/*
find the earlier parts of a fragmented call awaiting reassembily
*/
-static struct dcesrv_call_state *dcesrv_find_fragmented_call(struct dcesrv_connection *dce_conn, uint16_t call_id)
+static struct dcesrv_call_state *dcesrv_find_fragmented_call(struct dcesrv_connection *dce_conn, uint32_t call_id)
{
struct dcesrv_call_state *c;
for (c=dce_conn->incoming_fragmented_call_list;c;c=c->next) {
enum dcerpc_transport_t transport;
char *ep_string = NULL;
bool use_single_process = true;
-
+ const char *ep_process_string;
+
/*
* If we are not using handles, there is no need for force
* this service into using a single process.
* If we have mulitiple endpoints on port 0, they each
* get an epemeral port (currently by walking up from
* 1024).
+ *
+ * Because one endpoint can only have one process
+ * model, we add a new IP_TCP endpoint for each model.
+ *
+ * This works in conjunction with the forced overwrite
+ * of ep->use_single_process below.
*/
- if (!use_single_process && transport == NCACN_IP_TCP) {
+ if (ep->use_single_process != use_single_process
+ && transport == NCACN_IP_TCP) {
add_ep = true;
}
}
/* Re-get the string as we may have set a port */
ep_string = dcerpc_binding_string(dce_ctx, ep->ep_description);
- DEBUG(4,("dcesrv_interface_register: interface '%s' registered on endpoint '%s'\n",
- iface->name, ep_string));
+ if (use_single_process) {
+ ep_process_string = "single process required";
+ } else {
+ ep_process_string = "multi process compatible";
+ }
+
+ DBG_INFO("dcesrv_interface_register: interface '%s' "
+ "registered on endpoint '%s' (%s)\n",
+ iface->name, ep_string, ep_process_string);
TALLOC_FREE(ep_string);
return NT_STATUS_OK;
}
-NTSTATUS dcesrv_inherited_session_key(struct dcesrv_connection *p,
- DATA_BLOB *session_key)
+static NTSTATUS dcesrv_session_info_session_key(struct dcesrv_auth *auth,
+ DATA_BLOB *session_key)
{
- if (p->auth_state.session_info->session_key.length) {
- *session_key = p->auth_state.session_info->session_key;
- return NT_STATUS_OK;
+ if (auth->session_info == NULL) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
+ if (auth->session_info->session_key.length == 0) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
}
- return NT_STATUS_NO_USER_SESSION_KEY;
+
+ *session_key = auth->session_info->session_key;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS dcesrv_remote_session_key(struct dcesrv_auth *auth,
+ DATA_BLOB *session_key)
+{
+ if (auth->auth_type != DCERPC_AUTH_TYPE_NONE) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
+ return dcesrv_session_info_session_key(auth, session_key);
+}
+
+static NTSTATUS dcesrv_local_fixed_session_key(struct dcesrv_auth *auth,
+ DATA_BLOB *session_key)
+{
+ return dcerpc_generic_session_key(NULL, session_key);
}
/*
- fetch the user session key - may be default (above) or the SMB session key
+ * Fetch the authentication session key if available.
+ *
+ * This is the key generated by a gensec authentication.
+ *
+ */
+_PUBLIC_ NTSTATUS dcesrv_auth_session_key(struct dcesrv_call_state *call,
+ DATA_BLOB *session_key)
+{
+ struct dcesrv_auth *auth = call->auth_state;
+
+ return dcesrv_session_info_session_key(auth, session_key);
+}
- The key is always truncated to 16 bytes
+/*
+ * Fetch the transport session key if available.
+ * Typically this is the SMB session key
+ * or a fixed key for local transports.
+ *
+ * The key is always truncated to 16 bytes.
*/
-_PUBLIC_ NTSTATUS dcesrv_fetch_session_key(struct dcesrv_connection *p,
- DATA_BLOB *session_key)
+_PUBLIC_ NTSTATUS dcesrv_transport_session_key(struct dcesrv_call_state *call,
+ DATA_BLOB *session_key)
{
- NTSTATUS status = p->auth_state.session_key(p, session_key);
+ struct dcesrv_auth *auth = call->auth_state;
+ NTSTATUS status;
+
+ if (auth->session_key_fn == NULL) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
+ status = auth->session_key_fn(auth, session_key);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_OK;
}
+static struct dcesrv_auth *dcesrv_auth_create(struct dcesrv_connection *conn)
+{
+ const struct dcesrv_endpoint *ep = conn->endpoint;
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(ep->ep_description);
+ struct dcesrv_auth *auth = NULL;
+
+ auth = talloc_zero(conn, struct dcesrv_auth);
+ if (auth == NULL) {
+ return NULL;
+ }
+
+ switch (transport) {
+ case NCACN_NP:
+ auth->session_key_fn = dcesrv_remote_session_key;
+ break;
+ case NCALRPC:
+ case NCACN_UNIX_STREAM:
+ auth->session_key_fn = dcesrv_local_fixed_session_key;
+ break;
+ default:
+ /*
+ * All other's get a NULL pointer, which
+ * results in NT_STATUS_NO_USER_SESSION_KEY
+ */
+ break;
+ }
+
+ return auth;
+}
+
/*
connect to a dcerpc endpoint
*/
-_PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
+static NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
TALLOC_CTX *mem_ctx,
const struct dcesrv_endpoint *ep,
struct auth_session_info *session_info,
uint32_t state_flags,
struct dcesrv_connection **_p)
{
+ struct dcesrv_auth *auth = NULL;
struct dcesrv_connection *p;
if (!session_info) {
p = talloc_zero(mem_ctx, struct dcesrv_connection);
NT_STATUS_HAVE_NO_MEMORY(p);
- if (!talloc_reference(p, session_info)) {
- talloc_free(p);
- return NT_STATUS_NO_MEMORY;
- }
-
p->dce_ctx = dce_ctx;
p->endpoint = ep;
p->packet_log_dir = lpcfg_lock_directory(dce_ctx->lp_ctx);
- p->auth_state.session_info = session_info;
- p->auth_state.session_key = dcesrv_generic_session_key;
p->event_ctx = event_ctx;
p->msg_ctx = msg_ctx;
p->server_id = server_id;
p->max_xmit_frag = 5840;
p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE;
+ auth = dcesrv_auth_create(p);
+ if (auth == NULL) {
+ talloc_free(p);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ auth->session_info = talloc_reference(auth, session_info);
+ if (auth->session_info == NULL) {
+ talloc_free(p);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ p->default_auth_state = auth;
+
/*
* For now we only support NDR32.
*/
call->conn->allow_bind = false;
call->conn->allow_alter = false;
- call->conn->allow_auth3 = false;
- call->conn->allow_request = false;
+
+ call->conn->default_auth_state->auth_invalid = true;
call->terminate_reason = talloc_strdup(call, reason);
if (call->terminate_reason == NULL) {
uint16_t max_rep = 0;
const char *ep_prefix = "";
const char *endpoint = NULL;
- struct dcesrv_auth *auth = &call->conn->auth_state;
+ struct dcesrv_auth *auth = call->auth_state;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
struct dcerpc_ack_ctx *ack_features = NULL;
struct tevent_req *subreq = NULL;
DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN;
}
- call->conn->bind_time_features = a->reason.negotiate;
+ call->conn->assoc_group->bind_time_features = a->reason.negotiate;
}
/*
static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
{
struct dcesrv_connection *conn = call->conn;
- struct dcesrv_auth *auth = &call->conn->auth_state;
+ struct dcesrv_auth *auth = call->auth_state;
struct tevent_req *subreq = NULL;
NTSTATUS status;
- if (!call->conn->allow_auth3) {
+ if (!auth->auth_started) {
return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
}
- if (call->conn->auth_state.auth_finished) {
+ if (auth->auth_finished) {
return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
}
* In anycase we mark the connection as
* invalid.
*/
- call->conn->auth_state.auth_invalid = true;
+ auth->auth_invalid = true;
if (call->fault_code != 0) {
return dcesrv_fault_disconnect(call, call->fault_code);
}
tevent_req_callback_data(subreq,
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_auth *auth = call->auth_state;
NTSTATUS status;
status = gensec_update_recv(subreq, call,
* In anycase we mark the connection as
* invalid.
*/
- call->conn->auth_state.auth_invalid = true;
+ auth->auth_invalid = true;
if (call->fault_code != 0) {
status = dcesrv_fault_disconnect(call, call->fault_code);
dcesrv_conn_auth_wait_finished(conn, status);
context->context_id = ctx->context_id;
context->iface = iface;
context->transfer_syntax = *selected_transfer;
- context->private_data = NULL;
DLIST_ADD(call->conn->contexts, context);
call->context = context;
talloc_set_destructor(context, dcesrv_connection_context_destructor);
bool auth_ok = false;
struct ncacn_packet *pkt = &call->ack_pkt;
uint32_t extra_flags = 0;
- struct dcesrv_auth *auth = &call->conn->auth_state;
+ struct dcesrv_auth *auth = call->auth_state;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
struct tevent_req *subreq = NULL;
size_t i;
/* handle any authentication that is being requested */
if (!auth_ok) {
- if (call->in_auth_info.auth_type !=
- call->conn->auth_state.auth_type)
- {
+ if (call->in_auth_info.auth_type != auth->auth_type) {
return dcesrv_fault_disconnect(call,
DCERPC_FAULT_SEC_PKG_ERROR);
}
static NTSTATUS dcesrv_check_verification_trailer(struct dcesrv_call_state *call)
{
TALLOC_CTX *frame = talloc_stackframe();
- const uint32_t bitmask1 = call->conn->auth_state.client_hdr_signing ?
+ const struct dcesrv_auth *auth = call->auth_state;
+ const uint32_t bitmask1 = auth->client_hdr_signing ?
DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING : 0;
const struct dcerpc_sec_vt_pcontext pcontext = {
.abstract_syntax = call->context->iface->syntax_id,
static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
{
const struct dcesrv_endpoint *endpoint = call->conn->endpoint;
+ struct dcesrv_auth *auth = call->auth_state;
enum dcerpc_transport_t transport =
dcerpc_binding_get_transport(endpoint->ep_description);
struct ndr_pull *pull;
NTSTATUS status;
- if (!call->conn->allow_request) {
+ if (!auth->auth_finished) {
return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
}
/* if authenticated, and the mech we use can't do async replies, don't use them... */
- if (call->conn->auth_state.gensec_security &&
- !gensec_have_feature(call->conn->auth_state.gensec_security, GENSEC_FEATURE_ASYNC_REPLIES)) {
+ if (auth->gensec_security != NULL &&
+ !gensec_have_feature(auth->gensec_security, GENSEC_FEATURE_ASYNC_REPLIES)) {
call->state_flags &= ~DCESRV_CALL_STATE_FLAG_MAY_ASYNC;
}
DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
}
- switch (call->conn->auth_state.auth_level) {
+ switch (auth->auth_level) {
case DCERPC_AUTH_LEVEL_NONE:
case DCERPC_AUTH_LEVEL_PACKET:
case DCERPC_AUTH_LEVEL_INTEGRITY:
"to [%s] with auth[type=0x%x,level=0x%x] "
"on [%s] from [%s]\n",
__func__, call->context->iface->name,
- call->conn->auth_state.auth_type,
- call->conn->auth_state.auth_level,
+ auth->auth_type,
+ auth->auth_level,
derpc_transport_string_by_transport(transport),
addr));
return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
break;
}
- if (call->conn->auth_state.auth_level < call->context->min_auth_level) {
+ if (auth->auth_level < call->context->min_auth_level) {
char *addr;
addr = tsocket_address_string(call->conn->remote_address, call);
__func__,
call->context->min_auth_level,
call->context->iface->name,
- call->conn->auth_state.auth_type,
- call->conn->auth_state.auth_level,
+ auth->auth_type,
+ auth->auth_level,
derpc_transport_string_by_transport(transport),
addr));
return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
talloc_steal(call, blob.data);
call->pkt = *pkt;
+ call->auth_state = dce_conn->default_auth_state;
+
talloc_set_destructor(call, dcesrv_call_dequeue);
if (call->conn->allow_bind) {
/* we have to check the signing here, before combining the
pdus */
if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
- if (!call->conn->allow_request) {
+ if (!call->auth_state->auth_finished) {
return dcesrv_fault_disconnect(call,
DCERPC_NCA_S_PROTO_ERROR);
}
dce_conn->wait_private = NULL;
dce_conn->allow_bind = false;
- dce_conn->allow_auth3 = false;
dce_conn->allow_alter = false;
- dce_conn->allow_request = false;
+
+ dce_conn->default_auth_state->auth_invalid = true;
if (dce_conn->pending_call_list == NULL) {
char *full_reason = talloc_asprintf(dce_conn, "dcesrv: %s", reason);
}
if (transport == NCACN_NP) {
- dcesrv_conn->auth_state.session_key = dcesrv_inherited_session_key;
dcesrv_conn->stream = talloc_move(dcesrv_conn,
&srv_conn->tstream);
} else {
srv_conn->private_data = dcesrv_conn;
- irpc_add_name(srv_conn->msg_ctx, "rpc_server");
-
subreq = dcerpc_read_ncacn_packet_send(dcesrv_conn,
dcesrv_conn->event_ctx,
dcesrv_conn->stream);
static NTSTATUS dcesrv_add_ep_unix(struct dcesrv_context *dce_ctx,
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
- struct tevent_context *event_ctx, const struct model_ops *model_ops)
+ struct tevent_context *event_ctx,
+ const struct model_ops *model_ops,
+ void *process_context)
{
struct dcesrv_socket_context *dcesrv_sock;
uint16_t port = 1;
model_ops, &dcesrv_stream_ops,
"unix", endpoint, &port,
lpcfg_socket_options(lp_ctx),
- dcesrv_sock);
+ dcesrv_sock, process_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("service_setup_stream_socket(path=%s) failed - %s\n",
endpoint, nt_errstr(status)));
static NTSTATUS dcesrv_add_ep_ncalrpc(struct dcesrv_context *dce_ctx,
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
- struct tevent_context *event_ctx, const struct model_ops *model_ops)
+ struct tevent_context *event_ctx,
+ const struct model_ops *model_ops,
+ void *process_context)
{
struct dcesrv_socket_context *dcesrv_sock;
uint16_t port = 1;
model_ops, &dcesrv_stream_ops,
"unix", full_path, &port,
lpcfg_socket_options(lp_ctx),
- dcesrv_sock);
+ dcesrv_sock, process_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("service_setup_stream_socket(identifier=%s,path=%s) failed - %s\n",
endpoint, full_path, nt_errstr(status)));
static NTSTATUS dcesrv_add_ep_np(struct dcesrv_context *dce_ctx,
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
- struct tevent_context *event_ctx, const struct model_ops *model_ops)
+ struct tevent_context *event_ctx,
+ const struct model_ops *model_ops,
+ void *process_context)
{
struct dcesrv_socket_context *dcesrv_sock;
NTSTATUS status;
status = tstream_setup_named_pipe(dce_ctx, event_ctx, lp_ctx,
model_ops, &dcesrv_stream_ops,
endpoint,
- dcesrv_sock);
+ dcesrv_sock, process_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("stream_setup_named_pipe(pipe=%s) failed - %s\n",
endpoint, nt_errstr(status)));
/*
add a socket address to the list of events, one event per dcerpc endpoint
*/
-static NTSTATUS add_socket_rpc_tcp_iface(struct dcesrv_context *dce_ctx, struct dcesrv_endpoint *e,
- struct tevent_context *event_ctx, const struct model_ops *model_ops,
- const char *address)
+static NTSTATUS add_socket_rpc_tcp_iface(struct dcesrv_context *dce_ctx,
+ struct dcesrv_endpoint *e,
+ struct tevent_context *event_ctx,
+ const struct model_ops *model_ops,
+ const char *address,
+ void *process_context)
{
struct dcesrv_socket_context *dcesrv_sock;
uint16_t port = 0;
model_ops, &dcesrv_stream_ops,
"ip", address, &port,
lpcfg_socket_options(dce_ctx->lp_ctx),
- dcesrv_sock);
+ dcesrv_sock, process_context);
if (!NT_STATUS_IS_OK(status)) {
struct dcesrv_if_list *iface;
DEBUG(0,("service_setup_stream_socket(address=%s,port=%u) for ",
static NTSTATUS dcesrv_add_ep_tcp(struct dcesrv_context *dce_ctx,
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
- struct tevent_context *event_ctx, const struct model_ops *model_ops)
+ struct tevent_context *event_ctx,
+ const struct model_ops *model_ops,
+ void *process_context)
{
NTSTATUS status;
num_interfaces = iface_list_count(ifaces);
for(i = 0; i < num_interfaces; i++) {
const char *address = iface_list_n_ip(ifaces, i);
- status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx, model_ops, address);
+ status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx,
+ model_ops, address,
+ process_context);
NT_STATUS_NOT_OK_RETURN(status);
}
} else {
char **wcard;
- int i;
- int num_binds = 0;
+ size_t i;
+ size_t num_binds = 0;
wcard = iface_list_wildcard(dce_ctx);
NT_STATUS_HAVE_NO_MEMORY(wcard);
for (i=0; wcard[i]; i++) {
- status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx, model_ops, wcard[i]);
+ status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx,
+ model_ops, wcard[i],
+ process_context);
if (NT_STATUS_IS_OK(status)) {
num_binds++;
}
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
struct tevent_context *event_ctx,
- const struct model_ops *model_ops)
+ const struct model_ops *model_ops,
+ void *process_context)
{
enum dcerpc_transport_t transport =
dcerpc_binding_get_transport(e->ep_description);
switch (transport) {
case NCACN_UNIX_STREAM:
- return dcesrv_add_ep_unix(dce_ctx, lp_ctx, e, event_ctx, model_ops);
+ return dcesrv_add_ep_unix(dce_ctx, lp_ctx, e, event_ctx,
+ model_ops, process_context);
case NCALRPC:
- return dcesrv_add_ep_ncalrpc(dce_ctx, lp_ctx, e, event_ctx, model_ops);
+ return dcesrv_add_ep_ncalrpc(dce_ctx, lp_ctx, e, event_ctx,
+ model_ops, process_context);
case NCACN_IP_TCP:
- return dcesrv_add_ep_tcp(dce_ctx, lp_ctx, e, event_ctx, model_ops);
+ return dcesrv_add_ep_tcp(dce_ctx, lp_ctx, e, event_ctx,
+ model_ops, process_context);
case NCACN_NP:
- return dcesrv_add_ep_np(dce_ctx, lp_ctx, e, event_ctx, model_ops);
+ return dcesrv_add_ep_np(dce_ctx, lp_ctx, e, event_ctx,
+ model_ops, process_context);
default:
return NT_STATUS_NOT_SUPPORTED;
*/
_PUBLIC_ struct cli_credentials *dcesrv_call_credentials(struct dcesrv_call_state *dce_call)
{
- return dce_call->conn->auth_state.session_info->credentials;
+ struct dcesrv_auth *auth = dce_call->auth_state;
+ return auth->session_info->credentials;
}
/**
*/
_PUBLIC_ bool dcesrv_call_authenticated(struct dcesrv_call_state *dce_call)
{
+ struct dcesrv_auth *auth = dce_call->auth_state;
enum security_user_level level;
- level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+ level = security_session_user_level(auth->session_info, NULL);
return level >= SECURITY_USER;
}
*/
_PUBLIC_ const char *dcesrv_call_account_name(struct dcesrv_call_state *dce_call)
{
- return dce_call->context->conn->auth_state.session_info->info->account_name;
+ struct dcesrv_auth *auth = dce_call->auth_state;
+ return auth->session_info->info->account_name;
+}
+
+/**
+ * retrieve session_info from a dce_call
+ */
+_PUBLIC_ struct auth_session_info *dcesrv_call_session_info(struct dcesrv_call_state *dce_call)
+{
+ struct dcesrv_auth *auth = dce_call->auth_state;
+ return auth->session_info;
+}
+
+/**
+ * retrieve auth type/level from a dce_call
+ */
+_PUBLIC_ void dcesrv_call_auth_info(struct dcesrv_call_state *dce_call,
+ enum dcerpc_AuthType *auth_type,
+ enum dcerpc_AuthLevel *auth_level)
+{
+ struct dcesrv_auth *auth = dce_call->auth_state;
+
+ if (auth_type != NULL) {
+ *auth_type = auth->auth_type;
+ }
+ if (auth_level != NULL) {
+ *auth_level = auth->auth_level;
+ }
}