2 Unix SMB/CIFS implementation.
4 Generic Authentication Interface
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Stefan Metzmacher 2004
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "libcli/composite/composite.h"
29 do a non-athenticated dcerpc bind
32 struct composite_context *dcerpc_bind_auth_none_send(TALLOC_CTX *mem_ctx,
33 struct dcerpc_pipe *p,
37 struct dcerpc_syntax_id syntax;
38 struct dcerpc_syntax_id transfer_syntax;
40 struct composite_context *c;
42 c = talloc_zero(mem_ctx, struct composite_context);
43 if (c == NULL) return NULL;
45 c->status = dcerpc_init_syntaxes(uuid, &syntax, &transfer_syntax,
47 if (!NT_STATUS_IS_OK(c->status)) {
48 DEBUG(2,("Invalid uuid string in "
49 "dcerpc_bind_auth_none_send\n"));
53 /* c was only allocated as a container for a possible error */
56 return dcerpc_bind_send(p, mem_ctx, &syntax, &transfer_syntax);
59 composite_trigger_error(c);
63 NTSTATUS dcerpc_bind_auth_none_recv(struct composite_context *ctx)
65 return dcerpc_bind_recv(ctx);
68 NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
69 const char *uuid, uint_t version)
71 struct composite_context *ctx;
72 ctx = dcerpc_bind_auth_none_send(p, p, uuid, version);
73 return dcerpc_bind_auth_none_recv(ctx);
77 perform a multi-part authenticated bind
79 static NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
80 const char *uuid, uint_t version)
83 TALLOC_CTX *tmp_ctx = talloc_new(p);
84 DATA_BLOB credentials;
85 DATA_BLOB null_data_blob = data_blob(NULL, 0);
89 if (!p->conn->security_state.generic_state) {
90 status = gensec_client_start(p, &p->conn->security_state.generic_state,
92 if (!NT_STATUS_IS_OK(status)) goto done;
94 status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
95 auth_type, auth_level);
96 if (!NT_STATUS_IS_OK(status)) goto done;
99 p->conn->security_state.auth_info = talloc(p, struct dcerpc_auth);
100 if (!p->conn->security_state.auth_info) {
101 status = NT_STATUS_NO_MEMORY;
105 p->conn->security_state.auth_info->auth_type = auth_type;
106 p->conn->security_state.auth_info->auth_level = auth_level;
107 p->conn->security_state.auth_info->auth_pad_length = 0;
108 p->conn->security_state.auth_info->auth_reserved = 0;
109 p->conn->security_state.auth_info->auth_context_id = random();
110 p->conn->security_state.auth_info->credentials = null_data_blob;
114 status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
115 p->conn->security_state.auth_info->credentials,
118 /* The status value here, from GENSEC is vital to the security
119 * of the system. Even if the other end accepts, if GENSEC
120 * claims 'MORE_PROCESSING_REQUIRED' then you must keep
121 * feeding it blobs, or else the remote host/attacker might
122 * avoid mutal authentication requirements.
124 * Likewise, you must not feed GENSEC too much (after the OK),
125 * it doesn't like that either
128 if (!NT_STATUS_IS_OK(status)
129 && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
130 DEBUG(1, ("Failed DCERPC client gensec_update with mechanism %s: %s\n",
131 gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
136 if (!credentials.length) {
140 p->conn->security_state.auth_info->credentials = credentials;
142 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
143 if (num_passes == 1) {
144 status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
146 /* We are demanding a reply, so use a request that will get us one */
147 status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax);
149 if (!NT_STATUS_IS_OK(status)) {
152 } else if (NT_STATUS_IS_OK(status)) {
153 /* NO reply expected, so just send it */
154 if (num_passes == 1) {
155 status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
157 status = dcerpc_auth3(p->conn, tmp_ctx);
166 talloc_free(tmp_ctx);
168 if (!NT_STATUS_IS_OK(status)) {
169 talloc_free(p->conn->security_state.generic_state);
170 ZERO_STRUCT(p->conn->security_state);
172 /* Authenticated connections use the generic session key */
173 p->conn->security_state.session_key = dcerpc_generic_session_key;
180 setup GENSEC on a DCE-RPC pipe
182 NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p,
183 const char *uuid, uint_t version,
184 struct cli_credentials *credentials,
190 if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
191 p->conn->flags |= DCERPC_CONNECT;
194 status = gensec_client_start(p, &p->conn->security_state.generic_state,
196 if (!NT_STATUS_IS_OK(status)) {
197 DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
201 status = gensec_set_credentials(p->conn->security_state.generic_state,
203 if (!NT_STATUS_IS_OK(status)) {
204 DEBUG(1, ("Failed to start set GENSEC client credentails: %s\n",
209 status = gensec_set_target_hostname(p->conn->security_state.generic_state,
210 p->conn->transport.peer_name(p->conn));
211 if (!NT_STATUS_IS_OK(status)) {
212 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
218 status = gensec_set_target_service(p->conn->security_state.generic_state, service);
219 if (!NT_STATUS_IS_OK(status)) {
220 DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
226 status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
228 dcerpc_auth_level(p->conn));
229 if (!NT_STATUS_IS_OK(status)) {
230 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
231 gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
235 status = dcerpc_bind_auth(p, auth_type,
236 dcerpc_auth_level(p->conn),
238 if (!NT_STATUS_IS_OK(status)) {
239 DEBUG(2, ("Failed to bind to pipe with %s: %s\n",
240 gensec_get_name_by_authtype(auth_type), nt_errstr(status)));