From 3731bbfdc4aa955fe73b1fd3458b068c0c5b69d0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sun, 15 Sep 2024 17:58:53 +0200
Subject: [PATCH] s3:rpc_client: header signing is negotiated per transport connection
All gensec backends support GENSEC_FEATURE_SIGN_PKT_HEADER, so there's no point in negotiating header signing based on the auth context used during the DCERPC Bind.
Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
(cherry picked from commit 72b79a771fdbf54aa73b4c1b0372b9dffd81bfa6)
---
 source3/librpc/rpc/dcerpc.h | 1 -
 source3/rpc_client/cli_pipe.c | 32 +++++++++-----------------------
 source3/rpc_client/rpc_client.h | 6 ++++++
 3 files changed, 15 insertions(+), 24 deletions(-)
diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
index 76f2fa05ae0..fdd3beda46d 100644
--- a/source3/librpc/rpc/dcerpc.h
+++ b/source3/librpc/rpc/dcerpc.h
@@ -39,7 +39,6 @@ struct pipe_auth_data { enum dcerpc_AuthType auth_type; enum dcerpc_AuthLevel auth_level; uint32_t auth_context_id; - bool client_hdr_signing; bool hdr_signing; bool verified_bitmask1;
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 645820de191..c1819ad991d 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1082,8 +1082,7 @@ static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - DATA_BLOB *auth_token, - bool *client_hdr_signing) + DATA_BLOB *auth_token) { struct gensec_security *gensec_security; DATA_BLOB null_blob = { .data = NULL };
@@ -1100,18 +1099,6 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli, return status; } - if (client_hdr_signing == NULL) { - return status; - } - - if (cli->auth->auth_level < DCERPC_AUTH_LEVEL_PACKET) { - *client_hdr_signing = false; - return status; - } - - *client_hdr_signing = gensec_have_feature(gensec_security, - GENSEC_FEATURE_SIGN_PKT_HEADER); - return status; }
@@ -1125,7 +1112,6 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx, const struct ndr_syntax_id *abstract, const struct ndr_syntax_id *transfer, const DATA_BLOB *auth_info, - bool client_hdr_signing, DATA_BLOB *blob) { uint16_t auth_len = auth_info->length;
@@ -1160,7 +1146,7 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx, auth_len -= DCERPC_AUTH_TRAILER_LENGTH; } - if (client_hdr_signing) { + if (ptype == DCERPC_PKT_BIND) { pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN; }
@@ -1196,7 +1182,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx, if (auth->auth_type != DCERPC_AUTH_TYPE_NONE) { ret = create_generic_auth_rpc_bind_req( - cli, mem_ctx, &auth_token, &auth->client_hdr_signing); + cli, mem_ctx, &auth_token); if (!NT_STATUS_IS_OK(ret) && !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
@@ -1224,7 +1210,6 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx, abstract, transfer, &auth_info, - auth->client_hdr_signing, rpc_out); data_blob_free(&auth_info);
@@ -1354,7 +1339,7 @@ static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *stat } t->commands[t->count.count++] = (struct dcerpc_sec_vt) { .command = DCERPC_SEC_VT_COMMAND_BITMASK1, - .u.bitmask1 = (a->client_hdr_signing) ? + .u.bitmask1 = (state->cli->client_hdr_signing) ? DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING : 0, };
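Review bot: In `create_bind_or_alt_ctx_internal` the `DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN` bit is now keyed on `ptype == DCERPC_PKT_BIND` with no comment, while `prepare_verification_trailer` (the `@@ -1354` hunk) reports client support from `state->cli->client_hdr_signing`; the two agree only because both are hard-wired to "always offer". The offer also appears to go out on binds with `DCERPC_AUTH_TYPE_NONE` now, which the removed path through `create_generic_auth_rpc_bind_req` presumably did not do. I would document the invariant at the `if`, e.g. `/* Header signing is per connection and offered on every BIND; keep in sync with cli->client_hdr_signing used for the verification trailer */`. The function body starts and ends outside the hunk.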
@@ -1790,7 +1775,6 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx, abstract, transfer, &auth_info, - false, /* client_hdr_signing */ rpc_out); data_blob_free(&auth_info); return status;
@@ -1839,6 +1823,8 @@ struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx, state->cli = cli; state->rpc_call_id = get_rpc_call_id(); + cli->client_hdr_signing = true; + cli->auth = talloc_move(cli, &auth); /* Marshall the outgoing data. */
@@ -1899,9 +1885,7 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq) if (pkt->ptype == DCERPC_PKT_BIND_ACK) { if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) { - if (pauth->client_hdr_signing) { - pauth->hdr_signing = true; - } + state->cli->hdr_signing = true; } }
@@ -1918,6 +1902,8 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq) return; } + pauth->hdr_signing = state->cli->hdr_signing; + /* get auth credentials */ status = dcerpc_pull_auth_trailer(pkt, talloc_tos(), &pkt->u.bind_ack.auth_info,
diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
index 9ba78351851..b2f02b01b3d 100644
--- a/source3/rpc_client/rpc_client.h
+++ b/source3/rpc_client/rpc_client.h
@@ -38,6 +38,12 @@ struct rpc_pipe_client { struct rpc_cli_transport *transport; struct dcerpc_binding_handle *binding_handle; + /* + * This is per connection + */ + bool client_hdr_signing; + bool hdr_signing; + /* * This is per association_group, but * for now we only have one connection
--
2.47.2
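Review bot: `cli->client_hdr_signing = true;` in `rpc_pipe_bind_send` carries no comment, and in the visible hunks `cli->hdr_signing` is only ever set to `true`, never cleared. If a `struct rpc_pipe_client` can go through this function more than once (not visible here), a result negotiated earlier would carry over into the next bind. Adding `cli->hdr_signing = false;` next to the new assignment would start the per-connection state from a known value. A one-line comment that the offer is unconditional because every gensec backend supports header signing would explain the hard-coded `true`. The function continues outside the hunk.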
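Review bot: `state->cli->hdr_signing = true;` is driven only by `pkt->pfc_flags` of the BIND_ACK, which `rpc_pipe_bind_step_one_done` reads before the auth trailer is pulled further down, so the value looks to come from a header that has not been integrity-checked at this point. A peer or path that clears the flag would leave header signing off for the whole connection without any local error. I would add a comment naming what is expected to catch that, presumably the `DCERPC_SEC_VT_COMMAND_BITMASK1` verification trailer: `/* taken from the unauthenticated BIND_ACK header; the verification trailer tells the server we offered it */`. The function starts and ends outside the hunk.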
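Review bot: `pauth->hdr_signing = state->cli->hdr_signing;` copies the connection result into the auth context for every auth level, whereas the removed code kept `client_hdr_signing` false when `auth_level < DCERPC_AUTH_LEVEL_PACKET`, so `hdr_signing` stayed false there. The readers of `pauth->hdr_signing` are outside this hunk; confirm they do not request header signing on a context below packet level. If they might, gate the copy with `pauth->hdr_signing = state->cli->hdr_signing && pauth->auth_level >= DCERPC_AUTH_LEVEL_PACKET;`. Either way, a comment that the per-auth field now mirrors the per-connection result would help the next reader.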
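Review bot: The comment `This is per connection` in `struct rpc_pipe_client` covers two fields without saying how they differ. From the cli_pipe.c hunks, `client_hdr_signing` is what the client offers (set in `rpc_pipe_bind_send`, reported in the verification trailer) and `hdr_signing` is the result taken from the BIND_ACK. I would state that on each field, e.g. `/* we offered header signing in our BIND */` and `/* the server acknowledged it in the BIND_ACK */`. The struct continues outside the hunk.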