source4/rpc_server/dcesrv_auth.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    server side dcerpc authentication code
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Stefan (metze) Metzmacher 2004
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "rpc_server/dcerpc_server.h"
  26 #include "librpc/gen_ndr/ndr_dcerpc.h"
  27
  28 /*
  29   parse any auth information from a dcerpc bind request
  30   return False if we can't handle the auth request for some
  31   reason (in which case we send a bind_nak)
  32 */
  33 BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
  34 {
  35         struct ncacn_packet *pkt = &call->pkt;
  36         struct dcesrv_connection *dce_conn = call->conn;
  37         struct dcesrv_auth *auth = &dce_conn->auth_state;
  38         NTSTATUS status;
  39
  40         if (pkt->u.bind.auth_info.length == 0) {
  41                 dce_conn->auth_state.auth_info = NULL;
  42                 return True;
  43         }
  44
  45         dce_conn->auth_state.auth_info = talloc(dce_conn, struct dcerpc_auth);
  46         if (!dce_conn->auth_state.auth_info) {
  47                 return False;
  48         }
  49
  50         status = ndr_pull_struct_blob(&pkt->u.bind.auth_info,
  51                                       call,
  52                                       dce_conn->auth_state.auth_info,
  53                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
  54         if (!NT_STATUS_IS_OK(status)) {
  55                 return False;
  56         }
  57
  58         status = gensec_server_start(dce_conn, &auth->gensec_security, call->event_ctx);
  59         if (!NT_STATUS_IS_OK(status)) {
  60                 DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status)));
  61                 return False;
  62         }
  63
  64         status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type,
  65                                                auth->auth_info->auth_level);
  66
  67         if (!NT_STATUS_IS_OK(status)) {
  68                 DEBUG(1, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n",
  69                           (int)auth->auth_info->auth_type,
  70                           (int)auth->auth_info->auth_level,
  71                           nt_errstr(status)));
  72                 return False;
  73         }
  74
  75         return True;
  76 }
  77
  78 /*
  79   add any auth information needed in a bind ack, and process the authentication
  80   information found in the bind.
  81 */
  82 BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
  83 {
  84         struct dcesrv_connection *dce_conn = call->conn;
  85         NTSTATUS status;
  86
  87         if (!call->conn->auth_state.gensec_security) {
  88                 return True;
  89         }
  90
  91         status = gensec_update(dce_conn->auth_state.gensec_security,
  92                                call,
  93                                dce_conn->auth_state.auth_info->credentials,
  94                                &dce_conn->auth_state.auth_info->credentials);
  95
  96         if (NT_STATUS_IS_OK(status)) {
  97                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
  98                                              &dce_conn->auth_state.session_info);
  99                 if (!NT_STATUS_IS_OK(status)) {
 100                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
 101                         return False;
 102                 }
 103
 104                 /* Now that we are authenticated, go back to the generic session key... */
 105                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
 106                 return True;
 107         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 108                 dce_conn->auth_state.auth_info->auth_pad_length = 0;
 109                 dce_conn->auth_state.auth_info->auth_reserved = 0;
 110                 return True;
 111         } else {
 112                 DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status)));
 113                 return False;
 114         }
 115 }
 116
 117
 118 /*
 119   process the final stage of a auth request
 120 */
 121 BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call)
 122 {
 123         struct ncacn_packet *pkt = &call->pkt;
 124         struct dcesrv_connection *dce_conn = call->conn;
 125         NTSTATUS status;
 126
 127         /* We can't work without an existing gensec state, and an new blob to feed it */
 128         if (!dce_conn->auth_state.auth_info ||
 129             !dce_conn->auth_state.gensec_security ||
 130             pkt->u.auth3.auth_info.length == 0) {
 131                 return False;
 132         }
 133
 134         status = ndr_pull_struct_blob(&pkt->u.auth3.auth_info,
 135                                       call,
 136                                       dce_conn->auth_state.auth_info,
 137                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
 138         if (!NT_STATUS_IS_OK(status)) {
 139                 return False;
 140         }
 141
 142         /* Pass the extra data we got from the client down to gensec for processing */
 143         status = gensec_update(dce_conn->auth_state.gensec_security,
 144                                call,
 145                                dce_conn->auth_state.auth_info->credentials,
 146                                &dce_conn->auth_state.auth_info->credentials);
 147         if (NT_STATUS_IS_OK(status)) {
 148                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
 149                                              &dce_conn->auth_state.session_info);
 150                 if (!NT_STATUS_IS_OK(status)) {
 151                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
 152                         return False;
 153                 }
 154                 /* Now that we are authenticated, go back to the generic session key... */
 155                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
 156                 return True;
 157         } else {
 158                 DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n",
 159                           nt_errstr(status)));
 160                 return False;
 161         }
 162
 163         return True;
 164 }
 165
 166 /*
 167   parse any auth information from a dcerpc alter request
 168   return False if we can't handle the auth request for some
 169   reason (in which case we send a bind_nak (is this true for here?))
 170 */
 171 BOOL dcesrv_auth_alter(struct dcesrv_call_state *call)
 172 {
 173         struct ncacn_packet *pkt = &call->pkt;
 174         struct dcesrv_connection *dce_conn = call->conn;
 175         NTSTATUS status;
 176
 177         /* on a pure interface change there is no auth blob */
 178         if (pkt->u.alter.auth_info.length == 0) {
 179                 return True;
 180         }
 181
 182         /* We can't work without an existing gensec state */
 183         if (!dce_conn->auth_state.gensec_security) {
 184                 return False;
 185         }
 186
 187         dce_conn->auth_state.auth_info = talloc(dce_conn, struct dcerpc_auth);
 188         if (!dce_conn->auth_state.auth_info) {
 189                 return False;
 190         }
 191
 192         status = ndr_pull_struct_blob(&pkt->u.alter.auth_info,
 193                                       call,
 194                                       dce_conn->auth_state.auth_info,
 195                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
 196         if (!NT_STATUS_IS_OK(status)) {
 197                 return False;
 198         }
 199
 200         return True;
 201 }
 202
 203 /*
 204   add any auth information needed in a alter ack, and process the authentication
 205   information found in the alter.
 206 */
 207 BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
 208 {
 209         struct dcesrv_connection *dce_conn = call->conn;
 210         NTSTATUS status;
 211
 212         /* on a pure interface change there is no auth_info structure
 213            setup */
 214         if (!call->conn->auth_state.auth_info) {
 215                 return True;
 216         }
 217
 218         if (!call->conn->auth_state.gensec_security) {
 219                 return False;
 220         }
 221
 222         status = gensec_update(dce_conn->auth_state.gensec_security,
 223                                call,
 224                                dce_conn->auth_state.auth_info->credentials,
 225                                &dce_conn->auth_state.auth_info->credentials);
 226
 227         if (NT_STATUS_IS_OK(status)) {
 228                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
 229                                              &dce_conn->auth_state.session_info);
 230                 if (!NT_STATUS_IS_OK(status)) {
 231                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
 232                         return False;
 233                 }
 234
 235                 /* Now that we are authenticated, got back to the generic session key... */
 236                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
 237                 return True;
 238         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 239                 dce_conn->auth_state.auth_info->auth_pad_length = 0;
 240                 dce_conn->auth_state.auth_info->auth_reserved = 0;
 241                 return True;
 242         } else {
 243                 DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status)));
 244                 return True;
 245         }
 246 }
 247
 248 /*
 249   generate a CONNECT level verifier
 250 */
 251 static NTSTATUS dcesrv_connect_verifier(TALLOC_CTX *mem_ctx, DATA_BLOB *blob)
 252 {
 253         *blob = data_blob_talloc(mem_ctx, NULL, 16);
 254         if (blob->data == NULL) {
 255                 return NT_STATUS_NO_MEMORY;
 256         }
 257         SIVAL(blob->data, 0, 1);
 258         memset(blob->data+4, 0, 12);
 259         return NT_STATUS_OK;
 260 }
 261
 262 /*
 263   generate a CONNECT level verifier
 264 */
 265 static NTSTATUS dcesrv_check_connect_verifier(DATA_BLOB *blob)
 266 {
 267         if (blob->length != 16 ||
 268             IVAL(blob->data, 0) != 1) {
 269                 return NT_STATUS_ACCESS_DENIED;
 270         }
 271         return NT_STATUS_OK;
 272 }
 273
 274
 275 /*
 276   check credentials on a request
 277 */
 278 BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
 279 {
 280         struct ncacn_packet *pkt = &call->pkt;
 281         struct dcesrv_connection *dce_conn = call->conn;
 282         DATA_BLOB auth_blob;
 283         struct dcerpc_auth auth;
 284         struct ndr_pull *ndr;
 285         NTSTATUS status;
 286
 287         if (!dce_conn->auth_state.auth_info ||
 288             !dce_conn->auth_state.gensec_security) {
 289                 return True;
 290         }
 291
 292         auth_blob.length = 8 + pkt->auth_length;
 293
 294         /* check for a valid length */
 295         if (pkt->u.request.stub_and_verifier.length < auth_blob.length) {
 296                 return False;
 297         }
 298
 299         auth_blob.data =
 300                 pkt->u.request.stub_and_verifier.data +
 301                 pkt->u.request.stub_and_verifier.length - auth_blob.length;
 302         pkt->u.request.stub_and_verifier.length -= auth_blob.length;
 303
 304         /* pull the auth structure */
 305         ndr = ndr_pull_init_blob(&auth_blob, call);
 306         if (!ndr) {
 307                 return False;
 308         }
 309
 310         if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
 311                 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
 312         }
 313
 314         status = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth);
 315         if (!NT_STATUS_IS_OK(status)) {
 316                 talloc_free(ndr);
 317                 return False;
 318         }
 319
 320         /* check signature or unseal the packet */
 321         switch (dce_conn->auth_state.auth_info->auth_level) {
 322         case DCERPC_AUTH_LEVEL_PRIVACY:
 323                 status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
 324                                               call,
 325                                               full_packet->data + DCERPC_REQUEST_LENGTH,
 326                                               pkt->u.request.stub_and_verifier.length,
 327                                               full_packet->data,
 328                                               full_packet->length-auth.credentials.length,
 329                                               &auth.credentials);
 330                 memcpy(pkt->u.request.stub_and_verifier.data,
 331                        full_packet->data + DCERPC_REQUEST_LENGTH,
 332                        pkt->u.request.stub_and_verifier.length);
 333                 break;
 334
 335         case DCERPC_AUTH_LEVEL_INTEGRITY:
 336                 status = gensec_check_packet(dce_conn->auth_state.gensec_security,
 337                                              call,
 338                                              pkt->u.request.stub_and_verifier.data,
 339                                              pkt->u.request.stub_and_verifier.length,
 340                                              full_packet->data,
 341                                              full_packet->length-auth.credentials.length,
 342                                              &auth.credentials);
 343                 break;
 344
 345         case DCERPC_AUTH_LEVEL_CONNECT:
 346                 status = dcesrv_check_connect_verifier(&auth.credentials);
 347                 break;
 348
 349         default:
 350                 status = NT_STATUS_INVALID_LEVEL;
 351                 break;
 352         }
 353
 354         /* remove the indicated amount of padding */
 355         if (pkt->u.request.stub_and_verifier.length < auth.auth_pad_length) {
 356                 talloc_free(ndr);
 357                 return False;
 358         }
 359         pkt->u.request.stub_and_verifier.length -= auth.auth_pad_length;
 360         talloc_free(ndr);
 361
 362         return NT_STATUS_IS_OK(status);
 363 }
 364
 365
 366 /*
 367    push a signed or sealed dcerpc request packet into a blob
 368 */
 369 BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
 370                           DATA_BLOB *blob, struct ncacn_packet *pkt)
 371 {
 372         struct dcesrv_connection *dce_conn = call->conn;
 373         NTSTATUS status;
 374         struct ndr_push *ndr;
 375         uint32_t payload_length;
 376
 377         /* non-signed packets are simple */
 378         if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) {
 379                 status = ncacn_push_auth(blob, call, pkt, NULL);
 380                 return NT_STATUS_IS_OK(status);
 381         }
 382
 383         ndr = ndr_push_init_ctx(call);
 384         if (!ndr) {
 385                 return False;
 386         }
 387
 388         if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
 389                 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
 390         }
 391
 392         status = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
 393         if (!NT_STATUS_IS_OK(status)) {
 394                 return False;
 395         }
 396
 397         /* pad to 16 byte multiple, match win2k3 */
 398         dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 16);
 399         ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length);
 400
 401         payload_length = ndr->offset - DCERPC_REQUEST_LENGTH;
 402
 403         if (dce_conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
 404                 status = dcesrv_connect_verifier(call,
 405                                                  &dce_conn->auth_state.auth_info->credentials);
 406                 if (!NT_STATUS_IS_OK(status)) {
 407                         return False;
 408                 }
 409         } else {
 410                 dce_conn->auth_state.auth_info->credentials
 411                         = data_blob_talloc(call, NULL,
 412                                            gensec_sig_size(dce_conn->auth_state.gensec_security,
 413                                                            payload_length));
 414         }
 415
 416         /* add the auth verifier */
 417         status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info);
 418         if (!NT_STATUS_IS_OK(status)) {
 419                 return False;
 420         }
 421
 422         /* extract the whole packet as a blob */
 423         *blob = ndr_push_blob(ndr);
 424
 425         /* fill in the fragment length and auth_length, we can't fill
 426            in these earlier as we don't know the signature length (it
 427            could be variable length) */
 428         dcerpc_set_frag_length(blob, blob->length);
 429         dcerpc_set_auth_length(blob, dce_conn->auth_state.auth_info->credentials.length);
 430
 431         /* sign or seal the packet */
 432         switch (dce_conn->auth_state.auth_info->auth_level) {
 433         case DCERPC_AUTH_LEVEL_PRIVACY:
 434                 status = gensec_seal_packet(dce_conn->auth_state.gensec_security,
 435                                             call,
 436                                             ndr->data + DCERPC_REQUEST_LENGTH,
 437                                             payload_length,
 438                                             blob->data,
 439                                             blob->length - dce_conn->auth_state.auth_info->credentials.length,
 440                                             &dce_conn->auth_state.auth_info->credentials);
 441                 break;
 442
 443         case DCERPC_AUTH_LEVEL_INTEGRITY:
 444                 status = gensec_sign_packet(dce_conn->auth_state.gensec_security,
 445                                             call,
 446                                             ndr->data + DCERPC_REQUEST_LENGTH,
 447                                             payload_length,
 448                                             blob->data,
 449                                             blob->length - dce_conn->auth_state.auth_info->credentials.length,
 450                                             &dce_conn->auth_state.auth_info->credentials);
 451
 452                 break;
 453
 454         case DCERPC_AUTH_LEVEL_CONNECT:
 455                 break;
 456
 457         default:
 458                 status = NT_STATUS_INVALID_LEVEL;
 459                 break;
 460         }
 461
 462         if (!NT_STATUS_IS_OK(status)) {
 463                 return False;
 464         }
 465
 466         memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length,
 467                dce_conn->auth_state.auth_info->credentials.data, dce_conn->auth_state.auth_info->credentials.length);
 468
 469         data_blob_free(&dce_conn->auth_state.auth_info->credentials);
 470
 471         return True;
 472 }