search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r19598: Ahead of a merge to current lorikeet-heimdal:
[Samba.git] / source / librpc / rpc / dcerpc_schannel.c
blobd5a83b1bfafa65ca79203beeb551569f72257d72
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26 #include "auth/auth.h"
27 #include "libcli/composite/composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "librpc/gen_ndr/ndr_netlogon.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "auth/credentials/credentials.h"
32
33 struct schannel_key_state {
34 struct dcerpc_pipe *pipe;
35 struct dcerpc_pipe *pipe2;
36 struct dcerpc_binding *binding;
37 struct cli_credentials *credentials;
38 struct creds_CredentialState *creds;
39 uint32_t negotiate_flags;
40 struct netr_Credential credentials1;
41 struct netr_Credential credentials2;
42 struct netr_Credential credentials3;
43 struct netr_ServerReqChallenge r;
44 struct netr_ServerAuthenticate2 a;
45 const struct samr_Password *mach_pwd;
46 };
47
48
49 static void continue_secondary_connection(struct composite_context *ctx);
50 static void continue_bind_auth_none(struct composite_context *ctx);
51 static void continue_srv_challenge(struct rpc_request *req);
52 static void continue_srv_auth2(struct rpc_request *req);
53
54
55 /*
56 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
57 rpc connection
58 */
59 static void continue_epm_map_binding(struct composite_context *ctx)
60 {
61 struct composite_context *c;
62 struct schannel_key_state *s;
63 struct composite_context *sec_conn_req;
64
65 c = talloc_get_type(ctx->async.private_data, struct composite_context);
66 s = talloc_get_type(c->private_data, struct schannel_key_state);
67
68 /* receive endpoint mapping */
69 c->status = dcerpc_epm_map_binding_recv(ctx);
70 if (!NT_STATUS_IS_OK(c->status)) {
71 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
72 DCERPC_NETLOGON_UUID, nt_errstr(c->status)));
73 composite_error(c, c->status);
74 return;
75 }
76
77 /* send a request for secondary rpc connection */
78 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
79 s->binding);
80 if (composite_nomem(sec_conn_req, c)) return;
81
82 composite_continue(c, sec_conn_req, continue_secondary_connection, c);
83 }
84
85
86 /*
87 Stage 3 of schannel_key: Receive secondary rpc connection and perform
88 non-authenticated bind request
89 */
90 static void continue_secondary_connection(struct composite_context *ctx)
91 {
92 struct composite_context *c;
93 struct schannel_key_state *s;
94 struct composite_context *auth_none_req;
95
96 c = talloc_get_type(ctx->async.private_data, struct composite_context);
97 s = talloc_get_type(c->private_data, struct schannel_key_state);
98
99 /* receive secondary rpc connection */
100 c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
101 if (!composite_is_ok(c)) return;
102
103 talloc_steal(s, s->pipe2);
104
105 /* initiate a non-authenticated bind */
106 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &dcerpc_table_netlogon);
107 if (composite_nomem(auth_none_req, c)) return;
108
109 composite_continue(c, auth_none_req, continue_bind_auth_none, c);
110 }
111
112
113 /*
114 Stage 4 of schannel_key: Receive non-authenticated bind and get
115 a netlogon challenge
116 */
117 static void continue_bind_auth_none(struct composite_context *ctx)
118 {
119 struct composite_context *c;
120 struct schannel_key_state *s;
121 struct rpc_request *srv_challenge_req;
122
123 c = talloc_get_type(ctx->async.private_data, struct composite_context);
124 s = talloc_get_type(c->private_data, struct schannel_key_state);
125
126 /* receive result of non-authenticated bind request */
127 c->status = dcerpc_bind_auth_none_recv(ctx);
128 if (!composite_is_ok(c)) return;
129
130 /* prepare a challenge request */
131 s->r.in.server_name = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
132 if (composite_nomem(s->r.in.server_name, c)) return;
133 s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
134 s->r.in.credentials = &s->credentials1;
135 s->r.out.credentials = &s->credentials2;
136
137 generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
138
139 /*
140 request a netlogon challenge - a rpc request over opened secondary pipe
141 */
142 srv_challenge_req = dcerpc_netr_ServerReqChallenge_send(s->pipe2, c, &s->r);
143 if (composite_nomem(srv_challenge_req, c)) return;
144
145 composite_continue_rpc(c, srv_challenge_req, continue_srv_challenge, c);
146 }
147
148
149 /*
150 Stage 5 of schannel_key: Receive a challenge and perform authentication
151 on the netlogon pipe
152 */
153 static void continue_srv_challenge(struct rpc_request *req)
154 {
155 struct composite_context *c;
156 struct schannel_key_state *s;
157 struct rpc_request *srv_auth2_req;
158
159 c = talloc_get_type(req->async.private, struct composite_context);
160 s = talloc_get_type(c->private_data, struct schannel_key_state);
161
162 /* receive rpc request result - netlogon challenge */
163 c->status = dcerpc_ndr_request_recv(req);
164 if (!composite_is_ok(c)) return;
165
166 /* prepare credentials for auth2 request */
167 s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
168
169 creds_client_init(s->creds, &s->credentials1, &s->credentials2,
170 s->mach_pwd, &s->credentials3, s->negotiate_flags);
171
172 /* auth2 request arguments */
173 s->a.in.server_name = s->r.in.server_name;
174 s->a.in.account_name = cli_credentials_get_username(s->credentials);
175 s->a.in.secure_channel_type =
176 cli_credentials_get_secure_channel_type(s->credentials);
177 s->a.in.computer_name = cli_credentials_get_workstation(s->credentials);
178 s->a.in.negotiate_flags = &s->negotiate_flags;
179 s->a.in.credentials = &s->credentials3;
180 s->a.out.negotiate_flags = &s->negotiate_flags;
181 s->a.out.credentials = &s->credentials3;
182
183 /*
184 authenticate on the netlogon pipe - a rpc request over secondary pipe
185 */
186 srv_auth2_req = dcerpc_netr_ServerAuthenticate2_send(s->pipe2, c, &s->a);
187 if (composite_nomem(srv_auth2_req, c)) return;
188
189 composite_continue_rpc(c, srv_auth2_req, continue_srv_auth2, c);
190 }
191
192
193 /*
194 Stage 6 of schannel_key: Receive authentication request result and verify
195 received credentials
196 */
197 static void continue_srv_auth2(struct rpc_request *req)
198 {
199 struct composite_context *c;
200 struct schannel_key_state *s;
201
202 c = talloc_get_type(req->async.private, struct composite_context);
203 s = talloc_get_type(c->private_data, struct schannel_key_state);
204
205 /* receive rpc request result - auth2 credentials */
206 c->status = dcerpc_ndr_request_recv(req);
207 if (!composite_is_ok(c)) return;
208
209 /* verify credentials */
210 if (!creds_client_check(s->creds, s->a.out.credentials)) {
211 composite_error(c, NT_STATUS_UNSUCCESSFUL);
212 return;
213 }
214
215 /* setup current netlogon credentials */
216 cli_credentials_set_netlogon_creds(s->credentials, s->creds);
217
218 composite_done(c);
219 }
220
221
222 /*
223 Initiate establishing a schannel key using netlogon challenge
224 on a secondary pipe
225 */
226 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
227 struct dcerpc_pipe *p,
228 struct cli_credentials *credentials)
229 {
230 struct composite_context *c;
231 struct schannel_key_state *s;
232 struct composite_context *epm_map_req;
233
234 /* composite context allocation and setup */
235 c = composite_create(mem_ctx, p->conn->event_ctx);
236 if (c == NULL) return NULL;
237
238 s = talloc_zero(c, struct schannel_key_state);
239 if (composite_nomem(s, c)) return c;
240 c->private_data = s;
241
242 /* store parameters in the state structure */
243 s->pipe = p;
244 s->credentials = credentials;
245
246 /* allocate credentials */
247 s->creds = talloc(c, struct creds_CredentialState);
248 if (composite_nomem(s->creds, c)) return c;
249
250 /* type of authentication depends on schannel type */
251 if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
252 s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
253 } else {
254 s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
255 }
256
257 /* allocate binding structure */
258 s->binding = talloc(c, struct dcerpc_binding);
259 if (composite_nomem(s->binding, c)) return c;
260
261 *s->binding = *s->pipe->binding;
262
263 /* request the netlogon endpoint mapping */
264 epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
265 &dcerpc_table_netlogon,
266 s->pipe->conn->event_ctx);
267 if (composite_nomem(epm_map_req, c)) return c;
268
269 composite_continue(c, epm_map_req, continue_epm_map_binding, c);
270 return c;
271 }
272
273
274 /*
275 Receive result of schannel key request
276 */
277 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
278 {
279 NTSTATUS status = composite_wait(c);
280
281 talloc_free(c);
282 return status;
283 }
284
285
286 struct auth_schannel_state {
287 struct dcerpc_pipe *pipe;
288 struct cli_credentials *credentials;
289 const struct dcerpc_interface_table *table;
290 uint8_t auth_level;
291 };
292
293
294 static void continue_bind_auth(struct composite_context *ctx);
295
296
297 /*
298 Stage 2 of auth_schannel: Receive schannel key and intitiate an
299 authenticated bind using received credentials
300 */
301 static void continue_schannel_key(struct composite_context *ctx)
302 {
303 struct composite_context *auth_req;
304 struct composite_context *c = talloc_get_type(ctx->async.private_data,
305 struct composite_context);
306 struct auth_schannel_state *s = talloc_get_type(c->private_data,
307 struct auth_schannel_state);
308
309 /* receive schannel key */
310 c->status = dcerpc_schannel_key_recv(ctx);
311 if (!composite_is_ok(c)) {
312 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
313 cli_credentials_get_username(s->credentials), nt_errstr(c->status)));
314 return;
315 }
316
317 /* send bind auth request with received creds */
318 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
319 DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
320 NULL);
321 if (composite_nomem(auth_req, c)) return;
322
323 composite_continue(c, auth_req, continue_bind_auth, c);
324 }
325
326
327 /*
328 Stage 3 of auth_schannel: Receivce result of authenticated bind
329 and say if we're done ok.
330 */
331 static void continue_bind_auth(struct composite_context *ctx)
332 {
333 struct composite_context *c = talloc_get_type(ctx->async.private_data,
334 struct composite_context);
335
336 c->status = dcerpc_bind_auth_recv(ctx);
337 if (!composite_is_ok(c)) return;
338
339 composite_done(c);
340 }
341
342
343 /*
344 Initiate schannel authentication request
345 */
346 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
347 struct dcerpc_pipe *p,
348 const struct dcerpc_interface_table *table,
349 struct cli_credentials *credentials,
350 uint8_t auth_level)
351 {
352 struct composite_context *c;
353 struct auth_schannel_state *s;
354 struct composite_context *schan_key_req;
355
356 /* composite context allocation and setup */
357 c = composite_create(tmp_ctx, p->conn->event_ctx);
358 if (c == NULL) return NULL;
359
360 s = talloc_zero(c, struct auth_schannel_state);
361 if (composite_nomem(s, c)) return c;
362 c->private_data = s;
363
364 /* store parameters in the state structure */
365 s->pipe = p;
366 s->credentials = credentials;
367 s->table = table;
368 s->auth_level = auth_level;
369
370 /* start getting schannel key first */
371 schan_key_req = dcerpc_schannel_key_send(c, p, credentials);
372 if (composite_nomem(schan_key_req, c)) return c;
373
374 composite_continue(c, schan_key_req, continue_schannel_key, c);
375 return c;
376 }
377
378
379 /*
380 Receive result of schannel authentication request
381 */
382 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
383 {
384 NTSTATUS status = composite_wait(c);
385
386 talloc_free(c);
387 return status;
388 }
389
390
391 /*
392 Perform schannel authenticated bind - sync version
393 */
394 NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
395 struct dcerpc_pipe *p,
396 const struct dcerpc_interface_table *table,
397 struct cli_credentials *credentials,
398 uint8_t auth_level)
399 {
400 struct composite_context *c;
401
402 c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials,
403 auth_level);
404 return dcerpc_bind_auth_schannel_recv(c);
405 }
Samba GIT mirror