Context Navigation

source: vendor/3.6.0/source4/librpc/rpc/dcerpc.c

Visit:

Last change on this file was 740, checked in by Silvan Scherrer, 13 years ago
Samba Server: update vendor to 3.6.0
File size: 52.0 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	raw dcerpc operations
4
5	Copyright (C) Tim Potter 2003
6	Copyright (C) Andrew Tridgell 2003-2005
7	Copyright (C) Jelmer Vernooij 2004-2005
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 3 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program. If not, see <http://www.gnu.org/licenses/>.
21	*/
22
23	#include "includes.h"
24	#include "../lib/util/dlinklist.h"
25	#include "lib/events/events.h"
26	#include "librpc/rpc/dcerpc.h"
27	#include "librpc/rpc/dcerpc_proto.h"
28	#include "librpc/gen_ndr/ndr_misc.h"
29	#include "librpc/gen_ndr/ndr_dcerpc.h"
30	#include "libcli/composite/composite.h"
31	#include "auth/gensec/gensec.h"
32	#include "param/param.h"
33	#include "lib/util/tevent_ntstatus.h"
34	#include "librpc/rpc/rpc_common.h"
35
36	enum rpc_request_state {
37	RPC_REQUEST_QUEUED,
38	RPC_REQUEST_PENDING,
39	RPC_REQUEST_DONE
40	};
41
42	/*
43	handle for an async dcerpc request
44	*/
45	struct rpc_request {
46	struct rpc_request next, prev;
47	struct dcerpc_pipe *p;
48	NTSTATUS status;
49	uint32_t call_id;
50	enum rpc_request_state state;
51	DATA_BLOB payload;
52	uint32_t flags;
53	uint32_t fault_code;
54
55	/* this is used to distinguish bind and alter_context requests
56	from normal requests */
57	void (recv_handler)(struct rpc_request conn,
58	DATA_BLOB blob, struct ncacn_packet pkt);
59
60	const struct GUID *object;
61	uint16_t opnum;
62	DATA_BLOB request_data;
63	bool ignore_timeout;
64
65	/* use by the ndr level async recv call */
66	struct {
67	const struct ndr_interface_table *table;
68	uint32_t opnum;
69	void *struct_ptr;
70	TALLOC_CTX *mem_ctx;
71	} ndr;
72
73	struct {
74	void (callback)(struct rpc_request );
75	void *private_data;
76	} async;
77	};
78
79	_PUBLIC_ NTSTATUS dcerpc_init(struct loadparm_context *lp_ctx)
80	{
81	return gensec_init(lp_ctx);
82	}
83
84	static void dcerpc_connection_dead(struct dcecli_connection *conn, NTSTATUS status);
85	static void dcerpc_ship_next_request(struct dcecli_connection *c);
86
87	static struct rpc_request dcerpc_request_send(struct dcerpc_pipe p,
88	const struct GUID *object,
89	uint16_t opnum,
90	DATA_BLOB *stub_data);
91	static NTSTATUS dcerpc_request_recv(struct rpc_request *req,
92	TALLOC_CTX *mem_ctx,
93	DATA_BLOB *stub_data);
94	static NTSTATUS dcerpc_ndr_validate_in(struct dcecli_connection *c,
95	TALLOC_CTX *mem_ctx,
96	DATA_BLOB blob,
97	size_t struct_size,
98	ndr_push_flags_fn_t ndr_push,
99	ndr_pull_flags_fn_t ndr_pull);
100	static NTSTATUS dcerpc_ndr_validate_out(struct dcecli_connection *c,
101	struct ndr_pull *pull_in,
102	void *struct_ptr,
103	size_t struct_size,
104	ndr_push_flags_fn_t ndr_push,
105	ndr_pull_flags_fn_t ndr_pull,
106	ndr_print_function_t ndr_print);
107
108	/* destroy a dcerpc connection */
109	static int dcerpc_connection_destructor(struct dcecli_connection *conn)
110	{
111	if (conn->dead) {
112	conn->free_skipped = true;
113	return -1;
114	}
115	dcerpc_connection_dead(conn, NT_STATUS_LOCAL_DISCONNECT);
116	return 0;
117	}
118
119
120	/* initialise a dcerpc connection.
121	the event context is optional
122	*/
123	static struct dcecli_connection dcerpc_connection_init(TALLOC_CTX mem_ctx,
124	struct tevent_context *ev)
125	{
126	struct dcecli_connection *c;
127
128	c = talloc_zero(mem_ctx, struct dcecli_connection);
129	if (!c) {
130	return NULL;
131	}
132
133	c->event_ctx = ev;
134
135	if (c->event_ctx == NULL) {
136	talloc_free(c);
137	return NULL;
138	}
139
140	c->call_id = 1;
141	c->security_state.auth_info = NULL;
142	c->security_state.session_key = dcerpc_generic_session_key;
143	c->security_state.generic_state = NULL;
144	c->binding_string = NULL;
145	c->flags = 0;
146	c->srv_max_xmit_frag = 0;
147	c->srv_max_recv_frag = 0;
148	c->pending = NULL;
149
150	talloc_set_destructor(c, dcerpc_connection_destructor);
151
152	return c;
153	}
154
155	struct dcerpc_bh_state {
156	struct dcerpc_pipe *p;
157	};
158
159	static bool dcerpc_bh_is_connected(struct dcerpc_binding_handle *h)
160	{
161	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
162	struct dcerpc_bh_state);
163
164	if (!hs->p) {
165	return false;
166	}
167
168	return true;
169	}
170
171	static uint32_t dcerpc_bh_set_timeout(struct dcerpc_binding_handle *h,
172	uint32_t timeout)
173	{
174	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
175	struct dcerpc_bh_state);
176	uint32_t old;
177
178	if (!hs->p) {
179	return DCERPC_REQUEST_TIMEOUT;
180	}
181
182	old = hs->p->request_timeout;
183	hs->p->request_timeout = timeout;
184
185	return old;
186	}
187
188	struct dcerpc_bh_raw_call_state {
189	struct dcerpc_binding_handle *h;
190	DATA_BLOB in_data;
191	DATA_BLOB out_data;
192	uint32_t out_flags;
193	};
194
195	static void dcerpc_bh_raw_call_done(struct rpc_request *subreq);
196
197	static struct tevent_req dcerpc_bh_raw_call_send(TALLOC_CTX mem_ctx,
198	struct tevent_context *ev,
199	struct dcerpc_binding_handle *h,
200	const struct GUID *object,
201	uint32_t opnum,
202	uint32_t in_flags,
203	const uint8_t *in_data,
204	size_t in_length)
205	{
206	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
207	struct dcerpc_bh_state);
208	struct tevent_req *req;
209	struct dcerpc_bh_raw_call_state *state;
210	bool ok;
211	struct rpc_request *subreq;
212
213	req = tevent_req_create(mem_ctx, &state,
214	struct dcerpc_bh_raw_call_state);
215	if (req == NULL) {
216	return NULL;
217	}
218	state->h = h;
219	state->in_data.data = discard_const_p(uint8_t, in_data);
220	state->in_data.length = in_length;
221
222	ok = dcerpc_bh_is_connected(h);
223	if (!ok) {
224	tevent_req_nterror(req, NT_STATUS_INVALID_CONNECTION);
225	return tevent_req_post(req, ev);
226	}
227
228	subreq = dcerpc_request_send(hs->p,
229	object,
230	opnum,
231	&state->in_data);
232	if (tevent_req_nomem(subreq, req)) {
233	return tevent_req_post(req, ev);
234	}
235	subreq->async.callback = dcerpc_bh_raw_call_done;
236	subreq->async.private_data = req;
237
238	return req;
239	}
240
241	static void dcerpc_bh_raw_call_done(struct rpc_request *subreq)
242	{
243	struct tevent_req *req =
244	talloc_get_type_abort(subreq->async.private_data,
245	struct tevent_req);
246	struct dcerpc_bh_raw_call_state *state =
247	tevent_req_data(req,
248	struct dcerpc_bh_raw_call_state);
249	NTSTATUS status;
250	uint32_t fault_code;
251
252	state->out_flags = 0;
253	if (subreq->flags & DCERPC_PULL_BIGENDIAN) {
254	state->out_flags \|= LIBNDR_FLAG_BIGENDIAN;
255	}
256
257	fault_code = subreq->fault_code;
258
259	status = dcerpc_request_recv(subreq, state, &state->out_data);
260	if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
261	status = dcerpc_fault_to_nt_status(fault_code);
262	}
263	if (!NT_STATUS_IS_OK(status)) {
264	tevent_req_nterror(req, status);
265	return;
266	}
267
268	tevent_req_done(req);
269	}
270
271	static NTSTATUS dcerpc_bh_raw_call_recv(struct tevent_req *req,
272	TALLOC_CTX *mem_ctx,
273	uint8_t **out_data,
274	size_t *out_length,
275	uint32_t *out_flags)
276	{
277	struct dcerpc_bh_raw_call_state *state =
278	tevent_req_data(req,
279	struct dcerpc_bh_raw_call_state);
280	NTSTATUS status;
281
282	if (tevent_req_is_nterror(req, &status)) {
283	tevent_req_received(req);
284	return status;
285	}
286
287	*out_data = talloc_move(mem_ctx, &state->out_data.data);
288	*out_length = state->out_data.length;
289	*out_flags = state->out_flags;
290	tevent_req_received(req);
291	return NT_STATUS_OK;
292	}
293
294	struct dcerpc_bh_disconnect_state {
295	uint8_t _dummy;
296	};
297
298	static struct tevent_req dcerpc_bh_disconnect_send(TALLOC_CTX mem_ctx,
299	struct tevent_context *ev,
300	struct dcerpc_binding_handle *h)
301	{
302	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
303	struct dcerpc_bh_state);
304	struct tevent_req *req;
305	struct dcerpc_bh_disconnect_state *state;
306	bool ok;
307
308	req = tevent_req_create(mem_ctx, &state,
309	struct dcerpc_bh_disconnect_state);
310	if (req == NULL) {
311	return NULL;
312	}
313
314	ok = dcerpc_bh_is_connected(h);
315	if (!ok) {
316	tevent_req_nterror(req, NT_STATUS_INVALID_CONNECTION);
317	return tevent_req_post(req, ev);
318	}
319
320	/* TODO: do a real disconnect ... */
321	hs->p = NULL;
322
323	tevent_req_done(req);
324	return tevent_req_post(req, ev);
325	}
326
327	static NTSTATUS dcerpc_bh_disconnect_recv(struct tevent_req *req)
328	{
329	NTSTATUS status;
330
331	if (tevent_req_is_nterror(req, &status)) {
332	tevent_req_received(req);
333	return status;
334	}
335
336	tevent_req_received(req);
337	return NT_STATUS_OK;
338	}
339
340	static bool dcerpc_bh_push_bigendian(struct dcerpc_binding_handle *h)
341	{
342	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
343	struct dcerpc_bh_state);
344
345	if (hs->p->conn->flags & DCERPC_PUSH_BIGENDIAN) {
346	return true;
347	}
348
349	return false;
350	}
351
352	static bool dcerpc_bh_ref_alloc(struct dcerpc_binding_handle *h)
353	{
354	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
355	struct dcerpc_bh_state);
356
357	if (hs->p->conn->flags & DCERPC_NDR_REF_ALLOC) {
358	return true;
359	}
360
361	return false;
362	}
363
364	static bool dcerpc_bh_use_ndr64(struct dcerpc_binding_handle *h)
365	{
366	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
367	struct dcerpc_bh_state);
368
369	if (hs->p->conn->flags & DCERPC_NDR64) {
370	return true;
371	}
372
373	return false;
374	}
375
376	static void dcerpc_bh_do_ndr_print(struct dcerpc_binding_handle *h,
377	int ndr_flags,
378	const void *_struct_ptr,
379	const struct ndr_interface_call *call)
380	{
381	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
382	struct dcerpc_bh_state);
383	void *struct_ptr = discard_const(_struct_ptr);
384
385	if (ndr_flags & NDR_IN) {
386	if (hs->p->conn->flags & DCERPC_DEBUG_PRINT_IN) {
387	ndr_print_function_debug(call->ndr_print,
388	call->name,
389	ndr_flags,
390	struct_ptr);
391	}
392	}
393	if (ndr_flags & NDR_OUT) {
394	if (hs->p->conn->flags & DCERPC_DEBUG_PRINT_OUT) {
395	ndr_print_function_debug(call->ndr_print,
396	call->name,
397	ndr_flags,
398	struct_ptr);
399	}
400	}
401	}
402
403	static void dcerpc_bh_ndr_push_failed(struct dcerpc_binding_handle *h,
404	NTSTATUS error,
405	const void *struct_ptr,
406	const struct ndr_interface_call *call)
407	{
408	DEBUG(2,("Unable to ndr_push structure for %s - %s\n",
409	call->name, nt_errstr(error)));
410	}
411
412	static void dcerpc_bh_ndr_pull_failed(struct dcerpc_binding_handle *h,
413	NTSTATUS error,
414	const DATA_BLOB *blob,
415	const struct ndr_interface_call *call)
416	{
417	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
418	struct dcerpc_bh_state);
419	const uint32_t num_examples = 20;
420	uint32_t i;
421
422	DEBUG(2,("Unable to ndr_pull structure for %s - %s\n",
423	call->name, nt_errstr(error)));
424
425	if (hs->p->conn->packet_log_dir == NULL) return;
426
427	for (i=0;i<num_examples;i++) {
428	char *name=NULL;
429	asprintf(&name, "%s/rpclog/%s-out.%d",
430	hs->p->conn->packet_log_dir,
431	call->name, i);
432	if (name == NULL) {
433	return;
434	}
435	if (!file_exist(name)) {
436	if (file_save(name, blob->data, blob->length)) {
437	DEBUG(10,("Logged rpc packet to %s\n", name));
438	}
439	free(name);
440	break;
441	}
442	free(name);
443	}
444	}
445
446	static NTSTATUS dcerpc_bh_ndr_validate_in(struct dcerpc_binding_handle *h,
447	TALLOC_CTX *mem_ctx,
448	const DATA_BLOB *blob,
449	const struct ndr_interface_call *call)
450	{
451	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
452	struct dcerpc_bh_state);
453
454	if (hs->p->conn->flags & DCERPC_DEBUG_VALIDATE_IN) {
455	NTSTATUS status;
456
457	status = dcerpc_ndr_validate_in(hs->p->conn,
458	mem_ctx,
459	*blob,
460	call->struct_size,
461	call->ndr_push,
462	call->ndr_pull);
463	if (!NT_STATUS_IS_OK(status)) {
464	DEBUG(0,("Validation [in] failed for %s - %s\n",
465	call->name, nt_errstr(status)));
466	return status;
467	}
468	}
469
470	DEBUG(10,("rpc request data:\n"));
471	dump_data(10, blob->data, blob->length);
472
473	return NT_STATUS_OK;
474	}
475
476	static NTSTATUS dcerpc_bh_ndr_validate_out(struct dcerpc_binding_handle *h,
477	struct ndr_pull *pull_in,
478	const void *_struct_ptr,
479	const struct ndr_interface_call *call)
480	{
481	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
482	struct dcerpc_bh_state);
483	void *struct_ptr = discard_const(_struct_ptr);
484
485	DEBUG(10,("rpc reply data:\n"));
486	dump_data(10, pull_in->data, pull_in->data_size);
487
488	if (pull_in->offset != pull_in->data_size) {
489	DEBUG(0,("Warning! ignoring %u unread bytes at ofs:%u (0x%08X) for %s!\n",
490	pull_in->data_size - pull_in->offset,
491	pull_in->offset, pull_in->offset,
492	call->name));
493	/* we used to return NT_STATUS_INFO_LENGTH_MISMATCH here,
494	but it turns out that early versions of NT
495	(specifically NT3.1) add junk onto the end of rpc
496	packets, so if we want to interoperate at all with
497	those versions then we need to ignore this error */
498	}
499
500	if (hs->p->conn->flags & DCERPC_DEBUG_VALIDATE_OUT) {
501	NTSTATUS status;
502
503	status = dcerpc_ndr_validate_out(hs->p->conn,
504	pull_in,
505	struct_ptr,
506	call->struct_size,
507	call->ndr_push,
508	call->ndr_pull,
509	call->ndr_print);
510	if (!NT_STATUS_IS_OK(status)) {
511	DEBUG(2,("Validation [out] failed for %s - %s\n",
512	call->name, nt_errstr(status)));
513	return status;
514	}
515	}
516
517	return NT_STATUS_OK;
518	}
519
520	static const struct dcerpc_binding_handle_ops dcerpc_bh_ops = {
521	.name = "dcerpc",
522	.is_connected = dcerpc_bh_is_connected,
523	.set_timeout = dcerpc_bh_set_timeout,
524	.raw_call_send = dcerpc_bh_raw_call_send,
525	.raw_call_recv = dcerpc_bh_raw_call_recv,
526	.disconnect_send = dcerpc_bh_disconnect_send,
527	.disconnect_recv = dcerpc_bh_disconnect_recv,
528
529	.push_bigendian = dcerpc_bh_push_bigendian,
530	.ref_alloc = dcerpc_bh_ref_alloc,
531	.use_ndr64 = dcerpc_bh_use_ndr64,
532	.do_ndr_print = dcerpc_bh_do_ndr_print,
533	.ndr_push_failed = dcerpc_bh_ndr_push_failed,
534	.ndr_pull_failed = dcerpc_bh_ndr_pull_failed,
535	.ndr_validate_in = dcerpc_bh_ndr_validate_in,
536	.ndr_validate_out = dcerpc_bh_ndr_validate_out,
537	};
538
539	/* initialise a dcerpc pipe. */
540	struct dcerpc_binding_handle dcerpc_pipe_binding_handle(struct dcerpc_pipe p)
541	{
542	struct dcerpc_binding_handle *h;
543	struct dcerpc_bh_state *hs;
544
545	h = dcerpc_binding_handle_create(p,
546	&dcerpc_bh_ops,
547	NULL,
548	NULL, /* TODO */
549	&hs,
550	struct dcerpc_bh_state,
551	__location__);
552	if (h == NULL) {
553	return NULL;
554	}
555	hs->p = p;
556
557	dcerpc_binding_handle_set_sync_ev(h, p->conn->event_ctx);
558
559	return h;
560	}
561
562	/* initialise a dcerpc pipe. */
563	_PUBLIC_ struct dcerpc_pipe dcerpc_pipe_init(TALLOC_CTX mem_ctx, struct tevent_context *ev)
564	{
565	struct dcerpc_pipe *p;
566
567	p = talloc_zero(mem_ctx, struct dcerpc_pipe);
568	if (!p) {
569	return NULL;
570	}
571
572	p->conn = dcerpc_connection_init(p, ev);
573	if (p->conn == NULL) {
574	talloc_free(p);
575	return NULL;
576	}
577
578	p->last_fault_code = 0;
579	p->context_id = 0;
580	p->request_timeout = DCERPC_REQUEST_TIMEOUT;
581	p->binding = NULL;
582
583	ZERO_STRUCT(p->syntax);
584	ZERO_STRUCT(p->transfer_syntax);
585
586	if (DEBUGLVL(100)) {
587	p->conn->flags \|= DCERPC_DEBUG_PRINT_BOTH;
588	}
589
590	p->binding_handle = dcerpc_pipe_binding_handle(p);
591	if (p->binding_handle == NULL) {
592	talloc_free(p);
593	return NULL;
594	}
595
596	return p;
597	}
598
599
600	/*
601	choose the next call id to use
602	*/
603	static uint32_t next_call_id(struct dcecli_connection *c)
604	{
605	c->call_id++;
606	if (c->call_id == 0) {
607	c->call_id++;
608	}
609	return c->call_id;
610	}
611
612	/**
613	setup for a ndr pull, also setting up any flags from the binding string
614	*/
615	static struct ndr_pull ndr_pull_init_flags(struct dcecli_connection c,
616	DATA_BLOB blob, TALLOC_CTX mem_ctx)
617	{
618	struct ndr_pull *ndr = ndr_pull_init_blob(blob, mem_ctx);
619
620	if (ndr == NULL) return ndr;
621
622	if (c->flags & DCERPC_DEBUG_PAD_CHECK) {
623	ndr->flags \|= LIBNDR_FLAG_PAD_CHECK;
624	}
625
626	if (c->flags & DCERPC_NDR_REF_ALLOC) {
627	ndr->flags \|= LIBNDR_FLAG_REF_ALLOC;
628	}
629
630	if (c->flags & DCERPC_NDR64) {
631	ndr->flags \|= LIBNDR_FLAG_NDR64;
632	}
633
634	return ndr;
635	}
636
637	/*
638	parse a data blob into a ncacn_packet structure. This handles both
639	input and output packets
640	*/
641	static NTSTATUS ncacn_pull(struct dcecli_connection c, DATA_BLOB blob, TALLOC_CTX *mem_ctx,
642	struct ncacn_packet *pkt)
643	{
644	struct ndr_pull *ndr;
645	enum ndr_err_code ndr_err;
646
647	ndr = ndr_pull_init_flags(c, blob, mem_ctx);
648	if (!ndr) {
649	return NT_STATUS_NO_MEMORY;
650	}
651
652	if (! (CVAL(blob->data, DCERPC_DREP_OFFSET) & DCERPC_DREP_LE)) {
653	ndr->flags \|= LIBNDR_FLAG_BIGENDIAN;
654	}
655
656	ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS\|NDR_BUFFERS, pkt);
657	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
658	return ndr_map_error2ntstatus(ndr_err);
659	}
660
661	return NT_STATUS_OK;
662	}
663
664	/*
665	parse the authentication information on a dcerpc response packet
666	*/
667	static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection c, TALLOC_CTX mem_ctx,
668	DATA_BLOB *raw_packet,
669	struct ncacn_packet *pkt)
670	{
671	NTSTATUS status;
672	struct dcerpc_auth auth;
673	uint32_t auth_length;
674
675	if (!c->security_state.auth_info \|\|
676	!c->security_state.generic_state) {
677	return NT_STATUS_OK;
678	}
679
680	switch (c->security_state.auth_info->auth_level) {
681	case DCERPC_AUTH_LEVEL_PRIVACY:
682	case DCERPC_AUTH_LEVEL_INTEGRITY:
683	break;
684
685	case DCERPC_AUTH_LEVEL_CONNECT:
686	if (pkt->auth_length != 0) {
687	break;
688	}
689	return NT_STATUS_OK;
690	case DCERPC_AUTH_LEVEL_NONE:
691	if (pkt->auth_length != 0) {
692	return NT_STATUS_INVALID_NETWORK_RESPONSE;
693	}
694	return NT_STATUS_OK;
695
696	default:
697	return NT_STATUS_INVALID_LEVEL;
698	}
699
700	status = dcerpc_pull_auth_trailer(pkt, mem_ctx,
701	&pkt->u.response.stub_and_verifier,
702	&auth, &auth_length, false);
703	NT_STATUS_NOT_OK_RETURN(status);
704
705	pkt->u.response.stub_and_verifier.length -= auth_length;
706
707	/* check signature or unseal the packet */
708	switch (c->security_state.auth_info->auth_level) {
709	case DCERPC_AUTH_LEVEL_PRIVACY:
710	status = gensec_unseal_packet(c->security_state.generic_state,
711	mem_ctx,
712	raw_packet->data + DCERPC_REQUEST_LENGTH,
713	pkt->u.response.stub_and_verifier.length,
714	raw_packet->data,
715	raw_packet->length - auth.credentials.length,
716	&auth.credentials);
717	memcpy(pkt->u.response.stub_and_verifier.data,
718	raw_packet->data + DCERPC_REQUEST_LENGTH,
719	pkt->u.response.stub_and_verifier.length);
720	break;
721
722	case DCERPC_AUTH_LEVEL_INTEGRITY:
723	status = gensec_check_packet(c->security_state.generic_state,
724	mem_ctx,
725	pkt->u.response.stub_and_verifier.data,
726	pkt->u.response.stub_and_verifier.length,
727	raw_packet->data,
728	raw_packet->length - auth.credentials.length,
729	&auth.credentials);
730	break;
731
732	case DCERPC_AUTH_LEVEL_CONNECT:
733	/* for now we ignore possible signatures here */
734	status = NT_STATUS_OK;
735	break;
736
737	default:
738	status = NT_STATUS_INVALID_LEVEL;
739	break;
740	}
741
742	/* remove the indicated amount of padding */
743	if (pkt->u.response.stub_and_verifier.length < auth.auth_pad_length) {
744	return NT_STATUS_INFO_LENGTH_MISMATCH;
745	}
746	pkt->u.response.stub_and_verifier.length -= auth.auth_pad_length;
747
748	return status;
749	}
750
751
752	/*
753	push a dcerpc request packet into a blob, possibly signing it.
754	*/
755	static NTSTATUS ncacn_push_request_sign(struct dcecli_connection *c,
756	DATA_BLOB blob, TALLOC_CTX mem_ctx,
757	size_t sig_size,
758	struct ncacn_packet *pkt)
759	{
760	NTSTATUS status;
761	struct ndr_push *ndr;
762	DATA_BLOB creds2;
763	size_t payload_length;
764	enum ndr_err_code ndr_err;
765	size_t hdr_size = DCERPC_REQUEST_LENGTH;
766
767	/* non-signed packets are simpler */
768	if (sig_size == 0) {
769	return ncacn_push_auth(blob, mem_ctx, pkt, NULL);
770	}
771
772	switch (c->security_state.auth_info->auth_level) {
773	case DCERPC_AUTH_LEVEL_PRIVACY:
774	case DCERPC_AUTH_LEVEL_INTEGRITY:
775	break;
776
777	case DCERPC_AUTH_LEVEL_CONNECT:
778	/* TODO: let the gensec mech decide if it wants to generate a signature */
779	return ncacn_push_auth(blob, mem_ctx, pkt, NULL);
780
781	case DCERPC_AUTH_LEVEL_NONE:
782	return ncacn_push_auth(blob, mem_ctx, pkt, NULL);
783
784	default:
785	return NT_STATUS_INVALID_LEVEL;
786	}
787
788	ndr = ndr_push_init_ctx(mem_ctx);
789	if (!ndr) {
790	return NT_STATUS_NO_MEMORY;
791	}
792
793	if (c->flags & DCERPC_PUSH_BIGENDIAN) {
794	ndr->flags \|= LIBNDR_FLAG_BIGENDIAN;
795	}
796
797	if (c->flags & DCERPC_NDR64) {
798	ndr->flags \|= LIBNDR_FLAG_NDR64;
799	}
800
801	if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
802	ndr->flags \|= LIBNDR_FLAG_OBJECT_PRESENT;
803	hdr_size += 16;
804	}
805
806	ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS\|NDR_BUFFERS, pkt);
807	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
808	return ndr_map_error2ntstatus(ndr_err);
809	}
810
811	/* pad to 16 byte multiple in the payload portion of the
812	packet. This matches what w2k3 does. Note that we can't use
813	ndr_push_align() as that is relative to the start of the
814	whole packet, whereas w2k8 wants it relative to the start
815	of the stub */
816	c->security_state.auth_info->auth_pad_length =
817	(16 - (pkt->u.request.stub_and_verifier.length & 15)) & 15;
818	ndr_err = ndr_push_zero(ndr, c->security_state.auth_info->auth_pad_length);
819	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
820	return ndr_map_error2ntstatus(ndr_err);
821	}
822
823	payload_length = pkt->u.request.stub_and_verifier.length +
824	c->security_state.auth_info->auth_pad_length;
825
826	/* we start without signature, it will appended later */
827	c->security_state.auth_info->credentials = data_blob(NULL,0);
828
829	/* add the auth verifier */
830	ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS\|NDR_BUFFERS, c->security_state.auth_info);
831	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
832	return ndr_map_error2ntstatus(ndr_err);
833	}
834
835	/* extract the whole packet as a blob */
836	*blob = ndr_push_blob(ndr);
837
838	/*
839	* Setup the frag and auth length in the packet buffer.
840	* This is needed if the GENSEC mech does AEAD signing
841	* of the packet headers. The signature itself will be
842	* appended later.
843	*/
844	dcerpc_set_frag_length(blob, blob->length + sig_size);
845	dcerpc_set_auth_length(blob, sig_size);
846
847	/* sign or seal the packet */
848	switch (c->security_state.auth_info->auth_level) {
849	case DCERPC_AUTH_LEVEL_PRIVACY:
850	status = gensec_seal_packet(c->security_state.generic_state,
851	mem_ctx,
852	blob->data + hdr_size,
853	payload_length,
854	blob->data,
855	blob->length,
856	&creds2);
857	if (!NT_STATUS_IS_OK(status)) {
858	return status;
859	}
860	break;
861
862	case DCERPC_AUTH_LEVEL_INTEGRITY:
863	status = gensec_sign_packet(c->security_state.generic_state,
864	mem_ctx,
865	blob->data + hdr_size,
866	payload_length,
867	blob->data,
868	blob->length,
869	&creds2);
870	if (!NT_STATUS_IS_OK(status)) {
871	return status;
872	}
873	break;
874
875	default:
876	status = NT_STATUS_INVALID_LEVEL;
877	break;
878	}
879
880	if (creds2.length != sig_size) {
881	/* this means the sig_size estimate for the signature
882	was incorrect. We have to correct the packet
883	sizes. That means we could go over the max fragment
884	length */
885	DEBUG(3,("ncacn_push_request_sign: creds2.length[%u] != sig_size[%u] pad[%u] stub[%u]\n",
886	(unsigned) creds2.length,
887	(unsigned) sig_size,
888	(unsigned) c->security_state.auth_info->auth_pad_length,
889	(unsigned) pkt->u.request.stub_and_verifier.length));
890	dcerpc_set_frag_length(blob, blob->length + creds2.length);
891	dcerpc_set_auth_length(blob, creds2.length);
892	}
893
894	if (!data_blob_append(mem_ctx, blob, creds2.data, creds2.length)) {
895	return NT_STATUS_NO_MEMORY;
896	}
897
898	return NT_STATUS_OK;
899	}
900
901
902	/*
903	fill in the fixed values in a dcerpc header
904	*/
905	static void init_ncacn_hdr(struct dcecli_connection c, struct ncacn_packet pkt)
906	{
907	pkt->rpc_vers = 5;
908	pkt->rpc_vers_minor = 0;
909	if (c->flags & DCERPC_PUSH_BIGENDIAN) {
910	pkt->drep[0] = 0;
911	} else {
912	pkt->drep[0] = DCERPC_DREP_LE;
913	}
914	pkt->drep[1] = 0;
915	pkt->drep[2] = 0;
916	pkt->drep[3] = 0;
917	}
918
919	/*
920	map a bind nak reason to a NTSTATUS
921	*/
922	static NTSTATUS dcerpc_map_reason(uint16_t reason)
923	{
924	switch (reason) {
925	case DCERPC_BIND_REASON_ASYNTAX:
926	return NT_STATUS_RPC_UNSUPPORTED_NAME_SYNTAX;
927	case DCERPC_BIND_REASON_INVALID_AUTH_TYPE:
928	return NT_STATUS_INVALID_PARAMETER;
929	}
930	return NT_STATUS_UNSUCCESSFUL;
931	}
932
933	/*
934	a bind or alter context has failed
935	*/
936	static void dcerpc_composite_fail(struct rpc_request *req)
937	{
938	struct composite_context *c = talloc_get_type(req->async.private_data,
939	struct composite_context);
940	composite_error(c, req->status);
941	}
942
943	/*
944	remove requests from the pending or queued queues
945	*/
946	static int dcerpc_req_dequeue(struct rpc_request *req)
947	{
948	switch (req->state) {
949	case RPC_REQUEST_QUEUED:
950	DLIST_REMOVE(req->p->conn->request_queue, req);
951	break;
952	case RPC_REQUEST_PENDING:
953	DLIST_REMOVE(req->p->conn->pending, req);
954	break;
955	case RPC_REQUEST_DONE:
956	break;
957	}
958	return 0;
959	}
960
961
962	/*
963	mark the dcerpc connection dead. All outstanding requests get an error
964	*/
965	static void dcerpc_connection_dead(struct dcecli_connection *conn, NTSTATUS status)
966	{
967	if (conn->dead) return;
968
969	conn->dead = true;
970
971	if (conn->transport.shutdown_pipe) {
972	conn->transport.shutdown_pipe(conn, status);
973	}
974
975	/* all pending requests get the error */
976	while (conn->pending) {
977	struct rpc_request *req = conn->pending;
978	dcerpc_req_dequeue(req);
979	req->state = RPC_REQUEST_DONE;
980	req->status = status;
981	if (req->async.callback) {
982	req->async.callback(req);
983	}
984	}
985
986	talloc_set_destructor(conn, NULL);
987	if (conn->free_skipped) {
988	talloc_free(conn);
989	}
990	}
991
992	/*
993	forward declarations of the recv_data handlers for the types of
994	packets we need to handle
995	*/
996	static void dcerpc_request_recv_data(struct dcecli_connection *c,
997	DATA_BLOB raw_packet, struct ncacn_packet pkt);
998
999	/*
1000	receive a dcerpc reply from the transport. Here we work out what
1001	type of reply it is (normal request, bind or alter context) and
1002	dispatch to the appropriate handler
1003	*/
1004	static void dcerpc_recv_data(struct dcecli_connection conn, DATA_BLOB blob, NTSTATUS status)
1005	{
1006	struct ncacn_packet pkt;
1007
1008	if (NT_STATUS_IS_OK(status) && blob->length == 0) {
1009	status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
1010	}
1011
1012	/* the transport may be telling us of a severe error, such as
1013	a dropped socket */
1014	if (!NT_STATUS_IS_OK(status)) {
1015	data_blob_free(blob);
1016	dcerpc_connection_dead(conn, status);
1017	return;
1018	}
1019
1020	/* parse the basic packet to work out what type of response this is */
1021	status = ncacn_pull(conn, blob, blob->data, &pkt);
1022	if (!NT_STATUS_IS_OK(status)) {
1023	data_blob_free(blob);
1024	dcerpc_connection_dead(conn, status);
1025	}
1026
1027	dcerpc_request_recv_data(conn, blob, &pkt);
1028	}
1029
1030	/*
1031	Receive a bind reply from the transport
1032	*/
1033	static void dcerpc_bind_recv_handler(struct rpc_request *req,
1034	DATA_BLOB raw_packet, struct ncacn_packet pkt)
1035	{
1036	struct composite_context *c;
1037	struct dcecli_connection *conn;
1038
1039	c = talloc_get_type(req->async.private_data, struct composite_context);
1040
1041	if (pkt->ptype == DCERPC_PKT_BIND_NAK) {
1042	DEBUG(2,("dcerpc: bind_nak reason %d\n",
1043	pkt->u.bind_nak.reject_reason));
1044	composite_error(c, dcerpc_map_reason(pkt->u.bind_nak.
1045	reject_reason));
1046	return;
1047	}
1048
1049	if ((pkt->ptype != DCERPC_PKT_BIND_ACK) \|\|
1050	(pkt->u.bind_ack.num_results == 0) \|\|
1051	(pkt->u.bind_ack.ctx_list[0].result != 0)) {
1052	req->p->last_fault_code = DCERPC_NCA_S_PROTO_ERROR;
1053	composite_error(c, NT_STATUS_NET_WRITE_FAULT);
1054	return;
1055	}
1056
1057	conn = req->p->conn;
1058
1059	conn->srv_max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
1060	conn->srv_max_recv_frag = pkt->u.bind_ack.max_recv_frag;
1061
1062	if ((req->p->binding->flags & DCERPC_CONCURRENT_MULTIPLEX) &&
1063	(pkt->pfc_flags & DCERPC_PFC_FLAG_CONC_MPX)) {
1064	conn->flags \|= DCERPC_CONCURRENT_MULTIPLEX;
1065	}
1066
1067	if ((req->p->binding->flags & DCERPC_HEADER_SIGNING) &&
1068	(pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
1069	conn->flags \|= DCERPC_HEADER_SIGNING;
1070	}
1071
1072	/* the bind_ack might contain a reply set of credentials */
1073	if (conn->security_state.auth_info && pkt->u.bind_ack.auth_info.length) {
1074	NTSTATUS status;
1075	uint32_t auth_length;
1076	status = dcerpc_pull_auth_trailer(pkt, conn, &pkt->u.bind_ack.auth_info,
1077	conn->security_state.auth_info, &auth_length, true);
1078	if (!NT_STATUS_IS_OK(status)) {
1079	composite_error(c, status);
1080	return;
1081	}
1082	}
1083
1084	req->p->assoc_group_id = pkt->u.bind_ack.assoc_group_id;
1085
1086	composite_done(c);
1087	}
1088
1089	/*
1090	handle timeouts of individual dcerpc requests
1091	*/
1092	static void dcerpc_timeout_handler(struct tevent_context ev, struct tevent_timer te,
1093	struct timeval t, void *private_data)
1094	{
1095	struct rpc_request *req = talloc_get_type(private_data, struct rpc_request);
1096
1097	if (req->ignore_timeout) {
1098	dcerpc_req_dequeue(req);
1099	req->state = RPC_REQUEST_DONE;
1100	req->status = NT_STATUS_IO_TIMEOUT;
1101	if (req->async.callback) {
1102	req->async.callback(req);
1103	}
1104	return;
1105	}
1106
1107	dcerpc_connection_dead(req->p->conn, NT_STATUS_IO_TIMEOUT);
1108	}
1109
1110	/*
1111	send a async dcerpc bind request
1112	*/
1113	struct composite_context dcerpc_bind_send(struct dcerpc_pipe p,
1114	TALLOC_CTX *mem_ctx,
1115	const struct ndr_syntax_id *syntax,
1116	const struct ndr_syntax_id *transfer_syntax)
1117	{
1118	struct composite_context *c;
1119	struct ncacn_packet pkt;
1120	DATA_BLOB blob;
1121	struct rpc_request *req;
1122
1123	c = composite_create(mem_ctx,p->conn->event_ctx);
1124	if (c == NULL) return NULL;
1125
1126	c->private_data = p;
1127
1128	p->syntax = *syntax;
1129	p->transfer_syntax = *transfer_syntax;
1130
1131	init_ncacn_hdr(p->conn, &pkt);
1132
1133	pkt.ptype = DCERPC_PKT_BIND;
1134	pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST \| DCERPC_PFC_FLAG_LAST;
1135	pkt.call_id = p->conn->call_id;
1136	pkt.auth_length = 0;
1137
1138	if (p->binding->flags & DCERPC_CONCURRENT_MULTIPLEX) {
1139	pkt.pfc_flags \|= DCERPC_PFC_FLAG_CONC_MPX;
1140	}
1141
1142	if (p->binding->flags & DCERPC_HEADER_SIGNING) {
1143	pkt.pfc_flags \|= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
1144	}
1145
1146	pkt.u.bind.max_xmit_frag = 5840;
1147	pkt.u.bind.max_recv_frag = 5840;
1148	pkt.u.bind.assoc_group_id = p->binding->assoc_group_id;
1149	pkt.u.bind.num_contexts = 1;
1150	pkt.u.bind.ctx_list = talloc_array(mem_ctx, struct dcerpc_ctx_list, 1);
1151	if (composite_nomem(pkt.u.bind.ctx_list, c)) return c;
1152	pkt.u.bind.ctx_list[0].context_id = p->context_id;
1153	pkt.u.bind.ctx_list[0].num_transfer_syntaxes = 1;
1154	pkt.u.bind.ctx_list[0].abstract_syntax = p->syntax;
1155	pkt.u.bind.ctx_list[0].transfer_syntaxes = &p->transfer_syntax;
1156	pkt.u.bind.auth_info = data_blob(NULL, 0);
1157
1158	/* construct the NDR form of the packet */
1159	c->status = ncacn_push_auth(&blob, c, &pkt,
1160	p->conn->security_state.auth_info);
1161	if (!composite_is_ok(c)) return c;
1162
1163	p->conn->transport.recv_data = dcerpc_recv_data;
1164
1165	/*
1166	* we allocate a dcerpc_request so we can be in the same
1167	* request queue as normal requests
1168	*/
1169	req = talloc_zero(c, struct rpc_request);
1170	if (composite_nomem(req, c)) return c;
1171
1172	req->state = RPC_REQUEST_PENDING;
1173	req->call_id = pkt.call_id;
1174	req->async.private_data = c;
1175	req->async.callback = dcerpc_composite_fail;
1176	req->p = p;
1177	req->recv_handler = dcerpc_bind_recv_handler;
1178	DLIST_ADD_END(p->conn->pending, req, struct rpc_request *);
1179	talloc_set_destructor(req, dcerpc_req_dequeue);
1180
1181	c->status = p->conn->transport.send_request(p->conn, &blob,
1182	true);
1183	if (!composite_is_ok(c)) return c;
1184
1185	event_add_timed(c->event_ctx, req,
1186	timeval_current_ofs(DCERPC_REQUEST_TIMEOUT, 0),
1187	dcerpc_timeout_handler, req);
1188
1189	return c;
1190	}
1191
1192	/*
1193	recv side of async dcerpc bind request
1194	*/
1195	NTSTATUS dcerpc_bind_recv(struct composite_context *ctx)
1196	{
1197	NTSTATUS result = composite_wait(ctx);
1198	talloc_free(ctx);
1199	return result;
1200	}
1201
1202	/*
1203	perform a continued bind (and auth3)
1204	*/
1205	NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
1206	TALLOC_CTX *mem_ctx)
1207	{
1208	struct ncacn_packet pkt;
1209	NTSTATUS status;
1210	DATA_BLOB blob;
1211
1212	init_ncacn_hdr(p->conn, &pkt);
1213
1214	pkt.ptype = DCERPC_PKT_AUTH3;
1215	pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST \| DCERPC_PFC_FLAG_LAST;
1216	pkt.call_id = next_call_id(p->conn);
1217	pkt.auth_length = 0;
1218	pkt.u.auth3.auth_info = data_blob(NULL, 0);
1219
1220	if (p->binding->flags & DCERPC_CONCURRENT_MULTIPLEX) {
1221	pkt.pfc_flags \|= DCERPC_PFC_FLAG_CONC_MPX;
1222	}
1223
1224	if (p->binding->flags & DCERPC_HEADER_SIGNING) {
1225	pkt.pfc_flags \|= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
1226	}
1227
1228	/* construct the NDR form of the packet */
1229	status = ncacn_push_auth(&blob, mem_ctx,
1230	&pkt,
1231	p->conn->security_state.auth_info);
1232	if (!NT_STATUS_IS_OK(status)) {
1233	return status;
1234	}
1235
1236	/* send it on its way */
1237	status = p->conn->transport.send_request(p->conn, &blob, false);
1238	if (!NT_STATUS_IS_OK(status)) {
1239	return status;
1240	}
1241
1242	return NT_STATUS_OK;
1243	}
1244
1245
1246	/*
1247	process a fragment received from the transport layer during a
1248	request
1249
1250	This function frees the data
1251	*/
1252	static void dcerpc_request_recv_data(struct dcecli_connection *c,
1253	DATA_BLOB raw_packet, struct ncacn_packet pkt)
1254	{
1255	struct rpc_request *req;
1256	unsigned int length;
1257	NTSTATUS status = NT_STATUS_OK;
1258
1259	/*
1260	if this is an authenticated connection then parse and check
1261	the auth info. We have to do this before finding the
1262	matching packet, as the request structure might have been
1263	removed due to a timeout, but if it has been we still need
1264	to run the auth routines so that we don't get the sign/seal
1265	info out of step with the server
1266	*/
1267	if (c->security_state.auth_info && c->security_state.generic_state &&
1268	pkt->ptype == DCERPC_PKT_RESPONSE) {
1269	status = ncacn_pull_request_auth(c, raw_packet->data, raw_packet, pkt);
1270	}
1271
1272	/* find the matching request */
1273	for (req=c->pending;req;req=req->next) {
1274	if (pkt->call_id == req->call_id) break;
1275	}
1276
1277	#if 0
1278	/* useful for testing certain vendors RPC servers */
1279	if (req == NULL && c->pending && pkt->call_id == 0) {
1280	DEBUG(0,("HACK FOR INCORRECT CALL ID\n"));
1281	req = c->pending;
1282	}
1283	#endif
1284
1285	if (req == NULL) {
1286	DEBUG(2,("dcerpc_request: unmatched call_id %u in response packet\n", pkt->call_id));
1287	data_blob_free(raw_packet);
1288	return;
1289	}
1290
1291	talloc_steal(req, raw_packet->data);
1292
1293	if (req->recv_handler != NULL) {
1294	dcerpc_req_dequeue(req);
1295	req->state = RPC_REQUEST_DONE;
1296	req->recv_handler(req, raw_packet, pkt);
1297	return;
1298	}
1299
1300	if (pkt->ptype == DCERPC_PKT_FAULT) {
1301	DEBUG(5,("rpc fault: %s\n", dcerpc_errstr(c, pkt->u.fault.status)));
1302	req->fault_code = pkt->u.fault.status;
1303	req->status = NT_STATUS_NET_WRITE_FAULT;
1304	goto req_done;
1305	}
1306
1307	if (pkt->ptype != DCERPC_PKT_RESPONSE) {
1308	DEBUG(2,("Unexpected packet type %d in dcerpc response\n",
1309	(int)pkt->ptype));
1310	req->fault_code = DCERPC_FAULT_OTHER;
1311	req->status = NT_STATUS_NET_WRITE_FAULT;
1312	goto req_done;
1313	}
1314
1315	/* now check the status from the auth routines, and if it failed then fail
1316	this request accordingly */
1317	if (!NT_STATUS_IS_OK(status)) {
1318	req->status = status;
1319	goto req_done;
1320	}
1321
1322	length = pkt->u.response.stub_and_verifier.length;
1323
1324	if (length > 0) {
1325	req->payload.data = talloc_realloc(req,
1326	req->payload.data,
1327	uint8_t,
1328	req->payload.length + length);
1329	if (!req->payload.data) {
1330	req->status = NT_STATUS_NO_MEMORY;
1331	goto req_done;
1332	}
1333	memcpy(req->payload.data+req->payload.length,
1334	pkt->u.response.stub_and_verifier.data, length);
1335	req->payload.length += length;
1336	}
1337
1338	if (!(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
1339	c->transport.send_read(c);
1340	return;
1341	}
1342
1343	if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
1344	req->flags \|= DCERPC_PULL_BIGENDIAN;
1345	} else {
1346	req->flags &= ~DCERPC_PULL_BIGENDIAN;
1347	}
1348
1349
1350	req_done:
1351	/* we've got the full payload */
1352	req->state = RPC_REQUEST_DONE;
1353	DLIST_REMOVE(c->pending, req);
1354
1355	if (c->request_queue != NULL) {
1356	/* We have to look at shipping further requests before calling
1357	* the async function, that one might close the pipe */
1358	dcerpc_ship_next_request(c);
1359	}
1360
1361	if (req->async.callback) {
1362	req->async.callback(req);
1363	}
1364	}
1365
1366	/*
1367	perform the send side of a async dcerpc request
1368	*/
1369	static struct rpc_request dcerpc_request_send(struct dcerpc_pipe p,
1370	const struct GUID *object,
1371	uint16_t opnum,
1372	DATA_BLOB *stub_data)
1373	{
1374	struct rpc_request *req;
1375
1376	p->conn->transport.recv_data = dcerpc_recv_data;
1377
1378	req = talloc(p, struct rpc_request);
1379	if (req == NULL) {
1380	return NULL;
1381	}
1382
1383	req->p = p;
1384	req->call_id = next_call_id(p->conn);
1385	req->status = NT_STATUS_OK;
1386	req->state = RPC_REQUEST_QUEUED;
1387	req->payload = data_blob(NULL, 0);
1388	req->flags = 0;
1389	req->fault_code = 0;
1390	req->ignore_timeout = false;
1391	req->async.callback = NULL;
1392	req->async.private_data = NULL;
1393	req->recv_handler = NULL;
1394
1395	if (object != NULL) {
1396	req->object = (struct GUID )talloc_memdup(req, (const void )object, sizeof(*object));
1397	if (req->object == NULL) {
1398	talloc_free(req);
1399	return NULL;
1400	}
1401	} else {
1402	req->object = NULL;
1403	}
1404
1405	req->opnum = opnum;
1406	req->request_data.length = stub_data->length;
1407	req->request_data.data = talloc_reference(req, stub_data->data);
1408	if (req->request_data.length && req->request_data.data == NULL) {
1409	return NULL;
1410	}
1411
1412	DLIST_ADD_END(p->conn->request_queue, req, struct rpc_request *);
1413	talloc_set_destructor(req, dcerpc_req_dequeue);
1414
1415	dcerpc_ship_next_request(p->conn);
1416
1417	if (p->request_timeout) {
1418	event_add_timed(dcerpc_event_context(p), req,
1419	timeval_current_ofs(p->request_timeout, 0),
1420	dcerpc_timeout_handler, req);
1421	}
1422
1423	return req;
1424	}
1425
1426	/*
1427	Send a request using the transport
1428	*/
1429
1430	static void dcerpc_ship_next_request(struct dcecli_connection *c)
1431	{
1432	struct rpc_request *req;
1433	struct dcerpc_pipe *p;
1434	DATA_BLOB *stub_data;
1435	struct ncacn_packet pkt;
1436	DATA_BLOB blob;
1437	uint32_t remaining, chunk_size;
1438	bool first_packet = true;
1439	size_t sig_size = 0;
1440	bool need_async = false;
1441
1442	req = c->request_queue;
1443	if (req == NULL) {
1444	return;
1445	}
1446
1447	p = req->p;
1448	stub_data = &req->request_data;
1449
1450	if (c->pending) {
1451	need_async = true;
1452	}
1453
1454	DLIST_REMOVE(c->request_queue, req);
1455	DLIST_ADD(c->pending, req);
1456	req->state = RPC_REQUEST_PENDING;
1457
1458	init_ncacn_hdr(p->conn, &pkt);
1459
1460	remaining = stub_data->length;
1461
1462	/* we can write a full max_recv_frag size, minus the dcerpc
1463	request header size */
1464	chunk_size = p->conn->srv_max_recv_frag;
1465	chunk_size -= DCERPC_REQUEST_LENGTH;
1466	if (c->security_state.auth_info &&
1467	c->security_state.generic_state) {
1468	sig_size = gensec_sig_size(c->security_state.generic_state,
1469	p->conn->srv_max_recv_frag);
1470	if (sig_size) {
1471	chunk_size -= DCERPC_AUTH_TRAILER_LENGTH;
1472	chunk_size -= sig_size;
1473	}
1474	}
1475	chunk_size -= (chunk_size % 16);
1476
1477	pkt.ptype = DCERPC_PKT_REQUEST;
1478	pkt.call_id = req->call_id;
1479	pkt.auth_length = 0;
1480	pkt.pfc_flags = 0;
1481	pkt.u.request.alloc_hint = remaining;
1482	pkt.u.request.context_id = p->context_id;
1483	pkt.u.request.opnum = req->opnum;
1484
1485	if (req->object) {
1486	pkt.u.request.object.object = *req->object;
1487	pkt.pfc_flags \|= DCERPC_PFC_FLAG_OBJECT_UUID;
1488	chunk_size -= ndr_size_GUID(req->object,0);
1489	}
1490
1491	/* we send a series of pdus without waiting for a reply */
1492	while (remaining > 0 \|\| first_packet) {
1493	uint32_t chunk = MIN(chunk_size, remaining);
1494	bool last_frag = false;
1495	bool do_trans = false;
1496
1497	first_packet = false;
1498	pkt.pfc_flags &= ~(DCERPC_PFC_FLAG_FIRST \|DCERPC_PFC_FLAG_LAST);
1499
1500	if (remaining == stub_data->length) {
1501	pkt.pfc_flags \|= DCERPC_PFC_FLAG_FIRST;
1502	}
1503	if (chunk == remaining) {
1504	pkt.pfc_flags \|= DCERPC_PFC_FLAG_LAST;
1505	last_frag = true;
1506	}
1507
1508	pkt.u.request.stub_and_verifier.data = stub_data->data +
1509	(stub_data->length - remaining);
1510	pkt.u.request.stub_and_verifier.length = chunk;
1511
1512	req->status = ncacn_push_request_sign(p->conn, &blob, req, sig_size, &pkt);
1513	if (!NT_STATUS_IS_OK(req->status)) {
1514	req->state = RPC_REQUEST_DONE;
1515	DLIST_REMOVE(p->conn->pending, req);
1516	return;
1517	}
1518
1519	if (last_frag && !need_async) {
1520	do_trans = true;
1521	}
1522
1523	req->status = p->conn->transport.send_request(p->conn, &blob, do_trans);
1524	if (!NT_STATUS_IS_OK(req->status)) {
1525	req->state = RPC_REQUEST_DONE;
1526	DLIST_REMOVE(p->conn->pending, req);
1527	return;
1528	}
1529
1530	if (last_frag && !do_trans) {
1531	req->status = p->conn->transport.send_read(p->conn);
1532	if (!NT_STATUS_IS_OK(req->status)) {
1533	req->state = RPC_REQUEST_DONE;
1534	DLIST_REMOVE(p->conn->pending, req);
1535	return;
1536	}
1537	}
1538
1539	remaining -= chunk;
1540	}
1541	}
1542
1543	/*
1544	return the event context for a dcerpc pipe
1545	used by callers who wish to operate asynchronously
1546	*/
1547	_PUBLIC_ struct tevent_context dcerpc_event_context(struct dcerpc_pipe p)
1548	{
1549	return p->conn->event_ctx;
1550	}
1551
1552
1553
1554	/*
1555	perform the receive side of a async dcerpc request
1556	*/
1557	static NTSTATUS dcerpc_request_recv(struct rpc_request *req,
1558	TALLOC_CTX *mem_ctx,
1559	DATA_BLOB *stub_data)
1560	{
1561	NTSTATUS status;
1562
1563	while (req->state != RPC_REQUEST_DONE) {
1564	struct tevent_context *ctx = dcerpc_event_context(req->p);
1565	if (event_loop_once(ctx) != 0) {
1566	return NT_STATUS_CONNECTION_DISCONNECTED;
1567	}
1568	}
1569	*stub_data = req->payload;
1570	status = req->status;
1571	if (stub_data->data) {
1572	stub_data->data = talloc_steal(mem_ctx, stub_data->data);
1573	}
1574	if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
1575	req->p->last_fault_code = req->fault_code;
1576	}
1577	talloc_unlink(talloc_parent(req), req);
1578	return status;
1579	}
1580
1581	/*
1582	this is a paranoid NDR validator. For every packet we push onto the wire
1583	we pull it back again, then push it again. Then we compare the raw NDR data
1584	for that to the NDR we initially generated. If they don't match then we know
1585	we must have a bug in either the pull or push side of our code
1586	*/
1587	static NTSTATUS dcerpc_ndr_validate_in(struct dcecli_connection *c,
1588	TALLOC_CTX *mem_ctx,
1589	DATA_BLOB blob,
1590	size_t struct_size,
1591	ndr_push_flags_fn_t ndr_push,
1592	ndr_pull_flags_fn_t ndr_pull)
1593	{
1594	void *st;
1595	struct ndr_pull *pull;
1596	struct ndr_push *push;
1597	DATA_BLOB blob2;
1598	enum ndr_err_code ndr_err;
1599
1600	st = talloc_size(mem_ctx, struct_size);
1601	if (!st) {
1602	return NT_STATUS_NO_MEMORY;
1603	}
1604
1605	pull = ndr_pull_init_flags(c, &blob, mem_ctx);
1606	if (!pull) {
1607	return NT_STATUS_NO_MEMORY;
1608	}
1609	pull->flags \|= LIBNDR_FLAG_REF_ALLOC;
1610
1611	if (c->flags & DCERPC_PUSH_BIGENDIAN) {
1612	pull->flags \|= LIBNDR_FLAG_BIGENDIAN;
1613	}
1614
1615	if (c->flags & DCERPC_NDR64) {
1616	pull->flags \|= LIBNDR_FLAG_NDR64;
1617	}
1618
1619	ndr_err = ndr_pull(pull, NDR_IN, st);
1620	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1621	NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1622	ndr_err = ndr_pull_error(pull, NDR_ERR_VALIDATE,
1623	"failed input validation pull - %s",
1624	nt_errstr(status));
1625	return ndr_map_error2ntstatus(ndr_err);
1626	}
1627
1628	push = ndr_push_init_ctx(mem_ctx);
1629	if (!push) {
1630	return NT_STATUS_NO_MEMORY;
1631	}
1632
1633	if (c->flags & DCERPC_PUSH_BIGENDIAN) {
1634	push->flags \|= LIBNDR_FLAG_BIGENDIAN;
1635	}
1636
1637	if (c->flags & DCERPC_NDR64) {
1638	push->flags \|= LIBNDR_FLAG_NDR64;
1639	}
1640
1641	ndr_err = ndr_push(push, NDR_IN, st);
1642	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1643	NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1644	ndr_err = ndr_pull_error(pull, NDR_ERR_VALIDATE,
1645	"failed input validation push - %s",
1646	nt_errstr(status));
1647	return ndr_map_error2ntstatus(ndr_err);
1648	}
1649
1650	blob2 = ndr_push_blob(push);
1651
1652	if (data_blob_cmp(&blob, &blob2) != 0) {
1653	DEBUG(3,("original:\n"));
1654	dump_data(3, blob.data, blob.length);
1655	DEBUG(3,("secondary:\n"));
1656	dump_data(3, blob2.data, blob2.length);
1657	ndr_err = ndr_pull_error(pull, NDR_ERR_VALIDATE,
1658	"failed input validation blobs doesn't match");
1659	return ndr_map_error2ntstatus(ndr_err);
1660	}
1661
1662	return NT_STATUS_OK;
1663	}
1664
1665	/*
1666	this is a paranoid NDR input validator. For every packet we pull
1667	from the wire we push it back again then pull and push it
1668	again. Then we compare the raw NDR data for that to the NDR we
1669	initially generated. If they don't match then we know we must have a
1670	bug in either the pull or push side of our code
1671	*/
1672	static NTSTATUS dcerpc_ndr_validate_out(struct dcecli_connection *c,
1673	struct ndr_pull *pull_in,
1674	void *struct_ptr,
1675	size_t struct_size,
1676	ndr_push_flags_fn_t ndr_push,
1677	ndr_pull_flags_fn_t ndr_pull,
1678	ndr_print_function_t ndr_print)
1679	{
1680	void *st;
1681	struct ndr_pull *pull;
1682	struct ndr_push *push;
1683	DATA_BLOB blob, blob2;
1684	TALLOC_CTX *mem_ctx = pull_in;
1685	char s1, s2;
1686	enum ndr_err_code ndr_err;
1687
1688	st = talloc_size(mem_ctx, struct_size);
1689	if (!st) {
1690	return NT_STATUS_NO_MEMORY;
1691	}
1692	memcpy(st, struct_ptr, struct_size);
1693
1694	push = ndr_push_init_ctx(mem_ctx);
1695	if (!push) {
1696	return NT_STATUS_NO_MEMORY;
1697	}
1698
1699	ndr_err = ndr_push(push, NDR_OUT, struct_ptr);
1700	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1701	NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1702	ndr_err = ndr_push_error(push, NDR_ERR_VALIDATE,
1703	"failed output validation push - %s",
1704	nt_errstr(status));
1705	return ndr_map_error2ntstatus(ndr_err);
1706	}
1707
1708	blob = ndr_push_blob(push);
1709
1710	pull = ndr_pull_init_flags(c, &blob, mem_ctx);
1711	if (!pull) {
1712	return NT_STATUS_NO_MEMORY;
1713	}
1714
1715	pull->flags \|= LIBNDR_FLAG_REF_ALLOC;
1716	ndr_err = ndr_pull(pull, NDR_OUT, st);
1717	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1718	NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1719	ndr_err = ndr_pull_error(pull, NDR_ERR_VALIDATE,
1720	"failed output validation pull - %s",
1721	nt_errstr(status));
1722	return ndr_map_error2ntstatus(ndr_err);
1723	}
1724
1725	push = ndr_push_init_ctx(mem_ctx);
1726	if (!push) {
1727	return NT_STATUS_NO_MEMORY;
1728	}
1729
1730	ndr_err = ndr_push(push, NDR_OUT, st);
1731	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1732	NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1733	ndr_err = ndr_push_error(push, NDR_ERR_VALIDATE,
1734	"failed output validation push2 - %s",
1735	nt_errstr(status));
1736	return ndr_map_error2ntstatus(ndr_err);
1737	}
1738
1739	blob2 = ndr_push_blob(push);
1740
1741	if (data_blob_cmp(&blob, &blob2) != 0) {
1742	DEBUG(3,("original:\n"));
1743	dump_data(3, blob.data, blob.length);
1744	DEBUG(3,("secondary:\n"));
1745	dump_data(3, blob2.data, blob2.length);
1746	ndr_err = ndr_push_error(push, NDR_ERR_VALIDATE,
1747	"failed output validation blobs doesn't match");
1748	return ndr_map_error2ntstatus(ndr_err);
1749	}
1750
1751	/* this checks the printed forms of the two structures, which effectively
1752	tests all of the value() attributes */
1753	s1 = ndr_print_function_string(mem_ctx, ndr_print, "VALIDATE",
1754	NDR_OUT, struct_ptr);
1755	s2 = ndr_print_function_string(mem_ctx, ndr_print, "VALIDATE",
1756	NDR_OUT, st);
1757	if (strcmp(s1, s2) != 0) {
1758	#if 1
1759	DEBUG(3,("VALIDATE ERROR:\nWIRE:\n%s\n GEN:\n%s\n", s1, s2));
1760	#else
1761	/* this is sometimes useful */
1762	printf("VALIDATE ERROR\n");
1763	file_save("wire.dat", s1, strlen(s1));
1764	file_save("gen.dat", s2, strlen(s2));
1765	system("diff -u wire.dat gen.dat");
1766	#endif
1767	ndr_err = ndr_push_error(push, NDR_ERR_VALIDATE,
1768	"failed output validation strings doesn't match");
1769	return ndr_map_error2ntstatus(ndr_err);
1770	}
1771
1772	return NT_STATUS_OK;
1773	}
1774
1775	/*
1776	a useful function for retrieving the server name we connected to
1777	*/
1778	_PUBLIC_ const char dcerpc_server_name(struct dcerpc_pipe p)
1779	{
1780	if (!p->conn->transport.target_hostname) {
1781	if (!p->conn->transport.peer_name) {
1782	return "";
1783	}
1784	return p->conn->transport.peer_name(p->conn);
1785	}
1786	return p->conn->transport.target_hostname(p->conn);
1787	}
1788
1789
1790	/*
1791	get the dcerpc auth_level for a open connection
1792	*/
1793	uint32_t dcerpc_auth_level(struct dcecli_connection *c)
1794	{
1795	uint8_t auth_level;
1796
1797	if (c->flags & DCERPC_SEAL) {
1798	auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1799	} else if (c->flags & DCERPC_SIGN) {
1800	auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1801	} else if (c->flags & DCERPC_CONNECT) {
1802	auth_level = DCERPC_AUTH_LEVEL_CONNECT;
1803	} else {
1804	auth_level = DCERPC_AUTH_LEVEL_NONE;
1805	}
1806	return auth_level;
1807	}
1808
1809	/*
1810	Receive an alter reply from the transport
1811	*/
1812	static void dcerpc_alter_recv_handler(struct rpc_request *req,
1813	DATA_BLOB raw_packet, struct ncacn_packet pkt)
1814	{
1815	struct composite_context *c;
1816	struct dcerpc_pipe *recv_pipe;
1817
1818	c = talloc_get_type(req->async.private_data, struct composite_context);
1819	recv_pipe = talloc_get_type(c->private_data, struct dcerpc_pipe);
1820
1821	if (pkt->ptype == DCERPC_PKT_ALTER_RESP &&
1822	pkt->u.alter_resp.num_results == 1 &&
1823	pkt->u.alter_resp.ctx_list[0].result != 0) {
1824	DEBUG(2,("dcerpc: alter_resp failed - reason %d\n",
1825	pkt->u.alter_resp.ctx_list[0].reason));
1826	composite_error(c, dcerpc_map_reason(pkt->u.alter_resp.ctx_list[0].reason));
1827	return;
1828	}
1829
1830	if (pkt->ptype == DCERPC_PKT_FAULT) {
1831	DEBUG(5,("rpc fault: %s\n", dcerpc_errstr(c, pkt->u.fault.status)));
1832	recv_pipe->last_fault_code = pkt->u.fault.status;
1833	composite_error(c, NT_STATUS_NET_WRITE_FAULT);
1834	return;
1835	}
1836
1837	if (pkt->ptype != DCERPC_PKT_ALTER_RESP \|\|
1838	pkt->u.alter_resp.num_results == 0 \|\|
1839	pkt->u.alter_resp.ctx_list[0].result != 0) {
1840	recv_pipe->last_fault_code = DCERPC_NCA_S_PROTO_ERROR;
1841	composite_error(c, NT_STATUS_NET_WRITE_FAULT);
1842	return;
1843	}
1844
1845	/* the alter_resp might contain a reply set of credentials */
1846	if (recv_pipe->conn->security_state.auth_info &&
1847	pkt->u.alter_resp.auth_info.length) {
1848	struct dcecli_connection *conn = recv_pipe->conn;
1849	NTSTATUS status;
1850	uint32_t auth_length;
1851	status = dcerpc_pull_auth_trailer(pkt, conn, &pkt->u.alter_resp.auth_info,
1852	conn->security_state.auth_info, &auth_length, true);
1853	if (!NT_STATUS_IS_OK(status)) {
1854	composite_error(c, status);
1855	return;
1856	}
1857	}
1858
1859	composite_done(c);
1860	}
1861
1862	/*
1863	send a dcerpc alter_context request
1864	*/
1865	struct composite_context dcerpc_alter_context_send(struct dcerpc_pipe p,
1866	TALLOC_CTX *mem_ctx,
1867	const struct ndr_syntax_id *syntax,
1868	const struct ndr_syntax_id *transfer_syntax)
1869	{
1870	struct composite_context *c;
1871	struct ncacn_packet pkt;
1872	DATA_BLOB blob;
1873	struct rpc_request *req;
1874
1875	c = composite_create(mem_ctx, p->conn->event_ctx);
1876	if (c == NULL) return NULL;
1877
1878	c->private_data = p;
1879
1880	p->syntax = *syntax;
1881	p->transfer_syntax = *transfer_syntax;
1882
1883	init_ncacn_hdr(p->conn, &pkt);
1884
1885	pkt.ptype = DCERPC_PKT_ALTER;
1886	pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST \| DCERPC_PFC_FLAG_LAST;
1887	pkt.call_id = p->conn->call_id;
1888	pkt.auth_length = 0;
1889
1890	if (p->binding->flags & DCERPC_CONCURRENT_MULTIPLEX) {
1891	pkt.pfc_flags \|= DCERPC_PFC_FLAG_CONC_MPX;
1892	}
1893
1894	if (p->binding->flags & DCERPC_HEADER_SIGNING) {
1895	pkt.pfc_flags \|= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
1896	}
1897
1898	pkt.u.alter.max_xmit_frag = 5840;
1899	pkt.u.alter.max_recv_frag = 5840;
1900	pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
1901	pkt.u.alter.num_contexts = 1;
1902	pkt.u.alter.ctx_list = talloc_array(c, struct dcerpc_ctx_list, 1);
1903	if (composite_nomem(pkt.u.alter.ctx_list, c)) return c;
1904	pkt.u.alter.ctx_list[0].context_id = p->context_id;
1905	pkt.u.alter.ctx_list[0].num_transfer_syntaxes = 1;
1906	pkt.u.alter.ctx_list[0].abstract_syntax = p->syntax;
1907	pkt.u.alter.ctx_list[0].transfer_syntaxes = &p->transfer_syntax;
1908	pkt.u.alter.auth_info = data_blob(NULL, 0);
1909
1910	/* construct the NDR form of the packet */
1911	c->status = ncacn_push_auth(&blob, mem_ctx, &pkt,
1912	p->conn->security_state.auth_info);
1913	if (!composite_is_ok(c)) return c;
1914
1915	p->conn->transport.recv_data = dcerpc_recv_data;
1916
1917	/*
1918	* we allocate a dcerpc_request so we can be in the same
1919	* request queue as normal requests
1920	*/
1921	req = talloc_zero(c, struct rpc_request);
1922	if (composite_nomem(req, c)) return c;
1923
1924	req->state = RPC_REQUEST_PENDING;
1925	req->call_id = pkt.call_id;
1926	req->async.private_data = c;
1927	req->async.callback = dcerpc_composite_fail;
1928	req->p = p;
1929	req->recv_handler = dcerpc_alter_recv_handler;
1930	DLIST_ADD_END(p->conn->pending, req, struct rpc_request *);
1931	talloc_set_destructor(req, dcerpc_req_dequeue);
1932
1933	c->status = p->conn->transport.send_request(p->conn, &blob, true);
1934	if (!composite_is_ok(c)) return c;
1935
1936	event_add_timed(c->event_ctx, req,
1937	timeval_current_ofs(DCERPC_REQUEST_TIMEOUT, 0),
1938	dcerpc_timeout_handler, req);
1939
1940	return c;
1941	}
1942
1943	NTSTATUS dcerpc_alter_context_recv(struct composite_context *ctx)
1944	{
1945	NTSTATUS result = composite_wait(ctx);
1946	talloc_free(ctx);
1947	return result;
1948	}
1949
1950	/*
1951	send a dcerpc alter_context request
1952	*/
1953	_PUBLIC_ NTSTATUS dcerpc_alter_context(struct dcerpc_pipe *p,
1954	TALLOC_CTX *mem_ctx,
1955	const struct ndr_syntax_id *syntax,
1956	const struct ndr_syntax_id *transfer_syntax)
1957	{
1958	struct composite_context *creq;
1959	creq = dcerpc_alter_context_send(p, mem_ctx, syntax, transfer_syntax);
1960	return dcerpc_alter_context_recv(creq);
1961	}
1962

Note: See TracBrowser for help on using the repository browser.

Download in other formats: