search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-tests: Update statd-callout tests to handle both modes
[samba4-gss.git] / librpc / rpc / dcesrv_auth.c
blobb2f6e607a24d0ac06ed7e5d5450ded9f7d1596f6
1 /*
2 Unix SMB/CIFS implementation.
3
4 server side dcerpc authentication code
5
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Stefan (metze) Metzmacher 2004
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "librpc/rpc/dcesrv_core.h"
25 #include "librpc/rpc/dcesrv_core_proto.h"
26 #include "librpc/rpc/dcerpc_util.h"
27 #include "librpc/rpc/dcerpc_pkt_auth.h"
28 #include "librpc/gen_ndr/ndr_dcerpc.h"
29 #include "auth/credentials/credentials.h"
30 #include "auth/gensec/gensec.h"
31 #include "auth/auth.h"
32 #include "param/param.h"
33
34 static NTSTATUS dcesrv_auth_negotiate_hdr_signing(struct dcesrv_call_state *call,
35 struct ncacn_packet *pkt)
36 {
37 struct dcesrv_connection *dce_conn = call->conn;
38 struct dcesrv_auth *a = NULL;
39
40 if (!(call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
41 return NT_STATUS_OK;
42 }
43
44 if (dce_conn->client_hdr_signing) {
45 if (dce_conn->negotiated_hdr_signing && pkt != NULL) {
46 pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
47 }
48 return NT_STATUS_OK;
49 }
50
51 dce_conn->client_hdr_signing = true;
52 dce_conn->negotiated_hdr_signing = dce_conn->support_hdr_signing;
53
54 if (!dce_conn->negotiated_hdr_signing) {
55 return NT_STATUS_OK;
56 }
57
58 if (pkt != NULL) {
59 pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
60 }
61
62 a = call->conn->default_auth_state;
63 if (a->gensec_security != NULL) {
64 gensec_want_feature(a->gensec_security,
65 GENSEC_FEATURE_SIGN_PKT_HEADER);
66 }
67
68 for (a = call->conn->auth_states; a != NULL; a = a->next) {
69 if (a->gensec_security == NULL) {
70 continue;
71 }
72
73 gensec_want_feature(a->gensec_security,
74 GENSEC_FEATURE_SIGN_PKT_HEADER);
75 }
76
77 return NT_STATUS_OK;
78 }
79
80 static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
81 {
82 struct dcesrv_connection *dce_conn = call->conn;
83 struct dcesrv_auth *auth = call->auth_state;
84 struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
85 NTSTATUS status;
86
87 if (auth->auth_started) {
88 return false;
89 }
90
91 auth->auth_started = true;
92
93 if (auth->auth_invalid) {
94 return false;
95 }
96
97 if (auth->auth_finished) {
98 return false;
99 }
100
101 if (auth->gensec_security != NULL) {
102 return false;
103 }
104
105 switch (call->in_auth_info.auth_level) {
106 case DCERPC_AUTH_LEVEL_CONNECT:
107 case DCERPC_AUTH_LEVEL_CALL:
108 case DCERPC_AUTH_LEVEL_PACKET:
109 case DCERPC_AUTH_LEVEL_INTEGRITY:
110 case DCERPC_AUTH_LEVEL_PRIVACY:
111 /*
112 * We evaluate auth_type only if auth_level was valid
113 */
114 break;
115 default:
116 /*
117 * Setting DCERPC_AUTH_LEVEL_NONE,
118 * gives the caller the reject_reason
119 * as auth_context_id.
120 *
121 * Note: DCERPC_AUTH_LEVEL_NONE == 1
122 */
123 auth->auth_type = DCERPC_AUTH_TYPE_NONE;
124 auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
125 auth->auth_context_id = DCERPC_BIND_NAK_REASON_NOT_SPECIFIED;
126 return false;
127 }
128
129 auth->auth_type = call->in_auth_info.auth_type;
130 auth->auth_level = call->in_auth_info.auth_level;
131 auth->auth_context_id = call->in_auth_info.auth_context_id;
132
133 if (auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT &&
134 !call->conn->got_explicit_auth_level_connect)
135 {
136 call->conn->default_auth_level_connect = auth;
137 }
138
139 cb->auth.become_root();
140 status = cb->auth.gensec_prepare(
141 auth,
142 call,
143 &auth->gensec_security,
144 cb->auth.private_data);
145 cb->auth.unbecome_root();
146 if (!NT_STATUS_IS_OK(status)) {
147 DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
148 nt_errstr(status)));
149 return false;
150 }
151
152 /*
153 * We have to call this because we set the target_service for
154 * Kerberos to NULL above, and in any case we wish to log a
155 * more specific service target.
156 *
157 */
158 status = gensec_set_target_service_description(auth->gensec_security,
159 "DCE/RPC");
160 if (!NT_STATUS_IS_OK(status)) {
161 DEBUG(1, ("Failed to call gensec_set_target_service_description %s\n",
162 nt_errstr(status)));
163 return false;
164 }
165
166 if (call->conn->remote_address != NULL) {
167 status = gensec_set_remote_address(auth->gensec_security,
168 call->conn->remote_address);
169 if (!NT_STATUS_IS_OK(status)) {
170 DEBUG(1, ("Failed to call gensec_set_remote_address() %s\n",
171 nt_errstr(status)));
172 return false;
173 }
174 }
175
176 if (call->conn->local_address != NULL) {
177 status = gensec_set_local_address(auth->gensec_security,
178 call->conn->local_address);
179 if (!NT_STATUS_IS_OK(status)) {
180 DEBUG(1, ("Failed to call gensec_set_local_address() %s\n",
181 nt_errstr(status)));
182 return false;
183 }
184 }
185
186 status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_type,
187 auth->auth_level);
188 if (!NT_STATUS_IS_OK(status)) {
189 const char *backend_name =
190 gensec_get_name_by_authtype(auth->gensec_security,
191 auth->auth_type);
192
193 DEBUG(3, ("Failed to start GENSEC mechanism for DCERPC server: "
194 "auth_type=%d (%s), auth_level=%d: %s\n",
195 (int)auth->auth_type, backend_name,
196 (int)auth->auth_level,
197 nt_errstr(status)));
198
199 /*
200 * Setting DCERPC_AUTH_LEVEL_NONE,
201 * gives the caller the reject_reason
202 * as auth_context_id.
203 *
204 * Note: DCERPC_AUTH_LEVEL_NONE == 1
205 */
206 auth->auth_type = DCERPC_AUTH_TYPE_NONE;
207 auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
208 if (backend_name != NULL) {
209 auth->auth_context_id =
210 DCERPC_BIND_NAK_REASON_INVALID_CHECKSUM;
211 } else {
212 auth->auth_context_id =
213 DCERPC_BIND_NAK_REASON_INVALID_AUTH_TYPE;
214 }
215 return false;
216 }
217
218 if (dce_conn->negotiated_hdr_signing) {
219 gensec_want_feature(auth->gensec_security,
220 GENSEC_FEATURE_SIGN_PKT_HEADER);
221 }
222
223 return true;
224 }
225
226 static void dcesrv_default_auth_state_finish_bind(struct dcesrv_call_state *call)
227 {
228 SMB_ASSERT(call->pkt.ptype == DCERPC_PKT_BIND);
229
230 if (call->auth_state == call->conn->default_auth_state) {
231 return;
232 }
233
234 if (call->conn->default_auth_state->auth_started) {
235 return;
236 }
237
238 if (call->conn->default_auth_state->auth_invalid) {
239 return;
240 }
241
242 call->conn->default_auth_state->auth_type = DCERPC_AUTH_TYPE_NONE;
243 call->conn->default_auth_state->auth_level = DCERPC_AUTH_LEVEL_NONE;
244 call->conn->default_auth_state->auth_context_id = 0;
245 call->conn->default_auth_state->auth_started = true;
246 call->conn->default_auth_state->auth_finished = true;
247
248 /*
249 *
250 * We defer log_successful_dcesrv_authz_event()
251 * to dcesrv_default_auth_state_prepare_request()
252 *
253 * As we don't want to trigger authz_events
254 * just for alter_context requests without authentication
255 */
256 }
257
258 void dcesrv_default_auth_state_prepare_request(struct dcesrv_call_state *call)
259 {
260 struct dcesrv_connection *dce_conn = call->conn;
261 struct dcesrv_auth *auth = call->auth_state;
262 struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
263
264 if (auth->auth_audited) {
265 return;
266 }
267
268 if (call->pkt.ptype != DCERPC_PKT_REQUEST) {
269 return;
270 }
271
272 if (auth != dce_conn->default_auth_state) {
273 return;
274 }
275
276 if (auth->auth_invalid) {
277 return;
278 }
279
280 if (!auth->auth_finished) {
281 return;
282 }
283
284 if (cb->log.successful_authz == NULL) {
285 return;
286 }
287
288 cb->log.successful_authz(call, cb->log.private_data);
289 }
290
291 /*
292 parse any auth information from a dcerpc bind request
293 return false if we can't handle the auth request for some
294 reason (in which case we send a bind_nak)
295 */
296 bool dcesrv_auth_bind(struct dcesrv_call_state *call)
297 {
298 struct ncacn_packet *pkt = &call->pkt;
299 struct dcesrv_auth *auth = call->auth_state;
300 struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
301 NTSTATUS status;
302
303 if (pkt->auth_length == 0) {
304 auth->auth_type = DCERPC_AUTH_TYPE_NONE;
305 auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
306 auth->auth_context_id = 0;
307 auth->auth_started = true;
308
309 if (cb->log.successful_authz != NULL) {
310 cb->log.successful_authz(call, cb->log.private_data);
311 }
312
313 return true;
314 }
315
316 status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.bind.auth_info,
317 &call->in_auth_info,
318 NULL, true);
319 if (!NT_STATUS_IS_OK(status)) {
320 /*
321 * Setting DCERPC_AUTH_LEVEL_NONE,
322 * gives the caller the reject_reason
323 * as auth_context_id.
324 *
325 * Note: DCERPC_AUTH_LEVEL_NONE == 1
326 */
327 auth->auth_type = DCERPC_AUTH_TYPE_NONE;
328 auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
329 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
330 auth->auth_context_id =
331 call->in_auth_info.auth_context_id;
332 } else {
333 auth->auth_context_id =
334 DCERPC_BIND_NAK_REASON_NOT_SPECIFIED;
335 }
336 return false;
337 }
338
339 return dcesrv_auth_prepare_gensec(call);
340 }
341
342 NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
343 {
344 struct dcesrv_auth *auth = call->auth_state;
345 struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
346 const char *pdu = "<unknown>";
347
348 switch (call->pkt.ptype) {
349 case DCERPC_PKT_BIND:
350 pdu = "BIND";
351 break;
352 case DCERPC_PKT_ALTER:
353 pdu = "ALTER";
354 break;
355 case DCERPC_PKT_AUTH3:
356 pdu = "AUTH3";
357 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
358 DEBUG(4, ("GENSEC not finished at %s\n", pdu));
359 return NT_STATUS_RPC_SEC_PKG_ERROR;
360 }
361 break;
362 default:
363 return NT_STATUS_INTERNAL_ERROR;
364 }
365
366 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
367 return NT_STATUS_OK;
368 }
369
370 if (!NT_STATUS_IS_OK(status)) {
371 DEBUG(4, ("GENSEC mech rejected the incoming authentication "
372 "at %s: %s\n", pdu, nt_errstr(status)));
373 return status;
374 }
375
376 cb->auth.become_root();
377 status = gensec_session_info(auth->gensec_security,
378 auth,
379 &auth->session_info);
380 cb->auth.unbecome_root();
381 if (!NT_STATUS_IS_OK(status)) {
382 DEBUG(1, ("Failed to establish session_info: %s\n",
383 nt_errstr(status)));
384 return status;
385 }
386 auth->auth_finished = true;
387
388 if (call->pkt.ptype != DCERPC_PKT_AUTH3) {
389 return NT_STATUS_OK;
390 }
391
392 if (call->out_auth_info->credentials.length != 0) {
393 DEBUG(4, ("GENSEC produced output token (len=%zu) at %s\n",
394 call->out_auth_info->credentials.length, pdu));
395 return NT_STATUS_RPC_SEC_PKG_ERROR;
396 }
397
398 return NT_STATUS_OK;
399 }
400
401 /*
402 add any auth information needed in a bind ack, and process the authentication
403 information found in the bind.
404 */
405 NTSTATUS dcesrv_auth_prepare_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
406 {
407 struct dcesrv_connection *dce_conn = call->conn;
408 struct dcesrv_auth *auth = call->auth_state;
409 NTSTATUS status;
410
411 status = dcesrv_auth_negotiate_hdr_signing(call, pkt);
412 if (!NT_STATUS_IS_OK(status)) {
413 return status;
414 }
415
416 dce_conn->allow_alter = true;
417 dcesrv_default_auth_state_finish_bind(call);
418
419 if (call->pkt.auth_length == 0) {
420 auth->auth_finished = true;
421 return NT_STATUS_OK;
422 }
423
424 /* We can't work without an existing gensec state */
425 if (auth->gensec_security == NULL) {
426 return NT_STATUS_INTERNAL_ERROR;
427 }
428
429 call->_out_auth_info = (struct dcerpc_auth) {
430 .auth_type = auth->auth_type,
431 .auth_level = auth->auth_level,
432 .auth_context_id = auth->auth_context_id,
433 };
434 call->out_auth_info = &call->_out_auth_info;
435
436 return NT_STATUS_OK;
437 }
438
439 /*
440 process the final stage of a auth request
441 */
442 bool dcesrv_auth_prepare_auth3(struct dcesrv_call_state *call)
443 {
444 struct ncacn_packet *pkt = &call->pkt;
445 struct dcesrv_auth *auth = call->auth_state;
446 NTSTATUS status;
447
448 if (pkt->frag_length > call->conn->transport_max_recv_frag) {
449 /*
450 * Note that we don't check against the negotiated
451 * max_recv_frag, but a hard coded value from
452 * the transport.
453 */
454 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
455 return false;
456 }
457
458 if (pkt->auth_length > 4096) {
459 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
460 return false;
461 }
462
463 if (auth->auth_finished) {
464 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
465 return false;
466 }
467
468 if (!auth->auth_started) {
469 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
470 return false;
471 }
472
473 if (auth->auth_invalid) {
474 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
475 return false;
476 }
477
478 if (pkt->auth_length == 0) {
479 call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
480 return false;
481 }
482
483 if (auth->auth_invalid) {
484 return false;
485 }
486
487 /* We can't work without an existing gensec state */
488 if (auth->gensec_security == NULL) {
489 return false;
490 }
491
492 status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.auth3.auth_info,
493 &call->in_auth_info, NULL, true);
494 if (!NT_STATUS_IS_OK(status)) {
495 struct dcerpc_auth *auth_info = &call->in_auth_info;
496 uint32_t nr = auth_info->auth_context_id;
497
498 /*
499 * Windows returns DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY
500 * instead of DCERPC_NCA_S_PROTO_ERROR in most cases.
501 */
502 call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
503
504 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR) &&
505 nr != DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED)
506 {
507 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
508 }
509
510 return false;
511 }
512
513 if (call->in_auth_info.auth_type != auth->auth_type) {
514 call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
515 return false;
516 }
517
518 if (call->in_auth_info.auth_level != auth->auth_level) {
519 call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
520 return false;
521 }
522
523 if (call->in_auth_info.auth_context_id != auth->auth_context_id) {
524 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
525 return false;
526 }
527
528 call->_out_auth_info = (struct dcerpc_auth) {
529 .auth_type = auth->auth_type,
530 .auth_level = auth->auth_level,
531 .auth_context_id = auth->auth_context_id,
532 };
533 call->out_auth_info = &call->_out_auth_info;
534
535 return true;
536 }
537
538 /*
539 parse any auth information from a dcerpc alter request
540 return false if we can't handle the auth request for some
541 reason (in which case we send a bind_nak (is this true for here?))
542 */
543 bool dcesrv_auth_alter(struct dcesrv_call_state *call)
544 {
545 struct ncacn_packet *pkt = &call->pkt;
546 struct dcesrv_auth *auth = call->auth_state;
547 NTSTATUS status;
548
549 /* on a pure interface change there is no auth blob */
550 if (pkt->auth_length == 0) {
551 if (!auth->auth_finished) {
552 return false;
553 }
554 return true;
555 }
556
557 if (auth->auth_finished) {
558 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
559 return false;
560 }
561
562 status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.alter.auth_info,
563 &call->in_auth_info, NULL, true);
564 if (!NT_STATUS_IS_OK(status)) {
565 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
566 return false;
567 }
568
569 if (!auth->auth_started) {
570 bool ok;
571
572 ok = dcesrv_auth_prepare_gensec(call);
573 if (!ok) {
574 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
575 return false;
576 }
577
578 return true;
579 }
580
581 if (call->in_auth_info.auth_type == DCERPC_AUTH_TYPE_NONE) {
582 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
583 return false;
584 }
585
586 if (auth->auth_invalid) {
587 return false;
588 }
589
590 if (call->in_auth_info.auth_type != auth->auth_type) {
591 return false;
592 }
593
594 if (call->in_auth_info.auth_level != auth->auth_level) {
595 return false;
596 }
597
598 if (call->in_auth_info.auth_context_id != auth->auth_context_id) {
599 return false;
600 }
601
602 return true;
603 }
604
605 /*
606 add any auth information needed in a alter ack, and process the authentication
607 information found in the alter.
608 */
609 NTSTATUS dcesrv_auth_prepare_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
610 {
611 struct dcesrv_auth *auth = call->auth_state;
612 NTSTATUS status;
613
614 status = dcesrv_auth_negotiate_hdr_signing(call, pkt);
615 if (!NT_STATUS_IS_OK(status)) {
616 return status;
617 }
618
619 /* on a pure interface change there is no auth_info structure
620 setup */
621 if (call->pkt.auth_length == 0) {
622 return NT_STATUS_OK;
623 }
624
625 if (auth->gensec_security == NULL) {
626 return NT_STATUS_INTERNAL_ERROR;
627 }
628
629 call->_out_auth_info = (struct dcerpc_auth) {
630 .auth_type = auth->auth_type,
631 .auth_level = auth->auth_level,
632 .auth_context_id = auth->auth_context_id,
633 };
634 call->out_auth_info = &call->_out_auth_info;
635
636 return NT_STATUS_OK;
637 }
638
639 /*
640 check credentials on a packet
641 */
642 bool dcesrv_auth_pkt_pull(struct dcesrv_call_state *call,
643 DATA_BLOB *full_packet,
644 uint8_t required_flags,
645 uint8_t optional_flags,
646 uint8_t payload_offset,
647 DATA_BLOB *payload_and_verifier)
648 {
649 struct ncacn_packet *pkt = &call->pkt;
650 struct dcesrv_auth *auth = call->auth_state;
651 const struct dcerpc_auth tmp_auth = {
652 .auth_type = auth->auth_type,
653 .auth_level = auth->auth_level,
654 .auth_context_id = auth->auth_context_id,
655 };
656 bool check_pkt_auth_fields;
657 NTSTATUS status;
658
659 if (!auth->auth_started) {
660 return false;
661 }
662
663 if (auth->auth_invalid) {
664 return false;
665 }
666
667 if (!auth->auth_finished) {
668 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
669 return false;
670 }
671
672 if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) {
673 /*
674 * The caller most likely checked this
675 * already, but we better double check.
676 */
677 check_pkt_auth_fields = true;
678 } else {
679 /*
680 * The caller already found first fragment
681 * and is passing the auth_state of it.
682 * A server is supposed to use the
683 * setting of the first fragment and
684 * completely ignore the values
685 * on the remaining fragments
686 */
687 check_pkt_auth_fields = false;
688 }
689
690 status = dcerpc_ncacn_pull_pkt_auth(&tmp_auth,
691 auth->gensec_security,
692 check_pkt_auth_fields,
693 call,
694 pkt->ptype,
695 required_flags,
696 optional_flags,
697 payload_offset,
698 payload_and_verifier,
699 full_packet,
700 pkt);
701 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
702 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
703 return false;
704 }
705 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL)) {
706 call->fault_code = DCERPC_NCA_S_UNSUPPORTED_AUTHN_LEVEL;
707 return false;
708 }
709 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
710 call->fault_code = DCERPC_FAULT_SEC_PKG_ERROR;
711 return false;
712 }
713 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
714 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
715 return false;
716 }
717 if (!NT_STATUS_IS_OK(status)) {
718 return false;
719 }
720
721 return true;
722 }
723
724 /*
725 push a signed or sealed dcerpc request packet into a blob
726 */
727 bool dcesrv_auth_pkt_push(struct dcesrv_call_state *call,
728 DATA_BLOB *blob, size_t sig_size,
729 uint8_t payload_offset,
730 const DATA_BLOB *payload,
731 const struct ncacn_packet *pkt)
732 {
733 struct dcesrv_auth *auth = call->auth_state;
734 const struct dcerpc_auth tmp_auth = {
735 .auth_type = auth->auth_type,
736 .auth_level = auth->auth_level,
737 .auth_context_id = auth->auth_context_id,
738 };
739 NTSTATUS status;
740
741 status = dcerpc_ncacn_push_pkt_auth(&tmp_auth,
742 auth->gensec_security,
743 call, blob, sig_size,
744 payload_offset,
745 payload,
746 pkt);
747 return NT_STATUS_IS_OK(status);
748 }
GSS-enabled samba4