search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
replace/waf: add rt to deps at this place
[Samba/gebeck_regimport.git] / source4 / ntp_signd / ntp_signd.c
blob029071e2c24afdb20175ce2f75f65b855d36f57a
1 /*
2 Unix SMB/CIFS implementation.
3
4 NTP packet signing server
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "smbd/service_task.h"
26 #include "smbd/service.h"
27 #include "smbd/service_stream.h"
28 #include "smbd/process_model.h"
29 #include "lib/stream/packet.h"
30 #include "lib/tsocket/tsocket.h"
31 #include "libcli/util/tstream.h"
32 #include "librpc/gen_ndr/ndr_ntp_signd.h"
33 #include "param/param.h"
34 #include "dsdb/samdb/samdb.h"
35 #include "auth/auth.h"
36 #include "libcli/security/security.h"
37 #include "lib/ldb/include/ldb.h"
38 #include "lib/ldb/include/ldb_errors.h"
39 #include "../lib/crypto/md5.h"
40 #include "system/network.h"
41 #include "system/passwd.h"
42
43 /*
44 top level context structure for the ntp_signd server
45 */
46 struct ntp_signd_server {
47 struct task_server *task;
48 struct ldb_context *samdb;
49 };
50
51 /*
52 state of an open connection
53 */
54 struct ntp_signd_connection {
55 /* stream connection we belong to */
56 struct stream_connection *conn;
57
58 /* the ntp_signd_server the connection belongs to */
59 struct ntp_signd_server *ntp_signd;
60
61 struct tstream_context *tstream;
62
63 struct tevent_queue *send_queue;
64 };
65
66 static void ntp_signd_terminate_connection(struct ntp_signd_connection *ntp_signd_conn, const char *reason)
67 {
68 stream_terminate_connection(ntp_signd_conn->conn, reason);
69 }
70
71 static NTSTATUS signing_failure(struct ntp_signd_connection *ntp_signdconn,
72 TALLOC_CTX *mem_ctx,
73 DATA_BLOB *output,
74 uint32_t packet_id)
75 {
76 struct signed_reply signed_reply;
77 enum ndr_err_code ndr_err;
78
79 signed_reply.op = SIGNING_FAILURE;
80 signed_reply.packet_id = packet_id;
81 signed_reply.signed_packet = data_blob(NULL, 0);
82
83 ndr_err = ndr_push_struct_blob(output, mem_ctx, &signed_reply,
84 (ndr_push_flags_fn_t)ndr_push_signed_reply);
85
86 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
87 DEBUG(1,("failed to push ntp error reply\n"));
88 return ndr_map_error2ntstatus(ndr_err);
89 }
90
91 return NT_STATUS_OK;
92 }
93
94 /*
95 receive a full packet on a NTP_SIGND connection
96 */
97 static NTSTATUS ntp_signd_process(struct ntp_signd_connection *ntp_signd_conn,
98 TALLOC_CTX *mem_ctx,
99 DATA_BLOB *input,
100 DATA_BLOB *output)
101 {
102 const struct dom_sid *domain_sid;
103 struct dom_sid *sid;
104 struct sign_request sign_request;
105 struct signed_reply signed_reply;
106 enum ndr_err_code ndr_err;
107 struct ldb_result *res;
108 const char *attrs[] = { "unicodePwd", "userAccountControl", "cn", NULL };
109 struct MD5Context ctx;
110 struct samr_Password *nt_hash;
111 uint32_t user_account_control;
112 int ret;
113
114 ndr_err = ndr_pull_struct_blob_all(input, mem_ctx,
115 &sign_request,
116 (ndr_pull_flags_fn_t)ndr_pull_sign_request);
117
118 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
119 DEBUG(1,("failed to parse ntp signing request\n"));
120 dump_data(1, input->data, input->length);
121 return ndr_map_error2ntstatus(ndr_err);
122 }
123
124 /* We need to implement 'check signature' and 'request server
125 * to sign' operations at some point */
126 if (sign_request.op != SIGN_TO_CLIENT) {
127 return signing_failure(ntp_signd_conn,
128 mem_ctx,
129 output,
130 sign_request.packet_id);
131 }
132
133 /* We need to implement 'check signature' and 'request server
134 * to sign' operations at some point */
135 if (sign_request.version != NTP_SIGND_PROTOCOL_VERSION_0) {
136 return signing_failure(ntp_signd_conn,
137 mem_ctx,
138 output,
139 sign_request.packet_id);
140 }
141
142 domain_sid = samdb_domain_sid(ntp_signd_conn->ntp_signd->samdb);
143 if (domain_sid == NULL) {
144 return signing_failure(ntp_signd_conn,
145 mem_ctx,
146 output,
147 sign_request.packet_id);
148 }
149
150 /* The top bit is a 'key selector' */
151 sid = dom_sid_add_rid(mem_ctx, domain_sid,
152 sign_request.key_id & 0x7FFFFFFF);
153 if (sid == NULL) {
154 talloc_free(mem_ctx);
155 return signing_failure(ntp_signd_conn,
156 mem_ctx,
157 output,
158 sign_request.packet_id);
159 }
160
161 ret = ldb_search(ntp_signd_conn->ntp_signd->samdb, mem_ctx,
162 &res,
163 ldb_get_default_basedn(ntp_signd_conn->ntp_signd->samdb),
164 LDB_SCOPE_SUBTREE,
165 attrs,
166 "(&(objectSid=%s)(objectClass=user))",
167 dom_sid_string(mem_ctx, sid));
168 if (ret != LDB_SUCCESS) {
169 DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
170 "%s\n",
171 dom_sid_string(mem_ctx, sid),
172 ldb_errstring(ntp_signd_conn->ntp_signd->samdb)));
173 return signing_failure(ntp_signd_conn,
174 mem_ctx,
175 output,
176 sign_request.packet_id);
177 }
178
179 if (res->count == 0) {
180 DEBUG(5, ("Failed to find SID %s in SAM for NTP signing\n",
181 dom_sid_string(mem_ctx, sid)));
182 } else if (res->count != 1) {
183 DEBUG(1, ("Found SID %s %u times in SAM for NTP signing\n",
184 dom_sid_string(mem_ctx, sid), res->count));
185 return signing_failure(ntp_signd_conn,
186 mem_ctx,
187 output,
188 sign_request.packet_id);
189 }
190
191 user_account_control = ldb_msg_find_attr_as_uint(res->msgs[0],
192 "userAccountControl",
193 0);
194
195 if (user_account_control & UF_ACCOUNTDISABLE) {
196 DEBUG(1, ("Account %s for SID [%s] is disabled\n",
197 ldb_dn_get_linearized(res->msgs[0]->dn),
198 dom_sid_string(mem_ctx, sid)));
199 return NT_STATUS_ACCESS_DENIED;
200 }
201
202 if (!(user_account_control & (UF_INTERDOMAIN_TRUST_ACCOUNT|UF_SERVER_TRUST_ACCOUNT|UF_WORKSTATION_TRUST_ACCOUNT))) {
203 DEBUG(1, ("Account %s for SID [%s] is not a trust account\n",
204 ldb_dn_get_linearized(res->msgs[0]->dn),
205 dom_sid_string(mem_ctx, sid)));
206 return NT_STATUS_ACCESS_DENIED;
207 }
208
209 nt_hash = samdb_result_hash(mem_ctx, res->msgs[0], "unicodePwd");
210 if (!nt_hash) {
211 DEBUG(1, ("No unicodePwd found on record of SID %s "
212 "for NTP signing\n", dom_sid_string(mem_ctx, sid)));
213 return signing_failure(ntp_signd_conn,
214 mem_ctx,
215 output,
216 sign_request.packet_id);
217 }
218
219 /* Generate the reply packet */
220 signed_reply.packet_id = sign_request.packet_id;
221 signed_reply.op = SIGNING_SUCCESS;
222 signed_reply.signed_packet = data_blob_talloc(mem_ctx,
223 NULL,
224 sign_request.packet_to_sign.length + 20);
225
226 if (!signed_reply.signed_packet.data) {
227 return signing_failure(ntp_signd_conn,
228 mem_ctx,
229 output,
230 sign_request.packet_id);
231 }
232
233 memcpy(signed_reply.signed_packet.data, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
234 SIVAL(signed_reply.signed_packet.data, sign_request.packet_to_sign.length, sign_request.key_id);
235
236 /* Sign the NTP response with the unicodePwd */
237 MD5Init(&ctx);
238 MD5Update(&ctx, nt_hash->hash, sizeof(nt_hash->hash));
239 MD5Update(&ctx, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
240 MD5Final(signed_reply.signed_packet.data + sign_request.packet_to_sign.length + 4, &ctx);
241
242
243 /* Place it into the packet for the wire */
244 ndr_err = ndr_push_struct_blob(output, mem_ctx, &signed_reply,
245 (ndr_push_flags_fn_t)ndr_push_signed_reply);
246
247 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
248 DEBUG(1,("failed to push ntp error reply\n"));
249 return ndr_map_error2ntstatus(ndr_err);
250 }
251
252 return NT_STATUS_OK;
253 }
254
255 /*
256 called on a tcp recv
257 */
258 static void ntp_signd_recv(struct stream_connection *conn, uint16_t flags)
259 {
260 struct ntp_signd_connection *ntp_signd_conn = talloc_get_type(conn->private_data,
261 struct ntp_signd_connection);
262 ntp_signd_terminate_connection(ntp_signd_conn,
263 "ntp_signd_recv: called");
264 }
265
266 /*
267 called when we can write to a connection
268 */
269 static void ntp_signd_send(struct stream_connection *conn, uint16_t flags)
270 {
271 struct ntp_signd_connection *ntp_signd_conn = talloc_get_type(conn->private_data,
272 struct ntp_signd_connection);
273 /* this should never be triggered! */
274 ntp_signd_terminate_connection(ntp_signd_conn,
275 "ntp_signd_send: called");
276 }
277
278 struct ntp_signd_call {
279 struct ntp_signd_connection *ntp_signd_conn;
280 DATA_BLOB in;
281 DATA_BLOB out;
282 uint8_t out_hdr[4];
283 struct iovec out_iov[2];
284 };
285
286 static void ntp_signd_call_writev_done(struct tevent_req *subreq);
287
288 static void ntp_signd_call_loop(struct tevent_req *subreq)
289 {
290 struct ntp_signd_connection *ntp_signd_conn = tevent_req_callback_data(subreq,
291 struct ntp_signd_connection);
292 struct ntp_signd_call *call;
293 NTSTATUS status;
294
295 call = talloc(ntp_signd_conn, struct ntp_signd_call);
296 if (call == NULL) {
297 ntp_signd_terminate_connection(ntp_signd_conn,
298 "ntp_signd_call_loop: "
299 "no memory for ntp_signd_call");
300 return;
301 }
302 call->ntp_signd_conn = ntp_signd_conn;
303
304 status = tstream_read_pdu_blob_recv(subreq,
305 call,
306 &call->in);
307 TALLOC_FREE(subreq);
308 if (!NT_STATUS_IS_OK(status)) {
309 const char *reason;
310
311 reason = talloc_asprintf(call, "ntp_signd_call_loop: "
312 "tstream_read_pdu_blob_recv() - %s",
313 nt_errstr(status));
314 if (reason == NULL) {
315 reason = nt_errstr(status);
316 }
317
318 ntp_signd_terminate_connection(ntp_signd_conn, reason);
319 return;
320 }
321
322 DEBUG(10,("Received NTP TCP packet of length %lu from %s\n",
323 (long) call->in.length,
324 tsocket_address_string(ntp_signd_conn->conn->remote_address, call)));
325
326 /* skip length header */
327 call->in.data +=4;
328 call->in.length -= 4;
329
330 status = ntp_signd_process(ntp_signd_conn,
331 call,
332 &call->in,
333 &call->out);
334 if (! NT_STATUS_IS_OK(status)) {
335 const char *reason;
336
337 reason = talloc_asprintf(call, "ntp_signd_process failed: %s",
338 nt_errstr(status));
339 if (reason == NULL) {
340 reason = nt_errstr(status);
341 }
342
343 ntp_signd_terminate_connection(ntp_signd_conn, reason);
344 return;
345 }
346
347 /* First add the length of the out buffer */
348 RSIVAL(call->out_hdr, 0, call->out.length);
349 call->out_iov[0].iov_base = (char *) call->out_hdr;
350 call->out_iov[0].iov_len = 4;
351
352 call->out_iov[1].iov_base = (char *) call->out.data;
353 call->out_iov[1].iov_len = call->out.length;
354
355 subreq = tstream_writev_queue_send(call,
356 ntp_signd_conn->conn->event.ctx,
357 ntp_signd_conn->tstream,
358 ntp_signd_conn->send_queue,
359 call->out_iov, 2);
360 if (subreq == NULL) {
361 ntp_signd_terminate_connection(ntp_signd_conn, "ntp_signd_call_loop: "
362 "no memory for tstream_writev_queue_send");
363 return;
364 }
365
366 tevent_req_set_callback(subreq, ntp_signd_call_writev_done, call);
367
368 /*
369 * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
370 * packet_full_request_u32 provides the pdu length then.
371 */
372 subreq = tstream_read_pdu_blob_send(ntp_signd_conn,
373 ntp_signd_conn->conn->event.ctx,
374 ntp_signd_conn->tstream,
375 4, /* initial_read_size */
376 packet_full_request_u32,
377 ntp_signd_conn);
378 if (subreq == NULL) {
379 ntp_signd_terminate_connection(ntp_signd_conn, "ntp_signd_call_loop: "
380 "no memory for tstream_read_pdu_blob_send");
381 return;
382 }
383 tevent_req_set_callback(subreq, ntp_signd_call_loop, ntp_signd_conn);
384 }
385
386 static void ntp_signd_call_writev_done(struct tevent_req *subreq)
387 {
388 struct ntp_signd_call *call = tevent_req_callback_data(subreq,
389 struct ntp_signd_call);
390 int sys_errno;
391 int rc;
392
393 rc = tstream_writev_queue_recv(subreq, &sys_errno);
394 TALLOC_FREE(subreq);
395 if (rc == -1) {
396 const char *reason;
397
398 reason = talloc_asprintf(call, "ntp_signd_call_writev_done: "
399 "tstream_writev_queue_recv() - %d:%s",
400 sys_errno, strerror(sys_errno));
401 if (!reason) {
402 reason = "ntp_signd_call_writev_done: "
403 "tstream_writev_queue_recv() failed";
404 }
405
406 ntp_signd_terminate_connection(call->ntp_signd_conn, reason);
407 return;
408 }
409
410 /* We don't care about errors */
411
412 talloc_free(call);
413 }
414
415 /*
416 called when we get a new connection
417 */
418 static void ntp_signd_accept(struct stream_connection *conn)
419 {
420 struct ntp_signd_server *ntp_signd = talloc_get_type(conn->private_data,
421 struct ntp_signd_server);
422 struct ntp_signd_connection *ntp_signd_conn;
423 struct tevent_req *subreq;
424 int rc;
425
426 ntp_signd_conn = talloc_zero(conn, struct ntp_signd_connection);
427 if (ntp_signd_conn == NULL) {
428 stream_terminate_connection(conn,
429 "ntp_signd_accept: out of memory");
430 return;
431 }
432
433 ntp_signd_conn->send_queue = tevent_queue_create(conn,
434 "ntp_signd_accept");
435 if (ntp_signd_conn->send_queue == NULL) {
436 stream_terminate_connection(conn,
437 "ntp_signd_accept: out of memory");
438 return;
439 }
440
441 TALLOC_FREE(conn->event.fde);
442
443 rc = tstream_bsd_existing_socket(ntp_signd_conn,
444 socket_get_fd(conn->socket),
445 &ntp_signd_conn->tstream);
446 if (rc < 0) {
447 stream_terminate_connection(conn,
448 "ntp_signd_accept: out of memory");
449 return;
450 }
451
452 ntp_signd_conn->conn = conn;
453 ntp_signd_conn->ntp_signd = ntp_signd;
454 conn->private_data = ntp_signd_conn;
455
456 /*
457 * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
458 * packet_full_request_u32 provides the pdu length then.
459 */
460 subreq = tstream_read_pdu_blob_send(ntp_signd_conn,
461 ntp_signd_conn->conn->event.ctx,
462 ntp_signd_conn->tstream,
463 4, /* initial_read_size */
464 packet_full_request_u32,
465 ntp_signd_conn);
466 if (subreq == NULL) {
467 ntp_signd_terminate_connection(ntp_signd_conn,
468 "ntp_signd_accept: "
469 "no memory for tstream_read_pdu_blob_send");
470 return;
471 }
472 tevent_req_set_callback(subreq, ntp_signd_call_loop, ntp_signd_conn);
473 }
474
475 static const struct stream_server_ops ntp_signd_stream_ops = {
476 .name = "ntp_signd",
477 .accept_connection = ntp_signd_accept,
478 .recv_handler = ntp_signd_recv,
479 .send_handler = ntp_signd_send
480 };
481
482 /*
483 startup the ntp_signd task
484 */
485 static void ntp_signd_task_init(struct task_server *task)
486 {
487 struct ntp_signd_server *ntp_signd;
488 NTSTATUS status;
489
490 const struct model_ops *model_ops;
491
492 const char *address;
493
494 if (!directory_create_or_exist(lpcfg_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0755)) {
495 char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s",
496 lpcfg_ntp_signd_socket_directory(task->lp_ctx));
497 task_server_terminate(task,
498 error, true);
499 return;
500 }
501
502 /* within the ntp_signd task we want to be a single process, so
503 ask for the single process model ops and pass these to the
504 stream_setup_socket() call. */
505 model_ops = process_model_startup(task->event_ctx, "single");
506 if (!model_ops) {
507 DEBUG(0,("Can't find 'single' process model_ops\n"));
508 return;
509 }
510
511 task_server_set_title(task, "task[ntp_signd]");
512
513 ntp_signd = talloc(task, struct ntp_signd_server);
514 if (ntp_signd == NULL) {
515 task_server_terminate(task, "ntp_signd: out of memory", true);
516 return;
517 }
518
519 ntp_signd->task = task;
520
521 /* Must be system to get at the password hashes */
522 ntp_signd->samdb = samdb_connect(ntp_signd, task->event_ctx, task->lp_ctx, system_session(task->lp_ctx));
523 if (ntp_signd->samdb == NULL) {
524 task_server_terminate(task, "ntp_signd failed to open samdb", true);
525 return;
526 }
527
528 address = talloc_asprintf(ntp_signd, "%s/socket", lpcfg_ntp_signd_socket_directory(task->lp_ctx));
529
530 status = stream_setup_socket(ntp_signd->task->event_ctx,
531 ntp_signd->task->lp_ctx,
532 model_ops,
533 &ntp_signd_stream_ops,
534 "unix", address, NULL,
535 lpcfg_socket_options(ntp_signd->task->lp_ctx),
536 ntp_signd);
537 if (!NT_STATUS_IS_OK(status)) {
538 DEBUG(0,("Failed to bind to %s - %s\n",
539 address, nt_errstr(status)));
540 return;
541 }
542
543 }
544
545
546 /* called at smbd startup - register ourselves as a server service */
547 NTSTATUS server_service_ntp_signd_init(void)
548 {
549 return register_server_service("ntp_signd", ntp_signd_task_init);
550 }
reg import