From 3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 13 Dec 1999 13:27:58 +0000 Subject: first pass at updating head branch to be to be the same as the SAMBA_2_0 branch (This used to be commit 453a822a76780063dff23526c35408866d0c0154) --- source3/rpc_client/cli_pipe.c | 1439 ++++++++++++++++++++++------------------- 1 file changed, 766 insertions(+), 673 deletions(-) (limited to 'source3/rpc_client/cli_pipe.c') diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index a8debd87fd..8711ab116e 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -6,6 +6,7 @@ * Copyright (C) Andrew Tridgell 1992-1998, * Copyright (C) Luke Kenneth Casson Leighton 1996-1998, * Copyright (C) Paul Ashton 1998. + * Copyright (C) Jeremy Allison 1999. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -31,196 +32,253 @@ extern int DEBUGLEVEL; extern struct pipe_id_info pipe_names[]; +extern fstring global_myworkgroup; extern pstring global_myname; /******************************************************************** - rpc pipe call id + Rpc pipe call id. ********************************************************************/ + static uint32 get_rpc_call_id(void) { - static uint32 call_id = 0; - return ++call_id; + static uint32 call_id = 0; + return ++call_id; } /******************************************************************* - uses SMBreadX to get rest of rpc data + Use SMBreadX to get rest of one fragment's worth of rpc data. ********************************************************************/ -static BOOL rpc_read(struct cli_state *cli, uint16 fnum, - prs_struct *rdata, uint32 data_to_read, - uint32 rdata_offset, BOOL one_only) +static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset) { - size_t size = cli->max_recv_frag; - int file_offset = 0; + size_t size = (size_t)cli->max_recv_frag; + int stream_offset = 0; int num_read; - char *data; - uint32 new_data_size = rdata_offset + data_to_read; - uint8 cls; - uint32 type; + char *pdata; + uint32 err; + int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata); - DEBUG(5,("rpc_read: data_to_read: %d data offset: %d file offset: %d\n", - data_to_read, rdata_offset, file_offset)); + DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n", + (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size)); - if (new_data_size > rdata->data->data_size) - { - mem_grow_data(&rdata->data, True, new_data_size, True); - DEBUG(5,("rpc_read: grow buffer to %d\n", rdata->data->data_used)); + /* + * Grow the buffer if needed to accommodate the data to be read. + */ + + if (extra_data_size > 0) { + if(!prs_force_grow(rdata, (uint32)extra_data_size)) { + DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size )); + return False; + } + DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) )); } - data = rdata->data->data + rdata_offset; + pdata = prs_data_p(rdata) + *rdata_offset; do /* read data using SMBreadX */ { - if (size > data_to_read) - { - size = data_to_read; - } + if (size > (size_t)data_to_read) + size = (size_t)data_to_read; - num_read = cli_read(cli, fnum, data, file_offset, size); + num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size); - DEBUG(5,("rpc_read: read offset: %d read: %d to read: %d\n", - file_offset, num_read, data_to_read)); + DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n", + num_read, stream_offset, data_to_read)); - data_to_read -= num_read; - file_offset += num_read; - data += num_read; - - if (cli_error(cli, &cls, &type)) - { - if (cls != ERRDOS || type != ERRmoredata) - { - return False; - } + if (cli_error(cli, NULL, &err, NULL)) { + DEBUG(0,("rpc_read: Error %u in cli_read\n", (unsigned int)err )); + return False; } - } while (!one_only && num_read > 0 && data_to_read > 0); + data_to_read -= num_read; + stream_offset += num_read; + pdata += num_read; - rdata->data->offset.end = new_data_size; + } while (num_read > 0 && data_to_read > 0); + /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */ - DEBUG(5,("rpc_read: offset end: 0x%x. data left to read:0x%x\n", - rdata->data->offset.end, data_to_read)); + /* + * Update the current offset into rdata by the amount read. + */ + *rdata_offset += stream_offset; return True; } /**************************************************************************** - checks the header + Checks the header. ****************************************************************************/ + static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr, - BOOL *first, BOOL *last, int *len) + BOOL *first, BOOL *last, uint32 *len) { - DEBUG(5,("rpc_check_hdr: rdata->data->data_used: %d\n", rdata->data->data_used)); + DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) )); - smb_io_rpc_hdr ("rpc_hdr ", rhdr , rdata, 0); - - if (!rdata->offset || rdata->offset != 0x10) - { - DEBUG(0,("cli_pipe: error in rpc header\n")); + if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) { + DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n")); return False; } - DEBUG(5,("rpc_check_hdr: (after smb_io_rpc_hdr call) rdata->data->data_used: %d\n", - rdata->data->data_used)); + if (prs_offset(rdata) != RPC_HEADER_LEN) { + DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN)); + return False; + } - (*first ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_FIRST); - (*last ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_LAST ); - (*len ) = rhdr->frag_len - rdata->data->data_used; + (*first) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_FIRST); + (*last) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_LAST ); + (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata); - return rhdr->pkt_type != RPC_FAULT; + return (rhdr->pkt_type != RPC_FAULT); } -static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, int len) +static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len) { unsigned char *hash = cli->ntlmssp_hash; - unsigned char index_i = hash[256]; - unsigned char index_j = hash[257]; - int ind; + unsigned char index_i = hash[256]; + unsigned char index_j = hash[257]; + int ind; - for( ind = 0; ind < len; ind++) - { - unsigned char tc; - unsigned char t; + for( ind = 0; ind < len; ind++) { + unsigned char tc; + unsigned char t; - index_i++; - index_j += hash[index_i]; + index_i++; + index_j += hash[index_i]; - tc = hash[index_i]; - hash[index_i] = hash[index_j]; - hash[index_j] = tc; + tc = hash[index_i]; + hash[index_i] = hash[index_j]; + hash[index_j] = tc; - t = hash[index_i] + hash[index_j]; - data[ind] = data[ind] ^ hash[t]; - } + t = hash[index_i] + hash[index_j]; + data[ind] = data[ind] ^ hash[t]; + } - hash[256] = index_i; - hash[257] = index_j; + hash[256] = index_i; + hash[257] = index_j; } /**************************************************************************** - decrypt data on an rpc pipe + Verify data on an rpc pipe. + The VERIFY & SEAL code is only executed on packets that look like this : + + Request/Response PDU's look like the following... + + |<------------------PDU len----------------------------------------------->| + |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->| + + +------------+-----------------+-------------+---------------+-------------+ + | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA | + +------------+-----------------+-------------+---------------+-------------+ + + Never on bind requests/responses. ****************************************************************************/ -static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, - int len, int auth_len) +static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, int len, int auth_len) { - RPC_AUTH_NTLMSSP_CHK chk; - uint32 crc32; - int data_len = len - 0x18 - auth_len - 8; - char *reply_data = mem_data(&rdata->data, 0x18); + /* + * The following is that length of the data we must sign or seal. + * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN + * preceeding the auth_data. + */ + + int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len; + + /* + * The start of the data to sign/seal is just after the RPC headers. + */ + char *reply_data = prs_data_p(rdata) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN; BOOL auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN); - BOOL auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL); + BOOL auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL); DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n", len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal))); - if (reply_data == NULL) return False; + /* + * Unseal any sealed data in the PDU, not including the + * 8 byte auth_header or the auth_data. + */ - if (auth_seal) - { - DEBUG(10,("rpc_auth_pipe: seal\n")); + if (auth_seal) { + DEBUG(10,("rpc_auth_pipe: unseal\n")); dump_data(100, reply_data, data_len); NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len); dump_data(100, reply_data, data_len); } - if (auth_verify || auth_seal) - { - RPC_HDR_AUTH rhdr_auth; + if (auth_verify || auth_seal) { + RPC_HDR_AUTH rhdr_auth; prs_struct auth_req; - char *data = mem_data(&rdata->data, len - auth_len - 8); - prs_init(&auth_req , 0x08, 4, 0, True); - memcpy(auth_req.data->data, data, 8); - smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0); - prs_mem_free(&auth_req); - - if (!rpc_hdr_auth_chk(&rhdr_auth)) - { + char data[RPC_HDR_AUTH_LEN]; + /* + * We set dp to be the end of the packet, minus the auth_len + * and the length of the header that preceeds the auth_data. + */ + char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN; + + if(dp - prs_data_p(rdata) > prs_data_size(rdata)) { + DEBUG(0,("rpc_auth_pipe: auth data > data size !\n")); + return False; + } + + memcpy(data, dp, sizeof(data)); + + prs_init(&auth_req , 0, 4, UNMARSHALL); + prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False); + + /* + * Unmarshall the 8 byte auth_header that comes before the + * auth data. + */ + + if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) { + DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n")); + return False; + } + + if (!rpc_hdr_auth_chk(&rhdr_auth)) { + DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n")); return False; } } - if (auth_verify) - { + /* + * Now unseal and check the auth verifier in the auth_data at + * then end of the packet. The 4 bytes skipped in the unseal + * seem to be a buffer pointer preceeding the sealed data. + */ + + if (auth_verify) { + RPC_AUTH_NTLMSSP_CHK chk; + uint32 crc32; prs_struct auth_verf; - char *data = mem_data(&rdata->data, len - auth_len); - if (data == NULL) return False; + char data[RPC_AUTH_NTLMSSP_CHK_LEN]; + char *dp = prs_data_p(rdata) + len - auth_len; + + if(dp - prs_data_p(rdata) > prs_data_size(rdata)) { + DEBUG(0,("rpc_auth_pipe: auth data > data size !\n")); + return False; + } DEBUG(10,("rpc_auth_pipe: verify\n")); + dump_data(100, dp, auth_len); + NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4); + + memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN); dump_data(100, data, auth_len); - NTLMSSPcalc_ap(cli, (uchar*)(data+4), auth_len - 4); - prs_init(&auth_verf, 0x08, 4, 0, True); - memcpy(auth_verf.data->data, data, 16); - smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0); - dump_data(100, data, auth_len); - prs_mem_free(&auth_verf); - } - if (auth_verify) - { - crc32 = crc32_calc_buffer(data_len, reply_data); - if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) - { + prs_init(&auth_verf, 0, 4, UNMARSHALL); + prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False); + + if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) { + DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n")); + return False; + } + + crc32 = crc32_calc_buffer(reply_data, data_len); + + if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) { + DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n")); return False; } cli->ntlmssp_seq_num++; @@ -230,204 +288,215 @@ static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, /**************************************************************************** - send data on an rpc pipe, which *must* be in one fragment. + Send data on an rpc pipe, which *must* be in one fragment. receive response data from an rpc pipe, which may be large... - read the first fragment: unfortunately have to use SMBtrans for the first + Read the first fragment: unfortunately have to use SMBtrans for the first bit, then SMBreadX for subsequent bits. - if first fragment received also wasn't the last fragment, continue + If first fragment received also wasn't the last fragment, continue getting fragments until we _do_ receive the last fragment. - [note: from a data abstraction viewpoint, this function is marginally - complicated by the return side of cli_api_pipe getting in the way - (i.e, the SMB header stuff). the proper way to do this is to split - cli_api_pipe down into receive / transmit. oh, and split cli_readx - down. in other words, state-based (kernel) techniques...] + Request/Response PDU's look like the following... + + |<------------------PDU len----------------------------------------------->| + |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->| + + +------------+-----------------+-------------+---------------+-------------+ + | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA | + +------------+-----------------+-------------+---------------+-------------+ + + Where the presence of the AUTH_HDR and AUTH are dependent on the + signing & sealing being neogitated. ****************************************************************************/ -static BOOL rpc_api_pipe(struct cli_state *cli, uint16 fnum, - BOOL bind_rq, uint16 cmd, - prs_struct *param , prs_struct *data, - prs_struct *rparam, prs_struct *rdata) +static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, prs_struct *data, prs_struct *rdata) { - int len; - - uint16 setup[2]; /* only need 2 uint16 setup parameters */ - uint8 cls; - uint32 type; + uint32 len; + char *rparam = NULL; + uint32 rparam_len = 0; + uint16 setup[2]; + uint32 err; BOOL first = True; BOOL last = True; - BOOL used_smb_trans = False; - RPC_HDR rhdr; + RPC_HDR rhdr; + char *pdata = data ? prs_data_p(data) : NULL; + uint32 data_len = data ? prs_offset(data) : 0; + char *prdata = NULL; + uint32 rdata_len = 0; + uint32 current_offset = 0; - /* - * Setup the pointers from the incoming. - */ - char *pparams = param ? param->data->data : NULL; - int params_len = param ? param->data->data_used : 0; - char *pdata = data ? data->data->data : NULL; - int data_len = data ? data->data->data_used : 0; - - /* - * Setup the pointers to the outgoing. - */ - char **pp_ret_params = rparam ? &rparam->data->data : NULL; - uint32 *p_ret_params_len = rparam ? &rparam->data->data_used : NULL; - - char **pp_ret_data = rdata ? &rdata->data->data : NULL; - uint32 *p_ret_data_len = rdata ? &rdata->data->data_used : NULL; - - /* create setup parameters. */ + /* + * Create setup parameters - must be in native byte order. + */ setup[0] = cmd; - setup[1] = fnum; /* pipe file handle. got this from an SMBOpenX. */ + setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */ - if (data_len > 2048 && !bind_rq) - { - ssize_t written; - - DEBUG(5,("rpc_api_pipe: cli_write %d\n", data_len)); + DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", (int)cmd, (int)cli->nt_pipe_fnum)); - written = cli_write(cli, fnum, 0x0008, pdata, 0, data_len); + /* send the data: receive a response. */ + if (!cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8, + setup, 2, 0, /* Setup, length, max */ + NULL, 0, 0, /* Params, length, max */ + pdata, data_len, data_len, /* data, length, max */ + &rparam, &rparam_len, /* return params, len */ + &prdata, &rdata_len)) /* return data, len */ + { + DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli))); + return False; + } - if (written != data_len) - - { - fstring errstr; - cli_safe_errstr(cli, errstr, sizeof(errstr)-1); - DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", errstr)); - return False; - } + /* + * Throw away returned params - we know we won't use them. + */ - DEBUG(5,("rpc_api_pipe: rpc_read after write\n")); - - first = False; - last = False; + if(rparam) { + free(rparam); + rparam = NULL; } - else - { - DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", cmd, fnum)); - used_smb_trans = True; - - /* send the data: receive a response. */ - if (!cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8, - setup, 2, 0, /* Setup, length, max */ - pparams, params_len, 0, /* Params, length, max */ - pdata, data_len, 2048, /* data, length, max */ - pp_ret_params, p_ret_params_len, /* return params, len */ - pp_ret_data, p_ret_data_len)) /* return data, len */ - { - fstring errstr; - cli_safe_errstr(cli, errstr, sizeof(errstr)-1); - DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", errstr)); - return False; - } - if (rdata->data->data == NULL) return False; + if (prdata == NULL) { + DEBUG(0,("rpc_api_pipe: cmd %x on pipe %x failed to return data.\n", + (int)cmd, (int)cli->nt_pipe_fnum)); + return False; + } - /**** parse the header: check it's a response record */ + /* + * Give this memory as dynamically allocated to the return parse struct. + */ - rdata->data->offset.start = 0; - rdata->data->offset.end = rdata->data->data_used; - rdata->offset = 0; + prs_give_memory(rdata, prdata, rdata_len, True); + current_offset = rdata_len; - /* cli_api_pipe does an ordinary Realloc - we have no margins now. */ - rdata->data->margin = 0; - if (rparam) rparam->data->margin = 0; + if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) { + prs_mem_free(rdata); + return False; + } - if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) - { - return False; + if (rhdr.pkt_type == RPC_BINDACK) { + if (!last && !first) { + DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n")); + first = True; + last = True; } + } - if (rhdr.pkt_type == RPC_BINDACK) - { - if (!last && !first) - { - DEBUG(5,("rpc_api_pipe: bug in AS/U, setting fragment first/last ON\n")); - first = True; - last = True; - } + if (rhdr.pkt_type == RPC_RESPONSE) { + RPC_HDR_RESP rhdr_resp; + if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) { + DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n")); + prs_mem_free(rdata); + return False; } + } - if (rhdr.pkt_type == RPC_RESPONSE) - { - RPC_HDR_RESP rhdr_resp; - smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0); + DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n", + (unsigned int)len, (unsigned int)rdata_len )); + + /* check if data to be sent back was too large for one SMB. */ + /* err status is only informational: the _real_ check is on the length */ + if (len > 0) { + /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */ + /* + * Read the rest of the first response PDU. + */ + if (!rpc_read(cli, rdata, len, ¤t_offset)) { + prs_mem_free(rdata); + return False; } + } - DEBUG(5,("rpc_api_pipe: len left: %d smbtrans read: %d\n", - len, rdata->data->data_used)); - - /* check if data to be sent back was too large for one SMB. */ - /* err status is only informational: the _real_ check is on the length */ - if (len > 0) /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */ - { - if (!rpc_read(cli, fnum, rdata, len, rdata->data->data_used, False)) - { - return False; - } - } + /* + * Now we have a complete PDU, check the auth struct if any was sent. + */ - if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len)) - { + if (rhdr.auth_len != 0) { + if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len)) return False; - } - - /* only one rpc fragment, and it has been read */ - if (first && last) - { - DEBUG(6,("rpc_api_pipe: fragment first and last both set\n")); - return True; - } + /* + * Drop the auth footers from the current offset. + * We need this if there are more fragments. + * The auth footers consist of the auth_data and the + * preceeding 8 byte auth_header. + */ + current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN); + } + + /* + * Only one rpc fragment, and it has been read. + */ + if (first && last) { + DEBUG(6,("rpc_api_pipe: fragment first and last both set\n")); + return True; } - while (!last) /* read more fragments until we get the last one */ - { + /* + * Read more fragments until we get the last one. + */ + + while (!last) { RPC_HDR_RESP rhdr_resp; int num_read; + char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN]; prs_struct hps; - prs_init(&hps, 0x18, 4, 0, True); - - num_read = cli_read(cli, fnum, hps.data->data, 0, 0x18); - DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read)); + /* + * First read the header of the next PDU. + */ - if (num_read != 0x18) return False; + prs_init(&hps, 0, 4, UNMARSHALL); + prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False); - if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len)) - { + num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN); + if (cli_error(cli, NULL, &err, NULL)) { + DEBUG(0,("rpc_api_pipe: cli_read error : %d\n", err )); return False; } - smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0); - - prs_mem_free(&hps); + DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read)); - if (cli_error(cli, &cls, &type)) - { - if (cls != ERRDOS || type != ERRmoredata) - { - return False; - } + if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) { + DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n", + RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read )); + return False; } - if (first && used_smb_trans) - { - DEBUG(0,("rpc_api_pipe: wierd rpc header received\n")); + if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len)) + return False; + + if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) { + DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n")); return False; } - if (!rpc_read(cli, fnum, rdata, len, rdata->data->data_used, False)) - { + if (first) { + DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n")); return False; } - if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len)) - { + /* + * Now read the rest of the PDU. + */ + + if (!rpc_read(cli, rdata, len, ¤t_offset)) return False; + + /* + * Verify any authentication footer. + */ + + if (rhdr.auth_len != 0 ) { + if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len)) + return False; + /* + * Drop the auth footers from the current offset. + * The auth footers consist of the auth_data and the + * preceeding 8 byte auth_header. + * We need this if there are more fragments. + */ + current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN); } } @@ -442,283 +511,362 @@ static BOOL rpc_api_pipe(struct cli_state *cli, uint16 fnum, - caller is expected to free the header data structure once used. ********************************************************************/ -static BOOL create_rpc_bind_req(prs_struct *rhdr, - prs_struct *rhdr_rb, - prs_struct *rhdr_auth, - prs_struct *auth_req, - prs_struct *auth_ntlm, - uint32 rpc_call_id, + +static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, uint32 rpc_call_id, RPC_IFACE *abstract, RPC_IFACE *transfer, char *my_name, char *domain, uint32 neg_flags) { - RPC_HDR_RB hdr_rb; - RPC_HDR hdr; - RPC_HDR_AUTH hdr_auth; - RPC_AUTH_NTLMSSP_VERIFIER auth_verifier; - RPC_AUTH_NTLMSSP_NEG ntlmssp_neg; + RPC_HDR hdr; + RPC_HDR_RB hdr_rb; + char buffer[4096]; + prs_struct auth_info; + int auth_len = 0; - /* create the bind request RPC_HDR_RB */ - make_rpc_hdr_rb(&hdr_rb, 0x1630, 0x1630, 0x0, - 0x1, 0x0, 0x1, abstract, transfer); + prs_init(&auth_info, 0, 4, MARSHALL); - /* stream the bind request data */ - smb_io_rpc_hdr_rb("", &hdr_rb, rhdr_rb, 0); - mem_realloc_data(rhdr_rb->data, rhdr_rb->offset); + if (do_auth) { + RPC_HDR_AUTH hdr_auth; + RPC_AUTH_VERIFIER auth_verifier; + RPC_AUTH_NTLMSSP_NEG ntlmssp_neg; - if (auth_req != NULL && rhdr_auth != NULL && auth_ntlm != NULL) - { - make_rpc_hdr_auth(&hdr_auth, 0x0a, 0x06, 0x00, 1); - smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rhdr_auth, 0); - mem_realloc_data(rhdr_auth->data, rhdr_auth->offset); + /* + * Create the auth structs we will marshall. + */ + + init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1); + init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE); + init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain); + + /* + * Use the 4k buffer to store the auth info. + */ + + prs_give_memory( &auth_info, buffer, sizeof(buffer), False); - make_rpc_auth_ntlmssp_verifier(&auth_verifier, - "NTLMSSP", NTLMSSP_NEGOTIATE); + /* + * Now marshall the data into the temporary parse_struct. + */ - smb_io_rpc_auth_ntlmssp_verifier("auth_verifier", &auth_verifier, auth_req, 0); - mem_realloc_data(auth_req->data, auth_req->offset); + if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) { + DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n")); + return False; + } + + if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) { + DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n")); + return False; + } - make_rpc_auth_ntlmssp_neg(&ntlmssp_neg, - neg_flags, my_name, domain); + if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) { + DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n")); + return False; + } - smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, auth_req, 0); - mem_realloc_data(auth_req->data, auth_req->offset); + /* Auth len in the rpc header doesn't include auth_header. */ + auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN; } /* create the request RPC_HDR */ - make_rpc_hdr(&hdr, RPC_BIND, 0x0, rpc_call_id, - (auth_req != NULL ? auth_req ->offset : 0) + - (auth_ntlm != NULL ? auth_ntlm->offset : 0) + - (rhdr_auth != NULL ? rhdr_auth->offset : 0) + - rhdr_rb->offset + 0x10, - (auth_req != NULL ? auth_req ->offset : 0) + - (auth_ntlm != NULL ? auth_ntlm->offset : 0)); - - smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0); - mem_realloc_data(rhdr->data, rhdr->offset); + init_rpc_hdr(&hdr, RPC_BIND, 0x0, rpc_call_id, + RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info), + auth_len); - if (rhdr->data == NULL || rhdr_rb->data == NULL) return False; + if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) { + DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n")); + return False; + } - /***/ - /*** link rpc header, bind acknowledgment and authentication responses ***/ - /***/ + /* create the bind request RPC_HDR_RB */ + init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0, + 0x1, 0x0, 0x1, abstract, transfer); - if (auth_req != NULL) - { - prs_link(NULL , rhdr , rhdr_rb ); - prs_link(rhdr , rhdr_rb , rhdr_auth); - prs_link(rhdr_rb , rhdr_auth , auth_req ); - prs_link(rhdr_auth, auth_req , auth_ntlm); - prs_link(auth_req , auth_ntlm , NULL ); + /* Marshall the bind request data */ + if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) { + DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n")); + return False; } - else - { - prs_link(NULL, rhdr , rhdr_rb); - prs_link(rhdr, rhdr_rb, NULL ); + + /* + * Grow the outgoing buffer to store any auth info. + */ + + if(hdr.auth_len != 0) { + if(!prs_append_prs_data( rpc_out, &auth_info)) { + DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n")); + return False; + } } return True; } /******************************************************************* - creates a DCE/RPC bind authentication response - - - initialises the parse structure. - - dynamically allocates the header data structure - - caller is expected to free the header data structure once used. - + Creates a DCE/RPC bind authentication response. + This is the packet that is sent back to the server once we + have received a BIND-ACK, to finish the third leg of + the authentication handshake. ********************************************************************/ -BOOL create_rpc_bind_resp(struct pwd_info *pwd, + +static BOOL create_rpc_bind_resp(struct pwd_info *pwd, char *domain, char *user_name, char *my_name, uint32 ntlmssp_cli_flgs, uint32 rpc_call_id, - prs_struct *rhdr, - prs_struct *rhdr_autha, - prs_struct *auth_resp) + prs_struct *rpc_out) { - RPC_HDR hdr; - RPC_HDR_AUTHA hdr_autha; - RPC_AUTH_NTLMSSP_VERIFIER auth_verifier; + unsigned char lm_owf[24]; + unsigned char nt_owf[24]; + RPC_HDR hdr; + RPC_HDR_AUTHA hdr_autha; + RPC_AUTH_VERIFIER auth_verifier; + RPC_AUTH_NTLMSSP_RESP ntlmssp_resp; + char buffer[4096]; + prs_struct auth_info; - make_rpc_hdr_autha(&hdr_autha, 0x1630, 0x1630, 0x0a, 0x06, 0x00); - smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rhdr_autha, 0); - mem_realloc_data(rhdr_autha->data, rhdr_autha->offset); + /* + * Marshall the variable length data into a temporary parse + * struct, pointing into a 4k local buffer. + */ + prs_init(&auth_info, 0, 4, MARSHALL); - make_rpc_auth_ntlmssp_verifier(&auth_verifier, - "NTLMSSP", NTLMSSP_AUTH); + /* + * Use the 4k buffer to store the auth info. + */ - smb_io_rpc_auth_ntlmssp_verifier("auth_verifier", &auth_verifier, auth_resp, 0); - mem_realloc_data(auth_resp->data, auth_resp->offset); + prs_give_memory( &auth_info, buffer, sizeof(buffer), False); - create_ntlmssp_resp(pwd, domain, user_name, my_name, ntlmssp_cli_flgs, - auth_resp); + /* + * Create the variable length auth_data. + */ - /* create the request RPC_HDR */ - make_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id, - auth_resp->offset + rhdr_autha->offset + 0x10, - auth_resp->offset); + init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH); + + pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf); + + init_rpc_auth_ntlmssp_resp(&ntlmssp_resp, + lm_owf, nt_owf, + domain, user_name, my_name, + ntlmssp_cli_flgs); + + /* + * Marshall the variable length auth_data into a temp parse_struct. + */ + + if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) { + DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n")); + return False; + } + + if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) { + DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n")); + return False; + } + + /* Create the request RPC_HDR */ + init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id, + RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info), + prs_offset(&auth_info) ); + + /* Marshall it. */ + if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) { + DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n")); + return False; + } - smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0); - mem_realloc_data(rhdr->data, rhdr->offset); + /* Create the request RPC_HDR_AUTHA */ + init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, + NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00); - if (rhdr->data == NULL || rhdr_autha->data == NULL) return False; + if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) { + DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n")); + return False; + } - /***/ - /*** link rpc header and authentication responses ***/ - /***/ + /* + * Append the auth data to the outgoing buffer. + */ - prs_link(NULL , rhdr , rhdr_autha); - prs_link(rhdr , rhdr_autha , auth_resp ); - prs_link(rhdr_autha, auth_resp , NULL ); + if(!prs_append_prs_data(rpc_out, &auth_info)) { + DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n")); + return False; + } return True; } /******************************************************************* - creates a DCE/RPC bind request - - - initialises the parse structure. - - dynamically allocates the header data structure - - caller is expected to free the header data structure once used. - + Creates a DCE/RPC request. ********************************************************************/ -static BOOL create_rpc_request(prs_struct *rhdr, uint8 op_num, int data_len, - int auth_len) +static BOOL create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len) { uint32 alloc_hint; - RPC_HDR_REQ hdr_req; RPC_HDR hdr; + RPC_HDR_REQ hdr_req; - DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", - op_num, data_len)); + DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len)); /* create the rpc header RPC_HDR */ - make_rpc_hdr(&hdr , RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST, + init_rpc_hdr(&hdr, RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST, get_rpc_call_id(), data_len, auth_len); + /* + * The alloc hint should be the amount of data, not including + * RPC headers & footers. + */ + if (auth_len != 0) - { - alloc_hint = data_len - 0x18 - auth_len - 16; - } + alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len; else - { - alloc_hint = data_len - 0x18; - } + alloc_hint = data_len - RPC_HEADER_LEN; DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n", data_len, auth_len, alloc_hint)); - /* create the rpc request RPC_HDR_REQ */ - make_rpc_hdr_req(&hdr_req, alloc_hint, op_num); + /* Create the rpc request RPC_HDR_REQ */ + init_rpc_hdr_req(&hdr_req, alloc_hint, op_num); /* stream-time... */ - smb_io_rpc_hdr ("hdr ", &hdr , rhdr, 0); - smb_io_rpc_hdr_req("hdr_req", &hdr_req, rhdr, 0); + if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0)) + return False; - if (rhdr->data == NULL || rhdr->offset != 0x18) return False; + if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0)) + return False; - rhdr->data->offset.start = 0; - rhdr->data->offset.end = rhdr->offset; + if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN) + return False; return True; } /**************************************************************************** - send a request on an rpc pipe. + Send a request on an rpc pipe. ****************************************************************************/ -BOOL rpc_api_pipe_req(struct cli_state *cli, uint16 fnum, uint8 op_num, + +BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num, prs_struct *data, prs_struct *rdata) { - /* fudge this, at the moment: create the header; memcpy the data. oops. */ - prs_struct dataa; - prs_struct rparam; - prs_struct hdr; - prs_struct hdr_auth; - prs_struct auth_verf; - int data_len; - int auth_len; + prs_struct outgoing_packet; + uint32 data_len; + uint32 auth_len; BOOL ret; BOOL auth_verify; BOOL auth_seal; uint32 crc32 = 0; + char *pdata_out = NULL; auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN); auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL); - /* happen to know that NTLMSSP authentication verifier is 16 bytes */ - auth_len = (auth_verify ? 16 : 0); - data_len = data->offset + auth_len + (auth_verify ? 8 : 0) + 0x18; - data->data->offset.end = data->offset; + /* + * The auth_len doesn't include the RPC_HDR_AUTH_LEN. + */ - prs_init(&hdr , data_len, 4, SAFETY_MARGIN, False); - prs_init(&hdr_auth , 8 , 4, SAFETY_MARGIN, False); - prs_init(&auth_verf, auth_len, 4, SAFETY_MARGIN, False); - prs_init(&rparam , 0 , 4, 0 , True ); + auth_len = (auth_verify ? RPC_AUTH_NTLMSSP_CHK_LEN : 0); - create_rpc_request(&hdr, op_num, data_len, auth_len); + /* + * PDU len is header, plus request header, plus data, plus + * auth_header_len (if present), plus auth_len (if present). + * NB. The auth stuff should be aligned on an 8 byte boundary + * to be totally DCE/RPC spec complient. For now we cheat and + * hope that the data structs defined are a multiple of 8 bytes. + */ - if (auth_seal) - { - crc32 = crc32_calc_buffer(data->offset, mem_data(&data->data, 0)); - NTLMSSPcalc_ap(cli, (uchar*)mem_data(&data->data, 0), data->offset); + if((prs_offset(data) % 8) != 0) { + DEBUG(5,("rpc_api_pipe_req: Outgoing data not a multiple of 8 bytes....\n")); } - if (auth_seal || auth_verify) - { - RPC_HDR_AUTH rhdr_auth; + data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(data) + + (auth_verify ? RPC_HDR_AUTH_LEN : 0) + auth_len; - make_rpc_hdr_auth(&rhdr_auth, 0x0a, 0x06, 0x08, (auth_verify ? 1 : 0)); - smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &hdr_auth, 0); + /* + * Malloc a parse struct to hold it (and enough for alignments). + */ + + if(!prs_init(&outgoing_packet, data_len + 8, 4, MARSHALL)) { + DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len )); + return False; } - if (auth_verify) - { - RPC_AUTH_NTLMSSP_CHK chk; + pdata_out = prs_data_p(&outgoing_packet); + + /* + * Write out the RPC header and the request header. + */ + + if(!create_rpc_request(&outgoing_packet, op_num, data_len, auth_len)) { + DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n")); + prs_mem_free(&outgoing_packet); + return False; + } + + /* + * Seal the outgoing data if requested. + */ - make_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++); - smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0); - NTLMSSPcalc_ap(cli, (uchar*)mem_data(&auth_verf.data, 4), 12); + if (auth_seal) { + crc32 = crc32_calc_buffer(prs_data_p(data), prs_offset(data)); + NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data), prs_offset(data)); } - if (auth_seal || auth_verify) - { - prs_link(NULL , &hdr , data ); - prs_link(&hdr , data , &hdr_auth ); - prs_link(data , &hdr_auth , &auth_verf); - prs_link(&hdr_auth, &auth_verf, NULL ); + /* + * Now copy the data into the outgoing packet. + */ + + if(!prs_append_prs_data( &outgoing_packet, data)) { + DEBUG(0,("rpc_api_pipe_req: Failed to append data to outgoing packet.\n")); + prs_mem_free(&outgoing_packet); + return False; } - else - { - prs_link(NULL, &hdr, data); - prs_link(&hdr, data, NULL); + + /* + * Add a trailing auth_verifier if needed. + */ + + if (auth_seal || auth_verify) { + RPC_HDR_AUTH hdr_auth; + + init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, + NTLMSSP_AUTH_LEVEL, 0x08, (auth_verify ? 1 : 0)); + if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &outgoing_packet, 0)) { + DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_HDR_AUTH.\n")); + prs_mem_free(&outgoing_packet); + return False; + } } - DEBUG(100,("data_len: %x data_calc_len: %x\n", - data_len, mem_buf_len(data->data))); + /* + * Finally the auth data itself. + */ + + if (auth_verify) { + RPC_AUTH_NTLMSSP_CHK chk; + uint32 current_offset = prs_offset(&outgoing_packet); + + init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++); + if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &outgoing_packet, 0)) { + DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n")); + prs_mem_free(&outgoing_packet); + return False; + } + NTLMSSPcalc_ap(cli, (unsigned char*)&pdata_out[current_offset+4], RPC_AUTH_NTLMSSP_CHK_LEN - 4); + } - /* this is a hack due to limitations in rpc_api_pipe */ - prs_init(&dataa, data_len, 4, 0x0, False); - mem_buf_copy(dataa.data->data, hdr.data, 0, mem_buf_len(hdr.data)); + DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len, prs_offset(&outgoing_packet))); - ret = rpc_api_pipe(cli, fnum, False, 0x0026, NULL, &dataa, &rparam, rdata); + ret = rpc_api_pipe(cli, 0x0026, &outgoing_packet, rdata); - prs_mem_free(&hdr_auth ); - prs_mem_free(&auth_verf); - prs_mem_free(&rparam ); - prs_mem_free(&hdr ); - prs_mem_free(&dataa ); + prs_mem_free(&outgoing_packet); return ret; } /**************************************************************************** -do an rpc bind + Set the handle state. ****************************************************************************/ -static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, uint16 fnum, - const char *pipe_name, uint16 device_state) +static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, char *pipe_name, uint16 device_state) { BOOL state_set = False; char param[2]; @@ -727,17 +875,18 @@ static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, uint16 fnum, char *rdata = NULL; uint32 rparam_len, rdata_len; - if (pipe_name == NULL) return False; + if (pipe_name == NULL) + return False; DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n", - fnum, pipe_name, device_state)); + cli->nt_pipe_fnum, pipe_name, device_state)); /* create parameters: device state */ SSVAL(param, 0, device_state); /* create setup parameters. */ setup[0] = 0x0001; - setup[1] = fnum; /* pipe file handle. got this from an SMBOpenX. */ + setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */ /* send the data on \PIPE\ */ if (cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8, @@ -751,8 +900,10 @@ static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, uint16 fnum, state_set = True; } - if (rparam) free(rparam); - if (rdata ) free(rdata ); + if (rparam) + free(rparam); + if (rdata) + free(rdata ); return state_set; } @@ -761,27 +912,22 @@ static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, uint16 fnum, check the rpc bind acknowledge response ****************************************************************************/ -static BOOL valid_pipe_name(const char *pipe_name, - RPC_IFACE *abstract, RPC_IFACE *transfer) +static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *transfer) { int pipe_idx = 0; - while (pipe_names[pipe_idx].client_pipe != NULL) - { - if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) - { - DEBUG(5,("Bind Abstract Syntax:\n")); + while (pipe_names[pipe_idx].client_pipe != NULL) { + if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) { + DEBUG(5,("Bind Abstract Syntax: ")); dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax), sizeof(pipe_names[pipe_idx].abstr_syntax)); - DEBUG(5,("Bind Transfer Syntax:\n")); + DEBUG(5,("Bind Transfer Syntax: ")); dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax), sizeof(pipe_names[pipe_idx].trans_syntax)); /* copy the required syntaxes out so we can do the right bind */ - memcpy(transfer, &(pipe_names[pipe_idx].trans_syntax), - sizeof(pipe_names[pipe_idx].trans_syntax)); - memcpy(abstract, &(pipe_names[pipe_idx].abstr_syntax), - sizeof(pipe_names[pipe_idx].abstr_syntax)); + *transfer = pipe_names[pipe_idx].trans_syntax; + *abstract = pipe_names[pipe_idx].abstr_syntax; return True; } @@ -796,56 +942,44 @@ static BOOL valid_pipe_name(const char *pipe_name, check the rpc bind acknowledge response ****************************************************************************/ -static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const char *pipe_name, - RPC_IFACE *transfer) +static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, char *pipe_name, RPC_IFACE *transfer) { int i = 0; - while ((pipe_names[i].client_pipe != NULL) && hdr_ba->addr.len > 0) - { + while ((pipe_names[i].client_pipe != NULL) && hdr_ba->addr.len > 0) { DEBUG(6,("bind_rpc_pipe: searching pipe name: client:%s server:%s\n", pipe_names[i].client_pipe , pipe_names[i].server_pipe )); - if ((strequal(pipe_name, pipe_names[i].client_pipe ))) - { - if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe )) - { + if ((strequal(pipe_name, pipe_names[i].client_pipe ))) { + if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe )) { DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe )); break; - } - else - { + } else { DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n", pipe_names[i].server_pipe , hdr_ba->addr.str)); break; } - } - else - { + } else { i++; } } - if (pipe_names[i].server_pipe == NULL) - { + if (pipe_names[i].server_pipe == NULL) { DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str)); return False; } /* check the transfer syntax */ - if (!((hdr_ba->transfer.version == transfer->version) && - (memcmp(hdr_ba->transfer.data, transfer->data, - sizeof(transfer->version)) ==0))) - { + if ((hdr_ba->transfer.version != transfer->version) || + (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) { DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n")); return False; } /* lkclXXXX only accept one result: check the result(s) */ - if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) - { + if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) { DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n", hdr_ba->res.num_results, hdr_ba->res.reason)); } @@ -855,196 +989,169 @@ static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const char *pipe_name, } /**************************************************************************** -do an rpc bind + Create and send the third packet in an RPC auth. ****************************************************************************/ -static BOOL rpc_pipe_bind(struct cli_state *cli, uint16 fnum, - const char *pipe_name, - RPC_IFACE *abstract, RPC_IFACE *transfer, - char *my_name) +static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id) { - prs_struct hdr; - prs_struct hdr_rb; - prs_struct hdr_auth; - prs_struct auth_req; - prs_struct auth_ntlm; - prs_struct data; - prs_struct rdata; - prs_struct rparam; + RPC_HDR_AUTH rhdr_auth; + RPC_AUTH_VERIFIER rhdr_verf; + RPC_AUTH_NTLMSSP_CHAL rhdr_chal; + char buffer[MAX_PDU_FRAG_LEN]; + prs_struct rpc_out; + ssize_t ret; + + unsigned char p24[24]; + unsigned char lm_owf[24]; + unsigned char lm_hash[16]; + + if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) { + DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n")); + return False; + } + if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) { + DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n")); + return False; + } + if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) { + DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n")); + return False; + } - BOOL valid_ack = False; - BOOL ntlmssp_auth = cli->ntlmssp_cli_flgs != 0; - uint32 rpc_call_id; + cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags; + + pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge); + + prs_init(&rpc_out, 0, 4, MARSHALL); + + prs_give_memory( &rpc_out, buffer, sizeof(buffer), False); + + create_rpc_bind_resp(&cli->pwd, cli->domain, + cli->user_name, global_myname, + cli->ntlmssp_cli_flgs, rpc_call_id, + &rpc_out); + + pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL); + pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL); + + NTLMSSPOWFencrypt(lm_hash, lm_owf, p24); - if (pipe_name == NULL || abstract == NULL || transfer == NULL) { + unsigned char j = 0; + int ind; + unsigned char k2[8]; + + memcpy(k2, p24, 5); + k2[5] = 0xe5; + k2[6] = 0x38; + k2[7] = 0xb0; + + for (ind = 0; ind < 256; ind++) + cli->ntlmssp_hash[ind] = (unsigned char)ind; + + for( ind = 0; ind < 256; ind++) { + unsigned char tc; + + j += (cli->ntlmssp_hash[ind] + k2[ind%8]); + + tc = cli->ntlmssp_hash[ind]; + cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j]; + cli->ntlmssp_hash[j] = tc; + } + + cli->ntlmssp_hash[256] = 0; + cli->ntlmssp_hash[257] = 0; + } + + memset((char *)lm_hash, '\0', sizeof(lm_hash)); + + if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out), + 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) { + DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret)); return False; } - DEBUG(5,("Bind RPC Pipe[%x]: %s\n", fnum, pipe_name)); + cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags; + return True; +} + +/**************************************************************************** + Do an rpc bind. +****************************************************************************/ + +static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, char *my_name) +{ + RPC_IFACE abstract; + RPC_IFACE transfer; + prs_struct rpc_out; + prs_struct rdata; + BOOL do_auth = (cli->ntlmssp_cli_flgs != 0); + uint32 rpc_call_id; + char buffer[MAX_PDU_FRAG_LEN]; - if (!valid_pipe_name(pipe_name, abstract, transfer)) return False; + DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_name)); - prs_init(&hdr , 0x10 , 4, 0x0 , False); - prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False); - prs_init(&hdr_auth , (ntlmssp_auth ? 8 : 0), 4, SAFETY_MARGIN, False); - prs_init(&auth_req , (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False); - prs_init(&auth_ntlm, (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False); + if (!valid_pipe_name(pipe_name, &abstract, &transfer)) + return False; - prs_init(&rdata , 0 , 4, SAFETY_MARGIN, True); - prs_init(&rparam , 0 , 4, SAFETY_MARGIN, True); + prs_init(&rpc_out, 0, 4, MARSHALL); - rpc_call_id = get_rpc_call_id(); - create_rpc_bind_req(&hdr, &hdr_rb, - ntlmssp_auth ? &hdr_auth : NULL, - ntlmssp_auth ? &auth_req : NULL, - ntlmssp_auth ? &auth_ntlm : NULL, - rpc_call_id, - abstract, transfer, - global_myname, cli->usr.domain, cli->usr.ntlmssp_flags); + /* + * Use the MAX_PDU_FRAG_LEN buffer to store the bind request. + */ - /* this is a hack due to limitations in rpc_api_pipe */ - prs_init(&data, mem_buf_len(hdr.data), 4, 0x0, False); - mem_buf_copy(data.data->data, hdr.data, 0, mem_buf_len(hdr.data)); + prs_give_memory( &rpc_out, buffer, sizeof(buffer), False); - cli->max_recv_frag = 0x1000; + rpc_call_id = get_rpc_call_id(); - /* send data on \PIPE\. receive a response */ - if (rpc_api_pipe(cli, fnum, True, 0x0026, NULL, &data, &rparam, &rdata)) - { - RPC_HDR_BA hdr_ba; - RPC_HDR_AUTH rhdr_auth; - RPC_AUTH_NTLMSSP_VERIFIER rhdr_verf; - RPC_AUTH_NTLMSSP_CHAL rhdr_chal; + /* Marshall the outgoing data. */ + create_rpc_bind_req(&rpc_out, do_auth, rpc_call_id, + &abstract, &transfer, + global_myname, cli->domain, cli->ntlmssp_cli_flgs); - DEBUG(5, ("rpc_api_pipe: return OK\n")); + /* Initialize the incoming data struct. */ + prs_init(&rdata, 0, 4, UNMARSHALL); - smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0); + /* send data on \PIPE\. receive a response */ + if (rpc_api_pipe(cli, 0x0026, &rpc_out, &rdata)) { + RPC_HDR_BA hdr_ba; - if (rdata.offset != 0) - { - valid_ack = check_bind_response(&hdr_ba, pipe_name, transfer); - } + DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n")); - if (valid_ack) - { - cli->max_xmit_frag = hdr_ba.bba.max_tsize; - cli->max_recv_frag = hdr_ba.bba.max_rsize; + if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) { + DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n")); + prs_mem_free(&rdata); + return False; } - if (valid_ack && ntlmssp_auth) - { - smb_io_rpc_hdr_auth("", &rhdr_auth, &rdata, 0); - if (rdata.offset == 0) valid_ack = False; + if(!check_bind_response(&hdr_ba, pipe_name, &transfer)) { + DEBUG(0,("rpc_pipe_bind: check_bind_response failed.\n")); + prs_mem_free(&rdata); + return False; } - if (valid_ack && ntlmssp_auth) - { - smb_io_rpc_auth_ntlmssp_verifier("", &rhdr_verf, &rdata, 0); - if (rdata.offset == 0) valid_ack = False; - } - if (valid_ack && ntlmssp_auth) - { - smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, &rdata, 0); - if (rdata.offset == 0) valid_ack = False; - } - if (valid_ack && ntlmssp_auth) - { - unsigned char p24[24]; - unsigned char lm_owf[24]; - unsigned char lm_hash[16]; - - prs_struct hdra; - prs_struct hdr_autha; - prs_struct auth_resp; - prs_struct dataa; - - cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags; - - prs_init(&hdra , 0x10, 4, 0x0 , False); - prs_init(&hdr_autha, 1024, 4, SAFETY_MARGIN, False); - prs_init(&auth_resp, 1024, 4, SAFETY_MARGIN, False); - - pwd_make_lm_nt_owf(&cli->usr.pwd, rhdr_chal.challenge); - - create_rpc_bind_resp(&cli->usr.pwd, cli->usr.domain, - cli->usr.user_name, global_myname, - cli->ntlmssp_cli_flgs, - rpc_call_id, - &hdra, &hdr_autha, &auth_resp); - - pwd_get_lm_nt_owf(&cli->usr.pwd, lm_owf, NULL, NULL, NULL); - pwd_get_lm_nt_16(&cli->usr.pwd, lm_hash, NULL); - NTLMSSPOWFencrypt(lm_hash, lm_owf, p24); - { - unsigned char j = 0; - int ind; - unsigned char k2[8]; - - memcpy(k2, p24, 5); - k2[5] = 0xe5; - k2[6] = 0x38; - k2[7] = 0xb0; - - for (ind = 0; ind < 256; ind++) - { - cli->ntlmssp_hash[ind] = (unsigned char)ind; - } - - for( ind = 0; ind < 256; ind++) - { - unsigned char tc; - - j += (cli->ntlmssp_hash[ind] + k2[ind%8]); - - tc = cli->ntlmssp_hash[ind]; - cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j]; - cli->ntlmssp_hash[j] = tc; - } - - cli->ntlmssp_hash[256] = 0; - cli->ntlmssp_hash[257] = 0; - } -/* NTLMSSPhash(cli->ntlmssp_hash, p24); */ - bzero(lm_hash, sizeof(lm_hash)); - - /* this is a hack due to limitations in rpc_api_pipe */ - prs_init(&dataa, mem_buf_len(hdra.data), 4, 0x0, False); - mem_buf_copy(dataa.data->data, hdra.data, 0, mem_buf_len(hdra.data)); - - if (cli_write(cli, fnum, 0x0008, - dataa.data->data, 0, - dataa.data->data_used) < 0) - { - valid_ack = False; - } + cli->max_xmit_frag = hdr_ba.bba.max_tsize; + cli->max_recv_frag = hdr_ba.bba.max_rsize; - if (valid_ack) - { - cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags; - } + /* + * If we're doing NTLMSSP auth we need to send a reply to + * the bind-ack to complete the 3-way challenge response + * handshake. + */ - prs_mem_free(&hdra); - prs_mem_free(&dataa); - prs_mem_free(&hdr_autha); - prs_mem_free(&auth_resp); + if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) { + DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n")); + prs_mem_free(&rdata); + return False; } } - prs_mem_free(&data ); - prs_mem_free(&hdr ); - prs_mem_free(&hdr_rb ); - prs_mem_free(&hdr_auth ); - prs_mem_free(&auth_req ); - prs_mem_free(&auth_ntlm); - prs_mem_free(&rdata ); - prs_mem_free(&rparam ); - - return valid_ack; + prs_mem_free(&rdata); + return True; } /**************************************************************************** - set ntlmssp negotiation flags + Set ntlmssp negotiation flags. ****************************************************************************/ void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs) @@ -1054,68 +1161,45 @@ void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs) /**************************************************************************** - open a session + Open a session. ****************************************************************************/ -BOOL cli_nt_session_open(struct cli_state *cli, const char *pipe_name, - uint16* fnum) +BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name) { - RPC_IFACE abstract; - RPC_IFACE transfer; + int fnum; - /******************* open the pipe *****************/ - if (IS_BITS_SET_ALL(cli->capabilities, CAP_NT_SMBS)) - { - int f; - f = cli_nt_create(cli, &(pipe_name[5])); - if (f == -1) - { - fstring errstr; - cli_safe_errstr(cli, errstr, sizeof(errstr)-1); + if (IS_BITS_SET_ALL(cli->capabilities, CAP_NT_SMBS)) { + if ((fnum = cli_nt_create(cli, &(pipe_name[5]))) == -1) { DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n", - &(pipe_name[5]), cli->desthost, errstr)); + &(pipe_name[5]), cli->desthost, cli_errstr(cli))); return False; } - *fnum = (uint16)f; - } - else - { - int f; - f = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE); - if (f == -1) - { - fstring errstr; - cli_safe_errstr(cli, errstr, sizeof(errstr)-1); + + cli->nt_pipe_fnum = (uint16)fnum; + } else { + if ((fnum = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE)) == -1) { DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n", - pipe_name, cli->desthost, errstr)); + pipe_name, cli->desthost, cli_errstr(cli))); return False; } - *fnum = (uint16)f; + + cli->nt_pipe_fnum = (uint16)fnum; /**************** Set Named Pipe State ***************/ - if (!rpc_pipe_set_hnd_state(cli, *fnum, pipe_name, 0x4300)) - { - fstring errstr; - cli_safe_errstr(cli, errstr, sizeof(errstr)-1); + if (!rpc_pipe_set_hnd_state(cli, pipe_name, 0x4300)) { DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n", - errstr)); - cli_close(cli, *fnum); + cli_errstr(cli))); + cli_close(cli, cli->nt_pipe_fnum); return False; } - } /******************* bind request on pipe *****************/ - if (!rpc_pipe_bind(cli, *fnum, pipe_name, - &abstract, &transfer, - global_myname)) - { - fstring errstr; - cli_safe_errstr(cli, errstr, sizeof(errstr)-1); + if (!rpc_pipe_bind(cli, pipe_name, global_myname)) { DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n", - errstr)); - cli_close(cli, *fnum); + cli_errstr(cli))); + cli_close(cli, cli->nt_pipe_fnum); return False; } @@ -1123,6 +1207,18 @@ BOOL cli_nt_session_open(struct cli_state *cli, const char *pipe_name, * Setup the remote server name prefixed by \ and the machine account name. */ + fstrcpy(cli->srv_name_slash, "\\\\"); + fstrcat(cli->srv_name_slash, cli->desthost); + strupper(cli->srv_name_slash); + + fstrcpy(cli->clnt_name_slash, "\\\\"); + fstrcat(cli->clnt_name_slash, global_myname); + strupper(cli->clnt_name_slash); + + fstrcpy(cli->mach_acct, global_myname); + fstrcat(cli->mach_acct, "$"); + strupper(cli->mach_acct); + return True; } @@ -1130,10 +1226,7 @@ BOOL cli_nt_session_open(struct cli_state *cli, const char *pipe_name, close the session ****************************************************************************/ -void cli_nt_session_close(struct cli_state *cli, uint16 fnum) +void cli_nt_session_close(struct cli_state *cli) { - if (fnum != 0xffff) - { - cli_close(cli, fnum); - } + cli_close(cli, cli->nt_pipe_fnum); } -- cgit