DCE/RPC v5 'connection-oriented' packet
| 843 | |
| 844 | |
| 845 | class DceRpc5(DceRpc): |
| 846 | """ |
| 847 | DCE/RPC v5 'connection-oriented' packet |
| 848 | """ |
| 849 | |
| 850 | name = "DCE/RPC v5" |
| 851 | fields_desc = ( |
| 852 | [ |
| 853 | ByteEnumField( |
| 854 | "rpc_vers", 5, {4: "4 (connection-less)", 5: "5 (connection-oriented)"} |
| 855 | ), |
| 856 | ByteField("rpc_vers_minor", 0), |
| 857 | ByteEnumField("ptype", 0, DCE_RPC_TYPE), |
| 858 | MultipleTypeField( |
| 859 | # [MS-RPCE] sect 2.2.2.3 |
| 860 | [ |
| 861 | ( |
| 862 | FlagsField("pfc_flags", 0x3, 8, _DCE_RPC_5_FLAGS_2), |
| 863 | lambda pkt: pkt.ptype in [11, 12, 13, 14, 15, 16], |
| 864 | ) |
| 865 | ], |
| 866 | FlagsField("pfc_flags", 0x3, 8, _DCE_RPC_5_FLAGS), |
| 867 | ), |
| 868 | ] |
| 869 | + _drep |
| 870 | + [ |
| 871 | ByteField("reserved2", 0), |
| 872 | _EField(ShortField("frag_len", None)), |
| 873 | _EField( |
| 874 | FieldLenField( |
| 875 | "auth_len", |
| 876 | None, |
| 877 | fmt="H", |
| 878 | length_of="auth_verifier", |
| 879 | adjust=lambda _, x: 0 if not x else (x - 8), |
| 880 | ) |
| 881 | ), |
| 882 | _EField(IntField("call_id", None)), |
| 883 | # Now let's proceed with trailer fields, i.e. at the end of the PACKET |
| 884 | # (below all payloads, etc.). Have a look at Figure 3 in sect 2.2.2.13 |
| 885 | # of [MS-RPCE] but note the following: |
| 886 | # - auth_verifier includes sec_trailer + the authentication token |
| 887 | # - auth_padding is the authentication padding |
| 888 | # - vt_trailer is the verification trailer |
| 889 | ConditionalField( |
| 890 | TrailerField( |
| 891 | PacketLenField( |
| 892 | "auth_verifier", |
| 893 | None, |
| 894 | CommonAuthVerifier, |
| 895 | length_from=lambda pkt: pkt.auth_len + 8, |
| 896 | ) |
| 897 | ), |
| 898 | lambda pkt: pkt.auth_len != 0, |
| 899 | ), |
| 900 | ConditionalField( |
| 901 | TrailerField( |
| 902 | StrLenField( |