search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smb.conf(5): client min protocol: add hint at list of available protocols
[Samba/gebeck_regimport.git] / source4 / ntp_signd / ntp_signd.c
blobd1d8483ad7abe9e34ad5d18402a69c753e6fbdc5
1 /*
2 Unix SMB/CIFS implementation.
3
4 NTP packet signing server
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "smbd/service_task.h"
26 #include "smbd/service.h"
27 #include "smbd/service_stream.h"
28 #include "smbd/process_model.h"
29 #include "lib/stream/packet.h"
30 #include "lib/tsocket/tsocket.h"
31 #include "libcli/util/tstream.h"
32 #include "librpc/gen_ndr/ndr_ntp_signd.h"
33 #include "param/param.h"
34 #include "dsdb/samdb/samdb.h"
35 #include "auth/auth.h"
36 #include "libcli/security/security.h"
37 #include "libcli/ldap/ldap_ndr.h"
38 #include <ldb.h>
39 #include <ldb_errors.h>
40 #include "../lib/crypto/md5.h"
41 #include "system/network.h"
42 #include "system/passwd.h"
43
44 NTSTATUS server_service_ntp_signd_init(void);
45
46 /*
47 top level context structure for the ntp_signd server
48 */
49 struct ntp_signd_server {
50 struct task_server *task;
51 struct ldb_context *samdb;
52 };
53
54 /*
55 state of an open connection
56 */
57 struct ntp_signd_connection {
58 /* stream connection we belong to */
59 struct stream_connection *conn;
60
61 /* the ntp_signd_server the connection belongs to */
62 struct ntp_signd_server *ntp_signd;
63
64 struct tstream_context *tstream;
65
66 struct tevent_queue *send_queue;
67 };
68
69 static void ntp_signd_terminate_connection(struct ntp_signd_connection *ntp_signd_conn, const char *reason)
70 {
71 stream_terminate_connection(ntp_signd_conn->conn, reason);
72 }
73
74 static NTSTATUS signing_failure(struct ntp_signd_connection *ntp_signdconn,
75 TALLOC_CTX *mem_ctx,
76 DATA_BLOB *output,
77 uint32_t packet_id)
78 {
79 struct signed_reply signed_reply;
80 enum ndr_err_code ndr_err;
81
82 signed_reply.op = SIGNING_FAILURE;
83 signed_reply.packet_id = packet_id;
84 signed_reply.signed_packet = data_blob(NULL, 0);
85
86 ndr_err = ndr_push_struct_blob(output, mem_ctx, &signed_reply,
87 (ndr_push_flags_fn_t)ndr_push_signed_reply);
88
89 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
90 DEBUG(1,("failed to push ntp error reply\n"));
91 return ndr_map_error2ntstatus(ndr_err);
92 }
93
94 return NT_STATUS_OK;
95 }
96
97 /*
98 receive a full packet on a NTP_SIGND connection
99 */
100 static NTSTATUS ntp_signd_process(struct ntp_signd_connection *ntp_signd_conn,
101 TALLOC_CTX *mem_ctx,
102 DATA_BLOB *input,
103 DATA_BLOB *output)
104 {
105 const struct dom_sid *domain_sid;
106 struct dom_sid *sid;
107 struct sign_request sign_request;
108 struct signed_reply signed_reply;
109 enum ndr_err_code ndr_err;
110 struct ldb_result *res;
111 const char *attrs[] = { "unicodePwd", "userAccountControl", "cn", NULL };
112 struct MD5Context ctx;
113 struct samr_Password *nt_hash;
114 uint32_t user_account_control;
115 int ret;
116
117 ndr_err = ndr_pull_struct_blob_all(input, mem_ctx,
118 &sign_request,
119 (ndr_pull_flags_fn_t)ndr_pull_sign_request);
120
121 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
122 DEBUG(1,("failed to parse ntp signing request\n"));
123 dump_data(1, input->data, input->length);
124 return ndr_map_error2ntstatus(ndr_err);
125 }
126
127 /* We need to implement 'check signature' and 'request server
128 * to sign' operations at some point */
129 if (sign_request.op != SIGN_TO_CLIENT) {
130 return signing_failure(ntp_signd_conn,
131 mem_ctx,
132 output,
133 sign_request.packet_id);
134 }
135
136 /* We need to implement 'check signature' and 'request server
137 * to sign' operations at some point */
138 if (sign_request.version != NTP_SIGND_PROTOCOL_VERSION_0) {
139 return signing_failure(ntp_signd_conn,
140 mem_ctx,
141 output,
142 sign_request.packet_id);
143 }
144
145 domain_sid = samdb_domain_sid(ntp_signd_conn->ntp_signd->samdb);
146 if (domain_sid == NULL) {
147 return signing_failure(ntp_signd_conn,
148 mem_ctx,
149 output,
150 sign_request.packet_id);
151 }
152
153 /* The top bit is a 'key selector' */
154 sid = dom_sid_add_rid(mem_ctx, domain_sid,
155 sign_request.key_id & 0x7FFFFFFF);
156 if (sid == NULL) {
157 talloc_free(mem_ctx);
158 return signing_failure(ntp_signd_conn,
159 mem_ctx,
160 output,
161 sign_request.packet_id);
162 }
163
164 ret = ldb_search(ntp_signd_conn->ntp_signd->samdb, mem_ctx,
165 &res,
166 ldb_get_default_basedn(ntp_signd_conn->ntp_signd->samdb),
167 LDB_SCOPE_SUBTREE,
168 attrs,
169 "(&(objectSid=%s)(objectClass=user))",
170 ldap_encode_ndr_dom_sid(mem_ctx, sid));
171 if (ret != LDB_SUCCESS) {
172 DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
173 "%s\n",
174 dom_sid_string(mem_ctx, sid),
175 ldb_errstring(ntp_signd_conn->ntp_signd->samdb)));
176 return signing_failure(ntp_signd_conn,
177 mem_ctx,
178 output,
179 sign_request.packet_id);
180 }
181
182 if (res->count == 0) {
183 DEBUG(2, ("Failed to find SID %s in SAM for NTP signing\n",
184 dom_sid_string(mem_ctx, sid)));
185 return signing_failure(ntp_signd_conn,
186 mem_ctx,
187 output,
188 sign_request.packet_id);
189 } else if (res->count != 1) {
190 DEBUG(1, ("Found SID %s %u times in SAM for NTP signing\n",
191 dom_sid_string(mem_ctx, sid), res->count));
192 return signing_failure(ntp_signd_conn,
193 mem_ctx,
194 output,
195 sign_request.packet_id);
196 }
197
198 user_account_control = ldb_msg_find_attr_as_uint(res->msgs[0],
199 "userAccountControl",
200 0);
201
202 if (user_account_control & UF_ACCOUNTDISABLE) {
203 DEBUG(1, ("Account %s for SID [%s] is disabled\n",
204 ldb_dn_get_linearized(res->msgs[0]->dn),
205 dom_sid_string(mem_ctx, sid)));
206 return NT_STATUS_ACCESS_DENIED;
207 }
208
209 if (!(user_account_control & (UF_INTERDOMAIN_TRUST_ACCOUNT|UF_SERVER_TRUST_ACCOUNT|UF_WORKSTATION_TRUST_ACCOUNT))) {
210 DEBUG(1, ("Account %s for SID [%s] is not a trust account\n",
211 ldb_dn_get_linearized(res->msgs[0]->dn),
212 dom_sid_string(mem_ctx, sid)));
213 return NT_STATUS_ACCESS_DENIED;
214 }
215
216 nt_hash = samdb_result_hash(mem_ctx, res->msgs[0], "unicodePwd");
217 if (!nt_hash) {
218 DEBUG(1, ("No unicodePwd found on record of SID %s "
219 "for NTP signing\n", dom_sid_string(mem_ctx, sid)));
220 return signing_failure(ntp_signd_conn,
221 mem_ctx,
222 output,
223 sign_request.packet_id);
224 }
225
226 /* Generate the reply packet */
227 signed_reply.packet_id = sign_request.packet_id;
228 signed_reply.op = SIGNING_SUCCESS;
229 signed_reply.signed_packet = data_blob_talloc(mem_ctx,
230 NULL,
231 sign_request.packet_to_sign.length + 20);
232
233 if (!signed_reply.signed_packet.data) {
234 return signing_failure(ntp_signd_conn,
235 mem_ctx,
236 output,
237 sign_request.packet_id);
238 }
239
240 memcpy(signed_reply.signed_packet.data, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
241 SIVAL(signed_reply.signed_packet.data, sign_request.packet_to_sign.length, sign_request.key_id);
242
243 /* Sign the NTP response with the unicodePwd */
244 MD5Init(&ctx);
245 MD5Update(&ctx, nt_hash->hash, sizeof(nt_hash->hash));
246 MD5Update(&ctx, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
247 MD5Final(signed_reply.signed_packet.data + sign_request.packet_to_sign.length + 4, &ctx);
248
249
250 /* Place it into the packet for the wire */
251 ndr_err = ndr_push_struct_blob(output, mem_ctx, &signed_reply,
252 (ndr_push_flags_fn_t)ndr_push_signed_reply);
253
254 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
255 DEBUG(1,("failed to push ntp error reply\n"));
256 return ndr_map_error2ntstatus(ndr_err);
257 }
258
259 return NT_STATUS_OK;
260 }
261
262 /*
263 called on a tcp recv
264 */
265 static void ntp_signd_recv(struct stream_connection *conn, uint16_t flags)
266 {
267 struct ntp_signd_connection *ntp_signd_conn = talloc_get_type(conn->private_data,
268 struct ntp_signd_connection);
269 ntp_signd_terminate_connection(ntp_signd_conn,
270 "ntp_signd_recv: called");
271 }
272
273 /*
274 called when we can write to a connection
275 */
276 static void ntp_signd_send(struct stream_connection *conn, uint16_t flags)
277 {
278 struct ntp_signd_connection *ntp_signd_conn = talloc_get_type(conn->private_data,
279 struct ntp_signd_connection);
280 /* this should never be triggered! */
281 ntp_signd_terminate_connection(ntp_signd_conn,
282 "ntp_signd_send: called");
283 }
284
285 struct ntp_signd_call {
286 struct ntp_signd_connection *ntp_signd_conn;
287 DATA_BLOB in;
288 DATA_BLOB out;
289 uint8_t out_hdr[4];
290 struct iovec out_iov[2];
291 };
292
293 static void ntp_signd_call_writev_done(struct tevent_req *subreq);
294
295 static void ntp_signd_call_loop(struct tevent_req *subreq)
296 {
297 struct ntp_signd_connection *ntp_signd_conn = tevent_req_callback_data(subreq,
298 struct ntp_signd_connection);
299 struct ntp_signd_call *call;
300 NTSTATUS status;
301
302 call = talloc(ntp_signd_conn, struct ntp_signd_call);
303 if (call == NULL) {
304 ntp_signd_terminate_connection(ntp_signd_conn,
305 "ntp_signd_call_loop: "
306 "no memory for ntp_signd_call");
307 return;
308 }
309 call->ntp_signd_conn = ntp_signd_conn;
310
311 status = tstream_read_pdu_blob_recv(subreq,
312 call,
313 &call->in);
314 TALLOC_FREE(subreq);
315 if (!NT_STATUS_IS_OK(status)) {
316 const char *reason;
317
318 reason = talloc_asprintf(call, "ntp_signd_call_loop: "
319 "tstream_read_pdu_blob_recv() - %s",
320 nt_errstr(status));
321 if (reason == NULL) {
322 reason = nt_errstr(status);
323 }
324
325 ntp_signd_terminate_connection(ntp_signd_conn, reason);
326 return;
327 }
328
329 DEBUG(10,("Received NTP TCP packet of length %lu from %s\n",
330 (long) call->in.length,
331 tsocket_address_string(ntp_signd_conn->conn->remote_address, call)));
332
333 /* skip length header */
334 call->in.data +=4;
335 call->in.length -= 4;
336
337 status = ntp_signd_process(ntp_signd_conn,
338 call,
339 &call->in,
340 &call->out);
341 if (! NT_STATUS_IS_OK(status)) {
342 const char *reason;
343
344 reason = talloc_asprintf(call, "ntp_signd_process failed: %s",
345 nt_errstr(status));
346 if (reason == NULL) {
347 reason = nt_errstr(status);
348 }
349
350 ntp_signd_terminate_connection(ntp_signd_conn, reason);
351 return;
352 }
353
354 /* First add the length of the out buffer */
355 RSIVAL(call->out_hdr, 0, call->out.length);
356 call->out_iov[0].iov_base = (char *) call->out_hdr;
357 call->out_iov[0].iov_len = 4;
358
359 call->out_iov[1].iov_base = (char *) call->out.data;
360 call->out_iov[1].iov_len = call->out.length;
361
362 subreq = tstream_writev_queue_send(call,
363 ntp_signd_conn->conn->event.ctx,
364 ntp_signd_conn->tstream,
365 ntp_signd_conn->send_queue,
366 call->out_iov, 2);
367 if (subreq == NULL) {
368 ntp_signd_terminate_connection(ntp_signd_conn, "ntp_signd_call_loop: "
369 "no memory for tstream_writev_queue_send");
370 return;
371 }
372
373 tevent_req_set_callback(subreq, ntp_signd_call_writev_done, call);
374
375 /*
376 * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
377 * packet_full_request_u32 provides the pdu length then.
378 */
379 subreq = tstream_read_pdu_blob_send(ntp_signd_conn,
380 ntp_signd_conn->conn->event.ctx,
381 ntp_signd_conn->tstream,
382 4, /* initial_read_size */
383 packet_full_request_u32,
384 ntp_signd_conn);
385 if (subreq == NULL) {
386 ntp_signd_terminate_connection(ntp_signd_conn, "ntp_signd_call_loop: "
387 "no memory for tstream_read_pdu_blob_send");
388 return;
389 }
390 tevent_req_set_callback(subreq, ntp_signd_call_loop, ntp_signd_conn);
391 }
392
393 static void ntp_signd_call_writev_done(struct tevent_req *subreq)
394 {
395 struct ntp_signd_call *call = tevent_req_callback_data(subreq,
396 struct ntp_signd_call);
397 int sys_errno;
398 int rc;
399
400 rc = tstream_writev_queue_recv(subreq, &sys_errno);
401 TALLOC_FREE(subreq);
402 if (rc == -1) {
403 const char *reason;
404
405 reason = talloc_asprintf(call, "ntp_signd_call_writev_done: "
406 "tstream_writev_queue_recv() - %d:%s",
407 sys_errno, strerror(sys_errno));
408 if (!reason) {
409 reason = "ntp_signd_call_writev_done: "
410 "tstream_writev_queue_recv() failed";
411 }
412
413 ntp_signd_terminate_connection(call->ntp_signd_conn, reason);
414 return;
415 }
416
417 /* We don't care about errors */
418
419 talloc_free(call);
420 }
421
422 /*
423 called when we get a new connection
424 */
425 static void ntp_signd_accept(struct stream_connection *conn)
426 {
427 struct ntp_signd_server *ntp_signd = talloc_get_type(conn->private_data,
428 struct ntp_signd_server);
429 struct ntp_signd_connection *ntp_signd_conn;
430 struct tevent_req *subreq;
431 int rc;
432
433 ntp_signd_conn = talloc_zero(conn, struct ntp_signd_connection);
434 if (ntp_signd_conn == NULL) {
435 stream_terminate_connection(conn,
436 "ntp_signd_accept: out of memory");
437 return;
438 }
439
440 ntp_signd_conn->send_queue = tevent_queue_create(conn,
441 "ntp_signd_accept");
442 if (ntp_signd_conn->send_queue == NULL) {
443 stream_terminate_connection(conn,
444 "ntp_signd_accept: out of memory");
445 return;
446 }
447
448 TALLOC_FREE(conn->event.fde);
449
450 rc = tstream_bsd_existing_socket(ntp_signd_conn,
451 socket_get_fd(conn->socket),
452 &ntp_signd_conn->tstream);
453 if (rc < 0) {
454 stream_terminate_connection(conn,
455 "ntp_signd_accept: out of memory");
456 return;
457 }
458
459 ntp_signd_conn->conn = conn;
460 ntp_signd_conn->ntp_signd = ntp_signd;
461 conn->private_data = ntp_signd_conn;
462
463 /*
464 * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
465 * packet_full_request_u32 provides the pdu length then.
466 */
467 subreq = tstream_read_pdu_blob_send(ntp_signd_conn,
468 ntp_signd_conn->conn->event.ctx,
469 ntp_signd_conn->tstream,
470 4, /* initial_read_size */
471 packet_full_request_u32,
472 ntp_signd_conn);
473 if (subreq == NULL) {
474 ntp_signd_terminate_connection(ntp_signd_conn,
475 "ntp_signd_accept: "
476 "no memory for tstream_read_pdu_blob_send");
477 return;
478 }
479 tevent_req_set_callback(subreq, ntp_signd_call_loop, ntp_signd_conn);
480 }
481
482 static const struct stream_server_ops ntp_signd_stream_ops = {
483 .name = "ntp_signd",
484 .accept_connection = ntp_signd_accept,
485 .recv_handler = ntp_signd_recv,
486 .send_handler = ntp_signd_send
487 };
488
489 /*
490 startup the ntp_signd task
491 */
492 static void ntp_signd_task_init(struct task_server *task)
493 {
494 struct ntp_signd_server *ntp_signd;
495 NTSTATUS status;
496
497 const struct model_ops *model_ops;
498
499 const char *address;
500
501 if (!directory_create_or_exist_strict(lpcfg_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0750)) {
502 char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s",
503 lpcfg_ntp_signd_socket_directory(task->lp_ctx));
504 task_server_terminate(task,
505 error, true);
506 return;
507 }
508
509 /* within the ntp_signd task we want to be a single process, so
510 ask for the single process model ops and pass these to the
511 stream_setup_socket() call. */
512 model_ops = process_model_startup("single");
513 if (!model_ops) {
514 DEBUG(0,("Can't find 'single' process model_ops\n"));
515 return;
516 }
517
518 task_server_set_title(task, "task[ntp_signd]");
519
520 ntp_signd = talloc(task, struct ntp_signd_server);
521 if (ntp_signd == NULL) {
522 task_server_terminate(task, "ntp_signd: out of memory", true);
523 return;
524 }
525
526 ntp_signd->task = task;
527
528 /* Must be system to get at the password hashes */
529 ntp_signd->samdb = samdb_connect(ntp_signd, task->event_ctx, task->lp_ctx, system_session(task->lp_ctx), 0);
530 if (ntp_signd->samdb == NULL) {
531 task_server_terminate(task, "ntp_signd failed to open samdb", true);
532 return;
533 }
534
535 address = talloc_asprintf(ntp_signd, "%s/socket", lpcfg_ntp_signd_socket_directory(task->lp_ctx));
536
537 status = stream_setup_socket(ntp_signd->task,
538 ntp_signd->task->event_ctx,
539 ntp_signd->task->lp_ctx,
540 model_ops,
541 &ntp_signd_stream_ops,
542 "unix", address, NULL,
543 lpcfg_socket_options(ntp_signd->task->lp_ctx),
544 ntp_signd);
545 if (!NT_STATUS_IS_OK(status)) {
546 DEBUG(0,("Failed to bind to %s - %s\n",
547 address, nt_errstr(status)));
548 return;
549 }
550
551 }
552
553
554 /* called at smbd startup - register ourselves as a server service */
555 NTSTATUS server_service_ntp_signd_init(void)
556 {
557 return register_server_service("ntp_signd", ntp_signd_task_init);
558 }
reg import