xref: /titanic_52/usr/src/lib/smbsrv/libmlsvc/common/mlsvc_client.c (revision 7f11fd00fc23e2af7ae21cc8837a2b86380dcfa7)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
25  */
26 
27 /*
28  * Client NDR RPC interface.
29  */
30 
31 #include <sys/types.h>
32 #include <sys/errno.h>
33 #include <sys/fcntl.h>
34 #include <sys/tzfile.h>
35 #include <time.h>
36 #include <strings.h>
37 #include <assert.h>
38 #include <errno.h>
39 #include <thread.h>
40 #include <unistd.h>
41 #include <syslog.h>
42 #include <synch.h>
43 
44 #include <netsmb/smbfs_api.h>
45 #include <smbsrv/libsmb.h>
46 #include <smbsrv/libsmbns.h>
47 #include <smbsrv/libmlrpc.h>
48 #include <smbsrv/libmlsvc.h>
49 #include <smbsrv/ndl/srvsvc.ndl>
50 #include <libsmbrdr.h>
51 #include <mlsvc.h>
52 
53 static int ndr_xa_init(ndr_client_t *, ndr_xa_t *);
54 static int ndr_xa_exchange(ndr_client_t *, ndr_xa_t *);
55 static int ndr_xa_read(ndr_client_t *, ndr_xa_t *);
56 static void ndr_xa_preserve(ndr_client_t *, ndr_xa_t *);
57 static void ndr_xa_destruct(ndr_client_t *, ndr_xa_t *);
58 static void ndr_xa_release(ndr_client_t *);
59 
60 
61 /*
62  * This call must be made to initialize an RPC client structure and bind
63  * to the remote service before any RPCs can be exchanged with that service.
64  *
65  * The mlsvc_handle_t is a wrapper that is used to associate an RPC handle
66  * with the client context for an instance of the interface.  The handle
67  * is zeroed to ensure that it doesn't look like a valid handle -
68  * handle content is provided by the remove service.
69  *
70  * The client points to this top-level handle so that we know when to
71  * unbind and teardown the connection.  As each handle is initialized it
72  * will inherit a reference to the client context.
73  *
74  * Returns 0 or an NT_STATUS:
75  *	NT_STATUS_BAD_NETWORK_PATH	(get server addr)
76  *	NT_STATUS_NETWORK_ACCESS_DENIED	(connect, auth)
77  *	NT_STATUS_BAD_NETWORK_NAME	(tcon, open)
78  *	NT_STATUS_ACCESS_DENIED		(open pipe)
79  *	NT_STATUS_INVALID_PARAMETER	(rpc bind)
80  *
81  *	NT_STATUS_INTERNAL_ERROR	(bad args etc)
82  *	NT_STATUS_NO_MEMORY
83  */
84 DWORD
85 ndr_rpc_bind(mlsvc_handle_t *handle, char *server, char *domain,
86     char *username, const char *service)
87 {
88 	struct smb_ctx		*ctx = NULL;
89 	ndr_client_t		*clnt = NULL;
90 	ndr_service_t		*svc;
91 	srvsvc_server_info_t	svinfo;
92 	DWORD			status;
93 	int			fd = -1;
94 	int			rc;
95 
96 	if (handle == NULL || server == NULL || server[0] == '\0' ||
97 	    domain == NULL || username == NULL)
98 		return (NT_STATUS_INTERNAL_ERROR);
99 
100 	/* In case the service was not registered... */
101 	if ((svc = ndr_svc_lookup_name(service)) == NULL)
102 		return (NT_STATUS_INTERNAL_ERROR);
103 
104 	/*
105 	 * Set the default based on the assumption that most
106 	 * servers will be Windows 2000 or later.  This used to
107 	 * try to get the actual server version, but that RPC
108 	 * is not necessarily allowed anymore, so don't bother.
109 	 */
110 	bzero(&svinfo, sizeof (srvsvc_server_info_t));
111 	svinfo.sv_platform_id = SV_PLATFORM_ID_NT;
112 	svinfo.sv_version_major = 5;
113 	svinfo.sv_version_minor = 0;
114 	svinfo.sv_type = SV_TYPE_DEFAULT;
115 	svinfo.sv_os = NATIVE_OS_WIN2000;
116 
117 	/*
118 	 * Some callers pass this when they want a NULL session.
119 	 * Todo: have callers pass an empty string for that.
120 	 */
121 	if (strcmp(username, MLSVC_ANON_USER) == 0)
122 		username = "";
123 
124 	/*
125 	 * Setup smbfs library handle, authenticate, connect to
126 	 * the IPC$ share.  This will reuse an existing connection
127 	 * if the driver already has one for this combination of
128 	 * server, user, domain.  It may return any of:
129 	 *	NT_STATUS_BAD_NETWORK_PATH	(get server addr)
130 	 *	NT_STATUS_NETWORK_ACCESS_DENIED	(connect, auth)
131 	 *	NT_STATUS_BAD_NETWORK_NAME	(tcon)
132 	 */
133 	status = smbrdr_ctx_new(&ctx, server, domain, username);
134 	if (status != NT_STATUS_SUCCESS) {
135 		syslog(LOG_ERR, "ndr_rpc_bind: smbrdr_ctx_new"
136 		    "(Srv=%s Dom=%s User=%s), %s (0x%x)",
137 		    server, domain, username,
138 		    xlate_nt_status(status), status);
139 		/* Tell the DC Locator this DC failed. */
140 		smb_ddiscover_bad_dc(server);
141 		goto errout;
142 	}
143 
144 	/*
145 	 * Open the named pipe.
146 	 */
147 	fd = smb_fh_open(ctx, svc->endpoint, O_RDWR);
148 	if (fd < 0) {
149 		rc = errno;
150 		syslog(LOG_DEBUG, "ndr_rpc_bind: "
151 		    "smb_fh_open (%s) err=%d",
152 		    svc->endpoint, rc);
153 		switch (rc) {
154 		case EACCES:
155 			status = NT_STATUS_ACCESS_DENIED;
156 			break;
157 		default:
158 			status = NT_STATUS_BAD_NETWORK_NAME;
159 			break;
160 		}
161 		goto errout;
162 	}
163 
164 	/*
165 	 * Setup the RPC client handle.
166 	 */
167 	if ((clnt = malloc(sizeof (ndr_client_t))) == NULL) {
168 		status = NT_STATUS_NO_MEMORY;
169 		goto errout;
170 	}
171 	bzero(clnt, sizeof (ndr_client_t));
172 
173 	clnt->handle = &handle->handle;
174 	clnt->xa_init = ndr_xa_init;
175 	clnt->xa_exchange = ndr_xa_exchange;
176 	clnt->xa_read = ndr_xa_read;
177 	clnt->xa_preserve = ndr_xa_preserve;
178 	clnt->xa_destruct = ndr_xa_destruct;
179 	clnt->xa_release = ndr_xa_release;
180 	clnt->xa_private = ctx;
181 	clnt->xa_fd = fd;
182 
183 	ndr_svc_binding_pool_init(&clnt->binding_list,
184 	    clnt->binding_pool, NDR_N_BINDING_POOL);
185 
186 	if ((clnt->heap = ndr_heap_create()) == NULL) {
187 		status = NT_STATUS_NO_MEMORY;
188 		goto errout;
189 	}
190 
191 	/*
192 	 * Fill in the caller's handle.
193 	 */
194 	bzero(&handle->handle, sizeof (ndr_hdid_t));
195 	handle->clnt = clnt;
196 	bcopy(&svinfo, &handle->svinfo, sizeof (srvsvc_server_info_t));
197 
198 	/*
199 	 * Do the OtW RPC bind.
200 	 */
201 	rc = ndr_clnt_bind(clnt, service, &clnt->binding);
202 	switch (rc) {
203 	case NDR_DRC_FAULT_OUT_OF_MEMORY:
204 		status = NT_STATUS_NO_MEMORY;
205 		break;
206 	case NDR_DRC_FAULT_API_SERVICE_INVALID:	/* not registered */
207 		status = NT_STATUS_INTERNAL_ERROR;
208 		break;
209 	default:
210 		if (NDR_DRC_IS_FAULT(rc)) {
211 			status = NT_STATUS_INVALID_PARAMETER;
212 			break;
213 		}
214 		/* FALLTHROUGH */
215 	case NDR_DRC_OK:
216 		return (NT_STATUS_SUCCESS);
217 	}
218 
219 	syslog(LOG_DEBUG, "ndr_rpc_bind: "
220 	    "ndr_clnt_bind, %s (0x%x)",
221 	    xlate_nt_status(status), status);
222 
223 errout:
224 	handle->clnt = NULL;
225 	if (clnt != NULL) {
226 		ndr_heap_destroy(clnt->heap);
227 		free(clnt);
228 	}
229 	if (ctx != NULL) {
230 		if (fd != -1)
231 			(void) smb_fh_close(fd);
232 		smbrdr_ctx_free(ctx);
233 	}
234 
235 	return (status);
236 }
237 
238 /*
239  * Unbind and close the pipe to an RPC service.
240  *
241  * If the heap has been preserved we need to go through an xa release.
242  * The heap is preserved during an RPC call because that's where data
243  * returned from the server is stored.
244  *
245  * Otherwise we destroy the heap directly.
246  */
247 void
248 ndr_rpc_unbind(mlsvc_handle_t *handle)
249 {
250 	ndr_client_t *clnt = handle->clnt;
251 	struct smb_ctx *ctx = clnt->xa_private;
252 
253 	if (clnt->heap_preserved)
254 		ndr_clnt_free_heap(clnt);
255 	else
256 		ndr_heap_destroy(clnt->heap);
257 
258 	(void) smb_fh_close(clnt->xa_fd);
259 	smbrdr_ctx_free(ctx);
260 	free(clnt);
261 	bzero(handle, sizeof (mlsvc_handle_t));
262 }
263 
264 /*
265  * Call the RPC function identified by opnum.  The remote service is
266  * identified by the handle, which should have been initialized by
267  * ndr_rpc_bind.
268  *
269  * If the RPC call is successful (returns 0), the caller must call
270  * ndr_rpc_release to release the heap.  Otherwise, we release the
271  * heap here.
272  */
273 int
274 ndr_rpc_call(mlsvc_handle_t *handle, int opnum, void *params)
275 {
276 	ndr_client_t *clnt = handle->clnt;
277 	int rc;
278 
279 	if (ndr_rpc_get_heap(handle) == NULL)
280 		return (-1);
281 
282 	rc = ndr_clnt_call(clnt->binding, opnum, params);
283 
284 	/*
285 	 * Always clear the nonull flag to ensure
286 	 * it is not applied to subsequent calls.
287 	 */
288 	clnt->nonull = B_FALSE;
289 
290 	if (NDR_DRC_IS_FAULT(rc)) {
291 		ndr_rpc_release(handle);
292 		return (-1);
293 	}
294 
295 	return (0);
296 }
297 
298 /*
299  * Outgoing strings should not be null terminated.
300  */
301 void
302 ndr_rpc_set_nonull(mlsvc_handle_t *handle)
303 {
304 	handle->clnt->nonull = B_TRUE;
305 }
306 
307 /*
308  * Return a reference to the server info.
309  */
310 const srvsvc_server_info_t *
311 ndr_rpc_server_info(mlsvc_handle_t *handle)
312 {
313 	return (&handle->svinfo);
314 }
315 
316 /*
317  * Return the RPC server OS level.
318  */
319 uint32_t
320 ndr_rpc_server_os(mlsvc_handle_t *handle)
321 {
322 	return (handle->svinfo.sv_os);
323 }
324 
325 /*
326  * Get the session key from a bound RPC client handle.
327  *
328  * The key returned is the 16-byte "user session key"
329  * established by the underlying authentication protocol
330  * (either Kerberos or NTLM).  This key is needed for
331  * SAM RPC calls such as SamrSetInformationUser, etc.
332  * See [MS-SAMR] sections: 2.2.3.3, 2.2.7.21, 2.2.7.25.
333  *
334  * Returns zero (success) or an errno.
335  */
336 int
337 ndr_rpc_get_ssnkey(mlsvc_handle_t *handle,
338 	unsigned char *ssn_key, size_t len)
339 {
340 	ndr_client_t *clnt = handle->clnt;
341 	int rc;
342 
343 	if (clnt == NULL)
344 		return (EINVAL);
345 
346 	rc = smb_fh_getssnkey(clnt->xa_fd, ssn_key, len);
347 	return (rc);
348 }
349 
350 void *
351 ndr_rpc_malloc(mlsvc_handle_t *handle, size_t size)
352 {
353 	ndr_heap_t *heap;
354 
355 	if ((heap = ndr_rpc_get_heap(handle)) == NULL)
356 		return (NULL);
357 
358 	return (ndr_heap_malloc(heap, size));
359 }
360 
361 ndr_heap_t *
362 ndr_rpc_get_heap(mlsvc_handle_t *handle)
363 {
364 	ndr_client_t *clnt = handle->clnt;
365 
366 	if (clnt->heap == NULL)
367 		clnt->heap = ndr_heap_create();
368 
369 	return (clnt->heap);
370 }
371 
372 /*
373  * Must be called by RPC clients to free the heap after a successful RPC
374  * call, i.e. ndr_rpc_call returned 0.  The caller should take a copy
375  * of any data returned by the RPC prior to calling this function because
376  * returned data is in the heap.
377  */
378 void
379 ndr_rpc_release(mlsvc_handle_t *handle)
380 {
381 	ndr_client_t *clnt = handle->clnt;
382 
383 	if (clnt->heap_preserved)
384 		ndr_clnt_free_heap(clnt);
385 	else
386 		ndr_heap_destroy(clnt->heap);
387 
388 	clnt->heap = NULL;
389 }
390 
391 /*
392  * Returns true if the handle is null.
393  * Otherwise returns false.
394  */
395 boolean_t
396 ndr_is_null_handle(mlsvc_handle_t *handle)
397 {
398 	static ndr_hdid_t zero_handle;
399 
400 	if (handle == NULL || handle->clnt == NULL)
401 		return (B_TRUE);
402 
403 	if (!memcmp(&handle->handle, &zero_handle, sizeof (ndr_hdid_t)))
404 		return (B_TRUE);
405 
406 	return (B_FALSE);
407 }
408 
409 /*
410  * Returns true if the handle is the top level bind handle.
411  * Otherwise returns false.
412  */
413 boolean_t
414 ndr_is_bind_handle(mlsvc_handle_t *handle)
415 {
416 	return (handle->clnt->handle == &handle->handle);
417 }
418 
419 /*
420  * Pass the client reference from parent to child.
421  */
422 void
423 ndr_inherit_handle(mlsvc_handle_t *child, mlsvc_handle_t *parent)
424 {
425 	child->clnt = parent->clnt;
426 	bcopy(&parent->svinfo, &child->svinfo, sizeof (srvsvc_server_info_t));
427 }
428 
429 void
430 ndr_rpc_status(mlsvc_handle_t *handle, int opnum, DWORD status)
431 {
432 	ndr_service_t *svc;
433 	char *name = "NDR RPC";
434 	char *s = "unknown";
435 
436 	switch (NT_SC_SEVERITY(status)) {
437 	case NT_STATUS_SEVERITY_SUCCESS:
438 		s = "success";
439 		break;
440 	case NT_STATUS_SEVERITY_INFORMATIONAL:
441 		s = "info";
442 		break;
443 	case NT_STATUS_SEVERITY_WARNING:
444 		s = "warning";
445 		break;
446 	case NT_STATUS_SEVERITY_ERROR:
447 		s = "error";
448 		break;
449 	}
450 
451 	if (handle) {
452 		svc = handle->clnt->binding->service;
453 		name = svc->name;
454 	}
455 
456 	smb_tracef("%s[0x%02x]: %s: %s (0x%08x)",
457 	    name, opnum, s, xlate_nt_status(status), status);
458 }
459 
460 /*
461  * The following functions provide the client callback interface.
462  * If the caller hasn't provided a heap, create one here.
463  */
464 static int
465 ndr_xa_init(ndr_client_t *clnt, ndr_xa_t *mxa)
466 {
467 	ndr_stream_t	*recv_nds = &mxa->recv_nds;
468 	ndr_stream_t	*send_nds = &mxa->send_nds;
469 	ndr_heap_t	*heap = clnt->heap;
470 	int		rc;
471 
472 	if (heap == NULL) {
473 		if ((heap = ndr_heap_create()) == NULL)
474 			return (-1);
475 
476 		clnt->heap = heap;
477 	}
478 
479 	mxa->heap = heap;
480 
481 	rc = nds_initialize(send_nds, 0, NDR_MODE_CALL_SEND, heap);
482 	if (rc == 0)
483 		rc = nds_initialize(recv_nds, NDR_PDU_SIZE_HINT_DEFAULT,
484 		    NDR_MODE_RETURN_RECV, heap);
485 
486 	if (rc != 0) {
487 		nds_destruct(&mxa->recv_nds);
488 		nds_destruct(&mxa->send_nds);
489 		ndr_heap_destroy(mxa->heap);
490 		mxa->heap = NULL;
491 		clnt->heap = NULL;
492 		return (-1);
493 	}
494 
495 	if (clnt->nonull)
496 		NDS_SETF(send_nds, NDS_F_NONULL);
497 
498 	return (0);
499 }
500 
501 /*
502  * This is the entry pointy for an RPC client call exchange with
503  * a server, which will result in an smbrdr SmbTransact request.
504  *
505  * SmbTransact should return the number of bytes received, which
506  * we record as the PDU size, or a negative error code.
507  */
508 static int
509 ndr_xa_exchange(ndr_client_t *clnt, ndr_xa_t *mxa)
510 {
511 	ndr_stream_t *recv_nds = &mxa->recv_nds;
512 	ndr_stream_t *send_nds = &mxa->send_nds;
513 	int err, more, nbytes;
514 
515 	nbytes = recv_nds->pdu_max_size;
516 	err = smb_fh_xactnp(clnt->xa_fd,
517 	    send_nds->pdu_size, (char *)send_nds->pdu_base_offset,
518 	    &nbytes, (char *)recv_nds->pdu_base_offset, &more);
519 	if (err) {
520 		recv_nds->pdu_size = 0;
521 		return (-1);
522 	}
523 
524 	recv_nds->pdu_size = nbytes;
525 	return (0);
526 }
527 
528 /*
529  * This entry point will be invoked if the xa-exchange response contained
530  * only the first fragment of a multi-fragment response.  The RPC client
531  * code will then make repeated xa-read requests to obtain the remaining
532  * fragments, which will result in smbrdr SmbReadX requests.
533  *
534  * SmbReadX should return the number of bytes received, in which case we
535  * expand the PDU size to include the received data, or a negative error
536  * code.
537  */
538 static int
539 ndr_xa_read(ndr_client_t *clnt, ndr_xa_t *mxa)
540 {
541 	ndr_stream_t *nds = &mxa->recv_nds;
542 	int len;
543 	int nbytes;
544 
545 	if ((len = (nds->pdu_max_size - nds->pdu_size)) < 0)
546 		return (-1);
547 
548 	nbytes = smb_fh_read(clnt->xa_fd, 0, len,
549 	    (char *)nds->pdu_base_offset + nds->pdu_size);
550 
551 	if (nbytes < 0)
552 		return (-1);
553 
554 	nds->pdu_size += nbytes;
555 
556 	if (nds->pdu_size > nds->pdu_max_size) {
557 		nds->pdu_size = nds->pdu_max_size;
558 		return (-1);
559 	}
560 
561 	return (nbytes);
562 }
563 
564 /*
565  * Preserve the heap so that the client application has access to data
566  * returned from the server after an RPC call.
567  */
568 static void
569 ndr_xa_preserve(ndr_client_t *clnt, ndr_xa_t *mxa)
570 {
571 	assert(clnt->heap == mxa->heap);
572 
573 	clnt->heap_preserved = B_TRUE;
574 	mxa->heap = NULL;
575 }
576 
577 /*
578  * Dispose of the transaction streams.  If the heap has not been
579  * preserved, we can destroy it here.
580  */
581 static void
582 ndr_xa_destruct(ndr_client_t *clnt, ndr_xa_t *mxa)
583 {
584 	nds_destruct(&mxa->recv_nds);
585 	nds_destruct(&mxa->send_nds);
586 
587 	if (!clnt->heap_preserved) {
588 		ndr_heap_destroy(mxa->heap);
589 		mxa->heap = NULL;
590 		clnt->heap = NULL;
591 	}
592 }
593 
594 /*
595  * Dispose of a preserved heap.
596  */
597 static void
598 ndr_xa_release(ndr_client_t *clnt)
599 {
600 	if (clnt->heap_preserved) {
601 		ndr_heap_destroy(clnt->heap);
602 		clnt->heap = NULL;
603 		clnt->heap_preserved = B_FALSE;
604 	}
605 }
606 
607 
608 /*
609  * Compare the time here with the remote time on the server
610  * and report clock skew.
611  */
612 void
613 ndr_srvsvc_timecheck(char *server, char *domain)
614 {
615 	char			hostname[MAXHOSTNAMELEN];
616 	struct timeval		dc_tv;
617 	struct tm		dc_tm;
618 	struct tm		*tm;
619 	time_t			tnow;
620 	time_t			tdiff;
621 	int			priority;
622 
623 	if (srvsvc_net_remote_tod(server, domain, &dc_tv, &dc_tm) < 0) {
624 		syslog(LOG_DEBUG, "srvsvc_net_remote_tod failed");
625 		return;
626 	}
627 
628 	tnow = time(NULL);
629 
630 	if (tnow > dc_tv.tv_sec)
631 		tdiff = (tnow - dc_tv.tv_sec) / SECSPERMIN;
632 	else
633 		tdiff = (dc_tv.tv_sec - tnow) / SECSPERMIN;
634 
635 	if (tdiff != 0) {
636 		(void) strlcpy(hostname, "localhost", MAXHOSTNAMELEN);
637 		(void) gethostname(hostname, MAXHOSTNAMELEN);
638 
639 		priority = (tdiff > 2) ? LOG_NOTICE : LOG_DEBUG;
640 		syslog(priority, "DC [%s] clock skew detected: %u minutes",
641 		    server, tdiff);
642 
643 		tm = gmtime(&dc_tv.tv_sec);
644 		syslog(priority, "%-8s  UTC: %s", server, asctime(tm));
645 		tm = gmtime(&tnow);
646 		syslog(priority, "%-8s  UTC: %s", hostname, asctime(tm));
647 	}
648 }
649