STEP01: dcerpc_do_bind_handle_in_frag alter...

[metze/samba/wip.git] / librpc / rpc / dcerpc_connection.c

/*
 *  Unix SMB/CIFS implementation.
 *  DCERPC client routines
 *
 *  Copyright (C) Stefan Metzmacher 2011
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

#include "includes.h"
#include "system/network.h"
#include <tevent.h>
#include "lib/util/tevent_ntstatus.h"
#include "lib/tsocket/tsocket.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "source3/librpc/rpc/dcerpc.h"
#include "source4/librpc/rpc/dcerpc.h"
#include "auth/gensec/gensec.h"
#include "librpc/rpc/dcerpc_connection.h"
#include "../lib/util/dlinklist.h"

struct dcerpc_association;
struct dcerpc_connection;
struct dcerpc_security;
struct dcerpc_presentation;
struct dcerpc_call;

struct dcerpc_association {
        uint32_t assoc_group_id;
        uint16_t client_features;
        uint16_t features;
        bool negotiate_done;
        uint32_t next_call_id;
};

struct dcerpc_connection {
        struct dcerpc_association *assoc;

        struct {
                struct tstream_context *stream;
                dcerpc_connection_use_trans_fn use_trans_fn;
                struct tevent_queue *write_queue;
        } transport;

        struct {
                uint16_t max_xmit_frag;
                uint16_t max_recv_frag;
                bool concurrent_multiplex;
                bool bind_done;
        } features;

        uint32_t next_sec_context_id;
        uint16_t next_pres_context_id;

        struct {
                struct tevent_queue *out_queue;
                struct dcerpc_call *list;
                struct dcerpc_call *active;
        } calls;

        struct {
                struct tevent_context *ev;
                struct tevent_req *subreq;
        } loop;
};

struct dcerpc_security {
        uint32_t context_id;
        enum dcerpc_AuthType auth_type;
        enum dcerpc_AuthLevel auth_level;
        struct gensec_security *gensec;
};

struct dcerpc_presentation {
        uint16_t context_id;
        const struct ndr_interface_table *table;
        struct ndr_syntax_id transfer;
        struct {
                struct dcerpc_ctx_list req;
                struct dcerpc_ack_ctx ack;
        } negotiate;
};

struct dcerpc_call {
        struct dcerpc_call *prev, *next;
        uint32_t call_id;

        struct dcerpc_security *sec;
        struct dcerpc_presentation *pres;

        struct {
                void *private_data;
                NTSTATUS (*handler)(void *private_data,
                                    struct ncacn_packet *pkt,
                                    DATA_BLOB frag);
        } incoming;
};

struct dcerpc_association *dcerpc_association_create(TALLOC_CTX *mem_ctx,
                                                     uint16_t client_features)
{
        struct dcerpc_association *assoc;

        assoc = talloc_zero(mem_ctx, struct dcerpc_association);
        if (assoc == NULL) {
                return NULL;
        }

        assoc->next_call_id = 1;

        assoc->client_features = client_features;

        return assoc;
}

struct dcerpc_connection *dcerpc_connection_create(TALLOC_CTX *mem_ctx,
                                        struct dcerpc_association *assoc,
                                        struct tstream_context **stream)
{
        struct dcerpc_connection *conn;

        conn = talloc_zero(mem_ctx, struct dcerpc_connection);
        if (conn == NULL) {
                return NULL;
        }
        conn->assoc = assoc;

        conn->transport.stream = talloc_move(conn, stream);
        conn->transport.write_queue = tevent_queue_create(conn, "write_queue");
        if (conn->transport.write_queue == NULL) {
                talloc_free(conn);
                return NULL;
        }

        conn->features.max_xmit_frag = 4280;
        conn->features.max_recv_frag = 4280;

        conn->calls.out_queue = tevent_queue_create(conn, "out_queue");
        if (conn->calls.out_queue == NULL) {
                talloc_free(conn);
                return NULL;
        }

        return conn;
}

void dcerpc_connection_set_use_trans_fn(struct dcerpc_connection *conn,
                                        dcerpc_connection_use_trans_fn fn)
{
        conn->transport.use_trans_fn = fn;
}

struct dcerpc_security *dcerpc_security_allocate(
                                        TALLOC_CTX *mem_ctx,
                                        struct dcerpc_connection *conn,
                                        enum dcerpc_AuthType auth_type,
                                        enum dcerpc_AuthLevel auth_level,
                                        struct gensec_security **gensec)
{
        struct dcerpc_security *sec;

        sec = talloc_zero(mem_ctx, struct dcerpc_security);
        if (sec == NULL) {
                return NULL;
        }

        sec->context_id = conn->next_sec_context_id++;
        sec->auth_type = auth_type;
        sec->auth_level = auth_level;

        if (gensec != NULL) {
                sec->gensec = talloc_move(sec, gensec);
        }

        return sec;
}

struct dcerpc_presentation *dcerpc_presentation_allocate(
                                        TALLOC_CTX *mem_ctx,
                                        struct dcerpc_connection *conn,
                                        const struct ndr_interface_table *table,
                                        const struct ndr_syntax_id *transfer)
{
        struct dcerpc_presentation *pres;

        pres = talloc_zero(mem_ctx, struct dcerpc_presentation);
        if (pres == NULL) {
                return NULL;
        }

        pres->context_id = conn->next_pres_context_id++;
        pres->table = table;
        pres->transfer = *transfer;

        pres->negotiate.req.abstract_syntax = table->syntax_id;
        pres->negotiate.req.context_id = pres->context_id;
        pres->negotiate.req.num_transfer_syntaxes = 1;
        pres->negotiate.req.transfer_syntaxes = &pres->transfer;

        pres->negotiate.ack.result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
        pres->negotiate.ack.reason.value =
                DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;

        return pres;
}

struct dcerpc_call *dcerpc_call_allocate(TALLOC_CTX *mem_ctx,
                                         struct dcerpc_association *assoc,
                                         struct dcerpc_security *sec,
                                         struct dcerpc_presentation *pres)
{
        struct dcerpc_call *call;

        call = talloc_zero(mem_ctx, struct dcerpc_call);
        if (call == NULL) {
                return NULL;
        }

        call->call_id = assoc->next_call_id++;

        call->sec = sec;
        call->pres = pres;

        return call;
}

static NTSTATUS dcerpc_guess_pdu_sizes(struct dcerpc_security *sec,
                                       size_t header_len,
                                       size_t data_left,
                                       size_t max_xmit_frag,
                                       size_t pad_alignment,
                                       size_t *data_to_send,
                                       size_t *frag_len,
                                       size_t *auth_len,
                                       size_t *pad_len)
{
        size_t max_len;
        size_t mod_len;

        /* no auth token cases first */
        switch (sec->auth_level) {
        case DCERPC_AUTH_LEVEL_NONE:
        case DCERPC_AUTH_LEVEL_CONNECT:
        case DCERPC_AUTH_LEVEL_PACKET:
                max_len = max_xmit_frag - header_len;
                *data_to_send = MIN(max_len, data_left);
                *pad_len = 0;
                *auth_len = 0;
                *frag_len = header_len + *data_to_send;
                return NT_STATUS_OK;

        case DCERPC_AUTH_LEVEL_PRIVACY:
        case DCERPC_AUTH_LEVEL_INTEGRITY:
                if (sec->auth_type == DCERPC_AUTH_TYPE_NONE) {
                        return NT_STATUS_INVALID_PARAMETER_MIX;
                }
                if (sec->gensec == NULL) {
                        return NT_STATUS_INVALID_PARAMETER_MIX;
                }
                break;

        default:
                return NT_STATUS_INVALID_PARAMETER;
        }


        /* Sign/seal case, calculate auth and pad lengths */

        max_len = max_xmit_frag - header_len - DCERPC_AUTH_TRAILER_LENGTH;

        *auth_len = gensec_sig_size(sec->gensec, max_len);

        max_len -= *auth_len;

        *data_to_send = MIN(max_len, data_left);

        mod_len = (header_len + *data_to_send) % pad_alignment;
        if (mod_len) {
                *pad_len = pad_alignment - mod_len;
        } else {
                *pad_len = 0;
        }

        if (*data_to_send + *pad_len > max_len) {
                *data_to_send -= pad_alignment;
        }

        *frag_len = header_len + *data_to_send + *pad_len
                        + DCERPC_AUTH_TRAILER_LENGTH + *auth_len;

        return NT_STATUS_OK;
}

static NTSTATUS dcerpc_ncacn_push_auth(DATA_BLOB *blob,
                                       TALLOC_CTX *mem_ctx,
                                       struct ncacn_packet *pkt,
                                       struct dcerpc_auth *auth_info)
{
        struct ndr_push *ndr;
        enum ndr_err_code ndr_err;

        ndr = ndr_push_init_ctx(mem_ctx);
        if (!ndr) {
                return NT_STATUS_NO_MEMORY;
        }

        if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
                ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
        }

        if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
                ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
        }

        if (auth_info) {
                pkt->auth_length = auth_info->credentials.length;
        } else {
                pkt->auth_length = 0;
        }

        ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
        if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                return ndr_map_error2ntstatus(ndr_err);
        }

        if (auth_info) {
#if 0
                /* the s3 rpc server doesn't handle auth padding in
                   bind requests. Use zero auth padding to keep us
                   working with old servers */
                uint32_t offset = ndr->offset;
                ndr_err = ndr_push_align(ndr, 16);
                if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                        return ndr_map_error2ntstatus(ndr_err);
                }
                auth_info->auth_pad_length = ndr->offset - offset;
#else
                auth_info->auth_pad_length = 0;
#endif
                ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth_info);
                if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                        return ndr_map_error2ntstatus(ndr_err);
                }
        }

        *blob = ndr_push_blob(ndr);

        /* fill in the frag length */
        dcerpc_set_frag_length(blob, blob->length);

        return NT_STATUS_OK;
}

static NTSTATUS dcerpc_ncacn_packet_blob(TALLOC_CTX *mem_ctx,
                                         enum dcerpc_pkt_type ptype,
                                         uint8_t pfc_flags,
                                         uint16_t auth_length,
                                         uint32_t call_id,
                                         union dcerpc_payload *u,
                                         DATA_BLOB *blob)
{
        struct ncacn_packet r;
        NTSTATUS status;

        r.rpc_vers              = 5;
        r.rpc_vers_minor        = 0;
        r.ptype                 = ptype;
        r.pfc_flags             = pfc_flags;
        r.drep[0]               = DCERPC_DREP_LE;
        r.drep[1]               = 0;
        r.drep[2]               = 0;
        r.drep[3]               = 0;
        r.auth_length           = auth_length;
        r.call_id               = call_id;
        r.u                     = *u;

        status = dcerpc_ncacn_push_auth(blob, mem_ctx, &r, NULL);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }

        if (DEBUGLEVEL >= 10) {
                /* set frag len for print function */
                r.frag_length = blob->length;
                NDR_PRINT_DEBUG(ncacn_packet, &r);
        }

        return NT_STATUS_OK;
}

#define DCERPC_PAYLOAD_PADDING_SIZE 16 //TODO???

static NTSTATUS dcerpc_auth_blob(TALLOC_CTX *mem_ctx,
                                 enum dcerpc_AuthType auth_type,
                                 enum dcerpc_AuthLevel auth_level,
                                 uint8_t auth_pad_length,
                                 uint32_t auth_context_id,
                                 const DATA_BLOB *credentials,
                                 DATA_BLOB *blob)
{
        struct dcerpc_auth r;
        enum ndr_err_code ndr_err;

        r.auth_type             = auth_type;
        r.auth_level            = auth_level;
        r.auth_pad_length       = auth_pad_length;
        r.auth_reserved         = 0;
        r.auth_context_id       = auth_context_id;
        r.credentials           = *credentials;

        ndr_err = ndr_push_struct_blob(blob, mem_ctx, &r,
                (ndr_push_flags_fn_t)ndr_push_dcerpc_auth);
        if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                return ndr_map_error2ntstatus(ndr_err);
        }

        if (DEBUGLEVEL >= 10) {
                NDR_PRINT_DEBUG(dcerpc_auth, &r);
        }

        return NT_STATUS_OK;
}

static NTSTATUS dcerpc_response_auth_blob(struct dcerpc_security *sec,
                                          size_t pad_len,
                                          DATA_BLOB *rpc_out)
{
        char pad[DCERPC_PAYLOAD_PADDING_SIZE] = { 0, };
        DATA_BLOB auth_info;
        DATA_BLOB auth_blob;
        uint16_t data_and_pad_len = 0;
        NTSTATUS status;

        if (rpc_out->length < DCERPC_RESPONSE_LENGTH) {
                return NT_STATUS_INVALID_PARAMETER_MIX;
        }

        if (sec->auth_type == DCERPC_AUTH_TYPE_NONE ||
            sec->auth_type == DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM) {
                return NT_STATUS_OK;
        }

        if (sec->gensec == NULL) {
                return NT_STATUS_INVALID_PARAMETER_MIX;
        }

        if (pad_len) {
                /* Copy the sign/seal padding data. */
                if (!data_blob_append(NULL, rpc_out, pad, pad_len)) {
                        return NT_STATUS_NO_MEMORY;
                }
        }

        data_and_pad_len = rpc_out->length - DCERPC_RESPONSE_LENGTH;

        /* marshall the dcerpc_auth with an actually empty auth_blob.
         * This is needed because the ntmlssp signature includes the
         * auth header. We will append the actual blob later. */
        auth_blob = data_blob_null;
        status = dcerpc_auth_blob(rpc_out->data,
                                  sec->auth_type,
                                  sec->auth_level,
                                  pad_len,
                                  sec->context_id,
                                  &auth_blob,
                                  &auth_info);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }

        /* append the header */
        if (!data_blob_append(NULL, rpc_out,
                                auth_info.data, auth_info.length)) {
                DEBUG(0, ("Failed to add %u bytes auth blob.\n",
                          (unsigned int)auth_info.length));
                return NT_STATUS_NO_MEMORY;
        }
        data_blob_free(&auth_info);

        switch (sec->auth_level) {
        case DCERPC_AUTH_LEVEL_PRIVACY:
                /* Data portion is encrypted. */
                status = gensec_seal_packet(sec->gensec,
                                            rpc_out->data,
                                            rpc_out->data
                                            + DCERPC_RESPONSE_LENGTH,
                                            data_and_pad_len,
                                            rpc_out->data,
                                            rpc_out->length,
                                            &auth_blob);
                if (!NT_STATUS_IS_OK(status)) {
                        return status;
                }
                break;

        case DCERPC_AUTH_LEVEL_INTEGRITY:
                /* Data is signed. */
                status = gensec_sign_packet(sec->gensec,
                                            rpc_out->data,
                                            rpc_out->data
                                            + DCERPC_RESPONSE_LENGTH,
                                            data_and_pad_len,
                                            rpc_out->data,
                                            rpc_out->length,
                                            &auth_blob);
                if (!NT_STATUS_IS_OK(status)) {
                        return status;
                }
                break;

        default:
                /* Can't happen. */
                smb_panic("bad auth level");
                /* Notreached. */
                return NT_STATUS_INVALID_PARAMETER;
        }

        /* Finally attach the blob. */
        if (!data_blob_append(NULL, rpc_out,
                                auth_blob.data, auth_blob.length)) {
                DEBUG(0, ("Failed to add %u bytes auth blob.\n",
                          (unsigned int)auth_blob.length));
                return NT_STATUS_NO_MEMORY;
        }
        data_blob_free(&auth_blob);

        return NT_STATUS_OK;
}

static NTSTATUS dcerpc_check_pdu_auth(struct dcerpc_security *sec,
                           struct ncacn_packet *pkt,
                           DATA_BLOB *pkt_trailer,
                           size_t header_size,
                           DATA_BLOB *raw_pkt,
                           size_t *pad_len)
{
        NTSTATUS status;
        struct dcerpc_auth auth_info;
        uint32_t auth_length;
        DATA_BLOB full_pkt;
        DATA_BLOB data;

        switch (sec->auth_level) {
        case DCERPC_AUTH_LEVEL_PRIVACY:
                DEBUG(10, ("Requested Privacy.\n"));
                break;

        case DCERPC_AUTH_LEVEL_INTEGRITY:
                DEBUG(10, ("Requested Integrity.\n"));
                break;

        case DCERPC_AUTH_LEVEL_CONNECT:
                if (pkt->auth_length != 0) {
                        break;
                }
                *pad_len = 0;
                return NT_STATUS_OK;

        case DCERPC_AUTH_LEVEL_NONE:
                if (pkt->auth_length != 0) {
                        DEBUG(3, ("Got non-zero auth len on non "
                                  "authenticated connection!\n"));
                        return NT_STATUS_INVALID_PARAMETER;
                }
                *pad_len = 0;
                return NT_STATUS_OK;

        default:
                DEBUG(3, ("Unimplemented Auth Level %d",
                          sec->auth_level));
                return NT_STATUS_INVALID_PARAMETER;
        }

        /* Paranioa checks for auth_length. */
        if (pkt->auth_length > pkt->frag_length) {
                return NT_STATUS_INFO_LENGTH_MISMATCH;
        }
        if (((unsigned int)pkt->auth_length
             + DCERPC_AUTH_TRAILER_LENGTH < (unsigned int)pkt->auth_length) ||
            ((unsigned int)pkt->auth_length
             + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
                /* Integer wrap attempt. */
                return NT_STATUS_INFO_LENGTH_MISMATCH;
        }

        status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer,
                                          &auth_info, &auth_length, false);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }

        data = data_blob_const(raw_pkt->data + header_size,
                                pkt_trailer->length - auth_length);
        full_pkt = data_blob_const(raw_pkt->data,
                                raw_pkt->length - auth_info.credentials.length);

        switch (sec->auth_type) {
        case DCERPC_AUTH_TYPE_NONE:
        case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
                return NT_STATUS_OK;
        default:
                break;
        }

        switch (sec->auth_level) {
        case DCERPC_AUTH_LEVEL_PRIVACY:
                /* Data portion is encrypted. */
                status = gensec_unseal_packet(sec->gensec,
                                            data.data,
                                            data.length,
                                            full_pkt.data,
                                            full_pkt.length,
                                            &auth_info.credentials);
                break;

        case DCERPC_AUTH_LEVEL_INTEGRITY:
                /* Data is signed. */
                status = gensec_check_packet(sec->gensec,
                                            data.data,
                                            data.length,
                                            full_pkt.data,
                                            full_pkt.length,
                                            &auth_info.credentials);
                break;
        default:
                return NT_STATUS_INVALID_PARAMETER;
        }
        /* TODO: remove later
         * this is still needed because in the server code the
         * pkt_trailer actually has a copy of the raw data, and they
         * are still both used in later calls */
        if (sec->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
                memcpy(pkt_trailer->data, data.data, data.length);
        }

        *pad_len = auth_info.auth_pad_length;
        data_blob_free(&auth_info.credentials);
        return NT_STATUS_OK;
}

static void dcerpc_connection_loop(struct tevent_req *subreq);

static NTSTATUS dcerpc_connection_loop_restart(struct dcerpc_connection *conn,
                                               struct tevent_context *ev)
{
        if (ev == NULL) {
                return NT_STATUS_INVALID_PARAMETER; // TODO...
        }

        if (conn->loop.subreq) {
                if (conn->loop.ev != ev) {
                        return NT_STATUS_INVALID_PARAMETER; // TODO...
                }
                return NT_STATUS_OK;
        }

        if (conn->calls.list == NULL) {
                conn->loop.ev = NULL;
                return NT_STATUS_OK;
        }

        conn->loop.subreq = dcerpc_read_ncacn_packet_send(conn,
                                                          ev,
                                                          conn->transport.stream);
        if (conn->loop.subreq == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
        tevent_req_set_callback(conn->loop.subreq, dcerpc_connection_loop, conn);
        conn->loop.ev = ev;
        return NT_STATUS_OK;
}

static void dcerpc_connection_loop(struct tevent_req *subreq)
{
        struct dcerpc_connection *conn =
                tevent_req_callback_data(subreq,
                struct dcerpc_connection);
        NTSTATUS error;
        struct ncacn_packet *pkt;
        DATA_BLOB pdu;
        struct dcerpc_call *call;
        bool valid_type = false;

        conn->loop.subreq = NULL;

        error = dcerpc_read_ncacn_packet_recv(subreq, subreq, &pkt, &pdu);
        if (!NT_STATUS_IS_OK(error)) {
                TALLOC_FREE(subreq);
                // disconnect and notify pending calls
                return;
        }

        if (DEBUGLEVEL >= 10) {
                NDR_PRINT_DEBUG(ncacn_packet, pkt);
        }

        switch (pkt->ptype) {
        case DCERPC_PKT_REQUEST:
                /* Ordinary request. */
                valid_type = true;
                break;

        case DCERPC_PKT_PING:
                /* Connectionless is server alive ? */
                break;

        case DCERPC_PKT_RESPONSE:
                /* Ordinary reply. */
                valid_type = true;
                break;

        case DCERPC_PKT_FAULT:
                /* Fault in processing of call. */
                valid_type = true;
                break;

        case DCERPC_PKT_WORKING:
                /* Connectionless reply to a ping when server busy. */
                break;

        case DCERPC_PKT_NOCALL:
                /* Connectionless reply to a ping when server has lost part of clients call. */
                break;

        case DCERPC_PKT_REJECT:
                /* Refuse a request with a code. */
                break;

        case DCERPC_PKT_ACK:
                break;

        case DCERPC_PKT_CL_CANCEL:
                break;

        case DCERPC_PKT_FACK:
                break;

        case DCERPC_PKT_CANCEL_ACK:
                /* Server ACK to client cancel request. */
                break;

        case DCERPC_PKT_BIND:
                /* Bind to interface. */
                valid_type = true;
                break;

        case DCERPC_PKT_BIND_ACK:
                /* Server ack of bind. */
                valid_type = true;
                break;

        case DCERPC_PKT_BIND_NAK:
                /* Server nack of bind. */
                valid_type = true;
                break;

        case DCERPC_PKT_ALTER:
                /* Alter auth. */
                valid_type = true;
                break;

        case DCERPC_PKT_ALTER_RESP:
                /* Reply to alter auth. */
                valid_type = true;
                break;

        case DCERPC_PKT_AUTH3:
                /* not the real name!  this is undocumented! */
                valid_type = true;
                break;

        case DCERPC_PKT_SHUTDOWN:
                /* Server to client request to shutdown. */
                valid_type = true;
                break;

        case DCERPC_PKT_CO_CANCEL:
                /* Connection-oriented cancel request. */
                valid_type = true;
                break;

        case DCERPC_PKT_ORPHANED:
                /* Client telling server it's aborting a partially sent request or telling server to stop sending replies. */
                valid_type = true;
                break;

        case DCERPC_PKT_RTS:
                /* RTS packets used in ncacn_http */
                break;
        }

        if (!valid_type) {
                TALLOC_FREE(subreq);
                // disconnect and notify pending calls NT_STATUS_RPC_PROTOCOL_ERROR;
                return;
        }

        for (call = conn->calls.list; call; call = call->next) {
                if (call->call_id == pkt->call_id) {
                        break;
                }
        }

        if (call == NULL) {
                TALLOC_FREE(subreq);
                // disconnect and notify pending calls NT_STATUS_RPC_PROTOCOL_ERROR;
                return;
        }

        if (call->incoming.handler == NULL) {
                TALLOC_FREE(subreq);
                // disconnect and notify pending calls NT_STATUS_RPC_PROTOCOL_ERROR;
                return;
        }

        error = call->incoming.handler(call->incoming.private_data, pkt, pdu);
        TALLOC_FREE(subreq);
        if (!NT_STATUS_IS_OK(error)) {
                // disconnect and notify pending calls
                return;
        }

        error = dcerpc_connection_loop_restart(conn, conn->loop.ev);
        if (!NT_STATUS_IS_OK(error)) {
                // disconnect and notify pending calls
                return;
        }
}

struct dcerpc_do_bind_out_frag;

struct dcerpc_do_bind_state {
        struct tevent_context *ev;
        struct dcerpc_connection *conn;
        struct dcerpc_call *call;
        struct dcerpc_security *sec;
        DATA_BLOB sec_in;
        NTSTATUS sec_status;
        DATA_BLOB sec_out;
        struct dcerpc_do_bind_out_frag *out_frag;
        uint32_t num_pres;
        struct dcerpc_presentation **pres;
        uint32_t remaining_pres;

        uint32_t num_ctx;
        struct dcerpc_ctx_list *ctx_list;
        struct ndr_syntax_id features;
};

struct dcerpc_do_bind_out_frag {
        struct tevent_context *ev;
        struct dcerpc_connection *conn;
        struct tevent_req *req;
        enum dcerpc_pkt_type ptype;
        DATA_BLOB blob;
        struct iovec vector;
        struct tevent_req *subreq_wait1;
        struct tevent_req *subreq_wait2;
};

static void dcerpc_do_bind_cleanup(struct tevent_req *req,
                                   enum tevent_req_state req_state);

static void dcerpc_do_bind_out_frag_next(struct tevent_req *req,
                                            void *private_data);
static void dcerpc_do_bind_sec_next(struct tevent_req *subreq);

static NTSTATUS dcerpc_do_bind_handle_in_frag(void *private_data,
                                              struct ncacn_packet *pkt,
                                              DATA_BLOB frag);

struct tevent_req *dcerpc_do_bind_send(TALLOC_CTX *mem_ctx,
                                struct tevent_context *ev,
                                struct dcerpc_connection *conn,
                                struct dcerpc_call *call,
                                struct dcerpc_security *sec,
                                uint32_t num_pres,
                                struct dcerpc_presentation **pres)
{
        struct tevent_req *req;
        struct dcerpc_do_bind_state *state;
        bool ok;

        req = tevent_req_create(mem_ctx, &state,
                                struct dcerpc_do_bind_state);
        if (req == NULL) {
                return NULL;
        }
        state->ev = ev;
        state->conn = conn;
        state->call = call;
        state->sec = sec;
        state->num_pres = num_pres;
        state->pres = pres;

        state->call->incoming.private_data = req;
        state->call->incoming.handler = dcerpc_do_bind_handle_in_frag;
        DLIST_ADD_END(state->conn->calls.list, state->call, NULL);

        tevent_req_set_cleanup_fn(req, dcerpc_do_bind_cleanup);

        if (state->sec != NULL && state->sec->gensec != NULL) {
                struct tevent_req *subreq;

                subreq = gensec_update_send(state, ev,
                                            state->sec->gensec,
                                            state->sec_in);
                if (tevent_req_nomem(subreq, req)) {
                        return tevent_req_post(req, ev);
                }
                tevent_req_set_callback(subreq, dcerpc_do_bind_sec_next, req);

                return req;
        }

        state->sec_status = NT_STATUS_OK;
        ok = tevent_queue_add(state->conn->calls.out_queue,
                              state->ev,
                              req,
                              dcerpc_do_bind_out_frag_next,
                              NULL);
        if (!ok) {
                tevent_req_nomem(NULL, req);
                return tevent_req_post(req, ev);
        }

        return req;
}

static void dcerpc_do_bind_cleanup(struct tevent_req *req,
                                   enum tevent_req_state req_state)
{
        struct dcerpc_do_bind_state *state =
                tevent_req_data(req,
                struct dcerpc_do_bind_state);

        if (state->out_frag != NULL) {
                state->out_frag->req = NULL;
                state->out_frag = NULL;
        }

        if (state->call != NULL) {
                ZERO_STRUCT(state->call->incoming);
                DLIST_REMOVE(state->conn->calls.list, state->call);
                state->call = NULL;
        }
}

static void dcerpc_do_bind_sec_next(struct tevent_req *subreq)
{
        struct tevent_req *req =
                tevent_req_callback_data(subreq,
                struct tevent_req);
        struct dcerpc_do_bind_state *state =
                tevent_req_data(req,
                struct dcerpc_do_bind_state);
        NTSTATUS status;
        bool ok;

        data_blob_free(&state->sec_out);
        status = gensec_update_recv(subreq, state, &state->sec_out);
        TALLOC_FREE(subreq);
        data_blob_free(&state->sec_in);
        state->sec_status = status;
        if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
                status = NT_STATUS_OK;
        }
        if (!NT_STATUS_IS_OK(status)) {
                tevent_req_nterror(req, status);
                return;
        }

        ok = tevent_queue_add(state->conn->calls.out_queue,
                              state->ev,
                              req,
                              dcerpc_do_bind_out_frag_next,
                              NULL);
        if (!ok) {
                tevent_req_nomem(NULL, req);
                return;
        }
}

static void dcerpc_do_bind_out_frag_trans_wait1(struct tevent_req *subreq);
static void dcerpc_do_bind_out_frag_done(struct tevent_req *subreq);
static void dcerpc_do_bind_out_frag_trans_wait2(struct tevent_req *subreq);

static void dcerpc_do_bind_out_frag_next(struct tevent_req *req,
                                         void *private_data)
{
        struct dcerpc_do_bind_state *state =
                tevent_req_data(req,
                struct dcerpc_do_bind_state);
        struct dcerpc_do_bind_out_frag *frag;
        size_t auth_len = 0;
        NTSTATUS status;
        DATA_BLOB auth_info = data_blob_null;
        union dcerpc_payload u;
        struct tevent_req *subreq;
        uint32_t i;
        bool use_trans = true;

        /*
         * the fragment belongs to the connection instead of the request
         * because it has to remain in case the request is canceled
         */
        frag = talloc_zero(state->conn, struct dcerpc_do_bind_out_frag);
        if (tevent_req_nomem(frag, req)) {
                return;
        }
        frag->ev = state->ev;
        frag->conn = state->conn;
        frag->req = req;
        state->out_frag = frag;

        if (!state->conn->features.bind_done) {
                frag->ptype = DCERPC_PKT_BIND;
        } else if (state->remaining_pres > 0) {
                frag->ptype = DCERPC_PKT_ALTER;
        } else if (!NT_STATUS_IS_OK(state->sec_status)) {
                frag->ptype = DCERPC_PKT_ALTER;
        } else if (state->sec_out.length > 0) {
                frag->ptype = DCERPC_PKT_AUTH3;
        }

        if (state->sec) {
                status = dcerpc_auth_blob(frag,
                                          state->sec->auth_type,
                                          state->sec->auth_level,
                                          0, /* auth_pad_length */
                                          state->sec->context_id, /* auth_context_id */
                                          &state->sec_in,
                                          &auth_info);
                if (!NT_STATUS_IS_OK(status)) {
                        tevent_req_nterror(req, status);
                        return;
                }

                auth_len = auth_info.length;

                if (auth_len) {
                        auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
                }
        }

        state->num_ctx = state->num_pres;
        if (!state->conn->assoc->negotiate_done) {
                state->num_ctx += 1;
        }

        state->ctx_list = talloc_zero_array(frag,
                                            struct dcerpc_ctx_list,
                                            state->num_ctx);
        if (tevent_req_nomem(state->ctx_list, req)) {
                return;
        }

        for (i=0; i < state->num_pres; i++) {
                state->ctx_list[i] = state->pres[i]->negotiate.req;
        }

        if (!state->conn->assoc->negotiate_done) {
                state->features = dcerpc_construct_bind_time_features(
                                        state->conn->assoc->client_features);

                state->ctx_list[i].context_id = state->conn->next_pres_context_id;
                if (i > 0) {
                        state->ctx_list[i].abstract_syntax =
                                state->ctx_list[i-1].abstract_syntax;
                }
                state->ctx_list[i].num_transfer_syntaxes = 1;
                state->ctx_list[i].transfer_syntaxes = &state->features;
        }

        switch (frag->ptype) {
        case DCERPC_PKT_BIND:
        case DCERPC_PKT_ALTER:
                u.bind.max_xmit_frag    = state->conn->features.max_xmit_frag;
                u.bind.max_recv_frag    = state->conn->features.max_recv_frag;
                u.bind.assoc_group_id   = state->conn->assoc->assoc_group_id;
                u.bind.num_contexts     = state->num_ctx;
                u.bind.ctx_list         = state->ctx_list;
                u.bind.auth_info        = auth_info;
                break;

        case DCERPC_PKT_AUTH3:
                u.auth3._pad            = 0;
                u.auth3.auth_info       = auth_info;
                break;
        default:
                tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
                return;
        }

        status = dcerpc_ncacn_packet_blob(frag,
                                          frag->ptype,
                                          DCERPC_PFC_FLAG_FIRST |
                                          DCERPC_PFC_FLAG_LAST,
                                          auth_len,
                                          state->call->call_id,
                                          &u,
                                          &frag->blob);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0, ("Failed to marshall bind/alter ncacn_packet.\n"));
                tevent_req_nterror(req, status);
                return;
        }

        if (frag->ptype == DCERPC_PKT_AUTH3) {
                use_trans = false;
        }

        if (frag->conn->transport.use_trans_fn == NULL) {
                use_trans = false;
        }

        if (frag->conn->loop.subreq != NULL) {
                use_trans = false;
        }

        if (frag->conn->features.concurrent_multiplex) {
                use_trans = false;
        }

        if (tevent_queue_length(frag->conn->calls.out_queue) > 1) {
                use_trans = false;
        }

        if (use_trans) {
                frag->subreq_wait1 = tevent_queue_wait_send(frag,
                                                frag->ev,
                                                frag->conn->transport.write_queue);
                if (tevent_req_nomem(req, frag->subreq_wait1)) {
                        return;
                }
                tevent_req_set_callback(frag->subreq_wait1,
                                        dcerpc_do_bind_out_frag_trans_wait1,
                                        frag);
                /*
                 * we need to block reads until our write is
                 * the next in the write queue.
                 */
                frag->conn->loop.subreq = frag->subreq_wait1;
                frag->conn->loop.ev = frag->ev;
        }

        /*
         * We need to add a dcerpc_write_fragment_queue_send/recv()
         */

        frag->vector.iov_base = frag->blob.data;
        frag->vector.iov_len = frag->blob.length;
        subreq = tstream_writev_queue_send(frag, frag->ev,
                                           frag->conn->transport.stream,
                                           frag->conn->transport.write_queue,
                                           &frag->vector, 1);
        if (tevent_req_nomem(subreq, req)) {
                return;
        }
        tevent_req_set_callback(subreq,
                                dcerpc_do_bind_out_frag_done,
                                frag);

        if (use_trans) {
                frag->subreq_wait2 = tevent_queue_wait_send(frag,
                                                frag->ev,
                                                frag->conn->transport.write_queue);
                if (tevent_req_nomem(req, frag->subreq_wait2)) {
                        return;
                }
                tevent_req_set_callback(frag->subreq_wait2,
                                        dcerpc_do_bind_out_frag_trans_wait2,
                                        frag);
        }

        status = dcerpc_connection_loop_restart(frag->conn, frag->ev);
        if (tevent_req_nterror(req, status)) {
                return;
        }
}

static void dcerpc_do_bind_out_frag_trans_wait1(struct tevent_req *subreq)
{
        struct dcerpc_do_bind_out_frag *frag =
                tevent_req_callback_data(subreq,
                struct dcerpc_do_bind_out_frag);
        struct tevent_req *req = frag->req;
        NTSTATUS status;
        bool ok;

        /*
         * TODO; what if the caller has been free'ed?
         */

        frag->subreq_wait1 = NULL;
        frag->conn->loop.subreq = NULL;

        ok = tevent_queue_wait_recv(subreq);
        if (!ok) {
                status = NT_STATUS_INTERNAL_ERROR;
                TALLOC_FREE(frag);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                //dcerpc_transport_dead(p, NT_STATUS_NO_MEMORY);
                return;
        }

        if (tevent_queue_length(frag->conn->transport.write_queue) > 3) {
                /*
                 * We added 3 entries into the queue,
                 * wait1, writev and wait2.
                 *
                 * There's more to write, we should not block
                 * further writev calls for a trans call.
                 *
                 * The wait2 stage will trigger the read.
                 */
                TALLOC_FREE(subreq);
                return;
        }

        /*
         * we don't need wait2 anymore, we're sure that
         * we'll do a trans call.
         */
        TALLOC_FREE(frag->subreq_wait2);

        status = frag->conn->transport.use_trans_fn(frag->conn->transport.stream);
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(frag);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                //dcerpc_transport_dead(p, NT_STATUS_NO_MEMORY);
                return;
        }

        /* we free subreq after tstream_cli_np_use_trans */
        TALLOC_FREE(subreq);

        status = dcerpc_connection_loop_restart(frag->conn, frag->ev);
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(frag);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                //dcerpc_transport_dead(p, NT_STATUS_NO_MEMORY);
                return;
        }
}

static void dcerpc_do_bind_out_frag_done(struct tevent_req *subreq)
{
        struct dcerpc_do_bind_out_frag *frag =
                tevent_req_callback_data(subreq,
                struct dcerpc_do_bind_out_frag);
        struct tevent_req *req = frag->req;
        NTSTATUS status;
        int ret;
        int sys_errno;

        /*
         * If the caller has been free'ed, we have should
         * ignore any errors and just free 'frag'
         */
        if (req) {
                struct dcerpc_do_bind_state *state =
                        tevent_req_data(req,
                        struct dcerpc_do_bind_state);

                state->out_frag = NULL;
        }

        ret = tstream_writev_queue_recv(subreq, &sys_errno);
        TALLOC_FREE(subreq);
        if (ret == -1) {
                TALLOC_FREE(frag);
                status = map_nt_error_from_unix_common(sys_errno);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                return;
        }

        if (frag->ptype == DCERPC_PKT_AUTH3) {
                TALLOC_FREE(frag);
                if (req == NULL) {
                        return;
                }
                tevent_req_done(req);
                return;
        }

        if (frag->subreq_wait2 != NULL) {
                return;
        }

        TALLOC_FREE(frag);

        /* we need to wait for incoming pdus */
}

static void dcerpc_do_bind_out_frag_trans_wait2(struct tevent_req *subreq)
{
        struct dcerpc_do_bind_out_frag *frag =
                tevent_req_callback_data(subreq,
                struct dcerpc_do_bind_out_frag);
        struct tevent_req *req = frag->req;
        NTSTATUS status;
        bool ok;

        frag->subreq_wait2 = NULL;

        ok = tevent_queue_wait_recv(subreq);
        if (!ok) {
                status = NT_STATUS_INTERNAL_ERROR;
                TALLOC_FREE(frag);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                //dcerpc_transport_dead(p, NT_STATUS_NO_MEMORY);
                return;
        }

        TALLOC_FREE(subreq);

        status = dcerpc_connection_loop_restart(frag->conn, frag->ev);
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(frag);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                //dcerpc_transport_dead(p, NT_STATUS_NO_MEMORY);
                return;
        }

        TALLOC_FREE(frag);

        /* we need to wait for incoming pdus */
}

static NTSTATUS dcerpc_do_bind_handle_in_frag(void *private_data,
                                                 struct ncacn_packet *pkt,
                                                 DATA_BLOB frag)
{
        struct tevent_req *req =
                talloc_get_type_abort(private_data,
                struct tevent_req);
        struct dcerpc_do_bind_state *state =
                tevent_req_data(req,
                struct dcerpc_do_bind_state);
        NTSTATUS status;
        size_t i;

        DLIST_REMOVE(state->conn->calls.list, state->call);

        /* Ensure we have the correct type. */
        switch (pkt->ptype) {
        case DCERPC_PKT_BIND_ACK:
        case DCERPC_PKT_ALTER_RESP:
                if (pkt->auth_length != 0) {
                        return NT_STATUS_NOT_IMPLEMENTED;
                }

                if (!state->conn->features.bind_done) {
                        if (pkt->u.bind_ack.max_recv_frag < 1234) {
                                return NT_STATUS_RPC_PROTOCOL_ERROR;
                        }
                        if (pkt->u.bind_ack.max_xmit_frag < 1234) {
                                return NT_STATUS_RPC_PROTOCOL_ERROR;
                        }
                        state->conn->features.max_recv_frag =
                                pkt->u.bind_ack.max_recv_frag;
                        state->conn->features.max_xmit_frag =
                                pkt->u.bind_ack.max_xmit_frag;

                        if (pkt->pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) {
                                state->conn->features.concurrent_multiplex = true;
                        }

                        state->conn->features.bind_done = true;
                }

                if (!state->conn->assoc->negotiate_done) {
                        state->conn->assoc->negotiate_done = true;
                        state->conn->assoc->assoc_group_id = pkt->u.bind_ack.assoc_group_id;
                }

                if (pkt->u.bind_ack.assoc_group_id != state->conn->assoc->assoc_group_id) {
                        return NT_STATUS_RPC_PROTOCOL_ERROR;
                }

                if (pkt->u.bind_ack.num_results > state->num_ctx) {
                        return NT_STATUS_RPC_PROTOCOL_ERROR;
                }

                for (i = 0; i < pkt->u.bind_ack.num_results; i++) {
                        struct dcerpc_ack_ctx *ack = &pkt->u.bind_ack.ctx_list[i];

                        if (i < state->num_pres) {
                                state->pres[i]->negotiate.ack = *ack;
                                continue;
                        }

                        if (ack->result != DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK) {
                                continue;
                        }

                        state->conn->assoc->features = state->conn->assoc->client_features;
                        state->conn->assoc->features &= ack->reason.negotiate;
                }

                for (i = 0; i < state->num_pres; i++) {
                        struct dcerpc_ack_ctx *ack = &state->pres[i]->negotiate.ack;
                        bool ok;

                        if (ack->result != DCERPC_BIND_ACK_RESULT_ACCEPTANCE) {
                                continue;
                        }

                        ok = ndr_syntax_id_equal(&state->pres[i]->transfer,
                                                 &ack->syntax);
                        if (!ok) {
                                return NT_STATUS_RPC_PROTOCOL_ERROR;
                        }
                }

                tevent_req_done(req);
                return NT_STATUS_OK;

        //case DCERPC_PKT_ALTER_RESP:
                if (pkt->auth_length != 0) {
                        return NT_STATUS_NOT_IMPLEMENTED;
                }

                return NT_STATUS_NOT_IMPLEMENTED;
//TODO
#if 0
                /* Point the return values at the NDR data. */
                payload.data = frag.data + DCERPC_RESPONSE_LENGTH;

                if (pkt->auth_length) {
                        /* We've already done integer wrap tests in
                         * dcerpc_check_auth(). */
                        payload.length = frag.length
                                         - DCERPC_RESPONSE_LENGTH
                                         - pad_len
                                         - DCERPC_AUTH_TRAILER_LENGTH
                                         - pkt->auth_length;
                } else {
                        payload.length = frag.length - DCERPC_RESPONSE_LENGTH;
                }

                if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
                        if (pkt->drep[0] & DCERPC_DREP_LE) {
                                state->response.bigendian = false;
                        } else {
                                state->response.bigendian = true;
                        }
                }

                DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
                           (long unsigned int)frag.length,
                           (long unsigned int)payload.length,
                           (unsigned int)pad_len));

                /*
                 * If this is the first reply, and the allocation hint is
                 * reasonable, try and set up the reply_pdu DATA_BLOB to the
                 * correct size.
                 */

                if ((state->response.blob.length == 0) &&
                    pkt->u.response.alloc_hint &&
                    (pkt->u.response.alloc_hint < 15*1024*1024)) {
                        ok = data_blob_realloc(state, &state->response.blob,
                                               pkt->u.response.alloc_hint);
                        if (!ok) {
                                DEBUG(0, ("reply alloc hint %d too "
                                          "large to allocate\n",
                                    (int)pkt->u.response.alloc_hint));
                                return NT_STATUS_NO_MEMORY;
                        }
                }

                new_total = state->response.ofs + payload.length;

                if (new_total > 15 * 1024 *1024) {
                        return NT_STATUS_RPC_PROTOCOL_ERROR;//TODO
                }

                missing = new_total - state->response.blob.length;

                if (missing > 0) {
                        ok = data_blob_realloc(state, &state->response.blob,
                                               new_total);
                        if (!ok) {
                                DEBUG(0, ("reply alloc hint %d too "
                                          "large to allocate\n",
                                    (int)pkt->u.response.alloc_hint));
                                return NT_STATUS_NO_MEMORY;
                        }
                }

                memcpy(state->response.blob.data + state->response.ofs,
                       payload.data, payload.length);
                state->response.ofs += payload.length;

                if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
                        tevent_req_done(req);//TODO
                        return NT_STATUS_OK;
                }
                return NT_STATUS_OK;
#endif
                return NT_STATUS_NOT_IMPLEMENTED;

        case DCERPC_PKT_FAULT:

                DEBUG(1, ("cli_pipe_validate_current_pdu: RPC fault "
                          "code %s received from %s!\n",
                          dcerpc_errstr(talloc_tos(),
                          pkt->u.fault.status),
                          "TODO"));

                status = dcerpc_fault_to_nt_status(pkt->u.fault.status);
                if (NT_STATUS_IS_OK(status)) {
                        status = NT_STATUS_RPC_PROTOCOL_ERROR;
                }

                tevent_req_nterror(req, status);//TODO
                return NT_STATUS_OK;
        default:
                DEBUG(0, ("Unknown packet type %u received from %s!\n",
                          (unsigned int)pkt->ptype,
                         "TODO"));
                return NT_STATUS_RPC_PROTOCOL_ERROR;
        }

        return NT_STATUS_RPC_PROTOCOL_ERROR;
}

NTSTATUS dcerpc_do_bind_recv(struct tevent_req *req)
{
        struct dcerpc_do_bind_state *state =
                tevent_req_data(req,
                struct dcerpc_do_bind_state);
        NTSTATUS status;

        if (tevent_req_is_nterror(req, &status)) {
                tevent_req_received(req);
                return status;
        }

        if (!NT_STATUS_IS_OK(state->sec_status)) {
                status = state->sec_status;
                tevent_req_received(req);
                return status;
        }

        tevent_req_received(req);
        return NT_STATUS_OK;
}

struct dcerpc_do_request_out_frag;

struct dcerpc_do_request_state {
        struct tevent_context *ev;
        struct dcerpc_connection *conn;
        struct dcerpc_call *call;
        const struct GUID *object;
        uint16_t opnum;
        struct {
                const DATA_BLOB *blob;
                size_t ofs;
                bool bigendian;
        } request;
        struct dcerpc_do_request_out_frag *out_frag;
        struct {
                DATA_BLOB blob;
                size_t ofs;
                bool bigendian;
        } response;
};

struct dcerpc_do_request_out_frag {
        struct tevent_context *ev;
        struct dcerpc_connection *conn;
        struct tevent_req *req;
        DATA_BLOB blob;
        bool is_last;
        struct iovec vector;
        struct tevent_req *subreq_wait1;
        struct tevent_req *subreq_wait2;
};

static void dcerpc_do_request_cleanup(struct tevent_req *req,
                                      enum tevent_req_state req_state);

static void dcerpc_do_request_out_frag_next(struct tevent_req *req,
                                            void *private_data);

static NTSTATUS dcerpc_do_request_handle_in_frag(void *private_data,
                                                 struct ncacn_packet *pkt,
                                                 DATA_BLOB frag);

struct tevent_req *dcerpc_do_request_send(TALLOC_CTX *mem_ctx,
                                struct tevent_context *ev,
                                struct dcerpc_connection *conn,
                                struct dcerpc_call *call,
                                const struct GUID *object,
                                uint16_t opnum,
                                const DATA_BLOB *request,
                                bool bigendian)
{
        struct tevent_req *req;
        struct dcerpc_do_request_state *state;
        bool ok;

        req = tevent_req_create(mem_ctx, &state,
                                struct dcerpc_do_request_state);
        if (req == NULL) {
                return NULL;
        }
        state->ev = ev;
        state->conn = conn;
        state->call = call;
        state->object = object;
        state->opnum = opnum;
        state->request.blob = request;
        state->request.bigendian = bigendian;

        state->call->incoming.private_data = req;
        state->call->incoming.handler = dcerpc_do_request_handle_in_frag;
        DLIST_ADD_END(state->conn->calls.list, state->call, NULL);

        tevent_req_set_cleanup_fn(req, dcerpc_do_request_cleanup);

        ok = tevent_queue_add(state->conn->calls.out_queue,
                              state->ev,
                              req,
                              dcerpc_do_request_out_frag_next,
                              NULL);
        if (!ok) {
                tevent_req_nomem(NULL, req);
                return tevent_req_post(req, ev);
        }

        return req;
}

static void dcerpc_do_request_cleanup(struct tevent_req *req,
                                      enum tevent_req_state req_state)
{
        struct dcerpc_do_request_state *state =
                tevent_req_data(req,
                struct dcerpc_do_request_state);

        if (state->out_frag != NULL) {
                state->out_frag->req = NULL;
                state->out_frag = NULL;
        }

        if (state->call != NULL) {
                ZERO_STRUCT(state->call->incoming);
                DLIST_REMOVE(state->conn->calls.list, state->call);
                state->call = NULL;
        }
}

static void dcerpc_do_request_out_frag_trans_wait1(struct tevent_req *subreq);
static void dcerpc_do_request_out_frag_done(struct tevent_req *subreq);
static void dcerpc_do_request_out_frag_trans_wait2(struct tevent_req *subreq);

static void dcerpc_do_request_out_frag_next(struct tevent_req *req,
                                            void *private_data)
{
        struct dcerpc_do_request_state *state =
                tevent_req_data(req,
                struct dcerpc_do_request_state);
        struct dcerpc_do_request_out_frag *frag;
        size_t data_sent_thistime;
        size_t hdr_len = DCERPC_REQUEST_LENGTH;
        size_t auth_len;
        size_t frag_len;
        uint8_t flags = 0;
        size_t pad_len;
        size_t data_left;
        NTSTATUS status;
        union dcerpc_payload u;
        DATA_BLOB payload;
        bool ok;
        struct tevent_req *subreq;
        bool use_trans = true;

        if (state->object) {
                flags |= DCERPC_PFC_FLAG_OBJECT_UUID;
                hdr_len += 16;
        }

        /*
         * the fragment belongs to the connection instead of the request
         * because it has to remain in case the request is canceled
         */
        frag = talloc_zero(state->conn, struct dcerpc_do_request_out_frag);
        if (tevent_req_nomem(frag, req)) {
                return;
        }
        frag->ev = state->ev;
        frag->conn = state->conn;
        frag->req = req;
        state->out_frag = frag;

        data_left = state->request.blob->length - state->request.ofs;

        status = dcerpc_guess_pdu_sizes(state->call->sec,
                                    hdr_len, data_left,
                                    state->conn->features.max_xmit_frag,
                                    16,//TODO
                                    &data_sent_thistime,
                                    &frag_len, &auth_len, &pad_len);
        if (!NT_STATUS_IS_OK(status)) {
                tevent_req_nterror(req, status);
                return;
        }

        if (state->request.ofs == 0) {
                flags |= DCERPC_PFC_FLAG_FIRST;
        }

        payload.data = state->request.blob->data + state->request.ofs;
        payload.length = data_sent_thistime;

        state->request.ofs += data_sent_thistime;

        if (state->request.blob->length == state->request.ofs) {
                flags |= DCERPC_PFC_FLAG_LAST;
        }

        ZERO_STRUCT(u.request);

        u.request.alloc_hint    = state->request.blob->length -
                                  state->request.ofs;
        u.request.context_id    = state->call->pres->context_id;
        u.request.opnum         = state->opnum;
        if (state->object) {
                u.request.object.object = *state->object;
        }
//TODO pass state->request.bigendian
        status = dcerpc_ncacn_packet_blob(frag,
                                          DCERPC_PKT_REQUEST,
                                          flags,
                                          auth_len,
                                          state->call->call_id,
                                          &u,
                                          &frag->blob);
        if (!NT_STATUS_IS_OK(status)) {
                tevent_req_nterror(req, status);
                return;
        }

        /* explicitly set frag_len here as dcerpc_push_ncacn_packet() can't
         * compute it right for requests because the auth trailer is missing
         * at this stage */
        dcerpc_set_frag_length(&frag->blob, frag_len);

        /* Copy in the data. */
        ok = data_blob_append(frag, &frag->blob,
                              payload.data, payload.length);
        if (!ok) {
                tevent_req_nomem(NULL, req);
                return;
        }

        switch (state->call->sec->auth_level) {
        case DCERPC_AUTH_LEVEL_NONE:
        case DCERPC_AUTH_LEVEL_CONNECT:
        case DCERPC_AUTH_LEVEL_PACKET:
                break;
        case DCERPC_AUTH_LEVEL_INTEGRITY:
        case DCERPC_AUTH_LEVEL_PRIVACY:
                status = dcerpc_response_auth_blob(state->call->sec,
                                                pad_len,
                                                &frag->blob);
                if (!NT_STATUS_IS_OK(status)) {
                        tevent_req_nterror(req, status);
                        return;
                }
                break;
        default:
                tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
                return;
        }

        frag->is_last = ((flags & DCERPC_PFC_FLAG_LAST) != 0);

        if (!frag->is_last) {
                use_trans = false;
        }

        if (frag->conn->transport.use_trans_fn == NULL) {
                use_trans = false;
        }

        if (frag->conn->loop.subreq != NULL) {
                use_trans = false;
        }

        if (frag->conn->features.concurrent_multiplex) {
                use_trans = false;
        }

        if (tevent_queue_length(frag->conn->calls.out_queue) > 1) {
                use_trans = false;
        }

        if (use_trans) {
                frag->subreq_wait1 = tevent_queue_wait_send(frag,
                                                frag->ev,
                                                frag->conn->transport.write_queue);
                if (tevent_req_nomem(req, frag->subreq_wait1)) {
                        return;
                }
                tevent_req_set_callback(frag->subreq_wait1,
                                        dcerpc_do_request_out_frag_trans_wait1,
                                        frag);
                /*
                 * we need to block reads until our write is
                 * the next in the write queue.
                 */
                frag->conn->loop.subreq = frag->subreq_wait1;
                frag->conn->loop.ev = frag->ev;
        }

        /*
         * We need to add a dcerpc_write_fragment_queue_send/recv()
         */

        frag->vector.iov_base = frag->blob.data;
        frag->vector.iov_len = frag->blob.length;
        subreq = tstream_writev_queue_send(frag, frag->ev,
                                           frag->conn->transport.stream,
                                           frag->conn->transport.write_queue,
                                           &frag->vector, 1);
        if (tevent_req_nomem(subreq, req)) {
                return;
        }
        tevent_req_set_callback(subreq,
                                dcerpc_do_request_out_frag_done,
                                frag);

        if (use_trans) {
                frag->subreq_wait2 = tevent_queue_wait_send(frag,
                                                frag->ev,
                                                frag->conn->transport.write_queue);
                if (tevent_req_nomem(req, frag->subreq_wait2)) {
                        return;
                }
                tevent_req_set_callback(frag->subreq_wait2,
                                        dcerpc_do_request_out_frag_trans_wait2,
                                        frag);
        }

        if (!frag->is_last) {
                return;
        }

        status = dcerpc_connection_loop_restart(frag->conn, frag->ev);
        if (tevent_req_nterror(req, status)) {
                return;
        }
}

static void dcerpc_do_request_out_frag_trans_wait1(struct tevent_req *subreq)
{
        struct dcerpc_do_request_out_frag *frag =
                tevent_req_callback_data(subreq,
                struct dcerpc_do_request_out_frag);
        struct tevent_req *req = frag->req;
        NTSTATUS status;
        bool ok;

        /*
         * TODO; what if the caller has been free'ed?
         */

        frag->subreq_wait1 = NULL;
        frag->conn->loop.subreq = NULL;

        ok = tevent_queue_wait_recv(subreq);
        if (!ok) {
                status = NT_STATUS_INTERNAL_ERROR;
                TALLOC_FREE(frag);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                //dcerpc_transport_dead(p, NT_STATUS_NO_MEMORY);
                return;
        }

        if (tevent_queue_length(frag->conn->transport.write_queue) > 3) {
                /*
                 * We added 3 entries into the queue,
                 * wait1, writev and wait2.
                 *
                 * There's more to write, we should not block
                 * further writev calls for a trans call.
                 *
                 * The wait2 stage will trigger the read.
                 */
                TALLOC_FREE(subreq);
                return;
        }

        /*
         * we don't need wait2 anymore, we're sure that
         * we'll do a trans call.
         */
        TALLOC_FREE(frag->subreq_wait2);

        status = frag->conn->transport.use_trans_fn(frag->conn->transport.stream);
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(frag);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                //dcerpc_transport_dead(p, NT_STATUS_NO_MEMORY);
                return;
        }

        /* we free subreq after tstream_cli_np_use_trans */
        TALLOC_FREE(subreq);

        status = dcerpc_connection_loop_restart(frag->conn, frag->ev);
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(frag);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                //dcerpc_transport_dead(p, NT_STATUS_NO_MEMORY);
                return;
        }
}

static void dcerpc_do_request_out_frag_done(struct tevent_req *subreq)
{
        struct dcerpc_do_request_out_frag *frag =
                tevent_req_callback_data(subreq,
                struct dcerpc_do_request_out_frag);
        struct tevent_req *req = frag->req;
        NTSTATUS status;
        int ret;
        int sys_errno;

        /*
         * If the caller has been free'ed, we have should
         * ignore any errors and just free 'frag'
         */
        if (req) {
                struct dcerpc_do_request_state *state =
                        tevent_req_data(req,
                        struct dcerpc_do_request_state);

                state->out_frag = NULL;
        }

        ret = tstream_writev_queue_recv(subreq, &sys_errno);
        TALLOC_FREE(subreq);
        if (ret == -1) {
                TALLOC_FREE(frag);
                status = map_nt_error_from_unix_common(sys_errno);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                return;
        }

        if (frag->subreq_wait2 != NULL) {
                return;
        }

        if (frag->is_last) {
                TALLOC_FREE(frag);
                return;
        }
        TALLOC_FREE(frag);

        if (req == NULL) {
                return;
        }

        dcerpc_do_request_out_frag_next(req, NULL);
}

static void dcerpc_do_request_out_frag_trans_wait2(struct tevent_req *subreq)
{
        struct dcerpc_do_request_out_frag *frag =
                tevent_req_callback_data(subreq,
                struct dcerpc_do_request_out_frag);
        struct tevent_req *req = frag->req;
        NTSTATUS status;
        bool ok;

        frag->subreq_wait2 = NULL;

        ok = tevent_queue_wait_recv(subreq);
        if (!ok) {
                status = NT_STATUS_INTERNAL_ERROR;
                TALLOC_FREE(frag);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                //dcerpc_transport_dead(p, NT_STATUS_NO_MEMORY);
                return;
        }

        TALLOC_FREE(subreq);

        status = dcerpc_connection_loop_restart(frag->conn, frag->ev);
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(frag);
                if (req) {
                        tevent_req_nterror(req, status);
                }
                //dcerpc_transport_dead(p, NT_STATUS_NO_MEMORY);
                return;
        }

        TALLOC_FREE(frag);

        /* we need to wait for incoming pdus */
}

static NTSTATUS dcerpc_do_request_handle_in_frag(void *private_data,
                                                 struct ncacn_packet *pkt,
                                                 DATA_BLOB frag)
{
        struct tevent_req *req =
                talloc_get_type_abort(private_data,
                struct tevent_req);
        struct dcerpc_do_request_state *state =
                tevent_req_data(req,
                struct dcerpc_do_request_state);
        NTSTATUS error;
        NTSTATUS status;
        size_t pad_len = 0;
        DATA_BLOB payload;
        size_t new_total;
        size_t missing;
        bool ok;

        /* Ensure we have the correct type. */
        switch (pkt->ptype) {
        case DCERPC_PKT_RESPONSE:

                /* Here's where we deal with incoming sign/seal. */
                error = dcerpc_check_pdu_auth(state->call->sec,
                                        pkt,
                                        &pkt->u.response.stub_and_verifier,
                                        DCERPC_RESPONSE_LENGTH,
                                        &frag, &pad_len);
                if (!NT_STATUS_IS_OK(error)) {
                        return error;
                }

                if (frag.length < DCERPC_RESPONSE_LENGTH + pad_len) {
                        return NT_STATUS_RPC_PROTOCOL_ERROR;
                }
//TODO
                /* Point the return values at the NDR data. */
                payload.data = frag.data + DCERPC_RESPONSE_LENGTH;

                if (pkt->auth_length) {
                        /* We've already done integer wrap tests in
                         * dcerpc_check_auth(). */
                        payload.length = frag.length
                                         - DCERPC_RESPONSE_LENGTH
                                         - pad_len
                                         - DCERPC_AUTH_TRAILER_LENGTH
                                         - pkt->auth_length;
                } else {
                        payload.length = frag.length - DCERPC_RESPONSE_LENGTH;
                }

                if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
                        if (pkt->drep[0] & DCERPC_DREP_LE) {
                                state->response.bigendian = false;
                        } else {
                                state->response.bigendian = true;
                        }
                }

                DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
                           (long unsigned int)frag.length,
                           (long unsigned int)payload.length,
                           (unsigned int)pad_len));

                /*
                 * If this is the first reply, and the allocation hint is
                 * reasonable, try and set up the reply_pdu DATA_BLOB to the
                 * correct size.
                 */

                if ((state->response.blob.length == 0) &&
                    pkt->u.response.alloc_hint &&
                    (pkt->u.response.alloc_hint < 15*1024*1024)) {
                        ok = data_blob_realloc(state, &state->response.blob,
                                               pkt->u.response.alloc_hint);
                        if (!ok) {
                                DEBUG(0, ("reply alloc hint %d too "
                                          "large to allocate\n",
                                    (int)pkt->u.response.alloc_hint));
                                return NT_STATUS_NO_MEMORY;
                        }
                }

                new_total = state->response.ofs + payload.length;

                if (new_total > 15 * 1024 *1024) {
                        return NT_STATUS_RPC_PROTOCOL_ERROR;//TODO
                }

                missing = new_total - state->response.blob.length;

                if (missing > 0) {
                        ok = data_blob_realloc(state, &state->response.blob,
                                               new_total);
                        if (!ok) {
                                DEBUG(0, ("reply alloc hint %d too "
                                          "large to allocate\n",
                                    (int)pkt->u.response.alloc_hint));
                                return NT_STATUS_NO_MEMORY;
                        }
                }

                memcpy(state->response.blob.data + state->response.ofs,
                       payload.data, payload.length);
                state->response.ofs += payload.length;

                if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
                        tevent_req_done(req);//TODO
                        return NT_STATUS_OK;
                }
                return NT_STATUS_OK;

        case DCERPC_PKT_FAULT:

                DEBUG(1, ("cli_pipe_validate_current_pdu: RPC fault "
                          "code %s received from %s!\n",
                          dcerpc_errstr(talloc_tos(),
                          pkt->u.fault.status),
                          "TODO"));

                status = dcerpc_fault_to_nt_status(pkt->u.fault.status);
                if (NT_STATUS_IS_OK(status)) {
                        status = NT_STATUS_RPC_PROTOCOL_ERROR;
                }

                tevent_req_nterror(req, status);//TODO
                return NT_STATUS_OK;
        default:
                DEBUG(0, ("Unknown packet type %u received from %s!\n",
                          (unsigned int)pkt->ptype,
                         "TODO"));
                return NT_STATUS_RPC_PROTOCOL_ERROR;
        }
}

NTSTATUS dcerpc_do_request_recv(struct tevent_req *req,
                                TALLOC_CTX *mem_ctx,
                                DATA_BLOB *response,
                                bool *bigendian)
{
        struct dcerpc_do_request_state *state =
                tevent_req_data(req,
                struct dcerpc_do_request_state);
        NTSTATUS status;

        if (tevent_req_is_nterror(req, &status)) {
                tevent_req_received(req);
                return status;
        }

        /* return data to caller and assign it ownership of memory */
        response->data = talloc_move(mem_ctx, &state->response.blob.data);
        response->length = state->response.blob.length;
        *bigendian = state->response.bigendian;

        tevent_req_received(req);
        return NT_STATUS_OK;
}