auth/gensec/ncalrpc.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc ncalrpc as system operations
   5
   6    Copyright (C) 2014      Andreas Schneider <asn@samba.org>
   7    Copyright (C) 2014      Stefan Metzmacher <metze@samba.org>
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include <tevent.h>
  25 #include "lib/util/tevent_ntstatus.h"
  26 #include "auth/auth.h"
  27 #include "auth/gensec/gensec.h"
  28 #include "auth/gensec/gensec_internal.h"
  29 #include "librpc/gen_ndr/dcerpc.h"
  30 #include "lib/param/param.h"
  31 #include "tsocket.h"
  32
  33 _PUBLIC_ NTSTATUS gensec_ncalrpc_as_system_init(void);
  34
  35 struct gensec_ncalrpc_state {
  36         enum {
  37                 GENSEC_NCALRPC_START,
  38                 GENSEC_NCALRPC_MORE,
  39                 GENSEC_NCALRPC_DONE,
  40                 GENSEC_NCALRPC_ERROR,
  41         } step;
  42
  43         struct auth_user_info_dc *user_info_dc;
  44 };
  45
  46 static NTSTATUS gensec_ncalrpc_client_start(struct gensec_security *gensec_security)
  47 {
  48         struct gensec_ncalrpc_state *state;
  49
  50         state = talloc_zero(gensec_security,
  51                             struct gensec_ncalrpc_state);
  52         if (state == NULL) {
  53                 return NT_STATUS_NO_MEMORY;
  54         }
  55         gensec_security->private_data = state;
  56
  57         state->step = GENSEC_NCALRPC_START;
  58         return NT_STATUS_OK;
  59 }
  60
  61 static NTSTATUS gensec_ncalrpc_server_start(struct gensec_security *gensec_security)
  62 {
  63         struct gensec_ncalrpc_state *state;
  64
  65         state = talloc_zero(gensec_security,
  66                             struct gensec_ncalrpc_state);
  67         if (state == NULL) {
  68                 return NT_STATUS_NO_MEMORY;
  69         }
  70         gensec_security->private_data = state;
  71
  72         state->step = GENSEC_NCALRPC_START;
  73         return NT_STATUS_OK;
  74 }
  75
  76 struct gensec_ncalrpc_update_state {
  77         NTSTATUS status;
  78         DATA_BLOB out;
  79 };
  80
  81 static NTSTATUS gensec_ncalrpc_update_internal(
  82                                 struct gensec_security *gensec_security,
  83                                 TALLOC_CTX *mem_ctx,
  84                                 const DATA_BLOB in,
  85                                 DATA_BLOB *out);
  86
  87 static struct tevent_req *gensec_ncalrpc_update_send(TALLOC_CTX *mem_ctx,
  88                                         struct tevent_context *ev,
  89                                         struct gensec_security *gensec_security,
  90                                         const DATA_BLOB in)
  91 {
  92         struct tevent_req *req;
  93         struct gensec_ncalrpc_update_state *state = NULL;
  94         NTSTATUS status;
  95
  96         req = tevent_req_create(mem_ctx, &state,
  97                                 struct gensec_ncalrpc_update_state);
  98         if (req == NULL) {
  99                 return NULL;
 100         }
 101
 102         status = gensec_ncalrpc_update_internal(gensec_security,
 103                                                 state, in,
 104                                                 &state->out);
 105         state->status = status;
 106         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 107                 status = NT_STATUS_OK;
 108         }
 109         if (tevent_req_nterror(req, status)) {
 110                 return tevent_req_post(req, ev);
 111         }
 112
 113         tevent_req_done(req);
 114         return tevent_req_post(req, ev);
 115 }
 116
 117 static NTSTATUS gensec_ncalrpc_update_internal(
 118                                 struct gensec_security *gensec_security,
 119                                 TALLOC_CTX *mem_ctx,
 120                                 const DATA_BLOB in,
 121                                 DATA_BLOB *out)
 122 {
 123         struct gensec_ncalrpc_state *state =
 124                 talloc_get_type_abort(gensec_security->private_data,
 125                 struct gensec_ncalrpc_state);
 126         DATA_BLOB magic_req = data_blob_string_const("NCALRPC_AUTH_TOKEN");
 127         DATA_BLOB magic_ok = data_blob_string_const("NCALRPC_AUTH_OK");
 128         DATA_BLOB magic_fail = data_blob_string_const("NCALRPC_AUTH_FAIL");
 129         char *unix_path = NULL;
 130         int cmp;
 131         NTSTATUS status;
 132
 133         *out = data_blob_null;
 134
 135         if (state->step >= GENSEC_NCALRPC_DONE) {
 136                 return NT_STATUS_INVALID_PARAMETER;
 137         }
 138
 139         switch (gensec_security->gensec_role) {
 140         case GENSEC_CLIENT:
 141                 switch (state->step) {
 142                 case GENSEC_NCALRPC_START:
 143                         *out = data_blob_dup_talloc(mem_ctx, magic_req);
 144                         if (out->data == NULL) {
 145                                 state->step = GENSEC_NCALRPC_ERROR;
 146                                 return NT_STATUS_NO_MEMORY;
 147                         }
 148
 149                         state->step = GENSEC_NCALRPC_MORE;
 150                         return NT_STATUS_MORE_PROCESSING_REQUIRED;
 151
 152                 case GENSEC_NCALRPC_MORE:
 153                         cmp = data_blob_cmp(&in, &magic_ok);
 154                         if (cmp != 0) {
 155                                 state->step = GENSEC_NCALRPC_ERROR;
 156                                 return NT_STATUS_LOGON_FAILURE;
 157                         }
 158
 159                         state->step = GENSEC_NCALRPC_DONE;
 160                         return NT_STATUS_OK;
 161
 162                 case GENSEC_NCALRPC_DONE:
 163                 case GENSEC_NCALRPC_ERROR:
 164                         break;
 165                 }
 166
 167                 state->step = GENSEC_NCALRPC_ERROR;
 168                 return NT_STATUS_INTERNAL_ERROR;
 169
 170         case GENSEC_SERVER:
 171                 if (state->step != GENSEC_NCALRPC_START) {
 172                         state->step = GENSEC_NCALRPC_ERROR;
 173                         return NT_STATUS_INTERNAL_ERROR;
 174                 }
 175
 176                 cmp = data_blob_cmp(&in, &magic_req);
 177                 if (cmp != 0) {
 178                         state->step = GENSEC_NCALRPC_ERROR;
 179                         *out = data_blob_dup_talloc(mem_ctx, magic_fail);
 180                         if (out->data == NULL) {
 181                                 return NT_STATUS_NO_MEMORY;
 182                         }
 183                         return NT_STATUS_LOGON_FAILURE;
 184                 }
 185
 186                 if (gensec_security->remote_addr == NULL) {
 187                         state->step = GENSEC_NCALRPC_ERROR;
 188                         *out = data_blob_dup_talloc(mem_ctx, magic_fail);
 189                         if (out->data == NULL) {
 190                                 return NT_STATUS_NO_MEMORY;
 191                         }
 192                         return NT_STATUS_LOGON_FAILURE;
 193                 }
 194
 195                 unix_path = tsocket_address_unix_path(gensec_security->remote_addr,
 196                                                       state);
 197                 if (unix_path == NULL) {
 198                         state->step = GENSEC_NCALRPC_ERROR;
 199                         *out = data_blob_dup_talloc(mem_ctx, magic_fail);
 200                         if (out->data == NULL) {
 201                                 return NT_STATUS_NO_MEMORY;
 202                         }
 203                         return NT_STATUS_LOGON_FAILURE;
 204                 }
 205
 206                 cmp = strcmp(unix_path, "/root/ncalrpc_as_system");
 207                 TALLOC_FREE(unix_path);
 208                 if (cmp != 0) {
 209                         state->step = GENSEC_NCALRPC_ERROR;
 210                         *out = data_blob_dup_talloc(mem_ctx, magic_fail);
 211                         if (out->data == NULL) {
 212                                 return NT_STATUS_NO_MEMORY;
 213                         }
 214                         return NT_STATUS_LOGON_FAILURE;
 215                 }
 216
 217                 status = auth_system_user_info_dc(state,
 218                                 lpcfg_netbios_name(gensec_security->settings->lp_ctx),
 219                                 &state->user_info_dc);
 220                 if (!NT_STATUS_IS_OK(status)) {
 221                         state->step = GENSEC_NCALRPC_ERROR;
 222                         *out = data_blob_dup_talloc(mem_ctx, magic_fail);
 223                         if (out->data == NULL) {
 224                                 return NT_STATUS_NO_MEMORY;
 225                         }
 226                         return status;
 227                 }
 228
 229                 *out = data_blob_dup_talloc(mem_ctx, magic_ok);
 230                 if (out->data == NULL) {
 231                         state->step = GENSEC_NCALRPC_ERROR;
 232                         return NT_STATUS_NO_MEMORY;
 233                 }
 234
 235                 state->step = GENSEC_NCALRPC_DONE;
 236                 return NT_STATUS_OK;
 237         }
 238
 239         state->step = GENSEC_NCALRPC_ERROR;
 240         return NT_STATUS_INTERNAL_ERROR;
 241 }
 242
 243 static NTSTATUS gensec_ncalrpc_update_recv(struct tevent_req *req,
 244                                            TALLOC_CTX *out_mem_ctx,
 245                                            DATA_BLOB *out)
 246 {
 247         struct gensec_ncalrpc_update_state *state =
 248                 tevent_req_data(req,
 249                 struct gensec_ncalrpc_update_state);
 250         NTSTATUS status;
 251
 252         *out = data_blob_null;
 253
 254         if (tevent_req_is_nterror(req, &status)) {
 255                 tevent_req_received(req);
 256                 return status;
 257         }
 258
 259         status = state->status;
 260         talloc_steal(out_mem_ctx, state->out.data);
 261         *out = state->out;
 262         tevent_req_received(req);
 263         return status;
 264 }
 265
 266 static NTSTATUS gensec_ncalrpc_session_info(struct gensec_security *gensec_security,
 267                                             TALLOC_CTX *mem_ctx,
 268                                             struct auth_session_info **psession_info)
 269 {
 270         struct gensec_ncalrpc_state *state =
 271                 talloc_get_type_abort(gensec_security->private_data,
 272                 struct gensec_ncalrpc_state);
 273         struct auth4_context *auth_ctx = gensec_security->auth_context;
 274         struct auth_session_info *session_info = NULL;
 275         uint32_t session_info_flags = 0;
 276         NTSTATUS status;
 277
 278         if (gensec_security->gensec_role != GENSEC_SERVER) {
 279                 return NT_STATUS_INVALID_PARAMETER;
 280         }
 281
 282         if (state->step != GENSEC_NCALRPC_DONE) {
 283                 return NT_STATUS_INVALID_PARAMETER;
 284         }
 285
 286         if (auth_ctx == NULL) {
 287                 DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
 288                 return NT_STATUS_INTERNAL_ERROR;
 289         }
 290
 291         if (auth_ctx->generate_session_info == NULL) {
 292                 DEBUG(0, ("Cannot generate a session_info without the generate_session_info hook\n"));
 293                 return NT_STATUS_INTERNAL_ERROR;
 294         }
 295
 296         if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
 297                 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
 298         }
 299
 300         session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
 301
 302         status = auth_ctx->generate_session_info(
 303                                 auth_ctx,
 304                                 mem_ctx,
 305                                 state->user_info_dc,
 306                                 state->user_info_dc->info->account_name,
 307                                 session_info_flags,
 308                                 &session_info);
 309         if (!NT_STATUS_IS_OK(status)) {
 310                 return status;
 311         }
 312
 313         *psession_info = session_info;
 314         return NT_STATUS_OK;
 315 }
 316
 317 /* We have no features */
 318 static bool gensec_ncalrpc_have_feature(struct gensec_security *gensec_security,
 319                                  uint32_t feature)
 320 {
 321         if (feature & GENSEC_FEATURE_DCE_STYLE) {
 322                 return true;
 323         }
 324
 325         return false;
 326 }
 327
 328 static const struct gensec_security_ops gensec_ncalrpc_security_ops = {
 329         .name           = "naclrpc_as_system",
 330         .auth_type      = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM,
 331         .client_start   = gensec_ncalrpc_client_start,
 332         .server_start   = gensec_ncalrpc_server_start,
 333         .update_send    = gensec_ncalrpc_update_send,
 334         .update_recv    = gensec_ncalrpc_update_recv,
 335         .session_info   = gensec_ncalrpc_session_info,
 336         .have_feature   = gensec_ncalrpc_have_feature,
 337         .enabled        = true,
 338         .priority       = GENSEC_EXTERNAL,
 339 };
 340
 341 _PUBLIC_ NTSTATUS gensec_ncalrpc_as_system_init(void)
 342 {
 343         NTSTATUS status;
 344
 345         status = gensec_register(&gensec_ncalrpc_security_ops);
 346         if (!NT_STATUS_IS_OK(status)) {
 347                 DEBUG(0, ("Failed to register '%s' gensec backend!\n",
 348                           gensec_ncalrpc_security_ops.name));
 349                 return status;
 350         }
 351
 352         return status;
 353 }