s4:rpc_server: make use of dcesrv_auth_prepare_alter_ack() in dcesrv_alter()
[samba.git] / source4 / rpc_server / dcerpc_server.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    server side dcerpc core code
5
6    Copyright (C) Andrew Tridgell 2003-2005
7    Copyright (C) Stefan (metze) Metzmacher 2004-2005
8    
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "auth/auth.h"
25 #include "auth/gensec/gensec.h"
26 #include "../lib/util/dlinklist.h"
27 #include "rpc_server/dcerpc_server.h"
28 #include "rpc_server/dcerpc_server_proto.h"
29 #include "rpc_server/common/proto.h"
30 #include "librpc/rpc/dcerpc_proto.h"
31 #include "system/filesys.h"
32 #include "libcli/security/security.h"
33 #include "param/param.h"
34 #include "../lib/tsocket/tsocket.h"
35 #include "../libcli/named_pipe_auth/npa_tstream.h"
36 #include "smbd/service_stream.h"
37 #include "../lib/tsocket/tsocket.h"
38 #include "lib/socket/socket.h"
39 #include "smbd/process_model.h"
40 #include "lib/messaging/irpc.h"
41 #include "librpc/rpc/rpc_common.h"
42 #include "lib/util/samba_modules.h"
43 #include "librpc/gen_ndr/ndr_dcerpc.h"
44
45 static NTSTATUS dcesrv_negotiate_contexts(struct dcesrv_call_state *call,
46                                 const struct dcerpc_bind *b,
47                                 struct dcerpc_ack_ctx *ack_ctx_list);
48
49 /*
50   find an association group given a assoc_group_id
51  */
52 static struct dcesrv_assoc_group *dcesrv_assoc_group_find(struct dcesrv_context *dce_ctx,
53                                                           uint32_t id)
54 {
55         void *id_ptr;
56
57         id_ptr = idr_find(dce_ctx->assoc_groups_idr, id);
58         if (id_ptr == NULL) {
59                 return NULL;
60         }
61         return talloc_get_type_abort(id_ptr, struct dcesrv_assoc_group);
62 }
63
64 /*
65   take a reference to an existing association group
66  */
67 static struct dcesrv_assoc_group *dcesrv_assoc_group_reference(TALLOC_CTX *mem_ctx,
68                                                                struct dcesrv_context *dce_ctx,
69                                                                uint32_t id)
70 {
71         struct dcesrv_assoc_group *assoc_group;
72
73         assoc_group = dcesrv_assoc_group_find(dce_ctx, id);
74         if (assoc_group == NULL) {
75                 DEBUG(2,(__location__ ": Failed to find assoc_group 0x%08x\n", id));
76                 return NULL;
77         }
78         return talloc_reference(mem_ctx, assoc_group);
79 }
80
81 static int dcesrv_assoc_group_destructor(struct dcesrv_assoc_group *assoc_group)
82 {
83         int ret;
84         ret = idr_remove(assoc_group->dce_ctx->assoc_groups_idr, assoc_group->id);
85         if (ret != 0) {
86                 DEBUG(0,(__location__ ": Failed to remove assoc_group 0x%08x\n",
87                          assoc_group->id));
88         }
89         return 0;
90 }
91
92 /*
93   allocate a new association group
94  */
95 static struct dcesrv_assoc_group *dcesrv_assoc_group_new(TALLOC_CTX *mem_ctx,
96                                                          struct dcesrv_context *dce_ctx)
97 {
98         struct dcesrv_assoc_group *assoc_group;
99         int id;
100
101         assoc_group = talloc_zero(mem_ctx, struct dcesrv_assoc_group);
102         if (assoc_group == NULL) {
103                 return NULL;
104         }
105         
106         id = idr_get_new_random(dce_ctx->assoc_groups_idr, assoc_group, UINT16_MAX);
107         if (id == -1) {
108                 talloc_free(assoc_group);
109                 DEBUG(0,(__location__ ": Out of association groups!\n"));
110                 return NULL;
111         }
112
113         assoc_group->id = id;
114         assoc_group->dce_ctx = dce_ctx;
115
116         talloc_set_destructor(assoc_group, dcesrv_assoc_group_destructor);
117
118         return assoc_group;
119 }
120
121
122 /*
123   see if two endpoints match
124 */
125 static bool endpoints_match(const struct dcerpc_binding *ep1,
126                             const struct dcerpc_binding *ep2)
127 {
128         enum dcerpc_transport_t t1;
129         enum dcerpc_transport_t t2;
130         const char *e1;
131         const char *e2;
132
133         t1 = dcerpc_binding_get_transport(ep1);
134         t2 = dcerpc_binding_get_transport(ep2);
135
136         e1 = dcerpc_binding_get_string_option(ep1, "endpoint");
137         e2 = dcerpc_binding_get_string_option(ep2, "endpoint");
138
139         if (t1 != t2) {
140                 return false;
141         }
142
143         if (!e1 || !e2) {
144                 return e1 == e2;
145         }
146
147         if (strcasecmp(e1, e2) != 0) {
148                 return false;
149         }
150
151         return true;
152 }
153
154 /*
155   find an endpoint in the dcesrv_context
156 */
157 static struct dcesrv_endpoint *find_endpoint(struct dcesrv_context *dce_ctx,
158                                              const struct dcerpc_binding *ep_description)
159 {
160         struct dcesrv_endpoint *ep;
161         for (ep=dce_ctx->endpoint_list; ep; ep=ep->next) {
162                 if (endpoints_match(ep->ep_description, ep_description)) {
163                         return ep;
164                 }
165         }
166         return NULL;
167 }
168
169 /*
170   find a registered context_id from a bind or alter_context
171 */
172 static struct dcesrv_connection_context *dcesrv_find_context(struct dcesrv_connection *conn, 
173                                                              uint16_t context_id)
174 {
175         struct dcesrv_connection_context *c;
176         for (c=conn->contexts;c;c=c->next) {
177                 if (c->context_id == context_id) return c;
178         }
179         return NULL;
180 }
181
182 /*
183   see if a uuid and if_version match to an interface
184 */
185 static bool interface_match(const struct dcesrv_interface *if1,
186                                                         const struct dcesrv_interface *if2)
187 {
188         return (if1->syntax_id.if_version == if2->syntax_id.if_version && 
189                         GUID_equal(&if1->syntax_id.uuid, &if2->syntax_id.uuid));
190 }
191
192 /*
193   find the interface operations on any endpoint with this binding
194 */
195 static const struct dcesrv_interface *find_interface_by_binding(struct dcesrv_context *dce_ctx,
196                                                                 struct dcerpc_binding *binding,
197                                                                 const struct dcesrv_interface *iface)
198 {
199         struct dcesrv_endpoint *ep;
200         for (ep=dce_ctx->endpoint_list; ep; ep=ep->next) {
201                 if (endpoints_match(ep->ep_description, binding)) {
202                         struct dcesrv_if_list *ifl;
203                         for (ifl=ep->interface_list; ifl; ifl=ifl->next) {
204                                 if (interface_match(&(ifl->iface), iface)) {
205                                         return &(ifl->iface);
206                                 }
207                         }
208                 }
209         }
210         return NULL;
211 }
212
213 /*
214   see if a uuid and if_version match to an interface
215 */
216 static bool interface_match_by_uuid(const struct dcesrv_interface *iface,
217                                     const struct GUID *uuid, uint32_t if_version)
218 {
219         return (iface->syntax_id.if_version == if_version && 
220                         GUID_equal(&iface->syntax_id.uuid, uuid));
221 }
222
223 /*
224   find the interface operations on an endpoint by uuid
225 */
226 const struct dcesrv_interface *find_interface_by_uuid(const struct dcesrv_endpoint *endpoint,
227                                                       const struct GUID *uuid, uint32_t if_version)
228 {
229         struct dcesrv_if_list *ifl;
230         for (ifl=endpoint->interface_list; ifl; ifl=ifl->next) {
231                 if (interface_match_by_uuid(&(ifl->iface), uuid, if_version)) {
232                         return &(ifl->iface);
233                 }
234         }
235         return NULL;
236 }
237
238 /*
239   find the earlier parts of a fragmented call awaiting reassembily
240 */
241 static struct dcesrv_call_state *dcesrv_find_fragmented_call(struct dcesrv_connection *dce_conn, uint16_t call_id)
242 {
243         struct dcesrv_call_state *c;
244         for (c=dce_conn->incoming_fragmented_call_list;c;c=c->next) {
245                 if (c->pkt.call_id == call_id) {
246                         return c;
247                 }
248         }
249         return NULL;
250 }
251
252 /*
253   register an interface on an endpoint
254
255   An endpoint is one unix domain socket (for ncalrpc), one TCP port
256   (for ncacn_ip_tcp) or one (forwarded) named pipe (for ncacn_np).
257
258   Each endpoint can have many interfaces such as netlogon, lsa or
259   samr.  Some have essentially the full set.
260
261   This is driven from the set of interfaces listed in each IDL file
262   via the PIDL generated *__op_init_server() functions.
263 */
264 _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
265                                    const char *ep_name,
266                                    const struct dcesrv_interface *iface,
267                                    const struct security_descriptor *sd)
268 {
269         struct dcesrv_endpoint *ep;
270         struct dcesrv_if_list *ifl;
271         struct dcerpc_binding *binding;
272         bool add_ep = false;
273         NTSTATUS status;
274         enum dcerpc_transport_t transport;
275         char *ep_string = NULL;
276         bool use_single_process = true;
277         
278         /*
279          * If we are not using handles, there is no need for force
280          * this service into using a single process.
281          *
282          * However, due to the way we listen for RPC packets, we can
283          * only do this if we have a single service per pipe or TCP
284          * port, so we still force a single combined process for
285          * ncalrpc.
286          */
287         if (iface->flags & DCESRV_INTERFACE_FLAGS_HANDLES_NOT_USED) {
288                 use_single_process = false;
289         }
290
291         status = dcerpc_parse_binding(dce_ctx, ep_name, &binding);
292
293         if (NT_STATUS_IS_ERR(status)) {
294                 DEBUG(0, ("Trouble parsing binding string '%s'\n", ep_name));
295                 return status;
296         }
297
298         transport = dcerpc_binding_get_transport(binding);
299         if (transport == NCACN_IP_TCP) {
300                 int port;
301                 char port_str[6];
302
303                 /* 
304                  * First check if there is already a port specified, eg
305                  * for epmapper on ncacn_ip_tcp:[135]
306                  */
307                 const char *endpoint
308                         = dcerpc_binding_get_string_option(binding,
309                                                            "endpoint");
310                 if (endpoint == NULL) {
311                         port = lpcfg_parm_int(dce_ctx->lp_ctx, NULL,
312                                               "rpc server port", iface->name, 0);
313                         
314                         /*
315                          * For RPC services that are not set to use a single
316                          * process, we do not default to using the 'rpc server
317                          * port' because that would cause a double-bind on
318                          * that port.
319                          */
320                         if (port == 0 && !use_single_process) {
321                                 port = lpcfg_rpc_server_port(dce_ctx->lp_ctx);
322                         }
323                         if (port != 0) {
324                                 snprintf(port_str, sizeof(port_str), "%u", port);
325                                 status = dcerpc_binding_set_string_option(binding,
326                                                                           "endpoint",
327                                                                           port_str);
328                                 if (!NT_STATUS_IS_OK(status)) {
329                                         return status;
330                                 }
331                         }
332                 }
333         }
334
335         /* see if the interface is already registered on the endpoint */
336         if (find_interface_by_binding(dce_ctx, binding, iface)!=NULL) {
337                 DEBUG(0,("dcesrv_interface_register: interface '%s' already registered on endpoint '%s'\n",
338                          iface->name, ep_name));
339                 return NT_STATUS_OBJECT_NAME_COLLISION;
340         }
341
342         /* check if this endpoint exists
343          */
344         ep = find_endpoint(dce_ctx, binding);
345
346         if (ep != NULL) {
347                 /*
348                  * We want a new port on ncacn_ip_tcp for NETLOGON, so
349                  * it can be multi-process.  Other processes can also
350                  * listen on distinct ports, if they have one forced
351                  * in the code above with eg 'rpc server port:drsuapi = 1027'
352                  *
353                  * If we have mulitiple endpoints on port 0, they each
354                  * get an epemeral port (currently by walking up from
355                  * 1024).
356                  */
357                 if (!use_single_process && transport == NCACN_IP_TCP) {
358                         add_ep = true;
359                 }
360         }
361
362         if (ep == NULL || add_ep) {
363                 ep = talloc_zero(dce_ctx, struct dcesrv_endpoint);
364                 if (!ep) {
365                         return NT_STATUS_NO_MEMORY;
366                 }
367                 ZERO_STRUCTP(ep);
368                 ep->ep_description = talloc_move(ep, &binding);
369                 add_ep = true;
370
371                 /* add mgmt interface */
372                 ifl = talloc_zero(ep, struct dcesrv_if_list);
373                 if (!ifl) {
374                         return NT_STATUS_NO_MEMORY;
375                 }
376
377                 ifl->iface = dcesrv_get_mgmt_interface();
378
379                 DLIST_ADD(ep->interface_list, ifl);
380         }
381
382         /*
383          * By default don't force into a single process, but if any
384          * interface on this endpoint on this service uses handles
385          * (most do), then we must force into single process mode
386          *
387          * By overwriting this each time a new interface is added to
388          * this endpoint, we end up with the most restrictive setting.
389          */
390         if (use_single_process) {
391                 ep->use_single_process = true;
392         }
393
394         /* talloc a new interface list element */
395         ifl = talloc_zero(ep, struct dcesrv_if_list);
396         if (!ifl) {
397                 return NT_STATUS_NO_MEMORY;
398         }
399
400         /* copy the given interface struct to the one on the endpoints interface list */
401         memcpy(&(ifl->iface),iface, sizeof(struct dcesrv_interface));
402
403         /* if we have a security descriptor given,
404          * we should see if we can set it up on the endpoint
405          */
406         if (sd != NULL) {
407                 /* if there's currently no security descriptor given on the endpoint
408                  * we try to set it
409                  */
410                 if (ep->sd == NULL) {
411                         ep->sd = security_descriptor_copy(ep, sd);
412                 }
413
414                 /* if now there's no security descriptor given on the endpoint
415                  * something goes wrong, either we failed to copy the security descriptor
416                  * or there was already one on the endpoint
417                  */
418                 if (ep->sd != NULL) {
419                         DEBUG(0,("dcesrv_interface_register: interface '%s' failed to setup a security descriptor\n"
420                                  "                           on endpoint '%s'\n",
421                                 iface->name, ep_name));
422                         if (add_ep) free(ep);
423                         free(ifl);
424                         return NT_STATUS_OBJECT_NAME_COLLISION;
425                 }
426         }
427
428         /* finally add the interface on the endpoint */
429         DLIST_ADD(ep->interface_list, ifl);
430
431         /* if it's a new endpoint add it to the dcesrv_context */
432         if (add_ep) {
433                 DLIST_ADD(dce_ctx->endpoint_list, ep);
434         }
435
436         /* Re-get the string as we may have set a port */
437         ep_string = dcerpc_binding_string(dce_ctx, ep->ep_description);
438
439         DEBUG(4,("dcesrv_interface_register: interface '%s' registered on endpoint '%s'\n",
440                  iface->name, ep_string));
441         TALLOC_FREE(ep_string);
442
443         return NT_STATUS_OK;
444 }
445
446 NTSTATUS dcesrv_inherited_session_key(struct dcesrv_connection *p,
447                                       DATA_BLOB *session_key)
448 {
449         if (p->auth_state.session_info->session_key.length) {
450                 *session_key = p->auth_state.session_info->session_key;
451                 return NT_STATUS_OK;
452         }
453         return NT_STATUS_NO_USER_SESSION_KEY;
454 }
455
456 /*
457   fetch the user session key - may be default (above) or the SMB session key
458
459   The key is always truncated to 16 bytes 
460 */
461 _PUBLIC_ NTSTATUS dcesrv_fetch_session_key(struct dcesrv_connection *p,
462                                   DATA_BLOB *session_key)
463 {
464         NTSTATUS status = p->auth_state.session_key(p, session_key);
465         if (!NT_STATUS_IS_OK(status)) {
466                 return status;
467         }
468
469         session_key->length = MIN(session_key->length, 16);
470
471         return NT_STATUS_OK;
472 }
473
474 /*
475   connect to a dcerpc endpoint
476 */
477 _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
478                                  TALLOC_CTX *mem_ctx,
479                                  const struct dcesrv_endpoint *ep,
480                                  struct auth_session_info *session_info,
481                                  struct tevent_context *event_ctx,
482                                  struct imessaging_context *msg_ctx,
483                                  struct server_id server_id,
484                                  uint32_t state_flags,
485                                  struct dcesrv_connection **_p)
486 {
487         struct dcesrv_connection *p;
488
489         if (!session_info) {
490                 return NT_STATUS_ACCESS_DENIED;
491         }
492
493         p = talloc_zero(mem_ctx, struct dcesrv_connection);
494         NT_STATUS_HAVE_NO_MEMORY(p);
495
496         if (!talloc_reference(p, session_info)) {
497                 talloc_free(p);
498                 return NT_STATUS_NO_MEMORY;
499         }
500
501         p->dce_ctx = dce_ctx;
502         p->endpoint = ep;
503         p->packet_log_dir = lpcfg_lock_directory(dce_ctx->lp_ctx);
504         p->auth_state.session_info = session_info;
505         p->auth_state.session_key = dcesrv_generic_session_key;
506         p->event_ctx = event_ctx;
507         p->msg_ctx = msg_ctx;
508         p->server_id = server_id;
509         p->state_flags = state_flags;
510         p->allow_bind = true;
511         p->max_recv_frag = 5840;
512         p->max_xmit_frag = 5840;
513         p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE;
514
515         /*
516          * For now we only support NDR32.
517          */
518         p->preferred_transfer = &ndr_transfer_syntax_ndr;
519
520         *_p = p;
521         return NT_STATUS_OK;
522 }
523
524 /*
525   move a call from an existing linked list to the specified list. This
526   prevents bugs where we forget to remove the call from a previous
527   list when moving it.
528  */
529 static void dcesrv_call_set_list(struct dcesrv_call_state *call, 
530                                  enum dcesrv_call_list list)
531 {
532         switch (call->list) {
533         case DCESRV_LIST_NONE:
534                 break;
535         case DCESRV_LIST_CALL_LIST:
536                 DLIST_REMOVE(call->conn->call_list, call);
537                 break;
538         case DCESRV_LIST_FRAGMENTED_CALL_LIST:
539                 DLIST_REMOVE(call->conn->incoming_fragmented_call_list, call);
540                 break;
541         case DCESRV_LIST_PENDING_CALL_LIST:
542                 DLIST_REMOVE(call->conn->pending_call_list, call);
543                 break;
544         }
545         call->list = list;
546         switch (list) {
547         case DCESRV_LIST_NONE:
548                 break;
549         case DCESRV_LIST_CALL_LIST:
550                 DLIST_ADD_END(call->conn->call_list, call);
551                 break;
552         case DCESRV_LIST_FRAGMENTED_CALL_LIST:
553                 DLIST_ADD_END(call->conn->incoming_fragmented_call_list, call);
554                 break;
555         case DCESRV_LIST_PENDING_CALL_LIST:
556                 DLIST_ADD_END(call->conn->pending_call_list, call);
557                 break;
558         }
559 }
560
561 static void dcesrv_call_disconnect_after(struct dcesrv_call_state *call,
562                                          const char *reason)
563 {
564         if (call->conn->terminate != NULL) {
565                 return;
566         }
567
568         call->conn->allow_bind = false;
569         call->conn->allow_alter = false;
570         call->conn->allow_auth3 = false;
571         call->conn->allow_request = false;
572
573         call->terminate_reason = talloc_strdup(call, reason);
574         if (call->terminate_reason == NULL) {
575                 call->terminate_reason = __location__;
576         }
577 }
578
579 /*
580   return a dcerpc bind_nak
581 */
582 static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason)
583 {
584         struct ncacn_packet pkt;
585         struct dcerpc_bind_nak_version version;
586         struct data_blob_list_item *rep;
587         NTSTATUS status;
588         static const uint8_t _pad[3] = { 0, };
589
590         /*
591          * We add the call to the pending_call_list
592          * in order to defer the termination.
593          */
594         dcesrv_call_disconnect_after(call, "dcesrv_bind_nak");
595
596         /* setup a bind_nak */
597         dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
598         pkt.auth_length = 0;
599         pkt.call_id = call->pkt.call_id;
600         pkt.ptype = DCERPC_PKT_BIND_NAK;
601         pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
602         pkt.u.bind_nak.reject_reason = reason;
603         version.rpc_vers = 5;
604         version.rpc_vers_minor = 0;
605         pkt.u.bind_nak.num_versions = 1;
606         pkt.u.bind_nak.versions = &version;
607         pkt.u.bind_nak._pad = data_blob_const(_pad, sizeof(_pad));
608
609         rep = talloc_zero(call, struct data_blob_list_item);
610         if (!rep) {
611                 return NT_STATUS_NO_MEMORY;
612         }
613
614         status = ncacn_push_auth(&rep->blob, call, &pkt, NULL);
615         if (!NT_STATUS_IS_OK(status)) {
616                 return status;
617         }
618
619         dcerpc_set_frag_length(&rep->blob, rep->blob.length);
620
621         DLIST_ADD_END(call->replies, rep);
622         dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
623
624         if (call->conn->call_list && call->conn->call_list->replies) {
625                 if (call->conn->transport.report_output_data) {
626                         call->conn->transport.report_output_data(call->conn);
627                 }
628         }
629
630         return NT_STATUS_OK;    
631 }
632
633 static NTSTATUS dcesrv_fault_disconnect(struct dcesrv_call_state *call,
634                                  uint32_t fault_code)
635 {
636         /*
637          * We add the call to the pending_call_list
638          * in order to defer the termination.
639          */
640         dcesrv_call_disconnect_after(call, "dcesrv_fault_disconnect");
641
642         return dcesrv_fault_with_flags(call, fault_code,
643                                        DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
644 }
645
646 static int dcesrv_connection_context_destructor(struct dcesrv_connection_context *c)
647 {
648         DLIST_REMOVE(c->conn->contexts, c);
649
650         if (c->iface && c->iface->unbind) {
651                 c->iface->unbind(c, c->iface);
652                 c->iface = NULL;
653         }
654
655         return 0;
656 }
657
658 static void dcesrv_prepare_context_auth(struct dcesrv_call_state *dce_call)
659 {
660         struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
661         const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
662         enum dcerpc_transport_t transport =
663                 dcerpc_binding_get_transport(endpoint->ep_description);
664         struct dcesrv_connection_context *context = dce_call->context;
665         const struct dcesrv_interface *iface = context->iface;
666
667         context->min_auth_level = DCERPC_AUTH_LEVEL_NONE;
668
669         if (transport == NCALRPC) {
670                 context->allow_connect = true;
671                 return;
672         }
673
674         /*
675          * allow overwrite per interface
676          * allow dcerpc auth level connect:<interface>
677          */
678         context->allow_connect = lpcfg_allow_dcerpc_auth_level_connect(lp_ctx);
679         context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
680                                         "allow dcerpc auth level connect",
681                                         iface->name,
682                                         context->allow_connect);
683 }
684
685 NTSTATUS dcesrv_interface_bind_require_integrity(struct dcesrv_call_state *dce_call,
686                                                  const struct dcesrv_interface *iface)
687 {
688         if (dce_call->context == NULL) {
689                 return NT_STATUS_INTERNAL_ERROR;
690         }
691
692         /*
693          * For connection oriented DCERPC DCERPC_AUTH_LEVEL_PACKET (4)
694          * has the same behavior as DCERPC_AUTH_LEVEL_INTEGRITY (5).
695          */
696         dce_call->context->min_auth_level = DCERPC_AUTH_LEVEL_PACKET;
697         return NT_STATUS_OK;
698 }
699
700 NTSTATUS dcesrv_interface_bind_require_privacy(struct dcesrv_call_state *dce_call,
701                                                const struct dcesrv_interface *iface)
702 {
703         if (dce_call->context == NULL) {
704                 return NT_STATUS_INTERNAL_ERROR;
705         }
706
707         dce_call->context->min_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
708         return NT_STATUS_OK;
709 }
710
711 _PUBLIC_ NTSTATUS dcesrv_interface_bind_reject_connect(struct dcesrv_call_state *dce_call,
712                                                        const struct dcesrv_interface *iface)
713 {
714         struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
715         const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
716         enum dcerpc_transport_t transport =
717                 dcerpc_binding_get_transport(endpoint->ep_description);
718         struct dcesrv_connection_context *context = dce_call->context;
719
720         if (context == NULL) {
721                 return NT_STATUS_INTERNAL_ERROR;
722         }
723
724         if (transport == NCALRPC) {
725                 context->allow_connect = true;
726                 return NT_STATUS_OK;
727         }
728
729         /*
730          * allow overwrite per interface
731          * allow dcerpc auth level connect:<interface>
732          */
733         context->allow_connect = false;
734         context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
735                                         "allow dcerpc auth level connect",
736                                         iface->name,
737                                         context->allow_connect);
738         return NT_STATUS_OK;
739 }
740
741 _PUBLIC_ NTSTATUS dcesrv_interface_bind_allow_connect(struct dcesrv_call_state *dce_call,
742                                                       const struct dcesrv_interface *iface)
743 {
744         struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
745         const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
746         enum dcerpc_transport_t transport =
747                 dcerpc_binding_get_transport(endpoint->ep_description);
748         struct dcesrv_connection_context *context = dce_call->context;
749
750         if (context == NULL) {
751                 return NT_STATUS_INTERNAL_ERROR;
752         }
753
754         if (transport == NCALRPC) {
755                 context->allow_connect = true;
756                 return NT_STATUS_OK;
757         }
758
759         /*
760          * allow overwrite per interface
761          * allow dcerpc auth level connect:<interface>
762          */
763         context->allow_connect = true;
764         context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
765                                         "allow dcerpc auth level connect",
766                                         iface->name,
767                                         context->allow_connect);
768         return NT_STATUS_OK;
769 }
770
771 static NTSTATUS dcesrv_auth_reply(struct dcesrv_call_state *call);
772
773 /*
774   handle a bind request
775 */
776 static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
777 {
778         struct ncacn_packet *pkt = &call->ack_pkt;
779         NTSTATUS status;
780         uint32_t extra_flags = 0;
781         uint16_t max_req = 0;
782         uint16_t max_rep = 0;
783         const char *ep_prefix = "";
784         const char *endpoint = NULL;
785         struct dcesrv_auth *auth = &call->conn->auth_state;
786         struct dcerpc_ack_ctx *ack_ctx_list = NULL;
787         struct dcerpc_ack_ctx *ack_features = NULL;
788         size_t i;
789
790         status = dcerpc_verify_ncacn_packet_header(&call->pkt,
791                         DCERPC_PKT_BIND,
792                         call->pkt.u.bind.auth_info.length,
793                         0, /* required flags */
794                         DCERPC_PFC_FLAG_FIRST |
795                         DCERPC_PFC_FLAG_LAST |
796                         DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
797                         0x08 | /* this is not defined, but should be ignored */
798                         DCERPC_PFC_FLAG_CONC_MPX |
799                         DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
800                         DCERPC_PFC_FLAG_MAYBE |
801                         DCERPC_PFC_FLAG_OBJECT_UUID);
802         if (!NT_STATUS_IS_OK(status)) {
803                 return dcesrv_bind_nak(call,
804                         DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED);
805         }
806
807         /* max_recv_frag and max_xmit_frag result always in the same value! */
808         max_req = MIN(call->pkt.u.bind.max_xmit_frag,
809                       call->pkt.u.bind.max_recv_frag);
810         /*
811          * The values are between 2048 and 5840 tested against Windows 2012R2
812          * via ncacn_ip_tcp on port 135.
813          */
814         max_req = MAX(2048, max_req);
815         max_rep = MIN(max_req, call->conn->max_recv_frag);
816         /* They are truncated to an 8 byte boundary. */
817         max_rep &= 0xFFF8;
818
819         /* max_recv_frag and max_xmit_frag result always in the same value! */
820         call->conn->max_recv_frag = max_rep;
821         call->conn->max_xmit_frag = max_rep;
822
823         /*
824           if provided, check the assoc_group is valid
825          */
826         if (call->pkt.u.bind.assoc_group_id != 0) {
827                 call->conn->assoc_group = dcesrv_assoc_group_reference(call->conn,
828                                                                        call->conn->dce_ctx,
829                                                                        call->pkt.u.bind.assoc_group_id);
830         } else {
831                 call->conn->assoc_group = dcesrv_assoc_group_new(call->conn,
832                                                                  call->conn->dce_ctx);
833         }
834
835         /*
836          * The NETLOGON server does not use handles and so
837          * there is no need to support association groups, but
838          * we need to give back a number regardless.
839          *
840          * We have to do this when it is not run as a single process,
841          * because then it can't see the other valid association
842          * groups.  We handle this genericly for all endpoints not
843          * running in single process mode.
844          *
845          * We know which endpoint we are on even before checking the
846          * iface UUID, so for simplicity we enforce the same policy
847          * for all interfaces on the endpoint.
848          *
849          * This means that where NETLOGON
850          * shares an endpoint (such as ncalrpc or of 'lsa over
851          * netlogon' is set) we will still check association groups.
852          *
853          */
854
855         if (call->conn->assoc_group == NULL &&
856             !call->conn->endpoint->use_single_process) {
857                 call->conn->assoc_group
858                         = dcesrv_assoc_group_new(call->conn,
859                                                  call->conn->dce_ctx);
860         }
861         if (call->conn->assoc_group == NULL) {
862                 return dcesrv_bind_nak(call, 0);
863         }
864
865         if (call->pkt.u.bind.num_contexts < 1) {
866                 return dcesrv_bind_nak(call, 0);
867         }
868
869         ack_ctx_list = talloc_zero_array(call, struct dcerpc_ack_ctx,
870                                          call->pkt.u.bind.num_contexts);
871         if (ack_ctx_list == NULL) {
872                 return dcesrv_bind_nak(call, 0);
873         }
874
875         /*
876          * Set some sane defaults (required by dcesrv_negotiate_contexts()/
877          * dcesrv_check_or_create_context()) and do some protocol validation
878          * and set sane defaults.
879          */
880         for (i = 0; i < call->pkt.u.bind.num_contexts; i++) {
881                 const struct dcerpc_ctx_list *c = &call->pkt.u.bind.ctx_list[i];
882                 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
883                 bool is_feature = false;
884                 uint64_t features = 0;
885
886                 if (c->num_transfer_syntaxes == 0) {
887                         return dcesrv_bind_nak(call, 0);
888                 }
889
890                 a->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
891                 a->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
892
893                 /*
894                  * It's only treated as bind time feature request, if the first
895                  * transfer_syntax matches, all others are ignored.
896                  */
897                 is_feature = dcerpc_extract_bind_time_features(c->transfer_syntaxes[0],
898                                                                &features);
899                 if (!is_feature) {
900                         continue;
901                 }
902
903                 if (ack_features != NULL) {
904                         /*
905                          * Only one bind time feature context is allowed.
906                          */
907                         return dcesrv_bind_nak(call, 0);
908                 }
909                 ack_features = a;
910
911                 a->result = DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK;
912                 a->reason.negotiate = 0;
913                 if (features & DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING) {
914                         /* not supported yet */
915                 }
916                 if (features & DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN) {
917                         a->reason.negotiate |=
918                                 DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN;
919                 }
920
921                 call->conn->bind_time_features = a->reason.negotiate;
922         }
923
924         /*
925          * Try to negotiate one new presentation context.
926          *
927          * Deep in here we locate the iface (by uuid) that the client
928          * requested, from the list of interfaces on the
929          * call->conn->endpoint, and call iface->bind() on that iface.
930          *
931          * call->conn was set up at the accept() of the socket, and
932          * call->conn->endpoint has a list of interfaces restricted to
933          * this port or pipe.
934          */
935         status = dcesrv_negotiate_contexts(call, &call->pkt.u.bind, ack_ctx_list);
936         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
937                 return dcesrv_bind_nak(call, 0);
938         }
939         if (!NT_STATUS_IS_OK(status)) {
940                 return status;
941         }
942
943         /*
944          * At this point we still don't know which interface (eg
945          * netlogon, lsa, drsuapi) the caller requested in this bind!
946          * The most recently added context is available as the first
947          * element in the linked list at call->conn->contexts, that is
948          * call->conn->contexts->iface, but they may not have
949          * requested one at all!
950          */
951
952         if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
953             (call->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
954                 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
955                 extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
956         }
957
958         if (call->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
959                 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL;
960         }
961
962         /*
963          * After finding the interface and setting up the NDR
964          * transport negotiation etc, handle any authentication that
965          * is being requested.
966          */
967         if (!dcesrv_auth_bind(call)) {
968
969                 if (auth->auth_level == DCERPC_AUTH_LEVEL_NONE) {
970                         /*
971                          * With DCERPC_AUTH_LEVEL_NONE, we get the
972                          * reject_reason in auth->auth_context_id.
973                          */
974                         return dcesrv_bind_nak(call, auth->auth_context_id);
975                 }
976
977                 /*
978                  * This must a be a temporary failure e.g. talloc or invalid
979                  * configuration, e.g. no machine account.
980                  */
981                 return dcesrv_bind_nak(call,
982                                 DCERPC_BIND_NAK_REASON_TEMPORARY_CONGESTION);
983         }
984
985         /* setup a bind_ack */
986         dcesrv_init_hdr(pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
987         pkt->auth_length = 0;
988         pkt->call_id = call->pkt.call_id;
989         pkt->ptype = DCERPC_PKT_BIND_ACK;
990         pkt->pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
991         pkt->u.bind_ack.max_xmit_frag = call->conn->max_xmit_frag;
992         pkt->u.bind_ack.max_recv_frag = call->conn->max_recv_frag;
993         pkt->u.bind_ack.assoc_group_id = call->conn->assoc_group->id;
994
995         endpoint = dcerpc_binding_get_string_option(
996                                 call->conn->endpoint->ep_description,
997                                 "endpoint");
998         if (endpoint == NULL) {
999                 endpoint = "";
1000         }
1001
1002         if (strncasecmp(endpoint, "\\pipe\\", 6) == 0) {
1003                 /*
1004                  * TODO: check if this is really needed
1005                  *
1006                  * Or if we should fix this in our idl files.
1007                  */
1008                 ep_prefix = "\\PIPE\\";
1009                 endpoint += 6;
1010         }
1011
1012         pkt->u.bind_ack.secondary_address = talloc_asprintf(call, "%s%s",
1013                                                            ep_prefix,
1014                                                            endpoint);
1015         if (pkt->u.bind_ack.secondary_address == NULL) {
1016                 return NT_STATUS_NO_MEMORY;
1017         }
1018         pkt->u.bind_ack.num_results = call->pkt.u.bind.num_contexts;
1019         pkt->u.bind_ack.ctx_list = ack_ctx_list;
1020         pkt->u.bind_ack.auth_info = data_blob_null;
1021
1022         status = dcesrv_auth_prepare_bind_ack(call, pkt);
1023         if (!NT_STATUS_IS_OK(status)) {
1024                 return dcesrv_bind_nak(call, 0);
1025         }
1026
1027         if (auth->auth_finished) {
1028                 return dcesrv_auth_reply(call);
1029         }
1030
1031         status = gensec_update_ev(auth->gensec_security,
1032                                   call, call->event_ctx,
1033                                   call->in_auth_info.credentials,
1034                                   &call->out_auth_info->credentials);
1035
1036         status = dcesrv_auth_complete(call, status);
1037         if (!NT_STATUS_IS_OK(status)) {
1038                 return dcesrv_bind_nak(call, 0);
1039         }
1040
1041         return dcesrv_auth_reply(call);
1042 }
1043
1044 static NTSTATUS dcesrv_auth_reply(struct dcesrv_call_state *call)
1045 {
1046         struct ncacn_packet *pkt = &call->ack_pkt;
1047         struct data_blob_list_item *rep = NULL;
1048         NTSTATUS status;
1049
1050         rep = talloc_zero(call, struct data_blob_list_item);
1051         if (!rep) {
1052                 return NT_STATUS_NO_MEMORY;
1053         }
1054
1055         status = ncacn_push_auth(&rep->blob, call, pkt,
1056                                  call->out_auth_info);
1057         if (!NT_STATUS_IS_OK(status)) {
1058                 return status;
1059         }
1060
1061         dcerpc_set_frag_length(&rep->blob, rep->blob.length);
1062
1063         DLIST_ADD_END(call->replies, rep);
1064         dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
1065
1066         if (call->conn->call_list && call->conn->call_list->replies) {
1067                 if (call->conn->transport.report_output_data) {
1068                         call->conn->transport.report_output_data(call->conn);
1069                 }
1070         }
1071
1072         return NT_STATUS_OK;
1073 }
1074
1075
1076 /*
1077   handle a auth3 request
1078 */
1079 static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
1080 {
1081         NTSTATUS status;
1082
1083         if (!call->conn->allow_auth3) {
1084                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1085         }
1086
1087         if (call->conn->auth_state.auth_finished) {
1088                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1089         }
1090
1091         status = dcerpc_verify_ncacn_packet_header(&call->pkt,
1092                         DCERPC_PKT_AUTH3,
1093                         call->pkt.u.auth3.auth_info.length,
1094                         0, /* required flags */
1095                         DCERPC_PFC_FLAG_FIRST |
1096                         DCERPC_PFC_FLAG_LAST |
1097                         DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1098                         0x08 | /* this is not defined, but should be ignored */
1099                         DCERPC_PFC_FLAG_CONC_MPX |
1100                         DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1101                         DCERPC_PFC_FLAG_MAYBE |
1102                         DCERPC_PFC_FLAG_OBJECT_UUID);
1103         if (!NT_STATUS_IS_OK(status)) {
1104                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1105         }
1106
1107         /* handle the auth3 in the auth code */
1108         if (!dcesrv_auth_auth3(call)) {
1109                 call->conn->auth_state.auth_invalid = true;
1110                 if (call->fault_code != 0) {
1111                         return dcesrv_fault_disconnect(call, call->fault_code);
1112                 }
1113         }
1114
1115         talloc_free(call);
1116
1117         /* we don't send a reply to a auth3 request, except by a
1118            fault */
1119         return NT_STATUS_OK;
1120 }
1121
1122
1123 static NTSTATUS dcesrv_check_or_create_context(struct dcesrv_call_state *call,
1124                                 const struct dcerpc_bind *b,
1125                                 const struct dcerpc_ctx_list *ctx,
1126                                 struct dcerpc_ack_ctx *ack,
1127                                 bool validate_only,
1128                                 const struct ndr_syntax_id *supported_transfer)
1129 {
1130         uint32_t if_version;
1131         struct dcesrv_connection_context *context;
1132         const struct dcesrv_interface *iface;
1133         struct GUID uuid;
1134         NTSTATUS status;
1135         const struct ndr_syntax_id *selected_transfer = NULL;
1136         size_t i;
1137         bool ok;
1138
1139         if (b == NULL) {
1140                 return NT_STATUS_INTERNAL_ERROR;
1141         }
1142         if (ctx == NULL) {
1143                 return NT_STATUS_INTERNAL_ERROR;
1144         }
1145         if (ctx->num_transfer_syntaxes < 1) {
1146                 return NT_STATUS_INTERNAL_ERROR;
1147         }
1148         if (ack == NULL) {
1149                 return NT_STATUS_INTERNAL_ERROR;
1150         }
1151         if (supported_transfer == NULL) {
1152                 return NT_STATUS_INTERNAL_ERROR;
1153         }
1154
1155         switch (ack->result) {
1156         case DCERPC_BIND_ACK_RESULT_ACCEPTANCE:
1157         case DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK:
1158                 /*
1159                  * We is already completed.
1160                  */
1161                 return NT_STATUS_OK;
1162         default:
1163                 break;
1164         }
1165
1166         ack->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1167         ack->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
1168
1169         if_version = ctx->abstract_syntax.if_version;
1170         uuid = ctx->abstract_syntax.uuid;
1171
1172         iface = find_interface_by_uuid(call->conn->endpoint, &uuid, if_version);
1173         if (iface == NULL) {
1174                 char *uuid_str = GUID_string(call, &uuid);
1175                 DEBUG(2,("Request for unknown dcerpc interface %s/%d\n", uuid_str, if_version));
1176                 talloc_free(uuid_str);
1177                 /*
1178                  * We report this only via ack->result
1179                  */
1180                 return NT_STATUS_OK;
1181         }
1182
1183         ack->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1184         ack->reason.value = DCERPC_BIND_ACK_REASON_TRANSFER_SYNTAXES_NOT_SUPPORTED;
1185
1186         if (validate_only) {
1187                 /*
1188                  * We report this only via ack->result
1189                  */
1190                 return NT_STATUS_OK;
1191         }
1192
1193         for (i = 0; i < ctx->num_transfer_syntaxes; i++) {
1194                 /*
1195                  * we only do NDR encoded dcerpc for now.
1196                  */
1197                 ok = ndr_syntax_id_equal(&ctx->transfer_syntaxes[i],
1198                                          supported_transfer);
1199                 if (ok) {
1200                         selected_transfer = supported_transfer;
1201                         break;
1202                 }
1203         }
1204
1205         context = dcesrv_find_context(call->conn, ctx->context_id);
1206         if (context != NULL) {
1207                 ok = ndr_syntax_id_equal(&context->iface->syntax_id,
1208                                          &ctx->abstract_syntax);
1209                 if (!ok) {
1210                         return NT_STATUS_RPC_PROTOCOL_ERROR;
1211                 }
1212
1213                 if (selected_transfer != NULL) {
1214                         ok = ndr_syntax_id_equal(&context->transfer_syntax,
1215                                                  selected_transfer);
1216                         if (!ok) {
1217                                 return NT_STATUS_RPC_PROTOCOL_ERROR;
1218                         }
1219
1220                         ack->result = DCERPC_BIND_ACK_RESULT_ACCEPTANCE;
1221                         ack->reason.value = DCERPC_BIND_ACK_REASON_NOT_SPECIFIED;
1222                         ack->syntax = context->transfer_syntax;
1223                 }
1224
1225                 /*
1226                  * We report this only via ack->result
1227                  */
1228                 return NT_STATUS_OK;
1229         }
1230
1231         if (selected_transfer == NULL) {
1232                 /*
1233                  * We report this only via ack->result
1234                  */
1235                 return NT_STATUS_OK;
1236         }
1237
1238         ack->result = DCERPC_BIND_ACK_RESULT_USER_REJECTION;
1239         ack->reason.value = DCERPC_BIND_ACK_REASON_LOCAL_LIMIT_EXCEEDED;
1240
1241         /* add this context to the list of available context_ids */
1242         context = talloc_zero(call->conn, struct dcesrv_connection_context);
1243         if (context == NULL) {
1244                 return NT_STATUS_NO_MEMORY;
1245         }
1246         context->conn = call->conn;
1247         context->context_id = ctx->context_id;
1248         context->iface = iface;
1249         context->transfer_syntax = *selected_transfer;
1250         context->private_data = NULL;
1251         DLIST_ADD(call->conn->contexts, context);
1252         call->context = context;
1253         talloc_set_destructor(context, dcesrv_connection_context_destructor);
1254
1255         dcesrv_prepare_context_auth(call);
1256
1257         /*
1258          * Multiplex is supported by default
1259          */
1260         call->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
1261
1262         status = iface->bind(call, iface, if_version);
1263         call->context = NULL;
1264         if (!NT_STATUS_IS_OK(status)) {
1265                 /* we don't want to trigger the iface->unbind() hook */
1266                 context->iface = NULL;
1267                 talloc_free(context);
1268                 /*
1269                  * We report this only via ack->result
1270                  */
1271                 return NT_STATUS_OK;
1272         }
1273
1274         ack->result = DCERPC_BIND_ACK_RESULT_ACCEPTANCE;
1275         ack->reason.value = DCERPC_BIND_ACK_REASON_NOT_SPECIFIED;
1276         ack->syntax = context->transfer_syntax;
1277         return NT_STATUS_OK;
1278 }
1279
1280 static NTSTATUS dcesrv_negotiate_contexts(struct dcesrv_call_state *call,
1281                                 const struct dcerpc_bind *b,
1282                                 struct dcerpc_ack_ctx *ack_ctx_list)
1283 {
1284         NTSTATUS status;
1285         size_t i;
1286         bool validate_only = false;
1287         bool preferred_ndr32;
1288
1289         /*
1290          * Try to negotiate one new presentation context,
1291          * using our preferred transfer syntax.
1292          */
1293         for (i = 0; i < b->num_contexts; i++) {
1294                 const struct dcerpc_ctx_list *c = &b->ctx_list[i];
1295                 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1296
1297                 status = dcesrv_check_or_create_context(call, b, c, a,
1298                                                 validate_only,
1299                                                 call->conn->preferred_transfer);
1300                 if (!NT_STATUS_IS_OK(status)) {
1301                         return status;
1302                 }
1303
1304                 if (a->result == DCERPC_BIND_ACK_RESULT_ACCEPTANCE) {
1305                         /*
1306                          * We managed to negotiate one context.
1307                          *
1308                          * => we're done.
1309                          */
1310                         validate_only = true;
1311                 }
1312         }
1313
1314         preferred_ndr32 = ndr_syntax_id_equal(&ndr_transfer_syntax_ndr,
1315                                         call->conn->preferred_transfer);
1316         if (preferred_ndr32) {
1317                 /*
1318                  * We're done.
1319                  */
1320                 return NT_STATUS_OK;
1321         }
1322
1323         /*
1324          * Try to negotiate one new presentation context,
1325          * using NDR 32 as fallback.
1326          */
1327         for (i = 0; i < b->num_contexts; i++) {
1328                 const struct dcerpc_ctx_list *c = &b->ctx_list[i];
1329                 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1330
1331                 status = dcesrv_check_or_create_context(call, b, c, a,
1332                                                 validate_only,
1333                                                 &ndr_transfer_syntax_ndr);
1334                 if (!NT_STATUS_IS_OK(status)) {
1335                         return status;
1336                 }
1337
1338                 if (a->result == DCERPC_BIND_ACK_RESULT_ACCEPTANCE) {
1339                         /*
1340                          * We managed to negotiate one context.
1341                          *
1342                          * => we're done.
1343                          */
1344                         validate_only = true;
1345                 }
1346         }
1347
1348         return NT_STATUS_OK;
1349 }
1350
1351 /*
1352   handle a alter context request
1353 */
1354 static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
1355 {
1356         NTSTATUS status;
1357         bool auth_ok = false;
1358         struct ncacn_packet *pkt = &call->ack_pkt;
1359         uint32_t extra_flags = 0;
1360         struct dcesrv_auth *auth = &call->conn->auth_state;
1361         struct dcerpc_ack_ctx *ack_ctx_list = NULL;
1362         size_t i;
1363
1364         if (!call->conn->allow_alter) {
1365                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1366         }
1367
1368         status = dcerpc_verify_ncacn_packet_header(&call->pkt,
1369                         DCERPC_PKT_ALTER,
1370                         call->pkt.u.alter.auth_info.length,
1371                         0, /* required flags */
1372                         DCERPC_PFC_FLAG_FIRST |
1373                         DCERPC_PFC_FLAG_LAST |
1374                         DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1375                         0x08 | /* this is not defined, but should be ignored */
1376                         DCERPC_PFC_FLAG_CONC_MPX |
1377                         DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1378                         DCERPC_PFC_FLAG_MAYBE |
1379                         DCERPC_PFC_FLAG_OBJECT_UUID);
1380         if (!NT_STATUS_IS_OK(status)) {
1381                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1382         }
1383
1384         auth_ok = dcesrv_auth_alter(call);
1385         if (!auth_ok) {
1386                 if (call->fault_code != 0) {
1387                         return dcesrv_fault_disconnect(call, call->fault_code);
1388                 }
1389         }
1390
1391         if (call->pkt.u.alter.num_contexts < 1) {
1392                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1393         }
1394
1395         ack_ctx_list = talloc_zero_array(call, struct dcerpc_ack_ctx,
1396                                          call->pkt.u.alter.num_contexts);
1397         if (ack_ctx_list == NULL) {
1398                 return NT_STATUS_NO_MEMORY;
1399         }
1400
1401         /*
1402          * Set some sane defaults (required by dcesrv_negotiate_contexts()/
1403          * dcesrv_check_or_create_context()) and do some protocol validation
1404          * and set sane defaults.
1405          */
1406         for (i = 0; i < call->pkt.u.alter.num_contexts; i++) {
1407                 const struct dcerpc_ctx_list *c = &call->pkt.u.alter.ctx_list[i];
1408                 struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1409
1410                 if (c->num_transfer_syntaxes == 0) {
1411                         return dcesrv_fault_disconnect(call,
1412                                         DCERPC_NCA_S_PROTO_ERROR);
1413                 }
1414
1415                 a->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1416                 a->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
1417         }
1418
1419         /*
1420          * Try to negotiate one new presentation context.
1421          */
1422         status = dcesrv_negotiate_contexts(call, &call->pkt.u.alter, ack_ctx_list);
1423         if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
1424                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1425         }
1426         if (!NT_STATUS_IS_OK(status)) {
1427                 return status;
1428         }
1429
1430         if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
1431             (call->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
1432                 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
1433                 extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
1434         }
1435
1436         if (call->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
1437                 call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL;
1438         }
1439
1440         /* handle any authentication that is being requested */
1441         if (!auth_ok) {
1442                 if (call->in_auth_info.auth_type !=
1443                     call->conn->auth_state.auth_type)
1444                 {
1445                         return dcesrv_fault_disconnect(call,
1446                                         DCERPC_FAULT_SEC_PKG_ERROR);
1447                 }
1448                 return dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED);
1449         }
1450
1451         dcesrv_init_hdr(pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
1452         pkt->auth_length = 0;
1453         pkt->call_id = call->pkt.call_id;
1454         pkt->ptype = DCERPC_PKT_ALTER_RESP;
1455         pkt->pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
1456         pkt->u.alter_resp.max_xmit_frag = call->conn->max_xmit_frag;
1457         pkt->u.alter_resp.max_recv_frag = call->conn->max_recv_frag;
1458         pkt->u.alter_resp.assoc_group_id = call->conn->assoc_group->id;
1459         pkt->u.alter_resp.secondary_address = "";
1460         pkt->u.alter_resp.num_results = call->pkt.u.alter.num_contexts;
1461         pkt->u.alter_resp.ctx_list = ack_ctx_list;
1462         pkt->u.alter_resp.auth_info = data_blob_null;
1463
1464         status = dcesrv_auth_prepare_alter_ack(call, pkt);
1465         if (!NT_STATUS_IS_OK(status)) {
1466                 return dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
1467         }
1468
1469         if (auth->auth_finished) {
1470                 return dcesrv_auth_reply(call);
1471         }
1472
1473         status = gensec_update_ev(auth->gensec_security,
1474                                   call, call->event_ctx,
1475                                   call->in_auth_info.credentials,
1476                                   &call->out_auth_info->credentials);
1477
1478         status = dcesrv_auth_complete(call, status);
1479         if (!NT_STATUS_IS_OK(status)) {
1480                 return dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
1481         }
1482
1483         return dcesrv_auth_reply(call);
1484 }
1485
1486 /*
1487   possibly save the call for inspection with ndrdump
1488  */
1489 static void dcesrv_save_call(struct dcesrv_call_state *call, const char *why)
1490 {
1491 #ifdef DEVELOPER
1492         char *fname;
1493         const char *dump_dir;
1494         dump_dir = lpcfg_parm_string(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv", "stubs directory");
1495         if (!dump_dir) {
1496                 return;
1497         }
1498         fname = talloc_asprintf(call, "%s/RPC-%s-%u-%s.dat",
1499                                 dump_dir,
1500                                 call->context->iface->name,
1501                                 call->pkt.u.request.opnum,
1502                                 why);
1503         if (file_save(fname, call->pkt.u.request.stub_and_verifier.data, call->pkt.u.request.stub_and_verifier.length)) {
1504                 DEBUG(0,("RPC SAVED %s\n", fname));
1505         }
1506         talloc_free(fname);
1507 #endif
1508 }
1509
1510 static NTSTATUS dcesrv_check_verification_trailer(struct dcesrv_call_state *call)
1511 {
1512         TALLOC_CTX *frame = talloc_stackframe();
1513         const uint32_t bitmask1 = call->conn->auth_state.client_hdr_signing ?
1514                 DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING : 0;
1515         const struct dcerpc_sec_vt_pcontext pcontext = {
1516                 .abstract_syntax = call->context->iface->syntax_id,
1517                 .transfer_syntax = call->context->transfer_syntax,
1518         };
1519         const struct dcerpc_sec_vt_header2 header2 =
1520                 dcerpc_sec_vt_header2_from_ncacn_packet(&call->pkt);
1521         enum ndr_err_code ndr_err;
1522         struct dcerpc_sec_verification_trailer *vt = NULL;
1523         NTSTATUS status = NT_STATUS_OK;
1524         bool ok;
1525
1526         SMB_ASSERT(call->pkt.ptype == DCERPC_PKT_REQUEST);
1527
1528         ndr_err = ndr_pop_dcerpc_sec_verification_trailer(call->ndr_pull,
1529                                                           frame, &vt);
1530         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1531                 status = ndr_map_error2ntstatus(ndr_err);
1532                 goto done;
1533         }
1534
1535         ok = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
1536                                                    &pcontext, &header2);
1537         if (!ok) {
1538                 status = NT_STATUS_ACCESS_DENIED;
1539                 goto done;
1540         }
1541 done:
1542         TALLOC_FREE(frame);
1543         return status;
1544 }
1545
1546 /*
1547   handle a dcerpc request packet
1548 */
1549 static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
1550 {
1551         const struct dcesrv_endpoint *endpoint = call->conn->endpoint;
1552         enum dcerpc_transport_t transport =
1553                 dcerpc_binding_get_transport(endpoint->ep_description);
1554         struct ndr_pull *pull;
1555         NTSTATUS status;
1556
1557         if (!call->conn->allow_request) {
1558                 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1559         }
1560
1561         /* if authenticated, and the mech we use can't do async replies, don't use them... */
1562         if (call->conn->auth_state.gensec_security && 
1563             !gensec_have_feature(call->conn->auth_state.gensec_security, GENSEC_FEATURE_ASYNC_REPLIES)) {
1564                 call->state_flags &= ~DCESRV_CALL_STATE_FLAG_MAY_ASYNC;
1565         }
1566
1567         if (call->context == NULL) {
1568                 return dcesrv_fault_with_flags(call, DCERPC_NCA_S_UNKNOWN_IF,
1569                                         DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
1570         }
1571
1572         switch (call->conn->auth_state.auth_level) {
1573         case DCERPC_AUTH_LEVEL_NONE:
1574         case DCERPC_AUTH_LEVEL_PACKET:
1575         case DCERPC_AUTH_LEVEL_INTEGRITY:
1576         case DCERPC_AUTH_LEVEL_PRIVACY:
1577                 break;
1578         default:
1579                 if (!call->context->allow_connect) {
1580                         char *addr;
1581
1582                         addr = tsocket_address_string(call->conn->remote_address,
1583                                                       call);
1584
1585                         DEBUG(2, ("%s: restrict auth_level_connect access "
1586                                   "to [%s] with auth[type=0x%x,level=0x%x] "
1587                                   "on [%s] from [%s]\n",
1588                                   __func__, call->context->iface->name,
1589                                   call->conn->auth_state.auth_type,
1590                                   call->conn->auth_state.auth_level,
1591                                   derpc_transport_string_by_transport(transport),
1592                                   addr));
1593                         return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
1594                 }
1595                 break;
1596         }
1597
1598         if (call->conn->auth_state.auth_level < call->context->min_auth_level) {
1599                 char *addr;
1600
1601                 addr = tsocket_address_string(call->conn->remote_address, call);
1602
1603                 DEBUG(2, ("%s: restrict access by min_auth_level[0x%x] "
1604                           "to [%s] with auth[type=0x%x,level=0x%x] "
1605                           "on [%s] from [%s]\n",
1606                           __func__,
1607                           call->context->min_auth_level,
1608                           call->context->iface->name,
1609                           call->conn->auth_state.auth_type,
1610                           call->conn->auth_state.auth_level,
1611                           derpc_transport_string_by_transport(transport),
1612                           addr));
1613                 return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
1614         }
1615
1616         pull = ndr_pull_init_blob(&call->pkt.u.request.stub_and_verifier, call);
1617         NT_STATUS_HAVE_NO_MEMORY(pull);
1618
1619         pull->flags |= LIBNDR_FLAG_REF_ALLOC;
1620
1621         call->ndr_pull  = pull;
1622
1623         if (!(call->pkt.drep[0] & DCERPC_DREP_LE)) {
1624                 pull->flags |= LIBNDR_FLAG_BIGENDIAN;
1625         }
1626
1627         status = dcesrv_check_verification_trailer(call);
1628         if (!NT_STATUS_IS_OK(status)) {
1629                 uint32_t faultcode = DCERPC_FAULT_OTHER;
1630                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
1631                         faultcode = DCERPC_FAULT_ACCESS_DENIED;
1632                 }
1633                 DEBUG(10, ("dcesrv_check_verification_trailer failed: %s\n",
1634                            nt_errstr(status)));
1635                 return dcesrv_fault(call, faultcode);
1636         }
1637
1638         /* unravel the NDR for the packet */
1639         status = call->context->iface->ndr_pull(call, call, pull, &call->r);
1640         if (!NT_STATUS_IS_OK(status)) {
1641                 uint8_t extra_flags = 0;
1642                 if (call->fault_code == DCERPC_FAULT_OP_RNG_ERROR) {
1643                         /* we got an unknown call */
1644                         DEBUG(3,(__location__ ": Unknown RPC call %u on %s\n",
1645                                  call->pkt.u.request.opnum,
1646                                  call->context->iface->name));
1647                         dcesrv_save_call(call, "unknown");
1648                         extra_flags |= DCERPC_PFC_FLAG_DID_NOT_EXECUTE;
1649                 } else {
1650                         dcesrv_save_call(call, "pullfail");
1651                 }
1652                 return dcesrv_fault_with_flags(call, call->fault_code, extra_flags);
1653         }
1654
1655         if (pull->offset != pull->data_size) {
1656                 dcesrv_save_call(call, "extrabytes");
1657                 DEBUG(3,("Warning: %d extra bytes in incoming RPC request\n", 
1658                          pull->data_size - pull->offset));
1659         }
1660
1661         /* call the dispatch function */
1662         status = call->context->iface->dispatch(call, call, call->r);
1663         if (!NT_STATUS_IS_OK(status)) {
1664                 DEBUG(5,("dcerpc fault in call %s:%02x - %s\n",
1665                          call->context->iface->name,
1666                          call->pkt.u.request.opnum,
1667                          dcerpc_errstr(pull, call->fault_code)));
1668                 return dcesrv_fault(call, call->fault_code);
1669         }
1670
1671         /* add the call to the pending list */
1672         dcesrv_call_set_list(call, DCESRV_LIST_PENDING_CALL_LIST);
1673
1674         if (call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
1675                 return NT_STATUS_OK;
1676         }
1677
1678         return dcesrv_reply(call);
1679 }
1680
1681
1682 /*
1683   remove the call from the right list when freed
1684  */
1685 static int dcesrv_call_dequeue(struct dcesrv_call_state *call)
1686 {
1687         dcesrv_call_set_list(call, DCESRV_LIST_NONE);
1688         return 0;
1689 }
1690
1691 _PUBLIC_ const struct tsocket_address *dcesrv_connection_get_local_address(struct dcesrv_connection *conn)
1692 {
1693         return conn->local_address;
1694 }
1695
1696 _PUBLIC_ const struct tsocket_address *dcesrv_connection_get_remote_address(struct dcesrv_connection *conn)
1697 {
1698         return conn->remote_address;
1699 }
1700
1701 /*
1702   process some input to a dcerpc endpoint server.
1703 */
1704 static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
1705                                             struct ncacn_packet *pkt,
1706                                             DATA_BLOB blob)
1707 {
1708         NTSTATUS status;
1709         struct dcesrv_call_state *call;
1710         struct dcesrv_call_state *existing = NULL;
1711
1712         call = talloc_zero(dce_conn, struct dcesrv_call_state);
1713         if (!call) {
1714                 data_blob_free(&blob);
1715                 talloc_free(pkt);
1716                 return NT_STATUS_NO_MEMORY;
1717         }
1718         call->conn              = dce_conn;
1719         call->event_ctx         = dce_conn->event_ctx;
1720         call->msg_ctx           = dce_conn->msg_ctx;
1721         call->state_flags       = call->conn->state_flags;
1722         call->time              = timeval_current();
1723         call->list              = DCESRV_LIST_NONE;
1724
1725         talloc_steal(call, pkt);
1726         talloc_steal(call, blob.data);
1727         call->pkt = *pkt;
1728
1729         talloc_set_destructor(call, dcesrv_call_dequeue);
1730
1731         if (call->conn->allow_bind) {
1732                 /*
1733                  * Only one bind is possible per connection
1734                  */
1735                 call->conn->allow_bind = false;
1736                 return dcesrv_bind(call);
1737         }
1738
1739         /* we have to check the signing here, before combining the
1740            pdus */
1741         if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
1742                 if (!call->conn->allow_request) {
1743                         return dcesrv_fault_disconnect(call,
1744                                         DCERPC_NCA_S_PROTO_ERROR);
1745                 }
1746
1747                 status = dcerpc_verify_ncacn_packet_header(&call->pkt,
1748                                 DCERPC_PKT_REQUEST,
1749                                 call->pkt.u.request.stub_and_verifier.length,
1750                                 0, /* required_flags */
1751                                 DCERPC_PFC_FLAG_FIRST |
1752                                 DCERPC_PFC_FLAG_LAST |
1753                                 DCERPC_PFC_FLAG_PENDING_CANCEL |
1754                                 0x08 | /* this is not defined, but should be ignored */
1755                                 DCERPC_PFC_FLAG_CONC_MPX |
1756                                 DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1757                                 DCERPC_PFC_FLAG_MAYBE |
1758                                 DCERPC_PFC_FLAG_OBJECT_UUID);
1759                 if (!NT_STATUS_IS_OK(status)) {
1760                         return dcesrv_fault_disconnect(call,
1761                                         DCERPC_NCA_S_PROTO_ERROR);
1762                 }
1763
1764                 if (call->pkt.frag_length > DCERPC_FRAG_MAX_SIZE) {
1765                         /*
1766                          * We don't use dcesrv_fault_disconnect()
1767                          * here, because we don't want to set
1768                          * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
1769                          *
1770                          * Note that we don't check against the negotiated
1771                          * max_recv_frag, but a hard coded value.
1772                          */
1773                         dcesrv_call_disconnect_after(call,
1774                                 "dcesrv_auth_request - frag_length too large");
1775                         return dcesrv_fault(call,
1776                                         DCERPC_NCA_S_PROTO_ERROR);
1777                 }
1778
1779                 if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) {
1780                         if (dce_conn->pending_call_list != NULL) {
1781                                 /*
1782                                  * concurrent requests are only allowed
1783                                  * if DCERPC_PFC_FLAG_CONC_MPX was negotiated.
1784                                  */
1785                                 if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
1786                                         dcesrv_call_disconnect_after(call,
1787                                                 "dcesrv_auth_request - "
1788                                                 "existing pending call without CONN_MPX");
1789                                         return dcesrv_fault(call,
1790                                                 DCERPC_NCA_S_PROTO_ERROR);
1791                                 }
1792                         }
1793                         /* only one request is possible in the fragmented list */
1794                         if (dce_conn->incoming_fragmented_call_list != NULL) {
1795                                 if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
1796                                         /*
1797                                          * Without DCERPC_PFC_FLAG_CONC_MPX
1798                                          * we need to return the FAULT on the
1799                                          * already existing call.
1800                                          *
1801                                          * This is important to get the
1802                                          * call_id and context_id right.
1803                                          */
1804                                         TALLOC_FREE(call);
1805                                         call = dce_conn->incoming_fragmented_call_list;
1806                                 }
1807                                 dcesrv_call_disconnect_after(call,
1808                                         "dcesrv_auth_request - "
1809                                         "existing fragmented call");
1810                                 return dcesrv_fault(call,
1811                                                 DCERPC_NCA_S_PROTO_ERROR);
1812                         }
1813                         if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_PENDING_CANCEL) {
1814                                 return dcesrv_fault_disconnect(call,
1815                                                 DCERPC_FAULT_NO_CALL_ACTIVE);
1816                         }
1817                         call->context = dcesrv_find_context(call->conn,
1818                                                 call->pkt.u.request.context_id);
1819                         if (call->context == NULL) {
1820                                 return dcesrv_fault_with_flags(call, DCERPC_NCA_S_UNKNOWN_IF,
1821                                         DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
1822                         }
1823                 } else {
1824                         const struct dcerpc_request *nr = &call->pkt.u.request;
1825                         const struct dcerpc_request *er = NULL;
1826                         int cmp;
1827
1828                         existing = dcesrv_find_fragmented_call(dce_conn,
1829                                                         call->pkt.call_id);
1830                         if (existing == NULL) {
1831                                 dcesrv_call_disconnect_after(call,
1832                                         "dcesrv_auth_request - "
1833                                         "no existing fragmented call");
1834                                 return dcesrv_fault(call,
1835                                                 DCERPC_NCA_S_PROTO_ERROR);
1836                         }
1837                         er = &existing->pkt.u.request;
1838
1839                         if (call->pkt.ptype != existing->pkt.ptype) {
1840                                 /* trying to play silly buggers are we? */
1841                                 return dcesrv_fault_disconnect(existing,
1842                                                 DCERPC_NCA_S_PROTO_ERROR);
1843                         }
1844                         cmp = memcmp(call->pkt.drep, existing->pkt.drep,
1845                                      sizeof(pkt->drep));
1846                         if (cmp != 0) {
1847                                 return dcesrv_fault_disconnect(existing,
1848                                                 DCERPC_NCA_S_PROTO_ERROR);
1849                         }
1850                         if (nr->context_id != er->context_id)  {
1851                                 return dcesrv_fault_disconnect(existing,
1852                                                 DCERPC_NCA_S_PROTO_ERROR);
1853                         }
1854                         if (nr->opnum != er->opnum)  {
1855                                 return dcesrv_fault_disconnect(existing,
1856                                                 DCERPC_NCA_S_PROTO_ERROR);
1857                         }
1858                 }
1859         }
1860
1861         if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
1862                 bool ok;
1863                 uint8_t payload_offset = DCERPC_REQUEST_LENGTH;
1864
1865                 if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1866                         payload_offset += 16;
1867                 }
1868
1869                 ok = dcesrv_auth_pkt_pull(call, &blob,
1870                                           0, /* required_flags */
1871                                           DCERPC_PFC_FLAG_FIRST |
1872                                           DCERPC_PFC_FLAG_LAST |
1873                                           DCERPC_PFC_FLAG_PENDING_CANCEL |
1874                                           0x08 | /* this is not defined, but should be ignored */
1875                                           DCERPC_PFC_FLAG_CONC_MPX |
1876                                           DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1877                                           DCERPC_PFC_FLAG_MAYBE |
1878                                           DCERPC_PFC_FLAG_OBJECT_UUID,
1879                                           payload_offset,
1880                                           &call->pkt.u.request.stub_and_verifier);
1881                 if (!ok) {
1882                         /*
1883                          * We don't use dcesrv_fault_disconnect()
1884                          * here, because we don't want to set
1885                          * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
1886                          */
1887                         dcesrv_call_disconnect_after(call,
1888                                                 "dcesrv_auth_request - failed");
1889                         if (call->fault_code == 0) {
1890                                 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
1891                         }
1892                         return dcesrv_fault(call, call->fault_code);
1893                 }
1894         }
1895
1896         /* see if this is a continued packet */
1897         if (existing != NULL) {
1898                 struct dcerpc_request *er = &existing->pkt.u.request;
1899                 const struct dcerpc_request *nr = &call->pkt.u.request;
1900                 size_t available;
1901                 size_t alloc_size;
1902                 size_t alloc_hint;
1903
1904                 /*
1905                  * Up to 4 MByte are allowed by all fragments
1906                  */
1907                 available = dce_conn->max_total_request_size;
1908                 if (er->stub_and_verifier.length > available) {
1909                         dcesrv_call_disconnect_after(existing,
1910                                 "dcesrv_auth_request - existing payload too large");
1911                         return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
1912                 }
1913                 available -= er->stub_and_verifier.length;
1914                 if (nr->alloc_hint > available) {
1915                         dcesrv_call_disconnect_after(existing,
1916                                 "dcesrv_auth_request - alloc hint too large");
1917                         return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
1918                 }
1919                 if (nr->stub_and_verifier.length > available) {
1920                         dcesrv_call_disconnect_after(existing,
1921                                 "dcesrv_auth_request - new payload too large");
1922                         return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
1923                 }
1924                 alloc_hint = er->stub_and_verifier.length + nr->alloc_hint;
1925                 /* allocate at least 1 byte */
1926                 alloc_hint = MAX(alloc_hint, 1);
1927                 alloc_size = er->stub_and_verifier.length +
1928                              nr->stub_and_verifier.length;
1929                 alloc_size = MAX(alloc_size, alloc_hint);
1930
1931                 er->stub_and_verifier.data =
1932                         talloc_realloc(existing,
1933                                        er->stub_and_verifier.data,
1934                                        uint8_t, alloc_size);
1935                 if (er->stub_and_verifier.data == NULL) {
1936                         TALLOC_FREE(call);
1937                         return dcesrv_fault_with_flags(existing,
1938                                                        DCERPC_FAULT_OUT_OF_RESOURCES,
1939                                                        DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
1940                 }
1941                 memcpy(er->stub_and_verifier.data +
1942                        er->stub_and_verifier.length,
1943                        nr->stub_and_verifier.data,
1944                        nr->stub_and_verifier.length);
1945                 er->stub_and_verifier.length += nr->stub_and_verifier.length;
1946
1947                 existing->pkt.pfc_flags |= (call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST);
1948
1949                 TALLOC_FREE(call);
1950                 call = existing;
1951         }
1952
1953         /* this may not be the last pdu in the chain - if its isn't then
1954            just put it on the incoming_fragmented_call_list and wait for the rest */
1955         if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
1956             !(call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST)) {
1957                 /*
1958                  * Up to 4 MByte are allowed by all fragments
1959                  */
1960                 if (call->pkt.u.request.alloc_hint > dce_conn->max_total_request_size) {
1961                         dcesrv_call_disconnect_after(call,
1962                                 "dcesrv_auth_request - initial alloc hint too large");
1963                         return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
1964                 }
1965                 dcesrv_call_set_list(call, DCESRV_LIST_FRAGMENTED_CALL_LIST);
1966                 return NT_STATUS_OK;
1967         } 
1968         
1969         /* This removes any fragments we may have had stashed away */
1970         dcesrv_call_set_list(call, DCESRV_LIST_NONE);
1971
1972         switch (call->pkt.ptype) {
1973         case DCERPC_PKT_BIND:
1974                 status = dcesrv_bind_nak(call,
1975                         DCERPC_BIND_NAK_REASON_NOT_SPECIFIED);
1976                 break;
1977         case DCERPC_PKT_AUTH3:
1978                 status = dcesrv_auth3(call);
1979                 break;
1980         case DCERPC_PKT_ALTER:
1981                 status = dcesrv_alter(call);
1982                 break;
1983         case DCERPC_PKT_REQUEST:
1984                 status = dcesrv_request(call);
1985                 break;
1986         case DCERPC_PKT_CO_CANCEL:
1987         case DCERPC_PKT_ORPHANED:
1988                 /*
1989                  * Window just ignores CO_CANCEL and ORPHANED,
1990                  * so we do...
1991                  */
1992                 status = NT_STATUS_OK;
1993                 TALLOC_FREE(call);
1994                 break;
1995         case DCERPC_PKT_BIND_ACK:
1996         case DCERPC_PKT_BIND_NAK:
1997         case DCERPC_PKT_ALTER_RESP:
1998         case DCERPC_PKT_RESPONSE:
1999         case DCERPC_PKT_FAULT:
2000         case DCERPC_PKT_SHUTDOWN:
2001         default:
2002                 status = dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
2003                 break;
2004         }
2005
2006         /* if we are going to be sending a reply then add
2007            it to the list of pending calls. We add it to the end to keep the call
2008            list in the order we will answer */
2009         if (!NT_STATUS_IS_OK(status)) {
2010                 talloc_free(call);
2011         }
2012
2013         return status;
2014 }
2015
2016 _PUBLIC_ NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx, 
2017                                       struct loadparm_context *lp_ctx,
2018                                       const char **endpoint_servers, struct dcesrv_context **_dce_ctx)
2019 {
2020         NTSTATUS status;
2021         struct dcesrv_context *dce_ctx;
2022         int i;
2023
2024         if (!endpoint_servers) {
2025                 DEBUG(0,("dcesrv_init_context: no endpoint servers configured\n"));
2026                 return NT_STATUS_INTERNAL_ERROR;
2027         }
2028
2029         dce_ctx = talloc_zero(mem_ctx, struct dcesrv_context);
2030         NT_STATUS_HAVE_NO_MEMORY(dce_ctx);
2031
2032         if (uid_wrapper_enabled()) {
2033                 setenv("UID_WRAPPER_MYUID", "1", 1);
2034         }
2035         dce_ctx->initial_euid = geteuid();
2036         if (uid_wrapper_enabled()) {
2037                 unsetenv("UID_WRAPPER_MYUID");
2038         }
2039
2040         dce_ctx->endpoint_list  = NULL;
2041         dce_ctx->lp_ctx = lp_ctx;
2042         dce_ctx->assoc_groups_idr = idr_init(dce_ctx);
2043         NT_STATUS_HAVE_NO_MEMORY(dce_ctx->assoc_groups_idr);
2044         dce_ctx->broken_connections = NULL;
2045
2046         for (i=0;endpoint_servers[i];i++) {
2047                 const struct dcesrv_endpoint_server *ep_server;
2048
2049                 ep_server = dcesrv_ep_server_byname(endpoint_servers[i]);
2050                 if (!ep_server) {
2051                         DEBUG(0,("dcesrv_init_context: failed to find endpoint server = '%s'\n", endpoint_servers[i]));
2052                         return NT_STATUS_INTERNAL_ERROR;
2053                 }
2054
2055                 status = ep_server->init_server(dce_ctx, ep_server);
2056                 if (!NT_STATUS_IS_OK(status)) {
2057                         DEBUG(0,("dcesrv_init_context: failed to init endpoint server = '%s': %s\n", endpoint_servers[i],
2058                                 nt_errstr(status)));
2059                         return status;
2060                 }
2061         }
2062
2063         *_dce_ctx = dce_ctx;
2064         return NT_STATUS_OK;
2065 }
2066
2067 /* the list of currently registered DCERPC endpoint servers.
2068  */
2069 static struct ep_server {
2070         struct dcesrv_endpoint_server *ep_server;
2071 } *ep_servers = NULL;
2072 static int num_ep_servers;
2073
2074 /*
2075   register a DCERPC endpoint server. 
2076
2077   The 'name' can be later used by other backends to find the operations
2078   structure for this backend.  
2079
2080 */
2081 _PUBLIC_ NTSTATUS dcerpc_register_ep_server(const struct dcesrv_endpoint_server *ep_server)
2082 {
2083         
2084         if (dcesrv_ep_server_byname(ep_server->name) != NULL) {
2085                 /* its already registered! */
2086                 DEBUG(0,("DCERPC endpoint server '%s' already registered\n", 
2087                          ep_server->name));
2088                 return NT_STATUS_OBJECT_NAME_COLLISION;
2089         }
2090
2091         ep_servers = realloc_p(ep_servers, struct ep_server, num_ep_servers+1);
2092         if (!ep_servers) {
2093                 smb_panic("out of memory in dcerpc_register");
2094         }
2095
2096         ep_servers[num_ep_servers].ep_server = smb_xmemdup(ep_server, sizeof(*ep_server));
2097         ep_servers[num_ep_servers].ep_server->name = smb_xstrdup(ep_server->name);
2098
2099         num_ep_servers++;
2100
2101         DEBUG(3,("DCERPC endpoint server '%s' registered\n", 
2102                  ep_server->name));
2103
2104         return NT_STATUS_OK;
2105 }
2106
2107 /*
2108   return the operations structure for a named backend of the specified type
2109 */
2110 const struct dcesrv_endpoint_server *dcesrv_ep_server_byname(const char *name)
2111 {
2112         int i;
2113
2114         for (i=0;i<num_ep_servers;i++) {
2115                 if (strcmp(ep_servers[i].ep_server->name, name) == 0) {
2116                         return ep_servers[i].ep_server;
2117                 }
2118         }
2119
2120         return NULL;
2121 }
2122
2123 void dcerpc_server_init(struct loadparm_context *lp_ctx)
2124 {
2125         static bool initialized;
2126 #define _MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *);
2127         STATIC_dcerpc_server_MODULES_PROTO;
2128         init_module_fn static_init[] = { STATIC_dcerpc_server_MODULES };
2129         init_module_fn *shared_init;
2130
2131         if (initialized) {
2132                 return;
2133         }
2134         initialized = true;
2135
2136         shared_init = load_samba_modules(NULL, "dcerpc_server");
2137
2138         run_init_functions(NULL, static_init);
2139         run_init_functions(NULL, shared_init);
2140
2141         talloc_free(shared_init);
2142 }
2143
2144 /*
2145   return the DCERPC module version, and the size of some critical types
2146   This can be used by endpoint server modules to either detect compilation errors, or provide
2147   multiple implementations for different smbd compilation options in one module
2148 */
2149 const struct dcesrv_critical_sizes *dcerpc_module_version(void)
2150 {
2151         static const struct dcesrv_critical_sizes critical_sizes = {
2152                 DCERPC_MODULE_VERSION,
2153                 sizeof(struct dcesrv_context),
2154                 sizeof(struct dcesrv_endpoint),
2155                 sizeof(struct dcesrv_endpoint_server),
2156                 sizeof(struct dcesrv_interface),
2157                 sizeof(struct dcesrv_if_list),
2158                 sizeof(struct dcesrv_connection),
2159                 sizeof(struct dcesrv_call_state),
2160                 sizeof(struct dcesrv_auth),
2161                 sizeof(struct dcesrv_handle)
2162         };
2163
2164         return &critical_sizes;
2165 }
2166
2167 static void dcesrv_terminate_connection(struct dcesrv_connection *dce_conn, const char *reason)
2168 {
2169         struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2170         struct stream_connection *srv_conn;
2171         srv_conn = talloc_get_type(dce_conn->transport.private_data,
2172                                    struct stream_connection);
2173
2174         dce_conn->wait_send = NULL;
2175         dce_conn->wait_recv = NULL;
2176         dce_conn->wait_private = NULL;
2177
2178         dce_conn->allow_bind = false;
2179         dce_conn->allow_auth3 = false;
2180         dce_conn->allow_alter = false;
2181         dce_conn->allow_request = false;
2182
2183         if (dce_conn->pending_call_list == NULL) {
2184                 char *full_reason = talloc_asprintf(dce_conn, "dcesrv: %s", reason);
2185
2186                 DLIST_REMOVE(dce_ctx->broken_connections, dce_conn);
2187                 stream_terminate_connection(srv_conn, full_reason ? full_reason : reason);
2188                 return;
2189         }
2190
2191         if (dce_conn->terminate != NULL) {
2192                 return;
2193         }
2194
2195         DEBUG(3,("dcesrv: terminating connection due to '%s' deferred due to pending calls\n",
2196                  reason));
2197         dce_conn->terminate = talloc_strdup(dce_conn, reason);
2198         if (dce_conn->terminate == NULL) {
2199                 dce_conn->terminate = "dcesrv: deferred terminating connection - no memory";
2200         }
2201         DLIST_ADD_END(dce_ctx->broken_connections, dce_conn);
2202 }
2203
2204 static void dcesrv_cleanup_broken_connections(struct dcesrv_context *dce_ctx)
2205 {
2206         struct dcesrv_connection *cur, *next;
2207
2208         next = dce_ctx->broken_connections;
2209         while (next != NULL) {
2210                 cur = next;
2211                 next = cur->next;
2212
2213                 if (cur->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
2214                         struct dcesrv_connection_context *context_cur, *context_next;
2215
2216                         context_next = cur->contexts;
2217                         while (context_next != NULL) {
2218                                 context_cur = context_next;
2219                                 context_next = context_cur->next;
2220
2221                                 dcesrv_connection_context_destructor(context_cur);
2222                         }
2223                 }
2224
2225                 dcesrv_terminate_connection(cur, cur->terminate);
2226         }
2227 }
2228
2229 /* We need this include to be able to compile on some plateforms
2230  * (ie. freebsd 7.2) as it seems that <sys/uio.h> is not included
2231  * correctly.
2232  * It has to be that deep because otherwise we have a conflict on
2233  * const struct dcesrv_interface declaration.
2234  * This is mostly due to socket_wrapper defining #define bind swrap_bind
2235  * which conflict with the bind used before.
2236  */
2237 #include "system/network.h"
2238
2239 struct dcesrv_sock_reply_state {
2240         struct dcesrv_connection *dce_conn;
2241         struct dcesrv_call_state *call;
2242         struct iovec iov;
2243 };
2244
2245 static void dcesrv_sock_reply_done(struct tevent_req *subreq);
2246 static void dcesrv_call_terminate_step1(struct tevent_req *subreq);
2247
2248 static void dcesrv_sock_report_output_data(struct dcesrv_connection *dce_conn)
2249 {
2250         struct dcesrv_call_state *call;
2251
2252         call = dce_conn->call_list;
2253         if (!call || !call->replies) {
2254                 return;
2255         }
2256
2257         while (call->replies) {
2258                 struct data_blob_list_item *rep = call->replies;
2259                 struct dcesrv_sock_reply_state *substate;
2260                 struct tevent_req *subreq;
2261
2262                 substate = talloc_zero(call, struct dcesrv_sock_reply_state);
2263                 if (!substate) {
2264                         dcesrv_terminate_connection(dce_conn, "no memory");
2265                         return;
2266                 }
2267
2268                 substate->dce_conn = dce_conn;
2269                 substate->call = NULL;
2270
2271                 DLIST_REMOVE(call->replies, rep);
2272
2273                 if (call->replies == NULL && call->terminate_reason == NULL) {
2274                         substate->call = call;
2275                 }
2276
2277                 substate->iov.iov_base = (void *) rep->blob.data;
2278                 substate->iov.iov_len = rep->blob.length;
2279
2280                 subreq = tstream_writev_queue_send(substate,
2281                                                    dce_conn->event_ctx,
2282                                                    dce_conn->stream,
2283                                                    dce_conn->send_queue,
2284                                                    &substate->iov, 1);
2285                 if (!subreq) {
2286                         dcesrv_terminate_connection(dce_conn, "no memory");
2287                         return;
2288                 }
2289                 tevent_req_set_callback(subreq, dcesrv_sock_reply_done,
2290                                         substate);
2291         }
2292
2293         if (call->terminate_reason != NULL) {
2294                 struct tevent_req *subreq;
2295
2296                 subreq = tevent_queue_wait_send(call,
2297                                                 dce_conn->event_ctx,
2298                                                 dce_conn->send_queue);
2299                 if (!subreq) {
2300                         dcesrv_terminate_connection(dce_conn, __location__);
2301                         return;
2302                 }
2303                 tevent_req_set_callback(subreq, dcesrv_call_terminate_step1,
2304                                         call);
2305         }
2306
2307         DLIST_REMOVE(call->conn->call_list, call);
2308         call->list = DCESRV_LIST_NONE;
2309 }
2310
2311 static void dcesrv_sock_reply_done(struct tevent_req *subreq)
2312 {
2313         struct dcesrv_sock_reply_state *substate = tevent_req_callback_data(subreq,
2314                                                 struct dcesrv_sock_reply_state);
2315         int ret;
2316         int sys_errno;
2317         NTSTATUS status;
2318         struct dcesrv_call_state *call = substate->call;
2319
2320         ret = tstream_writev_queue_recv(subreq, &sys_errno);
2321         TALLOC_FREE(subreq);
2322         if (ret == -1) {
2323                 status = map_nt_error_from_unix_common(sys_errno);
2324                 dcesrv_terminate_connection(substate->dce_conn, nt_errstr(status));
2325                 return;
2326         }
2327
2328         talloc_free(substate);
2329         if (call) {
2330                 talloc_free(call);
2331         }
2332 }
2333
2334 static void dcesrv_call_terminate_step2(struct tevent_req *subreq);
2335
2336 static void dcesrv_call_terminate_step1(struct tevent_req *subreq)
2337 {
2338         struct dcesrv_call_state *call = tevent_req_callback_data(subreq,
2339                                                 struct dcesrv_call_state);
2340         bool ok;
2341         struct timeval tv;
2342
2343         /* make sure we stop send queue before removing subreq */
2344         tevent_queue_stop(call->conn->send_queue);
2345
2346         ok = tevent_queue_wait_recv(subreq);
2347         TALLOC_FREE(subreq);
2348         if (!ok) {
2349                 dcesrv_terminate_connection(call->conn, __location__);
2350                 return;
2351         }
2352
2353         /* disconnect after 200 usecs */
2354         tv = timeval_current_ofs_usec(200);
2355         subreq = tevent_wakeup_send(call, call->conn->event_ctx, tv);
2356         if (subreq == NULL) {
2357                 dcesrv_terminate_connection(call->conn, __location__);
2358                 return;
2359         }
2360         tevent_req_set_callback(subreq, dcesrv_call_terminate_step2,
2361                                 call);
2362 }
2363
2364 static void dcesrv_call_terminate_step2(struct tevent_req *subreq)
2365 {
2366         struct dcesrv_call_state *call = tevent_req_callback_data(subreq,
2367                                                 struct dcesrv_call_state);
2368         bool ok;
2369
2370         ok = tevent_wakeup_recv(subreq);
2371         TALLOC_FREE(subreq);
2372         if (!ok) {
2373                 dcesrv_terminate_connection(call->conn, __location__);
2374                 return;
2375         }
2376
2377         dcesrv_terminate_connection(call->conn, call->terminate_reason);
2378 }
2379
2380 struct dcesrv_socket_context {
2381         const struct dcesrv_endpoint *endpoint;
2382         struct dcesrv_context *dcesrv_ctx;
2383 };
2384
2385
2386 static void dcesrv_read_fragment_done(struct tevent_req *subreq);
2387
2388 static void dcesrv_sock_accept(struct stream_connection *srv_conn)
2389 {
2390         NTSTATUS status;
2391         struct dcesrv_socket_context *dcesrv_sock = 
2392                 talloc_get_type(srv_conn->private_data, struct dcesrv_socket_context);
2393         enum dcerpc_transport_t transport =
2394                 dcerpc_binding_get_transport(dcesrv_sock->endpoint->ep_description);
2395         struct dcesrv_connection *dcesrv_conn = NULL;
2396         int ret;
2397         struct tevent_req *subreq;
2398         struct loadparm_context *lp_ctx = dcesrv_sock->dcesrv_ctx->lp_ctx;
2399
2400         dcesrv_cleanup_broken_connections(dcesrv_sock->dcesrv_ctx);
2401
2402         if (!srv_conn->session_info) {
2403                 status = auth_anonymous_session_info(srv_conn,
2404                                                      lp_ctx,
2405                                                      &srv_conn->session_info);
2406                 if (!NT_STATUS_IS_OK(status)) {
2407                         DEBUG(0,("dcesrv_sock_accept: auth_anonymous_session_info failed: %s\n",
2408                                 nt_errstr(status)));
2409                         stream_terminate_connection(srv_conn, nt_errstr(status));
2410                         return;
2411                 }
2412         }
2413
2414         /*
2415          * This fills in dcesrv_conn->endpoint with the endpoint
2416          * associated with the socket.  From this point on we know
2417          * which (group of) services we are handling, but not the
2418          * specific interface.
2419          */
2420
2421         status = dcesrv_endpoint_connect(dcesrv_sock->dcesrv_ctx,
2422                                          srv_conn,
2423                                          dcesrv_sock->endpoint,
2424                                          srv_conn->session_info,
2425                                          srv_conn->event.ctx,
2426                                          srv_conn->msg_ctx,
2427                                          srv_conn->server_id,
2428                                          DCESRV_CALL_STATE_FLAG_MAY_ASYNC,
2429                                          &dcesrv_conn);
2430         if (!NT_STATUS_IS_OK(status)) {
2431                 DEBUG(0,("dcesrv_sock_accept: dcesrv_endpoint_connect failed: %s\n", 
2432                         nt_errstr(status)));
2433                 stream_terminate_connection(srv_conn, nt_errstr(status));
2434                 return;
2435         }
2436
2437         dcesrv_conn->transport.private_data             = srv_conn;
2438         dcesrv_conn->transport.report_output_data       = dcesrv_sock_report_output_data;
2439
2440         TALLOC_FREE(srv_conn->event.fde);
2441
2442         dcesrv_conn->send_queue = tevent_queue_create(dcesrv_conn, "dcesrv send queue");
2443         if (!dcesrv_conn->send_queue) {
2444                 status = NT_STATUS_NO_MEMORY;
2445                 DEBUG(0,("dcesrv_sock_accept: tevent_queue_create(%s)\n",
2446                         nt_errstr(status)));
2447                 stream_terminate_connection(srv_conn, nt_errstr(status));
2448                 return;
2449         }
2450
2451         if (transport == NCACN_NP) {
2452                 dcesrv_conn->auth_state.session_key = dcesrv_inherited_session_key;
2453                 dcesrv_conn->stream = talloc_move(dcesrv_conn,
2454                                                   &srv_conn->tstream);
2455         } else {
2456                 ret = tstream_bsd_existing_socket(dcesrv_conn,
2457                                                   socket_get_fd(srv_conn->socket),
2458                                                   &dcesrv_conn->stream);
2459                 if (ret == -1) {
2460                         status = map_nt_error_from_unix_common(errno);
2461                         DEBUG(0, ("dcesrv_sock_accept: "
2462                                   "failed to setup tstream: %s\n",
2463                                   nt_errstr(status)));
2464                         stream_terminate_connection(srv_conn, nt_errstr(status));
2465                         return;
2466                 }
2467                 socket_set_flags(srv_conn->socket, SOCKET_FLAG_NOCLOSE);
2468         }
2469
2470         dcesrv_conn->local_address = srv_conn->local_address;
2471         dcesrv_conn->remote_address = srv_conn->remote_address;
2472
2473         if (transport == NCALRPC) {
2474                 uid_t uid;
2475                 gid_t gid;
2476                 int sock_fd;
2477
2478                 sock_fd = socket_get_fd(srv_conn->socket);
2479                 if (sock_fd == -1) {
2480                         stream_terminate_connection(
2481                                 srv_conn, "socket_get_fd failed\n");
2482                         return;
2483                 }
2484
2485                 ret = getpeereid(sock_fd, &uid, &gid);
2486                 if (ret == -1) {
2487                         status = map_nt_error_from_unix_common(errno);
2488                         DEBUG(0, ("dcesrv_sock_accept: "
2489                                   "getpeereid() failed for NCALRPC: %s\n",
2490                                   nt_errstr(status)));
2491                         stream_terminate_connection(srv_conn, nt_errstr(status));
2492                         return;
2493                 }
2494                 if (uid == dcesrv_conn->dce_ctx->initial_euid) {
2495                         struct tsocket_address *r = NULL;
2496
2497                         ret = tsocket_address_unix_from_path(dcesrv_conn,
2498                                                              "/root/ncalrpc_as_system",
2499                                                              &r);
2500                         if (ret == -1) {
2501                                 status = map_nt_error_from_unix_common(errno);
2502                                 DEBUG(0, ("dcesrv_sock_accept: "
2503                                           "tsocket_address_unix_from_path() failed for NCALRPC: %s\n",
2504                                           nt_errstr(status)));
2505                                 stream_terminate_connection(srv_conn, nt_errstr(status));
2506                                 return;
2507                         }
2508                         dcesrv_conn->remote_address = r;
2509                 }
2510         }
2511
2512         srv_conn->private_data = dcesrv_conn;
2513
2514         irpc_add_name(srv_conn->msg_ctx, "rpc_server");
2515
2516         subreq = dcerpc_read_ncacn_packet_send(dcesrv_conn,
2517                                                dcesrv_conn->event_ctx,
2518                                                dcesrv_conn->stream);
2519         if (!subreq) {
2520                 status = NT_STATUS_NO_MEMORY;
2521                 DEBUG(0,("dcesrv_sock_accept: dcerpc_read_fragment_buffer_send(%s)\n",
2522                         nt_errstr(status)));
2523                 stream_terminate_connection(srv_conn, nt_errstr(status));
2524                 return;
2525         }
2526         tevent_req_set_callback(subreq, dcesrv_read_fragment_done, dcesrv_conn);
2527
2528         return;
2529 }
2530
2531 static void dcesrv_conn_wait_done(struct tevent_req *subreq);
2532
2533 static void dcesrv_read_fragment_done(struct tevent_req *subreq)
2534 {
2535         struct dcesrv_connection *dce_conn = tevent_req_callback_data(subreq,
2536                                              struct dcesrv_connection);
2537         struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2538         struct ncacn_packet *pkt;
2539         DATA_BLOB buffer;
2540         NTSTATUS status;
2541
2542         if (dce_conn->terminate) {
2543                 /*
2544                  * if the current connection is broken
2545                  * we need to clean it up before any other connection
2546                  */
2547                 dcesrv_terminate_connection(dce_conn, dce_conn->terminate);
2548                 dcesrv_cleanup_broken_connections(dce_ctx);
2549                 return;
2550         }
2551
2552         dcesrv_cleanup_broken_connections(dce_ctx);
2553
2554         status = dcerpc_read_ncacn_packet_recv(subreq, dce_conn,
2555                                                &pkt, &buffer);
2556         TALLOC_FREE(subreq);
2557         if (!NT_STATUS_IS_OK(status)) {
2558                 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2559                 return;
2560         }
2561
2562         status = dcesrv_process_ncacn_packet(dce_conn, pkt, buffer);
2563         if (!NT_STATUS_IS_OK(status)) {
2564                 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2565                 return;
2566         }
2567
2568         /*
2569          * This is used to block the connection during
2570          * pending authentication.
2571          */
2572         if (dce_conn->wait_send != NULL) {
2573                 subreq = dce_conn->wait_send(dce_conn,
2574                                              dce_conn->event_ctx,
2575                                              dce_conn->wait_private);
2576                 if (!subreq) {
2577                         status = NT_STATUS_NO_MEMORY;
2578                         dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2579                         return;
2580                 }
2581                 tevent_req_set_callback(subreq, dcesrv_conn_wait_done, dce_conn);
2582                 return;
2583         }
2584
2585         subreq = dcerpc_read_ncacn_packet_send(dce_conn,
2586                                                dce_conn->event_ctx,
2587                                                dce_conn->stream);
2588         if (!subreq) {
2589                 status = NT_STATUS_NO_MEMORY;
2590                 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2591                 return;
2592         }
2593         tevent_req_set_callback(subreq, dcesrv_read_fragment_done, dce_conn);
2594 }
2595
2596 static void dcesrv_conn_wait_done(struct tevent_req *subreq)
2597 {
2598         struct dcesrv_connection *dce_conn = tevent_req_callback_data(subreq,
2599                                              struct dcesrv_connection);
2600         struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2601         NTSTATUS status;
2602
2603         if (dce_conn->terminate) {
2604                 /*
2605                  * if the current connection is broken
2606                  * we need to clean it up before any other connection
2607                  */
2608                 dcesrv_terminate_connection(dce_conn, dce_conn->terminate);
2609                 dcesrv_cleanup_broken_connections(dce_ctx);
2610                 return;
2611         }
2612
2613         dcesrv_cleanup_broken_connections(dce_ctx);
2614
2615         status = dce_conn->wait_recv(subreq);
2616         dce_conn->wait_send = NULL;
2617         dce_conn->wait_recv = NULL;
2618         dce_conn->wait_private = NULL;
2619         TALLOC_FREE(subreq);
2620         if (!NT_STATUS_IS_OK(status)) {
2621                 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2622                 return;
2623         }
2624
2625         subreq = dcerpc_read_ncacn_packet_send(dce_conn,
2626                                                dce_conn->event_ctx,
2627                                                dce_conn->stream);
2628         if (!subreq) {
2629                 status = NT_STATUS_NO_MEMORY;
2630                 dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2631                 return;
2632         }
2633         tevent_req_set_callback(subreq, dcesrv_read_fragment_done, dce_conn);
2634 }
2635
2636 static void dcesrv_sock_recv(struct stream_connection *conn, uint16_t flags)
2637 {
2638         struct dcesrv_connection *dce_conn = talloc_get_type(conn->private_data,
2639                                              struct dcesrv_connection);
2640         dcesrv_terminate_connection(dce_conn, "dcesrv_sock_recv triggered");
2641 }
2642
2643 static void dcesrv_sock_send(struct stream_connection *conn, uint16_t flags)
2644 {
2645         struct dcesrv_connection *dce_conn = talloc_get_type(conn->private_data,
2646                                              struct dcesrv_connection);
2647         dcesrv_terminate_connection(dce_conn, "dcesrv_sock_send triggered");
2648 }
2649
2650
2651 static const struct stream_server_ops dcesrv_stream_ops = {
2652         .name                   = "rpc",
2653         .accept_connection      = dcesrv_sock_accept,
2654         .recv_handler           = dcesrv_sock_recv,
2655         .send_handler           = dcesrv_sock_send,
2656 };
2657
2658 static NTSTATUS dcesrv_add_ep_unix(struct dcesrv_context *dce_ctx, 
2659                                    struct loadparm_context *lp_ctx,
2660                                    struct dcesrv_endpoint *e,
2661                             struct tevent_context *event_ctx, const struct model_ops *model_ops)
2662 {
2663         struct dcesrv_socket_context *dcesrv_sock;
2664         uint16_t port = 1;
2665         NTSTATUS status;
2666         const char *endpoint;
2667
2668         dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
2669         NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
2670
2671         /* remember the endpoint of this socket */
2672         dcesrv_sock->endpoint           = e;
2673         dcesrv_sock->dcesrv_ctx         = talloc_reference(dcesrv_sock, dce_ctx);
2674
2675         endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
2676
2677         status = stream_setup_socket(dcesrv_sock, event_ctx, lp_ctx,
2678                                      model_ops, &dcesrv_stream_ops, 
2679                                      "unix", endpoint, &port,
2680                                      lpcfg_socket_options(lp_ctx),
2681                                      dcesrv_sock);
2682         if (!NT_STATUS_IS_OK(status)) {
2683                 DEBUG(0,("service_setup_stream_socket(path=%s) failed - %s\n",
2684                          endpoint, nt_errstr(status)));
2685         }
2686
2687         return status;
2688 }
2689
2690 static NTSTATUS dcesrv_add_ep_ncalrpc(struct dcesrv_context *dce_ctx, 
2691                                       struct loadparm_context *lp_ctx,
2692                                       struct dcesrv_endpoint *e,
2693                                       struct tevent_context *event_ctx, const struct model_ops *model_ops)
2694 {
2695         struct dcesrv_socket_context *dcesrv_sock;
2696         uint16_t port = 1;
2697         char *full_path;
2698         NTSTATUS status;
2699         const char *endpoint;
2700
2701         endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
2702
2703         if (endpoint == NULL) {
2704                 /*
2705                  * No identifier specified: use DEFAULT.
2706                  *
2707                  * TODO: DO NOT hardcode this value anywhere else. Rather, specify
2708                  * no endpoint and let the epmapper worry about it.
2709                  */
2710                 endpoint = "DEFAULT";
2711                 status = dcerpc_binding_set_string_option(e->ep_description,
2712                                                           "endpoint",
2713                                                           endpoint);
2714                 if (!NT_STATUS_IS_OK(status)) {
2715                         DEBUG(0,("dcerpc_binding_set_string_option() failed - %s\n",
2716                                   nt_errstr(status)));
2717                         return status;
2718                 }
2719         }
2720
2721         full_path = talloc_asprintf(dce_ctx, "%s/%s", lpcfg_ncalrpc_dir(lp_ctx),
2722                                     endpoint);
2723
2724         dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
2725         NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
2726
2727         /* remember the endpoint of this socket */
2728         dcesrv_sock->endpoint           = e;
2729         dcesrv_sock->dcesrv_ctx         = talloc_reference(dcesrv_sock, dce_ctx);
2730
2731         status = stream_setup_socket(dcesrv_sock, event_ctx, lp_ctx,
2732                                      model_ops, &dcesrv_stream_ops, 
2733                                      "unix", full_path, &port, 
2734                                      lpcfg_socket_options(lp_ctx),
2735                                      dcesrv_sock);
2736         if (!NT_STATUS_IS_OK(status)) {
2737                 DEBUG(0,("service_setup_stream_socket(identifier=%s,path=%s) failed - %s\n",
2738                          endpoint, full_path, nt_errstr(status)));
2739         }
2740         return status;
2741 }
2742
2743 static NTSTATUS dcesrv_add_ep_np(struct dcesrv_context *dce_ctx,
2744                                  struct loadparm_context *lp_ctx,
2745                                  struct dcesrv_endpoint *e,
2746                                  struct tevent_context *event_ctx, const struct model_ops *model_ops)
2747 {
2748         struct dcesrv_socket_context *dcesrv_sock;
2749         NTSTATUS status;
2750         const char *endpoint;
2751
2752         endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
2753         if (endpoint == NULL) {
2754                 DEBUG(0, ("Endpoint mandatory for named pipes\n"));
2755                 return NT_STATUS_INVALID_PARAMETER;
2756         }
2757
2758         dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
2759         NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
2760
2761         /* remember the endpoint of this socket */
2762         dcesrv_sock->endpoint           = e;
2763         dcesrv_sock->dcesrv_ctx         = talloc_reference(dcesrv_sock, dce_ctx);
2764
2765         status = tstream_setup_named_pipe(dce_ctx, event_ctx, lp_ctx,
2766                                           model_ops, &dcesrv_stream_ops,
2767                                           endpoint,
2768                                           dcesrv_sock);
2769         if (!NT_STATUS_IS_OK(status)) {
2770                 DEBUG(0,("stream_setup_named_pipe(pipe=%s) failed - %s\n",
2771                          endpoint, nt_errstr(status)));
2772                 return status;
2773         }
2774
2775         return NT_STATUS_OK;
2776 }
2777
2778 /*
2779   add a socket address to the list of events, one event per dcerpc endpoint
2780 */
2781 static NTSTATUS add_socket_rpc_tcp_iface(struct dcesrv_context *dce_ctx, struct dcesrv_endpoint *e,
2782                                          struct tevent_context *event_ctx, const struct model_ops *model_ops,
2783                                          const char *address)
2784 {
2785         struct dcesrv_socket_context *dcesrv_sock;
2786         uint16_t port = 0;
2787         NTSTATUS status;
2788         const char *endpoint;
2789         char port_str[6];
2790
2791         endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
2792         if (endpoint != NULL) {
2793                 port = atoi(endpoint);
2794         }
2795
2796         dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
2797         NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
2798
2799         /* remember the endpoint of this socket */
2800         dcesrv_sock->endpoint           = e;
2801         dcesrv_sock->dcesrv_ctx         = talloc_reference(dcesrv_sock, dce_ctx);
2802
2803         status = stream_setup_socket(dcesrv_sock, event_ctx, dce_ctx->lp_ctx,
2804                                      model_ops, &dcesrv_stream_ops, 
2805                                      "ip", address, &port,
2806                                      lpcfg_socket_options(dce_ctx->lp_ctx),
2807                                      dcesrv_sock);
2808         if (!NT_STATUS_IS_OK(status)) {
2809                 struct dcesrv_if_list *iface;
2810                 DEBUG(0,("service_setup_stream_socket(address=%s,port=%u) for ",
2811                          address, port));
2812                 for (iface = e->interface_list; iface; iface = iface->next) {
2813                         DEBUGADD(0, ("%s ", iface->iface.name));
2814                 }
2815                 DEBUGADD(0, ("failed - %s",
2816                              nt_errstr(status)));
2817                 return status;
2818         }
2819
2820         snprintf(port_str, sizeof(port_str), "%u", port);
2821
2822         status = dcerpc_binding_set_string_option(e->ep_description,
2823                                                   "endpoint", port_str);
2824         if (!NT_STATUS_IS_OK(status)) {
2825                 DEBUG(0,("dcerpc_binding_set_string_option(endpoint, %s) failed - %s\n",
2826                          port_str, nt_errstr(status)));
2827                 return status;
2828         } else {
2829                 struct dcesrv_if_list *iface;
2830                 DEBUG(4,("Successfully listening on ncacn_ip_tcp endpoint [%s]:[%s] for ",
2831                          address, port_str));
2832                 for (iface = e->interface_list; iface; iface = iface->next) {
2833                         DEBUGADD(4, ("%s ", iface->iface.name));
2834                 }
2835                 DEBUGADD(4, ("\n"));
2836         }
2837
2838         return NT_STATUS_OK;
2839 }
2840
2841 #include "lib/socket/netif.h" /* Included here to work around the fact that socket_wrapper redefines bind() */
2842
2843 static NTSTATUS dcesrv_add_ep_tcp(struct dcesrv_context *dce_ctx, 
2844                                   struct loadparm_context *lp_ctx,
2845                                   struct dcesrv_endpoint *e,
2846                                   struct tevent_context *event_ctx, const struct model_ops *model_ops)
2847 {
2848         NTSTATUS status;
2849
2850         /* Add TCP/IP sockets */
2851         if (lpcfg_interfaces(lp_ctx) && lpcfg_bind_interfaces_only(lp_ctx)) {
2852                 int num_interfaces;
2853                 int i;
2854                 struct interface *ifaces;
2855
2856                 load_interface_list(dce_ctx, lp_ctx, &ifaces);
2857
2858                 num_interfaces = iface_list_count(ifaces);
2859                 for(i = 0; i < num_interfaces; i++) {
2860                         const char *address = iface_list_n_ip(ifaces, i);
2861                         status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx, model_ops, address);
2862                         NT_STATUS_NOT_OK_RETURN(status);
2863                 }
2864         } else {
2865                 char **wcard;
2866                 int i;
2867                 int num_binds = 0;
2868                 wcard = iface_list_wildcard(dce_ctx);
2869                 NT_STATUS_HAVE_NO_MEMORY(wcard);
2870                 for (i=0; wcard[i]; i++) {
2871                         status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx, model_ops, wcard[i]);
2872                         if (NT_STATUS_IS_OK(status)) {
2873                                 num_binds++;
2874                         }
2875                 }
2876                 talloc_free(wcard);
2877                 if (num_binds == 0) {
2878                         return NT_STATUS_INVALID_PARAMETER_MIX;
2879                 }
2880         }
2881
2882         return NT_STATUS_OK;
2883 }
2884
2885 NTSTATUS dcesrv_add_ep(struct dcesrv_context *dce_ctx,
2886                        struct loadparm_context *lp_ctx,
2887                        struct dcesrv_endpoint *e,
2888                        struct tevent_context *event_ctx,
2889                        const struct model_ops *model_ops)
2890 {
2891         enum dcerpc_transport_t transport =
2892                 dcerpc_binding_get_transport(e->ep_description);
2893
2894         switch (transport) {
2895         case NCACN_UNIX_STREAM:
2896                 return dcesrv_add_ep_unix(dce_ctx, lp_ctx, e, event_ctx, model_ops);
2897
2898         case NCALRPC:
2899                 return dcesrv_add_ep_ncalrpc(dce_ctx, lp_ctx, e, event_ctx, model_ops);
2900
2901         case NCACN_IP_TCP:
2902                 return dcesrv_add_ep_tcp(dce_ctx, lp_ctx, e, event_ctx, model_ops);
2903
2904         case NCACN_NP:
2905                 return dcesrv_add_ep_np(dce_ctx, lp_ctx, e, event_ctx, model_ops);
2906
2907         default:
2908                 return NT_STATUS_NOT_SUPPORTED;
2909         }
2910 }
2911
2912
2913 /**
2914  * retrieve credentials from a dce_call
2915  */
2916 _PUBLIC_ struct cli_credentials *dcesrv_call_credentials(struct dcesrv_call_state *dce_call)
2917 {
2918         return dce_call->conn->auth_state.session_info->credentials;
2919 }
2920
2921 /**
2922  * returns true if this is an authenticated call
2923  */
2924 _PUBLIC_ bool dcesrv_call_authenticated(struct dcesrv_call_state *dce_call)
2925 {
2926         enum security_user_level level;
2927         level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
2928         return level >= SECURITY_USER;
2929 }
2930
2931 /**
2932  * retrieve account_name for a dce_call
2933  */
2934 _PUBLIC_ const char *dcesrv_call_account_name(struct dcesrv_call_state *dce_call)
2935 {
2936         return dce_call->context->conn->auth_state.session_info->info->account_name;
2937 }