2 Unix SMB/CIFS implementation.
4 Generic Authentication Interface
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 do a non-authenticated dcerpc bind
30 NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
31 const char *uuid, uint_t version)
33 TALLOC_CTX *tmp_ctx = talloc_new(p);
36 status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
43 perform a multi-part authenticated bind
45 NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
46 const char *uuid, uint_t version)
49 TALLOC_CTX *tmp_ctx = talloc_new(p);
50 DATA_BLOB credentials;
51 DATA_BLOB null_data_blob = data_blob(NULL, 0);
53 if (!p->conn->security_state.generic_state) {
54 status = gensec_client_start(p, &p->conn->security_state.generic_state);
55 if (!NT_STATUS_IS_OK(status)) goto done;
57 status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
58 auth_type, auth_level);
59 if (!NT_STATUS_IS_OK(status)) goto done;
62 p->conn->security_state.auth_info = talloc(p, struct dcerpc_auth);
63 if (!p->conn->security_state.auth_info) {
64 status = NT_STATUS_NO_MEMORY;
68 p->conn->security_state.auth_info->auth_type = auth_type;
69 p->conn->security_state.auth_info->auth_level = auth_level;
70 p->conn->security_state.auth_info->auth_pad_length = 0;
71 p->conn->security_state.auth_info->auth_reserved = 0;
72 p->conn->security_state.auth_info->auth_context_id = random();
73 p->conn->security_state.auth_info->credentials = null_data_blob;
75 status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
79 p->conn->security_state.auth_info->credentials = credentials;
81 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
82 /* We are demanding a reply, so use a request that will get us one */
83 status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
84 if (!NT_STATUS_IS_OK(status)) {
87 } else if (NT_STATUS_IS_OK(status)) {
88 /* We don't care for the reply, so jump to the end */
89 status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
92 /* Something broke in GENSEC - bail */
97 status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
98 p->conn->security_state.auth_info->credentials,
100 if (!NT_STATUS_IS_OK(status)
101 && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
105 if (!credentials.length) {
109 p->conn->security_state.auth_info->credentials = credentials;
111 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
112 /* We are demanding a reply, so use a request that will get us one */
113 status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax);
114 if (!NT_STATUS_IS_OK(status)) {
118 /* NO reply expected, so just send it */
119 status = dcerpc_auth3(p->conn, tmp_ctx);
120 credentials = data_blob(NULL, 0);
121 if (!NT_STATUS_IS_OK(status)) {
128 talloc_free(tmp_ctx);
130 if (!NT_STATUS_IS_OK(status)) {
131 talloc_free(p->conn->security_state.generic_state);
132 ZERO_STRUCT(p->conn->security_state);
134 /* Authenticated connections use the generic session key */
135 p->conn->security_state.session_key = dcerpc_generic_session_key;
142 set up GENSEC on a DCE-RPC pipe
144 NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p,
145 const char *uuid, uint_t version,
147 const char *username,
148 const char *password,
153 if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
154 p->conn->flags |= DCERPC_CONNECT;
157 status = gensec_client_start(p, &p->conn->security_state.generic_state);
158 if (!NT_STATUS_IS_OK(status)) {
159 DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
163 status = gensec_set_domain(p->conn->security_state.generic_state, domain);
164 if (!NT_STATUS_IS_OK(status)) {
165 DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
166 domain, nt_errstr(status)));
170 status = gensec_set_username(p->conn->security_state.generic_state, username);
171 if (!NT_STATUS_IS_OK(status)) {
172 DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
173 username, nt_errstr(status)));
177 status = gensec_set_password(p->conn->security_state.generic_state, password);
178 if (!NT_STATUS_IS_OK(status)) {
179 DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
184 status = gensec_set_target_hostname(p->conn->security_state.generic_state,
185 p->conn->transport.peer_name(p->conn));
186 if (!NT_STATUS_IS_OK(status)) {
187 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
192 status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
194 dcerpc_auth_level(p->conn));
195 if (!NT_STATUS_IS_OK(status)) {
196 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
197 gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
201 status = dcerpc_bind_auth(p, auth_type,
202 dcerpc_auth_level(p->conn),
204 if (!NT_STATUS_IS_OK(status)) {
205 DEBUG(2, ("Failed to bind to pipe with %s: %s\n",
206 gensec_get_name_by_authtype(auth_type), nt_errstr(status)));