2 Unix SMB/CIFS implementation.
4 dcerpc utility functions
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Jelmer Vernooij 2004
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
9 Copyright (C) Rafal Szczesniak 2006
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "lib/events/events.h"
27 #include "libcli/composite/composite.h"
28 #include "librpc/gen_ndr/ndr_epmapper_c.h"
29 #include "librpc/gen_ndr/ndr_dcerpc.h"
30 #include "librpc/gen_ndr/ndr_misc.h"
31 #include "librpc/rpc/dcerpc_proto.h"
32 #include "auth/credentials/credentials.h"
33 #include "param/param.h"
36 find a dcerpc call on an interface by name
38 const struct ndr_interface_call *dcerpc_iface_find_call(const struct ndr_interface_table *iface,
42 for (i=0;i<iface->num_calls;i++) {
43 if (strcmp(iface->calls[i].name, name) == 0) {
44 return &iface->calls[i];
51 push a ncacn_packet into a blob, potentially with auth info
53 NTSTATUS ncacn_push_auth(DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
54 struct smb_iconv_convenience *iconv_convenience,
55 struct ncacn_packet *pkt,
56 struct dcerpc_auth *auth_info)
59 enum ndr_err_code ndr_err;
61 ndr = ndr_push_init_ctx(mem_ctx, iconv_convenience);
63 return NT_STATUS_NO_MEMORY;
66 if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
67 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
70 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
71 ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
75 pkt->auth_length = auth_info->credentials.length;
80 ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
81 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
82 return ndr_map_error2ntstatus(ndr_err);
86 uint32_t offset = ndr->offset;
87 ndr_err = ndr_push_align(ndr, 16);
88 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
89 return ndr_map_error2ntstatus(ndr_err);
91 auth_info->auth_pad_length = ndr->offset - offset;
92 ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth_info);
93 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
94 return ndr_map_error2ntstatus(ndr_err);
98 *blob = ndr_push_blob(ndr);
100 /* fill in the frag length */
101 dcerpc_set_frag_length(blob, blob->length);
107 struct epm_map_binding_state {
108 struct dcerpc_binding *binding;
109 const struct ndr_interface_table *table;
110 struct dcerpc_pipe *pipe;
111 struct policy_handle handle;
113 struct epm_twr_t twr;
114 struct epm_twr_t *twr_r;
119 static void continue_epm_recv_binding(struct composite_context *ctx);
120 static void continue_epm_map(struct rpc_request *req);
124 Stage 2 of epm_map_binding: Receive connected rpc pipe and send endpoint
127 static void continue_epm_recv_binding(struct composite_context *ctx)
129 struct rpc_request *map_req;
131 struct composite_context *c = talloc_get_type(ctx->async.private_data,
132 struct composite_context);
133 struct epm_map_binding_state *s = talloc_get_type(c->private_data,
134 struct epm_map_binding_state);
136 /* receive result of rpc pipe connect request */
137 c->status = dcerpc_pipe_connect_b_recv(ctx, c, &s->pipe);
138 if (!composite_is_ok(c)) return;
140 s->pipe->conn->flags |= DCERPC_NDR_REF_ALLOC;
142 /* prepare requested binding parameters */
143 s->binding->object = s->table->syntax_id;
145 c->status = dcerpc_binding_build_tower(s->pipe, s->binding, &s->twr.tower);
146 if (!composite_is_ok(c)) return;
148 /* with some nice pretty paper around it of course */
149 s->r.in.object = &s->guid;
150 s->r.in.map_tower = &s->twr;
151 s->r.in.entry_handle = &s->handle;
152 s->r.in.max_towers = 1;
153 s->r.out.entry_handle = &s->handle;
155 /* send request for an endpoint mapping - a rpc request on connected pipe */
156 map_req = dcerpc_epm_Map_send(s->pipe, c, &s->r);
157 if (composite_nomem(map_req, c)) return;
159 composite_continue_rpc(c, map_req, continue_epm_map, c);
164 Stage 3 of epm_map_binding: Receive endpoint mapping and provide binding details
166 static void continue_epm_map(struct rpc_request *req)
168 struct composite_context *c = talloc_get_type(req->async.private_data,
169 struct composite_context);
170 struct epm_map_binding_state *s = talloc_get_type(c->private_data,
171 struct epm_map_binding_state);
173 /* receive result of a rpc request */
174 c->status = dcerpc_ndr_request_recv(req);
175 if (!composite_is_ok(c)) return;
177 /* check the details */
178 if (s->r.out.result != 0 || *s->r.out.num_towers != 1) {
179 composite_error(c, NT_STATUS_PORT_UNREACHABLE);
183 s->twr_r = s->r.out.towers[0].twr;
184 if (s->twr_r == NULL) {
185 composite_error(c, NT_STATUS_PORT_UNREACHABLE);
189 if (s->twr_r->tower.num_floors != s->twr.tower.num_floors ||
190 s->twr_r->tower.floors[3].lhs.protocol != s->twr.tower.floors[3].lhs.protocol) {
191 composite_error(c, NT_STATUS_PORT_UNREACHABLE);
195 /* get received endpoint */
196 s->binding->endpoint = talloc_reference(s->binding,
197 dcerpc_floor_get_rhs_data(c, &s->twr_r->tower.floors[3]));
198 if (composite_nomem(s->binding->endpoint, c)) return;
205 Request for endpoint mapping of dcerpc binding - try to request for endpoint
206 unless there is default one.
208 struct composite_context *dcerpc_epm_map_binding_send(TALLOC_CTX *mem_ctx,
209 struct dcerpc_binding *binding,
210 const struct ndr_interface_table *table,
211 struct tevent_context *ev,
212 struct loadparm_context *lp_ctx)
214 struct composite_context *c;
215 struct epm_map_binding_state *s;
216 struct composite_context *pipe_connect_req;
217 struct cli_credentials *anon_creds;
220 struct dcerpc_binding *epmapper_binding;
227 /* composite context allocation and setup */
228 c = composite_create(mem_ctx, ev);
233 s = talloc_zero(c, struct epm_map_binding_state);
234 if (composite_nomem(s, c)) return c;
237 s->binding = binding;
240 /* anonymous credentials for rpc connection used to get endpoint mapping */
241 anon_creds = cli_credentials_init(mem_ctx);
242 cli_credentials_set_anonymous(anon_creds);
245 First, check if there is a default endpoint specified in the IDL
248 struct dcerpc_binding *default_binding;
250 /* Find one of the default pipes for this interface */
251 for (i = 0; i < table->endpoints->count; i++) {
252 status = dcerpc_parse_binding(mem_ctx, table->endpoints->names[i], &default_binding);
254 if (NT_STATUS_IS_OK(status)) {
255 if (binding->transport == NCA_UNKNOWN)
256 binding->transport = default_binding->transport;
257 if (default_binding->transport == binding->transport &&
258 default_binding->endpoint) {
259 binding->endpoint = talloc_reference(binding, default_binding->endpoint);
260 talloc_free(default_binding);
266 talloc_free(default_binding);
272 epmapper_binding = talloc_zero(c, struct dcerpc_binding);
273 if (composite_nomem(epmapper_binding, c)) return c;
275 /* basic endpoint mapping data */
276 epmapper_binding->transport = binding->transport;
277 epmapper_binding->host = talloc_reference(epmapper_binding, binding->host);
278 epmapper_binding->target_hostname = epmapper_binding->host;
279 epmapper_binding->options = NULL;
280 epmapper_binding->flags = 0;
281 epmapper_binding->assoc_group_id = 0;
282 epmapper_binding->endpoint = NULL;
284 /* initiate rpc pipe connection */
285 pipe_connect_req = dcerpc_pipe_connect_b_send(c, epmapper_binding,
287 anon_creds, c->event_ctx,
289 if (composite_nomem(pipe_connect_req, c)) return c;
291 composite_continue(c, pipe_connect_req, continue_epm_recv_binding, c);
297 Receive result of endpoint mapping request
299 NTSTATUS dcerpc_epm_map_binding_recv(struct composite_context *c)
301 NTSTATUS status = composite_wait(c);
309 Get endpoint mapping for rpc connection
311 _PUBLIC_ NTSTATUS dcerpc_epm_map_binding(TALLOC_CTX *mem_ctx, struct dcerpc_binding *binding,
312 const struct ndr_interface_table *table, struct tevent_context *ev,
313 struct loadparm_context *lp_ctx)
315 struct composite_context *c;
317 c = dcerpc_epm_map_binding_send(mem_ctx, binding, table, ev, lp_ctx);
318 return dcerpc_epm_map_binding_recv(c);
322 struct pipe_auth_state {
323 struct dcerpc_pipe *pipe;
324 struct dcerpc_binding *binding;
325 const struct ndr_interface_table *table;
326 struct loadparm_context *lp_ctx;
327 struct cli_credentials *credentials;
331 static void continue_auth_schannel(struct composite_context *ctx);
332 static void continue_auth(struct composite_context *ctx);
333 static void continue_auth_none(struct composite_context *ctx);
334 static void continue_ntlmssp_connection(struct composite_context *ctx);
335 static void continue_spnego_after_wrong_pass(struct composite_context *ctx);
339 Stage 2 of pipe_auth: Receive result of schannel bind request
341 static void continue_auth_schannel(struct composite_context *ctx)
343 struct composite_context *c = talloc_get_type(ctx->async.private_data,
344 struct composite_context);
346 c->status = dcerpc_bind_auth_schannel_recv(ctx);
347 if (!composite_is_ok(c)) return;
354 Stage 2 of pipe_auth: Receive result of authenticated bind request
356 static void continue_auth(struct composite_context *ctx)
358 struct composite_context *c = talloc_get_type(ctx->async.private_data,
359 struct composite_context);
361 c->status = dcerpc_bind_auth_recv(ctx);
362 if (!composite_is_ok(c)) return;
367 Stage 2 of pipe_auth: Receive result of authenticated bind request, but handle fallbacks:
370 static void continue_auth_auto(struct composite_context *ctx)
372 struct composite_context *c = talloc_get_type(ctx->async.private_data,
373 struct composite_context);
374 struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state);
375 struct composite_context *sec_conn_req;
377 c->status = dcerpc_bind_auth_recv(ctx);
378 if (NT_STATUS_EQUAL(c->status, NT_STATUS_INVALID_PARAMETER)) {
380 * Retry with NTLMSSP auth as fallback
381 * send a request for secondary rpc connection
383 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
385 composite_continue(c, sec_conn_req, continue_ntlmssp_connection, c);
387 } else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
388 if (cli_credentials_wrong_password(s->credentials)) {
390 * Retry SPNEGO with a better password
391 * send a request for secondary rpc connection
393 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
395 composite_continue(c, sec_conn_req, continue_spnego_after_wrong_pass, c);
400 if (!composite_is_ok(c)) return;
406 Stage 3 of pipe_auth (fallback to NTLMSSP case): Receive secondary
407 rpc connection (the first one can't be used any more, due to the
408 bind nak) and perform authenticated bind request
410 static void continue_ntlmssp_connection(struct composite_context *ctx)
412 struct composite_context *c;
413 struct pipe_auth_state *s;
414 struct composite_context *auth_req;
415 struct dcerpc_pipe *p2;
417 c = talloc_get_type(ctx->async.private_data, struct composite_context);
418 s = talloc_get_type(c->private_data, struct pipe_auth_state);
420 /* receive secondary rpc connection */
421 c->status = dcerpc_secondary_connection_recv(ctx, &p2);
422 if (!composite_is_ok(c)) return;
425 talloc_steal(p2, s->pipe);
428 /* initiate a authenticated bind */
429 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
431 lp_gensec_settings(c, s->lp_ctx),
432 DCERPC_AUTH_TYPE_NTLMSSP,
433 dcerpc_auth_level(s->pipe->conn),
434 s->table->authservices->names[0]);
435 composite_continue(c, auth_req, continue_auth, c);
439 Stage 3 of pipe_auth (retry on wrong password): Receive secondary
440 rpc connection (the first one can't be used any more, due to the
441 bind nak) and perform authenticated bind request
443 static void continue_spnego_after_wrong_pass(struct composite_context *ctx)
445 struct composite_context *c;
446 struct pipe_auth_state *s;
447 struct composite_context *auth_req;
448 struct dcerpc_pipe *p2;
450 c = talloc_get_type(ctx->async.private_data, struct composite_context);
451 s = talloc_get_type(c->private_data, struct pipe_auth_state);
453 /* receive secondary rpc connection */
454 c->status = dcerpc_secondary_connection_recv(ctx, &p2);
455 if (!composite_is_ok(c)) return;
458 talloc_steal(p2, s->pipe);
461 /* initiate a authenticated bind */
462 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
464 lp_gensec_settings(c, s->lp_ctx),
465 DCERPC_AUTH_TYPE_SPNEGO,
466 dcerpc_auth_level(s->pipe->conn),
467 s->table->authservices->names[0]);
468 composite_continue(c, auth_req, continue_auth, c);
473 Stage 2 of pipe_auth: Receive result of non-authenticated bind request
475 static void continue_auth_none(struct composite_context *ctx)
477 struct composite_context *c = talloc_get_type(ctx->async.private_data,
478 struct composite_context);
480 c->status = dcerpc_bind_auth_none_recv(ctx);
481 if (!composite_is_ok(c)) return;
488 Request to perform an authenticated bind if required. Authentication
489 is determined using credentials passed and binding flags.
491 struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
492 struct dcerpc_binding *binding,
493 const struct ndr_interface_table *table,
494 struct cli_credentials *credentials,
495 struct loadparm_context *lp_ctx)
497 struct composite_context *c;
498 struct pipe_auth_state *s;
499 struct composite_context *auth_schannel_req;
500 struct composite_context *auth_req;
501 struct composite_context *auth_none_req;
502 struct dcerpc_connection *conn;
505 /* composite context allocation and setup */
506 c = composite_create(p, p->conn->event_ctx);
507 if (c == NULL) return NULL;
509 s = talloc_zero(c, struct pipe_auth_state);
510 if (composite_nomem(s, c)) return c;
513 /* store parameters in state structure */
514 s->binding = binding;
516 s->credentials = credentials;
520 conn = s->pipe->conn;
521 conn->flags = binding->flags;
524 conn->flags |= DCERPC_DEBUG_PRINT_BOTH;
527 /* remember the binding string for possible secondary connections */
528 conn->binding_string = dcerpc_binding_string(p, binding);
530 if (cli_credentials_is_anonymous(s->credentials)) {
531 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe, s->table);
532 composite_continue(c, auth_none_req, continue_auth_none, c);
536 if ((binding->flags & DCERPC_SCHANNEL) &&
537 !cli_credentials_get_netlogon_creds(s->credentials)) {
538 /* If we don't already have netlogon credentials for
539 * the schannel bind, then we have to get these
541 auth_schannel_req = dcerpc_bind_auth_schannel_send(c, s->pipe, s->table,
542 s->credentials, s->lp_ctx,
543 dcerpc_auth_level(conn));
544 composite_continue(c, auth_schannel_req, continue_auth_schannel, c);
549 * we rely on the already authenticated CIFS connection
550 * if not doing sign or seal
552 if (conn->transport.transport == NCACN_NP &&
553 !(s->binding->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
554 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe, s->table);
555 composite_continue(c, auth_none_req, continue_auth_none, c);
560 /* Perform an authenticated DCE-RPC bind
562 if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
564 we are doing an authenticated connection,
565 but not using sign or seal. We must force
566 the CONNECT dcerpc auth type as a NONE auth
567 type doesn't allow authentication
568 information to be passed.
570 conn->flags |= DCERPC_CONNECT;
573 if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
574 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
576 } else if (s->binding->flags & DCERPC_AUTH_KRB5) {
577 auth_type = DCERPC_AUTH_TYPE_KRB5;
579 } else if (s->binding->flags & DCERPC_SCHANNEL) {
580 auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
582 } else if (s->binding->flags & DCERPC_AUTH_NTLM) {
583 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
586 /* try SPNEGO with fallback to NTLMSSP */
587 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
589 lp_gensec_settings(c, s->lp_ctx),
590 DCERPC_AUTH_TYPE_SPNEGO,
591 dcerpc_auth_level(conn),
592 s->table->authservices->names[0]);
593 composite_continue(c, auth_req, continue_auth_auto, c);
597 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
599 lp_gensec_settings(c, s->lp_ctx),
601 dcerpc_auth_level(conn),
602 s->table->authservices->names[0]);
603 composite_continue(c, auth_req, continue_auth, c);
609 Receive result of authenticated bind request on dcerpc pipe
611 This returns *p, which may be different to the one originally
612 supllied, as it rebinds to a new pipe due to authentication fallback
615 NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c, TALLOC_CTX *mem_ctx,
616 struct dcerpc_pipe **p)
620 struct pipe_auth_state *s = talloc_get_type(c->private_data,
621 struct pipe_auth_state);
622 status = composite_wait(c);
623 if (!NT_STATUS_IS_OK(status)) {
624 char *uuid_str = GUID_string(s->pipe, &s->table->syntax_id.uuid);
625 DEBUG(0, ("Failed to bind to uuid %s - %s\n", uuid_str, nt_errstr(status)));
626 talloc_free(uuid_str);
628 talloc_steal(mem_ctx, s->pipe);
638 Perform an authenticated bind if needed - sync version
640 This may change *p, as it rebinds to a new pipe due to authentication fallback
642 _PUBLIC_ NTSTATUS dcerpc_pipe_auth(TALLOC_CTX *mem_ctx,
643 struct dcerpc_pipe **p,
644 struct dcerpc_binding *binding,
645 const struct ndr_interface_table *table,
646 struct cli_credentials *credentials,
647 struct loadparm_context *lp_ctx)
649 struct composite_context *c;
651 c = dcerpc_pipe_auth_send(*p, binding, table, credentials, lp_ctx);
652 return dcerpc_pipe_auth_recv(c, mem_ctx, p);
656 NTSTATUS dcerpc_generic_session_key(struct dcerpc_connection *c,
657 DATA_BLOB *session_key)
659 /* this took quite a few CPU cycles to find ... */
660 session_key->data = discard_const_p(unsigned char, "SystemLibraryDTC");
661 session_key->length = 16;
666 fetch the user session key - may be default (above) or the SMB session key
668 The key is always truncated to 16 bytes
670 _PUBLIC_ NTSTATUS dcerpc_fetch_session_key(struct dcerpc_pipe *p,
671 DATA_BLOB *session_key)
674 status = p->conn->security_state.session_key(p->conn, session_key);
675 if (!NT_STATUS_IS_OK(status)) {
679 session_key->length = MIN(session_key->length, 16);
686 log a rpc packet in a format suitable for ndrdump. This is especially useful
687 for sealed packets, where ethereal cannot easily see the contents
689 this triggers on a debug level of >= 10
691 _PUBLIC_ void dcerpc_log_packet(const char *lockdir,
692 const struct ndr_interface_table *ndr,
693 uint32_t opnum, uint32_t flags,
696 const int num_examples = 20;
699 if (lockdir == NULL) return;
701 for (i=0;i<num_examples;i++) {
703 asprintf(&name, "%s/rpclog/%s-%u.%d.%s",
704 lockdir, ndr->name, opnum, i,
705 (flags&NDR_IN)?"in":"out");
709 if (!file_exist(name)) {
710 if (file_save(name, pkt->data, pkt->length)) {
711 DEBUG(10,("Logged rpc packet to %s\n", name));
723 create a secondary context from a primary connection
725 this uses dcerpc_alter_context() to create a new dcerpc context_id
727 _PUBLIC_ NTSTATUS dcerpc_secondary_context(struct dcerpc_pipe *p,
728 struct dcerpc_pipe **pp2,
729 const struct ndr_interface_table *table)
732 struct dcerpc_pipe *p2;
734 p2 = talloc_zero(p, struct dcerpc_pipe);
736 return NT_STATUS_NO_MEMORY;
738 p2->conn = talloc_reference(p2, p->conn);
739 p2->request_timeout = p->request_timeout;
741 p2->context_id = ++p->conn->next_context_id;
743 p2->syntax = table->syntax_id;
745 p2->transfer_syntax = p->transfer_syntax;
747 p2->binding = talloc_reference(p2, p->binding);
749 status = dcerpc_alter_context(p2, p2, &p2->syntax, &p2->transfer_syntax);
750 if (!NT_STATUS_IS_OK(status)) {
762 pull an dcerpc_auth structure, taking account of any auth padding in
763 the blob at the end of the structure
765 NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
767 DATA_BLOB *pkt_auth_blob,
768 struct dcerpc_auth *auth,
769 uint32_t *auth_length,
772 struct ndr_pull *ndr;
773 enum ndr_err_code ndr_err;
776 pad = pkt_auth_blob->length - (DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length);
777 *auth_length = pkt_auth_blob->length - pad;
779 ndr = ndr_pull_init_blob(pkt_auth_blob, mem_ctx, NULL);
781 return NT_STATUS_NO_MEMORY;
784 if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
785 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
788 ndr_err = ndr_pull_advance(ndr, pad);
789 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
791 return ndr_map_error2ntstatus(ndr_err);
794 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
795 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
797 return ndr_map_error2ntstatus(ndr_err);
800 if (check_pad && pad != auth->auth_pad_length) {
801 DEBUG(1,(__location__ ": WARNING: pad length mismatch. Calculated %u got %u\n",
802 (unsigned)pad, (unsigned)auth->auth_pad_length));
805 DEBUG(6,(__location__ ": auth_pad_length %u\n",
806 (unsigned)auth->auth_pad_length));
808 talloc_steal(mem_ctx, auth->credentials.data);