r4663: fixed SPNEGO auth in the rpc server
[samba.git] / source4 / rpc_server / dcesrv_auth.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    server side dcerpc authentication code
5
6    Copyright (C) Andrew Tridgell 2003
7    Copyright (C) Stefan (metze) Metzmacher 2004
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 2 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program; if not, write to the Free Software
21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "rpc_server/dcerpc_server.h"
26
27 /*
28   startup the cryptographic side of an authenticated dcerpc server
29 */
30 NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn,
31                                struct dcesrv_auth *auth)
32 {
33         NTSTATUS status;
34         if (auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY &&
35             auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY &&
36             auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_CONNECT) {
37                 DEBUG(2,("auth_level %d not supported in dcesrv auth\n", 
38                          auth->auth_info->auth_level));
39                 return NT_STATUS_INVALID_PARAMETER;
40         }
41
42         if (auth->gensec_security != NULL) {
43                 /* TODO:
44                  * this this function should not be called
45                  * twice per dcesrv_connection!
46                  * 
47                  * so we need to find out the right
48                  * dcerpc error to return
49                  */
50         }
51
52         status = gensec_server_start(dce_conn, &auth->gensec_security);
53         if (!NT_STATUS_IS_OK(status)) {
54                 DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
55                 return status;
56         }
57
58         status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type, 
59                                                auth->auth_info->auth_level);
60
61         if (!NT_STATUS_IS_OK(status)) {
62                 DEBUG(1, ("Failed to start GENSEC mech-specific server code (%d): %s\n", 
63                           (int)auth->auth_info->auth_type,
64                           nt_errstr(status)));
65                 return status;
66         }
67
68         return status;
69 }
70
71 /*
72   parse any auth information from a dcerpc bind request
73   return False if we can't handle the auth request for some 
74   reason (in which case we send a bind_nak)
75 */
76 BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
77 {
78         struct dcerpc_packet *pkt = &call->pkt;
79         struct dcesrv_connection *dce_conn = call->conn;
80         NTSTATUS status;
81
82         if (pkt->u.bind.auth_info.length == 0) {
83                 dce_conn->auth_state.auth_info = NULL;
84                 return True;
85         }
86
87         dce_conn->auth_state.auth_info = talloc_p(dce_conn, struct dcerpc_auth);
88         if (!dce_conn->auth_state.auth_info) {
89                 return False;
90         }
91
92         status = ndr_pull_struct_blob(&pkt->u.bind.auth_info,
93                                       call,
94                                       dce_conn->auth_state.auth_info,
95                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
96         if (!NT_STATUS_IS_OK(status)) {
97                 return False;
98         }
99
100         status = dcesrv_crypto_select_type(dce_conn, &dce_conn->auth_state);
101         if (!NT_STATUS_IS_OK(status)) {
102                 return False;
103         }
104
105         return True;
106 }
107
108 /*
109   add any auth information needed in a bind ack, and process the authentication
110   information found in the bind.
111 */
112 BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt)
113 {
114         struct dcesrv_connection *dce_conn = call->conn;
115         NTSTATUS status;
116
117         if (!call->conn->auth_state.gensec_security) {
118                 return True;
119         }
120
121         status = gensec_update(dce_conn->auth_state.gensec_security,
122                                call,
123                                dce_conn->auth_state.auth_info->credentials, 
124                                &dce_conn->auth_state.auth_info->credentials);
125         
126         if (NT_STATUS_IS_OK(status)) {
127                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
128                                              &dce_conn->auth_state.session_info);
129                 if (!NT_STATUS_IS_OK(status)) {
130                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
131                         return False;
132                 }
133
134                 /* Now that we are authenticated, got back to the generic session key... */
135                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
136                 return True;
137         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
138                 dce_conn->auth_state.auth_info->auth_pad_length = 0;
139                 dce_conn->auth_state.auth_info->auth_reserved = 0;
140                 return True;
141         } else {
142                 DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status)));
143                 return False;
144         }
145 }
146
147
148 /*
149   process the final stage of a auth request
150 */
151 BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call)
152 {
153         struct dcerpc_packet *pkt = &call->pkt;
154         struct dcesrv_connection *dce_conn = call->conn;
155         NTSTATUS status;
156
157         /* We can't work without an existing gensec state, and an new blob to feed it */
158         if (!dce_conn->auth_state.auth_info ||
159             !dce_conn->auth_state.gensec_security ||
160             pkt->u.auth3.auth_info.length == 0) {
161                 return False;
162         }
163
164         status = ndr_pull_struct_blob(&pkt->u.auth3.auth_info,
165                                       call,
166                                       dce_conn->auth_state.auth_info,
167                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
168         if (!NT_STATUS_IS_OK(status)) {
169                 return False;
170         }
171
172         /* Pass the extra data we got from the client down to gensec for processing */
173         status = gensec_update(dce_conn->auth_state.gensec_security,
174                                call,
175                                dce_conn->auth_state.auth_info->credentials, 
176                                &dce_conn->auth_state.auth_info->credentials);
177         if (NT_STATUS_IS_OK(status)) {
178                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
179                                              &dce_conn->auth_state.session_info);
180                 if (!NT_STATUS_IS_OK(status)) {
181                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
182                         return False;
183                 }
184                 /* Now that we are authenticated, got back to the generic session key... */
185                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
186                 return True;
187         } else {
188                 DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n", 
189                           nt_errstr(status)));
190                 return False;
191         }
192
193         return True;
194 }
195
196 /*
197   parse any auth information from a dcerpc alter request
198   return False if we can't handle the auth request for some 
199   reason (in which case we send a bind_nak (is this true for here?))
200 */
201 BOOL dcesrv_auth_alter(struct dcesrv_call_state *call)
202 {
203         struct dcerpc_packet *pkt = &call->pkt;
204         struct dcesrv_connection *dce_conn = call->conn;
205         NTSTATUS status;
206
207         /* on a pure interface change there is no auth blob */
208         if (pkt->u.alter.auth_info.length == 0) {
209                 return True;
210         }
211
212         /* We can't work without an existing gensec state */
213         if (!dce_conn->auth_state.gensec_security) {
214                 return False;
215         }
216
217         dce_conn->auth_state.auth_info = talloc_p(dce_conn, struct dcerpc_auth);
218         if (!dce_conn->auth_state.auth_info) {
219                 return False;
220         }
221
222         status = ndr_pull_struct_blob(&pkt->u.alter.auth_info,
223                                       call,
224                                       dce_conn->auth_state.auth_info,
225                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
226         if (!NT_STATUS_IS_OK(status)) {
227                 return False;
228         }
229
230         return True;
231 }
232
233 /*
234   add any auth information needed in a alter ack, and process the authentication
235   information found in the alter.
236 */
237 BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt)
238 {
239         struct dcesrv_connection *dce_conn = call->conn;
240         NTSTATUS status;
241
242         /* on a pure interface change there is no auth_info structure
243            setup */
244         if (!call->conn->auth_state.auth_info) {
245                 return True;
246         }
247
248         if (!call->conn->auth_state.gensec_security) {
249                 return False;
250         }
251
252         status = gensec_update(dce_conn->auth_state.gensec_security,
253                                call,
254                                dce_conn->auth_state.auth_info->credentials, 
255                                &dce_conn->auth_state.auth_info->credentials);
256
257         if (NT_STATUS_IS_OK(status)) {
258                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
259                                              &dce_conn->auth_state.session_info);
260                 if (!NT_STATUS_IS_OK(status)) {
261                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
262                         return False;
263                 }
264
265                 /* Now that we are authenticated, got back to the generic session key... */
266                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
267                 return True;
268         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
269                 dce_conn->auth_state.auth_info->auth_pad_length = 0;
270                 dce_conn->auth_state.auth_info->auth_reserved = 0;
271                 return True;
272         } else {
273                 DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status)));
274                 return True;
275         }
276 }
277
278 /*
279   generate a CONNECT level verifier
280 */
281 static NTSTATUS dcesrv_connect_verifier(TALLOC_CTX *mem_ctx, DATA_BLOB *blob)
282 {
283         *blob = data_blob_talloc(mem_ctx, NULL, 16);
284         if (blob->data == NULL) {
285                 return NT_STATUS_NO_MEMORY;
286         }
287         SIVAL(blob->data, 0, 1);
288         memset(blob->data+4, 0, 12);
289         return NT_STATUS_OK;
290 }
291
292 /*
293   generate a CONNECT level verifier
294 */
295 static NTSTATUS dcesrv_check_connect_verifier(DATA_BLOB *blob)
296 {
297         if (blob->length != 16 ||
298             IVAL(blob->data, 0) != 1) {
299                 return NT_STATUS_ACCESS_DENIED;
300         }
301         return NT_STATUS_OK;
302 }
303
304
305 /*
306   check credentials on a request
307 */
308 BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
309 {
310         struct dcerpc_packet *pkt = &call->pkt;
311         struct dcesrv_connection *dce_conn = call->conn;
312         DATA_BLOB auth_blob;
313         struct dcerpc_auth auth;
314         struct ndr_pull *ndr;
315         NTSTATUS status;
316
317         if (!dce_conn->auth_state.auth_info ||
318             !dce_conn->auth_state.gensec_security) {
319                 return True;
320         }
321
322         auth_blob.length = 8 + pkt->auth_length;
323
324         /* check for a valid length */
325         if (pkt->u.request.stub_and_verifier.length < auth_blob.length) {
326                 return False;
327         }
328
329         auth_blob.data = 
330                 pkt->u.request.stub_and_verifier.data + 
331                 pkt->u.request.stub_and_verifier.length - auth_blob.length;
332         pkt->u.request.stub_and_verifier.length -= auth_blob.length;
333
334         /* pull the auth structure */
335         ndr = ndr_pull_init_blob(&auth_blob, call);
336         if (!ndr) {
337                 return False;
338         }
339
340         if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
341                 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
342         }
343
344         status = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth);
345         if (!NT_STATUS_IS_OK(status)) {
346                 talloc_free(ndr);
347                 return False;
348         }
349
350         /* check signature or unseal the packet */
351         switch (dce_conn->auth_state.auth_info->auth_level) {
352         case DCERPC_AUTH_LEVEL_PRIVACY:
353                 status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
354                                               call,
355                                               full_packet->data + DCERPC_REQUEST_LENGTH,
356                                               pkt->u.request.stub_and_verifier.length, 
357                                               full_packet->data,
358                                               full_packet->length-auth.credentials.length,
359                                               &auth.credentials);
360                 memcpy(pkt->u.request.stub_and_verifier.data, 
361                        full_packet->data + DCERPC_REQUEST_LENGTH,
362                        pkt->u.request.stub_and_verifier.length);
363                 break;
364
365         case DCERPC_AUTH_LEVEL_INTEGRITY:
366                 status = gensec_check_packet(dce_conn->auth_state.gensec_security,
367                                              call,
368                                              pkt->u.request.stub_and_verifier.data, 
369                                              pkt->u.request.stub_and_verifier.length,
370                                              full_packet->data,
371                                              full_packet->length-auth.credentials.length,
372                                              &auth.credentials);
373                 break;
374
375         case DCERPC_AUTH_LEVEL_CONNECT:
376                 status = dcesrv_check_connect_verifier(&auth.credentials);
377                 break;
378
379         default:
380                 status = NT_STATUS_INVALID_LEVEL;
381                 break;
382         }
383
384         /* remove the indicated amount of padding */
385         if (pkt->u.request.stub_and_verifier.length < auth.auth_pad_length) {
386                 talloc_free(ndr);
387                 return False;
388         }
389         pkt->u.request.stub_and_verifier.length -= auth.auth_pad_length;
390         talloc_free(ndr);
391
392         return NT_STATUS_IS_OK(status);
393 }
394
395
396 /* 
397    push a signed or sealed dcerpc request packet into a blob
398 */
399 BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
400                           DATA_BLOB *blob, struct dcerpc_packet *pkt)
401 {
402         struct dcesrv_connection *dce_conn = call->conn;
403         NTSTATUS status;
404         struct ndr_push *ndr;
405         uint32_t payload_length;
406
407         /* non-signed packets are simple */
408         if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) {
409                 status = dcerpc_push_auth(blob, call, pkt, NULL);
410                 return NT_STATUS_IS_OK(status);
411         }
412
413         ndr = ndr_push_init_ctx(call);
414         if (!ndr) {
415                 return False;
416         }
417
418         if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
419                 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
420         }
421
422         status = ndr_push_dcerpc_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
423         if (!NT_STATUS_IS_OK(status)) {
424                 return False;
425         }
426
427         /* pad to 8 byte multiple */
428         dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 8);
429         ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length);
430
431         payload_length = ndr->offset - DCERPC_REQUEST_LENGTH;
432
433         if (dce_conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
434                 status = dcesrv_connect_verifier(call,
435                                                  &dce_conn->auth_state.auth_info->credentials);
436                 if (!NT_STATUS_IS_OK(status)) {
437                         return False;
438                 }
439         } else {
440                 dce_conn->auth_state.auth_info->credentials
441                         = data_blob_talloc(call, NULL, 
442                                            gensec_sig_size(dce_conn->auth_state.gensec_security));
443         }
444
445         /* add the auth verifier */
446         status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info);
447         if (!NT_STATUS_IS_OK(status)) {
448                 return False;
449         }
450
451         /* extract the whole packet as a blob */
452         *blob = ndr_push_blob(ndr);
453
454         /* fill in the fragment length and auth_length, we can't fill
455            in these earlier as we don't know the signature length (it
456            could be variable length) */
457         dcerpc_set_frag_length(blob, blob->length);
458         dcerpc_set_auth_length(blob, dce_conn->auth_state.auth_info->credentials.length);
459
460         /* sign or seal the packet */
461         switch (dce_conn->auth_state.auth_info->auth_level) {
462         case DCERPC_AUTH_LEVEL_PRIVACY:
463                 status = gensec_seal_packet(dce_conn->auth_state.gensec_security, 
464                                             call,
465                                             ndr->data + DCERPC_REQUEST_LENGTH, 
466                                             payload_length,
467                                             blob->data,
468                                             blob->length - dce_conn->auth_state.auth_info->credentials.length,
469                                             &dce_conn->auth_state.auth_info->credentials);
470                 break;
471
472         case DCERPC_AUTH_LEVEL_INTEGRITY:
473                 status = gensec_sign_packet(dce_conn->auth_state.gensec_security, 
474                                             call,
475                                             ndr->data + DCERPC_REQUEST_LENGTH, 
476                                             payload_length,
477                                             blob->data,
478                                             blob->length - dce_conn->auth_state.auth_info->credentials.length,
479                                             &dce_conn->auth_state.auth_info->credentials);
480
481                 break;
482
483         case DCERPC_AUTH_LEVEL_CONNECT:
484                 break;
485
486         default:
487                 status = NT_STATUS_INVALID_LEVEL;
488                 break;
489         }
490
491         if (!NT_STATUS_IS_OK(status)) {
492                 return False;
493         }       
494
495         memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length, 
496                dce_conn->auth_state.auth_info->credentials.data, dce_conn->auth_state.auth_info->credentials.length);
497         
498         data_blob_free(&dce_conn->auth_state.auth_info->credentials);
499
500         return True;
501 }