afa584b164bc9328eb3d78cce7440de73f098b5c
[samba.git] / source4 / rpc_server / dcesrv_auth.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    server side dcerpc authentication code
5
6    Copyright (C) Andrew Tridgell 2003
7    Copyright (C) Stefan (metze) Metzmacher 2004
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "rpc_server/dcerpc_server.h"
25 #include "rpc_server/dcerpc_server_proto.h"
26 #include "rpc_server/common/proto.h"
27 #include "librpc/rpc/dcerpc_proto.h"
28 #include "librpc/gen_ndr/ndr_dcerpc.h"
29 #include "auth/credentials/credentials.h"
30 #include "auth/gensec/gensec.h"
31 #include "auth/auth.h"
32 #include "param/param.h"
33 #include "librpc/rpc/rpc_common.h"
34
35 /*
36   parse any auth information from a dcerpc bind request
37   return false if we can't handle the auth request for some 
38   reason (in which case we send a bind_nak)
39 */
40 bool dcesrv_auth_bind(struct dcesrv_call_state *call)
41 {
42         struct cli_credentials *server_credentials = NULL;
43         struct ncacn_packet *pkt = &call->pkt;
44         struct dcesrv_connection *dce_conn = call->conn;
45         struct dcesrv_auth *auth = &dce_conn->auth_state;
46         NTSTATUS status;
47         uint32_t auth_length;
48
49         if (pkt->auth_length == 0) {
50                 auth->auth_type = DCERPC_AUTH_TYPE_NONE;
51                 auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
52                 auth->auth_context_id = 0;
53                 return true;
54         }
55
56         status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.bind.auth_info,
57                                           &call->in_auth_info,
58                                           &auth_length, false);
59         if (!NT_STATUS_IS_OK(status)) {
60                 return false;
61         }
62
63         auth->auth_type = call->in_auth_info.auth_type;
64         auth->auth_level = call->in_auth_info.auth_level;
65         auth->auth_context_id = call->in_auth_info.auth_context_id;
66
67         server_credentials 
68                 = cli_credentials_init(call);
69         if (!server_credentials) {
70                 DEBUG(1, ("Failed to init server credentials\n"));
71                 return false;
72         }
73         
74         cli_credentials_set_conf(server_credentials, call->conn->dce_ctx->lp_ctx);
75         status = cli_credentials_set_machine_account(server_credentials, call->conn->dce_ctx->lp_ctx);
76         if (!NT_STATUS_IS_OK(status)) {
77                 DEBUG(1, ("Failed to obtain server credentials: %s\n",
78                           nt_errstr(status)));
79                 return false;
80         }
81
82         status = samba_server_gensec_start(dce_conn, call->event_ctx, 
83                                            call->msg_ctx,
84                                            call->conn->dce_ctx->lp_ctx,
85                                            server_credentials,
86                                            NULL,
87                                            &auth->gensec_security);
88         if (!NT_STATUS_IS_OK(status)) {
89                 DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
90                           nt_errstr(status)));
91                 return false;
92         }
93
94         if (call->conn->remote_address != NULL) {
95                 status = gensec_set_remote_address(auth->gensec_security,
96                                                 call->conn->remote_address);
97                 if (!NT_STATUS_IS_OK(status)) {
98                         DEBUG(1, ("Failed to call gensec_set_remote_address() %s\n",
99                                   nt_errstr(status)));
100                         return false;
101                 }
102         }
103
104         status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_type,
105                                                auth->auth_level);
106         if (!NT_STATUS_IS_OK(status)) {
107                 DEBUG(3, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n",
108                           (int)auth->auth_type,
109                           (int)auth->auth_level,
110                           nt_errstr(status)));
111                 return false;
112         }
113
114         return true;
115 }
116
117 /*
118   add any auth information needed in a bind ack, and process the authentication
119   information found in the bind.
120 */
121 NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
122 {
123         struct dcesrv_connection *dce_conn = call->conn;
124         NTSTATUS status;
125         bool want_header_signing = false;
126
127         dce_conn->allow_alter = true;
128         dce_conn->allow_auth3 = true;
129
130         if (call->pkt.auth_length == 0) {
131                 dce_conn->auth_state.auth_finished = true;
132                 dce_conn->allow_request = true;
133                 return NT_STATUS_OK;
134         }
135
136         /* We can't work without an existing gensec state */
137         if (!call->conn->auth_state.gensec_security) {
138                 return NT_STATUS_INTERNAL_ERROR;
139         }
140
141         if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
142                 dce_conn->auth_state.client_hdr_signing = true;
143                 want_header_signing = true;
144         }
145
146         if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
147                 want_header_signing = false;
148         }
149
150         call->_out_auth_info = (struct dcerpc_auth) {
151                 .auth_type = dce_conn->auth_state.auth_type,
152                 .auth_level = dce_conn->auth_state.auth_level,
153                 .auth_context_id = dce_conn->auth_state.auth_context_id,
154         };
155         call->out_auth_info = &call->_out_auth_info;
156
157         status = gensec_update_ev(dce_conn->auth_state.gensec_security,
158                                call, call->event_ctx,
159                                call->in_auth_info.credentials,
160                                &call->out_auth_info->credentials);
161         
162         if (NT_STATUS_IS_OK(status)) {
163                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
164                                              dce_conn,
165                                              &dce_conn->auth_state.session_info);
166                 if (!NT_STATUS_IS_OK(status)) {
167                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
168                         return status;
169                 }
170                 dce_conn->auth_state.auth_finished = true;
171                 dce_conn->allow_request = true;
172
173                 if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
174                                          GENSEC_FEATURE_SIGN_PKT_HEADER))
175                 {
176                         want_header_signing = false;
177                 }
178
179                 if (want_header_signing) {
180                         gensec_want_feature(dce_conn->auth_state.gensec_security,
181                                             GENSEC_FEATURE_SIGN_PKT_HEADER);
182                         dce_conn->auth_state.hdr_signing = true;
183                         pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
184                 }
185
186                 /* Now that we are authenticated, go back to the generic session key... */
187                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
188                 return NT_STATUS_OK;
189         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
190                 if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
191                                          GENSEC_FEATURE_SIGN_PKT_HEADER))
192                 {
193                         want_header_signing = false;
194                 }
195
196                 if (want_header_signing) {
197                         gensec_want_feature(dce_conn->auth_state.gensec_security,
198                                             GENSEC_FEATURE_SIGN_PKT_HEADER);
199                         dce_conn->auth_state.hdr_signing = true;
200                         pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
201                 }
202
203                 return NT_STATUS_OK;
204         } else {
205                 DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
206                           nt_errstr(status)));
207                 return status;
208         }
209 }
210
211
212 /*
213   process the final stage of a auth request
214 */
215 bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
216 {
217         struct ncacn_packet *pkt = &call->pkt;
218         struct dcesrv_connection *dce_conn = call->conn;
219         NTSTATUS status;
220         uint32_t auth_length;
221
222         if (pkt->auth_length == 0) {
223                 return false;
224         }
225
226         if (dce_conn->auth_state.auth_finished) {
227                 return false;
228         }
229
230         /* We can't work without an existing gensec state */
231         if (!dce_conn->auth_state.gensec_security) {
232                 return false;
233         }
234
235         status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.auth3.auth_info,
236                                           &call->in_auth_info, &auth_length, true);
237         if (!NT_STATUS_IS_OK(status)) {
238                 return false;
239         }
240
241         if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
242                 return false;
243         }
244
245         if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
246                 return false;
247         }
248
249         if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
250                 return false;
251         }
252
253         call->_out_auth_info = (struct dcerpc_auth) {
254                 .auth_type = dce_conn->auth_state.auth_type,
255                 .auth_level = dce_conn->auth_state.auth_level,
256                 .auth_context_id = dce_conn->auth_state.auth_context_id,
257         };
258         call->out_auth_info = &call->_out_auth_info;
259
260         /* Pass the extra data we got from the client down to gensec for processing */
261         status = gensec_update_ev(dce_conn->auth_state.gensec_security,
262                                call, call->event_ctx,
263                                call->in_auth_info.credentials,
264                                &call->out_auth_info->credentials);
265         if (NT_STATUS_IS_OK(status)) {
266                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
267                                              dce_conn,
268                                              &dce_conn->auth_state.session_info);
269                 if (!NT_STATUS_IS_OK(status)) {
270                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
271                         return false;
272                 }
273                 dce_conn->auth_state.auth_finished = true;
274                 dce_conn->allow_request = true;
275
276                 /* Now that we are authenticated, go back to the generic session key... */
277                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
278                 return true;
279         } else {
280                 DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_auth3: %s\n",
281                           nt_errstr(status)));
282                 return false;
283         }
284 }
285
286 /*
287   parse any auth information from a dcerpc alter request
288   return false if we can't handle the auth request for some 
289   reason (in which case we send a bind_nak (is this true for here?))
290 */
291 bool dcesrv_auth_alter(struct dcesrv_call_state *call)
292 {
293         struct ncacn_packet *pkt = &call->pkt;
294         struct dcesrv_connection *dce_conn = call->conn;
295         NTSTATUS status;
296         uint32_t auth_length;
297
298         /* on a pure interface change there is no auth blob */
299         if (pkt->auth_length == 0) {
300                 if (!dce_conn->auth_state.auth_finished) {
301                         return false;
302                 }
303                 return true;
304         }
305
306         if (dce_conn->auth_state.auth_finished) {
307                 return false;
308         }
309
310         /* We can't work without an existing gensec state */
311         if (!dce_conn->auth_state.gensec_security) {
312                 return false;
313         }
314
315         status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.alter.auth_info,
316                                           &call->in_auth_info, &auth_length, true);
317         if (!NT_STATUS_IS_OK(status)) {
318                 return false;
319         }
320
321         if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
322                 return false;
323         }
324
325         if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
326                 return false;
327         }
328
329         if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
330                 return false;
331         }
332
333         return true;
334 }
335
336 /*
337   add any auth information needed in a alter ack, and process the authentication
338   information found in the alter.
339 */
340 NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
341 {
342         struct dcesrv_connection *dce_conn = call->conn;
343         NTSTATUS status;
344
345         /* on a pure interface change there is no auth_info structure
346            setup */
347         if (call->pkt.auth_length == 0) {
348                 return NT_STATUS_OK;
349         }
350
351         if (!call->conn->auth_state.gensec_security) {
352                 return NT_STATUS_INTERNAL_ERROR;
353         }
354
355         call->_out_auth_info = (struct dcerpc_auth) {
356                 .auth_type = dce_conn->auth_state.auth_type,
357                 .auth_level = dce_conn->auth_state.auth_level,
358                 .auth_context_id = dce_conn->auth_state.auth_context_id,
359         };
360         call->out_auth_info = &call->_out_auth_info;
361
362         status = gensec_update_ev(dce_conn->auth_state.gensec_security,
363                                call, call->event_ctx,
364                                call->in_auth_info.credentials,
365                                &call->out_auth_info->credentials);
366
367         if (NT_STATUS_IS_OK(status)) {
368                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
369                                              dce_conn,
370                                              &dce_conn->auth_state.session_info);
371                 if (!NT_STATUS_IS_OK(status)) {
372                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
373                         return status;
374                 }
375                 dce_conn->auth_state.auth_finished = true;
376                 dce_conn->allow_request = true;
377
378                 /* Now that we are authenticated, got back to the generic session key... */
379                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
380                 return NT_STATUS_OK;
381         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
382                 return NT_STATUS_OK;
383         }
384
385         DEBUG(4, ("GENSEC mech rejected the incoming authentication at auth alter_ack: %s\n",
386                   nt_errstr(status)));
387         return status;
388 }
389
390 /*
391   check credentials on a request
392 */
393 bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
394 {
395         struct ncacn_packet *pkt = &call->pkt;
396         struct dcesrv_connection *dce_conn = call->conn;
397         NTSTATUS status;
398         uint32_t auth_length;
399         size_t hdr_size = DCERPC_REQUEST_LENGTH;
400
401         if (!dce_conn->allow_request) {
402                 return false;
403         }
404
405         if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
406                 hdr_size += 16;
407         }
408
409         switch (dce_conn->auth_state.auth_level) {
410         case DCERPC_AUTH_LEVEL_PRIVACY:
411         case DCERPC_AUTH_LEVEL_INTEGRITY:
412                 break;
413
414         case DCERPC_AUTH_LEVEL_CONNECT:
415                 if (pkt->auth_length != 0) {
416                         break;
417                 }
418                 return true;
419         case DCERPC_AUTH_LEVEL_NONE:
420                 if (pkt->auth_length != 0) {
421                         return false;
422                 }
423                 return true;
424
425         default:
426                 return false;
427         }
428
429         if (!dce_conn->auth_state.gensec_security) {
430                 return false;
431         }
432
433         status = dcerpc_pull_auth_trailer(pkt, call,
434                                           &pkt->u.request.stub_and_verifier,
435                                           &call->in_auth_info, &auth_length, false);
436         if (!NT_STATUS_IS_OK(status)) {
437                 return false;
438         }
439
440         if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
441                 return false;
442         }
443
444         if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
445                 return false;
446         }
447
448         if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
449                 return false;
450         }
451
452         pkt->u.request.stub_and_verifier.length -= auth_length;
453
454         /* check signature or unseal the packet */
455         switch (dce_conn->auth_state.auth_level) {
456         case DCERPC_AUTH_LEVEL_PRIVACY:
457                 status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
458                                               full_packet->data + hdr_size,
459                                               pkt->u.request.stub_and_verifier.length, 
460                                               full_packet->data,
461                                               full_packet->length-
462                                               call->in_auth_info.credentials.length,
463                                               &call->in_auth_info.credentials);
464                 memcpy(pkt->u.request.stub_and_verifier.data, 
465                        full_packet->data + hdr_size,
466                        pkt->u.request.stub_and_verifier.length);
467                 break;
468
469         case DCERPC_AUTH_LEVEL_INTEGRITY:
470                 status = gensec_check_packet(dce_conn->auth_state.gensec_security,
471                                              pkt->u.request.stub_and_verifier.data, 
472                                              pkt->u.request.stub_and_verifier.length,
473                                              full_packet->data,
474                                              full_packet->length-
475                                              call->in_auth_info.credentials.length,
476                                              &call->in_auth_info.credentials);
477                 break;
478
479         case DCERPC_AUTH_LEVEL_CONNECT:
480                 /* for now we ignore possible signatures here */
481                 status = NT_STATUS_OK;
482                 break;
483
484         default:
485                 status = NT_STATUS_INVALID_LEVEL;
486                 break;
487         }
488
489         /* remove the indicated amount of padding */
490         if (pkt->u.request.stub_and_verifier.length < call->in_auth_info.auth_pad_length) {
491                 return false;
492         }
493         pkt->u.request.stub_and_verifier.length -= call->in_auth_info.auth_pad_length;
494
495         return NT_STATUS_IS_OK(status);
496 }
497
498
499 /* 
500    push a signed or sealed dcerpc request packet into a blob
501 */
502 bool dcesrv_auth_response(struct dcesrv_call_state *call,
503                           DATA_BLOB *blob, size_t sig_size,
504                           struct ncacn_packet *pkt)
505 {
506         struct dcesrv_connection *dce_conn = call->conn;
507         NTSTATUS status;
508         enum ndr_err_code ndr_err;
509         struct ndr_push *ndr;
510         uint32_t payload_length;
511         DATA_BLOB creds2;
512
513         switch (dce_conn->auth_state.auth_level) {
514         case DCERPC_AUTH_LEVEL_PRIVACY:
515         case DCERPC_AUTH_LEVEL_INTEGRITY:
516                 if (sig_size == 0) {
517                         return false;
518                 }
519
520                 break;
521
522         case DCERPC_AUTH_LEVEL_CONNECT:
523                 /*
524                  * TODO: let the gensec mech decide if it wants to generate a
525                  *       signature that might be needed for schannel...
526                  */
527                 status = ncacn_push_auth(blob, call, pkt, NULL);
528                 return NT_STATUS_IS_OK(status);
529
530         case DCERPC_AUTH_LEVEL_NONE:
531                 status = ncacn_push_auth(blob, call, pkt, NULL);
532                 return NT_STATUS_IS_OK(status);
533
534         default:
535                 return false;
536         }
537
538         if (!dce_conn->auth_state.gensec_security) {
539                 return false;
540         }
541
542         ndr = ndr_push_init_ctx(call);
543         if (!ndr) {
544                 return false;
545         }
546
547         if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
548                 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
549         }
550
551         ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
552         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
553                 return false;
554         }
555
556         call->_out_auth_info = (struct dcerpc_auth) {
557                 .auth_type = dce_conn->auth_state.auth_type,
558                 .auth_level = dce_conn->auth_state.auth_level,
559                 .auth_context_id = dce_conn->auth_state.auth_context_id,
560         };
561         call->out_auth_info = &call->_out_auth_info;
562
563         /* pad to 16 byte multiple in the payload portion of the
564            packet. This matches what w2k3 does. Note that we can't use
565            ndr_push_align() as that is relative to the start of the
566            whole packet, whereas w2k8 wants it relative to the start
567            of the stub */
568         call->out_auth_info->auth_pad_length =
569                 DCERPC_AUTH_PAD_LENGTH(pkt->u.response.stub_and_verifier.length);
570         ndr_err = ndr_push_zero(ndr, call->out_auth_info->auth_pad_length);
571         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
572                 return false;
573         }
574
575         payload_length = pkt->u.response.stub_and_verifier.length +
576                 call->out_auth_info->auth_pad_length;
577
578         /* add the auth verifier */
579         ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS,
580                                        call->out_auth_info);
581         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
582                 return false;
583         }
584
585         /* extract the whole packet as a blob */
586         *blob = ndr_push_blob(ndr);
587
588         /*
589          * Setup the frag and auth length in the packet buffer.
590          * This is needed if the GENSEC mech does AEAD signing
591          * of the packet headers. The signature itself will be
592          * appended later.
593          */
594         dcerpc_set_frag_length(blob, blob->length + sig_size);
595         dcerpc_set_auth_length(blob, sig_size);
596
597         /* sign or seal the packet */
598         switch (dce_conn->auth_state.auth_level) {
599         case DCERPC_AUTH_LEVEL_PRIVACY:
600                 status = gensec_seal_packet(dce_conn->auth_state.gensec_security, 
601                                             call,
602                                             ndr->data + DCERPC_REQUEST_LENGTH, 
603                                             payload_length,
604                                             blob->data,
605                                             blob->length,
606                                             &creds2);
607                 break;
608
609         case DCERPC_AUTH_LEVEL_INTEGRITY:
610                 status = gensec_sign_packet(dce_conn->auth_state.gensec_security, 
611                                             call,
612                                             ndr->data + DCERPC_REQUEST_LENGTH, 
613                                             payload_length,
614                                             blob->data,
615                                             blob->length,
616                                             &creds2);
617                 break;
618
619         default:
620                 status = NT_STATUS_INVALID_LEVEL;
621                 break;
622         }
623
624         if (!NT_STATUS_IS_OK(status)) {
625                 return false;
626         }       
627
628         if (creds2.length != sig_size) {
629                 DEBUG(3,("dcesrv_auth_response: creds2.length[%u] != sig_size[%u] pad[%u] stub[%u]\n",
630                          (unsigned)creds2.length, (uint32_t)sig_size,
631                          (unsigned)call->out_auth_info->auth_pad_length,
632                          (unsigned)pkt->u.response.stub_and_verifier.length));
633                 dcerpc_set_frag_length(blob, blob->length + creds2.length);
634                 dcerpc_set_auth_length(blob, creds2.length);
635         }
636
637         if (!data_blob_append(call, blob, creds2.data, creds2.length)) {
638                 status = NT_STATUS_NO_MEMORY;
639                 return false;
640         }
641         data_blob_free(&creds2);
642
643         return true;
644 }