2 Unix SMB/CIFS implementation.
4 Generic Authentication Interface
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "libcli/composite/composite.h"
27 #include "auth/gensec/gensec.h"
28 #include "librpc/rpc/dcerpc.h"
31 do a non-athenticated dcerpc bind
34 struct composite_context
*dcerpc_bind_auth_none_send(TALLOC_CTX
*mem_ctx
,
35 struct dcerpc_pipe
*p
,
36 const struct dcerpc_interface_table
*table
)
38 struct dcerpc_syntax_id syntax
;
39 struct dcerpc_syntax_id transfer_syntax
;
41 struct composite_context
*c
;
43 c
= talloc_zero(mem_ctx
, struct composite_context
);
44 if (c
== NULL
) return NULL
;
46 c
->status
= dcerpc_init_syntaxes(table
,
47 &syntax
, &transfer_syntax
);
48 if (!NT_STATUS_IS_OK(c
->status
)) {
49 DEBUG(2,("Invalid uuid string in "
50 "dcerpc_bind_auth_none_send\n"));
51 composite_error(c
, c
->status
);
55 /* c was only allocated as a container for a possible error */
58 return dcerpc_bind_send(p
, mem_ctx
, &syntax
, &transfer_syntax
);
61 NTSTATUS
dcerpc_bind_auth_none_recv(struct composite_context
*ctx
)
63 return dcerpc_bind_recv(ctx
);
66 NTSTATUS
dcerpc_bind_auth_none(struct dcerpc_pipe
*p
,
67 const struct dcerpc_interface_table
*table
)
69 struct composite_context
*ctx
;
70 ctx
= dcerpc_bind_auth_none_send(p
, p
, table
);
71 return dcerpc_bind_auth_none_recv(ctx
);
74 struct bind_auth_state
{
75 struct dcerpc_pipe
*pipe
;
76 DATA_BLOB credentials
;
77 BOOL more_processing
; /* Is there anything more to do after the
78 * first bind itself received? */
81 static void bind_auth_recv_alter(struct composite_context
*creq
);
83 static void bind_auth_next_step(struct composite_context
*c
)
85 struct bind_auth_state
*state
=
86 talloc_get_type(c
->private_data
, struct bind_auth_state
);
87 struct dcerpc_security
*sec
= &state
->pipe
->conn
->security_state
;
88 struct composite_context
*creq
;
89 BOOL more_processing
= False
;
91 /* The status value here, from GENSEC is vital to the security
92 * of the system. Even if the other end accepts, if GENSEC
93 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
94 * feeding it blobs, or else the remote host/attacker might
95 * avoid mutal authentication requirements.
97 * Likewise, you must not feed GENSEC too much (after the OK),
98 * it doesn't like that either
101 c
->status
= gensec_update(sec
->generic_state
, state
,
102 sec
->auth_info
->credentials
,
103 &state
->credentials
);
105 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
106 more_processing
= True
;
107 c
->status
= NT_STATUS_OK
;
110 if (!composite_is_ok(c
)) return;
112 if (state
->credentials
.length
== 0) {
117 sec
->auth_info
->credentials
= state
->credentials
;
119 if (!more_processing
) {
120 /* NO reply expected, so just send it */
121 c
->status
= dcerpc_auth3(state
->pipe
->conn
, state
);
122 if (!composite_is_ok(c
)) return;
127 /* We are demanding a reply, so use a request that will get us one */
129 creq
= dcerpc_alter_context_send(state
->pipe
, state
,
130 &state
->pipe
->syntax
,
131 &state
->pipe
->transfer_syntax
);
132 composite_continue(c
, creq
, bind_auth_recv_alter
, c
);
135 static void bind_auth_recv_alter(struct composite_context
*creq
)
137 struct composite_context
*c
=
138 talloc_get_type(creq
->async
.private_data
,
139 struct composite_context
);
141 c
->status
= dcerpc_alter_context_recv(creq
);
142 if (!composite_is_ok(c
)) return;
144 bind_auth_next_step(c
);
147 static void bind_auth_recv_bindreply(struct composite_context
*creq
)
149 struct composite_context
*c
=
150 talloc_get_type(creq
->async
.private_data
,
151 struct composite_context
);
152 struct bind_auth_state
*state
=
153 talloc_get_type(c
->private_data
, struct bind_auth_state
);
155 c
->status
= dcerpc_bind_recv(creq
);
156 if (!composite_is_ok(c
)) return;
158 if (!state
->more_processing
) {
159 /* The first gensec_update has not requested a second run, so
160 * we're done here. */
165 bind_auth_next_step(c
);
169 Bind to a DCE/RPC pipe, async
170 @param mem_ctx TALLOC_CTX for the allocation of the composite_context
171 @param p The dcerpc_pipe to bind (must already be connected)
172 @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
173 @param credentials The credentials of the account to connect with
174 @param auth_type Select the authentication scheme to use
175 @param auth_level Chooses between unprotected (connect), signed or sealed
176 @param service The service (used by Kerberos to select the service principal to contact)
177 @retval A composite context describing the partial state of the bind
180 struct composite_context
*dcerpc_bind_auth_send(TALLOC_CTX
*mem_ctx
,
181 struct dcerpc_pipe
*p
,
182 const struct dcerpc_interface_table
*table
,
183 struct cli_credentials
*credentials
,
184 uint8_t auth_type
, uint8_t auth_level
,
187 struct composite_context
*c
, *creq
;
188 struct bind_auth_state
*state
;
189 struct dcerpc_security
*sec
;
191 struct dcerpc_syntax_id syntax
, transfer_syntax
;
193 c
= talloc_zero(mem_ctx
, struct composite_context
);
194 if (c
== NULL
) return NULL
;
196 state
= talloc(c
, struct bind_auth_state
);
198 c
->status
= NT_STATUS_NO_MEMORY
;
202 c
->state
= COMPOSITE_STATE_IN_PROGRESS
;
203 c
->private_data
= state
;
204 c
->event_ctx
= p
->conn
->event_ctx
;
208 c
->status
= dcerpc_init_syntaxes(table
,
211 if (!NT_STATUS_IS_OK(c
->status
)) goto failed
;
213 sec
= &p
->conn
->security_state
;
215 c
->status
= gensec_client_start(p
, &sec
->generic_state
,
217 if (!NT_STATUS_IS_OK(c
->status
)) {
218 DEBUG(1, ("Failed to start GENSEC client mode: %s\n",
219 nt_errstr(c
->status
)));
223 c
->status
= gensec_set_credentials(sec
->generic_state
, credentials
);
224 if (!NT_STATUS_IS_OK(c
->status
)) {
225 DEBUG(1, ("Failed to set GENSEC client credentails: %s\n",
226 nt_errstr(c
->status
)));
230 c
->status
= gensec_set_target_hostname(
231 sec
->generic_state
, p
->conn
->transport
.peer_name(p
->conn
));
232 if (!NT_STATUS_IS_OK(c
->status
)) {
233 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
234 nt_errstr(c
->status
)));
238 if (service
!= NULL
) {
239 c
->status
= gensec_set_target_service(sec
->generic_state
,
241 if (!NT_STATUS_IS_OK(c
->status
)) {
242 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
243 nt_errstr(c
->status
)));
248 c
->status
= gensec_start_mech_by_authtype(sec
->generic_state
,
249 auth_type
, auth_level
);
250 if (!NT_STATUS_IS_OK(c
->status
)) {
251 DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n",
252 gensec_get_name_by_authtype(auth_type
),
253 nt_errstr(c
->status
)));
257 sec
->auth_info
= talloc(p
, struct dcerpc_auth
);
258 if (sec
->auth_info
== NULL
) {
259 c
->status
= NT_STATUS_NO_MEMORY
;
263 sec
->auth_info
->auth_type
= auth_type
;
264 sec
->auth_info
->auth_level
= auth_level
,
265 sec
->auth_info
->auth_pad_length
= 0;
266 sec
->auth_info
->auth_reserved
= 0;
267 sec
->auth_info
->auth_context_id
= random();
268 sec
->auth_info
->credentials
= data_blob(NULL
, 0);
270 /* The status value here, from GENSEC is vital to the security
271 * of the system. Even if the other end accepts, if GENSEC
272 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
273 * feeding it blobs, or else the remote host/attacker might
274 * avoid mutal authentication requirements.
276 * Likewise, you must not feed GENSEC too much (after the OK),
277 * it doesn't like that either
280 c
->status
= gensec_update(sec
->generic_state
, state
,
281 sec
->auth_info
->credentials
,
282 &state
->credentials
);
283 if (!NT_STATUS_IS_OK(c
->status
) &&
284 !NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
288 state
->more_processing
=
289 NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
);
291 if (state
->credentials
.length
== 0) {
296 sec
->auth_info
->credentials
= state
->credentials
;
298 /* The first request always is a dcerpc_bind. The subsequent ones
299 * depend on gensec results */
300 creq
= dcerpc_bind_send(p
, state
, &syntax
, &transfer_syntax
);
302 c
->status
= NT_STATUS_NO_MEMORY
;
306 creq
->async
.fn
= bind_auth_recv_bindreply
;
307 creq
->async
.private_data
= c
;
311 composite_error(c
, c
->status
);
315 NTSTATUS
dcerpc_bind_auth_recv(struct composite_context
*creq
)
317 NTSTATUS result
= composite_wait(creq
);
318 struct bind_auth_state
*state
= talloc_get_type(creq
->private_data
, struct bind_auth_state
);
320 if (NT_STATUS_IS_OK(result
)) {
322 after a successful authenticated bind the session
323 key reverts to the generic session key
325 state
->pipe
->conn
->security_state
.session_key
= dcerpc_generic_session_key
;
333 Perform a GENSEC authenticated bind to a DCE/RPC pipe, sync
334 @param p The dcerpc_pipe to bind (must already be connected)
335 @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
336 @param credentials The credentials of the account to connect with
337 @param auth_type Select the authentication scheme to use
338 @param auth_level Chooses between unprotected (connect), signed or sealed
339 @param service The service (used by Kerberos to select the service principal to contact)
340 @retval NTSTATUS status code
342 NTSTATUS
dcerpc_bind_auth(struct dcerpc_pipe
*p
,
343 const struct dcerpc_interface_table
*table
,
344 struct cli_credentials
*credentials
,
345 uint8_t auth_type
, uint8_t auth_level
,
348 struct composite_context
*creq
;
349 creq
= dcerpc_bind_auth_send(p
, p
, table
, credentials
,
350 auth_type
, auth_level
, service
);
351 return dcerpc_bind_auth_recv(creq
);