2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1998.
7 * Copyright (C) Jeremy Allison 1999.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 #define DBGC_CLASS DBGC_RPC_CLI
29 extern struct pipe_id_info pipe_names[];
31 /********************************************************************
33 ********************************************************************/
35 static uint32 get_rpc_call_id(void)
37 static uint32 call_id = 0;
41 /*******************************************************************
42 Use SMBreadX to get rest of one fragment's worth of rpc data.
43 ********************************************************************/
45 static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
47 size_t size = (size_t)cli->max_recv_frag;
48 int stream_offset = 0;
51 int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
53 DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
54 (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
57 * Grow the buffer if needed to accommodate the data to be read.
60 if (extra_data_size > 0) {
61 if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
62 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
65 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
68 pdata = prs_data_p(rdata) + *rdata_offset;
70 do /* read data using SMBreadX */
75 if (size > (size_t)data_to_read)
76 size = (size_t)data_to_read;
78 num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
80 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
81 num_read, stream_offset, data_to_read));
83 if (cli_is_dos_error(cli)) {
84 cli_dos_error(cli, &eclass, &ecode);
85 if (eclass != ERRDOS && ecode != ERRmoredata) {
86 DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
87 eclass, (unsigned int)ecode));
92 data_to_read -= num_read;
93 stream_offset += num_read;
96 } while (num_read > 0 && data_to_read > 0);
97 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
100 * Update the current offset into rdata by the amount read.
102 *rdata_offset += stream_offset;
107 /****************************************************************************
108 Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
109 ****************************************************************************/
111 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
112 BOOL *first, BOOL *last, uint32 *len)
114 DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
116 /* Next call sets endian bit. */
118 if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) {
119 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
123 if (prs_offset(rdata) != RPC_HEADER_LEN) {
124 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
128 (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
129 (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
130 (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
132 return (rhdr->pkt_type != RPC_FAULT);
135 static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len)
137 unsigned char *hash = cli->ntlmssp_hash;
138 unsigned char index_i = hash[256];
139 unsigned char index_j = hash[257];
142 for( ind = 0; ind < len; ind++) {
147 index_j += hash[index_i];
150 hash[index_i] = hash[index_j];
153 t = hash[index_i] + hash[index_j];
154 data[ind] = data[ind] ^ hash[t];
161 /****************************************************************************
162 Verify data on an rpc pipe.
163 The VERIFY & SEAL code is only executed on packets that look like this :
165 Request/Response PDU's look like the following...
167 |<------------------PDU len----------------------------------------------->|
168 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
170 +------------+-----------------+-------------+---------------+-------------+
171 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
172 +------------+-----------------+-------------+---------------+-------------+
174 Never on bind requests/responses.
175 ****************************************************************************/
177 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, int len, int auth_len)
180 * The following is that length of the data we must sign or seal.
181 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
182 * preceeding the auth_data.
185 int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
188 * The start of the data to sign/seal is just after the RPC headers.
190 char *reply_data = prs_data_p(rdata) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
192 BOOL auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
193 BOOL auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
195 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
196 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal)));
199 * Unseal any sealed data in the PDU, not including the
200 * 8 byte auth_header or the auth_data.
204 DEBUG(10,("rpc_auth_pipe: unseal\n"));
205 dump_data(100, reply_data, data_len);
206 NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
207 dump_data(100, reply_data, data_len);
210 if (auth_verify || auth_seal) {
211 RPC_HDR_AUTH rhdr_auth;
213 char data[RPC_HDR_AUTH_LEN];
215 * We set dp to be the end of the packet, minus the auth_len
216 * and the length of the header that preceeds the auth_data.
218 char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN;
220 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
221 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
225 memcpy(data, dp, sizeof(data));
227 prs_init(&auth_req , 0, cli->mem_ctx, UNMARSHALL);
229 /* The endianness must be preserved... JRA. */
231 prs_set_endian_data(&auth_req, rdata->bigendian_data);
233 prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False);
236 * Unmarshall the 8 byte auth_header that comes before the
240 if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) {
241 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n"));
245 if (!rpc_hdr_auth_chk(&rhdr_auth)) {
246 DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n"));
252 * Now unseal and check the auth verifier in the auth_data at
253 * then end of the packet. The 4 bytes skipped in the unseal
254 * seem to be a buffer pointer preceeding the sealed data.
258 RPC_AUTH_NTLMSSP_CHK chk;
260 prs_struct auth_verf;
261 char data[RPC_AUTH_NTLMSSP_CHK_LEN];
262 char *dp = prs_data_p(rdata) + len - auth_len;
264 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
265 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
269 DEBUG(10,("rpc_auth_pipe: verify\n"));
270 dump_data(100, dp, auth_len);
271 NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4);
273 memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN);
274 dump_data(100, data, auth_len);
276 prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
278 /* The endinness must be preserved. JRA. */
279 prs_set_endian_data( &auth_verf, rdata->bigendian_data);
281 prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False);
283 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) {
284 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n"));
288 crc32 = crc32_calc_buffer(reply_data, data_len);
290 if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) {
291 DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n"));
294 cli->ntlmssp_seq_num++;
300 /****************************************************************************
301 Send data on an rpc pipe via trans, which *must* be the last fragment.
302 receive response data from an rpc pipe, which may be large...
304 Read the first fragment: unfortunately have to use SMBtrans for the first
305 bit, then SMBreadX for subsequent bits.
307 If first fragment received also wasn't the last fragment, continue
308 getting fragments until we _do_ receive the last fragment.
310 Request/Response PDU's look like the following...
312 |<------------------PDU len----------------------------------------------->|
313 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
315 +------------+-----------------+-------------+---------------+-------------+
316 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
317 +------------+-----------------+-------------+---------------+-------------+
319 Where the presence of the AUTH_HDR and AUTH are dependent on the
320 signing & sealing being neogitated.
322 ****************************************************************************/
324 static BOOL rpc_api_pipe(struct cli_state *cli, prs_struct *data, prs_struct *rdata)
328 uint32 rparam_len = 0;
333 char *pdata = data ? prs_data_p(data) : NULL;
334 uint32 data_len = data ? prs_offset(data) : 0;
336 uint32 rdata_len = 0;
337 uint32 current_offset = 0;
338 uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : 1024;
340 /* Create setup parameters - must be in native byte order. */
342 setup[0] = TRANSACT_DCERPCCMD;
343 setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
345 DEBUG(5,("rpc_api_pipe: fnum:%x\n", (int)cli->nt_pipe_fnum));
347 /* Send the RPC request and receive a response. For short RPC
348 calls (about 1024 bytes or so) the RPC request and response
349 appears in a SMBtrans request and response. Larger RPC
350 responses are received further on. */
352 if (!cli_api_pipe(cli, "\\PIPE\\",
353 setup, 2, 0, /* Setup, length, max */
354 NULL, 0, 0, /* Params, length, max */
355 pdata, data_len, max_data, /* data, length, max */
356 &rparam, &rparam_len, /* return params, len */
357 &prdata, &rdata_len)) /* return data, len */
359 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
363 /* Throw away returned params - we know we won't use them. */
367 if (prdata == NULL) {
368 DEBUG(0,("rpc_api_pipe: pipe %x failed to return data.\n",
369 (int)cli->nt_pipe_fnum));
374 * Give this memory as dynamically allocated to the return parse
378 prs_give_memory(rdata, prdata, rdata_len, True);
379 current_offset = rdata_len;
381 /* This next call sets the endian bit correctly in rdata. */
383 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
388 if (rhdr.pkt_type == RPC_BINDACK) {
389 if (!last && !first) {
390 DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
396 if (rhdr.pkt_type == RPC_RESPONSE) {
397 RPC_HDR_RESP rhdr_resp;
398 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
399 DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
405 DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
406 (unsigned int)len, (unsigned int)rdata_len ));
408 /* check if data to be sent back was too large for one SMBtrans */
409 /* err status is only informational: the _real_ check is on the
413 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
415 /* Read the remaining part of the first response fragment */
417 if (!rpc_read(cli, rdata, len, ¤t_offset)) {
424 * Now we have a complete PDU, check the auth struct if any was sent.
427 if (rhdr.auth_len != 0) {
428 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
431 * Drop the auth footers from the current offset.
432 * We need this if there are more fragments.
433 * The auth footers consist of the auth_data and the
434 * preceeding 8 byte auth_header.
436 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
440 * Only one rpc fragment, and it has been read.
444 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
449 * Read more fragments using SMBreadX until we get one with the
454 RPC_HDR_RESP rhdr_resp;
456 char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
462 * First read the header of the next PDU.
465 prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
466 prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
468 num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
469 if (cli_is_dos_error(cli)) {
470 cli_dos_error(cli, &eclass, &ecode);
471 if (eclass != ERRDOS && ecode != ERRmoredata) {
472 DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
477 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
479 if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
480 DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
481 RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
485 /* This call sets the endianness in hps. */
487 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
490 /* Ensure the endianness in rdata is set correctly - must be same as hps. */
492 if (hps.bigendian_data != rdata->bigendian_data) {
493 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
494 rdata->bigendian_data ? "big" : "little",
495 hps.bigendian_data ? "big" : "little" ));
499 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
500 DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
505 DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
510 * Now read the rest of the PDU.
513 if (!rpc_read(cli, rdata, len, ¤t_offset))
517 * Verify any authentication footer.
520 if (rhdr.auth_len != 0 ) {
521 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
524 * Drop the auth footers from the current offset.
525 * The auth footers consist of the auth_data and the
526 * preceeding 8 byte auth_header.
527 * We need this if there are more fragments.
529 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
536 /*******************************************************************
537 creates a DCE/RPC bind request
539 - initialises the parse structure.
540 - dynamically allocates the header data structure
541 - caller is expected to free the header data structure once used.
543 ********************************************************************/
545 static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, uint32 rpc_call_id,
546 RPC_IFACE *abstract, RPC_IFACE *transfer,
547 const char *my_name, const char *domain, uint32 neg_flags)
552 prs_struct auth_info;
555 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
558 RPC_HDR_AUTH hdr_auth;
559 RPC_AUTH_VERIFIER auth_verifier;
560 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
563 * Create the auth structs we will marshall.
566 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1);
567 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE);
568 init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain);
571 * Use the 4k buffer to store the auth info.
574 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
577 * Now marshall the data into the temporary parse_struct.
580 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
581 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
585 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
586 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n"));
590 if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) {
591 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n"));
595 /* Auth len in the rpc header doesn't include auth_header. */
596 auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
599 /* create the request RPC_HDR */
600 init_rpc_hdr(&hdr, RPC_BIND, 0x3, rpc_call_id,
601 RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
604 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
605 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
609 /* create the bind request RPC_HDR_RB */
610 init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
611 0x1, 0x0, 0x1, abstract, transfer);
613 /* Marshall the bind request data */
614 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
615 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
620 * Grow the outgoing buffer to store any auth info.
623 if(hdr.auth_len != 0) {
624 if(!prs_append_prs_data( rpc_out, &auth_info)) {
625 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
633 /*******************************************************************
634 Creates a DCE/RPC bind authentication response.
635 This is the packet that is sent back to the server once we
636 have received a BIND-ACK, to finish the third leg of
637 the authentication handshake.
638 ********************************************************************/
640 static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
641 const char *domain, const char *user_name, const char *my_name,
642 uint32 ntlmssp_cli_flgs,
646 unsigned char lm_owf[24];
647 unsigned char nt_owf[24];
649 RPC_HDR_AUTHA hdr_autha;
650 RPC_AUTH_VERIFIER auth_verifier;
651 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
653 prs_struct auth_info;
656 * Marshall the variable length data into a temporary parse
657 * struct, pointing into a 4k local buffer.
659 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
662 * Use the 4k buffer to store the auth info.
665 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
668 * Create the variable length auth_data.
671 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH);
673 pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf);
675 init_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
677 domain, user_name, my_name,
681 * Marshall the variable length auth_data into a temp parse_struct.
684 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
685 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n"));
689 if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) {
690 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n"));
694 /* Create the request RPC_HDR */
695 init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
696 RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info),
697 prs_offset(&auth_info) );
700 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
701 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
705 /* Create the request RPC_HDR_AUTHA */
706 init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
707 NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00);
709 if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
710 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
715 * Append the auth data to the outgoing buffer.
718 if(!prs_append_prs_data(rpc_out, &auth_info)) {
719 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
727 /*******************************************************************
728 Creates a DCE/RPC request.
729 ********************************************************************/
731 static uint32 create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len, uint8 flags, uint32 oldid, uint32 data_left)
736 uint32 callid = oldid ? oldid : get_rpc_call_id();
738 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
740 /* create the rpc header RPC_HDR */
741 init_rpc_hdr(&hdr, RPC_REQUEST, flags,
742 callid, data_len, auth_len);
745 * The alloc hint should be the amount of data, not including
746 * RPC headers & footers.
750 alloc_hint = data_left - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
752 alloc_hint = data_left - RPC_HEADER_LEN;
754 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
755 data_len, auth_len, alloc_hint));
757 /* Create the rpc request RPC_HDR_REQ */
758 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
761 if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0))
764 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
767 if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
773 /*******************************************************************
774 Puts an auth header into an rpc request.
775 ********************************************************************/
777 static BOOL create_auth_hdr(prs_struct *outgoing_packet, BOOL auth_verify)
779 RPC_HDR_AUTH hdr_auth;
781 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE,
782 NTLMSSP_AUTH_LEVEL, 0x08,
783 (auth_verify ? 1 : 0));
784 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth,
785 outgoing_packet, 0)) {
786 DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
792 /*******************************************************************
793 Puts auth data into an rpc request.
794 ********************************************************************/
796 static BOOL create_auth_data(struct cli_state *cli, uint32 crc32,
797 prs_struct *outgoing_packet)
799 char *pdata_out = prs_data_p(outgoing_packet);
800 RPC_AUTH_NTLMSSP_CHK chk;
801 uint32 current_offset = prs_offset(outgoing_packet);
803 init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION,
804 crc32, cli->ntlmssp_seq_num++);
805 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk,
806 outgoing_packet, 0)) {
807 DEBUG(0,("create_auth_data: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n"));
810 NTLMSSPcalc_ap(cli, (unsigned char*)
811 &pdata_out[current_offset+4],
812 RPC_AUTH_NTLMSSP_CHK_LEN - 4);
817 * Send a request on an RPC pipe and get a response.
819 * @param data NDR contents of the request to be sent.
820 * @param rdata Unparsed NDR response data.
823 BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
824 prs_struct *data, prs_struct *rdata)
826 uint32 auth_len, max_data, data_left, data_sent;
828 BOOL auth_verify, auth_seal;
831 auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
832 auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
834 auth_len = (auth_verify ? RPC_AUTH_NTLMSSP_CHK_LEN : 0);
837 * calc how much actual data we can send in a PDU fragment
839 max_data = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
840 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
842 for (data_left = prs_offset(data), data_sent = 0; data_left > 0;) {
843 prs_struct outgoing_packet;
844 uint32 data_len, send_size;
850 * how much will we send this time
852 send_size = MIN(data_left, max_data);
853 data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + send_size +
854 (auth_verify ? RPC_HDR_AUTH_LEN : 0) + auth_len;
857 * Malloc parse struct to hold it (and enough for alignments).
859 if(!prs_init(&outgoing_packet, data_len + 8,
860 cli->mem_ctx, MARSHALL)) {
861 DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
865 if (data_left == prs_offset(data))
866 flags |= RPC_FLG_FIRST;
868 if (data_left < max_data)
869 flags |= RPC_FLG_LAST;
871 * Write out the RPC header and the request header.
873 if(!(callid = create_rpc_request(&outgoing_packet, op_num,
874 data_len, auth_len, flags,
875 callid, data_left))) {
876 DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
877 prs_mem_free(&outgoing_packet);
882 * Seal the outgoing data if requested.
885 crc32 = crc32_calc_buffer(prs_data_p(data) + data_sent,
887 NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data) +
888 data_sent, send_size);
892 * Now copy the data into the outgoing packet.
894 if(!prs_append_some_prs_data(&outgoing_packet, data,
895 data_sent, send_size)) {
896 DEBUG(0,("rpc_api_pipe_req: Failed to append data to outgoing packet.\n"));
897 prs_mem_free(&outgoing_packet);
902 * Add a trailing auth_verifier if needed.
904 if (auth_seal || auth_verify) {
905 if(!create_auth_hdr(&outgoing_packet, auth_verify)) {
906 prs_mem_free(&outgoing_packet);
912 * Finally the auth data itself.
915 if (!create_auth_data(cli, crc32, &outgoing_packet)) {
916 prs_mem_free(&outgoing_packet);
921 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len,
922 prs_offset(&outgoing_packet)));
924 if (flags & RPC_FLG_LAST)
925 ret = rpc_api_pipe(cli, &outgoing_packet, rdata);
927 cli_write(cli, cli->nt_pipe_fnum, 0x0008,
928 prs_data_p(&outgoing_packet),
929 data_sent, data_len);
931 prs_mem_free(&outgoing_packet);
932 data_sent += send_size;
933 data_left -= send_size;
935 /* Also capture received data */
936 slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
937 cli_pipe_get_name(cli));
938 prs_dump(dump_name, op_num, rdata);
943 /****************************************************************************
944 Set the handle state.
945 ****************************************************************************/
947 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, const char *pipe_name, uint16 device_state)
949 BOOL state_set = False;
951 uint16 setup[2]; /* only need 2 uint16 setup parameters */
954 uint32 rparam_len, rdata_len;
956 if (pipe_name == NULL)
959 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
960 cli->nt_pipe_fnum, pipe_name, device_state));
962 /* create parameters: device state */
963 SSVAL(param, 0, device_state);
965 /* create setup parameters. */
967 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
969 /* send the data on \PIPE\ */
970 if (cli_api_pipe(cli, "\\PIPE\\",
971 setup, 2, 0, /* setup, length, max */
972 param, 2, 0, /* param, length, max */
973 NULL, 0, 1024, /* data, length, max */
974 &rparam, &rparam_len, /* return param, length */
975 &rdata, &rdata_len)) /* return data, length */
977 DEBUG(5, ("Set Handle state: return OK\n"));
987 /****************************************************************************
988 check the rpc bind acknowledge response
989 ****************************************************************************/
991 int get_pipe_index( const char *pipe_name )
995 while (pipe_names[pipe_idx].client_pipe != NULL) {
996 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
1005 /****************************************************************************
1006 check the rpc bind acknowledge response
1007 ****************************************************************************/
1009 const char* get_pipe_name_from_index( const int pipe_index )
1012 if ( (pipe_index < 0) || (pipe_index >= PI_MAX_PIPES) )
1015 return pipe_names[pipe_index].client_pipe;
1018 /****************************************************************************
1019 Check to see if this pipe index points to one of
1020 the pipes only supported by Win2k
1021 ****************************************************************************/
1023 BOOL is_win2k_pipe( const int pipe_idx )
1034 /****************************************************************************
1035 check the rpc bind acknowledge response
1036 ****************************************************************************/
1038 static BOOL valid_pipe_name(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
1040 if ( pipe_idx >= PI_MAX_PIPES ) {
1041 DEBUG(0,("valid_pipe_name: Programmer error! Invalid pipe index [%d]\n",
1046 DEBUG(5,("Bind Abstract Syntax: "));
1047 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
1048 sizeof(pipe_names[pipe_idx].abstr_syntax));
1049 DEBUG(5,("Bind Transfer Syntax: "));
1050 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
1051 sizeof(pipe_names[pipe_idx].trans_syntax));
1053 /* copy the required syntaxes out so we can do the right bind */
1055 *transfer = pipe_names[pipe_idx].trans_syntax;
1056 *abstract = pipe_names[pipe_idx].abstr_syntax;
1061 /****************************************************************************
1062 check the rpc bind acknowledge response
1063 ****************************************************************************/
1065 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
1069 if ( hdr_ba->addr.len <= 0)
1072 if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe ))
1074 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
1075 pipe_names[i].server_pipe ,hdr_ba->addr.str));
1079 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
1081 if (pipe_names[pipe_idx].server_pipe == NULL) {
1082 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
1086 /* check the transfer syntax */
1087 if ((hdr_ba->transfer.version != transfer->version) ||
1088 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1089 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1093 /* lkclXXXX only accept one result: check the result(s) */
1094 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
1095 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1096 hdr_ba->res.num_results, hdr_ba->res.reason));
1099 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
1103 /****************************************************************************
1104 Create and send the third packet in an RPC auth.
1105 ****************************************************************************/
1107 static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
1109 RPC_HDR_AUTH rhdr_auth;
1110 RPC_AUTH_VERIFIER rhdr_verf;
1111 RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
1112 char buffer[MAX_PDU_FRAG_LEN];
1116 unsigned char p24[24];
1117 unsigned char lm_owf[24];
1118 unsigned char lm_hash[16];
1120 if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) {
1121 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n"));
1124 if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) {
1125 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n"));
1128 if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) {
1129 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n"));
1133 cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
1135 pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
1137 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1139 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1141 create_rpc_bind_resp(&cli->pwd, cli->domain,
1142 cli->user_name, global_myname(),
1143 cli->ntlmssp_cli_flgs, rpc_call_id,
1146 pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
1147 pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
1149 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
1152 unsigned char j = 0;
1154 unsigned char k2[8];
1161 for (ind = 0; ind < 256; ind++)
1162 cli->ntlmssp_hash[ind] = (unsigned char)ind;
1164 for( ind = 0; ind < 256; ind++) {
1167 j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
1169 tc = cli->ntlmssp_hash[ind];
1170 cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
1171 cli->ntlmssp_hash[j] = tc;
1174 cli->ntlmssp_hash[256] = 0;
1175 cli->ntlmssp_hash[257] = 0;
1178 memset((char *)lm_hash, '\0', sizeof(lm_hash));
1180 if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out),
1181 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
1182 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
1186 cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
1190 /****************************************************************************
1192 ****************************************************************************/
1194 BOOL rpc_pipe_bind(struct cli_state *cli, int pipe_idx, const char *my_name)
1200 BOOL do_auth = (cli->ntlmssp_cli_flgs != 0);
1202 char buffer[MAX_PDU_FRAG_LEN];
1204 if ( (pipe_idx < 0) || (pipe_idx >= PI_MAX_PIPES) )
1207 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_names[pipe_idx].client_pipe));
1209 if (!valid_pipe_name(pipe_idx, &abstract, &transfer))
1212 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1215 * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
1218 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1220 rpc_call_id = get_rpc_call_id();
1222 /* Marshall the outgoing data. */
1223 create_rpc_bind_req(&rpc_out, do_auth, rpc_call_id,
1224 &abstract, &transfer,
1225 global_myname(), cli->domain, cli->ntlmssp_cli_flgs);
1227 /* Initialize the incoming data struct. */
1228 prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
1230 /* send data on \PIPE\. receive a response */
1231 if (rpc_api_pipe(cli, &rpc_out, &rdata)) {
1234 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
1236 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
1237 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
1238 prs_mem_free(&rdata);
1242 if(!check_bind_response(&hdr_ba, pipe_idx, &transfer)) {
1243 DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
1244 prs_mem_free(&rdata);
1248 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
1249 cli->max_recv_frag = hdr_ba.bba.max_rsize;
1252 * If we're doing NTLMSSP auth we need to send a reply to
1253 * the bind-ack to complete the 3-way challenge response
1257 if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
1258 DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
1259 prs_mem_free(&rdata);
1264 prs_mem_free(&rdata);
1268 /****************************************************************************
1269 Set ntlmssp negotiation flags.
1270 ****************************************************************************/
1272 void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs)
1274 cli->ntlmssp_cli_flgs = ntlmssp_flgs;
1278 /****************************************************************************
1280 ****************************************************************************/
1282 BOOL cli_nt_session_open(struct cli_state *cli, const int pipe_idx)
1286 SMB_ASSERT(cli->nt_pipe_fnum == 0);
1288 /* The pipe index must fall within our array */
1290 SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
1292 if (cli->capabilities & CAP_NT_SMBS) {
1293 if ((fnum = cli_nt_create(cli, &pipe_names[pipe_idx].client_pipe[5], DESIRED_ACCESS_PIPE)) == -1) {
1294 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1295 &pipe_names[pipe_idx].client_pipe[5], cli->desthost, cli_errstr(cli)));
1299 cli->nt_pipe_fnum = (uint16)fnum;
1301 if ((fnum = cli_open(cli, pipe_names[pipe_idx].client_pipe, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1302 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1303 pipe_names[pipe_idx].client_pipe, cli->desthost, cli_errstr(cli)));
1307 cli->nt_pipe_fnum = (uint16)fnum;
1309 /**************** Set Named Pipe State ***************/
1310 if (!rpc_pipe_set_hnd_state(cli, pipe_names[pipe_idx].client_pipe, 0x4300)) {
1311 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1313 cli_close(cli, cli->nt_pipe_fnum);
1318 /******************* bind request on pipe *****************/
1320 if (!rpc_pipe_bind(cli, pipe_idx, global_myname())) {
1321 DEBUG(2,("cli_nt_session_open: rpc bind to %s failed\n",
1322 get_pipe_name_from_index(pipe_idx)));
1323 cli_close(cli, cli->nt_pipe_fnum);
1328 * Setup the remote server name prefixed by \ and the machine account name.
1331 fstrcpy(cli->srv_name_slash, "\\\\");
1332 fstrcat(cli->srv_name_slash, cli->desthost);
1333 strupper(cli->srv_name_slash);
1335 fstrcpy(cli->clnt_name_slash, "\\\\");
1336 fstrcat(cli->clnt_name_slash, global_myname());
1337 strupper(cli->clnt_name_slash);
1339 fstrcpy(cli->mach_acct, global_myname());
1340 fstrcat(cli->mach_acct, "$");
1341 strupper(cli->mach_acct);
1343 /* Remember which pipe we're talking to */
1344 fstrcpy(cli->pipe_name, pipe_names[pipe_idx].client_pipe);
1350 const char *cli_pipe_get_name(struct cli_state *cli)
1352 return cli->pipe_name;
1356 /****************************************************************************
1358 ****************************************************************************/
1360 void cli_nt_session_close(struct cli_state *cli)
1362 cli_close(cli, cli->nt_pipe_fnum);
1363 cli->nt_pipe_fnum = 0;
git.samba.org / tprouty / samba.git / blob