Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : server side dcerpc authentication code
5 :
6 : Copyright (C) Andrew Tridgell 2003
7 : Copyright (C) Stefan (metze) Metzmacher 2004
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 : #include "includes.h"
24 : #include "librpc/rpc/dcesrv_core.h"
25 : #include "librpc/rpc/dcesrv_core_proto.h"
26 : #include "librpc/rpc/dcerpc_util.h"
27 : #include "librpc/rpc/dcerpc_pkt_auth.h"
28 : #include "librpc/gen_ndr/ndr_dcerpc.h"
29 : #include "auth/credentials/credentials.h"
30 : #include "auth/gensec/gensec.h"
31 : #include "auth/auth.h"
32 : #include "param/param.h"
33 :
34 22530 : static NTSTATUS dcesrv_auth_negotiate_hdr_signing(struct dcesrv_call_state *call,
35 : struct ncacn_packet *pkt)
36 : {
37 22530 : struct dcesrv_connection *dce_conn = call->conn;
38 22530 : struct dcesrv_auth *a = NULL;
39 :
40 22530 : if (!(call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
41 16198 : return NT_STATUS_OK;
42 : }
43 :
44 6332 : if (dce_conn->client_hdr_signing) {
45 0 : if (dce_conn->negotiated_hdr_signing && pkt != NULL) {
46 0 : pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
47 : }
48 0 : return NT_STATUS_OK;
49 : }
50 :
51 6332 : dce_conn->client_hdr_signing = true;
52 6332 : dce_conn->negotiated_hdr_signing = dce_conn->support_hdr_signing;
53 :
54 6332 : if (!dce_conn->negotiated_hdr_signing) {
55 568 : return NT_STATUS_OK;
56 : }
57 :
58 5764 : if (pkt != NULL) {
59 5764 : pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
60 : }
61 :
62 5764 : a = call->conn->default_auth_state;
63 5764 : if (a->gensec_security != NULL) {
64 0 : gensec_want_feature(a->gensec_security,
65 : GENSEC_FEATURE_SIGN_PKT_HEADER);
66 : }
67 :
68 11522 : for (a = call->conn->auth_states; a != NULL; a = a->next) {
69 5758 : if (a->gensec_security == NULL) {
70 0 : continue;
71 : }
72 :
73 5758 : gensec_want_feature(a->gensec_security,
74 : GENSEC_FEATURE_SIGN_PKT_HEADER);
75 : }
76 :
77 5764 : return NT_STATUS_OK;
78 : }
79 :
80 7080 : static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
81 : {
82 7080 : struct dcesrv_connection *dce_conn = call->conn;
83 7080 : struct dcesrv_auth *auth = call->auth_state;
84 7080 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
85 : NTSTATUS status;
86 :
87 7080 : if (auth->auth_started) {
88 0 : return false;
89 : }
90 :
91 7080 : auth->auth_started = true;
92 :
93 7080 : if (auth->auth_invalid) {
94 0 : return false;
95 : }
96 :
97 7080 : if (auth->auth_finished) {
98 0 : return false;
99 : }
100 :
101 7080 : if (auth->gensec_security != NULL) {
102 0 : return false;
103 : }
104 :
105 7080 : switch (call->in_auth_info.auth_level) {
106 7056 : case DCERPC_AUTH_LEVEL_CONNECT:
107 : case DCERPC_AUTH_LEVEL_CALL:
108 : case DCERPC_AUTH_LEVEL_PACKET:
109 : case DCERPC_AUTH_LEVEL_INTEGRITY:
110 : case DCERPC_AUTH_LEVEL_PRIVACY:
111 : /*
112 : * We evaluate auth_type only if auth_level was valid
113 : */
114 7056 : break;
115 24 : default:
116 : /*
117 : * Setting DCERPC_AUTH_LEVEL_NONE,
118 : * gives the caller the reject_reason
119 : * as auth_context_id.
120 : *
121 : * Note: DCERPC_AUTH_LEVEL_NONE == 1
122 : */
123 24 : auth->auth_type = DCERPC_AUTH_TYPE_NONE;
124 24 : auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
125 24 : auth->auth_context_id = DCERPC_BIND_NAK_REASON_NOT_SPECIFIED;
126 24 : return false;
127 : }
128 :
129 7056 : auth->auth_type = call->in_auth_info.auth_type;
130 7056 : auth->auth_level = call->in_auth_info.auth_level;
131 7056 : auth->auth_context_id = call->in_auth_info.auth_context_id;
132 :
133 7056 : cb->auth.become_root();
134 7056 : status = cb->auth.gensec_prepare(
135 : auth,
136 : call,
137 : &auth->gensec_security,
138 : cb->auth.private_data);
139 7056 : cb->auth.unbecome_root();
140 7056 : if (!NT_STATUS_IS_OK(status)) {
141 0 : DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
142 : nt_errstr(status)));
143 0 : return false;
144 : }
145 :
146 : /*
147 : * We have to call this because we set the target_service for
148 : * Kerberos to NULL above, and in any case we wish to log a
149 : * more specific service target.
150 : *
151 : */
152 7056 : status = gensec_set_target_service_description(auth->gensec_security,
153 : "DCE/RPC");
154 7056 : if (!NT_STATUS_IS_OK(status)) {
155 0 : DEBUG(1, ("Failed to call gensec_set_target_service_description %s\n",
156 : nt_errstr(status)));
157 0 : return false;
158 : }
159 :
160 7056 : if (call->conn->remote_address != NULL) {
161 7056 : status = gensec_set_remote_address(auth->gensec_security,
162 7056 : call->conn->remote_address);
163 7056 : if (!NT_STATUS_IS_OK(status)) {
164 0 : DEBUG(1, ("Failed to call gensec_set_remote_address() %s\n",
165 : nt_errstr(status)));
166 0 : return false;
167 : }
168 : }
169 :
170 7056 : if (call->conn->local_address != NULL) {
171 7056 : status = gensec_set_local_address(auth->gensec_security,
172 7056 : call->conn->local_address);
173 7056 : if (!NT_STATUS_IS_OK(status)) {
174 0 : DEBUG(1, ("Failed to call gensec_set_local_address() %s\n",
175 : nt_errstr(status)));
176 0 : return false;
177 : }
178 : }
179 :
180 7056 : status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_type,
181 7056 : auth->auth_level);
182 7056 : if (!NT_STATUS_IS_OK(status)) {
183 12 : const char *backend_name =
184 18 : gensec_get_name_by_authtype(auth->gensec_security,
185 18 : auth->auth_type);
186 :
187 18 : DEBUG(3, ("Failed to start GENSEC mechanism for DCERPC server: "
188 : "auth_type=%d (%s), auth_level=%d: %s\n",
189 : (int)auth->auth_type, backend_name,
190 : (int)auth->auth_level,
191 : nt_errstr(status)));
192 :
193 : /*
194 : * Setting DCERPC_AUTH_LEVEL_NONE,
195 : * gives the caller the reject_reason
196 : * as auth_context_id.
197 : *
198 : * Note: DCERPC_AUTH_LEVEL_NONE == 1
199 : */
200 18 : auth->auth_type = DCERPC_AUTH_TYPE_NONE;
201 18 : auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
202 18 : if (backend_name != NULL) {
203 3 : auth->auth_context_id =
204 : DCERPC_BIND_NAK_REASON_INVALID_CHECKSUM;
205 : } else {
206 15 : auth->auth_context_id =
207 : DCERPC_BIND_NAK_REASON_INVALID_AUTH_TYPE;
208 : }
209 18 : return false;
210 : }
211 :
212 7038 : if (dce_conn->negotiated_hdr_signing) {
213 0 : gensec_want_feature(auth->gensec_security,
214 : GENSEC_FEATURE_SIGN_PKT_HEADER);
215 : }
216 :
217 7038 : return true;
218 : }
219 :
220 16867 : static void dcesrv_default_auth_state_finish_bind(struct dcesrv_call_state *call)
221 : {
222 16867 : SMB_ASSERT(call->pkt.ptype == DCERPC_PKT_BIND);
223 :
224 16867 : if (call->auth_state == call->conn->default_auth_state) {
225 10640 : return;
226 : }
227 :
228 6227 : if (call->conn->default_auth_state->auth_started) {
229 0 : return;
230 : }
231 :
232 6227 : if (call->conn->default_auth_state->auth_invalid) {
233 0 : return;
234 : }
235 :
236 6227 : call->conn->default_auth_state->auth_type = DCERPC_AUTH_TYPE_NONE;
237 6227 : call->conn->default_auth_state->auth_level = DCERPC_AUTH_LEVEL_NONE;
238 6227 : call->conn->default_auth_state->auth_context_id = 0;
239 6227 : call->conn->default_auth_state->auth_started = true;
240 6227 : call->conn->default_auth_state->auth_finished = true;
241 :
242 : /*
243 : *
244 : * We defer log_successful_dcesrv_authz_event()
245 : * to dcesrv_default_auth_state_prepare_request()
246 : *
247 : * As we don't want to trigger authz_events
248 : * just for alter_context requests without authentication
249 : */
250 : }
251 :
252 189531 : void dcesrv_default_auth_state_prepare_request(struct dcesrv_call_state *call)
253 : {
254 189531 : struct dcesrv_connection *dce_conn = call->conn;
255 189531 : struct dcesrv_auth *auth = call->auth_state;
256 189531 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
257 :
258 189531 : if (auth->auth_audited) {
259 113442 : return;
260 : }
261 :
262 76089 : if (call->pkt.ptype != DCERPC_PKT_REQUEST) {
263 0 : return;
264 : }
265 :
266 76089 : if (auth != dce_conn->default_auth_state) {
267 75455 : return;
268 : }
269 :
270 634 : if (auth->auth_invalid) {
271 0 : return;
272 : }
273 :
274 634 : if (!auth->auth_finished) {
275 0 : return;
276 : }
277 :
278 634 : if (cb->log.successful_authz == NULL) {
279 0 : return;
280 : }
281 :
282 634 : cb->log.successful_authz(call, cb->log.private_data);
283 : }
284 :
285 : /*
286 : parse any auth information from a dcerpc bind request
287 : return false if we can't handle the auth request for some
288 : reason (in which case we send a bind_nak)
289 : */
290 16912 : bool dcesrv_auth_bind(struct dcesrv_call_state *call)
291 : {
292 16912 : struct ncacn_packet *pkt = &call->pkt;
293 16912 : struct dcesrv_auth *auth = call->auth_state;
294 16912 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
295 : NTSTATUS status;
296 :
297 16912 : if (pkt->auth_length == 0) {
298 10010 : auth->auth_type = DCERPC_AUTH_TYPE_NONE;
299 10010 : auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
300 10010 : auth->auth_context_id = 0;
301 10010 : auth->auth_started = true;
302 :
303 10010 : if (cb->log.successful_authz != NULL) {
304 10010 : cb->log.successful_authz(call, cb->log.private_data);
305 : }
306 :
307 10010 : return true;
308 : }
309 :
310 6902 : status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.bind.auth_info,
311 : &call->in_auth_info,
312 : NULL, true);
313 6902 : if (!NT_STATUS_IS_OK(status)) {
314 : /*
315 : * Setting DCERPC_AUTH_LEVEL_NONE,
316 : * gives the caller the reject_reason
317 : * as auth_context_id.
318 : *
319 : * Note: DCERPC_AUTH_LEVEL_NONE == 1
320 : */
321 3 : auth->auth_type = DCERPC_AUTH_TYPE_NONE;
322 3 : auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
323 3 : auth->auth_context_id =
324 : DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED;
325 3 : return false;
326 : }
327 :
328 6899 : return dcesrv_auth_prepare_gensec(call);
329 : }
330 :
331 12508 : NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
332 : {
333 12508 : struct dcesrv_auth *auth = call->auth_state;
334 12508 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
335 12508 : const char *pdu = "<unknown>";
336 :
337 12508 : switch (call->pkt.ptype) {
338 6857 : case DCERPC_PKT_BIND:
339 6857 : pdu = "BIND";
340 6857 : break;
341 5522 : case DCERPC_PKT_ALTER:
342 5522 : pdu = "ALTER";
343 5522 : break;
344 129 : case DCERPC_PKT_AUTH3:
345 129 : pdu = "AUTH3";
346 129 : if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
347 0 : DEBUG(4, ("GENSEC not finished at at %s\n", pdu));
348 0 : return NT_STATUS_RPC_SEC_PKG_ERROR;
349 : }
350 129 : break;
351 0 : default:
352 0 : return NT_STATUS_INTERNAL_ERROR;
353 : }
354 :
355 12508 : if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
356 5497 : return NT_STATUS_OK;
357 : }
358 :
359 7011 : if (!NT_STATUS_IS_OK(status)) {
360 12 : DEBUG(4, ("GENSEC mech rejected the incoming authentication "
361 : "at %s: %s\n", pdu, nt_errstr(status)));
362 12 : return status;
363 : }
364 :
365 6999 : cb->auth.become_root();
366 6999 : status = gensec_session_info(auth->gensec_security,
367 : auth,
368 : &auth->session_info);
369 6999 : cb->auth.unbecome_root();
370 6999 : if (!NT_STATUS_IS_OK(status)) {
371 0 : DEBUG(1, ("Failed to establish session_info: %s\n",
372 : nt_errstr(status)));
373 0 : return status;
374 : }
375 6999 : auth->auth_finished = true;
376 :
377 7280 : if (auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT &&
378 477 : !call->conn->got_explicit_auth_level_connect)
379 : {
380 471 : call->conn->default_auth_level_connect = auth;
381 : }
382 :
383 6999 : if (call->pkt.ptype != DCERPC_PKT_AUTH3) {
384 6870 : return NT_STATUS_OK;
385 : }
386 :
387 129 : if (call->out_auth_info->credentials.length != 0) {
388 3 : DEBUG(4, ("GENSEC produced output token (len=%zu) at %s\n",
389 : call->out_auth_info->credentials.length, pdu));
390 3 : return NT_STATUS_RPC_SEC_PKG_ERROR;
391 : }
392 :
393 126 : return NT_STATUS_OK;
394 : }
395 :
396 : /*
397 : add any auth information needed in a bind ack, and process the authentication
398 : information found in the bind.
399 : */
400 16867 : NTSTATUS dcesrv_auth_prepare_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
401 : {
402 16867 : struct dcesrv_connection *dce_conn = call->conn;
403 16867 : struct dcesrv_auth *auth = call->auth_state;
404 : NTSTATUS status;
405 :
406 16867 : status = dcesrv_auth_negotiate_hdr_signing(call, pkt);
407 16867 : if (!NT_STATUS_IS_OK(status)) {
408 0 : return status;
409 : }
410 :
411 16867 : dce_conn->allow_alter = true;
412 16867 : dcesrv_default_auth_state_finish_bind(call);
413 :
414 16867 : if (call->pkt.auth_length == 0) {
415 10010 : auth->auth_finished = true;
416 10010 : return NT_STATUS_OK;
417 : }
418 :
419 : /* We can't work without an existing gensec state */
420 6857 : if (auth->gensec_security == NULL) {
421 0 : return NT_STATUS_INTERNAL_ERROR;
422 : }
423 :
424 6857 : call->_out_auth_info = (struct dcerpc_auth) {
425 6857 : .auth_type = auth->auth_type,
426 6857 : .auth_level = auth->auth_level,
427 6857 : .auth_context_id = auth->auth_context_id,
428 : };
429 6857 : call->out_auth_info = &call->_out_auth_info;
430 :
431 6857 : return NT_STATUS_OK;
432 : }
433 :
434 : /*
435 : process the final stage of a auth request
436 : */
437 132 : bool dcesrv_auth_prepare_auth3(struct dcesrv_call_state *call)
438 : {
439 132 : struct ncacn_packet *pkt = &call->pkt;
440 132 : struct dcesrv_auth *auth = call->auth_state;
441 : NTSTATUS status;
442 :
443 132 : if (pkt->auth_length == 0) {
444 0 : return false;
445 : }
446 :
447 132 : if (auth->auth_finished) {
448 0 : return false;
449 : }
450 :
451 132 : if (auth->auth_invalid) {
452 0 : return false;
453 : }
454 :
455 : /* We can't work without an existing gensec state */
456 132 : if (auth->gensec_security == NULL) {
457 0 : return false;
458 : }
459 :
460 132 : status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.auth3.auth_info,
461 : &call->in_auth_info, NULL, true);
462 132 : if (!NT_STATUS_IS_OK(status)) {
463 : /*
464 : * Windows returns DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY
465 : * instead of DCERPC_NCA_S_PROTO_ERROR.
466 : */
467 3 : call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
468 3 : return false;
469 : }
470 :
471 129 : if (call->in_auth_info.auth_type != auth->auth_type) {
472 0 : return false;
473 : }
474 :
475 129 : if (call->in_auth_info.auth_level != auth->auth_level) {
476 0 : return false;
477 : }
478 :
479 129 : if (call->in_auth_info.auth_context_id != auth->auth_context_id) {
480 0 : return false;
481 : }
482 :
483 129 : call->_out_auth_info = (struct dcerpc_auth) {
484 129 : .auth_type = auth->auth_type,
485 129 : .auth_level = auth->auth_level,
486 129 : .auth_context_id = auth->auth_context_id,
487 : };
488 129 : call->out_auth_info = &call->_out_auth_info;
489 :
490 129 : return true;
491 : }
492 :
493 : /*
494 : parse any auth information from a dcerpc alter request
495 : return false if we can't handle the auth request for some
496 : reason (in which case we send a bind_nak (is this true for here?))
497 : */
498 5699 : bool dcesrv_auth_alter(struct dcesrv_call_state *call)
499 : {
500 5699 : struct ncacn_packet *pkt = &call->pkt;
501 5699 : struct dcesrv_auth *auth = call->auth_state;
502 : NTSTATUS status;
503 :
504 : /* on a pure interface change there is no auth blob */
505 5699 : if (pkt->auth_length == 0) {
506 153 : if (!auth->auth_finished) {
507 0 : return false;
508 : }
509 153 : return true;
510 : }
511 :
512 5546 : if (auth->auth_finished) {
513 3 : call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
514 3 : return false;
515 : }
516 :
517 5543 : status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.alter.auth_info,
518 : &call->in_auth_info, NULL, true);
519 5543 : if (!NT_STATUS_IS_OK(status)) {
520 3 : call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
521 3 : return false;
522 : }
523 :
524 5540 : if (!auth->auth_started) {
525 : bool ok;
526 :
527 181 : ok = dcesrv_auth_prepare_gensec(call);
528 181 : if (!ok) {
529 0 : call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
530 0 : return false;
531 : }
532 :
533 181 : return true;
534 : }
535 :
536 5359 : if (call->in_auth_info.auth_type == DCERPC_AUTH_TYPE_NONE) {
537 3 : call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
538 3 : return false;
539 : }
540 :
541 5356 : if (auth->auth_invalid) {
542 15 : return false;
543 : }
544 :
545 5341 : if (call->in_auth_info.auth_type != auth->auth_type) {
546 0 : return false;
547 : }
548 :
549 5341 : if (call->in_auth_info.auth_level != auth->auth_level) {
550 0 : return false;
551 : }
552 :
553 5341 : if (call->in_auth_info.auth_context_id != auth->auth_context_id) {
554 0 : return false;
555 : }
556 :
557 5341 : return true;
558 : }
559 :
560 : /*
561 : add any auth information needed in a alter ack, and process the authentication
562 : information found in the alter.
563 : */
564 5663 : NTSTATUS dcesrv_auth_prepare_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
565 : {
566 5663 : struct dcesrv_auth *auth = call->auth_state;
567 : NTSTATUS status;
568 :
569 5663 : status = dcesrv_auth_negotiate_hdr_signing(call, pkt);
570 5663 : if (!NT_STATUS_IS_OK(status)) {
571 0 : return status;
572 : }
573 :
574 : /* on a pure interface change there is no auth_info structure
575 : setup */
576 5663 : if (call->pkt.auth_length == 0) {
577 141 : return NT_STATUS_OK;
578 : }
579 :
580 5522 : if (auth->gensec_security == NULL) {
581 0 : return NT_STATUS_INTERNAL_ERROR;
582 : }
583 :
584 5522 : call->_out_auth_info = (struct dcerpc_auth) {
585 5522 : .auth_type = auth->auth_type,
586 5522 : .auth_level = auth->auth_level,
587 5522 : .auth_context_id = auth->auth_context_id,
588 : };
589 5522 : call->out_auth_info = &call->_out_auth_info;
590 :
591 5522 : return NT_STATUS_OK;
592 : }
593 :
594 : /*
595 : check credentials on a packet
596 : */
597 189380 : bool dcesrv_auth_pkt_pull(struct dcesrv_call_state *call,
598 : DATA_BLOB *full_packet,
599 : uint8_t required_flags,
600 : uint8_t optional_flags,
601 : uint8_t payload_offset,
602 : DATA_BLOB *payload_and_verifier)
603 : {
604 189380 : struct ncacn_packet *pkt = &call->pkt;
605 189380 : struct dcesrv_auth *auth = call->auth_state;
606 648149 : const struct dcerpc_auth tmp_auth = {
607 189380 : .auth_type = auth->auth_type,
608 189380 : .auth_level = auth->auth_level,
609 189380 : .auth_context_id = auth->auth_context_id,
610 : };
611 : bool check_pkt_auth_fields;
612 : NTSTATUS status;
613 :
614 189380 : if (!auth->auth_started) {
615 12 : return false;
616 : }
617 :
618 189368 : if (!auth->auth_finished) {
619 0 : call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
620 0 : return false;
621 : }
622 :
623 189368 : if (auth->auth_invalid) {
624 21 : return false;
625 : }
626 :
627 189347 : if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) {
628 : /*
629 : * The caller most likely checked this
630 : * already, but we better double check.
631 : */
632 173654 : check_pkt_auth_fields = true;
633 : } else {
634 : /*
635 : * The caller already found first fragment
636 : * and is passing the auth_state of it.
637 : * A server is supposed to use the
638 : * setting of the first fragment and
639 : * completely ignore the values
640 : * on the remaining fragments
641 : */
642 15693 : check_pkt_auth_fields = false;
643 : }
644 :
645 189347 : status = dcerpc_ncacn_pull_pkt_auth(&tmp_auth,
646 : auth->gensec_security,
647 : check_pkt_auth_fields,
648 : call,
649 : pkt->ptype,
650 : required_flags,
651 : optional_flags,
652 : payload_offset,
653 : payload_and_verifier,
654 : full_packet,
655 : pkt);
656 189347 : if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
657 12 : call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
658 12 : return false;
659 : }
660 189335 : if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL)) {
661 0 : call->fault_code = DCERPC_NCA_S_UNSUPPORTED_AUTHN_LEVEL;
662 0 : return false;
663 : }
664 189335 : if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
665 21 : call->fault_code = DCERPC_FAULT_SEC_PKG_ERROR;
666 21 : return false;
667 : }
668 189314 : if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
669 0 : call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
670 0 : return false;
671 : }
672 189314 : if (!NT_STATUS_IS_OK(status)) {
673 0 : return false;
674 : }
675 :
676 189314 : return true;
677 : }
678 :
679 : /*
680 : push a signed or sealed dcerpc request packet into a blob
681 : */
682 385340 : bool dcesrv_auth_pkt_push(struct dcesrv_call_state *call,
683 : DATA_BLOB *blob, size_t sig_size,
684 : uint8_t payload_offset,
685 : const DATA_BLOB *payload,
686 : const struct ncacn_packet *pkt)
687 : {
688 385340 : struct dcesrv_auth *auth = call->auth_state;
689 1423925 : const struct dcerpc_auth tmp_auth = {
690 385340 : .auth_type = auth->auth_type,
691 385340 : .auth_level = auth->auth_level,
692 385340 : .auth_context_id = auth->auth_context_id,
693 : };
694 : NTSTATUS status;
695 :
696 385340 : status = dcerpc_ncacn_push_pkt_auth(&tmp_auth,
697 : auth->gensec_security,
698 : call, blob, sig_size,
699 : payload_offset,
700 : payload,
701 : pkt);
702 385340 : return NT_STATUS_IS_OK(status);
703 : }
|