2 Unix SMB/CIFS implementation.
4 Generic Authentication Interface
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "libcli/composite/composite.h"
27 #include "auth/gensec/gensec.h"
28 #include "librpc/rpc/dcerpc.h"
32 Send request to do a non-authenticated dcerpc bind
34 struct composite_context
*dcerpc_bind_auth_none_send(TALLOC_CTX
*mem_ctx
,
35 struct dcerpc_pipe
*p
,
36 const struct dcerpc_interface_table
*table
)
38 struct dcerpc_syntax_id syntax
;
39 struct dcerpc_syntax_id transfer_syntax
;
41 struct composite_context
*c
;
43 c
= talloc_zero(mem_ctx
, struct composite_context
);
44 if (c
== NULL
) return NULL
;
46 c
->status
= dcerpc_init_syntaxes(table
,
47 &syntax
, &transfer_syntax
);
48 if (!NT_STATUS_IS_OK(c
->status
)) {
49 DEBUG(2,("Invalid uuid string in "
50 "dcerpc_bind_auth_none_send\n"));
51 composite_error(c
, c
->status
);
55 /* c was only allocated as a container for a possible error */
58 return dcerpc_bind_send(p
, mem_ctx
, &syntax
, &transfer_syntax
);
63 Receive result of a non-authenticated dcerpc bind
65 NTSTATUS
dcerpc_bind_auth_none_recv(struct composite_context
*ctx
)
67 return dcerpc_bind_recv(ctx
);
72 Perform sync non-authenticated dcerpc bind
74 NTSTATUS
dcerpc_bind_auth_none(struct dcerpc_pipe
*p
,
75 const struct dcerpc_interface_table
*table
)
77 struct composite_context
*ctx
;
79 ctx
= dcerpc_bind_auth_none_send(p
, p
, table
);
80 return dcerpc_bind_auth_none_recv(ctx
);
84 struct bind_auth_state
{
85 struct dcerpc_pipe
*pipe
;
86 DATA_BLOB credentials
;
87 BOOL more_processing
; /* Is there anything more to do after the
88 * first bind itself received? */
91 static void bind_auth_recv_alter(struct composite_context
*creq
);
93 static void bind_auth_next_step(struct composite_context
*c
)
95 struct bind_auth_state
*state
;
96 struct dcerpc_security
*sec
;
97 struct composite_context
*creq
;
98 BOOL more_processing
= False
;
100 state
= talloc_get_type(c
->private_data
, struct bind_auth_state
);
101 sec
= &state
->pipe
->conn
->security_state
;
103 /* The status value here, from GENSEC is vital to the security
104 * of the system. Even if the other end accepts, if GENSEC
105 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
106 * feeding it blobs, or else the remote host/attacker might
107 * avoid mutal authentication requirements.
109 * Likewise, you must not feed GENSEC too much (after the OK),
110 * it doesn't like that either
113 c
->status
= gensec_update(sec
->generic_state
, state
,
114 sec
->auth_info
->credentials
,
115 &state
->credentials
);
117 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
118 more_processing
= True
;
119 c
->status
= NT_STATUS_OK
;
122 if (!composite_is_ok(c
)) return;
124 if (state
->credentials
.length
== 0) {
129 sec
->auth_info
->credentials
= state
->credentials
;
131 if (!more_processing
) {
132 /* NO reply expected, so just send it */
133 c
->status
= dcerpc_auth3(state
->pipe
->conn
, state
);
134 if (!composite_is_ok(c
)) return;
140 /* We are demanding a reply, so use a request that will get us one */
142 creq
= dcerpc_alter_context_send(state
->pipe
, state
,
143 &state
->pipe
->syntax
,
144 &state
->pipe
->transfer_syntax
);
145 if (composite_nomem(creq
, c
)) return;
147 composite_continue(c
, creq
, bind_auth_recv_alter
, c
);
151 static void bind_auth_recv_alter(struct composite_context
*creq
)
153 struct composite_context
*c
= talloc_get_type(creq
->async
.private_data
,
154 struct composite_context
);
156 c
->status
= dcerpc_alter_context_recv(creq
);
157 if (!composite_is_ok(c
)) return;
159 bind_auth_next_step(c
);
163 static void bind_auth_recv_bindreply(struct composite_context
*creq
)
165 struct composite_context
*c
= talloc_get_type(creq
->async
.private_data
,
166 struct composite_context
);
167 struct bind_auth_state
*state
= talloc_get_type(c
->private_data
,
168 struct bind_auth_state
);
170 c
->status
= dcerpc_bind_recv(creq
);
171 if (!composite_is_ok(c
)) return;
173 if (!state
->more_processing
) {
174 /* The first gensec_update has not requested a second run, so
175 * we're done here. */
180 bind_auth_next_step(c
);
185 Bind to a DCE/RPC pipe, send async request
186 @param mem_ctx TALLOC_CTX for the allocation of the composite_context
187 @param p The dcerpc_pipe to bind (must already be connected)
188 @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
189 @param credentials The credentials of the account to connect with
190 @param auth_type Select the authentication scheme to use
191 @param auth_level Chooses between unprotected (connect), signed or sealed
192 @param service The service (used by Kerberos to select the service principal to contact)
193 @retval A composite context describing the partial state of the bind
196 struct composite_context
*dcerpc_bind_auth_send(TALLOC_CTX
*mem_ctx
,
197 struct dcerpc_pipe
*p
,
198 const struct dcerpc_interface_table
*table
,
199 struct cli_credentials
*credentials
,
200 uint8_t auth_type
, uint8_t auth_level
,
203 struct composite_context
*c
, *creq
;
204 struct bind_auth_state
*state
;
205 struct dcerpc_security
*sec
;
207 struct dcerpc_syntax_id syntax
, transfer_syntax
;
209 /* composite context allocation and setup */
210 c
= talloc_zero(mem_ctx
, struct composite_context
);
211 if (c
== NULL
) return NULL
;
213 state
= talloc(c
, struct bind_auth_state
);
214 if (composite_nomem(state
, c
)) return c
;
216 c
->state
= COMPOSITE_STATE_IN_PROGRESS
;
217 c
->private_data
= state
;
218 c
->event_ctx
= p
->conn
->event_ctx
;
222 c
->status
= dcerpc_init_syntaxes(table
,
225 if (!NT_STATUS_IS_OK(c
->status
)) goto failed
;
227 sec
= &p
->conn
->security_state
;
229 c
->status
= gensec_client_start(p
, &sec
->generic_state
,
231 if (!NT_STATUS_IS_OK(c
->status
)) {
232 DEBUG(1, ("Failed to start GENSEC client mode: %s\n",
233 nt_errstr(c
->status
)));
237 c
->status
= gensec_set_credentials(sec
->generic_state
, credentials
);
238 if (!NT_STATUS_IS_OK(c
->status
)) {
239 DEBUG(1, ("Failed to set GENSEC client credentails: %s\n",
240 nt_errstr(c
->status
)));
244 c
->status
= gensec_set_target_hostname(
245 sec
->generic_state
, p
->conn
->transport
.target_hostname(p
->conn
));
246 if (!NT_STATUS_IS_OK(c
->status
)) {
247 DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
248 nt_errstr(c
->status
)));
252 if (service
!= NULL
) {
253 c
->status
= gensec_set_target_service(sec
->generic_state
,
255 if (!NT_STATUS_IS_OK(c
->status
)) {
256 DEBUG(1, ("Failed to set GENSEC target service: %s\n",
257 nt_errstr(c
->status
)));
262 c
->status
= gensec_start_mech_by_authtype(sec
->generic_state
,
263 auth_type
, auth_level
);
264 if (!NT_STATUS_IS_OK(c
->status
)) {
265 DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n",
266 gensec_get_name_by_authtype(auth_type
),
267 nt_errstr(c
->status
)));
271 sec
->auth_info
= talloc(p
, struct dcerpc_auth
);
272 if (composite_nomem(sec
->auth_info
, c
)) return c
;
274 sec
->auth_info
->auth_type
= auth_type
;
275 sec
->auth_info
->auth_level
= auth_level
,
276 sec
->auth_info
->auth_pad_length
= 0;
277 sec
->auth_info
->auth_reserved
= 0;
278 sec
->auth_info
->auth_context_id
= random();
279 sec
->auth_info
->credentials
= data_blob(NULL
, 0);
281 /* The status value here, from GENSEC is vital to the security
282 * of the system. Even if the other end accepts, if GENSEC
283 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
284 * feeding it blobs, or else the remote host/attacker might
285 * avoid mutal authentication requirements.
287 * Likewise, you must not feed GENSEC too much (after the OK),
288 * it doesn't like that either
291 c
->status
= gensec_update(sec
->generic_state
, state
,
292 sec
->auth_info
->credentials
,
293 &state
->credentials
);
294 if (!NT_STATUS_IS_OK(c
->status
) &&
295 !NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
299 state
->more_processing
=
300 NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
);
302 if (state
->credentials
.length
== 0) {
307 sec
->auth_info
->credentials
= state
->credentials
;
309 /* The first request always is a dcerpc_bind. The subsequent ones
310 * depend on gensec results */
311 creq
= dcerpc_bind_send(p
, state
, &syntax
, &transfer_syntax
);
312 if (composite_nomem(creq
, c
)) return c
;
314 composite_continue(c
, creq
, bind_auth_recv_bindreply
, c
);
318 composite_error(c
, c
->status
);
324 Bind to a DCE/RPC pipe, receive result
325 @param creq A composite context describing state of async call
326 @retval NTSTATUS code
329 NTSTATUS
dcerpc_bind_auth_recv(struct composite_context
*creq
)
331 NTSTATUS result
= composite_wait(creq
);
332 struct bind_auth_state
*state
= talloc_get_type(creq
->private_data
,
333 struct bind_auth_state
);
335 if (NT_STATUS_IS_OK(result
)) {
337 after a successful authenticated bind the session
338 key reverts to the generic session key
340 state
->pipe
->conn
->security_state
.session_key
= dcerpc_generic_session_key
;
349 Perform a GENSEC authenticated bind to a DCE/RPC pipe, sync
350 @param p The dcerpc_pipe to bind (must already be connected)
351 @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
352 @param credentials The credentials of the account to connect with
353 @param auth_type Select the authentication scheme to use
354 @param auth_level Chooses between unprotected (connect), signed or sealed
355 @param service The service (used by Kerberos to select the service principal to contact)
356 @retval NTSTATUS status code
359 NTSTATUS
dcerpc_bind_auth(struct dcerpc_pipe
*p
,
360 const struct dcerpc_interface_table
*table
,
361 struct cli_credentials
*credentials
,
362 uint8_t auth_type
, uint8_t auth_level
,
365 struct composite_context
*creq
;
366 creq
= dcerpc_bind_auth_send(p
, p
, table
, credentials
,
367 auth_type
, auth_level
, service
);
368 return dcerpc_bind_auth_recv(creq
);