4d708e4dffd06fd633d333d0ae687f4d50bc9347
[ira/wip.git] / source4 / rpc_server / dcesrv_auth.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    server side dcerpc authentication code
5
6    Copyright (C) Andrew Tridgell 2003
7    Copyright (C) Stefan (metze) Metzmacher 2004
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "rpc_server/dcerpc_server.h"
25 #include "rpc_server/dcerpc_server_proto.h"
26 #include "librpc/rpc/dcerpc_proto.h"
27 #include "librpc/gen_ndr/ndr_dcerpc.h"
28 #include "auth/credentials/credentials.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/auth.h"
31 #include "param/param.h"
32
33 /*
34   parse any auth information from a dcerpc bind request
35   return false if we can't handle the auth request for some 
36   reason (in which case we send a bind_nak)
37 */
38 bool dcesrv_auth_bind(struct dcesrv_call_state *call)
39 {
40         struct cli_credentials *server_credentials;
41         struct ncacn_packet *pkt = &call->pkt;
42         struct dcesrv_connection *dce_conn = call->conn;
43         struct dcesrv_auth *auth = &dce_conn->auth_state;
44         NTSTATUS status;
45         uint32_t auth_length;
46
47         if (pkt->u.bind.auth_info.length == 0) {
48                 dce_conn->auth_state.auth_info = NULL;
49                 return true;
50         }
51
52         dce_conn->auth_state.auth_info = talloc(dce_conn, struct dcerpc_auth);
53         if (!dce_conn->auth_state.auth_info) {
54                 return false;
55         }
56
57         status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.bind.auth_info,
58                                           dce_conn->auth_state.auth_info,
59                                           &auth_length, false);
60         server_credentials 
61                 = cli_credentials_init(call);
62         if (!server_credentials) {
63                 DEBUG(1, ("Failed to init server credentials\n"));
64                 return false;
65         }
66         
67         cli_credentials_set_conf(server_credentials, call->conn->dce_ctx->lp_ctx);
68         status = cli_credentials_set_machine_account(server_credentials, call->conn->dce_ctx->lp_ctx);
69         if (!NT_STATUS_IS_OK(status)) {
70                 DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
71                 talloc_free(server_credentials);
72                 server_credentials = NULL;
73         }
74
75         status = samba_server_gensec_start(dce_conn, call->event_ctx, 
76                                            call->msg_ctx,
77                                            call->conn->dce_ctx->lp_ctx, 
78                                            server_credentials,
79                                            NULL,
80                                            &auth->gensec_security);
81
82         status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type, 
83                                                auth->auth_info->auth_level);
84
85         if (!NT_STATUS_IS_OK(status)) {
86                 DEBUG(1, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n", 
87                           (int)auth->auth_info->auth_type,
88                           (int)auth->auth_info->auth_level,
89                           nt_errstr(status)));
90                 return false;
91         }
92
93         if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
94                 gensec_want_feature(auth->gensec_security, GENSEC_FEATURE_SIGN_PKT_HEADER);
95         }
96
97         return true;
98 }
99
100 /*
101   add any auth information needed in a bind ack, and process the authentication
102   information found in the bind.
103 */
104 NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
105 {
106         struct dcesrv_connection *dce_conn = call->conn;
107         NTSTATUS status;
108
109         if (!call->conn->auth_state.gensec_security) {
110                 return NT_STATUS_OK;
111         }
112
113         status = gensec_update(dce_conn->auth_state.gensec_security,
114                                call,
115                                dce_conn->auth_state.auth_info->credentials, 
116                                &dce_conn->auth_state.auth_info->credentials);
117         
118         if (NT_STATUS_IS_OK(status)) {
119                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
120                                              &dce_conn->auth_state.session_info);
121                 if (!NT_STATUS_IS_OK(status)) {
122                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
123                         return status;
124                 }
125
126                 if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
127                         gensec_want_feature(dce_conn->auth_state.gensec_security,
128                                             GENSEC_FEATURE_SIGN_PKT_HEADER);
129                 }
130
131                 /* Now that we are authenticated, go back to the generic session key... */
132                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
133                 return NT_STATUS_OK;
134         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
135                 dce_conn->auth_state.auth_info->auth_pad_length = 0;
136                 dce_conn->auth_state.auth_info->auth_reserved = 0;
137                 return NT_STATUS_OK;
138         } else {
139                 DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status)));
140                 return status;
141         }
142 }
143
144
145 /*
146   process the final stage of a auth request
147 */
148 bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
149 {
150         struct ncacn_packet *pkt = &call->pkt;
151         struct dcesrv_connection *dce_conn = call->conn;
152         NTSTATUS status;
153         uint32_t auth_length;
154
155         /* We can't work without an existing gensec state, and an new blob to feed it */
156         if (!dce_conn->auth_state.auth_info ||
157             !dce_conn->auth_state.gensec_security ||
158             pkt->u.auth3.auth_info.length == 0) {
159                 return false;
160         }
161
162         status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.auth3.auth_info,
163                                           dce_conn->auth_state.auth_info, &auth_length, true);
164         if (!NT_STATUS_IS_OK(status)) {
165                 return false;
166         }
167
168         /* Pass the extra data we got from the client down to gensec for processing */
169         status = gensec_update(dce_conn->auth_state.gensec_security,
170                                call,
171                                dce_conn->auth_state.auth_info->credentials, 
172                                &dce_conn->auth_state.auth_info->credentials);
173         if (NT_STATUS_IS_OK(status)) {
174                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
175                                              &dce_conn->auth_state.session_info);
176                 if (!NT_STATUS_IS_OK(status)) {
177                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
178                         return false;
179                 }
180                 /* Now that we are authenticated, go back to the generic session key... */
181                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
182                 return true;
183         } else {
184                 DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n", 
185                           nt_errstr(status)));
186                 return false;
187         }
188
189         return true;
190 }
191
192 /*
193   parse any auth information from a dcerpc alter request
194   return false if we can't handle the auth request for some 
195   reason (in which case we send a bind_nak (is this true for here?))
196 */
197 bool dcesrv_auth_alter(struct dcesrv_call_state *call)
198 {
199         struct ncacn_packet *pkt = &call->pkt;
200         struct dcesrv_connection *dce_conn = call->conn;
201         NTSTATUS status;
202         uint32_t auth_length;
203
204         /* on a pure interface change there is no auth blob */
205         if (pkt->u.alter.auth_info.length == 0) {
206                 return true;
207         }
208
209         /* We can't work without an existing gensec state */
210         if (!dce_conn->auth_state.gensec_security) {
211                 return false;
212         }
213
214         dce_conn->auth_state.auth_info = talloc(dce_conn, struct dcerpc_auth);
215         if (!dce_conn->auth_state.auth_info) {
216                 return false;
217         }
218
219         status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.alter.auth_info,
220                                           dce_conn->auth_state.auth_info,
221                                           &auth_length, true);
222         if (!NT_STATUS_IS_OK(status)) {
223                 return false;
224         }
225
226         return true;
227 }
228
229 /*
230   add any auth information needed in a alter ack, and process the authentication
231   information found in the alter.
232 */
233 NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
234 {
235         struct dcesrv_connection *dce_conn = call->conn;
236         NTSTATUS status;
237
238         /* on a pure interface change there is no auth_info structure
239            setup */
240         if (!call->conn->auth_state.auth_info ||
241             dce_conn->auth_state.auth_info->credentials.length == 0) {
242                 return NT_STATUS_OK;
243         }
244
245         if (!call->conn->auth_state.gensec_security) {
246                 return NT_STATUS_INVALID_PARAMETER;
247         }
248
249         status = gensec_update(dce_conn->auth_state.gensec_security,
250                                call,
251                                dce_conn->auth_state.auth_info->credentials, 
252                                &dce_conn->auth_state.auth_info->credentials);
253
254         if (NT_STATUS_IS_OK(status)) {
255                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
256                                              &dce_conn->auth_state.session_info);
257                 if (!NT_STATUS_IS_OK(status)) {
258                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
259                         return status;
260                 }
261
262                 /* Now that we are authenticated, got back to the generic session key... */
263                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
264                 return NT_STATUS_OK;
265         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
266                 dce_conn->auth_state.auth_info->auth_pad_length = 0;
267                 dce_conn->auth_state.auth_info->auth_reserved = 0;
268                 return NT_STATUS_OK;
269         }
270
271         DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status)));
272         return status;
273 }
274
275 /*
276   check credentials on a request
277 */
278 bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
279 {
280         struct ncacn_packet *pkt = &call->pkt;
281         struct dcesrv_connection *dce_conn = call->conn;
282         struct dcerpc_auth auth;
283         NTSTATUS status;
284         uint32_t auth_length;
285         size_t hdr_size = DCERPC_REQUEST_LENGTH;
286
287         if (!dce_conn->auth_state.auth_info ||
288             !dce_conn->auth_state.gensec_security) {
289                 return true;
290         }
291
292         if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
293                 hdr_size += 16;
294         }
295
296         switch (dce_conn->auth_state.auth_info->auth_level) {
297         case DCERPC_AUTH_LEVEL_PRIVACY:
298         case DCERPC_AUTH_LEVEL_INTEGRITY:
299                 break;
300
301         case DCERPC_AUTH_LEVEL_CONNECT:
302                 if (pkt->auth_length != 0) {
303                         break;
304                 }
305                 return true;
306         case DCERPC_AUTH_LEVEL_NONE:
307                 if (pkt->auth_length != 0) {
308                         return false;
309                 }
310                 return true;
311
312         default:
313                 return false;
314         }
315
316         status = dcerpc_pull_auth_trailer(pkt, call,
317                                           &pkt->u.request.stub_and_verifier,
318                                           &auth, &auth_length, false);
319         if (!NT_STATUS_IS_OK(status)) {
320                 return false;
321         }
322
323         pkt->u.request.stub_and_verifier.length -= auth_length;
324
325         /* check signature or unseal the packet */
326         switch (dce_conn->auth_state.auth_info->auth_level) {
327         case DCERPC_AUTH_LEVEL_PRIVACY:
328                 status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
329                                               call,
330                                               full_packet->data + hdr_size,
331                                               pkt->u.request.stub_and_verifier.length, 
332                                               full_packet->data,
333                                               full_packet->length-auth.credentials.length,
334                                               &auth.credentials);
335                 memcpy(pkt->u.request.stub_and_verifier.data, 
336                        full_packet->data + hdr_size,
337                        pkt->u.request.stub_and_verifier.length);
338                 break;
339
340         case DCERPC_AUTH_LEVEL_INTEGRITY:
341                 status = gensec_check_packet(dce_conn->auth_state.gensec_security,
342                                              call,
343                                              pkt->u.request.stub_and_verifier.data, 
344                                              pkt->u.request.stub_and_verifier.length,
345                                              full_packet->data,
346                                              full_packet->length-auth.credentials.length,
347                                              &auth.credentials);
348                 break;
349
350         case DCERPC_AUTH_LEVEL_CONNECT:
351                 /* for now we ignore possible signatures here */
352                 status = NT_STATUS_OK;
353                 break;
354
355         default:
356                 status = NT_STATUS_INVALID_LEVEL;
357                 break;
358         }
359
360         /* remove the indicated amount of padding */
361         if (pkt->u.request.stub_and_verifier.length < auth.auth_pad_length) {
362                 return false;
363         }
364         pkt->u.request.stub_and_verifier.length -= auth.auth_pad_length;
365
366         return NT_STATUS_IS_OK(status);
367 }
368
369
370 /* 
371    push a signed or sealed dcerpc request packet into a blob
372 */
373 bool dcesrv_auth_response(struct dcesrv_call_state *call,
374                           DATA_BLOB *blob, size_t sig_size,
375                           struct ncacn_packet *pkt)
376 {
377         struct dcesrv_connection *dce_conn = call->conn;
378         NTSTATUS status;
379         enum ndr_err_code ndr_err;
380         struct ndr_push *ndr;
381         uint32_t payload_length, offset;
382         DATA_BLOB creds2;
383
384         /* non-signed packets are simple */
385         if (sig_size == 0) {
386                 status = ncacn_push_auth(blob, call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx), pkt, NULL);
387                 return NT_STATUS_IS_OK(status);
388         }
389
390         switch (dce_conn->auth_state.auth_info->auth_level) {
391         case DCERPC_AUTH_LEVEL_PRIVACY:
392         case DCERPC_AUTH_LEVEL_INTEGRITY:
393                 break;
394
395         case DCERPC_AUTH_LEVEL_CONNECT:
396                 /*
397                  * TODO: let the gensec mech decide if it wants to generate a signature
398                  *       that might be needed for schannel...
399                  */
400                 status = ncacn_push_auth(blob, call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx), pkt, NULL);
401                 return NT_STATUS_IS_OK(status);
402
403         case DCERPC_AUTH_LEVEL_NONE:
404                 status = ncacn_push_auth(blob, call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx), pkt, NULL);
405                 return NT_STATUS_IS_OK(status);
406
407         default:
408                 return false;
409         }
410
411         ndr = ndr_push_init_ctx(call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx));
412         if (!ndr) {
413                 return false;
414         }
415
416         if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
417                 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
418         }
419
420         ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
421         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
422                 return false;
423         }
424
425         /* pad to 16 byte multiple, match win2k3 */
426         offset = ndr->offset;
427         ndr_err = ndr_push_align(ndr, 16);
428         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
429                 return false;
430         }
431         dce_conn->auth_state.auth_info->auth_pad_length = ndr->offset - offset;
432
433         payload_length = pkt->u.response.stub_and_verifier.length +
434                 dce_conn->auth_state.auth_info->auth_pad_length;
435
436         /* we start without signature, it will appended later */
437         dce_conn->auth_state.auth_info->credentials = data_blob(NULL, 0);
438
439         /* add the auth verifier */
440         ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS,
441                                       dce_conn->auth_state.auth_info);
442         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
443                 return false;
444         }
445
446         /* extract the whole packet as a blob */
447         *blob = ndr_push_blob(ndr);
448
449         /*
450          * Setup the frag and auth length in the packet buffer.
451          * This is needed if the GENSEC mech does AEAD signing
452          * of the packet headers. The signature itself will be
453          * appended later.
454          */
455         dcerpc_set_frag_length(blob, blob->length + sig_size);
456         dcerpc_set_auth_length(blob, sig_size);
457
458         /* sign or seal the packet */
459         switch (dce_conn->auth_state.auth_info->auth_level) {
460         case DCERPC_AUTH_LEVEL_PRIVACY:
461                 status = gensec_seal_packet(dce_conn->auth_state.gensec_security, 
462                                             call,
463                                             ndr->data + DCERPC_REQUEST_LENGTH, 
464                                             payload_length,
465                                             blob->data,
466                                             blob->length,
467                                             &creds2);
468                 break;
469
470         case DCERPC_AUTH_LEVEL_INTEGRITY:
471                 status = gensec_sign_packet(dce_conn->auth_state.gensec_security, 
472                                             call,
473                                             ndr->data + DCERPC_REQUEST_LENGTH, 
474                                             payload_length,
475                                             blob->data,
476                                             blob->length,
477                                             &creds2);
478                 break;
479
480         default:
481                 status = NT_STATUS_INVALID_LEVEL;
482                 break;
483         }
484
485         if (NT_STATUS_IS_OK(status)) {
486                 if (creds2.length != sig_size) {
487                         DEBUG(0,("dcesrv_auth_response: creds2.length[%u] != sig_size[%u] pad[%u] stub[%u]\n",
488                                  (unsigned)creds2.length, (uint32_t)sig_size,
489                                  (unsigned)dce_conn->auth_state.auth_info->auth_pad_length,
490                                  (unsigned)pkt->u.response.stub_and_verifier.length));
491                         data_blob_free(&creds2);
492                         status = NT_STATUS_INTERNAL_ERROR;
493                 }
494         }
495
496         if (NT_STATUS_IS_OK(status)) {
497                 if (!data_blob_append(call, blob, creds2.data, creds2.length)) {
498                         status = NT_STATUS_NO_MEMORY;
499                 }
500                 data_blob_free(&creds2);
501         }
502
503         if (!NT_STATUS_IS_OK(status)) {
504                 return false;
505         }       
506
507         return true;
508 }