2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Largely rewritten by Jeremy Allison 2005.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "librpc/gen_ndr/cli_epmapper.h"
22 #include "../librpc/gen_ndr/ndr_schannel.h"
23 #include "../librpc/gen_ndr/ndr_dssetup.h"
24 #include "../librpc/gen_ndr/ndr_netlogon.h"
25 #include "../libcli/auth/schannel.h"
26 #include "../libcli/auth/spnego.h"
28 #include "../libcli/auth/ntlmssp.h"
29 #include "ntlmssp_wrap.h"
30 #include "rpc_client/cli_netlogon.h"
31 #include "librpc/gen_ndr/ndr_dcerpc.h"
32 #include "librpc/rpc/dcerpc.h"
33 #include "librpc/rpc/dcerpc_gssapi.h"
34 #include "librpc/rpc/dcerpc_spnego.h"
37 #define DBGC_CLASS DBGC_RPC_CLI
39 /********************************************************************
40 Pipe description for a DEBUG
41 ********************************************************************/
42 static const char *rpccli_pipe_txt(TALLOC_CTX *mem_ctx,
43 struct rpc_pipe_client *cli)
45 char *result = talloc_asprintf(mem_ctx, "host %s", cli->desthost);
52 /********************************************************************
54 ********************************************************************/
56 static uint32 get_rpc_call_id(void)
58 static uint32 call_id = 0;
62 /*******************************************************************
63 Use SMBreadX to get rest of one fragment's worth of rpc data.
64 Reads the whole size or give an error message
65 ********************************************************************/
67 struct rpc_read_state {
68 struct event_context *ev;
69 struct rpc_cli_transport *transport;
75 static void rpc_read_done(struct tevent_req *subreq);
77 static struct tevent_req *rpc_read_send(TALLOC_CTX *mem_ctx,
78 struct event_context *ev,
79 struct rpc_cli_transport *transport,
80 uint8_t *data, size_t size)
82 struct tevent_req *req, *subreq;
83 struct rpc_read_state *state;
85 req = tevent_req_create(mem_ctx, &state, struct rpc_read_state);
90 state->transport = transport;
95 DEBUG(5, ("rpc_read_send: data_to_read: %u\n", (unsigned int)size));
97 subreq = transport->read_send(state, ev, (uint8_t *)data, size,
102 tevent_req_set_callback(subreq, rpc_read_done, req);
110 static void rpc_read_done(struct tevent_req *subreq)
112 struct tevent_req *req = tevent_req_callback_data(
113 subreq, struct tevent_req);
114 struct rpc_read_state *state = tevent_req_data(
115 req, struct rpc_read_state);
119 status = state->transport->read_recv(subreq, &received);
121 if (!NT_STATUS_IS_OK(status)) {
122 tevent_req_nterror(req, status);
126 state->num_read += received;
127 if (state->num_read == state->size) {
128 tevent_req_done(req);
132 subreq = state->transport->read_send(state, state->ev,
133 state->data + state->num_read,
134 state->size - state->num_read,
135 state->transport->priv);
136 if (tevent_req_nomem(subreq, req)) {
139 tevent_req_set_callback(subreq, rpc_read_done, req);
142 static NTSTATUS rpc_read_recv(struct tevent_req *req)
144 return tevent_req_simple_recv_ntstatus(req);
147 struct rpc_write_state {
148 struct event_context *ev;
149 struct rpc_cli_transport *transport;
155 static void rpc_write_done(struct tevent_req *subreq);
157 static struct tevent_req *rpc_write_send(TALLOC_CTX *mem_ctx,
158 struct event_context *ev,
159 struct rpc_cli_transport *transport,
160 const uint8_t *data, size_t size)
162 struct tevent_req *req, *subreq;
163 struct rpc_write_state *state;
165 req = tevent_req_create(mem_ctx, &state, struct rpc_write_state);
170 state->transport = transport;
173 state->num_written = 0;
175 DEBUG(5, ("rpc_write_send: data_to_write: %u\n", (unsigned int)size));
177 subreq = transport->write_send(state, ev, data, size, transport->priv);
178 if (subreq == NULL) {
181 tevent_req_set_callback(subreq, rpc_write_done, req);
188 static void rpc_write_done(struct tevent_req *subreq)
190 struct tevent_req *req = tevent_req_callback_data(
191 subreq, struct tevent_req);
192 struct rpc_write_state *state = tevent_req_data(
193 req, struct rpc_write_state);
197 status = state->transport->write_recv(subreq, &written);
199 if (!NT_STATUS_IS_OK(status)) {
200 tevent_req_nterror(req, status);
204 state->num_written += written;
206 if (state->num_written == state->size) {
207 tevent_req_done(req);
211 subreq = state->transport->write_send(state, state->ev,
212 state->data + state->num_written,
213 state->size - state->num_written,
214 state->transport->priv);
215 if (tevent_req_nomem(subreq, req)) {
218 tevent_req_set_callback(subreq, rpc_write_done, req);
221 static NTSTATUS rpc_write_recv(struct tevent_req *req)
223 return tevent_req_simple_recv_ntstatus(req);
227 /****************************************************************************
228 Try and get a PDU's worth of data from current_pdu. If not, then read more
230 ****************************************************************************/
232 struct get_complete_frag_state {
233 struct event_context *ev;
234 struct rpc_pipe_client *cli;
239 static void get_complete_frag_got_header(struct tevent_req *subreq);
240 static void get_complete_frag_got_rest(struct tevent_req *subreq);
242 static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
243 struct event_context *ev,
244 struct rpc_pipe_client *cli,
247 struct tevent_req *req, *subreq;
248 struct get_complete_frag_state *state;
252 req = tevent_req_create(mem_ctx, &state,
253 struct get_complete_frag_state);
259 state->frag_len = RPC_HEADER_LEN;
262 received = pdu->length;
263 if (received < RPC_HEADER_LEN) {
264 if (!data_blob_realloc(mem_ctx, pdu, RPC_HEADER_LEN)) {
265 status = NT_STATUS_NO_MEMORY;
268 subreq = rpc_read_send(state, state->ev,
269 state->cli->transport,
270 pdu->data + received,
271 RPC_HEADER_LEN - received);
272 if (subreq == NULL) {
273 status = NT_STATUS_NO_MEMORY;
276 tevent_req_set_callback(subreq, get_complete_frag_got_header,
281 state->frag_len = dcerpc_get_frag_length(pdu);
284 * Ensure we have frag_len bytes of data.
286 if (received < state->frag_len) {
287 if (!data_blob_realloc(NULL, pdu, state->frag_len)) {
288 status = NT_STATUS_NO_MEMORY;
291 subreq = rpc_read_send(state, state->ev,
292 state->cli->transport,
293 pdu->data + received,
294 state->frag_len - received);
295 if (subreq == NULL) {
296 status = NT_STATUS_NO_MEMORY;
299 tevent_req_set_callback(subreq, get_complete_frag_got_rest,
304 status = NT_STATUS_OK;
306 if (NT_STATUS_IS_OK(status)) {
307 tevent_req_done(req);
309 tevent_req_nterror(req, status);
311 return tevent_req_post(req, ev);
314 static void get_complete_frag_got_header(struct tevent_req *subreq)
316 struct tevent_req *req = tevent_req_callback_data(
317 subreq, struct tevent_req);
318 struct get_complete_frag_state *state = tevent_req_data(
319 req, struct get_complete_frag_state);
322 status = rpc_read_recv(subreq);
324 if (!NT_STATUS_IS_OK(status)) {
325 tevent_req_nterror(req, status);
329 state->frag_len = dcerpc_get_frag_length(state->pdu);
331 if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
332 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
337 * We're here in this piece of code because we've read exactly
338 * RPC_HEADER_LEN bytes into state->pdu.
341 subreq = rpc_read_send(state, state->ev, state->cli->transport,
342 state->pdu->data + RPC_HEADER_LEN,
343 state->frag_len - RPC_HEADER_LEN);
344 if (tevent_req_nomem(subreq, req)) {
347 tevent_req_set_callback(subreq, get_complete_frag_got_rest, req);
350 static void get_complete_frag_got_rest(struct tevent_req *subreq)
352 struct tevent_req *req = tevent_req_callback_data(
353 subreq, struct tevent_req);
356 status = rpc_read_recv(subreq);
358 if (!NT_STATUS_IS_OK(status)) {
359 tevent_req_nterror(req, status);
362 tevent_req_done(req);
365 static NTSTATUS get_complete_frag_recv(struct tevent_req *req)
367 return tevent_req_simple_recv_ntstatus(req);
370 /****************************************************************************
371 Do basic authentication checks on an incoming pdu.
372 ****************************************************************************/
374 static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
375 struct rpc_pipe_client *cli,
376 struct ncacn_packet *pkt,
378 uint8_t expected_pkt_type,
380 DATA_BLOB *reply_pdu)
382 NTSTATUS ret = NT_STATUS_OK;
385 ret = dcerpc_pull_ncacn_packet(cli, pdu, pkt, false);
386 if (!NT_STATUS_IS_OK(ret)) {
390 if (pdu->length != pkt->frag_length) {
391 DEBUG(5, ("Incorrect pdu length %u, expected %u\n",
392 (unsigned int)pdu->length,
393 (unsigned int)pkt->frag_length));
394 return NT_STATUS_INVALID_PARAMETER;
398 * Point the return values at the real data including the RPC
399 * header. Just in case the caller wants it.
403 /* Ensure we have the correct type. */
404 switch (pkt->ptype) {
405 case DCERPC_PKT_ALTER_RESP:
406 case DCERPC_PKT_BIND_ACK:
408 /* Alter context and bind ack share the same packet definitions. */
412 case DCERPC_PKT_RESPONSE:
414 /* Here's where we deal with incoming sign/seal. */
415 ret = dcerpc_check_auth(cli->auth, pkt,
416 &pkt->u.response.stub_and_verifier,
417 DCERPC_RESPONSE_LENGTH,
419 if (!NT_STATUS_IS_OK(ret)) {
423 if (pdu->length < DCERPC_RESPONSE_LENGTH + pad_len) {
424 return NT_STATUS_BUFFER_TOO_SMALL;
427 /* Point the return values at the NDR data. */
428 rdata->data = pdu->data + DCERPC_RESPONSE_LENGTH;
430 if (pkt->auth_length) {
431 /* We've already done integer wrap tests in
432 * dcerpc_check_auth(). */
433 rdata->length = pdu->length
434 - DCERPC_RESPONSE_LENGTH
436 - DCERPC_AUTH_TRAILER_LENGTH
439 rdata->length = pdu->length - DCERPC_RESPONSE_LENGTH;
442 DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
443 (long unsigned int)pdu->length,
444 (long unsigned int)rdata->length,
445 (unsigned int)pad_len));
448 * If this is the first reply, and the allocation hint is
449 * reasonable, try and set up the reply_pdu DATA_BLOB to the
453 if ((reply_pdu->length == 0) &&
454 pkt->u.response.alloc_hint &&
455 (pkt->u.response.alloc_hint < 15*1024*1024)) {
456 if (!data_blob_realloc(mem_ctx, reply_pdu,
457 pkt->u.response.alloc_hint)) {
458 DEBUG(0, ("reply alloc hint %d too "
459 "large to allocate\n",
460 (int)pkt->u.response.alloc_hint));
461 return NT_STATUS_NO_MEMORY;
467 case DCERPC_PKT_BIND_NAK:
468 DEBUG(1, ("cli_pipe_validate_current_pdu: Bind NACK "
469 "received from %s!\n",
470 rpccli_pipe_txt(talloc_tos(), cli)));
471 /* Use this for now... */
472 return NT_STATUS_NETWORK_ACCESS_DENIED;
474 case DCERPC_PKT_FAULT:
476 DEBUG(1, ("cli_pipe_validate_current_pdu: RPC fault "
477 "code %s received from %s!\n",
478 dcerpc_errstr(talloc_tos(),
479 pkt->u.fault.status),
480 rpccli_pipe_txt(talloc_tos(), cli)));
482 if (NT_STATUS_IS_OK(NT_STATUS(pkt->u.fault.status))) {
483 return NT_STATUS_UNSUCCESSFUL;
485 return NT_STATUS(pkt->u.fault.status);
489 DEBUG(0, ("Unknown packet type %u received from %s!\n",
490 (unsigned int)pkt->ptype,
491 rpccli_pipe_txt(talloc_tos(), cli)));
492 return NT_STATUS_INVALID_INFO_CLASS;
495 if (pkt->ptype != expected_pkt_type) {
496 DEBUG(3, ("cli_pipe_validate_current_pdu: Connection to %s "
497 "got an unexpected RPC packet type - %u, not %u\n",
498 rpccli_pipe_txt(talloc_tos(), cli),
501 return NT_STATUS_INVALID_INFO_CLASS;
504 /* Do this just before return - we don't want to modify any rpc header
505 data before now as we may have needed to do cryptographic actions on
508 if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
509 !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
510 DEBUG(5,("cli_pipe_validate_current_pdu: bug in server (AS/U?), "
511 "setting fragment first/last ON.\n"));
512 pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST |
513 DCERPC_PFC_FLAG_LAST;
519 /****************************************************************************
520 Call a remote api on an arbitrary pipe. takes param, data and setup buffers.
521 ****************************************************************************/
523 struct cli_api_pipe_state {
524 struct event_context *ev;
525 struct rpc_cli_transport *transport;
530 static void cli_api_pipe_trans_done(struct tevent_req *subreq);
531 static void cli_api_pipe_write_done(struct tevent_req *subreq);
532 static void cli_api_pipe_read_done(struct tevent_req *subreq);
534 static struct tevent_req *cli_api_pipe_send(TALLOC_CTX *mem_ctx,
535 struct event_context *ev,
536 struct rpc_cli_transport *transport,
537 uint8_t *data, size_t data_len,
538 uint32_t max_rdata_len)
540 struct tevent_req *req, *subreq;
541 struct cli_api_pipe_state *state;
544 req = tevent_req_create(mem_ctx, &state, struct cli_api_pipe_state);
549 state->transport = transport;
551 if (max_rdata_len < RPC_HEADER_LEN) {
553 * For a RPC reply we always need at least RPC_HEADER_LEN
554 * bytes. We check this here because we will receive
555 * RPC_HEADER_LEN bytes in cli_trans_sock_send_done.
557 status = NT_STATUS_INVALID_PARAMETER;
561 if (transport->trans_send != NULL) {
562 subreq = transport->trans_send(state, ev, data, data_len,
563 max_rdata_len, transport->priv);
564 if (subreq == NULL) {
567 tevent_req_set_callback(subreq, cli_api_pipe_trans_done, req);
572 * If the transport does not provide a "trans" routine, i.e. for
573 * example the ncacn_ip_tcp transport, do the write/read step here.
576 subreq = rpc_write_send(state, ev, transport, data, data_len);
577 if (subreq == NULL) {
580 tevent_req_set_callback(subreq, cli_api_pipe_write_done, req);
584 tevent_req_nterror(req, status);
585 return tevent_req_post(req, ev);
591 static void cli_api_pipe_trans_done(struct tevent_req *subreq)
593 struct tevent_req *req = tevent_req_callback_data(
594 subreq, struct tevent_req);
595 struct cli_api_pipe_state *state = tevent_req_data(
596 req, struct cli_api_pipe_state);
599 status = state->transport->trans_recv(subreq, state, &state->rdata,
602 if (!NT_STATUS_IS_OK(status)) {
603 tevent_req_nterror(req, status);
606 tevent_req_done(req);
609 static void cli_api_pipe_write_done(struct tevent_req *subreq)
611 struct tevent_req *req = tevent_req_callback_data(
612 subreq, struct tevent_req);
613 struct cli_api_pipe_state *state = tevent_req_data(
614 req, struct cli_api_pipe_state);
617 status = rpc_write_recv(subreq);
619 if (!NT_STATUS_IS_OK(status)) {
620 tevent_req_nterror(req, status);
624 state->rdata = TALLOC_ARRAY(state, uint8_t, RPC_HEADER_LEN);
625 if (tevent_req_nomem(state->rdata, req)) {
630 * We don't need to use rpc_read_send here, the upper layer will cope
631 * with a short read, transport->trans_send could also return less
632 * than state->max_rdata_len.
634 subreq = state->transport->read_send(state, state->ev, state->rdata,
636 state->transport->priv);
637 if (tevent_req_nomem(subreq, req)) {
640 tevent_req_set_callback(subreq, cli_api_pipe_read_done, req);
643 static void cli_api_pipe_read_done(struct tevent_req *subreq)
645 struct tevent_req *req = tevent_req_callback_data(
646 subreq, struct tevent_req);
647 struct cli_api_pipe_state *state = tevent_req_data(
648 req, struct cli_api_pipe_state);
652 status = state->transport->read_recv(subreq, &received);
654 if (!NT_STATUS_IS_OK(status)) {
655 tevent_req_nterror(req, status);
658 state->rdata_len = received;
659 tevent_req_done(req);
662 static NTSTATUS cli_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
663 uint8_t **prdata, uint32_t *prdata_len)
665 struct cli_api_pipe_state *state = tevent_req_data(
666 req, struct cli_api_pipe_state);
669 if (tevent_req_is_nterror(req, &status)) {
673 *prdata = talloc_move(mem_ctx, &state->rdata);
674 *prdata_len = state->rdata_len;
678 /****************************************************************************
679 Send data on an rpc pipe via trans. The data must be the last
680 pdu fragment of an NDR data stream.
682 Receive response data from an rpc pipe, which may be large...
684 Read the first fragment: unfortunately have to use SMBtrans for the first
685 bit, then SMBreadX for subsequent bits.
687 If first fragment received also wasn't the last fragment, continue
688 getting fragments until we _do_ receive the last fragment.
690 Request/Response PDU's look like the following...
692 |<------------------PDU len----------------------------------------------->|
693 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
695 +------------+-----------------+-------------+---------------+-------------+
696 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
697 +------------+-----------------+-------------+---------------+-------------+
699 Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
700 signing & sealing being negotiated.
702 ****************************************************************************/
704 struct rpc_api_pipe_state {
705 struct event_context *ev;
706 struct rpc_pipe_client *cli;
707 uint8_t expected_pkt_type;
709 DATA_BLOB incoming_frag;
710 struct ncacn_packet *pkt;
714 size_t reply_pdu_offset;
718 static void rpc_api_pipe_trans_done(struct tevent_req *subreq);
719 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq);
721 static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,
722 struct event_context *ev,
723 struct rpc_pipe_client *cli,
724 DATA_BLOB *data, /* Outgoing PDU */
725 uint8_t expected_pkt_type)
727 struct tevent_req *req, *subreq;
728 struct rpc_api_pipe_state *state;
729 uint16_t max_recv_frag;
732 req = tevent_req_create(mem_ctx, &state, struct rpc_api_pipe_state);
738 state->expected_pkt_type = expected_pkt_type;
739 state->incoming_frag = data_blob_null;
740 state->reply_pdu = data_blob_null;
741 state->reply_pdu_offset = 0;
742 state->endianess = DCERPC_DREP_LE;
745 * Ensure we're not sending too much.
747 if (data->length > cli->max_xmit_frag) {
748 status = NT_STATUS_INVALID_PARAMETER;
752 DEBUG(5,("rpc_api_pipe: %s\n", rpccli_pipe_txt(talloc_tos(), cli)));
754 /* get the header first, then fetch the rest once we have
755 * the frag_length available */
756 max_recv_frag = RPC_HEADER_LEN;
758 subreq = cli_api_pipe_send(state, ev, cli->transport,
759 data->data, data->length, max_recv_frag);
760 if (subreq == NULL) {
763 tevent_req_set_callback(subreq, rpc_api_pipe_trans_done, req);
767 tevent_req_nterror(req, status);
768 return tevent_req_post(req, ev);
774 static void rpc_api_pipe_trans_done(struct tevent_req *subreq)
776 struct tevent_req *req = tevent_req_callback_data(
777 subreq, struct tevent_req);
778 struct rpc_api_pipe_state *state = tevent_req_data(
779 req, struct rpc_api_pipe_state);
781 uint8_t *rdata = NULL;
782 uint32_t rdata_len = 0;
784 status = cli_api_pipe_recv(subreq, state, &rdata, &rdata_len);
786 if (!NT_STATUS_IS_OK(status)) {
787 DEBUG(5, ("cli_api_pipe failed: %s\n", nt_errstr(status)));
788 tevent_req_nterror(req, status);
793 DEBUG(3,("rpc_api_pipe: %s failed to return data.\n",
794 rpccli_pipe_txt(talloc_tos(), state->cli)));
795 tevent_req_done(req);
800 * Move data on state->incoming_frag.
802 state->incoming_frag.data = talloc_move(state, &rdata);
803 state->incoming_frag.length = rdata_len;
804 if (!state->incoming_frag.data) {
805 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
809 /* Ensure we have enough data for a pdu. */
810 subreq = get_complete_frag_send(state, state->ev, state->cli,
811 &state->incoming_frag);
812 if (tevent_req_nomem(subreq, req)) {
815 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
818 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
820 struct tevent_req *req = tevent_req_callback_data(
821 subreq, struct tevent_req);
822 struct rpc_api_pipe_state *state = tevent_req_data(
823 req, struct rpc_api_pipe_state);
825 DATA_BLOB rdata = data_blob_null;
827 status = get_complete_frag_recv(subreq);
829 if (!NT_STATUS_IS_OK(status)) {
830 DEBUG(5, ("get_complete_frag failed: %s\n",
832 tevent_req_nterror(req, status);
836 state->pkt = talloc(state, struct ncacn_packet);
838 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
842 status = cli_pipe_validate_current_pdu(state,
843 state->cli, state->pkt,
844 &state->incoming_frag,
845 state->expected_pkt_type,
849 DEBUG(10,("rpc_api_pipe: got frag len of %u at offset %u: %s\n",
850 (unsigned)state->incoming_frag.length,
851 (unsigned)state->reply_pdu_offset,
854 if (!NT_STATUS_IS_OK(status)) {
855 tevent_req_nterror(req, status);
859 if ((state->pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST)
860 && (state->pkt->drep[0] != DCERPC_DREP_LE)) {
862 * Set the data type correctly for big-endian data on the
865 DEBUG(10,("rpc_api_pipe: On %s PDU data format is "
867 rpccli_pipe_txt(talloc_tos(), state->cli)));
868 state->endianess = 0x00; /* BIG ENDIAN */
871 * Check endianness on subsequent packets.
873 if (state->endianess != state->pkt->drep[0]) {
874 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to "
876 state->endianess?"little":"big",
877 state->pkt->drep[0]?"little":"big"));
878 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
882 /* Now copy the data portion out of the pdu into rbuf. */
883 if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
884 if (!data_blob_realloc(NULL, &state->reply_pdu,
885 state->reply_pdu_offset + rdata.length)) {
886 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
891 memcpy(state->reply_pdu.data + state->reply_pdu_offset,
892 rdata.data, rdata.length);
893 state->reply_pdu_offset += rdata.length;
895 /* reset state->incoming_frag, there is no need to free it,
896 * it will be reallocated to the right size the next time
898 state->incoming_frag.length = 0;
900 if (state->pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
901 /* make sure the pdu length is right now that we
902 * have all the data available (alloc hint may
903 * have allocated more than was actually used) */
904 state->reply_pdu.length = state->reply_pdu_offset;
905 DEBUG(10,("rpc_api_pipe: %s returned %u bytes.\n",
906 rpccli_pipe_txt(talloc_tos(), state->cli),
907 (unsigned)state->reply_pdu.length));
908 tevent_req_done(req);
912 subreq = get_complete_frag_send(state, state->ev, state->cli,
913 &state->incoming_frag);
914 if (tevent_req_nomem(subreq, req)) {
917 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
920 static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
921 struct ncacn_packet **pkt,
922 DATA_BLOB *reply_pdu)
924 struct rpc_api_pipe_state *state = tevent_req_data(
925 req, struct rpc_api_pipe_state);
928 if (tevent_req_is_nterror(req, &status)) {
932 /* return data to caller and assign it ownership of memory */
934 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
935 reply_pdu->length = state->reply_pdu.length;
936 state->reply_pdu.length = 0;
938 data_blob_free(&state->reply_pdu);
942 *pkt = talloc_steal(mem_ctx, state->pkt);
948 /*******************************************************************
949 Creates spnego auth bind.
950 ********************************************************************/
952 static NTSTATUS create_spnego_auth_bind_req(TALLOC_CTX *mem_ctx,
953 struct pipe_auth_data *auth,
954 DATA_BLOB *auth_token)
956 DATA_BLOB in_token = data_blob_null;
959 /* Negotiate the initial auth token */
960 status = spnego_get_client_auth_token(mem_ctx,
961 auth->a_u.spnego_state,
962 &in_token, auth_token);
963 if (!NT_STATUS_IS_OK(status)) {
967 DEBUG(5, ("Created GSS Authentication Token:\n"));
968 dump_data(5, auth_token->data, auth_token->length);
973 /*******************************************************************
974 Creates krb5 auth bind.
975 ********************************************************************/
977 static NTSTATUS create_gssapi_auth_bind_req(TALLOC_CTX *mem_ctx,
978 struct pipe_auth_data *auth,
979 DATA_BLOB *auth_token)
981 DATA_BLOB in_token = data_blob_null;
984 /* Negotiate the initial auth token */
985 status = gse_get_client_auth_token(mem_ctx,
986 auth->a_u.gssapi_state,
989 if (!NT_STATUS_IS_OK(status)) {
993 DEBUG(5, ("Created GSS Authentication Token:\n"));
994 dump_data(5, auth_token->data, auth_token->length);
999 /*******************************************************************
1000 Creates NTLMSSP auth bind.
1001 ********************************************************************/
1003 static NTSTATUS create_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1004 DATA_BLOB *auth_token)
1007 DATA_BLOB null_blob = data_blob_null;
1009 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
1010 status = auth_ntlmssp_update(cli->auth->a_u.auth_ntlmssp_state,
1011 null_blob, auth_token);
1013 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1014 data_blob_free(auth_token);
1018 DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1019 dump_data(5, auth_token->data, auth_token->length);
1021 return NT_STATUS_OK;
1024 /*******************************************************************
1025 Creates schannel auth bind.
1026 ********************************************************************/
1028 static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1029 DATA_BLOB *auth_token)
1032 struct NL_AUTH_MESSAGE r;
1034 /* Use lp_workgroup() if domain not specified */
1036 if (!cli->auth->domain || !cli->auth->domain[0]) {
1037 cli->auth->domain = talloc_strdup(cli, lp_workgroup());
1038 if (cli->auth->domain == NULL) {
1039 return NT_STATUS_NO_MEMORY;
1044 * Now marshall the data into the auth parse_struct.
1047 r.MessageType = NL_NEGOTIATE_REQUEST;
1048 r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
1049 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
1050 r.oem_netbios_domain.a = cli->auth->domain;
1051 r.oem_netbios_computer.a = global_myname();
1053 status = dcerpc_push_schannel_bind(cli, &r, auth_token);
1054 if (!NT_STATUS_IS_OK(status)) {
1058 return NT_STATUS_OK;
1061 /*******************************************************************
1062 Creates the internals of a DCE/RPC bind request or alter context PDU.
1063 ********************************************************************/
1065 static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
1066 enum dcerpc_pkt_type ptype,
1068 const struct ndr_syntax_id *abstract,
1069 const struct ndr_syntax_id *transfer,
1070 const DATA_BLOB *auth_info,
1073 uint16 auth_len = auth_info->length;
1075 union dcerpc_payload u;
1076 struct dcerpc_ctx_list ctx_list;
1079 auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
1082 ctx_list.context_id = 0;
1083 ctx_list.num_transfer_syntaxes = 1;
1084 ctx_list.abstract_syntax = *abstract;
1085 ctx_list.transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer);
1087 u.bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1088 u.bind.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1089 u.bind.assoc_group_id = 0x0;
1090 u.bind.num_contexts = 1;
1091 u.bind.ctx_list = &ctx_list;
1092 u.bind.auth_info = *auth_info;
1094 status = dcerpc_push_ncacn_packet(mem_ctx,
1096 DCERPC_PFC_FLAG_FIRST |
1097 DCERPC_PFC_FLAG_LAST,
1102 if (!NT_STATUS_IS_OK(status)) {
1103 DEBUG(0, ("Failed to marshall bind/alter ncacn_packet.\n"));
1107 return NT_STATUS_OK;
1110 /*******************************************************************
1111 Creates a DCE/RPC bind request.
1112 ********************************************************************/
1114 static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
1115 struct rpc_pipe_client *cli,
1116 struct pipe_auth_data *auth,
1118 const struct ndr_syntax_id *abstract,
1119 const struct ndr_syntax_id *transfer,
1122 DATA_BLOB auth_token = data_blob_null;
1123 DATA_BLOB auth_info = data_blob_null;
1124 NTSTATUS ret = NT_STATUS_OK;
1126 switch (auth->auth_type) {
1127 case DCERPC_AUTH_TYPE_SCHANNEL:
1128 ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
1129 if (!NT_STATUS_IS_OK(ret)) {
1134 case DCERPC_AUTH_TYPE_NTLMSSP:
1135 ret = create_ntlmssp_auth_rpc_bind_req(cli, &auth_token);
1136 if (!NT_STATUS_IS_OK(ret)) {
1141 case DCERPC_AUTH_TYPE_SPNEGO:
1142 ret = create_spnego_auth_bind_req(cli, auth, &auth_token);
1143 if (!NT_STATUS_IS_OK(ret)) {
1148 case DCERPC_AUTH_TYPE_KRB5:
1149 ret = create_gssapi_auth_bind_req(mem_ctx, auth, &auth_token);
1150 if (!NT_STATUS_IS_OK(ret)) {
1155 case DCERPC_AUTH_TYPE_NONE:
1159 /* "Can't" happen. */
1160 return NT_STATUS_INVALID_INFO_CLASS;
1163 if (auth_token.length != 0) {
1164 ret = dcerpc_push_dcerpc_auth(cli,
1167 0, /* auth_pad_length */
1168 1, /* auth_context_id */
1171 if (!NT_STATUS_IS_OK(ret)) {
1174 data_blob_free(&auth_token);
1177 ret = create_bind_or_alt_ctx_internal(mem_ctx,
1187 /*******************************************************************
1189 Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
1190 Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
1191 and deals with signing/sealing details.
1192 ********************************************************************/
1194 struct rpc_api_pipe_req_state {
1195 struct event_context *ev;
1196 struct rpc_pipe_client *cli;
1199 DATA_BLOB *req_data;
1200 uint32_t req_data_sent;
1202 DATA_BLOB reply_pdu;
1205 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
1206 static void rpc_api_pipe_req_done(struct tevent_req *subreq);
1207 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1208 bool *is_last_frag);
1210 struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
1211 struct event_context *ev,
1212 struct rpc_pipe_client *cli,
1214 DATA_BLOB *req_data)
1216 struct tevent_req *req, *subreq;
1217 struct rpc_api_pipe_req_state *state;
1221 req = tevent_req_create(mem_ctx, &state,
1222 struct rpc_api_pipe_req_state);
1228 state->op_num = op_num;
1229 state->req_data = req_data;
1230 state->req_data_sent = 0;
1231 state->call_id = get_rpc_call_id();
1232 state->reply_pdu = data_blob_null;
1233 state->rpc_out = data_blob_null;
1235 if (cli->max_xmit_frag < DCERPC_REQUEST_LENGTH
1236 + RPC_MAX_SIGN_SIZE) {
1237 /* Server is screwed up ! */
1238 status = NT_STATUS_INVALID_PARAMETER;
1242 status = prepare_next_frag(state, &is_last_frag);
1243 if (!NT_STATUS_IS_OK(status)) {
1248 subreq = rpc_api_pipe_send(state, ev, state->cli,
1250 DCERPC_PKT_RESPONSE);
1251 if (subreq == NULL) {
1254 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1256 subreq = rpc_write_send(state, ev, cli->transport,
1257 state->rpc_out.data,
1258 state->rpc_out.length);
1259 if (subreq == NULL) {
1262 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1268 tevent_req_nterror(req, status);
1269 return tevent_req_post(req, ev);
1275 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1278 size_t data_sent_thistime;
1285 union dcerpc_payload u;
1287 data_left = state->req_data->length - state->req_data_sent;
1289 status = dcerpc_guess_sizes(state->cli->auth,
1290 DCERPC_REQUEST_LENGTH, data_left,
1291 state->cli->max_xmit_frag,
1292 CLIENT_NDR_PADDING_SIZE,
1293 &data_sent_thistime,
1294 &frag_len, &auth_len, &pad_len);
1295 if (!NT_STATUS_IS_OK(status)) {
1299 if (state->req_data_sent == 0) {
1300 flags = DCERPC_PFC_FLAG_FIRST;
1303 if (data_sent_thistime == data_left) {
1304 flags |= DCERPC_PFC_FLAG_LAST;
1307 data_blob_free(&state->rpc_out);
1309 ZERO_STRUCT(u.request);
1311 u.request.alloc_hint = state->req_data->length;
1312 u.request.context_id = 0;
1313 u.request.opnum = state->op_num;
1315 status = dcerpc_push_ncacn_packet(state,
1322 if (!NT_STATUS_IS_OK(status)) {
1326 /* explicitly set frag_len here as dcerpc_push_ncacn_packet() can't
1327 * compute it right for requests because the auth trailer is missing
1329 dcerpc_set_frag_length(&state->rpc_out, frag_len);
1331 /* Copy in the data. */
1332 if (!data_blob_append(NULL, &state->rpc_out,
1333 state->req_data->data + state->req_data_sent,
1334 data_sent_thistime)) {
1335 return NT_STATUS_NO_MEMORY;
1338 switch (state->cli->auth->auth_level) {
1339 case DCERPC_AUTH_LEVEL_NONE:
1340 case DCERPC_AUTH_LEVEL_CONNECT:
1341 case DCERPC_AUTH_LEVEL_PACKET:
1343 case DCERPC_AUTH_LEVEL_INTEGRITY:
1344 case DCERPC_AUTH_LEVEL_PRIVACY:
1345 status = dcerpc_add_auth_footer(state->cli->auth, pad_len,
1347 if (!NT_STATUS_IS_OK(status)) {
1352 return NT_STATUS_INVALID_PARAMETER;
1355 state->req_data_sent += data_sent_thistime;
1356 *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
1361 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq)
1363 struct tevent_req *req = tevent_req_callback_data(
1364 subreq, struct tevent_req);
1365 struct rpc_api_pipe_req_state *state = tevent_req_data(
1366 req, struct rpc_api_pipe_req_state);
1370 status = rpc_write_recv(subreq);
1371 TALLOC_FREE(subreq);
1372 if (!NT_STATUS_IS_OK(status)) {
1373 tevent_req_nterror(req, status);
1377 status = prepare_next_frag(state, &is_last_frag);
1378 if (!NT_STATUS_IS_OK(status)) {
1379 tevent_req_nterror(req, status);
1384 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1386 DCERPC_PKT_RESPONSE);
1387 if (tevent_req_nomem(subreq, req)) {
1390 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1392 subreq = rpc_write_send(state, state->ev,
1393 state->cli->transport,
1394 state->rpc_out.data,
1395 state->rpc_out.length);
1396 if (tevent_req_nomem(subreq, req)) {
1399 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1404 static void rpc_api_pipe_req_done(struct tevent_req *subreq)
1406 struct tevent_req *req = tevent_req_callback_data(
1407 subreq, struct tevent_req);
1408 struct rpc_api_pipe_req_state *state = tevent_req_data(
1409 req, struct rpc_api_pipe_req_state);
1412 status = rpc_api_pipe_recv(subreq, state, NULL, &state->reply_pdu);
1413 TALLOC_FREE(subreq);
1414 if (!NT_STATUS_IS_OK(status)) {
1415 tevent_req_nterror(req, status);
1418 tevent_req_done(req);
1421 NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
1422 DATA_BLOB *reply_pdu)
1424 struct rpc_api_pipe_req_state *state = tevent_req_data(
1425 req, struct rpc_api_pipe_req_state);
1428 if (tevent_req_is_nterror(req, &status)) {
1430 * We always have to initialize to reply pdu, even if there is
1431 * none. The rpccli_* caller routines expect this.
1433 *reply_pdu = data_blob_null;
1437 /* return data to caller and assign it ownership of memory */
1438 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
1439 reply_pdu->length = state->reply_pdu.length;
1440 state->reply_pdu.length = 0;
1442 return NT_STATUS_OK;
1446 /****************************************************************************
1447 Set the handle state.
1448 ****************************************************************************/
1450 static bool rpc_pipe_set_hnd_state(struct rpc_pipe_client *cli,
1451 const char *pipe_name, uint16 device_state)
1453 bool state_set = False;
1455 uint16 setup[2]; /* only need 2 uint16 setup parameters */
1456 char *rparam = NULL;
1458 uint32 rparam_len, rdata_len;
1460 if (pipe_name == NULL)
1463 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
1464 cli->fnum, pipe_name, device_state));
1466 /* create parameters: device state */
1467 SSVAL(param, 0, device_state);
1469 /* create setup parameters. */
1471 setup[1] = cli->fnum; /* pipe file handle. got this from an SMBOpenX. */
1473 /* send the data on \PIPE\ */
1474 if (cli_api_pipe(cli->cli, "\\PIPE\\",
1475 setup, 2, 0, /* setup, length, max */
1476 param, 2, 0, /* param, length, max */
1477 NULL, 0, 1024, /* data, length, max */
1478 &rparam, &rparam_len, /* return param, length */
1479 &rdata, &rdata_len)) /* return data, length */
1481 DEBUG(5, ("Set Handle state: return OK\n"));
1492 /****************************************************************************
1493 Check the rpc bind acknowledge response.
1494 ****************************************************************************/
1496 static bool check_bind_response(const struct dcerpc_bind_ack *r,
1497 const struct ndr_syntax_id *transfer)
1499 struct dcerpc_ack_ctx ctx;
1501 if (r->secondary_address_size == 0) {
1502 DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
1505 if (r->num_results < 1 || !r->ctx_list) {
1509 ctx = r->ctx_list[0];
1511 /* check the transfer syntax */
1512 if ((ctx.syntax.if_version != transfer->if_version) ||
1513 (memcmp(&ctx.syntax.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1514 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1518 if (r->num_results != 0x1 || ctx.result != 0) {
1519 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1520 r->num_results, ctx.reason));
1523 DEBUG(5,("check_bind_response: accepted!\n"));
1527 /*******************************************************************
1528 Creates a DCE/RPC bind authentication response.
1529 This is the packet that is sent back to the server once we
1530 have received a BIND-ACK, to finish the third leg of
1531 the authentication handshake.
1532 ********************************************************************/
1534 static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
1535 struct rpc_pipe_client *cli,
1537 enum dcerpc_AuthType auth_type,
1538 enum dcerpc_AuthLevel auth_level,
1539 DATA_BLOB *pauth_blob,
1543 union dcerpc_payload u;
1547 status = dcerpc_push_dcerpc_auth(mem_ctx,
1550 0, /* auth_pad_length */
1551 1, /* auth_context_id */
1553 &u.auth3.auth_info);
1554 if (!NT_STATUS_IS_OK(status)) {
1558 status = dcerpc_push_ncacn_packet(mem_ctx,
1560 DCERPC_PFC_FLAG_FIRST |
1561 DCERPC_PFC_FLAG_LAST,
1566 data_blob_free(&u.auth3.auth_info);
1567 if (!NT_STATUS_IS_OK(status)) {
1568 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
1572 return NT_STATUS_OK;
1575 /*******************************************************************
1576 Creates a DCE/RPC bind alter context authentication request which
1577 may contain a spnego auth blobl
1578 ********************************************************************/
1580 static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
1581 enum dcerpc_AuthType auth_type,
1582 enum dcerpc_AuthLevel auth_level,
1584 const struct ndr_syntax_id *abstract,
1585 const struct ndr_syntax_id *transfer,
1586 const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
1589 DATA_BLOB auth_info;
1592 status = dcerpc_push_dcerpc_auth(mem_ctx,
1595 0, /* auth_pad_length */
1596 1, /* auth_context_id */
1599 if (!NT_STATUS_IS_OK(status)) {
1603 status = create_bind_or_alt_ctx_internal(mem_ctx,
1610 data_blob_free(&auth_info);
1614 /****************************************************************************
1616 ****************************************************************************/
1618 struct rpc_pipe_bind_state {
1619 struct event_context *ev;
1620 struct rpc_pipe_client *cli;
1622 uint32_t rpc_call_id;
1625 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
1626 static NTSTATUS rpc_finish_auth3_bind_send(struct tevent_req *req,
1627 struct rpc_pipe_bind_state *state,
1628 DATA_BLOB *credentials);
1629 static void rpc_bind_auth3_write_done(struct tevent_req *subreq);
1630 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1631 struct rpc_pipe_bind_state *state,
1632 DATA_BLOB *credentials);
1633 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1634 struct rpc_pipe_bind_state *state,
1635 DATA_BLOB *credentials);
1637 struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
1638 struct event_context *ev,
1639 struct rpc_pipe_client *cli,
1640 struct pipe_auth_data *auth)
1642 struct tevent_req *req, *subreq;
1643 struct rpc_pipe_bind_state *state;
1646 req = tevent_req_create(mem_ctx, &state, struct rpc_pipe_bind_state);
1651 DEBUG(5,("Bind RPC Pipe: %s auth_type %u(%u), auth_level %u\n",
1652 rpccli_pipe_txt(talloc_tos(), cli),
1653 (unsigned int)auth->auth_type,
1654 (unsigned int)auth->spnego_type,
1655 (unsigned int)auth->auth_level ));
1659 state->rpc_call_id = get_rpc_call_id();
1660 state->rpc_out = data_blob_null;
1662 cli->auth = talloc_move(cli, &auth);
1664 /* Marshall the outgoing data. */
1665 status = create_rpc_bind_req(state, cli,
1668 &cli->abstract_syntax,
1669 &cli->transfer_syntax,
1672 if (!NT_STATUS_IS_OK(status)) {
1676 subreq = rpc_api_pipe_send(state, ev, cli, &state->rpc_out,
1677 DCERPC_PKT_BIND_ACK);
1678 if (subreq == NULL) {
1681 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1685 tevent_req_nterror(req, status);
1686 return tevent_req_post(req, ev);
1692 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
1694 struct tevent_req *req = tevent_req_callback_data(
1695 subreq, struct tevent_req);
1696 struct rpc_pipe_bind_state *state = tevent_req_data(
1697 req, struct rpc_pipe_bind_state);
1698 struct pipe_auth_data *pauth = state->cli->auth;
1699 DATA_BLOB reply_pdu;
1700 struct ncacn_packet *pkt;
1701 struct dcerpc_auth auth;
1702 DATA_BLOB auth_token = data_blob_null;
1705 status = rpc_api_pipe_recv(subreq, talloc_tos(), &pkt, &reply_pdu);
1706 TALLOC_FREE(subreq);
1707 if (!NT_STATUS_IS_OK(status)) {
1708 DEBUG(3, ("rpc_pipe_bind: %s bind request returned %s\n",
1709 rpccli_pipe_txt(talloc_tos(), state->cli),
1710 nt_errstr(status)));
1711 tevent_req_nterror(req, status);
1715 if (!check_bind_response(&pkt->u.bind_ack, &state->cli->transfer_syntax)) {
1716 DEBUG(2, ("rpc_pipe_bind: check_bind_response failed.\n"));
1717 tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
1721 state->cli->max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
1722 state->cli->max_recv_frag = pkt->u.bind_ack.max_recv_frag;
1724 switch(state->cli->auth->auth_type) {
1726 case DCERPC_AUTH_TYPE_NONE:
1727 case DCERPC_AUTH_TYPE_SCHANNEL:
1728 /* Bind complete. */
1729 tevent_req_done(req);
1732 case DCERPC_AUTH_TYPE_NTLMSSP:
1733 case DCERPC_AUTH_TYPE_SPNEGO:
1734 case DCERPC_AUTH_TYPE_KRB5:
1735 /* Paranoid lenght checks */
1736 if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
1737 + pkt->auth_length) {
1738 tevent_req_nterror(req,
1739 NT_STATUS_INFO_LENGTH_MISMATCH);
1742 /* get auth credentials */
1743 status = dcerpc_pull_dcerpc_auth(talloc_tos(),
1744 &pkt->u.bind_ack.auth_info,
1746 if (!NT_STATUS_IS_OK(status)) {
1747 DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
1748 nt_errstr(status)));
1749 tevent_req_nterror(req, status);
1759 * For authenticated binds we may need to do 3 or 4 leg binds.
1762 switch(state->cli->auth->auth_type) {
1764 case DCERPC_AUTH_TYPE_NONE:
1765 case DCERPC_AUTH_TYPE_SCHANNEL:
1766 /* Bind complete. */
1767 tevent_req_done(req);
1770 case DCERPC_AUTH_TYPE_NTLMSSP:
1771 /* Need to send AUTH3 packet - no reply. */
1772 status = rpc_finish_auth3_bind_send(req, state,
1776 case DCERPC_AUTH_TYPE_SPNEGO:
1777 status = spnego_get_client_auth_token(state,
1778 pauth->a_u.spnego_state,
1781 if (!NT_STATUS_IS_OK(status)) {
1784 if (auth_token.length == 0) {
1785 /* Bind complete. */
1786 tevent_req_done(req);
1789 if (spnego_require_more_processing(pauth->a_u.spnego_state)) {
1790 status = rpc_bind_next_send(req, state,
1793 status = rpc_bind_finish_send(req, state,
1798 case DCERPC_AUTH_TYPE_KRB5:
1799 status = gse_get_client_auth_token(state,
1800 pauth->a_u.gssapi_state,
1803 if (!NT_STATUS_IS_OK(status)) {
1807 if (gse_require_more_processing(pauth->a_u.gssapi_state)) {
1808 status = rpc_bind_next_send(req, state, &auth_token);
1810 status = rpc_bind_finish_send(req, state, &auth_token);
1818 if (!NT_STATUS_IS_OK(status)) {
1819 tevent_req_nterror(req, status);
1824 DEBUG(0,("cli_finish_bind_auth: unknown auth type %u(%u)\n",
1825 (unsigned int)state->cli->auth->auth_type,
1826 (unsigned int)state->cli->auth->spnego_type));
1827 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
1830 static NTSTATUS rpc_finish_auth3_bind_send(struct tevent_req *req,
1831 struct rpc_pipe_bind_state *state,
1832 DATA_BLOB *credentials)
1834 struct pipe_auth_data *auth = state->cli->auth;
1835 DATA_BLOB client_reply = data_blob_null;
1836 struct tevent_req *subreq;
1839 /* TODO - check auth_type/auth_level match. */
1841 status = auth_ntlmssp_update(auth->a_u.auth_ntlmssp_state,
1842 *credentials, &client_reply);
1844 if (!NT_STATUS_IS_OK(status)) {
1845 DEBUG(0, ("rpc_finish_auth3_bind: NTLMSSP update using server "
1846 "blob failed: %s.\n", nt_errstr(status)));
1850 data_blob_free(&state->rpc_out);
1852 status = create_rpc_bind_auth3(state, state->cli,
1858 data_blob_free(&client_reply);
1860 if (!NT_STATUS_IS_OK(status)) {
1864 subreq = rpc_write_send(state, state->ev, state->cli->transport,
1865 state->rpc_out.data, state->rpc_out.length);
1866 if (subreq == NULL) {
1867 return NT_STATUS_NO_MEMORY;
1869 tevent_req_set_callback(subreq, rpc_bind_auth3_write_done, req);
1870 return NT_STATUS_OK;
1873 static void rpc_bind_auth3_write_done(struct tevent_req *subreq)
1875 struct tevent_req *req = tevent_req_callback_data(
1876 subreq, struct tevent_req);
1879 status = rpc_write_recv(subreq);
1880 TALLOC_FREE(subreq);
1881 if (!NT_STATUS_IS_OK(status)) {
1882 tevent_req_nterror(req, status);
1885 tevent_req_done(req);
1888 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1889 struct rpc_pipe_bind_state *state,
1890 DATA_BLOB *auth_token)
1892 struct pipe_auth_data *auth = state->cli->auth;
1893 struct tevent_req *subreq;
1896 /* Now prepare the alter context pdu. */
1897 data_blob_free(&state->rpc_out);
1899 status = create_rpc_alter_context(state,
1903 &state->cli->abstract_syntax,
1904 &state->cli->transfer_syntax,
1907 if (!NT_STATUS_IS_OK(status)) {
1911 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1912 &state->rpc_out, DCERPC_PKT_ALTER_RESP);
1913 if (subreq == NULL) {
1914 return NT_STATUS_NO_MEMORY;
1916 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1917 return NT_STATUS_OK;
1920 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1921 struct rpc_pipe_bind_state *state,
1922 DATA_BLOB *auth_token)
1924 struct pipe_auth_data *auth = state->cli->auth;
1925 struct tevent_req *subreq;
1928 /* Now prepare the auth3 context pdu. */
1929 data_blob_free(&state->rpc_out);
1931 status = create_rpc_bind_auth3(state, state->cli,
1937 if (!NT_STATUS_IS_OK(status)) {
1941 subreq = rpc_write_send(state, state->ev, state->cli->transport,
1942 state->rpc_out.data, state->rpc_out.length);
1943 if (subreq == NULL) {
1944 return NT_STATUS_NO_MEMORY;
1946 tevent_req_set_callback(subreq, rpc_bind_auth3_write_done, req);
1947 return NT_STATUS_OK;
1950 NTSTATUS rpc_pipe_bind_recv(struct tevent_req *req)
1952 return tevent_req_simple_recv_ntstatus(req);
1955 NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
1956 struct pipe_auth_data *auth)
1958 TALLOC_CTX *frame = talloc_stackframe();
1959 struct event_context *ev;
1960 struct tevent_req *req;
1961 NTSTATUS status = NT_STATUS_OK;
1963 ev = event_context_init(frame);
1965 status = NT_STATUS_NO_MEMORY;
1969 req = rpc_pipe_bind_send(frame, ev, cli, auth);
1971 status = NT_STATUS_NO_MEMORY;
1975 if (!tevent_req_poll(req, ev)) {
1976 status = map_nt_error_from_unix(errno);
1980 status = rpc_pipe_bind_recv(req);
1986 #define RPCCLI_DEFAULT_TIMEOUT 10000 /* 10 seconds. */
1988 unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli,
1989 unsigned int timeout)
1993 if (rpc_cli->transport == NULL) {
1994 return RPCCLI_DEFAULT_TIMEOUT;
1997 if (rpc_cli->transport->set_timeout == NULL) {
1998 return RPCCLI_DEFAULT_TIMEOUT;
2001 old = rpc_cli->transport->set_timeout(rpc_cli->transport->priv, timeout);
2003 return RPCCLI_DEFAULT_TIMEOUT;
2009 bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli)
2011 if (rpc_cli == NULL) {
2015 if (rpc_cli->transport == NULL) {
2019 return rpc_cli->transport->is_connected(rpc_cli->transport->priv);
2022 bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
2024 struct auth_ntlmssp_state *a = NULL;
2025 struct cli_state *cli;
2027 if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
2028 a = rpc_cli->auth->a_u.auth_ntlmssp_state;
2029 } else if (rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2030 enum dcerpc_AuthType auth_type;
2034 status = spnego_get_negotiated_mech(
2035 rpc_cli->auth->a_u.spnego_state,
2036 &auth_type, &auth_ctx);
2037 if (!NT_STATUS_IS_OK(status)) {
2041 if (auth_type == DCERPC_AUTH_TYPE_NTLMSSP) {
2042 a = talloc_get_type(auth_ctx,
2043 struct auth_ntlmssp_state);
2048 memcpy(nt_hash, auth_ntlmssp_get_nt_hash(a), 16);
2052 cli = rpc_pipe_np_smb_conn(rpc_cli);
2056 E_md4hash(cli->password ? cli->password : "", nt_hash);
2060 NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
2061 struct pipe_auth_data **presult)
2063 struct pipe_auth_data *result;
2065 result = talloc(mem_ctx, struct pipe_auth_data);
2066 if (result == NULL) {
2067 return NT_STATUS_NO_MEMORY;
2070 result->auth_type = DCERPC_AUTH_TYPE_NONE;
2071 result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
2072 result->auth_level = DCERPC_AUTH_LEVEL_NONE;
2074 result->user_name = talloc_strdup(result, "");
2075 result->domain = talloc_strdup(result, "");
2076 if ((result->user_name == NULL) || (result->domain == NULL)) {
2077 TALLOC_FREE(result);
2078 return NT_STATUS_NO_MEMORY;
2082 return NT_STATUS_OK;
2085 static int cli_auth_ntlmssp_data_destructor(struct pipe_auth_data *auth)
2087 TALLOC_FREE(auth->a_u.auth_ntlmssp_state);
2091 static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
2092 enum dcerpc_AuthType auth_type,
2093 enum dcerpc_AuthLevel auth_level,
2095 const char *username,
2096 const char *password,
2097 struct pipe_auth_data **presult)
2099 struct pipe_auth_data *result;
2102 result = talloc(mem_ctx, struct pipe_auth_data);
2103 if (result == NULL) {
2104 return NT_STATUS_NO_MEMORY;
2107 result->auth_type = auth_type;
2108 result->auth_level = auth_level;
2110 result->user_name = talloc_strdup(result, username);
2111 result->domain = talloc_strdup(result, domain);
2112 if ((result->user_name == NULL) || (result->domain == NULL)) {
2113 status = NT_STATUS_NO_MEMORY;
2117 status = auth_ntlmssp_client_start(NULL,
2120 lp_client_ntlmv2_auth(),
2121 &result->a_u.auth_ntlmssp_state);
2122 if (!NT_STATUS_IS_OK(status)) {
2126 talloc_set_destructor(result, cli_auth_ntlmssp_data_destructor);
2128 status = auth_ntlmssp_set_username(result->a_u.auth_ntlmssp_state,
2130 if (!NT_STATUS_IS_OK(status)) {
2134 status = auth_ntlmssp_set_domain(result->a_u.auth_ntlmssp_state,
2136 if (!NT_STATUS_IS_OK(status)) {
2140 status = auth_ntlmssp_set_password(result->a_u.auth_ntlmssp_state,
2142 if (!NT_STATUS_IS_OK(status)) {
2147 * Turn off sign+seal to allow selected auth level to turn it back on.
2149 auth_ntlmssp_and_flags(result->a_u.auth_ntlmssp_state,
2150 ~(NTLMSSP_NEGOTIATE_SIGN |
2151 NTLMSSP_NEGOTIATE_SEAL));
2153 if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
2154 auth_ntlmssp_or_flags(result->a_u.auth_ntlmssp_state,
2155 NTLMSSP_NEGOTIATE_SIGN);
2156 } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
2157 auth_ntlmssp_or_flags(result->a_u.auth_ntlmssp_state,
2158 NTLMSSP_NEGOTIATE_SEAL |
2159 NTLMSSP_NEGOTIATE_SIGN);
2163 return NT_STATUS_OK;
2166 TALLOC_FREE(result);
2170 NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
2171 enum dcerpc_AuthLevel auth_level,
2172 struct netlogon_creds_CredentialState *creds,
2173 struct pipe_auth_data **presult)
2175 struct pipe_auth_data *result;
2177 result = talloc(mem_ctx, struct pipe_auth_data);
2178 if (result == NULL) {
2179 return NT_STATUS_NO_MEMORY;
2182 result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
2183 result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
2184 result->auth_level = auth_level;
2186 result->user_name = talloc_strdup(result, "");
2187 result->domain = talloc_strdup(result, domain);
2188 if ((result->user_name == NULL) || (result->domain == NULL)) {
2192 result->a_u.schannel_auth = talloc(result, struct schannel_state);
2193 if (result->a_u.schannel_auth == NULL) {
2197 result->a_u.schannel_auth->state = SCHANNEL_STATE_START;
2198 result->a_u.schannel_auth->seq_num = 0;
2199 result->a_u.schannel_auth->initiator = true;
2200 result->a_u.schannel_auth->creds = creds;
2203 return NT_STATUS_OK;
2206 TALLOC_FREE(result);
2207 return NT_STATUS_NO_MEMORY;
2211 * Create an rpc pipe client struct, connecting to a tcp port.
2213 static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
2215 const struct ndr_syntax_id *abstract_syntax,
2216 struct rpc_pipe_client **presult)
2218 struct rpc_pipe_client *result;
2219 struct sockaddr_storage addr;
2223 result = TALLOC_ZERO_P(mem_ctx, struct rpc_pipe_client);
2224 if (result == NULL) {
2225 return NT_STATUS_NO_MEMORY;
2228 result->abstract_syntax = *abstract_syntax;
2229 result->transfer_syntax = ndr_transfer_syntax;
2230 result->dispatch = cli_do_rpc_ndr;
2231 result->dispatch_send = cli_do_rpc_ndr_send;
2232 result->dispatch_recv = cli_do_rpc_ndr_recv;
2234 result->desthost = talloc_strdup(result, host);
2235 result->srv_name_slash = talloc_asprintf_strupper_m(
2236 result, "\\\\%s", result->desthost);
2237 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2238 status = NT_STATUS_NO_MEMORY;
2242 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2243 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2245 if (!resolve_name(host, &addr, 0, false)) {
2246 status = NT_STATUS_NOT_FOUND;
2250 status = open_socket_out(&addr, port, 60, &fd);
2251 if (!NT_STATUS_IS_OK(status)) {
2254 set_socket_options(fd, lp_socket_options());
2256 status = rpc_transport_sock_init(result, fd, &result->transport);
2257 if (!NT_STATUS_IS_OK(status)) {
2262 result->transport->transport = NCACN_IP_TCP;
2265 return NT_STATUS_OK;
2268 TALLOC_FREE(result);
2273 * Determine the tcp port on which a dcerpc interface is listening
2274 * for the ncacn_ip_tcp transport via the endpoint mapper of the
2277 static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
2278 const struct ndr_syntax_id *abstract_syntax,
2282 struct rpc_pipe_client *epm_pipe = NULL;
2283 struct pipe_auth_data *auth = NULL;
2284 struct dcerpc_binding *map_binding = NULL;
2285 struct dcerpc_binding *res_binding = NULL;
2286 struct epm_twr_t *map_tower = NULL;
2287 struct epm_twr_t *res_towers = NULL;
2288 struct policy_handle *entry_handle = NULL;
2289 uint32_t num_towers = 0;
2290 uint32_t max_towers = 1;
2291 struct epm_twr_p_t towers;
2292 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2294 if (pport == NULL) {
2295 status = NT_STATUS_INVALID_PARAMETER;
2299 /* open the connection to the endpoint mapper */
2300 status = rpc_pipe_open_tcp_port(tmp_ctx, host, 135,
2301 &ndr_table_epmapper.syntax_id,
2304 if (!NT_STATUS_IS_OK(status)) {
2308 status = rpccli_anon_bind_data(tmp_ctx, &auth);
2309 if (!NT_STATUS_IS_OK(status)) {
2313 status = rpc_pipe_bind(epm_pipe, auth);
2314 if (!NT_STATUS_IS_OK(status)) {
2318 /* create tower for asking the epmapper */
2320 map_binding = TALLOC_ZERO_P(tmp_ctx, struct dcerpc_binding);
2321 if (map_binding == NULL) {
2322 status = NT_STATUS_NO_MEMORY;
2326 map_binding->transport = NCACN_IP_TCP;
2327 map_binding->object = *abstract_syntax;
2328 map_binding->host = host; /* needed? */
2329 map_binding->endpoint = "0"; /* correct? needed? */
2331 map_tower = TALLOC_ZERO_P(tmp_ctx, struct epm_twr_t);
2332 if (map_tower == NULL) {
2333 status = NT_STATUS_NO_MEMORY;
2337 status = dcerpc_binding_build_tower(tmp_ctx, map_binding,
2338 &(map_tower->tower));
2339 if (!NT_STATUS_IS_OK(status)) {
2343 /* allocate further parameters for the epm_Map call */
2345 res_towers = TALLOC_ARRAY(tmp_ctx, struct epm_twr_t, max_towers);
2346 if (res_towers == NULL) {
2347 status = NT_STATUS_NO_MEMORY;
2350 towers.twr = res_towers;
2352 entry_handle = TALLOC_ZERO_P(tmp_ctx, struct policy_handle);
2353 if (entry_handle == NULL) {
2354 status = NT_STATUS_NO_MEMORY;
2358 /* ask the endpoint mapper for the port */
2360 status = rpccli_epm_Map(epm_pipe,
2362 CONST_DISCARD(struct GUID *,
2363 &(abstract_syntax->uuid)),
2370 if (!NT_STATUS_IS_OK(status)) {
2374 if (num_towers != 1) {
2375 status = NT_STATUS_UNSUCCESSFUL;
2379 /* extract the port from the answer */
2381 status = dcerpc_binding_from_tower(tmp_ctx,
2382 &(towers.twr->tower),
2384 if (!NT_STATUS_IS_OK(status)) {
2388 /* are further checks here necessary? */
2389 if (res_binding->transport != NCACN_IP_TCP) {
2390 status = NT_STATUS_UNSUCCESSFUL;
2394 *pport = (uint16_t)atoi(res_binding->endpoint);
2397 TALLOC_FREE(tmp_ctx);
2402 * Create a rpc pipe client struct, connecting to a host via tcp.
2403 * The port is determined by asking the endpoint mapper on the given
2406 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
2407 const struct ndr_syntax_id *abstract_syntax,
2408 struct rpc_pipe_client **presult)
2413 status = rpc_pipe_get_tcp_port(host, abstract_syntax, &port);
2414 if (!NT_STATUS_IS_OK(status)) {
2418 return rpc_pipe_open_tcp_port(mem_ctx, host, port,
2419 abstract_syntax, presult);
2422 /********************************************************************
2423 Create a rpc pipe client struct, connecting to a unix domain socket
2424 ********************************************************************/
2425 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
2426 const struct ndr_syntax_id *abstract_syntax,
2427 struct rpc_pipe_client **presult)
2429 struct rpc_pipe_client *result;
2430 struct sockaddr_un addr;
2434 result = talloc_zero(mem_ctx, struct rpc_pipe_client);
2435 if (result == NULL) {
2436 return NT_STATUS_NO_MEMORY;
2439 result->abstract_syntax = *abstract_syntax;
2440 result->transfer_syntax = ndr_transfer_syntax;
2441 result->dispatch = cli_do_rpc_ndr;
2442 result->dispatch_send = cli_do_rpc_ndr_send;
2443 result->dispatch_recv = cli_do_rpc_ndr_recv;
2445 result->desthost = get_myname(result);
2446 result->srv_name_slash = talloc_asprintf_strupper_m(
2447 result, "\\\\%s", result->desthost);
2448 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2449 status = NT_STATUS_NO_MEMORY;
2453 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2454 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2456 fd = socket(AF_UNIX, SOCK_STREAM, 0);
2458 status = map_nt_error_from_unix(errno);
2463 addr.sun_family = AF_UNIX;
2464 strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path));
2466 if (sys_connect(fd, (struct sockaddr *)(void *)&addr) == -1) {
2467 DEBUG(0, ("connect(%s) failed: %s\n", socket_path,
2470 return map_nt_error_from_unix(errno);
2473 status = rpc_transport_sock_init(result, fd, &result->transport);
2474 if (!NT_STATUS_IS_OK(status)) {
2479 result->transport->transport = NCALRPC;
2482 return NT_STATUS_OK;
2485 TALLOC_FREE(result);
2489 struct rpc_pipe_client_np_ref {
2490 struct cli_state *cli;
2491 struct rpc_pipe_client *pipe;
2494 static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_ref)
2496 DLIST_REMOVE(np_ref->cli->pipe_list, np_ref->pipe);
2500 /****************************************************************************
2501 Open a named pipe over SMB to a remote server.
2503 * CAVEAT CALLER OF THIS FUNCTION:
2504 * The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
2505 * so be sure that this function is called AFTER any structure (vs pointer)
2506 * assignment of the cli. In particular, libsmbclient does structure
2507 * assignments of cli, which invalidates the data in the returned
2508 * rpc_pipe_client if this function is called before the structure assignment
2511 ****************************************************************************/
2513 static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
2514 const struct ndr_syntax_id *abstract_syntax,
2515 struct rpc_pipe_client **presult)
2517 struct rpc_pipe_client *result;
2519 struct rpc_pipe_client_np_ref *np_ref;
2521 /* sanity check to protect against crashes */
2524 return NT_STATUS_INVALID_HANDLE;
2527 result = TALLOC_ZERO_P(NULL, struct rpc_pipe_client);
2528 if (result == NULL) {
2529 return NT_STATUS_NO_MEMORY;
2532 result->abstract_syntax = *abstract_syntax;
2533 result->transfer_syntax = ndr_transfer_syntax;
2534 result->dispatch = cli_do_rpc_ndr;
2535 result->dispatch_send = cli_do_rpc_ndr_send;
2536 result->dispatch_recv = cli_do_rpc_ndr_recv;
2537 result->desthost = talloc_strdup(result, cli->desthost);
2538 result->srv_name_slash = talloc_asprintf_strupper_m(
2539 result, "\\\\%s", result->desthost);
2541 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2542 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2544 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2545 TALLOC_FREE(result);
2546 return NT_STATUS_NO_MEMORY;
2549 status = rpc_transport_np_init(result, cli, abstract_syntax,
2550 &result->transport);
2551 if (!NT_STATUS_IS_OK(status)) {
2552 TALLOC_FREE(result);
2556 result->transport->transport = NCACN_NP;
2558 np_ref = talloc(result->transport, struct rpc_pipe_client_np_ref);
2559 if (np_ref == NULL) {
2560 TALLOC_FREE(result);
2561 return NT_STATUS_NO_MEMORY;
2564 np_ref->pipe = result;
2566 DLIST_ADD(np_ref->cli->pipe_list, np_ref->pipe);
2567 talloc_set_destructor(np_ref, rpc_pipe_client_np_ref_destructor);
2570 return NT_STATUS_OK;
2573 NTSTATUS rpc_pipe_open_local(TALLOC_CTX *mem_ctx,
2574 struct rpc_cli_smbd_conn *conn,
2575 const struct ndr_syntax_id *syntax,
2576 struct rpc_pipe_client **presult)
2578 struct rpc_pipe_client *result;
2579 struct pipe_auth_data *auth;
2582 result = talloc(mem_ctx, struct rpc_pipe_client);
2583 if (result == NULL) {
2584 return NT_STATUS_NO_MEMORY;
2586 result->abstract_syntax = *syntax;
2587 result->transfer_syntax = ndr_transfer_syntax;
2588 result->dispatch = cli_do_rpc_ndr;
2589 result->dispatch_send = cli_do_rpc_ndr_send;
2590 result->dispatch_recv = cli_do_rpc_ndr_recv;
2591 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2592 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2594 result->desthost = talloc_strdup(result, global_myname());
2595 result->srv_name_slash = talloc_asprintf_strupper_m(
2596 result, "\\\\%s", global_myname());
2597 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2598 TALLOC_FREE(result);
2599 return NT_STATUS_NO_MEMORY;
2602 status = rpc_transport_smbd_init(result, conn, syntax,
2603 &result->transport);
2604 if (!NT_STATUS_IS_OK(status)) {
2605 DEBUG(1, ("rpc_transport_smbd_init failed: %s\n",
2606 nt_errstr(status)));
2607 TALLOC_FREE(result);
2611 status = rpccli_anon_bind_data(result, &auth);
2612 if (!NT_STATUS_IS_OK(status)) {
2613 DEBUG(1, ("rpccli_anon_bind_data failed: %s\n",
2614 nt_errstr(status)));
2615 TALLOC_FREE(result);
2619 status = rpc_pipe_bind(result, auth);
2620 if (!NT_STATUS_IS_OK(status)) {
2621 DEBUG(1, ("rpc_pipe_bind failed: %s\n", nt_errstr(status)));
2622 TALLOC_FREE(result);
2626 result->transport->transport = NCACN_INTERNAL;
2629 return NT_STATUS_OK;
2632 /****************************************************************************
2633 Open a pipe to a remote server.
2634 ****************************************************************************/
2636 static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
2637 enum dcerpc_transport_t transport,
2638 const struct ndr_syntax_id *interface,
2639 struct rpc_pipe_client **presult)
2641 switch (transport) {
2643 return rpc_pipe_open_tcp(NULL, cli->desthost, interface,
2646 return rpc_pipe_open_np(cli, interface, presult);
2648 return NT_STATUS_NOT_IMPLEMENTED;
2652 /****************************************************************************
2653 Open a named pipe to an SMB server and bind anonymously.
2654 ****************************************************************************/
2656 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
2657 enum dcerpc_transport_t transport,
2658 const struct ndr_syntax_id *interface,
2659 struct rpc_pipe_client **presult)
2661 struct rpc_pipe_client *result;
2662 struct pipe_auth_data *auth;
2665 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2666 if (!NT_STATUS_IS_OK(status)) {
2670 status = rpccli_anon_bind_data(result, &auth);
2671 if (!NT_STATUS_IS_OK(status)) {
2672 DEBUG(0, ("rpccli_anon_bind_data returned %s\n",
2673 nt_errstr(status)));
2674 TALLOC_FREE(result);
2679 * This is a bit of an abstraction violation due to the fact that an
2680 * anonymous bind on an authenticated SMB inherits the user/domain
2681 * from the enclosing SMB creds
2684 TALLOC_FREE(auth->user_name);
2685 TALLOC_FREE(auth->domain);
2687 auth->user_name = talloc_strdup(auth, cli->user_name);
2688 auth->domain = talloc_strdup(auth, cli->domain);
2689 auth->user_session_key = data_blob_talloc(auth,
2690 cli->user_session_key.data,
2691 cli->user_session_key.length);
2693 if ((auth->user_name == NULL) || (auth->domain == NULL)) {
2694 TALLOC_FREE(result);
2695 return NT_STATUS_NO_MEMORY;
2698 status = rpc_pipe_bind(result, auth);
2699 if (!NT_STATUS_IS_OK(status)) {
2701 if (ndr_syntax_id_equal(interface,
2702 &ndr_table_dssetup.syntax_id)) {
2703 /* non AD domains just don't have this pipe, avoid
2704 * level 0 statement in that case - gd */
2707 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
2708 "%s failed with error %s\n",
2709 get_pipe_name_from_syntax(talloc_tos(), interface),
2710 nt_errstr(status) ));
2711 TALLOC_FREE(result);
2715 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
2716 "%s and bound anonymously.\n",
2717 get_pipe_name_from_syntax(talloc_tos(), interface),
2721 return NT_STATUS_OK;
2724 /****************************************************************************
2725 ****************************************************************************/
2727 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
2728 const struct ndr_syntax_id *interface,
2729 struct rpc_pipe_client **presult)
2731 return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
2732 interface, presult);
2735 /****************************************************************************
2736 Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP
2737 ****************************************************************************/
2739 NTSTATUS cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
2740 const struct ndr_syntax_id *interface,
2741 enum dcerpc_transport_t transport,
2742 enum dcerpc_AuthLevel auth_level,
2744 const char *username,
2745 const char *password,
2746 struct rpc_pipe_client **presult)
2748 struct rpc_pipe_client *result;
2749 struct pipe_auth_data *auth;
2750 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
2753 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2754 if (!NT_STATUS_IS_OK(status)) {
2758 status = rpccli_ntlmssp_bind_data(result,
2759 auth_type, auth_level,
2760 domain, username, password,
2762 if (!NT_STATUS_IS_OK(status)) {
2763 DEBUG(0, ("rpccli_ntlmssp_bind_data returned %s\n",
2764 nt_errstr(status)));
2768 status = rpc_pipe_bind(result, auth);
2769 if (!NT_STATUS_IS_OK(status)) {
2770 DEBUG(0, ("cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error %s\n",
2771 nt_errstr(status) ));
2775 DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to "
2776 "machine %s and bound NTLMSSP as user %s\\%s.\n",
2777 get_pipe_name_from_syntax(talloc_tos(), interface),
2778 cli->desthost, domain, username ));
2781 return NT_STATUS_OK;
2785 TALLOC_FREE(result);
2789 /****************************************************************************
2790 Get a the schannel session key out of an already opened netlogon pipe.
2791 ****************************************************************************/
2792 static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
2793 struct cli_state *cli,
2797 enum netr_SchannelType sec_chan_type = 0;
2798 unsigned char machine_pwd[16];
2799 const char *machine_account;
2802 /* Get the machine account credentials from secrets.tdb. */
2803 if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
2806 DEBUG(0, ("get_schannel_session_key: could not fetch "
2807 "trust account password for domain '%s'\n",
2809 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2812 status = rpccli_netlogon_setup_creds(netlogon_pipe,
2813 cli->desthost, /* server name */
2814 domain, /* domain */
2815 global_myname(), /* client name */
2816 machine_account, /* machine account name */
2821 if (!NT_STATUS_IS_OK(status)) {
2822 DEBUG(3, ("get_schannel_session_key_common: "
2823 "rpccli_netlogon_setup_creds failed with result %s "
2824 "to server %s, domain %s, machine account %s.\n",
2825 nt_errstr(status), cli->desthost, domain,
2830 if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
2831 DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
2833 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2836 return NT_STATUS_OK;;
2839 /****************************************************************************
2840 Open a netlogon pipe and get the schannel session key.
2841 Now exposed to external callers.
2842 ****************************************************************************/
2845 NTSTATUS get_schannel_session_key(struct cli_state *cli,
2848 struct rpc_pipe_client **presult)
2850 struct rpc_pipe_client *netlogon_pipe = NULL;
2853 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
2855 if (!NT_STATUS_IS_OK(status)) {
2859 status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
2861 if (!NT_STATUS_IS_OK(status)) {
2862 TALLOC_FREE(netlogon_pipe);
2866 *presult = netlogon_pipe;
2867 return NT_STATUS_OK;
2870 /****************************************************************************
2872 Open a named pipe to an SMB server and bind using schannel (bind type 68)
2873 using session_key. sign and seal.
2875 The *pdc will be stolen onto this new pipe
2876 ****************************************************************************/
2878 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
2879 const struct ndr_syntax_id *interface,
2880 enum dcerpc_transport_t transport,
2881 enum dcerpc_AuthLevel auth_level,
2883 struct netlogon_creds_CredentialState **pdc,
2884 struct rpc_pipe_client **presult)
2886 struct rpc_pipe_client *result;
2887 struct pipe_auth_data *auth;
2890 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2891 if (!NT_STATUS_IS_OK(status)) {
2895 status = rpccli_schannel_bind_data(result, domain, auth_level,
2897 if (!NT_STATUS_IS_OK(status)) {
2898 DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
2899 nt_errstr(status)));
2900 TALLOC_FREE(result);
2904 status = rpc_pipe_bind(result, auth);
2905 if (!NT_STATUS_IS_OK(status)) {
2906 DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
2907 "cli_rpc_pipe_bind failed with error %s\n",
2908 nt_errstr(status) ));
2909 TALLOC_FREE(result);
2914 * The credentials on a new netlogon pipe are the ones we are passed
2915 * in - reference them in
2917 result->dc = talloc_move(result, pdc);
2919 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
2920 "for domain %s and bound using schannel.\n",
2921 get_pipe_name_from_syntax(talloc_tos(), interface),
2922 cli->desthost, domain ));
2925 return NT_STATUS_OK;
2928 /****************************************************************************
2929 Open a named pipe to an SMB server and bind using schannel (bind type 68).
2930 Fetch the session key ourselves using a temporary netlogon pipe. This
2931 version uses an ntlmssp auth bound netlogon pipe to get the key.
2932 ****************************************************************************/
2934 static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
2936 const char *username,
2937 const char *password,
2939 struct rpc_pipe_client **presult)
2941 struct rpc_pipe_client *netlogon_pipe = NULL;
2944 status = cli_rpc_pipe_open_spnego_ntlmssp(
2945 cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
2946 DCERPC_AUTH_LEVEL_PRIVACY,
2947 domain, username, password, &netlogon_pipe);
2948 if (!NT_STATUS_IS_OK(status)) {
2952 status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
2954 if (!NT_STATUS_IS_OK(status)) {
2955 TALLOC_FREE(netlogon_pipe);
2959 *presult = netlogon_pipe;
2960 return NT_STATUS_OK;
2963 /****************************************************************************
2964 Open a named pipe to an SMB server and bind using schannel (bind type 68).
2965 Fetch the session key ourselves using a temporary netlogon pipe. This version
2966 uses an ntlmssp bind to get the session key.
2967 ****************************************************************************/
2969 NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
2970 const struct ndr_syntax_id *interface,
2971 enum dcerpc_transport_t transport,
2972 enum dcerpc_AuthLevel auth_level,
2974 const char *username,
2975 const char *password,
2976 struct rpc_pipe_client **presult)
2978 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2979 struct rpc_pipe_client *netlogon_pipe = NULL;
2980 struct rpc_pipe_client *result = NULL;
2983 status = get_schannel_session_key_auth_ntlmssp(
2984 cli, domain, username, password, &neg_flags, &netlogon_pipe);
2985 if (!NT_STATUS_IS_OK(status)) {
2986 DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
2987 "key from server %s for domain %s.\n",
2988 cli->desthost, domain ));
2992 status = cli_rpc_pipe_open_schannel_with_key(
2993 cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
2996 /* Now we've bound using the session key we can close the netlog pipe. */
2997 TALLOC_FREE(netlogon_pipe);
2999 if (NT_STATUS_IS_OK(status)) {
3005 /****************************************************************************
3006 Open a named pipe to an SMB server and bind using schannel (bind type 68).
3007 Fetch the session key ourselves using a temporary netlogon pipe.
3008 ****************************************************************************/
3010 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
3011 const struct ndr_syntax_id *interface,
3012 enum dcerpc_transport_t transport,
3013 enum dcerpc_AuthLevel auth_level,
3015 struct rpc_pipe_client **presult)
3017 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
3018 struct rpc_pipe_client *netlogon_pipe = NULL;
3019 struct rpc_pipe_client *result = NULL;
3022 status = get_schannel_session_key(cli, domain, &neg_flags,
3024 if (!NT_STATUS_IS_OK(status)) {
3025 DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
3026 "key from server %s for domain %s.\n",
3027 cli->desthost, domain ));
3031 status = cli_rpc_pipe_open_schannel_with_key(
3032 cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
3035 /* Now we've bound using the session key we can close the netlog pipe. */
3036 TALLOC_FREE(netlogon_pipe);
3038 if (NT_STATUS_IS_OK(status)) {
3045 /****************************************************************************
3046 Open a named pipe to an SMB server and bind using krb5 (bind type 16).
3047 The idea is this can be called with service_princ, username and password all
3048 NULL so long as the caller has a TGT.
3049 ****************************************************************************/
3051 NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
3052 const struct ndr_syntax_id *interface,
3053 enum dcerpc_transport_t transport,
3054 enum dcerpc_AuthLevel auth_level,
3056 const char *username,
3057 const char *password,
3058 struct rpc_pipe_client **presult)
3060 struct rpc_pipe_client *result;
3061 struct pipe_auth_data *auth;
3064 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3065 if (!NT_STATUS_IS_OK(status)) {
3069 auth = talloc(result, struct pipe_auth_data);
3071 status = NT_STATUS_NO_MEMORY;
3074 auth->auth_type = DCERPC_AUTH_TYPE_KRB5;
3075 auth->auth_level = auth_level;
3080 auth->user_name = talloc_strdup(auth, username);
3081 if (!auth->user_name) {
3082 status = NT_STATUS_NO_MEMORY;
3086 /* Fixme, should we fetch/set the Realm ? */
3087 auth->domain = talloc_strdup(auth, "");
3088 if (!auth->domain) {
3089 status = NT_STATUS_NO_MEMORY;
3093 status = gse_init_client(auth, auth->auth_type, auth->auth_level,
3094 NULL, server, "cifs", username, password,
3095 GSS_C_DCE_STYLE, &auth->a_u.gssapi_state);
3097 if (!NT_STATUS_IS_OK(status)) {
3098 DEBUG(0, ("gse_init_client returned %s\n",
3099 nt_errstr(status)));
3103 status = rpc_pipe_bind(result, auth);
3104 if (!NT_STATUS_IS_OK(status)) {
3105 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3106 nt_errstr(status)));
3111 return NT_STATUS_OK;
3114 TALLOC_FREE(result);
3118 NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
3119 const struct ndr_syntax_id *interface,
3120 enum dcerpc_transport_t transport,
3121 enum dcerpc_AuthLevel auth_level,
3123 const char *username,
3124 const char *password,
3125 struct rpc_pipe_client **presult)
3127 struct rpc_pipe_client *result;
3128 struct pipe_auth_data *auth;
3131 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3132 if (!NT_STATUS_IS_OK(status)) {
3136 auth = talloc(result, struct pipe_auth_data);
3138 status = NT_STATUS_NO_MEMORY;
3141 auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
3142 auth->auth_level = auth_level;
3144 auth->spnego_type = PIPE_AUTH_TYPE_SPNEGO_KRB5;
3149 auth->user_name = talloc_strdup(auth, username);
3150 if (!auth->user_name) {
3151 status = NT_STATUS_NO_MEMORY;
3155 /* Fixme, should we fetch/set the Realm ? */
3156 auth->domain = talloc_strdup(auth, "");
3157 if (!auth->domain) {
3158 status = NT_STATUS_NO_MEMORY;
3162 status = spnego_gssapi_init_client(auth, auth->auth_level,
3163 NULL, server, "cifs",
3166 &auth->a_u.spnego_state);
3167 if (!NT_STATUS_IS_OK(status)) {
3168 DEBUG(0, ("spnego_init_client returned %s\n",
3169 nt_errstr(status)));
3173 status = rpc_pipe_bind(result, auth);
3174 if (!NT_STATUS_IS_OK(status)) {
3175 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3176 nt_errstr(status)));
3181 return NT_STATUS_OK;
3184 TALLOC_FREE(result);
3188 NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
3189 const struct ndr_syntax_id *interface,
3190 enum dcerpc_transport_t transport,
3191 enum dcerpc_AuthLevel auth_level,
3193 const char *username,
3194 const char *password,
3195 struct rpc_pipe_client **presult)
3197 struct rpc_pipe_client *result;
3198 struct pipe_auth_data *auth;
3201 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3202 if (!NT_STATUS_IS_OK(status)) {
3206 auth = talloc(result, struct pipe_auth_data);
3208 status = NT_STATUS_NO_MEMORY;
3211 auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
3212 auth->auth_level = auth_level;
3217 auth->user_name = talloc_strdup(auth, username);
3218 if (!auth->user_name) {
3219 status = NT_STATUS_NO_MEMORY;
3226 auth->domain = talloc_strdup(auth, domain);
3227 if (!auth->domain) {
3228 status = NT_STATUS_NO_MEMORY;
3232 status = spnego_ntlmssp_init_client(auth, auth->auth_level,
3233 domain, username, password,
3234 &auth->a_u.spnego_state);
3235 if (!NT_STATUS_IS_OK(status)) {
3236 DEBUG(0, ("spnego_init_client returned %s\n",
3237 nt_errstr(status)));
3241 status = rpc_pipe_bind(result, auth);
3242 if (!NT_STATUS_IS_OK(status)) {
3243 DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
3244 nt_errstr(status)));
3249 return NT_STATUS_OK;
3252 TALLOC_FREE(result);
3256 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
3257 struct rpc_pipe_client *cli,
3258 DATA_BLOB *session_key)
3260 struct pipe_auth_data *a = cli->auth;
3263 if (!session_key || !cli) {
3264 return NT_STATUS_INVALID_PARAMETER;
3268 return NT_STATUS_INVALID_PARAMETER;
3271 switch (cli->auth->auth_type) {
3272 case DCERPC_AUTH_TYPE_SCHANNEL:
3273 sk = data_blob_const(a->a_u.schannel_auth->creds->session_key,
3276 case DCERPC_AUTH_TYPE_SPNEGO:
3277 sk = spnego_get_session_key(a->a_u.spnego_state);
3278 if (sk.length == 0) {
3279 return NT_STATUS_NO_USER_SESSION_KEY;
3282 case DCERPC_AUTH_TYPE_NTLMSSP:
3283 sk = auth_ntlmssp_get_session_key(a->a_u.auth_ntlmssp_state);
3285 case DCERPC_AUTH_TYPE_KRB5:
3286 sk = gse_get_session_key(a->a_u.gssapi_state);
3288 case DCERPC_AUTH_TYPE_NONE:
3289 sk = data_blob_const(a->user_session_key.data,
3290 a->user_session_key.length);
3293 return NT_STATUS_NO_USER_SESSION_KEY;
3296 *session_key = data_blob_dup_talloc(mem_ctx, &sk);
3297 return NT_STATUS_OK;