missed some of Derrel's changes
[samba.git] / source3 / rpc_client / cli_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1998,
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6  *  Copyright (C) Paul Ashton                       1998.
7  *  Copyright (C) Jeremy Allison                    1999.
8  *  Copyright (C) Andrew Bartlett                   2003.
9  *  
10  *  This program is free software; you can redistribute it and/or modify
11  *  it under the terms of the GNU General Public License as published by
12  *  the Free Software Foundation; either version 2 of the License, or
13  *  (at your option) any later version.
14  *  
15  *  This program is distributed in the hope that it will be useful,
16  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
17  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18  *  GNU General Public License for more details.
19  *  
20  *  You should have received a copy of the GNU General Public License
21  *  along with this program; if not, write to the Free Software
22  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23  */
24
25 #include "includes.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_RPC_CLI
29
30 extern struct pipe_id_info pipe_names[];
31
32 /* convert pipe auth flags into the RPC auth type and level */
33
34 void get_auth_type_level(int pipe_auth_flags, int *auth_type, int *auth_level) 
35 {
36         *auth_type = 0;
37         *auth_level = 0;
38         if (pipe_auth_flags & AUTH_PIPE_SEAL) {
39                 *auth_level = RPC_PIPE_AUTH_SEAL_LEVEL;
40         } else if (pipe_auth_flags & AUTH_PIPE_SIGN) {
41                 *auth_level = RPC_PIPE_AUTH_SIGN_LEVEL;
42         }
43         
44         if (pipe_auth_flags & AUTH_PIPE_NETSEC) {
45                 *auth_type = NETSEC_AUTH_TYPE;
46         } else if (pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
47                 *auth_type = NTLMSSP_AUTH_TYPE;
48         }
49 }
50
51 /********************************************************************
52  Rpc pipe call id.
53  ********************************************************************/
54
55 static uint32 get_rpc_call_id(void)
56 {
57         static uint32 call_id = 0;
58         return ++call_id;
59 }
60
61 /*******************************************************************
62  Use SMBreadX to get rest of one fragment's worth of rpc data.
63  ********************************************************************/
64
65 static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
66 {
67         size_t size = (size_t)cli->max_recv_frag;
68         int stream_offset = 0;
69         int num_read;
70         char *pdata;
71         int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
72
73         DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
74                 (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
75
76         /*
77          * Grow the buffer if needed to accommodate the data to be read.
78          */
79
80         if (extra_data_size > 0) {
81                 if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
82                         DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
83                         return False;
84                 }
85                 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
86         }
87
88         pdata = prs_data_p(rdata) + *rdata_offset;
89
90         do /* read data using SMBreadX */
91         {
92                 uint32 ecode;
93                 uint8 eclass;
94
95                 if (size > (size_t)data_to_read)
96                         size = (size_t)data_to_read;
97
98                 num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
99
100                 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
101                           num_read, stream_offset, data_to_read));
102
103                 if (cli_is_dos_error(cli)) {
104                         cli_dos_error(cli, &eclass, &ecode);
105                         if (eclass != ERRDOS && ecode != ERRmoredata) {
106                                 DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
107                                          eclass, (unsigned int)ecode));
108                                 return False;
109                         }
110                 }
111
112                 data_to_read -= num_read;
113                 stream_offset += num_read;
114                 pdata += num_read;
115
116         } while (num_read > 0 && data_to_read > 0);
117         /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
118
119         /*
120          * Update the current offset into rdata by the amount read.
121          */
122         *rdata_offset += stream_offset;
123
124         return True;
125 }
126
127 /****************************************************************************
128  Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
129  ****************************************************************************/
130
131 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr, 
132                           BOOL *first, BOOL *last, uint32 *len)
133 {
134         DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
135
136         /* Next call sets endian bit. */
137
138         if(!smb_io_rpc_hdr("rpc_hdr   ", rhdr, rdata, 0)) {
139                 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
140                 return False;
141         }
142
143         if (prs_offset(rdata) != RPC_HEADER_LEN) {
144                 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
145                 return False;
146         }
147
148         (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
149         (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
150         (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
151
152         return (rhdr->pkt_type != RPC_FAULT);
153 }
154
155 /****************************************************************************
156  Verify data on an rpc pipe.
157  The VERIFY & SEAL code is only executed on packets that look like this :
158
159  Request/Response PDU's look like the following...
160
161  |<------------------PDU len----------------------------------------------->|
162  |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
163
164  +------------+-----------------+-------------+---------------+-------------+
165  | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR      | AUTH DATA   |
166  +------------+-----------------+-------------+---------------+-------------+
167
168  Never on bind requests/responses.
169  ****************************************************************************/
170
171 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
172                           uint32 fragment_start, int len, int auth_len, uint8 pkt_type,
173                           int *pauth_padding_len)
174 {
175         
176         /*
177          * The following is that length of the data we must sign or seal.
178          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
179          * preceeding the auth_data.
180          */
181
182         int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
183
184         /*
185          * The start of the data to sign/seal is just after the RPC headers.
186          */
187         char *reply_data = prs_data_p(rdata) + fragment_start + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
188
189         RPC_HDR_AUTH rhdr_auth; 
190
191         char *dp = prs_data_p(rdata) + fragment_start + len -
192                 RPC_HDR_AUTH_LEN - auth_len;
193         prs_struct auth_verf;
194
195         *pauth_padding_len = 0;
196
197         if (auth_len == 0) {
198                 if (cli->pipe_auth_flags == 0) {
199                         /* move along, nothing to see here */
200                         return True;
201                 }
202
203                 DEBUG(2, ("No authenticaton header recienved on reply, but this pipe is authenticated\n"));
204                 return False;
205         }
206
207         DEBUG(5,("rpc_auth_pipe: pkt_type: %d len: %d auth_len: %d NTLMSSP %s schannel %s sign %s seal %s \n",
208                  pkt_type, len, auth_len, 
209                  BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP), 
210                  BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NETSEC), 
211                  BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SIGN), 
212                  BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SEAL)));
213
214         if (dp - prs_data_p(rdata) > prs_data_size(rdata)) {
215                 DEBUG(0,("rpc_auth_pipe: schannel auth data > data size !\n"));
216                 return False;
217         }
218
219         DEBUG(10,("rpc_auth_pipe: packet:\n"));
220         dump_data(100, dp, auth_len);
221
222         prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
223         
224         /* The endinness must be preserved. JRA. */
225         prs_set_endian_data( &auth_verf, rdata->bigendian_data);
226         
227         /* Point this new parse struct at the auth section of the main 
228            parse struct - rather than copying it.  Avoids needing to
229            free it on every error
230         */
231         prs_give_memory(&auth_verf, dp, RPC_HDR_AUTH_LEN + auth_len, False /* not dynamic */);
232         prs_set_offset(&auth_verf, 0);
233
234         {
235                 int auth_type;
236                 int auth_level;
237                 if (!smb_io_rpc_hdr_auth("auth_hdr", &rhdr_auth, &auth_verf, 0)) {
238                         DEBUG(0, ("rpc_auth_pipe: Could not parse auth header\n"));
239                         return False;
240                 }
241
242                 /* Let the caller know how much padding at the end of the data */
243                 *pauth_padding_len = rhdr_auth.padding;
244                 
245                 /* Check it's the type of reply we were expecting to decode */
246
247                 get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
248                 if (rhdr_auth.auth_type != auth_type) {
249                         DEBUG(0, ("BAD auth type %d (should be %d)\n",
250                                   rhdr_auth.auth_type, auth_type));
251                         return False;
252                 }
253                 
254                 if (rhdr_auth.auth_level != auth_level) {
255                         DEBUG(0, ("BAD auth level %d (should be %d)\n", 
256                                   rhdr_auth.auth_level, auth_level));
257                         return False;
258                 }
259         }
260
261         if (pkt_type == RPC_BINDACK) {
262                 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
263                         /* copy the next auth_len bytes into a buffer for 
264                            later use */
265
266                         DATA_BLOB ntlmssp_verf = data_blob(NULL, auth_len);
267                         BOOL store_ok;
268
269                         /* save the reply away, for use a little later */
270                         prs_copy_data_out((char *)ntlmssp_verf.data, &auth_verf, auth_len);
271
272                         store_ok = (NT_STATUS_IS_OK(ntlmssp_store_response(cli->ntlmssp_pipe_state, 
273                                                                            ntlmssp_verf)));
274
275                         data_blob_free(&ntlmssp_verf);
276                         return store_ok;
277                 } 
278                 else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
279                         /* nothing to do here - we don't seem to be able to 
280                            validate the bindack based on VL's comments */
281                         return True;
282                 }
283         }
284         
285         if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
286                 NTSTATUS nt_status;
287                 DATA_BLOB sig;
288                 if ((cli->pipe_auth_flags & AUTH_PIPE_SIGN) ||
289                     (cli->pipe_auth_flags & AUTH_PIPE_SEAL)) {
290                         if (auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) {
291                                 DEBUG(0,("rpc_auth_pipe: wrong ntlmssp auth len %d\n", auth_len));
292                                 return False;
293                         }
294                         sig = data_blob(NULL, auth_len);
295                         prs_copy_data_out((char *)sig.data, &auth_verf, auth_len);
296                 }
297         
298                 /*
299                  * Unseal any sealed data in the PDU, not including the
300                  * 8 byte auth_header or the auth_data.
301                  */
302
303                 /*
304                  * Now unseal and check the auth verifier in the auth_data at
305                  * the end of the packet. 
306                  */
307
308                 if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
309                         if (data_len < 0) {
310                                 DEBUG(1, ("Can't unseal - data_len < 0!!\n"));
311                                 return False;
312                         }
313                         nt_status = ntlmssp_unseal_packet(cli->ntlmssp_pipe_state, 
314                                                                  (unsigned char *)reply_data, data_len,
315                                                                  &sig);
316                 } 
317                 else if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
318                         nt_status = ntlmssp_check_packet(cli->ntlmssp_pipe_state, 
319                                                                 (const unsigned char *)reply_data, data_len,
320                                                                 &sig);
321                 }
322
323                 data_blob_free(&sig);
324
325                 if (!NT_STATUS_IS_OK(nt_status)) {
326                         DEBUG(0, ("rpc_auth_pipe: could not validate "
327                                   "incoming NTLMSSP packet!\n"));
328                         return False;
329                 }
330         }
331
332         if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
333                 RPC_AUTH_NETSEC_CHK chk;
334
335                 if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
336                         DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len));
337                         return False;
338                 }
339
340                 if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign", 
341                                                 &chk, &auth_verf, 0)) {
342                         DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling "
343                                   "RPC_AUTH_NETSECK_CHK failed\n"));
344                         return False;
345                 }
346
347                 if (!netsec_decode(&cli->auth_info,
348                                    cli->pipe_auth_flags,
349                                    SENDER_IS_ACCEPTOR,
350                                    &chk, reply_data, data_len)) {
351                         DEBUG(0, ("rpc_auth_pipe: Could not decode schannel\n"));
352                         return False;
353                 }
354
355                 cli->auth_info.seq_num++;
356
357         }
358         return True;
359 }
360
361
362 /****************************************************************************
363  Send data on an rpc pipe via trans, which *must* be the last fragment.
364  receive response data from an rpc pipe, which may be large...
365
366  Read the first fragment: unfortunately have to use SMBtrans for the first
367  bit, then SMBreadX for subsequent bits.
368
369  If first fragment received also wasn't the last fragment, continue
370  getting fragments until we _do_ receive the last fragment.
371
372  Request/Response PDU's look like the following...
373
374  |<------------------PDU len----------------------------------------------->|
375  |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
376
377  +------------+-----------------+-------------+---------------+-------------+
378  | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR      | AUTH DATA   |
379  +------------+-----------------+-------------+---------------+-------------+
380
381  Where the presence of the AUTH_HDR and AUTH are dependent on the
382  signing & sealing being negotiated.
383
384  ****************************************************************************/
385
386 static BOOL rpc_api_pipe(struct cli_state *cli, prs_struct *data, prs_struct *rdata,
387                          uint8 expected_pkt_type)
388 {
389         uint32 len;
390         char *rparam = NULL;
391         uint32 rparam_len = 0;
392         uint16 setup[2];
393         BOOL first = True;
394         BOOL last  = True;
395         RPC_HDR rhdr;
396         char *pdata = data ? prs_data_p(data) : NULL;
397         uint32 data_len = data ? prs_offset(data) : 0;
398         char *prdata = NULL;
399         uint32 rdata_len = 0;
400         uint32 current_offset = 0;
401         uint32 fragment_start = 0;
402         uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : 1024;
403         int auth_padding_len = 0;
404
405         /* Create setup parameters - must be in native byte order. */
406
407         setup[0] = TRANSACT_DCERPCCMD; 
408         setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
409
410         DEBUG(5,("rpc_api_pipe: fnum:%x\n", (int)cli->nt_pipe_fnum));
411
412         /* Send the RPC request and receive a response.  For short RPC
413            calls (about 1024 bytes or so) the RPC request and response
414            appears in a SMBtrans request and response.  Larger RPC
415            responses are received further on. */
416
417         if (!cli_api_pipe(cli, "\\PIPE\\",
418                   setup, 2, 0,                     /* Setup, length, max */
419                   NULL, 0, 0,                      /* Params, length, max */
420                   pdata, data_len, max_data,       /* data, length, max */
421                   &rparam, &rparam_len,            /* return params, len */
422                   &prdata, &rdata_len))            /* return data, len */
423         {
424                 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
425                 return False;
426         }
427
428         /* Throw away returned params - we know we won't use them. */
429
430         SAFE_FREE(rparam);
431
432         if (prdata == NULL) {
433                 DEBUG(0,("rpc_api_pipe: pipe %x failed to return data.\n",
434                         (int)cli->nt_pipe_fnum));
435                 return False;
436         }
437
438         /*
439          * Give this memory as dynamically allocated to the return parse
440          * struct.  
441          */
442
443         prs_give_memory(rdata, prdata, rdata_len, True);
444         current_offset = rdata_len;
445
446         /* This next call sets the endian bit correctly in rdata. */
447
448         if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
449                 prs_mem_free(rdata);
450                 return False;
451         }
452
453         if (rhdr.pkt_type == RPC_BINDACK) {
454                 if (!last && !first) {
455                         DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
456                         first = True;
457                         last = True;
458                 }
459         }
460
461         if (rhdr.pkt_type == RPC_BINDNACK) {
462                 DEBUG(3, ("Bind NACK received on pipe %x!\n", (int)cli->nt_pipe_fnum));
463                 prs_mem_free(rdata);
464                 return False;
465         }
466
467         if (rhdr.pkt_type == RPC_RESPONSE) {
468                 RPC_HDR_RESP rhdr_resp;
469                 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
470                         DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
471                         prs_mem_free(rdata);
472                         return False;
473                 }
474         }
475
476         if (rhdr.pkt_type != expected_pkt_type) {
477                 DEBUG(3, ("Connection to pipe %x got an unexpected RPC packet type - %d, not %d\n", (int)cli->nt_pipe_fnum, rhdr.pkt_type, expected_pkt_type));
478                 prs_mem_free(rdata);
479                 return False;
480         }
481
482         DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
483                   (unsigned int)len, (unsigned int)rdata_len ));
484
485         /* check if data to be sent back was too large for one SMBtrans */
486         /* err status is only informational: the _real_ check is on the
487            length */
488
489         if (len > 0) { 
490                 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
491
492                 /* Read the remaining part of the first response fragment */
493
494                 if (!rpc_read(cli, rdata, len, &current_offset)) {
495                         prs_mem_free(rdata);
496                         return False;
497                 }
498         }
499
500         /*
501          * Now we have a complete PDU, check the auth struct if any was sent.
502          */
503
504         if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
505                           rhdr.auth_len, rhdr.pkt_type, &auth_padding_len)) {
506                 prs_mem_free(rdata);
507                 return False;
508         }
509
510         if (rhdr.auth_len != 0) {
511                 /*
512                  * Drop the auth footers from the current offset.
513                  * We need this if there are more fragments.
514                  * The auth footers consist of the auth_data and the
515                  * preceeding 8 byte auth_header.
516                  */
517                 current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
518         }
519         
520         /* 
521          * Only one rpc fragment, and it has been read.
522          */
523
524         if (first && last) {
525                 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
526                 return True;
527         }
528
529         /*
530          * Read more fragments using SMBreadX until we get one with the
531          * last bit set.
532          */
533
534         while (!last) {
535                 RPC_HDR_RESP rhdr_resp;
536                 int num_read;
537                 char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
538                 prs_struct hps;
539                 uint8 eclass;
540                 uint32 ecode;
541                 
542                 /*
543                  * First read the header of the next PDU.
544                  */
545
546                 prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
547                 prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
548
549                 num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
550                 if (cli_is_dos_error(cli)) {
551                         cli_dos_error(cli, &eclass, &ecode);
552                         if (eclass != ERRDOS && ecode != ERRmoredata) {
553                                 DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
554                                 return False;
555                         }
556                 }
557
558                 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
559
560                 if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
561                         DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
562                                 RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
563                         return False;
564                 }
565
566                 /* This call sets the endianness in hps. */
567
568                 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
569                         return False;
570
571                 /* Ensure the endianness in rdata is set correctly - must be same as hps. */
572
573                 if (hps.bigendian_data != rdata->bigendian_data) {
574                         DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
575                                 rdata->bigendian_data ? "big" : "little",
576                                 hps.bigendian_data ? "big" : "little" ));
577                         return False;
578                 }
579
580                 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
581                         DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
582                         return False;
583                 }
584
585                 if (first) {
586                         DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
587                         return False;
588                 }
589
590                 /*
591                  * Now read the rest of the PDU.
592                  */
593
594                 if (!rpc_read(cli, rdata, len, &current_offset)) {
595                         prs_mem_free(rdata);
596                         return False;
597                 }
598
599                 fragment_start = current_offset - len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
600
601                 /*
602                  * Verify any authentication footer.
603                  */
604
605                 
606                 if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
607                                   rhdr.auth_len, rhdr.pkt_type, &auth_padding_len)) {
608                         prs_mem_free(rdata);
609                         return False;
610                 }
611                 
612                 if (rhdr.auth_len != 0 ) {
613                         
614                         /*
615                          * Drop the auth footers from the current offset.
616                          * The auth footers consist of the auth_data and the
617                          * preceeding 8 byte auth_header.
618                          * We need this if there are more fragments.
619                          */
620                         current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
621                 }
622         }
623
624         return True;
625 }
626
627 /*******************************************************************
628  creates a DCE/RPC bind request
629
630  - initialises the parse structure.
631  - dynamically allocates the header data structure
632  - caller is expected to free the header data structure once used.
633
634  ********************************************************************/
635
636 static NTSTATUS create_rpc_bind_req(struct cli_state *cli, prs_struct *rpc_out, 
637                                     uint32 rpc_call_id,
638                                     RPC_IFACE *abstract, RPC_IFACE *transfer,
639                                     const char *my_name, const char *domain)
640 {
641         RPC_HDR hdr;
642         RPC_HDR_RB hdr_rb;
643         RPC_HDR_AUTH hdr_auth;
644         int auth_len = 0;
645         int auth_type, auth_level;
646         size_t saved_hdr_offset = 0;
647
648         prs_struct auth_info;
649         prs_init(&auth_info, RPC_HDR_AUTH_LEN, /* we will need at least this much */
650                 prs_get_mem_context(rpc_out), MARSHALL);
651
652         if (cli->pipe_auth_flags) {
653                 get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
654                 
655                 /*
656                  * Create the auth structs we will marshall.
657                  */
658                 
659                 init_rpc_hdr_auth(&hdr_auth, auth_type, auth_level, 0x00, 1);
660                 
661                 /*
662                  * Now marshall the data into the temporary parse_struct.
663                  */
664                 
665                 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
666                         DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
667                         prs_mem_free(&auth_info);
668                         return NT_STATUS_NO_MEMORY;
669                 }
670                 saved_hdr_offset = prs_offset(&auth_info);
671         }
672         
673         if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
674
675                 NTSTATUS nt_status;
676                 DATA_BLOB null_blob = data_blob(NULL, 0);
677                 DATA_BLOB request;
678
679                 DEBUG(5, ("Processing NTLMSSP Negotiate\n"));
680                 nt_status = ntlmssp_update(cli->ntlmssp_pipe_state,
681                                            null_blob,
682                                            &request);
683
684                 if (!NT_STATUS_EQUAL(nt_status, 
685                                      NT_STATUS_MORE_PROCESSING_REQUIRED)) {
686                         prs_mem_free(&auth_info);
687                         return nt_status;
688                 }
689
690                 /* Auth len in the rpc header doesn't include auth_header. */
691                 auth_len = request.length;
692                 prs_copy_data_in(&auth_info, (char *)request.data, request.length);
693
694                 DEBUG(5, ("NTLMSSP Negotiate:\n"));
695                 dump_data(5, (const char *)request.data, request.length);
696
697                 data_blob_free(&request);
698
699         } else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
700                 RPC_AUTH_NETSEC_NEG netsec_neg;
701
702                 /* Use lp_workgroup() if domain not specified */
703
704                 if (!domain || !domain[0]) {
705                         DEBUG(10,("create_rpc_bind_req: no domain; assuming my own\n"));
706                         domain = lp_workgroup();
707                 }
708
709                 init_rpc_auth_netsec_neg(&netsec_neg, domain, my_name);
710
711                 /*
712                  * Now marshall the data into the temporary parse_struct.
713                  */
714
715                 if(!smb_io_rpc_auth_netsec_neg("netsec_neg",
716                                                &netsec_neg, &auth_info, 0)) {
717                         DEBUG(0,("Failed to marshall RPC_AUTH_NETSEC_NEG.\n"));
718                         prs_mem_free(&auth_info);
719                         return NT_STATUS_NO_MEMORY;
720                 }
721
722                 /* Auth len in the rpc header doesn't include auth_header. */
723                 auth_len = prs_offset(&auth_info) - saved_hdr_offset;
724         }
725
726         /* Create the request RPC_HDR */
727         init_rpc_hdr(&hdr, RPC_BIND, 0x3, rpc_call_id, 
728                 RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
729                 auth_len);
730
731         if(!smb_io_rpc_hdr("hdr"   , &hdr, rpc_out, 0)) {
732                 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
733                 prs_mem_free(&auth_info);
734                 return NT_STATUS_NO_MEMORY;
735         }
736
737         /* create the bind request RPC_HDR_RB */
738         init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
739                         0x1, 0x0, 0x1, abstract, transfer);
740
741         /* Marshall the bind request data */
742         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
743                 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
744                 prs_mem_free(&auth_info);
745                 return NT_STATUS_NO_MEMORY;
746         }
747
748         /*
749          * Grow the outgoing buffer to store any auth info.
750          */
751
752         if(auth_len != 0) {
753                 if(!prs_append_prs_data( rpc_out, &auth_info)) {
754                         DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
755                         prs_mem_free(&auth_info);
756                         return NT_STATUS_NO_MEMORY;
757                 }
758         }
759         prs_mem_free(&auth_info);
760         return NT_STATUS_OK;
761 }
762
763 /*******************************************************************
764  Creates a DCE/RPC bind authentication response.
765  This is the packet that is sent back to the server once we
766  have received a BIND-ACK, to finish the third leg of
767  the authentication handshake.
768  ********************************************************************/
769
770 static NTSTATUS create_rpc_bind_resp(struct cli_state *cli,
771                                  uint32 rpc_call_id,
772                                  prs_struct *rpc_out)
773 {
774         NTSTATUS nt_status;
775         RPC_HDR hdr;
776         RPC_HDR_AUTHA hdr_autha;
777         DATA_BLOB ntlmssp_null_response = data_blob(NULL, 0);
778         DATA_BLOB ntlmssp_reply;
779         int auth_type, auth_level;
780
781         /* The response is picked up from the internal cache,
782            where it was placed by the rpc_auth_pipe() code */
783         nt_status = ntlmssp_update(cli->ntlmssp_pipe_state,
784                                    ntlmssp_null_response,
785                                    &ntlmssp_reply);
786         
787         if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
788                 return nt_status;
789         }
790
791         /* Create the request RPC_HDR */
792         init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
793                      RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + ntlmssp_reply.length,
794                      ntlmssp_reply.length );
795         
796         /* Marshall it. */
797         if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
798                 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
799                 data_blob_free(&ntlmssp_reply);
800                 return NT_STATUS_NO_MEMORY;
801         }
802
803         get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
804         
805         /* Create the request RPC_HDR_AUTHA */
806         init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
807                            auth_type, auth_level, 0x00);
808
809         if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
810                 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
811                 data_blob_free(&ntlmssp_reply);
812                 return NT_STATUS_NO_MEMORY;
813         }
814
815         /*
816          * Append the auth data to the outgoing buffer.
817          */
818
819         if(!prs_copy_data_in(rpc_out, (char *)ntlmssp_reply.data, ntlmssp_reply.length)) {
820                 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
821                 data_blob_free(&ntlmssp_reply);
822                 return NT_STATUS_NO_MEMORY;
823         }
824
825         data_blob_free(&ntlmssp_reply);
826         return NT_STATUS_OK;
827 }
828
829
830 /*******************************************************************
831  Creates a DCE/RPC request.
832  ********************************************************************/
833
834 static uint32 create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len, uint8 flags, uint32 oldid, uint32 data_left)
835 {
836         uint32 alloc_hint;
837         RPC_HDR     hdr;
838         RPC_HDR_REQ hdr_req;
839         uint32 callid = oldid ? oldid : get_rpc_call_id();
840
841         DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
842
843         /* create the rpc header RPC_HDR */
844         init_rpc_hdr(&hdr, RPC_REQUEST, flags,
845                      callid, data_len, auth_len);
846
847         /*
848          * The alloc hint should be the amount of data, not including 
849          * RPC headers & footers.
850          */
851
852         if (auth_len != 0)
853                 alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
854         else
855                 alloc_hint = data_len - RPC_HEADER_LEN;
856
857         DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
858                    data_len, auth_len, alloc_hint));
859
860         /* Create the rpc request RPC_HDR_REQ */
861         init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
862
863         /* stream-time... */
864         if(!smb_io_rpc_hdr("hdr    ", &hdr, rpc_out, 0))
865                 return 0;
866
867         if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
868                 return 0;
869
870         if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
871                 return 0;
872
873         return callid;
874 }
875
876 /*******************************************************************
877  Puts an auth header into an rpc request.
878  ********************************************************************/
879
880 static BOOL create_auth_hdr(prs_struct *outgoing_packet, 
881                             int auth_type, 
882                             int auth_level, int padding)
883 {
884         RPC_HDR_AUTH hdr_auth;
885
886         init_rpc_hdr_auth(&hdr_auth, auth_type, auth_level,
887                           padding, 1);
888         if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, 
889                                 outgoing_packet, 0)) {
890                 DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
891                 return False;
892         }
893         return True;
894 }
895
896 /**
897  * Send a request on an RPC pipe and get a response.
898  *
899  * @param data NDR contents of the request to be sent.
900  * @param rdata Unparsed NDR response data.
901 **/
902
903 BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
904                       prs_struct *data, prs_struct *rdata)
905 {
906         uint32 auth_len, real_auth_len, auth_hdr_len, max_data, data_left, data_sent;
907         NTSTATUS nt_status;
908         BOOL ret = False;
909         uint32 callid = 0;
910         fstring dump_name;
911
912         auth_len = 0;
913         real_auth_len = 0;
914         auth_hdr_len = 0;
915
916         if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {    
917                 if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) { 
918                         auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
919                 }
920                 if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {  
921                         auth_len = RPC_AUTH_NETSEC_CHK_LEN;
922                 }
923                 auth_hdr_len = RPC_HDR_AUTH_LEN;
924         }
925
926         /*
927          * calc how much actual data we can send in a PDU fragment
928          */
929         max_data = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
930                 auth_hdr_len - auth_len - 8;
931         
932         for (data_left = prs_offset(data), data_sent = 0; data_left > 0;) {
933                 prs_struct outgoing_packet;
934                 prs_struct sec_blob;
935                 uint32 data_len, send_size;
936                 uint8 flags = 0;
937                 uint32 auth_padding = 0;
938                 DATA_BLOB sign_blob;
939
940                 /*
941                  * how much will we send this time
942                  */
943                 send_size = MIN(data_left, max_data);
944
945                 if (!prs_init(&sec_blob, send_size, /* will need at least this much */
946                               cli->mem_ctx, MARSHALL)) {
947                         DEBUG(0,("Could not malloc %u bytes",
948                                  send_size+auth_padding));
949                         return False;
950                 }
951
952                 if(!prs_append_some_prs_data(&sec_blob, data, 
953                                              data_sent, send_size)) {
954                         DEBUG(0,("Failed to append data to netsec blob\n"));
955                         prs_mem_free(&sec_blob);
956                         return False;
957                 }
958
959                 /*
960                  * NT expects the data that is sealed to be 8-byte
961                  * aligned. The padding must be encrypted as well and
962                  * taken into account when generating the
963                  * authentication verifier. The amount of padding must
964                  * be stored in the auth header.
965                  */
966
967                 if (cli->pipe_auth_flags) {
968                         size_t data_and_padding_size;
969                         int auth_type;
970                         int auth_level;
971                         prs_align_uint64(&sec_blob);
972
973                         get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
974
975                         data_and_padding_size = prs_offset(&sec_blob);
976                         auth_padding = data_and_padding_size - send_size;
977
978                         /* insert the auth header */
979                         
980                         if(!create_auth_hdr(&sec_blob, auth_type, auth_level, auth_padding)) {
981                                 prs_mem_free(&sec_blob);
982                                 return False;
983                         }
984                         
985                         /* create an NTLMSSP signature */
986                         if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
987                                 /*
988                                  * Seal the outgoing data if requested.
989                                  */
990                                 if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
991                                         
992                                         nt_status = ntlmssp_seal_packet(cli->ntlmssp_pipe_state,
993                                                                                (unsigned char*)prs_data_p(&sec_blob),
994                                                                                data_and_padding_size,
995                                                                                &sign_blob);
996                                         if (!NT_STATUS_IS_OK(nt_status)) {
997                                                 prs_mem_free(&sec_blob);
998                                                 return False;
999                                         }
1000                                 } 
1001                                 else if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
1002                                         
1003                                         nt_status = ntlmssp_sign_packet(cli->ntlmssp_pipe_state,
1004                                                                                (unsigned char*)prs_data_p(&sec_blob),
1005                                                                                data_and_padding_size, &sign_blob);
1006                                         if (!NT_STATUS_IS_OK(nt_status)) {
1007                                                 prs_mem_free(&sec_blob);
1008                                                 return False;
1009                                         }
1010                                 }
1011                                 
1012
1013                                 /* write auth footer onto the packet */
1014                                 real_auth_len = sign_blob.length;
1015                                 
1016                                 prs_copy_data_in(&sec_blob, (char *)sign_blob.data, sign_blob.length);
1017                                 data_blob_free(&sign_blob);
1018
1019                         }
1020                         else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {     
1021                                 size_t parse_offset_marker;
1022                                 RPC_AUTH_NETSEC_CHK verf;
1023                                 DEBUG(10,("SCHANNEL seq_num=%d\n", cli->auth_info.seq_num));
1024                                 
1025                                 netsec_encode(&cli->auth_info, 
1026                                               cli->pipe_auth_flags,
1027                                               SENDER_IS_INITIATOR,
1028                                               &verf,
1029                                               prs_data_p(&sec_blob),
1030                                               data_and_padding_size);
1031
1032                                 cli->auth_info.seq_num++;
1033
1034                                 /* write auth footer onto the packet */
1035                                 
1036                                 parse_offset_marker = prs_offset(&sec_blob);
1037                                 if (!smb_io_rpc_auth_netsec_chk("", &verf,
1038                                                                 &sec_blob, 0)) {
1039                                         prs_mem_free(&sec_blob);
1040                                         return False;
1041                                 }
1042                                 real_auth_len = prs_offset(&sec_blob) - parse_offset_marker;
1043                         }
1044                 }
1045
1046                 data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(&sec_blob);
1047
1048                 /*
1049                  * Malloc parse struct to hold it (and enough for alignments).
1050                  */
1051                 if(!prs_init(&outgoing_packet, data_len + 8, 
1052                              cli->mem_ctx, MARSHALL)) {
1053                         DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
1054                         return False;
1055                 }
1056
1057                 if (data_left == prs_offset(data))
1058                         flags |= RPC_FLG_FIRST;
1059
1060                 if (data_left <= max_data)
1061                         flags |= RPC_FLG_LAST;
1062                 /*
1063                  * Write out the RPC header and the request header.
1064                  */
1065                 if(!(callid = create_rpc_request(&outgoing_packet, op_num, 
1066                                                  data_len, real_auth_len, flags, 
1067                                                  callid, data_left))) {
1068                         DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
1069                         prs_mem_free(&outgoing_packet);
1070                         prs_mem_free(&sec_blob);
1071                         return False;
1072                 }
1073
1074                 prs_append_prs_data(&outgoing_packet, &sec_blob);
1075                 prs_mem_free(&sec_blob);
1076
1077                 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len, 
1078                            prs_offset(&outgoing_packet)));
1079                 
1080                 if (flags & RPC_FLG_LAST)
1081                         ret = rpc_api_pipe(cli, &outgoing_packet, 
1082                                            rdata, RPC_RESPONSE);
1083                 else {
1084                         cli_write(cli, cli->nt_pipe_fnum, 0x0008,
1085                                    prs_data_p(&outgoing_packet),
1086                                    data_sent, data_len);
1087                 }
1088                 prs_mem_free(&outgoing_packet);
1089                 data_sent += send_size;
1090                 data_left -= send_size;
1091         }
1092         /* Also capture received data */
1093         slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
1094                  cli_pipe_get_name(cli));
1095         prs_dump(dump_name, op_num, rdata);
1096
1097         return ret;
1098 }
1099
1100 /****************************************************************************
1101  Set the handle state.
1102 ****************************************************************************/
1103
1104 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, const char *pipe_name, uint16 device_state)
1105 {
1106         BOOL state_set = False;
1107         char param[2];
1108         uint16 setup[2]; /* only need 2 uint16 setup parameters */
1109         char *rparam = NULL;
1110         char *rdata = NULL;
1111         uint32 rparam_len, rdata_len;
1112
1113         if (pipe_name == NULL)
1114                 return False;
1115
1116         DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
1117         cli->nt_pipe_fnum, pipe_name, device_state));
1118
1119         /* create parameters: device state */
1120         SSVAL(param, 0, device_state);
1121
1122         /* create setup parameters. */
1123         setup[0] = 0x0001; 
1124         setup[1] = cli->nt_pipe_fnum; /* pipe file handle.  got this from an SMBOpenX. */
1125
1126         /* send the data on \PIPE\ */
1127         if (cli_api_pipe(cli, "\\PIPE\\",
1128                     setup, 2, 0,                /* setup, length, max */
1129                     param, 2, 0,                /* param, length, max */
1130                     NULL, 0, 1024,              /* data, length, max */
1131                     &rparam, &rparam_len,        /* return param, length */
1132                     &rdata, &rdata_len))         /* return data, length */
1133         {
1134                 DEBUG(5, ("Set Handle state: return OK\n"));
1135                 state_set = True;
1136         }
1137
1138         SAFE_FREE(rparam);
1139         SAFE_FREE(rdata);
1140
1141         return state_set;
1142 }
1143
1144 /****************************************************************************
1145  check the rpc bind acknowledge response
1146 ****************************************************************************/
1147
1148 int get_pipe_index( const char *pipe_name )
1149 {
1150         int pipe_idx = 0;
1151
1152         while (pipe_names[pipe_idx].client_pipe != NULL) {
1153                 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) 
1154                         return pipe_idx;
1155                 pipe_idx++;
1156         };
1157
1158         return -1;
1159 }
1160
1161
1162 /****************************************************************************
1163  check the rpc bind acknowledge response
1164 ****************************************************************************/
1165
1166 const char* get_pipe_name_from_index( const int pipe_index )
1167 {
1168
1169         if ( (pipe_index < 0) || (pipe_index >= PI_MAX_PIPES) )
1170                 return NULL;
1171
1172         return pipe_names[pipe_index].client_pipe;              
1173 }
1174
1175 /****************************************************************************
1176  Check to see if this pipe index points to one of 
1177  the pipes only supported by Win2k
1178  ****************************************************************************/
1179
1180 BOOL is_win2k_pipe( const int pipe_idx )
1181 {
1182         switch ( pipe_idx )
1183         {
1184                 case PI_LSARPC_DS:
1185                         return True;
1186         }
1187         
1188         return False;
1189 }
1190
1191 /****************************************************************************
1192  check the rpc bind acknowledge response
1193 ****************************************************************************/
1194
1195 static BOOL valid_pipe_name(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
1196 {
1197         if ( pipe_idx >= PI_MAX_PIPES ) {
1198                 DEBUG(0,("valid_pipe_name: Programmer error!  Invalid pipe index [%d]\n",
1199                         pipe_idx));
1200                 return False;
1201         }
1202
1203         DEBUG(5,("Bind Abstract Syntax: "));    
1204         dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax), 
1205                   sizeof(pipe_names[pipe_idx].abstr_syntax));
1206         DEBUG(5,("Bind Transfer Syntax: "));
1207         dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
1208                   sizeof(pipe_names[pipe_idx].trans_syntax));
1209
1210         /* copy the required syntaxes out so we can do the right bind */
1211         
1212         *transfer = pipe_names[pipe_idx].trans_syntax;
1213         *abstract = pipe_names[pipe_idx].abstr_syntax;
1214
1215         return True;
1216 }
1217
1218 /****************************************************************************
1219  check the rpc bind acknowledge response
1220 ****************************************************************************/
1221
1222 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
1223 {
1224         int i = 0;
1225
1226 # if 0  /* JERRY -- apparently ASU forgets to fill in the server pipe name sometimes */
1227         if ( hdr_ba->addr.len <= 0)
1228                 return False;
1229                 
1230         if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].client_pipe) &&
1231              !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe) )
1232         {
1233                 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s.  oh well!\n",
1234                          pipe_names[i].server_pipe ,hdr_ba->addr.str));
1235                 return False;
1236         }
1237         
1238         DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
1239
1240         if (pipe_names[pipe_idx].server_pipe == NULL) {
1241                 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
1242                 return False;
1243         }
1244 #endif  /* JERRY */
1245
1246         /* check the transfer syntax */
1247         if ((hdr_ba->transfer.version != transfer->version) ||
1248              (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1249                 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1250                 return False;
1251         }
1252
1253         /* lkclXXXX only accept one result: check the result(s) */
1254         if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
1255                 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1256                           hdr_ba->res.num_results, hdr_ba->res.reason));
1257         }
1258
1259         DEBUG(5,("bind_rpc_pipe: accepted!\n"));
1260         return True;
1261 }
1262
1263 /****************************************************************************
1264  Create and send the third packet in an RPC auth.
1265 ****************************************************************************/
1266
1267 static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
1268 {
1269         prs_struct rpc_out;
1270         ssize_t ret;
1271
1272         prs_init(&rpc_out, RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN, /* need at least this much */ 
1273                  cli->mem_ctx, MARSHALL);
1274
1275         if (!NT_STATUS_IS_OK(create_rpc_bind_resp(cli, rpc_call_id,
1276                                                   &rpc_out))) {
1277                 return False;
1278         }
1279
1280         if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out), 
1281                         0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
1282                 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
1283                 prs_mem_free(&rpc_out);
1284                 return False;
1285         }
1286
1287         prs_mem_free(&rpc_out);
1288         return True;
1289 }
1290
1291 /****************************************************************************
1292  Do an rpc bind.
1293 ****************************************************************************/
1294
1295 static BOOL rpc_pipe_bind(struct cli_state *cli, int pipe_idx, const char *my_name)
1296 {
1297         RPC_IFACE abstract;
1298         RPC_IFACE transfer;
1299         prs_struct rpc_out;
1300         prs_struct rdata;
1301         uint32 rpc_call_id;
1302         char buffer[MAX_PDU_FRAG_LEN];
1303
1304         if ( (pipe_idx < 0) || (pipe_idx >= PI_MAX_PIPES) )
1305                 return False;
1306
1307         DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_names[pipe_idx].client_pipe));
1308
1309         if (!valid_pipe_name(pipe_idx, &abstract, &transfer))
1310                 return False;
1311
1312         prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1313
1314         /*
1315          * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
1316          */
1317
1318         prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1319
1320         rpc_call_id = get_rpc_call_id();
1321
1322         if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
1323                 NTSTATUS nt_status;
1324                 fstring password;
1325
1326                 DEBUG(5, ("NTLMSSP authenticated pipe selected\n"));
1327
1328                 nt_status = ntlmssp_client_start(&cli->ntlmssp_pipe_state);
1329                 
1330                 if (!NT_STATUS_IS_OK(nt_status))
1331                         return False;
1332
1333                 /* Currently the NTLMSSP code does not implement NTLM2 correctly for signing or sealing */
1334
1335                 cli->ntlmssp_pipe_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
1336
1337                 nt_status = ntlmssp_set_username(cli->ntlmssp_pipe_state, 
1338                                                  cli->user_name);
1339                 if (!NT_STATUS_IS_OK(nt_status))
1340                         return False;
1341
1342                 nt_status = ntlmssp_set_domain(cli->ntlmssp_pipe_state, 
1343                                                cli->domain);    
1344                 if (!NT_STATUS_IS_OK(nt_status))
1345                         return False;
1346
1347                 if (cli->pwd.null_pwd) {
1348                         nt_status = ntlmssp_set_password(cli->ntlmssp_pipe_state, 
1349                                                          NULL);
1350                         if (!NT_STATUS_IS_OK(nt_status))
1351                                 return False;
1352                 } else {
1353                         pwd_get_cleartext(&cli->pwd, password);
1354                         nt_status = ntlmssp_set_password(cli->ntlmssp_pipe_state, 
1355                                                          password);
1356                         if (!NT_STATUS_IS_OK(nt_status))
1357                                 return False;
1358                 }
1359
1360                 if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
1361                         cli->ntlmssp_pipe_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
1362                 }
1363
1364                 if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
1365                         cli->ntlmssp_pipe_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
1366                 }
1367         } else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
1368                 cli->auth_info.seq_num = 0;
1369         }
1370
1371         /* Marshall the outgoing data. */
1372         create_rpc_bind_req(cli, &rpc_out, rpc_call_id,
1373                             &abstract, &transfer,
1374                             global_myname(), cli->domain);
1375
1376         /* Initialize the incoming data struct. */
1377         prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
1378
1379         /* send data on \PIPE\.  receive a response */
1380         if (rpc_api_pipe(cli, &rpc_out, &rdata, RPC_BINDACK)) {
1381                 RPC_HDR_BA   hdr_ba;
1382
1383                 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
1384
1385                 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
1386                         DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
1387                         prs_mem_free(&rdata);
1388                         return False;
1389                 }
1390
1391                 if(!check_bind_response(&hdr_ba, pipe_idx, &transfer)) {
1392                         DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
1393                         prs_mem_free(&rdata);
1394                         return False;
1395                 }
1396
1397                 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
1398                 cli->max_recv_frag = hdr_ba.bba.max_rsize;
1399
1400                 /*
1401                  * If we're doing NTLMSSP auth we need to send a reply to
1402                  * the bind-ack to complete the 3-way challenge response
1403                  * handshake.
1404                  */
1405
1406                 if ((cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) 
1407                     && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
1408                         DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
1409                         prs_mem_free(&rdata);
1410                         return False;
1411                 }
1412                 prs_mem_free(&rdata);
1413                 return True;
1414         }
1415
1416         return False;
1417 }
1418
1419 /****************************************************************************
1420  Open a session.
1421  ****************************************************************************/
1422
1423 BOOL cli_nt_session_open(struct cli_state *cli, const int pipe_idx)
1424 {
1425         int fnum;
1426
1427         /* At the moment we can't have more than one pipe open over
1428            a cli connection. )-: */
1429
1430         SMB_ASSERT(cli->nt_pipe_fnum == 0);
1431         
1432         /* The pipe index must fall within our array */
1433
1434         SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
1435
1436         if (cli->capabilities & CAP_NT_SMBS) {
1437                 if ((fnum = cli_nt_create(cli, &pipe_names[pipe_idx].client_pipe[5], DESIRED_ACCESS_PIPE)) == -1) {
1438                         DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s.  Error was %s\n",
1439                                  &pipe_names[pipe_idx].client_pipe[5], cli->desthost, cli_errstr(cli)));
1440                         return False;
1441                 }
1442
1443                 cli->nt_pipe_fnum = (uint16)fnum;
1444         } else {
1445                 if ((fnum = cli_open(cli, pipe_names[pipe_idx].client_pipe, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1446                         DEBUG(1,("cli_nt_session_open: cli_open failed on pipe %s to machine %s.  Error was %s\n",
1447                                  pipe_names[pipe_idx].client_pipe, cli->desthost, cli_errstr(cli)));
1448                         return False;
1449                 }
1450
1451                 cli->nt_pipe_fnum = (uint16)fnum;
1452
1453                 /**************** Set Named Pipe State ***************/
1454                 if (!rpc_pipe_set_hnd_state(cli, pipe_names[pipe_idx].client_pipe, 0x4300)) {
1455                         DEBUG(0,("cli_nt_session_open: pipe hnd state failed.  Error was %s\n",
1456                                   cli_errstr(cli)));
1457                         cli_close(cli, cli->nt_pipe_fnum);
1458                         return False;
1459                 }
1460         }
1461
1462         /******************* bind request on pipe *****************/
1463
1464         if (!rpc_pipe_bind(cli, pipe_idx, global_myname())) {
1465                 DEBUG(2,("cli_nt_session_open: rpc bind to %s failed\n",
1466                          get_pipe_name_from_index(pipe_idx)));
1467                 cli_close(cli, cli->nt_pipe_fnum);
1468                 return False;
1469         }
1470
1471         cli->pipe_idx = pipe_idx;
1472
1473         /* 
1474          * Setup the remote server name prefixed by \ and the machine account name.
1475          */
1476
1477         fstrcpy(cli->srv_name_slash, "\\\\");
1478         fstrcat(cli->srv_name_slash, cli->desthost);
1479         strupper_m(cli->srv_name_slash);
1480
1481         fstrcpy(cli->clnt_name_slash, "\\\\");
1482         fstrcat(cli->clnt_name_slash, global_myname());
1483         strupper_m(cli->clnt_name_slash);
1484
1485         fstrcpy(cli->mach_acct, global_myname());
1486         fstrcat(cli->mach_acct, "$");
1487         strupper_m(cli->mach_acct);
1488
1489         /* Remember which pipe we're talking to */
1490         fstrcpy(cli->pipe_name, pipe_names[pipe_idx].client_pipe);
1491
1492         return True;
1493 }
1494
1495
1496 /****************************************************************************
1497  Open a session to the NETLOGON pipe using schannel.
1498
1499  (Assumes that the netlogon pipe is already open)
1500  ****************************************************************************/
1501
1502 NTSTATUS cli_nt_establish_netlogon(struct cli_state *cli, int sec_chan,
1503                                    const uchar trust_password[16])
1504 {
1505         NTSTATUS result;        
1506         uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
1507         int fnum;
1508
1509         cli_nt_netlogon_netsec_session_close(cli);
1510
1511         if (lp_client_schannel() != False)
1512                 neg_flags |= NETLOGON_NEG_SCHANNEL;
1513
1514         result = cli_nt_setup_creds(cli, sec_chan, trust_password,
1515                                     &neg_flags, 2);
1516
1517         if (!NT_STATUS_IS_OK(result)) {
1518                 cli_nt_session_close(cli);
1519                 return result;
1520         }
1521
1522         if ((lp_client_schannel() == True) &&
1523             ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
1524
1525                 DEBUG(3, ("Server did not offer schannel\n"));
1526                 cli_nt_session_close(cli);
1527                 return NT_STATUS_UNSUCCESSFUL;
1528         }
1529
1530         if ((lp_client_schannel() == False) ||
1531             ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
1532                 return NT_STATUS_OK;
1533                 
1534                 /* keep the existing connection to NETLOGON open */
1535
1536         }
1537
1538         /* Server offered schannel, so try it. */
1539
1540         memcpy(cli->auth_info.sess_key, cli->sess_key,
1541                sizeof(cli->auth_info.sess_key));
1542
1543         cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
1544
1545         cli->pipe_auth_flags = AUTH_PIPE_NETSEC;
1546         cli->pipe_auth_flags |= AUTH_PIPE_SIGN;
1547         cli->pipe_auth_flags |= AUTH_PIPE_SEAL;
1548
1549         if (cli->capabilities & CAP_NT_SMBS) {
1550
1551                 /* The secure channel connection must be opened on the same 
1552                    session (TCP connection) as the one the challenge was
1553                    requested from. */
1554                 if ((fnum = cli_nt_create(cli, PIPE_NETLOGON_PLAIN,
1555                                           DESIRED_ACCESS_PIPE)) == -1) {
1556                         DEBUG(0,("cli_nt_create failed to %s machine %s. "
1557                                  "Error was %s\n",
1558                                  PIPE_NETLOGON, cli->desthost,
1559                                  cli_errstr(cli)));
1560                         return NT_STATUS_UNSUCCESSFUL;
1561                 }
1562                 
1563                 cli->nt_pipe_fnum = (uint16)fnum;
1564         } else {
1565                 if ((fnum = cli_open(cli, PIPE_NETLOGON,
1566                                      O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1567                         DEBUG(0,("cli_open failed on pipe %s to machine %s. "
1568                                  "Error was %s\n",
1569                                  PIPE_NETLOGON, cli->desthost,
1570                                  cli_errstr(cli)));
1571                         return NT_STATUS_UNSUCCESSFUL;
1572                 }
1573
1574                 cli->nt_pipe_fnum = (uint16)fnum;
1575
1576                 /**************** Set Named Pipe State ***************/
1577                 if (!rpc_pipe_set_hnd_state(cli, PIPE_NETLOGON, 0x4300)) {
1578                         DEBUG(0,("Pipe hnd state failed.  Error was %s\n",
1579                                   cli_errstr(cli)));
1580                         cli_close(cli, cli->nt_pipe_fnum);
1581                         return NT_STATUS_UNSUCCESSFUL;
1582                 }
1583         }
1584         
1585         if (!rpc_pipe_bind(cli, PI_NETLOGON, global_myname())) {
1586                 DEBUG(2,("rpc bind to %s failed\n", PIPE_NETLOGON));
1587                 cli_close(cli, cli->nt_pipe_fnum);
1588                 return NT_STATUS_UNSUCCESSFUL;
1589         }
1590
1591         return NT_STATUS_OK;
1592 }
1593
1594
1595 NTSTATUS cli_nt_setup_netsec(struct cli_state *cli, int sec_chan, int auth_flags,
1596                              const uchar trust_password[16])
1597 {
1598         NTSTATUS result;        
1599         uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
1600         cli->pipe_auth_flags = 0;
1601
1602         if (lp_client_schannel() == False) {
1603                 return NT_STATUS_OK;
1604         }
1605
1606         if (!cli_nt_session_open(cli, PI_NETLOGON)) {
1607                 DEBUG(0, ("Could not initialise %s\n",
1608                           get_pipe_name_from_index(PI_NETLOGON)));
1609                 return NT_STATUS_UNSUCCESSFUL;
1610         }
1611
1612         if (lp_client_schannel() != False)
1613                 neg_flags |= NETLOGON_NEG_SCHANNEL;
1614
1615         neg_flags |= NETLOGON_NEG_SCHANNEL;
1616
1617         result = cli_nt_setup_creds(cli, sec_chan, trust_password,
1618                                     &neg_flags, 2);
1619
1620         if (!(neg_flags & NETLOGON_NEG_SCHANNEL) 
1621             && lp_client_schannel() == True) {
1622                 DEBUG(1, ("Could not negotiate SCHANNEL with the DC!\n"));
1623                 result = NT_STATUS_UNSUCCESSFUL;
1624         }
1625
1626         if (!NT_STATUS_IS_OK(result)) {
1627                 ZERO_STRUCT(cli->auth_info.sess_key);
1628                 ZERO_STRUCT(cli->sess_key);
1629                 cli->pipe_auth_flags = 0;
1630                 cli_nt_session_close(cli);
1631                 return result;
1632         }
1633
1634         memcpy(cli->auth_info.sess_key, cli->sess_key,
1635                sizeof(cli->auth_info.sess_key));
1636
1637         cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
1638         cli->nt_pipe_fnum = 0;
1639
1640         /* doing schannel, not per-user auth */
1641         cli->pipe_auth_flags = auth_flags;
1642
1643         return NT_STATUS_OK;
1644 }
1645
1646 const char *cli_pipe_get_name(struct cli_state *cli)
1647 {
1648         return cli->pipe_name;
1649 }
1650
1651