2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998,
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 extern int DEBUGLEVEL;
28 extern struct pipe_id_info pipe_names[];
29 extern fstring global_myworkgroup;
30 extern pstring global_myname;
32 /********************************************************************
34 ********************************************************************/
36 static uint32 get_rpc_call_id(void)
38 static uint32 call_id = 0;
42 /*******************************************************************
43 Use SMBreadX to get rest of one fragment's worth of rpc data.
44 ********************************************************************/
46 static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
48 size_t size = (size_t)cli->max_recv_frag;
49 int stream_offset = 0;
52 int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
54 DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
55 (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
58 * Grow the buffer if needed to accommodate the data to be read.
61 if (extra_data_size > 0) {
62 if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
63 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
66 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
69 pdata = prs_data_p(rdata) + *rdata_offset;
71 do /* read data using SMBreadX */
76 if (size > (size_t)data_to_read)
77 size = (size_t)data_to_read;
79 num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
81 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
82 num_read, stream_offset, data_to_read));
84 if (cli_is_dos_error(cli) &&
85 cli_dos_error(cli, &eclass, &ecode) &&
86 (eclass != ERRDOS && ecode != ERRmoredata)) {
87 DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
88 eclass, (unsigned int)ecode));
92 data_to_read -= num_read;
93 stream_offset += num_read;
96 } while (num_read > 0 && data_to_read > 0);
97 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
100 * Update the current offset into rdata by the amount read.
102 *rdata_offset += stream_offset;
107 /****************************************************************************
108 Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
109 ****************************************************************************/
111 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
112 BOOL *first, BOOL *last, uint32 *len)
114 DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
116 /* Next call sets endian bit. */
118 if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) {
119 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
123 if (prs_offset(rdata) != RPC_HEADER_LEN) {
124 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
128 (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
129 (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
130 (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
132 return (rhdr->pkt_type != RPC_FAULT);
135 static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len)
137 unsigned char *hash = cli->ntlmssp_hash;
138 unsigned char index_i = hash[256];
139 unsigned char index_j = hash[257];
142 for( ind = 0; ind < len; ind++) {
147 index_j += hash[index_i];
150 hash[index_i] = hash[index_j];
153 t = hash[index_i] + hash[index_j];
154 data[ind] = data[ind] ^ hash[t];
161 /****************************************************************************
162 Verify data on an rpc pipe.
163 The VERIFY & SEAL code is only executed on packets that look like this :
165 Request/Response PDU's look like the following...
167 |<------------------PDU len----------------------------------------------->|
168 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
170 +------------+-----------------+-------------+---------------+-------------+
171 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
172 +------------+-----------------+-------------+---------------+-------------+
174 Never on bind requests/responses.
175 ****************************************************************************/
177 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, int len, int auth_len)
180 * The following is that length of the data we must sign or seal.
181 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
182 * preceeding the auth_data.
185 int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
188 * The start of the data to sign/seal is just after the RPC headers.
190 char *reply_data = prs_data_p(rdata) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
192 BOOL auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
193 BOOL auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
195 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
196 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal)));
199 * Unseal any sealed data in the PDU, not including the
200 * 8 byte auth_header or the auth_data.
204 DEBUG(10,("rpc_auth_pipe: unseal\n"));
205 dump_data(100, reply_data, data_len);
206 NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
207 dump_data(100, reply_data, data_len);
210 if (auth_verify || auth_seal) {
211 RPC_HDR_AUTH rhdr_auth;
213 char data[RPC_HDR_AUTH_LEN];
215 * We set dp to be the end of the packet, minus the auth_len
216 * and the length of the header that preceeds the auth_data.
218 char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN;
220 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
221 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
225 memcpy(data, dp, sizeof(data));
227 prs_init(&auth_req , 0, cli->mem_ctx, UNMARSHALL);
229 /* The endianness must be preserved... JRA. */
231 prs_set_endian_data(&auth_req, rdata->bigendian_data);
233 prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False);
236 * Unmarshall the 8 byte auth_header that comes before the
240 if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) {
241 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n"));
245 if (!rpc_hdr_auth_chk(&rhdr_auth)) {
246 DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n"));
252 * Now unseal and check the auth verifier in the auth_data at
253 * then end of the packet. The 4 bytes skipped in the unseal
254 * seem to be a buffer pointer preceeding the sealed data.
258 RPC_AUTH_NTLMSSP_CHK chk;
260 prs_struct auth_verf;
261 char data[RPC_AUTH_NTLMSSP_CHK_LEN];
262 char *dp = prs_data_p(rdata) + len - auth_len;
264 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
265 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
269 DEBUG(10,("rpc_auth_pipe: verify\n"));
270 dump_data(100, dp, auth_len);
271 NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4);
273 memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN);
274 dump_data(100, data, auth_len);
276 prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
278 /* The endinness must be preserved. JRA. */
279 prs_set_endian_data( &auth_verf, rdata->bigendian_data);
281 prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False);
283 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) {
284 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n"));
288 crc32 = crc32_calc_buffer(reply_data, data_len);
290 if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) {
291 DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n"));
294 cli->ntlmssp_seq_num++;
300 /****************************************************************************
301 Send data on an rpc pipe, which *must* be in one fragment.
302 receive response data from an rpc pipe, which may be large...
304 Read the first fragment: unfortunately have to use SMBtrans for the first
305 bit, then SMBreadX for subsequent bits.
307 If first fragment received also wasn't the last fragment, continue
308 getting fragments until we _do_ receive the last fragment.
310 Request/Response PDU's look like the following...
312 |<------------------PDU len----------------------------------------------->|
313 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
315 +------------+-----------------+-------------+---------------+-------------+
316 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
317 +------------+-----------------+-------------+---------------+-------------+
319 Where the presence of the AUTH_HDR and AUTH are dependent on the
320 signing & sealing being neogitated.
322 ****************************************************************************/
324 static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, prs_struct *data, prs_struct *rdata)
328 uint32 rparam_len = 0;
333 char *pdata = data ? prs_data_p(data) : NULL;
334 uint32 data_len = data ? prs_offset(data) : 0;
336 uint32 rdata_len = 0;
337 uint32 current_offset = 0;
339 /* Create setup parameters - must be in native byte order. */
342 setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
344 DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", (int)cmd,
345 (int)cli->nt_pipe_fnum));
347 /* Send the RPC request and receive a response. For short RPC
348 calls (about 1024 bytes or so) the RPC request and response
349 appears in a SMBtrans request and response. Larger RPC
350 responses are received further on. */
352 if (!cli_api_pipe(cli, "\\PIPE\\",
353 setup, 2, 0, /* Setup, length, max */
354 NULL, 0, 0, /* Params, length, max */
355 pdata, data_len, data_len, /* data, length, max */
356 &rparam, &rparam_len, /* return params, len */
357 &prdata, &rdata_len)) /* return data, len */
359 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
363 /* Throw away returned params - we know we won't use them. */
370 if (prdata == NULL) {
371 DEBUG(0,("rpc_api_pipe: cmd %x on pipe %x failed to return data.\n",
372 (int)cmd, (int)cli->nt_pipe_fnum));
377 * Give this memory as dynamically allocated to the return parse
381 prs_give_memory(rdata, prdata, rdata_len, True);
382 current_offset = rdata_len;
384 /* This next call sets the endian bit correctly in rdata. */
386 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
391 if (rhdr.pkt_type == RPC_BINDACK) {
392 if (!last && !first) {
393 DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
399 if (rhdr.pkt_type == RPC_RESPONSE) {
400 RPC_HDR_RESP rhdr_resp;
401 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
402 DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
408 DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
409 (unsigned int)len, (unsigned int)rdata_len ));
411 /* check if data to be sent back was too large for one SMBtrans */
412 /* err status is only informational: the _real_ check is on the
416 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
418 /* Read the remaining part of the first response fragment */
420 if (!rpc_read(cli, rdata, len, ¤t_offset)) {
427 * Now we have a complete PDU, check the auth struct if any was sent.
430 if (rhdr.auth_len != 0) {
431 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
434 * Drop the auth footers from the current offset.
435 * We need this if there are more fragments.
436 * The auth footers consist of the auth_data and the
437 * preceeding 8 byte auth_header.
439 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
443 * Only one rpc fragment, and it has been read.
447 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
452 * Read more fragments using SMBreadX until we get one with the
457 RPC_HDR_RESP rhdr_resp;
459 char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
465 * First read the header of the next PDU.
468 prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
469 prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
471 num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
472 if (cli_is_dos_error(cli) &&
473 cli_dos_error(cli, &eclass, &ecode) &&
474 (eclass != ERRDOS && ecode != ERRmoredata)) {
475 DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n",
480 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
482 if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
483 DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
484 RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
488 /* This call sets the endianness in hps. */
490 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
493 /* Ensure the endianness in rdata is set correctly - must be same as hps. */
495 if (hps.bigendian_data != rdata->bigendian_data) {
496 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
497 rdata->bigendian_data ? "big" : "little",
498 hps.bigendian_data ? "big" : "little" ));
502 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
503 DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
508 DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
513 * Now read the rest of the PDU.
516 if (!rpc_read(cli, rdata, len, ¤t_offset))
520 * Verify any authentication footer.
523 if (rhdr.auth_len != 0 ) {
524 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
527 * Drop the auth footers from the current offset.
528 * The auth footers consist of the auth_data and the
529 * preceeding 8 byte auth_header.
530 * We need this if there are more fragments.
532 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
539 /*******************************************************************
540 creates a DCE/RPC bind request
542 - initialises the parse structure.
543 - dynamically allocates the header data structure
544 - caller is expected to free the header data structure once used.
546 ********************************************************************/
548 static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, uint32 rpc_call_id,
549 RPC_IFACE *abstract, RPC_IFACE *transfer,
550 char *my_name, char *domain, uint32 neg_flags)
555 prs_struct auth_info;
558 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
561 RPC_HDR_AUTH hdr_auth;
562 RPC_AUTH_VERIFIER auth_verifier;
563 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
566 * Create the auth structs we will marshall.
569 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1);
570 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE);
571 init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain);
574 * Use the 4k buffer to store the auth info.
577 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
580 * Now marshall the data into the temporary parse_struct.
583 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
584 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
588 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
589 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n"));
593 if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) {
594 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n"));
598 /* Auth len in the rpc header doesn't include auth_header. */
599 auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
602 /* create the request RPC_HDR */
603 init_rpc_hdr(&hdr, RPC_BIND, 0x0, rpc_call_id,
604 RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
607 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
608 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
612 /* create the bind request RPC_HDR_RB */
613 init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
614 0x1, 0x0, 0x1, abstract, transfer);
616 /* Marshall the bind request data */
617 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
618 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
623 * Grow the outgoing buffer to store any auth info.
626 if(hdr.auth_len != 0) {
627 if(!prs_append_prs_data( rpc_out, &auth_info)) {
628 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
636 /*******************************************************************
637 Creates a DCE/RPC bind authentication response.
638 This is the packet that is sent back to the server once we
639 have received a BIND-ACK, to finish the third leg of
640 the authentication handshake.
641 ********************************************************************/
643 static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
644 char *domain, char *user_name, char *my_name,
645 uint32 ntlmssp_cli_flgs,
649 unsigned char lm_owf[24];
650 unsigned char nt_owf[24];
652 RPC_HDR_AUTHA hdr_autha;
653 RPC_AUTH_VERIFIER auth_verifier;
654 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
656 prs_struct auth_info;
659 * Marshall the variable length data into a temporary parse
660 * struct, pointing into a 4k local buffer.
662 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
665 * Use the 4k buffer to store the auth info.
668 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
671 * Create the variable length auth_data.
674 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH);
676 pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf);
678 init_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
680 domain, user_name, my_name,
684 * Marshall the variable length auth_data into a temp parse_struct.
687 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
688 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n"));
692 if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) {
693 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n"));
697 /* Create the request RPC_HDR */
698 init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
699 RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info),
700 prs_offset(&auth_info) );
703 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
704 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
708 /* Create the request RPC_HDR_AUTHA */
709 init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
710 NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00);
712 if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
713 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
718 * Append the auth data to the outgoing buffer.
721 if(!prs_append_prs_data(rpc_out, &auth_info)) {
722 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
730 /*******************************************************************
731 Creates a DCE/RPC request.
732 ********************************************************************/
734 static BOOL create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len)
740 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
742 /* create the rpc header RPC_HDR */
743 init_rpc_hdr(&hdr, RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST,
744 get_rpc_call_id(), data_len, auth_len);
747 * The alloc hint should be the amount of data, not including
748 * RPC headers & footers.
752 alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
754 alloc_hint = data_len - RPC_HEADER_LEN;
756 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
757 data_len, auth_len, alloc_hint));
759 /* Create the rpc request RPC_HDR_REQ */
760 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
763 if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0))
766 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
769 if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
776 /****************************************************************************
777 Send a request on an rpc pipe.
778 ****************************************************************************/
780 BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
781 prs_struct *data, prs_struct *rdata)
783 prs_struct outgoing_packet;
790 char *pdata_out = NULL;
792 auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
793 auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
796 * The auth_len doesn't include the RPC_HDR_AUTH_LEN.
799 auth_len = (auth_verify ? RPC_AUTH_NTLMSSP_CHK_LEN : 0);
802 * PDU len is header, plus request header, plus data, plus
803 * auth_header_len (if present), plus auth_len (if present).
804 * NB. The auth stuff should be aligned on an 8 byte boundary
805 * to be totally DCE/RPC spec complient. For now we cheat and
806 * hope that the data structs defined are a multiple of 8 bytes.
809 if((prs_offset(data) % 8) != 0) {
810 DEBUG(5,("rpc_api_pipe_req: Outgoing data not a multiple of 8 bytes....\n"));
813 data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(data) +
814 (auth_verify ? RPC_HDR_AUTH_LEN : 0) + auth_len;
817 * Malloc a parse struct to hold it (and enough for alignments).
820 if(!prs_init(&outgoing_packet, data_len + 8, cli->mem_ctx, MARSHALL)) {
821 DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
825 pdata_out = prs_data_p(&outgoing_packet);
828 * Write out the RPC header and the request header.
831 if(!create_rpc_request(&outgoing_packet, op_num, data_len, auth_len)) {
832 DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
833 prs_mem_free(&outgoing_packet);
838 * Seal the outgoing data if requested.
842 crc32 = crc32_calc_buffer(prs_data_p(data), prs_offset(data));
843 NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data), prs_offset(data));
847 * Now copy the data into the outgoing packet.
850 if(!prs_append_prs_data( &outgoing_packet, data)) {
851 DEBUG(0,("rpc_api_pipe_req: Failed to append data to outgoing packet.\n"));
852 prs_mem_free(&outgoing_packet);
857 * Add a trailing auth_verifier if needed.
860 if (auth_seal || auth_verify) {
861 RPC_HDR_AUTH hdr_auth;
863 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE,
864 NTLMSSP_AUTH_LEVEL, 0x08, (auth_verify ? 1 : 0));
865 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &outgoing_packet, 0)) {
866 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_HDR_AUTH.\n"));
867 prs_mem_free(&outgoing_packet);
873 * Finally the auth data itself.
877 RPC_AUTH_NTLMSSP_CHK chk;
878 uint32 current_offset = prs_offset(&outgoing_packet);
880 init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++);
881 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &outgoing_packet, 0)) {
882 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n"));
883 prs_mem_free(&outgoing_packet);
886 NTLMSSPcalc_ap(cli, (unsigned char*)&pdata_out[current_offset+4], RPC_AUTH_NTLMSSP_CHK_LEN - 4);
889 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len, prs_offset(&outgoing_packet)));
891 ret = rpc_api_pipe(cli, 0x0026, &outgoing_packet, rdata);
893 prs_mem_free(&outgoing_packet);
898 /****************************************************************************
899 Set the handle state.
900 ****************************************************************************/
902 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, char *pipe_name, uint16 device_state)
904 BOOL state_set = False;
906 uint16 setup[2]; /* only need 2 uint16 setup parameters */
909 uint32 rparam_len, rdata_len;
911 if (pipe_name == NULL)
914 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
915 cli->nt_pipe_fnum, pipe_name, device_state));
917 /* create parameters: device state */
918 SSVAL(param, 0, device_state);
920 /* create setup parameters. */
922 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
924 /* send the data on \PIPE\ */
925 if (cli_api_pipe(cli, "\\PIPE\\",
926 setup, 2, 0, /* setup, length, max */
927 param, 2, 0, /* param, length, max */
928 NULL, 0, 1024, /* data, length, max */
929 &rparam, &rparam_len, /* return param, length */
930 &rdata, &rdata_len)) /* return data, length */
932 DEBUG(5, ("Set Handle state: return OK\n"));
944 /****************************************************************************
945 check the rpc bind acknowledge response
946 ****************************************************************************/
948 static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *transfer)
952 while (pipe_names[pipe_idx].client_pipe != NULL) {
953 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) {
954 DEBUG(5,("Bind Abstract Syntax: "));
955 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
956 sizeof(pipe_names[pipe_idx].abstr_syntax));
957 DEBUG(5,("Bind Transfer Syntax: "));
958 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
959 sizeof(pipe_names[pipe_idx].trans_syntax));
961 /* copy the required syntaxes out so we can do the right bind */
962 *transfer = pipe_names[pipe_idx].trans_syntax;
963 *abstract = pipe_names[pipe_idx].abstr_syntax;
970 DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name));
974 /****************************************************************************
975 check the rpc bind acknowledge response
976 ****************************************************************************/
978 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, char *pipe_name, RPC_IFACE *transfer)
982 while ((pipe_names[i].client_pipe != NULL) && hdr_ba->addr.len > 0) {
983 if ((strequal(pipe_name, pipe_names[i].client_pipe ))) {
984 if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe )) {
985 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n",
986 pipe_names[i].server_pipe ));
989 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
990 pipe_names[i].server_pipe ,
999 if (pipe_names[i].server_pipe == NULL) {
1000 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
1004 /* check the transfer syntax */
1005 if ((hdr_ba->transfer.version != transfer->version) ||
1006 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1007 DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n"));
1011 /* lkclXXXX only accept one result: check the result(s) */
1012 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
1013 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1014 hdr_ba->res.num_results, hdr_ba->res.reason));
1017 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
1021 /****************************************************************************
1022 Create and send the third packet in an RPC auth.
1023 ****************************************************************************/
1025 static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
1027 RPC_HDR_AUTH rhdr_auth;
1028 RPC_AUTH_VERIFIER rhdr_verf;
1029 RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
1030 char buffer[MAX_PDU_FRAG_LEN];
1034 unsigned char p24[24];
1035 unsigned char lm_owf[24];
1036 unsigned char lm_hash[16];
1038 if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) {
1039 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n"));
1042 if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) {
1043 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n"));
1046 if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) {
1047 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n"));
1051 cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
1053 pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
1055 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1057 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1059 create_rpc_bind_resp(&cli->pwd, cli->domain,
1060 cli->user_name, global_myname,
1061 cli->ntlmssp_cli_flgs, rpc_call_id,
1064 pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
1065 pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
1067 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
1070 unsigned char j = 0;
1072 unsigned char k2[8];
1079 for (ind = 0; ind < 256; ind++)
1080 cli->ntlmssp_hash[ind] = (unsigned char)ind;
1082 for( ind = 0; ind < 256; ind++) {
1085 j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
1087 tc = cli->ntlmssp_hash[ind];
1088 cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
1089 cli->ntlmssp_hash[j] = tc;
1092 cli->ntlmssp_hash[256] = 0;
1093 cli->ntlmssp_hash[257] = 0;
1096 memset((char *)lm_hash, '\0', sizeof(lm_hash));
1098 if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out),
1099 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
1100 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
1104 cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
1108 /****************************************************************************
1110 ****************************************************************************/
1112 BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, char *my_name)
1118 BOOL do_auth = (cli->ntlmssp_cli_flgs != 0);
1120 char buffer[MAX_PDU_FRAG_LEN];
1122 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_name));
1124 if (!valid_pipe_name(pipe_name, &abstract, &transfer))
1127 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1130 * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
1133 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1135 rpc_call_id = get_rpc_call_id();
1137 /* Marshall the outgoing data. */
1138 create_rpc_bind_req(&rpc_out, do_auth, rpc_call_id,
1139 &abstract, &transfer,
1140 global_myname, cli->domain, cli->ntlmssp_cli_flgs);
1142 /* Initialize the incoming data struct. */
1143 prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
1145 /* send data on \PIPE\. receive a response */
1146 if (rpc_api_pipe(cli, 0x0026, &rpc_out, &rdata)) {
1149 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
1151 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
1152 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
1153 prs_mem_free(&rdata);
1157 if(!check_bind_response(&hdr_ba, pipe_name, &transfer)) {
1158 DEBUG(0,("rpc_pipe_bind: check_bind_response failed.\n"));
1159 prs_mem_free(&rdata);
1163 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
1164 cli->max_recv_frag = hdr_ba.bba.max_rsize;
1167 * If we're doing NTLMSSP auth we need to send a reply to
1168 * the bind-ack to complete the 3-way challenge response
1172 if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
1173 DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
1174 prs_mem_free(&rdata);
1179 prs_mem_free(&rdata);
1183 /****************************************************************************
1184 Set ntlmssp negotiation flags.
1185 ****************************************************************************/
1187 void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs)
1189 cli->ntlmssp_cli_flgs = ntlmssp_flgs;
1193 /****************************************************************************
1195 ****************************************************************************/
1197 BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name)
1201 SMB_ASSERT(cli->nt_pipe_fnum == 0);
1203 if (cli->capabilities & CAP_NT_SMBS) {
1204 if ((fnum = cli_nt_create(cli, &(pipe_name[5]), DESIRED_ACCESS_PIPE)) == -1) {
1205 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1206 &(pipe_name[5]), cli->desthost, cli_errstr(cli)));
1210 cli->nt_pipe_fnum = (uint16)fnum;
1212 if ((fnum = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1213 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1214 pipe_name, cli->desthost, cli_errstr(cli)));
1218 cli->nt_pipe_fnum = (uint16)fnum;
1220 /**************** Set Named Pipe State ***************/
1221 if (!rpc_pipe_set_hnd_state(cli, pipe_name, 0x4300)) {
1222 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1224 cli_close(cli, cli->nt_pipe_fnum);
1229 /******************* bind request on pipe *****************/
1231 if (!rpc_pipe_bind(cli, pipe_name, global_myname)) {
1232 DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n",
1234 cli_close(cli, cli->nt_pipe_fnum);
1239 * Setup the remote server name prefixed by \ and the machine account name.
1242 fstrcpy(cli->srv_name_slash, "\\\\");
1243 fstrcat(cli->srv_name_slash, cli->desthost);
1244 strupper(cli->srv_name_slash);
1246 fstrcpy(cli->clnt_name_slash, "\\\\");
1247 fstrcat(cli->clnt_name_slash, global_myname);
1248 strupper(cli->clnt_name_slash);
1250 fstrcpy(cli->mach_acct, global_myname);
1251 fstrcat(cli->mach_acct, "$");
1252 strupper(cli->mach_acct);
1257 /****************************************************************************
1259 ****************************************************************************/
1261 void cli_nt_session_close(struct cli_state *cli)
1263 cli_close(cli, cli->nt_pipe_fnum);
1264 cli->nt_pipe_fnum = 0;