2 Unix SMB/CIFS implementation.
5 Copyright (C) Andrew Tridgell 2003-2005
6 Copyright (C) Jelmer Vernooij 2004-2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "system/network.h"
25 #include "lib/tsocket/tsocket.h"
26 #include "lib/util/util_file.h"
27 #include "lib/util/tevent_ntstatus.h"
28 #include "librpc/rpc/dcerpc.h"
29 #include "librpc/rpc/dcerpc_util.h"
30 #include "librpc/gen_ndr/ndr_dcerpc.h"
31 #include "rpc_common.h"
32 #include "lib/util/bitmap.h"
34 #include "lib/crypto/gnutls_helpers.h"
35 #include <gnutls/gnutls.h>
36 #include <gnutls/crypto.h>
41 /* we need to be able to get/set the fragment length without doing a full
43 void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
45 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
47 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
48 SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
50 RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
54 uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
56 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
58 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
59 return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
61 return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
65 void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
67 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
69 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
70 SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
72 RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
76 uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
78 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
80 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
81 return SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
83 return RSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
87 uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
89 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
91 return blob->data[DCERPC_DREP_OFFSET];
94 static uint16_t dcerpc_get_auth_context_offset(const DATA_BLOB *blob)
96 uint16_t frag_len = dcerpc_get_frag_length(blob);
97 uint16_t auth_len = dcerpc_get_auth_length(blob);
105 if (frag_len > blob->length) {
109 if (auth_len > frag_len) {
113 min_offset = DCERPC_NCACN_PAYLOAD_OFFSET + DCERPC_AUTH_TRAILER_LENGTH;
114 offset = frag_len - auth_len;
115 if (offset < min_offset) {
118 offset -= DCERPC_AUTH_TRAILER_LENGTH;
123 uint8_t dcerpc_get_auth_type(const DATA_BLOB *blob)
127 offset = dcerpc_get_auth_context_offset(blob);
133 * auth_typw is in the 1st byte
134 * of the auth trailer
138 return blob->data[offset];
141 uint8_t dcerpc_get_auth_level(const DATA_BLOB *blob)
145 offset = dcerpc_get_auth_context_offset(blob);
151 * auth_level is in 2nd byte
152 * of the auth trailer
156 return blob->data[offset];
159 uint32_t dcerpc_get_auth_context_id(const DATA_BLOB *blob)
163 offset = dcerpc_get_auth_context_offset(blob);
169 * auth_context_id is in the last 4 byte
170 * of the auth trailer
174 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
175 return IVAL(blob->data, offset);
177 return RIVAL(blob->data, offset);
182 * @brief Decodes a ncacn_packet
184 * @param mem_ctx The memory context on which to allocate the packet
186 * @param blob The blob of data to decode
187 * @param r An empty ncacn_packet, must not be NULL
189 * @return a NTSTATUS error code
191 NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
192 const DATA_BLOB *blob,
193 struct ncacn_packet *r)
195 enum ndr_err_code ndr_err;
196 struct ndr_pull *ndr;
198 ndr = ndr_pull_init_blob(blob, mem_ctx);
200 return NT_STATUS_NO_MEMORY;
203 ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r);
205 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
207 return ndr_map_error2ntstatus(ndr_err);
211 if (r->frag_length != blob->length) {
212 return NT_STATUS_RPC_PROTOCOL_ERROR;
219 * @brief Pull a dcerpc_auth structure, taking account of any auth
220 * padding in the blob. For request/response packets we pass
221 * the whole data blob, so auth_data_only must be set to false
222 * as the blob contains data+pad+auth and no just pad+auth.
224 * @param pkt - The ncacn_packet structure
225 * @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements
226 * @param pkt_trailer - The packet trailer data, usually the trailing
227 * auth_info blob, but in the request/response case
228 * this is the stub_and_verifier blob.
229 * @param auth - A preallocated dcerpc_auth *empty* structure
230 * @param auth_length - The length of the auth trail, sum of auth header
231 * length and pkt->auth_length
232 * @param auth_data_only - Whether the pkt_trailer includes only the auth_blob
233 * (+ padding) or also other data.
235 * @return - A NTSTATUS error code.
237 NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
239 const DATA_BLOB *pkt_trailer,
240 struct dcerpc_auth *auth,
241 uint32_t *_auth_length,
244 struct ndr_pull *ndr;
245 enum ndr_err_code ndr_err;
246 uint16_t data_and_pad;
247 uint16_t auth_length;
248 uint16_t auth_offset;
250 uint32_t max_pad_len = 0;
254 if (_auth_length != NULL) {
257 if (auth_data_only) {
258 return NT_STATUS_INTERNAL_ERROR;
261 if (!auth_data_only) {
262 return NT_STATUS_INTERNAL_ERROR;
266 /* Paranoia checks for auth_length. The caller should check this... */
267 if (pkt->auth_length == 0) {
268 return NT_STATUS_INTERNAL_ERROR;
271 /* Paranoia checks for auth_length. The caller should check this... */
272 if (pkt->auth_length > pkt->frag_length) {
273 return NT_STATUS_INTERNAL_ERROR;
275 tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
276 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
277 tmp_length += pkt->auth_length;
278 if (tmp_length > pkt->frag_length) {
279 return NT_STATUS_INTERNAL_ERROR;
281 if (pkt_trailer->length > UINT16_MAX) {
282 return NT_STATUS_INTERNAL_ERROR;
285 auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
286 if (pkt_trailer->length < auth_length) {
287 return NT_STATUS_RPC_PROTOCOL_ERROR;
290 data_and_pad = pkt_trailer->length - auth_length;
291 auth_offset = pkt->frag_length - auth_length;
292 if ((auth_offset % 4) != 0) {
293 DBG_WARNING("auth_offset[%u] not 4 byte aligned\n",
294 (unsigned)auth_offset);
295 return NT_STATUS_RPC_PROTOCOL_ERROR;
298 auth_blob = data_blob_const(pkt_trailer->data + data_and_pad,
300 ndr = ndr_pull_init_blob(&auth_blob, mem_ctx);
302 return NT_STATUS_NO_MEMORY;
305 if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
306 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
309 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
310 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
313 return ndr_map_error2ntstatus(ndr_err);
317 * Make sure the padding would not exceed
320 * Here we assume at least 24 bytes for the
321 * payload specific header the value of
322 * DCERPC_{REQUEST,RESPONSE}_LENGTH.
324 * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
326 * We need this check before we ignore possible
327 * invalid values. See also bug #11982.
329 * This check is mainly used to generate the correct
330 * error for BIND_*, ALTER_* and AUTH3 pdus.
332 * We always have the 'if (data_and_pad < auth->auth_pad_length)'
333 * protection for REQUEST and RESPONSE pdus, where the
334 * auth_pad_length field is actually used by the caller.
336 tmp_length = DCERPC_REQUEST_LENGTH;
337 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
338 tmp_length += pkt->auth_length;
339 if (tmp_length < pkt->frag_length) {
340 max_pad_len = pkt->frag_length - tmp_length;
342 if (max_pad_len < auth->auth_pad_length) {
343 DEBUG(1, (__location__ ": ERROR: pad length too large. "
344 "max %"PRIu32" got %"PRIu8"\n",
346 auth->auth_pad_length));
349 return NT_STATUS_RPC_PROTOCOL_ERROR;
353 * This is a workaround for a bug in old
354 * Samba releases. For BIND_ACK <= 3.5.x
355 * and for ALTER_RESP <= 4.2.x (see bug #11061)
357 * See also bug #11982.
359 if (auth_data_only && data_and_pad == 0 &&
360 auth->auth_pad_length > 0) {
362 * we need to ignore invalid auth_pad_length
363 * values for BIND_*, ALTER_* and AUTH3 pdus.
365 auth->auth_pad_length = 0;
368 if (data_and_pad < auth->auth_pad_length) {
369 DBG_WARNING(__location__ ": ERROR: pad length too long. "
370 "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
371 "was less than auth_pad_length=%"PRIu8"\n",
375 auth->auth_pad_length);
378 return NT_STATUS_RPC_PROTOCOL_ERROR;
381 if (auth_data_only && data_and_pad > auth->auth_pad_length) {
382 DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
383 "Client sent a longer BIND packet than expected by %"PRIu16" bytes "
384 "(pkt_trailer->length=%zu - auth_length=%"PRIu16") "
385 "= %"PRIu16" auth_pad_length=%"PRIu8"\n",
386 data_and_pad - auth->auth_pad_length,
390 auth->auth_pad_length);
393 return NT_STATUS_RPC_PROTOCOL_ERROR;
396 if (auth_data_only && data_and_pad != auth->auth_pad_length) {
397 DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
398 "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
399 "but auth_pad_length=%"PRIu8"\n",
403 auth->auth_pad_length);
406 return NT_STATUS_RPC_PROTOCOL_ERROR;
409 DBG_DEBUG("auth_pad_length %"PRIu8"\n",
410 auth->auth_pad_length);
412 talloc_steal(mem_ctx, auth->credentials.data);
415 if (_auth_length != NULL) {
416 *_auth_length = auth_length;
423 * @brief Verify the fields in ncacn_packet header.
425 * @param pkt - The ncacn_packet structure
426 * @param ptype - The expected PDU type
427 * @param max_auth_info - The maximum size of a possible auth trailer
428 * @param required_flags - The required flags for the pdu.
429 * @param optional_flags - The possible optional flags for the pdu.
431 * @return - A NTSTATUS error code.
433 NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
434 enum dcerpc_pkt_type ptype,
435 size_t max_auth_info,
436 uint8_t required_flags,
437 uint8_t optional_flags)
439 if (pkt->rpc_vers != 5) {
440 return NT_STATUS_RPC_PROTOCOL_ERROR;
443 if (pkt->rpc_vers_minor != 0) {
444 return NT_STATUS_RPC_PROTOCOL_ERROR;
447 if (pkt->auth_length > pkt->frag_length) {
448 return NT_STATUS_RPC_PROTOCOL_ERROR;
451 if (pkt->ptype != ptype) {
452 return NT_STATUS_RPC_PROTOCOL_ERROR;
455 if (max_auth_info > UINT16_MAX) {
456 return NT_STATUS_INTERNAL_ERROR;
459 if (pkt->auth_length > 0) {
460 size_t max_auth_length;
462 if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
463 return NT_STATUS_RPC_PROTOCOL_ERROR;
465 max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
467 if (pkt->auth_length > max_auth_length) {
468 return NT_STATUS_RPC_PROTOCOL_ERROR;
472 if ((pkt->pfc_flags & required_flags) != required_flags) {
473 return NT_STATUS_RPC_PROTOCOL_ERROR;
475 if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
476 return NT_STATUS_RPC_PROTOCOL_ERROR;
479 if (pkt->drep[0] & ~DCERPC_DREP_LE) {
480 return NT_STATUS_RPC_PROTOCOL_ERROR;
482 if (pkt->drep[1] != 0) {
483 return NT_STATUS_RPC_PROTOCOL_ERROR;
485 if (pkt->drep[2] != 0) {
486 return NT_STATUS_RPC_PROTOCOL_ERROR;
488 if (pkt->drep[3] != 0) {
489 return NT_STATUS_RPC_PROTOCOL_ERROR;
495 struct dcerpc_read_ncacn_packet_state {
501 struct ncacn_packet *pkt;
504 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
507 struct iovec **_vector,
509 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq);
511 struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
512 struct tevent_context *ev,
513 struct tstream_context *stream)
515 struct tevent_req *req;
516 struct dcerpc_read_ncacn_packet_state *state;
517 struct tevent_req *subreq;
519 req = tevent_req_create(mem_ctx, &state,
520 struct dcerpc_read_ncacn_packet_state);
525 state->pkt = talloc_zero(state, struct ncacn_packet);
526 if (tevent_req_nomem(state->pkt, req)) {
530 subreq = tstream_readv_pdu_send(state, ev,
532 dcerpc_read_ncacn_packet_next_vector,
534 if (tevent_req_nomem(subreq, req)) {
537 tevent_req_set_callback(subreq, dcerpc_read_ncacn_packet_done, req);
541 tevent_req_post(req, ev);
545 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
548 struct iovec **_vector,
551 struct dcerpc_read_ncacn_packet_state *state =
552 talloc_get_type_abort(private_data,
553 struct dcerpc_read_ncacn_packet_state);
554 struct iovec *vector;
557 if (state->buffer.length == 0) {
559 * first get enough to read the fragment length
561 * We read the full fixed ncacn_packet header
562 * in order to make wireshark happy with
563 * pcap files from socket_wrapper.
566 state->buffer.length = DCERPC_NCACN_PAYLOAD_OFFSET;
567 state->buffer.data = talloc_array(state, uint8_t,
568 state->buffer.length);
569 if (!state->buffer.data) {
572 } else if (state->buffer.length == DCERPC_NCACN_PAYLOAD_OFFSET) {
573 /* now read the fragment length and allocate the full buffer */
574 size_t frag_len = dcerpc_get_frag_length(&state->buffer);
576 ofs = state->buffer.length;
578 if (frag_len <= ofs) {
580 * With frag_len == ofs, we are done, this is likely
581 * a DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
582 * without any payload.
584 * Otherwise it's a broken packet and we
585 * let the caller deal with it.
592 state->buffer.data = talloc_realloc(state,
595 if (!state->buffer.data) {
598 state->buffer.length = frag_len;
600 /* if we reach this we have a full fragment */
606 /* now create the vector that we want to be filled */
607 vector = talloc_array(mem_ctx, struct iovec, 1);
612 vector[0].iov_base = (void *) (state->buffer.data + ofs);
613 vector[0].iov_len = state->buffer.length - ofs;
620 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
622 struct tevent_req *req = tevent_req_callback_data(subreq,
624 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
625 struct dcerpc_read_ncacn_packet_state);
630 ret = tstream_readv_pdu_recv(subreq, &sys_errno);
633 status = map_nt_error_from_unix_common(sys_errno);
634 tevent_req_nterror(req, status);
638 status = dcerpc_pull_ncacn_packet(state->pkt,
641 if (tevent_req_nterror(req, status)) {
645 tevent_req_done(req);
648 NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
650 struct ncacn_packet **pkt,
653 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
654 struct dcerpc_read_ncacn_packet_state);
657 if (tevent_req_is_nterror(req, &status)) {
658 tevent_req_received(req);
662 *pkt = talloc_move(mem_ctx, &state->pkt);
664 buffer->data = talloc_move(mem_ctx, &state->buffer.data);
665 buffer->length = state->buffer.length;
668 tevent_req_received(req);
672 const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
673 enum dcerpc_transport_t transport,
674 const struct ndr_interface_table *table)
677 const char *p = NULL;
678 const char *endpoint = NULL;
680 struct dcerpc_binding *default_binding = NULL;
681 TALLOC_CTX *frame = talloc_stackframe();
683 /* Find one of the default pipes for this interface */
685 for (i = 0; i < table->endpoints->count; i++) {
686 enum dcerpc_transport_t dtransport;
687 const char *dendpoint;
689 status = dcerpc_parse_binding(frame, table->endpoints->names[i],
691 if (!NT_STATUS_IS_OK(status)) {
695 dtransport = dcerpc_binding_get_transport(default_binding);
696 dendpoint = dcerpc_binding_get_string_option(default_binding,
698 if (dendpoint == NULL) {
699 TALLOC_FREE(default_binding);
703 if (transport == NCA_UNKNOWN) {
704 transport = dtransport;
707 if (transport != dtransport) {
708 TALLOC_FREE(default_binding);
721 * extract the pipe name without \\pipe from for example
722 * ncacn_np:[\\pipe\\epmapper]
724 if (transport == NCACN_NP) {
725 if (strncasecmp(p, "\\pipe\\", 6) == 0) {
733 endpoint = talloc_strdup(mem_ctx, p);
740 struct dcerpc_sec_vt_header2 dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet *pkt)
742 struct dcerpc_sec_vt_header2 ret;
745 ret.ptype = pkt->ptype;
746 memcpy(&ret.drep, pkt->drep, sizeof(ret.drep));
747 ret.call_id = pkt->call_id;
749 switch (pkt->ptype) {
750 case DCERPC_PKT_REQUEST:
751 ret.context_id = pkt->u.request.context_id;
752 ret.opnum = pkt->u.request.opnum;
755 case DCERPC_PKT_RESPONSE:
756 ret.context_id = pkt->u.response.context_id;
759 case DCERPC_PKT_FAULT:
760 ret.context_id = pkt->u.fault.context_id;
770 bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2 *v1,
771 const struct dcerpc_sec_vt_header2 *v2)
773 if (v1->ptype != v2->ptype) {
777 if (memcmp(v1->drep, v2->drep, sizeof(v1->drep)) != 0) {
781 if (v1->call_id != v2->call_id) {
785 if (v1->context_id != v2->context_id) {
789 if (v1->opnum != v2->opnum) {
796 static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer *r)
799 TALLOC_CTX *frame = talloc_stackframe();
800 struct bitmap *commands_seen;
803 if (r->count.count == 0) {
808 if (memcmp(r->magic, DCERPC_SEC_VT_MAGIC, sizeof(r->magic)) != 0) {
812 commands_seen = bitmap_talloc(frame, DCERPC_SEC_VT_COMMAND_ENUM + 1);
813 if (commands_seen == NULL) {
817 for (i=0; i < r->count.count; i++) {
818 enum dcerpc_sec_vt_command_enum cmd =
819 r->commands[i].command & DCERPC_SEC_VT_COMMAND_ENUM;
821 if (bitmap_query(commands_seen, cmd)) {
822 /* Each command must appear at most once. */
825 bitmap_set(commands_seen, cmd);
828 case DCERPC_SEC_VT_COMMAND_BITMASK1:
829 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
830 case DCERPC_SEC_VT_COMMAND_HEADER2:
831 case DCERPC_SEC_VT_COMMAND_PREAUTH:
834 if ((r->commands[i].u._unknown.length % 4) != 0) {
846 static bool dcerpc_sec_vt_bitmask_check(const uint32_t *bitmask1,
847 const struct dcerpc_sec_vt *c)
849 if (bitmask1 == NULL) {
850 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
851 DEBUG(10, ("SEC_VT check Bitmask1 must_process_command "
859 if ((c->u.bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING)
860 && (!(*bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING))) {
861 DEBUG(10, ("SEC_VT check Bitmask1 client_header_signing "
868 static bool dcerpc_sec_vt_pctx_check(const struct dcerpc_sec_vt_pcontext *pcontext,
869 const struct dcerpc_sec_vt *c)
873 if (pcontext == NULL) {
874 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
875 DEBUG(10, ("SEC_VT check Pcontext must_process_command "
883 ok = ndr_syntax_id_equal(&pcontext->abstract_syntax,
884 &c->u.pcontext.abstract_syntax);
886 struct ndr_syntax_id_buf buf1, buf2;
887 DEBUG(10, ("SEC_VT check pcontext abstract_syntax failed: "
889 ndr_syntax_id_buf_string(
890 &pcontext->abstract_syntax, &buf1),
891 ndr_syntax_id_buf_string(
892 &c->u.pcontext.abstract_syntax, &buf2)));
895 ok = ndr_syntax_id_equal(&pcontext->transfer_syntax,
896 &c->u.pcontext.transfer_syntax);
898 struct ndr_syntax_id_buf buf1, buf2;
899 DEBUG(10, ("SEC_VT check pcontext transfer_syntax failed: "
901 ndr_syntax_id_buf_string(
902 &pcontext->transfer_syntax, &buf1),
903 ndr_syntax_id_buf_string(
904 &c->u.pcontext.transfer_syntax, &buf2)));
911 static bool dcerpc_sec_vt_hdr2_check(const struct dcerpc_sec_vt_header2 *header2,
912 const struct dcerpc_sec_vt *c)
914 if (header2 == NULL) {
915 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
916 DEBUG(10, ("SEC_VT check Header2 must_process_command failed\n"));
923 if (!dcerpc_sec_vt_header2_equal(header2, &c->u.header2)) {
924 DEBUG(10, ("SEC_VT check Header2 failed\n"));
931 NTSTATUS dcerpc_sec_vt_preauth_update(const struct dcerpc_sec_vt_preauth *in,
932 const struct ncacn_packet *pkt,
933 const DATA_BLOB *buffer,
934 struct dcerpc_sec_vt_preauth *out)
936 gnutls_hash_hd_t hash_hnd = NULL;
940 switch (pkt->ptype) {
941 case DCERPC_PKT_BIND:
942 case DCERPC_PKT_BIND_ACK:
943 case DCERPC_PKT_ALTER:
944 case DCERPC_PKT_ALTER_RESP:
945 case DCERPC_PKT_AUTH3:
952 rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA512);
954 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
956 rc = gnutls_hash(hash_hnd, in->sha512, sizeof(in->sha512));
958 gnutls_hash_deinit(hash_hnd, NULL);
959 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
961 rc = gnutls_hash(hash_hnd, buffer->data, buffer->length);
963 gnutls_hash_deinit(hash_hnd, NULL);
964 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
967 gnutls_hash_output(hash_hnd, out->sha512);
972 static bool dcerpc_sec_vt_preauth_check(const struct dcerpc_sec_vt_preauth *preauth,
973 const struct dcerpc_sec_vt *c)
975 struct dcerpc_sec_vt_preauth result;
976 DATA_BLOB buffer = data_blob_null;
980 if (preauth == NULL) {
981 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
982 DEBUG(10, ("SEC_VT check PREAUTH must_process_command failed\n"));
989 buffer = data_blob_const(c->u.preauth.salt, sizeof(c->u.preauth.salt));
991 status = dcerpc_sec_vt_preauth_update(preauth, NULL, &buffer, &result);
992 if (!NT_STATUS_IS_OK(status)) {
993 DBG_ERR("dcerpc_sec_vt_preauth_update() failed: %s\n",
998 cmp = memcmp(c->u.preauth.sha512, result.sha512, sizeof(result.sha512));
1000 DEBUG(10, ("SEC_VT check PREAUTH failed\n"));
1007 bool dcerpc_sec_verification_trailer_check(
1008 const struct dcerpc_sec_verification_trailer *vt,
1009 const uint32_t *bitmask1,
1010 const struct dcerpc_sec_vt_pcontext *pcontext,
1011 const struct dcerpc_sec_vt_header2 *header2,
1012 const struct dcerpc_sec_vt_preauth *preauth)
1016 if (!dcerpc_sec_vt_is_valid(vt)) {
1020 for (i=0; i < vt->count.count; i++) {
1022 struct dcerpc_sec_vt *c = &vt->commands[i];
1024 switch (c->command & DCERPC_SEC_VT_COMMAND_ENUM) {
1025 case DCERPC_SEC_VT_COMMAND_BITMASK1:
1026 ok = dcerpc_sec_vt_bitmask_check(bitmask1, c);
1032 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
1033 ok = dcerpc_sec_vt_pctx_check(pcontext, c);
1039 case DCERPC_SEC_VT_COMMAND_HEADER2: {
1040 ok = dcerpc_sec_vt_hdr2_check(header2, c);
1047 case DCERPC_SEC_VT_COMMAND_PREAUTH: {
1048 ok = dcerpc_sec_vt_preauth_check(preauth, c);
1056 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
1057 DEBUG(10, ("SEC_VT check Unknown must_process_command failed\n"));
1068 static const struct ndr_syntax_id dcerpc_bind_time_features_prefix = {
1070 .time_low = 0x6cb71c2c,
1072 .time_hi_and_version = 0x4540,
1073 .clock_seq = {0x00, 0x00},
1074 .node = {0x00,0x00,0x00,0x00,0x00,0x00}
1079 bool dcerpc_extract_bind_time_features(struct ndr_syntax_id s, uint64_t *_features)
1082 uint64_t features = 0;
1084 values[0] = s.uuid.clock_seq[0];
1085 values[1] = s.uuid.clock_seq[1];
1086 values[2] = s.uuid.node[0];
1087 values[3] = s.uuid.node[1];
1088 values[4] = s.uuid.node[2];
1089 values[5] = s.uuid.node[3];
1090 values[6] = s.uuid.node[4];
1091 values[7] = s.uuid.node[5];
1093 ZERO_STRUCT(s.uuid.clock_seq);
1094 ZERO_STRUCT(s.uuid.node);
1096 if (!ndr_syntax_id_equal(&s, &dcerpc_bind_time_features_prefix)) {
1097 if (_features != NULL) {
1103 features = BVAL(values, 0);
1105 if (_features != NULL) {
1106 *_features = features;
1112 struct ndr_syntax_id dcerpc_construct_bind_time_features(uint64_t features)
1114 struct ndr_syntax_id s = dcerpc_bind_time_features_prefix;
1117 SBVAL(values, 0, features);
1119 s.uuid.clock_seq[0] = values[0];
1120 s.uuid.clock_seq[1] = values[1];
1121 s.uuid.node[0] = values[2];
1122 s.uuid.node[1] = values[3];
1123 s.uuid.node[2] = values[4];
1124 s.uuid.node[3] = values[5];
1125 s.uuid.node[4] = values[6];
1126 s.uuid.node[5] = values[7];
1131 NTSTATUS dcerpc_generic_session_key(DATA_BLOB *session_key)
1133 *session_key = data_blob_null;
1135 /* this took quite a few CPU cycles to find ... */
1136 session_key->data = discard_const_p(unsigned char, "SystemLibraryDTC");
1137 session_key->length = 16;
1138 return NT_STATUS_OK;
1142 push a ncacn_packet into a blob, potentially with auth info
1144 NTSTATUS dcerpc_ncacn_push_auth(DATA_BLOB *blob,
1145 TALLOC_CTX *mem_ctx,
1146 struct ncacn_packet *pkt,
1147 struct dcerpc_auth *auth_info)
1149 struct ndr_push *ndr;
1150 enum ndr_err_code ndr_err;
1152 ndr = ndr_push_init_ctx(mem_ctx);
1154 return NT_STATUS_NO_MEMORY;
1158 pkt->auth_length = auth_info->credentials.length;
1160 pkt->auth_length = 0;
1163 ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
1164 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1165 return ndr_map_error2ntstatus(ndr_err);
1170 /* the s3 rpc server doesn't handle auth padding in
1171 bind requests. Use zero auth padding to keep us
1172 working with old servers */
1173 uint32_t offset = ndr->offset;
1174 ndr_err = ndr_push_align(ndr, 16);
1175 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1176 return ndr_map_error2ntstatus(ndr_err);
1178 auth_info->auth_pad_length = ndr->offset - offset;
1180 auth_info->auth_pad_length = 0;
1182 ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth_info);
1183 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1184 return ndr_map_error2ntstatus(ndr_err);
1188 *blob = ndr_push_blob(ndr);
1190 /* fill in the frag length */
1191 dcerpc_set_frag_length(blob, blob->length);
1193 return NT_STATUS_OK;
1197 log a rpc packet in a format suitable for ndrdump. This is especially useful
1198 for sealed packets, where ethereal cannot easily see the contents
1200 this triggers if "dcesrv:stubs directory" is set and present
1201 for all packets that fail to parse
1203 void dcerpc_log_packet(const char *packet_log_dir,
1204 const char *interface_name,
1205 uint32_t opnum, ndr_flags_type flags,
1206 const DATA_BLOB *pkt,
1209 const int num_examples = 20;
1212 if (packet_log_dir == NULL) {
1216 for (i=0;i<num_examples;i++) {
1220 ret = asprintf(&name, "%s/%s-%"PRIu32".%d.%s.%s",
1221 packet_log_dir, interface_name, opnum, i,
1222 (flags&NDR_IN)?"in":"out",
1228 saved = file_save(name, pkt->data, pkt->length);
1230 DBG_DEBUG("Logged rpc packet to %s\n", name);