feat: add fragmented bind/alter-context auth support

Author: oiweiwei

dcerpc/packet.go

@@ -38,6 +38,21 @@ type Packet struct {
 	start, end int
 }
 
+func (p *Packet) Unset(flag PacketFlag) {
+	p.Header.PacketFlags &^= flag
+}
+
+func (p *Packet) Set(flag PacketFlag) {
+	p.Header.PacketFlags |= flag
+}
+
+func (p *Packet) PDUHeaderSize() int {
+	if sizer := p.PDU.(interface{ Size() int }); sizer != nil {
+		return HeaderSize + sizer.Size() + MaxPad + SecurityTrailerSize
+	}
+	return 0
+}
+
 func (p *Packet) IsLastFrag() bool {
 	return p.Header.PacketFlags&PacketFlagLastFrag != 0
 }
@@ -332,7 +347,7 @@ func (c *transport) EncodePacket(ctx context.Context, pkt *Packet, raw []byte) e
 	pkt.raw, pkt.end = raw, len(raw)
 
 	// set packet rpc version.
-	pkt.Header.RPCVersion, pkt.Header.RPCVersionMinor = 5, 0
+	pkt.Header.RPCVersion = 5
 	// set packet drep.
 	pkt.Header.PacketDRep = c.settings.DataRepresentation
 	// set packet type.
@@ -364,14 +379,20 @@ func (c *transport) EncodePacket(ctx context.Context, pkt *Packet, raw []byte) e
 
 	// adjust stub buffer to include security trailer.
 	if pkt.Header.AuthLength > 0 {
-		pkt.end -= MaxPad + SecurityTrailerSize + int(pkt.Header.AuthLength)
+		sz := MaxPad + SecurityTrailerSize + int(pkt.Header.AuthLength)
+		if pkt.end -= sz; pkt.end <= 0 {
+			return fmt.Errorf("encode_packet: insufficient buffer size for security trailer (%d bytes)", sz)
+		}
 	}
 
 	// XXX: verification is computed for every fragment, however it's being
 	// written only for last fragment.
 	verifyLen := pkt.VerificationTrailer.Size()
 	if verifyLen > 0 {
-		pkt.end -= VerificationTrailerMaxPad + verifyLen /* VerificationMaxPad */
+		sz := VerificationTrailerMaxPad + verifyLen /* VerificationMaxPad */
+		if pkt.end -= sz; pkt.end <= 0 {
+			return fmt.Errorf("encode_packet: insufficient buffer size for verification trailer (%d bytes)", verifyLen)
+		}
 	}
 
 	w := c.Codec(raw, pkt.Header.PacketDRep)

dcerpc/pdu.go

@@ -70,6 +70,10 @@ type Auth3 struct {
 	Pad [4]byte
 }
 
+func (pdu *Auth3) Size() int {
+	return 4
+}
+
 func (pdu *Auth3) MarshalZerologObject(e *zerolog.Event) {}
 
 // marshal function ...
@@ -101,6 +105,14 @@ type AlterContext struct {
 	ContextList  []*Context
 }
 
+func (pdu *AlterContext) Size() int {
+	size := 8 + 1
+	for _, ctx := range pdu.ContextList {
+		size += ctx.Size()
+	}
+	return size
+}
+
 func (pdu *AlterContext) MarshalZerologObject(e *zerolog.Event) {}
 
 func (pdu *AlterContext) WriteTo(ctx context.Context, w ndr.Writer) error {
@@ -201,6 +213,14 @@ type Bind struct {
 	ContextList  []*Context
 }
 
+func (pdu *Bind) Size() int {
+	size := 8 + 1
+	for _, ctx := range pdu.ContextList {
+		size += ctx.Size()
+	}
+	return size
+}
+
 func (pdu *Bind) MarshalZerologObject(e *zerolog.Event) {}
 
 func (pdu *Bind) WriteTo(ctx context.Context, w ndr.Writer) error {

dcerpc/transport.go

@@ -153,6 +153,40 @@ func (c *transport) ExportSMBSecurity(o *Security) {
 
 }
 
+// writePacketFragmentedAuth writes the packet with fragmented authentication data.
+func (c *transport) writePacketFragmentedAuth(ctx context.Context, call Call, pkt *Packet) error {
+
+	authData, maxSize := pkt.AuthData, c.settings.MaxXmitFrag-pkt.PDUHeaderSize()
+
+	// https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm:
+	//
+	// If pfc_flags does not have PFC_LAST_FRAG set and rpc_vers_minor is 1,
+	// then the PDU has fragmented auth_verifier data. The server will assemble
+	// the data concatenating sequentially each auth_verifier field until a
+	// PDU is sent with PFC_LAST_FRAG flag set. This completed buffer is then
+	// used as auth_verifier data.
+
+	for {
+
+		if pkt.Set(PacketFlagLastFrag); len(authData) > maxSize {
+			pkt.AuthData, authData = authData[:maxSize], authData[maxSize:]
+			pkt.Header.RPCVersionMinor = 1
+			pkt.Unset(PacketFlagLastFrag)
+		}
+
+		// write bind pdu.
+		if err := c.WritePacket(ctx, call, pkt); err != nil {
+			return fmt.Errorf("alter context: write packet: %w", err)
+		}
+
+		if pkt.Unset(PacketFlagFirstFrag); len(pkt.AuthData) <= maxSize {
+			break
+		}
+	}
+
+	return nil
+}
+
 // AlterContext function establishes new presentation or security (or both) context(s).
 func (c *transport) AlterContext(ctx context.Context, opts ...Option) (Conn, error) {
 
@@ -193,11 +227,13 @@ func (c *transport) AlterContext(ctx context.Context, opts ...Option) (Conn, err
 	if pkt.AuthData, err = o.Security.Init(ctx, nil); err != nil {
 		return nil, fmt.Errorf("alter context: init security: %w", err)
 	}
-	// write bind pdu.
-	if err = c.WritePacket(ctx, call, pkt); err != nil {
-		return nil, fmt.Errorf("alter context: write packet: %w", err)
+
+	// write alter-context pdu.
+	if err := c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
+		return nil, err
 	}
-	// read bind response (bind-ack, bind-nak).
+
+	// read alter-context response (alter-context-response).
 	if pkt, err = c.ReadPacket(ctx, call, pkt); err != nil {
 		return nil, fmt.Errorf("alter context: read packet: %w", err)
 	}
@@ -243,14 +279,14 @@ func (c *transport) AlterContext(ctx context.Context, opts ...Option) (Conn, err
 			// replace type with auth3.
 			pkt.PDU = &Auth3{}
 			// write auth3 pdu.
-			if err = c.WritePacket(ctx, call, pkt); err != nil {
+			if err = c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
 				return nil, fmt.Errorf("alter context: auth3: write packet: %w", err)
 			}
 			// no response is assumed.
 			break
 		}
 		// write alter_context request.
-		if err = c.WritePacket(ctx, call, pkt); err != nil {
+		if err = c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
 			return nil, fmt.Errorf("alter context: write packet: %w", err)
 		}
 		// read alter_context response.
@@ -385,7 +421,7 @@ func (c *transport) Bind(ctx context.Context, opts ...Option) (Conn, error) {
 		return nil, fmt.Errorf("bind: %w", err)
 	}
 	// write bind pdu.
-	if err = c.WritePacket(ctx, call, pkt); err != nil {
+	if err = c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
 		return nil, fmt.Errorf("bind: write packet: %w", err)
 	}
 	// read bind response (bind-ack, bind-nak).
@@ -463,14 +499,14 @@ func (c *transport) Bind(ctx context.Context, opts ...Option) (Conn, error) {
 			// replace type with auth3.
 			pkt.PDU = &Auth3{}
 			// write auth3 pdu.
-			if err = c.WritePacket(ctx, call, pkt); err != nil {
+			if err = c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
 				return nil, fmt.Errorf("bind: alter context: auth3: write packet: %w", err)
 			}
 			// no response is assumed.
 			break
 		}
 		// write alter_context request.
-		if err = c.WritePacket(ctx, call, pkt); err != nil {
+		if err = c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
 			return nil, fmt.Errorf("bind: alter context: write packet: %w", err)
 		}
 		// read alter_context response.

dcerpc/types.go

@@ -14,6 +14,10 @@ type SyntaxID struct {
 	IfVersionMinor uint16
 }
 
+func (v *SyntaxID) Size() int {
+	return 16 + 2 + 2
+}
+
 func (v *SyntaxID) Is(other *SyntaxID) bool {
 	if v == nil || other == nil {
 		return false
@@ -85,6 +89,14 @@ type Context struct {
 	TransferSyntaxes []*SyntaxID
 }
 
+func (c *Context) Size() int {
+	size := 4 + c.AbstractSyntax.Size()
+	for i := range c.TransferSyntaxes {
+		size += c.TransferSyntaxes[i].Size()
+	}
+	return size
+}
+
 // marshal function ...
 func (c *Context) WriteTo(ctx context.Context, w ndr.Writer) error {
 	w.WriteData(c.ContextID)