2 * DCERPC Helper routines
3 * Günther Deschner <gd@samba.org> 2010.
4 * Simo Sorce <idra@samba.org> 2010.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "librpc/rpc/dcerpc.h"
23 #include "librpc/gen_ndr/ndr_dcerpc.h"
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "../libcli/auth/schannel.h"
26 #include "../libcli/auth/spnego.h"
27 #include "../libcli/auth/ntlmssp.h"
28 #include "ntlmssp_wrap.h"
29 #include "librpc/crypto/gse.h"
30 #include "librpc/crypto/spnego.h"
33 #define DBGC_CLASS DBGC_RPC_PARSE
36 * @brief NDR Encodes a ncacn_packet
38 * @param mem_ctx The memory context the blob will be allocated on
39 * @param ptype The DCERPC packet type
40 * @param pfc_flags The DCERPC PFC Falgs
41 * @param auth_length The length of the trailing auth blob
42 * @param call_id The call ID
43 * @param u The payload of the packet
44 * @param blob [out] The encoded blob if successful
46 * @return an NTSTATUS error code
48 NTSTATUS
dcerpc_push_ncacn_packet(TALLOC_CTX
*mem_ctx
,
49 enum dcerpc_pkt_type ptype
,
53 union dcerpc_payload
*u
,
56 struct ncacn_packet r
;
57 enum ndr_err_code ndr_err
;
62 r
.pfc_flags
= pfc_flags
;
63 r
.drep
[0] = DCERPC_DREP_LE
;
67 r
.auth_length
= auth_length
;
71 ndr_err
= ndr_push_struct_blob(blob
, mem_ctx
, &r
,
72 (ndr_push_flags_fn_t
)ndr_push_ncacn_packet
);
73 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
74 return ndr_map_error2ntstatus(ndr_err
);
77 dcerpc_set_frag_length(blob
, blob
->length
);
80 if (DEBUGLEVEL
>= 10) {
81 /* set frag len for print function */
82 r
.frag_length
= blob
->length
;
83 NDR_PRINT_DEBUG(ncacn_packet
, &r
);
90 * @brief Decodes a ncacn_packet
92 * @param mem_ctx The memory context on which to allocate the packet
94 * @param blob The blob of data to decode
95 * @param r An empty ncacn_packet, must not be NULL
96 * @param bigendian Whether the packet is bignedian encoded
98 * @return a NTSTATUS error code
100 NTSTATUS
dcerpc_pull_ncacn_packet(TALLOC_CTX
*mem_ctx
,
101 const DATA_BLOB
*blob
,
102 struct ncacn_packet
*r
,
105 enum ndr_err_code ndr_err
;
106 struct ndr_pull
*ndr
;
108 ndr
= ndr_pull_init_blob(blob
, mem_ctx
);
110 return NT_STATUS_NO_MEMORY
;
113 ndr
->flags
|= LIBNDR_FLAG_BIGENDIAN
;
116 ndr_err
= ndr_pull_ncacn_packet(ndr
, NDR_SCALARS
|NDR_BUFFERS
, r
);
118 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
120 return ndr_map_error2ntstatus(ndr_err
);
124 if (DEBUGLEVEL
>= 10) {
125 NDR_PRINT_DEBUG(ncacn_packet
, r
);
132 * @brief NDR Encodes a NL_AUTH_MESSAGE
134 * @param mem_ctx The memory context the blob will be allocated on
135 * @param r The NL_AUTH_MESSAGE to encode
136 * @param blob [out] The encoded blob if successful
138 * @return a NTSTATUS error code
140 NTSTATUS
dcerpc_push_schannel_bind(TALLOC_CTX
*mem_ctx
,
141 struct NL_AUTH_MESSAGE
*r
,
144 enum ndr_err_code ndr_err
;
146 ndr_err
= ndr_push_struct_blob(blob
, mem_ctx
, r
,
147 (ndr_push_flags_fn_t
)ndr_push_NL_AUTH_MESSAGE
);
148 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
149 return ndr_map_error2ntstatus(ndr_err
);
152 if (DEBUGLEVEL
>= 10) {
153 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE
, r
);
160 * @brief NDR Encodes a dcerpc_auth structure
162 * @param mem_ctx The memory context the blob will be allocated on
163 * @param auth_type The DCERPC Authentication Type
164 * @param auth_level The DCERPC Authentication Level
165 * @param auth_pad_length The padding added to the packet this blob will be
167 * @param auth_context_id The context id
168 * @param credentials The authentication credentials blob (signature)
169 * @param blob [out] The encoded blob if successful
171 * @return a NTSTATUS error code
173 NTSTATUS
dcerpc_push_dcerpc_auth(TALLOC_CTX
*mem_ctx
,
174 enum dcerpc_AuthType auth_type
,
175 enum dcerpc_AuthLevel auth_level
,
176 uint8_t auth_pad_length
,
177 uint32_t auth_context_id
,
178 const DATA_BLOB
*credentials
,
181 struct dcerpc_auth r
;
182 enum ndr_err_code ndr_err
;
184 r
.auth_type
= auth_type
;
185 r
.auth_level
= auth_level
;
186 r
.auth_pad_length
= auth_pad_length
;
188 r
.auth_context_id
= auth_context_id
;
189 r
.credentials
= *credentials
;
191 ndr_err
= ndr_push_struct_blob(blob
, mem_ctx
, &r
,
192 (ndr_push_flags_fn_t
)ndr_push_dcerpc_auth
);
193 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
194 return ndr_map_error2ntstatus(ndr_err
);
197 if (DEBUGLEVEL
>= 10) {
198 NDR_PRINT_DEBUG(dcerpc_auth
, &r
);
205 * @brief Decodes a dcerpc_auth blob
207 * @param mem_ctx The memory context on which to allocate the packet
209 * @param blob The blob of data to decode
210 * @param r An empty dcerpc_auth structure, must not be NULL
212 * @return a NTSTATUS error code
214 NTSTATUS
dcerpc_pull_dcerpc_auth(TALLOC_CTX
*mem_ctx
,
215 const DATA_BLOB
*blob
,
216 struct dcerpc_auth
*r
,
219 enum ndr_err_code ndr_err
;
220 struct ndr_pull
*ndr
;
222 ndr
= ndr_pull_init_blob(blob
, mem_ctx
);
224 return NT_STATUS_NO_MEMORY
;
227 ndr
->flags
|= LIBNDR_FLAG_BIGENDIAN
;
230 ndr_err
= ndr_pull_dcerpc_auth(ndr
, NDR_SCALARS
|NDR_BUFFERS
, r
);
232 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
234 return ndr_map_error2ntstatus(ndr_err
);
238 if (DEBUGLEVEL
>= 10) {
239 NDR_PRINT_DEBUG(dcerpc_auth
, r
);
246 * @brief Calculate how much data we can in a packet, including calculating
247 * auth token and pad lengths.
249 * @param auth The pipe_auth_data structure for this pipe.
250 * @param header_len The length of the packet header
251 * @param data_left The data left in the send buffer
252 * @param max_xmit_frag The max fragment size.
253 * @param pad_alignment The NDR padding size.
254 * @param data_to_send [out] The max data we will send in the pdu
255 * @param frag_len [out] The total length of the fragment
256 * @param auth_len [out] The length of the auth trailer
257 * @param pad_len [out] The padding to be applied
259 * @return A NT Error status code.
261 NTSTATUS
dcerpc_guess_sizes(struct pipe_auth_data
*auth
,
262 size_t header_len
, size_t data_left
,
263 size_t max_xmit_frag
, size_t pad_alignment
,
264 size_t *data_to_send
, size_t *frag_len
,
265 size_t *auth_len
, size_t *pad_len
)
269 struct spnego_context
*spnego_ctx
;
270 struct gse_context
*gse_ctx
;
271 enum spnego_mech auth_type
;
276 /* no auth token cases first */
277 switch (auth
->auth_level
) {
278 case DCERPC_AUTH_LEVEL_NONE
:
279 case DCERPC_AUTH_LEVEL_CONNECT
:
280 case DCERPC_AUTH_LEVEL_PACKET
:
281 max_len
= max_xmit_frag
- header_len
;
282 *data_to_send
= MIN(max_len
, data_left
);
285 *frag_len
= header_len
+ *data_to_send
;
288 case DCERPC_AUTH_LEVEL_PRIVACY
:
292 case DCERPC_AUTH_LEVEL_INTEGRITY
:
296 return NT_STATUS_INVALID_PARAMETER
;
300 /* Sign/seal case, calculate auth and pad lengths */
302 max_len
= max_xmit_frag
- header_len
- DCERPC_AUTH_TRAILER_LENGTH
;
304 /* Treat the same for all authenticated rpc requests. */
305 switch (auth
->auth_type
) {
306 case DCERPC_AUTH_TYPE_SPNEGO
:
307 spnego_ctx
= talloc_get_type_abort(auth
->auth_ctx
,
308 struct spnego_context
);
309 status
= spnego_get_negotiated_mech(spnego_ctx
,
310 &auth_type
, &auth_ctx
);
311 if (!NT_STATUS_IS_OK(status
)) {
316 *auth_len
= NTLMSSP_SIG_SIZE
;
320 gse_ctx
= talloc_get_type_abort(auth_ctx
,
323 return NT_STATUS_INVALID_PARAMETER
;
325 *auth_len
= gse_get_signature_length(gse_ctx
,
330 return NT_STATUS_INVALID_PARAMETER
;
334 case DCERPC_AUTH_TYPE_NTLMSSP
:
335 *auth_len
= NTLMSSP_SIG_SIZE
;
338 case DCERPC_AUTH_TYPE_SCHANNEL
:
339 *auth_len
= NL_AUTH_SIGNATURE_SIZE
;
342 case DCERPC_AUTH_TYPE_KRB5
:
343 gse_ctx
= talloc_get_type_abort(auth
->auth_ctx
,
345 *auth_len
= gse_get_signature_length(gse_ctx
,
350 return NT_STATUS_INVALID_PARAMETER
;
353 max_len
-= *auth_len
;
355 *data_to_send
= MIN(max_len
, data_left
);
357 mod_len
= (header_len
+ *data_to_send
) % pad_alignment
;
359 *pad_len
= pad_alignment
- mod_len
;
364 if (*data_to_send
+ *pad_len
> max_len
) {
365 *data_to_send
-= pad_alignment
;
368 *frag_len
= header_len
+ *data_to_send
+ *pad_len
369 + DCERPC_AUTH_TRAILER_LENGTH
+ *auth_len
;
374 /*******************************************************************
375 Create and add the NTLMSSP sign/seal auth data.
376 ********************************************************************/
378 static NTSTATUS
add_ntlmssp_auth_footer(struct auth_ntlmssp_state
*auth_state
,
379 enum dcerpc_AuthLevel auth_level
,
382 uint16_t data_and_pad_len
= rpc_out
->length
383 - DCERPC_RESPONSE_LENGTH
384 - DCERPC_AUTH_TRAILER_LENGTH
;
389 return NT_STATUS_INVALID_PARAMETER
;
392 switch (auth_level
) {
393 case DCERPC_AUTH_LEVEL_PRIVACY
:
394 /* Data portion is encrypted. */
395 status
= auth_ntlmssp_seal_packet(auth_state
,
398 + DCERPC_RESPONSE_LENGTH
,
403 if (!NT_STATUS_IS_OK(status
)) {
408 case DCERPC_AUTH_LEVEL_INTEGRITY
:
409 /* Data is signed. */
410 status
= auth_ntlmssp_sign_packet(auth_state
,
413 + DCERPC_RESPONSE_LENGTH
,
418 if (!NT_STATUS_IS_OK(status
)) {
425 smb_panic("bad auth level");
427 return NT_STATUS_INVALID_PARAMETER
;
430 /* Finally attach the blob. */
431 if (!data_blob_append(NULL
, rpc_out
,
432 auth_blob
.data
, auth_blob
.length
)) {
433 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
434 (unsigned int)auth_blob
.length
));
435 return NT_STATUS_NO_MEMORY
;
437 data_blob_free(&auth_blob
);
442 /*******************************************************************
443 Check/unseal the NTLMSSP auth data. (Unseal in place).
444 ********************************************************************/
446 static NTSTATUS
get_ntlmssp_auth_footer(struct auth_ntlmssp_state
*auth_state
,
447 enum dcerpc_AuthLevel auth_level
,
448 DATA_BLOB
*data
, DATA_BLOB
*full_pkt
,
449 DATA_BLOB
*auth_token
)
451 switch (auth_level
) {
452 case DCERPC_AUTH_LEVEL_PRIVACY
:
453 /* Data portion is encrypted. */
454 return auth_ntlmssp_unseal_packet(auth_state
,
461 case DCERPC_AUTH_LEVEL_INTEGRITY
:
462 /* Data is signed. */
463 return auth_ntlmssp_check_packet(auth_state
,
471 return NT_STATUS_INVALID_PARAMETER
;
475 /*******************************************************************
476 Create and add the schannel sign/seal auth data.
477 ********************************************************************/
479 static NTSTATUS
add_schannel_auth_footer(struct schannel_state
*sas
,
480 enum dcerpc_AuthLevel auth_level
,
483 uint8_t *data_p
= rpc_out
->data
+ DCERPC_RESPONSE_LENGTH
;
484 size_t data_and_pad_len
= rpc_out
->length
485 - DCERPC_RESPONSE_LENGTH
486 - DCERPC_AUTH_TRAILER_LENGTH
;
491 return NT_STATUS_INVALID_PARAMETER
;
494 DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
497 switch (auth_level
) {
498 case DCERPC_AUTH_LEVEL_PRIVACY
:
499 status
= netsec_outgoing_packet(sas
,
506 case DCERPC_AUTH_LEVEL_INTEGRITY
:
507 status
= netsec_outgoing_packet(sas
,
515 status
= NT_STATUS_INTERNAL_ERROR
;
519 if (!NT_STATUS_IS_OK(status
)) {
520 DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
525 if (DEBUGLEVEL
>= 10) {
526 dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob
);
529 /* Finally attach the blob. */
530 if (!data_blob_append(NULL
, rpc_out
,
531 auth_blob
.data
, auth_blob
.length
)) {
532 return NT_STATUS_NO_MEMORY
;
534 data_blob_free(&auth_blob
);
539 /*******************************************************************
540 Check/unseal the Schannel auth data. (Unseal in place).
541 ********************************************************************/
543 static NTSTATUS
get_schannel_auth_footer(TALLOC_CTX
*mem_ctx
,
544 struct schannel_state
*auth_state
,
545 enum dcerpc_AuthLevel auth_level
,
546 DATA_BLOB
*data
, DATA_BLOB
*full_pkt
,
547 DATA_BLOB
*auth_token
)
549 switch (auth_level
) {
550 case DCERPC_AUTH_LEVEL_PRIVACY
:
551 /* Data portion is encrypted. */
552 return netsec_incoming_packet(auth_state
,
558 case DCERPC_AUTH_LEVEL_INTEGRITY
:
559 /* Data is signed. */
560 return netsec_incoming_packet(auth_state
,
567 return NT_STATUS_INVALID_PARAMETER
;
571 /*******************************************************************
572 Create and add the gssapi sign/seal auth data.
573 ********************************************************************/
575 static NTSTATUS
add_gssapi_auth_footer(struct gse_context
*gse_ctx
,
576 enum dcerpc_AuthLevel auth_level
,
584 return NT_STATUS_INVALID_PARAMETER
;
587 data
.data
= rpc_out
->data
+ DCERPC_RESPONSE_LENGTH
;
588 data
.length
= rpc_out
->length
- DCERPC_RESPONSE_LENGTH
589 - DCERPC_AUTH_TRAILER_LENGTH
;
591 switch (auth_level
) {
592 case DCERPC_AUTH_LEVEL_PRIVACY
:
593 status
= gse_seal(talloc_tos(), gse_ctx
, &data
, &auth_blob
);
595 case DCERPC_AUTH_LEVEL_INTEGRITY
:
596 status
= gse_sign(talloc_tos(), gse_ctx
, &data
, &auth_blob
);
599 status
= NT_STATUS_INTERNAL_ERROR
;
603 if (!NT_STATUS_IS_OK(status
)) {
604 DEBUG(1, ("Failed to process packet: %s\n",
609 /* Finally attach the blob. */
610 if (!data_blob_append(NULL
, rpc_out
,
611 auth_blob
.data
, auth_blob
.length
)) {
612 return NT_STATUS_NO_MEMORY
;
615 data_blob_free(&auth_blob
);
620 /*******************************************************************
621 Check/unseal the gssapi auth data. (Unseal in place).
622 ********************************************************************/
624 static NTSTATUS
get_gssapi_auth_footer(TALLOC_CTX
*mem_ctx
,
625 struct gse_context
*gse_ctx
,
626 enum dcerpc_AuthLevel auth_level
,
627 DATA_BLOB
*data
, DATA_BLOB
*full_pkt
,
628 DATA_BLOB
*auth_token
)
630 /* TODO: pass in full_pkt when
631 * DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN is set */
632 switch (auth_level
) {
633 case DCERPC_AUTH_LEVEL_PRIVACY
:
634 /* Data portion is encrypted. */
635 return gse_unseal(mem_ctx
, gse_ctx
,
638 case DCERPC_AUTH_LEVEL_INTEGRITY
:
639 /* Data is signed. */
640 return gse_sigcheck(mem_ctx
, gse_ctx
,
643 return NT_STATUS_INVALID_PARAMETER
;
647 /*******************************************************************
648 Create and add the spnego-negotiated sign/seal auth data.
649 ********************************************************************/
651 static NTSTATUS
add_spnego_auth_footer(struct spnego_context
*spnego_ctx
,
652 enum dcerpc_AuthLevel auth_level
,
655 enum spnego_mech auth_type
;
656 struct gse_context
*gse_ctx
;
657 struct auth_ntlmssp_state
*ntlmssp_ctx
;
662 return NT_STATUS_INVALID_PARAMETER
;
665 status
= spnego_get_negotiated_mech(spnego_ctx
,
666 &auth_type
, &auth_ctx
);
667 if (!NT_STATUS_IS_OK(status
)) {
673 gse_ctx
= talloc_get_type(auth_ctx
, struct gse_context
);
675 status
= NT_STATUS_INTERNAL_ERROR
;
678 status
= add_gssapi_auth_footer(gse_ctx
,
679 auth_level
, rpc_out
);
683 ntlmssp_ctx
= talloc_get_type(auth_ctx
,
684 struct auth_ntlmssp_state
);
686 status
= NT_STATUS_INTERNAL_ERROR
;
689 status
= add_ntlmssp_auth_footer(ntlmssp_ctx
,
690 auth_level
, rpc_out
);
694 status
= NT_STATUS_INTERNAL_ERROR
;
701 static NTSTATUS
get_spnego_auth_footer(TALLOC_CTX
*mem_ctx
,
702 struct spnego_context
*sp_ctx
,
703 enum dcerpc_AuthLevel auth_level
,
704 DATA_BLOB
*data
, DATA_BLOB
*full_pkt
,
705 DATA_BLOB
*auth_token
)
707 enum spnego_mech auth_type
;
708 struct auth_ntlmssp_state
*ntlmssp_ctx
;
709 struct gse_context
*gse_ctx
;
713 status
= spnego_get_negotiated_mech(sp_ctx
, &auth_type
, &auth_ctx
);
714 if (!NT_STATUS_IS_OK(status
)) {
720 gse_ctx
= talloc_get_type(auth_ctx
,
723 return NT_STATUS_INVALID_PARAMETER
;
726 DEBUG(10, ("KRB5 auth\n"));
728 return get_gssapi_auth_footer(mem_ctx
, gse_ctx
,
733 ntlmssp_ctx
= talloc_get_type(auth_ctx
,
734 struct auth_ntlmssp_state
);
736 return NT_STATUS_INVALID_PARAMETER
;
739 DEBUG(10, ("NTLMSSP auth\n"));
741 return get_ntlmssp_auth_footer(ntlmssp_ctx
,
746 return NT_STATUS_INVALID_PARAMETER
;
751 * @brief Append an auth footer according to what is the current mechanism
753 * @param auth The pipe_auth_data associated with the connection
754 * @param pad_len The padding used in the packet
755 * @param rpc_out Packet blob up to and including the auth header
757 * @return A NTSTATUS error code.
759 NTSTATUS
dcerpc_add_auth_footer(struct pipe_auth_data
*auth
,
760 size_t pad_len
, DATA_BLOB
*rpc_out
)
762 struct schannel_state
*schannel_auth
;
763 struct auth_ntlmssp_state
*ntlmssp_ctx
;
764 struct spnego_context
*spnego_ctx
;
765 struct gse_context
*gse_ctx
;
766 char pad
[CLIENT_NDR_PADDING_SIZE
] = { 0, };
771 if (auth
->auth_type
== DCERPC_AUTH_TYPE_NONE
) {
776 /* Copy the sign/seal padding data. */
777 if (!data_blob_append(NULL
, rpc_out
, pad
, pad_len
)) {
778 return NT_STATUS_NO_MEMORY
;
782 /* marshall the dcerpc_auth with an actually empty auth_blob.
783 * This is needed because the ntmlssp signature includes the
784 * auth header. We will append the actual blob later. */
785 auth_blob
= data_blob_null
;
786 status
= dcerpc_push_dcerpc_auth(rpc_out
->data
,
793 if (!NT_STATUS_IS_OK(status
)) {
797 /* append the header */
798 if (!data_blob_append(NULL
, rpc_out
,
799 auth_info
.data
, auth_info
.length
)) {
800 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
801 (unsigned int)auth_info
.length
));
802 return NT_STATUS_NO_MEMORY
;
804 data_blob_free(&auth_info
);
806 /* Generate any auth sign/seal and add the auth footer. */
807 switch (auth
->auth_type
) {
808 case DCERPC_AUTH_TYPE_NONE
:
809 status
= NT_STATUS_OK
;
811 case DCERPC_AUTH_TYPE_SPNEGO
:
812 spnego_ctx
= talloc_get_type_abort(auth
->auth_ctx
,
813 struct spnego_context
);
814 status
= add_spnego_auth_footer(spnego_ctx
,
815 auth
->auth_level
, rpc_out
);
817 case DCERPC_AUTH_TYPE_NTLMSSP
:
818 ntlmssp_ctx
= talloc_get_type_abort(auth
->auth_ctx
,
819 struct auth_ntlmssp_state
);
820 status
= add_ntlmssp_auth_footer(ntlmssp_ctx
,
824 case DCERPC_AUTH_TYPE_SCHANNEL
:
825 schannel_auth
= talloc_get_type_abort(auth
->auth_ctx
,
826 struct schannel_state
);
827 status
= add_schannel_auth_footer(schannel_auth
,
831 case DCERPC_AUTH_TYPE_KRB5
:
832 gse_ctx
= talloc_get_type_abort(auth
->auth_ctx
,
834 status
= add_gssapi_auth_footer(gse_ctx
,
839 status
= NT_STATUS_INVALID_PARAMETER
;
847 * @brief Check authentication for request/response packets
849 * @param auth The auth data for the connection
850 * @param pkt The actual ncacn_packet
851 * @param pkt_trailer The stub_and_verifier part of the packet
852 * @param header_size The header size
853 * @param raw_pkt The whole raw packet data blob
854 * @param pad_len [out] The padding length used in the packet
856 * @return A NTSTATUS error code
858 NTSTATUS
dcerpc_check_auth(struct pipe_auth_data
*auth
,
859 struct ncacn_packet
*pkt
,
860 DATA_BLOB
*pkt_trailer
,
865 struct schannel_state
*schannel_auth
;
866 struct auth_ntlmssp_state
*ntlmssp_ctx
;
867 struct spnego_context
*spnego_ctx
;
868 struct gse_context
*gse_ctx
;
870 struct dcerpc_auth auth_info
;
871 uint32_t auth_length
;
875 switch (auth
->auth_level
) {
876 case DCERPC_AUTH_LEVEL_PRIVACY
:
877 DEBUG(10, ("Requested Privacy.\n"));
880 case DCERPC_AUTH_LEVEL_INTEGRITY
:
881 DEBUG(10, ("Requested Integrity.\n"));
884 case DCERPC_AUTH_LEVEL_CONNECT
:
885 if (pkt
->auth_length
!= 0) {
891 case DCERPC_AUTH_LEVEL_NONE
:
892 if (pkt
->auth_length
!= 0) {
893 DEBUG(3, ("Got non-zero auth len on non "
894 "authenticated connection!\n"));
895 return NT_STATUS_INVALID_PARAMETER
;
901 DEBUG(3, ("Unimplemented Auth Level %d",
903 return NT_STATUS_INVALID_PARAMETER
;
906 /* Paranioa checks for auth_length. */
907 if (pkt
->auth_length
> pkt
->frag_length
) {
908 return NT_STATUS_INFO_LENGTH_MISMATCH
;
910 if (((unsigned int)pkt
->auth_length
911 + DCERPC_AUTH_TRAILER_LENGTH
< (unsigned int)pkt
->auth_length
) ||
912 ((unsigned int)pkt
->auth_length
913 + DCERPC_AUTH_TRAILER_LENGTH
< DCERPC_AUTH_TRAILER_LENGTH
)) {
914 /* Integer wrap attempt. */
915 return NT_STATUS_INFO_LENGTH_MISMATCH
;
918 status
= dcerpc_pull_auth_trailer(pkt
, pkt
, pkt_trailer
,
919 &auth_info
, &auth_length
, false);
920 if (!NT_STATUS_IS_OK(status
)) {
924 data
= data_blob_const(raw_pkt
->data
+ header_size
,
925 pkt_trailer
->length
- auth_length
);
926 full_pkt
= data_blob_const(raw_pkt
->data
,
927 raw_pkt
->length
- auth_info
.credentials
.length
);
929 switch (auth
->auth_type
) {
930 case DCERPC_AUTH_TYPE_NONE
:
933 case DCERPC_AUTH_TYPE_SPNEGO
:
934 spnego_ctx
= talloc_get_type_abort(auth
->auth_ctx
,
935 struct spnego_context
);
936 status
= get_spnego_auth_footer(pkt
, spnego_ctx
,
939 &auth_info
.credentials
);
940 if (!NT_STATUS_IS_OK(status
)) {
945 case DCERPC_AUTH_TYPE_NTLMSSP
:
947 DEBUG(10, ("NTLMSSP auth\n"));
949 ntlmssp_ctx
= talloc_get_type_abort(auth
->auth_ctx
,
950 struct auth_ntlmssp_state
);
951 status
= get_ntlmssp_auth_footer(ntlmssp_ctx
,
954 &auth_info
.credentials
);
955 if (!NT_STATUS_IS_OK(status
)) {
960 case DCERPC_AUTH_TYPE_SCHANNEL
:
962 DEBUG(10, ("SCHANNEL auth\n"));
964 schannel_auth
= talloc_get_type_abort(auth
->auth_ctx
,
965 struct schannel_state
);
966 status
= get_schannel_auth_footer(pkt
, schannel_auth
,
969 &auth_info
.credentials
);
970 if (!NT_STATUS_IS_OK(status
)) {
975 case DCERPC_AUTH_TYPE_KRB5
:
977 DEBUG(10, ("KRB5 auth\n"));
979 gse_ctx
= talloc_get_type_abort(auth
->auth_ctx
,
981 status
= get_gssapi_auth_footer(pkt
, gse_ctx
,
984 &auth_info
.credentials
);
985 if (!NT_STATUS_IS_OK(status
)) {
991 DEBUG(0, ("process_request_pdu: "
992 "unknown auth type %u set.\n",
993 (unsigned int)auth
->auth_type
));
994 return NT_STATUS_INVALID_PARAMETER
;
997 /* TODO: remove later
998 * this is still needed because in the server code the
999 * pkt_trailer actually has a copy of the raw data, and they
1000 * are still both used in later calls */
1001 if (auth
->auth_level
== DCERPC_AUTH_LEVEL_PRIVACY
) {
1002 memcpy(pkt_trailer
->data
, data
.data
, data
.length
);
1005 *pad_len
= auth_info
.auth_pad_length
;
1006 data_blob_free(&auth_info
.credentials
);
1007 return NT_STATUS_OK
;