search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
librpc/rpc: ignore invalid auth_pad_length values in BIND, ALTER and AUTH3 pdus
[Samba.git] / librpc / rpc / dcerpc_util.c
blobdf149481559e1b72caaa6397b3ff1c43737bdb9e
1 /*
2 Unix SMB/CIFS implementation.
3 raw dcerpc operations
4
5 Copyright (C) Andrew Tridgell 2003-2005
6 Copyright (C) Jelmer Vernooij 2004-2005
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/network.h"
24 #include <tevent.h>
25 #include "lib/tsocket/tsocket.h"
26 #include "lib/util/tevent_ntstatus.h"
27 #include "librpc/rpc/dcerpc.h"
28 #include "librpc/gen_ndr/ndr_dcerpc.h"
29 #include "rpc_common.h"
30 #include "lib/util/bitmap.h"
31
32 /* we need to be able to get/set the fragment length without doing a full
33 decode */
34 void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
35 {
36 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
37 SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
38 } else {
39 RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
40 }
41 }
42
43 uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
44 {
45 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
46 return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
47 } else {
48 return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
49 }
50 }
51
52 void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
53 {
54 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
55 SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
56 } else {
57 RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
58 }
59 }
60
61 uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
62 {
63 return blob->data[DCERPC_DREP_OFFSET];
64 }
65
66
67 /**
68 * @brief Pull a dcerpc_auth structure, taking account of any auth
69 * padding in the blob. For request/response packets we pass
70 * the whole data blob, so auth_data_only must be set to false
71 * as the blob contains data+pad+auth and no just pad+auth.
72 *
73 * @param pkt - The ncacn_packet strcuture
74 * @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements
75 * @param pkt_trailer - The packet trailer data, usually the trailing
76 * auth_info blob, but in the request/response case
77 * this is the stub_and_verifier blob.
78 * @param auth - A preallocated dcerpc_auth *empty* structure
79 * @param auth_length - The length of the auth trail, sum of auth header
80 * lenght and pkt->auth_length
81 * @param auth_data_only - Whether the pkt_trailer includes only the auth_blob
82 * (+ padding) or also other data.
83 *
84 * @return - A NTSTATUS error code.
85 */
86 NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
87 TALLOC_CTX *mem_ctx,
88 const DATA_BLOB *pkt_trailer,
89 struct dcerpc_auth *auth,
90 uint32_t *_auth_length,
91 bool auth_data_only)
92 {
93 struct ndr_pull *ndr;
94 enum ndr_err_code ndr_err;
95 uint16_t data_and_pad;
96 uint16_t auth_length;
97 uint32_t tmp_length;
98 uint32_t max_pad_len = 0;
99
100 ZERO_STRUCTP(auth);
101 if (_auth_length != NULL) {
102 *_auth_length = 0;
103
104 if (auth_data_only) {
105 return NT_STATUS_INTERNAL_ERROR;
106 }
107 } else {
108 if (!auth_data_only) {
109 return NT_STATUS_INTERNAL_ERROR;
110 }
111 }
112
113 /* Paranoia checks for auth_length. The caller should check this... */
114 if (pkt->auth_length == 0) {
115 return NT_STATUS_INTERNAL_ERROR;
116 }
117
118 /* Paranoia checks for auth_length. The caller should check this... */
119 if (pkt->auth_length > pkt->frag_length) {
120 return NT_STATUS_INTERNAL_ERROR;
121 }
122 tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
123 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
124 tmp_length += pkt->auth_length;
125 if (tmp_length > pkt->frag_length) {
126 return NT_STATUS_INTERNAL_ERROR;
127 }
128 if (pkt_trailer->length > UINT16_MAX) {
129 return NT_STATUS_INTERNAL_ERROR;
130 }
131
132 auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
133 if (pkt_trailer->length < auth_length) {
134 return NT_STATUS_RPC_PROTOCOL_ERROR;
135 }
136
137 data_and_pad = pkt_trailer->length - auth_length;
138
139 ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
140 if (!ndr) {
141 return NT_STATUS_NO_MEMORY;
142 }
143
144 if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
145 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
146 }
147
148 ndr_err = ndr_pull_advance(ndr, data_and_pad);
149 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
150 talloc_free(ndr);
151 return ndr_map_error2ntstatus(ndr_err);
152 }
153
154 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
155 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
156 talloc_free(ndr);
157 ZERO_STRUCTP(auth);
158 return ndr_map_error2ntstatus(ndr_err);
159 }
160
161 /*
162 * Make sure the padding would not exceed
163 * the frag_length.
164 *
165 * Here we assume at least 24 bytes for the
166 * payload specific header the value of
167 * DCERPC_{REQUEST,RESPONSE}_LENGTH.
168 *
169 * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
170 *
171 * We need this check before we ignore possible
172 * invalid values. See also bug #11982.
173 *
174 * This check is mainly used to generate the correct
175 * error for BIND_*, ALTER_* and AUTH3 pdus.
176 *
177 * We always have the 'if (data_and_pad < auth->auth_pad_length)'
178 * protection for REQUEST and RESPONSE pdus, where the
179 * auth_pad_length field is actually used by the caller.
180 */
181 tmp_length = DCERPC_REQUEST_LENGTH;
182 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
183 tmp_length += pkt->auth_length;
184 if (tmp_length < pkt->frag_length) {
185 max_pad_len = pkt->frag_length - tmp_length;
186 }
187 if (max_pad_len < auth->auth_pad_length) {
188 DEBUG(1, (__location__ ": ERROR: pad length to large. "
189 "max %u got %u\n",
190 (unsigned)max_pad_len,
191 (unsigned)auth->auth_pad_length));
192 talloc_free(ndr);
193 ZERO_STRUCTP(auth);
194 return NT_STATUS_RPC_PROTOCOL_ERROR;
195 }
196
197 /*
198 * This is a workarround for a bug in old
199 * Samba releases. For BIND_ACK <= 3.5.x
200 * and for ALTER_RESP <= 4.2.x (see bug #11061)
201 *
202 * See also bug #11982.
203 */
204 if (auth_data_only && data_and_pad == 0 &&
205 auth->auth_pad_length > 0) {
206 /*
207 * we need to ignore invalid auth_pad_length
208 * values for BIND_*, ALTER_* and AUTH3 pdus.
209 */
210 auth->auth_pad_length = 0;
211 }
212
213 if (data_and_pad < auth->auth_pad_length) {
214 DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
215 "Calculated %u got %u\n",
216 (unsigned)data_and_pad,
217 (unsigned)auth->auth_pad_length));
218 talloc_free(ndr);
219 ZERO_STRUCTP(auth);
220 return NT_STATUS_RPC_PROTOCOL_ERROR;
221 }
222
223 if (auth_data_only && data_and_pad != auth->auth_pad_length) {
224 DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
225 "Calculated %u got %u\n",
226 (unsigned)data_and_pad,
227 (unsigned)auth->auth_pad_length));
228 talloc_free(ndr);
229 ZERO_STRUCTP(auth);
230 return NT_STATUS_RPC_PROTOCOL_ERROR;
231 }
232
233 DEBUG(6,(__location__ ": auth_pad_length %u\n",
234 (unsigned)auth->auth_pad_length));
235
236 talloc_steal(mem_ctx, auth->credentials.data);
237 talloc_free(ndr);
238
239 if (_auth_length != NULL) {
240 *_auth_length = auth_length;
241 }
242
243 return NT_STATUS_OK;
244 }
245
246 /**
247 * @brief Verify the fields in ncacn_packet header.
248 *
249 * @param pkt - The ncacn_packet strcuture
250 * @param ptype - The expected PDU type
251 * @param max_auth_info - The maximum size of a possible auth trailer
252 * @param required_flags - The required flags for the pdu.
253 * @param optional_flags - The possible optional flags for the pdu.
254 *
255 * @return - A NTSTATUS error code.
256 */
257 NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
258 enum dcerpc_pkt_type ptype,
259 size_t max_auth_info,
260 uint8_t required_flags,
261 uint8_t optional_flags)
262 {
263 if (pkt->rpc_vers != 5) {
264 return NT_STATUS_RPC_PROTOCOL_ERROR;
265 }
266
267 if (pkt->rpc_vers_minor != 0) {
268 return NT_STATUS_RPC_PROTOCOL_ERROR;
269 }
270
271 if (pkt->auth_length > pkt->frag_length) {
272 return NT_STATUS_RPC_PROTOCOL_ERROR;
273 }
274
275 if (pkt->ptype != ptype) {
276 return NT_STATUS_RPC_PROTOCOL_ERROR;
277 }
278
279 if (max_auth_info > UINT16_MAX) {
280 return NT_STATUS_INTERNAL_ERROR;
281 }
282
283 if (pkt->auth_length > 0) {
284 size_t max_auth_length;
285
286 if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
287 return NT_STATUS_RPC_PROTOCOL_ERROR;
288 }
289 max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
290
291 if (pkt->auth_length > max_auth_length) {
292 return NT_STATUS_RPC_PROTOCOL_ERROR;
293 }
294 }
295
296 if ((pkt->pfc_flags & required_flags) != required_flags) {
297 return NT_STATUS_RPC_PROTOCOL_ERROR;
298 }
299 if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
300 return NT_STATUS_RPC_PROTOCOL_ERROR;
301 }
302
303 if (pkt->drep[0] & ~DCERPC_DREP_LE) {
304 return NT_STATUS_RPC_PROTOCOL_ERROR;
305 }
306 if (pkt->drep[1] != 0) {
307 return NT_STATUS_RPC_PROTOCOL_ERROR;
308 }
309 if (pkt->drep[2] != 0) {
310 return NT_STATUS_RPC_PROTOCOL_ERROR;
311 }
312 if (pkt->drep[3] != 0) {
313 return NT_STATUS_RPC_PROTOCOL_ERROR;
314 }
315
316 return NT_STATUS_OK;
317 }
318
319 struct dcerpc_read_ncacn_packet_state {
320 #if 0
321 struct {
322 } caller;
323 #endif
324 DATA_BLOB buffer;
325 struct ncacn_packet *pkt;
326 };
327
328 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
329 void *private_data,
330 TALLOC_CTX *mem_ctx,
331 struct iovec **_vector,
332 size_t *_count);
333 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq);
334
335 struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
336 struct tevent_context *ev,
337 struct tstream_context *stream)
338 {
339 struct tevent_req *req;
340 struct dcerpc_read_ncacn_packet_state *state;
341 struct tevent_req *subreq;
342
343 req = tevent_req_create(mem_ctx, &state,
344 struct dcerpc_read_ncacn_packet_state);
345 if (req == NULL) {
346 return NULL;
347 }
348
349 state->buffer = data_blob_const(NULL, 0);
350 state->pkt = talloc(state, struct ncacn_packet);
351 if (tevent_req_nomem(state->pkt, req)) {
352 goto post;
353 }
354
355 subreq = tstream_readv_pdu_send(state, ev,
356 stream,
357 dcerpc_read_ncacn_packet_next_vector,
358 state);
359 if (tevent_req_nomem(subreq, req)) {
360 goto post;
361 }
362 tevent_req_set_callback(subreq, dcerpc_read_ncacn_packet_done, req);
363
364 return req;
365 post:
366 tevent_req_post(req, ev);
367 return req;
368 }
369
370 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
371 void *private_data,
372 TALLOC_CTX *mem_ctx,
373 struct iovec **_vector,
374 size_t *_count)
375 {
376 struct dcerpc_read_ncacn_packet_state *state =
377 talloc_get_type_abort(private_data,
378 struct dcerpc_read_ncacn_packet_state);
379 struct iovec *vector;
380 off_t ofs = 0;
381
382 if (state->buffer.length == 0) {
383 /*
384 * first get enough to read the fragment length
385 *
386 * We read the full fixed ncacn_packet header
387 * in order to make wireshark happy with
388 * pcap files from socket_wrapper.
389 */
390 ofs = 0;
391 state->buffer.length = DCERPC_NCACN_PAYLOAD_OFFSET;
392 state->buffer.data = talloc_array(state, uint8_t,
393 state->buffer.length);
394 if (!state->buffer.data) {
395 return -1;
396 }
397 } else if (state->buffer.length == DCERPC_NCACN_PAYLOAD_OFFSET) {
398 /* now read the fragment length and allocate the full buffer */
399 size_t frag_len = dcerpc_get_frag_length(&state->buffer);
400
401 ofs = state->buffer.length;
402
403 if (frag_len < ofs) {
404 /*
405 * something is wrong, let the caller deal with it
406 */
407 *_vector = NULL;
408 *_count = 0;
409 return 0;
410 }
411
412 state->buffer.data = talloc_realloc(state,
413 state->buffer.data,
414 uint8_t, frag_len);
415 if (!state->buffer.data) {
416 return -1;
417 }
418 state->buffer.length = frag_len;
419 } else {
420 /* if we reach this we have a full fragment */
421 *_vector = NULL;
422 *_count = 0;
423 return 0;
424 }
425
426 /* now create the vector that we want to be filled */
427 vector = talloc_array(mem_ctx, struct iovec, 1);
428 if (!vector) {
429 return -1;
430 }
431
432 vector[0].iov_base = (void *) (state->buffer.data + ofs);
433 vector[0].iov_len = state->buffer.length - ofs;
434
435 *_vector = vector;
436 *_count = 1;
437 return 0;
438 }
439
440 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
441 {
442 struct tevent_req *req = tevent_req_callback_data(subreq,
443 struct tevent_req);
444 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
445 struct dcerpc_read_ncacn_packet_state);
446 int ret;
447 int sys_errno;
448 struct ndr_pull *ndr;
449 enum ndr_err_code ndr_err;
450 NTSTATUS status;
451
452 ret = tstream_readv_pdu_recv(subreq, &sys_errno);
453 TALLOC_FREE(subreq);
454 if (ret == -1) {
455 status = map_nt_error_from_unix_common(sys_errno);
456 tevent_req_nterror(req, status);
457 return;
458 }
459
460 ndr = ndr_pull_init_blob(&state->buffer, state->pkt);
461 if (tevent_req_nomem(ndr, req)) {
462 return;
463 }
464
465 if (!(CVAL(ndr->data, DCERPC_DREP_OFFSET) & DCERPC_DREP_LE)) {
466 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
467 }
468
469 if (CVAL(ndr->data, DCERPC_PFC_OFFSET) & DCERPC_PFC_FLAG_OBJECT_UUID) {
470 ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
471 }
472
473 ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, state->pkt);
474 TALLOC_FREE(ndr);
475 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
476 status = ndr_map_error2ntstatus(ndr_err);
477 tevent_req_nterror(req, status);
478 return;
479 }
480
481 if (state->pkt->frag_length != state->buffer.length) {
482 tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
483 return;
484 }
485
486 tevent_req_done(req);
487 }
488
489 NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
490 TALLOC_CTX *mem_ctx,
491 struct ncacn_packet **pkt,
492 DATA_BLOB *buffer)
493 {
494 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
495 struct dcerpc_read_ncacn_packet_state);
496 NTSTATUS status;
497
498 if (tevent_req_is_nterror(req, &status)) {
499 tevent_req_received(req);
500 return status;
501 }
502
503 *pkt = talloc_move(mem_ctx, &state->pkt);
504 if (buffer) {
505 buffer->data = talloc_move(mem_ctx, &state->buffer.data);
506 buffer->length = state->buffer.length;
507 }
508
509 tevent_req_received(req);
510 return NT_STATUS_OK;
511 }
512
513 const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
514 enum dcerpc_transport_t transport,
515 const struct ndr_interface_table *table)
516 {
517 NTSTATUS status;
518 const char *p = NULL;
519 const char *endpoint = NULL;
520 int i;
521 struct dcerpc_binding *default_binding = NULL;
522 TALLOC_CTX *frame = talloc_stackframe();
523
524 /* Find one of the default pipes for this interface */
525
526 for (i = 0; i < table->endpoints->count; i++) {
527 enum dcerpc_transport_t dtransport;
528 const char *dendpoint;
529
530 status = dcerpc_parse_binding(frame, table->endpoints->names[i],
531 &default_binding);
532 if (!NT_STATUS_IS_OK(status)) {
533 continue;
534 }
535
536 dtransport = dcerpc_binding_get_transport(default_binding);
537 dendpoint = dcerpc_binding_get_string_option(default_binding,
538 "endpoint");
539 if (dendpoint == NULL) {
540 TALLOC_FREE(default_binding);
541 continue;
542 }
543
544 if (transport == NCA_UNKNOWN) {
545 transport = dtransport;
546 }
547
548 if (transport != dtransport) {
549 TALLOC_FREE(default_binding);
550 continue;
551 }
552
553 p = dendpoint;
554 break;
555 }
556
557 if (p == NULL) {
558 goto done;
559 }
560
561 /*
562 * extract the pipe name without \\pipe from for example
563 * ncacn_np:[\\pipe\\epmapper]
564 */
565 if (transport == NCACN_NP) {
566 if (strncasecmp(p, "\\pipe\\", 6) == 0) {
567 p += 6;
568 }
569 if (strncmp(p, "\\", 1) == 0) {
570 p += 1;
571 }
572 }
573
574 endpoint = talloc_strdup(mem_ctx, p);
575
576 done:
577 talloc_free(frame);
578 return endpoint;
579 }
580
581 struct dcerpc_sec_vt_header2 dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet *pkt)
582 {
583 struct dcerpc_sec_vt_header2 ret;
584
585 ZERO_STRUCT(ret);
586 ret.ptype = pkt->ptype;
587 memcpy(&ret.drep, pkt->drep, sizeof(ret.drep));
588 ret.call_id = pkt->call_id;
589
590 switch (pkt->ptype) {
591 case DCERPC_PKT_REQUEST:
592 ret.context_id = pkt->u.request.context_id;
593 ret.opnum = pkt->u.request.opnum;
594 break;
595
596 case DCERPC_PKT_RESPONSE:
597 ret.context_id = pkt->u.response.context_id;
598 break;
599
600 case DCERPC_PKT_FAULT:
601 ret.context_id = pkt->u.fault.context_id;
602 break;
603
604 default:
605 break;
606 }
607
608 return ret;
609 }
610
611 bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2 *v1,
612 const struct dcerpc_sec_vt_header2 *v2)
613 {
614 if (v1->ptype != v2->ptype) {
615 return false;
616 }
617
618 if (memcmp(v1->drep, v2->drep, sizeof(v1->drep)) != 0) {
619 return false;
620 }
621
622 if (v1->call_id != v2->call_id) {
623 return false;
624 }
625
626 if (v1->context_id != v2->context_id) {
627 return false;
628 }
629
630 if (v1->opnum != v2->opnum) {
631 return false;
632 }
633
634 return true;
635 }
636
637 static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer *r)
638 {
639 bool ret = false;
640 TALLOC_CTX *frame = talloc_stackframe();
641 struct bitmap *commands_seen;
642 int i;
643
644 if (r->count.count == 0) {
645 ret = true;
646 goto done;
647 }
648
649 if (memcmp(r->magic, DCERPC_SEC_VT_MAGIC, sizeof(r->magic)) != 0) {
650 goto done;
651 }
652
653 commands_seen = bitmap_talloc(frame, DCERPC_SEC_VT_COMMAND_ENUM + 1);
654 if (commands_seen == NULL) {
655 goto done;
656 }
657
658 for (i=0; i < r->count.count; i++) {
659 enum dcerpc_sec_vt_command_enum cmd =
660 r->commands[i].command & DCERPC_SEC_VT_COMMAND_ENUM;
661
662 if (bitmap_query(commands_seen, cmd)) {
663 /* Each command must appear at most once. */
664 goto done;
665 }
666 bitmap_set(commands_seen, cmd);
667
668 switch (cmd) {
669 case DCERPC_SEC_VT_COMMAND_BITMASK1:
670 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
671 case DCERPC_SEC_VT_COMMAND_HEADER2:
672 break;
673 default:
674 if ((r->commands[i].u._unknown.length % 4) != 0) {
675 goto done;
676 }
677 break;
678 }
679 }
680 ret = true;
681 done:
682 TALLOC_FREE(frame);
683 return ret;
684 }
685
686 static bool dcerpc_sec_vt_bitmask_check(const uint32_t *bitmask1,
687 struct dcerpc_sec_vt *c)
688 {
689 if (bitmask1 == NULL) {
690 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
691 DEBUG(10, ("SEC_VT check Bitmask1 must_process_command "
692 "failed\n"));
693 return false;
694 }
695
696 return true;
697 }
698
699 if ((c->u.bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING)
700 && (!(*bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING))) {
701 DEBUG(10, ("SEC_VT check Bitmask1 client_header_signing "
702 "failed\n"));
703 return false;
704 }
705 return true;
706 }
707
708 static bool dcerpc_sec_vt_pctx_check(const struct dcerpc_sec_vt_pcontext *pcontext,
709 struct dcerpc_sec_vt *c)
710 {
711 TALLOC_CTX *mem_ctx;
712 bool ok;
713
714 if (pcontext == NULL) {
715 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
716 DEBUG(10, ("SEC_VT check Pcontext must_process_command "
717 "failed\n"));
718 return false;
719 }
720
721 return true;
722 }
723
724 mem_ctx = talloc_stackframe();
725 ok = ndr_syntax_id_equal(&pcontext->abstract_syntax,
726 &c->u.pcontext.abstract_syntax);
727 if (!ok) {
728 DEBUG(10, ("SEC_VT check pcontext abstract_syntax failed: "
729 "%s vs. %s\n",
730 ndr_syntax_id_to_string(mem_ctx,
731 &pcontext->abstract_syntax),
732 ndr_syntax_id_to_string(mem_ctx,
733 &c->u.pcontext.abstract_syntax)));
734 goto err_ctx_free;
735 }
736 ok = ndr_syntax_id_equal(&pcontext->transfer_syntax,
737 &c->u.pcontext.transfer_syntax);
738 if (!ok) {
739 DEBUG(10, ("SEC_VT check pcontext transfer_syntax failed: "
740 "%s vs. %s\n",
741 ndr_syntax_id_to_string(mem_ctx,
742 &pcontext->transfer_syntax),
743 ndr_syntax_id_to_string(mem_ctx,
744 &c->u.pcontext.transfer_syntax)));
745 goto err_ctx_free;
746 }
747
748 ok = true;
749 err_ctx_free:
750 talloc_free(mem_ctx);
751 return ok;
752 }
753
754 static bool dcerpc_sec_vt_hdr2_check(const struct dcerpc_sec_vt_header2 *header2,
755 struct dcerpc_sec_vt *c)
756 {
757 if (header2 == NULL) {
758 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
759 DEBUG(10, ("SEC_VT check Header2 must_process_command failed\n"));
760 return false;
761 }
762
763 return true;
764 }
765
766 if (!dcerpc_sec_vt_header2_equal(header2, &c->u.header2)) {
767 DEBUG(10, ("SEC_VT check Header2 failed\n"));
768 return false;
769 }
770
771 return true;
772 }
773
774 bool dcerpc_sec_verification_trailer_check(
775 const struct dcerpc_sec_verification_trailer *vt,
776 const uint32_t *bitmask1,
777 const struct dcerpc_sec_vt_pcontext *pcontext,
778 const struct dcerpc_sec_vt_header2 *header2)
779 {
780 size_t i;
781
782 if (!dcerpc_sec_vt_is_valid(vt)) {
783 return false;
784 }
785
786 for (i=0; i < vt->count.count; i++) {
787 bool ok;
788 struct dcerpc_sec_vt *c = &vt->commands[i];
789
790 switch (c->command & DCERPC_SEC_VT_COMMAND_ENUM) {
791 case DCERPC_SEC_VT_COMMAND_BITMASK1:
792 ok = dcerpc_sec_vt_bitmask_check(bitmask1, c);
793 if (!ok) {
794 return false;
795 }
796 break;
797
798 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
799 ok = dcerpc_sec_vt_pctx_check(pcontext, c);
800 if (!ok) {
801 return false;
802 }
803 break;
804
805 case DCERPC_SEC_VT_COMMAND_HEADER2: {
806 ok = dcerpc_sec_vt_hdr2_check(header2, c);
807 if (!ok) {
808 return false;
809 }
810 break;
811 }
812
813 default:
814 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
815 DEBUG(10, ("SEC_VT check Unknown must_process_command failed\n"));
816 return false;
817 }
818
819 break;
820 }
821 }
822
823 return true;
824 }
825
826 static const struct ndr_syntax_id dcerpc_bind_time_features_prefix = {
827 .uuid = {
828 .time_low = 0x6cb71c2c,
829 .time_mid = 0x9812,
830 .time_hi_and_version = 0x4540,
831 .clock_seq = {0x00, 0x00},
832 .node = {0x00,0x00,0x00,0x00,0x00,0x00}
833 },
834 .if_version = 1,
835 };
836
837 bool dcerpc_extract_bind_time_features(struct ndr_syntax_id s, uint64_t *_features)
838 {
839 uint8_t values[8];
840 uint64_t features = 0;
841
842 values[0] = s.uuid.clock_seq[0];
843 values[1] = s.uuid.clock_seq[1];
844 values[2] = s.uuid.node[0];
845 values[3] = s.uuid.node[1];
846 values[4] = s.uuid.node[2];
847 values[5] = s.uuid.node[3];
848 values[6] = s.uuid.node[4];
849 values[7] = s.uuid.node[5];
850
851 ZERO_STRUCT(s.uuid.clock_seq);
852 ZERO_STRUCT(s.uuid.node);
853
854 if (!ndr_syntax_id_equal(&s, &dcerpc_bind_time_features_prefix)) {
855 if (_features != NULL) {
856 *_features = 0;
857 }
858 return false;
859 }
860
861 features = BVAL(values, 0);
862
863 if (_features != NULL) {
864 *_features = features;
865 }
866
867 return true;
868 }
869
870 struct ndr_syntax_id dcerpc_construct_bind_time_features(uint64_t features)
871 {
872 struct ndr_syntax_id s = dcerpc_bind_time_features_prefix;
873 uint8_t values[8];
874
875 SBVAL(values, 0, features);
876
877 s.uuid.clock_seq[0] = values[0];
878 s.uuid.clock_seq[1] = values[1];
879 s.uuid.node[0] = values[2];
880 s.uuid.node[1] = values[3];
881 s.uuid.node[2] = values[4];
882 s.uuid.node[3] = values[5];
883 s.uuid.node[4] = values[6];
884 s.uuid.node[5] = values[7];
885
886 return s;
887 }
Samba GIT mirror