source4/rpc_server/dcesrv_auth.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    server side dcerpc authentication code
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Stefan (metze) Metzmacher 2004
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "rpc_server/dcerpc_server.h"
  26 #include "librpc/gen_ndr/ndr_dcerpc.h"
  27
  28 /*
  29   parse any auth information from a dcerpc bind request
  30   return False if we can't handle the auth request for some
  31   reason (in which case we send a bind_nak)
  32 */
  33 BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
  34 {
  35         struct cli_credentials *server_credentials;
  36         struct ncacn_packet *pkt = &call->pkt;
  37         struct dcesrv_connection *dce_conn = call->conn;
  38         struct dcesrv_auth *auth = &dce_conn->auth_state;
  39         NTSTATUS status;
  40
  41         if (pkt->u.bind.auth_info.length == 0) {
  42                 dce_conn->auth_state.auth_info = NULL;
  43                 return True;
  44         }
  45
  46         dce_conn->auth_state.auth_info = talloc(dce_conn, struct dcerpc_auth);
  47         if (!dce_conn->auth_state.auth_info) {
  48                 return False;
  49         }
  50
  51         status = ndr_pull_struct_blob(&pkt->u.bind.auth_info,
  52                                       call,
  53                                       dce_conn->auth_state.auth_info,
  54                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
  55         if (!NT_STATUS_IS_OK(status)) {
  56                 return False;
  57         }
  58
  59         status = gensec_server_start(dce_conn, &auth->gensec_security, call->event_ctx);
  60         if (!NT_STATUS_IS_OK(status)) {
  61                 DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status)));
  62                 return False;
  63         }
  64
  65         server_credentials
  66                 = cli_credentials_init(call);
  67         if (!server_credentials) {
  68                 DEBUG(1, ("Failed to init server credentials\n"));
  69                 return False;
  70         }
  71
  72         cli_credentials_set_conf(server_credentials);
  73         status = cli_credentials_set_machine_account(server_credentials);
  74         if (!NT_STATUS_IS_OK(status)) {
  75                 DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
  76                 talloc_free(server_credentials);
  77                 server_credentials = NULL;
  78         }
  79
  80         gensec_set_credentials(auth->gensec_security, server_credentials);
  81
  82         status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type,
  83                                                auth->auth_info->auth_level);
  84
  85         if (!NT_STATUS_IS_OK(status)) {
  86                 DEBUG(1, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n",
  87                           (int)auth->auth_info->auth_type,
  88                           (int)auth->auth_info->auth_level,
  89                           nt_errstr(status)));
  90                 return False;
  91         }
  92
  93         return True;
  94 }
  95
  96 /*
  97   add any auth information needed in a bind ack, and process the authentication
  98   information found in the bind.
  99 */
 100 BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
 101 {
 102         struct dcesrv_connection *dce_conn = call->conn;
 103         NTSTATUS status;
 104
 105         if (!call->conn->auth_state.gensec_security) {
 106                 return True;
 107         }
 108
 109         status = gensec_update(dce_conn->auth_state.gensec_security,
 110                                call,
 111                                dce_conn->auth_state.auth_info->credentials,
 112                                &dce_conn->auth_state.auth_info->credentials);
 113
 114         if (NT_STATUS_IS_OK(status)) {
 115                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
 116                                              &dce_conn->auth_state.session_info);
 117                 if (!NT_STATUS_IS_OK(status)) {
 118                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
 119                         return False;
 120                 }
 121
 122                 /* Now that we are authenticated, go back to the generic session key... */
 123                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
 124                 return True;
 125         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 126                 dce_conn->auth_state.auth_info->auth_pad_length = 0;
 127                 dce_conn->auth_state.auth_info->auth_reserved = 0;
 128                 return True;
 129         } else {
 130                 DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status)));
 131                 return False;
 132         }
 133 }
 134
 135
 136 /*
 137   process the final stage of a auth request
 138 */
 139 BOOL dcesrv_auth_auth3(struct dcesrv_call_state *call)
 140 {
 141         struct ncacn_packet *pkt = &call->pkt;
 142         struct dcesrv_connection *dce_conn = call->conn;
 143         NTSTATUS status;
 144
 145         /* We can't work without an existing gensec state, and an new blob to feed it */
 146         if (!dce_conn->auth_state.auth_info ||
 147             !dce_conn->auth_state.gensec_security ||
 148             pkt->u.auth3.auth_info.length == 0) {
 149                 return False;
 150         }
 151
 152         status = ndr_pull_struct_blob(&pkt->u.auth3.auth_info,
 153                                       call,
 154                                       dce_conn->auth_state.auth_info,
 155                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
 156         if (!NT_STATUS_IS_OK(status)) {
 157                 return False;
 158         }
 159
 160         /* Pass the extra data we got from the client down to gensec for processing */
 161         status = gensec_update(dce_conn->auth_state.gensec_security,
 162                                call,
 163                                dce_conn->auth_state.auth_info->credentials,
 164                                &dce_conn->auth_state.auth_info->credentials);
 165         if (NT_STATUS_IS_OK(status)) {
 166                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
 167                                              &dce_conn->auth_state.session_info);
 168                 if (!NT_STATUS_IS_OK(status)) {
 169                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
 170                         return False;
 171                 }
 172                 /* Now that we are authenticated, go back to the generic session key... */
 173                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
 174                 return True;
 175         } else {
 176                 DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n",
 177                           nt_errstr(status)));
 178                 return False;
 179         }
 180
 181         return True;
 182 }
 183
 184 /*
 185   parse any auth information from a dcerpc alter request
 186   return False if we can't handle the auth request for some
 187   reason (in which case we send a bind_nak (is this true for here?))
 188 */
 189 BOOL dcesrv_auth_alter(struct dcesrv_call_state *call)
 190 {
 191         struct ncacn_packet *pkt = &call->pkt;
 192         struct dcesrv_connection *dce_conn = call->conn;
 193         NTSTATUS status;
 194
 195         /* on a pure interface change there is no auth blob */
 196         if (pkt->u.alter.auth_info.length == 0) {
 197                 return True;
 198         }
 199
 200         /* We can't work without an existing gensec state */
 201         if (!dce_conn->auth_state.gensec_security) {
 202                 return False;
 203         }
 204
 205         dce_conn->auth_state.auth_info = talloc(dce_conn, struct dcerpc_auth);
 206         if (!dce_conn->auth_state.auth_info) {
 207                 return False;
 208         }
 209
 210         status = ndr_pull_struct_blob(&pkt->u.alter.auth_info,
 211                                       call,
 212                                       dce_conn->auth_state.auth_info,
 213                                       (ndr_pull_flags_fn_t)ndr_pull_dcerpc_auth);
 214         if (!NT_STATUS_IS_OK(status)) {
 215                 return False;
 216         }
 217
 218         return True;
 219 }
 220
 221 /*
 222   add any auth information needed in a alter ack, and process the authentication
 223   information found in the alter.
 224 */
 225 BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
 226 {
 227         struct dcesrv_connection *dce_conn = call->conn;
 228         NTSTATUS status;
 229
 230         /* on a pure interface change there is no auth_info structure
 231            setup */
 232         if (!call->conn->auth_state.auth_info) {
 233                 return True;
 234         }
 235
 236         if (!call->conn->auth_state.gensec_security) {
 237                 return False;
 238         }
 239
 240         status = gensec_update(dce_conn->auth_state.gensec_security,
 241                                call,
 242                                dce_conn->auth_state.auth_info->credentials,
 243                                &dce_conn->auth_state.auth_info->credentials);
 244
 245         if (NT_STATUS_IS_OK(status)) {
 246                 status = gensec_session_info(dce_conn->auth_state.gensec_security,
 247                                              &dce_conn->auth_state.session_info);
 248                 if (!NT_STATUS_IS_OK(status)) {
 249                         DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
 250                         return False;
 251                 }
 252
 253                 /* Now that we are authenticated, got back to the generic session key... */
 254                 dce_conn->auth_state.session_key = dcesrv_generic_session_key;
 255                 return True;
 256         } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 257                 dce_conn->auth_state.auth_info->auth_pad_length = 0;
 258                 dce_conn->auth_state.auth_info->auth_reserved = 0;
 259                 return True;
 260         } else {
 261                 DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status)));
 262                 return True;
 263         }
 264 }
 265
 266 /*
 267   generate a CONNECT level verifier
 268 */
 269 static NTSTATUS dcesrv_connect_verifier(TALLOC_CTX *mem_ctx, DATA_BLOB *blob)
 270 {
 271         *blob = data_blob_talloc(mem_ctx, NULL, 16);
 272         if (blob->data == NULL) {
 273                 return NT_STATUS_NO_MEMORY;
 274         }
 275         SIVAL(blob->data, 0, 1);
 276         memset(blob->data+4, 0, 12);
 277         return NT_STATUS_OK;
 278 }
 279
 280 /*
 281   generate a CONNECT level verifier
 282 */
 283 static NTSTATUS dcesrv_check_connect_verifier(DATA_BLOB *blob)
 284 {
 285         if (blob->length != 16 ||
 286             IVAL(blob->data, 0) != 1) {
 287                 return NT_STATUS_ACCESS_DENIED;
 288         }
 289         return NT_STATUS_OK;
 290 }
 291
 292
 293 /*
 294   check credentials on a request
 295 */
 296 BOOL dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
 297 {
 298         struct ncacn_packet *pkt = &call->pkt;
 299         struct dcesrv_connection *dce_conn = call->conn;
 300         DATA_BLOB auth_blob;
 301         struct dcerpc_auth auth;
 302         struct ndr_pull *ndr;
 303         NTSTATUS status;
 304
 305         if (!dce_conn->auth_state.auth_info ||
 306             !dce_conn->auth_state.gensec_security) {
 307                 return True;
 308         }
 309
 310         auth_blob.length = 8 + pkt->auth_length;
 311
 312         /* check for a valid length */
 313         if (pkt->u.request.stub_and_verifier.length < auth_blob.length) {
 314                 return False;
 315         }
 316
 317         auth_blob.data =
 318                 pkt->u.request.stub_and_verifier.data +
 319                 pkt->u.request.stub_and_verifier.length - auth_blob.length;
 320         pkt->u.request.stub_and_verifier.length -= auth_blob.length;
 321
 322         /* pull the auth structure */
 323         ndr = ndr_pull_init_blob(&auth_blob, call);
 324         if (!ndr) {
 325                 return False;
 326         }
 327
 328         if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
 329                 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
 330         }
 331
 332         status = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth);
 333         if (!NT_STATUS_IS_OK(status)) {
 334                 talloc_free(ndr);
 335                 return False;
 336         }
 337
 338         /* check signature or unseal the packet */
 339         switch (dce_conn->auth_state.auth_info->auth_level) {
 340         case DCERPC_AUTH_LEVEL_PRIVACY:
 341                 status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
 342                                               call,
 343                                               full_packet->data + DCERPC_REQUEST_LENGTH,
 344                                               pkt->u.request.stub_and_verifier.length,
 345                                               full_packet->data,
 346                                               full_packet->length-auth.credentials.length,
 347                                               &auth.credentials);
 348                 memcpy(pkt->u.request.stub_and_verifier.data,
 349                        full_packet->data + DCERPC_REQUEST_LENGTH,
 350                        pkt->u.request.stub_and_verifier.length);
 351                 break;
 352
 353         case DCERPC_AUTH_LEVEL_INTEGRITY:
 354                 status = gensec_check_packet(dce_conn->auth_state.gensec_security,
 355                                              call,
 356                                              pkt->u.request.stub_and_verifier.data,
 357                                              pkt->u.request.stub_and_verifier.length,
 358                                              full_packet->data,
 359                                              full_packet->length-auth.credentials.length,
 360                                              &auth.credentials);
 361                 break;
 362
 363         case DCERPC_AUTH_LEVEL_CONNECT:
 364                 status = dcesrv_check_connect_verifier(&auth.credentials);
 365                 break;
 366
 367         default:
 368                 status = NT_STATUS_INVALID_LEVEL;
 369                 break;
 370         }
 371
 372         /* remove the indicated amount of padding */
 373         if (pkt->u.request.stub_and_verifier.length < auth.auth_pad_length) {
 374                 talloc_free(ndr);
 375                 return False;
 376         }
 377         pkt->u.request.stub_and_verifier.length -= auth.auth_pad_length;
 378         talloc_free(ndr);
 379
 380         return NT_STATUS_IS_OK(status);
 381 }
 382
 383
 384 /*
 385    push a signed or sealed dcerpc request packet into a blob
 386 */
 387 BOOL dcesrv_auth_response(struct dcesrv_call_state *call,
 388                           DATA_BLOB *blob, struct ncacn_packet *pkt)
 389 {
 390         struct dcesrv_connection *dce_conn = call->conn;
 391         NTSTATUS status;
 392         struct ndr_push *ndr;
 393         uint32_t payload_length;
 394
 395         /* non-signed packets are simple */
 396         if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) {
 397                 status = ncacn_push_auth(blob, call, pkt, NULL);
 398                 return NT_STATUS_IS_OK(status);
 399         }
 400
 401         ndr = ndr_push_init_ctx(call);
 402         if (!ndr) {
 403                 return False;
 404         }
 405
 406         if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
 407                 ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
 408         }
 409
 410         status = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
 411         if (!NT_STATUS_IS_OK(status)) {
 412                 return False;
 413         }
 414
 415         /* pad to 16 byte multiple, match win2k3 */
 416         dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 16);
 417         ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length);
 418
 419         payload_length = ndr->offset - DCERPC_REQUEST_LENGTH;
 420
 421         if (dce_conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
 422                 status = dcesrv_connect_verifier(call,
 423                                                  &dce_conn->auth_state.auth_info->credentials);
 424                 if (!NT_STATUS_IS_OK(status)) {
 425                         return False;
 426                 }
 427         } else {
 428                 dce_conn->auth_state.auth_info->credentials
 429                         = data_blob_talloc(call, NULL,
 430                                            gensec_sig_size(dce_conn->auth_state.gensec_security,
 431                                                            payload_length));
 432         }
 433
 434         /* add the auth verifier */
 435         status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, dce_conn->auth_state.auth_info);
 436         if (!NT_STATUS_IS_OK(status)) {
 437                 return False;
 438         }
 439
 440         /* extract the whole packet as a blob */
 441         *blob = ndr_push_blob(ndr);
 442
 443         /* fill in the fragment length and auth_length, we can't fill
 444            in these earlier as we don't know the signature length (it
 445            could be variable length) */
 446         dcerpc_set_frag_length(blob, blob->length);
 447         dcerpc_set_auth_length(blob, dce_conn->auth_state.auth_info->credentials.length);
 448
 449         /* sign or seal the packet */
 450         switch (dce_conn->auth_state.auth_info->auth_level) {
 451         case DCERPC_AUTH_LEVEL_PRIVACY:
 452                 status = gensec_seal_packet(dce_conn->auth_state.gensec_security,
 453                                             call,
 454                                             ndr->data + DCERPC_REQUEST_LENGTH,
 455                                             payload_length,
 456                                             blob->data,
 457                                             blob->length - dce_conn->auth_state.auth_info->credentials.length,
 458                                             &dce_conn->auth_state.auth_info->credentials);
 459                 break;
 460
 461         case DCERPC_AUTH_LEVEL_INTEGRITY:
 462                 status = gensec_sign_packet(dce_conn->auth_state.gensec_security,
 463                                             call,
 464                                             ndr->data + DCERPC_REQUEST_LENGTH,
 465                                             payload_length,
 466                                             blob->data,
 467                                             blob->length - dce_conn->auth_state.auth_info->credentials.length,
 468                                             &dce_conn->auth_state.auth_info->credentials);
 469
 470                 break;
 471
 472         case DCERPC_AUTH_LEVEL_CONNECT:
 473                 break;
 474
 475         default:
 476                 status = NT_STATUS_INVALID_LEVEL;
 477                 break;
 478         }
 479
 480         if (!NT_STATUS_IS_OK(status)) {
 481                 return False;
 482         }
 483
 484         memcpy(blob->data + blob->length - dce_conn->auth_state.auth_info->credentials.length,
 485                dce_conn->auth_state.auth_info->credentials.data, dce_conn->auth_state.auth_info->credentials.length);
 486
 487         data_blob_free(&dce_conn->auth_state.auth_info->credentials);
 488
 489         return True;
 490 }