3 * Unix SMB/Netbios implementation.
5 * RPC Pipe client / server routines
6 * Copyright (C) Andrew Tridgell 1992-1998,
7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
8 * Copyright (C) Paul Ashton 1998.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
32 extern int DEBUGLEVEL;
33 extern struct pipe_id_info pipe_names[];
34 extern pstring global_myname;
36 /********************************************************************
38 ********************************************************************/
39 static uint32 get_rpc_call_id(void)
41 static uint32 call_id = 0;
45 /*******************************************************************
46 uses SMBreadX to get rest of rpc data
47 ********************************************************************/
49 static BOOL rpc_read(struct cli_state *cli, uint16 fnum,
50 prs_struct *rdata, uint32 data_to_read,
51 uint32 rdata_offset, BOOL one_only)
53 size_t size = cli->max_recv_frag;
57 uint32 new_data_size = rdata_offset + data_to_read;
61 DEBUG(5,("rpc_read: data_to_read: %d data offset: %d file offset: %d\n",
62 data_to_read, rdata_offset, file_offset));
64 if (new_data_size > rdata->data->data_size)
66 mem_grow_data(&rdata->data, True, new_data_size, True);
67 DEBUG(5,("rpc_read: grow buffer to %d\n", rdata->data->data_used));
70 data = rdata->data->data + rdata_offset;
72 do /* read data using SMBreadX */
74 if (size > data_to_read)
79 num_read = cli_read(cli, fnum, data, file_offset, size);
81 DEBUG(5,("rpc_read: read offset: %d read: %d to read: %d\n",
82 file_offset, num_read, data_to_read));
84 data_to_read -= num_read;
85 file_offset += num_read;
88 if (cli_error(cli, &cls, &type))
90 if (cls != ERRDOS || type != ERRmoredata)
96 } while (!one_only && num_read > 0 && data_to_read > 0);
98 rdata->data->offset.end = new_data_size;
100 DEBUG(5,("rpc_read: offset end: 0x%x. data left to read:0x%x\n",
101 rdata->data->offset.end, data_to_read));
106 /****************************************************************************
108 ****************************************************************************/
109 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
110 BOOL *first, BOOL *last, int *len)
112 DEBUG(5,("rpc_check_hdr: rdata->data->data_used: %d\n", rdata->data->data_used));
114 smb_io_rpc_hdr ("rpc_hdr ", rhdr , rdata, 0);
116 if (!rdata->offset || rdata->offset != 0x10)
118 DEBUG(0,("cli_pipe: error in rpc header\n"));
122 DEBUG(5,("rpc_check_hdr: (after smb_io_rpc_hdr call) rdata->data->data_used: %d\n",
123 rdata->data->data_used));
125 (*first ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_FIRST);
126 (*last ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_LAST );
127 (*len ) = rhdr->frag_len - rdata->data->data_used;
129 return rhdr->pkt_type != RPC_FAULT;
132 static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, int len)
134 unsigned char *hash = cli->ntlmssp_hash;
135 unsigned char index_i = hash[256];
136 unsigned char index_j = hash[257];
139 for( ind = 0; ind < len; ind++)
145 index_j += hash[index_i];
148 hash[index_i] = hash[index_j];
151 t = hash[index_i] + hash[index_j];
152 data[ind] = data[ind] ^ hash[t];
159 /****************************************************************************
160 decrypt data on an rpc pipe
161 ****************************************************************************/
163 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
164 int len, int auth_len)
166 RPC_AUTH_NTLMSSP_CHK chk;
168 int data_len = len - 0x18 - auth_len - 8;
169 char *reply_data = mem_data(&rdata->data, 0x18);
171 BOOL auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
172 BOOL auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
174 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
175 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal)));
177 if (reply_data == NULL) return False;
181 DEBUG(10,("rpc_auth_pipe: seal\n"));
182 dump_data(100, reply_data, data_len);
183 NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
184 dump_data(100, reply_data, data_len);
187 if (auth_verify || auth_seal)
189 RPC_HDR_AUTH rhdr_auth;
191 char *data = mem_data(&rdata->data, len - auth_len - 8);
192 prs_init(&auth_req , 0x08, 4, 0, True);
193 memcpy(auth_req.data->data, data, 8);
194 smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0);
195 prs_mem_free(&auth_req);
197 if (!rpc_hdr_auth_chk(&rhdr_auth))
205 prs_struct auth_verf;
206 char *data = mem_data(&rdata->data, len - auth_len);
207 if (data == NULL) return False;
209 DEBUG(10,("rpc_auth_pipe: verify\n"));
210 dump_data(100, data, auth_len);
211 NTLMSSPcalc_ap(cli, (uchar*)(data+4), auth_len - 4);
212 prs_init(&auth_verf, 0x08, 4, 0, True);
213 memcpy(auth_verf.data->data, data, 16);
214 smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0);
215 dump_data(100, data, auth_len);
216 prs_mem_free(&auth_verf);
221 crc32 = crc32_calc_buffer(data_len, reply_data);
222 if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num))
226 cli->ntlmssp_seq_num++;
232 /****************************************************************************
233 send data on an rpc pipe, which *must* be in one fragment.
234 receive response data from an rpc pipe, which may be large...
236 read the first fragment: unfortunately have to use SMBtrans for the first
237 bit, then SMBreadX for subsequent bits.
239 if first fragment received also wasn't the last fragment, continue
240 getting fragments until we _do_ receive the last fragment.
242 [note: from a data abstraction viewpoint, this function is marginally
243 complicated by the return side of cli_api_pipe getting in the way
244 (i.e, the SMB header stuff). the proper way to do this is to split
245 cli_api_pipe down into receive / transmit. oh, and split cli_readx
246 down. in other words, state-based (kernel) techniques...]
248 ****************************************************************************/
250 static BOOL rpc_api_pipe(struct cli_state *cli, uint16 fnum,
251 BOOL bind_rq, uint16 cmd,
252 prs_struct *param , prs_struct *data,
253 prs_struct *rparam, prs_struct *rdata)
257 uint16 setup[2]; /* only need 2 uint16 setup parameters */
262 BOOL used_smb_trans = False;
266 * Setup the pointers from the incoming.
268 char *pparams = param ? param->data->data : NULL;
269 int params_len = param ? param->data->data_used : 0;
270 char *pdata = data ? data->data->data : NULL;
271 int data_len = data ? data->data->data_used : 0;
274 * Setup the pointers to the outgoing.
276 char **pp_ret_params = rparam ? &rparam->data->data : NULL;
277 uint32 *p_ret_params_len = rparam ? &rparam->data->data_used : NULL;
279 char **pp_ret_data = rdata ? &rdata->data->data : NULL;
280 uint32 *p_ret_data_len = rdata ? &rdata->data->data_used : NULL;
282 /* create setup parameters. */
284 setup[1] = fnum; /* pipe file handle. got this from an SMBOpenX. */
286 if (data_len > 2048 && !bind_rq)
290 DEBUG(5,("rpc_api_pipe: cli_write %d\n", data_len));
292 written = cli_write(cli, fnum, 0x0008, pdata, 0, data_len);
294 if (written != data_len)
298 cli_safe_errstr(cli, errstr, sizeof(errstr)-1);
299 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", errstr));
303 DEBUG(5,("rpc_api_pipe: rpc_read after write\n"));
310 DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", cmd, fnum));
311 used_smb_trans = True;
313 /* send the data: receive a response. */
314 if (!cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
315 setup, 2, 0, /* Setup, length, max */
316 pparams, params_len, 0, /* Params, length, max */
317 pdata, data_len, 2048, /* data, length, max */
318 pp_ret_params, p_ret_params_len, /* return params, len */
319 pp_ret_data, p_ret_data_len)) /* return data, len */
322 cli_safe_errstr(cli, errstr, sizeof(errstr)-1);
323 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", errstr));
327 if (rdata->data->data == NULL) return False;
329 /**** parse the header: check it's a response record */
331 rdata->data->offset.start = 0;
332 rdata->data->offset.end = rdata->data->data_used;
335 /* cli_api_pipe does an ordinary Realloc - we have no margins now. */
336 rdata->data->margin = 0;
337 if (rparam) rparam->data->margin = 0;
339 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len))
344 if (rhdr.pkt_type == RPC_BINDACK)
348 DEBUG(5,("rpc_api_pipe: bug in AS/U, setting fragment first/last ON\n"));
354 if (rhdr.pkt_type == RPC_RESPONSE)
356 RPC_HDR_RESP rhdr_resp;
357 smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0);
360 DEBUG(5,("rpc_api_pipe: len left: %d smbtrans read: %d\n",
361 len, rdata->data->data_used));
363 /* check if data to be sent back was too large for one SMB. */
364 /* err status is only informational: the _real_ check is on the length */
365 if (len > 0) /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
367 if (!rpc_read(cli, fnum, rdata, len, rdata->data->data_used, False))
373 if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
378 /* only one rpc fragment, and it has been read */
381 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
387 while (!last) /* read more fragments until we get the last one */
389 RPC_HDR_RESP rhdr_resp;
393 prs_init(&hps, 0x18, 4, 0, True);
395 num_read = cli_read(cli, fnum, hps.data->data, 0, 0x18);
396 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
398 if (num_read != 0x18) return False;
400 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
405 smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0);
409 if (cli_error(cli, &cls, &type))
411 if (cls != ERRDOS || type != ERRmoredata)
417 if (first && used_smb_trans)
419 DEBUG(0,("rpc_api_pipe: wierd rpc header received\n"));
423 if (!rpc_read(cli, fnum, rdata, len, rdata->data->data_used, False))
428 if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
437 /*******************************************************************
438 creates a DCE/RPC bind request
440 - initialises the parse structure.
441 - dynamically allocates the header data structure
442 - caller is expected to free the header data structure once used.
444 ********************************************************************/
445 static BOOL create_rpc_bind_req(prs_struct *rhdr,
447 prs_struct *rhdr_auth,
448 prs_struct *auth_req,
449 prs_struct *auth_ntlm,
451 RPC_IFACE *abstract, RPC_IFACE *transfer,
452 char *my_name, char *domain, uint32 neg_flags)
456 RPC_HDR_AUTH hdr_auth;
457 RPC_AUTH_NTLMSSP_VERIFIER auth_verifier;
458 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
460 /* create the bind request RPC_HDR_RB */
461 make_rpc_hdr_rb(&hdr_rb, 0x1630, 0x1630, 0x0,
462 0x1, 0x0, 0x1, abstract, transfer);
464 /* stream the bind request data */
465 smb_io_rpc_hdr_rb("", &hdr_rb, rhdr_rb, 0);
466 mem_realloc_data(rhdr_rb->data, rhdr_rb->offset);
468 if (auth_req != NULL && rhdr_auth != NULL && auth_ntlm != NULL)
470 make_rpc_hdr_auth(&hdr_auth, 0x0a, 0x06, 0x00, 1);
471 smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rhdr_auth, 0);
472 mem_realloc_data(rhdr_auth->data, rhdr_auth->offset);
474 make_rpc_auth_ntlmssp_verifier(&auth_verifier,
475 "NTLMSSP", NTLMSSP_NEGOTIATE);
477 smb_io_rpc_auth_ntlmssp_verifier("auth_verifier", &auth_verifier, auth_req, 0);
478 mem_realloc_data(auth_req->data, auth_req->offset);
480 make_rpc_auth_ntlmssp_neg(&ntlmssp_neg,
481 neg_flags, my_name, domain);
483 smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, auth_req, 0);
484 mem_realloc_data(auth_req->data, auth_req->offset);
487 /* create the request RPC_HDR */
488 make_rpc_hdr(&hdr, RPC_BIND, 0x0, rpc_call_id,
489 (auth_req != NULL ? auth_req ->offset : 0) +
490 (auth_ntlm != NULL ? auth_ntlm->offset : 0) +
491 (rhdr_auth != NULL ? rhdr_auth->offset : 0) +
492 rhdr_rb->offset + 0x10,
493 (auth_req != NULL ? auth_req ->offset : 0) +
494 (auth_ntlm != NULL ? auth_ntlm->offset : 0));
496 smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0);
497 mem_realloc_data(rhdr->data, rhdr->offset);
499 if (rhdr->data == NULL || rhdr_rb->data == NULL) return False;
502 /*** link rpc header, bind acknowledgment and authentication responses ***/
505 if (auth_req != NULL)
507 prs_link(NULL , rhdr , rhdr_rb );
508 prs_link(rhdr , rhdr_rb , rhdr_auth);
509 prs_link(rhdr_rb , rhdr_auth , auth_req );
510 prs_link(rhdr_auth, auth_req , auth_ntlm);
511 prs_link(auth_req , auth_ntlm , NULL );
515 prs_link(NULL, rhdr , rhdr_rb);
516 prs_link(rhdr, rhdr_rb, NULL );
522 /*******************************************************************
523 creates a DCE/RPC bind authentication response
525 - initialises the parse structure.
526 - dynamically allocates the header data structure
527 - caller is expected to free the header data structure once used.
529 ********************************************************************/
530 BOOL create_rpc_bind_resp(struct pwd_info *pwd,
531 char *domain, char *user_name, char *my_name,
532 uint32 ntlmssp_cli_flgs,
535 prs_struct *rhdr_autha,
536 prs_struct *auth_resp)
539 RPC_HDR_AUTHA hdr_autha;
540 RPC_AUTH_NTLMSSP_VERIFIER auth_verifier;
542 make_rpc_hdr_autha(&hdr_autha, 0x1630, 0x1630, 0x0a, 0x06, 0x00);
543 smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rhdr_autha, 0);
544 mem_realloc_data(rhdr_autha->data, rhdr_autha->offset);
546 make_rpc_auth_ntlmssp_verifier(&auth_verifier,
547 "NTLMSSP", NTLMSSP_AUTH);
549 smb_io_rpc_auth_ntlmssp_verifier("auth_verifier", &auth_verifier, auth_resp, 0);
550 mem_realloc_data(auth_resp->data, auth_resp->offset);
552 create_ntlmssp_resp(pwd, domain, user_name, my_name, ntlmssp_cli_flgs,
555 /* create the request RPC_HDR */
556 make_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
557 auth_resp->offset + rhdr_autha->offset + 0x10,
560 smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0);
561 mem_realloc_data(rhdr->data, rhdr->offset);
563 if (rhdr->data == NULL || rhdr_autha->data == NULL) return False;
566 /*** link rpc header and authentication responses ***/
569 prs_link(NULL , rhdr , rhdr_autha);
570 prs_link(rhdr , rhdr_autha , auth_resp );
571 prs_link(rhdr_autha, auth_resp , NULL );
577 /*******************************************************************
578 creates a DCE/RPC bind request
580 - initialises the parse structure.
581 - dynamically allocates the header data structure
582 - caller is expected to free the header data structure once used.
584 ********************************************************************/
586 static BOOL create_rpc_request(prs_struct *rhdr, uint8 op_num, int data_len,
593 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n",
596 /* create the rpc header RPC_HDR */
597 make_rpc_hdr(&hdr , RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST,
598 get_rpc_call_id(), data_len, auth_len);
602 alloc_hint = data_len - 0x18 - auth_len - 16;
606 alloc_hint = data_len - 0x18;
609 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
610 data_len, auth_len, alloc_hint));
612 /* create the rpc request RPC_HDR_REQ */
613 make_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
616 smb_io_rpc_hdr ("hdr ", &hdr , rhdr, 0);
617 smb_io_rpc_hdr_req("hdr_req", &hdr_req, rhdr, 0);
619 if (rhdr->data == NULL || rhdr->offset != 0x18) return False;
621 rhdr->data->offset.start = 0;
622 rhdr->data->offset.end = rhdr->offset;
628 /****************************************************************************
629 send a request on an rpc pipe.
630 ****************************************************************************/
631 BOOL rpc_api_pipe_req(struct cli_state *cli, uint16 fnum, uint8 op_num,
632 prs_struct *data, prs_struct *rdata)
634 /* fudge this, at the moment: create the header; memcpy the data. oops. */
639 prs_struct auth_verf;
647 auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
648 auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
650 /* happen to know that NTLMSSP authentication verifier is 16 bytes */
651 auth_len = (auth_verify ? 16 : 0);
652 data_len = data->offset + auth_len + (auth_verify ? 8 : 0) + 0x18;
653 data->data->offset.end = data->offset;
655 prs_init(&hdr , data_len, 4, SAFETY_MARGIN, False);
656 prs_init(&hdr_auth , 8 , 4, SAFETY_MARGIN, False);
657 prs_init(&auth_verf, auth_len, 4, SAFETY_MARGIN, False);
658 prs_init(&rparam , 0 , 4, 0 , True );
660 create_rpc_request(&hdr, op_num, data_len, auth_len);
664 crc32 = crc32_calc_buffer(data->offset, mem_data(&data->data, 0));
665 NTLMSSPcalc_ap(cli, (uchar*)mem_data(&data->data, 0), data->offset);
668 if (auth_seal || auth_verify)
670 RPC_HDR_AUTH rhdr_auth;
672 make_rpc_hdr_auth(&rhdr_auth, 0x0a, 0x06, 0x08, (auth_verify ? 1 : 0));
673 smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &hdr_auth, 0);
678 RPC_AUTH_NTLMSSP_CHK chk;
680 make_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++);
681 smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0);
682 NTLMSSPcalc_ap(cli, (uchar*)mem_data(&auth_verf.data, 4), 12);
685 if (auth_seal || auth_verify)
687 prs_link(NULL , &hdr , data );
688 prs_link(&hdr , data , &hdr_auth );
689 prs_link(data , &hdr_auth , &auth_verf);
690 prs_link(&hdr_auth, &auth_verf, NULL );
694 prs_link(NULL, &hdr, data);
695 prs_link(&hdr, data, NULL);
698 mem_realloc_data(hdr.data, data_len);
700 DEBUG(100,("data_len: %x data_calc_len: %x\n",
701 data_len, mem_buf_len(data->data)));
703 /* this is a hack due to limitations in rpc_api_pipe */
704 prs_init(&dataa, mem_buf_len(hdr.data), 4, 0x0, False);
705 mem_buf_copy(dataa.data->data, hdr.data, 0, mem_buf_len(hdr.data));
707 ret = rpc_api_pipe(cli, fnum, False, 0x0026, NULL, &dataa, &rparam, rdata);
709 prs_mem_free(&hdr_auth );
710 prs_mem_free(&auth_verf);
711 prs_mem_free(&rparam );
713 prs_mem_free(&dataa );
718 /****************************************************************************
720 ****************************************************************************/
722 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, uint16 fnum,
723 const char *pipe_name, uint16 device_state)
725 BOOL state_set = False;
727 uint16 setup[2]; /* only need 2 uint16 setup parameters */
730 uint32 rparam_len, rdata_len;
732 if (pipe_name == NULL) return False;
734 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
735 fnum, pipe_name, device_state));
737 /* create parameters: device state */
738 SSVAL(param, 0, device_state);
740 /* create setup parameters. */
742 setup[1] = fnum; /* pipe file handle. got this from an SMBOpenX. */
744 /* send the data on \PIPE\ */
745 if (cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
746 setup, 2, 0, /* setup, length, max */
747 param, 2, 0, /* param, length, max */
748 NULL, 0, 1024, /* data, length, max */
749 &rparam, &rparam_len, /* return param, length */
750 &rdata, &rdata_len)) /* return data, length */
752 DEBUG(5, ("Set Handle state: return OK\n"));
756 if (rparam) free(rparam);
757 if (rdata ) free(rdata );
762 /****************************************************************************
763 check the rpc bind acknowledge response
764 ****************************************************************************/
766 static BOOL valid_pipe_name(const char *pipe_name,
767 RPC_IFACE *abstract, RPC_IFACE *transfer)
771 while (pipe_names[pipe_idx].client_pipe != NULL)
773 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
775 DEBUG(5,("Bind Abstract Syntax:\n"));
776 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
777 sizeof(pipe_names[pipe_idx].abstr_syntax));
778 DEBUG(5,("Bind Transfer Syntax:\n"));
779 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
780 sizeof(pipe_names[pipe_idx].trans_syntax));
782 /* copy the required syntaxes out so we can do the right bind */
783 memcpy(transfer, &(pipe_names[pipe_idx].trans_syntax),
784 sizeof(pipe_names[pipe_idx].trans_syntax));
785 memcpy(abstract, &(pipe_names[pipe_idx].abstr_syntax),
786 sizeof(pipe_names[pipe_idx].abstr_syntax));
793 DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name));
797 /****************************************************************************
798 check the rpc bind acknowledge response
799 ****************************************************************************/
801 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const char *pipe_name,
806 while ((pipe_names[i].client_pipe != NULL) && hdr_ba->addr.len > 0)
808 DEBUG(6,("bind_rpc_pipe: searching pipe name: client:%s server:%s\n",
809 pipe_names[i].client_pipe , pipe_names[i].server_pipe ));
811 if ((strequal(pipe_name, pipe_names[i].client_pipe )))
813 if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe ))
815 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n",
816 pipe_names[i].server_pipe ));
821 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
822 pipe_names[i].server_pipe ,
833 if (pipe_names[i].server_pipe == NULL)
835 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
839 /* check the transfer syntax */
840 if (!((hdr_ba->transfer.version == transfer->version) &&
841 (memcmp(hdr_ba->transfer.data, transfer->data,
842 sizeof(transfer->version)) ==0)))
844 DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n"));
848 /* lkclXXXX only accept one result: check the result(s) */
849 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0)
851 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
852 hdr_ba->res.num_results, hdr_ba->res.reason));
855 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
859 /****************************************************************************
861 ****************************************************************************/
863 static BOOL rpc_pipe_bind(struct cli_state *cli, uint16 fnum,
864 const char *pipe_name,
865 RPC_IFACE *abstract, RPC_IFACE *transfer,
872 prs_struct auth_ntlm;
877 BOOL valid_ack = False;
878 BOOL ntlmssp_auth = cli->ntlmssp_cli_flgs != 0;
881 if (pipe_name == NULL || abstract == NULL || transfer == NULL)
886 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", fnum, pipe_name));
888 if (!valid_pipe_name(pipe_name, abstract, transfer)) return False;
890 prs_init(&hdr , 0x10 , 4, 0x0 , False);
891 prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False);
892 prs_init(&hdr_auth , (ntlmssp_auth ? 8 : 0), 4, SAFETY_MARGIN, False);
893 prs_init(&auth_req , (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False);
894 prs_init(&auth_ntlm, (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False);
896 prs_init(&rdata , 0 , 4, SAFETY_MARGIN, True);
897 prs_init(&rparam , 0 , 4, SAFETY_MARGIN, True);
899 rpc_call_id = get_rpc_call_id();
900 create_rpc_bind_req(&hdr, &hdr_rb,
901 ntlmssp_auth ? &hdr_auth : NULL,
902 ntlmssp_auth ? &auth_req : NULL,
903 ntlmssp_auth ? &auth_ntlm : NULL,
906 global_myname, cli->usr.domain, cli->usr.ntlmssp_flags);
908 /* this is a hack due to limitations in rpc_api_pipe */
909 prs_init(&data, mem_buf_len(hdr.data), 4, 0x0, False);
910 mem_buf_copy(data.data->data, hdr.data, 0, mem_buf_len(hdr.data));
912 cli->max_recv_frag = 0x1000;
914 /* send data on \PIPE\. receive a response */
915 if (rpc_api_pipe(cli, fnum, True, 0x0026, NULL, &data, &rparam, &rdata))
918 RPC_HDR_AUTH rhdr_auth;
919 RPC_AUTH_NTLMSSP_VERIFIER rhdr_verf;
920 RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
922 DEBUG(5, ("rpc_api_pipe: return OK\n"));
924 smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0);
926 if (rdata.offset != 0)
928 valid_ack = check_bind_response(&hdr_ba, pipe_name, transfer);
933 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
934 cli->max_recv_frag = hdr_ba.bba.max_rsize;
937 if (valid_ack && ntlmssp_auth)
939 smb_io_rpc_hdr_auth("", &rhdr_auth, &rdata, 0);
940 if (rdata.offset == 0) valid_ack = False;
943 if (valid_ack && ntlmssp_auth)
945 smb_io_rpc_auth_ntlmssp_verifier("", &rhdr_verf, &rdata, 0);
946 if (rdata.offset == 0) valid_ack = False;
948 if (valid_ack && ntlmssp_auth)
950 smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, &rdata, 0);
951 if (rdata.offset == 0) valid_ack = False;
953 if (valid_ack && ntlmssp_auth)
955 unsigned char p24[24];
956 unsigned char lm_owf[24];
957 unsigned char lm_hash[16];
960 prs_struct hdr_autha;
961 prs_struct auth_resp;
964 cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
966 prs_init(&hdra , 0x10, 4, 0x0 , False);
967 prs_init(&hdr_autha, 1024, 4, SAFETY_MARGIN, False);
968 prs_init(&auth_resp, 1024, 4, SAFETY_MARGIN, False);
970 pwd_make_lm_nt_owf(&cli->usr.pwd, rhdr_chal.challenge);
972 create_rpc_bind_resp(&cli->usr.pwd, cli->usr.domain,
973 cli->usr.user_name, global_myname,
974 cli->ntlmssp_cli_flgs,
976 &hdra, &hdr_autha, &auth_resp);
978 pwd_get_lm_nt_owf(&cli->usr.pwd, lm_owf, NULL, NULL, NULL);
979 pwd_get_lm_nt_16(&cli->usr.pwd, lm_hash, NULL);
980 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
991 for (ind = 0; ind < 256; ind++)
993 cli->ntlmssp_hash[ind] = (unsigned char)ind;
996 for( ind = 0; ind < 256; ind++)
1000 j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
1002 tc = cli->ntlmssp_hash[ind];
1003 cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
1004 cli->ntlmssp_hash[j] = tc;
1007 cli->ntlmssp_hash[256] = 0;
1008 cli->ntlmssp_hash[257] = 0;
1010 /* NTLMSSPhash(cli->ntlmssp_hash, p24); */
1011 bzero(lm_hash, sizeof(lm_hash));
1013 /* this is a hack due to limitations in rpc_api_pipe */
1014 prs_init(&dataa, mem_buf_len(hdra.data), 4, 0x0, False);
1015 mem_buf_copy(dataa.data->data, hdra.data, 0, mem_buf_len(hdra.data));
1017 if (cli_write(cli, fnum, 0x0008,
1018 dataa.data->data, 0,
1019 dataa.data->data_used) < 0)
1026 cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
1029 prs_mem_free(&hdra);
1030 prs_mem_free(&dataa);
1031 prs_mem_free(&hdr_autha);
1032 prs_mem_free(&auth_resp);
1036 prs_mem_free(&data );
1037 prs_mem_free(&hdr );
1038 prs_mem_free(&hdr_rb );
1039 prs_mem_free(&hdr_auth );
1040 prs_mem_free(&auth_req );
1041 prs_mem_free(&auth_ntlm);
1042 prs_mem_free(&rdata );
1043 prs_mem_free(&rparam );
1048 /****************************************************************************
1049 set ntlmssp negotiation flags
1050 ****************************************************************************/
1052 void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs)
1054 cli->ntlmssp_cli_flgs = ntlmssp_flgs;
1058 /****************************************************************************
1060 ****************************************************************************/
1062 BOOL cli_nt_session_open(struct cli_state *cli, const char *pipe_name,
1068 /******************* open the pipe *****************/
1069 if (IS_BITS_SET_ALL(cli->capabilities, CAP_NT_SMBS))
1072 f = cli_nt_create(cli, &(pipe_name[5]));
1076 cli_safe_errstr(cli, errstr, sizeof(errstr)-1);
1077 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1078 &(pipe_name[5]), cli->desthost, errstr));
1086 f = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE);
1090 cli_safe_errstr(cli, errstr, sizeof(errstr)-1);
1091 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1092 pipe_name, cli->desthost, errstr));
1097 /**************** Set Named Pipe State ***************/
1098 if (!rpc_pipe_set_hnd_state(cli, *fnum, pipe_name, 0x4300))
1101 cli_safe_errstr(cli, errstr, sizeof(errstr)-1);
1102 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1104 cli_close(cli, *fnum);
1110 /******************* bind request on pipe *****************/
1112 if (!rpc_pipe_bind(cli, *fnum, pipe_name,
1113 &abstract, &transfer,
1117 cli_safe_errstr(cli, errstr, sizeof(errstr)-1);
1118 DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n",
1120 cli_close(cli, *fnum);
1125 * Setup the remote server name prefixed by \ and the machine account name.
1128 fstrcpy(cli->srv_name_slash, "\\\\");
1129 fstrcat(cli->srv_name_slash, cli->desthost);
1130 strupper(cli->srv_name_slash);
1132 fstrcpy(cli->clnt_name_slash, "\\\\");
1133 fstrcat(cli->clnt_name_slash, global_myname);
1134 strupper(cli->clnt_name_slash);
1136 fstrcpy(cli->mach_acct, global_myname);
1137 fstrcat(cli->mach_acct, "$");
1138 strupper(cli->mach_acct);
1143 /****************************************************************************
1145 ****************************************************************************/
1147 void cli_nt_session_close(struct cli_state *cli, uint16 fnum)
1149 cli_close(cli, fnum);