Copyright (C) Tim Potter 2003
Copyright (C) Andrew Tridgell 2003
+ Copyright (C) Jelmer Vernooij 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
*/
#include "includes.h"
+#include "dlinklist.h"
+#include "librpc/gen_ndr/ndr_epmapper.h"
-/* initialise a dcerpc pipe. This currently assumes a SMB named pipe
- transport */
-struct dcerpc_pipe *dcerpc_pipe_init(struct cli_tree *tree)
+struct dcerpc_interface_list *dcerpc_pipes = NULL;
+
+NTSTATUS librpc_register_interface (const struct dcerpc_interface_table *interface)
+{
+ struct dcerpc_interface_list *l = talloc_p(NULL, struct dcerpc_interface_list);
+
+ if (idl_iface_by_name (interface->name) != NULL) {
+ DEBUG(0, ("Attempt to register interface %s twice\n", interface->name));
+ return NT_STATUS_OBJECT_NAME_COLLISION;
+ }
+ l->table = interface;
+
+ DLIST_ADD(dcerpc_pipes, l);
+
+ return NT_STATUS_OK;
+}
+
+/* initialise a dcerpc pipe. */
+struct dcerpc_pipe *dcerpc_pipe_init(void)
{
struct dcerpc_pipe *p;
- TALLOC_CTX *mem_ctx = talloc_init("dcerpc_tree");
- if (mem_ctx == NULL)
- return NULL;
-
- p = talloc(mem_ctx, sizeof(*p));
+ p = talloc_p(NULL, struct dcerpc_pipe);
if (!p) {
- talloc_destroy(mem_ctx);
return NULL;
}
p->reference_count = 0;
- p->mem_ctx = mem_ctx;
- p->tree = tree;
- p->tree->reference_count++;
p->call_id = 1;
- p->fnum = 0;
+ p->security_state.auth_info = NULL;
+ p->security_state.session_key = dcerpc_generic_session_key;
+ p->security_state.generic_state = NULL;
+ p->binding_string = NULL;
+ p->flags = 0;
+ p->srv_max_xmit_frag = 0;
+ p->srv_max_recv_frag = 0;
+ p->last_fault_code = 0;
+ p->pending = NULL;
return p;
}
+/*
+ choose the next call id to use
+*/
+static uint32_t next_call_id(struct dcerpc_pipe *p)
+{
+ p->call_id++;
+ if (p->call_id == 0) {
+ p->call_id++;
+ }
+ return p->call_id;
+}
+
/* close down a dcerpc over SMB pipe */
void dcerpc_pipe_close(struct dcerpc_pipe *p)
{
if (!p) return;
p->reference_count--;
if (p->reference_count <= 0) {
- cli_tree_close(p->tree);
- talloc_destroy(p->mem_ctx);
+ p->transport.shutdown_pipe(p);
+ talloc_free(p);
}
}
-#define BLOB_CHECK_BOUNDS(blob, offset, len) do { \
- if ((offset) > blob->length || (blob->length - (offset) < (len))) { \
- return NT_STATUS_INVALID_PARAMETER; \
- } \
-} while (0)
+/* we need to be able to get/set the fragment length without doing a full
+ decode */
+void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
+{
+ if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
+ SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
+ } else {
+ RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
+ }
+}
+
+uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
+{
+ if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
+ return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
+ } else {
+ return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
+ }
+}
+
+void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
+{
+ if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
+ SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
+ } else {
+ RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
+ }
+}
-#define DCERPC_ALIGN(offset, n) do { \
- (offset) = ((offset) + ((n)-1)) & ~((n)-1); \
-} while (0)
/*
- pull a wire format uuid into a string. This will consume 16 bytes
+ setup for a ndr pull, also setting up any flags from the binding string
*/
-static char *dcerpc_pull_uuid(char *data, TALLOC_CTX *mem_ctx)
+static struct ndr_pull *ndr_pull_init_flags(struct dcerpc_pipe *p, DATA_BLOB *blob, TALLOC_CTX *mem_ctx)
{
- uint32 time_low;
- uint16 time_mid, time_hi_and_version;
- uint8 clock_seq_hi_and_reserved;
- uint8 clock_seq_low;
- uint8 node[6];
- int i;
+ struct ndr_pull *ndr = ndr_pull_init_blob(blob, mem_ctx);
+
+ if (ndr == NULL) return ndr;
- time_low = IVAL(data, 0);
- time_mid = SVAL(data, 4);
- time_hi_and_version = SVAL(data, 6);
- clock_seq_hi_and_reserved = CVAL(data, 8);
- clock_seq_low = CVAL(data, 9);
- for (i=0;i<6;i++) {
- node[i] = CVAL(data, 10 + i);
+ if (p->flags & DCERPC_DEBUG_PAD_CHECK) {
+ ndr->flags |= LIBNDR_FLAG_PAD_CHECK;
}
- return talloc_asprintf(mem_ctx,
- "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
- time_low, time_mid, time_hi_and_version,
- clock_seq_hi_and_reserved, clock_seq_low,
- node[0], node[1], node[2], node[3], node[4], node[5]);
+ if (p->flags & DCERPC_NDR_REF_ALLOC) {
+ ndr->flags |= LIBNDR_FLAG_REF_ALLOC;
+ }
+
+ return ndr;
}
-/*
- push a uuid_str into wire format. It will consume 16 bytes
+/*
+ parse a data blob into a dcerpc_packet structure. This handles both
+ input and output packets
*/
-static NTSTATUS push_uuid_str(char *data, const char *uuid_str)
+static NTSTATUS dcerpc_pull(struct dcerpc_pipe *p, DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
+ struct dcerpc_packet *pkt)
{
- uint32 time_low;
- uint32 time_mid, time_hi_and_version;
- uint32 clock_seq_hi_and_reserved;
- uint32 clock_seq_low;
- uint32 node[6];
- int i;
+ struct ndr_pull *ndr;
- if (11 != sscanf(uuid_str, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
- &time_low, &time_mid, &time_hi_and_version,
- &clock_seq_hi_and_reserved, &clock_seq_low,
- &node[0], &node[1], &node[2], &node[3], &node[4], &node[5])) {
- return NT_STATUS_INVALID_PARAMETER;
+ ndr = ndr_pull_init_flags(p, blob, mem_ctx);
+ if (!ndr) {
+ return NT_STATUS_NO_MEMORY;
}
- SIVAL(data, 0, time_low);
- SSVAL(data, 4, time_mid);
- SSVAL(data, 6, time_hi_and_version);
- SCVAL(data, 8, clock_seq_hi_and_reserved);
- SCVAL(data, 9, clock_seq_low);
- for (i=0;i<6;i++) {
- SCVAL(data, 10 + i, node[i]);
+ if (! (CVAL(blob->data, DCERPC_DREP_OFFSET) & DCERPC_DREP_LE)) {
+ ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
}
- return NT_STATUS_OK;
+ return ndr_pull_dcerpc_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
}
/*
- pull a dcerpc syntax id from a blob
+ generate a CONNECT level verifier
*/
-static NTSTATUS dcerpc_pull_syntax_id(DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
- uint32 *offset,
- struct dcerpc_syntax_id *syntax)
+static NTSTATUS dcerpc_connect_verifier(TALLOC_CTX *mem_ctx, DATA_BLOB *blob)
{
- syntax->uuid_str = dcerpc_pull_uuid(blob->data + (*offset), mem_ctx);
- if (!syntax->uuid_str) {
+ *blob = data_blob_talloc(mem_ctx, NULL, 16);
+ if (blob->data == NULL) {
return NT_STATUS_NO_MEMORY;
}
- (*offset) += 16;
- syntax->if_version = IVAL(blob->data, *offset);
- (*offset) += 4;
+ SIVAL(blob->data, 0, 1);
+ memset(blob->data+4, 0, 12);
return NT_STATUS_OK;
}
/*
- push a syntax id onto the wire. It will consume 20 bytes
+ generate a CONNECT level verifier
*/
-static NTSTATUS push_syntax_id(char *data, const struct dcerpc_syntax_id *syntax)
+static NTSTATUS dcerpc_check_connect_verifier(DATA_BLOB *blob)
{
- NTSTATUS status;
-
- status = push_uuid_str(data, syntax->uuid_str);
- SIVAL(data, 16, syntax->if_version);
-
- return status;
+ if (blob->length != 16 ||
+ IVAL(blob->data, 0) != 1) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ return NT_STATUS_OK;
}
-/*
- pull an auth verifier from a packet
+/*
+ parse a possibly signed blob into a dcerpc request packet structure
*/
-static NTSTATUS dcerpc_pull_auth_verifier(DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
- uint32 *offset,
- struct dcerpc_hdr *hdr,
- DATA_BLOB *auth)
+static NTSTATUS dcerpc_pull_request_sign(struct dcerpc_pipe *p,
+ DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
+ struct dcerpc_packet *pkt)
{
- if (hdr->auth_length == 0) {
- return NT_STATUS_OK;
+ struct ndr_pull *ndr;
+ NTSTATUS status;
+ struct dcerpc_auth auth;
+ DATA_BLOB auth_blob;
+
+ /* non-signed packets are simpler */
+ if (!p->security_state.auth_info ||
+ !p->security_state.generic_state) {
+ return dcerpc_pull(p, blob, mem_ctx, pkt);
}
- BLOB_CHECK_BOUNDS(blob, *offset, hdr->auth_length);
- *auth = data_blob_talloc(mem_ctx, blob->data + (*offset), hdr->auth_length);
- if (!auth->data) {
+ ndr = ndr_pull_init_flags(p, blob, mem_ctx);
+ if (!ndr) {
return NT_STATUS_NO_MEMORY;
}
- (*offset) += hdr->auth_length;
- return NT_STATUS_OK;
-}
-/*
- parse a struct dcerpc_response
-*/
-static NTSTATUS dcerpc_pull_response(DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
- uint32 *offset,
- struct dcerpc_hdr *hdr,
- struct dcerpc_response *pkt)
-{
- uint32 stub_len;
-
- BLOB_CHECK_BOUNDS(blob, *offset, 8);
+ if (! (CVAL(blob->data, DCERPC_DREP_OFFSET) & DCERPC_DREP_LE)) {
+ ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
+ }
- pkt->alloc_hint = IVAL(blob->data, (*offset) + 0);
- pkt->context_id = SVAL(blob->data, (*offset) + 4);
- pkt->cancel_count = CVAL(blob->data, (*offset) + 6);
+ /* pull the basic packet */
+ status = ndr_pull_dcerpc_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- (*offset) += 8;
+ if (pkt->ptype != DCERPC_PKT_RESPONSE) {
+ return status;
+ }
- stub_len = blob->length - ((*offset) + hdr->auth_length);
- BLOB_CHECK_BOUNDS(blob, *offset, stub_len);
- pkt->stub_data = data_blob_talloc(mem_ctx, blob->data + (*offset), stub_len);
- if (stub_len != 0 && !pkt->stub_data.data) {
- return NT_STATUS_NO_MEMORY;
+ if (pkt->auth_length == 0 &&
+ p->security_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
+ return NT_STATUS_OK;
}
- (*offset) += stub_len;
- return dcerpc_pull_auth_verifier(blob, mem_ctx, offset, hdr, &pkt->auth_verifier);
-}
+ auth_blob.length = 8 + pkt->auth_length;
+ /* check for a valid length */
+ if (pkt->u.response.stub_and_verifier.length < auth_blob.length) {
+ return NT_STATUS_INFO_LENGTH_MISMATCH;
+ }
-/*
- parse a struct bind_ack
-*/
-static NTSTATUS dcerpc_pull_bind_ack(DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
- uint32 *offset,
- struct dcerpc_hdr *hdr,
- struct dcerpc_bind_ack *pkt)
-{
- uint16 len;
- int i;
-
- BLOB_CHECK_BOUNDS(blob, *offset, 10);
- pkt->max_xmit_frag = SVAL(blob->data, (*offset) + 0);
- pkt->max_recv_frag = SVAL(blob->data, (*offset) + 2);
- pkt->assoc_group_id = IVAL(blob->data, (*offset) + 4);
- len = SVAL(blob->data, (*offset) + 8);
- (*offset) += 10;
-
- if (len) {
- BLOB_CHECK_BOUNDS(blob, *offset, len);
- pkt->secondary_address = talloc_strndup(mem_ctx, blob->data + (*offset), len);
- if (!pkt->secondary_address) {
- return NT_STATUS_NO_MEMORY;
- }
- (*offset) += len;
+ auth_blob.data =
+ pkt->u.response.stub_and_verifier.data +
+ pkt->u.response.stub_and_verifier.length - auth_blob.length;
+ pkt->u.response.stub_and_verifier.length -= auth_blob.length;
+
+ /* pull the auth structure */
+ ndr = ndr_pull_init_flags(p, &auth_blob, mem_ctx);
+ if (!ndr) {
+ return NT_STATUS_NO_MEMORY;
}
- DCERPC_ALIGN(*offset, 4);
- BLOB_CHECK_BOUNDS(blob, *offset, 4);
- pkt->num_results = CVAL(blob->data, *offset);
- (*offset) += 4;
+ if (! (CVAL(blob->data, DCERPC_DREP_OFFSET) & DCERPC_DREP_LE)) {
+ ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
+ }
- if (pkt->num_results > 0) {
- pkt->ctx_list = talloc(mem_ctx, sizeof(pkt->ctx_list[0]) * pkt->num_results);
- if (!pkt->ctx_list) {
- return NT_STATUS_NO_MEMORY;
- }
+ status = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
+
+
+ /* check signature or unseal the packet */
+ switch (p->security_state.auth_info->auth_level) {
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ status = gensec_unseal_packet(p->security_state.generic_state,
+ mem_ctx,
+ blob->data + DCERPC_REQUEST_LENGTH,
+ pkt->u.response.stub_and_verifier.length,
+ blob->data,
+ blob->length - auth.credentials.length,
+ &auth.credentials);
+ memcpy(pkt->u.response.stub_and_verifier.data,
+ blob->data + DCERPC_REQUEST_LENGTH,
+ pkt->u.response.stub_and_verifier.length);
+ break;
+
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ status = gensec_check_packet(p->security_state.generic_state,
+ mem_ctx,
+ pkt->u.response.stub_and_verifier.data,
+ pkt->u.response.stub_and_verifier.length,
+ blob->data,
+ blob->length - auth.credentials.length,
+ &auth.credentials);
+ break;
- for (i=0;i<pkt->num_results;i++) {
- NTSTATUS status;
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ status = dcerpc_check_connect_verifier(&auth.credentials);
+ break;
- BLOB_CHECK_BOUNDS(blob, *offset, 24);
- pkt->ctx_list[i].result = IVAL(blob->data, *offset);
- (*offset) += 4;
- status = dcerpc_pull_syntax_id(blob, mem_ctx, offset, &pkt->ctx_list[i].syntax);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ case DCERPC_AUTH_LEVEL_NONE:
+ break;
+
+ default:
+ status = NT_STATUS_INVALID_LEVEL;
+ break;
}
+
+ /* remove the indicated amount of paddiing */
+ if (pkt->u.response.stub_and_verifier.length < auth.auth_pad_length) {
+ return NT_STATUS_INFO_LENGTH_MISMATCH;
+ }
+ pkt->u.response.stub_and_verifier.length -= auth.auth_pad_length;
- return dcerpc_pull_auth_verifier(blob, mem_ctx, offset, hdr, &pkt->auth_verifier);
+ return status;
}
/*
- parse a dcerpc header
+ push a dcerpc request packet into a blob, possibly signing it.
*/
-static NTSTATUS dcerpc_pull_hdr(DATA_BLOB *blob, uint32 *offset, struct dcerpc_hdr *hdr)
+static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p,
+ DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
+ struct dcerpc_packet *pkt)
{
- BLOB_CHECK_BOUNDS(blob, *offset, 16);
-
- hdr->rpc_vers = CVAL(blob->data, (*offset) + 0);
- hdr->rpc_vers_minor = CVAL(blob->data, (*offset) + 1);
- hdr->ptype = CVAL(blob->data, (*offset) + 2);
- hdr->pfc_flags = CVAL(blob->data, (*offset) + 3);
- memcpy(hdr->drep, blob->data + (*offset) + 4, 4);
- hdr->frag_length = SVAL(blob->data, (*offset) + 8);
- hdr->auth_length = SVAL(blob->data, (*offset) + 10);
- hdr->call_id = IVAL(blob->data, (*offset) + 12);
+ NTSTATUS status;
+ struct ndr_push *ndr;
+ DATA_BLOB creds2;
- (*offset) += 16;
+ /* non-signed packets are simpler */
+ if (!p->security_state.auth_info ||
+ !p->security_state.generic_state) {
+ return dcerpc_push_auth(blob, mem_ctx, pkt, p->security_state.auth_info);
+ }
- return NT_STATUS_OK;
-}
+ ndr = ndr_push_init_ctx(mem_ctx);
+ if (!ndr) {
+ return NT_STATUS_NO_MEMORY;
+ }
-/*
- parse a dcerpc header. It consumes 16 bytes
-*/
-static void dcerpc_push_hdr(char *data, struct dcerpc_hdr *hdr)
-{
- SCVAL(data, 0, hdr->rpc_vers);
- SCVAL(data, 1, hdr->rpc_vers_minor);
- SCVAL(data, 2, hdr->ptype);
- SCVAL(data, 3, hdr->pfc_flags);
- memcpy(data + 4, hdr->drep, 4);
- SSVAL(data, 8, hdr->frag_length);
- SSVAL(data, 12, hdr->call_id);
-}
+ if (p->flags & DCERPC_PUSH_BIGENDIAN) {
+ ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
+ }
+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_ORPC) {
+ ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
+ }
+ status = ndr_push_dcerpc_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
-/*
- parse a data blob into a dcerpc_packet structure. This handles both
- input and output packets
-*/
-NTSTATUS dcerpc_pull(DATA_BLOB *blob, TALLOC_CTX *mem_ctx, struct dcerpc_packet *pkt)
-{
- NTSTATUS status;
- uint32 offset = 0;
+ /* pad to 16 byte multiple in the payload portion of the
+ packet. This matches what w2k3 does */
+ p->security_state.auth_info->auth_pad_length =
+ (16 - (pkt->u.request.stub_and_verifier.length & 15)) & 15;
+ ndr_push_zero(ndr, p->security_state.auth_info->auth_pad_length);
+
+ /* sign or seal the packet */
+ switch (p->security_state.auth_info->auth_level) {
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ p->security_state.auth_info->credentials
+ = data_blob_talloc(mem_ctx, NULL, gensec_sig_size(p->security_state.generic_state));
+ data_blob_clear(&p->security_state.auth_info->credentials);
+ break;
+
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ status = dcerpc_connect_verifier(mem_ctx, &p->security_state.auth_info->credentials);
+ break;
+
+ case DCERPC_AUTH_LEVEL_NONE:
+ p->security_state.auth_info->credentials = data_blob(NULL, 0);
+ break;
+
+ default:
+ status = NT_STATUS_INVALID_LEVEL;
+ break;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- status = dcerpc_pull_hdr(blob, &offset, &pkt->hdr);
+ /* add the auth verifier */
+ status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, p->security_state.auth_info);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- switch (pkt->hdr.ptype) {
- case DCERPC_PKT_BIND_ACK:
- status = dcerpc_pull_bind_ack(blob, mem_ctx, &offset, &pkt->hdr, &pkt->out.bind_ack);
+ /* extract the whole packet as a blob */
+ *blob = ndr_push_blob(ndr);
+
+ /* fill in the fragment length and auth_length, we can't fill
+ in these earlier as we don't know the signature length (it
+ could be variable length) */
+ dcerpc_set_frag_length(blob, blob->length);
+ dcerpc_set_auth_length(blob, p->security_state.auth_info->credentials.length);
+
+ /* sign or seal the packet */
+ switch (p->security_state.auth_info->auth_level) {
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ status = gensec_seal_packet(p->security_state.generic_state,
+ mem_ctx,
+ blob->data + DCERPC_REQUEST_LENGTH,
+ pkt->u.request.stub_and_verifier.length+p->security_state.auth_info->auth_pad_length,
+ blob->data,
+ blob->length -
+ p->security_state.auth_info->credentials.length,
+ &creds2);
if (!NT_STATUS_IS_OK(status)) {
return status;
- }
+ }
+ memcpy(blob->data + blob->length - creds2.length, creds2.data, creds2.length);
break;
- case DCERPC_PKT_RESPONSE:
- status = dcerpc_pull_response(blob, mem_ctx, &offset, &pkt->hdr, &pkt->out.response);
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ status = gensec_sign_packet(p->security_state.generic_state,
+ mem_ctx,
+ blob->data + DCERPC_REQUEST_LENGTH,
+ pkt->u.request.stub_and_verifier.length+p->security_state.auth_info->auth_pad_length,
+ blob->data,
+ blob->length -
+ p->security_state.auth_info->credentials.length,
+ &creds2);
if (!NT_STATUS_IS_OK(status)) {
return status;
- }
+ }
+ memcpy(blob->data + blob->length - creds2.length, creds2.data, creds2.length);
+ break;
+
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ break;
+
+ case DCERPC_AUTH_LEVEL_NONE:
+ p->security_state.auth_info->credentials = data_blob(NULL, 0);
break;
default:
- return NT_STATUS_NET_WRITE_FAULT;
+ status = NT_STATUS_INVALID_LEVEL;
+ break;
}
- return status;
+ data_blob_free(&p->security_state.auth_info->credentials);
+
+ return NT_STATUS_OK;
}
/*
- push a dcerpc_bind into a blob
+ fill in the fixed values in a dcerpc header
*/
-static NTSTATUS dcerpc_push_bind(DATA_BLOB *blob, uint32 *offset,
- struct dcerpc_hdr *hdr,
- struct dcerpc_bind *pkt)
+static void init_dcerpc_hdr(struct dcerpc_pipe *p, struct dcerpc_packet *pkt)
{
- int i, j;
-
- SSVAL(blob->data, (*offset) + 0, pkt->max_xmit_frag);
- SSVAL(blob->data, (*offset) + 2, pkt->max_recv_frag);
- SIVAL(blob->data, (*offset) + 4, pkt->assoc_group_id);
- SCVAL(blob->data, (*offset) + 8, pkt->num_contexts);
- (*offset) += 12;
-
- for (i=0;i<pkt->num_contexts;i++) {
- NTSTATUS status;
-
- SSVAL(blob->data, (*offset) + 0, pkt->ctx_list[i].context_id);
- SCVAL(blob->data, (*offset) + 2, pkt->ctx_list[i].num_transfer_syntaxes);
- status = push_syntax_id(blob->data + (*offset) + 4, &pkt->ctx_list[i].abstract_syntax);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- (*offset) += 24;
- for (j=0;j<pkt->ctx_list[i].num_transfer_syntaxes;j++) {
- status = push_syntax_id(blob->data + (*offset),
- &pkt->ctx_list[i].transfer_syntaxes[j]);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- (*offset) += 20;
- }
+ pkt->rpc_vers = 5;
+ pkt->rpc_vers_minor = 0;
+ if (p->flags & DCERPC_PUSH_BIGENDIAN) {
+ pkt->drep[0] = 0;
+ } else {
+ pkt->drep[0] = DCERPC_DREP_LE;
}
-
- return NT_STATUS_OK;
+ pkt->drep[1] = 0;
+ pkt->drep[2] = 0;
+ pkt->drep[3] = 0;
}
-/*
- push a dcerpc_request into a blob
+/*
+ hold the state of pending full requests
*/
-static NTSTATUS dcerpc_push_request(DATA_BLOB *blob, uint32 *offset,
- struct dcerpc_hdr *hdr,
- struct dcerpc_request *pkt)
-{
- SIVAL(blob->data, (*offset) + 0, pkt->alloc_hint);
- SSVAL(blob->data, (*offset) + 4, pkt->context_id);
- SSVAL(blob->data, (*offset) + 6, pkt->opnum);
-
- (*offset) += 8;
-
- memcpy(blob->data + (*offset), pkt->stub_data.data, pkt->stub_data.length);
- (*offset) += pkt->stub_data.length;
+struct full_request_state {
+ DATA_BLOB *reply_blob;
+ NTSTATUS status;
+};
- memcpy(blob->data + (*offset), pkt->auth_verifier.data, pkt->auth_verifier.length);
- (*offset) += pkt->auth_verifier.length;
+/*
+ receive a reply to a full request
+ */
+static void full_request_recv(struct dcerpc_pipe *p, DATA_BLOB *blob,
+ NTSTATUS status)
+{
+ struct full_request_state *state = p->full_request_private;
- return NT_STATUS_OK;
+ if (!NT_STATUS_IS_OK(status)) {
+ state->status = status;
+ return;
+ }
+ state->reply_blob[0] = data_blob_talloc(state, blob->data, blob->length);
+ state->reply_blob = NULL;
}
-
/*
- work out the wire size of a dcerpc packet
+ perform a single pdu synchronous request - used for the bind code
+ this cannot be mixed with normal async requests
*/
-static uint32 dcerpc_wire_size(struct dcerpc_packet *pkt)
+static NTSTATUS full_request(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *request_blob,
+ DATA_BLOB *reply_blob)
{
- int i;
- uint32 size = 0;
+ struct full_request_state *state = talloc_p(mem_ctx, struct full_request_state);
+ NTSTATUS status;
- size += 16; /* header */
+ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
- switch (pkt->hdr.ptype) {
- case DCERPC_PKT_REQUEST:
- size += 8;
- size += pkt->in.request.stub_data.length;
- size += pkt->in.request.auth_verifier.length;
- break;
+ state->reply_blob = reply_blob;
+ state->status = NT_STATUS_OK;
- case DCERPC_PKT_RESPONSE:
- size += 8;
- size += pkt->out.response.stub_data.length;
- size += pkt->hdr.auth_length;
- break;
+ p->transport.recv_data = full_request_recv;
+ p->full_request_private = state;
- case DCERPC_PKT_BIND:
- size += 12;
- for (i=0;i<pkt->in.bind.num_contexts;i++) {
- size += 24;
- size += pkt->in.bind.ctx_list[i].num_transfer_syntaxes * 20;
- }
- size += pkt->hdr.auth_length;
- break;
+ status = p->transport.send_request(p, request_blob, True);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- case DCERPC_PKT_BIND_ACK:
- size += 10;
- if (pkt->out.bind_ack.secondary_address) {
- size += strlen(pkt->out.bind_ack.secondary_address) + 1;
+ while (NT_STATUS_IS_OK(state->status) && state->reply_blob) {
+ struct event_context *ctx = p->transport.event_context(p);
+ if (event_loop_once(ctx) != 0) {
+ return NT_STATUS_CONNECTION_DISCONNECTED;
}
- size += 4;
- size += pkt->out.bind_ack.num_results * 24;
- size += pkt->hdr.auth_length;
- break;
}
- return size;
+ return state->status;
}
+
/*
- push a dcerpc_packet into a blob. This handles both input and
- output packets
+ perform a bind using the given syntax
+
+ the auth_info structure is updated with the reply authentication info
+ on success
*/
-NTSTATUS dcerpc_push(DATA_BLOB *blob, TALLOC_CTX *mem_ctx, struct dcerpc_packet *pkt)
+NTSTATUS dcerpc_bind(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx,
+ const struct dcerpc_syntax_id *syntax,
+ const struct dcerpc_syntax_id *transfer_syntax)
{
- uint32 offset = 0;
- uint32 wire_size;
+ struct dcerpc_packet pkt;
NTSTATUS status;
+ DATA_BLOB blob;
- /* work out how big the packet will be on the wire */
- wire_size = dcerpc_wire_size(pkt);
+ p->syntax = *syntax;
+ p->transfer_syntax = *transfer_syntax;
- (*blob) = data_blob_talloc(mem_ctx, NULL, wire_size);
- if (!blob->data) {
- return NT_STATUS_NO_MEMORY;
- }
+ init_dcerpc_hdr(p, &pkt);
- pkt->hdr.frag_length = wire_size;
+ pkt.ptype = DCERPC_PKT_BIND;
+ pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
+ pkt.call_id = p->call_id;
+ pkt.auth_length = 0;
- dcerpc_push_hdr(blob->data + offset, &pkt->hdr);
- offset += 16;
+ pkt.u.bind.max_xmit_frag = 5840;
+ pkt.u.bind.max_recv_frag = 5840;
+ pkt.u.bind.assoc_group_id = 0;
+ pkt.u.bind.num_contexts = 1;
+ pkt.u.bind.ctx_list = talloc_p(mem_ctx, struct dcerpc_ctx_list);
+ if (!pkt.u.bind.ctx_list) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ pkt.u.bind.ctx_list[0].context_id = 0;
+ pkt.u.bind.ctx_list[0].num_transfer_syntaxes = 1;
+ pkt.u.bind.ctx_list[0].abstract_syntax = p->syntax;
+ pkt.u.bind.ctx_list[0].transfer_syntaxes = &p->transfer_syntax;
+ pkt.u.bind.auth_info = data_blob(NULL, 0);
+
+ /* construct the NDR form of the packet */
+ status = dcerpc_push_auth(&blob, mem_ctx, &pkt, p->security_state.auth_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- switch (pkt->hdr.ptype) {
- case DCERPC_PKT_BIND:
- status = dcerpc_push_bind(blob, &offset, &pkt->hdr, &pkt->in.bind);
- break;
+ /* send it on its way */
+ status = full_request(p, mem_ctx, &blob, &blob);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- case DCERPC_PKT_REQUEST:
- status = dcerpc_push_request(blob, &offset, &pkt->hdr, &pkt->in.request);
- break;
-
- default:
- status = NT_STATUS_NET_WRITE_FAULT;
+ /* unmarshall the NDR */
+ status = dcerpc_pull(p, &blob, mem_ctx, &pkt);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- return status;
-}
+ if (pkt.ptype == DCERPC_PKT_BIND_NAK) {
+ DEBUG(2,("dcerpc: bind_nak reason %d\n", pkt.u.bind_nak.reject_reason));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ if ((pkt.ptype != DCERPC_PKT_BIND_ACK) ||
+ pkt.u.bind_ack.num_results == 0 ||
+ pkt.u.bind_ack.ctx_list[0].result != 0) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ if (pkt.ptype == DCERPC_PKT_BIND_ACK) {
+ p->srv_max_xmit_frag = pkt.u.bind_ack.max_xmit_frag;
+ p->srv_max_recv_frag = pkt.u.bind_ack.max_recv_frag;
+ }
+ /* the bind_ack might contain a reply set of credentials */
+ if (p->security_state.auth_info && pkt.u.bind_ack.auth_info.length) {
+ status = ndr_pull_struct_blob(&pkt.u.bind_ack.auth_info,
+ mem_ctx,
+ p->security_state.auth_info,
+ (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
+ }
-/*
- fill in the fixed values in a dcerpc header
-*/
-static void init_dcerpc_hdr(struct dcerpc_hdr *hdr)
-{
- hdr->rpc_vers = 5;
- hdr->rpc_vers_minor = 0;
- hdr->drep[0] = 0x10; /* Little endian */
- hdr->drep[1] = 0;
- hdr->drep[2] = 0;
- hdr->drep[3] = 0;
+ return status;
}
-
/*
- perform a bind using the given syntax
+ perform a alter context using the given syntax
+
+ the auth_info structure is updated with the reply authentication info
+ on success
*/
-NTSTATUS dcerpc_bind(struct dcerpc_pipe *p,
- const struct dcerpc_syntax_id *syntax,
- const struct dcerpc_syntax_id *transfer_syntax)
+NTSTATUS dcerpc_alter(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx)
{
- TALLOC_CTX *mem_ctx;
- struct dcerpc_packet pkt;
+ struct dcerpc_packet pkt;
NTSTATUS status;
DATA_BLOB blob;
- DATA_BLOB blob_out;
- mem_ctx = talloc_init("dcerpc_bind");
- if (!mem_ctx) {
- return NT_STATUS_NO_MEMORY;
- }
-
- init_dcerpc_hdr(&pkt.hdr);
+ init_dcerpc_hdr(p, &pkt);
- pkt.hdr.ptype = DCERPC_PKT_BIND;
- pkt.hdr.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
- pkt.hdr.call_id = p->call_id++;
- pkt.hdr.auth_length = 0;
+ pkt.ptype = DCERPC_PKT_ALTER;
+ pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
+ pkt.call_id = p->call_id;
+ pkt.auth_length = 0;
- pkt.in.bind.max_xmit_frag = 0x2000;
- pkt.in.bind.max_recv_frag = 0x2000;
- pkt.in.bind.assoc_group_id = 0;
- pkt.in.bind.num_contexts = 1;
- pkt.in.bind.ctx_list = talloc(mem_ctx, sizeof(pkt.in.bind.ctx_list[0]));
- if (!pkt.in.bind.ctx_list) {
- talloc_destroy(mem_ctx);
+ pkt.u.alter.max_xmit_frag = 0x2000;
+ pkt.u.alter.max_recv_frag = 0x2000;
+ pkt.u.alter.assoc_group_id = 0;
+ pkt.u.alter.num_contexts = 1;
+ pkt.u.alter.ctx_list = talloc_p(mem_ctx, struct dcerpc_ctx_list);
+ if (!pkt.u.alter.ctx_list) {
return NT_STATUS_NO_MEMORY;
}
- pkt.in.bind.ctx_list[0].context_id = 0;
- pkt.in.bind.ctx_list[0].num_transfer_syntaxes = 1;
- pkt.in.bind.ctx_list[0].abstract_syntax = *syntax;
- pkt.in.bind.ctx_list[0].transfer_syntaxes = transfer_syntax;
-
- pkt.in.bind.auth_verifier = data_blob(NULL, 0);
-
- status = dcerpc_push(&blob, mem_ctx, &pkt);
+ pkt.u.alter.ctx_list[0].context_id = 0;
+ pkt.u.alter.ctx_list[0].num_transfer_syntaxes = 1;
+ pkt.u.alter.ctx_list[0].abstract_syntax = p->syntax;
+ pkt.u.alter.ctx_list[0].transfer_syntaxes = &p->transfer_syntax;
+ pkt.u.alter.auth_info = data_blob(NULL, 0);
+
+ /* construct the NDR form of the packet */
+ status = dcerpc_push_auth(&blob, mem_ctx, &pkt, p->security_state.auth_info);
if (!NT_STATUS_IS_OK(status)) {
- talloc_destroy(mem_ctx);
return status;
}
- status = dcerpc_raw_packet(p, mem_ctx, &blob, &blob_out);
+ /* send it on its way */
+ status = full_request(p, mem_ctx, &blob, &blob);
if (!NT_STATUS_IS_OK(status)) {
- talloc_destroy(mem_ctx);
return status;
}
- status = dcerpc_pull(&blob_out, mem_ctx, &pkt);
+ /* unmarshall the NDR */
+ status = dcerpc_pull(p, &blob, mem_ctx, &pkt);
if (!NT_STATUS_IS_OK(status)) {
- talloc_destroy(mem_ctx);
return status;
}
- if (pkt.hdr.ptype != DCERPC_PKT_BIND_ACK ||
- pkt.out.bind_ack.num_results == 0 ||
- pkt.out.bind_ack.ctx_list[0].result != 0) {
+ if ((pkt.ptype != DCERPC_PKT_ALTER_ACK) ||
+ pkt.u.alter_ack.num_results == 0 ||
+ pkt.u.alter_ack.ctx_list[0].result != 0) {
status = NT_STATUS_UNSUCCESSFUL;
}
- p->srv_max_xmit_frag = pkt.out.bind_ack.max_xmit_frag;
- p->srv_max_recv_frag = pkt.out.bind_ack.max_recv_frag;
+ /* the bind_ack might contain a reply set of credentials */
+ if (p->security_state.auth_info && pkt.u.alter_ack.auth_info.length) {
+ status = ndr_pull_struct_blob(&pkt.u.alter_ack.auth_info,
+ mem_ctx,
+ p->security_state.auth_info,
+ (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
+ }
+
+ return status;
+}
+
+/*
+ perform a continued bind (and auth3)
+*/
+NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx)
+{
+ struct dcerpc_packet pkt;
+ NTSTATUS status;
+ DATA_BLOB blob;
+
+ init_dcerpc_hdr(p, &pkt);
+
+ pkt.ptype = DCERPC_PKT_AUTH3;
+ pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
+ pkt.call_id = next_call_id(p);
+ pkt.auth_length = 0;
+ pkt.u.auth3._pad = 0;
+ pkt.u.auth3.auth_info = data_blob(NULL, 0);
+
+ /* construct the NDR form of the packet */
+ status = dcerpc_push_auth(&blob, mem_ctx, &pkt, p->security_state.auth_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- talloc_destroy(mem_ctx);
+ /* send it on its way */
+ status = p->transport.send_request(p, &blob, False);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
return status;
}
-/* Perform a bind using the given UUID and version */
+
+/* perform a dcerpc bind, using the uuid as the key */
NTSTATUS dcerpc_bind_byuuid(struct dcerpc_pipe *p,
- const char *uuid, unsigned version)
+ TALLOC_CTX *mem_ctx,
+ const char *uuid, uint_t version)
{
struct dcerpc_syntax_id syntax;
struct dcerpc_syntax_id transfer_syntax;
+ NTSTATUS status;
- syntax.uuid_str = uuid;
+ status = GUID_from_string(uuid, &syntax.uuid);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2,("Invalid uuid string in dcerpc_bind_byuuid\n"));
+ return status;
+ }
syntax.if_version = version;
- transfer_syntax.uuid_str = "8a885d04-1ceb-11c9-9fe8-08002b104860";
- transfer_syntax.if_version = 2;
+ status = GUID_from_string(NDR_GUID, &transfer_syntax.uuid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ transfer_syntax.if_version = NDR_GUID_VERSION;
- return dcerpc_bind(p, &syntax, &transfer_syntax);
+ return dcerpc_bind(p, mem_ctx, &syntax, &transfer_syntax);
}
/*
- perform a full request/response pair on a dcerpc pipe
+ process a fragment received from the transport layer during a
+ request
*/
-NTSTATUS dcerpc_request(struct dcerpc_pipe *p,
- uint16 opnum,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *stub_data_in,
- DATA_BLOB *stub_data_out)
+static void dcerpc_request_recv_data(struct dcerpc_pipe *p,
+ DATA_BLOB *data,
+ NTSTATUS status)
{
+ struct dcerpc_packet pkt;
+ struct rpc_request *req;
+ uint_t length;
+ if (!NT_STATUS_IS_OK(status)) {
+ /* all pending requests get the error */
+ while (p->pending) {
+ req = p->pending;
+ req->state = RPC_REQUEST_DONE;
+ req->status = status;
+ DLIST_REMOVE(p->pending, req);
+ if (req->async.callback) {
+ req->async.callback(req);
+ }
+ }
+ return;
+ }
+
+ pkt.call_id = 0;
+
+ status = dcerpc_pull_request_sign(p, data, (TALLOC_CTX *)data->data, &pkt);
+
+ /* find the matching request. Notice we match before we check
+ the status. this is ok as a pending call_id can never be
+ zero */
+ for (req=p->pending;req;req=req->next) {
+ if (pkt.call_id == req->call_id) break;
+ }
+
+ if (req == NULL) {
+ DEBUG(2,("dcerpc_request: unmatched call_id %u in response packet\n", pkt.call_id));
+ return;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ req->status = status;
+ req->state = RPC_REQUEST_DONE;
+ DLIST_REMOVE(p->pending, req);
+ if (req->async.callback) {
+ req->async.callback(req);
+ }
+ return;
+ }
+
+ if (pkt.ptype == DCERPC_PKT_FAULT) {
+ DEBUG(5,("rpc fault: %s\n", dcerpc_errstr(p, pkt.u.fault.status)));
+ req->fault_code = pkt.u.fault.status;
+ req->status = NT_STATUS_NET_WRITE_FAULT;
+ req->state = RPC_REQUEST_DONE;
+ DLIST_REMOVE(p->pending, req);
+ if (req->async.callback) {
+ req->async.callback(req);
+ }
+ return;
+ }
+
+ if (pkt.ptype != DCERPC_PKT_RESPONSE) {
+ DEBUG(2,("Unexpected packet type %d in dcerpc response\n",
+ (int)pkt.ptype));
+ req->fault_code = DCERPC_FAULT_OTHER;
+ req->status = NT_STATUS_NET_WRITE_FAULT;
+ req->state = RPC_REQUEST_DONE;
+ DLIST_REMOVE(p->pending, req);
+ if (req->async.callback) {
+ req->async.callback(req);
+ }
+ return;
+ }
+
+ length = pkt.u.response.stub_and_verifier.length;
+
+ if (length > 0) {
+ req->payload.data = talloc_realloc(req,
+ req->payload.data,
+ req->payload.length + length);
+ if (!req->payload.data) {
+ req->status = NT_STATUS_NO_MEMORY;
+ req->state = RPC_REQUEST_DONE;
+ DLIST_REMOVE(p->pending, req);
+ if (req->async.callback) {
+ req->async.callback(req);
+ }
+ return;
+ }
+ memcpy(req->payload.data+req->payload.length,
+ pkt.u.response.stub_and_verifier.data, length);
+ req->payload.length += length;
+ }
+
+ if (!(pkt.pfc_flags & DCERPC_PFC_FLAG_LAST)) {
+ p->transport.send_read(p);
+ return;
+ }
+
+ /* we've got the full payload */
+ req->state = RPC_REQUEST_DONE;
+ DLIST_REMOVE(p->pending, req);
+
+ if (!(pkt.drep[0] & DCERPC_DREP_LE)) {
+ req->flags |= DCERPC_PULL_BIGENDIAN;
+ } else {
+ req->flags &= ~DCERPC_PULL_BIGENDIAN;
+ }
+
+ if (req->async.callback) {
+ req->async.callback(req);
+ }
+}
+
+
+/*
+ make sure requests are cleaned up
+ */
+static int dcerpc_req_destructor(void *ptr)
+{
+ struct rpc_request *req = ptr;
+ DLIST_REMOVE(req->p->pending, req);
+ return 0;
+}
+
+/*
+ perform the send size of a async dcerpc request
+*/
+struct rpc_request *dcerpc_request_send(struct dcerpc_pipe *p,
+ const struct GUID *object,
+ uint16_t opnum,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *stub_data)
+{
+ struct rpc_request *req;
struct dcerpc_packet pkt;
- NTSTATUS status;
- DATA_BLOB blob_in, blob_out, payload;
- uint32 remaining, chunk_size;
+ DATA_BLOB blob;
+ uint32_t remaining, chunk_size;
+ BOOL first_packet = True;
+
+ p->transport.recv_data = dcerpc_request_recv_data;
+
+ req = talloc_p(mem_ctx, struct rpc_request);
+ if (req == NULL) {
+ return NULL;
+ }
- init_dcerpc_hdr(&pkt.hdr);
+ req->p = p;
+ req->call_id = next_call_id(p);
+ req->status = NT_STATUS_OK;
+ req->state = RPC_REQUEST_PENDING;
+ req->payload = data_blob(NULL, 0);
+ req->flags = 0;
+ req->fault_code = 0;
+ req->async.callback = NULL;
- remaining = stub_data_in->length;
+ init_dcerpc_hdr(p, &pkt);
+
+ remaining = stub_data->length;
/* we can write a full max_recv_frag size, minus the dcerpc
request header size */
- chunk_size = p->srv_max_recv_frag - 24;
-
- pkt.hdr.ptype = DCERPC_PKT_REQUEST;
- pkt.hdr.call_id = p->call_id++;
- pkt.hdr.auth_length = 0;
- pkt.in.request.alloc_hint = remaining;
- pkt.in.request.context_id = 0;
- pkt.in.request.opnum = opnum;
- pkt.in.request.auth_verifier = data_blob(NULL, 0);
-
- /* we send a series of pdus without waiting for a reply until
- the last pdu */
- while (remaining > chunk_size) {
- if (remaining == stub_data_in->length) {
- pkt.hdr.pfc_flags = DCERPC_PFC_FLAG_FIRST;
- } else {
- pkt.hdr.pfc_flags = 0;
+ chunk_size = p->srv_max_recv_frag - (DCERPC_MAX_SIGN_SIZE+DCERPC_REQUEST_LENGTH);
+
+ pkt.ptype = DCERPC_PKT_REQUEST;
+ pkt.call_id = req->call_id;
+ pkt.auth_length = 0;
+ pkt.pfc_flags = 0;
+ pkt.u.request.alloc_hint = remaining;
+ pkt.u.request.context_id = 0;
+ pkt.u.request.opnum = opnum;
+
+ if (object) {
+ pkt.u.request.object.object = *object;
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_ORPC;
+ chunk_size -= ndr_size_GUID(0,object,0);
+ }
+
+ DLIST_ADD(p->pending, req);
+
+ /* we send a series of pdus without waiting for a reply */
+ while (remaining > 0 || first_packet) {
+ uint32_t chunk = MIN(chunk_size, remaining);
+ BOOL last_frag = False;
+
+ first_packet = False;
+ pkt.pfc_flags &= ~(DCERPC_PFC_FLAG_FIRST |DCERPC_PFC_FLAG_LAST);
+
+ if (remaining == stub_data->length) {
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_FIRST;
+ }
+ if (chunk == remaining) {
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_LAST;
+ last_frag = True;
}
- pkt.in.request.stub_data.data = stub_data_in->data +
- (stub_data_in->length - remaining);
- pkt.in.request.stub_data.length = chunk_size;
+ pkt.u.request.stub_and_verifier.data = stub_data->data +
+ (stub_data->length - remaining);
+ pkt.u.request.stub_and_verifier.length = chunk;
- status = dcerpc_push(&blob_in, mem_ctx, &pkt);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ req->status = dcerpc_push_request_sign(p, &blob, mem_ctx, &pkt);
+ if (!NT_STATUS_IS_OK(req->status)) {
+ req->state = RPC_REQUEST_DONE;
+ DLIST_REMOVE(p->pending, req);
+ return req;
}
- status = dcerpc_raw_packet_initial(p, mem_ctx, &blob_in);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ req->status = p->transport.send_request(p, &blob, last_frag);
+ if (!NT_STATUS_IS_OK(req->status)) {
+ req->state = RPC_REQUEST_DONE;
+ DLIST_REMOVE(p->pending, req);
+ return req;
}
- remaining -= chunk_size;
+ remaining -= chunk;
}
- /* now we send a pdu with LAST_FRAG sent and get the first
- part of the reply */
- if (remaining == stub_data_in->length) {
- pkt.hdr.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
- } else {
- pkt.hdr.pfc_flags = DCERPC_PFC_FLAG_LAST;
+ talloc_set_destructor(req, dcerpc_req_destructor);
+
+ return req;
+}
+
+/*
+ return the event context for a dcerpc pipe
+ used by callers who wish to operate asynchronously
+*/
+struct event_context *dcerpc_event_context(struct dcerpc_pipe *p)
+{
+ return p->transport.event_context(p);
+}
+
+
+
+/*
+ perform the receive side of a async dcerpc request
+*/
+NTSTATUS dcerpc_request_recv(struct rpc_request *req,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *stub_data)
+{
+ NTSTATUS status;
+
+ while (req->state == RPC_REQUEST_PENDING) {
+ struct event_context *ctx = dcerpc_event_context(req->p);
+ if (event_loop_once(ctx) != 0) {
+ return NT_STATUS_CONNECTION_DISCONNECTED;
+ }
}
- pkt.in.request.stub_data.data = stub_data_in->data +
- (stub_data_in->length - remaining);
- pkt.in.request.stub_data.length = remaining;
-
- status = dcerpc_push(&blob_in, mem_ctx, &pkt);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ *stub_data = req->payload;
+ status = req->status;
+ if (stub_data->data) {
+ stub_data->data = talloc_steal(mem_ctx, stub_data->data);
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+ req->p->last_fault_code = req->fault_code;
+ }
+ talloc_free(req);
+ return status;
+}
+
+/*
+ perform a full request/response pair on a dcerpc pipe
+*/
+NTSTATUS dcerpc_request(struct dcerpc_pipe *p,
+ struct GUID *object,
+ uint16_t opnum,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *stub_data_in,
+ DATA_BLOB *stub_data_out)
+{
+ struct rpc_request *req;
+
+ req = dcerpc_request_send(p, object, opnum, mem_ctx, stub_data_in);
+ if (req == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return dcerpc_request_recv(req, mem_ctx, stub_data_out);
+}
+
+
+/*
+ this is a paranoid NDR validator. For every packet we push onto the wire
+ we pull it back again, then push it again. Then we compare the raw NDR data
+ for that to the NDR we initially generated. If they don't match then we know
+ we must have a bug in either the pull or push side of our code
+*/
+static NTSTATUS dcerpc_ndr_validate_in(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB blob,
+ size_t struct_size,
+ NTSTATUS (*ndr_push)(struct ndr_push *, int, void *),
+ NTSTATUS (*ndr_pull)(struct ndr_pull *, int, void *))
+{
+ void *st;
+ struct ndr_pull *pull;
+ struct ndr_push *push;
+ NTSTATUS status;
+ DATA_BLOB blob2;
+
+ st = talloc(mem_ctx, struct_size);
+ if (!st) {
+ return NT_STATUS_NO_MEMORY;
}
- /* send the pdu and get the initial response pdu */
- status = dcerpc_raw_packet(p, mem_ctx, &blob_in, &blob_out);
+ pull = ndr_pull_init_flags(p, &blob, mem_ctx);
+ if (!pull) {
+ return NT_STATUS_NO_MEMORY;
+ }
- status = dcerpc_pull(&blob_out, mem_ctx, &pkt);
+ status = ndr_pull(pull, NDR_IN, st);
if (!NT_STATUS_IS_OK(status)) {
- return status;
+ return ndr_pull_error(pull, NDR_ERR_VALIDATE,
+ "failed input validation pull - %s",
+ nt_errstr(status));
}
- if (pkt.hdr.ptype != DCERPC_PKT_RESPONSE) {
- return NT_STATUS_UNSUCCESSFUL;
+ push = ndr_push_init_ctx(mem_ctx);
+ if (!push) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = ndr_push(push, NDR_IN, st);
+ if (!NT_STATUS_IS_OK(status)) {
+ return ndr_push_error(push, NDR_ERR_VALIDATE,
+ "failed input validation push - %s",
+ nt_errstr(status));
}
- if (!(pkt.hdr.pfc_flags & DCERPC_PFC_FLAG_FIRST)) {
- /* something is badly wrong! */
- return NT_STATUS_UNSUCCESSFUL;
+ blob2 = ndr_push_blob(push);
+
+ if (!data_blob_equal(&blob, &blob2)) {
+ DEBUG(3,("original:\n"));
+ dump_data(3, blob.data, blob.length);
+ DEBUG(3,("secondary:\n"));
+ dump_data(3, blob2.data, blob2.length);
+ return ndr_push_error(push, NDR_ERR_VALIDATE,
+ "failed input validation data - %s",
+ nt_errstr(status));
}
- payload = pkt.out.response.stub_data;
+ return NT_STATUS_OK;
+}
- /* continue receiving fragments */
- while (!(pkt.hdr.pfc_flags & DCERPC_PFC_FLAG_LAST)) {
- uint32 length;
+/*
+ this is a paranoid NDR input validator. For every packet we pull
+ from the wire we push it back again then pull and push it
+ again. Then we compare the raw NDR data for that to the NDR we
+ initially generated. If they don't match then we know we must have a
+ bug in either the pull or push side of our code
+*/
+static NTSTATUS dcerpc_ndr_validate_out(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx,
+ void *struct_ptr,
+ size_t struct_size,
+ NTSTATUS (*ndr_push)(struct ndr_push *, int, void *),
+ NTSTATUS (*ndr_pull)(struct ndr_pull *, int, void *))
+{
+ void *st;
+ struct ndr_pull *pull;
+ struct ndr_push *push;
+ NTSTATUS status;
+ DATA_BLOB blob, blob2;
- status = dcerpc_raw_packet_secondary(p, mem_ctx, &blob_out);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ st = talloc(mem_ctx, struct_size);
+ if (!st) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ memcpy(st, struct_ptr, struct_size);
- status = dcerpc_pull(&blob_out, mem_ctx, &pkt);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ push = ndr_push_init_ctx(mem_ctx);
+ if (!push) {
+ return NT_STATUS_NO_MEMORY;
+ }
- if (pkt.hdr.pfc_flags & DCERPC_PFC_FLAG_FIRST) {
- /* start of another packet!? */
- return NT_STATUS_UNSUCCESSFUL;
- }
+ status = ndr_push(push, NDR_OUT, struct_ptr);
+ if (!NT_STATUS_IS_OK(status)) {
+ return ndr_push_error(push, NDR_ERR_VALIDATE,
+ "failed output validation push - %s",
+ nt_errstr(status));
+ }
- if (pkt.hdr.ptype != DCERPC_PKT_RESPONSE) {
- return NT_STATUS_UNSUCCESSFUL;
- }
+ blob = ndr_push_blob(push);
- length = pkt.out.response.stub_data.length;
+ pull = ndr_pull_init_flags(p, &blob, mem_ctx);
+ if (!pull) {
+ return NT_STATUS_NO_MEMORY;
+ }
- payload.data = talloc_realloc(mem_ctx,
- payload.data,
- payload.length + length);
- if (!payload.data) {
- return NT_STATUS_NO_MEMORY;
- }
+ pull->flags |= LIBNDR_FLAG_REF_ALLOC;
+ status = ndr_pull(pull, NDR_OUT, st);
+ if (!NT_STATUS_IS_OK(status)) {
+ return ndr_pull_error(pull, NDR_ERR_VALIDATE,
+ "failed output validation pull - %s",
+ nt_errstr(status));
+ }
- memcpy(payload.data + payload.length,
- pkt.out.response.stub_data.data,
- length);
+ push = ndr_push_init_ctx(mem_ctx);
+ if (!push) {
+ return NT_STATUS_NO_MEMORY;
+ }
- payload.length += length;
+ status = ndr_push(push, NDR_OUT, st);
+ if (!NT_STATUS_IS_OK(status)) {
+ return ndr_push_error(push, NDR_ERR_VALIDATE,
+ "failed output validation push2 - %s",
+ nt_errstr(status));
}
- if (stub_data_out) {
- *stub_data_out = payload;
+ blob2 = ndr_push_blob(push);
+
+ if (!data_blob_equal(&blob, &blob2)) {
+ DEBUG(3,("original:\n"));
+ dump_data(3, blob.data, blob.length);
+ DEBUG(3,("secondary:\n"));
+ dump_data(3, blob2.data, blob2.length);
+ return ndr_push_error(push, NDR_ERR_VALIDATE,
+ "failed output validation data - %s",
+ nt_errstr(status));
}
- return status;
+ return NT_STATUS_OK;
}
/*
- a useful helper function for synchronous rpc requests
-
- this can be used when you have ndr push/pull functions in the
- standard format
-*/
-NTSTATUS dcerpc_ndr_request(struct dcerpc_pipe *p,
- uint32 opnum,
- TALLOC_CTX *mem_ctx,
- NTSTATUS (*ndr_push)(struct ndr_push *, void *),
- NTSTATUS (*ndr_pull)(struct ndr_pull *, void *),
- void *struct_ptr)
+ send a rpc request given a dcerpc_call structure
+ */
+struct rpc_request *dcerpc_ndr_request_send(struct dcerpc_pipe *p,
+ const struct GUID *object,
+ const struct dcerpc_interface_table *table,
+ uint32_t opnum,
+ TALLOC_CTX *mem_ctx,
+ void *r)
{
+ const struct dcerpc_interface_call *call;
struct ndr_push *push;
- struct ndr_pull *pull;
NTSTATUS status;
- DATA_BLOB request, response;
+ DATA_BLOB request;
+ struct rpc_request *req;
+
+ call = &table->calls[opnum];
/* setup for a ndr_push_* call */
push = ndr_push_init();
if (!push) {
- talloc_destroy(mem_ctx);
- return NT_STATUS_NO_MEMORY;
+ return NULL;
+ }
+
+ if (p->flags & DCERPC_PUSH_BIGENDIAN) {
+ push->flags |= LIBNDR_FLAG_BIGENDIAN;
}
/* push the structure into a blob */
- status = ndr_push(push, struct_ptr);
+ status = call->ndr_push(push, NDR_IN, r);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ DEBUG(2,("Unable to ndr_push structure in dcerpc_ndr_request_send - %s\n",
+ nt_errstr(status)));
+ ndr_push_free(push);
+ return NULL;
}
/* retrieve the blob */
request = ndr_push_blob(push);
+ if (p->flags & DCERPC_DEBUG_VALIDATE_IN) {
+ status = dcerpc_ndr_validate_in(p, mem_ctx, request, call->struct_size,
+ call->ndr_push, call->ndr_pull);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2,("Validation failed in dcerpc_ndr_request_send - %s\n",
+ nt_errstr(status)));
+ ndr_push_free(push);
+ return NULL;
+ }
+ }
+
+ DEBUG(10,("rpc request data:\n"));
dump_data(10, request.data, request.length);
/* make the actual dcerpc request */
- status = dcerpc_request(p, opnum, mem_ctx, &request, &response);
+ req = dcerpc_request_send(p, object, opnum, mem_ctx, &request);
+
+ if (req != NULL) {
+ req->ndr.table = table;
+ req->ndr.opnum = opnum;
+ req->ndr.struct_ptr = r;
+ req->ndr.mem_ctx = mem_ctx;
+ }
+
+ ndr_push_free(push);
+
+ return req;
+}
+
+/*
+ receive the answer from a dcerpc_ndr_request_send()
+*/
+NTSTATUS dcerpc_ndr_request_recv(struct rpc_request *req)
+{
+ struct dcerpc_pipe *p = req->p;
+ NTSTATUS status;
+ DATA_BLOB response;
+ struct ndr_pull *pull;
+ uint_t flags;
+ TALLOC_CTX *mem_ctx = req->ndr.mem_ctx;
+ void *r = req->ndr.struct_ptr;
+ uint32_t opnum = req->ndr.opnum;
+ const struct dcerpc_interface_table *table = req->ndr.table;
+ const struct dcerpc_interface_call *call = &table->calls[opnum];
+
+ /* make sure the recv code doesn't free the request, as we
+ need to grab the flags element before it is freed */
+ talloc_increase_ref_count(req);
+
+ status = dcerpc_request_recv(req, mem_ctx, &response);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ return status;
}
+ flags = req->flags;
+ talloc_free(req);
+
/* prepare for ndr_pull_* */
- pull = ndr_pull_init_blob(&response, mem_ctx);
+ pull = ndr_pull_init_flags(p, &response, mem_ctx);
if (!pull) {
- goto failed;
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (flags & DCERPC_PULL_BIGENDIAN) {
+ pull->flags |= LIBNDR_FLAG_BIGENDIAN;
}
+ DEBUG(10,("rpc reply data:\n"));
dump_data(10, pull->data, pull->data_size);
/* pull the structure from the blob */
- status = ndr_pull(pull, struct_ptr);
+ status = call->ndr_pull(pull, NDR_OUT, r);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ dcerpc_log_packet(table, opnum, NDR_OUT,
+ &response);
+ return status;
+ }
+
+ if (p->flags & DCERPC_DEBUG_VALIDATE_OUT) {
+ status = dcerpc_ndr_validate_out(p, mem_ctx, r, call->struct_size,
+ call->ndr_push, call->ndr_pull);
+ if (!NT_STATUS_IS_OK(status)) {
+ dcerpc_log_packet(table, opnum, NDR_OUT,
+ &response);
+ return status;
+ }
}
if (pull->offset != pull->data_size) {
- DEBUG(0,("Warning! %d unread bytes\n", pull->data_size - pull->offset));
- status = NT_STATUS_INFO_LENGTH_MISMATCH;
- goto failed;
+ DEBUG(0,("Warning! ignoring %d unread bytes in rpc packet!\n",
+ pull->data_size - pull->offset));
+ /* we used return NT_STATUS_INFO_LENGTH_MISMATCH here,
+ but it turns out that early versions of NT
+ (specifically NT3.1) add junk onto the end of rpc
+ packets, so if we want to interoperate at all with
+ those versions then we need to ignore this error */
}
-failed:
- ndr_push_free(push);
- return status;
+ return NT_STATUS_OK;
+}
+
+
+/*
+ a useful helper function for synchronous rpc requests
+
+ this can be used when you have ndr push/pull functions in the
+ standard format
+*/
+NTSTATUS dcerpc_ndr_request(struct dcerpc_pipe *p,
+ const struct GUID *object,
+ const struct dcerpc_interface_table *table,
+ uint32_t opnum,
+ TALLOC_CTX *mem_ctx,
+ void *r)
+{
+ struct rpc_request *req;
+
+ req = dcerpc_ndr_request_send(p, object, table, opnum, mem_ctx, r);
+ if (req == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return dcerpc_ndr_request_recv(req);
}
*/
const char *dcerpc_server_name(struct dcerpc_pipe *p)
{
- return p->tree->session->transport->called.name;
+ if (!p->transport.peer_name) {
+ return "";
+ }
+ return p->transport.peer_name(p);
+}
+
+/*
+ a useful function to get the auth_level
+*/
+
+uint32 dcerpc_auth_level(struct dcerpc_pipe *p)
+{
+ uint8_t auth_level;
+
+ if (p->flags & DCERPC_SEAL) {
+ auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+ } else if (p->flags & DCERPC_SIGN) {
+ auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+ } else if (p->flags & DCERPC_CONNECT) {
+ auth_level = DCERPC_AUTH_LEVEL_CONNECT;
+ } else {
+ auth_level = DCERPC_AUTH_LEVEL_NONE;
+ }
+ return auth_level;
}