rpc_server: add support for DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
authorStefan Metzmacher <metze@samba.org>
Wed, 6 Aug 2008 20:28:04 +0000 (22:28 +0200)
committerStefan Metzmacher <metze@samba.org>
Thu, 7 Aug 2008 13:40:20 +0000 (15:40 +0200)
You need to set "dcesrv:header signing=yes" to enable it.

metze

source/rpc_server/dcerpc_server.c
source/rpc_server/dcerpc_server.h
source/rpc_server/dcesrv_auth.c

index 95589498e213851588b5c9e53c608004632bc9e5..a336ddb3398b1208bf3c60d591be26847e573942 100644 (file)
@@ -544,6 +544,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
        uint32_t result=0, reason=0;
        uint32_t context_id;
        const struct dcesrv_interface *iface;
+       uint32_t extra_flags = 0;
 
        /*
         * Association groups allow policy handles to be shared across
@@ -617,6 +618,12 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
                call->conn->cli_max_recv_frag = call->pkt.u.bind.max_recv_frag;
        }
 
+       if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
+           lp_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
+               call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
+               extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+       }
+
        /* handle any authentication that is being requested */
        if (!dcesrv_auth_bind(call)) {
                return dcesrv_bind_nak(call, DCERPC_BIND_REASON_INVALID_AUTH_TYPE);
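Review bot: The added block sets DCESRV_CALL_STATE_FLAG_HEADER_SIGNING on the connection and queues DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN for the bind_ack before `dcesrv_auth_bind(call)` has run. The acknowledgement therefore does not depend on whether the bind carries auth info or on which mechanism ends up being used. A client that sees the flag echoed will presumably expect the PDU header to be covered by the signature, so the decision is safer made after the auth step. Failing that, the ordering should be documented with a comment such as `/* only advertised here; signing of the header is requested from gensec later in dcesrv_auth_bind_ack() */`. dcesrv_bind starts and ends outside this hunk, so the no-auth path could not be checked from here.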
@@ -627,7 +634,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
        pkt.auth_length = 0;
        pkt.call_id = call->pkt.call_id;
        pkt.ptype = DCERPC_PKT_BIND_ACK;
-       pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
+       pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
        pkt.u.bind_ack.max_xmit_frag = 0x2000;
        pkt.u.bind_ack.max_recv_frag = 0x2000;
        /* we need to send a non zero assoc_group_id here to make longhorn happy, it also matches samba3 */
index 058dfe3ab24e7737aa9931613da197bb2bc97147..b5672b41ac4fe3eb2ea9d3d75df8963210f6c59c 100644 (file)
@@ -101,6 +101,7 @@ struct dcesrv_call_state {
         */
 #define DCESRV_CALL_STATE_FLAG_ASYNC (1<<0)
 #define DCESRV_CALL_STATE_FLAG_MAY_ASYNC (1<<1)
+#define DCESRV_CALL_STATE_FLAG_HEADER_SIGNING (1<<2)
        uint32_t state_flags;
 
        /* the time the request arrived in the server */
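Review bot: DCESRV_CALL_STATE_FLAG_HEADER_SIGNING is defined next to the `state_flags` field of struct dcesrv_call_state, but the other two hunks only set and test it on the connection (`call->conn->state_flags`, `dce_conn->state_flags`). If the connection's `state_flags` uses its own bit assignments, `(1<<2)` could collide with one of them; that declaration is not visible here, so this needs confirming. Either give the bit a connection-scoped name or add a comment on the define, for example `/* stored in dcesrv_connection.state_flags, negotiated at bind time */`, so readers do not look for it on the call.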
index 1d89441170be883ca9feb19a74f46b45a4e462d1..64f42eea257d35066b7f3033158a03ccbd0dd1cf 100644 (file)
@@ -124,6 +124,11 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
                        return status;
                }
 
+               if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
+                       gensec_want_feature(dce_conn->auth_state.gensec_security,
+                                           GENSEC_FEATURE_SIGN_PKT_HEADER);
+               }
+
                /* Now that we are authenticated, go back to the generic session key... */
                dce_conn->auth_state.session_key = dcesrv_generic_session_key;
                return NT_STATUS_OK;
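Review bot: The `gensec_want_feature()` call for GENSEC_FEATURE_SIGN_PKT_HEADER is made only after the exchange has succeeded, and nothing afterwards confirms that the security backend accepted it. By then the bind_ack already advertises DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN. A backend that cannot sign the header would leave the two peers disagreeing on what the signature covers. A check with `gensec_have_feature(dce_conn->auth_state.gensec_security, GENSEC_FEATURE_SIGN_PKT_HEADER)` would catch this. On failure the code could either fail the bind or clear the flag from both the outgoing packet and the connection state. The request is also made only on this success path; if authentication can complete elsewhere (a later leg handled outside this hunk), that path would presumably need the same call.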