Context Navigation

source: branches/samba-3.2.x/source/rpc_client/cli_pipe.c

Visit:

Last change on this file was 228, checked in by Herwig Bauernfeind, 16 years ago
Update 3.2 branch to 3.2.6
File size: 84.7 KB

Line
1	/*
2	* Unix SMB/CIFS implementation.
3	* RPC Pipe client / server routines
4	* Largely rewritten by Jeremy Allison 2005.
5	*
6	* This program is free software; you can redistribute it and/or modify
7	* it under the terms of the GNU General Public License as published by
8	* the Free Software Foundation; either version 3 of the License, or
9	* (at your option) any later version.
10	*
11	* This program is distributed in the hope that it will be useful,
12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	* GNU General Public License for more details.
15	*
16	* You should have received a copy of the GNU General Public License
17	* along with this program; if not, see <http://www.gnu.org/licenses/>.
18	*/
19
20	#include "includes.h"
21
22	#undef DBGC_CLASS
23	#define DBGC_CLASS DBGC_RPC_CLI
24
25	extern struct pipe_id_info pipe_names[];
26
27	/********************************************************************
28	Map internal value to wire value.
29	********************************************************************/
30
31	static int map_pipe_auth_type_to_rpc_auth_type(enum pipe_auth_type auth_type)
32	{
33	switch (auth_type) {
34
35	case PIPE_AUTH_TYPE_NONE:
36	return RPC_ANONYMOUS_AUTH_TYPE;
37
38	case PIPE_AUTH_TYPE_NTLMSSP:
39	return RPC_NTLMSSP_AUTH_TYPE;
40
41	case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
42	case PIPE_AUTH_TYPE_SPNEGO_KRB5:
43	return RPC_SPNEGO_AUTH_TYPE;
44
45	case PIPE_AUTH_TYPE_SCHANNEL:
46	return RPC_SCHANNEL_AUTH_TYPE;
47
48	case PIPE_AUTH_TYPE_KRB5:
49	return RPC_KRB5_AUTH_TYPE;
50
51	default:
52	DEBUG(0,("map_pipe_auth_type_to_rpc_type: unknown pipe "
53	"auth type %u\n",
54	(unsigned int)auth_type ));
55	break;
56	}
57	return -1;
58	}
59
60	/********************************************************************
61	Rpc pipe call id.
62	********************************************************************/
63
64	static uint32 get_rpc_call_id(void)
65	{
66	static uint32 call_id = 0;
67	return ++call_id;
68	}
69
70	/*******************************************************************
71	Use SMBreadX to get rest of one fragment's worth of rpc data.
72	Will expand the current_pdu struct to the correct size.
73	********************************************************************/
74
75	static NTSTATUS rpc_read(struct rpc_pipe_client *cli,
76	prs_struct *current_pdu,
77	uint32 data_to_read,
78	uint32 *current_pdu_offset)
79	{
80	size_t size = (size_t)cli->max_recv_frag;
81	uint32 stream_offset = 0;
82	ssize_t num_read;
83	char *pdata;
84	ssize_t extra_data_size = ((ssize_t)*current_pdu_offset) + ((ssize_t)data_to_read) - (ssize_t)prs_data_size(current_pdu);
85
86	DEBUG(5,("rpc_read: data_to_read: %u current_pdu offset: %u extra_data_size: %d\n",
87	(unsigned int)data_to_read, (unsigned int)*current_pdu_offset, (int)extra_data_size ));
88
89	/*
90	* Grow the buffer if needed to accommodate the data to be read.
91	*/
92
93	if (extra_data_size > 0) {
94	if(!prs_force_grow(current_pdu, (uint32)extra_data_size)) {
95	DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", (int)extra_data_size ));
96	return NT_STATUS_NO_MEMORY;
97	}
98	DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", (int)extra_data_size, prs_data_size(current_pdu) ));
99	}
100
101	pdata = prs_data_p(current_pdu) + *current_pdu_offset;
102
103	do {
104	/* read data using SMBreadX */
105	if (size > (size_t)data_to_read) {
106	size = (size_t)data_to_read;
107	}
108
109	num_read = cli_read(cli->cli, cli->fnum, pdata,
110	(off_t)stream_offset, size);
111
112	DEBUG(5,("rpc_read: num_read = %d, read offset: %u, to read: %u\n",
113	(int)num_read, (unsigned int)stream_offset, (unsigned int)data_to_read));
114
115	/*
116	* A dos error of ERRDOS/ERRmoredata is not an error.
117	*/
118	if (cli_is_dos_error(cli->cli)) {
119	uint32 ecode;
120	uint8 eclass;
121	cli_dos_error(cli->cli, &eclass, &ecode);
122	if (eclass != ERRDOS && ecode != ERRmoredata) {
123	DEBUG(0,("rpc_read: DOS Error %d/%u (%s) in cli_read on pipe %s\n",
124	eclass, (unsigned int)ecode,
125	cli_errstr(cli->cli),
126	cli->pipe_name ));
127	return dos_to_ntstatus(eclass, ecode);
128	}
129	}
130
131	/*
132	* Likewise for NT_STATUS_BUFFER_TOO_SMALL
133	*/
134	if (cli_is_nt_error(cli->cli)) {
135	if (!NT_STATUS_EQUAL(cli_nt_error(cli->cli), NT_STATUS_BUFFER_TOO_SMALL)) {
136	DEBUG(0,("rpc_read: Error (%s) in cli_read on pipe %s\n",
137	nt_errstr(cli_nt_error(cli->cli)),
138	cli->pipe_name ));
139	return cli_nt_error(cli->cli);
140	}
141	}
142
143	if (num_read == -1) {
144	DEBUG(0,("rpc_read: Error - cli_read on pipe %s returned -1\n",
145	cli->pipe_name ));
146	return cli_get_nt_error(cli->cli);
147	}
148
149	data_to_read -= num_read;
150	stream_offset += num_read;
151	pdata += num_read;
152
153	} while (num_read > 0 && data_to_read > 0);
154	/* && err == (0x80000000 \| STATUS_BUFFER_OVERFLOW)); */
155
156	/*
157	* Update the current offset into current_pdu by the amount read.
158	*/
159	*current_pdu_offset += stream_offset;
160	return NT_STATUS_OK;
161	}
162
163	/****************************************************************************
164	Try and get a PDU's worth of data from current_pdu. If not, then read more
165	from the wire.
166	****************************************************************************/
167
168	static NTSTATUS cli_pipe_get_current_pdu(struct rpc_pipe_client cli, RPC_HDR prhdr, prs_struct *current_pdu)
169	{
170	NTSTATUS ret = NT_STATUS_OK;
171	uint32 current_pdu_len = prs_data_size(current_pdu);
172
173	/* Ensure we have at least RPC_HEADER_LEN worth of data to parse. */
174	if (current_pdu_len < RPC_HEADER_LEN) {
175	/* rpc_read expands the current_pdu struct as neccessary. */
176	ret = rpc_read(cli, current_pdu, RPC_HEADER_LEN - current_pdu_len, &current_pdu_len);
177	if (!NT_STATUS_IS_OK(ret)) {
178	return ret;
179	}
180	}
181
182	/* This next call sets the endian bit correctly in current_pdu. */
183	/* We will propagate this to rbuf later. */
184	if(!smb_io_rpc_hdr("rpc_hdr ", prhdr, current_pdu, 0)) {
185	DEBUG(0,("cli_pipe_get_current_pdu: Failed to unmarshall RPC_HDR.\n"));
186	return NT_STATUS_BUFFER_TOO_SMALL;
187	}
188
189	/* Ensure we have frag_len bytes of data. */
190	if (current_pdu_len < prhdr->frag_len) {
191	/* rpc_read expands the current_pdu struct as neccessary. */
192	ret = rpc_read(cli, current_pdu, (uint32)prhdr->frag_len - current_pdu_len, &current_pdu_len);
193	if (!NT_STATUS_IS_OK(ret)) {
194	return ret;
195	}
196	}
197
198	if (current_pdu_len < prhdr->frag_len) {
199	return NT_STATUS_BUFFER_TOO_SMALL;
200	}
201
202	return NT_STATUS_OK;
203	}
204
205	/****************************************************************************
206	NTLMSSP specific sign/seal.
207	Virtually identical to rpc_server/srv_pipe.c:api_pipe_ntlmssp_auth_process.
208	In fact I should probably abstract these into identical pieces of code... JRA.
209	****************************************************************************/
210
211	static NTSTATUS cli_pipe_verify_ntlmssp(struct rpc_pipe_client cli, RPC_HDR prhdr,
212	prs_struct *current_pdu,
213	uint8 *p_ss_padding_len)
214	{
215	RPC_HDR_AUTH auth_info;
216	uint32 save_offset = prs_offset(current_pdu);
217	uint32 auth_len = prhdr->auth_len;
218	NTLMSSP_STATE *ntlmssp_state = cli->auth.a_u.ntlmssp_state;
219	unsigned char *data = NULL;
220	size_t data_len;
221	unsigned char *full_packet_data = NULL;
222	size_t full_packet_data_len;
223	DATA_BLOB auth_blob;
224	NTSTATUS status;
225
226	if (cli->auth.auth_level == PIPE_AUTH_LEVEL_NONE \|\| cli->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
227	return NT_STATUS_OK;
228	}
229
230	if (!ntlmssp_state) {
231	return NT_STATUS_INVALID_PARAMETER;
232	}
233
234	/* Ensure there's enough data for an authenticated response. */
235	if ((auth_len > RPC_MAX_SIGN_SIZE) \|\|
236	(RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_AUTH_LEN + auth_len > prhdr->frag_len)) {
237	DEBUG(0,("cli_pipe_verify_ntlmssp: auth_len %u is too large.\n",
238	(unsigned int)auth_len ));
239	return NT_STATUS_BUFFER_TOO_SMALL;
240	}
241
242	/*
243	* We need the full packet data + length (minus auth stuff) as well as the packet data + length
244	* after the RPC header.
245	* We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
246	* functions as NTLMv2 checks the rpc headers also.
247	*/
248
249	data = (unsigned char *)(prs_data_p(current_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN);
250	data_len = (size_t)(prhdr->frag_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len);
251
252	full_packet_data = (unsigned char *)prs_data_p(current_pdu);
253	full_packet_data_len = prhdr->frag_len - auth_len;
254
255	/* Pull the auth header and the following data into a blob. */
256	if(!prs_set_offset(current_pdu, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len)) {
257	DEBUG(0,("cli_pipe_verify_ntlmssp: cannot move offset to %u.\n",
258	(unsigned int)RPC_HEADER_LEN + (unsigned int)RPC_HDR_RESP_LEN + (unsigned int)data_len ));
259	return NT_STATUS_BUFFER_TOO_SMALL;
260	}
261
262	if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, current_pdu, 0)) {
263	DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unmarshall RPC_HDR_AUTH.\n"));
264	return NT_STATUS_BUFFER_TOO_SMALL;
265	}
266
267	auth_blob.data = (unsigned char *)prs_data_p(current_pdu) + prs_offset(current_pdu);
268	auth_blob.length = auth_len;
269
270	switch (cli->auth.auth_level) {
271	case PIPE_AUTH_LEVEL_PRIVACY:
272	/* Data is encrypted. */
273	status = ntlmssp_unseal_packet(ntlmssp_state,
274	data, data_len,
275	full_packet_data,
276	full_packet_data_len,
277	&auth_blob);
278	if (!NT_STATUS_IS_OK(status)) {
279	DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unseal "
280	"packet from remote machine %s on pipe %s "
281	"fnum 0x%x. Error was %s.\n",
282	cli->cli->desthost,
283	cli->pipe_name,
284	(unsigned int)cli->fnum,
285	nt_errstr(status) ));
286	return status;
287	}
288	break;
289	case PIPE_AUTH_LEVEL_INTEGRITY:
290	/* Data is signed. */
291	status = ntlmssp_check_packet(ntlmssp_state,
292	data, data_len,
293	full_packet_data,
294	full_packet_data_len,
295	&auth_blob);
296	if (!NT_STATUS_IS_OK(status)) {
297	DEBUG(0,("cli_pipe_verify_ntlmssp: check signing failed on "
298	"packet from remote machine %s on pipe %s "
299	"fnum 0x%x. Error was %s.\n",
300	cli->cli->desthost,
301	cli->pipe_name,
302	(unsigned int)cli->fnum,
303	nt_errstr(status) ));
304	return status;
305	}
306	break;
307	default:
308	DEBUG(0,("cli_pipe_verify_ntlmssp: unknown internal auth level %d\n",
309	cli->auth.auth_level ));
310	return NT_STATUS_INVALID_INFO_CLASS;
311	}
312
313	/*
314	* Return the current pointer to the data offset.
315	*/
316
317	if(!prs_set_offset(current_pdu, save_offset)) {
318	DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
319	(unsigned int)save_offset ));
320	return NT_STATUS_BUFFER_TOO_SMALL;
321	}
322
323	/*
324	* Remember the padding length. We must remove it from the real data
325	* stream once the sign/seal is done.
326	*/
327
328	*p_ss_padding_len = auth_info.auth_pad_len;
329
330	return NT_STATUS_OK;
331	}
332
333	/****************************************************************************
334	schannel specific sign/seal.
335	****************************************************************************/
336
337	static NTSTATUS cli_pipe_verify_schannel(struct rpc_pipe_client cli, RPC_HDR prhdr,
338	prs_struct *current_pdu,
339	uint8 *p_ss_padding_len)
340	{
341	RPC_HDR_AUTH auth_info;
342	RPC_AUTH_SCHANNEL_CHK schannel_chk;
343	uint32 auth_len = prhdr->auth_len;
344	uint32 save_offset = prs_offset(current_pdu);
345	struct schannel_auth_struct *schannel_auth = cli->auth.a_u.schannel_auth;
346	uint32 data_len;
347
348	if (cli->auth.auth_level == PIPE_AUTH_LEVEL_NONE \|\| cli->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
349	return NT_STATUS_OK;
350	}
351
352	if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
353	DEBUG(0,("cli_pipe_verify_schannel: auth_len %u.\n", (unsigned int)auth_len ));
354	return NT_STATUS_INVALID_PARAMETER;
355	}
356
357	if (!schannel_auth) {
358	return NT_STATUS_INVALID_PARAMETER;
359	}
360
361	/* Ensure there's enough data for an authenticated response. */
362	if ((auth_len > RPC_MAX_SIGN_SIZE) \|\|
363	(RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_AUTH_LEN + auth_len > prhdr->frag_len)) {
364	DEBUG(0,("cli_pipe_verify_schannel: auth_len %u is too large.\n",
365	(unsigned int)auth_len ));
366	return NT_STATUS_INVALID_PARAMETER;
367	}
368
369	data_len = prhdr->frag_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
370
371	if(!prs_set_offset(current_pdu, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len)) {
372	DEBUG(0,("cli_pipe_verify_schannel: cannot move offset to %u.\n",
373	(unsigned int)RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len ));
374	return NT_STATUS_BUFFER_TOO_SMALL;
375	}
376
377	if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, current_pdu, 0)) {
378	DEBUG(0,("cli_pipe_verify_schannel: failed to unmarshall RPC_HDR_AUTH.\n"));
379	return NT_STATUS_BUFFER_TOO_SMALL;
380	}
381
382	if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
383	DEBUG(0,("cli_pipe_verify_schannel: Invalid auth info %d on schannel\n",
384	auth_info.auth_type));
385	return NT_STATUS_BUFFER_TOO_SMALL;
386	}
387
388	if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
389	&schannel_chk, current_pdu, 0)) {
390	DEBUG(0,("cli_pipe_verify_schannel: failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
391	return NT_STATUS_BUFFER_TOO_SMALL;
392	}
393
394	if (!schannel_decode(schannel_auth,
395	cli->auth.auth_level,
396	SENDER_IS_ACCEPTOR,
397	&schannel_chk,
398	prs_data_p(current_pdu)+RPC_HEADER_LEN+RPC_HDR_RESP_LEN,
399	data_len)) {
400	DEBUG(3,("cli_pipe_verify_schannel: failed to decode PDU "
401	"Connection to remote machine %s "
402	"pipe %s fnum 0x%x.\n",
403	cli->cli->desthost,
404	cli->pipe_name,
405	(unsigned int)cli->fnum ));
406	return NT_STATUS_INVALID_PARAMETER;
407	}
408
409	/* The sequence number gets incremented on both send and receive. */
410	schannel_auth->seq_num++;
411
412	/*
413	* Return the current pointer to the data offset.
414	*/
415
416	if(!prs_set_offset(current_pdu, save_offset)) {
417	DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
418	(unsigned int)save_offset ));
419	return NT_STATUS_BUFFER_TOO_SMALL;
420	}
421
422	/*
423	* Remember the padding length. We must remove it from the real data
424	* stream once the sign/seal is done.
425	*/
426
427	*p_ss_padding_len = auth_info.auth_pad_len;
428
429	return NT_STATUS_OK;
430	}
431
432	/****************************************************************************
433	Do the authentication checks on an incoming pdu. Check sign and unseal etc.
434	****************************************************************************/
435
436	static NTSTATUS cli_pipe_validate_rpc_response(struct rpc_pipe_client cli, RPC_HDR prhdr,
437	prs_struct *current_pdu,
438	uint8 *p_ss_padding_len)
439	{
440	NTSTATUS ret = NT_STATUS_OK;
441
442	/* Paranioa checks for auth_len. */
443	if (prhdr->auth_len) {
444	if (prhdr->auth_len > prhdr->frag_len) {
445	return NT_STATUS_INVALID_PARAMETER;
446	}
447
448	if (prhdr->auth_len + (unsigned int)RPC_HDR_AUTH_LEN < prhdr->auth_len \|\|
449	prhdr->auth_len + (unsigned int)RPC_HDR_AUTH_LEN < (unsigned int)RPC_HDR_AUTH_LEN) {
450	/* Integer wrap attempt. */
451	return NT_STATUS_INVALID_PARAMETER;
452	}
453	}
454
455	/*
456	* Now we have a complete RPC request PDU fragment, try and verify any auth data.
457	*/
458
459	switch(cli->auth.auth_type) {
460	case PIPE_AUTH_TYPE_NONE:
461	if (prhdr->auth_len) {
462	DEBUG(3, ("cli_pipe_validate_rpc_response: Connection to remote machine %s "
463	"pipe %s fnum 0x%x - got non-zero auth len %u.\n",
464	cli->cli->desthost,
465	cli->pipe_name,
466	(unsigned int)cli->fnum,
467	(unsigned int)prhdr->auth_len ));
468	return NT_STATUS_INVALID_PARAMETER;
469	}
470	break;
471
472	case PIPE_AUTH_TYPE_NTLMSSP:
473	case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
474	ret = cli_pipe_verify_ntlmssp(cli, prhdr, current_pdu, p_ss_padding_len);
475	if (!NT_STATUS_IS_OK(ret)) {
476	return ret;
477	}
478	break;
479
480	case PIPE_AUTH_TYPE_SCHANNEL:
481	ret = cli_pipe_verify_schannel(cli, prhdr, current_pdu, p_ss_padding_len);
482	if (!NT_STATUS_IS_OK(ret)) {
483	return ret;
484	}
485	break;
486
487	case PIPE_AUTH_TYPE_KRB5:
488	case PIPE_AUTH_TYPE_SPNEGO_KRB5:
489	default:
490	DEBUG(3, ("cli_pipe_validate_rpc_response: Connection to remote machine %s "
491	"pipe %s fnum %x - unknown internal auth type %u.\n",
492	cli->cli->desthost,
493	cli->pipe_name,
494	(unsigned int)cli->fnum,
495	cli->auth.auth_type ));
496	return NT_STATUS_INVALID_INFO_CLASS;
497	}
498
499	return NT_STATUS_OK;
500	}
501
502	/****************************************************************************
503	Do basic authentication checks on an incoming pdu.
504	****************************************************************************/
505
506	static NTSTATUS cli_pipe_validate_current_pdu(struct rpc_pipe_client cli, RPC_HDR prhdr,
507	prs_struct *current_pdu,
508	uint8 expected_pkt_type,
509	char **ppdata,
510	uint32 *pdata_len,
511	prs_struct *return_data)
512	{
513
514	NTSTATUS ret = NT_STATUS_OK;
515	uint32 current_pdu_len = prs_data_size(current_pdu);
516
517	if (current_pdu_len != prhdr->frag_len) {
518	DEBUG(5,("cli_pipe_validate_current_pdu: incorrect pdu length %u, expected %u\n",
519	(unsigned int)current_pdu_len, (unsigned int)prhdr->frag_len ));
520	return NT_STATUS_INVALID_PARAMETER;
521	}
522
523	/*
524	* Point the return values at the real data including the RPC
525	* header. Just in case the caller wants it.
526	*/
527	*ppdata = prs_data_p(current_pdu);
528	*pdata_len = current_pdu_len;
529
530	/* Ensure we have the correct type. */
531	switch (prhdr->pkt_type) {
532	case RPC_ALTCONTRESP:
533	case RPC_BINDACK:
534
535	/* Alter context and bind ack share the same packet definitions. */
536	break;
537
538
539	case RPC_RESPONSE:
540	{
541	RPC_HDR_RESP rhdr_resp;
542	uint8 ss_padding_len = 0;
543
544	if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, current_pdu, 0)) {
545	DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_RESP.\n"));
546	return NT_STATUS_BUFFER_TOO_SMALL;
547	}
548
549	/* Here's where we deal with incoming sign/seal. */
550	ret = cli_pipe_validate_rpc_response(cli, prhdr,
551	current_pdu, &ss_padding_len);
552	if (!NT_STATUS_IS_OK(ret)) {
553	return ret;
554	}
555
556	/* Point the return values at the NDR data. Remember to remove any ss padding. */
557	*ppdata = prs_data_p(current_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
558
559	if (current_pdu_len < RPC_HEADER_LEN + RPC_HDR_RESP_LEN + ss_padding_len) {
560	return NT_STATUS_BUFFER_TOO_SMALL;
561	}
562
563	*pdata_len = current_pdu_len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - ss_padding_len;
564
565	/* Remember to remove the auth footer. */
566	if (prhdr->auth_len) {
567	/* We've already done integer wrap tests on auth_len in
568	cli_pipe_validate_rpc_response(). */
569	if (*pdata_len < RPC_HDR_AUTH_LEN + prhdr->auth_len) {
570	return NT_STATUS_BUFFER_TOO_SMALL;
571	}
572	*pdata_len -= (RPC_HDR_AUTH_LEN + prhdr->auth_len);
573	}
574
575	DEBUG(10,("cli_pipe_validate_current_pdu: got pdu len %u, data_len %u, ss_len %u\n",
576	current_pdu_len, *pdata_len, ss_padding_len ));
577
578	/*
579	* If this is the first reply, and the allocation hint is reasonably, try and
580	* set up the return_data parse_struct to the correct size.
581	*/
582
583	if ((prs_data_size(return_data) == 0) && rhdr_resp.alloc_hint && (rhdr_resp.alloc_hint < 1510241024)) {
584	if (!prs_set_buffer_size(return_data, rhdr_resp.alloc_hint)) {
585	DEBUG(0,("cli_pipe_validate_current_pdu: reply alloc hint %u "
586	"too large to allocate\n",
587	(unsigned int)rhdr_resp.alloc_hint ));
588	return NT_STATUS_NO_MEMORY;
589	}
590	}
591
592	break;
593	}
594
595	case RPC_BINDNACK:
596	DEBUG(1, ("cli_pipe_validate_current_pdu: Bind NACK received from remote machine %s "
597	"pipe %s fnum 0x%x!\n",
598	cli->cli->desthost,
599	cli->pipe_name,
600	(unsigned int)cli->fnum));
601	/* Use this for now... */
602	return NT_STATUS_NETWORK_ACCESS_DENIED;
603
604	case RPC_FAULT:
605	{
606	RPC_HDR_RESP rhdr_resp;
607	RPC_HDR_FAULT fault_resp;
608
609	if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, current_pdu, 0)) {
610	DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_RESP.\n"));
611	return NT_STATUS_BUFFER_TOO_SMALL;
612	}
613
614	if(!smb_io_rpc_hdr_fault("fault", &fault_resp, current_pdu, 0)) {
615	DEBUG(5,("cli_pipe_validate_current_pdu: failed to unmarshal RPC_HDR_FAULT.\n"));
616	return NT_STATUS_BUFFER_TOO_SMALL;
617	}
618
619	DEBUG(1, ("cli_pipe_validate_current_pdu: RPC fault code %s received from remote machine %s "
620	"pipe %s fnum 0x%x!\n",
621	dcerpc_errstr(NT_STATUS_V(fault_resp.status)),
622	cli->cli->desthost,
623	cli->pipe_name,
624	(unsigned int)cli->fnum));
625	if (NT_STATUS_IS_OK(fault_resp.status)) {
626	return NT_STATUS_UNSUCCESSFUL;
627	} else {
628	return fault_resp.status;
629	}
630
631	}
632
633	default:
634	DEBUG(0, ("cli_pipe_validate_current_pdu: unknown packet type %u received "
635	"from remote machine %s pipe %s fnum 0x%x!\n",
636	(unsigned int)prhdr->pkt_type,
637	cli->cli->desthost,
638	cli->pipe_name,
639	(unsigned int)cli->fnum));
640	return NT_STATUS_INVALID_INFO_CLASS;
641	}
642
643	if (prhdr->pkt_type != expected_pkt_type) {
644	DEBUG(3, ("cli_pipe_validate_current_pdu: Connection to remote machine %s "
645	"pipe %s fnum %x got an unexpected RPC packet "
646	"type - %u, not %u\n",
647	cli->cli->desthost,
648	cli->pipe_name,
649	(unsigned int)cli->fnum,
650	prhdr->pkt_type,
651	expected_pkt_type));
652	return NT_STATUS_INVALID_INFO_CLASS;
653	}
654
655	/* Do this just before return - we don't want to modify any rpc header
656	data before now as we may have needed to do cryptographic actions on
657	it before. */
658
659	if ((prhdr->pkt_type == RPC_BINDACK) && !(prhdr->flags & RPC_FLG_LAST)) {
660	DEBUG(5,("cli_pipe_validate_current_pdu: bug in server (AS/U?), "
661	"setting fragment first/last ON.\n"));
662	prhdr->flags \|= RPC_FLG_FIRST\|RPC_FLG_LAST;
663	}
664
665	return NT_STATUS_OK;
666	}
667
668	/****************************************************************************
669	Ensure we eat the just processed pdu from the current_pdu prs_struct.
670	Normally the frag_len and buffer size will match, but on the first trans
671	reply there is a theoretical chance that buffer size > frag_len, so we must
672	deal with that.
673	****************************************************************************/
674
675	static NTSTATUS cli_pipe_reset_current_pdu(struct rpc_pipe_client cli, RPC_HDR prhdr, prs_struct *current_pdu)
676	{
677	uint32 current_pdu_len = prs_data_size(current_pdu);
678
679	if (current_pdu_len < prhdr->frag_len) {
680	return NT_STATUS_BUFFER_TOO_SMALL;
681	}
682
683	/* Common case. */
684	if (current_pdu_len == (uint32)prhdr->frag_len) {
685	prs_mem_free(current_pdu);
686	prs_init_empty(current_pdu, prs_get_mem_context(current_pdu), UNMARSHALL);
687	/* Make current_pdu dynamic with no memory. */
688	prs_give_memory(current_pdu, 0, 0, True);
689	return NT_STATUS_OK;
690	}
691
692	/*
693	* Oh no ! More data in buffer than we processed in current pdu.
694	* Cheat. Move the data down and shrink the buffer.
695	*/
696
697	memcpy(prs_data_p(current_pdu), prs_data_p(current_pdu) + prhdr->frag_len,
698	current_pdu_len - prhdr->frag_len);
699
700	/* Remember to set the read offset back to zero. */
701	prs_set_offset(current_pdu, 0);
702
703	/* Shrink the buffer. */
704	if (!prs_set_buffer_size(current_pdu, current_pdu_len - prhdr->frag_len)) {
705	return NT_STATUS_BUFFER_TOO_SMALL;
706	}
707
708	return NT_STATUS_OK;
709	}
710
711	/****************************************************************************
712	Send data on an rpc pipe via trans. The prs_struct data must be the last
713	pdu fragment of an NDR data stream.
714
715	Receive response data from an rpc pipe, which may be large...
716
717	Read the first fragment: unfortunately have to use SMBtrans for the first
718	bit, then SMBreadX for subsequent bits.
719
720	If first fragment received also wasn't the last fragment, continue
721	getting fragments until we _do_ receive the last fragment.
722
723	Request/Response PDU's look like the following...
724
725	\|<------------------PDU len----------------------------------------------->\|
726	\|<-HDR_LEN-->\|<--REQ LEN------>\|.............\|<-AUTH_HDRLEN->\|<-AUTH_LEN-->\|
727
728	+------------+-----------------+-------------+---------------+-------------+
729	\| RPC HEADER \| REQ/RESP HEADER \| DATA ...... \| AUTH_HDR \| AUTH DATA \|
730	+------------+-----------------+-------------+---------------+-------------+
731
732	Where the presence of the AUTH_HDR and AUTH DATA are dependent on the
733	signing & sealing being negotiated.
734
735	****************************************************************************/
736
737	static NTSTATUS rpc_api_pipe(struct rpc_pipe_client *cli,
738	prs_struct data, / Outgoing pdu fragment, already formatted for send. */
739	prs_struct rbuf, / Incoming reply - return as an NDR stream. */
740	uint8 expected_pkt_type)
741	{
742	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
743	char *rparam = NULL;
744	uint32 rparam_len = 0;
745	uint16 setup[2];
746	char *pdata = prs_data_p(data);
747	uint32 data_len = prs_offset(data);
748	char *prdata = NULL;
749	uint32 rdata_len = 0;
750	uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : RPC_MAX_PDU_FRAG_LEN;
751	uint32 current_rbuf_offset = 0;
752	prs_struct current_pdu;
753
754	#ifdef DEVELOPER
755	/* Ensure we're not sending too much. */
756	SMB_ASSERT(data_len <= max_data);
757	#endif
758
759	/* Set up the current pdu parse struct. */
760	prs_init_empty(&current_pdu, prs_get_mem_context(rbuf), UNMARSHALL);
761
762	/* Create setup parameters - must be in native byte order. */
763	setup[0] = TRANSACT_DCERPCCMD;
764	setup[1] = cli->fnum; /* Pipe file handle. */
765
766	DEBUG(5,("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x\n",
767	cli->cli->desthost,
768	cli->pipe_name,
769	(unsigned int)cli->fnum ));
770
771	/*
772	* Send the last (or only) fragment of an RPC request. For small
773	* amounts of data (about 1024 bytes or so) the RPC request and response
774	* appears in a SMBtrans request and response.
775	*/
776
777	if (!cli_api_pipe(cli->cli, "\\PIPE\\",
778	setup, 2, 0, /* Setup, length, max */
779	NULL, 0, 0, /* Params, length, max */
780	pdata, data_len, max_data, /* data, length, max */
781	&rparam, &rparam_len, /* return params, len */
782	&prdata, &rdata_len)) /* return data, len */
783	{
784	DEBUG(0, ("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x "
785	"returned critical error. Error was %s\n",
786	cli->cli->desthost,
787	cli->pipe_name,
788	(unsigned int)cli->fnum,
789	cli_errstr(cli->cli)));
790	ret = cli_get_nt_error(cli->cli);
791	SAFE_FREE(rparam);
792	SAFE_FREE(prdata);
793	goto err;
794	}
795
796	/* Throw away returned params - we know we won't use them. */
797
798	SAFE_FREE(rparam);
799
800	if (prdata == NULL) {
801	DEBUG(3,("rpc_api_pipe: Remote machine %s pipe %s "
802	"fnum 0x%x failed to return data.\n",
803	cli->cli->desthost,
804	cli->pipe_name,
805	(unsigned int)cli->fnum));
806	/* Yes - some calls can truely return no data... */
807	prs_mem_free(&current_pdu);
808	return NT_STATUS_OK;
809	}
810
811	/*
812	* Give this memory as dynamic to the current pdu.
813	*/
814
815	prs_give_memory(&current_pdu, prdata, rdata_len, True);
816
817	/* Ensure we can mess with the return prs_struct. */
818	SMB_ASSERT(UNMARSHALLING(rbuf));
819	SMB_ASSERT(prs_data_size(rbuf) == 0);
820
821	/* Make rbuf dynamic with no memory. */
822	prs_give_memory(rbuf, 0, 0, True);
823
824	while(1) {
825	RPC_HDR rhdr;
826	char *ret_data = NULL;
827	uint32 ret_data_len = 0;
828
829	/* Ensure we have enough data for a pdu. */
830	ret = cli_pipe_get_current_pdu(cli, &rhdr, &current_pdu);
831	if (!NT_STATUS_IS_OK(ret)) {
832	goto err;
833	}
834
835	/* We pass in rbuf here so if the alloc hint is set correctly
836	we can set the output size and avoid reallocs. */
837
838	ret = cli_pipe_validate_current_pdu(cli, &rhdr, &current_pdu, expected_pkt_type,
839	&ret_data, &ret_data_len, rbuf);
840
841	DEBUG(10,("rpc_api_pipe: got PDU len of %u at offset %u\n",
842	prs_data_size(&current_pdu), current_rbuf_offset ));
843
844	if (!NT_STATUS_IS_OK(ret)) {
845	goto err;
846	}
847
848	if ((rhdr.flags & RPC_FLG_FIRST)) {
849	if (rhdr.pack_type[0] == 0) {
850	/* Set the data type correctly for big-endian data on the first packet. */
851	DEBUG(10,("rpc_api_pipe: On machine %s pipe %s fnum 0x%x "
852	"PDU data format is big-endian.\n",
853	cli->cli->desthost,
854	cli->pipe_name,
855	(unsigned int)cli->fnum));
856
857	prs_set_endian_data(rbuf, RPC_BIG_ENDIAN);
858	} else {
859	/* Check endianness on subsequent packets. */
860	if (current_pdu.bigendian_data != rbuf->bigendian_data) {
861	DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
862	rbuf->bigendian_data ? "big" : "little",
863	current_pdu.bigendian_data ? "big" : "little" ));
864	ret = NT_STATUS_INVALID_PARAMETER;
865	goto err;
866	}
867	}
868	}
869
870	/* Now copy the data portion out of the pdu into rbuf. */
871	if (!prs_force_grow(rbuf, ret_data_len)) {
872	ret = NT_STATUS_NO_MEMORY;
873	goto err;
874	}
875	memcpy(prs_data_p(rbuf)+current_rbuf_offset, ret_data, (size_t)ret_data_len);
876	current_rbuf_offset += ret_data_len;
877
878	/* See if we've finished with all the data in current_pdu yet ? */
879	ret = cli_pipe_reset_current_pdu(cli, &rhdr, &current_pdu);
880	if (!NT_STATUS_IS_OK(ret)) {
881	goto err;
882	}
883
884	if (rhdr.flags & RPC_FLG_LAST) {
885	break; /* We're done. */
886	}
887	}
888
889	DEBUG(10,("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x returned %u bytes.\n",
890	cli->cli->desthost,
891	cli->pipe_name,
892	(unsigned int)cli->fnum,
893	(unsigned int)prs_data_size(rbuf) ));
894
895	prs_mem_free(&current_pdu);
896	return NT_STATUS_OK;
897
898	err:
899
900	prs_mem_free(&current_pdu);
901	prs_mem_free(rbuf);
902	return ret;
903	}
904
905	/*******************************************************************
906	Creates krb5 auth bind.
907	********************************************************************/
908
909	static NTSTATUS create_krb5_auth_bind_req( struct rpc_pipe_client *cli,
910	enum pipe_auth_level auth_level,
911	RPC_HDR_AUTH *pauth_out,
912	prs_struct *auth_data)
913	{
914	#ifdef HAVE_KRB5
915	int ret;
916	struct kerberos_auth_struct *a = cli->auth.a_u.kerberos_auth;
917	DATA_BLOB tkt = data_blob_null;
918	DATA_BLOB tkt_wrapped = data_blob_null;
919
920	/* We may change the pad length before marshalling. */
921	init_rpc_hdr_auth(pauth_out, RPC_KRB5_AUTH_TYPE, (int)auth_level, 0, 1);
922
923	DEBUG(5, ("create_krb5_auth_bind_req: creating a service ticket for principal %s\n",
924	a->service_principal ));
925
926	/* Create the ticket for the service principal and return it in a gss-api wrapped blob. */
927
928	ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt,
929	&a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL);
930
931	if (ret) {
932	DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s "
933	"failed with %s\n",
934	a->service_principal,
935	error_message(ret) ));
936
937	data_blob_free(&tkt);
938	prs_mem_free(auth_data);
939	return NT_STATUS_INVALID_PARAMETER;
940	}
941
942	/* wrap that up in a nice GSS-API wrapping */
943	tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
944
945	data_blob_free(&tkt);
946
947	/* Auth len in the rpc header doesn't include auth_header. */
948	if (!prs_copy_data_in(auth_data, (char *)tkt_wrapped.data, tkt_wrapped.length)) {
949	data_blob_free(&tkt_wrapped);
950	prs_mem_free(auth_data);
951	return NT_STATUS_NO_MEMORY;
952	}
953
954	DEBUG(5, ("create_krb5_auth_bind_req: Created krb5 GSS blob :\n"));
955	dump_data(5, tkt_wrapped.data, tkt_wrapped.length);
956
957	data_blob_free(&tkt_wrapped);
958	return NT_STATUS_OK;
959	#else
960	return NT_STATUS_INVALID_PARAMETER;
961	#endif
962	}
963
964	/*******************************************************************
965	Creates SPNEGO NTLMSSP auth bind.
966	********************************************************************/
967
968	static NTSTATUS create_spnego_ntlmssp_auth_rpc_bind_req( struct rpc_pipe_client *cli,
969	enum pipe_auth_level auth_level,
970	RPC_HDR_AUTH *pauth_out,
971	prs_struct *auth_data)
972	{
973	NTSTATUS nt_status;
974	DATA_BLOB null_blob = data_blob_null;
975	DATA_BLOB request = data_blob_null;
976	DATA_BLOB spnego_msg = data_blob_null;
977
978	/* We may change the pad length before marshalling. */
979	init_rpc_hdr_auth(pauth_out, RPC_SPNEGO_AUTH_TYPE, (int)auth_level, 0, 1);
980
981	DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
982	nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
983	null_blob,
984	&request);
985
986	if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
987	data_blob_free(&request);
988	prs_mem_free(auth_data);
989	return nt_status;
990	}
991
992	/* Wrap this in SPNEGO. */
993	spnego_msg = gen_negTokenInit(OID_NTLMSSP, request);
994
995	data_blob_free(&request);
996
997	/* Auth len in the rpc header doesn't include auth_header. */
998	if (!prs_copy_data_in(auth_data, (char *)spnego_msg.data, spnego_msg.length)) {
999	data_blob_free(&spnego_msg);
1000	prs_mem_free(auth_data);
1001	return NT_STATUS_NO_MEMORY;
1002	}
1003
1004	DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1005	dump_data(5, spnego_msg.data, spnego_msg.length);
1006
1007	data_blob_free(&spnego_msg);
1008	return NT_STATUS_OK;
1009	}
1010
1011	/*******************************************************************
1012	Creates NTLMSSP auth bind.
1013	********************************************************************/
1014
1015	static NTSTATUS create_ntlmssp_auth_rpc_bind_req( struct rpc_pipe_client *cli,
1016	enum pipe_auth_level auth_level,
1017	RPC_HDR_AUTH *pauth_out,
1018	prs_struct *auth_data)
1019	{
1020	NTSTATUS nt_status;
1021	DATA_BLOB null_blob = data_blob_null;
1022	DATA_BLOB request = data_blob_null;
1023
1024	/* We may change the pad length before marshalling. */
1025	init_rpc_hdr_auth(pauth_out, RPC_NTLMSSP_AUTH_TYPE, (int)auth_level, 0, 1);
1026
1027	DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
1028	nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
1029	null_blob,
1030	&request);
1031
1032	if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1033	data_blob_free(&request);
1034	prs_mem_free(auth_data);
1035	return nt_status;
1036	}
1037
1038	/* Auth len in the rpc header doesn't include auth_header. */
1039	if (!prs_copy_data_in(auth_data, (char *)request.data, request.length)) {
1040	data_blob_free(&request);
1041	prs_mem_free(auth_data);
1042	return NT_STATUS_NO_MEMORY;
1043	}
1044
1045	DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n"));
1046	dump_data(5, request.data, request.length);
1047
1048	data_blob_free(&request);
1049	return NT_STATUS_OK;
1050	}
1051
1052	/*******************************************************************
1053	Creates schannel auth bind.
1054	********************************************************************/
1055
1056	static NTSTATUS create_schannel_auth_rpc_bind_req( struct rpc_pipe_client *cli,
1057	enum pipe_auth_level auth_level,
1058	RPC_HDR_AUTH *pauth_out,
1059	prs_struct *auth_data)
1060	{
1061	RPC_AUTH_SCHANNEL_NEG schannel_neg;
1062
1063	/* We may change the pad length before marshalling. */
1064	init_rpc_hdr_auth(pauth_out, RPC_SCHANNEL_AUTH_TYPE, (int)auth_level, 0, 1);
1065
1066	/* Use lp_workgroup() if domain not specified */
1067
1068	if (!cli->domain \|\| !cli->domain[0]) {
1069	cli->domain = lp_workgroup();
1070	}
1071
1072	init_rpc_auth_schannel_neg(&schannel_neg, cli->domain, global_myname());
1073
1074	/*
1075	* Now marshall the data into the auth parse_struct.
1076	*/
1077
1078	if(!smb_io_rpc_auth_schannel_neg("schannel_neg",
1079	&schannel_neg, auth_data, 0)) {
1080	DEBUG(0,("Failed to marshall RPC_AUTH_SCHANNEL_NEG.\n"));
1081	prs_mem_free(auth_data);
1082	return NT_STATUS_NO_MEMORY;
1083	}
1084
1085	return NT_STATUS_OK;
1086	}
1087
1088	/*******************************************************************
1089	Creates the internals of a DCE/RPC bind request or alter context PDU.
1090	********************************************************************/
1091
1092	static NTSTATUS create_bind_or_alt_ctx_internal(enum RPC_PKT_TYPE pkt_type,
1093	prs_struct *rpc_out,
1094	uint32 rpc_call_id,
1095	RPC_IFACE *abstract,
1096	RPC_IFACE *transfer,
1097	RPC_HDR_AUTH *phdr_auth,
1098	prs_struct *pauth_info)
1099	{
1100	RPC_HDR hdr;
1101	RPC_HDR_RB hdr_rb;
1102	RPC_CONTEXT rpc_ctx;
1103	uint16 auth_len = prs_offset(pauth_info);
1104	uint8 ss_padding_len = 0;
1105	uint16 frag_len = 0;
1106
1107	/* create the RPC context. */
1108	init_rpc_context(&rpc_ctx, 0 /* context id */, abstract, transfer);
1109
1110	/* create the bind request RPC_HDR_RB */
1111	init_rpc_hdr_rb(&hdr_rb, RPC_MAX_PDU_FRAG_LEN, RPC_MAX_PDU_FRAG_LEN, 0x0, &rpc_ctx);
1112
1113	/* Start building the frag length. */
1114	frag_len = RPC_HEADER_LEN + RPC_HDR_RB_LEN(&hdr_rb);
1115
1116	/* Do we need to pad ? */
1117	if (auth_len) {
1118	uint16 data_len = RPC_HEADER_LEN + RPC_HDR_RB_LEN(&hdr_rb);
1119	if (data_len % 8) {
1120	ss_padding_len = 8 - (data_len % 8);
1121	phdr_auth->auth_pad_len = ss_padding_len;
1122	}
1123	frag_len += RPC_HDR_AUTH_LEN + auth_len + ss_padding_len;
1124	}
1125
1126	/* Create the request RPC_HDR */
1127	init_rpc_hdr(&hdr, pkt_type, RPC_FLG_FIRST\|RPC_FLG_LAST, rpc_call_id, frag_len, auth_len);
1128
1129	/* Marshall the RPC header */
1130	if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) {
1131	DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR.\n"));
1132	return NT_STATUS_NO_MEMORY;
1133	}
1134
1135	/* Marshall the bind request data */
1136	if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
1137	DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_RB.\n"));
1138	return NT_STATUS_NO_MEMORY;
1139	}
1140
1141	/*
1142	* Grow the outgoing buffer to store any auth info.
1143	*/
1144
1145	if(auth_len != 0) {
1146	if (ss_padding_len) {
1147	char pad[8];
1148	memset(pad, '\0', 8);
1149	if (!prs_copy_data_in(rpc_out, pad, ss_padding_len)) {
1150	DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall padding.\n"));
1151	return NT_STATUS_NO_MEMORY;
1152	}
1153	}
1154
1155	if(!smb_io_rpc_hdr_auth("hdr_auth", phdr_auth, rpc_out, 0)) {
1156	DEBUG(0,("create_bind_or_alt_ctx_internal: failed to marshall RPC_HDR_AUTH.\n"));
1157	return NT_STATUS_NO_MEMORY;
1158	}
1159
1160
1161	if(!prs_append_prs_data( rpc_out, pauth_info)) {
1162	DEBUG(0,("create_bind_or_alt_ctx_internal: failed to grow parse struct to add auth.\n"));
1163	return NT_STATUS_NO_MEMORY;
1164	}
1165	}
1166
1167	return NT_STATUS_OK;
1168	}
1169
1170	/*******************************************************************
1171	Creates a DCE/RPC bind request.
1172	********************************************************************/
1173
1174	static NTSTATUS create_rpc_bind_req(struct rpc_pipe_client *cli,
1175	prs_struct *rpc_out,
1176	uint32 rpc_call_id,
1177	RPC_IFACE abstract, RPC_IFACE transfer,
1178	enum pipe_auth_type auth_type,
1179	enum pipe_auth_level auth_level)
1180	{
1181	RPC_HDR_AUTH hdr_auth;
1182	prs_struct auth_info;
1183	NTSTATUS ret = NT_STATUS_OK;
1184
1185	ZERO_STRUCT(hdr_auth);
1186	if (!prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL))
1187	return NT_STATUS_NO_MEMORY;
1188
1189	switch (auth_type) {
1190	case PIPE_AUTH_TYPE_SCHANNEL:
1191	ret = create_schannel_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1192	if (!NT_STATUS_IS_OK(ret)) {
1193	prs_mem_free(&auth_info);
1194	return ret;
1195	}
1196	break;
1197
1198	case PIPE_AUTH_TYPE_NTLMSSP:
1199	ret = create_ntlmssp_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1200	if (!NT_STATUS_IS_OK(ret)) {
1201	prs_mem_free(&auth_info);
1202	return ret;
1203	}
1204	break;
1205
1206	case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1207	ret = create_spnego_ntlmssp_auth_rpc_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1208	if (!NT_STATUS_IS_OK(ret)) {
1209	prs_mem_free(&auth_info);
1210	return ret;
1211	}
1212	break;
1213
1214	case PIPE_AUTH_TYPE_KRB5:
1215	ret = create_krb5_auth_bind_req(cli, auth_level, &hdr_auth, &auth_info);
1216	if (!NT_STATUS_IS_OK(ret)) {
1217	prs_mem_free(&auth_info);
1218	return ret;
1219	}
1220	break;
1221
1222	case PIPE_AUTH_TYPE_NONE:
1223	break;
1224
1225	default:
1226	/* "Can't" happen. */
1227	return NT_STATUS_INVALID_INFO_CLASS;
1228	}
1229
1230	ret = create_bind_or_alt_ctx_internal(RPC_BIND,
1231	rpc_out,
1232	rpc_call_id,
1233	abstract,
1234	transfer,
1235	&hdr_auth,
1236	&auth_info);
1237
1238	prs_mem_free(&auth_info);
1239	return ret;
1240	}
1241
1242	/*******************************************************************
1243	Create and add the NTLMSSP sign/seal auth header and data.
1244	********************************************************************/
1245
1246	static NTSTATUS add_ntlmssp_auth_footer(struct rpc_pipe_client *cli,
1247	RPC_HDR *phdr,
1248	uint32 ss_padding_len,
1249	prs_struct *outgoing_pdu)
1250	{
1251	RPC_HDR_AUTH auth_info;
1252	NTSTATUS status;
1253	DATA_BLOB auth_blob = data_blob_null;
1254	uint16 data_and_pad_len = prs_offset(outgoing_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
1255
1256	if (!cli->auth.a_u.ntlmssp_state) {
1257	return NT_STATUS_INVALID_PARAMETER;
1258	}
1259
1260	/* Init and marshall the auth header. */
1261	init_rpc_hdr_auth(&auth_info,
1262	map_pipe_auth_type_to_rpc_auth_type(cli->auth.auth_type),
1263	cli->auth.auth_level,
1264	ss_padding_len,
1265	1 /* context id. */);
1266
1267	if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, outgoing_pdu, 0)) {
1268	DEBUG(0,("add_ntlmssp_auth_footer: failed to marshall RPC_HDR_AUTH.\n"));
1269	data_blob_free(&auth_blob);
1270	return NT_STATUS_NO_MEMORY;
1271	}
1272
1273	switch (cli->auth.auth_level) {
1274	case PIPE_AUTH_LEVEL_PRIVACY:
1275	/* Data portion is encrypted. */
1276	status = ntlmssp_seal_packet(cli->auth.a_u.ntlmssp_state,
1277	(unsigned char *)prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
1278	data_and_pad_len,
1279	(unsigned char *)prs_data_p(outgoing_pdu),
1280	(size_t)prs_offset(outgoing_pdu),
1281	&auth_blob);
1282	if (!NT_STATUS_IS_OK(status)) {
1283	data_blob_free(&auth_blob);
1284	return status;
1285	}
1286	break;
1287
1288	case PIPE_AUTH_LEVEL_INTEGRITY:
1289	/* Data is signed. */
1290	status = ntlmssp_sign_packet(cli->auth.a_u.ntlmssp_state,
1291	(unsigned char *)prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
1292	data_and_pad_len,
1293	(unsigned char *)prs_data_p(outgoing_pdu),
1294	(size_t)prs_offset(outgoing_pdu),
1295	&auth_blob);
1296	if (!NT_STATUS_IS_OK(status)) {
1297	data_blob_free(&auth_blob);
1298	return status;
1299	}
1300	break;
1301
1302	default:
1303	/* Can't happen. */
1304	smb_panic("bad auth level");
1305	/* Notreached. */
1306	return NT_STATUS_INVALID_PARAMETER;
1307	}
1308
1309	/* Finally marshall the blob. */
1310
1311	if (!prs_copy_data_in(outgoing_pdu, (const char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
1312	DEBUG(0,("add_ntlmssp_auth_footer: failed to add %u bytes auth blob.\n",
1313	(unsigned int)NTLMSSP_SIG_SIZE));
1314	data_blob_free(&auth_blob);
1315	return NT_STATUS_NO_MEMORY;
1316	}
1317
1318	data_blob_free(&auth_blob);
1319	return NT_STATUS_OK;
1320	}
1321
1322	/*******************************************************************
1323	Create and add the schannel sign/seal auth header and data.
1324	********************************************************************/
1325
1326	static NTSTATUS add_schannel_auth_footer(struct rpc_pipe_client *cli,
1327	RPC_HDR *phdr,
1328	uint32 ss_padding_len,
1329	prs_struct *outgoing_pdu)
1330	{
1331	RPC_HDR_AUTH auth_info;
1332	RPC_AUTH_SCHANNEL_CHK verf;
1333	struct schannel_auth_struct *sas = cli->auth.a_u.schannel_auth;
1334	char *data_p = prs_data_p(outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN;
1335	size_t data_and_pad_len = prs_offset(outgoing_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
1336
1337	if (!sas) {
1338	return NT_STATUS_INVALID_PARAMETER;
1339	}
1340
1341	/* Init and marshall the auth header. */
1342	init_rpc_hdr_auth(&auth_info,
1343	map_pipe_auth_type_to_rpc_auth_type(cli->auth.auth_type),
1344	cli->auth.auth_level,
1345	ss_padding_len,
1346	1 /* context id. */);
1347
1348	if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, outgoing_pdu, 0)) {
1349	DEBUG(0,("add_schannel_auth_footer: failed to marshall RPC_HDR_AUTH.\n"));
1350	return NT_STATUS_NO_MEMORY;
1351	}
1352
1353	switch (cli->auth.auth_level) {
1354	case PIPE_AUTH_LEVEL_PRIVACY:
1355	case PIPE_AUTH_LEVEL_INTEGRITY:
1356	DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
1357	sas->seq_num));
1358
1359	schannel_encode(sas,
1360	cli->auth.auth_level,
1361	SENDER_IS_INITIATOR,
1362	&verf,
1363	data_p,
1364	data_and_pad_len);
1365
1366	sas->seq_num++;
1367	break;
1368
1369	default:
1370	/* Can't happen. */
1371	smb_panic("bad auth level");
1372	/* Notreached. */
1373	return NT_STATUS_INVALID_PARAMETER;
1374	}
1375
1376	/* Finally marshall the blob. */
1377	smb_io_rpc_auth_schannel_chk("",
1378	RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN,
1379	&verf,
1380	outgoing_pdu,
1381	0);
1382
1383	return NT_STATUS_OK;
1384	}
1385
1386	/*******************************************************************
1387	Calculate how much data we're going to send in this packet, also
1388	work out any sign/seal padding length.
1389	********************************************************************/
1390
1391	static uint32 calculate_data_len_tosend(struct rpc_pipe_client *cli,
1392	uint32 data_left,
1393	uint16 *p_frag_len,
1394	uint16 *p_auth_len,
1395	uint32 *p_ss_padding)
1396	{
1397	uint32 data_space, data_len;
1398
1399	switch (cli->auth.auth_level) {
1400	case PIPE_AUTH_LEVEL_NONE:
1401	case PIPE_AUTH_LEVEL_CONNECT:
1402	data_space = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN;
1403	data_len = MIN(data_space, data_left);
1404	*p_ss_padding = 0;
1405	*p_auth_len = 0;
1406	*p_frag_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + data_len;
1407	return data_len;
1408
1409	case PIPE_AUTH_LEVEL_INTEGRITY:
1410	case PIPE_AUTH_LEVEL_PRIVACY:
1411	/* Treat the same for all authenticated rpc requests. */
1412	switch(cli->auth.auth_type) {
1413	case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1414	case PIPE_AUTH_TYPE_NTLMSSP:
1415	*p_auth_len = NTLMSSP_SIG_SIZE;
1416	break;
1417	case PIPE_AUTH_TYPE_SCHANNEL:
1418	*p_auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
1419	break;
1420	default:
1421	smb_panic("bad auth type");
1422	break;
1423	}
1424
1425	data_space = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1426	RPC_HDR_AUTH_LEN - *p_auth_len;
1427
1428	data_len = MIN(data_space, data_left);
1429	if (data_len % 8) {
1430	*p_ss_padding = 8 - (data_len % 8);
1431	}
1432	p_frag_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + / Normal headers. */
1433	data_len + p_ss_padding + / data plus padding. */
1434	RPC_HDR_AUTH_LEN + p_auth_len; / Auth header and auth data. */
1435	return data_len;
1436
1437	default:
1438	smb_panic("bad auth level");
1439	/* Notreached. */
1440	return 0;
1441	}
1442	}
1443
1444	/*******************************************************************
1445	External interface.
1446	Does an rpc request on a pipe. Incoming data is NDR encoded in in_data.
1447	Reply is NDR encoded in out_data. Splits the data stream into RPC PDU's
1448	and deals with signing/sealing details.
1449	********************************************************************/
1450
1451	NTSTATUS rpc_api_pipe_req(struct rpc_pipe_client *cli,
1452	uint8 op_num,
1453	prs_struct *in_data,
1454	prs_struct *out_data)
1455	{
1456	NTSTATUS ret;
1457	uint32 data_left = prs_offset(in_data);
1458	uint32 alloc_hint = prs_offset(in_data);
1459	uint32 data_sent_thistime = 0;
1460	uint32 current_data_offset = 0;
1461	uint32 call_id = get_rpc_call_id();
1462	char pad[8];
1463	prs_struct outgoing_pdu;
1464
1465	memset(pad, '\0', 8);
1466
1467	if (cli->max_xmit_frag < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_MAX_SIGN_SIZE) {
1468	/* Server is screwed up ! */
1469	return NT_STATUS_INVALID_PARAMETER;
1470	}
1471
1472	if (!prs_init(&outgoing_pdu, cli->max_xmit_frag, prs_get_mem_context(in_data), MARSHALL))
1473	return NT_STATUS_NO_MEMORY;
1474
1475	while (1) {
1476	RPC_HDR hdr;
1477	RPC_HDR_REQ hdr_req;
1478	uint16 auth_len = 0;
1479	uint16 frag_len = 0;
1480	uint8 flags = 0;
1481	uint32 ss_padding = 0;
1482
1483	data_sent_thistime = calculate_data_len_tosend(cli, data_left,
1484	&frag_len, &auth_len, &ss_padding);
1485
1486	if (current_data_offset == 0) {
1487	flags = RPC_FLG_FIRST;
1488	}
1489
1490	if (data_sent_thistime == data_left) {
1491	flags \|= RPC_FLG_LAST;
1492	}
1493
1494	/* Create and marshall the header and request header. */
1495	init_rpc_hdr(&hdr, RPC_REQUEST, flags, call_id, frag_len, auth_len);
1496
1497	if(!smb_io_rpc_hdr("hdr ", &hdr, &outgoing_pdu, 0)) {
1498	prs_mem_free(&outgoing_pdu);
1499	return NT_STATUS_NO_MEMORY;
1500	}
1501
1502	/* Create the rpc request RPC_HDR_REQ */
1503	init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
1504
1505	if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, &outgoing_pdu, 0)) {
1506	prs_mem_free(&outgoing_pdu);
1507	return NT_STATUS_NO_MEMORY;
1508	}
1509
1510	/* Copy in the data, plus any ss padding. */
1511	if (!prs_append_some_prs_data(&outgoing_pdu, in_data, current_data_offset, data_sent_thistime)) {
1512	prs_mem_free(&outgoing_pdu);
1513	return NT_STATUS_NO_MEMORY;
1514	}
1515
1516	/* Copy the sign/seal padding data. */
1517	if (ss_padding) {
1518	if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding)) {
1519	prs_mem_free(&outgoing_pdu);
1520	return NT_STATUS_NO_MEMORY;
1521	}
1522	}
1523
1524	/* Generate any auth sign/seal and add the auth footer. */
1525	if (auth_len) {
1526	switch (cli->auth.auth_type) {
1527	case PIPE_AUTH_TYPE_NONE:
1528	break;
1529	case PIPE_AUTH_TYPE_NTLMSSP:
1530	case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
1531	ret = add_ntlmssp_auth_footer(cli, &hdr, ss_padding, &outgoing_pdu);
1532	if (!NT_STATUS_IS_OK(ret)) {
1533	prs_mem_free(&outgoing_pdu);
1534	return ret;
1535	}
1536	break;
1537	case PIPE_AUTH_TYPE_SCHANNEL:
1538	ret = add_schannel_auth_footer(cli, &hdr, ss_padding, &outgoing_pdu);
1539	if (!NT_STATUS_IS_OK(ret)) {
1540	prs_mem_free(&outgoing_pdu);
1541	return ret;
1542	}
1543	break;
1544	default:
1545	smb_panic("bad auth type");
1546	break; /* notreached */
1547	}
1548	}
1549
1550	/* Actually send the packet. */
1551	if (flags & RPC_FLG_LAST) {
1552	/* Last packet - send the data, get the reply and return. */
1553	ret = rpc_api_pipe(cli, &outgoing_pdu, out_data, RPC_RESPONSE);
1554	prs_mem_free(&outgoing_pdu);
1555
1556	if (DEBUGLEVEL >= 50) {
1557	char *dump_name = NULL;
1558	/* Also capture received data */
1559	if (asprintf(&dump_name, "%s/reply_%s_%d",
1560	get_dyn_LOGFILEBASE(), cli->pipe_name,
1561	op_num) > 0) {
1562	prs_dump(dump_name, op_num, out_data);
1563	SAFE_FREE(dump_name);
1564	}
1565	}
1566
1567	return ret;
1568	} else {
1569	/* More packets to come - write and continue. */
1570	ssize_t num_written = cli_write(cli->cli, cli->fnum, 8, /* 8 means message mode. */
1571	prs_data_p(&outgoing_pdu),
1572	(off_t)0,
1573	(size_t)hdr.frag_len);
1574
1575	if (num_written != hdr.frag_len) {
1576	prs_mem_free(&outgoing_pdu);
1577	return cli_get_nt_error(cli->cli);
1578	}
1579	}
1580
1581	current_data_offset += data_sent_thistime;
1582	data_left -= data_sent_thistime;
1583
1584	/* Reset the marshalling position back to zero. */
1585	if (!prs_set_offset(&outgoing_pdu, 0)) {
1586	prs_mem_free(&outgoing_pdu);
1587	return NT_STATUS_NO_MEMORY;
1588	}
1589	}
1590	}
1591	#if 0
1592	/****************************************************************************
1593	Set the handle state.
1594	****************************************************************************/
1595
1596	static bool rpc_pipe_set_hnd_state(struct rpc_pipe_client *cli,
1597	const char *pipe_name, uint16 device_state)
1598	{
1599	bool state_set = False;
1600	char param[2];
1601	uint16 setup[2]; /* only need 2 uint16 setup parameters */
1602	char *rparam = NULL;
1603	char *rdata = NULL;
1604	uint32 rparam_len, rdata_len;
1605
1606	if (pipe_name == NULL)
1607	return False;
1608
1609	DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
1610	cli->fnum, pipe_name, device_state));
1611
1612	/* create parameters: device state */
1613	SSVAL(param, 0, device_state);
1614
1615	/* create setup parameters. */
1616	setup[0] = 0x0001;
1617	setup[1] = cli->fnum; /* pipe file handle. got this from an SMBOpenX. */
1618
1619	/* send the data on \PIPE\ */
1620	if (cli_api_pipe(cli->cli, "\\PIPE\\",
1621	setup, 2, 0, /* setup, length, max */
1622	param, 2, 0, /* param, length, max */
1623	NULL, 0, 1024, /* data, length, max */
1624	&rparam, &rparam_len, /* return param, length */
1625	&rdata, &rdata_len)) /* return data, length */
1626	{
1627	DEBUG(5, ("Set Handle state: return OK\n"));
1628	state_set = True;
1629	}
1630
1631	SAFE_FREE(rparam);
1632	SAFE_FREE(rdata);
1633
1634	return state_set;
1635	}
1636	#endif
1637
1638	/****************************************************************************
1639	Check the rpc bind acknowledge response.
1640	****************************************************************************/
1641
1642	static bool valid_pipe_name(const int pipe_idx, RPC_IFACE abstract, RPC_IFACE transfer)
1643	{
1644	if ( pipe_idx >= PI_MAX_PIPES ) {
1645	DEBUG(0,("valid_pipe_name: Programmer error! Invalid pipe index [%d]\n",
1646	pipe_idx));
1647	return False;
1648	}
1649
1650	DEBUG(5,("Bind Abstract Syntax: "));
1651	dump_data(5, (uint8 *)&pipe_names[pipe_idx].abstr_syntax,
1652	sizeof(pipe_names[pipe_idx].abstr_syntax));
1653	DEBUG(5,("Bind Transfer Syntax: "));
1654	dump_data(5, (uint8 *)&pipe_names[pipe_idx].trans_syntax,
1655	sizeof(pipe_names[pipe_idx].trans_syntax));
1656
1657	/* copy the required syntaxes out so we can do the right bind */
1658
1659	*transfer = pipe_names[pipe_idx].trans_syntax;
1660	*abstract = pipe_names[pipe_idx].abstr_syntax;
1661
1662	return True;
1663	}
1664
1665	/****************************************************************************
1666	Check the rpc bind acknowledge response.
1667	****************************************************************************/
1668
1669	static bool check_bind_response(RPC_HDR_BA hdr_ba, const int pipe_idx, RPC_IFACE transfer)
1670	{
1671	if ( hdr_ba->addr.len == 0) {
1672	DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
1673	}
1674
1675	# if 0 /* JERRY -- apparently ASU forgets to fill in the server pipe name sometimes */
1676	if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].client_pipe) &&
1677	!strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe) )
1678	{
1679	DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
1680	pipe_names[i].server_pipe ,hdr_ba->addr.str));
1681	return False;
1682	}
1683
1684	DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
1685
1686	if (pipe_names[pipe_idx].server_pipe == NULL) {
1687	DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
1688	return False;
1689	}
1690	#endif /* JERRY */
1691
1692	/* check the transfer syntax */
1693	if ((hdr_ba->transfer.version != transfer->version) \|\|
1694	(memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
1695	DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
1696	return False;
1697	}
1698
1699	if (hdr_ba->res.num_results != 0x1 \|\| hdr_ba->res.result != 0) {
1700	DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
1701	hdr_ba->res.num_results, hdr_ba->res.reason));
1702	}
1703
1704	DEBUG(5,("check_bind_response: accepted!\n"));
1705	return True;
1706	}
1707
1708	/*******************************************************************
1709	Creates a DCE/RPC bind authentication response.
1710	This is the packet that is sent back to the server once we
1711	have received a BIND-ACK, to finish the third leg of
1712	the authentication handshake.
1713	********************************************************************/
1714
1715	static NTSTATUS create_rpc_bind_auth3(struct rpc_pipe_client *cli,
1716	uint32 rpc_call_id,
1717	enum pipe_auth_type auth_type,
1718	enum pipe_auth_level auth_level,
1719	DATA_BLOB *pauth_blob,
1720	prs_struct *rpc_out)
1721	{
1722	RPC_HDR hdr;
1723	RPC_HDR_AUTH hdr_auth;
1724	uint32 pad = 0;
1725
1726	/* Create the request RPC_HDR */
1727	init_rpc_hdr(&hdr, RPC_AUTH3, RPC_FLG_FIRST\|RPC_FLG_LAST, rpc_call_id,
1728	RPC_HEADER_LEN + 4 /* pad */ + RPC_HDR_AUTH_LEN + pauth_blob->length,
1729	pauth_blob->length );
1730
1731	/* Marshall it. */
1732	if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
1733	DEBUG(0,("create_rpc_bind_auth3: failed to marshall RPC_HDR.\n"));
1734	return NT_STATUS_NO_MEMORY;
1735	}
1736
1737	/*
1738	I'm puzzled about this - seems to violate the DCE RPC auth rules,
1739	about padding - shouldn't this pad to length 8 ? JRA.
1740	*/
1741
1742	/* 4 bytes padding. */
1743	if (!prs_uint32("pad", rpc_out, 0, &pad)) {
1744	DEBUG(0,("create_rpc_bind_auth3: failed to marshall 4 byte pad.\n"));
1745	return NT_STATUS_NO_MEMORY;
1746	}
1747
1748	/* Create the request RPC_HDR_AUTHA */
1749	init_rpc_hdr_auth(&hdr_auth,
1750	map_pipe_auth_type_to_rpc_auth_type(auth_type),
1751	auth_level, 0, 1);
1752
1753	if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rpc_out, 0)) {
1754	DEBUG(0,("create_rpc_bind_auth3: failed to marshall RPC_HDR_AUTHA.\n"));
1755	return NT_STATUS_NO_MEMORY;
1756	}
1757
1758	/*
1759	* Append the auth data to the outgoing buffer.
1760	*/
1761
1762	if(!prs_copy_data_in(rpc_out, (char *)pauth_blob->data, pauth_blob->length)) {
1763	DEBUG(0,("create_rpc_bind_auth3: failed to marshall auth blob.\n"));
1764	return NT_STATUS_NO_MEMORY;
1765	}
1766
1767	return NT_STATUS_OK;
1768	}
1769
1770	/****************************************************************************
1771	Create and send the third packet in an RPC auth.
1772	****************************************************************************/
1773
1774	static NTSTATUS rpc_finish_auth3_bind(struct rpc_pipe_client *cli,
1775	RPC_HDR *phdr,
1776	prs_struct *rbuf,
1777	uint32 rpc_call_id,
1778	enum pipe_auth_type auth_type,
1779	enum pipe_auth_level auth_level)
1780	{
1781	DATA_BLOB server_response = data_blob_null;
1782	DATA_BLOB client_reply = data_blob_null;
1783	RPC_HDR_AUTH hdr_auth;
1784	NTSTATUS nt_status;
1785	prs_struct rpc_out;
1786	ssize_t ret;
1787
1788	if (!phdr->auth_len \|\| (phdr->frag_len < phdr->auth_len + RPC_HDR_AUTH_LEN)) {
1789	return NT_STATUS_INVALID_PARAMETER;
1790	}
1791
1792	/* Process the returned NTLMSSP blob first. */
1793	if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
1794	return NT_STATUS_INVALID_PARAMETER;
1795	}
1796
1797	if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
1798	return NT_STATUS_INVALID_PARAMETER;
1799	}
1800
1801	/* TODO - check auth_type/auth_level match. */
1802
1803	server_response = data_blob(NULL, phdr->auth_len);
1804	prs_copy_data_out((char *)server_response.data, rbuf, phdr->auth_len);
1805
1806	nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
1807	server_response,
1808	&client_reply);
1809
1810	if (!NT_STATUS_IS_OK(nt_status)) {
1811	DEBUG(0,("rpc_finish_auth3_bind: NTLMSSP update using server blob failed.\n"));
1812	data_blob_free(&server_response);
1813	return nt_status;
1814	}
1815
1816	prs_init_empty(&rpc_out, prs_get_mem_context(rbuf), MARSHALL);
1817
1818	nt_status = create_rpc_bind_auth3(cli, rpc_call_id,
1819	auth_type, auth_level,
1820	&client_reply, &rpc_out);
1821
1822	if (!NT_STATUS_IS_OK(nt_status)) {
1823	prs_mem_free(&rpc_out);
1824	data_blob_free(&client_reply);
1825	data_blob_free(&server_response);
1826	return nt_status;
1827	}
1828
1829	/* 8 here is named pipe message mode. */
1830	ret = cli_write(cli->cli, cli->fnum, 0x8, prs_data_p(&rpc_out), 0,
1831	(size_t)prs_offset(&rpc_out));
1832
1833	if (ret != (ssize_t)prs_offset(&rpc_out)) {
1834	DEBUG(0,("rpc_send_auth_auth3: cli_write failed. Return was %d\n", (int)ret));
1835	prs_mem_free(&rpc_out);
1836	data_blob_free(&client_reply);
1837	data_blob_free(&server_response);
1838	return cli_get_nt_error(cli->cli);
1839	}
1840
1841	DEBUG(5,("rpc_send_auth_auth3: Remote machine %s pipe %s "
1842	"fnum 0x%x sent auth3 response ok.\n",
1843	cli->cli->desthost,
1844	cli->pipe_name,
1845	(unsigned int)cli->fnum));
1846
1847	prs_mem_free(&rpc_out);
1848	data_blob_free(&client_reply);
1849	data_blob_free(&server_response);
1850	return NT_STATUS_OK;
1851	}
1852
1853	/*******************************************************************
1854	Creates a DCE/RPC bind alter context authentication request which
1855	may contain a spnego auth blobl
1856	********************************************************************/
1857
1858	static NTSTATUS create_rpc_alter_context(uint32 rpc_call_id,
1859	RPC_IFACE *abstract,
1860	RPC_IFACE *transfer,
1861	enum pipe_auth_level auth_level,
1862	const DATA_BLOB pauth_blob, / spnego auth blob already created. */
1863	prs_struct *rpc_out)
1864	{
1865	RPC_HDR_AUTH hdr_auth;
1866	prs_struct auth_info;
1867	NTSTATUS ret = NT_STATUS_OK;
1868
1869	ZERO_STRUCT(hdr_auth);
1870	if (!prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL))
1871	return NT_STATUS_NO_MEMORY;
1872
1873	/* We may change the pad length before marshalling. */
1874	init_rpc_hdr_auth(&hdr_auth, RPC_SPNEGO_AUTH_TYPE, (int)auth_level, 0, 1);
1875
1876	if (pauth_blob->length) {
1877	if (!prs_copy_data_in(&auth_info, (const char *)pauth_blob->data, pauth_blob->length)) {
1878	prs_mem_free(&auth_info);
1879	return NT_STATUS_NO_MEMORY;
1880	}
1881	}
1882
1883	ret = create_bind_or_alt_ctx_internal(RPC_ALTCONT,
1884	rpc_out,
1885	rpc_call_id,
1886	abstract,
1887	transfer,
1888	&hdr_auth,
1889	&auth_info);
1890	prs_mem_free(&auth_info);
1891	return ret;
1892	}
1893
1894	/*******************************************************************
1895	Third leg of the SPNEGO bind mechanism - sends alter context PDU
1896	and gets a response.
1897	********************************************************************/
1898
1899	static NTSTATUS rpc_finish_spnego_ntlmssp_bind(struct rpc_pipe_client *cli,
1900	RPC_HDR *phdr,
1901	prs_struct *rbuf,
1902	uint32 rpc_call_id,
1903	RPC_IFACE *abstract,
1904	RPC_IFACE *transfer,
1905	enum pipe_auth_type auth_type,
1906	enum pipe_auth_level auth_level)
1907	{
1908	DATA_BLOB server_spnego_response = data_blob_null;
1909	DATA_BLOB server_ntlm_response = data_blob_null;
1910	DATA_BLOB client_reply = data_blob_null;
1911	DATA_BLOB tmp_blob = data_blob_null;
1912	RPC_HDR_AUTH hdr_auth;
1913	NTSTATUS nt_status;
1914	prs_struct rpc_out;
1915
1916	if (!phdr->auth_len \|\| (phdr->frag_len < phdr->auth_len + RPC_HDR_AUTH_LEN)) {
1917	return NT_STATUS_INVALID_PARAMETER;
1918	}
1919
1920	/* Process the returned NTLMSSP blob first. */
1921	if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
1922	return NT_STATUS_INVALID_PARAMETER;
1923	}
1924
1925	if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
1926	return NT_STATUS_INVALID_PARAMETER;
1927	}
1928
1929	server_spnego_response = data_blob(NULL, phdr->auth_len);
1930	prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len);
1931
1932	/* The server might give us back two challenges - tmp_blob is for the second. */
1933	if (!spnego_parse_challenge(server_spnego_response, &server_ntlm_response, &tmp_blob)) {
1934	data_blob_free(&server_spnego_response);
1935	data_blob_free(&server_ntlm_response);
1936	data_blob_free(&tmp_blob);
1937	return NT_STATUS_INVALID_PARAMETER;
1938	}
1939
1940	/* We're finished with the server spnego response and the tmp_blob. */
1941	data_blob_free(&server_spnego_response);
1942	data_blob_free(&tmp_blob);
1943
1944	nt_status = ntlmssp_update(cli->auth.a_u.ntlmssp_state,
1945	server_ntlm_response,
1946	&client_reply);
1947
1948	/* Finished with the server_ntlm response */
1949	data_blob_free(&server_ntlm_response);
1950
1951	if (!NT_STATUS_IS_OK(nt_status)) {
1952	DEBUG(0,("rpc_finish_spnego_ntlmssp_bind: NTLMSSP update using server blob failed.\n"));
1953	data_blob_free(&client_reply);
1954	return nt_status;
1955	}
1956
1957	/* SPNEGO wrap the client reply. */
1958	tmp_blob = spnego_gen_auth(client_reply);
1959	data_blob_free(&client_reply);
1960	client_reply = tmp_blob;
1961	tmp_blob = data_blob_null; /* Ensure it's safe to free this just in case. */
1962
1963	/* Now prepare the alter context pdu. */
1964	prs_init_empty(&rpc_out, prs_get_mem_context(rbuf), MARSHALL);
1965
1966	nt_status = create_rpc_alter_context(rpc_call_id,
1967	abstract,
1968	transfer,
1969	auth_level,
1970	&client_reply,
1971	&rpc_out);
1972
1973	data_blob_free(&client_reply);
1974
1975	if (!NT_STATUS_IS_OK(nt_status)) {
1976	prs_mem_free(&rpc_out);
1977	return nt_status;
1978	}
1979
1980	/* Initialize the returning data struct. */
1981	prs_mem_free(rbuf);
1982	prs_init_empty(rbuf, cli->mem_ctx, UNMARSHALL);
1983
1984	nt_status = rpc_api_pipe(cli, &rpc_out, rbuf, RPC_ALTCONTRESP);
1985	if (!NT_STATUS_IS_OK(nt_status)) {
1986	prs_mem_free(&rpc_out);
1987	return nt_status;
1988	}
1989
1990	prs_mem_free(&rpc_out);
1991
1992	/* Get the auth blob from the reply. */
1993	if(!smb_io_rpc_hdr("rpc_hdr ", phdr, rbuf, 0)) {
1994	DEBUG(0,("rpc_finish_spnego_ntlmssp_bind: Failed to unmarshall RPC_HDR.\n"));
1995	return NT_STATUS_BUFFER_TOO_SMALL;
1996	}
1997
1998	if (!prs_set_offset(rbuf, phdr->frag_len - phdr->auth_len - RPC_HDR_AUTH_LEN)) {
1999	return NT_STATUS_INVALID_PARAMETER;
2000	}
2001
2002	if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rbuf, 0)) {
2003	return NT_STATUS_INVALID_PARAMETER;
2004	}
2005
2006	server_spnego_response = data_blob(NULL, phdr->auth_len);
2007	prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len);
2008
2009	/* Check we got a valid auth response. */
2010	if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, OID_NTLMSSP, &tmp_blob)) {
2011	data_blob_free(&server_spnego_response);
2012	data_blob_free(&tmp_blob);
2013	return NT_STATUS_INVALID_PARAMETER;
2014	}
2015
2016	data_blob_free(&server_spnego_response);
2017	data_blob_free(&tmp_blob);
2018
2019	DEBUG(5,("rpc_finish_spnego_ntlmssp_bind: alter context request to "
2020	"remote machine %s pipe %s fnum 0x%x.\n",
2021	cli->cli->desthost,
2022	cli->pipe_name,
2023	(unsigned int)cli->fnum));
2024
2025	return NT_STATUS_OK;
2026	}
2027
2028	/****************************************************************************
2029	Do an rpc bind.
2030	****************************************************************************/
2031
2032	static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
2033	enum pipe_auth_type auth_type,
2034	enum pipe_auth_level auth_level)
2035	{
2036	RPC_HDR hdr;
2037	RPC_HDR_BA hdr_ba;
2038	RPC_IFACE abstract;
2039	RPC_IFACE transfer;
2040	prs_struct rpc_out;
2041	prs_struct rbuf;
2042	uint32 rpc_call_id;
2043	NTSTATUS status;
2044
2045	DEBUG(5,("Bind RPC Pipe[%x]: %s auth_type %u, auth_level %u\n",
2046	(unsigned int)cli->fnum,
2047	cli->pipe_name,
2048	(unsigned int)auth_type,
2049	(unsigned int)auth_level ));
2050
2051	if (!valid_pipe_name(cli->pipe_idx, &abstract, &transfer)) {
2052	return NT_STATUS_INVALID_PARAMETER;
2053	}
2054
2055	prs_init_empty(&rpc_out, cli->mem_ctx, MARSHALL);
2056
2057	rpc_call_id = get_rpc_call_id();
2058
2059	/* Marshall the outgoing data. */
2060	status = create_rpc_bind_req(cli, &rpc_out, rpc_call_id,
2061	&abstract, &transfer,
2062	auth_type,
2063	auth_level);
2064
2065	if (!NT_STATUS_IS_OK(status)) {
2066	prs_mem_free(&rpc_out);
2067	return status;
2068	}
2069
2070	/* Initialize the incoming data struct. */
2071	prs_init_empty(&rbuf, cli->mem_ctx, UNMARSHALL);
2072
2073	/* send data on \PIPE\. receive a response */
2074	status = rpc_api_pipe(cli, &rpc_out, &rbuf, RPC_BINDACK);
2075	if (!NT_STATUS_IS_OK(status)) {
2076	prs_mem_free(&rpc_out);
2077	return status;
2078	}
2079
2080	prs_mem_free(&rpc_out);
2081
2082	DEBUG(3,("rpc_pipe_bind: Remote machine %s pipe %s "
2083	"fnum 0x%x bind request returned ok.\n",
2084	cli->cli->desthost,
2085	cli->pipe_name,
2086	(unsigned int)cli->fnum));
2087
2088	/* Unmarshall the RPC header */
2089	if(!smb_io_rpc_hdr("hdr" , &hdr, &rbuf, 0)) {
2090	DEBUG(0,("rpc_pipe_bind: failed to unmarshall RPC_HDR.\n"));
2091	prs_mem_free(&rbuf);
2092	return NT_STATUS_BUFFER_TOO_SMALL;
2093	}
2094
2095	if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rbuf, 0)) {
2096	DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
2097	prs_mem_free(&rbuf);
2098	return NT_STATUS_BUFFER_TOO_SMALL;
2099	}
2100
2101	if(!check_bind_response(&hdr_ba, cli->pipe_idx, &transfer)) {
2102	DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
2103	prs_mem_free(&rbuf);
2104	return NT_STATUS_BUFFER_TOO_SMALL;
2105	}
2106
2107	cli->max_xmit_frag = hdr_ba.bba.max_tsize;
2108	cli->max_recv_frag = hdr_ba.bba.max_rsize;
2109
2110	/* For authenticated binds we may need to do 3 or 4 leg binds. */
2111	switch(auth_type) {
2112
2113	case PIPE_AUTH_TYPE_NONE:
2114	case PIPE_AUTH_TYPE_SCHANNEL:
2115	/* Bind complete. */
2116	break;
2117
2118	case PIPE_AUTH_TYPE_NTLMSSP:
2119	/* Need to send AUTH3 packet - no reply. */
2120	status = rpc_finish_auth3_bind(cli, &hdr, &rbuf, rpc_call_id,
2121	auth_type, auth_level);
2122	if (!NT_STATUS_IS_OK(status)) {
2123	prs_mem_free(&rbuf);
2124	return status;
2125	}
2126	break;
2127
2128	case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
2129	/* Need to send alter context request and reply. */
2130	status = rpc_finish_spnego_ntlmssp_bind(cli, &hdr, &rbuf, rpc_call_id,
2131	&abstract, &transfer,
2132	auth_type, auth_level);
2133	if (!NT_STATUS_IS_OK(status)) {
2134	prs_mem_free(&rbuf);
2135	return status;
2136	}
2137	break;
2138
2139	case PIPE_AUTH_TYPE_KRB5:
2140	/* */
2141
2142	default:
2143	DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n",
2144	(unsigned int)auth_type ));
2145	prs_mem_free(&rbuf);
2146	return NT_STATUS_INVALID_INFO_CLASS;
2147	}
2148
2149	/* For NTLMSSP ensure the server gave us the auth_level we wanted. */
2150	if (auth_type == PIPE_AUTH_TYPE_NTLMSSP \|\| auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
2151	if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
2152	if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
2153	DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP signing and server refused.\n"));
2154	prs_mem_free(&rbuf);
2155	return NT_STATUS_INVALID_PARAMETER;
2156	}
2157	}
2158	if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
2159	if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
2160	DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP sealing and server refused.\n"));
2161	prs_mem_free(&rbuf);
2162	return NT_STATUS_INVALID_PARAMETER;
2163	}
2164	}
2165	}
2166
2167	/* Pipe is bound - set up auth_type and auth_level data. */
2168
2169	cli->auth.auth_type = auth_type;
2170	cli->auth.auth_level = auth_level;
2171
2172	prs_mem_free(&rbuf);
2173	return NT_STATUS_OK;
2174	}
2175
2176	/****************************************************************************
2177	Open a named pipe over SMB to a remote server.
2178	*
2179	* CAVEAT CALLER OF THIS FUNCTION:
2180	* The returned rpc_pipe_client saves a copy of the cli_state cli pointer,
2181	* so be sure that this function is called AFTER any structure (vs pointer)
2182	* assignment of the cli. In particular, libsmbclient does structure
2183	* assignments of cli, which invalidates the data in the returned
2184	* rpc_pipe_client if this function is called before the structure assignment
2185	* of cli.
2186	*
2187	****************************************************************************/
2188
2189	static struct rpc_pipe_client cli_rpc_pipe_open(struct cli_state cli, int pipe_idx, NTSTATUS *perr)
2190	{
2191	TALLOC_CTX *mem_ctx;
2192	struct rpc_pipe_client *result;
2193	int fnum;
2194
2195	*perr = NT_STATUS_NO_MEMORY;
2196
2197	/* sanity check to protect against crashes */
2198
2199	if ( !cli ) {
2200	*perr = NT_STATUS_INVALID_HANDLE;
2201	return NULL;
2202	}
2203
2204	/* The pipe name index must fall within our array */
2205	SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
2206
2207	mem_ctx = talloc_init("struct rpc_pipe_client");
2208	if (mem_ctx == NULL) {
2209	return NULL;
2210	}
2211
2212	result = TALLOC_ZERO_P(mem_ctx, struct rpc_pipe_client);
2213	if (result == NULL) {
2214	return NULL;
2215	}
2216
2217	result->mem_ctx = mem_ctx;
2218
2219	result->pipe_name = cli_get_pipe_name(pipe_idx);
2220
2221	fnum = cli_nt_create(cli, result->pipe_name, DESIRED_ACCESS_PIPE);
2222
2223	if (fnum == -1) {
2224	DEBUG(3,("cli_rpc_pipe_open: cli_nt_create failed on pipe %s "
2225	"to machine %s. Error was %s\n",
2226	result->pipe_name, cli->desthost,
2227	cli_errstr(cli)));
2228	*perr = cli_get_nt_error(cli);
2229	talloc_destroy(result->mem_ctx);
2230	return NULL;
2231	}
2232
2233	result->fnum = fnum;
2234	result->cli = cli;
2235	result->pipe_idx = pipe_idx;
2236	result->auth.auth_type = PIPE_AUTH_TYPE_NONE;
2237	result->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
2238
2239	if (pipe_idx == PI_NETLOGON) {
2240	/* Set up a netlogon credential chain for a netlogon pipe. */
2241	result->dc = TALLOC_ZERO_P(mem_ctx, struct dcinfo);
2242	if (result->dc == NULL) {
2243	talloc_destroy(result->mem_ctx);
2244	return NULL;
2245	}
2246	}
2247
2248	DLIST_ADD(cli->pipe_list, result);
2249	*perr = NT_STATUS_OK;
2250
2251	return result;
2252	}
2253
2254	/****************************************************************************
2255	Open a named pipe to an SMB server and bind anonymously.
2256	****************************************************************************/
2257
2258	struct rpc_pipe_client cli_rpc_pipe_open_noauth(struct cli_state cli, int pipe_idx, NTSTATUS *perr)
2259	{
2260	struct rpc_pipe_client *result;
2261
2262	result = cli_rpc_pipe_open(cli, pipe_idx, perr);
2263	if (result == NULL) {
2264	return NULL;
2265	}
2266
2267	*perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_NONE, PIPE_AUTH_LEVEL_NONE);
2268	if (!NT_STATUS_IS_OK(*perr)) {
2269	int lvl = 0;
2270	if (pipe_idx == PI_DSSETUP) {
2271	/* non AD domains just don't have this pipe, avoid
2272	* level 0 statement in that case - gd */
2273	lvl = 3;
2274	}
2275	DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe %s failed with error %s\n",
2276	cli_get_pipe_name(pipe_idx), nt_errstr(*perr) ));
2277	cli_rpc_pipe_close(result);
2278	return NULL;
2279	}
2280
2281	DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine %s and bound anonymously.\n",
2282	result->pipe_name, cli->desthost ));
2283
2284	return result;
2285	}
2286
2287	/****************************************************************************
2288	Free function for NTLMSSP auth.
2289	****************************************************************************/
2290
2291	static void cli_ntlmssp_auth_free(struct cli_pipe_auth_data *auth)
2292	{
2293	if (auth->a_u.ntlmssp_state) {
2294	ntlmssp_end(&auth->a_u.ntlmssp_state);
2295	auth->a_u.ntlmssp_state = NULL;
2296	}
2297	}
2298
2299	/****************************************************************************
2300	Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP
2301	****************************************************************************/
2302
2303	static struct rpc_pipe_client cli_rpc_pipe_open_ntlmssp_internal(struct cli_state cli,
2304	int pipe_idx,
2305	enum pipe_auth_type auth_type,
2306	enum pipe_auth_level auth_level,
2307	const char *domain,
2308	const char *username,
2309	const char *password,
2310	NTSTATUS *perr)
2311	{
2312	struct rpc_pipe_client *result;
2313	NTLMSSP_STATE *ntlmssp_state = NULL;
2314
2315	result = cli_rpc_pipe_open(cli, pipe_idx, perr);
2316	if (result == NULL) {
2317	return NULL;
2318	}
2319
2320	result->auth.cli_auth_data_free_func = cli_ntlmssp_auth_free;
2321
2322	result->domain = domain;
2323	result->user_name = username;
2324	pwd_set_cleartext(&result->pwd, password);
2325
2326	*perr = ntlmssp_client_start(&ntlmssp_state);
2327	if (!NT_STATUS_IS_OK(*perr)) {
2328	goto err;
2329	}
2330
2331	result->auth.a_u.ntlmssp_state = ntlmssp_state;
2332
2333	*perr = ntlmssp_set_username(ntlmssp_state, cli->user_name);
2334	if (!NT_STATUS_IS_OK(*perr)) {
2335	goto err;
2336	}
2337
2338	*perr = ntlmssp_set_domain(ntlmssp_state, cli->domain);
2339	if (!NT_STATUS_IS_OK(*perr)) {
2340	goto err;
2341	}
2342
2343	if (cli->pwd.null_pwd) {
2344	*perr = ntlmssp_set_password(ntlmssp_state, NULL);
2345	if (!NT_STATUS_IS_OK(*perr)) {
2346	goto err;
2347	}
2348	} else {
2349	*perr = ntlmssp_set_password(ntlmssp_state, password);
2350	if (!NT_STATUS_IS_OK(*perr)) {
2351	goto err;
2352	}
2353	}
2354
2355	/* Turn off sign+seal to allow selected auth level to turn it back on. */
2356	ntlmssp_state->neg_flags &= ~(NTLMSSP_NEGOTIATE_SIGN\|NTLMSSP_NEGOTIATE_SEAL);
2357
2358	if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
2359	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SIGN;
2360	} else if (auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
2361	ntlmssp_state->neg_flags \|= NTLMSSP_NEGOTIATE_SEAL \| NTLMSSP_NEGOTIATE_SIGN;
2362	}
2363
2364	*perr = rpc_pipe_bind(result, auth_type, auth_level);
2365	if (!NT_STATUS_IS_OK(*perr)) {
2366	DEBUG(0, ("cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error %s\n",
2367	nt_errstr(*perr) ));
2368	goto err;
2369	}
2370
2371	DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to "
2372	"machine %s and bound NTLMSSP as user %s\\%s.\n",
2373	result->pipe_name, cli->desthost,
2374	domain, username ));
2375
2376	return result;
2377
2378	err:
2379
2380	cli_rpc_pipe_close(result);
2381	return NULL;
2382	}
2383
2384	/****************************************************************************
2385	External interface.
2386	Open a named pipe to an SMB server and bind using NTLMSSP (bind type 10)
2387	****************************************************************************/
2388
2389	struct rpc_pipe_client cli_rpc_pipe_open_ntlmssp(struct cli_state cli,
2390	int pipe_idx,
2391	enum pipe_auth_level auth_level,
2392	const char *domain,
2393	const char *username,
2394	const char *password,
2395	NTSTATUS *perr)
2396	{
2397	return cli_rpc_pipe_open_ntlmssp_internal(cli,
2398	pipe_idx,
2399	PIPE_AUTH_TYPE_NTLMSSP,
2400	auth_level,
2401	domain,
2402	username,
2403	password,
2404	perr);
2405	}
2406
2407	/****************************************************************************
2408	External interface.
2409	Open a named pipe to an SMB server and bind using spnego NTLMSSP (bind type 9)
2410	****************************************************************************/
2411
2412	struct rpc_pipe_client cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state cli,
2413	int pipe_idx,
2414	enum pipe_auth_level auth_level,
2415	const char *domain,
2416	const char *username,
2417	const char *password,
2418	NTSTATUS *perr)
2419	{
2420	return cli_rpc_pipe_open_ntlmssp_internal(cli,
2421	pipe_idx,
2422	PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
2423	auth_level,
2424	domain,
2425	username,
2426	password,
2427	perr);
2428	}
2429
2430	/****************************************************************************
2431	Get a the schannel session key out of an already opened netlogon pipe.
2432	****************************************************************************/
2433	static bool get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
2434	struct cli_state *cli,
2435	const char *domain,
2436	uint32 *pneg_flags,
2437	NTSTATUS *perr)
2438	{
2439	uint32 sec_chan_type = 0;
2440	unsigned char machine_pwd[16];
2441	const char *machine_account;
2442
2443	/* Get the machine account credentials from secrets.tdb. */
2444	if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
2445	&sec_chan_type))
2446	{
2447	DEBUG(0, ("get_schannel_session_key: could not fetch "
2448	"trust account password for domain '%s'\n",
2449	domain));
2450	*perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2451	return false;
2452	}
2453
2454	*perr = rpccli_netlogon_setup_creds(netlogon_pipe,
2455	cli->desthost, /* server name */
2456	domain, /* domain */
2457	global_myname(), /* client name */
2458	machine_account, /* machine account name */
2459	machine_pwd,
2460	sec_chan_type,
2461	pneg_flags);
2462
2463	if (!NT_STATUS_IS_OK(*perr)) {
2464	DEBUG(3,("get_schannel_session_key_common: rpccli_netlogon_setup_creds "
2465	"failed with result %s to server %s, domain %s, machine account %s.\n",
2466	nt_errstr(*perr), cli->desthost, domain, machine_account ));
2467	return false;
2468	}
2469
2470	if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
2471	DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
2472	cli->desthost));
2473	*perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
2474	return false;
2475	}
2476
2477	return true;
2478	}
2479
2480	/****************************************************************************
2481	Open a netlogon pipe and get the schannel session key.
2482	Now exposed to external callers.
2483	****************************************************************************/
2484
2485
2486	struct rpc_pipe_client get_schannel_session_key(struct cli_state cli,
2487	const char *domain,
2488	uint32 *pneg_flags,
2489	NTSTATUS *perr)
2490	{
2491	struct rpc_pipe_client *netlogon_pipe = NULL;
2492
2493	netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
2494	if (!netlogon_pipe) {
2495	return NULL;
2496	}
2497
2498	if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
2499	pneg_flags, perr))
2500	{
2501	cli_rpc_pipe_close(netlogon_pipe);
2502	return NULL;
2503	}
2504
2505	return netlogon_pipe;
2506	}
2507
2508	/****************************************************************************
2509	External interface.
2510	Open a named pipe to an SMB server and bind using schannel (bind type 68)
2511	using session_key. sign and seal.
2512	****************************************************************************/
2513
2514	struct rpc_pipe_client cli_rpc_pipe_open_schannel_with_key(struct cli_state cli,
2515	int pipe_idx,
2516	enum pipe_auth_level auth_level,
2517	const char *domain,
2518	const struct dcinfo *pdc,
2519	NTSTATUS *perr)
2520	{
2521	struct rpc_pipe_client *result;
2522
2523	result = cli_rpc_pipe_open(cli, pipe_idx, perr);
2524	if (result == NULL) {
2525	return NULL;
2526	}
2527
2528	result->auth.a_u.schannel_auth = TALLOC_ZERO_P(result->mem_ctx, struct schannel_auth_struct);
2529	if (!result->auth.a_u.schannel_auth) {
2530	cli_rpc_pipe_close(result);
2531	*perr = NT_STATUS_NO_MEMORY;
2532	return NULL;
2533	}
2534
2535	result->domain = domain;
2536	memcpy(result->auth.a_u.schannel_auth->sess_key, pdc->sess_key, 16);
2537
2538	*perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_SCHANNEL, auth_level);
2539	if (!NT_STATUS_IS_OK(*perr)) {
2540	DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed with error %s\n",
2541	nt_errstr(*perr) ));
2542	cli_rpc_pipe_close(result);
2543	return NULL;
2544	}
2545
2546	/* The credentials on a new netlogon pipe are the ones we are passed in - copy them over. */
2547	if (result->dc) {
2548	result->dc = pdc;
2549	}
2550
2551	DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
2552	"for domain %s "
2553	"and bound using schannel.\n",
2554	result->pipe_name, cli->desthost, domain ));
2555
2556	return result;
2557	}
2558
2559	/****************************************************************************
2560	Open a named pipe to an SMB server and bind using schannel (bind type 68).
2561	Fetch the session key ourselves using a temporary netlogon pipe. This
2562	version uses an ntlmssp auth bound netlogon pipe to get the key.
2563	****************************************************************************/
2564
2565	static struct rpc_pipe_client get_schannel_session_key_auth_ntlmssp(struct cli_state cli,
2566	const char *domain,
2567	const char *username,
2568	const char *password,
2569	uint32 *pneg_flags,
2570	NTSTATUS *perr)
2571	{
2572	struct rpc_pipe_client *netlogon_pipe = NULL;
2573
2574	netlogon_pipe = cli_rpc_pipe_open_spnego_ntlmssp(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, perr);
2575	if (!netlogon_pipe) {
2576	return NULL;
2577	}
2578
2579	if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
2580	pneg_flags, perr))
2581	{
2582	cli_rpc_pipe_close(netlogon_pipe);
2583	return NULL;
2584	}
2585
2586	return netlogon_pipe;
2587	}
2588
2589	/****************************************************************************
2590	Open a named pipe to an SMB server and bind using schannel (bind type 68).
2591	Fetch the session key ourselves using a temporary netlogon pipe. This version
2592	uses an ntlmssp bind to get the session key.
2593	****************************************************************************/
2594
2595	struct rpc_pipe_client cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state cli,
2596	int pipe_idx,
2597	enum pipe_auth_level auth_level,
2598	const char *domain,
2599	const char *username,
2600	const char *password,
2601	NTSTATUS *perr)
2602	{
2603	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2604	struct rpc_pipe_client *netlogon_pipe = NULL;
2605	struct rpc_pipe_client *result = NULL;
2606
2607	netlogon_pipe = get_schannel_session_key_auth_ntlmssp(cli, domain, username,
2608	password, &neg_flags, perr);
2609	if (!netlogon_pipe) {
2610	DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
2611	"key from server %s for domain %s.\n",
2612	cli->desthost, domain ));
2613	return NULL;
2614	}
2615
2616	result = cli_rpc_pipe_open_schannel_with_key(cli, pipe_idx,
2617	auth_level,
2618	domain, netlogon_pipe->dc, perr);
2619
2620	/* Now we've bound using the session key we can close the netlog pipe. */
2621	cli_rpc_pipe_close(netlogon_pipe);
2622
2623	return result;
2624	}
2625
2626	/****************************************************************************
2627	Open a named pipe to an SMB server and bind using schannel (bind type 68).
2628	Fetch the session key ourselves using a temporary netlogon pipe.
2629	****************************************************************************/
2630
2631	struct rpc_pipe_client cli_rpc_pipe_open_schannel(struct cli_state cli,
2632	int pipe_idx,
2633	enum pipe_auth_level auth_level,
2634	const char *domain,
2635	NTSTATUS *perr)
2636	{
2637	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
2638	struct rpc_pipe_client *netlogon_pipe = NULL;
2639	struct rpc_pipe_client *result = NULL;
2640
2641	netlogon_pipe = get_schannel_session_key(cli, domain, &neg_flags, perr);
2642	if (!netlogon_pipe) {
2643	DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
2644	"key from server %s for domain %s.\n",
2645	cli->desthost, domain ));
2646	return NULL;
2647	}
2648
2649	result = cli_rpc_pipe_open_schannel_with_key(cli, pipe_idx,
2650	auth_level,
2651	domain, netlogon_pipe->dc, perr);
2652
2653	/* Now we've bound using the session key we can close the netlog pipe. */
2654	cli_rpc_pipe_close(netlogon_pipe);
2655
2656	return result;
2657	}
2658
2659	#ifdef HAVE_KRB5
2660
2661	/****************************************************************************
2662	Free function for the kerberos spcific data.
2663	****************************************************************************/
2664
2665	static void kerberos_auth_struct_free(struct cli_pipe_auth_data *a)
2666	{
2667	data_blob_free(&a->a_u.kerberos_auth->session_key);
2668	}
2669
2670	#endif
2671
2672	/****************************************************************************
2673	Open a named pipe to an SMB server and bind using krb5 (bind type 16).
2674	The idea is this can be called with service_princ, username and password all
2675	NULL so long as the caller has a TGT.
2676	****************************************************************************/
2677
2678	struct rpc_pipe_client cli_rpc_pipe_open_krb5(struct cli_state cli,
2679	int pipe_idx,
2680	enum pipe_auth_level auth_level,
2681	const char *service_princ,
2682	const char *username,
2683	const char *password,
2684	NTSTATUS *perr)
2685	{
2686	#ifdef HAVE_KRB5
2687	struct rpc_pipe_client *result;
2688
2689	result = cli_rpc_pipe_open(cli, pipe_idx, perr);
2690	if (result == NULL) {
2691	return NULL;
2692	}
2693
2694	/* Default service principal is "desthost$@realm" */
2695	if (!service_princ) {
2696	service_princ = talloc_asprintf(result->mem_ctx, "%s$@%s",
2697	cli->desthost, lp_realm() );
2698	if (!service_princ) {
2699	cli_rpc_pipe_close(result);
2700	return NULL;
2701	}
2702	}
2703
2704	/* Only get a new TGT if username/password are given. */
2705	if (username && password) {
2706	int ret = kerberos_kinit_password(username, password, 0, NULL);
2707	if (ret) {
2708	cli_rpc_pipe_close(result);
2709	return NULL;
2710	}
2711	}
2712
2713	result->auth.a_u.kerberos_auth = TALLOC_ZERO_P(result->mem_ctx, struct kerberos_auth_struct);
2714	if (!result->auth.a_u.kerberos_auth) {
2715	cli_rpc_pipe_close(result);
2716	*perr = NT_STATUS_NO_MEMORY;
2717	return NULL;
2718	}
2719
2720	result->auth.a_u.kerberos_auth->service_principal = service_princ;
2721	result->auth.cli_auth_data_free_func = kerberos_auth_struct_free;
2722
2723	*perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_KRB5, auth_level);
2724	if (!NT_STATUS_IS_OK(*perr)) {
2725	DEBUG(0, ("cli_rpc_pipe_open_krb5: cli_rpc_pipe_bind failed with error %s\n",
2726	nt_errstr(*perr) ));
2727	cli_rpc_pipe_close(result);
2728	return NULL;
2729	}
2730
2731	return result;
2732	#else
2733	DEBUG(0,("cli_rpc_pipe_open_krb5: kerberos not found at compile time.\n"));
2734	return NULL;
2735	#endif
2736	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: