summaryrefslogtreecommitdiffstats
path: root/source4/librpc/rpc/dcerpc_auth.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /source4/librpc/rpc/dcerpc_auth.c
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source4/librpc/rpc/dcerpc_auth.c')
-rw-r--r--source4/librpc/rpc/dcerpc_auth.c556
1 files changed, 556 insertions, 0 deletions
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
new file mode 100644
index 0000000..52dffec
--- /dev/null
+++ b/source4/librpc/rpc/dcerpc_auth.c
@@ -0,0 +1,556 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Generic Authentication Interface
+
+ Copyright (C) Andrew Tridgell 2003
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+ Copyright (C) Stefan Metzmacher 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include <tevent.h>
+#include "libcli/composite/composite.h"
+#include "auth/gensec/gensec.h"
+#include "librpc/rpc/dcerpc.h"
+#include "librpc/rpc/dcerpc_proto.h"
+#include "param/param.h"
+
+/*
+ return the rpc syntax and transfer syntax given the pipe uuid and version
+*/
+static NTSTATUS dcerpc_init_syntaxes(struct dcerpc_pipe *p,
+ const struct ndr_interface_table *table,
+ struct ndr_syntax_id *syntax,
+ struct ndr_syntax_id *transfer_syntax)
+{
+ struct GUID *object = NULL;
+
+ p->object = dcerpc_binding_get_object(p->binding);
+ if (!GUID_all_zero(&p->object)) {
+ object = &p->object;
+ }
+
+ p->binding_handle = dcerpc_pipe_binding_handle(p, object, table);
+ if (p->binding_handle == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ syntax->uuid = table->syntax_id.uuid;
+ syntax->if_version = table->syntax_id.if_version;
+
+ if (p->conn->flags & DCERPC_NDR64) {
+ *transfer_syntax = ndr_transfer_syntax_ndr64;
+ } else {
+ *transfer_syntax = ndr_transfer_syntax_ndr;
+ }
+
+ return NT_STATUS_OK;
+}
+
+
+/*
+ Send request to do a non-authenticated dcerpc bind
+*/
+static void dcerpc_bind_auth_none_done(struct tevent_req *subreq);
+
+struct composite_context *dcerpc_bind_auth_none_send(TALLOC_CTX *mem_ctx,
+ struct dcerpc_pipe *p,
+ const struct ndr_interface_table *table)
+{
+ struct ndr_syntax_id syntax;
+ struct ndr_syntax_id transfer_syntax;
+
+ struct composite_context *c;
+ struct tevent_req *subreq;
+
+ c = composite_create(mem_ctx, p->conn->event_ctx);
+ if (c == NULL) return NULL;
+
+ c->status = dcerpc_init_syntaxes(p, table,
+ &syntax, &transfer_syntax);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(2,("Invalid uuid string in "
+ "dcerpc_bind_auth_none_send\n"));
+ composite_error(c, c->status);
+ return c;
+ }
+
+ subreq = dcerpc_bind_send(mem_ctx, p->conn->event_ctx, p,
+ &syntax, &transfer_syntax);
+ if (composite_nomem(subreq, c)) return c;
+ tevent_req_set_callback(subreq, dcerpc_bind_auth_none_done, c);
+
+ return c;
+}
+
+static void dcerpc_bind_auth_none_done(struct tevent_req *subreq)
+{
+ struct composite_context *ctx =
+ tevent_req_callback_data(subreq,
+ struct composite_context);
+
+ ctx->status = dcerpc_bind_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (!composite_is_ok(ctx)) return;
+
+ composite_done(ctx);
+}
+
+/*
+ Receive result of a non-authenticated dcerpc bind
+*/
+NTSTATUS dcerpc_bind_auth_none_recv(struct composite_context *ctx)
+{
+ NTSTATUS result = composite_wait(ctx);
+ TALLOC_FREE(ctx);
+ return result;
+}
+
+
+/*
+ Perform sync non-authenticated dcerpc bind
+*/
+_PUBLIC_ NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
+ const struct ndr_interface_table *table)
+{
+ struct composite_context *ctx;
+
+ ctx = dcerpc_bind_auth_none_send(p, p, table);
+ return dcerpc_bind_auth_none_recv(ctx);
+}
+
+
+struct bind_auth_state {
+ struct dcerpc_pipe *pipe;
+ struct ndr_syntax_id syntax;
+ struct ndr_syntax_id transfer_syntax;
+ struct dcerpc_auth out_auth_info;
+ struct dcerpc_auth in_auth_info;
+ bool more_processing; /* Is there anything more to do after the
+ * first bind itself received? */
+};
+
+static void bind_auth_next_gensec_done(struct tevent_req *subreq);
+static void bind_auth_recv_alter(struct tevent_req *subreq);
+
+static void bind_auth_next_step(struct composite_context *c)
+{
+ struct bind_auth_state *state;
+ struct dcecli_security *sec;
+ struct tevent_req *subreq;
+
+ state = talloc_get_type(c->private_data, struct bind_auth_state);
+ sec = &state->pipe->conn->security_state;
+
+ if (state->in_auth_info.auth_type != sec->auth_type) {
+ composite_error(c, NT_STATUS_RPC_PROTOCOL_ERROR);
+ return;
+ }
+
+ if (state->in_auth_info.auth_level != sec->auth_level) {
+ composite_error(c, NT_STATUS_RPC_PROTOCOL_ERROR);
+ return;
+ }
+
+ if (state->in_auth_info.auth_context_id != sec->auth_context_id) {
+ composite_error(c, NT_STATUS_RPC_PROTOCOL_ERROR);
+ return;
+ }
+
+ state->out_auth_info = (struct dcerpc_auth) {
+ .auth_type = sec->auth_type,
+ .auth_level = sec->auth_level,
+ .auth_context_id = sec->auth_context_id,
+ };
+
+ /* The status value here, from GENSEC is vital to the security
+ * of the system. Even if the other end accepts, if GENSEC
+ * claims 'MORE_PROCESSING_REQUIRED' then you must keep
+ * feeding it blobs, or else the remote host/attacker might
+ * avoid mutal authentication requirements.
+ *
+ * Likewise, you must not feed GENSEC too much (after the OK),
+ * it doesn't like that either
+ */
+
+ state->pipe->inhibit_timeout_processing = true;
+ state->pipe->timed_out = false;
+
+ subreq = gensec_update_send(state,
+ state->pipe->conn->event_ctx,
+ sec->generic_state,
+ state->in_auth_info.credentials);
+ if (composite_nomem(subreq, c)) return;
+ tevent_req_set_callback(subreq, bind_auth_next_gensec_done, c);
+}
+
+static void bind_auth_next_gensec_done(struct tevent_req *subreq)
+{
+ struct composite_context *c =
+ tevent_req_callback_data(subreq,
+ struct composite_context);
+ struct bind_auth_state *state =
+ talloc_get_type_abort(c->private_data,
+ struct bind_auth_state);
+ struct dcerpc_pipe *p = state->pipe;
+ struct dcecli_security *sec = &p->conn->security_state;
+ bool more_processing = false;
+
+ state->pipe->inhibit_timeout_processing = false;
+
+ c->status = gensec_update_recv(subreq, state,
+ &state->out_auth_info.credentials);
+ TALLOC_FREE(subreq);
+
+ if (NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ more_processing = true;
+ c->status = NT_STATUS_OK;
+ }
+
+ if (!composite_is_ok(c)) return;
+
+ if (!more_processing) {
+ if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
+ gensec_want_feature(sec->generic_state,
+ GENSEC_FEATURE_SIGN_PKT_HEADER);
+ }
+ }
+
+ if (state->out_auth_info.credentials.length == 0) {
+ composite_done(c);
+ return;
+ }
+
+ state->in_auth_info = (struct dcerpc_auth) {
+ .auth_type = DCERPC_AUTH_TYPE_NONE,
+ };
+ sec->tmp_auth_info.in = &state->in_auth_info;
+ sec->tmp_auth_info.mem = state;
+ sec->tmp_auth_info.out = &state->out_auth_info;
+
+ if (!more_processing) {
+ /* NO reply expected, so just send it */
+ c->status = dcerpc_auth3(state->pipe, state);
+ if (!composite_is_ok(c)) return;
+
+ composite_done(c);
+ return;
+ }
+
+ /* We are demanding a reply, so use a request that will get us one */
+
+ subreq = dcerpc_alter_context_send(state, state->pipe->conn->event_ctx,
+ state->pipe,
+ &state->pipe->syntax,
+ &state->pipe->transfer_syntax);
+ if (composite_nomem(subreq, c)) return;
+ tevent_req_set_callback(subreq, bind_auth_recv_alter, c);
+}
+
+
+static void bind_auth_recv_alter(struct tevent_req *subreq)
+{
+ struct composite_context *c =
+ tevent_req_callback_data(subreq,
+ struct composite_context);
+ struct bind_auth_state *state = talloc_get_type(c->private_data,
+ struct bind_auth_state);
+ struct dcecli_security *sec = &state->pipe->conn->security_state;
+
+ ZERO_STRUCT(sec->tmp_auth_info);
+
+ c->status = dcerpc_alter_context_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (!composite_is_ok(c)) return;
+
+ bind_auth_next_step(c);
+}
+
+
+static void bind_auth_recv_bindreply(struct tevent_req *subreq)
+{
+ struct composite_context *c =
+ tevent_req_callback_data(subreq,
+ struct composite_context);
+ struct bind_auth_state *state = talloc_get_type(c->private_data,
+ struct bind_auth_state);
+ struct dcecli_security *sec = &state->pipe->conn->security_state;
+
+ ZERO_STRUCT(sec->tmp_auth_info);
+
+ c->status = dcerpc_bind_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (!composite_is_ok(c)) return;
+
+ if (!state->more_processing) {
+ /* The first gensec_update has not requested a second run, so
+ * we're done here. */
+ composite_done(c);
+ return;
+ }
+
+ bind_auth_next_step(c);
+}
+
+
+static void dcerpc_bind_auth_gensec_done(struct tevent_req *subreq);
+
+/**
+ Bind to a DCE/RPC pipe, send async request
+ @param mem_ctx TALLOC_CTX for the allocation of the composite_context
+ @param p The dcerpc_pipe to bind (must already be connected)
+ @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
+ @param credentials The credentials of the account to connect with
+ @param auth_type Select the authentication scheme to use
+ @param auth_level Chooses between unprotected (connect), signed or sealed
+ @param service The service (used by Kerberos to select the service principal to contact)
+ @retval A composite context describing the partial state of the bind
+*/
+
+struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
+ struct dcerpc_pipe *p,
+ const struct ndr_interface_table *table,
+ struct cli_credentials *credentials,
+ struct gensec_settings *gensec_settings,
+ uint8_t auth_type, uint8_t auth_level,
+ const char *service)
+{
+ struct composite_context *c;
+ struct bind_auth_state *state;
+ struct dcecli_security *sec;
+ struct tevent_req *subreq;
+ const char *target_principal = NULL;
+
+ /* composite context allocation and setup */
+ c = composite_create(mem_ctx, p->conn->event_ctx);
+ if (c == NULL) return NULL;
+
+ state = talloc(c, struct bind_auth_state);
+ if (composite_nomem(state, c)) return c;
+ c->private_data = state;
+
+ state->pipe = p;
+
+ c->status = dcerpc_init_syntaxes(p, table,
+ &state->syntax,
+ &state->transfer_syntax);
+ if (!composite_is_ok(c)) return c;
+
+ sec = &p->conn->security_state;
+
+ c->status = gensec_client_start(p, &sec->generic_state,
+ gensec_settings);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(1, ("Failed to start GENSEC client mode: %s\n",
+ nt_errstr(c->status)));
+ composite_error(c, c->status);
+ return c;
+ }
+
+ c->status = gensec_set_credentials(sec->generic_state, credentials);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(1, ("Failed to set GENSEC client credentials: %s\n",
+ nt_errstr(c->status)));
+ composite_error(c, c->status);
+ return c;
+ }
+
+ c->status = gensec_set_target_hostname(sec->generic_state,
+ dcerpc_server_name(p));
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
+ nt_errstr(c->status)));
+ composite_error(c, c->status);
+ return c;
+ }
+
+ if (service != NULL) {
+ c->status = gensec_set_target_service(sec->generic_state,
+ service);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(1, ("Failed to set GENSEC target service: %s\n",
+ nt_errstr(c->status)));
+ composite_error(c, c->status);
+ return c;
+ }
+ }
+
+ if (p->binding != NULL) {
+ target_principal = dcerpc_binding_get_string_option(p->binding,
+ "target_principal");
+ }
+ if (target_principal != NULL) {
+ c->status = gensec_set_target_principal(sec->generic_state,
+ target_principal);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(1, ("Failed to set GENSEC target principal to %s: %s\n",
+ target_principal, nt_errstr(c->status)));
+ composite_error(c, c->status);
+ return c;
+ }
+ }
+
+ c->status = gensec_start_mech_by_authtype(sec->generic_state,
+ auth_type, auth_level);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n",
+ gensec_get_name_by_authtype(sec->generic_state, auth_type),
+ nt_errstr(c->status)));
+ composite_error(c, c->status);
+ return c;
+ }
+
+ sec->auth_type = auth_type;
+ sec->auth_level = auth_level,
+ /*
+ * We use auth_context_id = 1 as some older
+ * Samba versions (<= 4.2.3) use that value hardcoded
+ * in a response.
+ */
+ sec->auth_context_id = 1;
+
+ state->out_auth_info = (struct dcerpc_auth) {
+ .auth_type = sec->auth_type,
+ .auth_level = sec->auth_level,
+ .auth_context_id = sec->auth_context_id,
+ };
+
+ /* The status value here, from GENSEC is vital to the security
+ * of the system. Even if the other end accepts, if GENSEC
+ * claims 'MORE_PROCESSING_REQUIRED' then you must keep
+ * feeding it blobs, or else the remote host/attacker might
+ * avoid mutal authentication requirements.
+ *
+ * Likewise, you must not feed GENSEC too much (after the OK),
+ * it doesn't like that either
+ */
+
+ state->pipe->inhibit_timeout_processing = true;
+ state->pipe->timed_out = false;
+
+ subreq = gensec_update_send(state,
+ p->conn->event_ctx,
+ sec->generic_state,
+ data_blob_null);
+ if (composite_nomem(subreq, c)) return c;
+ tevent_req_set_callback(subreq, dcerpc_bind_auth_gensec_done, c);
+
+ return c;
+}
+
+static void dcerpc_bind_auth_gensec_done(struct tevent_req *subreq)
+{
+ struct composite_context *c =
+ tevent_req_callback_data(subreq,
+ struct composite_context);
+ struct bind_auth_state *state =
+ talloc_get_type_abort(c->private_data,
+ struct bind_auth_state);
+ struct dcerpc_pipe *p = state->pipe;
+ struct dcecli_security *sec = &p->conn->security_state;
+
+ state->pipe->inhibit_timeout_processing = false;
+
+ c->status = gensec_update_recv(subreq, state,
+ &state->out_auth_info.credentials);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(c->status) &&
+ !NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ composite_error(c, c->status);
+ return;
+ }
+
+ state->more_processing = NT_STATUS_EQUAL(c->status,
+ NT_STATUS_MORE_PROCESSING_REQUIRED);
+
+ if (state->out_auth_info.credentials.length == 0) {
+ composite_done(c);
+ return;
+ }
+
+ if (gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
+ if (sec->auth_level >= DCERPC_AUTH_LEVEL_PACKET) {
+ state->pipe->conn->flags |= DCERPC_PROPOSE_HEADER_SIGNING;
+ }
+ }
+
+ state->in_auth_info = (struct dcerpc_auth) {
+ .auth_type = DCERPC_AUTH_TYPE_NONE,
+ };
+ sec->tmp_auth_info.in = &state->in_auth_info;
+ sec->tmp_auth_info.mem = state;
+ sec->tmp_auth_info.out = &state->out_auth_info;
+
+ /* The first request always is a dcerpc_bind. The subsequent ones
+ * depend on gensec results */
+ subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
+ &state->syntax, &state->transfer_syntax);
+ if (composite_nomem(subreq, c)) return;
+ tevent_req_set_callback(subreq, bind_auth_recv_bindreply, c);
+
+ return;
+}
+
+
+/**
+ Bind to a DCE/RPC pipe, receive result
+ @param creq A composite context describing state of async call
+ @retval NTSTATUS code
+*/
+
+NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq)
+{
+ NTSTATUS result = composite_wait(creq);
+ struct bind_auth_state *state = talloc_get_type(creq->private_data,
+ struct bind_auth_state);
+
+ if (NT_STATUS_IS_OK(result)) {
+ /*
+ after a successful authenticated bind the session
+ key reverts to the generic session key
+ */
+ state->pipe->conn->security_state.session_key = dcecli_generic_session_key;
+ }
+
+ talloc_free(creq);
+ return result;
+}
+
+
+/**
+ Perform a GENSEC authenticated bind to a DCE/RPC pipe, sync
+ @param p The dcerpc_pipe to bind (must already be connected)
+ @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
+ @param credentials The credentials of the account to connect with
+ @param auth_type Select the authentication scheme to use
+ @param auth_level Chooses between unprotected (connect), signed or sealed
+ @param service The service (used by Kerberos to select the service principal to contact)
+ @retval NTSTATUS status code
+*/
+
+_PUBLIC_ NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p,
+ const struct ndr_interface_table *table,
+ struct cli_credentials *credentials,
+ struct gensec_settings *gensec_settings,
+ uint8_t auth_type, uint8_t auth_level,
+ const char *service)
+{
+ struct composite_context *creq;
+ creq = dcerpc_bind_auth_send(p, p, table, credentials, gensec_settings,
+ auth_type, auth_level, service);
+ return dcerpc_bind_auth_recv(creq);
+}