search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
lib/replace: define HAVE_WORKING_STRPTIME instead of REPLACE_STRPTIME
[Samba/gebeck_regimport.git] / source4 / auth / gensec / schannel.c
blob2465e53bff2b87504a0a6ea8d4f9c91aca2d2e51
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "librpc/gen_ndr/ndr_schannel.h"
25 #include "auth/auth.h"
26 #include "auth/credentials/credentials.h"
27 #include "auth/gensec/gensec.h"
28 #include "auth/gensec/gensec_proto.h"
29 #include "../libcli/auth/schannel.h"
30 #include "librpc/rpc/dcerpc.h"
31 #include "param/param.h"
32 #include "auth/gensec/schannel.h"
33 #include "auth/gensec/gensec_toplevel_proto.h"
34
35 _PUBLIC_ NTSTATUS gensec_schannel_init(void);
36
37 static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
38 {
39 struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
40 uint32_t sig_size;
41
42 sig_size = netsec_outgoing_sig_size(state);
43
44 return sig_size;
45 }
46
47 static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
48 TALLOC_CTX *mem_ctx,
49 DATA_BLOB *session_key)
50 {
51 return NT_STATUS_NOT_IMPLEMENTED;
52 }
53
54 static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
55 struct tevent_context *ev,
56 const DATA_BLOB in, DATA_BLOB *out)
57 {
58 struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
59 NTSTATUS status;
60 enum ndr_err_code ndr_err;
61 struct NL_AUTH_MESSAGE bind_schannel;
62 struct NL_AUTH_MESSAGE bind_schannel_ack;
63 struct netlogon_creds_CredentialState *creds;
64 const char *workstation;
65 const char *domain;
66
67 *out = data_blob(NULL, 0);
68
69 switch (gensec_security->gensec_role) {
70 case GENSEC_CLIENT:
71 if (state->state != SCHANNEL_STATE_START) {
72 /* we could parse the bind ack, but we don't know what it is yet */
73 return NT_STATUS_OK;
74 }
75
76 state->creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
77 if (state->creds == NULL) {
78 return NT_STATUS_INVALID_PARAMETER_MIX;
79 }
80 state->creds = netlogon_creds_copy(state, state->creds);
81 if (state->creds == NULL) {
82 return NT_STATUS_NO_MEMORY;
83 }
84
85 bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
86 #if 0
87 /* to support this we'd need to have access to the full domain name */
88 /* 0x17, 23 */
89 bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
90 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
91 NL_FLAG_UTF8_DNS_DOMAIN_NAME |
92 NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
93 bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
94 bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
95 bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
96 /* w2k3 refuses us if we use the full DNS workstation?
97 why? perhaps because we don't fill in the dNSHostName
98 attribute in the machine account? */
99 bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
100 #else
101 bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
102 NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
103 bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
104 bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
105 #endif
106
107 ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
108 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
109 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
110 status = ndr_map_error2ntstatus(ndr_err);
111 DEBUG(3, ("Could not create schannel bind: %s\n",
112 nt_errstr(status)));
113 return status;
114 }
115
116 state->state = SCHANNEL_STATE_UPDATE_1;
117
118 return NT_STATUS_MORE_PROCESSING_REQUIRED;
119 case GENSEC_SERVER:
120
121 if (state->state != SCHANNEL_STATE_START) {
122 /* no third leg on this protocol */
123 return NT_STATUS_INVALID_PARAMETER;
124 }
125
126 /* parse the schannel startup blob */
127 ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
128 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
129 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
130 status = ndr_map_error2ntstatus(ndr_err);
131 DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
132 nt_errstr(status)));
133 return status;
134 }
135
136 if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
137 domain = bind_schannel.oem_netbios_domain.a;
138 if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
139 DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
140 domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
141 return NT_STATUS_LOGON_FAILURE;
142 }
143 } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
144 domain = bind_schannel.utf8_dns_domain.u;
145 if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
146 DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
147 domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
148 return NT_STATUS_LOGON_FAILURE;
149 }
150 } else {
151 DEBUG(3, ("Request for schannel to without domain\n"));
152 return NT_STATUS_LOGON_FAILURE;
153 }
154
155 if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
156 workstation = bind_schannel.oem_netbios_computer.a;
157 } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
158 workstation = bind_schannel.utf8_netbios_computer.u;
159 } else {
160 DEBUG(3, ("Request for schannel to without netbios workstation\n"));
161 return NT_STATUS_LOGON_FAILURE;
162 }
163
164 status = schannel_get_creds_state(out_mem_ctx,
165 gensec_security->settings->lp_ctx,
166 workstation, &creds);
167 if (!NT_STATUS_IS_OK(status)) {
168 DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
169 workstation, nt_errstr(status)));
170 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
171 return NT_STATUS_LOGON_FAILURE;
172 }
173 return status;
174 }
175
176 state->creds = talloc_steal(state, creds);
177
178 bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
179 bind_schannel_ack.Flags = 0;
180 bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
181 * this does not have
182 * any meaning here
183 * - gd */
184
185 ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
186 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
187 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
188 status = ndr_map_error2ntstatus(ndr_err);
189 DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
190 workstation, nt_errstr(status)));
191 return status;
192 }
193
194 state->state = SCHANNEL_STATE_UPDATE_1;
195
196 return NT_STATUS_OK;
197 }
198 return NT_STATUS_INVALID_PARAMETER;
199 }
200
201 /**
202 * Return the struct netlogon_creds_CredentialState.
203 *
204 * Make sure not to call this unless gensec is using schannel...
205 */
206
207 /* TODO: make this non-public */
208
209 _PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
210 TALLOC_CTX *mem_ctx,
211 struct netlogon_creds_CredentialState **creds)
212 {
213 struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
214
215 *creds = talloc_reference(mem_ctx, state->creds);
216 if (!*creds) {
217 return NT_STATUS_NO_MEMORY;
218 }
219 return NT_STATUS_OK;
220 }
221
222
223 /**
224 * Returns anonymous credentials for schannel, matching Win2k3.
225 *
226 */
227
228 static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
229 TALLOC_CTX *mem_ctx,
230 struct auth_session_info **_session_info)
231 {
232 return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
233 }
234
235 static NTSTATUS schannel_start(struct gensec_security *gensec_security)
236 {
237 struct schannel_state *state;
238
239 state = talloc_zero(gensec_security, struct schannel_state);
240 if (!state) {
241 return NT_STATUS_NO_MEMORY;
242 }
243
244 state->state = SCHANNEL_STATE_START;
245 gensec_security->private_data = state;
246
247 return NT_STATUS_OK;
248 }
249
250 static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
251 {
252 NTSTATUS status;
253 struct schannel_state *state;
254
255 status = schannel_start(gensec_security);
256 if (!NT_STATUS_IS_OK(status)) {
257 return status;
258 }
259
260 state = (struct schannel_state *)gensec_security->private_data;
261 state->initiator = false;
262
263 return NT_STATUS_OK;
264 }
265
266 static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
267 {
268 NTSTATUS status;
269 struct schannel_state *state;
270
271 status = schannel_start(gensec_security);
272 if (!NT_STATUS_IS_OK(status)) {
273 return status;
274 }
275
276 state = (struct schannel_state *)gensec_security->private_data;
277 state->initiator = true;
278
279 return NT_STATUS_OK;
280 }
281
282
283 static bool schannel_have_feature(struct gensec_security *gensec_security,
284 uint32_t feature)
285 {
286 if (feature & (GENSEC_FEATURE_SIGN |
287 GENSEC_FEATURE_SEAL)) {
288 return true;
289 }
290 if (feature & GENSEC_FEATURE_DCE_STYLE) {
291 return true;
292 }
293 if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
294 return true;
295 }
296 return false;
297 }
298
299 /*
300 unseal a packet
301 */
302 static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
303 uint8_t *data, size_t length,
304 const uint8_t *whole_pdu, size_t pdu_length,
305 const DATA_BLOB *sig)
306 {
307 struct schannel_state *state =
308 talloc_get_type(gensec_security->private_data,
309 struct schannel_state);
310
311 return netsec_incoming_packet(state, true,
312 discard_const_p(uint8_t, data),
313 length, sig);
314 }
315
316 /*
317 check the signature on a packet
318 */
319 static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
320 const uint8_t *data, size_t length,
321 const uint8_t *whole_pdu, size_t pdu_length,
322 const DATA_BLOB *sig)
323 {
324 struct schannel_state *state =
325 talloc_get_type(gensec_security->private_data,
326 struct schannel_state);
327
328 return netsec_incoming_packet(state, false,
329 discard_const_p(uint8_t, data),
330 length, sig);
331 }
332 /*
333 seal a packet
334 */
335 static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
336 TALLOC_CTX *mem_ctx,
337 uint8_t *data, size_t length,
338 const uint8_t *whole_pdu, size_t pdu_length,
339 DATA_BLOB *sig)
340 {
341 struct schannel_state *state =
342 talloc_get_type(gensec_security->private_data,
343 struct schannel_state);
344
345 return netsec_outgoing_packet(state, mem_ctx, true,
346 data, length, sig);
347 }
348
349 /*
350 sign a packet
351 */
352 static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
353 TALLOC_CTX *mem_ctx,
354 const uint8_t *data, size_t length,
355 const uint8_t *whole_pdu, size_t pdu_length,
356 DATA_BLOB *sig)
357 {
358 struct schannel_state *state =
359 talloc_get_type(gensec_security->private_data,
360 struct schannel_state);
361
362 return netsec_outgoing_packet(state, mem_ctx, false,
363 discard_const_p(uint8_t, data),
364 length, sig);
365 }
366
367 static const struct gensec_security_ops gensec_schannel_security_ops = {
368 .name = "schannel",
369 .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
370 .client_start = schannel_client_start,
371 .server_start = schannel_server_start,
372 .update = schannel_update,
373 .seal_packet = schannel_seal_packet,
374 .sign_packet = schannel_sign_packet,
375 .check_packet = schannel_check_packet,
376 .unseal_packet = schannel_unseal_packet,
377 .session_key = schannel_session_key,
378 .session_info = schannel_session_info,
379 .sig_size = schannel_sig_size,
380 .have_feature = schannel_have_feature,
381 .enabled = true,
382 .priority = GENSEC_SCHANNEL
383 };
384
385 _PUBLIC_ NTSTATUS gensec_schannel_init(void)
386 {
387 NTSTATUS ret;
388 ret = gensec_register(&gensec_schannel_security_ops);
389 if (!NT_STATUS_IS_OK(ret)) {
390 DEBUG(0,("Failed to register '%s' gensec backend!\n",
391 gensec_schannel_security_ops.name));
392 return ret;
393 }
394
395 return ret;
396 }
reg import