search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine...
[Samba.git] / librpc / rpc / dcerpc_util.c
blob66b38a4acf2a1ecf27d09b72b01b38c9694ebcf3
1 /*
2 Unix SMB/CIFS implementation.
3 raw dcerpc operations
4
5 Copyright (C) Andrew Tridgell 2003-2005
6 Copyright (C) Jelmer Vernooij 2004-2005
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/network.h"
24 #include <tevent.h>
25 #include "lib/tsocket/tsocket.h"
26 #include "lib/util/util_file.h"
27 #include "lib/util/tevent_ntstatus.h"
28 #include "librpc/rpc/dcerpc.h"
29 #include "librpc/rpc/dcerpc_util.h"
30 #include "librpc/gen_ndr/ndr_dcerpc.h"
31 #include "rpc_common.h"
32 #include "lib/util/bitmap.h"
33
34 #undef strncasecmp
35
36 /* we need to be able to get/set the fragment length without doing a full
37 decode */
38 void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
39 {
40 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
41
42 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
43 SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
44 } else {
45 RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
46 }
47 }
48
49 uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
50 {
51 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
52
53 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
54 return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
55 } else {
56 return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
57 }
58 }
59
60 void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
61 {
62 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
63
64 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
65 SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
66 } else {
67 RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
68 }
69 }
70
71 uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
72 {
73 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
74
75 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
76 return SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
77 } else {
78 return RSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
79 }
80 }
81
82 uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
83 {
84 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
85
86 return blob->data[DCERPC_DREP_OFFSET];
87 }
88
89 static uint16_t dcerpc_get_auth_context_offset(const DATA_BLOB *blob)
90 {
91 uint16_t frag_len = dcerpc_get_frag_length(blob);
92 uint16_t auth_len = dcerpc_get_auth_length(blob);
93 uint16_t min_offset;
94 uint16_t offset;
95
96 if (auth_len == 0) {
97 return 0;
98 }
99
100 if (frag_len > blob->length) {
101 return 0;
102 }
103
104 if (auth_len > frag_len) {
105 return 0;
106 }
107
108 min_offset = DCERPC_NCACN_PAYLOAD_OFFSET + DCERPC_AUTH_TRAILER_LENGTH;
109 offset = frag_len - auth_len;
110 if (offset < min_offset) {
111 return 0;
112 }
113 offset -= DCERPC_AUTH_TRAILER_LENGTH;
114
115 return offset;
116 }
117
118 uint8_t dcerpc_get_auth_type(const DATA_BLOB *blob)
119 {
120 uint16_t offset;
121
122 offset = dcerpc_get_auth_context_offset(blob);
123 if (offset == 0) {
124 return 0;
125 }
126
127 /*
128 * auth_typw is in the 1st byte
129 * of the auth trailer
130 */
131 offset += 0;
132
133 return blob->data[offset];
134 }
135
136 uint8_t dcerpc_get_auth_level(const DATA_BLOB *blob)
137 {
138 uint16_t offset;
139
140 offset = dcerpc_get_auth_context_offset(blob);
141 if (offset == 0) {
142 return 0;
143 }
144
145 /*
146 * auth_level is in 2nd byte
147 * of the auth trailer
148 */
149 offset += 1;
150
151 return blob->data[offset];
152 }
153
154 uint32_t dcerpc_get_auth_context_id(const DATA_BLOB *blob)
155 {
156 uint16_t offset;
157
158 offset = dcerpc_get_auth_context_offset(blob);
159 if (offset == 0) {
160 return 0;
161 }
162
163 /*
164 * auth_context_id is in the last 4 byte
165 * of the auth trailer
166 */
167 offset += 4;
168
169 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
170 return IVAL(blob->data, offset);
171 } else {
172 return RIVAL(blob->data, offset);
173 }
174 }
175
176 /**
177 * @brief Decodes a ncacn_packet
178 *
179 * @param mem_ctx The memory context on which to allocate the packet
180 * elements
181 * @param blob The blob of data to decode
182 * @param r An empty ncacn_packet, must not be NULL
183 *
184 * @return a NTSTATUS error code
185 */
186 NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
187 const DATA_BLOB *blob,
188 struct ncacn_packet *r)
189 {
190 enum ndr_err_code ndr_err;
191 struct ndr_pull *ndr;
192
193 ndr = ndr_pull_init_blob(blob, mem_ctx);
194 if (!ndr) {
195 return NT_STATUS_NO_MEMORY;
196 }
197
198 ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r);
199
200 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
201 talloc_free(ndr);
202 return ndr_map_error2ntstatus(ndr_err);
203 }
204 talloc_free(ndr);
205
206 if (r->frag_length != blob->length) {
207 return NT_STATUS_RPC_PROTOCOL_ERROR;
208 }
209
210 return NT_STATUS_OK;
211 }
212
213 /**
214 * @brief Pull a dcerpc_auth structure, taking account of any auth
215 * padding in the blob. For request/response packets we pass
216 * the whole data blob, so auth_data_only must be set to false
217 * as the blob contains data+pad+auth and no just pad+auth.
218 *
219 * @param pkt - The ncacn_packet structure
220 * @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements
221 * @param pkt_trailer - The packet trailer data, usually the trailing
222 * auth_info blob, but in the request/response case
223 * this is the stub_and_verifier blob.
224 * @param auth - A preallocated dcerpc_auth *empty* structure
225 * @param auth_length - The length of the auth trail, sum of auth header
226 * length and pkt->auth_length
227 * @param auth_data_only - Whether the pkt_trailer includes only the auth_blob
228 * (+ padding) or also other data.
229 *
230 * @return - A NTSTATUS error code.
231 */
232 NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
233 TALLOC_CTX *mem_ctx,
234 const DATA_BLOB *pkt_trailer,
235 struct dcerpc_auth *auth,
236 uint32_t *_auth_length,
237 bool auth_data_only)
238 {
239 struct ndr_pull *ndr;
240 enum ndr_err_code ndr_err;
241 uint16_t data_and_pad;
242 uint16_t auth_length;
243 uint32_t tmp_length;
244 uint32_t max_pad_len = 0;
245
246 ZERO_STRUCTP(auth);
247 if (_auth_length != NULL) {
248 *_auth_length = 0;
249
250 if (auth_data_only) {
251 return NT_STATUS_INTERNAL_ERROR;
252 }
253 } else {
254 if (!auth_data_only) {
255 return NT_STATUS_INTERNAL_ERROR;
256 }
257 }
258
259 /* Paranoia checks for auth_length. The caller should check this... */
260 if (pkt->auth_length == 0) {
261 return NT_STATUS_INTERNAL_ERROR;
262 }
263
264 /* Paranoia checks for auth_length. The caller should check this... */
265 if (pkt->auth_length > pkt->frag_length) {
266 return NT_STATUS_INTERNAL_ERROR;
267 }
268 tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
269 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
270 tmp_length += pkt->auth_length;
271 if (tmp_length > pkt->frag_length) {
272 return NT_STATUS_INTERNAL_ERROR;
273 }
274 if (pkt_trailer->length > UINT16_MAX) {
275 return NT_STATUS_INTERNAL_ERROR;
276 }
277
278 auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
279 if (pkt_trailer->length < auth_length) {
280 return NT_STATUS_RPC_PROTOCOL_ERROR;
281 }
282
283 data_and_pad = pkt_trailer->length - auth_length;
284
285 ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
286 if (!ndr) {
287 return NT_STATUS_NO_MEMORY;
288 }
289
290 if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
291 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
292 }
293
294 ndr_err = ndr_pull_advance(ndr, data_and_pad);
295 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
296 talloc_free(ndr);
297 return ndr_map_error2ntstatus(ndr_err);
298 }
299
300 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
301 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
302 talloc_free(ndr);
303 ZERO_STRUCTP(auth);
304 return ndr_map_error2ntstatus(ndr_err);
305 }
306
307 /*
308 * Make sure the padding would not exceed
309 * the frag_length.
310 *
311 * Here we assume at least 24 bytes for the
312 * payload specific header the value of
313 * DCERPC_{REQUEST,RESPONSE}_LENGTH.
314 *
315 * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
316 *
317 * We need this check before we ignore possible
318 * invalid values. See also bug #11982.
319 *
320 * This check is mainly used to generate the correct
321 * error for BIND_*, ALTER_* and AUTH3 pdus.
322 *
323 * We always have the 'if (data_and_pad < auth->auth_pad_length)'
324 * protection for REQUEST and RESPONSE pdus, where the
325 * auth_pad_length field is actually used by the caller.
326 */
327 tmp_length = DCERPC_REQUEST_LENGTH;
328 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
329 tmp_length += pkt->auth_length;
330 if (tmp_length < pkt->frag_length) {
331 max_pad_len = pkt->frag_length - tmp_length;
332 }
333 if (max_pad_len < auth->auth_pad_length) {
334 DEBUG(1, (__location__ ": ERROR: pad length too large. "
335 "max %"PRIu32" got %"PRIu8"\n",
336 max_pad_len,
337 auth->auth_pad_length));
338 talloc_free(ndr);
339 ZERO_STRUCTP(auth);
340 return NT_STATUS_RPC_PROTOCOL_ERROR;
341 }
342
343 /*
344 * This is a workaround for a bug in old
345 * Samba releases. For BIND_ACK <= 3.5.x
346 * and for ALTER_RESP <= 4.2.x (see bug #11061)
347 *
348 * See also bug #11982.
349 */
350 if (auth_data_only && data_and_pad == 0 &&
351 auth->auth_pad_length > 0) {
352 /*
353 * we need to ignore invalid auth_pad_length
354 * values for BIND_*, ALTER_* and AUTH3 pdus.
355 */
356 auth->auth_pad_length = 0;
357 }
358
359 if (data_and_pad < auth->auth_pad_length) {
360 DBG_WARNING(__location__ ": ERROR: pad length too long. "
361 "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
362 "was less than auth_pad_length=%"PRIu8"\n",
363 data_and_pad,
364 pkt_trailer->length,
365 auth_length,
366 auth->auth_pad_length);
367 talloc_free(ndr);
368 ZERO_STRUCTP(auth);
369 return NT_STATUS_RPC_PROTOCOL_ERROR;
370 }
371
372 if (auth_data_only && data_and_pad > auth->auth_pad_length) {
373 DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
374 "Client sent a longer BIND packet than expected by %"PRIu16" bytes "
375 "(pkt_trailer->length=%zu - auth_length=%"PRIu16") "
376 "= %"PRIu16" auth_pad_length=%"PRIu8"\n",
377 data_and_pad - auth->auth_pad_length,
378 pkt_trailer->length,
379 auth_length,
380 data_and_pad,
381 auth->auth_pad_length);
382 talloc_free(ndr);
383 ZERO_STRUCTP(auth);
384 return NT_STATUS_RPC_PROTOCOL_ERROR;
385 }
386
387 if (auth_data_only && data_and_pad != auth->auth_pad_length) {
388 DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
389 "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
390 "but auth_pad_length=%"PRIu8"\n",
391 data_and_pad,
392 pkt_trailer->length,
393 auth_length,
394 auth->auth_pad_length);
395 talloc_free(ndr);
396 ZERO_STRUCTP(auth);
397 return NT_STATUS_RPC_PROTOCOL_ERROR;
398 }
399
400 DBG_DEBUG("auth_pad_length %"PRIu8"\n",
401 auth->auth_pad_length);
402
403 talloc_steal(mem_ctx, auth->credentials.data);
404 talloc_free(ndr);
405
406 if (_auth_length != NULL) {
407 *_auth_length = auth_length;
408 }
409
410 return NT_STATUS_OK;
411 }
412
413 /**
414 * @brief Verify the fields in ncacn_packet header.
415 *
416 * @param pkt - The ncacn_packet structure
417 * @param ptype - The expected PDU type
418 * @param max_auth_info - The maximum size of a possible auth trailer
419 * @param required_flags - The required flags for the pdu.
420 * @param optional_flags - The possible optional flags for the pdu.
421 *
422 * @return - A NTSTATUS error code.
423 */
424 NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
425 enum dcerpc_pkt_type ptype,
426 size_t max_auth_info,
427 uint8_t required_flags,
428 uint8_t optional_flags)
429 {
430 if (pkt->rpc_vers != 5) {
431 return NT_STATUS_RPC_PROTOCOL_ERROR;
432 }
433
434 if (pkt->rpc_vers_minor != 0) {
435 return NT_STATUS_RPC_PROTOCOL_ERROR;
436 }
437
438 if (pkt->auth_length > pkt->frag_length) {
439 return NT_STATUS_RPC_PROTOCOL_ERROR;
440 }
441
442 if (pkt->ptype != ptype) {
443 return NT_STATUS_RPC_PROTOCOL_ERROR;
444 }
445
446 if (max_auth_info > UINT16_MAX) {
447 return NT_STATUS_INTERNAL_ERROR;
448 }
449
450 if (pkt->auth_length > 0) {
451 size_t max_auth_length;
452
453 if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
454 return NT_STATUS_RPC_PROTOCOL_ERROR;
455 }
456 max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
457
458 if (pkt->auth_length > max_auth_length) {
459 return NT_STATUS_RPC_PROTOCOL_ERROR;
460 }
461 }
462
463 if ((pkt->pfc_flags & required_flags) != required_flags) {
464 return NT_STATUS_RPC_PROTOCOL_ERROR;
465 }
466 if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
467 return NT_STATUS_RPC_PROTOCOL_ERROR;
468 }
469
470 if (pkt->drep[0] & ~DCERPC_DREP_LE) {
471 return NT_STATUS_RPC_PROTOCOL_ERROR;
472 }
473 if (pkt->drep[1] != 0) {
474 return NT_STATUS_RPC_PROTOCOL_ERROR;
475 }
476 if (pkt->drep[2] != 0) {
477 return NT_STATUS_RPC_PROTOCOL_ERROR;
478 }
479 if (pkt->drep[3] != 0) {
480 return NT_STATUS_RPC_PROTOCOL_ERROR;
481 }
482
483 return NT_STATUS_OK;
484 }
485
486 struct dcerpc_read_ncacn_packet_state {
487 #if 0
488 struct {
489 } caller;
490 #endif
491 DATA_BLOB buffer;
492 struct ncacn_packet *pkt;
493 };
494
495 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
496 void *private_data,
497 TALLOC_CTX *mem_ctx,
498 struct iovec **_vector,
499 size_t *_count);
500 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq);
501
502 struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
503 struct tevent_context *ev,
504 struct tstream_context *stream)
505 {
506 struct tevent_req *req;
507 struct dcerpc_read_ncacn_packet_state *state;
508 struct tevent_req *subreq;
509
510 req = tevent_req_create(mem_ctx, &state,
511 struct dcerpc_read_ncacn_packet_state);
512 if (req == NULL) {
513 return NULL;
514 }
515
516 state->pkt = talloc_zero(state, struct ncacn_packet);
517 if (tevent_req_nomem(state->pkt, req)) {
518 goto post;
519 }
520
521 subreq = tstream_readv_pdu_send(state, ev,
522 stream,
523 dcerpc_read_ncacn_packet_next_vector,
524 state);
525 if (tevent_req_nomem(subreq, req)) {
526 goto post;
527 }
528 tevent_req_set_callback(subreq, dcerpc_read_ncacn_packet_done, req);
529
530 return req;
531 post:
532 tevent_req_post(req, ev);
533 return req;
534 }
535
536 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
537 void *private_data,
538 TALLOC_CTX *mem_ctx,
539 struct iovec **_vector,
540 size_t *_count)
541 {
542 struct dcerpc_read_ncacn_packet_state *state =
543 talloc_get_type_abort(private_data,
544 struct dcerpc_read_ncacn_packet_state);
545 struct iovec *vector;
546 off_t ofs = 0;
547
548 if (state->buffer.length == 0) {
549 /*
550 * first get enough to read the fragment length
551 *
552 * We read the full fixed ncacn_packet header
553 * in order to make wireshark happy with
554 * pcap files from socket_wrapper.
555 */
556 ofs = 0;
557 state->buffer.length = DCERPC_NCACN_PAYLOAD_OFFSET;
558 state->buffer.data = talloc_array(state, uint8_t,
559 state->buffer.length);
560 if (!state->buffer.data) {
561 return -1;
562 }
563 } else if (state->buffer.length == DCERPC_NCACN_PAYLOAD_OFFSET) {
564 /* now read the fragment length and allocate the full buffer */
565 size_t frag_len = dcerpc_get_frag_length(&state->buffer);
566
567 ofs = state->buffer.length;
568
569 if (frag_len <= ofs) {
570 /*
571 * With frag_len == ofs, we are done, this is likely
572 * a DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
573 * without any payload.
574 *
575 * Otherwise it's a broken packet and we
576 * let the caller deal with it.
577 */
578 *_vector = NULL;
579 *_count = 0;
580 return 0;
581 }
582
583 state->buffer.data = talloc_realloc(state,
584 state->buffer.data,
585 uint8_t, frag_len);
586 if (!state->buffer.data) {
587 return -1;
588 }
589 state->buffer.length = frag_len;
590 } else {
591 /* if we reach this we have a full fragment */
592 *_vector = NULL;
593 *_count = 0;
594 return 0;
595 }
596
597 /* now create the vector that we want to be filled */
598 vector = talloc_array(mem_ctx, struct iovec, 1);
599 if (!vector) {
600 return -1;
601 }
602
603 vector[0].iov_base = (void *) (state->buffer.data + ofs);
604 vector[0].iov_len = state->buffer.length - ofs;
605
606 *_vector = vector;
607 *_count = 1;
608 return 0;
609 }
610
611 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
612 {
613 struct tevent_req *req = tevent_req_callback_data(subreq,
614 struct tevent_req);
615 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
616 struct dcerpc_read_ncacn_packet_state);
617 int ret;
618 int sys_errno;
619 NTSTATUS status;
620
621 ret = tstream_readv_pdu_recv(subreq, &sys_errno);
622 TALLOC_FREE(subreq);
623 if (ret == -1) {
624 status = map_nt_error_from_unix_common(sys_errno);
625 tevent_req_nterror(req, status);
626 return;
627 }
628
629 status = dcerpc_pull_ncacn_packet(state->pkt,
630 &state->buffer,
631 state->pkt);
632 if (tevent_req_nterror(req, status)) {
633 return;
634 }
635
636 tevent_req_done(req);
637 }
638
639 NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
640 TALLOC_CTX *mem_ctx,
641 struct ncacn_packet **pkt,
642 DATA_BLOB *buffer)
643 {
644 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
645 struct dcerpc_read_ncacn_packet_state);
646 NTSTATUS status;
647
648 if (tevent_req_is_nterror(req, &status)) {
649 tevent_req_received(req);
650 return status;
651 }
652
653 *pkt = talloc_move(mem_ctx, &state->pkt);
654 if (buffer) {
655 buffer->data = talloc_move(mem_ctx, &state->buffer.data);
656 buffer->length = state->buffer.length;
657 }
658
659 tevent_req_received(req);
660 return NT_STATUS_OK;
661 }
662
663 const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
664 enum dcerpc_transport_t transport,
665 const struct ndr_interface_table *table)
666 {
667 NTSTATUS status;
668 const char *p = NULL;
669 const char *endpoint = NULL;
670 uint32_t i;
671 struct dcerpc_binding *default_binding = NULL;
672 TALLOC_CTX *frame = talloc_stackframe();
673
674 /* Find one of the default pipes for this interface */
675
676 for (i = 0; i < table->endpoints->count; i++) {
677 enum dcerpc_transport_t dtransport;
678 const char *dendpoint;
679
680 status = dcerpc_parse_binding(frame, table->endpoints->names[i],
681 &default_binding);
682 if (!NT_STATUS_IS_OK(status)) {
683 continue;
684 }
685
686 dtransport = dcerpc_binding_get_transport(default_binding);
687 dendpoint = dcerpc_binding_get_string_option(default_binding,
688 "endpoint");
689 if (dendpoint == NULL) {
690 TALLOC_FREE(default_binding);
691 continue;
692 }
693
694 if (transport == NCA_UNKNOWN) {
695 transport = dtransport;
696 }
697
698 if (transport != dtransport) {
699 TALLOC_FREE(default_binding);
700 continue;
701 }
702
703 p = dendpoint;
704 break;
705 }
706
707 if (p == NULL) {
708 goto done;
709 }
710
711 /*
712 * extract the pipe name without \\pipe from for example
713 * ncacn_np:[\\pipe\\epmapper]
714 */
715 if (transport == NCACN_NP) {
716 if (strncasecmp(p, "\\pipe\\", 6) == 0) {
717 p += 6;
718 }
719 if (p[0] == '\\') {
720 p += 1;
721 }
722 }
723
724 endpoint = talloc_strdup(mem_ctx, p);
725
726 done:
727 talloc_free(frame);
728 return endpoint;
729 }
730
731 struct dcerpc_sec_vt_header2 dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet *pkt)
732 {
733 struct dcerpc_sec_vt_header2 ret;
734
735 ZERO_STRUCT(ret);
736 ret.ptype = pkt->ptype;
737 memcpy(&ret.drep, pkt->drep, sizeof(ret.drep));
738 ret.call_id = pkt->call_id;
739
740 switch (pkt->ptype) {
741 case DCERPC_PKT_REQUEST:
742 ret.context_id = pkt->u.request.context_id;
743 ret.opnum = pkt->u.request.opnum;
744 break;
745
746 case DCERPC_PKT_RESPONSE:
747 ret.context_id = pkt->u.response.context_id;
748 break;
749
750 case DCERPC_PKT_FAULT:
751 ret.context_id = pkt->u.fault.context_id;
752 break;
753
754 default:
755 break;
756 }
757
758 return ret;
759 }
760
761 bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2 *v1,
762 const struct dcerpc_sec_vt_header2 *v2)
763 {
764 if (v1->ptype != v2->ptype) {
765 return false;
766 }
767
768 if (memcmp(v1->drep, v2->drep, sizeof(v1->drep)) != 0) {
769 return false;
770 }
771
772 if (v1->call_id != v2->call_id) {
773 return false;
774 }
775
776 if (v1->context_id != v2->context_id) {
777 return false;
778 }
779
780 if (v1->opnum != v2->opnum) {
781 return false;
782 }
783
784 return true;
785 }
786
787 static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer *r)
788 {
789 bool ret = false;
790 TALLOC_CTX *frame = talloc_stackframe();
791 struct bitmap *commands_seen;
792 int i;
793
794 if (r->count.count == 0) {
795 ret = true;
796 goto done;
797 }
798
799 if (memcmp(r->magic, DCERPC_SEC_VT_MAGIC, sizeof(r->magic)) != 0) {
800 goto done;
801 }
802
803 commands_seen = bitmap_talloc(frame, DCERPC_SEC_VT_COMMAND_ENUM + 1);
804 if (commands_seen == NULL) {
805 goto done;
806 }
807
808 for (i=0; i < r->count.count; i++) {
809 enum dcerpc_sec_vt_command_enum cmd =
810 r->commands[i].command & DCERPC_SEC_VT_COMMAND_ENUM;
811
812 if (bitmap_query(commands_seen, cmd)) {
813 /* Each command must appear at most once. */
814 goto done;
815 }
816 bitmap_set(commands_seen, cmd);
817
818 switch (cmd) {
819 case DCERPC_SEC_VT_COMMAND_BITMASK1:
820 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
821 case DCERPC_SEC_VT_COMMAND_HEADER2:
822 break;
823 default:
824 if ((r->commands[i].u._unknown.length % 4) != 0) {
825 goto done;
826 }
827 break;
828 }
829 }
830 ret = true;
831 done:
832 TALLOC_FREE(frame);
833 return ret;
834 }
835
836 static bool dcerpc_sec_vt_bitmask_check(const uint32_t *bitmask1,
837 struct dcerpc_sec_vt *c)
838 {
839 if (bitmask1 == NULL) {
840 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
841 DEBUG(10, ("SEC_VT check Bitmask1 must_process_command "
842 "failed\n"));
843 return false;
844 }
845
846 return true;
847 }
848
849 if ((c->u.bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING)
850 && (!(*bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING))) {
851 DEBUG(10, ("SEC_VT check Bitmask1 client_header_signing "
852 "failed\n"));
853 return false;
854 }
855 return true;
856 }
857
858 static bool dcerpc_sec_vt_pctx_check(const struct dcerpc_sec_vt_pcontext *pcontext,
859 struct dcerpc_sec_vt *c)
860 {
861 bool ok;
862
863 if (pcontext == NULL) {
864 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
865 DEBUG(10, ("SEC_VT check Pcontext must_process_command "
866 "failed\n"));
867 return false;
868 }
869
870 return true;
871 }
872
873 ok = ndr_syntax_id_equal(&pcontext->abstract_syntax,
874 &c->u.pcontext.abstract_syntax);
875 if (!ok) {
876 struct ndr_syntax_id_buf buf1, buf2;
877 DEBUG(10, ("SEC_VT check pcontext abstract_syntax failed: "
878 "%s vs. %s\n",
879 ndr_syntax_id_buf_string(
880 &pcontext->abstract_syntax, &buf1),
881 ndr_syntax_id_buf_string(
882 &c->u.pcontext.abstract_syntax, &buf2)));
883 return false;
884 }
885 ok = ndr_syntax_id_equal(&pcontext->transfer_syntax,
886 &c->u.pcontext.transfer_syntax);
887 if (!ok) {
888 struct ndr_syntax_id_buf buf1, buf2;
889 DEBUG(10, ("SEC_VT check pcontext transfer_syntax failed: "
890 "%s vs. %s\n",
891 ndr_syntax_id_buf_string(
892 &pcontext->transfer_syntax, &buf1),
893 ndr_syntax_id_buf_string(
894 &c->u.pcontext.transfer_syntax, &buf2)));
895 return false;
896 }
897
898 return true;
899 }
900
901 static bool dcerpc_sec_vt_hdr2_check(const struct dcerpc_sec_vt_header2 *header2,
902 struct dcerpc_sec_vt *c)
903 {
904 if (header2 == NULL) {
905 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
906 DEBUG(10, ("SEC_VT check Header2 must_process_command failed\n"));
907 return false;
908 }
909
910 return true;
911 }
912
913 if (!dcerpc_sec_vt_header2_equal(header2, &c->u.header2)) {
914 DEBUG(10, ("SEC_VT check Header2 failed\n"));
915 return false;
916 }
917
918 return true;
919 }
920
921 bool dcerpc_sec_verification_trailer_check(
922 const struct dcerpc_sec_verification_trailer *vt,
923 const uint32_t *bitmask1,
924 const struct dcerpc_sec_vt_pcontext *pcontext,
925 const struct dcerpc_sec_vt_header2 *header2)
926 {
927 size_t i;
928
929 if (!dcerpc_sec_vt_is_valid(vt)) {
930 return false;
931 }
932
933 for (i=0; i < vt->count.count; i++) {
934 bool ok;
935 struct dcerpc_sec_vt *c = &vt->commands[i];
936
937 switch (c->command & DCERPC_SEC_VT_COMMAND_ENUM) {
938 case DCERPC_SEC_VT_COMMAND_BITMASK1:
939 ok = dcerpc_sec_vt_bitmask_check(bitmask1, c);
940 if (!ok) {
941 return false;
942 }
943 break;
944
945 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
946 ok = dcerpc_sec_vt_pctx_check(pcontext, c);
947 if (!ok) {
948 return false;
949 }
950 break;
951
952 case DCERPC_SEC_VT_COMMAND_HEADER2: {
953 ok = dcerpc_sec_vt_hdr2_check(header2, c);
954 if (!ok) {
955 return false;
956 }
957 break;
958 }
959
960 default:
961 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
962 DEBUG(10, ("SEC_VT check Unknown must_process_command failed\n"));
963 return false;
964 }
965
966 break;
967 }
968 }
969
970 return true;
971 }
972
973 static const struct ndr_syntax_id dcerpc_bind_time_features_prefix = {
974 .uuid = {
975 .time_low = 0x6cb71c2c,
976 .time_mid = 0x9812,
977 .time_hi_and_version = 0x4540,
978 .clock_seq = {0x00, 0x00},
979 .node = {0x00,0x00,0x00,0x00,0x00,0x00}
980 },
981 .if_version = 1,
982 };
983
984 bool dcerpc_extract_bind_time_features(struct ndr_syntax_id s, uint64_t *_features)
985 {
986 uint8_t values[8];
987 uint64_t features = 0;
988
989 values[0] = s.uuid.clock_seq[0];
990 values[1] = s.uuid.clock_seq[1];
991 values[2] = s.uuid.node[0];
992 values[3] = s.uuid.node[1];
993 values[4] = s.uuid.node[2];
994 values[5] = s.uuid.node[3];
995 values[6] = s.uuid.node[4];
996 values[7] = s.uuid.node[5];
997
998 ZERO_STRUCT(s.uuid.clock_seq);
999 ZERO_STRUCT(s.uuid.node);
1000
1001 if (!ndr_syntax_id_equal(&s, &dcerpc_bind_time_features_prefix)) {
1002 if (_features != NULL) {
1003 *_features = 0;
1004 }
1005 return false;
1006 }
1007
1008 features = BVAL(values, 0);
1009
1010 if (_features != NULL) {
1011 *_features = features;
1012 }
1013
1014 return true;
1015 }
1016
1017 struct ndr_syntax_id dcerpc_construct_bind_time_features(uint64_t features)
1018 {
1019 struct ndr_syntax_id s = dcerpc_bind_time_features_prefix;
1020 uint8_t values[8];
1021
1022 SBVAL(values, 0, features);
1023
1024 s.uuid.clock_seq[0] = values[0];
1025 s.uuid.clock_seq[1] = values[1];
1026 s.uuid.node[0] = values[2];
1027 s.uuid.node[1] = values[3];
1028 s.uuid.node[2] = values[4];
1029 s.uuid.node[3] = values[5];
1030 s.uuid.node[4] = values[6];
1031 s.uuid.node[5] = values[7];
1032
1033 return s;
1034 }
1035
1036 NTSTATUS dcerpc_generic_session_key(DATA_BLOB *session_key)
1037 {
1038 *session_key = data_blob_null;
1039
1040 /* this took quite a few CPU cycles to find ... */
1041 session_key->data = discard_const_p(unsigned char, "SystemLibraryDTC");
1042 session_key->length = 16;
1043 return NT_STATUS_OK;
1044 }
1045
1046 /*
1047 push a ncacn_packet into a blob, potentially with auth info
1048 */
1049 NTSTATUS dcerpc_ncacn_push_auth(DATA_BLOB *blob,
1050 TALLOC_CTX *mem_ctx,
1051 struct ncacn_packet *pkt,
1052 struct dcerpc_auth *auth_info)
1053 {
1054 struct ndr_push *ndr;
1055 enum ndr_err_code ndr_err;
1056
1057 ndr = ndr_push_init_ctx(mem_ctx);
1058 if (!ndr) {
1059 return NT_STATUS_NO_MEMORY;
1060 }
1061
1062 if (auth_info) {
1063 pkt->auth_length = auth_info->credentials.length;
1064 } else {
1065 pkt->auth_length = 0;
1066 }
1067
1068 ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
1069 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1070 return ndr_map_error2ntstatus(ndr_err);
1071 }
1072
1073 if (auth_info) {
1074 #if 0
1075 /* the s3 rpc server doesn't handle auth padding in
1076 bind requests. Use zero auth padding to keep us
1077 working with old servers */
1078 uint32_t offset = ndr->offset;
1079 ndr_err = ndr_push_align(ndr, 16);
1080 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1081 return ndr_map_error2ntstatus(ndr_err);
1082 }
1083 auth_info->auth_pad_length = ndr->offset - offset;
1084 #else
1085 auth_info->auth_pad_length = 0;
1086 #endif
1087 ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth_info);
1088 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1089 return ndr_map_error2ntstatus(ndr_err);
1090 }
1091 }
1092
1093 *blob = ndr_push_blob(ndr);
1094
1095 /* fill in the frag length */
1096 dcerpc_set_frag_length(blob, blob->length);
1097
1098 return NT_STATUS_OK;
1099 }
1100
1101 /*
1102 log a rpc packet in a format suitable for ndrdump. This is especially useful
1103 for sealed packets, where ethereal cannot easily see the contents
1104
1105 this triggers if "dcesrv:stubs directory" is set and present
1106 for all packets that fail to parse
1107 */
1108 void dcerpc_log_packet(const char *packet_log_dir,
1109 const char *interface_name,
1110 uint32_t opnum, ndr_flags_type flags,
1111 const DATA_BLOB *pkt,
1112 const char *why)
1113 {
1114 const int num_examples = 20;
1115 int i;
1116
1117 if (packet_log_dir == NULL) {
1118 return;
1119 }
1120
1121 for (i=0;i<num_examples;i++) {
1122 char *name=NULL;
1123 int ret;
1124 bool saved;
1125 ret = asprintf(&name, "%s/%s-%"PRIu32".%d.%s.%s",
1126 packet_log_dir, interface_name, opnum, i,
1127 (flags&NDR_IN)?"in":"out",
1128 why);
1129 if (ret == -1) {
1130 return;
1131 }
1132
1133 saved = file_save(name, pkt->data, pkt->length);
1134 if (saved) {
1135 DBG_DEBUG("Logged rpc packet to %s\n", name);
1136 free(name);
1137 break;
1138 }
1139 free(name);
1140 }
1141 }
Samba GIT mirror