search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
VERSION: Move on to beta9
[Samba/bb.git] / libcli / auth / schannel_state_tdb.c
blob6abb69b2e128b41b60c28010150ce2f0d4507d7f
1 /*
2 Unix SMB/CIFS implementation.
3
4 module to store/fetch session keys for the schannel server
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006-2009
8 Copyright (C) Guenther Deschner 2009
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/filesys.h"
26 #include "../lib/tdb/include/tdb.h"
27 #include "../lib/util/util_tdb.h"
28 #include "../lib/param/param.h"
29 #include "../libcli/auth/schannel.h"
30 #include "../librpc/gen_ndr/ndr_schannel.h"
31 #include "lib/tdb_wrap/tdb_wrap.h"
32
33 #define SECRETS_SCHANNEL_STATE "SECRETS/SCHANNEL"
34
35 /******************************************************************************
36 Open or create the schannel session store tdb. Non-static so it can
37 be called from parent processes to corectly handle TDB_CLEAR_IF_FIRST
38 *******************************************************************************/
39
40 struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx,
41 struct loadparm_context *lp_ctx)
42 {
43 struct tdb_wrap *tdb_sc = NULL;
44 char *fname = lpcfg_private_path(mem_ctx, lp_ctx, "schannel_store.tdb");
45
46 if (!fname) {
47 return NULL;
48 }
49
50 tdb_sc = tdb_wrap_open(mem_ctx, fname, 0, TDB_CLEAR_IF_FIRST|TDB_NOSYNC, O_RDWR|O_CREAT, 0600, lp_ctx);
51
52 if (!tdb_sc) {
53 DEBUG(0,("open_schannel_session_store: Failed to open %s - %s\n",
54 fname, strerror(errno)));
55 TALLOC_FREE(fname);
56 return NULL;
57 }
58
59 TALLOC_FREE(fname);
60
61 return tdb_sc;
62 }
63
64 /********************************************************************
65 ********************************************************************/
66
67 static
68 NTSTATUS schannel_store_session_key_tdb(struct tdb_wrap *tdb_sc,
69 TALLOC_CTX *mem_ctx,
70 struct netlogon_creds_CredentialState *creds)
71 {
72 enum ndr_err_code ndr_err;
73 DATA_BLOB blob;
74 TDB_DATA value;
75 int ret;
76 char *keystr;
77 char *name_upper;
78
79 name_upper = strupper_talloc(mem_ctx, creds->computer_name);
80 if (!name_upper) {
81 return NT_STATUS_NO_MEMORY;
82 }
83
84 keystr = talloc_asprintf(mem_ctx, "%s/%s",
85 SECRETS_SCHANNEL_STATE, name_upper);
86 TALLOC_FREE(name_upper);
87 if (!keystr) {
88 return NT_STATUS_NO_MEMORY;
89 }
90
91 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, creds,
92 (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
93 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
94 talloc_free(keystr);
95 return ndr_map_error2ntstatus(ndr_err);
96 }
97
98 value.dptr = blob.data;
99 value.dsize = blob.length;
100
101 ret = tdb_store_bystring(tdb_sc->tdb, keystr, value, TDB_REPLACE);
102 if (ret != TDB_SUCCESS) {
103 DEBUG(0,("Unable to add %s to session key db - %s\n",
104 keystr, tdb_errorstr(tdb_sc->tdb)));
105 talloc_free(keystr);
106 return NT_STATUS_INTERNAL_DB_CORRUPTION;
107 }
108
109 DEBUG(3,("schannel_store_session_key_tdb: stored schannel info with key %s\n",
110 keystr));
111
112 if (DEBUGLEVEL >= 10) {
113 NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
114 }
115
116 talloc_free(keystr);
117
118 return NT_STATUS_OK;
119 }
120
121 /********************************************************************
122 ********************************************************************/
123
124 static
125 NTSTATUS schannel_fetch_session_key_tdb(struct tdb_wrap *tdb_sc,
126 TALLOC_CTX *mem_ctx,
127 const char *computer_name,
128 struct netlogon_creds_CredentialState **pcreds)
129 {
130 NTSTATUS status;
131 TDB_DATA value;
132 enum ndr_err_code ndr_err;
133 DATA_BLOB blob;
134 struct netlogon_creds_CredentialState *creds = NULL;
135 char *keystr = NULL;
136 char *name_upper;
137
138 *pcreds = NULL;
139
140 name_upper = strupper_talloc(mem_ctx, computer_name);
141 if (!name_upper) {
142 return NT_STATUS_NO_MEMORY;
143 }
144
145 keystr = talloc_asprintf(mem_ctx, "%s/%s",
146 SECRETS_SCHANNEL_STATE, name_upper);
147 TALLOC_FREE(name_upper);
148 if (!keystr) {
149 return NT_STATUS_NO_MEMORY;
150 }
151
152 value = tdb_fetch_bystring(tdb_sc->tdb, keystr);
153 if (!value.dptr) {
154 DEBUG(10,("schannel_fetch_session_key_tdb: Failed to find entry with key %s\n",
155 keystr ));
156 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
157 goto done;
158 }
159
160 creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
161 if (!creds) {
162 status = NT_STATUS_NO_MEMORY;
163 goto done;
164 }
165
166 blob = data_blob_const(value.dptr, value.dsize);
167
168 ndr_err = ndr_pull_struct_blob(&blob, creds, creds,
169 (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
170 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
171 status = ndr_map_error2ntstatus(ndr_err);
172 goto done;
173 }
174
175 if (DEBUGLEVEL >= 10) {
176 NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
177 }
178
179 DEBUG(3,("schannel_fetch_session_key_tdb: restored schannel info key %s\n",
180 keystr));
181
182 status = NT_STATUS_OK;
183
184 done:
185
186 talloc_free(keystr);
187 SAFE_FREE(value.dptr);
188
189 if (!NT_STATUS_IS_OK(status)) {
190 talloc_free(creds);
191 return status;
192 }
193
194 *pcreds = creds;
195
196 return NT_STATUS_OK;
197 }
198
199 /******************************************************************************
200 Wrapper around schannel_fetch_session_key_tdb()
201 Note we must be root here.
202 *******************************************************************************/
203
204 NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
205 struct loadparm_context *lp_ctx,
206 const char *computer_name,
207 struct netlogon_creds_CredentialState **_creds)
208 {
209 TALLOC_CTX *tmpctx;
210 struct tdb_wrap *tdb_sc;
211 struct netlogon_creds_CredentialState *creds;
212 NTSTATUS status;
213
214 tmpctx = talloc_named(mem_ctx, 0, "schannel_get_creds_state");
215 if (!tmpctx) {
216 return NT_STATUS_NO_MEMORY;
217 }
218
219 tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
220 if (!tdb_sc) {
221 return NT_STATUS_ACCESS_DENIED;
222 }
223
224 status = schannel_fetch_session_key_tdb(tdb_sc, tmpctx,
225 computer_name, &creds);
226 if (NT_STATUS_IS_OK(status)) {
227 *_creds = talloc_steal(mem_ctx, creds);
228 if (!*_creds) {
229 status = NT_STATUS_NO_MEMORY;
230 }
231 }
232
233 talloc_free(tmpctx);
234 return status;
235 }
236
237 /******************************************************************************
238 Wrapper around schannel_store_session_key_tdb()
239 Note we must be root here.
240 *******************************************************************************/
241
242 NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
243 struct loadparm_context *lp_ctx,
244 struct netlogon_creds_CredentialState *creds)
245 {
246 TALLOC_CTX *tmpctx;
247 struct tdb_wrap *tdb_sc;
248 NTSTATUS status;
249
250 tmpctx = talloc_named(mem_ctx, 0, "schannel_save_creds_state");
251 if (!tmpctx) {
252 return NT_STATUS_NO_MEMORY;
253 }
254
255 tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
256 if (!tdb_sc) {
257 return NT_STATUS_ACCESS_DENIED;
258 }
259
260 status = schannel_store_session_key_tdb(tdb_sc, tmpctx, creds);
261
262 talloc_free(tmpctx);
263 return status;
264 }
265
266 /********************************************************************
267 Validate an incoming authenticator against the credentials for the
268 remote machine stored in the schannel database.
269
270 The credentials are (re)read and from the schannel database, and
271 written back after the caclulations are performed.
272
273 If the creds_out parameter is not NULL returns the credentials.
274 ********************************************************************/
275
276 NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
277 struct loadparm_context *lp_ctx,
278 const char *computer_name,
279 struct netr_Authenticator *received_authenticator,
280 struct netr_Authenticator *return_authenticator,
281 struct netlogon_creds_CredentialState **creds_out)
282 {
283 TALLOC_CTX *tmpctx;
284 struct tdb_wrap *tdb_sc;
285 struct netlogon_creds_CredentialState *creds;
286 NTSTATUS status;
287 int ret;
288
289 tmpctx = talloc_named(mem_ctx, 0, "schannel_check_creds_state");
290 if (!tmpctx) {
291 return NT_STATUS_NO_MEMORY;
292 }
293
294 tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
295 if (!tdb_sc) {
296 status = NT_STATUS_ACCESS_DENIED;
297 goto done;
298 }
299
300 ret = tdb_transaction_start(tdb_sc->tdb);
301 if (ret != 0) {
302 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
303 goto done;
304 }
305
306 /* Because this is a shared structure (even across
307 * disconnects) we must update the database every time we
308 * update the structure */
309
310 status = schannel_fetch_session_key_tdb(tdb_sc, tmpctx,
311 computer_name, &creds);
312 if (!NT_STATUS_IS_OK(status)) {
313 tdb_transaction_cancel(tdb_sc->tdb);
314 goto done;
315 }
316
317 status = netlogon_creds_server_step_check(creds,
318 received_authenticator,
319 return_authenticator);
320 if (!NT_STATUS_IS_OK(status)) {
321 tdb_transaction_cancel(tdb_sc->tdb);
322 goto done;
323 }
324
325 status = schannel_store_session_key_tdb(tdb_sc, tmpctx, creds);
326 if (!NT_STATUS_IS_OK(status)) {
327 tdb_transaction_cancel(tdb_sc->tdb);
328 goto done;
329 }
330
331 tdb_transaction_commit(tdb_sc->tdb);
332
333 if (creds_out) {
334 *creds_out = talloc_steal(mem_ctx, creds);
335 if (!*creds_out) {
336 status = NT_STATUS_NO_MEMORY;
337 goto done;
338 }
339 }
340
341 status = NT_STATUS_OK;
342
343 done:
344 talloc_free(tmpctx);
345 return status;
346 }
347