2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client routines
4 * Largely rewritten by Jeremy Allison 2005.
5 * Heavily modified by Simo Sorce 2010.
6 * Copyright Andrew Bartlett 2011.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 #include "../lib/util/tevent_ntstatus.h"
24 #include "librpc/gen_ndr/ndr_epmapper_c.h"
25 #include "../librpc/gen_ndr/ndr_dssetup.h"
26 #include "../libcli/auth/schannel.h"
27 #include "../libcli/auth/netlogon_creds_cli.h"
28 #include "auth_generic.h"
29 #include "librpc/gen_ndr/ndr_dcerpc.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "librpc/rpc/dcerpc.h"
34 #include "libsmb/libsmb.h"
35 #include "auth/gensec/gensec.h"
36 #include "auth/credentials/credentials.h"
37 #include "../libcli/smb/smbXcli_base.h"
40 #define DBGC_CLASS DBGC_RPC_CLI
42 /********************************************************************
43 Pipe description for a DEBUG
44 ********************************************************************/
45 static const char *rpccli_pipe_txt(TALLOC_CTX *mem_ctx,
46 struct rpc_pipe_client *cli)
48 char *result = talloc_asprintf(mem_ctx, "host %s", cli->desthost);
55 /********************************************************************
57 ********************************************************************/
59 static uint32 get_rpc_call_id(void)
61 static uint32 call_id = 0;
65 /*******************************************************************
66 Use SMBreadX to get rest of one fragment's worth of rpc data.
67 Reads the whole size or give an error message
68 ********************************************************************/
70 struct rpc_read_state {
71 struct tevent_context *ev;
72 struct rpc_cli_transport *transport;
78 static void rpc_read_done(struct tevent_req *subreq);
80 static struct tevent_req *rpc_read_send(TALLOC_CTX *mem_ctx,
81 struct tevent_context *ev,
82 struct rpc_cli_transport *transport,
83 uint8_t *data, size_t size)
85 struct tevent_req *req, *subreq;
86 struct rpc_read_state *state;
88 req = tevent_req_create(mem_ctx, &state, struct rpc_read_state);
93 state->transport = transport;
98 DEBUG(5, ("rpc_read_send: data_to_read: %u\n", (unsigned int)size));
100 subreq = transport->read_send(state, ev, (uint8_t *)data, size,
102 if (subreq == NULL) {
105 tevent_req_set_callback(subreq, rpc_read_done, req);
113 static void rpc_read_done(struct tevent_req *subreq)
115 struct tevent_req *req = tevent_req_callback_data(
116 subreq, struct tevent_req);
117 struct rpc_read_state *state = tevent_req_data(
118 req, struct rpc_read_state);
122 status = state->transport->read_recv(subreq, &received);
124 if (!NT_STATUS_IS_OK(status)) {
125 tevent_req_nterror(req, status);
129 state->num_read += received;
130 if (state->num_read == state->size) {
131 tevent_req_done(req);
135 subreq = state->transport->read_send(state, state->ev,
136 state->data + state->num_read,
137 state->size - state->num_read,
138 state->transport->priv);
139 if (tevent_req_nomem(subreq, req)) {
142 tevent_req_set_callback(subreq, rpc_read_done, req);
145 static NTSTATUS rpc_read_recv(struct tevent_req *req)
147 return tevent_req_simple_recv_ntstatus(req);
150 struct rpc_write_state {
151 struct tevent_context *ev;
152 struct rpc_cli_transport *transport;
158 static void rpc_write_done(struct tevent_req *subreq);
160 static struct tevent_req *rpc_write_send(TALLOC_CTX *mem_ctx,
161 struct tevent_context *ev,
162 struct rpc_cli_transport *transport,
163 const uint8_t *data, size_t size)
165 struct tevent_req *req, *subreq;
166 struct rpc_write_state *state;
168 req = tevent_req_create(mem_ctx, &state, struct rpc_write_state);
173 state->transport = transport;
176 state->num_written = 0;
178 DEBUG(5, ("rpc_write_send: data_to_write: %u\n", (unsigned int)size));
180 subreq = transport->write_send(state, ev, data, size, transport->priv);
181 if (subreq == NULL) {
184 tevent_req_set_callback(subreq, rpc_write_done, req);
191 static void rpc_write_done(struct tevent_req *subreq)
193 struct tevent_req *req = tevent_req_callback_data(
194 subreq, struct tevent_req);
195 struct rpc_write_state *state = tevent_req_data(
196 req, struct rpc_write_state);
200 status = state->transport->write_recv(subreq, &written);
202 if (!NT_STATUS_IS_OK(status)) {
203 tevent_req_nterror(req, status);
207 state->num_written += written;
209 if (state->num_written == state->size) {
210 tevent_req_done(req);
214 subreq = state->transport->write_send(state, state->ev,
215 state->data + state->num_written,
216 state->size - state->num_written,
217 state->transport->priv);
218 if (tevent_req_nomem(subreq, req)) {
221 tevent_req_set_callback(subreq, rpc_write_done, req);
224 static NTSTATUS rpc_write_recv(struct tevent_req *req)
226 return tevent_req_simple_recv_ntstatus(req);
230 /****************************************************************************
231 Try and get a PDU's worth of data from current_pdu. If not, then read more
233 ****************************************************************************/
235 struct get_complete_frag_state {
236 struct tevent_context *ev;
237 struct rpc_pipe_client *cli;
242 static void get_complete_frag_got_header(struct tevent_req *subreq);
243 static void get_complete_frag_got_rest(struct tevent_req *subreq);
245 static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
246 struct tevent_context *ev,
247 struct rpc_pipe_client *cli,
250 struct tevent_req *req, *subreq;
251 struct get_complete_frag_state *state;
255 req = tevent_req_create(mem_ctx, &state,
256 struct get_complete_frag_state);
262 state->frag_len = RPC_HEADER_LEN;
265 received = pdu->length;
266 if (received < RPC_HEADER_LEN) {
267 if (!data_blob_realloc(mem_ctx, pdu, RPC_HEADER_LEN)) {
268 status = NT_STATUS_NO_MEMORY;
271 subreq = rpc_read_send(state, state->ev,
272 state->cli->transport,
273 pdu->data + received,
274 RPC_HEADER_LEN - received);
275 if (subreq == NULL) {
276 status = NT_STATUS_NO_MEMORY;
279 tevent_req_set_callback(subreq, get_complete_frag_got_header,
284 state->frag_len = dcerpc_get_frag_length(pdu);
285 if (state->frag_len < RPC_HEADER_LEN) {
286 tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
287 return tevent_req_post(req, ev);
291 * Ensure we have frag_len bytes of data.
293 if (received < state->frag_len) {
294 if (!data_blob_realloc(NULL, pdu, state->frag_len)) {
295 status = NT_STATUS_NO_MEMORY;
298 subreq = rpc_read_send(state, state->ev,
299 state->cli->transport,
300 pdu->data + received,
301 state->frag_len - received);
302 if (subreq == NULL) {
303 status = NT_STATUS_NO_MEMORY;
306 tevent_req_set_callback(subreq, get_complete_frag_got_rest,
311 status = NT_STATUS_OK;
313 if (NT_STATUS_IS_OK(status)) {
314 tevent_req_done(req);
316 tevent_req_nterror(req, status);
318 return tevent_req_post(req, ev);
321 static void get_complete_frag_got_header(struct tevent_req *subreq)
323 struct tevent_req *req = tevent_req_callback_data(
324 subreq, struct tevent_req);
325 struct get_complete_frag_state *state = tevent_req_data(
326 req, struct get_complete_frag_state);
329 status = rpc_read_recv(subreq);
331 if (!NT_STATUS_IS_OK(status)) {
332 tevent_req_nterror(req, status);
336 state->frag_len = dcerpc_get_frag_length(state->pdu);
337 if (state->frag_len < RPC_HEADER_LEN) {
338 tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
342 if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
343 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
348 * We're here in this piece of code because we've read exactly
349 * RPC_HEADER_LEN bytes into state->pdu.
352 subreq = rpc_read_send(state, state->ev, state->cli->transport,
353 state->pdu->data + RPC_HEADER_LEN,
354 state->frag_len - RPC_HEADER_LEN);
355 if (tevent_req_nomem(subreq, req)) {
358 tevent_req_set_callback(subreq, get_complete_frag_got_rest, req);
361 static void get_complete_frag_got_rest(struct tevent_req *subreq)
363 struct tevent_req *req = tevent_req_callback_data(
364 subreq, struct tevent_req);
367 status = rpc_read_recv(subreq);
369 if (!NT_STATUS_IS_OK(status)) {
370 tevent_req_nterror(req, status);
373 tevent_req_done(req);
376 static NTSTATUS get_complete_frag_recv(struct tevent_req *req)
378 return tevent_req_simple_recv_ntstatus(req);
381 /****************************************************************************
382 Do basic authentication checks on an incoming pdu.
383 ****************************************************************************/
385 static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
386 struct rpc_pipe_client *cli,
387 struct ncacn_packet *pkt,
389 uint8_t expected_pkt_type,
392 DATA_BLOB *reply_pdu)
394 struct dcerpc_response *r;
395 NTSTATUS ret = NT_STATUS_OK;
399 * Point the return values at the real data including the RPC
400 * header. Just in case the caller wants it.
404 /* Ensure we have the correct type. */
405 switch (pkt->ptype) {
406 case DCERPC_PKT_ALTER_RESP:
407 case DCERPC_PKT_BIND_ACK:
409 /* Client code never receives this kind of packets */
413 case DCERPC_PKT_RESPONSE:
415 r = &pkt->u.response;
417 /* Here's where we deal with incoming sign/seal. */
418 ret = dcerpc_check_auth(cli->auth, pkt,
419 &r->stub_and_verifier,
420 DCERPC_RESPONSE_LENGTH,
422 if (!NT_STATUS_IS_OK(ret)) {
426 if (pkt->frag_length < DCERPC_RESPONSE_LENGTH + pad_len) {
427 return NT_STATUS_BUFFER_TOO_SMALL;
430 /* Point the return values at the NDR data. */
431 rdata->data = r->stub_and_verifier.data;
433 if (pkt->auth_length) {
434 /* We've already done integer wrap tests in
435 * dcerpc_check_auth(). */
436 rdata->length = r->stub_and_verifier.length
438 - DCERPC_AUTH_TRAILER_LENGTH
441 rdata->length = r->stub_and_verifier.length;
444 DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
445 (long unsigned int)pdu->length,
446 (long unsigned int)rdata->length,
447 (unsigned int)pad_len));
450 * If this is the first reply, and the allocation hint is
451 * reasonable, try and set up the reply_pdu DATA_BLOB to the
455 if ((reply_pdu->length == 0) &&
456 r->alloc_hint && (r->alloc_hint < 15*1024*1024)) {
457 if (!data_blob_realloc(mem_ctx, reply_pdu,
459 DEBUG(0, ("reply alloc hint %d too "
460 "large to allocate\n",
461 (int)r->alloc_hint));
462 return NT_STATUS_NO_MEMORY;
468 case DCERPC_PKT_BIND_NAK:
469 DEBUG(1, (__location__ ": Bind NACK received from %s!\n",
470 rpccli_pipe_txt(talloc_tos(), cli)));
471 /* Use this for now... */
472 return NT_STATUS_NETWORK_ACCESS_DENIED;
474 case DCERPC_PKT_FAULT:
476 DEBUG(1, (__location__ ": RPC fault code %s received "
478 dcerpc_errstr(talloc_tos(),
479 pkt->u.fault.status),
480 rpccli_pipe_txt(talloc_tos(), cli)));
482 return dcerpc_fault_to_nt_status(pkt->u.fault.status);
485 DEBUG(0, (__location__ "Unknown packet type %u received "
487 (unsigned int)pkt->ptype,
488 rpccli_pipe_txt(talloc_tos(), cli)));
489 return NT_STATUS_RPC_PROTOCOL_ERROR;
492 if (pkt->ptype != expected_pkt_type) {
493 DEBUG(3, (__location__ ": Connection to %s got an unexpected "
494 "RPC packet type - %u, not %u\n",
495 rpccli_pipe_txt(talloc_tos(), cli),
496 pkt->ptype, expected_pkt_type));
497 return NT_STATUS_RPC_PROTOCOL_ERROR;
500 if (pkt->call_id != call_id) {
501 DEBUG(3, (__location__ ": Connection to %s got an unexpected "
502 "RPC call_id - %u, not %u\n",
503 rpccli_pipe_txt(talloc_tos(), cli),
504 pkt->call_id, call_id));
505 return NT_STATUS_RPC_PROTOCOL_ERROR;
508 /* Do this just before return - we don't want to modify any rpc header
509 data before now as we may have needed to do cryptographic actions on
512 if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
513 !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
514 DEBUG(5, (__location__ ": bug in server (AS/U?), setting "
515 "fragment first/last ON.\n"));
516 pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
522 /****************************************************************************
523 Call a remote api on an arbitrary pipe. takes param, data and setup buffers.
524 ****************************************************************************/
526 struct cli_api_pipe_state {
527 struct tevent_context *ev;
528 struct rpc_cli_transport *transport;
533 static void cli_api_pipe_trans_done(struct tevent_req *subreq);
534 static void cli_api_pipe_write_done(struct tevent_req *subreq);
535 static void cli_api_pipe_read_done(struct tevent_req *subreq);
537 static struct tevent_req *cli_api_pipe_send(TALLOC_CTX *mem_ctx,
538 struct tevent_context *ev,
539 struct rpc_cli_transport *transport,
540 uint8_t *data, size_t data_len,
541 uint32_t max_rdata_len)
543 struct tevent_req *req, *subreq;
544 struct cli_api_pipe_state *state;
547 req = tevent_req_create(mem_ctx, &state, struct cli_api_pipe_state);
552 state->transport = transport;
554 if (max_rdata_len < RPC_HEADER_LEN) {
556 * For a RPC reply we always need at least RPC_HEADER_LEN
557 * bytes. We check this here because we will receive
558 * RPC_HEADER_LEN bytes in cli_trans_sock_send_done.
560 status = NT_STATUS_INVALID_PARAMETER;
564 if (transport->trans_send != NULL) {
565 subreq = transport->trans_send(state, ev, data, data_len,
566 max_rdata_len, transport->priv);
567 if (subreq == NULL) {
570 tevent_req_set_callback(subreq, cli_api_pipe_trans_done, req);
575 * If the transport does not provide a "trans" routine, i.e. for
576 * example the ncacn_ip_tcp transport, do the write/read step here.
579 subreq = rpc_write_send(state, ev, transport, data, data_len);
580 if (subreq == NULL) {
583 tevent_req_set_callback(subreq, cli_api_pipe_write_done, req);
587 tevent_req_nterror(req, status);
588 return tevent_req_post(req, ev);
594 static void cli_api_pipe_trans_done(struct tevent_req *subreq)
596 struct tevent_req *req = tevent_req_callback_data(
597 subreq, struct tevent_req);
598 struct cli_api_pipe_state *state = tevent_req_data(
599 req, struct cli_api_pipe_state);
602 status = state->transport->trans_recv(subreq, state, &state->rdata,
605 if (!NT_STATUS_IS_OK(status)) {
606 tevent_req_nterror(req, status);
609 tevent_req_done(req);
612 static void cli_api_pipe_write_done(struct tevent_req *subreq)
614 struct tevent_req *req = tevent_req_callback_data(
615 subreq, struct tevent_req);
616 struct cli_api_pipe_state *state = tevent_req_data(
617 req, struct cli_api_pipe_state);
620 status = rpc_write_recv(subreq);
622 if (!NT_STATUS_IS_OK(status)) {
623 tevent_req_nterror(req, status);
627 state->rdata = talloc_array(state, uint8_t, RPC_HEADER_LEN);
628 if (tevent_req_nomem(state->rdata, req)) {
633 * We don't need to use rpc_read_send here, the upper layer will cope
634 * with a short read, transport->trans_send could also return less
635 * than state->max_rdata_len.
637 subreq = state->transport->read_send(state, state->ev, state->rdata,
639 state->transport->priv);
640 if (tevent_req_nomem(subreq, req)) {
643 tevent_req_set_callback(subreq, cli_api_pipe_read_done, req);
646 static void cli_api_pipe_read_done(struct tevent_req *subreq)
648 struct tevent_req *req = tevent_req_callback_data(
649 subreq, struct tevent_req);
650 struct cli_api_pipe_state *state = tevent_req_data(
651 req, struct cli_api_pipe_state);
655 status = state->transport->read_recv(subreq, &received);
657 if (!NT_STATUS_IS_OK(status)) {
658 tevent_req_nterror(req, status);
661 state->rdata_len = received;
662 tevent_req_done(req);
665 static NTSTATUS cli_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
666 uint8_t **prdata, uint32_t *prdata_len)
668 struct cli_api_pipe_state *state = tevent_req_data(
669 req, struct cli_api_pipe_state);
672 if (tevent_req_is_nterror(req, &status)) {
676 *prdata = talloc_move(mem_ctx, &state->rdata);
677 *prdata_len = state->rdata_len;
681 /****************************************************************************
682 Send data on an rpc pipe via trans. The data must be the last
683 pdu fragment of an NDR data stream.
685 Receive response data from an rpc pipe, which may be large...
687 Read the first fragment: unfortunately have to use SMBtrans for the first
688 bit, then SMBreadX for subsequent bits.
690 If first fragment received also wasn't the last fragment, continue
691 getting fragments until we _do_ receive the last fragment.
693 Request/Response PDU's look like the following...
695 |<------------------PDU len----------------------------------------------->|
696 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
698 +------------+-----------------+-------------+---------------+-------------+
699 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
700 +------------+-----------------+-------------+---------------+-------------+
702 Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
703 signing & sealing being negotiated.
705 ****************************************************************************/
707 struct rpc_api_pipe_state {
708 struct tevent_context *ev;
709 struct rpc_pipe_client *cli;
710 uint8_t expected_pkt_type;
713 DATA_BLOB incoming_frag;
714 struct ncacn_packet *pkt;
718 size_t reply_pdu_offset;
722 static void rpc_api_pipe_trans_done(struct tevent_req *subreq);
723 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq);
724 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq);
726 static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,
727 struct tevent_context *ev,
728 struct rpc_pipe_client *cli,
729 DATA_BLOB *data, /* Outgoing PDU */
730 uint8_t expected_pkt_type,
733 struct tevent_req *req, *subreq;
734 struct rpc_api_pipe_state *state;
735 uint16_t max_recv_frag;
738 req = tevent_req_create(mem_ctx, &state, struct rpc_api_pipe_state);
744 state->expected_pkt_type = expected_pkt_type;
745 state->call_id = call_id;
746 state->endianess = DCERPC_DREP_LE;
749 * Ensure we're not sending too much.
751 if (data->length > cli->max_xmit_frag) {
752 status = NT_STATUS_INVALID_PARAMETER;
756 DEBUG(5,("rpc_api_pipe: %s\n", rpccli_pipe_txt(talloc_tos(), cli)));
758 if (state->expected_pkt_type == DCERPC_PKT_AUTH3) {
759 subreq = rpc_write_send(state, ev, cli->transport,
760 data->data, data->length);
761 if (subreq == NULL) {
764 tevent_req_set_callback(subreq, rpc_api_pipe_auth3_done, req);
768 /* get the header first, then fetch the rest once we have
769 * the frag_length available */
770 max_recv_frag = RPC_HEADER_LEN;
772 subreq = cli_api_pipe_send(state, ev, cli->transport,
773 data->data, data->length, max_recv_frag);
774 if (subreq == NULL) {
777 tevent_req_set_callback(subreq, rpc_api_pipe_trans_done, req);
781 tevent_req_nterror(req, status);
782 return tevent_req_post(req, ev);
788 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq)
790 struct tevent_req *req =
791 tevent_req_callback_data(subreq,
795 status = rpc_write_recv(subreq);
797 if (!NT_STATUS_IS_OK(status)) {
798 tevent_req_nterror(req, status);
802 tevent_req_done(req);
805 static void rpc_api_pipe_trans_done(struct tevent_req *subreq)
807 struct tevent_req *req = tevent_req_callback_data(
808 subreq, struct tevent_req);
809 struct rpc_api_pipe_state *state = tevent_req_data(
810 req, struct rpc_api_pipe_state);
812 uint8_t *rdata = NULL;
813 uint32_t rdata_len = 0;
815 status = cli_api_pipe_recv(subreq, state, &rdata, &rdata_len);
817 if (!NT_STATUS_IS_OK(status)) {
818 DEBUG(5, ("cli_api_pipe failed: %s\n", nt_errstr(status)));
819 tevent_req_nterror(req, status);
824 DEBUG(3,("rpc_api_pipe: %s failed to return data.\n",
825 rpccli_pipe_txt(talloc_tos(), state->cli)));
826 tevent_req_done(req);
831 * Move data on state->incoming_frag.
833 state->incoming_frag.data = talloc_move(state, &rdata);
834 state->incoming_frag.length = rdata_len;
835 if (!state->incoming_frag.data) {
836 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
840 /* Ensure we have enough data for a pdu. */
841 subreq = get_complete_frag_send(state, state->ev, state->cli,
842 &state->incoming_frag);
843 if (tevent_req_nomem(subreq, req)) {
846 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
849 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
851 struct tevent_req *req = tevent_req_callback_data(
852 subreq, struct tevent_req);
853 struct rpc_api_pipe_state *state = tevent_req_data(
854 req, struct rpc_api_pipe_state);
856 DATA_BLOB rdata = data_blob_null;
858 status = get_complete_frag_recv(subreq);
860 if (!NT_STATUS_IS_OK(status)) {
861 DEBUG(5, ("get_complete_frag failed: %s\n",
863 tevent_req_nterror(req, status);
867 state->pkt = talloc(state, struct ncacn_packet);
869 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
873 status = dcerpc_pull_ncacn_packet(state->pkt,
874 &state->incoming_frag,
877 if (!NT_STATUS_IS_OK(status)) {
878 tevent_req_nterror(req, status);
882 if (state->incoming_frag.length != state->pkt->frag_length) {
883 DEBUG(5, ("Incorrect pdu length %u, expected %u\n",
884 (unsigned int)state->incoming_frag.length,
885 (unsigned int)state->pkt->frag_length));
886 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
890 status = cli_pipe_validate_current_pdu(state,
891 state->cli, state->pkt,
892 &state->incoming_frag,
893 state->expected_pkt_type,
898 DEBUG(10,("rpc_api_pipe: got frag len of %u at offset %u: %s\n",
899 (unsigned)state->incoming_frag.length,
900 (unsigned)state->reply_pdu_offset,
903 if (!NT_STATUS_IS_OK(status)) {
904 tevent_req_nterror(req, status);
908 if ((state->pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST)
909 && (state->pkt->drep[0] != DCERPC_DREP_LE)) {
911 * Set the data type correctly for big-endian data on the
914 DEBUG(10,("rpc_api_pipe: On %s PDU data format is "
916 rpccli_pipe_txt(talloc_tos(), state->cli)));
917 state->endianess = 0x00; /* BIG ENDIAN */
920 * Check endianness on subsequent packets.
922 if (state->endianess != state->pkt->drep[0]) {
923 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to "
925 state->endianess?"little":"big",
926 state->pkt->drep[0]?"little":"big"));
927 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
931 /* Now copy the data portion out of the pdu into rbuf. */
932 if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
933 if (!data_blob_realloc(NULL, &state->reply_pdu,
934 state->reply_pdu_offset + rdata.length)) {
935 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
940 memcpy(state->reply_pdu.data + state->reply_pdu_offset,
941 rdata.data, rdata.length);
942 state->reply_pdu_offset += rdata.length;
944 /* reset state->incoming_frag, there is no need to free it,
945 * it will be reallocated to the right size the next time
947 state->incoming_frag.length = 0;
949 if (state->pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
950 /* make sure the pdu length is right now that we
951 * have all the data available (alloc hint may
952 * have allocated more than was actually used) */
953 state->reply_pdu.length = state->reply_pdu_offset;
954 DEBUG(10,("rpc_api_pipe: %s returned %u bytes.\n",
955 rpccli_pipe_txt(talloc_tos(), state->cli),
956 (unsigned)state->reply_pdu.length));
957 tevent_req_done(req);
961 subreq = get_complete_frag_send(state, state->ev, state->cli,
962 &state->incoming_frag);
963 if (tevent_req_nomem(subreq, req)) {
966 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
969 static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
970 struct ncacn_packet **pkt,
971 DATA_BLOB *reply_pdu)
973 struct rpc_api_pipe_state *state = tevent_req_data(
974 req, struct rpc_api_pipe_state);
977 if (tevent_req_is_nterror(req, &status)) {
981 /* return data to caller and assign it ownership of memory */
983 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
984 reply_pdu->length = state->reply_pdu.length;
985 state->reply_pdu.length = 0;
987 data_blob_free(&state->reply_pdu);
991 *pkt = talloc_steal(mem_ctx, state->pkt);
997 /*******************************************************************
998 Creates NTLMSSP auth bind.
999 ********************************************************************/
1001 static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1002 TALLOC_CTX *mem_ctx,
1003 DATA_BLOB *auth_token,
1004 bool *client_hdr_signing)
1006 struct gensec_security *gensec_security;
1007 DATA_BLOB null_blob = data_blob_null;
1010 gensec_security = talloc_get_type_abort(cli->auth->auth_ctx,
1011 struct gensec_security);
1013 DEBUG(5, ("create_generic_auth_rpc_bind_req: generate first token\n"));
1014 status = gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
1016 if (!NT_STATUS_IS_OK(status) &&
1017 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
1022 if (client_hdr_signing != NULL) {
1023 *client_hdr_signing = gensec_have_feature(gensec_security,
1024 GENSEC_FEATURE_SIGN_PKT_HEADER);
1030 /*******************************************************************
1031 Creates the internals of a DCE/RPC bind request or alter context PDU.
1032 ********************************************************************/
1034 static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
1035 enum dcerpc_pkt_type ptype,
1037 const struct ndr_syntax_id *abstract,
1038 const struct ndr_syntax_id *transfer,
1039 const DATA_BLOB *auth_info,
1040 bool client_hdr_signing,
1043 uint16 auth_len = auth_info->length;
1045 union dcerpc_payload u;
1046 struct dcerpc_ctx_list ctx_list;
1047 uint8_t pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
1050 auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
1053 if (client_hdr_signing) {
1054 pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
1057 ctx_list.context_id = 0;
1058 ctx_list.num_transfer_syntaxes = 1;
1059 ctx_list.abstract_syntax = *abstract;
1060 ctx_list.transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer);
1062 u.bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1063 u.bind.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1064 u.bind.assoc_group_id = 0x0;
1065 u.bind.num_contexts = 1;
1066 u.bind.ctx_list = &ctx_list;
1067 u.bind.auth_info = *auth_info;
1069 status = dcerpc_push_ncacn_packet(mem_ctx,
1075 if (!NT_STATUS_IS_OK(status)) {
1076 DEBUG(0, ("Failed to marshall bind/alter ncacn_packet.\n"));
1080 return NT_STATUS_OK;
1083 /*******************************************************************
1084 Creates a DCE/RPC bind request.
1085 ********************************************************************/
1087 static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
1088 struct rpc_pipe_client *cli,
1089 struct pipe_auth_data *auth,
1091 const struct ndr_syntax_id *abstract,
1092 const struct ndr_syntax_id *transfer,
1095 DATA_BLOB auth_token = data_blob_null;
1096 DATA_BLOB auth_info = data_blob_null;
1097 NTSTATUS ret = NT_STATUS_OK;
1099 switch (auth->auth_type) {
1100 case DCERPC_AUTH_TYPE_SCHANNEL:
1101 case DCERPC_AUTH_TYPE_NTLMSSP:
1102 case DCERPC_AUTH_TYPE_KRB5:
1103 case DCERPC_AUTH_TYPE_SPNEGO:
1104 ret = create_generic_auth_rpc_bind_req(cli, mem_ctx,
1106 &auth->client_hdr_signing);
1108 if (!NT_STATUS_IS_OK(ret) &&
1109 !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1114 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1115 auth_token = data_blob_talloc(mem_ctx,
1116 "NCALRPC_AUTH_TOKEN",
1120 case DCERPC_AUTH_TYPE_NONE:
1124 /* "Can't" happen. */
1125 return NT_STATUS_INVALID_INFO_CLASS;
1128 if (auth_token.length != 0) {
1129 ret = dcerpc_push_dcerpc_auth(cli,
1132 0, /* auth_pad_length */
1133 1, /* auth_context_id */
1136 if (!NT_STATUS_IS_OK(ret)) {
1139 data_blob_free(&auth_token);
1142 ret = create_bind_or_alt_ctx_internal(mem_ctx,
1148 auth->client_hdr_signing,
1153 /*******************************************************************
1155 Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
1156 Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
1157 and deals with signing/sealing details.
1158 ********************************************************************/
1160 struct rpc_api_pipe_req_state {
1161 struct tevent_context *ev;
1162 struct rpc_pipe_client *cli;
1165 const DATA_BLOB *req_data;
1166 uint32_t req_data_sent;
1167 DATA_BLOB req_trailer;
1168 uint32_t req_trailer_sent;
1169 bool verify_bitmask1;
1170 bool verify_pcontext;
1172 DATA_BLOB reply_pdu;
1175 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
1176 static void rpc_api_pipe_req_done(struct tevent_req *subreq);
1177 static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state);
1178 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1179 bool *is_last_frag);
1181 static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
1182 struct tevent_context *ev,
1183 struct rpc_pipe_client *cli,
1185 const DATA_BLOB *req_data)
1187 struct tevent_req *req, *subreq;
1188 struct rpc_api_pipe_req_state *state;
1192 req = tevent_req_create(mem_ctx, &state,
1193 struct rpc_api_pipe_req_state);
1199 state->op_num = op_num;
1200 state->req_data = req_data;
1201 state->req_data_sent = 0;
1202 state->call_id = get_rpc_call_id();
1203 state->reply_pdu = data_blob_null;
1204 state->rpc_out = data_blob_null;
1206 if (cli->max_xmit_frag < DCERPC_REQUEST_LENGTH
1207 + RPC_MAX_SIGN_SIZE) {
1208 /* Server is screwed up ! */
1209 status = NT_STATUS_INVALID_PARAMETER;
1213 status = prepare_verification_trailer(state);
1214 if (!NT_STATUS_IS_OK(status)) {
1218 status = prepare_next_frag(state, &is_last_frag);
1219 if (!NT_STATUS_IS_OK(status)) {
1224 subreq = rpc_api_pipe_send(state, ev, state->cli,
1226 DCERPC_PKT_RESPONSE,
1228 if (subreq == NULL) {
1231 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1233 subreq = rpc_write_send(state, ev, cli->transport,
1234 state->rpc_out.data,
1235 state->rpc_out.length);
1236 if (subreq == NULL) {
1239 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1245 tevent_req_nterror(req, status);
1246 return tevent_req_post(req, ev);
1252 static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state)
1254 struct pipe_auth_data *a = state->cli->auth;
1255 struct dcerpc_sec_verification_trailer *t;
1256 struct dcerpc_sec_vt *c = NULL;
1257 struct ndr_push *ndr = NULL;
1258 enum ndr_err_code ndr_err;
1263 return NT_STATUS_OK;
1266 if (a->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
1267 return NT_STATUS_OK;
1270 t = talloc_zero(state, struct dcerpc_sec_verification_trailer);
1272 return NT_STATUS_NO_MEMORY;
1275 if (!a->verified_bitmask1) {
1276 t->commands = talloc_realloc(t, t->commands,
1277 struct dcerpc_sec_vt,
1278 t->count.count + 1);
1279 if (t->commands == NULL) {
1280 return NT_STATUS_NO_MEMORY;
1282 c = &t->commands[t->count.count++];
1285 c->command = DCERPC_SEC_VT_COMMAND_BITMASK1;
1286 if (a->client_hdr_signing) {
1287 c->u.bitmask1 = DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING;
1289 state->verify_bitmask1 = true;
1292 if (!state->cli->verified_pcontext) {
1293 t->commands = talloc_realloc(t, t->commands,
1294 struct dcerpc_sec_vt,
1295 t->count.count + 1);
1296 if (t->commands == NULL) {
1297 return NT_STATUS_NO_MEMORY;
1299 c = &t->commands[t->count.count++];
1302 c->command = DCERPC_SEC_VT_COMMAND_PCONTEXT;
1303 c->u.pcontext.abstract_syntax = state->cli->abstract_syntax;
1304 c->u.pcontext.transfer_syntax = state->cli->transfer_syntax;
1306 state->verify_pcontext = true;
1309 if (!a->hdr_signing) {
1310 t->commands = talloc_realloc(t, t->commands,
1311 struct dcerpc_sec_vt,
1312 t->count.count + 1);
1313 if (t->commands == NULL) {
1314 return NT_STATUS_NO_MEMORY;
1316 c = &t->commands[t->count.count++];
1319 c->command = DCERPC_SEC_VT_COMMAND_HEADER2;
1320 c->u.header2.ptype = DCERPC_PKT_REQUEST;
1321 c->u.header2.drep[0] = DCERPC_DREP_LE;
1322 c->u.header2.drep[1] = 0;
1323 c->u.header2.drep[2] = 0;
1324 c->u.header2.drep[3] = 0;
1325 c->u.header2.call_id = state->call_id;
1326 c->u.header2.context_id = 0;
1327 c->u.header2.opnum = state->op_num;
1330 if (t->count.count == 0) {
1332 return NT_STATUS_OK;
1335 c = &t->commands[t->count.count - 1];
1336 c->command |= DCERPC_SEC_VT_COMMAND_END;
1338 if (DEBUGLEVEL >= 10) {
1339 NDR_PRINT_DEBUG(dcerpc_sec_verification_trailer, t);
1342 ndr = ndr_push_init_ctx(state);
1344 return NT_STATUS_NO_MEMORY;
1347 ndr_err = ndr_push_dcerpc_sec_verification_trailer(ndr,
1348 NDR_SCALARS | NDR_BUFFERS,
1350 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1351 return ndr_map_error2ntstatus(ndr_err);
1353 state->req_trailer = ndr_push_blob(ndr);
1355 align = state->req_data->length & 0x3;
1362 const uint8_t zeros[4] = { 0, };
1364 ok = data_blob_append(ndr, &state->req_trailer, zeros, pad);
1366 return NT_STATUS_NO_MEMORY;
1369 /* move the padding to the start */
1370 p = state->req_trailer.data;
1371 memmove(p + pad, p, state->req_trailer.length - pad);
1375 return NT_STATUS_OK;
1378 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1386 size_t data_thistime;
1387 size_t trailer_left;
1388 size_t trailer_thistime = 0;
1390 size_t total_thistime;
1393 union dcerpc_payload u;
1395 data_left = state->req_data->length - state->req_data_sent;
1396 trailer_left = state->req_trailer.length - state->req_trailer_sent;
1397 total_left = data_left + trailer_left;
1398 if ((total_left < data_left) || (total_left < trailer_left)) {
1402 return NT_STATUS_INVALID_PARAMETER_MIX;
1405 status = dcerpc_guess_sizes(state->cli->auth,
1406 DCERPC_REQUEST_LENGTH, total_left,
1407 state->cli->max_xmit_frag,
1408 CLIENT_NDR_PADDING_SIZE,
1410 &frag_len, &auth_len, &pad_len);
1411 if (!NT_STATUS_IS_OK(status)) {
1415 if (state->req_data_sent == 0) {
1416 flags = DCERPC_PFC_FLAG_FIRST;
1419 if (total_thistime == total_left) {
1420 flags |= DCERPC_PFC_FLAG_LAST;
1423 data_thistime = MIN(total_thistime, data_left);
1424 if (data_thistime < total_thistime) {
1425 trailer_thistime = total_thistime - data_thistime;
1428 data_blob_free(&state->rpc_out);
1430 ZERO_STRUCT(u.request);
1432 u.request.alloc_hint = total_left;
1433 u.request.context_id = 0;
1434 u.request.opnum = state->op_num;
1436 status = dcerpc_push_ncacn_packet(state,
1443 if (!NT_STATUS_IS_OK(status)) {
1447 /* explicitly set frag_len here as dcerpc_push_ncacn_packet() can't
1448 * compute it right for requests because the auth trailer is missing
1450 dcerpc_set_frag_length(&state->rpc_out, frag_len);
1452 if (data_thistime > 0) {
1453 /* Copy in the data. */
1454 ok = data_blob_append(NULL, &state->rpc_out,
1455 state->req_data->data + state->req_data_sent,
1458 return NT_STATUS_NO_MEMORY;
1460 state->req_data_sent += data_thistime;
1463 if (trailer_thistime > 0) {
1464 /* Copy in the verification trailer. */
1465 ok = data_blob_append(NULL, &state->rpc_out,
1466 state->req_trailer.data + state->req_trailer_sent,
1469 return NT_STATUS_NO_MEMORY;
1471 state->req_trailer_sent += trailer_thistime;
1474 switch (state->cli->auth->auth_level) {
1475 case DCERPC_AUTH_LEVEL_NONE:
1476 case DCERPC_AUTH_LEVEL_CONNECT:
1477 case DCERPC_AUTH_LEVEL_PACKET:
1479 case DCERPC_AUTH_LEVEL_INTEGRITY:
1480 case DCERPC_AUTH_LEVEL_PRIVACY:
1481 status = dcerpc_add_auth_footer(state->cli->auth, pad_len,
1483 if (!NT_STATUS_IS_OK(status)) {
1488 return NT_STATUS_INVALID_PARAMETER;
1491 *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
1496 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq)
1498 struct tevent_req *req = tevent_req_callback_data(
1499 subreq, struct tevent_req);
1500 struct rpc_api_pipe_req_state *state = tevent_req_data(
1501 req, struct rpc_api_pipe_req_state);
1505 status = rpc_write_recv(subreq);
1506 TALLOC_FREE(subreq);
1507 if (!NT_STATUS_IS_OK(status)) {
1508 tevent_req_nterror(req, status);
1512 status = prepare_next_frag(state, &is_last_frag);
1513 if (!NT_STATUS_IS_OK(status)) {
1514 tevent_req_nterror(req, status);
1519 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1521 DCERPC_PKT_RESPONSE,
1523 if (tevent_req_nomem(subreq, req)) {
1526 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1528 subreq = rpc_write_send(state, state->ev,
1529 state->cli->transport,
1530 state->rpc_out.data,
1531 state->rpc_out.length);
1532 if (tevent_req_nomem(subreq, req)) {
1535 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1540 static void rpc_api_pipe_req_done(struct tevent_req *subreq)
1542 struct tevent_req *req = tevent_req_callback_data(
1543 subreq, struct tevent_req);
1544 struct rpc_api_pipe_req_state *state = tevent_req_data(
1545 req, struct rpc_api_pipe_req_state);
1548 status = rpc_api_pipe_recv(subreq, state, NULL, &state->reply_pdu);
1549 TALLOC_FREE(subreq);
1550 if (!NT_STATUS_IS_OK(status)) {
1551 tevent_req_nterror(req, status);
1555 if (state->cli->auth == NULL) {
1556 tevent_req_done(req);
1560 if (state->verify_bitmask1) {
1561 state->cli->auth->verified_bitmask1 = true;
1564 if (state->verify_pcontext) {
1565 state->cli->verified_pcontext = true;
1568 tevent_req_done(req);
1571 static NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
1572 DATA_BLOB *reply_pdu)
1574 struct rpc_api_pipe_req_state *state = tevent_req_data(
1575 req, struct rpc_api_pipe_req_state);
1578 if (tevent_req_is_nterror(req, &status)) {
1580 * We always have to initialize to reply pdu, even if there is
1581 * none. The rpccli_* caller routines expect this.
1583 *reply_pdu = data_blob_null;
1587 /* return data to caller and assign it ownership of memory */
1588 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
1589 reply_pdu->length = state->reply_pdu.length;
1590 state->reply_pdu.length = 0;
1592 return NT_STATUS_OK;
1595 /****************************************************************************
1596 Check the rpc bind acknowledge response.
1597 ****************************************************************************/
1599 static bool check_bind_response(const struct dcerpc_bind_ack *r,
1600 const struct ndr_syntax_id *transfer)
1602 struct dcerpc_ack_ctx ctx;
1604 if (r->secondary_address_size == 0) {
1605 DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
1608 if (r->num_results < 1 || !r->ctx_list) {
1612 ctx = r->ctx_list[0];
1614 /* check the transfer syntax */
1615 if ((ctx.syntax.if_version != transfer->if_version) ||
1616 (memcmp(&ctx.syntax.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1617 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1621 if (r->num_results != 0x1 || ctx.result != 0) {
1622 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1623 r->num_results, ctx.reason.value));
1626 DEBUG(5,("check_bind_response: accepted!\n"));
1630 /*******************************************************************
1631 Creates a DCE/RPC bind authentication response.
1632 This is the packet that is sent back to the server once we
1633 have received a BIND-ACK, to finish the third leg of
1634 the authentication handshake.
1635 ********************************************************************/
1637 static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
1638 struct rpc_pipe_client *cli,
1640 enum dcerpc_AuthType auth_type,
1641 enum dcerpc_AuthLevel auth_level,
1642 DATA_BLOB *pauth_blob,
1646 union dcerpc_payload u;
1650 status = dcerpc_push_dcerpc_auth(mem_ctx,
1653 0, /* auth_pad_length */
1654 1, /* auth_context_id */
1656 &u.auth3.auth_info);
1657 if (!NT_STATUS_IS_OK(status)) {
1661 status = dcerpc_push_ncacn_packet(mem_ctx,
1663 DCERPC_PFC_FLAG_FIRST |
1664 DCERPC_PFC_FLAG_LAST,
1669 data_blob_free(&u.auth3.auth_info);
1670 if (!NT_STATUS_IS_OK(status)) {
1671 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
1675 return NT_STATUS_OK;
1678 /*******************************************************************
1679 Creates a DCE/RPC bind alter context authentication request which
1680 may contain a spnego auth blobl
1681 ********************************************************************/
1683 static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
1684 enum dcerpc_AuthType auth_type,
1685 enum dcerpc_AuthLevel auth_level,
1687 const struct ndr_syntax_id *abstract,
1688 const struct ndr_syntax_id *transfer,
1689 const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
1692 DATA_BLOB auth_info;
1695 status = dcerpc_push_dcerpc_auth(mem_ctx,
1698 0, /* auth_pad_length */
1699 1, /* auth_context_id */
1702 if (!NT_STATUS_IS_OK(status)) {
1706 status = create_bind_or_alt_ctx_internal(mem_ctx,
1712 false, /* client_hdr_signing */
1714 data_blob_free(&auth_info);
1718 /****************************************************************************
1720 ****************************************************************************/
1722 struct rpc_pipe_bind_state {
1723 struct tevent_context *ev;
1724 struct rpc_pipe_client *cli;
1727 uint32_t rpc_call_id;
1730 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
1731 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1732 struct rpc_pipe_bind_state *state,
1733 DATA_BLOB *credentials);
1734 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1735 struct rpc_pipe_bind_state *state,
1736 DATA_BLOB *credentials);
1738 struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
1739 struct tevent_context *ev,
1740 struct rpc_pipe_client *cli,
1741 struct pipe_auth_data *auth)
1743 struct tevent_req *req, *subreq;
1744 struct rpc_pipe_bind_state *state;
1747 req = tevent_req_create(mem_ctx, &state, struct rpc_pipe_bind_state);
1752 DEBUG(5,("Bind RPC Pipe: %s auth_type %u, auth_level %u\n",
1753 rpccli_pipe_txt(talloc_tos(), cli),
1754 (unsigned int)auth->auth_type,
1755 (unsigned int)auth->auth_level ));
1759 state->rpc_call_id = get_rpc_call_id();
1761 cli->auth = talloc_move(cli, &auth);
1763 /* Marshall the outgoing data. */
1764 status = create_rpc_bind_req(state, cli,
1767 &cli->abstract_syntax,
1768 &cli->transfer_syntax,
1771 if (!NT_STATUS_IS_OK(status) &&
1772 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1776 subreq = rpc_api_pipe_send(state, ev, cli, &state->rpc_out,
1777 DCERPC_PKT_BIND_ACK, state->rpc_call_id);
1778 if (subreq == NULL) {
1781 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1785 tevent_req_nterror(req, status);
1786 return tevent_req_post(req, ev);
1792 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
1794 struct tevent_req *req = tevent_req_callback_data(
1795 subreq, struct tevent_req);
1796 struct rpc_pipe_bind_state *state = tevent_req_data(
1797 req, struct rpc_pipe_bind_state);
1798 struct pipe_auth_data *pauth = state->cli->auth;
1799 struct gensec_security *gensec_security;
1800 struct ncacn_packet *pkt = NULL;
1801 struct dcerpc_auth auth;
1802 DATA_BLOB auth_token = data_blob_null;
1805 status = rpc_api_pipe_recv(subreq, talloc_tos(), &pkt, NULL);
1806 TALLOC_FREE(subreq);
1807 if (!NT_STATUS_IS_OK(status)) {
1808 DEBUG(3, ("rpc_pipe_bind: %s bind request returned %s\n",
1809 rpccli_pipe_txt(talloc_tos(), state->cli),
1810 nt_errstr(status)));
1811 tevent_req_nterror(req, status);
1816 tevent_req_done(req);
1820 if (!check_bind_response(&pkt->u.bind_ack, &state->cli->transfer_syntax)) {
1821 DEBUG(2, ("rpc_pipe_bind: check_bind_response failed.\n"));
1822 tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
1826 state->cli->max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
1827 state->cli->max_recv_frag = pkt->u.bind_ack.max_recv_frag;
1829 switch(pauth->auth_type) {
1831 case DCERPC_AUTH_TYPE_NONE:
1832 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1833 /* Bind complete. */
1834 tevent_req_done(req);
1837 case DCERPC_AUTH_TYPE_SCHANNEL:
1838 case DCERPC_AUTH_TYPE_NTLMSSP:
1839 case DCERPC_AUTH_TYPE_SPNEGO:
1840 case DCERPC_AUTH_TYPE_KRB5:
1841 /* Paranoid lenght checks */
1842 if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
1843 + pkt->auth_length) {
1844 tevent_req_nterror(req,
1845 NT_STATUS_INFO_LENGTH_MISMATCH);
1848 /* get auth credentials */
1849 status = dcerpc_pull_dcerpc_auth(talloc_tos(),
1850 &pkt->u.bind_ack.auth_info,
1852 if (!NT_STATUS_IS_OK(status)) {
1853 DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
1854 nt_errstr(status)));
1855 tevent_req_nterror(req, status);
1865 * For authenticated binds we may need to do 3 or 4 leg binds.
1868 switch(pauth->auth_type) {
1870 case DCERPC_AUTH_TYPE_NONE:
1871 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1872 /* Bind complete. */
1873 tevent_req_done(req);
1876 case DCERPC_AUTH_TYPE_SCHANNEL:
1877 case DCERPC_AUTH_TYPE_NTLMSSP:
1878 case DCERPC_AUTH_TYPE_KRB5:
1879 case DCERPC_AUTH_TYPE_SPNEGO:
1880 gensec_security = talloc_get_type_abort(pauth->auth_ctx,
1881 struct gensec_security);
1883 if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
1884 if (pauth->client_hdr_signing) {
1885 pauth->hdr_signing = true;
1886 gensec_want_feature(gensec_security,
1887 GENSEC_FEATURE_SIGN_PKT_HEADER);
1891 status = gensec_update(gensec_security, state, NULL,
1892 auth.credentials, &auth_token);
1893 if (NT_STATUS_EQUAL(status,
1894 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1895 status = rpc_bind_next_send(req, state,
1897 } else if (NT_STATUS_IS_OK(status)) {
1898 if (auth_token.length == 0) {
1899 /* Bind complete. */
1900 tevent_req_done(req);
1903 status = rpc_bind_finish_send(req, state,
1912 if (!NT_STATUS_IS_OK(status)) {
1913 tevent_req_nterror(req, status);
1918 DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n",
1919 (unsigned int)state->cli->auth->auth_type));
1920 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
1923 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1924 struct rpc_pipe_bind_state *state,
1925 DATA_BLOB *auth_token)
1927 struct pipe_auth_data *auth = state->cli->auth;
1928 struct tevent_req *subreq;
1931 /* Now prepare the alter context pdu. */
1932 data_blob_free(&state->rpc_out);
1934 status = create_rpc_alter_context(state,
1938 &state->cli->abstract_syntax,
1939 &state->cli->transfer_syntax,
1942 if (!NT_STATUS_IS_OK(status)) {
1946 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1947 &state->rpc_out, DCERPC_PKT_ALTER_RESP,
1948 state->rpc_call_id);
1949 if (subreq == NULL) {
1950 return NT_STATUS_NO_MEMORY;
1952 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1953 return NT_STATUS_OK;
1956 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1957 struct rpc_pipe_bind_state *state,
1958 DATA_BLOB *auth_token)
1960 struct pipe_auth_data *auth = state->cli->auth;
1961 struct tevent_req *subreq;
1964 state->auth3 = true;
1966 /* Now prepare the auth3 context pdu. */
1967 data_blob_free(&state->rpc_out);
1969 status = create_rpc_bind_auth3(state, state->cli,
1975 if (!NT_STATUS_IS_OK(status)) {
1979 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1980 &state->rpc_out, DCERPC_PKT_AUTH3,
1981 state->rpc_call_id);
1982 if (subreq == NULL) {
1983 return NT_STATUS_NO_MEMORY;
1985 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1986 return NT_STATUS_OK;
1989 NTSTATUS rpc_pipe_bind_recv(struct tevent_req *req)
1991 return tevent_req_simple_recv_ntstatus(req);
1994 NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
1995 struct pipe_auth_data *auth)
1997 TALLOC_CTX *frame = talloc_stackframe();
1998 struct tevent_context *ev;
1999 struct tevent_req *req;
2000 NTSTATUS status = NT_STATUS_OK;
2002 ev = samba_tevent_context_init(frame);
2004 status = NT_STATUS_NO_MEMORY;
2008 req = rpc_pipe_bind_send(frame, ev, cli, auth);
2010 status = NT_STATUS_NO_MEMORY;
2014 if (!tevent_req_poll(req, ev)) {
2015 status = map_nt_error_from_unix(errno);
2019 status = rpc_pipe_bind_recv(req);
2025 #define RPCCLI_DEFAULT_TIMEOUT 10000 /* 10 seconds. */
2027 unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli,
2028 unsigned int timeout)
2032 if (rpc_cli->transport == NULL) {
2033 return RPCCLI_DEFAULT_TIMEOUT;
2036 if (rpc_cli->transport->set_timeout == NULL) {
2037 return RPCCLI_DEFAULT_TIMEOUT;
2040 old = rpc_cli->transport->set_timeout(rpc_cli->transport->priv, timeout);
2042 return RPCCLI_DEFAULT_TIMEOUT;
2048 bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli)
2050 if (rpc_cli == NULL) {
2054 if (rpc_cli->transport == NULL) {
2058 return rpc_cli->transport->is_connected(rpc_cli->transport->priv);
2061 struct rpccli_bh_state {
2062 struct rpc_pipe_client *rpc_cli;
2065 static bool rpccli_bh_is_connected(struct dcerpc_binding_handle *h)
2067 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2068 struct rpccli_bh_state);
2070 return rpccli_is_connected(hs->rpc_cli);
2073 static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
2076 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2077 struct rpccli_bh_state);
2079 return rpccli_set_timeout(hs->rpc_cli, timeout);
2082 static void rpccli_bh_auth_info(struct dcerpc_binding_handle *h,
2083 enum dcerpc_AuthType *auth_type,
2084 enum dcerpc_AuthLevel *auth_level)
2086 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2087 struct rpccli_bh_state);
2089 if (hs->rpc_cli == NULL) {
2093 if (hs->rpc_cli->auth == NULL) {
2097 *auth_type = hs->rpc_cli->auth->auth_type;
2098 *auth_level = hs->rpc_cli->auth->auth_level;
2101 struct rpccli_bh_raw_call_state {
2107 static void rpccli_bh_raw_call_done(struct tevent_req *subreq);
2109 static struct tevent_req *rpccli_bh_raw_call_send(TALLOC_CTX *mem_ctx,
2110 struct tevent_context *ev,
2111 struct dcerpc_binding_handle *h,
2112 const struct GUID *object,
2115 const uint8_t *in_data,
2118 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2119 struct rpccli_bh_state);
2120 struct tevent_req *req;
2121 struct rpccli_bh_raw_call_state *state;
2123 struct tevent_req *subreq;
2125 req = tevent_req_create(mem_ctx, &state,
2126 struct rpccli_bh_raw_call_state);
2130 state->in_data.data = discard_const_p(uint8_t, in_data);
2131 state->in_data.length = in_length;
2133 ok = rpccli_bh_is_connected(h);
2135 tevent_req_nterror(req, NT_STATUS_CONNECTION_DISCONNECTED);
2136 return tevent_req_post(req, ev);
2139 subreq = rpc_api_pipe_req_send(state, ev, hs->rpc_cli,
2140 opnum, &state->in_data);
2141 if (tevent_req_nomem(subreq, req)) {
2142 return tevent_req_post(req, ev);
2144 tevent_req_set_callback(subreq, rpccli_bh_raw_call_done, req);
2149 static void rpccli_bh_raw_call_done(struct tevent_req *subreq)
2151 struct tevent_req *req =
2152 tevent_req_callback_data(subreq,
2154 struct rpccli_bh_raw_call_state *state =
2155 tevent_req_data(req,
2156 struct rpccli_bh_raw_call_state);
2159 state->out_flags = 0;
2161 /* TODO: support bigendian responses */
2163 status = rpc_api_pipe_req_recv(subreq, state, &state->out_data);
2164 TALLOC_FREE(subreq);
2165 if (!NT_STATUS_IS_OK(status)) {
2166 tevent_req_nterror(req, status);
2170 tevent_req_done(req);
2173 static NTSTATUS rpccli_bh_raw_call_recv(struct tevent_req *req,
2174 TALLOC_CTX *mem_ctx,
2177 uint32_t *out_flags)
2179 struct rpccli_bh_raw_call_state *state =
2180 tevent_req_data(req,
2181 struct rpccli_bh_raw_call_state);
2184 if (tevent_req_is_nterror(req, &status)) {
2185 tevent_req_received(req);
2189 *out_data = talloc_move(mem_ctx, &state->out_data.data);
2190 *out_length = state->out_data.length;
2191 *out_flags = state->out_flags;
2192 tevent_req_received(req);
2193 return NT_STATUS_OK;
2196 struct rpccli_bh_disconnect_state {
2200 static struct tevent_req *rpccli_bh_disconnect_send(TALLOC_CTX *mem_ctx,
2201 struct tevent_context *ev,
2202 struct dcerpc_binding_handle *h)
2204 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2205 struct rpccli_bh_state);
2206 struct tevent_req *req;
2207 struct rpccli_bh_disconnect_state *state;
2210 req = tevent_req_create(mem_ctx, &state,
2211 struct rpccli_bh_disconnect_state);
2216 ok = rpccli_bh_is_connected(h);
2218 tevent_req_nterror(req, NT_STATUS_CONNECTION_DISCONNECTED);
2219 return tevent_req_post(req, ev);
2223 * TODO: do a real async disconnect ...
2225 * For now the caller needs to free rpc_cli
2229 tevent_req_done(req);
2230 return tevent_req_post(req, ev);
2233 static NTSTATUS rpccli_bh_disconnect_recv(struct tevent_req *req)
2237 if (tevent_req_is_nterror(req, &status)) {
2238 tevent_req_received(req);
2242 tevent_req_received(req);
2243 return NT_STATUS_OK;
2246 static bool rpccli_bh_ref_alloc(struct dcerpc_binding_handle *h)
2251 static void rpccli_bh_do_ndr_print(struct dcerpc_binding_handle *h,
2253 const void *_struct_ptr,
2254 const struct ndr_interface_call *call)
2256 void *struct_ptr = discard_const(_struct_ptr);
2258 if (DEBUGLEVEL < 10) {
2262 if (ndr_flags & NDR_IN) {
2263 ndr_print_function_debug(call->ndr_print,
2268 if (ndr_flags & NDR_OUT) {
2269 ndr_print_function_debug(call->ndr_print,
2276 static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
2278 .is_connected = rpccli_bh_is_connected,
2279 .set_timeout = rpccli_bh_set_timeout,
2280 .auth_info = rpccli_bh_auth_info,
2281 .raw_call_send = rpccli_bh_raw_call_send,
2282 .raw_call_recv = rpccli_bh_raw_call_recv,
2283 .disconnect_send = rpccli_bh_disconnect_send,
2284 .disconnect_recv = rpccli_bh_disconnect_recv,
2286 .ref_alloc = rpccli_bh_ref_alloc,
2287 .do_ndr_print = rpccli_bh_do_ndr_print,
2290 /* initialise a rpc_pipe_client binding handle */
2291 struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c,
2292 const struct GUID *object,
2293 const struct ndr_interface_table *table)
2295 struct dcerpc_binding_handle *h;
2296 struct rpccli_bh_state *hs;
2298 h = dcerpc_binding_handle_create(c,
2303 struct rpccli_bh_state,
2313 NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
2314 struct pipe_auth_data **presult)
2316 struct pipe_auth_data *result;
2318 result = talloc_zero(mem_ctx, struct pipe_auth_data);
2319 if (result == NULL) {
2320 return NT_STATUS_NO_MEMORY;
2323 result->auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
2324 result->auth_level = DCERPC_AUTH_LEVEL_CONNECT;
2326 result->user_name = talloc_strdup(result, "");
2327 result->domain = talloc_strdup(result, "");
2328 if ((result->user_name == NULL) || (result->domain == NULL)) {
2329 TALLOC_FREE(result);
2330 return NT_STATUS_NO_MEMORY;
2334 return NT_STATUS_OK;
2337 NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
2338 struct pipe_auth_data **presult)
2340 struct pipe_auth_data *result;
2342 result = talloc_zero(mem_ctx, struct pipe_auth_data);
2343 if (result == NULL) {
2344 return NT_STATUS_NO_MEMORY;
2347 result->auth_type = DCERPC_AUTH_TYPE_NONE;
2348 result->auth_level = DCERPC_AUTH_LEVEL_NONE;
2350 result->user_name = talloc_strdup(result, "");
2351 result->domain = talloc_strdup(result, "");
2352 if ((result->user_name == NULL) || (result->domain == NULL)) {
2353 TALLOC_FREE(result);
2354 return NT_STATUS_NO_MEMORY;
2358 return NT_STATUS_OK;
2361 static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
2362 enum dcerpc_AuthType auth_type,
2363 enum dcerpc_AuthLevel auth_level,
2365 const char *target_service,
2367 const char *username,
2368 const char *password,
2369 enum credentials_use_kerberos use_kerberos,
2370 struct netlogon_creds_CredentialState *creds,
2371 struct pipe_auth_data **presult)
2373 struct auth_generic_state *auth_generic_ctx;
2374 struct pipe_auth_data *result;
2377 result = talloc_zero(mem_ctx, struct pipe_auth_data);
2378 if (result == NULL) {
2379 return NT_STATUS_NO_MEMORY;
2382 result->auth_type = auth_type;
2383 result->auth_level = auth_level;
2385 result->user_name = talloc_strdup(result, username);
2386 result->domain = talloc_strdup(result, domain);
2387 if ((result->user_name == NULL) || (result->domain == NULL)) {
2388 status = NT_STATUS_NO_MEMORY;
2392 status = auth_generic_client_prepare(result,
2394 if (!NT_STATUS_IS_OK(status)) {
2398 status = auth_generic_set_username(auth_generic_ctx, username);
2399 if (!NT_STATUS_IS_OK(status)) {
2403 status = auth_generic_set_domain(auth_generic_ctx, domain);
2404 if (!NT_STATUS_IS_OK(status)) {
2408 status = auth_generic_set_password(auth_generic_ctx, password);
2409 if (!NT_STATUS_IS_OK(status)) {
2413 status = gensec_set_target_service(auth_generic_ctx->gensec_security, target_service);
2414 if (!NT_STATUS_IS_OK(status)) {
2418 status = gensec_set_target_hostname(auth_generic_ctx->gensec_security, server);
2419 if (!NT_STATUS_IS_OK(status)) {
2423 cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
2424 cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
2426 status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
2427 if (!NT_STATUS_IS_OK(status)) {
2431 result->auth_ctx = talloc_move(result, &auth_generic_ctx->gensec_security);
2432 talloc_free(auth_generic_ctx);
2434 return NT_STATUS_OK;
2437 TALLOC_FREE(result);
2442 * Create an rpc pipe client struct, connecting to a tcp port.
2444 static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
2445 const struct sockaddr_storage *ss_addr,
2447 const struct ndr_interface_table *table,
2448 struct rpc_pipe_client **presult)
2450 struct rpc_pipe_client *result;
2451 struct sockaddr_storage addr;
2455 result = talloc_zero(mem_ctx, struct rpc_pipe_client);
2456 if (result == NULL) {
2457 return NT_STATUS_NO_MEMORY;
2460 result->abstract_syntax = table->syntax_id;
2461 result->transfer_syntax = ndr_transfer_syntax_ndr;
2463 result->desthost = talloc_strdup(result, host);
2464 result->srv_name_slash = talloc_asprintf_strupper_m(
2465 result, "\\\\%s", result->desthost);
2466 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2467 status = NT_STATUS_NO_MEMORY;
2471 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2472 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2474 if (ss_addr == NULL) {
2475 if (!resolve_name(host, &addr, NBT_NAME_SERVER, false)) {
2476 status = NT_STATUS_NOT_FOUND;
2483 status = open_socket_out(&addr, port, 60*1000, &fd);
2484 if (!NT_STATUS_IS_OK(status)) {
2487 set_socket_options(fd, lp_socket_options());
2489 status = rpc_transport_sock_init(result, fd, &result->transport);
2490 if (!NT_STATUS_IS_OK(status)) {
2495 result->transport->transport = NCACN_IP_TCP;
2497 result->binding_handle = rpccli_bh_create(result, NULL, table);
2498 if (result->binding_handle == NULL) {
2499 TALLOC_FREE(result);
2500 return NT_STATUS_NO_MEMORY;
2504 return NT_STATUS_OK;
2507 TALLOC_FREE(result);
2512 * Determine the tcp port on which a dcerpc interface is listening
2513 * for the ncacn_ip_tcp transport via the endpoint mapper of the
2516 static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
2517 const struct sockaddr_storage *addr,
2518 const struct ndr_interface_table *table,
2522 struct rpc_pipe_client *epm_pipe = NULL;
2523 struct dcerpc_binding_handle *epm_handle = NULL;
2524 struct pipe_auth_data *auth = NULL;
2525 struct dcerpc_binding *map_binding = NULL;
2526 struct dcerpc_binding *res_binding = NULL;
2527 struct epm_twr_t *map_tower = NULL;
2528 struct epm_twr_t *res_towers = NULL;
2529 struct policy_handle *entry_handle = NULL;
2530 uint32_t num_towers = 0;
2531 uint32_t max_towers = 1;
2532 struct epm_twr_p_t towers;
2533 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2534 uint32_t result = 0;
2536 if (pport == NULL) {
2537 status = NT_STATUS_INVALID_PARAMETER;
2541 if (ndr_syntax_id_equal(&table->syntax_id,
2542 &ndr_table_epmapper.syntax_id)) {
2544 status = NT_STATUS_OK;
2548 /* open the connection to the endpoint mapper */
2549 status = rpc_pipe_open_tcp_port(tmp_ctx, host, addr, 135,
2550 &ndr_table_epmapper,
2553 if (!NT_STATUS_IS_OK(status)) {
2556 epm_handle = epm_pipe->binding_handle;
2558 status = rpccli_anon_bind_data(tmp_ctx, &auth);
2559 if (!NT_STATUS_IS_OK(status)) {
2563 status = rpc_pipe_bind(epm_pipe, auth);
2564 if (!NT_STATUS_IS_OK(status)) {
2568 /* create tower for asking the epmapper */
2570 map_binding = talloc_zero(tmp_ctx, struct dcerpc_binding);
2571 if (map_binding == NULL) {
2572 status = NT_STATUS_NO_MEMORY;
2576 map_binding->transport = NCACN_IP_TCP;
2577 map_binding->object = table->syntax_id;
2578 map_binding->host = host; /* needed? */
2579 map_binding->endpoint = "0"; /* correct? needed? */
2581 map_tower = talloc_zero(tmp_ctx, struct epm_twr_t);
2582 if (map_tower == NULL) {
2583 status = NT_STATUS_NO_MEMORY;
2587 status = dcerpc_binding_build_tower(tmp_ctx, map_binding,
2588 &(map_tower->tower));
2589 if (!NT_STATUS_IS_OK(status)) {
2593 /* allocate further parameters for the epm_Map call */
2595 res_towers = talloc_array(tmp_ctx, struct epm_twr_t, max_towers);
2596 if (res_towers == NULL) {
2597 status = NT_STATUS_NO_MEMORY;
2600 towers.twr = res_towers;
2602 entry_handle = talloc_zero(tmp_ctx, struct policy_handle);
2603 if (entry_handle == NULL) {
2604 status = NT_STATUS_NO_MEMORY;
2608 /* ask the endpoint mapper for the port */
2610 status = dcerpc_epm_Map(epm_handle,
2612 discard_const_p(struct GUID,
2613 &(table->syntax_id.uuid)),
2621 if (!NT_STATUS_IS_OK(status)) {
2625 if (result != EPMAPPER_STATUS_OK) {
2626 status = NT_STATUS_UNSUCCESSFUL;
2630 if (num_towers != 1) {
2631 status = NT_STATUS_UNSUCCESSFUL;
2635 /* extract the port from the answer */
2637 status = dcerpc_binding_from_tower(tmp_ctx,
2638 &(towers.twr->tower),
2640 if (!NT_STATUS_IS_OK(status)) {
2644 /* are further checks here necessary? */
2645 if (res_binding->transport != NCACN_IP_TCP) {
2646 status = NT_STATUS_UNSUCCESSFUL;
2650 *pport = (uint16_t)atoi(res_binding->endpoint);
2653 TALLOC_FREE(tmp_ctx);
2658 * Create a rpc pipe client struct, connecting to a host via tcp.
2659 * The port is determined by asking the endpoint mapper on the given
2662 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
2663 const struct sockaddr_storage *addr,
2664 const struct ndr_interface_table *table,
2665 struct rpc_pipe_client **presult)
2670 status = rpc_pipe_get_tcp_port(host, addr, table, &port);
2671 if (!NT_STATUS_IS_OK(status)) {
2675 return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
2679 /********************************************************************
2680 Create a rpc pipe client struct, connecting to a unix domain socket
2681 ********************************************************************/
2682 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
2683 const struct ndr_interface_table *table,
2684 struct rpc_pipe_client **presult)
2686 struct rpc_pipe_client *result;
2687 struct sockaddr_un addr;
2692 result = talloc_zero(mem_ctx, struct rpc_pipe_client);
2693 if (result == NULL) {
2694 return NT_STATUS_NO_MEMORY;
2697 result->abstract_syntax = table->syntax_id;
2698 result->transfer_syntax = ndr_transfer_syntax_ndr;
2700 result->desthost = get_myname(result);
2701 result->srv_name_slash = talloc_asprintf_strupper_m(
2702 result, "\\\\%s", result->desthost);
2703 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2704 status = NT_STATUS_NO_MEMORY;
2708 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2709 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2711 fd = socket(AF_UNIX, SOCK_STREAM, 0);
2713 status = map_nt_error_from_unix(errno);
2718 addr.sun_family = AF_UNIX;
2719 strlcpy(addr.sun_path, socket_path, sizeof(addr.sun_path));
2720 salen = sizeof(struct sockaddr_un);
2722 if (connect(fd, (struct sockaddr *)(void *)&addr, salen) == -1) {
2723 DEBUG(0, ("connect(%s) failed: %s\n", socket_path,
2726 return map_nt_error_from_unix(errno);
2729 status = rpc_transport_sock_init(result, fd, &result->transport);
2730 if (!NT_STATUS_IS_OK(status)) {
2735 result->transport->transport = NCALRPC;
2737 result->binding_handle = rpccli_bh_create(result, NULL, table);
2738 if (result->binding_handle == NULL) {
2739 TALLOC_FREE(result);
2740 return NT_STATUS_NO_MEMORY;
2744 return NT_STATUS_OK;
2747 TALLOC_FREE(result);
2751 struct rpc_pipe_client_np_ref {
2752 struct cli_state *cli;
2753 struct rpc_pipe_client *pipe;
2756 static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_ref)
2758 DLIST_REMOVE(np_ref->cli->pipe_list, np_ref->pipe);
2762 /****************************************************************************
2763 Open a named pipe over SMB to a remote server.
2765 * CAVEAT CALLER OF THIS FUNCTION:
2766 * The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
2767 * so be sure that this function is called AFTER any structure (vs pointer)
2768 * assignment of the cli. In particular, libsmbclient does structure
2769 * assignments of cli, which invalidates the data in the returned
2770 * rpc_pipe_client if this function is called before the structure assignment
2773 ****************************************************************************/
2775 static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
2776 const struct ndr_interface_table *table,
2777 struct rpc_pipe_client **presult)
2779 struct rpc_pipe_client *result;
2781 struct rpc_pipe_client_np_ref *np_ref;
2783 /* sanity check to protect against crashes */
2786 return NT_STATUS_INVALID_HANDLE;
2789 result = talloc_zero(NULL, struct rpc_pipe_client);
2790 if (result == NULL) {
2791 return NT_STATUS_NO_MEMORY;
2794 result->abstract_syntax = table->syntax_id;
2795 result->transfer_syntax = ndr_transfer_syntax_ndr;
2796 result->desthost = talloc_strdup(result, smbXcli_conn_remote_name(cli->conn));
2797 result->srv_name_slash = talloc_asprintf_strupper_m(
2798 result, "\\\\%s", result->desthost);
2800 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2801 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2803 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2804 TALLOC_FREE(result);
2805 return NT_STATUS_NO_MEMORY;
2808 status = rpc_transport_np_init(result, cli, table,
2809 &result->transport);
2810 if (!NT_STATUS_IS_OK(status)) {
2811 TALLOC_FREE(result);
2815 result->transport->transport = NCACN_NP;
2817 np_ref = talloc(result->transport, struct rpc_pipe_client_np_ref);
2818 if (np_ref == NULL) {
2819 TALLOC_FREE(result);
2820 return NT_STATUS_NO_MEMORY;
2823 np_ref->pipe = result;
2825 DLIST_ADD(np_ref->cli->pipe_list, np_ref->pipe);
2826 talloc_set_destructor(np_ref, rpc_pipe_client_np_ref_destructor);
2828 result->binding_handle = rpccli_bh_create(result, NULL, table);
2829 if (result->binding_handle == NULL) {
2830 TALLOC_FREE(result);
2831 return NT_STATUS_NO_MEMORY;
2835 return NT_STATUS_OK;
2838 /****************************************************************************
2839 Open a pipe to a remote server.
2840 ****************************************************************************/
2842 static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
2843 enum dcerpc_transport_t transport,
2844 const struct ndr_interface_table *table,
2845 struct rpc_pipe_client **presult)
2847 switch (transport) {
2849 return rpc_pipe_open_tcp(NULL,
2850 smbXcli_conn_remote_name(cli->conn),
2851 smbXcli_conn_remote_sockaddr(cli->conn),
2854 return rpc_pipe_open_np(cli, table, presult);
2856 return NT_STATUS_NOT_IMPLEMENTED;
2860 /****************************************************************************
2861 Open a named pipe to an SMB server and bind anonymously.
2862 ****************************************************************************/
2864 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
2865 enum dcerpc_transport_t transport,
2866 const struct ndr_interface_table *table,
2867 struct rpc_pipe_client **presult)
2869 struct rpc_pipe_client *result;
2870 struct pipe_auth_data *auth;
2873 status = cli_rpc_pipe_open(cli, transport, table, &result);
2874 if (!NT_STATUS_IS_OK(status)) {
2878 status = rpccli_anon_bind_data(result, &auth);
2879 if (!NT_STATUS_IS_OK(status)) {
2880 DEBUG(0, ("rpccli_anon_bind_data returned %s\n",
2881 nt_errstr(status)));
2882 TALLOC_FREE(result);
2887 * This is a bit of an abstraction violation due to the fact that an
2888 * anonymous bind on an authenticated SMB inherits the user/domain
2889 * from the enclosing SMB creds
2892 TALLOC_FREE(auth->user_name);
2893 TALLOC_FREE(auth->domain);
2895 auth->user_name = talloc_strdup(auth, cli->user_name);
2896 auth->domain = talloc_strdup(auth, cli->domain);
2898 if (transport == NCACN_NP) {
2899 struct smbXcli_session *session;
2901 if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
2902 session = cli->smb2.session;
2904 session = cli->smb1.session;
2907 status = smbXcli_session_application_key(session, auth,
2908 &auth->transport_session_key);
2909 if (!NT_STATUS_IS_OK(status)) {
2910 auth->transport_session_key = data_blob_null;
2914 if ((auth->user_name == NULL) || (auth->domain == NULL)) {
2915 TALLOC_FREE(result);
2916 return NT_STATUS_NO_MEMORY;
2919 status = rpc_pipe_bind(result, auth);
2920 if (!NT_STATUS_IS_OK(status)) {
2922 if (ndr_syntax_id_equal(&table->syntax_id,
2923 &ndr_table_dssetup.syntax_id)) {
2924 /* non AD domains just don't have this pipe, avoid
2925 * level 0 statement in that case - gd */
2928 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
2929 "%s failed with error %s\n",
2931 nt_errstr(status) ));
2932 TALLOC_FREE(result);
2936 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
2937 "%s and bound anonymously.\n",
2942 return NT_STATUS_OK;
2945 /****************************************************************************
2946 ****************************************************************************/
2948 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
2949 const struct ndr_interface_table *table,
2950 struct rpc_pipe_client **presult)
2952 return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
2956 /****************************************************************************
2957 Open a named pipe to an SMB server and bind using the mech specified
2958 ****************************************************************************/
2960 NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
2961 const struct ndr_interface_table *table,
2962 enum dcerpc_transport_t transport,
2963 enum dcerpc_AuthType auth_type,
2964 enum dcerpc_AuthLevel auth_level,
2967 const char *username,
2968 const char *password,
2969 struct rpc_pipe_client **presult)
2971 struct rpc_pipe_client *result;
2972 struct pipe_auth_data *auth = NULL;
2973 const char *target_service = table->authservices->names[0];
2977 status = cli_rpc_pipe_open(cli, transport, table, &result);
2978 if (!NT_STATUS_IS_OK(status)) {
2982 status = rpccli_generic_bind_data(result,
2983 auth_type, auth_level,
2984 server, target_service,
2985 domain, username, password,
2986 CRED_AUTO_USE_KERBEROS,
2989 if (!NT_STATUS_IS_OK(status)) {
2990 DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
2991 nt_errstr(status)));
2995 status = rpc_pipe_bind(result, auth);
2996 if (!NT_STATUS_IS_OK(status)) {
2997 DEBUG(0, ("cli_rpc_pipe_open_generic_auth: cli_rpc_pipe_bind failed with error %s\n",
2998 nt_errstr(status) ));
3002 DEBUG(10,("cli_rpc_pipe_open_generic_auth: opened pipe %s to "
3003 "machine %s and bound as user %s\\%s.\n", table->name,
3004 result->desthost, domain, username));
3007 return NT_STATUS_OK;
3011 TALLOC_FREE(result);
3015 /****************************************************************************
3017 Open a named pipe to an SMB server and bind using schannel (bind type 68)
3018 using session_key. sign and seal.
3020 The *pdc will be stolen onto this new pipe
3021 ****************************************************************************/
3023 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
3024 const struct ndr_interface_table *table,
3025 enum dcerpc_transport_t transport,
3027 struct netlogon_creds_cli_context *netlogon_creds,
3028 struct rpc_pipe_client **_rpccli)
3030 struct rpc_pipe_client *rpccli;
3031 struct pipe_auth_data *rpcauth;
3032 struct netlogon_creds_CredentialState *creds = NULL;
3033 enum dcerpc_AuthLevel auth_level;
3035 const char *target_service = table->authservices->names[0];
3036 int rpc_pipe_bind_dbglvl = 0;
3038 status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
3039 if (!NT_STATUS_IS_OK(status)) {
3043 status = netlogon_creds_cli_lock(netlogon_creds, rpccli, &creds);
3044 if (!NT_STATUS_IS_OK(status)) {
3045 DEBUG(0, ("netlogon_creds_cli_get returned %s\n",
3046 nt_errstr(status)));
3047 TALLOC_FREE(rpccli);
3051 auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
3053 status = rpccli_generic_bind_data(rpccli,
3054 DCERPC_AUTH_TYPE_SCHANNEL,
3059 creds->computer_name,
3061 CRED_AUTO_USE_KERBEROS,
3064 if (!NT_STATUS_IS_OK(status)) {
3065 DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
3066 nt_errstr(status)));
3067 TALLOC_FREE(rpccli);
3071 status = rpc_pipe_bind(rpccli, rpcauth);
3072 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
3073 rpc_pipe_bind_dbglvl = 1;
3074 netlogon_creds_cli_delete(netlogon_creds, &creds);
3076 if (!NT_STATUS_IS_OK(status)) {
3077 DEBUG(rpc_pipe_bind_dbglvl,
3078 ("cli_rpc_pipe_open_schannel_with_key: "
3079 "rpc_pipe_bind failed with error %s\n",
3080 nt_errstr(status)));
3081 TALLOC_FREE(rpccli);
3087 if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
3091 status = netlogon_creds_cli_check(netlogon_creds,
3092 rpccli->binding_handle);
3093 if (!NT_STATUS_IS_OK(status)) {
3094 DEBUG(0, ("netlogon_creds_cli_check failed with %s\n",
3095 nt_errstr(status)));
3096 TALLOC_FREE(rpccli);
3102 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
3103 "for domain %s and bound using schannel.\n",
3105 rpccli->desthost, domain));
3108 return NT_STATUS_OK;
3111 NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
3112 const struct ndr_interface_table *table,
3113 enum dcerpc_transport_t transport,
3115 enum dcerpc_AuthLevel auth_level,
3118 const char *username,
3119 const char *password,
3120 struct rpc_pipe_client **presult)
3122 struct rpc_pipe_client *result;
3123 struct pipe_auth_data *auth = NULL;
3124 const char *target_service = table->authservices->names[0];
3127 enum credentials_use_kerberos use_kerberos;
3129 if (strcmp(oid, GENSEC_OID_KERBEROS5) == 0) {
3130 use_kerberos = CRED_MUST_USE_KERBEROS;
3131 } else if (strcmp(oid, GENSEC_OID_NTLMSSP) == 0) {
3132 use_kerberos = CRED_DONT_USE_KERBEROS;
3134 return NT_STATUS_INVALID_PARAMETER;
3137 status = cli_rpc_pipe_open(cli, transport, table, &result);
3138 if (!NT_STATUS_IS_OK(status)) {
3142 status = rpccli_generic_bind_data(result,
3143 DCERPC_AUTH_TYPE_SPNEGO, auth_level,
3144 server, target_service,
3145 domain, username, password,
3148 if (!NT_STATUS_IS_OK(status)) {
3149 DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
3150 nt_errstr(status)));
3154 status = rpc_pipe_bind(result, auth);
3155 if (!NT_STATUS_IS_OK(status)) {
3156 DEBUG(0, ("cli_rpc_pipe_open_spnego: cli_rpc_pipe_bind failed with error %s\n",
3157 nt_errstr(status) ));
3161 DEBUG(10,("cli_rpc_pipe_open_spnego: opened pipe %s to "
3162 "machine %s.\n", table->name,
3166 return NT_STATUS_OK;
3170 TALLOC_FREE(result);
3174 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
3175 struct rpc_pipe_client *cli,
3176 DATA_BLOB *session_key)
3179 struct pipe_auth_data *a;
3180 struct gensec_security *gensec_security;
3181 DATA_BLOB sk = data_blob_null;
3182 bool make_dup = false;
3184 if (!session_key || !cli) {
3185 return NT_STATUS_INVALID_PARAMETER;
3191 return NT_STATUS_INVALID_PARAMETER;
3194 switch (cli->auth->auth_type) {
3195 case DCERPC_AUTH_TYPE_SPNEGO:
3196 case DCERPC_AUTH_TYPE_NTLMSSP:
3197 case DCERPC_AUTH_TYPE_KRB5:
3198 gensec_security = talloc_get_type_abort(a->auth_ctx,
3199 struct gensec_security);
3200 status = gensec_session_key(gensec_security, mem_ctx, &sk);
3201 if (!NT_STATUS_IS_OK(status)) {
3206 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
3207 case DCERPC_AUTH_TYPE_NONE:
3208 sk = data_blob_const(a->transport_session_key.data,
3209 a->transport_session_key.length);
3217 return NT_STATUS_NO_USER_SESSION_KEY;
3221 *session_key = data_blob_dup_talloc(mem_ctx, sk);
3226 return NT_STATUS_OK;