2 Unix SMB/CIFS implementation.
4 Generic Authentication Interface
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "libcli/composite/composite.h"
27 #include "auth/gensec/gensec.h"
28 #include "librpc/rpc/dcerpc.h"
29 #include "librpc/rpc/dcerpc_proto.h"
30 #include "param/param.h"
33 return the rpc syntax and transfer syntax given the pipe uuid and version
35 static NTSTATUS dcerpc_init_syntaxes(const struct ndr_interface_table *table,
37 struct ndr_syntax_id *syntax,
38 struct ndr_syntax_id *transfer_syntax)
40 syntax->uuid = table->syntax_id.uuid;
41 syntax->if_version = table->syntax_id.if_version;
43 if (pipe_flags & DCERPC_NDR64) {
44 *transfer_syntax = ndr64_transfer_syntax;
46 *transfer_syntax = ndr_transfer_syntax;
54 Send request to do a non-authenticated dcerpc bind
56 static void dcerpc_bind_auth_none_done(struct tevent_req *subreq);
58 struct composite_context *dcerpc_bind_auth_none_send(TALLOC_CTX *mem_ctx,
59 struct dcerpc_pipe *p,
60 const struct ndr_interface_table *table)
62 struct ndr_syntax_id syntax;
63 struct ndr_syntax_id transfer_syntax;
65 struct composite_context *c;
66 struct tevent_req *subreq;
68 c = composite_create(mem_ctx, p->conn->event_ctx);
69 if (c == NULL) return NULL;
71 c->status = dcerpc_init_syntaxes(table, p->conn->flags,
72 &syntax, &transfer_syntax);
73 if (!NT_STATUS_IS_OK(c->status)) {
74 DEBUG(2,("Invalid uuid string in "
75 "dcerpc_bind_auth_none_send\n"));
76 composite_error(c, c->status);
80 subreq = dcerpc_bind_send(mem_ctx, p->conn->event_ctx, p,
81 &syntax, &transfer_syntax);
82 if (composite_nomem(subreq, c)) return c;
83 tevent_req_set_callback(subreq, dcerpc_bind_auth_none_done, c);
88 static void dcerpc_bind_auth_none_done(struct tevent_req *subreq)
90 struct composite_context *ctx =
91 tevent_req_callback_data(subreq,
92 struct composite_context);
94 ctx->status = dcerpc_bind_recv(subreq);
96 if (!composite_is_ok(ctx)) return;
102 Receive result of a non-authenticated dcerpc bind
104 NTSTATUS dcerpc_bind_auth_none_recv(struct composite_context *ctx)
106 NTSTATUS result = composite_wait(ctx);
113 Perform sync non-authenticated dcerpc bind
115 _PUBLIC_ NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
116 const struct ndr_interface_table *table)
118 struct composite_context *ctx;
120 ctx = dcerpc_bind_auth_none_send(p, p, table);
121 return dcerpc_bind_auth_none_recv(ctx);
125 struct bind_auth_state {
126 struct dcerpc_pipe *pipe;
127 DATA_BLOB credentials;
128 bool more_processing; /* Is there anything more to do after the
129 * first bind itself received? */
132 static void bind_auth_recv_alter(struct composite_context *creq);
134 static void bind_auth_next_step(struct composite_context *c)
136 struct bind_auth_state *state;
137 struct dcecli_security *sec;
138 struct composite_context *creq;
139 bool more_processing = false;
141 state = talloc_get_type(c->private_data, struct bind_auth_state);
142 sec = &state->pipe->conn->security_state;
144 /* The status value here, from GENSEC is vital to the security
145 * of the system. Even if the other end accepts, if GENSEC
146 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
147 * feeding it blobs, or else the remote host/attacker might
148 * avoid mutal authentication requirements.
150 * Likewise, you must not feed GENSEC too much (after the OK),
151 * it doesn't like that either
154 c->status = gensec_update(sec->generic_state, state,
155 state->pipe->conn->event_ctx,
156 sec->auth_info->credentials,
157 &state->credentials);
158 data_blob_free(&sec->auth_info->credentials);
160 if (NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
161 more_processing = true;
162 c->status = NT_STATUS_OK;
165 if (!composite_is_ok(c)) return;
167 if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
168 gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
171 if (state->credentials.length == 0) {
176 sec->auth_info->credentials = state->credentials;
178 if (!more_processing) {
179 /* NO reply expected, so just send it */
180 c->status = dcerpc_auth3(state->pipe, state);
181 data_blob_free(&state->credentials);
182 sec->auth_info->credentials = data_blob(NULL, 0);
183 if (!composite_is_ok(c)) return;
189 /* We are demanding a reply, so use a request that will get us one */
191 creq = dcerpc_alter_context_send(state->pipe, state,
192 &state->pipe->syntax,
193 &state->pipe->transfer_syntax);
194 data_blob_free(&state->credentials);
195 sec->auth_info->credentials = data_blob(NULL, 0);
196 if (composite_nomem(creq, c)) return;
198 composite_continue(c, creq, bind_auth_recv_alter, c);
202 static void bind_auth_recv_alter(struct composite_context *creq)
204 struct composite_context *c = talloc_get_type(creq->async.private_data,
205 struct composite_context);
207 c->status = dcerpc_alter_context_recv(creq);
208 if (!composite_is_ok(c)) return;
210 bind_auth_next_step(c);
214 static void bind_auth_recv_bindreply(struct tevent_req *subreq)
216 struct composite_context *c =
217 tevent_req_callback_data(subreq,
218 struct composite_context);
219 struct bind_auth_state *state = talloc_get_type(c->private_data,
220 struct bind_auth_state);
222 c->status = dcerpc_bind_recv(subreq);
224 if (!composite_is_ok(c)) return;
226 if (!state->more_processing) {
227 /* The first gensec_update has not requested a second run, so
228 * we're done here. */
233 bind_auth_next_step(c);
238 Bind to a DCE/RPC pipe, send async request
239 @param mem_ctx TALLOC_CTX for the allocation of the composite_context
240 @param p The dcerpc_pipe to bind (must already be connected)
241 @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
242 @param credentials The credentials of the account to connect with
243 @param auth_type Select the authentication scheme to use
244 @param auth_level Chooses between unprotected (connect), signed or sealed
245 @param service The service (used by Kerberos to select the service principal to contact)
246 @retval A composite context describing the partial state of the bind
249 struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
250 struct dcerpc_pipe *p,
251 const struct ndr_interface_table *table,
252 struct cli_credentials *credentials,
253 struct gensec_settings *gensec_settings,
254 uint8_t auth_type, uint8_t auth_level,
257 struct composite_context *c;
258 struct bind_auth_state *state;
259 struct dcecli_security *sec;
260 struct tevent_req *subreq;
262 struct ndr_syntax_id syntax, transfer_syntax;
264 /* composite context allocation and setup */
265 c = composite_create(mem_ctx, p->conn->event_ctx);
266 if (c == NULL) return NULL;
268 state = talloc(c, struct bind_auth_state);
269 if (composite_nomem(state, c)) return c;
270 c->private_data = state;
274 c->status = dcerpc_init_syntaxes(table, p->conn->flags,
277 if (!composite_is_ok(c)) return c;
279 sec = &p->conn->security_state;
281 c->status = gensec_client_start(p, &sec->generic_state,
283 if (!NT_STATUS_IS_OK(c->status)) {
284 DEBUG(1, ("Failed to start GENSEC client mode: %s\n",
285 nt_errstr(c->status)));
286 composite_error(c, c->status);
290 c->status = gensec_set_credentials(sec->generic_state, credentials);
291 if (!NT_STATUS_IS_OK(c->status)) {
292 DEBUG(1, ("Failed to set GENSEC client credentials: %s\n",
293 nt_errstr(c->status)));
294 composite_error(c, c->status);
298 c->status = gensec_set_target_hostname(sec->generic_state,
299 p->conn->transport.target_hostname(p->conn));
300 if (!NT_STATUS_IS_OK(c->status)) {
301 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
302 nt_errstr(c->status)));
303 composite_error(c, c->status);
307 if (service != NULL) {
308 c->status = gensec_set_target_service(sec->generic_state,
310 if (!NT_STATUS_IS_OK(c->status)) {
311 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
312 nt_errstr(c->status)));
313 composite_error(c, c->status);
318 if (p->binding && p->binding->target_principal) {
319 c->status = gensec_set_target_principal(sec->generic_state,
320 p->binding->target_principal);
321 if (!NT_STATUS_IS_OK(c->status)) {
322 DEBUG(1, ("Failed to set GENSEC target principal to %s: %s\n",
323 p->binding->target_principal, nt_errstr(c->status)));
324 composite_error(c, c->status);
329 c->status = gensec_start_mech_by_authtype(sec->generic_state,
330 auth_type, auth_level);
331 if (!NT_STATUS_IS_OK(c->status)) {
332 DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n",
333 gensec_get_name_by_authtype(sec->generic_state, auth_type),
334 nt_errstr(c->status)));
335 composite_error(c, c->status);
339 sec->auth_info = talloc(p, struct dcerpc_auth);
340 if (composite_nomem(sec->auth_info, c)) return c;
342 sec->auth_info->auth_type = auth_type;
343 sec->auth_info->auth_level = auth_level,
344 sec->auth_info->auth_pad_length = 0;
345 sec->auth_info->auth_reserved = 0;
346 sec->auth_info->auth_context_id = random();
347 sec->auth_info->credentials = data_blob(NULL, 0);
349 /* The status value here, from GENSEC is vital to the security
350 * of the system. Even if the other end accepts, if GENSEC
351 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
352 * feeding it blobs, or else the remote host/attacker might
353 * avoid mutal authentication requirements.
355 * Likewise, you must not feed GENSEC too much (after the OK),
356 * it doesn't like that either
359 c->status = gensec_update(sec->generic_state, state,
361 sec->auth_info->credentials,
362 &state->credentials);
363 if (!NT_STATUS_IS_OK(c->status) &&
364 !NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
365 composite_error(c, c->status);
369 state->more_processing = NT_STATUS_EQUAL(c->status,
370 NT_STATUS_MORE_PROCESSING_REQUIRED);
372 if (state->credentials.length == 0) {
377 sec->auth_info->credentials = state->credentials;
379 /* The first request always is a dcerpc_bind. The subsequent ones
380 * depend on gensec results */
381 subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
382 &syntax, &transfer_syntax);
383 data_blob_free(&state->credentials);
384 sec->auth_info->credentials = data_blob(NULL, 0);
385 if (composite_nomem(subreq, c)) return c;
386 tevent_req_set_callback(subreq, bind_auth_recv_bindreply, c);
393 Bind to a DCE/RPC pipe, receive result
394 @param creq A composite context describing state of async call
395 @retval NTSTATUS code
398 NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq)
400 NTSTATUS result = composite_wait(creq);
401 struct bind_auth_state *state = talloc_get_type(creq->private_data,
402 struct bind_auth_state);
404 if (NT_STATUS_IS_OK(result)) {
406 after a successful authenticated bind the session
407 key reverts to the generic session key
409 state->pipe->conn->security_state.session_key = dcerpc_generic_session_key;
418 Perform a GENSEC authenticated bind to a DCE/RPC pipe, sync
419 @param p The dcerpc_pipe to bind (must already be connected)
420 @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
421 @param credentials The credentials of the account to connect with
422 @param auth_type Select the authentication scheme to use
423 @param auth_level Chooses between unprotected (connect), signed or sealed
424 @param service The service (used by Kerberos to select the service principal to contact)
425 @retval NTSTATUS status code
428 _PUBLIC_ NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p,
429 const struct ndr_interface_table *table,
430 struct cli_credentials *credentials,
431 struct gensec_settings *gensec_settings,
432 uint8_t auth_type, uint8_t auth_level,
435 struct composite_context *creq;
436 creq = dcerpc_bind_auth_send(p, p, table, credentials, gensec_settings,
437 auth_type, auth_level, service);
438 return dcerpc_bind_auth_recv(creq);