1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
25 */
26
27 /*
28 * Client NDR RPC interface.
29 */
30
31 #include <sys/types.h>
32 #include <sys/errno.h>
33 #include <sys/fcntl.h>
34 #include <sys/tzfile.h>
35 #include <time.h>
36 #include <strings.h>
37 #include <assert.h>
38 #include <errno.h>
39 #include <thread.h>
40 #include <unistd.h>
41 #include <syslog.h>
42 #include <synch.h>
43
44 #include <netsmb/smbfs_api.h>
45 #include <smbsrv/libsmb.h>
46 #include <smbsrv/libsmbns.h>
47 #include <smbsrv/libmlrpc.h>
48 #include <smbsrv/libmlsvc.h>
49 #include <smbsrv/ndl/srvsvc.ndl>
50 #include <libsmbrdr.h>
51 #include <mlsvc.h>
52
53 static int ndr_xa_init(ndr_client_t *, ndr_xa_t *);
54 static int ndr_xa_exchange(ndr_client_t *, ndr_xa_t *);
55 static int ndr_xa_read(ndr_client_t *, ndr_xa_t *);
56 static void ndr_xa_preserve(ndr_client_t *, ndr_xa_t *);
57 static void ndr_xa_destruct(ndr_client_t *, ndr_xa_t *);
58 static void ndr_xa_release(ndr_client_t *);
59
60
61 /*
62 * This call must be made to initialize an RPC client structure and bind
63 * to the remote service before any RPCs can be exchanged with that service.
64 *
65 * The mlsvc_handle_t is a wrapper that is used to associate an RPC handle
66 * with the client context for an instance of the interface. The handle
67 * is zeroed to ensure that it doesn't look like a valid handle -
68 * handle content is provided by the remove service.
69 *
70 * The client points to this top-level handle so that we know when to
71 * unbind and teardown the connection. As each handle is initialized it
72 * will inherit a reference to the client context.
73 *
74 * Returns 0 or an NT_STATUS:
75 * NT_STATUS_BAD_NETWORK_PATH (get server addr)
76 * NT_STATUS_NETWORK_ACCESS_DENIED (connect, auth)
77 * NT_STATUS_BAD_NETWORK_NAME (tcon, open)
78 * NT_STATUS_ACCESS_DENIED (open pipe)
79 * NT_STATUS_INVALID_PARAMETER (rpc bind)
80 *
81 * NT_STATUS_INTERNAL_ERROR (bad args etc)
82 * NT_STATUS_NO_MEMORY
83 */
84 DWORD
ndr_rpc_bind(mlsvc_handle_t * handle,char * server,char * domain,char * username,const char * service)85 ndr_rpc_bind(mlsvc_handle_t *handle, char *server, char *domain,
86 char *username, const char *service)
87 {
88 struct smb_ctx *ctx = NULL;
89 ndr_client_t *clnt = NULL;
90 ndr_service_t *svc;
91 srvsvc_server_info_t svinfo;
92 DWORD status;
93 int fd = -1;
94 int rc;
95
96 if (handle == NULL || server == NULL || server[0] == '\0' ||
97 domain == NULL || username == NULL)
98 return (NT_STATUS_INTERNAL_ERROR);
99
100 /* In case the service was not registered... */
101 if ((svc = ndr_svc_lookup_name(service)) == NULL)
102 return (NT_STATUS_INTERNAL_ERROR);
103
104 /*
105 * Set the default based on the assumption that most
106 * servers will be Windows 2000 or later. This used to
107 * try to get the actual server version, but that RPC
108 * is not necessarily allowed anymore, so don't bother.
109 */
110 bzero(&svinfo, sizeof (srvsvc_server_info_t));
111 svinfo.sv_platform_id = SV_PLATFORM_ID_NT;
112 svinfo.sv_version_major = 5;
113 svinfo.sv_version_minor = 0;
114 svinfo.sv_type = SV_TYPE_DEFAULT;
115 svinfo.sv_os = NATIVE_OS_WIN2000;
116
117 /*
118 * Some callers pass this when they want a NULL session.
119 * Todo: have callers pass an empty string for that.
120 */
121 if (strcmp(username, MLSVC_ANON_USER) == 0)
122 username = "";
123
124 /*
125 * Setup smbfs library handle, authenticate, connect to
126 * the IPC$ share. This will reuse an existing connection
127 * if the driver already has one for this combination of
128 * server, user, domain. It may return any of:
129 * NT_STATUS_BAD_NETWORK_PATH (get server addr)
130 * NT_STATUS_NETWORK_ACCESS_DENIED (connect, auth)
131 * NT_STATUS_BAD_NETWORK_NAME (tcon)
132 */
133 status = smbrdr_ctx_new(&ctx, server, domain, username);
134 if (status != NT_STATUS_SUCCESS) {
135 syslog(LOG_ERR, "ndr_rpc_bind: smbrdr_ctx_new"
136 "(Srv=%s Dom=%s User=%s), %s (0x%x)",
137 server, domain, username,
138 xlate_nt_status(status), status);
139 /* Tell the DC Locator this DC failed. */
140 smb_ddiscover_bad_dc(server);
141 goto errout;
142 }
143
144 /*
145 * Open the named pipe.
146 */
147 fd = smb_fh_open(ctx, svc->endpoint, O_RDWR);
148 if (fd < 0) {
149 rc = errno;
150 syslog(LOG_DEBUG, "ndr_rpc_bind: "
151 "smb_fh_open (%s) err=%d",
152 svc->endpoint, rc);
153 switch (rc) {
154 case EACCES:
155 status = NT_STATUS_ACCESS_DENIED;
156 break;
157 default:
158 status = NT_STATUS_BAD_NETWORK_NAME;
159 break;
160 }
161 goto errout;
162 }
163
164 /*
165 * Setup the RPC client handle.
166 */
167 if ((clnt = malloc(sizeof (ndr_client_t))) == NULL) {
168 status = NT_STATUS_NO_MEMORY;
169 goto errout;
170 }
171 bzero(clnt, sizeof (ndr_client_t));
172
173 clnt->handle = &handle->handle;
174 clnt->xa_init = ndr_xa_init;
175 clnt->xa_exchange = ndr_xa_exchange;
176 clnt->xa_read = ndr_xa_read;
177 clnt->xa_preserve = ndr_xa_preserve;
178 clnt->xa_destruct = ndr_xa_destruct;
179 clnt->xa_release = ndr_xa_release;
180 clnt->xa_private = ctx;
181 clnt->xa_fd = fd;
182
183 ndr_svc_binding_pool_init(&clnt->binding_list,
184 clnt->binding_pool, NDR_N_BINDING_POOL);
185
186 if ((clnt->heap = ndr_heap_create()) == NULL) {
187 status = NT_STATUS_NO_MEMORY;
188 goto errout;
189 }
190
191 /*
192 * Fill in the caller's handle.
193 */
194 bzero(&handle->handle, sizeof (ndr_hdid_t));
195 handle->clnt = clnt;
196 bcopy(&svinfo, &handle->svinfo, sizeof (srvsvc_server_info_t));
197
198 /*
199 * Do the OtW RPC bind.
200 */
201 rc = ndr_clnt_bind(clnt, service, &clnt->binding);
202 switch (rc) {
203 case NDR_DRC_FAULT_OUT_OF_MEMORY:
204 status = NT_STATUS_NO_MEMORY;
205 break;
206 case NDR_DRC_FAULT_API_SERVICE_INVALID: /* not registered */
207 status = NT_STATUS_INTERNAL_ERROR;
208 break;
209 default:
210 if (NDR_DRC_IS_FAULT(rc)) {
211 status = NT_STATUS_INVALID_PARAMETER;
212 break;
213 }
214 /* FALLTHROUGH */
215 case NDR_DRC_OK:
216 return (NT_STATUS_SUCCESS);
217 }
218
219 syslog(LOG_DEBUG, "ndr_rpc_bind: "
220 "ndr_clnt_bind, %s (0x%x)",
221 xlate_nt_status(status), status);
222
223 errout:
224 handle->clnt = NULL;
225 if (clnt != NULL) {
226 ndr_heap_destroy(clnt->heap);
227 free(clnt);
228 }
229 if (ctx != NULL) {
230 if (fd != -1)
231 (void) smb_fh_close(fd);
232 smbrdr_ctx_free(ctx);
233 }
234
235 return (status);
236 }
237
238 /*
239 * Unbind and close the pipe to an RPC service.
240 *
241 * If the heap has been preserved we need to go through an xa release.
242 * The heap is preserved during an RPC call because that's where data
243 * returned from the server is stored.
244 *
245 * Otherwise we destroy the heap directly.
246 */
247 void
ndr_rpc_unbind(mlsvc_handle_t * handle)248 ndr_rpc_unbind(mlsvc_handle_t *handle)
249 {
250 ndr_client_t *clnt = handle->clnt;
251 struct smb_ctx *ctx = clnt->xa_private;
252
253 if (clnt->heap_preserved)
254 ndr_clnt_free_heap(clnt);
255 else
256 ndr_heap_destroy(clnt->heap);
257
258 (void) smb_fh_close(clnt->xa_fd);
259 smbrdr_ctx_free(ctx);
260 free(clnt);
261 bzero(handle, sizeof (mlsvc_handle_t));
262 }
263
264 /*
265 * Call the RPC function identified by opnum. The remote service is
266 * identified by the handle, which should have been initialized by
267 * ndr_rpc_bind.
268 *
269 * If the RPC call is successful (returns 0), the caller must call
270 * ndr_rpc_release to release the heap. Otherwise, we release the
271 * heap here.
272 */
273 int
ndr_rpc_call(mlsvc_handle_t * handle,int opnum,void * params)274 ndr_rpc_call(mlsvc_handle_t *handle, int opnum, void *params)
275 {
276 ndr_client_t *clnt = handle->clnt;
277 int rc;
278
279 if (ndr_rpc_get_heap(handle) == NULL)
280 return (-1);
281
282 rc = ndr_clnt_call(clnt->binding, opnum, params);
283
284 /*
285 * Always clear the nonull flag to ensure
286 * it is not applied to subsequent calls.
287 */
288 clnt->nonull = B_FALSE;
289
290 if (NDR_DRC_IS_FAULT(rc)) {
291 ndr_rpc_release(handle);
292 return (-1);
293 }
294
295 return (0);
296 }
297
298 /*
299 * Outgoing strings should not be null terminated.
300 */
301 void
ndr_rpc_set_nonull(mlsvc_handle_t * handle)302 ndr_rpc_set_nonull(mlsvc_handle_t *handle)
303 {
304 handle->clnt->nonull = B_TRUE;
305 }
306
307 /*
308 * Return a reference to the server info.
309 */
310 const srvsvc_server_info_t *
ndr_rpc_server_info(mlsvc_handle_t * handle)311 ndr_rpc_server_info(mlsvc_handle_t *handle)
312 {
313 return (&handle->svinfo);
314 }
315
316 /*
317 * Return the RPC server OS level.
318 */
319 uint32_t
ndr_rpc_server_os(mlsvc_handle_t * handle)320 ndr_rpc_server_os(mlsvc_handle_t *handle)
321 {
322 return (handle->svinfo.sv_os);
323 }
324
325 /*
326 * Get the session key from a bound RPC client handle.
327 *
328 * The key returned is the 16-byte "user session key"
329 * established by the underlying authentication protocol
330 * (either Kerberos or NTLM). This key is needed for
331 * SAM RPC calls such as SamrSetInformationUser, etc.
332 * See [MS-SAMR] sections: 2.2.3.3, 2.2.7.21, 2.2.7.25.
333 *
334 * Returns zero (success) or an errno.
335 */
336 int
ndr_rpc_get_ssnkey(mlsvc_handle_t * handle,unsigned char * ssn_key,size_t len)337 ndr_rpc_get_ssnkey(mlsvc_handle_t *handle,
338 unsigned char *ssn_key, size_t len)
339 {
340 ndr_client_t *clnt = handle->clnt;
341 int rc;
342
343 if (clnt == NULL)
344 return (EINVAL);
345
346 rc = smb_fh_getssnkey(clnt->xa_fd, ssn_key, len);
347 return (rc);
348 }
349
350 void *
ndr_rpc_malloc(mlsvc_handle_t * handle,size_t size)351 ndr_rpc_malloc(mlsvc_handle_t *handle, size_t size)
352 {
353 ndr_heap_t *heap;
354
355 if ((heap = ndr_rpc_get_heap(handle)) == NULL)
356 return (NULL);
357
358 return (ndr_heap_malloc(heap, size));
359 }
360
361 ndr_heap_t *
ndr_rpc_get_heap(mlsvc_handle_t * handle)362 ndr_rpc_get_heap(mlsvc_handle_t *handle)
363 {
364 ndr_client_t *clnt = handle->clnt;
365
366 if (clnt->heap == NULL)
367 clnt->heap = ndr_heap_create();
368
369 return (clnt->heap);
370 }
371
372 /*
373 * Must be called by RPC clients to free the heap after a successful RPC
374 * call, i.e. ndr_rpc_call returned 0. The caller should take a copy
375 * of any data returned by the RPC prior to calling this function because
376 * returned data is in the heap.
377 */
378 void
ndr_rpc_release(mlsvc_handle_t * handle)379 ndr_rpc_release(mlsvc_handle_t *handle)
380 {
381 ndr_client_t *clnt = handle->clnt;
382
383 if (clnt->heap_preserved)
384 ndr_clnt_free_heap(clnt);
385 else
386 ndr_heap_destroy(clnt->heap);
387
388 clnt->heap = NULL;
389 }
390
391 /*
392 * Returns true if the handle is null.
393 * Otherwise returns false.
394 */
395 boolean_t
ndr_is_null_handle(mlsvc_handle_t * handle)396 ndr_is_null_handle(mlsvc_handle_t *handle)
397 {
398 static ndr_hdid_t zero_handle;
399
400 if (handle == NULL || handle->clnt == NULL)
401 return (B_TRUE);
402
403 if (!memcmp(&handle->handle, &zero_handle, sizeof (ndr_hdid_t)))
404 return (B_TRUE);
405
406 return (B_FALSE);
407 }
408
409 /*
410 * Returns true if the handle is the top level bind handle.
411 * Otherwise returns false.
412 */
413 boolean_t
ndr_is_bind_handle(mlsvc_handle_t * handle)414 ndr_is_bind_handle(mlsvc_handle_t *handle)
415 {
416 return (handle->clnt->handle == &handle->handle);
417 }
418
419 /*
420 * Pass the client reference from parent to child.
421 */
422 void
ndr_inherit_handle(mlsvc_handle_t * child,mlsvc_handle_t * parent)423 ndr_inherit_handle(mlsvc_handle_t *child, mlsvc_handle_t *parent)
424 {
425 child->clnt = parent->clnt;
426 bcopy(&parent->svinfo, &child->svinfo, sizeof (srvsvc_server_info_t));
427 }
428
429 void
ndr_rpc_status(mlsvc_handle_t * handle,int opnum,DWORD status)430 ndr_rpc_status(mlsvc_handle_t *handle, int opnum, DWORD status)
431 {
432 ndr_service_t *svc;
433 char *name = "NDR RPC";
434 char *s = "unknown";
435
436 switch (NT_SC_SEVERITY(status)) {
437 case NT_STATUS_SEVERITY_SUCCESS:
438 s = "success";
439 break;
440 case NT_STATUS_SEVERITY_INFORMATIONAL:
441 s = "info";
442 break;
443 case NT_STATUS_SEVERITY_WARNING:
444 s = "warning";
445 break;
446 case NT_STATUS_SEVERITY_ERROR:
447 s = "error";
448 break;
449 }
450
451 if (handle) {
452 svc = handle->clnt->binding->service;
453 name = svc->name;
454 }
455
456 smb_tracef("%s[0x%02x]: %s: %s (0x%08x)",
457 name, opnum, s, xlate_nt_status(status), status);
458 }
459
460 /*
461 * The following functions provide the client callback interface.
462 * If the caller hasn't provided a heap, create one here.
463 */
464 static int
ndr_xa_init(ndr_client_t * clnt,ndr_xa_t * mxa)465 ndr_xa_init(ndr_client_t *clnt, ndr_xa_t *mxa)
466 {
467 ndr_stream_t *recv_nds = &mxa->recv_nds;
468 ndr_stream_t *send_nds = &mxa->send_nds;
469 ndr_heap_t *heap = clnt->heap;
470 int rc;
471
472 if (heap == NULL) {
473 if ((heap = ndr_heap_create()) == NULL)
474 return (-1);
475
476 clnt->heap = heap;
477 }
478
479 mxa->heap = heap;
480
481 rc = nds_initialize(send_nds, 0, NDR_MODE_CALL_SEND, heap);
482 if (rc == 0)
483 rc = nds_initialize(recv_nds, NDR_PDU_SIZE_HINT_DEFAULT,
484 NDR_MODE_RETURN_RECV, heap);
485
486 if (rc != 0) {
487 nds_destruct(&mxa->recv_nds);
488 nds_destruct(&mxa->send_nds);
489 ndr_heap_destroy(mxa->heap);
490 mxa->heap = NULL;
491 clnt->heap = NULL;
492 return (-1);
493 }
494
495 if (clnt->nonull)
496 NDS_SETF(send_nds, NDS_F_NONULL);
497
498 return (0);
499 }
500
501 /*
502 * This is the entry pointy for an RPC client call exchange with
503 * a server, which will result in an smbrdr SmbTransact request.
504 *
505 * SmbTransact should return the number of bytes received, which
506 * we record as the PDU size, or a negative error code.
507 */
508 static int
ndr_xa_exchange(ndr_client_t * clnt,ndr_xa_t * mxa)509 ndr_xa_exchange(ndr_client_t *clnt, ndr_xa_t *mxa)
510 {
511 ndr_stream_t *recv_nds = &mxa->recv_nds;
512 ndr_stream_t *send_nds = &mxa->send_nds;
513 int err, more, nbytes;
514
515 nbytes = recv_nds->pdu_max_size;
516 err = smb_fh_xactnp(clnt->xa_fd,
517 send_nds->pdu_size, (char *)send_nds->pdu_base_offset,
518 &nbytes, (char *)recv_nds->pdu_base_offset, &more);
519 if (err) {
520 recv_nds->pdu_size = 0;
521 return (-1);
522 }
523
524 recv_nds->pdu_size = nbytes;
525 return (0);
526 }
527
528 /*
529 * This entry point will be invoked if the xa-exchange response contained
530 * only the first fragment of a multi-fragment response. The RPC client
531 * code will then make repeated xa-read requests to obtain the remaining
532 * fragments, which will result in smbrdr SmbReadX requests.
533 *
534 * SmbReadX should return the number of bytes received, in which case we
535 * expand the PDU size to include the received data, or a negative error
536 * code.
537 */
538 static int
ndr_xa_read(ndr_client_t * clnt,ndr_xa_t * mxa)539 ndr_xa_read(ndr_client_t *clnt, ndr_xa_t *mxa)
540 {
541 ndr_stream_t *nds = &mxa->recv_nds;
542 int len;
543 int nbytes;
544
545 if ((len = (nds->pdu_max_size - nds->pdu_size)) < 0)
546 return (-1);
547
548 nbytes = smb_fh_read(clnt->xa_fd, 0, len,
549 (char *)nds->pdu_base_offset + nds->pdu_size);
550
551 if (nbytes < 0)
552 return (-1);
553
554 nds->pdu_size += nbytes;
555
556 if (nds->pdu_size > nds->pdu_max_size) {
557 nds->pdu_size = nds->pdu_max_size;
558 return (-1);
559 }
560
561 return (nbytes);
562 }
563
564 /*
565 * Preserve the heap so that the client application has access to data
566 * returned from the server after an RPC call.
567 */
568 static void
ndr_xa_preserve(ndr_client_t * clnt,ndr_xa_t * mxa)569 ndr_xa_preserve(ndr_client_t *clnt, ndr_xa_t *mxa)
570 {
571 assert(clnt->heap == mxa->heap);
572
573 clnt->heap_preserved = B_TRUE;
574 mxa->heap = NULL;
575 }
576
577 /*
578 * Dispose of the transaction streams. If the heap has not been
579 * preserved, we can destroy it here.
580 */
581 static void
ndr_xa_destruct(ndr_client_t * clnt,ndr_xa_t * mxa)582 ndr_xa_destruct(ndr_client_t *clnt, ndr_xa_t *mxa)
583 {
584 nds_destruct(&mxa->recv_nds);
585 nds_destruct(&mxa->send_nds);
586
587 if (!clnt->heap_preserved) {
588 ndr_heap_destroy(mxa->heap);
589 mxa->heap = NULL;
590 clnt->heap = NULL;
591 }
592 }
593
594 /*
595 * Dispose of a preserved heap.
596 */
597 static void
ndr_xa_release(ndr_client_t * clnt)598 ndr_xa_release(ndr_client_t *clnt)
599 {
600 if (clnt->heap_preserved) {
601 ndr_heap_destroy(clnt->heap);
602 clnt->heap = NULL;
603 clnt->heap_preserved = B_FALSE;
604 }
605 }
606
607
608 /*
609 * Compare the time here with the remote time on the server
610 * and report clock skew.
611 */
612 void
ndr_srvsvc_timecheck(char * server,char * domain)613 ndr_srvsvc_timecheck(char *server, char *domain)
614 {
615 char hostname[MAXHOSTNAMELEN];
616 struct timeval dc_tv;
617 struct tm dc_tm;
618 struct tm *tm;
619 time_t tnow;
620 time_t tdiff;
621 int priority;
622
623 if (srvsvc_net_remote_tod(server, domain, &dc_tv, &dc_tm) < 0) {
624 syslog(LOG_DEBUG, "srvsvc_net_remote_tod failed");
625 return;
626 }
627
628 tnow = time(NULL);
629
630 if (tnow > dc_tv.tv_sec)
631 tdiff = (tnow - dc_tv.tv_sec) / SECSPERMIN;
632 else
633 tdiff = (dc_tv.tv_sec - tnow) / SECSPERMIN;
634
635 if (tdiff != 0) {
636 (void) strlcpy(hostname, "localhost", MAXHOSTNAMELEN);
637 (void) gethostname(hostname, MAXHOSTNAMELEN);
638
639 priority = (tdiff > 2) ? LOG_NOTICE : LOG_DEBUG;
640 syslog(priority, "DC [%s] clock skew detected: %u minutes",
641 server, tdiff);
642
643 tm = gmtime(&dc_tv.tv_sec);
644 syslog(priority, "%-8s UTC: %s", server, asctime(tm));
645 tm = gmtime(&tnow);
646 syslog(priority, "%-8s UTC: %s", hostname, asctime(tm));
647 }
648 }
649