2 Unix SMB/CIFS implementation.
4 Generic Authentication Interface
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/composite/composite.h"
26 #include "auth/gensec/gensec.h"
27 #include "librpc/rpc/dcerpc.h"
30 return the rpc syntax and transfer syntax given the pipe uuid and version
32 static NTSTATUS dcerpc_init_syntaxes(const struct ndr_interface_table *table,
33 struct ndr_syntax_id *syntax,
34 struct ndr_syntax_id *transfer_syntax)
36 syntax->uuid = table->syntax_id.uuid;
37 syntax->if_version = table->syntax_id.if_version;
39 *transfer_syntax = ndr_transfer_syntax;
46 Send request to do a non-authenticated dcerpc bind
48 struct composite_context *dcerpc_bind_auth_none_send(TALLOC_CTX *mem_ctx,
49 struct dcerpc_pipe *p,
50 const struct ndr_interface_table *table)
52 struct ndr_syntax_id syntax;
53 struct ndr_syntax_id transfer_syntax;
55 struct composite_context *c;
57 c = composite_create(mem_ctx, p->conn->event_ctx);
58 if (c == NULL) return NULL;
60 c->status = dcerpc_init_syntaxes(table,
61 &syntax, &transfer_syntax);
62 if (!NT_STATUS_IS_OK(c->status)) {
63 DEBUG(2,("Invalid uuid string in "
64 "dcerpc_bind_auth_none_send\n"));
65 composite_error(c, c->status);
69 /* c was only allocated as a container for a possible error */
72 return dcerpc_bind_send(p, mem_ctx, &syntax, &transfer_syntax);
77 Receive result of a non-authenticated dcerpc bind
79 NTSTATUS dcerpc_bind_auth_none_recv(struct composite_context *ctx)
81 return dcerpc_bind_recv(ctx);
86 Perform sync non-authenticated dcerpc bind
88 NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
89 const struct ndr_interface_table *table)
91 struct composite_context *ctx;
93 ctx = dcerpc_bind_auth_none_send(p, p, table);
94 return dcerpc_bind_auth_none_recv(ctx);
98 struct bind_auth_state {
99 struct dcerpc_pipe *pipe;
100 DATA_BLOB credentials;
101 bool more_processing; /* Is there anything more to do after the
102 * first bind itself received? */
105 static void bind_auth_recv_alter(struct composite_context *creq);
107 static void bind_auth_next_step(struct composite_context *c)
109 struct bind_auth_state *state;
110 struct dcerpc_security *sec;
111 struct composite_context *creq;
112 bool more_processing = false;
114 state = talloc_get_type(c->private_data, struct bind_auth_state);
115 sec = &state->pipe->conn->security_state;
117 /* The status value here, from GENSEC is vital to the security
118 * of the system. Even if the other end accepts, if GENSEC
119 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
120 * feeding it blobs, or else the remote host/attacker might
121 * avoid mutal authentication requirements.
123 * Likewise, you must not feed GENSEC too much (after the OK),
124 * it doesn't like that either
127 c->status = gensec_update(sec->generic_state, state,
128 sec->auth_info->credentials,
129 &state->credentials);
131 if (NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
132 more_processing = true;
133 c->status = NT_STATUS_OK;
136 if (!composite_is_ok(c)) return;
138 if (state->credentials.length == 0) {
143 sec->auth_info->credentials = state->credentials;
145 if (!more_processing) {
146 /* NO reply expected, so just send it */
147 c->status = dcerpc_auth3(state->pipe->conn, state);
148 if (!composite_is_ok(c)) return;
154 /* We are demanding a reply, so use a request that will get us one */
156 creq = dcerpc_alter_context_send(state->pipe, state,
157 &state->pipe->syntax,
158 &state->pipe->transfer_syntax);
159 if (composite_nomem(creq, c)) return;
161 composite_continue(c, creq, bind_auth_recv_alter, c);
165 static void bind_auth_recv_alter(struct composite_context *creq)
167 struct composite_context *c = talloc_get_type(creq->async.private_data,
168 struct composite_context);
170 c->status = dcerpc_alter_context_recv(creq);
171 if (!composite_is_ok(c)) return;
173 bind_auth_next_step(c);
177 static void bind_auth_recv_bindreply(struct composite_context *creq)
179 struct composite_context *c = talloc_get_type(creq->async.private_data,
180 struct composite_context);
181 struct bind_auth_state *state = talloc_get_type(c->private_data,
182 struct bind_auth_state);
184 c->status = dcerpc_bind_recv(creq);
185 if (!composite_is_ok(c)) return;
187 if (!state->more_processing) {
188 /* The first gensec_update has not requested a second run, so
189 * we're done here. */
194 bind_auth_next_step(c);
199 Bind to a DCE/RPC pipe, send async request
200 @param mem_ctx TALLOC_CTX for the allocation of the composite_context
201 @param p The dcerpc_pipe to bind (must already be connected)
202 @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
203 @param credentials The credentials of the account to connect with
204 @param auth_type Select the authentication scheme to use
205 @param auth_level Chooses between unprotected (connect), signed or sealed
206 @param service The service (used by Kerberos to select the service principal to contact)
207 @retval A composite context describing the partial state of the bind
210 struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
211 struct dcerpc_pipe *p,
212 const struct ndr_interface_table *table,
213 struct cli_credentials *credentials,
214 uint8_t auth_type, uint8_t auth_level,
217 struct composite_context *c, *creq;
218 struct bind_auth_state *state;
219 struct dcerpc_security *sec;
221 struct ndr_syntax_id syntax, transfer_syntax;
223 /* composite context allocation and setup */
224 c = composite_create(mem_ctx, p->conn->event_ctx);
225 if (c == NULL) return NULL;
227 state = talloc(c, struct bind_auth_state);
228 if (composite_nomem(state, c)) return c;
229 c->private_data = state;
233 c->status = dcerpc_init_syntaxes(table,
236 if (!composite_is_ok(c)) return c;
238 sec = &p->conn->security_state;
240 c->status = gensec_client_start(p, &sec->generic_state,
242 if (!NT_STATUS_IS_OK(c->status)) {
243 DEBUG(1, ("Failed to start GENSEC client mode: %s\n",
244 nt_errstr(c->status)));
245 composite_error(c, c->status);
249 c->status = gensec_set_credentials(sec->generic_state, credentials);
250 if (!NT_STATUS_IS_OK(c->status)) {
251 DEBUG(1, ("Failed to set GENSEC client credentials: %s\n",
252 nt_errstr(c->status)));
253 composite_error(c, c->status);
257 c->status = gensec_set_target_hostname(sec->generic_state,
258 p->conn->transport.target_hostname(p->conn));
259 if (!NT_STATUS_IS_OK(c->status)) {
260 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
261 nt_errstr(c->status)));
262 composite_error(c, c->status);
266 if (service != NULL) {
267 c->status = gensec_set_target_service(sec->generic_state,
269 if (!NT_STATUS_IS_OK(c->status)) {
270 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
271 nt_errstr(c->status)));
272 composite_error(c, c->status);
277 c->status = gensec_start_mech_by_authtype(sec->generic_state,
278 auth_type, auth_level);
279 if (!NT_STATUS_IS_OK(c->status)) {
280 DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n",
281 gensec_get_name_by_authtype(auth_type),
282 nt_errstr(c->status)));
283 composite_error(c, c->status);
287 sec->auth_info = talloc(p, struct dcerpc_auth);
288 if (composite_nomem(sec->auth_info, c)) return c;
290 sec->auth_info->auth_type = auth_type;
291 sec->auth_info->auth_level = auth_level,
292 sec->auth_info->auth_pad_length = 0;
293 sec->auth_info->auth_reserved = 0;
294 sec->auth_info->auth_context_id = random();
295 sec->auth_info->credentials = data_blob(NULL, 0);
297 /* The status value here, from GENSEC is vital to the security
298 * of the system. Even if the other end accepts, if GENSEC
299 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
300 * feeding it blobs, or else the remote host/attacker might
301 * avoid mutal authentication requirements.
303 * Likewise, you must not feed GENSEC too much (after the OK),
304 * it doesn't like that either
307 c->status = gensec_update(sec->generic_state, state,
308 sec->auth_info->credentials,
309 &state->credentials);
310 if (!NT_STATUS_IS_OK(c->status) &&
311 !NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
312 composite_error(c, c->status);
316 state->more_processing = NT_STATUS_EQUAL(c->status,
317 NT_STATUS_MORE_PROCESSING_REQUIRED);
319 if (state->credentials.length == 0) {
324 sec->auth_info->credentials = state->credentials;
326 /* The first request always is a dcerpc_bind. The subsequent ones
327 * depend on gensec results */
328 creq = dcerpc_bind_send(p, state, &syntax, &transfer_syntax);
329 if (composite_nomem(creq, c)) return c;
331 composite_continue(c, creq, bind_auth_recv_bindreply, c);
337 Bind to a DCE/RPC pipe, receive result
338 @param creq A composite context describing state of async call
339 @retval NTSTATUS code
342 NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq)
344 NTSTATUS result = composite_wait(creq);
345 struct bind_auth_state *state = talloc_get_type(creq->private_data,
346 struct bind_auth_state);
348 if (NT_STATUS_IS_OK(result)) {
350 after a successful authenticated bind the session
351 key reverts to the generic session key
353 state->pipe->conn->security_state.session_key = dcerpc_generic_session_key;
362 Perform a GENSEC authenticated bind to a DCE/RPC pipe, sync
363 @param p The dcerpc_pipe to bind (must already be connected)
364 @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
365 @param credentials The credentials of the account to connect with
366 @param auth_type Select the authentication scheme to use
367 @param auth_level Chooses between unprotected (connect), signed or sealed
368 @param service The service (used by Kerberos to select the service principal to contact)
369 @retval NTSTATUS status code
372 NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p,
373 const struct ndr_interface_table *table,
374 struct cli_credentials *credentials,
375 uint8_t auth_type, uint8_t auth_level,
378 struct composite_context *creq;
379 creq = dcerpc_bind_auth_send(p, p, table, credentials,
380 auth_type, auth_level, service);
381 return dcerpc_bind_auth_recv(creq);