2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Largely rewritten by Jeremy Allison 2005.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "librpc/gen_ndr/cli_epmapper.h"
24 #define DBGC_CLASS DBGC_RPC_CLI
26 /*******************************************************************
27 interface/version dce/rpc pipe identification
28 ********************************************************************/
30 static const struct ndr_syntax_id syntax_spoolss = {
32 0x12345678, 0x1234, 0xabcd,
35 0x45, 0x67, 0x89, 0xab }
39 #define PIPE_SRVSVC "\\PIPE\\srvsvc"
40 #define PIPE_SAMR "\\PIPE\\samr"
41 #define PIPE_WINREG "\\PIPE\\winreg"
42 #define PIPE_WKSSVC "\\PIPE\\wkssvc"
43 #define PIPE_NETLOGON "\\PIPE\\NETLOGON"
44 #define PIPE_NTLSA "\\PIPE\\ntlsa"
45 #define PIPE_NTSVCS "\\PIPE\\ntsvcs"
46 #define PIPE_LSASS "\\PIPE\\lsass"
47 #define PIPE_LSARPC "\\PIPE\\lsarpc"
48 #define PIPE_SPOOLSS "\\PIPE\\spoolss"
49 #define PIPE_NETDFS "\\PIPE\\netdfs"
50 #define PIPE_ECHO "\\PIPE\\rpcecho"
51 #define PIPE_SHUTDOWN "\\PIPE\\initshutdown"
52 #define PIPE_EPM "\\PIPE\\epmapper"
53 #define PIPE_SVCCTL "\\PIPE\\svcctl"
54 #define PIPE_EVENTLOG "\\PIPE\\eventlog"
55 #define PIPE_EPMAPPER "\\PIPE\\epmapper"
56 #define PIPE_DRSUAPI "\\PIPE\\drsuapi"
59 * IMPORTANT!! If you update this structure, make sure to
60 * update the index #defines in smb.h.
63 static const struct pipe_id_info {
64 /* the names appear not to matter: the syntaxes _do_ matter */
66 const char *client_pipe;
67 const RPC_IFACE *abstr_syntax; /* this one is the abstract syntax id */
70 { PIPE_LSARPC, &ndr_table_lsarpc.syntax_id },
71 { PIPE_LSARPC, &ndr_table_dssetup.syntax_id },
72 { PIPE_SAMR, &ndr_table_samr.syntax_id },
73 { PIPE_NETLOGON, &ndr_table_netlogon.syntax_id },
74 { PIPE_SRVSVC, &ndr_table_srvsvc.syntax_id },
75 { PIPE_WKSSVC, &ndr_table_wkssvc.syntax_id },
76 { PIPE_WINREG, &ndr_table_winreg.syntax_id },
77 { PIPE_SPOOLSS, &syntax_spoolss },
78 { PIPE_NETDFS, &ndr_table_netdfs.syntax_id },
79 { PIPE_ECHO, &ndr_table_rpcecho.syntax_id },
80 { PIPE_SHUTDOWN, &ndr_table_initshutdown.syntax_id },
81 { PIPE_SVCCTL, &ndr_table_svcctl.syntax_id },
82 { PIPE_EVENTLOG, &ndr_table_eventlog.syntax_id },
83 { PIPE_NTSVCS, &ndr_table_ntsvcs.syntax_id },
84 { PIPE_EPMAPPER, &ndr_table_epmapper.syntax_id },
85 { PIPE_DRSUAPI, &ndr_table_drsuapi.syntax_id },
89 /****************************************************************************
90 Return the pipe name from the index.
91 ****************************************************************************/
93 const char *cli_get_pipe_name(int pipe_idx)
95 return &pipe_names[pipe_idx].client_pipe[5];
98 /****************************************************************************
99 Return the pipe idx from the syntax.
100 ****************************************************************************/
101 int cli_get_pipe_idx(const RPC_IFACE *syntax)
104 for (i = 0; pipe_names[i].client_pipe; i++) {
105 if (ndr_syntax_id_equal(pipe_names[i].abstr_syntax, syntax)) {
113 /********************************************************************
114 Map internal value to wire value.
115 ********************************************************************/
117 static int map_pipe_auth_type_to_rpc_auth_type(enum pipe_auth_type auth_type)
121 case PIPE_AUTH_TYPE_NONE:
122 return RPC_ANONYMOUS_AUTH_TYPE;
124 case PIPE_AUTH_TYPE_NTLMSSP:
125 return RPC_NTLMSSP_AUTH_TYPE;
127 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
128 case PIPE_AUTH_TYPE_SPNEGO_KRB5:
129 return RPC_SPNEGO_AUTH_TYPE;
131 case PIPE_AUTH_TYPE_SCHANNEL:
132 return RPC_SCHANNEL_AUTH_TYPE;
134 case PIPE_AUTH_TYPE_KRB5:
135 return RPC_KRB5_AUTH_TYPE;
138 DEBUG(0,("map_pipe_auth_type_to_rpc_type: unknown pipe "
140 (unsigned int)auth_type ));
146 /********************************************************************
147 Pipe description for a DEBUG
148 ********************************************************************/
149 static char *rpccli_pipe_txt(TALLOC_CTX *mem_ctx, struct rpc_pipe_client *cli)
153 switch (cli->transport_type) {
155 result = talloc_asprintf(mem_ctx, "host %s, pipe %s, "
158 cli->trans.np.pipe_name,
159 (unsigned int)(cli->trans.np.fnum));
162 case NCACN_UNIX_STREAM:
163 result = talloc_asprintf(mem_ctx, "host %s, fd %d",
164 cli->desthost, cli->trans.sock.fd);
167 result = talloc_asprintf(mem_ctx, "host %s", cli->desthost);
170 SMB_ASSERT(result != NULL);
174 /********************************************************************
176 ********************************************************************/
178 static uint32 get_rpc_call_id(void)
180 static uint32 call_id = 0;
184 /*******************************************************************
185 Read from a RPC named pipe
186 ********************************************************************/
187 static NTSTATUS rpc_read_np(struct cli_state *cli, const char *pipe_name,
188 int fnum, char *buf, off_t offset, size_t size,
193 num_read = cli_read(cli, fnum, buf, offset, size);
195 DEBUG(5,("rpc_read_np: num_read = %d, read offset: %u, to read: %u\n",
196 (int)num_read, (unsigned int)offset, (unsigned int)size));
199 * A dos error of ERRDOS/ERRmoredata is not an error.
201 if (cli_is_dos_error(cli)) {
204 cli_dos_error(cli, &eclass, &ecode);
205 if (eclass != ERRDOS && ecode != ERRmoredata) {
206 DEBUG(0,("rpc_read: DOS Error %d/%u (%s) in cli_read "
207 "on fnum 0x%x\n", eclass, (unsigned int)ecode,
208 cli_errstr(cli), fnum));
209 return dos_to_ntstatus(eclass, ecode);
214 * Likewise for NT_STATUS_BUFFER_TOO_SMALL
216 if (cli_is_nt_error(cli)) {
217 if (!NT_STATUS_EQUAL(cli_nt_error(cli),
218 NT_STATUS_BUFFER_TOO_SMALL)) {
219 DEBUG(0,("rpc_read: Error (%s) in cli_read on fnum "
220 "0x%x\n", nt_errstr(cli_nt_error(cli)), fnum));
221 return cli_nt_error(cli);
225 if (num_read == -1) {
226 DEBUG(0,("rpc_read: Error - cli_read on fnum 0x%x returned "
228 return cli_get_nt_error(cli);
231 *pnum_read = num_read;
236 /*******************************************************************
237 Use SMBreadX to get rest of one fragment's worth of rpc data.
238 Will expand the current_pdu struct to the correct size.
239 ********************************************************************/
241 static NTSTATUS rpc_read(struct rpc_pipe_client *cli,
242 prs_struct *current_pdu,
244 uint32 *current_pdu_offset)
246 size_t size = (size_t)cli->max_recv_frag;
247 uint32 stream_offset = 0;
248 ssize_t num_read = 0;
250 ssize_t extra_data_size = ((ssize_t)*current_pdu_offset) + ((ssize_t)data_to_read) - (ssize_t)prs_data_size(current_pdu);
252 DEBUG(5,("rpc_read: data_to_read: %u current_pdu offset: %u extra_data_size: %d\n",
253 (unsigned int)data_to_read, (unsigned int)*current_pdu_offset, (int)extra_data_size ));
256 * Grow the buffer if needed to accommodate the data to be read.
259 if (extra_data_size > 0) {
260 if(!prs_force_grow(current_pdu, (uint32)extra_data_size)) {
261 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", (int)extra_data_size ));
262 return NT_STATUS_NO_MEMORY;
264 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", (int)extra_data_size, prs_data_size(current_pdu) ));
267 pdata = prs_data_p(current_pdu) + *current_pdu_offset;
272 /* read data using SMBreadX */
273 if (size > (size_t)data_to_read) {
274 size = (size_t)data_to_read;
277 switch (cli->transport_type) {
279 status = rpc_read_np(cli->trans.np.cli,
280 cli->trans.np.pipe_name,
281 cli->trans.np.fnum, pdata,
282 (off_t)stream_offset, size,
286 case NCACN_UNIX_STREAM:
287 status = NT_STATUS_OK;
288 num_read = sys_read(cli->trans.sock.fd, pdata, size);
289 if (num_read == -1) {
290 status = map_nt_error_from_unix(errno);
293 status = NT_STATUS_END_OF_FILE;
297 DEBUG(0, ("unknown transport type %d\n",
298 cli->transport_type));
299 return NT_STATUS_INTERNAL_ERROR;
302 data_to_read -= num_read;
303 stream_offset += num_read;
306 } while (num_read > 0 && data_to_read > 0);
307 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
310 * Update the current offset into current_pdu by the amount read.
312 *current_pdu_offset += stream_offset;
316 /****************************************************************************
317 Try and get a PDU's worth of data from current_pdu. If not, then read more
319 ****************************************************************************/
321 static NTSTATUS cli_pipe_get_current_pdu(struct rpc_pipe_client *cli, RPC_HDR *prhdr, prs_struct *current_pdu)
323 NTSTATUS ret = NT_STATUS_OK;
324 uint32 current_pdu_len = prs_data_size(current_pdu);
326 /* Ensure we have at least RPC_HEADER_LEN worth of data to parse. */
327 if (current_pdu_len < RPC_HEADER_LEN) {
328 /* rpc_read expands the current_pdu struct as neccessary. */
329 ret = rpc_read(cli, current_pdu, RPC_HEADER_LEN - current_pdu_len, ¤t_pdu_len);
330 if (!NT_STATUS_IS_OK(ret)) {
335 /* This next call sets the endian bit correctly in current_pdu. */
336 /* We will propagate this to rbuf later. */
337 if(!smb_io_rpc_hdr("rpc_hdr ", prhdr, current_pdu, 0)) {
338 DEBUG(0,("cli_pipe_get_current_pdu: Failed to unmarshall RPC_HDR.\n"));
339 return NT_STATUS_BUFFER_TOO_SMALL;
342 /* Ensure we have frag_len bytes of data. */
343 if (current_pdu_len < prhdr->frag_len) {
344 /* rpc_read expands the current_pdu struct as neccessary. */
345 ret = rpc_read(cli, current_pdu, (uint32)prhdr->frag_len - current_pdu_len, ¤t_pdu_len);
346 if (!NT_STATUS_IS_OK(ret)) {
351 if (current_pdu_len < prhdr->frag_len) {
352 return NT_STATUS_BUFFER_TOO_SMALL;
358 /****************************************************************************
359 NTLMSSP specific sign/seal.
360 Virtually identical to rpc_server/srv_pipe.c:api_pipe_ntlmssp_auth_process.
361 In fact I should probably abstract these into identical pieces of code... JRA.
362 ****************************************************************************/
364 static NTSTATUS cli_pipe_verify_ntlmssp(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
365 prs_struct *current_pdu,
366 uint8 *p_ss_padding_len)
368 RPC_HDR_AUTH auth_info;
369 uint32 save_offset = prs_offset(current_pdu);
370 uint32 auth_len = prhdr->auth_len;
371 NTLMSSP_STATE *ntlmssp_state = cli->auth->a_u.ntlmssp_state;
372 unsigned char *data = NULL;
374 unsigned char *full_packet_data = NULL;
375 size_t full_packet_data_len;
379 if (cli->auth->auth_level == PIPE_AUTH_LEVEL_NONE
380 || cli->auth->auth_level == PIPE_AUTH_LEVEL_CONNECT) {
384 if (!ntlmssp_state) {
385 return NT_STATUS_INVALID_PARAMETER;
388 /* Ensure there's enough data for an authenticated response. */
389 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
390 (RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_AUTH_LEN + auth_len > prhdr->frag_len)) {
391 DEBUG(0,("cli_pipe_verify_ntlmssp: auth_len %u is too large.\n",
392 (unsigned int)auth_len ));
393 return NT_STATUS_BUFFER_TOO_SMALL;
397 * We need the full packet data + length (minus auth stuff) as well as the packet data + length
398 * after the RPC header.
399 * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
400 * functions as NTLMv2 checks the rpc headers also.
403 data = (unsigned char *)(prs_data_p(current_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN);
404 data_len = (size_t)(prhdr->frag_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len);
406 full_packet_data = (unsigned char *)prs_data_p(current_pdu);
407 full_packet_data_len = prhdr->frag_len - auth_len;
409 /* Pull the auth header and the following data into a blob. */
410 if(!prs_set_offset(current_pdu, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len)) {
411 DEBUG(0,("cli_pipe_verify_ntlmssp: cannot move offset to %u.\n",
412 (unsigned int)RPC_HEADER_LEN + (unsigned int)RPC_HDR_RESP_LEN + (unsigned int)data_len ));
413 return NT_STATUS_BUFFER_TOO_SMALL;
416 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, current_pdu, 0)) {
417 DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unmarshall RPC_HDR_AUTH.\n"));
418 return NT_STATUS_BUFFER_TOO_SMALL;
421 auth_blob.data = (unsigned char *)prs_data_p(current_pdu) + prs_offset(current_pdu);
422 auth_blob.length = auth_len;
424 switch (cli->auth->auth_level) {
425 case PIPE_AUTH_LEVEL_PRIVACY:
426 /* Data is encrypted. */
427 status = ntlmssp_unseal_packet(ntlmssp_state,
430 full_packet_data_len,
432 if (!NT_STATUS_IS_OK(status)) {
433 DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unseal "
434 "packet from %s. Error was %s.\n",
435 rpccli_pipe_txt(debug_ctx(), cli),
436 nt_errstr(status) ));
440 case PIPE_AUTH_LEVEL_INTEGRITY:
441 /* Data is signed. */
442 status = ntlmssp_check_packet(ntlmssp_state,
445 full_packet_data_len,
447 if (!NT_STATUS_IS_OK(status)) {
448 DEBUG(0,("cli_pipe_verify_ntlmssp: check signing failed on "
449 "packet from %s. Error was %s.\n",
450 rpccli_pipe_txt(debug_ctx(), cli),
451 nt_errstr(status) ));
456 DEBUG(0, ("cli_pipe_verify_ntlmssp: unknown internal "
457 "auth level %d\n", cli->auth->auth_level));
458 return NT_STATUS_INVALID_INFO_CLASS;
462 * Return the current pointer to the data offset.
465 if(!prs_set_offset(current_pdu, save_offset)) {
466 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
467 (unsigned int)save_offset ));
468 return NT_STATUS_BUFFER_TOO_SMALL;
472 * Remember the padding length. We must remove it from the real data
473 * stream once the sign/seal is done.
476 *p_ss_padding_len = auth_info.auth_pad_len;
481 /****************************************************************************
482 schannel specific sign/seal.
483 ****************************************************************************/
485 static NTSTATUS cli_pipe_verify_schannel(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
486 prs_struct *current_pdu,
487 uint8 *p_ss_padding_len)
489 RPC_HDR_AUTH auth_info;
490 RPC_AUTH_SCHANNEL_CHK schannel_chk;
491 uint32 auth_len = prhdr->auth_len;
492 uint32 save_offset = prs_offset(current_pdu);
493 struct schannel_auth_struct *schannel_auth =
494 cli->auth->a_u.schannel_auth;
497 if (cli->auth->auth_level == PIPE_AUTH_LEVEL_NONE
498 || cli->auth->auth_level == PIPE_AUTH_LEVEL_CONNECT) {
502 if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
503 DEBUG(0,("cli_pipe_verify_schannel: auth_len %u.\n", (unsigned int)auth_len ));
504 return NT_STATUS_INVALID_PARAMETER;
507 if (!schannel_auth) {
508 return NT_STATUS_INVALID_PARAMETER;
511 /* Ensure there's enough data for an authenticated response. */
512 if ((auth_len > RPC_MAX_SIGN_SIZE) ||
513 (RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_AUTH_LEN + auth_len > prhdr->frag_len)) {
514 DEBUG(0,("cli_pipe_verify_schannel: auth_len %u is too large.\n",
515 (unsigned int)auth_len ));
516 return NT_STATUS_INVALID_PARAMETER;
519 data_len = prhdr->frag_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
521 if(!prs_set_offset(current_pdu, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len)) {
522 DEBUG(0,("cli_pipe_verify_schannel: cannot move offset to %u.\n",
523 (unsigned int)RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len ));
524 return NT_STATUS_BUFFER_TOO_SMALL;
527 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, current_pdu, 0)) {
528 DEBUG(0,("cli_pipe_verify_schannel: failed to unmarshall RPC_HDR_AUTH.\n"));
529 return NT_STATUS_BUFFER_TOO_SMALL;
532 if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
533 DEBUG(0,("cli_pipe_verify_schannel: Invalid auth info %d on schannel\n",
534 auth_info.auth_type));
535 return NT_STATUS_BUFFER_TOO_SMALL;
538 if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
539 &schannel_chk, current_pdu, 0)) {
540 DEBUG(0,("cli_pipe_verify_schannel: failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
541 return NT_STATUS_BUFFER_TOO_SMALL;
544 if (!schannel_decode(schannel_auth,
545 cli->auth->auth_level,
548 prs_data_p(current_pdu)+RPC_HEADER_LEN+RPC_HDR_RESP_LEN,
550 DEBUG(3,("cli_pipe_verify_schannel: failed to decode PDU "
551 "Connection to %s.\n",
552 rpccli_pipe_txt(debug_ctx(), cli)));
553 return NT_STATUS_INVALID_PARAMETER;
556 /* The sequence number gets incremented on both send and receive. */
557 schannel_auth->seq_num++;
560 * Return the current pointer to the data offset.
563 if(!prs_set_offset(current_pdu, save_offset)) {
564 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
565 (unsigned int)save_offset ));
566 return NT_STATUS_BUFFER_TOO_SMALL;
570 * Remember the padding length. We must remove it from the real data
571 * stream once the sign/seal is done.
574 *p_ss_padding_len = auth_info.auth_pad_len;
579 /****************************************************************************
580 Do the authentication checks on an incoming pdu. Check sign and unseal etc.
581 ****************************************************************************/
583 static NTSTATUS cli_pipe_validate_rpc_response(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
584 prs_struct *current_pdu,
585 uint8 *p_ss_padding_len)
587 NTSTATUS ret = NT_STATUS_OK;
589 /* Paranioa checks for auth_len. */
590 if (prhdr->auth_len) {
591 if (prhdr->auth_len > prhdr->frag_len) {
592 return NT_STATUS_INVALID_PARAMETER;
595 if (prhdr->auth_len + (unsigned int)RPC_HDR_AUTH_LEN < prhdr->auth_len ||
596 prhdr->auth_len + (unsigned int)RPC_HDR_AUTH_LEN < (unsigned int)RPC_HDR_AUTH_LEN) {
597 /* Integer wrap attempt. */
598 return NT_STATUS_INVALID_PARAMETER;
603 * Now we have a complete RPC request PDU fragment, try and verify any auth data.
606 switch(cli->auth->auth_type) {
607 case PIPE_AUTH_TYPE_NONE:
608 if (prhdr->auth_len) {
609 DEBUG(3, ("cli_pipe_validate_rpc_response: "
610 "Connection to %s - got non-zero "
612 rpccli_pipe_txt(debug_ctx(), cli),
613 (unsigned int)prhdr->auth_len ));
614 return NT_STATUS_INVALID_PARAMETER;
618 case PIPE_AUTH_TYPE_NTLMSSP:
619 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
620 ret = cli_pipe_verify_ntlmssp(cli, prhdr, current_pdu, p_ss_padding_len);
621 if (!NT_STATUS_IS_OK(ret)) {
626 case PIPE_AUTH_TYPE_SCHANNEL:
627 ret = cli_pipe_verify_schannel(cli, prhdr, current_pdu, p_ss_padding_len);
628 if (!NT_STATUS_IS_OK(ret)) {
633 case PIPE_AUTH_TYPE_KRB5:
634 case PIPE_AUTH_TYPE_SPNEGO_KRB5:
636 DEBUG(3, ("cli_pipe_validate_rpc_response: Connection "
637 "to %s - unknown internal auth type %u.\n",
638 rpccli_pipe_txt(debug_ctx(), cli),
639 cli->auth->auth_type ));
640 return NT_STATUS_INVALID_INFO_CLASS;
646 /****************************************************************************
647 Do basic authentication checks on an incoming pdu.
648 ****************************************************************************/
650 static NTSTATUS cli_pipe_validate_current_pdu(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
651 prs_struct *current_pdu,
652 uint8 expected_pkt_type,
655 prs_struct *return_data)
658 NTSTATUS ret = NT_STATUS_OK;
659 uint32 current_pdu_len = prs_data_size(current_pdu);
661 if (current_pdu_len != prhdr->frag_len) {
662 DEBUG(5,("cli_pipe_validate_current_pdu: incorrect pdu length %u, expected %u\n",
663 (unsigned int)current_pdu_len, (unsigned int)prhdr->frag_len ));
664 return NT_STATUS_INVALID_PARAMETER;
668 * Point the return values at the real data including the RPC
669 * header. Just in case the caller wants it.
671 *ppdata = prs_data_p(current_pdu);
672 *pdata_len = current_pdu_len;
674 /* Ensure we have the correct type. */
675 switch (prhdr->pkt_type) {
676 case RPC_ALTCONTRESP:
679 /* Alter context and bind ack share the same packet definitions. */
685 RPC_HDR_RESP rhdr_resp;
686 uint8 ss_padding_len = 0;
688 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, current_pdu, 0)) {
689 DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_RESP.\n"));
690 return NT_STATUS_BUFFER_TOO_SMALL;
693 /* Here's where we deal with incoming sign/seal. */
694 ret = cli_pipe_validate_rpc_response(cli, prhdr,
695 current_pdu, &ss_padding_len);
696 if (!NT_STATUS_IS_OK(ret)) {
700 /* Point the return values at the NDR data. Remember to remove any ss padding. */
701 *ppdata = prs_data_p(current_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
703 if (current_pdu_len < RPC_HEADER_LEN + RPC_HDR_RESP_LEN + ss_padding_len) {
704 return NT_STATUS_BUFFER_TOO_SMALL;
707 *pdata_len = current_pdu_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - ss_padding_len;
709 /* Remember to remove the auth footer. */
710 if (prhdr->auth_len) {
711 /* We've already done integer wrap tests on auth_len in
712 cli_pipe_validate_rpc_response(). */
713 if (*pdata_len < RPC_HDR_AUTH_LEN + prhdr->auth_len) {
714 return NT_STATUS_BUFFER_TOO_SMALL;
716 *pdata_len -= (RPC_HDR_AUTH_LEN + prhdr->auth_len);
719 DEBUG(10,("cli_pipe_validate_current_pdu: got pdu len %u, data_len %u, ss_len %u\n",
720 current_pdu_len, *pdata_len, ss_padding_len ));
723 * If this is the first reply, and the allocation hint is reasonably, try and
724 * set up the return_data parse_struct to the correct size.
727 if ((prs_data_size(return_data) == 0) && rhdr_resp.alloc_hint && (rhdr_resp.alloc_hint < 15*1024*1024)) {
728 if (!prs_set_buffer_size(return_data, rhdr_resp.alloc_hint)) {
729 DEBUG(0,("cli_pipe_validate_current_pdu: reply alloc hint %u "
730 "too large to allocate\n",
731 (unsigned int)rhdr_resp.alloc_hint ));
732 return NT_STATUS_NO_MEMORY;
740 DEBUG(1, ("cli_pipe_validate_current_pdu: Bind NACK "
741 "received from %s!\n",
742 rpccli_pipe_txt(debug_ctx(), cli)));
743 /* Use this for now... */
744 return NT_STATUS_NETWORK_ACCESS_DENIED;
748 RPC_HDR_RESP rhdr_resp;
749 RPC_HDR_FAULT fault_resp;
751 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, current_pdu, 0)) {
752 DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_RESP.\n"));
753 return NT_STATUS_BUFFER_TOO_SMALL;
756 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, current_pdu, 0)) {
757 DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_FAULT.\n"));
758 return NT_STATUS_BUFFER_TOO_SMALL;
761 DEBUG(1, ("cli_pipe_validate_current_pdu: RPC fault "
762 "code %s received from %s!\n",
763 dcerpc_errstr(NT_STATUS_V(fault_resp.status)),
764 rpccli_pipe_txt(debug_ctx(), cli)));
765 if (NT_STATUS_IS_OK(fault_resp.status)) {
766 return NT_STATUS_UNSUCCESSFUL;
768 return fault_resp.status;
773 DEBUG(0, ("cli_pipe_validate_current_pdu: unknown packet type %u received "
775 (unsigned int)prhdr->pkt_type,
776 rpccli_pipe_txt(debug_ctx(), cli)));
777 return NT_STATUS_INVALID_INFO_CLASS;
780 if (prhdr->pkt_type != expected_pkt_type) {
781 DEBUG(3, ("cli_pipe_validate_current_pdu: Connection to %s "
782 "got an unexpected RPC packet type - %u, not %u\n",
783 rpccli_pipe_txt(debug_ctx(), cli),
786 return NT_STATUS_INVALID_INFO_CLASS;
789 /* Do this just before return - we don't want to modify any rpc header
790 data before now as we may have needed to do cryptographic actions on
793 if ((prhdr->pkt_type == RPC_BINDACK) && !(prhdr->flags & RPC_FLG_LAST)) {
794 DEBUG(5,("cli_pipe_validate_current_pdu: bug in server (AS/U?), "
795 "setting fragment first/last ON.\n"));
796 prhdr->flags |= RPC_FLG_FIRST|RPC_FLG_LAST;
802 /****************************************************************************
803 Ensure we eat the just processed pdu from the current_pdu prs_struct.
804 Normally the frag_len and buffer size will match, but on the first trans
805 reply there is a theoretical chance that buffer size > frag_len, so we must
807 ****************************************************************************/
809 static NTSTATUS cli_pipe_reset_current_pdu(struct rpc_pipe_client *cli, RPC_HDR *prhdr, prs_struct *current_pdu)
811 uint32 current_pdu_len = prs_data_size(current_pdu);
813 if (current_pdu_len < prhdr->frag_len) {
814 return NT_STATUS_BUFFER_TOO_SMALL;
818 if (current_pdu_len == (uint32)prhdr->frag_len) {
819 prs_mem_free(current_pdu);
820 prs_init_empty(current_pdu, prs_get_mem_context(current_pdu), UNMARSHALL);
821 /* Make current_pdu dynamic with no memory. */
822 prs_give_memory(current_pdu, 0, 0, True);
827 * Oh no ! More data in buffer than we processed in current pdu.
828 * Cheat. Move the data down and shrink the buffer.
831 memcpy(prs_data_p(current_pdu), prs_data_p(current_pdu) + prhdr->frag_len,
832 current_pdu_len - prhdr->frag_len);
834 /* Remember to set the read offset back to zero. */
835 prs_set_offset(current_pdu, 0);
837 /* Shrink the buffer. */
838 if (!prs_set_buffer_size(current_pdu, current_pdu_len - prhdr->frag_len)) {
839 return NT_STATUS_BUFFER_TOO_SMALL;
845 /****************************************************************************
846 Send data on an rpc pipe via trans. The prs_struct data must be the last
847 pdu fragment of an NDR data stream.
849 Receive response data from an rpc pipe, which may be large...
851 Read the first fragment: unfortunately have to use SMBtrans for the first
852 bit, then SMBreadX for subsequent bits.
854 If first fragment received also wasn't the last fragment, continue
855 getting fragments until we _do_ receive the last fragment.
857 Request/Response PDU's look like the following...
859 |<------------------PDU len----------------------------------------------->|
860 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
862 +------------+-----------------+-------------+---------------+-------------+
863 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
864 +------------+-----------------+-------------+---------------+-------------+
866 Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
867 signing & sealing being negotiated.
869 ****************************************************************************/
871 static NTSTATUS rpc_api_pipe(struct rpc_pipe_client *cli,
872 prs_struct *data, /* Outgoing pdu fragment, already formatted for send. */
873 prs_struct *rbuf, /* Incoming reply - return as an NDR stream. */
874 uint8 expected_pkt_type)
876 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
878 uint32 rparam_len = 0;
879 char *pdata = prs_data_p(data);
880 uint32 data_len = prs_offset(data);
882 uint32 rdata_len = 0;
883 uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : RPC_MAX_PDU_FRAG_LEN;
884 uint32 current_rbuf_offset = 0;
885 prs_struct current_pdu;
888 /* Ensure we're not sending too much. */
889 SMB_ASSERT(data_len <= max_data);
892 /* Set up the current pdu parse struct. */
893 prs_init_empty(¤t_pdu, prs_get_mem_context(rbuf), UNMARSHALL);
895 DEBUG(5,("rpc_api_pipe: %s\n", rpccli_pipe_txt(debug_ctx(), cli)));
897 switch (cli->transport_type) {
900 /* Create setup parameters - must be in native byte order. */
901 setup[0] = TRANSACT_DCERPCCMD;
902 setup[1] = cli->trans.np.fnum; /* Pipe file handle. */
905 * Send the last (or only) fragment of an RPC request. For
906 * small amounts of data (about 1024 bytes or so) the RPC
907 * request and response appears in a SMBtrans request and
911 if (!cli_api_pipe(cli->trans.np.cli, "\\PIPE\\",
912 setup, 2, 0, /* Setup, length, max */
913 NULL, 0, 0, /* Params, length, max */
914 pdata, data_len, max_data, /* data, length,
916 &rparam, &rparam_len, /* return params,
918 &prdata, &rdata_len)) /* return data, len */
920 DEBUG(0, ("rpc_api_pipe: %s returned critical error. "
922 rpccli_pipe_txt(debug_ctx(), cli),
923 cli_errstr(cli->trans.np.cli)));
924 ret = cli_get_nt_error(cli->trans.np.cli);
932 case NCACN_UNIX_STREAM:
934 ssize_t nwritten, nread;
935 nwritten = write_data(cli->trans.sock.fd, pdata, data_len);
936 if (nwritten == -1) {
937 ret = map_nt_error_from_unix(errno);
938 DEBUG(0, ("rpc_api_pipe: write_data returned %s\n",
943 prdata = SMB_MALLOC_ARRAY(char, 1);
944 if (prdata == NULL) {
945 return NT_STATUS_NO_MEMORY;
947 nread = sys_read(cli->trans.sock.fd, prdata, 1);
952 ret = NT_STATUS_END_OF_FILE;
959 DEBUG(0, ("unknown transport type %d\n",
960 cli->transport_type));
961 return NT_STATUS_INTERNAL_ERROR;
964 /* Throw away returned params - we know we won't use them. */
968 if (prdata == NULL) {
969 DEBUG(3,("rpc_api_pipe: %s failed to return data.\n",
970 rpccli_pipe_txt(debug_ctx(), cli)));
971 /* Yes - some calls can truely return no data... */
972 prs_mem_free(¤t_pdu);
977 * Give this memory as dynamic to the current pdu.
980 prs_give_memory(¤t_pdu, prdata, rdata_len, True);
982 /* Ensure we can mess with the return prs_struct. */
983 SMB_ASSERT(UNMARSHALLING(rbuf));
984 SMB_ASSERT(prs_data_size(rbuf) == 0);
986 /* Make rbuf dynamic with no memory. */
987 prs_give_memory(rbuf, 0, 0, True);
994 /* Ensure we have enough data for a pdu. */
995 ret = cli_pipe_get_current_pdu(cli, &rhdr, ¤t_pdu);
996 if (!NT_STATUS_IS_OK(ret)) {
1000 /* We pass in rbuf here so if the alloc hint is set correctly
1001 we can set the output size and avoid reallocs. */
1003 ret = cli_pipe_validate_current_pdu(cli, &rhdr, ¤t_pdu, expected_pkt_type,
1004 &ret_data, &ret_data_len, rbuf);
1006 DEBUG(10,("rpc_api_pipe: got PDU len of %u at offset %u\n",
1007 prs_data_size(¤t_pdu), current_rbuf_offset ));
1009 if (!NT_STATUS_IS_OK(ret)) {
1013 if ((rhdr.flags & RPC_FLG_FIRST)) {
1014 if (rhdr.pack_type[0] == 0) {
1015 /* Set the data type correctly for big-endian data on the first packet. */
1016 DEBUG(10,("rpc_api_pipe: On %s "
1017 "PDU data format is big-endian.\n",
1018 rpccli_pipe_txt(debug_ctx(), cli)));
1020 prs_set_endian_data(rbuf, RPC_BIG_ENDIAN);
1022 /* Check endianness on subsequent packets. */
1023 if (current_pdu.bigendian_data != rbuf->bigendian_data) {
1024 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
1025 rbuf->bigendian_data ? "big" : "little",
1026 current_pdu.bigendian_data ? "big" : "little" ));
1027 ret = NT_STATUS_INVALID_PARAMETER;
1033 /* Now copy the data portion out of the pdu into rbuf. */
1034 if (!prs_force_grow(rbuf, ret_data_len)) {
1035 ret = NT_STATUS_NO_MEMORY;
1038 memcpy(prs_data_p(rbuf)+current_rbuf_offset, ret_data, (size_t)ret_data_len);
1039 current_rbuf_offset += ret_data_len;
1041 /* See if we've finished with all the data in current_pdu yet ? */
1042 ret = cli_pipe_reset_current_pdu(cli, &rhdr, ¤t_pdu);
1043 if (!NT_STATUS_IS_OK(ret)) {
1047 if (rhdr.flags & RPC_FLG_LAST) {
1048 break; /* We're done. */
1052 DEBUG(10,("rpc_api_pipe: %s returned %u bytes.\n",
1053 rpccli_pipe_txt(debug_ctx(), cli),
1054 (unsigned int)prs_data_size(rbuf) ));
1056 prs_mem_free(¤t_pdu);
1057 return NT_STATUS_OK;
1061 prs_mem_free(¤t_pdu);
1066 /*******************************************************************
1067 Creates krb5 auth bind.
1068 ********************************************************************/
1070 static NTSTATUS create_krb5_auth_bind_req( struct rpc_pipe_client *cli,
1071 enum pipe_auth_level auth_level,
1072 RPC_HDR_AUTH *pauth_out,
1073 prs_struct *auth_data)
1077 struct kerberos_auth_struct *a = cli->auth->a_u.kerberos_auth;
1078 DATA_BLOB tkt = data_blob_null;
1079 DATA_BLOB tkt_wrapped = data_blob_null;
1081 /* We may change the pad length before marshalling. */
1082 init_rpc_hdr_auth(pauth_out, RPC_KRB5_AUTH_TYPE, (int)auth_level, 0, 1);
1084 DEBUG(5, ("create_krb5_auth_bind_req: creating a service ticket for principal %s\n",
1085 a->service_principal ));
1087 /* Create the ticket for the service principal and return it in a gss-api wrapped blob. */
1089 ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt,
1090 &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL);
1093 DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s "
1095 a->service_principal,
1096 error_message(ret) ));
1098 data_blob_free(&tkt);
1099 prs_mem_free(auth_data);
1100 return NT_STATUS_INVALID_PARAMETER;
1103 /* wrap that up in a nice GSS-API wrapping */
1104 tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
1106 data_blob_free(&tkt);
1108 /* Auth len in the rpc header doesn't include auth_header. */
1109 if (!prs_copy_data_in(auth_data, (char *)tkt_wrapped.data, tkt_wrapped.length)) {
1110 data_blob_free(&tkt_wrapped);
1111 prs_mem_free(auth_data);
1112 return NT_STATUS_NO_MEMORY;
1115 DEBUG(5, ("create_krb5_auth_bind_req: Created krb5 GSS blob :\n"));
1116 dump_data(5, tkt_wrapped.data, tkt_wrapped.length);
1118 data_blob_free(&tkt_wrapped);
1119 return NT_STATUS_OK;
1121 return NT_STATUS_INVALID_PARAMETER;
1125 /*******************************************************************
1126 Creates SPNEGO NTLMSSP auth bind.
1127 ********************************************************************/
1129 static NTSTATUS create_spnego_ntlmssp_auth_rpc_bind_req( struct rpc_pipe_client *cli,
1130 enum pipe_auth_level auth_level,
1131 RPC_HDR_AUTH *pauth_out,
1132 prs_struct *auth_data)
1135 DATA_BLOB null_blob = data_blob_null;
1136 DATA_BLOB request = data_blob_null;
1137 DATA_BLOB spnego_msg = data_blob_null;
1139 /* We may change the pad length before marshalling. */
1140 init_rpc_hdr_auth(pauth_out, RPC_SPNEGO_AUTH_TYPE, (int)auth_level, 0, 1);
1142 DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
1143 nt_status = ntlmssp_update(cli->auth->a_u.ntlmssp_state,
1147 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1148 data_blob_free(&request);
1149 prs_mem_free(auth_data);
1153 /* Wrap this in SPNEGO. */
1154 spnego_msg = gen_negTokenInit(OID_NTLMSSP, request);
1156 data_blob_free(&request);
1158 /* Auth len in the rpc header doesn't include auth_header. */
1159 if (!prs_copy_data_in(auth_data, (char *)spnego_msg.data, spnego_msg.length)) {
1160 data_blob_free(&spnego_msg);
1161 prs_mem_free(auth_data);
1162 return NT_STATUS_NO_MEMORY;
1165 DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1166 dump_data(5, spnego_msg.data, spnego_msg.length);
1168 data_blob_free(&spnego_msg);
1169 return NT_STATUS_OK;
1172 /*******************************************************************
1173 Creates NTLMSSP auth bind.
1174 ********************************************************************/
1176 static NTSTATUS create_ntlmssp_auth_rpc_bind_req( struct rpc_pipe_client *cli,
1177 enum pipe_auth_level auth_level,
1178 RPC_HDR_AUTH *pauth_out,
1179 prs_struct *auth_data)
1182 DATA_BLOB null_blob = data_blob_null;
1183 DATA_BLOB request = data_blob_null;
1185 /* We may change the pad length before marshalling. */
1186 init_rpc_hdr_auth(pauth_out, RPC_NTLMSSP_AUTH_TYPE, (int)auth_level, 0, 1);
1188 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
1189 nt_status = ntlmssp_update(cli->auth->a_u.ntlmssp_state,
1193 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1194 data_blob_free(&request);
1195 prs_mem_free(auth_data);
1199 /* Auth len in the rpc header doesn't include auth_header. */
1200 if (!prs_copy_data_in(auth_data, (char *)request.data, request.length)) {
1201 data_blob_free(&request);
1202 prs_mem_free(auth_data);
1203 return NT_STATUS_NO_MEMORY;
1206 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1207 dump_data(5, request.data, request.length);
1209 data_blob_free(&request);
1210 return NT_STATUS_OK;
1213 /*******************************************************************
1214 Creates schannel auth bind.
1215 ********************************************************************/
1217 static NTSTATUS create_schannel_auth_rpc_bind_req( struct rpc_pipe_client *cli,
1218 enum pipe_auth_level auth_level,
1219 RPC_HDR_AUTH *pauth_out,
1220 prs_struct *auth_data)
1222 RPC_AUTH_SCHANNEL_NEG schannel_neg;
1224 /* We may change the pad length before marshalling. */
1225 init_rpc_hdr_auth(pauth_out, RPC_SCHANNEL_AUTH_TYPE, (int)auth_level, 0, 1);
1227 /* Use lp_workgroup() if domain not specified */
1229 if (!cli->auth->domain || !cli->auth->domain[0]) {
1230 cli->auth->domain = talloc_strdup(cli, lp_workgroup());
1231 if (cli->auth->domain == NULL) {
1232 return NT_STATUS_NO_MEMORY;
1236 init_rpc_auth_schannel_neg(&schannel_neg, cli->auth->domain,
1240 * Now marshall the data into the auth parse_struct.
1243 if(!smb_io_rpc_auth_schannel_neg("schannel_neg",
1244 &schannel_neg, auth_data, 0)) {
1245 DEBUG(0,("Failed to marshall RPC_AUTH_SCHANNEL_NEG.\n"));
1246 prs_mem_free(auth_data);
1247 return NT_STATUS_NO_MEMORY;
1250 return NT_STATUS_OK;
1253 /*******************************************************************
1254 Creates the internals of a DCE/RPC bind request or alter context PDU.
1255 ********************************************************************/
1257 static NTSTATUS create_bind_or_alt_ctx_internal(enum RPC_PKT_TYPE pkt_type,
1258 prs_struct *rpc_out,
1260 const RPC_IFACE *abstract,
1261 const RPC_IFACE *transfer,
1262 RPC_HDR_AUTH *phdr_auth,
1263 prs_struct *pauth_info)
1267 RPC_CONTEXT rpc_ctx;
1268 uint16 auth_len = prs_offset(pauth_info);
1269 uint8 ss_padding_len = 0;
1270 uint16 frag_len = 0;
1272 /* create the RPC context. */
1273 init_rpc_context(&rpc_ctx, 0 /* context id */, abstract, transfer);
1275 /* create the bind request RPC_HDR_RB */
1276 init_rpc_hdr_rb(&hdr_rb, RPC_MAX_PDU_FRAG_LEN, RPC_MAX_PDU_FRAG_LEN, 0x0, &rpc_ctx);
1278 /* Start building the frag length. */
1279 frag_len = RPC_HEADER_LEN + RPC_HDR_RB_LEN(&hdr_rb);
1281 /* Do we need to pad ? */
1283 uint16 data_len = RPC_HEADER_LEN + RPC_HDR_RB_LEN(&hdr_rb);
1285 ss_padding_len = 8 - (data_len % 8);
1286 phdr_auth->auth_pad_len = ss_padding_len;
1288 frag_len += RPC_HDR_AUTH_LEN + auth_len + ss_padding_len;
1291 /* Create the request RPC_HDR */
1292 init_rpc_hdr(&hdr, pkt_type, RPC_FLG_FIRST|RPC_FLG_LAST, rpc_call_id, frag_len, auth_len);
1294 /* Marshall the RPC header */
1295 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
1296 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR.\n"));
1297 return NT_STATUS_NO_MEMORY;
1300 /* Marshall the bind request data */
1301 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
1302 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
1303 return NT_STATUS_NO_MEMORY;
1307 * Grow the outgoing buffer to store any auth info.
1311 if (ss_padding_len) {
1313 memset(pad, '\0', 8);
1314 if (!prs_copy_data_in(rpc_out, pad, ss_padding_len)) {
1315 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall padding.\n"));
1316 return NT_STATUS_NO_MEMORY;
1320 if(!smb_io_rpc_hdr_auth("hdr_auth", phdr_auth, rpc_out, 0)) {
1321 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_AUTH.\n"));
1322 return NT_STATUS_NO_MEMORY;
1326 if(!prs_append_prs_data( rpc_out, pauth_info)) {
1327 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to grow parse struct to add auth.\n"));
1328 return NT_STATUS_NO_MEMORY;
1332 return NT_STATUS_OK;
1335 /*******************************************************************
1336 Creates a DCE/RPC bind request.
1337 ********************************************************************/
1339 static NTSTATUS create_rpc_bind_req(struct rpc_pipe_client *cli,
1340 prs_struct *rpc_out,
1342 const RPC_IFACE *abstract,
1343 const RPC_IFACE *transfer,
1344 enum pipe_auth_type auth_type,
1345 enum pipe_auth_level auth_level)
1347 RPC_HDR_AUTH hdr_auth;
1348 prs_struct auth_info;
1349 NTSTATUS ret = NT_STATUS_OK;
1351 ZERO_STRUCT(hdr_auth);
1352 if (!prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL))
1353 return NT_STATUS_NO_MEMORY;
1355 switch (auth_type) {
1356 case PIPE_AUTH_TYPE_SCHANNEL:
1357 ret = create_schannel_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1358 if (!NT_STATUS_IS_OK(ret)) {
1359 prs_mem_free(&auth_info);
1364 case PIPE_AUTH_TYPE_NTLMSSP:
1365 ret = create_ntlmssp_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1366 if (!NT_STATUS_IS_OK(ret)) {
1367 prs_mem_free(&auth_info);
1372 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1373 ret = create_spnego_ntlmssp_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1374 if (!NT_STATUS_IS_OK(ret)) {
1375 prs_mem_free(&auth_info);
1380 case PIPE_AUTH_TYPE_KRB5:
1381 ret = create_krb5_auth_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1382 if (!NT_STATUS_IS_OK(ret)) {
1383 prs_mem_free(&auth_info);
1388 case PIPE_AUTH_TYPE_NONE:
1392 /* "Can't" happen. */
1393 return NT_STATUS_INVALID_INFO_CLASS;
1396 ret = create_bind_or_alt_ctx_internal(RPC_BIND,
1404 prs_mem_free(&auth_info);
1408 /*******************************************************************
1409 Create and add the NTLMSSP sign/seal auth header and data.
1410 ********************************************************************/
1412 static NTSTATUS add_ntlmssp_auth_footer(struct rpc_pipe_client *cli,
1414 uint32 ss_padding_len,
1415 prs_struct *outgoing_pdu)
1417 RPC_HDR_AUTH auth_info;
1419 DATA_BLOB auth_blob = data_blob_null;
1420 uint16 data_and_pad_len = prs_offset(outgoing_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
1422 if (!cli->auth->a_u.ntlmssp_state) {
1423 return NT_STATUS_INVALID_PARAMETER;
1426 /* Init and marshall the auth header. */
1427 init_rpc_hdr_auth(&auth_info,
1428 map_pipe_auth_type_to_rpc_auth_type(
1429 cli->auth->auth_type),
1430 cli->auth->auth_level,
1432 1 /* context id. */);
1434 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, outgoing_pdu, 0)) {
1435 DEBUG(0,("add_ntlmssp_auth_footer: failed to marshall RPC_HDR_AUTH.\n"));
1436 data_blob_free(&auth_blob);
1437 return NT_STATUS_NO_MEMORY;
1440 switch (cli->auth->auth_level) {
1441 case PIPE_AUTH_LEVEL_PRIVACY:
1442 /* Data portion is encrypted. */
1443 status = ntlmssp_seal_packet(cli->auth->a_u.ntlmssp_state,
1444 (unsigned char *)prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
1446 (unsigned char *)prs_data_p(outgoing_pdu),
1447 (size_t)prs_offset(outgoing_pdu),
1449 if (!NT_STATUS_IS_OK(status)) {
1450 data_blob_free(&auth_blob);
1455 case PIPE_AUTH_LEVEL_INTEGRITY:
1456 /* Data is signed. */
1457 status = ntlmssp_sign_packet(cli->auth->a_u.ntlmssp_state,
1458 (unsigned char *)prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
1460 (unsigned char *)prs_data_p(outgoing_pdu),
1461 (size_t)prs_offset(outgoing_pdu),
1463 if (!NT_STATUS_IS_OK(status)) {
1464 data_blob_free(&auth_blob);
1471 smb_panic("bad auth level");
1473 return NT_STATUS_INVALID_PARAMETER;
1476 /* Finally marshall the blob. */
1478 if (!prs_copy_data_in(outgoing_pdu, (const char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
1479 DEBUG(0,("add_ntlmssp_auth_footer: failed to add %u bytes auth blob.\n",
1480 (unsigned int)NTLMSSP_SIG_SIZE));
1481 data_blob_free(&auth_blob);
1482 return NT_STATUS_NO_MEMORY;
1485 data_blob_free(&auth_blob);
1486 return NT_STATUS_OK;
1489 /*******************************************************************
1490 Create and add the schannel sign/seal auth header and data.
1491 ********************************************************************/
1493 static NTSTATUS add_schannel_auth_footer(struct rpc_pipe_client *cli,
1495 uint32 ss_padding_len,
1496 prs_struct *outgoing_pdu)
1498 RPC_HDR_AUTH auth_info;
1499 RPC_AUTH_SCHANNEL_CHK verf;
1500 struct schannel_auth_struct *sas = cli->auth->a_u.schannel_auth;
1501 char *data_p = prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
1502 size_t data_and_pad_len = prs_offset(outgoing_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
1505 return NT_STATUS_INVALID_PARAMETER;
1508 /* Init and marshall the auth header. */
1509 init_rpc_hdr_auth(&auth_info,
1510 map_pipe_auth_type_to_rpc_auth_type(cli->auth->auth_type),
1511 cli->auth->auth_level,
1513 1 /* context id. */);
1515 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, outgoing_pdu, 0)) {
1516 DEBUG(0,("add_schannel_auth_footer: failed to marshall RPC_HDR_AUTH.\n"));
1517 return NT_STATUS_NO_MEMORY;
1520 switch (cli->auth->auth_level) {
1521 case PIPE_AUTH_LEVEL_PRIVACY:
1522 case PIPE_AUTH_LEVEL_INTEGRITY:
1523 DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
1526 schannel_encode(sas,
1527 cli->auth->auth_level,
1528 SENDER_IS_INITIATOR,
1538 smb_panic("bad auth level");
1540 return NT_STATUS_INVALID_PARAMETER;
1543 /* Finally marshall the blob. */
1544 smb_io_rpc_auth_schannel_chk("",
1545 RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
1550 return NT_STATUS_OK;
1553 /*******************************************************************
1554 Calculate how much data we're going to send in this packet, also
1555 work out any sign/seal padding length.
1556 ********************************************************************/
1558 static uint32 calculate_data_len_tosend(struct rpc_pipe_client *cli,
1562 uint32 *p_ss_padding)
1564 uint32 data_space, data_len;
1566 switch (cli->auth->auth_level) {
1567 case PIPE_AUTH_LEVEL_NONE:
1568 case PIPE_AUTH_LEVEL_CONNECT:
1569 data_space = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN;
1570 data_len = MIN(data_space, data_left);
1573 *p_frag_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + data_len;
1576 case PIPE_AUTH_LEVEL_INTEGRITY:
1577 case PIPE_AUTH_LEVEL_PRIVACY:
1578 /* Treat the same for all authenticated rpc requests. */
1579 switch(cli->auth->auth_type) {
1580 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1581 case PIPE_AUTH_TYPE_NTLMSSP:
1582 *p_auth_len = NTLMSSP_SIG_SIZE;
1584 case PIPE_AUTH_TYPE_SCHANNEL:
1585 *p_auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
1588 smb_panic("bad auth type");
1592 data_space = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1593 RPC_HDR_AUTH_LEN - *p_auth_len;
1595 data_len = MIN(data_space, data_left);
1597 *p_ss_padding = 8 - (data_len % 8);
1599 *p_frag_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + /* Normal headers. */
1600 data_len + *p_ss_padding + /* data plus padding. */
1601 RPC_HDR_AUTH_LEN + *p_auth_len; /* Auth header and auth data. */
1605 smb_panic("bad auth level");
1611 /*******************************************************************
1613 Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
1614 Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
1615 and deals with signing/sealing details.
1616 ********************************************************************/
1618 NTSTATUS rpc_api_pipe_req(struct rpc_pipe_client *cli,
1620 prs_struct *in_data,
1621 prs_struct *out_data)
1624 uint32 data_left = prs_offset(in_data);
1625 uint32 alloc_hint = prs_offset(in_data);
1626 uint32 data_sent_thistime = 0;
1627 uint32 current_data_offset = 0;
1628 uint32 call_id = get_rpc_call_id();
1630 prs_struct outgoing_pdu;
1632 memset(pad, '\0', 8);
1634 if (cli->max_xmit_frag < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_MAX_SIGN_SIZE) {
1635 /* Server is screwed up ! */
1636 return NT_STATUS_INVALID_PARAMETER;
1639 if (!prs_init(&outgoing_pdu, cli->max_xmit_frag, prs_get_mem_context(in_data), MARSHALL))
1640 return NT_STATUS_NO_MEMORY;
1644 RPC_HDR_REQ hdr_req;
1645 uint16 auth_len = 0;
1646 uint16 frag_len = 0;
1648 uint32 ss_padding = 0;
1650 data_sent_thistime = calculate_data_len_tosend(cli, data_left,
1651 &frag_len, &auth_len, &ss_padding);
1653 if (current_data_offset == 0) {
1654 flags = RPC_FLG_FIRST;
1657 if (data_sent_thistime == data_left) {
1658 flags |= RPC_FLG_LAST;
1661 /* Create and marshall the header and request header. */
1662 init_rpc_hdr(&hdr, RPC_REQUEST, flags, call_id, frag_len, auth_len);
1664 if(!smb_io_rpc_hdr("hdr ", &hdr, &outgoing_pdu, 0)) {
1665 prs_mem_free(&outgoing_pdu);
1666 return NT_STATUS_NO_MEMORY;
1669 /* Create the rpc request RPC_HDR_REQ */
1670 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
1672 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, &outgoing_pdu, 0)) {
1673 prs_mem_free(&outgoing_pdu);
1674 return NT_STATUS_NO_MEMORY;
1677 /* Copy in the data, plus any ss padding. */
1678 if (!prs_append_some_prs_data(&outgoing_pdu, in_data, current_data_offset, data_sent_thistime)) {
1679 prs_mem_free(&outgoing_pdu);
1680 return NT_STATUS_NO_MEMORY;
1683 /* Copy the sign/seal padding data. */
1685 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding)) {
1686 prs_mem_free(&outgoing_pdu);
1687 return NT_STATUS_NO_MEMORY;
1691 /* Generate any auth sign/seal and add the auth footer. */
1693 switch (cli->auth->auth_type) {
1694 case PIPE_AUTH_TYPE_NONE:
1696 case PIPE_AUTH_TYPE_NTLMSSP:
1697 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1698 ret = add_ntlmssp_auth_footer(cli, &hdr, ss_padding, &outgoing_pdu);
1699 if (!NT_STATUS_IS_OK(ret)) {
1700 prs_mem_free(&outgoing_pdu);
1704 case PIPE_AUTH_TYPE_SCHANNEL:
1705 ret = add_schannel_auth_footer(cli, &hdr, ss_padding, &outgoing_pdu);
1706 if (!NT_STATUS_IS_OK(ret)) {
1707 prs_mem_free(&outgoing_pdu);
1712 smb_panic("bad auth type");
1713 break; /* notreached */
1717 /* Actually send the packet. */
1718 if (flags & RPC_FLG_LAST) {
1719 /* Last packet - send the data, get the reply and return. */
1720 ret = rpc_api_pipe(cli, &outgoing_pdu, out_data, RPC_RESPONSE);
1721 prs_mem_free(&outgoing_pdu);
1723 if ((DEBUGLEVEL >= 50)
1724 && (cli->transport_type == NCACN_NP)) {
1725 char *dump_name = NULL;
1726 /* Also capture received data */
1727 if (asprintf(&dump_name, "%s/reply_%s_%d",
1728 get_dyn_LOGFILEBASE(),
1729 cli->trans.np.pipe_name, op_num) > 0) {
1730 prs_dump(dump_name, op_num, out_data);
1731 SAFE_FREE(dump_name);
1737 /* More packets to come - write and continue. */
1738 ssize_t num_written;
1740 switch (cli->transport_type) {
1742 num_written = cli_write(cli->trans.np.cli,
1744 8, /* 8 means message mode. */
1745 prs_data_p(&outgoing_pdu),
1747 (size_t)hdr.frag_len);
1749 if (num_written != hdr.frag_len) {
1750 prs_mem_free(&outgoing_pdu);
1751 return cli_get_nt_error(
1756 case NCACN_UNIX_STREAM:
1757 num_written = write_data(
1759 prs_data_p(&outgoing_pdu),
1760 (size_t)hdr.frag_len);
1761 if (num_written != hdr.frag_len) {
1763 status = map_nt_error_from_unix(errno);
1764 prs_mem_free(&outgoing_pdu);
1769 DEBUG(0, ("unknown transport type %d\n",
1770 cli->transport_type));
1771 return NT_STATUS_INTERNAL_ERROR;
1775 current_data_offset += data_sent_thistime;
1776 data_left -= data_sent_thistime;
1778 /* Reset the marshalling position back to zero. */
1779 if (!prs_set_offset(&outgoing_pdu, 0)) {
1780 prs_mem_free(&outgoing_pdu);
1781 return NT_STATUS_NO_MEMORY;
1786 /****************************************************************************
1787 Set the handle state.
1788 ****************************************************************************/
1790 static bool rpc_pipe_set_hnd_state(struct rpc_pipe_client *cli,
1791 const char *pipe_name, uint16 device_state)
1793 bool state_set = False;
1795 uint16 setup[2]; /* only need 2 uint16 setup parameters */
1796 char *rparam = NULL;
1798 uint32 rparam_len, rdata_len;
1800 if (pipe_name == NULL)
1803 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
1804 cli->fnum, pipe_name, device_state));
1806 /* create parameters: device state */
1807 SSVAL(param, 0, device_state);
1809 /* create setup parameters. */
1811 setup[1] = cli->fnum; /* pipe file handle. got this from an SMBOpenX. */
1813 /* send the data on \PIPE\ */
1814 if (cli_api_pipe(cli->cli, "\\PIPE\\",
1815 setup, 2, 0, /* setup, length, max */
1816 param, 2, 0, /* param, length, max */
1817 NULL, 0, 1024, /* data, length, max */
1818 &rparam, &rparam_len, /* return param, length */
1819 &rdata, &rdata_len)) /* return data, length */
1821 DEBUG(5, ("Set Handle state: return OK\n"));
1832 /****************************************************************************
1833 Check the rpc bind acknowledge response.
1834 ****************************************************************************/
1836 static bool check_bind_response(RPC_HDR_BA *hdr_ba, const RPC_IFACE *transfer)
1838 if ( hdr_ba->addr.len == 0) {
1839 DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
1842 /* check the transfer syntax */
1843 if ((hdr_ba->transfer.if_version != transfer->if_version) ||
1844 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1845 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1849 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
1850 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1851 hdr_ba->res.num_results, hdr_ba->res.reason));
1854 DEBUG(5,("check_bind_response: accepted!\n"));
1858 /*******************************************************************
1859 Creates a DCE/RPC bind authentication response.
1860 This is the packet that is sent back to the server once we
1861 have received a BIND-ACK, to finish the third leg of
1862 the authentication handshake.
1863 ********************************************************************/
1865 static NTSTATUS create_rpc_bind_auth3(struct rpc_pipe_client *cli,
1867 enum pipe_auth_type auth_type,
1868 enum pipe_auth_level auth_level,
1869 DATA_BLOB *pauth_blob,
1870 prs_struct *rpc_out)
1873 RPC_HDR_AUTH hdr_auth;
1876 /* Create the request RPC_HDR */
1877 init_rpc_hdr(&hdr, RPC_AUTH3, RPC_FLG_FIRST|RPC_FLG_LAST, rpc_call_id,
1878 RPC_HEADER_LEN + 4 /* pad */ + RPC_HDR_AUTH_LEN + pauth_blob->length,
1879 pauth_blob->length );
1882 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
1883 DEBUG(0,("create_rpc_bind_auth3: failed to marshall RPC_HDR.\n"));
1884 return NT_STATUS_NO_MEMORY;
1888 I'm puzzled about this - seems to violate the DCE RPC auth rules,
1889 about padding - shouldn't this pad to length 8 ? JRA.
1892 /* 4 bytes padding. */
1893 if (!prs_uint32("pad", rpc_out, 0, &pad)) {
1894 DEBUG(0,("create_rpc_bind_auth3: failed to marshall 4 byte pad.\n"));
1895 return NT_STATUS_NO_MEMORY;
1898 /* Create the request RPC_HDR_AUTHA */
1899 init_rpc_hdr_auth(&hdr_auth,
1900 map_pipe_auth_type_to_rpc_auth_type(auth_type),
1903 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rpc_out, 0)) {
1904 DEBUG(0,("create_rpc_bind_auth3: failed to marshall RPC_HDR_AUTHA.\n"));
1905 return NT_STATUS_NO_MEMORY;
1909 * Append the auth data to the outgoing buffer.
1912 if(!prs_copy_data_in(rpc_out, (char *)pauth_blob->data, pauth_blob->length)) {
1913 DEBUG(0,("create_rpc_bind_auth3: failed to marshall auth blob.\n"));
1914 return NT_STATUS_NO_MEMORY;
1917 return NT_STATUS_OK;
1920 /****************************************************************************
1921 Create and send the third packet in an RPC auth.
1922 ****************************************************************************/
1924 static NTSTATUS rpc_finish_auth3_bind(struct rpc_pipe_client *cli,
1928 enum pipe_auth_type auth_type,
1929 enum pipe_auth_level auth_level)
1931 DATA_BLOB server_response = data_blob_null;
1932 DATA_BLOB client_reply = data_blob_null;
1933 RPC_HDR_AUTH hdr_auth;
1938 if (!phdr->auth_len || (phdr->frag_len < phdr->auth_len + RPC_HDR_AUTH_LEN)) {
1939 return NT_STATUS_INVALID_PARAMETER;
1942 /* Process the returned NTLMSSP blob first. */
1943 if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
1944 return NT_STATUS_INVALID_PARAMETER;
1947 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
1948 return NT_STATUS_INVALID_PARAMETER;
1951 /* TODO - check auth_type/auth_level match. */
1953 server_response = data_blob(NULL, phdr->auth_len);
1954 prs_copy_data_out((char *)server_response.data, rbuf, phdr->auth_len);
1956 nt_status = ntlmssp_update(cli->auth->a_u.ntlmssp_state,
1960 if (!NT_STATUS_IS_OK(nt_status)) {
1961 DEBUG(0,("rpc_finish_auth3_bind: NTLMSSP update using server blob failed.\n"));
1962 data_blob_free(&server_response);
1966 prs_init_empty(&rpc_out, prs_get_mem_context(rbuf), MARSHALL);
1968 nt_status = create_rpc_bind_auth3(cli, rpc_call_id,
1969 auth_type, auth_level,
1970 &client_reply, &rpc_out);
1972 if (!NT_STATUS_IS_OK(nt_status)) {
1973 prs_mem_free(&rpc_out);
1974 data_blob_free(&client_reply);
1975 data_blob_free(&server_response);
1979 switch (cli->transport_type) {
1981 /* 8 here is named pipe message mode. */
1982 ret = cli_write(cli->trans.np.cli, cli->trans.np.fnum,
1983 0x8, prs_data_p(&rpc_out), 0,
1984 (size_t)prs_offset(&rpc_out));
1987 if (ret != (ssize_t)prs_offset(&rpc_out)) {
1988 nt_status = cli_get_nt_error(cli->trans.np.cli);
1991 case NCACN_UNIX_STREAM:
1992 ret = write_data(cli->trans.sock.fd, prs_data_p(&rpc_out),
1993 (size_t)prs_offset(&rpc_out));
1994 if (ret != (ssize_t)prs_offset(&rpc_out)) {
1995 nt_status = map_nt_error_from_unix(errno);
1999 DEBUG(0, ("unknown transport type %d\n", cli->transport_type));
2000 return NT_STATUS_INTERNAL_ERROR;
2003 if (ret != (ssize_t)prs_offset(&rpc_out)) {
2004 DEBUG(0,("rpc_send_auth_auth3: write failed. Return was %s\n",
2005 nt_errstr(nt_status)));
2006 prs_mem_free(&rpc_out);
2007 data_blob_free(&client_reply);
2008 data_blob_free(&server_response);
2012 DEBUG(5,("rpc_send_auth_auth3: %s sent auth3 response ok.\n",
2013 rpccli_pipe_txt(debug_ctx(), cli)));
2015 prs_mem_free(&rpc_out);
2016 data_blob_free(&client_reply);
2017 data_blob_free(&server_response);
2018 return NT_STATUS_OK;
2021 /*******************************************************************
2022 Creates a DCE/RPC bind alter context authentication request which
2023 may contain a spnego auth blobl
2024 ********************************************************************/
2026 static NTSTATUS create_rpc_alter_context(uint32 rpc_call_id,
2027 const RPC_IFACE *abstract,
2028 const RPC_IFACE *transfer,
2029 enum pipe_auth_level auth_level,
2030 const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
2031 prs_struct *rpc_out)
2033 RPC_HDR_AUTH hdr_auth;
2034 prs_struct auth_info;
2035 NTSTATUS ret = NT_STATUS_OK;
2037 ZERO_STRUCT(hdr_auth);
2038 if (!prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL))
2039 return NT_STATUS_NO_MEMORY;
2041 /* We may change the pad length before marshalling. */
2042 init_rpc_hdr_auth(&hdr_auth, RPC_SPNEGO_AUTH_TYPE, (int)auth_level, 0, 1);
2044 if (pauth_blob->length) {
2045 if (!prs_copy_data_in(&auth_info, (const char *)pauth_blob->data, pauth_blob->length)) {
2046 prs_mem_free(&auth_info);
2047 return NT_STATUS_NO_MEMORY;
2051 ret = create_bind_or_alt_ctx_internal(RPC_ALTCONT,
2058 prs_mem_free(&auth_info);
2062 /*******************************************************************
2063 Third leg of the SPNEGO bind mechanism - sends alter context PDU
2064 and gets a response.
2065 ********************************************************************/
2067 static NTSTATUS rpc_finish_spnego_ntlmssp_bind(struct rpc_pipe_client *cli,
2071 const RPC_IFACE *abstract,
2072 const RPC_IFACE *transfer,
2073 enum pipe_auth_type auth_type,
2074 enum pipe_auth_level auth_level)
2076 DATA_BLOB server_spnego_response = data_blob_null;
2077 DATA_BLOB server_ntlm_response = data_blob_null;
2078 DATA_BLOB client_reply = data_blob_null;
2079 DATA_BLOB tmp_blob = data_blob_null;
2080 RPC_HDR_AUTH hdr_auth;
2084 if (!phdr->auth_len || (phdr->frag_len < phdr->auth_len + RPC_HDR_AUTH_LEN)) {
2085 return NT_STATUS_INVALID_PARAMETER;
2088 /* Process the returned NTLMSSP blob first. */
2089 if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
2090 return NT_STATUS_INVALID_PARAMETER;
2093 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
2094 return NT_STATUS_INVALID_PARAMETER;
2097 server_spnego_response = data_blob(NULL, phdr->auth_len);
2098 prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len);
2100 /* The server might give us back two challenges - tmp_blob is for the second. */
2101 if (!spnego_parse_challenge(server_spnego_response, &server_ntlm_response, &tmp_blob)) {
2102 data_blob_free(&server_spnego_response);
2103 data_blob_free(&server_ntlm_response);
2104 data_blob_free(&tmp_blob);
2105 return NT_STATUS_INVALID_PARAMETER;
2108 /* We're finished with the server spnego response and the tmp_blob. */
2109 data_blob_free(&server_spnego_response);
2110 data_blob_free(&tmp_blob);
2112 nt_status = ntlmssp_update(cli->auth->a_u.ntlmssp_state,
2113 server_ntlm_response,
2116 /* Finished with the server_ntlm response */
2117 data_blob_free(&server_ntlm_response);
2119 if (!NT_STATUS_IS_OK(nt_status)) {
2120 DEBUG(0,("rpc_finish_spnego_ntlmssp_bind: NTLMSSP update using server blob failed.\n"));
2121 data_blob_free(&client_reply);
2125 /* SPNEGO wrap the client reply. */
2126 tmp_blob = spnego_gen_auth(client_reply);
2127 data_blob_free(&client_reply);
2128 client_reply = tmp_blob;
2129 tmp_blob = data_blob_null; /* Ensure it's safe to free this just in case. */
2131 /* Now prepare the alter context pdu. */
2132 prs_init_empty(&rpc_out, prs_get_mem_context(rbuf), MARSHALL);
2134 nt_status = create_rpc_alter_context(rpc_call_id,
2141 data_blob_free(&client_reply);
2143 if (!NT_STATUS_IS_OK(nt_status)) {
2144 prs_mem_free(&rpc_out);
2148 /* Initialize the returning data struct. */
2150 prs_init_empty(rbuf, talloc_tos(), UNMARSHALL);
2152 nt_status = rpc_api_pipe(cli, &rpc_out, rbuf, RPC_ALTCONTRESP);
2153 if (!NT_STATUS_IS_OK(nt_status)) {
2154 prs_mem_free(&rpc_out);
2158 prs_mem_free(&rpc_out);
2160 /* Get the auth blob from the reply. */
2161 if(!smb_io_rpc_hdr("rpc_hdr ", phdr, rbuf, 0)) {
2162 DEBUG(0,("rpc_finish_spnego_ntlmssp_bind: Failed to unmarshall RPC_HDR.\n"));
2163 return NT_STATUS_BUFFER_TOO_SMALL;
2166 if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
2167 return NT_STATUS_INVALID_PARAMETER;
2170 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
2171 return NT_STATUS_INVALID_PARAMETER;
2174 server_spnego_response = data_blob(NULL, phdr->auth_len);
2175 prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len);
2177 /* Check we got a valid auth response. */
2178 if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, OID_NTLMSSP, &tmp_blob)) {
2179 data_blob_free(&server_spnego_response);
2180 data_blob_free(&tmp_blob);
2181 return NT_STATUS_INVALID_PARAMETER;
2184 data_blob_free(&server_spnego_response);
2185 data_blob_free(&tmp_blob);
2187 DEBUG(5,("rpc_finish_spnego_ntlmssp_bind: alter context request to "
2188 "%s.\n", rpccli_pipe_txt(debug_ctx(), cli)));
2190 return NT_STATUS_OK;
2193 /****************************************************************************
2195 ****************************************************************************/
2197 NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
2198 struct cli_pipe_auth_data *auth)
2207 DEBUG(5,("Bind RPC Pipe: %s auth_type %u, auth_level %u\n",
2208 rpccli_pipe_txt(debug_ctx(), cli),
2209 (unsigned int)auth->auth_type,
2210 (unsigned int)auth->auth_level ));
2212 cli->auth = talloc_move(cli, &auth);
2214 prs_init_empty(&rpc_out, talloc_tos(), MARSHALL);
2216 rpc_call_id = get_rpc_call_id();
2218 /* Marshall the outgoing data. */
2219 status = create_rpc_bind_req(cli, &rpc_out, rpc_call_id,
2220 cli->abstract_syntax,
2221 cli->transfer_syntax,
2222 cli->auth->auth_type,
2223 cli->auth->auth_level);
2225 if (!NT_STATUS_IS_OK(status)) {
2226 prs_mem_free(&rpc_out);
2230 /* Initialize the incoming data struct. */
2231 prs_init_empty(&rbuf, talloc_tos(), UNMARSHALL);
2233 /* send data on \PIPE\. receive a response */
2234 status = rpc_api_pipe(cli, &rpc_out, &rbuf, RPC_BINDACK);
2235 if (!NT_STATUS_IS_OK(status)) {
2236 prs_mem_free(&rpc_out);
2240 prs_mem_free(&rpc_out);
2242 DEBUG(3,("rpc_pipe_bind: %s bind request returned ok.\n",
2243 rpccli_pipe_txt(debug_ctx(), cli)));
2245 /* Unmarshall the RPC header */
2246 if(!smb_io_rpc_hdr("hdr" , &hdr, &rbuf, 0)) {
2247 DEBUG(0,("rpc_pipe_bind: failed to unmarshall RPC_HDR.\n"));
2248 prs_mem_free(&rbuf);
2249 return NT_STATUS_BUFFER_TOO_SMALL;
2252 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rbuf, 0)) {
2253 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
2254 prs_mem_free(&rbuf);
2255 return NT_STATUS_BUFFER_TOO_SMALL;
2258 if(!check_bind_response(&hdr_ba, cli->transfer_syntax)) {
2259 DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
2260 prs_mem_free(&rbuf);
2261 return NT_STATUS_BUFFER_TOO_SMALL;
2264 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
2265 cli->max_recv_frag = hdr_ba.bba.max_rsize;
2267 /* For authenticated binds we may need to do 3 or 4 leg binds. */
2268 switch(cli->auth->auth_type) {
2270 case PIPE_AUTH_TYPE_NONE:
2271 case PIPE_AUTH_TYPE_SCHANNEL:
2272 /* Bind complete. */
2275 case PIPE_AUTH_TYPE_NTLMSSP:
2276 /* Need to send AUTH3 packet - no reply. */
2277 status = rpc_finish_auth3_bind(
2278 cli, &hdr, &rbuf, rpc_call_id,
2279 cli->auth->auth_type,
2280 cli->auth->auth_level);
2281 if (!NT_STATUS_IS_OK(status)) {
2282 prs_mem_free(&rbuf);
2287 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
2288 /* Need to send alter context request and reply. */
2289 status = rpc_finish_spnego_ntlmssp_bind(
2290 cli, &hdr, &rbuf, rpc_call_id,
2291 cli->abstract_syntax, cli->transfer_syntax,
2292 cli->auth->auth_type, cli->auth->auth_level);
2293 if (!NT_STATUS_IS_OK(status)) {
2294 prs_mem_free(&rbuf);
2299 case PIPE_AUTH_TYPE_KRB5:
2303 DEBUG(0,("cli_finish_bind_auth: unknown auth type "
2304 "%u\n", (unsigned int)cli->auth->auth_type));
2305 prs_mem_free(&rbuf);
2306 return NT_STATUS_INVALID_INFO_CLASS;
2309 /* For NTLMSSP ensure the server gave us the auth_level we wanted. */
2310 if (cli->auth->auth_type == PIPE_AUTH_TYPE_NTLMSSP
2311 || cli->auth->auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2312 if (cli->auth->auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
2313 if (!(cli->auth->a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
2314 DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP signing and server refused.\n"));
2315 prs_mem_free(&rbuf);
2316 return NT_STATUS_INVALID_PARAMETER;
2319 if (cli->auth->auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
2320 if (!(cli->auth->a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
2321 DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP sealing and server refused.\n"));
2322 prs_mem_free(&rbuf);
2323 return NT_STATUS_INVALID_PARAMETER;
2328 prs_mem_free(&rbuf);
2329 return NT_STATUS_OK;
2332 unsigned int rpccli_set_timeout(struct rpc_pipe_client *cli,
2333 unsigned int timeout)
2335 return cli_set_timeout(cli->trans.np.cli, timeout);
2338 bool rpccli_is_pipe_idx(struct rpc_pipe_client *cli, int pipe_idx)
2340 return (cli->abstract_syntax == pipe_names[pipe_idx].abstr_syntax);
2343 bool rpccli_get_pwd_hash(struct rpc_pipe_client *cli, uint8_t nt_hash[16])
2345 if ((cli->auth->auth_type == PIPE_AUTH_TYPE_NTLMSSP)
2346 || (cli->auth->auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)) {
2347 memcpy(nt_hash, cli->auth->a_u.ntlmssp_state->nt_hash, 16);
2351 if (cli->transport_type == NCACN_NP) {
2352 E_md4hash(cli->trans.np.cli->pwd.password, nt_hash);
2359 struct cli_state *rpc_pipe_np_smb_conn(struct rpc_pipe_client *p)
2361 if (p->transport_type == NCACN_NP) {
2362 return p->trans.np.cli;
2367 static int rpc_pipe_destructor(struct rpc_pipe_client *p)
2369 if (p->transport_type == NCACN_NP) {
2371 ret = cli_close(p->trans.np.cli, p->trans.np.fnum);
2373 DEBUG(1, ("rpc_pipe_destructor: cli_close failed on "
2374 "pipe %s. Error was %s\n",
2375 rpccli_pipe_txt(debug_ctx(), p),
2376 cli_errstr(p->trans.np.cli)));
2379 DEBUG(10, ("rpc_pipe_destructor: closed %s\n",
2380 rpccli_pipe_txt(debug_ctx(), p)));
2382 DLIST_REMOVE(p->trans.np.cli->pipe_list, p);
2383 return ret ? -1 : 0;
2389 NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
2390 struct cli_pipe_auth_data **presult)
2392 struct cli_pipe_auth_data *result;
2394 result = talloc(mem_ctx, struct cli_pipe_auth_data);
2395 if (result == NULL) {
2396 return NT_STATUS_NO_MEMORY;
2399 result->auth_type = PIPE_AUTH_TYPE_NONE;
2400 result->auth_level = PIPE_AUTH_LEVEL_NONE;
2402 result->user_name = talloc_strdup(result, "");
2403 result->domain = talloc_strdup(result, "");
2404 if ((result->user_name == NULL) || (result->domain == NULL)) {
2405 TALLOC_FREE(result);
2406 return NT_STATUS_NO_MEMORY;
2410 return NT_STATUS_OK;
2413 static int cli_auth_ntlmssp_data_destructor(struct cli_pipe_auth_data *auth)
2415 ntlmssp_end(&auth->a_u.ntlmssp_state);
2419 NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
2420 enum pipe_auth_type auth_type,
2421 enum pipe_auth_level auth_level,
2423 const char *username,
2424 const char *password,
2425 struct cli_pipe_auth_data **presult)
2427 struct cli_pipe_auth_data *result;
2430 result = talloc(mem_ctx, struct cli_pipe_auth_data);
2431 if (result == NULL) {
2432 return NT_STATUS_NO_MEMORY;
2435 result->auth_type = auth_type;
2436 result->auth_level = auth_level;
2438 result->user_name = talloc_strdup(result, username);
2439 result->domain = talloc_strdup(result, domain);
2440 if ((result->user_name == NULL) || (result->domain == NULL)) {
2441 status = NT_STATUS_NO_MEMORY;
2445 status = ntlmssp_client_start(&result->a_u.ntlmssp_state);
2446 if (!NT_STATUS_IS_OK(status)) {
2450 talloc_set_destructor(result, cli_auth_ntlmssp_data_destructor);
2452 status = ntlmssp_set_username(result->a_u.ntlmssp_state, username);
2453 if (!NT_STATUS_IS_OK(status)) {
2457 status = ntlmssp_set_domain(result->a_u.ntlmssp_state, domain);
2458 if (!NT_STATUS_IS_OK(status)) {
2462 status = ntlmssp_set_password(result->a_u.ntlmssp_state, password);
2463 if (!NT_STATUS_IS_OK(status)) {
2468 * Turn off sign+seal to allow selected auth level to turn it back on.
2470 result->a_u.ntlmssp_state->neg_flags &=
2471 ~(NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL);
2473 if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
2474 result->a_u.ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
2475 } else if (auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
2476 result->a_u.ntlmssp_state->neg_flags
2477 |= NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN;
2481 return NT_STATUS_OK;
2484 TALLOC_FREE(result);
2488 NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
2489 enum pipe_auth_level auth_level,
2490 const uint8_t sess_key[16],
2491 struct cli_pipe_auth_data **presult)
2493 struct cli_pipe_auth_data *result;
2495 result = talloc(mem_ctx, struct cli_pipe_auth_data);
2496 if (result == NULL) {
2497 return NT_STATUS_NO_MEMORY;
2500 result->auth_type = PIPE_AUTH_TYPE_SCHANNEL;
2501 result->auth_level = auth_level;
2503 result->user_name = talloc_strdup(result, "");
2504 result->domain = talloc_strdup(result, domain);
2505 if ((result->user_name == NULL) || (result->domain == NULL)) {
2509 result->a_u.schannel_auth = talloc(result,
2510 struct schannel_auth_struct);
2511 if (result->a_u.schannel_auth == NULL) {
2515 memcpy(result->a_u.schannel_auth->sess_key, sess_key,
2516 sizeof(result->a_u.schannel_auth->sess_key));
2517 result->a_u.schannel_auth->seq_num = 0;
2520 return NT_STATUS_OK;
2523 TALLOC_FREE(result);
2524 return NT_STATUS_NO_MEMORY;
2528 static int cli_auth_kerberos_data_destructor(struct kerberos_auth_struct *auth)
2530 data_blob_free(&auth->session_key);
2535 NTSTATUS rpccli_kerberos_bind_data(TALLOC_CTX *mem_ctx,
2536 enum pipe_auth_level auth_level,
2537 const char *service_princ,
2538 const char *username,
2539 const char *password,
2540 struct cli_pipe_auth_data **presult)
2543 struct cli_pipe_auth_data *result;
2545 if ((username != NULL) && (password != NULL)) {
2546 int ret = kerberos_kinit_password(username, password, 0, NULL);
2548 return NT_STATUS_ACCESS_DENIED;
2552 result = talloc(mem_ctx, struct cli_pipe_auth_data);
2553 if (result == NULL) {
2554 return NT_STATUS_NO_MEMORY;
2557 result->auth_type = PIPE_AUTH_TYPE_KRB5;
2558 result->auth_level = auth_level;
2561 * Username / domain need fixing!
2563 result->user_name = talloc_strdup(result, "");
2564 result->domain = talloc_strdup(result, "");
2565 if ((result->user_name == NULL) || (result->domain == NULL)) {
2569 result->a_u.kerberos_auth = TALLOC_ZERO_P(
2570 result, struct kerberos_auth_struct);
2571 if (result->a_u.kerberos_auth == NULL) {
2574 talloc_set_destructor(result->a_u.kerberos_auth,
2575 cli_auth_kerberos_data_destructor);
2577 result->a_u.kerberos_auth->service_principal = talloc_strdup(
2578 result, service_princ);
2579 if (result->a_u.kerberos_auth->service_principal == NULL) {
2584 return NT_STATUS_OK;
2587 TALLOC_FREE(result);
2588 return NT_STATUS_NO_MEMORY;
2590 return NT_STATUS_NOT_SUPPORTED;
2594 static int rpc_pipe_sock_destructor(struct rpc_pipe_client *p)
2596 close(p->trans.sock.fd);
2601 * Create an rpc pipe client struct, connecting to a tcp port.
2603 static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
2605 const struct ndr_syntax_id *abstract_syntax,
2606 struct rpc_pipe_client **presult)
2608 struct rpc_pipe_client *result;
2609 struct sockaddr_storage addr;
2612 result = TALLOC_ZERO_P(mem_ctx, struct rpc_pipe_client);
2613 if (result == NULL) {
2614 return NT_STATUS_NO_MEMORY;
2617 result->transport_type = NCACN_IP_TCP;
2619 result->abstract_syntax = abstract_syntax;
2620 result->transfer_syntax = &ndr_transfer_syntax;
2622 result->desthost = talloc_strdup(result, host);
2623 result->srv_name_slash = talloc_asprintf_strupper_m(
2624 result, "\\\\%s", result->desthost);
2625 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2626 status = NT_STATUS_NO_MEMORY;
2630 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2631 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2633 if (!resolve_name(host, &addr, 0)) {
2634 status = NT_STATUS_NOT_FOUND;
2638 result->trans.sock.fd = open_socket_out(SOCK_STREAM, &addr, port, 60);
2639 if (result->trans.sock.fd == -1) {
2640 status = map_nt_error_from_unix(errno);
2644 talloc_set_destructor(result, rpc_pipe_sock_destructor);
2647 return NT_STATUS_OK;
2650 TALLOC_FREE(result);
2655 * Determine the tcp port on which a dcerpc interface is listening
2656 * for the ncacn_ip_tcp transport via the endpoint mapper of the
2659 static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
2660 const struct ndr_syntax_id *abstract_syntax,
2664 struct rpc_pipe_client *epm_pipe = NULL;
2665 struct cli_pipe_auth_data *auth = NULL;
2666 struct dcerpc_binding *map_binding = NULL;
2667 struct dcerpc_binding *res_binding = NULL;
2668 struct epm_twr_t *map_tower = NULL;
2669 struct epm_twr_t *res_towers = NULL;
2670 struct policy_handle *entry_handle = NULL;
2671 uint32_t num_towers = 0;
2672 uint32_t max_towers = 1;
2673 struct epm_twr_p_t towers;
2674 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2676 if (pport == NULL) {
2677 status = NT_STATUS_INVALID_PARAMETER;
2681 /* open the connection to the endpoint mapper */
2682 status = rpc_pipe_open_tcp_port(tmp_ctx, host, 135,
2683 &ndr_table_epmapper.syntax_id,
2686 if (!NT_STATUS_IS_OK(status)) {
2690 status = rpccli_anon_bind_data(tmp_ctx, &auth);
2691 if (!NT_STATUS_IS_OK(status)) {
2695 status = rpc_pipe_bind(epm_pipe, auth);
2696 if (!NT_STATUS_IS_OK(status)) {
2700 /* create tower for asking the epmapper */
2702 map_binding = TALLOC_ZERO_P(tmp_ctx, struct dcerpc_binding);
2703 if (map_binding == NULL) {
2704 status = NT_STATUS_NO_MEMORY;
2708 map_binding->transport = NCACN_IP_TCP;
2709 map_binding->object = *abstract_syntax;
2710 map_binding->host = host; /* needed? */
2711 map_binding->endpoint = "0"; /* correct? needed? */
2713 map_tower = TALLOC_ZERO_P(tmp_ctx, struct epm_twr_t);
2714 if (map_tower == NULL) {
2715 status = NT_STATUS_NO_MEMORY;
2719 status = dcerpc_binding_build_tower(tmp_ctx, map_binding,
2720 &(map_tower->tower));
2721 if (!NT_STATUS_IS_OK(status)) {
2725 /* allocate further parameters for the epm_Map call */
2727 res_towers = TALLOC_ARRAY(tmp_ctx, struct epm_twr_t, max_towers);
2728 if (res_towers == NULL) {
2729 status = NT_STATUS_NO_MEMORY;
2732 towers.twr = res_towers;
2734 entry_handle = TALLOC_ZERO_P(tmp_ctx, struct policy_handle);
2735 if (entry_handle == NULL) {
2736 status = NT_STATUS_NO_MEMORY;
2740 /* ask the endpoint mapper for the port */
2742 status = rpccli_epm_Map(epm_pipe,
2744 CONST_DISCARD(struct GUID *,
2745 &(abstract_syntax->uuid)),
2752 if (!NT_STATUS_IS_OK(status)) {
2756 if (num_towers != 1) {
2757 status = NT_STATUS_UNSUCCESSFUL;
2761 /* extract the port from the answer */
2763 status = dcerpc_binding_from_tower(tmp_ctx,
2764 &(towers.twr->tower),
2766 if (!NT_STATUS_IS_OK(status)) {
2770 /* are further checks here necessary? */
2771 if (res_binding->transport != NCACN_IP_TCP) {
2772 status = NT_STATUS_UNSUCCESSFUL;
2776 *pport = (uint16_t)atoi(res_binding->endpoint);
2779 TALLOC_FREE(tmp_ctx);
2784 * Create a rpc pipe client struct, connecting to a host via tcp.
2785 * The port is determined by asking the endpoint mapper on the given
2788 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
2789 const struct ndr_syntax_id *abstract_syntax,
2790 struct rpc_pipe_client **presult)
2797 status = rpc_pipe_get_tcp_port(host, abstract_syntax, &port);
2798 if (!NT_STATUS_IS_OK(status)) {
2802 status = rpc_pipe_open_tcp_port(mem_ctx, host, port,
2803 abstract_syntax, presult);
2809 /********************************************************************
2810 Create a rpc pipe client struct, connecting to a unix domain socket
2811 ********************************************************************/
2812 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
2813 const struct ndr_syntax_id *abstract_syntax,
2814 struct rpc_pipe_client **presult)
2816 struct rpc_pipe_client *result;
2817 struct sockaddr_un addr;
2820 result = talloc(mem_ctx, struct rpc_pipe_client);
2821 if (result == NULL) {
2822 return NT_STATUS_NO_MEMORY;
2825 result->transport_type = NCACN_UNIX_STREAM;
2827 result->abstract_syntax = abstract_syntax;
2828 result->transfer_syntax = &ndr_transfer_syntax;
2830 result->desthost = get_myname(result);
2831 result->srv_name_slash = talloc_asprintf_strupper_m(
2832 result, "\\\\%s", result->desthost);
2833 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2834 status = NT_STATUS_NO_MEMORY;
2838 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2839 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2841 result->trans.sock.fd = socket(AF_UNIX, SOCK_STREAM, 0);
2842 if (result->trans.sock.fd == -1) {
2843 status = map_nt_error_from_unix(errno);
2847 talloc_set_destructor(result, rpc_pipe_sock_destructor);
2849 result->dc = TALLOC_ZERO_P(result, struct dcinfo);
2850 if (result->dc == NULL) {
2851 status = NT_STATUS_NO_MEMORY;
2856 addr.sun_family = AF_UNIX;
2857 strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path));
2859 if (sys_connect(result->trans.sock.fd,
2860 (struct sockaddr *)&addr) == -1) {
2861 DEBUG(0, ("connect(%s) failed: %s\n", socket_path,
2863 close(result->trans.sock.fd);
2864 return map_nt_error_from_unix(errno);
2868 return NT_STATUS_OK;
2871 TALLOC_FREE(result);
2876 /****************************************************************************
2877 Open a named pipe over SMB to a remote server.
2879 * CAVEAT CALLER OF THIS FUNCTION:
2880 * The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
2881 * so be sure that this function is called AFTER any structure (vs pointer)
2882 * assignment of the cli. In particular, libsmbclient does structure
2883 * assignments of cli, which invalidates the data in the returned
2884 * rpc_pipe_client if this function is called before the structure assignment
2887 ****************************************************************************/
2889 static struct rpc_pipe_client *rpc_pipe_open_np(struct cli_state *cli, int pipe_idx, NTSTATUS *perr)
2891 struct rpc_pipe_client *result;
2894 *perr = NT_STATUS_NO_MEMORY;
2896 /* sanity check to protect against crashes */
2899 *perr = NT_STATUS_INVALID_HANDLE;
2903 /* The pipe name index must fall within our array */
2904 SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
2906 result = TALLOC_ZERO_P(NULL, struct rpc_pipe_client);
2907 if (result == NULL) {
2908 *perr = NT_STATUS_NO_MEMORY;
2912 result->transport_type = NCACN_NP;
2914 result->trans.np.pipe_name = cli_get_pipe_name(pipe_idx);
2916 result->trans.np.cli = cli;
2917 result->abstract_syntax = pipe_names[pipe_idx].abstr_syntax;
2918 result->transfer_syntax = &ndr_transfer_syntax;
2919 result->desthost = talloc_strdup(result, cli->desthost);
2920 result->srv_name_slash = talloc_asprintf_strupper_m(
2921 result, "\\\\%s", result->desthost);
2923 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2924 *perr = NT_STATUS_NO_MEMORY;
2925 TALLOC_FREE(result);
2929 if (pipe_idx == PI_NETLOGON) {
2930 /* Set up a netlogon credential chain for a netlogon pipe. */
2931 result->dc = TALLOC_ZERO_P(result, struct dcinfo);
2932 if (result->dc == NULL) {
2933 *perr = NT_STATUS_NO_MEMORY;
2934 TALLOC_FREE(result);
2939 fnum = cli_nt_create(cli, result->trans.np.pipe_name,
2940 DESIRED_ACCESS_PIPE);
2942 DEBUG(1,("rpc_pipe_open_np: cli_nt_create failed on pipe %s "
2943 "to machine %s. Error was %s\n",
2944 result->trans.np.pipe_name, cli->desthost,
2946 *perr = cli_get_nt_error(cli);
2947 talloc_destroy(result);
2951 result->trans.np.fnum = fnum;
2953 DLIST_ADD(cli->pipe_list, result);
2954 talloc_set_destructor(result, rpc_pipe_destructor);
2956 *perr = NT_STATUS_OK;
2961 /****************************************************************************
2962 Open a pipe to a remote server.
2963 ****************************************************************************/
2965 static struct rpc_pipe_client *cli_rpc_pipe_open(struct cli_state *cli,
2969 struct rpc_pipe_client *result = NULL;
2971 *perr = NT_STATUS_PIPE_NOT_AVAILABLE;
2975 *perr = rpc_pipe_open_tcp(NULL, cli->desthost,
2976 &ndr_table_drsuapi.syntax_id,
2978 if (!NT_STATUS_IS_OK(*perr)) {
2983 result = rpc_pipe_open_np(cli, pipe_idx, perr);
2984 if (result == NULL) {
2990 *perr = NT_STATUS_OK;
2995 /****************************************************************************
2996 Open a named pipe to an SMB server and bind anonymously.
2997 ****************************************************************************/
2999 struct rpc_pipe_client *cli_rpc_pipe_open_noauth(struct cli_state *cli, int pipe_idx, NTSTATUS *perr)
3001 struct rpc_pipe_client *result;
3002 struct cli_pipe_auth_data *auth;
3004 result = cli_rpc_pipe_open(cli, pipe_idx, perr);
3005 if (result == NULL) {
3009 *perr = rpccli_anon_bind_data(result, &auth);
3010 if (!NT_STATUS_IS_OK(*perr)) {
3011 DEBUG(0, ("rpccli_anon_bind_data returned %s\n",
3013 TALLOC_FREE(result);
3018 * This is a bit of an abstraction violation due to the fact that an
3019 * anonymous bind on an authenticated SMB inherits the user/domain
3020 * from the enclosing SMB creds
3023 TALLOC_FREE(auth->user_name);
3024 TALLOC_FREE(auth->domain);
3026 auth->user_name = talloc_strdup(auth, cli->user_name);
3027 auth->domain = talloc_strdup(auth, cli->domain);
3029 if ((auth->user_name == NULL) || (auth->domain == NULL)) {
3030 *perr = NT_STATUS_NO_MEMORY;
3031 TALLOC_FREE(result);
3035 *perr = rpc_pipe_bind(result, auth);
3036 if (!NT_STATUS_IS_OK(*perr)) {
3038 if (rpccli_is_pipe_idx(result, PI_DSSETUP)) {
3039 /* non AD domains just don't have this pipe, avoid
3040 * level 0 statement in that case - gd */
3043 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe %s failed with error %s\n",
3044 cli_get_pipe_name(pipe_idx), nt_errstr(*perr) ));
3045 TALLOC_FREE(result);
3049 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
3050 "%s and bound anonymously.\n", result->trans.np.pipe_name,
3056 /****************************************************************************
3057 Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP
3058 ****************************************************************************/
3060 static struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
3062 enum pipe_auth_type auth_type,
3063 enum pipe_auth_level auth_level,
3065 const char *username,
3066 const char *password,
3069 struct rpc_pipe_client *result;
3070 struct cli_pipe_auth_data *auth;
3072 result = cli_rpc_pipe_open(cli, pipe_idx, perr);
3073 if (result == NULL) {
3077 *perr = rpccli_ntlmssp_bind_data(
3078 result, auth_type, auth_level, domain, username,
3079 cli->pwd.null_pwd ? NULL : password, &auth);
3080 if (!NT_STATUS_IS_OK(*perr)) {
3081 DEBUG(0, ("rpccli_ntlmssp_bind_data returned %s\n",
3083 TALLOC_FREE(result);
3087 *perr = rpc_pipe_bind(result, auth);
3088 if (!NT_STATUS_IS_OK(*perr)) {
3089 DEBUG(0, ("cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error %s\n",
3090 nt_errstr(*perr) ));
3094 DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to "
3095 "machine %s and bound NTLMSSP as user %s\\%s.\n",
3096 result->trans.np.pipe_name, cli->desthost,
3097 domain, username ));
3103 TALLOC_FREE(result);
3107 /****************************************************************************
3109 Open a named pipe to an SMB server and bind using NTLMSSP (bind type 10)
3110 ****************************************************************************/
3112 struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
3114 enum pipe_auth_level auth_level,
3116 const char *username,
3117 const char *password,
3120 return cli_rpc_pipe_open_ntlmssp_internal(cli,
3122 PIPE_AUTH_TYPE_NTLMSSP,
3130 /****************************************************************************
3132 Open a named pipe to an SMB server and bind using spnego NTLMSSP (bind type 9)
3133 ****************************************************************************/
3135 struct rpc_pipe_client *cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
3137 enum pipe_auth_level auth_level,
3139 const char *username,
3140 const char *password,
3143 return cli_rpc_pipe_open_ntlmssp_internal(cli,
3145 PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
3153 /****************************************************************************
3154 Get a the schannel session key out of an already opened netlogon pipe.
3155 ****************************************************************************/
3156 static bool get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
3157 struct cli_state *cli,
3162 uint32 sec_chan_type = 0;
3163 unsigned char machine_pwd[16];
3164 const char *machine_account;
3166 /* Get the machine account credentials from secrets.tdb. */
3167 if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
3170 DEBUG(0, ("get_schannel_session_key: could not fetch "
3171 "trust account password for domain '%s'\n",
3173 *perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3177 *perr = rpccli_netlogon_setup_creds(netlogon_pipe,
3178 cli->desthost, /* server name */
3179 domain, /* domain */
3180 global_myname(), /* client name */
3181 machine_account, /* machine account name */
3186 if (!NT_STATUS_IS_OK(*perr)) {
3187 DEBUG(3,("get_schannel_session_key_common: rpccli_netlogon_setup_creds "
3188 "failed with result %s to server %s, domain %s, machine account %s.\n",
3189 nt_errstr(*perr), cli->desthost, domain, machine_account ));
3193 if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
3194 DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
3196 *perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
3203 /****************************************************************************
3204 Open a netlogon pipe and get the schannel session key.
3205 Now exposed to external callers.
3206 ****************************************************************************/
3209 struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
3214 struct rpc_pipe_client *netlogon_pipe = NULL;
3216 netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
3217 if (!netlogon_pipe) {
3221 if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
3224 TALLOC_FREE(netlogon_pipe);
3228 return netlogon_pipe;
3231 /****************************************************************************
3233 Open a named pipe to an SMB server and bind using schannel (bind type 68)
3234 using session_key. sign and seal.
3235 ****************************************************************************/
3237 struct rpc_pipe_client *cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
3239 enum pipe_auth_level auth_level,
3241 const struct dcinfo *pdc,
3244 struct rpc_pipe_client *result;
3245 struct cli_pipe_auth_data *auth;
3247 result = cli_rpc_pipe_open(cli, pipe_idx, perr);
3248 if (result == NULL) {
3252 *perr = rpccli_schannel_bind_data(result, domain, auth_level,
3253 pdc->sess_key, &auth);
3254 if (!NT_STATUS_IS_OK(*perr)) {
3255 DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
3257 TALLOC_FREE(result);
3261 *perr = rpc_pipe_bind(result, auth);
3262 if (!NT_STATUS_IS_OK(*perr)) {
3263 DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed with error %s\n",
3264 nt_errstr(*perr) ));
3265 TALLOC_FREE(result);
3269 /* The credentials on a new netlogon pipe are the ones we are passed in - copy them over. */
3274 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
3276 "and bound using schannel.\n",
3277 result->trans.np.pipe_name, cli->desthost, domain ));
3282 /****************************************************************************
3283 Open a named pipe to an SMB server and bind using schannel (bind type 68).
3284 Fetch the session key ourselves using a temporary netlogon pipe. This
3285 version uses an ntlmssp auth bound netlogon pipe to get the key.
3286 ****************************************************************************/
3288 static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
3290 const char *username,
3291 const char *password,
3295 struct rpc_pipe_client *netlogon_pipe = NULL;
3297 netlogon_pipe = cli_rpc_pipe_open_spnego_ntlmssp(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, perr);
3298 if (!netlogon_pipe) {
3302 if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
3305 TALLOC_FREE(netlogon_pipe);
3309 return netlogon_pipe;
3312 /****************************************************************************
3313 Open a named pipe to an SMB server and bind using schannel (bind type 68).
3314 Fetch the session key ourselves using a temporary netlogon pipe. This version
3315 uses an ntlmssp bind to get the session key.
3316 ****************************************************************************/
3318 struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
3320 enum pipe_auth_level auth_level,
3322 const char *username,
3323 const char *password,
3326 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
3327 struct rpc_pipe_client *netlogon_pipe = NULL;
3328 struct rpc_pipe_client *result = NULL;
3330 netlogon_pipe = get_schannel_session_key_auth_ntlmssp(cli, domain, username,
3331 password, &neg_flags, perr);
3332 if (!netlogon_pipe) {
3333 DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
3334 "key from server %s for domain %s.\n",
3335 cli->desthost, domain ));
3339 result = cli_rpc_pipe_open_schannel_with_key(cli, pipe_idx,
3341 domain, netlogon_pipe->dc, perr);
3343 /* Now we've bound using the session key we can close the netlog pipe. */
3344 TALLOC_FREE(netlogon_pipe);
3349 /****************************************************************************
3350 Open a named pipe to an SMB server and bind using schannel (bind type 68).
3351 Fetch the session key ourselves using a temporary netlogon pipe.
3352 ****************************************************************************/
3354 struct rpc_pipe_client *cli_rpc_pipe_open_schannel(struct cli_state *cli,
3356 enum pipe_auth_level auth_level,
3360 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
3361 struct rpc_pipe_client *netlogon_pipe = NULL;
3362 struct rpc_pipe_client *result = NULL;
3364 netlogon_pipe = get_schannel_session_key(cli, domain, &neg_flags, perr);
3365 if (!netlogon_pipe) {
3366 DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
3367 "key from server %s for domain %s.\n",
3368 cli->desthost, domain ));
3372 result = cli_rpc_pipe_open_schannel_with_key(cli, pipe_idx,
3374 domain, netlogon_pipe->dc, perr);
3376 /* Now we've bound using the session key we can close the netlog pipe. */
3377 TALLOC_FREE(netlogon_pipe);
3382 /****************************************************************************
3383 Open a named pipe to an SMB server and bind using krb5 (bind type 16).
3384 The idea is this can be called with service_princ, username and password all
3385 NULL so long as the caller has a TGT.
3386 ****************************************************************************/
3388 struct rpc_pipe_client *cli_rpc_pipe_open_krb5(struct cli_state *cli,
3390 enum pipe_auth_level auth_level,
3391 const char *service_princ,
3392 const char *username,
3393 const char *password,
3397 struct rpc_pipe_client *result;
3398 struct cli_pipe_auth_data *auth;
3400 result = cli_rpc_pipe_open(cli, pipe_idx, perr);
3401 if (result == NULL) {
3405 *perr = rpccli_kerberos_bind_data(result, auth_level, service_princ,
3406 username, password, &auth);
3407 if (!NT_STATUS_IS_OK(*perr)) {
3408 DEBUG(0, ("rpccli_kerberos_bind_data returned %s\n",
3410 TALLOC_FREE(result);
3414 *perr = rpc_pipe_bind(result, auth);
3415 if (!NT_STATUS_IS_OK(*perr)) {
3416 DEBUG(0, ("cli_rpc_pipe_open_krb5: cli_rpc_pipe_bind failed with error %s\n",
3417 nt_errstr(*perr) ));
3418 TALLOC_FREE(result);
3424 DEBUG(0,("cli_rpc_pipe_open_krb5: kerberos not found at compile time.\n"));
3429 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
3430 struct rpc_pipe_client *cli,
3431 DATA_BLOB *session_key)
3433 if (!session_key || !cli) {
3434 return NT_STATUS_INVALID_PARAMETER;
3438 return NT_STATUS_INVALID_PARAMETER;
3441 switch (cli->auth->auth_type) {
3442 case PIPE_AUTH_TYPE_SCHANNEL:
3443 *session_key = data_blob_talloc(mem_ctx,
3444 cli->auth->a_u.schannel_auth->sess_key, 16);
3446 case PIPE_AUTH_TYPE_NTLMSSP:
3447 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
3448 *session_key = data_blob_talloc(mem_ctx,
3449 cli->auth->a_u.ntlmssp_state->session_key.data,
3450 cli->auth->a_u.ntlmssp_state->session_key.length);
3452 case PIPE_AUTH_TYPE_KRB5:
3453 case PIPE_AUTH_TYPE_SPNEGO_KRB5:
3454 *session_key = data_blob_talloc(mem_ctx,
3455 cli->auth->a_u.kerberos_auth->session_key.data,
3456 cli->auth->a_u.kerberos_auth->session_key.length);
3458 case PIPE_AUTH_TYPE_NONE:
3460 return NT_STATUS_NO_USER_SESSION_KEY;
3463 return NT_STATUS_OK;