source4/librpc/rpc/dcerpc_auth.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Stefan Metzmacher 2004
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "libcli/composite/composite.h"
  26 #include "auth/gensec/gensec.h"
  27 #include "librpc/rpc/dcerpc.h"
  28 #include "librpc/rpc/dcerpc_proto.h"
  29 #include "param/param.h"
  30
  31 /*
  32   return the rpc syntax and transfer syntax given the pipe uuid and version
  33 */
  34 static NTSTATUS dcerpc_init_syntaxes(const struct ndr_interface_table *table,
  35                                      uint32_t pipe_flags,
  36                                      struct ndr_syntax_id *syntax,
  37                                      struct ndr_syntax_id *transfer_syntax)
  38 {
  39         syntax->uuid = table->syntax_id.uuid;
  40         syntax->if_version = table->syntax_id.if_version;
  41
  42         if (pipe_flags & DCERPC_NDR64) {
  43                 *transfer_syntax = ndr64_transfer_syntax;
  44         } else {
  45                 *transfer_syntax = ndr_transfer_syntax;
  46         }
  47
  48         return NT_STATUS_OK;
  49 }
  50
  51
  52 /*
  53   Send request to do a non-authenticated dcerpc bind
  54 */
  55 struct composite_context *dcerpc_bind_auth_none_send(TALLOC_CTX *mem_ctx,
  56                                                      struct dcerpc_pipe *p,
  57                                                      const struct ndr_interface_table *table)
  58 {
  59         struct ndr_syntax_id syntax;
  60         struct ndr_syntax_id transfer_syntax;
  61
  62         struct composite_context *c;
  63
  64         c = composite_create(mem_ctx, p->conn->event_ctx);
  65         if (c == NULL) return NULL;
  66
  67         c->status = dcerpc_init_syntaxes(table, p->conn->flags,
  68                                          &syntax, &transfer_syntax);
  69         if (!NT_STATUS_IS_OK(c->status)) {
  70                 DEBUG(2,("Invalid uuid string in "
  71                          "dcerpc_bind_auth_none_send\n"));
  72                 composite_error(c, c->status);
  73                 return c;
  74         }
  75
  76         /* c was only allocated as a container for a possible error */
  77         talloc_free(c);
  78
  79         return dcerpc_bind_send(p, mem_ctx, &syntax, &transfer_syntax);
  80 }
  81
  82
  83 /*
  84   Receive result of a non-authenticated dcerpc bind
  85 */
  86 NTSTATUS dcerpc_bind_auth_none_recv(struct composite_context *ctx)
  87 {
  88         return dcerpc_bind_recv(ctx);
  89 }
  90
  91
  92 /*
  93   Perform sync non-authenticated dcerpc bind
  94 */
  95 _PUBLIC_ NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
  96                                const struct ndr_interface_table *table)
  97 {
  98         struct composite_context *ctx;
  99
 100         ctx = dcerpc_bind_auth_none_send(p, p, table);
 101         return dcerpc_bind_auth_none_recv(ctx);
 102 }
 103
 104
 105 struct bind_auth_state {
 106         struct dcerpc_pipe *pipe;
 107         DATA_BLOB credentials;
 108         bool more_processing;   /* Is there anything more to do after the
 109                                  * first bind itself received? */
 110 };
 111
 112 static void bind_auth_recv_alter(struct composite_context *creq);
 113
 114 static void bind_auth_next_step(struct composite_context *c)
 115 {
 116         struct bind_auth_state *state;
 117         struct dcecli_security *sec;
 118         struct composite_context *creq;
 119         bool more_processing = false;
 120
 121         state = talloc_get_type(c->private_data, struct bind_auth_state);
 122         sec = &state->pipe->conn->security_state;
 123
 124         /* The status value here, from GENSEC is vital to the security
 125          * of the system.  Even if the other end accepts, if GENSEC
 126          * claims 'MORE_PROCESSING_REQUIRED' then you must keep
 127          * feeding it blobs, or else the remote host/attacker might
 128          * avoid mutal authentication requirements.
 129          *
 130          * Likewise, you must not feed GENSEC too much (after the OK),
 131          * it doesn't like that either
 132          */
 133
 134         c->status = gensec_update(sec->generic_state, state,
 135                                   state->pipe->conn->event_ctx,
 136                                   sec->auth_info->credentials,
 137                                   &state->credentials);
 138         data_blob_free(&sec->auth_info->credentials);
 139
 140         if (NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 141                 more_processing = true;
 142                 c->status = NT_STATUS_OK;
 143         }
 144
 145         if (!composite_is_ok(c)) return;
 146
 147         if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
 148                 gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
 149         }
 150
 151         if (state->credentials.length == 0) {
 152                 composite_done(c);
 153                 return;
 154         }
 155
 156         sec->auth_info->credentials = state->credentials;
 157
 158         if (!more_processing) {
 159                 /* NO reply expected, so just send it */
 160                 c->status = dcerpc_auth3(state->pipe, state);
 161                 data_blob_free(&state->credentials);
 162                 sec->auth_info->credentials = data_blob(NULL, 0);
 163                 if (!composite_is_ok(c)) return;
 164
 165                 composite_done(c);
 166                 return;
 167         }
 168
 169         /* We are demanding a reply, so use a request that will get us one */
 170
 171         creq = dcerpc_alter_context_send(state->pipe, state,
 172                                          &state->pipe->syntax,
 173                                          &state->pipe->transfer_syntax);
 174         data_blob_free(&state->credentials);
 175         sec->auth_info->credentials = data_blob(NULL, 0);
 176         if (composite_nomem(creq, c)) return;
 177
 178         composite_continue(c, creq, bind_auth_recv_alter, c);
 179 }
 180
 181
 182 static void bind_auth_recv_alter(struct composite_context *creq)
 183 {
 184         struct composite_context *c = talloc_get_type(creq->async.private_data,
 185                                                       struct composite_context);
 186
 187         c->status = dcerpc_alter_context_recv(creq);
 188         if (!composite_is_ok(c)) return;
 189
 190         bind_auth_next_step(c);
 191 }
 192
 193
 194 static void bind_auth_recv_bindreply(struct composite_context *creq)
 195 {
 196         struct composite_context *c = talloc_get_type(creq->async.private_data,
 197                                                       struct composite_context);
 198         struct bind_auth_state *state = talloc_get_type(c->private_data,
 199                                                         struct bind_auth_state);
 200
 201         c->status = dcerpc_bind_recv(creq);
 202         if (!composite_is_ok(c)) return;
 203
 204         if (!state->more_processing) {
 205                 /* The first gensec_update has not requested a second run, so
 206                  * we're done here. */
 207                 composite_done(c);
 208                 return;
 209         }
 210
 211         bind_auth_next_step(c);
 212 }
 213
 214
 215 /**
 216    Bind to a DCE/RPC pipe, send async request
 217    @param mem_ctx TALLOC_CTX for the allocation of the composite_context
 218    @param p The dcerpc_pipe to bind (must already be connected)
 219    @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
 220    @param credentials The credentials of the account to connect with
 221    @param auth_type Select the authentication scheme to use
 222    @param auth_level Chooses between unprotected (connect), signed or sealed
 223    @param service The service (used by Kerberos to select the service principal to contact)
 224    @retval A composite context describing the partial state of the bind
 225 */
 226
 227 struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 228                                                 struct dcerpc_pipe *p,
 229                                                 const struct ndr_interface_table *table,
 230                                                 struct cli_credentials *credentials,
 231                                                 struct gensec_settings *gensec_settings,
 232                                                 uint8_t auth_type, uint8_t auth_level,
 233                                                 const char *service)
 234 {
 235         struct composite_context *c, *creq;
 236         struct bind_auth_state *state;
 237         struct dcecli_security *sec;
 238
 239         struct ndr_syntax_id syntax, transfer_syntax;
 240
 241         /* composite context allocation and setup */
 242         c = composite_create(mem_ctx, p->conn->event_ctx);
 243         if (c == NULL) return NULL;
 244
 245         state = talloc(c, struct bind_auth_state);
 246         if (composite_nomem(state, c)) return c;
 247         c->private_data = state;
 248
 249         state->pipe = p;
 250
 251         c->status = dcerpc_init_syntaxes(table, p->conn->flags,
 252                                          &syntax,
 253                                          &transfer_syntax);
 254         if (!composite_is_ok(c)) return c;
 255
 256         sec = &p->conn->security_state;
 257
 258         c->status = gensec_client_start(p, &sec->generic_state,
 259                                         gensec_settings);
 260         if (!NT_STATUS_IS_OK(c->status)) {
 261                 DEBUG(1, ("Failed to start GENSEC client mode: %s\n",
 262                           nt_errstr(c->status)));
 263                 composite_error(c, c->status);
 264                 return c;
 265         }
 266
 267         c->status = gensec_set_credentials(sec->generic_state, credentials);
 268         if (!NT_STATUS_IS_OK(c->status)) {
 269                 DEBUG(1, ("Failed to set GENSEC client credentials: %s\n",
 270                           nt_errstr(c->status)));
 271                 composite_error(c, c->status);
 272                 return c;
 273         }
 274
 275         c->status = gensec_set_target_hostname(sec->generic_state,
 276                                                p->conn->transport.target_hostname(p->conn));
 277         if (!NT_STATUS_IS_OK(c->status)) {
 278                 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
 279                           nt_errstr(c->status)));
 280                 composite_error(c, c->status);
 281                 return c;
 282         }
 283
 284         if (service != NULL) {
 285                 c->status = gensec_set_target_service(sec->generic_state,
 286                                                       service);
 287                 if (!NT_STATUS_IS_OK(c->status)) {
 288                         DEBUG(1, ("Failed to set GENSEC target service: %s\n",
 289                                   nt_errstr(c->status)));
 290                         composite_error(c, c->status);
 291                         return c;
 292                 }
 293         }
 294
 295         if (p->binding && p->binding->target_principal) {
 296                 c->status = gensec_set_target_principal(sec->generic_state,
 297                                                         p->binding->target_principal);
 298                 if (!NT_STATUS_IS_OK(c->status)) {
 299                         DEBUG(1, ("Failed to set GENSEC target principal to %s: %s\n",
 300                                   p->binding->target_principal, nt_errstr(c->status)));
 301                         composite_error(c, c->status);
 302                         return c;
 303                 }
 304         }
 305
 306         c->status = gensec_start_mech_by_authtype(sec->generic_state,
 307                                                   auth_type, auth_level);
 308         if (!NT_STATUS_IS_OK(c->status)) {
 309                 DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n",
 310                           gensec_get_name_by_authtype(sec->generic_state, auth_type),
 311                           nt_errstr(c->status)));
 312                 composite_error(c, c->status);
 313                 return c;
 314         }
 315
 316         sec->auth_info = talloc(p, struct dcerpc_auth);
 317         if (composite_nomem(sec->auth_info, c)) return c;
 318
 319         sec->auth_info->auth_type = auth_type;
 320         sec->auth_info->auth_level = auth_level,
 321         sec->auth_info->auth_pad_length = 0;
 322         sec->auth_info->auth_reserved = 0;
 323         sec->auth_info->auth_context_id = random();
 324         sec->auth_info->credentials = data_blob(NULL, 0);
 325
 326         /* The status value here, from GENSEC is vital to the security
 327          * of the system.  Even if the other end accepts, if GENSEC
 328          * claims 'MORE_PROCESSING_REQUIRED' then you must keep
 329          * feeding it blobs, or else the remote host/attacker might
 330          * avoid mutal authentication requirements.
 331          *
 332          * Likewise, you must not feed GENSEC too much (after the OK),
 333          * it doesn't like that either
 334          */
 335
 336         c->status = gensec_update(sec->generic_state, state,
 337                                   p->conn->event_ctx,
 338                                   sec->auth_info->credentials,
 339                                   &state->credentials);
 340         if (!NT_STATUS_IS_OK(c->status) &&
 341             !NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 342                 composite_error(c, c->status);
 343                 return c;
 344         }
 345
 346         state->more_processing = NT_STATUS_EQUAL(c->status,
 347                                                  NT_STATUS_MORE_PROCESSING_REQUIRED);
 348
 349         if (state->credentials.length == 0) {
 350                 composite_done(c);
 351                 return c;
 352         }
 353
 354         sec->auth_info->credentials = state->credentials;
 355
 356         /* The first request always is a dcerpc_bind. The subsequent ones
 357          * depend on gensec results */
 358         creq = dcerpc_bind_send(p, state, &syntax, &transfer_syntax);
 359         data_blob_free(&state->credentials);
 360         sec->auth_info->credentials = data_blob(NULL, 0);
 361         if (composite_nomem(creq, c)) return c;
 362
 363         composite_continue(c, creq, bind_auth_recv_bindreply, c);
 364         return c;
 365 }
 366
 367
 368 /**
 369    Bind to a DCE/RPC pipe, receive result
 370    @param creq A composite context describing state of async call
 371    @retval NTSTATUS code
 372 */
 373
 374 NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq)
 375 {
 376         NTSTATUS result = composite_wait(creq);
 377         struct bind_auth_state *state = talloc_get_type(creq->private_data,
 378                                                         struct bind_auth_state);
 379
 380         if (NT_STATUS_IS_OK(result)) {
 381                 /*
 382                   after a successful authenticated bind the session
 383                   key reverts to the generic session key
 384                 */
 385                 state->pipe->conn->security_state.session_key = dcerpc_generic_session_key;
 386         }
 387
 388         talloc_free(creq);
 389         return result;
 390 }
 391
 392
 393 /**
 394    Perform a GENSEC authenticated bind to a DCE/RPC pipe, sync
 395    @param p The dcerpc_pipe to bind (must already be connected)
 396    @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
 397    @param credentials The credentials of the account to connect with
 398    @param auth_type Select the authentication scheme to use
 399    @param auth_level Chooses between unprotected (connect), signed or sealed
 400    @param service The service (used by Kerberos to select the service principal to contact)
 401    @retval NTSTATUS status code
 402 */
 403
 404 _PUBLIC_ NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p,
 405                           const struct ndr_interface_table *table,
 406                           struct cli_credentials *credentials,
 407                           struct gensec_settings *gensec_settings,
 408                           uint8_t auth_type, uint8_t auth_level,
 409                           const char *service)
 410 {
 411         struct composite_context *creq;
 412         creq = dcerpc_bind_auth_send(p, p, table, credentials, gensec_settings,
 413                                      auth_type, auth_level, service);
 414         return dcerpc_bind_auth_recv(creq);
 415 }