source4/librpc/rpc/dcerpc_auth.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Stefan Metzmacher 2004
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 2 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23 */
  24
  25 #include "includes.h"
  26 #include "libcli/composite/composite.h"
  27
  28 /*
  29   do a non-athenticated dcerpc bind
  30 */
  31
  32 struct composite_context *dcerpc_bind_auth_none_send(TALLOC_CTX *mem_ctx,
  33                                                      struct dcerpc_pipe *p,
  34                                                      const char *uuid,
  35                                                      uint_t version)
  36 {
  37         struct dcerpc_syntax_id syntax;
  38         struct dcerpc_syntax_id transfer_syntax;
  39
  40         struct composite_context *c;
  41
  42         c = talloc_zero(mem_ctx, struct composite_context);
  43         if (c == NULL) return NULL;
  44
  45         c->status = dcerpc_init_syntaxes(uuid, version,
  46                                          &syntax, &transfer_syntax);
  47         if (!NT_STATUS_IS_OK(c->status)) {
  48                 DEBUG(2,("Invalid uuid string in "
  49                          "dcerpc_bind_auth_none_send\n"));
  50                 composite_trigger_error(c);
  51                 return c;
  52         }
  53
  54         /* c was only allocated as a container for a possible error */
  55         talloc_free(c);
  56
  57         return dcerpc_bind_send(p, mem_ctx, &syntax, &transfer_syntax);
  58 }
  59
  60 NTSTATUS dcerpc_bind_auth_none_recv(struct composite_context *ctx)
  61 {
  62         return dcerpc_bind_recv(ctx);
  63 }
  64
  65 NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
  66                                const char *uuid, uint_t version)
  67 {
  68         struct composite_context *ctx;
  69         ctx = dcerpc_bind_auth_none_send(p, p, uuid, version);
  70         return dcerpc_bind_auth_none_recv(ctx);
  71 }
  72
  73 struct bind_auth_state {
  74         struct dcerpc_pipe *pipe;
  75         DATA_BLOB credentials;
  76         BOOL more_processing;
  77 };
  78
  79 static void bind_auth_recv_alter(struct composite_context *creq);
  80
  81 static void bind_auth_next_step(struct composite_context *c)
  82 {
  83         struct bind_auth_state *state =
  84                 talloc_get_type(c->private_data, struct bind_auth_state);
  85         struct dcerpc_security *sec = &state->pipe->conn->security_state;
  86         struct composite_context *creq;
  87         BOOL more_processing = False;
  88
  89         c->status = gensec_update(sec->generic_state, state,
  90                                   sec->auth_info->credentials,
  91                                   &state->credentials);
  92
  93         if (NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
  94                 more_processing = True;
  95                 c->status = NT_STATUS_OK;
  96         }
  97
  98         if (!composite_is_ok(c)) return;
  99
 100         if (state->credentials.length == 0) {
 101                 composite_done(c);
 102                 return;
 103         }
 104
 105         sec->auth_info->credentials = state->credentials;
 106
 107         if (!more_processing) {
 108                 /* NO reply expected, so just send it */
 109                 c->status = dcerpc_auth3(state->pipe->conn, state);
 110                 if (!composite_is_ok(c)) return;
 111                 composite_done(c);
 112                 return;
 113         }
 114
 115         creq = dcerpc_alter_context_send(state->pipe, state,
 116                                          &state->pipe->syntax,
 117                                          &state->pipe->transfer_syntax);
 118         composite_continue(c, creq, bind_auth_recv_alter, c);
 119 }
 120
 121 static void bind_auth_recv_alter(struct composite_context *creq)
 122 {
 123         struct composite_context *c =
 124                 talloc_get_type(creq->async.private_data,
 125                                 struct composite_context);
 126
 127         c->status = dcerpc_alter_context_recv(creq);
 128         if (!composite_is_ok(c)) return;
 129
 130         bind_auth_next_step(c);
 131 }
 132
 133 static void bind_auth_recv_bindreply(struct composite_context *creq)
 134 {
 135         struct composite_context *c =
 136                 talloc_get_type(creq->async.private_data,
 137                                 struct composite_context);
 138         struct bind_auth_state *state =
 139                 talloc_get_type(c->private_data, struct bind_auth_state);
 140
 141         c->status = dcerpc_bind_recv(creq);
 142         if (!composite_is_ok(c)) return;
 143
 144         if (!state->more_processing) {
 145                 composite_done(c);
 146                 return;
 147         }
 148
 149         bind_auth_next_step(c);
 150 }
 151
 152 struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 153                                                 struct dcerpc_pipe *p,
 154                                                 const char *uuid, uint_t version,
 155                                                 struct cli_credentials *credentials,
 156                                                 uint8_t auth_type,
 157                                                 const char *service)
 158 {
 159         struct composite_context *c, *creq;
 160         struct bind_auth_state *state;
 161         struct dcerpc_security *sec;
 162
 163         struct dcerpc_syntax_id syntax, transfer_syntax;
 164
 165         c = talloc_zero(mem_ctx, struct composite_context);
 166         if (c == NULL) return NULL;
 167
 168         state = talloc(c, struct bind_auth_state);
 169         if (state == NULL) {
 170                 c->status = NT_STATUS_NO_MEMORY;
 171                 goto failed;
 172         }
 173
 174         c->state = COMPOSITE_STATE_IN_PROGRESS;
 175         c->private_data = state;
 176         c->event_ctx = p->conn->event_ctx;
 177
 178         state->pipe = p;
 179
 180         c->status = dcerpc_init_syntaxes(uuid, version,
 181                                          &syntax,
 182                                          &transfer_syntax);
 183         if (!NT_STATUS_IS_OK(c->status)) goto failed;
 184
 185         sec = &p->conn->security_state;
 186
 187         c->status = gensec_client_start(p, &sec->generic_state,
 188                                         p->conn->event_ctx);
 189         if (!NT_STATUS_IS_OK(c->status)) {
 190                 DEBUG(1, ("Failed to start GENSEC client mode: %s\n",
 191                           nt_errstr(c->status)));
 192                 goto failed;
 193         }
 194
 195         c->status = gensec_set_credentials(sec->generic_state, credentials);
 196         if (!NT_STATUS_IS_OK(c->status)) {
 197                 DEBUG(1, ("Failed to set GENSEC client credentails: %s\n",
 198                           nt_errstr(c->status)));
 199                 goto failed;
 200         }
 201
 202         c->status = gensec_set_target_hostname(
 203                 sec->generic_state, p->conn->transport.peer_name(p->conn));
 204         if (!NT_STATUS_IS_OK(c->status)) {
 205                 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
 206                           nt_errstr(c->status)));
 207                 goto failed;
 208         }
 209
 210         if (service != NULL) {
 211                 c->status = gensec_set_target_service(sec->generic_state,
 212                                                       service);
 213                 if (!NT_STATUS_IS_OK(c->status)) {
 214                         DEBUG(1, ("Failed to set GENSEC target service: %s\n",
 215                                   nt_errstr(c->status)));
 216                         goto failed;
 217                 }
 218         }
 219
 220         c->status = gensec_start_mech_by_authtype(sec->generic_state,
 221                                                   auth_type,
 222                                                   dcerpc_auth_level(p->conn));
 223         if (!NT_STATUS_IS_OK(c->status)) {
 224                 DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n",
 225                           gensec_get_name_by_authtype(auth_type),
 226                           nt_errstr(c->status)));
 227                 goto failed;
 228         }
 229
 230         sec->auth_info = talloc(p, struct dcerpc_auth);
 231         if (sec->auth_info == NULL) {
 232                 c->status = NT_STATUS_NO_MEMORY;
 233                 goto failed;
 234         }
 235
 236         sec->auth_info->auth_type = auth_type;
 237         sec->auth_info->auth_level = dcerpc_auth_level(p->conn);
 238         sec->auth_info->auth_pad_length = 0;
 239         sec->auth_info->auth_reserved = 0;
 240         sec->auth_info->auth_context_id = random();
 241         sec->auth_info->credentials = data_blob(NULL, 0);
 242
 243         c->status = gensec_update(sec->generic_state, state,
 244                                   sec->auth_info->credentials,
 245                                   &state->credentials);
 246         if (!NT_STATUS_IS_OK(c->status) &&
 247             !NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 248                 goto failed;
 249         }
 250
 251         state->more_processing =
 252                 NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED);
 253
 254         if (state->credentials.length == 0) {
 255                 composite_trigger_done(c);
 256                 return c;
 257         }
 258
 259         sec->auth_info->credentials = state->credentials;
 260
 261         creq = dcerpc_bind_send(p, state, &syntax, &transfer_syntax);
 262         if (creq == NULL) {
 263                 c->status = NT_STATUS_NO_MEMORY;
 264                 goto failed;
 265         }
 266
 267         creq->async.fn = bind_auth_recv_bindreply;
 268         creq->async.private_data = c;
 269         return c;
 270
 271  failed:
 272         composite_trigger_error(c);
 273         return c;
 274 }
 275
 276 NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq)
 277 {
 278         NTSTATUS result = composite_wait(creq);
 279         talloc_free(creq);
 280         return result;
 281 }
 282
 283 /*
 284   setup GENSEC on a DCE-RPC pipe
 285 */
 286 NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p,
 287                           const char *uuid, uint_t version,
 288                           struct cli_credentials *credentials,
 289                           uint8_t auth_type,
 290                           const char *service)
 291 {
 292         struct composite_context *creq;
 293         creq = dcerpc_bind_auth_send(p, p, uuid, version, credentials,
 294                                      auth_type, service);
 295         return dcerpc_bind_auth_recv(creq);
 296 }