2 Unix SMB/CIFS implementation.
4 server side dcerpc authentication code
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Stefan (metze) Metzmacher 2004
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "librpc/rpc/dcesrv_core.h"
25 #include "librpc/rpc/dcesrv_core_proto.h"
26 #include "librpc/rpc/dcerpc_util.h"
27 #include "librpc/rpc/dcerpc_pkt_auth.h"
28 #include "librpc/gen_ndr/ndr_dcerpc.h"
29 #include "auth/credentials/credentials.h"
30 #include "auth/gensec/gensec.h"
31 #include "auth/auth.h"
32 #include "param/param.h"
34 static NTSTATUS dcesrv_auth_negotiate_hdr_signing(struct dcesrv_call_state *call,
35 struct ncacn_packet *pkt)
37 struct dcesrv_connection *dce_conn = call->conn;
38 struct dcesrv_auth *a = NULL;
40 if (!(call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
44 if (dce_conn->client_hdr_signing) {
45 if (dce_conn->negotiated_hdr_signing && pkt != NULL) {
46 pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
51 dce_conn->client_hdr_signing = true;
52 dce_conn->negotiated_hdr_signing = dce_conn->support_hdr_signing;
54 if (!dce_conn->negotiated_hdr_signing) {
59 pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
62 a = call->conn->default_auth_state;
63 if (a->gensec_security != NULL) {
64 gensec_want_feature(a->gensec_security,
65 GENSEC_FEATURE_SIGN_PKT_HEADER);
68 for (a = call->conn->auth_states; a != NULL; a = a->next) {
69 if (a->gensec_security == NULL) {
73 gensec_want_feature(a->gensec_security,
74 GENSEC_FEATURE_SIGN_PKT_HEADER);
80 static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
82 struct dcesrv_connection *dce_conn = call->conn;
83 struct dcesrv_auth *auth = call->auth_state;
86 if (auth->auth_started) {
90 auth->auth_started = true;
92 if (auth->auth_invalid) {
96 if (auth->auth_finished) {
100 if (auth->gensec_security != NULL) {
104 switch (call->in_auth_info.auth_level) {
105 case DCERPC_AUTH_LEVEL_CONNECT:
106 case DCERPC_AUTH_LEVEL_CALL:
107 case DCERPC_AUTH_LEVEL_PACKET:
108 case DCERPC_AUTH_LEVEL_INTEGRITY:
109 case DCERPC_AUTH_LEVEL_PRIVACY:
111 * We evaluate auth_type only if auth_level was valid
116 * Setting DCERPC_AUTH_LEVEL_NONE,
117 * gives the caller the reject_reason
118 * as auth_context_id.
120 * Note: DCERPC_AUTH_LEVEL_NONE == 1
122 auth->auth_type = DCERPC_AUTH_TYPE_NONE;
123 auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
124 auth->auth_context_id = DCERPC_BIND_NAK_REASON_NOT_SPECIFIED;
128 auth->auth_type = call->in_auth_info.auth_type;
129 auth->auth_level = call->in_auth_info.auth_level;
130 auth->auth_context_id = call->in_auth_info.auth_context_id;
132 status = call->conn->dce_ctx->callbacks.auth.gensec_prepare(auth,
134 &auth->gensec_security);
135 if (!NT_STATUS_IS_OK(status)) {
136 DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
142 * We have to call this because we set the target_service for
143 * Kerberos to NULL above, and in any case we wish to log a
144 * more specific service target.
147 status = gensec_set_target_service_description(auth->gensec_security,
149 if (!NT_STATUS_IS_OK(status)) {
150 DEBUG(1, ("Failed to call gensec_set_target_service_description %s\n",
155 if (call->conn->remote_address != NULL) {
156 status = gensec_set_remote_address(auth->gensec_security,
157 call->conn->remote_address);
158 if (!NT_STATUS_IS_OK(status)) {
159 DEBUG(1, ("Failed to call gensec_set_remote_address() %s\n",
165 if (call->conn->local_address != NULL) {
166 status = gensec_set_local_address(auth->gensec_security,
167 call->conn->local_address);
168 if (!NT_STATUS_IS_OK(status)) {
169 DEBUG(1, ("Failed to call gensec_set_local_address() %s\n",
175 status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_type,
177 if (!NT_STATUS_IS_OK(status)) {
178 const char *backend_name =
179 gensec_get_name_by_authtype(auth->gensec_security,
182 DEBUG(3, ("Failed to start GENSEC mechanism for DCERPC server: "
183 "auth_type=%d (%s), auth_level=%d: %s\n",
184 (int)auth->auth_type, backend_name,
185 (int)auth->auth_level,
189 * Setting DCERPC_AUTH_LEVEL_NONE,
190 * gives the caller the reject_reason
191 * as auth_context_id.
193 * Note: DCERPC_AUTH_LEVEL_NONE == 1
195 auth->auth_type = DCERPC_AUTH_TYPE_NONE;
196 auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
197 if (backend_name != NULL) {
198 auth->auth_context_id =
199 DCERPC_BIND_NAK_REASON_INVALID_CHECKSUM;
201 auth->auth_context_id =
202 DCERPC_BIND_NAK_REASON_INVALID_AUTH_TYPE;
207 if (dce_conn->negotiated_hdr_signing) {
208 gensec_want_feature(auth->gensec_security,
209 GENSEC_FEATURE_SIGN_PKT_HEADER);
215 static void dcesrv_default_auth_state_finish_bind(struct dcesrv_call_state *call)
217 SMB_ASSERT(call->pkt.ptype == DCERPC_PKT_BIND);
219 if (call->auth_state == call->conn->default_auth_state) {
223 if (call->conn->default_auth_state->auth_started) {
227 if (call->conn->default_auth_state->auth_invalid) {
231 call->conn->default_auth_state->auth_type = DCERPC_AUTH_TYPE_NONE;
232 call->conn->default_auth_state->auth_level = DCERPC_AUTH_LEVEL_NONE;
233 call->conn->default_auth_state->auth_context_id = 0;
234 call->conn->default_auth_state->auth_started = true;
235 call->conn->default_auth_state->auth_finished = true;
239 * We defer log_successful_dcesrv_authz_event()
240 * to dcesrv_default_auth_state_prepare_request()
242 * As we don't want to trigger authz_events
243 * just for alter_context requests without authentication
247 void dcesrv_default_auth_state_prepare_request(struct dcesrv_call_state *call)
249 struct dcesrv_connection *dce_conn = call->conn;
250 struct dcesrv_auth *auth = call->auth_state;
252 if (auth->auth_audited) {
256 if (call->pkt.ptype != DCERPC_PKT_REQUEST) {
260 if (auth != dce_conn->default_auth_state) {
264 if (auth->auth_invalid) {
268 if (!auth->auth_finished) {
272 if (!call->conn->dce_ctx->callbacks.log.successful_authz) {
276 call->conn->dce_ctx->callbacks.log.successful_authz(call);
280 parse any auth information from a dcerpc bind request
281 return false if we can't handle the auth request for some
282 reason (in which case we send a bind_nak)
284 bool dcesrv_auth_bind(struct dcesrv_call_state *call)
286 struct ncacn_packet *pkt = &call->pkt;
287 struct dcesrv_auth *auth = call->auth_state;
290 if (pkt->auth_length == 0) {
291 auth->auth_type = DCERPC_AUTH_TYPE_NONE;
292 auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
293 auth->auth_context_id = 0;
294 auth->auth_started = true;
296 if (call->conn->dce_ctx->callbacks.log.successful_authz) {
297 call->conn->dce_ctx->callbacks.log.successful_authz(call);
303 status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.bind.auth_info,
306 if (!NT_STATUS_IS_OK(status)) {
308 * Setting DCERPC_AUTH_LEVEL_NONE,
309 * gives the caller the reject_reason
310 * as auth_context_id.
312 * Note: DCERPC_AUTH_LEVEL_NONE == 1
314 auth->auth_type = DCERPC_AUTH_TYPE_NONE;
315 auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
316 auth->auth_context_id =
317 DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED;
321 return dcesrv_auth_prepare_gensec(call);
324 NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
326 struct dcesrv_auth *auth = call->auth_state;
327 const char *pdu = "<unknown>";
329 switch (call->pkt.ptype) {
330 case DCERPC_PKT_BIND:
333 case DCERPC_PKT_ALTER:
336 case DCERPC_PKT_AUTH3:
338 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
339 DEBUG(4, ("GENSEC not finished at at %s\n", pdu));
340 return NT_STATUS_RPC_SEC_PKG_ERROR;
344 return NT_STATUS_INTERNAL_ERROR;
347 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
351 if (!NT_STATUS_IS_OK(status)) {
352 DEBUG(4, ("GENSEC mech rejected the incoming authentication "
353 "at %s: %s\n", pdu, nt_errstr(status)));
357 status = gensec_session_info(auth->gensec_security,
359 &auth->session_info);
360 if (!NT_STATUS_IS_OK(status)) {
361 DEBUG(1, ("Failed to establish session_info: %s\n",
365 auth->auth_finished = true;
367 if (auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT &&
368 !call->conn->got_explicit_auth_level_connect)
370 call->conn->default_auth_level_connect = auth;
373 if (call->pkt.ptype != DCERPC_PKT_AUTH3) {
377 if (call->out_auth_info->credentials.length != 0) {
378 DEBUG(4, ("GENSEC produced output token (len=%zu) at %s\n",
379 call->out_auth_info->credentials.length, pdu));
380 return NT_STATUS_RPC_SEC_PKG_ERROR;
387 add any auth information needed in a bind ack, and process the authentication
388 information found in the bind.
390 NTSTATUS dcesrv_auth_prepare_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
392 struct dcesrv_connection *dce_conn = call->conn;
393 struct dcesrv_auth *auth = call->auth_state;
396 status = dcesrv_auth_negotiate_hdr_signing(call, pkt);
397 if (!NT_STATUS_IS_OK(status)) {
401 dce_conn->allow_alter = true;
402 dcesrv_default_auth_state_finish_bind(call);
404 if (call->pkt.auth_length == 0) {
405 auth->auth_finished = true;
409 /* We can't work without an existing gensec state */
410 if (auth->gensec_security == NULL) {
411 return NT_STATUS_INTERNAL_ERROR;
414 call->_out_auth_info = (struct dcerpc_auth) {
415 .auth_type = auth->auth_type,
416 .auth_level = auth->auth_level,
417 .auth_context_id = auth->auth_context_id,
419 call->out_auth_info = &call->_out_auth_info;
425 process the final stage of a auth request
427 bool dcesrv_auth_prepare_auth3(struct dcesrv_call_state *call)
429 struct ncacn_packet *pkt = &call->pkt;
430 struct dcesrv_auth *auth = call->auth_state;
433 if (pkt->auth_length == 0) {
437 if (auth->auth_finished) {
441 /* We can't work without an existing gensec state */
442 if (auth->gensec_security == NULL) {
446 status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.auth3.auth_info,
447 &call->in_auth_info, NULL, true);
448 if (!NT_STATUS_IS_OK(status)) {
450 * Windows returns DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY
451 * instead of DCERPC_NCA_S_PROTO_ERROR.
453 call->fault_code = DCERPC_NCA_S_FAULT_REMOTE_NO_MEMORY;
457 if (call->in_auth_info.auth_type != auth->auth_type) {
461 if (call->in_auth_info.auth_level != auth->auth_level) {
465 if (call->in_auth_info.auth_context_id != auth->auth_context_id) {
469 call->_out_auth_info = (struct dcerpc_auth) {
470 .auth_type = auth->auth_type,
471 .auth_level = auth->auth_level,
472 .auth_context_id = auth->auth_context_id,
474 call->out_auth_info = &call->_out_auth_info;
480 parse any auth information from a dcerpc alter request
481 return false if we can't handle the auth request for some
482 reason (in which case we send a bind_nak (is this true for here?))
484 bool dcesrv_auth_alter(struct dcesrv_call_state *call)
486 struct ncacn_packet *pkt = &call->pkt;
487 struct dcesrv_auth *auth = call->auth_state;
490 /* on a pure interface change there is no auth blob */
491 if (pkt->auth_length == 0) {
492 if (!auth->auth_finished) {
498 if (auth->auth_finished) {
499 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
503 status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.alter.auth_info,
504 &call->in_auth_info, NULL, true);
505 if (!NT_STATUS_IS_OK(status)) {
506 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
510 if (!auth->auth_started) {
513 ok = dcesrv_auth_prepare_gensec(call);
515 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
522 if (call->in_auth_info.auth_type == DCERPC_AUTH_TYPE_NONE) {
523 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
527 if (call->in_auth_info.auth_type != auth->auth_type) {
531 if (call->in_auth_info.auth_level != auth->auth_level) {
535 if (call->in_auth_info.auth_context_id != auth->auth_context_id) {
543 add any auth information needed in a alter ack, and process the authentication
544 information found in the alter.
546 NTSTATUS dcesrv_auth_prepare_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
548 struct dcesrv_auth *auth = call->auth_state;
551 status = dcesrv_auth_negotiate_hdr_signing(call, pkt);
552 if (!NT_STATUS_IS_OK(status)) {
556 /* on a pure interface change there is no auth_info structure
558 if (call->pkt.auth_length == 0) {
562 if (auth->gensec_security == NULL) {
563 return NT_STATUS_INTERNAL_ERROR;
566 call->_out_auth_info = (struct dcerpc_auth) {
567 .auth_type = auth->auth_type,
568 .auth_level = auth->auth_level,
569 .auth_context_id = auth->auth_context_id,
571 call->out_auth_info = &call->_out_auth_info;
577 check credentials on a packet
579 bool dcesrv_auth_pkt_pull(struct dcesrv_call_state *call,
580 DATA_BLOB *full_packet,
581 uint8_t required_flags,
582 uint8_t optional_flags,
583 uint8_t payload_offset,
584 DATA_BLOB *payload_and_verifier)
586 struct ncacn_packet *pkt = &call->pkt;
587 struct dcesrv_auth *auth = call->auth_state;
588 const struct dcerpc_auth tmp_auth = {
589 .auth_type = auth->auth_type,
590 .auth_level = auth->auth_level,
591 .auth_context_id = auth->auth_context_id,
595 if (!auth->auth_started) {
599 if (!auth->auth_finished) {
600 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
604 if (auth->auth_invalid) {
608 status = dcerpc_ncacn_pull_pkt_auth(&tmp_auth,
609 auth->gensec_security,
615 payload_and_verifier,
618 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
619 call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
622 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL)) {
623 call->fault_code = DCERPC_NCA_S_UNSUPPORTED_AUTHN_LEVEL;
626 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
627 call->fault_code = DCERPC_FAULT_SEC_PKG_ERROR;
630 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
631 call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
634 if (!NT_STATUS_IS_OK(status)) {
642 push a signed or sealed dcerpc request packet into a blob
644 bool dcesrv_auth_pkt_push(struct dcesrv_call_state *call,
645 DATA_BLOB *blob, size_t sig_size,
646 uint8_t payload_offset,
647 const DATA_BLOB *payload,
648 const struct ncacn_packet *pkt)
650 struct dcesrv_auth *auth = call->auth_state;
651 const struct dcerpc_auth tmp_auth = {
652 .auth_type = auth->auth_type,
653 .auth_level = auth->auth_level,
654 .auth_context_id = auth->auth_context_id,
658 status = dcerpc_ncacn_push_pkt_auth(&tmp_auth,
659 auth->gensec_security,
660 call, blob, sig_size,
664 return NT_STATUS_IS_OK(status);