2 Unix SMB/CIFS implementation.
4 dcerpc schannel operations
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "auth/auth.h"
26 #include "auth/credentials/credentials.h"
27 #include "auth/gensec/gensec.h"
28 #include "auth/gensec/gensec_proto.h"
29 #include "../libcli/auth/schannel.h"
30 #include "librpc/rpc/dcerpc.h"
31 #include "param/param.h"
32 #include "auth/gensec/schannel.h"
33 #include "auth/gensec/gensec_toplevel_proto.h"
35 _PUBLIC_ NTSTATUS
gensec_schannel_init(void);
37 static size_t schannel_sig_size(struct gensec_security
*gensec_security
, size_t data_size
)
39 struct schannel_state
*state
= (struct schannel_state
*)gensec_security
->private_data
;
42 sig_size
= netsec_outgoing_sig_size(state
);
47 static NTSTATUS
schannel_session_key(struct gensec_security
*gensec_security
,
49 DATA_BLOB
*session_key
)
51 return NT_STATUS_NOT_IMPLEMENTED
;
54 static NTSTATUS
schannel_update(struct gensec_security
*gensec_security
, TALLOC_CTX
*out_mem_ctx
,
55 struct tevent_context
*ev
,
56 const DATA_BLOB in
, DATA_BLOB
*out
)
58 struct schannel_state
*state
= (struct schannel_state
*)gensec_security
->private_data
;
60 enum ndr_err_code ndr_err
;
61 struct NL_AUTH_MESSAGE bind_schannel
;
62 struct NL_AUTH_MESSAGE bind_schannel_ack
;
63 struct netlogon_creds_CredentialState
*creds
;
64 const char *workstation
;
67 *out
= data_blob(NULL
, 0);
69 switch (gensec_security
->gensec_role
) {
71 if (state
->state
!= SCHANNEL_STATE_START
) {
72 /* we could parse the bind ack, but we don't know what it is yet */
76 state
->creds
= cli_credentials_get_netlogon_creds(gensec_security
->credentials
);
77 if (state
->creds
== NULL
) {
78 return NT_STATUS_INVALID_PARAMETER_MIX
;
80 state
->creds
= netlogon_creds_copy(state
, state
->creds
);
81 if (state
->creds
== NULL
) {
82 return NT_STATUS_NO_MEMORY
;
85 bind_schannel
.MessageType
= NL_NEGOTIATE_REQUEST
;
87 /* to support this we'd need to have access to the full domain name */
89 bind_schannel
.Flags
= NL_FLAG_OEM_NETBIOS_DOMAIN_NAME
|
90 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME
|
91 NL_FLAG_UTF8_DNS_DOMAIN_NAME
|
92 NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME
;
93 bind_schannel
.oem_netbios_domain
.a
= cli_credentials_get_domain(gensec_security
->credentials
);
94 bind_schannel
.oem_netbios_computer
.a
= cli_credentials_get_workstation(gensec_security
->credentials
);
95 bind_schannel
.utf8_dns_domain
= cli_credentials_get_realm(gensec_security
->credentials
);
96 /* w2k3 refuses us if we use the full DNS workstation?
97 why? perhaps because we don't fill in the dNSHostName
98 attribute in the machine account? */
99 bind_schannel
.utf8_netbios_computer
= cli_credentials_get_workstation(gensec_security
->credentials
);
101 bind_schannel
.Flags
= NL_FLAG_OEM_NETBIOS_DOMAIN_NAME
|
102 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME
;
103 bind_schannel
.oem_netbios_domain
.a
= cli_credentials_get_domain(gensec_security
->credentials
);
104 bind_schannel
.oem_netbios_computer
.a
= cli_credentials_get_workstation(gensec_security
->credentials
);
107 ndr_err
= ndr_push_struct_blob(out
, out_mem_ctx
, &bind_schannel
,
108 (ndr_push_flags_fn_t
)ndr_push_NL_AUTH_MESSAGE
);
109 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
110 status
= ndr_map_error2ntstatus(ndr_err
);
111 DEBUG(3, ("Could not create schannel bind: %s\n",
116 state
->state
= SCHANNEL_STATE_UPDATE_1
;
118 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
121 if (state
->state
!= SCHANNEL_STATE_START
) {
122 /* no third leg on this protocol */
123 return NT_STATUS_INVALID_PARAMETER
;
126 /* parse the schannel startup blob */
127 ndr_err
= ndr_pull_struct_blob(&in
, out_mem_ctx
, &bind_schannel
,
128 (ndr_pull_flags_fn_t
)ndr_pull_NL_AUTH_MESSAGE
);
129 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
130 status
= ndr_map_error2ntstatus(ndr_err
);
131 DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
136 if (bind_schannel
.Flags
& NL_FLAG_OEM_NETBIOS_DOMAIN_NAME
) {
137 domain
= bind_schannel
.oem_netbios_domain
.a
;
138 if (strcasecmp_m(domain
, lpcfg_workgroup(gensec_security
->settings
->lp_ctx
)) != 0) {
139 DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
140 domain
, lpcfg_workgroup(gensec_security
->settings
->lp_ctx
)));
141 return NT_STATUS_LOGON_FAILURE
;
143 } else if (bind_schannel
.Flags
& NL_FLAG_UTF8_DNS_DOMAIN_NAME
) {
144 domain
= bind_schannel
.utf8_dns_domain
.u
;
145 if (strcasecmp_m(domain
, lpcfg_dnsdomain(gensec_security
->settings
->lp_ctx
)) != 0) {
146 DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
147 domain
, lpcfg_dnsdomain(gensec_security
->settings
->lp_ctx
)));
148 return NT_STATUS_LOGON_FAILURE
;
151 DEBUG(3, ("Request for schannel to without domain\n"));
152 return NT_STATUS_LOGON_FAILURE
;
155 if (bind_schannel
.Flags
& NL_FLAG_OEM_NETBIOS_COMPUTER_NAME
) {
156 workstation
= bind_schannel
.oem_netbios_computer
.a
;
157 } else if (bind_schannel
.Flags
& NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME
) {
158 workstation
= bind_schannel
.utf8_netbios_computer
.u
;
160 DEBUG(3, ("Request for schannel to without netbios workstation\n"));
161 return NT_STATUS_LOGON_FAILURE
;
164 status
= schannel_get_creds_state(out_mem_ctx
,
165 gensec_security
->settings
->lp_ctx
,
166 workstation
, &creds
);
167 if (!NT_STATUS_IS_OK(status
)) {
168 DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
169 workstation
, nt_errstr(status
)));
170 if (NT_STATUS_EQUAL(status
, NT_STATUS_INVALID_HANDLE
)) {
171 return NT_STATUS_LOGON_FAILURE
;
176 state
->creds
= talloc_steal(state
, creds
);
178 bind_schannel_ack
.MessageType
= NL_NEGOTIATE_RESPONSE
;
179 bind_schannel_ack
.Flags
= 0;
180 bind_schannel_ack
.Buffer
.dummy
= 0x6c0000; /* actually I think
185 ndr_err
= ndr_push_struct_blob(out
, out_mem_ctx
, &bind_schannel_ack
,
186 (ndr_push_flags_fn_t
)ndr_push_NL_AUTH_MESSAGE
);
187 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
188 status
= ndr_map_error2ntstatus(ndr_err
);
189 DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
190 workstation
, nt_errstr(status
)));
194 state
->state
= SCHANNEL_STATE_UPDATE_1
;
198 return NT_STATUS_INVALID_PARAMETER
;
202 * Return the struct netlogon_creds_CredentialState.
204 * Make sure not to call this unless gensec is using schannel...
207 /* TODO: make this non-public */
209 _PUBLIC_ NTSTATUS
dcerpc_schannel_creds(struct gensec_security
*gensec_security
,
211 struct netlogon_creds_CredentialState
**creds
)
213 struct schannel_state
*state
= talloc_get_type(gensec_security
->private_data
, struct schannel_state
);
215 *creds
= talloc_reference(mem_ctx
, state
->creds
);
217 return NT_STATUS_NO_MEMORY
;
224 * Returns anonymous credentials for schannel, matching Win2k3.
228 static NTSTATUS
schannel_session_info(struct gensec_security
*gensec_security
,
230 struct auth_session_info
**_session_info
)
232 return auth_anonymous_session_info(mem_ctx
, gensec_security
->settings
->lp_ctx
, _session_info
);
235 static NTSTATUS
schannel_start(struct gensec_security
*gensec_security
)
237 struct schannel_state
*state
;
239 state
= talloc(gensec_security
, struct schannel_state
);
241 return NT_STATUS_NO_MEMORY
;
244 state
->state
= SCHANNEL_STATE_START
;
246 gensec_security
->private_data
= state
;
251 static NTSTATUS
schannel_server_start(struct gensec_security
*gensec_security
)
254 struct schannel_state
*state
;
256 status
= schannel_start(gensec_security
);
257 if (!NT_STATUS_IS_OK(status
)) {
261 state
= (struct schannel_state
*)gensec_security
->private_data
;
262 state
->initiator
= false;
267 static NTSTATUS
schannel_client_start(struct gensec_security
*gensec_security
)
270 struct schannel_state
*state
;
272 status
= schannel_start(gensec_security
);
273 if (!NT_STATUS_IS_OK(status
)) {
277 state
= (struct schannel_state
*)gensec_security
->private_data
;
278 state
->initiator
= true;
284 static bool schannel_have_feature(struct gensec_security
*gensec_security
,
287 if (feature
& (GENSEC_FEATURE_SIGN
|
288 GENSEC_FEATURE_SEAL
)) {
291 if (feature
& GENSEC_FEATURE_DCE_STYLE
) {
294 if (feature
& GENSEC_FEATURE_ASYNC_REPLIES
) {
303 static NTSTATUS
schannel_unseal_packet(struct gensec_security
*gensec_security
,
304 uint8_t *data
, size_t length
,
305 const uint8_t *whole_pdu
, size_t pdu_length
,
306 const DATA_BLOB
*sig
)
308 struct schannel_state
*state
=
309 talloc_get_type(gensec_security
->private_data
,
310 struct schannel_state
);
312 return netsec_incoming_packet(state
, true,
313 discard_const_p(uint8_t, data
),
318 check the signature on a packet
320 static NTSTATUS
schannel_check_packet(struct gensec_security
*gensec_security
,
321 const uint8_t *data
, size_t length
,
322 const uint8_t *whole_pdu
, size_t pdu_length
,
323 const DATA_BLOB
*sig
)
325 struct schannel_state
*state
=
326 talloc_get_type(gensec_security
->private_data
,
327 struct schannel_state
);
329 return netsec_incoming_packet(state
, false,
330 discard_const_p(uint8_t, data
),
336 static NTSTATUS
schannel_seal_packet(struct gensec_security
*gensec_security
,
338 uint8_t *data
, size_t length
,
339 const uint8_t *whole_pdu
, size_t pdu_length
,
342 struct schannel_state
*state
=
343 talloc_get_type(gensec_security
->private_data
,
344 struct schannel_state
);
346 return netsec_outgoing_packet(state
, mem_ctx
, true,
353 static NTSTATUS
schannel_sign_packet(struct gensec_security
*gensec_security
,
355 const uint8_t *data
, size_t length
,
356 const uint8_t *whole_pdu
, size_t pdu_length
,
359 struct schannel_state
*state
=
360 talloc_get_type(gensec_security
->private_data
,
361 struct schannel_state
);
363 return netsec_outgoing_packet(state
, mem_ctx
, false,
364 discard_const_p(uint8_t, data
),
368 static const struct gensec_security_ops gensec_schannel_security_ops
= {
370 .auth_type
= DCERPC_AUTH_TYPE_SCHANNEL
,
371 .client_start
= schannel_client_start
,
372 .server_start
= schannel_server_start
,
373 .update
= schannel_update
,
374 .seal_packet
= schannel_seal_packet
,
375 .sign_packet
= schannel_sign_packet
,
376 .check_packet
= schannel_check_packet
,
377 .unseal_packet
= schannel_unseal_packet
,
378 .session_key
= schannel_session_key
,
379 .session_info
= schannel_session_info
,
380 .sig_size
= schannel_sig_size
,
381 .have_feature
= schannel_have_feature
,
383 .priority
= GENSEC_SCHANNEL
386 _PUBLIC_ NTSTATUS
gensec_schannel_init(void)
389 ret
= gensec_register(&gensec_schannel_security_ops
);
390 if (!NT_STATUS_IS_OK(ret
)) {
391 DEBUG(0,("Failed to register '%s' gensec backend!\n",
392 gensec_schannel_security_ops
.name
));