search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
samba-tool: refuse to demote if the current DC has still roles
[Samba/gebeck_regimport.git] / source4 / auth / gensec / schannel.c
blob51be445dbb327e12a81f304a4faaca736d746829
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "auth/auth.h"
26 #include "auth/credentials/credentials.h"
27 #include "auth/gensec/gensec.h"
28 #include "auth/gensec/gensec_proto.h"
29 #include "../libcli/auth/schannel.h"
30 #include "librpc/rpc/dcerpc.h"
31 #include "param/param.h"
32 #include "auth/gensec/schannel.h"
33 #include "auth/gensec/gensec_toplevel_proto.h"
34
35 _PUBLIC_ NTSTATUS gensec_schannel_init(void);
36
37 static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
38 {
39 struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
40 uint32_t sig_size;
41
42 sig_size = netsec_outgoing_sig_size(state);
43
44 return sig_size;
45 }
46
47 static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
48 TALLOC_CTX *mem_ctx,
49 DATA_BLOB *session_key)
50 {
51 return NT_STATUS_NOT_IMPLEMENTED;
52 }
53
54 static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
55 struct tevent_context *ev,
56 const DATA_BLOB in, DATA_BLOB *out)
57 {
58 struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
59 NTSTATUS status;
60 enum ndr_err_code ndr_err;
61 struct NL_AUTH_MESSAGE bind_schannel;
62 struct NL_AUTH_MESSAGE bind_schannel_ack;
63 struct netlogon_creds_CredentialState *creds;
64 const char *workstation;
65 const char *domain;
66
67 *out = data_blob(NULL, 0);
68
69 switch (gensec_security->gensec_role) {
70 case GENSEC_CLIENT:
71 if (state->state != SCHANNEL_STATE_START) {
72 /* we could parse the bind ack, but we don't know what it is yet */
73 return NT_STATUS_OK;
74 }
75
76 state->creds = talloc_reference(state, cli_credentials_get_netlogon_creds(gensec_security->credentials));
77
78 bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
79 #if 0
80 /* to support this we'd need to have access to the full domain name */
81 /* 0x17, 23 */
82 bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
83 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
84 NL_FLAG_UTF8_DNS_DOMAIN_NAME |
85 NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
86 bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
87 bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
88 bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
89 /* w2k3 refuses us if we use the full DNS workstation?
90 why? perhaps because we don't fill in the dNSHostName
91 attribute in the machine account? */
92 bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
93 #else
94 bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
95 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
96 bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
97 bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
98 #endif
99
100 ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
101 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
102 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
103 status = ndr_map_error2ntstatus(ndr_err);
104 DEBUG(3, ("Could not create schannel bind: %s\n",
105 nt_errstr(status)));
106 return status;
107 }
108
109 state->state = SCHANNEL_STATE_UPDATE_1;
110
111 return NT_STATUS_MORE_PROCESSING_REQUIRED;
112 case GENSEC_SERVER:
113
114 if (state->state != SCHANNEL_STATE_START) {
115 /* no third leg on this protocol */
116 return NT_STATUS_INVALID_PARAMETER;
117 }
118
119 /* parse the schannel startup blob */
120 ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
121 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
122 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
123 status = ndr_map_error2ntstatus(ndr_err);
124 DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
125 nt_errstr(status)));
126 return status;
127 }
128
129 if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
130 domain = bind_schannel.oem_netbios_domain.a;
131 if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
132 DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
133 domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
134 return NT_STATUS_LOGON_FAILURE;
135 }
136 } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
137 domain = bind_schannel.utf8_dns_domain.u;
138 if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
139 DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
140 domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
141 return NT_STATUS_LOGON_FAILURE;
142 }
143 } else {
144 DEBUG(3, ("Request for schannel to without domain\n"));
145 return NT_STATUS_LOGON_FAILURE;
146 }
147
148 if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
149 workstation = bind_schannel.oem_netbios_computer.a;
150 } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
151 workstation = bind_schannel.utf8_netbios_computer.u;
152 } else {
153 DEBUG(3, ("Request for schannel to without netbios workstation\n"));
154 return NT_STATUS_LOGON_FAILURE;
155 }
156
157 status = schannel_get_creds_state(out_mem_ctx,
158 gensec_security->settings->lp_ctx,
159 workstation, &creds);
160 if (!NT_STATUS_IS_OK(status)) {
161 DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
162 workstation, nt_errstr(status)));
163 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
164 return NT_STATUS_LOGON_FAILURE;
165 }
166 return status;
167 }
168
169 state->creds = talloc_steal(state, creds);
170
171 bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
172 bind_schannel_ack.Flags = 0;
173 bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
174 * this does not have
175 * any meaning here
176 * - gd */
177
178 ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
179 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
180 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
181 status = ndr_map_error2ntstatus(ndr_err);
182 DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
183 workstation, nt_errstr(status)));
184 return status;
185 }
186
187 state->state = SCHANNEL_STATE_UPDATE_1;
188
189 return NT_STATUS_OK;
190 }
191 return NT_STATUS_INVALID_PARAMETER;
192 }
193
194 /**
195 * Return the struct netlogon_creds_CredentialState.
196 *
197 * Make sure not to call this unless gensec is using schannel...
198 */
199
200 /* TODO: make this non-public */
201
202 _PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
203 TALLOC_CTX *mem_ctx,
204 struct netlogon_creds_CredentialState **creds)
205 {
206 struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
207
208 *creds = talloc_reference(mem_ctx, state->creds);
209 if (!*creds) {
210 return NT_STATUS_NO_MEMORY;
211 }
212 return NT_STATUS_OK;
213 }
214
215
216 /**
217 * Returns anonymous credentials for schannel, matching Win2k3.
218 *
219 */
220
221 static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
222 TALLOC_CTX *mem_ctx,
223 struct auth_session_info **_session_info)
224 {
225 return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
226 }
227
228 static NTSTATUS schannel_start(struct gensec_security *gensec_security)
229 {
230 struct schannel_state *state;
231
232 state = talloc(gensec_security, struct schannel_state);
233 if (!state) {
234 return NT_STATUS_NO_MEMORY;
235 }
236
237 state->state = SCHANNEL_STATE_START;
238 state->seq_num = 0;
239 gensec_security->private_data = state;
240
241 return NT_STATUS_OK;
242 }
243
244 static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
245 {
246 NTSTATUS status;
247 struct schannel_state *state;
248
249 status = schannel_start(gensec_security);
250 if (!NT_STATUS_IS_OK(status)) {
251 return status;
252 }
253
254 state = (struct schannel_state *)gensec_security->private_data;
255 state->initiator = false;
256
257 return NT_STATUS_OK;
258 }
259
260 static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
261 {
262 NTSTATUS status;
263 struct schannel_state *state;
264
265 status = schannel_start(gensec_security);
266 if (!NT_STATUS_IS_OK(status)) {
267 return status;
268 }
269
270 state = (struct schannel_state *)gensec_security->private_data;
271 state->initiator = true;
272
273 return NT_STATUS_OK;
274 }
275
276
277 static bool schannel_have_feature(struct gensec_security *gensec_security,
278 uint32_t feature)
279 {
280 if (feature & (GENSEC_FEATURE_SIGN |
281 GENSEC_FEATURE_SEAL)) {
282 return true;
283 }
284 if (feature & GENSEC_FEATURE_DCE_STYLE) {
285 return true;
286 }
287 if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
288 return true;
289 }
290 return false;
291 }
292
293 /*
294 unseal a packet
295 */
296 static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
297 uint8_t *data, size_t length,
298 const uint8_t *whole_pdu, size_t pdu_length,
299 const DATA_BLOB *sig)
300 {
301 struct schannel_state *state =
302 talloc_get_type(gensec_security->private_data,
303 struct schannel_state);
304
305 return netsec_incoming_packet(state, true,
306 discard_const_p(uint8_t, data),
307 length, sig);
308 }
309
310 /*
311 check the signature on a packet
312 */
313 static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
314 const uint8_t *data, size_t length,
315 const uint8_t *whole_pdu, size_t pdu_length,
316 const DATA_BLOB *sig)
317 {
318 struct schannel_state *state =
319 talloc_get_type(gensec_security->private_data,
320 struct schannel_state);
321
322 return netsec_incoming_packet(state, false,
323 discard_const_p(uint8_t, data),
324 length, sig);
325 }
326 /*
327 seal a packet
328 */
329 static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
330 TALLOC_CTX *mem_ctx,
331 uint8_t *data, size_t length,
332 const uint8_t *whole_pdu, size_t pdu_length,
333 DATA_BLOB *sig)
334 {
335 struct schannel_state *state =
336 talloc_get_type(gensec_security->private_data,
337 struct schannel_state);
338
339 return netsec_outgoing_packet(state, mem_ctx, true,
340 data, length, sig);
341 }
342
343 /*
344 sign a packet
345 */
346 static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
347 TALLOC_CTX *mem_ctx,
348 const uint8_t *data, size_t length,
349 const uint8_t *whole_pdu, size_t pdu_length,
350 DATA_BLOB *sig)
351 {
352 struct schannel_state *state =
353 talloc_get_type(gensec_security->private_data,
354 struct schannel_state);
355
356 return netsec_outgoing_packet(state, mem_ctx, false,
357 discard_const_p(uint8_t, data),
358 length, sig);
359 }
360
361 static const struct gensec_security_ops gensec_schannel_security_ops = {
362 .name = "schannel",
363 .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
364 .client_start = schannel_client_start,
365 .server_start = schannel_server_start,
366 .update = schannel_update,
367 .seal_packet = schannel_seal_packet,
368 .sign_packet = schannel_sign_packet,
369 .check_packet = schannel_check_packet,
370 .unseal_packet = schannel_unseal_packet,
371 .session_key = schannel_session_key,
372 .session_info = schannel_session_info,
373 .sig_size = schannel_sig_size,
374 .have_feature = schannel_have_feature,
375 .enabled = true,
376 .priority = GENSEC_SCHANNEL
377 };
378
379 _PUBLIC_ NTSTATUS gensec_schannel_init(void)
380 {
381 NTSTATUS ret;
382 ret = gensec_register(&gensec_schannel_security_ops);
383 if (!NT_STATUS_IS_OK(ret)) {
384 DEBUG(0,("Failed to register '%s' gensec backend!\n",
385 gensec_schannel_security_ops.name));
386 return ret;
387 }
388
389 return ret;
390 }
reg import