2 Unix SMB/CIFS implementation.
4 dcerpc schannel operations
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "auth/auth.h"
27 #include "libcli/composite/composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "librpc/gen_ndr/ndr_netlogon.h"
30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
31 #include "auth/credentials/credentials.h"
32 #include "librpc/rpc/dcerpc_proto.h"
33 #include "param/param.h"
35 struct schannel_key_state
{
36 struct dcerpc_pipe
*pipe
;
37 struct dcerpc_pipe
*pipe2
;
38 struct dcerpc_binding
*binding
;
39 bool dcerpc_schannel_auto
;
40 struct cli_credentials
*credentials
;
41 struct netlogon_creds_CredentialState
*creds
;
42 uint32_t local_negotiate_flags
;
43 uint32_t remote_negotiate_flags
;
44 struct netr_Credential credentials1
;
45 struct netr_Credential credentials2
;
46 struct netr_Credential credentials3
;
47 struct netr_ServerReqChallenge r
;
48 struct netr_ServerAuthenticate2 a
;
49 const struct samr_Password
*mach_pwd
;
53 static void continue_secondary_connection(struct composite_context
*ctx
);
54 static void continue_bind_auth_none(struct composite_context
*ctx
);
55 static void continue_srv_challenge(struct tevent_req
*subreq
);
56 static void continue_srv_auth2(struct tevent_req
*subreq
);
60 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
63 static void continue_epm_map_binding(struct composite_context
*ctx
)
65 struct composite_context
*c
;
66 struct schannel_key_state
*s
;
67 struct composite_context
*sec_conn_req
;
69 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
70 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
72 /* receive endpoint mapping */
73 c
->status
= dcerpc_epm_map_binding_recv(ctx
);
74 if (!NT_STATUS_IS_OK(c
->status
)) {
75 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
76 NDR_NETLOGON_UUID
, nt_errstr(c
->status
)));
77 composite_error(c
, c
->status
);
81 /* send a request for secondary rpc connection */
82 sec_conn_req
= dcerpc_secondary_connection_send(s
->pipe
,
84 if (composite_nomem(sec_conn_req
, c
)) return;
86 composite_continue(c
, sec_conn_req
, continue_secondary_connection
, c
);
91 Stage 3 of schannel_key: Receive secondary rpc connection and perform
92 non-authenticated bind request
94 static void continue_secondary_connection(struct composite_context
*ctx
)
96 struct composite_context
*c
;
97 struct schannel_key_state
*s
;
98 struct composite_context
*auth_none_req
;
100 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
101 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
103 /* receive secondary rpc connection */
104 c
->status
= dcerpc_secondary_connection_recv(ctx
, &s
->pipe2
);
105 if (!composite_is_ok(c
)) return;
107 talloc_steal(s
, s
->pipe2
);
109 /* initiate a non-authenticated bind */
110 auth_none_req
= dcerpc_bind_auth_none_send(c
, s
->pipe2
, &ndr_table_netlogon
);
111 if (composite_nomem(auth_none_req
, c
)) return;
113 composite_continue(c
, auth_none_req
, continue_bind_auth_none
, c
);
118 Stage 4 of schannel_key: Receive non-authenticated bind and get
121 static void continue_bind_auth_none(struct composite_context
*ctx
)
123 struct composite_context
*c
;
124 struct schannel_key_state
*s
;
125 struct tevent_req
*subreq
;
127 c
= talloc_get_type(ctx
->async
.private_data
, struct composite_context
);
128 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
130 /* receive result of non-authenticated bind request */
131 c
->status
= dcerpc_bind_auth_none_recv(ctx
);
132 if (!composite_is_ok(c
)) return;
134 /* prepare a challenge request */
135 s
->r
.in
.server_name
= talloc_asprintf(c
, "\\\\%s", dcerpc_server_name(s
->pipe
));
136 if (composite_nomem(s
->r
.in
.server_name
, c
)) return;
137 s
->r
.in
.computer_name
= cli_credentials_get_workstation(s
->credentials
);
138 s
->r
.in
.credentials
= &s
->credentials1
;
139 s
->r
.out
.return_credentials
= &s
->credentials2
;
141 generate_random_buffer(s
->credentials1
.data
, sizeof(s
->credentials1
.data
));
144 request a netlogon challenge - a rpc request over opened secondary pipe
146 subreq
= dcerpc_netr_ServerReqChallenge_r_send(s
, c
->event_ctx
,
147 s
->pipe2
->binding_handle
,
149 if (composite_nomem(subreq
, c
)) return;
151 tevent_req_set_callback(subreq
, continue_srv_challenge
, c
);
156 Stage 5 of schannel_key: Receive a challenge and perform authentication
159 static void continue_srv_challenge(struct tevent_req
*subreq
)
161 struct composite_context
*c
;
162 struct schannel_key_state
*s
;
164 c
= tevent_req_callback_data(subreq
, struct composite_context
);
165 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
167 /* receive rpc request result - netlogon challenge */
168 c
->status
= dcerpc_netr_ServerReqChallenge_r_recv(subreq
, s
);
170 if (!composite_is_ok(c
)) return;
172 /* prepare credentials for auth2 request */
173 s
->mach_pwd
= cli_credentials_get_nt_hash(s
->credentials
, c
);
175 /* auth2 request arguments */
176 s
->a
.in
.server_name
= s
->r
.in
.server_name
;
177 s
->a
.in
.account_name
= cli_credentials_get_username(s
->credentials
);
178 s
->a
.in
.secure_channel_type
=
179 cli_credentials_get_secure_channel_type(s
->credentials
);
180 s
->a
.in
.computer_name
= cli_credentials_get_workstation(s
->credentials
);
181 s
->a
.in
.negotiate_flags
= &s
->local_negotiate_flags
;
182 s
->a
.in
.credentials
= &s
->credentials3
;
183 s
->a
.out
.negotiate_flags
= &s
->remote_negotiate_flags
;
184 s
->a
.out
.return_credentials
= &s
->credentials3
;
186 s
->creds
= netlogon_creds_client_init(s
,
187 s
->a
.in
.account_name
,
188 s
->a
.in
.computer_name
,
189 &s
->credentials1
, &s
->credentials2
,
190 s
->mach_pwd
, &s
->credentials3
,
191 s
->local_negotiate_flags
);
192 if (composite_nomem(s
->creds
, c
)) {
196 authenticate on the netlogon pipe - a rpc request over secondary pipe
198 subreq
= dcerpc_netr_ServerAuthenticate2_r_send(s
, c
->event_ctx
,
199 s
->pipe2
->binding_handle
,
201 if (composite_nomem(subreq
, c
)) return;
203 tevent_req_set_callback(subreq
, continue_srv_auth2
, c
);
208 Stage 6 of schannel_key: Receive authentication request result and verify
211 static void continue_srv_auth2(struct tevent_req
*subreq
)
213 struct composite_context
*c
;
214 struct schannel_key_state
*s
;
216 c
= tevent_req_callback_data(subreq
, struct composite_context
);
217 s
= talloc_get_type(c
->private_data
, struct schannel_key_state
);
219 /* receive rpc request result - auth2 credentials */
220 c
->status
= dcerpc_netr_ServerAuthenticate2_r_recv(subreq
, s
);
222 if (!composite_is_ok(c
)) return;
225 * Strong keys could be unsupported (NT4) or disables. So retry with the
226 * flags returned by the server. - asn
228 if (NT_STATUS_EQUAL(s
->a
.out
.result
, NT_STATUS_ACCESS_DENIED
) &&
229 s
->dcerpc_schannel_auto
&&
230 (s
->local_negotiate_flags
& NETLOGON_NEG_STRONG_KEYS
)) {
231 DEBUG(3, ("Server doesn't support strong keys, "
232 "downgrade and retry!\n"));
233 s
->local_negotiate_flags
= s
->remote_negotiate_flags
;
235 generate_random_buffer(s
->credentials1
.data
,
236 sizeof(s
->credentials1
.data
));
238 subreq
= dcerpc_netr_ServerReqChallenge_r_send(s
,
240 s
->pipe2
->binding_handle
,
242 if (composite_nomem(subreq
, c
)) return;
244 tevent_req_set_callback(subreq
, continue_srv_challenge
, c
);
248 s
->creds
->negotiate_flags
= s
->remote_negotiate_flags
;
250 /* verify credentials */
251 if (!netlogon_creds_client_check(s
->creds
, s
->a
.out
.return_credentials
)) {
252 composite_error(c
, NT_STATUS_UNSUCCESSFUL
);
256 /* setup current netlogon credentials */
257 cli_credentials_set_netlogon_creds(s
->credentials
, s
->creds
);
264 Initiate establishing a schannel key using netlogon challenge
267 struct composite_context
*dcerpc_schannel_key_send(TALLOC_CTX
*mem_ctx
,
268 struct dcerpc_pipe
*p
,
269 struct cli_credentials
*credentials
,
270 struct loadparm_context
*lp_ctx
)
272 struct composite_context
*c
;
273 struct schannel_key_state
*s
;
274 struct composite_context
*epm_map_req
;
275 enum netr_SchannelType schannel_type
= cli_credentials_get_secure_channel_type(credentials
);
277 /* composite context allocation and setup */
278 c
= composite_create(mem_ctx
, p
->conn
->event_ctx
);
279 if (c
== NULL
) return NULL
;
281 s
= talloc_zero(c
, struct schannel_key_state
);
282 if (composite_nomem(s
, c
)) return c
;
285 /* store parameters in the state structure */
287 s
->credentials
= credentials
;
288 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_FLAGS
;
290 /* allocate credentials */
291 /* type of authentication depends on schannel type */
292 if (schannel_type
== SEC_CHAN_RODC
) {
293 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_RODC_FLAGS
;
295 if (s
->pipe
->conn
->flags
& DCERPC_SCHANNEL_128
) {
296 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_ADS_FLAGS
;
298 if (s
->pipe
->conn
->flags
& DCERPC_SCHANNEL_AUTO
) {
299 s
->local_negotiate_flags
= NETLOGON_NEG_AUTH2_ADS_FLAGS
;
300 s
->dcerpc_schannel_auto
= true;
303 /* allocate binding structure */
304 s
->binding
= talloc_zero(c
, struct dcerpc_binding
);
305 if (composite_nomem(s
->binding
, c
)) return c
;
307 *s
->binding
= *s
->pipe
->binding
;
309 /* request the netlogon endpoint mapping */
310 epm_map_req
= dcerpc_epm_map_binding_send(c
, s
->binding
,
312 s
->pipe
->conn
->event_ctx
,
314 if (composite_nomem(epm_map_req
, c
)) return c
;
316 composite_continue(c
, epm_map_req
, continue_epm_map_binding
, c
);
322 Receive result of schannel key request
324 NTSTATUS
dcerpc_schannel_key_recv(struct composite_context
*c
)
326 NTSTATUS status
= composite_wait(c
);
333 struct auth_schannel_state
{
334 struct dcerpc_pipe
*pipe
;
335 struct cli_credentials
*credentials
;
336 const struct ndr_interface_table
*table
;
337 struct loadparm_context
*lp_ctx
;
342 static void continue_bind_auth(struct composite_context
*ctx
);
346 Stage 2 of auth_schannel: Receive schannel key and intitiate an
347 authenticated bind using received credentials
349 static void continue_schannel_key(struct composite_context
*ctx
)
351 struct composite_context
*auth_req
;
352 struct composite_context
*c
= talloc_get_type(ctx
->async
.private_data
,
353 struct composite_context
);
354 struct auth_schannel_state
*s
= talloc_get_type(c
->private_data
,
355 struct auth_schannel_state
);
358 /* receive schannel key */
359 status
= c
->status
= dcerpc_schannel_key_recv(ctx
);
360 if (!composite_is_ok(c
)) {
361 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status
)));
365 /* send bind auth request with received creds */
366 auth_req
= dcerpc_bind_auth_send(c
, s
->pipe
, s
->table
, s
->credentials
,
367 lpcfg_gensec_settings(c
, s
->lp_ctx
),
368 DCERPC_AUTH_TYPE_SCHANNEL
, s
->auth_level
,
370 if (composite_nomem(auth_req
, c
)) return;
372 composite_continue(c
, auth_req
, continue_bind_auth
, c
);
377 Stage 3 of auth_schannel: Receivce result of authenticated bind
378 and say if we're done ok.
380 static void continue_bind_auth(struct composite_context
*ctx
)
382 struct composite_context
*c
= talloc_get_type(ctx
->async
.private_data
,
383 struct composite_context
);
385 c
->status
= dcerpc_bind_auth_recv(ctx
);
386 if (!composite_is_ok(c
)) return;
393 Initiate schannel authentication request
395 struct composite_context
*dcerpc_bind_auth_schannel_send(TALLOC_CTX
*tmp_ctx
,
396 struct dcerpc_pipe
*p
,
397 const struct ndr_interface_table
*table
,
398 struct cli_credentials
*credentials
,
399 struct loadparm_context
*lp_ctx
,
402 struct composite_context
*c
;
403 struct auth_schannel_state
*s
;
404 struct composite_context
*schan_key_req
;
406 /* composite context allocation and setup */
407 c
= composite_create(tmp_ctx
, p
->conn
->event_ctx
);
408 if (c
== NULL
) return NULL
;
410 s
= talloc_zero(c
, struct auth_schannel_state
);
411 if (composite_nomem(s
, c
)) return c
;
414 /* store parameters in the state structure */
416 s
->credentials
= credentials
;
418 s
->auth_level
= auth_level
;
421 /* start getting schannel key first */
422 schan_key_req
= dcerpc_schannel_key_send(c
, p
, credentials
, lp_ctx
);
423 if (composite_nomem(schan_key_req
, c
)) return c
;
425 composite_continue(c
, schan_key_req
, continue_schannel_key
, c
);
431 Receive result of schannel authentication request
433 NTSTATUS
dcerpc_bind_auth_schannel_recv(struct composite_context
*c
)
435 NTSTATUS status
= composite_wait(c
);
443 Perform schannel authenticated bind - sync version
445 _PUBLIC_ NTSTATUS
dcerpc_bind_auth_schannel(TALLOC_CTX
*tmp_ctx
,
446 struct dcerpc_pipe
*p
,
447 const struct ndr_interface_table
*table
,
448 struct cli_credentials
*credentials
,
449 struct loadparm_context
*lp_ctx
,
452 struct composite_context
*c
;
454 c
= dcerpc_bind_auth_schannel_send(tmp_ctx
, p
, table
, credentials
, lp_ctx
,
456 return dcerpc_bind_auth_schannel_recv(c
);