s3:rpc_client: header signing is negotiated per transport connection

author Stefan Metzmacher <metze@samba.org>

Sun, 15 Sep 2024 15:58:53 +0000 (17:58 +0200)

committer Jule Anger <janger@samba.org>

Thu, 12 Jun 2025 11:27:15 +0000 (11:27 +0000)
author Stefan Metzmacher <metze@samba.org>
Sun, 15 Sep 2024 15:58:53 +0000 (17:58 +0200)
committer Jule Anger <janger@samba.org>
Thu, 12 Jun 2025 11:27:15 +0000 (11:27 +0000)
diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h

index 76f2fa05ae079c63640855e03f258f39caefd44f..fdd3beda46d8c4f077c1e615340dd1a38a9d9844 100644 (file)
--- a/source3/librpc/rpc/dcerpc.h
+++ b/source3/librpc/rpc/dcerpc.h
@@ -39,7 +39,6 @@ struct pipe_auth_data {
         enum dcerpc_AuthType auth_type;
         enum dcerpc_AuthLevel auth_level;
         uint32_t auth_context_id;
-       bool client_hdr_signing;
         bool hdr_signing;
         bool verified_bitmask1;
  
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c

index 645820de191c1d1bc9552cb1b20da12e777676de..c1819ad991d048c02eeba08e8f5de54ed190edb1 100644 (file)
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1082,8 +1082,7 @@ static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
  
  static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
                                                  TALLOC_CTX *mem_ctx,
-                                                DATA_BLOB *auth_token,
-                                                bool *client_hdr_signing)
+                                                DATA_BLOB *auth_token)
  {
         struct gensec_security *gensec_security;
         DATA_BLOB null_blob = { .data = NULL };
@@ -1100,18 +1099,6 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
                 return status;
         }
  
-       if (client_hdr_signing == NULL) {
-               return status;
-       }
-
-       if (cli->auth->auth_level < DCERPC_AUTH_LEVEL_PACKET) {
-               *client_hdr_signing = false;
-               return status;
-       }
-
-       *client_hdr_signing = gensec_have_feature(gensec_security,
-                                               GENSEC_FEATURE_SIGN_PKT_HEADER);
-
         return status;
  }
  
@@ -1125,7 +1112,6 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
                                                 const struct ndr_syntax_id *abstract,
                                                 const struct ndr_syntax_id *transfer,
                                                 const DATA_BLOB *auth_info,
-                                               bool client_hdr_signing,
                                                 DATA_BLOB *blob)
  {
         uint16_t auth_len = auth_info->length;
@@ -1160,7 +1146,7 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
                 auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
         }
  
-       if (client_hdr_signing) {
+       if (ptype == DCERPC_PKT_BIND) {
                 pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
         }
  
@@ -1196,7 +1182,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
  
         if (auth->auth_type != DCERPC_AUTH_TYPE_NONE) {
                 ret = create_generic_auth_rpc_bind_req(
-                       cli, mem_ctx, &auth_token, &auth->client_hdr_signing);
+                       cli, mem_ctx, &auth_token);
  
                 if (!NT_STATUS_IS_OK(ret) &&
                     !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
@@ -1224,7 +1210,6 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
                                               abstract,
                                               transfer,
                                               &auth_info,
-                                             auth->client_hdr_signing,
                                               rpc_out);
         data_blob_free(&auth_info);
  
@@ -1354,7 +1339,7 @@ static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *stat
                 }
                 t->commands[t->count.count++] = (struct dcerpc_sec_vt) {
                         .command = DCERPC_SEC_VT_COMMAND_BITMASK1,
-                       .u.bitmask1 = (a->client_hdr_signing) ?
+                       .u.bitmask1 = (state->cli->client_hdr_signing) ?
                                 DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING :
                                 0,
                 };
@@ -1790,7 +1775,6 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
                                                  abstract,
                                                  transfer,
                                                  &auth_info,
-                                                false, /* client_hdr_signing */
                                                  rpc_out);
         data_blob_free(&auth_info);
         return status;
@@ -1839,6 +1823,8 @@ struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
         state->cli = cli;
         state->rpc_call_id = get_rpc_call_id();
  
+       cli->client_hdr_signing = true;
+
         cli->auth = talloc_move(cli, &auth);
  
         /* Marshall the outgoing data. */
@@ -1899,9 +1885,7 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
  
         if (pkt->ptype == DCERPC_PKT_BIND_ACK) {
                 if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
-                       if (pauth->client_hdr_signing) {
-                               pauth->hdr_signing = true;
-                       }
+                       state->cli->hdr_signing = true;
                 }
         }
  
@@ -1918,6 +1902,8 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
                 return;
         }
  
+       pauth->hdr_signing = state->cli->hdr_signing;
+
         /* get auth credentials */
         status = dcerpc_pull_auth_trailer(pkt, talloc_tos(),
                                           &pkt->u.bind_ack.auth_info,
diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h

index 9ba783518516c1011b4b465f34cde7daf93fc957..b2f02b01b3d4e7ae9638e5ef4045c429ceb62136 100644 (file)
--- a/source3/rpc_client/rpc_client.h
+++ b/source3/rpc_client/rpc_client.h
@@ -38,6 +38,12 @@ struct rpc_pipe_client {
         struct rpc_cli_transport *transport;
         struct dcerpc_binding_handle *binding_handle;
  
+       /*
+        * This is per connection
+        */
+       bool client_hdr_signing;
+       bool hdr_signing;
+
         /*
          * This is per association_group, but
          * for now we only have one connection
author	Stefan Metzmacher <metze@samba.org>
	Sun, 15 Sep 2024 15:58:53 +0000 (17:58 +0200)
committer	Jule Anger <janger@samba.org>
	Thu, 12 Jun 2025 11:27:15 +0000 (11:27 +0000)
source3/librpc/rpc/dcerpc.h		patch \| blob \| blame \| history
source3/rpc_client/cli_pipe.c		patch \| blob \| blame \| history
source3/rpc_client/rpc_client.h		patch \| blob \| blame \| history