From 50f82609b5833b2f242bc7d5adddeb56480fa2bb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 6 Aug 2008 21:35:07 +0200
Subject: librpc/rpc: add support DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
You can trigger it like this: ncacn_ip_tcp:172.31.9.234[sign,hdrsign] or ncacn_ip_tcp:172.31.9.234[seal,hdrsign] metze (This used to be commit 54f1fca582b1474693b5ee11b7b847086d27f75f)
---
 source4/librpc/rpc/binding.c | 3 ++-
 source4/librpc/rpc/dcerpc.c | 26 ++++++++++++++++++++++++++
 source4/librpc/rpc/dcerpc.h | 3 +++
 source4/librpc/rpc/dcerpc_auth.c | 4 ++++
 4 files changed, 35 insertions(+), 1 deletion(-)
(limited to 'source4/librpc/rpc')
diff --git a/source4/librpc/rpc/binding.c b/source4/librpc/rpc/binding.c
index ae88dce1be..bfe62c4054 100644
--- a/source4/librpc/rpc/binding.c
+++ b/source4/librpc/rpc/binding.c
@@ -83,7 +83,8 @@ static const struct {
 {"print", DCERPC_DEBUG_PRINT_BOTH},
 {"padcheck", DCERPC_DEBUG_PAD_CHECK},
 {"bigendian", DCERPC_PUSH_BIGENDIAN},
- {"smb2", DCERPC_SMB2}
+ {"smb2", DCERPC_SMB2},
+ {"hdrsign", DCERPC_HEADER_SIGNING}
 };
 const char *epm_floor_string(TALLOC_CTX *mem_ctx, struct epm_floor *epm_floor)
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 33a8ed569a..a6c7e0020d 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -658,6 +658,16 @@ static void dcerpc_bind_recv_handler(struct rpc_request *req,
 conn->srv_max_xmit_frag = pkt->u.bind_ack.max_xmit_frag;
 conn->srv_max_recv_frag = pkt->u.bind_ack.max_recv_frag;
+ if ((req->p->binding->flags & DCERPC_CONCURRENT_MULTIPLEX) &&
+ (pkt->pfc_flags & DCERPC_PFC_FLAG_CONC_MPX)) {
+ conn->flags |= DCERPC_CONCURRENT_MULTIPLEX;
+ }
+
+ if ((req->p->binding->flags & DCERPC_HEADER_SIGNING) &&
+ (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
+ conn->flags |= DCERPC_HEADER_SIGNING;
+ }
+
 /* the bind_ack might contain a reply set of credentials */
 if (conn->security_state.auth_info && pkt->u.bind_ack.auth_info.length) {
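Review bot: In dcerpc_bind_recv_handler the header-signing branch silently drops the request when the bind_ack lacks DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN, so a caller who put `hdrsign` in the binding string gets a connection without it and no indication of that. The flag is read from the bind_ack before the reply credentials below it are handled, so as far as this hunk shows nothing protects the bit against being cleared in transit, which would be a silent downgrade. An `else` branch that at least logs the refusal, for example `DEBUG(2, ("server did not accept header signing\n"));`, would make the downgrade visible; failing the bind when the caller requires the feature is the stricter option. The function body begins and ends outside the hunk, so any later check is not visible here.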
@@ -731,6 +741,10 @@ struct composite_context *dcerpc_bind_send(struct dcerpc_pipe *p,
 pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
 }
+ if (p->binding->flags & DCERPC_HEADER_SIGNING) {
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+ }
+
 pkt.u.bind.max_xmit_frag = 5840;
 pkt.u.bind.max_recv_frag = 5840;
 pkt.u.bind.assoc_group_id = p->binding->assoc_group_id;
@@ -806,6 +820,14 @@ NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
 pkt.u.auth3._pad = 0;
 pkt.u.auth3.auth_info = data_blob(NULL, 0);
+ if (p->binding->flags & DCERPC_CONCURRENT_MULTIPLEX) {
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
+ }
+
+ if (p->binding->flags & DCERPC_HEADER_SIGNING) {
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+ }
+
 /* construct the NDR form of the packet */
 status = ncacn_push_auth(&blob, mem_ctx, p->conn->iconv_convenience,
@@ -1630,6 +1652,10 @@ struct composite_context *dcerpc_alter_context_send(struct dcerpc_pipe *p,
 pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
 }
+ if (p->binding->flags & DCERPC_HEADER_SIGNING) {
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+ }
+
 pkt.u.alter.max_xmit_frag = 5840;
 pkt.u.alter.max_recv_frag = 5840;
 pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 487f9f2eda..1fd56cb052 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -163,6 +163,9 @@ struct dcerpc_pipe {
 /* this triggers the DCERPC_PFC_FLAG_CONC_MPX flag in the bind request */
 #define DCERPC_CONCURRENT_MULTIPLEX (1<<19)
+/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
+#define DCERPC_HEADER_SIGNING (1<<20)
+
 /* this describes a binding to a particular transport/pipe */
 struct dcerpc_binding {
 enum dcerpc_transport_t transport;
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index 661cd13c5a..49fc3d9294 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
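Review bot: In the dcerpc_auth3 hunk (@@ -806) both PFC flags are taken from `p->binding->flags`, which is what the caller requested, while the bind_recv_handler hunk in this same commit records the negotiated outcome in `conn->flags`. An auth3 PDU presumably goes out after the bind_ack, so it can still carry DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN when the server declined it, and it then disagrees with bind_auth_next_step, which keys off `conn->flags`. Testing `p->conn->flags & DCERPC_HEADER_SIGNING` (and likewise for DCERPC_CONCURRENT_MULTIPLEX) here would keep the three places consistent. Whether this bit carries the header-signing meaning on an auth3 PDU at all is worth confirming against the protocol specification. The function starts and ends outside the hunk.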
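Review bot: The comment added above DCERPC_HEADER_SIGNING in dcerpc.h says the flag is triggered "in the bind request", but this commit also sets it on auth3 and alter_context PDUs and reuses the same bit in `conn->flags` to record that the server accepted it. A reader who trusts the comment will miss that the bit means "requested" in one structure and "negotiated" in another. Suggested wording: `/* in binding->flags: offer DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN; in conn->flags: the server accepted it */`.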
@@ -137,6 +137,10 @@ static void bind_auth_next_step(struct composite_context *c)
 if (!composite_is_ok(c)) return;
+ if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
+ gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
+ }
+
 if (state->credentials.length == 0) {
 composite_done(c);
 return;
-- cgit
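Review bot: Nothing after the added gensec_want_feature() call confirms that the selected GENSEC mechanism can actually sign the PDU header; the call's outcome is not checked and it appears to return no status. If the mechanism cannot honour GENSEC_FEATURE_SIGN_PKT_HEADER while the bind has already negotiated DCERPC_HEADER_SIGNING, client and server may disagree about which bytes the signature covers. Consider following the request with `if (!gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER))` and failing the composite, or clearing the connection flag, in that case. `sec` and `state` are set up outside the hunk and bind_auth_next_step continues past it, so an existing check elsewhere cannot be ruled out from here.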