2 Unix SMB/CIFS implementation.
4 dcerpc utility functions
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Jelmer Vernooij 2004
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
9 Copyright (C) Rafal Szczesniak 2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "lib/events/events.h"
27 #include "libcli/composite/composite.h"
28 #include "librpc/gen_ndr/ndr_epmapper_c.h"
29 #include "librpc/gen_ndr/ndr_dcerpc.h"
30 #include "librpc/gen_ndr/ndr_misc.h"
31 #include "librpc/rpc/dcerpc_proto.h"
32 #include "auth/credentials/credentials.h"
33 #include "param/param.h"
34 #include "librpc/rpc/rpc_common.h"
37 find a dcerpc call on an interface by name
39 const struct ndr_interface_call *dcerpc_iface_find_call(const struct ndr_interface_table *iface,
43 for (i=0;i<iface->num_calls;i++) {
44 if (strcmp(iface->calls[i].name, name) == 0) {
45 return &iface->calls[i];
52 push a ncacn_packet into a blob, potentially with auth info
54 NTSTATUS ncacn_push_auth(DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
55 struct ncacn_packet *pkt,
56 struct dcerpc_auth *auth_info)
59 enum ndr_err_code ndr_err;
61 ndr = ndr_push_init_ctx(mem_ctx);
63 return NT_STATUS_NO_MEMORY;
66 if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
67 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
70 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
71 ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
75 pkt->auth_length = auth_info->credentials.length;
80 ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
81 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
82 return ndr_map_error2ntstatus(ndr_err);
87 /* the s3 rpc server doesn't handle auth padding in
88 bind requests. Use zero auth padding to keep us
89 working with old servers */
90 uint32_t offset = ndr->offset;
91 ndr_err = ndr_push_align(ndr, 16);
92 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
93 return ndr_map_error2ntstatus(ndr_err);
95 auth_info->auth_pad_length = ndr->offset - offset;
97 auth_info->auth_pad_length = 0;
99 ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth_info);
100 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
101 return ndr_map_error2ntstatus(ndr_err);
105 *blob = ndr_push_blob(ndr);
107 /* fill in the frag length */
108 dcerpc_set_frag_length(blob, blob->length);
114 struct epm_map_binding_state {
115 struct dcerpc_binding *binding;
116 const struct ndr_interface_table *table;
117 struct dcerpc_pipe *pipe;
118 struct policy_handle handle;
120 struct epm_twr_t twr;
121 struct epm_twr_t *twr_r;
127 static void continue_epm_recv_binding(struct composite_context *ctx);
128 static void continue_epm_map(struct tevent_req *subreq);
132 Stage 2 of epm_map_binding: Receive connected rpc pipe and send endpoint
135 static void continue_epm_recv_binding(struct composite_context *ctx)
137 struct composite_context *c = talloc_get_type(ctx->async.private_data,
138 struct composite_context);
139 struct epm_map_binding_state *s = talloc_get_type(c->private_data,
140 struct epm_map_binding_state);
141 struct tevent_req *subreq;
143 /* receive result of rpc pipe connect request */
144 c->status = dcerpc_pipe_connect_b_recv(ctx, c, &s->pipe);
145 if (!composite_is_ok(c)) return;
147 /* prepare requested binding parameters */
148 s->binding->object = s->table->syntax_id;
150 c->status = dcerpc_binding_build_tower(s->pipe, s->binding, &s->twr.tower);
151 if (!composite_is_ok(c)) return;
153 /* with some nice pretty paper around it of course */
154 s->r.in.object = &s->guid;
155 s->r.in.map_tower = &s->twr;
156 s->r.in.entry_handle = &s->handle;
157 s->r.in.max_towers = 1;
158 s->r.out.entry_handle = &s->handle;
159 s->r.out.num_towers = &s->num_towers;
161 /* send request for an endpoint mapping - a rpc request on connected pipe */
162 subreq = dcerpc_epm_Map_r_send(s, c->event_ctx,
163 s->pipe->binding_handle,
165 if (composite_nomem(subreq, c)) return;
167 tevent_req_set_callback(subreq, continue_epm_map, c);
172 Stage 3 of epm_map_binding: Receive endpoint mapping and provide binding details
174 static void continue_epm_map(struct tevent_req *subreq)
176 struct composite_context *c = tevent_req_callback_data(subreq,
177 struct composite_context);
178 struct epm_map_binding_state *s = talloc_get_type(c->private_data,
179 struct epm_map_binding_state);
181 /* receive result of a rpc request */
182 c->status = dcerpc_epm_Map_r_recv(subreq, s);
184 if (!composite_is_ok(c)) return;
186 /* check the details */
187 if (s->r.out.result != 0 || *s->r.out.num_towers != 1) {
188 composite_error(c, NT_STATUS_PORT_UNREACHABLE);
192 s->twr_r = s->r.out.towers[0].twr;
193 if (s->twr_r == NULL) {
194 composite_error(c, NT_STATUS_PORT_UNREACHABLE);
198 if (s->twr_r->tower.num_floors != s->twr.tower.num_floors ||
199 s->twr_r->tower.floors[3].lhs.protocol != s->twr.tower.floors[3].lhs.protocol) {
200 composite_error(c, NT_STATUS_PORT_UNREACHABLE);
204 /* get received endpoint */
205 s->binding->endpoint = talloc_reference(s->binding,
206 dcerpc_floor_get_rhs_data(c, &s->twr_r->tower.floors[3]));
207 if (composite_nomem(s->binding->endpoint, c)) return;
214 Request for endpoint mapping of dcerpc binding - try to request for endpoint
215 unless there is default one.
217 struct composite_context *dcerpc_epm_map_binding_send(TALLOC_CTX *mem_ctx,
218 struct dcerpc_binding *binding,
219 const struct ndr_interface_table *table,
220 struct tevent_context *ev,
221 struct loadparm_context *lp_ctx)
223 struct composite_context *c;
224 struct epm_map_binding_state *s;
225 struct composite_context *pipe_connect_req;
226 struct cli_credentials *anon_creds;
229 struct dcerpc_binding *epmapper_binding;
236 /* composite context allocation and setup */
237 c = composite_create(mem_ctx, ev);
242 s = talloc_zero(c, struct epm_map_binding_state);
243 if (composite_nomem(s, c)) return c;
246 s->binding = binding;
249 /* anonymous credentials for rpc connection used to get endpoint mapping */
250 anon_creds = cli_credentials_init(mem_ctx);
251 cli_credentials_set_anonymous(anon_creds);
254 First, check if there is a default endpoint specified in the IDL
257 struct dcerpc_binding *default_binding;
259 /* Find one of the default pipes for this interface */
260 for (i = 0; i < table->endpoints->count; i++) {
261 status = dcerpc_parse_binding(mem_ctx, table->endpoints->names[i], &default_binding);
263 if (NT_STATUS_IS_OK(status)) {
264 if (binding->transport == NCA_UNKNOWN)
265 binding->transport = default_binding->transport;
266 if (default_binding->transport == binding->transport &&
267 default_binding->endpoint) {
268 binding->endpoint = talloc_reference(binding, default_binding->endpoint);
269 talloc_free(default_binding);
275 talloc_free(default_binding);
281 epmapper_binding = talloc_zero(c, struct dcerpc_binding);
282 if (composite_nomem(epmapper_binding, c)) return c;
284 /* basic endpoint mapping data */
285 epmapper_binding->transport = binding->transport;
286 epmapper_binding->host = talloc_reference(epmapper_binding, binding->host);
287 epmapper_binding->target_hostname = epmapper_binding->host;
288 epmapper_binding->options = NULL;
289 epmapper_binding->localaddress = talloc_reference(epmapper_binding, binding->localaddress);
290 epmapper_binding->flags = 0;
291 epmapper_binding->assoc_group_id = 0;
292 epmapper_binding->endpoint = NULL;
294 /* initiate rpc pipe connection */
295 pipe_connect_req = dcerpc_pipe_connect_b_send(c, epmapper_binding,
297 anon_creds, c->event_ctx,
299 if (composite_nomem(pipe_connect_req, c)) return c;
301 composite_continue(c, pipe_connect_req, continue_epm_recv_binding, c);
307 Receive result of endpoint mapping request
309 NTSTATUS dcerpc_epm_map_binding_recv(struct composite_context *c)
311 NTSTATUS status = composite_wait(c);
319 Get endpoint mapping for rpc connection
321 _PUBLIC_ NTSTATUS dcerpc_epm_map_binding(TALLOC_CTX *mem_ctx, struct dcerpc_binding *binding,
322 const struct ndr_interface_table *table, struct tevent_context *ev,
323 struct loadparm_context *lp_ctx)
325 struct composite_context *c;
327 c = dcerpc_epm_map_binding_send(mem_ctx, binding, table, ev, lp_ctx);
328 return dcerpc_epm_map_binding_recv(c);
332 struct pipe_auth_state {
333 struct dcerpc_pipe *pipe;
334 struct dcerpc_binding *binding;
335 const struct ndr_interface_table *table;
336 struct loadparm_context *lp_ctx;
337 struct cli_credentials *credentials;
341 static void continue_auth_schannel(struct composite_context *ctx);
342 static void continue_auth(struct composite_context *ctx);
343 static void continue_auth_none(struct composite_context *ctx);
344 static void continue_ntlmssp_connection(struct composite_context *ctx);
345 static void continue_spnego_after_wrong_pass(struct composite_context *ctx);
349 Stage 2 of pipe_auth: Receive result of schannel bind request
351 static void continue_auth_schannel(struct composite_context *ctx)
353 struct composite_context *c = talloc_get_type(ctx->async.private_data,
354 struct composite_context);
356 c->status = dcerpc_bind_auth_schannel_recv(ctx);
357 if (!composite_is_ok(c)) return;
364 Stage 2 of pipe_auth: Receive result of authenticated bind request
366 static void continue_auth(struct composite_context *ctx)
368 struct composite_context *c = talloc_get_type(ctx->async.private_data,
369 struct composite_context);
371 c->status = dcerpc_bind_auth_recv(ctx);
372 if (!composite_is_ok(c)) return;
377 Stage 2 of pipe_auth: Receive result of authenticated bind request, but handle fallbacks:
380 static void continue_auth_auto(struct composite_context *ctx)
382 struct composite_context *c = talloc_get_type(ctx->async.private_data,
383 struct composite_context);
384 struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state);
385 struct composite_context *sec_conn_req;
387 c->status = dcerpc_bind_auth_recv(ctx);
388 if (NT_STATUS_EQUAL(c->status, NT_STATUS_INVALID_PARAMETER)) {
390 * Retry with NTLMSSP auth as fallback
391 * send a request for secondary rpc connection
393 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
395 composite_continue(c, sec_conn_req, continue_ntlmssp_connection, c);
397 } else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
398 if (cli_credentials_wrong_password(s->credentials)) {
400 * Retry SPNEGO with a better password
401 * send a request for secondary rpc connection
403 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
405 composite_continue(c, sec_conn_req, continue_spnego_after_wrong_pass, c);
410 if (!composite_is_ok(c)) return;
416 Stage 3 of pipe_auth (fallback to NTLMSSP case): Receive secondary
417 rpc connection (the first one can't be used any more, due to the
418 bind nak) and perform authenticated bind request
420 static void continue_ntlmssp_connection(struct composite_context *ctx)
422 struct composite_context *c;
423 struct pipe_auth_state *s;
424 struct composite_context *auth_req;
425 struct dcerpc_pipe *p2;
428 c = talloc_get_type(ctx->async.private_data, struct composite_context);
429 s = talloc_get_type(c->private_data, struct pipe_auth_state);
431 /* receive secondary rpc connection */
432 c->status = dcerpc_secondary_connection_recv(ctx, &p2);
433 if (!composite_is_ok(c)) return;
436 /* this is a rather strange situation. When
437 we come into the routine, s is a child of s->pipe, and
438 when we created p2 above, it also became a child of
441 Now we want p2 to be a parent of s->pipe, and we want s to
442 be a parent of both of them! If we don't do this very
443 carefully we end up creating a talloc loop
446 /* we need the new contexts to hang off the same context
447 that s->pipe is on, but the only way to get that is
448 via talloc_parent() */
449 pp = talloc_parent(s->pipe);
451 /* promote s to be at the top */
454 /* and put p2 under s */
457 /* now put s->pipe under p2 */
458 talloc_steal(p2, s->pipe);
462 /* initiate a authenticated bind */
463 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
465 lpcfg_gensec_settings(c, s->lp_ctx),
466 DCERPC_AUTH_TYPE_NTLMSSP,
467 dcerpc_auth_level(s->pipe->conn),
468 s->table->authservices->names[0]);
469 composite_continue(c, auth_req, continue_auth, c);
473 Stage 3 of pipe_auth (retry on wrong password): Receive secondary
474 rpc connection (the first one can't be used any more, due to the
475 bind nak) and perform authenticated bind request
477 static void continue_spnego_after_wrong_pass(struct composite_context *ctx)
479 struct composite_context *c;
480 struct pipe_auth_state *s;
481 struct composite_context *auth_req;
482 struct dcerpc_pipe *p2;
484 c = talloc_get_type(ctx->async.private_data, struct composite_context);
485 s = talloc_get_type(c->private_data, struct pipe_auth_state);
487 /* receive secondary rpc connection */
488 c->status = dcerpc_secondary_connection_recv(ctx, &p2);
489 if (!composite_is_ok(c)) return;
492 talloc_steal(p2, s->pipe);
495 /* initiate a authenticated bind */
496 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
498 lpcfg_gensec_settings(c, s->lp_ctx),
499 DCERPC_AUTH_TYPE_SPNEGO,
500 dcerpc_auth_level(s->pipe->conn),
501 s->table->authservices->names[0]);
502 composite_continue(c, auth_req, continue_auth, c);
507 Stage 2 of pipe_auth: Receive result of non-authenticated bind request
509 static void continue_auth_none(struct composite_context *ctx)
511 struct composite_context *c = talloc_get_type(ctx->async.private_data,
512 struct composite_context);
514 c->status = dcerpc_bind_auth_none_recv(ctx);
515 if (!composite_is_ok(c)) return;
522 Request to perform an authenticated bind if required. Authentication
523 is determined using credentials passed and binding flags.
525 struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
526 struct dcerpc_binding *binding,
527 const struct ndr_interface_table *table,
528 struct cli_credentials *credentials,
529 struct loadparm_context *lp_ctx)
531 struct composite_context *c;
532 struct pipe_auth_state *s;
533 struct composite_context *auth_schannel_req;
534 struct composite_context *auth_req;
535 struct composite_context *auth_none_req;
536 struct dcecli_connection *conn;
539 /* composite context allocation and setup */
540 c = composite_create(p, p->conn->event_ctx);
541 if (c == NULL) return NULL;
543 s = talloc_zero(c, struct pipe_auth_state);
544 if (composite_nomem(s, c)) return c;
547 /* store parameters in state structure */
548 s->binding = binding;
550 s->credentials = credentials;
554 conn = s->pipe->conn;
555 conn->flags = binding->flags;
558 conn->flags |= DCERPC_DEBUG_PRINT_BOTH;
561 /* remember the binding string for possible secondary connections */
562 conn->binding_string = dcerpc_binding_string(p, binding);
564 if (cli_credentials_is_anonymous(s->credentials)) {
565 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe, s->table);
566 composite_continue(c, auth_none_req, continue_auth_none, c);
570 if ((binding->flags & DCERPC_SCHANNEL) &&
571 !cli_credentials_get_netlogon_creds(s->credentials)) {
572 /* If we don't already have netlogon credentials for
573 * the schannel bind, then we have to get these
575 auth_schannel_req = dcerpc_bind_auth_schannel_send(c, s->pipe, s->table,
576 s->credentials, s->lp_ctx,
577 dcerpc_auth_level(conn));
578 composite_continue(c, auth_schannel_req, continue_auth_schannel, c);
583 * we rely on the already authenticated CIFS connection
584 * if not doing sign or seal
586 if (conn->transport.transport == NCACN_NP &&
587 !(s->binding->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
588 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe, s->table);
589 composite_continue(c, auth_none_req, continue_auth_none, c);
594 /* Perform an authenticated DCE-RPC bind
596 if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
598 we are doing an authenticated connection,
599 but not using sign or seal. We must force
600 the CONNECT dcerpc auth type as a NONE auth
601 type doesn't allow authentication
602 information to be passed.
604 conn->flags |= DCERPC_CONNECT;
607 if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
608 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
610 } else if (s->binding->flags & DCERPC_AUTH_KRB5) {
611 auth_type = DCERPC_AUTH_TYPE_KRB5;
613 } else if (s->binding->flags & DCERPC_SCHANNEL) {
614 auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
616 } else if (s->binding->flags & DCERPC_AUTH_NTLM) {
617 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
620 /* try SPNEGO with fallback to NTLMSSP */
621 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
623 lpcfg_gensec_settings(c, s->lp_ctx),
624 DCERPC_AUTH_TYPE_SPNEGO,
625 dcerpc_auth_level(conn),
626 s->table->authservices->names[0]);
627 composite_continue(c, auth_req, continue_auth_auto, c);
631 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
633 lpcfg_gensec_settings(c, s->lp_ctx),
635 dcerpc_auth_level(conn),
636 s->table->authservices->names[0]);
637 composite_continue(c, auth_req, continue_auth, c);
643 Receive result of authenticated bind request on dcerpc pipe
645 This returns *p, which may be different to the one originally
646 supllied, as it rebinds to a new pipe due to authentication fallback
649 NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c, TALLOC_CTX *mem_ctx,
650 struct dcerpc_pipe **p)
654 struct pipe_auth_state *s = talloc_get_type(c->private_data,
655 struct pipe_auth_state);
656 status = composite_wait(c);
657 if (!NT_STATUS_IS_OK(status)) {
658 char *uuid_str = GUID_string(s->pipe, &s->table->syntax_id.uuid);
659 DEBUG(0, ("Failed to bind to uuid %s for %s %s\n", uuid_str,
660 dcerpc_binding_string(uuid_str, s->binding), nt_errstr(status)));
661 talloc_free(uuid_str);
663 talloc_steal(mem_ctx, s->pipe);
673 Perform an authenticated bind if needed - sync version
675 This may change *p, as it rebinds to a new pipe due to authentication fallback
677 _PUBLIC_ NTSTATUS dcerpc_pipe_auth(TALLOC_CTX *mem_ctx,
678 struct dcerpc_pipe **p,
679 struct dcerpc_binding *binding,
680 const struct ndr_interface_table *table,
681 struct cli_credentials *credentials,
682 struct loadparm_context *lp_ctx)
684 struct composite_context *c;
686 c = dcerpc_pipe_auth_send(*p, binding, table, credentials, lp_ctx);
687 return dcerpc_pipe_auth_recv(c, mem_ctx, p);
691 NTSTATUS dcerpc_generic_session_key(struct dcecli_connection *c,
692 DATA_BLOB *session_key)
694 /* this took quite a few CPU cycles to find ... */
695 session_key->data = discard_const_p(unsigned char, "SystemLibraryDTC");
696 session_key->length = 16;
701 fetch the user session key - may be default (above) or the SMB session key
703 The key is always truncated to 16 bytes
705 _PUBLIC_ NTSTATUS dcerpc_fetch_session_key(struct dcerpc_pipe *p,
706 DATA_BLOB *session_key)
709 status = p->conn->security_state.session_key(p->conn, session_key);
710 if (!NT_STATUS_IS_OK(status)) {
714 session_key->length = MIN(session_key->length, 16);
721 log a rpc packet in a format suitable for ndrdump. This is especially useful
722 for sealed packets, where ethereal cannot easily see the contents
724 this triggers on a debug level of >= 10
726 _PUBLIC_ void dcerpc_log_packet(const char *lockdir,
727 const struct ndr_interface_table *ndr,
728 uint32_t opnum, uint32_t flags,
729 const DATA_BLOB *pkt)
731 const int num_examples = 20;
734 if (lockdir == NULL) return;
736 for (i=0;i<num_examples;i++) {
738 asprintf(&name, "%s/rpclog/%s-%u.%d.%s",
739 lockdir, ndr->name, opnum, i,
740 (flags&NDR_IN)?"in":"out");
744 if (!file_exist(name)) {
745 if (file_save(name, pkt->data, pkt->length)) {
746 DEBUG(10,("Logged rpc packet to %s\n", name));
758 create a secondary context from a primary connection
760 this uses dcerpc_alter_context() to create a new dcerpc context_id
762 _PUBLIC_ NTSTATUS dcerpc_secondary_context(struct dcerpc_pipe *p,
763 struct dcerpc_pipe **pp2,
764 const struct ndr_interface_table *table)
767 struct dcerpc_pipe *p2;
769 p2 = talloc_zero(p, struct dcerpc_pipe);
771 return NT_STATUS_NO_MEMORY;
773 p2->conn = talloc_reference(p2, p->conn);
774 p2->request_timeout = p->request_timeout;
776 p2->context_id = ++p->conn->next_context_id;
778 p2->syntax = table->syntax_id;
780 p2->transfer_syntax = p->transfer_syntax;
782 p2->binding = talloc_reference(p2, p->binding);
784 p2->binding_handle = dcerpc_pipe_binding_handle(p2);
785 if (p2->binding_handle == NULL) {
787 return NT_STATUS_NO_MEMORY;
790 status = dcerpc_alter_context(p2, p2, &p2->syntax, &p2->transfer_syntax);
791 if (!NT_STATUS_IS_OK(status)) {
git.samba.org / kai / samba.git / blob