2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1998.
7 * Copyright (C) Jeremy Allison 1999.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 extern struct pipe_id_info pipe_names[];
27 extern fstring global_myworkgroup;
28 extern pstring global_myname;
30 /********************************************************************
32 ********************************************************************/
34 static uint32 get_rpc_call_id(void)
36 static uint32 call_id = 0;
40 /*******************************************************************
41 Use SMBreadX to get rest of one fragment's worth of rpc data.
42 ********************************************************************/
44 static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
46 size_t size = (size_t)cli->max_recv_frag;
47 int stream_offset = 0;
50 int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
52 DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
53 (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
56 * Grow the buffer if needed to accommodate the data to be read.
59 if (extra_data_size > 0) {
60 if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
61 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
64 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
67 pdata = prs_data_p(rdata) + *rdata_offset;
69 do /* read data using SMBreadX */
74 if (size > (size_t)data_to_read)
75 size = (size_t)data_to_read;
77 num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
79 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
80 num_read, stream_offset, data_to_read));
82 if (cli_is_dos_error(cli)) {
83 cli_dos_error(cli, &eclass, &ecode);
84 if (eclass != ERRDOS && ecode != ERRmoredata) {
85 DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
86 eclass, (unsigned int)ecode));
91 data_to_read -= num_read;
92 stream_offset += num_read;
95 } while (num_read > 0 && data_to_read > 0);
96 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
99 * Update the current offset into rdata by the amount read.
101 *rdata_offset += stream_offset;
106 /****************************************************************************
107 Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
108 ****************************************************************************/
110 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
111 BOOL *first, BOOL *last, uint32 *len)
113 DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
115 /* Next call sets endian bit. */
117 if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) {
118 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
122 if (prs_offset(rdata) != RPC_HEADER_LEN) {
123 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
127 (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
128 (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
129 (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
131 return (rhdr->pkt_type != RPC_FAULT);
134 static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len)
136 unsigned char *hash = cli->ntlmssp_hash;
137 unsigned char index_i = hash[256];
138 unsigned char index_j = hash[257];
141 for( ind = 0; ind < len; ind++) {
146 index_j += hash[index_i];
149 hash[index_i] = hash[index_j];
152 t = hash[index_i] + hash[index_j];
153 data[ind] = data[ind] ^ hash[t];
160 /****************************************************************************
161 Verify data on an rpc pipe.
162 The VERIFY & SEAL code is only executed on packets that look like this :
164 Request/Response PDU's look like the following...
166 |<------------------PDU len----------------------------------------------->|
167 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
169 +------------+-----------------+-------------+---------------+-------------+
170 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
171 +------------+-----------------+-------------+---------------+-------------+
173 Never on bind requests/responses.
174 ****************************************************************************/
176 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, int len, int auth_len)
179 * The following is that length of the data we must sign or seal.
180 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
181 * preceeding the auth_data.
184 int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
187 * The start of the data to sign/seal is just after the RPC headers.
189 char *reply_data = prs_data_p(rdata) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
191 BOOL auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
192 BOOL auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
194 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
195 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal)));
198 * Unseal any sealed data in the PDU, not including the
199 * 8 byte auth_header or the auth_data.
203 DEBUG(10,("rpc_auth_pipe: unseal\n"));
204 dump_data(100, reply_data, data_len);
205 NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
206 dump_data(100, reply_data, data_len);
209 if (auth_verify || auth_seal) {
210 RPC_HDR_AUTH rhdr_auth;
212 char data[RPC_HDR_AUTH_LEN];
214 * We set dp to be the end of the packet, minus the auth_len
215 * and the length of the header that preceeds the auth_data.
217 char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN;
219 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
220 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
224 memcpy(data, dp, sizeof(data));
226 prs_init(&auth_req , 0, cli->mem_ctx, UNMARSHALL);
228 /* The endianness must be preserved... JRA. */
230 prs_set_endian_data(&auth_req, rdata->bigendian_data);
232 prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False);
235 * Unmarshall the 8 byte auth_header that comes before the
239 if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) {
240 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n"));
244 if (!rpc_hdr_auth_chk(&rhdr_auth)) {
245 DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n"));
251 * Now unseal and check the auth verifier in the auth_data at
252 * then end of the packet. The 4 bytes skipped in the unseal
253 * seem to be a buffer pointer preceeding the sealed data.
257 RPC_AUTH_NTLMSSP_CHK chk;
259 prs_struct auth_verf;
260 char data[RPC_AUTH_NTLMSSP_CHK_LEN];
261 char *dp = prs_data_p(rdata) + len - auth_len;
263 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
264 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
268 DEBUG(10,("rpc_auth_pipe: verify\n"));
269 dump_data(100, dp, auth_len);
270 NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4);
272 memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN);
273 dump_data(100, data, auth_len);
275 prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
277 /* The endinness must be preserved. JRA. */
278 prs_set_endian_data( &auth_verf, rdata->bigendian_data);
280 prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False);
282 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) {
283 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n"));
287 crc32 = crc32_calc_buffer(reply_data, data_len);
289 if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) {
290 DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n"));
293 cli->ntlmssp_seq_num++;
299 /****************************************************************************
300 Send data on an rpc pipe, which *must* be in one fragment.
301 receive response data from an rpc pipe, which may be large...
303 Read the first fragment: unfortunately have to use SMBtrans for the first
304 bit, then SMBreadX for subsequent bits.
306 If first fragment received also wasn't the last fragment, continue
307 getting fragments until we _do_ receive the last fragment.
309 Request/Response PDU's look like the following...
311 |<------------------PDU len----------------------------------------------->|
312 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
314 +------------+-----------------+-------------+---------------+-------------+
315 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
316 +------------+-----------------+-------------+---------------+-------------+
318 Where the presence of the AUTH_HDR and AUTH are dependent on the
319 signing & sealing being neogitated.
321 ****************************************************************************/
323 static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, prs_struct *data, prs_struct *rdata)
327 uint32 rparam_len = 0;
332 char *pdata = data ? prs_data_p(data) : NULL;
333 uint32 data_len = data ? prs_offset(data) : 0;
335 uint32 rdata_len = 0;
336 uint32 current_offset = 0;
338 /* Create setup parameters - must be in native byte order. */
341 setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
343 DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", (int)cmd,
344 (int)cli->nt_pipe_fnum));
346 /* Send the RPC request and receive a response. For short RPC
347 calls (about 1024 bytes or so) the RPC request and response
348 appears in a SMBtrans request and response. Larger RPC
349 responses are received further on. */
351 if (!cli_api_pipe(cli, "\\PIPE\\",
352 setup, 2, 0, /* Setup, length, max */
353 NULL, 0, 0, /* Params, length, max */
354 pdata, data_len, data_len, /* data, length, max */
355 &rparam, &rparam_len, /* return params, len */
356 &prdata, &rdata_len)) /* return data, len */
358 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
362 /* Throw away returned params - we know we won't use them. */
366 if (prdata == NULL) {
367 DEBUG(0,("rpc_api_pipe: cmd %x on pipe %x failed to return data.\n",
368 (int)cmd, (int)cli->nt_pipe_fnum));
373 * Give this memory as dynamically allocated to the return parse
377 prs_give_memory(rdata, prdata, rdata_len, True);
378 current_offset = rdata_len;
380 /* This next call sets the endian bit correctly in rdata. */
382 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
387 if (rhdr.pkt_type == RPC_BINDACK) {
388 if (!last && !first) {
389 DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
395 if (rhdr.pkt_type == RPC_RESPONSE) {
396 RPC_HDR_RESP rhdr_resp;
397 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
398 DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
404 DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
405 (unsigned int)len, (unsigned int)rdata_len ));
407 /* check if data to be sent back was too large for one SMBtrans */
408 /* err status is only informational: the _real_ check is on the
412 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
414 /* Read the remaining part of the first response fragment */
416 if (!rpc_read(cli, rdata, len, ¤t_offset)) {
423 * Now we have a complete PDU, check the auth struct if any was sent.
426 if (rhdr.auth_len != 0) {
427 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
430 * Drop the auth footers from the current offset.
431 * We need this if there are more fragments.
432 * The auth footers consist of the auth_data and the
433 * preceeding 8 byte auth_header.
435 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
439 * Only one rpc fragment, and it has been read.
443 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
448 * Read more fragments using SMBreadX until we get one with the
453 RPC_HDR_RESP rhdr_resp;
455 char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
461 * First read the header of the next PDU.
464 prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
465 prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
467 num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
468 if (cli_is_dos_error(cli)) {
469 cli_dos_error(cli, &eclass, &ecode);
470 if (eclass != ERRDOS && ecode != ERRmoredata) {
471 DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
476 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
478 if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
479 DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
480 RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
484 /* This call sets the endianness in hps. */
486 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
489 /* Ensure the endianness in rdata is set correctly - must be same as hps. */
491 if (hps.bigendian_data != rdata->bigendian_data) {
492 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
493 rdata->bigendian_data ? "big" : "little",
494 hps.bigendian_data ? "big" : "little" ));
498 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
499 DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
504 DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
509 * Now read the rest of the PDU.
512 if (!rpc_read(cli, rdata, len, ¤t_offset))
516 * Verify any authentication footer.
519 if (rhdr.auth_len != 0 ) {
520 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
523 * Drop the auth footers from the current offset.
524 * The auth footers consist of the auth_data and the
525 * preceeding 8 byte auth_header.
526 * We need this if there are more fragments.
528 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
535 /*******************************************************************
536 creates a DCE/RPC bind request
538 - initialises the parse structure.
539 - dynamically allocates the header data structure
540 - caller is expected to free the header data structure once used.
542 ********************************************************************/
544 static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, uint32 rpc_call_id,
545 RPC_IFACE *abstract, RPC_IFACE *transfer,
546 char *my_name, char *domain, uint32 neg_flags)
551 prs_struct auth_info;
554 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
557 RPC_HDR_AUTH hdr_auth;
558 RPC_AUTH_VERIFIER auth_verifier;
559 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
562 * Create the auth structs we will marshall.
565 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1);
566 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE);
567 init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain);
570 * Use the 4k buffer to store the auth info.
573 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
576 * Now marshall the data into the temporary parse_struct.
579 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
580 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
584 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
585 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n"));
589 if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) {
590 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n"));
594 /* Auth len in the rpc header doesn't include auth_header. */
595 auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
598 /* create the request RPC_HDR */
599 init_rpc_hdr(&hdr, RPC_BIND, 0x0, rpc_call_id,
600 RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
603 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
604 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
608 /* create the bind request RPC_HDR_RB */
609 init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
610 0x1, 0x0, 0x1, abstract, transfer);
612 /* Marshall the bind request data */
613 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
614 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
619 * Grow the outgoing buffer to store any auth info.
622 if(hdr.auth_len != 0) {
623 if(!prs_append_prs_data( rpc_out, &auth_info)) {
624 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
632 /*******************************************************************
633 Creates a DCE/RPC bind authentication response.
634 This is the packet that is sent back to the server once we
635 have received a BIND-ACK, to finish the third leg of
636 the authentication handshake.
637 ********************************************************************/
639 static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
640 char *domain, char *user_name, char *my_name,
641 uint32 ntlmssp_cli_flgs,
645 unsigned char lm_owf[24];
646 unsigned char nt_owf[24];
648 RPC_HDR_AUTHA hdr_autha;
649 RPC_AUTH_VERIFIER auth_verifier;
650 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
652 prs_struct auth_info;
655 * Marshall the variable length data into a temporary parse
656 * struct, pointing into a 4k local buffer.
658 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
661 * Use the 4k buffer to store the auth info.
664 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
667 * Create the variable length auth_data.
670 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH);
672 pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf);
674 init_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
676 domain, user_name, my_name,
680 * Marshall the variable length auth_data into a temp parse_struct.
683 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
684 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n"));
688 if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) {
689 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n"));
693 /* Create the request RPC_HDR */
694 init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
695 RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info),
696 prs_offset(&auth_info) );
699 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
700 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
704 /* Create the request RPC_HDR_AUTHA */
705 init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
706 NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00);
708 if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
709 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
714 * Append the auth data to the outgoing buffer.
717 if(!prs_append_prs_data(rpc_out, &auth_info)) {
718 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
726 /*******************************************************************
727 Creates a DCE/RPC request.
728 ********************************************************************/
730 static BOOL create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len)
736 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
738 /* create the rpc header RPC_HDR */
739 init_rpc_hdr(&hdr, RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST,
740 get_rpc_call_id(), data_len, auth_len);
743 * The alloc hint should be the amount of data, not including
744 * RPC headers & footers.
748 alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
750 alloc_hint = data_len - RPC_HEADER_LEN;
752 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
753 data_len, auth_len, alloc_hint));
755 /* Create the rpc request RPC_HDR_REQ */
756 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
759 if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0))
762 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
765 if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
773 * Send a request on an RPC pipe and get a response.
775 * @param data NDR contents of the request to be sent.
776 * @param rdata Unparsed NDR response data.
779 BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
780 prs_struct *data, prs_struct *rdata)
782 prs_struct outgoing_packet;
789 char *pdata_out = NULL;
792 auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
793 auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
795 /* Optionally capture for use in debugging */
796 slprintf(dump_name, sizeof(dump_name) - 1, "call_%s",
797 cli_pipe_get_name(cli));
798 prs_dump_before(dump_name, op_num, data);
801 * The auth_len doesn't include the RPC_HDR_AUTH_LEN.
804 auth_len = (auth_verify ? RPC_AUTH_NTLMSSP_CHK_LEN : 0);
807 * PDU len is header, plus request header, plus data, plus
808 * auth_header_len (if present), plus auth_len (if present).
809 * NB. The auth stuff should be aligned on an 8 byte boundary
810 * to be totally DCE/RPC spec complient. For now we cheat and
811 * hope that the data structs defined are a multiple of 8 bytes.
814 if((prs_offset(data) % 8) != 0) {
815 DEBUG(5,("rpc_api_pipe_req: Outgoing data not a multiple of 8 bytes....\n"));
818 data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(data) +
819 (auth_verify ? RPC_HDR_AUTH_LEN : 0) + auth_len;
822 * Malloc a parse struct to hold it (and enough for alignments).
825 if(!prs_init(&outgoing_packet, data_len + 8, cli->mem_ctx, MARSHALL)) {
826 DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
830 pdata_out = prs_data_p(&outgoing_packet);
833 * Write out the RPC header and the request header.
836 if(!create_rpc_request(&outgoing_packet, op_num, data_len, auth_len)) {
837 DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
838 prs_mem_free(&outgoing_packet);
843 * Seal the outgoing data if requested.
847 crc32 = crc32_calc_buffer(prs_data_p(data), prs_offset(data));
848 NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data), prs_offset(data));
852 * Now copy the data into the outgoing packet.
855 if(!prs_append_prs_data( &outgoing_packet, data)) {
856 DEBUG(0,("rpc_api_pipe_req: Failed to append data to outgoing packet.\n"));
857 prs_mem_free(&outgoing_packet);
862 * Add a trailing auth_verifier if needed.
865 if (auth_seal || auth_verify) {
866 RPC_HDR_AUTH hdr_auth;
868 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE,
869 NTLMSSP_AUTH_LEVEL, 0x08, (auth_verify ? 1 : 0));
870 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &outgoing_packet, 0)) {
871 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_HDR_AUTH.\n"));
872 prs_mem_free(&outgoing_packet);
878 * Finally the auth data itself.
882 RPC_AUTH_NTLMSSP_CHK chk;
883 uint32 current_offset = prs_offset(&outgoing_packet);
885 init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++);
886 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &outgoing_packet, 0)) {
887 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n"));
888 prs_mem_free(&outgoing_packet);
891 NTLMSSPcalc_ap(cli, (unsigned char*)&pdata_out[current_offset+4], RPC_AUTH_NTLMSSP_CHK_LEN - 4);
894 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len, prs_offset(&outgoing_packet)));
896 ret = rpc_api_pipe(cli, 0x0026, &outgoing_packet, rdata);
898 /* Also capture received data */
899 slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
900 cli_pipe_get_name(cli));
901 prs_dump(dump_name, op_num, rdata);
903 prs_mem_free(&outgoing_packet);
908 /****************************************************************************
909 Set the handle state.
910 ****************************************************************************/
912 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, const char *pipe_name, uint16 device_state)
914 BOOL state_set = False;
916 uint16 setup[2]; /* only need 2 uint16 setup parameters */
919 uint32 rparam_len, rdata_len;
921 if (pipe_name == NULL)
924 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
925 cli->nt_pipe_fnum, pipe_name, device_state));
927 /* create parameters: device state */
928 SSVAL(param, 0, device_state);
930 /* create setup parameters. */
932 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
934 /* send the data on \PIPE\ */
935 if (cli_api_pipe(cli, "\\PIPE\\",
936 setup, 2, 0, /* setup, length, max */
937 param, 2, 0, /* param, length, max */
938 NULL, 0, 1024, /* data, length, max */
939 &rparam, &rparam_len, /* return param, length */
940 &rdata, &rdata_len)) /* return data, length */
942 DEBUG(5, ("Set Handle state: return OK\n"));
952 /****************************************************************************
953 check the rpc bind acknowledge response
954 ****************************************************************************/
956 static BOOL valid_pipe_name(const char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *transfer)
960 while (pipe_names[pipe_idx].client_pipe != NULL) {
961 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) {
962 DEBUG(5,("Bind Abstract Syntax: "));
963 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
964 sizeof(pipe_names[pipe_idx].abstr_syntax));
965 DEBUG(5,("Bind Transfer Syntax: "));
966 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
967 sizeof(pipe_names[pipe_idx].trans_syntax));
969 /* copy the required syntaxes out so we can do the right bind */
970 *transfer = pipe_names[pipe_idx].trans_syntax;
971 *abstract = pipe_names[pipe_idx].abstr_syntax;
978 DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name));
982 /****************************************************************************
983 check the rpc bind acknowledge response
984 ****************************************************************************/
986 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const char *pipe_name, RPC_IFACE *transfer)
990 while ((pipe_names[i].client_pipe != NULL) && hdr_ba->addr.len > 0) {
991 if ((strequal(pipe_name, pipe_names[i].client_pipe ))) {
992 if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe )) {
993 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n",
994 pipe_names[i].server_pipe ));
997 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
998 pipe_names[i].server_pipe ,
1007 if (pipe_names[i].server_pipe == NULL) {
1008 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
1012 /* check the transfer syntax */
1013 if ((hdr_ba->transfer.version != transfer->version) ||
1014 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1015 DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n"));
1019 /* lkclXXXX only accept one result: check the result(s) */
1020 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
1021 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1022 hdr_ba->res.num_results, hdr_ba->res.reason));
1025 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
1029 /****************************************************************************
1030 Create and send the third packet in an RPC auth.
1031 ****************************************************************************/
1033 static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
1035 RPC_HDR_AUTH rhdr_auth;
1036 RPC_AUTH_VERIFIER rhdr_verf;
1037 RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
1038 char buffer[MAX_PDU_FRAG_LEN];
1042 unsigned char p24[24];
1043 unsigned char lm_owf[24];
1044 unsigned char lm_hash[16];
1046 if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) {
1047 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n"));
1050 if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) {
1051 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n"));
1054 if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) {
1055 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n"));
1059 cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
1061 pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
1063 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1065 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1067 create_rpc_bind_resp(&cli->pwd, cli->domain,
1068 cli->user_name, global_myname,
1069 cli->ntlmssp_cli_flgs, rpc_call_id,
1072 pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
1073 pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
1075 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
1078 unsigned char j = 0;
1080 unsigned char k2[8];
1087 for (ind = 0; ind < 256; ind++)
1088 cli->ntlmssp_hash[ind] = (unsigned char)ind;
1090 for( ind = 0; ind < 256; ind++) {
1093 j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
1095 tc = cli->ntlmssp_hash[ind];
1096 cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
1097 cli->ntlmssp_hash[j] = tc;
1100 cli->ntlmssp_hash[256] = 0;
1101 cli->ntlmssp_hash[257] = 0;
1104 memset((char *)lm_hash, '\0', sizeof(lm_hash));
1106 if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out),
1107 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
1108 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
1112 cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
1116 /****************************************************************************
1118 ****************************************************************************/
1120 BOOL rpc_pipe_bind(struct cli_state *cli, const char *pipe_name, char *my_name)
1126 BOOL do_auth = (cli->ntlmssp_cli_flgs != 0);
1128 char buffer[MAX_PDU_FRAG_LEN];
1130 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_name));
1132 if (!valid_pipe_name(pipe_name, &abstract, &transfer))
1135 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1138 * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
1141 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1143 rpc_call_id = get_rpc_call_id();
1145 /* Marshall the outgoing data. */
1146 create_rpc_bind_req(&rpc_out, do_auth, rpc_call_id,
1147 &abstract, &transfer,
1148 global_myname, cli->domain, cli->ntlmssp_cli_flgs);
1150 /* Initialize the incoming data struct. */
1151 prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
1153 /* send data on \PIPE\. receive a response */
1154 if (rpc_api_pipe(cli, 0x0026, &rpc_out, &rdata)) {
1157 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
1159 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
1160 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
1161 prs_mem_free(&rdata);
1165 if(!check_bind_response(&hdr_ba, pipe_name, &transfer)) {
1166 DEBUG(0,("rpc_pipe_bind: check_bind_response failed.\n"));
1167 prs_mem_free(&rdata);
1171 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
1172 cli->max_recv_frag = hdr_ba.bba.max_rsize;
1175 * If we're doing NTLMSSP auth we need to send a reply to
1176 * the bind-ack to complete the 3-way challenge response
1180 if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
1181 DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
1182 prs_mem_free(&rdata);
1187 prs_mem_free(&rdata);
1191 /****************************************************************************
1192 Set ntlmssp negotiation flags.
1193 ****************************************************************************/
1195 void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs)
1197 cli->ntlmssp_cli_flgs = ntlmssp_flgs;
1201 /****************************************************************************
1203 ****************************************************************************/
1205 BOOL cli_nt_session_open(struct cli_state *cli, const char *pipe_name)
1209 SMB_ASSERT(cli->nt_pipe_fnum == 0);
1211 if (cli->capabilities & CAP_NT_SMBS) {
1212 if ((fnum = cli_nt_create(cli, &pipe_name[5], DESIRED_ACCESS_PIPE)) == -1) {
1213 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1214 &pipe_name[5], cli->desthost, cli_errstr(cli)));
1218 cli->nt_pipe_fnum = (uint16)fnum;
1220 if ((fnum = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1221 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1222 pipe_name, cli->desthost, cli_errstr(cli)));
1226 cli->nt_pipe_fnum = (uint16)fnum;
1228 /**************** Set Named Pipe State ***************/
1229 if (!rpc_pipe_set_hnd_state(cli, pipe_name, 0x4300)) {
1230 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1232 cli_close(cli, cli->nt_pipe_fnum);
1237 /******************* bind request on pipe *****************/
1239 if (!rpc_pipe_bind(cli, pipe_name, global_myname)) {
1240 DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n",
1242 cli_close(cli, cli->nt_pipe_fnum);
1247 * Setup the remote server name prefixed by \ and the machine account name.
1250 fstrcpy(cli->srv_name_slash, "\\\\");
1251 fstrcat(cli->srv_name_slash, cli->desthost);
1252 strupper(cli->srv_name_slash);
1254 fstrcpy(cli->clnt_name_slash, "\\\\");
1255 fstrcat(cli->clnt_name_slash, global_myname);
1256 strupper(cli->clnt_name_slash);
1258 fstrcpy(cli->mach_acct, global_myname);
1259 fstrcat(cli->mach_acct, "$");
1260 strupper(cli->mach_acct);
1262 /* Remember which pipe we're talking to */
1263 fstrcpy(cli->pipe_name, pipe_name);
1269 const char *cli_pipe_get_name(struct cli_state *cli)
1271 return cli->pipe_name;
1275 /****************************************************************************
1277 ****************************************************************************/
1279 void cli_nt_session_close(struct cli_state *cli)
1281 cli_close(cli, cli->nt_pipe_fnum);
1282 cli->nt_pipe_fnum = 0;