CVE-2015-5370: s4:rpc_server: let a failing auth3 mark the authentication as invalid
[samba.git] / source4 / rpc_server / dcesrv_auth.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    server side dcerpc authentication code
5
6    Copyright (C) Andrew Tridgell 2003
7    Copyright (C) Stefan (metze) Metzmacher 2004
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "rpc_server/dcerpc_server.h"
25 #include "rpc_server/dcerpc_server_proto.h"
26 #include "rpc_server/common/proto.h"
27 #include "librpc/rpc/dcerpc_proto.h"
28 #include "librpc/gen_ndr/ndr_dcerpc.h"
29 #include "auth/credentials/credentials.h"
30 #include "auth/gensec/gensec.h"
31 #include "auth/auth.h"
32 #include "param/param.h"
33 #include "librpc/rpc/rpc_common.h"
34
35 /*
36   parse any auth information from a dcerpc bind request
37   return false if we can't handle the auth request for some 
38   reason (in which case we send a bind_nak)
39 */
40 bool dcesrv_auth_bind(struct dcesrv_call_state *call)
41 {
42         struct cli_credentials *server_credentials = NULL;
43         struct ncacn_packet *pkt = &call->pkt;
44         struct dcesrv_connection *dce_conn = call->conn;
45         struct dcesrv_auth *auth = &dce_conn->auth_state;
46         NTSTATUS status;
47         uint32_t auth_length;
48
49         if (pkt->auth_length == 0) {
50                 auth->auth_type = DCERPC_AUTH_TYPE_NONE;
51                 auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
52                 auth->auth_context_id = 0;
53                 return true;
54         }
55
56         status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.bind.auth_info,
57                                           &call->in_auth_info,
58                                           &auth_length, false);
59         if (!NT_STATUS_IS_OK(status)) {
60                 return false;
61         }
62
63         auth->auth_type = call->in_auth_info.auth_type;
64         auth->auth_level = call->in_auth_info.auth_level;
65         auth->auth_context_id = call->in_auth_info.auth_context_id;
66
67         server_credentials 
68                 = cli_credentials_init(call);
69         if (!server_credentials) {
70                 DEBUG(1, ("Failed to init server credentials\n"));
71                 return false;
72         }
73         
74         cli_credentials_set_conf(server_credentials, call->conn->dce_ctx->lp_ctx);
75         status = cli_credentials_set_machine_account(server_credentials, call->conn->dce_ctx->lp_ctx);
76         if (!NT_STATUS_IS_OK(status)) {
77                 DEBUG(1, ("Failed to obtain server credentials: %s\n",
78                           nt_errstr(status)));
79                 return false;
80         }
81
82         status = samba_server_gensec_start(dce_conn, call->event_ctx, 
83                                            call->msg_ctx,
84                                            call->conn->dce_ctx->lp_ctx,
85                                            server_credentials,
86                                            NULL,
87                                            &auth->gensec_security);
88         if (!NT_STATUS_IS_OK(status)) {
89                 DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
90                           nt_errstr(status)));
91                 return false;
92         }
93
94         if (call->conn->remote_address != NULL) {
95                 status = gensec_set_remote_address(auth->gensec_security,
96                                                 call->conn->remote_address);
97                 if (!NT_STATUS_IS_OK(status)) {
98                         DEBUG(1, ("Failed to call gensec_set_remote_address() %s\n",
99                                   nt_errstr(status)));
100                         return false;
101                 }
102         }
103
104         status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_type,
105                                                auth->auth_level);
106         if (!NT_STATUS_IS_OK(status)) {
107                 DEBUG(3, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n",
108                           (int)auth->auth_type,
109                           (int)auth->auth_level,
110                           nt_errstr(status)));
111                 return false;
112         }
113
114         return true;
115 }
116
117 /*
118   add any auth information needed in a bind ack, and process the authentication
119   information found in the bind.
120 */
121 NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
122 {
123         struct dcesrv_connection *dce_conn = call->conn;
124         NTSTATUS status;
125         bool want_header_signing = false;
126
127         dce_conn->allow_alter = true;
128         dce_conn->allow_auth3 = true;
129
130         if (call->pkt.auth_length == 0) {
131                 dce_conn->auth_state.auth_finished = true;
132                 dce_conn->allow_request = true;
133                 return NT_STATUS_OK;
134         }
135
136         /* We can't work without an existing gensec state */
137         if (!call->conn->auth_state.gensec_security) {
138                 return NT_STATUS_INTERNAL_ERROR;
139         }
140
141         if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
142                 dce_conn->auth_state.client_hdr_signing = true;
143                 want_header_signing = true;
144         }
145
146         if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
147                 want_header_signing = false;
148         }
149
150         call->_out_auth_info = (struct dcerpc_auth) {
151                 .auth_type = dce_conn->auth_state.auth_type,
152                 .auth_level = dce_conn->auth_state.auth_level,
153                 .auth_context_id = dce_conn->auth_state.auth_context_id,
154         };
155         call->out_auth_info = &call->_out_auth_info;
156
157         status = gensec_update_ev(dce_conn->auth_state.gensec_security,
158                                call, call->event_ctx,
159                                call->in_auth_info.credentials,
160                                &call->out_auth_info->credentials);
161         
162         if (NT_STATUS_IS_OK(status)) {
163                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
164                                              dce_conn,
165                                              &dce_conn->auth_state.session_info);
166                 if (!NT_STATUS_IS_OK(status)) {
167                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
168                         return status;
169                 }
170                 dce_conn->auth_state.auth_finished = true;
171                 dce_conn->allow_request = true;
172
173                 if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
174                                          GENSEC_FEATURE_SIGN_PKT_HEADER))
175                 {
176                         want_header_signing = false;
177                 }
178
179                 if (want_header_signing) {
180                         gensec_want_feature(dce_conn->auth_state.gensec_security,
181                                             GENSEC_FEATURE_SIGN_PKT_HEADER);
182                         dce_conn->auth_state.hdr_signing = true;
183                         pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
184                 }
185
186                 /* Now that we are authenticated, go back to the generic session key... */
187                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
188                 return NT_STATUS_OK;
189         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
190                 if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
191                                          GENSEC_FEATURE_SIGN_PKT_HEADER))
192                 {
193                         want_header_signing = false;
194                 }
195
196                 if (want_header_signing) {
197                         gensec_want_feature(dce_conn->auth_state.gensec_security,
198                                             GENSEC_FEATURE_SIGN_PKT_HEADER);
199                         dce_conn->auth_state.hdr_signing = true;
200                         pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
201                 }
202
203                 return NT_STATUS_OK;
204         } else {
205                 DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
206                           nt_errstr(status)));
207                 return status;
208         }
209 }
210
211
212 /*
213   process the final stage of a auth request
214 */
215 bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
216 {
217         struct ncacn_packet *pkt = &call->pkt;
218         struct dcesrv_connection *dce_conn = call->conn;
219         NTSTATUS status;
220         uint32_t auth_length;
221
222         if (pkt->auth_length == 0) {
223                 return false;
224         }
225
226         if (dce_conn->auth_state.auth_finished) {
227                 return false;
228         }
229
230         /* We can't work without an existing gensec state */
231         if (!dce_conn->auth_state.gensec_security) {
232                 return false;
233         }
234
235         status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.auth3.auth_info,
236                                           &call->in_auth_info, &auth_length, true);
237         if (!NT_STATUS_IS_OK(status)) {
238                 return false;
239         }
240
241         if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
242                 return false;
243         }
244
245         if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
246                 return false;
247         }
248
249         if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
250                 return false;
251         }
252
253         call->_out_auth_info = (struct dcerpc_auth) {
254                 .auth_type = dce_conn->auth_state.auth_type,
255                 .auth_level = dce_conn->auth_state.auth_level,
256                 .auth_context_id = dce_conn->auth_state.auth_context_id,
257         };
258         call->out_auth_info = &call->_out_auth_info;
259
260         /* Pass the extra data we got from the client down to gensec for processing */
261         status = gensec_update_ev(dce_conn->auth_state.gensec_security,
262                                call, call->event_ctx,
263                                call->in_auth_info.credentials,
264                                &call->out_auth_info->credentials);
265         if (NT_STATUS_IS_OK(status)) {
266                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
267                                              dce_conn,
268                                              &dce_conn->auth_state.session_info);
269                 if (!NT_STATUS_IS_OK(status)) {
270                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
271                         return false;
272                 }
273                 dce_conn->auth_state.auth_finished = true;
274                 dce_conn->allow_request = true;
275
276                 /* Now that we are authenticated, go back to the generic session key... */
277                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
278
279                 if (call->out_auth_info->credentials.length != 0) {
280
281                         DEBUG(4, ("GENSEC produced output token (len=%u) at bind_auth3\n",
282                                   (unsigned)call->out_auth_info->credentials.length));
283                         return false;
284                 }
285                 return true;
286         } else {
287                 DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_auth3: %s\n",
288                           nt_errstr(status)));
289                 return false;
290         }
291 }
292
293 /*
294   parse any auth information from a dcerpc alter request
295   return false if we can't handle the auth request for some 
296   reason (in which case we send a bind_nak (is this true for here?))
297 */
298 bool dcesrv_auth_alter(struct dcesrv_call_state *call)
299 {
300         struct ncacn_packet *pkt = &call->pkt;
301         struct dcesrv_connection *dce_conn = call->conn;
302         NTSTATUS status;
303         uint32_t auth_length;
304
305         /* on a pure interface change there is no auth blob */
306         if (pkt->auth_length == 0) {
307                 if (!dce_conn->auth_state.auth_finished) {
308                         return false;
309                 }
310                 return true;
311         }
312
313         if (dce_conn->auth_state.auth_finished) {
314                 return false;
315         }
316
317         /* We can't work without an existing gensec state */
318         if (!dce_conn->auth_state.gensec_security) {
319                 return false;
320         }
321
322         status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.alter.auth_info,
323                                           &call->in_auth_info, &auth_length, true);
324         if (!NT_STATUS_IS_OK(status)) {
325                 return false;
326         }
327
328         if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
329                 return false;
330         }
331
332         if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
333                 return false;
334         }
335
336         if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
337                 return false;
338         }
339
340         return true;
341 }
342
343 /*
344   add any auth information needed in a alter ack, and process the authentication
345   information found in the alter.
346 */
347 NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
348 {
349         struct dcesrv_connection *dce_conn = call->conn;
350         NTSTATUS status;
351
352         /* on a pure interface change there is no auth_info structure
353            setup */
354         if (call->pkt.auth_length == 0) {
355                 return NT_STATUS_OK;
356         }
357
358         if (!call->conn->auth_state.gensec_security) {
359                 return NT_STATUS_INTERNAL_ERROR;
360         }
361
362         call->_out_auth_info = (struct dcerpc_auth) {
363                 .auth_type = dce_conn->auth_state.auth_type,
364                 .auth_level = dce_conn->auth_state.auth_level,
365                 .auth_context_id = dce_conn->auth_state.auth_context_id,
366         };
367         call->out_auth_info = &call->_out_auth_info;
368
369         status = gensec_update_ev(dce_conn->auth_state.gensec_security,
370                                call, call->event_ctx,
371                                call->in_auth_info.credentials,
372                                &call->out_auth_info->credentials);
373
374         if (NT_STATUS_IS_OK(status)) {
375                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
376                                              dce_conn,
377                                              &dce_conn->auth_state.session_info);
378                 if (!NT_STATUS_IS_OK(status)) {
379                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
380                         return status;
381                 }
382                 dce_conn->auth_state.auth_finished = true;
383                 dce_conn->allow_request = true;
384
385                 /* Now that we are authenticated, got back to the generic session key... */
386                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
387                 return NT_STATUS_OK;
388         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
389                 return NT_STATUS_OK;
390         }
391
392         DEBUG(4, ("GENSEC mech rejected the incoming authentication at auth alter_ack: %s\n",
393                   nt_errstr(status)));
394         return status;
395 }
396
397 /*
398   check credentials on a request
399 */
400 bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
401 {
402         struct ncacn_packet *pkt = &call->pkt;
403         struct dcesrv_connection *dce_conn = call->conn;
404         NTSTATUS status;
405         uint32_t auth_length;
406         size_t hdr_size = DCERPC_REQUEST_LENGTH;
407
408         if (!dce_conn->allow_request) {
409                 return false;
410         }
411
412         if (dce_conn->auth_state.auth_invalid) {
413                 return false;
414         }
415
416         if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
417                 hdr_size += 16;
418         }
419
420         switch (dce_conn->auth_state.auth_level) {
421         case DCERPC_AUTH_LEVEL_PRIVACY:
422         case DCERPC_AUTH_LEVEL_INTEGRITY:
423                 break;
424
425         case DCERPC_AUTH_LEVEL_CONNECT:
426                 if (pkt->auth_length != 0) {
427                         break;
428                 }
429                 return true;
430         case DCERPC_AUTH_LEVEL_NONE:
431                 if (pkt->auth_length != 0) {
432                         return false;
433                 }
434                 return true;
435
436         default:
437                 return false;
438         }
439
440         if (!dce_conn->auth_state.gensec_security) {
441                 return false;
442         }
443
444         status = dcerpc_pull_auth_trailer(pkt, call,
445                                           &pkt->u.request.stub_and_verifier,
446                                           &call->in_auth_info, &auth_length, false);
447         if (!NT_STATUS_IS_OK(status)) {
448                 return false;
449         }
450
451         if (call->in_auth_info.auth_type != dce_conn->auth_state.auth_type) {
452                 return false;
453         }
454
455         if (call->in_auth_info.auth_level != dce_conn->auth_state.auth_level) {
456                 return false;
457         }
458
459         if (call->in_auth_info.auth_context_id != dce_conn->auth_state.auth_context_id) {
460                 return false;
461         }
462
463         pkt->u.request.stub_and_verifier.length -= auth_length;
464
465         /* check signature or unseal the packet */
466         switch (dce_conn->auth_state.auth_level) {
467         case DCERPC_AUTH_LEVEL_PRIVACY:
468                 status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
469                                               full_packet->data + hdr_size,
470                                               pkt->u.request.stub_and_verifier.length, 
471                                               full_packet->data,
472                                               full_packet->length-
473                                               call->in_auth_info.credentials.length,
474                                               &call->in_auth_info.credentials);
475                 memcpy(pkt->u.request.stub_and_verifier.data, 
476                        full_packet->data + hdr_size,
477                        pkt->u.request.stub_and_verifier.length);
478                 break;
479
480         case DCERPC_AUTH_LEVEL_INTEGRITY:
481                 status = gensec_check_packet(dce_conn->auth_state.gensec_security,
482                                              pkt->u.request.stub_and_verifier.data, 
483                                              pkt->u.request.stub_and_verifier.length,
484                                              full_packet->data,
485                                              full_packet->length-
486                                              call->in_auth_info.credentials.length,
487                                              &call->in_auth_info.credentials);
488                 break;
489
490         case DCERPC_AUTH_LEVEL_CONNECT:
491                 /* for now we ignore possible signatures here */
492                 status = NT_STATUS_OK;
493                 break;
494
495         default:
496                 status = NT_STATUS_INVALID_LEVEL;
497                 break;
498         }
499
500         /* remove the indicated amount of padding */
501         if (pkt->u.request.stub_and_verifier.length < call->in_auth_info.auth_pad_length) {
502                 return false;
503         }
504         pkt->u.request.stub_and_verifier.length -= call->in_auth_info.auth_pad_length;
505
506         return NT_STATUS_IS_OK(status);
507 }
508
509
510 /* 
511    push a signed or sealed dcerpc request packet into a blob
512 */
513 bool dcesrv_auth_response(struct dcesrv_call_state *call,
514                           DATA_BLOB *blob, size_t sig_size,
515                           struct ncacn_packet *pkt)
516 {
517         struct dcesrv_connection *dce_conn = call->conn;
518         NTSTATUS status;
519         enum ndr_err_code ndr_err;
520         struct ndr_push *ndr;
521         uint32_t payload_length;
522         DATA_BLOB creds2;
523
524         switch (dce_conn->auth_state.auth_level) {
525         case DCERPC_AUTH_LEVEL_PRIVACY:
526         case DCERPC_AUTH_LEVEL_INTEGRITY:
527                 if (sig_size == 0) {
528                         return false;
529                 }
530
531                 break;
532
533         case DCERPC_AUTH_LEVEL_CONNECT:
534                 /*
535                  * TODO: let the gensec mech decide if it wants to generate a
536                  *       signature that might be needed for schannel...
537                  */
538                 status = ncacn_push_auth(blob, call, pkt, NULL);
539                 return NT_STATUS_IS_OK(status);
540
541         case DCERPC_AUTH_LEVEL_NONE:
542                 status = ncacn_push_auth(blob, call, pkt, NULL);
543                 return NT_STATUS_IS_OK(status);
544
545         default:
546                 return false;
547         }
548
549         if (!dce_conn->auth_state.gensec_security) {
550                 return false;
551         }
552
553         ndr = ndr_push_init_ctx(call);
554         if (!ndr) {
555                 return false;
556         }
557
558         if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
559                 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
560         }
561
562         ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
563         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
564                 return false;
565         }
566
567         call->_out_auth_info = (struct dcerpc_auth) {
568                 .auth_type = dce_conn->auth_state.auth_type,
569                 .auth_level = dce_conn->auth_state.auth_level,
570                 .auth_context_id = dce_conn->auth_state.auth_context_id,
571         };
572         call->out_auth_info = &call->_out_auth_info;
573
574         /* pad to 16 byte multiple in the payload portion of the
575            packet. This matches what w2k3 does. Note that we can't use
576            ndr_push_align() as that is relative to the start of the
577            whole packet, whereas w2k8 wants it relative to the start
578            of the stub */
579         call->out_auth_info->auth_pad_length =
580                 DCERPC_AUTH_PAD_LENGTH(pkt->u.response.stub_and_verifier.length);
581         ndr_err = ndr_push_zero(ndr, call->out_auth_info->auth_pad_length);
582         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
583                 return false;
584         }
585
586         payload_length = pkt->u.response.stub_and_verifier.length +
587                 call->out_auth_info->auth_pad_length;
588
589         /* add the auth verifier */
590         ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS,
591                                        call->out_auth_info);
592         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
593                 return false;
594         }
595
596         /* extract the whole packet as a blob */
597         *blob = ndr_push_blob(ndr);
598
599         /*
600          * Setup the frag and auth length in the packet buffer.
601          * This is needed if the GENSEC mech does AEAD signing
602          * of the packet headers. The signature itself will be
603          * appended later.
604          */
605         dcerpc_set_frag_length(blob, blob->length + sig_size);
606         dcerpc_set_auth_length(blob, sig_size);
607
608         /* sign or seal the packet */
609         switch (dce_conn->auth_state.auth_level) {
610         case DCERPC_AUTH_LEVEL_PRIVACY:
611                 status = gensec_seal_packet(dce_conn->auth_state.gensec_security, 
612                                             call,
613                                             ndr->data + DCERPC_REQUEST_LENGTH, 
614                                             payload_length,
615                                             blob->data,
616                                             blob->length,
617                                             &creds2);
618                 break;
619
620         case DCERPC_AUTH_LEVEL_INTEGRITY:
621                 status = gensec_sign_packet(dce_conn->auth_state.gensec_security, 
622                                             call,
623                                             ndr->data + DCERPC_REQUEST_LENGTH, 
624                                             payload_length,
625                                             blob->data,
626                                             blob->length,
627                                             &creds2);
628                 break;
629
630         default:
631                 status = NT_STATUS_INVALID_LEVEL;
632                 break;
633         }
634
635         if (!NT_STATUS_IS_OK(status)) {
636                 return false;
637         }       
638
639         if (creds2.length != sig_size) {
640                 DEBUG(3,("dcesrv_auth_response: creds2.length[%u] != sig_size[%u] pad[%u] stub[%u]\n",
641                          (unsigned)creds2.length, (uint32_t)sig_size,
642                          (unsigned)call->out_auth_info->auth_pad_length,
643                          (unsigned)pkt->u.response.stub_and_verifier.length));
644                 dcerpc_set_frag_length(blob, blob->length + creds2.length);
645                 dcerpc_set_auth_length(blob, creds2.length);
646         }
647
648         if (!data_blob_append(call, blob, creds2.data, creds2.length)) {
649                 status = NT_STATUS_NO_MEMORY;
650                 return false;
651         }
652         data_blob_free(&creds2);
653
654         return true;
655 }