search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Talloc doc: talloc_set_log_fn()
[Samba/vl.git] / source4 / librpc / rpc / dcerpc_schannel.c
blob335c34ca35d30c92a53a29c22525e4c3557a0395
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include <tevent.h>
26 #include "auth/auth.h"
27 #include "libcli/composite/composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "librpc/gen_ndr/ndr_netlogon.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "auth/credentials/credentials.h"
32 #include "librpc/rpc/dcerpc_proto.h"
33 #include "param/param.h"
34
35 struct schannel_key_state {
36 struct dcerpc_pipe *pipe;
37 struct dcerpc_pipe *pipe2;
38 struct dcerpc_binding *binding;
39 bool dcerpc_schannel_auto;
40 struct cli_credentials *credentials;
41 struct netlogon_creds_CredentialState *creds;
42 uint32_t local_negotiate_flags;
43 uint32_t remote_negotiate_flags;
44 struct netr_Credential credentials1;
45 struct netr_Credential credentials2;
46 struct netr_Credential credentials3;
47 struct netr_ServerReqChallenge r;
48 struct netr_ServerAuthenticate2 a;
49 const struct samr_Password *mach_pwd;
50 };
51
52
53 static void continue_secondary_connection(struct composite_context *ctx);
54 static void continue_bind_auth_none(struct composite_context *ctx);
55 static void continue_srv_challenge(struct tevent_req *subreq);
56 static void continue_srv_auth2(struct tevent_req *subreq);
57
58
59 /*
60 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
61 rpc connection
62 */
63 static void continue_epm_map_binding(struct composite_context *ctx)
64 {
65 struct composite_context *c;
66 struct schannel_key_state *s;
67 struct composite_context *sec_conn_req;
68
69 c = talloc_get_type(ctx->async.private_data, struct composite_context);
70 s = talloc_get_type(c->private_data, struct schannel_key_state);
71
72 /* receive endpoint mapping */
73 c->status = dcerpc_epm_map_binding_recv(ctx);
74 if (!NT_STATUS_IS_OK(c->status)) {
75 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
76 NDR_NETLOGON_UUID, nt_errstr(c->status)));
77 composite_error(c, c->status);
78 return;
79 }
80
81 /* send a request for secondary rpc connection */
82 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
83 s->binding);
84 if (composite_nomem(sec_conn_req, c)) return;
85
86 composite_continue(c, sec_conn_req, continue_secondary_connection, c);
87 }
88
89
90 /*
91 Stage 3 of schannel_key: Receive secondary rpc connection and perform
92 non-authenticated bind request
93 */
94 static void continue_secondary_connection(struct composite_context *ctx)
95 {
96 struct composite_context *c;
97 struct schannel_key_state *s;
98 struct composite_context *auth_none_req;
99
100 c = talloc_get_type(ctx->async.private_data, struct composite_context);
101 s = talloc_get_type(c->private_data, struct schannel_key_state);
102
103 /* receive secondary rpc connection */
104 c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
105 if (!composite_is_ok(c)) return;
106
107 talloc_steal(s, s->pipe2);
108
109 /* initiate a non-authenticated bind */
110 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
111 if (composite_nomem(auth_none_req, c)) return;
112
113 composite_continue(c, auth_none_req, continue_bind_auth_none, c);
114 }
115
116
117 /*
118 Stage 4 of schannel_key: Receive non-authenticated bind and get
119 a netlogon challenge
120 */
121 static void continue_bind_auth_none(struct composite_context *ctx)
122 {
123 struct composite_context *c;
124 struct schannel_key_state *s;
125 struct tevent_req *subreq;
126
127 c = talloc_get_type(ctx->async.private_data, struct composite_context);
128 s = talloc_get_type(c->private_data, struct schannel_key_state);
129
130 /* receive result of non-authenticated bind request */
131 c->status = dcerpc_bind_auth_none_recv(ctx);
132 if (!composite_is_ok(c)) return;
133
134 /* prepare a challenge request */
135 s->r.in.server_name = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
136 if (composite_nomem(s->r.in.server_name, c)) return;
137 s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
138 s->r.in.credentials = &s->credentials1;
139 s->r.out.return_credentials = &s->credentials2;
140
141 generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
142
143 /*
144 request a netlogon challenge - a rpc request over opened secondary pipe
145 */
146 subreq = dcerpc_netr_ServerReqChallenge_r_send(s, c->event_ctx,
147 s->pipe2->binding_handle,
148 &s->r);
149 if (composite_nomem(subreq, c)) return;
150
151 tevent_req_set_callback(subreq, continue_srv_challenge, c);
152 }
153
154
155 /*
156 Stage 5 of schannel_key: Receive a challenge and perform authentication
157 on the netlogon pipe
158 */
159 static void continue_srv_challenge(struct tevent_req *subreq)
160 {
161 struct composite_context *c;
162 struct schannel_key_state *s;
163
164 c = tevent_req_callback_data(subreq, struct composite_context);
165 s = talloc_get_type(c->private_data, struct schannel_key_state);
166
167 /* receive rpc request result - netlogon challenge */
168 c->status = dcerpc_netr_ServerReqChallenge_r_recv(subreq, s);
169 TALLOC_FREE(subreq);
170 if (!composite_is_ok(c)) return;
171
172 /* prepare credentials for auth2 request */
173 s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
174
175 /* auth2 request arguments */
176 s->a.in.server_name = s->r.in.server_name;
177 s->a.in.account_name = cli_credentials_get_username(s->credentials);
178 s->a.in.secure_channel_type =
179 cli_credentials_get_secure_channel_type(s->credentials);
180 s->a.in.computer_name = cli_credentials_get_workstation(s->credentials);
181 s->a.in.negotiate_flags = &s->local_negotiate_flags;
182 s->a.in.credentials = &s->credentials3;
183 s->a.out.negotiate_flags = &s->remote_negotiate_flags;
184 s->a.out.return_credentials = &s->credentials3;
185
186 s->creds = netlogon_creds_client_init(s,
187 s->a.in.account_name,
188 s->a.in.computer_name,
189 &s->credentials1, &s->credentials2,
190 s->mach_pwd, &s->credentials3,
191 s->local_negotiate_flags);
192 if (composite_nomem(s->creds, c)) {
193 return;
194 }
195 /*
196 authenticate on the netlogon pipe - a rpc request over secondary pipe
197 */
198 subreq = dcerpc_netr_ServerAuthenticate2_r_send(s, c->event_ctx,
199 s->pipe2->binding_handle,
200 &s->a);
201 if (composite_nomem(subreq, c)) return;
202
203 tevent_req_set_callback(subreq, continue_srv_auth2, c);
204 }
205
206
207 /*
208 Stage 6 of schannel_key: Receive authentication request result and verify
209 received credentials
210 */
211 static void continue_srv_auth2(struct tevent_req *subreq)
212 {
213 struct composite_context *c;
214 struct schannel_key_state *s;
215
216 c = tevent_req_callback_data(subreq, struct composite_context);
217 s = talloc_get_type(c->private_data, struct schannel_key_state);
218
219 /* receive rpc request result - auth2 credentials */
220 c->status = dcerpc_netr_ServerAuthenticate2_r_recv(subreq, s);
221 TALLOC_FREE(subreq);
222 if (!composite_is_ok(c)) return;
223
224 /*
225 * Strong keys could be unsupported (NT4) or disables. So retry with the
226 * flags returned by the server. - asn
227 */
228 if (NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED) &&
229 s->dcerpc_schannel_auto &&
230 (s->local_negotiate_flags & NETLOGON_NEG_STRONG_KEYS)) {
231 DEBUG(3, ("Server doesn't support strong keys, "
232 "downgrade and retry!\n"));
233 s->local_negotiate_flags = s->remote_negotiate_flags;
234
235 generate_random_buffer(s->credentials1.data,
236 sizeof(s->credentials1.data));
237
238 subreq = dcerpc_netr_ServerReqChallenge_r_send(s,
239 c->event_ctx,
240 s->pipe2->binding_handle,
241 &s->r);
242 if (composite_nomem(subreq, c)) return;
243
244 tevent_req_set_callback(subreq, continue_srv_challenge, c);
245 return;
246 }
247
248 s->creds->negotiate_flags = s->remote_negotiate_flags;
249
250 /* verify credentials */
251 if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
252 composite_error(c, NT_STATUS_UNSUCCESSFUL);
253 return;
254 }
255
256 /* setup current netlogon credentials */
257 cli_credentials_set_netlogon_creds(s->credentials, s->creds);
258
259 composite_done(c);
260 }
261
262
263 /*
264 Initiate establishing a schannel key using netlogon challenge
265 on a secondary pipe
266 */
267 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
268 struct dcerpc_pipe *p,
269 struct cli_credentials *credentials,
270 struct loadparm_context *lp_ctx)
271 {
272 struct composite_context *c;
273 struct schannel_key_state *s;
274 struct composite_context *epm_map_req;
275 enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials);
276
277 /* composite context allocation and setup */
278 c = composite_create(mem_ctx, p->conn->event_ctx);
279 if (c == NULL) return NULL;
280
281 s = talloc_zero(c, struct schannel_key_state);
282 if (composite_nomem(s, c)) return c;
283 c->private_data = s;
284
285 /* store parameters in the state structure */
286 s->pipe = p;
287 s->credentials = credentials;
288 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
289
290 /* allocate credentials */
291 /* type of authentication depends on schannel type */
292 if (schannel_type == SEC_CHAN_RODC) {
293 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_RODC_FLAGS;
294 }
295 if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
296 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
297 }
298 if (s->pipe->conn->flags & DCERPC_SCHANNEL_AUTO) {
299 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
300 s->dcerpc_schannel_auto = true;
301 }
302
303 /* allocate binding structure */
304 s->binding = talloc_zero(c, struct dcerpc_binding);
305 if (composite_nomem(s->binding, c)) return c;
306
307 *s->binding = *s->pipe->binding;
308
309 /* request the netlogon endpoint mapping */
310 epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
311 &ndr_table_netlogon,
312 s->pipe->conn->event_ctx,
313 lp_ctx);
314 if (composite_nomem(epm_map_req, c)) return c;
315
316 composite_continue(c, epm_map_req, continue_epm_map_binding, c);
317 return c;
318 }
319
320
321 /*
322 Receive result of schannel key request
323 */
324 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
325 {
326 NTSTATUS status = composite_wait(c);
327
328 talloc_free(c);
329 return status;
330 }
331
332
333 struct auth_schannel_state {
334 struct dcerpc_pipe *pipe;
335 struct cli_credentials *credentials;
336 const struct ndr_interface_table *table;
337 struct loadparm_context *lp_ctx;
338 uint8_t auth_level;
339 };
340
341
342 static void continue_bind_auth(struct composite_context *ctx);
343
344
345 /*
346 Stage 2 of auth_schannel: Receive schannel key and intitiate an
347 authenticated bind using received credentials
348 */
349 static void continue_schannel_key(struct composite_context *ctx)
350 {
351 struct composite_context *auth_req;
352 struct composite_context *c = talloc_get_type(ctx->async.private_data,
353 struct composite_context);
354 struct auth_schannel_state *s = talloc_get_type(c->private_data,
355 struct auth_schannel_state);
356 NTSTATUS status;
357
358 /* receive schannel key */
359 status = c->status = dcerpc_schannel_key_recv(ctx);
360 if (!composite_is_ok(c)) {
361 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
362 return;
363 }
364
365 /* send bind auth request with received creds */
366 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
367 lpcfg_gensec_settings(c, s->lp_ctx),
368 DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
369 NULL);
370 if (composite_nomem(auth_req, c)) return;
371
372 composite_continue(c, auth_req, continue_bind_auth, c);
373 }
374
375
376 /*
377 Stage 3 of auth_schannel: Receivce result of authenticated bind
378 and say if we're done ok.
379 */
380 static void continue_bind_auth(struct composite_context *ctx)
381 {
382 struct composite_context *c = talloc_get_type(ctx->async.private_data,
383 struct composite_context);
384
385 c->status = dcerpc_bind_auth_recv(ctx);
386 if (!composite_is_ok(c)) return;
387
388 composite_done(c);
389 }
390
391
392 /*
393 Initiate schannel authentication request
394 */
395 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
396 struct dcerpc_pipe *p,
397 const struct ndr_interface_table *table,
398 struct cli_credentials *credentials,
399 struct loadparm_context *lp_ctx,
400 uint8_t auth_level)
401 {
402 struct composite_context *c;
403 struct auth_schannel_state *s;
404 struct composite_context *schan_key_req;
405
406 /* composite context allocation and setup */
407 c = composite_create(tmp_ctx, p->conn->event_ctx);
408 if (c == NULL) return NULL;
409
410 s = talloc_zero(c, struct auth_schannel_state);
411 if (composite_nomem(s, c)) return c;
412 c->private_data = s;
413
414 /* store parameters in the state structure */
415 s->pipe = p;
416 s->credentials = credentials;
417 s->table = table;
418 s->auth_level = auth_level;
419 s->lp_ctx = lp_ctx;
420
421 /* start getting schannel key first */
422 schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
423 if (composite_nomem(schan_key_req, c)) return c;
424
425 composite_continue(c, schan_key_req, continue_schannel_key, c);
426 return c;
427 }
428
429
430 /*
431 Receive result of schannel authentication request
432 */
433 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
434 {
435 NTSTATUS status = composite_wait(c);
436
437 talloc_free(c);
438 return status;
439 }
440
441
442 /*
443 Perform schannel authenticated bind - sync version
444 */
445 _PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
446 struct dcerpc_pipe *p,
447 const struct ndr_interface_table *table,
448 struct cli_credentials *credentials,
449 struct loadparm_context *lp_ctx,
450 uint8_t auth_level)
451 {
452 struct composite_context *c;
453
454 c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
455 auth_level);
456 return dcerpc_bind_auth_schannel_recv(c);
457 }