Generic Authentication Interface
Copyright (C) Andrew Tridgell 2003
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
Copyright (C) Stefan Metzmacher 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
+#include "libcli/composite/composite.h"
+#include "auth/gensec/gensec.h"
+#include "librpc/rpc/dcerpc.h"
+#include "librpc/rpc/dcerpc_proto.h"
+#include "param/param.h"
/*
- do a non-athenticated dcerpc bind
+ return the rpc syntax and transfer syntax given the pipe uuid and version
*/
-NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
- const char *uuid, uint_t version)
+static NTSTATUS dcerpc_init_syntaxes(const struct ndr_interface_table *table,
+ struct ndr_syntax_id *syntax,
+ struct ndr_syntax_id *transfer_syntax)
{
- TALLOC_CTX *tmp_ctx = talloc_new(p);
- NTSTATUS status;
+ syntax->uuid = table->syntax_id.uuid;
+ syntax->if_version = table->syntax_id.if_version;
- status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
- talloc_free(tmp_ctx);
+ *transfer_syntax = ndr_transfer_syntax;
- return status;
+ return NT_STATUS_OK;
}
+
+/*
+ Send request to do a non-authenticated dcerpc bind
+*/
+struct composite_context *dcerpc_bind_auth_none_send(TALLOC_CTX *mem_ctx,
+ struct dcerpc_pipe *p,
+ const struct ndr_interface_table *table)
+{
+ struct ndr_syntax_id syntax;
+ struct ndr_syntax_id transfer_syntax;
+
+ struct composite_context *c;
+
+ c = composite_create(mem_ctx, p->conn->event_ctx);
+ if (c == NULL) return NULL;
+
+ c->status = dcerpc_init_syntaxes(table,
+ &syntax, &transfer_syntax);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(2,("Invalid uuid string in "
+ "dcerpc_bind_auth_none_send\n"));
+ composite_error(c, c->status);
+ return c;
+ }
+
+ /* c was only allocated as a container for a possible error */
+ talloc_free(c);
+
+ return dcerpc_bind_send(p, mem_ctx, &syntax, &transfer_syntax);
+}
+
+
+/*
+ Receive result of a non-authenticated dcerpc bind
+*/
+NTSTATUS dcerpc_bind_auth_none_recv(struct composite_context *ctx)
+{
+ return dcerpc_bind_recv(ctx);
+}
+
+
/*
- perform a multi-part authenticated bind
+ Perform sync non-authenticated dcerpc bind
*/
-NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
- const char *uuid, uint_t version)
+_PUBLIC_ NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
+ const struct ndr_interface_table *table)
{
- NTSTATUS status;
- TALLOC_CTX *tmp_ctx = talloc_new(p);
+ struct composite_context *ctx;
+
+ ctx = dcerpc_bind_auth_none_send(p, p, table);
+ return dcerpc_bind_auth_none_recv(ctx);
+}
+
+
+struct bind_auth_state {
+ struct dcerpc_pipe *pipe;
DATA_BLOB credentials;
- DATA_BLOB null_data_blob = data_blob(NULL, 0);
+ bool more_processing; /* Is there anything more to do after the
+ * first bind itself received? */
+};
+
+static void bind_auth_recv_alter(struct composite_context *creq);
+
+static void bind_auth_next_step(struct composite_context *c)
+{
+ struct bind_auth_state *state;
+ struct dcerpc_security *sec;
+ struct composite_context *creq;
+ bool more_processing = false;
+
+ state = talloc_get_type(c->private_data, struct bind_auth_state);
+ sec = &state->pipe->conn->security_state;
+
+ /* The status value here, from GENSEC is vital to the security
+ * of the system. Even if the other end accepts, if GENSEC
+ * claims 'MORE_PROCESSING_REQUIRED' then you must keep
+ * feeding it blobs, or else the remote host/attacker might
+ * avoid mutal authentication requirements.
+ *
+ * Likewise, you must not feed GENSEC too much (after the OK),
+ * it doesn't like that either
+ */
- if (!p->conn->security_state.generic_state) {
- status = gensec_client_start(p, &p->conn->security_state.generic_state);
- if (!NT_STATUS_IS_OK(status)) goto done;
+ c->status = gensec_update(sec->generic_state, state,
+ sec->auth_info->credentials,
+ &state->credentials);
+ data_blob_free(&sec->auth_info->credentials);
- status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
- auth_type, auth_level);
- if (!NT_STATUS_IS_OK(status)) goto done;
+ if (NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ more_processing = true;
+ c->status = NT_STATUS_OK;
}
- p->conn->security_state.auth_info = talloc(p, struct dcerpc_auth);
- if (!p->conn->security_state.auth_info) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
+ if (!composite_is_ok(c)) return;
+
+ if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
+ gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
}
- p->conn->security_state.auth_info->auth_type = auth_type;
- p->conn->security_state.auth_info->auth_level = auth_level;
- p->conn->security_state.auth_info->auth_pad_length = 0;
- p->conn->security_state.auth_info->auth_reserved = 0;
- p->conn->security_state.auth_info->auth_context_id = random();
- p->conn->security_state.auth_info->credentials = null_data_blob;
+ if (state->credentials.length == 0) {
+ composite_done(c);
+ return;
+ }
- status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
- null_data_blob,
- &credentials);
+ sec->auth_info->credentials = state->credentials;
- p->conn->security_state.auth_info->credentials = credentials;
+ if (!more_processing) {
+ /* NO reply expected, so just send it */
+ c->status = dcerpc_auth3(state->pipe, state);
+ data_blob_free(&state->credentials);
+ sec->auth_info->credentials = data_blob(NULL, 0);
+ if (!composite_is_ok(c)) return;
- if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- /* We are demanding a reply, so use a request that will get us one */
- status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- } else if (NT_STATUS_IS_OK(status)) {
- /* We don't care for the reply, so jump to the end */
- status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
- goto done;
- } else {
- /* Something broke in GENSEC - bail */
- goto done;
+ composite_done(c);
+ return;
}
- while (1) {
- status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
- p->conn->security_state.auth_info->credentials,
- &credentials);
- if (!NT_STATUS_IS_OK(status)
- && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- break;
- }
+ /* We are demanding a reply, so use a request that will get us one */
- if (!credentials.length) {
- break;
- }
+ creq = dcerpc_alter_context_send(state->pipe, state,
+ &state->pipe->syntax,
+ &state->pipe->transfer_syntax);
+ data_blob_free(&state->credentials);
+ sec->auth_info->credentials = data_blob(NULL, 0);
+ if (composite_nomem(creq, c)) return;
+
+ composite_continue(c, creq, bind_auth_recv_alter, c);
+}
+
+
+static void bind_auth_recv_alter(struct composite_context *creq)
+{
+ struct composite_context *c = talloc_get_type(creq->async.private_data,
+ struct composite_context);
+
+ c->status = dcerpc_alter_context_recv(creq);
+ if (!composite_is_ok(c)) return;
+
+ bind_auth_next_step(c);
+}
- p->conn->security_state.auth_info->credentials = credentials;
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- /* We are demanding a reply, so use a request that will get us one */
- status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax);
- if (!NT_STATUS_IS_OK(status)) {
- break;
- }
- } else {
- /* NO reply expected, so just send it */
- status = dcerpc_auth3(p->conn, tmp_ctx);
- credentials = data_blob(NULL, 0);
- if (!NT_STATUS_IS_OK(status)) {
- break;
- }
- }
- };
-done:
- talloc_free(tmp_ctx);
+static void bind_auth_recv_bindreply(struct composite_context *creq)
+{
+ struct composite_context *c = talloc_get_type(creq->async.private_data,
+ struct composite_context);
+ struct bind_auth_state *state = talloc_get_type(c->private_data,
+ struct bind_auth_state);
+
+ c->status = dcerpc_bind_recv(creq);
+ if (!composite_is_ok(c)) return;
- if (!NT_STATUS_IS_OK(status)) {
- talloc_free(p->conn->security_state.generic_state);
- ZERO_STRUCT(p->conn->security_state);
- } else {
- /* Authenticated connections use the generic session key */
- p->conn->security_state.session_key = dcerpc_generic_session_key;
+ if (!state->more_processing) {
+ /* The first gensec_update has not requested a second run, so
+ * we're done here. */
+ composite_done(c);
+ return;
}
- return status;
+ bind_auth_next_step(c);
}
-/*
- setup GENSEC on a DCE-RPC pipe
+
+/**
+ Bind to a DCE/RPC pipe, send async request
+ @param mem_ctx TALLOC_CTX for the allocation of the composite_context
+ @param p The dcerpc_pipe to bind (must already be connected)
+ @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
+ @param credentials The credentials of the account to connect with
+ @param auth_type Select the authentication scheme to use
+ @param auth_level Chooses between unprotected (connect), signed or sealed
+ @param service The service (used by Kerberos to select the service principal to contact)
+ @retval A composite context describing the partial state of the bind
*/
-NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p,
- const char *uuid, uint_t version,
- const char *workstation,
- const char *domain,
- const char *username,
- const char *password,
- uint8_t auth_type,
- const char *service)
+
+struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
+ struct dcerpc_pipe *p,
+ const struct ndr_interface_table *table,
+ struct cli_credentials *credentials,
+ struct loadparm_context *lp_ctx,
+ uint8_t auth_type, uint8_t auth_level,
+ const char *service)
{
- NTSTATUS status;
+ struct composite_context *c, *creq;
+ struct bind_auth_state *state;
+ struct dcerpc_security *sec;
- if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) {
- p->conn->flags |= DCERPC_CONNECT;
- }
+ struct ndr_syntax_id syntax, transfer_syntax;
+
+ /* composite context allocation and setup */
+ c = composite_create(mem_ctx, p->conn->event_ctx);
+ if (c == NULL) return NULL;
+
+ state = talloc(c, struct bind_auth_state);
+ if (composite_nomem(state, c)) return c;
+ c->private_data = state;
+
+ state->pipe = p;
+
+ c->status = dcerpc_init_syntaxes(table,
+ &syntax,
+ &transfer_syntax);
+ if (!composite_is_ok(c)) return c;
- status = gensec_client_start(p, &p->conn->security_state.generic_state);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
- return status;
+ sec = &p->conn->security_state;
+
+ c->status = gensec_client_start(p, &sec->generic_state,
+ p->conn->event_ctx,
+ lp_ctx);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(1, ("Failed to start GENSEC client mode: %s\n",
+ nt_errstr(c->status)));
+ composite_error(c, c->status);
+ return c;
}
- status = gensec_set_workstation(p->conn->security_state.generic_state, workstation);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client workstation name to %s: %s\n",
- workstation, nt_errstr(status)));
- return status;
+ c->status = gensec_set_credentials(sec->generic_state, credentials);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(1, ("Failed to set GENSEC client credentials: %s\n",
+ nt_errstr(c->status)));
+ composite_error(c, c->status);
+ return c;
}
- status = gensec_set_domain(p->conn->security_state.generic_state, domain);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
- domain, nt_errstr(status)));
- return status;
+ c->status = gensec_set_target_hostname(sec->generic_state,
+ p->conn->transport.target_hostname(p->conn));
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(1, ("Failed to set GENSEC target hostname: %s\n",
+ nt_errstr(c->status)));
+ composite_error(c, c->status);
+ return c;
}
- status = gensec_set_username(p->conn->security_state.generic_state, username);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
- username, nt_errstr(status)));
- return status;
+ if (service != NULL) {
+ c->status = gensec_set_target_service(sec->generic_state,
+ service);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(1, ("Failed to set GENSEC target service: %s\n",
+ nt_errstr(c->status)));
+ composite_error(c, c->status);
+ return c;
+ }
}
- status = gensec_set_password(p->conn->security_state.generic_state, password);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
- nt_errstr(status)));
- return status;
+ c->status = gensec_start_mech_by_authtype(sec->generic_state,
+ auth_type, auth_level);
+ if (!NT_STATUS_IS_OK(c->status)) {
+ DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n",
+ gensec_get_name_by_authtype(auth_type),
+ nt_errstr(c->status)));
+ composite_error(c, c->status);
+ return c;
}
- status = gensec_set_target_hostname(p->conn->security_state.generic_state,
- p->conn->transport.peer_name(p->conn));
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
- nt_errstr(status)));
- return status;
+ sec->auth_info = talloc(p, struct dcerpc_auth);
+ if (composite_nomem(sec->auth_info, c)) return c;
+
+ sec->auth_info->auth_type = auth_type;
+ sec->auth_info->auth_level = auth_level,
+ sec->auth_info->auth_pad_length = 0;
+ sec->auth_info->auth_reserved = 0;
+ sec->auth_info->auth_context_id = random();
+ sec->auth_info->credentials = data_blob(NULL, 0);
+
+ /* The status value here, from GENSEC is vital to the security
+ * of the system. Even if the other end accepts, if GENSEC
+ * claims 'MORE_PROCESSING_REQUIRED' then you must keep
+ * feeding it blobs, or else the remote host/attacker might
+ * avoid mutal authentication requirements.
+ *
+ * Likewise, you must not feed GENSEC too much (after the OK),
+ * it doesn't like that either
+ */
+
+ c->status = gensec_update(sec->generic_state, state,
+ sec->auth_info->credentials,
+ &state->credentials);
+ if (!NT_STATUS_IS_OK(c->status) &&
+ !NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ composite_error(c, c->status);
+ return c;
}
- if (service) {
- status = gensec_set_target_service(p->conn->security_state.generic_state, service);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
- nt_errstr(status)));
- return status;
- }
+ state->more_processing = NT_STATUS_EQUAL(c->status,
+ NT_STATUS_MORE_PROCESSING_REQUIRED);
+
+ if (state->credentials.length == 0) {
+ composite_done(c);
+ return c;
}
- status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
- auth_type,
- dcerpc_auth_level(p->conn));
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
- gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
- return status;
+ sec->auth_info->credentials = state->credentials;
+
+ /* The first request always is a dcerpc_bind. The subsequent ones
+ * depend on gensec results */
+ creq = dcerpc_bind_send(p, state, &syntax, &transfer_syntax);
+ data_blob_free(&state->credentials);
+ sec->auth_info->credentials = data_blob(NULL, 0);
+ if (composite_nomem(creq, c)) return c;
+
+ composite_continue(c, creq, bind_auth_recv_bindreply, c);
+ return c;
+}
+
+
+/**
+ Bind to a DCE/RPC pipe, receive result
+ @param creq A composite context describing state of async call
+ @retval NTSTATUS code
+*/
+
+NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq)
+{
+ NTSTATUS result = composite_wait(creq);
+ struct bind_auth_state *state = talloc_get_type(creq->private_data,
+ struct bind_auth_state);
+
+ if (NT_STATUS_IS_OK(result)) {
+ /*
+ after a successful authenticated bind the session
+ key reverts to the generic session key
+ */
+ state->pipe->conn->security_state.session_key = dcerpc_generic_session_key;
}
- status = dcerpc_bind_auth(p, auth_type,
- dcerpc_auth_level(p->conn),
- uuid, version);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(2, ("Failed to bind to pipe with %s: %s\n",
- gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
- return status;
- }
+ talloc_free(creq);
+ return result;
+}
- return status;
+
+/**
+ Perform a GENSEC authenticated bind to a DCE/RPC pipe, sync
+ @param p The dcerpc_pipe to bind (must already be connected)
+ @param table The interface table to use (the DCE/RPC bind both selects and interface and authenticates)
+ @param credentials The credentials of the account to connect with
+ @param auth_type Select the authentication scheme to use
+ @param auth_level Chooses between unprotected (connect), signed or sealed
+ @param service The service (used by Kerberos to select the service principal to contact)
+ @retval NTSTATUS status code
+*/
+
+_PUBLIC_ NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p,
+ const struct ndr_interface_table *table,
+ struct cli_credentials *credentials,
+ struct loadparm_context *lp_ctx,
+ uint8_t auth_type, uint8_t auth_level,
+ const char *service)
+{
+ struct composite_context *creq;
+ creq = dcerpc_bind_auth_send(p, p, table, credentials, lp_ctx,
+ auth_type, auth_level, service);
+ return dcerpc_bind_auth_recv(creq);
}
git.samba.org / metze / samba / wb-ndr.git / blobdiff