#include "librpc/rpc/rpc_common.h"
#include "lib/util/samba_modules.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
+#include "../lib/util/tevent_ntstatus.h"
static NTSTATUS dcesrv_negotiate_contexts(struct dcesrv_call_state *call,
const struct dcerpc_bind *b,
/*
take a reference to an existing association group
*/
-static struct dcesrv_assoc_group *dcesrv_assoc_group_reference(TALLOC_CTX *mem_ctx,
- struct dcesrv_context *dce_ctx,
+static struct dcesrv_assoc_group *dcesrv_assoc_group_reference(struct dcesrv_connection *conn,
uint32_t id)
{
+ const struct dcesrv_endpoint *endpoint = conn->endpoint;
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(endpoint->ep_description);
struct dcesrv_assoc_group *assoc_group;
- assoc_group = dcesrv_assoc_group_find(dce_ctx, id);
+ assoc_group = dcesrv_assoc_group_find(conn->dce_ctx, id);
if (assoc_group == NULL) {
- DEBUG(2,(__location__ ": Failed to find assoc_group 0x%08x\n", id));
+ DBG_NOTICE("Failed to find assoc_group 0x%08x\n", id);
return NULL;
}
- return talloc_reference(mem_ctx, assoc_group);
+ if (assoc_group->transport != transport) {
+ const char *at =
+ derpc_transport_string_by_transport(
+ assoc_group->transport);
+ const char *ct =
+ derpc_transport_string_by_transport(
+ transport);
+
+ DBG_NOTICE("assoc_group 0x%08x (transport %s) "
+ "is not available on transport %s",
+ id, at, ct);
+ return NULL;
+ }
+
+ return talloc_reference(conn, assoc_group);
}
static int dcesrv_assoc_group_destructor(struct dcesrv_assoc_group *assoc_group)
/*
allocate a new association group
*/
-static struct dcesrv_assoc_group *dcesrv_assoc_group_new(TALLOC_CTX *mem_ctx,
- struct dcesrv_context *dce_ctx)
+static struct dcesrv_assoc_group *dcesrv_assoc_group_new(struct dcesrv_connection *conn)
{
+ struct dcesrv_context *dce_ctx = conn->dce_ctx;
+ const struct dcesrv_endpoint *endpoint = conn->endpoint;
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(endpoint->ep_description);
struct dcesrv_assoc_group *assoc_group;
int id;
- assoc_group = talloc_zero(mem_ctx, struct dcesrv_assoc_group);
+ assoc_group = talloc_zero(conn, struct dcesrv_assoc_group);
if (assoc_group == NULL) {
return NULL;
}
return NULL;
}
+ assoc_group->transport = transport;
assoc_group->id = id;
assoc_group->dce_ctx = dce_ctx;
/*
find the earlier parts of a fragmented call awaiting reassembily
*/
-static struct dcesrv_call_state *dcesrv_find_fragmented_call(struct dcesrv_connection *dce_conn, uint16_t call_id)
+static struct dcesrv_call_state *dcesrv_find_fragmented_call(struct dcesrv_connection *dce_conn, uint32_t call_id)
{
struct dcesrv_call_state *c;
for (c=dce_conn->incoming_fragmented_call_list;c;c=c->next) {
*/
_PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
const char *ep_name,
+ const char *ncacn_np_secondary_endpoint,
const struct dcesrv_interface *iface,
const struct security_descriptor *sd)
{
struct dcesrv_endpoint *ep;
struct dcesrv_if_list *ifl;
struct dcerpc_binding *binding;
+ struct dcerpc_binding *binding2 = NULL;
bool add_ep = false;
NTSTATUS status;
enum dcerpc_transport_t transport;
char *ep_string = NULL;
bool use_single_process = true;
-
+ const char *ep_process_string;
+
/*
* If we are not using handles, there is no need for force
* this service into using a single process.
}
}
+ if (transport == NCACN_NP && ncacn_np_secondary_endpoint != NULL) {
+ enum dcerpc_transport_t transport2;
+
+ status = dcerpc_parse_binding(dce_ctx,
+ ncacn_np_secondary_endpoint,
+ &binding2);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Trouble parsing 2nd binding string '%s'\n",
+ ncacn_np_secondary_endpoint));
+ return status;
+ }
+
+ transport2 = dcerpc_binding_get_transport(binding2);
+ SMB_ASSERT(transport2 == transport);
+ }
+
/* see if the interface is already registered on the endpoint */
if (find_interface_by_binding(dce_ctx, binding, iface)!=NULL) {
DEBUG(0,("dcesrv_interface_register: interface '%s' already registered on endpoint '%s'\n",
* If we have mulitiple endpoints on port 0, they each
* get an epemeral port (currently by walking up from
* 1024).
+ *
+ * Because one endpoint can only have one process
+ * model, we add a new IP_TCP endpoint for each model.
+ *
+ * This works in conjunction with the forced overwrite
+ * of ep->use_single_process below.
*/
- if (!use_single_process && transport == NCACN_IP_TCP) {
+ if (ep->use_single_process != use_single_process
+ && transport == NCACN_IP_TCP) {
add_ep = true;
}
}
}
ZERO_STRUCTP(ep);
ep->ep_description = talloc_move(ep, &binding);
+ ep->ep_2nd_description = talloc_move(ep, &binding2);
add_ep = true;
/* add mgmt interface */
/* Re-get the string as we may have set a port */
ep_string = dcerpc_binding_string(dce_ctx, ep->ep_description);
- DEBUG(4,("dcesrv_interface_register: interface '%s' registered on endpoint '%s'\n",
- iface->name, ep_string));
+ if (use_single_process) {
+ ep_process_string = "single process required";
+ } else {
+ ep_process_string = "multi process compatible";
+ }
+
+ DBG_INFO("dcesrv_interface_register: interface '%s' "
+ "registered on endpoint '%s' (%s)\n",
+ iface->name, ep_string, ep_process_string);
TALLOC_FREE(ep_string);
return NT_STATUS_OK;
}
-NTSTATUS dcesrv_inherited_session_key(struct dcesrv_connection *p,
- DATA_BLOB *session_key)
+static NTSTATUS dcesrv_session_info_session_key(struct dcesrv_auth *auth,
+ DATA_BLOB *session_key)
{
- if (p->auth_state.session_info->session_key.length) {
- *session_key = p->auth_state.session_info->session_key;
- return NT_STATUS_OK;
+ if (auth->session_info == NULL) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
}
- return NT_STATUS_NO_USER_SESSION_KEY;
+
+ if (auth->session_info->session_key.length == 0) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
+ *session_key = auth->session_info->session_key;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS dcesrv_remote_session_key(struct dcesrv_auth *auth,
+ DATA_BLOB *session_key)
+{
+ if (auth->auth_type != DCERPC_AUTH_TYPE_NONE) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
+ return dcesrv_session_info_session_key(auth, session_key);
+}
+
+static NTSTATUS dcesrv_local_fixed_session_key(struct dcesrv_auth *auth,
+ DATA_BLOB *session_key)
+{
+ return dcerpc_generic_session_key(NULL, session_key);
}
/*
- fetch the user session key - may be default (above) or the SMB session key
+ * Fetch the authentication session key if available.
+ *
+ * This is the key generated by a gensec authentication.
+ *
+ */
+_PUBLIC_ NTSTATUS dcesrv_auth_session_key(struct dcesrv_call_state *call,
+ DATA_BLOB *session_key)
+{
+ struct dcesrv_auth *auth = call->auth_state;
+ SMB_ASSERT(auth->auth_finished);
+ return dcesrv_session_info_session_key(auth, session_key);
+}
- The key is always truncated to 16 bytes
+/*
+ * Fetch the transport session key if available.
+ * Typically this is the SMB session key
+ * or a fixed key for local transports.
+ *
+ * The key is always truncated to 16 bytes.
*/
-_PUBLIC_ NTSTATUS dcesrv_fetch_session_key(struct dcesrv_connection *p,
- DATA_BLOB *session_key)
+_PUBLIC_ NTSTATUS dcesrv_transport_session_key(struct dcesrv_call_state *call,
+ DATA_BLOB *session_key)
{
- NTSTATUS status = p->auth_state.session_key(p, session_key);
+ struct dcesrv_auth *auth = call->auth_state;
+ NTSTATUS status;
+
+ SMB_ASSERT(auth->auth_finished);
+
+ if (auth->session_key_fn == NULL) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
+ status = auth->session_key_fn(auth, session_key);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_OK;
}
+static struct dcesrv_auth *dcesrv_auth_create(struct dcesrv_connection *conn)
+{
+ const struct dcesrv_endpoint *ep = conn->endpoint;
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(ep->ep_description);
+ struct dcesrv_auth *auth = NULL;
+
+ auth = talloc_zero(conn, struct dcesrv_auth);
+ if (auth == NULL) {
+ return NULL;
+ }
+
+ switch (transport) {
+ case NCACN_NP:
+ auth->session_key_fn = dcesrv_remote_session_key;
+ break;
+ case NCALRPC:
+ case NCACN_UNIX_STREAM:
+ auth->session_key_fn = dcesrv_local_fixed_session_key;
+ break;
+ default:
+ /*
+ * All other's get a NULL pointer, which
+ * results in NT_STATUS_NO_USER_SESSION_KEY
+ */
+ break;
+ }
+
+ return auth;
+}
+
/*
connect to a dcerpc endpoint
*/
-_PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
+static NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
TALLOC_CTX *mem_ctx,
const struct dcesrv_endpoint *ep,
struct auth_session_info *session_info,
uint32_t state_flags,
struct dcesrv_connection **_p)
{
+ struct dcesrv_auth *auth = NULL;
struct dcesrv_connection *p;
if (!session_info) {
p = talloc_zero(mem_ctx, struct dcesrv_connection);
NT_STATUS_HAVE_NO_MEMORY(p);
- if (!talloc_reference(p, session_info)) {
- talloc_free(p);
- return NT_STATUS_NO_MEMORY;
- }
-
p->dce_ctx = dce_ctx;
p->endpoint = ep;
p->packet_log_dir = lpcfg_lock_directory(dce_ctx->lp_ctx);
- p->auth_state.session_info = session_info;
- p->auth_state.session_key = dcesrv_generic_session_key;
p->event_ctx = event_ctx;
p->msg_ctx = msg_ctx;
p->server_id = server_id;
p->max_xmit_frag = 5840;
p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE;
+ p->support_hdr_signing = lpcfg_parm_bool(dce_ctx->lp_ctx,
+ NULL,
+ "dcesrv",
+ "header signing",
+ true);
+ p->max_auth_states = lpcfg_parm_ulong(dce_ctx->lp_ctx,
+ NULL,
+ "dcesrv",
+ "max auth states",
+ 2049);
+
+ auth = dcesrv_auth_create(p);
+ if (auth == NULL) {
+ talloc_free(p);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ auth->session_info = talloc_reference(auth, session_info);
+ if (auth->session_info == NULL) {
+ talloc_free(p);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ p->default_auth_state = auth;
+
/*
* For now we only support NDR32.
*/
static void dcesrv_call_disconnect_after(struct dcesrv_call_state *call,
const char *reason)
{
+ struct dcesrv_auth *a = NULL;
+
if (call->conn->terminate != NULL) {
return;
}
call->conn->allow_bind = false;
call->conn->allow_alter = false;
- call->conn->allow_auth3 = false;
- call->conn->allow_request = false;
+
+ call->conn->default_auth_state->auth_invalid = true;
+
+ for (a = call->conn->auth_states; a != NULL; a = a->next) {
+ a->auth_invalid = true;
+ }
call->terminate_reason = talloc_strdup(call, reason);
if (call->terminate_reason == NULL) {
context->allow_connect);
}
-NTSTATUS dcesrv_interface_bind_require_integrity(struct dcesrv_call_state *dce_call,
+NTSTATUS dcesrv_interface_bind_require_integrity(struct dcesrv_connection_context *context,
const struct dcesrv_interface *iface)
{
- if (dce_call->context == NULL) {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
/*
* For connection oriented DCERPC DCERPC_AUTH_LEVEL_PACKET (4)
* has the same behavior as DCERPC_AUTH_LEVEL_INTEGRITY (5).
*/
- dce_call->context->min_auth_level = DCERPC_AUTH_LEVEL_PACKET;
+ context->min_auth_level = DCERPC_AUTH_LEVEL_PACKET;
return NT_STATUS_OK;
}
-NTSTATUS dcesrv_interface_bind_require_privacy(struct dcesrv_call_state *dce_call,
+NTSTATUS dcesrv_interface_bind_require_privacy(struct dcesrv_connection_context *context,
const struct dcesrv_interface *iface)
{
- if (dce_call->context == NULL) {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- dce_call->context->min_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+ context->min_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
return NT_STATUS_OK;
}
-_PUBLIC_ NTSTATUS dcesrv_interface_bind_reject_connect(struct dcesrv_call_state *dce_call,
+_PUBLIC_ NTSTATUS dcesrv_interface_bind_reject_connect(struct dcesrv_connection_context *context,
const struct dcesrv_interface *iface)
{
- struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
- const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
+ struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
+ const struct dcesrv_endpoint *endpoint = context->conn->endpoint;
enum dcerpc_transport_t transport =
dcerpc_binding_get_transport(endpoint->ep_description);
- struct dcesrv_connection_context *context = dce_call->context;
-
- if (context == NULL) {
- return NT_STATUS_INTERNAL_ERROR;
- }
if (transport == NCALRPC) {
context->allow_connect = true;
return NT_STATUS_OK;
}
-_PUBLIC_ NTSTATUS dcesrv_interface_bind_allow_connect(struct dcesrv_call_state *dce_call,
+_PUBLIC_ NTSTATUS dcesrv_interface_bind_allow_connect(struct dcesrv_connection_context *context,
const struct dcesrv_interface *iface)
{
- struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
- const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
+ struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
+ const struct dcesrv_endpoint *endpoint = context->conn->endpoint;
enum dcerpc_transport_t transport =
dcerpc_binding_get_transport(endpoint->ep_description);
- struct dcesrv_connection_context *context = dce_call->context;
-
- if (context == NULL) {
- return NT_STATUS_INTERNAL_ERROR;
- }
if (transport == NCALRPC) {
context->allow_connect = true;
return NT_STATUS_OK;
}
+struct dcesrv_conn_auth_wait_context {
+ struct tevent_req *req;
+ bool done;
+ NTSTATUS status;
+};
+
+struct dcesrv_conn_auth_wait_state {
+ uint8_t dummy;
+};
+
+static struct tevent_req *dcesrv_conn_auth_wait_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ void *private_data)
+{
+ struct dcesrv_conn_auth_wait_context *auth_wait =
+ talloc_get_type_abort(private_data,
+ struct dcesrv_conn_auth_wait_context);
+ struct tevent_req *req = NULL;
+ struct dcesrv_conn_auth_wait_state *state = NULL;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct dcesrv_conn_auth_wait_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ auth_wait->req = req;
+
+ tevent_req_defer_callback(req, ev);
+
+ if (!auth_wait->done) {
+ return req;
+ }
+
+ if (tevent_req_nterror(req, auth_wait->status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+}
+
+static NTSTATUS dcesrv_conn_auth_wait_recv(struct tevent_req *req)
+{
+ return tevent_req_simple_recv_ntstatus(req);
+}
+
+static NTSTATUS dcesrv_conn_auth_wait_setup(struct dcesrv_connection *conn)
+{
+ struct dcesrv_conn_auth_wait_context *auth_wait = NULL;
+
+ if (conn->wait_send != NULL) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ auth_wait = talloc_zero(conn, struct dcesrv_conn_auth_wait_context);
+ if (auth_wait == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ conn->wait_private = auth_wait;
+ conn->wait_send = dcesrv_conn_auth_wait_send;
+ conn->wait_recv = dcesrv_conn_auth_wait_recv;
+ return NT_STATUS_OK;
+}
+
+static void dcesrv_conn_auth_wait_finished(struct dcesrv_connection *conn,
+ NTSTATUS status)
+{
+ struct dcesrv_conn_auth_wait_context *auth_wait =
+ talloc_get_type_abort(conn->wait_private,
+ struct dcesrv_conn_auth_wait_context);
+
+ auth_wait->done = true;
+ auth_wait->status = status;
+
+ if (auth_wait->req == NULL) {
+ return;
+ }
+
+ if (tevent_req_nterror(auth_wait->req, status)) {
+ return;
+ }
+
+ tevent_req_done(auth_wait->req);
+}
+
static NTSTATUS dcesrv_auth_reply(struct dcesrv_call_state *call);
+static void dcesrv_bind_done(struct tevent_req *subreq);
+
/*
handle a bind request
*/
static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
{
+ struct dcesrv_connection *conn = call->conn;
struct ncacn_packet *pkt = &call->ack_pkt;
NTSTATUS status;
uint32_t extra_flags = 0;
uint16_t max_req = 0;
uint16_t max_rep = 0;
- const char *ep_prefix = "";
+ struct dcerpc_binding *ep_2nd_description = NULL;
const char *endpoint = NULL;
- struct dcesrv_auth *auth = &call->conn->auth_state;
+ struct dcesrv_auth *auth = call->auth_state;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
struct dcerpc_ack_ctx *ack_features = NULL;
+ struct tevent_req *subreq = NULL;
size_t i;
status = dcerpc_verify_ncacn_packet_header(&call->pkt,
*/
if (call->pkt.u.bind.assoc_group_id != 0) {
call->conn->assoc_group = dcesrv_assoc_group_reference(call->conn,
- call->conn->dce_ctx,
call->pkt.u.bind.assoc_group_id);
} else {
- call->conn->assoc_group = dcesrv_assoc_group_new(call->conn,
- call->conn->dce_ctx);
+ call->conn->assoc_group = dcesrv_assoc_group_new(call->conn);
}
/*
if (call->conn->assoc_group == NULL &&
!call->conn->endpoint->use_single_process) {
call->conn->assoc_group
- = dcesrv_assoc_group_new(call->conn,
- call->conn->dce_ctx);
+ = dcesrv_assoc_group_new(call->conn);
}
if (call->conn->assoc_group == NULL) {
return dcesrv_bind_nak(call, 0);
a->result = DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK;
a->reason.negotiate = 0;
if (features & DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING) {
- /* not supported yet */
+ if (call->conn->max_auth_states != 0) {
+ a->reason.negotiate |=
+ DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING;
+ }
}
if (features & DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN) {
a->reason.negotiate |=
DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN;
}
- call->conn->bind_time_features = a->reason.negotiate;
+ call->conn->assoc_group->bind_time_features = a->reason.negotiate;
}
/*
pkt->u.bind_ack.max_recv_frag = call->conn->max_recv_frag;
pkt->u.bind_ack.assoc_group_id = call->conn->assoc_group->id;
+ ep_2nd_description = call->conn->endpoint->ep_2nd_description;
+ if (ep_2nd_description == NULL) {
+ ep_2nd_description = call->conn->endpoint->ep_description;
+ }
+
endpoint = dcerpc_binding_get_string_option(
- call->conn->endpoint->ep_description,
+ ep_2nd_description,
"endpoint");
if (endpoint == NULL) {
endpoint = "";
}
- if (strncasecmp(endpoint, "\\pipe\\", 6) == 0) {
- /*
- * TODO: check if this is really needed
- *
- * Or if we should fix this in our idl files.
- */
- ep_prefix = "\\PIPE\\";
- endpoint += 6;
- }
-
- pkt->u.bind_ack.secondary_address = talloc_asprintf(call, "%s%s",
- ep_prefix,
- endpoint);
- if (pkt->u.bind_ack.secondary_address == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
+ pkt->u.bind_ack.secondary_address = endpoint;
pkt->u.bind_ack.num_results = call->pkt.u.bind.num_contexts;
pkt->u.bind_ack.ctx_list = ack_ctx_list;
pkt->u.bind_ack.auth_info = data_blob_null;
return dcesrv_auth_reply(call);
}
- status = gensec_update_ev(auth->gensec_security,
- call, call->event_ctx,
- call->in_auth_info.credentials,
- &call->out_auth_info->credentials);
+ subreq = gensec_update_send(call, call->event_ctx,
+ auth->gensec_security,
+ call->in_auth_info.credentials);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ tevent_req_set_callback(subreq, dcesrv_bind_done, call);
+
+ return dcesrv_conn_auth_wait_setup(conn);
+}
+
+static void dcesrv_bind_done(struct tevent_req *subreq)
+{
+ struct dcesrv_call_state *call =
+ tevent_req_callback_data(subreq,
+ struct dcesrv_call_state);
+ struct dcesrv_connection *conn = call->conn;
+ NTSTATUS status;
+
+ status = gensec_update_recv(subreq, call,
+ &call->out_auth_info->credentials);
+ TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
if (!NT_STATUS_IS_OK(status)) {
- return dcesrv_bind_nak(call, 0);
+ status = dcesrv_bind_nak(call, 0);
+ dcesrv_conn_auth_wait_finished(conn, status);
+ return;
}
- return dcesrv_auth_reply(call);
+ status = dcesrv_auth_reply(call);
+ dcesrv_conn_auth_wait_finished(conn, status);
+ return;
}
static NTSTATUS dcesrv_auth_reply(struct dcesrv_call_state *call)
}
+static void dcesrv_auth3_done(struct tevent_req *subreq);
+
/*
handle a auth3 request
*/
static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
{
+ struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_auth *auth = call->auth_state;
+ struct tevent_req *subreq = NULL;
NTSTATUS status;
- if (!call->conn->allow_auth3) {
+ if (!auth->auth_started) {
return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
}
- if (call->conn->auth_state.auth_finished) {
+ if (auth->auth_finished) {
return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
}
}
/* handle the auth3 in the auth code */
- if (!dcesrv_auth_auth3(call)) {
- call->conn->auth_state.auth_invalid = true;
+ if (!dcesrv_auth_prepare_auth3(call)) {
+ /*
+ * we don't send a reply to a auth3 request,
+ * except by a fault.
+ *
+ * In anycase we mark the connection as
+ * invalid.
+ */
+ auth->auth_invalid = true;
if (call->fault_code != 0) {
return dcesrv_fault_disconnect(call, call->fault_code);
}
+ TALLOC_FREE(call);
+ return NT_STATUS_OK;
}
- talloc_free(call);
+ subreq = gensec_update_send(call, call->event_ctx,
+ auth->gensec_security,
+ call->in_auth_info.credentials);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ tevent_req_set_callback(subreq, dcesrv_auth3_done, call);
- /* we don't send a reply to a auth3 request, except by a
- fault */
- return NT_STATUS_OK;
+ return dcesrv_conn_auth_wait_setup(conn);
+}
+
+static void dcesrv_auth3_done(struct tevent_req *subreq)
+{
+ struct dcesrv_call_state *call =
+ tevent_req_callback_data(subreq,
+ struct dcesrv_call_state);
+ struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_auth *auth = call->auth_state;
+ NTSTATUS status;
+
+ status = gensec_update_recv(subreq, call,
+ &call->out_auth_info->credentials);
+ TALLOC_FREE(subreq);
+
+ status = dcesrv_auth_complete(call, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * we don't send a reply to a auth3 request,
+ * except by a fault.
+ *
+ * In anycase we mark the connection as
+ * invalid.
+ */
+ auth->auth_invalid = true;
+ if (call->fault_code != 0) {
+ status = dcesrv_fault_disconnect(call, call->fault_code);
+ dcesrv_conn_auth_wait_finished(conn, status);
+ return;
+ }
+ TALLOC_FREE(call);
+ dcesrv_conn_auth_wait_finished(conn, NT_STATUS_OK);
+ return;
+ }
+
+ /*
+ * we don't send a reply to a auth3 request.
+ */
+ TALLOC_FREE(call);
+ dcesrv_conn_auth_wait_finished(conn, NT_STATUS_OK);
+ return;
}
context->context_id = ctx->context_id;
context->iface = iface;
context->transfer_syntax = *selected_transfer;
- context->private_data = NULL;
DLIST_ADD(call->conn->contexts, context);
call->context = context;
talloc_set_destructor(context, dcesrv_connection_context_destructor);
*/
call->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
- status = iface->bind(call, iface, if_version);
+ status = iface->bind(context, iface);
call->context = NULL;
if (!NT_STATUS_IS_OK(status)) {
/* we don't want to trigger the iface->unbind() hook */
return NT_STATUS_OK;
}
+static void dcesrv_alter_done(struct tevent_req *subreq);
+
/*
handle a alter context request
*/
static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
{
+ struct dcesrv_connection *conn = call->conn;
NTSTATUS status;
bool auth_ok = false;
struct ncacn_packet *pkt = &call->ack_pkt;
uint32_t extra_flags = 0;
+ struct dcesrv_auth *auth = call->auth_state;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
+ struct tevent_req *subreq = NULL;
size_t i;
if (!call->conn->allow_alter) {
/* handle any authentication that is being requested */
if (!auth_ok) {
- if (call->in_auth_info.auth_type !=
- call->conn->auth_state.auth_type)
- {
+ if (call->in_auth_info.auth_type != auth->auth_type) {
return dcesrv_fault_disconnect(call,
DCERPC_FAULT_SEC_PKG_ERROR);
}
pkt->u.alter_resp.ctx_list = ack_ctx_list;
pkt->u.alter_resp.auth_info = data_blob_null;
- status = dcesrv_auth_alter_ack(call, pkt);
+ status = dcesrv_auth_prepare_alter_ack(call, pkt);
if (!NT_STATUS_IS_OK(status)) {
return dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
}
- return dcesrv_auth_reply(call);
+ if (auth->auth_finished) {
+ return dcesrv_auth_reply(call);
+ }
+
+ subreq = gensec_update_send(call, call->event_ctx,
+ auth->gensec_security,
+ call->in_auth_info.credentials);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ tevent_req_set_callback(subreq, dcesrv_alter_done, call);
+
+ return dcesrv_conn_auth_wait_setup(conn);
+}
+
+static void dcesrv_alter_done(struct tevent_req *subreq)
+{
+ struct dcesrv_call_state *call =
+ tevent_req_callback_data(subreq,
+ struct dcesrv_call_state);
+ struct dcesrv_connection *conn = call->conn;
+ NTSTATUS status;
+
+ status = gensec_update_recv(subreq, call,
+ &call->out_auth_info->credentials);
+ TALLOC_FREE(subreq);
+
+ status = dcesrv_auth_complete(call, status);
+ if (!NT_STATUS_IS_OK(status)) {
+ status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
+ dcesrv_conn_auth_wait_finished(conn, status);
+ return;
+ }
+
+ status = dcesrv_auth_reply(call);
+ dcesrv_conn_auth_wait_finished(conn, status);
+ return;
}
/*
static NTSTATUS dcesrv_check_verification_trailer(struct dcesrv_call_state *call)
{
TALLOC_CTX *frame = talloc_stackframe();
- const uint32_t bitmask1 = call->conn->auth_state.client_hdr_signing ?
+ const uint32_t bitmask1 = call->conn->client_hdr_signing ?
DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING : 0;
const struct dcerpc_sec_vt_pcontext pcontext = {
.abstract_syntax = call->context->iface->syntax_id,
static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
{
const struct dcesrv_endpoint *endpoint = call->conn->endpoint;
+ struct dcesrv_auth *auth = call->auth_state;
enum dcerpc_transport_t transport =
dcerpc_binding_get_transport(endpoint->ep_description);
struct ndr_pull *pull;
NTSTATUS status;
- if (!call->conn->allow_request) {
+ if (!auth->auth_finished) {
return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
}
/* if authenticated, and the mech we use can't do async replies, don't use them... */
- if (call->conn->auth_state.gensec_security &&
- !gensec_have_feature(call->conn->auth_state.gensec_security, GENSEC_FEATURE_ASYNC_REPLIES)) {
+ if (auth->gensec_security != NULL &&
+ !gensec_have_feature(auth->gensec_security, GENSEC_FEATURE_ASYNC_REPLIES)) {
call->state_flags &= ~DCESRV_CALL_STATE_FLAG_MAY_ASYNC;
}
DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
}
- switch (call->conn->auth_state.auth_level) {
+ switch (auth->auth_level) {
case DCERPC_AUTH_LEVEL_NONE:
case DCERPC_AUTH_LEVEL_PACKET:
case DCERPC_AUTH_LEVEL_INTEGRITY:
"to [%s] with auth[type=0x%x,level=0x%x] "
"on [%s] from [%s]\n",
__func__, call->context->iface->name,
- call->conn->auth_state.auth_type,
- call->conn->auth_state.auth_level,
+ auth->auth_type,
+ auth->auth_level,
derpc_transport_string_by_transport(transport),
addr));
return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
break;
}
- if (call->conn->auth_state.auth_level < call->context->min_auth_level) {
+ if (auth->auth_level < call->context->min_auth_level) {
char *addr;
addr = tsocket_address_string(call->conn->remote_address, call);
__func__,
call->context->min_auth_level,
call->context->iface->name,
- call->conn->auth_state.auth_type,
- call->conn->auth_state.auth_level,
+ auth->auth_type,
+ auth->auth_level,
derpc_transport_string_by_transport(transport),
addr));
return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
NTSTATUS status;
struct dcesrv_call_state *call;
struct dcesrv_call_state *existing = NULL;
+ size_t num_auth_ctx = 0;
+ enum dcerpc_AuthType auth_type = 0;
+ enum dcerpc_AuthLevel auth_level = 0;
+ uint32_t auth_context_id = 0;
call = talloc_zero(dce_conn, struct dcesrv_call_state);
if (!call) {
talloc_steal(call, blob.data);
call->pkt = *pkt;
+ if (dce_conn->max_auth_states == 0) {
+ call->auth_state = dce_conn->default_auth_state;
+ } else if (call->pkt.auth_length == 0) {
+ if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
+ dce_conn->default_auth_level_connect != NULL)
+ {
+ call->auth_state = dce_conn->default_auth_level_connect;
+ } else {
+ call->auth_state = dce_conn->default_auth_state;
+ }
+ }
+
+ if (call->auth_state == NULL) {
+ struct dcesrv_auth *a = NULL;
+
+ auth_type = dcerpc_get_auth_type(&blob);
+ auth_level = dcerpc_get_auth_level(&blob);
+ auth_context_id = dcerpc_get_auth_context_id(&blob);
+
+ if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
+ dce_conn->default_auth_level_connect = NULL;
+ if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
+ dce_conn->got_explicit_auth_level_connect = true;
+ }
+ }
+
+ for (a = dce_conn->auth_states; a != NULL; a = a->next) {
+ num_auth_ctx++;
+
+ if (a->auth_type != auth_type) {
+ continue;
+ }
+ if (a->auth_finished && a->auth_level != auth_level) {
+ continue;
+ }
+ if (a->auth_context_id != auth_context_id) {
+ continue;
+ }
+
+ DLIST_PROMOTE(dce_conn->auth_states, a);
+ call->auth_state = a;
+ break;
+ }
+ }
+
+ if (call->auth_state == NULL) {
+ struct dcesrv_auth *a = NULL;
+
+ if (num_auth_ctx >= dce_conn->max_auth_states) {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
+
+ a = dcesrv_auth_create(dce_conn);
+ if (a == NULL) {
+ talloc_free(call);
+ return NT_STATUS_NO_MEMORY;
+ }
+ DLIST_ADD(dce_conn->auth_states, a);
+ if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
+ /*
+ * This can never be valid.
+ */
+ a->auth_invalid = true;
+ }
+ call->auth_state = a;
+ }
+
talloc_set_destructor(call, dcesrv_call_dequeue);
if (call->conn->allow_bind) {
/* we have to check the signing here, before combining the
pdus */
if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
- if (!call->conn->allow_request) {
+ dcesrv_default_auth_state_prepare_request(call);
+
+ if (call->auth_state->auth_started &&
+ !call->auth_state->auth_finished) {
return dcesrv_fault_disconnect(call,
DCERPC_NCA_S_PROTO_ERROR);
}
static void dcesrv_terminate_connection(struct dcesrv_connection *dce_conn, const char *reason)
{
struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
+ struct dcesrv_auth *a = NULL;
struct stream_connection *srv_conn;
srv_conn = talloc_get_type(dce_conn->transport.private_data,
struct stream_connection);
dce_conn->wait_private = NULL;
dce_conn->allow_bind = false;
- dce_conn->allow_auth3 = false;
dce_conn->allow_alter = false;
- dce_conn->allow_request = false;
+
+ dce_conn->default_auth_state->auth_invalid = true;
+
+ for (a = dce_conn->auth_states; a != NULL; a = a->next) {
+ a->auth_invalid = true;
+ }
if (dce_conn->pending_call_list == NULL) {
char *full_reason = talloc_asprintf(dce_conn, "dcesrv: %s", reason);
}
if (transport == NCACN_NP) {
- dcesrv_conn->auth_state.session_key = dcesrv_inherited_session_key;
dcesrv_conn->stream = talloc_move(dcesrv_conn,
&srv_conn->tstream);
} else {
struct tsocket_address *r = NULL;
ret = tsocket_address_unix_from_path(dcesrv_conn,
- "/root/ncalrpc_as_system",
+ AS_SYSTEM_MAGIC_PATH_TOKEN,
&r);
if (ret == -1) {
status = map_nt_error_from_unix_common(errno);
srv_conn->private_data = dcesrv_conn;
- irpc_add_name(srv_conn->msg_ctx, "rpc_server");
-
subreq = dcerpc_read_ncacn_packet_send(dcesrv_conn,
dcesrv_conn->event_ctx,
dcesrv_conn->stream);
static NTSTATUS dcesrv_add_ep_unix(struct dcesrv_context *dce_ctx,
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
- struct tevent_context *event_ctx, const struct model_ops *model_ops)
+ struct tevent_context *event_ctx,
+ const struct model_ops *model_ops,
+ void *process_context)
{
struct dcesrv_socket_context *dcesrv_sock;
uint16_t port = 1;
model_ops, &dcesrv_stream_ops,
"unix", endpoint, &port,
lpcfg_socket_options(lp_ctx),
- dcesrv_sock);
+ dcesrv_sock, process_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("service_setup_stream_socket(path=%s) failed - %s\n",
endpoint, nt_errstr(status)));
static NTSTATUS dcesrv_add_ep_ncalrpc(struct dcesrv_context *dce_ctx,
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
- struct tevent_context *event_ctx, const struct model_ops *model_ops)
+ struct tevent_context *event_ctx,
+ const struct model_ops *model_ops,
+ void *process_context)
{
struct dcesrv_socket_context *dcesrv_sock;
uint16_t port = 1;
model_ops, &dcesrv_stream_ops,
"unix", full_path, &port,
lpcfg_socket_options(lp_ctx),
- dcesrv_sock);
+ dcesrv_sock, process_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("service_setup_stream_socket(identifier=%s,path=%s) failed - %s\n",
endpoint, full_path, nt_errstr(status)));
static NTSTATUS dcesrv_add_ep_np(struct dcesrv_context *dce_ctx,
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
- struct tevent_context *event_ctx, const struct model_ops *model_ops)
+ struct tevent_context *event_ctx,
+ const struct model_ops *model_ops,
+ void *process_context)
{
struct dcesrv_socket_context *dcesrv_sock;
NTSTATUS status;
status = tstream_setup_named_pipe(dce_ctx, event_ctx, lp_ctx,
model_ops, &dcesrv_stream_ops,
endpoint,
- dcesrv_sock);
+ dcesrv_sock, process_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("stream_setup_named_pipe(pipe=%s) failed - %s\n",
endpoint, nt_errstr(status)));
/*
add a socket address to the list of events, one event per dcerpc endpoint
*/
-static NTSTATUS add_socket_rpc_tcp_iface(struct dcesrv_context *dce_ctx, struct dcesrv_endpoint *e,
- struct tevent_context *event_ctx, const struct model_ops *model_ops,
- const char *address)
+static NTSTATUS add_socket_rpc_tcp_iface(struct dcesrv_context *dce_ctx,
+ struct dcesrv_endpoint *e,
+ struct tevent_context *event_ctx,
+ const struct model_ops *model_ops,
+ const char *address,
+ void *process_context)
{
struct dcesrv_socket_context *dcesrv_sock;
uint16_t port = 0;
model_ops, &dcesrv_stream_ops,
"ip", address, &port,
lpcfg_socket_options(dce_ctx->lp_ctx),
- dcesrv_sock);
+ dcesrv_sock, process_context);
if (!NT_STATUS_IS_OK(status)) {
struct dcesrv_if_list *iface;
DEBUG(0,("service_setup_stream_socket(address=%s,port=%u) for ",
for (iface = e->interface_list; iface; iface = iface->next) {
DEBUGADD(0, ("%s ", iface->iface.name));
}
- DEBUGADD(0, ("failed - %s",
+ DEBUGADD(0, ("failed - %s\n",
nt_errstr(status)));
return status;
}
static NTSTATUS dcesrv_add_ep_tcp(struct dcesrv_context *dce_ctx,
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
- struct tevent_context *event_ctx, const struct model_ops *model_ops)
+ struct tevent_context *event_ctx,
+ const struct model_ops *model_ops,
+ void *process_context)
{
NTSTATUS status;
num_interfaces = iface_list_count(ifaces);
for(i = 0; i < num_interfaces; i++) {
const char *address = iface_list_n_ip(ifaces, i);
- status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx, model_ops, address);
+ status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx,
+ model_ops, address,
+ process_context);
NT_STATUS_NOT_OK_RETURN(status);
}
} else {
char **wcard;
- int i;
- int num_binds = 0;
+ size_t i;
+ size_t num_binds = 0;
wcard = iface_list_wildcard(dce_ctx);
NT_STATUS_HAVE_NO_MEMORY(wcard);
for (i=0; wcard[i]; i++) {
- status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx, model_ops, wcard[i]);
+ status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx,
+ model_ops, wcard[i],
+ process_context);
if (NT_STATUS_IS_OK(status)) {
num_binds++;
}
struct loadparm_context *lp_ctx,
struct dcesrv_endpoint *e,
struct tevent_context *event_ctx,
- const struct model_ops *model_ops)
+ const struct model_ops *model_ops,
+ void *process_context)
{
enum dcerpc_transport_t transport =
dcerpc_binding_get_transport(e->ep_description);
switch (transport) {
case NCACN_UNIX_STREAM:
- return dcesrv_add_ep_unix(dce_ctx, lp_ctx, e, event_ctx, model_ops);
+ return dcesrv_add_ep_unix(dce_ctx, lp_ctx, e, event_ctx,
+ model_ops, process_context);
case NCALRPC:
- return dcesrv_add_ep_ncalrpc(dce_ctx, lp_ctx, e, event_ctx, model_ops);
+ return dcesrv_add_ep_ncalrpc(dce_ctx, lp_ctx, e, event_ctx,
+ model_ops, process_context);
case NCACN_IP_TCP:
- return dcesrv_add_ep_tcp(dce_ctx, lp_ctx, e, event_ctx, model_ops);
+ return dcesrv_add_ep_tcp(dce_ctx, lp_ctx, e, event_ctx,
+ model_ops, process_context);
case NCACN_NP:
- return dcesrv_add_ep_np(dce_ctx, lp_ctx, e, event_ctx, model_ops);
+ return dcesrv_add_ep_np(dce_ctx, lp_ctx, e, event_ctx,
+ model_ops, process_context);
default:
return NT_STATUS_NOT_SUPPORTED;
*/
_PUBLIC_ struct cli_credentials *dcesrv_call_credentials(struct dcesrv_call_state *dce_call)
{
- return dce_call->conn->auth_state.session_info->credentials;
+ struct dcesrv_auth *auth = dce_call->auth_state;
+ SMB_ASSERT(auth->auth_finished);
+ return auth->session_info->credentials;
}
/**
*/
_PUBLIC_ bool dcesrv_call_authenticated(struct dcesrv_call_state *dce_call)
{
+ struct dcesrv_auth *auth = dce_call->auth_state;
enum security_user_level level;
- level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+ SMB_ASSERT(auth->auth_finished);
+ level = security_session_user_level(auth->session_info, NULL);
return level >= SECURITY_USER;
}
*/
_PUBLIC_ const char *dcesrv_call_account_name(struct dcesrv_call_state *dce_call)
{
- return dce_call->context->conn->auth_state.session_info->info->account_name;
+ struct dcesrv_auth *auth = dce_call->auth_state;
+ SMB_ASSERT(auth->auth_finished);
+ return auth->session_info->info->account_name;
+}
+
+/**
+ * retrieve session_info from a dce_call
+ */
+_PUBLIC_ struct auth_session_info *dcesrv_call_session_info(struct dcesrv_call_state *dce_call)
+{
+ struct dcesrv_auth *auth = dce_call->auth_state;
+ SMB_ASSERT(auth->auth_finished);
+ return auth->session_info;
+}
+
+/**
+ * retrieve auth type/level from a dce_call
+ */
+_PUBLIC_ void dcesrv_call_auth_info(struct dcesrv_call_state *dce_call,
+ enum dcerpc_AuthType *auth_type,
+ enum dcerpc_AuthLevel *auth_level)
+{
+ struct dcesrv_auth *auth = dce_call->auth_state;
+
+ SMB_ASSERT(auth->auth_finished);
+
+ if (auth_type != NULL) {
+ *auth_type = auth->auth_type;
+ }
+ if (auth_level != NULL) {
+ *auth_level = auth->auth_level;
+ }
}