1 2/* 3 * Unix SMB/Netbios implementation. 4 * Version 1.9. 5 * RPC Pipe client / server routines 6 * Copyright (C) Andrew Tridgell 1992-1998, 7 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998, 8 * Copyright (C) Paul Ashton 1998. 9 * Copyright (C) Jeremy Allison 1999. 10 * 11 * This program is free software; you can redistribute it and/or modify 12 * it under the terms of the GNU General Public License as published by 13 * the Free Software Foundation; either version 2 of the License, or 14 * (at your option) any later version. 15 * 16 * This program is distributed in the hope that it will be useful, 17 * but WITHOUT ANY WARRANTY; without even the implied warranty of 18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 * GNU General Public License for more details. 20 * 21 * You should have received a copy of the GNU General Public License 22 * along with this program; if not, write to the Free Software 23 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 24 */ 25 26 27#ifdef SYSLOG 28#undef SYSLOG 29#endif 30 31#include "includes.h" 32 33extern int DEBUGLEVEL; 34extern struct pipe_id_info pipe_names[]; 35extern fstring global_myworkgroup; 36extern pstring global_myname; 37 38/******************************************************************** 39 Rpc pipe call id. 40 ********************************************************************/ 41 42static uint32 get_rpc_call_id(void) 43{ 44 static uint32 call_id = 0; 45 return ++call_id; 46} 47 48/******************************************************************* 49 Use SMBreadX to get rest of one fragment's worth of rpc data. 50 ********************************************************************/ 51 52static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset) 53{ 54 size_t size = (size_t)cli->max_recv_frag; 55 int stream_offset = 0; 56 int num_read; 57 char *pdata; 58 uint32 err; 59 int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata); 60 61 DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n", 62 (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size)); 63 64 /* 65 * Grow the buffer if needed to accommodate the data to be read. 66 */ 67 68 if (extra_data_size > 0) { 69 if(!prs_force_grow(rdata, (uint32)extra_data_size)) { 70 DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size )); 71 return False; 72 } 73 DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) )); 74 } 75 76 pdata = prs_data_p(rdata) + *rdata_offset; 77 78 do /* read data using SMBreadX */ 79 { 80 if (size > (size_t)data_to_read) 81 size = (size_t)data_to_read; 82 83 num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size); 84 85 DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n", 86 num_read, stream_offset, data_to_read)); 87 88 if (cli_error(cli, NULL, &err, NULL)) { 89 DEBUG(0,("rpc_read: Error %u in cli_read\n", (unsigned int)err )); 90 return False; 91 } 92 93 data_to_read -= num_read; 94 stream_offset += num_read; 95 pdata += num_read; 96 97 } while (num_read > 0 && data_to_read > 0); 98 /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */ 99 100 /* 101 * Update the current offset into rdata by the amount read. 102 */ 103 *rdata_offset += stream_offset; 104 105 return True; 106} 107 108/**************************************************************************** 109 Checks the header. 110 ****************************************************************************/ 111 112static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr, 113 BOOL *first, BOOL *last, uint32 *len) 114{ 115 DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) )); 116 117 if(!smb_io_rpc_hdr("rpc_hdr ", rhdr, rdata, 0)) { 118 DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n")); 119 return False; 120 } 121 122 if (prs_offset(rdata) != RPC_HEADER_LEN) { 123 DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN)); 124 return False; 125 } 126 127 (*first) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_FIRST); 128 (*last) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_LAST ); 129 (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata); 130 131 return (rhdr->pkt_type != RPC_FAULT); 132} 133 134static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len) 135{ 136 unsigned char *hash = cli->ntlmssp_hash; 137 unsigned char index_i = hash[256]; 138 unsigned char index_j = hash[257]; 139 int ind; 140 141 for( ind = 0; ind < len; ind++) { 142 unsigned char tc; 143 unsigned char t; 144 145 index_i++; 146 index_j += hash[index_i]; 147 148 tc = hash[index_i]; 149 hash[index_i] = hash[index_j]; 150 hash[index_j] = tc; 151 152 t = hash[index_i] + hash[index_j]; 153 data[ind] = data[ind] ^ hash[t]; 154 } 155 156 hash[256] = index_i; 157 hash[257] = index_j; 158} 159 160/**************************************************************************** 161 Verify data on an rpc pipe. 162 The VERIFY & SEAL code is only executed on packets that look like this : 163 164 Request/Response PDU's look like the following... 165 166 |<------------------PDU len----------------------------------------------->| 167 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->| 168 169 +------------+-----------------+-------------+---------------+-------------+ 170 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA | 171 +------------+-----------------+-------------+---------------+-------------+ 172 173 Never on bind requests/responses. 174 ****************************************************************************/ 175 176static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, int len, int auth_len) 177{ 178 /* 179 * The following is that length of the data we must sign or seal. 180 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN 181 * preceeding the auth_data. 182 */ 183 184 int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len; 185 186 /* 187 * The start of the data to sign/seal is just after the RPC headers. 188 */ 189 char *reply_data = prs_data_p(rdata) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN; 190 191 BOOL auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN); 192 BOOL auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL); 193 194 DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n", 195 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal))); 196 197 /* 198 * Unseal any sealed data in the PDU, not including the 199 * 8 byte auth_header or the auth_data. 200 */ 201 202 if (auth_seal) { 203 DEBUG(10,("rpc_auth_pipe: unseal\n")); 204 dump_data(100, reply_data, data_len); 205 NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len); 206 dump_data(100, reply_data, data_len); 207 } 208 209 if (auth_verify || auth_seal) { 210 RPC_HDR_AUTH rhdr_auth; 211 prs_struct auth_req; 212 char data[RPC_HDR_AUTH_LEN]; 213 /* 214 * We set dp to be the end of the packet, minus the auth_len 215 * and the length of the header that preceeds the auth_data. 216 */ 217 char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN; 218 219 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) { 220 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n")); 221 return False; 222 } 223 224 memcpy(data, dp, sizeof(data)); 225 226 prs_init(&auth_req , 0, 4, UNMARSHALL); 227 prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False); 228 229 /* 230 * Unmarshall the 8 byte auth_header that comes before the 231 * auth data. 232 */ 233 234 if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) { 235 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n")); 236 return False; 237 } 238 239 if (!rpc_hdr_auth_chk(&rhdr_auth)) { 240 DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n")); 241 return False; 242 } 243 } 244 245 /* 246 * Now unseal and check the auth verifier in the auth_data at 247 * then end of the packet. The 4 bytes skipped in the unseal 248 * seem to be a buffer pointer preceeding the sealed data. 249 */ 250 251 if (auth_verify) { 252 RPC_AUTH_NTLMSSP_CHK chk; 253 uint32 crc32; 254 prs_struct auth_verf; 255 char data[RPC_AUTH_NTLMSSP_CHK_LEN]; 256 char *dp = prs_data_p(rdata) + len - auth_len; 257 258 if(dp - prs_data_p(rdata) > prs_data_size(rdata)) { 259 DEBUG(0,("rpc_auth_pipe: auth data > data size !\n")); 260 return False; 261 } 262 263 DEBUG(10,("rpc_auth_pipe: verify\n")); 264 dump_data(100, dp, auth_len); 265 NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4); 266 267 memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN); 268 dump_data(100, data, auth_len); 269 270 prs_init(&auth_verf, 0, 4, UNMARSHALL); 271 prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False); 272 273 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) { 274 DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n")); 275 return False; 276 } 277 278 crc32 = crc32_calc_buffer(reply_data, data_len); 279 280 if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) { 281 DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n")); 282 return False; 283 } 284 cli->ntlmssp_seq_num++; 285 } 286 return True; 287} 288 289 290/**************************************************************************** 291 Send data on an rpc pipe, which *must* be in one fragment. 292 receive response data from an rpc pipe, which may be large... 293 294 Read the first fragment: unfortunately have to use SMBtrans for the first 295 bit, then SMBreadX for subsequent bits. 296 297 If first fragment received also wasn't the last fragment, continue 298 getting fragments until we _do_ receive the last fragment. 299 300 Request/Response PDU's look like the following... 301 302 |<------------------PDU len----------------------------------------------->| 303 |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->| 304 305 +------------+-----------------+-------------+---------------+-------------+ 306 | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR | AUTH DATA | 307 +------------+-----------------+-------------+---------------+-------------+ 308 309 Where the presence of the AUTH_HDR and AUTH are dependent on the 310 signing & sealing being neogitated. 311 312 ****************************************************************************/ 313 314static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, prs_struct *data, prs_struct *rdata) 315{ 316 uint32 len; 317 char *rparam = NULL; 318 uint32 rparam_len = 0; 319 uint16 setup[2]; 320 uint32 err; 321 BOOL first = True; 322 BOOL last = True; 323 RPC_HDR rhdr; 324 char *pdata = data ? prs_data_p(data) : NULL; 325 uint32 data_len = data ? prs_offset(data) : 0; 326 char *prdata = NULL; 327 uint32 rdata_len = 0; 328 uint32 current_offset = 0; 329 330 /* 331 * Create setup parameters - must be in native byte order. 332 */ 333 setup[0] = cmd; 334 setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */ 335 336 DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", (int)cmd, (int)cli->nt_pipe_fnum)); 337 338 /* send the data: receive a response. */ 339 if (!cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8, 340 setup, 2, 0, /* Setup, length, max */ 341 NULL, 0, 0, /* Params, length, max */ 342 pdata, data_len, data_len, /* data, length, max */ 343 &rparam, &rparam_len, /* return params, len */ 344 &prdata, &rdata_len)) /* return data, len */ 345 { 346 DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli))); 347 return False; 348 } 349 350 /* 351 * Throw away returned params - we know we won't use them. 352 */ 353 354 if(rparam) { 355 free(rparam); 356 rparam = NULL; 357 } 358 359 if (prdata == NULL) { 360 DEBUG(0,("rpc_api_pipe: cmd %x on pipe %x failed to return data.\n", 361 (int)cmd, (int)cli->nt_pipe_fnum)); 362 return False; 363 } 364 365 /* 366 * Give this memory as dynamically allocated to the return parse struct. 367 */ 368 369 prs_give_memory(rdata, prdata, rdata_len, True); 370 current_offset = rdata_len; 371 372 if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) { 373 prs_mem_free(rdata); 374 return False; 375 } 376 377 if (rhdr.pkt_type == RPC_BINDACK) { 378 if (!last && !first) { 379 DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n")); 380 first = True; 381 last = True; 382 } 383 } 384 385 if (rhdr.pkt_type == RPC_RESPONSE) { 386 RPC_HDR_RESP rhdr_resp; 387 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) { 388 DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n")); 389 prs_mem_free(rdata); 390 return False; 391 } 392 } 393 394 DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n", 395 (unsigned int)len, (unsigned int)rdata_len )); 396 397 /* check if data to be sent back was too large for one SMB. */ 398 /* err status is only informational: the _real_ check is on the length */ 399 if (len > 0) { 400 /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */ 401 /* 402 * Read the rest of the first response PDU. 403 */ 404 if (!rpc_read(cli, rdata, len, ¤t_offset)) { 405 prs_mem_free(rdata); 406 return False; 407 } 408 } 409 410 /* 411 * Now we have a complete PDU, check the auth struct if any was sent. 412 */ 413 414 if (rhdr.auth_len != 0) { 415 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len)) 416 return False; 417 /* 418 * Drop the auth footers from the current offset. 419 * We need this if there are more fragments. 420 * The auth footers consist of the auth_data and the 421 * preceeding 8 byte auth_header. 422 */ 423 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN); 424 } 425 426 /* 427 * Only one rpc fragment, and it has been read. 428 */ 429 430 if (first && last) { 431 DEBUG(6,("rpc_api_pipe: fragment first and last both set\n")); 432 return True; 433 } 434 435 /* 436 * Read more fragments until we get the last one. 437 */ 438 439 while (!last) { 440 RPC_HDR_RESP rhdr_resp; 441 int num_read; 442 char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN]; 443 prs_struct hps; 444 445 /* 446 * First read the header of the next PDU. 447 */ 448 449 prs_init(&hps, 0, 4, UNMARSHALL); 450 prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False); 451 452 num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN); 453 if (cli_error(cli, NULL, &err, NULL)) { 454 DEBUG(0,("rpc_api_pipe: cli_read error : %d\n", err )); 455 return False; 456 } 457 458 DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read)); 459 460 if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) { 461 DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n", 462 RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read )); 463 return False; 464 } 465 466 if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len)) 467 return False; 468 469 if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) { 470 DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n")); 471 return False; 472 } 473 474 if (first) { 475 DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n")); 476 return False; 477 } 478 479 /* 480 * Now read the rest of the PDU. 481 */ 482 483 if (!rpc_read(cli, rdata, len, ¤t_offset)) 484 return False; 485 486 /* 487 * Verify any authentication footer. 488 */ 489 490 if (rhdr.auth_len != 0 ) { 491 if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len)) 492 return False; 493 /* 494 * Drop the auth footers from the current offset. 495 * The auth footers consist of the auth_data and the 496 * preceeding 8 byte auth_header. 497 * We need this if there are more fragments. 498 */ 499 current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN); 500 } 501 } 502 503 return True; 504} 505 506/******************************************************************* 507 creates a DCE/RPC bind request 508 509 - initialises the parse structure. 510 - dynamically allocates the header data structure 511 - caller is expected to free the header data structure once used. 512 513 ********************************************************************/ 514 515static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, uint32 rpc_call_id, 516 RPC_IFACE *abstract, RPC_IFACE *transfer, 517 char *my_name, char *domain, uint32 neg_flags) 518{ 519 RPC_HDR hdr; 520 RPC_HDR_RB hdr_rb; 521 char buffer[4096]; 522 prs_struct auth_info; 523 int auth_len = 0; 524 525 prs_init(&auth_info, 0, 4, MARSHALL); 526 527 if (do_auth) { 528 RPC_HDR_AUTH hdr_auth; 529 RPC_AUTH_VERIFIER auth_verifier; 530 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg; 531 532 /* 533 * Create the auth structs we will marshall. 534 */ 535 536 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1); 537 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE); 538 init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain); 539 540 /* 541 * Use the 4k buffer to store the auth info. 542 */ 543 544 prs_give_memory( &auth_info, buffer, sizeof(buffer), False); 545 546 /* 547 * Now marshall the data into the temporary parse_struct. 548 */ 549 550 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) { 551 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n")); 552 return False; 553 } 554 555 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) { 556 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n")); 557 return False; 558 } 559 560 if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) { 561 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n")); 562 return False; 563 } 564 565 /* Auth len in the rpc header doesn't include auth_header. */ 566 auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN; 567 } 568 569 /* create the request RPC_HDR */ 570 init_rpc_hdr(&hdr, RPC_BIND, 0x0, rpc_call_id, 571 RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info), 572 auth_len); 573 574 if(!smb_io_rpc_hdr("hdr" , &hdr, rpc_out, 0)) { 575 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n")); 576 return False; 577 } 578 579 /* create the bind request RPC_HDR_RB */ 580 init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0, 581 0x1, 0x0, 0x1, abstract, transfer); 582 583 /* Marshall the bind request data */ 584 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) { 585 DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n")); 586 return False; 587 } 588 589 /* 590 * Grow the outgoing buffer to store any auth info. 591 */ 592 593 if(hdr.auth_len != 0) { 594 if(!prs_append_prs_data( rpc_out, &auth_info)) { 595 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n")); 596 return False; 597 } 598 } 599 600 return True; 601} 602 603/******************************************************************* 604 Creates a DCE/RPC bind authentication response. 605 This is the packet that is sent back to the server once we 606 have received a BIND-ACK, to finish the third leg of 607 the authentication handshake. 608 ********************************************************************/ 609 610static BOOL create_rpc_bind_resp(struct pwd_info *pwd, 611 char *domain, char *user_name, char *my_name, 612 uint32 ntlmssp_cli_flgs, 613 uint32 rpc_call_id, 614 prs_struct *rpc_out) 615{ 616 unsigned char lm_owf[24]; 617 unsigned char nt_owf[24]; 618 RPC_HDR hdr; 619 RPC_HDR_AUTHA hdr_autha; 620 RPC_AUTH_VERIFIER auth_verifier; 621 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp; 622 char buffer[4096]; 623 prs_struct auth_info; 624 625 /* 626 * Marshall the variable length data into a temporary parse 627 * struct, pointing into a 4k local buffer. 628 */ 629 prs_init(&auth_info, 0, 4, MARSHALL); 630 631 /* 632 * Use the 4k buffer to store the auth info. 633 */ 634 635 prs_give_memory( &auth_info, buffer, sizeof(buffer), False); 636 637 /* 638 * Create the variable length auth_data. 639 */ 640 641 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH); 642 643 pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf); 644 645 init_rpc_auth_ntlmssp_resp(&ntlmssp_resp, 646 lm_owf, nt_owf, 647 domain, user_name, my_name, 648 ntlmssp_cli_flgs); 649 650 /* 651 * Marshall the variable length auth_data into a temp parse_struct. 652 */ 653 654 if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) { 655 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n")); 656 return False; 657 } 658 659 if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) { 660 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n")); 661 return False; 662 } 663 664 /* Create the request RPC_HDR */ 665 init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id, 666 RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info), 667 prs_offset(&auth_info) ); 668 669 /* Marshall it. */ 670 if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) { 671 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n")); 672 return False; 673 } 674 675 /* Create the request RPC_HDR_AUTHA */ 676 init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 677 NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00); 678 679 if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) { 680 DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n")); 681 return False; 682 } 683 684 /* 685 * Append the auth data to the outgoing buffer. 686 */ 687 688 if(!prs_append_prs_data(rpc_out, &auth_info)) { 689 DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n")); 690 return False; 691 } 692 693 return True; 694} 695 696 697/******************************************************************* 698 Creates a DCE/RPC request. 699 ********************************************************************/ 700 701static BOOL create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len) 702{ 703 uint32 alloc_hint; 704 RPC_HDR hdr; 705 RPC_HDR_REQ hdr_req; 706 707 DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len)); 708 709 /* create the rpc header RPC_HDR */ 710 init_rpc_hdr(&hdr, RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST, 711 get_rpc_call_id(), data_len, auth_len); 712 713 /* 714 * The alloc hint should be the amount of data, not including 715 * RPC headers & footers. 716 */ 717 718 if (auth_len != 0) 719 alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len; 720 else 721 alloc_hint = data_len - RPC_HEADER_LEN; 722 723 DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n", 724 data_len, auth_len, alloc_hint)); 725 726 /* Create the rpc request RPC_HDR_REQ */ 727 init_rpc_hdr_req(&hdr_req, alloc_hint, op_num); 728 729 /* stream-time... */ 730 if(!smb_io_rpc_hdr("hdr ", &hdr, rpc_out, 0)) 731 return False; 732 733 if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0)) 734 return False; 735 736 if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN) 737 return False; 738 739 return True; 740} 741 742 743/**************************************************************************** 744 Send a request on an rpc pipe. 745 ****************************************************************************/ 746 747BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num, 748 prs_struct *data, prs_struct *rdata) 749{ 750 prs_struct outgoing_packet; 751 uint32 data_len; 752 uint32 auth_len; 753 BOOL ret; 754 BOOL auth_verify; 755 BOOL auth_seal; 756 uint32 crc32 = 0; 757 char *pdata_out = NULL; 758 759 auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN); 760 auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL); 761 762 /* 763 * The auth_len doesn't include the RPC_HDR_AUTH_LEN. 764 */ 765 766 auth_len = (auth_verify ? RPC_AUTH_NTLMSSP_CHK_LEN : 0); 767 768 /* 769 * PDU len is header, plus request header, plus data, plus 770 * auth_header_len (if present), plus auth_len (if present). 771 * NB. The auth stuff should be aligned on an 8 byte boundary 772 * to be totally DCE/RPC spec complient. For now we cheat and 773 * hope that the data structs defined are a multiple of 8 bytes. 774 */ 775 776 if((prs_offset(data) % 8) != 0) { 777 DEBUG(5,("rpc_api_pipe_req: Outgoing data not a multiple of 8 bytes....\n")); 778 } 779 780 data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(data) + 781 (auth_verify ? RPC_HDR_AUTH_LEN : 0) + auth_len; 782 783 /* 784 * Malloc a parse struct to hold it (and enough for alignments). 785 */ 786 787 if(!prs_init(&outgoing_packet, data_len + 8, 4, MARSHALL)) { 788 DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len )); 789 return False; 790 } 791 792 pdata_out = prs_data_p(&outgoing_packet); 793 794 /* 795 * Write out the RPC header and the request header. 796 */ 797 798 if(!create_rpc_request(&outgoing_packet, op_num, data_len, auth_len)) { 799 DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n")); 800 prs_mem_free(&outgoing_packet); 801 return False; 802 } 803 804 /* 805 * Seal the outgoing data if requested. 806 */ 807 808 if (auth_seal) { 809 crc32 = crc32_calc_buffer(prs_data_p(data), prs_offset(data)); 810 NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data), prs_offset(data)); 811 } 812 813 /* 814 * Now copy the data into the outgoing packet. 815 */ 816 817 if(!prs_append_prs_data( &outgoing_packet, data)) { 818 DEBUG(0,("rpc_api_pipe_req: Failed to append data to outgoing packet.\n")); 819 prs_mem_free(&outgoing_packet); 820 return False; 821 } 822 823 /* 824 * Add a trailing auth_verifier if needed. 825 */ 826 827 if (auth_seal || auth_verify) { 828 RPC_HDR_AUTH hdr_auth; 829 830 init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, 831 NTLMSSP_AUTH_LEVEL, 0x08, (auth_verify ? 1 : 0)); 832 if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &outgoing_packet, 0)) { 833 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_HDR_AUTH.\n")); 834 prs_mem_free(&outgoing_packet); 835 return False; 836 } 837 } 838 839 /* 840 * Finally the auth data itself. 841 */ 842 843 if (auth_verify) { 844 RPC_AUTH_NTLMSSP_CHK chk; 845 uint32 current_offset = prs_offset(&outgoing_packet); 846 847 init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++); 848 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &outgoing_packet, 0)) { 849 DEBUG(0,("rpc_api_pipe_req: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n")); 850 prs_mem_free(&outgoing_packet); 851 return False; 852 } 853 NTLMSSPcalc_ap(cli, (unsigned char*)&pdata_out[current_offset+4], RPC_AUTH_NTLMSSP_CHK_LEN - 4); 854 } 855 856 DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len, prs_offset(&outgoing_packet))); 857 858 ret = rpc_api_pipe(cli, 0x0026, &outgoing_packet, rdata); 859 860 prs_mem_free(&outgoing_packet); 861 862 return ret; 863} 864 865/**************************************************************************** 866 Set the handle state. 867****************************************************************************/ 868 869static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, char *pipe_name, uint16 device_state) 870{ 871 BOOL state_set = False; 872 char param[2]; 873 uint16 setup[2]; /* only need 2 uint16 setup parameters */ 874 char *rparam = NULL; 875 char *rdata = NULL; 876 uint32 rparam_len, rdata_len; 877 878 if (pipe_name == NULL) 879 return False; 880 881 DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n", 882 cli->nt_pipe_fnum, pipe_name, device_state)); 883 884 /* create parameters: device state */ 885 SSVAL(param, 0, device_state); 886 887 /* create setup parameters. */ 888 setup[0] = 0x0001; 889 setup[1] = cli->nt_pipe_fnum; /* pipe file handle. got this from an SMBOpenX. */ 890 891 /* send the data on \PIPE\ */ 892 if (cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8, 893 setup, 2, 0, /* setup, length, max */ 894 param, 2, 0, /* param, length, max */ 895 NULL, 0, 1024, /* data, length, max */ 896 &rparam, &rparam_len, /* return param, length */ 897 &rdata, &rdata_len)) /* return data, length */ 898 { 899 DEBUG(5, ("Set Handle state: return OK\n")); 900 state_set = True; 901 } 902 903 if (rparam) 904 free(rparam); 905 if (rdata) 906 free(rdata ); 907 908 return state_set; 909} 910 911/**************************************************************************** 912 check the rpc bind acknowledge response 913****************************************************************************/ 914 915static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *transfer) 916{ 917 int pipe_idx = 0; 918 919 while (pipe_names[pipe_idx].client_pipe != NULL) { 920 if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) { 921 DEBUG(5,("Bind Abstract Syntax: ")); 922 dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax), 923 sizeof(pipe_names[pipe_idx].abstr_syntax)); 924 DEBUG(5,("Bind Transfer Syntax: ")); 925 dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax), 926 sizeof(pipe_names[pipe_idx].trans_syntax)); 927 928 /* copy the required syntaxes out so we can do the right bind */ 929 *transfer = pipe_names[pipe_idx].trans_syntax; 930 *abstract = pipe_names[pipe_idx].abstr_syntax; 931 932 return True; 933 } 934 pipe_idx++; 935 }; 936 937 DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name)); 938 return False; 939} 940 941/**************************************************************************** 942 check the rpc bind acknowledge response 943****************************************************************************/ 944 945static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, char *pipe_name, RPC_IFACE *transfer) 946{ 947 int i = 0; 948 949 while ((pipe_names[i].client_pipe != NULL) && hdr_ba->addr.len > 0) { 950 DEBUG(6,("bind_rpc_pipe: searching pipe name: client:%s server:%s\n", 951 pipe_names[i].client_pipe , pipe_names[i].server_pipe )); 952 953 if ((strequal(pipe_name, pipe_names[i].client_pipe ))) { 954 if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe )) { 955 DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", 956 pipe_names[i].server_pipe )); 957 break; 958 } else { 959 DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n", 960 pipe_names[i].server_pipe , 961 hdr_ba->addr.str)); 962 break; 963 } 964 } else { 965 i++; 966 } 967 } 968 969 if (pipe_names[i].server_pipe == NULL) { 970 DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str)); 971 return False; 972 } 973 974 /* check the transfer syntax */ 975 if ((hdr_ba->transfer.version != transfer->version) || 976 (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) { 977 DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n")); 978 return False; 979 } 980 981 /* lkclXXXX only accept one result: check the result(s) */ 982 if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) { 983 DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n", 984 hdr_ba->res.num_results, hdr_ba->res.reason)); 985 } 986 987 DEBUG(5,("bind_rpc_pipe: accepted!\n")); 988 return True; 989} 990 991/**************************************************************************** 992 Create and send the third packet in an RPC auth. 993****************************************************************************/ 994 995static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id) 996{ 997 RPC_HDR_AUTH rhdr_auth; 998 RPC_AUTH_VERIFIER rhdr_verf; 999 RPC_AUTH_NTLMSSP_CHAL rhdr_chal; 1000 char buffer[MAX_PDU_FRAG_LEN]; 1001 prs_struct rpc_out; 1002 ssize_t ret; 1003 1004 unsigned char p24[24]; 1005 unsigned char lm_owf[24]; 1006 unsigned char lm_hash[16]; 1007 1008 if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) { 1009 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n")); 1010 return False; 1011 } 1012 if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) { 1013 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n")); 1014 return False; 1015 } 1016 if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) { 1017 DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n")); 1018 return False; 1019 } 1020 1021 cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags; 1022 1023 pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge); 1024 1025 prs_init(&rpc_out, 0, 4, MARSHALL); 1026 1027 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False); 1028 1029 create_rpc_bind_resp(&cli->pwd, cli->domain, 1030 cli->user_name, global_myname, 1031 cli->ntlmssp_cli_flgs, rpc_call_id, 1032 &rpc_out); 1033 1034 pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL); 1035 pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL); 1036 1037 NTLMSSPOWFencrypt(lm_hash, lm_owf, p24); 1038 1039 { 1040 unsigned char j = 0; 1041 int ind; 1042 unsigned char k2[8]; 1043 1044 memcpy(k2, p24, 5); 1045 k2[5] = 0xe5; 1046 k2[6] = 0x38; 1047 k2[7] = 0xb0; 1048 1049 for (ind = 0; ind < 256; ind++) 1050 cli->ntlmssp_hash[ind] = (unsigned char)ind; 1051 1052 for( ind = 0; ind < 256; ind++) { 1053 unsigned char tc; 1054 1055 j += (cli->ntlmssp_hash[ind] + k2[ind%8]); 1056 1057 tc = cli->ntlmssp_hash[ind]; 1058 cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j]; 1059 cli->ntlmssp_hash[j] = tc; 1060 } 1061 1062 cli->ntlmssp_hash[256] = 0; 1063 cli->ntlmssp_hash[257] = 0; 1064 } 1065 1066 memset((char *)lm_hash, '\0', sizeof(lm_hash)); 1067 1068 if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out), 1069 0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) { 1070 DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret)); 1071 return False; 1072 } 1073 1074 cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags; 1075 return True; 1076} 1077 1078/**************************************************************************** 1079 Do an rpc bind. 1080****************************************************************************/ 1081 1082static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, char *my_name) 1083{ 1084 RPC_IFACE abstract; 1085 RPC_IFACE transfer; 1086 prs_struct rpc_out; 1087 prs_struct rdata; 1088 BOOL do_auth = (cli->ntlmssp_cli_flgs != 0); 1089 uint32 rpc_call_id; 1090 char buffer[MAX_PDU_FRAG_LEN]; 1091 1092 DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_name)); 1093 1094 if (!valid_pipe_name(pipe_name, &abstract, &transfer)) 1095 return False; 1096 1097 prs_init(&rpc_out, 0, 4, MARSHALL); 1098 1099 /* 1100 * Use the MAX_PDU_FRAG_LEN buffer to store the bind request. 1101 */ 1102 1103 prs_give_memory( &rpc_out, buffer, sizeof(buffer), False); 1104 1105 rpc_call_id = get_rpc_call_id(); 1106 1107 /* Marshall the outgoing data. */ 1108 create_rpc_bind_req(&rpc_out, do_auth, rpc_call_id, 1109 &abstract, &transfer, 1110 global_myname, cli->domain, cli->ntlmssp_cli_flgs); 1111 1112 /* Initialize the incoming data struct. */ 1113 prs_init(&rdata, 0, 4, UNMARSHALL); 1114 1115 /* send data on \PIPE\. receive a response */ 1116 if (rpc_api_pipe(cli, 0x0026, &rpc_out, &rdata)) { 1117 RPC_HDR_BA hdr_ba; 1118 1119 DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n")); 1120 1121 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) { 1122 DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n")); 1123 prs_mem_free(&rdata); 1124 return False; 1125 } 1126 1127 if(!check_bind_response(&hdr_ba, pipe_name, &transfer)) { 1128 DEBUG(0,("rpc_pipe_bind: check_bind_response failed.\n")); 1129 prs_mem_free(&rdata); 1130 return False; 1131 } 1132 1133 cli->max_xmit_frag = hdr_ba.bba.max_tsize; 1134 cli->max_recv_frag = hdr_ba.bba.max_rsize; 1135 1136 /* 1137 * If we're doing NTLMSSP auth we need to send a reply to 1138 * the bind-ack to complete the 3-way challenge response 1139 * handshake. 1140 */ 1141 1142 if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) { 1143 DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n")); 1144 prs_mem_free(&rdata); 1145 return False; 1146 } 1147 } 1148 1149 prs_mem_free(&rdata); 1150 return True; 1151} 1152 1153/**************************************************************************** 1154 Set ntlmssp negotiation flags. 1155 ****************************************************************************/ 1156 1157void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs) 1158{ 1159 cli->ntlmssp_cli_flgs = ntlmssp_flgs; 1160} 1161 1162 1163/**************************************************************************** 1164 Open a session. 1165 ****************************************************************************/ 1166 1167BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name) 1168{ 1169 int fnum; 1170 1171 if (IS_BITS_SET_ALL(cli->capabilities, CAP_NT_SMBS)) { 1172 if ((fnum = cli_nt_create(cli, &(pipe_name[5]))) == -1) { 1173 DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s. Error was %s\n", 1174 &(pipe_name[5]), cli->desthost, cli_errstr(cli))); 1175 return False; 1176 } 1177 1178 cli->nt_pipe_fnum = (uint16)fnum; 1179 } else { 1180 if ((fnum = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE)) == -1) { 1181 DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s. Error was %s\n", 1182 pipe_name, cli->desthost, cli_errstr(cli))); 1183 return False; 1184 } 1185 1186 cli->nt_pipe_fnum = (uint16)fnum; 1187 1188 /**************** Set Named Pipe State ***************/ 1189 if (!rpc_pipe_set_hnd_state(cli, pipe_name, 0x4300)) { 1190 DEBUG(0,("cli_nt_session_open: pipe hnd state failed. Error was %s\n", 1191 cli_errstr(cli))); 1192 cli_close(cli, cli->nt_pipe_fnum); 1193 return False; 1194 } 1195 } 1196 1197 /******************* bind request on pipe *****************/ 1198 1199 if (!rpc_pipe_bind(cli, pipe_name, global_myname)) { 1200 DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n", 1201 cli_errstr(cli))); 1202 cli_close(cli, cli->nt_pipe_fnum); 1203 return False; 1204 } 1205 1206 /* 1207 * Setup the remote server name prefixed by \ and the machine account name. 1208 */ 1209 1210 fstrcpy(cli->srv_name_slash, "\\\\"); 1211 fstrcat(cli->srv_name_slash, cli->desthost); 1212 strupper(cli->srv_name_slash); 1213 1214 fstrcpy(cli->clnt_name_slash, "\\\\"); 1215 fstrcat(cli->clnt_name_slash, global_myname); 1216 strupper(cli->clnt_name_slash); 1217 1218 fstrcpy(cli->mach_acct, global_myname); 1219 fstrcat(cli->mach_acct, "$"); 1220 strupper(cli->mach_acct); 1221 1222 return True; 1223} 1224 1225/**************************************************************************** 1226close the session 1227****************************************************************************/ 1228 1229void cli_nt_session_close(struct cli_state *cli) 1230{ 1231 cli_close(cli, cli->nt_pipe_fnum); 1232} 1233