/* push a dom_sid28 - this is a dom_sid in a 28 byte fixed buffer */ enum ndr_err_code ndr_push_dom_sid28(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid) { uint32_t old_offset; uint32_t padding; if (!(ndr_flags & NDR_SCALARS)) { return NDR_ERR_SUCCESS; } if (sid->num_auths > 5) { return ndr_push_error(ndr, NDR_ERR_RANGE, "dom_sid28 allows only upto 5 sub auth [%u]", sid->num_auths); } old_offset = ndr->offset; NDR_CHECK(ndr_push_dom_sid(ndr, ndr_flags, sid)); padding = 28 - (ndr->offset - old_offset); if (padding > 0) { NDR_CHECK(ndr_push_zero(ndr, padding)); } return NDR_ERR_SUCCESS; }
/* push a relative object - stage2 start this is called during buffers processing */ _PUBLIC_ enum ndr_err_code ndr_push_relative_ptr2_start(struct ndr_push *ndr, const void *p) { if (p == NULL) { return NDR_ERR_SUCCESS; } if (!(ndr->flags & LIBNDR_FLAG_RELATIVE_REVERSE)) { uint32_t relative_offset; size_t pad; size_t align = 1; if (ndr->offset < ndr->relative_base_offset) { return ndr_push_error(ndr, NDR_ERR_BUFSIZE, "ndr_push_relative_ptr2_start ndr->offset(%u) < ndr->relative_base_offset(%u)", ndr->offset, ndr->relative_base_offset); } relative_offset = ndr->offset - ndr->relative_base_offset; if (ndr->flags & LIBNDR_FLAG_NOALIGN) { align = 1; } else if (ndr->flags & LIBNDR_FLAG_ALIGN2) { align = 2; } else if (ndr->flags & LIBNDR_FLAG_ALIGN4) { align = 4; } else if (ndr->flags & LIBNDR_FLAG_ALIGN8) { align = 8; } pad = ndr_align_size(relative_offset, align); if (pad) { NDR_CHECK(ndr_push_zero(ndr, pad)); } return ndr_push_relative_ptr2(ndr, p); } if (ndr->relative_end_offset == -1) { return ndr_push_error(ndr, NDR_ERR_RELATIVE, "ndr_push_relative_ptr2_start RELATIVE_REVERSE flag set and relative_end_offset %d", ndr->relative_end_offset); } NDR_CHECK(ndr_token_store(ndr, &ndr->relative_begin_list, p, ndr->offset)); return NDR_ERR_SUCCESS; }
_PUBLIC_ enum ndr_err_code ndr_push_subcontext_start(struct ndr_push *ndr, struct ndr_push **_subndr, size_t header_size, ssize_t size_is) { struct ndr_push *subndr; subndr = ndr_push_init_ctx(ndr, ndr->iconv_convenience); NDR_ERR_HAVE_NO_MEMORY(subndr); subndr->flags = ndr->flags & ~LIBNDR_FLAG_NDR64; if (size_is > 0) { NDR_CHECK(ndr_push_zero(subndr, size_is)); subndr->offset = 0; subndr->relative_end_offset = size_is; } *_subndr = subndr; return NDR_ERR_SUCCESS; }
/* We have manual push/pull because we didn't manage to do the alignment * purely in PIDL as the padding is sized so that the whole access_check_v3 * struct size is a multiple of 16 (as specified in 2.2.2.4 of ms-bkrp.pdf) */ _PUBLIC_ enum ndr_err_code ndr_push_bkrp_access_check_v3(struct ndr_push *ndr, int ndr_flags, const struct bkrp_access_check_v3 *r) { if (ndr_flags & NDR_SCALARS) { size_t ofs; size_t pad; NDR_CHECK(ndr_push_align(ndr, 4)); NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0x00000001)); NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->nonce_len)); NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->nonce, r->nonce_len)); NDR_CHECK(ndr_push_dom_sid(ndr, NDR_SCALARS, &r->sid)); /* We articially increment the offset of 64 bytes (size of hash * comming after the pad) so that ndr_align can determine easily * the correct pad size to make the whole struct 16 bytes aligned */ ofs = ndr->offset + 64; pad = ndr_align_size(ofs, 16); NDR_CHECK(ndr_push_zero(ndr, pad)); NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->hash, 64)); NDR_CHECK(ndr_push_trailer_align(ndr, 4)); } if (ndr_flags & NDR_BUFFERS) { } return NDR_ERR_SUCCESS; }
/* push a dcerpc request packet into a blob, possibly signing it. */ static NTSTATUS ncacn_push_request_sign(struct dcerpc_connection *c, DATA_BLOB *blob, TALLOC_CTX *mem_ctx, size_t sig_size, struct ncacn_packet *pkt) { NTSTATUS status; struct ndr_push *ndr; DATA_BLOB creds2; size_t payload_length; enum ndr_err_code ndr_err; size_t hdr_size = DCERPC_REQUEST_LENGTH; /* non-signed packets are simpler */ if (sig_size == 0) { return ncacn_push_auth(blob, mem_ctx, c->iconv_convenience, pkt, NULL); } switch (c->security_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: case DCERPC_AUTH_LEVEL_INTEGRITY: break; case DCERPC_AUTH_LEVEL_CONNECT: /* TODO: let the gensec mech decide if it wants to generate a signature */ return ncacn_push_auth(blob, mem_ctx, c->iconv_convenience, pkt, NULL); case DCERPC_AUTH_LEVEL_NONE: return ncacn_push_auth(blob, mem_ctx, c->iconv_convenience, pkt, NULL); default: return NT_STATUS_INVALID_LEVEL; } ndr = ndr_push_init_ctx(mem_ctx, c->iconv_convenience); if (!ndr) { return NT_STATUS_NO_MEMORY; } if (c->flags & DCERPC_PUSH_BIGENDIAN) { ndr->flags |= LIBNDR_FLAG_BIGENDIAN; } if (c->flags & DCERPC_NDR64) { ndr->flags |= LIBNDR_FLAG_NDR64; } if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) { ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT; hdr_size += 16; } ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return ndr_map_error2ntstatus(ndr_err); } status = NT_STATUS_OK; /* pad to 16 byte multiple in the payload portion of the packet. This matches what w2k3 does */ c->security_state.auth_info->auth_pad_length = (16 - (pkt->u.request.stub_and_verifier.length & 15)) & 15; ndr_err = ndr_push_zero(ndr, c->security_state.auth_info->auth_pad_length); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return ndr_map_error2ntstatus(ndr_err); } status = NT_STATUS_OK; payload_length = pkt->u.request.stub_and_verifier.length + c->security_state.auth_info->auth_pad_length; /* we start without signature, it will appended later */ c->security_state.auth_info->credentials = data_blob(NULL,0); /* add the auth verifier */ ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, c->security_state.auth_info); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return ndr_map_error2ntstatus(ndr_err); } status = NT_STATUS_OK; /* extract the whole packet as a blob */ *blob = ndr_push_blob(ndr); /* * Setup the frag and auth length in the packet buffer. * This is needed if the GENSEC mech does AEAD signing * of the packet headers. The signature itself will be * appended later. */ dcerpc_set_frag_length(blob, blob->length + sig_size); dcerpc_set_auth_length(blob, sig_size); /* sign or seal the packet */ switch (c->security_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = gensec_seal_packet(c->security_state.generic_state, mem_ctx, blob->data + hdr_size, payload_length, blob->data, blob->length, &creds2); if (!NT_STATUS_IS_OK(status)) { return status; } break; case DCERPC_AUTH_LEVEL_INTEGRITY: status = gensec_sign_packet(c->security_state.generic_state, mem_ctx, blob->data + hdr_size, payload_length, blob->data, blob->length, &creds2); if (!NT_STATUS_IS_OK(status)) { return status; } break; default: status = NT_STATUS_INVALID_LEVEL; break; } if (creds2.length != sig_size) { DEBUG(0,("ncacn_push_request_sign: creds2.length[%u] != sig_size[%u] pad[%u] stub[%u]\n", (unsigned) creds2.length, (unsigned) sig_size, (unsigned) c->security_state.auth_info->auth_pad_length, (unsigned) pkt->u.request.stub_and_verifier.length)); return NT_STATUS_INTERNAL_ERROR; } if (!data_blob_append(mem_ctx, blob, creds2.data, creds2.length)) { return NT_STATUS_NO_MEMORY; } return NT_STATUS_OK; }
/* push a subcontext header */ _PUBLIC_ enum ndr_err_code ndr_push_subcontext_end(struct ndr_push *ndr, struct ndr_push *subndr, size_t header_size, ssize_t size_is) { ssize_t padding_len; if (size_is >= 0) { padding_len = size_is - subndr->offset; if (padding_len < 0) { return ndr_push_error(ndr, NDR_ERR_SUBCONTEXT, "Bad subcontext (PUSH) content_size %d is larger than size_is(%d)", (int)subndr->offset, (int)size_is); } subndr->offset = size_is; } switch (header_size) { case 0: break; case 2: NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, subndr->offset)); break; case 4: NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, subndr->offset)); break; case 0xFFFFFC01: /* * Common Type Header for the Serialization Stream * See [MS-RPCE] 2.2.6 Type Serialization Version 1 */ padding_len = NDR_ROUND(subndr->offset, 8) - subndr->offset; if (padding_len > 0) { NDR_CHECK(ndr_push_zero(subndr, padding_len)); } /* version */ NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, 1)); /* * 0x10 little endian * 0x00 big endian */ NDR_CHECK(ndr_push_uint8(ndr, NDR_SCALARS, NDR_BE(ndr)?0x00:0x10)); /* length of the "Private Header for Constructed Type" */ NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, 8)); /* filler */ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0xCCCCCCCC)); /* * Private Header for Constructed Type */ /* length - will be updated latter */ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, subndr->offset)); /* reserved */ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0)); break; default: return ndr_push_error(ndr, NDR_ERR_SUBCONTEXT, "Bad subcontext header size %d", (int)header_size); } NDR_CHECK(ndr_push_bytes(ndr, subndr->data, subndr->offset)); return NDR_ERR_SUCCESS; }
/* push a signed or sealed dcerpc request packet into a blob */ bool dcesrv_auth_response(struct dcesrv_call_state *call, DATA_BLOB *blob, size_t sig_size, struct ncacn_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; enum ndr_err_code ndr_err; struct ndr_push *ndr; uint32_t payload_length; DATA_BLOB creds2; /* non-signed packets are simple */ if (sig_size == 0) { status = ncacn_push_auth(blob, call, pkt, NULL); return NT_STATUS_IS_OK(status); } switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: case DCERPC_AUTH_LEVEL_INTEGRITY: break; case DCERPC_AUTH_LEVEL_CONNECT: /* * TODO: let the gensec mech decide if it wants to generate a * signature that might be needed for schannel... */ status = ncacn_push_auth(blob, call, pkt, NULL); return NT_STATUS_IS_OK(status); case DCERPC_AUTH_LEVEL_NONE: status = ncacn_push_auth(blob, call, pkt, NULL); return NT_STATUS_IS_OK(status); default: return false; } ndr = ndr_push_init_ctx(call); if (!ndr) { return false; } if (!(pkt->drep[0] & DCERPC_DREP_LE)) { ndr->flags |= LIBNDR_FLAG_BIGENDIAN; } ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return false; } /* pad to 16 byte multiple in the payload portion of the packet. This matches what w2k3 does. Note that we can't use ndr_push_align() as that is relative to the start of the whole packet, whereas w2k8 wants it relative to the start of the stub */ dce_conn->auth_state.auth_info->auth_pad_length = (16 - (pkt->u.response.stub_and_verifier.length & 15)) & 15; ndr_err = ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return false; } payload_length = pkt->u.response.stub_and_verifier.length + dce_conn->auth_state.auth_info->auth_pad_length; /* we start without signature, it will appended later */ dce_conn->auth_state.auth_info->credentials = data_blob(NULL, 0); /* add the auth verifier */ ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return false; } /* extract the whole packet as a blob */ *blob = ndr_push_blob(ndr); /* * Setup the frag and auth length in the packet buffer. * This is needed if the GENSEC mech does AEAD signing * of the packet headers. The signature itself will be * appended later. */ dcerpc_set_frag_length(blob, blob->length + sig_size); dcerpc_set_auth_length(blob, sig_size); /* sign or seal the packet */ switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = gensec_seal_packet(dce_conn->auth_state.gensec_security, call, ndr->data + DCERPC_REQUEST_LENGTH, payload_length, blob->data, blob->length, &creds2); break; case DCERPC_AUTH_LEVEL_INTEGRITY: status = gensec_sign_packet(dce_conn->auth_state.gensec_security, call, ndr->data + DCERPC_REQUEST_LENGTH, payload_length, blob->data, blob->length, &creds2); break; default: status = NT_STATUS_INVALID_LEVEL; break; } if (!NT_STATUS_IS_OK(status)) { return false; } if (creds2.length != sig_size) { DEBUG(3,("dcesrv_auth_response: creds2.length[%u] != sig_size[%u] pad[%u] stub[%u]\n", (unsigned)creds2.length, (uint32_t)sig_size, (unsigned)dce_conn->auth_state.auth_info->auth_pad_length, (unsigned)pkt->u.response.stub_and_verifier.length)); dcerpc_set_frag_length(blob, blob->length + creds2.length); dcerpc_set_auth_length(blob, creds2.length); } if (!data_blob_append(call, blob, creds2.data, creds2.length)) { status = NT_STATUS_NO_MEMORY; return false; } data_blob_free(&creds2); return true; }
/** push a general string onto the wire */ NTSTATUS ndr_push_string(struct ndr_push *ndr, int ndr_flags, const char *s) { ssize_t s_len, c_len, d_len; charset_t chset = CH_UTF16LE; unsigned flags = ndr->flags; unsigned byte_mul = 2; uint8_t *dest = NULL; if (!(ndr_flags & NDR_SCALARS)) { return NT_STATUS_OK; } if (NDR_BE(ndr)) { chset = CH_UTF16BE; } s_len = s?strlen(s):0; if (flags & LIBNDR_FLAG_STR_ASCII) { chset = CH_DOS; byte_mul = 1; flags &= ~LIBNDR_FLAG_STR_ASCII; } if (flags & LIBNDR_FLAG_STR_UTF8) { chset = CH_UTF8; byte_mul = 1; flags &= ~LIBNDR_FLAG_STR_UTF8; } flags &= ~LIBNDR_FLAG_STR_CONFORMANT; if (!(flags & (LIBNDR_FLAG_STR_NOTERM | LIBNDR_FLAG_STR_FIXLEN15 | LIBNDR_FLAG_STR_FIXLEN32))) { s_len++; } d_len = convert_string_talloc(ndr, CH_UNIX, chset, s, s_len, &dest, False); if (d_len == -1) { return ndr_push_error(ndr, NDR_ERR_CHARCNV, "Bad character conversion"); } if (flags & LIBNDR_FLAG_STR_BYTESIZE) { c_len = d_len; flags &= ~LIBNDR_FLAG_STR_BYTESIZE; } else if (flags & LIBNDR_FLAG_STR_CHARLEN) { c_len = (d_len / byte_mul)-1; flags &= ~LIBNDR_FLAG_STR_CHARLEN; } else { c_len = d_len / byte_mul; } switch ((flags & LIBNDR_STRING_FLAGS) & ~LIBNDR_FLAG_STR_NOTERM) { case LIBNDR_FLAG_STR_LEN4|LIBNDR_FLAG_STR_SIZE4: NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, c_len)); NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0)); NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, c_len)); NDR_CHECK(ndr_push_bytes(ndr, dest, d_len)); break; case LIBNDR_FLAG_STR_LEN4: NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0)); NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, c_len)); NDR_CHECK(ndr_push_bytes(ndr, dest, d_len)); break; case LIBNDR_FLAG_STR_SIZE4: NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, c_len)); NDR_CHECK(ndr_push_bytes(ndr, dest, d_len)); break; case LIBNDR_FLAG_STR_SIZE2: NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, c_len)); NDR_CHECK(ndr_push_bytes(ndr, dest, d_len)); break; case LIBNDR_FLAG_STR_NULLTERM: NDR_CHECK(ndr_push_bytes(ndr, dest, d_len)); break; case LIBNDR_FLAG_STR_FIXLEN15: case LIBNDR_FLAG_STR_FIXLEN32: { ssize_t fix_len = (flags & LIBNDR_FLAG_STR_FIXLEN32)?32:15; uint32_t pad_len = fix_len - d_len; if (d_len > fix_len) { return ndr_push_error(ndr, NDR_ERR_CHARCNV, "Bad character conversion"); } NDR_CHECK(ndr_push_bytes(ndr, dest, d_len)); if (pad_len != 0) { NDR_CHECK(ndr_push_zero(ndr, pad_len)); } break; } default: return ndr_push_error(ndr, NDR_ERR_STRING, "Bad string flags 0x%x\n", ndr->flags & LIBNDR_STRING_FLAGS); } talloc_free(dest); return NT_STATUS_OK; }