search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:librpc/rpc: add DCERPC_SCHANNEL_AES support
[Samba.git] / source4 / librpc / rpc / dcerpc_schannel.c
blobf3e52585ae15882e7589b16f683cd4de6a886779
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include <tevent.h>
26 #include "auth/auth.h"
27 #include "libcli/composite/composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "librpc/gen_ndr/ndr_netlogon.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "auth/credentials/credentials.h"
32 #include "librpc/rpc/dcerpc_proto.h"
33 #include "param/param.h"
34
35 struct schannel_key_state {
36 struct dcerpc_pipe *pipe;
37 struct dcerpc_pipe *pipe2;
38 struct dcerpc_binding *binding;
39 bool dcerpc_schannel_auto;
40 struct cli_credentials *credentials;
41 struct netlogon_creds_CredentialState *creds;
42 uint32_t local_negotiate_flags;
43 uint32_t remote_negotiate_flags;
44 struct netr_Credential credentials1;
45 struct netr_Credential credentials2;
46 struct netr_Credential credentials3;
47 struct netr_ServerReqChallenge r;
48 struct netr_ServerAuthenticate2 a;
49 const struct samr_Password *mach_pwd;
50 };
51
52
53 static void continue_secondary_connection(struct composite_context *ctx);
54 static void continue_bind_auth_none(struct composite_context *ctx);
55 static void continue_srv_challenge(struct tevent_req *subreq);
56 static void continue_srv_auth2(struct tevent_req *subreq);
57
58
59 /*
60 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
61 rpc connection
62 */
63 static void continue_epm_map_binding(struct composite_context *ctx)
64 {
65 struct composite_context *c;
66 struct schannel_key_state *s;
67 struct composite_context *sec_conn_req;
68
69 c = talloc_get_type(ctx->async.private_data, struct composite_context);
70 s = talloc_get_type(c->private_data, struct schannel_key_state);
71
72 /* receive endpoint mapping */
73 c->status = dcerpc_epm_map_binding_recv(ctx);
74 if (!NT_STATUS_IS_OK(c->status)) {
75 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
76 NDR_NETLOGON_UUID, nt_errstr(c->status)));
77 composite_error(c, c->status);
78 return;
79 }
80
81 /* send a request for secondary rpc connection */
82 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
83 s->binding);
84 if (composite_nomem(sec_conn_req, c)) return;
85
86 composite_continue(c, sec_conn_req, continue_secondary_connection, c);
87 }
88
89
90 /*
91 Stage 3 of schannel_key: Receive secondary rpc connection and perform
92 non-authenticated bind request
93 */
94 static void continue_secondary_connection(struct composite_context *ctx)
95 {
96 struct composite_context *c;
97 struct schannel_key_state *s;
98 struct composite_context *auth_none_req;
99
100 c = talloc_get_type(ctx->async.private_data, struct composite_context);
101 s = talloc_get_type(c->private_data, struct schannel_key_state);
102
103 /* receive secondary rpc connection */
104 c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
105 if (!composite_is_ok(c)) return;
106
107 talloc_steal(s, s->pipe2);
108
109 /* initiate a non-authenticated bind */
110 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
111 if (composite_nomem(auth_none_req, c)) return;
112
113 composite_continue(c, auth_none_req, continue_bind_auth_none, c);
114 }
115
116
117 /*
118 Stage 4 of schannel_key: Receive non-authenticated bind and get
119 a netlogon challenge
120 */
121 static void continue_bind_auth_none(struct composite_context *ctx)
122 {
123 struct composite_context *c;
124 struct schannel_key_state *s;
125 struct tevent_req *subreq;
126
127 c = talloc_get_type(ctx->async.private_data, struct composite_context);
128 s = talloc_get_type(c->private_data, struct schannel_key_state);
129
130 /* receive result of non-authenticated bind request */
131 c->status = dcerpc_bind_auth_none_recv(ctx);
132 if (!composite_is_ok(c)) return;
133
134 /* prepare a challenge request */
135 s->r.in.server_name = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
136 if (composite_nomem(s->r.in.server_name, c)) return;
137 s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
138 s->r.in.credentials = &s->credentials1;
139 s->r.out.return_credentials = &s->credentials2;
140
141 generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
142
143 /*
144 request a netlogon challenge - a rpc request over opened secondary pipe
145 */
146 subreq = dcerpc_netr_ServerReqChallenge_r_send(s, c->event_ctx,
147 s->pipe2->binding_handle,
148 &s->r);
149 if (composite_nomem(subreq, c)) return;
150
151 tevent_req_set_callback(subreq, continue_srv_challenge, c);
152 }
153
154
155 /*
156 Stage 5 of schannel_key: Receive a challenge and perform authentication
157 on the netlogon pipe
158 */
159 static void continue_srv_challenge(struct tevent_req *subreq)
160 {
161 struct composite_context *c;
162 struct schannel_key_state *s;
163
164 c = tevent_req_callback_data(subreq, struct composite_context);
165 s = talloc_get_type(c->private_data, struct schannel_key_state);
166
167 /* receive rpc request result - netlogon challenge */
168 c->status = dcerpc_netr_ServerReqChallenge_r_recv(subreq, s);
169 TALLOC_FREE(subreq);
170 if (!composite_is_ok(c)) return;
171
172 /* prepare credentials for auth2 request */
173 s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
174
175 /* auth2 request arguments */
176 s->a.in.server_name = s->r.in.server_name;
177 s->a.in.account_name = cli_credentials_get_username(s->credentials);
178 s->a.in.secure_channel_type =
179 cli_credentials_get_secure_channel_type(s->credentials);
180 s->a.in.computer_name = cli_credentials_get_workstation(s->credentials);
181 s->a.in.negotiate_flags = &s->local_negotiate_flags;
182 s->a.in.credentials = &s->credentials3;
183 s->a.out.negotiate_flags = &s->remote_negotiate_flags;
184 s->a.out.return_credentials = &s->credentials3;
185
186 s->creds = netlogon_creds_client_init(s,
187 s->a.in.account_name,
188 s->a.in.computer_name,
189 &s->credentials1, &s->credentials2,
190 s->mach_pwd, &s->credentials3,
191 s->local_negotiate_flags);
192 if (composite_nomem(s->creds, c)) {
193 return;
194 }
195 /*
196 authenticate on the netlogon pipe - a rpc request over secondary pipe
197 */
198 subreq = dcerpc_netr_ServerAuthenticate2_r_send(s, c->event_ctx,
199 s->pipe2->binding_handle,
200 &s->a);
201 if (composite_nomem(subreq, c)) return;
202
203 tevent_req_set_callback(subreq, continue_srv_auth2, c);
204 }
205
206
207 /*
208 Stage 6 of schannel_key: Receive authentication request result and verify
209 received credentials
210 */
211 static void continue_srv_auth2(struct tevent_req *subreq)
212 {
213 struct composite_context *c;
214 struct schannel_key_state *s;
215
216 c = tevent_req_callback_data(subreq, struct composite_context);
217 s = talloc_get_type(c->private_data, struct schannel_key_state);
218
219 /* receive rpc request result - auth2 credentials */
220 c->status = dcerpc_netr_ServerAuthenticate2_r_recv(subreq, s);
221 TALLOC_FREE(subreq);
222 if (!composite_is_ok(c)) return;
223
224 if (!NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED) &&
225 !NT_STATUS_IS_OK(s->a.out.result)) {
226 composite_error(c, s->a.out.result);
227 return;
228 }
229
230 /*
231 * Strong keys could be unsupported (NT4) or disables. So retry with the
232 * flags returned by the server. - asn
233 */
234 if (NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED)) {
235 uint32_t lf = s->local_negotiate_flags;
236 const char *ln = NULL;
237 uint32_t rf = s->remote_negotiate_flags;
238 const char *rn = NULL;
239
240 if (!s->dcerpc_schannel_auto) {
241 composite_error(c, s->a.out.result);
242 return;
243 }
244 s->dcerpc_schannel_auto = false;
245
246 if (lf & NETLOGON_NEG_SUPPORTS_AES) {
247 ln = "aes";
248 if (rf & NETLOGON_NEG_SUPPORTS_AES) {
249 composite_error(c, s->a.out.result);
250 return;
251 }
252 } else if (lf & NETLOGON_NEG_STRONG_KEYS) {
253 ln = "strong";
254 if (rf & NETLOGON_NEG_STRONG_KEYS) {
255 composite_error(c, s->a.out.result);
256 return;
257 }
258 } else {
259 ln = "des";
260 }
261
262 if (rf & NETLOGON_NEG_SUPPORTS_AES) {
263 rn = "aes";
264 } else if (rf & NETLOGON_NEG_STRONG_KEYS) {
265 rn = "strong";
266 } else {
267 rn = "des";
268 }
269
270 DEBUG(3, ("Server doesn't support %s keys, downgrade to %s"
271 "and retry! local[0x%08X] remote[0x%08X]\n",
272 ln, rn, lf, rf));
273
274 s->local_negotiate_flags = s->remote_negotiate_flags;
275
276 generate_random_buffer(s->credentials1.data,
277 sizeof(s->credentials1.data));
278
279 subreq = dcerpc_netr_ServerReqChallenge_r_send(s,
280 c->event_ctx,
281 s->pipe2->binding_handle,
282 &s->r);
283 if (composite_nomem(subreq, c)) return;
284
285 tevent_req_set_callback(subreq, continue_srv_challenge, c);
286 return;
287 }
288
289 s->creds->negotiate_flags = s->remote_negotiate_flags;
290
291 /* verify credentials */
292 if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
293 composite_error(c, NT_STATUS_UNSUCCESSFUL);
294 return;
295 }
296
297 /* setup current netlogon credentials */
298 cli_credentials_set_netlogon_creds(s->credentials, s->creds);
299
300 composite_done(c);
301 }
302
303
304 /*
305 Initiate establishing a schannel key using netlogon challenge
306 on a secondary pipe
307 */
308 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
309 struct dcerpc_pipe *p,
310 struct cli_credentials *credentials,
311 struct loadparm_context *lp_ctx)
312 {
313 struct composite_context *c;
314 struct schannel_key_state *s;
315 struct composite_context *epm_map_req;
316 enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials);
317
318 /* composite context allocation and setup */
319 c = composite_create(mem_ctx, p->conn->event_ctx);
320 if (c == NULL) return NULL;
321
322 s = talloc_zero(c, struct schannel_key_state);
323 if (composite_nomem(s, c)) return c;
324 c->private_data = s;
325
326 /* store parameters in the state structure */
327 s->pipe = p;
328 s->credentials = credentials;
329 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
330
331 /* allocate credentials */
332 if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
333 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
334 }
335 if (s->pipe->conn->flags & DCERPC_SCHANNEL_AES) {
336 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
337 s->local_negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
338 }
339 if (s->pipe->conn->flags & DCERPC_SCHANNEL_AUTO) {
340 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
341 s->local_negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
342 s->dcerpc_schannel_auto = true;
343 }
344
345 /* type of authentication depends on schannel type */
346 if (schannel_type == SEC_CHAN_RODC) {
347 s->local_negotiate_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
348 }
349
350 /* allocate binding structure */
351 s->binding = talloc_zero(c, struct dcerpc_binding);
352 if (composite_nomem(s->binding, c)) return c;
353
354 *s->binding = *s->pipe->binding;
355
356 /* request the netlogon endpoint mapping */
357 epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
358 &ndr_table_netlogon,
359 s->pipe->conn->event_ctx,
360 lp_ctx);
361 if (composite_nomem(epm_map_req, c)) return c;
362
363 composite_continue(c, epm_map_req, continue_epm_map_binding, c);
364 return c;
365 }
366
367
368 /*
369 Receive result of schannel key request
370 */
371 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
372 {
373 NTSTATUS status = composite_wait(c);
374
375 talloc_free(c);
376 return status;
377 }
378
379
380 struct auth_schannel_state {
381 struct dcerpc_pipe *pipe;
382 struct cli_credentials *credentials;
383 const struct ndr_interface_table *table;
384 struct loadparm_context *lp_ctx;
385 uint8_t auth_level;
386 };
387
388
389 static void continue_bind_auth(struct composite_context *ctx);
390
391
392 /*
393 Stage 2 of auth_schannel: Receive schannel key and intitiate an
394 authenticated bind using received credentials
395 */
396 static void continue_schannel_key(struct composite_context *ctx)
397 {
398 struct composite_context *auth_req;
399 struct composite_context *c = talloc_get_type(ctx->async.private_data,
400 struct composite_context);
401 struct auth_schannel_state *s = talloc_get_type(c->private_data,
402 struct auth_schannel_state);
403 NTSTATUS status;
404
405 /* receive schannel key */
406 status = c->status = dcerpc_schannel_key_recv(ctx);
407 if (!composite_is_ok(c)) {
408 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
409 return;
410 }
411
412 /* send bind auth request with received creds */
413 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
414 lpcfg_gensec_settings(c, s->lp_ctx),
415 DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
416 NULL);
417 if (composite_nomem(auth_req, c)) return;
418
419 composite_continue(c, auth_req, continue_bind_auth, c);
420 }
421
422
423 /*
424 Stage 3 of auth_schannel: Receivce result of authenticated bind
425 and say if we're done ok.
426 */
427 static void continue_bind_auth(struct composite_context *ctx)
428 {
429 struct composite_context *c = talloc_get_type(ctx->async.private_data,
430 struct composite_context);
431
432 c->status = dcerpc_bind_auth_recv(ctx);
433 if (!composite_is_ok(c)) return;
434
435 composite_done(c);
436 }
437
438
439 /*
440 Initiate schannel authentication request
441 */
442 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
443 struct dcerpc_pipe *p,
444 const struct ndr_interface_table *table,
445 struct cli_credentials *credentials,
446 struct loadparm_context *lp_ctx,
447 uint8_t auth_level)
448 {
449 struct composite_context *c;
450 struct auth_schannel_state *s;
451 struct composite_context *schan_key_req;
452
453 /* composite context allocation and setup */
454 c = composite_create(tmp_ctx, p->conn->event_ctx);
455 if (c == NULL) return NULL;
456
457 s = talloc_zero(c, struct auth_schannel_state);
458 if (composite_nomem(s, c)) return c;
459 c->private_data = s;
460
461 /* store parameters in the state structure */
462 s->pipe = p;
463 s->credentials = credentials;
464 s->table = table;
465 s->auth_level = auth_level;
466 s->lp_ctx = lp_ctx;
467
468 /* start getting schannel key first */
469 schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
470 if (composite_nomem(schan_key_req, c)) return c;
471
472 composite_continue(c, schan_key_req, continue_schannel_key, c);
473 return c;
474 }
475
476
477 /*
478 Receive result of schannel authentication request
479 */
480 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
481 {
482 NTSTATUS status = composite_wait(c);
483
484 talloc_free(c);
485 return status;
486 }
487
488
489 /*
490 Perform schannel authenticated bind - sync version
491 */
492 _PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
493 struct dcerpc_pipe *p,
494 const struct ndr_interface_table *table,
495 struct cli_credentials *credentials,
496 struct loadparm_context *lp_ctx,
497 uint8_t auth_level)
498 {
499 struct composite_context *c;
500
501 c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
502 auth_level);
503 return dcerpc_bind_auth_schannel_recv(c);
504 }
Samba GIT mirror