git.samba.org / kai / samba.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
s4:rpc_server: correctly handle dcerpc requests with object uuids
[kai/samba.git] / source4 / rpc_server / dcesrv_auth.c
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 75b13bb82436b64b37379445827418f878483986..52d5631cfd1572937eb448a3b3f5b823e5e66518 100644 (file)
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -22,6 +22,8 @@
 
 #include "includes.h"
 #include "rpc_server/dcerpc_server.h"
+#include "rpc_server/dcerpc_server_proto.h"
+#include "librpc/rpc/dcerpc_proto.h"
 #include "librpc/gen_ndr/ndr_dcerpc.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
@@ -122,6 +124,11 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
                        return status;
                }
 
+               if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
+                       gensec_want_feature(dce_conn->auth_state.gensec_security,
+                                           GENSEC_FEATURE_SIGN_PKT_HEADER);
+               }
+
                /* Now that we are authenticated, go back to the generic session key... */
                dce_conn->auth_state.session_key = dcesrv_generic_session_key;
                return NT_STATUS_OK;
@@ -268,33 +275,6 @@ NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_pack
        return status;
 }
 
-/*
-  generate a CONNECT level verifier
-*/
-static NTSTATUS dcesrv_connect_verifier(TALLOC_CTX *mem_ctx, DATA_BLOB *blob)
-{
-       *blob = data_blob_talloc(mem_ctx, NULL, 16);
-       if (blob->data == NULL) {
-               return NT_STATUS_NO_MEMORY;
-       }
-       SIVAL(blob->data, 0, 1);
-       memset(blob->data+4, 0, 12);
-       return NT_STATUS_OK;
-}
-
-/*
-  generate a CONNECT level verifier
-*/
-static NTSTATUS dcesrv_check_connect_verifier(DATA_BLOB *blob)
-{
-       if (blob->length != 16 ||
-           IVAL(blob->data, 0) != 1) {
-               return NT_STATUS_ACCESS_DENIED;
-       }
-       return NT_STATUS_OK;
-}
-
-
 /*
   check credentials on a request
 */
@@ -307,12 +287,33 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
        struct ndr_pull *ndr;
        NTSTATUS status;
        enum ndr_err_code ndr_err;
+       size_t hdr_size = DCERPC_REQUEST_LENGTH;
 
        if (!dce_conn->auth_state.auth_info ||
            !dce_conn->auth_state.gensec_security) {
                return true;
        }
 
+       switch (dce_conn->auth_state.auth_info->auth_level) {
+       case DCERPC_AUTH_LEVEL_PRIVACY:
+       case DCERPC_AUTH_LEVEL_INTEGRITY:
+               break;
+
+       case DCERPC_AUTH_LEVEL_CONNECT:
+               if (pkt->auth_length != 0) {
+                       break;
+               }
+               return true;
+       case DCERPC_AUTH_LEVEL_NONE:
+               if (pkt->auth_length != 0) {
+                       return false;
+               }
+               return true;
+
+       default:
+               return false;
+       }
+
        auth_blob.length = 8 + pkt->auth_length;
 
        /* check for a valid length */
@@ -335,6 +336,11 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
                ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
        }
 
+       if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
+               ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
+               hdr_size += 16;
+       }
+
        ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, &auth);
        if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                talloc_free(ndr);
@@ -346,13 +352,13 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
        case DCERPC_AUTH_LEVEL_PRIVACY:
                status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
                                              call,
-                                             full_packet->data + DCERPC_REQUEST_LENGTH,
+                                             full_packet->data + hdr_size,
                                              pkt->u.request.stub_and_verifier.length, 
                                              full_packet->data,
                                              full_packet->length-auth.credentials.length,
                                              &auth.credentials);
                memcpy(pkt->u.request.stub_and_verifier.data, 
-                      full_packet->data + DCERPC_REQUEST_LENGTH,
+                      full_packet->data + hdr_size,
                       pkt->u.request.stub_and_verifier.length);
                break;
 
@@ -367,7 +373,8 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
                break;
 
        case DCERPC_AUTH_LEVEL_CONNECT:
-               status = dcesrv_check_connect_verifier(&auth.credentials);
+               /* for now we ignore possible signatures here */
+               status = NT_STATUS_OK;
                break;
 
        default:
@@ -391,7 +398,8 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
    push a signed or sealed dcerpc request packet into a blob
 */
 bool dcesrv_auth_response(struct dcesrv_call_state *call,
-                         DATA_BLOB *blob, struct ncacn_packet *pkt)
+                         DATA_BLOB *blob, size_t sig_size,
+                         struct ncacn_packet *pkt)
 {
        struct dcesrv_connection *dce_conn = call->conn;
        NTSTATUS status;
@@ -401,11 +409,32 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
        DATA_BLOB creds2;
 
        /* non-signed packets are simple */
-       if (!dce_conn->auth_state.auth_info || !dce_conn->auth_state.gensec_security) {
+       if (sig_size == 0) {
                status = ncacn_push_auth(blob, call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx), pkt, NULL);
                return NT_STATUS_IS_OK(status);
        }
 
+       switch (dce_conn->auth_state.auth_info->auth_level) {
+       case DCERPC_AUTH_LEVEL_PRIVACY:
+       case DCERPC_AUTH_LEVEL_INTEGRITY:
+               break;
+
+       case DCERPC_AUTH_LEVEL_CONNECT:
+               /*
+                * TODO: let the gensec mech decide if it wants to generate a signature
+                *       that might be needed for schannel...
+                */
+               status = ncacn_push_auth(blob, call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx), pkt, NULL);
+               return NT_STATUS_IS_OK(status);
+
+       case DCERPC_AUTH_LEVEL_NONE:
+               status = ncacn_push_auth(blob, call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx), pkt, NULL);
+               return NT_STATUS_IS_OK(status);
+
+       default:
+               return false;
+       }
+
        ndr = ndr_push_init_ctx(call, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx));
        if (!ndr) {
                return false;
@@ -421,28 +450,18 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
        }
 
        /* pad to 16 byte multiple, match win2k3 */
-       dce_conn->auth_state.auth_info->auth_pad_length = NDR_ALIGN(ndr, 16);
-       ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length);
+       dce_conn->auth_state.auth_info->auth_pad_length =
+               (16 - (pkt->u.response.stub_and_verifier.length & 15)) & 15;
+       ndr_err = ndr_push_zero(ndr, dce_conn->auth_state.auth_info->auth_pad_length);
+       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+               return false;
+       }
 
-       payload_length = ndr->offset - DCERPC_REQUEST_LENGTH;
+       payload_length = pkt->u.response.stub_and_verifier.length +
+               dce_conn->auth_state.auth_info->auth_pad_length;
 
-       if (dce_conn->auth_state.auth_info->auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
-               status = dcesrv_connect_verifier(call,
-                                                &dce_conn->auth_state.auth_info->credentials);
-               if (!NT_STATUS_IS_OK(status)) {
-                       return false;
-               }
-       } else {
-
-               /* We hope this length is accruate.  If must be if the
-                * GENSEC mech does AEAD signing of the packet
-                * headers */
-               dce_conn->auth_state.auth_info->credentials
-                       = data_blob_talloc(call, NULL, 
-                                          gensec_sig_size(dce_conn->auth_state.gensec_security, 
-                                                          payload_length));
-               data_blob_clear(&dce_conn->auth_state.auth_info->credentials);
-       }
+       /* we start without signature, it will appended later */
+       dce_conn->auth_state.auth_info->credentials = data_blob(NULL, 0);
 
        /* add the auth verifier */
        ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS,
@@ -454,14 +473,14 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
        /* extract the whole packet as a blob */
        *blob = ndr_push_blob(ndr);
 
-       /* fill in the fragment length and auth_length, we can't fill
-          in these earlier as we don't know the signature length (it
-          could be variable length) */
-       dcerpc_set_frag_length(blob, blob->length);
-
-       /* We hope this value is accruate.  If must be if the GENSEC
-        * mech does AEAD signing of the packet headers */
-       dcerpc_set_auth_length(blob, dce_conn->auth_state.auth_info->credentials.length);
+       /*
+        * Setup the frag and auth length in the packet buffer.
+        * This is needed if the GENSEC mech does AEAD signing
+        * of the packet headers. The signature itself will be
+        * appended later.
+        */
+       dcerpc_set_frag_length(blob, blob->length + sig_size);
+       dcerpc_set_auth_length(blob, sig_size);
 
        /* sign or seal the packet */
        switch (dce_conn->auth_state.auth_info->auth_level) {
@@ -471,22 +490,8 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
                                            ndr->data + DCERPC_REQUEST_LENGTH, 
                                            payload_length,
                                            blob->data,
-                                           blob->length - dce_conn->auth_state.auth_info->credentials.length,
+                                           blob->length,
                                            &creds2);
-
-               if (NT_STATUS_IS_OK(status)) {
-                       blob->length -= dce_conn->auth_state.auth_info->credentials.length;
-                       if (!data_blob_append(call, blob, creds2.data, creds2.length))
-                               status = NT_STATUS_NO_MEMORY;
-                       else
-                               status = NT_STATUS_OK;
-               }
-
-               /* If we did AEAD signing of the packet headers, then we hope
-                * this value didn't change... */
-               dcerpc_set_auth_length(blob, creds2.length);
-               dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length);
-               data_blob_free(&creds2);
                break;
 
        case DCERPC_AUTH_LEVEL_INTEGRITY:
@@ -495,24 +500,8 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
                                            ndr->data + DCERPC_REQUEST_LENGTH, 
                                            payload_length,
                                            blob->data,
-                                           blob->length - dce_conn->auth_state.auth_info->credentials.length,
+                                           blob->length,
                                            &creds2);
-               if (NT_STATUS_IS_OK(status)) {
-                       blob->length -= dce_conn->auth_state.auth_info->credentials.length;
-                       if (!data_blob_append(call, blob, creds2.data, creds2.length))
-                               status = NT_STATUS_NO_MEMORY;
-                       else
-                               status = NT_STATUS_OK;
-               }
-
-               /* If we did AEAD signing of the packet headers, then we hope
-                * this value didn't change... */
-               dcerpc_set_auth_length(blob, creds2.length);
-               dcerpc_set_frag_length(blob, dcerpc_get_frag_length(blob)+creds2.length);
-               data_blob_free(&creds2);
-               break;
-
-       case DCERPC_AUTH_LEVEL_CONNECT:
                break;
 
        default:
@@ -520,7 +509,23 @@ bool dcesrv_auth_response(struct dcesrv_call_state *call,
                break;
        }
 
-       data_blob_free(&dce_conn->auth_state.auth_info->credentials);
+       if (NT_STATUS_IS_OK(status)) {
+               if (creds2.length != sig_size) {
+                       DEBUG(0,("dcesrv_auth_response: creds2.length[%u] != sig_size[%u] pad[%u] stub[%u]\n",
+                               creds2.length, (uint32_t)sig_size,
+                               dce_conn->auth_state.auth_info->auth_pad_length,
+                               pkt->u.response.stub_and_verifier.length));
+                       data_blob_free(&creds2);
+                       status = NT_STATUS_INTERNAL_ERROR;
+               }
+       }
+
+       if (NT_STATUS_IS_OK(status)) {
+               if (!data_blob_append(call, blob, creds2.data, creds2.length)) {
+                       status = NT_STATUS_NO_MEMORY;
+               }
+               data_blob_free(&creds2);
+       }
 
        if (!NT_STATUS_IS_OK(status)) {
                return false;
Kai's WIP code