2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1998.
7 * Copyright (C) Jeremy Allison 1999.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 #define DBGC_CLASS DBGC_RPC_CLI
29 extern struct pipe_id_info pipe_names[];
30 extern fstring global_myworkgroup;
31 extern pstring global_myname;
33 /********************************************************************
35 ********************************************************************/
37 static uint32 get_rpc_call_id(void)
39 static uint32 call_id = 0;
43 /*******************************************************************
44 Use SMBreadX to get rest of one fragment's worth of rpc data.
45 ********************************************************************/
47 static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
49 size_t size = (size_t)cli->max_recv_frag;
50 int stream_offset = 0;
53 int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
55 DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
56 (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
59 * Grow the buffer if needed to accommodate the data to be read.
62 if (extra_data_size > 0) {
63 if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
64 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
67 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
70 pdata = prs_data_p(rdata) + *rdata_offset;
72 do /* read data using SMBreadX */
77 if (size > (size_t)data_to_read)
78 size = (size_t)data_to_read;
80 num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
82 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
83 num_read, stream_offset, data_to_read));
85 if (cli_is_dos_error(cli)) {
86 cli_dos_error(cli, &eclass, &ecode);
87 if (eclass != ERRDOS && ecode != ERRmoredata) {
88 DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
89 eclass, (unsigned int)ecode));
94 data_to_read -= num_read;
95 stream_offset += num_read;
98 } while (num_read > 0 && data_to_read > 0);
99 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
102 * Update the current offset into rdata by the amount read.
104 *rdata_offset += stream_offset;
109 /****************************************************************************
110 Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
111 ****************************************************************************/
113 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
114 BOOL *first, BOOL *last, uint32 *len)
116 DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
118 /* Next call sets endian bit. */
120 if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) {
121 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
125 if (prs_offset(rdata) != RPC_HEADER_LEN) {
126 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
130 (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
131 (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
132 (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
134 return (rhdr->pkt_type != RPC_FAULT);
137 static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len)
139 unsigned char *hash = cli->ntlmssp_hash;
140 unsigned char index_i = hash[256];
141 unsigned char index_j = hash[257];
144 for( ind = 0; ind < len; ind++) {
149 index_j += hash[index_i];
152 hash[index_i] = hash[index_j];
155 t = hash[index_i] + hash[index_j];
156 data[ind] = data[ind] ^ hash[t];
163 /****************************************************************************
164 Verify data on an rpc pipe.
165 The VERIFY & SEAL code is only executed on packets that look like this :
167 Request/Response PDU's look like the following...
169 |<------------------PDU len----------------------------------------------->|
170 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
172 +------------+-----------------+-------------+---------------+-------------+
173 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
174 +------------+-----------------+-------------+---------------+-------------+
176 Never on bind requests/responses.
177 ****************************************************************************/
179 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, int len, int auth_len)
182 * The following is that length of the data we must sign or seal.
183 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
184 * preceeding the auth_data.
187 int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
190 * The start of the data to sign/seal is just after the RPC headers.
192 char *reply_data = prs_data_p(rdata) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
194 BOOL auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
195 BOOL auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
197 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
198 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal)));
201 * Unseal any sealed data in the PDU, not including the
202 * 8 byte auth_header or the auth_data.
206 DEBUG(10,("rpc_auth_pipe: unseal\n"));
207 dump_data(100, reply_data, data_len);
208 NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
209 dump_data(100, reply_data, data_len);
212 if (auth_verify || auth_seal) {
213 RPC_HDR_AUTH rhdr_auth;
215 char data[RPC_HDR_AUTH_LEN];
217 * We set dp to be the end of the packet, minus the auth_len
218 * and the length of the header that preceeds the auth_data.
220 char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN;
222 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
223 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
227 memcpy(data, dp, sizeof(data));
229 prs_init(&auth_req , 0, cli->mem_ctx, UNMARSHALL);
231 /* The endianness must be preserved... JRA. */
233 prs_set_endian_data(&auth_req, rdata->bigendian_data);
235 prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False);
238 * Unmarshall the 8 byte auth_header that comes before the
242 if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) {
243 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n"));
247 if (!rpc_hdr_auth_chk(&rhdr_auth)) {
248 DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n"));
254 * Now unseal and check the auth verifier in the auth_data at
255 * then end of the packet. The 4 bytes skipped in the unseal
256 * seem to be a buffer pointer preceeding the sealed data.
260 RPC_AUTH_NTLMSSP_CHK chk;
262 prs_struct auth_verf;
263 char data[RPC_AUTH_NTLMSSP_CHK_LEN];
264 char *dp = prs_data_p(rdata) + len - auth_len;
266 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
267 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
271 DEBUG(10,("rpc_auth_pipe: verify\n"));
272 dump_data(100, dp, auth_len);
273 NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4);
275 memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN);
276 dump_data(100, data, auth_len);
278 prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
280 /* The endinness must be preserved. JRA. */
281 prs_set_endian_data( &auth_verf, rdata->bigendian_data);
283 prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False);
285 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) {
286 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n"));
290 crc32 = crc32_calc_buffer(reply_data, data_len);
292 if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) {
293 DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n"));
296 cli->ntlmssp_seq_num++;
302 /****************************************************************************
303 Send data on an rpc pipe, which *must* be in one fragment.
304 receive response data from an rpc pipe, which may be large...
306 Read the first fragment: unfortunately have to use SMBtrans for the first
307 bit, then SMBreadX for subsequent bits.
309 If first fragment received also wasn't the last fragment, continue
310 getting fragments until we _do_ receive the last fragment.
312 Request/Response PDU's look like the following...
314 |<------------------PDU len----------------------------------------------->|
315 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
317 +------------+-----------------+-------------+---------------+-------------+
318 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
319 +------------+-----------------+-------------+---------------+-------------+
321 Where the presence of the AUTH_HDR and AUTH are dependent on the
322 signing & sealing being neogitated.
324 ****************************************************************************/
326 static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, prs_struct *data, prs_struct *rdata)
330 uint32 rparam_len = 0;
335 char *pdata = data ? prs_data_p(data) : NULL;
336 uint32 data_len = data ? prs_offset(data) : 0;
338 uint32 rdata_len = 0;
339 uint32 current_offset = 0;
341 /* Create setup parameters - must be in native byte order. */
344 setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
346 DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", (int)cmd,
347 (int)cli->nt_pipe_fnum));
349 /* Send the RPC request and receive a response. For short RPC
350 calls (about 1024 bytes or so) the RPC request and response
351 appears in a SMBtrans request and response. Larger RPC
352 responses are received further on. */
354 if (!cli_api_pipe(cli, "\\PIPE\\",
355 setup, 2, 0, /* Setup, length, max */
356 NULL, 0, 0, /* Params, length, max */
357 pdata, data_len, 1024, /* data, length, max */
358 &rparam, &rparam_len, /* return params, len */
359 &prdata, &rdata_len)) /* return data, len */
361 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
365 /* Throw away returned params - we know we won't use them. */
369 if (prdata == NULL) {
370 DEBUG(0,("rpc_api_pipe: cmd %x on pipe %x failed to return data.\n",
371 (int)cmd, (int)cli->nt_pipe_fnum));
376 * Give this memory as dynamically allocated to the return parse
380 prs_give_memory(rdata, prdata, rdata_len, True);
381 current_offset = rdata_len;
383 /* This next call sets the endian bit correctly in rdata. */
385 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
390 if (rhdr.pkt_type == RPC_BINDACK) {
391 if (!last && !first) {
392 DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
398 if (rhdr.pkt_type == RPC_RESPONSE) {
399 RPC_HDR_RESP rhdr_resp;
400 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
401 DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
407 DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
408 (unsigned int)len, (unsigned int)rdata_len ));
410 /* check if data to be sent back was too large for one SMBtrans */
411 /* err status is only informational: the _real_ check is on the
415 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
417 /* Read the remaining part of the first response fragment */
419 if (!rpc_read(cli, rdata, len, ¤t_offset)) {
426 * Now we have a complete PDU, check the auth struct if any was sent.
429 if (rhdr.auth_len != 0) {
430 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
433 * Drop the auth footers from the current offset.
434 * We need this if there are more fragments.
435 * The auth footers consist of the auth_data and the
436 * preceeding 8 byte auth_header.
438 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
442 * Only one rpc fragment, and it has been read.
446 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
451 * Read more fragments using SMBreadX until we get one with the
456 RPC_HDR_RESP rhdr_resp;
458 char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
464 * First read the header of the next PDU.
467 prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
468 prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
470 num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
471 if (cli_is_dos_error(cli)) {
472 cli_dos_error(cli, &eclass, &ecode);
473 if (eclass != ERRDOS && ecode != ERRmoredata) {
474 DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
479 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
481 if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
482 DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
483 RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
487 /* This call sets the endianness in hps. */
489 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
492 /* Ensure the endianness in rdata is set correctly - must be same as hps. */
494 if (hps.bigendian_data != rdata->bigendian_data) {
495 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
496 rdata->bigendian_data ? "big" : "little",
497 hps.bigendian_data ? "big" : "little" ));
501 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
502 DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
507 DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
512 * Now read the rest of the PDU.
515 if (!rpc_read(cli, rdata, len, ¤t_offset))
519 * Verify any authentication footer.
522 if (rhdr.auth_len != 0 ) {
523 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
526 * Drop the auth footers from the current offset.
527 * The auth footers consist of the auth_data and the
528 * preceeding 8 byte auth_header.
529 * We need this if there are more fragments.
531 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
538 /*******************************************************************
539 creates a DCE/RPC bind request
541 - initialises the parse structure.
542 - dynamically allocates the header data structure
543 - caller is expected to free the header data structure once used.
545 ********************************************************************/
547 static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, uint32 rpc_call_id,
548 RPC_IFACE *abstract, RPC_IFACE *transfer,
549 char *my_name, char *domain, uint32 neg_flags)
554 prs_struct auth_info;
557 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
560 RPC_HDR_AUTH hdr_auth;
561 RPC_AUTH_VERIFIER auth_verifier;
562 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
565 * Create the auth structs we will marshall.
568 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1);
569 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE);
570 init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain);
573 * Use the 4k buffer to store the auth info.
576 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
579 * Now marshall the data into the temporary parse_struct.
582 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
583 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
587 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
588 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n"));
592 if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) {
593 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n"));
597 /* Auth len in the rpc header doesn't include auth_header. */
598 auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
601 /* create the request RPC_HDR */
602 init_rpc_hdr(&hdr, RPC_BIND, 0x3, rpc_call_id,
603 RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
606 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
607 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
611 /* create the bind request RPC_HDR_RB */
612 init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
613 0x1, 0x0, 0x1, abstract, transfer);
615 /* Marshall the bind request data */
616 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
617 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
622 * Grow the outgoing buffer to store any auth info.
625 if(hdr.auth_len != 0) {
626 if(!prs_append_prs_data( rpc_out, &auth_info)) {
627 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
635 /*******************************************************************
636 Creates a DCE/RPC bind authentication response.
637 This is the packet that is sent back to the server once we
638 have received a BIND-ACK, to finish the third leg of
639 the authentication handshake.
640 ********************************************************************/
642 static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
643 char *domain, char *user_name, char *my_name,
644 uint32 ntlmssp_cli_flgs,
648 unsigned char lm_owf[24];
649 unsigned char nt_owf[24];
651 RPC_HDR_AUTHA hdr_autha;
652 RPC_AUTH_VERIFIER auth_verifier;
653 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
655 prs_struct auth_info;
658 * Marshall the variable length data into a temporary parse
659 * struct, pointing into a 4k local buffer.
661 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
664 * Use the 4k buffer to store the auth info.
667 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
670 * Create the variable length auth_data.
673 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH);
675 pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf);
677 init_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
679 domain, user_name, my_name,
683 * Marshall the variable length auth_data into a temp parse_struct.
686 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
687 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n"));
691 if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) {
692 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n"));
696 /* Create the request RPC_HDR */
697 init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
698 RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info),
699 prs_offset(&auth_info) );
702 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
703 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
707 /* Create the request RPC_HDR_AUTHA */
708 init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
709 NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00);
711 if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
712 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
717 * Append the auth data to the outgoing buffer.
720 if(!prs_append_prs_data(rpc_out, &auth_info)) {
721 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
729 /*******************************************************************
730 Creates a DCE/RPC request.
731 ********************************************************************/
733 static BOOL create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len)
739 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
741 /* create the rpc header RPC_HDR */
742 init_rpc_hdr(&hdr, RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST,
743 get_rpc_call_id(), data_len, auth_len);
746 * The alloc hint should be the amount of data, not including
747 * RPC headers & footers.
751 alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
753 alloc_hint = data_len - RPC_HEADER_LEN;
755 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
756 data_len, auth_len, alloc_hint));
758 /* Create the rpc request RPC_HDR_REQ */
759 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
762 if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0))
765 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
768 if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
776 * Send a request on an RPC pipe and get a response.
778 * @param data NDR contents of the request to be sent.
779 * @param rdata Unparsed NDR response data.
782 BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
783 prs_struct *data, prs_struct *rdata)
785 prs_struct outgoing_packet;
792 char *pdata_out = NULL;
795 auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
796 auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
798 /* Optionally capture for use in debugging */
799 slprintf(dump_name, sizeof(dump_name) - 1, "call_%s",
800 cli_pipe_get_name(cli));
801 prs_dump_before(dump_name, op_num, data);
804 * The auth_len doesn't include the RPC_HDR_AUTH_LEN.
807 auth_len = (auth_verify ? RPC_AUTH_NTLMSSP_CHK_LEN : 0);
810 * PDU len is header, plus request header, plus data, plus
811 * auth_header_len (if present), plus auth_len (if present).
812 * NB. The auth stuff should be aligned on an 8 byte boundary
813 * to be totally DCE/RPC spec complient. For now we cheat and
814 * hope that the data structs defined are a multiple of 8 bytes.
817 if((prs_offset(data) % 8) != 0) {
818 DEBUG(5,("rpc_api_pipe_req: Outgoing data not a multiple of 8 bytes....\n"));
821 data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(data) +
822 (auth_verify ? RPC_HDR_AUTH_LEN : 0) + auth_len;
825 * Malloc a parse struct to hold it (and enough for alignments).
828 if(!prs_init(&outgoing_packet, data_len + 8, cli->mem_ctx, MARSHALL)) {
829 DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
833 pdata_out = prs_data_p(&outgoing_packet);
836 * Write out the RPC header and the request header.
839 if(!create_rpc_request(&outgoing_packet, op_num, data_len, auth_len)) {
840 DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
841 prs_mem_free(&outgoing_packet);
846 * Seal the outgoing data if requested.
850 crc32 = crc32_calc_buffer(prs_data_p(data), prs_offset(data));
851 NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data), prs_offset(data));
855 * Now copy the data into the outgoing packet.
858 if(!prs_append_prs_data( &outgoing_packet, data)) {
859 DEBUG(0,("rpc_api_pipe_req: Failed to append data to outgoing packet.\n"));
860 prs_mem_free(&outgoing_packet);
865 * Add a trailing auth_verifier if needed.
868 if (auth_seal || auth_verify) {
869 RPC_HDR_AUTH hdr_auth;
871 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE,
872 NTLMSSP_AUTH_LEVEL, 0x08, (auth_verify ? 1 : 0));
873 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &outgoing_packet, 0)) {
874 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_HDR_AUTH.\n"));
875 prs_mem_free(&outgoing_packet);
881 * Finally the auth data itself.
885 RPC_AUTH_NTLMSSP_CHK chk;
886 uint32 current_offset = prs_offset(&outgoing_packet);
888 init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++);
889 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &outgoing_packet, 0)) {
890 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n"));
891 prs_mem_free(&outgoing_packet);
894 NTLMSSPcalc_ap(cli, (unsigned char*)&pdata_out[current_offset+4], RPC_AUTH_NTLMSSP_CHK_LEN - 4);
897 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len, prs_offset(&outgoing_packet)));
899 ret = rpc_api_pipe(cli, 0x0026, &outgoing_packet, rdata);
901 /* Also capture received data */
902 slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
903 cli_pipe_get_name(cli));
904 prs_dump(dump_name, op_num, rdata);
906 prs_mem_free(&outgoing_packet);
911 /****************************************************************************
912 Set the handle state.
913 ****************************************************************************/
915 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, const char *pipe_name, uint16 device_state)
917 BOOL state_set = False;
919 uint16 setup[2]; /* only need 2 uint16 setup parameters */
922 uint32 rparam_len, rdata_len;
924 if (pipe_name == NULL)
927 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
928 cli->nt_pipe_fnum, pipe_name, device_state));
930 /* create parameters: device state */
931 SSVAL(param, 0, device_state);
933 /* create setup parameters. */
935 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
937 /* send the data on \PIPE\ */
938 if (cli_api_pipe(cli, "\\PIPE\\",
939 setup, 2, 0, /* setup, length, max */
940 param, 2, 0, /* param, length, max */
941 NULL, 0, 1024, /* data, length, max */
942 &rparam, &rparam_len, /* return param, length */
943 &rdata, &rdata_len)) /* return data, length */
945 DEBUG(5, ("Set Handle state: return OK\n"));
957 /****************************************************************************
958 check the rpc bind acknowledge response
959 ****************************************************************************/
961 static BOOL valid_pipe_name(const char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *transfer)
965 while (pipe_names[pipe_idx].client_pipe != NULL) {
966 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) {
967 DEBUG(5,("Bind Abstract Syntax: "));
968 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
969 sizeof(pipe_names[pipe_idx].abstr_syntax));
970 DEBUG(5,("Bind Transfer Syntax: "));
971 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
972 sizeof(pipe_names[pipe_idx].trans_syntax));
974 /* copy the required syntaxes out so we can do the right bind */
975 *transfer = pipe_names[pipe_idx].trans_syntax;
976 *abstract = pipe_names[pipe_idx].abstr_syntax;
983 DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name));
989 /****************************************************************************
990 check the rpc bind acknowledge response
991 ****************************************************************************/
993 int get_pipe_index( const char *pipe_name )
997 while (pipe_names[pipe_idx].client_pipe != NULL) {
998 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
1006 /****************************************************************************
1007 check the rpc bind acknowledge response
1008 ****************************************************************************/
1010 static BOOL valid_pipe_name_by_idx(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
1012 if ( pipe_idx >= PI_MAX_PIPES ) {
1013 DEBUG(0,("valid_pipe_name_by_idx: Programmer error! Invalid pipe index [%d]\n",
1018 DEBUG(5,("Bind Abstract Syntax: "));
1019 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
1020 sizeof(pipe_names[pipe_idx].abstr_syntax));
1021 DEBUG(5,("Bind Transfer Syntax: "));
1022 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
1023 sizeof(pipe_names[pipe_idx].trans_syntax));
1025 /* copy the required syntaxes out so we can do the right bind */
1027 *transfer = pipe_names[pipe_idx].trans_syntax;
1028 *abstract = pipe_names[pipe_idx].abstr_syntax;
1033 /****************************************************************************
1034 check the rpc bind acknowledge response
1035 ****************************************************************************/
1037 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
1041 if ( hdr_ba->addr.len <= 0)
1044 if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe ))
1046 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
1047 pipe_names[i].server_pipe ,hdr_ba->addr.str));
1051 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
1053 if (pipe_names[pipe_idx].server_pipe == NULL) {
1054 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
1058 /* check the transfer syntax */
1059 if ((hdr_ba->transfer.version != transfer->version) ||
1060 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1061 DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n"));
1065 /* lkclXXXX only accept one result: check the result(s) */
1066 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
1067 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1068 hdr_ba->res.num_results, hdr_ba->res.reason));
1071 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
1075 /****************************************************************************
1076 Create and send the third packet in an RPC auth.
1077 ****************************************************************************/
1079 static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
1081 RPC_HDR_AUTH rhdr_auth;
1082 RPC_AUTH_VERIFIER rhdr_verf;
1083 RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
1084 char buffer[MAX_PDU_FRAG_LEN];
1088 unsigned char p24[24];
1089 unsigned char lm_owf[24];
1090 unsigned char lm_hash[16];
1092 if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) {
1093 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n"));
1096 if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) {
1097 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n"));
1100 if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) {
1101 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n"));
1105 cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
1107 pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
1109 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1111 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1113 create_rpc_bind_resp(&cli->pwd, cli->domain,
1114 cli->user_name, global_myname,
1115 cli->ntlmssp_cli_flgs, rpc_call_id,
1118 pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
1119 pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
1121 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
1124 unsigned char j = 0;
1126 unsigned char k2[8];
1133 for (ind = 0; ind < 256; ind++)
1134 cli->ntlmssp_hash[ind] = (unsigned char)ind;
1136 for( ind = 0; ind < 256; ind++) {
1139 j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
1141 tc = cli->ntlmssp_hash[ind];
1142 cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
1143 cli->ntlmssp_hash[j] = tc;
1146 cli->ntlmssp_hash[256] = 0;
1147 cli->ntlmssp_hash[257] = 0;
1150 memset((char *)lm_hash, '\0', sizeof(lm_hash));
1152 if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out),
1153 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
1154 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
1158 cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
1162 /****************************************************************************
1164 ****************************************************************************/
1166 BOOL rpc_pipe_bind(struct cli_state *cli, const int pipe_idx, char *my_name)
1172 BOOL do_auth = (cli->ntlmssp_cli_flgs != 0);
1174 char buffer[MAX_PDU_FRAG_LEN];
1176 if ( (pipe_idx < 0) || (pipe_idx >= PI_MAX_PIPES) )
1179 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_names[pipe_idx].client_pipe));
1181 if (!valid_pipe_name_by_idx(pipe_idx, &abstract, &transfer))
1184 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1187 * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
1190 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1192 rpc_call_id = get_rpc_call_id();
1194 /* Marshall the outgoing data. */
1195 create_rpc_bind_req(&rpc_out, do_auth, rpc_call_id,
1196 &abstract, &transfer,
1197 global_myname, cli->domain, cli->ntlmssp_cli_flgs);
1199 /* Initialize the incoming data struct. */
1200 prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
1202 /* send data on \PIPE\. receive a response */
1203 if (rpc_api_pipe(cli, 0x0026, &rpc_out, &rdata)) {
1206 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
1208 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
1209 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
1210 prs_mem_free(&rdata);
1214 if(!check_bind_response(&hdr_ba, pipe_idx, &transfer)) {
1215 DEBUG(0,("rpc_pipe_bind: check_bind_response failed.\n"));
1216 prs_mem_free(&rdata);
1220 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
1221 cli->max_recv_frag = hdr_ba.bba.max_rsize;
1224 * If we're doing NTLMSSP auth we need to send a reply to
1225 * the bind-ack to complete the 3-way challenge response
1229 if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
1230 DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
1231 prs_mem_free(&rdata);
1236 prs_mem_free(&rdata);
1240 /****************************************************************************
1241 Set ntlmssp negotiation flags.
1242 ****************************************************************************/
1244 void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs)
1246 cli->ntlmssp_cli_flgs = ntlmssp_flgs;
1250 /****************************************************************************
1252 ****************************************************************************/
1254 BOOL cli_nt_session_open(struct cli_state *cli, const int pipe_idx)
1258 SMB_ASSERT(cli->nt_pipe_fnum == 0);
1260 if ( (pipe_idx < 0) || (pipe_idx >= PI_MAX_PIPES) )
1263 if (cli->capabilities & CAP_NT_SMBS) {
1264 if ((fnum = cli_nt_create(cli, &pipe_names[pipe_idx].client_pipe[5], DESIRED_ACCESS_PIPE)) == -1) {
1265 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1266 &pipe_names[pipe_idx].client_pipe[5], cli->desthost, cli_errstr(cli)));
1270 cli->nt_pipe_fnum = (uint16)fnum;
1272 if ((fnum = cli_open(cli, pipe_names[pipe_idx].client_pipe, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1273 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1274 pipe_names[pipe_idx].client_pipe, cli->desthost, cli_errstr(cli)));
1278 cli->nt_pipe_fnum = (uint16)fnum;
1280 /**************** Set Named Pipe State ***************/
1281 if (!rpc_pipe_set_hnd_state(cli, pipe_names[pipe_idx].client_pipe, 0x4300)) {
1282 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1284 cli_close(cli, cli->nt_pipe_fnum);
1289 /******************* bind request on pipe *****************/
1291 if (!rpc_pipe_bind(cli, pipe_idx, global_myname)) {
1292 DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n",
1294 cli_close(cli, cli->nt_pipe_fnum);
1299 * Setup the remote server name prefixed by \ and the machine account name.
1302 fstrcpy(cli->srv_name_slash, "\\\\");
1303 fstrcat(cli->srv_name_slash, cli->desthost);
1304 strupper(cli->srv_name_slash);
1306 fstrcpy(cli->clnt_name_slash, "\\\\");
1307 fstrcat(cli->clnt_name_slash, global_myname);
1308 strupper(cli->clnt_name_slash);
1310 fstrcpy(cli->mach_acct, global_myname);
1311 fstrcat(cli->mach_acct, "$");
1312 strupper(cli->mach_acct);
1314 /* Remember which pipe we're talking to */
1315 fstrcpy(cli->pipe_name, pipe_names[pipe_idx].client_pipe);
1321 const char *cli_pipe_get_name(struct cli_state *cli)
1323 return cli->pipe_name;
1327 /****************************************************************************
1329 ****************************************************************************/
1331 void cli_nt_session_close(struct cli_state *cli)
1333 cli_close(cli, cli->nt_pipe_fnum);
1334 cli->nt_pipe_fnum = 0;