/*
* Unix SMB/CIFS implementation.
* RPC Pipe client / server routines
- * Copyright (C) Andrew Tridgell 1992-1998,
- * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
- * Copyright (C) Paul Ashton 1998.
- * Copyright (C) Jeremy Allison 1999.
- * Copyright (C) Andrew Bartlett 2003.
+ * Largely rewritten by Jeremy Allison 2005.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
+ * the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
extern struct pipe_id_info pipe_names[];
-/* convert pipe auth flags into the RPC auth type and level */
+/********************************************************************
+ Map internal value to wire value.
+ ********************************************************************/
-void get_auth_type_level(int pipe_auth_flags, int *auth_type, int *auth_level)
+static int map_pipe_auth_type_to_rpc_auth_type(enum pipe_auth_type auth_type)
{
- *auth_type = 0;
- *auth_level = 0;
- if (pipe_auth_flags & AUTH_PIPE_SEAL) {
- *auth_level = RPC_PIPE_AUTH_SEAL_LEVEL;
- } else if (pipe_auth_flags & AUTH_PIPE_SIGN) {
- *auth_level = RPC_PIPE_AUTH_SIGN_LEVEL;
- }
-
- if (pipe_auth_flags & AUTH_PIPE_NETSEC) {
- *auth_type = NETSEC_AUTH_TYPE;
- } else if (pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
- *auth_type = NTLMSSP_AUTH_TYPE;
+ switch (auth_type) {
+
+ case PIPE_AUTH_TYPE_NONE:
+ return RPC_ANONYMOUS_AUTH_TYPE;
+
+ case PIPE_AUTH_TYPE_NTLMSSP:
+ return RPC_NTLMSSP_AUTH_TYPE;
+
+ case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ case PIPE_AUTH_TYPE_SPNEGO_KRB5:
+ return RPC_SPNEGO_AUTH_TYPE;
+
+ case PIPE_AUTH_TYPE_SCHANNEL:
+ return RPC_SCHANNEL_AUTH_TYPE;
+
+ case PIPE_AUTH_TYPE_KRB5:
+ return RPC_KRB5_AUTH_TYPE;
+
+ default:
+ DEBUG(0,("map_pipe_auth_type_to_rpc_type: unknown pipe "
+ "auth type %u\n",
+ (unsigned int)auth_type ));
+ break;
}
+ return -1;
}
/********************************************************************
/*******************************************************************
Use SMBreadX to get rest of one fragment's worth of rpc data.
+ Will expand the current_pdu struct to the correct size.
********************************************************************/
-static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
+static NTSTATUS rpc_read(struct rpc_pipe_client *cli,
+ prs_struct *current_pdu,
+ uint32 data_to_read,
+ uint32 *current_pdu_offset)
{
size_t size = (size_t)cli->max_recv_frag;
- int stream_offset = 0;
- int num_read;
+ uint32 stream_offset = 0;
+ ssize_t num_read;
char *pdata;
- int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
+ ssize_t extra_data_size = ((ssize_t)*current_pdu_offset) + ((ssize_t)data_to_read) - (ssize_t)prs_data_size(current_pdu);
- DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
- (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
+ DEBUG(5,("rpc_read: data_to_read: %u current_pdu offset: %u extra_data_size: %d\n",
+ (unsigned int)data_to_read, (unsigned int)*current_pdu_offset, (int)extra_data_size ));
/*
* Grow the buffer if needed to accommodate the data to be read.
*/
if (extra_data_size > 0) {
- if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
- DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
- return False;
+ if(!prs_force_grow(current_pdu, (uint32)extra_data_size)) {
+ DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", (int)extra_data_size ));
+ return NT_STATUS_NO_MEMORY;
}
- DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
+ DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", (int)extra_data_size, prs_data_size(current_pdu) ));
}
- pdata = prs_data_p(rdata) + *rdata_offset;
-
- do /* read data using SMBreadX */
- {
- uint32 ecode;
- uint8 eclass;
+ pdata = prs_data_p(current_pdu) + *current_pdu_offset;
- if (size > (size_t)data_to_read)
+ do {
+ /* read data using SMBreadX */
+ if (size > (size_t)data_to_read) {
size = (size_t)data_to_read;
+ }
+
+ num_read = cli_read(cli->cli, cli->fnum, pdata,
+ (off_t)stream_offset, size);
- num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
+ DEBUG(5,("rpc_read: num_read = %d, read offset: %u, to read: %u\n",
+ (int)num_read, (unsigned int)stream_offset, (unsigned int)data_to_read));
+
+ /*
+ * A dos error of ERRDOS/ERRmoredata is not an error.
+ */
+ if (cli_is_dos_error(cli->cli)) {
+ uint32 ecode;
+ uint8 eclass;
+ cli_dos_error(cli->cli, &eclass, &ecode);
+ if (eclass != ERRDOS && ecode != ERRmoredata) {
+ DEBUG(0,("rpc_read: DOS Error %d/%u (%s) in cli_read on pipe %s\n",
+ eclass, (unsigned int)ecode,
+ cli_errstr(cli->cli),
+ cli->pipe_name ));
+ return dos_to_ntstatus(eclass, ecode);
+ }
+ }
- DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
- num_read, stream_offset, data_to_read));
+ /*
+ * Likewise for NT_STATUS_BUFFER_TOO_SMALL
+ */
+ if (cli_is_nt_error(cli->cli)) {
+ if (!NT_STATUS_EQUAL(cli_nt_error(cli->cli), NT_STATUS_BUFFER_TOO_SMALL)) {
+ DEBUG(0,("rpc_read: Error (%s) in cli_read on pipe %s\n",
+ nt_errstr(cli_nt_error(cli->cli)),
+ cli->pipe_name ));
+ return cli_nt_error(cli->cli);
+ }
+ }
- if (cli_is_dos_error(cli)) {
- cli_dos_error(cli, &eclass, &ecode);
- if (eclass != ERRDOS && ecode != ERRmoredata) {
- DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
- eclass, (unsigned int)ecode));
- return False;
- }
+ if (num_read == -1) {
+ DEBUG(0,("rpc_read: Error - cli_read on pipe %s returned -1\n",
+ cli->pipe_name ));
+ return cli_get_nt_error(cli->cli);
}
data_to_read -= num_read;
/* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
/*
- * Update the current offset into rdata by the amount read.
+ * Update the current offset into current_pdu by the amount read.
*/
- *rdata_offset += stream_offset;
-
- return True;
+ *current_pdu_offset += stream_offset;
+ return NT_STATUS_OK;
}
/****************************************************************************
- Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
+ Try and get a PDU's worth of data from current_pdu. If not, then read more
+ from the wire.
****************************************************************************/
-static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
- BOOL *first, BOOL *last, uint32 *len)
+static NTSTATUS cli_pipe_get_current_pdu(struct rpc_pipe_client *cli, RPC_HDR *prhdr, prs_struct *current_pdu)
{
- DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
-
- /* Next call sets endian bit. */
+ NTSTATUS ret = NT_STATUS_OK;
+ uint32 current_pdu_len = prs_data_size(current_pdu);
+
+ /* Ensure we have at least RPC_HEADER_LEN worth of data to parse. */
+ if (current_pdu_len < RPC_HEADER_LEN) {
+ /* rpc_read expands the current_pdu struct as neccessary. */
+ ret = rpc_read(cli, current_pdu, RPC_HEADER_LEN - current_pdu_len, ¤t_pdu_len);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
+ }
- if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) {
- DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
- return False;
+ /* This next call sets the endian bit correctly in current_pdu. */
+ /* We will propagate this to rbuf later. */
+ if(!smb_io_rpc_hdr("rpc_hdr ", prhdr, current_pdu, 0)) {
+ DEBUG(0,("cli_pipe_get_current_pdu: Failed to unmarshall RPC_HDR.\n"));
+ return NT_STATUS_BUFFER_TOO_SMALL;
}
- if (prs_offset(rdata) != RPC_HEADER_LEN) {
- DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
- return False;
+ /* Ensure we have frag_len bytes of data. */
+ if (current_pdu_len < prhdr->frag_len) {
+ /* rpc_read expands the current_pdu struct as neccessary. */
+ ret = rpc_read(cli, current_pdu, (uint32)prhdr->frag_len - current_pdu_len, ¤t_pdu_len);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
}
- (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
- (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
- (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
+ if (current_pdu_len < prhdr->frag_len) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
- return (rhdr->pkt_type != RPC_FAULT);
+ return NT_STATUS_OK;
}
/****************************************************************************
- Verify data on an rpc pipe.
- The VERIFY & SEAL code is only executed on packets that look like this :
+ NTLMSSP specific sign/seal.
+ Virtually identical to rpc_server/srv_pipe.c:api_pipe_ntlmssp_auth_process.
+ In fact I should probably abstract these into identical pieces of code... JRA.
+ ****************************************************************************/
- Request/Response PDU's look like the following...
+static NTSTATUS cli_pipe_verify_ntlmssp(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
+ prs_struct *current_pdu,
+ uint8 *p_ss_padding_len)
+{
+ RPC_HDR_AUTH auth_info;
+ uint32 save_offset = prs_offset(current_pdu);
+ uint32 auth_len = prhdr->auth_len;
+ NTLMSSP_STATE *ntlmssp_state = cli->auth.a_u.ntlmssp_state;
+ unsigned char *data = NULL;
+ size_t data_len;
+ unsigned char *full_packet_data = NULL;
+ size_t full_packet_data_len;
+ DATA_BLOB auth_blob;
+ NTSTATUS status;
+
+ if (cli->auth.auth_level == PIPE_AUTH_LEVEL_NONE || cli->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
+ return NT_STATUS_OK;
+ }
- |<------------------PDU len----------------------------------------------->|
- |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
+ if (!ntlmssp_state) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- +------------+-----------------+-------------+---------------+-------------+
- | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
- +------------+-----------------+-------------+---------------+-------------+
+ /* Ensure there's enough data for an authenticated response. */
+ if ((auth_len > RPC_MAX_SIGN_SIZE) ||
+ (RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_AUTH_LEN + auth_len > prhdr->frag_len)) {
+ DEBUG(0,("cli_pipe_verify_ntlmssp: auth_len %u is too large.\n",
+ (unsigned int)auth_len ));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
- Never on bind requests/responses.
- ****************************************************************************/
+ /*
+ * We need the full packet data + length (minus auth stuff) as well as the packet data + length
+ * after the RPC header.
+ * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
+ * functions as NTLMv2 checks the rpc headers also.
+ */
+
+ data = (unsigned char *)(prs_data_p(current_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN);
+ data_len = (size_t)(prhdr->frag_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len);
+
+ full_packet_data = (unsigned char *)prs_data_p(current_pdu);
+ full_packet_data_len = prhdr->frag_len - auth_len;
+
+ /* Pull the auth header and the following data into a blob. */
+ if(!prs_set_offset(current_pdu, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len)) {
+ DEBUG(0,("cli_pipe_verify_ntlmssp: cannot move offset to %u.\n",
+ (unsigned int)RPC_HEADER_LEN + (unsigned int)RPC_HDR_RESP_LEN + (unsigned int)data_len ));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+ if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, current_pdu, 0)) {
+ DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unmarshall RPC_HDR_AUTH.\n"));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+ auth_blob.data = (unsigned char *)prs_data_p(current_pdu) + prs_offset(current_pdu);
+ auth_blob.length = auth_len;
+
+ switch (cli->auth.auth_level) {
+ case PIPE_AUTH_LEVEL_PRIVACY:
+ /* Data is encrypted. */
+ status = ntlmssp_unseal_packet(ntlmssp_state,
+ data, data_len,
+ full_packet_data,
+ full_packet_data_len,
+ &auth_blob);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unseal "
+ "packet from remote machine %s on pipe %s "
+ "fnum 0x%x. Error was %s.\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum,
+ nt_errstr(status) ));
+ return status;
+ }
+ break;
+ case PIPE_AUTH_LEVEL_INTEGRITY:
+ /* Data is signed. */
+ status = ntlmssp_check_packet(ntlmssp_state,
+ data, data_len,
+ full_packet_data,
+ full_packet_data_len,
+ &auth_blob);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("cli_pipe_verify_ntlmssp: check signing failed on "
+ "packet from remote machine %s on pipe %s "
+ "fnum 0x%x. Error was %s.\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum,
+ nt_errstr(status) ));
+ return status;
+ }
+ break;
+ default:
+ DEBUG(0,("cli_pipe_verify_ntlmssp: unknown internal auth level %d\n",
+ cli->auth.auth_level ));
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
-static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
- uint32 fragment_start, int len, int auth_len, uint8 pkt_type,
- int *pauth_padding_len)
-{
-
/*
- * The following is that length of the data we must sign or seal.
- * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
- * preceeding the auth_data.
+ * Return the current pointer to the data offset.
*/
- int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
+ if(!prs_set_offset(current_pdu, save_offset)) {
+ DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
+ (unsigned int)save_offset ));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
/*
- * The start of the data to sign/seal is just after the RPC headers.
+ * Remember the padding length. We must remove it from the real data
+ * stream once the sign/seal is done.
*/
- char *reply_data = prs_data_p(rdata) + fragment_start + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
- RPC_HDR_AUTH rhdr_auth;
+ *p_ss_padding_len = auth_info.auth_pad_len;
- char *dp = prs_data_p(rdata) + fragment_start + len -
- RPC_HDR_AUTH_LEN - auth_len;
- prs_struct auth_verf;
+ return NT_STATUS_OK;
+}
- *pauth_padding_len = 0;
+/****************************************************************************
+ schannel specific sign/seal.
+ ****************************************************************************/
- if (auth_len == 0) {
- if (cli->pipe_auth_flags == 0) {
- /* move along, nothing to see here */
- return True;
- }
+static NTSTATUS cli_pipe_verify_schannel(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
+ prs_struct *current_pdu,
+ uint8 *p_ss_padding_len)
+{
+ RPC_HDR_AUTH auth_info;
+ RPC_AUTH_SCHANNEL_CHK schannel_chk;
+ uint32 auth_len = prhdr->auth_len;
+ uint32 save_offset = prs_offset(current_pdu);
+ struct schannel_auth_struct *schannel_auth = cli->auth.a_u.schannel_auth;
+ uint32 data_len;
+
+ if (cli->auth.auth_level == PIPE_AUTH_LEVEL_NONE || cli->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
+ return NT_STATUS_OK;
+ }
- DEBUG(2, ("No authenticaton header recienved on reply, but this pipe is authenticated\n"));
- return False;
+ if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+ DEBUG(0,("cli_pipe_verify_schannel: auth_len %u.\n", (unsigned int)auth_len ));
+ return NT_STATUS_INVALID_PARAMETER;
}
- DEBUG(5,("rpc_auth_pipe: pkt_type: %d len: %d auth_len: %d NTLMSSP %s schannel %s sign %s seal %s \n",
- pkt_type, len, auth_len,
- BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP),
- BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_NETSEC),
- BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SIGN),
- BOOLSTR(cli->pipe_auth_flags & AUTH_PIPE_SEAL)));
+ if (!schannel_auth) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- if (dp - prs_data_p(rdata) > prs_data_size(rdata)) {
- DEBUG(0,("rpc_auth_pipe: schannel auth data > data size !\n"));
- return False;
+ /* Ensure there's enough data for an authenticated response. */
+ if ((auth_len > RPC_MAX_SIGN_SIZE) ||
+ (RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_AUTH_LEN + auth_len > prhdr->frag_len)) {
+ DEBUG(0,("cli_pipe_verify_schannel: auth_len %u is too large.\n",
+ (unsigned int)auth_len ));
+ return NT_STATUS_INVALID_PARAMETER;
}
- DEBUG(10,("rpc_auth_pipe: packet:\n"));
- dump_data(100, dp, auth_len);
+ data_len = prhdr->frag_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
- prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
-
- /* The endinness must be preserved. JRA. */
- prs_set_endian_data( &auth_verf, rdata->bigendian_data);
-
- /* Point this new parse struct at the auth section of the main
- parse struct - rather than copying it. Avoids needing to
- free it on every error
- */
- prs_give_memory(&auth_verf, dp, RPC_HDR_AUTH_LEN + auth_len, False /* not dynamic */);
- prs_set_offset(&auth_verf, 0);
+ if(!prs_set_offset(current_pdu, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len)) {
+ DEBUG(0,("cli_pipe_verify_schannel: cannot move offset to %u.\n",
+ (unsigned int)RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len ));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
- {
- int auth_type;
- int auth_level;
- if (!smb_io_rpc_hdr_auth("auth_hdr", &rhdr_auth, &auth_verf, 0)) {
- DEBUG(0, ("rpc_auth_pipe: Could not parse auth header\n"));
- return False;
- }
+ if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, current_pdu, 0)) {
+ DEBUG(0,("cli_pipe_verify_schannel: failed to unmarshall RPC_HDR_AUTH.\n"));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+ if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
+ DEBUG(0,("cli_pipe_verify_schannel: Invalid auth info %d on schannel\n",
+ auth_info.auth_type));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
- /* Let the caller know how much padding at the end of the data */
- *pauth_padding_len = rhdr_auth.padding;
-
- /* Check it's the type of reply we were expecting to decode */
+ if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
+ &schannel_chk, current_pdu, 0)) {
+ DEBUG(0,("cli_pipe_verify_schannel: failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
- get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
- if (rhdr_auth.auth_type != auth_type) {
- DEBUG(0, ("BAD auth type %d (should be %d)\n",
- rhdr_auth.auth_type, auth_type));
- return False;
- }
-
- if (rhdr_auth.auth_level != auth_level) {
- DEBUG(0, ("BAD auth level %d (should be %d)\n",
- rhdr_auth.auth_level, auth_level));
- return False;
- }
+ if (!schannel_decode(schannel_auth,
+ cli->auth.auth_level,
+ SENDER_IS_ACCEPTOR,
+ &schannel_chk,
+ prs_data_p(current_pdu)+RPC_HEADER_LEN+RPC_HDR_RESP_LEN,
+ data_len)) {
+ DEBUG(3,("cli_pipe_verify_schannel: failed to decode PDU "
+ "Connection to remote machine %s "
+ "pipe %s fnum 0x%x.\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum ));
+ return NT_STATUS_INVALID_PARAMETER;
}
- if (pkt_type == RPC_BINDACK) {
- if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
- /* copy the next auth_len bytes into a buffer for
- later use */
+ /* The sequence number gets incremented on both send and receive. */
+ schannel_auth->seq_num++;
- DATA_BLOB ntlmssp_verf = data_blob(NULL, auth_len);
- BOOL store_ok;
+ /*
+ * Return the current pointer to the data offset.
+ */
+
+ if(!prs_set_offset(current_pdu, save_offset)) {
+ DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
+ (unsigned int)save_offset ));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+ /*
+ * Remember the padding length. We must remove it from the real data
+ * stream once the sign/seal is done.
+ */
+
+ *p_ss_padding_len = auth_info.auth_pad_len;
- /* save the reply away, for use a little later */
- prs_copy_data_out((char *)ntlmssp_verf.data, &auth_verf, auth_len);
+ return NT_STATUS_OK;
+}
+
+/****************************************************************************
+ Do the authentication checks on an incoming pdu. Check sign and unseal etc.
+ ****************************************************************************/
+
+static NTSTATUS cli_pipe_validate_rpc_response(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
+ prs_struct *current_pdu,
+ uint8 *p_ss_padding_len)
+{
+ NTSTATUS ret = NT_STATUS_OK;
- store_ok = (NT_STATUS_IS_OK(ntlmssp_store_response(cli->ntlmssp_pipe_state,
- ntlmssp_verf)));
+ /* Paranioa checks for auth_len. */
+ if (prhdr->auth_len) {
+ if (prhdr->auth_len > prhdr->frag_len) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- data_blob_free(&ntlmssp_verf);
- return store_ok;
- }
- else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
- /* nothing to do here - we don't seem to be able to
- validate the bindack based on VL's comments */
- return True;
+ if (prhdr->auth_len + RPC_HDR_AUTH_LEN < prhdr->auth_len ||
+ prhdr->auth_len + RPC_HDR_AUTH_LEN < RPC_HDR_AUTH_LEN) {
+ /* Integer wrap attempt. */
+ return NT_STATUS_INVALID_PARAMETER;
}
}
-
- if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
- NTSTATUS nt_status;
- DATA_BLOB sig;
- if ((cli->pipe_auth_flags & AUTH_PIPE_SIGN) ||
- (cli->pipe_auth_flags & AUTH_PIPE_SEAL)) {
- if (auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) {
- DEBUG(0,("rpc_auth_pipe: wrong ntlmssp auth len %d\n", auth_len));
- return False;
+
+ /*
+ * Now we have a complete RPC request PDU fragment, try and verify any auth data.
+ */
+
+ switch(cli->auth.auth_type) {
+ case PIPE_AUTH_TYPE_NONE:
+ if (prhdr->auth_len) {
+ DEBUG(3, ("cli_pipe_validate_rpc_response: Connection to remote machine %s "
+ "pipe %s fnum 0x%x - got non-zero auth len %u.\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum,
+ (unsigned int)prhdr->auth_len ));
+ return NT_STATUS_INVALID_PARAMETER;
}
- sig = data_blob(NULL, auth_len);
- prs_copy_data_out((char *)sig.data, &auth_verf, auth_len);
- }
-
- /*
- * Unseal any sealed data in the PDU, not including the
- * 8 byte auth_header or the auth_data.
- */
+ break;
- /*
- * Now unseal and check the auth verifier in the auth_data at
- * the end of the packet.
- */
+ case PIPE_AUTH_TYPE_NTLMSSP:
+ case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ ret = cli_pipe_verify_ntlmssp(cli, prhdr, current_pdu, p_ss_padding_len);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
+ break;
- if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
- if (data_len < 0) {
- DEBUG(1, ("Can't unseal - data_len < 0!!\n"));
- return False;
+ case PIPE_AUTH_TYPE_SCHANNEL:
+ ret = cli_pipe_verify_schannel(cli, prhdr, current_pdu, p_ss_padding_len);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return ret;
}
- nt_status = ntlmssp_unseal_packet(cli->ntlmssp_pipe_state,
- (unsigned char *)reply_data, data_len,
- &sig);
- }
- else if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
- nt_status = ntlmssp_check_packet(cli->ntlmssp_pipe_state,
- (const unsigned char *)reply_data, data_len,
- &sig);
- }
+ break;
+
+ case PIPE_AUTH_TYPE_KRB5:
+ case PIPE_AUTH_TYPE_SPNEGO_KRB5:
+ default:
+ DEBUG(3, ("cli_pipe_validate_rpc_response: Connection to remote machine %s "
+ "pipe %s fnum %x - unknown internal auth type %u.\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum,
+ cli->auth.auth_type ));
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+ return NT_STATUS_OK;
+}
- data_blob_free(&sig);
+/****************************************************************************
+ Do basic authentication checks on an incoming pdu.
+ ****************************************************************************/
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("rpc_auth_pipe: could not validate "
- "incoming NTLMSSP packet!\n"));
- return False;
- }
+static NTSTATUS cli_pipe_validate_current_pdu(struct rpc_pipe_client *cli, RPC_HDR *prhdr,
+ prs_struct *current_pdu,
+ uint8 expected_pkt_type,
+ char **ppdata,
+ uint32 *pdata_len,
+ prs_struct *return_data)
+{
+
+ NTSTATUS ret = NT_STATUS_OK;
+ uint32 current_pdu_len = prs_data_size(current_pdu);
+
+ if (current_pdu_len != prhdr->frag_len) {
+ DEBUG(5,("cli_pipe_validate_current_pdu: incorrect pdu length %u, expected %u\n",
+ (unsigned int)current_pdu_len, (unsigned int)prhdr->frag_len ));
+ return NT_STATUS_INVALID_PARAMETER;
}
- if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
- RPC_AUTH_NETSEC_CHK chk;
+ /*
+ * Point the return values at the real data including the RPC
+ * header. Just in case the caller wants it.
+ */
+ *ppdata = prs_data_p(current_pdu);
+ *pdata_len = current_pdu_len;
+
+ /* Ensure we have the correct type. */
+ switch (prhdr->pkt_type) {
+ case RPC_ALTCONTRESP:
+ case RPC_BINDACK:
- if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
- DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len));
- return False;
- }
+ /* Alter context and bind ack share the same packet definitions. */
+ break;
+
+
+ case RPC_RESPONSE:
+ {
+ RPC_HDR_RESP rhdr_resp;
+ uint8 ss_padding_len = 0;
+
+ if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, current_pdu, 0)) {
+ DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_RESP.\n"));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+ /* Here's where we deal with incoming sign/seal. */
+ ret = cli_pipe_validate_rpc_response(cli, prhdr,
+ current_pdu, &ss_padding_len);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return ret;
+ }
+
+ /* Point the return values at the NDR data. Remember to remove any ss padding. */
+ *ppdata = prs_data_p(current_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
+
+ if (current_pdu_len < RPC_HEADER_LEN + RPC_HDR_RESP_LEN + ss_padding_len) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
- if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign",
- &chk, &auth_verf, 0)) {
- DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling "
- "RPC_AUTH_NETSECK_CHK failed\n"));
- return False;
+ *pdata_len = current_pdu_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - ss_padding_len;
+
+ /* Remember to remove the auth footer. */
+ if (prhdr->auth_len) {
+ /* We've already done integer wrap tests on auth_len in
+ cli_pipe_validate_rpc_response(). */
+ if (*pdata_len < RPC_HDR_AUTH_LEN + prhdr->auth_len) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+ *pdata_len -= (RPC_HDR_AUTH_LEN + prhdr->auth_len);
+ }
+
+ DEBUG(10,("cli_pipe_validate_current_pdu: got pdu len %u, data_len %u, ss_len %u\n",
+ current_pdu_len, *pdata_len, ss_padding_len ));
+
+ /*
+ * If this is the first reply, and the allocation hint is reasonably, try and
+ * set up the return_data parse_struct to the correct size.
+ */
+
+ if ((prs_data_size(return_data) == 0) && rhdr_resp.alloc_hint && (rhdr_resp.alloc_hint < 15*1024*1024)) {
+ if (!prs_set_buffer_size(return_data, rhdr_resp.alloc_hint)) {
+ DEBUG(0,("cli_pipe_validate_current_pdu: reply alloc hint %u "
+ "too large to allocate\n",
+ (unsigned int)rhdr_resp.alloc_hint ));
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ break;
}
- if (!netsec_decode(&cli->auth_info,
- cli->pipe_auth_flags,
- SENDER_IS_ACCEPTOR,
- &chk, reply_data, data_len)) {
- DEBUG(0, ("rpc_auth_pipe: Could not decode schannel\n"));
- return False;
+ case RPC_BINDNACK:
+ DEBUG(1, ("cli_pipe_validate_current_pdu: Bind NACK received from remote machine %s "
+ "pipe %s fnum 0x%x!\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum));
+ /* Use this for now... */
+ return NT_STATUS_NETWORK_ACCESS_DENIED;
+
+ case RPC_FAULT:
+ {
+ RPC_HDR_RESP rhdr_resp;
+ RPC_HDR_FAULT fault_resp;
+
+ if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, current_pdu, 0)) {
+ DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_RESP.\n"));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+ if(!smb_io_rpc_hdr_fault("fault", &fault_resp, current_pdu, 0)) {
+ DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_FAULT.\n"));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+ DEBUG(1, ("cli_pipe_validate_current_pdu: RPC fault code %s received from remote machine %s "
+ "pipe %s fnum 0x%x!\n",
+ dcerpc_errstr(NT_STATUS_V(fault_resp.status)),
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum));
+ if (NT_STATUS_IS_OK(fault_resp.status)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ } else {
+ return fault_resp.status;
+ }
}
- cli->auth_info.seq_num++;
+ default:
+ DEBUG(0, ("cli_pipe_validate_current_pdu: unknown packet type %u received "
+ "from remote machine %s pipe %s fnum 0x%x!\n",
+ (unsigned int)prhdr->pkt_type,
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum));
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+ if (prhdr->pkt_type != expected_pkt_type) {
+ DEBUG(3, ("cli_pipe_validate_current_pdu: Connection to remote machine %s "
+ "pipe %s fnum %x got an unexpected RPC packet "
+ "type - %u, not %u\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum,
+ prhdr->pkt_type,
+ expected_pkt_type));
+ return NT_STATUS_INVALID_INFO_CLASS;
}
- return True;
+
+ /* Do this just before return - we don't want to modify any rpc header
+ data before now as we may have needed to do cryptographic actions on
+ it before. */
+
+ if ((prhdr->pkt_type == RPC_BINDACK) && !(prhdr->flags & RPC_FLG_LAST)) {
+ DEBUG(5,("cli_pipe_validate_current_pdu: bug in server (AS/U?), "
+ "setting fragment first/last ON.\n"));
+ prhdr->flags |= RPC_FLG_FIRST|RPC_FLG_LAST;
+ }
+
+ return NT_STATUS_OK;
}
+/****************************************************************************
+ Ensure we eat the just processed pdu from the current_pdu prs_struct.
+ Normally the frag_len and buffer size will match, but on the first trans
+ reply there is a theoretical chance that buffer size > frag_len, so we must
+ deal with that.
+ ****************************************************************************/
+
+static NTSTATUS cli_pipe_reset_current_pdu(struct rpc_pipe_client *cli, RPC_HDR *prhdr, prs_struct *current_pdu)
+{
+ uint32 current_pdu_len = prs_data_size(current_pdu);
+
+ if (current_pdu_len < prhdr->frag_len) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+ /* Common case. */
+ if (current_pdu_len == (uint32)prhdr->frag_len) {
+ prs_mem_free(current_pdu);
+ prs_init_empty(current_pdu, prs_get_mem_context(current_pdu), UNMARSHALL);
+ /* Make current_pdu dynamic with no memory. */
+ prs_give_memory(current_pdu, 0, 0, True);
+ return NT_STATUS_OK;
+ }
+
+ /*
+ * Oh no ! More data in buffer than we processed in current pdu.
+ * Cheat. Move the data down and shrink the buffer.
+ */
+
+ memcpy(prs_data_p(current_pdu), prs_data_p(current_pdu) + prhdr->frag_len,
+ current_pdu_len - prhdr->frag_len);
+
+ /* Remember to set the read offset back to zero. */
+ prs_set_offset(current_pdu, 0);
+
+ /* Shrink the buffer. */
+ if (!prs_set_buffer_size(current_pdu, current_pdu_len - prhdr->frag_len)) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+ return NT_STATUS_OK;
+}
/****************************************************************************
- Send data on an rpc pipe via trans, which *must* be the last fragment.
- receive response data from an rpc pipe, which may be large...
+ Send data on an rpc pipe via trans. The prs_struct data must be the last
+ pdu fragment of an NDR data stream.
+
+ Receive response data from an rpc pipe, which may be large...
Read the first fragment: unfortunately have to use SMBtrans for the first
bit, then SMBreadX for subsequent bits.
| RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
+------------+-----------------+-------------+---------------+-------------+
- Where the presence of the AUTH_HDR and AUTH are dependent on the
+ Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
signing & sealing being negotiated.
****************************************************************************/
-static BOOL rpc_api_pipe(struct cli_state *cli, prs_struct *data, prs_struct *rdata,
- uint8 expected_pkt_type)
+static NTSTATUS rpc_api_pipe(struct rpc_pipe_client *cli,
+ prs_struct *data, /* Outgoing pdu fragment, already formatted for send. */
+ prs_struct *rbuf, /* Incoming reply - return as an NDR stream. */
+ uint8 expected_pkt_type)
{
- uint32 len;
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
char *rparam = NULL;
uint32 rparam_len = 0;
uint16 setup[2];
- BOOL first = True;
- BOOL last = True;
- RPC_HDR rhdr;
- char *pdata = data ? prs_data_p(data) : NULL;
- uint32 data_len = data ? prs_offset(data) : 0;
+ char *pdata = prs_data_p(data);
+ uint32 data_len = prs_offset(data);
char *prdata = NULL;
uint32 rdata_len = 0;
- uint32 current_offset = 0;
- uint32 fragment_start = 0;
- uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : 1024;
- int auth_padding_len = 0;
+ uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : RPC_MAX_PDU_FRAG_LEN;
+ uint32 current_rbuf_offset = 0;
+ prs_struct current_pdu;
- /* Create setup parameters - must be in native byte order. */
+#ifdef DEVELOPER
+ /* Ensure we're not sending too much. */
+ SMB_ASSERT(data_len <= max_data);
+#endif
+ /* Set up the current pdu parse struct. */
+ prs_init_empty(¤t_pdu, prs_get_mem_context(rbuf), UNMARSHALL);
+
+ /* Create setup parameters - must be in native byte order. */
setup[0] = TRANSACT_DCERPCCMD;
- setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
+ setup[1] = cli->fnum; /* Pipe file handle. */
- DEBUG(5,("rpc_api_pipe: fnum:%x\n", (int)cli->nt_pipe_fnum));
+ DEBUG(5,("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum ));
- /* Send the RPC request and receive a response. For short RPC
- calls (about 1024 bytes or so) the RPC request and response
- appears in a SMBtrans request and response. Larger RPC
- responses are received further on. */
+ /*
+ * Send the last (or only) fragment of an RPC request. For small
+ * amounts of data (about 1024 bytes or so) the RPC request and response
+ * appears in a SMBtrans request and response.
+ */
- if (!cli_api_pipe(cli, "\\PIPE\\",
+ if (!cli_api_pipe(cli->cli, "\\PIPE\\",
setup, 2, 0, /* Setup, length, max */
NULL, 0, 0, /* Params, length, max */
pdata, data_len, max_data, /* data, length, max */
&rparam, &rparam_len, /* return params, len */
&prdata, &rdata_len)) /* return data, len */
{
- DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
- return False;
+ DEBUG(0, ("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x "
+ "returned critical error. Error was %s\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum,
+ cli_errstr(cli->cli)));
+ ret = cli_get_nt_error(cli->cli);
+ SAFE_FREE(rparam);
+ SAFE_FREE(prdata);
+ goto err;
}
/* Throw away returned params - we know we won't use them. */
SAFE_FREE(rparam);
if (prdata == NULL) {
- DEBUG(0,("rpc_api_pipe: pipe %x failed to return data.\n",
- (int)cli->nt_pipe_fnum));
- return False;
+ DEBUG(3,("rpc_api_pipe: Remote machine %s pipe %s "
+ "fnum 0x%x failed to return data.\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum));
+ /* Yes - some calls can truely return no data... */
+ prs_mem_free(¤t_pdu);
+ return NT_STATUS_OK;
}
/*
- * Give this memory as dynamically allocated to the return parse
- * struct.
+ * Give this memory as dynamic to the current pdu.
*/
- prs_give_memory(rdata, prdata, rdata_len, True);
- current_offset = rdata_len;
-
- /* This next call sets the endian bit correctly in rdata. */
+ prs_give_memory(¤t_pdu, prdata, rdata_len, True);
- if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
- prs_mem_free(rdata);
- return False;
- }
+ /* Ensure we can mess with the return prs_struct. */
+ SMB_ASSERT(UNMARSHALLING(rbuf));
+ SMB_ASSERT(prs_data_size(rbuf) == 0);
- if (rhdr.pkt_type == RPC_BINDACK) {
- if (!last && !first) {
- DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
- first = True;
- last = True;
- }
- }
+ /* Make rbuf dynamic with no memory. */
+ prs_give_memory(rbuf, 0, 0, True);
- if (rhdr.pkt_type == RPC_BINDNACK) {
- DEBUG(3, ("Bind NACK received on pipe %x!\n", (int)cli->nt_pipe_fnum));
- prs_mem_free(rdata);
- return False;
- }
+ while(1) {
+ RPC_HDR rhdr;
+ char *ret_data;
+ uint32 ret_data_len;
- if (rhdr.pkt_type == RPC_RESPONSE) {
- RPC_HDR_RESP rhdr_resp;
- if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
- DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
- prs_mem_free(rdata);
- return False;
+ /* Ensure we have enough data for a pdu. */
+ ret = cli_pipe_get_current_pdu(cli, &rhdr, ¤t_pdu);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto err;
}
- }
-
- if (rhdr.pkt_type != expected_pkt_type) {
- DEBUG(3, ("Connection to pipe %x got an unexpected RPC packet type - %d, not %d\n", (int)cli->nt_pipe_fnum, rhdr.pkt_type, expected_pkt_type));
- prs_mem_free(rdata);
- return False;
- }
- DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
- (unsigned int)len, (unsigned int)rdata_len ));
+ /* We pass in rbuf here so if the alloc hint is set correctly
+ we can set the output size and avoid reallocs. */
- /* check if data to be sent back was too large for one SMBtrans */
- /* err status is only informational: the _real_ check is on the
- length */
+ ret = cli_pipe_validate_current_pdu(cli, &rhdr, ¤t_pdu, expected_pkt_type,
+ &ret_data, &ret_data_len, rbuf);
- if (len > 0) {
- /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
+ DEBUG(10,("rpc_api_pipe: got PDU len of %u at offset %u\n",
+ prs_data_size(¤t_pdu), current_rbuf_offset ));
- /* Read the remaining part of the first response fragment */
-
- if (!rpc_read(cli, rdata, len, ¤t_offset)) {
- prs_mem_free(rdata);
- return False;
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto err;
}
- }
- /*
- * Now we have a complete PDU, check the auth struct if any was sent.
- */
-
- if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
- rhdr.auth_len, rhdr.pkt_type, &auth_padding_len)) {
- prs_mem_free(rdata);
- return False;
- }
+ if ((rhdr.flags & RPC_FLG_FIRST)) {
+ if (rhdr.pack_type[0] == 0) {
+ /* Set the data type correctly for big-endian data on the first packet. */
+ DEBUG(10,("rpc_api_pipe: On machine %s pipe %s fnum 0x%x "
+ "PDU data format is big-endian.\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum));
+
+ prs_set_endian_data(rbuf, RPC_BIG_ENDIAN);
+ } else {
+ /* Check endianness on subsequent packets. */
+ if (current_pdu.bigendian_data != rbuf->bigendian_data) {
+ DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
+ rbuf->bigendian_data ? "big" : "little",
+ current_pdu.bigendian_data ? "big" : "little" ));
+ ret = NT_STATUS_INVALID_PARAMETER;
+ goto err;
+ }
+ }
+ }
- if (rhdr.auth_len != 0) {
- /*
- * Drop the auth footers from the current offset.
- * We need this if there are more fragments.
- * The auth footers consist of the auth_data and the
- * preceeding 8 byte auth_header.
- */
- current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
- }
-
- /*
- * Only one rpc fragment, and it has been read.
- */
+ /* Now copy the data portion out of the pdu into rbuf. */
+ if (!prs_force_grow(rbuf, ret_data_len)) {
+ ret = NT_STATUS_NO_MEMORY;
+ goto err;
+ }
+ memcpy(prs_data_p(rbuf)+current_rbuf_offset, ret_data, (size_t)ret_data_len);
+ current_rbuf_offset += ret_data_len;
+
+ /* See if we've finished with all the data in current_pdu yet ? */
+ ret = cli_pipe_reset_current_pdu(cli, &rhdr, ¤t_pdu);
+ if (!NT_STATUS_IS_OK(ret)) {
+ goto err;
+ }
- if (first && last) {
- DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
- return True;
+ if (rhdr.flags & RPC_FLG_LAST) {
+ break; /* We're done. */
+ }
}
- /*
- * Read more fragments using SMBreadX until we get one with the
- * last bit set.
- */
-
- while (!last) {
- RPC_HDR_RESP rhdr_resp;
- int num_read;
- char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
- prs_struct hps;
- uint8 eclass;
- uint32 ecode;
-
- /*
- * First read the header of the next PDU.
- */
-
- prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
- prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
+ DEBUG(10,("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x returned %u bytes.\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum,
+ (unsigned int)prs_data_size(rbuf) ));
- num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
- if (cli_is_dos_error(cli)) {
- cli_dos_error(cli, &eclass, &ecode);
- if (eclass != ERRDOS && ecode != ERRmoredata) {
- DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
- return False;
- }
- }
+ prs_mem_free(¤t_pdu);
+ return NT_STATUS_OK;
- DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
+ err:
- if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
- DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
- RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
- return False;
- }
+ prs_mem_free(¤t_pdu);
+ prs_mem_free(rbuf);
+ return ret;
+}
- /* This call sets the endianness in hps. */
+/*******************************************************************
+ Creates krb5 auth bind.
+ ********************************************************************/
- if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
- return False;
+static NTSTATUS create_krb5_auth_bind_req( struct rpc_pipe_client *cli,
+ enum pipe_auth_level auth_level,
+ RPC_HDR_AUTH *pauth_out,
+ prs_struct *auth_data)
+{
+#ifdef HAVE_KRB5
+ int ret;
+ struct kerberos_auth_struct *a = cli->auth.a_u.kerberos_auth;
+ DATA_BLOB tkt = data_blob_null;
+ DATA_BLOB tkt_wrapped = data_blob_null;
- /* Ensure the endianness in rdata is set correctly - must be same as hps. */
+ /* We may change the pad length before marshalling. */
+ init_rpc_hdr_auth(pauth_out, RPC_KRB5_AUTH_TYPE, (int)auth_level, 0, 1);
- if (hps.bigendian_data != rdata->bigendian_data) {
- DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
- rdata->bigendian_data ? "big" : "little",
- hps.bigendian_data ? "big" : "little" ));
- return False;
- }
+ DEBUG(5, ("create_krb5_auth_bind_req: creating a service ticket for principal %s\n",
+ a->service_principal ));
- if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
- DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
- return False;
- }
+ /* Create the ticket for the service principal and return it in a gss-api wrapped blob. */
- if (first) {
- DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
- return False;
- }
+ ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt,
+ &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL);
- /*
- * Now read the rest of the PDU.
- */
+ if (ret) {
+ DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s "
+ "failed with %s\n",
+ a->service_principal,
+ error_message(ret) ));
- if (!rpc_read(cli, rdata, len, ¤t_offset)) {
- prs_mem_free(rdata);
- return False;
- }
+ data_blob_free(&tkt);
+ prs_mem_free(auth_data);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- fragment_start = current_offset - len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
+ /* wrap that up in a nice GSS-API wrapping */
+ tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
- /*
- * Verify any authentication footer.
- */
+ data_blob_free(&tkt);
-
- if(!rpc_auth_pipe(cli, rdata, fragment_start, rhdr.frag_len,
- rhdr.auth_len, rhdr.pkt_type, &auth_padding_len)) {
- prs_mem_free(rdata);
- return False;
- }
-
- if (rhdr.auth_len != 0 ) {
-
- /*
- * Drop the auth footers from the current offset.
- * The auth footers consist of the auth_data and the
- * preceeding 8 byte auth_header.
- * We need this if there are more fragments.
- */
- current_offset -= (auth_padding_len + RPC_HDR_AUTH_LEN + rhdr.auth_len);
- }
+ /* Auth len in the rpc header doesn't include auth_header. */
+ if (!prs_copy_data_in(auth_data, (char *)tkt_wrapped.data, tkt_wrapped.length)) {
+ data_blob_free(&tkt_wrapped);
+ prs_mem_free(auth_data);
+ return NT_STATUS_NO_MEMORY;
}
- return True;
+ DEBUG(5, ("create_krb5_auth_bind_req: Created krb5 GSS blob :\n"));
+ dump_data(5, tkt_wrapped.data, tkt_wrapped.length);
+
+ data_blob_free(&tkt_wrapped);
+ return NT_STATUS_OK;
+#else
+ return NT_STATUS_INVALID_PARAMETER;
+#endif
}
/*******************************************************************
- creates a DCE/RPC bind request
-
- - initialises the parse structure.
- - dynamically allocates the header data structure
- - caller is expected to free the header data structure once used.
-
+ Creates SPNEGO NTLMSSP auth bind.
********************************************************************/
-static NTSTATUS create_rpc_bind_req(struct cli_state *cli, prs_struct *rpc_out,
- uint32 rpc_call_id,
- RPC_IFACE *abstract, RPC_IFACE *transfer,
- const char *my_name, const char *domain)
+static NTSTATUS create_spnego_ntlmssp_auth_rpc_bind_req( struct rpc_pipe_client *cli,
+ enum pipe_auth_level auth_level,
+ RPC_HDR_AUTH *pauth_out,
+ prs_struct *auth_data)
{
- RPC_HDR hdr;
- RPC_HDR_RB hdr_rb;
- RPC_HDR_AUTH hdr_auth;
- int auth_len = 0;
- int auth_type, auth_level;
- size_t saved_hdr_offset = 0;
-
- prs_struct auth_info;
- prs_init(&auth_info, RPC_HDR_AUTH_LEN, /* we will need at least this much */
- prs_get_mem_context(rpc_out), MARSHALL);
-
- if (cli->pipe_auth_flags) {
- get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
-
- /*
- * Create the auth structs we will marshall.
- */
-
- init_rpc_hdr_auth(&hdr_auth, auth_type, auth_level, 0x00, 1);
-
- /*
- * Now marshall the data into the temporary parse_struct.
- */
-
- if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
- DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
- prs_mem_free(&auth_info);
- return NT_STATUS_NO_MEMORY;
- }
- saved_hdr_offset = prs_offset(&auth_info);
- }
-
- if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
+ NTSTATUS nt_status;
+ DATA_BLOB null_blob = data_blob_null;
+ DATA_BLOB request = data_blob_null;
+ DATA_BLOB spnego_msg = data_blob_null;
- NTSTATUS nt_status;
- DATA_BLOB null_blob = data_blob(NULL, 0);
- DATA_BLOB request;
+ /* We may change the pad length before marshalling. */
+ init_rpc_hdr_auth(pauth_out, RPC_SPNEGO_AUTH_TYPE, (int)auth_level, 0, 1);
- DEBUG(5, ("Processing NTLMSSP Negotiate\n"));
- nt_status = ntlmssp_update(cli->ntlmssp_pipe_state,
- null_blob,
- &request);
+ DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
+ nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
+ null_blob,
+ &request);
- if (!NT_STATUS_EQUAL(nt_status,
- NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- prs_mem_free(&auth_info);
- return nt_status;
- }
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ data_blob_free(&request);
+ prs_mem_free(auth_data);
+ return nt_status;
+ }
- /* Auth len in the rpc header doesn't include auth_header. */
- auth_len = request.length;
- prs_copy_data_in(&auth_info, (char *)request.data, request.length);
+ /* Wrap this in SPNEGO. */
+ spnego_msg = gen_negTokenInit(OID_NTLMSSP, request);
- DEBUG(5, ("NTLMSSP Negotiate:\n"));
- dump_data(5, (const char *)request.data, request.length);
+ data_blob_free(&request);
- data_blob_free(&request);
+ /* Auth len in the rpc header doesn't include auth_header. */
+ if (!prs_copy_data_in(auth_data, (char *)spnego_msg.data, spnego_msg.length)) {
+ data_blob_free(&spnego_msg);
+ prs_mem_free(auth_data);
+ return NT_STATUS_NO_MEMORY;
+ }
- } else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
- RPC_AUTH_NETSEC_NEG netsec_neg;
+ DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
+ dump_data(5, spnego_msg.data, spnego_msg.length);
- /* Use lp_workgroup() if domain not specified */
+ data_blob_free(&spnego_msg);
+ return NT_STATUS_OK;
+}
- if (!domain || !domain[0]) {
- DEBUG(10,("create_rpc_bind_req: no domain; assuming my own\n"));
- domain = lp_workgroup();
- }
+/*******************************************************************
+ Creates NTLMSSP auth bind.
+ ********************************************************************/
- init_rpc_auth_netsec_neg(&netsec_neg, domain, my_name);
+static NTSTATUS create_ntlmssp_auth_rpc_bind_req( struct rpc_pipe_client *cli,
+ enum pipe_auth_level auth_level,
+ RPC_HDR_AUTH *pauth_out,
+ prs_struct *auth_data)
+{
+ NTSTATUS nt_status;
+ DATA_BLOB null_blob = data_blob_null;
+ DATA_BLOB request = data_blob_null;
- /*
- * Now marshall the data into the temporary parse_struct.
- */
+ /* We may change the pad length before marshalling. */
+ init_rpc_hdr_auth(pauth_out, RPC_NTLMSSP_AUTH_TYPE, (int)auth_level, 0, 1);
- if(!smb_io_rpc_auth_netsec_neg("netsec_neg",
- &netsec_neg, &auth_info, 0)) {
- DEBUG(0,("Failed to marshall RPC_AUTH_NETSEC_NEG.\n"));
- prs_mem_free(&auth_info);
+ DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
+ nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
+ null_blob,
+ &request);
+
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ data_blob_free(&request);
+ prs_mem_free(auth_data);
+ return nt_status;
+ }
+
+ /* Auth len in the rpc header doesn't include auth_header. */
+ if (!prs_copy_data_in(auth_data, (char *)request.data, request.length)) {
+ data_blob_free(&request);
+ prs_mem_free(auth_data);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
+ dump_data(5, request.data, request.length);
+
+ data_blob_free(&request);
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Creates schannel auth bind.
+ ********************************************************************/
+
+static NTSTATUS create_schannel_auth_rpc_bind_req( struct rpc_pipe_client *cli,
+ enum pipe_auth_level auth_level,
+ RPC_HDR_AUTH *pauth_out,
+ prs_struct *auth_data)
+{
+ RPC_AUTH_SCHANNEL_NEG schannel_neg;
+
+ /* We may change the pad length before marshalling. */
+ init_rpc_hdr_auth(pauth_out, RPC_SCHANNEL_AUTH_TYPE, (int)auth_level, 0, 1);
+
+ /* Use lp_workgroup() if domain not specified */
+
+ if (!cli->domain || !cli->domain[0]) {
+ cli->domain = talloc_strdup(cli, lp_workgroup());
+ if (cli->domain == NULL) {
return NT_STATUS_NO_MEMORY;
}
+ }
+
+ init_rpc_auth_schannel_neg(&schannel_neg, cli->domain, global_myname());
- /* Auth len in the rpc header doesn't include auth_header. */
- auth_len = prs_offset(&auth_info) - saved_hdr_offset;
+ /*
+ * Now marshall the data into the auth parse_struct.
+ */
+
+ if(!smb_io_rpc_auth_schannel_neg("schannel_neg",
+ &schannel_neg, auth_data, 0)) {
+ DEBUG(0,("Failed to marshall RPC_AUTH_SCHANNEL_NEG.\n"));
+ prs_mem_free(auth_data);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Creates the internals of a DCE/RPC bind request or alter context PDU.
+ ********************************************************************/
+
+static NTSTATUS create_bind_or_alt_ctx_internal(enum RPC_PKT_TYPE pkt_type,
+ prs_struct *rpc_out,
+ uint32 rpc_call_id,
+ const RPC_IFACE *abstract,
+ const RPC_IFACE *transfer,
+ RPC_HDR_AUTH *phdr_auth,
+ prs_struct *pauth_info)
+{
+ RPC_HDR hdr;
+ RPC_HDR_RB hdr_rb;
+ RPC_CONTEXT rpc_ctx;
+ uint16 auth_len = prs_offset(pauth_info);
+ uint8 ss_padding_len = 0;
+ uint16 frag_len = 0;
+
+ /* create the RPC context. */
+ init_rpc_context(&rpc_ctx, 0 /* context id */, abstract, transfer);
+
+ /* create the bind request RPC_HDR_RB */
+ init_rpc_hdr_rb(&hdr_rb, RPC_MAX_PDU_FRAG_LEN, RPC_MAX_PDU_FRAG_LEN, 0x0, &rpc_ctx);
+
+ /* Start building the frag length. */
+ frag_len = RPC_HEADER_LEN + RPC_HDR_RB_LEN(&hdr_rb);
+
+ /* Do we need to pad ? */
+ if (auth_len) {
+ uint16 data_len = RPC_HEADER_LEN + RPC_HDR_RB_LEN(&hdr_rb);
+ if (data_len % 8) {
+ ss_padding_len = 8 - (data_len % 8);
+ phdr_auth->auth_pad_len = ss_padding_len;
+ }
+ frag_len += RPC_HDR_AUTH_LEN + auth_len + ss_padding_len;
}
/* Create the request RPC_HDR */
- init_rpc_hdr(&hdr, RPC_BIND, 0x3, rpc_call_id,
- RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
- auth_len);
+ init_rpc_hdr(&hdr, pkt_type, RPC_FLG_FIRST|RPC_FLG_LAST, rpc_call_id, frag_len, auth_len);
+ /* Marshall the RPC header */
if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
- DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
- prs_mem_free(&auth_info);
+ DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR.\n"));
return NT_STATUS_NO_MEMORY;
}
- /* create the bind request RPC_HDR_RB */
- init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
- 0x1, 0x0, 0x1, abstract, transfer);
-
/* Marshall the bind request data */
if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
- DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
- prs_mem_free(&auth_info);
+ DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
return NT_STATUS_NO_MEMORY;
}
*/
if(auth_len != 0) {
- if(!prs_append_prs_data( rpc_out, &auth_info)) {
- DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
- prs_mem_free(&auth_info);
+ if (ss_padding_len) {
+ char pad[8];
+ memset(pad, '\0', 8);
+ if (!prs_copy_data_in(rpc_out, pad, ss_padding_len)) {
+ DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall padding.\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if(!smb_io_rpc_hdr_auth("hdr_auth", phdr_auth, rpc_out, 0)) {
+ DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_AUTH.\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+
+ if(!prs_append_prs_data( rpc_out, pauth_info)) {
+ DEBUG(0,("create_bind_or_alt_ctx_internal: failed to grow parse struct to add auth.\n"));
return NT_STATUS_NO_MEMORY;
}
}
- prs_mem_free(&auth_info);
+
return NT_STATUS_OK;
}
/*******************************************************************
- Creates a DCE/RPC bind authentication response.
- This is the packet that is sent back to the server once we
- have received a BIND-ACK, to finish the third leg of
- the authentication handshake.
+ Creates a DCE/RPC bind request.
********************************************************************/
-static NTSTATUS create_rpc_bind_resp(struct cli_state *cli,
- uint32 rpc_call_id,
- prs_struct *rpc_out)
+static NTSTATUS create_rpc_bind_req(struct rpc_pipe_client *cli,
+ prs_struct *rpc_out,
+ uint32 rpc_call_id,
+ const RPC_IFACE *abstract,
+ const RPC_IFACE *transfer,
+ enum pipe_auth_type auth_type,
+ enum pipe_auth_level auth_level)
{
- NTSTATUS nt_status;
- RPC_HDR hdr;
- RPC_HDR_AUTHA hdr_autha;
- DATA_BLOB ntlmssp_null_response = data_blob(NULL, 0);
- DATA_BLOB ntlmssp_reply;
- int auth_type, auth_level;
-
- /* The response is picked up from the internal cache,
- where it was placed by the rpc_auth_pipe() code */
- nt_status = ntlmssp_update(cli->ntlmssp_pipe_state,
- ntlmssp_null_response,
- &ntlmssp_reply);
-
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- return nt_status;
- }
+ RPC_HDR_AUTH hdr_auth;
+ prs_struct auth_info;
+ NTSTATUS ret = NT_STATUS_OK;
- /* Create the request RPC_HDR */
- init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
- RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + ntlmssp_reply.length,
- ntlmssp_reply.length );
-
- /* Marshall it. */
- if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
- DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
- data_blob_free(&ntlmssp_reply);
+ ZERO_STRUCT(hdr_auth);
+ if (!prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL))
return NT_STATUS_NO_MEMORY;
- }
- get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
-
- /* Create the request RPC_HDR_AUTHA */
- init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
- auth_type, auth_level, 0x00);
+ switch (auth_type) {
+ case PIPE_AUTH_TYPE_SCHANNEL:
+ ret = create_schannel_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
+ if (!NT_STATUS_IS_OK(ret)) {
+ prs_mem_free(&auth_info);
+ return ret;
+ }
+ break;
- if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
- DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
- data_blob_free(&ntlmssp_reply);
- return NT_STATUS_NO_MEMORY;
- }
+ case PIPE_AUTH_TYPE_NTLMSSP:
+ ret = create_ntlmssp_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
+ if (!NT_STATUS_IS_OK(ret)) {
+ prs_mem_free(&auth_info);
+ return ret;
+ }
+ break;
- /*
- * Append the auth data to the outgoing buffer.
- */
+ case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ ret = create_spnego_ntlmssp_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
+ if (!NT_STATUS_IS_OK(ret)) {
+ prs_mem_free(&auth_info);
+ return ret;
+ }
+ break;
- if(!prs_copy_data_in(rpc_out, (char *)ntlmssp_reply.data, ntlmssp_reply.length)) {
- DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
- data_blob_free(&ntlmssp_reply);
- return NT_STATUS_NO_MEMORY;
+ case PIPE_AUTH_TYPE_KRB5:
+ ret = create_krb5_auth_bind_req(cli, auth_level, &hdr_auth, &auth_info);
+ if (!NT_STATUS_IS_OK(ret)) {
+ prs_mem_free(&auth_info);
+ return ret;
+ }
+ break;
+
+ case PIPE_AUTH_TYPE_NONE:
+ break;
+
+ default:
+ /* "Can't" happen. */
+ return NT_STATUS_INVALID_INFO_CLASS;
}
- data_blob_free(&ntlmssp_reply);
- return NT_STATUS_OK;
-}
+ ret = create_bind_or_alt_ctx_internal(RPC_BIND,
+ rpc_out,
+ rpc_call_id,
+ abstract,
+ transfer,
+ &hdr_auth,
+ &auth_info);
+ prs_mem_free(&auth_info);
+ return ret;
+}
/*******************************************************************
- Creates a DCE/RPC request.
+ Create and add the NTLMSSP sign/seal auth header and data.
********************************************************************/
-static uint32 create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len, uint8 flags, uint32 oldid, uint32 data_left)
+static NTSTATUS add_ntlmssp_auth_footer(struct rpc_pipe_client *cli,
+ RPC_HDR *phdr,
+ uint32 ss_padding_len,
+ prs_struct *outgoing_pdu)
{
- uint32 alloc_hint;
- RPC_HDR hdr;
- RPC_HDR_REQ hdr_req;
- uint32 callid = oldid ? oldid : get_rpc_call_id();
-
- DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
-
- /* create the rpc header RPC_HDR */
- init_rpc_hdr(&hdr, RPC_REQUEST, flags,
- callid, data_len, auth_len);
+ RPC_HDR_AUTH auth_info;
+ NTSTATUS status;
+ DATA_BLOB auth_blob = data_blob_null;
+ uint16 data_and_pad_len = prs_offset(outgoing_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
- /*
- * The alloc hint should be the amount of data, not including
- * RPC headers & footers.
- */
+ if (!cli->auth.a_u.ntlmssp_state) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- if (auth_len != 0)
- alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
- else
- alloc_hint = data_len - RPC_HEADER_LEN;
+ /* Init and marshall the auth header. */
+ init_rpc_hdr_auth(&auth_info,
+ map_pipe_auth_type_to_rpc_auth_type(cli->auth.auth_type),
+ cli->auth.auth_level,
+ ss_padding_len,
+ 1 /* context id. */);
- DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
- data_len, auth_len, alloc_hint));
+ if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, outgoing_pdu, 0)) {
+ DEBUG(0,("add_ntlmssp_auth_footer: failed to marshall RPC_HDR_AUTH.\n"));
+ data_blob_free(&auth_blob);
+ return NT_STATUS_NO_MEMORY;
+ }
- /* Create the rpc request RPC_HDR_REQ */
- init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
+ switch (cli->auth.auth_level) {
+ case PIPE_AUTH_LEVEL_PRIVACY:
+ /* Data portion is encrypted. */
+ status = ntlmssp_seal_packet(cli->auth.a_u.ntlmssp_state,
+ (unsigned char *)prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
+ data_and_pad_len,
+ (unsigned char *)prs_data_p(outgoing_pdu),
+ (size_t)prs_offset(outgoing_pdu),
+ &auth_blob);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&auth_blob);
+ return status;
+ }
+ break;
+
+ case PIPE_AUTH_LEVEL_INTEGRITY:
+ /* Data is signed. */
+ status = ntlmssp_sign_packet(cli->auth.a_u.ntlmssp_state,
+ (unsigned char *)prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
+ data_and_pad_len,
+ (unsigned char *)prs_data_p(outgoing_pdu),
+ (size_t)prs_offset(outgoing_pdu),
+ &auth_blob);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&auth_blob);
+ return status;
+ }
+ break;
- /* stream-time... */
- if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0))
- return 0;
+ default:
+ /* Can't happen. */
+ smb_panic("bad auth level");
+ /* Notreached. */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
- return 0;
+ /* Finally marshall the blob. */
- if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
- return 0;
+ if (!prs_copy_data_in(outgoing_pdu, (const char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
+ DEBUG(0,("add_ntlmssp_auth_footer: failed to add %u bytes auth blob.\n",
+ (unsigned int)NTLMSSP_SIG_SIZE));
+ data_blob_free(&auth_blob);
+ return NT_STATUS_NO_MEMORY;
+ }
- return callid;
+ data_blob_free(&auth_blob);
+ return NT_STATUS_OK;
}
/*******************************************************************
- Puts an auth header into an rpc request.
+ Create and add the schannel sign/seal auth header and data.
********************************************************************/
-static BOOL create_auth_hdr(prs_struct *outgoing_packet,
- int auth_type,
- int auth_level, int padding)
+static NTSTATUS add_schannel_auth_footer(struct rpc_pipe_client *cli,
+ RPC_HDR *phdr,
+ uint32 ss_padding_len,
+ prs_struct *outgoing_pdu)
{
- RPC_HDR_AUTH hdr_auth;
+ RPC_HDR_AUTH auth_info;
+ RPC_AUTH_SCHANNEL_CHK verf;
+ struct schannel_auth_struct *sas = cli->auth.a_u.schannel_auth;
+ char *data_p = prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
+ size_t data_and_pad_len = prs_offset(outgoing_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
+
+ if (!sas) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- init_rpc_hdr_auth(&hdr_auth, auth_type, auth_level,
- padding, 1);
- if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth,
- outgoing_packet, 0)) {
- DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
- return False;
+ /* Init and marshall the auth header. */
+ init_rpc_hdr_auth(&auth_info,
+ map_pipe_auth_type_to_rpc_auth_type(cli->auth.auth_type),
+ cli->auth.auth_level,
+ ss_padding_len,
+ 1 /* context id. */);
+
+ if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, outgoing_pdu, 0)) {
+ DEBUG(0,("add_schannel_auth_footer: failed to marshall RPC_HDR_AUTH.\n"));
+ return NT_STATUS_NO_MEMORY;
}
- return True;
+
+ switch (cli->auth.auth_level) {
+ case PIPE_AUTH_LEVEL_PRIVACY:
+ case PIPE_AUTH_LEVEL_INTEGRITY:
+ DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
+ sas->seq_num));
+
+ schannel_encode(sas,
+ cli->auth.auth_level,
+ SENDER_IS_INITIATOR,
+ &verf,
+ data_p,
+ data_and_pad_len);
+
+ sas->seq_num++;
+ break;
+
+ default:
+ /* Can't happen. */
+ smb_panic("bad auth level");
+ /* Notreached. */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* Finally marshall the blob. */
+ smb_io_rpc_auth_schannel_chk("",
+ RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
+ &verf,
+ outgoing_pdu,
+ 0);
+
+ return NT_STATUS_OK;
}
-/**
- * Send a request on an RPC pipe and get a response.
- *
- * @param data NDR contents of the request to be sent.
- * @param rdata Unparsed NDR response data.
-**/
+/*******************************************************************
+ Calculate how much data we're going to send in this packet, also
+ work out any sign/seal padding length.
+ ********************************************************************/
-BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
- prs_struct *data, prs_struct *rdata)
+static uint32 calculate_data_len_tosend(struct rpc_pipe_client *cli,
+ uint32 data_left,
+ uint16 *p_frag_len,
+ uint16 *p_auth_len,
+ uint32 *p_ss_padding)
{
- uint32 auth_len, real_auth_len, auth_hdr_len, max_data, data_left, data_sent;
- NTSTATUS nt_status;
- BOOL ret = False;
- uint32 callid = 0;
- fstring dump_name;
+ uint32 data_space, data_len;
+
+ switch (cli->auth.auth_level) {
+ case PIPE_AUTH_LEVEL_NONE:
+ case PIPE_AUTH_LEVEL_CONNECT:
+ data_space = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN;
+ data_len = MIN(data_space, data_left);
+ *p_ss_padding = 0;
+ *p_auth_len = 0;
+ *p_frag_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + data_len;
+ return data_len;
+
+ case PIPE_AUTH_LEVEL_INTEGRITY:
+ case PIPE_AUTH_LEVEL_PRIVACY:
+ /* Treat the same for all authenticated rpc requests. */
+ switch(cli->auth.auth_type) {
+ case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ case PIPE_AUTH_TYPE_NTLMSSP:
+ *p_auth_len = NTLMSSP_SIG_SIZE;
+ break;
+ case PIPE_AUTH_TYPE_SCHANNEL:
+ *p_auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
+ break;
+ default:
+ smb_panic("bad auth type");
+ break;
+ }
- auth_len = 0;
- real_auth_len = 0;
- auth_hdr_len = 0;
+ data_space = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
+ RPC_HDR_AUTH_LEN - *p_auth_len;
- if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
- if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
- auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
- }
- if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
- auth_len = RPC_AUTH_NETSEC_CHK_LEN;
- }
- auth_hdr_len = RPC_HDR_AUTH_LEN;
+ data_len = MIN(data_space, data_left);
+ if (data_len % 8) {
+ *p_ss_padding = 8 - (data_len % 8);
+ }
+ *p_frag_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + /* Normal headers. */
+ data_len + *p_ss_padding + /* data plus padding. */
+ RPC_HDR_AUTH_LEN + *p_auth_len; /* Auth header and auth data. */
+ return data_len;
+
+ default:
+ smb_panic("bad auth level");
+ /* Notreached. */
+ return 0;
}
+}
- /*
- * calc how much actual data we can send in a PDU fragment
- */
- max_data = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
- auth_hdr_len - auth_len - 8;
-
- for (data_left = prs_offset(data), data_sent = 0; data_left > 0;) {
- prs_struct outgoing_packet;
- prs_struct sec_blob;
- uint32 data_len, send_size;
+/*******************************************************************
+ External interface.
+ Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
+ Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
+ and deals with signing/sealing details.
+ ********************************************************************/
+
+NTSTATUS rpc_api_pipe_req(struct rpc_pipe_client *cli,
+ uint8 op_num,
+ prs_struct *in_data,
+ prs_struct *out_data)
+{
+ NTSTATUS ret;
+ uint32 data_left = prs_offset(in_data);
+ uint32 alloc_hint = prs_offset(in_data);
+ uint32 data_sent_thistime = 0;
+ uint32 current_data_offset = 0;
+ uint32 call_id = get_rpc_call_id();
+ char pad[8];
+ prs_struct outgoing_pdu;
+
+ memset(pad, '\0', 8);
+
+ if (cli->max_xmit_frag < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_MAX_SIGN_SIZE) {
+ /* Server is screwed up ! */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!prs_init(&outgoing_pdu, cli->max_xmit_frag, prs_get_mem_context(in_data), MARSHALL))
+ return NT_STATUS_NO_MEMORY;
+
+ while (1) {
+ RPC_HDR hdr;
+ RPC_HDR_REQ hdr_req;
+ uint16 auth_len = 0;
+ uint16 frag_len = 0;
uint8 flags = 0;
- uint32 auth_padding = 0;
- DATA_BLOB sign_blob;
+ uint32 ss_padding = 0;
- /*
- * how much will we send this time
- */
- send_size = MIN(data_left, max_data);
+ data_sent_thistime = calculate_data_len_tosend(cli, data_left,
+ &frag_len, &auth_len, &ss_padding);
- if (!prs_init(&sec_blob, send_size, /* will need at least this much */
- cli->mem_ctx, MARSHALL)) {
- DEBUG(0,("Could not malloc %u bytes",
- send_size+auth_padding));
- return False;
+ if (current_data_offset == 0) {
+ flags = RPC_FLG_FIRST;
}
- if(!prs_append_some_prs_data(&sec_blob, data,
- data_sent, send_size)) {
- DEBUG(0,("Failed to append data to netsec blob\n"));
- prs_mem_free(&sec_blob);
- return False;
+ if (data_sent_thistime == data_left) {
+ flags |= RPC_FLG_LAST;
}
- /*
- * NT expects the data that is sealed to be 8-byte
- * aligned. The padding must be encrypted as well and
- * taken into account when generating the
- * authentication verifier. The amount of padding must
- * be stored in the auth header.
- */
+ /* Create and marshall the header and request header. */
+ init_rpc_hdr(&hdr, RPC_REQUEST, flags, call_id, frag_len, auth_len);
- if (cli->pipe_auth_flags) {
- size_t data_and_padding_size;
- int auth_type;
- int auth_level;
- prs_align_uint64(&sec_blob);
+ if(!smb_io_rpc_hdr("hdr ", &hdr, &outgoing_pdu, 0)) {
+ prs_mem_free(&outgoing_pdu);
+ return NT_STATUS_NO_MEMORY;
+ }
- get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
+ /* Create the rpc request RPC_HDR_REQ */
+ init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
+
+ if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, &outgoing_pdu, 0)) {
+ prs_mem_free(&outgoing_pdu);
+ return NT_STATUS_NO_MEMORY;
+ }
- data_and_padding_size = prs_offset(&sec_blob);
- auth_padding = data_and_padding_size - send_size;
+ /* Copy in the data, plus any ss padding. */
+ if (!prs_append_some_prs_data(&outgoing_pdu, in_data, current_data_offset, data_sent_thistime)) {
+ prs_mem_free(&outgoing_pdu);
+ return NT_STATUS_NO_MEMORY;
+ }
- /* insert the auth header */
-
- if(!create_auth_hdr(&sec_blob, auth_type, auth_level, auth_padding)) {
- prs_mem_free(&sec_blob);
- return False;
+ /* Copy the sign/seal padding data. */
+ if (ss_padding) {
+ if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding)) {
+ prs_mem_free(&outgoing_pdu);
+ return NT_STATUS_NO_MEMORY;
}
-
- /* create an NTLMSSP signature */
- if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
- /*
- * Seal the outgoing data if requested.
- */
- if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
-
- nt_status = ntlmssp_seal_packet(cli->ntlmssp_pipe_state,
- (unsigned char*)prs_data_p(&sec_blob),
- data_and_padding_size,
- &sign_blob);
- if (!NT_STATUS_IS_OK(nt_status)) {
- prs_mem_free(&sec_blob);
- return False;
+ }
+
+ /* Generate any auth sign/seal and add the auth footer. */
+ if (auth_len) {
+ switch (cli->auth.auth_type) {
+ case PIPE_AUTH_TYPE_NONE:
+ break;
+ case PIPE_AUTH_TYPE_NTLMSSP:
+ case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ ret = add_ntlmssp_auth_footer(cli, &hdr, ss_padding, &outgoing_pdu);
+ if (!NT_STATUS_IS_OK(ret)) {
+ prs_mem_free(&outgoing_pdu);
+ return ret;
}
- }
- else if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
-
- nt_status = ntlmssp_sign_packet(cli->ntlmssp_pipe_state,
- (unsigned char*)prs_data_p(&sec_blob),
- data_and_padding_size, &sign_blob);
- if (!NT_STATUS_IS_OK(nt_status)) {
- prs_mem_free(&sec_blob);
- return False;
+ break;
+ case PIPE_AUTH_TYPE_SCHANNEL:
+ ret = add_schannel_auth_footer(cli, &hdr, ss_padding, &outgoing_pdu);
+ if (!NT_STATUS_IS_OK(ret)) {
+ prs_mem_free(&outgoing_pdu);
+ return ret;
}
- }
-
-
- /* write auth footer onto the packet */
- real_auth_len = sign_blob.length;
-
- prs_copy_data_in(&sec_blob, (char *)sign_blob.data, sign_blob.length);
- data_blob_free(&sign_blob);
-
- }
- else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
- size_t parse_offset_marker;
- RPC_AUTH_NETSEC_CHK verf;
- DEBUG(10,("SCHANNEL seq_num=%d\n", cli->auth_info.seq_num));
-
- netsec_encode(&cli->auth_info,
- cli->pipe_auth_flags,
- SENDER_IS_INITIATOR,
- &verf,
- prs_data_p(&sec_blob),
- data_and_padding_size);
-
- cli->auth_info.seq_num++;
-
- /* write auth footer onto the packet */
-
- parse_offset_marker = prs_offset(&sec_blob);
- if (!smb_io_rpc_auth_netsec_chk("", &verf,
- &sec_blob, 0)) {
- prs_mem_free(&sec_blob);
- return False;
- }
- real_auth_len = prs_offset(&sec_blob) - parse_offset_marker;
+ break;
+ default:
+ smb_panic("bad auth type");
+ break; /* notreached */
}
}
- data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(&sec_blob);
+ /* Actually send the packet. */
+ if (flags & RPC_FLG_LAST) {
+ /* Last packet - send the data, get the reply and return. */
+ ret = rpc_api_pipe(cli, &outgoing_pdu, out_data, RPC_RESPONSE);
+ prs_mem_free(&outgoing_pdu);
+
+ if (DEBUGLEVEL >= 50) {
+ char *dump_name = NULL;
+ /* Also capture received data */
+ if (asprintf(&dump_name, "%s/reply_%s_%d",
+ get_dyn_LOGFILEBASE(), cli->pipe_name,
+ op_num) > 0) {
+ prs_dump(dump_name, op_num, out_data);
+ SAFE_FREE(dump_name);
+ }
+ }
- /*
- * Malloc parse struct to hold it (and enough for alignments).
- */
- if(!prs_init(&outgoing_packet, data_len + 8,
- cli->mem_ctx, MARSHALL)) {
- DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
- return False;
+ return ret;
+ } else {
+ /* More packets to come - write and continue. */
+ ssize_t num_written = cli_write(cli->cli, cli->fnum, 8, /* 8 means message mode. */
+ prs_data_p(&outgoing_pdu),
+ (off_t)0,
+ (size_t)hdr.frag_len);
+
+ if (num_written != hdr.frag_len) {
+ prs_mem_free(&outgoing_pdu);
+ return cli_get_nt_error(cli->cli);
+ }
}
- if (data_left == prs_offset(data))
- flags |= RPC_FLG_FIRST;
-
- if (data_left <= max_data)
- flags |= RPC_FLG_LAST;
- /*
- * Write out the RPC header and the request header.
- */
- if(!(callid = create_rpc_request(&outgoing_packet, op_num,
- data_len, real_auth_len, flags,
- callid, data_left))) {
- DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
- prs_mem_free(&outgoing_packet);
- prs_mem_free(&sec_blob);
- return False;
- }
+ current_data_offset += data_sent_thistime;
+ data_left -= data_sent_thistime;
- prs_append_prs_data(&outgoing_packet, &sec_blob);
- prs_mem_free(&sec_blob);
-
- DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len,
- prs_offset(&outgoing_packet)));
-
- if (flags & RPC_FLG_LAST)
- ret = rpc_api_pipe(cli, &outgoing_packet,
- rdata, RPC_RESPONSE);
- else {
- cli_write(cli, cli->nt_pipe_fnum, 0x0008,
- prs_data_p(&outgoing_packet),
- data_sent, data_len);
+ /* Reset the marshalling position back to zero. */
+ if (!prs_set_offset(&outgoing_pdu, 0)) {
+ prs_mem_free(&outgoing_pdu);
+ return NT_STATUS_NO_MEMORY;
}
- prs_mem_free(&outgoing_packet);
- data_sent += send_size;
- data_left -= send_size;
}
- /* Also capture received data */
- slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
- cli_pipe_get_name(cli));
- prs_dump(dump_name, op_num, rdata);
-
- return ret;
}
-
+#if 0
/****************************************************************************
Set the handle state.
****************************************************************************/
-static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, const char *pipe_name, uint16 device_state)
+static bool rpc_pipe_set_hnd_state(struct rpc_pipe_client *cli,
+ const char *pipe_name, uint16 device_state)
{
- BOOL state_set = False;
+ bool state_set = False;
char param[2];
uint16 setup[2]; /* only need 2 uint16 setup parameters */
char *rparam = NULL;
return False;
DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
- cli->nt_pipe_fnum, pipe_name, device_state));
+ cli->fnum, pipe_name, device_state));
/* create parameters: device state */
SSVAL(param, 0, device_state);
/* create setup parameters. */
setup[0] = 0x0001;
- setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
+ setup[1] = cli->fnum; /* pipe file handle. got this from an SMBOpenX. */
/* send the data on \PIPE\ */
- if (cli_api_pipe(cli, "\\PIPE\\",
+ if (cli_api_pipe(cli->cli, "\\PIPE\\",
setup, 2, 0, /* setup, length, max */
param, 2, 0, /* param, length, max */
NULL, 0, 1024, /* data, length, max */
return state_set;
}
+#endif
/****************************************************************************
- check the rpc bind acknowledge response
+ Check the rpc bind acknowledge response.
****************************************************************************/
-int get_pipe_index( const char *pipe_name )
+static bool check_bind_response(RPC_HDR_BA *hdr_ba, const RPC_IFACE *transfer)
{
- int pipe_idx = 0;
+ if ( hdr_ba->addr.len == 0) {
+ DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
+ }
+
+ /* check the transfer syntax */
+ if ((hdr_ba->transfer.if_version != transfer->if_version) ||
+ (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
+ DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
+ return False;
+ }
- while (pipe_names[pipe_idx].client_pipe != NULL) {
- if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
- return pipe_idx;
- pipe_idx++;
- };
+ if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
+ DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
+ hdr_ba->res.num_results, hdr_ba->res.reason));
+ }
- return -1;
+ DEBUG(5,("check_bind_response: accepted!\n"));
+ return True;
}
+/*******************************************************************
+ Creates a DCE/RPC bind authentication response.
+ This is the packet that is sent back to the server once we
+ have received a BIND-ACK, to finish the third leg of
+ the authentication handshake.
+ ********************************************************************/
-/****************************************************************************
- check the rpc bind acknowledge response
-****************************************************************************/
-
-const char* get_pipe_name_from_index( const int pipe_index )
+static NTSTATUS create_rpc_bind_auth3(struct rpc_pipe_client *cli,
+ uint32 rpc_call_id,
+ enum pipe_auth_type auth_type,
+ enum pipe_auth_level auth_level,
+ DATA_BLOB *pauth_blob,
+ prs_struct *rpc_out)
{
+ RPC_HDR hdr;
+ RPC_HDR_AUTH hdr_auth;
+ uint32 pad = 0;
- if ( (pipe_index < 0) || (pipe_index >= PI_MAX_PIPES) )
- return NULL;
+ /* Create the request RPC_HDR */
+ init_rpc_hdr(&hdr, RPC_AUTH3, RPC_FLG_FIRST|RPC_FLG_LAST, rpc_call_id,
+ RPC_HEADER_LEN + 4 /* pad */ + RPC_HDR_AUTH_LEN + pauth_blob->length,
+ pauth_blob->length );
- return pipe_names[pipe_index].client_pipe;
-}
+ /* Marshall it. */
+ if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
+ DEBUG(0,("create_rpc_bind_auth3: failed to marshall RPC_HDR.\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
-/****************************************************************************
- Check to see if this pipe index points to one of
- the pipes only supported by Win2k
- ****************************************************************************/
+ /*
+ I'm puzzled about this - seems to violate the DCE RPC auth rules,
+ about padding - shouldn't this pad to length 8 ? JRA.
+ */
-BOOL is_win2k_pipe( const int pipe_idx )
-{
- switch ( pipe_idx )
- {
- case PI_LSARPC_DS:
- return True;
+ /* 4 bytes padding. */
+ if (!prs_uint32("pad", rpc_out, 0, &pad)) {
+ DEBUG(0,("create_rpc_bind_auth3: failed to marshall 4 byte pad.\n"));
+ return NT_STATUS_NO_MEMORY;
}
-
- return False;
-}
-/****************************************************************************
- check the rpc bind acknowledge response
-****************************************************************************/
+ /* Create the request RPC_HDR_AUTHA */
+ init_rpc_hdr_auth(&hdr_auth,
+ map_pipe_auth_type_to_rpc_auth_type(auth_type),
+ auth_level, 0, 1);
-static BOOL valid_pipe_name(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
-{
- if ( pipe_idx >= PI_MAX_PIPES ) {
- DEBUG(0,("valid_pipe_name: Programmer error! Invalid pipe index [%d]\n",
- pipe_idx));
- return False;
+ if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rpc_out, 0)) {
+ DEBUG(0,("create_rpc_bind_auth3: failed to marshall RPC_HDR_AUTHA.\n"));
+ return NT_STATUS_NO_MEMORY;
}
- DEBUG(5,("Bind Abstract Syntax: "));
- dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
- sizeof(pipe_names[pipe_idx].abstr_syntax));
- DEBUG(5,("Bind Transfer Syntax: "));
- dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
- sizeof(pipe_names[pipe_idx].trans_syntax));
+ /*
+ * Append the auth data to the outgoing buffer.
+ */
- /* copy the required syntaxes out so we can do the right bind */
-
- *transfer = pipe_names[pipe_idx].trans_syntax;
- *abstract = pipe_names[pipe_idx].abstr_syntax;
+ if(!prs_copy_data_in(rpc_out, (char *)pauth_blob->data, pauth_blob->length)) {
+ DEBUG(0,("create_rpc_bind_auth3: failed to marshall auth blob.\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
- return True;
+ return NT_STATUS_OK;
}
/****************************************************************************
- check the rpc bind acknowledge response
+ Create and send the third packet in an RPC auth.
****************************************************************************/
-static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
+static NTSTATUS rpc_finish_auth3_bind(struct rpc_pipe_client *cli,
+ RPC_HDR *phdr,
+ prs_struct *rbuf,
+ uint32 rpc_call_id,
+ enum pipe_auth_type auth_type,
+ enum pipe_auth_level auth_level)
{
- int i = 0;
+ DATA_BLOB server_response = data_blob_null;
+ DATA_BLOB client_reply = data_blob_null;
+ RPC_HDR_AUTH hdr_auth;
+ NTSTATUS nt_status;
+ prs_struct rpc_out;
+ ssize_t ret;
-# if 0 /* JERRY -- apparently ASU forgets to fill in the server pipe name sometimes */
- if ( hdr_ba->addr.len <= 0)
- return False;
-
- if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].client_pipe) &&
- !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe) )
- {
- DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
- pipe_names[i].server_pipe ,hdr_ba->addr.str));
- return False;
+ if (!phdr->auth_len || (phdr->frag_len < phdr->auth_len + RPC_HDR_AUTH_LEN)) {
+ return NT_STATUS_INVALID_PARAMETER;
}
-
- DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
- if (pipe_names[pipe_idx].server_pipe == NULL) {
- DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
- return False;
+ /* Process the returned NTLMSSP blob first. */
+ if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
+ return NT_STATUS_INVALID_PARAMETER;
}
-#endif /* JERRY */
- /* check the transfer syntax */
- if ((hdr_ba->transfer.version != transfer->version) ||
- (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
- DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
- return False;
+ if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
+ return NT_STATUS_INVALID_PARAMETER;
}
- /* lkclXXXX only accept one result: check the result(s) */
- if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
- DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
- hdr_ba->res.num_results, hdr_ba->res.reason));
- }
+ /* TODO - check auth_type/auth_level match. */
- DEBUG(5,("bind_rpc_pipe: accepted!\n"));
- return True;
-}
+ server_response = data_blob(NULL, phdr->auth_len);
+ prs_copy_data_out((char *)server_response.data, rbuf, phdr->auth_len);
-/****************************************************************************
- Create and send the third packet in an RPC auth.
-****************************************************************************/
+ nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
+ server_response,
+ &client_reply);
-static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
-{
- prs_struct rpc_out;
- ssize_t ret;
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0,("rpc_finish_auth3_bind: NTLMSSP update using server blob failed.\n"));
+ data_blob_free(&server_response);
+ return nt_status;
+ }
- prs_init(&rpc_out, RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN, /* need at least this much */
- cli->mem_ctx, MARSHALL);
+ prs_init_empty(&rpc_out, prs_get_mem_context(rbuf), MARSHALL);
- if (!NT_STATUS_IS_OK(create_rpc_bind_resp(cli, rpc_call_id,
- &rpc_out))) {
- return False;
+ nt_status = create_rpc_bind_auth3(cli, rpc_call_id,
+ auth_type, auth_level,
+ &client_reply, &rpc_out);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ prs_mem_free(&rpc_out);
+ data_blob_free(&client_reply);
+ data_blob_free(&server_response);
+ return nt_status;
}
- if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out),
- 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
- DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
+ /* 8 here is named pipe message mode. */
+ ret = cli_write(cli->cli, cli->fnum, 0x8, prs_data_p(&rpc_out), 0,
+ (size_t)prs_offset(&rpc_out));
+
+ if (ret != (ssize_t)prs_offset(&rpc_out)) {
+ DEBUG(0,("rpc_send_auth_auth3: cli_write failed. Return was %d\n", (int)ret));
prs_mem_free(&rpc_out);
- return False;
+ data_blob_free(&client_reply);
+ data_blob_free(&server_response);
+ return cli_get_nt_error(cli->cli);
}
+ DEBUG(5,("rpc_send_auth_auth3: Remote machine %s pipe %s "
+ "fnum 0x%x sent auth3 response ok.\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum));
+
prs_mem_free(&rpc_out);
- return True;
+ data_blob_free(&client_reply);
+ data_blob_free(&server_response);
+ return NT_STATUS_OK;
}
-/****************************************************************************
- Do an rpc bind.
-****************************************************************************/
+/*******************************************************************
+ Creates a DCE/RPC bind alter context authentication request which
+ may contain a spnego auth blobl
+ ********************************************************************/
+
+static NTSTATUS create_rpc_alter_context(uint32 rpc_call_id,
+ const RPC_IFACE *abstract,
+ const RPC_IFACE *transfer,
+ enum pipe_auth_level auth_level,
+ const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
+ prs_struct *rpc_out)
+{
+ RPC_HDR_AUTH hdr_auth;
+ prs_struct auth_info;
+ NTSTATUS ret = NT_STATUS_OK;
+
+ ZERO_STRUCT(hdr_auth);
+ if (!prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL))
+ return NT_STATUS_NO_MEMORY;
+
+ /* We may change the pad length before marshalling. */
+ init_rpc_hdr_auth(&hdr_auth, RPC_SPNEGO_AUTH_TYPE, (int)auth_level, 0, 1);
+
+ if (pauth_blob->length) {
+ if (!prs_copy_data_in(&auth_info, (const char *)pauth_blob->data, pauth_blob->length)) {
+ prs_mem_free(&auth_info);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ ret = create_bind_or_alt_ctx_internal(RPC_ALTCONT,
+ rpc_out,
+ rpc_call_id,
+ abstract,
+ transfer,
+ &hdr_auth,
+ &auth_info);
+ prs_mem_free(&auth_info);
+ return ret;
+}
+
+/*******************************************************************
+ Third leg of the SPNEGO bind mechanism - sends alter context PDU
+ and gets a response.
+ ********************************************************************/
-static BOOL rpc_pipe_bind(struct cli_state *cli, int pipe_idx, const char *my_name)
+static NTSTATUS rpc_finish_spnego_ntlmssp_bind(struct rpc_pipe_client *cli,
+ RPC_HDR *phdr,
+ prs_struct *rbuf,
+ uint32 rpc_call_id,
+ const RPC_IFACE *abstract,
+ const RPC_IFACE *transfer,
+ enum pipe_auth_type auth_type,
+ enum pipe_auth_level auth_level)
{
- RPC_IFACE abstract;
- RPC_IFACE transfer;
+ DATA_BLOB server_spnego_response = data_blob_null;
+ DATA_BLOB server_ntlm_response = data_blob_null;
+ DATA_BLOB client_reply = data_blob_null;
+ DATA_BLOB tmp_blob = data_blob_null;
+ RPC_HDR_AUTH hdr_auth;
+ NTSTATUS nt_status;
prs_struct rpc_out;
- prs_struct rdata;
- uint32 rpc_call_id;
- char buffer[MAX_PDU_FRAG_LEN];
- if ( (pipe_idx < 0) || (pipe_idx >= PI_MAX_PIPES) )
- return False;
+ if (!phdr->auth_len || (phdr->frag_len < phdr->auth_len + RPC_HDR_AUTH_LEN)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_names[pipe_idx].client_pipe));
+ /* Process the returned NTLMSSP blob first. */
+ if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- if (!valid_pipe_name(pipe_idx, &abstract, &transfer))
- return False;
+ if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
+ server_spnego_response = data_blob(NULL, phdr->auth_len);
+ prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len);
- /*
- * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
- */
+ /* The server might give us back two challenges - tmp_blob is for the second. */
+ if (!spnego_parse_challenge(server_spnego_response, &server_ntlm_response, &tmp_blob)) {
+ data_blob_free(&server_spnego_response);
+ data_blob_free(&server_ntlm_response);
+ data_blob_free(&tmp_blob);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
+ /* We're finished with the server spnego response and the tmp_blob. */
+ data_blob_free(&server_spnego_response);
+ data_blob_free(&tmp_blob);
- rpc_call_id = get_rpc_call_id();
+ nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
+ server_ntlm_response,
+ &client_reply);
- if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
- NTSTATUS nt_status;
- fstring password;
+ /* Finished with the server_ntlm response */
+ data_blob_free(&server_ntlm_response);
- DEBUG(5, ("NTLMSSP authenticated pipe selected\n"));
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0,("rpc_finish_spnego_ntlmssp_bind: NTLMSSP update using server blob failed.\n"));
+ data_blob_free(&client_reply);
+ return nt_status;
+ }
- nt_status = ntlmssp_client_start(&cli->ntlmssp_pipe_state);
-
- if (!NT_STATUS_IS_OK(nt_status))
- return False;
+ /* SPNEGO wrap the client reply. */
+ tmp_blob = spnego_gen_auth(client_reply);
+ data_blob_free(&client_reply);
+ client_reply = tmp_blob;
+ tmp_blob = data_blob_null; /* Ensure it's safe to free this just in case. */
- /* Currently the NTLMSSP code does not implement NTLM2 correctly for signing or sealing */
+ /* Now prepare the alter context pdu. */
+ prs_init_empty(&rpc_out, prs_get_mem_context(rbuf), MARSHALL);
- cli->ntlmssp_pipe_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+ nt_status = create_rpc_alter_context(rpc_call_id,
+ abstract,
+ transfer,
+ auth_level,
+ &client_reply,
+ &rpc_out);
- nt_status = ntlmssp_set_username(cli->ntlmssp_pipe_state,
- cli->user_name);
- if (!NT_STATUS_IS_OK(nt_status))
- return False;
+ data_blob_free(&client_reply);
- nt_status = ntlmssp_set_domain(cli->ntlmssp_pipe_state,
- cli->domain);
- if (!NT_STATUS_IS_OK(nt_status))
- return False;
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ prs_mem_free(&rpc_out);
+ return nt_status;
+ }
- if (cli->pwd.null_pwd) {
- nt_status = ntlmssp_set_password(cli->ntlmssp_pipe_state,
- NULL);
- if (!NT_STATUS_IS_OK(nt_status))
- return False;
- } else {
- pwd_get_cleartext(&cli->pwd, password);
- nt_status = ntlmssp_set_password(cli->ntlmssp_pipe_state,
- password);
- if (!NT_STATUS_IS_OK(nt_status))
- return False;
- }
+ /* Initialize the returning data struct. */
+ prs_mem_free(rbuf);
+ prs_init_empty(rbuf, talloc_tos(), UNMARSHALL);
- if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
- cli->ntlmssp_pipe_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
- }
+ nt_status = rpc_api_pipe(cli, &rpc_out, rbuf, RPC_ALTCONTRESP);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ prs_mem_free(&rpc_out);
+ return nt_status;
+ }
- if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
- cli->ntlmssp_pipe_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
- }
- } else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
- cli->auth_info.seq_num = 0;
+ prs_mem_free(&rpc_out);
+
+ /* Get the auth blob from the reply. */
+ if(!smb_io_rpc_hdr("rpc_hdr ", phdr, rbuf, 0)) {
+ DEBUG(0,("rpc_finish_spnego_ntlmssp_bind: Failed to unmarshall RPC_HDR.\n"));
+ return NT_STATUS_BUFFER_TOO_SMALL;
}
+ if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ server_spnego_response = data_blob(NULL, phdr->auth_len);
+ prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len);
+
+ /* Check we got a valid auth response. */
+ if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, OID_NTLMSSP, &tmp_blob)) {
+ data_blob_free(&server_spnego_response);
+ data_blob_free(&tmp_blob);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ data_blob_free(&server_spnego_response);
+ data_blob_free(&tmp_blob);
+
+ DEBUG(5,("rpc_finish_spnego_ntlmssp_bind: alter context request to "
+ "remote machine %s pipe %s fnum 0x%x.\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum));
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************************
+ Do an rpc bind.
+****************************************************************************/
+
+static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
+ enum pipe_auth_type auth_type,
+ enum pipe_auth_level auth_level)
+{
+ RPC_HDR hdr;
+ RPC_HDR_BA hdr_ba;
+ prs_struct rpc_out;
+ prs_struct rbuf;
+ uint32 rpc_call_id;
+ NTSTATUS status;
+
+ DEBUG(5,("Bind RPC Pipe[%x]: %s auth_type %u, auth_level %u\n",
+ (unsigned int)cli->fnum,
+ cli->pipe_name,
+ (unsigned int)auth_type,
+ (unsigned int)auth_level ));
+
+ prs_init_empty(&rpc_out, talloc_tos(), MARSHALL);
+
+ rpc_call_id = get_rpc_call_id();
+
/* Marshall the outgoing data. */
- create_rpc_bind_req(cli, &rpc_out, rpc_call_id,
- &abstract, &transfer,
- global_myname(), cli->domain);
+ status = create_rpc_bind_req(cli, &rpc_out, rpc_call_id,
+ cli->abstract_syntax,
+ cli->transfer_syntax,
+ auth_type,
+ auth_level);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ prs_mem_free(&rpc_out);
+ return status;
+ }
/* Initialize the incoming data struct. */
- prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
+ prs_init_empty(&rbuf, talloc_tos(), UNMARSHALL);
/* send data on \PIPE\. receive a response */
- if (rpc_api_pipe(cli, &rpc_out, &rdata, RPC_BINDACK)) {
- RPC_HDR_BA hdr_ba;
+ status = rpc_api_pipe(cli, &rpc_out, &rbuf, RPC_BINDACK);
+ if (!NT_STATUS_IS_OK(status)) {
+ prs_mem_free(&rpc_out);
+ return status;
+ }
- DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
+ prs_mem_free(&rpc_out);
- if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
- DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
- prs_mem_free(&rdata);
- return False;
- }
+ DEBUG(3,("rpc_pipe_bind: Remote machine %s pipe %s "
+ "fnum 0x%x bind request returned ok.\n",
+ cli->desthost,
+ cli->pipe_name,
+ (unsigned int)cli->fnum));
+
+ /* Unmarshall the RPC header */
+ if(!smb_io_rpc_hdr("hdr" , &hdr, &rbuf, 0)) {
+ DEBUG(0,("rpc_pipe_bind: failed to unmarshall RPC_HDR.\n"));
+ prs_mem_free(&rbuf);
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
- if(!check_bind_response(&hdr_ba, pipe_idx, &transfer)) {
- DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
- prs_mem_free(&rdata);
- return False;
- }
+ if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rbuf, 0)) {
+ DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
+ prs_mem_free(&rbuf);
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
- cli->max_xmit_frag = hdr_ba.bba.max_tsize;
- cli->max_recv_frag = hdr_ba.bba.max_rsize;
+ if(!check_bind_response(&hdr_ba, cli->transfer_syntax)) {
+ DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
+ prs_mem_free(&rbuf);
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
- /*
- * If we're doing NTLMSSP auth we need to send a reply to
- * the bind-ack to complete the 3-way challenge response
- * handshake.
- */
+ cli->max_xmit_frag = hdr_ba.bba.max_tsize;
+ cli->max_recv_frag = hdr_ba.bba.max_rsize;
+
+ /* For authenticated binds we may need to do 3 or 4 leg binds. */
+ switch(auth_type) {
+
+ case PIPE_AUTH_TYPE_NONE:
+ case PIPE_AUTH_TYPE_SCHANNEL:
+ /* Bind complete. */
+ break;
+
+ case PIPE_AUTH_TYPE_NTLMSSP:
+ /* Need to send AUTH3 packet - no reply. */
+ status = rpc_finish_auth3_bind(cli, &hdr, &rbuf, rpc_call_id,
+ auth_type, auth_level);
+ if (!NT_STATUS_IS_OK(status)) {
+ prs_mem_free(&rbuf);
+ return status;
+ }
+ break;
+
+ case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ /* Need to send alter context request and reply. */
+ status = rpc_finish_spnego_ntlmssp_bind(cli, &hdr, &rbuf, rpc_call_id,
+ cli->abstract_syntax,
+ cli->transfer_syntax,
+ auth_type, auth_level);
+ if (!NT_STATUS_IS_OK(status)) {
+ prs_mem_free(&rbuf);
+ return status;
+ }
+ break;
+
+ case PIPE_AUTH_TYPE_KRB5:
+ /* */
+
+ default:
+ DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n",
+ (unsigned int)auth_type ));
+ prs_mem_free(&rbuf);
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
- if ((cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP)
- && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
- DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
- prs_mem_free(&rdata);
- return False;
+ /* For NTLMSSP ensure the server gave us the auth_level we wanted. */
+ if (auth_type == PIPE_AUTH_TYPE_NTLMSSP || auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
+ if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
+ DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP signing and server refused.\n"));
+ prs_mem_free(&rbuf);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+ if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
+ if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
+ DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP sealing and server refused.\n"));
+ prs_mem_free(&rbuf);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
}
- prs_mem_free(&rdata);
- return True;
}
- return False;
+ /* Pipe is bound - set up auth_type and auth_level data. */
+
+ cli->auth.auth_type = auth_type;
+ cli->auth.auth_level = auth_level;
+
+ prs_mem_free(&rbuf);
+ return NT_STATUS_OK;
+}
+
+unsigned int rpccli_set_timeout(struct rpc_pipe_client *cli,
+ unsigned int timeout)
+{
+ return cli_set_timeout(cli->cli, timeout);
+}
+
+bool rpccli_is_pipe_idx(struct rpc_pipe_client *cli, int pipe_idx)
+{
+ return (cli->abstract_syntax == pipe_names[pipe_idx].abstr_syntax);
+}
+
+struct cli_state *rpc_pipe_np_smb_conn(struct rpc_pipe_client *p)
+{
+ return p->cli;
+}
+
+static int rpc_pipe_destructor(struct rpc_pipe_client *p)
+{
+ bool ret;
+
+ ret = cli_close(p->cli, p->fnum);
+ if (!ret) {
+ DEBUG(1, ("rpc_pipe_destructor: cli_close failed on pipe %s, "
+ "fnum 0x%x to machine %s. Error was %s\n",
+ p->pipe_name, (int) p->fnum,
+ p->desthost, cli_errstr(p->cli)));
+ }
+
+ if (p->auth.cli_auth_data_free_func) {
+ (*p->auth.cli_auth_data_free_func)(&p->auth);
+ }
+
+ DEBUG(10, ("rpc_pipe_destructor: closed pipe %s to machine %s\n",
+ p->pipe_name, p->desthost ));
+
+ DLIST_REMOVE(p->cli->pipe_list, p);
+
+ return ret ? -1 : 0;
}
/****************************************************************************
- Open a session.
+ Open a named pipe over SMB to a remote server.
+ *
+ * CAVEAT CALLER OF THIS FUNCTION:
+ * The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
+ * so be sure that this function is called AFTER any structure (vs pointer)
+ * assignment of the cli. In particular, libsmbclient does structure
+ * assignments of cli, which invalidates the data in the returned
+ * rpc_pipe_client if this function is called before the structure assignment
+ * of cli.
+ *
****************************************************************************/
-BOOL cli_nt_session_open(struct cli_state *cli, const int pipe_idx)
+static struct rpc_pipe_client *cli_rpc_pipe_open(struct cli_state *cli, int pipe_idx, NTSTATUS *perr)
{
+ struct rpc_pipe_client *result;
int fnum;
- /* At the moment we can't have more than one pipe open over
- a cli connection. )-: */
+ *perr = NT_STATUS_NO_MEMORY;
- SMB_ASSERT(cli->nt_pipe_fnum == 0);
-
- /* The pipe index must fall within our array */
+ /* sanity check to protect against crashes */
- SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
+ if ( !cli ) {
+ *perr = NT_STATUS_INVALID_HANDLE;
+ return NULL;
+ }
- if (cli->capabilities & CAP_NT_SMBS) {
- if ((fnum = cli_nt_create(cli, &pipe_names[pipe_idx].client_pipe[5], DESIRED_ACCESS_PIPE)) == -1) {
- DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
- &pipe_names[pipe_idx].client_pipe[5], cli->desthost, cli_errstr(cli)));
- return False;
- }
+ /* The pipe name index must fall within our array */
+ SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
- cli->nt_pipe_fnum = (uint16)fnum;
- } else {
- if ((fnum = cli_open(cli, pipe_names[pipe_idx].client_pipe, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
- DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
- pipe_names[pipe_idx].client_pipe, cli->desthost, cli_errstr(cli)));
- return False;
- }
+ result = TALLOC_ZERO_P(NULL, struct rpc_pipe_client);
+ if (result == NULL) {
+ *perr = NT_STATUS_NO_MEMORY;
+ return NULL;
+ }
- cli->nt_pipe_fnum = (uint16)fnum;
+ result->pipe_name = cli_get_pipe_name(pipe_idx);
+
+ result->cli = cli;
+ result->abstract_syntax = pipe_names[pipe_idx].abstr_syntax;
+ result->transfer_syntax = pipe_names[pipe_idx].trans_syntax;
+ result->auth.auth_type = PIPE_AUTH_TYPE_NONE;
+ result->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
+
+ result->domain = talloc_strdup(result, cli->domain);
+ result->user_name = talloc_strdup(result, cli->user_name);
+ result->desthost = talloc_strdup(result, cli->desthost);
+ result->srv_name_slash = talloc_asprintf_strupper_m(
+ result, "\\\\%s", result->desthost);
+
+ if ((result->domain == NULL)
+ || (result->user_name == NULL)
+ || (result->desthost == NULL)
+ || (result->srv_name_slash == NULL)) {
+ *perr = NT_STATUS_NO_MEMORY;
+ TALLOC_FREE(result);
+ return NULL;
+ }
- /**************** Set Named Pipe State ***************/
- if (!rpc_pipe_set_hnd_state(cli, pipe_names[pipe_idx].client_pipe, 0x4300)) {
- DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
- cli_errstr(cli)));
- cli_close(cli, cli->nt_pipe_fnum);
- return False;
+ if (pipe_idx == PI_NETLOGON) {
+ /* Set up a netlogon credential chain for a netlogon pipe. */
+ result->dc = TALLOC_ZERO_P(result, struct dcinfo);
+ if (result->dc == NULL) {
+ *perr = NT_STATUS_NO_MEMORY;
+ TALLOC_FREE(result);
+ return NULL;
}
}
- /******************* bind request on pipe *****************/
-
- if (!rpc_pipe_bind(cli, pipe_idx, global_myname())) {
- DEBUG(2,("cli_nt_session_open: rpc bind to %s failed\n",
- get_pipe_name_from_index(pipe_idx)));
- cli_close(cli, cli->nt_pipe_fnum);
- return False;
+ fnum = cli_nt_create(cli, result->pipe_name, DESIRED_ACCESS_PIPE);
+ if (fnum == -1) {
+ DEBUG(1,("cli_rpc_pipe_open: cli_nt_create failed on pipe %s "
+ "to machine %s. Error was %s\n",
+ result->pipe_name, cli->desthost,
+ cli_errstr(cli)));
+ *perr = cli_get_nt_error(cli);
+ talloc_destroy(result);
+ return NULL;
}
- cli->pipe_idx = pipe_idx;
+ result->fnum = fnum;
- /*
- * Setup the remote server name prefixed by \ and the machine account name.
- */
+ DLIST_ADD(cli->pipe_list, result);
+ talloc_set_destructor(result, rpc_pipe_destructor);
- fstrcpy(cli->srv_name_slash, "\\\\");
- fstrcat(cli->srv_name_slash, cli->desthost);
- strupper_m(cli->srv_name_slash);
+ *perr = NT_STATUS_OK;
- fstrcpy(cli->clnt_name_slash, "\\\\");
- fstrcat(cli->clnt_name_slash, global_myname());
- strupper_m(cli->clnt_name_slash);
+ return result;
+}
- fstrcpy(cli->mach_acct, global_myname());
- fstrcat(cli->mach_acct, "$");
- strupper_m(cli->mach_acct);
+/****************************************************************************
+ Open a named pipe to an SMB server and bind anonymously.
+ ****************************************************************************/
- /* Remember which pipe we're talking to */
- fstrcpy(cli->pipe_name, pipe_names[pipe_idx].client_pipe);
+struct rpc_pipe_client *cli_rpc_pipe_open_noauth(struct cli_state *cli, int pipe_idx, NTSTATUS *perr)
+{
+ struct rpc_pipe_client *result;
- return True;
-}
+ result = cli_rpc_pipe_open(cli, pipe_idx, perr);
+ if (result == NULL) {
+ return NULL;
+ }
+ *perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_NONE, PIPE_AUTH_LEVEL_NONE);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ int lvl = 0;
+ if (rpccli_is_pipe_idx(result, PI_DSSETUP)) {
+ /* non AD domains just don't have this pipe, avoid
+ * level 0 statement in that case - gd */
+ lvl = 3;
+ }
+ DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe %s failed with error %s\n",
+ cli_get_pipe_name(pipe_idx), nt_errstr(*perr) ));
+ TALLOC_FREE(result);
+ return NULL;
+ }
-/****************************************************************************
- Open a session to the NETLOGON pipe using schannel.
+ DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine %s and bound anonymously.\n",
+ result->pipe_name, cli->desthost ));
- (Assumes that the netlogon pipe is already open)
+ return result;
+}
+
+/****************************************************************************
+ Free function for NTLMSSP auth.
****************************************************************************/
-NTSTATUS cli_nt_establish_netlogon(struct cli_state *cli, int sec_chan,
- const uchar trust_password[16])
+static void cli_ntlmssp_auth_free(struct cli_pipe_auth_data *auth)
{
- NTSTATUS result;
- uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
- int fnum;
-
- cli_nt_netlogon_netsec_session_close(cli);
+ if (auth->a_u.ntlmssp_state) {
+ ntlmssp_end(&auth->a_u.ntlmssp_state);
+ auth->a_u.ntlmssp_state = NULL;
+ }
+}
- if (lp_client_schannel() != False)
- neg_flags |= NETLOGON_NEG_SCHANNEL;
+/****************************************************************************
+ Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP
+ ****************************************************************************/
- result = cli_nt_setup_creds(cli, sec_chan, trust_password,
- &neg_flags, 2);
+static struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
+ int pipe_idx,
+ enum pipe_auth_type auth_type,
+ enum pipe_auth_level auth_level,
+ const char *domain,
+ const char *username,
+ const char *password,
+ NTSTATUS *perr)
+{
+ struct rpc_pipe_client *result;
+ NTLMSSP_STATE *ntlmssp_state = NULL;
- if (!NT_STATUS_IS_OK(result)) {
- cli_nt_session_close(cli);
- return result;
+ result = cli_rpc_pipe_open(cli, pipe_idx, perr);
+ if (result == NULL) {
+ return NULL;
}
- if ((lp_client_schannel() == True) &&
- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ result->auth.cli_auth_data_free_func = cli_ntlmssp_auth_free;
- DEBUG(3, ("Server did not offer schannel\n"));
- cli_nt_session_close(cli);
- return NT_STATUS_UNSUCCESSFUL;
- }
+ TALLOC_FREE(result->domain);
+ TALLOC_FREE(result->user_name);
- if ((lp_client_schannel() == False) ||
- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
- return NT_STATUS_OK;
-
- /* keep the existing connection to NETLOGON open */
+ result->domain = talloc_strdup(result, domain);
+ result->user_name = talloc_strdup(result, username);
+ if ((result->domain == NULL) || (result->user_name == NULL)) {
+ *perr = NT_STATUS_NO_MEMORY;
+ goto err;
}
- /* Server offered schannel, so try it. */
+ pwd_set_cleartext(&result->pwd, password);
- memcpy(cli->auth_info.sess_key, cli->sess_key,
- sizeof(cli->auth_info.sess_key));
+ *perr = ntlmssp_client_start(&ntlmssp_state);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ goto err;
+ }
- cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
+ result->auth.a_u.ntlmssp_state = ntlmssp_state;
- cli->pipe_auth_flags = AUTH_PIPE_NETSEC;
- cli->pipe_auth_flags |= AUTH_PIPE_SIGN;
- cli->pipe_auth_flags |= AUTH_PIPE_SEAL;
+ *perr = ntlmssp_set_username(ntlmssp_state, username);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ goto err;
+ }
- if (cli->capabilities & CAP_NT_SMBS) {
+ *perr = ntlmssp_set_domain(ntlmssp_state, domain);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ goto err;
+ }
- /* The secure channel connection must be opened on the same
- session (TCP connection) as the one the challenge was
- requested from. */
- if ((fnum = cli_nt_create(cli, PIPE_NETLOGON_PLAIN,
- DESIRED_ACCESS_PIPE)) == -1) {
- DEBUG(0,("cli_nt_create failed to %s machine %s. "
- "Error was %s\n",
- PIPE_NETLOGON, cli->desthost,
- cli_errstr(cli)));
- return NT_STATUS_UNSUCCESSFUL;
+ if (cli->pwd.null_pwd) {
+ *perr = ntlmssp_set_password(ntlmssp_state, NULL);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ goto err;
}
-
- cli->nt_pipe_fnum = (uint16)fnum;
} else {
- if ((fnum = cli_open(cli, PIPE_NETLOGON,
- O_CREAT|O_RDWR, DENY_NONE)) == -1) {
- DEBUG(0,("cli_open failed on pipe %s to machine %s. "
- "Error was %s\n",
- PIPE_NETLOGON, cli->desthost,
- cli_errstr(cli)));
- return NT_STATUS_UNSUCCESSFUL;
+ *perr = ntlmssp_set_password(ntlmssp_state, password);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ goto err;
}
+ }
- cli->nt_pipe_fnum = (uint16)fnum;
+ /* Turn off sign+seal to allow selected auth level to turn it back on. */
+ ntlmssp_state->neg_flags &= ~(NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL);
- /**************** Set Named Pipe State ***************/
- if (!rpc_pipe_set_hnd_state(cli, PIPE_NETLOGON, 0x4300)) {
- DEBUG(0,("Pipe hnd state failed. Error was %s\n",
- cli_errstr(cli)));
- cli_close(cli, cli->nt_pipe_fnum);
- return NT_STATUS_UNSUCCESSFUL;
- }
+ if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ } else if (auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN;
}
-
- if (!rpc_pipe_bind(cli, PI_NETLOGON, global_myname())) {
- DEBUG(2,("rpc bind to %s failed\n", PIPE_NETLOGON));
- cli_close(cli, cli->nt_pipe_fnum);
- return NT_STATUS_UNSUCCESSFUL;
+
+ *perr = rpc_pipe_bind(result, auth_type, auth_level);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ DEBUG(0, ("cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error %s\n",
+ nt_errstr(*perr) ));
+ goto err;
}
- return NT_STATUS_OK;
+ DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to "
+ "machine %s and bound NTLMSSP as user %s\\%s.\n",
+ result->pipe_name, cli->desthost,
+ domain, username ));
+
+ return result;
+
+ err:
+
+ TALLOC_FREE(result);
+ return NULL;
+}
+
+/****************************************************************************
+ External interface.
+ Open a named pipe to an SMB server and bind using NTLMSSP (bind type 10)
+ ****************************************************************************/
+
+struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp(struct cli_state *cli,
+ int pipe_idx,
+ enum pipe_auth_level auth_level,
+ const char *domain,
+ const char *username,
+ const char *password,
+ NTSTATUS *perr)
+{
+ return cli_rpc_pipe_open_ntlmssp_internal(cli,
+ pipe_idx,
+ PIPE_AUTH_TYPE_NTLMSSP,
+ auth_level,
+ domain,
+ username,
+ password,
+ perr);
}
+/****************************************************************************
+ External interface.
+ Open a named pipe to an SMB server and bind using spnego NTLMSSP (bind type 9)
+ ****************************************************************************/
-NTSTATUS cli_nt_setup_netsec(struct cli_state *cli, int sec_chan, int auth_flags,
- const uchar trust_password[16])
+struct rpc_pipe_client *cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
+ int pipe_idx,
+ enum pipe_auth_level auth_level,
+ const char *domain,
+ const char *username,
+ const char *password,
+ NTSTATUS *perr)
{
- NTSTATUS result;
- uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
- cli->pipe_auth_flags = 0;
+ return cli_rpc_pipe_open_ntlmssp_internal(cli,
+ pipe_idx,
+ PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
+ auth_level,
+ domain,
+ username,
+ password,
+ perr);
+}
- if (lp_client_schannel() == False) {
- return NT_STATUS_OK;
+/****************************************************************************
+ Get a the schannel session key out of an already opened netlogon pipe.
+ ****************************************************************************/
+static bool get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
+ struct cli_state *cli,
+ const char *domain,
+ uint32 *pneg_flags,
+ NTSTATUS *perr)
+{
+ uint32 sec_chan_type = 0;
+ unsigned char machine_pwd[16];
+ const char *machine_account;
+
+ /* Get the machine account credentials from secrets.tdb. */
+ if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
+ &sec_chan_type))
+ {
+ DEBUG(0, ("get_schannel_session_key: could not fetch "
+ "trust account password for domain '%s'\n",
+ domain));
+ *perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ return false;
}
- if (!cli_nt_session_open(cli, PI_NETLOGON)) {
- DEBUG(0, ("Could not initialise %s\n",
- get_pipe_name_from_index(PI_NETLOGON)));
- return NT_STATUS_UNSUCCESSFUL;
+ *perr = rpccli_netlogon_setup_creds(netlogon_pipe,
+ cli->desthost, /* server name */
+ domain, /* domain */
+ global_myname(), /* client name */
+ machine_account, /* machine account name */
+ machine_pwd,
+ sec_chan_type,
+ pneg_flags);
+
+ if (!NT_STATUS_IS_OK(*perr)) {
+ DEBUG(3,("get_schannel_session_key_common: rpccli_netlogon_setup_creds "
+ "failed with result %s to server %s, domain %s, machine account %s.\n",
+ nt_errstr(*perr), cli->desthost, domain, machine_account ));
+ return false;
}
- if (lp_client_schannel() != False)
- neg_flags |= NETLOGON_NEG_SCHANNEL;
+ if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
+ DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
+ cli->desthost));
+ *perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
+ return false;
+ }
- neg_flags |= NETLOGON_NEG_SCHANNEL;
+ return true;
+}
- result = cli_nt_setup_creds(cli, sec_chan, trust_password,
- &neg_flags, 2);
+/****************************************************************************
+ Open a netlogon pipe and get the schannel session key.
+ Now exposed to external callers.
+ ****************************************************************************/
- if (!(neg_flags & NETLOGON_NEG_SCHANNEL)
- && lp_client_schannel() == True) {
- DEBUG(1, ("Could not negotiate SCHANNEL with the DC!\n"));
- result = NT_STATUS_UNSUCCESSFUL;
+
+struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
+ const char *domain,
+ uint32 *pneg_flags,
+ NTSTATUS *perr)
+{
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+
+ netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
+ if (!netlogon_pipe) {
+ return NULL;
}
- if (!NT_STATUS_IS_OK(result)) {
- ZERO_STRUCT(cli->auth_info.sess_key);
- ZERO_STRUCT(cli->sess_key);
- cli->pipe_auth_flags = 0;
- cli_nt_session_close(cli);
- return result;
+ if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
+ pneg_flags, perr))
+ {
+ TALLOC_FREE(netlogon_pipe);
+ return NULL;
}
- memcpy(cli->auth_info.sess_key, cli->sess_key,
- sizeof(cli->auth_info.sess_key));
+ return netlogon_pipe;
+}
- cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
- cli->nt_pipe_fnum = 0;
+/****************************************************************************
+ External interface.
+ Open a named pipe to an SMB server and bind using schannel (bind type 68)
+ using session_key. sign and seal.
+ ****************************************************************************/
- /* doing schannel, not per-user auth */
- cli->pipe_auth_flags = auth_flags;
+struct rpc_pipe_client *cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ int pipe_idx,
+ enum pipe_auth_level auth_level,
+ const char *domain,
+ const struct dcinfo *pdc,
+ NTSTATUS *perr)
+{
+ struct rpc_pipe_client *result;
- return NT_STATUS_OK;
+ result = cli_rpc_pipe_open(cli, pipe_idx, perr);
+ if (result == NULL) {
+ return NULL;
+ }
+
+ result->auth.a_u.schannel_auth = TALLOC_ZERO_P(
+ result, struct schannel_auth_struct);
+ if (!result->auth.a_u.schannel_auth) {
+ TALLOC_FREE(result);
+ *perr = NT_STATUS_NO_MEMORY;
+ return NULL;
+ }
+
+ TALLOC_FREE(result->domain);
+ result->domain = talloc_strdup(result, domain);
+ if (result->domain == NULL) {
+ TALLOC_FREE(result);
+ *perr = NT_STATUS_NO_MEMORY;
+ return NULL;
+ }
+
+ memcpy(result->auth.a_u.schannel_auth->sess_key, pdc->sess_key, 16);
+
+ *perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_SCHANNEL, auth_level);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed with error %s\n",
+ nt_errstr(*perr) ));
+ TALLOC_FREE(result);
+ return NULL;
+ }
+
+ /* The credentials on a new netlogon pipe are the ones we are passed in - copy them over. */
+ if (result->dc) {
+ *result->dc = *pdc;
+ }
+
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
+ "for domain %s "
+ "and bound using schannel.\n",
+ result->pipe_name, cli->desthost, domain ));
+
+ return result;
+}
+
+/****************************************************************************
+ Open a named pipe to an SMB server and bind using schannel (bind type 68).
+ Fetch the session key ourselves using a temporary netlogon pipe. This
+ version uses an ntlmssp auth bound netlogon pipe to get the key.
+ ****************************************************************************/
+
+static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
+ const char *domain,
+ const char *username,
+ const char *password,
+ uint32 *pneg_flags,
+ NTSTATUS *perr)
+{
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+
+ netlogon_pipe = cli_rpc_pipe_open_spnego_ntlmssp(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, perr);
+ if (!netlogon_pipe) {
+ return NULL;
+ }
+
+ if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
+ pneg_flags, perr))
+ {
+ TALLOC_FREE(netlogon_pipe);
+ return NULL;
+ }
+
+ return netlogon_pipe;
+}
+
+/****************************************************************************
+ Open a named pipe to an SMB server and bind using schannel (bind type 68).
+ Fetch the session key ourselves using a temporary netlogon pipe. This version
+ uses an ntlmssp bind to get the session key.
+ ****************************************************************************/
+
+struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
+ int pipe_idx,
+ enum pipe_auth_level auth_level,
+ const char *domain,
+ const char *username,
+ const char *password,
+ NTSTATUS *perr)
+{
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct rpc_pipe_client *result = NULL;
+
+ netlogon_pipe = get_schannel_session_key_auth_ntlmssp(cli, domain, username,
+ password, &neg_flags, perr);
+ if (!netlogon_pipe) {
+ DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
+ "key from server %s for domain %s.\n",
+ cli->desthost, domain ));
+ return NULL;
+ }
+
+ result = cli_rpc_pipe_open_schannel_with_key(cli, pipe_idx,
+ auth_level,
+ domain, netlogon_pipe->dc, perr);
+
+ /* Now we've bound using the session key we can close the netlog pipe. */
+ TALLOC_FREE(netlogon_pipe);
+
+ return result;
+}
+
+/****************************************************************************
+ Open a named pipe to an SMB server and bind using schannel (bind type 68).
+ Fetch the session key ourselves using a temporary netlogon pipe.
+ ****************************************************************************/
+
+struct rpc_pipe_client *cli_rpc_pipe_open_schannel(struct cli_state *cli,
+ int pipe_idx,
+ enum pipe_auth_level auth_level,
+ const char *domain,
+ NTSTATUS *perr)
+{
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct rpc_pipe_client *result = NULL;
+
+ netlogon_pipe = get_schannel_session_key(cli, domain, &neg_flags, perr);
+ if (!netlogon_pipe) {
+ DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
+ "key from server %s for domain %s.\n",
+ cli->desthost, domain ));
+ return NULL;
+ }
+
+ result = cli_rpc_pipe_open_schannel_with_key(cli, pipe_idx,
+ auth_level,
+ domain, netlogon_pipe->dc, perr);
+
+ /* Now we've bound using the session key we can close the netlog pipe. */
+ TALLOC_FREE(netlogon_pipe);
+
+ return result;
}
-const char *cli_pipe_get_name(struct cli_state *cli)
+#ifdef HAVE_KRB5
+
+/****************************************************************************
+ Free function for the kerberos spcific data.
+ ****************************************************************************/
+
+static void kerberos_auth_struct_free(struct cli_pipe_auth_data *a)
{
- return cli->pipe_name;
+ data_blob_free(&a->a_u.kerberos_auth->session_key);
}
+#endif
+
+/****************************************************************************
+ Open a named pipe to an SMB server and bind using krb5 (bind type 16).
+ The idea is this can be called with service_princ, username and password all
+ NULL so long as the caller has a TGT.
+ ****************************************************************************/
+
+struct rpc_pipe_client *cli_rpc_pipe_open_krb5(struct cli_state *cli,
+ int pipe_idx,
+ enum pipe_auth_level auth_level,
+ const char *service_princ,
+ const char *username,
+ const char *password,
+ NTSTATUS *perr)
+{
+#ifdef HAVE_KRB5
+ struct rpc_pipe_client *result;
+ result = cli_rpc_pipe_open(cli, pipe_idx, perr);
+ if (result == NULL) {
+ return NULL;
+ }
+
+ /* Default service principal is "desthost$@realm" */
+ if (!service_princ) {
+ service_princ = talloc_asprintf(result, "%s$@%s",
+ cli->desthost, lp_realm() );
+ if (!service_princ) {
+ TALLOC_FREE(result);
+ return NULL;
+ }
+ }
+
+ /* Only get a new TGT if username/password are given. */
+ if (username && password) {
+ int ret = kerberos_kinit_password(username, password, 0, NULL);
+ if (ret) {
+ TALLOC_FREE(result);
+ return NULL;
+ }
+ }
+
+ result->auth.a_u.kerberos_auth = TALLOC_ZERO_P(
+ result, struct kerberos_auth_struct);
+ if (!result->auth.a_u.kerberos_auth) {
+ TALLOC_FREE(result);
+ *perr = NT_STATUS_NO_MEMORY;
+ return NULL;
+ }
+
+ result->auth.a_u.kerberos_auth->service_principal = service_princ;
+ result->auth.cli_auth_data_free_func = kerberos_auth_struct_free;
+
+ *perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_KRB5, auth_level);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ DEBUG(0, ("cli_rpc_pipe_open_krb5: cli_rpc_pipe_bind failed with error %s\n",
+ nt_errstr(*perr) ));
+ TALLOC_FREE(result);
+ return NULL;
+ }
+
+ return result;
+#else
+ DEBUG(0,("cli_rpc_pipe_open_krb5: kerberos not found at compile time.\n"));
+ return NULL;
+#endif
+}