct rpc_pipe_client *cli,
247 struct tevent_req *req, *subreq;
248 struct get_complete_frag_state *state;
252 req = tevent_req_create(mem_ctx, &state,
253 struct get_complete_frag_state);
259 state->frag_len = RPC_HEADER_LEN;
262 received = pdu->length;
263 if (received < RPC_HEADER_LEN) {
264 if (!data_blob_realloc(mem_ctx, pdu, RPC_HEADER_LEN)) {
265 status = NT_STATUS_NO_MEMORY;
268 subreq = rpc_read_send(state, state->ev,
269 state->cli->transport,
270 pdu->data + received,
271 RPC_HEADER_LEN - received);
272 if (subreq == NULL) {
273 status = NT_STATUS_NO_MEMORY;
276 tevent_req_set_callback(subreq, get_complete_frag_got_header,
281 state->frag_len = dcerpc_get_frag_length(pdu);
284 * Ensure we have frag_len bytes of data.
286 if (received < state->frag_len) {
287 if (!data_blob_realloc(NULL, pdu, state->frag_len)) {
288 status = NT_STATUS_NO_MEMORY;
291 subreq = rpc_read_send(state, state->ev,
292 state->cli->transport,
293 pdu->data + received,
294 state->frag_len - received);
295 if (subreq == NULL) {
296 status = NT_STATUS_NO_MEMORY;
299 tevent_req_set_callback(subreq, get_complete_frag_got_rest,
304 status = NT_STATUS_OK;
306 if (NT_STATUS_IS_OK(status)) {
307 tevent_req_done(req);
309 tevent_req_nterror(req, status);
311 return tevent_req_post(req, ev);
314 static void get_complete_frag_got_header(struct tevent_req *subreq)
316 struct tevent_req *req = tevent_req_callback_data(
317 subreq, struct tevent_req);
318 struct get_complete_frag_state *state = tevent_req_data(
319 req, struct get_complete_frag_state);
322 status = rpc_read_recv(subreq);
324 if (!NT_STATUS_IS_OK(status)) {
325 tevent_req_nterror(req, status);
329 state->frag_len = dcerpc_get_frag_length(state->pdu);
331 if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
332 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
337 * We're here in this piece of code because we've read exactly
338 * RPC_HEADER_LEN bytes into state->pdu.
341 subreq = rpc_read_send(state, state->ev, state->cli->transport,
342 state->pdu->data + RPC_HEADER_LEN,
343 state->frag_len - RPC_HEADER_LEN);
344 if (tevent_req_nomem(subreq, req)) {
347 tevent_req_set_callback(subreq, get_complete_frag_got_rest, req);
350 static void get_complete_frag_got_rest(struct tevent_req *subreq)
352 struct tevent_req *req = tevent_req_callback_data(
353 subreq, struct tevent_req);
356 status = rpc_read_recv(subreq);
358 if (!NT_STATUS_IS_OK(status)) {
359 tevent_req_nterror(req, status);
362 tevent_req_done(req);
365 static NTSTATUS get_complete_frag_recv(struct tevent_req *req)
367 return tevent_req_simple_recv_ntstatus(req);
370 /****************************************************************************
371 Do basic authentication checks on an incoming pdu.
372 ****************************************************************************/
374 static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
375 struct rpc_pipe_client *cli,
376 struct ncacn_packet *pkt,
378 uint8_t expected_pkt_type,
380 DATA_BLOB *reply_pdu)
382 struct dcerpc_response *r;
383 NTSTATUS ret = NT_STATUS_OK;
387 * Point the return values at the real data including the RPC
388 * header. Just in case the caller wants it.
392 /* Ensure we have the correct type. */
393 switch (pkt->ptype) {
394 case DCERPC_PKT_ALTER_RESP:
395 case DCERPC_PKT_BIND_ACK:
397 /* Client code never receives this kind of packets */
401 case DCERPC_PKT_RESPONSE:
403 r = &pkt->u.response;
405 /* Here's where we deal with incoming sign/seal. */
406 ret = dcerpc_check_auth(cli->auth, pkt,
407 &r->stub_and_verifier,
408 DCERPC_RESPONSE_LENGTH,
410 if (!NT_STATUS_IS_OK(ret)) {
414 if (pkt->frag_length < DCERPC_RESPONSE_LENGTH + pad_len) {
415 return NT_STATUS_BUFFER_TOO_SMALL;
418 /* Point the return values at the NDR data. */
419 rdata->data = r->stub_and_verifier.data;
421 if (pkt->auth_length) {
422 /* We've already done integer wrap tests in
423 * dcerpc_check_auth(). */
424 rdata->length = r->stub_and_verifier.length
426 - DCERPC_AUTH_TRAILER_LENGTH
429 rdata->length = r->stub_and_verifier.length;
432 DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
433 (long unsigned int)pdu->length,
434 (long unsigned int)rdata->length,
435 (unsigned int)pad_len));
438 * If this is the first reply, and the allocation hint is
439 * reasonable, try and set up the reply_pdu DATA_BLOB to the
443 if ((reply_pdu->length == 0) &&
444 r->alloc_hint && (r->alloc_hint < 15*1024*1024)) {
445 if (!data_blob_realloc(mem_ctx, reply_pdu,
447 DEBUG(0, ("reply alloc hint %d too "
448 "large to allocate\n",
449 (int)r->alloc_hint));
450 return NT_STATUS_NO_MEMORY;
456 case DCERPC_PKT_BIND_NAK:
457 DEBUG(1, (__location__ ": Bind NACK received from %s!\n",
458 rpccli_pipe_txt(talloc_tos(), cli)));
459 /* Use this for now... */
460 return NT_STATUS_NETWORK_ACCESS_DENIED;
462 case DCERPC_PKT_FAULT:
464 DEBUG(1, (__location__ ": RPC fault code %s received "
466 dcerpc_errstr(talloc_tos(),
467 pkt->u.fault.status),
468 rpccli_pipe_txt(talloc_tos(), cli)));
470 if (NT_STATUS_IS_OK(NT_STATUS(pkt->u.fault.status))) {
471 return NT_STATUS_UNSUCCESSFUL;
473 return NT_STATUS(pkt->u.fault.status);
477 DEBUG(0, (__location__ "Unknown packet type %u received "
479 (unsigned int)pkt->ptype,
480 rpccli_pipe_txt(talloc_tos(), cli)));
481 return NT_STATUS_INVALID_INFO_CLASS;
484 if (pkt->ptype != expected_pkt_type) {
485 DEBUG(3, (__location__ ": Connection to %s got an unexpected "
486 "RPC packet type - %u, not %u\n",
487 rpccli_pipe_txt(talloc_tos(), cli),
488 pkt->ptype, expected_pkt_type));
489 return NT_STATUS_INVALID_INFO_CLASS;
492 /* Do this just before return - we don't want to modify any rpc header
493 data before now as we may have needed to do cryptographic actions on
496 if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
497 !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
498 DEBUG(5, (__location__ ": bug in server (AS/U?), setting "
499 "fragment first/last ON.\n"));
500 pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
506 /****************************************************************************
507 Call a remote api on an arbitrary pipe. takes param, data and setup buffers.
508 ****************************************************************************/
510 struct cli_api_pipe_state {
511 struct event_context *ev;
512 struct rpc_cli_transport *transport;
517 static void cli_api_pipe_trans_done(struct tevent_req *subreq);
518 static void cli_api_pipe_write_done(struct tevent_req *subreq);
519 static void cli_api_pipe_read_done(struct tevent_req *subreq);
521 static struct tevent_req *cli_api_pipe_send(TALLOC_CTX *mem_ctx,
522 struct event_context *ev,
523 struct rpc_cli_transport *transport,
524 uint8_t *data, size_t data_len,
525 uint32_t max_rdata_len)
527 struct tevent_req *req, *subreq;
528 struct cli_api_pipe_state *state;
531 req = tevent_req_create(mem_ctx, &state, struct cli_api_pipe_state);
536 state->transport = transport;
538 if (max_rdata_len < RPC_HEADER_LEN) {
540 * For a RPC reply we always need at least RPC_HEADER_LEN
541 * bytes. We check this here because we will receive
542 * RPC_HEADER_LEN bytes in cli_trans_sock_send_done.
544 status = NT_STATUS_INVALID_PARAMETER;
548 if (transport->trans_send != NULL) {
549 subreq = transport->trans_send(state, ev, data, data_len,
550 max_rdata_len, transport->priv);
551 if (subreq == NULL) {
554 tevent_req_set_callback(subreq, cli_api_pipe_trans_done, req);
559 * If the transport does not provide a "trans" routine, i.e. for
560 * example the ncacn_ip_tcp transport, do the write/read step here.
563 subreq = rpc_write_send(state, ev, transport, data, data_len);
564 if (subreq == NULL) {
567 tevent_req_set_callback(subreq, cli_api_pipe_write_done, req);
571 tevent_req_nterror(req, status);
572 return tevent_req_post(req, ev);
578 static void cli_api_pipe_trans_done(struct tevent_req *subreq)
580 struct tevent_req *req = tevent_req_callback_data(
581 subreq, struct tevent_req);
582 struct cli_api_pipe_state *state = tevent_req_data(
583 req, struct cli_api_pipe_state);
586 status = state->transport->trans_recv(subreq, state, &state->rdata,
589 if (!NT_STATUS_IS_OK(status)) {
590 tevent_req_nterror(req, status);
593 tevent_req_done(req);
596 static void cli_api_pipe_write_done(struct tevent_req *subreq)
598 struct tevent_req *req = tevent_req_callback_data(
599 subreq, struct tevent_req);
600 struct cli_api_pipe_state *state = tevent_req_data(
601 req, struct cli_api_pipe_state);
604 status = rpc_write_recv(subreq);
606 if (!NT_STATUS_IS_OK(status)) {
607 tevent_req_nterror(req, status);
611 state->rdata = TALLOC_ARRAY(state, uint8_t, RPC_HEADER_LEN);
612 if (tevent_req_nomem(state->rdata, req)) {
617 * We don't need to use rpc_read_send here, the upper layer will cope
618 * with a short read, transport->trans_send could also return less
619 * than state->max_rdata_len.
621 subreq = state->transport->read_send(state, state->ev, state->rdata,
623 state->transport->priv);
624 if (tevent_req_nomem(subreq, req)) {
627 tevent_req_set_callback(subreq, cli_api_pipe_read_done, req);
630 static void cli_api_pipe_read_done(struct tevent_req *subreq)
632 struct tevent_req *req = tevent_req_callback_data(
633 subreq, struct tevent_req);
634 struct cli_api_pipe_state *state = tevent_req_data(
635 req, struct cli_api_pipe_state);
639 status = state->transport->read_recv(subreq, &received);
641 if (!NT_STATUS_IS_OK(status)) {
642 tevent_req_nterror(req, status);
645 state->rdata_len = received;
646 tevent_req_done(req);
649 static NTSTATUS cli_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
650 uint8_t **prdata, uint32_t *prdata_len)
652 struct cli_api_pipe_state *state = tevent_req_data(
653 req, struct cli_api_pipe_state);
656 if (tevent_req_is_nterror(req, &status)) {
660 *prdata = talloc_move(mem_ctx, &state->rdata);
661 *prdata_len = state->rdata_len;
665 /****************************************************************************
666 Send data on an rpc pipe via trans. The data must be the last
667 pdu fragment of an NDR data stream.
669 Receive response data from an rpc pipe, which may be large...
671 Read the first fragment: unfortunately have to use SMBtrans for the first
672 bit, then SMBreadX for subsequent bits.
674 If first fragment received also wasn't the last fragment, continue
675 getting fragments until we _do_ receive the last fragment.
677 Request/Response PDU's look like the following...
679 |<------------------PDU len----------------------------------------------->|
680 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
682 +------------+-----------------+-------------+---------------+-------------+
683 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
684 +------------+-----------------+-------------+---------------+-------------+
686 Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
687 signing & sealing being negotiated.
689 ****************************************************************************/
691 struct rpc_api_pipe_state {
692 struct event_context *ev;
693 struct rpc_pipe_client *cli;
694 uint8_t expected_pkt_type;
696 DATA_BLOB incoming_frag;
697 struct ncacn_packet *pkt;
701 size_t reply_pdu_offset;
705 static void rpc_api_pipe_trans_done(struct tevent_req *subreq);
706 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq);
707 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq);
709 static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,
710 struct event_context *ev,
711 struct rpc_pipe_client *cli,
712 DATA_BLOB *data, /* Outgoing PDU */
713 uint8_t expected_pkt_type)
715 struct tevent_req *req, *subreq;
716 struct rpc_api_pipe_state *state;
717 uint16_t max_recv_frag;
720 req = tevent_req_create(mem_ctx, &state, struct rpc_api_pipe_state);
726 state->expected_pkt_type = expected_pkt_type;
727 state->incoming_frag = data_blob_null;
728 state->reply_pdu = data_blob_null;
729 state->reply_pdu_offset = 0;
730 state->endianess = DCERPC_DREP_LE;
733 * Ensure we're not sending too much.
735 if (data->length > cli->max_xmit_frag) {
736 status = NT_STATUS_INVALID_PARAMETER;
740 DEBUG(5,("rpc_api_pipe: %s\n", rpccli_pipe_txt(talloc_tos(), cli)));
742 if (state->expected_pkt_type == DCERPC_PKT_AUTH3) {
743 subreq = rpc_write_send(state, ev, cli->transport,
744 data->data, data->length);
745 if (subreq == NULL) {
748 tevent_req_set_callback(subreq, rpc_api_pipe_auth3_done, req);
752 /* get the header first, then fetch the rest once we have
753 * the frag_length available */
754 max_recv_frag = RPC_HEADER_LEN;
756 subreq = cli_api_pipe_send(state, ev, cli->transport,
757 data->data, data->length, max_recv_frag);
758 if (subreq == NULL) {
761 tevent_req_set_callback(subreq, rpc_api_pipe_trans_done, req);
765 tevent_req_nterror(req, status);
766 return tevent_req_post(req, ev);
772 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq)
774 struct tevent_req *req =
775 tevent_req_callback_data(subreq,
779 status = rpc_write_recv(subreq);
781 if (!NT_STATUS_IS_OK(status)) {
782 tevent_req_nterror(req, status);
786 tevent_req_done(req);
789 static void rpc_api_pipe_trans_done(struct tevent_req *subreq)
791 struct tevent_req *req = tevent_req_callback_data(
792 subreq, struct tevent_req);
793 struct rpc_api_pipe_state *state = tevent_req_data(
794 req, struct rpc_api_pipe_state);
796 uint8_t *rdata = NULL;
797 uint32_t rdata_len = 0;
799 status = cli_api_pipe_recv(subreq, state, &rdata, &rdata_len);
801 if (!NT_STATUS_IS_OK(status)) {
802 DEBUG(5, ("cli_api_pipe failed: %s\n", nt_errstr(status)));
803 tevent_req_nterror(req, status);
808 DEBUG(3,("rpc_api_pipe: %s failed to return data.\n",
809 rpccli_pipe_txt(talloc_tos(), state->cli)));
810 tevent_req_done(req);
815 * Move data on state->incoming_frag.
817 state->incoming_frag.data = talloc_move(state, &rdata);
818 state->incoming_frag.length = rdata_len;
819 if (!state->incoming_frag.data) {
820 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
824 /* Ensure we have enough data for a pdu. */
825 subreq = get_complete_frag_send(state, state->ev, state->cli,
826 &state->incoming_frag);
827 if (tevent_req_nomem(subreq, req)) {
830 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
833 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
835 struct tevent_req *req = tevent_req_callback_data(
836 subreq, struct tevent_req);
837 struct rpc_api_pipe_state *state = tevent_req_data(
838 req, struct rpc_api_pipe_state);
840 DATA_BLOB rdata = data_blob_null;
842 status = get_complete_frag_recv(subreq);
844 if (!NT_STATUS_IS_OK(status)) {
845 DEBUG(5, ("get_complete_frag failed: %s\n",
847 tevent_req_nterror(req, status);
851 state->pkt = talloc(state, struct ncacn_packet);
853 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
857 status = dcerpc_pull_ncacn_packet(state->pkt,
858 &state->incoming_frag,
861 if (!NT_STATUS_IS_OK(status)) {
862 tevent_req_nterror(req, status);
866 if (state->incoming_frag.length != state->pkt->frag_length) {
867 DEBUG(5, ("Incorrect pdu length %u, expected %u\n",
868 (unsigned int)state->incoming_frag.length,
869 (unsigned int)state->pkt->frag_length));
870 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
874 status = cli_pipe_validate_current_pdu(state,
875 state->cli, state->pkt,
876 &state->incoming_frag,
877 state->expected_pkt_type,
881 DEBUG(10,("rpc_api_pipe: got frag len of %u at offset %u: %s\n",
882 (unsigned)state->incoming_frag.length,
883 (unsigned)state->reply_pdu_offset,
886 if (!NT_STATUS_IS_OK(status)) {
887 tevent_req_nterror(req, status);
891 if ((state->pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST)
892 && (state->pkt->drep[0] != DCERPC_DREP_LE)) {
894 * Set the data type correctly for big-endian data on the
897 DEBUG(10,("rpc_api_pipe: On %s PDU data format is "
899 rpccli_pipe_txt(talloc_tos(), state->cli)));
900 state->endianess = 0x00; /* BIG ENDIAN */
903 * Check endianness on subsequent packets.
905 if (state->endianess != state->pkt->drep[0]) {
906 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to "
908 state->endianess?"little":"big",
909 state->pkt->drep[0]?"little":"big"));
910 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
914 /* Now copy the data portion out of the pdu into rbuf. */
915 if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
916 if (!data_blob_realloc(NULL, &state->reply_pdu,
917 state->reply_pdu_offset + rdata.length)) {
918 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
923 memcpy(state->reply_pdu.data + state->reply_pdu_offset,
924 rdata.data, rdata.length);
925 state->reply_pdu_offset += rdata.length;
927 /* reset state->incoming_frag, there is no need to free it,
928 * it will be reallocated to the right size the next time
930 state->incoming_frag.length = 0;
932 if (state->pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
933 /* make sure the pdu length is right now that we
934 * have all the data available (alloc hint may
935 * have allocated more than was actually used) */
936 state->reply_pdu.length = state->reply_pdu_offset;
937 DEBUG(10,("rpc_api_pipe: %s returned %u bytes.\n",
938 rpccli_pipe_txt(talloc_tos(), state->cli),
939 (unsigned)state->reply_pdu.length));
940 tevent_req_done(req);
944 subreq = get_complete_frag_send(state, state->ev, state->cli,
945 &state->incoming_frag);
946 if (tevent_req_nomem(subreq, req)) {
949 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
952 static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
953 struct ncacn_packet **pkt,
954 DATA_BLOB *reply_pdu)
956 struct rpc_api_pipe_state *state = tevent_req_data(
957 req, struct rpc_api_pipe_state);
960 if (tevent_req_is_nterror(req, &status)) {
964 /* return data to caller and assign it ownership of memory */
966 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
967 reply_pdu->length = state->reply_pdu.length;
968 state->reply_pdu.length = 0;
970 data_blob_free(&state->reply_pdu);
974 *pkt = talloc_steal(mem_ctx, state->pkt);
980 /*******************************************************************
981 Creates spnego auth bind.
982 ********************************************************************/
984 static NTSTATUS create_spnego_auth_bind_req(TALLOC_CTX *mem_ctx,
985 struct pipe_auth_data *auth,
986 DATA_BLOB *auth_token)
988 DATA_BLOB in_token = data_blob_null;
991 /* Negotiate the initial auth token */
992 status = spnego_get_client_auth_token(mem_ctx,
993 auth->a_u.spnego_state,
994 &in_token, auth_token);
995 if (!NT_STATUS_IS_OK(status)) {
999 DEBUG(5, ("Created GSS Authentication Token:\n"));
1000 dump_data(5, auth_token->data, auth_token->length);
1002 return NT_STATUS_OK;
1005 /*******************************************************************
1006 Creates krb5 auth bind.
1007 ********************************************************************/
1009 static NTSTATUS create_gssapi_auth_bind_req(TALLOC_CTX *mem_ctx,
1010 struct pipe_auth_data *auth,
1011 DATA_BLOB *auth_token)
1013 DATA_BLOB in_token = data_blob_null;
1016 /* Negotiate the initial auth token */
1017 status = gse_get_client_auth_token(mem_ctx,
1018 auth->a_u.gssapi_state,
1021 if (!NT_STATUS_IS_OK(status)) {
1025 DEBUG(5, ("Created GSS Authentication Token:\n"));
1026 dump_data(5, auth_token->data, auth_token->length);
1028 return NT_STATUS_OK;
1031 /*******************************************************************
1032 Creates NTLMSSP auth bind.
1033 ********************************************************************/
1035 static NTSTATUS create_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1036 DATA_BLOB *auth_token)
1039 DATA_BLOB null_blob = data_blob_null;
1041 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
1042 status = auth_ntlmssp_update(cli->auth->a_u.auth_ntlmssp_state,
1043 null_blob, auth_token);
1045 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1046 data_blob_free(auth_token);
1050 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1051 dump_data(5, auth_token->data, auth_token->length);
1053 return NT_STATUS_OK;
1056 /*******************************************************************
1057 Creates schannel auth bind.
1058 ********************************************************************/
1060 static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1061 DATA_BLOB *auth_token)
1064 struct NL_AUTH_MESSAGE r;
1066 /* Use lp_workgroup() if domain not specified */
1068 if (!cli->auth->domain || !cli->auth->domain[0]) {
1069 cli->auth->domain = talloc_strdup(cli, lp_workgroup());
1070 if (cli->auth->domain == NULL) {
1071 return NT_STATUS_NO_MEMORY;
1076 * Now marshall the data into the auth parse_struct.
1079 r.MessageType = NL_NEGOTIATE_REQUEST;
1080 r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
1081 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
1082 r.oem_netbios_domain.a = cli->auth->domain;
1083 r.oem_netbios_computer.a = global_myname();
1085 status = dcerpc_push_schannel_bind(cli, &r, auth_token);
1086 if (!NT_STATUS_IS_OK(status)) {
1090 return NT_STATUS_OK;
1093 /*******************************************************************
1094 Creates the internals of a DCE/RPC bind request or alter context PDU.
1095 ********************************************************************/
1097 static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
1098 enum dcerpc_pkt_type ptype,
1100 const struct ndr_syntax_id *abstract,
1101 const struct ndr_syntax_id *transfer,
1102 const DATA_BLOB *auth_info,
1105 uint16 auth_len = auth_info->length;
1107 union dcerpc_payload u;
1108 struct dcerpc_ctx_list ctx_list;
1111 auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
1114 ctx_list.context_id = 0;
1115 ctx_list.num_transfer_syntaxes = 1;
1116 ctx_list.abstract_syntax = *abstract;
1117 ctx_list.transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer);
1119 u.bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1120 u.bind.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1121 u.bind.assoc_group_id = 0x0;
1122 u.bind.num_contexts = 1;
1123 u.bind.ctx_list = &ctx_list;
1124 u.bind.auth_info = *auth_info;
1126 status = dcerpc_push_ncacn_packet(mem_ctx,
1128 DCERPC_PFC_FLAG_FIRST |
1129 DCERPC_PFC_FLAG_LAST,
1134 if (!NT_STATUS_IS_OK(status)) {
1135 DEBUG(0, ("Failed to marshall bind/alter ncacn_packet.\n"));
1139 return NT_STATUS_OK;
1142 /*******************************************************************
1143 Creates a DCE/RPC bind request.
1144 ********************************************************************/
1146 static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
1147 struct rpc_pipe_client *cli,
1148 struct pipe_auth_data *auth,
1150 const struct ndr_syntax_id *abstract,
1151 const struct ndr_syntax_id *transfer,
1154 DATA_BLOB auth_token = data_blob_null;
1155 DATA_BLOB auth_info = data_blob_null;
1156 NTSTATUS ret = NT_STATUS_OK;
1158 switch (auth->auth_type) {
1159 case DCERPC_AUTH_TYPE_SCHANNEL:
1160 ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
1161 if (!NT_STATUS_IS_OK(ret)) {
1166 case DCERPC_AUTH_TYPE_NTLMSSP:
1167 ret = create_ntlmssp_auth_rpc_bind_req(cli, &auth_token);
1168 if (!NT_STATUS_IS_OK(ret)) {
1173 case DCERPC_AUTH_TYPE_SPNEGO:
1174 ret = create_spnego_auth_bind_req(cli, auth, &auth_token);
1175 if (!NT_STATUS_IS_OK(ret)) {
1180 case DCERPC_AUTH_TYPE_KRB5:
1181 ret = create_gssapi_auth_bind_req(mem_ctx, auth, &auth_token);
1182 if (!NT_STATUS_IS_OK(ret)) {
1187 case DCERPC_AUTH_TYPE_NONE:
1191 /* "Can't" happen. */
1192 return NT_STATUS_INVALID_INFO_CLASS;
1195 if (auth_token.length != 0) {
1196 ret = dcerpc_push_dcerpc_auth(cli,
1199 0, /* auth_pad_length */
1200 1, /* auth_context_id */
1203 if (!NT_STATUS_IS_OK(ret)) {
1206 data_blob_free(&auth_token);
1209 ret = create_bind_or_alt_ctx_internal(mem_ctx,
1219 /*******************************************************************
1221 Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
1222 Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
1223 and deals with signing/sealing details.
1224 ********************************************************************/
1226 struct rpc_api_pipe_req_state {
1227 struct event_context *ev;
1228 struct rpc_pipe_client *cli;
1231 DATA_BLOB *req_data;
1232 uint32_t req_data_sent;
1234 DATA_BLOB reply_pdu;
1237 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
1238 static void rpc_api_pipe_req_done(struct tevent_req *subreq);
1239 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1240 bool *is_last_frag);
1242 struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
1243 struct event_context *ev,
1244 struct rpc_pipe_client *cli,
1246 DATA_BLOB *req_data)
1248 struct tevent_req *req, *subreq;
1249 struct rpc_api_pipe_req_state *state;
1253 req = tevent_req_create(mem_ctx, &state,
1254 struct rpc_api_pipe_req_state);
1260 state->op_num = op_num;
1261 state->req_data = req_data;
1262 state->req_data_sent = 0;
1263 state->call_id = get_rpc_call_id();
1264 state->reply_pdu = data_blob_null;
1265 state->rpc_out = data_blob_null;
1267 if (cli->max_xmit_frag < DCERPC_REQUEST_LENGTH
1268 + RPC_MAX_SIGN_SIZE) {
1269 /* Server is screwed up ! */
1270 status = NT_STATUS_INVALID_PARAMETER;
1274 status = prepare_next_frag(state, &is_last_frag);
1275 if (!NT_STATUS_IS_OK(status)) {
1280 subreq = rpc_api_pipe_send(state, ev, state->cli,
1282 DCERPC_PKT_RESPONSE);
1283 if (subreq == NULL) {
1286 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1288 subreq = rpc_write_send(state, ev, cli->transport,
1289 state->rpc_out.data,
1290 state->rpc_out.length);
1291 if (subreq == NULL) {
1294 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1300 tevent_req_nterror(req, status);
1301 return tevent_req_post(req, ev);
1307 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1310 size_t data_sent_thistime;
1317 union dcerpc_payload u;
1319 data_left = state->req_data->length - state->req_data_sent;
1321 status = dcerpc_guess_sizes(state->cli->auth,
1322 DCERPC_REQUEST_LENGTH, data_left,
1323 state->cli->max_xmit_frag,
1324 CLIENT_NDR_PADDING_SIZE,
1325 &data_sent_thistime,
1326 &frag_len, &auth_len, &pad_len);
1327 if (!NT_STATUS_IS_OK(status)) {
1331 if (state->req_data_sent == 0) {
1332 flags = DCERPC_PFC_FLAG_FIRST;
1335 if (data_sent_thistime == data_left) {
1336 flags |= DCERPC_PFC_FLAG_LAST;
1339 data_blob_free(&state->rpc_out);
1341 ZERO_STRUCT(u.request);
1343 u.request.alloc_hint = state->req_data->length;
1344 u.request.context_id = 0;
1345 u.request.opnum = state->op_num;
1347 status = dcerpc_push_ncacn_packet(state,
1354 if (!NT_STATUS_IS_OK(status)) {
1358 /* explicitly set frag_len here as dcerpc_push_ncacn_packet() can't
1359 * compute it right for requests because the auth trailer is missing
1361 dcerpc_set_frag_length(&state->rpc_out, frag_len);
1363 /* Copy in the data. */
1364 if (!data_blob_append(NULL, &state->rpc_out,
1365 state->req_data->data + state->req_data_sent,
1366 data_sent_thistime)) {
1367 return NT_STATUS_NO_MEMORY;
1370 switch (state->cli->auth->auth_level) {
1371 case DCERPC_AUTH_LEVEL_NONE:
1372 case DCERPC_AUTH_LEVEL_CONNECT:
1373 case DCERPC_AUTH_LEVEL_PACKET:
1375 case DCERPC_AUTH_LEVEL_INTEGRITY:
1376 case DCERPC_AUTH_LEVEL_PRIVACY:
1377 status = dcerpc_add_auth_footer(state->cli->auth, pad_len,
1379 if (!NT_STATUS_IS_OK(status)) {
1384 return NT_STATUS_INVALID_PARAMETER;
1387 state->req_data_sent += data_sent_thistime;
1388 *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
1393 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq)
1395 struct tevent_req *req = tevent_req_callback_data(
1396 subreq, struct tevent_req);
1397 struct rpc_api_pipe_req_state *state = tevent_req_data(
1398 req, struct rpc_api_pipe_req_state);
1402 status = rpc_write_recv(subreq);
1403 TALLOC_FREE(subreq);
1404 if (!NT_STATUS_IS_OK(status)) {
1405 tevent_req_nterror(req, status);
1409 status = prepare_next_frag(state, &is_last_frag);
1410 if (!NT_STATUS_IS_OK(status)) {
1411 tevent_req_nterror(req, status);
1416 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1418 DCERPC_PKT_RESPONSE);
1419 if (tevent_req_nomem(subreq, req)) {
1422 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1424 subreq = rpc_write_send(state, state->ev,
1425 state->cli->transport,
1426 state->rpc_out.data,
1427 state->rpc_out.length);
1428 if (tevent_req_nomem(subreq, req)) {
1431 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1436 static void rpc_api_pipe_req_done(struct tevent_req *subreq)
1438 struct tevent_req *req = tevent_req_callback_data(
1439 subreq, struct tevent_req);
1440 struct rpc_api_pipe_req_state *state = tevent_req_data(
1441 req, struct rpc_api_pipe_req_state);
1444 status = rpc_api_pipe_recv(subreq, state, NULL, &state->reply_pdu);
1445 TALLOC_FREE(subreq);
1446 if (!NT_STATUS_IS_OK(status)) {
1447 tevent_req_nterror(req, status);
1450 tevent_req_done(req);
1453 NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
1454 DATA_BLOB *reply_pdu)
1456 struct rpc_api_pipe_req_state *state = tevent_req_data(
1457 req, struct rpc_api_pipe_req_state);
1460 if (tevent_req_is_nterror(req, &status)) {
1462 * We always have to initialize to reply pdu, even if there is
1463 * none. The rpccli_* caller routines expect this.
1465 *reply_pdu = data_blob_null;
1469 /* return data to caller and assign it ownership of memory */
1470 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
1471 reply_pdu->length = state->reply_pdu.length;
1472 state->reply_pdu.length = 0;
1474 return NT_STATUS_OK;
1478 /****************************************************************************
1479 Set the handle state.
1480 ****************************************************************************/
1482 static bool rpc_pipe_set_hnd_state(struct rpc_pipe_client *cli,
1483 const char *pipe_name, uint16 device_state)
1485 bool state_set = False;
1487 uint16 setup[2]; /* only need 2 uint16 setup parameters */
1488 char *rparam = NULL;
1490 uint32 rparam_len, rdata_len;
1492 if (pipe_name == NULL)
1495 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
1496 cli->fnum, pipe_name, device_state));
1498 /* create parameters: device state */
1499 SSVAL(param, 0, device_state);
1501 /* create setup parameters. */
1503 setup[1] = cli->fnum; /* pipe file handle. got this from an SMBOpenX. */
1505 /* send the data on \PIPE\ */
1506 if (cli_api_pipe(cli->cli, "\\PIPE\\",
1507 setup, 2, 0, /* setup, length, max */
1508 param, 2, 0, /* param, length, max */
1509 NULL, 0, 1024, /* data, length, max */
1510 &rparam, &rparam_len, /* return param, length */
1511 &rdata, &rdata_len)) /* return data, length */
1513 DEBUG(5, ("Set Handle state: return OK\n"));
1524 /****************************************************************************
1525 Check the rpc bind acknowledge response.
1526 ****************************************************************************/
1528 static bool check_bind_response(const struct dcerpc_bind_ack *r,
1529 const struct ndr_syntax_id *transfer)
1531 struct dcerpc_ack_ctx ctx;
1533 if (r->secondary_address_size == 0) {
1534 DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
1537 if (r->num_results < 1 || !r->ctx_list) {
1541 ctx = r->ctx_list[0];
1543 /* check the transfer syntax */
1544 if ((ctx.syntax.if_version != transfer->if_version) ||
1545 (memcmp(&ctx.syntax.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1546 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1550 if (r->num_results != 0x1 || ctx.result != 0) {
1551 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1552 r->num_results, ctx.reason));
1555 DEBUG(5,("check_bind_response: accepted!\n"));
1559 /*******************************************************************
1560 Creates a DCE/RPC bind authentication response.
1561 This is the packet that is sent back to the server once we
1562 have received a BIND-ACK, to finish the third leg of
1563 the authentication handshake.
1564 ********************************************************************/
1566 static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
1567 struct rpc_pipe_client *cli,
1569 enum dcerpc_AuthType auth_type,
1570 enum dcerpc_AuthLevel auth_level,
1571 DATA_BLOB *pauth_blob,
1575 union dcerpc_payload u;
1579 status = dcerpc_push_dcerpc_auth(mem_ctx,
1582 0, /* auth_pad_length */
1583 1, /* auth_context_id */
1585 &u.auth3.auth_info);
1586 if (!NT_STATUS_IS_OK(status)) {
1590 status = dcerpc_push_ncacn_packet(mem_ctx,
1592 DCERPC_PFC_FLAG_FIRST |
1593 DCERPC_PFC_FLAG_LAST,
1598 data_blob_free(&u.auth3.auth_info);
1599 if (!NT_STATUS_IS_OK(status)) {
1600 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
1604 return NT_STATUS_OK;
1607 /*******************************************************************
1608 Creates a DCE/RPC bind alter context authentication request which
1609 may contain a spnego auth blobl
1610 ********************************************************************/
1612 static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
1613 enum dcerpc_AuthType auth_type,
1614 enum dcerpc_AuthLevel auth_level,
1616 const struct ndr_syntax_id *abstract,
1617 const struct ndr_syntax_id *transfer,
1618 const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
1621 DATA_BLOB auth_info;
1624 status = dcerpc_push_dcerpc_auth(mem_ctx,
1627 0, /* auth_pad_length */
1628 1, /* auth_context_id */
1631 if (!NT_STATUS_IS_OK(status)) {
1635 status = create_bind_or_alt_ctx_internal(mem_ctx,
1642 data_blob_free(&auth_info);
1646 /****************************************************************************
1648 ****************************************************************************/
1650 struct rpc_pipe_bind_state {
1651 struct event_context *ev;
1652 struct rpc_pipe_client *cli;
1655 uint32_t rpc_call_id;
1658 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
1659 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1660 struct rpc_pipe_bind_state *state,
1661 DATA_BLOB *credentials);
1662 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1663 struct rpc_pipe_bind_state *state,
1664 DATA_BLOB *credentials);
1666 struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
1667 struct event_context *ev,
1668 struct rpc_pipe_client *cli,
1669 struct pipe_auth_data *auth)
1671 struct tevent_req *req, *subreq;
1672 struct rpc_pipe_bind_state *state;
1675 req = tevent_req_create(mem_ctx, &state, struct rpc_pipe_bind_state);
1680 DEBUG(5,("Bind RPC Pipe: %s auth_type %u(%u), auth_level %u\n",
1681 rpccli_pipe_txt(talloc_tos(), cli),
1682 (unsigned int)auth->auth_type,
1683 (unsigned int)auth->spnego_type,
1684 (unsigned int)auth->auth_level ));
1688 state->rpc_call_id = get_rpc_call_id();
1690 cli->auth = talloc_move(cli, &auth);
1692 /* Marshall the outgoing data. */
1693 status = create_rpc_bind_req(state, cli,
1696 &cli->abstract_syntax,
1697 &cli->transfer_syntax,
1700 if (!NT_STATUS_IS_OK(status)) {
1704 subreq = rpc_api_pipe_send(state, ev, cli, &state->rpc_out,
1705 DCERPC_PKT_BIND_ACK);
1706 if (subreq == NULL) {
1709 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1713 tevent_req_nterror(req, status);
1714 return tevent_req_post(req, ev);
1720 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
1722 struct tevent_req *req = tevent_req_callback_data(
1723 subreq, struct tevent_req);
1724 struct rpc_pipe_bind_state *state = tevent_req_data(
1725 req, struct rpc_pipe_bind_state);
1726 struct pipe_auth_data *pauth = state->cli->auth;
1727 struct ncacn_packet *pkt;
1728 struct dcerpc_auth auth;
1729 DATA_BLOB auth_token = data_blob_null;
1732 status = rpc_api_pipe_recv(subreq, talloc_tos(), &pkt, NULL);
1733 TALLOC_FREE(subreq);
1734 if (!NT_STATUS_IS_OK(status)) {
1735 DEBUG(3, ("rpc_pipe_bind: %s bind request returned %s\n",
1736 rpccli_pipe_txt(talloc_tos(), state->cli),
1737 nt_errstr(status)));
1738 tevent_req_nterror(req, status);
1743 tevent_req_done(req);
1747 if (!check_bind_response(&pkt->u.bind_ack, &state->cli->transfer_syntax)) {
1748 DEBUG(2, ("rpc_pipe_bind: check_bind_response failed.\n"));
1749 tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
1753 state->cli->max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
1754 state->cli->max_recv_frag = pkt->u.bind_ack.max_recv_frag;
1756 switch(pauth->auth_type) {
1758 case DCERPC_AUTH_TYPE_NONE:
1759 case DCERPC_AUTH_TYPE_SCHANNEL:
1760 /* Bind complete. */
1761 tevent_req_done(req);
1764 case DCERPC_AUTH_TYPE_NTLMSSP:
1765 case DCERPC_AUTH_TYPE_SPNEGO:
1766 case DCERPC_AUTH_TYPE_KRB5:
1767 /* Paranoid lenght checks */
1768 if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
1769 + pkt->auth_length) {
1770 tevent_req_nterror(req,
1771 NT_STATUS_INFO_LENGTH_MISMATCH);
1774 /* get auth credentials */
1775 status = dcerpc_pull_dcerpc_auth(talloc_tos(),
1776 &pkt->u.bind_ack.auth_info,
1778 if (!NT_STATUS_IS_OK(status)) {
1779 DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
1780 nt_errstr(status)));
1781 tevent_req_nterror(req, status);
1791 * For authenticated binds we may need to do 3 or 4 leg binds.
1794 switch(pauth->auth_type) {
1796 case DCERPC_AUTH_TYPE_NONE:
1797 case DCERPC_AUTH_TYPE_SCHANNEL:
1798 /* Bind complete. */
1799 tevent_req_done(req);
1802 case DCERPC_AUTH_TYPE_NTLMSSP:
1803 status = auth_ntlmssp_update(pauth->a_u.auth_ntlmssp_state,
1804 auth.credentials, &auth_token);
1805 if (NT_STATUS_EQUAL(status,
1806 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1807 status = rpc_bind_next_send(req, state,
1809 } else if (NT_STATUS_IS_OK(status)) {
1810 status = rpc_bind_finish_send(req, state,
1815 case DCERPC_AUTH_TYPE_SPNEGO:
1816 status = spnego_get_client_auth_token(state,
1817 pauth->a_u.spnego_state,
1820 if (!NT_STATUS_IS_OK(status)) {
1823 if (auth_token.length == 0) {
1824 /* Bind complete. */
1825 tevent_req_done(req);
1828 if (spnego_require_more_processing(pauth->a_u.spnego_state)) {
1829 status = rpc_bind_next_send(req, state,
1832 status = rpc_bind_finish_send(req, state,
1837 case DCERPC_AUTH_TYPE_KRB5:
1838 status = gse_get_client_auth_token(state,
1839 pauth->a_u.gssapi_state,
1842 if (!NT_STATUS_IS_OK(status)) {
1846 if (gse_require_more_processing(pauth->a_u.gssapi_state)) {
1847 status = rpc_bind_next_send(req, state, &auth_token);
1849 status = rpc_bind_finish_send(req, state, &auth_token);
1857 if (!NT_STATUS_IS_OK(status)) {
1858 tevent_req_nterror(req, status);
1863 DEBUG(0,("cli_finish_bind_auth: unknown auth type %u(%u)\n",
1864 (unsigned int)state->cli->auth->auth_type,
1865 (unsigned int)state->cli->auth->spnego_type));
1866 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
1869 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1870 struct rpc_pipe_bind_state *state,
1871 DATA_BLOB *auth_token)
1873 struct pipe_auth_data *auth = state->cli->auth;
1874 struct tevent_req *subreq;
1877 /* Now prepare the alter context pdu. */
1878 data_blob_free(&state->rpc_out);
1880 status = create_rpc_alter_context(state,
1884 &state->cli->abstract_syntax,
1885 &state->cli->transfer_syntax,
1888 if (!NT_STATUS_IS_OK(status)) {
1892 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1893 &state->rpc_out, DCERPC_PKT_ALTER_RESP);
1894 if (subreq == NULL) {
1895 return NT_STATUS_NO_MEMORY;
1897 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1898 return NT_STATUS_OK;
1901 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1902 struct rpc_pipe_bind_state *state,
1903 DATA_BLOB *auth_token)
1905 struct pipe_auth_data *auth = state->cli->auth;
1906 struct tevent_req *subreq;
1909 state->auth3 = true;
1911 /* Now prepare the auth3 context pdu. */
1912 data_blob_free(&state->rpc_out);
1914 status = create_rpc_bind_auth3(state, state->cli,
1920 if (!NT_STATUS_IS_OK(status)) {
1924 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1925 &state->rpc_out, DCERPC_PKT_AUTH3);
1926 if (subreq == NULL) {
1927 return NT_STATUS_NO_MEMORY;
1929 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1930 return NT_STATUS_OK;
1933 NTSTATUS rpc_pipe_bind_recv(struct tevent_req *req)
1935 return tevent_req_simple_recv_ntstatus(req);
1938 NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
1939 struct pipe_auth_data *auth)
1941 TALLOC_CTX *frame = talloc_stackframe();
1942 struct event_context *ev;
1943 struct tevent_req *req;
1944 NTSTATUS status = NT_STATUS_OK;
1946 ev = event_context_init(frame);
1948 status = NT_STATUS_NO_MEMORY;
1952 req = rpc_pipe_bind_send(frame, ev, cli, auth);
1954 status = NT_STATUS_NO_MEMORY;
1958 if (!tevent_req_poll(req, ev)) {
1959 status = map_nt_error_from_unix(errno);
1963 status = rpc_pipe_bind_recv(req);
1969 #define RPCCLI_DEFAULT_TIMEOUT 10000 /* 10 seconds. */
1971 unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli,
1972 unsigned int timeout)
1976 if (rpc_cli->transport == NULL) {
1977 return RPCCLI_DEFAULT_TIMEOUT;
1980 if (rpc_cli->transport->set_timeout == NULL) {
1981 return RPCCLI_DEFAULT_TIMEOUT;
1984 old = rpc_cli->transport->set_timeout(rpc_cli->transport->priv, timeout);
1986 return RPCCLI_DEFAULT_TIMEOUT;
1992 bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli)
1994 if (rpc_cli == NULL) {
1998 if (rpc_cli->transport == NULL) {
2002 return rpc_cli->transport->is_connected(rpc_cli->transport->priv);
2005 struct rpccli_bh_state {
2006 struct rpc_pipe_client *rpc_cli;
2009 static bool rpccli_bh_is_connected(struct dcerpc_binding_handle *h)
2011 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2012 struct rpccli_bh_state);
2014 return rpccli_is_connected(hs->rpc_cli);
2017 static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
2020 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2021 struct rpccli_bh_state);
2023 return rpccli_set_timeout(hs->rpc_cli, timeout);
2026 struct rpccli_bh_raw_call_state {
2032 static void rpccli_bh_raw_call_done(struct tevent_req *subreq);
2034 static struct tevent_req *rpccli_bh_raw_call_send(TALLOC_CTX *mem_ctx,
2035 struct tevent_context *ev,
2036 struct dcerpc_binding_handle *h,
2037 const struct GUID *object,
2040 const uint8_t *in_data,
2043 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2044 struct rpccli_bh_state);
2045 struct tevent_req *req;
2046 struct rpccli_bh_raw_call_state *state;
2048 struct tevent_req *subreq;
2050 req = tevent_req_create(mem_ctx, &state,
2051 struct rpccli_bh_raw_call_state);
2055 state->in_data.data = discard_const_p(uint8_t, in_data);
2056 state->in_data.length = in_length;
2058 ok = rpccli_bh_is_connected(h);
2060 tevent_req_nterror(req, NT_STATUS_INVALID_CONNECTION);
2061 return tevent_req_post(req, ev);
2064 subreq = rpc_api_pipe_req_send(state, ev, hs->rpc_cli,
2065 opnum, &state->in_data);
2066 if (tevent_req_nomem(subreq, req)) {
2067 return tevent_req_post(req, ev);
2069 tevent_req_set_callback(subreq, rpccli_bh_raw_call_done, req);
2074 static void rpccli_bh_raw_call_done(struct tevent_req *subreq)
2076 struct tevent_req *req =
2077 tevent_req_callback_data(subreq,
2079 struct rpccli_bh_raw_call_state *state =
2080 tevent_req_data(req,
2081 struct rpccli_bh_raw_call_state);
2084 state->out_flags = 0;
2086 /* TODO: support bigendian responses */
2088 status = rpc_api_pipe_req_recv(subreq, state, &state->out_data);
2089 TALLOC_FREE(subreq);
2090 if (!NT_STATUS_IS_OK(status)) {
2091 tevent_req_nterror(req, status);
2095 tevent_req_done(req);
2098 static NTSTATUS rpccli_bh_raw_call_recv(struct tevent_req *req,
2099 TALLOC_CTX *mem_ctx,
2102 uint32_t *out_flags)
2104 struct rpccli_bh_raw_call_state *state =
2105 tevent_req_data(req,
2106 struct rpccli_bh_raw_call_state);
2109 if (tevent_req_is_nterror(req, &status)) {
2110 tevent_req_received(req);
2114 *out_data = talloc_move(mem_ctx, &state->out_data.data);
2115 *out_length = state->out_data.length;
2116 *out_flags = state->out_flags;
2117 tevent_req_received(req);
2118 return NT_STATUS_OK;
2121 struct rpccli_bh_disconnect_state {
2125 static struct tevent_req *rpccli_bh_disconnect_send(TALLOC_CTX *mem_ctx,
2126 struct tevent_context *ev,
2127 struct dcerpc_binding_handle *h)
2129 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2130 struct rpccli_bh_state);
2131 struct tevent_req *req;
2132 struct rpccli_bh_disconnect_state *state;
2135 req = tevent_req_create(mem_ctx, &state,
2136 struct rpccli_bh_disconnect_state);
2141 ok = rpccli_bh_is_connected(h);
2143 tevent_req_nterror(req, NT_STATUS_INVALID_CONNECTION);
2144 return tevent_req_post(req, ev);
2148 * TODO: do a real async disconnect ...
2150 * For now the caller needs to free rpc_cli
2154 tevent_req_done(req);
2155 return tevent_req_post(req, ev);
2158 static NTSTATUS rpccli_bh_disconnect_recv(struct tevent_req *req)
2162 if (tevent_req_is_nterror(req, &status)) {
2163 tevent_req_received(req);
2167 tevent_req_received(req);
2168 return NT_STATUS_OK;
2171 static bool rpccli_bh_ref_alloc(struct dcerpc_binding_handle *h)
2176 static void rpccli_bh_do_ndr_print(struct dcerpc_binding_handle *h,
2178 const void *_struct_ptr,
2179 const struct ndr_interface_call *call)
2181 void *struct_ptr = discard_const(_struct_ptr);
2183 if (DEBUGLEVEL < 10) {
2187 if (ndr_flags & NDR_IN) {
2188 ndr_print_function_debug(call->ndr_print,
2193 if (ndr_flags & NDR_OUT) {
2194 ndr_print_function_debug(call->ndr_print,
2201 static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
2203 .is_connected = rpccli_bh_is_connected,
2204 .set_timeout = rpccli_bh_set_timeout,
2205 .raw_call_send = rpccli_bh_raw_call_send,
2206 .raw_call_recv = rpccli_bh_raw_call_recv,
2207 .disconnect_send = rpccli_bh_disconnect_send,
2208 .disconnect_recv = rpccli_bh_disconnect_recv,
2210 .ref_alloc = rpccli_bh_ref_alloc,
2211 .do_ndr_print = rpccli_bh_do_ndr_print,
2214 /* initialise a rpc_pipe_client binding handle */
2215 static struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c)
2217 struct dcerpc_binding_handle *h;
2218 struct rpccli_bh_state *hs;
2220 h = dcerpc_binding_handle_create(c,
2225 struct rpccli_bh_state,
2235 bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
2237 struct auth_ntlmssp_state *a = NULL;
2238 struct cli_state *cli;
2240 if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
2241 a = rpc_cli->auth->a_u.auth_ntlmssp_state;
2242 } else if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2243 enum dcerpc_AuthType auth_type;
2247 status = spnego_get_negotiated_mech(
2248 rpc_cli->auth->a_u.spnego_state,
2249 &auth_type, &auth_ctx);
2250 if (!NT_STATUS_IS_OK(status)) {
2254 if (auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
2255 a = talloc_get_type(auth_ctx,
2256 struct auth_ntlmssp_state);
2261 memcpy(nt_hash, auth_ntlmssp_get_nt_hash(a), 16);
2265 cli = rpc_pipe_np_smb_conn(rpc_cli);
2269 E_md4hash(cli->password ? cli->password : "", nt_hash);
2273 NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
2274 struct pipe_auth_data **presult)
2276 struct pipe_auth_data *result;
2278 result = talloc(mem_ctx, struct pipe_auth_data);
2279 if (result == NULL) {
2280 return NT_STATUS_NO_MEMORY;
2283 result->auth_type = DCERPC_AUTH_TYPE_NONE;
2284 result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
2285 result->auth_level = DCERPC_AUTH_LEVEL_NONE;
2287 result->user_name = talloc_strdup(result, "");
2288 result->domain = talloc_strdup(result, "");
2289 if ((result->user_name == NULL) || (result->domain == NULL)) {
2290 TALLOC_FREE(result);
2291 return NT_STATUS_NO_MEMORY;
2295 return NT_STATUS_OK;
2298 static int cli_auth_ntlmssp_data_destructor(struct pipe_auth_data *auth)
2300 TALLOC_FREE(auth->a_u.auth_ntlmssp_state);
2304 static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
2305 enum dcerpc_AuthType auth_type,
2306 enum dcerpc_AuthLevel auth_level,
2308 const char *username,
2309 const char *password,
2310 struct pipe_auth_data **presult)
2312 struct pipe_auth_data *result;
2315 result = talloc(mem_ctx, struct pipe_auth_data);
2316 if (result == NULL) {
2317 return NT_STATUS_NO_MEMORY;
2320 result->auth_type = auth_type;
2321 result->auth_level = auth_level;
2323 result->user_name = talloc_strdup(result, username);
2324 result->domain = talloc_strdup(result, domain);
2325 if ((result->user_name == NULL) || (result->domain == NULL)) {
2326 status = NT_STATUS_NO_MEMORY;
2330 status = auth_ntlmssp_client_start(NULL,
2333 lp_client_ntlmv2_auth(),
2334 &result->a_u.auth_ntlmssp_state);
2335 if (!NT_STATUS_IS_OK(status)) {
2339 talloc_set_destructor(result, cli_auth_ntlmssp_data_destructor);
2341 status = auth_ntlmssp_set_username(result->a_u.auth_ntlmssp_state,
2343 if (!NT_STATUS_IS_OK(status)) {
2347 status = auth_ntlmssp_set_domain(result->a_u.auth_ntlmssp_state,
2349 if (!NT_STATUS_IS_OK(status)) {
2353 status = auth_ntlmssp_set_password(result->a_u.auth_ntlmssp_state,
2355 if (!NT_STATUS_IS_OK(status)) {
2360 * Turn off sign+seal to allow selected auth level to turn it back on.
2362 auth_ntlmssp_and_flags(result->a_u.auth_ntlmssp_state,
2363 ~(NTLMSSP_NEGOTIATE_SIGN |
2364 NTLMSSP_NEGOTIATE_SEAL));
2366 if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
2367 auth_ntlmssp_or_flags(result->a_u.auth_ntlmssp_state,
2368 NTLMSSP_NEGOTIATE_SIGN);
2369 } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
2370 auth_ntlmssp_or_flags(result->a_u.auth_ntlmssp_state,
2371 NTLMSSP_NEGOTIATE_SEAL |
2372 NTLMSSP_NEGOTIATE_SIGN);
2376 return NT_STATUS_OK;
2379 TALLOC_FREE(result);
2383 NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
2384 enum dcerpc_AuthLevel auth_level,
2385 struct netlogon_creds_CredentialState *creds,
2386 struct pipe_auth_data **presult)
2388 struct pipe_auth_data *result;
2390 result = talloc(mem_ctx, struct pipe_auth_data);
2391 if (result == NULL) {
2392 return NT_STATUS_NO_MEMORY;
2395 result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
2396 result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
2397 result->auth_level = auth_level;
2399 result->user_name = talloc_strdup(result, "");
2400 result->domain = talloc_strdup(result, domain);
2401 if ((result->user_name == NULL) || (result->domain == NULL)) {
2405 result->a_u.schannel_auth = talloc(result, struct schannel_state);
2406 if (result->a_u.schannel_auth == NULL) {
2410 result->a_u.schannel_auth->state = SCHANNEL_STATE_START;
2411 result->a_u.schannel_auth->seq_num = 0;
2412 result->a_u.schannel_auth->initiator = true;
2413 result->a_u.schannel_auth->creds = netlogon_creds_copy(result, creds);
2416 return NT_STATUS_OK;
2419 TALLOC_FREE(result);
2420 return NT_STATUS_NO_MEMORY;
2424 * Create an rpc pipe client struct, connecting to a tcp port.
2426 static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
2428 const struct ndr_syntax_id *abstract_syntax,
2429 struct rpc_pipe_client **presult)
2431 struct rpc_pipe_client *result;
2432 struct sockaddr_storage addr;
2436 result = TALLOC_ZERO_P(mem_ctx, struct rpc_pipe_client);
2437 if (result == NULL) {
2438 return NT_STATUS_NO_MEMORY;
2441 result->abstract_syntax = *abstract_syntax;
2442 result->transfer_syntax = ndr_transfer_syntax;
2444 result->desthost = talloc_strdup(result, host);
2445 result->srv_name_slash = talloc_asprintf_strupper_m(
2446 result, "\\\\%s", result->desthost);
2447 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2448 status = NT_STATUS_NO_MEMORY;
2452 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2453 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2455 if (!resolve_name(host, &addr, 0, false)) {
2456 status = NT_STATUS_NOT_FOUND;
2460 status = open_socket_out(&addr, port, 60, &fd);
2461 if (!NT_STATUS_IS_OK(status)) {
2464 set_socket_options(fd, lp_socket_options());
2466 status = rpc_transport_sock_init(result, fd, &result->transport);
2467 if (!NT_STATUS_IS_OK(status)) {
2472 result->transport->transport = NCACN_IP_TCP;
2474 result->binding_handle = rpccli_bh_create(result);
2475 if (result->binding_handle == NULL) {
2476 TALLOC_FREE(result);
2477 return NT_STATUS_NO_MEMORY;
2481 return NT_STATUS_OK;
2484 TALLOC_FREE(result);
2489 * Determine the tcp port on which a dcerpc interface is listening
2490 * for the ncacn_ip_tcp transport via the endpoint mapper of the
2493 static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
2494 const struct ndr_syntax_id *abstract_syntax,
2498 struct rpc_pipe_client *epm_pipe = NULL;
2499 struct pipe_auth_data *auth = NULL;
2500 struct dcerpc_binding *map_binding = NULL;
2501 struct dcerpc_binding *res_binding = NULL;
2502 struct epm_twr_t *map_tower = NULL;
2503 struct epm_twr_t *res_towers = NULL;
2504 struct policy_handle *entry_handle = NULL;
2505 uint32_t num_towers = 0;
2506 uint32_t max_towers = 1;
2507 struct epm_twr_p_t towers;
2508 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2510 if (pport == NULL) {
2511 status = NT_STATUS_INVALID_PARAMETER;
2515 /* open the connection to the endpoint mapper */
2516 status = rpc_pipe_open_tcp_port(tmp_ctx, host, 135,
2517 &ndr_table_epmapper.syntax_id,
2520 if (!NT_STATUS_IS_OK(status)) {
2524 status = rpccli_anon_bind_data(tmp_ctx, &auth);
2525 if (!NT_STATUS_IS_OK(status)) {
2529 status = rpc_pipe_bind(epm_pipe, auth);
2530 if (!NT_STATUS_IS_OK(status)) {
2534 /* create tower for asking the epmapper */
2536 map_binding = TALLOC_ZERO_P(tmp_ctx, struct dcerpc_binding);
2537 if (map_binding == NULL) {
2538 status = NT_STATUS_NO_MEMORY;
2542 map_binding->transport = NCACN_IP_TCP;
2543 map_binding->object = *abstract_syntax;
2544 map_binding->host = host; /* needed? */
2545 map_binding->endpoint = "0"; /* correct? needed? */
2547 map_tower = TALLOC_ZERO_P(tmp_ctx, struct epm_twr_t);
2548 if (map_tower == NULL) {
2549 status = NT_STATUS_NO_MEMORY;
2553 status = dcerpc_binding_build_tower(tmp_ctx, map_binding,
2554 &(map_tower->tower));
2555 if (!NT_STATUS_IS_OK(status)) {
2559 /* allocate further parameters for the epm_Map call */
2561 res_towers = TALLOC_ARRAY(tmp_ctx, struct epm_twr_t, max_towers);
2562 if (res_towers == NULL) {
2563 status = NT_STATUS_NO_MEMORY;
2566 towers.twr = res_towers;
2568 entry_handle = TALLOC_ZERO_P(tmp_ctx, struct policy_handle);
2569 if (entry_handle == NULL) {
2570 status = NT_STATUS_NO_MEMORY;
2574 /* ask the endpoint mapper for the port */
2576 status = rpccli_epm_Map(epm_pipe,
2578 CONST_DISCARD(struct GUID *,
2579 &(abstract_syntax->uuid)),
2586 if (!NT_STATUS_IS_OK(status)) {
2590 if (num_towers != 1) {
2591 status = NT_STATUS_UNSUCCESSFUL;
2595 /* extract the port from the answer */
2597 status = dcerpc_binding_from_tower(tmp_ctx,
2598 &(towers.twr->tower),
2600 if (!NT_STATUS_IS_OK(status)) {
2604 /* are further checks here necessary? */
2605 if (res_binding->transport != NCACN_IP_TCP) {
2606 status = NT_STATUS_UNSUCCESSFUL;
2610 *pport = (uint16_t)atoi(res_binding->endpoint);
2613 TALLOC_FREE(tmp_ctx);
2618 * Create a rpc pipe client struct, connecting to a host via tcp.
2619 * The port is determined by asking the endpoint mapper on the given
2622 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
2623 const struct ndr_syntax_id *abstract_syntax,
2624 struct rpc_pipe_client **presult)
2629 status = rpc_pipe_get_tcp_port(host, abstract_syntax, &port);
2630 if (!NT_STATUS_IS_OK(status)) {
2634 return rpc_pipe_open_tcp_port(mem_ctx, host, port,
2635 abstract_syntax, presult);
2638 /********************************************************************
2639 Create a rpc pipe client struct, connecting to a unix domain socket
2640 ********************************************************************/
2641 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
2642 const struct ndr_syntax_id *abstract_syntax,
2643 struct rpc_pipe_client **presult)
2645 struct rpc_pipe_client *result;
2646 struct sockaddr_un addr;
2650 result = talloc_zero(mem_ctx, struct rpc_pipe_client);
2651 if (result == NULL) {
2652 return NT_STATUS_NO_MEMORY;
2655 result->abstract_syntax = *abstract_syntax;
2656 result->transfer_syntax = ndr_transfer_syntax;
2658 result->desthost = get_myname(result);
2659 result->srv_name_slash = talloc_asprintf_strupper_m(
2660 result, "\\\\%s", result->desthost);
2661 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2662 status = NT_STATUS_NO_MEMORY;
2666 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2667 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2669 fd = socket(AF_UNIX, SOCK_STREAM, 0);
2671 status = map_nt_error_from_unix(errno);
2676 addr.sun_family = AF_UNIX;
2677 strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path));
2679 if (sys_connect(fd, (struct sockaddr *)(void *)&addr) == -1) {
2680 DEBUG(0, ("connect(%s) failed: %s\n", socket_path,
2683 return map_nt_error_from_unix(errno);
2686 status = rpc_transport_sock_init(result, fd, &result->transport);
2687 if (!NT_STATUS_IS_OK(status)) {
2692 result->transport->transport = NCALRPC;
2694 result->binding_handle = rpccli_bh_create(result);
2695 if (result->binding_handle == NULL) {
2696 TALLOC_FREE(result);
2697 return NT_STATUS_NO_MEMORY;
2701 return NT_STATUS_OK;
2704 TALLOC_FREE(result);
2708 struct rpc_pipe_client_np_ref {
2709 struct cli_state *cli;
2710 struct rpc_pipe_client *pipe;
2713 static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_ref)
2715 DLIST_REMOVE(np_ref->cli->pipe_list, np_ref->pipe);
2719 /****************************************************************************
2720 Open a named pipe over SMB to a remote server.
2722 * CAVEAT CALLER OF THIS FUNCTION:
2723 * The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
2724 * so be sure that this function is called AFTER any structure (vs pointer)
2725 * assignment of the cli. In particular, libsmbclient does structure
2726 * assignments of cli, which invalidates the data in the returned
2727 * rpc_pipe_client if this function is called before the structure assignment
2730 ****************************************************************************/
2732 static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
2733 const struct ndr_syntax_id *abstract_syntax,
2734 struct rpc_pipe_client **presult)
2736 struct rpc_pipe_client *result;
2738 struct rpc_pipe_client_np_ref *np_ref;
2740 /* sanity check to protect against crashes */
2743 return NT_STATUS_INVALID_HANDLE;
2746 result = TALLOC_ZERO_P(NULL, struct rpc_pipe_client);
2747 if (result == NULL) {
2748 return NT_STATUS_NO_MEMORY;
2751 result->abstract_syntax = *abstract_syntax;
2752 result->transfer_syntax = ndr_transfer_syntax;
2753 result->desthost = talloc_strdup(result, cli->desthost);
2754 result->srv_name_slash = talloc_asprintf_strupper_m(
2755 result, "\\\\%s", result->desthost);
2757 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2758 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2760 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2761 TALLOC_FREE(result);
2762 return NT_STATUS_NO_MEMORY;
2765 status = rpc_transport_np_init(result, cli, abstract_syntax,
2766 &result->transport);
2767 if (!NT_STATUS_IS_OK(status)) {
2768 TALLOC_FREE(result);
2772 result->transport->transport = NCACN_NP;
2774 np_ref = talloc(result->transport, struct rpc_pipe_client_np_ref);
2775 if (np_ref == NULL) {
2776 TALLOC_FREE(result);
2777 return NT_STATUS_NO_MEMORY;
2780 np_ref->pipe = result;
2782 DLIST_ADD(np_ref->cli->pipe_list, np_ref->pipe);
2783 talloc_set_destructor(np_ref, rpc_pipe_client_np_ref_destructor);
2785 result->binding_handle = rpccli_bh_create(result);
2786 if (result->binding_handle == NULL) {
2787 TALLOC_FREE(result);
2788 return NT_STATUS_NO_MEMORY;
2792 return NT_STATUS_OK;
2795 /****************************************************************************
2796 Open a pipe to a remote server.
2797 ****************************************************************************/
2799 static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
2800 enum dcerpc_transport_t transport,
2801 const struct ndr_syntax_id *interface,
2802 struct rpc_pipe_client **presult)
2804 switch (transport) {
2806 return rpc_pipe_open_tcp(NULL, cli->desthost, interface,
2809 return rpc_pipe_open_np(cli, interface, presult);
2811 return NT_STATUS_NOT_IMPLEMENTED;
2815 /****************************************************************************
2816 Open a named pipe to an SMB server and bind anonymously.
2817 ****************************************************************************/
2819 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
2820 enum dcerpc_transport_t transport,
2821 const struct ndr_syntax_id *interface,
2822 struct rpc_pipe_client **presult)
2824 struct rpc_pipe_client *result;
2825 struct pipe_auth_data *auth;
2828 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2829 if (!NT_STATUS_IS_OK(status)) {
2833 status = rpccli_anon_bind_data(result, &auth);
2834 if (!NT_STATUS_IS_OK(status)) {
2835 DEBUG(0, ("rpccli_anon_bind_data returned %s\n",
2836 nt_errstr(status)));
2837 TALLOC_FREE(result);
2842 * This is a bit of an abstraction violation due to the fact that an
2843 * anonymous bind on an authenticated SMB inherits the user/domain
2844 * from the enclosing SMB creds
2847 TALLOC_FREE(auth->user_name);
2848 TALLOC_FREE(auth->domain);
2850 auth->user_name = talloc_strdup(auth, cli->user_name);
2851 auth->domain = talloc_strdup(auth, cli->domain);
2852 auth->user_session_key = data_blob_talloc(auth,
2853 cli->user_session_key.data,
2854 cli->user_session_key.length);
2856 if ((auth->user_name == NULL) || (auth->domain == NULL)) {
2857 TALLOC_FREE(result);
2858 return NT_STATUS_NO_MEMORY;
2861 status = rpc_pipe_bind(result, auth);
2862 if (!NT_STATUS_IS_OK(status)) {
2864 if (ndr_syntax_id_equal(interface,
2865 &ndr_table_dssetup.syntax_id)) {
2866 /* non AD domains just don't have this pipe, avoid
2867 * level 0 statement in that case - gd */
2870 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
2871 "%s failed with error %s\n",
2872 get_pipe_name_from_syntax(talloc_tos(), interface),
2873 nt_errstr(status) ));
2874 TALLOC_FREE(result);
2878 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
2879 "%s and bound anonymously.\n",
2880 get_pipe_name_from_syntax(talloc_tos(), interface),
2884 return NT_STATUS_OK;
2887 /****************************************************************************
2888 ****************************************************************************/
2890 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
2891 const struct ndr_syntax_id *interface,
2892 struct rpc_pipe_client **presult)
2894 return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
2895 interface, presult);
2898 /****************************************************************************
2899 Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP
2900 ****************************************************************************/
2902 NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
2903 const struct ndr_syntax_id *interface,
2904 enum dcerpc_transport_t transport,
2905 enum dcerpc_AuthLevel auth_level,
2907 const char *username,
2908 const char *password,
2909 struct rpc_pipe_client **presult)
2911 struct rpc_pipe_client *result;
2912 struct pipe_auth_data *auth = NULL;
2913 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
2916 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2917 if (!NT_STATUS_IS_OK(status)) {
2921 status = rpccli_ntlmssp_bind_data(result,
2922 auth_type, auth_level,
2923 domain, username, password,
2925 if (!NT_STATUS_IS_OK(status)) {
2926 DEBUG(0, ("rpccli_ntlmssp_bind_data returned %s\n",
2927 nt_errstr(status)));
2931 status = rpc_pipe_bind(result, auth);
2932 if (!NT_STATUS_IS_OK(status)) {
2933 DEBUG(0, ("cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error %s\n",
2934 nt_errstr(status) ));
2938 DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to "
2939 "machine %s and bound NTLMSSP as user %s\\%s.\n",
2940 get_pipe_name_from_syntax(talloc_tos(), interface),
2941 cli->desthost, domain, username ));
2944 return NT_STATUS_OK;
2948 TALLOC_FREE(result);
2952 /****************************************************************************
2954 Open a named pipe to an SMB server and bind using schannel (bind type 68)
2955 using session_key. sign and seal.
2957 The *pdc will be stolen onto this new pipe
2958 ****************************************************************************/
2960 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
2961 const struct ndr_syntax_id *interface,
2962 enum dcerpc_transport_t transport,
2963 enum dcerpc_AuthLevel auth_level,
2965 struct netlogon_creds_CredentialState **pdc,
2966 struct rpc_pipe_client **presult)
2968 struct rpc_pipe_client *result;
2969 struct pipe_auth_data *auth;
2972 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2973 if (!NT_STATUS_IS_OK(status)) {
2977 status = rpccli_schannel_bind_data(result, domain, auth_level,
2979 if (!NT_STATUS_IS_OK(status)) {
2980 DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
2981 nt_errstr(status)));
2982 TALLOC_FREE(result);
2986 status = rpc_pipe_bind(result, auth);
2987 if (!NT_STATUS_IS_OK(status)) {
2988 DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
2989 "cli_rpc_pipe_bind failed with error %s\n",
2990 nt_errstr(status) ));
2991 TALLOC_FREE(result);
2996 * The credentials on a new netlogon pipe are the ones we are passed
2997 * in - copy them over
2999 result->dc = netlogon_creds_copy(result, *pdc);
3000 if (result->dc == NULL) {
3001 TALLOC_FREE(result);
3002 return NT_STATUS_NO_MEMORY;
3005 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
3006 "for domain %s and bound using schannel.\n",
3007 get_pipe_name_from_syntax(talloc_tos(), interface),
3008 cli->desthost, domain ));
3011 return NT_STATUS_OK;
3014 /****************************************************************************
3015 Open a named pipe to an SMB server and bind using krb5 (bind type 16).
3016 The idea is this can be called with service_princ, username and password all
3017 NULL so long as the caller has a TGT.
3018 ****************************************************************************/
3020 NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
3021 const struct ndr_syntax_id *interface,
3022 enum dcerpc_transport_t transport,
3023 enum dcerpc_AuthLevel auth_level,
3025 const char *username,
3026 const char *password,
3027 struct rpc_pipe_client **presult)
3029 struct rpc_pipe_client *result;
3030 struct pipe_auth_data *auth;
3033 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3034 if (!NT_STATUS_IS_OK(status)) {
3038 auth = talloc(result, struct pipe_auth_data);
3040 status = NT_STATUS_NO_MEMORY;
3043 auth->auth_type = DCERPC_AUTH_TYPE_KRB5;
3044 auth->auth_level = auth_level;
3049 auth->user_name = talloc_strdup(auth, username);
3050 if (!auth->user_name) {
3051 status = NT_STATUS_NO_MEMORY;
3055 /* Fixme, should we fetch/set the Realm ? */
3056 auth->domain = talloc_strdup(auth, "");
3057 if (!auth->domain) {
3058 status = NT_STATUS_NO_MEMORY;
3062 status = gse_init_client(auth, auth->auth_type, auth->auth_level,
3063 NULL, server, "cifs", username, password,
3064 GSS_C_DCE_STYLE, &auth->a_u.gssapi_state);
3066 if (!NT_STATUS_IS_OK(status)) {
3067 DEBUG(0, ("gse_init_client returned %s\n",
3068 nt_errstr(status)));
3072 status = rpc_pipe_bind(result, auth);
3073 if (!NT_STATUS_IS_OK(status)) {
3074 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3075 nt_errstr(status)));
3080 return NT_STATUS_OK;
3083 TALLOC_FREE(result);
3087 NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
3088 const struct ndr_syntax_id *interface,
3089 enum dcerpc_transport_t transport,
3090 enum dcerpc_AuthLevel auth_level,
3092 const char *username,
3093 const char *password,
3094 struct rpc_pipe_client **presult)
3096 struct rpc_pipe_client *result;
3097 struct pipe_auth_data *auth;
3100 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3101 if (!NT_STATUS_IS_OK(status)) {
3105 auth = talloc(result, struct pipe_auth_data);
3107 status = NT_STATUS_NO_MEMORY;
3110 auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
3111 auth->auth_level = auth_level;
3113 auth->spnego_type = PIPE_AUTH_TYPE_SPNEGO_KRB5;
3118 auth->user_name = talloc_strdup(auth, username);
3119 if (!auth->user_name) {
3120 status = NT_STATUS_NO_MEMORY;
3124 /* Fixme, should we fetch/set the Realm ? */
3125 auth->domain = talloc_strdup(auth, "");
3126 if (!auth->domain) {
3127 status = NT_STATUS_NO_MEMORY;
3131 status = spnego_gssapi_init_client(auth, auth->auth_level,
3132 NULL, server, "cifs",
3135 &auth->a_u.spnego_state);
3136 if (!NT_STATUS_IS_OK(status)) {
3137 DEBUG(0, ("spnego_init_client returned %s\n",
3138 nt_errstr(status)));
3142 status = rpc_pipe_bind(result, auth);
3143 if (!NT_STATUS_IS_OK(status)) {
3144 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3145 nt_errstr(status)));
3150 return NT_STATUS_OK;
3153 TALLOC_FREE(result);
3157 NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
3158 const struct ndr_syntax_id *interface,
3159 enum dcerpc_transport_t transport,
3160 enum dcerpc_AuthLevel auth_level,
3162 const char *username,
3163 const char *password,
3164 struct rpc_pipe_client **presult)
3166 struct rpc_pipe_client *result;
3167 struct pipe_auth_data *auth;
3170 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3171 if (!NT_STATUS_IS_OK(status)) {
3175 auth = talloc(result, struct pipe_auth_data);
3177 status = NT_STATUS_NO_MEMORY;
3180 auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
3181 auth->auth_level = auth_level;
3186 auth->user_name = talloc_strdup(auth, username);
3187 if (!auth->user_name) {
3188 status = NT_STATUS_NO_MEMORY;
3195 auth->domain = talloc_strdup(auth, domain);
3196 if (!auth->domain) {
3197 status = NT_STATUS_NO_MEMORY;
3201 status = spnego_ntlmssp_init_client(auth, auth->auth_level,
3202 domain, username, password,
3203 &auth->a_u.spnego_state);
3204 if (!NT_STATUS_IS_OK(status)) {
3205 DEBUG(0, ("spnego_init_client returned %s\n",
3206 nt_errstr(status)));
3210 status = rpc_pipe_bind(result, auth);
3211 if (!NT_STATUS_IS_OK(status)) {
3212 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3213 nt_errstr(status)));
3218 return NT_STATUS_OK;
3221 TALLOC_FREE(result);
3225 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
3226 struct rpc_pipe_client *cli,
3227 DATA_BLOB *session_key)
3229 struct pipe_auth_data *a = cli->auth;
3230 DATA_BLOB sk = data_blob_null;
3231 bool make_dup = false;
3233 if (!session_key || !cli) {
3234 return NT_STATUS_INVALID_PARAMETER;
3238 return NT_STATUS_INVALID_PARAMETER;
3241 switch (cli->auth->auth_type) {
3242 case DCERPC_AUTH_TYPE_SCHANNEL:
3243 sk = data_blob_const(a->a_u.schannel_auth->creds->session_key,
3247 case DCERPC_AUTH_TYPE_SPNEGO:
3248 sk = spnego_get_session_key(mem_ctx, a->a_u.spnego_state);
3251 case DCERPC_AUTH_TYPE_NTLMSSP:
3252 sk = auth_ntlmssp_get_session_key(a->a_u.auth_ntlmssp_state);
3255 case DCERPC_AUTH_TYPE_KRB5:
3256 sk = gse_get_session_key(mem_ctx, a->a_u.gssapi_state);
3259 case DCERPC_AUTH_TYPE_NONE:
3260 sk = data_blob_const(a->user_session_key.data,
3261 a->user_session_key.length);
3269 return NT_STATUS_NO_USER_SESSION_KEY;
3273 *session_key = data_blob_dup_talloc(mem_ctx, &sk);
3278 return NT_STATUS_OK;