source4/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24
  25 /*
  26   wrappers for the schannel_*() functions
  27 */
  28 static NTSTATUS schan_unseal_packet(struct dcerpc_security *dcerpc_security,
  29                                     TALLOC_CTX *mem_ctx,
  30                                     uint8_t *data, size_t length, DATA_BLOB *sig)
  31 {
  32         struct schannel_state *schannel_state = dcerpc_security->private;
  33         return schannel_unseal_packet(schannel_state, mem_ctx, data, length, sig);
  34 }
  35
  36 static NTSTATUS schan_check_packet(struct dcerpc_security *dcerpc_security,
  37                                    TALLOC_CTX *mem_ctx,
  38                                    const uint8_t *data, size_t length,
  39                                    const DATA_BLOB *sig)
  40 {
  41         struct schannel_state *schannel_state = dcerpc_security->private;
  42         return schannel_check_packet(schannel_state, data, length, sig);
  43 }
  44
  45 static NTSTATUS schan_seal_packet(struct dcerpc_security *dcerpc_security,
  46                                   TALLOC_CTX *mem_ctx,
  47                                   uint8_t *data, size_t length,
  48                                   DATA_BLOB *sig)
  49 {
  50         struct schannel_state *schannel_state = dcerpc_security->private;
  51         return schannel_seal_packet(schannel_state, mem_ctx, data, length, sig);
  52 }
  53
  54 static NTSTATUS schan_sign_packet(struct dcerpc_security *dcerpc_security,
  55                                  TALLOC_CTX *mem_ctx,
  56                                  const uint8_t *data, size_t length,
  57                                  DATA_BLOB *sig)
  58 {
  59         struct schannel_state *schannel_state = dcerpc_security->private;
  60         return schannel_sign_packet(schannel_state, mem_ctx, data, length, sig);
  61 }
  62
  63 static NTSTATUS schan_session_key(struct dcerpc_security *dcerpc_security,
  64                                   DATA_BLOB *session_key)
  65 {
  66         return NT_STATUS_NOT_IMPLEMENTED;
  67 }
  68
  69 static void schan_security_end(struct dcerpc_security *dcerpc_security)
  70 {
  71         struct schannel_state *schannel_state = dcerpc_security->private;
  72         schannel_end(&schannel_state);
  73 }
  74
  75
  76 /*
  77   get a schannel key using a netlogon challenge on a secondary pipe
  78 */
  79 NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
  80                              const char *domain,
  81                              const char *username,
  82                              const char *password,
  83                              int chan_type,
  84                              uint8_t new_session_key[8])
  85 {
  86         NTSTATUS status;
  87         struct dcerpc_pipe *p2;
  88         struct netr_ServerReqChallenge r;
  89         struct netr_ServerAuthenticate2 a;
  90         struct netr_Credential credentials1, credentials2, credentials3;
  91         uint8_t mach_pwd[16];
  92         struct creds_CredentialState creds;
  93         const char *workgroup, *workstation;
  94         uint32_t negotiate_flags = 0;
  95
  96         workstation = username;
  97         workgroup = domain;
  98
  99         /*
 100           step 1 - establish a netlogon connection, with no authentication
 101         */
 102         status = dcerpc_secondary_smb(p, &p2,
 103                                       DCERPC_NETLOGON_NAME,
 104                                       DCERPC_NETLOGON_UUID,
 105                                       DCERPC_NETLOGON_VERSION);
 106
 107
 108         /*
 109           step 2 - request a netlogon challenge
 110         */
 111         r.in.server_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dcerpc_server_name(p));
 112         r.in.computer_name = workstation;
 113         r.in.credentials = &credentials1;
 114         r.out.credentials = &credentials2;
 115
 116         generate_random_buffer(credentials1.data, sizeof(credentials1.data), False);
 117
 118         status = dcerpc_netr_ServerReqChallenge(p2, p->mem_ctx, &r);
 119         if (!NT_STATUS_IS_OK(status)) {
 120                 return status;
 121         }
 122
 123         /*
 124           step 3 - authenticate on the netlogon pipe
 125         */
 126         E_md4hash(password, mach_pwd);
 127         creds_client_init(&creds, &credentials1, &credentials2, mach_pwd, &credentials3);
 128
 129         a.in.server_name = r.in.server_name;
 130         a.in.username = talloc_asprintf(p->mem_ctx, "%s$", workstation);
 131         a.in.secure_channel_type = chan_type;
 132         a.in.computer_name = workstation;
 133         a.in.negotiate_flags = &negotiate_flags;
 134         a.out.negotiate_flags = &negotiate_flags;
 135         a.in.credentials = &credentials3;
 136         a.out.credentials = &credentials3;
 137
 138         status = dcerpc_netr_ServerAuthenticate2(p2, p->mem_ctx, &a);
 139         if (!NT_STATUS_IS_OK(status)) {
 140                 return status;
 141         }
 142
 143         if (!creds_client_check(&creds, a.out.credentials)) {
 144                 return NT_STATUS_UNSUCCESSFUL;
 145         }
 146
 147         /*
 148           the schannel session key is now in creds.session_key
 149
 150           we no longer need the netlogon pipe open
 151         */
 152         dcerpc_pipe_close(p2);
 153
 154         memcpy(new_session_key, creds.session_key, 8);
 155
 156         return NT_STATUS_OK;
 157 }
 158
 159
 160 /*
 161   do a schannel style bind on a dcerpc pipe with the given schannel
 162   key. The username is usually of the form HOSTNAME$ and the password
 163   is the domain trust password
 164 */
 165 NTSTATUS dcerpc_bind_auth_schannel_key(struct dcerpc_pipe *p,
 166                                        const char *uuid, unsigned version,
 167                                        const char *domain,
 168                                        const char *username,
 169                                        const uint8_t session_key[8])
 170 {
 171         NTSTATUS status;
 172         uint8_t full_session_key[16];
 173         struct schannel_state *schannel_state;
 174         const char *workgroup, *workstation;
 175
 176         memcpy(full_session_key, session_key, 8);
 177         memset(full_session_key+8, 0, 8);
 178
 179         workstation = username;
 180         workgroup = domain;
 181
 182         /*
 183           perform a bind with security type schannel
 184         */
 185         p->auth_info = talloc(p->mem_ctx, sizeof(*p->auth_info));
 186         if (!p->auth_info) {
 187                 status = NT_STATUS_NO_MEMORY;
 188                 goto done;
 189         }
 190
 191         p->auth_info->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
 192
 193         if (p->flags & DCERPC_SEAL) {
 194                 p->auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
 195         } else {
 196                 /* note that DCERPC_AUTH_LEVEL_NONE does not make any
 197                    sense, and would be rejected by the server */
 198                 p->auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
 199         }
 200         p->auth_info->auth_pad_length = 0;
 201         p->auth_info->auth_reserved = 0;
 202         p->auth_info->auth_context_id = random();
 203         p->security_state = NULL;
 204
 205         p->auth_info->credentials = data_blob_talloc(p->mem_ctx,
 206                                                      NULL,
 207                                                      8 +
 208                                                      strlen(workgroup)+1 +
 209                                                      strlen(workstation)+1);
 210         if (!p->auth_info->credentials.data) {
 211                 return NT_STATUS_NO_MEMORY;
 212         }
 213
 214         /* oh, this is ugly! */
 215         SIVAL(p->auth_info->credentials.data, 0, 0);
 216         SIVAL(p->auth_info->credentials.data, 4, 3);
 217         memcpy(p->auth_info->credentials.data+8, workgroup, strlen(workgroup)+1);
 218         memcpy(p->auth_info->credentials.data+8+strlen(workgroup)+1,
 219                workstation, strlen(workstation)+1);
 220
 221         /* send the authenticated bind request */
 222         status = dcerpc_bind_byuuid(p, p->mem_ctx, uuid, version);
 223         if (!NT_STATUS_IS_OK(status)) {
 224                 goto done;
 225         }
 226
 227         p->security_state = talloc_p(p->mem_ctx, struct dcerpc_security);
 228         if (!p->security_state) {
 229                 status = NT_STATUS_NO_MEMORY;
 230                 goto done;
 231         }
 232
 233         schannel_state = talloc_p(p->mem_ctx, struct schannel_state);
 234         if (!schannel_state) {
 235                 status = NT_STATUS_NO_MEMORY;
 236                 goto done;
 237         }
 238
 239         status = schannel_start(&schannel_state, full_session_key, True);
 240         if (!NT_STATUS_IS_OK(status)) {
 241                 goto done;
 242         }
 243
 244         dump_data_pw("session key:\n", schannel_state->session_key, 16);
 245
 246         p->security_state->private = schannel_state;
 247         p->security_state->unseal_packet = schan_unseal_packet;
 248         p->security_state->check_packet = schan_check_packet;
 249         p->security_state->seal_packet = schan_seal_packet;
 250         p->security_state->sign_packet = schan_sign_packet;
 251         p->security_state->session_key = schan_session_key;
 252         p->security_state->security_end = schan_security_end;
 253
 254 done:
 255         return status;
 256 }
 257
 258
 259 /*
 260   do a schannel style bind on a dcerpc pipe. The username is usually
 261   of the form HOSTNAME$ and the password is the domain trust password
 262 */
 263 NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
 264                                    const char *uuid, unsigned version,
 265                                    const char *domain,
 266                                    const char *username,
 267                                    const char *password)
 268 {
 269         NTSTATUS status;
 270         uint8_t session_key[8];
 271
 272         status = dcerpc_schannel_key(p, domain, username, password,
 273                                      lp_server_role() == ROLE_DOMAIN_BDC? SEC_CHAN_BDC:SEC_CHAN_WKSTA,
 274                                      session_key);
 275         if (!NT_STATUS_IS_OK(status)) {
 276                 return status;
 277         }
 278
 279         status = dcerpc_bind_auth_schannel_key(p, uuid, version, domain, username, session_key);
 280
 281         return status;
 282 }
 283