2 * DCERPC Helper routines
3 * Günther Deschner <gd@samba.org> 2010.
4 * Simo Sorce <idra@samba.org> 2010.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "librpc/rpc/dcerpc.h"
23 #include "librpc/gen_ndr/ndr_dcerpc.h"
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "../libcli/auth/schannel.h"
26 #include "../libcli/auth/spnego.h"
27 #include "../auth/ntlmssp/ntlmssp.h"
28 #include "ntlmssp_wrap.h"
29 #include "librpc/crypto/gse.h"
30 #include "librpc/crypto/spnego.h"
33 #define DBGC_CLASS DBGC_RPC_PARSE
36 * @brief NDR Encodes a ncacn_packet
38 * @param mem_ctx The memory context the blob will be allocated on
39 * @param ptype The DCERPC packet type
40 * @param pfc_flags The DCERPC PFC Falgs
41 * @param auth_length The length of the trailing auth blob
42 * @param call_id The call ID
43 * @param u The payload of the packet
44 * @param blob [out] The encoded blob if successful
46 * @return an NTSTATUS error code
48 NTSTATUS dcerpc_push_ncacn_packet(TALLOC_CTX *mem_ctx,
49 enum dcerpc_pkt_type ptype,
53 union dcerpc_payload *u,
56 struct ncacn_packet r;
57 enum ndr_err_code ndr_err;
62 r.pfc_flags = pfc_flags;
63 r.drep[0] = DCERPC_DREP_LE;
67 r.auth_length = auth_length;
71 ndr_err = ndr_push_struct_blob(blob, mem_ctx, &r,
72 (ndr_push_flags_fn_t)ndr_push_ncacn_packet);
73 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
74 return ndr_map_error2ntstatus(ndr_err);
77 dcerpc_set_frag_length(blob, blob->length);
80 if (DEBUGLEVEL >= 10) {
81 /* set frag len for print function */
82 r.frag_length = blob->length;
83 NDR_PRINT_DEBUG(ncacn_packet, &r);
90 * @brief Decodes a ncacn_packet
92 * @param mem_ctx The memory context on which to allocate the packet
94 * @param blob The blob of data to decode
95 * @param r An empty ncacn_packet, must not be NULL
96 * @param bigendian Whether the packet is bignedian encoded
98 * @return a NTSTATUS error code
100 NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
101 const DATA_BLOB *blob,
102 struct ncacn_packet *r,
105 enum ndr_err_code ndr_err;
106 struct ndr_pull *ndr;
108 ndr = ndr_pull_init_blob(blob, mem_ctx);
110 return NT_STATUS_NO_MEMORY;
113 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
116 ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r);
118 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
120 return ndr_map_error2ntstatus(ndr_err);
124 if (DEBUGLEVEL >= 10) {
125 NDR_PRINT_DEBUG(ncacn_packet, r);
132 * @brief NDR Encodes a NL_AUTH_MESSAGE
134 * @param mem_ctx The memory context the blob will be allocated on
135 * @param r The NL_AUTH_MESSAGE to encode
136 * @param blob [out] The encoded blob if successful
138 * @return a NTSTATUS error code
140 NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
141 struct NL_AUTH_MESSAGE *r,
144 enum ndr_err_code ndr_err;
146 ndr_err = ndr_push_struct_blob(blob, mem_ctx, r,
147 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
148 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
149 return ndr_map_error2ntstatus(ndr_err);
152 if (DEBUGLEVEL >= 10) {
153 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, r);
160 * @brief NDR Encodes a dcerpc_auth structure
162 * @param mem_ctx The memory context the blob will be allocated on
163 * @param auth_type The DCERPC Authentication Type
164 * @param auth_level The DCERPC Authentication Level
165 * @param auth_pad_length The padding added to the packet this blob will be
167 * @param auth_context_id The context id
168 * @param credentials The authentication credentials blob (signature)
169 * @param blob [out] The encoded blob if successful
171 * @return a NTSTATUS error code
173 NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
174 enum dcerpc_AuthType auth_type,
175 enum dcerpc_AuthLevel auth_level,
176 uint8_t auth_pad_length,
177 uint32_t auth_context_id,
178 const DATA_BLOB *credentials,
181 struct dcerpc_auth r;
182 enum ndr_err_code ndr_err;
184 r.auth_type = auth_type;
185 r.auth_level = auth_level;
186 r.auth_pad_length = auth_pad_length;
188 r.auth_context_id = auth_context_id;
189 r.credentials = *credentials;
191 ndr_err = ndr_push_struct_blob(blob, mem_ctx, &r,
192 (ndr_push_flags_fn_t)ndr_push_dcerpc_auth);
193 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
194 return ndr_map_error2ntstatus(ndr_err);
197 if (DEBUGLEVEL >= 10) {
198 NDR_PRINT_DEBUG(dcerpc_auth, &r);
205 * @brief Decodes a dcerpc_auth blob
207 * @param mem_ctx The memory context on which to allocate the packet
209 * @param blob The blob of data to decode
210 * @param r An empty dcerpc_auth structure, must not be NULL
212 * @return a NTSTATUS error code
214 NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
215 const DATA_BLOB *blob,
216 struct dcerpc_auth *r,
219 enum ndr_err_code ndr_err;
220 struct ndr_pull *ndr;
222 ndr = ndr_pull_init_blob(blob, mem_ctx);
224 return NT_STATUS_NO_MEMORY;
227 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
230 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, r);
232 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
234 return ndr_map_error2ntstatus(ndr_err);
238 if (DEBUGLEVEL >= 10) {
239 NDR_PRINT_DEBUG(dcerpc_auth, r);
246 * @brief Calculate how much data we can in a packet, including calculating
247 * auth token and pad lengths.
249 * @param auth The pipe_auth_data structure for this pipe.
250 * @param header_len The length of the packet header
251 * @param data_left The data left in the send buffer
252 * @param max_xmit_frag The max fragment size.
253 * @param pad_alignment The NDR padding size.
254 * @param data_to_send [out] The max data we will send in the pdu
255 * @param frag_len [out] The total length of the fragment
256 * @param auth_len [out] The length of the auth trailer
257 * @param pad_len [out] The padding to be applied
259 * @return A NT Error status code.
261 NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
262 size_t header_len, size_t data_left,
263 size_t max_xmit_frag, size_t pad_alignment,
264 size_t *data_to_send, size_t *frag_len,
265 size_t *auth_len, size_t *pad_len)
269 struct schannel_state *schannel_auth;
270 struct spnego_context *spnego_ctx;
271 struct gse_context *gse_ctx;
272 enum spnego_mech auth_type;
277 /* no auth token cases first */
278 switch (auth->auth_level) {
279 case DCERPC_AUTH_LEVEL_NONE:
280 case DCERPC_AUTH_LEVEL_CONNECT:
281 case DCERPC_AUTH_LEVEL_PACKET:
282 max_len = max_xmit_frag - header_len;
283 *data_to_send = MIN(max_len, data_left);
286 *frag_len = header_len + *data_to_send;
289 case DCERPC_AUTH_LEVEL_PRIVACY:
293 case DCERPC_AUTH_LEVEL_INTEGRITY:
297 return NT_STATUS_INVALID_PARAMETER;
301 /* Sign/seal case, calculate auth and pad lengths */
303 max_len = max_xmit_frag - header_len - DCERPC_AUTH_TRAILER_LENGTH;
305 /* Treat the same for all authenticated rpc requests. */
306 switch (auth->auth_type) {
307 case DCERPC_AUTH_TYPE_SPNEGO:
308 spnego_ctx = talloc_get_type_abort(auth->auth_ctx,
309 struct spnego_context);
310 status = spnego_get_negotiated_mech(spnego_ctx,
311 &auth_type, &auth_ctx);
312 if (!NT_STATUS_IS_OK(status)) {
317 *auth_len = NTLMSSP_SIG_SIZE;
321 gse_ctx = talloc_get_type_abort(auth_ctx,
324 return NT_STATUS_INVALID_PARAMETER;
326 *auth_len = gse_get_signature_length(gse_ctx,
331 return NT_STATUS_INVALID_PARAMETER;
335 case DCERPC_AUTH_TYPE_NTLMSSP:
336 *auth_len = NTLMSSP_SIG_SIZE;
339 case DCERPC_AUTH_TYPE_SCHANNEL:
340 schannel_auth = talloc_get_type_abort(auth->auth_ctx,
341 struct schannel_state);
342 *auth_len = netsec_outgoing_sig_size(schannel_auth);
345 case DCERPC_AUTH_TYPE_KRB5:
346 gse_ctx = talloc_get_type_abort(auth->auth_ctx,
348 *auth_len = gse_get_signature_length(gse_ctx,
353 return NT_STATUS_INVALID_PARAMETER;
356 max_len -= *auth_len;
358 *data_to_send = MIN(max_len, data_left);
360 mod_len = (header_len + *data_to_send) % pad_alignment;
362 *pad_len = pad_alignment - mod_len;
367 if (*data_to_send + *pad_len > max_len) {
368 *data_to_send -= pad_alignment;
371 *frag_len = header_len + *data_to_send + *pad_len
372 + DCERPC_AUTH_TRAILER_LENGTH + *auth_len;
377 /*******************************************************************
378 Create and add the NTLMSSP sign/seal auth data.
379 ********************************************************************/
381 static NTSTATUS add_ntlmssp_auth_footer(struct auth_ntlmssp_state *auth_state,
382 enum dcerpc_AuthLevel auth_level,
385 uint16_t data_and_pad_len = rpc_out->length
386 - DCERPC_RESPONSE_LENGTH
387 - DCERPC_AUTH_TRAILER_LENGTH;
392 return NT_STATUS_INVALID_PARAMETER;
395 switch (auth_level) {
396 case DCERPC_AUTH_LEVEL_PRIVACY:
397 /* Data portion is encrypted. */
398 status = auth_ntlmssp_seal_packet(auth_state,
401 + DCERPC_RESPONSE_LENGTH,
406 if (!NT_STATUS_IS_OK(status)) {
411 case DCERPC_AUTH_LEVEL_INTEGRITY:
412 /* Data is signed. */
413 status = auth_ntlmssp_sign_packet(auth_state,
416 + DCERPC_RESPONSE_LENGTH,
421 if (!NT_STATUS_IS_OK(status)) {
428 smb_panic("bad auth level");
430 return NT_STATUS_INVALID_PARAMETER;
433 /* Finally attach the blob. */
434 if (!data_blob_append(NULL, rpc_out,
435 auth_blob.data, auth_blob.length)) {
436 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
437 (unsigned int)auth_blob.length));
438 return NT_STATUS_NO_MEMORY;
440 data_blob_free(&auth_blob);
445 /*******************************************************************
446 Check/unseal the NTLMSSP auth data. (Unseal in place).
447 ********************************************************************/
449 static NTSTATUS get_ntlmssp_auth_footer(struct auth_ntlmssp_state *auth_state,
450 enum dcerpc_AuthLevel auth_level,
451 DATA_BLOB *data, DATA_BLOB *full_pkt,
452 DATA_BLOB *auth_token)
454 switch (auth_level) {
455 case DCERPC_AUTH_LEVEL_PRIVACY:
456 /* Data portion is encrypted. */
457 return auth_ntlmssp_unseal_packet(auth_state,
464 case DCERPC_AUTH_LEVEL_INTEGRITY:
465 /* Data is signed. */
466 return auth_ntlmssp_check_packet(auth_state,
474 return NT_STATUS_INVALID_PARAMETER;
478 /*******************************************************************
479 Create and add the schannel sign/seal auth data.
480 ********************************************************************/
482 static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
483 enum dcerpc_AuthLevel auth_level,
486 uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
487 size_t data_and_pad_len = rpc_out->length
488 - DCERPC_RESPONSE_LENGTH
489 - DCERPC_AUTH_TRAILER_LENGTH;
494 return NT_STATUS_INVALID_PARAMETER;
497 DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
500 switch (auth_level) {
501 case DCERPC_AUTH_LEVEL_PRIVACY:
502 status = netsec_outgoing_packet(sas,
509 case DCERPC_AUTH_LEVEL_INTEGRITY:
510 status = netsec_outgoing_packet(sas,
518 status = NT_STATUS_INTERNAL_ERROR;
522 if (!NT_STATUS_IS_OK(status)) {
523 DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
528 if (DEBUGLEVEL >= 10) {
529 dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob);
532 /* Finally attach the blob. */
533 if (!data_blob_append(NULL, rpc_out,
534 auth_blob.data, auth_blob.length)) {
535 return NT_STATUS_NO_MEMORY;
537 data_blob_free(&auth_blob);
542 /*******************************************************************
543 Check/unseal the Schannel auth data. (Unseal in place).
544 ********************************************************************/
546 static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
547 struct schannel_state *auth_state,
548 enum dcerpc_AuthLevel auth_level,
549 DATA_BLOB *data, DATA_BLOB *full_pkt,
550 DATA_BLOB *auth_token)
552 switch (auth_level) {
553 case DCERPC_AUTH_LEVEL_PRIVACY:
554 /* Data portion is encrypted. */
555 return netsec_incoming_packet(auth_state,
561 case DCERPC_AUTH_LEVEL_INTEGRITY:
562 /* Data is signed. */
563 return netsec_incoming_packet(auth_state,
570 return NT_STATUS_INVALID_PARAMETER;
574 /*******************************************************************
575 Create and add the gssapi sign/seal auth data.
576 ********************************************************************/
578 static NTSTATUS add_gssapi_auth_footer(struct gse_context *gse_ctx,
579 enum dcerpc_AuthLevel auth_level,
587 return NT_STATUS_INVALID_PARAMETER;
590 data.data = rpc_out->data + DCERPC_RESPONSE_LENGTH;
591 data.length = rpc_out->length - DCERPC_RESPONSE_LENGTH
592 - DCERPC_AUTH_TRAILER_LENGTH;
594 switch (auth_level) {
595 case DCERPC_AUTH_LEVEL_PRIVACY:
596 status = gse_seal(talloc_tos(), gse_ctx, &data, &auth_blob);
598 case DCERPC_AUTH_LEVEL_INTEGRITY:
599 status = gse_sign(talloc_tos(), gse_ctx, &data, &auth_blob);
602 status = NT_STATUS_INTERNAL_ERROR;
606 if (!NT_STATUS_IS_OK(status)) {
607 DEBUG(1, ("Failed to process packet: %s\n",
612 /* Finally attach the blob. */
613 if (!data_blob_append(NULL, rpc_out,
614 auth_blob.data, auth_blob.length)) {
615 return NT_STATUS_NO_MEMORY;
618 data_blob_free(&auth_blob);
623 /*******************************************************************
624 Check/unseal the gssapi auth data. (Unseal in place).
625 ********************************************************************/
627 static NTSTATUS get_gssapi_auth_footer(TALLOC_CTX *mem_ctx,
628 struct gse_context *gse_ctx,
629 enum dcerpc_AuthLevel auth_level,
630 DATA_BLOB *data, DATA_BLOB *full_pkt,
631 DATA_BLOB *auth_token)
633 /* TODO: pass in full_pkt when
634 * DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN is set */
635 switch (auth_level) {
636 case DCERPC_AUTH_LEVEL_PRIVACY:
637 /* Data portion is encrypted. */
638 return gse_unseal(mem_ctx, gse_ctx,
641 case DCERPC_AUTH_LEVEL_INTEGRITY:
642 /* Data is signed. */
643 return gse_sigcheck(mem_ctx, gse_ctx,
646 return NT_STATUS_INVALID_PARAMETER;
650 /*******************************************************************
651 Create and add the spnego-negotiated sign/seal auth data.
652 ********************************************************************/
654 static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx,
655 enum dcerpc_AuthLevel auth_level,
663 return NT_STATUS_INVALID_PARAMETER;
666 rpc_data = data_blob_const(rpc_out->data
667 + DCERPC_RESPONSE_LENGTH,
669 - DCERPC_RESPONSE_LENGTH
670 - DCERPC_AUTH_TRAILER_LENGTH);
672 switch (auth_level) {
673 case DCERPC_AUTH_LEVEL_PRIVACY:
674 /* Data portion is encrypted. */
675 status = spnego_seal(rpc_out->data, spnego_ctx,
676 &rpc_data, rpc_out, &auth_blob);
679 if (!NT_STATUS_IS_OK(status)) {
684 case DCERPC_AUTH_LEVEL_INTEGRITY:
685 /* Data is signed. */
686 status = spnego_sign(rpc_out->data, spnego_ctx,
687 &rpc_data, rpc_out, &auth_blob);
690 if (!NT_STATUS_IS_OK(status)) {
697 smb_panic("bad auth level");
699 return NT_STATUS_INVALID_PARAMETER;
702 /* Finally attach the blob. */
703 if (!data_blob_append(NULL, rpc_out,
704 auth_blob.data, auth_blob.length)) {
705 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
706 (unsigned int)auth_blob.length));
707 return NT_STATUS_NO_MEMORY;
709 data_blob_free(&auth_blob);
714 static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx,
715 struct spnego_context *sp_ctx,
716 enum dcerpc_AuthLevel auth_level,
717 DATA_BLOB *data, DATA_BLOB *full_pkt,
718 DATA_BLOB *auth_token)
720 switch (auth_level) {
721 case DCERPC_AUTH_LEVEL_PRIVACY:
722 /* Data portion is encrypted. */
723 return spnego_unseal(mem_ctx, sp_ctx,
724 data, full_pkt, auth_token);
726 case DCERPC_AUTH_LEVEL_INTEGRITY:
727 /* Data is signed. */
728 return spnego_sigcheck(mem_ctx, sp_ctx,
729 data, full_pkt, auth_token);
732 return NT_STATUS_INVALID_PARAMETER;
737 * @brief Append an auth footer according to what is the current mechanism
739 * @param auth The pipe_auth_data associated with the connection
740 * @param pad_len The padding used in the packet
741 * @param rpc_out Packet blob up to and including the auth header
743 * @return A NTSTATUS error code.
745 NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
746 size_t pad_len, DATA_BLOB *rpc_out)
748 struct schannel_state *schannel_auth;
749 struct auth_ntlmssp_state *ntlmssp_ctx;
750 struct spnego_context *spnego_ctx;
751 struct gse_context *gse_ctx;
752 char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
757 if (auth->auth_type == DCERPC_AUTH_TYPE_NONE ||
758 auth->auth_type == DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM) {
763 /* Copy the sign/seal padding data. */
764 if (!data_blob_append(NULL, rpc_out, pad, pad_len)) {
765 return NT_STATUS_NO_MEMORY;
769 /* marshall the dcerpc_auth with an actually empty auth_blob.
770 * This is needed because the ntmlssp signature includes the
771 * auth header. We will append the actual blob later. */
772 auth_blob = data_blob_null;
773 status = dcerpc_push_dcerpc_auth(rpc_out->data,
780 if (!NT_STATUS_IS_OK(status)) {
784 /* append the header */
785 if (!data_blob_append(NULL, rpc_out,
786 auth_info.data, auth_info.length)) {
787 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
788 (unsigned int)auth_info.length));
789 return NT_STATUS_NO_MEMORY;
791 data_blob_free(&auth_info);
793 /* Generate any auth sign/seal and add the auth footer. */
794 switch (auth->auth_type) {
795 case DCERPC_AUTH_TYPE_NONE:
796 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
797 status = NT_STATUS_OK;
799 case DCERPC_AUTH_TYPE_SPNEGO:
800 spnego_ctx = talloc_get_type_abort(auth->auth_ctx,
801 struct spnego_context);
802 status = add_spnego_auth_footer(spnego_ctx,
803 auth->auth_level, rpc_out);
805 case DCERPC_AUTH_TYPE_NTLMSSP:
806 ntlmssp_ctx = talloc_get_type_abort(auth->auth_ctx,
807 struct auth_ntlmssp_state);
808 status = add_ntlmssp_auth_footer(ntlmssp_ctx,
812 case DCERPC_AUTH_TYPE_SCHANNEL:
813 schannel_auth = talloc_get_type_abort(auth->auth_ctx,
814 struct schannel_state);
815 status = add_schannel_auth_footer(schannel_auth,
819 case DCERPC_AUTH_TYPE_KRB5:
820 gse_ctx = talloc_get_type_abort(auth->auth_ctx,
822 status = add_gssapi_auth_footer(gse_ctx,
827 status = NT_STATUS_INVALID_PARAMETER;
835 * @brief Check authentication for request/response packets
837 * @param auth The auth data for the connection
838 * @param pkt The actual ncacn_packet
839 * @param pkt_trailer The stub_and_verifier part of the packet
840 * @param header_size The header size
841 * @param raw_pkt The whole raw packet data blob
842 * @param pad_len [out] The padding length used in the packet
844 * @return A NTSTATUS error code
846 NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
847 struct ncacn_packet *pkt,
848 DATA_BLOB *pkt_trailer,
853 struct schannel_state *schannel_auth;
854 struct auth_ntlmssp_state *ntlmssp_ctx;
855 struct spnego_context *spnego_ctx;
856 struct gse_context *gse_ctx;
858 struct dcerpc_auth auth_info;
859 uint32_t auth_length;
863 switch (auth->auth_level) {
864 case DCERPC_AUTH_LEVEL_PRIVACY:
865 DEBUG(10, ("Requested Privacy.\n"));
868 case DCERPC_AUTH_LEVEL_INTEGRITY:
869 DEBUG(10, ("Requested Integrity.\n"));
872 case DCERPC_AUTH_LEVEL_CONNECT:
873 if (pkt->auth_length != 0) {
879 case DCERPC_AUTH_LEVEL_NONE:
880 if (pkt->auth_length != 0) {
881 DEBUG(3, ("Got non-zero auth len on non "
882 "authenticated connection!\n"));
883 return NT_STATUS_INVALID_PARAMETER;
889 DEBUG(3, ("Unimplemented Auth Level %d",
891 return NT_STATUS_INVALID_PARAMETER;
894 /* Paranioa checks for auth_length. */
895 if (pkt->auth_length > pkt->frag_length) {
896 return NT_STATUS_INFO_LENGTH_MISMATCH;
898 if (((unsigned int)pkt->auth_length
899 + DCERPC_AUTH_TRAILER_LENGTH < (unsigned int)pkt->auth_length) ||
900 ((unsigned int)pkt->auth_length
901 + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
902 /* Integer wrap attempt. */
903 return NT_STATUS_INFO_LENGTH_MISMATCH;
906 status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer,
907 &auth_info, &auth_length, false);
908 if (!NT_STATUS_IS_OK(status)) {
912 data = data_blob_const(raw_pkt->data + header_size,
913 pkt_trailer->length - auth_length);
914 full_pkt = data_blob_const(raw_pkt->data,
915 raw_pkt->length - auth_info.credentials.length);
917 switch (auth->auth_type) {
918 case DCERPC_AUTH_TYPE_NONE:
919 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
922 case DCERPC_AUTH_TYPE_SPNEGO:
923 spnego_ctx = talloc_get_type_abort(auth->auth_ctx,
924 struct spnego_context);
925 status = get_spnego_auth_footer(pkt, spnego_ctx,
928 &auth_info.credentials);
929 if (!NT_STATUS_IS_OK(status)) {
934 case DCERPC_AUTH_TYPE_NTLMSSP:
936 DEBUG(10, ("NTLMSSP auth\n"));
938 ntlmssp_ctx = talloc_get_type_abort(auth->auth_ctx,
939 struct auth_ntlmssp_state);
940 status = get_ntlmssp_auth_footer(ntlmssp_ctx,
943 &auth_info.credentials);
944 if (!NT_STATUS_IS_OK(status)) {
949 case DCERPC_AUTH_TYPE_SCHANNEL:
951 DEBUG(10, ("SCHANNEL auth\n"));
953 schannel_auth = talloc_get_type_abort(auth->auth_ctx,
954 struct schannel_state);
955 status = get_schannel_auth_footer(pkt, schannel_auth,
958 &auth_info.credentials);
959 if (!NT_STATUS_IS_OK(status)) {
964 case DCERPC_AUTH_TYPE_KRB5:
966 DEBUG(10, ("KRB5 auth\n"));
968 gse_ctx = talloc_get_type_abort(auth->auth_ctx,
970 status = get_gssapi_auth_footer(pkt, gse_ctx,
973 &auth_info.credentials);
974 if (!NT_STATUS_IS_OK(status)) {
980 DEBUG(0, ("process_request_pdu: "
981 "unknown auth type %u set.\n",
982 (unsigned int)auth->auth_type));
983 return NT_STATUS_INVALID_PARAMETER;
986 /* TODO: remove later
987 * this is still needed because in the server code the
988 * pkt_trailer actually has a copy of the raw data, and they
989 * are still both used in later calls */
990 if (auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
991 memcpy(pkt_trailer->data, data.data, data.length);
994 *pad_len = auth_info.auth_pad_length;
995 data_blob_free(&auth_info.credentials);