source4/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_schannel.h"
  25 #include "auth/auth.h"
  26
  27 enum schannel_position {
  28         DCERPC_SCHANNEL_STATE_START = 0,
  29         DCERPC_SCHANNEL_STATE_UPDATE_1
  30 };
  31
  32 struct dcerpc_schannel_state {
  33         enum schannel_position state;
  34         struct schannel_state *schannel_state;
  35         struct creds_CredentialState *creds;
  36         char *account_name;
  37 };
  38
  39 /*
  40   wrappers for the schannel_*() functions
  41
  42   These will become static again, when we get dynamic registration, and
  43   decrpc_schannel_security_ops come back here.
  44 */
  45 static NTSTATUS dcerpc_schannel_unseal_packet(struct gensec_security *gensec_security,
  46                                               TALLOC_CTX *mem_ctx,
  47                                               uint8_t *data, size_t length,
  48                                               const uint8_t *whole_pdu, size_t pdu_length,
  49                                               DATA_BLOB *sig)
  50 {
  51         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
  52
  53         return schannel_unseal_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
  54 }
  55
  56 static NTSTATUS dcerpc_schannel_check_packet(struct gensec_security *gensec_security,
  57                                              TALLOC_CTX *mem_ctx,
  58                                              const uint8_t *data, size_t length,
  59                                              const uint8_t *whole_pdu, size_t pdu_length,
  60                                              const DATA_BLOB *sig)
  61 {
  62         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
  63
  64         return schannel_check_packet(dce_schan_state->schannel_state, data, length, sig);
  65 }
  66
  67 static NTSTATUS dcerpc_schannel_seal_packet(struct gensec_security *gensec_security,
  68                                             TALLOC_CTX *mem_ctx,
  69                                             uint8_t *data, size_t length,
  70                                             const uint8_t *whole_pdu, size_t pdu_length,
  71                                             DATA_BLOB *sig)
  72 {
  73         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
  74
  75         return schannel_seal_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
  76 }
  77
  78 static NTSTATUS dcerpc_schannel_sign_packet(struct gensec_security *gensec_security,
  79                                             TALLOC_CTX *mem_ctx,
  80                                             const uint8_t *data, size_t length,
  81                                             const uint8_t *whole_pdu, size_t pdu_length,
  82                                             DATA_BLOB *sig)
  83 {
  84         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
  85
  86         return schannel_sign_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
  87 }
  88
  89 static size_t dcerpc_schannel_sig_size(struct gensec_security *gensec_security)
  90 {
  91         return 32;
  92 }
  93
  94 static NTSTATUS dcerpc_schannel_session_key(struct gensec_security *gensec_security,
  95                                             DATA_BLOB *session_key)
  96 {
  97         return NT_STATUS_NOT_IMPLEMENTED;
  98 }
  99
 100 static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
 101                                        const DATA_BLOB in, DATA_BLOB *out)
 102 {
 103         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
 104         NTSTATUS status;
 105         struct schannel_bind bind_schannel;
 106         struct schannel_bind_ack bind_schannel_ack;
 107         const char *account_name;
 108         *out = data_blob(NULL, 0);
 109
 110         switch (gensec_security->gensec_role) {
 111         case GENSEC_CLIENT:
 112                 if (dce_schan_state->state != DCERPC_SCHANNEL_STATE_START) {
 113                         /* we could parse the bind ack, but we don't know what it is yet */
 114                         return NT_STATUS_OK;
 115                 }
 116
 117                 status = schannel_start(&dce_schan_state->schannel_state,
 118                                         dce_schan_state->creds->session_key,
 119                                         True);
 120                 if (!NT_STATUS_IS_OK(status)) {
 121                         DEBUG(1, ("Failed to start schannel client\n"));
 122                         return status;
 123                 }
 124                 talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
 125
 126                 bind_schannel.unknown1 = 0;
 127 #if 0
 128                 /* to support this we'd need to have access to the full domain name */
 129                 bind_schannel.bind_type = 23;
 130                 bind_schannel.u.info23.domain = gensec_security->user.domain;
 131                 bind_schannel.u.info23.account_name = gensec_security->user.name;
 132                 bind_schannel.u.info23.dnsdomain = str_format_nbt_domain(out_mem_ctx, fulldomainname);
 133                 bind_schannel.u.info23.workstation = str_format_nbt_domain(out_mem_ctx, gensec_security->user.name);
 134 #else
 135                 bind_schannel.bind_type = 3;
 136                 bind_schannel.u.info3.domain = gensec_security->user.domain;
 137                 bind_schannel.u.info3.account_name = gensec_security->user.name;
 138 #endif
 139
 140                 status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
 141                                               (ndr_push_flags_fn_t)ndr_push_schannel_bind);
 142                 if (!NT_STATUS_IS_OK(status)) {
 143                         DEBUG(3, ("Could not create schannel bind: %s\n",
 144                                   nt_errstr(status)));
 145                         return status;
 146                 }
 147
 148                 dce_schan_state->state = DCERPC_SCHANNEL_STATE_UPDATE_1;
 149
 150                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 151         case GENSEC_SERVER:
 152
 153                 if (dce_schan_state->state != DCERPC_SCHANNEL_STATE_START) {
 154                         /* no third leg on this protocol */
 155                         return NT_STATUS_INVALID_PARAMETER;
 156                 }
 157
 158                 /* parse the schannel startup blob */
 159                 status = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
 160                                               (ndr_pull_flags_fn_t)ndr_pull_schannel_bind);
 161                 if (!NT_STATUS_IS_OK(status)) {
 162                         return status;
 163                 }
 164
 165                 if (bind_schannel.bind_type == 23) {
 166                         account_name = bind_schannel.u.info23.account_name;
 167                 } else {
 168                         account_name = bind_schannel.u.info3.account_name;
 169                 }
 170
 171                 /* pull the session key for this client */
 172                 status = schannel_fetch_session_key(out_mem_ctx, account_name, &dce_schan_state->creds);
 173                 if (!NT_STATUS_IS_OK(status)) {
 174                         DEBUG(3, ("Could not find session key for attempted schannel connection on %s: %s\n",
 175                                   account_name, nt_errstr(status)));
 176                         return status;
 177                 }
 178
 179                 dce_schan_state->account_name = talloc_strdup(dce_schan_state, account_name);
 180
 181                 /* start up the schannel server code */
 182                 status = schannel_start(&dce_schan_state->schannel_state,
 183                                         dce_schan_state->creds->session_key, False);
 184                 if (!NT_STATUS_IS_OK(status)) {
 185                         DEBUG(3, ("Could not initialise schannel state for account %s: %s\n",
 186                                   account_name, nt_errstr(status)));
 187                         return status;
 188                 }
 189                 talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
 190
 191                 bind_schannel_ack.unknown1 = 1;
 192                 bind_schannel_ack.unknown2 = 0;
 193                 bind_schannel_ack.unknown3 = 0x6c0000;
 194
 195                 status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
 196                                               (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack);
 197                 if (!NT_STATUS_IS_OK(status)) {
 198                         DEBUG(3, ("Could not return schannel bind ack for account %s: %s\n",
 199                                   account_name, nt_errstr(status)));
 200                         return status;
 201                 }
 202
 203                 dce_schan_state->state = DCERPC_SCHANNEL_STATE_UPDATE_1;
 204
 205                 return NT_STATUS_OK;
 206         }
 207         return NT_STATUS_INVALID_PARAMETER;
 208 }
 209
 210 /**
 211  * Return the credentials of a logged on user, including session keys
 212  * etc.
 213  *
 214  * Only valid after a successful authentication
 215  *
 216  * May only be called once per authentication.
 217  *
 218  */
 219
 220 NTSTATUS dcerpc_schannel_session_info(struct gensec_security *gensec_security,
 221                                       struct auth_session_info **session_info)
 222 {
 223         (*session_info) = talloc(gensec_security, struct auth_session_info);
 224         NT_STATUS_HAVE_NO_MEMORY(*session_info);
 225
 226         ZERO_STRUCTP(*session_info);
 227
 228         return NT_STATUS_OK;
 229 }
 230
 231 /**
 232  * Return the struct creds_CredentialState.
 233  *
 234  * Make sure not to call this unless gensec is using schannel...
 235  */
 236
 237 NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
 238                                TALLOC_CTX *mem_ctx,
 239                                struct creds_CredentialState **creds)
 240 {
 241         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
 242
 243         *creds = talloc_reference(mem_ctx, dce_schan_state->creds);
 244         if (!*creds) {
 245                 return NT_STATUS_NO_MEMORY;
 246         }
 247         return NT_STATUS_OK;
 248 }
 249
 250
 251 /*
 252   end crypto state
 253 */
 254 static int dcerpc_schannel_destroy(void *ptr)
 255 {
 256         struct dcerpc_schannel_state *dce_schan_state = ptr;
 257
 258         schannel_end(&dce_schan_state->schannel_state);
 259
 260         return 0;
 261 }
 262
 263 static NTSTATUS dcerpc_schannel_start(struct gensec_security *gensec_security)
 264 {
 265         struct dcerpc_schannel_state *dce_schan_state;
 266
 267         dce_schan_state = talloc(gensec_security, struct dcerpc_schannel_state);
 268         if (!dce_schan_state) {
 269                 return NT_STATUS_NO_MEMORY;
 270         }
 271
 272         dce_schan_state->state = DCERPC_SCHANNEL_STATE_START;
 273         gensec_security->private_data = dce_schan_state;
 274
 275         talloc_set_destructor(dce_schan_state, dcerpc_schannel_destroy);
 276
 277         return NT_STATUS_OK;
 278 }
 279
 280 static NTSTATUS dcerpc_schannel_server_start(struct gensec_security *gensec_security)
 281 {
 282         NTSTATUS status;
 283
 284         status = dcerpc_schannel_start(gensec_security);
 285         if (!NT_STATUS_IS_OK(status)) {
 286                 return status;
 287         }
 288
 289         return NT_STATUS_OK;
 290 }
 291
 292 static NTSTATUS dcerpc_schannel_client_start(struct gensec_security *gensec_security)
 293 {
 294         NTSTATUS status;
 295
 296         status = dcerpc_schannel_start(gensec_security);
 297         if (!NT_STATUS_IS_OK(status)) {
 298                 return status;
 299         }
 300
 301         return NT_STATUS_OK;
 302 }
 303
 304
 305 /*
 306   get a schannel key using a netlogon challenge on a secondary pipe
 307 */
 308 static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
 309                                     const char *domain,
 310                                     const char *username,
 311                                     const char *password,
 312                                     int chan_type,
 313                                     struct creds_CredentialState *creds)
 314 {
 315         NTSTATUS status;
 316         struct dcerpc_pipe *p2;
 317         struct netr_ServerReqChallenge r;
 318         struct netr_ServerAuthenticate2 a;
 319         struct netr_Credential credentials1, credentials2, credentials3;
 320         struct samr_Password mach_pwd;
 321         const char *workgroup, *workstation;
 322         uint32_t negotiate_flags;
 323
 324         if (p->conn->flags & DCERPC_SCHANNEL_128) {
 325                 negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 326         } else {
 327                 negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
 328         }
 329
 330         workstation = username;
 331         workgroup = domain;
 332
 333         /*
 334           step 1 - establish a netlogon connection, with no authentication
 335         */
 336         status = dcerpc_secondary_connection(p, &p2,
 337                                              DCERPC_NETLOGON_NAME,
 338                                              DCERPC_NETLOGON_UUID,
 339                                              DCERPC_NETLOGON_VERSION);
 340         if (!NT_STATUS_IS_OK(status)) {
 341                 return status;
 342         }
 343
 344
 345         /*
 346           step 2 - request a netlogon challenge
 347         */
 348         r.in.server_name = talloc_asprintf(p, "\\\\%s", dcerpc_server_name(p));
 349         r.in.computer_name = workstation;
 350         r.in.credentials = &credentials1;
 351         r.out.credentials = &credentials2;
 352
 353         generate_random_buffer(credentials1.data, sizeof(credentials1.data));
 354
 355         status = dcerpc_netr_ServerReqChallenge(p2, p, &r);
 356         if (!NT_STATUS_IS_OK(status)) {
 357                 return status;
 358         }
 359
 360         /*
 361           step 3 - authenticate on the netlogon pipe
 362         */
 363         E_md4hash(password, mach_pwd.hash);
 364         creds_client_init(creds, &credentials1, &credentials2, &mach_pwd, &credentials3,
 365                           negotiate_flags);
 366
 367         a.in.server_name = r.in.server_name;
 368         a.in.account_name = talloc_asprintf(p, "%s$", workstation);
 369         a.in.secure_channel_type = chan_type;
 370         a.in.computer_name = workstation;
 371         a.in.negotiate_flags = &negotiate_flags;
 372         a.out.negotiate_flags = &negotiate_flags;
 373         a.in.credentials = &credentials3;
 374         a.out.credentials = &credentials3;
 375
 376         status = dcerpc_netr_ServerAuthenticate2(p2, p, &a);
 377         if (!NT_STATUS_IS_OK(status)) {
 378                 return status;
 379         }
 380
 381         if (!creds_client_check(creds, a.out.credentials)) {
 382                 return NT_STATUS_UNSUCCESSFUL;
 383         }
 384
 385         /*
 386           the schannel session key is now in creds.session_key
 387
 388           we no longer need the netlogon pipe open
 389         */
 390         dcerpc_pipe_close(p2);
 391
 392         return NT_STATUS_OK;
 393 }
 394
 395 /*
 396   do a schannel style bind on a dcerpc pipe. The username is usually
 397   of the form HOSTNAME$ and the password is the domain trust password
 398 */
 399 NTSTATUS dcerpc_bind_auth_schannel_withkey(struct dcerpc_pipe *p,
 400                                            const char *uuid, uint_t version,
 401                                            const char *domain,
 402                                            const char *username,
 403                                            const char *password,
 404                                            struct creds_CredentialState *creds)
 405 {
 406         NTSTATUS status;
 407         struct dcerpc_schannel_state *dce_schan_state;
 408
 409         status = gensec_client_start(p, &p->conn->security_state.generic_state);
 410         if (!NT_STATUS_IS_OK(status)) {
 411                 return status;
 412         }
 413
 414         status = gensec_set_username(p->conn->security_state.generic_state, username);
 415         if (!NT_STATUS_IS_OK(status)) {
 416                 DEBUG(1, ("Failed to set schannel username to %s: %s\n", username, nt_errstr(status)));
 417                 talloc_free(p->conn->security_state.generic_state);
 418                 p->conn->security_state.generic_state = NULL;
 419                 return status;
 420         }
 421
 422         status = gensec_set_domain(p->conn->security_state.generic_state, domain);
 423         if (!NT_STATUS_IS_OK(status)) {
 424                 DEBUG(1, ("Failed to set schannel domain to %s: %s\n", domain, nt_errstr(status)));
 425                 talloc_free(p->conn->security_state.generic_state);
 426                 p->conn->security_state.generic_state = NULL;
 427                 return status;
 428         }
 429
 430         status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
 431                                                DCERPC_AUTH_TYPE_SCHANNEL,
 432                                                dcerpc_auth_level(p->conn));
 433
 434         if (!NT_STATUS_IS_OK(status)) {
 435                 DEBUG(1, ("Failed to start SCHANNEL GENSEC backend: %s\n", nt_errstr(status)));
 436                 talloc_free(p->conn->security_state.generic_state);
 437                 p->conn->security_state.generic_state = NULL;
 438                 return status;
 439         }
 440
 441         dce_schan_state = p->conn->security_state.generic_state->private_data;
 442         dce_schan_state->creds = talloc_reference(dce_schan_state, creds);
 443
 444         status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p->conn),
 445                                   uuid, version);
 446
 447         if (!NT_STATUS_IS_OK(status)) {
 448                 DEBUG(1, ("Failed to bind to pipe with SCHANNEL: %s\n", nt_errstr(status)));
 449                 talloc_free(p->conn->security_state.generic_state);
 450                 p->conn->security_state.generic_state = NULL;
 451                 return status;
 452         }
 453
 454         return NT_STATUS_OK;
 455 }
 456
 457 NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
 458                                    const char *uuid, uint_t version,
 459                                    const char *domain,
 460                                    const char *username,
 461                                    const char *password)
 462 {
 463         NTSTATUS status;
 464         int chan_type = 0;
 465         struct creds_CredentialState *creds;
 466         creds = talloc(p, struct creds_CredentialState);
 467         if (!creds) {
 468                 return NT_STATUS_NO_MEMORY;
 469         }
 470
 471         if (p->conn->flags & DCERPC_SCHANNEL_BDC) {
 472                 chan_type = SEC_CHAN_BDC;
 473         } else if (p->conn->flags & DCERPC_SCHANNEL_WORKSTATION) {
 474                 chan_type = SEC_CHAN_WKSTA;
 475         } else if (p->conn->flags & DCERPC_SCHANNEL_DOMAIN) {
 476                 chan_type = SEC_CHAN_DOMAIN;
 477         }
 478
 479         status = dcerpc_schannel_key(p, domain,
 480                                      username,
 481                                      password,
 482                                      chan_type,
 483                                      creds);
 484
 485         if (!NT_STATUS_IS_OK(status)) {
 486                 DEBUG(1, ("Failed to fetch schannel session key: %s\n",
 487                           nt_errstr(status)));
 488                 return status;
 489         }
 490
 491         return dcerpc_bind_auth_schannel_withkey(p, uuid, version, domain,
 492                                                  username, password,
 493                                                  creds);
 494 }
 495
 496 static BOOL dcerpc_schannel_have_feature(struct gensec_security *gensec_security,
 497                                           uint32_t feature)
 498 {
 499         if (feature & (GENSEC_FEATURE_SESSION_KEY |
 500                        GENSEC_FEATURE_SIGN |
 501                        GENSEC_FEATURE_SEAL)) {
 502                 return True;
 503         }
 504         return False;
 505 }
 506
 507
 508 static const struct gensec_security_ops gensec_dcerpc_schannel_security_ops = {
 509         .name           = "dcerpc_schannel",
 510         .auth_type      = DCERPC_AUTH_TYPE_SCHANNEL,
 511         .client_start   = dcerpc_schannel_client_start,
 512         .server_start   = dcerpc_schannel_server_start,
 513         .update         = dcerpc_schannel_update,
 514         .seal_packet    = dcerpc_schannel_seal_packet,
 515         .sign_packet    = dcerpc_schannel_sign_packet,
 516         .check_packet   = dcerpc_schannel_check_packet,
 517         .unseal_packet  = dcerpc_schannel_unseal_packet,
 518         .session_key    = dcerpc_schannel_session_key,
 519         .session_info   = dcerpc_schannel_session_info,
 520         .sig_size       = dcerpc_schannel_sig_size,
 521         .have_feature   = dcerpc_schannel_have_feature,
 522         .enabled        = True
 523 };
 524
 525 NTSTATUS gensec_dcerpc_schannel_init(void)
 526 {
 527         NTSTATUS ret;
 528         ret = gensec_register(&gensec_dcerpc_schannel_security_ops);
 529         if (!NT_STATUS_IS_OK(ret)) {
 530                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
 531                         gensec_dcerpc_schannel_security_ops.name));
 532                 return ret;
 533         }
 534
 535         return ret;
 536 }