search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'master' of /home/tridge/samba/git/combined
[Samba/aatanasov.git] / source4 / librpc / rpc / dcerpc_schannel.c
blobc678a674c17bfc6aa5fa6ae9dfdcb29ec922b0b9
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "auth/auth.h"
26 #include "libcli/composite/composite.h"
27 #include "libcli/auth/libcli_auth.h"
28 #include "librpc/gen_ndr/ndr_netlogon.h"
29 #include "librpc/gen_ndr/ndr_netlogon_c.h"
30 #include "auth/credentials/credentials.h"
31 #include "librpc/rpc/dcerpc_proto.h"
32 #include "param/param.h"
33
34 struct schannel_key_state {
35 struct dcerpc_pipe *pipe;
36 struct dcerpc_pipe *pipe2;
37 struct dcerpc_binding *binding;
38 struct cli_credentials *credentials;
39 struct netlogon_creds_CredentialState *creds;
40 uint32_t negotiate_flags;
41 struct netr_Credential credentials1;
42 struct netr_Credential credentials2;
43 struct netr_Credential credentials3;
44 struct netr_ServerReqChallenge r;
45 struct netr_ServerAuthenticate2 a;
46 const struct samr_Password *mach_pwd;
47 };
48
49
50 static void continue_secondary_connection(struct composite_context *ctx);
51 static void continue_bind_auth_none(struct composite_context *ctx);
52 static void continue_srv_challenge(struct rpc_request *req);
53 static void continue_srv_auth2(struct rpc_request *req);
54
55
56 /*
57 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
58 rpc connection
59 */
60 static void continue_epm_map_binding(struct composite_context *ctx)
61 {
62 struct composite_context *c;
63 struct schannel_key_state *s;
64 struct composite_context *sec_conn_req;
65
66 c = talloc_get_type(ctx->async.private_data, struct composite_context);
67 s = talloc_get_type(c->private_data, struct schannel_key_state);
68
69 /* receive endpoint mapping */
70 c->status = dcerpc_epm_map_binding_recv(ctx);
71 if (!NT_STATUS_IS_OK(c->status)) {
72 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
73 NDR_NETLOGON_UUID, nt_errstr(c->status)));
74 composite_error(c, c->status);
75 return;
76 }
77
78 /* send a request for secondary rpc connection */
79 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
80 s->binding);
81 if (composite_nomem(sec_conn_req, c)) return;
82
83 composite_continue(c, sec_conn_req, continue_secondary_connection, c);
84 }
85
86
87 /*
88 Stage 3 of schannel_key: Receive secondary rpc connection and perform
89 non-authenticated bind request
90 */
91 static void continue_secondary_connection(struct composite_context *ctx)
92 {
93 struct composite_context *c;
94 struct schannel_key_state *s;
95 struct composite_context *auth_none_req;
96
97 c = talloc_get_type(ctx->async.private_data, struct composite_context);
98 s = talloc_get_type(c->private_data, struct schannel_key_state);
99
100 /* receive secondary rpc connection */
101 c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
102 if (!composite_is_ok(c)) return;
103
104 talloc_steal(s, s->pipe2);
105
106 /* initiate a non-authenticated bind */
107 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
108 if (composite_nomem(auth_none_req, c)) return;
109
110 composite_continue(c, auth_none_req, continue_bind_auth_none, c);
111 }
112
113
114 /*
115 Stage 4 of schannel_key: Receive non-authenticated bind and get
116 a netlogon challenge
117 */
118 static void continue_bind_auth_none(struct composite_context *ctx)
119 {
120 struct composite_context *c;
121 struct schannel_key_state *s;
122 struct rpc_request *srv_challenge_req;
123
124 c = talloc_get_type(ctx->async.private_data, struct composite_context);
125 s = talloc_get_type(c->private_data, struct schannel_key_state);
126
127 /* receive result of non-authenticated bind request */
128 c->status = dcerpc_bind_auth_none_recv(ctx);
129 if (!composite_is_ok(c)) return;
130
131 /* prepare a challenge request */
132 s->r.in.server_name = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
133 if (composite_nomem(s->r.in.server_name, c)) return;
134 s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
135 s->r.in.credentials = &s->credentials1;
136 s->r.out.return_credentials = &s->credentials2;
137
138 generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
139
140 /*
141 request a netlogon challenge - a rpc request over opened secondary pipe
142 */
143 srv_challenge_req = dcerpc_netr_ServerReqChallenge_send(s->pipe2, c, &s->r);
144 if (composite_nomem(srv_challenge_req, c)) return;
145
146 composite_continue_rpc(c, srv_challenge_req, continue_srv_challenge, c);
147 }
148
149
150 /*
151 Stage 5 of schannel_key: Receive a challenge and perform authentication
152 on the netlogon pipe
153 */
154 static void continue_srv_challenge(struct rpc_request *req)
155 {
156 struct composite_context *c;
157 struct schannel_key_state *s;
158 struct rpc_request *srv_auth2_req;
159
160 c = talloc_get_type(req->async.private_data, struct composite_context);
161 s = talloc_get_type(c->private_data, struct schannel_key_state);
162
163 /* receive rpc request result - netlogon challenge */
164 c->status = dcerpc_ndr_request_recv(req);
165 if (!composite_is_ok(c)) return;
166
167 /* prepare credentials for auth2 request */
168 s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
169
170 /* auth2 request arguments */
171 s->a.in.server_name = s->r.in.server_name;
172 s->a.in.account_name = cli_credentials_get_username(s->credentials);
173 s->a.in.secure_channel_type =
174 cli_credentials_get_secure_channel_type(s->credentials);
175 s->a.in.computer_name = cli_credentials_get_workstation(s->credentials);
176 s->a.in.negotiate_flags = &s->negotiate_flags;
177 s->a.in.credentials = &s->credentials3;
178 s->a.out.negotiate_flags = &s->negotiate_flags;
179 s->a.out.return_credentials = &s->credentials3;
180
181 s->creds = netlogon_creds_client_init(s,
182 s->a.in.account_name,
183 s->a.in.computer_name,
184 &s->credentials1, &s->credentials2,
185 s->mach_pwd, &s->credentials3, s->negotiate_flags);
186 if (composite_nomem(s->creds, c)) {
187 return;
188 }
189 /*
190 authenticate on the netlogon pipe - a rpc request over secondary pipe
191 */
192 srv_auth2_req = dcerpc_netr_ServerAuthenticate2_send(s->pipe2, c, &s->a);
193 if (composite_nomem(srv_auth2_req, c)) return;
194
195 composite_continue_rpc(c, srv_auth2_req, continue_srv_auth2, c);
196 }
197
198
199 /*
200 Stage 6 of schannel_key: Receive authentication request result and verify
201 received credentials
202 */
203 static void continue_srv_auth2(struct rpc_request *req)
204 {
205 struct composite_context *c;
206 struct schannel_key_state *s;
207
208 c = talloc_get_type(req->async.private_data, struct composite_context);
209 s = talloc_get_type(c->private_data, struct schannel_key_state);
210
211 /* receive rpc request result - auth2 credentials */
212 c->status = dcerpc_ndr_request_recv(req);
213 if (!composite_is_ok(c)) return;
214
215 /* verify credentials */
216 if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
217 composite_error(c, NT_STATUS_UNSUCCESSFUL);
218 return;
219 }
220
221 /* setup current netlogon credentials */
222 cli_credentials_set_netlogon_creds(s->credentials, s->creds);
223
224 composite_done(c);
225 }
226
227
228 /*
229 Initiate establishing a schannel key using netlogon challenge
230 on a secondary pipe
231 */
232 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
233 struct dcerpc_pipe *p,
234 struct cli_credentials *credentials,
235 struct loadparm_context *lp_ctx)
236 {
237 struct composite_context *c;
238 struct schannel_key_state *s;
239 struct composite_context *epm_map_req;
240
241 /* composite context allocation and setup */
242 c = composite_create(mem_ctx, p->conn->event_ctx);
243 if (c == NULL) return NULL;
244
245 s = talloc_zero(c, struct schannel_key_state);
246 if (composite_nomem(s, c)) return c;
247 c->private_data = s;
248
249 /* store parameters in the state structure */
250 s->pipe = p;
251 s->credentials = credentials;
252
253 /* allocate credentials */
254 /* type of authentication depends on schannel type */
255 if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
256 s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
257 } else {
258 s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
259 }
260
261 /* allocate binding structure */
262 s->binding = talloc(c, struct dcerpc_binding);
263 if (composite_nomem(s->binding, c)) return c;
264
265 *s->binding = *s->pipe->binding;
266
267 /* request the netlogon endpoint mapping */
268 epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
269 &ndr_table_netlogon,
270 s->pipe->conn->event_ctx,
271 lp_ctx);
272 if (composite_nomem(epm_map_req, c)) return c;
273
274 composite_continue(c, epm_map_req, continue_epm_map_binding, c);
275 return c;
276 }
277
278
279 /*
280 Receive result of schannel key request
281 */
282 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
283 {
284 NTSTATUS status = composite_wait(c);
285
286 talloc_free(c);
287 return status;
288 }
289
290
291 struct auth_schannel_state {
292 struct dcerpc_pipe *pipe;
293 struct cli_credentials *credentials;
294 const struct ndr_interface_table *table;
295 struct loadparm_context *lp_ctx;
296 uint8_t auth_level;
297 };
298
299
300 static void continue_bind_auth(struct composite_context *ctx);
301
302
303 /*
304 Stage 2 of auth_schannel: Receive schannel key and intitiate an
305 authenticated bind using received credentials
306 */
307 static void continue_schannel_key(struct composite_context *ctx)
308 {
309 struct composite_context *auth_req;
310 struct composite_context *c = talloc_get_type(ctx->async.private_data,
311 struct composite_context);
312 struct auth_schannel_state *s = talloc_get_type(c->private_data,
313 struct auth_schannel_state);
314
315 /* receive schannel key */
316 c->status = dcerpc_schannel_key_recv(ctx);
317 if (!composite_is_ok(c)) {
318 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
319 cli_credentials_get_username(s->credentials), nt_errstr(c->status)));
320 return;
321 }
322
323 /* send bind auth request with received creds */
324 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
325 lp_gensec_settings(c, s->lp_ctx),
326 DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
327 NULL);
328 if (composite_nomem(auth_req, c)) return;
329
330 composite_continue(c, auth_req, continue_bind_auth, c);
331 }
332
333
334 /*
335 Stage 3 of auth_schannel: Receivce result of authenticated bind
336 and say if we're done ok.
337 */
338 static void continue_bind_auth(struct composite_context *ctx)
339 {
340 struct composite_context *c = talloc_get_type(ctx->async.private_data,
341 struct composite_context);
342
343 c->status = dcerpc_bind_auth_recv(ctx);
344 if (!composite_is_ok(c)) return;
345
346 composite_done(c);
347 }
348
349
350 /*
351 Initiate schannel authentication request
352 */
353 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
354 struct dcerpc_pipe *p,
355 const struct ndr_interface_table *table,
356 struct cli_credentials *credentials,
357 struct loadparm_context *lp_ctx,
358 uint8_t auth_level)
359 {
360 struct composite_context *c;
361 struct auth_schannel_state *s;
362 struct composite_context *schan_key_req;
363
364 /* composite context allocation and setup */
365 c = composite_create(tmp_ctx, p->conn->event_ctx);
366 if (c == NULL) return NULL;
367
368 s = talloc_zero(c, struct auth_schannel_state);
369 if (composite_nomem(s, c)) return c;
370 c->private_data = s;
371
372 /* store parameters in the state structure */
373 s->pipe = p;
374 s->credentials = credentials;
375 s->table = table;
376 s->auth_level = auth_level;
377 s->lp_ctx = lp_ctx;
378
379 /* start getting schannel key first */
380 schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
381 if (composite_nomem(schan_key_req, c)) return c;
382
383 composite_continue(c, schan_key_req, continue_schannel_key, c);
384 return c;
385 }
386
387
388 /*
389 Receive result of schannel authentication request
390 */
391 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
392 {
393 NTSTATUS status = composite_wait(c);
394
395 talloc_free(c);
396 return status;
397 }
398
399
400 /*
401 Perform schannel authenticated bind - sync version
402 */
403 _PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
404 struct dcerpc_pipe *p,
405 const struct ndr_interface_table *table,
406 struct cli_credentials *credentials,
407 struct loadparm_context *lp_ctx,
408 uint8_t auth_level)
409 {
410 struct composite_context *c;
411
412 c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
413 auth_level);
414 return dcerpc_bind_auth_schannel_recv(c);
415 }
aatanasov's samba4 branch