2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client routines
4 * Largely rewritten by Jeremy Allison 2005.
5 * Heavily modified by Simo Sorce 2010.
6 * Copyright Andrew Bartlett 2011.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 #include "../lib/util/tevent_ntstatus.h"
24 #include "librpc/gen_ndr/ndr_epmapper_c.h"
25 #include "../librpc/gen_ndr/ndr_schannel.h"
26 #include "../librpc/gen_ndr/ndr_dssetup.h"
27 #include "../libcli/auth/schannel.h"
28 #include "../libcli/auth/spnego.h"
29 #include "../auth/ntlmssp/ntlmssp.h"
30 #include "auth_generic.h"
31 #include "librpc/gen_ndr/ndr_dcerpc.h"
32 #include "librpc/gen_ndr/ndr_netlogon_c.h"
33 #include "librpc/rpc/dcerpc.h"
36 #include "libsmb/libsmb.h"
37 #include "auth/gensec/gensec.h"
38 #include "auth/credentials/credentials.h"
39 #include "../libcli/smb/smbXcli_base.h"
42 #define DBGC_CLASS DBGC_RPC_CLI
44 /********************************************************************
45 Pipe description for a DEBUG
46 ********************************************************************/
47 static const char *rpccli_pipe_txt(TALLOC_CTX *mem_ctx,
48 struct rpc_pipe_client *cli)
50 char *result = talloc_asprintf(mem_ctx, "host %s", cli->desthost);
57 /********************************************************************
59 ********************************************************************/
61 static uint32 get_rpc_call_id(void)
63 static uint32 call_id = 0;
67 /*******************************************************************
68 Use SMBreadX to get rest of one fragment's worth of rpc data.
69 Reads the whole size or give an error message
70 ********************************************************************/
72 struct rpc_read_state {
73 struct tevent_context *ev;
74 struct rpc_cli_transport *transport;
80 static void rpc_read_done(struct tevent_req *subreq);
82 static struct tevent_req *rpc_read_send(TALLOC_CTX *mem_ctx,
83 struct tevent_context *ev,
84 struct rpc_cli_transport *transport,
85 uint8_t *data, size_t size)
87 struct tevent_req *req, *subreq;
88 struct rpc_read_state *state;
90 req = tevent_req_create(mem_ctx, &state, struct rpc_read_state);
95 state->transport = transport;
100 DEBUG(5, ("rpc_read_send: data_to_read: %u\n", (unsigned int)size));
102 subreq = transport->read_send(state, ev, (uint8_t *)data, size,
104 if (subreq == NULL) {
107 tevent_req_set_callback(subreq, rpc_read_done, req);
115 static void rpc_read_done(struct tevent_req *subreq)
117 struct tevent_req *req = tevent_req_callback_data(
118 subreq, struct tevent_req);
119 struct rpc_read_state *state = tevent_req_data(
120 req, struct rpc_read_state);
124 status = state->transport->read_recv(subreq, &received);
126 if (!NT_STATUS_IS_OK(status)) {
127 tevent_req_nterror(req, status);
131 state->num_read += received;
132 if (state->num_read == state->size) {
133 tevent_req_done(req);
137 subreq = state->transport->read_send(state, state->ev,
138 state->data + state->num_read,
139 state->size - state->num_read,
140 state->transport->priv);
141 if (tevent_req_nomem(subreq, req)) {
144 tevent_req_set_callback(subreq, rpc_read_done, req);
147 static NTSTATUS rpc_read_recv(struct tevent_req *req)
149 return tevent_req_simple_recv_ntstatus(req);
152 struct rpc_write_state {
153 struct tevent_context *ev;
154 struct rpc_cli_transport *transport;
160 static void rpc_write_done(struct tevent_req *subreq);
162 static struct tevent_req *rpc_write_send(TALLOC_CTX *mem_ctx,
163 struct tevent_context *ev,
164 struct rpc_cli_transport *transport,
165 const uint8_t *data, size_t size)
167 struct tevent_req *req, *subreq;
168 struct rpc_write_state *state;
170 req = tevent_req_create(mem_ctx, &state, struct rpc_write_state);
175 state->transport = transport;
178 state->num_written = 0;
180 DEBUG(5, ("rpc_write_send: data_to_write: %u\n", (unsigned int)size));
182 subreq = transport->write_send(state, ev, data, size, transport->priv);
183 if (subreq == NULL) {
186 tevent_req_set_callback(subreq, rpc_write_done, req);
193 static void rpc_write_done(struct tevent_req *subreq)
195 struct tevent_req *req = tevent_req_callback_data(
196 subreq, struct tevent_req);
197 struct rpc_write_state *state = tevent_req_data(
198 req, struct rpc_write_state);
202 status = state->transport->write_recv(subreq, &written);
204 if (!NT_STATUS_IS_OK(status)) {
205 tevent_req_nterror(req, status);
209 state->num_written += written;
211 if (state->num_written == state->size) {
212 tevent_req_done(req);
216 subreq = state->transport->write_send(state, state->ev,
217 state->data + state->num_written,
218 state->size - state->num_written,
219 state->transport->priv);
220 if (tevent_req_nomem(subreq, req)) {
223 tevent_req_set_callback(subreq, rpc_write_done, req);
226 static NTSTATUS rpc_write_recv(struct tevent_req *req)
228 return tevent_req_simple_recv_ntstatus(req);
232 /****************************************************************************
233 Try and get a PDU's worth of data from current_pdu. If not, then read more
235 ****************************************************************************/
237 struct get_complete_frag_state {
238 struct tevent_context *ev;
239 struct rpc_pipe_client *cli;
244 static void get_complete_frag_got_header(struct tevent_req *subreq);
245 static void get_complete_frag_got_rest(struct tevent_req *subreq);
247 static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
248 struct tevent_context *ev,
249 struct rpc_pipe_client *cli,
252 struct tevent_req *req, *subreq;
253 struct get_complete_frag_state *state;
257 req = tevent_req_create(mem_ctx, &state,
258 struct get_complete_frag_state);
264 state->frag_len = RPC_HEADER_LEN;
267 received = pdu->length;
268 if (received < RPC_HEADER_LEN) {
269 if (!data_blob_realloc(mem_ctx, pdu, RPC_HEADER_LEN)) {
270 status = NT_STATUS_NO_MEMORY;
273 subreq = rpc_read_send(state, state->ev,
274 state->cli->transport,
275 pdu->data + received,
276 RPC_HEADER_LEN - received);
277 if (subreq == NULL) {
278 status = NT_STATUS_NO_MEMORY;
281 tevent_req_set_callback(subreq, get_complete_frag_got_header,
286 state->frag_len = dcerpc_get_frag_length(pdu);
289 * Ensure we have frag_len bytes of data.
291 if (received < state->frag_len) {
292 if (!data_blob_realloc(NULL, pdu, state->frag_len)) {
293 status = NT_STATUS_NO_MEMORY;
296 subreq = rpc_read_send(state, state->ev,
297 state->cli->transport,
298 pdu->data + received,
299 state->frag_len - received);
300 if (subreq == NULL) {
301 status = NT_STATUS_NO_MEMORY;
304 tevent_req_set_callback(subreq, get_complete_frag_got_rest,
309 status = NT_STATUS_OK;
311 if (NT_STATUS_IS_OK(status)) {
312 tevent_req_done(req);
314 tevent_req_nterror(req, status);
316 return tevent_req_post(req, ev);
319 static void get_complete_frag_got_header(struct tevent_req *subreq)
321 struct tevent_req *req = tevent_req_callback_data(
322 subreq, struct tevent_req);
323 struct get_complete_frag_state *state = tevent_req_data(
324 req, struct get_complete_frag_state);
327 status = rpc_read_recv(subreq);
329 if (!NT_STATUS_IS_OK(status)) {
330 tevent_req_nterror(req, status);
334 state->frag_len = dcerpc_get_frag_length(state->pdu);
336 if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
337 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
342 * We're here in this piece of code because we've read exactly
343 * RPC_HEADER_LEN bytes into state->pdu.
346 subreq = rpc_read_send(state, state->ev, state->cli->transport,
347 state->pdu->data + RPC_HEADER_LEN,
348 state->frag_len - RPC_HEADER_LEN);
349 if (tevent_req_nomem(subreq, req)) {
352 tevent_req_set_callback(subreq, get_complete_frag_got_rest, req);
355 static void get_complete_frag_got_rest(struct tevent_req *subreq)
357 struct tevent_req *req = tevent_req_callback_data(
358 subreq, struct tevent_req);
361 status = rpc_read_recv(subreq);
363 if (!NT_STATUS_IS_OK(status)) {
364 tevent_req_nterror(req, status);
367 tevent_req_done(req);
370 static NTSTATUS get_complete_frag_recv(struct tevent_req *req)
372 return tevent_req_simple_recv_ntstatus(req);
375 /****************************************************************************
376 Do basic authentication checks on an incoming pdu.
377 ****************************************************************************/
379 static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
380 struct rpc_pipe_client *cli,
381 struct ncacn_packet *pkt,
383 uint8_t expected_pkt_type,
385 DATA_BLOB *reply_pdu)
387 struct dcerpc_response *r;
388 NTSTATUS ret = NT_STATUS_OK;
392 * Point the return values at the real data including the RPC
393 * header. Just in case the caller wants it.
397 /* Ensure we have the correct type. */
398 switch (pkt->ptype) {
399 case DCERPC_PKT_ALTER_RESP:
400 case DCERPC_PKT_BIND_ACK:
402 /* Client code never receives this kind of packets */
406 case DCERPC_PKT_RESPONSE:
408 r = &pkt->u.response;
410 /* Here's where we deal with incoming sign/seal. */
411 ret = dcerpc_check_auth(cli->auth, pkt,
412 &r->stub_and_verifier,
413 DCERPC_RESPONSE_LENGTH,
415 if (!NT_STATUS_IS_OK(ret)) {
419 if (pkt->frag_length < DCERPC_RESPONSE_LENGTH + pad_len) {
420 return NT_STATUS_BUFFER_TOO_SMALL;
423 /* Point the return values at the NDR data. */
424 rdata->data = r->stub_and_verifier.data;
426 if (pkt->auth_length) {
427 /* We've already done integer wrap tests in
428 * dcerpc_check_auth(). */
429 rdata->length = r->stub_and_verifier.length
431 - DCERPC_AUTH_TRAILER_LENGTH
434 rdata->length = r->stub_and_verifier.length;
437 DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
438 (long unsigned int)pdu->length,
439 (long unsigned int)rdata->length,
440 (unsigned int)pad_len));
443 * If this is the first reply, and the allocation hint is
444 * reasonable, try and set up the reply_pdu DATA_BLOB to the
448 if ((reply_pdu->length == 0) &&
449 r->alloc_hint && (r->alloc_hint < 15*1024*1024)) {
450 if (!data_blob_realloc(mem_ctx, reply_pdu,
452 DEBUG(0, ("reply alloc hint %d too "
453 "large to allocate\n",
454 (int)r->alloc_hint));
455 return NT_STATUS_NO_MEMORY;
461 case DCERPC_PKT_BIND_NAK:
462 DEBUG(1, (__location__ ": Bind NACK received from %s!\n",
463 rpccli_pipe_txt(talloc_tos(), cli)));
464 /* Use this for now... */
465 return NT_STATUS_NETWORK_ACCESS_DENIED;
467 case DCERPC_PKT_FAULT:
469 DEBUG(1, (__location__ ": RPC fault code %s received "
471 dcerpc_errstr(talloc_tos(),
472 pkt->u.fault.status),
473 rpccli_pipe_txt(talloc_tos(), cli)));
475 return dcerpc_fault_to_nt_status(pkt->u.fault.status);
478 DEBUG(0, (__location__ "Unknown packet type %u received "
480 (unsigned int)pkt->ptype,
481 rpccli_pipe_txt(talloc_tos(), cli)));
482 return NT_STATUS_INVALID_INFO_CLASS;
485 if (pkt->ptype != expected_pkt_type) {
486 DEBUG(3, (__location__ ": Connection to %s got an unexpected "
487 "RPC packet type - %u, not %u\n",
488 rpccli_pipe_txt(talloc_tos(), cli),
489 pkt->ptype, expected_pkt_type));
490 return NT_STATUS_INVALID_INFO_CLASS;
493 /* Do this just before return - we don't want to modify any rpc header
494 data before now as we may have needed to do cryptographic actions on
497 if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
498 !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
499 DEBUG(5, (__location__ ": bug in server (AS/U?), setting "
500 "fragment first/last ON.\n"));
501 pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
507 /****************************************************************************
508 Call a remote api on an arbitrary pipe. takes param, data and setup buffers.
509 ****************************************************************************/
511 struct cli_api_pipe_state {
512 struct tevent_context *ev;
513 struct rpc_cli_transport *transport;
518 static void cli_api_pipe_trans_done(struct tevent_req *subreq);
519 static void cli_api_pipe_write_done(struct tevent_req *subreq);
520 static void cli_api_pipe_read_done(struct tevent_req *subreq);
522 static struct tevent_req *cli_api_pipe_send(TALLOC_CTX *mem_ctx,
523 struct tevent_context *ev,
524 struct rpc_cli_transport *transport,
525 uint8_t *data, size_t data_len,
526 uint32_t max_rdata_len)
528 struct tevent_req *req, *subreq;
529 struct cli_api_pipe_state *state;
532 req = tevent_req_create(mem_ctx, &state, struct cli_api_pipe_state);
537 state->transport = transport;
539 if (max_rdata_len < RPC_HEADER_LEN) {
541 * For a RPC reply we always need at least RPC_HEADER_LEN
542 * bytes. We check this here because we will receive
543 * RPC_HEADER_LEN bytes in cli_trans_sock_send_done.
545 status = NT_STATUS_INVALID_PARAMETER;
549 if (transport->trans_send != NULL) {
550 subreq = transport->trans_send(state, ev, data, data_len,
551 max_rdata_len, transport->priv);
552 if (subreq == NULL) {
555 tevent_req_set_callback(subreq, cli_api_pipe_trans_done, req);
560 * If the transport does not provide a "trans" routine, i.e. for
561 * example the ncacn_ip_tcp transport, do the write/read step here.
564 subreq = rpc_write_send(state, ev, transport, data, data_len);
565 if (subreq == NULL) {
568 tevent_req_set_callback(subreq, cli_api_pipe_write_done, req);
572 tevent_req_nterror(req, status);
573 return tevent_req_post(req, ev);
579 static void cli_api_pipe_trans_done(struct tevent_req *subreq)
581 struct tevent_req *req = tevent_req_callback_data(
582 subreq, struct tevent_req);
583 struct cli_api_pipe_state *state = tevent_req_data(
584 req, struct cli_api_pipe_state);
587 status = state->transport->trans_recv(subreq, state, &state->rdata,
590 if (!NT_STATUS_IS_OK(status)) {
591 tevent_req_nterror(req, status);
594 tevent_req_done(req);
597 static void cli_api_pipe_write_done(struct tevent_req *subreq)
599 struct tevent_req *req = tevent_req_callback_data(
600 subreq, struct tevent_req);
601 struct cli_api_pipe_state *state = tevent_req_data(
602 req, struct cli_api_pipe_state);
605 status = rpc_write_recv(subreq);
607 if (!NT_STATUS_IS_OK(status)) {
608 tevent_req_nterror(req, status);
612 state->rdata = talloc_array(state, uint8_t, RPC_HEADER_LEN);
613 if (tevent_req_nomem(state->rdata, req)) {
618 * We don't need to use rpc_read_send here, the upper layer will cope
619 * with a short read, transport->trans_send could also return less
620 * than state->max_rdata_len.
622 subreq = state->transport->read_send(state, state->ev, state->rdata,
624 state->transport->priv);
625 if (tevent_req_nomem(subreq, req)) {
628 tevent_req_set_callback(subreq, cli_api_pipe_read_done, req);
631 static void cli_api_pipe_read_done(struct tevent_req *subreq)
633 struct tevent_req *req = tevent_req_callback_data(
634 subreq, struct tevent_req);
635 struct cli_api_pipe_state *state = tevent_req_data(
636 req, struct cli_api_pipe_state);
640 status = state->transport->read_recv(subreq, &received);
642 if (!NT_STATUS_IS_OK(status)) {
643 tevent_req_nterror(req, status);
646 state->rdata_len = received;
647 tevent_req_done(req);
650 static NTSTATUS cli_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
651 uint8_t **prdata, uint32_t *prdata_len)
653 struct cli_api_pipe_state *state = tevent_req_data(
654 req, struct cli_api_pipe_state);
657 if (tevent_req_is_nterror(req, &status)) {
661 *prdata = talloc_move(mem_ctx, &state->rdata);
662 *prdata_len = state->rdata_len;
666 /****************************************************************************
667 Send data on an rpc pipe via trans. The data must be the last
668 pdu fragment of an NDR data stream.
670 Receive response data from an rpc pipe, which may be large...
672 Read the first fragment: unfortunately have to use SMBtrans for the first
673 bit, then SMBreadX for subsequent bits.
675 If first fragment received also wasn't the last fragment, continue
676 getting fragments until we _do_ receive the last fragment.
678 Request/Response PDU's look like the following...
680 |<------------------PDU len----------------------------------------------->|
681 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
683 +------------+-----------------+-------------+---------------+-------------+
684 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
685 +------------+-----------------+-------------+---------------+-------------+
687 Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
688 signing & sealing being negotiated.
690 ****************************************************************************/
692 struct rpc_api_pipe_state {
693 struct tevent_context *ev;
694 struct rpc_pipe_client *cli;
695 uint8_t expected_pkt_type;
697 DATA_BLOB incoming_frag;
698 struct ncacn_packet *pkt;
702 size_t reply_pdu_offset;
706 static void rpc_api_pipe_trans_done(struct tevent_req *subreq);
707 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq);
708 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq);
710 static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,
711 struct tevent_context *ev,
712 struct rpc_pipe_client *cli,
713 DATA_BLOB *data, /* Outgoing PDU */
714 uint8_t expected_pkt_type)
716 struct tevent_req *req, *subreq;
717 struct rpc_api_pipe_state *state;
718 uint16_t max_recv_frag;
721 req = tevent_req_create(mem_ctx, &state, struct rpc_api_pipe_state);
727 state->expected_pkt_type = expected_pkt_type;
728 state->incoming_frag = data_blob_null;
729 state->reply_pdu = data_blob_null;
730 state->reply_pdu_offset = 0;
731 state->endianess = DCERPC_DREP_LE;
734 * Ensure we're not sending too much.
736 if (data->length > cli->max_xmit_frag) {
737 status = NT_STATUS_INVALID_PARAMETER;
741 DEBUG(5,("rpc_api_pipe: %s\n", rpccli_pipe_txt(talloc_tos(), cli)));
743 if (state->expected_pkt_type == DCERPC_PKT_AUTH3) {
744 subreq = rpc_write_send(state, ev, cli->transport,
745 data->data, data->length);
746 if (subreq == NULL) {
749 tevent_req_set_callback(subreq, rpc_api_pipe_auth3_done, req);
753 /* get the header first, then fetch the rest once we have
754 * the frag_length available */
755 max_recv_frag = RPC_HEADER_LEN;
757 subreq = cli_api_pipe_send(state, ev, cli->transport,
758 data->data, data->length, max_recv_frag);
759 if (subreq == NULL) {
762 tevent_req_set_callback(subreq, rpc_api_pipe_trans_done, req);
766 tevent_req_nterror(req, status);
767 return tevent_req_post(req, ev);
773 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq)
775 struct tevent_req *req =
776 tevent_req_callback_data(subreq,
780 status = rpc_write_recv(subreq);
782 if (!NT_STATUS_IS_OK(status)) {
783 tevent_req_nterror(req, status);
787 tevent_req_done(req);
790 static void rpc_api_pipe_trans_done(struct tevent_req *subreq)
792 struct tevent_req *req = tevent_req_callback_data(
793 subreq, struct tevent_req);
794 struct rpc_api_pipe_state *state = tevent_req_data(
795 req, struct rpc_api_pipe_state);
797 uint8_t *rdata = NULL;
798 uint32_t rdata_len = 0;
800 status = cli_api_pipe_recv(subreq, state, &rdata, &rdata_len);
802 if (!NT_STATUS_IS_OK(status)) {
803 DEBUG(5, ("cli_api_pipe failed: %s\n", nt_errstr(status)));
804 tevent_req_nterror(req, status);
809 DEBUG(3,("rpc_api_pipe: %s failed to return data.\n",
810 rpccli_pipe_txt(talloc_tos(), state->cli)));
811 tevent_req_done(req);
816 * Move data on state->incoming_frag.
818 state->incoming_frag.data = talloc_move(state, &rdata);
819 state->incoming_frag.length = rdata_len;
820 if (!state->incoming_frag.data) {
821 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
825 /* Ensure we have enough data for a pdu. */
826 subreq = get_complete_frag_send(state, state->ev, state->cli,
827 &state->incoming_frag);
828 if (tevent_req_nomem(subreq, req)) {
831 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
834 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
836 struct tevent_req *req = tevent_req_callback_data(
837 subreq, struct tevent_req);
838 struct rpc_api_pipe_state *state = tevent_req_data(
839 req, struct rpc_api_pipe_state);
841 DATA_BLOB rdata = data_blob_null;
843 status = get_complete_frag_recv(subreq);
845 if (!NT_STATUS_IS_OK(status)) {
846 DEBUG(5, ("get_complete_frag failed: %s\n",
848 tevent_req_nterror(req, status);
852 state->pkt = talloc(state, struct ncacn_packet);
854 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
858 status = dcerpc_pull_ncacn_packet(state->pkt,
859 &state->incoming_frag,
862 if (!NT_STATUS_IS_OK(status)) {
863 tevent_req_nterror(req, status);
867 if (state->incoming_frag.length != state->pkt->frag_length) {
868 DEBUG(5, ("Incorrect pdu length %u, expected %u\n",
869 (unsigned int)state->incoming_frag.length,
870 (unsigned int)state->pkt->frag_length));
871 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
875 status = cli_pipe_validate_current_pdu(state,
876 state->cli, state->pkt,
877 &state->incoming_frag,
878 state->expected_pkt_type,
882 DEBUG(10,("rpc_api_pipe: got frag len of %u at offset %u: %s\n",
883 (unsigned)state->incoming_frag.length,
884 (unsigned)state->reply_pdu_offset,
887 if (!NT_STATUS_IS_OK(status)) {
888 tevent_req_nterror(req, status);
892 if ((state->pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST)
893 && (state->pkt->drep[0] != DCERPC_DREP_LE)) {
895 * Set the data type correctly for big-endian data on the
898 DEBUG(10,("rpc_api_pipe: On %s PDU data format is "
900 rpccli_pipe_txt(talloc_tos(), state->cli)));
901 state->endianess = 0x00; /* BIG ENDIAN */
904 * Check endianness on subsequent packets.
906 if (state->endianess != state->pkt->drep[0]) {
907 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to "
909 state->endianess?"little":"big",
910 state->pkt->drep[0]?"little":"big"));
911 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
915 /* Now copy the data portion out of the pdu into rbuf. */
916 if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
917 if (!data_blob_realloc(NULL, &state->reply_pdu,
918 state->reply_pdu_offset + rdata.length)) {
919 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
924 memcpy(state->reply_pdu.data + state->reply_pdu_offset,
925 rdata.data, rdata.length);
926 state->reply_pdu_offset += rdata.length;
928 /* reset state->incoming_frag, there is no need to free it,
929 * it will be reallocated to the right size the next time
931 state->incoming_frag.length = 0;
933 if (state->pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
934 /* make sure the pdu length is right now that we
935 * have all the data available (alloc hint may
936 * have allocated more than was actually used) */
937 state->reply_pdu.length = state->reply_pdu_offset;
938 DEBUG(10,("rpc_api_pipe: %s returned %u bytes.\n",
939 rpccli_pipe_txt(talloc_tos(), state->cli),
940 (unsigned)state->reply_pdu.length));
941 tevent_req_done(req);
945 subreq = get_complete_frag_send(state, state->ev, state->cli,
946 &state->incoming_frag);
947 if (tevent_req_nomem(subreq, req)) {
950 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
953 static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
954 struct ncacn_packet **pkt,
955 DATA_BLOB *reply_pdu)
957 struct rpc_api_pipe_state *state = tevent_req_data(
958 req, struct rpc_api_pipe_state);
961 if (tevent_req_is_nterror(req, &status)) {
965 /* return data to caller and assign it ownership of memory */
967 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
968 reply_pdu->length = state->reply_pdu.length;
969 state->reply_pdu.length = 0;
971 data_blob_free(&state->reply_pdu);
975 *pkt = talloc_steal(mem_ctx, state->pkt);
981 /*******************************************************************
982 Creates NTLMSSP auth bind.
983 ********************************************************************/
985 static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
987 DATA_BLOB *auth_token)
989 struct gensec_security *gensec_security;
990 DATA_BLOB null_blob = data_blob_null;
992 gensec_security = talloc_get_type_abort(cli->auth->auth_ctx,
993 struct gensec_security);
995 DEBUG(5, ("create_generic_auth_rpc_bind_req: generate first token\n"));
996 return gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
999 /*******************************************************************
1000 Creates schannel auth bind.
1001 ********************************************************************/
1003 static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
1004 DATA_BLOB *auth_token)
1007 struct NL_AUTH_MESSAGE r;
1009 /* Use lp_workgroup() if domain not specified */
1011 if (!cli->auth->domain || !cli->auth->domain[0]) {
1012 cli->auth->domain = talloc_strdup(cli, lp_workgroup());
1013 if (cli->auth->domain == NULL) {
1014 return NT_STATUS_NO_MEMORY;
1019 * Now marshall the data into the auth parse_struct.
1022 r.MessageType = NL_NEGOTIATE_REQUEST;
1023 r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
1024 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
1025 r.oem_netbios_domain.a = cli->auth->domain;
1026 r.oem_netbios_computer.a = lp_netbios_name();
1028 status = dcerpc_push_schannel_bind(cli, &r, auth_token);
1029 if (!NT_STATUS_IS_OK(status)) {
1033 return NT_STATUS_OK;
1036 /*******************************************************************
1037 Creates the internals of a DCE/RPC bind request or alter context PDU.
1038 ********************************************************************/
1040 static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
1041 enum dcerpc_pkt_type ptype,
1043 const struct ndr_syntax_id *abstract,
1044 const struct ndr_syntax_id *transfer,
1045 const DATA_BLOB *auth_info,
1048 uint16 auth_len = auth_info->length;
1050 union dcerpc_payload u;
1051 struct dcerpc_ctx_list ctx_list;
1054 auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
1057 ctx_list.context_id = 0;
1058 ctx_list.num_transfer_syntaxes = 1;
1059 ctx_list.abstract_syntax = *abstract;
1060 ctx_list.transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer);
1062 u.bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1063 u.bind.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1064 u.bind.assoc_group_id = 0x0;
1065 u.bind.num_contexts = 1;
1066 u.bind.ctx_list = &ctx_list;
1067 u.bind.auth_info = *auth_info;
1069 status = dcerpc_push_ncacn_packet(mem_ctx,
1071 DCERPC_PFC_FLAG_FIRST |
1072 DCERPC_PFC_FLAG_LAST,
1077 if (!NT_STATUS_IS_OK(status)) {
1078 DEBUG(0, ("Failed to marshall bind/alter ncacn_packet.\n"));
1082 return NT_STATUS_OK;
1085 /*******************************************************************
1086 Creates a DCE/RPC bind request.
1087 ********************************************************************/
1089 static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
1090 struct rpc_pipe_client *cli,
1091 struct pipe_auth_data *auth,
1093 const struct ndr_syntax_id *abstract,
1094 const struct ndr_syntax_id *transfer,
1097 DATA_BLOB auth_token = data_blob_null;
1098 DATA_BLOB auth_info = data_blob_null;
1099 NTSTATUS ret = NT_STATUS_OK;
1101 switch (auth->auth_type) {
1102 case DCERPC_AUTH_TYPE_SCHANNEL:
1103 ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
1104 if (!NT_STATUS_IS_OK(ret)) {
1109 case DCERPC_AUTH_TYPE_NTLMSSP:
1110 case DCERPC_AUTH_TYPE_KRB5:
1111 case DCERPC_AUTH_TYPE_SPNEGO:
1112 ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
1114 if (!NT_STATUS_IS_OK(ret) &&
1115 !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1120 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1121 auth_token = data_blob_talloc(mem_ctx,
1122 "NCALRPC_AUTH_TOKEN",
1126 case DCERPC_AUTH_TYPE_NONE:
1130 /* "Can't" happen. */
1131 return NT_STATUS_INVALID_INFO_CLASS;
1134 if (auth_token.length != 0) {
1135 ret = dcerpc_push_dcerpc_auth(cli,
1138 0, /* auth_pad_length */
1139 1, /* auth_context_id */
1142 if (!NT_STATUS_IS_OK(ret)) {
1145 data_blob_free(&auth_token);
1148 ret = create_bind_or_alt_ctx_internal(mem_ctx,
1158 /*******************************************************************
1160 Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
1161 Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
1162 and deals with signing/sealing details.
1163 ********************************************************************/
1165 struct rpc_api_pipe_req_state {
1166 struct tevent_context *ev;
1167 struct rpc_pipe_client *cli;
1170 DATA_BLOB *req_data;
1171 uint32_t req_data_sent;
1173 DATA_BLOB reply_pdu;
1176 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
1177 static void rpc_api_pipe_req_done(struct tevent_req *subreq);
1178 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1179 bool *is_last_frag);
1181 struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
1182 struct tevent_context *ev,
1183 struct rpc_pipe_client *cli,
1185 DATA_BLOB *req_data)
1187 struct tevent_req *req, *subreq;
1188 struct rpc_api_pipe_req_state *state;
1192 req = tevent_req_create(mem_ctx, &state,
1193 struct rpc_api_pipe_req_state);
1199 state->op_num = op_num;
1200 state->req_data = req_data;
1201 state->req_data_sent = 0;
1202 state->call_id = get_rpc_call_id();
1203 state->reply_pdu = data_blob_null;
1204 state->rpc_out = data_blob_null;
1206 if (cli->max_xmit_frag < DCERPC_REQUEST_LENGTH
1207 + RPC_MAX_SIGN_SIZE) {
1208 /* Server is screwed up ! */
1209 status = NT_STATUS_INVALID_PARAMETER;
1213 status = prepare_next_frag(state, &is_last_frag);
1214 if (!NT_STATUS_IS_OK(status)) {
1219 subreq = rpc_api_pipe_send(state, ev, state->cli,
1221 DCERPC_PKT_RESPONSE);
1222 if (subreq == NULL) {
1225 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1227 subreq = rpc_write_send(state, ev, cli->transport,
1228 state->rpc_out.data,
1229 state->rpc_out.length);
1230 if (subreq == NULL) {
1233 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1239 tevent_req_nterror(req, status);
1240 return tevent_req_post(req, ev);
1246 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1249 size_t data_sent_thistime;
1256 union dcerpc_payload u;
1258 data_left = state->req_data->length - state->req_data_sent;
1260 status = dcerpc_guess_sizes(state->cli->auth,
1261 DCERPC_REQUEST_LENGTH, data_left,
1262 state->cli->max_xmit_frag,
1263 CLIENT_NDR_PADDING_SIZE,
1264 &data_sent_thistime,
1265 &frag_len, &auth_len, &pad_len);
1266 if (!NT_STATUS_IS_OK(status)) {
1270 if (state->req_data_sent == 0) {
1271 flags = DCERPC_PFC_FLAG_FIRST;
1274 if (data_sent_thistime == data_left) {
1275 flags |= DCERPC_PFC_FLAG_LAST;
1278 data_blob_free(&state->rpc_out);
1280 ZERO_STRUCT(u.request);
1282 u.request.alloc_hint = state->req_data->length;
1283 u.request.context_id = 0;
1284 u.request.opnum = state->op_num;
1286 status = dcerpc_push_ncacn_packet(state,
1293 if (!NT_STATUS_IS_OK(status)) {
1297 /* explicitly set frag_len here as dcerpc_push_ncacn_packet() can't
1298 * compute it right for requests because the auth trailer is missing
1300 dcerpc_set_frag_length(&state->rpc_out, frag_len);
1302 /* Copy in the data. */
1303 if (!data_blob_append(NULL, &state->rpc_out,
1304 state->req_data->data + state->req_data_sent,
1305 data_sent_thistime)) {
1306 return NT_STATUS_NO_MEMORY;
1309 switch (state->cli->auth->auth_level) {
1310 case DCERPC_AUTH_LEVEL_NONE:
1311 case DCERPC_AUTH_LEVEL_CONNECT:
1312 case DCERPC_AUTH_LEVEL_PACKET:
1314 case DCERPC_AUTH_LEVEL_INTEGRITY:
1315 case DCERPC_AUTH_LEVEL_PRIVACY:
1316 status = dcerpc_add_auth_footer(state->cli->auth, pad_len,
1318 if (!NT_STATUS_IS_OK(status)) {
1323 return NT_STATUS_INVALID_PARAMETER;
1326 state->req_data_sent += data_sent_thistime;
1327 *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
1332 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq)
1334 struct tevent_req *req = tevent_req_callback_data(
1335 subreq, struct tevent_req);
1336 struct rpc_api_pipe_req_state *state = tevent_req_data(
1337 req, struct rpc_api_pipe_req_state);
1341 status = rpc_write_recv(subreq);
1342 TALLOC_FREE(subreq);
1343 if (!NT_STATUS_IS_OK(status)) {
1344 tevent_req_nterror(req, status);
1348 status = prepare_next_frag(state, &is_last_frag);
1349 if (!NT_STATUS_IS_OK(status)) {
1350 tevent_req_nterror(req, status);
1355 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1357 DCERPC_PKT_RESPONSE);
1358 if (tevent_req_nomem(subreq, req)) {
1361 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1363 subreq = rpc_write_send(state, state->ev,
1364 state->cli->transport,
1365 state->rpc_out.data,
1366 state->rpc_out.length);
1367 if (tevent_req_nomem(subreq, req)) {
1370 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1375 static void rpc_api_pipe_req_done(struct tevent_req *subreq)
1377 struct tevent_req *req = tevent_req_callback_data(
1378 subreq, struct tevent_req);
1379 struct rpc_api_pipe_req_state *state = tevent_req_data(
1380 req, struct rpc_api_pipe_req_state);
1383 status = rpc_api_pipe_recv(subreq, state, NULL, &state->reply_pdu);
1384 TALLOC_FREE(subreq);
1385 if (!NT_STATUS_IS_OK(status)) {
1386 tevent_req_nterror(req, status);
1389 tevent_req_done(req);
1392 NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
1393 DATA_BLOB *reply_pdu)
1395 struct rpc_api_pipe_req_state *state = tevent_req_data(
1396 req, struct rpc_api_pipe_req_state);
1399 if (tevent_req_is_nterror(req, &status)) {
1401 * We always have to initialize to reply pdu, even if there is
1402 * none. The rpccli_* caller routines expect this.
1404 *reply_pdu = data_blob_null;
1408 /* return data to caller and assign it ownership of memory */
1409 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
1410 reply_pdu->length = state->reply_pdu.length;
1411 state->reply_pdu.length = 0;
1413 return NT_STATUS_OK;
1416 /****************************************************************************
1417 Check the rpc bind acknowledge response.
1418 ****************************************************************************/
1420 static bool check_bind_response(const struct dcerpc_bind_ack *r,
1421 const struct ndr_syntax_id *transfer)
1423 struct dcerpc_ack_ctx ctx;
1425 if (r->secondary_address_size == 0) {
1426 DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
1429 if (r->num_results < 1 || !r->ctx_list) {
1433 ctx = r->ctx_list[0];
1435 /* check the transfer syntax */
1436 if ((ctx.syntax.if_version != transfer->if_version) ||
1437 (memcmp(&ctx.syntax.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1438 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1442 if (r->num_results != 0x1 || ctx.result != 0) {
1443 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1444 r->num_results, ctx.reason));
1447 DEBUG(5,("check_bind_response: accepted!\n"));
1451 /*******************************************************************
1452 Creates a DCE/RPC bind authentication response.
1453 This is the packet that is sent back to the server once we
1454 have received a BIND-ACK, to finish the third leg of
1455 the authentication handshake.
1456 ********************************************************************/
1458 static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
1459 struct rpc_pipe_client *cli,
1461 enum dcerpc_AuthType auth_type,
1462 enum dcerpc_AuthLevel auth_level,
1463 DATA_BLOB *pauth_blob,
1467 union dcerpc_payload u;
1471 status = dcerpc_push_dcerpc_auth(mem_ctx,
1474 0, /* auth_pad_length */
1475 1, /* auth_context_id */
1477 &u.auth3.auth_info);
1478 if (!NT_STATUS_IS_OK(status)) {
1482 status = dcerpc_push_ncacn_packet(mem_ctx,
1484 DCERPC_PFC_FLAG_FIRST |
1485 DCERPC_PFC_FLAG_LAST,
1490 data_blob_free(&u.auth3.auth_info);
1491 if (!NT_STATUS_IS_OK(status)) {
1492 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
1496 return NT_STATUS_OK;
1499 /*******************************************************************
1500 Creates a DCE/RPC bind alter context authentication request which
1501 may contain a spnego auth blobl
1502 ********************************************************************/
1504 static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
1505 enum dcerpc_AuthType auth_type,
1506 enum dcerpc_AuthLevel auth_level,
1508 const struct ndr_syntax_id *abstract,
1509 const struct ndr_syntax_id *transfer,
1510 const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
1513 DATA_BLOB auth_info;
1516 status = dcerpc_push_dcerpc_auth(mem_ctx,
1519 0, /* auth_pad_length */
1520 1, /* auth_context_id */
1523 if (!NT_STATUS_IS_OK(status)) {
1527 status = create_bind_or_alt_ctx_internal(mem_ctx,
1534 data_blob_free(&auth_info);
1538 /****************************************************************************
1540 ****************************************************************************/
1542 struct rpc_pipe_bind_state {
1543 struct tevent_context *ev;
1544 struct rpc_pipe_client *cli;
1547 uint32_t rpc_call_id;
1548 struct netr_Authenticator auth;
1549 struct netr_Authenticator return_auth;
1550 struct netlogon_creds_CredentialState *creds;
1551 union netr_Capabilities capabilities;
1552 struct netr_LogonGetCapabilities r;
1555 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
1556 static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req);
1557 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1558 struct rpc_pipe_bind_state *state,
1559 DATA_BLOB *credentials);
1560 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1561 struct rpc_pipe_bind_state *state,
1562 DATA_BLOB *credentials);
1564 struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
1565 struct tevent_context *ev,
1566 struct rpc_pipe_client *cli,
1567 struct pipe_auth_data *auth)
1569 struct tevent_req *req, *subreq;
1570 struct rpc_pipe_bind_state *state;
1573 req = tevent_req_create(mem_ctx, &state, struct rpc_pipe_bind_state);
1578 DEBUG(5,("Bind RPC Pipe: %s auth_type %u, auth_level %u\n",
1579 rpccli_pipe_txt(talloc_tos(), cli),
1580 (unsigned int)auth->auth_type,
1581 (unsigned int)auth->auth_level ));
1585 state->rpc_call_id = get_rpc_call_id();
1587 cli->auth = talloc_move(cli, &auth);
1589 /* Marshall the outgoing data. */
1590 status = create_rpc_bind_req(state, cli,
1593 &cli->abstract_syntax,
1594 &cli->transfer_syntax,
1597 if (!NT_STATUS_IS_OK(status) &&
1598 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1602 subreq = rpc_api_pipe_send(state, ev, cli, &state->rpc_out,
1603 DCERPC_PKT_BIND_ACK);
1604 if (subreq == NULL) {
1607 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1611 tevent_req_nterror(req, status);
1612 return tevent_req_post(req, ev);
1618 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
1620 struct tevent_req *req = tevent_req_callback_data(
1621 subreq, struct tevent_req);
1622 struct rpc_pipe_bind_state *state = tevent_req_data(
1623 req, struct rpc_pipe_bind_state);
1624 struct pipe_auth_data *pauth = state->cli->auth;
1625 struct gensec_security *gensec_security;
1626 struct ncacn_packet *pkt = NULL;
1627 struct dcerpc_auth auth;
1628 DATA_BLOB auth_token = data_blob_null;
1631 status = rpc_api_pipe_recv(subreq, talloc_tos(), &pkt, NULL);
1632 TALLOC_FREE(subreq);
1633 if (!NT_STATUS_IS_OK(status)) {
1634 DEBUG(3, ("rpc_pipe_bind: %s bind request returned %s\n",
1635 rpccli_pipe_txt(talloc_tos(), state->cli),
1636 nt_errstr(status)));
1637 tevent_req_nterror(req, status);
1642 tevent_req_done(req);
1646 if (!check_bind_response(&pkt->u.bind_ack, &state->cli->transfer_syntax)) {
1647 DEBUG(2, ("rpc_pipe_bind: check_bind_response failed.\n"));
1648 tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
1652 state->cli->max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
1653 state->cli->max_recv_frag = pkt->u.bind_ack.max_recv_frag;
1655 switch(pauth->auth_type) {
1657 case DCERPC_AUTH_TYPE_NONE:
1658 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1659 /* Bind complete. */
1660 tevent_req_done(req);
1663 case DCERPC_AUTH_TYPE_SCHANNEL:
1664 rpc_pipe_bind_step_two_trigger(req);
1667 case DCERPC_AUTH_TYPE_NTLMSSP:
1668 case DCERPC_AUTH_TYPE_SPNEGO:
1669 case DCERPC_AUTH_TYPE_KRB5:
1670 /* Paranoid lenght checks */
1671 if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
1672 + pkt->auth_length) {
1673 tevent_req_nterror(req,
1674 NT_STATUS_INFO_LENGTH_MISMATCH);
1677 /* get auth credentials */
1678 status = dcerpc_pull_dcerpc_auth(talloc_tos(),
1679 &pkt->u.bind_ack.auth_info,
1681 if (!NT_STATUS_IS_OK(status)) {
1682 DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
1683 nt_errstr(status)));
1684 tevent_req_nterror(req, status);
1694 * For authenticated binds we may need to do 3 or 4 leg binds.
1697 switch(pauth->auth_type) {
1699 case DCERPC_AUTH_TYPE_NONE:
1700 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1701 case DCERPC_AUTH_TYPE_SCHANNEL:
1702 /* Bind complete. */
1703 tevent_req_done(req);
1706 case DCERPC_AUTH_TYPE_NTLMSSP:
1707 case DCERPC_AUTH_TYPE_KRB5:
1708 case DCERPC_AUTH_TYPE_SPNEGO:
1709 gensec_security = talloc_get_type_abort(pauth->auth_ctx,
1710 struct gensec_security);
1711 status = gensec_update(gensec_security, state, NULL,
1712 auth.credentials, &auth_token);
1713 if (NT_STATUS_EQUAL(status,
1714 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1715 status = rpc_bind_next_send(req, state,
1717 } else if (NT_STATUS_IS_OK(status)) {
1718 if (auth_token.length == 0) {
1719 /* Bind complete. */
1720 tevent_req_done(req);
1723 status = rpc_bind_finish_send(req, state,
1732 if (!NT_STATUS_IS_OK(status)) {
1733 tevent_req_nterror(req, status);
1738 DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n",
1739 (unsigned int)state->cli->auth->auth_type));
1740 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
1743 static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq);
1745 static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req)
1747 struct rpc_pipe_bind_state *state =
1748 tevent_req_data(req,
1749 struct rpc_pipe_bind_state);
1750 struct dcerpc_binding_handle *b = state->cli->binding_handle;
1751 struct schannel_state *schannel_auth =
1752 talloc_get_type_abort(state->cli->auth->auth_ctx,
1753 struct schannel_state);
1754 struct tevent_req *subreq;
1756 if (schannel_auth == NULL ||
1757 !ndr_syntax_id_equal(&state->cli->abstract_syntax,
1758 &ndr_table_netlogon.syntax_id)) {
1759 tevent_req_done(req);
1763 ZERO_STRUCT(state->return_auth);
1765 state->creds = netlogon_creds_copy(state, schannel_auth->creds);
1766 if (state->creds == NULL) {
1767 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
1771 netlogon_creds_client_authenticator(state->creds, &state->auth);
1773 state->r.in.server_name = state->cli->srv_name_slash;
1774 state->r.in.computer_name = state->creds->computer_name;
1775 state->r.in.credential = &state->auth;
1776 state->r.in.query_level = 1;
1777 state->r.in.return_authenticator = &state->return_auth;
1779 state->r.out.capabilities = &state->capabilities;
1780 state->r.out.return_authenticator = &state->return_auth;
1782 subreq = dcerpc_netr_LogonGetCapabilities_r_send(talloc_tos(),
1786 if (subreq == NULL) {
1787 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
1791 tevent_req_set_callback(subreq, rpc_pipe_bind_step_two_done, req);
1795 static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
1797 struct tevent_req *req =
1798 tevent_req_callback_data(subreq,
1800 struct rpc_pipe_bind_state *state =
1801 tevent_req_data(req,
1802 struct rpc_pipe_bind_state);
1805 status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
1806 TALLOC_FREE(subreq);
1807 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1808 if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
1809 DEBUG(5, ("AES is not supported and the error was %s\n",
1810 nt_errstr(status)));
1811 tevent_req_nterror(req,
1812 NT_STATUS_INVALID_NETWORK_RESPONSE);
1816 /* This is probably NT */
1817 DEBUG(5, ("We are checking against an NT - %s\n",
1818 nt_errstr(status)));
1819 tevent_req_done(req);
1821 } else if (!NT_STATUS_IS_OK(status)) {
1822 DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
1823 nt_errstr(status)));
1824 tevent_req_nterror(req, status);
1828 if (NT_STATUS_EQUAL(state->r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
1829 if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
1830 /* This means AES isn't supported. */
1831 DEBUG(5, ("AES is not supported and the error was %s\n",
1832 nt_errstr(state->r.out.result)));
1833 tevent_req_nterror(req,
1834 NT_STATUS_INVALID_NETWORK_RESPONSE);
1838 /* This is probably an old Samba version */
1839 DEBUG(5, ("We are checking against an old Samba version - %s\n",
1840 nt_errstr(state->r.out.result)));
1841 tevent_req_done(req);
1845 /* We need to check the credential state here, cause win2k3 and earlier
1846 * returns NT_STATUS_NOT_IMPLEMENTED */
1847 if (!netlogon_creds_client_check(state->creds,
1848 &state->r.out.return_authenticator->cred)) {
1850 * Server replied with bad credential. Fail.
1852 DEBUG(0,("rpc_pipe_bind_step_two_done: server %s "
1853 "replied with bad credential\n",
1854 state->cli->desthost));
1855 tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
1859 if (!NT_STATUS_IS_OK(state->r.out.result)) {
1860 DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
1861 nt_errstr(state->r.out.result)));
1862 tevent_req_nterror(req, state->r.out.result);
1866 if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
1867 DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
1868 "but AES was not negotiated - downgrade detected",
1869 state->cli->desthost));
1870 tevent_req_nterror(req,
1871 NT_STATUS_INVALID_NETWORK_RESPONSE);
1875 TALLOC_FREE(state->cli->dc);
1876 state->cli->dc = talloc_move(state->cli, &state->creds);
1878 tevent_req_done(req);
1882 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1883 struct rpc_pipe_bind_state *state,
1884 DATA_BLOB *auth_token)
1886 struct pipe_auth_data *auth = state->cli->auth;
1887 struct tevent_req *subreq;
1890 /* Now prepare the alter context pdu. */
1891 data_blob_free(&state->rpc_out);
1893 status = create_rpc_alter_context(state,
1897 &state->cli->abstract_syntax,
1898 &state->cli->transfer_syntax,
1901 if (!NT_STATUS_IS_OK(status)) {
1905 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1906 &state->rpc_out, DCERPC_PKT_ALTER_RESP);
1907 if (subreq == NULL) {
1908 return NT_STATUS_NO_MEMORY;
1910 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1911 return NT_STATUS_OK;
1914 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1915 struct rpc_pipe_bind_state *state,
1916 DATA_BLOB *auth_token)
1918 struct pipe_auth_data *auth = state->cli->auth;
1919 struct tevent_req *subreq;
1922 state->auth3 = true;
1924 /* Now prepare the auth3 context pdu. */
1925 data_blob_free(&state->rpc_out);
1927 status = create_rpc_bind_auth3(state, state->cli,
1933 if (!NT_STATUS_IS_OK(status)) {
1937 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1938 &state->rpc_out, DCERPC_PKT_AUTH3);
1939 if (subreq == NULL) {
1940 return NT_STATUS_NO_MEMORY;
1942 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1943 return NT_STATUS_OK;
1946 NTSTATUS rpc_pipe_bind_recv(struct tevent_req *req)
1948 return tevent_req_simple_recv_ntstatus(req);
1951 NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
1952 struct pipe_auth_data *auth)
1954 TALLOC_CTX *frame = talloc_stackframe();
1955 struct tevent_context *ev;
1956 struct tevent_req *req;
1957 NTSTATUS status = NT_STATUS_OK;
1959 ev = samba_tevent_context_init(frame);
1961 status = NT_STATUS_NO_MEMORY;
1965 req = rpc_pipe_bind_send(frame, ev, cli, auth);
1967 status = NT_STATUS_NO_MEMORY;
1971 if (!tevent_req_poll(req, ev)) {
1972 status = map_nt_error_from_unix(errno);
1976 status = rpc_pipe_bind_recv(req);
1982 #define RPCCLI_DEFAULT_TIMEOUT 10000 /* 10 seconds. */
1984 unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli,
1985 unsigned int timeout)
1989 if (rpc_cli->transport == NULL) {
1990 return RPCCLI_DEFAULT_TIMEOUT;
1993 if (rpc_cli->transport->set_timeout == NULL) {
1994 return RPCCLI_DEFAULT_TIMEOUT;
1997 old = rpc_cli->transport->set_timeout(rpc_cli->transport->priv, timeout);
1999 return RPCCLI_DEFAULT_TIMEOUT;
2005 bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli)
2007 if (rpc_cli == NULL) {
2011 if (rpc_cli->transport == NULL) {
2015 return rpc_cli->transport->is_connected(rpc_cli->transport->priv);
2018 struct rpccli_bh_state {
2019 struct rpc_pipe_client *rpc_cli;
2022 static bool rpccli_bh_is_connected(struct dcerpc_binding_handle *h)
2024 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2025 struct rpccli_bh_state);
2027 return rpccli_is_connected(hs->rpc_cli);
2030 static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
2033 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2034 struct rpccli_bh_state);
2036 return rpccli_set_timeout(hs->rpc_cli, timeout);
2039 struct rpccli_bh_raw_call_state {
2045 static void rpccli_bh_raw_call_done(struct tevent_req *subreq);
2047 static struct tevent_req *rpccli_bh_raw_call_send(TALLOC_CTX *mem_ctx,
2048 struct tevent_context *ev,
2049 struct dcerpc_binding_handle *h,
2050 const struct GUID *object,
2053 const uint8_t *in_data,
2056 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2057 struct rpccli_bh_state);
2058 struct tevent_req *req;
2059 struct rpccli_bh_raw_call_state *state;
2061 struct tevent_req *subreq;
2063 req = tevent_req_create(mem_ctx, &state,
2064 struct rpccli_bh_raw_call_state);
2068 state->in_data.data = discard_const_p(uint8_t, in_data);
2069 state->in_data.length = in_length;
2071 ok = rpccli_bh_is_connected(h);
2073 tevent_req_nterror(req, NT_STATUS_CONNECTION_DISCONNECTED);
2074 return tevent_req_post(req, ev);
2077 subreq = rpc_api_pipe_req_send(state, ev, hs->rpc_cli,
2078 opnum, &state->in_data);
2079 if (tevent_req_nomem(subreq, req)) {
2080 return tevent_req_post(req, ev);
2082 tevent_req_set_callback(subreq, rpccli_bh_raw_call_done, req);
2087 static void rpccli_bh_raw_call_done(struct tevent_req *subreq)
2089 struct tevent_req *req =
2090 tevent_req_callback_data(subreq,
2092 struct rpccli_bh_raw_call_state *state =
2093 tevent_req_data(req,
2094 struct rpccli_bh_raw_call_state);
2097 state->out_flags = 0;
2099 /* TODO: support bigendian responses */
2101 status = rpc_api_pipe_req_recv(subreq, state, &state->out_data);
2102 TALLOC_FREE(subreq);
2103 if (!NT_STATUS_IS_OK(status)) {
2104 tevent_req_nterror(req, status);
2108 tevent_req_done(req);
2111 static NTSTATUS rpccli_bh_raw_call_recv(struct tevent_req *req,
2112 TALLOC_CTX *mem_ctx,
2115 uint32_t *out_flags)
2117 struct rpccli_bh_raw_call_state *state =
2118 tevent_req_data(req,
2119 struct rpccli_bh_raw_call_state);
2122 if (tevent_req_is_nterror(req, &status)) {
2123 tevent_req_received(req);
2127 *out_data = talloc_move(mem_ctx, &state->out_data.data);
2128 *out_length = state->out_data.length;
2129 *out_flags = state->out_flags;
2130 tevent_req_received(req);
2131 return NT_STATUS_OK;
2134 struct rpccli_bh_disconnect_state {
2138 static struct tevent_req *rpccli_bh_disconnect_send(TALLOC_CTX *mem_ctx,
2139 struct tevent_context *ev,
2140 struct dcerpc_binding_handle *h)
2142 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2143 struct rpccli_bh_state);
2144 struct tevent_req *req;
2145 struct rpccli_bh_disconnect_state *state;
2148 req = tevent_req_create(mem_ctx, &state,
2149 struct rpccli_bh_disconnect_state);
2154 ok = rpccli_bh_is_connected(h);
2156 tevent_req_nterror(req, NT_STATUS_CONNECTION_DISCONNECTED);
2157 return tevent_req_post(req, ev);
2161 * TODO: do a real async disconnect ...
2163 * For now the caller needs to free rpc_cli
2167 tevent_req_done(req);
2168 return tevent_req_post(req, ev);
2171 static NTSTATUS rpccli_bh_disconnect_recv(struct tevent_req *req)
2175 if (tevent_req_is_nterror(req, &status)) {
2176 tevent_req_received(req);
2180 tevent_req_received(req);
2181 return NT_STATUS_OK;
2184 static bool rpccli_bh_ref_alloc(struct dcerpc_binding_handle *h)
2189 static void rpccli_bh_do_ndr_print(struct dcerpc_binding_handle *h,
2191 const void *_struct_ptr,
2192 const struct ndr_interface_call *call)
2194 void *struct_ptr = discard_const(_struct_ptr);
2196 if (DEBUGLEVEL < 10) {
2200 if (ndr_flags & NDR_IN) {
2201 ndr_print_function_debug(call->ndr_print,
2206 if (ndr_flags & NDR_OUT) {
2207 ndr_print_function_debug(call->ndr_print,
2214 static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
2216 .is_connected = rpccli_bh_is_connected,
2217 .set_timeout = rpccli_bh_set_timeout,
2218 .raw_call_send = rpccli_bh_raw_call_send,
2219 .raw_call_recv = rpccli_bh_raw_call_recv,
2220 .disconnect_send = rpccli_bh_disconnect_send,
2221 .disconnect_recv = rpccli_bh_disconnect_recv,
2223 .ref_alloc = rpccli_bh_ref_alloc,
2224 .do_ndr_print = rpccli_bh_do_ndr_print,
2227 /* initialise a rpc_pipe_client binding handle */
2228 struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c)
2230 struct dcerpc_binding_handle *h;
2231 struct rpccli_bh_state *hs;
2233 h = dcerpc_binding_handle_create(c,
2238 struct rpccli_bh_state,
2248 NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
2249 struct pipe_auth_data **presult)
2251 struct pipe_auth_data *result;
2253 result = talloc(mem_ctx, struct pipe_auth_data);
2254 if (result == NULL) {
2255 return NT_STATUS_NO_MEMORY;
2258 result->auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
2259 result->auth_level = DCERPC_AUTH_LEVEL_CONNECT;
2261 result->user_name = talloc_strdup(result, "");
2262 result->domain = talloc_strdup(result, "");
2263 if ((result->user_name == NULL) || (result->domain == NULL)) {
2264 TALLOC_FREE(result);
2265 return NT_STATUS_NO_MEMORY;
2269 return NT_STATUS_OK;
2272 NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
2273 struct pipe_auth_data **presult)
2275 struct pipe_auth_data *result;
2277 result = talloc(mem_ctx, struct pipe_auth_data);
2278 if (result == NULL) {
2279 return NT_STATUS_NO_MEMORY;
2282 result->auth_type = DCERPC_AUTH_TYPE_NONE;
2283 result->auth_level = DCERPC_AUTH_LEVEL_NONE;
2285 result->user_name = talloc_strdup(result, "");
2286 result->domain = talloc_strdup(result, "");
2287 if ((result->user_name == NULL) || (result->domain == NULL)) {
2288 TALLOC_FREE(result);
2289 return NT_STATUS_NO_MEMORY;
2293 return NT_STATUS_OK;
2296 static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
2297 enum dcerpc_AuthType auth_type,
2298 enum dcerpc_AuthLevel auth_level,
2300 const char *target_service,
2302 const char *username,
2303 const char *password,
2304 enum credentials_use_kerberos use_kerberos,
2305 struct pipe_auth_data **presult)
2307 struct auth_generic_state *auth_generic_ctx;
2308 struct pipe_auth_data *result;
2311 result = talloc(mem_ctx, struct pipe_auth_data);
2312 if (result == NULL) {
2313 return NT_STATUS_NO_MEMORY;
2316 result->auth_type = auth_type;
2317 result->auth_level = auth_level;
2319 result->user_name = talloc_strdup(result, username);
2320 result->domain = talloc_strdup(result, domain);
2321 if ((result->user_name == NULL) || (result->domain == NULL)) {
2322 status = NT_STATUS_NO_MEMORY;
2326 status = auth_generic_client_prepare(result,
2328 if (!NT_STATUS_IS_OK(status)) {
2332 status = auth_generic_set_username(auth_generic_ctx, username);
2333 if (!NT_STATUS_IS_OK(status)) {
2337 status = auth_generic_set_domain(auth_generic_ctx, domain);
2338 if (!NT_STATUS_IS_OK(status)) {
2342 status = auth_generic_set_password(auth_generic_ctx, password);
2343 if (!NT_STATUS_IS_OK(status)) {
2347 status = gensec_set_target_service(auth_generic_ctx->gensec_security, target_service);
2348 if (!NT_STATUS_IS_OK(status)) {
2352 status = gensec_set_target_hostname(auth_generic_ctx->gensec_security, server);
2353 if (!NT_STATUS_IS_OK(status)) {
2357 cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
2359 status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
2360 if (!NT_STATUS_IS_OK(status)) {
2364 result->auth_ctx = talloc_move(result, &auth_generic_ctx->gensec_security);
2365 talloc_free(auth_generic_ctx);
2367 return NT_STATUS_OK;
2370 TALLOC_FREE(result);
2374 NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
2375 enum dcerpc_AuthLevel auth_level,
2376 struct netlogon_creds_CredentialState *creds,
2377 struct pipe_auth_data **presult)
2379 struct schannel_state *schannel_auth;
2380 struct pipe_auth_data *result;
2382 result = talloc(mem_ctx, struct pipe_auth_data);
2383 if (result == NULL) {
2384 return NT_STATUS_NO_MEMORY;
2387 result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
2388 result->auth_level = auth_level;
2390 result->user_name = talloc_strdup(result, "");
2391 result->domain = talloc_strdup(result, domain);
2392 if ((result->user_name == NULL) || (result->domain == NULL)) {
2396 schannel_auth = talloc_zero(result, struct schannel_state);
2397 if (schannel_auth == NULL) {
2401 schannel_auth->state = SCHANNEL_STATE_START;
2402 schannel_auth->initiator = true;
2403 schannel_auth->creds = netlogon_creds_copy(result, creds);
2405 result->auth_ctx = schannel_auth;
2407 return NT_STATUS_OK;
2410 TALLOC_FREE(result);
2411 return NT_STATUS_NO_MEMORY;
2415 * Create an rpc pipe client struct, connecting to a tcp port.
2417 static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
2418 const struct sockaddr_storage *ss_addr,
2420 const struct ndr_syntax_id *abstract_syntax,
2421 struct rpc_pipe_client **presult)
2423 struct rpc_pipe_client *result;
2424 struct sockaddr_storage addr;
2428 result = talloc_zero(mem_ctx, struct rpc_pipe_client);
2429 if (result == NULL) {
2430 return NT_STATUS_NO_MEMORY;
2433 result->abstract_syntax = *abstract_syntax;
2434 result->transfer_syntax = ndr_transfer_syntax_ndr;
2436 result->desthost = talloc_strdup(result, host);
2437 result->srv_name_slash = talloc_asprintf_strupper_m(
2438 result, "\\\\%s", result->desthost);
2439 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2440 status = NT_STATUS_NO_MEMORY;
2444 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2445 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2447 if (ss_addr == NULL) {
2448 if (!resolve_name(host, &addr, NBT_NAME_SERVER, false)) {
2449 status = NT_STATUS_NOT_FOUND;
2456 status = open_socket_out(&addr, port, 60*1000, &fd);
2457 if (!NT_STATUS_IS_OK(status)) {
2460 set_socket_options(fd, lp_socket_options());
2462 status = rpc_transport_sock_init(result, fd, &result->transport);
2463 if (!NT_STATUS_IS_OK(status)) {
2468 result->transport->transport = NCACN_IP_TCP;
2470 result->binding_handle = rpccli_bh_create(result);
2471 if (result->binding_handle == NULL) {
2472 TALLOC_FREE(result);
2473 return NT_STATUS_NO_MEMORY;
2477 return NT_STATUS_OK;
2480 TALLOC_FREE(result);
2485 * Determine the tcp port on which a dcerpc interface is listening
2486 * for the ncacn_ip_tcp transport via the endpoint mapper of the
2489 static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
2490 const struct sockaddr_storage *addr,
2491 const struct ndr_syntax_id *abstract_syntax,
2495 struct rpc_pipe_client *epm_pipe = NULL;
2496 struct dcerpc_binding_handle *epm_handle = NULL;
2497 struct pipe_auth_data *auth = NULL;
2498 struct dcerpc_binding *map_binding = NULL;
2499 struct dcerpc_binding *res_binding = NULL;
2500 struct epm_twr_t *map_tower = NULL;
2501 struct epm_twr_t *res_towers = NULL;
2502 struct policy_handle *entry_handle = NULL;
2503 uint32_t num_towers = 0;
2504 uint32_t max_towers = 1;
2505 struct epm_twr_p_t towers;
2506 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2507 uint32_t result = 0;
2509 if (pport == NULL) {
2510 status = NT_STATUS_INVALID_PARAMETER;
2514 if (ndr_syntax_id_equal(abstract_syntax,
2515 &ndr_table_epmapper.syntax_id)) {
2517 return NT_STATUS_OK;
2520 /* open the connection to the endpoint mapper */
2521 status = rpc_pipe_open_tcp_port(tmp_ctx, host, addr, 135,
2522 &ndr_table_epmapper.syntax_id,
2525 if (!NT_STATUS_IS_OK(status)) {
2528 epm_handle = epm_pipe->binding_handle;
2530 status = rpccli_anon_bind_data(tmp_ctx, &auth);
2531 if (!NT_STATUS_IS_OK(status)) {
2535 status = rpc_pipe_bind(epm_pipe, auth);
2536 if (!NT_STATUS_IS_OK(status)) {
2540 /* create tower for asking the epmapper */
2542 map_binding = talloc_zero(tmp_ctx, struct dcerpc_binding);
2543 if (map_binding == NULL) {
2544 status = NT_STATUS_NO_MEMORY;
2548 map_binding->transport = NCACN_IP_TCP;
2549 map_binding->object = *abstract_syntax;
2550 map_binding->host = host; /* needed? */
2551 map_binding->endpoint = "0"; /* correct? needed? */
2553 map_tower = talloc_zero(tmp_ctx, struct epm_twr_t);
2554 if (map_tower == NULL) {
2555 status = NT_STATUS_NO_MEMORY;
2559 status = dcerpc_binding_build_tower(tmp_ctx, map_binding,
2560 &(map_tower->tower));
2561 if (!NT_STATUS_IS_OK(status)) {
2565 /* allocate further parameters for the epm_Map call */
2567 res_towers = talloc_array(tmp_ctx, struct epm_twr_t, max_towers);
2568 if (res_towers == NULL) {
2569 status = NT_STATUS_NO_MEMORY;
2572 towers.twr = res_towers;
2574 entry_handle = talloc_zero(tmp_ctx, struct policy_handle);
2575 if (entry_handle == NULL) {
2576 status = NT_STATUS_NO_MEMORY;
2580 /* ask the endpoint mapper for the port */
2582 status = dcerpc_epm_Map(epm_handle,
2584 discard_const_p(struct GUID,
2585 &(abstract_syntax->uuid)),
2593 if (!NT_STATUS_IS_OK(status)) {
2597 if (result != EPMAPPER_STATUS_OK) {
2598 status = NT_STATUS_UNSUCCESSFUL;
2602 if (num_towers != 1) {
2603 status = NT_STATUS_UNSUCCESSFUL;
2607 /* extract the port from the answer */
2609 status = dcerpc_binding_from_tower(tmp_ctx,
2610 &(towers.twr->tower),
2612 if (!NT_STATUS_IS_OK(status)) {
2616 /* are further checks here necessary? */
2617 if (res_binding->transport != NCACN_IP_TCP) {
2618 status = NT_STATUS_UNSUCCESSFUL;
2622 *pport = (uint16_t)atoi(res_binding->endpoint);
2625 TALLOC_FREE(tmp_ctx);
2630 * Create a rpc pipe client struct, connecting to a host via tcp.
2631 * The port is determined by asking the endpoint mapper on the given
2634 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
2635 const struct sockaddr_storage *addr,
2636 const struct ndr_syntax_id *abstract_syntax,
2637 struct rpc_pipe_client **presult)
2642 status = rpc_pipe_get_tcp_port(host, addr, abstract_syntax, &port);
2643 if (!NT_STATUS_IS_OK(status)) {
2647 return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
2648 abstract_syntax, presult);
2651 /********************************************************************
2652 Create a rpc pipe client struct, connecting to a unix domain socket
2653 ********************************************************************/
2654 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
2655 const struct ndr_syntax_id *abstract_syntax,
2656 struct rpc_pipe_client **presult)
2658 struct rpc_pipe_client *result;
2659 struct sockaddr_un addr;
2664 result = talloc_zero(mem_ctx, struct rpc_pipe_client);
2665 if (result == NULL) {
2666 return NT_STATUS_NO_MEMORY;
2669 result->abstract_syntax = *abstract_syntax;
2670 result->transfer_syntax = ndr_transfer_syntax_ndr;
2672 result->desthost = get_myname(result);
2673 result->srv_name_slash = talloc_asprintf_strupper_m(
2674 result, "\\\\%s", result->desthost);
2675 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2676 status = NT_STATUS_NO_MEMORY;
2680 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2681 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2683 fd = socket(AF_UNIX, SOCK_STREAM, 0);
2685 status = map_nt_error_from_unix(errno);
2690 addr.sun_family = AF_UNIX;
2691 strlcpy(addr.sun_path, socket_path, sizeof(addr.sun_path));
2692 salen = sizeof(struct sockaddr_un);
2694 if (connect(fd, (struct sockaddr *)(void *)&addr, salen) == -1) {
2695 DEBUG(0, ("connect(%s) failed: %s\n", socket_path,
2698 return map_nt_error_from_unix(errno);
2701 status = rpc_transport_sock_init(result, fd, &result->transport);
2702 if (!NT_STATUS_IS_OK(status)) {
2707 result->transport->transport = NCALRPC;
2709 result->binding_handle = rpccli_bh_create(result);
2710 if (result->binding_handle == NULL) {
2711 TALLOC_FREE(result);
2712 return NT_STATUS_NO_MEMORY;
2716 return NT_STATUS_OK;
2719 TALLOC_FREE(result);
2723 struct rpc_pipe_client_np_ref {
2724 struct cli_state *cli;
2725 struct rpc_pipe_client *pipe;
2728 static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_ref)
2730 DLIST_REMOVE(np_ref->cli->pipe_list, np_ref->pipe);
2734 /****************************************************************************
2735 Open a named pipe over SMB to a remote server.
2737 * CAVEAT CALLER OF THIS FUNCTION:
2738 * The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
2739 * so be sure that this function is called AFTER any structure (vs pointer)
2740 * assignment of the cli. In particular, libsmbclient does structure
2741 * assignments of cli, which invalidates the data in the returned
2742 * rpc_pipe_client if this function is called before the structure assignment
2745 ****************************************************************************/
2747 static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
2748 const struct ndr_syntax_id *abstract_syntax,
2749 struct rpc_pipe_client **presult)
2751 struct rpc_pipe_client *result;
2753 struct rpc_pipe_client_np_ref *np_ref;
2755 /* sanity check to protect against crashes */
2758 return NT_STATUS_INVALID_HANDLE;
2761 result = talloc_zero(NULL, struct rpc_pipe_client);
2762 if (result == NULL) {
2763 return NT_STATUS_NO_MEMORY;
2766 result->abstract_syntax = *abstract_syntax;
2767 result->transfer_syntax = ndr_transfer_syntax_ndr;
2768 result->desthost = talloc_strdup(result, smbXcli_conn_remote_name(cli->conn));
2769 result->srv_name_slash = talloc_asprintf_strupper_m(
2770 result, "\\\\%s", result->desthost);
2772 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2773 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2775 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2776 TALLOC_FREE(result);
2777 return NT_STATUS_NO_MEMORY;
2780 status = rpc_transport_np_init(result, cli, abstract_syntax,
2781 &result->transport);
2782 if (!NT_STATUS_IS_OK(status)) {
2783 TALLOC_FREE(result);
2787 result->transport->transport = NCACN_NP;
2789 np_ref = talloc(result->transport, struct rpc_pipe_client_np_ref);
2790 if (np_ref == NULL) {
2791 TALLOC_FREE(result);
2792 return NT_STATUS_NO_MEMORY;
2795 np_ref->pipe = result;
2797 DLIST_ADD(np_ref->cli->pipe_list, np_ref->pipe);
2798 talloc_set_destructor(np_ref, rpc_pipe_client_np_ref_destructor);
2800 result->binding_handle = rpccli_bh_create(result);
2801 if (result->binding_handle == NULL) {
2802 TALLOC_FREE(result);
2803 return NT_STATUS_NO_MEMORY;
2807 return NT_STATUS_OK;
2810 /****************************************************************************
2811 Open a pipe to a remote server.
2812 ****************************************************************************/
2814 static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
2815 enum dcerpc_transport_t transport,
2816 const struct ndr_syntax_id *interface,
2817 struct rpc_pipe_client **presult)
2819 switch (transport) {
2821 return rpc_pipe_open_tcp(NULL,
2822 smbXcli_conn_remote_name(cli->conn),
2823 smbXcli_conn_remote_sockaddr(cli->conn),
2824 interface, presult);
2826 return rpc_pipe_open_np(cli, interface, presult);
2828 return NT_STATUS_NOT_IMPLEMENTED;
2832 /****************************************************************************
2833 Open a named pipe to an SMB server and bind anonymously.
2834 ****************************************************************************/
2836 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
2837 enum dcerpc_transport_t transport,
2838 const struct ndr_syntax_id *interface,
2839 struct rpc_pipe_client **presult)
2841 struct rpc_pipe_client *result;
2842 struct pipe_auth_data *auth;
2845 status = cli_rpc_pipe_open(cli, transport, interface, &result);
2846 if (!NT_STATUS_IS_OK(status)) {
2850 status = rpccli_anon_bind_data(result, &auth);
2851 if (!NT_STATUS_IS_OK(status)) {
2852 DEBUG(0, ("rpccli_anon_bind_data returned %s\n",
2853 nt_errstr(status)));
2854 TALLOC_FREE(result);
2859 * This is a bit of an abstraction violation due to the fact that an
2860 * anonymous bind on an authenticated SMB inherits the user/domain
2861 * from the enclosing SMB creds
2864 TALLOC_FREE(auth->user_name);
2865 TALLOC_FREE(auth->domain);
2867 auth->user_name = talloc_strdup(auth, cli->user_name);
2868 auth->domain = talloc_strdup(auth, cli->domain);
2870 if (transport == NCACN_NP) {
2871 struct smbXcli_session *session;
2873 if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
2874 session = cli->smb2.session;
2876 session = cli->smb1.session;
2879 status = smbXcli_session_application_key(session, auth,
2880 &auth->transport_session_key);
2881 if (!NT_STATUS_IS_OK(status)) {
2882 auth->transport_session_key = data_blob_null;
2886 if ((auth->user_name == NULL) || (auth->domain == NULL)) {
2887 TALLOC_FREE(result);
2888 return NT_STATUS_NO_MEMORY;
2891 status = rpc_pipe_bind(result, auth);
2892 if (!NT_STATUS_IS_OK(status)) {
2894 if (ndr_syntax_id_equal(interface,
2895 &ndr_table_dssetup.syntax_id)) {
2896 /* non AD domains just don't have this pipe, avoid
2897 * level 0 statement in that case - gd */
2900 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
2901 "%s failed with error %s\n",
2902 get_pipe_name_from_syntax(talloc_tos(), interface),
2903 nt_errstr(status) ));
2904 TALLOC_FREE(result);
2908 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
2909 "%s and bound anonymously.\n",
2910 get_pipe_name_from_syntax(talloc_tos(), interface),
2914 return NT_STATUS_OK;
2917 /****************************************************************************
2918 ****************************************************************************/
2920 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
2921 const struct ndr_syntax_id *interface,
2922 struct rpc_pipe_client **presult)
2924 return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
2925 interface, presult);
2928 /****************************************************************************
2929 Open a named pipe to an SMB server and bind using the mech specified
2930 ****************************************************************************/
2932 NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
2933 const struct ndr_interface_table *table,
2934 enum dcerpc_transport_t transport,
2935 enum dcerpc_AuthType auth_type,
2936 enum dcerpc_AuthLevel auth_level,
2939 const char *username,
2940 const char *password,
2941 struct rpc_pipe_client **presult)
2943 struct rpc_pipe_client *result;
2944 struct pipe_auth_data *auth = NULL;
2945 const char *target_service = table->authservices->names[0];
2949 status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
2950 if (!NT_STATUS_IS_OK(status)) {
2954 status = rpccli_generic_bind_data(result,
2955 auth_type, auth_level,
2956 server, target_service,
2957 domain, username, password,
2958 CRED_AUTO_USE_KERBEROS,
2960 if (!NT_STATUS_IS_OK(status)) {
2961 DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
2962 nt_errstr(status)));
2966 status = rpc_pipe_bind(result, auth);
2967 if (!NT_STATUS_IS_OK(status)) {
2968 DEBUG(0, ("cli_rpc_pipe_open_generic_auth: cli_rpc_pipe_bind failed with error %s\n",
2969 nt_errstr(status) ));
2973 DEBUG(10,("cli_rpc_pipe_open_generic_auth: opened pipe %s to "
2974 "machine %s and bound as user %s\\%s.\n", table->name,
2975 result->desthost, domain, username));
2978 return NT_STATUS_OK;
2982 TALLOC_FREE(result);
2986 /****************************************************************************
2988 Open a named pipe to an SMB server and bind using schannel (bind type 68)
2989 using session_key. sign and seal.
2991 The *pdc will be stolen onto this new pipe
2992 ****************************************************************************/
2994 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
2995 const struct ndr_syntax_id *interface,
2996 enum dcerpc_transport_t transport,
2997 enum dcerpc_AuthLevel auth_level,
2999 struct netlogon_creds_CredentialState **pdc,
3000 struct rpc_pipe_client **presult)
3002 struct rpc_pipe_client *result;
3003 struct pipe_auth_data *auth;
3006 status = cli_rpc_pipe_open(cli, transport, interface, &result);
3007 if (!NT_STATUS_IS_OK(status)) {
3011 status = rpccli_schannel_bind_data(result, domain, auth_level,
3013 if (!NT_STATUS_IS_OK(status)) {
3014 DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
3015 nt_errstr(status)));
3016 TALLOC_FREE(result);
3020 status = rpc_pipe_bind(result, auth);
3021 if (!NT_STATUS_IS_OK(status)) {
3022 DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
3023 "cli_rpc_pipe_bind failed with error %s\n",
3024 nt_errstr(status) ));
3025 TALLOC_FREE(result);
3030 * The credentials on a new netlogon pipe are the ones we are passed
3031 * in - copy them over
3033 if (result->dc == NULL) {
3034 result->dc = netlogon_creds_copy(result, *pdc);
3035 if (result->dc == NULL) {
3036 TALLOC_FREE(result);
3037 return NT_STATUS_NO_MEMORY;
3041 DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
3042 "for domain %s and bound using schannel.\n",
3043 get_pipe_name_from_syntax(talloc_tos(), interface),
3044 result->desthost, domain));
3047 return NT_STATUS_OK;
3050 NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
3051 const struct ndr_interface_table *table,
3052 enum dcerpc_transport_t transport,
3054 enum dcerpc_AuthLevel auth_level,
3057 const char *username,
3058 const char *password,
3059 struct rpc_pipe_client **presult)
3061 struct rpc_pipe_client *result;
3062 struct pipe_auth_data *auth = NULL;
3063 const char *target_service = table->authservices->names[0];
3066 enum credentials_use_kerberos use_kerberos;
3068 if (strcmp(oid, GENSEC_OID_KERBEROS5) == 0) {
3069 use_kerberos = CRED_MUST_USE_KERBEROS;
3070 } else if (strcmp(oid, GENSEC_OID_NTLMSSP) == 0) {
3071 use_kerberos = CRED_DONT_USE_KERBEROS;
3073 return NT_STATUS_INVALID_PARAMETER;
3076 status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
3077 if (!NT_STATUS_IS_OK(status)) {
3081 status = rpccli_generic_bind_data(result,
3082 DCERPC_AUTH_TYPE_SPNEGO, auth_level,
3083 server, target_service,
3084 domain, username, password,
3087 if (!NT_STATUS_IS_OK(status)) {
3088 DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
3089 nt_errstr(status)));
3093 status = rpc_pipe_bind(result, auth);
3094 if (!NT_STATUS_IS_OK(status)) {
3095 DEBUG(0, ("cli_rpc_pipe_open_spnego: cli_rpc_pipe_bind failed with error %s\n",
3096 nt_errstr(status) ));
3100 DEBUG(10,("cli_rpc_pipe_open_spnego: opened pipe %s to "
3101 "machine %s.\n", table->name,
3105 return NT_STATUS_OK;
3109 TALLOC_FREE(result);
3113 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
3114 struct rpc_pipe_client *cli,
3115 DATA_BLOB *session_key)
3118 struct pipe_auth_data *a;
3119 struct schannel_state *schannel_auth;
3120 struct gensec_security *gensec_security;
3121 DATA_BLOB sk = data_blob_null;
3122 bool make_dup = false;
3124 if (!session_key || !cli) {
3125 return NT_STATUS_INVALID_PARAMETER;
3131 return NT_STATUS_INVALID_PARAMETER;
3134 switch (cli->auth->auth_type) {
3135 case DCERPC_AUTH_TYPE_SCHANNEL:
3136 schannel_auth = talloc_get_type_abort(a->auth_ctx,
3137 struct schannel_state);
3138 sk = data_blob_const(schannel_auth->creds->session_key, 16);
3141 case DCERPC_AUTH_TYPE_SPNEGO:
3142 case DCERPC_AUTH_TYPE_NTLMSSP:
3143 case DCERPC_AUTH_TYPE_KRB5:
3144 gensec_security = talloc_get_type_abort(a->auth_ctx,
3145 struct gensec_security);
3146 status = gensec_session_key(gensec_security, mem_ctx, &sk);
3147 if (!NT_STATUS_IS_OK(status)) {
3152 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
3153 case DCERPC_AUTH_TYPE_NONE:
3154 sk = data_blob_const(a->transport_session_key.data,
3155 a->transport_session_key.length);
3163 return NT_STATUS_NO_USER_SESSION_KEY;
3167 *session_key = data_blob_dup_talloc(mem_ctx, sk);
3172 return NT_STATUS_OK;