2 Unix SMB/CIFS implementation.
4 dcerpc schannel operations
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "auth/auth.h"
26 #include "auth/credentials/credentials.h"
27 #include "auth/gensec/gensec.h"
28 #include "auth/gensec/gensec_proto.h"
29 #include "../libcli/auth/schannel.h"
30 #include "auth/gensec/schannel_state.h"
31 #include "librpc/rpc/dcerpc.h"
32 #include "param/param.h"
33 #include "auth/session_proto.h"
35 static size_t schannel_sig_size(struct gensec_security
*gensec_security
, size_t data_size
)
40 static NTSTATUS
schannel_session_key(struct gensec_security
*gensec_security
,
41 DATA_BLOB
*session_key
)
43 return NT_STATUS_NOT_IMPLEMENTED
;
46 static NTSTATUS
schannel_update(struct gensec_security
*gensec_security
, TALLOC_CTX
*out_mem_ctx
,
47 const DATA_BLOB in
, DATA_BLOB
*out
)
49 struct schannel_state
*state
= (struct schannel_state
*)gensec_security
->private_data
;
51 enum ndr_err_code ndr_err
;
52 struct NL_AUTH_MESSAGE bind_schannel
;
53 struct NL_AUTH_MESSAGE bind_schannel_ack
;
54 struct netlogon_creds_CredentialState
*creds
;
55 struct ldb_context
*schannel_ldb
;
56 const char *workstation
;
58 uint32_t required_flags
;
60 *out
= data_blob(NULL
, 0);
62 switch (gensec_security
->gensec_role
) {
64 if (state
->state
!= SCHANNEL_STATE_START
) {
65 /* we could parse the bind ack, but we don't know what it is yet */
69 state
->creds
= talloc_reference(state
, cli_credentials_get_netlogon_creds(gensec_security
->credentials
));
71 bind_schannel
.MessageType
= NL_NEGOTIATE_REQUEST
;
73 /* to support this we'd need to have access to the full domain name */
75 bind_schannel
.Flags
= NL_FLAG_OEM_NETBIOS_DOMAIN_NAME
|
76 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME
|
77 NL_FLAG_UTF8_DNS_DOMAIN_NAME
|
78 NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME
;
79 bind_schannel
.oem_netbios_domain
.a
= cli_credentials_get_domain(gensec_security
->credentials
);
80 bind_schannel
.oem_netbios_computer
.a
= cli_credentials_get_workstation(gensec_security
->credentials
);
81 bind_schannel
.utf8_dns_domain
= cli_credentials_get_realm(gensec_security
->credentials
);
82 /* w2k3 refuses us if we use the full DNS workstation?
83 why? perhaps because we don't fill in the dNSHostName
84 attribute in the machine account? */
85 bind_schannel
.utf8_netbios_computer
= cli_credentials_get_workstation(gensec_security
->credentials
);
87 bind_schannel
.Flags
= NL_FLAG_OEM_NETBIOS_DOMAIN_NAME
|
88 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME
;
89 bind_schannel
.oem_netbios_domain
.a
= cli_credentials_get_domain(gensec_security
->credentials
);
90 bind_schannel
.oem_netbios_computer
.a
= cli_credentials_get_workstation(gensec_security
->credentials
);
93 ndr_err
= ndr_push_struct_blob(out
, out_mem_ctx
,
94 gensec_security
->settings
->iconv_convenience
, &bind_schannel
,
95 (ndr_push_flags_fn_t
)ndr_push_NL_AUTH_MESSAGE
);
96 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
97 status
= ndr_map_error2ntstatus(ndr_err
);
98 DEBUG(3, ("Could not create schannel bind: %s\n",
103 state
->state
= SCHANNEL_STATE_UPDATE_1
;
105 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
108 required_flags
= NL_FLAG_OEM_NETBIOS_COMPUTER_NAME
|
109 NL_FLAG_OEM_NETBIOS_DOMAIN_NAME
;
111 if (state
->state
!= SCHANNEL_STATE_START
) {
112 /* no third leg on this protocol */
113 return NT_STATUS_INVALID_PARAMETER
;
116 /* parse the schannel startup blob */
117 ndr_err
= ndr_pull_struct_blob(&in
, out_mem_ctx
,
118 gensec_security
->settings
->iconv_convenience
,
120 (ndr_pull_flags_fn_t
)ndr_pull_NL_AUTH_MESSAGE
);
121 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
122 status
= ndr_map_error2ntstatus(ndr_err
);
123 DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
128 if (!(required_flags
== (bind_schannel
.Flags
& required_flags
))) {
129 return NT_STATUS_INVALID_PARAMETER
;
132 workstation
= bind_schannel
.oem_netbios_computer
.a
;
133 domain
= bind_schannel
.oem_netbios_domain
.a
;
135 if (strcasecmp_m(domain
, lp_workgroup(gensec_security
->settings
->lp_ctx
)) != 0) {
136 DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
137 domain
, lp_workgroup(gensec_security
->settings
->lp_ctx
)));
139 return NT_STATUS_LOGON_FAILURE
;
142 schannel_ldb
= schannel_db_connect(out_mem_ctx
, gensec_security
->event_ctx
,
143 gensec_security
->settings
->lp_ctx
);
145 return NT_STATUS_ACCESS_DENIED
;
147 /* pull the session key for this client */
148 status
= schannel_fetch_session_key_ldb(schannel_ldb
,
149 out_mem_ctx
, workstation
, &creds
);
150 talloc_free(schannel_ldb
);
151 if (!NT_STATUS_IS_OK(status
)) {
152 DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
153 workstation
, nt_errstr(status
)));
154 if (NT_STATUS_EQUAL(status
, NT_STATUS_INVALID_HANDLE
)) {
155 return NT_STATUS_LOGON_FAILURE
;
160 state
->creds
= talloc_reference(state
, creds
);
162 bind_schannel_ack
.MessageType
= NL_NEGOTIATE_RESPONSE
;
163 bind_schannel_ack
.Flags
= 0;
164 bind_schannel_ack
.Buffer
.dummy
= 0x6c0000; /* actually I think
169 ndr_err
= ndr_push_struct_blob(out
, out_mem_ctx
,
170 gensec_security
->settings
->iconv_convenience
, &bind_schannel_ack
,
171 (ndr_push_flags_fn_t
)ndr_push_NL_AUTH_MESSAGE
);
172 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
173 status
= ndr_map_error2ntstatus(ndr_err
);
174 DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
175 workstation
, nt_errstr(status
)));
179 state
->state
= SCHANNEL_STATE_UPDATE_1
;
183 return NT_STATUS_INVALID_PARAMETER
;
187 * Return the struct netlogon_creds_CredentialState.
189 * Make sure not to call this unless gensec is using schannel...
192 /* TODO: make this non-public */
194 _PUBLIC_ NTSTATUS
dcerpc_schannel_creds(struct gensec_security
*gensec_security
,
196 struct netlogon_creds_CredentialState
**creds
)
198 struct schannel_state
*state
= talloc_get_type(gensec_security
->private_data
, struct schannel_state
);
200 *creds
= talloc_reference(mem_ctx
, state
->creds
);
202 return NT_STATUS_NO_MEMORY
;
209 * Returns anonymous credentials for schannel, matching Win2k3.
213 static NTSTATUS
schannel_session_info(struct gensec_security
*gensec_security
,
214 struct auth_session_info
**_session_info
)
216 struct schannel_state
*state
= talloc_get_type(gensec_security
->private_data
, struct schannel_state
);
217 return auth_anonymous_session_info(state
, gensec_security
->event_ctx
, gensec_security
->settings
->lp_ctx
, _session_info
);
220 static NTSTATUS
schannel_start(struct gensec_security
*gensec_security
)
222 struct schannel_state
*state
;
224 state
= talloc(gensec_security
, struct schannel_state
);
226 return NT_STATUS_NO_MEMORY
;
229 state
->state
= SCHANNEL_STATE_START
;
231 gensec_security
->private_data
= state
;
236 static NTSTATUS
schannel_server_start(struct gensec_security
*gensec_security
)
239 struct schannel_state
*state
;
241 status
= schannel_start(gensec_security
);
242 if (!NT_STATUS_IS_OK(status
)) {
246 state
= (struct schannel_state
*)gensec_security
->private_data
;
247 state
->initiator
= false;
252 static NTSTATUS
schannel_client_start(struct gensec_security
*gensec_security
)
255 struct schannel_state
*state
;
257 status
= schannel_start(gensec_security
);
258 if (!NT_STATUS_IS_OK(status
)) {
262 state
= (struct schannel_state
*)gensec_security
->private_data
;
263 state
->initiator
= true;
269 static bool schannel_have_feature(struct gensec_security
*gensec_security
,
272 if (feature
& (GENSEC_FEATURE_SIGN
|
273 GENSEC_FEATURE_SEAL
)) {
276 if (feature
& GENSEC_FEATURE_DCE_STYLE
) {
279 if (feature
& GENSEC_FEATURE_ASYNC_REPLIES
) {
288 static NTSTATUS
schannel_unseal_packet(struct gensec_security
*gensec_security
,
290 uint8_t *data
, size_t length
,
291 const uint8_t *whole_pdu
, size_t pdu_length
,
292 const DATA_BLOB
*sig
)
294 struct schannel_state
*state
=
295 talloc_get_type(gensec_security
->private_data
,
296 struct schannel_state
);
298 return netsec_incoming_packet(state
, mem_ctx
, true,
299 discard_const_p(uint8_t, data
),
304 check the signature on a packet
306 static NTSTATUS
schannel_check_packet(struct gensec_security
*gensec_security
,
308 const uint8_t *data
, size_t length
,
309 const uint8_t *whole_pdu
, size_t pdu_length
,
310 const DATA_BLOB
*sig
)
312 struct schannel_state
*state
=
313 talloc_get_type(gensec_security
->private_data
,
314 struct schannel_state
);
316 return netsec_incoming_packet(state
, mem_ctx
, false,
317 discard_const_p(uint8_t, data
),
323 static NTSTATUS
schannel_seal_packet(struct gensec_security
*gensec_security
,
325 uint8_t *data
, size_t length
,
326 const uint8_t *whole_pdu
, size_t pdu_length
,
329 struct schannel_state
*state
=
330 talloc_get_type(gensec_security
->private_data
,
331 struct schannel_state
);
333 return netsec_outgoing_packet(state
, mem_ctx
, true,
340 static NTSTATUS
schannel_sign_packet(struct gensec_security
*gensec_security
,
342 const uint8_t *data
, size_t length
,
343 const uint8_t *whole_pdu
, size_t pdu_length
,
346 struct schannel_state
*state
=
347 talloc_get_type(gensec_security
->private_data
,
348 struct schannel_state
);
350 return netsec_outgoing_packet(state
, mem_ctx
, false,
351 discard_const_p(uint8_t, data
),
355 static const struct gensec_security_ops gensec_schannel_security_ops
= {
357 .auth_type
= DCERPC_AUTH_TYPE_SCHANNEL
,
358 .client_start
= schannel_client_start
,
359 .server_start
= schannel_server_start
,
360 .update
= schannel_update
,
361 .seal_packet
= schannel_seal_packet
,
362 .sign_packet
= schannel_sign_packet
,
363 .check_packet
= schannel_check_packet
,
364 .unseal_packet
= schannel_unseal_packet
,
365 .session_key
= schannel_session_key
,
366 .session_info
= schannel_session_info
,
367 .sig_size
= schannel_sig_size
,
368 .have_feature
= schannel_have_feature
,
370 .priority
= GENSEC_SCHANNEL
373 _PUBLIC_ NTSTATUS
gensec_schannel_init(void)
376 ret
= gensec_register(&gensec_schannel_security_ops
);
377 if (!NT_STATUS_IS_OK(ret
)) {
378 DEBUG(0,("Failed to register '%s' gensec backend!\n",
379 gensec_schannel_security_ops
.name
));