search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:auth/gensec/schannel: make a copy of netlogon_creds_CredentialState in the client
[Samba.git] / source4 / auth / gensec / schannel.c
blob4c846c02c8f4311c94fc6d78fd3d16584c0152af
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "auth/auth.h"
26 #include "auth/credentials/credentials.h"
27 #include "auth/gensec/gensec.h"
28 #include "auth/gensec/gensec_proto.h"
29 #include "../libcli/auth/schannel.h"
30 #include "librpc/rpc/dcerpc.h"
31 #include "param/param.h"
32 #include "auth/gensec/schannel.h"
33 #include "auth/gensec/gensec_toplevel_proto.h"
34
35 _PUBLIC_ NTSTATUS gensec_schannel_init(void);
36
37 static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
38 {
39 struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
40 uint32_t sig_size;
41
42 sig_size = netsec_outgoing_sig_size(state);
43
44 return sig_size;
45 }
46
47 static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
48 TALLOC_CTX *mem_ctx,
49 DATA_BLOB *session_key)
50 {
51 return NT_STATUS_NOT_IMPLEMENTED;
52 }
53
54 static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
55 struct tevent_context *ev,
56 const DATA_BLOB in, DATA_BLOB *out)
57 {
58 struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
59 NTSTATUS status;
60 enum ndr_err_code ndr_err;
61 struct NL_AUTH_MESSAGE bind_schannel;
62 struct NL_AUTH_MESSAGE bind_schannel_ack;
63 struct netlogon_creds_CredentialState *creds;
64 const char *workstation;
65 const char *domain;
66
67 *out = data_blob(NULL, 0);
68
69 switch (gensec_security->gensec_role) {
70 case GENSEC_CLIENT:
71 if (state->state != SCHANNEL_STATE_START) {
72 /* we could parse the bind ack, but we don't know what it is yet */
73 return NT_STATUS_OK;
74 }
75
76 state->creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
77 if (state->creds == NULL) {
78 return NT_STATUS_INVALID_PARAMETER_MIX;
79 }
80 state->creds = netlogon_creds_copy(state, state->creds);
81 if (state->creds == NULL) {
82 return NT_STATUS_NO_MEMORY;
83 }
84
85 bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
86 #if 0
87 /* to support this we'd need to have access to the full domain name */
88 /* 0x17, 23 */
89 bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
90 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
91 NL_FLAG_UTF8_DNS_DOMAIN_NAME |
92 NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
93 bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
94 bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
95 bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
96 /* w2k3 refuses us if we use the full DNS workstation?
97 why? perhaps because we don't fill in the dNSHostName
98 attribute in the machine account? */
99 bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
100 #else
101 bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
102 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
103 bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
104 bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
105 #endif
106
107 ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
108 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
109 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
110 status = ndr_map_error2ntstatus(ndr_err);
111 DEBUG(3, ("Could not create schannel bind: %s\n",
112 nt_errstr(status)));
113 return status;
114 }
115
116 state->state = SCHANNEL_STATE_UPDATE_1;
117
118 return NT_STATUS_MORE_PROCESSING_REQUIRED;
119 case GENSEC_SERVER:
120
121 if (state->state != SCHANNEL_STATE_START) {
122 /* no third leg on this protocol */
123 return NT_STATUS_INVALID_PARAMETER;
124 }
125
126 /* parse the schannel startup blob */
127 ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
128 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
129 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
130 status = ndr_map_error2ntstatus(ndr_err);
131 DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
132 nt_errstr(status)));
133 return status;
134 }
135
136 if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
137 domain = bind_schannel.oem_netbios_domain.a;
138 if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
139 DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
140 domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
141 return NT_STATUS_LOGON_FAILURE;
142 }
143 } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
144 domain = bind_schannel.utf8_dns_domain.u;
145 if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
146 DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
147 domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
148 return NT_STATUS_LOGON_FAILURE;
149 }
150 } else {
151 DEBUG(3, ("Request for schannel to without domain\n"));
152 return NT_STATUS_LOGON_FAILURE;
153 }
154
155 if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
156 workstation = bind_schannel.oem_netbios_computer.a;
157 } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
158 workstation = bind_schannel.utf8_netbios_computer.u;
159 } else {
160 DEBUG(3, ("Request for schannel to without netbios workstation\n"));
161 return NT_STATUS_LOGON_FAILURE;
162 }
163
164 status = schannel_get_creds_state(out_mem_ctx,
165 gensec_security->settings->lp_ctx,
166 workstation, &creds);
167 if (!NT_STATUS_IS_OK(status)) {
168 DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
169 workstation, nt_errstr(status)));
170 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
171 return NT_STATUS_LOGON_FAILURE;
172 }
173 return status;
174 }
175
176 state->creds = talloc_steal(state, creds);
177
178 bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
179 bind_schannel_ack.Flags = 0;
180 bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
181 * this does not have
182 * any meaning here
183 * - gd */
184
185 ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
186 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
187 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
188 status = ndr_map_error2ntstatus(ndr_err);
189 DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
190 workstation, nt_errstr(status)));
191 return status;
192 }
193
194 state->state = SCHANNEL_STATE_UPDATE_1;
195
196 return NT_STATUS_OK;
197 }
198 return NT_STATUS_INVALID_PARAMETER;
199 }
200
201 /**
202 * Return the struct netlogon_creds_CredentialState.
203 *
204 * Make sure not to call this unless gensec is using schannel...
205 */
206
207 /* TODO: make this non-public */
208
209 _PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
210 TALLOC_CTX *mem_ctx,
211 struct netlogon_creds_CredentialState **creds)
212 {
213 struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
214
215 *creds = talloc_reference(mem_ctx, state->creds);
216 if (!*creds) {
217 return NT_STATUS_NO_MEMORY;
218 }
219 return NT_STATUS_OK;
220 }
221
222
223 /**
224 * Returns anonymous credentials for schannel, matching Win2k3.
225 *
226 */
227
228 static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
229 TALLOC_CTX *mem_ctx,
230 struct auth_session_info **_session_info)
231 {
232 return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
233 }
234
235 static NTSTATUS schannel_start(struct gensec_security *gensec_security)
236 {
237 struct schannel_state *state;
238
239 state = talloc(gensec_security, struct schannel_state);
240 if (!state) {
241 return NT_STATUS_NO_MEMORY;
242 }
243
244 state->state = SCHANNEL_STATE_START;
245 state->seq_num = 0;
246 gensec_security->private_data = state;
247
248 return NT_STATUS_OK;
249 }
250
251 static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
252 {
253 NTSTATUS status;
254 struct schannel_state *state;
255
256 status = schannel_start(gensec_security);
257 if (!NT_STATUS_IS_OK(status)) {
258 return status;
259 }
260
261 state = (struct schannel_state *)gensec_security->private_data;
262 state->initiator = false;
263
264 return NT_STATUS_OK;
265 }
266
267 static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
268 {
269 NTSTATUS status;
270 struct schannel_state *state;
271
272 status = schannel_start(gensec_security);
273 if (!NT_STATUS_IS_OK(status)) {
274 return status;
275 }
276
277 state = (struct schannel_state *)gensec_security->private_data;
278 state->initiator = true;
279
280 return NT_STATUS_OK;
281 }
282
283
284 static bool schannel_have_feature(struct gensec_security *gensec_security,
285 uint32_t feature)
286 {
287 if (feature & (GENSEC_FEATURE_SIGN |
288 GENSEC_FEATURE_SEAL)) {
289 return true;
290 }
291 if (feature & GENSEC_FEATURE_DCE_STYLE) {
292 return true;
293 }
294 if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
295 return true;
296 }
297 return false;
298 }
299
300 /*
301 unseal a packet
302 */
303 static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
304 uint8_t *data, size_t length,
305 const uint8_t *whole_pdu, size_t pdu_length,
306 const DATA_BLOB *sig)
307 {
308 struct schannel_state *state =
309 talloc_get_type(gensec_security->private_data,
310 struct schannel_state);
311
312 return netsec_incoming_packet(state, true,
313 discard_const_p(uint8_t, data),
314 length, sig);
315 }
316
317 /*
318 check the signature on a packet
319 */
320 static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
321 const uint8_t *data, size_t length,
322 const uint8_t *whole_pdu, size_t pdu_length,
323 const DATA_BLOB *sig)
324 {
325 struct schannel_state *state =
326 talloc_get_type(gensec_security->private_data,
327 struct schannel_state);
328
329 return netsec_incoming_packet(state, false,
330 discard_const_p(uint8_t, data),
331 length, sig);
332 }
333 /*
334 seal a packet
335 */
336 static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
337 TALLOC_CTX *mem_ctx,
338 uint8_t *data, size_t length,
339 const uint8_t *whole_pdu, size_t pdu_length,
340 DATA_BLOB *sig)
341 {
342 struct schannel_state *state =
343 talloc_get_type(gensec_security->private_data,
344 struct schannel_state);
345
346 return netsec_outgoing_packet(state, mem_ctx, true,
347 data, length, sig);
348 }
349
350 /*
351 sign a packet
352 */
353 static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
354 TALLOC_CTX *mem_ctx,
355 const uint8_t *data, size_t length,
356 const uint8_t *whole_pdu, size_t pdu_length,
357 DATA_BLOB *sig)
358 {
359 struct schannel_state *state =
360 talloc_get_type(gensec_security->private_data,
361 struct schannel_state);
362
363 return netsec_outgoing_packet(state, mem_ctx, false,
364 discard_const_p(uint8_t, data),
365 length, sig);
366 }
367
368 static const struct gensec_security_ops gensec_schannel_security_ops = {
369 .name = "schannel",
370 .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
371 .client_start = schannel_client_start,
372 .server_start = schannel_server_start,
373 .update = schannel_update,
374 .seal_packet = schannel_seal_packet,
375 .sign_packet = schannel_sign_packet,
376 .check_packet = schannel_check_packet,
377 .unseal_packet = schannel_unseal_packet,
378 .session_key = schannel_session_key,
379 .session_info = schannel_session_info,
380 .sig_size = schannel_sig_size,
381 .have_feature = schannel_have_feature,
382 .enabled = true,
383 .priority = GENSEC_SCHANNEL
384 };
385
386 _PUBLIC_ NTSTATUS gensec_schannel_init(void)
387 {
388 NTSTATUS ret;
389 ret = gensec_register(&gensec_schannel_security_ops);
390 if (!NT_STATUS_IS_OK(ret)) {
391 DEBUG(0,("Failed to register '%s' gensec backend!\n",
392 gensec_schannel_security_ops.name));
393 return ret;
394 }
395
396 return ret;
397 }
Samba GIT mirror