search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4: Remove targetdir as it can cause some trouble and can be replaced by an adapted...
[Samba/ekacnet.git] / source4 / ntp_signd / ntp_signd.c
blobc611a756926312f0aa822fee504b5f3c42898cf5
1 /*
2 Unix SMB/CIFS implementation.
3
4 NTP packet signing server
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "smbd/service_task.h"
26 #include "smbd/service.h"
27 #include "smbd/service_stream.h"
28 #include "smbd/process_model.h"
29 #include "lib/stream/packet.h"
30 #include "librpc/gen_ndr/ndr_ntp_signd.h"
31 #include "param/param.h"
32 #include "dsdb/samdb/samdb.h"
33 #include "auth/auth.h"
34 #include "libcli/security/security.h"
35 #include "lib/ldb/include/ldb.h"
36 #include "lib/ldb/include/ldb_errors.h"
37 #include "../lib/crypto/md5.h"
38 #include "system/passwd.h"
39
40 /*
41 top level context structure for the ntp_signd server
42 */
43 struct ntp_signd_server {
44 struct task_server *task;
45 struct ldb_context *samdb;
46 };
47
48 /*
49 state of an open connection
50 */
51 struct ntp_signd_connection {
52 /* stream connection we belong to */
53 struct stream_connection *conn;
54
55 /* the ntp_signd_server the connection belongs to */
56 struct ntp_signd_server *ntp_signd;
57
58 struct packet_context *packet;
59 };
60
61 static void ntp_signd_terminate_connection(struct ntp_signd_connection *ntp_signdconn, const char *reason)
62 {
63 stream_terminate_connection(ntp_signdconn->conn, reason);
64 }
65
66 static NTSTATUS signing_failure(struct ntp_signd_connection *ntp_signdconn,
67 uint32_t packet_id)
68 {
69 NTSTATUS status;
70 struct signed_reply signed_reply;
71 TALLOC_CTX *tmp_ctx = talloc_new(ntp_signdconn);
72 DATA_BLOB reply, blob;
73 enum ndr_err_code ndr_err;
74
75 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
76
77 signed_reply.op = SIGNING_FAILURE;
78 signed_reply.packet_id = packet_id;
79 signed_reply.signed_packet = data_blob(NULL, 0);
80
81 ndr_err = ndr_push_struct_blob(&reply, tmp_ctx,
82 lp_iconv_convenience(ntp_signdconn->ntp_signd->task->lp_ctx),
83 &signed_reply,
84 (ndr_push_flags_fn_t)ndr_push_signed_reply);
85
86 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
87 DEBUG(1,("failed to push ntp error reply\n"));
88 talloc_free(tmp_ctx);
89 return ndr_map_error2ntstatus(ndr_err);
90 }
91
92 blob = data_blob_talloc(ntp_signdconn, NULL, reply.length + 4);
93 if (!blob.data) {
94 talloc_free(tmp_ctx);
95 return NT_STATUS_NO_MEMORY;
96 }
97
98 RSIVAL(blob.data, 0, reply.length);
99 memcpy(blob.data + 4, reply.data, reply.length);
100
101 status = packet_send(ntp_signdconn->packet, blob);
102
103 /* the call isn't needed any more */
104 talloc_free(tmp_ctx);
105
106 return status;
107 }
108
109 /*
110 receive a full packet on a NTP_SIGND connection
111 */
112 static NTSTATUS ntp_signd_recv(void *private_data, DATA_BLOB wrapped_input)
113 {
114 struct ntp_signd_connection *ntp_signdconn = talloc_get_type(private_data,
115 struct ntp_signd_connection);
116 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
117 TALLOC_CTX *tmp_ctx = talloc_new(ntp_signdconn);
118 DATA_BLOB input, output, wrapped_output;
119 const struct dom_sid *domain_sid;
120 struct dom_sid *sid;
121 struct sign_request sign_request;
122 struct signed_reply signed_reply;
123 enum ndr_err_code ndr_err;
124 struct ldb_result *res;
125 const char *attrs[] = { "unicodePwd", "userAccountControl", "cn", NULL };
126 struct MD5Context ctx;
127 struct samr_Password *nt_hash;
128 uint32_t user_account_control;
129 int ret;
130
131 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
132
133 talloc_steal(tmp_ctx, wrapped_input.data);
134
135 input = data_blob_const(wrapped_input.data + 4, wrapped_input.length - 4);
136
137 ndr_err = ndr_pull_struct_blob_all(&input, tmp_ctx,
138 lp_iconv_convenience(ntp_signdconn->ntp_signd->task->lp_ctx),
139 &sign_request,
140 (ndr_pull_flags_fn_t)ndr_pull_sign_request);
141
142 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
143 DEBUG(1,("failed to parse ntp signing request\n"));
144 dump_data(1, input.data, input.length);
145 return ndr_map_error2ntstatus(ndr_err);
146 }
147
148 /* We need to implement 'check signature' and 'request server
149 * to sign' operations at some point */
150 if (sign_request.op != SIGN_TO_CLIENT) {
151 talloc_free(tmp_ctx);
152 return signing_failure(ntp_signdconn, sign_request.packet_id);
153 }
154
155 /* We need to implement 'check signature' and 'request server
156 * to sign' operations at some point */
157 if (sign_request.version != NTP_SIGND_PROTOCOL_VERSION_0) {
158 talloc_free(tmp_ctx);
159 return signing_failure(ntp_signdconn, sign_request.packet_id);
160 }
161
162 domain_sid = samdb_domain_sid(ntp_signdconn->ntp_signd->samdb);
163 if (!domain_sid) {
164 talloc_free(tmp_ctx);
165 return signing_failure(ntp_signdconn, sign_request.packet_id);
166 }
167
168 /* The top bit is a 'key selector' */
169 sid = dom_sid_add_rid(tmp_ctx, domain_sid, sign_request.key_id & 0x7FFFFFFF);
170 if (!sid) {
171 talloc_free(tmp_ctx);
172 return signing_failure(ntp_signdconn, sign_request.packet_id);
173 }
174
175 ret = ldb_search(ntp_signdconn->ntp_signd->samdb, tmp_ctx,
176 &res, samdb_base_dn(ntp_signdconn->ntp_signd->samdb),
177 LDB_SCOPE_SUBTREE, attrs, "(&(objectSid=%s)(objectClass=user))",
178 dom_sid_string(tmp_ctx, sid));
179 if (ret != LDB_SUCCESS) {
180 DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: %s\n", dom_sid_string(tmp_ctx, sid),
181 ldb_errstring(ntp_signdconn->ntp_signd->samdb)));
182 talloc_free(tmp_ctx);
183 return signing_failure(ntp_signdconn, sign_request.packet_id);
184 }
185
186 if (res->count == 0) {
187 DEBUG(5, ("Failed to find SID %s in SAM for NTP signing\n", dom_sid_string(tmp_ctx, sid)));
188 } else if (res->count != 1) {
189 DEBUG(1, ("Found SID %s %u times in SAM for NTP signing\n", dom_sid_string(tmp_ctx, sid), res->count));
190 talloc_free(tmp_ctx);
191 return signing_failure(ntp_signdconn, sign_request.packet_id);
192 }
193
194 user_account_control = ldb_msg_find_attr_as_uint(res->msgs[0], "userAccountControl", 0);
195
196 if (user_account_control & UF_ACCOUNTDISABLE) {
197 DEBUG(1, ("Account %s for SID [%s] is disabled\n", ldb_dn_get_linearized(res->msgs[0]->dn), dom_sid_string(tmp_ctx, sid)));
198 talloc_free(tmp_ctx);
199 return NT_STATUS_ACCESS_DENIED;
200 }
201
202 if (!(user_account_control & (UF_INTERDOMAIN_TRUST_ACCOUNT|UF_SERVER_TRUST_ACCOUNT|UF_WORKSTATION_TRUST_ACCOUNT))) {
203 DEBUG(1, ("Account %s for SID [%s] is not a trust account\n", ldb_dn_get_linearized(res->msgs[0]->dn), dom_sid_string(tmp_ctx, sid)));
204 talloc_free(tmp_ctx);
205 return NT_STATUS_ACCESS_DENIED;
206 }
207
208 nt_hash = samdb_result_hash(tmp_ctx, res->msgs[0], "unicodePwd");
209 if (!nt_hash) {
210 DEBUG(1, ("No unicodePwd found on record of SID %s for NTP signing\n", dom_sid_string(tmp_ctx, sid)));
211 talloc_free(tmp_ctx);
212 return signing_failure(ntp_signdconn, sign_request.packet_id);
213 }
214
215 /* Generate the reply packet */
216 signed_reply.packet_id = sign_request.packet_id;
217 signed_reply.op = SIGNING_SUCCESS;
218 signed_reply.signed_packet = data_blob_talloc(tmp_ctx,
219 NULL,
220 sign_request.packet_to_sign.length + 20);
221
222 if (!signed_reply.signed_packet.data) {
223 talloc_free(tmp_ctx);
224 return signing_failure(ntp_signdconn, sign_request.packet_id);
225 }
226
227 memcpy(signed_reply.signed_packet.data, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
228 SIVAL(signed_reply.signed_packet.data, sign_request.packet_to_sign.length, sign_request.key_id);
229
230 /* Sign the NTP response with the unicodePwd */
231 MD5Init(&ctx);
232 MD5Update(&ctx, nt_hash->hash, sizeof(nt_hash->hash));
233 MD5Update(&ctx, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
234 MD5Final(signed_reply.signed_packet.data + sign_request.packet_to_sign.length + 4, &ctx);
235
236
237 /* Place it into the packet for the wire */
238 ndr_err = ndr_push_struct_blob(&output, tmp_ctx,
239 lp_iconv_convenience(ntp_signdconn->ntp_signd->task->lp_ctx),
240 &signed_reply,
241 (ndr_push_flags_fn_t)ndr_push_signed_reply);
242
243 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
244 DEBUG(1,("failed to push ntp error reply\n"));
245 talloc_free(tmp_ctx);
246 return ndr_map_error2ntstatus(ndr_err);
247 }
248
249 wrapped_output = data_blob_talloc(ntp_signdconn, NULL, output.length + 4);
250 if (!wrapped_output.data) {
251 talloc_free(tmp_ctx);
252 return NT_STATUS_NO_MEMORY;
253 }
254
255 /* The 'wire' transport for this is wrapped with a 4 byte network byte order length */
256 RSIVAL(wrapped_output.data, 0, output.length);
257 memcpy(wrapped_output.data + 4, output.data, output.length);
258
259 status = packet_send(ntp_signdconn->packet, wrapped_output);
260
261 /* the call isn't needed any more */
262 talloc_free(tmp_ctx);
263 return status;
264 }
265
266 /*
267 receive some data on a NTP_SIGND connection
268 */
269 static void ntp_signd_recv_handler(struct stream_connection *conn, uint16_t flags)
270 {
271 struct ntp_signd_connection *ntp_signdconn = talloc_get_type(conn->private_data,
272 struct ntp_signd_connection);
273 packet_recv(ntp_signdconn->packet);
274 }
275
276 /*
277 called on a tcp recv error
278 */
279 static void ntp_signd_recv_error(void *private_data, NTSTATUS status)
280 {
281 struct ntp_signd_connection *ntp_signdconn = talloc_get_type(private_data, struct ntp_signd_connection);
282 ntp_signd_terminate_connection(ntp_signdconn, nt_errstr(status));
283 }
284
285 /*
286 called when we can write to a connection
287 */
288 static void ntp_signd_send(struct stream_connection *conn, uint16_t flags)
289 {
290 struct ntp_signd_connection *ntp_signdconn = talloc_get_type(conn->private_data,
291 struct ntp_signd_connection);
292 packet_queue_run(ntp_signdconn->packet);
293 }
294
295 /*
296 called when we get a new connection
297 */
298 static void ntp_signd_accept(struct stream_connection *conn)
299 {
300 struct ntp_signd_server *ntp_signd = talloc_get_type(conn->private_data, struct ntp_signd_server);
301 struct ntp_signd_connection *ntp_signdconn;
302
303 ntp_signdconn = talloc_zero(conn, struct ntp_signd_connection);
304 if (!ntp_signdconn) {
305 stream_terminate_connection(conn, "ntp_signd_accept: out of memory");
306 return;
307 }
308 ntp_signdconn->conn = conn;
309 ntp_signdconn->ntp_signd = ntp_signd;
310 conn->private_data = ntp_signdconn;
311
312 ntp_signdconn->packet = packet_init(ntp_signdconn);
313 if (ntp_signdconn->packet == NULL) {
314 ntp_signd_terminate_connection(ntp_signdconn, "ntp_signd_accept: out of memory");
315 return;
316 }
317 packet_set_private(ntp_signdconn->packet, ntp_signdconn);
318 packet_set_socket(ntp_signdconn->packet, conn->socket);
319 packet_set_callback(ntp_signdconn->packet, ntp_signd_recv);
320 packet_set_full_request(ntp_signdconn->packet, packet_full_request_u32);
321 packet_set_error_handler(ntp_signdconn->packet, ntp_signd_recv_error);
322 packet_set_event_context(ntp_signdconn->packet, conn->event.ctx);
323 packet_set_fde(ntp_signdconn->packet, conn->event.fde);
324 packet_set_serialise(ntp_signdconn->packet);
325 }
326
327 static const struct stream_server_ops ntp_signd_stream_ops = {
328 .name = "ntp_signd",
329 .accept_connection = ntp_signd_accept,
330 .recv_handler = ntp_signd_recv_handler,
331 .send_handler = ntp_signd_send
332 };
333
334 /*
335 startup the ntp_signd task
336 */
337 static void ntp_signd_task_init(struct task_server *task)
338 {
339 struct ntp_signd_server *ntp_signd;
340 NTSTATUS status;
341
342 const struct model_ops *model_ops;
343
344 const char *address;
345
346 if (!directory_create_or_exist(lp_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0755)) {
347 char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s",
348 lp_ntp_signd_socket_directory(task->lp_ctx));
349 task_server_terminate(task,
350 error, true);
351 return;
352 }
353
354 /* within the ntp_signd task we want to be a single process, so
355 ask for the single process model ops and pass these to the
356 stream_setup_socket() call. */
357 model_ops = process_model_startup(task->event_ctx, "single");
358 if (!model_ops) {
359 DEBUG(0,("Can't find 'single' process model_ops\n"));
360 return;
361 }
362
363 task_server_set_title(task, "task[ntp_signd]");
364
365 ntp_signd = talloc(task, struct ntp_signd_server);
366 if (ntp_signd == NULL) {
367 task_server_terminate(task, "ntp_signd: out of memory", true);
368 return;
369 }
370
371 ntp_signd->task = task;
372
373 /* Must be system to get at the password hashes */
374 ntp_signd->samdb = samdb_connect(ntp_signd, task->event_ctx, task->lp_ctx, system_session(task->lp_ctx));
375 if (ntp_signd->samdb == NULL) {
376 task_server_terminate(task, "ntp_signd failed to open samdb", true);
377 return;
378 }
379
380 address = talloc_asprintf(ntp_signd, "%s/socket", lp_ntp_signd_socket_directory(task->lp_ctx));
381
382 status = stream_setup_socket(ntp_signd->task->event_ctx,
383 ntp_signd->task->lp_ctx,
384 model_ops,
385 &ntp_signd_stream_ops,
386 "unix", address, NULL,
387 lp_socket_options(ntp_signd->task->lp_ctx),
388 ntp_signd);
389 if (!NT_STATUS_IS_OK(status)) {
390 DEBUG(0,("Failed to bind to %s - %s\n",
391 address, nt_errstr(status)));
392 return;
393 }
394
395 }
396
397
398 /* called at smbd startup - register ourselves as a server service */
399 NTSTATUS server_service_ntp_signd_init(void)
400 {
401 return register_server_service("ntp_signd", ntp_signd_task_init);
402 }