2 Unix SMB/CIFS implementation.
4 dcerpc schannel operations
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "auth/auth.h"
26 #include "auth/credentials/credentials.h"
27 #include "auth/gensec/gensec.h"
28 #include "auth/gensec/gensec_proto.h"
29 #include "../libcli/auth/schannel.h"
30 #include "librpc/rpc/dcerpc.h"
31 #include "param/param.h"
32 #include "auth/gensec/schannel.h"
33 #include "auth/gensec/gensec_toplevel_proto.h"
35 _PUBLIC_ NTSTATUS
gensec_schannel_init(void);
37 static size_t schannel_sig_size(struct gensec_security
*gensec_security
, size_t data_size
)
39 struct schannel_state
*state
= (struct schannel_state
*)gensec_security
->private_data
;
42 sig_size
= netsec_outgoing_sig_size(state
);
47 static NTSTATUS
schannel_session_key(struct gensec_security
*gensec_security
,
49 DATA_BLOB
*session_key
)
51 return NT_STATUS_NOT_IMPLEMENTED
;
54 static NTSTATUS
schannel_update(struct gensec_security
*gensec_security
, TALLOC_CTX
*out_mem_ctx
,
55 struct tevent_context
*ev
,
56 const DATA_BLOB in
, DATA_BLOB
*out
)
58 struct schannel_state
*state
= (struct schannel_state
*)gensec_security
->private_data
;
60 enum ndr_err_code ndr_err
;
61 struct NL_AUTH_MESSAGE bind_schannel
;
62 struct NL_AUTH_MESSAGE bind_schannel_ack
;
63 struct netlogon_creds_CredentialState
*creds
;
64 const char *workstation
;
67 *out
= data_blob(NULL
, 0);
69 switch (gensec_security
->gensec_role
) {
71 if (state
->state
!= SCHANNEL_STATE_START
) {
72 /* we could parse the bind ack, but we don't know what it is yet */
76 state
->creds
= talloc_reference(state
, cli_credentials_get_netlogon_creds(gensec_security
->credentials
));
78 bind_schannel
.MessageType
= NL_NEGOTIATE_REQUEST
;
80 /* to support this we'd need to have access to the full domain name */
82 bind_schannel
.Flags
= NL_FLAG_OEM_NETBIOS_DOMAIN_NAME
|
83 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME
|
84 NL_FLAG_UTF8_DNS_DOMAIN_NAME
|
85 NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME
;
86 bind_schannel
.oem_netbios_domain
.a
= cli_credentials_get_domain(gensec_security
->credentials
);
87 bind_schannel
.oem_netbios_computer
.a
= cli_credentials_get_workstation(gensec_security
->credentials
);
88 bind_schannel
.utf8_dns_domain
= cli_credentials_get_realm(gensec_security
->credentials
);
89 /* w2k3 refuses us if we use the full DNS workstation?
90 why? perhaps because we don't fill in the dNSHostName
91 attribute in the machine account? */
92 bind_schannel
.utf8_netbios_computer
= cli_credentials_get_workstation(gensec_security
->credentials
);
94 bind_schannel
.Flags
= NL_FLAG_OEM_NETBIOS_DOMAIN_NAME
|
95 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME
;
96 bind_schannel
.oem_netbios_domain
.a
= cli_credentials_get_domain(gensec_security
->credentials
);
97 bind_schannel
.oem_netbios_computer
.a
= cli_credentials_get_workstation(gensec_security
->credentials
);
100 ndr_err
= ndr_push_struct_blob(out
, out_mem_ctx
, &bind_schannel
,
101 (ndr_push_flags_fn_t
)ndr_push_NL_AUTH_MESSAGE
);
102 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
103 status
= ndr_map_error2ntstatus(ndr_err
);
104 DEBUG(3, ("Could not create schannel bind: %s\n",
109 state
->state
= SCHANNEL_STATE_UPDATE_1
;
111 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
114 if (state
->state
!= SCHANNEL_STATE_START
) {
115 /* no third leg on this protocol */
116 return NT_STATUS_INVALID_PARAMETER
;
119 /* parse the schannel startup blob */
120 ndr_err
= ndr_pull_struct_blob(&in
, out_mem_ctx
, &bind_schannel
,
121 (ndr_pull_flags_fn_t
)ndr_pull_NL_AUTH_MESSAGE
);
122 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
123 status
= ndr_map_error2ntstatus(ndr_err
);
124 DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
129 if (bind_schannel
.Flags
& NL_FLAG_OEM_NETBIOS_DOMAIN_NAME
) {
130 domain
= bind_schannel
.oem_netbios_domain
.a
;
131 if (strcasecmp_m(domain
, lpcfg_workgroup(gensec_security
->settings
->lp_ctx
)) != 0) {
132 DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
133 domain
, lpcfg_workgroup(gensec_security
->settings
->lp_ctx
)));
134 return NT_STATUS_LOGON_FAILURE
;
136 } else if (bind_schannel
.Flags
& NL_FLAG_UTF8_DNS_DOMAIN_NAME
) {
137 domain
= bind_schannel
.utf8_dns_domain
.u
;
138 if (strcasecmp_m(domain
, lpcfg_dnsdomain(gensec_security
->settings
->lp_ctx
)) != 0) {
139 DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
140 domain
, lpcfg_dnsdomain(gensec_security
->settings
->lp_ctx
)));
141 return NT_STATUS_LOGON_FAILURE
;
144 DEBUG(3, ("Request for schannel to without domain\n"));
145 return NT_STATUS_LOGON_FAILURE
;
148 if (bind_schannel
.Flags
& NL_FLAG_OEM_NETBIOS_COMPUTER_NAME
) {
149 workstation
= bind_schannel
.oem_netbios_computer
.a
;
150 } else if (bind_schannel
.Flags
& NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME
) {
151 workstation
= bind_schannel
.utf8_netbios_computer
.u
;
153 DEBUG(3, ("Request for schannel to without netbios workstation\n"));
154 return NT_STATUS_LOGON_FAILURE
;
157 status
= schannel_get_creds_state(out_mem_ctx
,
158 gensec_security
->settings
->lp_ctx
,
159 workstation
, &creds
);
160 if (!NT_STATUS_IS_OK(status
)) {
161 DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
162 workstation
, nt_errstr(status
)));
163 if (NT_STATUS_EQUAL(status
, NT_STATUS_INVALID_HANDLE
)) {
164 return NT_STATUS_LOGON_FAILURE
;
169 state
->creds
= talloc_steal(state
, creds
);
171 bind_schannel_ack
.MessageType
= NL_NEGOTIATE_RESPONSE
;
172 bind_schannel_ack
.Flags
= 0;
173 bind_schannel_ack
.Buffer
.dummy
= 0x6c0000; /* actually I think
178 ndr_err
= ndr_push_struct_blob(out
, out_mem_ctx
, &bind_schannel_ack
,
179 (ndr_push_flags_fn_t
)ndr_push_NL_AUTH_MESSAGE
);
180 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
181 status
= ndr_map_error2ntstatus(ndr_err
);
182 DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
183 workstation
, nt_errstr(status
)));
187 state
->state
= SCHANNEL_STATE_UPDATE_1
;
191 return NT_STATUS_INVALID_PARAMETER
;
195 * Return the struct netlogon_creds_CredentialState.
197 * Make sure not to call this unless gensec is using schannel...
200 /* TODO: make this non-public */
202 _PUBLIC_ NTSTATUS
dcerpc_schannel_creds(struct gensec_security
*gensec_security
,
204 struct netlogon_creds_CredentialState
**creds
)
206 struct schannel_state
*state
= talloc_get_type(gensec_security
->private_data
, struct schannel_state
);
208 *creds
= talloc_reference(mem_ctx
, state
->creds
);
210 return NT_STATUS_NO_MEMORY
;
217 * Returns anonymous credentials for schannel, matching Win2k3.
221 static NTSTATUS
schannel_session_info(struct gensec_security
*gensec_security
,
223 struct auth_session_info
**_session_info
)
225 return auth_anonymous_session_info(mem_ctx
, gensec_security
->settings
->lp_ctx
, _session_info
);
228 static NTSTATUS
schannel_start(struct gensec_security
*gensec_security
)
230 struct schannel_state
*state
;
232 state
= talloc(gensec_security
, struct schannel_state
);
234 return NT_STATUS_NO_MEMORY
;
237 state
->state
= SCHANNEL_STATE_START
;
239 gensec_security
->private_data
= state
;
244 static NTSTATUS
schannel_server_start(struct gensec_security
*gensec_security
)
247 struct schannel_state
*state
;
249 status
= schannel_start(gensec_security
);
250 if (!NT_STATUS_IS_OK(status
)) {
254 state
= (struct schannel_state
*)gensec_security
->private_data
;
255 state
->initiator
= false;
260 static NTSTATUS
schannel_client_start(struct gensec_security
*gensec_security
)
263 struct schannel_state
*state
;
265 status
= schannel_start(gensec_security
);
266 if (!NT_STATUS_IS_OK(status
)) {
270 state
= (struct schannel_state
*)gensec_security
->private_data
;
271 state
->initiator
= true;
277 static bool schannel_have_feature(struct gensec_security
*gensec_security
,
280 if (feature
& (GENSEC_FEATURE_SIGN
|
281 GENSEC_FEATURE_SEAL
)) {
284 if (feature
& GENSEC_FEATURE_DCE_STYLE
) {
287 if (feature
& GENSEC_FEATURE_ASYNC_REPLIES
) {
296 static NTSTATUS
schannel_unseal_packet(struct gensec_security
*gensec_security
,
297 uint8_t *data
, size_t length
,
298 const uint8_t *whole_pdu
, size_t pdu_length
,
299 const DATA_BLOB
*sig
)
301 struct schannel_state
*state
=
302 talloc_get_type(gensec_security
->private_data
,
303 struct schannel_state
);
305 return netsec_incoming_packet(state
, true,
306 discard_const_p(uint8_t, data
),
311 check the signature on a packet
313 static NTSTATUS
schannel_check_packet(struct gensec_security
*gensec_security
,
314 const uint8_t *data
, size_t length
,
315 const uint8_t *whole_pdu
, size_t pdu_length
,
316 const DATA_BLOB
*sig
)
318 struct schannel_state
*state
=
319 talloc_get_type(gensec_security
->private_data
,
320 struct schannel_state
);
322 return netsec_incoming_packet(state
, false,
323 discard_const_p(uint8_t, data
),
329 static NTSTATUS
schannel_seal_packet(struct gensec_security
*gensec_security
,
331 uint8_t *data
, size_t length
,
332 const uint8_t *whole_pdu
, size_t pdu_length
,
335 struct schannel_state
*state
=
336 talloc_get_type(gensec_security
->private_data
,
337 struct schannel_state
);
339 return netsec_outgoing_packet(state
, mem_ctx
, true,
346 static NTSTATUS
schannel_sign_packet(struct gensec_security
*gensec_security
,
348 const uint8_t *data
, size_t length
,
349 const uint8_t *whole_pdu
, size_t pdu_length
,
352 struct schannel_state
*state
=
353 talloc_get_type(gensec_security
->private_data
,
354 struct schannel_state
);
356 return netsec_outgoing_packet(state
, mem_ctx
, false,
357 discard_const_p(uint8_t, data
),
361 static const struct gensec_security_ops gensec_schannel_security_ops
= {
363 .auth_type
= DCERPC_AUTH_TYPE_SCHANNEL
,
364 .client_start
= schannel_client_start
,
365 .server_start
= schannel_server_start
,
366 .update
= schannel_update
,
367 .seal_packet
= schannel_seal_packet
,
368 .sign_packet
= schannel_sign_packet
,
369 .check_packet
= schannel_check_packet
,
370 .unseal_packet
= schannel_unseal_packet
,
371 .session_key
= schannel_session_key
,
372 .session_info
= schannel_session_info
,
373 .sig_size
= schannel_sig_size
,
374 .have_feature
= schannel_have_feature
,
376 .priority
= GENSEC_SCHANNEL
379 _PUBLIC_ NTSTATUS
gensec_schannel_init(void)
382 ret
= gensec_register(&gensec_schannel_security_ops
);
383 if (!NT_STATUS_IS_OK(ret
)) {
384 DEBUG(0,("Failed to register '%s' gensec backend!\n",
385 gensec_schannel_security_ops
.name
));