91b579b9e45bf0edd470f33cd9e20d2cc4f3fc8f
[samba.git] / source4 / rpc_server / dcesrv_auth.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    server side dcerpc authentication code
5
6    Copyright (C) Andrew Tridgell 2003
7    Copyright (C) Stefan (metze) Metzmacher 2004
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 2 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program; if not, write to the Free Software
21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "rpc_server/dcerpc_server.h"
26
27 /*
28   startup the cryptographic side of an authenticated dcerpc server
29 */
30 NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn,
31                                struct dcesrv_auth *auth)
32 {
33         NTSTATUS status;
34         if (auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_INTEGRITY &&
35             auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_PRIVACY &&
36             auth->auth_info->auth_level != DCERPC_AUTH_LEVEL_CONNECT) {
37                 DEBUG(2,("auth_level %d not supported in dcesrv auth\n", 
38                          auth->auth_info->auth_level));
39                 return NT_STATUS_INVALID_PARAMETER;
40         }
41
42         if (auth->gensec_security != NULL) {
43                 /* TODO:
44                  * this this function should not be called
45                  * twice per dcesrv_connection!
46                  * 
47                  * so we need to find out the right
48                  * dcerpc error to return
49                  */
50         }
51
52         status = gensec_server_start(dce_conn, &auth->gensec_security);
53         if (!NT_STATUS_IS_OK(status)) {
54                 DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
55                 return status;
56         }
57
58         status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type, 
59                                                auth->auth_info->auth_level);
60
61         if (!NT_STATUS_IS_OK(status)) {
62                 DEBUG(1, ("Failed to start GENSEC mech-specific server code (%d): %s\n", 
63                           (int)auth->auth_info->auth_type,
64                           nt_errstr(status)));
65                 return status;
66         }
67
68         return status;
69 }
70
71 /*
72   parse any auth information from a dcerpc bind request
73   return False if we can't handle the auth request for some 
74   reason (in which case we send a bind_nak)
75 */
76 BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
77 {
78         struct dcerpc_packet *pkt = &call->pkt;
79         struct dcesrv_connection *dce_conn = call->conn;
80         NTSTATUS status;
81
82         if (pkt->u.bind.auth_info.length == 0) {
83                 dce_conn->auth_state.auth_info = NULL;
84                 return True;
85         }
86
87         dce_conn->auth_state.auth_info = talloc_p(dce_conn, struct dcerpc_auth);
88         if (!dce_conn->auth_state.auth_info) {
89                 return False;
90         }
91
92         status = ndr_pull_struct_blob(&pkt->u.bind.auth_info,
93                                       call,
94                                       dce_conn->auth_state.auth_info,
95                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
96         if (!NT_STATUS_IS_OK(status)) {
97                 return False;
98         }
99
100         status = dcesrv_crypto_select_type(dce_conn, &dce_conn->auth_state);
101         if (!NT_STATUS_IS_OK(status)) {
102                 return False;
103         }
104
105         return True;
106 }
107
108 /*
109   add any auth information needed in a bind ack, and process the authentication
110   information found in the bind.
111 */
112 BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt)
113 {
114         struct dcesrv_connection *dce_conn = call->conn;
115         NTSTATUS status;
116
117         if (!call->conn->auth_state.gensec_security) {
118                 return True;
119         }
120
121         status = gensec_update(dce_conn->auth_state.gensec_security,
122                                call,
123                                dce_conn->auth_state.auth_info->credentials, 
124                                &dce_conn->auth_state.auth_info->credentials);
125         
126         if (NT_STATUS_IS_OK(status)) {
127                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
128                                              &dce_conn->auth_state.session_info);
129                 if (!NT_STATUS_IS_OK(status)) {
130                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
131                         return False;
132                 }
133
134                 /* Now that we are authenticated, got back to the generic session key... */
135                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
136                 return True;
137         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
138                 dce_conn->auth_state.auth_info->auth_pad_length = 0;
139                 dce_conn->auth_state.auth_info->auth_reserved = 0;
140                 return True;
141         } else {
142                 DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status)));
143                 return False;
144         }
145 }
146
147
148 /*
149   process the final stage of a auth request
150 */
151 BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call)
152 {
153         struct dcerpc_packet *pkt = &call->pkt;
154         struct dcesrv_connection *dce_conn = call->conn;
155         NTSTATUS status;
156
157         /* We can't work without an existing gensec state, and an new blob to feed it */
158         if (!dce_conn->auth_state.auth_info ||
159             !dce_conn->auth_state.gensec_security ||
160             pkt->u.auth3.auth_info.length == 0) {
161                 return False;
162         }
163
164         status = ndr_pull_struct_blob(&pkt->u.auth3.auth_info,
165                                       call,
166                                       dce_conn->auth_state.auth_info,
167                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
168         if (!NT_STATUS_IS_OK(status)) {
169                 return False;
170         }
171
172         /* Pass the extra data we got from the client down to gensec for processing */
173         status = gensec_update(dce_conn->auth_state.gensec_security,
174                                call,
175                                dce_conn->auth_state.auth_info->credentials, 
176                                &dce_conn->auth_state.auth_info->credentials);
177         if (NT_STATUS_IS_OK(status)) {
178                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
179                                              &dce_conn->auth_state.session_info);
180                 if (!NT_STATUS_IS_OK(status)) {
181                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
182                         return False;
183                 }
184                 /* Now that we are authenticated, got back to the generic session key... */
185                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
186                 return True;
187         } else {
188                 DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n", 
189                           nt_errstr(status)));
190                 return False;
191         }
192
193         return True;
194 }
195
196 /*
197   parse any auth information from a dcerpc alter request
198   return False if we can't handle the auth request for some 
199   reason (in which case we send a bind_nak (is this true for here?))
200 */
201 BOOL dcesrv_auth_alter(struct dcesrv_call_state *call)
202 {
203         struct dcerpc_packet *pkt = &call->pkt;
204         struct dcesrv_connection *dce_conn = call->conn;
205         NTSTATUS status;
206
207         /* on a pure interface change there is no auth blob */
208         if (pkt->u.alter.auth_info.length == 0) {
209                 return True;
210         }
211
212         /* We can't work without an existing gensec state */
213         if (!dce_conn->auth_state.gensec_security) {
214                 return False;
215         }
216
217         dce_conn->auth_state.auth_info = talloc_p(dce_conn, struct dcerpc_auth);
218         if (!dce_conn->auth_state.auth_info) {
219                 return False;
220         }
221
222         status = ndr_pull_struct_blob(&pkt->u.alter.auth_info,
223                                       call,
224                                       dce_conn->auth_state.auth_info,
225                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
226         if (!NT_STATUS_IS_OK(status)) {
227                 return False;
228         }
229
230         return True;
231 }
232
233 /*
234   add any auth information needed in a alter ack, and process the authentication
235   information found in the alter.
236 */
237 BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct dcerpc_packet *pkt)
238 {
239         struct dcesrv_connection *dce_conn = call->conn;
240         NTSTATUS status;
241
242         /* on a pure interface change there is no auth blob */
243         if (pkt->u.alter.auth_info.length == 0) {
244                 return True;
245         }
246
247         if (!call->conn->auth_state.gensec_security) {
248                 return False;
249         }
250
251         status = gensec_update(dce_conn->auth_state.gensec_security,
252                                call,
253                                dce_conn->auth_state.auth_info->credentials, 
254                                &dce_conn->auth_state.auth_info->credentials);
255         
256         if (NT_STATUS_IS_OK(status)) {
257                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
258                                              &dce_conn->auth_state.session_info);
259                 if (!NT_STATUS_IS_OK(status)) {
260                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
261                         return False;
262                 }
263
264                 /* Now that we are authenticated, got back to the generic session key... */
265                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
266                 return True;
267         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
268                 dce_conn->auth_state.auth_info->auth_pad_length = 0;
269                 dce_conn->auth_state.auth_info->auth_reserved = 0;
270                 return True;
271         } else {
272                 DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status)));
273                 return True;
274         }
275 }
276
277 /*
278   generate a CONNECT level verifier
279 */
280 static NTSTATUS dcesrv_connect_verifier(TALLOC_CTX *mem_ctx, DATA_BLOB *blob)
281 {
282         *blob = data_blob_talloc(mem_ctx, NULL, 16);
283         if (blob->data == NULL) {
284                 return NT_STATUS_NO_MEMORY;
285         }
286         SIVAL(blob->data, 0, 1);
287         memset(blob->data+4, 0, 12);
288         return NT_STATUS_OK;
289 }
290
291 /*
292   generate a CONNECT level verifier
293 */
294 static NTSTATUS dcesrv_check_connect_verifier(DATA_BLOB *blob)
295 {
296         if (blob->length != 16 ||
297             IVAL(blob->data, 0) != 1) {
298                 return NT_STATUS_ACCESS_DENIED;
299         }
300         return NT_STATUS_OK;
301 }
302
303
304 /*
305   check credentials on a request
306 */
307 BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
308 {
309         struct dcerpc_packet *pkt = &call->pkt;
310         struct dcesrv_connection *dce_conn = call->conn;
311         DATA_BLOB auth_blob;
312         struct dcerpc_auth auth;
313         struct ndr_pull *ndr;
314         NTSTATUS status;
315
316         if (!dce_conn->auth_state.auth_info ||
317             !dce_conn->auth_state.gensec_security) {
318                 return True;
319         }
320
321         auth_blob.length = 8 + pkt->auth_length;
322
323         /* check for a valid length */
324         if (pkt->u.request.stub_and_verifier.length < auth_blob.length) {
325                 return False;
326         }
327
328         auth_blob.data = 
329                 pkt->u.request.stub_and_verifier.data + 
330                 pkt->u.request.stub_and_verifier.length - auth_blob.length;
331         pkt->u.request.stub_and_verifier.length -= auth_blob.length;
332
333         /* pull the auth structure */
334         ndr = ndr_pull_init_blob(&auth_blob, call);
335         if (!ndr) {
336                 return False;
337         }
338
339         if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
340                 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
341         }
342
343         status = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth);
344         if (!NT_STATUS_IS_OK(status)) {
345                 talloc_free(ndr);
346                 return False;
347         }
348
349         /* check signature or unseal the packet */
350         switch (dce_conn->auth_state.auth_info->auth_level) {
351         case DCERPC_AUTH_LEVEL_PRIVACY:
352                 status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
353                                               call,
354                                               full_packet->data + DCERPC_REQUEST_LENGTH,
355                                               pkt->u.request.stub_and_verifier.length, 
356                                               full_packet->data,
357                                               full_packet->length-auth.credentials.length,
358                                               &auth.credentials);
359                 memcpy(pkt->u.request.stub_and_verifier.data, 
360                        full_packet->data + DCERPC_REQUEST_LENGTH,
361                        pkt->u.request.stub_and_verifier.length);
362                 break;
363
364         case DCERPC_AUTH_LEVEL_INTEGRITY:
365                 status = gensec_check_packet(dce_conn->auth_state.gensec_security,
366                                              call,
367                                              pkt->u.request.stub_and_verifier.data, 
368                                              pkt->u.request.stub_and_verifier.length,
369                                              full_packet->data,
370                                              full_packet->length-auth.credentials.length,
371                                              &auth.credentials);
372                 break;
373
374         case DCERPC_AUTH_LEVEL_CONNECT:
375                 status = dcesrv_check_connect_verifier(&auth.credentials);
376                 break;
377
378         default:
379                 status = NT_STATUS_INVALID_LEVEL;
380                 break;
381         }
382
383         /* remove the indicated amount of padding */
384         if (pkt->u.request.stub_and_verifier.length < auth.auth_pad_length) {
385                 talloc_free(ndr);
386                 return False;
387         }
388         pkt->u.request.stub_and_verifier.length -= auth.auth_pad_length;
389         talloc_free(ndr);
390
391         return NT_STATUS_IS_OK(status);
392 }
393
394
395 /* 
396    push a signed or sealed dcerpc request packet into a blob
397 */
398 BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
399                           DATA_BLOB *blob, struct dcerpc_packet *pkt)
400 {
401         struct dcesrv_connection *dce_conn = call->conn;
402         NTSTATUS status;
403         struct ndr_push *ndr;
404         uint32_t payload_length;
405
406         /* non-signed packets are simple */
407         if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) {
408                 status = dcerpc_push_auth(blob, call, pkt, NULL);
409                 return NT_STATUS_IS_OK(status);
410         }
411
412         ndr = ndr_push_init_ctx(call);
413         if (!ndr) {
414                 return False;
415         }
416
417         if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
418                 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
419         }
420
421         status = ndr_push_dcerpc_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
422         if (!NT_STATUS_IS_OK(status)) {
423                 return False;
424         }
425
426         /* pad to 8 byte multiple */
427         dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 8);
428         ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length);
429
430         payload_length = ndr->offset - DCERPC_REQUEST_LENGTH;
431
432         if (dce_conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
433                 status = dcesrv_connect_verifier(call,
434                                                  &dce_conn->auth_state.auth_info->credentials);
435                 if (!NT_STATUS_IS_OK(status)) {
436                         return False;
437                 }
438         } else {
439                 dce_conn->auth_state.auth_info->credentials
440                         = data_blob_talloc(call, NULL, 
441                                            gensec_sig_size(dce_conn->auth_state.gensec_security));
442         }
443
444         /* add the auth verifier */
445         status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info);
446         if (!NT_STATUS_IS_OK(status)) {
447                 return False;
448         }
449
450         /* extract the whole packet as a blob */
451         *blob = ndr_push_blob(ndr);
452
453         /* fill in the fragment length and auth_length, we can't fill
454            in these earlier as we don't know the signature length (it
455            could be variable length) */
456         dcerpc_set_frag_length(blob, blob->length);
457         dcerpc_set_auth_length(blob, dce_conn->auth_state.auth_info->credentials.length);
458
459         /* sign or seal the packet */
460         switch (dce_conn->auth_state.auth_info->auth_level) {
461         case DCERPC_AUTH_LEVEL_PRIVACY:
462                 status = gensec_seal_packet(dce_conn->auth_state.gensec_security, 
463                                             call,
464                                             ndr->data + DCERPC_REQUEST_LENGTH, 
465                                             payload_length,
466                                             blob->data,
467                                             blob->length - dce_conn->auth_state.auth_info->credentials.length,
468                                             &dce_conn->auth_state.auth_info->credentials);
469                 break;
470
471         case DCERPC_AUTH_LEVEL_INTEGRITY:
472                 status = gensec_sign_packet(dce_conn->auth_state.gensec_security, 
473                                             call,
474                                             ndr->data + DCERPC_REQUEST_LENGTH, 
475                                             payload_length,
476                                             blob->data,
477                                             blob->length - dce_conn->auth_state.auth_info->credentials.length,
478                                             &dce_conn->auth_state.auth_info->credentials);
479
480                 break;
481
482         case DCERPC_AUTH_LEVEL_CONNECT:
483                 break;
484
485         default:
486                 status = NT_STATUS_INVALID_LEVEL;
487                 break;
488         }
489
490         if (!NT_STATUS_IS_OK(status)) {
491                 return False;
492         }       
493
494         memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length, 
495                dce_conn->auth_state.auth_info->credentials.data, dce_conn->auth_state.auth_info->credentials.length);
496         
497         data_blob_free(&dce_conn->auth_state.auth_info->credentials);
498
499         return True;
500 }