2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client routines
4 * Largely rewritten by Jeremy Allison 2005.
5 * Heavily modified by Simo Sorce 2010.
6 * Copyright Andrew Bartlett 2011.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 #include "../lib/util/tevent_ntstatus.h"
24 #include "librpc/gen_ndr/ndr_epmapper_c.h"
25 #include "../librpc/gen_ndr/ndr_dssetup.h"
26 #include "../libcli/auth/schannel.h"
27 #include "../libcli/auth/netlogon_creds_cli.h"
28 #include "auth_generic.h"
29 #include "librpc/gen_ndr/ndr_dcerpc.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "librpc/rpc/dcerpc.h"
34 #include "libsmb/libsmb.h"
35 #include "auth/gensec/gensec.h"
36 #include "auth/credentials/credentials.h"
37 #include "../libcli/smb/smbXcli_base.h"
40 #define DBGC_CLASS DBGC_RPC_CLI
42 /********************************************************************
43 Pipe description for a DEBUG
44 ********************************************************************/
45 static const char *rpccli_pipe_txt(TALLOC_CTX *mem_ctx,
46 struct rpc_pipe_client *cli)
48 char *result = talloc_asprintf(mem_ctx, "host %s", cli->desthost);
55 /********************************************************************
57 ********************************************************************/
59 static uint32_t get_rpc_call_id(void)
61 static uint32_t call_id = 0;
65 /*******************************************************************
66 Use SMBreadX to get rest of one fragment's worth of rpc data.
67 Reads the whole size or give an error message
68 ********************************************************************/
70 struct rpc_read_state {
71 struct tevent_context *ev;
72 struct rpc_cli_transport *transport;
78 static void rpc_read_done(struct tevent_req *subreq);
80 static struct tevent_req *rpc_read_send(TALLOC_CTX *mem_ctx,
81 struct tevent_context *ev,
82 struct rpc_cli_transport *transport,
83 uint8_t *data, size_t size)
85 struct tevent_req *req, *subreq;
86 struct rpc_read_state *state;
88 req = tevent_req_create(mem_ctx, &state, struct rpc_read_state);
93 state->transport = transport;
98 DEBUG(5, ("rpc_read_send: data_to_read: %u\n", (unsigned int)size));
100 subreq = transport->read_send(state, ev, (uint8_t *)data, size,
102 if (subreq == NULL) {
105 tevent_req_set_callback(subreq, rpc_read_done, req);
113 static void rpc_read_done(struct tevent_req *subreq)
115 struct tevent_req *req = tevent_req_callback_data(
116 subreq, struct tevent_req);
117 struct rpc_read_state *state = tevent_req_data(
118 req, struct rpc_read_state);
122 status = state->transport->read_recv(subreq, &received);
124 if (!NT_STATUS_IS_OK(status)) {
125 tevent_req_nterror(req, status);
129 state->num_read += received;
130 if (state->num_read == state->size) {
131 tevent_req_done(req);
135 subreq = state->transport->read_send(state, state->ev,
136 state->data + state->num_read,
137 state->size - state->num_read,
138 state->transport->priv);
139 if (tevent_req_nomem(subreq, req)) {
142 tevent_req_set_callback(subreq, rpc_read_done, req);
145 static NTSTATUS rpc_read_recv(struct tevent_req *req)
147 return tevent_req_simple_recv_ntstatus(req);
150 struct rpc_write_state {
151 struct tevent_context *ev;
152 struct rpc_cli_transport *transport;
158 static void rpc_write_done(struct tevent_req *subreq);
160 static struct tevent_req *rpc_write_send(TALLOC_CTX *mem_ctx,
161 struct tevent_context *ev,
162 struct rpc_cli_transport *transport,
163 const uint8_t *data, size_t size)
165 struct tevent_req *req, *subreq;
166 struct rpc_write_state *state;
168 req = tevent_req_create(mem_ctx, &state, struct rpc_write_state);
173 state->transport = transport;
176 state->num_written = 0;
178 DEBUG(5, ("rpc_write_send: data_to_write: %u\n", (unsigned int)size));
180 subreq = transport->write_send(state, ev, data, size, transport->priv);
181 if (subreq == NULL) {
184 tevent_req_set_callback(subreq, rpc_write_done, req);
191 static void rpc_write_done(struct tevent_req *subreq)
193 struct tevent_req *req = tevent_req_callback_data(
194 subreq, struct tevent_req);
195 struct rpc_write_state *state = tevent_req_data(
196 req, struct rpc_write_state);
200 status = state->transport->write_recv(subreq, &written);
202 if (!NT_STATUS_IS_OK(status)) {
203 tevent_req_nterror(req, status);
207 state->num_written += written;
209 if (state->num_written == state->size) {
210 tevent_req_done(req);
214 subreq = state->transport->write_send(state, state->ev,
215 state->data + state->num_written,
216 state->size - state->num_written,
217 state->transport->priv);
218 if (tevent_req_nomem(subreq, req)) {
221 tevent_req_set_callback(subreq, rpc_write_done, req);
224 static NTSTATUS rpc_write_recv(struct tevent_req *req)
226 return tevent_req_simple_recv_ntstatus(req);
230 /****************************************************************************
231 Try and get a PDU's worth of data from current_pdu. If not, then read more
233 ****************************************************************************/
235 struct get_complete_frag_state {
236 struct tevent_context *ev;
237 struct rpc_pipe_client *cli;
242 static void get_complete_frag_got_header(struct tevent_req *subreq);
243 static void get_complete_frag_got_rest(struct tevent_req *subreq);
245 static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
246 struct tevent_context *ev,
247 struct rpc_pipe_client *cli,
250 struct tevent_req *req, *subreq;
251 struct get_complete_frag_state *state;
255 req = tevent_req_create(mem_ctx, &state,
256 struct get_complete_frag_state);
262 state->frag_len = RPC_HEADER_LEN;
265 received = pdu->length;
266 if (received < RPC_HEADER_LEN) {
267 if (!data_blob_realloc(mem_ctx, pdu, RPC_HEADER_LEN)) {
268 status = NT_STATUS_NO_MEMORY;
271 subreq = rpc_read_send(state, state->ev,
272 state->cli->transport,
273 pdu->data + received,
274 RPC_HEADER_LEN - received);
275 if (subreq == NULL) {
276 status = NT_STATUS_NO_MEMORY;
279 tevent_req_set_callback(subreq, get_complete_frag_got_header,
284 state->frag_len = dcerpc_get_frag_length(pdu);
285 if (state->frag_len < RPC_HEADER_LEN) {
286 tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
287 return tevent_req_post(req, ev);
291 * Ensure we have frag_len bytes of data.
293 if (received < state->frag_len) {
294 if (!data_blob_realloc(NULL, pdu, state->frag_len)) {
295 status = NT_STATUS_NO_MEMORY;
298 subreq = rpc_read_send(state, state->ev,
299 state->cli->transport,
300 pdu->data + received,
301 state->frag_len - received);
302 if (subreq == NULL) {
303 status = NT_STATUS_NO_MEMORY;
306 tevent_req_set_callback(subreq, get_complete_frag_got_rest,
311 status = NT_STATUS_OK;
313 if (NT_STATUS_IS_OK(status)) {
314 tevent_req_done(req);
316 tevent_req_nterror(req, status);
318 return tevent_req_post(req, ev);
321 static void get_complete_frag_got_header(struct tevent_req *subreq)
323 struct tevent_req *req = tevent_req_callback_data(
324 subreq, struct tevent_req);
325 struct get_complete_frag_state *state = tevent_req_data(
326 req, struct get_complete_frag_state);
329 status = rpc_read_recv(subreq);
331 if (!NT_STATUS_IS_OK(status)) {
332 tevent_req_nterror(req, status);
336 state->frag_len = dcerpc_get_frag_length(state->pdu);
337 if (state->frag_len < RPC_HEADER_LEN) {
338 tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
342 if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
343 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
348 * We're here in this piece of code because we've read exactly
349 * RPC_HEADER_LEN bytes into state->pdu.
352 subreq = rpc_read_send(state, state->ev, state->cli->transport,
353 state->pdu->data + RPC_HEADER_LEN,
354 state->frag_len - RPC_HEADER_LEN);
355 if (tevent_req_nomem(subreq, req)) {
358 tevent_req_set_callback(subreq, get_complete_frag_got_rest, req);
361 static void get_complete_frag_got_rest(struct tevent_req *subreq)
363 struct tevent_req *req = tevent_req_callback_data(
364 subreq, struct tevent_req);
367 status = rpc_read_recv(subreq);
369 if (!NT_STATUS_IS_OK(status)) {
370 tevent_req_nterror(req, status);
373 tevent_req_done(req);
376 static NTSTATUS get_complete_frag_recv(struct tevent_req *req)
378 return tevent_req_simple_recv_ntstatus(req);
381 /****************************************************************************
382 Do basic authentication checks on an incoming pdu.
383 ****************************************************************************/
385 static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
386 struct rpc_pipe_client *cli,
387 struct ncacn_packet *pkt,
389 uint8_t expected_pkt_type,
392 DATA_BLOB *reply_pdu)
394 struct dcerpc_response *r;
395 NTSTATUS ret = NT_STATUS_OK;
399 * Point the return values at the real data including the RPC
400 * header. Just in case the caller wants it.
404 if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
405 !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
407 * TODO: do we still need this hack which was introduced
408 * in commit a42afcdcc7ab9aa9ed193ae36d3dbb10843447f0.
410 * I don't even know what AS/U might be...
412 DEBUG(5, (__location__ ": bug in server (AS/U?), setting "
413 "fragment first/last ON.\n"));
414 pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
417 /* Ensure we have the correct type. */
418 switch (pkt->ptype) {
419 case DCERPC_PKT_ALTER_RESP:
420 case DCERPC_PKT_BIND_ACK:
422 /* Client code never receives this kind of packets */
426 case DCERPC_PKT_RESPONSE:
428 r = &pkt->u.response;
430 /* Here's where we deal with incoming sign/seal. */
431 ret = dcerpc_check_auth(cli->auth, pkt,
432 &r->stub_and_verifier,
433 DCERPC_RESPONSE_LENGTH,
435 if (!NT_STATUS_IS_OK(ret)) {
439 if (pkt->frag_length < DCERPC_RESPONSE_LENGTH + pad_len) {
440 return NT_STATUS_BUFFER_TOO_SMALL;
443 /* Point the return values at the NDR data. */
444 rdata->data = r->stub_and_verifier.data;
446 if (pkt->auth_length) {
447 /* We've already done integer wrap tests in
448 * dcerpc_check_auth(). */
449 rdata->length = r->stub_and_verifier.length
451 - DCERPC_AUTH_TRAILER_LENGTH
454 rdata->length = r->stub_and_verifier.length;
457 DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
458 (long unsigned int)pdu->length,
459 (long unsigned int)rdata->length,
460 (unsigned int)pad_len));
463 * If this is the first reply, and the allocation hint is
464 * reasonable, try and set up the reply_pdu DATA_BLOB to the
468 if ((reply_pdu->length == 0) &&
469 r->alloc_hint && (r->alloc_hint < 15*1024*1024)) {
470 if (!data_blob_realloc(mem_ctx, reply_pdu,
472 DEBUG(0, ("reply alloc hint %d too "
473 "large to allocate\n",
474 (int)r->alloc_hint));
475 return NT_STATUS_NO_MEMORY;
481 case DCERPC_PKT_BIND_NAK:
482 DEBUG(1, (__location__ ": Bind NACK received from %s!\n",
483 rpccli_pipe_txt(talloc_tos(), cli)));
484 /* Use this for now... */
485 return NT_STATUS_NETWORK_ACCESS_DENIED;
487 case DCERPC_PKT_FAULT:
489 DEBUG(1, (__location__ ": RPC fault code %s received "
491 dcerpc_errstr(talloc_tos(),
492 pkt->u.fault.status),
493 rpccli_pipe_txt(talloc_tos(), cli)));
495 return dcerpc_fault_to_nt_status(pkt->u.fault.status);
498 DEBUG(0, (__location__ "Unknown packet type %u received "
500 (unsigned int)pkt->ptype,
501 rpccli_pipe_txt(talloc_tos(), cli)));
502 return NT_STATUS_RPC_PROTOCOL_ERROR;
505 if (pkt->ptype != expected_pkt_type) {
506 DEBUG(3, (__location__ ": Connection to %s got an unexpected "
507 "RPC packet type - %u, not %u\n",
508 rpccli_pipe_txt(talloc_tos(), cli),
509 pkt->ptype, expected_pkt_type));
510 return NT_STATUS_RPC_PROTOCOL_ERROR;
513 if (pkt->call_id != call_id) {
514 DEBUG(3, (__location__ ": Connection to %s got an unexpected "
515 "RPC call_id - %u, not %u\n",
516 rpccli_pipe_txt(talloc_tos(), cli),
517 pkt->call_id, call_id));
518 return NT_STATUS_RPC_PROTOCOL_ERROR;
524 /****************************************************************************
525 Call a remote api on an arbitrary pipe. takes param, data and setup buffers.
526 ****************************************************************************/
528 struct cli_api_pipe_state {
529 struct tevent_context *ev;
530 struct rpc_cli_transport *transport;
535 static void cli_api_pipe_trans_done(struct tevent_req *subreq);
536 static void cli_api_pipe_write_done(struct tevent_req *subreq);
537 static void cli_api_pipe_read_done(struct tevent_req *subreq);
539 static struct tevent_req *cli_api_pipe_send(TALLOC_CTX *mem_ctx,
540 struct tevent_context *ev,
541 struct rpc_cli_transport *transport,
542 uint8_t *data, size_t data_len,
543 uint32_t max_rdata_len)
545 struct tevent_req *req, *subreq;
546 struct cli_api_pipe_state *state;
549 req = tevent_req_create(mem_ctx, &state, struct cli_api_pipe_state);
554 state->transport = transport;
556 if (max_rdata_len < RPC_HEADER_LEN) {
558 * For a RPC reply we always need at least RPC_HEADER_LEN
559 * bytes. We check this here because we will receive
560 * RPC_HEADER_LEN bytes in cli_trans_sock_send_done.
562 status = NT_STATUS_INVALID_PARAMETER;
566 if (transport->trans_send != NULL) {
567 subreq = transport->trans_send(state, ev, data, data_len,
568 max_rdata_len, transport->priv);
569 if (subreq == NULL) {
572 tevent_req_set_callback(subreq, cli_api_pipe_trans_done, req);
577 * If the transport does not provide a "trans" routine, i.e. for
578 * example the ncacn_ip_tcp transport, do the write/read step here.
581 subreq = rpc_write_send(state, ev, transport, data, data_len);
582 if (subreq == NULL) {
585 tevent_req_set_callback(subreq, cli_api_pipe_write_done, req);
589 tevent_req_nterror(req, status);
590 return tevent_req_post(req, ev);
596 static void cli_api_pipe_trans_done(struct tevent_req *subreq)
598 struct tevent_req *req = tevent_req_callback_data(
599 subreq, struct tevent_req);
600 struct cli_api_pipe_state *state = tevent_req_data(
601 req, struct cli_api_pipe_state);
604 status = state->transport->trans_recv(subreq, state, &state->rdata,
607 if (!NT_STATUS_IS_OK(status)) {
608 tevent_req_nterror(req, status);
611 tevent_req_done(req);
614 static void cli_api_pipe_write_done(struct tevent_req *subreq)
616 struct tevent_req *req = tevent_req_callback_data(
617 subreq, struct tevent_req);
618 struct cli_api_pipe_state *state = tevent_req_data(
619 req, struct cli_api_pipe_state);
622 status = rpc_write_recv(subreq);
624 if (!NT_STATUS_IS_OK(status)) {
625 tevent_req_nterror(req, status);
629 state->rdata = talloc_array(state, uint8_t, RPC_HEADER_LEN);
630 if (tevent_req_nomem(state->rdata, req)) {
635 * We don't need to use rpc_read_send here, the upper layer will cope
636 * with a short read, transport->trans_send could also return less
637 * than state->max_rdata_len.
639 subreq = state->transport->read_send(state, state->ev, state->rdata,
641 state->transport->priv);
642 if (tevent_req_nomem(subreq, req)) {
645 tevent_req_set_callback(subreq, cli_api_pipe_read_done, req);
648 static void cli_api_pipe_read_done(struct tevent_req *subreq)
650 struct tevent_req *req = tevent_req_callback_data(
651 subreq, struct tevent_req);
652 struct cli_api_pipe_state *state = tevent_req_data(
653 req, struct cli_api_pipe_state);
657 status = state->transport->read_recv(subreq, &received);
659 if (!NT_STATUS_IS_OK(status)) {
660 tevent_req_nterror(req, status);
663 state->rdata_len = received;
664 tevent_req_done(req);
667 static NTSTATUS cli_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
668 uint8_t **prdata, uint32_t *prdata_len)
670 struct cli_api_pipe_state *state = tevent_req_data(
671 req, struct cli_api_pipe_state);
674 if (tevent_req_is_nterror(req, &status)) {
678 *prdata = talloc_move(mem_ctx, &state->rdata);
679 *prdata_len = state->rdata_len;
683 /****************************************************************************
684 Send data on an rpc pipe via trans. The data must be the last
685 pdu fragment of an NDR data stream.
687 Receive response data from an rpc pipe, which may be large...
689 Read the first fragment: unfortunately have to use SMBtrans for the first
690 bit, then SMBreadX for subsequent bits.
692 If first fragment received also wasn't the last fragment, continue
693 getting fragments until we _do_ receive the last fragment.
695 Request/Response PDU's look like the following...
697 |<------------------PDU len----------------------------------------------->|
698 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
700 +------------+-----------------+-------------+---------------+-------------+
701 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA |
702 +------------+-----------------+-------------+---------------+-------------+
704 Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
705 signing & sealing being negotiated.
707 ****************************************************************************/
709 struct rpc_api_pipe_state {
710 struct tevent_context *ev;
711 struct rpc_pipe_client *cli;
712 uint8_t expected_pkt_type;
715 DATA_BLOB incoming_frag;
716 struct ncacn_packet *pkt;
720 size_t reply_pdu_offset;
724 static void rpc_api_pipe_trans_done(struct tevent_req *subreq);
725 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq);
726 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq);
728 static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,
729 struct tevent_context *ev,
730 struct rpc_pipe_client *cli,
731 DATA_BLOB *data, /* Outgoing PDU */
732 uint8_t expected_pkt_type,
735 struct tevent_req *req, *subreq;
736 struct rpc_api_pipe_state *state;
737 uint16_t max_recv_frag;
740 req = tevent_req_create(mem_ctx, &state, struct rpc_api_pipe_state);
746 state->expected_pkt_type = expected_pkt_type;
747 state->call_id = call_id;
748 state->endianess = DCERPC_DREP_LE;
751 * Ensure we're not sending too much.
753 if (data->length > cli->max_xmit_frag) {
754 status = NT_STATUS_INVALID_PARAMETER;
758 DEBUG(5,("rpc_api_pipe: %s\n", rpccli_pipe_txt(talloc_tos(), cli)));
760 if (state->expected_pkt_type == DCERPC_PKT_AUTH3) {
761 subreq = rpc_write_send(state, ev, cli->transport,
762 data->data, data->length);
763 if (subreq == NULL) {
766 tevent_req_set_callback(subreq, rpc_api_pipe_auth3_done, req);
770 /* get the header first, then fetch the rest once we have
771 * the frag_length available */
772 max_recv_frag = RPC_HEADER_LEN;
774 subreq = cli_api_pipe_send(state, ev, cli->transport,
775 data->data, data->length, max_recv_frag);
776 if (subreq == NULL) {
779 tevent_req_set_callback(subreq, rpc_api_pipe_trans_done, req);
783 tevent_req_nterror(req, status);
784 return tevent_req_post(req, ev);
790 static void rpc_api_pipe_auth3_done(struct tevent_req *subreq)
792 struct tevent_req *req =
793 tevent_req_callback_data(subreq,
797 status = rpc_write_recv(subreq);
799 if (!NT_STATUS_IS_OK(status)) {
800 tevent_req_nterror(req, status);
804 tevent_req_done(req);
807 static void rpc_api_pipe_trans_done(struct tevent_req *subreq)
809 struct tevent_req *req = tevent_req_callback_data(
810 subreq, struct tevent_req);
811 struct rpc_api_pipe_state *state = tevent_req_data(
812 req, struct rpc_api_pipe_state);
814 uint8_t *rdata = NULL;
815 uint32_t rdata_len = 0;
817 status = cli_api_pipe_recv(subreq, state, &rdata, &rdata_len);
819 if (!NT_STATUS_IS_OK(status)) {
820 DEBUG(5, ("cli_api_pipe failed: %s\n", nt_errstr(status)));
821 tevent_req_nterror(req, status);
826 DEBUG(3,("rpc_api_pipe: %s failed to return data.\n",
827 rpccli_pipe_txt(talloc_tos(), state->cli)));
828 tevent_req_done(req);
833 * Move data on state->incoming_frag.
835 state->incoming_frag.data = talloc_move(state, &rdata);
836 state->incoming_frag.length = rdata_len;
837 if (!state->incoming_frag.data) {
838 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
842 /* Ensure we have enough data for a pdu. */
843 subreq = get_complete_frag_send(state, state->ev, state->cli,
844 &state->incoming_frag);
845 if (tevent_req_nomem(subreq, req)) {
848 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
851 static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
853 struct tevent_req *req = tevent_req_callback_data(
854 subreq, struct tevent_req);
855 struct rpc_api_pipe_state *state = tevent_req_data(
856 req, struct rpc_api_pipe_state);
858 DATA_BLOB rdata = data_blob_null;
860 status = get_complete_frag_recv(subreq);
862 if (!NT_STATUS_IS_OK(status)) {
863 DEBUG(5, ("get_complete_frag failed: %s\n",
865 tevent_req_nterror(req, status);
869 state->pkt = talloc(state, struct ncacn_packet);
871 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
875 status = dcerpc_pull_ncacn_packet(state->pkt,
876 &state->incoming_frag,
879 if (!NT_STATUS_IS_OK(status)) {
880 tevent_req_nterror(req, status);
884 status = cli_pipe_validate_current_pdu(state,
885 state->cli, state->pkt,
886 &state->incoming_frag,
887 state->expected_pkt_type,
892 DEBUG(10,("rpc_api_pipe: got frag len of %u at offset %u: %s\n",
893 (unsigned)state->incoming_frag.length,
894 (unsigned)state->reply_pdu_offset,
897 if (!NT_STATUS_IS_OK(status)) {
898 tevent_req_nterror(req, status);
902 if ((state->pkt->pfc_flags & DCERPC_PFC_FLAG_FIRST)
903 && (state->pkt->drep[0] != DCERPC_DREP_LE)) {
905 * Set the data type correctly for big-endian data on the
908 DEBUG(10,("rpc_api_pipe: On %s PDU data format is "
910 rpccli_pipe_txt(talloc_tos(), state->cli)));
911 state->endianess = 0x00; /* BIG ENDIAN */
914 * Check endianness on subsequent packets.
916 if (state->endianess != state->pkt->drep[0]) {
917 DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to "
919 state->endianess?"little":"big",
920 state->pkt->drep[0]?"little":"big"));
921 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
925 /* Now copy the data portion out of the pdu into rbuf. */
926 if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
927 if (!data_blob_realloc(NULL, &state->reply_pdu,
928 state->reply_pdu_offset + rdata.length)) {
929 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
934 memcpy(state->reply_pdu.data + state->reply_pdu_offset,
935 rdata.data, rdata.length);
936 state->reply_pdu_offset += rdata.length;
938 /* reset state->incoming_frag, there is no need to free it,
939 * it will be reallocated to the right size the next time
941 state->incoming_frag.length = 0;
943 if (state->pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
944 /* make sure the pdu length is right now that we
945 * have all the data available (alloc hint may
946 * have allocated more than was actually used) */
947 state->reply_pdu.length = state->reply_pdu_offset;
948 DEBUG(10,("rpc_api_pipe: %s returned %u bytes.\n",
949 rpccli_pipe_txt(talloc_tos(), state->cli),
950 (unsigned)state->reply_pdu.length));
951 tevent_req_done(req);
955 subreq = get_complete_frag_send(state, state->ev, state->cli,
956 &state->incoming_frag);
957 if (tevent_req_nomem(subreq, req)) {
960 tevent_req_set_callback(subreq, rpc_api_pipe_got_pdu, req);
963 static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
964 struct ncacn_packet **pkt,
965 DATA_BLOB *reply_pdu)
967 struct rpc_api_pipe_state *state = tevent_req_data(
968 req, struct rpc_api_pipe_state);
971 if (tevent_req_is_nterror(req, &status)) {
975 /* return data to caller and assign it ownership of memory */
977 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
978 reply_pdu->length = state->reply_pdu.length;
979 state->reply_pdu.length = 0;
981 data_blob_free(&state->reply_pdu);
985 *pkt = talloc_steal(mem_ctx, state->pkt);
991 /*******************************************************************
992 Creates NTLMSSP auth bind.
993 ********************************************************************/
995 static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
997 DATA_BLOB *auth_token,
998 bool *client_hdr_signing)
1000 struct gensec_security *gensec_security;
1001 DATA_BLOB null_blob = data_blob_null;
1004 gensec_security = cli->auth->auth_ctx;
1006 DEBUG(5, ("create_generic_auth_rpc_bind_req: generate first token\n"));
1007 status = gensec_update(gensec_security, mem_ctx, null_blob, auth_token);
1009 if (!NT_STATUS_IS_OK(status) &&
1010 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
1015 if (client_hdr_signing == NULL) {
1019 if (cli->auth->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
1020 *client_hdr_signing = false;
1024 *client_hdr_signing = gensec_have_feature(gensec_security,
1025 GENSEC_FEATURE_SIGN_PKT_HEADER);
1030 /*******************************************************************
1031 Creates the internals of a DCE/RPC bind request or alter context PDU.
1032 ********************************************************************/
1034 static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
1035 enum dcerpc_pkt_type ptype,
1036 uint32_t rpc_call_id,
1037 const struct ndr_syntax_id *abstract,
1038 const struct ndr_syntax_id *transfer,
1039 const DATA_BLOB *auth_info,
1040 bool client_hdr_signing,
1043 uint16_t auth_len = auth_info->length;
1045 union dcerpc_payload u;
1046 struct dcerpc_ctx_list ctx_list;
1047 uint8_t pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
1050 auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
1053 if (client_hdr_signing) {
1054 pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
1057 ctx_list.context_id = 0;
1058 ctx_list.num_transfer_syntaxes = 1;
1059 ctx_list.abstract_syntax = *abstract;
1060 ctx_list.transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer);
1062 u.bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1063 u.bind.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1064 u.bind.assoc_group_id = 0x0;
1065 u.bind.num_contexts = 1;
1066 u.bind.ctx_list = &ctx_list;
1067 u.bind.auth_info = *auth_info;
1069 status = dcerpc_push_ncacn_packet(mem_ctx,
1075 if (!NT_STATUS_IS_OK(status)) {
1076 DEBUG(0, ("Failed to marshall bind/alter ncacn_packet.\n"));
1080 return NT_STATUS_OK;
1083 /*******************************************************************
1084 Creates a DCE/RPC bind request.
1085 ********************************************************************/
1087 static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
1088 struct rpc_pipe_client *cli,
1089 struct pipe_auth_data *auth,
1090 uint32_t rpc_call_id,
1091 const struct ndr_syntax_id *abstract,
1092 const struct ndr_syntax_id *transfer,
1095 DATA_BLOB auth_token = data_blob_null;
1096 DATA_BLOB auth_info = data_blob_null;
1097 NTSTATUS ret = NT_STATUS_OK;
1099 switch (auth->auth_type) {
1100 case DCERPC_AUTH_TYPE_NONE:
1104 ret = create_generic_auth_rpc_bind_req(cli, mem_ctx,
1106 &auth->client_hdr_signing);
1108 if (!NT_STATUS_IS_OK(ret) &&
1109 !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1115 if (auth_token.length != 0) {
1116 ret = dcerpc_push_dcerpc_auth(cli,
1119 0, /* auth_pad_length */
1120 1, /* auth_context_id */
1123 if (!NT_STATUS_IS_OK(ret)) {
1126 data_blob_free(&auth_token);
1129 ret = create_bind_or_alt_ctx_internal(mem_ctx,
1135 auth->client_hdr_signing,
1140 /*******************************************************************
1142 Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
1143 Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
1144 and deals with signing/sealing details.
1145 ********************************************************************/
1147 struct rpc_api_pipe_req_state {
1148 struct tevent_context *ev;
1149 struct rpc_pipe_client *cli;
1152 const DATA_BLOB *req_data;
1153 uint32_t req_data_sent;
1154 DATA_BLOB req_trailer;
1155 uint32_t req_trailer_sent;
1156 bool verify_bitmask1;
1157 bool verify_pcontext;
1159 DATA_BLOB reply_pdu;
1162 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
1163 static void rpc_api_pipe_req_done(struct tevent_req *subreq);
1164 static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state);
1165 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1166 bool *is_last_frag);
1168 static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
1169 struct tevent_context *ev,
1170 struct rpc_pipe_client *cli,
1172 const DATA_BLOB *req_data)
1174 struct tevent_req *req, *subreq;
1175 struct rpc_api_pipe_req_state *state;
1179 req = tevent_req_create(mem_ctx, &state,
1180 struct rpc_api_pipe_req_state);
1186 state->op_num = op_num;
1187 state->req_data = req_data;
1188 state->req_data_sent = 0;
1189 state->call_id = get_rpc_call_id();
1190 state->reply_pdu = data_blob_null;
1191 state->rpc_out = data_blob_null;
1193 if (cli->max_xmit_frag < DCERPC_REQUEST_LENGTH
1194 + RPC_MAX_SIGN_SIZE) {
1195 /* Server is screwed up ! */
1196 status = NT_STATUS_INVALID_PARAMETER;
1200 status = prepare_verification_trailer(state);
1201 if (!NT_STATUS_IS_OK(status)) {
1205 status = prepare_next_frag(state, &is_last_frag);
1206 if (!NT_STATUS_IS_OK(status)) {
1211 subreq = rpc_api_pipe_send(state, ev, state->cli,
1213 DCERPC_PKT_RESPONSE,
1215 if (subreq == NULL) {
1218 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1220 subreq = rpc_write_send(state, ev, cli->transport,
1221 state->rpc_out.data,
1222 state->rpc_out.length);
1223 if (subreq == NULL) {
1226 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1232 tevent_req_nterror(req, status);
1233 return tevent_req_post(req, ev);
1239 static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state)
1241 struct pipe_auth_data *a = state->cli->auth;
1242 struct dcerpc_sec_verification_trailer *t;
1243 struct dcerpc_sec_vt *c = NULL;
1244 struct ndr_push *ndr = NULL;
1245 enum ndr_err_code ndr_err;
1250 return NT_STATUS_OK;
1253 if (a->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
1254 return NT_STATUS_OK;
1257 t = talloc_zero(state, struct dcerpc_sec_verification_trailer);
1259 return NT_STATUS_NO_MEMORY;
1262 if (!a->verified_bitmask1) {
1263 t->commands = talloc_realloc(t, t->commands,
1264 struct dcerpc_sec_vt,
1265 t->count.count + 1);
1266 if (t->commands == NULL) {
1267 return NT_STATUS_NO_MEMORY;
1269 c = &t->commands[t->count.count++];
1272 c->command = DCERPC_SEC_VT_COMMAND_BITMASK1;
1273 if (a->client_hdr_signing) {
1274 c->u.bitmask1 = DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING;
1276 state->verify_bitmask1 = true;
1279 if (!state->cli->verified_pcontext) {
1280 t->commands = talloc_realloc(t, t->commands,
1281 struct dcerpc_sec_vt,
1282 t->count.count + 1);
1283 if (t->commands == NULL) {
1284 return NT_STATUS_NO_MEMORY;
1286 c = &t->commands[t->count.count++];
1289 c->command = DCERPC_SEC_VT_COMMAND_PCONTEXT;
1290 c->u.pcontext.abstract_syntax = state->cli->abstract_syntax;
1291 c->u.pcontext.transfer_syntax = state->cli->transfer_syntax;
1293 state->verify_pcontext = true;
1296 if (!a->hdr_signing) {
1297 t->commands = talloc_realloc(t, t->commands,
1298 struct dcerpc_sec_vt,
1299 t->count.count + 1);
1300 if (t->commands == NULL) {
1301 return NT_STATUS_NO_MEMORY;
1303 c = &t->commands[t->count.count++];
1306 c->command = DCERPC_SEC_VT_COMMAND_HEADER2;
1307 c->u.header2.ptype = DCERPC_PKT_REQUEST;
1308 c->u.header2.drep[0] = DCERPC_DREP_LE;
1309 c->u.header2.drep[1] = 0;
1310 c->u.header2.drep[2] = 0;
1311 c->u.header2.drep[3] = 0;
1312 c->u.header2.call_id = state->call_id;
1313 c->u.header2.context_id = 0;
1314 c->u.header2.opnum = state->op_num;
1317 if (t->count.count == 0) {
1319 return NT_STATUS_OK;
1322 c = &t->commands[t->count.count - 1];
1323 c->command |= DCERPC_SEC_VT_COMMAND_END;
1325 if (DEBUGLEVEL >= 10) {
1326 NDR_PRINT_DEBUG(dcerpc_sec_verification_trailer, t);
1329 ndr = ndr_push_init_ctx(state);
1331 return NT_STATUS_NO_MEMORY;
1334 ndr_err = ndr_push_dcerpc_sec_verification_trailer(ndr,
1335 NDR_SCALARS | NDR_BUFFERS,
1337 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1338 return ndr_map_error2ntstatus(ndr_err);
1340 state->req_trailer = ndr_push_blob(ndr);
1342 align = state->req_data->length & 0x3;
1349 const uint8_t zeros[4] = { 0, };
1351 ok = data_blob_append(ndr, &state->req_trailer, zeros, pad);
1353 return NT_STATUS_NO_MEMORY;
1356 /* move the padding to the start */
1357 p = state->req_trailer.data;
1358 memmove(p + pad, p, state->req_trailer.length - pad);
1362 return NT_STATUS_OK;
1365 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
1373 size_t data_thistime;
1374 size_t trailer_left;
1375 size_t trailer_thistime = 0;
1377 size_t total_thistime;
1380 union dcerpc_payload u;
1382 data_left = state->req_data->length - state->req_data_sent;
1383 trailer_left = state->req_trailer.length - state->req_trailer_sent;
1384 total_left = data_left + trailer_left;
1385 if ((total_left < data_left) || (total_left < trailer_left)) {
1389 return NT_STATUS_INVALID_PARAMETER_MIX;
1392 status = dcerpc_guess_sizes(state->cli->auth,
1393 DCERPC_REQUEST_LENGTH, total_left,
1394 state->cli->max_xmit_frag,
1396 &frag_len, &auth_len, &pad_len);
1397 if (!NT_STATUS_IS_OK(status)) {
1401 if (state->req_data_sent == 0) {
1402 flags = DCERPC_PFC_FLAG_FIRST;
1405 if (total_thistime == total_left) {
1406 flags |= DCERPC_PFC_FLAG_LAST;
1409 data_thistime = MIN(total_thistime, data_left);
1410 if (data_thistime < total_thistime) {
1411 trailer_thistime = total_thistime - data_thistime;
1414 data_blob_free(&state->rpc_out);
1416 ZERO_STRUCT(u.request);
1418 u.request.alloc_hint = total_left;
1419 u.request.context_id = 0;
1420 u.request.opnum = state->op_num;
1422 status = dcerpc_push_ncacn_packet(state,
1429 if (!NT_STATUS_IS_OK(status)) {
1433 /* explicitly set frag_len here as dcerpc_push_ncacn_packet() can't
1434 * compute it right for requests because the auth trailer is missing
1436 dcerpc_set_frag_length(&state->rpc_out, frag_len);
1438 if (data_thistime > 0) {
1439 /* Copy in the data. */
1440 ok = data_blob_append(NULL, &state->rpc_out,
1441 state->req_data->data + state->req_data_sent,
1444 return NT_STATUS_NO_MEMORY;
1446 state->req_data_sent += data_thistime;
1449 if (trailer_thistime > 0) {
1450 /* Copy in the verification trailer. */
1451 ok = data_blob_append(NULL, &state->rpc_out,
1452 state->req_trailer.data + state->req_trailer_sent,
1455 return NT_STATUS_NO_MEMORY;
1457 state->req_trailer_sent += trailer_thistime;
1460 switch (state->cli->auth->auth_level) {
1461 case DCERPC_AUTH_LEVEL_NONE:
1462 case DCERPC_AUTH_LEVEL_CONNECT:
1463 case DCERPC_AUTH_LEVEL_PACKET:
1465 case DCERPC_AUTH_LEVEL_INTEGRITY:
1466 case DCERPC_AUTH_LEVEL_PRIVACY:
1467 status = dcerpc_add_auth_footer(state->cli->auth, pad_len,
1469 if (!NT_STATUS_IS_OK(status)) {
1474 return NT_STATUS_INVALID_PARAMETER;
1477 *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
1482 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq)
1484 struct tevent_req *req = tevent_req_callback_data(
1485 subreq, struct tevent_req);
1486 struct rpc_api_pipe_req_state *state = tevent_req_data(
1487 req, struct rpc_api_pipe_req_state);
1491 status = rpc_write_recv(subreq);
1492 TALLOC_FREE(subreq);
1493 if (!NT_STATUS_IS_OK(status)) {
1494 tevent_req_nterror(req, status);
1498 status = prepare_next_frag(state, &is_last_frag);
1499 if (!NT_STATUS_IS_OK(status)) {
1500 tevent_req_nterror(req, status);
1505 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1507 DCERPC_PKT_RESPONSE,
1509 if (tevent_req_nomem(subreq, req)) {
1512 tevent_req_set_callback(subreq, rpc_api_pipe_req_done, req);
1514 subreq = rpc_write_send(state, state->ev,
1515 state->cli->transport,
1516 state->rpc_out.data,
1517 state->rpc_out.length);
1518 if (tevent_req_nomem(subreq, req)) {
1521 tevent_req_set_callback(subreq, rpc_api_pipe_req_write_done,
1526 static void rpc_api_pipe_req_done(struct tevent_req *subreq)
1528 struct tevent_req *req = tevent_req_callback_data(
1529 subreq, struct tevent_req);
1530 struct rpc_api_pipe_req_state *state = tevent_req_data(
1531 req, struct rpc_api_pipe_req_state);
1534 status = rpc_api_pipe_recv(subreq, state, NULL, &state->reply_pdu);
1535 TALLOC_FREE(subreq);
1536 if (!NT_STATUS_IS_OK(status)) {
1537 tevent_req_nterror(req, status);
1541 if (state->cli->auth == NULL) {
1542 tevent_req_done(req);
1546 if (state->verify_bitmask1) {
1547 state->cli->auth->verified_bitmask1 = true;
1550 if (state->verify_pcontext) {
1551 state->cli->verified_pcontext = true;
1554 tevent_req_done(req);
1557 static NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
1558 DATA_BLOB *reply_pdu)
1560 struct rpc_api_pipe_req_state *state = tevent_req_data(
1561 req, struct rpc_api_pipe_req_state);
1564 if (tevent_req_is_nterror(req, &status)) {
1566 * We always have to initialize to reply pdu, even if there is
1567 * none. The rpccli_* caller routines expect this.
1569 *reply_pdu = data_blob_null;
1573 /* return data to caller and assign it ownership of memory */
1574 reply_pdu->data = talloc_move(mem_ctx, &state->reply_pdu.data);
1575 reply_pdu->length = state->reply_pdu.length;
1576 state->reply_pdu.length = 0;
1578 return NT_STATUS_OK;
1581 /****************************************************************************
1582 Check the rpc bind acknowledge response.
1583 ****************************************************************************/
1585 static bool check_bind_response(const struct dcerpc_bind_ack *r,
1586 const struct ndr_syntax_id *transfer)
1588 struct dcerpc_ack_ctx ctx;
1590 if (r->secondary_address_size == 0) {
1591 DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
1594 if (r->num_results < 1 || !r->ctx_list) {
1598 ctx = r->ctx_list[0];
1600 /* check the transfer syntax */
1601 if ((ctx.syntax.if_version != transfer->if_version) ||
1602 (memcmp(&ctx.syntax.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1603 DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1607 if (r->num_results != 0x1 || ctx.result != 0) {
1608 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1609 r->num_results, ctx.reason.value));
1612 DEBUG(5,("check_bind_response: accepted!\n"));
1616 /*******************************************************************
1617 Creates a DCE/RPC bind authentication response.
1618 This is the packet that is sent back to the server once we
1619 have received a BIND-ACK, to finish the third leg of
1620 the authentication handshake.
1621 ********************************************************************/
1623 static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
1624 struct rpc_pipe_client *cli,
1625 uint32_t rpc_call_id,
1626 enum dcerpc_AuthType auth_type,
1627 enum dcerpc_AuthLevel auth_level,
1628 DATA_BLOB *pauth_blob,
1632 union dcerpc_payload u;
1636 status = dcerpc_push_dcerpc_auth(mem_ctx,
1639 0, /* auth_pad_length */
1640 1, /* auth_context_id */
1642 &u.auth3.auth_info);
1643 if (!NT_STATUS_IS_OK(status)) {
1647 status = dcerpc_push_ncacn_packet(mem_ctx,
1649 DCERPC_PFC_FLAG_FIRST |
1650 DCERPC_PFC_FLAG_LAST,
1655 data_blob_free(&u.auth3.auth_info);
1656 if (!NT_STATUS_IS_OK(status)) {
1657 DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
1661 return NT_STATUS_OK;
1664 /*******************************************************************
1665 Creates a DCE/RPC bind alter context authentication request which
1666 may contain a spnego auth blobl
1667 ********************************************************************/
1669 static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
1670 enum dcerpc_AuthType auth_type,
1671 enum dcerpc_AuthLevel auth_level,
1672 uint32_t rpc_call_id,
1673 const struct ndr_syntax_id *abstract,
1674 const struct ndr_syntax_id *transfer,
1675 const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
1678 DATA_BLOB auth_info;
1681 status = dcerpc_push_dcerpc_auth(mem_ctx,
1684 0, /* auth_pad_length */
1685 1, /* auth_context_id */
1688 if (!NT_STATUS_IS_OK(status)) {
1692 status = create_bind_or_alt_ctx_internal(mem_ctx,
1698 false, /* client_hdr_signing */
1700 data_blob_free(&auth_info);
1704 /****************************************************************************
1706 ****************************************************************************/
1708 struct rpc_pipe_bind_state {
1709 struct tevent_context *ev;
1710 struct rpc_pipe_client *cli;
1713 uint32_t rpc_call_id;
1716 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
1717 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1718 struct rpc_pipe_bind_state *state,
1719 DATA_BLOB *credentials);
1720 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1721 struct rpc_pipe_bind_state *state,
1722 DATA_BLOB *credentials);
1724 struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
1725 struct tevent_context *ev,
1726 struct rpc_pipe_client *cli,
1727 struct pipe_auth_data *auth)
1729 struct tevent_req *req, *subreq;
1730 struct rpc_pipe_bind_state *state;
1733 req = tevent_req_create(mem_ctx, &state, struct rpc_pipe_bind_state);
1738 DEBUG(5,("Bind RPC Pipe: %s auth_type %u, auth_level %u\n",
1739 rpccli_pipe_txt(talloc_tos(), cli),
1740 (unsigned int)auth->auth_type,
1741 (unsigned int)auth->auth_level ));
1745 state->rpc_call_id = get_rpc_call_id();
1747 cli->auth = talloc_move(cli, &auth);
1749 /* Marshall the outgoing data. */
1750 status = create_rpc_bind_req(state, cli,
1753 &cli->abstract_syntax,
1754 &cli->transfer_syntax,
1757 if (!NT_STATUS_IS_OK(status) &&
1758 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1762 subreq = rpc_api_pipe_send(state, ev, cli, &state->rpc_out,
1763 DCERPC_PKT_BIND_ACK, state->rpc_call_id);
1764 if (subreq == NULL) {
1767 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1771 tevent_req_nterror(req, status);
1772 return tevent_req_post(req, ev);
1778 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
1780 struct tevent_req *req = tevent_req_callback_data(
1781 subreq, struct tevent_req);
1782 struct rpc_pipe_bind_state *state = tevent_req_data(
1783 req, struct rpc_pipe_bind_state);
1784 struct pipe_auth_data *pauth = state->cli->auth;
1785 struct gensec_security *gensec_security;
1786 struct ncacn_packet *pkt = NULL;
1787 struct dcerpc_auth auth;
1788 DATA_BLOB auth_token = data_blob_null;
1791 status = rpc_api_pipe_recv(subreq, talloc_tos(), &pkt, NULL);
1792 TALLOC_FREE(subreq);
1793 if (!NT_STATUS_IS_OK(status)) {
1794 DEBUG(3, ("rpc_pipe_bind: %s bind request returned %s\n",
1795 rpccli_pipe_txt(talloc_tos(), state->cli),
1796 nt_errstr(status)));
1797 tevent_req_nterror(req, status);
1802 tevent_req_done(req);
1806 if (!check_bind_response(&pkt->u.bind_ack, &state->cli->transfer_syntax)) {
1807 DEBUG(2, ("rpc_pipe_bind: check_bind_response failed.\n"));
1808 tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
1812 state->cli->max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
1813 state->cli->max_recv_frag = pkt->u.bind_ack.max_recv_frag;
1815 switch(pauth->auth_type) {
1817 case DCERPC_AUTH_TYPE_NONE:
1818 /* Bind complete. */
1819 tevent_req_done(req);
1823 /* Paranoid lenght checks */
1824 if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
1825 + pkt->auth_length) {
1826 tevent_req_nterror(req,
1827 NT_STATUS_INFO_LENGTH_MISMATCH);
1830 /* get auth credentials */
1831 status = dcerpc_pull_dcerpc_auth(talloc_tos(),
1832 &pkt->u.bind_ack.auth_info,
1834 if (!NT_STATUS_IS_OK(status)) {
1835 DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
1836 nt_errstr(status)));
1837 tevent_req_nterror(req, status);
1844 * For authenticated binds we may need to do 3 or 4 leg binds.
1847 switch(pauth->auth_type) {
1849 case DCERPC_AUTH_TYPE_NONE:
1850 /* Bind complete. */
1851 tevent_req_done(req);
1855 gensec_security = pauth->auth_ctx;
1857 if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
1858 if (pauth->client_hdr_signing) {
1859 pauth->hdr_signing = true;
1860 gensec_want_feature(gensec_security,
1861 GENSEC_FEATURE_SIGN_PKT_HEADER);
1865 status = gensec_update(gensec_security, state,
1866 auth.credentials, &auth_token);
1867 if (NT_STATUS_EQUAL(status,
1868 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1869 status = rpc_bind_next_send(req, state,
1871 } else if (NT_STATUS_IS_OK(status)) {
1872 if (auth_token.length == 0) {
1873 /* Bind complete. */
1874 tevent_req_done(req);
1877 status = rpc_bind_finish_send(req, state,
1883 if (!NT_STATUS_IS_OK(status)) {
1884 tevent_req_nterror(req, status);
1889 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
1890 struct rpc_pipe_bind_state *state,
1891 DATA_BLOB *auth_token)
1893 struct pipe_auth_data *auth = state->cli->auth;
1894 struct tevent_req *subreq;
1897 /* Now prepare the alter context pdu. */
1898 data_blob_free(&state->rpc_out);
1900 status = create_rpc_alter_context(state,
1904 &state->cli->abstract_syntax,
1905 &state->cli->transfer_syntax,
1908 if (!NT_STATUS_IS_OK(status)) {
1912 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1913 &state->rpc_out, DCERPC_PKT_ALTER_RESP,
1914 state->rpc_call_id);
1915 if (subreq == NULL) {
1916 return NT_STATUS_NO_MEMORY;
1918 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1919 return NT_STATUS_OK;
1922 static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
1923 struct rpc_pipe_bind_state *state,
1924 DATA_BLOB *auth_token)
1926 struct pipe_auth_data *auth = state->cli->auth;
1927 struct tevent_req *subreq;
1930 state->auth3 = true;
1932 /* Now prepare the auth3 context pdu. */
1933 data_blob_free(&state->rpc_out);
1935 status = create_rpc_bind_auth3(state, state->cli,
1941 if (!NT_STATUS_IS_OK(status)) {
1945 subreq = rpc_api_pipe_send(state, state->ev, state->cli,
1946 &state->rpc_out, DCERPC_PKT_AUTH3,
1947 state->rpc_call_id);
1948 if (subreq == NULL) {
1949 return NT_STATUS_NO_MEMORY;
1951 tevent_req_set_callback(subreq, rpc_pipe_bind_step_one_done, req);
1952 return NT_STATUS_OK;
1955 NTSTATUS rpc_pipe_bind_recv(struct tevent_req *req)
1957 return tevent_req_simple_recv_ntstatus(req);
1960 NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
1961 struct pipe_auth_data *auth)
1963 TALLOC_CTX *frame = talloc_stackframe();
1964 struct tevent_context *ev;
1965 struct tevent_req *req;
1966 NTSTATUS status = NT_STATUS_OK;
1968 ev = samba_tevent_context_init(frame);
1970 status = NT_STATUS_NO_MEMORY;
1974 req = rpc_pipe_bind_send(frame, ev, cli, auth);
1976 status = NT_STATUS_NO_MEMORY;
1980 if (!tevent_req_poll_ntstatus(req, ev, &status)) {
1984 status = rpc_pipe_bind_recv(req);
1990 #define RPCCLI_DEFAULT_TIMEOUT 10000 /* 10 seconds. */
1992 unsigned int rpccli_set_timeout(struct rpc_pipe_client *rpc_cli,
1993 unsigned int timeout)
1997 if (rpc_cli->transport == NULL) {
1998 return RPCCLI_DEFAULT_TIMEOUT;
2001 if (rpc_cli->transport->set_timeout == NULL) {
2002 return RPCCLI_DEFAULT_TIMEOUT;
2005 old = rpc_cli->transport->set_timeout(rpc_cli->transport->priv, timeout);
2007 return RPCCLI_DEFAULT_TIMEOUT;
2013 bool rpccli_is_connected(struct rpc_pipe_client *rpc_cli)
2015 if (rpc_cli == NULL) {
2019 if (rpc_cli->transport == NULL) {
2023 return rpc_cli->transport->is_connected(rpc_cli->transport->priv);
2026 struct rpccli_bh_state {
2027 struct rpc_pipe_client *rpc_cli;
2030 static bool rpccli_bh_is_connected(struct dcerpc_binding_handle *h)
2032 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2033 struct rpccli_bh_state);
2035 return rpccli_is_connected(hs->rpc_cli);
2038 static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
2041 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2042 struct rpccli_bh_state);
2044 return rpccli_set_timeout(hs->rpc_cli, timeout);
2047 static void rpccli_bh_auth_info(struct dcerpc_binding_handle *h,
2048 enum dcerpc_AuthType *auth_type,
2049 enum dcerpc_AuthLevel *auth_level)
2051 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2052 struct rpccli_bh_state);
2054 if (hs->rpc_cli == NULL) {
2058 if (hs->rpc_cli->auth == NULL) {
2062 *auth_type = hs->rpc_cli->auth->auth_type;
2063 *auth_level = hs->rpc_cli->auth->auth_level;
2066 struct rpccli_bh_raw_call_state {
2072 static void rpccli_bh_raw_call_done(struct tevent_req *subreq);
2074 static struct tevent_req *rpccli_bh_raw_call_send(TALLOC_CTX *mem_ctx,
2075 struct tevent_context *ev,
2076 struct dcerpc_binding_handle *h,
2077 const struct GUID *object,
2080 const uint8_t *in_data,
2083 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2084 struct rpccli_bh_state);
2085 struct tevent_req *req;
2086 struct rpccli_bh_raw_call_state *state;
2088 struct tevent_req *subreq;
2090 req = tevent_req_create(mem_ctx, &state,
2091 struct rpccli_bh_raw_call_state);
2095 state->in_data.data = discard_const_p(uint8_t, in_data);
2096 state->in_data.length = in_length;
2098 ok = rpccli_bh_is_connected(h);
2100 tevent_req_nterror(req, NT_STATUS_CONNECTION_DISCONNECTED);
2101 return tevent_req_post(req, ev);
2104 subreq = rpc_api_pipe_req_send(state, ev, hs->rpc_cli,
2105 opnum, &state->in_data);
2106 if (tevent_req_nomem(subreq, req)) {
2107 return tevent_req_post(req, ev);
2109 tevent_req_set_callback(subreq, rpccli_bh_raw_call_done, req);
2114 static void rpccli_bh_raw_call_done(struct tevent_req *subreq)
2116 struct tevent_req *req =
2117 tevent_req_callback_data(subreq,
2119 struct rpccli_bh_raw_call_state *state =
2120 tevent_req_data(req,
2121 struct rpccli_bh_raw_call_state);
2124 state->out_flags = 0;
2126 /* TODO: support bigendian responses */
2128 status = rpc_api_pipe_req_recv(subreq, state, &state->out_data);
2129 TALLOC_FREE(subreq);
2130 if (!NT_STATUS_IS_OK(status)) {
2131 tevent_req_nterror(req, status);
2135 tevent_req_done(req);
2138 static NTSTATUS rpccli_bh_raw_call_recv(struct tevent_req *req,
2139 TALLOC_CTX *mem_ctx,
2142 uint32_t *out_flags)
2144 struct rpccli_bh_raw_call_state *state =
2145 tevent_req_data(req,
2146 struct rpccli_bh_raw_call_state);
2149 if (tevent_req_is_nterror(req, &status)) {
2150 tevent_req_received(req);
2154 *out_data = talloc_move(mem_ctx, &state->out_data.data);
2155 *out_length = state->out_data.length;
2156 *out_flags = state->out_flags;
2157 tevent_req_received(req);
2158 return NT_STATUS_OK;
2161 struct rpccli_bh_disconnect_state {
2165 static struct tevent_req *rpccli_bh_disconnect_send(TALLOC_CTX *mem_ctx,
2166 struct tevent_context *ev,
2167 struct dcerpc_binding_handle *h)
2169 struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
2170 struct rpccli_bh_state);
2171 struct tevent_req *req;
2172 struct rpccli_bh_disconnect_state *state;
2175 req = tevent_req_create(mem_ctx, &state,
2176 struct rpccli_bh_disconnect_state);
2181 ok = rpccli_bh_is_connected(h);
2183 tevent_req_nterror(req, NT_STATUS_CONNECTION_DISCONNECTED);
2184 return tevent_req_post(req, ev);
2188 * TODO: do a real async disconnect ...
2190 * For now the caller needs to free rpc_cli
2194 tevent_req_done(req);
2195 return tevent_req_post(req, ev);
2198 static NTSTATUS rpccli_bh_disconnect_recv(struct tevent_req *req)
2202 if (tevent_req_is_nterror(req, &status)) {
2203 tevent_req_received(req);
2207 tevent_req_received(req);
2208 return NT_STATUS_OK;
2211 static bool rpccli_bh_ref_alloc(struct dcerpc_binding_handle *h)
2216 static void rpccli_bh_do_ndr_print(struct dcerpc_binding_handle *h,
2218 const void *_struct_ptr,
2219 const struct ndr_interface_call *call)
2221 void *struct_ptr = discard_const(_struct_ptr);
2223 if (DEBUGLEVEL < 10) {
2227 if (ndr_flags & NDR_IN) {
2228 ndr_print_function_debug(call->ndr_print,
2233 if (ndr_flags & NDR_OUT) {
2234 ndr_print_function_debug(call->ndr_print,
2241 static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
2243 .is_connected = rpccli_bh_is_connected,
2244 .set_timeout = rpccli_bh_set_timeout,
2245 .auth_info = rpccli_bh_auth_info,
2246 .raw_call_send = rpccli_bh_raw_call_send,
2247 .raw_call_recv = rpccli_bh_raw_call_recv,
2248 .disconnect_send = rpccli_bh_disconnect_send,
2249 .disconnect_recv = rpccli_bh_disconnect_recv,
2251 .ref_alloc = rpccli_bh_ref_alloc,
2252 .do_ndr_print = rpccli_bh_do_ndr_print,
2255 /* initialise a rpc_pipe_client binding handle */
2256 struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c,
2257 const struct GUID *object,
2258 const struct ndr_interface_table *table)
2260 struct dcerpc_binding_handle *h;
2261 struct rpccli_bh_state *hs;
2263 h = dcerpc_binding_handle_create(c,
2268 struct rpccli_bh_state,
2278 NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
2279 struct pipe_auth_data **presult)
2281 struct pipe_auth_data *result;
2282 struct auth_generic_state *auth_generic_ctx;
2285 result = talloc_zero(mem_ctx, struct pipe_auth_data);
2286 if (result == NULL) {
2287 return NT_STATUS_NO_MEMORY;
2290 result->auth_type = DCERPC_AUTH_TYPE_NONE;
2291 result->auth_level = DCERPC_AUTH_LEVEL_NONE;
2293 status = auth_generic_client_prepare(result,
2295 if (!NT_STATUS_IS_OK(status)) {
2296 DEBUG(1, ("Failed to create auth_generic context: %s\n",
2297 nt_errstr(status)));
2300 status = auth_generic_set_username(auth_generic_ctx, "");
2301 if (!NT_STATUS_IS_OK(status)) {
2302 DEBUG(1, ("Failed to set username: %s\n",
2303 nt_errstr(status)));
2306 status = auth_generic_set_domain(auth_generic_ctx, "");
2307 if (!NT_STATUS_IS_OK(status)) {
2308 DEBUG(1, ("Failed to set domain: %s\n",
2309 nt_errstr(status)));
2313 status = gensec_set_credentials(auth_generic_ctx->gensec_security,
2314 auth_generic_ctx->credentials);
2315 if (!NT_STATUS_IS_OK(status)) {
2316 DEBUG(1, ("Failed to set GENSEC credentials: %s\n",
2317 nt_errstr(status)));
2320 talloc_unlink(auth_generic_ctx, auth_generic_ctx->credentials);
2321 auth_generic_ctx->credentials = NULL;
2323 result->auth_ctx = talloc_move(result, &auth_generic_ctx->gensec_security);
2324 talloc_free(auth_generic_ctx);
2326 return NT_STATUS_OK;
2329 static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
2330 enum dcerpc_AuthType auth_type,
2331 enum dcerpc_AuthLevel auth_level,
2333 const char *target_service,
2335 const char *username,
2336 const char *password,
2337 enum credentials_use_kerberos use_kerberos,
2338 struct netlogon_creds_CredentialState *creds,
2339 struct pipe_auth_data **presult)
2341 struct auth_generic_state *auth_generic_ctx;
2342 struct pipe_auth_data *result;
2345 result = talloc_zero(mem_ctx, struct pipe_auth_data);
2346 if (result == NULL) {
2347 return NT_STATUS_NO_MEMORY;
2350 result->auth_type = auth_type;
2351 result->auth_level = auth_level;
2353 status = auth_generic_client_prepare(result,
2355 if (!NT_STATUS_IS_OK(status)) {
2359 status = auth_generic_set_username(auth_generic_ctx, username);
2360 if (!NT_STATUS_IS_OK(status)) {
2364 status = auth_generic_set_domain(auth_generic_ctx, domain);
2365 if (!NT_STATUS_IS_OK(status)) {
2369 status = auth_generic_set_password(auth_generic_ctx, password);
2370 if (!NT_STATUS_IS_OK(status)) {
2374 status = gensec_set_target_service(auth_generic_ctx->gensec_security, target_service);
2375 if (!NT_STATUS_IS_OK(status)) {
2379 status = gensec_set_target_hostname(auth_generic_ctx->gensec_security, server);
2380 if (!NT_STATUS_IS_OK(status)) {
2384 cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
2385 cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
2387 status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
2388 if (!NT_STATUS_IS_OK(status)) {
2392 result->auth_ctx = talloc_move(result, &auth_generic_ctx->gensec_security);
2393 talloc_free(auth_generic_ctx);
2395 return NT_STATUS_OK;
2398 TALLOC_FREE(result);
2402 /* This routine steals the creds pointer that is passed in */
2403 static NTSTATUS rpccli_generic_bind_data_from_creds(TALLOC_CTX *mem_ctx,
2404 enum dcerpc_AuthType auth_type,
2405 enum dcerpc_AuthLevel auth_level,
2407 const char *target_service,
2408 struct cli_credentials *creds,
2409 struct pipe_auth_data **presult)
2411 struct auth_generic_state *auth_generic_ctx;
2412 struct pipe_auth_data *result;
2415 result = talloc_zero(mem_ctx, struct pipe_auth_data);
2416 if (result == NULL) {
2417 return NT_STATUS_NO_MEMORY;
2420 result->auth_type = auth_type;
2421 result->auth_level = auth_level;
2423 status = auth_generic_client_prepare(result,
2425 if (!NT_STATUS_IS_OK(status)) {
2429 status = auth_generic_set_creds(auth_generic_ctx, creds);
2430 if (!NT_STATUS_IS_OK(status)) {
2434 status = gensec_set_target_service(auth_generic_ctx->gensec_security, target_service);
2435 if (!NT_STATUS_IS_OK(status)) {
2439 status = gensec_set_target_hostname(auth_generic_ctx->gensec_security, server);
2440 if (!NT_STATUS_IS_OK(status)) {
2444 status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
2445 if (!NT_STATUS_IS_OK(status)) {
2449 result->auth_ctx = talloc_move(result, &auth_generic_ctx->gensec_security);
2450 talloc_free(auth_generic_ctx);
2452 return NT_STATUS_OK;
2455 TALLOC_FREE(result);
2459 NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
2460 struct pipe_auth_data **presult)
2462 return rpccli_generic_bind_data(mem_ctx,
2463 DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM,
2464 DCERPC_AUTH_LEVEL_CONNECT,
2466 "host", /* target_service */
2467 NAME_NT_AUTHORITY, /* domain */
2470 CRED_DONT_USE_KERBEROS,
2471 NULL, /* netlogon_creds_CredentialState */
2476 * Create an rpc pipe client struct, connecting to a tcp port.
2478 static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
2479 const struct sockaddr_storage *ss_addr,
2481 const struct ndr_interface_table *table,
2482 struct rpc_pipe_client **presult)
2484 struct rpc_pipe_client *result;
2485 struct sockaddr_storage addr;
2489 result = talloc_zero(mem_ctx, struct rpc_pipe_client);
2490 if (result == NULL) {
2491 return NT_STATUS_NO_MEMORY;
2494 result->abstract_syntax = table->syntax_id;
2495 result->transfer_syntax = ndr_transfer_syntax_ndr;
2497 result->desthost = talloc_strdup(result, host);
2498 result->srv_name_slash = talloc_asprintf_strupper_m(
2499 result, "\\\\%s", result->desthost);
2500 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2501 status = NT_STATUS_NO_MEMORY;
2505 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2506 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2508 if (ss_addr == NULL) {
2509 if (!resolve_name(host, &addr, NBT_NAME_SERVER, false)) {
2510 status = NT_STATUS_NOT_FOUND;
2517 status = open_socket_out(&addr, port, 60*1000, &fd);
2518 if (!NT_STATUS_IS_OK(status)) {
2521 set_socket_options(fd, lp_socket_options());
2523 status = rpc_transport_sock_init(result, fd, &result->transport);
2524 if (!NT_STATUS_IS_OK(status)) {
2529 result->transport->transport = NCACN_IP_TCP;
2531 result->binding_handle = rpccli_bh_create(result, NULL, table);
2532 if (result->binding_handle == NULL) {
2533 TALLOC_FREE(result);
2534 return NT_STATUS_NO_MEMORY;
2538 return NT_STATUS_OK;
2541 TALLOC_FREE(result);
2546 * Determine the tcp port on which a dcerpc interface is listening
2547 * for the ncacn_ip_tcp transport via the endpoint mapper of the
2550 static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
2551 const struct sockaddr_storage *addr,
2552 const struct ndr_interface_table *table,
2556 struct rpc_pipe_client *epm_pipe = NULL;
2557 struct dcerpc_binding_handle *epm_handle = NULL;
2558 struct pipe_auth_data *auth = NULL;
2559 struct dcerpc_binding *map_binding = NULL;
2560 struct dcerpc_binding *res_binding = NULL;
2561 enum dcerpc_transport_t transport;
2562 const char *endpoint = NULL;
2563 struct epm_twr_t *map_tower = NULL;
2564 struct epm_twr_t *res_towers = NULL;
2565 struct policy_handle *entry_handle = NULL;
2566 uint32_t num_towers = 0;
2567 uint32_t max_towers = 1;
2568 struct epm_twr_p_t towers;
2569 TALLOC_CTX *tmp_ctx = talloc_stackframe();
2570 uint32_t result = 0;
2572 if (pport == NULL) {
2573 status = NT_STATUS_INVALID_PARAMETER;
2577 if (ndr_syntax_id_equal(&table->syntax_id,
2578 &ndr_table_epmapper.syntax_id)) {
2580 status = NT_STATUS_OK;
2584 /* open the connection to the endpoint mapper */
2585 status = rpc_pipe_open_tcp_port(tmp_ctx, host, addr, 135,
2586 &ndr_table_epmapper,
2589 if (!NT_STATUS_IS_OK(status)) {
2592 epm_handle = epm_pipe->binding_handle;
2594 status = rpccli_anon_bind_data(tmp_ctx, &auth);
2595 if (!NT_STATUS_IS_OK(status)) {
2599 status = rpc_pipe_bind(epm_pipe, auth);
2600 if (!NT_STATUS_IS_OK(status)) {
2604 /* create tower for asking the epmapper */
2606 status = dcerpc_parse_binding(tmp_ctx, "ncacn_ip_tcp:[135]",
2608 if (!NT_STATUS_IS_OK(status)) {
2612 status = dcerpc_binding_set_abstract_syntax(map_binding,
2614 if (!NT_STATUS_IS_OK(status)) {
2618 map_tower = talloc_zero(tmp_ctx, struct epm_twr_t);
2619 if (map_tower == NULL) {
2620 status = NT_STATUS_NO_MEMORY;
2624 status = dcerpc_binding_build_tower(tmp_ctx, map_binding,
2625 &(map_tower->tower));
2626 if (!NT_STATUS_IS_OK(status)) {
2630 /* allocate further parameters for the epm_Map call */
2632 res_towers = talloc_array(tmp_ctx, struct epm_twr_t, max_towers);
2633 if (res_towers == NULL) {
2634 status = NT_STATUS_NO_MEMORY;
2637 towers.twr = res_towers;
2639 entry_handle = talloc_zero(tmp_ctx, struct policy_handle);
2640 if (entry_handle == NULL) {
2641 status = NT_STATUS_NO_MEMORY;
2645 /* ask the endpoint mapper for the port */
2647 status = dcerpc_epm_Map(epm_handle,
2649 discard_const_p(struct GUID,
2650 &(table->syntax_id.uuid)),
2658 if (!NT_STATUS_IS_OK(status)) {
2662 if (result != EPMAPPER_STATUS_OK) {
2663 status = NT_STATUS_UNSUCCESSFUL;
2667 if (num_towers != 1) {
2668 status = NT_STATUS_UNSUCCESSFUL;
2672 /* extract the port from the answer */
2674 status = dcerpc_binding_from_tower(tmp_ctx,
2675 &(towers.twr->tower),
2677 if (!NT_STATUS_IS_OK(status)) {
2681 transport = dcerpc_binding_get_transport(res_binding);
2682 endpoint = dcerpc_binding_get_string_option(res_binding, "endpoint");
2684 /* are further checks here necessary? */
2685 if (transport != NCACN_IP_TCP) {
2686 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
2690 if (endpoint == NULL) {
2691 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
2695 *pport = (uint16_t)atoi(endpoint);
2698 TALLOC_FREE(tmp_ctx);
2703 * Create a rpc pipe client struct, connecting to a host via tcp.
2704 * The port is determined by asking the endpoint mapper on the given
2707 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
2708 const struct sockaddr_storage *addr,
2709 const struct ndr_interface_table *table,
2710 struct rpc_pipe_client **presult)
2715 status = rpc_pipe_get_tcp_port(host, addr, table, &port);
2716 if (!NT_STATUS_IS_OK(status)) {
2720 return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
2724 /********************************************************************
2725 Create a rpc pipe client struct, connecting to a unix domain socket
2726 ********************************************************************/
2727 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
2728 const struct ndr_interface_table *table,
2729 struct rpc_pipe_client **presult)
2731 struct rpc_pipe_client *result;
2732 struct sockaddr_un addr;
2737 result = talloc_zero(mem_ctx, struct rpc_pipe_client);
2738 if (result == NULL) {
2739 return NT_STATUS_NO_MEMORY;
2742 result->abstract_syntax = table->syntax_id;
2743 result->transfer_syntax = ndr_transfer_syntax_ndr;
2745 result->desthost = get_myname(result);
2746 result->srv_name_slash = talloc_asprintf_strupper_m(
2747 result, "\\\\%s", result->desthost);
2748 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2749 status = NT_STATUS_NO_MEMORY;
2753 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2754 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2756 fd = socket(AF_UNIX, SOCK_STREAM, 0);
2758 status = map_nt_error_from_unix(errno);
2763 addr.sun_family = AF_UNIX;
2764 strlcpy(addr.sun_path, socket_path, sizeof(addr.sun_path));
2765 salen = sizeof(struct sockaddr_un);
2767 if (connect(fd, (struct sockaddr *)(void *)&addr, salen) == -1) {
2768 DEBUG(0, ("connect(%s) failed: %s\n", socket_path,
2771 return map_nt_error_from_unix(errno);
2774 status = rpc_transport_sock_init(result, fd, &result->transport);
2775 if (!NT_STATUS_IS_OK(status)) {
2780 result->transport->transport = NCALRPC;
2782 result->binding_handle = rpccli_bh_create(result, NULL, table);
2783 if (result->binding_handle == NULL) {
2784 TALLOC_FREE(result);
2785 return NT_STATUS_NO_MEMORY;
2789 return NT_STATUS_OK;
2792 TALLOC_FREE(result);
2796 struct rpc_pipe_client_np_ref {
2797 struct cli_state *cli;
2798 struct rpc_pipe_client *pipe;
2801 static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_ref)
2803 DLIST_REMOVE(np_ref->cli->pipe_list, np_ref->pipe);
2807 /****************************************************************************
2808 Open a named pipe over SMB to a remote server.
2810 * CAVEAT CALLER OF THIS FUNCTION:
2811 * The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
2812 * so be sure that this function is called AFTER any structure (vs pointer)
2813 * assignment of the cli. In particular, libsmbclient does structure
2814 * assignments of cli, which invalidates the data in the returned
2815 * rpc_pipe_client if this function is called before the structure assignment
2818 ****************************************************************************/
2820 static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
2821 const struct ndr_interface_table *table,
2822 struct rpc_pipe_client **presult)
2824 struct rpc_pipe_client *result;
2826 struct rpc_pipe_client_np_ref *np_ref;
2828 /* sanity check to protect against crashes */
2831 return NT_STATUS_INVALID_HANDLE;
2834 result = talloc_zero(NULL, struct rpc_pipe_client);
2835 if (result == NULL) {
2836 return NT_STATUS_NO_MEMORY;
2839 result->abstract_syntax = table->syntax_id;
2840 result->transfer_syntax = ndr_transfer_syntax_ndr;
2841 result->desthost = talloc_strdup(result, smbXcli_conn_remote_name(cli->conn));
2842 result->srv_name_slash = talloc_asprintf_strupper_m(
2843 result, "\\\\%s", result->desthost);
2845 result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
2846 result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
2848 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
2849 TALLOC_FREE(result);
2850 return NT_STATUS_NO_MEMORY;
2853 status = rpc_transport_np_init(result, cli, table,
2854 &result->transport);
2855 if (!NT_STATUS_IS_OK(status)) {
2856 TALLOC_FREE(result);
2860 result->transport->transport = NCACN_NP;
2862 np_ref = talloc(result->transport, struct rpc_pipe_client_np_ref);
2863 if (np_ref == NULL) {
2864 TALLOC_FREE(result);
2865 return NT_STATUS_NO_MEMORY;
2868 np_ref->pipe = result;
2870 DLIST_ADD(np_ref->cli->pipe_list, np_ref->pipe);
2871 talloc_set_destructor(np_ref, rpc_pipe_client_np_ref_destructor);
2873 result->binding_handle = rpccli_bh_create(result, NULL, table);
2874 if (result->binding_handle == NULL) {
2875 TALLOC_FREE(result);
2876 return NT_STATUS_NO_MEMORY;
2880 return NT_STATUS_OK;
2883 /****************************************************************************
2884 Open a pipe to a remote server.
2885 ****************************************************************************/
2887 static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
2888 enum dcerpc_transport_t transport,
2889 const struct ndr_interface_table *table,
2890 struct rpc_pipe_client **presult)
2892 switch (transport) {
2894 return rpc_pipe_open_tcp(NULL,
2895 smbXcli_conn_remote_name(cli->conn),
2896 smbXcli_conn_remote_sockaddr(cli->conn),
2899 return rpc_pipe_open_np(cli, table, presult);
2901 return NT_STATUS_NOT_IMPLEMENTED;
2905 /****************************************************************************
2906 Open a named pipe to an SMB server and bind anonymously.
2907 ****************************************************************************/
2909 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
2910 enum dcerpc_transport_t transport,
2911 const struct ndr_interface_table *table,
2912 struct rpc_pipe_client **presult)
2914 struct rpc_pipe_client *result;
2915 struct pipe_auth_data *auth;
2918 status = cli_rpc_pipe_open(cli, transport, table, &result);
2919 if (!NT_STATUS_IS_OK(status)) {
2923 status = rpccli_anon_bind_data(result, &auth);
2924 if (!NT_STATUS_IS_OK(status)) {
2925 DEBUG(0, ("rpccli_anon_bind_data returned %s\n",
2926 nt_errstr(status)));
2927 TALLOC_FREE(result);
2932 * This is a bit of an abstraction violation due to the fact that an
2933 * anonymous bind on an authenticated SMB inherits the user/domain
2934 * from the enclosing SMB creds
2937 if (transport == NCACN_NP) {
2938 struct smbXcli_session *session;
2940 if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
2941 session = cli->smb2.session;
2943 session = cli->smb1.session;
2946 status = smbXcli_session_application_key(session, auth,
2947 &auth->transport_session_key);
2948 if (!NT_STATUS_IS_OK(status)) {
2949 auth->transport_session_key = data_blob_null;
2953 status = rpc_pipe_bind(result, auth);
2954 if (!NT_STATUS_IS_OK(status)) {
2956 if (ndr_syntax_id_equal(&table->syntax_id,
2957 &ndr_table_dssetup.syntax_id)) {
2958 /* non AD domains just don't have this pipe, avoid
2959 * level 0 statement in that case - gd */
2962 DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
2963 "%s failed with error %s\n",
2965 nt_errstr(status) ));
2966 TALLOC_FREE(result);
2970 DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
2971 "%s and bound anonymously.\n",
2976 return NT_STATUS_OK;
2979 /****************************************************************************
2980 ****************************************************************************/
2982 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
2983 const struct ndr_interface_table *table,
2984 struct rpc_pipe_client **presult)
2986 return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
2990 /****************************************************************************
2991 Open a named pipe to an SMB server and bind using the mech specified
2993 This routine references the creds pointer that is passed in
2994 ****************************************************************************/
2996 NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli,
2997 const struct ndr_interface_table *table,
2998 enum dcerpc_transport_t transport,
2999 enum dcerpc_AuthType auth_type,
3000 enum dcerpc_AuthLevel auth_level,
3002 struct cli_credentials *creds,
3003 struct rpc_pipe_client **presult)
3005 struct rpc_pipe_client *result;
3006 struct pipe_auth_data *auth = NULL;
3007 const char *target_service = table->authservices->names[0];
3011 status = cli_rpc_pipe_open(cli, transport, table, &result);
3012 if (!NT_STATUS_IS_OK(status)) {
3016 status = rpccli_generic_bind_data_from_creds(result,
3017 auth_type, auth_level,
3018 server, target_service,
3021 if (!NT_STATUS_IS_OK(status)) {
3022 DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
3023 nt_errstr(status)));
3027 status = rpc_pipe_bind(result, auth);
3028 if (!NT_STATUS_IS_OK(status)) {
3029 DEBUG(0, ("cli_rpc_pipe_open_generic_auth: cli_rpc_pipe_bind failed with error %s\n",
3030 nt_errstr(status) ));
3034 DEBUG(10,("cli_rpc_pipe_open_generic_auth: opened pipe %s to "
3035 "machine %s and bound as user %s.\n", table->name,
3036 result->desthost, cli_credentials_get_unparsed_name(creds, talloc_tos())));
3039 return NT_STATUS_OK;
3043 TALLOC_FREE(result);
3047 /****************************************************************************
3048 Open a named pipe to an SMB server and bind using the mech specified
3050 This routine steals the creds pointer that is passed in
3051 ****************************************************************************/
3053 NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
3054 const struct ndr_interface_table *table,
3055 enum dcerpc_transport_t transport,
3056 enum credentials_use_kerberos use_kerberos,
3057 enum dcerpc_AuthType auth_type,
3058 enum dcerpc_AuthLevel auth_level,
3061 const char *username,
3062 const char *password,
3063 struct rpc_pipe_client **presult)
3065 struct rpc_pipe_client *result;
3066 struct pipe_auth_data *auth = NULL;
3067 const char *target_service = table->authservices->names[0];
3071 status = cli_rpc_pipe_open(cli, transport, table, &result);
3072 if (!NT_STATUS_IS_OK(status)) {
3076 status = rpccli_generic_bind_data(result,
3077 auth_type, auth_level,
3078 server, target_service,
3079 domain, username, password,
3080 CRED_AUTO_USE_KERBEROS,
3083 if (!NT_STATUS_IS_OK(status)) {
3084 DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
3085 nt_errstr(status)));
3089 status = rpc_pipe_bind(result, auth);
3090 if (!NT_STATUS_IS_OK(status)) {
3091 DEBUG(0, ("cli_rpc_pipe_open_generic_auth: cli_rpc_pipe_bind failed with error %s\n",
3092 nt_errstr(status) ));
3096 DEBUG(10,("cli_rpc_pipe_open_generic_auth: opened pipe %s to "
3097 "machine %s and bound as user %s\\%s.\n", table->name,
3098 result->desthost, domain, username));
3101 return NT_STATUS_OK;
3105 TALLOC_FREE(result);
3109 NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
3110 const struct ndr_interface_table *table,
3111 enum dcerpc_transport_t transport,
3112 struct cli_credentials *cli_creds,
3113 struct netlogon_creds_cli_context *netlogon_creds,
3114 struct rpc_pipe_client **_rpccli)
3116 struct rpc_pipe_client *rpccli;
3117 struct pipe_auth_data *rpcauth;
3118 const char *target_service = table->authservices->names[0];
3119 struct netlogon_creds_CredentialState *ncreds = NULL;
3120 enum dcerpc_AuthLevel auth_level;
3122 int rpc_pipe_bind_dbglvl = 0;
3124 status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
3125 if (!NT_STATUS_IS_OK(status)) {
3129 status = netlogon_creds_cli_lock(netlogon_creds, rpccli, &ncreds);
3130 if (!NT_STATUS_IS_OK(status)) {
3131 DEBUG(0, ("netlogon_creds_cli_get returned %s\n",
3132 nt_errstr(status)));
3133 TALLOC_FREE(rpccli);
3137 auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
3139 cli_credentials_set_netlogon_creds(cli_creds, ncreds);
3141 status = rpccli_generic_bind_data_from_creds(rpccli,
3142 DCERPC_AUTH_TYPE_SCHANNEL,
3148 if (!NT_STATUS_IS_OK(status)) {
3149 DEBUG(0, ("rpccli_generic_bind_data_from_creds returned %s\n",
3150 nt_errstr(status)));
3151 TALLOC_FREE(rpccli);
3155 status = rpc_pipe_bind(rpccli, rpcauth);
3156 cli_credentials_set_netlogon_creds(cli_creds, NULL);
3157 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
3158 rpc_pipe_bind_dbglvl = 1;
3159 netlogon_creds_cli_delete(netlogon_creds, &ncreds);
3161 if (!NT_STATUS_IS_OK(status)) {
3162 DEBUG(rpc_pipe_bind_dbglvl,
3163 ("%s: rpc_pipe_bind failed with error %s\n",
3164 __func__, nt_errstr(status)));
3165 TALLOC_FREE(rpccli);
3169 TALLOC_FREE(ncreds);
3171 if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
3175 status = netlogon_creds_cli_check(netlogon_creds,
3176 rpccli->binding_handle);
3177 if (!NT_STATUS_IS_OK(status)) {
3178 DEBUG(0, ("netlogon_creds_cli_check failed with %s\n",
3179 nt_errstr(status)));
3180 TALLOC_FREE(rpccli);
3186 DEBUG(10,("%s: opened pipe %s to machine %s "
3187 "for domain %s and bound using schannel.\n",
3188 __func__, table->name,
3189 rpccli->desthost, cli_credentials_get_domain(cli_creds)));
3192 return NT_STATUS_OK;
3195 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
3196 struct rpc_pipe_client *cli,
3197 DATA_BLOB *session_key)
3200 struct pipe_auth_data *a;
3201 struct gensec_security *gensec_security;
3202 DATA_BLOB sk = data_blob_null;
3203 bool make_dup = false;
3205 if (!session_key || !cli) {
3206 return NT_STATUS_INVALID_PARAMETER;
3212 return NT_STATUS_INVALID_PARAMETER;
3215 switch (cli->auth->auth_type) {
3216 case DCERPC_AUTH_TYPE_NONE:
3217 sk = data_blob_const(a->transport_session_key.data,
3218 a->transport_session_key.length);
3222 gensec_security = a->auth_ctx;
3223 status = gensec_session_key(gensec_security, mem_ctx, &sk);
3224 if (!NT_STATUS_IS_OK(status)) {
3232 return NT_STATUS_NO_USER_SESSION_KEY;
3236 *session_key = data_blob_dup_talloc(mem_ctx, sk);
3241 return NT_STATUS_OK;