Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : server side dcerpc authentication code
5 :
6 : Copyright (C) Andrew Tridgell 2003
7 : Copyright (C) Stefan (metze) Metzmacher 2004
8 :
9 : This program is free software; you can redistribute it and/or modify
10 : it under the terms of the GNU General Public License as published by
11 : the Free Software Foundation; either version 3 of the License, or
12 : (at your option) any later version.
13 :
14 : This program is distributed in the hope that it will be useful,
15 : but WITHOUT ANY WARRANTY; without even the implied warranty of
16 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 : GNU General Public License for more details.
18 :
19 : You should have received a copy of the GNU General Public License
20 : along with this program. If not, see <http://www.gnu.org/licenses/>.
21 : */
22 :
23 : #include "includes.h"
24 : #include "librpc/rpc/dcesrv_core.h"
25 : #include "librpc/rpc/dcesrv_core_proto.h"
26 : #include "librpc/rpc/dcerpc_util.h"
27 : #include "librpc/rpc/dcerpc_pkt_auth.h"
28 : #include "librpc/gen_ndr/ndr_dcerpc.h"
29 : #include "auth/credentials/credentials.h"
30 : #include "auth/gensec/gensec.h"
31 : #include "auth/auth.h"
32 : #include "param/param.h"
33 :
34 68832 : static NTSTATUS dcesrv_auth_negotiate_hdr_signing(struct dcesrv_call_state *call,
35 : struct ncacn_packet *pkt)
36 : {
37 68832 : struct dcesrv_connection *dce_conn = call->conn;
38 68832 : struct dcesrv_auth *a = NULL;
39 :
40 68832 : if (!(call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
41 60513 : return NT_STATUS_OK;
42 : }
43 :
44 8319 : if (dce_conn->client_hdr_signing) {
45 0 : if (dce_conn->negotiated_hdr_signing && pkt != NULL) {
46 0 : pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
47 : }
48 0 : return NT_STATUS_OK;
49 : }
50 :
51 8319 : dce_conn->client_hdr_signing = true;
52 8319 : dce_conn->negotiated_hdr_signing = dce_conn->support_hdr_signing;
53 :
54 8319 : if (!dce_conn->negotiated_hdr_signing) {
55 496 : return NT_STATUS_OK;
56 : }
57 :
58 7823 : if (pkt != NULL) {
59 7823 : pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
60 : }
61 :
62 7823 : a = call->conn->default_auth_state;
63 7823 : if (a->gensec_security != NULL) {
64 0 : gensec_want_feature(a->gensec_security,
65 : GENSEC_FEATURE_SIGN_PKT_HEADER);
66 : }
67 :
68 15640 : for (a = call->conn->auth_states; a != NULL; a = a->next) {
69 7817 : if (a->gensec_security == NULL) {
70 0 : continue;
71 : }
72 :
73 7817 : gensec_want_feature(a->gensec_security,
74 : GENSEC_FEATURE_SIGN_PKT_HEADER);
75 : }
76 :
77 7823 : return NT_STATUS_OK;
78 : }
79 :
80 9262 : static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
81 : {
82 9262 : struct dcesrv_connection *dce_conn = call->conn;
83 9262 : struct dcesrv_auth *auth = call->auth_state;
84 9262 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
85 424 : NTSTATUS status;
86 :
87 9262 : if (auth->auth_started) {
88 0 : return false;
89 : }
90 :
91 9262 : auth->auth_started = true;
92 :
93 9262 : if (auth->auth_invalid) {
94 0 : return false;
95 : }
96 :
97 9262 : if (auth->auth_finished) {
98 0 : return false;
99 : }
100 :
101 9262 : if (auth->gensec_security != NULL) {
102 0 : return false;
103 : }
104 :
105 9262 : switch (call->in_auth_info.auth_level) {
106 8814 : case DCERPC_AUTH_LEVEL_CONNECT:
107 : case DCERPC_AUTH_LEVEL_CALL:
108 : case DCERPC_AUTH_LEVEL_PACKET:
109 : case DCERPC_AUTH_LEVEL_INTEGRITY:
110 : case DCERPC_AUTH_LEVEL_PRIVACY:
111 : /*
112 : * We evaluate auth_type only if auth_level was valid
113 : */
114 9238 : break;
115 24 : default:
116 : /*
117 : * Setting DCERPC_AUTH_LEVEL_NONE,
118 : * gives the caller the reject_reason
119 : * as auth_context_id.
120 : *
121 : * Note: DCERPC_AUTH_LEVEL_NONE == 1
122 : */
123 24 : auth->auth_type = DCERPC_AUTH_TYPE_NONE;
124 24 : auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
125 24 : auth->auth_context_id = DCERPC_BIND_NAK_REASON_NOT_SPECIFIED;
126 24 : return false;
127 : }
128 :
129 9238 : auth->auth_type = call->in_auth_info.auth_type;
130 9238 : auth->auth_level = call->in_auth_info.auth_level;
131 9238 : auth->auth_context_id = call->in_auth_info.auth_context_id;
132 :
133 9238 : cb->auth.become_root();
134 9238 : status = cb->auth.gensec_prepare(
135 : auth,
136 : call,
137 : &auth->gensec_security,
138 : cb->auth.private_data);
139 9238 : cb->auth.unbecome_root();
140 9238 : if (!NT_STATUS_IS_OK(status)) {
141 0 : DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
142 : nt_errstr(status)));
143 0 : return false;
144 : }
145 :
146 : /*
147 : * We have to call this because we set the target_service for
148 : * Kerberos to NULL above, and in any case we wish to log a
149 : * more specific service target.
150 : *
151 : */
152 9238 : status = gensec_set_target_service_description(auth->gensec_security,
153 : "DCE/RPC");
154 9238 : if (!NT_STATUS_IS_OK(status)) {
155 0 : DEBUG(1, ("Failed to call gensec_set_target_service_description %s\n",
156 : nt_errstr(status)));
157 0 : return false;
158 : }
159 :
160 9238 : if (call->conn->remote_address != NULL) {
161 9238 : status = gensec_set_remote_address(auth->gensec_security,
162 8814 : call->conn->remote_address);
163 9238 : if (!NT_STATUS_IS_OK(status)) {
164 0 : DEBUG(1, ("Failed to call gensec_set_remote_address() %s\n",
165 : nt_errstr(status)));
166 0 : return false;
167 : }
168 : }
169 :
170 9238 : if (call->conn->local_address != NULL) {
171 9238 : status = gensec_set_local_address(auth->gensec_security,
172 8814 : call->conn->local_address);
173 9238 : if (!NT_STATUS_IS_OK(status)) {
174 0 : DEBUG(1, ("Failed to call gensec_set_local_address() %s\n",
175 : nt_errstr(status)));
176 0 : return false;
177 : }
178 : }
179 :
180 9662 : status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_type,
181 9238 : auth->auth_level);
182 9238 : if (!NT_STATUS_IS_OK(status)) {
183 0 : const char *backend_name =
184 18 : gensec_get_name_by_authtype(auth->gensec_security,
185 18 : auth->auth_type);
186 :
187 18 : DEBUG(3, ("Failed to start GENSEC mechanism for DCERPC server: "
188 : "auth_type=%d (%s), auth_level=%d: %s\n",
189 : (int)auth->auth_type, backend_name,
190 : (int)auth->auth_level,
191 : nt_errstr(status)));
192 :
193 : /*
194 : * Setting DCERPC_AUTH_LEVEL_NONE,
195 : * gives the caller the reject_reason
196 : * as auth_context_id.
197 : *
198 : * Note: DCERPC_AUTH_LEVEL_NONE == 1
199 : */
200 18 : auth->auth_type = DCERPC_AUTH_TYPE_NONE;
201 18 : auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
202 18 : if (backend_name != NULL) {
203 3 : auth->auth_context_id =
204 : DCERPC_BIND_NAK_REASON_INVALID_CHECKSUM;
205 : } else {
206 15 : auth->auth_context_id =
207 : DCERPC_BIND_NAK_REASON_INVALID_AUTH_TYPE;
208 : }
209 18 : return false;
210 : }
211 :
212 9220 : if (dce_conn->negotiated_hdr_signing) {
213 0 : gensec_want_feature(auth->gensec_security,
214 : GENSEC_FEATURE_SIGN_PKT_HEADER);
215 : }
216 :
217 8796 : return true;
218 : }
219 :
220 62585 : static void dcesrv_default_auth_state_finish_bind(struct dcesrv_call_state *call)
221 : {
222 62585 : SMB_ASSERT(call->pkt.ptype == DCERPC_PKT_BIND);
223 :
224 62585 : if (call->auth_state == call->conn->default_auth_state) {
225 53668 : return;
226 : }
227 :
228 8481 : if (call->conn->default_auth_state->auth_started) {
229 0 : return;
230 : }
231 :
232 8481 : if (call->conn->default_auth_state->auth_invalid) {
233 0 : return;
234 : }
235 :
236 8481 : call->conn->default_auth_state->auth_type = DCERPC_AUTH_TYPE_NONE;
237 8481 : call->conn->default_auth_state->auth_level = DCERPC_AUTH_LEVEL_NONE;
238 8481 : call->conn->default_auth_state->auth_context_id = 0;
239 8481 : call->conn->default_auth_state->auth_started = true;
240 8481 : call->conn->default_auth_state->auth_finished = true;
241 :
242 : /*
243 : *
244 : * We defer log_successful_dcesrv_authz_event()
245 : * to dcesrv_default_auth_state_prepare_request()
246 : *
247 : * As we don't want to trigger authz_events
248 : * just for alter_context requests without authentication
249 : */
250 : }
251 :
252 868715 : void dcesrv_default_auth_state_prepare_request(struct dcesrv_call_state *call)
253 : {
254 868715 : struct dcesrv_connection *dce_conn = call->conn;
255 868715 : struct dcesrv_auth *auth = call->auth_state;
256 868715 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
257 :
258 868715 : if (auth->auth_audited) {
259 766171 : return;
260 : }
261 :
262 98988 : if (call->pkt.ptype != DCERPC_PKT_REQUEST) {
263 0 : return;
264 : }
265 :
266 98988 : if (auth != dce_conn->default_auth_state) {
267 94866 : return;
268 : }
269 :
270 562 : if (auth->auth_invalid) {
271 0 : return;
272 : }
273 :
274 562 : if (!auth->auth_finished) {
275 0 : return;
276 : }
277 :
278 562 : if (cb->log.successful_authz == NULL) {
279 0 : return;
280 : }
281 :
282 562 : cb->log.successful_authz(call, cb->log.private_data);
283 : }
284 :
285 : /*
286 : parse any auth information from a dcerpc bind request
287 : return false if we can't handle the auth request for some
288 : reason (in which case we send a bind_nak)
289 : */
290 62630 : bool dcesrv_auth_bind(struct dcesrv_call_state *call)
291 : {
292 62630 : struct ncacn_packet *pkt = &call->pkt;
293 62630 : struct dcesrv_auth *auth = call->auth_state;
294 62630 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
295 860 : NTSTATUS status;
296 :
297 62630 : if (pkt->auth_length == 0) {
298 53546 : auth->auth_type = DCERPC_AUTH_TYPE_NONE;
299 53546 : auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
300 53546 : auth->auth_context_id = 0;
301 53546 : auth->auth_started = true;
302 :
303 53546 : if (cb->log.successful_authz != NULL) {
304 53546 : cb->log.successful_authz(call, cb->log.private_data);
305 : }
306 :
307 53546 : return true;
308 : }
309 :
310 9084 : status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.bind.auth_info,
311 : &call->in_auth_info,
312 : NULL, true);
313 9084 : if (!NT_STATUS_IS_OK(status)) {
314 : /*
315 : * Setting DCERPC_AUTH_LEVEL_NONE,
316 : * gives the caller the reject_reason
317 : * as auth_context_id.
318 : *
319 : * Note: DCERPC_AUTH_LEVEL_NONE == 1
320 : */
321 3 : auth->auth_type = DCERPC_AUTH_TYPE_NONE;
322 3 : auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
323 3 : auth->auth_context_id =
324 : DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED;
325 3 : return false;
326 : }
327 :
328 9081 : return dcesrv_auth_prepare_gensec(call);
329 : }
330 :
331 15319 : NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
332 : {
333 15319 : struct dcesrv_auth *auth = call->auth_state;
334 15319 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
335 15319 : const char *pdu = "<unknown>";
336 :
337 15319 : switch (call->pkt.ptype) {
338 8615 : case DCERPC_PKT_BIND:
339 8615 : pdu = "BIND";
340 8615 : break;
341 6052 : case DCERPC_PKT_ALTER:
342 6052 : pdu = "ALTER";
343 6052 : break;
344 228 : case DCERPC_PKT_AUTH3:
345 228 : pdu = "AUTH3";
346 228 : if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
347 0 : DEBUG(4, ("GENSEC not finished at %s\n", pdu));
348 0 : return NT_STATUS_RPC_SEC_PKG_ERROR;
349 : }
350 228 : break;
351 0 : default:
352 0 : return NT_STATUS_INTERNAL_ERROR;
353 : }
354 :
355 15319 : if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
356 6126 : return NT_STATUS_OK;
357 : }
358 :
359 9193 : if (!NT_STATUS_IS_OK(status)) {
360 7 : DEBUG(4, ("GENSEC mech rejected the incoming authentication "
361 : "at %s: %s\n", pdu, nt_errstr(status)));
362 7 : return status;
363 : }
364 :
365 9186 : cb->auth.become_root();
366 9186 : status = gensec_session_info(auth->gensec_security,
367 : auth,
368 : &auth->session_info);
369 9186 : cb->auth.unbecome_root();
370 9186 : if (!NT_STATUS_IS_OK(status)) {
371 0 : DEBUG(1, ("Failed to establish session_info: %s\n",
372 : nt_errstr(status)));
373 0 : return status;
374 : }
375 9186 : auth->auth_finished = true;
376 :
377 9186 : if (auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT &&
378 672 : !call->conn->got_explicit_auth_level_connect)
379 : {
380 666 : call->conn->default_auth_level_connect = auth;
381 : }
382 :
383 9186 : if (call->pkt.ptype != DCERPC_PKT_AUTH3) {
384 8958 : return NT_STATUS_OK;
385 : }
386 :
387 228 : if (call->out_auth_info->credentials.length != 0) {
388 3 : DEBUG(4, ("GENSEC produced output token (len=%zu) at %s\n",
389 : call->out_auth_info->credentials.length, pdu));
390 3 : return NT_STATUS_RPC_SEC_PKG_ERROR;
391 : }
392 :
393 225 : return NT_STATUS_OK;
394 : }
395 :
396 : /*
397 : add any auth information needed in a bind ack, and process the authentication
398 : information found in the bind.
399 : */
400 62585 : NTSTATUS dcesrv_auth_prepare_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
401 : {
402 62585 : struct dcesrv_connection *dce_conn = call->conn;
403 62585 : struct dcesrv_auth *auth = call->auth_state;
404 860 : NTSTATUS status;
405 :
406 62585 : status = dcesrv_auth_negotiate_hdr_signing(call, pkt);
407 62585 : if (!NT_STATUS_IS_OK(status)) {
408 0 : return status;
409 : }
410 :
411 62585 : dce_conn->allow_alter = true;
412 62585 : dcesrv_default_auth_state_finish_bind(call);
413 :
414 62585 : if (call->pkt.auth_length == 0) {
415 53546 : auth->auth_finished = true;
416 53546 : return NT_STATUS_OK;
417 : }
418 :
419 : /* We can't work without an existing gensec state */
420 9039 : if (auth->gensec_security == NULL) {
421 0 : return NT_STATUS_INTERNAL_ERROR;
422 : }
423 :
424 9039 : call->_out_auth_info = (struct dcerpc_auth) {
425 9039 : .auth_type = auth->auth_type,
426 9039 : .auth_level = auth->auth_level,
427 9039 : .auth_context_id = auth->auth_context_id,
428 : };
429 9039 : call->out_auth_info = &call->_out_auth_info;
430 :
431 9039 : return NT_STATUS_OK;
432 : }
433 :
434 : /*
435 : process the final stage of a auth request
436 : */
437 231 : bool dcesrv_auth_prepare_auth3(struct dcesrv_call_state *call)
438 : {
439 231 : struct ncacn_packet *pkt = &call->pkt;
440 231 : struct dcesrv_auth *auth = call->auth_state;
441 0 : NTSTATUS status;
442 :
443 231 : if (pkt->auth_length == 0) {
444 0 : return false;
445 : }
446 :
447 231 : if (auth->auth_finished) {
448 0 : return false;
449 : }
450 :
451 231 : if (auth->auth_invalid) {
452 0 : return false;
453 : }
454 :
455 : /* We can't work without an existing gensec state */
456 231 : if (auth->gensec_security == NULL) {
457 0 : return false;
458 : }
459 :
460 231 : status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.auth3.auth_info,
461 : &call->in_auth_info, NULL, true);
462 231 : if (!NT_STATUS_IS_OK(status)) {
463 : /*
464 : * Windows returns DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY
465 : * instead of DCERPC_NCA_S_PROTO_ERROR.
466 : */
467 3 : call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
468 3 : return false;
469 : }
470 :
471 228 : if (call->in_auth_info.auth_type != auth->auth_type) {
472 0 : return false;
473 : }
474 :
475 228 : if (call->in_auth_info.auth_level != auth->auth_level) {
476 0 : return false;
477 : }
478 :
479 228 : if (call->in_auth_info.auth_context_id != auth->auth_context_id) {
480 0 : return false;
481 : }
482 :
483 228 : call->_out_auth_info = (struct dcerpc_auth) {
484 228 : .auth_type = auth->auth_type,
485 228 : .auth_level = auth->auth_level,
486 228 : .auth_context_id = auth->auth_context_id,
487 : };
488 228 : call->out_auth_info = &call->_out_auth_info;
489 :
490 228 : return true;
491 : }
492 :
493 : /*
494 : parse any auth information from a dcerpc alter request
495 : return false if we can't handle the auth request for some
496 : reason (in which case we send a bind_nak (is this true for here?))
497 : */
498 6292 : bool dcesrv_auth_alter(struct dcesrv_call_state *call)
499 : {
500 6292 : struct ncacn_packet *pkt = &call->pkt;
501 6292 : struct dcesrv_auth *auth = call->auth_state;
502 117 : NTSTATUS status;
503 :
504 : /* on a pure interface change there is no auth blob */
505 6292 : if (pkt->auth_length == 0) {
506 216 : if (!auth->auth_finished) {
507 0 : return false;
508 : }
509 216 : return true;
510 : }
511 :
512 6076 : if (auth->auth_finished) {
513 3 : call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
514 3 : return false;
515 : }
516 :
517 6073 : status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.alter.auth_info,
518 : &call->in_auth_info, NULL, true);
519 6073 : if (!NT_STATUS_IS_OK(status)) {
520 3 : call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
521 3 : return false;
522 : }
523 :
524 6070 : if (!auth->auth_started) {
525 0 : bool ok;
526 :
527 181 : ok = dcesrv_auth_prepare_gensec(call);
528 181 : if (!ok) {
529 0 : call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
530 0 : return false;
531 : }
532 :
533 181 : return true;
534 : }
535 :
536 5889 : if (call->in_auth_info.auth_type == DCERPC_AUTH_TYPE_NONE) {
537 3 : call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
538 3 : return false;
539 : }
540 :
541 5886 : if (auth->auth_invalid) {
542 15 : return false;
543 : }
544 :
545 5871 : if (call->in_auth_info.auth_type != auth->auth_type) {
546 0 : return false;
547 : }
548 :
549 5871 : if (call->in_auth_info.auth_level != auth->auth_level) {
550 0 : return false;
551 : }
552 :
553 5871 : if (call->in_auth_info.auth_context_id != auth->auth_context_id) {
554 0 : return false;
555 : }
556 :
557 5775 : return true;
558 : }
559 :
560 : /*
561 : add any auth information needed in a alter ack, and process the authentication
562 : information found in the alter.
563 : */
564 6247 : NTSTATUS dcesrv_auth_prepare_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
565 : {
566 6247 : struct dcesrv_auth *auth = call->auth_state;
567 114 : NTSTATUS status;
568 :
569 6247 : status = dcesrv_auth_negotiate_hdr_signing(call, pkt);
570 6247 : if (!NT_STATUS_IS_OK(status)) {
571 0 : return status;
572 : }
573 :
574 : /* on a pure interface change there is no auth_info structure
575 : setup */
576 6247 : if (call->pkt.auth_length == 0) {
577 195 : return NT_STATUS_OK;
578 : }
579 :
580 6052 : if (auth->gensec_security == NULL) {
581 0 : return NT_STATUS_INTERNAL_ERROR;
582 : }
583 :
584 6052 : call->_out_auth_info = (struct dcerpc_auth) {
585 6052 : .auth_type = auth->auth_type,
586 6052 : .auth_level = auth->auth_level,
587 6052 : .auth_context_id = auth->auth_context_id,
588 : };
589 6052 : call->out_auth_info = &call->_out_auth_info;
590 :
591 6052 : return NT_STATUS_OK;
592 : }
593 :
594 : /*
595 : check credentials on a packet
596 : */
597 868564 : bool dcesrv_auth_pkt_pull(struct dcesrv_call_state *call,
598 : DATA_BLOB *full_packet,
599 : uint8_t required_flags,
600 : uint8_t optional_flags,
601 : uint8_t payload_offset,
602 : DATA_BLOB *payload_and_verifier)
603 : {
604 868564 : struct ncacn_packet *pkt = &call->pkt;
605 868564 : struct dcesrv_auth *auth = call->auth_state;
606 868564 : const struct dcerpc_auth tmp_auth = {
607 868564 : .auth_type = auth->auth_type,
608 868564 : .auth_level = auth->auth_level,
609 868564 : .auth_context_id = auth->auth_context_id,
610 : };
611 7116 : bool check_pkt_auth_fields;
612 7116 : NTSTATUS status;
613 :
614 868564 : if (!auth->auth_started) {
615 12 : return false;
616 : }
617 :
618 868552 : if (!auth->auth_finished) {
619 0 : call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
620 0 : return false;
621 : }
622 :
623 868552 : if (auth->auth_invalid) {
624 27 : return false;
625 : }
626 :
627 868522 : if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) {
628 : /*
629 : * The caller most likely checked this
630 : * already, but we better double check.
631 : */
632 844939 : check_pkt_auth_fields = true;
633 : } else {
634 : /*
635 : * The caller already found first fragment
636 : * and is passing the auth_state of it.
637 : * A server is supposed to use the
638 : * setting of the first fragment and
639 : * completely ignore the values
640 : * on the remaining fragments
641 : */
642 16552 : check_pkt_auth_fields = false;
643 : }
644 :
645 868522 : status = dcerpc_ncacn_pull_pkt_auth(&tmp_auth,
646 : auth->gensec_security,
647 : check_pkt_auth_fields,
648 : call,
649 : pkt->ptype,
650 : required_flags,
651 : optional_flags,
652 : payload_offset,
653 : payload_and_verifier,
654 : full_packet,
655 : pkt);
656 868522 : if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
657 12 : call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
658 12 : return false;
659 : }
660 868510 : if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL)) {
661 0 : call->fault_code = DCERPC_NCA_S_UNSUPPORTED_AUTHN_LEVEL;
662 0 : return false;
663 : }
664 868510 : if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
665 21 : call->fault_code = DCERPC_FAULT_SEC_PKG_ERROR;
666 21 : return false;
667 : }
668 868489 : if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
669 0 : call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
670 0 : return false;
671 : }
672 868489 : if (!NT_STATUS_IS_OK(status)) {
673 0 : return false;
674 : }
675 :
676 861376 : return true;
677 : }
678 :
679 : /*
680 : push a signed or sealed dcerpc request packet into a blob
681 : */
682 1142922 : bool dcesrv_auth_pkt_push(struct dcesrv_call_state *call,
683 : DATA_BLOB *blob, size_t sig_size,
684 : uint8_t payload_offset,
685 : const DATA_BLOB *payload,
686 : const struct ncacn_packet *pkt)
687 : {
688 1142922 : struct dcesrv_auth *auth = call->auth_state;
689 1142922 : const struct dcerpc_auth tmp_auth = {
690 1142922 : .auth_type = auth->auth_type,
691 1142922 : .auth_level = auth->auth_level,
692 1142922 : .auth_context_id = auth->auth_context_id,
693 : };
694 6773 : NTSTATUS status;
695 :
696 1142922 : status = dcerpc_ncacn_push_pkt_auth(&tmp_auth,
697 : auth->gensec_security,
698 : call, blob, sig_size,
699 : payload_offset,
700 : payload,
701 : pkt);
702 1142922 : return NT_STATUS_IS_OK(status);
703 : }
|
