[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Tue Apr 23 17:30:02 UTC 2024


The branch, master has been updated
       via  daf6d371f36 s3:rpc_client: implement bind time feature negotiation
       via  713a8022573 s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context
       via  6548ccb31bf s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()
       via  0cc0970d359 dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()
      from  2674df4cc0e s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit daf6d371f3639cbd64f9ac9f8a3be5b7d37393a7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 19 01:22:17 2024 +0200

    s3:rpc_client: implement bind time feature negotiation
    
    This is not strictly needed as we don't use any of the
    optional features yet.
    
    But it will make it easier to add bind time features we'll
    actually use later.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Apr 23 17:29:55 UTC 2024 on atb-devel-224

commit 713a8022573a1b917422d888e4bb901539d20a91
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 19 01:17:46 2024 +0200

    s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context
    
    We should fail if we didn't get DCERPC_BIND_ACK_RESULT_ACCEPTANCE.
    
    It's also not needed to require a single array element.
    
    We already checked above that we have at least one.
    
    The next patch will add bind time feature negotiation
    and that means we'll have 2 array elements...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6548ccb31bfefdfa5d4ddd14ced900c64a68224e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 19 01:15:52 2024 +0200

    s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()
    
    This prepares adding bind time feature negotiation in the next commits.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0cc0970d359f6521b1621c87149291c597f4b0d6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 13 15:43:05 2015 +0200

    dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()
    
    dcerpc_ncacn_push_auth() already calls dcerpc_set_frag_length().
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 librpc/rpc/dcesrv_reply.c       |  2 --
 source3/rpc_client/cli_pipe.c   | 49 +++++++++++++++++++++++++++++++----------
 source3/rpc_client/rpc_client.h |  7 ++++++
 3 files changed, 44 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/rpc/dcesrv_reply.c b/librpc/rpc/dcesrv_reply.c
index 6d605168176..4890169c98b 100644
--- a/librpc/rpc/dcesrv_reply.c
+++ b/librpc/rpc/dcesrv_reply.c
@@ -130,8 +130,6 @@ NTSTATUS dcesrv_fault_with_flags(struct dcesrv_call_state *call,
 		return status;
 	}
 
-	dcerpc_set_frag_length(&rep->blob, rep->blob.length);
-
 	DLIST_ADD_END(call->replies, rep);
 	dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
 
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index b4289e9d35d..cf551f6f548 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1130,17 +1130,28 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
 {
 	uint16_t auth_len = auth_info->length;
 	NTSTATUS status;
-	struct dcerpc_ctx_list ctx_list = {
-		.context_id = 0,
-		.num_transfer_syntaxes = 1,
-		.abstract_syntax = *abstract,
-		.transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer),
+	struct ndr_syntax_id bind_time_features = dcerpc_construct_bind_time_features(
+			DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING |
+			DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN);
+	struct dcerpc_ctx_list ctx_list[2] = {
+		[0] = {
+			.context_id = 0,
+			.num_transfer_syntaxes = 1,
+			.abstract_syntax = *abstract,
+			.transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer),
+		},
+		[1] = {
+			.context_id = 1,
+			.num_transfer_syntaxes = 1,
+			.abstract_syntax = *abstract,
+			.transfer_syntaxes = &bind_time_features,
+		},
 	};
 	union dcerpc_payload u = {
 		.bind.max_xmit_frag	= RPC_MAX_PDU_FRAG_LEN,
 		.bind.max_recv_frag	= RPC_MAX_PDU_FRAG_LEN,
-		.bind.num_contexts	= 1,
-		.bind.ctx_list		= &ctx_list,
+		.bind.num_contexts	= ptype == DCERPC_PKT_BIND ? 2 : 1,
+		.bind.ctx_list		= ctx_list,
 		.bind.auth_info		= *auth_info,
 	};
 	uint8_t pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
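Review bot: Nothing in this hunk explains the second presentation context in `ctx_list[1]`. It advertises DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING and DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN although the commit message says the client uses neither yet, and it is sent only when `ptype == DCERPC_PKT_BIND`. I would add a comment above the array such as `/* context 1 carries the bind time feature request; it is sent only on the initial bind, not on alter_context */`. I would also write the count as `ptype == DCERPC_PKT_BIND ? ARRAY_SIZE(ctx_list) : 1` so the literal cannot drift from the array size. The body of create_bind_or_alt_ctx_internal() starts before and continues after this hunk.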
@@ -1656,8 +1667,9 @@ static NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ct
 ****************************************************************************/
 
 static bool check_bind_response(const struct dcerpc_bind_ack *r,
-				const struct ndr_syntax_id *transfer)
+				struct rpc_pipe_client *cli)
 {
+	const struct ndr_syntax_id *transfer = &cli->transfer_syntax;
 	struct dcerpc_ack_ctx ctx;
 	bool equal;
 
@@ -1678,9 +1690,22 @@ static bool check_bind_response(const struct dcerpc_bind_ack *r,
 		return False;
 	}
 
-	if (r->num_results != 0x1 || ctx.result != 0) {
-		DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
-		          r->num_results, ctx.reason.value));
+	if (ctx.result != DCERPC_BIND_ACK_RESULT_ACCEPTANCE) {
+		DBG_NOTICE("bind denied result: %d reason: %x\n",
+			   ctx.result, ctx.reason.value);
+		return false;
+	}
+
+	if (r->num_results >= 2) {
+		const struct dcerpc_ack_ctx *neg = &r->ctx_list[1];
+
+		if (neg->result == DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK) {
+			cli->bind_time_features = neg->reason.negotiate;
+		} else {
+			DBG_DEBUG("bind_time_feature failed - "
+				  "result: %d reason %x\n",
+				  neg->result, neg->reason.value);
+		}
 	}
 
 	DEBUG(5,("check_bind_response: accepted!\n"));
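Review bot: `cli->bind_time_features = neg->reason.negotiate;` stores a bitmask taken from the server's bind_ack without restricting it to the bits the client offered. A peer that acks features which were never requested would later appear to have negotiated them. Masking at the assignment, e.g. `cli->bind_time_features = neg->reason.negotiate & offered_features;` (name illustrative), would prevent that. The offered set is currently built inline in create_bind_or_alt_ctx_internal(), outside this hunk, so it would need to move into one shared constant. The else branch also leaves the field untouched, which is only correct if it is zero before the bind; that is worth confirming, or set it to 0 explicitly there. check_bind_response() begins in the previous hunk.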
@@ -1866,7 +1891,7 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
 		return;
 	}
 
-	if (!check_bind_response(&pkt->u.bind_ack, &state->cli->transfer_syntax)) {
+	if (!check_bind_response(&pkt->u.bind_ack, state->cli)) {
 		DEBUG(2, ("rpc_pipe_bind: check_bind_response failed.\n"));
 		tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
 		return;
diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
index f1be075fea9..55eb4dec90b 100644
--- a/source3/rpc_client/rpc_client.h
+++ b/source3/rpc_client/rpc_client.h
@@ -37,6 +37,13 @@ struct rpc_pipe_client {
 	struct rpc_cli_transport *transport;
 	struct dcerpc_binding_handle *binding_handle;
 
+	/*
+	 * This is per association_group, but
+	 * for now we only have one connection
+	 * per association_group.
+	 */
+	uint16_t bind_time_features;
+
 	struct ndr_syntax_id abstract_syntax;
 	struct ndr_syntax_id transfer_syntax;
 	bool verified_pcontext;
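Review bot: The comment on `bind_time_features` explains the field's scope but not its content or origin. A reader of the header cannot tell that it holds DCERPC_BIND_TIME_* bits copied from the server's bind_ack. I would add a line to the existing comment such as `* DCERPC_BIND_TIME_* flags acked by the server in the bind_ack; peer-supplied, check before relying on a feature.` The definition of struct rpc_pipe_client starts before and continues after this hunk.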


-- 
Samba Shared Repository


