2 Unix SMB/CIFS implementation.
5 Copyright (C) Andrew Tridgell 2003-2005
6 Copyright (C) Jelmer Vernooij 2004-2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "system/network.h"
25 #include "lib/tsocket/tsocket.h"
26 #include "lib/util/tevent_ntstatus.h"
27 #include "librpc/rpc/dcerpc.h"
28 #include "librpc/rpc/dcerpc_util.h"
29 #include "librpc/gen_ndr/ndr_dcerpc.h"
30 #include "rpc_common.h"
31 #include "lib/util/bitmap.h"
35 /* we need to be able to get/set the fragment length without doing a full
37 void dcerpc_set_frag_length(DATA_BLOB
*blob
, uint16_t v
)
39 SMB_ASSERT(blob
->length
>= DCERPC_NCACN_PAYLOAD_OFFSET
);
41 if (CVAL(blob
->data
,DCERPC_DREP_OFFSET
) & DCERPC_DREP_LE
) {
42 SSVAL(blob
->data
, DCERPC_FRAG_LEN_OFFSET
, v
);
44 RSSVAL(blob
->data
, DCERPC_FRAG_LEN_OFFSET
, v
);
48 uint16_t dcerpc_get_frag_length(const DATA_BLOB
*blob
)
50 SMB_ASSERT(blob
->length
>= DCERPC_NCACN_PAYLOAD_OFFSET
);
52 if (CVAL(blob
->data
,DCERPC_DREP_OFFSET
) & DCERPC_DREP_LE
) {
53 return SVAL(blob
->data
, DCERPC_FRAG_LEN_OFFSET
);
55 return RSVAL(blob
->data
, DCERPC_FRAG_LEN_OFFSET
);
59 void dcerpc_set_auth_length(DATA_BLOB
*blob
, uint16_t v
)
61 SMB_ASSERT(blob
->length
>= DCERPC_NCACN_PAYLOAD_OFFSET
);
63 if (CVAL(blob
->data
,DCERPC_DREP_OFFSET
) & DCERPC_DREP_LE
) {
64 SSVAL(blob
->data
, DCERPC_AUTH_LEN_OFFSET
, v
);
66 RSSVAL(blob
->data
, DCERPC_AUTH_LEN_OFFSET
, v
);
70 uint16_t dcerpc_get_auth_length(const DATA_BLOB
*blob
)
72 SMB_ASSERT(blob
->length
>= DCERPC_NCACN_PAYLOAD_OFFSET
);
74 if (CVAL(blob
->data
,DCERPC_DREP_OFFSET
) & DCERPC_DREP_LE
) {
75 return SVAL(blob
->data
, DCERPC_AUTH_LEN_OFFSET
);
77 return RSVAL(blob
->data
, DCERPC_AUTH_LEN_OFFSET
);
81 uint8_t dcerpc_get_endian_flag(DATA_BLOB
*blob
)
83 SMB_ASSERT(blob
->length
>= DCERPC_NCACN_PAYLOAD_OFFSET
);
85 return blob
->data
[DCERPC_DREP_OFFSET
];
88 static uint16_t dcerpc_get_auth_context_offset(const DATA_BLOB
*blob
)
90 uint16_t frag_len
= dcerpc_get_frag_length(blob
);
91 uint16_t auth_len
= dcerpc_get_auth_length(blob
);
99 if (frag_len
> blob
->length
) {
103 if (auth_len
> frag_len
) {
107 min_offset
= DCERPC_NCACN_PAYLOAD_OFFSET
+ DCERPC_AUTH_TRAILER_LENGTH
;
108 offset
= frag_len
- auth_len
;
109 if (offset
< min_offset
) {
112 offset
-= DCERPC_AUTH_TRAILER_LENGTH
;
117 uint8_t dcerpc_get_auth_type(const DATA_BLOB
*blob
)
121 offset
= dcerpc_get_auth_context_offset(blob
);
127 * auth_typw is in the 1st byte
128 * of the auth trailer
132 return blob
->data
[offset
];
135 uint8_t dcerpc_get_auth_level(const DATA_BLOB
*blob
)
139 offset
= dcerpc_get_auth_context_offset(blob
);
145 * auth_level is in 2nd byte
146 * of the auth trailer
150 return blob
->data
[offset
];
153 uint32_t dcerpc_get_auth_context_id(const DATA_BLOB
*blob
)
157 offset
= dcerpc_get_auth_context_offset(blob
);
163 * auth_context_id is in the last 4 byte
164 * of the auth trailer
168 if (CVAL(blob
->data
,DCERPC_DREP_OFFSET
) & DCERPC_DREP_LE
) {
169 return IVAL(blob
->data
, offset
);
171 return RIVAL(blob
->data
, offset
);
176 * @brief Decodes a ncacn_packet
178 * @param mem_ctx The memory context on which to allocate the packet
180 * @param blob The blob of data to decode
181 * @param r An empty ncacn_packet, must not be NULL
183 * @return a NTSTATUS error code
185 NTSTATUS
dcerpc_pull_ncacn_packet(TALLOC_CTX
*mem_ctx
,
186 const DATA_BLOB
*blob
,
187 struct ncacn_packet
*r
)
189 enum ndr_err_code ndr_err
;
190 struct ndr_pull
*ndr
;
192 ndr
= ndr_pull_init_blob(blob
, mem_ctx
);
194 return NT_STATUS_NO_MEMORY
;
197 ndr_err
= ndr_pull_ncacn_packet(ndr
, NDR_SCALARS
|NDR_BUFFERS
, r
);
199 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
201 return ndr_map_error2ntstatus(ndr_err
);
205 if (r
->frag_length
!= blob
->length
) {
206 return NT_STATUS_RPC_PROTOCOL_ERROR
;
213 * @brief Pull a dcerpc_auth structure, taking account of any auth
214 * padding in the blob. For request/response packets we pass
215 * the whole data blob, so auth_data_only must be set to false
216 * as the blob contains data+pad+auth and no just pad+auth.
218 * @param pkt - The ncacn_packet structure
219 * @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements
220 * @param pkt_trailer - The packet trailer data, usually the trailing
221 * auth_info blob, but in the request/response case
222 * this is the stub_and_verifier blob.
223 * @param auth - A preallocated dcerpc_auth *empty* structure
224 * @param auth_length - The length of the auth trail, sum of auth header
225 * length and pkt->auth_length
226 * @param auth_data_only - Whether the pkt_trailer includes only the auth_blob
227 * (+ padding) or also other data.
229 * @return - A NTSTATUS error code.
231 NTSTATUS
dcerpc_pull_auth_trailer(const struct ncacn_packet
*pkt
,
233 const DATA_BLOB
*pkt_trailer
,
234 struct dcerpc_auth
*auth
,
235 uint32_t *_auth_length
,
238 struct ndr_pull
*ndr
;
239 enum ndr_err_code ndr_err
;
240 uint16_t data_and_pad
;
241 uint16_t auth_length
;
243 uint32_t max_pad_len
= 0;
246 if (_auth_length
!= NULL
) {
249 if (auth_data_only
) {
250 return NT_STATUS_INTERNAL_ERROR
;
253 if (!auth_data_only
) {
254 return NT_STATUS_INTERNAL_ERROR
;
258 /* Paranoia checks for auth_length. The caller should check this... */
259 if (pkt
->auth_length
== 0) {
260 return NT_STATUS_INTERNAL_ERROR
;
263 /* Paranoia checks for auth_length. The caller should check this... */
264 if (pkt
->auth_length
> pkt
->frag_length
) {
265 return NT_STATUS_INTERNAL_ERROR
;
267 tmp_length
= DCERPC_NCACN_PAYLOAD_OFFSET
;
268 tmp_length
+= DCERPC_AUTH_TRAILER_LENGTH
;
269 tmp_length
+= pkt
->auth_length
;
270 if (tmp_length
> pkt
->frag_length
) {
271 return NT_STATUS_INTERNAL_ERROR
;
273 if (pkt_trailer
->length
> UINT16_MAX
) {
274 return NT_STATUS_INTERNAL_ERROR
;
277 auth_length
= DCERPC_AUTH_TRAILER_LENGTH
+ pkt
->auth_length
;
278 if (pkt_trailer
->length
< auth_length
) {
279 return NT_STATUS_RPC_PROTOCOL_ERROR
;
282 data_and_pad
= pkt_trailer
->length
- auth_length
;
284 ndr
= ndr_pull_init_blob(pkt_trailer
, mem_ctx
);
286 return NT_STATUS_NO_MEMORY
;
289 if (!(pkt
->drep
[0] & DCERPC_DREP_LE
)) {
290 ndr
->flags
|= LIBNDR_FLAG_BIGENDIAN
;
293 ndr_err
= ndr_pull_advance(ndr
, data_and_pad
);
294 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
296 return ndr_map_error2ntstatus(ndr_err
);
299 ndr_err
= ndr_pull_dcerpc_auth(ndr
, NDR_SCALARS
|NDR_BUFFERS
, auth
);
300 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
303 return ndr_map_error2ntstatus(ndr_err
);
307 * Make sure the padding would not exceed
310 * Here we assume at least 24 bytes for the
311 * payload specific header the value of
312 * DCERPC_{REQUEST,RESPONSE}_LENGTH.
314 * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
316 * We need this check before we ignore possible
317 * invalid values. See also bug #11982.
319 * This check is mainly used to generate the correct
320 * error for BIND_*, ALTER_* and AUTH3 pdus.
322 * We always have the 'if (data_and_pad < auth->auth_pad_length)'
323 * protection for REQUEST and RESPONSE pdus, where the
324 * auth_pad_length field is actually used by the caller.
326 tmp_length
= DCERPC_REQUEST_LENGTH
;
327 tmp_length
+= DCERPC_AUTH_TRAILER_LENGTH
;
328 tmp_length
+= pkt
->auth_length
;
329 if (tmp_length
< pkt
->frag_length
) {
330 max_pad_len
= pkt
->frag_length
- tmp_length
;
332 if (max_pad_len
< auth
->auth_pad_length
) {
333 DEBUG(1, (__location__
": ERROR: pad length too large. "
334 "max %"PRIu32
" got %"PRIu8
"\n",
336 auth
->auth_pad_length
));
339 return NT_STATUS_RPC_PROTOCOL_ERROR
;
343 * This is a workaround for a bug in old
344 * Samba releases. For BIND_ACK <= 3.5.x
345 * and for ALTER_RESP <= 4.2.x (see bug #11061)
347 * See also bug #11982.
349 if (auth_data_only
&& data_and_pad
== 0 &&
350 auth
->auth_pad_length
> 0) {
352 * we need to ignore invalid auth_pad_length
353 * values for BIND_*, ALTER_* and AUTH3 pdus.
355 auth
->auth_pad_length
= 0;
358 if (data_and_pad
< auth
->auth_pad_length
) {
359 DBG_WARNING(__location__
": ERROR: pad length too long. "
360 "Calculated %"PRIu16
" (pkt_trailer->length=%zu - auth_length=%"PRIu16
") "
361 "was less than auth_pad_length=%"PRIu8
"\n",
365 auth
->auth_pad_length
);
368 return NT_STATUS_RPC_PROTOCOL_ERROR
;
371 if (auth_data_only
&& data_and_pad
> auth
->auth_pad_length
) {
372 DBG_WARNING(__location__
": ERROR: auth_data_only pad length mismatch. "
373 "Client sent a longer BIND packet than expected by %"PRIu16
" bytes "
374 "(pkt_trailer->length=%zu - auth_length=%"PRIu16
") "
375 "= %"PRIu16
" auth_pad_length=%"PRIu8
"\n",
376 data_and_pad
- auth
->auth_pad_length
,
380 auth
->auth_pad_length
);
383 return NT_STATUS_RPC_PROTOCOL_ERROR
;
386 if (auth_data_only
&& data_and_pad
!= auth
->auth_pad_length
) {
387 DBG_WARNING(__location__
": ERROR: auth_data_only pad length mismatch. "
388 "Calculated %"PRIu16
" (pkt_trailer->length=%zu - auth_length=%"PRIu16
") "
389 "but auth_pad_length=%"PRIu8
"\n",
393 auth
->auth_pad_length
);
396 return NT_STATUS_RPC_PROTOCOL_ERROR
;
399 DBG_DEBUG("auth_pad_length %"PRIu8
"\n",
400 auth
->auth_pad_length
);
402 talloc_steal(mem_ctx
, auth
->credentials
.data
);
405 if (_auth_length
!= NULL
) {
406 *_auth_length
= auth_length
;
413 * @brief Verify the fields in ncacn_packet header.
415 * @param pkt - The ncacn_packet structure
416 * @param ptype - The expected PDU type
417 * @param max_auth_info - The maximum size of a possible auth trailer
418 * @param required_flags - The required flags for the pdu.
419 * @param optional_flags - The possible optional flags for the pdu.
421 * @return - A NTSTATUS error code.
423 NTSTATUS
dcerpc_verify_ncacn_packet_header(const struct ncacn_packet
*pkt
,
424 enum dcerpc_pkt_type ptype
,
425 size_t max_auth_info
,
426 uint8_t required_flags
,
427 uint8_t optional_flags
)
429 if (pkt
->rpc_vers
!= 5) {
430 return NT_STATUS_RPC_PROTOCOL_ERROR
;
433 if (pkt
->rpc_vers_minor
!= 0) {
434 return NT_STATUS_RPC_PROTOCOL_ERROR
;
437 if (pkt
->auth_length
> pkt
->frag_length
) {
438 return NT_STATUS_RPC_PROTOCOL_ERROR
;
441 if (pkt
->ptype
!= ptype
) {
442 return NT_STATUS_RPC_PROTOCOL_ERROR
;
445 if (max_auth_info
> UINT16_MAX
) {
446 return NT_STATUS_INTERNAL_ERROR
;
449 if (pkt
->auth_length
> 0) {
450 size_t max_auth_length
;
452 if (max_auth_info
<= DCERPC_AUTH_TRAILER_LENGTH
) {
453 return NT_STATUS_RPC_PROTOCOL_ERROR
;
455 max_auth_length
= max_auth_info
- DCERPC_AUTH_TRAILER_LENGTH
;
457 if (pkt
->auth_length
> max_auth_length
) {
458 return NT_STATUS_RPC_PROTOCOL_ERROR
;
462 if ((pkt
->pfc_flags
& required_flags
) != required_flags
) {
463 return NT_STATUS_RPC_PROTOCOL_ERROR
;
465 if (pkt
->pfc_flags
& ~(optional_flags
|required_flags
)) {
466 return NT_STATUS_RPC_PROTOCOL_ERROR
;
469 if (pkt
->drep
[0] & ~DCERPC_DREP_LE
) {
470 return NT_STATUS_RPC_PROTOCOL_ERROR
;
472 if (pkt
->drep
[1] != 0) {
473 return NT_STATUS_RPC_PROTOCOL_ERROR
;
475 if (pkt
->drep
[2] != 0) {
476 return NT_STATUS_RPC_PROTOCOL_ERROR
;
478 if (pkt
->drep
[3] != 0) {
479 return NT_STATUS_RPC_PROTOCOL_ERROR
;
485 struct dcerpc_read_ncacn_packet_state
{
491 struct ncacn_packet
*pkt
;
494 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context
*stream
,
497 struct iovec
**_vector
,
499 static void dcerpc_read_ncacn_packet_done(struct tevent_req
*subreq
);
501 struct tevent_req
*dcerpc_read_ncacn_packet_send(TALLOC_CTX
*mem_ctx
,
502 struct tevent_context
*ev
,
503 struct tstream_context
*stream
)
505 struct tevent_req
*req
;
506 struct dcerpc_read_ncacn_packet_state
*state
;
507 struct tevent_req
*subreq
;
509 req
= tevent_req_create(mem_ctx
, &state
,
510 struct dcerpc_read_ncacn_packet_state
);
515 state
->pkt
= talloc_zero(state
, struct ncacn_packet
);
516 if (tevent_req_nomem(state
->pkt
, req
)) {
520 subreq
= tstream_readv_pdu_send(state
, ev
,
522 dcerpc_read_ncacn_packet_next_vector
,
524 if (tevent_req_nomem(subreq
, req
)) {
527 tevent_req_set_callback(subreq
, dcerpc_read_ncacn_packet_done
, req
);
531 tevent_req_post(req
, ev
);
535 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context
*stream
,
538 struct iovec
**_vector
,
541 struct dcerpc_read_ncacn_packet_state
*state
=
542 talloc_get_type_abort(private_data
,
543 struct dcerpc_read_ncacn_packet_state
);
544 struct iovec
*vector
;
547 if (state
->buffer
.length
== 0) {
549 * first get enough to read the fragment length
551 * We read the full fixed ncacn_packet header
552 * in order to make wireshark happy with
553 * pcap files from socket_wrapper.
556 state
->buffer
.length
= DCERPC_NCACN_PAYLOAD_OFFSET
;
557 state
->buffer
.data
= talloc_array(state
, uint8_t,
558 state
->buffer
.length
);
559 if (!state
->buffer
.data
) {
562 } else if (state
->buffer
.length
== DCERPC_NCACN_PAYLOAD_OFFSET
) {
563 /* now read the fragment length and allocate the full buffer */
564 size_t frag_len
= dcerpc_get_frag_length(&state
->buffer
);
566 ofs
= state
->buffer
.length
;
568 if (frag_len
<= ofs
) {
570 * With frag_len == ofs, we are done, this is likely
571 * a DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
572 * without any payload.
574 * Otherwise it's a broken packet and we
575 * let the caller deal with it.
582 state
->buffer
.data
= talloc_realloc(state
,
585 if (!state
->buffer
.data
) {
588 state
->buffer
.length
= frag_len
;
590 /* if we reach this we have a full fragment */
596 /* now create the vector that we want to be filled */
597 vector
= talloc_array(mem_ctx
, struct iovec
, 1);
602 vector
[0].iov_base
= (void *) (state
->buffer
.data
+ ofs
);
603 vector
[0].iov_len
= state
->buffer
.length
- ofs
;
610 static void dcerpc_read_ncacn_packet_done(struct tevent_req
*subreq
)
612 struct tevent_req
*req
= tevent_req_callback_data(subreq
,
614 struct dcerpc_read_ncacn_packet_state
*state
= tevent_req_data(req
,
615 struct dcerpc_read_ncacn_packet_state
);
620 ret
= tstream_readv_pdu_recv(subreq
, &sys_errno
);
623 status
= map_nt_error_from_unix_common(sys_errno
);
624 tevent_req_nterror(req
, status
);
628 status
= dcerpc_pull_ncacn_packet(state
->pkt
,
631 if (tevent_req_nterror(req
, status
)) {
635 tevent_req_done(req
);
638 NTSTATUS
dcerpc_read_ncacn_packet_recv(struct tevent_req
*req
,
640 struct ncacn_packet
**pkt
,
643 struct dcerpc_read_ncacn_packet_state
*state
= tevent_req_data(req
,
644 struct dcerpc_read_ncacn_packet_state
);
647 if (tevent_req_is_nterror(req
, &status
)) {
648 tevent_req_received(req
);
652 *pkt
= talloc_move(mem_ctx
, &state
->pkt
);
654 buffer
->data
= talloc_move(mem_ctx
, &state
->buffer
.data
);
655 buffer
->length
= state
->buffer
.length
;
658 tevent_req_received(req
);
662 const char *dcerpc_default_transport_endpoint(TALLOC_CTX
*mem_ctx
,
663 enum dcerpc_transport_t transport
,
664 const struct ndr_interface_table
*table
)
667 const char *p
= NULL
;
668 const char *endpoint
= NULL
;
670 struct dcerpc_binding
*default_binding
= NULL
;
671 TALLOC_CTX
*frame
= talloc_stackframe();
673 /* Find one of the default pipes for this interface */
675 for (i
= 0; i
< table
->endpoints
->count
; i
++) {
676 enum dcerpc_transport_t dtransport
;
677 const char *dendpoint
;
679 status
= dcerpc_parse_binding(frame
, table
->endpoints
->names
[i
],
681 if (!NT_STATUS_IS_OK(status
)) {
685 dtransport
= dcerpc_binding_get_transport(default_binding
);
686 dendpoint
= dcerpc_binding_get_string_option(default_binding
,
688 if (dendpoint
== NULL
) {
689 TALLOC_FREE(default_binding
);
693 if (transport
== NCA_UNKNOWN
) {
694 transport
= dtransport
;
697 if (transport
!= dtransport
) {
698 TALLOC_FREE(default_binding
);
711 * extract the pipe name without \\pipe from for example
712 * ncacn_np:[\\pipe\\epmapper]
714 if (transport
== NCACN_NP
) {
715 if (strncasecmp(p
, "\\pipe\\", 6) == 0) {
723 endpoint
= talloc_strdup(mem_ctx
, p
);
730 struct dcerpc_sec_vt_header2
dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet
*pkt
)
732 struct dcerpc_sec_vt_header2 ret
;
735 ret
.ptype
= pkt
->ptype
;
736 memcpy(&ret
.drep
, pkt
->drep
, sizeof(ret
.drep
));
737 ret
.call_id
= pkt
->call_id
;
739 switch (pkt
->ptype
) {
740 case DCERPC_PKT_REQUEST
:
741 ret
.context_id
= pkt
->u
.request
.context_id
;
742 ret
.opnum
= pkt
->u
.request
.opnum
;
745 case DCERPC_PKT_RESPONSE
:
746 ret
.context_id
= pkt
->u
.response
.context_id
;
749 case DCERPC_PKT_FAULT
:
750 ret
.context_id
= pkt
->u
.fault
.context_id
;
760 bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2
*v1
,
761 const struct dcerpc_sec_vt_header2
*v2
)
763 if (v1
->ptype
!= v2
->ptype
) {
767 if (memcmp(v1
->drep
, v2
->drep
, sizeof(v1
->drep
)) != 0) {
771 if (v1
->call_id
!= v2
->call_id
) {
775 if (v1
->context_id
!= v2
->context_id
) {
779 if (v1
->opnum
!= v2
->opnum
) {
786 static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer
*r
)
789 TALLOC_CTX
*frame
= talloc_stackframe();
790 struct bitmap
*commands_seen
;
793 if (r
->count
.count
== 0) {
798 if (memcmp(r
->magic
, DCERPC_SEC_VT_MAGIC
, sizeof(r
->magic
)) != 0) {
802 commands_seen
= bitmap_talloc(frame
, DCERPC_SEC_VT_COMMAND_ENUM
+ 1);
803 if (commands_seen
== NULL
) {
807 for (i
=0; i
< r
->count
.count
; i
++) {
808 enum dcerpc_sec_vt_command_enum cmd
=
809 r
->commands
[i
].command
& DCERPC_SEC_VT_COMMAND_ENUM
;
811 if (bitmap_query(commands_seen
, cmd
)) {
812 /* Each command must appear at most once. */
815 bitmap_set(commands_seen
, cmd
);
818 case DCERPC_SEC_VT_COMMAND_BITMASK1
:
819 case DCERPC_SEC_VT_COMMAND_PCONTEXT
:
820 case DCERPC_SEC_VT_COMMAND_HEADER2
:
823 if ((r
->commands
[i
].u
._unknown
.length
% 4) != 0) {
835 static bool dcerpc_sec_vt_bitmask_check(const uint32_t *bitmask1
,
836 struct dcerpc_sec_vt
*c
)
838 if (bitmask1
== NULL
) {
839 if (c
->command
& DCERPC_SEC_VT_MUST_PROCESS
) {
840 DEBUG(10, ("SEC_VT check Bitmask1 must_process_command "
848 if ((c
->u
.bitmask1
& DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING
)
849 && (!(*bitmask1
& DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING
))) {
850 DEBUG(10, ("SEC_VT check Bitmask1 client_header_signing "
857 static bool dcerpc_sec_vt_pctx_check(const struct dcerpc_sec_vt_pcontext
*pcontext
,
858 struct dcerpc_sec_vt
*c
)
862 if (pcontext
== NULL
) {
863 if (c
->command
& DCERPC_SEC_VT_MUST_PROCESS
) {
864 DEBUG(10, ("SEC_VT check Pcontext must_process_command "
872 ok
= ndr_syntax_id_equal(&pcontext
->abstract_syntax
,
873 &c
->u
.pcontext
.abstract_syntax
);
875 struct ndr_syntax_id_buf buf1
, buf2
;
876 DEBUG(10, ("SEC_VT check pcontext abstract_syntax failed: "
878 ndr_syntax_id_buf_string(
879 &pcontext
->abstract_syntax
, &buf1
),
880 ndr_syntax_id_buf_string(
881 &c
->u
.pcontext
.abstract_syntax
, &buf2
)));
884 ok
= ndr_syntax_id_equal(&pcontext
->transfer_syntax
,
885 &c
->u
.pcontext
.transfer_syntax
);
887 struct ndr_syntax_id_buf buf1
, buf2
;
888 DEBUG(10, ("SEC_VT check pcontext transfer_syntax failed: "
890 ndr_syntax_id_buf_string(
891 &pcontext
->transfer_syntax
, &buf1
),
892 ndr_syntax_id_buf_string(
893 &c
->u
.pcontext
.transfer_syntax
, &buf2
)));
900 static bool dcerpc_sec_vt_hdr2_check(const struct dcerpc_sec_vt_header2
*header2
,
901 struct dcerpc_sec_vt
*c
)
903 if (header2
== NULL
) {
904 if (c
->command
& DCERPC_SEC_VT_MUST_PROCESS
) {
905 DEBUG(10, ("SEC_VT check Header2 must_process_command failed\n"));
912 if (!dcerpc_sec_vt_header2_equal(header2
, &c
->u
.header2
)) {
913 DEBUG(10, ("SEC_VT check Header2 failed\n"));
920 bool dcerpc_sec_verification_trailer_check(
921 const struct dcerpc_sec_verification_trailer
*vt
,
922 const uint32_t *bitmask1
,
923 const struct dcerpc_sec_vt_pcontext
*pcontext
,
924 const struct dcerpc_sec_vt_header2
*header2
)
928 if (!dcerpc_sec_vt_is_valid(vt
)) {
932 for (i
=0; i
< vt
->count
.count
; i
++) {
934 struct dcerpc_sec_vt
*c
= &vt
->commands
[i
];
936 switch (c
->command
& DCERPC_SEC_VT_COMMAND_ENUM
) {
937 case DCERPC_SEC_VT_COMMAND_BITMASK1
:
938 ok
= dcerpc_sec_vt_bitmask_check(bitmask1
, c
);
944 case DCERPC_SEC_VT_COMMAND_PCONTEXT
:
945 ok
= dcerpc_sec_vt_pctx_check(pcontext
, c
);
951 case DCERPC_SEC_VT_COMMAND_HEADER2
: {
952 ok
= dcerpc_sec_vt_hdr2_check(header2
, c
);
960 if (c
->command
& DCERPC_SEC_VT_MUST_PROCESS
) {
961 DEBUG(10, ("SEC_VT check Unknown must_process_command failed\n"));
972 static const struct ndr_syntax_id dcerpc_bind_time_features_prefix
= {
974 .time_low
= 0x6cb71c2c,
976 .time_hi_and_version
= 0x4540,
977 .clock_seq
= {0x00, 0x00},
978 .node
= {0x00,0x00,0x00,0x00,0x00,0x00}
983 bool dcerpc_extract_bind_time_features(struct ndr_syntax_id s
, uint64_t *_features
)
986 uint64_t features
= 0;
988 values
[0] = s
.uuid
.clock_seq
[0];
989 values
[1] = s
.uuid
.clock_seq
[1];
990 values
[2] = s
.uuid
.node
[0];
991 values
[3] = s
.uuid
.node
[1];
992 values
[4] = s
.uuid
.node
[2];
993 values
[5] = s
.uuid
.node
[3];
994 values
[6] = s
.uuid
.node
[4];
995 values
[7] = s
.uuid
.node
[5];
997 ZERO_STRUCT(s
.uuid
.clock_seq
);
998 ZERO_STRUCT(s
.uuid
.node
);
1000 if (!ndr_syntax_id_equal(&s
, &dcerpc_bind_time_features_prefix
)) {
1001 if (_features
!= NULL
) {
1007 features
= BVAL(values
, 0);
1009 if (_features
!= NULL
) {
1010 *_features
= features
;
1016 struct ndr_syntax_id
dcerpc_construct_bind_time_features(uint64_t features
)
1018 struct ndr_syntax_id s
= dcerpc_bind_time_features_prefix
;
1021 SBVAL(values
, 0, features
);
1023 s
.uuid
.clock_seq
[0] = values
[0];
1024 s
.uuid
.clock_seq
[1] = values
[1];
1025 s
.uuid
.node
[0] = values
[2];
1026 s
.uuid
.node
[1] = values
[3];
1027 s
.uuid
.node
[2] = values
[4];
1028 s
.uuid
.node
[3] = values
[5];
1029 s
.uuid
.node
[4] = values
[6];
1030 s
.uuid
.node
[5] = values
[7];
1035 NTSTATUS
dcerpc_generic_session_key(DATA_BLOB
*session_key
)
1037 *session_key
= data_blob_null
;
1039 /* this took quite a few CPU cycles to find ... */
1040 session_key
->data
= discard_const_p(unsigned char, "SystemLibraryDTC");
1041 session_key
->length
= 16;
1042 return NT_STATUS_OK
;
1046 push a ncacn_packet into a blob, potentially with auth info
1048 NTSTATUS
dcerpc_ncacn_push_auth(DATA_BLOB
*blob
,
1049 TALLOC_CTX
*mem_ctx
,
1050 struct ncacn_packet
*pkt
,
1051 struct dcerpc_auth
*auth_info
)
1053 struct ndr_push
*ndr
;
1054 enum ndr_err_code ndr_err
;
1056 ndr
= ndr_push_init_ctx(mem_ctx
);
1058 return NT_STATUS_NO_MEMORY
;
1062 pkt
->auth_length
= auth_info
->credentials
.length
;
1064 pkt
->auth_length
= 0;
1067 ndr_err
= ndr_push_ncacn_packet(ndr
, NDR_SCALARS
|NDR_BUFFERS
, pkt
);
1068 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1069 return ndr_map_error2ntstatus(ndr_err
);
1074 /* the s3 rpc server doesn't handle auth padding in
1075 bind requests. Use zero auth padding to keep us
1076 working with old servers */
1077 uint32_t offset
= ndr
->offset
;
1078 ndr_err
= ndr_push_align(ndr
, 16);
1079 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1080 return ndr_map_error2ntstatus(ndr_err
);
1082 auth_info
->auth_pad_length
= ndr
->offset
- offset
;
1084 auth_info
->auth_pad_length
= 0;
1086 ndr_err
= ndr_push_dcerpc_auth(ndr
, NDR_SCALARS
|NDR_BUFFERS
, auth_info
);
1087 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1088 return ndr_map_error2ntstatus(ndr_err
);
1092 *blob
= ndr_push_blob(ndr
);
1094 /* fill in the frag length */
1095 dcerpc_set_frag_length(blob
, blob
->length
);
1097 return NT_STATUS_OK
;
1101 log a rpc packet in a format suitable for ndrdump. This is especially useful
1102 for sealed packets, where ethereal cannot easily see the contents
1104 this triggers if "dcesrv:stubs directory" is set and present
1105 for all packets that fail to parse
1107 void dcerpc_log_packet(const char *packet_log_dir
,
1108 const char *interface_name
,
1109 uint32_t opnum
, ndr_flags_type flags
,
1110 const DATA_BLOB
*pkt
,
1113 const int num_examples
= 20;
1116 if (packet_log_dir
== NULL
) {
1120 for (i
=0;i
<num_examples
;i
++) {
1124 ret
= asprintf(&name
, "%s/%s-%"PRIu32
".%d.%s.%s",
1125 packet_log_dir
, interface_name
, opnum
, i
,
1126 (flags
&NDR_IN
)?"in":"out",
1132 saved
= file_save(name
, pkt
->data
, pkt
->length
);
1134 DBG_DEBUG("Logged rpc packet to %s\n", name
);