2 Unix SMB/CIFS implementation.
4 server side dcerpc authentication code
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Stefan (metze) Metzmacher 2004
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "rpc_server/dcerpc_server.h"
25 #include "rpc_server/dcerpc_server_proto.h"
26 #include "librpc/rpc/dcerpc_proto.h"
27 #include "librpc/gen_ndr/ndr_dcerpc.h"
28 #include "auth/credentials/credentials.h"
29 #include "auth/gensec/gensec.h"
30 #include "param/param.h"
33 parse any auth information from a dcerpc bind request
34 return false if we can't handle the auth request for some
35 reason (in which case we send a bind_nak)
37 bool dcesrv_auth_bind(struct dcesrv_call_state
*call
)
39 struct cli_credentials
*server_credentials
;
40 struct ncacn_packet
*pkt
= &call
->pkt
;
41 struct dcesrv_connection
*dce_conn
= call
->conn
;
42 struct dcesrv_auth
*auth
= &dce_conn
->auth_state
;
44 enum ndr_err_code ndr_err
;
46 if (pkt
->u
.bind
.auth_info
.length
== 0) {
47 dce_conn
->auth_state
.auth_info
= NULL
;
51 dce_conn
->auth_state
.auth_info
= talloc(dce_conn
, struct dcerpc_auth
);
52 if (!dce_conn
->auth_state
.auth_info
) {
56 ndr_err
= ndr_pull_struct_blob(&pkt
->u
.bind
.auth_info
,
58 dce_conn
->auth_state
.auth_info
,
59 (ndr_pull_flags_fn_t
)ndr_pull_dcerpc_auth
);
60 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
64 status
= gensec_server_start(dce_conn
, call
->event_ctx
,
65 lp_gensec_settings(dce_conn
, call
->conn
->dce_ctx
->lp_ctx
),
66 call
->msg_ctx
, &auth
->gensec_security
);
67 if (!NT_STATUS_IS_OK(status
)) {
68 DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status
)));
73 = cli_credentials_init(call
);
74 if (!server_credentials
) {
75 DEBUG(1, ("Failed to init server credentials\n"));
79 cli_credentials_set_conf(server_credentials
, call
->conn
->dce_ctx
->lp_ctx
);
80 status
= cli_credentials_set_machine_account(server_credentials
, call
->conn
->dce_ctx
->lp_ctx
);
81 if (!NT_STATUS_IS_OK(status
)) {
82 DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status
)));
83 talloc_free(server_credentials
);
84 server_credentials
= NULL
;
87 gensec_set_credentials(auth
->gensec_security
, server_credentials
);
89 status
= gensec_start_mech_by_authtype(auth
->gensec_security
, auth
->auth_info
->auth_type
,
90 auth
->auth_info
->auth_level
);
92 if (!NT_STATUS_IS_OK(status
)) {
93 DEBUG(1, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n",
94 (int)auth
->auth_info
->auth_type
,
95 (int)auth
->auth_info
->auth_level
,
100 if (call
->conn
->state_flags
& DCESRV_CALL_STATE_FLAG_HEADER_SIGNING
) {
101 gensec_want_feature(auth
->gensec_security
, GENSEC_FEATURE_SIGN_PKT_HEADER
);
108 add any auth information needed in a bind ack, and process the authentication
109 information found in the bind.
111 NTSTATUS
dcesrv_auth_bind_ack(struct dcesrv_call_state
*call
, struct ncacn_packet
*pkt
)
113 struct dcesrv_connection
*dce_conn
= call
->conn
;
116 if (!call
->conn
->auth_state
.gensec_security
) {
120 status
= gensec_update(dce_conn
->auth_state
.gensec_security
,
122 dce_conn
->auth_state
.auth_info
->credentials
,
123 &dce_conn
->auth_state
.auth_info
->credentials
);
125 if (NT_STATUS_IS_OK(status
)) {
126 status
= gensec_session_info(dce_conn
->auth_state
.gensec_security
,
127 &dce_conn
->auth_state
.session_info
);
128 if (!NT_STATUS_IS_OK(status
)) {
129 DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status
)));
133 if (dce_conn
->state_flags
& DCESRV_CALL_STATE_FLAG_HEADER_SIGNING
) {
134 gensec_want_feature(dce_conn
->auth_state
.gensec_security
,
135 GENSEC_FEATURE_SIGN_PKT_HEADER
);
138 /* Now that we are authenticated, go back to the generic session key... */
139 dce_conn
->auth_state
.session_key
= dcesrv_generic_session_key
;
141 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
142 dce_conn
->auth_state
.auth_info
->auth_pad_length
= 0;
143 dce_conn
->auth_state
.auth_info
->auth_reserved
= 0;
146 DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status
)));
153 process the final stage of a auth request
155 bool dcesrv_auth_auth3(struct dcesrv_call_state
*call
)
157 struct ncacn_packet
*pkt
= &call
->pkt
;
158 struct dcesrv_connection
*dce_conn
= call
->conn
;
160 enum ndr_err_code ndr_err
;
162 /* We can't work without an existing gensec state, and an new blob to feed it */
163 if (!dce_conn
->auth_state
.auth_info
||
164 !dce_conn
->auth_state
.gensec_security
||
165 pkt
->u
.auth3
.auth_info
.length
== 0) {
169 ndr_err
= ndr_pull_struct_blob(&pkt
->u
.auth3
.auth_info
,
171 dce_conn
->auth_state
.auth_info
,
172 (ndr_pull_flags_fn_t
)ndr_pull_dcerpc_auth
);
173 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
177 /* Pass the extra data we got from the client down to gensec for processing */
178 status
= gensec_update(dce_conn
->auth_state
.gensec_security
,
180 dce_conn
->auth_state
.auth_info
->credentials
,
181 &dce_conn
->auth_state
.auth_info
->credentials
);
182 if (NT_STATUS_IS_OK(status
)) {
183 status
= gensec_session_info(dce_conn
->auth_state
.gensec_security
,
184 &dce_conn
->auth_state
.session_info
);
185 if (!NT_STATUS_IS_OK(status
)) {
186 DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status
)));
189 /* Now that we are authenticated, go back to the generic session key... */
190 dce_conn
->auth_state
.session_key
= dcesrv_generic_session_key
;
193 DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n",
202 parse any auth information from a dcerpc alter request
203 return false if we can't handle the auth request for some
204 reason (in which case we send a bind_nak (is this true for here?))
206 bool dcesrv_auth_alter(struct dcesrv_call_state
*call
)
208 struct ncacn_packet
*pkt
= &call
->pkt
;
209 struct dcesrv_connection
*dce_conn
= call
->conn
;
210 enum ndr_err_code ndr_err
;
212 /* on a pure interface change there is no auth blob */
213 if (pkt
->u
.alter
.auth_info
.length
== 0) {
217 /* We can't work without an existing gensec state */
218 if (!dce_conn
->auth_state
.gensec_security
) {
222 dce_conn
->auth_state
.auth_info
= talloc(dce_conn
, struct dcerpc_auth
);
223 if (!dce_conn
->auth_state
.auth_info
) {
227 ndr_err
= ndr_pull_struct_blob(&pkt
->u
.alter
.auth_info
,
229 dce_conn
->auth_state
.auth_info
,
230 (ndr_pull_flags_fn_t
)ndr_pull_dcerpc_auth
);
231 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
239 add any auth information needed in a alter ack, and process the authentication
240 information found in the alter.
242 NTSTATUS
dcesrv_auth_alter_ack(struct dcesrv_call_state
*call
, struct ncacn_packet
*pkt
)
244 struct dcesrv_connection
*dce_conn
= call
->conn
;
247 /* on a pure interface change there is no auth_info structure
249 if (!call
->conn
->auth_state
.auth_info
||
250 dce_conn
->auth_state
.auth_info
->credentials
.length
== 0) {
254 if (!call
->conn
->auth_state
.gensec_security
) {
255 return NT_STATUS_INVALID_PARAMETER
;
258 status
= gensec_update(dce_conn
->auth_state
.gensec_security
,
260 dce_conn
->auth_state
.auth_info
->credentials
,
261 &dce_conn
->auth_state
.auth_info
->credentials
);
263 if (NT_STATUS_IS_OK(status
)) {
264 status
= gensec_session_info(dce_conn
->auth_state
.gensec_security
,
265 &dce_conn
->auth_state
.session_info
);
266 if (!NT_STATUS_IS_OK(status
)) {
267 DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status
)));
271 /* Now that we are authenticated, got back to the generic session key... */
272 dce_conn
->auth_state
.session_key
= dcesrv_generic_session_key
;
274 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
275 dce_conn
->auth_state
.auth_info
->auth_pad_length
= 0;
276 dce_conn
->auth_state
.auth_info
->auth_reserved
= 0;
280 DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status
)));
285 check credentials on a request
287 bool dcesrv_auth_request(struct dcesrv_call_state
*call
, DATA_BLOB
*full_packet
)
289 struct ncacn_packet
*pkt
= &call
->pkt
;
290 struct dcesrv_connection
*dce_conn
= call
->conn
;
292 struct dcerpc_auth auth
;
293 struct ndr_pull
*ndr
;
295 enum ndr_err_code ndr_err
;
296 size_t hdr_size
= DCERPC_REQUEST_LENGTH
;
298 if (!dce_conn
->auth_state
.auth_info
||
299 !dce_conn
->auth_state
.gensec_security
) {
303 switch (dce_conn
->auth_state
.auth_info
->auth_level
) {
304 case DCERPC_AUTH_LEVEL_PRIVACY
:
305 case DCERPC_AUTH_LEVEL_INTEGRITY
:
308 case DCERPC_AUTH_LEVEL_CONNECT
:
309 if (pkt
->auth_length
!= 0) {
313 case DCERPC_AUTH_LEVEL_NONE
:
314 if (pkt
->auth_length
!= 0) {
323 auth_blob
.length
= 8 + pkt
->auth_length
;
325 /* check for a valid length */
326 if (pkt
->u
.request
.stub_and_verifier
.length
< auth_blob
.length
) {
331 pkt
->u
.request
.stub_and_verifier
.data
+
332 pkt
->u
.request
.stub_and_verifier
.length
- auth_blob
.length
;
333 pkt
->u
.request
.stub_and_verifier
.length
-= auth_blob
.length
;
335 /* pull the auth structure */
336 ndr
= ndr_pull_init_blob(&auth_blob
, call
, lp_iconv_convenience(call
->conn
->dce_ctx
->lp_ctx
));
341 if (!(pkt
->drep
[0] & DCERPC_DREP_LE
)) {
342 ndr
->flags
|= LIBNDR_FLAG_BIGENDIAN
;
345 if (pkt
->pfc_flags
& DCERPC_PFC_FLAG_OBJECT_UUID
) {
346 ndr
->flags
|= LIBNDR_FLAG_OBJECT_PRESENT
;
350 ndr_err
= ndr_pull_dcerpc_auth(ndr
, NDR_SCALARS
|NDR_BUFFERS
, &auth
);
351 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
356 /* check signature or unseal the packet */
357 switch (dce_conn
->auth_state
.auth_info
->auth_level
) {
358 case DCERPC_AUTH_LEVEL_PRIVACY
:
359 status
= gensec_unseal_packet(dce_conn
->auth_state
.gensec_security
,
361 full_packet
->data
+ hdr_size
,
362 pkt
->u
.request
.stub_and_verifier
.length
,
364 full_packet
->length
-auth
.credentials
.length
,
366 memcpy(pkt
->u
.request
.stub_and_verifier
.data
,
367 full_packet
->data
+ hdr_size
,
368 pkt
->u
.request
.stub_and_verifier
.length
);
371 case DCERPC_AUTH_LEVEL_INTEGRITY
:
372 status
= gensec_check_packet(dce_conn
->auth_state
.gensec_security
,
374 pkt
->u
.request
.stub_and_verifier
.data
,
375 pkt
->u
.request
.stub_and_verifier
.length
,
377 full_packet
->length
-auth
.credentials
.length
,
381 case DCERPC_AUTH_LEVEL_CONNECT
:
382 /* for now we ignore possible signatures here */
383 status
= NT_STATUS_OK
;
387 status
= NT_STATUS_INVALID_LEVEL
;
391 /* remove the indicated amount of padding */
392 if (pkt
->u
.request
.stub_and_verifier
.length
< auth
.auth_pad_length
) {
396 pkt
->u
.request
.stub_and_verifier
.length
-= auth
.auth_pad_length
;
399 return NT_STATUS_IS_OK(status
);
404 push a signed or sealed dcerpc request packet into a blob
406 bool dcesrv_auth_response(struct dcesrv_call_state
*call
,
407 DATA_BLOB
*blob
, size_t sig_size
,
408 struct ncacn_packet
*pkt
)
410 struct dcesrv_connection
*dce_conn
= call
->conn
;
412 enum ndr_err_code ndr_err
;
413 struct ndr_push
*ndr
;
414 uint32_t payload_length
;
417 /* non-signed packets are simple */
419 status
= ncacn_push_auth(blob
, call
, lp_iconv_convenience(dce_conn
->dce_ctx
->lp_ctx
), pkt
, NULL
);
420 return NT_STATUS_IS_OK(status
);
423 switch (dce_conn
->auth_state
.auth_info
->auth_level
) {
424 case DCERPC_AUTH_LEVEL_PRIVACY
:
425 case DCERPC_AUTH_LEVEL_INTEGRITY
:
428 case DCERPC_AUTH_LEVEL_CONNECT
:
430 * TODO: let the gensec mech decide if it wants to generate a signature
431 * that might be needed for schannel...
433 status
= ncacn_push_auth(blob
, call
, lp_iconv_convenience(dce_conn
->dce_ctx
->lp_ctx
), pkt
, NULL
);
434 return NT_STATUS_IS_OK(status
);
436 case DCERPC_AUTH_LEVEL_NONE
:
437 status
= ncacn_push_auth(blob
, call
, lp_iconv_convenience(dce_conn
->dce_ctx
->lp_ctx
), pkt
, NULL
);
438 return NT_STATUS_IS_OK(status
);
444 ndr
= ndr_push_init_ctx(call
, lp_iconv_convenience(dce_conn
->dce_ctx
->lp_ctx
));
449 if (!(pkt
->drep
[0] & DCERPC_DREP_LE
)) {
450 ndr
->flags
|= LIBNDR_FLAG_BIGENDIAN
;
453 ndr_err
= ndr_push_ncacn_packet(ndr
, NDR_SCALARS
|NDR_BUFFERS
, pkt
);
454 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
458 /* pad to 16 byte multiple, match win2k3 */
459 dce_conn
->auth_state
.auth_info
->auth_pad_length
=
460 (16 - (pkt
->u
.response
.stub_and_verifier
.length
& 15)) & 15;
461 ndr_err
= ndr_push_zero(ndr
, dce_conn
->auth_state
.auth_info
->auth_pad_length
);
462 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
466 payload_length
= pkt
->u
.response
.stub_and_verifier
.length
+
467 dce_conn
->auth_state
.auth_info
->auth_pad_length
;
469 /* we start without signature, it will appended later */
470 dce_conn
->auth_state
.auth_info
->credentials
= data_blob(NULL
, 0);
472 /* add the auth verifier */
473 ndr_err
= ndr_push_dcerpc_auth(ndr
, NDR_SCALARS
|NDR_BUFFERS
,
474 dce_conn
->auth_state
.auth_info
);
475 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
479 /* extract the whole packet as a blob */
480 *blob
= ndr_push_blob(ndr
);
483 * Setup the frag and auth length in the packet buffer.
484 * This is needed if the GENSEC mech does AEAD signing
485 * of the packet headers. The signature itself will be
488 dcerpc_set_frag_length(blob
, blob
->length
+ sig_size
);
489 dcerpc_set_auth_length(blob
, sig_size
);
491 /* sign or seal the packet */
492 switch (dce_conn
->auth_state
.auth_info
->auth_level
) {
493 case DCERPC_AUTH_LEVEL_PRIVACY
:
494 status
= gensec_seal_packet(dce_conn
->auth_state
.gensec_security
,
496 ndr
->data
+ DCERPC_REQUEST_LENGTH
,
503 case DCERPC_AUTH_LEVEL_INTEGRITY
:
504 status
= gensec_sign_packet(dce_conn
->auth_state
.gensec_security
,
506 ndr
->data
+ DCERPC_REQUEST_LENGTH
,
514 status
= NT_STATUS_INVALID_LEVEL
;
518 if (NT_STATUS_IS_OK(status
)) {
519 if (creds2
.length
!= sig_size
) {
520 DEBUG(0,("dcesrv_auth_response: creds2.length[%u] != sig_size[%u] pad[%u] stub[%u]\n",
521 creds2
.length
, (uint32_t)sig_size
,
522 dce_conn
->auth_state
.auth_info
->auth_pad_length
,
523 pkt
->u
.response
.stub_and_verifier
.length
));
524 data_blob_free(&creds2
);
525 status
= NT_STATUS_INTERNAL_ERROR
;
529 if (NT_STATUS_IS_OK(status
)) {
530 if (!data_blob_append(call
, blob
, creds2
.data
, creds2
.length
)) {
531 status
= NT_STATUS_NO_MEMORY
;
533 data_blob_free(&creds2
);
536 if (!NT_STATUS_IS_OK(status
)) {