source4/librpc/rpc/dcerpc_auth.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
   8    Copyright (C) Stefan Metzmacher 2004
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 2 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23 */
  24
  25 #include "includes.h"
  26
  27 /*
  28   do a non-athenticated dcerpc bind
  29 */
  30 NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
  31                                const char *uuid, uint_t version)
  32 {
  33         TALLOC_CTX *tmp_ctx = talloc_new(p);
  34         NTSTATUS status;
  35
  36         status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
  37         talloc_free(tmp_ctx);
  38
  39         return status;
  40 }
  41
  42 /*
  43   perform a multi-part authenticated bind
  44 */
  45 NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
  46                            const char *uuid, uint_t version)
  47 {
  48         NTSTATUS status;
  49         TALLOC_CTX *tmp_ctx = talloc_new(p);
  50         DATA_BLOB credentials;
  51         DATA_BLOB null_data_blob = data_blob(NULL, 0);
  52
  53         if (!p->conn->security_state.generic_state) {
  54                 status = gensec_client_start(p, &p->conn->security_state.generic_state);
  55                 if (!NT_STATUS_IS_OK(status)) goto done;
  56
  57                 status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
  58                                                        auth_type, auth_level);
  59                 if (!NT_STATUS_IS_OK(status)) goto done;
  60         }
  61
  62         p->conn->security_state.auth_info = talloc(p, struct dcerpc_auth);
  63         if (!p->conn->security_state.auth_info) {
  64                 status = NT_STATUS_NO_MEMORY;
  65                 goto done;
  66         }
  67
  68         p->conn->security_state.auth_info->auth_type = auth_type;
  69         p->conn->security_state.auth_info->auth_level = auth_level;
  70         p->conn->security_state.auth_info->auth_pad_length = 0;
  71         p->conn->security_state.auth_info->auth_reserved = 0;
  72         p->conn->security_state.auth_info->auth_context_id = random();
  73         p->conn->security_state.auth_info->credentials = null_data_blob;
  74
  75         status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
  76                                null_data_blob,
  77                                &credentials);
  78
  79         p->conn->security_state.auth_info->credentials = credentials;
  80
  81         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
  82                 /* We are demanding a reply, so use a request that will get us one */
  83                 status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
  84                 if (!NT_STATUS_IS_OK(status)) {
  85                         goto done;
  86                 }
  87         } else if (NT_STATUS_IS_OK(status)) {
  88                 /* We don't care for the reply, so jump to the end */
  89                 status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
  90                 goto done;
  91         } else {
  92                 /* Something broke in GENSEC - bail */
  93                 goto done;
  94         }
  95
  96         while (1) {
  97                 status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
  98                                        p->conn->security_state.auth_info->credentials,
  99                                        &credentials);
 100                 if (!NT_STATUS_IS_OK(status)
 101                     && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 102                         break;
 103                 }
 104
 105                 if (!credentials.length) {
 106                         break;
 107                 }
 108
 109                 p->conn->security_state.auth_info->credentials = credentials;
 110
 111                 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 112                         /* We are demanding a reply, so use a request that will get us one */
 113                         status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax);
 114                         if (!NT_STATUS_IS_OK(status)) {
 115                                 break;
 116                         }
 117                 } else {
 118                         /* NO reply expected, so just send it */
 119                         status = dcerpc_auth3(p->conn, tmp_ctx);
 120                         credentials = data_blob(NULL, 0);
 121                         if (!NT_STATUS_IS_OK(status)) {
 122                                 break;
 123                         }
 124                 }
 125         };
 126
 127 done:
 128         talloc_free(tmp_ctx);
 129
 130         if (!NT_STATUS_IS_OK(status)) {
 131                 talloc_free(p->conn->security_state.generic_state);
 132                 ZERO_STRUCT(p->conn->security_state);
 133         } else {
 134                 /* Authenticated connections use the generic session key */
 135                 p->conn->security_state.session_key = dcerpc_generic_session_key;
 136         }
 137
 138         return status;
 139 }
 140
 141 /*
 142   setup GENSEC on a DCE-RPC pipe
 143 */
 144 NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p,
 145                                    const char *uuid, uint_t version,
 146                                    const char *domain,
 147                                    const char *username,
 148                                    const char *password,
 149                                    uint8_t auth_type)
 150 {
 151         NTSTATUS status;
 152
 153         if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
 154                 p->conn->flags |= DCERPC_CONNECT;
 155         }
 156
 157         status = gensec_client_start(p, &p->conn->security_state.generic_state);
 158         if (!NT_STATUS_IS_OK(status)) {
 159                 DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
 160                 return status;
 161         }
 162
 163         status = gensec_set_domain(p->conn->security_state.generic_state, domain);
 164         if (!NT_STATUS_IS_OK(status)) {
 165                 DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
 166                           domain, nt_errstr(status)));
 167                 return status;
 168         }
 169
 170         status = gensec_set_username(p->conn->security_state.generic_state, username);
 171         if (!NT_STATUS_IS_OK(status)) {
 172                 DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
 173                           username, nt_errstr(status)));
 174                 return status;
 175         }
 176
 177         status = gensec_set_password(p->conn->security_state.generic_state, password);
 178         if (!NT_STATUS_IS_OK(status)) {
 179                 DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
 180                           nt_errstr(status)));
 181                 return status;
 182         }
 183
 184         status = gensec_set_target_hostname(p->conn->security_state.generic_state,
 185                                             p->conn->transport.peer_name(p->conn));
 186         if (!NT_STATUS_IS_OK(status)) {
 187                 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
 188                           nt_errstr(status)));
 189                 return status;
 190         }
 191
 192         status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
 193                                                auth_type,
 194                                                dcerpc_auth_level(p->conn));
 195         if (!NT_STATUS_IS_OK(status)) {
 196                 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
 197                           gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
 198                 return status;
 199         }
 200
 201         status = dcerpc_bind_auth(p, auth_type,
 202                                   dcerpc_auth_level(p->conn),
 203                                   uuid, version);
 204         if (!NT_STATUS_IS_OK(status)) {
 205                 DEBUG(2, ("Failed to bind to pipe with %s: %s\n",
 206                           gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
 207                 return status;
 208         }
 209
 210         return status;
 211 }