3 * Unix SMB/Netbios implementation.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998,
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1998.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
32 extern int DEBUGLEVEL;
33 extern struct pipe_id_info pipe_names[];
34 extern fstring global_myworkgroup;
35 extern pstring global_myname;
37 /********************************************************************
39 ********************************************************************/
40 static uint32 get_rpc_call_id(void)
42 static uint32 call_id = 0;
46 /*******************************************************************
47 uses SMBreadX to get rest of rpc data
48 ********************************************************************/
50 static BOOL rpc_read(struct cli_state *cli,
51 prs_struct *rdata, uint32 data_to_read,
54 int size = cli->max_recv_frag;
55 int file_offset = rdata_offset;
57 char *data = rdata->data->data;
59 uint32 new_data_size = rdata->data->data_used + data_to_read;
63 file_offset -= rdata_offset;
65 DEBUG(5,("rpc_read: data_to_read: %d data offset: %d file offset: %d\n",
66 data_to_read, rdata_offset, file_offset));
68 if (new_data_size > rdata->data->data_size)
70 mem_grow_data(&rdata->data, True, new_data_size, True);
71 DEBUG(5,("rpc_read: grow buffer to %d\n", rdata->data->data_used));
74 do /* read data using SMBreadX */
76 if (size > data_to_read)
79 new_data_size = rdata->data->data_used + size;
81 if (new_data_size > rdata->data->data_size)
83 mem_grow_data(&rdata->data, True, new_data_size, True);
84 DEBUG(5,("rpc_read: grow buffer to %d\n", rdata->data->data_used));
87 num_read = cli_read(cli, cli->nt_pipe_fnum, data, file_offset + 0x100000, size);
89 DEBUG(5,("rpc_read: read offset: %d read: %d to read: %d\n",
90 file_offset, num_read, data_to_read));
92 data_to_read -= num_read;
93 file_offset += num_read;
96 if (cli_error(cli, NULL, &err)) return False;
98 } while (num_read > 0 && data_to_read > 0);
99 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
101 mem_realloc_data(rdata->data, file_offset + rdata_offset);
102 rdata->data->offset.end = file_offset + rdata_offset;
104 DEBUG(5,("rpc_read: data supposedly left to read:0x%x\n", data_to_read));
106 return data_to_read == 0;
109 /****************************************************************************
111 ****************************************************************************/
112 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
113 BOOL *first, BOOL *last, int *len)
115 DEBUG(5,("rpc_check_hdr: rdata->data->data_used: %d\n", rdata->data->data_used));
117 smb_io_rpc_hdr ("rpc_hdr ", rhdr , rdata, 0);
119 if (!rdata->offset || rdata->offset != 0x10)
121 DEBUG(0,("cli_pipe: error in rpc header\n"));
125 DEBUG(5,("rpc_check_hdr: (after smb_io_rpc_hdr call) rdata->data->data_used: %d\n",
126 rdata->data->data_used));
128 (*first ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_FIRST);
129 (*last ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_LAST );
130 (*len ) = rhdr->frag_len - rdata->data->data_used;
135 /****************************************************************************
136 decrypt data on an rpc pipe
137 ****************************************************************************/
139 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
140 int len, int auth_len)
142 RPC_AUTH_NTLMSSP_CHK chk;
144 int data_len = len - 0x18 - auth_len - 8;
145 char *reply_data = (uchar*)mem_data(&rdata->data, 0x18);
147 BOOL auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
148 BOOL auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
150 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
151 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal)));
153 /* RPC_HDR_AUTH rhdr_auth;
155 prs_init(&auth_req , 0x10, 4, 0, True);
156 smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &hdr_auth, 0);
157 prs_mem_free(&auth_req);
162 DEBUG(10,("rpc_auth_pipe: seal\n"));
163 dump_data(100, reply_data, data_len);
164 NTLMSSPcalc(cli->ntlmssp_hash, reply_data, data_len);
165 dump_data(100, reply_data, data_len);
170 prs_struct auth_verf;
171 char *data = (uchar*)mem_data(&rdata->data, len - auth_len);
172 prs_init(&auth_verf, 0x08, 4, 0, True);
173 DEBUG(10,("rpc_auth_pipe: verify\n"));
174 dump_data(100, data, auth_len);
175 NTLMSSPcalc(cli->ntlmssp_hash, data + 4, auth_len - 4);
176 memcpy(auth_verf.data->data, data, 16);
177 smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0);
178 dump_data(100, data, auth_len);
179 prs_mem_free(&auth_verf);
184 crc32 = crc32_calc_buffer(data_len, reply_data);
185 if (chk.crc32 != crc32 ||
186 chk.ver != NTLMSSP_SIGN_VERSION ||
187 chk.seq_num != cli->ntlmssp_seq_num++)
189 DEBUG(5,("rpc_auth_pipe: verify failed - crc %x ver %x seq %d\n",
190 crc32, NTLMSSP_SIGN_VERSION, cli->ntlmssp_seq_num));
191 DEBUG(5,("rpc_auth_pipe: verify expect - crc %x ver %x seq %d\n",
192 chk.crc32, chk.ver, chk.seq_num));
200 /****************************************************************************
201 send data on an rpc pipe, which *must* be in one fragment.
202 receive response data from an rpc pipe, which may be large...
204 read the first fragment: unfortunately have to use SMBtrans for the first
205 bit, then SMBreadX for subsequent bits.
207 if first fragment received also wasn't the last fragment, continue
208 getting fragments until we _do_ receive the last fragment.
210 [note: from a data abstraction viewpoint, this function is marginally
211 complicated by the return side of cli_api_pipe getting in the way
212 (i.e, the SMB header stuff). the proper way to do this is to split
213 cli_api_pipe down into receive / transmit. oh, and split cli_readx
214 down. in other words, state-based (kernel) techniques...]
216 ****************************************************************************/
218 static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd,
219 prs_struct *param , prs_struct *data,
220 prs_struct *rparam, prs_struct *rdata)
225 uint16 setup[2]; /* only need 2 uint16 setup parameters */
232 * Setup the pointers from the incoming.
234 char *pparams = param ? param->data->data : NULL;
235 int params_len = param ? param->data->data_used : 0;
236 char *pdata = data ? data->data->data : NULL;
237 int data_len = data ? data->data->data_used : 0;
240 * Setup the pointers to the outgoing.
242 char **pp_ret_params = rparam ? &rparam->data->data : NULL;
243 uint32 *p_ret_params_len = rparam ? &rparam->data->data_used : NULL;
245 char **pp_ret_data = rdata ? &rdata->data->data : NULL;
246 uint32 *p_ret_data_len = rdata ? &rdata->data->data_used : NULL;
248 /* create setup parameters. */
250 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
252 DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", cmd, cli->nt_pipe_fnum));
254 /* send the data: receive a response. */
255 if (!cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
256 setup, 2, 0, /* Setup, length, max */
257 pparams, params_len, 0, /* Params, length, max */
258 pdata, data_len, 1024, /* data, length, max */
259 pp_ret_params, p_ret_params_len, /* return params, len */
260 pp_ret_data, p_ret_data_len)) /* return data, len */
262 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
266 if (rdata->data->data == NULL) return False;
268 /**** parse the header: check it's a response record */
270 rdata->data->offset.start = 0;
271 rdata->data->offset.end = rdata->data->data_used;
274 /* cli_api_pipe does an ordinary Realloc - we have no margins now. */
275 rdata->data->margin = 0;
276 if (rparam) rparam->data->margin = 0;
278 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len))
283 if (rhdr.pkt_type == RPC_BINDACK)
287 DEBUG(5,("rpc_api_pipe: bug in AS/U, setting fragment first/last ON\n"));
293 if (rhdr.pkt_type == RPC_RESPONSE)
295 RPC_HDR_RESP rhdr_resp;
296 smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0);
297 alloc_hint = rhdr_resp.alloc_hint;
300 DEBUG(5,("rpc_api_pipe: len left: %d smbtrans read: %d\n",
301 len, rdata->data->data_used));
303 /* check if data to be sent back was too large for one SMB. */
304 /* err status is only informational: the _real_ check is on the length */
305 if (len > 0) /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
307 if (!rpc_read(cli, rdata, len, rdata->data->data_used))
313 if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
318 /* only one rpc fragment, and it has been read */
321 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
325 while (!last) /* read more fragments until we get the last one */
327 RPC_HDR_RESP rhdr_resp;
331 prs_init(&hps, 0x8, 4, 0, True);
333 num_read = cli_read(cli, cli->nt_pipe_fnum, hps.data->data, 0, 0x18);
334 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
336 if (num_read != 0x18) return False;
338 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
343 smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0);
347 if (cli_error(cli, NULL, &err)) return False;
351 DEBUG(0,("rpc_api_pipe: wierd rpc header received\n"));
355 if (!rpc_read(cli, rdata, len, rdata->data->data_used))
360 if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
369 /*******************************************************************
370 creates a DCE/RPC bind request
372 - initialises the parse structure.
373 - dynamically allocates the header data structure
374 - caller is expected to free the header data structure once used.
376 ********************************************************************/
377 static BOOL create_rpc_bind_req(prs_struct *rhdr,
379 prs_struct *rhdr_auth,
380 prs_struct *auth_req,
381 prs_struct *auth_ntlm,
383 RPC_IFACE *abstract, RPC_IFACE *transfer,
384 char *my_name, char *domain, uint32 neg_flags)
388 RPC_HDR_AUTH hdr_auth;
389 RPC_AUTH_VERIFIER auth_verifier;
390 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
392 /* create the bind request RPC_HDR_RB */
393 make_rpc_hdr_rb(&hdr_rb, 0x1630, 0x1630, 0x0,
394 0x1, 0x0, 0x1, abstract, transfer);
396 /* stream the bind request data */
397 smb_io_rpc_hdr_rb("", &hdr_rb, rhdr_rb, 0);
398 mem_realloc_data(rhdr_rb->data, rhdr_rb->offset);
400 if (auth_req != NULL && rhdr_auth != NULL && auth_ntlm != NULL)
402 make_rpc_hdr_auth(&hdr_auth, 0x0a, 0x06, 0x00, 1);
403 smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rhdr_auth, 0);
404 mem_realloc_data(rhdr_auth->data, rhdr_auth->offset);
406 make_rpc_auth_verifier(&auth_verifier,
407 "NTLMSSP", NTLMSSP_NEGOTIATE);
409 smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, auth_req, 0);
410 mem_realloc_data(auth_req->data, auth_req->offset);
412 make_rpc_auth_ntlmssp_neg(&ntlmssp_neg,
413 neg_flags, my_name, domain);
415 smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, auth_req, 0);
416 mem_realloc_data(auth_req->data, auth_req->offset);
419 /* create the request RPC_HDR */
420 make_rpc_hdr(&hdr, RPC_BIND, 0x0, rpc_call_id,
421 (auth_req != NULL ? auth_req ->offset : 0) +
422 (auth_ntlm != NULL ? auth_ntlm->offset : 0) +
423 (rhdr_auth != NULL ? rhdr_auth->offset : 0) +
424 rhdr_rb->offset + 0x10,
425 (auth_req != NULL ? auth_req ->offset : 0) +
426 (auth_ntlm != NULL ? auth_ntlm->offset : 0));
428 smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0);
429 mem_realloc_data(rhdr->data, rhdr->offset);
431 if (rhdr->data == NULL || rhdr_rb->data == NULL) return False;
434 /*** link rpc header, bind acknowledgment and authentication responses ***/
437 if (auth_req != NULL)
439 prs_link(NULL , rhdr , rhdr_rb );
440 prs_link(rhdr , rhdr_rb , rhdr_auth);
441 prs_link(rhdr_rb , rhdr_auth , auth_req );
442 prs_link(rhdr_auth, auth_req , auth_ntlm);
443 prs_link(auth_req , auth_ntlm , NULL );
447 prs_link(NULL, rhdr , rhdr_rb);
448 prs_link(rhdr, rhdr_rb, NULL );
455 /*******************************************************************
456 creates a DCE/RPC bind authentication response
458 - initialises the parse structure.
459 - dynamically allocates the header data structure
460 - caller is expected to free the header data structure once used.
462 ********************************************************************/
463 static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
464 char *domain, char *user_name, char *my_name,
465 uint32 ntlmssp_cli_flgs,
468 prs_struct *rhdr_autha,
469 prs_struct *auth_resp)
471 unsigned char lm_owf[24];
472 unsigned char nt_owf[24];
474 RPC_HDR_AUTHA hdr_autha;
475 RPC_AUTH_VERIFIER auth_verifier;
476 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
478 make_rpc_hdr_autha(&hdr_autha, 0x1630, 0x1630, 0x0a, 0x06, 0x00);
479 smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rhdr_autha, 0);
480 mem_realloc_data(rhdr_autha->data, rhdr_autha->offset);
482 make_rpc_auth_verifier(&auth_verifier,
483 "NTLMSSP", NTLMSSP_AUTH);
485 smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, auth_resp, 0);
486 mem_realloc_data(auth_resp->data, auth_resp->offset);
488 pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf);
490 make_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
492 domain, user_name, my_name,
495 smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, auth_resp, 0);
496 mem_realloc_data(auth_resp->data, auth_resp->offset);
498 /* create the request RPC_HDR */
499 make_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
500 auth_resp->offset + rhdr_autha->offset + 0x10,
503 smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0);
504 mem_realloc_data(rhdr->data, rhdr->offset);
506 if (rhdr->data == NULL || rhdr_autha->data == NULL) return False;
509 /*** link rpc header and authentication responses ***/
512 prs_link(NULL , rhdr , rhdr_autha);
513 prs_link(rhdr , rhdr_autha , auth_resp );
514 prs_link(rhdr_autha, auth_resp , NULL );
520 /*******************************************************************
521 creates a DCE/RPC bind request
523 - initialises the parse structure.
524 - dynamically allocates the header data structure
525 - caller is expected to free the header data structure once used.
527 ********************************************************************/
529 static BOOL create_rpc_request(prs_struct *rhdr, uint8 op_num, int data_len,
536 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n",
539 /* create the rpc header RPC_HDR */
540 make_rpc_hdr(&hdr , RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST,
541 get_rpc_call_id(), data_len, auth_len);
545 alloc_hint = data_len - 0x18 - auth_len - 16;
549 alloc_hint = data_len - 0x18;
552 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
553 data_len, auth_len, alloc_hint));
555 /* create the rpc request RPC_HDR_REQ */
556 make_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
559 smb_io_rpc_hdr ("hdr ", &hdr , rhdr, 0);
560 smb_io_rpc_hdr_req("hdr_req", &hdr_req, rhdr, 0);
562 if (rhdr->data == NULL || rhdr->offset != 0x18) return False;
564 rhdr->data->offset.start = 0;
565 rhdr->data->offset.end = rhdr->offset;
571 /****************************************************************************
572 send a request on an rpc pipe.
573 ****************************************************************************/
574 BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
575 prs_struct *data, prs_struct *rdata)
577 /* fudge this, at the moment: create the header; memcpy the data. oops. */
582 prs_struct auth_verf;
590 auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
591 auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
593 /* happen to know that NTLMSSP authentication verifier is 16 bytes */
594 auth_len = (auth_verify ? 16 : 0);
595 data_len = data->offset + auth_len + (auth_verify ? 8 : 0) + 0x18;
596 data->data->offset.end = data->offset;
598 prs_init(&hdr , data_len, 4, SAFETY_MARGIN, False);
599 prs_init(&hdr_auth , 8 , 4, SAFETY_MARGIN, False);
600 prs_init(&auth_verf, auth_len, 4, SAFETY_MARGIN, False);
601 prs_init(&rparam , 0 , 4, 0 , True );
603 create_rpc_request(&hdr, op_num, data_len, auth_len);
607 crc32 = crc32_calc_buffer(data->offset, mem_data(&data->data, 0));
608 NTLMSSPcalc(cli->ntlmssp_hash, (uchar*)mem_data(&data->data, 0), data->offset);
611 if (auth_seal || auth_verify)
613 RPC_HDR_AUTH rhdr_auth;
615 make_rpc_hdr_auth(&rhdr_auth, 0x0a, 0x06, 0x08, (auth_verify ? 1 : 0));
616 smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &hdr_auth, 0);
621 RPC_AUTH_NTLMSSP_CHK chk;
623 make_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++);
624 smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0);
625 NTLMSSPcalc(cli->ntlmssp_hash, (uchar*)mem_data(&auth_verf.data, 4), 12);
628 if (auth_seal || auth_verify)
630 prs_link(NULL , &hdr , data );
631 prs_link(&hdr , data , &hdr_auth );
632 prs_link(data , &hdr_auth , &auth_verf);
633 prs_link(&hdr_auth, &auth_verf, NULL );
637 prs_link(NULL, &hdr, data);
638 prs_link(&hdr, data, NULL);
641 mem_realloc_data(hdr.data, data_len);
643 DEBUG(100,("data_len: %x data_calc_len: %x\n",
644 data_len, mem_buf_len(data->data)));
646 /* this is a hack due to limitations in rpc_api_pipe */
647 prs_init(&dataa, mem_buf_len(hdr.data), 4, 0x0, False);
648 mem_buf_copy(dataa.data->data, hdr.data, 0, mem_buf_len(hdr.data));
650 ret = rpc_api_pipe(cli, 0x0026, NULL, &dataa, &rparam, rdata);
652 prs_mem_free(&hdr_auth );
653 prs_mem_free(&auth_verf);
654 prs_mem_free(&rparam );
656 prs_mem_free(&dataa );
661 /****************************************************************************
663 ****************************************************************************/
665 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, char *pipe_name, uint16 device_state)
667 BOOL state_set = False;
669 uint16 setup[2]; /* only need 2 uint16 setup parameters */
672 uint32 rparam_len, rdata_len;
674 if (pipe_name == NULL) return False;
676 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
677 cli->nt_pipe_fnum, pipe_name, device_state));
679 /* create parameters: device state */
680 SSVAL(param, 0, device_state);
682 /* create setup parameters. */
684 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
686 /* send the data on \PIPE\ */
687 if (cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
688 setup, 2, 0, /* setup, length, max */
689 param, 2, 0, /* param, length, max */
690 NULL, 0, 1024, /* data, length, max */
691 &rparam, &rparam_len, /* return param, length */
692 &rdata, &rdata_len)) /* return data, length */
694 DEBUG(5, ("Set Handle state: return OK\n"));
698 if (rparam) free(rparam);
699 if (rdata ) free(rdata );
704 /****************************************************************************
705 check the rpc bind acknowledge response
706 ****************************************************************************/
708 static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *transfer)
712 while (pipe_names[pipe_idx].client_pipe != NULL)
714 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
716 DEBUG(5,("Bind Abstract Syntax: "));
717 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
718 sizeof(pipe_names[pipe_idx].abstr_syntax));
719 DEBUG(5,("Bind Transfer Syntax: "));
720 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
721 sizeof(pipe_names[pipe_idx].trans_syntax));
723 /* copy the required syntaxes out so we can do the right bind */
724 memcpy(transfer, &(pipe_names[pipe_idx].trans_syntax),
725 sizeof(pipe_names[pipe_idx].trans_syntax));
726 memcpy(abstract, &(pipe_names[pipe_idx].abstr_syntax),
727 sizeof(pipe_names[pipe_idx].abstr_syntax));
734 DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name));
738 /****************************************************************************
739 check the rpc bind acknowledge response
740 ****************************************************************************/
742 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, char *pipe_name, RPC_IFACE *transfer)
746 while ((pipe_names[i].client_pipe != NULL) && hdr_ba->addr.len > 0)
748 DEBUG(6,("bind_rpc_pipe: searching pipe name: client:%s server:%s\n",
749 pipe_names[i].client_pipe , pipe_names[i].server_pipe ));
751 if ((strequal(pipe_name, pipe_names[i].client_pipe )))
753 if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe ))
755 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n",
756 pipe_names[i].server_pipe ));
761 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
762 pipe_names[i].server_pipe ,
773 if (pipe_names[i].server_pipe == NULL)
775 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
779 /* check the transfer syntax */
780 if (!((hdr_ba->transfer.version == transfer->version) &&
781 (memcmp(hdr_ba->transfer.data, transfer->data,
782 sizeof(transfer->version)) ==0)))
784 DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n"));
788 /* lkclXXXX only accept one result: check the result(s) */
789 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0)
791 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
792 hdr_ba->res.num_results, hdr_ba->res.reason));
795 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
799 /****************************************************************************
801 ****************************************************************************/
803 static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name,
804 RPC_IFACE *abstract, RPC_IFACE *transfer,
811 prs_struct auth_ntlm;
816 BOOL valid_ack = False;
817 BOOL ntlmssp_auth = cli->ntlmssp_cli_flgs != 0;
820 if (pipe_name == NULL || abstract == NULL || transfer == NULL)
825 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_name));
827 if (!valid_pipe_name(pipe_name, abstract, transfer)) return False;
829 prs_init(&hdr , 0x10 , 4, 0x0 , False);
830 prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False);
831 prs_init(&hdr_auth , (ntlmssp_auth ? 8 : 0), 4, SAFETY_MARGIN, False);
832 prs_init(&auth_req , (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False);
833 prs_init(&auth_ntlm, (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False);
835 prs_init(&rdata , 0 , 4, SAFETY_MARGIN, True);
836 prs_init(&rparam , 0 , 4, SAFETY_MARGIN, True);
838 rpc_call_id = get_rpc_call_id();
839 create_rpc_bind_req(&hdr, &hdr_rb,
840 ntlmssp_auth ? &hdr_auth : NULL,
841 ntlmssp_auth ? &auth_req : NULL,
842 ntlmssp_auth ? &auth_ntlm : NULL,
845 global_myname, cli->domain, cli->ntlmssp_cli_flgs);
847 /* this is a hack due to limitations in rpc_api_pipe */
848 prs_init(&data, mem_buf_len(hdr.data), 4, 0x0, False);
849 mem_buf_copy(data.data->data, hdr.data, 0, mem_buf_len(hdr.data));
851 /* send data on \PIPE\. receive a response */
852 if (rpc_api_pipe(cli, 0x0026, NULL, &data, &rparam, &rdata))
855 RPC_HDR_AUTH rhdr_auth;
856 RPC_AUTH_VERIFIER rhdr_verf;
857 RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
859 DEBUG(5, ("rpc_api_pipe: return OK\n"));
861 smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0);
863 if (rdata.offset != 0)
865 valid_ack = check_bind_response(&hdr_ba, pipe_name, transfer);
870 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
871 cli->max_recv_frag = hdr_ba.bba.max_rsize;
874 if (valid_ack && ntlmssp_auth)
876 smb_io_rpc_hdr_auth("", &rhdr_auth, &rdata, 0);
877 if (rdata.offset == 0) valid_ack = False;
880 if (valid_ack && ntlmssp_auth)
882 smb_io_rpc_auth_verifier("", &rhdr_verf, &rdata, 0);
883 if (rdata.offset == 0) valid_ack = False;
885 if (valid_ack && ntlmssp_auth)
887 smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, &rdata, 0);
888 if (rdata.offset == 0) valid_ack = False;
890 if (valid_ack && ntlmssp_auth)
892 unsigned char p24[24];
893 unsigned char lm_owf[24];
894 unsigned char lm_hash[16];
897 prs_struct hdr_autha;
898 prs_struct auth_resp;
901 cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
903 prs_init(&hdra , 0x10, 4, 0x0 , False);
904 prs_init(&hdr_autha, 1024, 4, SAFETY_MARGIN, False);
905 prs_init(&auth_resp, 1024, 4, SAFETY_MARGIN, False);
907 pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
909 create_rpc_bind_resp(&cli->pwd, cli->domain,
910 cli->user_name, global_myname,
911 cli->ntlmssp_cli_flgs,
913 &hdra, &hdr_autha, &auth_resp);
915 pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
916 pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
917 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
918 bzero(lm_hash, sizeof(lm_hash));
919 NTLMSSPhash(cli->ntlmssp_hash, p24);
921 /* this is a hack due to limitations in rpc_api_pipe */
922 prs_init(&dataa, mem_buf_len(hdra.data), 4, 0x0, False);
923 mem_buf_copy(dataa.data->data, hdra.data, 0, mem_buf_len(hdra.data));
925 if (cli_write(cli, cli->nt_pipe_fnum, 0x0008,
927 dataa.data->data_used) < 0)
934 cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
938 prs_mem_free(&dataa);
939 prs_mem_free(&hdr_autha);
940 prs_mem_free(&auth_resp);
944 prs_mem_free(&data );
946 prs_mem_free(&hdr_rb );
947 prs_mem_free(&hdr_auth );
948 prs_mem_free(&auth_req );
949 prs_mem_free(&auth_ntlm);
950 prs_mem_free(&rdata );
951 prs_mem_free(&rparam );
956 /****************************************************************************
957 set ntlmssp negotiation flags
958 ****************************************************************************/
960 void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs)
962 cli->ntlmssp_cli_flgs = ntlmssp_flgs;
966 /****************************************************************************
968 ****************************************************************************/
970 BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name)
976 /******************* open the pipe *****************/
977 if (IS_BITS_SET_ALL(cli->capabilities, CAP_NT_SMBS))
979 if ((fnum = cli_nt_create(cli, &(pipe_name[5]))) == -1)
981 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
982 &(pipe_name[5]), cli->desthost, cli_errstr(cli)));
986 cli->nt_pipe_fnum = (uint16)fnum;
990 if ((fnum = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE)) == -1)
992 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
993 pipe_name, cli->desthost, cli_errstr(cli)));
997 cli->nt_pipe_fnum = (uint16)fnum;
999 /**************** Set Named Pipe State ***************/
1000 if (!rpc_pipe_set_hnd_state(cli, pipe_name, 0x4300))
1002 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1004 cli_close(cli, cli->nt_pipe_fnum);
1010 /******************* bind request on pipe *****************/
1012 if (!rpc_pipe_bind(cli, pipe_name,
1013 &abstract, &transfer,
1016 DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n",
1018 cli_close(cli, cli->nt_pipe_fnum);
1023 * Setup the remote server name prefixed by \ and the machine account name.
1026 fstrcpy(cli->srv_name_slash, "\\\\");
1027 fstrcat(cli->srv_name_slash, cli->desthost);
1028 strupper(cli->srv_name_slash);
1030 fstrcpy(cli->clnt_name_slash, "\\\\");
1031 fstrcat(cli->clnt_name_slash, global_myname);
1032 strupper(cli->clnt_name_slash);
1034 fstrcpy(cli->mach_acct, global_myname);
1035 fstrcat(cli->mach_acct, "$");
1036 strupper(cli->mach_acct);
1041 /****************************************************************************
1043 ****************************************************************************/
1045 void cli_nt_session_close(struct cli_state *cli)
1047 cli_close(cli, cli->nt_pipe_fnum);