2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998,
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1998.
8 * Copyright (C) Jeremy Allison 1999.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 extern int DEBUGLEVEL;
28 extern struct pipe_id_info pipe_names[];
29 extern fstring global_myworkgroup;
30 extern pstring global_myname;
32 /********************************************************************
34 ********************************************************************/
36 static uint32 get_rpc_call_id(void)
38 static uint32 call_id = 0;
42 /*******************************************************************
43 Use SMBreadX to get rest of one fragment's worth of rpc data.
44 ********************************************************************/
46 static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
48 size_t size = (size_t)cli->max_recv_frag;
49 int stream_offset = 0;
52 int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
54 DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
55 (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
58 * Grow the buffer if needed to accommodate the data to be read.
61 if (extra_data_size > 0) {
62 if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
63 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
66 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
69 pdata = prs_data_p(rdata) + *rdata_offset;
71 do /* read data using SMBreadX */
76 if (size > (size_t)data_to_read)
77 size = (size_t)data_to_read;
79 num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
81 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
82 num_read, stream_offset, data_to_read));
84 if (cli_is_dos_error(cli)) {
85 cli_dos_error(cli, &eclass, &ecode);
86 if (eclass != ERRDOS && ecode != ERRmoredata) {
87 DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
88 eclass, (unsigned int)ecode));
93 data_to_read -= num_read;
94 stream_offset += num_read;
97 } while (num_read > 0 && data_to_read > 0);
98 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
101 * Update the current offset into rdata by the amount read.
103 *rdata_offset += stream_offset;
108 /****************************************************************************
109 Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
110 ****************************************************************************/
112 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr,
113 BOOL *first, BOOL *last, uint32 *len)
115 DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
117 /* Next call sets endian bit. */
119 if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) {
120 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
124 if (prs_offset(rdata) != RPC_HEADER_LEN) {
125 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
129 (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
130 (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
131 (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
133 return (rhdr->pkt_type != RPC_FAULT);
136 static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len)
138 unsigned char *hash = cli->ntlmssp_hash;
139 unsigned char index_i = hash[256];
140 unsigned char index_j = hash[257];
143 for( ind = 0; ind < len; ind++) {
148 index_j += hash[index_i];
151 hash[index_i] = hash[index_j];
154 t = hash[index_i] + hash[index_j];
155 data[ind] = data[ind] ^ hash[t];
162 /****************************************************************************
163 Verify data on an rpc pipe.
164 The VERIFY & SEAL code is only executed on packets that look like this :
166 Request/Response PDU's look like the following...
168 |<------------------PDU len----------------------------------------------->|
169 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
171 +------------+-----------------+-------------+---------------+-------------+
172 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
173 +------------+-----------------+-------------+---------------+-------------+
175 Never on bind requests/responses.
176 ****************************************************************************/
178 static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, int len, int auth_len)
181 * The following is that length of the data we must sign or seal.
182 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
183 * preceeding the auth_data.
186 int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
189 * The start of the data to sign/seal is just after the RPC headers.
191 char *reply_data = prs_data_p(rdata) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
193 BOOL auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
194 BOOL auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
196 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
197 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal)));
200 * Unseal any sealed data in the PDU, not including the
201 * 8 byte auth_header or the auth_data.
205 DEBUG(10,("rpc_auth_pipe: unseal\n"));
206 dump_data(100, reply_data, data_len);
207 NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
208 dump_data(100, reply_data, data_len);
211 if (auth_verify || auth_seal) {
212 RPC_HDR_AUTH rhdr_auth;
214 char data[RPC_HDR_AUTH_LEN];
216 * We set dp to be the end of the packet, minus the auth_len
217 * and the length of the header that preceeds the auth_data.
219 char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN;
221 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
222 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
226 memcpy(data, dp, sizeof(data));
228 prs_init(&auth_req , 0, cli->mem_ctx, UNMARSHALL);
230 /* The endianness must be preserved... JRA. */
232 prs_set_endian_data(&auth_req, rdata->bigendian_data);
234 prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False);
237 * Unmarshall the 8 byte auth_header that comes before the
241 if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) {
242 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n"));
246 if (!rpc_hdr_auth_chk(&rhdr_auth)) {
247 DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n"));
253 * Now unseal and check the auth verifier in the auth_data at
254 * then end of the packet. The 4 bytes skipped in the unseal
255 * seem to be a buffer pointer preceeding the sealed data.
259 RPC_AUTH_NTLMSSP_CHK chk;
261 prs_struct auth_verf;
262 char data[RPC_AUTH_NTLMSSP_CHK_LEN];
263 char *dp = prs_data_p(rdata) + len - auth_len;
265 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
266 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
270 DEBUG(10,("rpc_auth_pipe: verify\n"));
271 dump_data(100, dp, auth_len);
272 NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4);
274 memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN);
275 dump_data(100, data, auth_len);
277 prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
279 /* The endinness must be preserved. JRA. */
280 prs_set_endian_data( &auth_verf, rdata->bigendian_data);
282 prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False);
284 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) {
285 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n"));
289 crc32 = crc32_calc_buffer(reply_data, data_len);
291 if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) {
292 DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n"));
295 cli->ntlmssp_seq_num++;
301 /****************************************************************************
302 Send data on an rpc pipe, which *must* be in one fragment.
303 receive response data from an rpc pipe, which may be large...
305 Read the first fragment: unfortunately have to use SMBtrans for the first
306 bit, then SMBreadX for subsequent bits.
308 If first fragment received also wasn't the last fragment, continue
309 getting fragments until we _do_ receive the last fragment.
311 Request/Response PDU's look like the following...
313 |<------------------PDU len----------------------------------------------->|
314 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
316 +------------+-----------------+-------------+---------------+-------------+
317 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
318 +------------+-----------------+-------------+---------------+-------------+
320 Where the presence of the AUTH_HDR and AUTH are dependent on the
321 signing & sealing being neogitated.
323 ****************************************************************************/
325 static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, prs_struct *data, prs_struct *rdata)
329 uint32 rparam_len = 0;
334 char *pdata = data ? prs_data_p(data) : NULL;
335 uint32 data_len = data ? prs_offset(data) : 0;
337 uint32 rdata_len = 0;
338 uint32 current_offset = 0;
340 /* Create setup parameters - must be in native byte order. */
343 setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
345 DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", (int)cmd,
346 (int)cli->nt_pipe_fnum));
348 /* Send the RPC request and receive a response. For short RPC
349 calls (about 1024 bytes or so) the RPC request and response
350 appears in a SMBtrans request and response. Larger RPC
351 responses are received further on. */
353 if (!cli_api_pipe(cli, "\\PIPE\\",
354 setup, 2, 0, /* Setup, length, max */
355 NULL, 0, 0, /* Params, length, max */
356 pdata, data_len, data_len, /* data, length, max */
357 &rparam, &rparam_len, /* return params, len */
358 &prdata, &rdata_len)) /* return data, len */
360 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
364 /* Throw away returned params - we know we won't use them. */
368 if (prdata == NULL) {
369 DEBUG(0,("rpc_api_pipe: cmd %x on pipe %x failed to return data.\n",
370 (int)cmd, (int)cli->nt_pipe_fnum));
375 * Give this memory as dynamically allocated to the return parse
379 prs_give_memory(rdata, prdata, rdata_len, True);
380 current_offset = rdata_len;
382 /* This next call sets the endian bit correctly in rdata. */
384 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
389 if (rhdr.pkt_type == RPC_BINDACK) {
390 if (!last && !first) {
391 DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
397 if (rhdr.pkt_type == RPC_RESPONSE) {
398 RPC_HDR_RESP rhdr_resp;
399 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
400 DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
406 DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
407 (unsigned int)len, (unsigned int)rdata_len ));
409 /* check if data to be sent back was too large for one SMBtrans */
410 /* err status is only informational: the _real_ check is on the
414 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
416 /* Read the remaining part of the first response fragment */
418 if (!rpc_read(cli, rdata, len, ¤t_offset)) {
425 * Now we have a complete PDU, check the auth struct if any was sent.
428 if (rhdr.auth_len != 0) {
429 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
432 * Drop the auth footers from the current offset.
433 * We need this if there are more fragments.
434 * The auth footers consist of the auth_data and the
435 * preceeding 8 byte auth_header.
437 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
441 * Only one rpc fragment, and it has been read.
445 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
450 * Read more fragments using SMBreadX until we get one with the
455 RPC_HDR_RESP rhdr_resp;
457 char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
463 * First read the header of the next PDU.
466 prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
467 prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
469 num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
470 if (cli_is_dos_error(cli)) {
471 cli_dos_error(cli, &eclass, &ecode);
472 if (eclass != ERRDOS && ecode != ERRmoredata) {
473 DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
478 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
480 if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
481 DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
482 RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
486 /* This call sets the endianness in hps. */
488 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
491 /* Ensure the endianness in rdata is set correctly - must be same as hps. */
493 if (hps.bigendian_data != rdata->bigendian_data) {
494 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
495 rdata->bigendian_data ? "big" : "little",
496 hps.bigendian_data ? "big" : "little" ));
500 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
501 DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
506 DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
511 * Now read the rest of the PDU.
514 if (!rpc_read(cli, rdata, len, ¤t_offset))
518 * Verify any authentication footer.
521 if (rhdr.auth_len != 0 ) {
522 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
525 * Drop the auth footers from the current offset.
526 * The auth footers consist of the auth_data and the
527 * preceeding 8 byte auth_header.
528 * We need this if there are more fragments.
530 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
537 /*******************************************************************
538 creates a DCE/RPC bind request
540 - initialises the parse structure.
541 - dynamically allocates the header data structure
542 - caller is expected to free the header data structure once used.
544 ********************************************************************/
546 static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, uint32 rpc_call_id,
547 RPC_IFACE *abstract, RPC_IFACE *transfer,
548 char *my_name, char *domain, uint32 neg_flags)
553 prs_struct auth_info;
556 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
559 RPC_HDR_AUTH hdr_auth;
560 RPC_AUTH_VERIFIER auth_verifier;
561 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
564 * Create the auth structs we will marshall.
567 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1);
568 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE);
569 init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain);
572 * Use the 4k buffer to store the auth info.
575 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
578 * Now marshall the data into the temporary parse_struct.
581 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
582 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
586 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
587 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n"));
591 if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) {
592 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n"));
596 /* Auth len in the rpc header doesn't include auth_header. */
597 auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
600 /* create the request RPC_HDR */
601 init_rpc_hdr(&hdr, RPC_BIND, 0x0, rpc_call_id,
602 RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
605 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
606 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
610 /* create the bind request RPC_HDR_RB */
611 init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
612 0x1, 0x0, 0x1, abstract, transfer);
614 /* Marshall the bind request data */
615 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
616 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
621 * Grow the outgoing buffer to store any auth info.
624 if(hdr.auth_len != 0) {
625 if(!prs_append_prs_data( rpc_out, &auth_info)) {
626 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
634 /*******************************************************************
635 Creates a DCE/RPC bind authentication response.
636 This is the packet that is sent back to the server once we
637 have received a BIND-ACK, to finish the third leg of
638 the authentication handshake.
639 ********************************************************************/
641 static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
642 char *domain, char *user_name, char *my_name,
643 uint32 ntlmssp_cli_flgs,
647 unsigned char lm_owf[24];
648 unsigned char nt_owf[24];
650 RPC_HDR_AUTHA hdr_autha;
651 RPC_AUTH_VERIFIER auth_verifier;
652 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
654 prs_struct auth_info;
657 * Marshall the variable length data into a temporary parse
658 * struct, pointing into a 4k local buffer.
660 prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
663 * Use the 4k buffer to store the auth info.
666 prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
669 * Create the variable length auth_data.
672 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH);
674 pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf);
676 init_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
678 domain, user_name, my_name,
682 * Marshall the variable length auth_data into a temp parse_struct.
685 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
686 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n"));
690 if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) {
691 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n"));
695 /* Create the request RPC_HDR */
696 init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
697 RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info),
698 prs_offset(&auth_info) );
701 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
702 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
706 /* Create the request RPC_HDR_AUTHA */
707 init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
708 NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00);
710 if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
711 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
716 * Append the auth data to the outgoing buffer.
719 if(!prs_append_prs_data(rpc_out, &auth_info)) {
720 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
728 /*******************************************************************
729 Creates a DCE/RPC request.
730 ********************************************************************/
732 static BOOL create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len)
738 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
740 /* create the rpc header RPC_HDR */
741 init_rpc_hdr(&hdr, RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST,
742 get_rpc_call_id(), data_len, auth_len);
745 * The alloc hint should be the amount of data, not including
746 * RPC headers & footers.
750 alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
752 alloc_hint = data_len - RPC_HEADER_LEN;
754 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
755 data_len, auth_len, alloc_hint));
757 /* Create the rpc request RPC_HDR_REQ */
758 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
761 if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0))
764 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
767 if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
774 /****************************************************************************
775 Send a request on an rpc pipe.
776 ****************************************************************************/
778 BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
779 prs_struct *data, prs_struct *rdata)
781 prs_struct outgoing_packet;
788 char *pdata_out = NULL;
790 auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
791 auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
794 * The auth_len doesn't include the RPC_HDR_AUTH_LEN.
797 auth_len = (auth_verify ? RPC_AUTH_NTLMSSP_CHK_LEN : 0);
800 * PDU len is header, plus request header, plus data, plus
801 * auth_header_len (if present), plus auth_len (if present).
802 * NB. The auth stuff should be aligned on an 8 byte boundary
803 * to be totally DCE/RPC spec complient. For now we cheat and
804 * hope that the data structs defined are a multiple of 8 bytes.
807 if((prs_offset(data) % 8) != 0) {
808 DEBUG(5,("rpc_api_pipe_req: Outgoing data not a multiple of 8 bytes....\n"));
811 data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(data) +
812 (auth_verify ? RPC_HDR_AUTH_LEN : 0) + auth_len;
815 * Malloc a parse struct to hold it (and enough for alignments).
818 if(!prs_init(&outgoing_packet, data_len + 8, cli->mem_ctx, MARSHALL)) {
819 DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
823 pdata_out = prs_data_p(&outgoing_packet);
826 * Write out the RPC header and the request header.
829 if(!create_rpc_request(&outgoing_packet, op_num, data_len, auth_len)) {
830 DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
831 prs_mem_free(&outgoing_packet);
836 * Seal the outgoing data if requested.
840 crc32 = crc32_calc_buffer(prs_data_p(data), prs_offset(data));
841 NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data), prs_offset(data));
845 * Now copy the data into the outgoing packet.
848 if(!prs_append_prs_data( &outgoing_packet, data)) {
849 DEBUG(0,("rpc_api_pipe_req: Failed to append data to outgoing packet.\n"));
850 prs_mem_free(&outgoing_packet);
855 * Add a trailing auth_verifier if needed.
858 if (auth_seal || auth_verify) {
859 RPC_HDR_AUTH hdr_auth;
861 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE,
862 NTLMSSP_AUTH_LEVEL, 0x08, (auth_verify ? 1 : 0));
863 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &outgoing_packet, 0)) {
864 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_HDR_AUTH.\n"));
865 prs_mem_free(&outgoing_packet);
871 * Finally the auth data itself.
875 RPC_AUTH_NTLMSSP_CHK chk;
876 uint32 current_offset = prs_offset(&outgoing_packet);
878 init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++);
879 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &outgoing_packet, 0)) {
880 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n"));
881 prs_mem_free(&outgoing_packet);
884 NTLMSSPcalc_ap(cli, (unsigned char*)&pdata_out[current_offset+4], RPC_AUTH_NTLMSSP_CHK_LEN - 4);
887 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len, prs_offset(&outgoing_packet)));
889 ret = rpc_api_pipe(cli, 0x0026, &outgoing_packet, rdata);
891 prs_mem_free(&outgoing_packet);
896 /****************************************************************************
897 Set the handle state.
898 ****************************************************************************/
900 static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, char *pipe_name, uint16 device_state)
902 BOOL state_set = False;
904 uint16 setup[2]; /* only need 2 uint16 setup parameters */
907 uint32 rparam_len, rdata_len;
909 if (pipe_name == NULL)
912 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
913 cli->nt_pipe_fnum, pipe_name, device_state));
915 /* create parameters: device state */
916 SSVAL(param, 0, device_state);
918 /* create setup parameters. */
920 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */
922 /* send the data on \PIPE\ */
923 if (cli_api_pipe(cli, "\\PIPE\\",
924 setup, 2, 0, /* setup, length, max */
925 param, 2, 0, /* param, length, max */
926 NULL, 0, 1024, /* data, length, max */
927 &rparam, &rparam_len, /* return param, length */
928 &rdata, &rdata_len)) /* return data, length */
930 DEBUG(5, ("Set Handle state: return OK\n"));
940 /****************************************************************************
941 check the rpc bind acknowledge response
942 ****************************************************************************/
944 static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *transfer)
948 while (pipe_names[pipe_idx].client_pipe != NULL) {
949 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) {
950 DEBUG(5,("Bind Abstract Syntax: "));
951 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax),
952 sizeof(pipe_names[pipe_idx].abstr_syntax));
953 DEBUG(5,("Bind Transfer Syntax: "));
954 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
955 sizeof(pipe_names[pipe_idx].trans_syntax));
957 /* copy the required syntaxes out so we can do the right bind */
958 *transfer = pipe_names[pipe_idx].trans_syntax;
959 *abstract = pipe_names[pipe_idx].abstr_syntax;
966 DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name));
970 /****************************************************************************
971 check the rpc bind acknowledge response
972 ****************************************************************************/
974 static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, char *pipe_name, RPC_IFACE *transfer)
978 while ((pipe_names[i].client_pipe != NULL) && hdr_ba->addr.len > 0) {
979 if ((strequal(pipe_name, pipe_names[i].client_pipe ))) {
980 if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe )) {
981 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n",
982 pipe_names[i].server_pipe ));
985 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
986 pipe_names[i].server_pipe ,
995 if (pipe_names[i].server_pipe == NULL) {
996 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
1000 /* check the transfer syntax */
1001 if ((hdr_ba->transfer.version != transfer->version) ||
1002 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1003 DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n"));
1007 /* lkclXXXX only accept one result: check the result(s) */
1008 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
1009 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1010 hdr_ba->res.num_results, hdr_ba->res.reason));
1013 DEBUG(5,("bind_rpc_pipe: accepted!\n"));
1017 /****************************************************************************
1018 Create and send the third packet in an RPC auth.
1019 ****************************************************************************/
1021 static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
1023 RPC_HDR_AUTH rhdr_auth;
1024 RPC_AUTH_VERIFIER rhdr_verf;
1025 RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
1026 char buffer[MAX_PDU_FRAG_LEN];
1030 unsigned char p24[24];
1031 unsigned char lm_owf[24];
1032 unsigned char lm_hash[16];
1034 if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) {
1035 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n"));
1038 if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) {
1039 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n"));
1042 if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) {
1043 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n"));
1047 cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
1049 pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
1051 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1053 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1055 create_rpc_bind_resp(&cli->pwd, cli->domain,
1056 cli->user_name, global_myname,
1057 cli->ntlmssp_cli_flgs, rpc_call_id,
1060 pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
1061 pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
1063 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
1066 unsigned char j = 0;
1068 unsigned char k2[8];
1075 for (ind = 0; ind < 256; ind++)
1076 cli->ntlmssp_hash[ind] = (unsigned char)ind;
1078 for( ind = 0; ind < 256; ind++) {
1081 j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
1083 tc = cli->ntlmssp_hash[ind];
1084 cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
1085 cli->ntlmssp_hash[j] = tc;
1088 cli->ntlmssp_hash[256] = 0;
1089 cli->ntlmssp_hash[257] = 0;
1092 memset((char *)lm_hash, '\0', sizeof(lm_hash));
1094 if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out),
1095 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
1096 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
1100 cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
1104 /****************************************************************************
1106 ****************************************************************************/
1108 BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, char *my_name)
1114 BOOL do_auth = (cli->ntlmssp_cli_flgs != 0);
1116 char buffer[MAX_PDU_FRAG_LEN];
1118 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_name));
1120 if (!valid_pipe_name(pipe_name, &abstract, &transfer))
1123 prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
1126 * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
1129 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
1131 rpc_call_id = get_rpc_call_id();
1133 /* Marshall the outgoing data. */
1134 create_rpc_bind_req(&rpc_out, do_auth, rpc_call_id,
1135 &abstract, &transfer,
1136 global_myname, cli->domain, cli->ntlmssp_cli_flgs);
1138 /* Initialize the incoming data struct. */
1139 prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
1141 /* send data on \PIPE\. receive a response */
1142 if (rpc_api_pipe(cli, 0x0026, &rpc_out, &rdata)) {
1145 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
1147 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
1148 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
1149 prs_mem_free(&rdata);
1153 if(!check_bind_response(&hdr_ba, pipe_name, &transfer)) {
1154 DEBUG(0,("rpc_pipe_bind: check_bind_response failed.\n"));
1155 prs_mem_free(&rdata);
1159 cli->max_xmit_frag = hdr_ba.bba.max_tsize;
1160 cli->max_recv_frag = hdr_ba.bba.max_rsize;
1163 * If we're doing NTLMSSP auth we need to send a reply to
1164 * the bind-ack to complete the 3-way challenge response
1168 if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
1169 DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
1170 prs_mem_free(&rdata);
1175 prs_mem_free(&rdata);
1179 /****************************************************************************
1180 Set ntlmssp negotiation flags.
1181 ****************************************************************************/
1183 void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs)
1185 cli->ntlmssp_cli_flgs = ntlmssp_flgs;
1189 /****************************************************************************
1191 ****************************************************************************/
1193 BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name)
1197 SMB_ASSERT(cli->nt_pipe_fnum == 0);
1199 if (cli->capabilities & CAP_NT_SMBS) {
1200 if ((fnum = cli_nt_create(cli, &(pipe_name[5]), DESIRED_ACCESS_PIPE)) == -1) {
1201 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n",
1202 &(pipe_name[5]), cli->desthost, cli_errstr(cli)));
1206 cli->nt_pipe_fnum = (uint16)fnum;
1208 if ((fnum = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
1209 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n",
1210 pipe_name, cli->desthost, cli_errstr(cli)));
1214 cli->nt_pipe_fnum = (uint16)fnum;
1216 /**************** Set Named Pipe State ***************/
1217 if (!rpc_pipe_set_hnd_state(cli, pipe_name, 0x4300)) {
1218 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n",
1220 cli_close(cli, cli->nt_pipe_fnum);
1225 /******************* bind request on pipe *****************/
1227 if (!rpc_pipe_bind(cli, pipe_name, global_myname)) {
1228 DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n",
1230 cli_close(cli, cli->nt_pipe_fnum);
1235 * Setup the remote server name prefixed by \ and the machine account name.
1238 fstrcpy(cli->srv_name_slash, "\\\\");
1239 fstrcat(cli->srv_name_slash, cli->desthost);
1240 strupper(cli->srv_name_slash);
1242 fstrcpy(cli->clnt_name_slash, "\\\\");
1243 fstrcat(cli->clnt_name_slash, global_myname);
1244 strupper(cli->clnt_name_slash);
1246 fstrcpy(cli->mach_acct, global_myname);
1247 fstrcat(cli->mach_acct, "$");
1248 strupper(cli->mach_acct);
1253 /****************************************************************************
1255 ****************************************************************************/
1257 void cli_nt_session_close(struct cli_state *cli)
1259 cli_close(cli, cli->nt_pipe_fnum);
1260 cli->nt_pipe_fnum = 0;