2 Unix SMB/CIFS implementation.
5 Copyright (C) Andrew Tridgell 2003-2005
6 Copyright (C) Jelmer Vernooij 2004-2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "system/network.h"
25 #include "lib/tsocket/tsocket.h"
26 #include "lib/util/tevent_ntstatus.h"
27 #include "librpc/rpc/dcerpc.h"
28 #include "librpc/gen_ndr/ndr_dcerpc.h"
29 #include "rpc_common.h"
30 #include "lib/util/bitmap.h"
32 /* we need to be able to get/set the fragment length without doing a full
34 void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
36 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
37 SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
39 RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
43 uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
45 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
46 return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
48 return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
52 void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
54 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
55 SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
57 RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
61 uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
63 return blob->data[DCERPC_DREP_OFFSET];
68 * @brief Pull a dcerpc_auth structure, taking account of any auth
69 * padding in the blob. For request/response packets we pass
70 * the whole data blob, so auth_data_only must be set to false
71 * as the blob contains data+pad+auth and no just pad+auth.
73 * @param pkt - The ncacn_packet strcuture
74 * @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements
75 * @param pkt_trailer - The packet trailer data, usually the trailing
76 * auth_info blob, but in the request/response case
77 * this is the stub_and_verifier blob.
78 * @param auth - A preallocated dcerpc_auth *empty* structure
79 * @param auth_length - The length of the auth trail, sum of auth header
80 * lenght and pkt->auth_length
81 * @param auth_data_only - Whether the pkt_trailer includes only the auth_blob
82 * (+ padding) or also other data.
84 * @return - A NTSTATUS error code.
86 NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
88 const DATA_BLOB *pkt_trailer,
89 struct dcerpc_auth *auth,
90 uint32_t *_auth_length,
94 enum ndr_err_code ndr_err;
95 uint16_t data_and_pad;
100 if (_auth_length != NULL) {
104 /* Paranoia checks for auth_length. The caller should check this... */
105 if (pkt->auth_length == 0) {
106 return NT_STATUS_INTERNAL_ERROR;
109 /* Paranoia checks for auth_length. The caller should check this... */
110 if (pkt->auth_length > pkt->frag_length) {
111 return NT_STATUS_INTERNAL_ERROR;
113 tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
114 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
115 tmp_length += pkt->auth_length;
116 if (tmp_length > pkt->frag_length) {
117 return NT_STATUS_INTERNAL_ERROR;
119 if (pkt_trailer->length > UINT16_MAX) {
120 return NT_STATUS_INTERNAL_ERROR;
123 auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
124 if (pkt_trailer->length < auth_length) {
125 return NT_STATUS_RPC_PROTOCOL_ERROR;
128 data_and_pad = pkt_trailer->length - auth_length;
130 ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
132 return NT_STATUS_NO_MEMORY;
135 if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
136 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
139 ndr_err = ndr_pull_advance(ndr, data_and_pad);
140 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
142 return ndr_map_error2ntstatus(ndr_err);
145 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
146 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
149 return ndr_map_error2ntstatus(ndr_err);
152 if (data_and_pad < auth->auth_pad_length) {
153 DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
154 "Calculated %u got %u\n",
155 (unsigned)data_and_pad,
156 (unsigned)auth->auth_pad_length));
159 return NT_STATUS_RPC_PROTOCOL_ERROR;
162 if (auth_data_only && data_and_pad != auth->auth_pad_length) {
163 DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
164 "Calculated %u got %u\n",
165 (unsigned)data_and_pad,
166 (unsigned)auth->auth_pad_length));
169 return NT_STATUS_RPC_PROTOCOL_ERROR;
172 DEBUG(6,(__location__ ": auth_pad_length %u\n",
173 (unsigned)auth->auth_pad_length));
175 talloc_steal(mem_ctx, auth->credentials.data);
178 if (_auth_length != NULL) {
179 *_auth_length = auth_length;
186 * @brief Verify the fields in ncacn_packet header.
188 * @param pkt - The ncacn_packet strcuture
189 * @param ptype - The expected PDU type
190 * @param max_auth_info - The maximum size of a possible auth trailer
191 * @param required_flags - The required flags for the pdu.
192 * @param optional_flags - The possible optional flags for the pdu.
194 * @return - A NTSTATUS error code.
196 NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
197 enum dcerpc_pkt_type ptype,
198 size_t max_auth_info,
199 uint8_t required_flags,
200 uint8_t optional_flags)
202 if (pkt->rpc_vers != 5) {
203 return NT_STATUS_RPC_PROTOCOL_ERROR;
206 if (pkt->rpc_vers_minor != 0) {
207 return NT_STATUS_RPC_PROTOCOL_ERROR;
210 if (pkt->auth_length > pkt->frag_length) {
211 return NT_STATUS_RPC_PROTOCOL_ERROR;
214 if (pkt->ptype != ptype) {
215 return NT_STATUS_RPC_PROTOCOL_ERROR;
218 if (max_auth_info > UINT16_MAX) {
219 return NT_STATUS_INTERNAL_ERROR;
222 if (pkt->auth_length > 0) {
223 size_t max_auth_length;
225 if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
226 return NT_STATUS_RPC_PROTOCOL_ERROR;
228 max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
230 if (pkt->auth_length > max_auth_length) {
231 return NT_STATUS_RPC_PROTOCOL_ERROR;
235 if ((pkt->pfc_flags & required_flags) != required_flags) {
236 return NT_STATUS_RPC_PROTOCOL_ERROR;
238 if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
239 return NT_STATUS_RPC_PROTOCOL_ERROR;
242 if (pkt->drep[0] & ~DCERPC_DREP_LE) {
243 return NT_STATUS_RPC_PROTOCOL_ERROR;
245 if (pkt->drep[1] != 0) {
246 return NT_STATUS_RPC_PROTOCOL_ERROR;
248 if (pkt->drep[2] != 0) {
249 return NT_STATUS_RPC_PROTOCOL_ERROR;
251 if (pkt->drep[3] != 0) {
252 return NT_STATUS_RPC_PROTOCOL_ERROR;
258 struct dcerpc_read_ncacn_packet_state {
264 struct ncacn_packet *pkt;
267 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
270 struct iovec **_vector,
272 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq);
274 struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
275 struct tevent_context *ev,
276 struct tstream_context *stream)
278 struct tevent_req *req;
279 struct dcerpc_read_ncacn_packet_state *state;
280 struct tevent_req *subreq;
282 req = tevent_req_create(mem_ctx, &state,
283 struct dcerpc_read_ncacn_packet_state);
288 state->buffer = data_blob_const(NULL, 0);
289 state->pkt = talloc(state, struct ncacn_packet);
290 if (tevent_req_nomem(state->pkt, req)) {
294 subreq = tstream_readv_pdu_send(state, ev,
296 dcerpc_read_ncacn_packet_next_vector,
298 if (tevent_req_nomem(subreq, req)) {
301 tevent_req_set_callback(subreq, dcerpc_read_ncacn_packet_done, req);
305 tevent_req_post(req, ev);
309 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
312 struct iovec **_vector,
315 struct dcerpc_read_ncacn_packet_state *state =
316 talloc_get_type_abort(private_data,
317 struct dcerpc_read_ncacn_packet_state);
318 struct iovec *vector;
321 if (state->buffer.length == 0) {
323 * first get enough to read the fragment length
325 * We read the full fixed ncacn_packet header
326 * in order to make wireshark happy with
327 * pcap files from socket_wrapper.
330 state->buffer.length = DCERPC_NCACN_PAYLOAD_OFFSET;
331 state->buffer.data = talloc_array(state, uint8_t,
332 state->buffer.length);
333 if (!state->buffer.data) {
336 } else if (state->buffer.length == DCERPC_NCACN_PAYLOAD_OFFSET) {
337 /* now read the fragment length and allocate the full buffer */
338 size_t frag_len = dcerpc_get_frag_length(&state->buffer);
340 ofs = state->buffer.length;
342 if (frag_len < ofs) {
344 * something is wrong, let the caller deal with it
351 state->buffer.data = talloc_realloc(state,
354 if (!state->buffer.data) {
357 state->buffer.length = frag_len;
359 /* if we reach this we have a full fragment */
365 /* now create the vector that we want to be filled */
366 vector = talloc_array(mem_ctx, struct iovec, 1);
371 vector[0].iov_base = (void *) (state->buffer.data + ofs);
372 vector[0].iov_len = state->buffer.length - ofs;
379 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
381 struct tevent_req *req = tevent_req_callback_data(subreq,
383 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
384 struct dcerpc_read_ncacn_packet_state);
387 struct ndr_pull *ndr;
388 enum ndr_err_code ndr_err;
391 ret = tstream_readv_pdu_recv(subreq, &sys_errno);
394 status = map_nt_error_from_unix_common(sys_errno);
395 tevent_req_nterror(req, status);
399 ndr = ndr_pull_init_blob(&state->buffer, state->pkt);
400 if (tevent_req_nomem(ndr, req)) {
404 if (!(CVAL(ndr->data, DCERPC_DREP_OFFSET) & DCERPC_DREP_LE)) {
405 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
408 if (CVAL(ndr->data, DCERPC_PFC_OFFSET) & DCERPC_PFC_FLAG_OBJECT_UUID) {
409 ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
412 ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, state->pkt);
414 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
415 status = ndr_map_error2ntstatus(ndr_err);
416 tevent_req_nterror(req, status);
420 if (state->pkt->frag_length != state->buffer.length) {
421 tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
425 tevent_req_done(req);
428 NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
430 struct ncacn_packet **pkt,
433 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
434 struct dcerpc_read_ncacn_packet_state);
437 if (tevent_req_is_nterror(req, &status)) {
438 tevent_req_received(req);
442 *pkt = talloc_move(mem_ctx, &state->pkt);
444 buffer->data = talloc_move(mem_ctx, &state->buffer.data);
445 buffer->length = state->buffer.length;
448 tevent_req_received(req);
452 const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
453 enum dcerpc_transport_t transport,
454 const struct ndr_interface_table *table)
457 const char *p = NULL;
458 const char *endpoint = NULL;
460 struct dcerpc_binding *default_binding = NULL;
461 TALLOC_CTX *frame = talloc_stackframe();
463 /* Find one of the default pipes for this interface */
465 for (i = 0; i < table->endpoints->count; i++) {
466 enum dcerpc_transport_t dtransport;
467 const char *dendpoint;
469 status = dcerpc_parse_binding(frame, table->endpoints->names[i],
471 if (!NT_STATUS_IS_OK(status)) {
475 dtransport = dcerpc_binding_get_transport(default_binding);
476 dendpoint = dcerpc_binding_get_string_option(default_binding,
478 if (dendpoint == NULL) {
479 TALLOC_FREE(default_binding);
483 if (transport == NCA_UNKNOWN) {
484 transport = dtransport;
487 if (transport != dtransport) {
488 TALLOC_FREE(default_binding);
501 * extract the pipe name without \\pipe from for example
502 * ncacn_np:[\\pipe\\epmapper]
504 if (transport == NCACN_NP) {
505 if (strncasecmp(p, "\\pipe\\", 6) == 0) {
508 if (strncmp(p, "\\", 1) == 0) {
513 endpoint = talloc_strdup(mem_ctx, p);
520 struct dcerpc_sec_vt_header2 dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet *pkt)
522 struct dcerpc_sec_vt_header2 ret;
525 ret.ptype = pkt->ptype;
526 memcpy(&ret.drep, pkt->drep, sizeof(ret.drep));
527 ret.call_id = pkt->call_id;
529 switch (pkt->ptype) {
530 case DCERPC_PKT_REQUEST:
531 ret.context_id = pkt->u.request.context_id;
532 ret.opnum = pkt->u.request.opnum;
535 case DCERPC_PKT_RESPONSE:
536 ret.context_id = pkt->u.response.context_id;
539 case DCERPC_PKT_FAULT:
540 ret.context_id = pkt->u.fault.context_id;
550 bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2 *v1,
551 const struct dcerpc_sec_vt_header2 *v2)
553 if (v1->ptype != v2->ptype) {
557 if (memcmp(v1->drep, v2->drep, sizeof(v1->drep)) != 0) {
561 if (v1->call_id != v2->call_id) {
565 if (v1->context_id != v2->context_id) {
569 if (v1->opnum != v2->opnum) {
576 static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer *r)
579 TALLOC_CTX *frame = talloc_stackframe();
580 struct bitmap *commands_seen;
583 if (r->count.count == 0) {
588 if (memcmp(r->magic, DCERPC_SEC_VT_MAGIC, sizeof(r->magic)) != 0) {
592 commands_seen = bitmap_talloc(frame, DCERPC_SEC_VT_COMMAND_ENUM + 1);
593 if (commands_seen == NULL) {
597 for (i=0; i < r->count.count; i++) {
598 enum dcerpc_sec_vt_command_enum cmd =
599 r->commands[i].command & DCERPC_SEC_VT_COMMAND_ENUM;
601 if (bitmap_query(commands_seen, cmd)) {
602 /* Each command must appear at most once. */
605 bitmap_set(commands_seen, cmd);
608 case DCERPC_SEC_VT_COMMAND_BITMASK1:
609 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
610 case DCERPC_SEC_VT_COMMAND_HEADER2:
613 if ((r->commands[i].u._unknown.length % 4) != 0) {
625 static bool dcerpc_sec_vt_bitmask_check(const uint32_t *bitmask1,
626 struct dcerpc_sec_vt *c)
628 if (bitmask1 == NULL) {
629 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
630 DEBUG(10, ("SEC_VT check Bitmask1 must_process_command "
638 if ((c->u.bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING)
639 && (!(*bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING))) {
640 DEBUG(10, ("SEC_VT check Bitmask1 client_header_signing "
647 static bool dcerpc_sec_vt_pctx_check(const struct dcerpc_sec_vt_pcontext *pcontext,
648 struct dcerpc_sec_vt *c)
653 if (pcontext == NULL) {
654 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
655 DEBUG(10, ("SEC_VT check Pcontext must_process_command "
663 mem_ctx = talloc_stackframe();
664 ok = ndr_syntax_id_equal(&pcontext->abstract_syntax,
665 &c->u.pcontext.abstract_syntax);
667 DEBUG(10, ("SEC_VT check pcontext abstract_syntax failed: "
669 ndr_syntax_id_to_string(mem_ctx,
670 &pcontext->abstract_syntax),
671 ndr_syntax_id_to_string(mem_ctx,
672 &c->u.pcontext.abstract_syntax)));
675 ok = ndr_syntax_id_equal(&pcontext->transfer_syntax,
676 &c->u.pcontext.transfer_syntax);
678 DEBUG(10, ("SEC_VT check pcontext transfer_syntax failed: "
680 ndr_syntax_id_to_string(mem_ctx,
681 &pcontext->transfer_syntax),
682 ndr_syntax_id_to_string(mem_ctx,
683 &c->u.pcontext.transfer_syntax)));
689 talloc_free(mem_ctx);
693 static bool dcerpc_sec_vt_hdr2_check(const struct dcerpc_sec_vt_header2 *header2,
694 struct dcerpc_sec_vt *c)
696 if (header2 == NULL) {
697 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
698 DEBUG(10, ("SEC_VT check Header2 must_process_command failed\n"));
705 if (!dcerpc_sec_vt_header2_equal(header2, &c->u.header2)) {
706 DEBUG(10, ("SEC_VT check Header2 failed\n"));
713 bool dcerpc_sec_verification_trailer_check(
714 const struct dcerpc_sec_verification_trailer *vt,
715 const uint32_t *bitmask1,
716 const struct dcerpc_sec_vt_pcontext *pcontext,
717 const struct dcerpc_sec_vt_header2 *header2)
721 if (!dcerpc_sec_vt_is_valid(vt)) {
725 for (i=0; i < vt->count.count; i++) {
727 struct dcerpc_sec_vt *c = &vt->commands[i];
729 switch (c->command & DCERPC_SEC_VT_COMMAND_ENUM) {
730 case DCERPC_SEC_VT_COMMAND_BITMASK1:
731 ok = dcerpc_sec_vt_bitmask_check(bitmask1, c);
737 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
738 ok = dcerpc_sec_vt_pctx_check(pcontext, c);
744 case DCERPC_SEC_VT_COMMAND_HEADER2: {
745 ok = dcerpc_sec_vt_hdr2_check(header2, c);
753 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
754 DEBUG(10, ("SEC_VT check Unknown must_process_command failed\n"));
765 static const struct ndr_syntax_id dcerpc_bind_time_features_prefix = {
767 .time_low = 0x6cb71c2c,
769 .time_hi_and_version = 0x4540,
770 .clock_seq = {0x00, 0x00},
771 .node = {0x00,0x00,0x00,0x00,0x00,0x00}
776 bool dcerpc_extract_bind_time_features(struct ndr_syntax_id s, uint64_t *_features)
779 uint64_t features = 0;
781 values[0] = s.uuid.clock_seq[0];
782 values[1] = s.uuid.clock_seq[1];
783 values[2] = s.uuid.node[0];
784 values[3] = s.uuid.node[1];
785 values[4] = s.uuid.node[2];
786 values[5] = s.uuid.node[3];
787 values[6] = s.uuid.node[4];
788 values[7] = s.uuid.node[5];
790 ZERO_STRUCT(s.uuid.clock_seq);
791 ZERO_STRUCT(s.uuid.node);
793 if (!ndr_syntax_id_equal(&s, &dcerpc_bind_time_features_prefix)) {
794 if (_features != NULL) {
800 features = BVAL(values, 0);
802 if (_features != NULL) {
803 *_features = features;
809 struct ndr_syntax_id dcerpc_construct_bind_time_features(uint64_t features)
811 struct ndr_syntax_id s = dcerpc_bind_time_features_prefix;
814 SBVAL(values, 0, features);
816 s.uuid.clock_seq[0] = values[0];
817 s.uuid.clock_seq[1] = values[1];
818 s.uuid.node[0] = values[2];
819 s.uuid.node[1] = values[3];
820 s.uuid.node[2] = values[4];
821 s.uuid.node[3] = values[5];
822 s.uuid.node[4] = values[6];
823 s.uuid.node[5] = values[7];