2 * DCERPC Helper routines
3 * Günther Deschner <gd@samba.org> 2010.
4 * Simo Sorce <idra@samba.org> 2010.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "librpc/rpc/dcerpc.h"
23 #include "librpc/gen_ndr/ndr_dcerpc.h"
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "../libcli/auth/schannel.h"
26 #include "../libcli/auth/spnego.h"
27 #include "../auth/ntlmssp/ntlmssp.h"
28 #include "ntlmssp_wrap.h"
29 #include "librpc/crypto/gse.h"
30 #include "librpc/crypto/spnego.h"
31 #include "auth/gensec/gensec.h"
34 #define DBGC_CLASS DBGC_RPC_PARSE
37 * @brief NDR Encodes a ncacn_packet
39 * @param mem_ctx The memory context the blob will be allocated on
40 * @param ptype The DCERPC packet type
41 * @param pfc_flags The DCERPC PFC Falgs
42 * @param auth_length The length of the trailing auth blob
43 * @param call_id The call ID
44 * @param u The payload of the packet
45 * @param blob [out] The encoded blob if successful
47 * @return an NTSTATUS error code
49 NTSTATUS dcerpc_push_ncacn_packet(TALLOC_CTX *mem_ctx,
50 enum dcerpc_pkt_type ptype,
54 union dcerpc_payload *u,
57 struct ncacn_packet r;
58 enum ndr_err_code ndr_err;
63 r.pfc_flags = pfc_flags;
64 r.drep[0] = DCERPC_DREP_LE;
68 r.auth_length = auth_length;
72 ndr_err = ndr_push_struct_blob(blob, mem_ctx, &r,
73 (ndr_push_flags_fn_t)ndr_push_ncacn_packet);
74 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
75 return ndr_map_error2ntstatus(ndr_err);
78 dcerpc_set_frag_length(blob, blob->length);
81 if (DEBUGLEVEL >= 10) {
82 /* set frag len for print function */
83 r.frag_length = blob->length;
84 NDR_PRINT_DEBUG(ncacn_packet, &r);
91 * @brief Decodes a ncacn_packet
93 * @param mem_ctx The memory context on which to allocate the packet
95 * @param blob The blob of data to decode
96 * @param r An empty ncacn_packet, must not be NULL
97 * @param bigendian Whether the packet is bignedian encoded
99 * @return a NTSTATUS error code
101 NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
102 const DATA_BLOB *blob,
103 struct ncacn_packet *r,
106 enum ndr_err_code ndr_err;
107 struct ndr_pull *ndr;
109 ndr = ndr_pull_init_blob(blob, mem_ctx);
111 return NT_STATUS_NO_MEMORY;
114 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
117 ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r);
119 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
121 return ndr_map_error2ntstatus(ndr_err);
125 if (DEBUGLEVEL >= 10) {
126 NDR_PRINT_DEBUG(ncacn_packet, r);
133 * @brief NDR Encodes a NL_AUTH_MESSAGE
135 * @param mem_ctx The memory context the blob will be allocated on
136 * @param r The NL_AUTH_MESSAGE to encode
137 * @param blob [out] The encoded blob if successful
139 * @return a NTSTATUS error code
141 NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
142 struct NL_AUTH_MESSAGE *r,
145 enum ndr_err_code ndr_err;
147 ndr_err = ndr_push_struct_blob(blob, mem_ctx, r,
148 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
149 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
150 return ndr_map_error2ntstatus(ndr_err);
153 if (DEBUGLEVEL >= 10) {
154 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, r);
161 * @brief NDR Encodes a dcerpc_auth structure
163 * @param mem_ctx The memory context the blob will be allocated on
164 * @param auth_type The DCERPC Authentication Type
165 * @param auth_level The DCERPC Authentication Level
166 * @param auth_pad_length The padding added to the packet this blob will be
168 * @param auth_context_id The context id
169 * @param credentials The authentication credentials blob (signature)
170 * @param blob [out] The encoded blob if successful
172 * @return a NTSTATUS error code
174 NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
175 enum dcerpc_AuthType auth_type,
176 enum dcerpc_AuthLevel auth_level,
177 uint8_t auth_pad_length,
178 uint32_t auth_context_id,
179 const DATA_BLOB *credentials,
182 struct dcerpc_auth r;
183 enum ndr_err_code ndr_err;
185 r.auth_type = auth_type;
186 r.auth_level = auth_level;
187 r.auth_pad_length = auth_pad_length;
189 r.auth_context_id = auth_context_id;
190 r.credentials = *credentials;
192 ndr_err = ndr_push_struct_blob(blob, mem_ctx, &r,
193 (ndr_push_flags_fn_t)ndr_push_dcerpc_auth);
194 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
195 return ndr_map_error2ntstatus(ndr_err);
198 if (DEBUGLEVEL >= 10) {
199 NDR_PRINT_DEBUG(dcerpc_auth, &r);
206 * @brief Decodes a dcerpc_auth blob
208 * @param mem_ctx The memory context on which to allocate the packet
210 * @param blob The blob of data to decode
211 * @param r An empty dcerpc_auth structure, must not be NULL
213 * @return a NTSTATUS error code
215 NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
216 const DATA_BLOB *blob,
217 struct dcerpc_auth *r,
220 enum ndr_err_code ndr_err;
221 struct ndr_pull *ndr;
223 ndr = ndr_pull_init_blob(blob, mem_ctx);
225 return NT_STATUS_NO_MEMORY;
228 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
231 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, r);
233 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
235 return ndr_map_error2ntstatus(ndr_err);
239 if (DEBUGLEVEL >= 10) {
240 NDR_PRINT_DEBUG(dcerpc_auth, r);
247 * @brief Calculate how much data we can in a packet, including calculating
248 * auth token and pad lengths.
250 * @param auth The pipe_auth_data structure for this pipe.
251 * @param header_len The length of the packet header
252 * @param data_left The data left in the send buffer
253 * @param max_xmit_frag The max fragment size.
254 * @param pad_alignment The NDR padding size.
255 * @param data_to_send [out] The max data we will send in the pdu
256 * @param frag_len [out] The total length of the fragment
257 * @param auth_len [out] The length of the auth trailer
258 * @param pad_len [out] The padding to be applied
260 * @return A NT Error status code.
262 NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
263 size_t header_len, size_t data_left,
264 size_t max_xmit_frag, size_t pad_alignment,
265 size_t *data_to_send, size_t *frag_len,
266 size_t *auth_len, size_t *pad_len)
270 struct gensec_security *gensec_security;
271 struct schannel_state *schannel_auth;
272 struct spnego_context *spnego_ctx;
273 struct gse_context *gse_ctx;
274 enum spnego_mech auth_type;
279 /* no auth token cases first */
280 switch (auth->auth_level) {
281 case DCERPC_AUTH_LEVEL_NONE:
282 case DCERPC_AUTH_LEVEL_CONNECT:
283 case DCERPC_AUTH_LEVEL_PACKET:
284 max_len = max_xmit_frag - header_len;
285 *data_to_send = MIN(max_len, data_left);
288 *frag_len = header_len + *data_to_send;
291 case DCERPC_AUTH_LEVEL_PRIVACY:
295 case DCERPC_AUTH_LEVEL_INTEGRITY:
299 return NT_STATUS_INVALID_PARAMETER;
303 /* Sign/seal case, calculate auth and pad lengths */
305 max_len = max_xmit_frag - header_len - DCERPC_AUTH_TRAILER_LENGTH;
307 /* Treat the same for all authenticated rpc requests. */
308 switch (auth->auth_type) {
309 case DCERPC_AUTH_TYPE_SPNEGO:
310 spnego_ctx = talloc_get_type_abort(auth->auth_ctx,
311 struct spnego_context);
312 status = spnego_get_negotiated_mech(spnego_ctx,
313 &auth_type, &auth_ctx);
314 if (!NT_STATUS_IS_OK(status)) {
319 gensec_security = talloc_get_type_abort(auth_ctx,
320 struct gensec_security);
321 *auth_len = gensec_sig_size(gensec_security, max_len);
325 gse_ctx = talloc_get_type_abort(auth_ctx,
328 return NT_STATUS_INVALID_PARAMETER;
330 *auth_len = gse_get_signature_length(gse_ctx,
335 return NT_STATUS_INVALID_PARAMETER;
339 case DCERPC_AUTH_TYPE_NTLMSSP:
340 gensec_security = talloc_get_type_abort(auth->auth_ctx,
341 struct gensec_security);
342 *auth_len = gensec_sig_size(gensec_security, max_len);
345 case DCERPC_AUTH_TYPE_SCHANNEL:
346 schannel_auth = talloc_get_type_abort(auth->auth_ctx,
347 struct schannel_state);
348 *auth_len = netsec_outgoing_sig_size(schannel_auth);
351 case DCERPC_AUTH_TYPE_KRB5:
352 gse_ctx = talloc_get_type_abort(auth->auth_ctx,
354 *auth_len = gse_get_signature_length(gse_ctx,
359 return NT_STATUS_INVALID_PARAMETER;
362 max_len -= *auth_len;
364 *data_to_send = MIN(max_len, data_left);
366 mod_len = (header_len + *data_to_send) % pad_alignment;
368 *pad_len = pad_alignment - mod_len;
373 if (*data_to_send + *pad_len > max_len) {
374 *data_to_send -= pad_alignment;
377 *frag_len = header_len + *data_to_send + *pad_len
378 + DCERPC_AUTH_TRAILER_LENGTH + *auth_len;
383 /*******************************************************************
384 Create and add the NTLMSSP sign/seal auth data.
385 ********************************************************************/
387 static NTSTATUS add_ntlmssp_auth_footer(struct gensec_security *gensec_security,
388 enum dcerpc_AuthLevel auth_level,
391 uint16_t data_and_pad_len = rpc_out->length
392 - DCERPC_RESPONSE_LENGTH
393 - DCERPC_AUTH_TRAILER_LENGTH;
397 if (!gensec_security) {
398 return NT_STATUS_INVALID_PARAMETER;
401 switch (auth_level) {
402 case DCERPC_AUTH_LEVEL_PRIVACY:
403 /* Data portion is encrypted. */
404 status = gensec_seal_packet(gensec_security,
407 + DCERPC_RESPONSE_LENGTH,
412 if (!NT_STATUS_IS_OK(status)) {
417 case DCERPC_AUTH_LEVEL_INTEGRITY:
418 /* Data is signed. */
419 status = gensec_sign_packet(gensec_security,
422 + DCERPC_RESPONSE_LENGTH,
427 if (!NT_STATUS_IS_OK(status)) {
434 smb_panic("bad auth level");
436 return NT_STATUS_INVALID_PARAMETER;
439 /* Finally attach the blob. */
440 if (!data_blob_append(NULL, rpc_out,
441 auth_blob.data, auth_blob.length)) {
442 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
443 (unsigned int)auth_blob.length));
444 return NT_STATUS_NO_MEMORY;
446 data_blob_free(&auth_blob);
451 /*******************************************************************
452 Check/unseal the NTLMSSP auth data. (Unseal in place).
453 ********************************************************************/
455 static NTSTATUS get_ntlmssp_auth_footer(struct gensec_security *gensec_security,
456 enum dcerpc_AuthLevel auth_level,
457 DATA_BLOB *data, DATA_BLOB *full_pkt,
458 DATA_BLOB *auth_token)
460 switch (auth_level) {
461 case DCERPC_AUTH_LEVEL_PRIVACY:
462 /* Data portion is encrypted. */
463 return gensec_unseal_packet(gensec_security,
470 case DCERPC_AUTH_LEVEL_INTEGRITY:
471 /* Data is signed. */
472 return gensec_check_packet(gensec_security,
480 return NT_STATUS_INVALID_PARAMETER;
484 /*******************************************************************
485 Create and add the schannel sign/seal auth data.
486 ********************************************************************/
488 static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
489 enum dcerpc_AuthLevel auth_level,
492 uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
493 size_t data_and_pad_len = rpc_out->length
494 - DCERPC_RESPONSE_LENGTH
495 - DCERPC_AUTH_TRAILER_LENGTH;
500 return NT_STATUS_INVALID_PARAMETER;
503 DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
506 switch (auth_level) {
507 case DCERPC_AUTH_LEVEL_PRIVACY:
508 status = netsec_outgoing_packet(sas,
515 case DCERPC_AUTH_LEVEL_INTEGRITY:
516 status = netsec_outgoing_packet(sas,
524 status = NT_STATUS_INTERNAL_ERROR;
528 if (!NT_STATUS_IS_OK(status)) {
529 DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
534 if (DEBUGLEVEL >= 10) {
535 dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob);
538 /* Finally attach the blob. */
539 if (!data_blob_append(NULL, rpc_out,
540 auth_blob.data, auth_blob.length)) {
541 return NT_STATUS_NO_MEMORY;
543 data_blob_free(&auth_blob);
548 /*******************************************************************
549 Check/unseal the Schannel auth data. (Unseal in place).
550 ********************************************************************/
552 static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
553 struct schannel_state *auth_state,
554 enum dcerpc_AuthLevel auth_level,
555 DATA_BLOB *data, DATA_BLOB *full_pkt,
556 DATA_BLOB *auth_token)
558 switch (auth_level) {
559 case DCERPC_AUTH_LEVEL_PRIVACY:
560 /* Data portion is encrypted. */
561 return netsec_incoming_packet(auth_state,
567 case DCERPC_AUTH_LEVEL_INTEGRITY:
568 /* Data is signed. */
569 return netsec_incoming_packet(auth_state,
576 return NT_STATUS_INVALID_PARAMETER;
580 /*******************************************************************
581 Create and add the gssapi sign/seal auth data.
582 ********************************************************************/
584 static NTSTATUS add_gssapi_auth_footer(struct gse_context *gse_ctx,
585 enum dcerpc_AuthLevel auth_level,
593 return NT_STATUS_INVALID_PARAMETER;
596 data.data = rpc_out->data + DCERPC_RESPONSE_LENGTH;
597 data.length = rpc_out->length - DCERPC_RESPONSE_LENGTH
598 - DCERPC_AUTH_TRAILER_LENGTH;
600 switch (auth_level) {
601 case DCERPC_AUTH_LEVEL_PRIVACY:
602 status = gse_seal(talloc_tos(), gse_ctx, &data, &auth_blob);
604 case DCERPC_AUTH_LEVEL_INTEGRITY:
605 status = gse_sign(talloc_tos(), gse_ctx, &data, &auth_blob);
608 status = NT_STATUS_INTERNAL_ERROR;
612 if (!NT_STATUS_IS_OK(status)) {
613 DEBUG(1, ("Failed to process packet: %s\n",
618 /* Finally attach the blob. */
619 if (!data_blob_append(NULL, rpc_out,
620 auth_blob.data, auth_blob.length)) {
621 return NT_STATUS_NO_MEMORY;
624 data_blob_free(&auth_blob);
629 /*******************************************************************
630 Check/unseal the gssapi auth data. (Unseal in place).
631 ********************************************************************/
633 static NTSTATUS get_gssapi_auth_footer(TALLOC_CTX *mem_ctx,
634 struct gse_context *gse_ctx,
635 enum dcerpc_AuthLevel auth_level,
636 DATA_BLOB *data, DATA_BLOB *full_pkt,
637 DATA_BLOB *auth_token)
639 /* TODO: pass in full_pkt when
640 * DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN is set */
641 switch (auth_level) {
642 case DCERPC_AUTH_LEVEL_PRIVACY:
643 /* Data portion is encrypted. */
644 return gse_unseal(mem_ctx, gse_ctx,
647 case DCERPC_AUTH_LEVEL_INTEGRITY:
648 /* Data is signed. */
649 return gse_sigcheck(mem_ctx, gse_ctx,
652 return NT_STATUS_INVALID_PARAMETER;
656 /*******************************************************************
657 Create and add the spnego-negotiated sign/seal auth data.
658 ********************************************************************/
660 static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx,
661 enum dcerpc_AuthLevel auth_level,
669 return NT_STATUS_INVALID_PARAMETER;
672 rpc_data = data_blob_const(rpc_out->data
673 + DCERPC_RESPONSE_LENGTH,
675 - DCERPC_RESPONSE_LENGTH
676 - DCERPC_AUTH_TRAILER_LENGTH);
678 switch (auth_level) {
679 case DCERPC_AUTH_LEVEL_PRIVACY:
680 /* Data portion is encrypted. */
681 status = spnego_seal(rpc_out->data, spnego_ctx,
682 &rpc_data, rpc_out, &auth_blob);
685 if (!NT_STATUS_IS_OK(status)) {
690 case DCERPC_AUTH_LEVEL_INTEGRITY:
691 /* Data is signed. */
692 status = spnego_sign(rpc_out->data, spnego_ctx,
693 &rpc_data, rpc_out, &auth_blob);
696 if (!NT_STATUS_IS_OK(status)) {
703 smb_panic("bad auth level");
705 return NT_STATUS_INVALID_PARAMETER;
708 /* Finally attach the blob. */
709 if (!data_blob_append(NULL, rpc_out,
710 auth_blob.data, auth_blob.length)) {
711 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
712 (unsigned int)auth_blob.length));
713 return NT_STATUS_NO_MEMORY;
715 data_blob_free(&auth_blob);
720 static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx,
721 struct spnego_context *sp_ctx,
722 enum dcerpc_AuthLevel auth_level,
723 DATA_BLOB *data, DATA_BLOB *full_pkt,
724 DATA_BLOB *auth_token)
726 switch (auth_level) {
727 case DCERPC_AUTH_LEVEL_PRIVACY:
728 /* Data portion is encrypted. */
729 return spnego_unseal(mem_ctx, sp_ctx,
730 data, full_pkt, auth_token);
732 case DCERPC_AUTH_LEVEL_INTEGRITY:
733 /* Data is signed. */
734 return spnego_sigcheck(mem_ctx, sp_ctx,
735 data, full_pkt, auth_token);
738 return NT_STATUS_INVALID_PARAMETER;
743 * @brief Append an auth footer according to what is the current mechanism
745 * @param auth The pipe_auth_data associated with the connection
746 * @param pad_len The padding used in the packet
747 * @param rpc_out Packet blob up to and including the auth header
749 * @return A NTSTATUS error code.
751 NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
752 size_t pad_len, DATA_BLOB *rpc_out)
754 struct schannel_state *schannel_auth;
755 struct gensec_security *gensec_security;
756 struct spnego_context *spnego_ctx;
757 struct gse_context *gse_ctx;
758 char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
763 if (auth->auth_type == DCERPC_AUTH_TYPE_NONE ||
764 auth->auth_type == DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM) {
769 /* Copy the sign/seal padding data. */
770 if (!data_blob_append(NULL, rpc_out, pad, pad_len)) {
771 return NT_STATUS_NO_MEMORY;
775 /* marshall the dcerpc_auth with an actually empty auth_blob.
776 * This is needed because the ntmlssp signature includes the
777 * auth header. We will append the actual blob later. */
778 auth_blob = data_blob_null;
779 status = dcerpc_push_dcerpc_auth(rpc_out->data,
786 if (!NT_STATUS_IS_OK(status)) {
790 /* append the header */
791 if (!data_blob_append(NULL, rpc_out,
792 auth_info.data, auth_info.length)) {
793 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
794 (unsigned int)auth_info.length));
795 return NT_STATUS_NO_MEMORY;
797 data_blob_free(&auth_info);
799 /* Generate any auth sign/seal and add the auth footer. */
800 switch (auth->auth_type) {
801 case DCERPC_AUTH_TYPE_NONE:
802 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
803 status = NT_STATUS_OK;
805 case DCERPC_AUTH_TYPE_SPNEGO:
806 spnego_ctx = talloc_get_type_abort(auth->auth_ctx,
807 struct spnego_context);
808 status = add_spnego_auth_footer(spnego_ctx,
809 auth->auth_level, rpc_out);
811 case DCERPC_AUTH_TYPE_NTLMSSP:
812 gensec_security = talloc_get_type_abort(auth->auth_ctx,
813 struct gensec_security);
814 status = add_ntlmssp_auth_footer(gensec_security,
818 case DCERPC_AUTH_TYPE_SCHANNEL:
819 schannel_auth = talloc_get_type_abort(auth->auth_ctx,
820 struct schannel_state);
821 status = add_schannel_auth_footer(schannel_auth,
825 case DCERPC_AUTH_TYPE_KRB5:
826 gse_ctx = talloc_get_type_abort(auth->auth_ctx,
828 status = add_gssapi_auth_footer(gse_ctx,
833 status = NT_STATUS_INVALID_PARAMETER;
841 * @brief Check authentication for request/response packets
843 * @param auth The auth data for the connection
844 * @param pkt The actual ncacn_packet
845 * @param pkt_trailer The stub_and_verifier part of the packet
846 * @param header_size The header size
847 * @param raw_pkt The whole raw packet data blob
848 * @param pad_len [out] The padding length used in the packet
850 * @return A NTSTATUS error code
852 NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
853 struct ncacn_packet *pkt,
854 DATA_BLOB *pkt_trailer,
859 struct schannel_state *schannel_auth;
860 struct gensec_security *gensec_security;
861 struct spnego_context *spnego_ctx;
862 struct gse_context *gse_ctx;
864 struct dcerpc_auth auth_info;
865 uint32_t auth_length;
869 switch (auth->auth_level) {
870 case DCERPC_AUTH_LEVEL_PRIVACY:
871 DEBUG(10, ("Requested Privacy.\n"));
874 case DCERPC_AUTH_LEVEL_INTEGRITY:
875 DEBUG(10, ("Requested Integrity.\n"));
878 case DCERPC_AUTH_LEVEL_CONNECT:
879 if (pkt->auth_length != 0) {
885 case DCERPC_AUTH_LEVEL_NONE:
886 if (pkt->auth_length != 0) {
887 DEBUG(3, ("Got non-zero auth len on non "
888 "authenticated connection!\n"));
889 return NT_STATUS_INVALID_PARAMETER;
895 DEBUG(3, ("Unimplemented Auth Level %d",
897 return NT_STATUS_INVALID_PARAMETER;
900 /* Paranioa checks for auth_length. */
901 if (pkt->auth_length > pkt->frag_length) {
902 return NT_STATUS_INFO_LENGTH_MISMATCH;
904 if (((unsigned int)pkt->auth_length
905 + DCERPC_AUTH_TRAILER_LENGTH < (unsigned int)pkt->auth_length) ||
906 ((unsigned int)pkt->auth_length
907 + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
908 /* Integer wrap attempt. */
909 return NT_STATUS_INFO_LENGTH_MISMATCH;
912 status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer,
913 &auth_info, &auth_length, false);
914 if (!NT_STATUS_IS_OK(status)) {
918 data = data_blob_const(raw_pkt->data + header_size,
919 pkt_trailer->length - auth_length);
920 full_pkt = data_blob_const(raw_pkt->data,
921 raw_pkt->length - auth_info.credentials.length);
923 switch (auth->auth_type) {
924 case DCERPC_AUTH_TYPE_NONE:
925 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
928 case DCERPC_AUTH_TYPE_SPNEGO:
929 spnego_ctx = talloc_get_type_abort(auth->auth_ctx,
930 struct spnego_context);
931 status = get_spnego_auth_footer(pkt, spnego_ctx,
934 &auth_info.credentials);
935 if (!NT_STATUS_IS_OK(status)) {
940 case DCERPC_AUTH_TYPE_NTLMSSP:
942 DEBUG(10, ("NTLMSSP auth\n"));
944 gensec_security = talloc_get_type_abort(auth->auth_ctx,
945 struct gensec_security);
946 status = get_ntlmssp_auth_footer(gensec_security,
949 &auth_info.credentials);
950 if (!NT_STATUS_IS_OK(status)) {
955 case DCERPC_AUTH_TYPE_SCHANNEL:
957 DEBUG(10, ("SCHANNEL auth\n"));
959 schannel_auth = talloc_get_type_abort(auth->auth_ctx,
960 struct schannel_state);
961 status = get_schannel_auth_footer(pkt, schannel_auth,
964 &auth_info.credentials);
965 if (!NT_STATUS_IS_OK(status)) {
970 case DCERPC_AUTH_TYPE_KRB5:
972 DEBUG(10, ("KRB5 auth\n"));
974 gse_ctx = talloc_get_type_abort(auth->auth_ctx,
976 status = get_gssapi_auth_footer(pkt, gse_ctx,
979 &auth_info.credentials);
980 if (!NT_STATUS_IS_OK(status)) {
986 DEBUG(0, ("process_request_pdu: "
987 "unknown auth type %u set.\n",
988 (unsigned int)auth->auth_type));
989 return NT_STATUS_INVALID_PARAMETER;
992 /* TODO: remove later
993 * this is still needed because in the server code the
994 * pkt_trailer actually has a copy of the raw data, and they
995 * are still both used in later calls */
996 if (auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
997 memcpy(pkt_trailer->data, data.data, data.length);
1000 *pad_len = auth_info.auth_pad_length;
1001 data_blob_free(&auth_info.credentials);
1002 return NT_STATUS_OK;