2 Unix SMB/CIFS implementation.
4 server side dcerpc authentication code
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Stefan (metze) Metzmacher 2004
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "rpc_server/dcerpc_server.h"
25 #include "rpc_server/dcerpc_server_proto.h"
26 #include "rpc_server/common/proto.h"
27 #include "librpc/rpc/dcerpc_proto.h"
28 #include "librpc/gen_ndr/ndr_dcerpc.h"
29 #include "auth/credentials/credentials.h"
30 #include "auth/gensec/gensec.h"
31 #include "auth/auth.h"
32 #include "param/param.h"
33 #include "librpc/rpc/rpc_common.h"
36 parse any auth information from a dcerpc bind request
37 return false if we can't handle the auth request for some
38 reason (in which case we send a bind_nak)
40 bool dcesrv_auth_bind(struct dcesrv_call_state
*call
)
42 struct cli_credentials
*server_credentials
;
43 struct ncacn_packet
*pkt
= &call
->pkt
;
44 struct dcesrv_connection
*dce_conn
= call
->conn
;
45 struct dcesrv_auth
*auth
= &dce_conn
->auth_state
;
49 if (pkt
->u
.bind
.auth_info
.length
== 0) {
50 dce_conn
->auth_state
.auth_info
= NULL
;
54 dce_conn
->auth_state
.auth_info
= talloc(dce_conn
, struct dcerpc_auth
);
55 if (!dce_conn
->auth_state
.auth_info
) {
59 status
= dcerpc_pull_auth_trailer(pkt
, call
, &pkt
->u
.bind
.auth_info
,
60 dce_conn
->auth_state
.auth_info
,
63 = cli_credentials_init(call
);
64 if (!server_credentials
) {
65 DEBUG(1, ("Failed to init server credentials\n"));
69 cli_credentials_set_conf(server_credentials
, call
->conn
->dce_ctx
->lp_ctx
);
70 status
= cli_credentials_set_machine_account(server_credentials
, call
->conn
->dce_ctx
->lp_ctx
);
71 if (!NT_STATUS_IS_OK(status
)) {
72 DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status
)));
73 talloc_free(server_credentials
);
74 server_credentials
= NULL
;
77 status
= samba_server_gensec_start(dce_conn
, call
->event_ctx
,
79 call
->conn
->dce_ctx
->lp_ctx
,
82 &auth
->gensec_security
);
83 if (!NT_STATUS_IS_OK(status
)) {
84 DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
89 if (call
->conn
->remote_address
!= NULL
) {
90 status
= gensec_set_remote_address(auth
->gensec_security
,
91 call
->conn
->remote_address
);
92 if (!NT_STATUS_IS_OK(status
)) {
93 DEBUG(1, ("Failed to call gensec_set_remote_address() %s\n",
99 status
= gensec_start_mech_by_authtype(auth
->gensec_security
, auth
->auth_info
->auth_type
,
100 auth
->auth_info
->auth_level
);
101 if (!NT_STATUS_IS_OK(status
)) {
102 DEBUG(3, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n",
103 (int)auth
->auth_info
->auth_type
,
104 (int)auth
->auth_info
->auth_level
,
113 add any auth information needed in a bind ack, and process the authentication
114 information found in the bind.
116 NTSTATUS
dcesrv_auth_bind_ack(struct dcesrv_call_state
*call
, struct ncacn_packet
*pkt
)
118 struct dcesrv_connection
*dce_conn
= call
->conn
;
120 bool want_header_signing
= false;
122 if (!call
->conn
->auth_state
.gensec_security
) {
126 if (call
->pkt
.pfc_flags
& DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
) {
127 dce_conn
->auth_state
.client_hdr_signing
= true;
128 want_header_signing
= true;
131 if (!lpcfg_parm_bool(call
->conn
->dce_ctx
->lp_ctx
, NULL
, "dcesrv","header signing", true)) {
132 want_header_signing
= false;
135 status
= gensec_update_ev(dce_conn
->auth_state
.gensec_security
,
136 call
, call
->event_ctx
,
137 dce_conn
->auth_state
.auth_info
->credentials
,
138 &dce_conn
->auth_state
.auth_info
->credentials
);
140 if (NT_STATUS_IS_OK(status
)) {
141 status
= gensec_session_info(dce_conn
->auth_state
.gensec_security
,
143 &dce_conn
->auth_state
.session_info
);
144 if (!NT_STATUS_IS_OK(status
)) {
145 DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status
)));
149 if (!gensec_have_feature(dce_conn
->auth_state
.gensec_security
,
150 GENSEC_FEATURE_SIGN_PKT_HEADER
))
152 want_header_signing
= false;
155 if (want_header_signing
) {
156 gensec_want_feature(dce_conn
->auth_state
.gensec_security
,
157 GENSEC_FEATURE_SIGN_PKT_HEADER
);
158 dce_conn
->auth_state
.hdr_signing
= true;
159 pkt
->pfc_flags
|= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
;
162 /* Now that we are authenticated, go back to the generic session key... */
163 dce_conn
->auth_state
.session_key
= dcesrv_generic_session_key
;
165 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
166 dce_conn
->auth_state
.auth_info
->auth_pad_length
= 0;
167 dce_conn
->auth_state
.auth_info
->auth_reserved
= 0;
169 if (!gensec_have_feature(dce_conn
->auth_state
.gensec_security
,
170 GENSEC_FEATURE_SIGN_PKT_HEADER
))
172 want_header_signing
= false;
175 if (want_header_signing
) {
176 gensec_want_feature(dce_conn
->auth_state
.gensec_security
,
177 GENSEC_FEATURE_SIGN_PKT_HEADER
);
178 dce_conn
->auth_state
.hdr_signing
= true;
179 pkt
->pfc_flags
|= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
;
184 DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
192 process the final stage of a auth request
194 bool dcesrv_auth_auth3(struct dcesrv_call_state
*call
)
196 struct ncacn_packet
*pkt
= &call
->pkt
;
197 struct dcesrv_connection
*dce_conn
= call
->conn
;
199 uint32_t auth_length
;
201 /* We can't work without an existing gensec state, and an new blob to feed it */
202 if (!dce_conn
->auth_state
.auth_info
||
203 !dce_conn
->auth_state
.gensec_security
||
204 pkt
->u
.auth3
.auth_info
.length
== 0) {
208 status
= dcerpc_pull_auth_trailer(pkt
, call
, &pkt
->u
.auth3
.auth_info
,
209 dce_conn
->auth_state
.auth_info
, &auth_length
, true);
210 if (!NT_STATUS_IS_OK(status
)) {
214 /* Pass the extra data we got from the client down to gensec for processing */
215 status
= gensec_update_ev(dce_conn
->auth_state
.gensec_security
,
216 call
, call
->event_ctx
,
217 dce_conn
->auth_state
.auth_info
->credentials
,
218 &dce_conn
->auth_state
.auth_info
->credentials
);
219 if (NT_STATUS_IS_OK(status
)) {
220 status
= gensec_session_info(dce_conn
->auth_state
.gensec_security
,
222 &dce_conn
->auth_state
.session_info
);
223 if (!NT_STATUS_IS_OK(status
)) {
224 DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status
)));
227 /* Now that we are authenticated, go back to the generic session key... */
228 dce_conn
->auth_state
.session_key
= dcesrv_generic_session_key
;
231 DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_auth3: %s\n",
238 parse any auth information from a dcerpc alter request
239 return false if we can't handle the auth request for some
240 reason (in which case we send a bind_nak (is this true for here?))
242 bool dcesrv_auth_alter(struct dcesrv_call_state
*call
)
244 struct ncacn_packet
*pkt
= &call
->pkt
;
245 struct dcesrv_connection
*dce_conn
= call
->conn
;
247 uint32_t auth_length
;
249 /* on a pure interface change there is no auth blob */
250 if (pkt
->u
.alter
.auth_info
.length
== 0) {
254 /* We can't work without an existing gensec state */
255 if (!dce_conn
->auth_state
.gensec_security
) {
259 dce_conn
->auth_state
.auth_info
= talloc(dce_conn
, struct dcerpc_auth
);
260 if (!dce_conn
->auth_state
.auth_info
) {
264 status
= dcerpc_pull_auth_trailer(pkt
, call
, &pkt
->u
.alter
.auth_info
,
265 dce_conn
->auth_state
.auth_info
,
267 if (!NT_STATUS_IS_OK(status
)) {
275 add any auth information needed in a alter ack, and process the authentication
276 information found in the alter.
278 NTSTATUS
dcesrv_auth_alter_ack(struct dcesrv_call_state
*call
, struct ncacn_packet
*pkt
)
280 struct dcesrv_connection
*dce_conn
= call
->conn
;
283 /* on a pure interface change there is no auth_info structure
285 if (!call
->conn
->auth_state
.auth_info
||
286 dce_conn
->auth_state
.auth_info
->credentials
.length
== 0) {
290 if (!call
->conn
->auth_state
.gensec_security
) {
291 return NT_STATUS_INVALID_PARAMETER
;
294 status
= gensec_update_ev(dce_conn
->auth_state
.gensec_security
,
295 call
, call
->event_ctx
,
296 dce_conn
->auth_state
.auth_info
->credentials
,
297 &dce_conn
->auth_state
.auth_info
->credentials
);
299 if (NT_STATUS_IS_OK(status
)) {
300 status
= gensec_session_info(dce_conn
->auth_state
.gensec_security
,
302 &dce_conn
->auth_state
.session_info
);
303 if (!NT_STATUS_IS_OK(status
)) {
304 DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status
)));
308 /* Now that we are authenticated, got back to the generic session key... */
309 dce_conn
->auth_state
.session_key
= dcesrv_generic_session_key
;
311 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
312 dce_conn
->auth_state
.auth_info
->auth_pad_length
= 0;
313 dce_conn
->auth_state
.auth_info
->auth_reserved
= 0;
317 DEBUG(4, ("GENSEC mech rejected the incoming authentication at auth alter_ack: %s\n",
323 check credentials on a request
325 bool dcesrv_auth_request(struct dcesrv_call_state
*call
, DATA_BLOB
*full_packet
)
327 struct ncacn_packet
*pkt
= &call
->pkt
;
328 struct dcesrv_connection
*dce_conn
= call
->conn
;
329 struct dcerpc_auth auth
;
331 uint32_t auth_length
;
332 size_t hdr_size
= DCERPC_REQUEST_LENGTH
;
334 if (!dce_conn
->auth_state
.auth_info
||
335 !dce_conn
->auth_state
.gensec_security
) {
336 if (pkt
->auth_length
!= 0) {
342 if (pkt
->pfc_flags
& DCERPC_PFC_FLAG_OBJECT_UUID
) {
346 switch (dce_conn
->auth_state
.auth_info
->auth_level
) {
347 case DCERPC_AUTH_LEVEL_PRIVACY
:
348 case DCERPC_AUTH_LEVEL_INTEGRITY
:
351 case DCERPC_AUTH_LEVEL_CONNECT
:
352 if (pkt
->auth_length
!= 0) {
356 case DCERPC_AUTH_LEVEL_NONE
:
357 if (pkt
->auth_length
!= 0) {
366 status
= dcerpc_pull_auth_trailer(pkt
, call
,
367 &pkt
->u
.request
.stub_and_verifier
,
368 &auth
, &auth_length
, false);
369 if (!NT_STATUS_IS_OK(status
)) {
373 if (auth
.auth_type
!= dce_conn
->auth_state
.auth_info
->auth_type
) {
377 if (auth
.auth_level
!= dce_conn
->auth_state
.auth_info
->auth_level
) {
381 if (auth
.auth_context_id
!= dce_conn
->auth_state
.auth_info
->auth_context_id
) {
385 pkt
->u
.request
.stub_and_verifier
.length
-= auth_length
;
387 /* check signature or unseal the packet */
388 switch (dce_conn
->auth_state
.auth_info
->auth_level
) {
389 case DCERPC_AUTH_LEVEL_PRIVACY
:
390 status
= gensec_unseal_packet(dce_conn
->auth_state
.gensec_security
,
391 full_packet
->data
+ hdr_size
,
392 pkt
->u
.request
.stub_and_verifier
.length
,
394 full_packet
->length
-auth
.credentials
.length
,
396 memcpy(pkt
->u
.request
.stub_and_verifier
.data
,
397 full_packet
->data
+ hdr_size
,
398 pkt
->u
.request
.stub_and_verifier
.length
);
401 case DCERPC_AUTH_LEVEL_INTEGRITY
:
402 status
= gensec_check_packet(dce_conn
->auth_state
.gensec_security
,
403 pkt
->u
.request
.stub_and_verifier
.data
,
404 pkt
->u
.request
.stub_and_verifier
.length
,
406 full_packet
->length
-auth
.credentials
.length
,
410 case DCERPC_AUTH_LEVEL_CONNECT
:
411 /* for now we ignore possible signatures here */
412 status
= NT_STATUS_OK
;
416 status
= NT_STATUS_INVALID_LEVEL
;
420 /* remove the indicated amount of padding */
421 if (pkt
->u
.request
.stub_and_verifier
.length
< auth
.auth_pad_length
) {
424 pkt
->u
.request
.stub_and_verifier
.length
-= auth
.auth_pad_length
;
426 return NT_STATUS_IS_OK(status
);
431 push a signed or sealed dcerpc request packet into a blob
433 bool dcesrv_auth_response(struct dcesrv_call_state
*call
,
434 DATA_BLOB
*blob
, size_t sig_size
,
435 struct ncacn_packet
*pkt
)
437 struct dcesrv_connection
*dce_conn
= call
->conn
;
439 enum ndr_err_code ndr_err
;
440 struct ndr_push
*ndr
;
441 uint32_t payload_length
;
444 /* non-signed packets are simple */
446 status
= ncacn_push_auth(blob
, call
, pkt
, NULL
);
447 return NT_STATUS_IS_OK(status
);
450 switch (dce_conn
->auth_state
.auth_info
->auth_level
) {
451 case DCERPC_AUTH_LEVEL_PRIVACY
:
452 case DCERPC_AUTH_LEVEL_INTEGRITY
:
455 case DCERPC_AUTH_LEVEL_CONNECT
:
457 * TODO: let the gensec mech decide if it wants to generate a
458 * signature that might be needed for schannel...
460 status
= ncacn_push_auth(blob
, call
, pkt
, NULL
);
461 return NT_STATUS_IS_OK(status
);
463 case DCERPC_AUTH_LEVEL_NONE
:
464 status
= ncacn_push_auth(blob
, call
, pkt
, NULL
);
465 return NT_STATUS_IS_OK(status
);
471 ndr
= ndr_push_init_ctx(call
);
476 if (!(pkt
->drep
[0] & DCERPC_DREP_LE
)) {
477 ndr
->flags
|= LIBNDR_FLAG_BIGENDIAN
;
480 ndr_err
= ndr_push_ncacn_packet(ndr
, NDR_SCALARS
|NDR_BUFFERS
, pkt
);
481 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
485 /* pad to 16 byte multiple in the payload portion of the
486 packet. This matches what w2k3 does. Note that we can't use
487 ndr_push_align() as that is relative to the start of the
488 whole packet, whereas w2k8 wants it relative to the start
490 dce_conn
->auth_state
.auth_info
->auth_pad_length
=
491 (16 - (pkt
->u
.response
.stub_and_verifier
.length
& 15)) & 15;
492 ndr_err
= ndr_push_zero(ndr
,
493 dce_conn
->auth_state
.auth_info
->auth_pad_length
);
494 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
498 payload_length
= pkt
->u
.response
.stub_and_verifier
.length
+
499 dce_conn
->auth_state
.auth_info
->auth_pad_length
;
501 /* we start without signature, it will appended later */
502 dce_conn
->auth_state
.auth_info
->credentials
= data_blob(NULL
, 0);
504 /* add the auth verifier */
505 ndr_err
= ndr_push_dcerpc_auth(ndr
, NDR_SCALARS
|NDR_BUFFERS
,
506 dce_conn
->auth_state
.auth_info
);
507 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
511 /* extract the whole packet as a blob */
512 *blob
= ndr_push_blob(ndr
);
515 * Setup the frag and auth length in the packet buffer.
516 * This is needed if the GENSEC mech does AEAD signing
517 * of the packet headers. The signature itself will be
520 dcerpc_set_frag_length(blob
, blob
->length
+ sig_size
);
521 dcerpc_set_auth_length(blob
, sig_size
);
523 /* sign or seal the packet */
524 switch (dce_conn
->auth_state
.auth_info
->auth_level
) {
525 case DCERPC_AUTH_LEVEL_PRIVACY
:
526 status
= gensec_seal_packet(dce_conn
->auth_state
.gensec_security
,
528 ndr
->data
+ DCERPC_REQUEST_LENGTH
,
535 case DCERPC_AUTH_LEVEL_INTEGRITY
:
536 status
= gensec_sign_packet(dce_conn
->auth_state
.gensec_security
,
538 ndr
->data
+ DCERPC_REQUEST_LENGTH
,
546 status
= NT_STATUS_INVALID_LEVEL
;
550 if (!NT_STATUS_IS_OK(status
)) {
554 if (creds2
.length
!= sig_size
) {
555 DEBUG(3,("dcesrv_auth_response: creds2.length[%u] != sig_size[%u] pad[%u] stub[%u]\n",
556 (unsigned)creds2
.length
, (uint32_t)sig_size
,
557 (unsigned)dce_conn
->auth_state
.auth_info
->auth_pad_length
,
558 (unsigned)pkt
->u
.response
.stub_and_verifier
.length
));
559 dcerpc_set_frag_length(blob
, blob
->length
+ creds2
.length
);
560 dcerpc_set_auth_length(blob
, creds2
.length
);
563 if (!data_blob_append(call
, blob
, creds2
.data
, creds2
.length
)) {
564 status
= NT_STATUS_NO_MEMORY
;
567 data_blob_free(&creds2
);