search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:libcli/raw: remove unused SMB_SIGNING_AUTO handling
[Samba/gebeck_regimport.git] / source4 / librpc / rpc / dcerpc_schannel.c
blobfc56eccf7c534f05d8aee69f5dfecc435aeecafa
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include <tevent.h>
26 #include "auth/auth.h"
27 #include "libcli/composite/composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "librpc/gen_ndr/ndr_netlogon.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "auth/credentials/credentials.h"
32 #include "librpc/rpc/dcerpc_proto.h"
33 #include "param/param.h"
34
35 struct schannel_key_state {
36 struct dcerpc_pipe *pipe;
37 struct dcerpc_pipe *pipe2;
38 struct dcerpc_binding *binding;
39 struct cli_credentials *credentials;
40 struct netlogon_creds_CredentialState *creds;
41 uint32_t negotiate_flags;
42 struct netr_Credential credentials1;
43 struct netr_Credential credentials2;
44 struct netr_Credential credentials3;
45 struct netr_ServerReqChallenge r;
46 struct netr_ServerAuthenticate2 a;
47 const struct samr_Password *mach_pwd;
48 };
49
50
51 static void continue_secondary_connection(struct composite_context *ctx);
52 static void continue_bind_auth_none(struct composite_context *ctx);
53 static void continue_srv_challenge(struct tevent_req *subreq);
54 static void continue_srv_auth2(struct tevent_req *subreq);
55
56
57 /*
58 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
59 rpc connection
60 */
61 static void continue_epm_map_binding(struct composite_context *ctx)
62 {
63 struct composite_context *c;
64 struct schannel_key_state *s;
65 struct composite_context *sec_conn_req;
66
67 c = talloc_get_type(ctx->async.private_data, struct composite_context);
68 s = talloc_get_type(c->private_data, struct schannel_key_state);
69
70 /* receive endpoint mapping */
71 c->status = dcerpc_epm_map_binding_recv(ctx);
72 if (!NT_STATUS_IS_OK(c->status)) {
73 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
74 NDR_NETLOGON_UUID, nt_errstr(c->status)));
75 composite_error(c, c->status);
76 return;
77 }
78
79 /* send a request for secondary rpc connection */
80 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
81 s->binding);
82 if (composite_nomem(sec_conn_req, c)) return;
83
84 composite_continue(c, sec_conn_req, continue_secondary_connection, c);
85 }
86
87
88 /*
89 Stage 3 of schannel_key: Receive secondary rpc connection and perform
90 non-authenticated bind request
91 */
92 static void continue_secondary_connection(struct composite_context *ctx)
93 {
94 struct composite_context *c;
95 struct schannel_key_state *s;
96 struct composite_context *auth_none_req;
97
98 c = talloc_get_type(ctx->async.private_data, struct composite_context);
99 s = talloc_get_type(c->private_data, struct schannel_key_state);
100
101 /* receive secondary rpc connection */
102 c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
103 if (!composite_is_ok(c)) return;
104
105 talloc_steal(s, s->pipe2);
106
107 /* initiate a non-authenticated bind */
108 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
109 if (composite_nomem(auth_none_req, c)) return;
110
111 composite_continue(c, auth_none_req, continue_bind_auth_none, c);
112 }
113
114
115 /*
116 Stage 4 of schannel_key: Receive non-authenticated bind and get
117 a netlogon challenge
118 */
119 static void continue_bind_auth_none(struct composite_context *ctx)
120 {
121 struct composite_context *c;
122 struct schannel_key_state *s;
123 struct tevent_req *subreq;
124
125 c = talloc_get_type(ctx->async.private_data, struct composite_context);
126 s = talloc_get_type(c->private_data, struct schannel_key_state);
127
128 /* receive result of non-authenticated bind request */
129 c->status = dcerpc_bind_auth_none_recv(ctx);
130 if (!composite_is_ok(c)) return;
131
132 /* prepare a challenge request */
133 s->r.in.server_name = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
134 if (composite_nomem(s->r.in.server_name, c)) return;
135 s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
136 s->r.in.credentials = &s->credentials1;
137 s->r.out.return_credentials = &s->credentials2;
138
139 generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
140
141 /*
142 request a netlogon challenge - a rpc request over opened secondary pipe
143 */
144 subreq = dcerpc_netr_ServerReqChallenge_r_send(s, c->event_ctx,
145 s->pipe2->binding_handle,
146 &s->r);
147 if (composite_nomem(subreq, c)) return;
148
149 tevent_req_set_callback(subreq, continue_srv_challenge, c);
150 }
151
152
153 /*
154 Stage 5 of schannel_key: Receive a challenge and perform authentication
155 on the netlogon pipe
156 */
157 static void continue_srv_challenge(struct tevent_req *subreq)
158 {
159 struct composite_context *c;
160 struct schannel_key_state *s;
161
162 c = tevent_req_callback_data(subreq, struct composite_context);
163 s = talloc_get_type(c->private_data, struct schannel_key_state);
164
165 /* receive rpc request result - netlogon challenge */
166 c->status = dcerpc_netr_ServerReqChallenge_r_recv(subreq, s);
167 TALLOC_FREE(subreq);
168 if (!composite_is_ok(c)) return;
169
170 /* prepare credentials for auth2 request */
171 s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
172
173 /* auth2 request arguments */
174 s->a.in.server_name = s->r.in.server_name;
175 s->a.in.account_name = cli_credentials_get_username(s->credentials);
176 s->a.in.secure_channel_type =
177 cli_credentials_get_secure_channel_type(s->credentials);
178 s->a.in.computer_name = cli_credentials_get_workstation(s->credentials);
179 s->a.in.negotiate_flags = &s->negotiate_flags;
180 s->a.in.credentials = &s->credentials3;
181 s->a.out.negotiate_flags = &s->negotiate_flags;
182 s->a.out.return_credentials = &s->credentials3;
183
184 s->creds = netlogon_creds_client_init(s,
185 s->a.in.account_name,
186 s->a.in.computer_name,
187 &s->credentials1, &s->credentials2,
188 s->mach_pwd, &s->credentials3, s->negotiate_flags);
189 if (composite_nomem(s->creds, c)) {
190 return;
191 }
192 /*
193 authenticate on the netlogon pipe - a rpc request over secondary pipe
194 */
195 subreq = dcerpc_netr_ServerAuthenticate2_r_send(s, c->event_ctx,
196 s->pipe2->binding_handle,
197 &s->a);
198 if (composite_nomem(subreq, c)) return;
199
200 tevent_req_set_callback(subreq, continue_srv_auth2, c);
201 }
202
203
204 /*
205 Stage 6 of schannel_key: Receive authentication request result and verify
206 received credentials
207 */
208 static void continue_srv_auth2(struct tevent_req *subreq)
209 {
210 struct composite_context *c;
211 struct schannel_key_state *s;
212
213 c = tevent_req_callback_data(subreq, struct composite_context);
214 s = talloc_get_type(c->private_data, struct schannel_key_state);
215
216 /* receive rpc request result - auth2 credentials */
217 c->status = dcerpc_netr_ServerAuthenticate2_r_recv(subreq, s);
218 TALLOC_FREE(subreq);
219 if (!composite_is_ok(c)) return;
220
221 /* verify credentials */
222 if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
223 composite_error(c, NT_STATUS_UNSUCCESSFUL);
224 return;
225 }
226
227 /* setup current netlogon credentials */
228 cli_credentials_set_netlogon_creds(s->credentials, s->creds);
229
230 composite_done(c);
231 }
232
233
234 /*
235 Initiate establishing a schannel key using netlogon challenge
236 on a secondary pipe
237 */
238 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
239 struct dcerpc_pipe *p,
240 struct cli_credentials *credentials,
241 struct loadparm_context *lp_ctx)
242 {
243 struct composite_context *c;
244 struct schannel_key_state *s;
245 struct composite_context *epm_map_req;
246 enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials);
247
248 /* composite context allocation and setup */
249 c = composite_create(mem_ctx, p->conn->event_ctx);
250 if (c == NULL) return NULL;
251
252 s = talloc_zero(c, struct schannel_key_state);
253 if (composite_nomem(s, c)) return c;
254 c->private_data = s;
255
256 /* store parameters in the state structure */
257 s->pipe = p;
258 s->credentials = credentials;
259
260 /* allocate credentials */
261 /* type of authentication depends on schannel type */
262 if (schannel_type == SEC_CHAN_RODC) {
263 s->negotiate_flags = NETLOGON_NEG_AUTH2_RODC_FLAGS;
264 } else if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
265 s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
266 } else {
267 s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
268 }
269
270 /* allocate binding structure */
271 s->binding = talloc_zero(c, struct dcerpc_binding);
272 if (composite_nomem(s->binding, c)) return c;
273
274 *s->binding = *s->pipe->binding;
275
276 /* request the netlogon endpoint mapping */
277 epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
278 &ndr_table_netlogon,
279 s->pipe->conn->event_ctx,
280 lp_ctx);
281 if (composite_nomem(epm_map_req, c)) return c;
282
283 composite_continue(c, epm_map_req, continue_epm_map_binding, c);
284 return c;
285 }
286
287
288 /*
289 Receive result of schannel key request
290 */
291 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
292 {
293 NTSTATUS status = composite_wait(c);
294
295 talloc_free(c);
296 return status;
297 }
298
299
300 struct auth_schannel_state {
301 struct dcerpc_pipe *pipe;
302 struct cli_credentials *credentials;
303 const struct ndr_interface_table *table;
304 struct loadparm_context *lp_ctx;
305 uint8_t auth_level;
306 };
307
308
309 static void continue_bind_auth(struct composite_context *ctx);
310
311
312 /*
313 Stage 2 of auth_schannel: Receive schannel key and intitiate an
314 authenticated bind using received credentials
315 */
316 static void continue_schannel_key(struct composite_context *ctx)
317 {
318 struct composite_context *auth_req;
319 struct composite_context *c = talloc_get_type(ctx->async.private_data,
320 struct composite_context);
321 struct auth_schannel_state *s = talloc_get_type(c->private_data,
322 struct auth_schannel_state);
323 NTSTATUS status;
324
325 /* receive schannel key */
326 status = c->status = dcerpc_schannel_key_recv(ctx);
327 if (!composite_is_ok(c)) {
328 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
329 return;
330 }
331
332 /* send bind auth request with received creds */
333 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
334 lpcfg_gensec_settings(c, s->lp_ctx),
335 DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
336 NULL);
337 if (composite_nomem(auth_req, c)) return;
338
339 composite_continue(c, auth_req, continue_bind_auth, c);
340 }
341
342
343 /*
344 Stage 3 of auth_schannel: Receivce result of authenticated bind
345 and say if we're done ok.
346 */
347 static void continue_bind_auth(struct composite_context *ctx)
348 {
349 struct composite_context *c = talloc_get_type(ctx->async.private_data,
350 struct composite_context);
351
352 c->status = dcerpc_bind_auth_recv(ctx);
353 if (!composite_is_ok(c)) return;
354
355 composite_done(c);
356 }
357
358
359 /*
360 Initiate schannel authentication request
361 */
362 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
363 struct dcerpc_pipe *p,
364 const struct ndr_interface_table *table,
365 struct cli_credentials *credentials,
366 struct loadparm_context *lp_ctx,
367 uint8_t auth_level)
368 {
369 struct composite_context *c;
370 struct auth_schannel_state *s;
371 struct composite_context *schan_key_req;
372
373 /* composite context allocation and setup */
374 c = composite_create(tmp_ctx, p->conn->event_ctx);
375 if (c == NULL) return NULL;
376
377 s = talloc_zero(c, struct auth_schannel_state);
378 if (composite_nomem(s, c)) return c;
379 c->private_data = s;
380
381 /* store parameters in the state structure */
382 s->pipe = p;
383 s->credentials = credentials;
384 s->table = table;
385 s->auth_level = auth_level;
386 s->lp_ctx = lp_ctx;
387
388 /* start getting schannel key first */
389 schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
390 if (composite_nomem(schan_key_req, c)) return c;
391
392 composite_continue(c, schan_key_req, continue_schannel_key, c);
393 return c;
394 }
395
396
397 /*
398 Receive result of schannel authentication request
399 */
400 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
401 {
402 NTSTATUS status = composite_wait(c);
403
404 talloc_free(c);
405 return status;
406 }
407
408
409 /*
410 Perform schannel authenticated bind - sync version
411 */
412 _PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
413 struct dcerpc_pipe *p,
414 const struct ndr_interface_table *table,
415 struct cli_credentials *credentials,
416 struct loadparm_context *lp_ctx,
417 uint8_t auth_level)
418 {
419 struct composite_context *c;
420
421 c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
422 auth_level);
423 return dcerpc_bind_auth_schannel_recv(c);
424 }
reg import