search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-dcerpc: finally remove the legaqcy spnego_type variable from pipe_auth_data
[Samba/gbeck.git] / source3 / librpc / rpc / dcerpc_helpers.c
blobc83668f9b8e4abbaa8a1620492cac878bd923220
1 /*
2 * DCERPC Helper routines
3 * Günther Deschner <gd@samba.org> 2010.
4 * Simo Sorce <idra@samba.org> 2010.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20
21 #include "includes.h"
22 #include "librpc/rpc/dcerpc.h"
23 #include "librpc/gen_ndr/ndr_dcerpc.h"
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "../libcli/auth/schannel.h"
26 #include "../libcli/auth/spnego.h"
27 #include "../libcli/auth/ntlmssp.h"
28 #include "ntlmssp_wrap.h"
29 #include "librpc/crypto/gse.h"
30 #include "librpc/crypto/spnego.h"
31
32 #undef DBGC_CLASS
33 #define DBGC_CLASS DBGC_RPC_PARSE
34
35 /**
36 * @brief NDR Encodes a ncacn_packet
37 *
38 * @param mem_ctx The memory context the blob will be allocated on
39 * @param ptype The DCERPC packet type
40 * @param pfc_flags The DCERPC PFC Falgs
41 * @param auth_length The length of the trailing auth blob
42 * @param call_id The call ID
43 * @param u The payload of the packet
44 * @param blob [out] The encoded blob if successful
45 *
46 * @return an NTSTATUS error code
47 */
48 NTSTATUS dcerpc_push_ncacn_packet(TALLOC_CTX *mem_ctx,
49 enum dcerpc_pkt_type ptype,
50 uint8_t pfc_flags,
51 uint16_t auth_length,
52 uint32_t call_id,
53 union dcerpc_payload *u,
54 DATA_BLOB *blob)
55 {
56 struct ncacn_packet r;
57 enum ndr_err_code ndr_err;
58
59 r.rpc_vers = 5;
60 r.rpc_vers_minor = 0;
61 r.ptype = ptype;
62 r.pfc_flags = pfc_flags;
63 r.drep[0] = DCERPC_DREP_LE;
64 r.drep[1] = 0;
65 r.drep[2] = 0;
66 r.drep[3] = 0;
67 r.auth_length = auth_length;
68 r.call_id = call_id;
69 r.u = *u;
70
71 ndr_err = ndr_push_struct_blob(blob, mem_ctx, &r,
72 (ndr_push_flags_fn_t)ndr_push_ncacn_packet);
73 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
74 return ndr_map_error2ntstatus(ndr_err);
75 }
76
77 dcerpc_set_frag_length(blob, blob->length);
78
79
80 if (DEBUGLEVEL >= 10) {
81 /* set frag len for print function */
82 r.frag_length = blob->length;
83 NDR_PRINT_DEBUG(ncacn_packet, &r);
84 }
85
86 return NT_STATUS_OK;
87 }
88
89 /**
90 * @brief Decodes a ncacn_packet
91 *
92 * @param mem_ctx The memory context on which to allocate the packet
93 * elements
94 * @param blob The blob of data to decode
95 * @param r An empty ncacn_packet, must not be NULL
96 * @param bigendian Whether the packet is bignedian encoded
97 *
98 * @return a NTSTATUS error code
99 */
100 NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
101 const DATA_BLOB *blob,
102 struct ncacn_packet *r,
103 bool bigendian)
104 {
105 enum ndr_err_code ndr_err;
106 struct ndr_pull *ndr;
107
108 ndr = ndr_pull_init_blob(blob, mem_ctx);
109 if (!ndr) {
110 return NT_STATUS_NO_MEMORY;
111 }
112 if (bigendian) {
113 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
114 }
115
116 ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, r);
117
118 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
119 talloc_free(ndr);
120 return ndr_map_error2ntstatus(ndr_err);
121 }
122 talloc_free(ndr);
123
124 if (DEBUGLEVEL >= 10) {
125 NDR_PRINT_DEBUG(ncacn_packet, r);
126 }
127
128 return NT_STATUS_OK;
129 }
130
131 /**
132 * @brief NDR Encodes a NL_AUTH_MESSAGE
133 *
134 * @param mem_ctx The memory context the blob will be allocated on
135 * @param r The NL_AUTH_MESSAGE to encode
136 * @param blob [out] The encoded blob if successful
137 *
138 * @return a NTSTATUS error code
139 */
140 NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
141 struct NL_AUTH_MESSAGE *r,
142 DATA_BLOB *blob)
143 {
144 enum ndr_err_code ndr_err;
145
146 ndr_err = ndr_push_struct_blob(blob, mem_ctx, r,
147 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
148 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
149 return ndr_map_error2ntstatus(ndr_err);
150 }
151
152 if (DEBUGLEVEL >= 10) {
153 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, r);
154 }
155
156 return NT_STATUS_OK;
157 }
158
159 /**
160 * @brief NDR Encodes a dcerpc_auth structure
161 *
162 * @param mem_ctx The memory context the blob will be allocated on
163 * @param auth_type The DCERPC Authentication Type
164 * @param auth_level The DCERPC Authentication Level
165 * @param auth_pad_length The padding added to the packet this blob will be
166 * appended to.
167 * @param auth_context_id The context id
168 * @param credentials The authentication credentials blob (signature)
169 * @param blob [out] The encoded blob if successful
170 *
171 * @return a NTSTATUS error code
172 */
173 NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
174 enum dcerpc_AuthType auth_type,
175 enum dcerpc_AuthLevel auth_level,
176 uint8_t auth_pad_length,
177 uint32_t auth_context_id,
178 const DATA_BLOB *credentials,
179 DATA_BLOB *blob)
180 {
181 struct dcerpc_auth r;
182 enum ndr_err_code ndr_err;
183
184 r.auth_type = auth_type;
185 r.auth_level = auth_level;
186 r.auth_pad_length = auth_pad_length;
187 r.auth_reserved = 0;
188 r.auth_context_id = auth_context_id;
189 r.credentials = *credentials;
190
191 ndr_err = ndr_push_struct_blob(blob, mem_ctx, &r,
192 (ndr_push_flags_fn_t)ndr_push_dcerpc_auth);
193 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
194 return ndr_map_error2ntstatus(ndr_err);
195 }
196
197 if (DEBUGLEVEL >= 10) {
198 NDR_PRINT_DEBUG(dcerpc_auth, &r);
199 }
200
201 return NT_STATUS_OK;
202 }
203
204 /**
205 * @brief Decodes a dcerpc_auth blob
206 *
207 * @param mem_ctx The memory context on which to allocate the packet
208 * elements
209 * @param blob The blob of data to decode
210 * @param r An empty dcerpc_auth structure, must not be NULL
211 *
212 * @return a NTSTATUS error code
213 */
214 NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
215 const DATA_BLOB *blob,
216 struct dcerpc_auth *r,
217 bool bigendian)
218 {
219 enum ndr_err_code ndr_err;
220 struct ndr_pull *ndr;
221
222 ndr = ndr_pull_init_blob(blob, mem_ctx);
223 if (!ndr) {
224 return NT_STATUS_NO_MEMORY;
225 }
226 if (bigendian) {
227 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
228 }
229
230 ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, r);
231
232 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
233 talloc_free(ndr);
234 return ndr_map_error2ntstatus(ndr_err);
235 }
236 talloc_free(ndr);
237
238 if (DEBUGLEVEL >= 10) {
239 NDR_PRINT_DEBUG(dcerpc_auth, r);
240 }
241
242 return NT_STATUS_OK;
243 }
244
245 /**
246 * @brief Calculate how much data we can in a packet, including calculating
247 * auth token and pad lengths.
248 *
249 * @param auth The pipe_auth_data structure for this pipe.
250 * @param header_len The length of the packet header
251 * @param data_left The data left in the send buffer
252 * @param max_xmit_frag The max fragment size.
253 * @param pad_alignment The NDR padding size.
254 * @param data_to_send [out] The max data we will send in the pdu
255 * @param frag_len [out] The total length of the fragment
256 * @param auth_len [out] The length of the auth trailer
257 * @param pad_len [out] The padding to be applied
258 *
259 * @return A NT Error status code.
260 */
261 NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
262 size_t header_len, size_t data_left,
263 size_t max_xmit_frag, size_t pad_alignment,
264 size_t *data_to_send, size_t *frag_len,
265 size_t *auth_len, size_t *pad_len)
266 {
267 size_t max_len;
268 size_t mod_len;
269 struct gse_context *gse_ctx;
270 enum spnego_mech auth_type;
271 void *auth_ctx;
272 bool seal = false;
273 NTSTATUS status;
274
275 /* no auth token cases first */
276 switch (auth->auth_level) {
277 case DCERPC_AUTH_LEVEL_NONE:
278 case DCERPC_AUTH_LEVEL_CONNECT:
279 case DCERPC_AUTH_LEVEL_PACKET:
280 max_len = max_xmit_frag - header_len;
281 *data_to_send = MIN(max_len, data_left);
282 *pad_len = 0;
283 *auth_len = 0;
284 *frag_len = header_len + *data_to_send;
285 return NT_STATUS_OK;
286
287 case DCERPC_AUTH_LEVEL_PRIVACY:
288 seal = true;
289 break;
290
291 case DCERPC_AUTH_LEVEL_INTEGRITY:
292 break;
293
294 default:
295 return NT_STATUS_INVALID_PARAMETER;
296 }
297
298
299 /* Sign/seal case, calculate auth and pad lengths */
300
301 max_len = max_xmit_frag - header_len - DCERPC_AUTH_TRAILER_LENGTH;
302
303 /* Treat the same for all authenticated rpc requests. */
304 switch (auth->auth_type) {
305 case DCERPC_AUTH_TYPE_SPNEGO:
306
307 status = spnego_get_negotiated_mech(auth->a_u.spnego_state,
308 &auth_type, &auth_ctx);
309 if (!NT_STATUS_IS_OK(status)) {
310 return status;
311 }
312 switch (auth_type) {
313 case SPNEGO_NTLMSSP:
314 *auth_len = NTLMSSP_SIG_SIZE;
315 break;
316
317 case SPNEGO_KRB5:
318 gse_ctx = talloc_get_type(auth_ctx,
319 struct gse_context);
320 if (!gse_ctx) {
321 return NT_STATUS_INVALID_PARAMETER;
322 }
323 *auth_len = gse_get_signature_length(gse_ctx,
324 seal, max_len);
325 break;
326
327 default:
328 return NT_STATUS_INVALID_PARAMETER;
329 }
330 break;
331
332 case DCERPC_AUTH_TYPE_NTLMSSP:
333 *auth_len = NTLMSSP_SIG_SIZE;
334 break;
335
336 case DCERPC_AUTH_TYPE_SCHANNEL:
337 *auth_len = NL_AUTH_SIGNATURE_SIZE;
338 break;
339
340 case DCERPC_AUTH_TYPE_KRB5:
341 *auth_len = gse_get_signature_length(auth->a_u.gssapi_state,
342 seal, max_len);
343 break;
344
345 default:
346 return NT_STATUS_INVALID_PARAMETER;
347 }
348
349 max_len -= *auth_len;
350
351 *data_to_send = MIN(max_len, data_left);
352
353 mod_len = (header_len + *data_to_send) % pad_alignment;
354 if (mod_len) {
355 *pad_len = pad_alignment - mod_len;
356 } else {
357 *pad_len = 0;
358 }
359
360 if (*data_to_send + *pad_len > max_len) {
361 *data_to_send -= pad_alignment;
362 }
363
364 *frag_len = header_len + *data_to_send + *pad_len
365 + DCERPC_AUTH_TRAILER_LENGTH + *auth_len;
366
367 return NT_STATUS_OK;
368 }
369
370 /*******************************************************************
371 Create and add the NTLMSSP sign/seal auth data.
372 ********************************************************************/
373
374 static NTSTATUS add_ntlmssp_auth_footer(struct auth_ntlmssp_state *auth_state,
375 enum dcerpc_AuthLevel auth_level,
376 DATA_BLOB *rpc_out)
377 {
378 uint16_t data_and_pad_len = rpc_out->length
379 - DCERPC_RESPONSE_LENGTH
380 - DCERPC_AUTH_TRAILER_LENGTH;
381 DATA_BLOB auth_blob;
382 NTSTATUS status;
383
384 if (!auth_state) {
385 return NT_STATUS_INVALID_PARAMETER;
386 }
387
388 switch (auth_level) {
389 case DCERPC_AUTH_LEVEL_PRIVACY:
390 /* Data portion is encrypted. */
391 status = auth_ntlmssp_seal_packet(auth_state,
392 rpc_out->data,
393 rpc_out->data
394 + DCERPC_RESPONSE_LENGTH,
395 data_and_pad_len,
396 rpc_out->data,
397 rpc_out->length,
398 &auth_blob);
399 if (!NT_STATUS_IS_OK(status)) {
400 return status;
401 }
402 break;
403
404 case DCERPC_AUTH_LEVEL_INTEGRITY:
405 /* Data is signed. */
406 status = auth_ntlmssp_sign_packet(auth_state,
407 rpc_out->data,
408 rpc_out->data
409 + DCERPC_RESPONSE_LENGTH,
410 data_and_pad_len,
411 rpc_out->data,
412 rpc_out->length,
413 &auth_blob);
414 if (!NT_STATUS_IS_OK(status)) {
415 return status;
416 }
417 break;
418
419 default:
420 /* Can't happen. */
421 smb_panic("bad auth level");
422 /* Notreached. */
423 return NT_STATUS_INVALID_PARAMETER;
424 }
425
426 /* Finally attach the blob. */
427 if (!data_blob_append(NULL, rpc_out,
428 auth_blob.data, auth_blob.length)) {
429 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
430 (unsigned int)auth_blob.length));
431 return NT_STATUS_NO_MEMORY;
432 }
433 data_blob_free(&auth_blob);
434
435 return NT_STATUS_OK;
436 }
437
438 /*******************************************************************
439 Check/unseal the NTLMSSP auth data. (Unseal in place).
440 ********************************************************************/
441
442 static NTSTATUS get_ntlmssp_auth_footer(struct auth_ntlmssp_state *auth_state,
443 enum dcerpc_AuthLevel auth_level,
444 DATA_BLOB *data, DATA_BLOB *full_pkt,
445 DATA_BLOB *auth_token)
446 {
447 switch (auth_level) {
448 case DCERPC_AUTH_LEVEL_PRIVACY:
449 /* Data portion is encrypted. */
450 return auth_ntlmssp_unseal_packet(auth_state,
451 data->data,
452 data->length,
453 full_pkt->data,
454 full_pkt->length,
455 auth_token);
456
457 case DCERPC_AUTH_LEVEL_INTEGRITY:
458 /* Data is signed. */
459 return auth_ntlmssp_check_packet(auth_state,
460 data->data,
461 data->length,
462 full_pkt->data,
463 full_pkt->length,
464 auth_token);
465
466 default:
467 return NT_STATUS_INVALID_PARAMETER;
468 }
469 }
470
471 /*******************************************************************
472 Create and add the schannel sign/seal auth data.
473 ********************************************************************/
474
475 static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
476 enum dcerpc_AuthLevel auth_level,
477 DATA_BLOB *rpc_out)
478 {
479 uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
480 size_t data_and_pad_len = rpc_out->length
481 - DCERPC_RESPONSE_LENGTH
482 - DCERPC_AUTH_TRAILER_LENGTH;
483 DATA_BLOB auth_blob;
484 NTSTATUS status;
485
486 if (!sas) {
487 return NT_STATUS_INVALID_PARAMETER;
488 }
489
490 DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
491 sas->seq_num));
492
493 switch (auth_level) {
494 case DCERPC_AUTH_LEVEL_PRIVACY:
495 status = netsec_outgoing_packet(sas,
496 rpc_out->data,
497 true,
498 data_p,
499 data_and_pad_len,
500 &auth_blob);
501 break;
502 case DCERPC_AUTH_LEVEL_INTEGRITY:
503 status = netsec_outgoing_packet(sas,
504 rpc_out->data,
505 false,
506 data_p,
507 data_and_pad_len,
508 &auth_blob);
509 break;
510 default:
511 status = NT_STATUS_INTERNAL_ERROR;
512 break;
513 }
514
515 if (!NT_STATUS_IS_OK(status)) {
516 DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
517 nt_errstr(status)));
518 return status;
519 }
520
521 if (DEBUGLEVEL >= 10) {
522 dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob);
523 }
524
525 /* Finally attach the blob. */
526 if (!data_blob_append(NULL, rpc_out,
527 auth_blob.data, auth_blob.length)) {
528 return NT_STATUS_NO_MEMORY;
529 }
530 data_blob_free(&auth_blob);
531
532 return NT_STATUS_OK;
533 }
534
535 /*******************************************************************
536 Check/unseal the Schannel auth data. (Unseal in place).
537 ********************************************************************/
538
539 static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
540 struct schannel_state *auth_state,
541 enum dcerpc_AuthLevel auth_level,
542 DATA_BLOB *data, DATA_BLOB *full_pkt,
543 DATA_BLOB *auth_token)
544 {
545 switch (auth_level) {
546 case DCERPC_AUTH_LEVEL_PRIVACY:
547 /* Data portion is encrypted. */
548 return netsec_incoming_packet(auth_state,
549 mem_ctx, true,
550 data->data,
551 data->length,
552 auth_token);
553
554 case DCERPC_AUTH_LEVEL_INTEGRITY:
555 /* Data is signed. */
556 return netsec_incoming_packet(auth_state,
557 mem_ctx, false,
558 data->data,
559 data->length,
560 auth_token);
561
562 default:
563 return NT_STATUS_INVALID_PARAMETER;
564 }
565 }
566
567 /*******************************************************************
568 Create and add the gssapi sign/seal auth data.
569 ********************************************************************/
570
571 static NTSTATUS add_gssapi_auth_footer(struct gse_context *gse_ctx,
572 enum dcerpc_AuthLevel auth_level,
573 DATA_BLOB *rpc_out)
574 {
575 DATA_BLOB data;
576 DATA_BLOB auth_blob;
577 NTSTATUS status;
578
579 if (!gse_ctx) {
580 return NT_STATUS_INVALID_PARAMETER;
581 }
582
583 data.data = rpc_out->data + DCERPC_RESPONSE_LENGTH;
584 data.length = rpc_out->length - DCERPC_RESPONSE_LENGTH
585 - DCERPC_AUTH_TRAILER_LENGTH;
586
587 switch (auth_level) {
588 case DCERPC_AUTH_LEVEL_PRIVACY:
589 status = gse_seal(talloc_tos(), gse_ctx, &data, &auth_blob);
590 break;
591 case DCERPC_AUTH_LEVEL_INTEGRITY:
592 status = gse_sign(talloc_tos(), gse_ctx, &data, &auth_blob);
593 break;
594 default:
595 status = NT_STATUS_INTERNAL_ERROR;
596 break;
597 }
598
599 if (!NT_STATUS_IS_OK(status)) {
600 DEBUG(1, ("Failed to process packet: %s\n",
601 nt_errstr(status)));
602 return status;
603 }
604
605 /* Finally attach the blob. */
606 if (!data_blob_append(NULL, rpc_out,
607 auth_blob.data, auth_blob.length)) {
608 return NT_STATUS_NO_MEMORY;
609 }
610
611 data_blob_free(&auth_blob);
612
613 return NT_STATUS_OK;
614 }
615
616 /*******************************************************************
617 Check/unseal the gssapi auth data. (Unseal in place).
618 ********************************************************************/
619
620 static NTSTATUS get_gssapi_auth_footer(TALLOC_CTX *mem_ctx,
621 struct gse_context *gse_ctx,
622 enum dcerpc_AuthLevel auth_level,
623 DATA_BLOB *data, DATA_BLOB *full_pkt,
624 DATA_BLOB *auth_token)
625 {
626 /* TODO: pass in full_pkt when
627 * DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN is set */
628 switch (auth_level) {
629 case DCERPC_AUTH_LEVEL_PRIVACY:
630 /* Data portion is encrypted. */
631 return gse_unseal(mem_ctx, gse_ctx,
632 data, auth_token);
633
634 case DCERPC_AUTH_LEVEL_INTEGRITY:
635 /* Data is signed. */
636 return gse_sigcheck(mem_ctx, gse_ctx,
637 data, auth_token);
638 default:
639 return NT_STATUS_INVALID_PARAMETER;
640 }
641 }
642
643 /*******************************************************************
644 Create and add the spnego-negotiated sign/seal auth data.
645 ********************************************************************/
646
647 static NTSTATUS add_spnego_auth_footer(struct spnego_context *spnego_ctx,
648 enum dcerpc_AuthLevel auth_level,
649 DATA_BLOB *rpc_out)
650 {
651 enum spnego_mech auth_type;
652 struct gse_context *gse_ctx;
653 struct auth_ntlmssp_state *ntlmssp_ctx;
654 void *auth_ctx;
655 NTSTATUS status;
656
657 if (!spnego_ctx) {
658 return NT_STATUS_INVALID_PARAMETER;
659 }
660
661 status = spnego_get_negotiated_mech(spnego_ctx,
662 &auth_type, &auth_ctx);
663 if (!NT_STATUS_IS_OK(status)) {
664 return status;
665 }
666
667 switch (auth_type) {
668 case SPNEGO_KRB5:
669 gse_ctx = talloc_get_type(auth_ctx, struct gse_context);
670 if (!gse_ctx) {
671 status = NT_STATUS_INTERNAL_ERROR;
672 break;
673 }
674 status = add_gssapi_auth_footer(gse_ctx,
675 auth_level, rpc_out);
676 break;
677
678 case SPNEGO_NTLMSSP:
679 ntlmssp_ctx = talloc_get_type(auth_ctx,
680 struct auth_ntlmssp_state);
681 if (!ntlmssp_ctx) {
682 status = NT_STATUS_INTERNAL_ERROR;
683 break;
684 }
685 status = add_ntlmssp_auth_footer(ntlmssp_ctx,
686 auth_level, rpc_out);
687 break;
688
689 default:
690 status = NT_STATUS_INTERNAL_ERROR;
691 break;
692 }
693
694 return status;
695 }
696
697 static NTSTATUS get_spnego_auth_footer(TALLOC_CTX *mem_ctx,
698 struct spnego_context *sp_ctx,
699 enum dcerpc_AuthLevel auth_level,
700 DATA_BLOB *data, DATA_BLOB *full_pkt,
701 DATA_BLOB *auth_token)
702 {
703 enum spnego_mech auth_type;
704 struct auth_ntlmssp_state *ntlmssp_ctx;
705 struct gse_context *gse_ctx;
706 void *auth_ctx;
707 NTSTATUS status;
708
709 status = spnego_get_negotiated_mech(sp_ctx, &auth_type, &auth_ctx);
710 if (!NT_STATUS_IS_OK(status)) {
711 return status;
712 }
713
714 switch (auth_type) {
715 case SPNEGO_KRB5:
716 gse_ctx = talloc_get_type(auth_ctx,
717 struct gse_context);
718 if (!gse_ctx) {
719 return NT_STATUS_INVALID_PARAMETER;
720 }
721
722 DEBUG(10, ("KRB5 auth\n"));
723
724 return get_gssapi_auth_footer(mem_ctx, gse_ctx,
725 auth_level,
726 data, full_pkt,
727 auth_token);
728 case SPNEGO_NTLMSSP:
729 ntlmssp_ctx = talloc_get_type(auth_ctx,
730 struct auth_ntlmssp_state);
731 if (!ntlmssp_ctx) {
732 return NT_STATUS_INVALID_PARAMETER;
733 }
734
735 DEBUG(10, ("NTLMSSP auth\n"));
736
737 return get_ntlmssp_auth_footer(ntlmssp_ctx,
738 auth_level,
739 data, full_pkt,
740 auth_token);
741 default:
742 return NT_STATUS_INVALID_PARAMETER;
743 }
744 }
745
746 /**
747 * @brief Append an auth footer according to what is the current mechanism
748 *
749 * @param auth The pipe_auth_data associated with the connection
750 * @param pad_len The padding used in the packet
751 * @param rpc_out Packet blob up to and including the auth header
752 *
753 * @return A NTSTATUS error code.
754 */
755 NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
756 size_t pad_len, DATA_BLOB *rpc_out)
757 {
758 char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
759 DATA_BLOB auth_info;
760 DATA_BLOB auth_blob;
761 NTSTATUS status;
762
763 if (auth->auth_type == DCERPC_AUTH_TYPE_NONE) {
764 return NT_STATUS_OK;
765 }
766
767 if (pad_len) {
768 /* Copy the sign/seal padding data. */
769 if (!data_blob_append(NULL, rpc_out, pad, pad_len)) {
770 return NT_STATUS_NO_MEMORY;
771 }
772 }
773
774 /* marshall the dcerpc_auth with an actually empty auth_blob.
775 * This is needed because the ntmlssp signature includes the
776 * auth header. We will append the actual blob later. */
777 auth_blob = data_blob_null;
778 status = dcerpc_push_dcerpc_auth(rpc_out->data,
779 auth->auth_type,
780 auth->auth_level,
781 pad_len,
782 1 /* context id. */,
783 &auth_blob,
784 &auth_info);
785 if (!NT_STATUS_IS_OK(status)) {
786 return status;
787 }
788
789 /* append the header */
790 if (!data_blob_append(NULL, rpc_out,
791 auth_info.data, auth_info.length)) {
792 DEBUG(0, ("Failed to add %u bytes auth blob.\n",
793 (unsigned int)auth_info.length));
794 return NT_STATUS_NO_MEMORY;
795 }
796 data_blob_free(&auth_info);
797
798 /* Generate any auth sign/seal and add the auth footer. */
799 switch (auth->auth_type) {
800 case DCERPC_AUTH_TYPE_NONE:
801 status = NT_STATUS_OK;
802 break;
803 case DCERPC_AUTH_TYPE_SPNEGO:
804 status = add_spnego_auth_footer(auth->a_u.spnego_state,
805 auth->auth_level, rpc_out);
806 break;
807 case DCERPC_AUTH_TYPE_NTLMSSP:
808 status = add_ntlmssp_auth_footer(auth->a_u.auth_ntlmssp_state,
809 auth->auth_level,
810 rpc_out);
811 break;
812 case DCERPC_AUTH_TYPE_SCHANNEL:
813 status = add_schannel_auth_footer(auth->a_u.schannel_auth,
814 auth->auth_level,
815 rpc_out);
816 break;
817 case DCERPC_AUTH_TYPE_KRB5:
818 status = add_gssapi_auth_footer(auth->a_u.gssapi_state,
819 auth->auth_level,
820 rpc_out);
821 break;
822 default:
823 status = NT_STATUS_INVALID_PARAMETER;
824 break;
825 }
826
827 return status;
828 }
829
830 /**
831 * @brief Check authentication for request/response packets
832 *
833 * @param auth The auth data for the connection
834 * @param pkt The actual ncacn_packet
835 * @param pkt_trailer The stub_and_verifier part of the packet
836 * @param header_size The header size
837 * @param raw_pkt The whole raw packet data blob
838 * @param pad_len [out] The padding length used in the packet
839 *
840 * @return A NTSTATUS error code
841 */
842 NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
843 struct ncacn_packet *pkt,
844 DATA_BLOB *pkt_trailer,
845 size_t header_size,
846 DATA_BLOB *raw_pkt,
847 size_t *pad_len)
848 {
849 NTSTATUS status;
850 struct dcerpc_auth auth_info;
851 uint32_t auth_length;
852 DATA_BLOB full_pkt;
853 DATA_BLOB data;
854
855 switch (auth->auth_level) {
856 case DCERPC_AUTH_LEVEL_PRIVACY:
857 DEBUG(10, ("Requested Privacy.\n"));
858 break;
859
860 case DCERPC_AUTH_LEVEL_INTEGRITY:
861 DEBUG(10, ("Requested Integrity.\n"));
862 break;
863
864 case DCERPC_AUTH_LEVEL_CONNECT:
865 if (pkt->auth_length != 0) {
866 break;
867 }
868 *pad_len = 0;
869 return NT_STATUS_OK;
870
871 case DCERPC_AUTH_LEVEL_NONE:
872 if (pkt->auth_length != 0) {
873 DEBUG(3, ("Got non-zero auth len on non "
874 "authenticated connection!\n"));
875 return NT_STATUS_INVALID_PARAMETER;
876 }
877 *pad_len = 0;
878 return NT_STATUS_OK;
879
880 default:
881 DEBUG(3, ("Unimplemented Auth Level %d",
882 auth->auth_level));
883 return NT_STATUS_INVALID_PARAMETER;
884 }
885
886 /* Paranioa checks for auth_length. */
887 if (pkt->auth_length > pkt->frag_length) {
888 return NT_STATUS_INFO_LENGTH_MISMATCH;
889 }
890 if (((unsigned int)pkt->auth_length
891 + DCERPC_AUTH_TRAILER_LENGTH < (unsigned int)pkt->auth_length) ||
892 ((unsigned int)pkt->auth_length
893 + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
894 /* Integer wrap attempt. */
895 return NT_STATUS_INFO_LENGTH_MISMATCH;
896 }
897
898 status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer,
899 &auth_info, &auth_length, false);
900 if (!NT_STATUS_IS_OK(status)) {
901 return status;
902 }
903
904 data = data_blob_const(raw_pkt->data + header_size,
905 pkt_trailer->length - auth_length);
906 full_pkt = data_blob_const(raw_pkt->data,
907 raw_pkt->length - auth_info.credentials.length);
908
909 switch (auth->auth_type) {
910 case DCERPC_AUTH_TYPE_NONE:
911 return NT_STATUS_OK;
912
913 case DCERPC_AUTH_TYPE_SPNEGO:
914
915 status = get_spnego_auth_footer(pkt, auth->a_u.spnego_state,
916 auth->auth_level,
917 &data, &full_pkt,
918 &auth_info.credentials);
919 if (!NT_STATUS_IS_OK(status)) {
920 return status;
921 }
922 break;
923
924 case DCERPC_AUTH_TYPE_NTLMSSP:
925
926 DEBUG(10, ("NTLMSSP auth\n"));
927
928 status = get_ntlmssp_auth_footer(auth->a_u.auth_ntlmssp_state,
929 auth->auth_level,
930 &data, &full_pkt,
931 &auth_info.credentials);
932 if (!NT_STATUS_IS_OK(status)) {
933 return status;
934 }
935 break;
936
937 case DCERPC_AUTH_TYPE_SCHANNEL:
938
939 DEBUG(10, ("SCHANNEL auth\n"));
940
941 status = get_schannel_auth_footer(pkt,
942 auth->a_u.schannel_auth,
943 auth->auth_level,
944 &data, &full_pkt,
945 &auth_info.credentials);
946 if (!NT_STATUS_IS_OK(status)) {
947 return status;
948 }
949 break;
950
951 case DCERPC_AUTH_TYPE_KRB5:
952
953 DEBUG(10, ("KRB5 auth\n"));
954
955 status = get_gssapi_auth_footer(pkt,
956 auth->a_u.gssapi_state,
957 auth->auth_level,
958 &data, &full_pkt,
959 &auth_info.credentials);
960 if (!NT_STATUS_IS_OK(status)) {
961 return status;
962 }
963 break;
964
965 default:
966 DEBUG(0, ("process_request_pdu: "
967 "unknown auth type %u set.\n",
968 (unsigned int)auth->auth_type));
969 return NT_STATUS_INVALID_PARAMETER;
970 }
971
972 /* TODO: remove later
973 * this is still needed because in the server code the
974 * pkt_trailer actually has a copy of the raw data, and they
975 * are still both used in later calls */
976 if (auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
977 memcpy(pkt_trailer->data, data.data, data.length);
978 }
979
980 *pad_len = auth_info.auth_pad_length;
981 data_blob_free(&auth_info.credentials);
982 return NT_STATUS_OK;
983 }
984
WIP