BOOL create_next_pdu(pipes_struct *p)
{
RPC_HDR_RESP hdr_resp;
BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
uint32 ss_padding_len = 0;
uint32 data_len;
uint32 data_space_available;
uint32 data_len_left;
prs_struct outgoing_pdu;
uint32 data_pos;
/*
* If we're in the fault state, keep returning fault PDU's until
* the pipe gets closed. JRA.
*/
if(p->fault_state) {
setup_fault_pdu(p, NT_STATUS(0x1c010002));
return True;
}
memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
/* Change the incoming request header to a response. */
p->hdr.pkt_type = RPC_RESPONSE;
/* Set up rpc header flags. */
if (p->out_data.data_sent_length == 0) {
p->hdr.flags = RPC_FLG_FIRST;
} else {
p->hdr.flags = 0;
}
/*
* Work out how much we can fit in a single PDU.
*/
data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
if(p->ntlmssp_auth_validated) {
data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
} else if(p->netsec_auth_validated) {
data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN);
}
/*
* The amount we send is the minimum of the available
* space and the amount left to send.
*/
data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
/*
* Ensure there really is data left to send.
*/
if(!data_len_left) {
DEBUG(0,("create_next_pdu: no data left to send !\n"));
return False;
}
data_len = MIN(data_len_left, data_space_available);
/*
* Set up the alloc hint. This should be the data left to
* send.
*/
hdr_resp.alloc_hint = data_len_left;
/*
* Work out if this PDU will be the last.
*/
if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
p->hdr.flags |= RPC_FLG_LAST;
if ((auth_seal || auth_verify) && (data_len_left % 8)) {
ss_padding_len = 8 - (data_len_left % 8);
DEBUG(10,("create_next_pdu: adding sign/seal padding of %u\n",
ss_padding_len ));
}
}
/*
* Set up the header lengths.
*/
if (p->ntlmssp_auth_validated) {
p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
data_len + ss_padding_len +
RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
} else if (p->netsec_auth_validated) {
p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
data_len + ss_padding_len +
RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
p->hdr.auth_len = RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN;
} else {
p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
p->hdr.auth_len = 0;
}
/*
* Init the parse struct to point at the outgoing
* data.
*/
prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
/* Store the header in the data stream. */
if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
prs_mem_free(&outgoing_pdu);
return False;
}
if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
prs_mem_free(&outgoing_pdu);
return False;
}
/* Store the current offset. */
data_pos = prs_offset(&outgoing_pdu);
/* Copy the data into the PDU. */
if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
prs_mem_free(&outgoing_pdu);
return False;
}
/* Copy the sign/seal padding data. */
if (ss_padding_len) {
char pad[8];
memset(pad, '\0', 8);
if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
DEBUG(0,("create_next_pdu: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
prs_mem_free(&outgoing_pdu);
return False;
}
}
if (p->ntlmssp_auth_validated) {
/*
* NTLMSSP processing. Mutually exclusive with Schannel.
*/
uint32 crc32 = 0;
char *data;
DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len + ss_padding_len, p->hdr.auth_len));
/*
* Set data to point to where we copied the data into.
*/
data = prs_data_p(&outgoing_pdu) + data_pos;
if (auth_seal) {
crc32 = crc32_calc_buffer(data, data_len + ss_padding_len);
NTLMSSPcalc_p(p, (uchar*)data, data_len + ss_padding_len);
}
if (auth_seal || auth_verify) {
RPC_HDR_AUTH auth_info;
init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE,
auth_seal ? RPC_PIPE_AUTH_SEAL_LEVEL : RPC_PIPE_AUTH_SIGN_LEVEL,
(auth_verify ? ss_padding_len : 0), (auth_verify ? 1 : 0));
if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
prs_mem_free(&outgoing_pdu);
return False;
}
}
if (auth_verify) {
RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
char *auth_data = prs_data_p(&outgoing_pdu);
p->ntlmssp_seq_num++;
init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
crc32, p->ntlmssp_seq_num++);
auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
prs_mem_free(&outgoing_pdu);
return False;
}
NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
}
} else if (p->netsec_auth_validated) {
/*
* Schannel processing. Mutually exclusive with NTLMSSP.
*/
int auth_type, auth_level;
char *data;
RPC_HDR_AUTH auth_info;
RPC_AUTH_NETSEC_CHK verf;
prs_struct rverf;
prs_struct rauth;
data = prs_data_p(&outgoing_pdu) + data_pos;
/* Check it's the type of reply we were expecting to decode */
get_auth_type_level(p->netsec_auth.auth_flags, &auth_type, &auth_level);
init_rpc_hdr_auth(&auth_info, auth_type, auth_level,
ss_padding_len, 1);
if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
prs_mem_free(&outgoing_pdu);
return False;
}
prs_init(&rverf, 0, p->mem_ctx, MARSHALL);
prs_init(&rauth, 0, p->mem_ctx, MARSHALL);
netsec_encode(&p->netsec_auth,
p->netsec_auth.auth_flags,
SENDER_IS_ACCEPTOR,
&verf, data, data_len + ss_padding_len);
smb_io_rpc_auth_netsec_chk("", RPC_AUTH_NETSEC_SIGN_OR_SEAL_CHK_LEN,
&verf, &outgoing_pdu, 0);
p->netsec_auth.seq_num++;
}
/*
* Setup the counts for this PDU.
*/
p->out_data.data_sent_length += data_len;
p->out_data.current_pdu_len = p->hdr.frag_len;
p->out_data.current_pdu_sent = 0;
prs_mem_free(&outgoing_pdu);
return True;
}
BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
prs_struct *data, prs_struct *rdata)
{
uint32 auth_len, real_auth_len, auth_hdr_len, max_data, data_left, data_sent;
NTSTATUS nt_status;
BOOL ret = False;
uint32 callid = 0;
fstring dump_name;
auth_len = 0;
real_auth_len = 0;
auth_hdr_len = 0;
if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
}
if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
auth_len = RPC_AUTH_NETSEC_CHK_LEN;
}
auth_hdr_len = RPC_HDR_AUTH_LEN;
}
/*
* calc how much actual data we can send in a PDU fragment
*/
max_data = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
auth_hdr_len - auth_len - 8;
for (data_left = prs_offset(data), data_sent = 0; data_left > 0;) {
prs_struct outgoing_packet;
prs_struct sec_blob;
uint32 data_len, send_size;
uint8 flags = 0;
uint32 auth_padding = 0;
DATA_BLOB sign_blob;
/*
* how much will we send this time
*/
send_size = MIN(data_left, max_data);
if (!prs_init(&sec_blob, send_size, /* will need at least this much */
cli->mem_ctx, MARSHALL)) {
DEBUG(0,("Could not malloc %u bytes",
send_size+auth_padding));
return False;
}
if(!prs_append_some_prs_data(&sec_blob, data,
data_sent, send_size)) {
DEBUG(0,("Failed to append data to netsec blob\n"));
prs_mem_free(&sec_blob);
return False;
}
/*
* NT expects the data that is sealed to be 8-byte
* aligned. The padding must be encrypted as well and
* taken into account when generating the
* authentication verifier. The amount of padding must
* be stored in the auth header.
*/
if (cli->pipe_auth_flags) {
size_t data_and_padding_size;
int auth_type;
int auth_level;
prs_align_uint64(&sec_blob);
get_auth_type_level(cli->pipe_auth_flags, &auth_type, &auth_level);
data_and_padding_size = prs_offset(&sec_blob);
auth_padding = data_and_padding_size - send_size;
/* insert the auth header */
if(!create_auth_hdr(&sec_blob, auth_type, auth_level, auth_padding)) {
prs_mem_free(&sec_blob);
return False;
}
/* create an NTLMSSP signature */
if (cli->pipe_auth_flags & AUTH_PIPE_NTLMSSP) {
/*
* Seal the outgoing data if requested.
*/
if (cli->pipe_auth_flags & AUTH_PIPE_SEAL) {
nt_status = ntlmssp_seal_packet(cli->ntlmssp_pipe_state,
(unsigned char*)prs_data_p(&sec_blob),
data_and_padding_size,
&sign_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
prs_mem_free(&sec_blob);
return False;
}
}
else if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
nt_status = ntlmssp_sign_packet(cli->ntlmssp_pipe_state,
(unsigned char*)prs_data_p(&sec_blob),
data_and_padding_size, &sign_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
prs_mem_free(&sec_blob);
return False;
}
}
/* write auth footer onto the packet */
real_auth_len = sign_blob.length;
prs_copy_data_in(&sec_blob, (char *)sign_blob.data, sign_blob.length);
data_blob_free(&sign_blob);
}
else if (cli->pipe_auth_flags & AUTH_PIPE_NETSEC) {
size_t parse_offset_marker;
RPC_AUTH_NETSEC_CHK verf;
DEBUG(10,("SCHANNEL seq_num=%d\n", cli->auth_info.seq_num));
netsec_encode(&cli->auth_info,
cli->pipe_auth_flags,
SENDER_IS_INITIATOR,
&verf,
prs_data_p(&sec_blob),
data_and_padding_size);
cli->auth_info.seq_num++;
/* write auth footer onto the packet */
parse_offset_marker = prs_offset(&sec_blob);
if (!smb_io_rpc_auth_netsec_chk("", &verf,
&sec_blob, 0)) {
prs_mem_free(&sec_blob);
return False;
}
real_auth_len = prs_offset(&sec_blob) - parse_offset_marker;
}
}
data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + prs_offset(&sec_blob);
/*
* Malloc parse struct to hold it (and enough for alignments).
*/
if(!prs_init(&outgoing_packet, data_len + 8,
cli->mem_ctx, MARSHALL)) {
DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
return False;
}
if (data_left == prs_offset(data))
flags |= RPC_FLG_FIRST;
if (data_left <= max_data)
flags |= RPC_FLG_LAST;
/*
* Write out the RPC header and the request header.
*/
if(!(callid = create_rpc_request(&outgoing_packet, op_num,
data_len, real_auth_len, flags,
callid, data_left))) {
DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
prs_mem_free(&outgoing_packet);
prs_mem_free(&sec_blob);
return False;
}
prs_append_prs_data(&outgoing_packet, &sec_blob);
prs_mem_free(&sec_blob);
DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len,
prs_offset(&outgoing_packet)));
if (flags & RPC_FLG_LAST)
ret = rpc_api_pipe(cli, &outgoing_packet,
rdata, RPC_RESPONSE);
else {
cli_write(cli, cli->nt_pipe_fnum, 0x0008,
prs_data_p(&outgoing_packet),
data_sent, data_len);
}
prs_mem_free(&outgoing_packet);
data_sent += send_size;
data_left -= send_size;
}
/* Also capture received data */
slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
cli_pipe_get_name(cli));
prs_dump(dump_name, op_num, rdata);
return ret;
}
