raw dcerpc operations
Copyright (C) Tim Potter 2003
- Copyright (C) Andrew Tridgell 2003
+ Copyright (C) Andrew Tridgell 2003-2005
+ Copyright (C) Jelmer Vernooij 2004-2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
*/
#include "includes.h"
+#include "dlinklist.h"
+#include "lib/events/events.h"
+#include "librpc/gen_ndr/ndr_epmapper.h"
+#include "librpc/gen_ndr/ndr_dcerpc.h"
+#include "librpc/gen_ndr/ndr_misc.h"
+#include "libcli/composite/composite.h"
+#include "auth/gensec/gensec.h"
+
+static void dcerpc_ship_next_request(struct dcerpc_connection *c);
+
+/* destroy a dcerpc connection */
+static int dcerpc_connection_destructor(void *ptr)
+{
+ struct dcerpc_connection *c = ptr;
+ if (c->transport.shutdown_pipe) {
+ c->transport.shutdown_pipe(c);
+ }
+ return 0;
+}
+
-/* initialise a dcerpc pipe. This currently assumes a SMB named pipe
- transport */
-struct dcerpc_pipe *dcerpc_pipe_init(void)
+/* initialise a dcerpc connection.
+ the event context is optional
+*/
+struct dcerpc_connection *dcerpc_connection_init(TALLOC_CTX *mem_ctx,
+ struct event_context *ev)
{
- struct dcerpc_pipe *p;
+ struct dcerpc_connection *c;
- TALLOC_CTX *mem_ctx = talloc_init("dcerpc_tree");
- if (mem_ctx == NULL)
+ c = talloc_zero(mem_ctx, struct dcerpc_connection);
+ if (!c) {
return NULL;
+ }
+
+ if (ev == NULL) {
+ ev = event_context_init(c);
+ if (ev == NULL) {
+ talloc_free(c);
+ return NULL;
+ }
+ }
+
+ c->event_ctx = ev;
+ c->call_id = 1;
+ c->security_state.auth_info = NULL;
+ c->security_state.session_key = dcerpc_generic_session_key;
+ c->security_state.generic_state = NULL;
+ c->binding_string = NULL;
+ c->flags = 0;
+ c->srv_max_xmit_frag = 0;
+ c->srv_max_recv_frag = 0;
+ c->pending = NULL;
+
+ talloc_set_destructor(c, dcerpc_connection_destructor);
- p = talloc(mem_ctx, sizeof(*p));
+ return c;
+}
+
+/* initialise a dcerpc pipe. */
+struct dcerpc_pipe *dcerpc_pipe_init(TALLOC_CTX *mem_ctx, struct event_context *ev)
+{
+ struct dcerpc_pipe *p;
+
+ p = talloc(mem_ctx, struct dcerpc_pipe);
if (!p) {
- talloc_destroy(mem_ctx);
return NULL;
}
- p->reference_count = 0;
- p->mem_ctx = mem_ctx;
- p->call_id = 1;
- p->auth_info = NULL;
- p->ntlmssp_state = NULL;
- p->flags = 0;
- p->srv_max_xmit_frag = 0;
- p->srv_max_recv_frag = 0;
+ p->conn = dcerpc_connection_init(p, ev);
+ if (p->conn == NULL) {
+ talloc_free(p);
+ return NULL;
+ }
+
+ p->last_fault_code = 0;
+ p->context_id = 0;
+ p->request_timeout = DCERPC_REQUEST_TIMEOUT;
+
+ ZERO_STRUCT(p->syntax);
+ ZERO_STRUCT(p->transfer_syntax);
return p;
}
-/* close down a dcerpc over SMB pipe */
-void dcerpc_pipe_close(struct dcerpc_pipe *p)
+
+/*
+ choose the next call id to use
+*/
+static uint32_t next_call_id(struct dcerpc_connection *c)
{
- if (!p) return;
- p->reference_count--;
- if (p->reference_count <= 0) {
- if (p->ntlmssp_state) {
- ntlmssp_end(&p->ntlmssp_state);
- }
- p->transport.shutdown_pipe(p);
- talloc_destroy(p->mem_ctx);
+ c->call_id++;
+ if (c->call_id == 0) {
+ c->call_id++;
}
+ return c->call_id;
}
/* we need to be able to get/set the fragment length without doing a full
decode */
-void dcerpc_set_frag_length(DATA_BLOB *blob, uint16 v)
+void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
{
- if (CVAL(blob->data,DCERPC_DREP_OFFSET) & 0x10) {
+ if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
} else {
RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
}
}
-uint16 dcerpc_get_frag_length(DATA_BLOB *blob)
+uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
{
- if (CVAL(blob->data,DCERPC_DREP_OFFSET) & 0x10) {
+ if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
} else {
return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
}
}
-void dcerpc_set_auth_length(DATA_BLOB *blob, uint16 v)
+void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
{
- if (CVAL(blob->data,DCERPC_DREP_OFFSET) & 0x10) {
+ if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
} else {
RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
}
-/*
- parse a data blob into a dcerpc_packet structure. This handles both
- input and output packets
+/*
+ setup for a ndr pull, also setting up any flags from the binding string
*/
-static NTSTATUS dcerpc_pull(DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
- struct dcerpc_packet *pkt)
+static struct ndr_pull *ndr_pull_init_flags(struct dcerpc_connection *c,
+ DATA_BLOB *blob, TALLOC_CTX *mem_ctx)
{
- struct ndr_pull *ndr;
+ struct ndr_pull *ndr = ndr_pull_init_blob(blob, mem_ctx);
- ndr = ndr_pull_init_blob(blob, mem_ctx);
- if (!ndr) {
- return NT_STATUS_NO_MEMORY;
+ if (ndr == NULL) return ndr;
+
+ if (c->flags & DCERPC_DEBUG_PAD_CHECK) {
+ ndr->flags |= LIBNDR_FLAG_PAD_CHECK;
}
- if (! (CVAL(blob, DCERPC_DREP_OFFSET) & 0x10)) {
- ndr->flags |= DCERPC_PULL_BIGENDIAN;
+ if (c->flags & DCERPC_NDR_REF_ALLOC) {
+ ndr->flags |= LIBNDR_FLAG_REF_ALLOC;
}
- return ndr_pull_dcerpc_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
+ return ndr;
}
/*
- parse a possibly signed blob into a dcerpc request packet structure
+ parse a data blob into a ncacn_packet structure. This handles both
+ input and output packets
*/
-static NTSTATUS dcerpc_pull_request_sign(struct dcerpc_pipe *p,
- DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
- struct dcerpc_packet *pkt)
+static NTSTATUS ncacn_pull(struct dcerpc_connection *c, DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
+ struct ncacn_packet *pkt)
{
struct ndr_pull *ndr;
- NTSTATUS status;
- struct dcerpc_auth auth;
- DATA_BLOB auth_blob;
- /* non-signed packets are simpler */
- if (!p->auth_info || !p->ntlmssp_state) {
- return dcerpc_pull(blob, mem_ctx, pkt);
- }
-
- ndr = ndr_pull_init_blob(blob, mem_ctx);
+ ndr = ndr_pull_init_flags(c, blob, mem_ctx);
if (!ndr) {
return NT_STATUS_NO_MEMORY;
}
- if (! (CVAL(blob, DCERPC_DREP_OFFSET) & 0x10)) {
- ndr->flags |= DCERPC_PULL_BIGENDIAN;
+ if (! (CVAL(blob->data, DCERPC_DREP_OFFSET) & DCERPC_DREP_LE)) {
+ ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
}
- /* pull the basic packet */
- status = ndr_pull_dcerpc_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ return ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
+}
+
+/*
+ generate a CONNECT level verifier
+*/
+static NTSTATUS dcerpc_connect_verifier(TALLOC_CTX *mem_ctx, DATA_BLOB *blob)
+{
+ *blob = data_blob_talloc(mem_ctx, NULL, 16);
+ if (blob->data == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
+ SIVAL(blob->data, 0, 1);
+ memset(blob->data+4, 0, 12);
+ return NT_STATUS_OK;
+}
- if (pkt->ptype != DCERPC_PKT_RESPONSE) {
- return status;
+/*
+ check a CONNECT level verifier
+*/
+static NTSTATUS dcerpc_check_connect_verifier(DATA_BLOB *blob)
+{
+ if (blob->length != 16 ||
+ IVAL(blob->data, 0) != 1) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ return NT_STATUS_OK;
+}
+
+/*
+ parse the authentication information on a dcerpc response packet
+*/
+static NTSTATUS ncacn_pull_request_auth(struct dcerpc_connection *c, TALLOC_CTX *mem_ctx,
+ DATA_BLOB *raw_packet,
+ struct ncacn_packet *pkt)
+{
+ struct ndr_pull *ndr;
+ NTSTATUS status;
+ struct dcerpc_auth auth;
+ DATA_BLOB auth_blob;
+
+ if (pkt->auth_length == 0 &&
+ c->security_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
+ return NT_STATUS_OK;
}
auth_blob.length = 8 + pkt->auth_length;
pkt->u.response.stub_and_verifier.length -= auth_blob.length;
/* pull the auth structure */
- ndr = ndr_pull_init_blob(&auth_blob, mem_ctx);
+ ndr = ndr_pull_init_flags(c, &auth_blob, mem_ctx);
if (!ndr) {
return NT_STATUS_NO_MEMORY;
}
- if (! (CVAL(blob, DCERPC_DREP_OFFSET) & 0x10)) {
- ndr->flags |= DCERPC_PULL_BIGENDIAN;
+ if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
+ ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
}
status = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
-
-
+
+
/* check signature or unseal the packet */
- switch (p->auth_info->auth_level) {
+ switch (c->security_state.auth_info->auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
- status = ntlmssp_unseal_packet(p->ntlmssp_state,
- pkt->u.response.stub_and_verifier.data,
- pkt->u.response.stub_and_verifier.length,
- &auth.credentials);
- break;
-
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- status = ntlmssp_check_packet(p->ntlmssp_state,
- pkt->u.response.stub_and_verifier.data,
+ status = gensec_unseal_packet(c->security_state.generic_state,
+ mem_ctx,
+ raw_packet->data + DCERPC_REQUEST_LENGTH,
pkt->u.response.stub_and_verifier.length,
+ raw_packet->data,
+ raw_packet->length - auth.credentials.length,
&auth.credentials);
+ memcpy(pkt->u.response.stub_and_verifier.data,
+ raw_packet->data + DCERPC_REQUEST_LENGTH,
+ pkt->u.response.stub_and_verifier.length);
+ break;
+
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ status = gensec_check_packet(c->security_state.generic_state,
+ mem_ctx,
+ pkt->u.response.stub_and_verifier.data,
+ pkt->u.response.stub_and_verifier.length,
+ raw_packet->data,
+ raw_packet->length - auth.credentials.length,
+ &auth.credentials);
+ break;
+
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ status = dcerpc_check_connect_verifier(&auth.credentials);
break;
case DCERPC_AUTH_LEVEL_NONE:
status = NT_STATUS_INVALID_LEVEL;
break;
}
-
+
/* remove the indicated amount of paddiing */
if (pkt->u.response.stub_and_verifier.length < auth.auth_pad_length) {
return NT_STATUS_INFO_LENGTH_MISMATCH;
/*
push a dcerpc request packet into a blob, possibly signing it.
*/
-static NTSTATUS dcerpc_push_request_sign(struct dcerpc_pipe *p,
+static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c,
DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
- struct dcerpc_packet *pkt)
+ struct ncacn_packet *pkt)
{
NTSTATUS status;
struct ndr_push *ndr;
+ DATA_BLOB creds2;
+ size_t payload_length;
/* non-signed packets are simpler */
- if (!p->auth_info || !p->ntlmssp_state) {
- return dcerpc_push_auth(blob, mem_ctx, pkt, p->auth_info, p->flags);
+ if (!c->security_state.auth_info ||
+ !c->security_state.generic_state) {
+ return ncacn_push_auth(blob, mem_ctx, pkt, c->security_state.auth_info);
}
ndr = ndr_push_init_ctx(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
- if (p->flags & DCERPC_PUSH_BIGENDIAN) {
+ if (c->flags & DCERPC_PUSH_BIGENDIAN) {
ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
}
- status = ndr_push_dcerpc_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
+ if (pkt->pfc_flags & DCERPC_PFC_FLAG_ORPC) {
+ ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
+ }
+
+ status = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- /* pad to 8 byte multiple */
- p->auth_info->auth_pad_length = NDR_ALIGN(ndr, 8);
- ndr_push_zero(ndr, p->auth_info->auth_pad_length);
+ /* pad to 16 byte multiple in the payload portion of the
+ packet. This matches what w2k3 does */
+ c->security_state.auth_info->auth_pad_length =
+ (16 - (pkt->u.request.stub_and_verifier.length & 15)) & 15;
+ ndr_push_zero(ndr, c->security_state.auth_info->auth_pad_length);
+
+ payload_length = pkt->u.request.stub_and_verifier.length +
+ c->security_state.auth_info->auth_pad_length;
/* sign or seal the packet */
- switch (p->auth_info->auth_level) {
+ switch (c->security_state.auth_info->auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
- status = ntlmssp_seal_packet(p->ntlmssp_state,
- ndr->data + DCERPC_REQUEST_LENGTH,
- ndr->offset - DCERPC_REQUEST_LENGTH,
- &p->auth_info->credentials);
- break;
-
case DCERPC_AUTH_LEVEL_INTEGRITY:
- status = ntlmssp_sign_packet(p->ntlmssp_state,
- ndr->data + DCERPC_REQUEST_LENGTH,
- ndr->offset - DCERPC_REQUEST_LENGTH,
- &p->auth_info->credentials);
+ c->security_state.auth_info->credentials
+ = data_blob_talloc(mem_ctx, NULL, gensec_sig_size(c->security_state.generic_state,
+ payload_length));
+ data_blob_clear(&c->security_state.auth_info->credentials);
break;
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ status = dcerpc_connect_verifier(mem_ctx, &c->security_state.auth_info->credentials);
+ break;
+
case DCERPC_AUTH_LEVEL_NONE:
- p->auth_info->credentials = data_blob(NULL, 0);
+ c->security_state.auth_info->credentials = data_blob(NULL, 0);
break;
-
+
default:
status = NT_STATUS_INVALID_LEVEL;
break;
}
-
+
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* add the auth verifier */
- status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, p->auth_info);
+ status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, c->security_state.auth_info);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
in these earlier as we don't know the signature length (it
could be variable length) */
dcerpc_set_frag_length(blob, blob->length);
- dcerpc_set_auth_length(blob, p->auth_info->credentials.length);
+ dcerpc_set_auth_length(blob, c->security_state.auth_info->credentials.length);
+
+ /* sign or seal the packet */
+ switch (c->security_state.auth_info->auth_level) {
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ status = gensec_seal_packet(c->security_state.generic_state,
+ mem_ctx,
+ blob->data + DCERPC_REQUEST_LENGTH,
+ payload_length,
+ blob->data,
+ blob->length -
+ c->security_state.auth_info->credentials.length,
+ &creds2);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ memcpy(blob->data + blob->length - creds2.length, creds2.data, creds2.length);
+ break;
+
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ status = gensec_sign_packet(c->security_state.generic_state,
+ mem_ctx,
+ blob->data + DCERPC_REQUEST_LENGTH,
+ payload_length,
+ blob->data,
+ blob->length -
+ c->security_state.auth_info->credentials.length,
+ &creds2);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ memcpy(blob->data + blob->length - creds2.length, creds2.data, creds2.length);
+ break;
- data_blob_free(&p->auth_info->credentials);
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ break;
+
+ case DCERPC_AUTH_LEVEL_NONE:
+ c->security_state.auth_info->credentials = data_blob(NULL, 0);
+ break;
+
+ default:
+ status = NT_STATUS_INVALID_LEVEL;
+ break;
+ }
+
+ data_blob_free(&c->security_state.auth_info->credentials);
return NT_STATUS_OK;
}
/*
fill in the fixed values in a dcerpc header
*/
-static void init_dcerpc_hdr(struct dcerpc_pipe *p, struct dcerpc_packet *pkt)
+static void init_ncacn_hdr(struct dcerpc_connection *c, struct ncacn_packet *pkt)
{
pkt->rpc_vers = 5;
pkt->rpc_vers_minor = 0;
- if (p->flags & DCERPC_PUSH_BIGENDIAN) {
+ if (c->flags & DCERPC_PUSH_BIGENDIAN) {
pkt->drep[0] = 0;
} else {
- pkt->drep[0] = 0x10;
+ pkt->drep[0] = DCERPC_DREP_LE;
}
pkt->drep[1] = 0;
pkt->drep[2] = 0;
pkt->drep[3] = 0;
}
+/*
+ map a bind nak reason to a NTSTATUS
+*/
+static NTSTATUS dcerpc_map_reason(uint16_t reason)
+{
+ switch (reason) {
+ case DCERPC_BIND_REASON_ASYNTAX:
+ return NT_STATUS_RPC_UNSUPPORTED_NAME_SYNTAX;
+ }
+ return NT_STATUS_UNSUCCESSFUL;
+}
-/*
- perform a bind using the given syntax
+/*
+ mark the dcerpc connection dead. All outstanding requests get an error
+*/
+static void dcerpc_connection_dead(struct dcerpc_connection *conn, NTSTATUS status)
+{
+ /* all pending requests get the error */
+ while (conn->pending) {
+ struct rpc_request *req = conn->pending;
+ req->state = RPC_REQUEST_DONE;
+ req->status = status;
+ DLIST_REMOVE(conn->pending, req);
+ if (req->async.callback) {
+ req->async.callback(req);
+ }
+ }
- the auth_info structure is updated with the reply authentication info
- on success
+ if (conn->bind_private) {
+ /* a bind was in flight - fail it */
+ struct composite_context *c = talloc_get_type(conn->bind_private, struct composite_context);
+ composite_error(c, status);
+ }
+
+ if (conn->alter_private) {
+ /* a alter context was in flight - fail it */
+ struct composite_context *c = talloc_get_type(conn->alter_private, struct composite_context);
+ composite_error(c, status);
+ }
+}
+
+/*
+ forward declarations of the recv_data handlers for the 3 types of packets we need
+ to handle
*/
-NTSTATUS dcerpc_bind(struct dcerpc_pipe *p,
- TALLOC_CTX *mem_ctx,
- const struct dcerpc_syntax_id *syntax,
- const struct dcerpc_syntax_id *transfer_syntax)
+static void dcerpc_bind_recv_data(struct dcerpc_connection *conn, struct ncacn_packet *pkt);
+static void dcerpc_alter_recv_data(struct dcerpc_connection *conn, struct ncacn_packet *pkt);
+static void dcerpc_request_recv_data(struct dcerpc_connection *c,
+ DATA_BLOB *raw_packet, struct ncacn_packet *pkt);
+
+/*
+ receive a dcerpc reply from the transport. Here we work out what
+ type of reply it is (normal request, bind or alter context) and
+ dispatch to the appropriate handler
+*/
+static void dcerpc_recv_data(struct dcerpc_connection *conn, DATA_BLOB *blob, NTSTATUS status)
{
- struct dcerpc_packet pkt;
- NTSTATUS status;
+ struct ncacn_packet pkt;
+
+ if (NT_STATUS_IS_OK(status) && blob->length == 0) {
+ status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
+ }
+
+ /* the transport may be telling us of a severe error, such as
+ a dropped socket */
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(blob);
+ dcerpc_connection_dead(conn, status);
+ return;
+ }
+
+ /* parse the basic packet to work out what type of response this is */
+ status = ncacn_pull(conn, blob, blob->data, &pkt);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(blob);
+ dcerpc_connection_dead(conn, status);
+ }
+
+ switch (pkt.ptype) {
+ case DCERPC_PKT_BIND_NAK:
+ case DCERPC_PKT_BIND_ACK:
+ if (conn->bind_private) {
+ talloc_steal(conn->bind_private, blob->data);
+ dcerpc_bind_recv_data(conn, &pkt);
+ }
+ break;
+
+ case DCERPC_PKT_ALTER_RESP:
+ if (conn->alter_private) {
+ talloc_steal(conn->alter_private, blob->data);
+ dcerpc_alter_recv_data(conn, &pkt);
+ }
+ break;
+
+ default:
+ /* assume its an ordinary request */
+ dcerpc_request_recv_data(conn, blob, &pkt);
+ break;
+ }
+}
+
+
+/*
+ Receive a bind reply from the transport
+*/
+static void dcerpc_bind_recv_data(struct dcerpc_connection *conn, struct ncacn_packet *pkt)
+{
+ struct composite_context *c;
+ struct dcerpc_pipe *pipe;
+
+ c = talloc_get_type(conn->bind_private, struct composite_context);
+ pipe = talloc_get_type(c->private_data, struct dcerpc_pipe);
+
+ /* mark the connection as not waiting for a bind reply */
+ conn->bind_private = NULL;
+
+ if (pkt->ptype == DCERPC_PKT_BIND_NAK) {
+ DEBUG(2,("dcerpc: bind_nak reason %d\n",
+ pkt->u.bind_nak.reject_reason));
+ composite_error(c, dcerpc_map_reason(pkt->u.bind_nak.
+ reject_reason));
+ return;
+ }
+
+ if ((pkt->ptype != DCERPC_PKT_BIND_ACK) ||
+ (pkt->u.bind_ack.num_results == 0) ||
+ (pkt->u.bind_ack.ctx_list[0].result != 0)) {
+ composite_error(c, NT_STATUS_UNSUCCESSFUL);
+ return;
+ }
+
+ conn->srv_max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
+ conn->srv_max_recv_frag = pkt->u.bind_ack.max_recv_frag;
+
+ /* the bind_ack might contain a reply set of credentials */
+ if (conn->security_state.auth_info &&
+ pkt->u.bind_ack.auth_info.length) {
+ c->status = ndr_pull_struct_blob(
+ &pkt->u.bind_ack.auth_info, conn,
+ conn->security_state.auth_info,
+ (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
+ if (!composite_is_ok(c)) return;
+ }
+
+ composite_done(c);
+}
+
+/*
+ handle timeouts of dcerpc bind and alter context requests
+*/
+static void bind_timeout_handler(struct event_context *ev,
+ struct timed_event *te,
+ struct timeval t, void *private)
+{
+ struct composite_context *ctx =
+ talloc_get_type(private, struct composite_context);
+ struct dcerpc_pipe *pipe = talloc_get_type(ctx->private_data, struct dcerpc_pipe);
+
+ SMB_ASSERT(pipe->conn->bind_private != NULL);
+ pipe->conn->bind_private = NULL;
+ composite_error(ctx, NT_STATUS_IO_TIMEOUT);
+}
+
+/*
+ send a async dcerpc bind request
+*/
+struct composite_context *dcerpc_bind_send(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx,
+ const struct dcerpc_syntax_id *syntax,
+ const struct dcerpc_syntax_id *transfer_syntax)
+{
+ struct composite_context *c;
+ struct ncacn_packet pkt;
DATA_BLOB blob;
- struct dcerpc_syntax_id tsyntax;
- init_dcerpc_hdr(p, &pkt);
+ c = talloc_zero(mem_ctx, struct composite_context);
+ if (c == NULL) return NULL;
+
+ c->state = COMPOSITE_STATE_IN_PROGRESS;
+ c->private_data = p;
+ c->event_ctx = p->conn->event_ctx;
+
+ p->syntax = *syntax;
+ p->transfer_syntax = *transfer_syntax;
+
+ init_ncacn_hdr(p->conn, &pkt);
pkt.ptype = DCERPC_PKT_BIND;
pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
- pkt.call_id = p->call_id;
+ pkt.call_id = p->conn->call_id;
pkt.auth_length = 0;
- pkt.u.bind.max_xmit_frag = 0x2000;
- pkt.u.bind.max_recv_frag = 0x2000;
+ pkt.u.bind.max_xmit_frag = 5840;
+ pkt.u.bind.max_recv_frag = 5840;
pkt.u.bind.assoc_group_id = 0;
pkt.u.bind.num_contexts = 1;
- pkt.u.bind.ctx_list = talloc(mem_ctx, sizeof(pkt.u.bind.ctx_list[0]));
- if (!pkt.u.bind.ctx_list) {
- return NT_STATUS_NO_MEMORY;
+ pkt.u.bind.ctx_list =
+ talloc_array(mem_ctx, struct dcerpc_ctx_list, 1);
+ if (pkt.u.bind.ctx_list == NULL) {
+ c->status = NT_STATUS_NO_MEMORY;
+ goto failed;
}
- pkt.u.bind.ctx_list[0].context_id = 0;
+ pkt.u.bind.ctx_list[0].context_id = p->context_id;
pkt.u.bind.ctx_list[0].num_transfer_syntaxes = 1;
- pkt.u.bind.ctx_list[0].abstract_syntax = *syntax;
- tsyntax = *transfer_syntax;
- pkt.u.bind.ctx_list[0].transfer_syntaxes = &tsyntax;
+ pkt.u.bind.ctx_list[0].abstract_syntax = p->syntax;
+ pkt.u.bind.ctx_list[0].transfer_syntaxes = &p->transfer_syntax;
pkt.u.bind.auth_info = data_blob(NULL, 0);
/* construct the NDR form of the packet */
- status = dcerpc_push_auth(&blob, mem_ctx, &pkt, p->auth_info, p->flags);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ c->status = ncacn_push_auth(&blob, c, &pkt,
+ p->conn->security_state.auth_info);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ goto failed;
}
- /* send it on its way */
- status = p->transport.full_request(p, mem_ctx, &blob, &blob);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ p->conn->transport.recv_data = dcerpc_recv_data;
+ p->conn->bind_private = c;
- /* unmarshall the NDR */
- status = dcerpc_pull(&blob, mem_ctx, &pkt);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ c->status = p->conn->transport.send_request(p->conn, &blob,
+ True);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ goto failed;
}
- if ((pkt.ptype != DCERPC_PKT_BIND_ACK && pkt.ptype != DCERPC_PKT_ALTER_ACK) ||
- pkt.u.bind_ack.num_results == 0 ||
- pkt.u.bind_ack.ctx_list[0].result != 0) {
- status = NT_STATUS_UNSUCCESSFUL;
- }
+ event_add_timed(c->event_ctx, c,
+ timeval_current_ofs(DCERPC_REQUEST_TIMEOUT, 0),
+ bind_timeout_handler, c);
- if (pkt.ptype != DCERPC_PKT_ALTER_ACK) {
- p->srv_max_xmit_frag = pkt.u.bind_ack.max_xmit_frag;
- p->srv_max_recv_frag = pkt.u.bind_ack.max_recv_frag;
- }
+ return c;
- /* the bind_ack might contain a reply set of credentials */
- if (p->auth_info && pkt.u.bind_ack.auth_info.length) {
- status = ndr_pull_struct_blob(&pkt.u.bind_ack.auth_info,
- mem_ctx,
- p->auth_info,
- (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
- }
+ failed:
+ composite_error(c, c->status);
+ return c;
+}
- return status;
+/*
+ recv side of async dcerpc bind request
+*/
+NTSTATUS dcerpc_bind_recv(struct composite_context *ctx)
+{
+ NTSTATUS result = composite_wait(ctx);
+ talloc_free(ctx);
+ return result;
+}
+
+/*
+ perform a bind using the given syntax
+
+ the auth_info structure is updated with the reply authentication info
+ on success
+*/
+NTSTATUS dcerpc_bind(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx,
+ const struct dcerpc_syntax_id *syntax,
+ const struct dcerpc_syntax_id *transfer_syntax)
+{
+ struct composite_context *creq;
+ creq = dcerpc_bind_send(p, mem_ctx, syntax, transfer_syntax);
+ return dcerpc_bind_recv(creq);
}
/*
perform a continued bind (and auth3)
*/
-NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
+NTSTATUS dcerpc_auth3(struct dcerpc_connection *c,
TALLOC_CTX *mem_ctx)
{
- struct dcerpc_packet pkt;
+ struct ncacn_packet pkt;
NTSTATUS status;
DATA_BLOB blob;
- init_dcerpc_hdr(p, &pkt);
+ init_ncacn_hdr(c, &pkt);
pkt.ptype = DCERPC_PKT_AUTH3;
pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
- pkt.call_id = p->call_id++;
+ pkt.call_id = next_call_id(c);
pkt.auth_length = 0;
- pkt.u.auth._pad = 0;
- pkt.u.auth.auth_info = data_blob(NULL, 0);
+ pkt.u.auth3._pad = 0;
+ pkt.u.auth3.auth_info = data_blob(NULL, 0);
/* construct the NDR form of the packet */
- status = dcerpc_push_auth(&blob, mem_ctx, &pkt, p->auth_info, p->flags);
+ status = ncacn_push_auth(&blob, mem_ctx, &pkt, c->security_state.auth_info);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* send it on its way */
- status = p->transport.initial_request(p, mem_ctx, &blob);
+ status = c->transport.send_request(c, &blob, False);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
+/*
+ return the rpc syntax and transfer syntax given the pipe uuid and version
+*/
+NTSTATUS dcerpc_init_syntaxes(const struct dcerpc_interface_table *table,
+ struct dcerpc_syntax_id *syntax,
+ struct dcerpc_syntax_id *transfer_syntax)
+{
+ syntax->uuid = table->uuid;
+ syntax->if_version = table->if_version;
+
+ *transfer_syntax = ndr_transfer_syntax;
+
+ return NT_STATUS_OK;
+}
+
/* perform a dcerpc bind, using the uuid as the key */
NTSTATUS dcerpc_bind_byuuid(struct dcerpc_pipe *p,
TALLOC_CTX *mem_ctx,
- const char *uuid, unsigned version)
+ const struct dcerpc_interface_table *table)
{
struct dcerpc_syntax_id syntax;
struct dcerpc_syntax_id transfer_syntax;
NTSTATUS status;
- status = GUID_from_string(uuid, &syntax.uuid);
+ status = dcerpc_init_syntaxes(table,
+ &syntax, &transfer_syntax);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(2,("Invalid uuid string in dcerpc_bind_byuuid\n"));
return status;
}
- syntax.if_version = version;
-
- status = GUID_from_string(NDR_GUID, &transfer_syntax.uuid);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- transfer_syntax.if_version = NDR_GUID_VERSION;
return dcerpc_bind(p, mem_ctx, &syntax, &transfer_syntax);
}
+
/*
- perform a full request/response pair on a dcerpc pipe
+ process a fragment received from the transport layer during a
+ request
+
+ This function frees the data
*/
-NTSTATUS dcerpc_request(struct dcerpc_pipe *p,
- uint16 opnum,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *stub_data_in,
- DATA_BLOB *stub_data_out)
+static void dcerpc_request_recv_data(struct dcerpc_connection *c,
+ DATA_BLOB *raw_packet, struct ncacn_packet *pkt)
{
-
- struct dcerpc_packet pkt;
- NTSTATUS status;
- DATA_BLOB blob, payload;
- uint32 remaining, chunk_size;
+ struct rpc_request *req;
+ uint_t length;
+ NTSTATUS status = NT_STATUS_OK;
- init_dcerpc_hdr(p, &pkt);
+ /*
+ if this is an authenticated connection then parse and check
+ the auth info. We have to do this before finding the
+ matching packet, as the request structure might have been
+ removed due to a timeout, but if it has been we still need
+ to run the auth routines so that we don't get the sign/seal
+ info out of step with the server
+ */
+ if (c->security_state.auth_info && c->security_state.generic_state &&
+ pkt->ptype == DCERPC_PKT_RESPONSE) {
+ status = ncacn_pull_request_auth(c, raw_packet->data, raw_packet, pkt);
+ }
- remaining = stub_data_in->length;
+ /* find the matching request */
+ for (req=c->pending;req;req=req->next) {
+ if (pkt->call_id == req->call_id) break;
+ }
- /* we can write a full max_recv_frag size, minus the dcerpc
- request header size */
- chunk_size = p->srv_max_recv_frag - (DCERPC_MAX_SIGN_SIZE+DCERPC_REQUEST_LENGTH);
+ if (req == NULL) {
+ DEBUG(2,("dcerpc_request: unmatched call_id %u in response packet\n", pkt->call_id));
+ data_blob_free(raw_packet);
+ return;
+ }
- pkt.ptype = DCERPC_PKT_REQUEST;
- pkt.call_id = p->call_id++;
- pkt.auth_length = 0;
- pkt.u.request.alloc_hint = remaining;
- pkt.u.request.context_id = 0;
- pkt.u.request.opnum = opnum;
-
- /* we send a series of pdus without waiting for a reply until
- the last pdu */
- while (remaining > chunk_size) {
- if (remaining == stub_data_in->length) {
- pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST;
- } else {
- pkt.pfc_flags = 0;
- }
+ talloc_steal(req, raw_packet->data);
- pkt.u.request.stub_and_verifier.data = stub_data_in->data +
- (stub_data_in->length - remaining);
- pkt.u.request.stub_and_verifier.length = chunk_size;
+ if (pkt->ptype == DCERPC_PKT_FAULT) {
+ DEBUG(5,("rpc fault: %s\n", dcerpc_errstr(c, pkt->u.fault.status)));
+ req->fault_code = pkt->u.fault.status;
+ req->status = NT_STATUS_NET_WRITE_FAULT;
+ goto req_done;
+ }
- status = dcerpc_push_request_sign(p, &blob, mem_ctx, &pkt);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ if (pkt->ptype != DCERPC_PKT_RESPONSE) {
+ DEBUG(2,("Unexpected packet type %d in dcerpc response\n",
+ (int)pkt->ptype));
+ req->fault_code = DCERPC_FAULT_OTHER;
+ req->status = NT_STATUS_NET_WRITE_FAULT;
+ goto req_done;
+ }
+
+ /* now check the status from the auth routines, and if it failed then fail
+ this request accordingly */
+ if (!NT_STATUS_IS_OK(status)) {
+ req->status = status;
+ goto req_done;
+ }
+
+ length = pkt->u.response.stub_and_verifier.length;
+
+ if (length > 0) {
+ req->payload.data = talloc_realloc(req,
+ req->payload.data,
+ uint8_t,
+ req->payload.length + length);
+ if (!req->payload.data) {
+ req->status = NT_STATUS_NO_MEMORY;
+ goto req_done;
}
-
- status = p->transport.initial_request(p, mem_ctx, &blob);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ memcpy(req->payload.data+req->payload.length,
+ pkt->u.response.stub_and_verifier.data, length);
+ req->payload.length += length;
+ }
- remaining -= chunk_size;
+ if (!(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
+ c->transport.send_read(c);
+ return;
}
- /* now we send a pdu with LAST_FRAG sent and get the first
- part of the reply */
- if (remaining == stub_data_in->length) {
- pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
+ if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
+ req->flags |= DCERPC_PULL_BIGENDIAN;
} else {
- pkt.pfc_flags = DCERPC_PFC_FLAG_LAST;
+ req->flags &= ~DCERPC_PULL_BIGENDIAN;
}
- pkt.u.request.stub_and_verifier.data = stub_data_in->data +
- (stub_data_in->length - remaining);
- pkt.u.request.stub_and_verifier.length = remaining;
- status = dcerpc_push_request_sign(p, &blob, mem_ctx, &pkt);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+
+req_done:
+ /* we've got the full payload */
+ req->state = RPC_REQUEST_DONE;
+ DLIST_REMOVE(c->pending, req);
+
+ if (c->request_queue != NULL) {
+ /* We have to look at shipping further requests before calling
+ * the async function, that one might close the pipe */
+ dcerpc_ship_next_request(c);
}
- /* send the pdu and get the initial response pdu */
- status = p->transport.full_request(p, mem_ctx, &blob, &blob);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ if (req->async.callback) {
+ req->async.callback(req);
}
+}
- status = dcerpc_pull_request_sign(p, &blob, mem_ctx, &pkt);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+/*
+ handle timeouts of individual dcerpc requests
+*/
+static void dcerpc_timeout_handler(struct event_context *ev, struct timed_event *te,
+ struct timeval t, void *private)
+{
+ struct rpc_request *req = talloc_get_type(private, struct rpc_request);
+
+ if (req->state != RPC_REQUEST_PENDING) {
+ return;
}
- if (pkt.ptype == DCERPC_PKT_FAULT) {
- p->last_fault_code = pkt.u.fault.status;
- return NT_STATUS_NET_WRITE_FAULT;
+ req->status = NT_STATUS_IO_TIMEOUT;
+ req->state = RPC_REQUEST_DONE;
+ DLIST_REMOVE(req->p->conn->pending, req);
+ if (req->async.callback) {
+ req->async.callback(req);
}
+}
+
+
+/*
+ make sure requests are cleaned up
+ */
+static int dcerpc_req_destructor(void *ptr)
+{
+ struct rpc_request *req = ptr;
+ DLIST_REMOVE(req->p->conn->pending, req);
+ return 0;
+}
+
+/*
+ perform the send side of a async dcerpc request
+*/
+static struct rpc_request *dcerpc_request_send(struct dcerpc_pipe *p,
+ const struct GUID *object,
+ uint16_t opnum,
+ BOOL async,
+ DATA_BLOB *stub_data)
+{
+ struct rpc_request *req;
+
+ p->conn->transport.recv_data = dcerpc_recv_data;
- if (pkt.ptype != DCERPC_PKT_RESPONSE) {
- return NT_STATUS_UNSUCCESSFUL;
+ req = talloc(p, struct rpc_request);
+ if (req == NULL) {
+ return NULL;
}
- if (!(pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST)) {
- /* something is badly wrong! */
- return NT_STATUS_UNSUCCESSFUL;
+ req->p = p;
+ req->call_id = next_call_id(p->conn);
+ req->status = NT_STATUS_OK;
+ req->state = RPC_REQUEST_PENDING;
+ req->payload = data_blob(NULL, 0);
+ req->flags = 0;
+ req->fault_code = 0;
+ req->async_call = async;
+ req->async.callback = NULL;
+
+ if (object != NULL) {
+ req->object = talloc_memdup(req, object, sizeof(*object));
+ if (req->object == NULL) {
+ talloc_free(req);
+ return NULL;
+ }
+ } else {
+ req->object = NULL;
}
- payload = pkt.u.response.stub_and_verifier;
+ req->opnum = opnum;
+ req->request_data.length = stub_data->length;
+ req->request_data.data = talloc_reference(req, stub_data->data);
+ if (req->request_data.data == NULL) {
+ return NULL;
+ }
- /* continue receiving fragments */
- while (!(pkt.pfc_flags & DCERPC_PFC_FLAG_LAST)) {
- uint32 length;
+ DLIST_ADD_END(p->conn->request_queue, req, struct rpc_request *);
- status = p->transport.secondary_request(p, mem_ctx, &blob);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ dcerpc_ship_next_request(p->conn);
- status = dcerpc_pull_request_sign(p, &blob, mem_ctx, &pkt);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
+ if (p->request_timeout) {
+ event_add_timed(dcerpc_event_context(p), req,
+ timeval_current_ofs(p->request_timeout, 0),
+ dcerpc_timeout_handler, req);
+ }
- if (pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) {
- /* start of another packet!? */
- return NT_STATUS_UNSUCCESSFUL;
- }
+ talloc_set_destructor(req, dcerpc_req_destructor);
+ return req;
+}
- if (pkt.ptype == DCERPC_PKT_FAULT) {
- p->last_fault_code = pkt.u.fault.status;
- return NT_STATUS_NET_WRITE_FAULT;
- }
+/*
+ Send a request using the transport
+*/
- if (pkt.ptype != DCERPC_PKT_RESPONSE) {
- return NT_STATUS_UNSUCCESSFUL;
- }
+static void dcerpc_ship_next_request(struct dcerpc_connection *c)
+{
+ struct rpc_request *req;
+ struct dcerpc_pipe *p;
+ DATA_BLOB *stub_data;
+ struct ncacn_packet pkt;
+ DATA_BLOB blob;
+ uint32_t remaining, chunk_size;
+ BOOL first_packet = True;
+
+ req = c->request_queue;
+ if (req == NULL) {
+ return;
+ }
+
+ p = req->p;
+ stub_data = &req->request_data;
+
+ if (!req->async_call && (c->pending != NULL)) {
+ return;
+ }
+
+ DLIST_REMOVE(c->request_queue, req);
+ DLIST_ADD(c->pending, req);
+
+ init_ncacn_hdr(p->conn, &pkt);
+
+ remaining = stub_data->length;
+
+ /* we can write a full max_recv_frag size, minus the dcerpc
+ request header size */
+ chunk_size = p->conn->srv_max_recv_frag - (DCERPC_MAX_SIGN_SIZE+DCERPC_REQUEST_LENGTH);
+
+ pkt.ptype = DCERPC_PKT_REQUEST;
+ pkt.call_id = req->call_id;
+ pkt.auth_length = 0;
+ pkt.pfc_flags = 0;
+ pkt.u.request.alloc_hint = remaining;
+ pkt.u.request.context_id = p->context_id;
+ pkt.u.request.opnum = req->opnum;
+
+ if (req->object) {
+ pkt.u.request.object.object = *req->object;
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_ORPC;
+ chunk_size -= ndr_size_GUID(req->object,0);
+ }
- length = pkt.u.response.stub_and_verifier.length;
+ /* we send a series of pdus without waiting for a reply */
+ while (remaining > 0 || first_packet) {
+ uint32_t chunk = MIN(chunk_size, remaining);
+ BOOL last_frag = False;
- payload.data = talloc_realloc(mem_ctx,
- payload.data,
- payload.length + length);
- if (!payload.data) {
- return NT_STATUS_NO_MEMORY;
+ first_packet = False;
+ pkt.pfc_flags &= ~(DCERPC_PFC_FLAG_FIRST |DCERPC_PFC_FLAG_LAST);
+
+ if (remaining == stub_data->length) {
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_FIRST;
+ }
+ if (chunk == remaining) {
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_LAST;
+ last_frag = True;
}
- memcpy(payload.data + payload.length,
- pkt.u.response.stub_and_verifier.data,
- length);
+ pkt.u.request.stub_and_verifier.data = stub_data->data +
+ (stub_data->length - remaining);
+ pkt.u.request.stub_and_verifier.length = chunk;
+
+ req->status = ncacn_push_request_sign(p->conn, &blob, req, &pkt);
+ if (!NT_STATUS_IS_OK(req->status)) {
+ req->state = RPC_REQUEST_DONE;
+ DLIST_REMOVE(p->conn->pending, req);
+ return;
+ }
+
+ req->status = p->conn->transport.send_request(p->conn, &blob, last_frag);
+ if (!NT_STATUS_IS_OK(req->status)) {
+ req->state = RPC_REQUEST_DONE;
+ DLIST_REMOVE(p->conn->pending, req);
+ return;
+ }
- payload.length += length;
+ remaining -= chunk;
}
+}
+
+/*
+ return the event context for a dcerpc pipe
+ used by callers who wish to operate asynchronously
+*/
+struct event_context *dcerpc_event_context(struct dcerpc_pipe *p)
+{
+ return p->conn->event_ctx;
+}
+
+
+
+/*
+ perform the receive side of a async dcerpc request
+*/
+NTSTATUS dcerpc_request_recv(struct rpc_request *req,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *stub_data)
+{
+ NTSTATUS status;
- if (stub_data_out) {
- *stub_data_out = payload;
+ while (req->state == RPC_REQUEST_PENDING) {
+ struct event_context *ctx = dcerpc_event_context(req->p);
+ if (event_loop_once(ctx) != 0) {
+ return NT_STATUS_CONNECTION_DISCONNECTED;
+ }
+ }
+ *stub_data = req->payload;
+ status = req->status;
+ if (stub_data->data) {
+ stub_data->data = talloc_steal(mem_ctx, stub_data->data);
}
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+ req->p->last_fault_code = req->fault_code;
+ }
+ talloc_free(req);
+ return status;
+}
- if (!(pkt.drep[0] & 0x10)) {
- p->flags |= DCERPC_PULL_BIGENDIAN;
- } else {
- p->flags &= ~DCERPC_PULL_BIGENDIAN;
+/*
+ perform a full request/response pair on a dcerpc pipe
+*/
+NTSTATUS dcerpc_request(struct dcerpc_pipe *p,
+ struct GUID *object,
+ uint16_t opnum,
+ BOOL async,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *stub_data_in,
+ DATA_BLOB *stub_data_out)
+{
+ struct rpc_request *req;
+
+ req = dcerpc_request_send(p, object, opnum, async, stub_data_in);
+ if (req == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
- return status;
+ return dcerpc_request_recv(req, mem_ctx, stub_data_out);
}
for that to the NDR we initially generated. If they don't match then we know
we must have a bug in either the pull or push side of our code
*/
-static NTSTATUS dcerpc_ndr_validate_in(TALLOC_CTX *mem_ctx,
+static NTSTATUS dcerpc_ndr_validate_in(struct dcerpc_connection *c,
+ TALLOC_CTX *mem_ctx,
DATA_BLOB blob,
size_t struct_size,
- NTSTATUS (*ndr_push)(struct ndr_push *, int, void *),
- NTSTATUS (*ndr_pull)(struct ndr_pull *, int, void *))
+ ndr_push_flags_fn_t ndr_push,
+ ndr_pull_flags_fn_t ndr_pull)
{
void *st;
struct ndr_pull *pull;
NTSTATUS status;
DATA_BLOB blob2;
- st = talloc(mem_ctx, struct_size);
+ st = talloc_size(mem_ctx, struct_size);
if (!st) {
return NT_STATUS_NO_MEMORY;
}
- pull = ndr_pull_init_blob(&blob, mem_ctx);
+ pull = ndr_pull_init_flags(c, &blob, mem_ctx);
if (!pull) {
return NT_STATUS_NO_MEMORY;
}
+ pull->flags |= LIBNDR_FLAG_REF_ALLOC;
status = ndr_pull(pull, NDR_IN, st);
if (!NT_STATUS_IS_OK(status)) {
initially generated. If they don't match then we know we must have a
bug in either the pull or push side of our code
*/
-static NTSTATUS dcerpc_ndr_validate_out(TALLOC_CTX *mem_ctx,
+static NTSTATUS dcerpc_ndr_validate_out(struct dcerpc_connection *c,
+ TALLOC_CTX *mem_ctx,
void *struct_ptr,
size_t struct_size,
- NTSTATUS (*ndr_push)(struct ndr_push *, int, void *),
- NTSTATUS (*ndr_pull)(struct ndr_pull *, int, void *))
+ ndr_push_flags_fn_t ndr_push,
+ ndr_pull_flags_fn_t ndr_pull)
{
void *st;
struct ndr_pull *pull;
NTSTATUS status;
DATA_BLOB blob, blob2;
- st = talloc(mem_ctx, struct_size);
+ st = talloc_size(mem_ctx, struct_size);
if (!st) {
return NT_STATUS_NO_MEMORY;
}
blob = ndr_push_blob(push);
- pull = ndr_pull_init_blob(&blob, mem_ctx);
+ pull = ndr_pull_init_flags(c, &blob, mem_ctx);
if (!pull) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
-/*
- a useful helper function for synchronous rpc requests
- this can be used when you have ndr push/pull functions in the
- standard format
-*/
-NTSTATUS dcerpc_ndr_request(struct dcerpc_pipe *p,
- uint32 opnum,
- TALLOC_CTX *mem_ctx,
- NTSTATUS (*ndr_push)(struct ndr_push *, int, void *),
- NTSTATUS (*ndr_pull)(struct ndr_pull *, int, void *),
- void *struct_ptr,
- size_t struct_size)
+/*
+ send a rpc request given a dcerpc_call structure
+ */
+struct rpc_request *dcerpc_ndr_request_send(struct dcerpc_pipe *p,
+ const struct GUID *object,
+ const struct dcerpc_interface_table *table,
+ uint32_t opnum,
+ TALLOC_CTX *mem_ctx,
+ void *r)
{
+ const struct dcerpc_interface_call *call;
struct ndr_push *push;
- struct ndr_pull *pull;
NTSTATUS status;
- DATA_BLOB request, response;
+ DATA_BLOB request;
+ struct rpc_request *req;
+
+ call = &table->calls[opnum];
/* setup for a ndr_push_* call */
- push = ndr_push_init();
+ push = ndr_push_init_ctx(mem_ctx);
if (!push) {
- talloc_destroy(mem_ctx);
- return NT_STATUS_NO_MEMORY;
+ return NULL;
}
- if (p->flags & DCERPC_PUSH_BIGENDIAN) {
+ if (p->conn->flags & DCERPC_PUSH_BIGENDIAN) {
push->flags |= LIBNDR_FLAG_BIGENDIAN;
}
/* push the structure into a blob */
- status = ndr_push(push, NDR_IN, struct_ptr);
+ status = call->ndr_push(push, NDR_IN, r);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ DEBUG(2,("Unable to ndr_push structure in dcerpc_ndr_request_send - %s\n",
+ nt_errstr(status)));
+ talloc_free(push);
+ return NULL;
}
/* retrieve the blob */
request = ndr_push_blob(push);
- if (p->flags & DCERPC_DEBUG_VALIDATE_IN) {
- status = dcerpc_ndr_validate_in(mem_ctx, request, struct_size,
- ndr_push, ndr_pull);
+ if (p->conn->flags & DCERPC_DEBUG_VALIDATE_IN) {
+ status = dcerpc_ndr_validate_in(p->conn, push, request, call->struct_size,
+ call->ndr_push, call->ndr_pull);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ DEBUG(2,("Validation failed in dcerpc_ndr_request_send - %s\n",
+ nt_errstr(status)));
+ talloc_free(push);
+ return NULL;
}
}
dump_data(10, request.data, request.length);
/* make the actual dcerpc request */
- status = dcerpc_request(p, opnum, mem_ctx, &request, &response);
+ req = dcerpc_request_send(p, object, opnum, table->calls[opnum].async,
+ &request);
+
+ if (req != NULL) {
+ req->ndr.table = table;
+ req->ndr.opnum = opnum;
+ req->ndr.struct_ptr = r;
+ req->ndr.mem_ctx = mem_ctx;
+ }
+
+ talloc_free(push);
+
+ return req;
+}
+
+/*
+ receive the answer from a dcerpc_ndr_request_send()
+*/
+NTSTATUS dcerpc_ndr_request_recv(struct rpc_request *req)
+{
+ struct dcerpc_pipe *p = req->p;
+ NTSTATUS status;
+ DATA_BLOB response;
+ struct ndr_pull *pull;
+ uint_t flags;
+ TALLOC_CTX *mem_ctx = req->ndr.mem_ctx;
+ void *r = req->ndr.struct_ptr;
+ uint32_t opnum = req->ndr.opnum;
+ const struct dcerpc_interface_table *table = req->ndr.table;
+ const struct dcerpc_interface_call *call = &table->calls[opnum];
+
+ /* make sure the recv code doesn't free the request, as we
+ need to grab the flags element before it is freed */
+ talloc_increase_ref_count(req);
+
+ status = dcerpc_request_recv(req, mem_ctx, &response);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ return status;
}
+ flags = req->flags;
+
/* prepare for ndr_pull_* */
- pull = ndr_pull_init_blob(&response, mem_ctx);
+ pull = ndr_pull_init_flags(p->conn, &response, mem_ctx);
if (!pull) {
- goto failed;
+ talloc_free(req);
+ return NT_STATUS_NO_MEMORY;
}
- if (p->flags & DCERPC_PULL_BIGENDIAN) {
+ if (pull->data) {
+ pull->data = talloc_steal(pull, pull->data);
+ }
+ talloc_free(req);
+
+ if (flags & DCERPC_PULL_BIGENDIAN) {
pull->flags |= LIBNDR_FLAG_BIGENDIAN;
}
dump_data(10, pull->data, pull->data_size);
/* pull the structure from the blob */
- status = ndr_pull(pull, NDR_OUT, struct_ptr);
+ status = call->ndr_pull(pull, NDR_OUT, r);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ dcerpc_log_packet(table, opnum, NDR_OUT,
+ &response);
+ return status;
}
- /* possibly check the packet signature */
-
-
- if (p->flags & DCERPC_DEBUG_VALIDATE_OUT) {
- status = dcerpc_ndr_validate_out(mem_ctx, struct_ptr, struct_size,
- ndr_push, ndr_pull);
+ if (p->conn->flags & DCERPC_DEBUG_VALIDATE_OUT) {
+ status = dcerpc_ndr_validate_out(p->conn, pull, r, call->struct_size,
+ call->ndr_push, call->ndr_pull);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ dcerpc_log_packet(table, opnum, NDR_OUT,
+ &response);
+ return status;
}
}
if (pull->offset != pull->data_size) {
- DEBUG(0,("Warning! %d unread bytes\n", pull->data_size - pull->offset));
- status = NT_STATUS_INFO_LENGTH_MISMATCH;
- goto failed;
+ DEBUG(0,("Warning! ignoring %d unread bytes in rpc packet!\n",
+ pull->data_size - pull->offset));
+ /* we used to return NT_STATUS_INFO_LENGTH_MISMATCH here,
+ but it turns out that early versions of NT
+ (specifically NT3.1) add junk onto the end of rpc
+ packets, so if we want to interoperate at all with
+ those versions then we need to ignore this error */
}
-failed:
- ndr_push_free(push);
- return status;
+ /* TODO: make pull context independent from the output mem_ctx and free the pull context */
+
+ return NT_STATUS_OK;
+}
+
+
+/*
+ a useful helper function for synchronous rpc requests
+
+ this can be used when you have ndr push/pull functions in the
+ standard format
+*/
+NTSTATUS dcerpc_ndr_request(struct dcerpc_pipe *p,
+ const struct GUID *object,
+ const struct dcerpc_interface_table *table,
+ uint32_t opnum,
+ TALLOC_CTX *mem_ctx,
+ void *r)
+{
+ struct rpc_request *req;
+
+ req = dcerpc_ndr_request_send(p, object, table, opnum, mem_ctx, r);
+ if (req == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return dcerpc_ndr_request_recv(req);
}
*/
const char *dcerpc_server_name(struct dcerpc_pipe *p)
{
- if (!p->transport.peer_name) {
+ if (!p->conn->transport.peer_name) {
return "";
}
- return p->transport.peer_name(p);
+ return p->conn->transport.peer_name(p->conn);
+}
+
+
+/*
+ get the dcerpc auth_level for a open connection
+*/
+uint32_t dcerpc_auth_level(struct dcerpc_connection *c)
+{
+ uint8_t auth_level;
+
+ if (c->flags & DCERPC_SEAL) {
+ auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+ } else if (c->flags & DCERPC_SIGN) {
+ auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+ } else if (c->flags & DCERPC_CONNECT) {
+ auth_level = DCERPC_AUTH_LEVEL_CONNECT;
+ } else {
+ auth_level = DCERPC_AUTH_LEVEL_NONE;
+ }
+ return auth_level;
+}
+
+/*
+ Receive an alter reply from the transport
+*/
+static void dcerpc_alter_recv_data(struct dcerpc_connection *conn, struct ncacn_packet *pkt)
+{
+ struct composite_context *c;
+ struct dcerpc_pipe *pipe;
+
+ c = talloc_get_type(conn->alter_private, struct composite_context);
+ pipe = talloc_get_type(c->private_data, struct dcerpc_pipe);
+
+ /* mark the connection as not waiting for a alter context reply */
+ conn->alter_private = NULL;
+
+ if (pkt->ptype == DCERPC_PKT_ALTER_RESP &&
+ pkt->u.alter_resp.num_results == 1 &&
+ pkt->u.alter_resp.ctx_list[0].result != 0) {
+ DEBUG(2,("dcerpc: alter_resp failed - reason %d\n",
+ pkt->u.alter_resp.ctx_list[0].reason));
+ composite_error(c, dcerpc_map_reason(pkt->u.alter_resp.ctx_list[0].reason));
+ return;
+ }
+
+ if (pkt->ptype != DCERPC_PKT_ALTER_RESP ||
+ pkt->u.alter_resp.num_results == 0 ||
+ pkt->u.alter_resp.ctx_list[0].result != 0) {
+ composite_error(c, NT_STATUS_UNSUCCESSFUL);
+ return;
+ }
+
+ /* the alter_resp might contain a reply set of credentials */
+ if (pipe->conn->security_state.auth_info &&
+ pkt->u.alter_resp.auth_info.length) {
+ c->status = ndr_pull_struct_blob(
+ &pkt->u.alter_resp.auth_info, pipe,
+ pipe->conn->security_state.auth_info,
+ (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
+ if (!composite_is_ok(c)) return;
+ }
+
+ composite_done(c);
+}
+
+/*
+ send a dcerpc alter_context request
+*/
+struct composite_context *dcerpc_alter_context_send(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx,
+ const struct dcerpc_syntax_id *syntax,
+ const struct dcerpc_syntax_id *transfer_syntax)
+{
+ struct composite_context *c;
+ struct ncacn_packet pkt;
+ DATA_BLOB blob;
+
+ c = talloc_zero(mem_ctx, struct composite_context);
+ if (c == NULL) return NULL;
+
+ c->state = COMPOSITE_STATE_IN_PROGRESS;
+ c->private_data = p;
+ c->event_ctx = p->conn->event_ctx;
+
+ p->syntax = *syntax;
+ p->transfer_syntax = *transfer_syntax;
+
+ init_ncacn_hdr(p->conn, &pkt);
+
+ pkt.ptype = DCERPC_PKT_ALTER;
+ pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
+ pkt.call_id = p->conn->call_id;
+ pkt.auth_length = 0;
+
+ pkt.u.alter.max_xmit_frag = 5840;
+ pkt.u.alter.max_recv_frag = 5840;
+ pkt.u.alter.assoc_group_id = 0;
+ pkt.u.alter.num_contexts = 1;
+ pkt.u.alter.ctx_list = talloc_array(mem_ctx,
+ struct dcerpc_ctx_list, 1);
+ if (pkt.u.alter.ctx_list == NULL) {
+ c->status = NT_STATUS_NO_MEMORY;
+ goto failed;
+ }
+ pkt.u.alter.ctx_list[0].context_id = p->context_id;
+ pkt.u.alter.ctx_list[0].num_transfer_syntaxes = 1;
+ pkt.u.alter.ctx_list[0].abstract_syntax = p->syntax;
+ pkt.u.alter.ctx_list[0].transfer_syntaxes = &p->transfer_syntax;
+ pkt.u.alter.auth_info = data_blob(NULL, 0);
+
+ /* construct the NDR form of the packet */
+ c->status = ncacn_push_auth(&blob, mem_ctx, &pkt,
+ p->conn->security_state.auth_info);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ goto failed;
+ }
+
+ p->conn->transport.recv_data = dcerpc_recv_data;
+ p->conn->alter_private = c;
+
+ c->status = p->conn->transport.send_request(p->conn, &blob, True);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ goto failed;
+ }
+
+ event_add_timed(c->event_ctx, c,
+ timeval_current_ofs(DCERPC_REQUEST_TIMEOUT, 0),
+ bind_timeout_handler, c);
+
+ return c;
+
+ failed:
+ composite_error(c, c->status);
+ return c;
+}
+
+NTSTATUS dcerpc_alter_context_recv(struct composite_context *ctx)
+{
+ NTSTATUS result = composite_wait(ctx);
+ talloc_free(ctx);
+ return result;
+}
+
+/*
+ send a dcerpc alter_context request
+*/
+NTSTATUS dcerpc_alter_context(struct dcerpc_pipe *p,
+ TALLOC_CTX *mem_ctx,
+ const struct dcerpc_syntax_id *syntax,
+ const struct dcerpc_syntax_id *transfer_syntax)
+{
+ struct composite_context *creq;
+ creq = dcerpc_alter_context_send(p, mem_ctx, syntax, transfer_syntax);
+ return dcerpc_alter_context_recv(creq);
}