2 Unix SMB/CIFS implementation.
4 dcerpc schannel operations
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "auth/auth.h"
27 #include "libcli/composite/composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "librpc/gen_ndr/ndr_netlogon.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "auth/credentials/credentials.h"
33 struct schannel_key_state
{
34 struct dcerpc_pipe
*pipe
;
35 struct dcerpc_pipe
*pipe2
;
36 struct dcerpc_binding
*binding
;
37 struct cli_credentials
*credentials
;
38 struct creds_CredentialState
*creds
;
39 uint32_t negotiate_flags
;
40 struct netr_Credential credentials1
;
41 struct netr_Credential credentials2
;
42 struct netr_Credential credentials3
;
43 struct netr_ServerReqChallenge r
;
44 struct netr_ServerAuthenticate2 a
;
45 const struct samr_Password
*mach_pwd
;
49 static void continue_secondary_connection(struct composite_context
*ctx
);
50 static void continue_bind_auth_none(struct composite_context
*ctx
);
51 static void continue_srv_challenge(struct rpc_request
*req
);
52 static void continue_srv_auth2(struct rpc_request
*req
);
56 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
59 static void continue_epm_map_binding(struct composite_context
*ctx
)
61 struct composite_context
*c
;
62 struct schannel_key_state
*s
;
63 struct composite_context
*sec_conn_req
;
65 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
66 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
68 /* receive endpoint mapping */
69 c
->status
= dcerpc_epm_map_binding_recv(ctx
);
70 if (!NT_STATUS_IS_OK(c
->status
)) {
71 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
72 DCERPC_NETLOGON_UUID
, nt_errstr(c
->status
)));
73 composite_error(c
, c
->status
);
77 /* send a request for secondary rpc connection */
78 sec_conn_req
= dcerpc_secondary_connection_send(s
->pipe
,
80 if (composite_nomem(sec_conn_req
, c
)) return;
82 composite_continue(c
, sec_conn_req
, continue_secondary_connection
, c
);
87 Stage 3 of schannel_key: Receive secondary rpc connection and perform
88 non-authenticated bind request
90 static void continue_secondary_connection(struct composite_context
*ctx
)
92 struct composite_context
*c
;
93 struct schannel_key_state
*s
;
94 struct composite_context
*auth_none_req
;
96 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
97 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
99 /* receive secondary rpc connection */
100 c
->status
= dcerpc_secondary_connection_recv(ctx
, &s
->pipe2
);
101 if (!composite_is_ok(c
)) return;
103 talloc_steal(s
, s
->pipe2
);
105 /* initiate a non-authenticated bind */
106 auth_none_req
= dcerpc_bind_auth_none_send(c
, s
->pipe2
, &dcerpc_table_netlogon
);
107 if (composite_nomem(auth_none_req
, c
)) return;
109 composite_continue(c
, auth_none_req
, continue_bind_auth_none
, c
);
114 Stage 4 of schannel_key: Receive non-authenticated bind and get
117 static void continue_bind_auth_none(struct composite_context
*ctx
)
119 struct composite_context
*c
;
120 struct schannel_key_state
*s
;
121 struct rpc_request
*srv_challenge_req
;
123 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
124 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
126 /* receive result of non-authenticated bind request */
127 c
->status
= dcerpc_bind_auth_none_recv(ctx
);
128 if (!composite_is_ok(c
)) return;
130 /* prepare a challenge request */
131 s
->r
.in
.server_name
= talloc_asprintf(c
, "\\\\%s", dcerpc_server_name(s
->pipe
));
132 if (composite_nomem(s
->r
.in
.server_name
, c
)) return;
133 s
->r
.in
.computer_name
= cli_credentials_get_workstation(s
->credentials
);
134 s
->r
.in
.credentials
= &s
->credentials1
;
135 s
->r
.out
.credentials
= &s
->credentials2
;
137 generate_random_buffer(s
->credentials1
.data
, sizeof(s
->credentials1
.data
));
140 request a netlogon challenge - a rpc request over opened secondary pipe
142 srv_challenge_req
= dcerpc_netr_ServerReqChallenge_send(s
->pipe2
, c
, &s
->r
);
143 if (composite_nomem(srv_challenge_req
, c
)) return;
145 composite_continue_rpc(c
, srv_challenge_req
, continue_srv_challenge
, c
);
150 Stage 5 of schannel_key: Receive a challenge and perform authentication
153 static void continue_srv_challenge(struct rpc_request
*req
)
155 struct composite_context
*c
;
156 struct schannel_key_state
*s
;
157 struct rpc_request
*srv_auth2_req
;
159 c
= talloc_get_type(req
->async
.private, struct composite_context
);
160 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
162 /* receive rpc request result - netlogon challenge */
163 c
->status
= dcerpc_ndr_request_recv(req
);
164 if (!composite_is_ok(c
)) return;
166 /* prepare credentials for auth2 request */
167 s
->mach_pwd
= cli_credentials_get_nt_hash(s
->credentials
, c
);
169 creds_client_init(s
->creds
, &s
->credentials1
, &s
->credentials2
,
170 s
->mach_pwd
, &s
->credentials3
, s
->negotiate_flags
);
172 /* auth2 request arguments */
173 s
->a
.in
.server_name
= s
->r
.in
.server_name
;
174 s
->a
.in
.account_name
= cli_credentials_get_username(s
->credentials
);
175 s
->a
.in
.secure_channel_type
=
176 cli_credentials_get_secure_channel_type(s
->credentials
);
177 s
->a
.in
.computer_name
= cli_credentials_get_workstation(s
->credentials
);
178 s
->a
.in
.negotiate_flags
= &s
->negotiate_flags
;
179 s
->a
.in
.credentials
= &s
->credentials3
;
180 s
->a
.out
.negotiate_flags
= &s
->negotiate_flags
;
181 s
->a
.out
.credentials
= &s
->credentials3
;
184 authenticate on the netlogon pipe - a rpc request over secondary pipe
186 srv_auth2_req
= dcerpc_netr_ServerAuthenticate2_send(s
->pipe2
, c
, &s
->a
);
187 if (composite_nomem(srv_auth2_req
, c
)) return;
189 composite_continue_rpc(c
, srv_auth2_req
, continue_srv_auth2
, c
);
194 Stage 6 of schannel_key: Receive authentication request result and verify
197 static void continue_srv_auth2(struct rpc_request
*req
)
199 struct composite_context
*c
;
200 struct schannel_key_state
*s
;
202 c
= talloc_get_type(req
->async
.private, struct composite_context
);
203 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
205 /* receive rpc request result - auth2 credentials */
206 c
->status
= dcerpc_ndr_request_recv(req
);
207 if (!composite_is_ok(c
)) return;
209 /* verify credentials */
210 if (!creds_client_check(s
->creds
, s
->a
.out
.credentials
)) {
211 composite_error(c
, NT_STATUS_UNSUCCESSFUL
);
215 /* setup current netlogon credentials */
216 cli_credentials_set_netlogon_creds(s
->credentials
, s
->creds
);
223 Initiate establishing a schannel key using netlogon challenge
226 struct composite_context
*dcerpc_schannel_key_send(TALLOC_CTX
*mem_ctx
,
227 struct dcerpc_pipe
*p
,
228 struct cli_credentials
*credentials
)
230 struct composite_context
*c
;
231 struct schannel_key_state
*s
;
232 struct composite_context
*epm_map_req
;
234 /* composite context allocation and setup */
235 c
= composite_create(mem_ctx
, p
->conn
->event_ctx
);
236 if (c
== NULL
) return NULL
;
238 s
= talloc_zero(c
, struct schannel_key_state
);
239 if (composite_nomem(s
, c
)) return c
;
242 /* store parameters in the state structure */
244 s
->credentials
= credentials
;
246 /* allocate credentials */
247 s
->creds
= talloc(c
, struct creds_CredentialState
);
248 if (composite_nomem(s
->creds
, c
)) return c
;
250 /* type of authentication depends on schannel type */
251 if (s
->pipe
->conn
->flags
& DCERPC_SCHANNEL_128
) {
252 s
->negotiate_flags
= NETLOGON_NEG_AUTH2_ADS_FLAGS
;
254 s
->negotiate_flags
= NETLOGON_NEG_AUTH2_FLAGS
;
257 /* allocate binding structure */
258 s
->binding
= talloc(c
, struct dcerpc_binding
);
259 if (composite_nomem(s
->binding
, c
)) return c
;
261 *s
->binding
= *s
->pipe
->binding
;
263 /* request the netlogon endpoint mapping */
264 epm_map_req
= dcerpc_epm_map_binding_send(c
, s
->binding
,
265 &dcerpc_table_netlogon
,
266 s
->pipe
->conn
->event_ctx
);
267 if (composite_nomem(epm_map_req
, c
)) return c
;
269 composite_continue(c
, epm_map_req
, continue_epm_map_binding
, c
);
275 Receive result of schannel key request
277 NTSTATUS
dcerpc_schannel_key_recv(struct composite_context
*c
)
279 NTSTATUS status
= composite_wait(c
);
286 struct auth_schannel_state
{
287 struct dcerpc_pipe
*pipe
;
288 struct cli_credentials
*credentials
;
289 const struct dcerpc_interface_table
*table
;
294 static void continue_bind_auth(struct composite_context
*ctx
);
298 Stage 2 of auth_schannel: Receive schannel key and intitiate an
299 authenticated bind using received credentials
301 static void continue_schannel_key(struct composite_context
*ctx
)
303 struct composite_context
*auth_req
;
304 struct composite_context
*c
= talloc_get_type(ctx
->async
.private_data
,
305 struct composite_context
);
306 struct auth_schannel_state
*s
= talloc_get_type(c
->private_data
,
307 struct auth_schannel_state
);
309 /* receive schannel key */
310 c
->status
= dcerpc_schannel_key_recv(ctx
);
311 if (!composite_is_ok(c
)) {
312 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
313 cli_credentials_get_username(s
->credentials
), nt_errstr(c
->status
)));
317 /* send bind auth request with received creds */
318 auth_req
= dcerpc_bind_auth_send(c
, s
->pipe
, s
->table
, s
->credentials
,
319 DCERPC_AUTH_TYPE_SCHANNEL
, s
->auth_level
,
321 if (composite_nomem(auth_req
, c
)) return;
323 composite_continue(c
, auth_req
, continue_bind_auth
, c
);
328 Stage 3 of auth_schannel: Receivce result of authenticated bind
329 and say if we're done ok.
331 static void continue_bind_auth(struct composite_context
*ctx
)
333 struct composite_context
*c
= talloc_get_type(ctx
->async
.private_data
,
334 struct composite_context
);
336 c
->status
= dcerpc_bind_auth_recv(ctx
);
337 if (!composite_is_ok(c
)) return;
344 Initiate schannel authentication request
346 struct composite_context
*dcerpc_bind_auth_schannel_send(TALLOC_CTX
*tmp_ctx
,
347 struct dcerpc_pipe
*p
,
348 const struct dcerpc_interface_table
*table
,
349 struct cli_credentials
*credentials
,
352 struct composite_context
*c
;
353 struct auth_schannel_state
*s
;
354 struct composite_context
*schan_key_req
;
356 /* composite context allocation and setup */
357 c
= composite_create(tmp_ctx
, p
->conn
->event_ctx
);
358 if (c
== NULL
) return NULL
;
360 s
= talloc_zero(c
, struct auth_schannel_state
);
361 if (composite_nomem(s
, c
)) return c
;
364 /* store parameters in the state structure */
366 s
->credentials
= credentials
;
368 s
->auth_level
= auth_level
;
370 /* start getting schannel key first */
371 schan_key_req
= dcerpc_schannel_key_send(c
, p
, credentials
);
372 if (composite_nomem(schan_key_req
, c
)) return c
;
374 composite_continue(c
, schan_key_req
, continue_schannel_key
, c
);
380 Receive result of schannel authentication request
382 NTSTATUS
dcerpc_bind_auth_schannel_recv(struct composite_context
*c
)
384 NTSTATUS status
= composite_wait(c
);
392 Perform schannel authenticated bind - sync version
394 NTSTATUS
dcerpc_bind_auth_schannel(TALLOC_CTX
*tmp_ctx
,
395 struct dcerpc_pipe
*p
,
396 const struct dcerpc_interface_table
*table
,
397 struct cli_credentials
*credentials
,
400 struct composite_context
*c
;
402 c
= dcerpc_bind_auth_schannel_send(tmp_ctx
, p
, table
, credentials
,
404 return dcerpc_bind_auth_schannel_recv(c
);