2 Unix SMB/CIFS implementation.
4 NTP packet signing server
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "smbd/service_task.h"
26 #include "smbd/service.h"
27 #include "smbd/service_stream.h"
28 #include "smbd/process_model.h"
29 #include "lib/stream/packet.h"
30 #include "lib/tsocket/tsocket.h"
31 #include "libcli/util/tstream.h"
32 #include "librpc/gen_ndr/ndr_ntp_signd.h"
33 #include "param/param.h"
34 #include "dsdb/samdb/samdb.h"
35 #include "auth/auth.h"
36 #include "libcli/security/security.h"
37 #include "libcli/ldap/ldap_ndr.h"
39 #include <ldb_errors.h>
40 #include "../lib/crypto/md5.h"
41 #include "system/network.h"
42 #include "system/passwd.h"
44 NTSTATUS
server_service_ntp_signd_init(void);
47 top level context structure for the ntp_signd server
49 struct ntp_signd_server
{
50 struct task_server
*task
;
51 struct ldb_context
*samdb
;
55 state of an open connection
57 struct ntp_signd_connection
{
58 /* stream connection we belong to */
59 struct stream_connection
*conn
;
61 /* the ntp_signd_server the connection belongs to */
62 struct ntp_signd_server
*ntp_signd
;
64 struct tstream_context
*tstream
;
66 struct tevent_queue
*send_queue
;
69 static void ntp_signd_terminate_connection(struct ntp_signd_connection
*ntp_signd_conn
, const char *reason
)
71 stream_terminate_connection(ntp_signd_conn
->conn
, reason
);
74 static NTSTATUS
signing_failure(struct ntp_signd_connection
*ntp_signdconn
,
79 struct signed_reply signed_reply
;
80 enum ndr_err_code ndr_err
;
82 signed_reply
.op
= SIGNING_FAILURE
;
83 signed_reply
.packet_id
= packet_id
;
84 signed_reply
.signed_packet
= data_blob(NULL
, 0);
86 ndr_err
= ndr_push_struct_blob(output
, mem_ctx
, &signed_reply
,
87 (ndr_push_flags_fn_t
)ndr_push_signed_reply
);
89 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
90 DEBUG(1,("failed to push ntp error reply\n"));
91 return ndr_map_error2ntstatus(ndr_err
);
98 receive a full packet on a NTP_SIGND connection
100 static NTSTATUS
ntp_signd_process(struct ntp_signd_connection
*ntp_signd_conn
,
105 const struct dom_sid
*domain_sid
;
107 struct sign_request sign_request
;
108 struct signed_reply signed_reply
;
109 enum ndr_err_code ndr_err
;
110 struct ldb_result
*res
;
111 const char *attrs
[] = { "unicodePwd", "userAccountControl", "cn", NULL
};
112 struct MD5Context ctx
;
113 struct samr_Password
*nt_hash
;
114 uint32_t user_account_control
;
117 ndr_err
= ndr_pull_struct_blob_all(input
, mem_ctx
,
119 (ndr_pull_flags_fn_t
)ndr_pull_sign_request
);
121 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
122 DEBUG(1,("failed to parse ntp signing request\n"));
123 dump_data(1, input
->data
, input
->length
);
124 return ndr_map_error2ntstatus(ndr_err
);
127 /* We need to implement 'check signature' and 'request server
128 * to sign' operations at some point */
129 if (sign_request
.op
!= SIGN_TO_CLIENT
) {
130 return signing_failure(ntp_signd_conn
,
133 sign_request
.packet_id
);
136 /* We need to implement 'check signature' and 'request server
137 * to sign' operations at some point */
138 if (sign_request
.version
!= NTP_SIGND_PROTOCOL_VERSION_0
) {
139 return signing_failure(ntp_signd_conn
,
142 sign_request
.packet_id
);
145 domain_sid
= samdb_domain_sid(ntp_signd_conn
->ntp_signd
->samdb
);
146 if (domain_sid
== NULL
) {
147 return signing_failure(ntp_signd_conn
,
150 sign_request
.packet_id
);
153 /* The top bit is a 'key selector' */
154 sid
= dom_sid_add_rid(mem_ctx
, domain_sid
,
155 sign_request
.key_id
& 0x7FFFFFFF);
157 talloc_free(mem_ctx
);
158 return signing_failure(ntp_signd_conn
,
161 sign_request
.packet_id
);
164 ret
= ldb_search(ntp_signd_conn
->ntp_signd
->samdb
, mem_ctx
,
166 ldb_get_default_basedn(ntp_signd_conn
->ntp_signd
->samdb
),
169 "(&(objectSid=%s)(objectClass=user))",
170 ldap_encode_ndr_dom_sid(mem_ctx
, sid
));
171 if (ret
!= LDB_SUCCESS
) {
172 DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
174 dom_sid_string(mem_ctx
, sid
),
175 ldb_errstring(ntp_signd_conn
->ntp_signd
->samdb
)));
176 return signing_failure(ntp_signd_conn
,
179 sign_request
.packet_id
);
182 if (res
->count
== 0) {
183 DEBUG(2, ("Failed to find SID %s in SAM for NTP signing\n",
184 dom_sid_string(mem_ctx
, sid
)));
185 return signing_failure(ntp_signd_conn
,
188 sign_request
.packet_id
);
189 } else if (res
->count
!= 1) {
190 DEBUG(1, ("Found SID %s %u times in SAM for NTP signing\n",
191 dom_sid_string(mem_ctx
, sid
), res
->count
));
192 return signing_failure(ntp_signd_conn
,
195 sign_request
.packet_id
);
198 user_account_control
= ldb_msg_find_attr_as_uint(res
->msgs
[0],
199 "userAccountControl",
202 if (user_account_control
& UF_ACCOUNTDISABLE
) {
203 DEBUG(1, ("Account %s for SID [%s] is disabled\n",
204 ldb_dn_get_linearized(res
->msgs
[0]->dn
),
205 dom_sid_string(mem_ctx
, sid
)));
206 return NT_STATUS_ACCESS_DENIED
;
209 if (!(user_account_control
& (UF_INTERDOMAIN_TRUST_ACCOUNT
|UF_SERVER_TRUST_ACCOUNT
|UF_WORKSTATION_TRUST_ACCOUNT
))) {
210 DEBUG(1, ("Account %s for SID [%s] is not a trust account\n",
211 ldb_dn_get_linearized(res
->msgs
[0]->dn
),
212 dom_sid_string(mem_ctx
, sid
)));
213 return NT_STATUS_ACCESS_DENIED
;
216 nt_hash
= samdb_result_hash(mem_ctx
, res
->msgs
[0], "unicodePwd");
218 DEBUG(1, ("No unicodePwd found on record of SID %s "
219 "for NTP signing\n", dom_sid_string(mem_ctx
, sid
)));
220 return signing_failure(ntp_signd_conn
,
223 sign_request
.packet_id
);
226 /* Generate the reply packet */
227 signed_reply
.packet_id
= sign_request
.packet_id
;
228 signed_reply
.op
= SIGNING_SUCCESS
;
229 signed_reply
.signed_packet
= data_blob_talloc(mem_ctx
,
231 sign_request
.packet_to_sign
.length
+ 20);
233 if (!signed_reply
.signed_packet
.data
) {
234 return signing_failure(ntp_signd_conn
,
237 sign_request
.packet_id
);
240 memcpy(signed_reply
.signed_packet
.data
, sign_request
.packet_to_sign
.data
, sign_request
.packet_to_sign
.length
);
241 SIVAL(signed_reply
.signed_packet
.data
, sign_request
.packet_to_sign
.length
, sign_request
.key_id
);
243 /* Sign the NTP response with the unicodePwd */
245 MD5Update(&ctx
, nt_hash
->hash
, sizeof(nt_hash
->hash
));
246 MD5Update(&ctx
, sign_request
.packet_to_sign
.data
, sign_request
.packet_to_sign
.length
);
247 MD5Final(signed_reply
.signed_packet
.data
+ sign_request
.packet_to_sign
.length
+ 4, &ctx
);
250 /* Place it into the packet for the wire */
251 ndr_err
= ndr_push_struct_blob(output
, mem_ctx
, &signed_reply
,
252 (ndr_push_flags_fn_t
)ndr_push_signed_reply
);
254 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
255 DEBUG(1,("failed to push ntp error reply\n"));
256 return ndr_map_error2ntstatus(ndr_err
);
265 static void ntp_signd_recv(struct stream_connection
*conn
, uint16_t flags
)
267 struct ntp_signd_connection
*ntp_signd_conn
= talloc_get_type(conn
->private_data
,
268 struct ntp_signd_connection
);
269 ntp_signd_terminate_connection(ntp_signd_conn
,
270 "ntp_signd_recv: called");
274 called when we can write to a connection
276 static void ntp_signd_send(struct stream_connection
*conn
, uint16_t flags
)
278 struct ntp_signd_connection
*ntp_signd_conn
= talloc_get_type(conn
->private_data
,
279 struct ntp_signd_connection
);
280 /* this should never be triggered! */
281 ntp_signd_terminate_connection(ntp_signd_conn
,
282 "ntp_signd_send: called");
285 struct ntp_signd_call
{
286 struct ntp_signd_connection
*ntp_signd_conn
;
290 struct iovec out_iov
[2];
293 static void ntp_signd_call_writev_done(struct tevent_req
*subreq
);
295 static void ntp_signd_call_loop(struct tevent_req
*subreq
)
297 struct ntp_signd_connection
*ntp_signd_conn
= tevent_req_callback_data(subreq
,
298 struct ntp_signd_connection
);
299 struct ntp_signd_call
*call
;
302 call
= talloc(ntp_signd_conn
, struct ntp_signd_call
);
304 ntp_signd_terminate_connection(ntp_signd_conn
,
305 "ntp_signd_call_loop: "
306 "no memory for ntp_signd_call");
309 call
->ntp_signd_conn
= ntp_signd_conn
;
311 status
= tstream_read_pdu_blob_recv(subreq
,
315 if (!NT_STATUS_IS_OK(status
)) {
318 reason
= talloc_asprintf(call
, "ntp_signd_call_loop: "
319 "tstream_read_pdu_blob_recv() - %s",
321 if (reason
== NULL
) {
322 reason
= nt_errstr(status
);
325 ntp_signd_terminate_connection(ntp_signd_conn
, reason
);
329 DEBUG(10,("Received NTP TCP packet of length %lu from %s\n",
330 (long) call
->in
.length
,
331 tsocket_address_string(ntp_signd_conn
->conn
->remote_address
, call
)));
333 /* skip length header */
335 call
->in
.length
-= 4;
337 status
= ntp_signd_process(ntp_signd_conn
,
341 if (! NT_STATUS_IS_OK(status
)) {
344 reason
= talloc_asprintf(call
, "ntp_signd_process failed: %s",
346 if (reason
== NULL
) {
347 reason
= nt_errstr(status
);
350 ntp_signd_terminate_connection(ntp_signd_conn
, reason
);
354 /* First add the length of the out buffer */
355 RSIVAL(call
->out_hdr
, 0, call
->out
.length
);
356 call
->out_iov
[0].iov_base
= (char *) call
->out_hdr
;
357 call
->out_iov
[0].iov_len
= 4;
359 call
->out_iov
[1].iov_base
= (char *) call
->out
.data
;
360 call
->out_iov
[1].iov_len
= call
->out
.length
;
362 subreq
= tstream_writev_queue_send(call
,
363 ntp_signd_conn
->conn
->event
.ctx
,
364 ntp_signd_conn
->tstream
,
365 ntp_signd_conn
->send_queue
,
367 if (subreq
== NULL
) {
368 ntp_signd_terminate_connection(ntp_signd_conn
, "ntp_signd_call_loop: "
369 "no memory for tstream_writev_queue_send");
373 tevent_req_set_callback(subreq
, ntp_signd_call_writev_done
, call
);
376 * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
377 * packet_full_request_u32 provides the pdu length then.
379 subreq
= tstream_read_pdu_blob_send(ntp_signd_conn
,
380 ntp_signd_conn
->conn
->event
.ctx
,
381 ntp_signd_conn
->tstream
,
382 4, /* initial_read_size */
383 packet_full_request_u32
,
385 if (subreq
== NULL
) {
386 ntp_signd_terminate_connection(ntp_signd_conn
, "ntp_signd_call_loop: "
387 "no memory for tstream_read_pdu_blob_send");
390 tevent_req_set_callback(subreq
, ntp_signd_call_loop
, ntp_signd_conn
);
393 static void ntp_signd_call_writev_done(struct tevent_req
*subreq
)
395 struct ntp_signd_call
*call
= tevent_req_callback_data(subreq
,
396 struct ntp_signd_call
);
400 rc
= tstream_writev_queue_recv(subreq
, &sys_errno
);
405 reason
= talloc_asprintf(call
, "ntp_signd_call_writev_done: "
406 "tstream_writev_queue_recv() - %d:%s",
407 sys_errno
, strerror(sys_errno
));
409 reason
= "ntp_signd_call_writev_done: "
410 "tstream_writev_queue_recv() failed";
413 ntp_signd_terminate_connection(call
->ntp_signd_conn
, reason
);
417 /* We don't care about errors */
423 called when we get a new connection
425 static void ntp_signd_accept(struct stream_connection
*conn
)
427 struct ntp_signd_server
*ntp_signd
= talloc_get_type(conn
->private_data
,
428 struct ntp_signd_server
);
429 struct ntp_signd_connection
*ntp_signd_conn
;
430 struct tevent_req
*subreq
;
433 ntp_signd_conn
= talloc_zero(conn
, struct ntp_signd_connection
);
434 if (ntp_signd_conn
== NULL
) {
435 stream_terminate_connection(conn
,
436 "ntp_signd_accept: out of memory");
440 ntp_signd_conn
->send_queue
= tevent_queue_create(conn
,
442 if (ntp_signd_conn
->send_queue
== NULL
) {
443 stream_terminate_connection(conn
,
444 "ntp_signd_accept: out of memory");
448 TALLOC_FREE(conn
->event
.fde
);
450 rc
= tstream_bsd_existing_socket(ntp_signd_conn
,
451 socket_get_fd(conn
->socket
),
452 &ntp_signd_conn
->tstream
);
454 stream_terminate_connection(conn
,
455 "ntp_signd_accept: out of memory");
459 ntp_signd_conn
->conn
= conn
;
460 ntp_signd_conn
->ntp_signd
= ntp_signd
;
461 conn
->private_data
= ntp_signd_conn
;
464 * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
465 * packet_full_request_u32 provides the pdu length then.
467 subreq
= tstream_read_pdu_blob_send(ntp_signd_conn
,
468 ntp_signd_conn
->conn
->event
.ctx
,
469 ntp_signd_conn
->tstream
,
470 4, /* initial_read_size */
471 packet_full_request_u32
,
473 if (subreq
== NULL
) {
474 ntp_signd_terminate_connection(ntp_signd_conn
,
476 "no memory for tstream_read_pdu_blob_send");
479 tevent_req_set_callback(subreq
, ntp_signd_call_loop
, ntp_signd_conn
);
482 static const struct stream_server_ops ntp_signd_stream_ops
= {
484 .accept_connection
= ntp_signd_accept
,
485 .recv_handler
= ntp_signd_recv
,
486 .send_handler
= ntp_signd_send
490 startup the ntp_signd task
492 static void ntp_signd_task_init(struct task_server
*task
)
494 struct ntp_signd_server
*ntp_signd
;
497 const struct model_ops
*model_ops
;
501 if (!directory_create_or_exist(lpcfg_ntp_signd_socket_directory(task
->lp_ctx
), geteuid(), 0755)) {
502 char *error
= talloc_asprintf(task
, "Cannot create NTP signd pipe directory: %s",
503 lpcfg_ntp_signd_socket_directory(task
->lp_ctx
));
504 task_server_terminate(task
,
509 /* within the ntp_signd task we want to be a single process, so
510 ask for the single process model ops and pass these to the
511 stream_setup_socket() call. */
512 model_ops
= process_model_startup("single");
514 DEBUG(0,("Can't find 'single' process model_ops\n"));
518 task_server_set_title(task
, "task[ntp_signd]");
520 ntp_signd
= talloc(task
, struct ntp_signd_server
);
521 if (ntp_signd
== NULL
) {
522 task_server_terminate(task
, "ntp_signd: out of memory", true);
526 ntp_signd
->task
= task
;
528 /* Must be system to get at the password hashes */
529 ntp_signd
->samdb
= samdb_connect(ntp_signd
, task
->event_ctx
, task
->lp_ctx
, system_session(task
->lp_ctx
), 0);
530 if (ntp_signd
->samdb
== NULL
) {
531 task_server_terminate(task
, "ntp_signd failed to open samdb", true);
535 address
= talloc_asprintf(ntp_signd
, "%s/socket", lpcfg_ntp_signd_socket_directory(task
->lp_ctx
));
537 status
= stream_setup_socket(ntp_signd
->task
,
538 ntp_signd
->task
->event_ctx
,
539 ntp_signd
->task
->lp_ctx
,
541 &ntp_signd_stream_ops
,
542 "unix", address
, NULL
,
543 lpcfg_socket_options(ntp_signd
->task
->lp_ctx
),
545 if (!NT_STATUS_IS_OK(status
)) {
546 DEBUG(0,("Failed to bind to %s - %s\n",
547 address
, nt_errstr(status
)));
554 /* called at smbd startup - register ourselves as a server service */
555 NTSTATUS
server_service_ntp_signd_init(void)
557 return register_server_service("ntp_signd", ntp_signd_task_init
);