source4/librpc/rpc/dcerpc_auth.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
   8    Copyright (C) Stefan Metzmacher 2004
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 2 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23 */
  24
  25 #include "includes.h"
  26
  27 /*
  28   do a non-athenticated dcerpc bind
  29 */
  30 NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
  31                                const char *uuid, uint_t version)
  32 {
  33         TALLOC_CTX *tmp_ctx = talloc_new(p);
  34         NTSTATUS status;
  35
  36         status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
  37         talloc_free(tmp_ctx);
  38
  39         return status;
  40 }
  41
  42 /*
  43   perform a multi-part authenticated bind
  44 */
  45 NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
  46                            const char *uuid, uint_t version)
  47 {
  48         NTSTATUS status;
  49         TALLOC_CTX *tmp_ctx = talloc_new(p);
  50         DATA_BLOB credentials;
  51         DATA_BLOB null_data_blob = data_blob(NULL, 0);
  52
  53         if (!p->conn->security_state.generic_state) {
  54                 status = gensec_client_start(p, &p->conn->security_state.generic_state);
  55                 if (!NT_STATUS_IS_OK(status)) goto done;
  56
  57                 status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
  58                                                        auth_type, auth_level);
  59                 if (!NT_STATUS_IS_OK(status)) goto done;
  60         }
  61
  62         p->conn->security_state.auth_info = talloc(p, struct dcerpc_auth);
  63         if (!p->conn->security_state.auth_info) {
  64                 status = NT_STATUS_NO_MEMORY;
  65                 goto done;
  66         }
  67
  68         p->conn->security_state.auth_info->auth_type = auth_type;
  69         p->conn->security_state.auth_info->auth_level = auth_level;
  70         p->conn->security_state.auth_info->auth_pad_length = 0;
  71         p->conn->security_state.auth_info->auth_reserved = 0;
  72         p->conn->security_state.auth_info->auth_context_id = random();
  73         p->conn->security_state.auth_info->credentials = null_data_blob;
  74
  75         status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
  76                                null_data_blob,
  77                                &credentials);
  78
  79         p->conn->security_state.auth_info->credentials = credentials;
  80
  81         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
  82                 /* We are demanding a reply, so use a request that will get us one */
  83                 status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
  84                 if (!NT_STATUS_IS_OK(status)) {
  85                         goto done;
  86                 }
  87         } else if (NT_STATUS_IS_OK(status)) {
  88                 /* We don't care for the reply, so jump to the end */
  89                 status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
  90                 goto done;
  91         } else {
  92                 /* Something broke in GENSEC - bail */
  93                 goto done;
  94         }
  95
  96         while (1) {
  97                 status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
  98                                        p->conn->security_state.auth_info->credentials,
  99                                        &credentials);
 100                 if (!NT_STATUS_IS_OK(status)
 101                     && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 102                         break;
 103                 }
 104
 105                 if (!credentials.length) {
 106                         break;
 107                 }
 108
 109                 p->conn->security_state.auth_info->credentials = credentials;
 110
 111                 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 112                         /* We are demanding a reply, so use a request that will get us one */
 113                         status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax);
 114                         if (!NT_STATUS_IS_OK(status)) {
 115                                 break;
 116                         }
 117                 } else {
 118                         /* NO reply expected, so just send it */
 119                         status = dcerpc_auth3(p->conn, tmp_ctx);
 120                         credentials = data_blob(NULL, 0);
 121                         if (!NT_STATUS_IS_OK(status)) {
 122                                 break;
 123                         }
 124                 }
 125         };
 126
 127 done:
 128         talloc_free(tmp_ctx);
 129
 130         if (!NT_STATUS_IS_OK(status)) {
 131                 talloc_free(p->conn->security_state.generic_state);
 132                 ZERO_STRUCT(p->conn->security_state);
 133         } else {
 134                 /* Authenticated connections use the generic session key */
 135                 p->conn->security_state.session_key = dcerpc_generic_session_key;
 136         }
 137
 138         return status;
 139 }
 140
 141 /*
 142   setup GENSEC on a DCE-RPC pipe
 143 */
 144 NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p,
 145                                    const char *uuid, uint_t version,
 146                                    const char *workstation,
 147                                    const char *domain,
 148                                    const char *username,
 149                                    const char *password,
 150                                    uint8_t auth_type,
 151                                    const char *service)
 152 {
 153         NTSTATUS status;
 154
 155         if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
 156                 p->conn->flags |= DCERPC_CONNECT;
 157         }
 158
 159         status = gensec_client_start(p, &p->conn->security_state.generic_state);
 160         if (!NT_STATUS_IS_OK(status)) {
 161                 DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
 162                 return status;
 163         }
 164
 165         status = gensec_set_workstation(p->conn->security_state.generic_state, workstation);
 166         if (!NT_STATUS_IS_OK(status)) {
 167                 DEBUG(1, ("Failed to start set GENSEC client workstation name to %s: %s\n",
 168                           workstation, nt_errstr(status)));
 169                 return status;
 170         }
 171
 172         status = gensec_set_domain(p->conn->security_state.generic_state, domain);
 173         if (!NT_STATUS_IS_OK(status)) {
 174                 DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
 175                           domain, nt_errstr(status)));
 176                 return status;
 177         }
 178
 179         status = gensec_set_username(p->conn->security_state.generic_state, username);
 180         if (!NT_STATUS_IS_OK(status)) {
 181                 DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
 182                           username, nt_errstr(status)));
 183                 return status;
 184         }
 185
 186         status = gensec_set_password(p->conn->security_state.generic_state, password);
 187         if (!NT_STATUS_IS_OK(status)) {
 188                 DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
 189                           nt_errstr(status)));
 190                 return status;
 191         }
 192
 193         status = gensec_set_target_hostname(p->conn->security_state.generic_state,
 194                                             p->conn->transport.peer_name(p->conn));
 195         if (!NT_STATUS_IS_OK(status)) {
 196                 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
 197                           nt_errstr(status)));
 198                 return status;
 199         }
 200
 201         if (service) {
 202                 status = gensec_set_target_service(p->conn->security_state.generic_state, service);
 203                 if (!NT_STATUS_IS_OK(status)) {
 204                         DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
 205                                   nt_errstr(status)));
 206                         return status;
 207                 }
 208         }
 209
 210         status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
 211                                                auth_type,
 212                                                dcerpc_auth_level(p->conn));
 213         if (!NT_STATUS_IS_OK(status)) {
 214                 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
 215                           gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
 216                 return status;
 217         }
 218
 219         status = dcerpc_bind_auth(p, auth_type,
 220                                   dcerpc_auth_level(p->conn),
 221                                   uuid, version);
 222         if (!NT_STATUS_IS_OK(status)) {
 223                 DEBUG(2, ("Failed to bind to pipe with %s: %s\n",
 224                           gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
 225                 return status;
 226         }
 227
 228         return status;
 229 }