search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug #10097 - MacOSX 10.9 will not follow path-based DFS referrals handed out...
[Samba.git] / source4 / librpc / rpc / dcerpc_auth.c
blobd5e56206b0416d01818a5f8c215d241a0cf401f2
1 /*
2 Unix SMB/CIFS implementation.
3
4 Generic Authentication Interface
5
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Stefan Metzmacher 2004
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include <tevent.h>
26 #include "libcli/composite/composite.h"
27 #include "auth/gensec/gensec.h"
28 #include "librpc/rpc/dcerpc.h"
29 #include "librpc/rpc/dcerpc_proto.h"
30 #include "param/param.h"
31
32 /*
33 return the rpc syntax and transfer syntax given the pipe uuid and version
34 */
35 static NTSTATUS dcerpc_init_syntaxes(const struct ndr_interface_table *table,
36 uint32_t pipe_flags,
37 struct ndr_syntax_id *syntax,
38 struct ndr_syntax_id *transfer_syntax)
39 {
40 syntax->uuid = table->syntax_id.uuid;
41 syntax->if_version = table->syntax_id.if_version;
42
43 if (pipe_flags & DCERPC_NDR64) {
44 *transfer_syntax = ndr_transfer_syntax_ndr64;
45 } else {
46 *transfer_syntax = ndr_transfer_syntax_ndr;
47 }
48
49 return NT_STATUS_OK;
50 }
51
52
53 /*
54 Send request to do a non-authenticated dcerpc bind
55 */
56 static void dcerpc_bind_auth_none_done(struct tevent_req *subreq);
57
58 struct composite_context *dcerpc_bind_auth_none_send(TALLOC_CTX *mem_ctx,
59 struct dcerpc_pipe *p,
60 const struct ndr_interface_table *table)
61 {
62 struct ndr_syntax_id syntax;
63 struct ndr_syntax_id transfer_syntax;
64
65 struct composite_context *c;
66 struct tevent_req *subreq;
67
68 c = composite_create(mem_ctx, p->conn->event_ctx);
69 if (c == NULL) return NULL;
70
71 c->status = dcerpc_init_syntaxes(table, p->conn->flags,
72 &syntax, &transfer_syntax);
73 if (!NT_STATUS_IS_OK(c->status)) {
74 DEBUG(2,("Invalid uuid string in "
75 "dcerpc_bind_auth_none_send\n"));
76 composite_error(c, c->status);
77 return c;
78 }
79
80 subreq = dcerpc_bind_send(mem_ctx, p->conn->event_ctx, p,
81 &syntax, &transfer_syntax);
82 if (composite_nomem(subreq, c)) return c;
83 tevent_req_set_callback(subreq, dcerpc_bind_auth_none_done, c);
84
85 return c;
86 }
87
88 static void dcerpc_bind_auth_none_done(struct tevent_req *subreq)
89 {
90 struct composite_context *ctx =
91 tevent_req_callback_data(subreq,
92 struct composite_context);
93
94 ctx->status = dcerpc_bind_recv(subreq);
95 TALLOC_FREE(subreq);
96 if (!composite_is_ok(ctx)) return;
97
98 composite_done(ctx);
99 }
100
101 /*
102 Receive result of a non-authenticated dcerpc bind
103 */
104 NTSTATUS dcerpc_bind_auth_none_recv(struct composite_context *ctx)
105 {
106 NTSTATUS result = composite_wait(ctx);
107 TALLOC_FREE(ctx);
108 return result;
109 }
110
111
112 /*
113 Perform sync non-authenticated dcerpc bind
114 */
115 _PUBLIC_ NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
116 const struct ndr_interface_table *table)
117 {
118 struct composite_context *ctx;
119
120 ctx = dcerpc_bind_auth_none_send(p, p, table);
121 return dcerpc_bind_auth_none_recv(ctx);
122 }
123
124
125 struct bind_auth_state {
126 struct dcerpc_pipe *pipe;
127 DATA_BLOB credentials;
128 bool more_processing; /* Is there anything more to do after the
129 * first bind itself received? */
130 };
131
132 static void bind_auth_recv_alter(struct tevent_req *subreq);
133
134 static void bind_auth_next_step(struct composite_context *c)
135 {
136 struct bind_auth_state *state;
137 struct dcecli_security *sec;
138 struct tevent_req *subreq;
139 bool more_processing = false;
140
141 state = talloc_get_type(c->private_data, struct bind_auth_state);
142 sec = &state->pipe->conn->security_state;
143
144 /* The status value here, from GENSEC is vital to the security
145 * of the system. Even if the other end accepts, if GENSEC
146 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
147 * feeding it blobs, or else the remote host/attacker might
148 * avoid mutal authentication requirements.
149 *
150 * Likewise, you must not feed GENSEC too much (after the OK),
151 * it doesn't like that either
152 */
153
154 state->pipe->inhibit_timeout_processing = true;
155 state->pipe->timed_out = false;
156
157 c->status = gensec_update(sec->generic_state, state,
158 state->pipe->conn->event_ctx,
159 sec->auth_info->credentials,
160 &state->credentials);
161 if (state->pipe->timed_out) {
162 composite_error(c, NT_STATUS_IO_TIMEOUT);
163 return;
164 }
165 state->pipe->inhibit_timeout_processing = false;
166
167 data_blob_free(&sec->auth_info->credentials);
168
169 if (NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
170 more_processing = true;
171 c->status = NT_STATUS_OK;
172 }
173
174 if (!composite_is_ok(c)) return;
175
176 if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
177 gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
178 }
179
180 if (state->credentials.length == 0) {
181 composite_done(c);
182 return;
183 }
184
185 sec->auth_info->credentials = state->credentials;
186
187 if (!more_processing) {
188 /* NO reply expected, so just send it */
189 c->status = dcerpc_auth3(state->pipe, state);
190 data_blob_free(&state->credentials);
191 sec->auth_info->credentials = data_blob(NULL, 0);
192 if (!composite_is_ok(c)) return;
193
194 composite_done(c);
195 return;
196 }
197
198 /* We are demanding a reply, so use a request that will get us one */
199
200 subreq = dcerpc_alter_context_send(state, state->pipe->conn->event_ctx,
201 state->pipe,
202 &state->pipe->syntax,
203 &state->pipe->transfer_syntax);
204 data_blob_free(&state->credentials);
205 sec->auth_info->credentials = data_blob(NULL, 0);
206 if (composite_nomem(subreq, c)) return;
207 tevent_req_set_callback(subreq, bind_auth_recv_alter, c);
208 }
209
210
211 static void bind_auth_recv_alter(struct tevent_req *subreq)
212 {
213 struct composite_context *c =
214 tevent_req_callback_data(subreq,
215 struct composite_context);
216
217 c->status = dcerpc_alter_context_recv(subreq);
218 TALLOC_FREE(subreq);
219 if (!composite_is_ok(c)) return;
220
221 bind_auth_next_step(c);
222 }
223
224
225 static void bind_auth_recv_bindreply(struct tevent_req *subreq)
226 {
227 struct composite_context *c =
228 tevent_req_callback_data(subreq,
229 struct composite_context);
230 struct bind_auth_state *state = talloc_get_type(c->private_data,
231 struct bind_auth_state);
232
233 c->status = dcerpc_bind_recv(subreq);
234 TALLOC_FREE(subreq);
235 if (!composite_is_ok(c)) return;
236
237 if (!state->more_processing) {
238 /* The first gensec_update has not requested a second run, so
239 * we're done here. */
240 composite_done(c);
241 return;
242 }
243
244 bind_auth_next_step(c);
245 }
246
247
248 /**
249 Bind to a DCE/RPC pipe, send async request
250 @param mem_ctx TALLOC_CTX for the allocation of the composite_context
251 @param p The dcerpc_pipe to bind (must already be connected)
252 @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
253 @param credentials The credentials of the account to connect with
254 @param auth_type Select the authentication scheme to use
255 @param auth_level Chooses between unprotected (connect), signed or sealed
256 @param service The service (used by Kerberos to select the service principal to contact)
257 @retval A composite context describing the partial state of the bind
258 */
259
260 struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
261 struct dcerpc_pipe *p,
262 const struct ndr_interface_table *table,
263 struct cli_credentials *credentials,
264 struct gensec_settings *gensec_settings,
265 uint8_t auth_type, uint8_t auth_level,
266 const char *service)
267 {
268 struct composite_context *c;
269 struct bind_auth_state *state;
270 struct dcecli_security *sec;
271 struct tevent_req *subreq;
272
273 struct ndr_syntax_id syntax, transfer_syntax;
274
275 /* composite context allocation and setup */
276 c = composite_create(mem_ctx, p->conn->event_ctx);
277 if (c == NULL) return NULL;
278
279 state = talloc(c, struct bind_auth_state);
280 if (composite_nomem(state, c)) return c;
281 c->private_data = state;
282
283 state->pipe = p;
284
285 c->status = dcerpc_init_syntaxes(table, p->conn->flags,
286 &syntax,
287 &transfer_syntax);
288 if (!composite_is_ok(c)) return c;
289
290 sec = &p->conn->security_state;
291
292 c->status = gensec_client_start(p, &sec->generic_state,
293 gensec_settings);
294 if (!NT_STATUS_IS_OK(c->status)) {
295 DEBUG(1, ("Failed to start GENSEC client mode: %s\n",
296 nt_errstr(c->status)));
297 composite_error(c, c->status);
298 return c;
299 }
300
301 c->status = gensec_set_credentials(sec->generic_state, credentials);
302 if (!NT_STATUS_IS_OK(c->status)) {
303 DEBUG(1, ("Failed to set GENSEC client credentials: %s\n",
304 nt_errstr(c->status)));
305 composite_error(c, c->status);
306 return c;
307 }
308
309 c->status = gensec_set_target_hostname(sec->generic_state,
310 p->conn->transport.target_hostname(p->conn));
311 if (!NT_STATUS_IS_OK(c->status)) {
312 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
313 nt_errstr(c->status)));
314 composite_error(c, c->status);
315 return c;
316 }
317
318 if (service != NULL) {
319 c->status = gensec_set_target_service(sec->generic_state,
320 service);
321 if (!NT_STATUS_IS_OK(c->status)) {
322 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
323 nt_errstr(c->status)));
324 composite_error(c, c->status);
325 return c;
326 }
327 }
328
329 if (p->binding && p->binding->target_principal) {
330 c->status = gensec_set_target_principal(sec->generic_state,
331 p->binding->target_principal);
332 if (!NT_STATUS_IS_OK(c->status)) {
333 DEBUG(1, ("Failed to set GENSEC target principal to %s: %s\n",
334 p->binding->target_principal, nt_errstr(c->status)));
335 composite_error(c, c->status);
336 return c;
337 }
338 }
339
340 c->status = gensec_start_mech_by_authtype(sec->generic_state,
341 auth_type, auth_level);
342 if (!NT_STATUS_IS_OK(c->status)) {
343 DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n",
344 gensec_get_name_by_authtype(sec->generic_state, auth_type),
345 nt_errstr(c->status)));
346 composite_error(c, c->status);
347 return c;
348 }
349
350 sec->auth_info = talloc(p, struct dcerpc_auth);
351 if (composite_nomem(sec->auth_info, c)) return c;
352
353 sec->auth_info->auth_type = auth_type;
354 sec->auth_info->auth_level = auth_level,
355 sec->auth_info->auth_pad_length = 0;
356 sec->auth_info->auth_reserved = 0;
357 sec->auth_info->auth_context_id = random();
358 sec->auth_info->credentials = data_blob(NULL, 0);
359
360 /* The status value here, from GENSEC is vital to the security
361 * of the system. Even if the other end accepts, if GENSEC
362 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
363 * feeding it blobs, or else the remote host/attacker might
364 * avoid mutal authentication requirements.
365 *
366 * Likewise, you must not feed GENSEC too much (after the OK),
367 * it doesn't like that either
368 */
369
370 state->pipe->inhibit_timeout_processing = true;
371 state->pipe->timed_out = false;
372 c->status = gensec_update(sec->generic_state, state,
373 p->conn->event_ctx,
374 sec->auth_info->credentials,
375 &state->credentials);
376 if (state->pipe->timed_out) {
377 composite_error(c, NT_STATUS_IO_TIMEOUT);
378 return c;
379 }
380 state->pipe->inhibit_timeout_processing = false;
381
382 if (!NT_STATUS_IS_OK(c->status) &&
383 !NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
384 composite_error(c, c->status);
385 return c;
386 }
387
388 state->more_processing = NT_STATUS_EQUAL(c->status,
389 NT_STATUS_MORE_PROCESSING_REQUIRED);
390
391 if (state->credentials.length == 0) {
392 composite_done(c);
393 return c;
394 }
395
396 sec->auth_info->credentials = state->credentials;
397
398 /* The first request always is a dcerpc_bind. The subsequent ones
399 * depend on gensec results */
400 subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
401 &syntax, &transfer_syntax);
402 data_blob_free(&state->credentials);
403 sec->auth_info->credentials = data_blob(NULL, 0);
404 if (composite_nomem(subreq, c)) return c;
405 tevent_req_set_callback(subreq, bind_auth_recv_bindreply, c);
406
407 return c;
408 }
409
410
411 /**
412 Bind to a DCE/RPC pipe, receive result
413 @param creq A composite context describing state of async call
414 @retval NTSTATUS code
415 */
416
417 NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq)
418 {
419 NTSTATUS result = composite_wait(creq);
420 struct bind_auth_state *state = talloc_get_type(creq->private_data,
421 struct bind_auth_state);
422
423 if (NT_STATUS_IS_OK(result)) {
424 /*
425 after a successful authenticated bind the session
426 key reverts to the generic session key
427 */
428 state->pipe->conn->security_state.session_key = dcerpc_generic_session_key;
429 }
430
431 talloc_free(creq);
432 return result;
433 }
434
435
436 /**
437 Perform a GENSEC authenticated bind to a DCE/RPC pipe, sync
438 @param p The dcerpc_pipe to bind (must already be connected)
439 @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
440 @param credentials The credentials of the account to connect with
441 @param auth_type Select the authentication scheme to use
442 @param auth_level Chooses between unprotected (connect), signed or sealed
443 @param service The service (used by Kerberos to select the service principal to contact)
444 @retval NTSTATUS status code
445 */
446
447 _PUBLIC_ NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p,
448 const struct ndr_interface_table *table,
449 struct cli_credentials *credentials,
450 struct gensec_settings *gensec_settings,
451 uint8_t auth_type, uint8_t auth_level,
452 const char *service)
453 {
454 struct composite_context *creq;
455 creq = dcerpc_bind_auth_send(p, p, table, credentials, gensec_settings,
456 auth_type, auth_level, service);
457 return dcerpc_bind_auth_recv(creq);
458 }
Samba GIT mirror