git.samba.org / nivanova / samba-autobuild / .git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
r5902: A rather large change...
[nivanova/samba-autobuild/.git] / source4 / librpc / rpc / dcerpc_schannel.c
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index d6fc7ad5116db1a6a7bed9657a863f7a4f9497c0..170ddee1f300545135d53e802c73ff561c243288 100644 (file)
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -22,6 +22,7 @@
 
 #include "includes.h"
 #include "librpc/gen_ndr/ndr_schannel.h"
+#include "auth/auth.h"
 
 enum schannel_position {
        DCERPC_SCHANNEL_STATE_START = 0,
@@ -31,17 +32,9 @@ enum schannel_position {
 struct dcerpc_schannel_state {
        enum schannel_position state;
        struct schannel_state *schannel_state;
-       struct creds_CredentialState creds;
-       char *account_name;
+       struct creds_CredentialState *creds;
 };
 
-static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
-                                   const char *domain,
-                                   const char *username,
-                                   const char *password,
-                                   int chan_type,
-                                   uint8_t new_session_key[16]);
-
 /*
   wrappers for the schannel_*() functions
 
@@ -110,7 +103,8 @@ static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security,
        NTSTATUS status;
        struct schannel_bind bind_schannel;
        struct schannel_bind_ack bind_schannel_ack;
-       const char *account_name;
+       const char *workstation;
+       const char *domain;
        *out = data_blob(NULL, 0);
 
        switch (gensec_security->gensec_role) {
@@ -120,6 +114,16 @@ static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security,
                        return NT_STATUS_OK;
                }
                
+               status = schannel_start(dce_schan_state,
+                                       &dce_schan_state->schannel_state, 
+                                       dce_schan_state->creds->session_key,
+                                       True);
+               if (!NT_STATUS_IS_OK(status)) {
+                       DEBUG(1, ("Failed to start schannel client\n"));
+                       return status;
+               }
+               talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
+       
                bind_schannel.unknown1 = 0;
 #if 0
                /* to support this we'd need to have access to the full domain name */
@@ -127,11 +131,11 @@ static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security,
                bind_schannel.u.info23.domain = gensec_security->user.domain;
                bind_schannel.u.info23.account_name = gensec_security->user.name;
                bind_schannel.u.info23.dnsdomain = str_format_nbt_domain(out_mem_ctx, fulldomainname);
-               bind_schannel.u.info23.workstation = str_format_nbt_domain(out_mem_ctx, gensec_security->user.name);
+               bind_schannel.u.info23.workstation = str_format_nbt_domain(out_mem_ctx, gensec_get_workstation(gensec_security));
 #else
                bind_schannel.bind_type = 3;
                bind_schannel.u.info3.domain = gensec_security->user.domain;
-               bind_schannel.u.info3.account_name = gensec_security->user.name;
+               bind_schannel.u.info3.workstation = gensec_get_workstation(gensec_security);
 #endif
                
                status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
@@ -160,27 +164,29 @@ static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security,
                }
                
                if (bind_schannel.bind_type == 23) {
-                       account_name = bind_schannel.u.info23.account_name;
+                       workstation = bind_schannel.u.info23.workstation;
+                       domain = bind_schannel.u.info23.domain;
                } else {
-                       account_name = bind_schannel.u.info3.account_name;
+                       workstation = bind_schannel.u.info3.workstation;
+                       domain = bind_schannel.u.info3.domain;
                }
                
                /* pull the session key for this client */
-               status = schannel_fetch_session_key(out_mem_ctx, account_name, &dce_schan_state->creds);
+               status = schannel_fetch_session_key(out_mem_ctx, workstation, 
+                                                   domain, &dce_schan_state->creds);
                if (!NT_STATUS_IS_OK(status)) {
-                       DEBUG(3, ("Could not find session key for attempted schannel connection on %s: %s\n",
-                                 account_name, nt_errstr(status)));
+                       DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
+                                 workstation, nt_errstr(status)));
                        return status;
                }
 
-               dce_schan_state->account_name = talloc_strdup(dce_schan_state, account_name);
-               
                /* start up the schannel server code */
-               status = schannel_start(&dce_schan_state->schannel_state, 
-                                       dce_schan_state->creds.session_key, False);
+               status = schannel_start(dce_schan_state,
+                                       &dce_schan_state->schannel_state, 
+                                       dce_schan_state->creds->session_key, False);
                if (!NT_STATUS_IS_OK(status)) {
-                       DEBUG(3, ("Could not initialise schannel state for account %s: %s\n",
-                                 account_name, nt_errstr(status)));
+                       DEBUG(3, ("Could not initialise schannel state from client %s: %s\n",
+                                 workstation, nt_errstr(status)));
                        return status;
                }
                talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
@@ -192,8 +198,8 @@ static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security,
                status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack, 
                                              (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack);
                if (!NT_STATUS_IS_OK(status)) {
-                       DEBUG(3, ("Could not return schannel bind ack for account %s: %s\n",
-                                 account_name, nt_errstr(status)));
+                       DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
+                                 workstation, nt_errstr(status)));
                        return status;
                }
 
@@ -216,25 +222,14 @@ static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security,
 
 NTSTATUS dcerpc_schannel_session_info(struct gensec_security *gensec_security,
                                      struct auth_session_info **session_info)
-{ 
-       struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
-
-       (*session_info) = talloc_p(gensec_security, struct auth_session_info);
-       if (*session_info == NULL) {
-               return NT_STATUS_NO_MEMORY;
-       }
+{
+       (*session_info) = talloc(gensec_security, struct auth_session_info);
+       NT_STATUS_HAVE_NO_MEMORY(*session_info);
 
        ZERO_STRUCTP(*session_info);
-       (*session_info)->refcount = 1;
-       
-       (*session_info)->workstation = talloc_strdup(*session_info, dce_schan_state->account_name);
-       if ((*session_info)->workstation == NULL) {
-               talloc_free(*session_info);
-               return NT_STATUS_NO_MEMORY;
-       }
+
        return NT_STATUS_OK;
 }
-               
 
 /**
  * Return the struct creds_CredentialState.
@@ -248,12 +243,10 @@ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
 { 
        struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
 
-       *creds = talloc_p(mem_ctx, struct creds_CredentialState);
+       *creds = talloc_reference(mem_ctx, dce_schan_state->creds);
        if (!*creds) {
                return NT_STATUS_NO_MEMORY;
        }
-
-       **creds = dce_schan_state->creds;
        return NT_STATUS_OK;
 }
                
@@ -262,111 +255,109 @@ static NTSTATUS dcerpc_schannel_start(struct gensec_security *gensec_security)
 {
        struct dcerpc_schannel_state *dce_schan_state;
 
-       dce_schan_state = talloc_p(gensec_security, struct dcerpc_schannel_state);
+       dce_schan_state = talloc(gensec_security, struct dcerpc_schannel_state);
        if (!dce_schan_state) {
                return NT_STATUS_NO_MEMORY;
        }
 
        dce_schan_state->state = DCERPC_SCHANNEL_STATE_START;
        gensec_security->private_data = dce_schan_state;
-       
+
        return NT_STATUS_OK;
 }
 
 static NTSTATUS dcerpc_schannel_server_start(struct gensec_security *gensec_security) 
 {
        NTSTATUS status;
-       struct dcerpc_schannel_state *dce_schan_state;
 
        status = dcerpc_schannel_start(gensec_security);
-
-       dce_schan_state = gensec_security->private_data;
-       dce_schan_state->schannel_state = NULL;
-
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
+
        return NT_STATUS_OK;
 }
 
 static NTSTATUS dcerpc_schannel_client_start(struct gensec_security *gensec_security) 
 {
        NTSTATUS status;
-       struct dcerpc_schannel_state *dce_schan_state;
 
        status = dcerpc_schannel_start(gensec_security);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
-       dce_schan_state = gensec_security->private_data;
-
-       status = schannel_start(&dce_schan_state->schannel_state, 
-                               gensec_security->user.schan_session_key, 
-                               True);
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Failed to start schannel client\n"));
-               return status;
-       }
-       talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
 
        return NT_STATUS_OK;
 }
 
-/*
-  end crypto state
-*/
-static void dcerpc_schannel_end(struct gensec_security *gensec_security)
-{
-       struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
-
-       schannel_end(&dce_schan_state->schannel_state);
-
-       talloc_free(dce_schan_state);
-
-       gensec_security->private_data = NULL;
-}
-
 
 /*
   get a schannel key using a netlogon challenge on a secondary pipe
 */
 static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
+                                   const char *workstation,
                                    const char *domain,
                                    const char *username,
                                    const char *password,
                                    int chan_type,
-                                   uint8_t new_session_key[16])
+                                   struct creds_CredentialState *creds)
 {
        NTSTATUS status;
+       struct dcerpc_binding *b;
        struct dcerpc_pipe *p2;
        struct netr_ServerReqChallenge r;
        struct netr_ServerAuthenticate2 a;
        struct netr_Credential credentials1, credentials2, credentials3;
        struct samr_Password mach_pwd;
-       struct creds_CredentialState creds;
-       const char *workgroup, *workstation;
+       const char *workgroup;
        uint32_t negotiate_flags;
+       TALLOC_CTX *tmp_ctx;
 
-       if (p->flags & DCERPC_SCHANNEL_128) {
+       if (p->conn->flags & DCERPC_SCHANNEL_128) {
                negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
        } else {
                negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
        }
 
-       workstation = username;
        workgroup = domain;
 
+       tmp_ctx = talloc_new(NULL);
+
        /*
          step 1 - establish a netlogon connection, with no authentication
        */
-       status = dcerpc_secondary_connection(p, &p2, 
-                                            DCERPC_NETLOGON_NAME, 
-                                            DCERPC_NETLOGON_UUID, 
-                                            DCERPC_NETLOGON_VERSION);
+
+       /* Find the original binding string */
+       status = dcerpc_parse_binding(tmp_ctx, p->conn->binding_string, &b);
        if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0,("Failed to parse dcerpc binding '%s'\n", p->conn->binding_string));
+               talloc_free(tmp_ctx);
                return status;
        }
 
+       /* Make binding string for netlogon, not the other pipe */
+       status = dcerpc_epm_map_binding(tmp_ctx, b, DCERPC_NETLOGON_UUID, DCERPC_NETLOGON_VERSION);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n", 
+                        DCERPC_NETLOGON_UUID, nt_errstr(status)));
+               talloc_free(p);
+               return status;
+       }
+
+       status = dcerpc_secondary_connection(p, &p2, b);
+       if (!NT_STATUS_IS_OK(status)) {
+               talloc_free(tmp_ctx);
+               return status;
+       }
+
+       talloc_free(tmp_ctx);
+
+       status = dcerpc_bind_auth_none(p2, DCERPC_NETLOGON_UUID, 
+                                      DCERPC_NETLOGON_VERSION);
+       if (!NT_STATUS_IS_OK(status)) {
+               talloc_free(p2);
+                return status;
+        }
 
        /*
          step 2 - request a netlogon challenge
@@ -387,11 +378,13 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
          step 3 - authenticate on the netlogon pipe
        */
        E_md4hash(password, mach_pwd.hash);
-       creds_client_init(&creds, &credentials1, &credentials2, &mach_pwd, &credentials3,
+       creds_client_init(creds, &credentials1, &credentials2, 
+                         workstation, domain, username, 
+                         &mach_pwd, &credentials3,
                          negotiate_flags);
 
        a.in.server_name = r.in.server_name;
-       a.in.account_name = talloc_asprintf(p, "%s$", workstation);
+       a.in.account_name = username;
        a.in.secure_channel_type = chan_type;
        a.in.computer_name = workstation;
        a.in.negotiate_flags = &negotiate_flags;
@@ -404,7 +397,7 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
                return status;
        }
 
-       if (!creds_client_check(&creds, a.out.credentials)) {
+       if (!creds_client_check(creds, a.out.credentials)) {
                return NT_STATUS_UNSUCCESSFUL;
        }
 
@@ -415,8 +408,6 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
        */
        dcerpc_pipe_close(p2);
 
-       memcpy(new_session_key, creds.session_key, 16);
-
        return NT_STATUS_OK;
 }
 
@@ -424,73 +415,122 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
   do a schannel style bind on a dcerpc pipe. The username is usually
   of the form HOSTNAME$ and the password is the domain trust password
 */
-NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
-                                  const char *uuid, uint_t version,
-                                  const char *domain,
-                                  const char *username,
-                                  const char *password)
+NTSTATUS dcerpc_bind_auth_schannel_withkey(struct dcerpc_pipe *p,
+                                          const char *uuid, uint_t version,
+                                          struct creds_CredentialState *creds)
 {
        NTSTATUS status;
-       int chan_type = 0;
+       struct dcerpc_schannel_state *dce_schan_state;
 
-       status = gensec_client_start(p, &p->security_state.generic_state);
+       status = gensec_client_start(p, &p->conn->security_state.generic_state);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
 
-       if (p->flags & DCERPC_SCHANNEL_BDC) {
-               chan_type = SEC_CHAN_BDC;
-       } else if (p->flags & DCERPC_SCHANNEL_WORKSTATION) {
-               chan_type = SEC_CHAN_WKSTA;
-       } else if (p->flags & DCERPC_SCHANNEL_DOMAIN) {
-               chan_type = SEC_CHAN_DOMAIN;
-       }
-
-       status = dcerpc_schannel_key(p, domain, 
-                                    username,
-                                    password, 
-                                    chan_type, 
-                                    p->security_state.generic_state->user.schan_session_key);
+       status = gensec_set_workstation(p->conn->security_state.generic_state, creds->computer_name);
        if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Failed to fetch schannel session key: %s\n", nt_errstr(status)));
-               gensec_end(&p->security_state.generic_state);
+               DEBUG(1, ("Failed to set schannel workstation to %s: %s\n", 
+                         creds->computer_name, nt_errstr(status)));
+               talloc_free(p->conn->security_state.generic_state);
+               p->conn->security_state.generic_state = NULL;
                return status;
        }
        
-       status = gensec_set_username(p->security_state.generic_state, username);
+       status = gensec_set_username(p->conn->security_state.generic_state, creds->account_name);
        if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Failed to set schannel username to %s: %s\n", username, nt_errstr(status)));
-               gensec_end(&p->security_state.generic_state);
+               DEBUG(1, ("Failed to set schannel username to %s: %s\n", 
+                         creds->account_name, nt_errstr(status)));
+               talloc_free(p->conn->security_state.generic_state);
+               p->conn->security_state.generic_state = NULL;
                return status;
        }
        
-       status = gensec_set_domain(p->security_state.generic_state, domain);
+       status = gensec_set_domain(p->conn->security_state.generic_state, creds->domain);
        if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Failed to set schannel domain to %s: %s\n", domain, nt_errstr(status)));
-               gensec_end(&p->security_state.generic_state);
+               DEBUG(1, ("Failed to set schannel domain to %s: %s\n", 
+                         creds->domain, nt_errstr(status)));
+               talloc_free(p->conn->security_state.generic_state);
+               p->conn->security_state.generic_state = NULL;
                return status;
        }
        
-       status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p));
+       status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state, 
+                                              DCERPC_AUTH_TYPE_SCHANNEL, 
+                                              dcerpc_auth_level(p->conn));
 
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to start SCHANNEL GENSEC backend: %s\n", nt_errstr(status)));
-               gensec_end(&p->security_state.generic_state);
+               talloc_free(p->conn->security_state.generic_state);
+               p->conn->security_state.generic_state = NULL;
                return status;
        }
 
-       status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p),
+       dce_schan_state = p->conn->security_state.generic_state->private_data;
+       dce_schan_state->creds = talloc_reference(dce_schan_state, creds);
+
+       status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p->conn),
                                  uuid, version);
 
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to bind to pipe with SCHANNEL: %s\n", nt_errstr(status)));
-               gensec_end(&p->security_state.generic_state);
+               talloc_free(p->conn->security_state.generic_state);
+               p->conn->security_state.generic_state = NULL;
                return status;
        }
 
        return NT_STATUS_OK;
 }
 
+NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
+                                  const char *uuid, uint_t version,
+                                  const char *workstation,
+                                  const char *domain,
+                                  const char *username,
+                                  const char *password)
+{
+       NTSTATUS status;
+       int chan_type = 0;
+       struct creds_CredentialState *creds;
+       creds = talloc(p, struct creds_CredentialState);
+       if (!creds) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       if (p->conn->flags & DCERPC_SCHANNEL_BDC) {
+               chan_type = SEC_CHAN_BDC;
+       } else if (p->conn->flags & DCERPC_SCHANNEL_WORKSTATION) {
+               chan_type = SEC_CHAN_WKSTA;
+       } else if (p->conn->flags & DCERPC_SCHANNEL_DOMAIN) {
+               chan_type = SEC_CHAN_DOMAIN;
+       }
+
+       status = dcerpc_schannel_key(p, domain, 
+                                    workstation,
+                                    username,
+                                    password, 
+                                    chan_type,
+                                    creds);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Failed to fetch schannel session key: %s\n",
+                         nt_errstr(status)));
+               return status;
+       }
+
+       return dcerpc_bind_auth_schannel_withkey(p, uuid, version, creds);
+}
+
+static BOOL dcerpc_schannel_have_feature(struct gensec_security *gensec_security,
+                                         uint32_t feature)
+{
+       if (feature & (GENSEC_FEATURE_SESSION_KEY | 
+                      GENSEC_FEATURE_SIGN | 
+                      GENSEC_FEATURE_SEAL)) {
+               return True;
+       }
+       return False;
+}
+
 
 static const struct gensec_security_ops gensec_dcerpc_schannel_security_ops = {
        .name           = "dcerpc_schannel",
@@ -505,13 +545,14 @@ static const struct gensec_security_ops gensec_dcerpc_schannel_security_ops = {
        .session_key    = dcerpc_schannel_session_key,
        .session_info   = dcerpc_schannel_session_info,
        .sig_size       = dcerpc_schannel_sig_size,
-       .end            = dcerpc_schannel_end
+       .have_feature   = dcerpc_schannel_have_feature,
+       .enabled        = True
 };
 
 NTSTATUS gensec_dcerpc_schannel_init(void)
 {
        NTSTATUS ret;
-       ret = register_backend("gensec", &gensec_dcerpc_schannel_security_ops);
+       ret = gensec_register(&gensec_dcerpc_schannel_security_ops);
        if (!NT_STATUS_IS_OK(ret)) {
                DEBUG(0,("Failed to register '%s' gensec backend!\n",
                        gensec_dcerpc_schannel_security_ops.name));
Unnamed repository; edit this file 'description' to name the repository.