search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:rpc_server: remove useless TALLOC_FREE(call->context) from dcesrv_bind()
[Samba.git] / source4 / rpc_server / dcerpc_server.c
blob34de07171e6ec651e3b50c225e8267241153d545
1 /*
2 Unix SMB/CIFS implementation.
3
4 server side dcerpc core code
5
6 Copyright (C) Andrew Tridgell 2003-2005
7 Copyright (C) Stefan (metze) Metzmacher 2004-2005
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "auth/auth.h"
25 #include "auth/gensec/gensec.h"
26 #include "../lib/util/dlinklist.h"
27 #include "rpc_server/dcerpc_server.h"
28 #include "rpc_server/dcerpc_server_proto.h"
29 #include "rpc_server/common/proto.h"
30 #include "librpc/rpc/dcerpc_proto.h"
31 #include "system/filesys.h"
32 #include "libcli/security/security.h"
33 #include "param/param.h"
34 #include "../lib/tsocket/tsocket.h"
35 #include "../libcli/named_pipe_auth/npa_tstream.h"
36 #include "smbd/service_stream.h"
37 #include "../lib/tsocket/tsocket.h"
38 #include "lib/socket/socket.h"
39 #include "smbd/process_model.h"
40 #include "lib/messaging/irpc.h"
41 #include "librpc/rpc/rpc_common.h"
42 #include "lib/util/samba_modules.h"
43 #include "librpc/gen_ndr/ndr_dcerpc.h"
44
45 static NTSTATUS dcesrv_negotiate_contexts(struct dcesrv_call_state *call,
46 const struct dcerpc_bind *b,
47 struct dcerpc_ack_ctx *ack_ctx_list);
48
49 /*
50 find an association group given a assoc_group_id
51 */
52 static struct dcesrv_assoc_group *dcesrv_assoc_group_find(struct dcesrv_context *dce_ctx,
53 uint32_t id)
54 {
55 void *id_ptr;
56
57 id_ptr = idr_find(dce_ctx->assoc_groups_idr, id);
58 if (id_ptr == NULL) {
59 return NULL;
60 }
61 return talloc_get_type_abort(id_ptr, struct dcesrv_assoc_group);
62 }
63
64 /*
65 take a reference to an existing association group
66 */
67 static struct dcesrv_assoc_group *dcesrv_assoc_group_reference(TALLOC_CTX *mem_ctx,
68 struct dcesrv_context *dce_ctx,
69 uint32_t id)
70 {
71 struct dcesrv_assoc_group *assoc_group;
72
73 assoc_group = dcesrv_assoc_group_find(dce_ctx, id);
74 if (assoc_group == NULL) {
75 DEBUG(2,(__location__ ": Failed to find assoc_group 0x%08x\n", id));
76 return NULL;
77 }
78 return talloc_reference(mem_ctx, assoc_group);
79 }
80
81 static int dcesrv_assoc_group_destructor(struct dcesrv_assoc_group *assoc_group)
82 {
83 int ret;
84 ret = idr_remove(assoc_group->dce_ctx->assoc_groups_idr, assoc_group->id);
85 if (ret != 0) {
86 DEBUG(0,(__location__ ": Failed to remove assoc_group 0x%08x\n",
87 assoc_group->id));
88 }
89 return 0;
90 }
91
92 /*
93 allocate a new association group
94 */
95 static struct dcesrv_assoc_group *dcesrv_assoc_group_new(TALLOC_CTX *mem_ctx,
96 struct dcesrv_context *dce_ctx)
97 {
98 struct dcesrv_assoc_group *assoc_group;
99 int id;
100
101 assoc_group = talloc_zero(mem_ctx, struct dcesrv_assoc_group);
102 if (assoc_group == NULL) {
103 return NULL;
104 }
105
106 id = idr_get_new_random(dce_ctx->assoc_groups_idr, assoc_group, UINT16_MAX);
107 if (id == -1) {
108 talloc_free(assoc_group);
109 DEBUG(0,(__location__ ": Out of association groups!\n"));
110 return NULL;
111 }
112
113 assoc_group->id = id;
114 assoc_group->dce_ctx = dce_ctx;
115
116 talloc_set_destructor(assoc_group, dcesrv_assoc_group_destructor);
117
118 return assoc_group;
119 }
120
121
122 /*
123 see if two endpoints match
124 */
125 static bool endpoints_match(const struct dcerpc_binding *ep1,
126 const struct dcerpc_binding *ep2)
127 {
128 enum dcerpc_transport_t t1;
129 enum dcerpc_transport_t t2;
130 const char *e1;
131 const char *e2;
132
133 t1 = dcerpc_binding_get_transport(ep1);
134 t2 = dcerpc_binding_get_transport(ep2);
135
136 e1 = dcerpc_binding_get_string_option(ep1, "endpoint");
137 e2 = dcerpc_binding_get_string_option(ep2, "endpoint");
138
139 if (t1 != t2) {
140 return false;
141 }
142
143 if (!e1 || !e2) {
144 return e1 == e2;
145 }
146
147 if (strcasecmp(e1, e2) != 0) {
148 return false;
149 }
150
151 return true;
152 }
153
154 /*
155 find an endpoint in the dcesrv_context
156 */
157 static struct dcesrv_endpoint *find_endpoint(struct dcesrv_context *dce_ctx,
158 const struct dcerpc_binding *ep_description)
159 {
160 struct dcesrv_endpoint *ep;
161 for (ep=dce_ctx->endpoint_list; ep; ep=ep->next) {
162 if (endpoints_match(ep->ep_description, ep_description)) {
163 return ep;
164 }
165 }
166 return NULL;
167 }
168
169 /*
170 find a registered context_id from a bind or alter_context
171 */
172 static struct dcesrv_connection_context *dcesrv_find_context(struct dcesrv_connection *conn,
173 uint16_t context_id)
174 {
175 struct dcesrv_connection_context *c;
176 for (c=conn->contexts;c;c=c->next) {
177 if (c->context_id == context_id) return c;
178 }
179 return NULL;
180 }
181
182 /*
183 see if a uuid and if_version match to an interface
184 */
185 static bool interface_match(const struct dcesrv_interface *if1,
186 const struct dcesrv_interface *if2)
187 {
188 return (if1->syntax_id.if_version == if2->syntax_id.if_version &&
189 GUID_equal(&if1->syntax_id.uuid, &if2->syntax_id.uuid));
190 }
191
192 /*
193 find the interface operations on any endpoint with this binding
194 */
195 static const struct dcesrv_interface *find_interface_by_binding(struct dcesrv_context *dce_ctx,
196 struct dcerpc_binding *binding,
197 const struct dcesrv_interface *iface)
198 {
199 struct dcesrv_endpoint *ep;
200 for (ep=dce_ctx->endpoint_list; ep; ep=ep->next) {
201 if (endpoints_match(ep->ep_description, binding)) {
202 struct dcesrv_if_list *ifl;
203 for (ifl=ep->interface_list; ifl; ifl=ifl->next) {
204 if (interface_match(&(ifl->iface), iface)) {
205 return &(ifl->iface);
206 }
207 }
208 }
209 }
210 return NULL;
211 }
212
213 /*
214 see if a uuid and if_version match to an interface
215 */
216 static bool interface_match_by_uuid(const struct dcesrv_interface *iface,
217 const struct GUID *uuid, uint32_t if_version)
218 {
219 return (iface->syntax_id.if_version == if_version &&
220 GUID_equal(&iface->syntax_id.uuid, uuid));
221 }
222
223 /*
224 find the interface operations on an endpoint by uuid
225 */
226 const struct dcesrv_interface *find_interface_by_uuid(const struct dcesrv_endpoint *endpoint,
227 const struct GUID *uuid, uint32_t if_version)
228 {
229 struct dcesrv_if_list *ifl;
230 for (ifl=endpoint->interface_list; ifl; ifl=ifl->next) {
231 if (interface_match_by_uuid(&(ifl->iface), uuid, if_version)) {
232 return &(ifl->iface);
233 }
234 }
235 return NULL;
236 }
237
238 /*
239 find the earlier parts of a fragmented call awaiting reassembily
240 */
241 static struct dcesrv_call_state *dcesrv_find_fragmented_call(struct dcesrv_connection *dce_conn, uint16_t call_id)
242 {
243 struct dcesrv_call_state *c;
244 for (c=dce_conn->incoming_fragmented_call_list;c;c=c->next) {
245 if (c->pkt.call_id == call_id) {
246 return c;
247 }
248 }
249 return NULL;
250 }
251
252 /*
253 register an interface on an endpoint
254
255 An endpoint is one unix domain socket (for ncalrpc), one TCP port
256 (for ncacn_ip_tcp) or one (forwarded) named pipe (for ncacn_np).
257
258 Each endpoint can have many interfaces such as netlogon, lsa or
259 samr. Some have essentially the full set.
260
261 This is driven from the set of interfaces listed in each IDL file
262 via the PIDL generated *__op_init_server() functions.
263 */
264 _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
265 const char *ep_name,
266 const struct dcesrv_interface *iface,
267 const struct security_descriptor *sd)
268 {
269 struct dcesrv_endpoint *ep;
270 struct dcesrv_if_list *ifl;
271 struct dcerpc_binding *binding;
272 bool add_ep = false;
273 NTSTATUS status;
274 enum dcerpc_transport_t transport;
275 char *ep_string = NULL;
276 bool use_single_process = true;
277
278 /*
279 * If we are not using handles, there is no need for force
280 * this service into using a single process.
281 *
282 * However, due to the way we listen for RPC packets, we can
283 * only do this if we have a single service per pipe or TCP
284 * port, so we still force a single combined process for
285 * ncalrpc.
286 */
287 if (iface->flags & DCESRV_INTERFACE_FLAGS_HANDLES_NOT_USED) {
288 use_single_process = false;
289 }
290
291 status = dcerpc_parse_binding(dce_ctx, ep_name, &binding);
292
293 if (NT_STATUS_IS_ERR(status)) {
294 DEBUG(0, ("Trouble parsing binding string '%s'\n", ep_name));
295 return status;
296 }
297
298 transport = dcerpc_binding_get_transport(binding);
299 if (transport == NCACN_IP_TCP) {
300 int port;
301 char port_str[6];
302
303 /*
304 * First check if there is already a port specified, eg
305 * for epmapper on ncacn_ip_tcp:[135]
306 */
307 const char *endpoint
308 = dcerpc_binding_get_string_option(binding,
309 "endpoint");
310 if (endpoint == NULL) {
311 port = lpcfg_parm_int(dce_ctx->lp_ctx, NULL,
312 "rpc server port", iface->name, 0);
313
314 /*
315 * For RPC services that are not set to use a single
316 * process, we do not default to using the 'rpc server
317 * port' because that would cause a double-bind on
318 * that port.
319 */
320 if (port == 0 && !use_single_process) {
321 port = lpcfg_rpc_server_port(dce_ctx->lp_ctx);
322 }
323 if (port != 0) {
324 snprintf(port_str, sizeof(port_str), "%u", port);
325 status = dcerpc_binding_set_string_option(binding,
326 "endpoint",
327 port_str);
328 if (!NT_STATUS_IS_OK(status)) {
329 return status;
330 }
331 }
332 }
333 }
334
335 /* see if the interface is already registered on the endpoint */
336 if (find_interface_by_binding(dce_ctx, binding, iface)!=NULL) {
337 DEBUG(0,("dcesrv_interface_register: interface '%s' already registered on endpoint '%s'\n",
338 iface->name, ep_name));
339 return NT_STATUS_OBJECT_NAME_COLLISION;
340 }
341
342 /* check if this endpoint exists
343 */
344 ep = find_endpoint(dce_ctx, binding);
345
346 if (ep != NULL) {
347 /*
348 * We want a new port on ncacn_ip_tcp for NETLOGON, so
349 * it can be multi-process. Other processes can also
350 * listen on distinct ports, if they have one forced
351 * in the code above with eg 'rpc server port:drsuapi = 1027'
352 *
353 * If we have mulitiple endpoints on port 0, they each
354 * get an epemeral port (currently by walking up from
355 * 1024).
356 */
357 if (!use_single_process && transport == NCACN_IP_TCP) {
358 add_ep = true;
359 }
360 }
361
362 if (ep == NULL || add_ep) {
363 ep = talloc_zero(dce_ctx, struct dcesrv_endpoint);
364 if (!ep) {
365 return NT_STATUS_NO_MEMORY;
366 }
367 ZERO_STRUCTP(ep);
368 ep->ep_description = talloc_move(ep, &binding);
369 add_ep = true;
370
371 /* add mgmt interface */
372 ifl = talloc_zero(ep, struct dcesrv_if_list);
373 if (!ifl) {
374 return NT_STATUS_NO_MEMORY;
375 }
376
377 ifl->iface = dcesrv_get_mgmt_interface();
378
379 DLIST_ADD(ep->interface_list, ifl);
380 }
381
382 /*
383 * By default don't force into a single process, but if any
384 * interface on this endpoint on this service uses handles
385 * (most do), then we must force into single process mode
386 *
387 * By overwriting this each time a new interface is added to
388 * this endpoint, we end up with the most restrictive setting.
389 */
390 if (use_single_process) {
391 ep->use_single_process = true;
392 }
393
394 /* talloc a new interface list element */
395 ifl = talloc_zero(ep, struct dcesrv_if_list);
396 if (!ifl) {
397 return NT_STATUS_NO_MEMORY;
398 }
399
400 /* copy the given interface struct to the one on the endpoints interface list */
401 memcpy(&(ifl->iface),iface, sizeof(struct dcesrv_interface));
402
403 /* if we have a security descriptor given,
404 * we should see if we can set it up on the endpoint
405 */
406 if (sd != NULL) {
407 /* if there's currently no security descriptor given on the endpoint
408 * we try to set it
409 */
410 if (ep->sd == NULL) {
411 ep->sd = security_descriptor_copy(ep, sd);
412 }
413
414 /* if now there's no security descriptor given on the endpoint
415 * something goes wrong, either we failed to copy the security descriptor
416 * or there was already one on the endpoint
417 */
418 if (ep->sd != NULL) {
419 DEBUG(0,("dcesrv_interface_register: interface '%s' failed to setup a security descriptor\n"
420 " on endpoint '%s'\n",
421 iface->name, ep_name));
422 if (add_ep) free(ep);
423 free(ifl);
424 return NT_STATUS_OBJECT_NAME_COLLISION;
425 }
426 }
427
428 /* finally add the interface on the endpoint */
429 DLIST_ADD(ep->interface_list, ifl);
430
431 /* if it's a new endpoint add it to the dcesrv_context */
432 if (add_ep) {
433 DLIST_ADD(dce_ctx->endpoint_list, ep);
434 }
435
436 /* Re-get the string as we may have set a port */
437 ep_string = dcerpc_binding_string(dce_ctx, ep->ep_description);
438
439 DEBUG(4,("dcesrv_interface_register: interface '%s' registered on endpoint '%s'\n",
440 iface->name, ep_string));
441 TALLOC_FREE(ep_string);
442
443 return NT_STATUS_OK;
444 }
445
446 NTSTATUS dcesrv_inherited_session_key(struct dcesrv_connection *p,
447 DATA_BLOB *session_key)
448 {
449 if (p->auth_state.session_info->session_key.length) {
450 *session_key = p->auth_state.session_info->session_key;
451 return NT_STATUS_OK;
452 }
453 return NT_STATUS_NO_USER_SESSION_KEY;
454 }
455
456 /*
457 fetch the user session key - may be default (above) or the SMB session key
458
459 The key is always truncated to 16 bytes
460 */
461 _PUBLIC_ NTSTATUS dcesrv_fetch_session_key(struct dcesrv_connection *p,
462 DATA_BLOB *session_key)
463 {
464 NTSTATUS status = p->auth_state.session_key(p, session_key);
465 if (!NT_STATUS_IS_OK(status)) {
466 return status;
467 }
468
469 session_key->length = MIN(session_key->length, 16);
470
471 return NT_STATUS_OK;
472 }
473
474 /*
475 connect to a dcerpc endpoint
476 */
477 _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
478 TALLOC_CTX *mem_ctx,
479 const struct dcesrv_endpoint *ep,
480 struct auth_session_info *session_info,
481 struct tevent_context *event_ctx,
482 struct imessaging_context *msg_ctx,
483 struct server_id server_id,
484 uint32_t state_flags,
485 struct dcesrv_connection **_p)
486 {
487 struct dcesrv_connection *p;
488
489 if (!session_info) {
490 return NT_STATUS_ACCESS_DENIED;
491 }
492
493 p = talloc_zero(mem_ctx, struct dcesrv_connection);
494 NT_STATUS_HAVE_NO_MEMORY(p);
495
496 if (!talloc_reference(p, session_info)) {
497 talloc_free(p);
498 return NT_STATUS_NO_MEMORY;
499 }
500
501 p->dce_ctx = dce_ctx;
502 p->endpoint = ep;
503 p->packet_log_dir = lpcfg_lock_directory(dce_ctx->lp_ctx);
504 p->auth_state.session_info = session_info;
505 p->auth_state.session_key = dcesrv_generic_session_key;
506 p->event_ctx = event_ctx;
507 p->msg_ctx = msg_ctx;
508 p->server_id = server_id;
509 p->state_flags = state_flags;
510 p->allow_bind = true;
511 p->max_recv_frag = 5840;
512 p->max_xmit_frag = 5840;
513 p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE;
514
515 /*
516 * For now we only support NDR32.
517 */
518 p->preferred_transfer = &ndr_transfer_syntax_ndr;
519
520 *_p = p;
521 return NT_STATUS_OK;
522 }
523
524 /*
525 move a call from an existing linked list to the specified list. This
526 prevents bugs where we forget to remove the call from a previous
527 list when moving it.
528 */
529 static void dcesrv_call_set_list(struct dcesrv_call_state *call,
530 enum dcesrv_call_list list)
531 {
532 switch (call->list) {
533 case DCESRV_LIST_NONE:
534 break;
535 case DCESRV_LIST_CALL_LIST:
536 DLIST_REMOVE(call->conn->call_list, call);
537 break;
538 case DCESRV_LIST_FRAGMENTED_CALL_LIST:
539 DLIST_REMOVE(call->conn->incoming_fragmented_call_list, call);
540 break;
541 case DCESRV_LIST_PENDING_CALL_LIST:
542 DLIST_REMOVE(call->conn->pending_call_list, call);
543 break;
544 }
545 call->list = list;
546 switch (list) {
547 case DCESRV_LIST_NONE:
548 break;
549 case DCESRV_LIST_CALL_LIST:
550 DLIST_ADD_END(call->conn->call_list, call);
551 break;
552 case DCESRV_LIST_FRAGMENTED_CALL_LIST:
553 DLIST_ADD_END(call->conn->incoming_fragmented_call_list, call);
554 break;
555 case DCESRV_LIST_PENDING_CALL_LIST:
556 DLIST_ADD_END(call->conn->pending_call_list, call);
557 break;
558 }
559 }
560
561 static void dcesrv_call_disconnect_after(struct dcesrv_call_state *call,
562 const char *reason)
563 {
564 if (call->conn->terminate != NULL) {
565 return;
566 }
567
568 call->conn->allow_bind = false;
569 call->conn->allow_alter = false;
570 call->conn->allow_auth3 = false;
571 call->conn->allow_request = false;
572
573 call->terminate_reason = talloc_strdup(call, reason);
574 if (call->terminate_reason == NULL) {
575 call->terminate_reason = __location__;
576 }
577 }
578
579 /*
580 return a dcerpc bind_nak
581 */
582 static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason)
583 {
584 struct ncacn_packet pkt;
585 struct dcerpc_bind_nak_version version;
586 struct data_blob_list_item *rep;
587 NTSTATUS status;
588 static const uint8_t _pad[3] = { 0, };
589
590 /*
591 * We add the call to the pending_call_list
592 * in order to defer the termination.
593 */
594 dcesrv_call_disconnect_after(call, "dcesrv_bind_nak");
595
596 /* setup a bind_nak */
597 dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
598 pkt.auth_length = 0;
599 pkt.call_id = call->pkt.call_id;
600 pkt.ptype = DCERPC_PKT_BIND_NAK;
601 pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
602 pkt.u.bind_nak.reject_reason = reason;
603 version.rpc_vers = 5;
604 version.rpc_vers_minor = 0;
605 pkt.u.bind_nak.num_versions = 1;
606 pkt.u.bind_nak.versions = &version;
607 pkt.u.bind_nak._pad = data_blob_const(_pad, sizeof(_pad));
608
609 rep = talloc_zero(call, struct data_blob_list_item);
610 if (!rep) {
611 return NT_STATUS_NO_MEMORY;
612 }
613
614 status = ncacn_push_auth(&rep->blob, call, &pkt, NULL);
615 if (!NT_STATUS_IS_OK(status)) {
616 return status;
617 }
618
619 dcerpc_set_frag_length(&rep->blob, rep->blob.length);
620
621 DLIST_ADD_END(call->replies, rep);
622 dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
623
624 if (call->conn->call_list && call->conn->call_list->replies) {
625 if (call->conn->transport.report_output_data) {
626 call->conn->transport.report_output_data(call->conn);
627 }
628 }
629
630 return NT_STATUS_OK;
631 }
632
633 static NTSTATUS dcesrv_fault_disconnect(struct dcesrv_call_state *call,
634 uint32_t fault_code)
635 {
636 /*
637 * We add the call to the pending_call_list
638 * in order to defer the termination.
639 */
640 dcesrv_call_disconnect_after(call, "dcesrv_fault_disconnect");
641
642 return dcesrv_fault_with_flags(call, fault_code,
643 DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
644 }
645
646 static int dcesrv_connection_context_destructor(struct dcesrv_connection_context *c)
647 {
648 DLIST_REMOVE(c->conn->contexts, c);
649
650 if (c->iface && c->iface->unbind) {
651 c->iface->unbind(c, c->iface);
652 c->iface = NULL;
653 }
654
655 return 0;
656 }
657
658 static void dcesrv_prepare_context_auth(struct dcesrv_call_state *dce_call)
659 {
660 struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
661 const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
662 enum dcerpc_transport_t transport =
663 dcerpc_binding_get_transport(endpoint->ep_description);
664 struct dcesrv_connection_context *context = dce_call->context;
665 const struct dcesrv_interface *iface = context->iface;
666
667 context->min_auth_level = DCERPC_AUTH_LEVEL_NONE;
668
669 if (transport == NCALRPC) {
670 context->allow_connect = true;
671 return;
672 }
673
674 /*
675 * allow overwrite per interface
676 * allow dcerpc auth level connect:<interface>
677 */
678 context->allow_connect = lpcfg_allow_dcerpc_auth_level_connect(lp_ctx);
679 context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
680 "allow dcerpc auth level connect",
681 iface->name,
682 context->allow_connect);
683 }
684
685 NTSTATUS dcesrv_interface_bind_require_integrity(struct dcesrv_call_state *dce_call,
686 const struct dcesrv_interface *iface)
687 {
688 if (dce_call->context == NULL) {
689 return NT_STATUS_INTERNAL_ERROR;
690 }
691
692 /*
693 * For connection oriented DCERPC DCERPC_AUTH_LEVEL_PACKET (4)
694 * has the same behavior as DCERPC_AUTH_LEVEL_INTEGRITY (5).
695 */
696 dce_call->context->min_auth_level = DCERPC_AUTH_LEVEL_PACKET;
697 return NT_STATUS_OK;
698 }
699
700 NTSTATUS dcesrv_interface_bind_require_privacy(struct dcesrv_call_state *dce_call,
701 const struct dcesrv_interface *iface)
702 {
703 if (dce_call->context == NULL) {
704 return NT_STATUS_INTERNAL_ERROR;
705 }
706
707 dce_call->context->min_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
708 return NT_STATUS_OK;
709 }
710
711 _PUBLIC_ NTSTATUS dcesrv_interface_bind_reject_connect(struct dcesrv_call_state *dce_call,
712 const struct dcesrv_interface *iface)
713 {
714 struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
715 const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
716 enum dcerpc_transport_t transport =
717 dcerpc_binding_get_transport(endpoint->ep_description);
718 struct dcesrv_connection_context *context = dce_call->context;
719
720 if (context == NULL) {
721 return NT_STATUS_INTERNAL_ERROR;
722 }
723
724 if (transport == NCALRPC) {
725 context->allow_connect = true;
726 return NT_STATUS_OK;
727 }
728
729 /*
730 * allow overwrite per interface
731 * allow dcerpc auth level connect:<interface>
732 */
733 context->allow_connect = false;
734 context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
735 "allow dcerpc auth level connect",
736 iface->name,
737 context->allow_connect);
738 return NT_STATUS_OK;
739 }
740
741 _PUBLIC_ NTSTATUS dcesrv_interface_bind_allow_connect(struct dcesrv_call_state *dce_call,
742 const struct dcesrv_interface *iface)
743 {
744 struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
745 const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
746 enum dcerpc_transport_t transport =
747 dcerpc_binding_get_transport(endpoint->ep_description);
748 struct dcesrv_connection_context *context = dce_call->context;
749
750 if (context == NULL) {
751 return NT_STATUS_INTERNAL_ERROR;
752 }
753
754 if (transport == NCALRPC) {
755 context->allow_connect = true;
756 return NT_STATUS_OK;
757 }
758
759 /*
760 * allow overwrite per interface
761 * allow dcerpc auth level connect:<interface>
762 */
763 context->allow_connect = true;
764 context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
765 "allow dcerpc auth level connect",
766 iface->name,
767 context->allow_connect);
768 return NT_STATUS_OK;
769 }
770
771 /*
772 handle a bind request
773 */
774 static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
775 {
776 struct ncacn_packet *pkt = &call->ack_pkt;
777 struct data_blob_list_item *rep;
778 NTSTATUS status;
779 uint32_t extra_flags = 0;
780 uint16_t max_req = 0;
781 uint16_t max_rep = 0;
782 const char *ep_prefix = "";
783 const char *endpoint = NULL;
784 struct dcerpc_ack_ctx *ack_ctx_list = NULL;
785 struct dcerpc_ack_ctx *ack_features = NULL;
786 size_t i;
787
788 status = dcerpc_verify_ncacn_packet_header(&call->pkt,
789 DCERPC_PKT_BIND,
790 call->pkt.u.bind.auth_info.length,
791 0, /* required flags */
792 DCERPC_PFC_FLAG_FIRST |
793 DCERPC_PFC_FLAG_LAST |
794 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
795 0x08 | /* this is not defined, but should be ignored */
796 DCERPC_PFC_FLAG_CONC_MPX |
797 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
798 DCERPC_PFC_FLAG_MAYBE |
799 DCERPC_PFC_FLAG_OBJECT_UUID);
800 if (!NT_STATUS_IS_OK(status)) {
801 return dcesrv_bind_nak(call,
802 DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED);
803 }
804
805 /* max_recv_frag and max_xmit_frag result always in the same value! */
806 max_req = MIN(call->pkt.u.bind.max_xmit_frag,
807 call->pkt.u.bind.max_recv_frag);
808 /*
809 * The values are between 2048 and 5840 tested against Windows 2012R2
810 * via ncacn_ip_tcp on port 135.
811 */
812 max_req = MAX(2048, max_req);
813 max_rep = MIN(max_req, call->conn->max_recv_frag);
814 /* They are truncated to an 8 byte boundary. */
815 max_rep &= 0xFFF8;
816
817 /* max_recv_frag and max_xmit_frag result always in the same value! */
818 call->conn->max_recv_frag = max_rep;
819 call->conn->max_xmit_frag = max_rep;
820
821 /*
822 if provided, check the assoc_group is valid
823 */
824 if (call->pkt.u.bind.assoc_group_id != 0) {
825 call->conn->assoc_group = dcesrv_assoc_group_reference(call->conn,
826 call->conn->dce_ctx,
827 call->pkt.u.bind.assoc_group_id);
828 } else {
829 call->conn->assoc_group = dcesrv_assoc_group_new(call->conn,
830 call->conn->dce_ctx);
831 }
832
833 /*
834 * The NETLOGON server does not use handles and so
835 * there is no need to support association groups, but
836 * we need to give back a number regardless.
837 *
838 * We have to do this when it is not run as a single process,
839 * because then it can't see the other valid association
840 * groups. We handle this genericly for all endpoints not
841 * running in single process mode.
842 *
843 * We know which endpoint we are on even before checking the
844 * iface UUID, so for simplicity we enforce the same policy
845 * for all interfaces on the endpoint.
846 *
847 * This means that where NETLOGON
848 * shares an endpoint (such as ncalrpc or of 'lsa over
849 * netlogon' is set) we will still check association groups.
850 *
851 */
852
853 if (call->conn->assoc_group == NULL &&
854 !call->conn->endpoint->use_single_process) {
855 call->conn->assoc_group
856 = dcesrv_assoc_group_new(call->conn,
857 call->conn->dce_ctx);
858 }
859 if (call->conn->assoc_group == NULL) {
860 return dcesrv_bind_nak(call, 0);
861 }
862
863 if (call->pkt.u.bind.num_contexts < 1) {
864 return dcesrv_bind_nak(call, 0);
865 }
866
867 ack_ctx_list = talloc_zero_array(call, struct dcerpc_ack_ctx,
868 call->pkt.u.bind.num_contexts);
869 if (ack_ctx_list == NULL) {
870 return dcesrv_bind_nak(call, 0);
871 }
872
873 /*
874 * Set some sane defaults (required by dcesrv_negotiate_contexts()/
875 * dcesrv_check_or_create_context()) and do some protocol validation
876 * and set sane defaults.
877 */
878 for (i = 0; i < call->pkt.u.bind.num_contexts; i++) {
879 const struct dcerpc_ctx_list *c = &call->pkt.u.bind.ctx_list[i];
880 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
881 bool is_feature = false;
882 uint64_t features = 0;
883
884 if (c->num_transfer_syntaxes == 0) {
885 return dcesrv_bind_nak(call, 0);
886 }
887
888 a->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
889 a->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
890
891 /*
892 * It's only treated as bind time feature request, if the first
893 * transfer_syntax matches, all others are ignored.
894 */
895 is_feature = dcerpc_extract_bind_time_features(c->transfer_syntaxes[0],
896 &features);
897 if (!is_feature) {
898 continue;
899 }
900
901 if (ack_features != NULL) {
902 /*
903 * Only one bind time feature context is allowed.
904 */
905 return dcesrv_bind_nak(call, 0);
906 }
907 ack_features = a;
908
909 a->result = DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK;
910 a->reason.negotiate = 0;
911 if (features & DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING) {
912 /* not supported yet */
913 }
914 if (features & DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN) {
915 a->reason.negotiate |=
916 DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN;
917 }
918
919 call->conn->bind_time_features = a->reason.negotiate;
920 }
921
922 /*
923 * Try to negotiate one new presentation context.
924 *
925 * Deep in here we locate the iface (by uuid) that the client
926 * requested, from the list of interfaces on the
927 * call->conn->endpoint, and call iface->bind() on that iface.
928 *
929 * call->conn was set up at the accept() of the socket, and
930 * call->conn->endpoint has a list of interfaces restricted to
931 * this port or pipe.
932 */
933 status = dcesrv_negotiate_contexts(call, &call->pkt.u.bind, ack_ctx_list);
934 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
935 return dcesrv_bind_nak(call, 0);
936 }
937 if (!NT_STATUS_IS_OK(status)) {
938 return status;
939 }
940
941 /*
942 * At this point we still don't know which interface (eg
943 * netlogon, lsa, drsuapi) the caller requested in this bind!
944 * The most recently added context is available as the first
945 * element in the linked list at call->conn->contexts, that is
946 * call->conn->contexts->iface, but they may not have
947 * requested one at all!
948 */
949
950 if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
951 (call->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
952 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
953 extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
954 }
955
956 if (call->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
957 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL;
958 }
959
960 /*
961 * After finding the interface and setting up the NDR
962 * transport negotiation etc, handle any authentication that
963 * is being requested.
964 */
965 if (!dcesrv_auth_bind(call)) {
966 struct dcesrv_auth *auth = &call->conn->auth_state;
967
968 if (auth->auth_level == DCERPC_AUTH_LEVEL_NONE) {
969 /*
970 * With DCERPC_AUTH_LEVEL_NONE, we get the
971 * reject_reason in auth->auth_context_id.
972 */
973 return dcesrv_bind_nak(call, auth->auth_context_id);
974 }
975
976 /*
977 * This must a be a temporary failure e.g. talloc or invalid
978 * configuration, e.g. no machine account.
979 */
980 return dcesrv_bind_nak(call,
981 DCERPC_BIND_NAK_REASON_TEMPORARY_CONGESTION);
982 }
983
984 /* setup a bind_ack */
985 dcesrv_init_hdr(pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
986 pkt->auth_length = 0;
987 pkt->call_id = call->pkt.call_id;
988 pkt->ptype = DCERPC_PKT_BIND_ACK;
989 pkt->pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
990 pkt->u.bind_ack.max_xmit_frag = call->conn->max_xmit_frag;
991 pkt->u.bind_ack.max_recv_frag = call->conn->max_recv_frag;
992 pkt->u.bind_ack.assoc_group_id = call->conn->assoc_group->id;
993
994 endpoint = dcerpc_binding_get_string_option(
995 call->conn->endpoint->ep_description,
996 "endpoint");
997 if (endpoint == NULL) {
998 endpoint = "";
999 }
1000
1001 if (strncasecmp(endpoint, "\\pipe\\", 6) == 0) {
1002 /*
1003 * TODO: check if this is really needed
1004 *
1005 * Or if we should fix this in our idl files.
1006 */
1007 ep_prefix = "\\PIPE\\";
1008 endpoint += 6;
1009 }
1010
1011 pkt->u.bind_ack.secondary_address = talloc_asprintf(call, "%s%s",
1012 ep_prefix,
1013 endpoint);
1014 if (pkt->u.bind_ack.secondary_address == NULL) {
1015 return NT_STATUS_NO_MEMORY;
1016 }
1017 pkt->u.bind_ack.num_results = call->pkt.u.bind.num_contexts;
1018 pkt->u.bind_ack.ctx_list = ack_ctx_list;
1019 pkt->u.bind_ack.auth_info = data_blob_null;
1020
1021 status = dcesrv_auth_bind_ack(call, pkt);
1022 if (!NT_STATUS_IS_OK(status)) {
1023 return dcesrv_bind_nak(call, 0);
1024 }
1025
1026 rep = talloc_zero(call, struct data_blob_list_item);
1027 if (!rep) {
1028 return NT_STATUS_NO_MEMORY;
1029 }
1030
1031 status = ncacn_push_auth(&rep->blob, call, pkt,
1032 call->out_auth_info);
1033 if (!NT_STATUS_IS_OK(status)) {
1034 return status;
1035 }
1036
1037 dcerpc_set_frag_length(&rep->blob, rep->blob.length);
1038
1039 DLIST_ADD_END(call->replies, rep);
1040 dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
1041
1042 if (call->conn->call_list && call->conn->call_list->replies) {
1043 if (call->conn->transport.report_output_data) {
1044 call->conn->transport.report_output_data(call->conn);
1045 }
1046 }
1047
1048 return NT_STATUS_OK;
1049 }
1050
1051
1052 /*
1053 handle a auth3 request
1054 */
1055 static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
1056 {
1057 NTSTATUS status;
1058
1059 if (!call->conn->allow_auth3) {
1060 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1061 }
1062
1063 if (call->conn->auth_state.auth_finished) {
1064 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1065 }
1066
1067 status = dcerpc_verify_ncacn_packet_header(&call->pkt,
1068 DCERPC_PKT_AUTH3,
1069 call->pkt.u.auth3.auth_info.length,
1070 0, /* required flags */
1071 DCERPC_PFC_FLAG_FIRST |
1072 DCERPC_PFC_FLAG_LAST |
1073 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1074 0x08 | /* this is not defined, but should be ignored */
1075 DCERPC_PFC_FLAG_CONC_MPX |
1076 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1077 DCERPC_PFC_FLAG_MAYBE |
1078 DCERPC_PFC_FLAG_OBJECT_UUID);
1079 if (!NT_STATUS_IS_OK(status)) {
1080 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1081 }
1082
1083 /* handle the auth3 in the auth code */
1084 if (!dcesrv_auth_auth3(call)) {
1085 call->conn->auth_state.auth_invalid = true;
1086 if (call->fault_code != 0) {
1087 return dcesrv_fault_disconnect(call, call->fault_code);
1088 }
1089 }
1090
1091 talloc_free(call);
1092
1093 /* we don't send a reply to a auth3 request, except by a
1094 fault */
1095 return NT_STATUS_OK;
1096 }
1097
1098
1099 static NTSTATUS dcesrv_check_or_create_context(struct dcesrv_call_state *call,
1100 const struct dcerpc_bind *b,
1101 const struct dcerpc_ctx_list *ctx,
1102 struct dcerpc_ack_ctx *ack,
1103 bool validate_only,
1104 const struct ndr_syntax_id *supported_transfer)
1105 {
1106 uint32_t if_version;
1107 struct dcesrv_connection_context *context;
1108 const struct dcesrv_interface *iface;
1109 struct GUID uuid;
1110 NTSTATUS status;
1111 const struct ndr_syntax_id *selected_transfer = NULL;
1112 size_t i;
1113 bool ok;
1114
1115 if (b == NULL) {
1116 return NT_STATUS_INTERNAL_ERROR;
1117 }
1118 if (ctx == NULL) {
1119 return NT_STATUS_INTERNAL_ERROR;
1120 }
1121 if (ctx->num_transfer_syntaxes < 1) {
1122 return NT_STATUS_INTERNAL_ERROR;
1123 }
1124 if (ack == NULL) {
1125 return NT_STATUS_INTERNAL_ERROR;
1126 }
1127 if (supported_transfer == NULL) {
1128 return NT_STATUS_INTERNAL_ERROR;
1129 }
1130
1131 switch (ack->result) {
1132 case DCERPC_BIND_ACK_RESULT_ACCEPTANCE:
1133 case DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK:
1134 /*
1135 * We is already completed.
1136 */
1137 return NT_STATUS_OK;
1138 default:
1139 break;
1140 }
1141
1142 ack->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1143 ack->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
1144
1145 if_version = ctx->abstract_syntax.if_version;
1146 uuid = ctx->abstract_syntax.uuid;
1147
1148 iface = find_interface_by_uuid(call->conn->endpoint, &uuid, if_version);
1149 if (iface == NULL) {
1150 char *uuid_str = GUID_string(call, &uuid);
1151 DEBUG(2,("Request for unknown dcerpc interface %s/%d\n", uuid_str, if_version));
1152 talloc_free(uuid_str);
1153 /*
1154 * We report this only via ack->result
1155 */
1156 return NT_STATUS_OK;
1157 }
1158
1159 ack->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1160 ack->reason.value = DCERPC_BIND_ACK_REASON_TRANSFER_SYNTAXES_NOT_SUPPORTED;
1161
1162 if (validate_only) {
1163 /*
1164 * We report this only via ack->result
1165 */
1166 return NT_STATUS_OK;
1167 }
1168
1169 for (i = 0; i < ctx->num_transfer_syntaxes; i++) {
1170 /*
1171 * we only do NDR encoded dcerpc for now.
1172 */
1173 ok = ndr_syntax_id_equal(&ctx->transfer_syntaxes[i],
1174 supported_transfer);
1175 if (ok) {
1176 selected_transfer = supported_transfer;
1177 break;
1178 }
1179 }
1180
1181 context = dcesrv_find_context(call->conn, ctx->context_id);
1182 if (context != NULL) {
1183 ok = ndr_syntax_id_equal(&context->iface->syntax_id,
1184 &ctx->abstract_syntax);
1185 if (!ok) {
1186 return NT_STATUS_RPC_PROTOCOL_ERROR;
1187 }
1188
1189 if (selected_transfer != NULL) {
1190 ok = ndr_syntax_id_equal(&context->transfer_syntax,
1191 selected_transfer);
1192 if (!ok) {
1193 return NT_STATUS_RPC_PROTOCOL_ERROR;
1194 }
1195
1196 ack->result = DCERPC_BIND_ACK_RESULT_ACCEPTANCE;
1197 ack->reason.value = DCERPC_BIND_ACK_REASON_NOT_SPECIFIED;
1198 ack->syntax = context->transfer_syntax;
1199 }
1200
1201 /*
1202 * We report this only via ack->result
1203 */
1204 return NT_STATUS_OK;
1205 }
1206
1207 if (selected_transfer == NULL) {
1208 /*
1209 * We report this only via ack->result
1210 */
1211 return NT_STATUS_OK;
1212 }
1213
1214 ack->result = DCERPC_BIND_ACK_RESULT_USER_REJECTION;
1215 ack->reason.value = DCERPC_BIND_ACK_REASON_LOCAL_LIMIT_EXCEEDED;
1216
1217 /* add this context to the list of available context_ids */
1218 context = talloc_zero(call->conn, struct dcesrv_connection_context);
1219 if (context == NULL) {
1220 return NT_STATUS_NO_MEMORY;
1221 }
1222 context->conn = call->conn;
1223 context->context_id = ctx->context_id;
1224 context->iface = iface;
1225 context->transfer_syntax = *selected_transfer;
1226 context->private_data = NULL;
1227 DLIST_ADD(call->conn->contexts, context);
1228 call->context = context;
1229 talloc_set_destructor(context, dcesrv_connection_context_destructor);
1230
1231 dcesrv_prepare_context_auth(call);
1232
1233 /*
1234 * Multiplex is supported by default
1235 */
1236 call->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
1237
1238 status = iface->bind(call, iface, if_version);
1239 call->context = NULL;
1240 if (!NT_STATUS_IS_OK(status)) {
1241 /* we don't want to trigger the iface->unbind() hook */
1242 context->iface = NULL;
1243 talloc_free(context);
1244 /*
1245 * We report this only via ack->result
1246 */
1247 return NT_STATUS_OK;
1248 }
1249
1250 ack->result = DCERPC_BIND_ACK_RESULT_ACCEPTANCE;
1251 ack->reason.value = DCERPC_BIND_ACK_REASON_NOT_SPECIFIED;
1252 ack->syntax = context->transfer_syntax;
1253 return NT_STATUS_OK;
1254 }
1255
1256 static NTSTATUS dcesrv_negotiate_contexts(struct dcesrv_call_state *call,
1257 const struct dcerpc_bind *b,
1258 struct dcerpc_ack_ctx *ack_ctx_list)
1259 {
1260 NTSTATUS status;
1261 size_t i;
1262 bool validate_only = false;
1263 bool preferred_ndr32;
1264
1265 /*
1266 * Try to negotiate one new presentation context,
1267 * using our preferred transfer syntax.
1268 */
1269 for (i = 0; i < b->num_contexts; i++) {
1270 const struct dcerpc_ctx_list *c = &b->ctx_list[i];
1271 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1272
1273 status = dcesrv_check_or_create_context(call, b, c, a,
1274 validate_only,
1275 call->conn->preferred_transfer);
1276 if (!NT_STATUS_IS_OK(status)) {
1277 return status;
1278 }
1279
1280 if (a->result == DCERPC_BIND_ACK_RESULT_ACCEPTANCE) {
1281 /*
1282 * We managed to negotiate one context.
1283 *
1284 * => we're done.
1285 */
1286 validate_only = true;
1287 }
1288 }
1289
1290 preferred_ndr32 = ndr_syntax_id_equal(&ndr_transfer_syntax_ndr,
1291 call->conn->preferred_transfer);
1292 if (preferred_ndr32) {
1293 /*
1294 * We're done.
1295 */
1296 return NT_STATUS_OK;
1297 }
1298
1299 /*
1300 * Try to negotiate one new presentation context,
1301 * using NDR 32 as fallback.
1302 */
1303 for (i = 0; i < b->num_contexts; i++) {
1304 const struct dcerpc_ctx_list *c = &b->ctx_list[i];
1305 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1306
1307 status = dcesrv_check_or_create_context(call, b, c, a,
1308 validate_only,
1309 &ndr_transfer_syntax_ndr);
1310 if (!NT_STATUS_IS_OK(status)) {
1311 return status;
1312 }
1313
1314 if (a->result == DCERPC_BIND_ACK_RESULT_ACCEPTANCE) {
1315 /*
1316 * We managed to negotiate one context.
1317 *
1318 * => we're done.
1319 */
1320 validate_only = true;
1321 }
1322 }
1323
1324 return NT_STATUS_OK;
1325 }
1326
1327 /*
1328 handle a alter context request
1329 */
1330 static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
1331 {
1332 NTSTATUS status;
1333 bool auth_ok = false;
1334 struct ncacn_packet *pkt = &call->ack_pkt;
1335 uint32_t extra_flags = 0;
1336 struct data_blob_list_item *rep = NULL;
1337 struct dcerpc_ack_ctx *ack_ctx_list = NULL;
1338 size_t i;
1339
1340 if (!call->conn->allow_alter) {
1341 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1342 }
1343
1344 status = dcerpc_verify_ncacn_packet_header(&call->pkt,
1345 DCERPC_PKT_ALTER,
1346 call->pkt.u.alter.auth_info.length,
1347 0, /* required flags */
1348 DCERPC_PFC_FLAG_FIRST |
1349 DCERPC_PFC_FLAG_LAST |
1350 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1351 0x08 | /* this is not defined, but should be ignored */
1352 DCERPC_PFC_FLAG_CONC_MPX |
1353 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1354 DCERPC_PFC_FLAG_MAYBE |
1355 DCERPC_PFC_FLAG_OBJECT_UUID);
1356 if (!NT_STATUS_IS_OK(status)) {
1357 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1358 }
1359
1360 auth_ok = dcesrv_auth_alter(call);
1361 if (!auth_ok) {
1362 if (call->fault_code != 0) {
1363 return dcesrv_fault_disconnect(call, call->fault_code);
1364 }
1365 }
1366
1367 if (call->pkt.u.alter.num_contexts < 1) {
1368 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1369 }
1370
1371 ack_ctx_list = talloc_zero_array(call, struct dcerpc_ack_ctx,
1372 call->pkt.u.alter.num_contexts);
1373 if (ack_ctx_list == NULL) {
1374 return NT_STATUS_NO_MEMORY;
1375 }
1376
1377 /*
1378 * Set some sane defaults (required by dcesrv_negotiate_contexts()/
1379 * dcesrv_check_or_create_context()) and do some protocol validation
1380 * and set sane defaults.
1381 */
1382 for (i = 0; i < call->pkt.u.alter.num_contexts; i++) {
1383 const struct dcerpc_ctx_list *c = &call->pkt.u.alter.ctx_list[i];
1384 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1385
1386 if (c->num_transfer_syntaxes == 0) {
1387 return dcesrv_fault_disconnect(call,
1388 DCERPC_NCA_S_PROTO_ERROR);
1389 }
1390
1391 a->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1392 a->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
1393 }
1394
1395 /*
1396 * Try to negotiate one new presentation context.
1397 */
1398 status = dcesrv_negotiate_contexts(call, &call->pkt.u.alter, ack_ctx_list);
1399 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
1400 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1401 }
1402 if (!NT_STATUS_IS_OK(status)) {
1403 return status;
1404 }
1405
1406 if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
1407 (call->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
1408 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
1409 extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
1410 }
1411
1412 if (call->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
1413 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL;
1414 }
1415
1416 /* handle any authentication that is being requested */
1417 if (!auth_ok) {
1418 if (call->in_auth_info.auth_type !=
1419 call->conn->auth_state.auth_type)
1420 {
1421 return dcesrv_fault_disconnect(call,
1422 DCERPC_FAULT_SEC_PKG_ERROR);
1423 }
1424 return dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED);
1425 }
1426
1427 dcesrv_init_hdr(pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
1428 pkt->auth_length = 0;
1429 pkt->call_id = call->pkt.call_id;
1430 pkt->ptype = DCERPC_PKT_ALTER_RESP;
1431 pkt->pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
1432 pkt->u.alter_resp.max_xmit_frag = call->conn->max_xmit_frag;
1433 pkt->u.alter_resp.max_recv_frag = call->conn->max_recv_frag;
1434 pkt->u.alter_resp.assoc_group_id = call->conn->assoc_group->id;
1435 pkt->u.alter_resp.secondary_address = "";
1436 pkt->u.alter_resp.num_results = call->pkt.u.alter.num_contexts;
1437 pkt->u.alter_resp.ctx_list = ack_ctx_list;
1438 pkt->u.alter_resp.auth_info = data_blob_null;
1439
1440 status = dcesrv_auth_alter_ack(call, pkt);
1441 if (!NT_STATUS_IS_OK(status)) {
1442 return dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
1443 }
1444
1445 rep = talloc_zero(call, struct data_blob_list_item);
1446 if (!rep) {
1447 return NT_STATUS_NO_MEMORY;
1448 }
1449
1450 status = ncacn_push_auth(&rep->blob, call, pkt, call->out_auth_info);
1451 if (!NT_STATUS_IS_OK(status)) {
1452 return status;
1453 }
1454
1455 dcerpc_set_frag_length(&rep->blob, rep->blob.length);
1456
1457 DLIST_ADD_END(call->replies, rep);
1458 dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
1459
1460 if (call->conn->call_list && call->conn->call_list->replies) {
1461 if (call->conn->transport.report_output_data) {
1462 call->conn->transport.report_output_data(call->conn);
1463 }
1464 }
1465
1466 return NT_STATUS_OK;
1467 }
1468
1469 /*
1470 possibly save the call for inspection with ndrdump
1471 */
1472 static void dcesrv_save_call(struct dcesrv_call_state *call, const char *why)
1473 {
1474 #ifdef DEVELOPER
1475 char *fname;
1476 const char *dump_dir;
1477 dump_dir = lpcfg_parm_string(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv", "stubs directory");
1478 if (!dump_dir) {
1479 return;
1480 }
1481 fname = talloc_asprintf(call, "%s/RPC-%s-%u-%s.dat",
1482 dump_dir,
1483 call->context->iface->name,
1484 call->pkt.u.request.opnum,
1485 why);
1486 if (file_save(fname, call->pkt.u.request.stub_and_verifier.data, call->pkt.u.request.stub_and_verifier.length)) {
1487 DEBUG(0,("RPC SAVED %s\n", fname));
1488 }
1489 talloc_free(fname);
1490 #endif
1491 }
1492
1493 static NTSTATUS dcesrv_check_verification_trailer(struct dcesrv_call_state *call)
1494 {
1495 TALLOC_CTX *frame = talloc_stackframe();
1496 const uint32_t bitmask1 = call->conn->auth_state.client_hdr_signing ?
1497 DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING : 0;
1498 const struct dcerpc_sec_vt_pcontext pcontext = {
1499 .abstract_syntax = call->context->iface->syntax_id,
1500 .transfer_syntax = call->context->transfer_syntax,
1501 };
1502 const struct dcerpc_sec_vt_header2 header2 =
1503 dcerpc_sec_vt_header2_from_ncacn_packet(&call->pkt);
1504 enum ndr_err_code ndr_err;
1505 struct dcerpc_sec_verification_trailer *vt = NULL;
1506 NTSTATUS status = NT_STATUS_OK;
1507 bool ok;
1508
1509 SMB_ASSERT(call->pkt.ptype == DCERPC_PKT_REQUEST);
1510
1511 ndr_err = ndr_pop_dcerpc_sec_verification_trailer(call->ndr_pull,
1512 frame, &vt);
1513 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1514 status = ndr_map_error2ntstatus(ndr_err);
1515 goto done;
1516 }
1517
1518 ok = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
1519 &pcontext, &header2);
1520 if (!ok) {
1521 status = NT_STATUS_ACCESS_DENIED;
1522 goto done;
1523 }
1524 done:
1525 TALLOC_FREE(frame);
1526 return status;
1527 }
1528
1529 /*
1530 handle a dcerpc request packet
1531 */
1532 static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
1533 {
1534 const struct dcesrv_endpoint *endpoint = call->conn->endpoint;
1535 enum dcerpc_transport_t transport =
1536 dcerpc_binding_get_transport(endpoint->ep_description);
1537 struct ndr_pull *pull;
1538 NTSTATUS status;
1539
1540 if (!call->conn->allow_request) {
1541 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1542 }
1543
1544 /* if authenticated, and the mech we use can't do async replies, don't use them... */
1545 if (call->conn->auth_state.gensec_security &&
1546 !gensec_have_feature(call->conn->auth_state.gensec_security, GENSEC_FEATURE_ASYNC_REPLIES)) {
1547 call->state_flags &= ~DCESRV_CALL_STATE_FLAG_MAY_ASYNC;
1548 }
1549
1550 if (call->context == NULL) {
1551 return dcesrv_fault_with_flags(call, DCERPC_NCA_S_UNKNOWN_IF,
1552 DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
1553 }
1554
1555 switch (call->conn->auth_state.auth_level) {
1556 case DCERPC_AUTH_LEVEL_NONE:
1557 case DCERPC_AUTH_LEVEL_PACKET:
1558 case DCERPC_AUTH_LEVEL_INTEGRITY:
1559 case DCERPC_AUTH_LEVEL_PRIVACY:
1560 break;
1561 default:
1562 if (!call->context->allow_connect) {
1563 char *addr;
1564
1565 addr = tsocket_address_string(call->conn->remote_address,
1566 call);
1567
1568 DEBUG(2, ("%s: restrict auth_level_connect access "
1569 "to [%s] with auth[type=0x%x,level=0x%x] "
1570 "on [%s] from [%s]\n",
1571 __func__, call->context->iface->name,
1572 call->conn->auth_state.auth_type,
1573 call->conn->auth_state.auth_level,
1574 derpc_transport_string_by_transport(transport),
1575 addr));
1576 return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
1577 }
1578 break;
1579 }
1580
1581 if (call->conn->auth_state.auth_level < call->context->min_auth_level) {
1582 char *addr;
1583
1584 addr = tsocket_address_string(call->conn->remote_address, call);
1585
1586 DEBUG(2, ("%s: restrict access by min_auth_level[0x%x] "
1587 "to [%s] with auth[type=0x%x,level=0x%x] "
1588 "on [%s] from [%s]\n",
1589 __func__,
1590 call->context->min_auth_level,
1591 call->context->iface->name,
1592 call->conn->auth_state.auth_type,
1593 call->conn->auth_state.auth_level,
1594 derpc_transport_string_by_transport(transport),
1595 addr));
1596 return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
1597 }
1598
1599 pull = ndr_pull_init_blob(&call->pkt.u.request.stub_and_verifier, call);
1600 NT_STATUS_HAVE_NO_MEMORY(pull);
1601
1602 pull->flags |= LIBNDR_FLAG_REF_ALLOC;
1603
1604 call->ndr_pull = pull;
1605
1606 if (!(call->pkt.drep[0] & DCERPC_DREP_LE)) {
1607 pull->flags |= LIBNDR_FLAG_BIGENDIAN;
1608 }
1609
1610 status = dcesrv_check_verification_trailer(call);
1611 if (!NT_STATUS_IS_OK(status)) {
1612 uint32_t faultcode = DCERPC_FAULT_OTHER;
1613 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
1614 faultcode = DCERPC_FAULT_ACCESS_DENIED;
1615 }
1616 DEBUG(10, ("dcesrv_check_verification_trailer failed: %s\n",
1617 nt_errstr(status)));
1618 return dcesrv_fault(call, faultcode);
1619 }
1620
1621 /* unravel the NDR for the packet */
1622 status = call->context->iface->ndr_pull(call, call, pull, &call->r);
1623 if (!NT_STATUS_IS_OK(status)) {
1624 uint8_t extra_flags = 0;
1625 if (call->fault_code == DCERPC_FAULT_OP_RNG_ERROR) {
1626 /* we got an unknown call */
1627 DEBUG(3,(__location__ ": Unknown RPC call %u on %s\n",
1628 call->pkt.u.request.opnum,
1629 call->context->iface->name));
1630 dcesrv_save_call(call, "unknown");
1631 extra_flags |= DCERPC_PFC_FLAG_DID_NOT_EXECUTE;
1632 } else {
1633 dcesrv_save_call(call, "pullfail");
1634 }
1635 return dcesrv_fault_with_flags(call, call->fault_code, extra_flags);
1636 }
1637
1638 if (pull->offset != pull->data_size) {
1639 dcesrv_save_call(call, "extrabytes");
1640 DEBUG(3,("Warning: %d extra bytes in incoming RPC request\n",
1641 pull->data_size - pull->offset));
1642 }
1643
1644 /* call the dispatch function */
1645 status = call->context->iface->dispatch(call, call, call->r);
1646 if (!NT_STATUS_IS_OK(status)) {
1647 DEBUG(5,("dcerpc fault in call %s:%02x - %s\n",
1648 call->context->iface->name,
1649 call->pkt.u.request.opnum,
1650 dcerpc_errstr(pull, call->fault_code)));
1651 return dcesrv_fault(call, call->fault_code);
1652 }
1653
1654 /* add the call to the pending list */
1655 dcesrv_call_set_list(call, DCESRV_LIST_PENDING_CALL_LIST);
1656
1657 if (call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
1658 return NT_STATUS_OK;
1659 }
1660
1661 return dcesrv_reply(call);
1662 }
1663
1664
1665 /*
1666 remove the call from the right list when freed
1667 */
1668 static int dcesrv_call_dequeue(struct dcesrv_call_state *call)
1669 {
1670 dcesrv_call_set_list(call, DCESRV_LIST_NONE);
1671 return 0;
1672 }
1673
1674 _PUBLIC_ const struct tsocket_address *dcesrv_connection_get_local_address(struct dcesrv_connection *conn)
1675 {
1676 return conn->local_address;
1677 }
1678
1679 _PUBLIC_ const struct tsocket_address *dcesrv_connection_get_remote_address(struct dcesrv_connection *conn)
1680 {
1681 return conn->remote_address;
1682 }
1683
1684 /*
1685 process some input to a dcerpc endpoint server.
1686 */
1687 static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
1688 struct ncacn_packet *pkt,
1689 DATA_BLOB blob)
1690 {
1691 NTSTATUS status;
1692 struct dcesrv_call_state *call;
1693 struct dcesrv_call_state *existing = NULL;
1694
1695 call = talloc_zero(dce_conn, struct dcesrv_call_state);
1696 if (!call) {
1697 data_blob_free(&blob);
1698 talloc_free(pkt);
1699 return NT_STATUS_NO_MEMORY;
1700 }
1701 call->conn = dce_conn;
1702 call->event_ctx = dce_conn->event_ctx;
1703 call->msg_ctx = dce_conn->msg_ctx;
1704 call->state_flags = call->conn->state_flags;
1705 call->time = timeval_current();
1706 call->list = DCESRV_LIST_NONE;
1707
1708 talloc_steal(call, pkt);
1709 talloc_steal(call, blob.data);
1710 call->pkt = *pkt;
1711
1712 talloc_set_destructor(call, dcesrv_call_dequeue);
1713
1714 if (call->conn->allow_bind) {
1715 /*
1716 * Only one bind is possible per connection
1717 */
1718 call->conn->allow_bind = false;
1719 return dcesrv_bind(call);
1720 }
1721
1722 /* we have to check the signing here, before combining the
1723 pdus */
1724 if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
1725 if (!call->conn->allow_request) {
1726 return dcesrv_fault_disconnect(call,
1727 DCERPC_NCA_S_PROTO_ERROR);
1728 }
1729
1730 status = dcerpc_verify_ncacn_packet_header(&call->pkt,
1731 DCERPC_PKT_REQUEST,
1732 call->pkt.u.request.stub_and_verifier.length,
1733 0, /* required_flags */
1734 DCERPC_PFC_FLAG_FIRST |
1735 DCERPC_PFC_FLAG_LAST |
1736 DCERPC_PFC_FLAG_PENDING_CANCEL |
1737 0x08 | /* this is not defined, but should be ignored */
1738 DCERPC_PFC_FLAG_CONC_MPX |
1739 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1740 DCERPC_PFC_FLAG_MAYBE |
1741 DCERPC_PFC_FLAG_OBJECT_UUID);
1742 if (!NT_STATUS_IS_OK(status)) {
1743 return dcesrv_fault_disconnect(call,
1744 DCERPC_NCA_S_PROTO_ERROR);
1745 }
1746
1747 if (call->pkt.frag_length > DCERPC_FRAG_MAX_SIZE) {
1748 /*
1749 * We don't use dcesrv_fault_disconnect()
1750 * here, because we don't want to set
1751 * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
1752 *
1753 * Note that we don't check against the negotiated
1754 * max_recv_frag, but a hard coded value.
1755 */
1756 dcesrv_call_disconnect_after(call,
1757 "dcesrv_auth_request - frag_length too large");
1758 return dcesrv_fault(call,
1759 DCERPC_NCA_S_PROTO_ERROR);
1760 }
1761
1762 if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) {
1763 if (dce_conn->pending_call_list != NULL) {
1764 /*
1765 * concurrent requests are only allowed
1766 * if DCERPC_PFC_FLAG_CONC_MPX was negotiated.
1767 */
1768 if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
1769 dcesrv_call_disconnect_after(call,
1770 "dcesrv_auth_request - "
1771 "existing pending call without CONN_MPX");
1772 return dcesrv_fault(call,
1773 DCERPC_NCA_S_PROTO_ERROR);
1774 }
1775 }
1776 /* only one request is possible in the fragmented list */
1777 if (dce_conn->incoming_fragmented_call_list != NULL) {
1778 if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
1779 /*
1780 * Without DCERPC_PFC_FLAG_CONC_MPX
1781 * we need to return the FAULT on the
1782 * already existing call.
1783 *
1784 * This is important to get the
1785 * call_id and context_id right.
1786 */
1787 TALLOC_FREE(call);
1788 call = dce_conn->incoming_fragmented_call_list;
1789 }
1790 dcesrv_call_disconnect_after(call,
1791 "dcesrv_auth_request - "
1792 "existing fragmented call");
1793 return dcesrv_fault(call,
1794 DCERPC_NCA_S_PROTO_ERROR);
1795 }
1796 if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_PENDING_CANCEL) {
1797 return dcesrv_fault_disconnect(call,
1798 DCERPC_FAULT_NO_CALL_ACTIVE);
1799 }
1800 call->context = dcesrv_find_context(call->conn,
1801 call->pkt.u.request.context_id);
1802 if (call->context == NULL) {
1803 return dcesrv_fault_with_flags(call, DCERPC_NCA_S_UNKNOWN_IF,
1804 DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
1805 }
1806 } else {
1807 const struct dcerpc_request *nr = &call->pkt.u.request;
1808 const struct dcerpc_request *er = NULL;
1809 int cmp;
1810
1811 existing = dcesrv_find_fragmented_call(dce_conn,
1812 call->pkt.call_id);
1813 if (existing == NULL) {
1814 dcesrv_call_disconnect_after(call,
1815 "dcesrv_auth_request - "
1816 "no existing fragmented call");
1817 return dcesrv_fault(call,
1818 DCERPC_NCA_S_PROTO_ERROR);
1819 }
1820 er = &existing->pkt.u.request;
1821
1822 if (call->pkt.ptype != existing->pkt.ptype) {
1823 /* trying to play silly buggers are we? */
1824 return dcesrv_fault_disconnect(existing,
1825 DCERPC_NCA_S_PROTO_ERROR);
1826 }
1827 cmp = memcmp(call->pkt.drep, existing->pkt.drep,
1828 sizeof(pkt->drep));
1829 if (cmp != 0) {
1830 return dcesrv_fault_disconnect(existing,
1831 DCERPC_NCA_S_PROTO_ERROR);
1832 }
1833 if (nr->context_id != er->context_id) {
1834 return dcesrv_fault_disconnect(existing,
1835 DCERPC_NCA_S_PROTO_ERROR);
1836 }
1837 if (nr->opnum != er->opnum) {
1838 return dcesrv_fault_disconnect(existing,
1839 DCERPC_NCA_S_PROTO_ERROR);
1840 }
1841 }
1842 }
1843
1844 if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
1845 bool ok;
1846 uint8_t payload_offset = DCERPC_REQUEST_LENGTH;
1847
1848 if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1849 payload_offset += 16;
1850 }
1851
1852 ok = dcesrv_auth_pkt_pull(call, &blob,
1853 0, /* required_flags */
1854 DCERPC_PFC_FLAG_FIRST |
1855 DCERPC_PFC_FLAG_LAST |
1856 DCERPC_PFC_FLAG_PENDING_CANCEL |
1857 0x08 | /* this is not defined, but should be ignored */
1858 DCERPC_PFC_FLAG_CONC_MPX |
1859 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1860 DCERPC_PFC_FLAG_MAYBE |
1861 DCERPC_PFC_FLAG_OBJECT_UUID,
1862 payload_offset,
1863 &call->pkt.u.request.stub_and_verifier);
1864 if (!ok) {
1865 /*
1866 * We don't use dcesrv_fault_disconnect()
1867 * here, because we don't want to set
1868 * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
1869 */
1870 dcesrv_call_disconnect_after(call,
1871 "dcesrv_auth_request - failed");
1872 if (call->fault_code == 0) {
1873 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
1874 }
1875 return dcesrv_fault(call, call->fault_code);
1876 }
1877 }
1878
1879 /* see if this is a continued packet */
1880 if (existing != NULL) {
1881 struct dcerpc_request *er = &existing->pkt.u.request;
1882 const struct dcerpc_request *nr = &call->pkt.u.request;
1883 size_t available;
1884 size_t alloc_size;
1885 size_t alloc_hint;
1886
1887 /*
1888 * Up to 4 MByte are allowed by all fragments
1889 */
1890 available = dce_conn->max_total_request_size;
1891 if (er->stub_and_verifier.length > available) {
1892 dcesrv_call_disconnect_after(existing,
1893 "dcesrv_auth_request - existing payload too large");
1894 return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
1895 }
1896 available -= er->stub_and_verifier.length;
1897 if (nr->alloc_hint > available) {
1898 dcesrv_call_disconnect_after(existing,
1899 "dcesrv_auth_request - alloc hint too large");
1900 return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
1901 }
1902 if (nr->stub_and_verifier.length > available) {
1903 dcesrv_call_disconnect_after(existing,
1904 "dcesrv_auth_request - new payload too large");
1905 return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
1906 }
1907 alloc_hint = er->stub_and_verifier.length + nr->alloc_hint;
1908 /* allocate at least 1 byte */
1909 alloc_hint = MAX(alloc_hint, 1);
1910 alloc_size = er->stub_and_verifier.length +
1911 nr->stub_and_verifier.length;
1912 alloc_size = MAX(alloc_size, alloc_hint);
1913
1914 er->stub_and_verifier.data =
1915 talloc_realloc(existing,
1916 er->stub_and_verifier.data,
1917 uint8_t, alloc_size);
1918 if (er->stub_and_verifier.data == NULL) {
1919 TALLOC_FREE(call);
1920 return dcesrv_fault_with_flags(existing,
1921 DCERPC_FAULT_OUT_OF_RESOURCES,
1922 DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
1923 }
1924 memcpy(er->stub_and_verifier.data +
1925 er->stub_and_verifier.length,
1926 nr->stub_and_verifier.data,
1927 nr->stub_and_verifier.length);
1928 er->stub_and_verifier.length += nr->stub_and_verifier.length;
1929
1930 existing->pkt.pfc_flags |= (call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST);
1931
1932 TALLOC_FREE(call);
1933 call = existing;
1934 }
1935
1936 /* this may not be the last pdu in the chain - if its isn't then
1937 just put it on the incoming_fragmented_call_list and wait for the rest */
1938 if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
1939 !(call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST)) {
1940 /*
1941 * Up to 4 MByte are allowed by all fragments
1942 */
1943 if (call->pkt.u.request.alloc_hint > dce_conn->max_total_request_size) {
1944 dcesrv_call_disconnect_after(call,
1945 "dcesrv_auth_request - initial alloc hint too large");
1946 return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
1947 }
1948 dcesrv_call_set_list(call, DCESRV_LIST_FRAGMENTED_CALL_LIST);
1949 return NT_STATUS_OK;
1950 }
1951
1952 /* This removes any fragments we may have had stashed away */
1953 dcesrv_call_set_list(call, DCESRV_LIST_NONE);
1954
1955 switch (call->pkt.ptype) {
1956 case DCERPC_PKT_BIND:
1957 status = dcesrv_bind_nak(call,
1958 DCERPC_BIND_NAK_REASON_NOT_SPECIFIED);
1959 break;
1960 case DCERPC_PKT_AUTH3:
1961 status = dcesrv_auth3(call);
1962 break;
1963 case DCERPC_PKT_ALTER:
1964 status = dcesrv_alter(call);
1965 break;
1966 case DCERPC_PKT_REQUEST:
1967 status = dcesrv_request(call);
1968 break;
1969 case DCERPC_PKT_CO_CANCEL:
1970 case DCERPC_PKT_ORPHANED:
1971 /*
1972 * Window just ignores CO_CANCEL and ORPHANED,
1973 * so we do...
1974 */
1975 status = NT_STATUS_OK;
1976 TALLOC_FREE(call);
1977 break;
1978 case DCERPC_PKT_BIND_ACK:
1979 case DCERPC_PKT_BIND_NAK:
1980 case DCERPC_PKT_ALTER_RESP:
1981 case DCERPC_PKT_RESPONSE:
1982 case DCERPC_PKT_FAULT:
1983 case DCERPC_PKT_SHUTDOWN:
1984 default:
1985 status = dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1986 break;
1987 }
1988
1989 /* if we are going to be sending a reply then add
1990 it to the list of pending calls. We add it to the end to keep the call
1991 list in the order we will answer */
1992 if (!NT_STATUS_IS_OK(status)) {
1993 talloc_free(call);
1994 }
1995
1996 return status;
1997 }
1998
1999 _PUBLIC_ NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx,
2000 struct loadparm_context *lp_ctx,
2001 const char **endpoint_servers, struct dcesrv_context **_dce_ctx)
2002 {
2003 NTSTATUS status;
2004 struct dcesrv_context *dce_ctx;
2005 int i;
2006
2007 if (!endpoint_servers) {
2008 DEBUG(0,("dcesrv_init_context: no endpoint servers configured\n"));
2009 return NT_STATUS_INTERNAL_ERROR;
2010 }
2011
2012 dce_ctx = talloc_zero(mem_ctx, struct dcesrv_context);
2013 NT_STATUS_HAVE_NO_MEMORY(dce_ctx);
2014
2015 if (uid_wrapper_enabled()) {
2016 setenv("UID_WRAPPER_MYUID", "1", 1);
2017 }
2018 dce_ctx->initial_euid = geteuid();
2019 if (uid_wrapper_enabled()) {
2020 unsetenv("UID_WRAPPER_MYUID");
2021 }
2022
2023 dce_ctx->endpoint_list = NULL;
2024 dce_ctx->lp_ctx = lp_ctx;
2025 dce_ctx->assoc_groups_idr = idr_init(dce_ctx);
2026 NT_STATUS_HAVE_NO_MEMORY(dce_ctx->assoc_groups_idr);
2027 dce_ctx->broken_connections = NULL;
2028
2029 for (i=0;endpoint_servers[i];i++) {
2030 const struct dcesrv_endpoint_server *ep_server;
2031
2032 ep_server = dcesrv_ep_server_byname(endpoint_servers[i]);
2033 if (!ep_server) {
2034 DEBUG(0,("dcesrv_init_context: failed to find endpoint server = '%s'\n", endpoint_servers[i]));
2035 return NT_STATUS_INTERNAL_ERROR;
2036 }
2037
2038 status = ep_server->init_server(dce_ctx, ep_server);
2039 if (!NT_STATUS_IS_OK(status)) {
2040 DEBUG(0,("dcesrv_init_context: failed to init endpoint server = '%s': %s\n", endpoint_servers[i],
2041 nt_errstr(status)));
2042 return status;
2043 }
2044 }
2045
2046 *_dce_ctx = dce_ctx;
2047 return NT_STATUS_OK;
2048 }
2049
2050 /* the list of currently registered DCERPC endpoint servers.
2051 */
2052 static struct ep_server {
2053 struct dcesrv_endpoint_server *ep_server;
2054 } *ep_servers = NULL;
2055 static int num_ep_servers;
2056
2057 /*
2058 register a DCERPC endpoint server.
2059
2060 The 'name' can be later used by other backends to find the operations
2061 structure for this backend.
2062
2063 */
2064 _PUBLIC_ NTSTATUS dcerpc_register_ep_server(const struct dcesrv_endpoint_server *ep_server)
2065 {
2066
2067 if (dcesrv_ep_server_byname(ep_server->name) != NULL) {
2068 /* its already registered! */
2069 DEBUG(0,("DCERPC endpoint server '%s' already registered\n",
2070 ep_server->name));
2071 return NT_STATUS_OBJECT_NAME_COLLISION;
2072 }
2073
2074 ep_servers = realloc_p(ep_servers, struct ep_server, num_ep_servers+1);
2075 if (!ep_servers) {
2076 smb_panic("out of memory in dcerpc_register");
2077 }
2078
2079 ep_servers[num_ep_servers].ep_server = smb_xmemdup(ep_server, sizeof(*ep_server));
2080 ep_servers[num_ep_servers].ep_server->name = smb_xstrdup(ep_server->name);
2081
2082 num_ep_servers++;
2083
2084 DEBUG(3,("DCERPC endpoint server '%s' registered\n",
2085 ep_server->name));
2086
2087 return NT_STATUS_OK;
2088 }
2089
2090 /*
2091 return the operations structure for a named backend of the specified type
2092 */
2093 const struct dcesrv_endpoint_server *dcesrv_ep_server_byname(const char *name)
2094 {
2095 int i;
2096
2097 for (i=0;i<num_ep_servers;i++) {
2098 if (strcmp(ep_servers[i].ep_server->name, name) == 0) {
2099 return ep_servers[i].ep_server;
2100 }
2101 }
2102
2103 return NULL;
2104 }
2105
2106 void dcerpc_server_init(struct loadparm_context *lp_ctx)
2107 {
2108 static bool initialized;
2109 #define _MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *);
2110 STATIC_dcerpc_server_MODULES_PROTO;
2111 init_module_fn static_init[] = { STATIC_dcerpc_server_MODULES };
2112 init_module_fn *shared_init;
2113
2114 if (initialized) {
2115 return;
2116 }
2117 initialized = true;
2118
2119 shared_init = load_samba_modules(NULL, "dcerpc_server");
2120
2121 run_init_functions(NULL, static_init);
2122 run_init_functions(NULL, shared_init);
2123
2124 talloc_free(shared_init);
2125 }
2126
2127 /*
2128 return the DCERPC module version, and the size of some critical types
2129 This can be used by endpoint server modules to either detect compilation errors, or provide
2130 multiple implementations for different smbd compilation options in one module
2131 */
2132 const struct dcesrv_critical_sizes *dcerpc_module_version(void)
2133 {
2134 static const struct dcesrv_critical_sizes critical_sizes = {
2135 DCERPC_MODULE_VERSION,
2136 sizeof(struct dcesrv_context),
2137 sizeof(struct dcesrv_endpoint),
2138 sizeof(struct dcesrv_endpoint_server),
2139 sizeof(struct dcesrv_interface),
2140 sizeof(struct dcesrv_if_list),
2141 sizeof(struct dcesrv_connection),
2142 sizeof(struct dcesrv_call_state),
2143 sizeof(struct dcesrv_auth),
2144 sizeof(struct dcesrv_handle)
2145 };
2146
2147 return &critical_sizes;
2148 }
2149
2150 static void dcesrv_terminate_connection(struct dcesrv_connection *dce_conn, const char *reason)
2151 {
2152 struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2153 struct stream_connection *srv_conn;
2154 srv_conn = talloc_get_type(dce_conn->transport.private_data,
2155 struct stream_connection);
2156
2157 dce_conn->wait_send = NULL;
2158 dce_conn->wait_recv = NULL;
2159 dce_conn->wait_private = NULL;
2160
2161 dce_conn->allow_bind = false;
2162 dce_conn->allow_auth3 = false;
2163 dce_conn->allow_alter = false;
2164 dce_conn->allow_request = false;
2165
2166 if (dce_conn->pending_call_list == NULL) {
2167 char *full_reason = talloc_asprintf(dce_conn, "dcesrv: %s", reason);
2168
2169 DLIST_REMOVE(dce_ctx->broken_connections, dce_conn);
2170 stream_terminate_connection(srv_conn, full_reason ? full_reason : reason);
2171 return;
2172 }
2173
2174 if (dce_conn->terminate != NULL) {
2175 return;
2176 }
2177
2178 DEBUG(3,("dcesrv: terminating connection due to '%s' deferred due to pending calls\n",
2179 reason));
2180 dce_conn->terminate = talloc_strdup(dce_conn, reason);
2181 if (dce_conn->terminate == NULL) {
2182 dce_conn->terminate = "dcesrv: deferred terminating connection - no memory";
2183 }
2184 DLIST_ADD_END(dce_ctx->broken_connections, dce_conn);
2185 }
2186
2187 static void dcesrv_cleanup_broken_connections(struct dcesrv_context *dce_ctx)
2188 {
2189 struct dcesrv_connection *cur, *next;
2190
2191 next = dce_ctx->broken_connections;
2192 while (next != NULL) {
2193 cur = next;
2194 next = cur->next;
2195
2196 if (cur->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
2197 struct dcesrv_connection_context *context_cur, *context_next;
2198
2199 context_next = cur->contexts;
2200 while (context_next != NULL) {
2201 context_cur = context_next;
2202 context_next = context_cur->next;
2203
2204 dcesrv_connection_context_destructor(context_cur);
2205 }
2206 }
2207
2208 dcesrv_terminate_connection(cur, cur->terminate);
2209 }
2210 }
2211
2212 /* We need this include to be able to compile on some plateforms
2213 * (ie. freebsd 7.2) as it seems that <sys/uio.h> is not included
2214 * correctly.
2215 * It has to be that deep because otherwise we have a conflict on
2216 * const struct dcesrv_interface declaration.
2217 * This is mostly due to socket_wrapper defining #define bind swrap_bind
2218 * which conflict with the bind used before.
2219 */
2220 #include "system/network.h"
2221
2222 struct dcesrv_sock_reply_state {
2223 struct dcesrv_connection *dce_conn;
2224 struct dcesrv_call_state *call;
2225 struct iovec iov;
2226 };
2227
2228 static void dcesrv_sock_reply_done(struct tevent_req *subreq);
2229 static void dcesrv_call_terminate_step1(struct tevent_req *subreq);
2230
2231 static void dcesrv_sock_report_output_data(struct dcesrv_connection *dce_conn)
2232 {
2233 struct dcesrv_call_state *call;
2234
2235 call = dce_conn->call_list;
2236 if (!call || !call->replies) {
2237 return;
2238 }
2239
2240 while (call->replies) {
2241 struct data_blob_list_item *rep = call->replies;
2242 struct dcesrv_sock_reply_state *substate;
2243 struct tevent_req *subreq;
2244
2245 substate = talloc_zero(call, struct dcesrv_sock_reply_state);
2246 if (!substate) {
2247 dcesrv_terminate_connection(dce_conn, "no memory");
2248 return;
2249 }
2250
2251 substate->dce_conn = dce_conn;
2252 substate->call = NULL;
2253
2254 DLIST_REMOVE(call->replies, rep);
2255
2256 if (call->replies == NULL && call->terminate_reason == NULL) {
2257 substate->call = call;
2258 }
2259
2260 substate->iov.iov_base = (void *) rep->blob.data;
2261 substate->iov.iov_len = rep->blob.length;
2262
2263 subreq = tstream_writev_queue_send(substate,
2264 dce_conn->event_ctx,
2265 dce_conn->stream,
2266 dce_conn->send_queue,
2267 &substate->iov, 1);
2268 if (!subreq) {
2269 dcesrv_terminate_connection(dce_conn, "no memory");
2270 return;
2271 }
2272 tevent_req_set_callback(subreq, dcesrv_sock_reply_done,
2273 substate);
2274 }
2275
2276 if (call->terminate_reason != NULL) {
2277 struct tevent_req *subreq;
2278
2279 subreq = tevent_queue_wait_send(call,
2280 dce_conn->event_ctx,
2281 dce_conn->send_queue);
2282 if (!subreq) {
2283 dcesrv_terminate_connection(dce_conn, __location__);
2284 return;
2285 }
2286 tevent_req_set_callback(subreq, dcesrv_call_terminate_step1,
2287 call);
2288 }
2289
2290 DLIST_REMOVE(call->conn->call_list, call);
2291 call->list = DCESRV_LIST_NONE;
2292 }
2293
2294 static void dcesrv_sock_reply_done(struct tevent_req *subreq)
2295 {
2296 struct dcesrv_sock_reply_state *substate = tevent_req_callback_data(subreq,
2297 struct dcesrv_sock_reply_state);
2298 int ret;
2299 int sys_errno;
2300 NTSTATUS status;
2301 struct dcesrv_call_state *call = substate->call;
2302
2303 ret = tstream_writev_queue_recv(subreq, &sys_errno);
2304 TALLOC_FREE(subreq);
2305 if (ret == -1) {
2306 status = map_nt_error_from_unix_common(sys_errno);
2307 dcesrv_terminate_connection(substate->dce_conn, nt_errstr(status));
2308 return;
2309 }
2310
2311 talloc_free(substate);
2312 if (call) {
2313 talloc_free(call);
2314 }
2315 }
2316
2317 static void dcesrv_call_terminate_step2(struct tevent_req *subreq);
2318
2319 static void dcesrv_call_terminate_step1(struct tevent_req *subreq)
2320 {
2321 struct dcesrv_call_state *call = tevent_req_callback_data(subreq,
2322 struct dcesrv_call_state);
2323 bool ok;
2324 struct timeval tv;
2325
2326 /* make sure we stop send queue before removing subreq */
2327 tevent_queue_stop(call->conn->send_queue);
2328
2329 ok = tevent_queue_wait_recv(subreq);
2330 TALLOC_FREE(subreq);
2331 if (!ok) {
2332 dcesrv_terminate_connection(call->conn, __location__);
2333 return;
2334 }
2335
2336 /* disconnect after 200 usecs */
2337 tv = timeval_current_ofs_usec(200);
2338 subreq = tevent_wakeup_send(call, call->conn->event_ctx, tv);
2339 if (subreq == NULL) {
2340 dcesrv_terminate_connection(call->conn, __location__);
2341 return;
2342 }
2343 tevent_req_set_callback(subreq, dcesrv_call_terminate_step2,
2344 call);
2345 }
2346
2347 static void dcesrv_call_terminate_step2(struct tevent_req *subreq)
2348 {
2349 struct dcesrv_call_state *call = tevent_req_callback_data(subreq,
2350 struct dcesrv_call_state);
2351 bool ok;
2352
2353 ok = tevent_wakeup_recv(subreq);
2354 TALLOC_FREE(subreq);
2355 if (!ok) {
2356 dcesrv_terminate_connection(call->conn, __location__);
2357 return;
2358 }
2359
2360 dcesrv_terminate_connection(call->conn, call->terminate_reason);
2361 }
2362
2363 struct dcesrv_socket_context {
2364 const struct dcesrv_endpoint *endpoint;
2365 struct dcesrv_context *dcesrv_ctx;
2366 };
2367
2368
2369 static void dcesrv_read_fragment_done(struct tevent_req *subreq);
2370
2371 static void dcesrv_sock_accept(struct stream_connection *srv_conn)
2372 {
2373 NTSTATUS status;
2374 struct dcesrv_socket_context *dcesrv_sock =
2375 talloc_get_type(srv_conn->private_data, struct dcesrv_socket_context);
2376 enum dcerpc_transport_t transport =
2377 dcerpc_binding_get_transport(dcesrv_sock->endpoint->ep_description);
2378 struct dcesrv_connection *dcesrv_conn = NULL;
2379 int ret;
2380 struct tevent_req *subreq;
2381 struct loadparm_context *lp_ctx = dcesrv_sock->dcesrv_ctx->lp_ctx;
2382
2383 dcesrv_cleanup_broken_connections(dcesrv_sock->dcesrv_ctx);
2384
2385 if (!srv_conn->session_info) {
2386 status = auth_anonymous_session_info(srv_conn,
2387 lp_ctx,
2388 &srv_conn->session_info);
2389 if (!NT_STATUS_IS_OK(status)) {
2390 DEBUG(0,("dcesrv_sock_accept: auth_anonymous_session_info failed: %s\n",
2391 nt_errstr(status)));
2392 stream_terminate_connection(srv_conn, nt_errstr(status));
2393 return;
2394 }
2395 }
2396
2397 /*
2398 * This fills in dcesrv_conn->endpoint with the endpoint
2399 * associated with the socket. From this point on we know
2400 * which (group of) services we are handling, but not the
2401 * specific interface.
2402 */
2403
2404 status = dcesrv_endpoint_connect(dcesrv_sock->dcesrv_ctx,
2405 srv_conn,
2406 dcesrv_sock->endpoint,
2407 srv_conn->session_info,
2408 srv_conn->event.ctx,
2409 srv_conn->msg_ctx,
2410 srv_conn->server_id,
2411 DCESRV_CALL_STATE_FLAG_MAY_ASYNC,
2412 &dcesrv_conn);
2413 if (!NT_STATUS_IS_OK(status)) {
2414 DEBUG(0,("dcesrv_sock_accept: dcesrv_endpoint_connect failed: %s\n",
2415 nt_errstr(status)));
2416 stream_terminate_connection(srv_conn, nt_errstr(status));
2417 return;
2418 }
2419
2420 dcesrv_conn->transport.private_data = srv_conn;
2421 dcesrv_conn->transport.report_output_data = dcesrv_sock_report_output_data;
2422
2423 TALLOC_FREE(srv_conn->event.fde);
2424
2425 dcesrv_conn->send_queue = tevent_queue_create(dcesrv_conn, "dcesrv send queue");
2426 if (!dcesrv_conn->send_queue) {
2427 status = NT_STATUS_NO_MEMORY;
2428 DEBUG(0,("dcesrv_sock_accept: tevent_queue_create(%s)\n",
2429 nt_errstr(status)));
2430 stream_terminate_connection(srv_conn, nt_errstr(status));
2431 return;
2432 }
2433
2434 if (transport == NCACN_NP) {
2435 dcesrv_conn->auth_state.session_key = dcesrv_inherited_session_key;
2436 dcesrv_conn->stream = talloc_move(dcesrv_conn,
2437 &srv_conn->tstream);
2438 } else {
2439 ret = tstream_bsd_existing_socket(dcesrv_conn,
2440 socket_get_fd(srv_conn->socket),
2441 &dcesrv_conn->stream);
2442 if (ret == -1) {
2443 status = map_nt_error_from_unix_common(errno);
2444 DEBUG(0, ("dcesrv_sock_accept: "
2445 "failed to setup tstream: %s\n",
2446 nt_errstr(status)));
2447 stream_terminate_connection(srv_conn, nt_errstr(status));
2448 return;
2449 }
2450 socket_set_flags(srv_conn->socket, SOCKET_FLAG_NOCLOSE);
2451 }
2452
2453 dcesrv_conn->local_address = srv_conn->local_address;
2454 dcesrv_conn->remote_address = srv_conn->remote_address;
2455
2456 if (transport == NCALRPC) {
2457 uid_t uid;
2458 gid_t gid;
2459 int sock_fd;
2460
2461 sock_fd = socket_get_fd(srv_conn->socket);
2462 if (sock_fd == -1) {
2463 stream_terminate_connection(
2464 srv_conn, "socket_get_fd failed\n");
2465 return;
2466 }
2467
2468 ret = getpeereid(sock_fd, &uid, &gid);
2469 if (ret == -1) {
2470 status = map_nt_error_from_unix_common(errno);
2471 DEBUG(0, ("dcesrv_sock_accept: "
2472 "getpeereid() failed for NCALRPC: %s\n",
2473 nt_errstr(status)));
2474 stream_terminate_connection(srv_conn, nt_errstr(status));
2475 return;
2476 }
2477 if (uid == dcesrv_conn->dce_ctx->initial_euid) {
2478 struct tsocket_address *r = NULL;
2479
2480 ret = tsocket_address_unix_from_path(dcesrv_conn,
2481 "/root/ncalrpc_as_system",
2482 &r);
2483 if (ret == -1) {
2484 status = map_nt_error_from_unix_common(errno);
2485 DEBUG(0, ("dcesrv_sock_accept: "
2486 "tsocket_address_unix_from_path() failed for NCALRPC: %s\n",
2487 nt_errstr(status)));
2488 stream_terminate_connection(srv_conn, nt_errstr(status));
2489 return;
2490 }
2491 dcesrv_conn->remote_address = r;
2492 }
2493 }
2494
2495 srv_conn->private_data = dcesrv_conn;
2496
2497 irpc_add_name(srv_conn->msg_ctx, "rpc_server");
2498
2499 subreq = dcerpc_read_ncacn_packet_send(dcesrv_conn,
2500 dcesrv_conn->event_ctx,
2501 dcesrv_conn->stream);
2502 if (!subreq) {
2503 status = NT_STATUS_NO_MEMORY;
2504 DEBUG(0,("dcesrv_sock_accept: dcerpc_read_fragment_buffer_send(%s)\n",
2505 nt_errstr(status)));
2506 stream_terminate_connection(srv_conn, nt_errstr(status));
2507 return;
2508 }
2509 tevent_req_set_callback(subreq, dcesrv_read_fragment_done, dcesrv_conn);
2510
2511 return;
2512 }
2513
2514 static void dcesrv_conn_wait_done(struct tevent_req *subreq);
2515
2516 static void dcesrv_read_fragment_done(struct tevent_req *subreq)
2517 {
2518 struct dcesrv_connection *dce_conn = tevent_req_callback_data(subreq,
2519 struct dcesrv_connection);
2520 struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2521 struct ncacn_packet *pkt;
2522 DATA_BLOB buffer;
2523 NTSTATUS status;
2524
2525 if (dce_conn->terminate) {
2526 /*
2527 * if the current connection is broken
2528 * we need to clean it up before any other connection
2529 */
2530 dcesrv_terminate_connection(dce_conn, dce_conn->terminate);
2531 dcesrv_cleanup_broken_connections(dce_ctx);
2532 return;
2533 }
2534
2535 dcesrv_cleanup_broken_connections(dce_ctx);
2536
2537 status = dcerpc_read_ncacn_packet_recv(subreq, dce_conn,
2538 &pkt, &buffer);
2539 TALLOC_FREE(subreq);
2540 if (!NT_STATUS_IS_OK(status)) {
2541 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2542 return;
2543 }
2544
2545 status = dcesrv_process_ncacn_packet(dce_conn, pkt, buffer);
2546 if (!NT_STATUS_IS_OK(status)) {
2547 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2548 return;
2549 }
2550
2551 /*
2552 * This is used to block the connection during
2553 * pending authentication.
2554 */
2555 if (dce_conn->wait_send != NULL) {
2556 subreq = dce_conn->wait_send(dce_conn,
2557 dce_conn->event_ctx,
2558 dce_conn->wait_private);
2559 if (!subreq) {
2560 status = NT_STATUS_NO_MEMORY;
2561 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2562 return;
2563 }
2564 tevent_req_set_callback(subreq, dcesrv_conn_wait_done, dce_conn);
2565 return;
2566 }
2567
2568 subreq = dcerpc_read_ncacn_packet_send(dce_conn,
2569 dce_conn->event_ctx,
2570 dce_conn->stream);
2571 if (!subreq) {
2572 status = NT_STATUS_NO_MEMORY;
2573 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2574 return;
2575 }
2576 tevent_req_set_callback(subreq, dcesrv_read_fragment_done, dce_conn);
2577 }
2578
2579 static void dcesrv_conn_wait_done(struct tevent_req *subreq)
2580 {
2581 struct dcesrv_connection *dce_conn = tevent_req_callback_data(subreq,
2582 struct dcesrv_connection);
2583 struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2584 NTSTATUS status;
2585
2586 if (dce_conn->terminate) {
2587 /*
2588 * if the current connection is broken
2589 * we need to clean it up before any other connection
2590 */
2591 dcesrv_terminate_connection(dce_conn, dce_conn->terminate);
2592 dcesrv_cleanup_broken_connections(dce_ctx);
2593 return;
2594 }
2595
2596 dcesrv_cleanup_broken_connections(dce_ctx);
2597
2598 status = dce_conn->wait_recv(subreq);
2599 dce_conn->wait_send = NULL;
2600 dce_conn->wait_recv = NULL;
2601 dce_conn->wait_private = NULL;
2602 TALLOC_FREE(subreq);
2603 if (!NT_STATUS_IS_OK(status)) {
2604 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2605 return;
2606 }
2607
2608 subreq = dcerpc_read_ncacn_packet_send(dce_conn,
2609 dce_conn->event_ctx,
2610 dce_conn->stream);
2611 if (!subreq) {
2612 status = NT_STATUS_NO_MEMORY;
2613 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2614 return;
2615 }
2616 tevent_req_set_callback(subreq, dcesrv_read_fragment_done, dce_conn);
2617 }
2618
2619 static void dcesrv_sock_recv(struct stream_connection *conn, uint16_t flags)
2620 {
2621 struct dcesrv_connection *dce_conn = talloc_get_type(conn->private_data,
2622 struct dcesrv_connection);
2623 dcesrv_terminate_connection(dce_conn, "dcesrv_sock_recv triggered");
2624 }
2625
2626 static void dcesrv_sock_send(struct stream_connection *conn, uint16_t flags)
2627 {
2628 struct dcesrv_connection *dce_conn = talloc_get_type(conn->private_data,
2629 struct dcesrv_connection);
2630 dcesrv_terminate_connection(dce_conn, "dcesrv_sock_send triggered");
2631 }
2632
2633
2634 static const struct stream_server_ops dcesrv_stream_ops = {
2635 .name = "rpc",
2636 .accept_connection = dcesrv_sock_accept,
2637 .recv_handler = dcesrv_sock_recv,
2638 .send_handler = dcesrv_sock_send,
2639 };
2640
2641 static NTSTATUS dcesrv_add_ep_unix(struct dcesrv_context *dce_ctx,
2642 struct loadparm_context *lp_ctx,
2643 struct dcesrv_endpoint *e,
2644 struct tevent_context *event_ctx, const struct model_ops *model_ops)
2645 {
2646 struct dcesrv_socket_context *dcesrv_sock;
2647 uint16_t port = 1;
2648 NTSTATUS status;
2649 const char *endpoint;
2650
2651 dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
2652 NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
2653
2654 /* remember the endpoint of this socket */
2655 dcesrv_sock->endpoint = e;
2656 dcesrv_sock->dcesrv_ctx = talloc_reference(dcesrv_sock, dce_ctx);
2657
2658 endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
2659
2660 status = stream_setup_socket(dcesrv_sock, event_ctx, lp_ctx,
2661 model_ops, &dcesrv_stream_ops,
2662 "unix", endpoint, &port,
2663 lpcfg_socket_options(lp_ctx),
2664 dcesrv_sock);
2665 if (!NT_STATUS_IS_OK(status)) {
2666 DEBUG(0,("service_setup_stream_socket(path=%s) failed - %s\n",
2667 endpoint, nt_errstr(status)));
2668 }
2669
2670 return status;
2671 }
2672
2673 static NTSTATUS dcesrv_add_ep_ncalrpc(struct dcesrv_context *dce_ctx,
2674 struct loadparm_context *lp_ctx,
2675 struct dcesrv_endpoint *e,
2676 struct tevent_context *event_ctx, const struct model_ops *model_ops)
2677 {
2678 struct dcesrv_socket_context *dcesrv_sock;
2679 uint16_t port = 1;
2680 char *full_path;
2681 NTSTATUS status;
2682 const char *endpoint;
2683
2684 endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
2685
2686 if (endpoint == NULL) {
2687 /*
2688 * No identifier specified: use DEFAULT.
2689 *
2690 * TODO: DO NOT hardcode this value anywhere else. Rather, specify
2691 * no endpoint and let the epmapper worry about it.
2692 */
2693 endpoint = "DEFAULT";
2694 status = dcerpc_binding_set_string_option(e->ep_description,
2695 "endpoint",
2696 endpoint);
2697 if (!NT_STATUS_IS_OK(status)) {
2698 DEBUG(0,("dcerpc_binding_set_string_option() failed - %s\n",
2699 nt_errstr(status)));
2700 return status;
2701 }
2702 }
2703
2704 full_path = talloc_asprintf(dce_ctx, "%s/%s", lpcfg_ncalrpc_dir(lp_ctx),
2705 endpoint);
2706
2707 dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
2708 NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
2709
2710 /* remember the endpoint of this socket */
2711 dcesrv_sock->endpoint = e;
2712 dcesrv_sock->dcesrv_ctx = talloc_reference(dcesrv_sock, dce_ctx);
2713
2714 status = stream_setup_socket(dcesrv_sock, event_ctx, lp_ctx,
2715 model_ops, &dcesrv_stream_ops,
2716 "unix", full_path, &port,
2717 lpcfg_socket_options(lp_ctx),
2718 dcesrv_sock);
2719 if (!NT_STATUS_IS_OK(status)) {
2720 DEBUG(0,("service_setup_stream_socket(identifier=%s,path=%s) failed - %s\n",
2721 endpoint, full_path, nt_errstr(status)));
2722 }
2723 return status;
2724 }
2725
2726 static NTSTATUS dcesrv_add_ep_np(struct dcesrv_context *dce_ctx,
2727 struct loadparm_context *lp_ctx,
2728 struct dcesrv_endpoint *e,
2729 struct tevent_context *event_ctx, const struct model_ops *model_ops)
2730 {
2731 struct dcesrv_socket_context *dcesrv_sock;
2732 NTSTATUS status;
2733 const char *endpoint;
2734
2735 endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
2736 if (endpoint == NULL) {
2737 DEBUG(0, ("Endpoint mandatory for named pipes\n"));
2738 return NT_STATUS_INVALID_PARAMETER;
2739 }
2740
2741 dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
2742 NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
2743
2744 /* remember the endpoint of this socket */
2745 dcesrv_sock->endpoint = e;
2746 dcesrv_sock->dcesrv_ctx = talloc_reference(dcesrv_sock, dce_ctx);
2747
2748 status = tstream_setup_named_pipe(dce_ctx, event_ctx, lp_ctx,
2749 model_ops, &dcesrv_stream_ops,
2750 endpoint,
2751 dcesrv_sock);
2752 if (!NT_STATUS_IS_OK(status)) {
2753 DEBUG(0,("stream_setup_named_pipe(pipe=%s) failed - %s\n",
2754 endpoint, nt_errstr(status)));
2755 return status;
2756 }
2757
2758 return NT_STATUS_OK;
2759 }
2760
2761 /*
2762 add a socket address to the list of events, one event per dcerpc endpoint
2763 */
2764 static NTSTATUS add_socket_rpc_tcp_iface(struct dcesrv_context *dce_ctx, struct dcesrv_endpoint *e,
2765 struct tevent_context *event_ctx, const struct model_ops *model_ops,
2766 const char *address)
2767 {
2768 struct dcesrv_socket_context *dcesrv_sock;
2769 uint16_t port = 0;
2770 NTSTATUS status;
2771 const char *endpoint;
2772 char port_str[6];
2773
2774 endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
2775 if (endpoint != NULL) {
2776 port = atoi(endpoint);
2777 }
2778
2779 dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
2780 NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
2781
2782 /* remember the endpoint of this socket */
2783 dcesrv_sock->endpoint = e;
2784 dcesrv_sock->dcesrv_ctx = talloc_reference(dcesrv_sock, dce_ctx);
2785
2786 status = stream_setup_socket(dcesrv_sock, event_ctx, dce_ctx->lp_ctx,
2787 model_ops, &dcesrv_stream_ops,
2788 "ip", address, &port,
2789 lpcfg_socket_options(dce_ctx->lp_ctx),
2790 dcesrv_sock);
2791 if (!NT_STATUS_IS_OK(status)) {
2792 struct dcesrv_if_list *iface;
2793 DEBUG(0,("service_setup_stream_socket(address=%s,port=%u) for ",
2794 address, port));
2795 for (iface = e->interface_list; iface; iface = iface->next) {
2796 DEBUGADD(0, ("%s ", iface->iface.name));
2797 }
2798 DEBUGADD(0, ("failed - %s",
2799 nt_errstr(status)));
2800 return status;
2801 }
2802
2803 snprintf(port_str, sizeof(port_str), "%u", port);
2804
2805 status = dcerpc_binding_set_string_option(e->ep_description,
2806 "endpoint", port_str);
2807 if (!NT_STATUS_IS_OK(status)) {
2808 DEBUG(0,("dcerpc_binding_set_string_option(endpoint, %s) failed - %s\n",
2809 port_str, nt_errstr(status)));
2810 return status;
2811 } else {
2812 struct dcesrv_if_list *iface;
2813 DEBUG(4,("Successfully listening on ncacn_ip_tcp endpoint [%s]:[%s] for ",
2814 address, port_str));
2815 for (iface = e->interface_list; iface; iface = iface->next) {
2816 DEBUGADD(4, ("%s ", iface->iface.name));
2817 }
2818 DEBUGADD(4, ("\n"));
2819 }
2820
2821 return NT_STATUS_OK;
2822 }
2823
2824 #include "lib/socket/netif.h" /* Included here to work around the fact that socket_wrapper redefines bind() */
2825
2826 static NTSTATUS dcesrv_add_ep_tcp(struct dcesrv_context *dce_ctx,
2827 struct loadparm_context *lp_ctx,
2828 struct dcesrv_endpoint *e,
2829 struct tevent_context *event_ctx, const struct model_ops *model_ops)
2830 {
2831 NTSTATUS status;
2832
2833 /* Add TCP/IP sockets */
2834 if (lpcfg_interfaces(lp_ctx) && lpcfg_bind_interfaces_only(lp_ctx)) {
2835 int num_interfaces;
2836 int i;
2837 struct interface *ifaces;
2838
2839 load_interface_list(dce_ctx, lp_ctx, &ifaces);
2840
2841 num_interfaces = iface_list_count(ifaces);
2842 for(i = 0; i < num_interfaces; i++) {
2843 const char *address = iface_list_n_ip(ifaces, i);
2844 status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx, model_ops, address);
2845 NT_STATUS_NOT_OK_RETURN(status);
2846 }
2847 } else {
2848 char **wcard;
2849 int i;
2850 int num_binds = 0;
2851 wcard = iface_list_wildcard(dce_ctx);
2852 NT_STATUS_HAVE_NO_MEMORY(wcard);
2853 for (i=0; wcard[i]; i++) {
2854 status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx, model_ops, wcard[i]);
2855 if (NT_STATUS_IS_OK(status)) {
2856 num_binds++;
2857 }
2858 }
2859 talloc_free(wcard);
2860 if (num_binds == 0) {
2861 return NT_STATUS_INVALID_PARAMETER_MIX;
2862 }
2863 }
2864
2865 return NT_STATUS_OK;
2866 }
2867
2868 NTSTATUS dcesrv_add_ep(struct dcesrv_context *dce_ctx,
2869 struct loadparm_context *lp_ctx,
2870 struct dcesrv_endpoint *e,
2871 struct tevent_context *event_ctx,
2872 const struct model_ops *model_ops)
2873 {
2874 enum dcerpc_transport_t transport =
2875 dcerpc_binding_get_transport(e->ep_description);
2876
2877 switch (transport) {
2878 case NCACN_UNIX_STREAM:
2879 return dcesrv_add_ep_unix(dce_ctx, lp_ctx, e, event_ctx, model_ops);
2880
2881 case NCALRPC:
2882 return dcesrv_add_ep_ncalrpc(dce_ctx, lp_ctx, e, event_ctx, model_ops);
2883
2884 case NCACN_IP_TCP:
2885 return dcesrv_add_ep_tcp(dce_ctx, lp_ctx, e, event_ctx, model_ops);
2886
2887 case NCACN_NP:
2888 return dcesrv_add_ep_np(dce_ctx, lp_ctx, e, event_ctx, model_ops);
2889
2890 default:
2891 return NT_STATUS_NOT_SUPPORTED;
2892 }
2893 }
2894
2895
2896 /**
2897 * retrieve credentials from a dce_call
2898 */
2899 _PUBLIC_ struct cli_credentials *dcesrv_call_credentials(struct dcesrv_call_state *dce_call)
2900 {
2901 return dce_call->conn->auth_state.session_info->credentials;
2902 }
2903
2904 /**
2905 * returns true if this is an authenticated call
2906 */
2907 _PUBLIC_ bool dcesrv_call_authenticated(struct dcesrv_call_state *dce_call)
2908 {
2909 enum security_user_level level;
2910 level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
2911 return level >= SECURITY_USER;
2912 }
2913
2914 /**
2915 * retrieve account_name for a dce_call
2916 */
2917 _PUBLIC_ const char *dcesrv_call_account_name(struct dcesrv_call_state *dce_call)
2918 {
2919 return dce_call->context->conn->auth_state.session_info->info->account_name;
2920 }
Samba GIT mirror