search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
nbt_server: Factor out nbtd_node_status_reply_packet
[Samba.git] / librpc / rpc / dcerpc_util.c
blob0808131dd145a648d9103193759b361b71a4b0f4
1 /*
2 Unix SMB/CIFS implementation.
3 raw dcerpc operations
4
5 Copyright (C) Andrew Tridgell 2003-2005
6 Copyright (C) Jelmer Vernooij 2004-2005
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/network.h"
24 #include <tevent.h>
25 #include "lib/tsocket/tsocket.h"
26 #include "lib/util/tevent_ntstatus.h"
27 #include "librpc/rpc/dcerpc.h"
28 #include "librpc/gen_ndr/ndr_dcerpc.h"
29 #include "rpc_common.h"
30 #include "lib/util/bitmap.h"
31 #include "auth/gensec/gensec.h"
32
33 /* we need to be able to get/set the fragment length without doing a full
34 decode */
35 void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
36 {
37 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
38 SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
39 } else {
40 RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
41 }
42 }
43
44 uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
45 {
46 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
47 return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
48 } else {
49 return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
50 }
51 }
52
53 void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
54 {
55 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
56 SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
57 } else {
58 RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
59 }
60 }
61
62 uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
63 {
64 return blob->data[DCERPC_DREP_OFFSET];
65 }
66
67 /**
68 * @brief Decodes a ncacn_packet
69 *
70 * @param mem_ctx The memory context on which to allocate the packet
71 * elements
72 * @param blob The blob of data to decode
73 * @param r An empty ncacn_packet, must not be NULL
74 *
75 * @return a NTSTATUS error code
76 */
77 NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
78 const DATA_BLOB *blob,
79 struct ncacn_packet *r)
80 {
81 enum ndr_err_code ndr_err;
82 struct ndr_pull *ndr;
83
84 ndr = ndr_pull_init_blob(blob, mem_ctx);
85 if (!ndr) {
86 return NT_STATUS_NO_MEMORY;
87 }
88
89 ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r);
90
91 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
92 talloc_free(ndr);
93 return ndr_map_error2ntstatus(ndr_err);
94 }
95 talloc_free(ndr);
96
97 if (r->frag_length != blob->length) {
98 return NT_STATUS_RPC_PROTOCOL_ERROR;
99 }
100
101 return NT_STATUS_OK;
102 }
103
104 /**
105 * @brief Pull a dcerpc_auth structure, taking account of any auth
106 * padding in the blob. For request/response packets we pass
107 * the whole data blob, so auth_data_only must be set to false
108 * as the blob contains data+pad+auth and no just pad+auth.
109 *
110 * @param pkt - The ncacn_packet strcuture
111 * @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements
112 * @param pkt_trailer - The packet trailer data, usually the trailing
113 * auth_info blob, but in the request/response case
114 * this is the stub_and_verifier blob.
115 * @param auth - A preallocated dcerpc_auth *empty* structure
116 * @param auth_length - The length of the auth trail, sum of auth header
117 * lenght and pkt->auth_length
118 * @param auth_data_only - Whether the pkt_trailer includes only the auth_blob
119 * (+ padding) or also other data.
120 *
121 * @return - A NTSTATUS error code.
122 */
123 NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
124 TALLOC_CTX *mem_ctx,
125 const DATA_BLOB *pkt_trailer,
126 struct dcerpc_auth *auth,
127 uint32_t *_auth_length,
128 bool auth_data_only)
129 {
130 struct ndr_pull *ndr;
131 enum ndr_err_code ndr_err;
132 uint16_t data_and_pad;
133 uint16_t auth_length;
134 uint32_t tmp_length;
135 uint32_t max_pad_len = 0;
136
137 ZERO_STRUCTP(auth);
138 if (_auth_length != NULL) {
139 *_auth_length = 0;
140
141 if (auth_data_only) {
142 return NT_STATUS_INTERNAL_ERROR;
143 }
144 } else {
145 if (!auth_data_only) {
146 return NT_STATUS_INTERNAL_ERROR;
147 }
148 }
149
150 /* Paranoia checks for auth_length. The caller should check this... */
151 if (pkt->auth_length == 0) {
152 return NT_STATUS_INTERNAL_ERROR;
153 }
154
155 /* Paranoia checks for auth_length. The caller should check this... */
156 if (pkt->auth_length > pkt->frag_length) {
157 return NT_STATUS_INTERNAL_ERROR;
158 }
159 tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
160 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
161 tmp_length += pkt->auth_length;
162 if (tmp_length > pkt->frag_length) {
163 return NT_STATUS_INTERNAL_ERROR;
164 }
165 if (pkt_trailer->length > UINT16_MAX) {
166 return NT_STATUS_INTERNAL_ERROR;
167 }
168
169 auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
170 if (pkt_trailer->length < auth_length) {
171 return NT_STATUS_RPC_PROTOCOL_ERROR;
172 }
173
174 data_and_pad = pkt_trailer->length - auth_length;
175
176 ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
177 if (!ndr) {
178 return NT_STATUS_NO_MEMORY;
179 }
180
181 if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
182 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
183 }
184
185 ndr_err = ndr_pull_advance(ndr, data_and_pad);
186 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
187 talloc_free(ndr);
188 return ndr_map_error2ntstatus(ndr_err);
189 }
190
191 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
192 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
193 talloc_free(ndr);
194 ZERO_STRUCTP(auth);
195 return ndr_map_error2ntstatus(ndr_err);
196 }
197
198 /*
199 * Make sure the padding would not exceed
200 * the frag_length.
201 *
202 * Here we assume at least 24 bytes for the
203 * payload specific header the value of
204 * DCERPC_{REQUEST,RESPONSE}_LENGTH.
205 *
206 * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
207 *
208 * We need this check before we ignore possible
209 * invalid values. See also bug #11982.
210 *
211 * This check is mainly used to generate the correct
212 * error for BIND_*, ALTER_* and AUTH3 pdus.
213 *
214 * We always have the 'if (data_and_pad < auth->auth_pad_length)'
215 * protection for REQUEST and RESPONSE pdus, where the
216 * auth_pad_length field is actually used by the caller.
217 */
218 tmp_length = DCERPC_REQUEST_LENGTH;
219 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
220 tmp_length += pkt->auth_length;
221 if (tmp_length < pkt->frag_length) {
222 max_pad_len = pkt->frag_length - tmp_length;
223 }
224 if (max_pad_len < auth->auth_pad_length) {
225 DEBUG(1, (__location__ ": ERROR: pad length to large. "
226 "max %u got %u\n",
227 (unsigned)max_pad_len,
228 (unsigned)auth->auth_pad_length));
229 talloc_free(ndr);
230 ZERO_STRUCTP(auth);
231 return NT_STATUS_RPC_PROTOCOL_ERROR;
232 }
233
234 /*
235 * This is a workarround for a bug in old
236 * Samba releases. For BIND_ACK <= 3.5.x
237 * and for ALTER_RESP <= 4.2.x (see bug #11061)
238 *
239 * See also bug #11982.
240 */
241 if (auth_data_only && data_and_pad == 0 &&
242 auth->auth_pad_length > 0) {
243 /*
244 * we need to ignore invalid auth_pad_length
245 * values for BIND_*, ALTER_* and AUTH3 pdus.
246 */
247 auth->auth_pad_length = 0;
248 }
249
250 if (data_and_pad < auth->auth_pad_length) {
251 DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
252 "Calculated %u got %u\n",
253 (unsigned)data_and_pad,
254 (unsigned)auth->auth_pad_length));
255 talloc_free(ndr);
256 ZERO_STRUCTP(auth);
257 return NT_STATUS_RPC_PROTOCOL_ERROR;
258 }
259
260 if (auth_data_only && data_and_pad != auth->auth_pad_length) {
261 DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
262 "Calculated %u got %u\n",
263 (unsigned)data_and_pad,
264 (unsigned)auth->auth_pad_length));
265 talloc_free(ndr);
266 ZERO_STRUCTP(auth);
267 return NT_STATUS_RPC_PROTOCOL_ERROR;
268 }
269
270 DBG_DEBUG("auth_pad_length %u\n",
271 (unsigned)auth->auth_pad_length);
272
273 talloc_steal(mem_ctx, auth->credentials.data);
274 talloc_free(ndr);
275
276 if (_auth_length != NULL) {
277 *_auth_length = auth_length;
278 }
279
280 return NT_STATUS_OK;
281 }
282
283 /**
284 * @brief Verify the fields in ncacn_packet header.
285 *
286 * @param pkt - The ncacn_packet strcuture
287 * @param ptype - The expected PDU type
288 * @param max_auth_info - The maximum size of a possible auth trailer
289 * @param required_flags - The required flags for the pdu.
290 * @param optional_flags - The possible optional flags for the pdu.
291 *
292 * @return - A NTSTATUS error code.
293 */
294 NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
295 enum dcerpc_pkt_type ptype,
296 size_t max_auth_info,
297 uint8_t required_flags,
298 uint8_t optional_flags)
299 {
300 if (pkt->rpc_vers != 5) {
301 return NT_STATUS_RPC_PROTOCOL_ERROR;
302 }
303
304 if (pkt->rpc_vers_minor != 0) {
305 return NT_STATUS_RPC_PROTOCOL_ERROR;
306 }
307
308 if (pkt->auth_length > pkt->frag_length) {
309 return NT_STATUS_RPC_PROTOCOL_ERROR;
310 }
311
312 if (pkt->ptype != ptype) {
313 return NT_STATUS_RPC_PROTOCOL_ERROR;
314 }
315
316 if (max_auth_info > UINT16_MAX) {
317 return NT_STATUS_INTERNAL_ERROR;
318 }
319
320 if (pkt->auth_length > 0) {
321 size_t max_auth_length;
322
323 if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
324 return NT_STATUS_RPC_PROTOCOL_ERROR;
325 }
326 max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
327
328 if (pkt->auth_length > max_auth_length) {
329 return NT_STATUS_RPC_PROTOCOL_ERROR;
330 }
331 }
332
333 if ((pkt->pfc_flags & required_flags) != required_flags) {
334 return NT_STATUS_RPC_PROTOCOL_ERROR;
335 }
336 if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
337 return NT_STATUS_RPC_PROTOCOL_ERROR;
338 }
339
340 if (pkt->drep[0] & ~DCERPC_DREP_LE) {
341 return NT_STATUS_RPC_PROTOCOL_ERROR;
342 }
343 if (pkt->drep[1] != 0) {
344 return NT_STATUS_RPC_PROTOCOL_ERROR;
345 }
346 if (pkt->drep[2] != 0) {
347 return NT_STATUS_RPC_PROTOCOL_ERROR;
348 }
349 if (pkt->drep[3] != 0) {
350 return NT_STATUS_RPC_PROTOCOL_ERROR;
351 }
352
353 return NT_STATUS_OK;
354 }
355
356 NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state,
357 struct gensec_security *gensec,
358 TALLOC_CTX *mem_ctx,
359 enum dcerpc_pkt_type ptype,
360 uint8_t required_flags,
361 uint8_t optional_flags,
362 uint8_t payload_offset,
363 DATA_BLOB *payload_and_verifier,
364 DATA_BLOB *raw_packet,
365 const struct ncacn_packet *pkt)
366 {
367 NTSTATUS status;
368 struct dcerpc_auth auth;
369 uint32_t auth_length;
370
371 if (auth_state == NULL) {
372 return NT_STATUS_INTERNAL_ERROR;
373 }
374
375 status = dcerpc_verify_ncacn_packet_header(pkt, ptype,
376 payload_and_verifier->length,
377 required_flags, optional_flags);
378 if (!NT_STATUS_IS_OK(status)) {
379 return status;
380 }
381
382 switch (auth_state->auth_level) {
383 case DCERPC_AUTH_LEVEL_PRIVACY:
384 case DCERPC_AUTH_LEVEL_INTEGRITY:
385 case DCERPC_AUTH_LEVEL_PACKET:
386 break;
387
388 case DCERPC_AUTH_LEVEL_CONNECT:
389 if (pkt->auth_length != 0) {
390 break;
391 }
392 return NT_STATUS_OK;
393 case DCERPC_AUTH_LEVEL_NONE:
394 if (pkt->auth_length != 0) {
395 return NT_STATUS_ACCESS_DENIED;
396 }
397 return NT_STATUS_OK;
398
399 default:
400 return NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL;
401 }
402
403 if (pkt->auth_length == 0) {
404 return NT_STATUS_RPC_PROTOCOL_ERROR;
405 }
406
407 if (gensec == NULL) {
408 return NT_STATUS_INTERNAL_ERROR;
409 }
410
411 status = dcerpc_pull_auth_trailer(pkt, mem_ctx,
412 payload_and_verifier,
413 &auth, &auth_length, false);
414 if (!NT_STATUS_IS_OK(status)) {
415 return status;
416 }
417
418 if (payload_and_verifier->length < auth_length) {
419 /*
420 * should be checked in dcerpc_pull_auth_trailer()
421 */
422 return NT_STATUS_INTERNAL_ERROR;
423 }
424
425 payload_and_verifier->length -= auth_length;
426
427 if (payload_and_verifier->length < auth.auth_pad_length) {
428 /*
429 * should be checked in dcerpc_pull_auth_trailer()
430 */
431 return NT_STATUS_INTERNAL_ERROR;
432 }
433
434 if (auth.auth_type != auth_state->auth_type) {
435 return NT_STATUS_ACCESS_DENIED;
436 }
437
438 if (auth.auth_level != auth_state->auth_level) {
439 return NT_STATUS_ACCESS_DENIED;
440 }
441
442 if (auth.auth_context_id != auth_state->auth_context_id) {
443 return NT_STATUS_ACCESS_DENIED;
444 }
445
446 /* check signature or unseal the packet */
447 switch (auth_state->auth_level) {
448 case DCERPC_AUTH_LEVEL_PRIVACY:
449 status = gensec_unseal_packet(gensec,
450 raw_packet->data + payload_offset,
451 payload_and_verifier->length,
452 raw_packet->data,
453 raw_packet->length -
454 auth.credentials.length,
455 &auth.credentials);
456 if (!NT_STATUS_IS_OK(status)) {
457 return NT_STATUS_RPC_SEC_PKG_ERROR;
458 }
459 memcpy(payload_and_verifier->data,
460 raw_packet->data + payload_offset,
461 payload_and_verifier->length);
462 break;
463
464 case DCERPC_AUTH_LEVEL_INTEGRITY:
465 case DCERPC_AUTH_LEVEL_PACKET:
466 status = gensec_check_packet(gensec,
467 payload_and_verifier->data,
468 payload_and_verifier->length,
469 raw_packet->data,
470 raw_packet->length -
471 auth.credentials.length,
472 &auth.credentials);
473 if (!NT_STATUS_IS_OK(status)) {
474 return NT_STATUS_RPC_SEC_PKG_ERROR;
475 }
476 break;
477
478 case DCERPC_AUTH_LEVEL_CONNECT:
479 /* for now we ignore possible signatures here */
480 break;
481
482 default:
483 return NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL;
484 }
485
486 /*
487 * remove the indicated amount of padding
488 *
489 * A possible overflow is checked above.
490 */
491 payload_and_verifier->length -= auth.auth_pad_length;
492
493 return NT_STATUS_OK;
494 }
495
496 NTSTATUS dcerpc_ncacn_push_pkt_auth(const struct dcerpc_auth *auth_state,
497 struct gensec_security *gensec,
498 TALLOC_CTX *mem_ctx,
499 DATA_BLOB *raw_packet,
500 size_t sig_size,
501 uint8_t payload_offset,
502 const DATA_BLOB *payload,
503 const struct ncacn_packet *pkt)
504 {
505 TALLOC_CTX *frame = talloc_stackframe();
506 NTSTATUS status;
507 enum ndr_err_code ndr_err;
508 struct ndr_push *ndr = NULL;
509 uint32_t payload_length;
510 uint32_t whole_length;
511 DATA_BLOB blob = data_blob_null;
512 DATA_BLOB sig = data_blob_null;
513 struct dcerpc_auth _out_auth_info;
514 struct dcerpc_auth *out_auth_info = NULL;
515
516 *raw_packet = data_blob_null;
517
518 if (auth_state == NULL) {
519 TALLOC_FREE(frame);
520 return NT_STATUS_INTERNAL_ERROR;
521 }
522
523 switch (auth_state->auth_level) {
524 case DCERPC_AUTH_LEVEL_PRIVACY:
525 case DCERPC_AUTH_LEVEL_INTEGRITY:
526 case DCERPC_AUTH_LEVEL_PACKET:
527 if (sig_size == 0) {
528 TALLOC_FREE(frame);
529 return NT_STATUS_INTERNAL_ERROR;
530 }
531
532 if (gensec == NULL) {
533 TALLOC_FREE(frame);
534 return NT_STATUS_INTERNAL_ERROR;
535 }
536
537 _out_auth_info = (struct dcerpc_auth) {
538 .auth_type = auth_state->auth_type,
539 .auth_level = auth_state->auth_level,
540 .auth_context_id = auth_state->auth_context_id,
541 };
542 out_auth_info = &_out_auth_info;
543 break;
544
545 case DCERPC_AUTH_LEVEL_CONNECT:
546 /*
547 * TODO: let the gensec mech decide if it wants to generate a
548 * signature that might be needed for schannel...
549 */
550 if (sig_size != 0) {
551 TALLOC_FREE(frame);
552 return NT_STATUS_INTERNAL_ERROR;
553 }
554
555 if (gensec == NULL) {
556 TALLOC_FREE(frame);
557 return NT_STATUS_INTERNAL_ERROR;
558 }
559 break;
560
561 case DCERPC_AUTH_LEVEL_NONE:
562 if (sig_size != 0) {
563 TALLOC_FREE(frame);
564 return NT_STATUS_INTERNAL_ERROR;
565 }
566 break;
567
568 default:
569 TALLOC_FREE(frame);
570 return NT_STATUS_INTERNAL_ERROR;
571 }
572
573 ndr = ndr_push_init_ctx(frame);
574 if (ndr == NULL) {
575 TALLOC_FREE(frame);
576 return NT_STATUS_NO_MEMORY;
577 }
578
579 ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
580 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
581 TALLOC_FREE(frame);
582 return ndr_map_error2ntstatus(ndr_err);
583 }
584
585 if (out_auth_info != NULL) {
586 /*
587 * pad to 16 byte multiple in the payload portion of the
588 * packet. This matches what w2k3 does. Note that we can't use
589 * ndr_push_align() as that is relative to the start of the
590 * whole packet, whereas w2k8 wants it relative to the start
591 * of the stub.
592 */
593 out_auth_info->auth_pad_length =
594 DCERPC_AUTH_PAD_LENGTH(payload->length);
595 ndr_err = ndr_push_zero(ndr, out_auth_info->auth_pad_length);
596 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
597 TALLOC_FREE(frame);
598 return ndr_map_error2ntstatus(ndr_err);
599 }
600
601 payload_length = payload->length +
602 out_auth_info->auth_pad_length;
603
604 ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS,
605 out_auth_info);
606 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
607 TALLOC_FREE(frame);
608 return ndr_map_error2ntstatus(ndr_err);
609 }
610
611 whole_length = ndr->offset;
612
613 ndr_err = ndr_push_zero(ndr, sig_size);
614 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
615 TALLOC_FREE(frame);
616 return ndr_map_error2ntstatus(ndr_err);
617 }
618 } else {
619 payload_length = payload->length;
620 whole_length = ndr->offset;
621 }
622
623 /* extract the whole packet as a blob */
624 blob = ndr_push_blob(ndr);
625
626 /*
627 * Setup the frag and auth length in the packet buffer.
628 * This is needed if the GENSEC mech does AEAD signing
629 * of the packet headers. The signature itself will be
630 * appended later.
631 */
632 dcerpc_set_frag_length(&blob, blob.length);
633 dcerpc_set_auth_length(&blob, sig_size);
634
635 /* sign or seal the packet */
636 switch (auth_state->auth_level) {
637 case DCERPC_AUTH_LEVEL_PRIVACY:
638 status = gensec_seal_packet(gensec,
639 frame,
640 blob.data + payload_offset,
641 payload_length,
642 blob.data,
643 whole_length,
644 &sig);
645 if (!NT_STATUS_IS_OK(status)) {
646 TALLOC_FREE(frame);
647 return status;
648 }
649 break;
650
651 case DCERPC_AUTH_LEVEL_INTEGRITY:
652 case DCERPC_AUTH_LEVEL_PACKET:
653 status = gensec_sign_packet(gensec,
654 frame,
655 blob.data + payload_offset,
656 payload_length,
657 blob.data,
658 whole_length,
659 &sig);
660 if (!NT_STATUS_IS_OK(status)) {
661 TALLOC_FREE(frame);
662 return status;
663 }
664 break;
665
666 case DCERPC_AUTH_LEVEL_CONNECT:
667 case DCERPC_AUTH_LEVEL_NONE:
668 break;
669
670 default:
671 TALLOC_FREE(frame);
672 return NT_STATUS_INTERNAL_ERROR;
673 }
674
675 if (sig.length != sig_size) {
676 TALLOC_FREE(frame);
677 return NT_STATUS_RPC_SEC_PKG_ERROR;
678 }
679
680 if (sig_size != 0) {
681 memcpy(blob.data + whole_length, sig.data, sig_size);
682 }
683
684 *raw_packet = blob;
685 talloc_steal(mem_ctx, raw_packet->data);
686 TALLOC_FREE(frame);
687 return NT_STATUS_OK;
688 }
689
690 struct dcerpc_read_ncacn_packet_state {
691 #if 0
692 struct {
693 } caller;
694 #endif
695 DATA_BLOB buffer;
696 struct ncacn_packet *pkt;
697 };
698
699 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
700 void *private_data,
701 TALLOC_CTX *mem_ctx,
702 struct iovec **_vector,
703 size_t *_count);
704 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq);
705
706 struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
707 struct tevent_context *ev,
708 struct tstream_context *stream)
709 {
710 struct tevent_req *req;
711 struct dcerpc_read_ncacn_packet_state *state;
712 struct tevent_req *subreq;
713
714 req = tevent_req_create(mem_ctx, &state,
715 struct dcerpc_read_ncacn_packet_state);
716 if (req == NULL) {
717 return NULL;
718 }
719
720 state->pkt = talloc_zero(state, struct ncacn_packet);
721 if (tevent_req_nomem(state->pkt, req)) {
722 goto post;
723 }
724
725 subreq = tstream_readv_pdu_send(state, ev,
726 stream,
727 dcerpc_read_ncacn_packet_next_vector,
728 state);
729 if (tevent_req_nomem(subreq, req)) {
730 goto post;
731 }
732 tevent_req_set_callback(subreq, dcerpc_read_ncacn_packet_done, req);
733
734 return req;
735 post:
736 tevent_req_post(req, ev);
737 return req;
738 }
739
740 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
741 void *private_data,
742 TALLOC_CTX *mem_ctx,
743 struct iovec **_vector,
744 size_t *_count)
745 {
746 struct dcerpc_read_ncacn_packet_state *state =
747 talloc_get_type_abort(private_data,
748 struct dcerpc_read_ncacn_packet_state);
749 struct iovec *vector;
750 off_t ofs = 0;
751
752 if (state->buffer.length == 0) {
753 /*
754 * first get enough to read the fragment length
755 *
756 * We read the full fixed ncacn_packet header
757 * in order to make wireshark happy with
758 * pcap files from socket_wrapper.
759 */
760 ofs = 0;
761 state->buffer.length = DCERPC_NCACN_PAYLOAD_OFFSET;
762 state->buffer.data = talloc_array(state, uint8_t,
763 state->buffer.length);
764 if (!state->buffer.data) {
765 return -1;
766 }
767 } else if (state->buffer.length == DCERPC_NCACN_PAYLOAD_OFFSET) {
768 /* now read the fragment length and allocate the full buffer */
769 size_t frag_len = dcerpc_get_frag_length(&state->buffer);
770
771 ofs = state->buffer.length;
772
773 if (frag_len < ofs) {
774 /*
775 * something is wrong, let the caller deal with it
776 */
777 *_vector = NULL;
778 *_count = 0;
779 return 0;
780 }
781
782 state->buffer.data = talloc_realloc(state,
783 state->buffer.data,
784 uint8_t, frag_len);
785 if (!state->buffer.data) {
786 return -1;
787 }
788 state->buffer.length = frag_len;
789 } else {
790 /* if we reach this we have a full fragment */
791 *_vector = NULL;
792 *_count = 0;
793 return 0;
794 }
795
796 /* now create the vector that we want to be filled */
797 vector = talloc_array(mem_ctx, struct iovec, 1);
798 if (!vector) {
799 return -1;
800 }
801
802 vector[0].iov_base = (void *) (state->buffer.data + ofs);
803 vector[0].iov_len = state->buffer.length - ofs;
804
805 *_vector = vector;
806 *_count = 1;
807 return 0;
808 }
809
810 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
811 {
812 struct tevent_req *req = tevent_req_callback_data(subreq,
813 struct tevent_req);
814 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
815 struct dcerpc_read_ncacn_packet_state);
816 int ret;
817 int sys_errno;
818 NTSTATUS status;
819
820 ret = tstream_readv_pdu_recv(subreq, &sys_errno);
821 TALLOC_FREE(subreq);
822 if (ret == -1) {
823 status = map_nt_error_from_unix_common(sys_errno);
824 tevent_req_nterror(req, status);
825 return;
826 }
827
828 status = dcerpc_pull_ncacn_packet(state->pkt,
829 &state->buffer,
830 state->pkt);
831 if (tevent_req_nterror(req, status)) {
832 return;
833 }
834
835 tevent_req_done(req);
836 }
837
838 NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
839 TALLOC_CTX *mem_ctx,
840 struct ncacn_packet **pkt,
841 DATA_BLOB *buffer)
842 {
843 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
844 struct dcerpc_read_ncacn_packet_state);
845 NTSTATUS status;
846
847 if (tevent_req_is_nterror(req, &status)) {
848 tevent_req_received(req);
849 return status;
850 }
851
852 *pkt = talloc_move(mem_ctx, &state->pkt);
853 if (buffer) {
854 buffer->data = talloc_move(mem_ctx, &state->buffer.data);
855 buffer->length = state->buffer.length;
856 }
857
858 tevent_req_received(req);
859 return NT_STATUS_OK;
860 }
861
862 const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
863 enum dcerpc_transport_t transport,
864 const struct ndr_interface_table *table)
865 {
866 NTSTATUS status;
867 const char *p = NULL;
868 const char *endpoint = NULL;
869 int i;
870 struct dcerpc_binding *default_binding = NULL;
871 TALLOC_CTX *frame = talloc_stackframe();
872
873 /* Find one of the default pipes for this interface */
874
875 for (i = 0; i < table->endpoints->count; i++) {
876 enum dcerpc_transport_t dtransport;
877 const char *dendpoint;
878
879 status = dcerpc_parse_binding(frame, table->endpoints->names[i],
880 &default_binding);
881 if (!NT_STATUS_IS_OK(status)) {
882 continue;
883 }
884
885 dtransport = dcerpc_binding_get_transport(default_binding);
886 dendpoint = dcerpc_binding_get_string_option(default_binding,
887 "endpoint");
888 if (dendpoint == NULL) {
889 TALLOC_FREE(default_binding);
890 continue;
891 }
892
893 if (transport == NCA_UNKNOWN) {
894 transport = dtransport;
895 }
896
897 if (transport != dtransport) {
898 TALLOC_FREE(default_binding);
899 continue;
900 }
901
902 p = dendpoint;
903 break;
904 }
905
906 if (p == NULL) {
907 goto done;
908 }
909
910 /*
911 * extract the pipe name without \\pipe from for example
912 * ncacn_np:[\\pipe\\epmapper]
913 */
914 if (transport == NCACN_NP) {
915 if (strncasecmp(p, "\\pipe\\", 6) == 0) {
916 p += 6;
917 }
918 if (strncmp(p, "\\", 1) == 0) {
919 p += 1;
920 }
921 }
922
923 endpoint = talloc_strdup(mem_ctx, p);
924
925 done:
926 talloc_free(frame);
927 return endpoint;
928 }
929
930 struct dcerpc_sec_vt_header2 dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet *pkt)
931 {
932 struct dcerpc_sec_vt_header2 ret;
933
934 ZERO_STRUCT(ret);
935 ret.ptype = pkt->ptype;
936 memcpy(&ret.drep, pkt->drep, sizeof(ret.drep));
937 ret.call_id = pkt->call_id;
938
939 switch (pkt->ptype) {
940 case DCERPC_PKT_REQUEST:
941 ret.context_id = pkt->u.request.context_id;
942 ret.opnum = pkt->u.request.opnum;
943 break;
944
945 case DCERPC_PKT_RESPONSE:
946 ret.context_id = pkt->u.response.context_id;
947 break;
948
949 case DCERPC_PKT_FAULT:
950 ret.context_id = pkt->u.fault.context_id;
951 break;
952
953 default:
954 break;
955 }
956
957 return ret;
958 }
959
960 bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2 *v1,
961 const struct dcerpc_sec_vt_header2 *v2)
962 {
963 if (v1->ptype != v2->ptype) {
964 return false;
965 }
966
967 if (memcmp(v1->drep, v2->drep, sizeof(v1->drep)) != 0) {
968 return false;
969 }
970
971 if (v1->call_id != v2->call_id) {
972 return false;
973 }
974
975 if (v1->context_id != v2->context_id) {
976 return false;
977 }
978
979 if (v1->opnum != v2->opnum) {
980 return false;
981 }
982
983 return true;
984 }
985
986 static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer *r)
987 {
988 bool ret = false;
989 TALLOC_CTX *frame = talloc_stackframe();
990 struct bitmap *commands_seen;
991 int i;
992
993 if (r->count.count == 0) {
994 ret = true;
995 goto done;
996 }
997
998 if (memcmp(r->magic, DCERPC_SEC_VT_MAGIC, sizeof(r->magic)) != 0) {
999 goto done;
1000 }
1001
1002 commands_seen = bitmap_talloc(frame, DCERPC_SEC_VT_COMMAND_ENUM + 1);
1003 if (commands_seen == NULL) {
1004 goto done;
1005 }
1006
1007 for (i=0; i < r->count.count; i++) {
1008 enum dcerpc_sec_vt_command_enum cmd =
1009 r->commands[i].command & DCERPC_SEC_VT_COMMAND_ENUM;
1010
1011 if (bitmap_query(commands_seen, cmd)) {
1012 /* Each command must appear at most once. */
1013 goto done;
1014 }
1015 bitmap_set(commands_seen, cmd);
1016
1017 switch (cmd) {
1018 case DCERPC_SEC_VT_COMMAND_BITMASK1:
1019 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
1020 case DCERPC_SEC_VT_COMMAND_HEADER2:
1021 break;
1022 default:
1023 if ((r->commands[i].u._unknown.length % 4) != 0) {
1024 goto done;
1025 }
1026 break;
1027 }
1028 }
1029 ret = true;
1030 done:
1031 TALLOC_FREE(frame);
1032 return ret;
1033 }
1034
1035 static bool dcerpc_sec_vt_bitmask_check(const uint32_t *bitmask1,
1036 struct dcerpc_sec_vt *c)
1037 {
1038 if (bitmask1 == NULL) {
1039 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
1040 DEBUG(10, ("SEC_VT check Bitmask1 must_process_command "
1041 "failed\n"));
1042 return false;
1043 }
1044
1045 return true;
1046 }
1047
1048 if ((c->u.bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING)
1049 && (!(*bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING))) {
1050 DEBUG(10, ("SEC_VT check Bitmask1 client_header_signing "
1051 "failed\n"));
1052 return false;
1053 }
1054 return true;
1055 }
1056
1057 static bool dcerpc_sec_vt_pctx_check(const struct dcerpc_sec_vt_pcontext *pcontext,
1058 struct dcerpc_sec_vt *c)
1059 {
1060 TALLOC_CTX *mem_ctx;
1061 bool ok;
1062
1063 if (pcontext == NULL) {
1064 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
1065 DEBUG(10, ("SEC_VT check Pcontext must_process_command "
1066 "failed\n"));
1067 return false;
1068 }
1069
1070 return true;
1071 }
1072
1073 mem_ctx = talloc_stackframe();
1074 ok = ndr_syntax_id_equal(&pcontext->abstract_syntax,
1075 &c->u.pcontext.abstract_syntax);
1076 if (!ok) {
1077 DEBUG(10, ("SEC_VT check pcontext abstract_syntax failed: "
1078 "%s vs. %s\n",
1079 ndr_syntax_id_to_string(mem_ctx,
1080 &pcontext->abstract_syntax),
1081 ndr_syntax_id_to_string(mem_ctx,
1082 &c->u.pcontext.abstract_syntax)));
1083 goto err_ctx_free;
1084 }
1085 ok = ndr_syntax_id_equal(&pcontext->transfer_syntax,
1086 &c->u.pcontext.transfer_syntax);
1087 if (!ok) {
1088 DEBUG(10, ("SEC_VT check pcontext transfer_syntax failed: "
1089 "%s vs. %s\n",
1090 ndr_syntax_id_to_string(mem_ctx,
1091 &pcontext->transfer_syntax),
1092 ndr_syntax_id_to_string(mem_ctx,
1093 &c->u.pcontext.transfer_syntax)));
1094 goto err_ctx_free;
1095 }
1096
1097 ok = true;
1098 err_ctx_free:
1099 talloc_free(mem_ctx);
1100 return ok;
1101 }
1102
1103 static bool dcerpc_sec_vt_hdr2_check(const struct dcerpc_sec_vt_header2 *header2,
1104 struct dcerpc_sec_vt *c)
1105 {
1106 if (header2 == NULL) {
1107 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
1108 DEBUG(10, ("SEC_VT check Header2 must_process_command failed\n"));
1109 return false;
1110 }
1111
1112 return true;
1113 }
1114
1115 if (!dcerpc_sec_vt_header2_equal(header2, &c->u.header2)) {
1116 DEBUG(10, ("SEC_VT check Header2 failed\n"));
1117 return false;
1118 }
1119
1120 return true;
1121 }
1122
1123 bool dcerpc_sec_verification_trailer_check(
1124 const struct dcerpc_sec_verification_trailer *vt,
1125 const uint32_t *bitmask1,
1126 const struct dcerpc_sec_vt_pcontext *pcontext,
1127 const struct dcerpc_sec_vt_header2 *header2)
1128 {
1129 size_t i;
1130
1131 if (!dcerpc_sec_vt_is_valid(vt)) {
1132 return false;
1133 }
1134
1135 for (i=0; i < vt->count.count; i++) {
1136 bool ok;
1137 struct dcerpc_sec_vt *c = &vt->commands[i];
1138
1139 switch (c->command & DCERPC_SEC_VT_COMMAND_ENUM) {
1140 case DCERPC_SEC_VT_COMMAND_BITMASK1:
1141 ok = dcerpc_sec_vt_bitmask_check(bitmask1, c);
1142 if (!ok) {
1143 return false;
1144 }
1145 break;
1146
1147 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
1148 ok = dcerpc_sec_vt_pctx_check(pcontext, c);
1149 if (!ok) {
1150 return false;
1151 }
1152 break;
1153
1154 case DCERPC_SEC_VT_COMMAND_HEADER2: {
1155 ok = dcerpc_sec_vt_hdr2_check(header2, c);
1156 if (!ok) {
1157 return false;
1158 }
1159 break;
1160 }
1161
1162 default:
1163 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
1164 DEBUG(10, ("SEC_VT check Unknown must_process_command failed\n"));
1165 return false;
1166 }
1167
1168 break;
1169 }
1170 }
1171
1172 return true;
1173 }
1174
1175 static const struct ndr_syntax_id dcerpc_bind_time_features_prefix = {
1176 .uuid = {
1177 .time_low = 0x6cb71c2c,
1178 .time_mid = 0x9812,
1179 .time_hi_and_version = 0x4540,
1180 .clock_seq = {0x00, 0x00},
1181 .node = {0x00,0x00,0x00,0x00,0x00,0x00}
1182 },
1183 .if_version = 1,
1184 };
1185
1186 bool dcerpc_extract_bind_time_features(struct ndr_syntax_id s, uint64_t *_features)
1187 {
1188 uint8_t values[8];
1189 uint64_t features = 0;
1190
1191 values[0] = s.uuid.clock_seq[0];
1192 values[1] = s.uuid.clock_seq[1];
1193 values[2] = s.uuid.node[0];
1194 values[3] = s.uuid.node[1];
1195 values[4] = s.uuid.node[2];
1196 values[5] = s.uuid.node[3];
1197 values[6] = s.uuid.node[4];
1198 values[7] = s.uuid.node[5];
1199
1200 ZERO_STRUCT(s.uuid.clock_seq);
1201 ZERO_STRUCT(s.uuid.node);
1202
1203 if (!ndr_syntax_id_equal(&s, &dcerpc_bind_time_features_prefix)) {
1204 if (_features != NULL) {
1205 *_features = 0;
1206 }
1207 return false;
1208 }
1209
1210 features = BVAL(values, 0);
1211
1212 if (_features != NULL) {
1213 *_features = features;
1214 }
1215
1216 return true;
1217 }
1218
1219 struct ndr_syntax_id dcerpc_construct_bind_time_features(uint64_t features)
1220 {
1221 struct ndr_syntax_id s = dcerpc_bind_time_features_prefix;
1222 uint8_t values[8];
1223
1224 SBVAL(values, 0, features);
1225
1226 s.uuid.clock_seq[0] = values[0];
1227 s.uuid.clock_seq[1] = values[1];
1228 s.uuid.node[0] = values[2];
1229 s.uuid.node[1] = values[3];
1230 s.uuid.node[2] = values[4];
1231 s.uuid.node[3] = values[5];
1232 s.uuid.node[4] = values[6];
1233 s.uuid.node[5] = values[7];
1234
1235 return s;
1236 }
Samba GIT mirror