source/librpc/rpc/dcerpc_auth.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Stefan Metzmacher 2004
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 2 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23 */
  24
  25 #include "includes.h"
  26 #include "libcli/composite/composite.h"
  27
  28 /*
  29   do a non-athenticated dcerpc bind
  30 */
  31
  32 struct composite_context *dcerpc_bind_auth_none_send(TALLOC_CTX *mem_ctx,
  33                                                      struct dcerpc_pipe *p,
  34                                                      const char *uuid,
  35                                                      uint_t version)
  36 {
  37         struct dcerpc_syntax_id syntax;
  38         struct dcerpc_syntax_id transfer_syntax;
  39
  40         struct composite_context *c;
  41
  42         c = talloc_zero(mem_ctx, struct composite_context);
  43         if (c == NULL) return NULL;
  44
  45         c->status = dcerpc_init_syntaxes(uuid, &syntax, &transfer_syntax,
  46                                          version);
  47         if (!NT_STATUS_IS_OK(c->status)) {
  48                 DEBUG(2,("Invalid uuid string in "
  49                          "dcerpc_bind_auth_none_send\n"));
  50                 goto failed;
  51         }
  52
  53         /* c was only allocated as a container for a possible error */
  54         talloc_free(c);
  55
  56         return dcerpc_bind_send(p, mem_ctx, &syntax, &transfer_syntax);
  57
  58  failed:
  59         composite_trigger_error(c);
  60         return c;
  61 }
  62
  63 NTSTATUS dcerpc_bind_auth_none_recv(struct composite_context *ctx)
  64 {
  65         return dcerpc_bind_recv(ctx);
  66 }
  67
  68 NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
  69                                const char *uuid, uint_t version)
  70 {
  71         struct composite_context *ctx;
  72         ctx = dcerpc_bind_auth_none_send(p, p, uuid, version);
  73         return dcerpc_bind_auth_none_recv(ctx);
  74 }
  75
  76 /*
  77   perform a multi-part authenticated bind
  78 */
  79 static NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
  80                                  const char *uuid, uint_t version)
  81 {
  82         NTSTATUS status;
  83         TALLOC_CTX *tmp_ctx = talloc_new(p);
  84         DATA_BLOB credentials;
  85         DATA_BLOB null_data_blob = data_blob(NULL, 0);
  86
  87         int num_passes = 0;
  88
  89         if (!p->conn->security_state.generic_state) {
  90                 status = gensec_client_start(p, &p->conn->security_state.generic_state,
  91                                              p->conn->event_ctx);
  92                 if (!NT_STATUS_IS_OK(status)) goto done;
  93
  94                 status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
  95                                                        auth_type, auth_level);
  96                 if (!NT_STATUS_IS_OK(status)) goto done;
  97         }
  98
  99         p->conn->security_state.auth_info = talloc(p, struct dcerpc_auth);
 100         if (!p->conn->security_state.auth_info) {
 101                 status = NT_STATUS_NO_MEMORY;
 102                 goto done;
 103         }
 104
 105         p->conn->security_state.auth_info->auth_type = auth_type;
 106         p->conn->security_state.auth_info->auth_level = auth_level;
 107         p->conn->security_state.auth_info->auth_pad_length = 0;
 108         p->conn->security_state.auth_info->auth_reserved = 0;
 109         p->conn->security_state.auth_info->auth_context_id = random();
 110         p->conn->security_state.auth_info->credentials = null_data_blob;
 111
 112         while (1) {
 113                 num_passes++;
 114                 status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
 115                                        p->conn->security_state.auth_info->credentials,
 116                                        &credentials);
 117
 118                 /* The status value here, from GENSEC is vital to the security
 119                  * of the system.  Even if the other end accepts, if GENSEC
 120                  * claims 'MORE_PROCESSING_REQUIRED' then you must keep
 121                  * feeding it blobs, or else the remote host/attacker might
 122                  * avoid mutal authentication requirements.
 123                  *
 124                  * Likewise, you must not feed GENSEC too much (after the OK),
 125                  * it doesn't like that either
 126                  */
 127
 128                 if (!NT_STATUS_IS_OK(status)
 129                     && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 130                         DEBUG(1, ("Failed DCERPC client gensec_update with mechanism %s: %s\n",
 131                                   gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
 132
 133                         break;
 134                 }
 135
 136                 if (!credentials.length) {
 137                         break;
 138                 }
 139
 140                 p->conn->security_state.auth_info->credentials = credentials;
 141
 142                 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 143                         if (num_passes == 1) {
 144                                 status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
 145                         } else {
 146                                 /* We are demanding a reply, so use a request that will get us one */
 147                                 status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax);
 148                         }
 149                         if (!NT_STATUS_IS_OK(status)) {
 150                                 break;
 151                         }
 152                 } else if (NT_STATUS_IS_OK(status)) {
 153                         /* NO reply expected, so just send it */
 154                         if (num_passes == 1) {
 155                                 status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
 156                         } else {
 157                                 status = dcerpc_auth3(p->conn, tmp_ctx);
 158                         }
 159                         break;
 160                 } else {
 161                         break;
 162                 }
 163         };
 164
 165 done:
 166         talloc_free(tmp_ctx);
 167
 168         if (!NT_STATUS_IS_OK(status)) {
 169                 talloc_free(p->conn->security_state.generic_state);
 170                 ZERO_STRUCT(p->conn->security_state);
 171         } else {
 172                 /* Authenticated connections use the generic session key */
 173                 p->conn->security_state.session_key = dcerpc_generic_session_key;
 174         }
 175
 176         return status;
 177 }
 178
 179 /*
 180   setup GENSEC on a DCE-RPC pipe
 181 */
 182 NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p,
 183                                    const char *uuid, uint_t version,
 184                                    struct cli_credentials *credentials,
 185                                    uint8_t auth_type,
 186                                    const char *service)
 187 {
 188         NTSTATUS status;
 189
 190         if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
 191                 p->conn->flags |= DCERPC_CONNECT;
 192         }
 193
 194         status = gensec_client_start(p, &p->conn->security_state.generic_state,
 195                                      p->conn->event_ctx);
 196         if (!NT_STATUS_IS_OK(status)) {
 197                 DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
 198                 return status;
 199         }
 200
 201         status = gensec_set_credentials(p->conn->security_state.generic_state,
 202                                         credentials);
 203         if (!NT_STATUS_IS_OK(status)) {
 204                 DEBUG(1, ("Failed to start set GENSEC client credentails: %s\n",
 205                           nt_errstr(status)));
 206                 return status;
 207         }
 208
 209         status = gensec_set_target_hostname(p->conn->security_state.generic_state,
 210                                             p->conn->transport.peer_name(p->conn));
 211         if (!NT_STATUS_IS_OK(status)) {
 212                 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
 213                           nt_errstr(status)));
 214                 return status;
 215         }
 216
 217         if (service) {
 218                 status = gensec_set_target_service(p->conn->security_state.generic_state, service);
 219                 if (!NT_STATUS_IS_OK(status)) {
 220                         DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
 221                                   nt_errstr(status)));
 222                         return status;
 223                 }
 224         }
 225
 226         status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
 227                                                auth_type,
 228                                                dcerpc_auth_level(p->conn));
 229         if (!NT_STATUS_IS_OK(status)) {
 230                 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
 231                           gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
 232                 return status;
 233         }
 234
 235         status = dcerpc_bind_auth(p, auth_type,
 236                                   dcerpc_auth_level(p->conn),
 237                                   uuid, version);
 238         if (!NT_STATUS_IS_OK(status)) {
 239                 DEBUG(2, ("Failed to bind to pipe with %s: %s\n",
 240                           gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
 241                 return status;
 242         }
 243
 244         return status;
 245 }