2 Unix SMB/CIFS implementation.
5 Copyright (C) Andrew Tridgell 2003-2005
6 Copyright (C) Jelmer Vernooij 2004-2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "system/network.h"
25 #include "lib/tsocket/tsocket.h"
26 #include "lib/util/tevent_ntstatus.h"
27 #include "librpc/rpc/dcerpc.h"
28 #include "librpc/gen_ndr/ndr_dcerpc.h"
29 #include "rpc_common.h"
30 #include "lib/util/bitmap.h"
31 #include "auth/gensec/gensec.h"
33 /* we need to be able to get/set the fragment length without doing a full
35 void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
37 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
38 SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
40 RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
44 uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
46 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
47 return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
49 return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
53 void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
55 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
56 SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
58 RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
62 uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
64 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
65 return SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
67 return RSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
71 uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
73 return blob->data[DCERPC_DREP_OFFSET];
77 * @brief Decodes a ncacn_packet
79 * @param mem_ctx The memory context on which to allocate the packet
81 * @param blob The blob of data to decode
82 * @param r An empty ncacn_packet, must not be NULL
84 * @return a NTSTATUS error code
86 NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
87 const DATA_BLOB *blob,
88 struct ncacn_packet *r)
90 enum ndr_err_code ndr_err;
93 ndr = ndr_pull_init_blob(blob, mem_ctx);
95 return NT_STATUS_NO_MEMORY;
98 ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r);
100 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
102 return ndr_map_error2ntstatus(ndr_err);
106 if (r->frag_length != blob->length) {
107 return NT_STATUS_RPC_PROTOCOL_ERROR;
114 * @brief Pull a dcerpc_auth structure, taking account of any auth
115 * padding in the blob. For request/response packets we pass
116 * the whole data blob, so auth_data_only must be set to false
117 * as the blob contains data+pad+auth and no just pad+auth.
119 * @param pkt - The ncacn_packet strcuture
120 * @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements
121 * @param pkt_trailer - The packet trailer data, usually the trailing
122 * auth_info blob, but in the request/response case
123 * this is the stub_and_verifier blob.
124 * @param auth - A preallocated dcerpc_auth *empty* structure
125 * @param auth_length - The length of the auth trail, sum of auth header
126 * lenght and pkt->auth_length
127 * @param auth_data_only - Whether the pkt_trailer includes only the auth_blob
128 * (+ padding) or also other data.
130 * @return - A NTSTATUS error code.
132 NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
134 const DATA_BLOB *pkt_trailer,
135 struct dcerpc_auth *auth,
136 uint32_t *_auth_length,
139 struct ndr_pull *ndr;
140 enum ndr_err_code ndr_err;
141 uint16_t data_and_pad;
142 uint16_t auth_length;
144 uint32_t max_pad_len = 0;
147 if (_auth_length != NULL) {
150 if (auth_data_only) {
151 return NT_STATUS_INTERNAL_ERROR;
154 if (!auth_data_only) {
155 return NT_STATUS_INTERNAL_ERROR;
159 /* Paranoia checks for auth_length. The caller should check this... */
160 if (pkt->auth_length == 0) {
161 return NT_STATUS_INTERNAL_ERROR;
164 /* Paranoia checks for auth_length. The caller should check this... */
165 if (pkt->auth_length > pkt->frag_length) {
166 return NT_STATUS_INTERNAL_ERROR;
168 tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
169 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
170 tmp_length += pkt->auth_length;
171 if (tmp_length > pkt->frag_length) {
172 return NT_STATUS_INTERNAL_ERROR;
174 if (pkt_trailer->length > UINT16_MAX) {
175 return NT_STATUS_INTERNAL_ERROR;
178 auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
179 if (pkt_trailer->length < auth_length) {
180 return NT_STATUS_RPC_PROTOCOL_ERROR;
183 data_and_pad = pkt_trailer->length - auth_length;
185 ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
187 return NT_STATUS_NO_MEMORY;
190 if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
191 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
194 ndr_err = ndr_pull_advance(ndr, data_and_pad);
195 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
197 return ndr_map_error2ntstatus(ndr_err);
200 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
201 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
204 return ndr_map_error2ntstatus(ndr_err);
208 * Make sure the padding would not exceed
211 * Here we assume at least 24 bytes for the
212 * payload specific header the value of
213 * DCERPC_{REQUEST,RESPONSE}_LENGTH.
215 * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
217 * We need this check before we ignore possible
218 * invalid values. See also bug #11982.
220 * This check is mainly used to generate the correct
221 * error for BIND_*, ALTER_* and AUTH3 pdus.
223 * We always have the 'if (data_and_pad < auth->auth_pad_length)'
224 * protection for REQUEST and RESPONSE pdus, where the
225 * auth_pad_length field is actually used by the caller.
227 tmp_length = DCERPC_REQUEST_LENGTH;
228 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
229 tmp_length += pkt->auth_length;
230 if (tmp_length < pkt->frag_length) {
231 max_pad_len = pkt->frag_length - tmp_length;
233 if (max_pad_len < auth->auth_pad_length) {
234 DEBUG(1, (__location__ ": ERROR: pad length to large. "
236 (unsigned)max_pad_len,
237 (unsigned)auth->auth_pad_length));
240 return NT_STATUS_RPC_PROTOCOL_ERROR;
244 * This is a workarround for a bug in old
245 * Samba releases. For BIND_ACK <= 3.5.x
246 * and for ALTER_RESP <= 4.2.x (see bug #11061)
248 * See also bug #11982.
250 if (auth_data_only && data_and_pad == 0 &&
251 auth->auth_pad_length > 0) {
253 * we need to ignore invalid auth_pad_length
254 * values for BIND_*, ALTER_* and AUTH3 pdus.
256 auth->auth_pad_length = 0;
259 if (data_and_pad < auth->auth_pad_length) {
260 DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
261 "Calculated %u got %u\n",
262 (unsigned)data_and_pad,
263 (unsigned)auth->auth_pad_length));
266 return NT_STATUS_RPC_PROTOCOL_ERROR;
269 if (auth_data_only && data_and_pad != auth->auth_pad_length) {
270 DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
271 "Calculated %u got %u\n",
272 (unsigned)data_and_pad,
273 (unsigned)auth->auth_pad_length));
276 return NT_STATUS_RPC_PROTOCOL_ERROR;
279 DBG_DEBUG("auth_pad_length %u\n",
280 (unsigned)auth->auth_pad_length);
282 talloc_steal(mem_ctx, auth->credentials.data);
285 if (_auth_length != NULL) {
286 *_auth_length = auth_length;
293 * @brief Verify the fields in ncacn_packet header.
295 * @param pkt - The ncacn_packet strcuture
296 * @param ptype - The expected PDU type
297 * @param max_auth_info - The maximum size of a possible auth trailer
298 * @param required_flags - The required flags for the pdu.
299 * @param optional_flags - The possible optional flags for the pdu.
301 * @return - A NTSTATUS error code.
303 NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
304 enum dcerpc_pkt_type ptype,
305 size_t max_auth_info,
306 uint8_t required_flags,
307 uint8_t optional_flags)
309 if (pkt->rpc_vers != 5) {
310 return NT_STATUS_RPC_PROTOCOL_ERROR;
313 if (pkt->rpc_vers_minor != 0) {
314 return NT_STATUS_RPC_PROTOCOL_ERROR;
317 if (pkt->auth_length > pkt->frag_length) {
318 return NT_STATUS_RPC_PROTOCOL_ERROR;
321 if (pkt->ptype != ptype) {
322 return NT_STATUS_RPC_PROTOCOL_ERROR;
325 if (max_auth_info > UINT16_MAX) {
326 return NT_STATUS_INTERNAL_ERROR;
329 if (pkt->auth_length > 0) {
330 size_t max_auth_length;
332 if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
333 return NT_STATUS_RPC_PROTOCOL_ERROR;
335 max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
337 if (pkt->auth_length > max_auth_length) {
338 return NT_STATUS_RPC_PROTOCOL_ERROR;
342 if ((pkt->pfc_flags & required_flags) != required_flags) {
343 return NT_STATUS_RPC_PROTOCOL_ERROR;
345 if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
346 return NT_STATUS_RPC_PROTOCOL_ERROR;
349 if (pkt->drep[0] & ~DCERPC_DREP_LE) {
350 return NT_STATUS_RPC_PROTOCOL_ERROR;
352 if (pkt->drep[1] != 0) {
353 return NT_STATUS_RPC_PROTOCOL_ERROR;
355 if (pkt->drep[2] != 0) {
356 return NT_STATUS_RPC_PROTOCOL_ERROR;
358 if (pkt->drep[3] != 0) {
359 return NT_STATUS_RPC_PROTOCOL_ERROR;
365 NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state,
366 struct gensec_security *gensec,
368 enum dcerpc_pkt_type ptype,
369 uint8_t required_flags,
370 uint8_t optional_flags,
371 uint8_t payload_offset,
372 DATA_BLOB *payload_and_verifier,
373 DATA_BLOB *raw_packet,
374 const struct ncacn_packet *pkt)
377 struct dcerpc_auth auth;
378 uint32_t auth_length;
380 if (auth_state == NULL) {
381 return NT_STATUS_INTERNAL_ERROR;
384 status = dcerpc_verify_ncacn_packet_header(pkt, ptype,
385 payload_and_verifier->length,
386 required_flags, optional_flags);
387 if (!NT_STATUS_IS_OK(status)) {
391 switch (auth_state->auth_level) {
392 case DCERPC_AUTH_LEVEL_PRIVACY:
393 case DCERPC_AUTH_LEVEL_INTEGRITY:
394 case DCERPC_AUTH_LEVEL_PACKET:
397 case DCERPC_AUTH_LEVEL_CONNECT:
398 if (pkt->auth_length != 0) {
402 case DCERPC_AUTH_LEVEL_NONE:
403 if (pkt->auth_length != 0) {
404 return NT_STATUS_ACCESS_DENIED;
409 return NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL;
412 if (pkt->auth_length == 0) {
413 return NT_STATUS_RPC_PROTOCOL_ERROR;
416 if (gensec == NULL) {
417 return NT_STATUS_INTERNAL_ERROR;
420 status = dcerpc_pull_auth_trailer(pkt, mem_ctx,
421 payload_and_verifier,
422 &auth, &auth_length, false);
423 if (!NT_STATUS_IS_OK(status)) {
427 if (payload_and_verifier->length < auth_length) {
429 * should be checked in dcerpc_pull_auth_trailer()
431 return NT_STATUS_INTERNAL_ERROR;
434 payload_and_verifier->length -= auth_length;
436 if (payload_and_verifier->length < auth.auth_pad_length) {
438 * should be checked in dcerpc_pull_auth_trailer()
440 return NT_STATUS_INTERNAL_ERROR;
443 if (auth.auth_type != auth_state->auth_type) {
444 return NT_STATUS_ACCESS_DENIED;
447 if (auth.auth_level != auth_state->auth_level) {
448 return NT_STATUS_ACCESS_DENIED;
451 if (auth.auth_context_id != auth_state->auth_context_id) {
452 return NT_STATUS_ACCESS_DENIED;
455 /* check signature or unseal the packet */
456 switch (auth_state->auth_level) {
457 case DCERPC_AUTH_LEVEL_PRIVACY:
458 status = gensec_unseal_packet(gensec,
459 raw_packet->data + payload_offset,
460 payload_and_verifier->length,
463 auth.credentials.length,
465 if (!NT_STATUS_IS_OK(status)) {
466 return NT_STATUS_RPC_SEC_PKG_ERROR;
468 memcpy(payload_and_verifier->data,
469 raw_packet->data + payload_offset,
470 payload_and_verifier->length);
473 case DCERPC_AUTH_LEVEL_INTEGRITY:
474 case DCERPC_AUTH_LEVEL_PACKET:
475 status = gensec_check_packet(gensec,
476 payload_and_verifier->data,
477 payload_and_verifier->length,
480 auth.credentials.length,
482 if (!NT_STATUS_IS_OK(status)) {
483 return NT_STATUS_RPC_SEC_PKG_ERROR;
487 case DCERPC_AUTH_LEVEL_CONNECT:
488 /* for now we ignore possible signatures here */
492 return NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL;
496 * remove the indicated amount of padding
498 * A possible overflow is checked above.
500 payload_and_verifier->length -= auth.auth_pad_length;
505 NTSTATUS dcerpc_ncacn_push_pkt_auth(const struct dcerpc_auth *auth_state,
506 struct gensec_security *gensec,
508 DATA_BLOB *raw_packet,
510 uint8_t payload_offset,
511 const DATA_BLOB *payload,
512 const struct ncacn_packet *pkt)
514 TALLOC_CTX *frame = talloc_stackframe();
516 enum ndr_err_code ndr_err;
517 struct ndr_push *ndr = NULL;
518 uint32_t payload_length;
519 uint32_t whole_length;
520 DATA_BLOB blob = data_blob_null;
521 DATA_BLOB sig = data_blob_null;
522 struct dcerpc_auth _out_auth_info;
523 struct dcerpc_auth *out_auth_info = NULL;
525 *raw_packet = data_blob_null;
527 if (auth_state == NULL) {
529 return NT_STATUS_INTERNAL_ERROR;
532 switch (auth_state->auth_level) {
533 case DCERPC_AUTH_LEVEL_PRIVACY:
534 case DCERPC_AUTH_LEVEL_INTEGRITY:
535 case DCERPC_AUTH_LEVEL_PACKET:
538 return NT_STATUS_INTERNAL_ERROR;
541 if (gensec == NULL) {
543 return NT_STATUS_INTERNAL_ERROR;
546 _out_auth_info = (struct dcerpc_auth) {
547 .auth_type = auth_state->auth_type,
548 .auth_level = auth_state->auth_level,
549 .auth_context_id = auth_state->auth_context_id,
551 out_auth_info = &_out_auth_info;
554 case DCERPC_AUTH_LEVEL_CONNECT:
556 * TODO: let the gensec mech decide if it wants to generate a
557 * signature that might be needed for schannel...
561 return NT_STATUS_INTERNAL_ERROR;
564 if (gensec == NULL) {
566 return NT_STATUS_INTERNAL_ERROR;
570 case DCERPC_AUTH_LEVEL_NONE:
573 return NT_STATUS_INTERNAL_ERROR;
579 return NT_STATUS_INTERNAL_ERROR;
582 ndr = ndr_push_init_ctx(frame);
585 return NT_STATUS_NO_MEMORY;
588 ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
589 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
591 return ndr_map_error2ntstatus(ndr_err);
594 if (out_auth_info != NULL) {
596 * pad to 16 byte multiple in the payload portion of the
597 * packet. This matches what w2k3 does. Note that we can't use
598 * ndr_push_align() as that is relative to the start of the
599 * whole packet, whereas w2k8 wants it relative to the start
602 out_auth_info->auth_pad_length =
603 DCERPC_AUTH_PAD_LENGTH(payload->length);
604 ndr_err = ndr_push_zero(ndr, out_auth_info->auth_pad_length);
605 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
607 return ndr_map_error2ntstatus(ndr_err);
610 payload_length = payload->length +
611 out_auth_info->auth_pad_length;
613 ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS,
615 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
617 return ndr_map_error2ntstatus(ndr_err);
620 whole_length = ndr->offset;
622 ndr_err = ndr_push_zero(ndr, sig_size);
623 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
625 return ndr_map_error2ntstatus(ndr_err);
628 payload_length = payload->length;
629 whole_length = ndr->offset;
632 /* extract the whole packet as a blob */
633 blob = ndr_push_blob(ndr);
636 * Setup the frag and auth length in the packet buffer.
637 * This is needed if the GENSEC mech does AEAD signing
638 * of the packet headers. The signature itself will be
641 dcerpc_set_frag_length(&blob, blob.length);
642 dcerpc_set_auth_length(&blob, sig_size);
644 /* sign or seal the packet */
645 switch (auth_state->auth_level) {
646 case DCERPC_AUTH_LEVEL_PRIVACY:
647 status = gensec_seal_packet(gensec,
649 blob.data + payload_offset,
654 if (!NT_STATUS_IS_OK(status)) {
660 case DCERPC_AUTH_LEVEL_INTEGRITY:
661 case DCERPC_AUTH_LEVEL_PACKET:
662 status = gensec_sign_packet(gensec,
664 blob.data + payload_offset,
669 if (!NT_STATUS_IS_OK(status)) {
675 case DCERPC_AUTH_LEVEL_CONNECT:
676 case DCERPC_AUTH_LEVEL_NONE:
681 return NT_STATUS_INTERNAL_ERROR;
684 if (sig.length != sig_size) {
686 return NT_STATUS_RPC_SEC_PKG_ERROR;
690 memcpy(blob.data + whole_length, sig.data, sig_size);
694 talloc_steal(mem_ctx, raw_packet->data);
699 struct dcerpc_read_ncacn_packet_state {
705 struct ncacn_packet *pkt;
708 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
711 struct iovec **_vector,
713 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq);
715 struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
716 struct tevent_context *ev,
717 struct tstream_context *stream)
719 struct tevent_req *req;
720 struct dcerpc_read_ncacn_packet_state *state;
721 struct tevent_req *subreq;
723 req = tevent_req_create(mem_ctx, &state,
724 struct dcerpc_read_ncacn_packet_state);
729 state->pkt = talloc_zero(state, struct ncacn_packet);
730 if (tevent_req_nomem(state->pkt, req)) {
734 subreq = tstream_readv_pdu_send(state, ev,
736 dcerpc_read_ncacn_packet_next_vector,
738 if (tevent_req_nomem(subreq, req)) {
741 tevent_req_set_callback(subreq, dcerpc_read_ncacn_packet_done, req);
745 tevent_req_post(req, ev);
749 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
752 struct iovec **_vector,
755 struct dcerpc_read_ncacn_packet_state *state =
756 talloc_get_type_abort(private_data,
757 struct dcerpc_read_ncacn_packet_state);
758 struct iovec *vector;
761 if (state->buffer.length == 0) {
763 * first get enough to read the fragment length
765 * We read the full fixed ncacn_packet header
766 * in order to make wireshark happy with
767 * pcap files from socket_wrapper.
770 state->buffer.length = DCERPC_NCACN_PAYLOAD_OFFSET;
771 state->buffer.data = talloc_array(state, uint8_t,
772 state->buffer.length);
773 if (!state->buffer.data) {
776 } else if (state->buffer.length == DCERPC_NCACN_PAYLOAD_OFFSET) {
777 /* now read the fragment length and allocate the full buffer */
778 size_t frag_len = dcerpc_get_frag_length(&state->buffer);
780 ofs = state->buffer.length;
782 if (frag_len < ofs) {
784 * something is wrong, let the caller deal with it
791 state->buffer.data = talloc_realloc(state,
794 if (!state->buffer.data) {
797 state->buffer.length = frag_len;
799 /* if we reach this we have a full fragment */
805 /* now create the vector that we want to be filled */
806 vector = talloc_array(mem_ctx, struct iovec, 1);
811 vector[0].iov_base = (void *) (state->buffer.data + ofs);
812 vector[0].iov_len = state->buffer.length - ofs;
819 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
821 struct tevent_req *req = tevent_req_callback_data(subreq,
823 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
824 struct dcerpc_read_ncacn_packet_state);
829 ret = tstream_readv_pdu_recv(subreq, &sys_errno);
832 status = map_nt_error_from_unix_common(sys_errno);
833 tevent_req_nterror(req, status);
837 status = dcerpc_pull_ncacn_packet(state->pkt,
840 if (tevent_req_nterror(req, status)) {
844 tevent_req_done(req);
847 NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
849 struct ncacn_packet **pkt,
852 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
853 struct dcerpc_read_ncacn_packet_state);
856 if (tevent_req_is_nterror(req, &status)) {
857 tevent_req_received(req);
861 *pkt = talloc_move(mem_ctx, &state->pkt);
863 buffer->data = talloc_move(mem_ctx, &state->buffer.data);
864 buffer->length = state->buffer.length;
867 tevent_req_received(req);
871 const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
872 enum dcerpc_transport_t transport,
873 const struct ndr_interface_table *table)
876 const char *p = NULL;
877 const char *endpoint = NULL;
879 struct dcerpc_binding *default_binding = NULL;
880 TALLOC_CTX *frame = talloc_stackframe();
882 /* Find one of the default pipes for this interface */
884 for (i = 0; i < table->endpoints->count; i++) {
885 enum dcerpc_transport_t dtransport;
886 const char *dendpoint;
888 status = dcerpc_parse_binding(frame, table->endpoints->names[i],
890 if (!NT_STATUS_IS_OK(status)) {
894 dtransport = dcerpc_binding_get_transport(default_binding);
895 dendpoint = dcerpc_binding_get_string_option(default_binding,
897 if (dendpoint == NULL) {
898 TALLOC_FREE(default_binding);
902 if (transport == NCA_UNKNOWN) {
903 transport = dtransport;
906 if (transport != dtransport) {
907 TALLOC_FREE(default_binding);
920 * extract the pipe name without \\pipe from for example
921 * ncacn_np:[\\pipe\\epmapper]
923 if (transport == NCACN_NP) {
924 if (strncasecmp(p, "\\pipe\\", 6) == 0) {
927 if (strncmp(p, "\\", 1) == 0) {
932 endpoint = talloc_strdup(mem_ctx, p);
939 struct dcerpc_sec_vt_header2 dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet *pkt)
941 struct dcerpc_sec_vt_header2 ret;
944 ret.ptype = pkt->ptype;
945 memcpy(&ret.drep, pkt->drep, sizeof(ret.drep));
946 ret.call_id = pkt->call_id;
948 switch (pkt->ptype) {
949 case DCERPC_PKT_REQUEST:
950 ret.context_id = pkt->u.request.context_id;
951 ret.opnum = pkt->u.request.opnum;
954 case DCERPC_PKT_RESPONSE:
955 ret.context_id = pkt->u.response.context_id;
958 case DCERPC_PKT_FAULT:
959 ret.context_id = pkt->u.fault.context_id;
969 bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2 *v1,
970 const struct dcerpc_sec_vt_header2 *v2)
972 if (v1->ptype != v2->ptype) {
976 if (memcmp(v1->drep, v2->drep, sizeof(v1->drep)) != 0) {
980 if (v1->call_id != v2->call_id) {
984 if (v1->context_id != v2->context_id) {
988 if (v1->opnum != v2->opnum) {
995 static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer *r)
998 TALLOC_CTX *frame = talloc_stackframe();
999 struct bitmap *commands_seen;
1002 if (r->count.count == 0) {
1007 if (memcmp(r->magic, DCERPC_SEC_VT_MAGIC, sizeof(r->magic)) != 0) {
1011 commands_seen = bitmap_talloc(frame, DCERPC_SEC_VT_COMMAND_ENUM + 1);
1012 if (commands_seen == NULL) {
1016 for (i=0; i < r->count.count; i++) {
1017 enum dcerpc_sec_vt_command_enum cmd =
1018 r->commands[i].command & DCERPC_SEC_VT_COMMAND_ENUM;
1020 if (bitmap_query(commands_seen, cmd)) {
1021 /* Each command must appear at most once. */
1024 bitmap_set(commands_seen, cmd);
1027 case DCERPC_SEC_VT_COMMAND_BITMASK1:
1028 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
1029 case DCERPC_SEC_VT_COMMAND_HEADER2:
1032 if ((r->commands[i].u._unknown.length % 4) != 0) {
1044 static bool dcerpc_sec_vt_bitmask_check(const uint32_t *bitmask1,
1045 struct dcerpc_sec_vt *c)
1047 if (bitmask1 == NULL) {
1048 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
1049 DEBUG(10, ("SEC_VT check Bitmask1 must_process_command "
1057 if ((c->u.bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING)
1058 && (!(*bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING))) {
1059 DEBUG(10, ("SEC_VT check Bitmask1 client_header_signing "
1066 static bool dcerpc_sec_vt_pctx_check(const struct dcerpc_sec_vt_pcontext *pcontext,
1067 struct dcerpc_sec_vt *c)
1069 TALLOC_CTX *mem_ctx;
1072 if (pcontext == NULL) {
1073 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
1074 DEBUG(10, ("SEC_VT check Pcontext must_process_command "
1082 mem_ctx = talloc_stackframe();
1083 ok = ndr_syntax_id_equal(&pcontext->abstract_syntax,
1084 &c->u.pcontext.abstract_syntax);
1086 DEBUG(10, ("SEC_VT check pcontext abstract_syntax failed: "
1088 ndr_syntax_id_to_string(mem_ctx,
1089 &pcontext->abstract_syntax),
1090 ndr_syntax_id_to_string(mem_ctx,
1091 &c->u.pcontext.abstract_syntax)));
1094 ok = ndr_syntax_id_equal(&pcontext->transfer_syntax,
1095 &c->u.pcontext.transfer_syntax);
1097 DEBUG(10, ("SEC_VT check pcontext transfer_syntax failed: "
1099 ndr_syntax_id_to_string(mem_ctx,
1100 &pcontext->transfer_syntax),
1101 ndr_syntax_id_to_string(mem_ctx,
1102 &c->u.pcontext.transfer_syntax)));
1108 talloc_free(mem_ctx);
1112 static bool dcerpc_sec_vt_hdr2_check(const struct dcerpc_sec_vt_header2 *header2,
1113 struct dcerpc_sec_vt *c)
1115 if (header2 == NULL) {
1116 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
1117 DEBUG(10, ("SEC_VT check Header2 must_process_command failed\n"));
1124 if (!dcerpc_sec_vt_header2_equal(header2, &c->u.header2)) {
1125 DEBUG(10, ("SEC_VT check Header2 failed\n"));
1132 bool dcerpc_sec_verification_trailer_check(
1133 const struct dcerpc_sec_verification_trailer *vt,
1134 const uint32_t *bitmask1,
1135 const struct dcerpc_sec_vt_pcontext *pcontext,
1136 const struct dcerpc_sec_vt_header2 *header2)
1140 if (!dcerpc_sec_vt_is_valid(vt)) {
1144 for (i=0; i < vt->count.count; i++) {
1146 struct dcerpc_sec_vt *c = &vt->commands[i];
1148 switch (c->command & DCERPC_SEC_VT_COMMAND_ENUM) {
1149 case DCERPC_SEC_VT_COMMAND_BITMASK1:
1150 ok = dcerpc_sec_vt_bitmask_check(bitmask1, c);
1156 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
1157 ok = dcerpc_sec_vt_pctx_check(pcontext, c);
1163 case DCERPC_SEC_VT_COMMAND_HEADER2: {
1164 ok = dcerpc_sec_vt_hdr2_check(header2, c);
1172 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
1173 DEBUG(10, ("SEC_VT check Unknown must_process_command failed\n"));
1184 static const struct ndr_syntax_id dcerpc_bind_time_features_prefix = {
1186 .time_low = 0x6cb71c2c,
1188 .time_hi_and_version = 0x4540,
1189 .clock_seq = {0x00, 0x00},
1190 .node = {0x00,0x00,0x00,0x00,0x00,0x00}
1195 bool dcerpc_extract_bind_time_features(struct ndr_syntax_id s, uint64_t *_features)
1198 uint64_t features = 0;
1200 values[0] = s.uuid.clock_seq[0];
1201 values[1] = s.uuid.clock_seq[1];
1202 values[2] = s.uuid.node[0];
1203 values[3] = s.uuid.node[1];
1204 values[4] = s.uuid.node[2];
1205 values[5] = s.uuid.node[3];
1206 values[6] = s.uuid.node[4];
1207 values[7] = s.uuid.node[5];
1209 ZERO_STRUCT(s.uuid.clock_seq);
1210 ZERO_STRUCT(s.uuid.node);
1212 if (!ndr_syntax_id_equal(&s, &dcerpc_bind_time_features_prefix)) {
1213 if (_features != NULL) {
1219 features = BVAL(values, 0);
1221 if (_features != NULL) {
1222 *_features = features;
1228 struct ndr_syntax_id dcerpc_construct_bind_time_features(uint64_t features)
1230 struct ndr_syntax_id s = dcerpc_bind_time_features_prefix;
1233 SBVAL(values, 0, features);
1235 s.uuid.clock_seq[0] = values[0];
1236 s.uuid.clock_seq[1] = values[1];
1237 s.uuid.node[0] = values[2];
1238 s.uuid.node[1] = values[3];
1239 s.uuid.node[2] = values[4];
1240 s.uuid.node[3] = values[5];
1241 s.uuid.node[4] = values[6];
1242 s.uuid.node[5] = values[7];