search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-libnet: avoid using lp_dns_hostname() in join code
[samba.git] / librpc / rpc / dcerpc_util.c
blobe01391e6dcd78f6e7e15cf93442415f745e689a6
1 /*
2 Unix SMB/CIFS implementation.
3 raw dcerpc operations
4
5 Copyright (C) Andrew Tridgell 2003-2005
6 Copyright (C) Jelmer Vernooij 2004-2005
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/network.h"
24 #include <tevent.h>
25 #include "lib/tsocket/tsocket.h"
26 #include "lib/util/util_file.h"
27 #include "lib/util/tevent_ntstatus.h"
28 #include "librpc/rpc/dcerpc.h"
29 #include "librpc/rpc/dcerpc_util.h"
30 #include "librpc/gen_ndr/ndr_dcerpc.h"
31 #include "rpc_common.h"
32 #include "lib/util/bitmap.h"
33
34 #undef strncasecmp
35
36 /* we need to be able to get/set the fragment length without doing a full
37 decode */
38 void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v)
39 {
40 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
41
42 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
43 SSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
44 } else {
45 RSSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET, v);
46 }
47 }
48
49 uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob)
50 {
51 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
52
53 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
54 return SVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
55 } else {
56 return RSVAL(blob->data, DCERPC_FRAG_LEN_OFFSET);
57 }
58 }
59
60 void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v)
61 {
62 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
63
64 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
65 SSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
66 } else {
67 RSSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET, v);
68 }
69 }
70
71 uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob)
72 {
73 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
74
75 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
76 return SVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
77 } else {
78 return RSVAL(blob->data, DCERPC_AUTH_LEN_OFFSET);
79 }
80 }
81
82 uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
83 {
84 SMB_ASSERT(blob->length >= DCERPC_NCACN_PAYLOAD_OFFSET);
85
86 return blob->data[DCERPC_DREP_OFFSET];
87 }
88
89 static uint16_t dcerpc_get_auth_context_offset(const DATA_BLOB *blob)
90 {
91 uint16_t frag_len = dcerpc_get_frag_length(blob);
92 uint16_t auth_len = dcerpc_get_auth_length(blob);
93 uint16_t min_offset;
94 uint16_t offset;
95
96 if (auth_len == 0) {
97 return 0;
98 }
99
100 if (frag_len > blob->length) {
101 return 0;
102 }
103
104 if (auth_len > frag_len) {
105 return 0;
106 }
107
108 min_offset = DCERPC_NCACN_PAYLOAD_OFFSET + DCERPC_AUTH_TRAILER_LENGTH;
109 offset = frag_len - auth_len;
110 if (offset < min_offset) {
111 return 0;
112 }
113 offset -= DCERPC_AUTH_TRAILER_LENGTH;
114
115 return offset;
116 }
117
118 uint8_t dcerpc_get_auth_type(const DATA_BLOB *blob)
119 {
120 uint16_t offset;
121
122 offset = dcerpc_get_auth_context_offset(blob);
123 if (offset == 0) {
124 return 0;
125 }
126
127 /*
128 * auth_typw is in the 1st byte
129 * of the auth trailer
130 */
131 offset += 0;
132
133 return blob->data[offset];
134 }
135
136 uint8_t dcerpc_get_auth_level(const DATA_BLOB *blob)
137 {
138 uint16_t offset;
139
140 offset = dcerpc_get_auth_context_offset(blob);
141 if (offset == 0) {
142 return 0;
143 }
144
145 /*
146 * auth_level is in 2nd byte
147 * of the auth trailer
148 */
149 offset += 1;
150
151 return blob->data[offset];
152 }
153
154 uint32_t dcerpc_get_auth_context_id(const DATA_BLOB *blob)
155 {
156 uint16_t offset;
157
158 offset = dcerpc_get_auth_context_offset(blob);
159 if (offset == 0) {
160 return 0;
161 }
162
163 /*
164 * auth_context_id is in the last 4 byte
165 * of the auth trailer
166 */
167 offset += 4;
168
169 if (CVAL(blob->data,DCERPC_DREP_OFFSET) & DCERPC_DREP_LE) {
170 return IVAL(blob->data, offset);
171 } else {
172 return RIVAL(blob->data, offset);
173 }
174 }
175
176 /**
177 * @brief Decodes a ncacn_packet
178 *
179 * @param mem_ctx The memory context on which to allocate the packet
180 * elements
181 * @param blob The blob of data to decode
182 * @param r An empty ncacn_packet, must not be NULL
183 *
184 * @return a NTSTATUS error code
185 */
186 NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
187 const DATA_BLOB *blob,
188 struct ncacn_packet *r)
189 {
190 enum ndr_err_code ndr_err;
191 struct ndr_pull *ndr;
192
193 ndr = ndr_pull_init_blob(blob, mem_ctx);
194 if (!ndr) {
195 return NT_STATUS_NO_MEMORY;
196 }
197
198 ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r);
199
200 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
201 talloc_free(ndr);
202 return ndr_map_error2ntstatus(ndr_err);
203 }
204 talloc_free(ndr);
205
206 if (r->frag_length != blob->length) {
207 return NT_STATUS_RPC_PROTOCOL_ERROR;
208 }
209
210 return NT_STATUS_OK;
211 }
212
213 /**
214 * @brief Pull a dcerpc_auth structure, taking account of any auth
215 * padding in the blob. For request/response packets we pass
216 * the whole data blob, so auth_data_only must be set to false
217 * as the blob contains data+pad+auth and no just pad+auth.
218 *
219 * @param pkt - The ncacn_packet structure
220 * @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements
221 * @param pkt_trailer - The packet trailer data, usually the trailing
222 * auth_info blob, but in the request/response case
223 * this is the stub_and_verifier blob.
224 * @param auth - A preallocated dcerpc_auth *empty* structure
225 * @param auth_length - The length of the auth trail, sum of auth header
226 * length and pkt->auth_length
227 * @param auth_data_only - Whether the pkt_trailer includes only the auth_blob
228 * (+ padding) or also other data.
229 *
230 * @return - A NTSTATUS error code.
231 */
232 NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
233 TALLOC_CTX *mem_ctx,
234 const DATA_BLOB *pkt_trailer,
235 struct dcerpc_auth *auth,
236 uint32_t *_auth_length,
237 bool auth_data_only)
238 {
239 struct ndr_pull *ndr;
240 enum ndr_err_code ndr_err;
241 uint16_t data_and_pad;
242 uint16_t auth_length;
243 uint16_t auth_offset;
244 uint32_t tmp_length;
245 uint32_t max_pad_len = 0;
246 DATA_BLOB auth_blob;
247
248 ZERO_STRUCTP(auth);
249 if (_auth_length != NULL) {
250 *_auth_length = 0;
251
252 if (auth_data_only) {
253 return NT_STATUS_INTERNAL_ERROR;
254 }
255 } else {
256 if (!auth_data_only) {
257 return NT_STATUS_INTERNAL_ERROR;
258 }
259 }
260
261 /* Paranoia checks for auth_length. The caller should check this... */
262 if (pkt->auth_length == 0) {
263 return NT_STATUS_INTERNAL_ERROR;
264 }
265
266 /* Paranoia checks for auth_length. The caller should check this... */
267 if (pkt->auth_length > pkt->frag_length) {
268 return NT_STATUS_INTERNAL_ERROR;
269 }
270 tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
271 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
272 tmp_length += pkt->auth_length;
273 if (tmp_length > pkt->frag_length) {
274 return NT_STATUS_INTERNAL_ERROR;
275 }
276 if (pkt_trailer->length > UINT16_MAX) {
277 return NT_STATUS_INTERNAL_ERROR;
278 }
279
280 auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
281 if (pkt_trailer->length < auth_length) {
282 return NT_STATUS_INTERNAL_ERROR;
283 }
284
285 data_and_pad = pkt_trailer->length - auth_length;
286 auth_offset = pkt->frag_length - auth_length;
287 if ((auth_offset % 4) != 0) {
288 DBG_WARNING("auth_offset[%u] not 4 byte aligned\n",
289 (unsigned)auth_offset);
290 auth->auth_context_id = DCERPC_BIND_NAK_REASON_NOT_SPECIFIED;
291 return NT_STATUS_RPC_PROTOCOL_ERROR;
292 }
293
294 auth_blob = data_blob_const(pkt_trailer->data + data_and_pad,
295 auth_length);
296 ndr = ndr_pull_init_blob(&auth_blob, mem_ctx);
297 if (!ndr) {
298 return NT_STATUS_NO_MEMORY;
299 }
300
301 if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
302 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
303 }
304
305 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
306 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
307 talloc_free(ndr);
308 ZERO_STRUCTP(auth);
309 return ndr_map_error2ntstatus(ndr_err);
310 }
311
312 /*
313 * Make sure the padding would not exceed
314 * the frag_length.
315 *
316 * Here we assume at least 24 bytes for the
317 * payload specific header the value of
318 * DCERPC_{REQUEST,RESPONSE}_LENGTH.
319 *
320 * We use this also for BIND_*, ALTER_* and AUTH3 pdus.
321 *
322 * We need this check before we ignore possible
323 * invalid values. See also bug #11982.
324 *
325 * This check is mainly used to generate the correct
326 * error for BIND_*, ALTER_* and AUTH3 pdus.
327 *
328 * We always have the 'if (data_and_pad < auth->auth_pad_length)'
329 * protection for REQUEST and RESPONSE pdus, where the
330 * auth_pad_length field is actually used by the caller.
331 */
332 switch (pkt->ptype) {
333 case DCERPC_PKT_BIND:
334 case DCERPC_PKT_ALTER:
335 case DCERPC_PKT_AUTH3:
336 max_pad_len = 0;
337 break;
338 default:
339 tmp_length = DCERPC_REQUEST_LENGTH;
340 tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
341 tmp_length += pkt->auth_length;
342 if (tmp_length < pkt->frag_length) {
343 max_pad_len = pkt->frag_length - tmp_length;
344 }
345 break;
346 }
347 if (max_pad_len < auth->auth_pad_length) {
348 DEBUG(1, (__location__ ": ERROR: pad length too large. "
349 "max %"PRIu32" got %"PRIu8"\n",
350 max_pad_len,
351 auth->auth_pad_length));
352 talloc_free(ndr);
353 ZERO_STRUCTP(auth);
354 auth->auth_context_id = DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED;
355 return NT_STATUS_RPC_PROTOCOL_ERROR;
356 }
357
358 /*
359 * This is a workaround for a bug in old
360 * Samba releases. For BIND_ACK <= 3.5.x
361 * and for ALTER_RESP <= 4.2.x (see bug #11061)
362 *
363 * See also bug #11982.
364 */
365 if (auth_data_only) {
366 /*
367 * We need to ignore auth_pad_length
368 * values for BIND_*, ALTER_* and AUTH3 pdus.
369 */
370 auth->auth_pad_length = 0;
371 }
372
373 if (data_and_pad < auth->auth_pad_length) {
374 DBG_WARNING(__location__ ": ERROR: pad length too long. "
375 "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
376 "was less than auth_pad_length=%"PRIu8"\n",
377 data_and_pad,
378 pkt_trailer->length,
379 auth_length,
380 auth->auth_pad_length);
381 talloc_free(ndr);
382 ZERO_STRUCTP(auth);
383 auth->auth_context_id = DCERPC_BIND_NAK_REASON_NOT_SPECIFIED;
384 return NT_STATUS_RPC_PROTOCOL_ERROR;
385 }
386
387 DBG_DEBUG("auth_pad_length %"PRIu8"\n",
388 auth->auth_pad_length);
389
390 talloc_steal(mem_ctx, auth->credentials.data);
391 talloc_free(ndr);
392
393 if (_auth_length != NULL) {
394 *_auth_length = auth_length;
395 }
396
397 return NT_STATUS_OK;
398 }
399
400 /**
401 * @brief Verify the fields in ncacn_packet header.
402 *
403 * @param pkt - The ncacn_packet structure
404 * @param ptype - The expected PDU type
405 * @param max_auth_info - The maximum size of a possible auth trailer
406 * @param required_flags - The required flags for the pdu.
407 * @param optional_flags - The possible optional flags for the pdu.
408 *
409 * @return - A NTSTATUS error code.
410 */
411 NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
412 enum dcerpc_pkt_type ptype,
413 size_t max_auth_info,
414 uint8_t required_flags,
415 uint8_t optional_flags)
416 {
417 if (pkt->rpc_vers != 5) {
418 return NT_STATUS_RPC_PROTOCOL_ERROR;
419 }
420
421 if (pkt->rpc_vers_minor != 0) {
422 return NT_STATUS_RPC_PROTOCOL_ERROR;
423 }
424
425 if (pkt->auth_length > pkt->frag_length) {
426 return NT_STATUS_RPC_PROTOCOL_ERROR;
427 }
428
429 if (pkt->ptype != ptype) {
430 return NT_STATUS_RPC_PROTOCOL_ERROR;
431 }
432
433 if (max_auth_info > UINT16_MAX) {
434 return NT_STATUS_INTERNAL_ERROR;
435 }
436
437 if (pkt->auth_length > 0) {
438 size_t max_auth_length;
439
440 if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
441 return NT_STATUS_RPC_PROTOCOL_ERROR;
442 }
443 max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
444
445 if (pkt->auth_length > max_auth_length) {
446 return NT_STATUS_RPC_PROTOCOL_ERROR;
447 }
448 }
449
450 if ((pkt->pfc_flags & required_flags) != required_flags) {
451 return NT_STATUS_RPC_PROTOCOL_ERROR;
452 }
453 if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
454 return NT_STATUS_RPC_PROTOCOL_ERROR;
455 }
456
457 if (pkt->drep[0] & ~DCERPC_DREP_LE) {
458 return NT_STATUS_RPC_PROTOCOL_ERROR;
459 }
460 if (pkt->drep[1] != 0) {
461 return NT_STATUS_RPC_PROTOCOL_ERROR;
462 }
463 if (pkt->drep[2] != 0) {
464 return NT_STATUS_RPC_PROTOCOL_ERROR;
465 }
466 if (pkt->drep[3] != 0) {
467 return NT_STATUS_RPC_PROTOCOL_ERROR;
468 }
469
470 return NT_STATUS_OK;
471 }
472
473 struct dcerpc_read_ncacn_packet_state {
474 #if 0
475 struct {
476 } caller;
477 #endif
478 DATA_BLOB buffer;
479 struct ncacn_packet *pkt;
480 };
481
482 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
483 void *private_data,
484 TALLOC_CTX *mem_ctx,
485 struct iovec **_vector,
486 size_t *_count);
487 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq);
488
489 struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
490 struct tevent_context *ev,
491 struct tstream_context *stream)
492 {
493 struct tevent_req *req;
494 struct dcerpc_read_ncacn_packet_state *state;
495 struct tevent_req *subreq;
496
497 req = tevent_req_create(mem_ctx, &state,
498 struct dcerpc_read_ncacn_packet_state);
499 if (req == NULL) {
500 return NULL;
501 }
502
503 state->pkt = talloc_zero(state, struct ncacn_packet);
504 if (tevent_req_nomem(state->pkt, req)) {
505 goto post;
506 }
507
508 subreq = tstream_readv_pdu_send(state, ev,
509 stream,
510 dcerpc_read_ncacn_packet_next_vector,
511 state);
512 if (tevent_req_nomem(subreq, req)) {
513 goto post;
514 }
515 tevent_req_set_callback(subreq, dcerpc_read_ncacn_packet_done, req);
516
517 return req;
518 post:
519 tevent_req_post(req, ev);
520 return req;
521 }
522
523 static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
524 void *private_data,
525 TALLOC_CTX *mem_ctx,
526 struct iovec **_vector,
527 size_t *_count)
528 {
529 struct dcerpc_read_ncacn_packet_state *state =
530 talloc_get_type_abort(private_data,
531 struct dcerpc_read_ncacn_packet_state);
532 struct iovec *vector;
533 off_t ofs = 0;
534
535 if (state->buffer.length == 0) {
536 /*
537 * first get enough to read the fragment length
538 *
539 * We read the full fixed ncacn_packet header
540 * in order to make wireshark happy with
541 * pcap files from socket_wrapper.
542 */
543 ofs = 0;
544 state->buffer.length = DCERPC_NCACN_PAYLOAD_OFFSET;
545 state->buffer.data = talloc_array(state, uint8_t,
546 state->buffer.length);
547 if (!state->buffer.data) {
548 return -1;
549 }
550 } else if (state->buffer.length == DCERPC_NCACN_PAYLOAD_OFFSET) {
551 /* now read the fragment length and allocate the full buffer */
552 size_t frag_len = dcerpc_get_frag_length(&state->buffer);
553
554 ofs = state->buffer.length;
555
556 if (frag_len <= ofs) {
557 /*
558 * With frag_len == ofs, we are done, this is likely
559 * a DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
560 * without any payload.
561 *
562 * Otherwise it's a broken packet and we
563 * let the caller deal with it.
564 */
565 *_vector = NULL;
566 *_count = 0;
567 return 0;
568 }
569
570 state->buffer.data = talloc_realloc(state,
571 state->buffer.data,
572 uint8_t, frag_len);
573 if (!state->buffer.data) {
574 return -1;
575 }
576 state->buffer.length = frag_len;
577 } else {
578 /* if we reach this we have a full fragment */
579 *_vector = NULL;
580 *_count = 0;
581 return 0;
582 }
583
584 /* now create the vector that we want to be filled */
585 vector = talloc_array(mem_ctx, struct iovec, 1);
586 if (!vector) {
587 return -1;
588 }
589
590 vector[0].iov_base = (void *) (state->buffer.data + ofs);
591 vector[0].iov_len = state->buffer.length - ofs;
592
593 *_vector = vector;
594 *_count = 1;
595 return 0;
596 }
597
598 static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
599 {
600 struct tevent_req *req = tevent_req_callback_data(subreq,
601 struct tevent_req);
602 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
603 struct dcerpc_read_ncacn_packet_state);
604 int ret;
605 int sys_errno;
606 NTSTATUS status;
607
608 ret = tstream_readv_pdu_recv(subreq, &sys_errno);
609 TALLOC_FREE(subreq);
610 if (ret == -1) {
611 status = map_nt_error_from_unix_common(sys_errno);
612 tevent_req_nterror(req, status);
613 return;
614 }
615
616 status = dcerpc_pull_ncacn_packet(state->pkt,
617 &state->buffer,
618 state->pkt);
619 if (tevent_req_nterror(req, status)) {
620 return;
621 }
622
623 tevent_req_done(req);
624 }
625
626 NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
627 TALLOC_CTX *mem_ctx,
628 struct ncacn_packet **pkt,
629 DATA_BLOB *buffer)
630 {
631 struct dcerpc_read_ncacn_packet_state *state = tevent_req_data(req,
632 struct dcerpc_read_ncacn_packet_state);
633 NTSTATUS status;
634
635 if (tevent_req_is_nterror(req, &status)) {
636 tevent_req_received(req);
637 return status;
638 }
639
640 *pkt = talloc_move(mem_ctx, &state->pkt);
641 if (buffer) {
642 buffer->data = talloc_move(mem_ctx, &state->buffer.data);
643 buffer->length = state->buffer.length;
644 }
645
646 tevent_req_received(req);
647 return NT_STATUS_OK;
648 }
649
650 char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
651 enum dcerpc_transport_t transport,
652 const struct ndr_interface_table *table)
653 {
654 NTSTATUS status;
655 const char *p = NULL;
656 char *endpoint = NULL;
657 uint32_t i;
658 struct dcerpc_binding *default_binding = NULL;
659 TALLOC_CTX *frame = talloc_stackframe();
660
661 /* Find one of the default pipes for this interface */
662
663 for (i = 0; i < table->endpoints->count; i++) {
664 enum dcerpc_transport_t dtransport;
665 const char *dendpoint;
666
667 status = dcerpc_parse_binding(frame, table->endpoints->names[i],
668 &default_binding);
669 if (!NT_STATUS_IS_OK(status)) {
670 continue;
671 }
672
673 dtransport = dcerpc_binding_get_transport(default_binding);
674 dendpoint = dcerpc_binding_get_string_option(default_binding,
675 "endpoint");
676 if (dendpoint == NULL) {
677 TALLOC_FREE(default_binding);
678 continue;
679 }
680
681 if (transport == NCA_UNKNOWN) {
682 transport = dtransport;
683 }
684
685 if (transport != dtransport) {
686 TALLOC_FREE(default_binding);
687 continue;
688 }
689
690 p = dendpoint;
691 break;
692 }
693
694 if (p == NULL) {
695 goto done;
696 }
697
698 /*
699 * extract the pipe name without \\pipe from for example
700 * ncacn_np:[\\pipe\\epmapper]
701 */
702 if (transport == NCACN_NP) {
703 if (strncasecmp(p, "\\pipe\\", 6) == 0) {
704 p += 6;
705 }
706 if (p[0] == '\\') {
707 p += 1;
708 }
709 }
710
711 endpoint = talloc_strdup(mem_ctx, p);
712
713 done:
714 talloc_free(frame);
715 return endpoint;
716 }
717
718 struct dcerpc_sec_vt_header2 dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet *pkt)
719 {
720 struct dcerpc_sec_vt_header2 ret;
721
722 ZERO_STRUCT(ret);
723 ret.ptype = pkt->ptype;
724 memcpy(&ret.drep, pkt->drep, sizeof(ret.drep));
725 ret.call_id = pkt->call_id;
726
727 switch (pkt->ptype) {
728 case DCERPC_PKT_REQUEST:
729 ret.context_id = pkt->u.request.context_id;
730 ret.opnum = pkt->u.request.opnum;
731 break;
732
733 case DCERPC_PKT_RESPONSE:
734 ret.context_id = pkt->u.response.context_id;
735 break;
736
737 case DCERPC_PKT_FAULT:
738 ret.context_id = pkt->u.fault.context_id;
739 break;
740
741 default:
742 break;
743 }
744
745 return ret;
746 }
747
748 bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2 *v1,
749 const struct dcerpc_sec_vt_header2 *v2)
750 {
751 if (v1->ptype != v2->ptype) {
752 return false;
753 }
754
755 if (memcmp(v1->drep, v2->drep, sizeof(v1->drep)) != 0) {
756 return false;
757 }
758
759 if (v1->call_id != v2->call_id) {
760 return false;
761 }
762
763 if (v1->context_id != v2->context_id) {
764 return false;
765 }
766
767 if (v1->opnum != v2->opnum) {
768 return false;
769 }
770
771 return true;
772 }
773
774 static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer *r)
775 {
776 bool ret = false;
777 TALLOC_CTX *frame = talloc_stackframe();
778 struct bitmap *commands_seen;
779 int i;
780
781 if (r->count.count == 0) {
782 ret = true;
783 goto done;
784 }
785
786 if (memcmp(r->magic, DCERPC_SEC_VT_MAGIC, sizeof(r->magic)) != 0) {
787 goto done;
788 }
789
790 commands_seen = bitmap_talloc(frame, DCERPC_SEC_VT_COMMAND_ENUM + 1);
791 if (commands_seen == NULL) {
792 goto done;
793 }
794
795 for (i=0; i < r->count.count; i++) {
796 enum dcerpc_sec_vt_command_enum cmd =
797 r->commands[i].command & DCERPC_SEC_VT_COMMAND_ENUM;
798
799 if (bitmap_query(commands_seen, cmd)) {
800 /* Each command must appear at most once. */
801 goto done;
802 }
803 bitmap_set(commands_seen, cmd);
804
805 switch (cmd) {
806 case DCERPC_SEC_VT_COMMAND_BITMASK1:
807 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
808 case DCERPC_SEC_VT_COMMAND_HEADER2:
809 break;
810 default:
811 if ((r->commands[i].u._unknown.length % 4) != 0) {
812 goto done;
813 }
814 break;
815 }
816 }
817 ret = true;
818 done:
819 TALLOC_FREE(frame);
820 return ret;
821 }
822
823 static bool dcerpc_sec_vt_bitmask_check(const uint32_t *bitmask1,
824 struct dcerpc_sec_vt *c)
825 {
826 if (bitmask1 == NULL) {
827 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
828 DEBUG(10, ("SEC_VT check Bitmask1 must_process_command "
829 "failed\n"));
830 return false;
831 }
832
833 return true;
834 }
835
836 if ((c->u.bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING)
837 && (!(*bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING))) {
838 DEBUG(10, ("SEC_VT check Bitmask1 client_header_signing "
839 "failed\n"));
840 return false;
841 }
842 return true;
843 }
844
845 static bool dcerpc_sec_vt_pctx_check(const struct dcerpc_sec_vt_pcontext *pcontext,
846 struct dcerpc_sec_vt *c)
847 {
848 bool ok;
849
850 if (pcontext == NULL) {
851 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
852 DEBUG(10, ("SEC_VT check Pcontext must_process_command "
853 "failed\n"));
854 return false;
855 }
856
857 return true;
858 }
859
860 ok = ndr_syntax_id_equal(&pcontext->abstract_syntax,
861 &c->u.pcontext.abstract_syntax);
862 if (!ok) {
863 struct ndr_syntax_id_buf buf1, buf2;
864 DEBUG(10, ("SEC_VT check pcontext abstract_syntax failed: "
865 "%s vs. %s\n",
866 ndr_syntax_id_buf_string(
867 &pcontext->abstract_syntax, &buf1),
868 ndr_syntax_id_buf_string(
869 &c->u.pcontext.abstract_syntax, &buf2)));
870 return false;
871 }
872 ok = ndr_syntax_id_equal(&pcontext->transfer_syntax,
873 &c->u.pcontext.transfer_syntax);
874 if (!ok) {
875 struct ndr_syntax_id_buf buf1, buf2;
876 DEBUG(10, ("SEC_VT check pcontext transfer_syntax failed: "
877 "%s vs. %s\n",
878 ndr_syntax_id_buf_string(
879 &pcontext->transfer_syntax, &buf1),
880 ndr_syntax_id_buf_string(
881 &c->u.pcontext.transfer_syntax, &buf2)));
882 return false;
883 }
884
885 return true;
886 }
887
888 static bool dcerpc_sec_vt_hdr2_check(const struct dcerpc_sec_vt_header2 *header2,
889 struct dcerpc_sec_vt *c)
890 {
891 if (header2 == NULL) {
892 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
893 DEBUG(10, ("SEC_VT check Header2 must_process_command failed\n"));
894 return false;
895 }
896
897 return true;
898 }
899
900 if (!dcerpc_sec_vt_header2_equal(header2, &c->u.header2)) {
901 DEBUG(10, ("SEC_VT check Header2 failed\n"));
902 return false;
903 }
904
905 return true;
906 }
907
908 bool dcerpc_sec_verification_trailer_check(
909 const struct dcerpc_sec_verification_trailer *vt,
910 const uint32_t *bitmask1,
911 const struct dcerpc_sec_vt_pcontext *pcontext,
912 const struct dcerpc_sec_vt_header2 *header2)
913 {
914 size_t i;
915
916 if (!dcerpc_sec_vt_is_valid(vt)) {
917 return false;
918 }
919
920 for (i=0; i < vt->count.count; i++) {
921 bool ok;
922 struct dcerpc_sec_vt *c = &vt->commands[i];
923
924 switch (c->command & DCERPC_SEC_VT_COMMAND_ENUM) {
925 case DCERPC_SEC_VT_COMMAND_BITMASK1:
926 ok = dcerpc_sec_vt_bitmask_check(bitmask1, c);
927 if (!ok) {
928 return false;
929 }
930 break;
931
932 case DCERPC_SEC_VT_COMMAND_PCONTEXT:
933 ok = dcerpc_sec_vt_pctx_check(pcontext, c);
934 if (!ok) {
935 return false;
936 }
937 break;
938
939 case DCERPC_SEC_VT_COMMAND_HEADER2: {
940 ok = dcerpc_sec_vt_hdr2_check(header2, c);
941 if (!ok) {
942 return false;
943 }
944 break;
945 }
946
947 default:
948 if (c->command & DCERPC_SEC_VT_MUST_PROCESS) {
949 DEBUG(10, ("SEC_VT check Unknown must_process_command failed\n"));
950 return false;
951 }
952
953 break;
954 }
955 }
956
957 return true;
958 }
959
960 static const struct ndr_syntax_id dcerpc_bind_time_features_prefix = {
961 .uuid = {
962 .time_low = 0x6cb71c2c,
963 .time_mid = 0x9812,
964 .time_hi_and_version = 0x4540,
965 .clock_seq = {0x00, 0x00},
966 .node = {0x00,0x00,0x00,0x00,0x00,0x00}
967 },
968 .if_version = 1,
969 };
970
971 bool dcerpc_extract_bind_time_features(struct ndr_syntax_id s, uint64_t *_features)
972 {
973 uint8_t values[8];
974 uint64_t features = 0;
975
976 values[0] = s.uuid.clock_seq[0];
977 values[1] = s.uuid.clock_seq[1];
978 values[2] = s.uuid.node[0];
979 values[3] = s.uuid.node[1];
980 values[4] = s.uuid.node[2];
981 values[5] = s.uuid.node[3];
982 values[6] = s.uuid.node[4];
983 values[7] = s.uuid.node[5];
984
985 ZERO_STRUCT(s.uuid.clock_seq);
986 ZERO_STRUCT(s.uuid.node);
987
988 if (!ndr_syntax_id_equal(&s, &dcerpc_bind_time_features_prefix)) {
989 if (_features != NULL) {
990 *_features = 0;
991 }
992 return false;
993 }
994
995 features = BVAL(values, 0);
996
997 if (_features != NULL) {
998 *_features = features;
999 }
1000
1001 return true;
1002 }
1003
1004 struct ndr_syntax_id dcerpc_construct_bind_time_features(uint64_t features)
1005 {
1006 struct ndr_syntax_id s = dcerpc_bind_time_features_prefix;
1007 uint8_t values[8];
1008
1009 SBVAL(values, 0, features);
1010
1011 s.uuid.clock_seq[0] = values[0];
1012 s.uuid.clock_seq[1] = values[1];
1013 s.uuid.node[0] = values[2];
1014 s.uuid.node[1] = values[3];
1015 s.uuid.node[2] = values[4];
1016 s.uuid.node[3] = values[5];
1017 s.uuid.node[4] = values[6];
1018 s.uuid.node[5] = values[7];
1019
1020 return s;
1021 }
1022
1023 NTSTATUS dcerpc_generic_session_key(DATA_BLOB *session_key)
1024 {
1025 *session_key = data_blob_null;
1026
1027 /* this took quite a few CPU cycles to find ... */
1028 session_key->data = discard_const_p(unsigned char, "SystemLibraryDTC");
1029 session_key->length = 16;
1030 return NT_STATUS_OK;
1031 }
1032
1033 /*
1034 push a ncacn_packet into a blob, potentially with auth info
1035 */
1036 NTSTATUS dcerpc_ncacn_push_auth(DATA_BLOB *blob,
1037 TALLOC_CTX *mem_ctx,
1038 struct ncacn_packet *pkt,
1039 struct dcerpc_auth *auth_info)
1040 {
1041 struct ndr_push *ndr;
1042 enum ndr_err_code ndr_err;
1043
1044 ndr = ndr_push_init_ctx(mem_ctx);
1045 if (!ndr) {
1046 return NT_STATUS_NO_MEMORY;
1047 }
1048
1049 if (auth_info) {
1050 pkt->auth_length = auth_info->credentials.length;
1051 } else {
1052 pkt->auth_length = 0;
1053 }
1054
1055 ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
1056 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1057 return ndr_map_error2ntstatus(ndr_err);
1058 }
1059
1060 if (auth_info) {
1061 #if 0
1062 /* the s3 rpc server doesn't handle auth padding in
1063 bind requests. Use zero auth padding to keep us
1064 working with old servers */
1065 uint32_t offset = ndr->offset;
1066 ndr_err = ndr_push_align(ndr, 16);
1067 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1068 return ndr_map_error2ntstatus(ndr_err);
1069 }
1070 auth_info->auth_pad_length = ndr->offset - offset;
1071 #else
1072 auth_info->auth_pad_length = 0;
1073 #endif
1074 ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth_info);
1075 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1076 return ndr_map_error2ntstatus(ndr_err);
1077 }
1078 }
1079
1080 *blob = ndr_push_blob(ndr);
1081
1082 /* fill in the frag length */
1083 dcerpc_set_frag_length(blob, blob->length);
1084
1085 return NT_STATUS_OK;
1086 }
1087
1088 /*
1089 log a rpc packet in a format suitable for ndrdump. This is especially useful
1090 for sealed packets, where ethereal cannot easily see the contents
1091
1092 this triggers if "dcesrv:stubs directory" is set and present
1093 for all packets that fail to parse
1094 */
1095 void dcerpc_log_packet(const char *packet_log_dir,
1096 const char *interface_name,
1097 uint32_t opnum, ndr_flags_type flags,
1098 const DATA_BLOB *pkt,
1099 const char *why)
1100 {
1101 const int num_examples = 20;
1102 int i;
1103
1104 if (packet_log_dir == NULL) {
1105 return;
1106 }
1107
1108 for (i=0;i<num_examples;i++) {
1109 char *name=NULL;
1110 int ret;
1111 bool saved;
1112 ret = asprintf(&name, "%s/%s-%"PRIu32".%d.%s.%s",
1113 packet_log_dir, interface_name, opnum, i,
1114 (flags&NDR_IN)?"in":"out",
1115 why);
1116 if (ret == -1) {
1117 return;
1118 }
1119
1120 saved = file_save(name, pkt->data, pkt->length);
1121 if (saved) {
1122 DBG_DEBUG("Logged rpc packet to %s\n", name);
1123 free(name);
1124 break;
1125 }
1126 free(name);
1127 }
1128 }
Samba git mirror