diff options
Diffstat (limited to 'librpc/rpc/dcerpc_helper.c')
-rw-r--r-- | librpc/rpc/dcerpc_helper.c | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/librpc/rpc/dcerpc_helper.c b/librpc/rpc/dcerpc_helper.c new file mode 100644 index 0000000..e1589f9 --- /dev/null +++ b/librpc/rpc/dcerpc_helper.c @@ -0,0 +1,132 @@ +/* + * Copyright (c) 2020 Andreas Schneider <asn@samba.org> + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" +#include "librpc/gen_ndr/security.h" +#include "librpc/gen_ndr/auth.h" +#include "lib/crypto/gnutls_helpers.h" +#include "libcli/security/dom_sid.h" +#include "libcli/security/security_token.h" +#include "libcli/smb/smb2_constants.h" + +#include "dcerpc_helper.h" + +static bool smb3_sid_parse(const struct dom_sid *sid, + uint16_t *pdialect, + uint16_t *pencrypt, + uint16_t *pcipher) +{ + uint16_t dialect; + uint16_t encrypt; + uint16_t cipher; + + if (sid->sub_auths[0] != global_sid_Samba_SMB3.sub_auths[0]) { + return false; + } + + dialect = sid->sub_auths[1]; + if (dialect > 0x03ff) { + return false; + } + + encrypt = sid->sub_auths[2]; + if (encrypt > 0x0002) { + return false; + } + + cipher = sid->sub_auths[3]; + if (cipher > 256) { + /* + * It is unlikely that we + * ever have more then 256 + * encryption algorithms + */ + return false; + } + + if (pdialect != NULL) { + *pdialect = dialect; + } + + if (pencrypt != NULL) { + *pencrypt = encrypt; + } + + if (pcipher != NULL) { + *pcipher = cipher; + } + + return true; +} + +bool dcerpc_is_transport_encrypted(struct auth_session_info *session_info) +{ + struct security_token *token = session_info->security_token; + struct dom_sid smb3_dom_sid = global_sid_Samba_SMB3; + const struct dom_sid *smb3_sid = NULL; + uint16_t dialect = 0; + uint16_t encrypt = 0; + uint16_t cipher = 0; + size_t num_smb3_sids; + bool ok; + + num_smb3_sids = security_token_count_flag_sids(token, + &smb3_dom_sid, + 3, + &smb3_sid); + if (num_smb3_sids > 1) { + DBG_ERR("ERROR: The SMB3 SID has been detected %zu times\n", + num_smb3_sids); + return false; + } + + if (smb3_sid == NULL) { + return false; + } + + ok = smb3_sid_parse(smb3_sid, &dialect, &encrypt, &cipher); + if (!ok) { + DBG_ERR("Failed to parse SMB3 SID!\n"); + return false; + } + + DBG_DEBUG("SMB SID - dialect: %#04x, encrypt: %#04x, cipher: %#04x\n", + dialect, + encrypt, + cipher); + + if (dialect < SMB3_DIALECT_REVISION_300) { + DBG_DEBUG("Invalid SMB3 dialect!\n"); + return false; + } + + if (encrypt != DCERPC_SMB_ENCRYPTION_REQUIRED) { + DBG_DEBUG("Invalid SMB3 encryption!\n"); + return false; + } + + switch (cipher) { + case SMB2_ENCRYPTION_AES128_CCM: + case SMB2_ENCRYPTION_AES128_GCM: + break; + default: + DBG_DEBUG("Invalid SMB3 cipher!\n"); + return false; + } + + return true; +} |