X-Git-Url: http://git.samba.org/samba.git/?p=bbaumbach%2Fsamba-autobuild%2F.git;a=blobdiff_plain;f=source3%2Frpc_client%2Fcli_pipe.c;h=f67869ffd503f0884dc165d01d90f9eec4fbf052;hp=1b049de4c00dddcd40bd6ed8f3a1167ab7b035d0;hb=ee4eab14f16f967188a1e68fcf27e8e9fd653eeb;hpb=c0761c3eae34175d772476006caf5caad68bd8c6 diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 1b049de4c00..f67869ffd50 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -20,6 +20,7 @@ */ #include "includes.h" +#include "libsmb/namequery.h" #include "../lib/util/tevent_ntstatus.h" #include "librpc/gen_ndr/ndr_epmapper_c.h" #include "../librpc/gen_ndr/ndr_dssetup.h" @@ -56,9 +57,9 @@ static const char *rpccli_pipe_txt(TALLOC_CTX *mem_ctx, Rpc pipe call id. ********************************************************************/ -static uint32 get_rpc_call_id(void) +static uint32_t get_rpc_call_id(void) { - static uint32 call_id = 0; + static uint32_t call_id = 0; return ++call_id; } @@ -391,9 +392,9 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, DATA_BLOB *rdata, DATA_BLOB *reply_pdu) { - struct dcerpc_response *r; - NTSTATUS ret = NT_STATUS_OK; - size_t pad_len = 0; + const struct dcerpc_response *r = NULL; + DATA_BLOB tmp_stub = data_blob_null; + NTSTATUS ret; /* * Point the return values at the real data including the RPC @@ -401,50 +402,128 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, */ *rdata = *pdu; + if ((pkt->ptype == DCERPC_PKT_BIND_ACK) && + !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) { + /* + * TODO: do we still need this hack which was introduced + * in commit a42afcdcc7ab9aa9ed193ae36d3dbb10843447f0. + * + * I don't even know what AS/U might be... + */ + DEBUG(5, (__location__ ": bug in server (AS/U?), setting " + "fragment first/last ON.\n")); + pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST; + } + /* Ensure we have the correct type. */ switch (pkt->ptype) { - case DCERPC_PKT_ALTER_RESP: + case DCERPC_PKT_BIND_NAK: + DEBUG(1, (__location__ ": Bind NACK received from %s!\n", + rpccli_pipe_txt(talloc_tos(), cli))); + + ret = dcerpc_verify_ncacn_packet_header(pkt, + DCERPC_PKT_BIND_NAK, + 0, /* max_auth_info */ + DCERPC_PFC_FLAG_FIRST | + DCERPC_PFC_FLAG_LAST, + 0); /* optional flags */ + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(1, (__location__ ": Connection to %s got an unexpected " + "RPC packet type - %u, expected %u: %s\n", + rpccli_pipe_txt(talloc_tos(), cli), + pkt->ptype, expected_pkt_type, + nt_errstr(ret))); + NDR_PRINT_DEBUG(ncacn_packet, pkt); + return ret; + } + + /* Use this for now... */ + return NT_STATUS_NETWORK_ACCESS_DENIED; + case DCERPC_PKT_BIND_ACK: + ret = dcerpc_verify_ncacn_packet_header(pkt, + expected_pkt_type, + pkt->u.bind_ack.auth_info.length, + DCERPC_PFC_FLAG_FIRST | + DCERPC_PFC_FLAG_LAST, + DCERPC_PFC_FLAG_CONC_MPX | + DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(1, (__location__ ": Connection to %s got an unexpected " + "RPC packet type - %u, expected %u: %s\n", + rpccli_pipe_txt(talloc_tos(), cli), + pkt->ptype, expected_pkt_type, + nt_errstr(ret))); + NDR_PRINT_DEBUG(ncacn_packet, pkt); + return ret; + } - /* Client code never receives this kind of packets */ break; + case DCERPC_PKT_ALTER_RESP: + ret = dcerpc_verify_ncacn_packet_header(pkt, + expected_pkt_type, + pkt->u.alter_resp.auth_info.length, + DCERPC_PFC_FLAG_FIRST | + DCERPC_PFC_FLAG_LAST, + DCERPC_PFC_FLAG_CONC_MPX | + DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(1, (__location__ ": Connection to %s got an unexpected " + "RPC packet type - %u, expected %u: %s\n", + rpccli_pipe_txt(talloc_tos(), cli), + pkt->ptype, expected_pkt_type, + nt_errstr(ret))); + NDR_PRINT_DEBUG(ncacn_packet, pkt); + return ret; + } + + break; case DCERPC_PKT_RESPONSE: r = &pkt->u.response; + ret = dcerpc_verify_ncacn_packet_header(pkt, + expected_pkt_type, + r->stub_and_verifier.length, + 0, /* required_flags */ + DCERPC_PFC_FLAG_FIRST | + DCERPC_PFC_FLAG_LAST); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(1, (__location__ ": Connection to %s got an unexpected " + "RPC packet type - %u, expected %u: %s\n", + rpccli_pipe_txt(talloc_tos(), cli), + pkt->ptype, expected_pkt_type, + nt_errstr(ret))); + NDR_PRINT_DEBUG(ncacn_packet, pkt); + return ret; + } + + tmp_stub.data = r->stub_and_verifier.data; + tmp_stub.length = r->stub_and_verifier.length; + /* Here's where we deal with incoming sign/seal. */ ret = dcerpc_check_auth(cli->auth, pkt, - &r->stub_and_verifier, + &tmp_stub, DCERPC_RESPONSE_LENGTH, - pdu, &pad_len); + pdu); if (!NT_STATUS_IS_OK(ret)) { + DEBUG(1, (__location__ ": Connection to %s got an unexpected " + "RPC packet type - %u, expected %u: %s\n", + rpccli_pipe_txt(talloc_tos(), cli), + pkt->ptype, expected_pkt_type, + nt_errstr(ret))); + NDR_PRINT_DEBUG(ncacn_packet, pkt); return ret; } - if (pkt->frag_length < DCERPC_RESPONSE_LENGTH + pad_len) { - return NT_STATUS_BUFFER_TOO_SMALL; - } - /* Point the return values at the NDR data. */ - rdata->data = r->stub_and_verifier.data; - - if (pkt->auth_length) { - /* We've already done integer wrap tests in - * dcerpc_check_auth(). */ - rdata->length = r->stub_and_verifier.length - - pad_len - - DCERPC_AUTH_TRAILER_LENGTH - - pkt->auth_length; - } else { - rdata->length = r->stub_and_verifier.length; - } + *rdata = tmp_stub; - DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n", + DEBUG(10, ("Got pdu len %lu, data_len %lu\n", (long unsigned int)pdu->length, - (long unsigned int)rdata->length, - (unsigned int)pad_len)); + (long unsigned int)rdata->length)); /* * If this is the first reply, and the allocation hint is @@ -465,14 +544,24 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, break; - case DCERPC_PKT_BIND_NAK: - DEBUG(1, (__location__ ": Bind NACK received from %s!\n", - rpccli_pipe_txt(talloc_tos(), cli))); - /* Use this for now... */ - return NT_STATUS_NETWORK_ACCESS_DENIED; - case DCERPC_PKT_FAULT: + ret = dcerpc_verify_ncacn_packet_header(pkt, + DCERPC_PKT_FAULT, + 0, /* max_auth_info */ + DCERPC_PFC_FLAG_FIRST | + DCERPC_PFC_FLAG_LAST, + DCERPC_PFC_FLAG_DID_NOT_EXECUTE); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(1, (__location__ ": Connection to %s got an unexpected " + "RPC packet type - %u, expected %u: %s\n", + rpccli_pipe_txt(talloc_tos(), cli), + pkt->ptype, expected_pkt_type, + nt_errstr(ret))); + NDR_PRINT_DEBUG(ncacn_packet, pkt); + return ret; + } + DEBUG(1, (__location__ ": RPC fault code %s received " "from %s!\n", dcerpc_errstr(talloc_tos(), @@ -489,13 +578,6 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, return NT_STATUS_RPC_PROTOCOL_ERROR; } - if (pkt->ptype != expected_pkt_type) { - DEBUG(3, (__location__ ": Connection to %s got an unexpected " - "RPC packet type - %u, not %u\n", - rpccli_pipe_txt(talloc_tos(), cli), - pkt->ptype, expected_pkt_type)); - return NT_STATUS_RPC_PROTOCOL_ERROR; - } if (pkt->call_id != call_id) { DEBUG(3, (__location__ ": Connection to %s got an unexpected " @@ -505,17 +587,6 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, return NT_STATUS_RPC_PROTOCOL_ERROR; } - /* Do this just before return - we don't want to modify any rpc header - data before now as we may have needed to do cryptographic actions on - it before. */ - - if ((pkt->ptype == DCERPC_PKT_BIND_ACK) && - !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) { - DEBUG(5, (__location__ ": bug in server (AS/U?), setting " - "fragment first/last ON.\n")); - pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST; - } - return NT_STATUS_OK; } @@ -866,25 +937,32 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) state->pkt = talloc(state, struct ncacn_packet); if (!state->pkt) { + /* + * TODO: do a real async disconnect ... + * + * For now do it sync... + */ + TALLOC_FREE(state->cli->transport); tevent_req_nterror(req, NT_STATUS_NO_MEMORY); return; } status = dcerpc_pull_ncacn_packet(state->pkt, &state->incoming_frag, - state->pkt, - !state->endianess); + state->pkt); if (!NT_STATUS_IS_OK(status)) { + /* + * TODO: do a real async disconnect ... + * + * For now do it sync... + */ + TALLOC_FREE(state->cli->transport); tevent_req_nterror(req, status); return; } - if (state->incoming_frag.length != state->pkt->frag_length) { - DEBUG(5, ("Incorrect pdu length %u, expected %u\n", - (unsigned int)state->incoming_frag.length, - (unsigned int)state->pkt->frag_length)); - tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); - return; + if (DEBUGLEVEL >= 10) { + NDR_PRINT_DEBUG(ncacn_packet, state->pkt); } status = cli_pipe_validate_current_pdu(state, @@ -900,6 +978,28 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) (unsigned)state->reply_pdu_offset, nt_errstr(status))); + if (state->pkt->ptype != DCERPC_PKT_FAULT && !NT_STATUS_IS_OK(status)) { + /* + * TODO: do a real async disconnect ... + * + * For now do it sync... + */ + TALLOC_FREE(state->cli->transport); + } else if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) { + /* + * TODO: do a real async disconnect ... + * + * For now do it sync... + */ + TALLOC_FREE(state->cli->transport); + } else if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) { + /* + * TODO: do a real async disconnect ... + * + * For now do it sync... + */ + TALLOC_FREE(state->cli->transport); + } if (!NT_STATUS_IS_OK(status)) { tevent_req_nterror(req, status); return; @@ -924,7 +1024,24 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) "%s\n", state->endianess?"little":"big", state->pkt->drep[0]?"little":"big")); - tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + /* + * TODO: do a real async disconnect ... + * + * For now do it sync... + */ + TALLOC_FREE(state->cli->transport); + tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); + return; + } + + if (state->reply_pdu_offset + rdata.length > MAX_RPC_DATA_SIZE) { + /* + * TODO: do a real async disconnect ... + * + * For now do it sync... + */ + TALLOC_FREE(state->cli->transport); + tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); return; } @@ -932,6 +1049,12 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) { if (!data_blob_realloc(NULL, &state->reply_pdu, state->reply_pdu_offset + rdata.length)) { + /* + * TODO: do a real async disconnect ... + * + * For now do it sync... + */ + TALLOC_FREE(state->cli->transport); tevent_req_nterror(req, NT_STATUS_NO_MEMORY); return; } @@ -960,6 +1083,14 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) subreq = get_complete_frag_send(state, state->ev, state->cli, &state->incoming_frag); + if (subreq == NULL) { + /* + * TODO: do a real async disconnect ... + * + * For now do it sync... + */ + TALLOC_FREE(state->cli->transport); + } if (tevent_req_nomem(subreq, req)) { return; } @@ -1007,11 +1138,10 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli, DATA_BLOB null_blob = data_blob_null; NTSTATUS status; - gensec_security = talloc_get_type_abort(cli->auth->auth_ctx, - struct gensec_security); + gensec_security = cli->auth->auth_ctx; DEBUG(5, ("create_generic_auth_rpc_bind_req: generate first token\n")); - status = gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token); + status = gensec_update(gensec_security, mem_ctx, null_blob, auth_token); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) @@ -1019,11 +1149,18 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli, return status; } - if (client_hdr_signing != NULL) { - *client_hdr_signing = gensec_have_feature(gensec_security, - GENSEC_FEATURE_SIGN_PKT_HEADER); + if (client_hdr_signing == NULL) { + return status; } + if (cli->auth->auth_level < DCERPC_AUTH_LEVEL_PACKET) { + *client_hdr_signing = false; + return status; + } + + *client_hdr_signing = gensec_have_feature(gensec_security, + GENSEC_FEATURE_SIGN_PKT_HEADER); + return status; } @@ -1033,14 +1170,14 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli, static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx, enum dcerpc_pkt_type ptype, - uint32 rpc_call_id, + uint32_t rpc_call_id, const struct ndr_syntax_id *abstract, const struct ndr_syntax_id *transfer, const DATA_BLOB *auth_info, bool client_hdr_signing, DATA_BLOB *blob) { - uint16 auth_len = auth_info->length; + uint16_t auth_len = auth_info->length; NTSTATUS status; union dcerpc_payload u; struct dcerpc_ctx_list ctx_list; @@ -1087,20 +1224,20 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx, static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx, struct rpc_pipe_client *cli, struct pipe_auth_data *auth, - uint32 rpc_call_id, + uint32_t rpc_call_id, const struct ndr_syntax_id *abstract, const struct ndr_syntax_id *transfer, DATA_BLOB *rpc_out) { DATA_BLOB auth_token = data_blob_null; DATA_BLOB auth_info = data_blob_null; - NTSTATUS ret = NT_STATUS_OK; + NTSTATUS ret; switch (auth->auth_type) { - case DCERPC_AUTH_TYPE_SCHANNEL: - case DCERPC_AUTH_TYPE_NTLMSSP: - case DCERPC_AUTH_TYPE_KRB5: - case DCERPC_AUTH_TYPE_SPNEGO: + case DCERPC_AUTH_TYPE_NONE: + break; + + default: ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token, &auth->client_hdr_signing); @@ -1110,19 +1247,6 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx, return ret; } break; - - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM: - auth_token = data_blob_talloc(mem_ctx, - "NCALRPC_AUTH_TOKEN", - 18); - break; - - case DCERPC_AUTH_TYPE_NONE: - break; - - default: - /* "Can't" happen. */ - return NT_STATUS_INVALID_INFO_CLASS; } if (auth_token.length != 0) { @@ -1130,7 +1254,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx, auth->auth_type, auth->auth_level, 0, /* auth_pad_length */ - 1, /* auth_context_id */ + auth->auth_context_id, &auth_token, &auth_info); if (!NT_STATUS_IS_OK(ret)) { @@ -1163,6 +1287,7 @@ struct rpc_api_pipe_req_state { uint8_t op_num; uint32_t call_id; const DATA_BLOB *req_data; + const struct GUID *object_uuid; uint32_t req_data_sent; DATA_BLOB req_trailer; uint32_t req_trailer_sent; @@ -1182,6 +1307,7 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct rpc_pipe_client *cli, uint8_t op_num, + const struct GUID *object_uuid, const DATA_BLOB *req_data) { struct tevent_req *req, *subreq; @@ -1197,6 +1323,7 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx, state->ev = ev; state->cli = cli; state->op_num = op_num; + state->object_uuid = object_uuid; state->req_data = req_data; state->req_data_sent = 0; state->call_id = get_rpc_call_id(); @@ -1263,7 +1390,7 @@ static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *stat return NT_STATUS_OK; } - if (a->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) { + if (a->auth_level < DCERPC_AUTH_LEVEL_PACKET) { return NT_STATUS_OK; } @@ -1405,7 +1532,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state, status = dcerpc_guess_sizes(state->cli->auth, DCERPC_REQUEST_LENGTH, total_left, state->cli->max_xmit_frag, - CLIENT_NDR_PADDING_SIZE, &total_thistime, &frag_len, &auth_len, &pad_len); if (!NT_STATUS_IS_OK(status)) { @@ -1433,6 +1559,12 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state, u.request.context_id = 0; u.request.opnum = state->op_num; + if (state->object_uuid) { + flags |= DCERPC_PFC_FLAG_OBJECT_UUID; + u.request.object.object = *state->object_uuid; + frag_len += ndr_size_GUID(state->object_uuid, 0); + } + status = dcerpc_push_ncacn_packet(state, DCERPC_PKT_REQUEST, flags, @@ -1474,8 +1606,8 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state, switch (state->cli->auth->auth_level) { case DCERPC_AUTH_LEVEL_NONE: case DCERPC_AUTH_LEVEL_CONNECT: - case DCERPC_AUTH_LEVEL_PACKET: break; + case DCERPC_AUTH_LEVEL_PACKET: case DCERPC_AUTH_LEVEL_INTEGRITY: case DCERPC_AUTH_LEVEL_PRIVACY: status = dcerpc_add_auth_footer(state->cli->auth, pad_len, @@ -1620,7 +1752,7 @@ static bool check_bind_response(const struct dcerpc_bind_ack *r, if (r->num_results != 0x1 || ctx.result != 0) { DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n", - r->num_results, ctx.reason)); + r->num_results, ctx.reason.value)); } DEBUG(5,("check_bind_response: accepted!\n")); @@ -1636,9 +1768,8 @@ static bool check_bind_response(const struct dcerpc_bind_ack *r, static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx, struct rpc_pipe_client *cli, - uint32 rpc_call_id, - enum dcerpc_AuthType auth_type, - enum dcerpc_AuthLevel auth_level, + struct pipe_auth_data *auth, + uint32_t rpc_call_id, DATA_BLOB *pauth_blob, DATA_BLOB *rpc_out) { @@ -1648,10 +1779,10 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx, u.auth3._pad = 0; status = dcerpc_push_dcerpc_auth(mem_ctx, - auth_type, - auth_level, + auth->auth_type, + auth->auth_level, 0, /* auth_pad_length */ - 1, /* auth_context_id */ + auth->auth_context_id, pauth_blob, &u.auth3.auth_info); if (!NT_STATUS_IS_OK(status)) { @@ -1681,9 +1812,8 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx, ********************************************************************/ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx, - enum dcerpc_AuthType auth_type, - enum dcerpc_AuthLevel auth_level, - uint32 rpc_call_id, + struct pipe_auth_data *auth, + uint32_t rpc_call_id, const struct ndr_syntax_id *abstract, const struct ndr_syntax_id *transfer, const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */ @@ -1693,10 +1823,10 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx, NTSTATUS status; status = dcerpc_push_dcerpc_auth(mem_ctx, - auth_type, - auth_level, + auth->auth_type, + auth->auth_level, 0, /* auth_pad_length */ - 1, /* auth_context_id */ + auth->auth_context_id, pauth_blob, &auth_info); if (!NT_STATUS_IS_OK(status)) { @@ -1823,42 +1953,63 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq) return; } + if (pkt->ptype == DCERPC_PKT_BIND_ACK) { + if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) { + if (pauth->client_hdr_signing) { + pauth->hdr_signing = true; + } + } + } + state->cli->max_xmit_frag = pkt->u.bind_ack.max_xmit_frag; - state->cli->max_recv_frag = pkt->u.bind_ack.max_recv_frag; switch(pauth->auth_type) { case DCERPC_AUTH_TYPE_NONE: - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM: /* Bind complete. */ tevent_req_done(req); return; - case DCERPC_AUTH_TYPE_SCHANNEL: - case DCERPC_AUTH_TYPE_NTLMSSP: - case DCERPC_AUTH_TYPE_SPNEGO: - case DCERPC_AUTH_TYPE_KRB5: - /* Paranoid lenght checks */ - if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH - + pkt->auth_length) { - tevent_req_nterror(req, - NT_STATUS_INFO_LENGTH_MISMATCH); + default: + if (pkt->auth_length == 0) { + tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); return; } + /* get auth credentials */ - status = dcerpc_pull_dcerpc_auth(talloc_tos(), - &pkt->u.bind_ack.auth_info, - &auth, false); + status = dcerpc_pull_auth_trailer(pkt, talloc_tos(), + &pkt->u.bind_ack.auth_info, + &auth, NULL, true); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to pull dcerpc auth: %s.\n", nt_errstr(status))); tevent_req_nterror(req, status); return; } - break; - default: - goto err_out; + if (auth.auth_type != pauth->auth_type) { + DEBUG(0, (__location__ " Auth type %u mismatch expected %u.\n", + auth.auth_type, pauth->auth_type)); + tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); + return; + } + + if (auth.auth_level != pauth->auth_level) { + DEBUG(0, (__location__ " Auth level %u mismatch expected %u.\n", + auth.auth_level, pauth->auth_level)); + tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); + return; + } + + if (auth.auth_context_id != pauth->auth_context_id) { + DEBUG(0, (__location__ " Auth context id %u mismatch expected %u.\n", + (unsigned)auth.auth_context_id, + (unsigned)pauth->auth_context_id)); + tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); + return; + } + + break; } /* @@ -1868,33 +2019,26 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq) switch(pauth->auth_type) { case DCERPC_AUTH_TYPE_NONE: - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM: /* Bind complete. */ tevent_req_done(req); return; - case DCERPC_AUTH_TYPE_SCHANNEL: - case DCERPC_AUTH_TYPE_NTLMSSP: - case DCERPC_AUTH_TYPE_KRB5: - case DCERPC_AUTH_TYPE_SPNEGO: - gensec_security = talloc_get_type_abort(pauth->auth_ctx, - struct gensec_security); + default: + gensec_security = pauth->auth_ctx; - if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) { - if (pauth->client_hdr_signing) { - pauth->hdr_signing = true; - gensec_want_feature(gensec_security, - GENSEC_FEATURE_SIGN_PKT_HEADER); - } - } - status = gensec_update(gensec_security, state, NULL, + status = gensec_update(gensec_security, state, auth.credentials, &auth_token); if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { status = rpc_bind_next_send(req, state, &auth_token); } else if (NT_STATUS_IS_OK(status)) { + if (pauth->hdr_signing) { + gensec_want_feature(gensec_security, + GENSEC_FEATURE_SIGN_PKT_HEADER); + } + if (auth_token.length == 0) { /* Bind complete. */ tevent_req_done(req); @@ -1904,20 +2048,12 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq) &auth_token); } break; - - default: - goto err_out; } if (!NT_STATUS_IS_OK(status)) { tevent_req_nterror(req, status); } return; - -err_out: - DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n", - (unsigned int)state->cli->auth->auth_type)); - tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); } static NTSTATUS rpc_bind_next_send(struct tevent_req *req, @@ -1931,9 +2067,7 @@ static NTSTATUS rpc_bind_next_send(struct tevent_req *req, /* Now prepare the alter context pdu. */ data_blob_free(&state->rpc_out); - status = create_rpc_alter_context(state, - auth->auth_type, - auth->auth_level, + status = create_rpc_alter_context(state, auth, state->rpc_call_id, &state->cli->abstract_syntax, &state->cli->transfer_syntax, @@ -1966,10 +2100,8 @@ static NTSTATUS rpc_bind_finish_send(struct tevent_req *req, /* Now prepare the auth3 context pdu. */ data_blob_free(&state->rpc_out); - status = create_rpc_bind_auth3(state, state->cli, + status = create_rpc_bind_auth3(state, state->cli, auth, state->rpc_call_id, - auth->auth_type, - auth->auth_level, auth_token, &state->rpc_out); if (!NT_STATUS_IS_OK(status)) { @@ -2011,8 +2143,7 @@ NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli, goto fail; } - if (!tevent_req_poll(req, ev)) { - status = map_nt_error_from_unix(errno); + if (!tevent_req_poll_ntstatus(req, ev, &status)) { goto fail; } @@ -2137,7 +2268,7 @@ static struct tevent_req *rpccli_bh_raw_call_send(TALLOC_CTX *mem_ctx, } subreq = rpc_api_pipe_req_send(state, ev, hs->rpc_cli, - opnum, &state->in_data); + opnum, object, &state->in_data); if (tevent_req_nomem(subreq, req)) { return tevent_req_post(req, ev); } @@ -2222,8 +2353,9 @@ static struct tevent_req *rpccli_bh_disconnect_send(TALLOC_CTX *mem_ctx, /* * TODO: do a real async disconnect ... * - * For now the caller needs to free rpc_cli + * For now we do it sync... */ + TALLOC_FREE(hs->rpc_cli->transport); hs->rpc_cli = NULL; tevent_req_done(req); @@ -2310,50 +2442,54 @@ struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c, return h; } -NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx, - struct pipe_auth_data **presult) +NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx, + struct pipe_auth_data **presult) { struct pipe_auth_data *result; + struct auth_generic_state *auth_generic_ctx; + NTSTATUS status; result = talloc_zero(mem_ctx, struct pipe_auth_data); if (result == NULL) { return NT_STATUS_NO_MEMORY; } - result->auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM; - result->auth_level = DCERPC_AUTH_LEVEL_CONNECT; + result->auth_type = DCERPC_AUTH_TYPE_NONE; + result->auth_level = DCERPC_AUTH_LEVEL_NONE; + result->auth_context_id = 0; - result->user_name = talloc_strdup(result, ""); - result->domain = talloc_strdup(result, ""); - if ((result->user_name == NULL) || (result->domain == NULL)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; + status = auth_generic_client_prepare(result, + &auth_generic_ctx); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to create auth_generic context: %s\n", + nt_errstr(status))); } - *presult = result; - return NT_STATUS_OK; -} - -NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx, - struct pipe_auth_data **presult) -{ - struct pipe_auth_data *result; - - result = talloc_zero(mem_ctx, struct pipe_auth_data); - if (result == NULL) { - return NT_STATUS_NO_MEMORY; + status = auth_generic_set_username(auth_generic_ctx, ""); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to set username: %s\n", + nt_errstr(status))); } - result->auth_type = DCERPC_AUTH_TYPE_NONE; - result->auth_level = DCERPC_AUTH_LEVEL_NONE; + status = auth_generic_set_domain(auth_generic_ctx, ""); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to set domain: %s\n", + nt_errstr(status))); + return status; + } - result->user_name = talloc_strdup(result, ""); - result->domain = talloc_strdup(result, ""); - if ((result->user_name == NULL) || (result->domain == NULL)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; + status = gensec_set_credentials(auth_generic_ctx->gensec_security, + auth_generic_ctx->credentials); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to set GENSEC credentials: %s\n", + nt_errstr(status))); + return status; } + talloc_unlink(auth_generic_ctx, auth_generic_ctx->credentials); + auth_generic_ctx->credentials = NULL; + result->auth_ctx = talloc_move(result, &auth_generic_ctx->gensec_security); + talloc_free(auth_generic_ctx); *presult = result; return NT_STATUS_OK; } @@ -2381,13 +2517,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx, result->auth_type = auth_type; result->auth_level = auth_level; - - result->user_name = talloc_strdup(result, username); - result->domain = talloc_strdup(result, domain); - if ((result->user_name == NULL) || (result->domain == NULL)) { - status = NT_STATUS_NO_MEMORY; - goto fail; - } + result->auth_context_id = 1; status = auth_generic_client_prepare(result, &auth_generic_ctx); @@ -2438,6 +2568,80 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx, return status; } +/* This routine steals the creds pointer that is passed in */ +static NTSTATUS rpccli_generic_bind_data_from_creds(TALLOC_CTX *mem_ctx, + enum dcerpc_AuthType auth_type, + enum dcerpc_AuthLevel auth_level, + const char *server, + const char *target_service, + struct cli_credentials *creds, + struct pipe_auth_data **presult) +{ + struct auth_generic_state *auth_generic_ctx; + struct pipe_auth_data *result; + NTSTATUS status; + + result = talloc_zero(mem_ctx, struct pipe_auth_data); + if (result == NULL) { + return NT_STATUS_NO_MEMORY; + } + + result->auth_type = auth_type; + result->auth_level = auth_level; + result->auth_context_id = 1; + + status = auth_generic_client_prepare(result, + &auth_generic_ctx); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + status = auth_generic_set_creds(auth_generic_ctx, creds); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + status = gensec_set_target_service(auth_generic_ctx->gensec_security, target_service); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + status = gensec_set_target_hostname(auth_generic_ctx->gensec_security, server); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + result->auth_ctx = talloc_move(result, &auth_generic_ctx->gensec_security); + talloc_free(auth_generic_ctx); + *presult = result; + return NT_STATUS_OK; + + fail: + TALLOC_FREE(result); + return status; +} + +NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx, + struct pipe_auth_data **presult) +{ + return rpccli_generic_bind_data(mem_ctx, + DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM, + DCERPC_AUTH_LEVEL_CONNECT, + NULL, /* server */ + "host", /* target_service */ + NAME_NT_AUTHORITY, /* domain */ + "SYSTEM", + NULL, /* password */ + CRED_DONT_USE_KERBEROS, + NULL, /* netlogon_creds_CredentialState */ + presult); +} + /** * Create an rpc pipe client struct, connecting to a tcp port. */ @@ -2461,15 +2665,19 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host, result->transfer_syntax = ndr_transfer_syntax_ndr; result->desthost = talloc_strdup(result, host); + if (result->desthost == NULL) { + status = NT_STATUS_NO_MEMORY; + goto fail; + } + result->srv_name_slash = talloc_asprintf_strupper_m( result, "\\\\%s", result->desthost); - if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) { + if (result->srv_name_slash == NULL) { status = NT_STATUS_NO_MEMORY; goto fail; } result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN; - result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN; if (ss_addr == NULL) { if (!resolve_name(host, &addr, NBT_NAME_SERVER, false)) { @@ -2524,6 +2732,8 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host, struct pipe_auth_data *auth = NULL; struct dcerpc_binding *map_binding = NULL; struct dcerpc_binding *res_binding = NULL; + enum dcerpc_transport_t transport; + const char *endpoint = NULL; struct epm_twr_t *map_tower = NULL; struct epm_twr_t *res_towers = NULL; struct policy_handle *entry_handle = NULL; @@ -2567,16 +2777,17 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host, /* create tower for asking the epmapper */ - map_binding = talloc_zero(tmp_ctx, struct dcerpc_binding); - if (map_binding == NULL) { - status = NT_STATUS_NO_MEMORY; + status = dcerpc_parse_binding(tmp_ctx, "ncacn_ip_tcp:[135]", + &map_binding); + if (!NT_STATUS_IS_OK(status)) { goto done; } - map_binding->transport = NCACN_IP_TCP; - map_binding->object = table->syntax_id; - map_binding->host = host; /* needed? */ - map_binding->endpoint = "0"; /* correct? needed? */ + status = dcerpc_binding_set_abstract_syntax(map_binding, + &table->syntax_id); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } map_tower = talloc_zero(tmp_ctx, struct epm_twr_t); if (map_tower == NULL) { @@ -2641,13 +2852,21 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host, goto done; } + transport = dcerpc_binding_get_transport(res_binding); + endpoint = dcerpc_binding_get_string_option(res_binding, "endpoint"); + /* are further checks here necessary? */ - if (res_binding->transport != NCACN_IP_TCP) { - status = NT_STATUS_UNSUCCESSFUL; + if (transport != NCACN_IP_TCP) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto done; + } + + if (endpoint == NULL) { + status = NT_STATUS_INVALID_NETWORK_RESPONSE; goto done; } - *pport = (uint16_t)atoi(res_binding->endpoint); + *pport = (uint16_t)atoi(endpoint); done: TALLOC_FREE(tmp_ctx); @@ -2698,15 +2917,19 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path, result->transfer_syntax = ndr_transfer_syntax_ndr; result->desthost = get_myname(result); + if (result->desthost == NULL) { + status = NT_STATUS_NO_MEMORY; + goto fail; + } + result->srv_name_slash = talloc_asprintf_strupper_m( result, "\\\\%s", result->desthost); - if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) { + if (result->srv_name_slash == NULL) { status = NT_STATUS_NO_MEMORY; goto fail; } result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN; - result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN; fd = socket(AF_UNIX, SOCK_STREAM, 0); if (fd == -1) { @@ -2793,18 +3016,23 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli, result->abstract_syntax = table->syntax_id; result->transfer_syntax = ndr_transfer_syntax_ndr; - result->desthost = talloc_strdup(result, smbXcli_conn_remote_name(cli->conn)); - result->srv_name_slash = talloc_asprintf_strupper_m( - result, "\\\\%s", result->desthost); - result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN; - result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN; + result->desthost = talloc_strdup( + result, smbXcli_conn_remote_name(cli->conn)); + if (result->desthost == NULL) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } - if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) { + result->srv_name_slash = talloc_asprintf_strupper_m( + result, "\\\\%s", result->desthost); + if (result->srv_name_slash == NULL) { TALLOC_FREE(result); return NT_STATUS_NO_MEMORY; } + result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN; + status = rpc_transport_np_init(result, cli, table, &result->transport); if (!NT_STATUS_IS_OK(status)) { @@ -2889,12 +3117,6 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, * from the enclosing SMB creds */ - TALLOC_FREE(auth->user_name); - TALLOC_FREE(auth->domain); - - auth->user_name = talloc_strdup(auth, cli->user_name); - auth->domain = talloc_strdup(auth, cli->domain); - if (transport == NCACN_NP) { struct smbXcli_session *session; @@ -2911,11 +3133,6 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, } } - if ((auth->user_name == NULL) || (auth->domain == NULL)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - status = rpc_pipe_bind(result, auth); if (!NT_STATUS_IS_OK(status)) { int lvl = 0; @@ -2955,6 +3172,65 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, /**************************************************************************** Open a named pipe to an SMB server and bind using the mech specified + + This routine references the creds pointer that is passed in + ****************************************************************************/ + +NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli, + const struct ndr_interface_table *table, + enum dcerpc_transport_t transport, + enum dcerpc_AuthType auth_type, + enum dcerpc_AuthLevel auth_level, + const char *server, + struct cli_credentials *creds, + struct rpc_pipe_client **presult) +{ + struct rpc_pipe_client *result; + struct pipe_auth_data *auth = NULL; + const char *target_service = table->authservices->names[0]; + NTSTATUS status; + + status = cli_rpc_pipe_open(cli, transport, table, &result); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = rpccli_generic_bind_data_from_creds(result, + auth_type, auth_level, + server, target_service, + creds, + &auth); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("rpccli_generic_bind_data_from_creds returned %s\n", + nt_errstr(status)); + goto err; + } + + status = rpc_pipe_bind(result, auth); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("cli_rpc_pipe_bind failed with error %s\n", + nt_errstr(status)); + goto err; + } + + DBG_DEBUG("opened pipe %s to machine %s and bound as user %s.\n", + table->name, + result->desthost, + cli_credentials_get_unparsed_name(creds, talloc_tos())); + + *presult = result; + return NT_STATUS_OK; + + err: + + TALLOC_FREE(result); + return status; +} + +/**************************************************************************** + Open a named pipe to an SMB server and bind using the mech specified + + This routine steals the creds pointer that is passed in ****************************************************************************/ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli, @@ -3012,163 +3288,123 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli, return status; } -/**************************************************************************** - External interface. - Open a named pipe to an SMB server and bind using schannel (bind type 68) - using session_key. sign and seal. - - The *pdc will be stolen onto this new pipe - ****************************************************************************/ - -NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, - const struct ndr_interface_table *table, - enum dcerpc_transport_t transport, - const char *domain, - struct netlogon_creds_cli_context *netlogon_creds, - struct rpc_pipe_client **_rpccli) +NTSTATUS cli_rpc_pipe_open_bind_schannel( + struct cli_state *cli, + const struct ndr_interface_table *table, + enum dcerpc_transport_t transport, + struct netlogon_creds_cli_context *netlogon_creds, + struct rpc_pipe_client **_rpccli) { struct rpc_pipe_client *rpccli; struct pipe_auth_data *rpcauth; - struct netlogon_creds_CredentialState *creds = NULL; + const char *target_service = table->authservices->names[0]; + struct cli_credentials *cli_creds; enum dcerpc_AuthLevel auth_level; NTSTATUS status; - const char *target_service = table->authservices->names[0]; - int rpc_pipe_bind_dbglvl = 0; status = cli_rpc_pipe_open(cli, transport, table, &rpccli); if (!NT_STATUS_IS_OK(status)) { return status; } - status = netlogon_creds_cli_lock(netlogon_creds, rpccli, &creds); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("netlogon_creds_cli_get returned %s\n", - nt_errstr(status))); - TALLOC_FREE(rpccli); - return status; - } - auth_level = netlogon_creds_cli_auth_level(netlogon_creds); - status = rpccli_generic_bind_data(rpccli, - DCERPC_AUTH_TYPE_SCHANNEL, - auth_level, - NULL, - target_service, - domain, - creds->computer_name, - NULL, - CRED_AUTO_USE_KERBEROS, - creds, - &rpcauth); + status = netlogon_creds_bind_cli_credentials( + netlogon_creds, rpccli, &cli_creds); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("rpccli_generic_bind_data returned %s\n", - nt_errstr(status))); + DBG_DEBUG("netlogon_creds_bind_cli_credentials failed: %s\n", + nt_errstr(status)); TALLOC_FREE(rpccli); return status; } - status = rpc_pipe_bind(rpccli, rpcauth); - if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { - rpc_pipe_bind_dbglvl = 1; - netlogon_creds_cli_delete(netlogon_creds, &creds); - } + status = rpccli_generic_bind_data_from_creds(rpccli, + DCERPC_AUTH_TYPE_SCHANNEL, + auth_level, + rpccli->desthost, + target_service, + cli_creds, + &rpcauth); if (!NT_STATUS_IS_OK(status)) { - DEBUG(rpc_pipe_bind_dbglvl, - ("cli_rpc_pipe_open_schannel_with_key: " - "rpc_pipe_bind failed with error %s\n", - nt_errstr(status))); + DEBUG(0, ("rpccli_generic_bind_data_from_creds returned %s\n", + nt_errstr(status))); TALLOC_FREE(rpccli); return status; } - TALLOC_FREE(creds); + status = rpc_pipe_bind(rpccli, rpcauth); - if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) { - goto done; - } + /* No TALLOC_FREE, gensec takes references */ + talloc_unlink(rpccli, cli_creds); + cli_creds = NULL; - status = netlogon_creds_cli_check(netlogon_creds, - rpccli->binding_handle); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("netlogon_creds_cli_check failed with %s\n", - nt_errstr(status))); + DBG_DEBUG("rpc_pipe_bind failed with error %s\n", + nt_errstr(status)); TALLOC_FREE(rpccli); return status; } - -done: - DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s " - "for domain %s and bound using schannel.\n", - table->name, - rpccli->desthost, domain)); - *_rpccli = rpccli; + return NT_STATUS_OK; } -NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli, - const struct ndr_interface_table *table, - enum dcerpc_transport_t transport, - const char *oid, - enum dcerpc_AuthLevel auth_level, - const char *server, - const char *domain, - const char *username, - const char *password, - struct rpc_pipe_client **presult) +NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli, + const struct ndr_interface_table *table, + enum dcerpc_transport_t transport, + struct netlogon_creds_cli_context *netlogon_creds, + struct rpc_pipe_client **_rpccli) { - struct rpc_pipe_client *result; - struct pipe_auth_data *auth = NULL; - const char *target_service = table->authservices->names[0]; - + TALLOC_CTX *frame = talloc_stackframe(); + struct rpc_pipe_client *rpccli; + struct netlogon_creds_cli_lck *lck; NTSTATUS status; - enum credentials_use_kerberos use_kerberos; - if (strcmp(oid, GENSEC_OID_KERBEROS5) == 0) { - use_kerberos = CRED_MUST_USE_KERBEROS; - } else if (strcmp(oid, GENSEC_OID_NTLMSSP) == 0) { - use_kerberos = CRED_DONT_USE_KERBEROS; - } else { - return NT_STATUS_INVALID_PARAMETER; - } - - status = cli_rpc_pipe_open(cli, transport, table, &result); + status = netlogon_creds_cli_lck( + netlogon_creds, NETLOGON_CREDS_CLI_LCK_EXCLUSIVE, + frame, &lck); if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("netlogon_creds_cli_lck returned %s\n", + nt_errstr(status)); + TALLOC_FREE(frame); return status; } - status = rpccli_generic_bind_data(result, - DCERPC_AUTH_TYPE_SPNEGO, auth_level, - server, target_service, - domain, username, password, - use_kerberos, NULL, - &auth); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("rpccli_generic_bind_data returned %s\n", - nt_errstr(status))); - goto err; + status = cli_rpc_pipe_open_bind_schannel( + cli, table, transport, netlogon_creds, &rpccli); + if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { + netlogon_creds_cli_delete_lck(netlogon_creds); } - - status = rpc_pipe_bind(result, auth); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("cli_rpc_pipe_open_spnego: cli_rpc_pipe_bind failed with error %s\n", - nt_errstr(status) )); - goto err; + DBG_DEBUG("cli_rpc_pipe_open_bind_schannel failed: %s\n", + nt_errstr(status)); + TALLOC_FREE(frame); + return status; } - DEBUG(10,("cli_rpc_pipe_open_spnego: opened pipe %s to " - "machine %s.\n", table->name, - result->desthost)); + if (ndr_syntax_id_equal(&table->syntax_id, + &ndr_table_netlogon.syntax_id)) { + status = netlogon_creds_cli_check(netlogon_creds, + rpccli->binding_handle, + NULL); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("netlogon_creds_cli_check failed with %s\n", + nt_errstr(status))); + TALLOC_FREE(frame); + return status; + } + } - *presult = result; - return NT_STATUS_OK; + DBG_DEBUG("opened pipe %s to machine %s with key %s " + "and bound using schannel.\n", + table->name, rpccli->desthost, + netlogon_creds_cli_debug_string(netlogon_creds, lck)); - err: + TALLOC_FREE(frame); - TALLOC_FREE(result); - return status; + *_rpccli = rpccli; + return NT_STATUS_OK; } NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx, @@ -3192,24 +3428,18 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx, } switch (cli->auth->auth_type) { - case DCERPC_AUTH_TYPE_SPNEGO: - case DCERPC_AUTH_TYPE_NTLMSSP: - case DCERPC_AUTH_TYPE_KRB5: - gensec_security = talloc_get_type_abort(a->auth_ctx, - struct gensec_security); - status = gensec_session_key(gensec_security, mem_ctx, &sk); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - make_dup = false; - break; - case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM: case DCERPC_AUTH_TYPE_NONE: sk = data_blob_const(a->transport_session_key.data, a->transport_session_key.length); make_dup = true; break; default: + gensec_security = a->auth_ctx; + status = gensec_session_key(gensec_security, mem_ctx, &sk); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + make_dup = false; break; }