git.samba.org / samba.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
lib/util: remove extra safe_string.h file
[samba.git] / librpc / rpc / dcesrv_core.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    server side dcerpc core code
5
6    Copyright (C) Andrew Tridgell 2003-2005
7    Copyright (C) Stefan (metze) Metzmacher 2004-2005
8    Copyright (C) Samuel Cabrero <scabrero@samba.org> 2019
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "librpc/rpc/dcesrv_core.h"
26 #include "librpc/rpc/dcesrv_core_proto.h"
27 #include "librpc/gen_ndr/auth.h"
28 #include "auth/gensec/gensec.h"
29 #include "lib/util/dlinklist.h"
30 #include "libcli/security/security.h"
31 #include "param/param.h"
32 #include "lib/tsocket/tsocket.h"
33 #include "librpc/gen_ndr/ndr_dcerpc.h"
34 #include "lib/util/tevent_ntstatus.h"
35
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_RPC_SRV
39
40 #undef strcasecmp
41
42 static NTSTATUS dcesrv_negotiate_contexts(struct dcesrv_call_state *call,
43                                 const struct dcerpc_bind *b,
44                                 struct dcerpc_ack_ctx *ack_ctx_list);
45
46 /*
47   see if two endpoints match
48 */
49 static bool endpoints_match(const struct dcerpc_binding *ep1,
50                             const struct dcerpc_binding *ep2)
51 {
52         enum dcerpc_transport_t t1;
53         enum dcerpc_transport_t t2;
54         const char *e1;
55         const char *e2;
56
57         t1 = dcerpc_binding_get_transport(ep1);
58         t2 = dcerpc_binding_get_transport(ep2);
59
60         e1 = dcerpc_binding_get_string_option(ep1, "endpoint");
61         e2 = dcerpc_binding_get_string_option(ep2, "endpoint");
62
63         if (t1 != t2) {
64                 return false;
65         }
66
67         if (!e1 || !e2) {
68                 return e1 == e2;
69         }
70
71         if (strcasecmp(e1, e2) != 0) {
72                 return false;
73         }
74
75         return true;
76 }
77
78 /*
79   find an endpoint in the dcesrv_context
80 */
81 _PUBLIC_ NTSTATUS dcesrv_find_endpoint(struct dcesrv_context *dce_ctx,
82                                 const struct dcerpc_binding *ep_description,
83                                 struct dcesrv_endpoint **_out)
84 {
85         struct dcesrv_endpoint *ep = NULL;
86         for (ep=dce_ctx->endpoint_list; ep; ep=ep->next) {
87                 if (endpoints_match(ep->ep_description, ep_description)) {
88                         *_out = ep;
89                         return NT_STATUS_OK;
90                 }
91         }
92         return NT_STATUS_NOT_FOUND;
93 }
94
95 /*
96   find a registered context_id from a bind or alter_context
97 */
98 static struct dcesrv_connection_context *dcesrv_find_context(struct dcesrv_connection *conn,
99                                                              uint16_t context_id)
100 {
101         struct dcesrv_connection_context *c;
102         for (c=conn->contexts;c;c=c->next) {
103                 if (c->context_id == context_id) return c;
104         }
105         return NULL;
106 }
107
108 /*
109   see if a uuid and if_version match to an interface
110 */
111 static bool interface_match(const struct dcesrv_interface *if1,
112                                                         const struct dcesrv_interface *if2)
113 {
114         return (if1->syntax_id.if_version == if2->syntax_id.if_version &&
115                         GUID_equal(&if1->syntax_id.uuid, &if2->syntax_id.uuid));
116 }
117
118 /*
119   find the interface operations on any endpoint with this binding
120 */
121 static const struct dcesrv_interface *find_interface_by_binding(struct dcesrv_context *dce_ctx,
122                                                                 struct dcerpc_binding *binding,
123                                                                 const struct dcesrv_interface *iface)
124 {
125         struct dcesrv_endpoint *ep;
126         for (ep=dce_ctx->endpoint_list; ep; ep=ep->next) {
127                 if (endpoints_match(ep->ep_description, binding)) {
128                         struct dcesrv_if_list *ifl;
129                         for (ifl=ep->interface_list; ifl; ifl=ifl->next) {
130                                 if (interface_match(ifl->iface, iface)) {
131                                         return ifl->iface;
132                                 }
133                         }
134                 }
135         }
136         return NULL;
137 }
138
139 /*
140   see if a uuid and if_version match to an interface
141 */
142 static bool interface_match_by_uuid(const struct dcesrv_interface *iface,
143                                     const struct GUID *uuid, uint32_t if_version)
144 {
145         return (iface->syntax_id.if_version == if_version &&
146                         GUID_equal(&iface->syntax_id.uuid, uuid));
147 }
148
149 /*
150   find the interface operations on an endpoint by uuid
151 */
152 _PUBLIC_ const struct dcesrv_interface *find_interface_by_uuid(const struct dcesrv_endpoint *endpoint,
153                                                       const struct GUID *uuid, uint32_t if_version)
154 {
155         struct dcesrv_if_list *ifl;
156         for (ifl=endpoint->interface_list; ifl; ifl=ifl->next) {
157                 if (interface_match_by_uuid(ifl->iface, uuid, if_version)) {
158                         return ifl->iface;
159                 }
160         }
161         return NULL;
162 }
163
164 /*
165   find the earlier parts of a fragmented call awaiting reassembily
166 */
167 static struct dcesrv_call_state *dcesrv_find_fragmented_call(struct dcesrv_connection *dce_conn, uint32_t call_id)
168 {
169         struct dcesrv_call_state *c;
170         for (c=dce_conn->incoming_fragmented_call_list;c;c=c->next) {
171                 if (c->pkt.call_id == call_id) {
172                         return c;
173                 }
174         }
175         return NULL;
176 }
177
178 /*
179   register an interface on an endpoint
180
181   An endpoint is one unix domain socket (for ncalrpc), one TCP port
182   (for ncacn_ip_tcp) or one (forwarded) named pipe (for ncacn_np).
183
184   Each endpoint can have many interfaces such as netlogon, lsa or
185   samr.  Some have essentially the full set.
186
187   This is driven from the set of interfaces listed in each IDL file
188   via the PIDL generated *__op_init_server() functions.
189 */
190 _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
191                                    const char *ep_name,
192                                    const char *ncacn_np_secondary_endpoint,
193                                    const struct dcesrv_interface *iface,
194                                    const struct security_descriptor *sd)
195 {
196         struct dcesrv_endpoint *ep;
197         struct dcesrv_if_list *ifl;
198         struct dcerpc_binding *binding;
199         struct dcerpc_binding *binding2 = NULL;
200         bool add_ep = false;
201         NTSTATUS status;
202         enum dcerpc_transport_t transport;
203         char *ep_string = NULL;
204         bool use_single_process = true;
205         const char *ep_process_string;
206
207         /*
208          * If we are not using handles, there is no need for force
209          * this service into using a single process.
210          *
211          * However, due to the way we listen for RPC packets, we can
212          * only do this if we have a single service per pipe or TCP
213          * port, so we still force a single combined process for
214          * ncalrpc.
215          */
216         if (iface->flags & DCESRV_INTERFACE_FLAGS_HANDLES_NOT_USED) {
217                 use_single_process = false;
218         }
219
220         status = dcerpc_parse_binding(dce_ctx, ep_name, &binding);
221
222         if (NT_STATUS_IS_ERR(status)) {
223                 DEBUG(0, ("Trouble parsing binding string '%s'\n", ep_name));
224                 return status;
225         }
226
227         transport = dcerpc_binding_get_transport(binding);
228         if (transport == NCACN_IP_TCP) {
229                 int port;
230                 char port_str[6];
231
232                 /*
233                  * First check if there is already a port specified, eg
234                  * for epmapper on ncacn_ip_tcp:[135]
235                  */
236                 const char *endpoint
237                         = dcerpc_binding_get_string_option(binding,
238                                                            "endpoint");
239                 if (endpoint == NULL) {
240                         port = lpcfg_parm_int(dce_ctx->lp_ctx, NULL,
241                                               "rpc server port", iface->name, 0);
242
243                         /*
244                          * For RPC services that are not set to use a single
245                          * process, we do not default to using the 'rpc server
246                          * port' because that would cause a double-bind on
247                          * that port.
248                          */
249                         if (port == 0 && !use_single_process) {
250                                 port = lpcfg_rpc_server_port(dce_ctx->lp_ctx);
251                         }
252                         if (port != 0) {
253                                 snprintf(port_str, sizeof(port_str), "%u", port);
254                                 status = dcerpc_binding_set_string_option(binding,
255                                                                           "endpoint",
256                                                                           port_str);
257                                 if (!NT_STATUS_IS_OK(status)) {
258                                         return status;
259                                 }
260                         }
261                 }
262         }
263
264         if (transport == NCACN_NP && ncacn_np_secondary_endpoint != NULL) {
265                 enum dcerpc_transport_t transport2;
266
267                 status = dcerpc_parse_binding(dce_ctx,
268                                               ncacn_np_secondary_endpoint,
269                                               &binding2);
270                 if (!NT_STATUS_IS_OK(status)) {
271                         DEBUG(0, ("Trouble parsing 2nd binding string '%s'\n",
272                                   ncacn_np_secondary_endpoint));
273                         return status;
274                 }
275
276                 transport2 = dcerpc_binding_get_transport(binding2);
277                 SMB_ASSERT(transport2 == transport);
278         }
279
280         /* see if the interface is already registered on the endpoint */
281         if (find_interface_by_binding(dce_ctx, binding, iface)!=NULL) {
282                 DEBUG(0,("dcesrv_interface_register: interface '%s' already registered on endpoint '%s'\n",
283                          iface->name, ep_name));
284                 return NT_STATUS_OBJECT_NAME_COLLISION;
285         }
286
287         /* check if this endpoint exists
288          */
289         status = dcesrv_find_endpoint(dce_ctx, binding, &ep);
290         if (NT_STATUS_IS_OK(status)) {
291                 /*
292                  * We want a new port on ncacn_ip_tcp for NETLOGON, so
293                  * it can be multi-process.  Other processes can also
294                  * listen on distinct ports, if they have one forced
295                  * in the code above with eg 'rpc server port:drsuapi = 1027'
296                  *
297                  * If we have mulitiple endpoints on port 0, they each
298                  * get an epemeral port (currently by walking up from
299                  * 1024).
300                  *
301                  * Because one endpoint can only have one process
302                  * model, we add a new IP_TCP endpoint for each model.
303                  *
304                  * This works in conjunction with the forced overwrite
305                  * of ep->use_single_process below.
306                  */
307                 if (ep->use_single_process != use_single_process
308                     && transport == NCACN_IP_TCP) {
309                         add_ep = true;
310                 }
311         }
312
313         if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND) || add_ep) {
314                 ep = talloc_zero(dce_ctx, struct dcesrv_endpoint);
315                 if (!ep) {
316                         return NT_STATUS_NO_MEMORY;
317                 }
318                 ZERO_STRUCTP(ep);
319                 ep->ep_description = talloc_move(ep, &binding);
320                 ep->ep_2nd_description = talloc_move(ep, &binding2);
321                 add_ep = true;
322
323                 /* add mgmt interface */
324                 ifl = talloc_zero(ep, struct dcesrv_if_list);
325                 if (!ifl) {
326                         return NT_STATUS_NO_MEMORY;
327                 }
328
329                 ifl->iface = talloc_memdup(ifl,
330                                            dcesrv_get_mgmt_interface(),
331                                            sizeof(struct dcesrv_interface));
332                 if (ifl->iface == NULL) {
333                         talloc_free(ep);
334                         return NT_STATUS_NO_MEMORY;
335                 }
336
337                 DLIST_ADD(ep->interface_list, ifl);
338         } else if (!NT_STATUS_IS_OK(status)) {
339                 DBG_NOTICE("Failed to find endpoint: %s\n", nt_errstr(status));
340                 return status;
341         }
342
343         /*
344          * By default don't force into a single process, but if any
345          * interface on this endpoint on this service uses handles
346          * (most do), then we must force into single process mode
347          *
348          * By overwriting this each time a new interface is added to
349          * this endpoint, we end up with the most restrictive setting.
350          */
351         if (use_single_process) {
352                 ep->use_single_process = true;
353         }
354
355         /* talloc a new interface list element */
356         ifl = talloc_zero(ep, struct dcesrv_if_list);
357         if (!ifl) {
358                 return NT_STATUS_NO_MEMORY;
359         }
360
361         /* copy the given interface struct to the one on the endpoints interface list */
362         ifl->iface = talloc_memdup(ifl,
363                                    iface,
364                                    sizeof(struct dcesrv_interface));
365         if (ifl->iface == NULL) {
366                 talloc_free(ep);
367                 return NT_STATUS_NO_MEMORY;
368         }
369
370         /* if we have a security descriptor given,
371          * we should see if we can set it up on the endpoint
372          */
373         if (sd != NULL) {
374                 /* if there's currently no security descriptor given on the endpoint
375                  * we try to set it
376                  */
377                 if (ep->sd == NULL) {
378                         ep->sd = security_descriptor_copy(ep, sd);
379                 }
380
381                 /* if now there's no security descriptor given on the endpoint
382                  * something goes wrong, either we failed to copy the security descriptor
383                  * or there was already one on the endpoint
384                  */
385                 if (ep->sd != NULL) {
386                         DEBUG(0,("dcesrv_interface_register: interface '%s' failed to setup a security descriptor\n"
387                                  "                           on endpoint '%s'\n",
388                                 iface->name, ep_name));
389                         if (add_ep) free(ep);
390                         free(ifl);
391                         return NT_STATUS_OBJECT_NAME_COLLISION;
392                 }
393         }
394
395         /* finally add the interface on the endpoint */
396         DLIST_ADD(ep->interface_list, ifl);
397
398         /* if it's a new endpoint add it to the dcesrv_context */
399         if (add_ep) {
400                 DLIST_ADD(dce_ctx->endpoint_list, ep);
401         }
402
403         /* Re-get the string as we may have set a port */
404         ep_string = dcerpc_binding_string(dce_ctx, ep->ep_description);
405
406         if (use_single_process) {
407                 ep_process_string = "single process required";
408         } else {
409                 ep_process_string = "multi process compatible";
410         }
411
412         DBG_INFO("Interface '%s' registered on endpoint '%s' (%s)\n",
413                  iface->name, ep_string, ep_process_string);
414         TALLOC_FREE(ep_string);
415
416         return NT_STATUS_OK;
417 }
418
419 static NTSTATUS dcesrv_session_info_session_key(struct dcesrv_auth *auth,
420                                                 DATA_BLOB *session_key)
421 {
422         if (auth->session_info == NULL) {
423                 return NT_STATUS_NO_USER_SESSION_KEY;
424         }
425
426         if (auth->session_info->session_key.length == 0) {
427                 return NT_STATUS_NO_USER_SESSION_KEY;
428         }
429
430         *session_key = auth->session_info->session_key;
431         return NT_STATUS_OK;
432 }
433
434 static NTSTATUS dcesrv_remote_session_key(struct dcesrv_auth *auth,
435                                           DATA_BLOB *session_key)
436 {
437         if (auth->auth_type != DCERPC_AUTH_TYPE_NONE) {
438                 return NT_STATUS_NO_USER_SESSION_KEY;
439         }
440
441         return dcesrv_session_info_session_key(auth, session_key);
442 }
443
444 static NTSTATUS dcesrv_local_fixed_session_key(struct dcesrv_auth *auth,
445                                                DATA_BLOB *session_key)
446 {
447         return dcerpc_generic_session_key(session_key);
448 }
449
450 /*
451  * Fetch the authentication session key if available.
452  *
453  * This is the key generated by a gensec authentication.
454  *
455  */
456 _PUBLIC_ NTSTATUS dcesrv_auth_session_key(struct dcesrv_call_state *call,
457                                           DATA_BLOB *session_key)
458 {
459         struct dcesrv_auth *auth = call->auth_state;
460         SMB_ASSERT(auth->auth_finished);
461         return dcesrv_session_info_session_key(auth, session_key);
462 }
463
464 /*
465  * Fetch the transport session key if available.
466  * Typically this is the SMB session key
467  * or a fixed key for local transports.
468  *
469  * The key is always truncated to 16 bytes.
470 */
471 _PUBLIC_ NTSTATUS dcesrv_transport_session_key(struct dcesrv_call_state *call,
472                                                DATA_BLOB *session_key)
473 {
474         struct dcesrv_auth *auth = call->auth_state;
475         NTSTATUS status;
476
477         SMB_ASSERT(auth->auth_finished);
478
479         if (auth->session_key_fn == NULL) {
480                 return NT_STATUS_NO_USER_SESSION_KEY;
481         }
482
483         status = auth->session_key_fn(auth, session_key);
484         if (!NT_STATUS_IS_OK(status)) {
485                 return status;
486         }
487
488         session_key->length = MIN(session_key->length, 16);
489
490         return NT_STATUS_OK;
491 }
492
493 static struct dcesrv_auth *dcesrv_auth_create(struct dcesrv_connection *conn)
494 {
495         const struct dcesrv_endpoint *ep = conn->endpoint;
496         enum dcerpc_transport_t transport =
497                 dcerpc_binding_get_transport(ep->ep_description);
498         struct dcesrv_auth *auth = NULL;
499
500         auth = talloc_zero(conn, struct dcesrv_auth);
501         if (auth == NULL) {
502                 return NULL;
503         }
504
505         switch (transport) {
506         case NCACN_NP:
507                 auth->session_key_fn = dcesrv_remote_session_key;
508                 break;
509         case NCALRPC:
510         case NCACN_UNIX_STREAM:
511                 auth->session_key_fn = dcesrv_local_fixed_session_key;
512                 break;
513         default:
514                 /*
515                  * All other's get a NULL pointer, which
516                  * results in NT_STATUS_NO_USER_SESSION_KEY
517                  */
518                 break;
519         }
520
521         return auth;
522 }
523
524 /*
525   connect to a dcerpc endpoint
526 */
527 _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
528                                 TALLOC_CTX *mem_ctx,
529                                 const struct dcesrv_endpoint *ep,
530                                 struct auth_session_info *session_info,
531                                 struct tevent_context *event_ctx,
532                                 uint32_t state_flags,
533                                 struct dcesrv_connection **_p)
534 {
535         struct dcesrv_auth *auth = NULL;
536         struct dcesrv_connection *p;
537
538         if (!session_info) {
539                 return NT_STATUS_ACCESS_DENIED;
540         }
541
542         p = talloc_zero(mem_ctx, struct dcesrv_connection);
543         NT_STATUS_HAVE_NO_MEMORY(p);
544
545         p->dce_ctx = dce_ctx;
546         p->endpoint = ep;
547         p->packet_log_dir = lpcfg_parm_string(dce_ctx->lp_ctx,
548                                               NULL,
549                                               "dcesrv",
550                                               "stubs directory");
551         p->event_ctx = event_ctx;
552         p->state_flags = state_flags;
553         p->allow_bind = true;
554         p->max_recv_frag = 5840;
555         p->max_xmit_frag = 5840;
556         p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE;
557
558         p->support_hdr_signing = lpcfg_parm_bool(dce_ctx->lp_ctx,
559                                                  NULL,
560                                                  "dcesrv",
561                                                  "header signing",
562                                                  true);
563         p->max_auth_states = lpcfg_parm_ulong(dce_ctx->lp_ctx,
564                                               NULL,
565                                               "dcesrv",
566                                               "max auth states",
567                                               2049);
568
569         auth = dcesrv_auth_create(p);
570         if (auth == NULL) {
571                 talloc_free(p);
572                 return NT_STATUS_NO_MEMORY;
573         }
574
575         auth->session_info = talloc_reference(auth, session_info);
576         if (auth->session_info == NULL) {
577                 talloc_free(p);
578                 return NT_STATUS_NO_MEMORY;
579         }
580
581         p->default_auth_state = auth;
582
583         /*
584          * For now we only support NDR32.
585          */
586         p->preferred_transfer = &ndr_transfer_syntax_ndr;
587
588         *_p = p;
589         return NT_STATUS_OK;
590 }
591
592 /*
593   move a call from an existing linked list to the specified list. This
594   prevents bugs where we forget to remove the call from a previous
595   list when moving it.
596  */
597 static void dcesrv_call_set_list(struct dcesrv_call_state *call,
598                                  enum dcesrv_call_list list)
599 {
600         switch (call->list) {
601         case DCESRV_LIST_NONE:
602                 break;
603         case DCESRV_LIST_CALL_LIST:
604                 DLIST_REMOVE(call->conn->call_list, call);
605                 break;
606         case DCESRV_LIST_FRAGMENTED_CALL_LIST:
607                 DLIST_REMOVE(call->conn->incoming_fragmented_call_list, call);
608                 break;
609         case DCESRV_LIST_PENDING_CALL_LIST:
610                 DLIST_REMOVE(call->conn->pending_call_list, call);
611                 break;
612         }
613         call->list = list;
614         switch (list) {
615         case DCESRV_LIST_NONE:
616                 break;
617         case DCESRV_LIST_CALL_LIST:
618                 DLIST_ADD_END(call->conn->call_list, call);
619                 break;
620         case DCESRV_LIST_FRAGMENTED_CALL_LIST:
621                 DLIST_ADD_END(call->conn->incoming_fragmented_call_list, call);
622                 break;
623         case DCESRV_LIST_PENDING_CALL_LIST:
624                 DLIST_ADD_END(call->conn->pending_call_list, call);
625                 break;
626         }
627 }
628
629 static void dcesrv_call_disconnect_after(struct dcesrv_call_state *call,
630                                          const char *reason)
631 {
632         struct dcesrv_auth *a = NULL;
633
634         if (call->conn->terminate != NULL) {
635                 return;
636         }
637
638         call->conn->allow_bind = false;
639         call->conn->allow_alter = false;
640
641         call->conn->default_auth_state->auth_invalid = true;
642
643         for (a = call->conn->auth_states; a != NULL; a = a->next) {
644                 a->auth_invalid = true;
645         }
646
647         call->terminate_reason = talloc_strdup(call, reason);
648         if (call->terminate_reason == NULL) {
649                 call->terminate_reason = __location__;
650         }
651 }
652
653 /*
654   return a dcerpc bind_nak
655 */
656 static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason)
657 {
658         struct ncacn_packet pkt;
659         struct dcerpc_bind_nak_version version;
660         struct data_blob_list_item *rep;
661         NTSTATUS status;
662         static const uint8_t _pad[3] = { 0, };
663
664         /*
665          * We add the call to the pending_call_list
666          * in order to defer the termination.
667          */
668         dcesrv_call_disconnect_after(call, "dcesrv_bind_nak");
669
670         /* setup a bind_nak */
671         dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
672         pkt.auth_length = 0;
673         pkt.call_id = call->pkt.call_id;
674         pkt.ptype = DCERPC_PKT_BIND_NAK;
675         pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
676         pkt.u.bind_nak.reject_reason = reason;
677         version.rpc_vers = 5;
678         version.rpc_vers_minor = 0;
679         pkt.u.bind_nak.num_versions = 1;
680         pkt.u.bind_nak.versions = &version;
681         pkt.u.bind_nak._pad = data_blob_const(_pad, sizeof(_pad));
682
683         rep = talloc_zero(call, struct data_blob_list_item);
684         if (!rep) {
685                 return NT_STATUS_NO_MEMORY;
686         }
687
688         status = dcerpc_ncacn_push_auth(&rep->blob, call, &pkt, NULL);
689         if (!NT_STATUS_IS_OK(status)) {
690                 return status;
691         }
692
693         dcerpc_set_frag_length(&rep->blob, rep->blob.length);
694
695         DLIST_ADD_END(call->replies, rep);
696         dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
697
698         if (call->conn->call_list && call->conn->call_list->replies) {
699                 if (call->conn->transport.report_output_data) {
700                         call->conn->transport.report_output_data(call->conn);
701                 }
702         }
703
704         return NT_STATUS_OK;
705 }
706
707 static NTSTATUS dcesrv_fault_disconnect(struct dcesrv_call_state *call,
708                                  uint32_t fault_code)
709 {
710         /*
711          * We add the call to the pending_call_list
712          * in order to defer the termination.
713          */
714         dcesrv_call_disconnect_after(call, "dcesrv_fault_disconnect");
715
716         return dcesrv_fault_with_flags(call, fault_code,
717                                        DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
718 }
719
720 static int dcesrv_connection_context_destructor(struct dcesrv_connection_context *c)
721 {
722         DLIST_REMOVE(c->conn->contexts, c);
723
724         if (c->iface && c->iface->unbind) {
725                 c->iface->unbind(c, c->iface);
726                 c->iface = NULL;
727         }
728
729         return 0;
730 }
731
732 static void dcesrv_prepare_context_auth(struct dcesrv_call_state *dce_call)
733 {
734         struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
735         const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
736         enum dcerpc_transport_t transport =
737                 dcerpc_binding_get_transport(endpoint->ep_description);
738         struct dcesrv_connection_context *context = dce_call->context;
739         const struct dcesrv_interface *iface = context->iface;
740
741         context->min_auth_level = DCERPC_AUTH_LEVEL_NONE;
742
743         if (transport == NCALRPC) {
744                 context->allow_connect = true;
745                 return;
746         }
747
748         /*
749          * allow overwrite per interface
750          * allow dcerpc auth level connect:<interface>
751          */
752         context->allow_connect = lpcfg_allow_dcerpc_auth_level_connect(lp_ctx);
753         context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
754                                         "allow dcerpc auth level connect",
755                                         iface->name,
756                                         context->allow_connect);
757 }
758
759 NTSTATUS dcesrv_interface_bind_require_integrity(struct dcesrv_connection_context *context,
760                                                  const struct dcesrv_interface *iface)
761 {
762         /*
763          * For connection oriented DCERPC DCERPC_AUTH_LEVEL_PACKET (4)
764          * has the same behavior as DCERPC_AUTH_LEVEL_INTEGRITY (5).
765          */
766         context->min_auth_level = DCERPC_AUTH_LEVEL_PACKET;
767         return NT_STATUS_OK;
768 }
769
770 NTSTATUS dcesrv_interface_bind_require_privacy(struct dcesrv_connection_context *context,
771                                                const struct dcesrv_interface *iface)
772 {
773         context->min_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
774         return NT_STATUS_OK;
775 }
776
777 _PUBLIC_ NTSTATUS dcesrv_interface_bind_reject_connect(struct dcesrv_connection_context *context,
778                                                        const struct dcesrv_interface *iface)
779 {
780         struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
781         const struct dcesrv_endpoint *endpoint = context->conn->endpoint;
782         enum dcerpc_transport_t transport =
783                 dcerpc_binding_get_transport(endpoint->ep_description);
784
785         if (transport == NCALRPC) {
786                 context->allow_connect = true;
787                 return NT_STATUS_OK;
788         }
789
790         /*
791          * allow overwrite per interface
792          * allow dcerpc auth level connect:<interface>
793          */
794         context->allow_connect = false;
795         context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
796                                         "allow dcerpc auth level connect",
797                                         iface->name,
798                                         context->allow_connect);
799         return NT_STATUS_OK;
800 }
801
802 _PUBLIC_ NTSTATUS dcesrv_interface_bind_allow_connect(struct dcesrv_connection_context *context,
803                                                       const struct dcesrv_interface *iface)
804 {
805         struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
806         const struct dcesrv_endpoint *endpoint = context->conn->endpoint;
807         enum dcerpc_transport_t transport =
808                 dcerpc_binding_get_transport(endpoint->ep_description);
809
810         if (transport == NCALRPC) {
811                 context->allow_connect = true;
812                 return NT_STATUS_OK;
813         }
814
815         /*
816          * allow overwrite per interface
817          * allow dcerpc auth level connect:<interface>
818          */
819         context->allow_connect = true;
820         context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
821                                         "allow dcerpc auth level connect",
822                                         iface->name,
823                                         context->allow_connect);
824         return NT_STATUS_OK;
825 }
826
827 struct dcesrv_conn_auth_wait_context {
828         struct tevent_req *req;
829         bool done;
830         NTSTATUS status;
831 };
832
833 struct dcesrv_conn_auth_wait_state {
834         uint8_t dummy;
835 };
836
837 static struct tevent_req *dcesrv_conn_auth_wait_send(TALLOC_CTX *mem_ctx,
838                                                      struct tevent_context *ev,
839                                                      void *private_data)
840 {
841         struct dcesrv_conn_auth_wait_context *auth_wait =
842                 talloc_get_type_abort(private_data,
843                 struct dcesrv_conn_auth_wait_context);
844         struct tevent_req *req = NULL;
845         struct dcesrv_conn_auth_wait_state *state = NULL;
846
847         req = tevent_req_create(mem_ctx, &state,
848                                 struct dcesrv_conn_auth_wait_state);
849         if (req == NULL) {
850                 return NULL;
851         }
852         auth_wait->req = req;
853
854         tevent_req_defer_callback(req, ev);
855
856         if (!auth_wait->done) {
857                 return req;
858         }
859
860         if (tevent_req_nterror(req, auth_wait->status)) {
861                 return tevent_req_post(req, ev);
862         }
863
864         tevent_req_done(req);
865         return tevent_req_post(req, ev);
866 }
867
868 static NTSTATUS dcesrv_conn_auth_wait_recv(struct tevent_req *req)
869 {
870         return tevent_req_simple_recv_ntstatus(req);
871 }
872
873 static NTSTATUS dcesrv_conn_auth_wait_setup(struct dcesrv_connection *conn)
874 {
875         struct dcesrv_conn_auth_wait_context *auth_wait = NULL;
876
877         if (conn->wait_send != NULL) {
878                 return NT_STATUS_INTERNAL_ERROR;
879         }
880
881         auth_wait = talloc_zero(conn, struct dcesrv_conn_auth_wait_context);
882         if (auth_wait == NULL) {
883                 return NT_STATUS_NO_MEMORY;
884         }
885
886         conn->wait_private = auth_wait;
887         conn->wait_send = dcesrv_conn_auth_wait_send;
888         conn->wait_recv = dcesrv_conn_auth_wait_recv;
889         return NT_STATUS_OK;
890 }
891
892 static void dcesrv_conn_auth_wait_finished(struct dcesrv_connection *conn,
893                                            NTSTATUS status)
894 {
895         struct dcesrv_conn_auth_wait_context *auth_wait =
896                 talloc_get_type_abort(conn->wait_private,
897                 struct dcesrv_conn_auth_wait_context);
898
899         auth_wait->done = true;
900         auth_wait->status = status;
901
902         if (auth_wait->req == NULL) {
903                 return;
904         }
905
906         if (tevent_req_nterror(auth_wait->req, status)) {
907                 return;
908         }
909
910         tevent_req_done(auth_wait->req);
911 }
912
913 static NTSTATUS dcesrv_auth_reply(struct dcesrv_call_state *call);
914
915 static void dcesrv_bind_done(struct tevent_req *subreq);
916
917 /*
918   handle a bind request
919 */
920 static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
921 {
922         struct dcesrv_connection *conn = call->conn;
923         struct ncacn_packet *pkt = &call->ack_pkt;
924         NTSTATUS status;
925         uint32_t extra_flags = 0;
926         uint16_t max_req = 0;
927         uint16_t max_rep = 0;
928         struct dcerpc_binding *ep_2nd_description = NULL;
929         const char *endpoint = NULL;
930         struct dcesrv_auth *auth = call->auth_state;
931         struct dcerpc_ack_ctx *ack_ctx_list = NULL;
932         struct dcerpc_ack_ctx *ack_features = NULL;
933         struct tevent_req *subreq = NULL;
934         size_t i;
935
936         status = dcerpc_verify_ncacn_packet_header(&call->pkt,
937                         DCERPC_PKT_BIND,
938                         call->pkt.u.bind.auth_info.length,
939                         0, /* required flags */
940                         DCERPC_PFC_FLAG_FIRST |
941                         DCERPC_PFC_FLAG_LAST |
942                         DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
943                         0x08 | /* this is not defined, but should be ignored */
944                         DCERPC_PFC_FLAG_CONC_MPX |
945                         DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
946                         DCERPC_PFC_FLAG_MAYBE |
947                         DCERPC_PFC_FLAG_OBJECT_UUID);
948         if (!NT_STATUS_IS_OK(status)) {
949                 return dcesrv_bind_nak(call,
950                         DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED);
951         }
952
953         /* max_recv_frag and max_xmit_frag result always in the same value! */
954         max_req = MIN(call->pkt.u.bind.max_xmit_frag,
955                       call->pkt.u.bind.max_recv_frag);
956         /*
957          * The values are between 2048 and 5840 tested against Windows 2012R2
958          * via ncacn_ip_tcp on port 135.
959          */
960         max_req = MAX(2048, max_req);
961         max_rep = MIN(max_req, call->conn->max_recv_frag);
962         /* They are truncated to an 8 byte boundary. */
963         max_rep &= 0xFFF8;
964
965         /* max_recv_frag and max_xmit_frag result always in the same value! */
966         call->conn->max_recv_frag = max_rep;
967         call->conn->max_xmit_frag = max_rep;
968
969         status = call->conn->dce_ctx->callbacks.assoc_group.find(call);
970         if (!NT_STATUS_IS_OK(status)) {
971                 DBG_NOTICE("Failed to find assoc_group 0x%08x: %s\n",
972                            call->pkt.u.bind.assoc_group_id, nt_errstr(status));
973                 return dcesrv_bind_nak(call, 0);
974         }
975
976         if (call->pkt.u.bind.num_contexts < 1) {
977                 return dcesrv_bind_nak(call, 0);
978         }
979
980         ack_ctx_list = talloc_zero_array(call, struct dcerpc_ack_ctx,
981                                          call->pkt.u.bind.num_contexts);
982         if (ack_ctx_list == NULL) {
983                 return dcesrv_bind_nak(call, 0);
984         }
985
986         /*
987          * Set some sane defaults (required by dcesrv_negotiate_contexts()/
988          * dcesrv_check_or_create_context()) and do some protocol validation
989          * and set sane defaults.
990          */
991         for (i = 0; i < call->pkt.u.bind.num_contexts; i++) {
992                 const struct dcerpc_ctx_list *c = &call->pkt.u.bind.ctx_list[i];
993                 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
994                 bool is_feature = false;
995                 uint64_t features = 0;
996
997                 if (c->num_transfer_syntaxes == 0) {
998                         return dcesrv_bind_nak(call, 0);
999                 }
1000
1001                 a->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1002                 a->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
1003
1004                 /*
1005                  * It's only treated as bind time feature request, if the first
1006                  * transfer_syntax matches, all others are ignored.
1007                  */
1008                 is_feature = dcerpc_extract_bind_time_features(c->transfer_syntaxes[0],
1009                                                                &features);
1010                 if (!is_feature) {
1011                         continue;
1012                 }
1013
1014                 if (ack_features != NULL) {
1015                         /*
1016                          * Only one bind time feature context is allowed.
1017                          */
1018                         return dcesrv_bind_nak(call, 0);
1019                 }
1020                 ack_features = a;
1021
1022                 a->result = DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK;
1023                 a->reason.negotiate = 0;
1024                 if (features & DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING) {
1025                         if (call->conn->max_auth_states != 0) {
1026                                 a->reason.negotiate |=
1027                                 DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING;
1028                         }
1029                 }
1030                 if (features & DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN) {
1031                         a->reason.negotiate |=
1032                                 DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN;
1033                 }
1034
1035                 call->conn->assoc_group->bind_time_features = a->reason.negotiate;
1036         }
1037
1038         /*
1039          * Try to negotiate one new presentation context.
1040          *
1041          * Deep in here we locate the iface (by uuid) that the client
1042          * requested, from the list of interfaces on the
1043          * call->conn->endpoint, and call iface->bind() on that iface.
1044          *
1045          * call->conn was set up at the accept() of the socket, and
1046          * call->conn->endpoint has a list of interfaces restricted to
1047          * this port or pipe.
1048          */
1049         status = dcesrv_negotiate_contexts(call, &call->pkt.u.bind, ack_ctx_list);
1050         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
1051                 return dcesrv_bind_nak(call, 0);
1052         }
1053         if (!NT_STATUS_IS_OK(status)) {
1054                 return status;
1055         }
1056
1057         /*
1058          * At this point we still don't know which interface (eg
1059          * netlogon, lsa, drsuapi) the caller requested in this bind!
1060          * The most recently added context is available as the first
1061          * element in the linked list at call->conn->contexts, that is
1062          * call->conn->contexts->iface, but they may not have
1063          * requested one at all!
1064          */
1065
1066         if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
1067             (call->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
1068                 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
1069                 extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
1070         }
1071
1072         if (call->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
1073                 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL;
1074         }
1075
1076         /*
1077          * After finding the interface and setting up the NDR
1078          * transport negotiation etc, handle any authentication that
1079          * is being requested.
1080          */
1081         if (!dcesrv_auth_bind(call)) {
1082
1083                 if (auth->auth_level == DCERPC_AUTH_LEVEL_NONE) {
1084                         /*
1085                          * With DCERPC_AUTH_LEVEL_NONE, we get the
1086                          * reject_reason in auth->auth_context_id.
1087                          */
1088                         return dcesrv_bind_nak(call, auth->auth_context_id);
1089                 }
1090
1091                 /*
1092                  * This must a be a temporary failure e.g. talloc or invalid
1093                  * configuration, e.g. no machine account.
1094                  */
1095                 return dcesrv_bind_nak(call,
1096                                 DCERPC_BIND_NAK_REASON_TEMPORARY_CONGESTION);
1097         }
1098
1099         /* setup a bind_ack */
1100         dcesrv_init_hdr(pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
1101         pkt->auth_length = 0;
1102         pkt->call_id = call->pkt.call_id;
1103         pkt->ptype = DCERPC_PKT_BIND_ACK;
1104         pkt->pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
1105         pkt->u.bind_ack.max_xmit_frag = call->conn->max_xmit_frag;
1106         pkt->u.bind_ack.max_recv_frag = call->conn->max_recv_frag;
1107         pkt->u.bind_ack.assoc_group_id = call->conn->assoc_group->id;
1108
1109         ep_2nd_description = call->conn->endpoint->ep_2nd_description;
1110         if (ep_2nd_description == NULL) {
1111                 ep_2nd_description = call->conn->endpoint->ep_description;
1112         }
1113
1114         endpoint = dcerpc_binding_get_string_option(
1115                                 ep_2nd_description,
1116                                 "endpoint");
1117         if (endpoint == NULL) {
1118                 endpoint = "";
1119         }
1120
1121         pkt->u.bind_ack.secondary_address = endpoint;
1122         pkt->u.bind_ack.num_results = call->pkt.u.bind.num_contexts;
1123         pkt->u.bind_ack.ctx_list = ack_ctx_list;
1124         pkt->u.bind_ack.auth_info = data_blob_null;
1125
1126         status = dcesrv_auth_prepare_bind_ack(call, pkt);
1127         if (!NT_STATUS_IS_OK(status)) {
1128                 return dcesrv_bind_nak(call, 0);
1129         }
1130
1131         if (auth->auth_finished) {
1132                 return dcesrv_auth_reply(call);
1133         }
1134
1135         subreq = gensec_update_send(call, call->event_ctx,
1136                                     auth->gensec_security,
1137                                     call->in_auth_info.credentials);
1138         if (subreq == NULL) {
1139                 return NT_STATUS_NO_MEMORY;
1140         }
1141         tevent_req_set_callback(subreq, dcesrv_bind_done, call);
1142
1143         return dcesrv_conn_auth_wait_setup(conn);
1144 }
1145
1146 static void dcesrv_bind_done(struct tevent_req *subreq)
1147 {
1148         struct dcesrv_call_state *call =
1149                 tevent_req_callback_data(subreq,
1150                 struct dcesrv_call_state);
1151         struct dcesrv_connection *conn = call->conn;
1152         NTSTATUS status;
1153
1154         status = gensec_update_recv(subreq, call,
1155                                     &call->out_auth_info->credentials);
1156         TALLOC_FREE(subreq);
1157
1158         status = dcesrv_auth_complete(call, status);
1159         if (!NT_STATUS_IS_OK(status)) {
1160                 status = dcesrv_bind_nak(call, 0);
1161                 dcesrv_conn_auth_wait_finished(conn, status);
1162                 return;
1163         }
1164
1165         status = dcesrv_auth_reply(call);
1166         dcesrv_conn_auth_wait_finished(conn, status);
1167         return;
1168 }
1169
1170 static NTSTATUS dcesrv_auth_reply(struct dcesrv_call_state *call)
1171 {
1172         struct ncacn_packet *pkt = &call->ack_pkt;
1173         struct data_blob_list_item *rep = NULL;
1174         NTSTATUS status;
1175
1176         rep = talloc_zero(call, struct data_blob_list_item);
1177         if (!rep) {
1178                 return NT_STATUS_NO_MEMORY;
1179         }
1180
1181         status = dcerpc_ncacn_push_auth(&rep->blob,
1182                                         call,
1183                                         pkt,
1184                                         call->out_auth_info);
1185         if (!NT_STATUS_IS_OK(status)) {
1186                 return status;
1187         }
1188
1189         dcerpc_set_frag_length(&rep->blob, rep->blob.length);
1190
1191         DLIST_ADD_END(call->replies, rep);
1192         dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
1193
1194         if (call->conn->call_list && call->conn->call_list->replies) {
1195                 if (call->conn->transport.report_output_data) {
1196                         call->conn->transport.report_output_data(call->conn);
1197                 }
1198         }
1199
1200         return NT_STATUS_OK;
1201 }
1202
1203
1204 static void dcesrv_auth3_done(struct tevent_req *subreq);
1205
1206 /*
1207   handle a auth3 request
1208 */
1209 static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
1210 {
1211         struct dcesrv_connection *conn = call->conn;
1212         struct dcesrv_auth *auth = call->auth_state;
1213         struct tevent_req *subreq = NULL;
1214         NTSTATUS status;
1215
1216         if (!auth->auth_started) {
1217                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1218         }
1219
1220         if (auth->auth_finished) {
1221                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1222         }
1223
1224         status = dcerpc_verify_ncacn_packet_header(&call->pkt,
1225                         DCERPC_PKT_AUTH3,
1226                         call->pkt.u.auth3.auth_info.length,
1227                         0, /* required flags */
1228                         DCERPC_PFC_FLAG_FIRST |
1229                         DCERPC_PFC_FLAG_LAST |
1230                         DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1231                         0x08 | /* this is not defined, but should be ignored */
1232                         DCERPC_PFC_FLAG_CONC_MPX |
1233                         DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1234                         DCERPC_PFC_FLAG_MAYBE |
1235                         DCERPC_PFC_FLAG_OBJECT_UUID);
1236         if (!NT_STATUS_IS_OK(status)) {
1237                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1238         }
1239
1240         /* handle the auth3 in the auth code */
1241         if (!dcesrv_auth_prepare_auth3(call)) {
1242                 /*
1243                  * we don't send a reply to a auth3 request,
1244                  * except by a fault.
1245                  *
1246                  * In anycase we mark the connection as
1247                  * invalid.
1248                  */
1249                 auth->auth_invalid = true;
1250                 if (call->fault_code != 0) {
1251                         return dcesrv_fault_disconnect(call, call->fault_code);
1252                 }
1253                 TALLOC_FREE(call);
1254                 return NT_STATUS_OK;
1255         }
1256
1257         subreq = gensec_update_send(call, call->event_ctx,
1258                                     auth->gensec_security,
1259                                     call->in_auth_info.credentials);
1260         if (subreq == NULL) {
1261                 return NT_STATUS_NO_MEMORY;
1262         }
1263         tevent_req_set_callback(subreq, dcesrv_auth3_done, call);
1264
1265         return dcesrv_conn_auth_wait_setup(conn);
1266 }
1267
1268 static void dcesrv_auth3_done(struct tevent_req *subreq)
1269 {
1270         struct dcesrv_call_state *call =
1271                 tevent_req_callback_data(subreq,
1272                 struct dcesrv_call_state);
1273         struct dcesrv_connection *conn = call->conn;
1274         struct dcesrv_auth *auth = call->auth_state;
1275         NTSTATUS status;
1276
1277         status = gensec_update_recv(subreq, call,
1278                                     &call->out_auth_info->credentials);
1279         TALLOC_FREE(subreq);
1280
1281         status = dcesrv_auth_complete(call, status);
1282         if (!NT_STATUS_IS_OK(status)) {
1283                 /*
1284                  * we don't send a reply to a auth3 request,
1285                  * except by a fault.
1286                  *
1287                  * In anycase we mark the connection as
1288                  * invalid.
1289                  */
1290                 auth->auth_invalid = true;
1291                 if (call->fault_code != 0) {
1292                         status = dcesrv_fault_disconnect(call, call->fault_code);
1293                         dcesrv_conn_auth_wait_finished(conn, status);
1294                         return;
1295                 }
1296                 TALLOC_FREE(call);
1297                 dcesrv_conn_auth_wait_finished(conn, NT_STATUS_OK);
1298                 return;
1299         }
1300
1301         /*
1302          * we don't send a reply to a auth3 request.
1303          */
1304         TALLOC_FREE(call);
1305         dcesrv_conn_auth_wait_finished(conn, NT_STATUS_OK);
1306         return;
1307 }
1308
1309
1310 static NTSTATUS dcesrv_check_or_create_context(struct dcesrv_call_state *call,
1311                                 const struct dcerpc_bind *b,
1312                                 const struct dcerpc_ctx_list *ctx,
1313                                 struct dcerpc_ack_ctx *ack,
1314                                 bool validate_only,
1315                                 const struct ndr_syntax_id *supported_transfer)
1316 {
1317         uint32_t if_version;
1318         struct dcesrv_connection_context *context;
1319         const struct dcesrv_interface *iface;
1320         struct GUID uuid;
1321         NTSTATUS status;
1322         const struct ndr_syntax_id *selected_transfer = NULL;
1323         size_t i;
1324         bool ok;
1325
1326         if (b == NULL) {
1327                 return NT_STATUS_INTERNAL_ERROR;
1328         }
1329         if (ctx == NULL) {
1330                 return NT_STATUS_INTERNAL_ERROR;
1331         }
1332         if (ctx->num_transfer_syntaxes < 1) {
1333                 return NT_STATUS_INTERNAL_ERROR;
1334         }
1335         if (ack == NULL) {
1336                 return NT_STATUS_INTERNAL_ERROR;
1337         }
1338         if (supported_transfer == NULL) {
1339                 return NT_STATUS_INTERNAL_ERROR;
1340         }
1341
1342         switch (ack->result) {
1343         case DCERPC_BIND_ACK_RESULT_ACCEPTANCE:
1344         case DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK:
1345                 /*
1346                  * We is already completed.
1347                  */
1348                 return NT_STATUS_OK;
1349         default:
1350                 break;
1351         }
1352
1353         ack->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1354         ack->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
1355
1356         if_version = ctx->abstract_syntax.if_version;
1357         uuid = ctx->abstract_syntax.uuid;
1358
1359         iface = find_interface_by_uuid(call->conn->endpoint, &uuid, if_version);
1360         if (iface == NULL) {
1361                 char *uuid_str = GUID_string(call, &uuid);
1362                 DEBUG(2,("Request for unknown dcerpc interface %s/%d\n", uuid_str, if_version));
1363                 talloc_free(uuid_str);
1364                 /*
1365                  * We report this only via ack->result
1366                  */
1367                 return NT_STATUS_OK;
1368         }
1369
1370         ack->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1371         ack->reason.value = DCERPC_BIND_ACK_REASON_TRANSFER_SYNTAXES_NOT_SUPPORTED;
1372
1373         if (validate_only) {
1374                 /*
1375                  * We report this only via ack->result
1376                  */
1377                 return NT_STATUS_OK;
1378         }
1379
1380         for (i = 0; i < ctx->num_transfer_syntaxes; i++) {
1381                 /*
1382                  * we only do NDR encoded dcerpc for now.
1383                  */
1384                 ok = ndr_syntax_id_equal(&ctx->transfer_syntaxes[i],
1385                                          supported_transfer);
1386                 if (ok) {
1387                         selected_transfer = supported_transfer;
1388                         break;
1389                 }
1390         }
1391
1392         context = dcesrv_find_context(call->conn, ctx->context_id);
1393         if (context != NULL) {
1394                 ok = ndr_syntax_id_equal(&context->iface->syntax_id,
1395                                          &ctx->abstract_syntax);
1396                 if (!ok) {
1397                         return NT_STATUS_RPC_PROTOCOL_ERROR;
1398                 }
1399
1400                 if (selected_transfer != NULL) {
1401                         ok = ndr_syntax_id_equal(&context->transfer_syntax,
1402                                                  selected_transfer);
1403                         if (!ok) {
1404                                 return NT_STATUS_RPC_PROTOCOL_ERROR;
1405                         }
1406
1407                         ack->result = DCERPC_BIND_ACK_RESULT_ACCEPTANCE;
1408                         ack->reason.value = DCERPC_BIND_ACK_REASON_NOT_SPECIFIED;
1409                         ack->syntax = context->transfer_syntax;
1410                 }
1411
1412                 /*
1413                  * We report this only via ack->result
1414                  */
1415                 return NT_STATUS_OK;
1416         }
1417
1418         if (selected_transfer == NULL) {
1419                 /*
1420                  * We report this only via ack->result
1421                  */
1422                 return NT_STATUS_OK;
1423         }
1424
1425         ack->result = DCERPC_BIND_ACK_RESULT_USER_REJECTION;
1426         ack->reason.value = DCERPC_BIND_ACK_REASON_LOCAL_LIMIT_EXCEEDED;
1427
1428         /* add this context to the list of available context_ids */
1429         context = talloc_zero(call->conn, struct dcesrv_connection_context);
1430         if (context == NULL) {
1431                 return NT_STATUS_NO_MEMORY;
1432         }
1433         context->conn = call->conn;
1434         context->context_id = ctx->context_id;
1435         context->iface = iface;
1436         context->transfer_syntax = *selected_transfer;
1437         DLIST_ADD(call->conn->contexts, context);
1438         call->context = context;
1439         talloc_set_destructor(context, dcesrv_connection_context_destructor);
1440
1441         dcesrv_prepare_context_auth(call);
1442
1443         /*
1444          * Multiplex is supported by default
1445          */
1446         call->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
1447
1448         status = iface->bind(context, iface);
1449         call->context = NULL;
1450         if (!NT_STATUS_IS_OK(status)) {
1451                 /* we don't want to trigger the iface->unbind() hook */
1452                 context->iface = NULL;
1453                 talloc_free(context);
1454                 /*
1455                  * We report this only via ack->result
1456                  */
1457                 return NT_STATUS_OK;
1458         }
1459
1460         ack->result = DCERPC_BIND_ACK_RESULT_ACCEPTANCE;
1461         ack->reason.value = DCERPC_BIND_ACK_REASON_NOT_SPECIFIED;
1462         ack->syntax = context->transfer_syntax;
1463         return NT_STATUS_OK;
1464 }
1465
1466 static NTSTATUS dcesrv_negotiate_contexts(struct dcesrv_call_state *call,
1467                                 const struct dcerpc_bind *b,
1468                                 struct dcerpc_ack_ctx *ack_ctx_list)
1469 {
1470         NTSTATUS status;
1471         size_t i;
1472         bool validate_only = false;
1473         bool preferred_ndr32;
1474
1475         /*
1476          * Try to negotiate one new presentation context,
1477          * using our preferred transfer syntax.
1478          */
1479         for (i = 0; i < b->num_contexts; i++) {
1480                 const struct dcerpc_ctx_list *c = &b->ctx_list[i];
1481                 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1482
1483                 status = dcesrv_check_or_create_context(call, b, c, a,
1484                                                 validate_only,
1485                                                 call->conn->preferred_transfer);
1486                 if (!NT_STATUS_IS_OK(status)) {
1487                         return status;
1488                 }
1489
1490                 if (a->result == DCERPC_BIND_ACK_RESULT_ACCEPTANCE) {
1491                         /*
1492                          * We managed to negotiate one context.
1493                          *
1494                          * => we're done.
1495                          */
1496                         validate_only = true;
1497                 }
1498         }
1499
1500         preferred_ndr32 = ndr_syntax_id_equal(&ndr_transfer_syntax_ndr,
1501                                         call->conn->preferred_transfer);
1502         if (preferred_ndr32) {
1503                 /*
1504                  * We're done.
1505                  */
1506                 return NT_STATUS_OK;
1507         }
1508
1509         /*
1510          * Try to negotiate one new presentation context,
1511          * using NDR 32 as fallback.
1512          */
1513         for (i = 0; i < b->num_contexts; i++) {
1514                 const struct dcerpc_ctx_list *c = &b->ctx_list[i];
1515                 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1516
1517                 status = dcesrv_check_or_create_context(call, b, c, a,
1518                                                 validate_only,
1519                                                 &ndr_transfer_syntax_ndr);
1520                 if (!NT_STATUS_IS_OK(status)) {
1521                         return status;
1522                 }
1523
1524                 if (a->result == DCERPC_BIND_ACK_RESULT_ACCEPTANCE) {
1525                         /*
1526                          * We managed to negotiate one context.
1527                          *
1528                          * => we're done.
1529                          */
1530                         validate_only = true;
1531                 }
1532         }
1533
1534         return NT_STATUS_OK;
1535 }
1536
1537 static void dcesrv_alter_done(struct tevent_req *subreq);
1538
1539 /*
1540   handle a alter context request
1541 */
1542 static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
1543 {
1544         struct dcesrv_connection *conn = call->conn;
1545         NTSTATUS status;
1546         bool auth_ok = false;
1547         struct ncacn_packet *pkt = &call->ack_pkt;
1548         uint32_t extra_flags = 0;
1549         struct dcesrv_auth *auth = call->auth_state;
1550         struct dcerpc_ack_ctx *ack_ctx_list = NULL;
1551         struct tevent_req *subreq = NULL;
1552         size_t i;
1553
1554         if (!call->conn->allow_alter) {
1555                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1556         }
1557
1558         status = dcerpc_verify_ncacn_packet_header(&call->pkt,
1559                         DCERPC_PKT_ALTER,
1560                         call->pkt.u.alter.auth_info.length,
1561                         0, /* required flags */
1562                         DCERPC_PFC_FLAG_FIRST |
1563                         DCERPC_PFC_FLAG_LAST |
1564                         DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1565                         0x08 | /* this is not defined, but should be ignored */
1566                         DCERPC_PFC_FLAG_CONC_MPX |
1567                         DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1568                         DCERPC_PFC_FLAG_MAYBE |
1569                         DCERPC_PFC_FLAG_OBJECT_UUID);
1570         if (!NT_STATUS_IS_OK(status)) {
1571                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1572         }
1573
1574         auth_ok = dcesrv_auth_alter(call);
1575         if (!auth_ok) {
1576                 if (call->fault_code != 0) {
1577                         return dcesrv_fault_disconnect(call, call->fault_code);
1578                 }
1579         }
1580
1581         if (call->pkt.u.alter.num_contexts < 1) {
1582                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1583         }
1584
1585         ack_ctx_list = talloc_zero_array(call, struct dcerpc_ack_ctx,
1586                                          call->pkt.u.alter.num_contexts);
1587         if (ack_ctx_list == NULL) {
1588                 return NT_STATUS_NO_MEMORY;
1589         }
1590
1591         /*
1592          * Set some sane defaults (required by dcesrv_negotiate_contexts()/
1593          * dcesrv_check_or_create_context()) and do some protocol validation
1594          * and set sane defaults.
1595          */
1596         for (i = 0; i < call->pkt.u.alter.num_contexts; i++) {
1597                 const struct dcerpc_ctx_list *c = &call->pkt.u.alter.ctx_list[i];
1598                 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1599
1600                 if (c->num_transfer_syntaxes == 0) {
1601                         return dcesrv_fault_disconnect(call,
1602                                         DCERPC_NCA_S_PROTO_ERROR);
1603                 }
1604
1605                 a->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1606                 a->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
1607         }
1608
1609         /*
1610          * Try to negotiate one new presentation context.
1611          */
1612         status = dcesrv_negotiate_contexts(call, &call->pkt.u.alter, ack_ctx_list);
1613         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
1614                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1615         }
1616         if (!NT_STATUS_IS_OK(status)) {
1617                 return status;
1618         }
1619
1620         if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
1621             (call->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
1622                 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
1623                 extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
1624         }
1625
1626         if (call->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
1627                 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL;
1628         }
1629
1630         /* handle any authentication that is being requested */
1631         if (!auth_ok) {
1632                 if (call->in_auth_info.auth_type != auth->auth_type) {
1633                         return dcesrv_fault_disconnect(call,
1634                                         DCERPC_FAULT_SEC_PKG_ERROR);
1635                 }
1636                 return dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED);
1637         }
1638
1639         dcesrv_init_hdr(pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
1640         pkt->auth_length = 0;
1641         pkt->call_id = call->pkt.call_id;
1642         pkt->ptype = DCERPC_PKT_ALTER_RESP;
1643         pkt->pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
1644         pkt->u.alter_resp.max_xmit_frag = call->conn->max_xmit_frag;
1645         pkt->u.alter_resp.max_recv_frag = call->conn->max_recv_frag;
1646         pkt->u.alter_resp.assoc_group_id = call->conn->assoc_group->id;
1647         pkt->u.alter_resp.secondary_address = "";
1648         pkt->u.alter_resp.num_results = call->pkt.u.alter.num_contexts;
1649         pkt->u.alter_resp.ctx_list = ack_ctx_list;
1650         pkt->u.alter_resp.auth_info = data_blob_null;
1651
1652         status = dcesrv_auth_prepare_alter_ack(call, pkt);
1653         if (!NT_STATUS_IS_OK(status)) {
1654                 return dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
1655         }
1656
1657         if (auth->auth_finished) {
1658                 return dcesrv_auth_reply(call);
1659         }
1660
1661         subreq = gensec_update_send(call, call->event_ctx,
1662                                     auth->gensec_security,
1663                                     call->in_auth_info.credentials);
1664         if (subreq == NULL) {
1665                 return NT_STATUS_NO_MEMORY;
1666         }
1667         tevent_req_set_callback(subreq, dcesrv_alter_done, call);
1668
1669         return dcesrv_conn_auth_wait_setup(conn);
1670 }
1671
1672 static void dcesrv_alter_done(struct tevent_req *subreq)
1673 {
1674         struct dcesrv_call_state *call =
1675                 tevent_req_callback_data(subreq,
1676                 struct dcesrv_call_state);
1677         struct dcesrv_connection *conn = call->conn;
1678         NTSTATUS status;
1679
1680         status = gensec_update_recv(subreq, call,
1681                                     &call->out_auth_info->credentials);
1682         TALLOC_FREE(subreq);
1683
1684         status = dcesrv_auth_complete(call, status);
1685         if (!NT_STATUS_IS_OK(status)) {
1686                 status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
1687                 dcesrv_conn_auth_wait_finished(conn, status);
1688                 return;
1689         }
1690
1691         status = dcesrv_auth_reply(call);
1692         dcesrv_conn_auth_wait_finished(conn, status);
1693         return;
1694 }
1695
1696 /*
1697   possibly save the call for inspection with ndrdump
1698  */
1699 static void dcesrv_save_call(struct dcesrv_call_state *call, const char *why)
1700 {
1701 #ifdef DEVELOPER
1702         dcerpc_log_packet(call->conn->packet_log_dir,
1703                           call->context->iface->name,
1704                           call->pkt.u.request.opnum,
1705                           NDR_IN,
1706                           &call->pkt.u.request.stub_and_verifier,
1707                           why);
1708 #endif
1709 }
1710
1711 #ifdef DEVELOPER
1712 /*
1713   Save the call for use as a seed for fuzzing.
1714
1715   This is only enabled in a developer build, and only has effect if the
1716   "dcesrv fuzz directory" param is set.
1717 */
1718 void _dcesrv_save_ndr_fuzz_seed(DATA_BLOB call_blob,
1719                                 struct dcesrv_call_state *call,
1720                                 int flags)
1721 {
1722         const char *dump_dir = lpcfg_parm_string(call->conn->dce_ctx->lp_ctx,
1723                                                  NULL,
1724                                                  "dcesrv", "fuzz directory");
1725
1726         dcerpc_save_ndr_fuzz_seed(call,
1727                                   call_blob,
1728                                   dump_dir,
1729                                   call->context->iface->name,
1730                                   flags,
1731                                   call->pkt.u.request.opnum,
1732                                   call->ndr_pull->flags & LIBNDR_FLAG_NDR64);
1733 }
1734 #endif /*if DEVELOPER, enveloping _dcesrv_save_ndr_fuzz_seed() */
1735
1736
1737 static NTSTATUS dcesrv_check_verification_trailer(struct dcesrv_call_state *call)
1738 {
1739         TALLOC_CTX *frame = talloc_stackframe();
1740         const uint32_t bitmask1 = call->conn->client_hdr_signing ?
1741                 DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING : 0;
1742         const struct dcerpc_sec_vt_pcontext pcontext = {
1743                 .abstract_syntax = call->context->iface->syntax_id,
1744                 .transfer_syntax = call->context->transfer_syntax,
1745         };
1746         const struct dcerpc_sec_vt_header2 header2 =
1747                 dcerpc_sec_vt_header2_from_ncacn_packet(&call->pkt);
1748         enum ndr_err_code ndr_err;
1749         struct dcerpc_sec_verification_trailer *vt = NULL;
1750         NTSTATUS status = NT_STATUS_OK;
1751         bool ok;
1752
1753         SMB_ASSERT(call->pkt.ptype == DCERPC_PKT_REQUEST);
1754
1755         ndr_err = ndr_pop_dcerpc_sec_verification_trailer(call->ndr_pull,
1756                                                           frame, &vt);
1757         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1758                 status = ndr_map_error2ntstatus(ndr_err);
1759                 goto done;
1760         }
1761
1762         ok = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
1763                                                    &pcontext, &header2);
1764         if (!ok) {
1765                 status = NT_STATUS_ACCESS_DENIED;
1766                 goto done;
1767         }
1768 done:
1769         TALLOC_FREE(frame);
1770         return status;
1771 }
1772
1773 /*
1774   handle a dcerpc request packet
1775 */
1776 static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
1777 {
1778         const struct dcesrv_endpoint *endpoint = call->conn->endpoint;
1779         struct dcesrv_auth *auth = call->auth_state;
1780         enum dcerpc_transport_t transport =
1781                 dcerpc_binding_get_transport(endpoint->ep_description);
1782         struct ndr_pull *pull;
1783         NTSTATUS status;
1784
1785         if (!auth->auth_finished) {
1786                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1787         }
1788
1789         /* if authenticated, and the mech we use can't do async replies, don't use them... */
1790         if (auth->gensec_security != NULL &&
1791             !gensec_have_feature(auth->gensec_security, GENSEC_FEATURE_ASYNC_REPLIES)) {
1792                 call->state_flags &= ~DCESRV_CALL_STATE_FLAG_MAY_ASYNC;
1793         }
1794
1795         if (call->context == NULL) {
1796                 return dcesrv_fault_with_flags(call, DCERPC_NCA_S_UNKNOWN_IF,
1797                                         DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
1798         }
1799
1800         switch (auth->auth_level) {
1801         case DCERPC_AUTH_LEVEL_NONE:
1802         case DCERPC_AUTH_LEVEL_PACKET:
1803         case DCERPC_AUTH_LEVEL_INTEGRITY:
1804         case DCERPC_AUTH_LEVEL_PRIVACY:
1805                 break;
1806         default:
1807                 if (!call->context->allow_connect) {
1808                         char *addr;
1809
1810                         addr = tsocket_address_string(call->conn->remote_address,
1811                                                       call);
1812
1813                         DEBUG(2, ("%s: restrict auth_level_connect access "
1814                                   "to [%s] with auth[type=0x%x,level=0x%x] "
1815                                   "on [%s] from [%s]\n",
1816                                   __func__, call->context->iface->name,
1817                                   auth->auth_type,
1818                                   auth->auth_level,
1819                                   derpc_transport_string_by_transport(transport),
1820                                   addr));
1821                         return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
1822                 }
1823                 break;
1824         }
1825
1826         if (auth->auth_level < call->context->min_auth_level) {
1827                 char *addr;
1828
1829                 addr = tsocket_address_string(call->conn->remote_address, call);
1830
1831                 DEBUG(2, ("%s: restrict access by min_auth_level[0x%x] "
1832                           "to [%s] with auth[type=0x%x,level=0x%x] "
1833                           "on [%s] from [%s]\n",
1834                           __func__,
1835                           call->context->min_auth_level,
1836                           call->context->iface->name,
1837                           auth->auth_type,
1838                           auth->auth_level,
1839                           derpc_transport_string_by_transport(transport),
1840                           addr));
1841                 return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
1842         }
1843
1844         pull = ndr_pull_init_blob(&call->pkt.u.request.stub_and_verifier, call);
1845         NT_STATUS_HAVE_NO_MEMORY(pull);
1846
1847         pull->flags |= LIBNDR_FLAG_REF_ALLOC;
1848
1849         call->ndr_pull  = pull;
1850
1851         if (!(call->pkt.drep[0] & DCERPC_DREP_LE)) {
1852                 pull->flags |= LIBNDR_FLAG_BIGENDIAN;
1853         }
1854
1855         status = dcesrv_check_verification_trailer(call);
1856         if (!NT_STATUS_IS_OK(status)) {
1857                 uint32_t faultcode = DCERPC_FAULT_OTHER;
1858                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
1859                         faultcode = DCERPC_FAULT_ACCESS_DENIED;
1860                 }
1861                 DEBUG(10, ("dcesrv_check_verification_trailer failed: %s\n",
1862                            nt_errstr(status)));
1863                 return dcesrv_fault(call, faultcode);
1864         }
1865
1866         /* unravel the NDR for the packet */
1867         status = call->context->iface->ndr_pull(call, call, pull, &call->r);
1868         if (!NT_STATUS_IS_OK(status)) {
1869                 uint8_t extra_flags = 0;
1870                 if (call->fault_code == DCERPC_FAULT_OP_RNG_ERROR) {
1871                         /* we got an unknown call */
1872                         DEBUG(3,(__location__ ": Unknown RPC call %u on %s\n",
1873                                  call->pkt.u.request.opnum,
1874                                  call->context->iface->name));
1875                         dcesrv_save_call(call, "unknown");
1876                         extra_flags |= DCERPC_PFC_FLAG_DID_NOT_EXECUTE;
1877                 } else {
1878                         dcesrv_save_call(call, "pullfail");
1879                 }
1880
1881                 return dcesrv_fault_with_flags(call, call->fault_code, extra_flags);
1882         }
1883
1884         dcesrv_save_ndr_fuzz_seed(call->pkt.u.request.stub_and_verifier,
1885                                   call,
1886                                   NDR_IN);
1887
1888         if (pull->offset != pull->data_size) {
1889                 dcesrv_save_call(call, "extrabytes");
1890                 DEBUG(3,("Warning: %d extra bytes in incoming RPC request\n",
1891                          pull->data_size - pull->offset));
1892         }
1893
1894         /* call the dispatch function */
1895         status = call->context->iface->dispatch(call, call, call->r);
1896         if (!NT_STATUS_IS_OK(status)) {
1897                 DEBUG(5,("dcerpc fault in call %s:%02x - %s\n",
1898                          call->context->iface->name,
1899                          call->pkt.u.request.opnum,
1900                          dcerpc_errstr(pull, call->fault_code)));
1901                 return dcesrv_fault(call, call->fault_code);
1902         }
1903
1904         /* add the call to the pending list */
1905         dcesrv_call_set_list(call, DCESRV_LIST_PENDING_CALL_LIST);
1906
1907         if (call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
1908                 return NT_STATUS_OK;
1909         }
1910
1911         return dcesrv_reply(call);
1912 }
1913
1914
1915 /*
1916   remove the call from the right list when freed
1917  */
1918 static int dcesrv_call_dequeue(struct dcesrv_call_state *call)
1919 {
1920         dcesrv_call_set_list(call, DCESRV_LIST_NONE);
1921         return 0;
1922 }
1923
1924 _PUBLIC_ const struct tsocket_address *dcesrv_connection_get_local_address(struct dcesrv_connection *conn)
1925 {
1926         return conn->local_address;
1927 }
1928
1929 _PUBLIC_ const struct tsocket_address *dcesrv_connection_get_remote_address(struct dcesrv_connection *conn)
1930 {
1931         return conn->remote_address;
1932 }
1933
1934 /*
1935   process some input to a dcerpc endpoint server.
1936 */
1937 static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
1938                                             struct ncacn_packet *pkt,
1939                                             DATA_BLOB blob)
1940 {
1941         NTSTATUS status;
1942         struct dcesrv_call_state *call;
1943         struct dcesrv_call_state *existing = NULL;
1944         size_t num_auth_ctx = 0;
1945         enum dcerpc_AuthType auth_type = 0;
1946         enum dcerpc_AuthLevel auth_level = 0;
1947         uint32_t auth_context_id = 0;
1948
1949         call = talloc_zero(dce_conn, struct dcesrv_call_state);
1950         if (!call) {
1951                 data_blob_free(&blob);
1952                 talloc_free(pkt);
1953                 return NT_STATUS_NO_MEMORY;
1954         }
1955         call->conn              = dce_conn;
1956         call->event_ctx         = dce_conn->event_ctx;
1957         call->state_flags       = call->conn->state_flags;
1958         call->time              = timeval_current();
1959         call->list              = DCESRV_LIST_NONE;
1960
1961         talloc_steal(call, pkt);
1962         talloc_steal(call, blob.data);
1963         call->pkt = *pkt;
1964
1965         if (dce_conn->max_auth_states == 0) {
1966                 call->auth_state = dce_conn->default_auth_state;
1967         } else if (call->pkt.auth_length == 0) {
1968                 if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
1969                     dce_conn->default_auth_level_connect != NULL)
1970                 {
1971                         call->auth_state = dce_conn->default_auth_level_connect;
1972                 } else {
1973                         call->auth_state = dce_conn->default_auth_state;
1974                 }
1975         }
1976
1977         if (call->auth_state == NULL) {
1978                 struct dcesrv_auth *a = NULL;
1979
1980                 auth_type = dcerpc_get_auth_type(&blob);
1981                 auth_level = dcerpc_get_auth_level(&blob);
1982                 auth_context_id = dcerpc_get_auth_context_id(&blob);
1983
1984                 if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
1985                         dce_conn->default_auth_level_connect = NULL;
1986                         if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
1987                                 dce_conn->got_explicit_auth_level_connect = true;
1988                         }
1989                 }
1990
1991                 for (a = dce_conn->auth_states; a != NULL; a = a->next) {
1992                         num_auth_ctx++;
1993
1994                         if (a->auth_type != auth_type) {
1995                                 continue;
1996                         }
1997                         if (a->auth_finished && a->auth_level != auth_level) {
1998                                 continue;
1999                         }
2000                         if (a->auth_context_id != auth_context_id) {
2001                                 continue;
2002                         }
2003
2004                         DLIST_PROMOTE(dce_conn->auth_states, a);
2005                         call->auth_state = a;
2006                         break;
2007                 }
2008         }
2009
2010         if (call->auth_state == NULL) {
2011                 struct dcesrv_auth *a = NULL;
2012
2013                 if (num_auth_ctx >= dce_conn->max_auth_states) {
2014                         return dcesrv_fault_disconnect(call,
2015                                         DCERPC_NCA_S_PROTO_ERROR);
2016                 }
2017
2018                 a = dcesrv_auth_create(dce_conn);
2019                 if (a == NULL) {
2020                         talloc_free(call);
2021                         return NT_STATUS_NO_MEMORY;
2022                 }
2023                 DLIST_ADD(dce_conn->auth_states, a);
2024                 if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
2025                         /*
2026                          * This can never be valid.
2027                          */
2028                         a->auth_invalid = true;
2029                 }
2030                 call->auth_state = a;
2031         }
2032
2033         talloc_set_destructor(call, dcesrv_call_dequeue);
2034
2035         if (call->conn->allow_bind) {
2036                 /*
2037                  * Only one bind is possible per connection
2038                  */
2039                 call->conn->allow_bind = false;
2040                 return dcesrv_bind(call);
2041         }
2042
2043         /* we have to check the signing here, before combining the
2044            pdus */
2045         if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
2046                 dcesrv_default_auth_state_prepare_request(call);
2047
2048                 if (call->auth_state->auth_started &&
2049                     !call->auth_state->auth_finished) {
2050                         return dcesrv_fault_disconnect(call,
2051                                         DCERPC_NCA_S_PROTO_ERROR);
2052                 }
2053
2054                 status = dcerpc_verify_ncacn_packet_header(&call->pkt,
2055                                 DCERPC_PKT_REQUEST,
2056                                 call->pkt.u.request.stub_and_verifier.length,
2057                                 0, /* required_flags */
2058                                 DCERPC_PFC_FLAG_FIRST |
2059                                 DCERPC_PFC_FLAG_LAST |
2060                                 DCERPC_PFC_FLAG_PENDING_CANCEL |
2061                                 0x08 | /* this is not defined, but should be ignored */
2062                                 DCERPC_PFC_FLAG_CONC_MPX |
2063                                 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
2064                                 DCERPC_PFC_FLAG_MAYBE |
2065                                 DCERPC_PFC_FLAG_OBJECT_UUID);
2066                 if (!NT_STATUS_IS_OK(status)) {
2067                         return dcesrv_fault_disconnect(call,
2068                                         DCERPC_NCA_S_PROTO_ERROR);
2069                 }
2070
2071                 if (call->pkt.frag_length > DCERPC_FRAG_MAX_SIZE) {
2072                         /*
2073                          * We don't use dcesrv_fault_disconnect()
2074                          * here, because we don't want to set
2075                          * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
2076                          *
2077                          * Note that we don't check against the negotiated
2078                          * max_recv_frag, but a hard coded value.
2079                          */
2080                         dcesrv_call_disconnect_after(call,
2081                                 "dcesrv_auth_request - frag_length too large");
2082                         return dcesrv_fault(call,
2083                                         DCERPC_NCA_S_PROTO_ERROR);
2084                 }
2085
2086                 if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) {
2087                         if (dce_conn->pending_call_list != NULL) {
2088                                 /*
2089                                  * concurrent requests are only allowed
2090                                  * if DCERPC_PFC_FLAG_CONC_MPX was negotiated.
2091                                  */
2092                                 if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
2093                                         dcesrv_call_disconnect_after(call,
2094                                                 "dcesrv_auth_request - "
2095                                                 "existing pending call without CONN_MPX");
2096                                         return dcesrv_fault(call,
2097                                                 DCERPC_NCA_S_PROTO_ERROR);
2098                                 }
2099                         }
2100                         /* only one request is possible in the fragmented list */
2101                         if (dce_conn->incoming_fragmented_call_list != NULL) {
2102                                 if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
2103                                         /*
2104                                          * Without DCERPC_PFC_FLAG_CONC_MPX
2105                                          * we need to return the FAULT on the
2106                                          * already existing call.
2107                                          *
2108                                          * This is important to get the
2109                                          * call_id and context_id right.
2110                                          */
2111                                         TALLOC_FREE(call);
2112                                         call = dce_conn->incoming_fragmented_call_list;
2113                                 }
2114                                 dcesrv_call_disconnect_after(call,
2115                                         "dcesrv_auth_request - "
2116                                         "existing fragmented call");
2117                                 return dcesrv_fault(call,
2118                                                 DCERPC_NCA_S_PROTO_ERROR);
2119                         }
2120                         if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_PENDING_CANCEL) {
2121                                 return dcesrv_fault_disconnect(call,
2122                                                 DCERPC_FAULT_NO_CALL_ACTIVE);
2123                         }
2124                         call->context = dcesrv_find_context(call->conn,
2125                                                 call->pkt.u.request.context_id);
2126                         if (call->context == NULL) {
2127                                 return dcesrv_fault_with_flags(call, DCERPC_NCA_S_UNKNOWN_IF,
2128                                         DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
2129                         }
2130                 } else {
2131                         const struct dcerpc_request *nr = &call->pkt.u.request;
2132                         const struct dcerpc_request *er = NULL;
2133                         int cmp;
2134
2135                         existing = dcesrv_find_fragmented_call(dce_conn,
2136                                                         call->pkt.call_id);
2137                         if (existing == NULL) {
2138                                 dcesrv_call_disconnect_after(call,
2139                                         "dcesrv_auth_request - "
2140                                         "no existing fragmented call");
2141                                 return dcesrv_fault(call,
2142                                                 DCERPC_NCA_S_PROTO_ERROR);
2143                         }
2144                         er = &existing->pkt.u.request;
2145
2146                         if (call->pkt.ptype != existing->pkt.ptype) {
2147                                 /* trying to play silly buggers are we? */
2148                                 return dcesrv_fault_disconnect(existing,
2149                                                 DCERPC_NCA_S_PROTO_ERROR);
2150                         }
2151                         cmp = memcmp(call->pkt.drep, existing->pkt.drep,
2152                                      sizeof(pkt->drep));
2153                         if (cmp != 0) {
2154                                 return dcesrv_fault_disconnect(existing,
2155                                                 DCERPC_NCA_S_PROTO_ERROR);
2156                         }
2157                         if (nr->context_id != er->context_id)  {
2158                                 return dcesrv_fault_disconnect(existing,
2159                                                 DCERPC_NCA_S_PROTO_ERROR);
2160                         }
2161                         if (nr->opnum != er->opnum)  {
2162                                 return dcesrv_fault_disconnect(existing,
2163                                                 DCERPC_NCA_S_PROTO_ERROR);
2164                         }
2165                 }
2166         }
2167
2168         if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
2169                 bool ok;
2170                 uint8_t payload_offset = DCERPC_REQUEST_LENGTH;
2171
2172                 if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
2173                         payload_offset += 16;
2174                 }
2175
2176                 ok = dcesrv_auth_pkt_pull(call, &blob,
2177                                           0, /* required_flags */
2178                                           DCERPC_PFC_FLAG_FIRST |
2179                                           DCERPC_PFC_FLAG_LAST |
2180                                           DCERPC_PFC_FLAG_PENDING_CANCEL |
2181                                           0x08 | /* this is not defined, but should be ignored */
2182                                           DCERPC_PFC_FLAG_CONC_MPX |
2183                                           DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
2184                                           DCERPC_PFC_FLAG_MAYBE |
2185                                           DCERPC_PFC_FLAG_OBJECT_UUID,
2186                                           payload_offset,
2187                                           &call->pkt.u.request.stub_and_verifier);
2188                 if (!ok) {
2189                         /*
2190                          * We don't use dcesrv_fault_disconnect()
2191                          * here, because we don't want to set
2192                          * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
2193                          */
2194                         dcesrv_call_disconnect_after(call,
2195                                                 "dcesrv_auth_request - failed");
2196                         if (call->fault_code == 0) {
2197                                 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
2198                         }
2199                         return dcesrv_fault(call, call->fault_code);
2200                 }
2201         }
2202
2203         /* see if this is a continued packet */
2204         if (existing != NULL) {
2205                 struct dcerpc_request *er = &existing->pkt.u.request;
2206                 const struct dcerpc_request *nr = &call->pkt.u.request;
2207                 size_t available;
2208                 size_t alloc_size;
2209                 size_t alloc_hint;
2210
2211                 /*
2212                  * Up to 4 MByte are allowed by all fragments
2213                  */
2214                 available = dce_conn->max_total_request_size;
2215                 if (er->stub_and_verifier.length > available) {
2216                         dcesrv_call_disconnect_after(existing,
2217                                 "dcesrv_auth_request - existing payload too large");
2218                         return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
2219                 }
2220                 available -= er->stub_and_verifier.length;
2221                 if (nr->alloc_hint > available) {
2222                         dcesrv_call_disconnect_after(existing,
2223                                 "dcesrv_auth_request - alloc hint too large");
2224                         return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
2225                 }
2226                 if (nr->stub_and_verifier.length > available) {
2227                         dcesrv_call_disconnect_after(existing,
2228                                 "dcesrv_auth_request - new payload too large");
2229                         return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
2230                 }
2231                 alloc_hint = er->stub_and_verifier.length + nr->alloc_hint;
2232                 /* allocate at least 1 byte */
2233                 alloc_hint = MAX(alloc_hint, 1);
2234                 alloc_size = er->stub_and_verifier.length +
2235                              nr->stub_and_verifier.length;
2236                 alloc_size = MAX(alloc_size, alloc_hint);
2237
2238                 er->stub_and_verifier.data =
2239                         talloc_realloc(existing,
2240                                        er->stub_and_verifier.data,
2241                                        uint8_t, alloc_size);
2242                 if (er->stub_and_verifier.data == NULL) {
2243                         TALLOC_FREE(call);
2244                         return dcesrv_fault_with_flags(existing,
2245                                                        DCERPC_FAULT_OUT_OF_RESOURCES,
2246                                                        DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
2247                 }
2248                 memcpy(er->stub_and_verifier.data +
2249                        er->stub_and_verifier.length,
2250                        nr->stub_and_verifier.data,
2251                        nr->stub_and_verifier.length);
2252                 er->stub_and_verifier.length += nr->stub_and_verifier.length;
2253
2254                 existing->pkt.pfc_flags |= (call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST);
2255
2256                 TALLOC_FREE(call);
2257                 call = existing;
2258         }
2259
2260         /* this may not be the last pdu in the chain - if its isn't then
2261            just put it on the incoming_fragmented_call_list and wait for the rest */
2262         if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
2263             !(call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST)) {
2264                 /*
2265                  * Up to 4 MByte are allowed by all fragments
2266                  */
2267                 if (call->pkt.u.request.alloc_hint > dce_conn->max_total_request_size) {
2268                         dcesrv_call_disconnect_after(call,
2269                                 "dcesrv_auth_request - initial alloc hint too large");
2270                         return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
2271                 }
2272                 dcesrv_call_set_list(call, DCESRV_LIST_FRAGMENTED_CALL_LIST);
2273                 return NT_STATUS_OK;
2274         }
2275
2276         /* This removes any fragments we may have had stashed away */
2277         dcesrv_call_set_list(call, DCESRV_LIST_NONE);
2278
2279         switch (call->pkt.ptype) {
2280         case DCERPC_PKT_BIND:
2281                 status = dcesrv_bind_nak(call,
2282                         DCERPC_BIND_NAK_REASON_NOT_SPECIFIED);
2283                 break;
2284         case DCERPC_PKT_AUTH3:
2285                 status = dcesrv_auth3(call);
2286                 break;
2287         case DCERPC_PKT_ALTER:
2288                 status = dcesrv_alter(call);
2289                 break;
2290         case DCERPC_PKT_REQUEST:
2291                 status = dcesrv_request(call);
2292                 break;
2293         case DCERPC_PKT_CO_CANCEL:
2294         case DCERPC_PKT_ORPHANED:
2295                 /*
2296                  * Window just ignores CO_CANCEL and ORPHANED,
2297                  * so we do...
2298                  */
2299                 status = NT_STATUS_OK;
2300                 TALLOC_FREE(call);
2301                 break;
2302         case DCERPC_PKT_BIND_ACK:
2303         case DCERPC_PKT_BIND_NAK:
2304         case DCERPC_PKT_ALTER_RESP:
2305         case DCERPC_PKT_RESPONSE:
2306         case DCERPC_PKT_FAULT:
2307         case DCERPC_PKT_SHUTDOWN:
2308         default:
2309                 status = dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
2310                 break;
2311         }
2312
2313         /* if we are going to be sending a reply then add
2314            it to the list of pending calls. We add it to the end to keep the call
2315            list in the order we will answer */
2316         if (!NT_STATUS_IS_OK(status)) {
2317                 talloc_free(call);
2318         }
2319
2320         return status;
2321 }
2322
2323 _PUBLIC_ NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx,
2324                                       struct loadparm_context *lp_ctx,
2325                                       struct dcesrv_context_callbacks *cb,
2326                                       struct dcesrv_context **_dce_ctx)
2327 {
2328         struct dcesrv_context *dce_ctx;
2329
2330         dce_ctx = talloc_zero(mem_ctx, struct dcesrv_context);
2331         NT_STATUS_HAVE_NO_MEMORY(dce_ctx);
2332
2333         if (uid_wrapper_enabled()) {
2334                 setenv("UID_WRAPPER_MYUID", "1", 1);
2335         }
2336         dce_ctx->initial_euid = geteuid();
2337         if (uid_wrapper_enabled()) {
2338                 unsetenv("UID_WRAPPER_MYUID");
2339         }
2340
2341         dce_ctx->endpoint_list  = NULL;
2342         dce_ctx->lp_ctx = lp_ctx;
2343         dce_ctx->assoc_groups_idr = idr_init(dce_ctx);
2344         NT_STATUS_HAVE_NO_MEMORY(dce_ctx->assoc_groups_idr);
2345         dce_ctx->broken_connections = NULL;
2346         if (cb != NULL) {
2347                 dce_ctx->callbacks = *cb;
2348         }
2349
2350         *_dce_ctx = dce_ctx;
2351         return NT_STATUS_OK;
2352 }
2353
2354 _PUBLIC_ NTSTATUS dcesrv_reinit_context(struct dcesrv_context *dce_ctx)
2355 {
2356         NTSTATUS status;
2357
2358         status = dcesrv_shutdown_registered_ep_servers(dce_ctx);
2359         if (!NT_STATUS_IS_OK(status)) {
2360                 return status;
2361         }
2362
2363         /* Clear endpoints */
2364         while (dce_ctx->endpoint_list != NULL) {
2365                 struct dcesrv_endpoint *e = dce_ctx->endpoint_list;
2366                 DLIST_REMOVE(dce_ctx->endpoint_list, e);
2367                 TALLOC_FREE(e);
2368         }
2369
2370         /* Remove broken connections */
2371         dcesrv_cleanup_broken_connections(dce_ctx);
2372
2373         /* Reinit assoc group idr */
2374         TALLOC_FREE(dce_ctx->assoc_groups_idr);
2375         dce_ctx->assoc_groups_idr = idr_init(dce_ctx);
2376         if (dce_ctx->assoc_groups_idr == NULL) {
2377                 return NT_STATUS_NO_MEMORY;
2378         }
2379
2380         return NT_STATUS_OK;
2381 }
2382
2383 _PUBLIC_ NTSTATUS dcesrv_init_ep_servers(struct dcesrv_context *dce_ctx,
2384                                          const char **endpoint_servers)
2385 {
2386         NTSTATUS status;
2387         int i;
2388
2389         if (endpoint_servers == NULL) {
2390                 DBG_ERR("No endpoint servers configured\n");
2391                 return NT_STATUS_INTERNAL_ERROR;
2392         }
2393
2394         for (i=0;endpoint_servers[i];i++) {
2395                 status = dcesrv_init_ep_server(dce_ctx, endpoint_servers[i]);
2396                 if (!NT_STATUS_IS_OK(status)) {
2397                         DBG_ERR("failed to init endpoint server = '%s': %s\n",
2398                                 endpoint_servers[i], nt_errstr(status));
2399                         return status;
2400                 }
2401         }
2402
2403         return NT_STATUS_OK;
2404 }
2405
2406 /* the list of currently registered DCERPC endpoint servers.
2407  */
2408 static struct ep_server {
2409         struct dcesrv_endpoint_server *ep_server;
2410 } *ep_servers = NULL;
2411 static int num_ep_servers = 0;
2412
2413 _PUBLIC_ NTSTATUS dcesrv_init_registered_ep_servers(
2414                                         struct dcesrv_context *dce_ctx)
2415 {
2416         NTSTATUS status;
2417         int i;
2418
2419         for (i = 0; i < num_ep_servers; i++) {
2420                 status = dcesrv_init_ep_server(dce_ctx,
2421                                                ep_servers[i].ep_server->name);
2422                 if (!NT_STATUS_IS_OK(status)) {
2423                         return status;
2424                 }
2425         }
2426
2427         return NT_STATUS_OK;
2428 }
2429
2430 _PUBLIC_ NTSTATUS dcesrv_init_ep_server(struct dcesrv_context *dce_ctx,
2431                                         const char *ep_server_name)
2432 {
2433         struct dcesrv_endpoint_server *ep_server = NULL;
2434         NTSTATUS status;
2435
2436         ep_server = discard_const_p(struct dcesrv_endpoint_server,
2437                                     dcesrv_ep_server_byname(ep_server_name));
2438         if (ep_server == NULL) {
2439                 DBG_ERR("Failed to find endpoint server '%s'\n",
2440                         ep_server_name);
2441                 return NT_STATUS_INTERNAL_ERROR;
2442         }
2443
2444         if (ep_server->initialized) {
2445                 return NT_STATUS_OK;
2446         }
2447
2448         status = ep_server->init_server(dce_ctx, ep_server);
2449         if (!NT_STATUS_IS_OK(status)) {
2450                 DBG_ERR("Failed to init endpoint server '%s': %s\n",
2451                         ep_server_name, nt_errstr(status));
2452                 return status;
2453         }
2454
2455         ep_server->initialized = true;
2456
2457         return NT_STATUS_OK;
2458 }
2459
2460 _PUBLIC_ NTSTATUS dcesrv_shutdown_registered_ep_servers(
2461                                         struct dcesrv_context *dce_ctx)
2462 {
2463         NTSTATUS status;
2464         int i;
2465
2466         for (i = 0; i < num_ep_servers; i++) {
2467                 status = dcesrv_shutdown_ep_server(dce_ctx,
2468                                         ep_servers[i].ep_server->name);
2469                 if (!NT_STATUS_IS_OK(status)) {
2470                         return status;
2471                 }
2472         }
2473
2474         return NT_STATUS_OK;
2475 }
2476
2477 _PUBLIC_ NTSTATUS dcesrv_shutdown_ep_server(struct dcesrv_context *dce_ctx,
2478                                             const char *ep_server_name)
2479 {
2480         struct dcesrv_endpoint_server *ep_server = NULL;
2481         NTSTATUS status;
2482
2483         ep_server = discard_const_p(struct dcesrv_endpoint_server,
2484                                     dcesrv_ep_server_byname(ep_server_name));
2485         if (ep_server == NULL) {
2486                 DBG_ERR("Failed to find endpoint server '%s'\n",
2487                         ep_server_name);
2488                 return NT_STATUS_INTERNAL_ERROR;
2489         }
2490
2491         if (!ep_server->initialized) {
2492                 return NT_STATUS_OK;
2493         }
2494
2495         DBG_INFO("Shutting down DCE/RPC endpoint server '%s'\n",
2496                  ep_server_name);
2497
2498         status = ep_server->shutdown_server(dce_ctx, ep_server);
2499         if (!NT_STATUS_IS_OK(status)) {
2500                 DBG_ERR("Failed to shutdown endpoint server '%s': %s\n",
2501                         ep_server_name, nt_errstr(status));
2502                 return status;
2503         }
2504
2505         ep_server->initialized = false;
2506
2507         return NT_STATUS_OK;
2508 }
2509
2510 /*
2511   register a DCERPC endpoint server.
2512
2513   The 'name' can be later used by other backends to find the operations
2514   structure for this backend.
2515
2516 */
2517 _PUBLIC_ NTSTATUS dcerpc_register_ep_server(const struct dcesrv_endpoint_server *ep_server)
2518 {
2519
2520         if (dcesrv_ep_server_byname(ep_server->name) != NULL) {
2521                 /* its already registered! */
2522                 DEBUG(0,("DCERPC endpoint server '%s' already registered\n",
2523                          ep_server->name));
2524                 return NT_STATUS_OBJECT_NAME_COLLISION;
2525         }
2526
2527         ep_servers = realloc_p(ep_servers, struct ep_server, num_ep_servers+1);
2528         if (!ep_servers) {
2529                 smb_panic("out of memory in dcerpc_register");
2530         }
2531
2532         ep_servers[num_ep_servers].ep_server = smb_xmemdup(ep_server, sizeof(*ep_server));
2533         ep_servers[num_ep_servers].ep_server->name = smb_xstrdup(ep_server->name);
2534
2535         num_ep_servers++;
2536
2537         DEBUG(3,("DCERPC endpoint server '%s' registered\n",
2538                  ep_server->name));
2539
2540         return NT_STATUS_OK;
2541 }
2542
2543 /*
2544   return the operations structure for a named backend of the specified type
2545 */
2546 _PUBLIC_ const struct dcesrv_endpoint_server *dcesrv_ep_server_byname(const char *name)
2547 {
2548         int i;
2549
2550         for (i=0;i<num_ep_servers;i++) {
2551                 if (strcmp(ep_servers[i].ep_server->name, name) == 0) {
2552                         return ep_servers[i].ep_server;
2553                 }
2554         }
2555
2556         return NULL;
2557 }
2558
2559 /*
2560   return the DCERPC module version, and the size of some critical types
2561   This can be used by endpoint server modules to either detect compilation errors, or provide
2562   multiple implementations for different smbd compilation options in one module
2563 */
2564 const struct dcesrv_critical_sizes *dcerpc_module_version(void)
2565 {
2566         static const struct dcesrv_critical_sizes critical_sizes = {
2567                 DCERPC_MODULE_VERSION,
2568                 sizeof(struct dcesrv_context),
2569                 sizeof(struct dcesrv_endpoint),
2570                 sizeof(struct dcesrv_endpoint_server),
2571                 sizeof(struct dcesrv_interface),
2572                 sizeof(struct dcesrv_if_list),
2573                 sizeof(struct dcesrv_connection),
2574                 sizeof(struct dcesrv_call_state),
2575                 sizeof(struct dcesrv_auth),
2576                 sizeof(struct dcesrv_handle)
2577         };
2578
2579         return &critical_sizes;
2580 }
2581
2582 _PUBLIC_ void dcesrv_terminate_connection(struct dcesrv_connection *dce_conn, const char *reason)
2583 {
2584         struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2585         struct dcesrv_auth *a = NULL;
2586
2587         dce_conn->wait_send = NULL;
2588         dce_conn->wait_recv = NULL;
2589         dce_conn->wait_private = NULL;
2590
2591         dce_conn->allow_bind = false;
2592         dce_conn->allow_alter = false;
2593
2594         dce_conn->default_auth_state->auth_invalid = true;
2595
2596         for (a = dce_conn->auth_states; a != NULL; a = a->next) {
2597                 a->auth_invalid = true;
2598         }
2599
2600         if (dce_conn->pending_call_list == NULL) {
2601                 char *full_reason = talloc_asprintf(dce_conn, "dcesrv: %s", reason);
2602
2603                 DLIST_REMOVE(dce_ctx->broken_connections, dce_conn);
2604                 dce_conn->transport.terminate_connection(dce_conn,
2605                                         full_reason ? full_reason : reason);
2606                 return;
2607         }
2608
2609         if (dce_conn->terminate != NULL) {
2610                 return;
2611         }
2612
2613         DEBUG(3,("dcesrv: terminating connection due to '%s' deferred due to pending calls\n",
2614                  reason));
2615         dce_conn->terminate = talloc_strdup(dce_conn, reason);
2616         if (dce_conn->terminate == NULL) {
2617                 dce_conn->terminate = "dcesrv: deferred terminating connection - no memory";
2618         }
2619         DLIST_ADD_END(dce_ctx->broken_connections, dce_conn);
2620 }
2621
2622 _PUBLIC_ void dcesrv_cleanup_broken_connections(struct dcesrv_context *dce_ctx)
2623 {
2624         struct dcesrv_connection *cur, *next;
2625
2626         next = dce_ctx->broken_connections;
2627         while (next != NULL) {
2628                 cur = next;
2629                 next = cur->next;
2630
2631                 if (cur->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
2632                         struct dcesrv_connection_context *context_cur, *context_next;
2633
2634                         context_next = cur->contexts;
2635                         while (context_next != NULL) {
2636                                 context_cur = context_next;
2637                                 context_next = context_cur->next;
2638
2639                                 dcesrv_connection_context_destructor(context_cur);
2640                         }
2641                 }
2642
2643                 dcesrv_terminate_connection(cur, cur->terminate);
2644         }
2645 }
2646
2647 /* We need this include to be able to compile on some plateforms
2648  * (ie. freebsd 7.2) as it seems that <sys/uio.h> is not included
2649  * correctly.
2650  * It has to be that deep because otherwise we have a conflict on
2651  * const struct dcesrv_interface declaration.
2652  * This is mostly due to socket_wrapper defining #define bind swrap_bind
2653  * which conflict with the bind used before.
2654  */
2655 #include "system/network.h"
2656
2657 struct dcesrv_sock_reply_state {
2658         struct dcesrv_connection *dce_conn;
2659         struct dcesrv_call_state *call;
2660         struct iovec iov;
2661 };
2662
2663 static void dcesrv_sock_reply_done(struct tevent_req *subreq);
2664 static void dcesrv_call_terminate_step1(struct tevent_req *subreq);
2665
2666 _PUBLIC_ void dcesrv_sock_report_output_data(struct dcesrv_connection *dce_conn)
2667 {
2668         struct dcesrv_call_state *call;
2669
2670         call = dce_conn->call_list;
2671         if (!call || !call->replies) {
2672                 return;
2673         }
2674
2675         while (call->replies) {
2676                 struct data_blob_list_item *rep = call->replies;
2677                 struct dcesrv_sock_reply_state *substate;
2678                 struct tevent_req *subreq;
2679
2680                 substate = talloc_zero(call, struct dcesrv_sock_reply_state);
2681                 if (!substate) {
2682                         dcesrv_terminate_connection(dce_conn, "no memory");
2683                         return;
2684                 }
2685
2686                 substate->dce_conn = dce_conn;
2687                 substate->call = NULL;
2688
2689                 DLIST_REMOVE(call->replies, rep);
2690
2691                 if (call->replies == NULL && call->terminate_reason == NULL) {
2692                         substate->call = call;
2693                 }
2694
2695                 substate->iov.iov_base = (void *) rep->blob.data;
2696                 substate->iov.iov_len = rep->blob.length;
2697
2698                 subreq = tstream_writev_queue_send(substate,
2699                                                    dce_conn->event_ctx,
2700                                                    dce_conn->stream,
2701                                                    dce_conn->send_queue,
2702                                                    &substate->iov, 1);
2703                 if (!subreq) {
2704                         dcesrv_terminate_connection(dce_conn, "no memory");
2705                         return;
2706                 }
2707                 tevent_req_set_callback(subreq, dcesrv_sock_reply_done,
2708                                         substate);
2709         }
2710
2711         if (call->terminate_reason != NULL) {
2712                 struct tevent_req *subreq;
2713
2714                 subreq = tevent_queue_wait_send(call,
2715                                                 dce_conn->event_ctx,
2716                                                 dce_conn->send_queue);
2717                 if (!subreq) {
2718                         dcesrv_terminate_connection(dce_conn, __location__);
2719                         return;
2720                 }
2721                 tevent_req_set_callback(subreq, dcesrv_call_terminate_step1,
2722                                         call);
2723         }
2724
2725         DLIST_REMOVE(call->conn->call_list, call);
2726         call->list = DCESRV_LIST_NONE;
2727 }
2728
2729 static void dcesrv_sock_reply_done(struct tevent_req *subreq)
2730 {
2731         struct dcesrv_sock_reply_state *substate = tevent_req_callback_data(subreq,
2732                                                 struct dcesrv_sock_reply_state);
2733         int ret;
2734         int sys_errno;
2735         NTSTATUS status;
2736         struct dcesrv_call_state *call = substate->call;
2737
2738         ret = tstream_writev_queue_recv(subreq, &sys_errno);
2739         TALLOC_FREE(subreq);
2740         if (ret == -1) {
2741                 status = map_nt_error_from_unix_common(sys_errno);
2742                 dcesrv_terminate_connection(substate->dce_conn, nt_errstr(status));
2743                 return;
2744         }
2745
2746         talloc_free(substate);
2747         if (call) {
2748                 talloc_free(call);
2749         }
2750 }
2751
2752 static void dcesrv_call_terminate_step2(struct tevent_req *subreq);
2753
2754 static void dcesrv_call_terminate_step1(struct tevent_req *subreq)
2755 {
2756         struct dcesrv_call_state *call = tevent_req_callback_data(subreq,
2757                                                 struct dcesrv_call_state);
2758         bool ok;
2759         struct timeval tv;
2760
2761         /* make sure we stop send queue before removing subreq */
2762         tevent_queue_stop(call->conn->send_queue);
2763
2764         ok = tevent_queue_wait_recv(subreq);
2765         TALLOC_FREE(subreq);
2766         if (!ok) {
2767                 dcesrv_terminate_connection(call->conn, __location__);
2768                 return;
2769         }
2770
2771         /* disconnect after 200 usecs */
2772         tv = timeval_current_ofs_usec(200);
2773         subreq = tevent_wakeup_send(call, call->conn->event_ctx, tv);
2774         if (subreq == NULL) {
2775                 dcesrv_terminate_connection(call->conn, __location__);
2776                 return;
2777         }
2778         tevent_req_set_callback(subreq, dcesrv_call_terminate_step2,
2779                                 call);
2780 }
2781
2782 static void dcesrv_call_terminate_step2(struct tevent_req *subreq)
2783 {
2784         struct dcesrv_call_state *call = tevent_req_callback_data(subreq,
2785                                                 struct dcesrv_call_state);
2786         bool ok;
2787
2788         ok = tevent_wakeup_recv(subreq);
2789         TALLOC_FREE(subreq);
2790         if (!ok) {
2791                 dcesrv_terminate_connection(call->conn, __location__);
2792                 return;
2793         }
2794
2795         dcesrv_terminate_connection(call->conn, call->terminate_reason);
2796 }
2797
2798 static void dcesrv_conn_wait_done(struct tevent_req *subreq);
2799
2800 static void dcesrv_read_fragment_done(struct tevent_req *subreq)
2801 {
2802         struct dcesrv_connection *dce_conn = tevent_req_callback_data(subreq,
2803                                              struct dcesrv_connection);
2804         struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2805         struct ncacn_packet *pkt;
2806         DATA_BLOB buffer;
2807         NTSTATUS status;
2808
2809         if (dce_conn->terminate) {
2810                 /*
2811                  * if the current connection is broken
2812                  * we need to clean it up before any other connection
2813                  */
2814                 dcesrv_terminate_connection(dce_conn, dce_conn->terminate);
2815                 dcesrv_cleanup_broken_connections(dce_ctx);
2816                 return;
2817         }
2818
2819         dcesrv_cleanup_broken_connections(dce_ctx);
2820
2821         status = dcerpc_read_ncacn_packet_recv(subreq, dce_conn,
2822                                                &pkt, &buffer);
2823         TALLOC_FREE(subreq);
2824         if (!NT_STATUS_IS_OK(status)) {
2825                 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2826                 return;
2827         }
2828
2829         status = dcesrv_process_ncacn_packet(dce_conn, pkt, buffer);
2830         if (!NT_STATUS_IS_OK(status)) {
2831                 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2832                 return;
2833         }
2834
2835         /*
2836          * This is used to block the connection during
2837          * pending authentication.
2838          */
2839         if (dce_conn->wait_send != NULL) {
2840                 subreq = dce_conn->wait_send(dce_conn,
2841                                              dce_conn->event_ctx,
2842                                              dce_conn->wait_private);
2843                 if (!subreq) {
2844                         status = NT_STATUS_NO_MEMORY;
2845                         dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2846                         return;
2847                 }
2848                 tevent_req_set_callback(subreq, dcesrv_conn_wait_done, dce_conn);
2849                 return;
2850         }
2851
2852         subreq = dcerpc_read_ncacn_packet_send(dce_conn,
2853                                                dce_conn->event_ctx,
2854                                                dce_conn->stream);
2855         if (!subreq) {
2856                 status = NT_STATUS_NO_MEMORY;
2857                 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2858                 return;
2859         }
2860         tevent_req_set_callback(subreq, dcesrv_read_fragment_done, dce_conn);
2861 }
2862
2863 static void dcesrv_conn_wait_done(struct tevent_req *subreq)
2864 {
2865         struct dcesrv_connection *dce_conn = tevent_req_callback_data(subreq,
2866                                              struct dcesrv_connection);
2867         struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2868         NTSTATUS status;
2869
2870         if (dce_conn->terminate) {
2871                 /*
2872                  * if the current connection is broken
2873                  * we need to clean it up before any other connection
2874                  */
2875                 dcesrv_terminate_connection(dce_conn, dce_conn->terminate);
2876                 dcesrv_cleanup_broken_connections(dce_ctx);
2877                 return;
2878         }
2879
2880         dcesrv_cleanup_broken_connections(dce_ctx);
2881
2882         status = dce_conn->wait_recv(subreq);
2883         dce_conn->wait_send = NULL;
2884         dce_conn->wait_recv = NULL;
2885         dce_conn->wait_private = NULL;
2886         TALLOC_FREE(subreq);
2887         if (!NT_STATUS_IS_OK(status)) {
2888                 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2889                 return;
2890         }
2891
2892         status = dcesrv_connection_loop_start(dce_conn);
2893         if (!NT_STATUS_IS_OK(status)) {
2894                 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2895                 return;
2896         }
2897 }
2898
2899 /**
2900  * retrieve credentials from a dce_call
2901  */
2902 _PUBLIC_ struct cli_credentials *dcesrv_call_credentials(struct dcesrv_call_state *dce_call)
2903 {
2904         struct dcesrv_auth *auth = dce_call->auth_state;
2905         SMB_ASSERT(auth->auth_finished);
2906         return auth->session_info->credentials;
2907 }
2908
2909 /**
2910  * returns true if this is an authenticated call
2911  */
2912 _PUBLIC_ bool dcesrv_call_authenticated(struct dcesrv_call_state *dce_call)
2913 {
2914         struct dcesrv_auth *auth = dce_call->auth_state;
2915         enum security_user_level level;
2916         SMB_ASSERT(auth->auth_finished);
2917         level = security_session_user_level(auth->session_info, NULL);
2918         return level >= SECURITY_USER;
2919 }
2920
2921 /**
2922  * retrieve account_name for a dce_call
2923  */
2924 _PUBLIC_ const char *dcesrv_call_account_name(struct dcesrv_call_state *dce_call)
2925 {
2926         struct dcesrv_auth *auth = dce_call->auth_state;
2927         SMB_ASSERT(auth->auth_finished);
2928         return auth->session_info->info->account_name;
2929 }
2930
2931 /**
2932  * retrieve session_info from a dce_call
2933  */
2934 _PUBLIC_ struct auth_session_info *dcesrv_call_session_info(struct dcesrv_call_state *dce_call)
2935 {
2936         struct dcesrv_auth *auth = dce_call->auth_state;
2937         SMB_ASSERT(auth->auth_finished);
2938         return auth->session_info;
2939 }
2940
2941 /**
2942  * retrieve auth type/level from a dce_call
2943  */
2944 _PUBLIC_ void dcesrv_call_auth_info(struct dcesrv_call_state *dce_call,
2945                                     enum dcerpc_AuthType *auth_type,
2946                                     enum dcerpc_AuthLevel *auth_level)
2947 {
2948         struct dcesrv_auth *auth = dce_call->auth_state;
2949
2950         SMB_ASSERT(auth->auth_finished);
2951
2952         if (auth_type != NULL) {
2953                 *auth_type = auth->auth_type;
2954         }
2955         if (auth_level != NULL) {
2956                 *auth_level = auth->auth_level;
2957         }
2958 }
2959
2960 _PUBLIC_ NTSTATUS dcesrv_connection_loop_start(struct dcesrv_connection *conn)
2961 {
2962         struct tevent_req *subreq;
2963
2964         subreq = dcerpc_read_ncacn_packet_send(conn,
2965                                                conn->event_ctx,
2966                                                conn->stream);
2967         if (subreq == NULL) {
2968                 return NT_STATUS_NO_MEMORY;
2969         }
2970         tevent_req_set_callback(subreq, dcesrv_read_fragment_done, conn);
2971
2972         return NT_STATUS_OK;
2973 }
Samba Shared Repository