2 Unix SMB/CIFS implementation.
4 dcerpc schannel operations
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "auth/auth.h"
27 #include "libcli/composite/composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "librpc/gen_ndr/ndr_netlogon.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "auth/credentials/credentials.h"
32 #include "librpc/rpc/dcerpc_proto.h"
33 #include "param/param.h"
35 struct schannel_key_state
{
36 struct dcerpc_pipe
*pipe
;
37 struct dcerpc_pipe
*pipe2
;
38 struct dcerpc_binding
*binding
;
39 bool dcerpc_schannel_auto
;
40 struct cli_credentials
*credentials
;
41 struct netlogon_creds_CredentialState
*creds
;
42 uint32_t local_negotiate_flags
;
43 uint32_t remote_negotiate_flags
;
44 struct netr_Credential credentials1
;
45 struct netr_Credential credentials2
;
46 struct netr_Credential credentials3
;
47 struct netr_ServerReqChallenge r
;
48 struct netr_ServerAuthenticate2 a
;
49 const struct samr_Password
*mach_pwd
;
53 static void continue_secondary_connection(struct composite_context
*ctx
);
54 static void continue_bind_auth_none(struct composite_context
*ctx
);
55 static void continue_srv_challenge(struct tevent_req
*subreq
);
56 static void continue_srv_auth2(struct tevent_req
*subreq
);
60 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
63 static void continue_epm_map_binding(struct composite_context
*ctx
)
65 struct composite_context
*c
;
66 struct schannel_key_state
*s
;
67 struct composite_context
*sec_conn_req
;
69 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
70 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
72 /* receive endpoint mapping */
73 c
->status
= dcerpc_epm_map_binding_recv(ctx
);
74 if (!NT_STATUS_IS_OK(c
->status
)) {
75 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
76 NDR_NETLOGON_UUID
, nt_errstr(c
->status
)));
77 composite_error(c
, c
->status
);
81 /* send a request for secondary rpc connection */
82 sec_conn_req
= dcerpc_secondary_connection_send(s
->pipe
,
84 if (composite_nomem(sec_conn_req
, c
)) return;
86 composite_continue(c
, sec_conn_req
, continue_secondary_connection
, c
);
91 Stage 3 of schannel_key: Receive secondary rpc connection and perform
92 non-authenticated bind request
94 static void continue_secondary_connection(struct composite_context
*ctx
)
96 struct composite_context
*c
;
97 struct schannel_key_state
*s
;
98 struct composite_context
*auth_none_req
;
100 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
101 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
103 /* receive secondary rpc connection */
104 c
->status
= dcerpc_secondary_connection_recv(ctx
, &s
->pipe2
);
105 if (!composite_is_ok(c
)) return;
107 talloc_steal(s
, s
->pipe2
);
109 /* initiate a non-authenticated bind */
110 auth_none_req
= dcerpc_bind_auth_none_send(c
, s
->pipe2
, &ndr_table_netlogon
);
111 if (composite_nomem(auth_none_req
, c
)) return;
113 composite_continue(c
, auth_none_req
, continue_bind_auth_none
, c
);
118 Stage 4 of schannel_key: Receive non-authenticated bind and get
121 static void continue_bind_auth_none(struct composite_context
*ctx
)
123 struct composite_context
*c
;
124 struct schannel_key_state
*s
;
125 struct tevent_req
*subreq
;
127 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
128 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
130 /* receive result of non-authenticated bind request */
131 c
->status
= dcerpc_bind_auth_none_recv(ctx
);
132 if (!composite_is_ok(c
)) return;
134 /* prepare a challenge request */
135 s
->r
.in
.server_name
= talloc_asprintf(c
, "\\\\%s", dcerpc_server_name(s
->pipe
));
136 if (composite_nomem(s
->r
.in
.server_name
, c
)) return;
137 s
->r
.in
.computer_name
= cli_credentials_get_workstation(s
->credentials
);
138 s
->r
.in
.credentials
= &s
->credentials1
;
139 s
->r
.out
.return_credentials
= &s
->credentials2
;
141 generate_random_buffer(s
->credentials1
.data
, sizeof(s
->credentials1
.data
));
144 request a netlogon challenge - a rpc request over opened secondary pipe
146 subreq
= dcerpc_netr_ServerReqChallenge_r_send(s
, c
->event_ctx
,
147 s
->pipe2
->binding_handle
,
149 if (composite_nomem(subreq
, c
)) return;
151 tevent_req_set_callback(subreq
, continue_srv_challenge
, c
);
156 Stage 5 of schannel_key: Receive a challenge and perform authentication
159 static void continue_srv_challenge(struct tevent_req
*subreq
)
161 struct composite_context
*c
;
162 struct schannel_key_state
*s
;
164 c
= tevent_req_callback_data(subreq
, struct composite_context
);
165 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
167 /* receive rpc request result - netlogon challenge */
168 c
->status
= dcerpc_netr_ServerReqChallenge_r_recv(subreq
, s
);
170 if (!composite_is_ok(c
)) return;
172 /* prepare credentials for auth2 request */
173 s
->mach_pwd
= cli_credentials_get_nt_hash(s
->credentials
, c
);
175 /* auth2 request arguments */
176 s
->a
.in
.server_name
= s
->r
.in
.server_name
;
177 s
->a
.in
.account_name
= cli_credentials_get_username(s
->credentials
);
178 s
->a
.in
.secure_channel_type
=
179 cli_credentials_get_secure_channel_type(s
->credentials
);
180 s
->a
.in
.computer_name
= cli_credentials_get_workstation(s
->credentials
);
181 s
->a
.in
.negotiate_flags
= &s
->local_negotiate_flags
;
182 s
->a
.in
.credentials
= &s
->credentials3
;
183 s
->a
.out
.negotiate_flags
= &s
->remote_negotiate_flags
;
184 s
->a
.out
.return_credentials
= &s
->credentials3
;
186 s
->creds
= netlogon_creds_client_init(s
,
187 s
->a
.in
.account_name
,
188 s
->a
.in
.computer_name
,
189 &s
->credentials1
, &s
->credentials2
,
190 s
->mach_pwd
, &s
->credentials3
,
191 s
->local_negotiate_flags
);
192 if (composite_nomem(s
->creds
, c
)) {
196 authenticate on the netlogon pipe - a rpc request over secondary pipe
198 subreq
= dcerpc_netr_ServerAuthenticate2_r_send(s
, c
->event_ctx
,
199 s
->pipe2
->binding_handle
,
201 if (composite_nomem(subreq
, c
)) return;
203 tevent_req_set_callback(subreq
, continue_srv_auth2
, c
);
208 Stage 6 of schannel_key: Receive authentication request result and verify
211 static void continue_srv_auth2(struct tevent_req
*subreq
)
213 struct composite_context
*c
;
214 struct schannel_key_state
*s
;
216 c
= tevent_req_callback_data(subreq
, struct composite_context
);
217 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
219 /* receive rpc request result - auth2 credentials */
220 c
->status
= dcerpc_netr_ServerAuthenticate2_r_recv(subreq
, s
);
222 if (!composite_is_ok(c
)) return;
224 if (!NT_STATUS_EQUAL(s
->a
.out
.result
, NT_STATUS_ACCESS_DENIED
) &&
225 !NT_STATUS_IS_OK(s
->a
.out
.result
)) {
226 composite_error(c
, s
->a
.out
.result
);
231 * Strong keys could be unsupported (NT4) or disables. So retry with the
232 * flags returned by the server. - asn
234 if (NT_STATUS_EQUAL(s
->a
.out
.result
, NT_STATUS_ACCESS_DENIED
)) {
235 uint32_t lf
= s
->local_negotiate_flags
;
236 const char *ln
= NULL
;
237 uint32_t rf
= s
->remote_negotiate_flags
;
238 const char *rn
= NULL
;
240 if (!s
->dcerpc_schannel_auto
) {
241 composite_error(c
, s
->a
.out
.result
);
244 s
->dcerpc_schannel_auto
= false;
246 if (lf
& NETLOGON_NEG_SUPPORTS_AES
) {
248 if (rf
& NETLOGON_NEG_SUPPORTS_AES
) {
249 composite_error(c
, s
->a
.out
.result
);
252 } else if (lf
& NETLOGON_NEG_STRONG_KEYS
) {
254 if (rf
& NETLOGON_NEG_STRONG_KEYS
) {
255 composite_error(c
, s
->a
.out
.result
);
262 if (rf
& NETLOGON_NEG_SUPPORTS_AES
) {
264 } else if (rf
& NETLOGON_NEG_STRONG_KEYS
) {
270 DEBUG(3, ("Server doesn't support %s keys, downgrade to %s"
271 "and retry! local[0x%08X] remote[0x%08X]\n",
274 s
->local_negotiate_flags
= s
->remote_negotiate_flags
;
276 generate_random_buffer(s
->credentials1
.data
,
277 sizeof(s
->credentials1
.data
));
279 subreq
= dcerpc_netr_ServerReqChallenge_r_send(s
,
281 s
->pipe2
->binding_handle
,
283 if (composite_nomem(subreq
, c
)) return;
285 tevent_req_set_callback(subreq
, continue_srv_challenge
, c
);
289 s
->creds
->negotiate_flags
= s
->remote_negotiate_flags
;
291 /* verify credentials */
292 if (!netlogon_creds_client_check(s
->creds
, s
->a
.out
.return_credentials
)) {
293 composite_error(c
, NT_STATUS_UNSUCCESSFUL
);
297 /* setup current netlogon credentials */
298 cli_credentials_set_netlogon_creds(s
->credentials
, s
->creds
);
305 Initiate establishing a schannel key using netlogon challenge
308 struct composite_context
*dcerpc_schannel_key_send(TALLOC_CTX
*mem_ctx
,
309 struct dcerpc_pipe
*p
,
310 struct cli_credentials
*credentials
,
311 struct loadparm_context
*lp_ctx
)
313 struct composite_context
*c
;
314 struct schannel_key_state
*s
;
315 struct composite_context
*epm_map_req
;
316 enum netr_SchannelType schannel_type
= cli_credentials_get_secure_channel_type(credentials
);
318 /* composite context allocation and setup */
319 c
= composite_create(mem_ctx
, p
->conn
->event_ctx
);
320 if (c
== NULL
) return NULL
;
322 s
= talloc_zero(c
, struct schannel_key_state
);
323 if (composite_nomem(s
, c
)) return c
;
326 /* store parameters in the state structure */
328 s
->credentials
= credentials
;
329 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_FLAGS
;
331 /* allocate credentials */
332 if (s
->pipe
->conn
->flags
& DCERPC_SCHANNEL_128
) {
333 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_ADS_FLAGS
;
335 if (s
->pipe
->conn
->flags
& DCERPC_SCHANNEL_AES
) {
336 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_ADS_FLAGS
;
337 s
->local_negotiate_flags
|= NETLOGON_NEG_SUPPORTS_AES
;
339 if (s
->pipe
->conn
->flags
& DCERPC_SCHANNEL_AUTO
) {
340 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_ADS_FLAGS
;
341 s
->local_negotiate_flags
|= NETLOGON_NEG_SUPPORTS_AES
;
342 s
->dcerpc_schannel_auto
= true;
345 /* type of authentication depends on schannel type */
346 if (schannel_type
== SEC_CHAN_RODC
) {
347 s
->local_negotiate_flags
|= NETLOGON_NEG_RODC_PASSTHROUGH
;
350 /* allocate binding structure */
351 s
->binding
= talloc_zero(c
, struct dcerpc_binding
);
352 if (composite_nomem(s
->binding
, c
)) return c
;
354 *s
->binding
= *s
->pipe
->binding
;
356 /* request the netlogon endpoint mapping */
357 epm_map_req
= dcerpc_epm_map_binding_send(c
, s
->binding
,
359 s
->pipe
->conn
->event_ctx
,
361 if (composite_nomem(epm_map_req
, c
)) return c
;
363 composite_continue(c
, epm_map_req
, continue_epm_map_binding
, c
);
369 Receive result of schannel key request
371 NTSTATUS
dcerpc_schannel_key_recv(struct composite_context
*c
)
373 NTSTATUS status
= composite_wait(c
);
380 struct auth_schannel_state
{
381 struct dcerpc_pipe
*pipe
;
382 struct cli_credentials
*credentials
;
383 const struct ndr_interface_table
*table
;
384 struct loadparm_context
*lp_ctx
;
389 static void continue_bind_auth(struct composite_context
*ctx
);
393 Stage 2 of auth_schannel: Receive schannel key and intitiate an
394 authenticated bind using received credentials
396 static void continue_schannel_key(struct composite_context
*ctx
)
398 struct composite_context
*auth_req
;
399 struct composite_context
*c
= talloc_get_type(ctx
->async
.private_data
,
400 struct composite_context
);
401 struct auth_schannel_state
*s
= talloc_get_type(c
->private_data
,
402 struct auth_schannel_state
);
405 /* receive schannel key */
406 status
= c
->status
= dcerpc_schannel_key_recv(ctx
);
407 if (!composite_is_ok(c
)) {
408 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status
)));
412 /* send bind auth request with received creds */
413 auth_req
= dcerpc_bind_auth_send(c
, s
->pipe
, s
->table
, s
->credentials
,
414 lpcfg_gensec_settings(c
, s
->lp_ctx
),
415 DCERPC_AUTH_TYPE_SCHANNEL
, s
->auth_level
,
417 if (composite_nomem(auth_req
, c
)) return;
419 composite_continue(c
, auth_req
, continue_bind_auth
, c
);
424 Stage 3 of auth_schannel: Receivce result of authenticated bind
425 and say if we're done ok.
427 static void continue_bind_auth(struct composite_context
*ctx
)
429 struct composite_context
*c
= talloc_get_type(ctx
->async
.private_data
,
430 struct composite_context
);
432 c
->status
= dcerpc_bind_auth_recv(ctx
);
433 if (!composite_is_ok(c
)) return;
440 Initiate schannel authentication request
442 struct composite_context
*dcerpc_bind_auth_schannel_send(TALLOC_CTX
*tmp_ctx
,
443 struct dcerpc_pipe
*p
,
444 const struct ndr_interface_table
*table
,
445 struct cli_credentials
*credentials
,
446 struct loadparm_context
*lp_ctx
,
449 struct composite_context
*c
;
450 struct auth_schannel_state
*s
;
451 struct composite_context
*schan_key_req
;
453 /* composite context allocation and setup */
454 c
= composite_create(tmp_ctx
, p
->conn
->event_ctx
);
455 if (c
== NULL
) return NULL
;
457 s
= talloc_zero(c
, struct auth_schannel_state
);
458 if (composite_nomem(s
, c
)) return c
;
461 /* store parameters in the state structure */
463 s
->credentials
= credentials
;
465 s
->auth_level
= auth_level
;
468 /* start getting schannel key first */
469 schan_key_req
= dcerpc_schannel_key_send(c
, p
, credentials
, lp_ctx
);
470 if (composite_nomem(schan_key_req
, c
)) return c
;
472 composite_continue(c
, schan_key_req
, continue_schannel_key
, c
);
478 Receive result of schannel authentication request
480 NTSTATUS
dcerpc_bind_auth_schannel_recv(struct composite_context
*c
)
482 NTSTATUS status
= composite_wait(c
);
490 Perform schannel authenticated bind - sync version
492 _PUBLIC_ NTSTATUS
dcerpc_bind_auth_schannel(TALLOC_CTX
*tmp_ctx
,
493 struct dcerpc_pipe
*p
,
494 const struct ndr_interface_table
*table
,
495 struct cli_credentials
*credentials
,
496 struct loadparm_context
*lp_ctx
,
499 struct composite_context
*c
;
501 c
= dcerpc_bind_auth_schannel_send(tmp_ctx
, p
, table
, credentials
, lp_ctx
,
503 return dcerpc_bind_auth_schannel_recv(c
);