2 # Unix SMB/CIFS implementation.
3 # Copyright (C) Stefan Metzmacher 2014,2015
5 # This program is free software; you can redistribute it and/or modify
6 # it under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # This program is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 sys.path.insert(0, "bin/python")
24 os.environ["PYTHONUNBUFFERED"] = "1"
26 import samba.dcerpc.dcerpc as dcerpc
27 import samba.dcerpc.base as base
28 import samba.dcerpc.misc as misc
29 import samba.dcerpc.epmapper
30 import samba.dcerpc.mgmt
31 import samba.dcerpc.netlogon
32 import samba.dcerpc.lsa
34 from samba import gensec
35 from samba.tests.dcerpc.raw_testcase import RawDCERPCTest
36 from samba.compat import binary_type
37 from samba.ntstatus import (
41 global_ndr_print = False
42 global_hexdump = False
45 class TestDCERPC_BIND(RawDCERPCTest):
48 super(TestDCERPC_BIND, self).setUp()
49 self.do_ndr_print = global_ndr_print
50 self.do_hexdump = global_hexdump
52 def _test_no_auth_request_bind_pfc_flags(self, req_pfc_flags, rep_pfc_flags):
53 ndr32 = base.transfer_syntax_ndr()
56 ctx1 = dcerpc.ctx_list()
58 ctx1.num_transfer_syntaxes = len(tsf1_list)
59 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
60 ctx1.transfer_syntaxes = tsf1_list
62 req = self.generate_bind(call_id=0, pfc_flags=req_pfc_flags, ctx_list=[ctx1])
65 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
66 pfc_flags=rep_pfc_flags, auth_length=0)
67 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
68 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
69 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
70 self.assertEqual(rep.u.secondary_address_size, 4)
71 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
72 self.assertPadding(rep.u._pad1, 2)
73 self.assertEqual(rep.u.num_results, 1)
74 self.assertEqual(rep.u.ctx_list[0].result,
75 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
76 self.assertEqual(rep.u.ctx_list[0].reason,
77 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
78 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
79 self.assertEqual(rep.u.auth_info, b'\0' * 0)
81 # And now try a request
82 req = self.generate_request(call_id=1,
83 context_id=ctx1.context_id,
88 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
90 self.assertNotEquals(rep.u.alloc_hint, 0)
91 self.assertEqual(rep.u.context_id, req.u.context_id)
92 self.assertEqual(rep.u.cancel_count, 0)
93 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
95 def _test_no_auth_request_alter_pfc_flags(self, req_pfc_flags, rep_pfc_flags):
96 ndr32 = base.transfer_syntax_ndr()
99 ctx1 = dcerpc.ctx_list()
101 ctx1.num_transfer_syntaxes = len(tsf1_list)
102 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
103 ctx1.transfer_syntaxes = tsf1_list
105 req = self.generate_bind(call_id=0, ctx_list=[ctx1])
107 rep = self.recv_pdu()
108 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
110 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
111 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
112 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
113 self.assertEqual(rep.u.secondary_address_size, 4)
114 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
115 self.assertPadding(rep.u._pad1, 2)
116 self.assertEqual(rep.u.num_results, 1)
117 self.assertEqual(rep.u.ctx_list[0].result,
118 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
119 self.assertEqual(rep.u.ctx_list[0].reason,
120 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
121 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
122 self.assertEqual(rep.u.auth_info, b'\0' * 0)
124 # And now try a alter context
125 req = self.generate_alter(call_id=0, pfc_flags=req_pfc_flags, ctx_list=[ctx1])
127 rep = self.recv_pdu()
128 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
129 pfc_flags=rep_pfc_flags, auth_length=0)
130 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
131 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
132 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
133 self.assertEqual(rep.u.secondary_address_size, 0)
134 self.assertEqual(rep.u.secondary_address, "")
135 self.assertPadding(rep.u._pad1, 2)
136 self.assertEqual(rep.u.num_results, 1)
137 self.assertEqual(rep.u.ctx_list[0].result,
138 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
139 self.assertEqual(rep.u.ctx_list[0].reason,
140 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
141 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
142 self.assertEqual(rep.u.auth_info, b'\0' * 0)
144 # And now try a request
145 req = self.generate_request(call_id=1,
146 context_id=ctx1.context_id,
150 rep = self.recv_pdu()
151 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
153 self.assertNotEquals(rep.u.alloc_hint, 0)
154 self.assertEqual(rep.u.context_id, req.u.context_id)
155 self.assertEqual(rep.u.cancel_count, 0)
156 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
158 def test_no_auth_request(self):
159 return self._test_no_auth_request_bind_pfc_flags(
161 dcerpc.DCERPC_PFC_FLAG_FIRST |
162 dcerpc.DCERPC_PFC_FLAG_LAST,
164 dcerpc.DCERPC_PFC_FLAG_FIRST |
165 dcerpc.DCERPC_PFC_FLAG_LAST)
167 def test_no_auth_request_bind_pfc_00(self):
168 return self._test_no_auth_request_bind_pfc_flags(
172 dcerpc.DCERPC_PFC_FLAG_FIRST |
173 dcerpc.DCERPC_PFC_FLAG_LAST)
175 def test_no_auth_request_bind_pfc_FIRST(self):
176 return self._test_no_auth_request_bind_pfc_flags(
178 dcerpc.DCERPC_PFC_FLAG_FIRST |
181 dcerpc.DCERPC_PFC_FLAG_FIRST |
182 dcerpc.DCERPC_PFC_FLAG_LAST)
184 def test_no_auth_request_bind_pfc_LAST(self):
185 return self._test_no_auth_request_bind_pfc_flags(
187 dcerpc.DCERPC_PFC_FLAG_LAST |
190 dcerpc.DCERPC_PFC_FLAG_FIRST |
191 dcerpc.DCERPC_PFC_FLAG_LAST)
193 def test_no_auth_request_bind_pfc_HDR_SIGNING(self):
194 return self._test_no_auth_request_bind_pfc_flags(
196 dcerpc.DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
199 dcerpc.DCERPC_PFC_FLAG_FIRST |
200 dcerpc.DCERPC_PFC_FLAG_LAST |
201 dcerpc.DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)
203 def test_no_auth_request_bind_pfc_08(self):
204 return self._test_no_auth_request_bind_pfc_flags(
209 dcerpc.DCERPC_PFC_FLAG_FIRST |
210 dcerpc.DCERPC_PFC_FLAG_LAST)
212 def test_no_auth_request_bind_pfc_CONC_MPX(self):
213 return self._test_no_auth_request_bind_pfc_flags(
215 dcerpc.DCERPC_PFC_FLAG_CONC_MPX |
218 dcerpc.DCERPC_PFC_FLAG_FIRST |
219 dcerpc.DCERPC_PFC_FLAG_LAST |
220 dcerpc.DCERPC_PFC_FLAG_CONC_MPX)
222 def test_no_auth_request_bind_pfc_DID_NOT_EXECUTE(self):
223 return self._test_no_auth_request_bind_pfc_flags(
225 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
228 dcerpc.DCERPC_PFC_FLAG_FIRST |
229 dcerpc.DCERPC_PFC_FLAG_LAST)
231 def test_no_auth_request_bind_pfc_MAYBE(self):
232 return self._test_no_auth_request_bind_pfc_flags(
234 dcerpc.DCERPC_PFC_FLAG_MAYBE |
237 dcerpc.DCERPC_PFC_FLAG_FIRST |
238 dcerpc.DCERPC_PFC_FLAG_LAST)
240 def test_no_auth_request_bind_pfc_OBJECT_UUID(self):
241 return self._test_no_auth_request_bind_pfc_flags(
243 dcerpc.DCERPC_PFC_FLAG_OBJECT_UUID |
246 dcerpc.DCERPC_PFC_FLAG_FIRST |
247 dcerpc.DCERPC_PFC_FLAG_LAST)
249 # TODO: doesn't announce DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
250 # without authentication
251 # TODO: doesn't announce DCERPC_PFC_FLAG_CONC_MPX
253 def _test_no_auth_request_bind_pfc_ff(self):
254 return self._test_no_auth_request_bind_pfc_flags(
259 dcerpc.DCERPC_PFC_FLAG_FIRST |
260 dcerpc.DCERPC_PFC_FLAG_LAST |
261 dcerpc.DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
262 dcerpc.DCERPC_PFC_FLAG_CONC_MPX)
264 def test_no_auth_request_alter_pfc_00(self):
265 return self._test_no_auth_request_alter_pfc_flags(
269 dcerpc.DCERPC_PFC_FLAG_FIRST |
270 dcerpc.DCERPC_PFC_FLAG_LAST)
272 def test_no_auth_request_alter_pfc_FIRST(self):
273 return self._test_no_auth_request_alter_pfc_flags(
275 dcerpc.DCERPC_PFC_FLAG_FIRST |
278 dcerpc.DCERPC_PFC_FLAG_FIRST |
279 dcerpc.DCERPC_PFC_FLAG_LAST)
281 def test_no_auth_request_alter_pfc_LAST(self):
282 return self._test_no_auth_request_alter_pfc_flags(
284 dcerpc.DCERPC_PFC_FLAG_LAST |
287 dcerpc.DCERPC_PFC_FLAG_FIRST |
288 dcerpc.DCERPC_PFC_FLAG_LAST)
290 def test_no_auth_request_alter_pfc_HDR_SIGNING(self):
291 return self._test_no_auth_request_alter_pfc_flags(
293 dcerpc.DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
296 dcerpc.DCERPC_PFC_FLAG_FIRST |
297 dcerpc.DCERPC_PFC_FLAG_LAST |
298 dcerpc.DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)
300 def test_no_auth_request_alter_pfc_08(self):
301 return self._test_no_auth_request_alter_pfc_flags(
306 dcerpc.DCERPC_PFC_FLAG_FIRST |
307 dcerpc.DCERPC_PFC_FLAG_LAST)
309 def test_no_auth_request_alter_pfc_CONC_MPX(self):
310 return self._test_no_auth_request_alter_pfc_flags(
312 dcerpc.DCERPC_PFC_FLAG_CONC_MPX |
315 dcerpc.DCERPC_PFC_FLAG_FIRST |
316 dcerpc.DCERPC_PFC_FLAG_LAST)
318 def test_no_auth_request_alter_pfc_DID_NOT_EXECUTE(self):
319 return self._test_no_auth_request_alter_pfc_flags(
321 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
324 dcerpc.DCERPC_PFC_FLAG_FIRST |
325 dcerpc.DCERPC_PFC_FLAG_LAST)
327 def test_no_auth_request_alter_pfc_MAYBE(self):
328 return self._test_no_auth_request_alter_pfc_flags(
330 dcerpc.DCERPC_PFC_FLAG_MAYBE |
333 dcerpc.DCERPC_PFC_FLAG_FIRST |
334 dcerpc.DCERPC_PFC_FLAG_LAST)
336 def test_no_auth_request_alter_pfc_OBJECT_UUID(self):
337 return self._test_no_auth_request_alter_pfc_flags(
339 dcerpc.DCERPC_PFC_FLAG_OBJECT_UUID |
342 dcerpc.DCERPC_PFC_FLAG_FIRST |
343 dcerpc.DCERPC_PFC_FLAG_LAST)
345 def test_no_auth_request_alter_pfc_ff(self):
346 return self._test_no_auth_request_alter_pfc_flags(
351 dcerpc.DCERPC_PFC_FLAG_FIRST |
352 dcerpc.DCERPC_PFC_FLAG_LAST |
353 dcerpc.DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)
355 def test_no_auth_no_ctx(self):
356 # send an useless bind
357 req = self.generate_bind(call_id=0)
359 rep = self.recv_pdu()
360 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_NAK, req.call_id,
362 self.assertEqual(rep.u.reject_reason,
363 dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
364 self.assertEqual(rep.u.num_versions, 1)
365 self.assertEqual(rep.u.versions[0].rpc_vers, req.rpc_vers)
366 self.assertEqual(rep.u.versions[0].rpc_vers_minor, req.rpc_vers_minor)
367 self.assertPadding(rep.u._pad, 3)
369 def test_invalid_auth_noctx(self):
370 req = self.generate_bind(call_id=0)
371 req.auth_length = dcerpc.DCERPC_AUTH_TRAILER_LENGTH
373 rep = self.recv_pdu()
374 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_NAK, req.call_id,
376 self.assertEqual(rep.u.reject_reason,
377 dcerpc.DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED)
378 self.assertEqual(rep.u.num_versions, 1)
379 self.assertEqual(rep.u.versions[0].rpc_vers, req.rpc_vers)
380 self.assertEqual(rep.u.versions[0].rpc_vers_minor, req.rpc_vers_minor)
381 self.assertPadding(rep.u._pad, 3)
383 def test_no_auth_valid_valid_request(self):
384 ndr32 = base.transfer_syntax_ndr()
387 ctx1 = dcerpc.ctx_list()
389 ctx1.num_transfer_syntaxes = len(tsf1_list)
390 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
391 ctx1.transfer_syntaxes = tsf1_list
393 req = self.generate_bind(call_id=0, ctx_list=[ctx1])
395 rep = self.recv_pdu()
396 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
398 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
399 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
400 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
401 self.assertEqual(rep.u.secondary_address_size, 4)
402 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
403 self.assertPadding(rep.u._pad1, 2)
404 self.assertEqual(rep.u.num_results, 1)
405 self.assertEqual(rep.u.ctx_list[0].result,
406 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
407 self.assertEqual(rep.u.ctx_list[0].reason,
408 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
409 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
410 self.assertEqual(rep.u.auth_info, b'\0' * 0)
414 ctx2 = dcerpc.ctx_list()
416 ctx2.num_transfer_syntaxes = len(tsf2_list)
417 ctx2.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
418 ctx2.transfer_syntaxes = tsf2_list
420 req = self.generate_bind(call_id=1, ctx_list=[ctx2])
422 rep = self.recv_pdu()
423 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_NAK, req.call_id,
425 self.assertEqual(rep.u.reject_reason,
426 dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
427 self.assertEqual(rep.u.num_versions, 1)
428 self.assertEqual(rep.u.versions[0].rpc_vers, req.rpc_vers)
429 self.assertEqual(rep.u.versions[0].rpc_vers_minor, req.rpc_vers_minor)
430 self.assertPadding(rep.u._pad, 3)
432 # wait for a disconnect
433 rep = self.recv_pdu()
434 self.assertIsNone(rep)
435 self.assertNotConnected()
437 def test_no_auth_invalid_valid_request(self):
438 # send an useless bind
439 req = self.generate_bind(call_id=0)
441 rep = self.recv_pdu()
442 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_NAK, req.call_id,
444 self.assertEqual(rep.u.reject_reason,
445 dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
446 self.assertEqual(rep.u.num_versions, 1)
447 self.assertEqual(rep.u.versions[0].rpc_vers, req.rpc_vers)
448 self.assertEqual(rep.u.versions[0].rpc_vers_minor, req.rpc_vers_minor)
449 self.assertPadding(rep.u._pad, 3)
451 # wait for a disconnect
452 rep = self.recv_pdu()
453 self.assertIsNone(rep)
454 self.assertNotConnected()
456 def test_alter_no_auth_no_ctx(self):
457 ndr32 = base.transfer_syntax_ndr()
460 ctx1 = dcerpc.ctx_list()
462 ctx1.num_transfer_syntaxes = len(tsf1_list)
463 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
464 ctx1.transfer_syntaxes = tsf1_list
466 req = self.generate_bind(call_id=0, ctx_list=[ctx1])
468 rep = self.recv_pdu()
469 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
471 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
472 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
473 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
474 self.assertEqual(rep.u.secondary_address_size, 4)
475 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
476 self.assertPadding(rep.u._pad1, 2)
477 self.assertEqual(rep.u.num_results, 1)
478 self.assertEqual(rep.u.ctx_list[0].result,
479 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
480 self.assertEqual(rep.u.ctx_list[0].reason,
481 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
482 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
483 self.assertEqual(rep.u.auth_info, b'\0' * 0)
486 req = self.generate_alter(call_id=1, ctx_list=[])
488 rep = self.recv_pdu()
489 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
490 pfc_flags=req.pfc_flags |
491 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
493 self.assertNotEquals(rep.u.alloc_hint, 0)
494 self.assertEqual(rep.u.context_id, 0)
495 self.assertEqual(rep.u.cancel_count, 0)
496 self.assertEqual(rep.u.flags, 0)
497 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
498 self.assertEqual(rep.u.reserved, 0)
499 self.assertEqual(len(rep.u.error_and_verifier), 0)
501 # wait for a disconnect
502 rep = self.recv_pdu()
503 self.assertIsNone(rep)
504 self.assertNotConnected()
506 def test_no_auth_presentation_ctx_valid1(self):
507 ndr32 = base.transfer_syntax_ndr()
509 zero_syntax = misc.ndr_syntax_id()
511 tsf1_list = [zero_syntax, ndr32]
512 ctx1 = dcerpc.ctx_list()
514 ctx1.num_transfer_syntaxes = len(tsf1_list)
515 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
516 ctx1.transfer_syntaxes = tsf1_list
518 req = self.generate_bind(call_id=0, ctx_list=[ctx1])
520 rep = self.recv_pdu()
521 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
523 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
524 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
525 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
526 self.assertEqual(rep.u.secondary_address_size, 4)
527 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
528 self.assertPadding(rep.u._pad1, 2)
529 self.assertEqual(rep.u.num_results, 1)
530 self.assertEqual(rep.u.ctx_list[0].result,
531 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
532 self.assertEqual(rep.u.ctx_list[0].reason,
533 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
534 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
535 self.assertEqual(rep.u.auth_info, b'\0' * 0)
538 req = self.generate_alter(call_id=1, ctx_list=[ctx1])
540 rep = self.recv_pdu()
541 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
543 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
544 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
545 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
546 self.assertEqual(rep.u.secondary_address_size, 0)
547 self.assertPadding(rep.u._pad1, 2)
548 self.assertEqual(rep.u.num_results, 1)
549 self.assertEqual(rep.u.ctx_list[0].result,
550 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
551 self.assertEqual(rep.u.ctx_list[0].reason,
552 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
553 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
554 self.assertEqual(rep.u.auth_info, b'\0' * 0)
556 req = self.generate_request(call_id=2,
557 context_id=ctx1.context_id,
561 rep = self.recv_pdu()
562 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
563 pfc_flags=req.pfc_flags |
564 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
566 self.assertNotEquals(rep.u.alloc_hint, 0)
567 self.assertEqual(rep.u.context_id, ctx1.context_id)
568 self.assertEqual(rep.u.cancel_count, 0)
569 self.assertEqual(rep.u.flags, 0)
570 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_OP_RNG_ERROR)
571 self.assertEqual(rep.u.reserved, 0)
572 self.assertEqual(len(rep.u.error_and_verifier), 0)
574 def test_no_auth_presentation_ctx_invalid1(self):
575 ndr32 = base.transfer_syntax_ndr()
577 zero_syntax = misc.ndr_syntax_id()
580 ctx1 = dcerpc.ctx_list()
582 ctx1.num_transfer_syntaxes = len(tsf1_list)
583 ctx1.abstract_syntax = ndr32
584 ctx1.transfer_syntaxes = tsf1_list
586 req = self.generate_bind(call_id=0, ctx_list=[ctx1])
588 rep = self.recv_pdu()
589 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
591 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
592 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
593 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
594 self.assertEqual(rep.u.secondary_address_size, 4)
595 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
596 self.assertPadding(rep.u._pad1, 2)
597 self.assertEqual(rep.u.num_results, 1)
598 self.assertEqual(rep.u.ctx_list[0].result,
599 dcerpc.DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION)
600 self.assertEqual(rep.u.ctx_list[0].reason,
601 dcerpc.DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED)
602 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, zero_syntax)
603 self.assertEqual(rep.u.auth_info, b'\0' * 0)
606 req = self.generate_alter(call_id=1, ctx_list=[ctx1])
608 rep = self.recv_pdu()
609 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
611 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
612 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
613 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
614 self.assertEqual(rep.u.secondary_address_size, 0)
615 self.assertPadding(rep.u._pad1, 2)
616 self.assertEqual(rep.u.num_results, 1)
617 self.assertEqual(rep.u.ctx_list[0].result,
618 dcerpc.DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION)
619 self.assertEqual(rep.u.ctx_list[0].reason,
620 dcerpc.DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED)
621 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, zero_syntax)
622 self.assertEqual(rep.u.auth_info, b'\0' * 0)
624 req = self.generate_request(call_id=2,
629 rep = self.recv_pdu()
630 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
631 pfc_flags=req.pfc_flags |
632 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
634 self.assertNotEquals(rep.u.alloc_hint, 0)
635 self.assertEqual(rep.u.context_id, 0)
636 self.assertEqual(rep.u.cancel_count, 0)
637 self.assertEqual(rep.u.flags, 0)
638 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_UNKNOWN_IF)
639 self.assertEqual(rep.u.reserved, 0)
640 self.assertEqual(len(rep.u.error_and_verifier), 0)
642 # Send a alter again to prove the connection is still alive
643 req = self.generate_alter(call_id=3, ctx_list=[ctx1])
645 rep = self.recv_pdu()
646 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
648 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
649 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
650 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
651 self.assertEqual(rep.u.secondary_address_size, 0)
652 self.assertPadding(rep.u._pad1, 2)
653 self.assertEqual(rep.u.num_results, 1)
654 self.assertEqual(rep.u.ctx_list[0].result,
655 dcerpc.DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION)
656 self.assertEqual(rep.u.ctx_list[0].reason,
657 dcerpc.DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED)
658 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, zero_syntax)
659 self.assertEqual(rep.u.auth_info, b'\0' * 0)
661 def test_no_auth_presentation_ctx_invalid2(self):
662 ndr32 = base.transfer_syntax_ndr()
664 zero_syntax = misc.ndr_syntax_id()
667 ctx1a = dcerpc.ctx_list()
669 ctx1a.num_transfer_syntaxes = len(tsf1a_list)
670 ctx1a.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
671 ctx1a.transfer_syntaxes = tsf1a_list
673 req = self.generate_bind(call_id=0, ctx_list=[ctx1a])
675 rep = self.recv_pdu()
676 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_NAK, req.call_id,
678 self.assertEqual(rep.u.reject_reason,
679 dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
680 self.assertEqual(rep.u.num_versions, 1)
681 self.assertEqual(rep.u.versions[0].rpc_vers, req.rpc_vers)
682 self.assertEqual(rep.u.versions[0].rpc_vers_minor, req.rpc_vers_minor)
683 self.assertPadding(rep.u._pad, 3)
685 # wait for a disconnect
686 rep = self.recv_pdu()
687 self.assertIsNone(rep)
688 self.assertNotConnected()
690 def test_no_auth_presentation_ctx_invalid3(self):
691 ndr32 = base.transfer_syntax_ndr()
693 zero_syntax = misc.ndr_syntax_id()
695 tsf1a_list = [zero_syntax, ndr32, ndr32, ndr32]
696 ctx1a = dcerpc.ctx_list()
698 ctx1a.num_transfer_syntaxes = len(tsf1a_list)
699 ctx1a.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
700 ctx1a.transfer_syntaxes = tsf1a_list
702 req = self.generate_bind(call_id=0, ctx_list=[ctx1a])
704 rep = self.recv_pdu()
705 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
707 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
708 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
709 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
710 self.assertEqual(rep.u.secondary_address_size, 4)
711 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
712 self.assertPadding(rep.u._pad1, 2)
713 self.assertEqual(rep.u.num_results, 1)
714 self.assertEqual(rep.u.ctx_list[0].result,
715 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
716 self.assertEqual(rep.u.ctx_list[0].reason,
717 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
718 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
719 self.assertEqual(rep.u.auth_info, b'\0' * 0)
722 ctx1b = dcerpc.ctx_list()
724 ctx1b.num_transfer_syntaxes = len(tsf1b_list)
725 ctx1b.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
726 ctx1b.transfer_syntaxes = tsf1b_list
729 req = self.generate_alter(call_id=1, ctx_list=[ctx1b])
731 rep = self.recv_pdu()
732 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
733 pfc_flags=req.pfc_flags |
734 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
736 self.assertNotEquals(rep.u.alloc_hint, 0)
737 self.assertEqual(rep.u.context_id, 0)
738 self.assertEqual(rep.u.cancel_count, 0)
739 self.assertEqual(rep.u.flags, 0)
740 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
741 self.assertEqual(rep.u.reserved, 0)
742 self.assertEqual(len(rep.u.error_and_verifier), 0)
744 # wait for a disconnect
745 rep = self.recv_pdu()
746 self.assertIsNone(rep)
747 self.assertNotConnected()
749 def test_no_auth_presentation_ctx_invalid4(self):
750 ndr32 = base.transfer_syntax_ndr()
751 ndr64 = base.transfer_syntax_ndr64()
753 zero_syntax = misc.ndr_syntax_id()
755 tsf1a_list = [zero_syntax, ndr32, ndr32, ndr32]
756 ctx1a = dcerpc.ctx_list()
758 ctx1a.num_transfer_syntaxes = len(tsf1a_list)
759 ctx1a.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
760 ctx1a.transfer_syntaxes = tsf1a_list
762 req = self.generate_bind(call_id=0, ctx_list=[ctx1a])
764 rep = self.recv_pdu()
765 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
767 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
768 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
769 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
770 self.assertEqual(rep.u.secondary_address_size, 4)
771 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
772 self.assertPadding(rep.u._pad1, 2)
773 self.assertEqual(rep.u.num_results, 1)
774 self.assertEqual(rep.u.ctx_list[0].result,
775 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
776 self.assertEqual(rep.u.ctx_list[0].reason,
777 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
778 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
779 self.assertEqual(rep.u.auth_info, b'\0' * 0)
781 # With a known but wrong syntax we get a protocol error
782 # see test_no_auth_presentation_ctx_valid2
783 tsf1b_list = [zero_syntax, samba.dcerpc.epmapper.abstract_syntax(), ndr64]
784 ctx1b = dcerpc.ctx_list()
786 ctx1b.num_transfer_syntaxes = len(tsf1b_list)
787 ctx1b.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
788 ctx1b.transfer_syntaxes = tsf1b_list
791 req = self.generate_alter(call_id=1, ctx_list=[ctx1b])
793 rep = self.recv_pdu()
794 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
795 pfc_flags=req.pfc_flags |
796 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
798 self.assertNotEquals(rep.u.alloc_hint, 0)
799 self.assertEqual(rep.u.context_id, 0)
800 self.assertEqual(rep.u.cancel_count, 0)
801 self.assertEqual(rep.u.flags, 0)
802 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
803 self.assertEqual(rep.u.reserved, 0)
804 self.assertEqual(len(rep.u.error_and_verifier), 0)
806 # wait for a disconnect
807 rep = self.recv_pdu()
808 self.assertIsNone(rep)
809 self.assertNotConnected()
811 def test_no_auth_presentation_ctx_valid2(self):
812 ndr32 = base.transfer_syntax_ndr()
814 zero_syntax = misc.ndr_syntax_id()
816 tsf1a_list = [zero_syntax, ndr32, ndr32, ndr32]
817 ctx1a = dcerpc.ctx_list()
819 ctx1a.num_transfer_syntaxes = len(tsf1a_list)
820 ctx1a.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
821 ctx1a.transfer_syntaxes = tsf1a_list
823 req = self.generate_bind(call_id=0, ctx_list=[ctx1a])
825 rep = self.recv_pdu()
826 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
828 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
829 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
830 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
831 self.assertEqual(rep.u.secondary_address_size, 4)
832 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
833 self.assertPadding(rep.u._pad1, 2)
834 self.assertEqual(rep.u.num_results, 1)
835 self.assertEqual(rep.u.ctx_list[0].result,
836 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
837 self.assertEqual(rep.u.ctx_list[0].reason,
838 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
839 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
840 self.assertEqual(rep.u.auth_info, b'\0' * 0)
842 # With a unknown but wrong syntaxes we get NO protocol error
843 # see test_no_auth_presentation_ctx_invalid4
844 tsf1b_list = [zero_syntax, samba.dcerpc.epmapper.abstract_syntax()]
845 ctx1b = dcerpc.ctx_list()
847 ctx1b.num_transfer_syntaxes = len(tsf1b_list)
848 ctx1b.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
849 ctx1b.transfer_syntaxes = tsf1b_list
852 req = self.generate_alter(call_id=1, ctx_list=[ctx1b])
854 rep = self.recv_pdu()
855 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
857 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
858 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
859 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
860 self.assertEqual(rep.u.secondary_address_size, 0)
861 self.assertPadding(rep.u._pad1, 2)
862 self.assertEqual(rep.u.num_results, 1)
863 self.assertEqual(rep.u.ctx_list[0].result,
864 dcerpc.DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION)
865 self.assertEqual(rep.u.ctx_list[0].reason,
866 dcerpc.DCERPC_BIND_ACK_REASON_TRANSFER_SYNTAXES_NOT_SUPPORTED)
867 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, zero_syntax)
868 self.assertEqual(rep.u.auth_info, b'\0' * 0)
870 req = self.generate_request(call_id=2,
871 context_id=ctx1a.context_id,
875 rep = self.recv_pdu()
876 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
877 pfc_flags=req.pfc_flags |
878 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
880 self.assertNotEquals(rep.u.alloc_hint, 0)
881 self.assertEqual(rep.u.context_id, ctx1a.context_id)
882 self.assertEqual(rep.u.cancel_count, 0)
883 self.assertEqual(rep.u.flags, 0)
884 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_OP_RNG_ERROR)
885 self.assertEqual(rep.u.reserved, 0)
886 self.assertEqual(len(rep.u.error_and_verifier), 0)
888 def test_no_auth_presentation_ctx_no_ndr64(self):
889 ndr32 = base.transfer_syntax_ndr()
890 zero_syntax = misc.ndr_syntax_id()
892 tsfZ_list = [zero_syntax]
893 ctxZ = dcerpc.ctx_list()
894 ctxZ.context_id = 54321
895 ctxZ.num_transfer_syntaxes = len(tsfZ_list)
896 ctxZ.abstract_syntax = zero_syntax
897 ctxZ.transfer_syntaxes = tsfZ_list
899 req = self.generate_bind(call_id=0, ctx_list=[ctxZ])
901 rep = self.recv_pdu()
902 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
904 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
905 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
906 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
907 self.assertEqual(rep.u.secondary_address_size, 4)
908 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
909 self.assertPadding(rep.u._pad1, 2)
910 self.assertEqual(rep.u.num_results, 1)
911 self.assertEqual(rep.u.ctx_list[0].result,
912 dcerpc.DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION)
913 self.assertEqual(rep.u.ctx_list[0].reason,
914 dcerpc.DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED)
915 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, zero_syntax)
916 self.assertEqual(rep.u.auth_info, b'\0' * 0)
919 ctx0 = dcerpc.ctx_list()
921 ctx0.num_transfer_syntaxes = len(tsf0_list)
922 ctx0.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
923 ctx0.transfer_syntaxes = tsf0_list
925 req = self.generate_alter(call_id=0, ctx_list=[ctx0])
927 rep = self.recv_pdu()
928 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
930 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
931 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
932 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
933 self.assertEqual(rep.u.secondary_address_size, 0)
934 self.assertPadding(rep.u._pad1, 2)
935 self.assertEqual(rep.u.num_results, 1)
936 self.assertEqual(rep.u.ctx_list[0].result,
937 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
938 self.assertEqual(rep.u.ctx_list[0].reason,
939 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
940 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
941 self.assertEqual(rep.u.auth_info, b'\0' * 0)
943 req = self.generate_request(call_id=1,
944 context_id=ctx0.context_id,
948 rep = self.recv_pdu()
949 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
951 self.assertNotEquals(rep.u.alloc_hint, 0)
952 self.assertEqual(rep.u.context_id, req.u.context_id)
953 self.assertEqual(rep.u.cancel_count, 0)
954 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
956 tsf1_list = [zero_syntax, ndr32]
957 ctx1 = dcerpc.ctx_list()
959 ctx1.num_transfer_syntaxes = len(tsf1_list)
960 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
961 ctx1.transfer_syntaxes = tsf1_list
963 req = self.generate_alter(call_id=1, ctx_list=[ctx1])
965 rep = self.recv_pdu()
966 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
968 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
969 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
970 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
971 self.assertEqual(rep.u.secondary_address_size, 0)
972 self.assertPadding(rep.u._pad1, 2)
973 self.assertEqual(rep.u.num_results, 1)
974 self.assertEqual(rep.u.ctx_list[0].result,
975 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
976 self.assertEqual(rep.u.ctx_list[0].reason,
977 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
978 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
979 self.assertEqual(rep.u.auth_info, b'\0' * 0)
981 req = self.generate_request(call_id=1,
982 context_id=ctx1.context_id,
986 rep = self.recv_pdu()
987 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
989 self.assertNotEquals(rep.u.alloc_hint, 0)
990 self.assertEqual(rep.u.context_id, req.u.context_id)
991 self.assertEqual(rep.u.cancel_count, 0)
992 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
994 tsf2_list = [ndr32, ndr32]
995 ctx2 = dcerpc.ctx_list()
997 ctx2.num_transfer_syntaxes = len(tsf2_list)
998 ctx2.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
999 ctx2.transfer_syntaxes = tsf2_list
1001 req = self.generate_alter(call_id=2, ctx_list=[ctx2])
1003 rep = self.recv_pdu()
1004 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
1006 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1007 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1008 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1009 self.assertEqual(rep.u.secondary_address_size, 0)
1010 self.assertPadding(rep.u._pad1, 2)
1011 self.assertEqual(rep.u.num_results, 1)
1012 self.assertEqual(rep.u.ctx_list[0].result,
1013 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
1014 self.assertEqual(rep.u.ctx_list[0].reason,
1015 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
1016 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
1017 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1019 req = self.generate_request(call_id=1,
1020 context_id=ctx2.context_id,
1024 rep = self.recv_pdu()
1025 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1027 self.assertNotEquals(rep.u.alloc_hint, 0)
1028 self.assertEqual(rep.u.context_id, req.u.context_id)
1029 self.assertEqual(rep.u.cancel_count, 0)
1030 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1033 ctx3 = dcerpc.ctx_list()
1035 ctx3.num_transfer_syntaxes = len(tsf3_list)
1036 ctx3.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
1037 ctx3.transfer_syntaxes = tsf3_list
1040 ctx4 = dcerpc.ctx_list()
1042 ctx4.num_transfer_syntaxes = len(tsf4_list)
1043 ctx4.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
1044 ctx4.transfer_syntaxes = tsf4_list
1046 req = self.generate_alter(call_id=34, ctx_list=[ctx3, ctx4])
1048 rep = self.recv_pdu()
1049 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
1051 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1052 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1053 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1054 self.assertEqual(rep.u.secondary_address_size, 0)
1055 self.assertPadding(rep.u._pad1, 2)
1056 self.assertEqual(rep.u.num_results, 2)
1057 self.assertEqual(rep.u.ctx_list[0].result,
1058 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
1059 self.assertEqual(rep.u.ctx_list[0].reason,
1060 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
1061 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
1062 self.assertEqual(rep.u.ctx_list[1].result,
1063 dcerpc.DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION)
1064 self.assertEqual(rep.u.ctx_list[1].reason,
1065 dcerpc.DCERPC_BIND_ACK_REASON_TRANSFER_SYNTAXES_NOT_SUPPORTED)
1066 self.assertNDRSyntaxEquals(rep.u.ctx_list[1].syntax, zero_syntax)
1067 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1069 req = self.generate_request(call_id=1,
1070 context_id=ctx3.context_id,
1074 rep = self.recv_pdu()
1075 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1077 self.assertNotEquals(rep.u.alloc_hint, 0)
1078 self.assertEqual(rep.u.context_id, req.u.context_id)
1079 self.assertEqual(rep.u.cancel_count, 0)
1080 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1082 req = self.generate_alter(call_id=43, ctx_list=[ctx4, ctx3])
1084 rep = self.recv_pdu()
1085 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
1087 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1088 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1089 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1090 self.assertEqual(rep.u.secondary_address_size, 0)
1091 self.assertPadding(rep.u._pad1, 2)
1092 self.assertEqual(rep.u.num_results, 2)
1093 self.assertEqual(rep.u.ctx_list[0].result,
1094 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
1095 self.assertEqual(rep.u.ctx_list[0].reason,
1096 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
1097 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
1098 self.assertEqual(rep.u.ctx_list[1].result,
1099 dcerpc.DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION)
1100 self.assertEqual(rep.u.ctx_list[1].reason,
1101 dcerpc.DCERPC_BIND_ACK_REASON_TRANSFER_SYNTAXES_NOT_SUPPORTED)
1102 self.assertNDRSyntaxEquals(rep.u.ctx_list[1].syntax, zero_syntax)
1103 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1105 req = self.generate_request(call_id=1,
1106 context_id=ctx4.context_id,
1110 rep = self.recv_pdu()
1111 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1113 self.assertNotEquals(rep.u.alloc_hint, 0)
1114 self.assertEqual(rep.u.context_id, req.u.context_id)
1115 self.assertEqual(rep.u.cancel_count, 0)
1116 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1118 req = self.generate_request(call_id=1,
1119 context_id=ctx3.context_id,
1123 rep = self.recv_pdu()
1124 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1126 self.assertNotEquals(rep.u.alloc_hint, 0)
1127 self.assertEqual(rep.u.context_id, req.u.context_id)
1128 self.assertEqual(rep.u.cancel_count, 0)
1129 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1131 req = self.generate_alter(call_id=44, ctx_list=[ctx4, ctx4])
1133 rep = self.recv_pdu()
1134 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
1136 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1137 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1138 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1139 self.assertEqual(rep.u.secondary_address_size, 0)
1140 self.assertPadding(rep.u._pad1, 2)
1141 self.assertEqual(rep.u.num_results, 2)
1142 self.assertEqual(rep.u.ctx_list[0].result,
1143 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
1144 self.assertEqual(rep.u.ctx_list[0].reason,
1145 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
1146 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
1147 self.assertEqual(rep.u.ctx_list[1].result,
1148 dcerpc.DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION)
1149 self.assertEqual(rep.u.ctx_list[1].reason,
1150 dcerpc.DCERPC_BIND_ACK_REASON_TRANSFER_SYNTAXES_NOT_SUPPORTED)
1151 self.assertNDRSyntaxEquals(rep.u.ctx_list[1].syntax, zero_syntax)
1152 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1154 req = self.generate_request(call_id=1,
1155 context_id=ctx4.context_id,
1159 rep = self.recv_pdu()
1160 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1162 self.assertNotEquals(rep.u.alloc_hint, 0)
1163 self.assertEqual(rep.u.context_id, req.u.context_id)
1164 self.assertEqual(rep.u.cancel_count, 0)
1165 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1167 req = self.generate_request(call_id=1,
1168 context_id=ctx3.context_id,
1172 rep = self.recv_pdu()
1173 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1175 self.assertNotEquals(rep.u.alloc_hint, 0)
1176 self.assertEqual(rep.u.context_id, req.u.context_id)
1177 self.assertEqual(rep.u.cancel_count, 0)
1178 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1180 tsf5mgmt_list = [ndr32]
1181 ctx5mgmt = dcerpc.ctx_list()
1182 ctx5mgmt.context_id = 5
1183 ctx5mgmt.num_transfer_syntaxes = len(tsf5mgmt_list)
1184 ctx5mgmt.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
1185 ctx5mgmt.transfer_syntaxes = tsf5mgmt_list
1187 tsf5epm_list = [ndr32]
1188 ctx5epm = dcerpc.ctx_list()
1189 ctx5epm.context_id = 5
1190 ctx5epm.num_transfer_syntaxes = len(tsf5epm_list)
1191 ctx5epm.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
1192 ctx5epm.transfer_syntaxes = tsf5epm_list
1194 req = self.generate_alter(call_id=55, ctx_list=[ctx5mgmt, ctx5epm])
1196 rep = self.recv_pdu()
1197 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
1199 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1200 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1201 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1202 self.assertEqual(rep.u.secondary_address_size, 0)
1203 self.assertPadding(rep.u._pad1, 2)
1204 self.assertEqual(rep.u.num_results, 2)
1205 self.assertEqual(rep.u.ctx_list[0].result,
1206 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
1207 self.assertEqual(rep.u.ctx_list[0].reason,
1208 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
1209 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
1210 self.assertEqual(rep.u.ctx_list[1].result,
1211 dcerpc.DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION)
1212 self.assertEqual(rep.u.ctx_list[1].reason,
1213 dcerpc.DCERPC_BIND_ACK_REASON_TRANSFER_SYNTAXES_NOT_SUPPORTED)
1214 self.assertNDRSyntaxEquals(rep.u.ctx_list[1].syntax, zero_syntax)
1215 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1217 req = self.generate_request(call_id=1,
1218 context_id=ctx5mgmt.context_id,
1222 rep = self.recv_pdu()
1223 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1225 self.assertNotEquals(rep.u.alloc_hint, 0)
1226 self.assertEqual(rep.u.context_id, req.u.context_id)
1227 self.assertEqual(rep.u.cancel_count, 0)
1228 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1230 req = self.generate_alter(call_id=55, ctx_list=[ctx5mgmt, ctx5epm])
1232 rep = self.recv_pdu()
1233 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
1235 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1236 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1237 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1238 self.assertEqual(rep.u.secondary_address_size, 0)
1239 self.assertPadding(rep.u._pad1, 2)
1240 self.assertEqual(rep.u.num_results, 2)
1241 self.assertEqual(rep.u.ctx_list[0].result,
1242 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
1243 self.assertEqual(rep.u.ctx_list[0].reason,
1244 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
1245 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
1246 self.assertEqual(rep.u.ctx_list[1].result,
1247 dcerpc.DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION)
1248 self.assertEqual(rep.u.ctx_list[1].reason,
1249 dcerpc.DCERPC_BIND_ACK_REASON_TRANSFER_SYNTAXES_NOT_SUPPORTED)
1250 self.assertNDRSyntaxEquals(rep.u.ctx_list[1].syntax, zero_syntax)
1251 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1253 req = self.generate_request(call_id=1,
1254 context_id=ctx5mgmt.context_id,
1258 rep = self.recv_pdu()
1259 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1261 self.assertNotEquals(rep.u.alloc_hint, 0)
1262 self.assertEqual(rep.u.context_id, req.u.context_id)
1263 self.assertEqual(rep.u.cancel_count, 0)
1264 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1266 def test_no_auth_bind_time_none_simple(self):
1268 btf = base.bind_time_features_syntax(features)
1270 zero_syntax = misc.ndr_syntax_id()
1273 ctx1 = dcerpc.ctx_list()
1275 ctx1.num_transfer_syntaxes = len(tsf1_list)
1276 ctx1.abstract_syntax = zero_syntax
1277 ctx1.transfer_syntaxes = tsf1_list
1279 req = self.generate_bind(call_id=0, ctx_list=[ctx1])
1281 rep = self.recv_pdu()
1282 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
1284 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1285 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1286 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1287 self.assertEqual(rep.u.secondary_address_size, 4)
1288 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
1289 self.assertPadding(rep.u._pad1, 2)
1290 self.assertEqual(rep.u.num_results, 1)
1291 self.assertEqual(rep.u.ctx_list[0].result,
1292 dcerpc.DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK)
1293 self.assertEqual(rep.u.ctx_list[0].reason, features)
1294 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, zero_syntax)
1295 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1297 def test_no_auth_bind_time_none_ignore_additional(self):
1299 btf1 = base.bind_time_features_syntax(features1)
1301 features2 = dcerpc.DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN
1302 features2 |= dcerpc.DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING
1303 btf2 = base.bind_time_features_syntax(features2)
1305 zero_syntax = misc.ndr_syntax_id()
1306 ndr64 = base.transfer_syntax_ndr64()
1308 tsf1_list = [btf1, btf2, zero_syntax]
1309 ctx1 = dcerpc.ctx_list()
1311 ctx1.num_transfer_syntaxes = len(tsf1_list)
1312 ctx1.abstract_syntax = ndr64
1313 ctx1.transfer_syntaxes = tsf1_list
1315 req = self.generate_bind(call_id=0, ctx_list=[ctx1])
1317 rep = self.recv_pdu()
1318 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
1320 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1321 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1322 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1323 self.assertEqual(rep.u.secondary_address_size, 4)
1324 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
1325 self.assertPadding(rep.u._pad1, 2)
1326 self.assertEqual(rep.u.num_results, 1)
1327 self.assertEqual(rep.u.ctx_list[0].result,
1328 dcerpc.DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK)
1329 self.assertEqual(rep.u.ctx_list[0].reason, features1)
1330 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, zero_syntax)
1331 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1333 def test_no_auth_bind_time_only_first(self):
1334 features1 = dcerpc.DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN
1335 btf1 = base.bind_time_features_syntax(features1)
1337 features2 = dcerpc.DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING
1338 btf2 = base.bind_time_features_syntax(features2)
1340 zero_syntax = misc.ndr_syntax_id()
1342 tsf1_list = [zero_syntax, btf1, btf2, zero_syntax]
1343 ctx1 = dcerpc.ctx_list()
1345 ctx1.num_transfer_syntaxes = len(tsf1_list)
1346 ctx1.abstract_syntax = zero_syntax
1347 ctx1.transfer_syntaxes = tsf1_list
1349 req = self.generate_bind(call_id=0, ctx_list=[ctx1])
1351 rep = self.recv_pdu()
1352 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
1354 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1355 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1356 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1357 self.assertEqual(rep.u.secondary_address_size, 4)
1358 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
1359 self.assertPadding(rep.u._pad1, 2)
1360 self.assertEqual(rep.u.num_results, 1)
1361 self.assertEqual(rep.u.ctx_list[0].result,
1362 dcerpc.DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION)
1363 self.assertEqual(rep.u.ctx_list[0].reason,
1364 dcerpc.DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED)
1365 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, zero_syntax)
1366 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1368 def test_no_auth_bind_time_twice(self):
1369 features1 = dcerpc.DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN
1370 btf1 = base.bind_time_features_syntax(features1)
1372 features2 = dcerpc.DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING
1373 btf2 = base.bind_time_features_syntax(features2)
1375 zero_syntax = misc.ndr_syntax_id()
1378 ctx1 = dcerpc.ctx_list()
1380 ctx1.num_transfer_syntaxes = len(tsf1_list)
1381 ctx1.abstract_syntax = zero_syntax
1382 ctx1.transfer_syntaxes = tsf1_list
1385 ctx2 = dcerpc.ctx_list()
1387 ctx2.num_transfer_syntaxes = len(tsf2_list)
1388 ctx2.abstract_syntax = zero_syntax
1389 ctx2.transfer_syntaxes = tsf2_list
1391 req = self.generate_bind(call_id=0, ctx_list=[ctx1, ctx2])
1393 rep = self.recv_pdu()
1394 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_NAK, req.call_id,
1396 self.assertEqual(rep.u.reject_reason,
1397 dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
1398 self.assertEqual(rep.u.num_versions, 1)
1399 self.assertEqual(rep.u.versions[0].rpc_vers, req.rpc_vers)
1400 self.assertEqual(rep.u.versions[0].rpc_vers_minor, req.rpc_vers_minor)
1401 self.assertPadding(rep.u._pad, 3)
1403 # wait for a disconnect
1404 rep = self.recv_pdu()
1405 self.assertIsNone(rep)
1406 self.assertNotConnected()
1408 def test_no_auth_bind_time_keep_on_orphan_simple(self):
1409 features = dcerpc.DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN
1410 btf = base.bind_time_features_syntax(features)
1412 zero_syntax = misc.ndr_syntax_id()
1415 ctx1 = dcerpc.ctx_list()
1417 ctx1.num_transfer_syntaxes = len(tsf1_list)
1418 ctx1.abstract_syntax = zero_syntax
1419 ctx1.transfer_syntaxes = tsf1_list
1421 req = self.generate_bind(call_id=0, ctx_list=[ctx1])
1423 rep = self.recv_pdu()
1424 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
1426 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1427 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1428 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1429 self.assertEqual(rep.u.secondary_address_size, 4)
1430 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
1431 self.assertPadding(rep.u._pad1, 2)
1432 self.assertEqual(rep.u.num_results, 1)
1433 self.assertEqual(rep.u.ctx_list[0].result,
1434 dcerpc.DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK)
1435 self.assertEqual(rep.u.ctx_list[0].reason, features)
1436 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, zero_syntax)
1437 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1439 def test_no_auth_bind_time_keep_on_orphan_ignore_additional(self):
1440 features1 = dcerpc.DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN
1441 btf1 = base.bind_time_features_syntax(features1)
1443 features2 = dcerpc.DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING
1444 btf2 = base.bind_time_features_syntax(features2)
1446 zero_syntax = misc.ndr_syntax_id()
1447 ndr64 = base.transfer_syntax_ndr64()
1449 tsf1_list = [btf1, btf2, zero_syntax]
1450 ctx1 = dcerpc.ctx_list()
1452 ctx1.num_transfer_syntaxes = len(tsf1_list)
1453 ctx1.abstract_syntax = ndr64
1454 ctx1.transfer_syntaxes = tsf1_list
1456 req = self.generate_bind(call_id=0, ctx_list=[ctx1])
1458 rep = self.recv_pdu()
1459 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
1461 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1462 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1463 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1464 self.assertEqual(rep.u.secondary_address_size, 4)
1465 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
1466 self.assertPadding(rep.u._pad1, 2)
1467 self.assertEqual(rep.u.num_results, 1)
1468 self.assertEqual(rep.u.ctx_list[0].result,
1469 dcerpc.DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK)
1470 self.assertEqual(rep.u.ctx_list[0].reason, features1)
1471 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, zero_syntax)
1472 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1474 def test_no_auth_bind_time_sec_ctx_ignore_additional(self):
1475 features1 = dcerpc.DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING
1476 btf1 = base.bind_time_features_syntax(features1)
1478 features2 = dcerpc.DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN
1479 btf2 = base.bind_time_features_syntax(features2)
1481 zero_syntax = misc.ndr_syntax_id()
1482 ndr64 = base.transfer_syntax_ndr64()
1484 tsf1_list = [btf1, btf2, zero_syntax]
1485 ctx1 = dcerpc.ctx_list()
1487 ctx1.num_transfer_syntaxes = len(tsf1_list)
1488 ctx1.abstract_syntax = ndr64
1489 ctx1.transfer_syntaxes = tsf1_list
1491 req = self.generate_bind(call_id=0, ctx_list=[ctx1])
1493 rep = self.recv_pdu()
1494 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
1496 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1497 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1498 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1499 self.assertEqual(rep.u.secondary_address_size, 4)
1500 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
1501 self.assertPadding(rep.u._pad1, 2)
1502 self.assertEqual(rep.u.num_results, 1)
1503 self.assertEqual(rep.u.ctx_list[0].result,
1504 dcerpc.DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK)
1505 self.assertEqual(rep.u.ctx_list[0].reason, features1)
1506 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, zero_syntax)
1507 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1509 def _test_auth_type_level_bind_nak(self, auth_type, auth_level, creds=None,
1510 reason=dcerpc.DCERPC_BIND_NAK_REASON_INVALID_AUTH_TYPE):
1511 ndr32 = base.transfer_syntax_ndr()
1514 ctx1 = dcerpc.ctx_list()
1516 ctx1.num_transfer_syntaxes = len(tsf1_list)
1517 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
1518 ctx1.transfer_syntaxes = tsf1_list
1523 if creds is not None:
1524 # We always start with DCERPC_AUTH_LEVEL_INTEGRITY
1525 auth_context = self.get_auth_context_creds(creds,
1526 auth_type=auth_type,
1527 auth_level=auth_level,
1528 auth_context_id=auth_context_id,
1529 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY)
1531 (finished, to_server) = auth_context["gensec"].update(from_server)
1532 self.assertFalse(finished)
1534 auth_info = self.generate_auth(auth_type=auth_context["auth_type"],
1535 auth_level=auth_context["auth_level"],
1536 auth_context_id=auth_context["auth_context_id"],
1537 auth_blob=to_server)
1540 auth_info = self.generate_auth(auth_type=auth_type,
1541 auth_level=auth_level,
1542 auth_context_id=auth_context_id,
1543 auth_blob=to_server)
1545 req = self.generate_bind(call_id=0,
1547 auth_info=auth_info)
1549 rep = self.recv_pdu()
1550 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_NAK, req.call_id,
1552 self.assertEqual(rep.u.reject_reason, reason)
1553 self.assertEqual(rep.u.num_versions, 1)
1554 self.assertEqual(rep.u.versions[0].rpc_vers, req.rpc_vers)
1555 self.assertEqual(rep.u.versions[0].rpc_vers_minor, req.rpc_vers_minor)
1556 self.assertPadding(rep.u._pad, 3)
1558 # wait for a disconnect
1559 rep = self.recv_pdu()
1560 self.assertIsNone(rep)
1561 self.assertNotConnected()
1563 def _test_auth_none_level_bind(self, auth_level,
1564 reason=dcerpc.DCERPC_BIND_NAK_REASON_INVALID_AUTH_TYPE):
1565 return self._test_auth_type_level_bind_nak(auth_type=dcerpc.DCERPC_AUTH_LEVEL_NONE,
1566 auth_level=auth_level, reason=reason)
1568 def test_auth_none_none_bind(self):
1569 return self._test_auth_none_level_bind(dcerpc.DCERPC_AUTH_LEVEL_NONE,
1570 reason=dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
1572 def test_auth_none_connect_bind(self):
1573 return self._test_auth_none_level_bind(dcerpc.DCERPC_AUTH_LEVEL_CONNECT)
1575 def test_auth_none_call_bind(self):
1576 return self._test_auth_none_level_bind(dcerpc.DCERPC_AUTH_LEVEL_CALL)
1578 def test_auth_none_packet_bind(self):
1579 return self._test_auth_none_level_bind(dcerpc.DCERPC_AUTH_LEVEL_PACKET)
1581 def test_auth_none_integrity_bind(self):
1582 return self._test_auth_none_level_bind(dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY)
1584 def test_auth_none_privacy_bind(self):
1585 return self._test_auth_none_level_bind(dcerpc.DCERPC_AUTH_LEVEL_PRIVACY)
1587 def test_auth_none_0_bind(self):
1588 return self._test_auth_none_level_bind(0,
1589 reason=dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
1591 def test_auth_none_7_bind(self):
1592 return self._test_auth_none_level_bind(7,
1593 reason=dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
1595 def test_auth_none_255_bind(self):
1596 return self._test_auth_none_level_bind(255,
1597 reason=dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
1599 def _test_auth_none_level_request(self, auth_level):
1600 ndr32 = base.transfer_syntax_ndr()
1603 ctx1 = dcerpc.ctx_list()
1605 ctx1.num_transfer_syntaxes = len(tsf1_list)
1606 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
1607 ctx1.transfer_syntaxes = tsf1_list
1610 auth_type = dcerpc.DCERPC_AUTH_TYPE_NONE
1613 req = self.generate_bind(call_id=0,
1617 rep = self.recv_pdu()
1618 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
1619 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1620 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1621 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1622 self.assertEqual(rep.u.secondary_address_size, 4)
1623 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
1624 self.assertPadding(rep.u._pad1, 2)
1625 self.assertEqual(rep.u.num_results, 1)
1626 self.assertEqual(rep.u.ctx_list[0].result,
1627 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
1628 self.assertEqual(rep.u.ctx_list[0].reason,
1629 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
1630 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
1631 self.assertEqual(len(rep.u.auth_info), 0)
1633 # And now try a request without auth_info
1634 req = self.generate_request(call_id=2,
1635 context_id=ctx1.context_id,
1639 rep = self.recv_pdu()
1640 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1642 self.assertNotEquals(rep.u.alloc_hint, 0)
1643 self.assertEqual(rep.u.context_id, req.u.context_id)
1644 self.assertEqual(rep.u.cancel_count, 0)
1645 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1647 auth_info = self.generate_auth(auth_type=auth_type,
1648 auth_level=auth_level,
1649 auth_context_id=auth_context_id,
1652 req = self.generate_request(call_id=3,
1653 context_id=ctx1.context_id,
1656 auth_info=auth_info)
1658 rep = self.recv_pdu()
1659 # We get a fault back
1660 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
1662 self.assertNotEquals(rep.u.alloc_hint, 0)
1663 self.assertEqual(rep.u.context_id, req.u.context_id)
1664 self.assertEqual(rep.u.cancel_count, 0)
1665 self.assertEqual(rep.u.flags, 0)
1666 self.assertEqual(rep.u.status, dcerpc.DCERPC_FAULT_ACCESS_DENIED)
1667 self.assertEqual(rep.u.reserved, 0)
1668 self.assertEqual(len(rep.u.error_and_verifier), 0)
1670 # wait for a disconnect
1671 rep = self.recv_pdu()
1672 self.assertIsNone(rep)
1673 self.assertNotConnected()
1675 def test_auth_none_none_request(self):
1676 return self._test_auth_none_level_request(dcerpc.DCERPC_AUTH_LEVEL_NONE)
1678 def test_auth_none_connect_request(self):
1679 return self._test_auth_none_level_request(dcerpc.DCERPC_AUTH_LEVEL_CONNECT)
1681 def test_auth_none_call_request(self):
1682 return self._test_auth_none_level_request(dcerpc.DCERPC_AUTH_LEVEL_CALL)
1684 def test_auth_none_packet_request(self):
1685 return self._test_auth_none_level_request(dcerpc.DCERPC_AUTH_LEVEL_PACKET)
1687 def _test_neg_xmit_check_values(self,
1693 ndr32 = base.transfer_syntax_ndr()
1696 ctx1 = dcerpc.ctx_list()
1698 ctx1.num_transfer_syntaxes = len(tsf1_list)
1699 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
1700 ctx1.transfer_syntaxes = tsf1_list
1702 req = self.generate_bind(call_id=0,
1703 max_xmit_frag=req_xmit,
1704 max_recv_frag=req_recv,
1707 rep = self.recv_pdu()
1708 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
1710 self.assertEqual(rep.u.max_xmit_frag, rep_both)
1711 self.assertEqual(rep.u.max_recv_frag, rep_both)
1712 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1713 self.assertEqual(rep.u.secondary_address_size, 4)
1714 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
1715 self.assertPadding(rep.u._pad1, 2)
1716 self.assertEqual(rep.u.num_results, 1)
1717 self.assertEqual(rep.u.ctx_list[0].result,
1718 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
1719 self.assertEqual(rep.u.ctx_list[0].reason,
1720 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
1721 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
1722 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1724 assoc_group_id = rep.u.assoc_group_id
1725 if alter_xmit is None:
1726 alter_xmit = rep_both - 8
1727 if alter_recv is None:
1728 alter_recv = rep_both - 8
1730 # max_{xmit,recv}_frag and assoc_group_id are completely
1731 # ignored in alter_context requests
1732 req = self.generate_alter(call_id=1,
1733 max_xmit_frag=alter_xmit,
1734 max_recv_frag=alter_recv,
1735 assoc_group_id=0xffffffff - rep.u.assoc_group_id,
1738 rep = self.recv_pdu()
1739 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
1741 self.assertEqual(rep.u.max_xmit_frag, rep_both)
1742 self.assertEqual(rep.u.max_recv_frag, rep_both)
1743 self.assertEqual(rep.u.assoc_group_id, rep.u.assoc_group_id)
1744 self.assertEqual(rep.u.secondary_address_size, 0)
1745 self.assertPadding(rep.u._pad1, 2)
1746 self.assertEqual(rep.u.num_results, 1)
1747 self.assertEqual(rep.u.ctx_list[0].result,
1748 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
1749 self.assertEqual(rep.u.ctx_list[0].reason,
1750 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
1751 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
1752 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1754 chunk_size = rep_both - dcerpc.DCERPC_REQUEST_LENGTH
1755 req = self.generate_request(call_id=2,
1756 context_id=ctx1.context_id,
1758 alloc_hint=0xffffffff,
1759 stub=b"\00" * chunk_size)
1760 self.send_pdu(req, ndr_print=True, hexdump=True)
1761 rep = self.recv_pdu(ndr_print=True, hexdump=True)
1762 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1764 self.assertNotEquals(rep.u.alloc_hint, 0)
1765 self.assertEqual(rep.u.context_id, req.u.context_id)
1766 self.assertEqual(rep.u.cancel_count, 0)
1767 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1769 chunk_size = 5840 - dcerpc.DCERPC_REQUEST_LENGTH
1770 req = self.generate_request(call_id=2,
1771 context_id=ctx1.context_id,
1773 alloc_hint=0xffffffff,
1774 stub=b"\00" * chunk_size)
1776 rep = self.recv_pdu()
1777 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1779 self.assertNotEquals(rep.u.alloc_hint, 0)
1780 self.assertEqual(rep.u.context_id, req.u.context_id)
1781 self.assertEqual(rep.u.cancel_count, 0)
1782 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1785 req = self.generate_request(call_id=3,
1786 context_id=ctx1.context_id,
1788 alloc_hint=0xffffffff,
1789 stub=b"\00" * chunk_size)
1791 rep = self.recv_pdu()
1793 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
1795 self.assertNotEquals(rep.u.alloc_hint, 0)
1796 self.assertEqual(rep.u.context_id, 0)
1797 self.assertEqual(rep.u.cancel_count, 0)
1798 self.assertEqual(rep.u.flags, 0)
1799 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
1800 self.assertEqual(rep.u.reserved, 0)
1801 self.assertEqual(len(rep.u.error_and_verifier), 0)
1803 # wait for a disconnect
1804 rep = self.recv_pdu()
1805 self.assertIsNone(rep)
1806 self.assertNotConnected()
1808 def test_neg_xmit_ffff_ffff(self):
1809 return self._test_neg_xmit_check_values(req_xmit=0xffff,
1813 def test_neg_xmit_0_ffff(self):
1814 return self._test_neg_xmit_check_values(req_xmit=0,
1820 def test_neg_xmit_ffff_0(self):
1821 return self._test_neg_xmit_check_values(req_xmit=0xffff,
1825 def test_neg_xmit_0_0(self):
1826 return self._test_neg_xmit_check_values(req_xmit=0,
1832 def test_neg_xmit_3199_0(self):
1833 return self._test_neg_xmit_check_values(req_xmit=3199,
1837 def test_neg_xmit_0_3199(self):
1838 return self._test_neg_xmit_check_values(req_xmit=0,
1842 def test_neg_xmit_3199_ffff(self):
1843 return self._test_neg_xmit_check_values(req_xmit=3199,
1847 def test_neg_xmit_ffff_3199(self):
1848 return self._test_neg_xmit_check_values(req_xmit=0xffff,
1852 def test_alloc_hint(self):
1853 ndr32 = base.transfer_syntax_ndr()
1856 ctx = dcerpc.ctx_list()
1858 ctx.num_transfer_syntaxes = len(tsf1_list)
1859 ctx.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
1860 ctx.transfer_syntaxes = tsf1_list
1862 req = self.generate_bind(call_id=0,
1865 rep = self.recv_pdu()
1866 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
1868 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
1869 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
1870 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
1871 self.assertEqual(rep.u.secondary_address_size, 4)
1872 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
1873 self.assertPadding(rep.u._pad1, 2)
1874 self.assertEqual(rep.u.num_results, 1)
1875 self.assertEqual(rep.u.ctx_list[0].result,
1876 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
1877 self.assertEqual(rep.u.ctx_list[0].reason,
1878 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
1879 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
1880 self.assertEqual(rep.u.auth_info, b'\0' * 0)
1882 # And now try a request without auth_info
1883 req = self.generate_request(call_id=2,
1884 context_id=ctx.context_id,
1886 alloc_hint=0xffffffff,
1889 rep = self.recv_pdu()
1890 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1892 self.assertNotEquals(rep.u.alloc_hint, 0)
1893 self.assertEqual(rep.u.context_id, req.u.context_id)
1894 self.assertEqual(rep.u.cancel_count, 0)
1895 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1897 req = self.generate_request(call_id=3,
1898 context_id=ctx.context_id,
1900 alloc_hint=0xffffffff,
1901 stub=b"\04\00\00\00\00\00\00\00")
1903 rep = self.recv_pdu()
1904 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1906 self.assertNotEquals(rep.u.alloc_hint, 0)
1907 self.assertEqual(rep.u.context_id, req.u.context_id)
1908 self.assertEqual(rep.u.cancel_count, 0)
1909 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1911 req = self.generate_request(call_id=4,
1912 context_id=ctx.context_id,
1915 stub=b"\04\00\00\00\00\00\00\00")
1917 rep = self.recv_pdu()
1918 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
1920 self.assertNotEquals(rep.u.alloc_hint, 0)
1921 self.assertEqual(rep.u.context_id, req.u.context_id)
1922 self.assertEqual(rep.u.cancel_count, 0)
1923 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
1925 def _get_netlogon_ctx(self):
1926 abstract = samba.dcerpc.netlogon.abstract_syntax()
1927 ndr32 = base.transfer_syntax_ndr()
1929 (ctx, ack) = self.prepare_presentation(abstract, ndr32, context_id=0,
1930 epmap=True, return_ack=True)
1932 server = '\\\\' + self.target_hostname
1933 if isinstance(server, binary_type):
1934 server_utf16 = server.decode('utf-8').encode('utf-16-le')
1936 server_utf16 = server.encode('utf-16-le')
1937 computer = 'UNKNOWNCOMPUTER'
1938 if isinstance(server, binary_type):
1939 computer_utf16 = computer.decode('utf-8').encode('utf-16-le')
1941 computer_utf16 = computer.encode('utf-16-le')
1943 real_stub = struct.pack('<IIII', 0x00200000,
1944 len(server) + 1, 0, len(server) + 1)
1945 real_stub += server_utf16 + b'\x00\x00'
1946 mod_len = len(real_stub) % 4
1948 real_stub += b'\x00' * (4 - mod_len)
1949 real_stub += struct.pack('<III',
1950 len(computer) + 1, 0, len(computer) + 1)
1951 real_stub += computer_utf16 + b'\x00\x00'
1952 real_stub += b'\x11\x22\x33\x44\x55\x66\x77\x88'
1954 return (ctx, ack, real_stub)
1956 def _test_fragmented_requests(self, remaining=None, alloc_hint=None,
1957 fault_first=None, fault_last=None):
1958 (ctx, rep, real_stub) = self._get_netlogon_ctx()
1960 chunk = rep.u.max_recv_frag - dcerpc.DCERPC_REQUEST_LENGTH
1964 while remaining > 0:
1965 thistime = min(remaining, chunk)
1966 remaining -= thistime
1971 pfc_flags |= dcerpc.DCERPC_PFC_FLAG_FIRST
1973 stub = real_stub + b'\x00' * (thistime - len(real_stub))
1975 stub = b"\x00" * thistime
1978 pfc_flags |= dcerpc.DCERPC_PFC_FLAG_LAST
1980 # And now try a request without auth_info
1981 # netr_ServerReqChallenge()
1982 req = self.generate_request(call_id=0x21234,
1983 pfc_flags=pfc_flags,
1984 context_id=ctx.context_id,
1986 alloc_hint=alloc_hint,
1988 if alloc_hint >= thistime:
1989 alloc_hint -= thistime
1992 self.send_pdu(req, hexdump=False)
1993 if fault_first is not None:
1994 rep = self.recv_pdu()
1995 # We get a fault back
1996 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
1998 self.assertNotEquals(rep.u.alloc_hint, 0)
1999 self.assertEqual(rep.u.context_id, req.u.context_id)
2000 self.assertEqual(rep.u.cancel_count, 0)
2001 self.assertEqual(rep.u.flags, 0)
2002 self.assertEqual(rep.u.status, fault_first)
2003 self.assertEqual(rep.u.reserved, 0)
2004 self.assertEqual(len(rep.u.error_and_verifier), 0)
2006 # wait for a disconnect
2007 rep = self.recv_pdu()
2008 self.assertIsNone(rep)
2009 self.assertNotConnected()
2013 if total >= 0x400000 and fault_last is not None:
2014 rep = self.recv_pdu()
2015 # We get a fault back
2016 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
2018 self.assertNotEquals(rep.u.alloc_hint, 0)
2019 self.assertEqual(rep.u.context_id, req.u.context_id)
2020 self.assertEqual(rep.u.cancel_count, 0)
2021 self.assertEqual(rep.u.flags, 0)
2022 self.assertEqual(rep.u.status, fault_last)
2023 self.assertEqual(rep.u.reserved, 0)
2024 self.assertEqual(len(rep.u.error_and_verifier), 0)
2026 # wait for a disconnect
2027 rep = self.recv_pdu()
2028 self.assertIsNone(rep)
2029 self.assertNotConnected()
2031 rep = self.recv_pdu(timeout=0.01)
2032 self.assertIsNone(rep)
2033 self.assertIsConnected()
2035 if total >= 0x400000 and fault_last is not None:
2036 rep = self.recv_pdu()
2037 # We get a fault back
2038 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
2040 self.assertNotEquals(rep.u.alloc_hint, 0)
2041 self.assertEqual(rep.u.context_id, req.u.context_id)
2042 self.assertEqual(rep.u.cancel_count, 0)
2043 self.assertEqual(rep.u.flags, 0)
2044 self.assertEqual(rep.u.status, fault_last)
2045 self.assertEqual(rep.u.reserved, 0)
2046 self.assertEqual(len(rep.u.error_and_verifier), 0)
2048 # wait for a disconnect
2049 rep = self.recv_pdu()
2050 self.assertIsNone(rep)
2051 self.assertNotConnected()
2053 rep = self.recv_pdu()
2054 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2056 self.assertNotEquals(rep.u.alloc_hint, 0)
2057 self.assertEqual(rep.u.context_id, req.u.context_id)
2058 self.assertEqual(rep.u.cancel_count, 0)
2059 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2061 self.assertEqual(len(rep.u.stub_and_verifier), 12)
2062 status = struct.unpack_from("<I", rep.u.stub_and_verifier, len(rep.u.stub_and_verifier) - 4)
2063 self.assertEqual(status[0], 0)
2065 def test_fragmented_requests01(self):
2066 return self._test_fragmented_requests(remaining=0x400000,
2067 alloc_hint=0x400000)
2069 def test_fragmented_requests02(self):
2070 return self._test_fragmented_requests(remaining=0x400000,
2071 alloc_hint=0x100000)
2073 def test_fragmented_requests03(self):
2074 return self._test_fragmented_requests(remaining=0x400000,
2077 def test_fragmented_requests04(self):
2078 return self._test_fragmented_requests(remaining=0x400000,
2079 alloc_hint=0x400001,
2080 fault_first=dcerpc.DCERPC_FAULT_ACCESS_DENIED)
2082 def test_fragmented_requests05(self):
2083 return self._test_fragmented_requests(remaining=0x500001,
2085 fault_last=dcerpc.DCERPC_FAULT_ACCESS_DENIED)
2087 def _test_same_requests(self, pfc_flags, fault_1st=False, fault_2nd=False):
2088 (ctx, rep, real_stub) = self._get_netlogon_ctx()
2090 # netr_ServerReqChallenge with given flags
2091 req = self.generate_request(call_id=2,
2092 pfc_flags=pfc_flags,
2093 context_id=ctx.context_id,
2098 rep = self.recv_pdu()
2099 # We get a fault back
2100 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
2102 self.assertNotEquals(rep.u.alloc_hint, 0)
2103 self.assertEqual(rep.u.context_id, 0)
2104 self.assertEqual(rep.u.cancel_count, 0)
2105 self.assertEqual(rep.u.flags, 0)
2106 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
2107 self.assertEqual(rep.u.reserved, 0)
2108 self.assertEqual(len(rep.u.error_and_verifier), 0)
2110 # wait for a disconnect
2111 rep = self.recv_pdu()
2112 self.assertIsNone(rep)
2113 self.assertNotConnected()
2115 rep = self.recv_pdu(timeout=0.1)
2116 self.assertIsNone(rep)
2117 self.assertIsConnected()
2119 # netr_ServerReqChallenge without DCERPC_PFC_FLAG_LAST
2120 # with the same call_id
2121 req = self.generate_request(call_id=2,
2122 pfc_flags=pfc_flags,
2123 context_id=ctx.context_id,
2128 rep = self.recv_pdu()
2129 # We get a fault back
2130 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
2132 self.assertNotEquals(rep.u.alloc_hint, 0)
2133 self.assertEqual(rep.u.context_id, req.u.context_id)
2134 self.assertEqual(rep.u.cancel_count, 0)
2135 self.assertEqual(rep.u.flags, 0)
2136 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
2137 self.assertEqual(rep.u.reserved, 0)
2138 self.assertEqual(len(rep.u.error_and_verifier), 0)
2140 # wait for a disconnect
2141 rep = self.recv_pdu()
2142 self.assertIsNone(rep)
2143 self.assertNotConnected()
2146 rep = self.recv_pdu(timeout=0.1)
2147 self.assertIsNone(rep)
2148 self.assertIsConnected()
2150 def test_first_only_requests(self):
2151 return self._test_same_requests(pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST,
2154 def test_none_only_requests(self):
2155 return self._test_same_requests(pfc_flags=0, fault_1st=True)
2157 def test_last_only_requests(self):
2158 return self._test_same_requests(pfc_flags=dcerpc.DCERPC_PFC_FLAG_LAST,
2161 def test_first_maybe_requests(self):
2162 return self._test_same_requests(pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST |
2163 dcerpc.DCERPC_PFC_FLAG_MAYBE,
2166 def test_first_didnot_requests(self):
2167 return self._test_same_requests(pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST |
2168 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
2171 def test_first_cmpx_requests(self):
2172 return self._test_same_requests(pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST |
2173 dcerpc.DCERPC_PFC_FLAG_CONC_MPX,
2176 def test_first_08_requests(self):
2177 return self._test_same_requests(pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST |
2181 def test_first_cancel_requests(self):
2182 (ctx, rep, real_stub) = self._get_netlogon_ctx()
2184 # netr_ServerReqChallenge with given flags
2185 req = self.generate_request(call_id=2,
2186 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST |
2187 dcerpc.DCERPC_PFC_FLAG_PENDING_CANCEL,
2188 context_id=ctx.context_id,
2192 rep = self.recv_pdu()
2193 # We get a fault back
2194 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
2195 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST |
2196 dcerpc.DCERPC_PFC_FLAG_LAST |
2197 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
2199 self.assertNotEquals(rep.u.alloc_hint, 0)
2200 self.assertEqual(rep.u.context_id, 0)
2201 self.assertEqual(rep.u.cancel_count, 0)
2202 self.assertEqual(rep.u.flags, 0)
2203 self.assertEqual(rep.u.status, dcerpc.DCERPC_FAULT_NO_CALL_ACTIVE)
2204 self.assertEqual(rep.u.reserved, 0)
2205 self.assertEqual(len(rep.u.error_and_verifier), 0)
2207 # wait for a disconnect
2208 rep = self.recv_pdu()
2209 self.assertIsNone(rep)
2210 self.assertNotConnected()
2212 def test_2nd_cancel_requests(self):
2213 (ctx, rep, real_stub) = self._get_netlogon_ctx()
2215 # netr_ServerReqChallenge with given flags
2216 req = self.generate_request(call_id=2,
2217 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST,
2218 context_id=ctx.context_id,
2222 rep = self.recv_pdu(timeout=0.1)
2223 self.assertIsNone(rep)
2224 self.assertIsConnected()
2226 # netr_ServerReqChallenge with given flags
2227 req = self.generate_request(call_id=2,
2228 pfc_flags=dcerpc.DCERPC_PFC_FLAG_PENDING_CANCEL,
2229 context_id=ctx.context_id,
2233 rep = self.recv_pdu(timeout=0.1)
2234 self.assertIsNone(rep)
2235 self.assertIsConnected()
2237 # netr_ServerReqChallenge with given flags
2238 req = self.generate_request(call_id=2,
2239 pfc_flags=dcerpc.DCERPC_PFC_FLAG_LAST,
2240 context_id=ctx.context_id,
2244 rep = self.recv_pdu()
2245 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2247 self.assertNotEquals(rep.u.alloc_hint, 0)
2248 self.assertEqual(rep.u.context_id, req.u.context_id)
2249 self.assertEqual(rep.u.cancel_count, 0)
2250 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2252 self.assertEqual(len(rep.u.stub_and_verifier), 12)
2253 status = struct.unpack_from("<I", rep.u.stub_and_verifier, len(rep.u.stub_and_verifier) - 4)
2254 self.assertEqual(status[0], 0)
2256 def test_last_cancel_requests(self):
2257 (ctx, rep, real_stub) = self._get_netlogon_ctx()
2259 # netr_ServerReqChallenge with given flags
2260 req = self.generate_request(call_id=2,
2261 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST,
2262 context_id=ctx.context_id,
2266 rep = self.recv_pdu(timeout=0.1)
2267 self.assertIsNone(rep)
2268 self.assertIsConnected()
2270 # netr_ServerReqChallenge with given flags
2271 req = self.generate_request(call_id=2,
2272 pfc_flags=dcerpc.DCERPC_PFC_FLAG_LAST |
2273 dcerpc.DCERPC_PFC_FLAG_PENDING_CANCEL,
2274 context_id=ctx.context_id,
2278 rep = self.recv_pdu()
2279 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2281 self.assertNotEquals(rep.u.alloc_hint, 0)
2282 self.assertEqual(rep.u.context_id, req.u.context_id)
2283 self.assertEqual(rep.u.cancel_count, 0)
2284 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2286 self.assertEqual(len(rep.u.stub_and_verifier), 12)
2287 status = struct.unpack_from("<I", rep.u.stub_and_verifier, len(rep.u.stub_and_verifier) - 4)
2288 self.assertEqual(status[0], 0)
2290 def test_mix_requests(self):
2291 (ctx, rep, real_stub) = self._get_netlogon_ctx()
2293 # netr_ServerReqChallenge with given flags
2294 req = self.generate_request(call_id=50,
2295 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST,
2296 context_id=ctx.context_id,
2300 rep = self.recv_pdu(timeout=0.1)
2301 self.assertIsNone(rep)
2302 self.assertIsConnected()
2304 # netr_ServerReqChallenge with given flags
2305 req = self.generate_request(call_id=51,
2306 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST,
2307 context_id=ctx.context_id,
2311 rep = self.recv_pdu()
2312 # We get a fault back
2313 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, 50,
2314 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST |
2315 dcerpc.DCERPC_PFC_FLAG_LAST,
2317 self.assertNotEquals(rep.u.alloc_hint, 0)
2318 self.assertEqual(rep.u.context_id, req.u.context_id)
2319 self.assertEqual(rep.u.cancel_count, 0)
2320 self.assertEqual(rep.u.flags, 0)
2321 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
2322 self.assertEqual(rep.u.reserved, 0)
2323 self.assertEqual(len(rep.u.error_and_verifier), 0)
2325 def test_co_cancel_no_request(self):
2326 ndr32 = base.transfer_syntax_ndr()
2327 abstract = samba.dcerpc.mgmt.abstract_syntax()
2328 ctx = self.prepare_presentation(abstract, ndr32, context_id=0xff)
2330 req = self.generate_co_cancel(call_id=3)
2332 rep = self.recv_pdu(timeout=0.01)
2333 self.assertIsNone(rep)
2334 self.assertIsConnected()
2336 # And now try a request
2337 req = self.generate_request(call_id=1,
2338 context_id=ctx.context_id,
2342 rep = self.recv_pdu()
2343 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2345 self.assertNotEquals(rep.u.alloc_hint, 0)
2346 self.assertEqual(rep.u.context_id, req.u.context_id)
2347 self.assertEqual(rep.u.cancel_count, 0)
2348 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2350 def test_co_cancel_request_after_first(self):
2351 ndr32 = base.transfer_syntax_ndr()
2352 abstract = samba.dcerpc.mgmt.abstract_syntax()
2353 ctx = self.prepare_presentation(abstract, ndr32, context_id=0xff)
2355 req = self.generate_request(call_id=1,
2356 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST,
2357 context_id=ctx.context_id,
2361 rep = self.recv_pdu(timeout=0.01)
2362 self.assertIsNone(rep)
2363 self.assertIsConnected()
2365 req = self.generate_co_cancel(call_id=1)
2367 rep = self.recv_pdu(timeout=0.01)
2368 self.assertIsNone(rep)
2369 self.assertIsConnected()
2371 req = self.generate_request(call_id=1,
2372 pfc_flags=dcerpc.DCERPC_PFC_FLAG_LAST,
2373 context_id=ctx.context_id,
2377 rep = self.recv_pdu()
2378 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2380 self.assertNotEquals(rep.u.alloc_hint, 0)
2381 self.assertEqual(rep.u.context_id, req.u.context_id)
2382 self.assertEqual(rep.u.cancel_count, 0)
2383 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2385 # And now try a request
2386 req = self.generate_request(call_id=2,
2387 context_id=ctx.context_id,
2391 rep = self.recv_pdu()
2392 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2394 self.assertNotEquals(rep.u.alloc_hint, 0)
2395 self.assertEqual(rep.u.context_id, req.u.context_id)
2396 self.assertEqual(rep.u.cancel_count, 0)
2397 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2399 def test_orphaned_no_request(self):
2400 ndr32 = base.transfer_syntax_ndr()
2401 abstract = samba.dcerpc.mgmt.abstract_syntax()
2402 ctx = self.prepare_presentation(abstract, ndr32)
2404 req = self.generate_orphaned(call_id=3)
2406 rep = self.recv_pdu(timeout=0.01)
2407 self.assertIsNone(rep)
2408 self.assertIsConnected()
2410 # And now try a request
2411 req = self.generate_request(call_id=1,
2412 context_id=ctx.context_id,
2416 rep = self.recv_pdu()
2417 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2419 self.assertNotEquals(rep.u.alloc_hint, 0)
2420 self.assertEqual(rep.u.context_id, req.u.context_id & 0xff)
2421 self.assertEqual(rep.u.cancel_count, 0)
2422 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2424 def test_orphaned_request_after_first_last(self):
2425 ndr32 = base.transfer_syntax_ndr()
2426 abstract = samba.dcerpc.mgmt.abstract_syntax()
2427 ctx = self.prepare_presentation(abstract, ndr32)
2429 req = self.generate_request(call_id=1,
2430 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST,
2431 context_id=ctx.context_id,
2435 rep = self.recv_pdu(timeout=0.1)
2436 self.assertIsNone(rep)
2437 self.assertIsConnected()
2439 req = self.generate_orphaned(call_id=1)
2441 rep = self.recv_pdu(timeout=0.1)
2442 self.assertIsNone(rep)
2443 self.assertIsConnected()
2445 req = self.generate_request(call_id=1,
2446 pfc_flags=dcerpc.DCERPC_PFC_FLAG_LAST,
2447 context_id=ctx.context_id,
2451 rep = self.recv_pdu()
2452 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2454 self.assertNotEquals(rep.u.alloc_hint, 0)
2455 self.assertEqual(rep.u.context_id, req.u.context_id & 0xff)
2456 self.assertEqual(rep.u.cancel_count, 0)
2457 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2459 # And now try a request
2460 req = self.generate_request(call_id=2,
2461 context_id=ctx.context_id,
2465 rep = self.recv_pdu()
2466 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2468 self.assertNotEquals(rep.u.alloc_hint, 0)
2469 self.assertEqual(rep.u.context_id, req.u.context_id & 0xff)
2470 self.assertEqual(rep.u.cancel_count, 0)
2471 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2473 def test_orphaned_request_after_first_mpx_last(self):
2474 ndr32 = base.transfer_syntax_ndr()
2475 abstract = samba.dcerpc.mgmt.abstract_syntax()
2477 pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST
2478 pfc_flags |= samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST
2479 pfc_flags |= samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_CONC_MPX
2480 ctx = self.prepare_presentation(abstract, ndr32, pfc_flags=pfc_flags)
2482 req = self.generate_request(call_id=1,
2483 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST,
2484 context_id=ctx.context_id,
2488 rep = self.recv_pdu(timeout=0.1)
2489 self.assertIsNone(rep)
2490 self.assertIsConnected()
2492 req = self.generate_orphaned(call_id=1)
2494 rep = self.recv_pdu(timeout=0.1)
2495 self.assertIsNone(rep)
2496 self.assertIsConnected()
2498 req = self.generate_request(call_id=1,
2499 pfc_flags=dcerpc.DCERPC_PFC_FLAG_LAST,
2500 context_id=ctx.context_id,
2504 rep = self.recv_pdu()
2505 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2507 self.assertNotEquals(rep.u.alloc_hint, 0)
2508 self.assertEqual(rep.u.context_id, req.u.context_id & 0xff)
2509 self.assertEqual(rep.u.cancel_count, 0)
2510 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2512 # And now try a request
2513 req = self.generate_request(call_id=2,
2514 context_id=ctx.context_id,
2518 rep = self.recv_pdu()
2519 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2521 self.assertNotEquals(rep.u.alloc_hint, 0)
2522 self.assertEqual(rep.u.context_id, req.u.context_id & 0xff)
2523 self.assertEqual(rep.u.cancel_count, 0)
2524 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2526 def test_orphaned_request_after_first_no_last(self):
2527 ndr32 = base.transfer_syntax_ndr()
2528 abstract = samba.dcerpc.mgmt.abstract_syntax()
2529 ctx = self.prepare_presentation(abstract, ndr32)
2531 req1 = self.generate_request(call_id=1,
2532 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST,
2533 context_id=ctx.context_id,
2537 rep = self.recv_pdu(timeout=0.1)
2538 self.assertIsNone(rep)
2539 self.assertIsConnected()
2541 req = self.generate_orphaned(call_id=1)
2543 rep = self.recv_pdu(timeout=0.1)
2544 self.assertIsNone(rep)
2545 self.assertIsConnected()
2547 # And now try a new request
2548 req2 = self.generate_request(call_id=2,
2549 context_id=ctx.context_id,
2553 rep = self.recv_pdu()
2554 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req1.call_id,
2556 self.assertNotEquals(rep.u.alloc_hint, 0)
2557 self.assertEqual(rep.u.context_id, req1.u.context_id)
2558 self.assertEqual(rep.u.cancel_count, 0)
2559 self.assertEqual(rep.u.flags, 0)
2560 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
2561 self.assertEqual(rep.u.reserved, 0)
2562 self.assertEqual(len(rep.u.error_and_verifier), 0)
2564 # wait for a disconnect
2565 rep = self.recv_pdu()
2566 self.assertIsNone(rep)
2567 self.assertNotConnected()
2569 def test_orphaned_request_after_first_mpx_no_last(self):
2570 ndr32 = base.transfer_syntax_ndr()
2571 abstract = samba.dcerpc.mgmt.abstract_syntax()
2573 pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST
2574 pfc_flags |= samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST
2575 pfc_flags |= samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_CONC_MPX
2576 ctx = self.prepare_presentation(abstract, ndr32,
2577 pfc_flags=pfc_flags)
2579 req1 = self.generate_request(call_id=1,
2580 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST,
2581 context_id=ctx.context_id,
2585 rep = self.recv_pdu(timeout=0.1)
2586 self.assertIsNone(rep)
2587 self.assertIsConnected()
2589 req = self.generate_orphaned(call_id=1)
2591 rep = self.recv_pdu(timeout=0.1)
2592 self.assertIsNone(rep)
2593 self.assertIsConnected()
2595 # And now try a new request
2596 req2 = self.generate_request(call_id=2,
2597 context_id=ctx.context_id - 1,
2601 rep = self.recv_pdu()
2602 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req2.call_id,
2604 self.assertNotEquals(rep.u.alloc_hint, 0)
2605 self.assertEqual(rep.u.context_id, 0)
2606 self.assertEqual(rep.u.cancel_count, 0)
2607 self.assertEqual(rep.u.flags, 0)
2608 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
2609 self.assertEqual(rep.u.reserved, 0)
2610 self.assertEqual(len(rep.u.error_and_verifier), 0)
2612 # wait for a disconnect
2613 rep = self.recv_pdu()
2614 self.assertIsNone(rep)
2615 self.assertNotConnected()
2617 def _test_spnego_connect_upgrade_request(self, upgrade_auth_level):
2618 ndr32 = base.transfer_syntax_ndr()
2621 ctx1 = dcerpc.ctx_list()
2623 ctx1.num_transfer_syntaxes = len(tsf1_list)
2624 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
2625 ctx1.transfer_syntaxes = tsf1_list
2628 c = self.get_anon_creds()
2629 g = gensec.Security.start_client(self.settings)
2630 g.set_credentials(c)
2631 g.want_feature(gensec.FEATURE_DCE_STYLE)
2632 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
2633 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
2635 g.start_mech_by_authtype(auth_type, auth_level)
2637 (finished, to_server) = g.update(from_server)
2638 self.assertFalse(finished)
2640 auth_info = self.generate_auth(auth_type=auth_type,
2641 auth_level=auth_level,
2642 auth_context_id=auth_context_id,
2643 auth_blob=to_server)
2645 req = self.generate_bind(call_id=0,
2647 auth_info=auth_info)
2650 rep = self.recv_pdu()
2651 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
2652 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
2653 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
2654 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
2655 self.assertEqual(rep.u.secondary_address_size, 4)
2656 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
2657 self.assertPadding(rep.u._pad1, 2)
2658 self.assertEqual(rep.u.num_results, 1)
2659 self.assertEqual(rep.u.ctx_list[0].result,
2660 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
2661 self.assertEqual(rep.u.ctx_list[0].reason,
2662 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
2663 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
2664 self.assertNotEquals(len(rep.u.auth_info), 0)
2665 a = self.parse_auth(rep.u.auth_info)
2667 from_server = a.credentials
2668 (finished, to_server) = g.update(from_server)
2669 self.assertFalse(finished)
2671 auth_info = self.generate_auth(auth_type=auth_type,
2672 auth_level=auth_level,
2673 auth_context_id=auth_context_id,
2674 auth_blob=to_server)
2676 req = self.generate_alter(call_id=0,
2678 assoc_group_id=rep.u.assoc_group_id,
2679 auth_info=auth_info)
2682 rep = self.recv_pdu()
2683 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id)
2684 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
2685 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
2686 self.assertEqual(rep.u.assoc_group_id, req.u.assoc_group_id)
2687 self.assertEqual(rep.u.secondary_address_size, 0)
2688 self.assertPadding(rep.u._pad1, 2)
2689 self.assertEqual(rep.u.num_results, 1)
2690 self.assertEqual(rep.u.ctx_list[0].result,
2691 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
2692 self.assertEqual(rep.u.ctx_list[0].reason,
2693 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
2694 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
2695 self.assertNotEquals(len(rep.u.auth_info), 0)
2696 a = self.parse_auth(rep.u.auth_info)
2698 from_server = a.credentials
2699 (finished, to_server) = g.update(from_server)
2700 self.assertTrue(finished)
2702 # And now try a request without auth_info
2703 req = self.generate_request(call_id=2,
2704 context_id=ctx1.context_id,
2708 rep = self.recv_pdu()
2709 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2711 self.assertNotEquals(rep.u.alloc_hint, 0)
2712 self.assertEqual(rep.u.context_id, req.u.context_id & 0xff)
2713 self.assertEqual(rep.u.cancel_count, 0)
2714 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2716 # Now a request with auth_info DCERPC_AUTH_LEVEL_CONNECT
2717 auth_info = self.generate_auth(auth_type=auth_type,
2718 auth_level=auth_level,
2719 auth_context_id=auth_context_id,
2720 auth_blob=b"\x01" +b"\x00" *15)
2721 req = self.generate_request(call_id=3,
2722 context_id=ctx1.context_id,
2725 auth_info=auth_info)
2727 rep = self.recv_pdu()
2728 # We don't get an auth_info back
2729 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
2731 self.assertNotEquals(rep.u.alloc_hint, 0)
2732 self.assertEqual(rep.u.context_id, req.u.context_id & 0xff)
2733 self.assertEqual(rep.u.cancel_count, 0)
2734 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
2736 # Now a request with auth_info upgrade_auth_level
2737 auth_info = self.generate_auth(auth_type=auth_type,
2738 auth_level=upgrade_auth_level,
2739 auth_context_id=auth_context_id,
2740 auth_blob=b"\x01" + b"\x00" * 15)
2741 req = self.generate_request(call_id=4,
2742 context_id=ctx1.context_id,
2745 auth_info=auth_info)
2747 rep = self.recv_pdu()
2748 # We get a fault back
2749 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
2751 self.assertNotEquals(rep.u.alloc_hint, 0)
2752 self.assertEqual(rep.u.context_id, req.u.context_id)
2753 self.assertEqual(rep.u.cancel_count, 0)
2754 self.assertEqual(rep.u.flags, 0)
2755 self.assertEqual(rep.u.status, dcerpc.DCERPC_FAULT_ACCESS_DENIED)
2756 self.assertEqual(rep.u.reserved, 0)
2757 self.assertEqual(len(rep.u.error_and_verifier), 0)
2759 # wait for a disconnect
2760 rep = self.recv_pdu()
2761 self.assertIsNone(rep)
2762 self.assertNotConnected()
2764 def test_spnego_connect_packet_upgrade(self):
2765 return self._test_spnego_connect_upgrade_request(
2766 dcerpc.DCERPC_AUTH_LEVEL_PACKET)
2768 def test_spnego_connect_integrity_upgrade(self):
2769 return self._test_spnego_connect_upgrade_request(
2770 dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY)
2772 def _test_spnego_connect_downgrade_request(self, initial_auth_level):
2773 ndr32 = base.transfer_syntax_ndr()
2776 ctx1 = dcerpc.ctx_list()
2778 ctx1.num_transfer_syntaxes = len(tsf1_list)
2779 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
2780 ctx1.transfer_syntaxes = tsf1_list
2783 c = self.get_anon_creds()
2784 g = gensec.Security.start_client(self.settings)
2785 g.set_credentials(c)
2786 g.want_feature(gensec.FEATURE_DCE_STYLE)
2787 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
2788 auth_level = initial_auth_level
2790 g.start_mech_by_authtype(auth_type, auth_level)
2792 (finished, to_server) = g.update(from_server)
2793 self.assertFalse(finished)
2795 auth_info = self.generate_auth(auth_type=auth_type,
2796 auth_level=auth_level,
2797 auth_context_id=auth_context_id,
2798 auth_blob=to_server)
2800 req = self.generate_bind(call_id=0,
2802 auth_info=auth_info)
2805 rep = self.recv_pdu()
2806 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
2807 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
2808 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
2809 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
2810 self.assertEqual(rep.u.secondary_address_size, 4)
2811 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
2812 self.assertPadding(rep.u._pad1, 2)
2813 self.assertEqual(rep.u.num_results, 1)
2814 self.assertEqual(rep.u.ctx_list[0].result,
2815 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
2816 self.assertEqual(rep.u.ctx_list[0].reason,
2817 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
2818 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
2819 self.assertNotEquals(len(rep.u.auth_info), 0)
2820 a = self.parse_auth(rep.u.auth_info)
2822 from_server = a.credentials
2823 (finished, to_server) = g.update(from_server)
2824 self.assertFalse(finished)
2826 auth_info = self.generate_auth(auth_type=auth_type,
2827 auth_level=auth_level,
2828 auth_context_id=auth_context_id,
2829 auth_blob=to_server)
2831 req = self.generate_alter(call_id=0,
2833 assoc_group_id=rep.u.assoc_group_id,
2834 auth_info=auth_info)
2837 rep = self.recv_pdu()
2838 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id)
2839 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
2840 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
2841 self.assertEqual(rep.u.assoc_group_id, req.u.assoc_group_id)
2842 self.assertEqual(rep.u.secondary_address_size, 0)
2843 self.assertPadding(rep.u._pad1, 2)
2844 self.assertEqual(rep.u.num_results, 1)
2845 self.assertEqual(rep.u.ctx_list[0].result,
2846 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
2847 self.assertEqual(rep.u.ctx_list[0].reason,
2848 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
2849 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
2850 self.assertNotEquals(len(rep.u.auth_info), 0)
2851 a = self.parse_auth(rep.u.auth_info)
2853 from_server = a.credentials
2854 (finished, to_server) = g.update(from_server)
2855 self.assertTrue(finished)
2857 # Now a request with auth_info DCERPC_AUTH_LEVEL_CONNECT
2858 auth_info = self.generate_auth(auth_type=auth_type,
2859 auth_level=dcerpc.DCERPC_AUTH_LEVEL_CONNECT,
2860 auth_context_id=auth_context_id,
2861 auth_blob=b"\x01" + b"\x00" * 15)
2862 req = self.generate_request(call_id=3,
2863 context_id=ctx1.context_id,
2866 auth_info=auth_info)
2868 rep = self.recv_pdu()
2869 # We get a fault back
2870 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
2872 self.assertNotEquals(rep.u.alloc_hint, 0)
2873 self.assertEqual(rep.u.context_id, req.u.context_id)
2874 self.assertEqual(rep.u.cancel_count, 0)
2875 self.assertEqual(rep.u.flags, 0)
2876 self.assertEqual(rep.u.status, dcerpc.DCERPC_FAULT_ACCESS_DENIED)
2877 self.assertEqual(rep.u.reserved, 0)
2878 self.assertEqual(len(rep.u.error_and_verifier), 0)
2880 # wait for a disconnect
2881 rep = self.recv_pdu()
2882 self.assertIsNone(rep)
2883 self.assertNotConnected()
2885 def test_spnego_packet_downgrade_connect(self):
2886 return self._test_spnego_connect_downgrade_request(
2887 dcerpc.DCERPC_AUTH_LEVEL_PACKET)
2889 def test_spnego_integrity_downgrade_connect(self):
2890 return self._test_spnego_connect_upgrade_request(
2891 dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY)
2893 def test_spnego_unfinished_request(self):
2894 ndr32 = base.transfer_syntax_ndr()
2897 ctx1 = dcerpc.ctx_list()
2899 ctx1.num_transfer_syntaxes = len(tsf1_list)
2900 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
2901 ctx1.transfer_syntaxes = tsf1_list
2904 c = self.get_anon_creds()
2905 g = gensec.Security.start_client(self.settings)
2906 g.set_credentials(c)
2907 g.want_feature(gensec.FEATURE_DCE_STYLE)
2908 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
2909 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
2911 g.start_mech_by_authtype(auth_type, auth_level)
2913 (finished, to_server) = g.update(from_server)
2914 self.assertFalse(finished)
2916 auth_info = self.generate_auth(auth_type=auth_type,
2917 auth_level=auth_level,
2918 auth_context_id=auth_context_id,
2919 auth_blob=to_server)
2921 req = self.generate_bind(call_id=0,
2923 auth_info=auth_info)
2926 rep = self.recv_pdu()
2927 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
2928 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
2929 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
2930 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
2931 assoc_group_id = rep.u.assoc_group_id
2932 self.assertEqual(rep.u.secondary_address_size, 4)
2933 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
2934 self.assertPadding(rep.u._pad1, 2)
2935 self.assertEqual(rep.u.num_results, 1)
2936 self.assertEqual(rep.u.ctx_list[0].result,
2937 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
2938 self.assertEqual(rep.u.ctx_list[0].reason,
2939 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
2940 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
2941 self.assertNotEquals(len(rep.u.auth_info), 0)
2942 a = self.parse_auth(rep.u.auth_info)
2944 from_server = a.credentials
2945 (finished, to_server) = g.update(from_server)
2946 self.assertFalse(finished)
2948 # Now a request with auth_info DCERPC_AUTH_LEVEL_CONNECT
2949 auth_info = self.generate_auth(auth_type=auth_type,
2950 auth_level=auth_level,
2951 auth_context_id=auth_context_id,
2952 auth_blob=b"\x01" + b"\x00" * 15)
2953 req = self.generate_request(call_id=1,
2954 context_id=ctx1.context_id,
2957 auth_info=auth_info)
2959 rep = self.recv_pdu()
2961 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
2962 pfc_flags=req.pfc_flags |
2963 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
2965 self.assertNotEquals(rep.u.alloc_hint, 0)
2966 self.assertEqual(rep.u.context_id, 0)
2967 self.assertEqual(rep.u.cancel_count, 0)
2968 self.assertEqual(rep.u.flags, 0)
2969 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
2970 self.assertEqual(rep.u.reserved, 0)
2971 self.assertEqual(len(rep.u.error_and_verifier), 0)
2973 # wait for a disconnect
2974 rep = self.recv_pdu()
2975 self.assertIsNone(rep)
2976 self.assertNotConnected()
2978 def test_spnego_auth3(self):
2979 ndr32 = base.transfer_syntax_ndr()
2982 ctx1 = dcerpc.ctx_list()
2984 ctx1.num_transfer_syntaxes = len(tsf1_list)
2985 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
2986 ctx1.transfer_syntaxes = tsf1_list
2989 c = self.get_anon_creds()
2990 g = gensec.Security.start_client(self.settings)
2991 g.set_credentials(c)
2992 g.want_feature(gensec.FEATURE_DCE_STYLE)
2993 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
2994 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
2996 g.start_mech_by_authtype(auth_type, auth_level)
2998 (finished, to_server) = g.update(from_server)
2999 self.assertFalse(finished)
3001 auth_info = self.generate_auth(auth_type=auth_type,
3002 auth_level=auth_level,
3003 auth_context_id=auth_context_id,
3004 auth_blob=to_server)
3005 req = self.generate_bind(call_id=0,
3007 auth_info=auth_info)
3009 rep = self.recv_pdu()
3010 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
3011 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3012 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3013 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
3014 self.assertEqual(rep.u.secondary_address_size, 4)
3015 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
3016 self.assertPadding(rep.u._pad1, 2)
3017 self.assertEqual(rep.u.num_results, 1)
3018 self.assertEqual(rep.u.ctx_list[0].result,
3019 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3020 self.assertEqual(rep.u.ctx_list[0].reason,
3021 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3022 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3023 self.assertNotEquals(len(rep.u.auth_info), 0)
3024 a = self.parse_auth(rep.u.auth_info)
3026 from_server = a.credentials
3027 (finished, to_server) = g.update(from_server)
3028 self.assertFalse(finished)
3030 auth_info = self.generate_auth(auth_type=auth_type,
3031 auth_level=auth_level,
3032 auth_context_id=auth_context_id,
3033 auth_blob=to_server)
3034 req = self.generate_auth3(call_id=0,
3035 auth_info=auth_info)
3037 rep = self.recv_pdu(timeout=0.01)
3038 self.assertIsNone(rep)
3039 self.assertIsConnected()
3041 # And now try a request without auth_info
3042 req = self.generate_request(call_id=2,
3043 context_id=ctx1.context_id,
3047 rep = self.recv_pdu()
3048 # We get a fault back
3049 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
3051 self.assertNotEquals(rep.u.alloc_hint, 0)
3052 self.assertEqual(rep.u.context_id, req.u.context_id)
3053 self.assertEqual(rep.u.cancel_count, 0)
3054 self.assertEqual(rep.u.flags, 0)
3055 self.assertEqual(rep.u.status, dcerpc.DCERPC_FAULT_ACCESS_DENIED)
3056 self.assertEqual(rep.u.reserved, 0)
3057 self.assertEqual(len(rep.u.error_and_verifier), 0)
3059 # wait for a disconnect
3060 rep = self.recv_pdu()
3061 self.assertIsNone(rep)
3062 self.assertNotConnected()
3064 def test_spnego_connect_reauth_alter(self):
3065 ndr32 = base.transfer_syntax_ndr()
3066 ndr64 = base.transfer_syntax_ndr64()
3069 ctx1 = dcerpc.ctx_list()
3071 ctx1.num_transfer_syntaxes = len(tsf1_list)
3072 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3073 ctx1.transfer_syntaxes = tsf1_list
3076 c = self.get_anon_creds()
3077 g = gensec.Security.start_client(self.settings)
3078 g.set_credentials(c)
3079 g.want_feature(gensec.FEATURE_DCE_STYLE)
3080 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
3081 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
3083 g.start_mech_by_authtype(auth_type, auth_level)
3085 (finished, to_server) = g.update(from_server)
3086 self.assertFalse(finished)
3088 auth_info = self.generate_auth(auth_type=auth_type,
3089 auth_level=auth_level,
3090 auth_context_id=auth_context_id,
3091 auth_blob=to_server)
3093 req = self.generate_bind(call_id=0,
3095 auth_info=auth_info)
3098 rep = self.recv_pdu()
3099 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
3100 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3101 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3102 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
3103 self.assertEqual(rep.u.secondary_address_size, 4)
3104 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
3105 self.assertPadding(rep.u._pad1, 2)
3106 self.assertEqual(rep.u.num_results, 1)
3107 self.assertEqual(rep.u.ctx_list[0].result,
3108 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3109 self.assertEqual(rep.u.ctx_list[0].reason,
3110 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3111 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3112 self.assertNotEquals(len(rep.u.auth_info), 0)
3113 a = self.parse_auth(rep.u.auth_info)
3115 from_server = a.credentials
3116 (finished, to_server) = g.update(from_server)
3117 self.assertFalse(finished)
3119 auth_info = self.generate_auth(auth_type=auth_type,
3120 auth_level=auth_level,
3121 auth_context_id=auth_context_id,
3122 auth_blob=to_server)
3123 req = self.generate_alter(call_id=0,
3125 assoc_group_id=rep.u.assoc_group_id,
3126 auth_info=auth_info)
3128 rep = self.recv_pdu()
3129 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id)
3130 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3131 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3132 self.assertEqual(rep.u.assoc_group_id, req.u.assoc_group_id)
3133 self.assertEqual(rep.u.secondary_address_size, 0)
3134 self.assertPadding(rep.u._pad1, 2)
3135 self.assertEqual(rep.u.num_results, 1)
3136 self.assertEqual(rep.u.ctx_list[0].result,
3137 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3138 self.assertEqual(rep.u.ctx_list[0].reason,
3139 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3140 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3141 self.assertNotEquals(len(rep.u.auth_info), 0)
3142 a = self.parse_auth(rep.u.auth_info)
3144 from_server = a.credentials
3145 (finished, to_server) = g.update(from_server)
3146 self.assertTrue(finished)
3148 # And now try a request without auth_info
3149 req = self.generate_request(call_id=2,
3150 context_id=ctx1.context_id,
3154 rep = self.recv_pdu()
3155 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
3157 self.assertNotEquals(rep.u.alloc_hint, 0)
3158 self.assertEqual(rep.u.context_id, req.u.context_id & 0xff)
3159 self.assertEqual(rep.u.cancel_count, 0)
3160 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
3162 # Now a request with auth_info DCERPC_AUTH_LEVEL_CONNECT
3163 auth_info = self.generate_auth(auth_type=auth_type,
3164 auth_level=auth_level,
3165 auth_context_id=auth_context_id,
3166 auth_blob=b"\x01" + b"\x00" * 15)
3167 req = self.generate_request(call_id=3,
3168 context_id=ctx1.context_id,
3171 auth_info=auth_info)
3173 rep = self.recv_pdu()
3174 # We don't get an auth_info back
3175 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
3177 self.assertNotEquals(rep.u.alloc_hint, 0)
3178 self.assertEqual(rep.u.context_id, req.u.context_id)
3179 self.assertEqual(rep.u.cancel_count, 0)
3180 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
3184 g = gensec.Security.start_client(self.settings)
3185 g.set_credentials(c)
3186 g.want_feature(gensec.FEATURE_DCE_STYLE)
3187 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
3188 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
3190 g.start_mech_by_authtype(auth_type, auth_level)
3192 (finished, to_server) = g.update(from_server)
3193 self.assertFalse(finished)
3195 auth_info = self.generate_auth(auth_type=auth_type,
3196 auth_level=auth_level,
3197 auth_context_id=auth_context_id,
3198 auth_blob=to_server)
3199 req = self.generate_alter(call_id=0,
3201 auth_info=auth_info)
3203 rep = self.recv_pdu()
3205 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
3206 pfc_flags=req.pfc_flags |
3207 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
3209 self.assertNotEquals(rep.u.alloc_hint, 0)
3210 self.assertEqual(rep.u.context_id, 0)
3211 self.assertEqual(rep.u.cancel_count, 0)
3212 self.assertEqual(rep.u.flags, 0)
3213 self.assertEqual(rep.u.status, dcerpc.DCERPC_FAULT_ACCESS_DENIED)
3214 self.assertEqual(rep.u.reserved, 0)
3215 self.assertEqual(len(rep.u.error_and_verifier), 0)
3217 # wait for a disconnect
3218 rep = self.recv_pdu()
3219 self.assertIsNone(rep)
3220 self.assertNotConnected()
3222 def test_spnego_connect_reauth_auth3(self):
3223 ndr32 = base.transfer_syntax_ndr()
3224 ndr64 = base.transfer_syntax_ndr64()
3227 ctx1 = dcerpc.ctx_list()
3229 ctx1.num_transfer_syntaxes = len(tsf1_list)
3230 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3231 ctx1.transfer_syntaxes = tsf1_list
3234 c = self.get_anon_creds()
3235 g = gensec.Security.start_client(self.settings)
3236 g.set_credentials(c)
3237 g.want_feature(gensec.FEATURE_DCE_STYLE)
3238 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
3239 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
3241 g.start_mech_by_authtype(auth_type, auth_level)
3243 (finished, to_server) = g.update(from_server)
3244 self.assertFalse(finished)
3246 auth_info = self.generate_auth(auth_type=auth_type,
3247 auth_level=auth_level,
3248 auth_context_id=auth_context_id,
3249 auth_blob=to_server)
3251 req = self.generate_bind(call_id=0,
3253 auth_info=auth_info)
3256 rep = self.recv_pdu()
3257 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
3258 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3259 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3260 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
3261 self.assertEqual(rep.u.secondary_address_size, 4)
3262 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
3263 self.assertPadding(rep.u._pad1, 2)
3264 self.assertEqual(rep.u.num_results, 1)
3265 self.assertEqual(rep.u.ctx_list[0].result,
3266 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3267 self.assertEqual(rep.u.ctx_list[0].reason,
3268 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3269 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3270 self.assertNotEquals(len(rep.u.auth_info), 0)
3271 a = self.parse_auth(rep.u.auth_info)
3273 from_server = a.credentials
3274 (finished, to_server) = g.update(from_server)
3275 self.assertFalse(finished)
3277 auth_info = self.generate_auth(auth_type=auth_type,
3278 auth_level=auth_level,
3279 auth_context_id=auth_context_id,
3280 auth_blob=to_server)
3281 req = self.generate_alter(call_id=0,
3283 assoc_group_id=rep.u.assoc_group_id,
3284 auth_info=auth_info)
3286 rep = self.recv_pdu()
3287 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id)
3288 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3289 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3290 self.assertEqual(rep.u.assoc_group_id, req.u.assoc_group_id)
3291 self.assertEqual(rep.u.secondary_address_size, 0)
3292 self.assertPadding(rep.u._pad1, 2)
3293 self.assertEqual(rep.u.num_results, 1)
3294 self.assertEqual(rep.u.ctx_list[0].result,
3295 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3296 self.assertEqual(rep.u.ctx_list[0].reason,
3297 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3298 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3299 self.assertNotEquals(len(rep.u.auth_info), 0)
3300 a = self.parse_auth(rep.u.auth_info)
3302 from_server = a.credentials
3303 (finished, to_server) = g.update(from_server)
3304 self.assertTrue(finished)
3306 # And now try a request without auth_info
3307 req = self.generate_request(call_id=2,
3308 context_id=ctx1.context_id,
3312 rep = self.recv_pdu()
3313 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
3315 self.assertNotEquals(rep.u.alloc_hint, 0)
3316 self.assertEqual(rep.u.context_id, req.u.context_id)
3317 self.assertEqual(rep.u.cancel_count, 0)
3318 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
3320 # Now a request with auth_info DCERPC_AUTH_LEVEL_CONNECT
3321 auth_info = self.generate_auth(auth_type=auth_type,
3322 auth_level=auth_level,
3323 auth_context_id=auth_context_id,
3324 auth_blob=b"\x01" + b"\x00" * 15)
3325 req = self.generate_request(call_id=3,
3326 context_id=ctx1.context_id,
3329 auth_info=auth_info)
3331 rep = self.recv_pdu()
3332 # We don't get an auth_info back
3333 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
3335 self.assertNotEquals(rep.u.alloc_hint, 0)
3336 self.assertEqual(rep.u.context_id, req.u.context_id)
3337 self.assertEqual(rep.u.cancel_count, 0)
3338 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
3342 g = gensec.Security.start_client(self.settings)
3343 g.set_credentials(c)
3344 g.want_feature(gensec.FEATURE_DCE_STYLE)
3345 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
3346 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
3348 g.start_mech_by_authtype(auth_type, auth_level)
3350 (finished, to_server) = g.update(from_server)
3351 self.assertFalse(finished)
3353 auth_info = self.generate_auth(auth_type=auth_type,
3354 auth_level=auth_level,
3355 auth_context_id=auth_context_id,
3356 auth_blob=to_server)
3357 req = self.generate_auth3(call_id=0,
3358 auth_info=auth_info)
3360 rep = self.recv_pdu()
3362 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
3363 pfc_flags=req.pfc_flags |
3364 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
3366 self.assertNotEquals(rep.u.alloc_hint, 0)
3367 self.assertEqual(rep.u.context_id, 0)
3368 self.assertEqual(rep.u.cancel_count, 0)
3369 self.assertEqual(rep.u.flags, 0)
3370 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
3371 self.assertEqual(rep.u.reserved, 0)
3372 self.assertEqual(len(rep.u.error_and_verifier), 0)
3374 # wait for a disconnect
3375 rep = self.recv_pdu()
3376 self.assertIsNone(rep)
3377 self.assertNotConnected()
3379 def test_spnego_change_auth_level(self):
3380 ndr32 = base.transfer_syntax_ndr()
3383 ctx1 = dcerpc.ctx_list()
3385 ctx1.num_transfer_syntaxes = len(tsf1_list)
3386 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3387 ctx1.transfer_syntaxes = tsf1_list
3389 c = self.get_anon_creds()
3390 g = gensec.Security.start_client(self.settings)
3391 g.set_credentials(c)
3392 g.want_feature(gensec.FEATURE_DCE_STYLE)
3393 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
3394 auth_level = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
3396 g.start_mech_by_authtype(auth_type, auth_level)
3398 (finished, to_server) = g.update(from_server)
3399 self.assertFalse(finished)
3401 auth_info = self.generate_auth(auth_type=auth_type,
3402 auth_level=auth_level,
3403 auth_context_id=auth_context_id,
3404 auth_blob=to_server)
3405 req = self.generate_bind(call_id=0,
3407 auth_info=auth_info)
3409 rep = self.recv_pdu()
3410 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
3411 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3412 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3413 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
3414 self.assertEqual(rep.u.secondary_address_size, 4)
3415 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
3416 self.assertPadding(rep.u._pad1, 2)
3417 self.assertEqual(rep.u.num_results, 1)
3418 self.assertEqual(rep.u.ctx_list[0].result,
3419 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3420 self.assertEqual(rep.u.ctx_list[0].reason,
3421 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3422 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3423 self.assertNotEquals(len(rep.u.auth_info), 0)
3424 a = self.parse_auth(rep.u.auth_info)
3426 from_server = a.credentials
3427 (finished, to_server) = g.update(from_server)
3428 self.assertFalse(finished)
3430 auth_info = self.generate_auth(auth_type=auth_type,
3431 auth_level=dcerpc.DCERPC_AUTH_LEVEL_PRIVACY,
3432 auth_context_id=auth_context_id,
3433 auth_blob=to_server)
3434 req = self.generate_alter(call_id=0,
3436 assoc_group_id=rep.u.assoc_group_id,
3437 auth_info=auth_info)
3439 rep = self.recv_pdu()
3440 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
3441 pfc_flags=req.pfc_flags |
3442 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
3444 self.assertNotEquals(rep.u.alloc_hint, 0)
3445 self.assertEqual(rep.u.context_id, 0)
3446 self.assertEqual(rep.u.cancel_count, 0)
3447 self.assertEqual(rep.u.flags, 0)
3448 self.assertEqual(rep.u.status, dcerpc.DCERPC_FAULT_ACCESS_DENIED)
3449 self.assertEqual(rep.u.reserved, 0)
3450 self.assertEqual(len(rep.u.error_and_verifier), 0)
3452 # wait for a disconnect
3453 rep = self.recv_pdu()
3454 self.assertIsNone(rep)
3455 self.assertNotConnected()
3457 def test_spnego_change_abstract(self):
3458 ndr32 = base.transfer_syntax_ndr()
3461 ctx1 = dcerpc.ctx_list()
3463 ctx1.num_transfer_syntaxes = len(tsf1_list)
3464 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3465 ctx1.transfer_syntaxes = tsf1_list
3467 ctx1b = dcerpc.ctx_list()
3468 ctx1b.context_id = 1
3469 ctx1b.num_transfer_syntaxes = len(tsf1_list)
3470 ctx1b.abstract_syntax = samba.dcerpc.epmapper.abstract_syntax()
3471 ctx1b.transfer_syntaxes = tsf1_list
3473 c = self.get_anon_creds()
3474 g = gensec.Security.start_client(self.settings)
3475 g.set_credentials(c)
3476 g.want_feature(gensec.FEATURE_DCE_STYLE)
3477 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
3478 auth_level = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
3480 g.start_mech_by_authtype(auth_type, auth_level)
3482 (finished, to_server) = g.update(from_server)
3483 self.assertFalse(finished)
3485 auth_info = self.generate_auth(auth_type=auth_type,
3486 auth_level=auth_level,
3487 auth_context_id=auth_context_id,
3488 auth_blob=to_server)
3489 req = self.generate_bind(call_id=0,
3491 auth_info=auth_info)
3493 rep = self.recv_pdu()
3494 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
3495 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3496 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3497 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
3498 self.assertEqual(rep.u.secondary_address_size, 4)
3499 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
3500 self.assertPadding(rep.u._pad1, 2)
3501 self.assertEqual(rep.u.num_results, 1)
3502 self.assertEqual(rep.u.ctx_list[0].result,
3503 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3504 self.assertEqual(rep.u.ctx_list[0].reason,
3505 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3506 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3507 self.assertNotEquals(len(rep.u.auth_info), 0)
3508 a = self.parse_auth(rep.u.auth_info)
3510 from_server = a.credentials
3511 (finished, to_server) = g.update(from_server)
3512 self.assertFalse(finished)
3514 auth_info = self.generate_auth(auth_type=auth_type,
3515 auth_level=dcerpc.DCERPC_AUTH_LEVEL_PRIVACY,
3516 auth_context_id=auth_context_id,
3517 auth_blob=to_server)
3518 req = self.generate_alter(call_id=0,
3520 assoc_group_id=rep.u.assoc_group_id,
3521 auth_info=auth_info)
3523 rep = self.recv_pdu()
3524 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
3525 pfc_flags=req.pfc_flags |
3526 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
3528 self.assertNotEquals(rep.u.alloc_hint, 0)
3529 self.assertEqual(rep.u.context_id, 0)
3530 self.assertEqual(rep.u.cancel_count, 0)
3531 self.assertEqual(rep.u.flags, 0)
3532 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
3533 self.assertEqual(rep.u.reserved, 0)
3534 self.assertEqual(len(rep.u.error_and_verifier), 0)
3536 # wait for a disconnect
3537 rep = self.recv_pdu()
3538 self.assertIsNone(rep)
3539 self.assertNotConnected()
3541 def test_spnego_change_transfer(self):
3542 ndr32 = base.transfer_syntax_ndr()
3543 ndr64 = base.transfer_syntax_ndr64()
3546 ctx1 = dcerpc.ctx_list()
3548 ctx1.num_transfer_syntaxes = len(tsf1_list)
3549 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3550 ctx1.transfer_syntaxes = tsf1_list
3552 tsf1b_list = [ndr32, ndr64]
3553 ctx1b = dcerpc.ctx_list()
3554 ctx1b.context_id = 1
3555 ctx1b.num_transfer_syntaxes = len(tsf1b_list)
3556 ctx1b.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3557 ctx1b.transfer_syntaxes = tsf1b_list
3559 c = self.get_anon_creds()
3560 g = gensec.Security.start_client(self.settings)
3561 g.set_credentials(c)
3562 g.want_feature(gensec.FEATURE_DCE_STYLE)
3563 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
3564 auth_level = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
3566 g.start_mech_by_authtype(auth_type, auth_level)
3568 (finished, to_server) = g.update(from_server)
3569 self.assertFalse(finished)
3571 auth_info = self.generate_auth(auth_type=auth_type,
3572 auth_level=auth_level,
3573 auth_context_id=auth_context_id,
3574 auth_blob=to_server)
3575 req = self.generate_bind(call_id=0,
3577 auth_info=auth_info)
3579 rep = self.recv_pdu()
3580 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
3581 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3582 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3583 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
3584 self.assertEqual(rep.u.secondary_address_size, 4)
3585 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
3586 self.assertPadding(rep.u._pad1, 2)
3587 self.assertEqual(rep.u.num_results, 1)
3588 self.assertEqual(rep.u.ctx_list[0].result,
3589 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3590 self.assertEqual(rep.u.ctx_list[0].reason,
3591 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3592 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3593 self.assertNotEquals(len(rep.u.auth_info), 0)
3594 a = self.parse_auth(rep.u.auth_info)
3596 from_server = a.credentials
3597 (finished, to_server) = g.update(from_server)
3598 self.assertFalse(finished)
3600 # We change ctx_list and auth_level
3601 auth_info = self.generate_auth(auth_type=auth_type,
3602 auth_level=dcerpc.DCERPC_AUTH_LEVEL_PRIVACY,
3603 auth_context_id=auth_context_id,
3604 auth_blob=to_server)
3605 req = self.generate_alter(call_id=0,
3607 assoc_group_id=rep.u.assoc_group_id,
3608 auth_info=auth_info)
3610 rep = self.recv_pdu()
3611 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
3612 pfc_flags=req.pfc_flags |
3613 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
3615 self.assertNotEquals(rep.u.alloc_hint, 0)
3616 self.assertEqual(rep.u.context_id, 0)
3617 self.assertEqual(rep.u.cancel_count, 0)
3618 self.assertEqual(rep.u.flags, 0)
3619 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
3620 self.assertEqual(rep.u.reserved, 0)
3621 self.assertEqual(len(rep.u.error_and_verifier), 0)
3623 # wait for a disconnect
3624 rep = self.recv_pdu()
3625 self.assertIsNone(rep)
3626 self.assertNotConnected()
3628 def test_spnego_change_auth_type1(self):
3629 ndr32 = base.transfer_syntax_ndr()
3630 ndr64 = base.transfer_syntax_ndr64()
3633 ctx1 = dcerpc.ctx_list()
3635 ctx1.num_transfer_syntaxes = len(tsf1_list)
3636 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3637 ctx1.transfer_syntaxes = tsf1_list
3639 c = self.get_anon_creds()
3640 g = gensec.Security.start_client(self.settings)
3641 g.set_credentials(c)
3642 g.want_feature(gensec.FEATURE_DCE_STYLE)
3643 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
3644 auth_level = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
3646 g.start_mech_by_authtype(auth_type, auth_level)
3648 (finished, to_server) = g.update(from_server)
3649 self.assertFalse(finished)
3651 auth_info = self.generate_auth(auth_type=auth_type,
3652 auth_level=auth_level,
3653 auth_context_id=auth_context_id,
3654 auth_blob=to_server)
3655 req = self.generate_bind(call_id=0,
3657 auth_info=auth_info)
3659 rep = self.recv_pdu()
3660 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
3661 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3662 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3663 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
3664 self.assertEqual(rep.u.secondary_address_size, 4)
3665 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
3666 self.assertPadding(rep.u._pad1, 2)
3667 self.assertEqual(rep.u.num_results, 1)
3668 self.assertEqual(rep.u.ctx_list[0].result,
3669 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3670 self.assertEqual(rep.u.ctx_list[0].reason,
3671 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3672 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3673 self.assertNotEquals(len(rep.u.auth_info), 0)
3674 a = self.parse_auth(rep.u.auth_info)
3676 from_server = a.credentials
3677 (finished, to_server) = g.update(from_server)
3678 self.assertFalse(finished)
3680 # We change ctx_list and auth_level
3681 auth_info = self.generate_auth(auth_type=dcerpc.DCERPC_AUTH_TYPE_KRB5,
3682 auth_level=auth_level,
3683 auth_context_id=auth_context_id,
3684 auth_blob=to_server)
3685 req = self.generate_alter(call_id=0,
3687 assoc_group_id=rep.u.assoc_group_id,
3688 auth_info=auth_info)
3690 rep = self.recv_pdu()
3691 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
3692 pfc_flags=req.pfc_flags |
3693 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
3695 self.assertNotEquals(rep.u.alloc_hint, 0)
3696 self.assertEqual(rep.u.context_id, 0)
3697 self.assertEqual(rep.u.cancel_count, 0)
3698 self.assertEqual(rep.u.flags, 0)
3699 self.assertEqual(rep.u.status, dcerpc.DCERPC_FAULT_SEC_PKG_ERROR)
3700 self.assertEqual(rep.u.reserved, 0)
3701 self.assertEqual(len(rep.u.error_and_verifier), 0)
3703 # wait for a disconnect
3704 rep = self.recv_pdu()
3705 self.assertIsNone(rep)
3706 self.assertNotConnected()
3708 def test_spnego_change_auth_type2(self):
3709 ndr32 = base.transfer_syntax_ndr()
3710 ndr64 = base.transfer_syntax_ndr64()
3713 ctx1 = dcerpc.ctx_list()
3715 ctx1.num_transfer_syntaxes = len(tsf1_list)
3716 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3717 ctx1.transfer_syntaxes = tsf1_list
3719 tsf1b_list = [ndr32, ndr64]
3720 ctx1b = dcerpc.ctx_list()
3721 ctx1b.context_id = 1
3722 ctx1b.num_transfer_syntaxes = len(tsf1b_list)
3723 ctx1b.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3724 ctx1b.transfer_syntaxes = tsf1b_list
3726 c = self.get_anon_creds()
3727 g = gensec.Security.start_client(self.settings)
3728 g.set_credentials(c)
3729 g.want_feature(gensec.FEATURE_DCE_STYLE)
3730 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
3731 auth_level = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
3733 g.start_mech_by_authtype(auth_type, auth_level)
3735 (finished, to_server) = g.update(from_server)
3736 self.assertFalse(finished)
3738 auth_info = self.generate_auth(auth_type=auth_type,
3739 auth_level=auth_level,
3740 auth_context_id=auth_context_id,
3741 auth_blob=to_server)
3742 req = self.generate_bind(call_id=0,
3744 auth_info=auth_info)
3746 rep = self.recv_pdu()
3747 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
3748 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3749 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3750 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
3751 self.assertEqual(rep.u.secondary_address_size, 4)
3752 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
3753 self.assertPadding(rep.u._pad1, 2)
3754 self.assertEqual(rep.u.num_results, 1)
3755 self.assertEqual(rep.u.ctx_list[0].result,
3756 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3757 self.assertEqual(rep.u.ctx_list[0].reason,
3758 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3759 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3760 self.assertNotEquals(len(rep.u.auth_info), 0)
3761 a = self.parse_auth(rep.u.auth_info)
3763 from_server = a.credentials
3764 (finished, to_server) = g.update(from_server)
3765 self.assertFalse(finished)
3767 # We change ctx_list and auth_level
3768 auth_info = self.generate_auth(auth_type=dcerpc.DCERPC_AUTH_TYPE_KRB5,
3769 auth_level=auth_level,
3770 auth_context_id=auth_context_id,
3771 auth_blob=to_server)
3772 req = self.generate_alter(call_id=0,
3774 assoc_group_id=rep.u.assoc_group_id,
3775 auth_info=auth_info)
3777 rep = self.recv_pdu()
3778 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
3779 pfc_flags=req.pfc_flags |
3780 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
3782 self.assertNotEquals(rep.u.alloc_hint, 0)
3783 self.assertEqual(rep.u.context_id, 0)
3784 self.assertEqual(rep.u.cancel_count, 0)
3785 self.assertEqual(rep.u.flags, 0)
3786 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
3787 self.assertEqual(rep.u.reserved, 0)
3788 self.assertEqual(len(rep.u.error_and_verifier), 0)
3790 # wait for a disconnect
3791 rep = self.recv_pdu()
3792 self.assertIsNone(rep)
3793 self.assertNotConnected()
3795 def test_spnego_change_auth_type3(self):
3796 ndr32 = base.transfer_syntax_ndr()
3797 ndr64 = base.transfer_syntax_ndr64()
3800 ctx1 = dcerpc.ctx_list()
3802 ctx1.num_transfer_syntaxes = len(tsf1_list)
3803 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3804 ctx1.transfer_syntaxes = tsf1_list
3806 tsf1b_list = [ndr32, ndr64]
3807 ctx1b = dcerpc.ctx_list()
3808 ctx1b.context_id = 1
3809 ctx1b.num_transfer_syntaxes = len(tsf1b_list)
3810 ctx1b.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3811 ctx1b.transfer_syntaxes = tsf1b_list
3813 c = self.get_anon_creds()
3814 g = gensec.Security.start_client(self.settings)
3815 g.set_credentials(c)
3816 g.want_feature(gensec.FEATURE_DCE_STYLE)
3817 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
3818 auth_level = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
3820 g.start_mech_by_authtype(auth_type, auth_level)
3822 (finished, to_server) = g.update(from_server)
3823 self.assertFalse(finished)
3825 auth_info = self.generate_auth(auth_type=auth_type,
3826 auth_level=auth_level,
3827 auth_context_id=auth_context_id,
3828 auth_blob=to_server)
3829 req = self.generate_bind(call_id=0,
3831 auth_info=auth_info)
3833 rep = self.recv_pdu()
3834 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
3835 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3836 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3837 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
3838 self.assertEqual(rep.u.secondary_address_size, 4)
3839 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
3840 self.assertPadding(rep.u._pad1, 2)
3841 self.assertEqual(rep.u.num_results, 1)
3842 self.assertEqual(rep.u.ctx_list[0].result,
3843 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3844 self.assertEqual(rep.u.ctx_list[0].reason,
3845 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3846 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3847 self.assertNotEquals(len(rep.u.auth_info), 0)
3848 a = self.parse_auth(rep.u.auth_info)
3850 from_server = a.credentials
3851 (finished, to_server) = g.update(from_server)
3852 self.assertFalse(finished)
3854 # We change ctx_list and auth_level
3855 auth_info = self.generate_auth(auth_type=dcerpc.DCERPC_AUTH_TYPE_NONE,
3856 auth_level=auth_level,
3857 auth_context_id=auth_context_id,
3858 auth_blob=to_server)
3859 req = self.generate_alter(call_id=0,
3861 assoc_group_id=rep.u.assoc_group_id,
3862 auth_info=auth_info)
3864 rep = self.recv_pdu()
3865 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
3866 pfc_flags=req.pfc_flags |
3867 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
3869 self.assertNotEquals(rep.u.alloc_hint, 0)
3870 self.assertEqual(rep.u.context_id, 0)
3871 self.assertEqual(rep.u.cancel_count, 0)
3872 self.assertEqual(rep.u.flags, 0)
3873 self.assertEqual(rep.u.status, dcerpc.DCERPC_FAULT_ACCESS_DENIED)
3874 self.assertEqual(rep.u.reserved, 0)
3875 self.assertEqual(len(rep.u.error_and_verifier), 0)
3877 # wait for a disconnect
3878 rep = self.recv_pdu()
3879 self.assertIsNone(rep)
3880 self.assertNotConnected()
3882 def test_spnego_auth_pad_ok(self):
3883 ndr32 = base.transfer_syntax_ndr()
3886 ctx1 = dcerpc.ctx_list()
3888 ctx1.num_transfer_syntaxes = len(tsf1_list)
3889 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
3890 ctx1.transfer_syntaxes = tsf1_list
3893 c = self.get_anon_creds()
3894 g = gensec.Security.start_client(self.settings)
3895 g.set_credentials(c)
3896 g.want_feature(gensec.FEATURE_DCE_STYLE)
3897 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
3898 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
3900 g.start_mech_by_authtype(auth_type, auth_level)
3902 (finished, to_server) = g.update(from_server)
3903 self.assertFalse(finished)
3905 auth_info = self.generate_auth(auth_type=auth_type,
3906 auth_level=auth_level,
3907 auth_context_id=auth_context_id,
3908 auth_blob=to_server)
3910 req = self.generate_bind(call_id=0,
3912 auth_info=auth_info)
3913 req_pdu = samba.ndr.ndr_pack(req)
3915 auth_pad_ok = len(req_pdu)
3916 auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
3917 auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
3918 auth_pad_ok -= len(to_server)
3920 auth_info = self.generate_auth(auth_type=auth_type,
3921 auth_level=auth_level,
3922 auth_context_id=auth_context_id,
3923 auth_pad_length=auth_pad_ok,
3924 auth_blob=to_server)
3926 req = self.generate_bind(call_id=0,
3928 auth_info=auth_info)
3930 rep = self.recv_pdu()
3931 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
3932 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3933 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3934 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
3935 self.assertEqual(rep.u.secondary_address_size, 4)
3936 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
3937 self.assertPadding(rep.u._pad1, 2)
3938 self.assertEqual(rep.u.num_results, 1)
3939 self.assertEqual(rep.u.ctx_list[0].result,
3940 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3941 self.assertEqual(rep.u.ctx_list[0].reason,
3942 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3943 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3944 self.assertNotEquals(len(rep.u.auth_info), 0)
3945 a = self.parse_auth(rep.u.auth_info)
3947 from_server = a.credentials
3948 (finished, to_server) = g.update(from_server)
3949 self.assertFalse(finished)
3951 auth_info = self.generate_auth(auth_type=auth_type,
3952 auth_level=auth_level,
3953 auth_context_id=auth_context_id,
3954 auth_blob=to_server)
3955 req = self.generate_alter(call_id=0,
3957 assoc_group_id=rep.u.assoc_group_id,
3958 auth_info=auth_info)
3959 req_pdu = samba.ndr.ndr_pack(req)
3961 auth_pad_ok = len(req_pdu)
3962 auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
3963 auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
3964 auth_pad_ok -= len(to_server)
3965 auth_info = self.generate_auth(auth_type=auth_type,
3966 auth_level=auth_level,
3967 auth_context_id=auth_context_id,
3968 auth_pad_length=auth_pad_ok,
3969 auth_blob=to_server)
3970 req = self.generate_alter(call_id=0,
3972 assoc_group_id=rep.u.assoc_group_id,
3973 auth_info=auth_info)
3975 rep = self.recv_pdu()
3976 self.verify_pdu(rep, dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id)
3977 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
3978 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
3979 self.assertEqual(rep.u.assoc_group_id, req.u.assoc_group_id)
3980 self.assertEqual(rep.u.secondary_address_size, 0)
3981 self.assertPadding(rep.u._pad1, 2)
3982 self.assertEqual(rep.u.num_results, 1)
3983 self.assertEqual(rep.u.ctx_list[0].result,
3984 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
3985 self.assertEqual(rep.u.ctx_list[0].reason,
3986 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
3987 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
3988 self.assertNotEquals(len(rep.u.auth_info), 0)
3989 a = self.parse_auth(rep.u.auth_info)
3991 from_server = a.credentials
3992 (finished, to_server) = g.update(from_server)
3993 self.assertTrue(finished)
3995 # And now try a request without auth_info
3996 req = self.generate_request(call_id=2,
3997 context_id=ctx1.context_id,
4001 rep = self.recv_pdu()
4002 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
4004 self.assertNotEquals(rep.u.alloc_hint, 0)
4005 self.assertEqual(rep.u.context_id, req.u.context_id)
4006 self.assertEqual(rep.u.cancel_count, 0)
4007 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
4009 # Now a request with auth_info DCERPC_AUTH_LEVEL_CONNECT
4010 auth_info = self.generate_auth(auth_type=auth_type,
4011 auth_level=auth_level,
4012 auth_context_id=auth_context_id,
4013 auth_blob=b"\x01" + b"\x00" * 15)
4014 req = self.generate_request(call_id=3,
4015 context_id=ctx1.context_id,
4018 auth_info=auth_info)
4020 rep = self.recv_pdu()
4021 # We don't get an auth_info back
4022 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
4024 self.assertNotEquals(rep.u.alloc_hint, 0)
4025 self.assertEqual(rep.u.context_id, req.u.context_id)
4026 self.assertEqual(rep.u.cancel_count, 0)
4027 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
4029 self._disconnect("disconnect")
4030 self.assertNotConnected()
4032 def test_spnego_auth_pad_fail_bind(self):
4033 ndr32 = base.transfer_syntax_ndr()
4036 ctx1 = dcerpc.ctx_list()
4038 ctx1.num_transfer_syntaxes = len(tsf1_list)
4039 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
4040 ctx1.transfer_syntaxes = tsf1_list
4043 c = self.get_anon_creds()
4044 g = gensec.Security.start_client(self.settings)
4045 g.set_credentials(c)
4046 g.want_feature(gensec.FEATURE_DCE_STYLE)
4047 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
4048 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
4050 g.start_mech_by_authtype(auth_type, auth_level)
4052 (finished, to_server) = g.update(from_server)
4053 self.assertFalse(finished)
4055 auth_info = self.generate_auth(auth_type=auth_type,
4056 auth_level=auth_level,
4057 auth_context_id=auth_context_id,
4058 auth_blob=to_server)
4060 req = self.generate_bind(call_id=0,
4062 auth_info=auth_info)
4063 req_pdu = samba.ndr.ndr_pack(req)
4065 auth_pad_ok = len(req_pdu)
4066 auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
4067 auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4068 auth_pad_ok -= len(to_server)
4069 auth_pad_bad = auth_pad_ok + 1
4070 auth_info = self.generate_auth(auth_type=auth_type,
4071 auth_level=auth_level,
4072 auth_context_id=auth_context_id,
4073 auth_pad_length=auth_pad_bad,
4074 auth_blob=to_server)
4076 req = self.generate_bind(call_id=0,
4078 auth_info=auth_info)
4080 rep = self.recv_pdu()
4081 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_NAK, req.call_id,
4083 self.assertEqual(rep.u.reject_reason,
4084 dcerpc.DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED)
4085 self.assertEqual(rep.u.num_versions, 1)
4086 self.assertEqual(rep.u.versions[0].rpc_vers, req.rpc_vers)
4087 self.assertEqual(rep.u.versions[0].rpc_vers_minor, req.rpc_vers_minor)
4088 self.assertEqual(len(rep.u._pad), 3)
4089 self.assertEqual(rep.u._pad, b'\0' * 3)
4091 # wait for a disconnect
4092 rep = self.recv_pdu()
4093 self.assertIsNone(rep)
4094 self.assertNotConnected()
4096 def test_spnego_auth_pad_fail_alter(self):
4097 ndr32 = base.transfer_syntax_ndr()
4100 ctx1 = dcerpc.ctx_list()
4102 ctx1.num_transfer_syntaxes = len(tsf1_list)
4103 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
4104 ctx1.transfer_syntaxes = tsf1_list
4107 c = self.get_anon_creds()
4108 g = gensec.Security.start_client(self.settings)
4109 g.set_credentials(c)
4110 g.want_feature(gensec.FEATURE_DCE_STYLE)
4111 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
4112 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
4114 g.start_mech_by_authtype(auth_type, auth_level)
4116 (finished, to_server) = g.update(from_server)
4117 self.assertFalse(finished)
4119 auth_info = self.generate_auth(auth_type=auth_type,
4120 auth_level=auth_level,
4121 auth_context_id=auth_context_id,
4122 auth_blob=to_server)
4124 req = self.generate_bind(call_id=0,
4126 auth_info=auth_info)
4127 req_pdu = samba.ndr.ndr_pack(req)
4129 auth_pad_ok = len(req_pdu)
4130 auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
4131 auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4132 auth_pad_ok -= len(to_server)
4134 auth_info = self.generate_auth(auth_type=auth_type,
4135 auth_level=auth_level,
4136 auth_context_id=auth_context_id,
4137 auth_pad_length=auth_pad_ok,
4138 auth_blob=to_server)
4140 req = self.generate_bind(call_id=0,
4142 auth_info=auth_info)
4144 rep = self.recv_pdu()
4145 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
4146 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
4147 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
4148 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
4149 self.assertEqual(rep.u.secondary_address_size, 4)
4150 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
4151 self.assertPadding(rep.u._pad1, 2)
4152 self.assertEqual(rep.u.num_results, 1)
4153 self.assertEqual(rep.u.ctx_list[0].result,
4154 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
4155 self.assertEqual(rep.u.ctx_list[0].reason,
4156 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
4157 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
4158 self.assertNotEquals(len(rep.u.auth_info), 0)
4159 a = self.parse_auth(rep.u.auth_info)
4161 from_server = a.credentials
4162 (finished, to_server) = g.update(from_server)
4163 self.assertFalse(finished)
4165 auth_info = self.generate_auth(auth_type=auth_type,
4166 auth_level=auth_level,
4167 auth_context_id=auth_context_id,
4168 auth_blob=to_server)
4169 req = self.generate_alter(call_id=0,
4171 assoc_group_id=rep.u.assoc_group_id,
4172 auth_info=auth_info)
4173 req_pdu = samba.ndr.ndr_pack(req)
4175 auth_pad_ok = len(req_pdu)
4176 auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
4177 auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4178 auth_pad_ok -= len(to_server)
4179 auth_pad_bad = auth_pad_ok + 1
4180 auth_info = self.generate_auth(auth_type=auth_type,
4181 auth_level=auth_level,
4182 auth_context_id=auth_context_id,
4183 auth_pad_length=auth_pad_bad,
4184 auth_blob=to_server)
4185 req = self.generate_alter(call_id=0,
4187 assoc_group_id=rep.u.assoc_group_id,
4188 auth_info=auth_info)
4190 rep = self.recv_pdu()
4191 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
4192 pfc_flags=req.pfc_flags |
4193 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
4195 self.assertNotEquals(rep.u.alloc_hint, 0)
4196 self.assertEqual(rep.u.context_id, 0)
4197 self.assertEqual(rep.u.cancel_count, 0)
4198 self.assertEqual(rep.u.flags, 0)
4199 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_PROTO_ERROR)
4200 self.assertEqual(rep.u.reserved, 0)
4201 self.assertEqual(len(rep.u.error_and_verifier), 0)
4203 # wait for a disconnect
4204 rep = self.recv_pdu()
4205 self.assertIsNone(rep)
4206 self.assertNotConnected()
4208 def test_ntlmssp_auth_pad_ok(self):
4209 ndr32 = base.transfer_syntax_ndr()
4212 ctx1 = dcerpc.ctx_list()
4214 ctx1.num_transfer_syntaxes = len(tsf1_list)
4215 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
4216 ctx1.transfer_syntaxes = tsf1_list
4219 c = self.get_anon_creds()
4220 g = gensec.Security.start_client(self.settings)
4221 g.set_credentials(c)
4222 g.want_feature(gensec.FEATURE_DCE_STYLE)
4223 auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
4224 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
4226 g.start_mech_by_authtype(auth_type, auth_level)
4228 (finished, to_server) = g.update(from_server)
4229 self.assertFalse(finished)
4231 auth_info = self.generate_auth(auth_type=auth_type,
4232 auth_level=auth_level,
4233 auth_context_id=auth_context_id,
4234 auth_blob=to_server)
4236 req = self.generate_bind(call_id=0,
4238 auth_info=auth_info)
4239 req_pdu = samba.ndr.ndr_pack(req)
4241 auth_pad_ok = len(req_pdu)
4242 auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
4243 auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4244 auth_pad_ok -= len(to_server)
4246 auth_info = self.generate_auth(auth_type=auth_type,
4247 auth_level=auth_level,
4248 auth_context_id=auth_context_id,
4249 auth_pad_length=auth_pad_ok,
4250 auth_blob=to_server)
4252 req = self.generate_bind(call_id=0,
4254 auth_info=auth_info)
4256 rep = self.recv_pdu()
4257 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
4258 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
4259 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
4260 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
4261 self.assertEqual(rep.u.secondary_address_size, 4)
4262 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
4263 self.assertPadding(rep.u._pad1, 2)
4264 self.assertEqual(rep.u.num_results, 1)
4265 self.assertEqual(rep.u.ctx_list[0].result,
4266 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
4267 self.assertEqual(rep.u.ctx_list[0].reason,
4268 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
4269 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
4270 self.assertNotEquals(len(rep.u.auth_info), 0)
4271 a = self.parse_auth(rep.u.auth_info)
4273 from_server = a.credentials
4274 (finished, to_server) = g.update(from_server)
4275 self.assertTrue(finished)
4278 auth_info = self.generate_auth(auth_type=auth_type,
4279 auth_level=auth_level,
4280 auth_context_id=auth_context_id,
4281 auth_pad_length=auth_pad_ok,
4282 auth_blob=to_server)
4283 req = self.generate_auth3(call_id=0,
4284 auth_info=auth_info)
4286 rep = self.recv_pdu(timeout=0.01)
4287 self.assertIsNone(rep)
4288 self.assertIsConnected()
4290 # And now try a request without auth_info
4291 req = self.generate_request(call_id=2,
4292 context_id=ctx1.context_id,
4296 rep = self.recv_pdu()
4297 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
4299 self.assertNotEquals(rep.u.alloc_hint, 0)
4300 self.assertEqual(rep.u.context_id, req.u.context_id)
4301 self.assertEqual(rep.u.cancel_count, 0)
4302 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
4304 # Now a request with auth_info DCERPC_AUTH_LEVEL_CONNECT
4305 auth_info = self.generate_auth(auth_type=auth_type,
4306 auth_level=auth_level,
4307 auth_context_id=auth_context_id,
4308 auth_blob=b"\x01" + b"\x00" * 15)
4309 req = self.generate_request(call_id=3,
4310 context_id=ctx1.context_id,
4313 auth_info=auth_info)
4315 rep = self.recv_pdu()
4316 # We don't get an auth_info back
4317 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
4319 self.assertNotEquals(rep.u.alloc_hint, 0)
4320 self.assertEqual(rep.u.context_id, req.u.context_id)
4321 self.assertEqual(rep.u.cancel_count, 0)
4322 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
4324 self._disconnect("disconnect")
4325 self.assertNotConnected()
4327 def test_ntlmssp_auth_pad_fail_auth3(self):
4328 ndr32 = base.transfer_syntax_ndr()
4331 ctx1 = dcerpc.ctx_list()
4333 ctx1.num_transfer_syntaxes = len(tsf1_list)
4334 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
4335 ctx1.transfer_syntaxes = tsf1_list
4338 c = self.get_anon_creds()
4339 g = gensec.Security.start_client(self.settings)
4340 g.set_credentials(c)
4341 g.want_feature(gensec.FEATURE_DCE_STYLE)
4342 auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
4343 auth_level = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
4345 g.start_mech_by_authtype(auth_type, auth_level)
4347 (finished, to_server) = g.update(from_server)
4348 self.assertFalse(finished)
4350 auth_info = self.generate_auth(auth_type=auth_type,
4351 auth_level=auth_level,
4352 auth_context_id=auth_context_id,
4353 auth_blob=to_server)
4355 req = self.generate_bind(call_id=0,
4357 auth_info=auth_info)
4358 req_pdu = samba.ndr.ndr_pack(req)
4360 auth_pad_ok = len(req_pdu)
4361 auth_pad_ok -= dcerpc.DCERPC_REQUEST_LENGTH
4362 auth_pad_ok -= dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4363 auth_pad_ok -= len(to_server)
4365 auth_info = self.generate_auth(auth_type=auth_type,
4366 auth_level=auth_level,
4367 auth_context_id=auth_context_id,
4368 auth_pad_length=auth_pad_ok,
4369 auth_blob=to_server)
4371 req = self.generate_bind(call_id=0,
4373 auth_info=auth_info)
4375 rep = self.recv_pdu()
4376 self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id)
4377 self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
4378 self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
4379 self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id)
4380 self.assertEqual(rep.u.secondary_address_size, 4)
4381 self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port)
4382 self.assertPadding(rep.u._pad1, 2)
4383 self.assertEqual(rep.u.num_results, 1)
4384 self.assertEqual(rep.u.ctx_list[0].result,
4385 dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
4386 self.assertEqual(rep.u.ctx_list[0].reason,
4387 dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
4388 self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32)
4389 self.assertNotEquals(len(rep.u.auth_info), 0)
4390 a = self.parse_auth(rep.u.auth_info)
4392 from_server = a.credentials
4393 (finished, to_server) = g.update(from_server)
4394 self.assertTrue(finished)
4397 auth_info = self.generate_auth(auth_type=auth_type,
4398 auth_level=auth_level,
4399 auth_context_id=auth_context_id,
4400 auth_pad_length=auth_pad_bad,
4401 auth_blob=to_server)
4402 req = self.generate_auth3(call_id=0,
4403 auth_info=auth_info)
4405 rep = self.recv_pdu()
4406 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
4407 pfc_flags=req.pfc_flags |
4408 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
4410 self.assertNotEquals(rep.u.alloc_hint, 0)
4411 self.assertEqual(rep.u.context_id, 0)
4412 self.assertEqual(rep.u.cancel_count, 0)
4413 self.assertEqual(rep.u.flags, 0)
4414 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY)
4415 self.assertEqual(rep.u.reserved, 0)
4416 self.assertEqual(len(rep.u.error_and_verifier), 0)
4418 # wait for a disconnect
4419 rep = self.recv_pdu()
4420 self.assertIsNone(rep)
4421 self.assertNotConnected()
4423 def _test_auth_bind_auth_level(self, auth_type, auth_level, auth_context_id, ctx,
4424 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY,
4427 creds = self.get_user_creds()
4428 auth_context = self.get_auth_context_creds(creds=creds,
4429 auth_type=auth_type,
4430 auth_level=auth_level,
4431 auth_context_id=auth_context_id,
4432 g_auth_level=g_auth_level,
4433 hdr_signing=hdr_signing)
4434 if auth_context is None:
4436 ack = self.do_generic_bind(ctx=ctx,
4437 auth_context=auth_context,
4438 alter_fault=alter_fault)
4443 def _test_spnego_level_bind_nak(self, auth_level,
4444 reason=dcerpc.DCERPC_BIND_NAK_REASON_INVALID_CHECKSUM):
4445 c = self.get_user_creds()
4446 return self._test_auth_type_level_bind_nak(auth_type=dcerpc.DCERPC_AUTH_TYPE_SPNEGO,
4447 auth_level=auth_level, creds=c, reason=reason)
4449 def _test_spnego_level_bind(self, auth_level,
4450 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY,
4453 response_fault_flags=0):
4454 ndr32 = base.transfer_syntax_ndr()
4457 ctx1 = dcerpc.ctx_list()
4458 ctx1.context_id = 0x1001
4459 ctx1.num_transfer_syntaxes = len(tsf1_list)
4460 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
4461 ctx1.transfer_syntaxes = tsf1_list
4463 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
4466 auth_context = self._test_auth_bind_auth_level(auth_type=auth_type,
4467 auth_level=auth_level,
4468 auth_context_id=auth_context_id,
4470 g_auth_level=g_auth_level,
4471 alter_fault=alter_fault)
4472 if request_fault is None:
4475 self.assertIsNotNone(auth_context)
4476 g = auth_context["gensec"]
4477 self.assertIsNotNone(g)
4479 stub_bin = b'\x00' * 17
4480 mod_len = len(stub_bin) % dcerpc.DCERPC_AUTH_PAD_ALIGNMENT
4483 auth_pad_length = dcerpc.DCERPC_AUTH_PAD_ALIGNMENT - mod_len
4484 stub_bin += b'\x00' * auth_pad_length
4486 if g_auth_level >= dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY:
4487 sig_size = g.sig_size(len(stub_bin))
4490 zero_sig = b"\x00" * sig_size
4492 auth_info = self.generate_auth(auth_type=auth_type,
4493 auth_level=auth_level,
4494 auth_pad_length=auth_pad_length,
4495 auth_context_id=auth_context_id,
4497 req = self.generate_request(call_id=4,
4498 context_id=ctx1.context_id,
4501 auth_info=auth_info)
4502 if g_auth_level >= dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY:
4503 req_blob = samba.ndr.ndr_pack(req)
4504 ofs_stub = dcerpc.DCERPC_REQUEST_LENGTH
4505 ofs_sig = len(req_blob) - req.auth_length
4506 ofs_trailer = ofs_sig - dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4507 req_data = req_blob[ofs_stub:ofs_trailer]
4508 req_whole = req_blob[0:ofs_sig]
4509 sig = g.sign_packet(req_data, req_whole)
4510 auth_info = self.generate_auth(auth_type=auth_type,
4511 auth_level=auth_level,
4512 auth_pad_length=auth_pad_length,
4513 auth_context_id=auth_context_id,
4515 req = self.generate_request(call_id=4,
4516 context_id=ctx1.context_id,
4519 auth_info=auth_info)
4521 rep = self.recv_pdu()
4522 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
4523 pfc_flags=req.pfc_flags | response_fault_flags,
4525 self.assertNotEquals(rep.u.alloc_hint, 0)
4526 self.assertEqual(rep.u.context_id, ctx1.context_id)
4527 self.assertEqual(rep.u.cancel_count, 0)
4528 self.assertEqual(rep.u.flags, 0)
4529 self.assertEqual(rep.u.status, request_fault)
4530 self.assertEqual(rep.u.reserved, 0)
4531 self.assertEqual(len(rep.u.error_and_verifier), 0)
4533 if response_fault_flags & dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE:
4536 # wait for a disconnect
4537 rep = self.recv_pdu()
4538 self.assertIsNone(rep)
4539 self.assertNotConnected()
4541 def test_spnego_none_bind(self):
4542 return self._test_spnego_level_bind_nak(dcerpc.DCERPC_AUTH_LEVEL_NONE,
4543 reason=dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
4545 def test_spnego_call_bind(self):
4546 return self._test_spnego_level_bind_nak(dcerpc.DCERPC_AUTH_LEVEL_CALL,
4547 reason=dcerpc.DCERPC_BIND_NAK_REASON_INVALID_CHECKSUM)
4549 def test_spnego_0_bind(self):
4550 return self._test_spnego_level_bind_nak(0,
4551 reason=dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
4553 def test_spnego_7_bind(self):
4554 return self._test_spnego_level_bind_nak(7,
4555 reason=dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
4557 def test_spnego_255_bind(self):
4558 return self._test_spnego_level_bind_nak(255,
4559 reason=dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
4561 def test_spnego_connect_bind_none(self):
4562 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_CONNECT,
4563 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_CONNECT)
4565 def test_spnego_connect_bind_sign(self):
4566 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_CONNECT,
4567 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY)
4569 def test_spnego_connect_bind_seal(self):
4570 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_CONNECT,
4571 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_PRIVACY)
4573 def test_spnego_packet_bind_none(self):
4574 # DCERPC_AUTH_LEVEL_PACKET is handled as alias of
4575 # DCERPC_AUTH_LEVEL_INTEGRITY
4576 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_PACKET,
4577 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_CONNECT,
4578 request_fault=dcerpc.DCERPC_FAULT_SEC_PKG_ERROR)
4580 def test_spnego_packet_bind_sign(self):
4581 # DCERPC_AUTH_LEVEL_PACKET is handled as alias of
4582 # DCERPC_AUTH_LEVEL_INTEGRITY
4583 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_PACKET,
4584 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY,
4585 request_fault=dcerpc.DCERPC_NCA_S_OP_RNG_ERROR,
4586 response_fault_flags=dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE)
4588 def test_spnego_packet_bind_seal(self):
4589 # DCERPC_AUTH_LEVEL_PACKET is handled as alias of
4590 # DCERPC_AUTH_LEVEL_INTEGRITY
4591 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_PACKET,
4592 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_PRIVACY,
4593 request_fault=dcerpc.DCERPC_NCA_S_OP_RNG_ERROR,
4594 response_fault_flags=dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE)
4596 def test_spnego_integrity_bind_none(self):
4597 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY,
4598 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_CONNECT,
4599 request_fault=dcerpc.DCERPC_FAULT_SEC_PKG_ERROR)
4601 def test_spnego_integrity_bind_sign(self):
4602 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY,
4603 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY,
4604 request_fault=dcerpc.DCERPC_NCA_S_OP_RNG_ERROR,
4605 response_fault_flags=dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE)
4607 def test_spnego_integrity_bind_seal(self):
4608 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY,
4609 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_PRIVACY,
4610 request_fault=dcerpc.DCERPC_NCA_S_OP_RNG_ERROR,
4611 response_fault_flags=dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE)
4613 def test_spnego_privacy_bind_none(self):
4615 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_PRIVACY,
4616 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_CONNECT,
4617 alter_fault=dcerpc.DCERPC_FAULT_SEC_PKG_ERROR)
4619 def test_spnego_privacy_bind_sign(self):
4621 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_PRIVACY,
4622 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY,
4623 alter_fault=dcerpc.DCERPC_FAULT_SEC_PKG_ERROR)
4625 def test_spnego_privacy_bind_seal(self):
4626 return self._test_spnego_level_bind(auth_level=dcerpc.DCERPC_AUTH_LEVEL_PRIVACY,
4627 g_auth_level=dcerpc.DCERPC_AUTH_LEVEL_PRIVACY)
4629 def _test_auth_signing_auth_level_request(self, auth_type, auth_level, hdr_sign=False):
4630 ndr32 = base.transfer_syntax_ndr()
4633 ctx1 = dcerpc.ctx_list()
4634 ctx1.context_id = 0x1001
4635 ctx1.num_transfer_syntaxes = len(tsf1_list)
4636 ctx1.abstract_syntax = samba.dcerpc.mgmt.abstract_syntax()
4637 ctx1.transfer_syntaxes = tsf1_list
4642 auth_context = self._test_auth_bind_auth_level(auth_type=auth_type,
4643 auth_level=auth_level,
4644 auth_context_id=auth_context_id,
4645 hdr_signing=hdr_sign,
4647 self.assertIsNotNone(auth_context)
4648 g = auth_context["gensec"]
4649 self.assertIsNotNone(g)
4651 stub_bin = b'\x00' * 0
4652 mod_len = len(stub_bin) % dcerpc.DCERPC_AUTH_PAD_ALIGNMENT
4655 auth_pad_length = dcerpc.DCERPC_AUTH_PAD_ALIGNMENT - mod_len
4656 stub_bin += b'\x00' * auth_pad_length
4658 sig_size = g.sig_size(len(stub_bin))
4659 zero_sig = b"\x00" * sig_size
4661 auth_info = self.generate_auth(auth_type=auth_type,
4662 auth_level=auth_level,
4663 auth_pad_length=auth_pad_length,
4664 auth_context_id=auth_context_id,
4666 req = self.generate_request(call_id=3,
4667 context_id=ctx1.context_id,
4670 auth_info=auth_info)
4671 req_blob = samba.ndr.ndr_pack(req)
4672 ofs_stub = dcerpc.DCERPC_REQUEST_LENGTH
4673 ofs_sig = len(req_blob) - req.auth_length
4674 ofs_trailer = ofs_sig - dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4675 req_data = req_blob[ofs_stub:ofs_trailer]
4676 req_whole = req_blob[0:ofs_sig]
4677 sig = g.sign_packet(req_data, req_whole)
4678 auth_info = self.generate_auth(auth_type=auth_type,
4679 auth_level=auth_level,
4680 auth_pad_length=auth_pad_length,
4681 auth_context_id=auth_context_id,
4683 req = self.generate_request(call_id=3,
4684 context_id=ctx1.context_id,
4687 auth_info=auth_info)
4689 (rep, rep_blob) = self.recv_pdu_raw()
4690 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
4691 auth_length=sig_size)
4692 self.assertNotEquals(rep.u.alloc_hint, 0)
4693 self.assertEqual(rep.u.context_id, req.u.context_id & 0xff)
4694 self.assertEqual(rep.u.cancel_count, 0)
4695 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
4696 self.assertEqual(rep.auth_length, sig_size)
4698 ofs_stub = dcerpc.DCERPC_REQUEST_LENGTH
4699 ofs_sig = rep.frag_length - rep.auth_length
4700 ofs_trailer = ofs_sig - dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4701 rep_data = rep_blob[ofs_stub:ofs_trailer]
4702 rep_whole = rep_blob[0:ofs_sig]
4703 rep_sig = rep_blob[ofs_sig:]
4704 rep_auth_info_blob = rep_blob[ofs_trailer:]
4706 rep_auth_info = self.parse_auth(rep_auth_info_blob)
4707 self.assertEqual(rep_auth_info.auth_type, auth_type)
4708 self.assertEqual(rep_auth_info.auth_level, auth_level)
4709 # mgmt_inq_if_ids() returns no fixed size results
4710 #self.assertEqual(rep_auth_info.auth_pad_length, 0)
4711 self.assertEqual(rep_auth_info.auth_reserved, 0)
4712 self.assertEqual(rep_auth_info.auth_context_id, auth_context_id)
4713 self.assertEqual(rep_auth_info.credentials, rep_sig)
4715 g.check_packet(rep_data, rep_whole, rep_sig)
4717 stub_bin = b'\x00' * 17
4718 mod_len = len(stub_bin) % dcerpc.DCERPC_AUTH_PAD_ALIGNMENT
4721 auth_pad_length = dcerpc.DCERPC_AUTH_PAD_ALIGNMENT - mod_len
4722 stub_bin += b'\x00' * auth_pad_length
4724 sig_size = g.sig_size(len(stub_bin))
4725 zero_sig = b"\x00" * sig_size
4727 auth_info = self.generate_auth(auth_type=auth_type,
4728 auth_level=auth_level,
4729 auth_pad_length=auth_pad_length,
4730 auth_context_id=auth_context_id,
4732 req = self.generate_request(call_id=4,
4733 context_id=ctx1.context_id,
4736 auth_info=auth_info)
4737 req_blob = samba.ndr.ndr_pack(req)
4738 ofs_stub = dcerpc.DCERPC_REQUEST_LENGTH
4739 ofs_sig = len(req_blob) - req.auth_length
4740 ofs_trailer = ofs_sig - dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4741 req_data = req_blob[ofs_stub:ofs_trailer]
4742 req_whole = req_blob[0:ofs_sig]
4743 sig = g.sign_packet(req_data, req_whole)
4744 auth_info = self.generate_auth(auth_type=auth_type,
4745 auth_level=auth_level,
4746 auth_pad_length=auth_pad_length,
4747 auth_context_id=auth_context_id,
4749 req = self.generate_request(call_id=4,
4750 context_id=ctx1.context_id,
4753 auth_info=auth_info)
4755 rep = self.recv_pdu()
4756 self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id,
4757 pfc_flags=req.pfc_flags |
4758 dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
4760 self.assertNotEquals(rep.u.alloc_hint, 0)
4761 self.assertEqual(rep.u.context_id, ctx1.context_id)
4762 self.assertEqual(rep.u.cancel_count, 0)
4763 self.assertEqual(rep.u.flags, 0)
4764 self.assertEqual(rep.u.status, dcerpc.DCERPC_NCA_S_OP_RNG_ERROR)
4765 self.assertEqual(rep.u.reserved, 0)
4766 self.assertEqual(len(rep.u.error_and_verifier), 0)
4768 stub_bin = b'\x00' * 8
4769 mod_len = len(stub_bin) % dcerpc.DCERPC_AUTH_PAD_ALIGNMENT
4772 auth_pad_length = dcerpc.DCERPC_AUTH_PAD_ALIGNMENT - mod_len
4773 stub_bin += b'\x00' * auth_pad_length
4775 sig_size = g.sig_size(len(stub_bin))
4776 zero_sig = b"\x00" * sig_size
4778 auth_info = self.generate_auth(auth_type=auth_type,
4779 auth_level=auth_level,
4780 auth_pad_length=auth_pad_length,
4781 auth_context_id=auth_context_id,
4783 req = self.generate_request(call_id=5,
4784 context_id=ctx1.context_id,
4787 auth_info=auth_info)
4788 req_blob = samba.ndr.ndr_pack(req)
4789 ofs_stub = dcerpc.DCERPC_REQUEST_LENGTH
4790 ofs_sig = len(req_blob) - req.auth_length
4791 ofs_trailer = ofs_sig - dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4792 req_data = req_blob[ofs_stub:ofs_trailer]
4793 req_whole = req_blob[0:ofs_sig]
4794 sig = g.sign_packet(req_data, req_whole)
4795 auth_info = self.generate_auth(auth_type=auth_type,
4796 auth_level=auth_level,
4797 auth_pad_length=auth_pad_length,
4798 auth_context_id=auth_context_id,
4800 req = self.generate_request(call_id=5,
4801 context_id=ctx1.context_id,
4804 auth_info=auth_info)
4806 (rep, rep_blob) = self.recv_pdu_raw()
4807 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
4808 auth_length=sig_size)
4809 self.assertNotEquals(rep.u.alloc_hint, 0)
4810 self.assertEqual(rep.u.context_id, req.u.context_id & 0xff)
4811 self.assertEqual(rep.u.cancel_count, 0)
4812 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
4813 self.assertEqual(rep.auth_length, sig_size)
4815 ofs_stub = dcerpc.DCERPC_REQUEST_LENGTH
4816 ofs_sig = rep.frag_length - rep.auth_length
4817 ofs_trailer = ofs_sig - dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4818 rep_data = rep_blob[ofs_stub:ofs_trailer]
4819 rep_whole = rep_blob[0:ofs_sig]
4820 rep_sig = rep_blob[ofs_sig:]
4821 rep_auth_info_blob = rep_blob[ofs_trailer:]
4823 rep_auth_info = self.parse_auth(rep_auth_info_blob)
4824 self.assertEqual(rep_auth_info.auth_type, auth_type)
4825 self.assertEqual(rep_auth_info.auth_level, auth_level)
4826 self.assertEqual(rep_auth_info.auth_pad_length, 4)
4827 self.assertEqual(rep_auth_info.auth_reserved, 0)
4828 self.assertEqual(rep_auth_info.auth_context_id, auth_context_id)
4829 self.assertEqual(rep_auth_info.credentials, rep_sig)
4831 g.check_packet(rep_data, rep_whole, rep_sig)
4833 stub_bin = b'\x00' * 8
4834 mod_len = len(stub_bin) % dcerpc.DCERPC_AUTH_PAD_ALIGNMENT
4837 auth_pad_length = dcerpc.DCERPC_AUTH_PAD_ALIGNMENT - mod_len
4838 stub_bin += b'\x00' * auth_pad_length
4840 sig_size = g.sig_size(len(stub_bin))
4841 zero_sig = b"\x00" * sig_size
4843 auth_info = self.generate_auth(auth_type=auth_type,
4844 auth_level=auth_level,
4845 auth_pad_length=auth_pad_length,
4846 auth_context_id=auth_context_id,
4848 req = self.generate_request(call_id=6,
4849 context_id=ctx1.context_id,
4852 auth_info=auth_info)
4853 req_blob = samba.ndr.ndr_pack(req)
4854 ofs_stub = dcerpc.DCERPC_REQUEST_LENGTH
4855 ofs_sig = len(req_blob) - req.auth_length
4856 ofs_trailer = ofs_sig - dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4857 req_data = req_blob[ofs_stub:ofs_trailer]
4858 req_whole = req_blob[0:ofs_sig]
4859 sig = g.sign_packet(req_data, req_whole)
4860 auth_info = self.generate_auth(auth_type=auth_type,
4861 auth_level=auth_level,
4862 auth_pad_length=auth_pad_length,
4863 auth_context_id=auth_context_id,
4865 req = self.generate_request(call_id=6,
4866 context_id=ctx1.context_id,
4869 auth_info=auth_info)
4871 (rep, rep_blob) = self.recv_pdu_raw()
4872 self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id,
4873 auth_length=sig_size)
4874 self.assertNotEquals(rep.u.alloc_hint, 0)
4875 self.assertEqual(rep.u.context_id, req.u.context_id & 0xff)
4876 self.assertEqual(rep.u.cancel_count, 0)
4877 self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
4878 self.assertEqual(rep.auth_length, sig_size)
4880 ofs_stub = dcerpc.DCERPC_REQUEST_LENGTH
4881 ofs_sig = rep.frag_length - rep.auth_length
4882 ofs_trailer = ofs_sig - dcerpc.DCERPC_AUTH_TRAILER_LENGTH
4883 rep_data = rep_blob[ofs_stub:ofs_trailer]
4884 rep_whole = rep_blob[0:ofs_sig]
4885 rep_sig = rep_blob[ofs_sig:]
4886 rep_auth_info_blob = rep_blob[ofs_trailer:]
4888 rep_auth_info = self.parse_auth(rep_auth_info_blob)
4889 self.assertEqual(rep_auth_info.auth_type, auth_type)
4890 self.assertEqual(rep_auth_info.auth_level, auth_level)
4891 self.assertEqual(rep_auth_info.auth_pad_length, 12)
4892 self.assertEqual(rep_auth_info.auth_reserved, 0)
4893 self.assertEqual(rep_auth_info.auth_context_id, auth_context_id)
4894 self.assertEqual(rep_auth_info.credentials, rep_sig)
4896 g.check_packet(rep_data, rep_whole, rep_sig)
4898 def test_spnego_signing_packet(self):
4899 # DCERPC_AUTH_LEVEL_PACKET is handled as alias of
4900 # DCERPC_AUTH_LEVEL_INTEGRITY
4901 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_SPNEGO,
4902 dcerpc.DCERPC_AUTH_LEVEL_PACKET)
4904 def test_spnego_hdr_signing_packet(self):
4905 # DCERPC_AUTH_LEVEL_PACKET is handled as alias of
4906 # DCERPC_AUTH_LEVEL_INTEGRITY
4907 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_SPNEGO,
4908 dcerpc.DCERPC_AUTH_LEVEL_PACKET,
4911 def test_spnego_signing_integrity(self):
4912 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_SPNEGO,
4913 dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY)
4915 def test_spnego_hdr_signing_integrity(self):
4916 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_SPNEGO,
4917 dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY,
4920 def test_ntlm_signing_packet(self):
4921 # DCERPC_AUTH_LEVEL_PACKET is handled as alias of
4922 # DCERPC_AUTH_LEVEL_INTEGRITY
4923 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_NTLMSSP,
4924 dcerpc.DCERPC_AUTH_LEVEL_PACKET)
4926 def test_ntlm_hdr_signing_packet(self):
4927 # DCERPC_AUTH_LEVEL_PACKET is handled as alias of
4928 # DCERPC_AUTH_LEVEL_INTEGRITY
4929 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_NTLMSSP,
4930 dcerpc.DCERPC_AUTH_LEVEL_PACKET,
4933 def test_ntlm_signing_integrity(self):
4934 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_NTLMSSP,
4935 dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY)
4937 def test_ntlm_hdr_signing_integrity(self):
4938 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_NTLMSSP,
4939 dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY,
4942 def test_krb5_signing_packet(self):
4943 # DCERPC_AUTH_LEVEL_PACKET is handled as alias of
4944 # DCERPC_AUTH_LEVEL_INTEGRITY
4945 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_KRB5,
4946 dcerpc.DCERPC_AUTH_LEVEL_PACKET)
4948 def test_krb5_hdr_signing_packet(self):
4949 # DCERPC_AUTH_LEVEL_PACKET is handled as alias of
4950 # DCERPC_AUTH_LEVEL_INTEGRITY
4951 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_KRB5,
4952 dcerpc.DCERPC_AUTH_LEVEL_PACKET,
4955 def test_krb5_signing_integrity(self):
4956 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_KRB5,
4957 dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY)
4959 def test_krb5_hdr_signing_integrity(self):
4960 return self._test_auth_signing_auth_level_request(dcerpc.DCERPC_AUTH_TYPE_KRB5,
4961 dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY,
4964 def test_assoc_group_fail1(self):
4965 abstract = samba.dcerpc.mgmt.abstract_syntax()
4966 transfer = base.transfer_syntax_ndr()
4968 tsf1_list = [transfer]
4969 ctx = samba.dcerpc.dcerpc.ctx_list()
4971 ctx.num_transfer_syntaxes = len(tsf1_list)
4972 ctx.abstract_syntax = abstract
4973 ctx.transfer_syntaxes = tsf1_list
4975 ack = self.do_generic_bind(ctx=ctx, assoc_group_id=1,
4976 nak_reason=dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
4979 def test_assoc_group_fail2(self):
4980 abstract = samba.dcerpc.mgmt.abstract_syntax()
4981 transfer = base.transfer_syntax_ndr()
4983 tsf1_list = [transfer]
4984 ctx = samba.dcerpc.dcerpc.ctx_list()
4986 ctx.num_transfer_syntaxes = len(tsf1_list)
4987 ctx.abstract_syntax = abstract
4988 ctx.transfer_syntaxes = tsf1_list
4990 ack = self.do_generic_bind(ctx=ctx)
4992 self._disconnect("test_assoc_group_fail2")
4993 self.assertNotConnected()
4997 ack2 = self.do_generic_bind(ctx=ctx, assoc_group_id=ack.u.assoc_group_id,
4998 nak_reason=dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
5001 def test_assoc_group_diff1(self):
5002 abstract = samba.dcerpc.mgmt.abstract_syntax()
5003 transfer = base.transfer_syntax_ndr()
5005 (ctx1, ack1) = self.prepare_presentation(abstract, transfer,
5006 context_id=1, return_ack=True)
5008 conn2 = self.second_connection()
5009 (ctx2, ack2) = conn2.prepare_presentation(abstract, transfer,
5010 context_id=2, return_ack=True)
5011 self.assertNotEqual(ack2.u.assoc_group_id, ack1.u.assoc_group_id)
5013 conn2._disconnect("End of Test")
5016 def test_assoc_group_ok1(self):
5017 abstract = samba.dcerpc.mgmt.abstract_syntax()
5018 transfer = base.transfer_syntax_ndr()
5020 (ctx1, ack1) = self.prepare_presentation(abstract, transfer,
5021 context_id=1, return_ack=True)
5023 conn2 = self.second_connection()
5024 (ctx2, ack2) = conn2.prepare_presentation(abstract, transfer,
5025 assoc_group_id=ack1.u.assoc_group_id,
5026 context_id=2, return_ack=True)
5028 inq_if_ids = samba.dcerpc.mgmt.inq_if_ids()
5029 self.do_single_request(call_id=1, ctx=ctx1, io=inq_if_ids)
5030 conn2.do_single_request(call_id=1, ctx=ctx2, io=inq_if_ids)
5032 conn2.do_single_request(call_id=1, ctx=ctx1, io=inq_if_ids,
5034 samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
5035 samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST |
5036 samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE),
5037 fault_status=dcerpc.DCERPC_NCA_S_UNKNOWN_IF,
5040 self.do_single_request(call_id=1, ctx=ctx1, io=inq_if_ids)
5041 conn2.do_single_request(call_id=1, ctx=ctx2, io=inq_if_ids)
5042 conn2._disconnect("End of Test")
5045 def test_assoc_group_ok2(self):
5046 abstract = samba.dcerpc.mgmt.abstract_syntax()
5047 transfer = base.transfer_syntax_ndr()
5049 self.reconnect_smb_pipe(primary_address='\\pipe\\lsarpc',
5050 secondary_address='\\pipe\\lsass',
5051 transport_creds=self.get_user_creds())
5052 (ctx1, ack1) = self.prepare_presentation(abstract, transfer,
5053 context_id=1, return_ack=True)
5055 conn2 = self.second_connection()
5056 (ctx2, ack2) = conn2.prepare_presentation(abstract, transfer,
5057 assoc_group_id=ack1.u.assoc_group_id,
5058 context_id=2, return_ack=True)
5060 inq_if_ids = samba.dcerpc.mgmt.inq_if_ids()
5061 self.do_single_request(call_id=1, ctx=ctx1, io=inq_if_ids)
5062 conn2.do_single_request(call_id=1, ctx=ctx2, io=inq_if_ids)
5064 conn2.do_single_request(call_id=1, ctx=ctx1, io=inq_if_ids,
5066 samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
5067 samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST |
5068 samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE),
5069 fault_status=dcerpc.DCERPC_NCA_S_UNKNOWN_IF,
5072 self.do_single_request(call_id=1, ctx=ctx1, io=inq_if_ids)
5073 conn2.do_single_request(call_id=1, ctx=ctx2, io=inq_if_ids)
5074 conn2._disconnect("End of Test")
5077 def test_assoc_group_fail3(self):
5078 abstract = samba.dcerpc.mgmt.abstract_syntax()
5079 transfer = base.transfer_syntax_ndr()
5081 (ctx1, ack1) = self.prepare_presentation(abstract, transfer,
5082 context_id=1, return_ack=True)
5084 # assoc groups are per transport
5085 connF = self.second_connection(primary_address="\\pipe\\lsarpc",
5086 secondary_address="\\pipe\\lsass",
5087 transport_creds=self.get_user_creds())
5088 tsfF_list = [transfer]
5089 ctxF = samba.dcerpc.dcerpc.ctx_list()
5090 ctxF.context_id = 0xF
5091 ctxF.num_transfer_syntaxes = len(tsfF_list)
5092 ctxF.abstract_syntax = abstract
5093 ctxF.transfer_syntaxes = tsfF_list
5094 ack = connF.do_generic_bind(ctx=ctxF, assoc_group_id=ack1.u.assoc_group_id,
5095 nak_reason=dcerpc.DCERPC_BIND_NAK_REASON_NOT_SPECIFIED)
5096 # wait for a disconnect
5097 rep = connF.recv_pdu()
5098 self.assertIsNone(rep)
5099 connF.assertNotConnected()
5101 conn2 = self.second_connection()
5102 (ctx2, ack2) = conn2.prepare_presentation(abstract, transfer,
5103 assoc_group_id=ack1.u.assoc_group_id,
5104 context_id=2, return_ack=True)
5106 inq_if_ids = samba.dcerpc.mgmt.inq_if_ids()
5107 self.do_single_request(call_id=1, ctx=ctx1, io=inq_if_ids)
5108 conn2.do_single_request(call_id=1, ctx=ctx2, io=inq_if_ids)
5110 conn2.do_single_request(call_id=1, ctx=ctx1, io=inq_if_ids,
5112 samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
5113 samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST |
5114 samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE),
5115 fault_status=dcerpc.DCERPC_NCA_S_UNKNOWN_IF,
5118 self.do_single_request(call_id=1, ctx=ctx1, io=inq_if_ids)
5119 conn2.do_single_request(call_id=1, ctx=ctx2, io=inq_if_ids)
5120 conn2._disconnect("End of Test")
5123 def _test_krb5_hdr_sign_delayed1(self, do_upgrade):
5124 auth_type = dcerpc.DCERPC_AUTH_TYPE_KRB5
5125 auth_level = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
5128 creds = self.get_user_creds()
5130 abstract = samba.dcerpc.mgmt.abstract_syntax()
5131 transfer = base.transfer_syntax_ndr()
5133 tsf1_list = [transfer]
5134 ctx = samba.dcerpc.dcerpc.ctx_list()
5136 ctx.num_transfer_syntaxes = len(tsf1_list)
5137 ctx.abstract_syntax = abstract
5138 ctx.transfer_syntaxes = tsf1_list
5140 auth_context = self.get_auth_context_creds(creds=creds,
5141 auth_type=auth_type,
5142 auth_level=auth_level,
5143 auth_context_id=auth_context_id,
5146 ack = self.do_generic_bind(call_id=1,
5148 auth_context=auth_context)
5150 inq_if_ids = samba.dcerpc.mgmt.inq_if_ids()
5151 self.do_single_request(call_id=2, ctx=ctx, io=inq_if_ids,
5152 auth_context=auth_context)
5155 # This is just an alter context without authentication
5156 # But it can turn on header signing for the whole connection
5158 ack2 = self.do_generic_bind(call_id=3, ctx=ctx,
5159 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST |
5160 dcerpc.DCERPC_PFC_FLAG_LAST |
5161 dcerpc.DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN,
5162 assoc_group_id = ack.u.assoc_group_id,
5163 start_with_alter=True)
5165 self.assertFalse(auth_context['hdr_signing'])
5167 auth_context['hdr_signing'] = True
5168 auth_context["gensec"].want_feature(gensec.FEATURE_SIGN_PKT_HEADER)
5171 fault_status=dcerpc.DCERPC_FAULT_SEC_PKG_ERROR
5173 self.do_single_request(call_id=4, ctx=ctx, io=inq_if_ids,
5174 auth_context=auth_context,
5175 fault_status=fault_status)
5177 if fault_status is not None:
5178 # wait for a disconnect
5179 rep = self.recv_pdu()
5180 self.assertIsNone(rep)
5181 self.assertNotConnected()
5184 self.do_single_request(call_id=5, ctx=ctx, io=inq_if_ids,
5185 auth_context=auth_context)
5188 def test_krb5_hdr_sign_delayed1_ok1(self):
5189 return self._test_krb5_hdr_sign_delayed1(do_upgrade=True)
5191 def test_krb5_hdr_sign_delayed1_fail1(self):
5192 return self._test_krb5_hdr_sign_delayed1(do_upgrade=False)
5194 def _test_krb5_hdr_sign_delayed2(self, do_upgrade):
5195 auth_type = dcerpc.DCERPC_AUTH_TYPE_KRB5
5196 auth_level = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
5199 creds = self.get_user_creds()
5201 abstract = samba.dcerpc.mgmt.abstract_syntax()
5202 transfer = base.transfer_syntax_ndr()
5204 tsf1_list = [transfer]
5205 ctx = samba.dcerpc.dcerpc.ctx_list()
5207 ctx.num_transfer_syntaxes = len(tsf1_list)
5208 ctx.abstract_syntax = abstract
5209 ctx.transfer_syntaxes = tsf1_list
5211 auth_context = self.get_auth_context_creds(creds=creds,
5212 auth_type=auth_type,
5213 auth_level=auth_level,
5214 auth_context_id=auth_context_id,
5218 # SUPPORT_HEADER_SIGN on alter context activates header signing
5220 ack = self.do_generic_bind(call_id=1,
5222 auth_context=auth_context,
5223 pfc_flags_2nd=dcerpc.DCERPC_PFC_FLAG_FIRST |
5224 dcerpc.DCERPC_PFC_FLAG_LAST |
5225 dcerpc.DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)
5227 self.assertFalse(auth_context['hdr_signing'])
5229 auth_context['hdr_signing'] = True
5230 auth_context["gensec"].want_feature(gensec.FEATURE_SIGN_PKT_HEADER)
5233 fault_status=dcerpc.DCERPC_FAULT_SEC_PKG_ERROR
5235 inq_if_ids = samba.dcerpc.mgmt.inq_if_ids()
5236 self.do_single_request(call_id=4, ctx=ctx, io=inq_if_ids,
5237 auth_context=auth_context,
5238 fault_status=fault_status)
5240 if fault_status is not None:
5241 # wait for a disconnect
5242 rep = self.recv_pdu()
5243 self.assertIsNone(rep)
5244 self.assertNotConnected()
5247 self.do_single_request(call_id=5, ctx=ctx, io=inq_if_ids,
5248 auth_context=auth_context)
5251 def test_krb5_hdr_sign_delayed2_ok1(self):
5252 return self._test_krb5_hdr_sign_delayed2(do_upgrade=True)
5254 def test_krb5_hdr_sign_delayed2_fail1(self):
5255 return self._test_krb5_hdr_sign_delayed2(do_upgrade=False)
5257 def test_krb5_hdr_sign_delayed3_fail1(self):
5258 auth_type = dcerpc.DCERPC_AUTH_TYPE_KRB5
5259 auth_level = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
5262 creds = self.get_user_creds()
5264 abstract = samba.dcerpc.mgmt.abstract_syntax()
5265 transfer = base.transfer_syntax_ndr()
5267 tsf1_list = [transfer]
5268 ctx = samba.dcerpc.dcerpc.ctx_list()
5270 ctx.num_transfer_syntaxes = len(tsf1_list)
5271 ctx.abstract_syntax = abstract
5272 ctx.transfer_syntaxes = tsf1_list
5274 auth_context = self.get_auth_context_creds(creds=creds,
5275 auth_type=auth_type,
5276 auth_level=auth_level,
5277 auth_context_id=auth_context_id,
5281 # SUPPORT_HEADER_SIGN on auth3 doesn't activate header signing
5283 ack = self.do_generic_bind(call_id=1,
5285 auth_context=auth_context,
5286 pfc_flags_2nd=dcerpc.DCERPC_PFC_FLAG_FIRST |
5287 dcerpc.DCERPC_PFC_FLAG_LAST |
5288 dcerpc.DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN,
5291 inq_if_ids = samba.dcerpc.mgmt.inq_if_ids()
5292 self.do_single_request(call_id=2, ctx=ctx, io=inq_if_ids,
5293 auth_context=auth_context)
5295 self.assertFalse(auth_context['hdr_signing'])
5296 auth_context['hdr_signing'] = True
5297 auth_context["gensec"].want_feature(gensec.FEATURE_SIGN_PKT_HEADER)
5298 fault_status=dcerpc.DCERPC_FAULT_SEC_PKG_ERROR
5300 self.do_single_request(call_id=4, ctx=ctx, io=inq_if_ids,
5301 auth_context=auth_context,
5302 fault_status=fault_status)
5304 # wait for a disconnect
5305 rep = self.recv_pdu()
5306 self.assertIsNone(rep)
5307 self.assertNotConnected()
5310 def _test_lsa_multi_auth_connect1(self, smb_creds,
5311 account_name0, authority_name0):
5312 creds1 = self.get_anon_creds()
5313 account_name1 = "ANONYMOUS LOGON"
5314 authority_name1 = "NT AUTHORITY"
5315 auth_type1 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5316 auth_level1 = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
5317 auth_context_id1 = 1
5319 creds2 = self.get_user_creds()
5320 account_name2 = creds2.get_username()
5321 authority_name2 = creds2.get_domain()
5322 auth_type2 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5323 auth_level2 = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
5324 auth_context_id2 = 2
5326 abstract = samba.dcerpc.lsa.abstract_syntax()
5327 transfer = base.transfer_syntax_ndr()
5329 self.reconnect_smb_pipe(primary_address='\\pipe\\lsarpc',
5330 secondary_address='\\pipe\\lsass',
5331 transport_creds=smb_creds)
5332 self.assertIsConnected()
5334 tsf1_list = [transfer]
5335 ctx1 = samba.dcerpc.dcerpc.ctx_list()
5337 ctx1.num_transfer_syntaxes = len(tsf1_list)
5338 ctx1.abstract_syntax = abstract
5339 ctx1.transfer_syntaxes = tsf1_list
5341 auth_context1 = self.get_auth_context_creds(creds=creds1,
5342 auth_type=auth_type1,
5343 auth_level=auth_level1,
5344 auth_context_id=auth_context_id1,
5346 auth_context2 = self.get_auth_context_creds(creds=creds2,
5347 auth_type=auth_type2,
5348 auth_level=auth_level2,
5349 auth_context_id=auth_context_id2,
5352 get_user_name = samba.dcerpc.lsa.GetUserName()
5353 get_user_name.in_system_name = self.target_hostname
5354 get_user_name.in_account_name = None
5355 get_user_name.in_authority_name = base.ndr_pointer(None)
5357 ack1 = self.do_generic_bind(call_id=0,
5359 auth_context=auth_context1)
5362 # With just one explicit auth context and that
5363 # uses AUTH_LEVEL_CONNECT context.
5365 # We always get that by default instead of the one default one
5366 # inherited from the transport
5368 self.do_single_request(call_id=1, ctx=ctx1, io=get_user_name)
5369 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5370 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5371 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5373 self.do_single_request(call_id=2, ctx=ctx1, io=get_user_name,
5374 auth_context=auth_context1)
5375 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5376 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5377 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5379 ack2 = self.do_generic_bind(call_id=3,
5381 auth_context=auth_context2,
5382 assoc_group_id = ack1.u.assoc_group_id,
5383 start_with_alter=True)
5386 # Now we have two explicit auth contexts
5388 # If we don't specify one of them we get the default one
5389 # inherited from the transport
5391 self.do_single_request(call_id=4, ctx=ctx1, io=get_user_name)
5392 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5393 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5394 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5396 self.do_single_request(call_id=5, ctx=ctx1, io=get_user_name,
5397 auth_context=auth_context1)
5398 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5399 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5400 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5402 self.do_single_request(call_id=6, ctx=ctx1, io=get_user_name,
5403 auth_context=auth_context2)
5404 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5405 self.assertEqualsStrLower(get_user_name.out_account_name, account_name2)
5406 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name2)
5408 self.do_single_request(call_id=7, ctx=ctx1, io=get_user_name)
5409 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5410 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5411 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5415 def test_lsa_multi_auth_connect1u(self):
5416 smb_auth_creds = self.get_user_creds()
5417 account_name0 = smb_auth_creds.get_username()
5418 authority_name0 = smb_auth_creds.get_domain()
5419 return self._test_lsa_multi_auth_connect1(smb_auth_creds,
5423 def test_lsa_multi_auth_connect1a(self):
5424 smb_auth_creds = self.get_anon_creds()
5425 account_name0 = "ANONYMOUS LOGON"
5426 authority_name0 = "NT AUTHORITY"
5427 return self._test_lsa_multi_auth_connect1(smb_auth_creds,
5431 def _test_lsa_multi_auth_connect2(self, smb_creds,
5432 account_name0, authority_name0):
5433 creds1 = self.get_anon_creds()
5434 account_name1 = "ANONYMOUS LOGON"
5435 authority_name1 = "NT AUTHORITY"
5436 auth_type1 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5437 auth_level1 = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
5438 auth_context_id1 = 1
5440 creds2 = self.get_user_creds()
5441 account_name2 = creds2.get_username()
5442 authority_name2 = creds2.get_domain()
5443 auth_type2 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5444 auth_level2 = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
5445 auth_context_id2 = 2
5447 abstract = samba.dcerpc.lsa.abstract_syntax()
5448 transfer = base.transfer_syntax_ndr()
5450 self.reconnect_smb_pipe(primary_address='\\pipe\\lsarpc',
5451 secondary_address='\\pipe\\lsass',
5452 transport_creds=smb_creds)
5453 self.assertIsConnected()
5455 tsf1_list = [transfer]
5456 ctx1 = samba.dcerpc.dcerpc.ctx_list()
5458 ctx1.num_transfer_syntaxes = len(tsf1_list)
5459 ctx1.abstract_syntax = abstract
5460 ctx1.transfer_syntaxes = tsf1_list
5462 auth_context1 = self.get_auth_context_creds(creds=creds1,
5463 auth_type=auth_type1,
5464 auth_level=auth_level1,
5465 auth_context_id=auth_context_id1,
5467 auth_context2 = self.get_auth_context_creds(creds=creds2,
5468 auth_type=auth_type2,
5469 auth_level=auth_level2,
5470 auth_context_id=auth_context_id2,
5473 get_user_name = samba.dcerpc.lsa.GetUserName()
5474 get_user_name.in_system_name = self.target_hostname
5475 get_user_name.in_account_name = None
5476 get_user_name.in_authority_name = base.ndr_pointer(None)
5478 ack0 = self.do_generic_bind(call_id=0, ctx=ctx1)
5481 # We use the default auth context
5482 # inherited from the transport
5484 self.do_single_request(call_id=1, ctx=ctx1, io=get_user_name)
5485 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5486 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5487 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5489 ack1 = self.do_generic_bind(call_id=2,
5491 auth_context=auth_context1,
5492 assoc_group_id = ack0.u.assoc_group_id,
5493 start_with_alter=True)
5496 # With just one explicit auth context and that
5497 # uses AUTH_LEVEL_CONNECT context.
5499 # We always get that by default instead of the one default one
5500 # inherited from the transport
5502 self.do_single_request(call_id=3, ctx=ctx1, io=get_user_name)
5503 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5504 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5505 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5507 self.do_single_request(call_id=4, ctx=ctx1, io=get_user_name,
5508 auth_context=auth_context1)
5509 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5510 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5511 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5513 ack2 = self.do_generic_bind(call_id=5,
5515 auth_context=auth_context2,
5516 assoc_group_id = ack0.u.assoc_group_id,
5517 start_with_alter=True)
5520 # Now we have two explicit auth contexts
5522 # If we don't specify one of them we get the default one
5523 # inherited from the transport (again)
5525 self.do_single_request(call_id=6, ctx=ctx1, io=get_user_name)
5526 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5527 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5528 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5530 self.do_single_request(call_id=7, ctx=ctx1, io=get_user_name,
5531 auth_context=auth_context1)
5532 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5533 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5534 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5536 self.do_single_request(call_id=8, ctx=ctx1, io=get_user_name,
5537 auth_context=auth_context2)
5538 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5539 self.assertEqualsStrLower(get_user_name.out_account_name, account_name2)
5540 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name2)
5542 self.do_single_request(call_id=9, ctx=ctx1, io=get_user_name)
5543 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5544 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5545 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5549 def test_lsa_multi_auth_connect2u(self):
5550 smb_auth_creds = self.get_user_creds()
5551 account_name0 = smb_auth_creds.get_username()
5552 authority_name0 = smb_auth_creds.get_domain()
5553 return self._test_lsa_multi_auth_connect2(smb_auth_creds,
5557 def test_lsa_multi_auth_connect2a(self):
5558 smb_auth_creds = self.get_anon_creds()
5559 account_name0 = "ANONYMOUS LOGON"
5560 authority_name0 = "NT AUTHORITY"
5561 return self._test_lsa_multi_auth_connect2(smb_auth_creds,
5565 def _test_lsa_multi_auth_connect3(self, smb_creds,
5566 account_name0, authority_name0):
5567 creds1 = self.get_anon_creds()
5568 account_name1 = "ANONYMOUS LOGON"
5569 authority_name1 = "NT AUTHORITY"
5570 auth_type1 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5571 auth_level1 = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
5572 auth_context_id1 = 1
5574 creds2 = self.get_user_creds()
5575 account_name2 = creds2.get_username()
5576 authority_name2 = creds2.get_domain()
5577 auth_type2 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5578 auth_level2 = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
5579 auth_context_id2 = 2
5581 abstract = samba.dcerpc.lsa.abstract_syntax()
5582 transfer = base.transfer_syntax_ndr()
5584 self.reconnect_smb_pipe(primary_address='\\pipe\\lsarpc',
5585 secondary_address='\\pipe\\lsass',
5586 transport_creds=smb_creds)
5587 self.assertIsConnected()
5589 tsf1_list = [transfer]
5590 ctx1 = samba.dcerpc.dcerpc.ctx_list()
5592 ctx1.num_transfer_syntaxes = len(tsf1_list)
5593 ctx1.abstract_syntax = abstract
5594 ctx1.transfer_syntaxes = tsf1_list
5596 auth_context1 = self.get_auth_context_creds(creds=creds1,
5597 auth_type=auth_type1,
5598 auth_level=auth_level1,
5599 auth_context_id=auth_context_id1,
5601 auth_context2 = self.get_auth_context_creds(creds=creds2,
5602 auth_type=auth_type2,
5603 auth_level=auth_level2,
5604 auth_context_id=auth_context_id2,
5607 get_user_name = samba.dcerpc.lsa.GetUserName()
5608 get_user_name.in_system_name = self.target_hostname
5609 get_user_name.in_account_name = None
5610 get_user_name.in_authority_name = base.ndr_pointer(None)
5612 ack0 = self.do_generic_bind(call_id=0, ctx=ctx1)
5615 # We use the default auth context
5616 # inherited from the transport
5618 self.do_single_request(call_id=1, ctx=ctx1, io=get_user_name)
5619 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5620 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5621 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5623 ack1 = self.do_generic_bind(call_id=2,
5625 auth_context=auth_context1,
5626 assoc_group_id = ack0.u.assoc_group_id,
5627 start_with_alter=True)
5630 # With just one explicit auth context and that
5631 # uses AUTH_LEVEL_CONNECT context.
5633 # We always get that by default instead of the one default one
5634 # inherited from the transport
5636 # Until an explicit usage resets that mode
5638 self.do_single_request(call_id=3, ctx=ctx1, io=get_user_name)
5639 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5640 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5641 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5643 self.do_single_request(call_id=4, ctx=ctx1, io=get_user_name)
5644 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5645 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5646 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5648 self.do_single_request(call_id=5, ctx=ctx1, io=get_user_name,
5649 auth_context=auth_context1)
5650 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5651 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5652 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5654 self.do_single_request(call_id=6, ctx=ctx1, io=get_user_name)
5655 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5656 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5657 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5659 ack2 = self.do_generic_bind(call_id=7,
5661 auth_context=auth_context2,
5662 assoc_group_id = ack0.u.assoc_group_id,
5663 start_with_alter=True)
5665 # A new auth context won't change that mode again.
5667 self.do_single_request(call_id=8, ctx=ctx1, io=get_user_name)
5668 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5669 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5670 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5672 self.do_single_request(call_id=9, ctx=ctx1, io=get_user_name,
5673 auth_context=auth_context1)
5674 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5675 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5676 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5678 self.do_single_request(call_id=10, ctx=ctx1, io=get_user_name,
5679 auth_context=auth_context2)
5680 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5681 self.assertEqualsStrLower(get_user_name.out_account_name, account_name2)
5682 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name2)
5684 self.do_single_request(call_id=11, ctx=ctx1, io=get_user_name)
5685 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5686 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5687 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5691 def test_lsa_multi_auth_connect3u(self):
5692 smb_auth_creds = self.get_user_creds()
5693 account_name0 = smb_auth_creds.get_username()
5694 authority_name0 = smb_auth_creds.get_domain()
5695 return self._test_lsa_multi_auth_connect3(smb_auth_creds,
5699 def test_lsa_multi_auth_connect3a(self):
5700 smb_auth_creds = self.get_anon_creds()
5701 account_name0 = "ANONYMOUS LOGON"
5702 authority_name0 = "NT AUTHORITY"
5703 return self._test_lsa_multi_auth_connect3(smb_auth_creds,
5707 def _test_lsa_multi_auth_connect4(self, smb_creds,
5708 account_name0, authority_name0):
5709 creds1 = self.get_anon_creds()
5710 account_name1 = "ANONYMOUS LOGON"
5711 authority_name1 = "NT AUTHORITY"
5712 auth_type1 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5713 auth_level1 = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
5714 auth_context_id1 = 1
5716 creds2 = self.get_user_creds()
5717 account_name2 = creds2.get_username()
5718 authority_name2 = creds2.get_domain()
5719 auth_type2 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5720 auth_level2 = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
5721 auth_context_id2 = 2
5723 creds3 = self.get_anon_creds()
5724 account_name3 = "ANONYMOUS LOGON"
5725 authority_name3 = "NT AUTHORITY"
5726 auth_type3 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5727 auth_level3 = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
5728 auth_context_id3 = 3
5730 creds4 = self.get_user_creds()
5731 account_name4 = creds4.get_username()
5732 authority_name4 = creds4.get_domain()
5733 auth_type4 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5734 auth_level4 = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
5735 auth_context_id4 = 4
5737 abstract = samba.dcerpc.lsa.abstract_syntax()
5738 transfer = base.transfer_syntax_ndr()
5740 self.reconnect_smb_pipe(primary_address='\\pipe\\lsarpc',
5741 secondary_address='\\pipe\\lsass',
5742 transport_creds=smb_creds)
5743 self.assertIsConnected()
5745 tsf1_list = [transfer]
5746 ctx1 = samba.dcerpc.dcerpc.ctx_list()
5748 ctx1.num_transfer_syntaxes = len(tsf1_list)
5749 ctx1.abstract_syntax = abstract
5750 ctx1.transfer_syntaxes = tsf1_list
5752 auth_context1 = self.get_auth_context_creds(creds=creds1,
5753 auth_type=auth_type1,
5754 auth_level=auth_level1,
5755 auth_context_id=auth_context_id1,
5757 auth_context2 = self.get_auth_context_creds(creds=creds2,
5758 auth_type=auth_type2,
5759 auth_level=auth_level2,
5760 auth_context_id=auth_context_id2,
5762 auth_context3 = self.get_auth_context_creds(creds=creds3,
5763 auth_type=auth_type3,
5764 auth_level=auth_level3,
5765 auth_context_id=auth_context_id3,
5767 auth_context4 = self.get_auth_context_creds(creds=creds4,
5768 auth_type=auth_type4,
5769 auth_level=auth_level4,
5770 auth_context_id=auth_context_id4,
5773 get_user_name = samba.dcerpc.lsa.GetUserName()
5774 get_user_name.in_system_name = self.target_hostname
5775 get_user_name.in_account_name = None
5776 get_user_name.in_authority_name = base.ndr_pointer(None)
5778 ack0 = self.do_generic_bind(call_id=0, ctx=ctx1)
5781 # We use the default auth context
5782 # inherited from the transport
5784 self.do_single_request(call_id=1, ctx=ctx1, io=get_user_name)
5785 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5786 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5787 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5789 ack1 = self.do_generic_bind(call_id=2,
5791 auth_context=auth_context1,
5792 assoc_group_id = ack0.u.assoc_group_id,
5793 start_with_alter=True)
5796 # With just one explicit auth context and that
5797 # uses AUTH_LEVEL_CONNECT context.
5799 # We always get that by default instead of the one default one
5800 # inherited from the transport
5802 # Until a new explicit context resets the mode
5804 self.do_single_request(call_id=3, ctx=ctx1, io=get_user_name)
5805 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5806 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5807 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5809 self.do_single_request(call_id=4, ctx=ctx1, io=get_user_name)
5810 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5811 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5812 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5814 ack2 = self.do_generic_bind(call_id=5,
5816 auth_context=auth_context2,
5817 assoc_group_id = ack0.u.assoc_group_id,
5818 start_with_alter=True)
5821 # A new auth context with LEVEL_CONNECT resets the default.
5823 self.do_single_request(call_id=6, ctx=ctx1, io=get_user_name)
5824 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5825 self.assertEqualsStrLower(get_user_name.out_account_name, account_name2)
5826 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name2)
5828 self.do_single_request(call_id=7, ctx=ctx1, io=get_user_name)
5829 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5830 self.assertEqualsStrLower(get_user_name.out_account_name, account_name2)
5831 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name2)
5833 ack3 = self.do_generic_bind(call_id=8,
5835 auth_context=auth_context3,
5836 assoc_group_id = ack0.u.assoc_group_id,
5837 start_with_alter=True)
5840 # A new auth context with LEVEL_CONNECT resets the default.
5842 self.do_single_request(call_id=9, ctx=ctx1, io=get_user_name)
5843 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5844 self.assertEqualsStrLower(get_user_name.out_account_name, account_name3)
5845 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name3)
5847 self.do_single_request(call_id=10, ctx=ctx1, io=get_user_name)
5848 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5849 self.assertEqualsStrLower(get_user_name.out_account_name, account_name3)
5850 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name3)
5852 ack4 = self.do_generic_bind(call_id=11,
5854 auth_context=auth_context4,
5855 assoc_group_id = ack0.u.assoc_group_id,
5856 start_with_alter=True)
5859 # A new auth context with LEVEL_CONNECT resets the default.
5861 self.do_single_request(call_id=12, ctx=ctx1, io=get_user_name)
5862 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5863 self.assertEqualsStrLower(get_user_name.out_account_name, account_name4)
5864 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name4)
5866 self.do_single_request(call_id=13, ctx=ctx1, io=get_user_name)
5867 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5868 self.assertEqualsStrLower(get_user_name.out_account_name, account_name4)
5869 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name4)
5872 # Only the explicit usage of any context reset that mode
5874 self.do_single_request(call_id=14, ctx=ctx1, io=get_user_name,
5875 auth_context=auth_context1)
5876 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5877 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5878 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5880 self.do_single_request(call_id=15, ctx=ctx1, io=get_user_name)
5881 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5882 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5883 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5885 self.do_single_request(call_id=16, ctx=ctx1, io=get_user_name,
5886 auth_context=auth_context1)
5887 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5888 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
5889 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
5891 self.do_single_request(call_id=17, ctx=ctx1, io=get_user_name,
5892 auth_context=auth_context2)
5893 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5894 self.assertEqualsStrLower(get_user_name.out_account_name, account_name2)
5895 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name2)
5897 self.do_single_request(call_id=18, ctx=ctx1, io=get_user_name,
5898 auth_context=auth_context3)
5899 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5900 self.assertEqualsStrLower(get_user_name.out_account_name, account_name3)
5901 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name3)
5903 self.do_single_request(call_id=19, ctx=ctx1, io=get_user_name,
5904 auth_context=auth_context4)
5905 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5906 self.assertEqualsStrLower(get_user_name.out_account_name, account_name4)
5907 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name4)
5909 self.do_single_request(call_id=20, ctx=ctx1, io=get_user_name)
5910 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
5911 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
5912 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
5916 def test_lsa_multi_auth_connect4u(self):
5917 smb_auth_creds = self.get_user_creds()
5918 account_name0 = smb_auth_creds.get_username()
5919 authority_name0 = smb_auth_creds.get_domain()
5920 return self._test_lsa_multi_auth_connect4(smb_auth_creds,
5924 def test_lsa_multi_auth_connect4a(self):
5925 smb_auth_creds = self.get_anon_creds()
5926 account_name0 = "ANONYMOUS LOGON"
5927 authority_name0 = "NT AUTHORITY"
5928 return self._test_lsa_multi_auth_connect4(smb_auth_creds,
5932 def _test_lsa_multi_auth_sign_connect1(self, smb_creds,
5933 account_name0, authority_name0):
5935 creds1 = self.get_user_creds()
5936 account_name1 = creds1.get_username()
5937 authority_name1 = creds1.get_domain()
5938 auth_type1 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5939 auth_level1 = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
5940 auth_context_id1 = 1
5942 creds2 = self.get_user_creds()
5943 account_name2 = creds2.get_username()
5944 authority_name2 = creds2.get_domain()
5945 auth_type2 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5946 auth_level2 = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
5947 auth_context_id2 = 2
5949 creds3 = self.get_anon_creds()
5950 account_name3 = "ANONYMOUS LOGON"
5951 authority_name3 = "NT AUTHORITY"
5952 auth_type3 = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP
5953 auth_level3 = dcerpc.DCERPC_AUTH_LEVEL_CONNECT
5954 auth_context_id3 = 3
5956 abstract = samba.dcerpc.lsa.abstract_syntax()
5957 transfer = base.transfer_syntax_ndr()
5959 self.reconnect_smb_pipe(primary_address='\\pipe\\lsarpc',
5960 secondary_address='\\pipe\\lsass',
5961 transport_creds=smb_creds)
5962 self.assertIsConnected()
5964 tsf1_list = [transfer]
5965 ctx1 = samba.dcerpc.dcerpc.ctx_list()
5967 ctx1.num_transfer_syntaxes = len(tsf1_list)
5968 ctx1.abstract_syntax = abstract
5969 ctx1.transfer_syntaxes = tsf1_list
5971 auth_context1 = self.get_auth_context_creds(creds=creds1,
5972 auth_type=auth_type1,
5973 auth_level=auth_level1,
5974 auth_context_id=auth_context_id1,
5976 auth_context2 = self.get_auth_context_creds(creds=creds2,
5977 auth_type=auth_type2,
5978 auth_level=auth_level2,
5979 auth_context_id=auth_context_id2,
5981 auth_context3 = self.get_auth_context_creds(creds=creds3,
5982 auth_type=auth_type3,
5983 auth_level=auth_level3,
5984 auth_context_id=auth_context_id3,
5987 get_user_name = samba.dcerpc.lsa.GetUserName()
5988 get_user_name.in_system_name = self.target_hostname
5989 get_user_name.in_account_name = None
5990 get_user_name.in_authority_name = base.ndr_pointer(None)
5992 ack1 = self.do_generic_bind(call_id=0,
5994 auth_context=auth_context1)
5997 # With just one explicit auth context and that
5998 # *not* uses AUTH_LEVEL_CONNECT context.
6000 # We don't get the by default (auth_context1)
6002 self.do_single_request(call_id=1, ctx=ctx1, io=get_user_name)
6003 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
6004 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
6005 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
6007 self.do_single_request(call_id=2, ctx=ctx1, io=get_user_name,
6008 auth_context=auth_context1)
6009 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
6010 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
6011 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
6013 self.do_single_request(call_id=3, ctx=ctx1, io=get_user_name)
6014 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
6015 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
6016 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
6018 ack2 = self.do_generic_bind(call_id=4,
6020 auth_context=auth_context2,
6021 assoc_group_id = ack1.u.assoc_group_id,
6022 start_with_alter=True)
6025 # With just two explicit auth context and
6026 # *none* uses AUTH_LEVEL_CONNECT context.
6028 # We don't get auth_context1 or auth_context2 by default
6030 self.do_single_request(call_id=5, ctx=ctx1, io=get_user_name)
6031 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
6032 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
6033 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
6035 self.do_single_request(call_id=6, ctx=ctx1, io=get_user_name,
6036 auth_context=auth_context1)
6037 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
6038 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
6039 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
6041 self.do_single_request(call_id=7, ctx=ctx1, io=get_user_name,
6042 auth_context=auth_context2)
6043 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
6044 self.assertEqualsStrLower(get_user_name.out_account_name, account_name2)
6045 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name2)
6047 self.do_single_request(call_id=8, ctx=ctx1, io=get_user_name)
6048 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
6049 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
6050 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
6052 ack3 = self.do_generic_bind(call_id=9,
6054 auth_context=auth_context3,
6055 assoc_group_id = ack1.u.assoc_group_id,
6056 start_with_alter=True)
6059 # Now we have tree explicit auth contexts,
6060 # but just one with AUTH_LEVEL_CONNECT
6062 # If we don't specify one of them we get
6063 # that one auth_level_connect context.
6065 # Until an explicit usage of any auth context reset that mode.
6067 self.do_single_request(call_id=10, ctx=ctx1, io=get_user_name)
6068 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
6069 self.assertEqualsStrLower(get_user_name.out_account_name, account_name3)
6070 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name3)
6072 self.do_single_request(call_id=11, ctx=ctx1, io=get_user_name)
6073 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
6074 self.assertEqualsStrLower(get_user_name.out_account_name, account_name3)
6075 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name3)
6077 self.do_single_request(call_id=12, ctx=ctx1, io=get_user_name,
6078 auth_context=auth_context1)
6079 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
6080 self.assertEqualsStrLower(get_user_name.out_account_name, account_name1)
6081 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name1)
6083 self.do_single_request(call_id=13, ctx=ctx1, io=get_user_name)
6084 self.assertEqual(get_user_name.result[0], NT_STATUS_SUCCESS)
6085 self.assertEqualsStrLower(get_user_name.out_account_name, account_name0)
6086 self.assertEqualsStrLower(get_user_name.out_authority_name.value, authority_name0)
6090 def test_lsa_multi_auth_sign_connect1u(self):
6091 smb_auth_creds = self.get_user_creds()
6092 account_name0 = smb_auth_creds.get_username()
6093 authority_name0 = smb_auth_creds.get_domain()
6094 return self._test_lsa_multi_auth_sign_connect1(smb_auth_creds,
6097 def test_lsa_multi_auth_sign_connect1a(self):
6098 smb_auth_creds = self.get_anon_creds()
6099 account_name0 = "ANONYMOUS LOGON"
6100 authority_name0 = "NT AUTHORITY"
6101 return self._test_lsa_multi_auth_sign_connect1(smb_auth_creds,
6105 def test_spnego_multiple_auth_hdr_signing(self):
6106 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
6107 auth_level1 = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
6109 auth_level2 = dcerpc.DCERPC_AUTH_LEVEL_PACKET
6112 creds = self.get_user_creds()
6114 abstract = samba.dcerpc.mgmt.abstract_syntax()
6115 transfer = base.transfer_syntax_ndr()
6117 tsf1_list = [transfer]
6118 ctx = samba.dcerpc.dcerpc.ctx_list()
6120 ctx.num_transfer_syntaxes = len(tsf1_list)
6121 ctx.abstract_syntax = abstract
6122 ctx.transfer_syntaxes = tsf1_list
6124 auth_context1 = self.get_auth_context_creds(creds=creds,
6125 auth_type=auth_type,
6126 auth_level=auth_level1,
6127 auth_context_id=auth_context_id1,
6129 auth_context2 = self.get_auth_context_creds(creds=creds,
6130 auth_type=auth_type,
6131 auth_level=auth_level2,
6132 auth_context_id=auth_context_id2,
6135 ack0 = self.do_generic_bind(call_id=1, ctx=ctx)
6137 ack1 = self.do_generic_bind(call_id=2,
6139 auth_context=auth_context1,
6140 assoc_group_id = ack0.u.assoc_group_id,
6141 start_with_alter=True)
6142 ack2 = self.do_generic_bind(call_id=3,
6144 auth_context=auth_context2,
6145 assoc_group_id = ack0.u.assoc_group_id,
6146 start_with_alter=True)
6148 inq_if_ids = samba.dcerpc.mgmt.inq_if_ids()
6149 self.do_single_request(call_id=4, ctx=ctx, io=inq_if_ids)
6150 self.do_single_request(call_id=5, ctx=ctx, io=inq_if_ids,
6151 auth_context=auth_context1)
6152 self.do_single_request(call_id=6, ctx=ctx, io=inq_if_ids,
6153 auth_context=auth_context2)
6155 ack3 = self.do_generic_bind(call_id=7, ctx=ctx,
6156 pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST |
6157 dcerpc.DCERPC_PFC_FLAG_LAST |
6158 dcerpc.DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN,
6159 assoc_group_id = ack0.u.assoc_group_id,
6160 start_with_alter=True)
6162 self.assertFalse(auth_context1['hdr_signing'])
6163 auth_context1['hdr_signing'] = True
6164 auth_context1["gensec"].want_feature(gensec.FEATURE_SIGN_PKT_HEADER)
6166 self.do_single_request(call_id=8, ctx=ctx, io=inq_if_ids)
6167 self.do_single_request(call_id=9, ctx=ctx, io=inq_if_ids,
6168 auth_context=auth_context1)
6169 self.do_single_request(call_id=10, ctx=ctx, io=inq_if_ids,
6170 auth_context=auth_context2,
6171 fault_status=dcerpc.DCERPC_FAULT_SEC_PKG_ERROR)
6173 # wait for a disconnect
6174 rep = self.recv_pdu()
6175 self.assertIsNone(rep)
6176 self.assertNotConnected()
6178 def test_multiple_auth_limit(self):
6179 creds = self.get_user_creds()
6181 abstract = samba.dcerpc.mgmt.abstract_syntax()
6182 transfer = base.transfer_syntax_ndr()
6184 tsf1_list = [transfer]
6185 ctx = samba.dcerpc.dcerpc.ctx_list()
6187 ctx.num_transfer_syntaxes = len(tsf1_list)
6188 ctx.abstract_syntax = abstract
6189 ctx.transfer_syntaxes = tsf1_list
6191 ack0 = self.do_generic_bind(call_id=0, ctx=ctx)
6193 is_server_listening = samba.dcerpc.mgmt.is_server_listening()
6195 max_num_auth_str = samba.tests.env_get_var_value('MAX_NUM_AUTH', allow_missing=True)
6196 if max_num_auth_str is not None:
6197 max_num_auth = int(max_num_auth_str)
6201 for i in range(1, max_num_auth+2):
6202 auth_type = dcerpc.DCERPC_AUTH_TYPE_SPNEGO
6203 auth_level = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY
6206 auth_context = self.get_auth_context_creds(creds=creds,
6207 auth_type=auth_type,
6208 auth_level=auth_level,
6209 auth_context_id=auth_context_id,
6213 if i > max_num_auth:
6214 alter_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR
6216 ack = self.do_generic_bind(call_id=auth_context_id,
6218 auth_context=auth_context,
6219 assoc_group_id = ack0.u.assoc_group_id,
6220 alter_fault=alter_fault,
6221 start_with_alter=True,
6223 if alter_fault is not None:
6227 self.do_single_request(call_id=auth_context_id,
6228 ctx=ctx, io=is_server_listening,
6229 auth_context=auth_context)
6231 # wait for a disconnect
6232 rep = self.recv_pdu()
6233 self.assertIsNone(rep)
6234 self.assertNotConnected()
6238 if __name__ == "__main__":
6239 global_ndr_print = True
6240 global_hexdump = True