3 * Unix SMB/Netbios implementation.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998,
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1998.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
32 extern int DEBUGLEVEL;
33 extern struct pipe_id_info pipe_names[];
34 extern pstring global_myname;
36 /********************************************************************
38 ********************************************************************/
39 static uint32 get_rpc_call_id(void)
41 static uint32 call_id = 0;
45 /*******************************************************************
46 uses SMBreadX to get rest of rpc data
47 ********************************************************************/
49 static BOOL rpc_read(struct cli_state *cli, uint16 nt_pipe_fnum,
50 prs_struct *rdata, uint32 data_to_read,
53 int size = cli->max_recv_frag;
54 int file_offset = rdata_offset;
58 uint32 new_data_size = rdata->data->data_used + data_to_read;
60 file_offset -= rdata_offset;
62 DEBUG(5,("rpc_read: data_to_read: %d data offset: %d file offset: %d\n",
63 data_to_read, rdata_offset, file_offset));
65 if (new_data_size > rdata->data->data_size)
67 mem_grow_data(&rdata->data, True, new_data_size, True);
68 DEBUG(5,("rpc_read: grow buffer to %d\n", rdata->data->data_used));
71 data = rdata->data->data + rdata_offset;
73 do /* read data using SMBreadX */
75 if (size > data_to_read)
78 new_data_size = rdata->data->data_used + size;
80 if (new_data_size > rdata->data->data_size)
82 mem_grow_data(&rdata->data, True, new_data_size, True);
83 DEBUG(5,("rpc_read: grow buffer to %d\n", rdata->data->data_used));
86 num_read = cli_read(cli, nt_pipe_fnum, data, file_offset, size);
88 DEBUG(5,("rpc_read: read offset: %d read: %d to read: %d\n",
89 file_offset, num_read, data_to_read));
91 data_to_read -= num_read;
92 file_offset += num_read;
95 if (cli_error(cli, NULL, &err)) return False;
97 } while (num_read > 0 && data_to_read > 0);
98 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
100 mem_realloc_data(rdata->data, file_offset + rdata_offset);
101 rdata->data->offset.end = file_offset + rdata_offset;
103 DEBUG(5,("rpc_read: offset end: 0x%x. data left to read:0x%x\n",
104 rdata->data->offset.end, data_to_read));
109 /****************************************************************************
111 ****************************************************************************/
112 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
113 BOOL *first, BOOL *last, int *len)
115 DEBUG(5,("rpc_check_hdr: rdata->data->data_used: %d\n", rdata->data->data_used));
117 smb_io_rpc_hdr ("rpc_hdr ", rhdr , rdata, 0);
119 if (!rdata->offset || rdata->offset != 0x10)
121 DEBUG(0,("cli_pipe: error in rpc header\n"));
125 DEBUG(5,("rpc_check_hdr: (after smb_io_rpc_hdr call) rdata->data->data_used: %d\n",
126 rdata->data->data_used));
128 (*first ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_FIRST);
129 (*last ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_LAST );
130 (*len ) = rhdr->frag_len - rdata->data->data_used;
132 return rhdr->pkt_type != RPC_FAULT;
135 static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, int len)
137 unsigned char *hash = cli->ntlmssp_hash;
138 unsigned char index_i = hash[256];
139 unsigned char index_j = hash[257];
142 for( ind = 0; ind < len; ind++)
148 index_j += hash[index_i];
151 hash[index_i] = hash[index_j];
154 t = hash[index_i] + hash[index_j];
155 data[ind] = data[ind] ^ hash[t];
162 /****************************************************************************
163 decrypt data on an rpc pipe
164 ****************************************************************************/
166 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
167 int len, int auth_len)
169 RPC_AUTH_NTLMSSP_CHK chk;
171 int data_len = len - 0x18 - auth_len - 8;
172 char *reply_data = mem_data(&rdata->data, 0x18);
174 BOOL auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
175 BOOL auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
177 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
178 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal)));
180 if (reply_data == NULL) return False;
184 DEBUG(10,("rpc_auth_pipe: seal\n"));
185 dump_data(100, reply_data, data_len);
186 NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
187 dump_data(100, reply_data, data_len);
190 if (auth_verify || auth_seal)
192 RPC_HDR_AUTH rhdr_auth;
194 char *data = mem_data(&rdata->data, len - auth_len - 8);
195 prs_init(&auth_req , 0x08, 4, 0, True);
196 memcpy(auth_req.data->data, data, 8);
197 smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0);
198 prs_mem_free(&auth_req);
200 if (!rpc_hdr_auth_chk(&rhdr_auth))
208 prs_struct auth_verf;
209 char *data = mem_data(&rdata->data, len - auth_len);
210 if (data == NULL) return False;
212 DEBUG(10,("rpc_auth_pipe: verify\n"));
213 dump_data(100, data, auth_len);
214 NTLMSSPcalc_ap(cli, (uchar*)(data+4), auth_len - 4);
215 prs_init(&auth_verf, 0x08, 4, 0, True);
216 memcpy(auth_verf.data->data, data, 16);
217 smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0);
218 dump_data(100, data, auth_len);
219 prs_mem_free(&auth_verf);
224 crc32 = crc32_calc_buffer(data_len, reply_data);
225 if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num))
229 cli->ntlmssp_seq_num++;
235 /****************************************************************************
236 send data on an rpc pipe, which *must* be in one fragment.
237 receive response data from an rpc pipe, which may be large...
239 read the first fragment: unfortunately have to use SMBtrans for the first
240 bit, then SMBreadX for subsequent bits.
242 if first fragment received also wasn't the last fragment, continue
243 getting fragments until we _do_ receive the last fragment.
245 [note: from a data abstraction viewpoint, this function is marginally
246 complicated by the return side of cli_api_pipe getting in the way
247 (i.e, the SMB header stuff). the proper way to do this is to split
248 cli_api_pipe down into receive / transmit. oh, and split cli_readx
249 down. in other words, state-based (kernel) techniques...]
251 ****************************************************************************/
253 static BOOL rpc_api_pipe(struct cli_state *cli, uint16 nt_pipe_fnum, uint16 cmd,
254 prs_struct *param , prs_struct *data,
255 prs_struct *rparam, prs_struct *rdata)
259 uint16 setup[2]; /* only need 2 uint16 setup parameters */
266 * Setup the pointers from the incoming.
268 char *pparams = param ? param->data->data : NULL;
269 int params_len = param ? param->data->data_used : 0;
270 char *pdata = data ? data->data->data : NULL;
271 int data_len = data ? data->data->data_used : 0;
274 * Setup the pointers to the outgoing.
276 char **pp_ret_params = rparam ? &rparam->data->data : NULL;
277 uint32 *p_ret_params_len = rparam ? &rparam->data->data_used : NULL;
279 char **pp_ret_data = rdata ? &rdata->data->data : NULL;
280 uint32 *p_ret_data_len = rdata ? &rdata->data->data_used : NULL;
282 /* create setup parameters. */
284 setup[1] = nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
286 DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", cmd, nt_pipe_fnum));
288 /* send the data: receive a response. */
289 if (!cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
290 setup, 2, 0, /* Setup, length, max */
291 pparams, params_len, 0, /* Params, length, max */
292 pdata, data_len, 1024, /* data, length, max */
293 pp_ret_params, p_ret_params_len, /* return params, len */
294 pp_ret_data, p_ret_data_len)) /* return data, len */
296 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
300 if (rdata->data->data == NULL) return False;
302 /**** parse the header: check it's a response record */
304 rdata->data->offset.start = 0;
305 rdata->data->offset.end = rdata->data->data_used;
308 /* cli_api_pipe does an ordinary Realloc - we have no margins now. */
309 rdata->data->margin = 0;
310 if (rparam) rparam->data->margin = 0;
312 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len))
317 if (rhdr.pkt_type == RPC_BINDACK)
321 DEBUG(5,("rpc_api_pipe: bug in AS/U, setting fragment first/last ON\n"));
327 if (rhdr.pkt_type == RPC_RESPONSE)
329 RPC_HDR_RESP rhdr_resp;
330 smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0);
333 DEBUG(5,("rpc_api_pipe: len left: %d smbtrans read: %d\n",
334 len, rdata->data->data_used));
336 /* check if data to be sent back was too large for one SMB. */
337 /* err status is only informational: the _real_ check is on the length */
338 if (len > 0) /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
340 if (!rpc_read(cli, nt_pipe_fnum, rdata, len, rdata->data->data_used))
346 if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
351 /* only one rpc fragment, and it has been read */
354 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
358 while (!last) /* read more fragments until we get the last one */
360 RPC_HDR_RESP rhdr_resp;
364 prs_init(&hps, 0x18, 4, 0, True);
366 num_read = cli_read(cli, nt_pipe_fnum, hps.data->data, 0, 0x18);
367 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
369 if (num_read != 0x18) return False;
371 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
376 smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0);
380 if (cli_error(cli, NULL, &err)) return False;
384 DEBUG(0,("rpc_api_pipe: wierd rpc header received\n"));
388 if (!rpc_read(cli, nt_pipe_fnum, rdata, len, rdata->data->data_used))
393 if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
402 /*******************************************************************
403 creates a DCE/RPC bind request
405 - initialises the parse structure.
406 - dynamically allocates the header data structure
407 - caller is expected to free the header data structure once used.
409 ********************************************************************/
410 static BOOL create_rpc_bind_req(prs_struct *rhdr,
412 prs_struct *rhdr_auth,
413 prs_struct *auth_req,
414 prs_struct *auth_ntlm,
416 RPC_IFACE *abstract, RPC_IFACE *transfer,
417 char *my_name, char *domain, uint32 neg_flags)
421 RPC_HDR_AUTH hdr_auth;
422 RPC_AUTH_VERIFIER auth_verifier;
423 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
425 /* create the bind request RPC_HDR_RB */
426 make_rpc_hdr_rb(&hdr_rb, 0x1630, 0x1630, 0x0,
427 0x1, 0x0, 0x1, abstract, transfer);
429 /* stream the bind request data */
430 smb_io_rpc_hdr_rb("", &hdr_rb, rhdr_rb, 0);
431 mem_realloc_data(rhdr_rb->data, rhdr_rb->offset);
433 if (auth_req != NULL && rhdr_auth != NULL && auth_ntlm != NULL)
435 make_rpc_hdr_auth(&hdr_auth, 0x0a, 0x06, 0x00, 1);
436 smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rhdr_auth, 0);
437 mem_realloc_data(rhdr_auth->data, rhdr_auth->offset);
439 make_rpc_auth_verifier(&auth_verifier,
440 "NTLMSSP", NTLMSSP_NEGOTIATE);
442 smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, auth_req, 0);
443 mem_realloc_data(auth_req->data, auth_req->offset);
445 make_rpc_auth_ntlmssp_neg(&ntlmssp_neg,
446 neg_flags, my_name, domain);
448 smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, auth_req, 0);
449 mem_realloc_data(auth_req->data, auth_req->offset);
452 /* create the request RPC_HDR */
453 make_rpc_hdr(&hdr, RPC_BIND, 0x0, rpc_call_id,
454 (auth_req != NULL ? auth_req ->offset : 0) +
455 (auth_ntlm != NULL ? auth_ntlm->offset : 0) +
456 (rhdr_auth != NULL ? rhdr_auth->offset : 0) +
457 rhdr_rb->offset + 0x10,
458 (auth_req != NULL ? auth_req ->offset : 0) +
459 (auth_ntlm != NULL ? auth_ntlm->offset : 0));
461 smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0);
462 mem_realloc_data(rhdr->data, rhdr->offset);
464 if (rhdr->data == NULL || rhdr_rb->data == NULL) return False;
467 /*** link rpc header, bind acknowledgment and authentication responses ***/
470 if (auth_req != NULL)
472 prs_link(NULL , rhdr , rhdr_rb );
473 prs_link(rhdr , rhdr_rb , rhdr_auth);
474 prs_link(rhdr_rb , rhdr_auth , auth_req );
475 prs_link(rhdr_auth, auth_req , auth_ntlm);
476 prs_link(auth_req , auth_ntlm , NULL );
480 prs_link(NULL, rhdr , rhdr_rb);
481 prs_link(rhdr, rhdr_rb, NULL );
488 /*******************************************************************
489 creates a DCE/RPC bind authentication response
491 - initialises the parse structure.
492 - dynamically allocates the header data structure
493 - caller is expected to free the header data structure once used.
495 ********************************************************************/
496 static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
497 char *domain, char *user_name, char *my_name,
498 uint32 ntlmssp_cli_flgs,
501 prs_struct *rhdr_autha,
502 prs_struct *auth_resp)
504 unsigned char lm_owf[24];
505 unsigned char nt_owf[128];
508 RPC_HDR_AUTHA hdr_autha;
509 RPC_AUTH_VERIFIER auth_verifier;
510 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
512 make_rpc_hdr_autha(&hdr_autha, 0x1630, 0x1630, 0x0a, 0x06, 0x00);
513 smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rhdr_autha, 0);
514 mem_realloc_data(rhdr_autha->data, rhdr_autha->offset);
516 make_rpc_auth_verifier(&auth_verifier,
517 "NTLMSSP", NTLMSSP_AUTH);
519 smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, auth_resp, 0);
520 mem_realloc_data(auth_resp->data, auth_resp->offset);
522 pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf, &nt_owf_len);
524 make_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
525 lm_owf, nt_owf, nt_owf_len,
526 domain, user_name, my_name,
529 smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, auth_resp, 0);
530 mem_realloc_data(auth_resp->data, auth_resp->offset);
532 /* create the request RPC_HDR */
533 make_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
534 auth_resp->offset + rhdr_autha->offset + 0x10,
537 smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0);
538 mem_realloc_data(rhdr->data, rhdr->offset);
540 if (rhdr->data == NULL || rhdr_autha->data == NULL) return False;
543 /*** link rpc header and authentication responses ***/
546 prs_link(NULL , rhdr , rhdr_autha);
547 prs_link(rhdr , rhdr_autha , auth_resp );
548 prs_link(rhdr_autha, auth_resp , NULL );
554 /*******************************************************************
555 creates a DCE/RPC bind request
557 - initialises the parse structure.
558 - dynamically allocates the header data structure
559 - caller is expected to free the header data structure once used.
561 ********************************************************************/
563 static BOOL create_rpc_request(prs_struct *rhdr, uint8 op_num, int data_len,
570 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n",
573 /* create the rpc header RPC_HDR */
574 make_rpc_hdr(&hdr , RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST,
575 get_rpc_call_id(), data_len, auth_len);
579 alloc_hint = data_len - 0x18 - auth_len - 16;
583 alloc_hint = data_len - 0x18;
586 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
587 data_len, auth_len, alloc_hint));
589 /* create the rpc request RPC_HDR_REQ */
590 make_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
593 smb_io_rpc_hdr ("hdr ", &hdr , rhdr, 0);
594 smb_io_rpc_hdr_req("hdr_req", &hdr_req, rhdr, 0);
596 if (rhdr->data == NULL || rhdr->offset != 0x18) return False;
598 rhdr->data->offset.start = 0;
599 rhdr->data->offset.end = rhdr->offset;
605 /****************************************************************************
606 send a request on an rpc pipe.
607 ****************************************************************************/
608 BOOL rpc_api_pipe_req(struct cli_state *cli, uint16 nt_pipe_fnum, uint8 op_num,
609 prs_struct *data, prs_struct *rdata)
611 /* fudge this, at the moment: create the header; memcpy the data. oops. */
616 prs_struct auth_verf;
624 auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
625 auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
627 /* happen to know that NTLMSSP authentication verifier is 16 bytes */
628 auth_len = (auth_verify ? 16 : 0);
629 data_len = data->offset + auth_len + (auth_verify ? 8 : 0) + 0x18;
630 data->data->offset.end = data->offset;
632 prs_init(&hdr , data_len, 4, SAFETY_MARGIN, False);
633 prs_init(&hdr_auth , 8 , 4, SAFETY_MARGIN, False);
634 prs_init(&auth_verf, auth_len, 4, SAFETY_MARGIN, False);
635 prs_init(&rparam , 0 , 4, 0 , True );
637 create_rpc_request(&hdr, op_num, data_len, auth_len);
641 crc32 = crc32_calc_buffer(data->offset, mem_data(&data->data, 0));
642 NTLMSSPcalc_ap(cli, (uchar*)mem_data(&data->data, 0), data->offset);
645 if (auth_seal || auth_verify)
647 RPC_HDR_AUTH rhdr_auth;
649 make_rpc_hdr_auth(&rhdr_auth, 0x0a, 0x06, 0x08, (auth_verify ? 1 : 0));
650 smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &hdr_auth, 0);
655 RPC_AUTH_NTLMSSP_CHK chk;
657 make_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++);
658 smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0);
659 NTLMSSPcalc_ap(cli, (uchar*)mem_data(&auth_verf.data, 4), 12);
662 if (auth_seal || auth_verify)
664 prs_link(NULL , &hdr , data );
665 prs_link(&hdr , data , &hdr_auth );
666 prs_link(data , &hdr_auth , &auth_verf);
667 prs_link(&hdr_auth, &auth_verf, NULL );
671 prs_link(NULL, &hdr, data);
672 prs_link(&hdr, data, NULL);
675 mem_realloc_data(hdr.data, data_len);
677 DEBUG(100,("data_len: %x data_calc_len: %x\n",
678 data_len, mem_buf_len(data->data)));
680 /* this is a hack due to limitations in rpc_api_pipe */
681 prs_init(&dataa, mem_buf_len(hdr.data), 4, 0x0, False);
682 mem_buf_copy(dataa.data->data, hdr.data, 0, mem_buf_len(hdr.data));
684 ret = rpc_api_pipe(cli, nt_pipe_fnum, 0x0026, NULL, &dataa, &rparam, rdata);
686 prs_mem_free(&hdr_auth );
687 prs_mem_free(&auth_verf);
688 prs_mem_free(&rparam );
690 prs_mem_free(&dataa );
695 /****************************************************************************
697 ****************************************************************************/
699 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, uint16 nt_pipe_fnum,
700 char *pipe_name, uint16 device_state)
702 BOOL state_set = False;
704 uint16 setup[2]; /* only need 2 uint16 setup parameters */
707 uint32 rparam_len, rdata_len;
709 if (pipe_name == NULL) return False;
711 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
712 nt_pipe_fnum, pipe_name, device_state));
714 /* create parameters: device state */
715 SSVAL(param, 0, device_state);
717 /* create setup parameters. */
719 setup[1] = nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
721 /* send the data on \PIPE\ */
722 if (cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
723 setup, 2, 0, /* setup, length, max */
724 param, 2, 0, /* param, length, max */
725 NULL, 0, 1024, /* data, length, max */
726 &rparam, &rparam_len, /* return param, length */
727 &rdata, &rdata_len)) /* return data, length */
729 DEBUG(5, ("Set Handle state: return OK\n"));
733 if (rparam) free(rparam);
734 if (rdata ) free(rdata );
739 /****************************************************************************
740 check the rpc bind acknowledge response
741 ****************************************************************************/
743 static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *transfer)
747 while (pipe_names[pipe_idx].client_pipe != NULL)
749 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
751 DEBUG(5,("Bind Abstract Syntax: "));
752 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
753 sizeof(pipe_names[pipe_idx].abstr_syntax));
754 DEBUG(5,("Bind Transfer Syntax: "));
755 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
756 sizeof(pipe_names[pipe_idx].trans_syntax));
758 /* copy the required syntaxes out so we can do the right bind */
759 memcpy(transfer, &(pipe_names[pipe_idx].trans_syntax),
760 sizeof(pipe_names[pipe_idx].trans_syntax));
761 memcpy(abstract, &(pipe_names[pipe_idx].abstr_syntax),
762 sizeof(pipe_names[pipe_idx].abstr_syntax));
769 DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name));
773 /****************************************************************************
774 check the rpc bind acknowledge response
775 ****************************************************************************/
777 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, char *pipe_name, RPC_IFACE *transfer)
781 while ((pipe_names[i].client_pipe != NULL) && hdr_ba->addr.len > 0)
783 DEBUG(6,("bind_rpc_pipe: searching pipe name: client:%s server:%s\n",
784 pipe_names[i].client_pipe , pipe_names[i].server_pipe ));
786 if ((strequal(pipe_name, pipe_names[i].client_pipe )))
788 if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe ))
790 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n",
791 pipe_names[i].server_pipe ));
796 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
797 pipe_names[i].server_pipe ,
808 if (pipe_names[i].server_pipe == NULL)
810 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
814 /* check the transfer syntax */
815 if (!((hdr_ba->transfer.version == transfer->version) &&
816 (memcmp(hdr_ba->transfer.data, transfer->data,
817 sizeof(transfer->version)) ==0)))
819 DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n"));
823 /* lkclXXXX only accept one result: check the result(s) */
824 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0)
826 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
827 hdr_ba->res.num_results, hdr_ba->res.reason));
830 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
834 /****************************************************************************
836 ****************************************************************************/
838 static BOOL rpc_pipe_bind(struct cli_state *cli, uint16 nt_pipe_fnum,
840 RPC_IFACE *abstract, RPC_IFACE *transfer,
847 prs_struct auth_ntlm;
852 BOOL valid_ack = False;
853 BOOL ntlmssp_auth = cli->ntlmssp_cli_flgs != 0;
856 if (pipe_name == NULL || abstract == NULL || transfer == NULL)
861 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", nt_pipe_fnum, pipe_name));
863 if (!valid_pipe_name(pipe_name, abstract, transfer)) return False;
865 prs_init(&hdr , 0x10 , 4, 0x0 , False);
866 prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False);
867 prs_init(&hdr_auth , (ntlmssp_auth ? 8 : 0), 4, SAFETY_MARGIN, False);
868 prs_init(&auth_req , (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False);
869 prs_init(&auth_ntlm, (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False);
871 prs_init(&rdata , 0 , 4, SAFETY_MARGIN, True);
872 prs_init(&rparam , 0 , 4, SAFETY_MARGIN, True);
874 rpc_call_id = get_rpc_call_id();
875 create_rpc_bind_req(&hdr, &hdr_rb,
876 ntlmssp_auth ? &hdr_auth : NULL,
877 ntlmssp_auth ? &auth_req : NULL,
878 ntlmssp_auth ? &auth_ntlm : NULL,
881 global_myname, cli->domain, cli->ntlmssp_cli_flgs);
883 /* this is a hack due to limitations in rpc_api_pipe */
884 prs_init(&data, mem_buf_len(hdr.data), 4, 0x0, False);
885 mem_buf_copy(data.data->data, hdr.data, 0, mem_buf_len(hdr.data));
887 /* send data on \PIPE\. receive a response */
888 if (rpc_api_pipe(cli, nt_pipe_fnum, 0x0026, NULL, &data, &rparam, &rdata))
891 RPC_HDR_AUTH rhdr_auth;
892 RPC_AUTH_VERIFIER rhdr_verf;
893 RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
895 DEBUG(5, ("rpc_api_pipe: return OK\n"));
897 smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0);
899 if (rdata.offset != 0)
901 valid_ack = check_bind_response(&hdr_ba, pipe_name, transfer);
906 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
907 cli->max_recv_frag = hdr_ba.bba.max_rsize;
910 if (valid_ack && ntlmssp_auth)
912 smb_io_rpc_hdr_auth("", &rhdr_auth, &rdata, 0);
913 if (rdata.offset == 0) valid_ack = False;
916 if (valid_ack && ntlmssp_auth)
918 smb_io_rpc_auth_verifier("", &rhdr_verf, &rdata, 0);
919 if (rdata.offset == 0) valid_ack = False;
921 if (valid_ack && ntlmssp_auth)
923 smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, &rdata, 0);
924 if (rdata.offset == 0) valid_ack = False;
926 if (valid_ack && ntlmssp_auth)
928 unsigned char p24[24];
929 unsigned char lm_owf[24];
930 unsigned char lm_hash[16];
933 prs_struct hdr_autha;
934 prs_struct auth_resp;
937 cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
939 prs_init(&hdra , 0x10, 4, 0x0 , False);
940 prs_init(&hdr_autha, 1024, 4, SAFETY_MARGIN, False);
941 prs_init(&auth_resp, 1024, 4, SAFETY_MARGIN, False);
943 pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
945 create_rpc_bind_resp(&cli->pwd, cli->domain,
946 cli->user_name, global_myname,
947 cli->ntlmssp_cli_flgs,
949 &hdra, &hdr_autha, &auth_resp);
951 pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL, NULL);
952 pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
953 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
964 for (ind = 0; ind < 256; ind++)
966 cli->ntlmssp_hash[ind] = (unsigned char)ind;
969 for( ind = 0; ind < 256; ind++)
973 j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
975 tc = cli->ntlmssp_hash[ind];
976 cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
977 cli->ntlmssp_hash[j] = tc;
980 cli->ntlmssp_hash[256] = 0;
981 cli->ntlmssp_hash[257] = 0;
983 /* NTLMSSPhash(cli->ntlmssp_hash, p24); */
984 bzero(lm_hash, sizeof(lm_hash));
986 /* this is a hack due to limitations in rpc_api_pipe */
987 prs_init(&dataa, mem_buf_len(hdra.data), 4, 0x0, False);
988 mem_buf_copy(dataa.data->data, hdra.data, 0, mem_buf_len(hdra.data));
990 if (cli_write(cli, nt_pipe_fnum, 0x0008,
992 dataa.data->data_used) < 0)
999 cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
1002 prs_mem_free(&hdra);
1003 prs_mem_free(&dataa);
1004 prs_mem_free(&hdr_autha);
1005 prs_mem_free(&auth_resp);
1009 prs_mem_free(&data );
1010 prs_mem_free(&hdr );
1011 prs_mem_free(&hdr_rb );
1012 prs_mem_free(&hdr_auth );
1013 prs_mem_free(&auth_req );
1014 prs_mem_free(&auth_ntlm);
1015 prs_mem_free(&rdata );
1016 prs_mem_free(&rparam );
1021 /****************************************************************************
1022 set ntlmssp negotiation flags
1023 ****************************************************************************/
1025 void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs)
1027 cli->ntlmssp_cli_flgs = ntlmssp_flgs;
1031 /****************************************************************************
1033 ****************************************************************************/
1035 BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name, uint16* nt_pipe_fnum)
1041 /******************* open the pipe *****************/
1042 if (IS_BITS_SET_ALL(cli->capabilities, CAP_NT_SMBS))
1044 if ((fnum = cli_nt_create(cli, &(pipe_name[5]))) == -1)
1046 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1047 &(pipe_name[5]), cli->desthost, cli_errstr(cli)));
1051 *nt_pipe_fnum = (uint16)fnum;
1055 if ((fnum = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE)) == -1)
1057 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1058 pipe_name, cli->desthost, cli_errstr(cli)));
1062 *nt_pipe_fnum = (uint16)fnum;
1064 /**************** Set Named Pipe State ***************/
1065 if (!rpc_pipe_set_hnd_state(cli, *nt_pipe_fnum, pipe_name, 0x4300))
1067 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1069 cli_close(cli, *nt_pipe_fnum);
1075 /******************* bind request on pipe *****************/
1077 if (!rpc_pipe_bind(cli, *nt_pipe_fnum, pipe_name,
1078 &abstract, &transfer,
1081 DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n",
1083 cli_close(cli, *nt_pipe_fnum);
1088 * Setup the remote server name prefixed by \ and the machine account name.
1091 fstrcpy(cli->srv_name_slash, "\\\\");
1092 fstrcat(cli->srv_name_slash, cli->desthost);
1093 strupper(cli->srv_name_slash);
1095 fstrcpy(cli->clnt_name_slash, "\\\\");
1096 fstrcat(cli->clnt_name_slash, global_myname);
1097 strupper(cli->clnt_name_slash);
1099 fstrcpy(cli->mach_acct, global_myname);
1100 fstrcat(cli->mach_acct, "$");
1101 strupper(cli->mach_acct);
1106 /****************************************************************************
1108 ****************************************************************************/
1110 void cli_nt_session_close(struct cli_state *cli, uint16 nt_pipe_fnum)
1112 cli_close(cli, nt_pipe_fnum);