source4/auth/gensec/schannel_state.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    module to store/fetch session keys for the schannel server
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "lib/events/events.h"
  24 #include "lib/ldb/include/ldb.h"
  25 #include "lib/ldb/include/ldb_errors.h"
  26 #include "dsdb/samdb/samdb.h"
  27 #include "ldb_wrap.h"
  28 #include "../lib/util/util_ldb.h"
  29 #include "libcli/auth/libcli_auth.h"
  30 #include "auth/auth.h"
  31 #include "param/param.h"
  32
  33 /**
  34   connect to the schannel ldb
  35 */
  36 struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx, struct event_context *ev_ctx,
  37                                         struct loadparm_context *lp_ctx)
  38 {
  39         char *path;
  40         struct ldb_context *ldb;
  41         bool existed;
  42         const char *init_ldif =
  43                 "dn: @ATTRIBUTES\n" \
  44                 "computerName: CASE_INSENSITIVE\n" \
  45                 "flatname: CASE_INSENSITIVE\n";
  46
  47         path = private_path(mem_ctx, lp_ctx, "schannel.ldb");
  48         if (!path) {
  49                 return NULL;
  50         }
  51
  52         existed = file_exist(path);
  53
  54         ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, path,
  55                                system_session(mem_ctx, lp_ctx),
  56                                NULL, LDB_FLG_NOSYNC, NULL);
  57         talloc_free(path);
  58         if (!ldb) {
  59                 return NULL;
  60         }
  61
  62         if (!existed) {
  63                 gendb_add_ldif(ldb, init_ldif);
  64         }
  65
  66         return ldb;
  67 }
  68
  69 /*
  70   remember an established session key for a netr server authentication
  71   use a simple ldb structure
  72 */
  73 NTSTATUS schannel_store_session_key_ldb(TALLOC_CTX *mem_ctx,
  74                                         struct ldb_context *ldb,
  75                                         struct creds_CredentialState *creds)
  76 {
  77         struct ldb_message *msg;
  78         struct ldb_val val, seed, client_state, server_state;
  79         char *f;
  80         char *sct;
  81         int ret;
  82
  83         f = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->negotiate_flags);
  84
  85         if (f == NULL) {
  86                 return NT_STATUS_NO_MEMORY;
  87         }
  88
  89         sct = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->secure_channel_type);
  90
  91         if (sct == NULL) {
  92                 return NT_STATUS_NO_MEMORY;
  93         }
  94
  95         msg = ldb_msg_new(ldb);
  96         if (msg == NULL) {
  97                 return NT_STATUS_NO_MEMORY;
  98         }
  99
 100         msg->dn = ldb_dn_new_fmt(msg, ldb, "computerName=%s", creds->computer_name);
 101         if ( ! msg->dn) {
 102                 return NT_STATUS_NO_MEMORY;
 103         }
 104
 105         val.data = creds->session_key;
 106         val.length = sizeof(creds->session_key);
 107
 108         seed.data = creds->seed.data;
 109         seed.length = sizeof(creds->seed.data);
 110
 111         client_state.data = creds->client.data;
 112         client_state.length = sizeof(creds->client.data);
 113         server_state.data = creds->server.data;
 114         server_state.length = sizeof(creds->server.data);
 115
 116         ldb_msg_add_string(msg, "objectClass", "schannelState");
 117         ldb_msg_add_value(msg, "sessionKey", &val, NULL);
 118         ldb_msg_add_value(msg, "seed", &seed, NULL);
 119         ldb_msg_add_value(msg, "clientState", &client_state, NULL);
 120         ldb_msg_add_value(msg, "serverState", &server_state, NULL);
 121         ldb_msg_add_string(msg, "negotiateFlags", f);
 122         ldb_msg_add_string(msg, "secureChannelType", sct);
 123         ldb_msg_add_string(msg, "accountName", creds->account_name);
 124         ldb_msg_add_string(msg, "computerName", creds->computer_name);
 125         ldb_msg_add_string(msg, "flatname", creds->domain);
 126         samdb_msg_add_dom_sid(ldb, mem_ctx, msg, "objectSid", creds->sid);
 127
 128         ldb_delete(ldb, msg->dn);
 129
 130         ret = ldb_add(ldb, msg);
 131
 132         if (ret != 0) {
 133                 DEBUG(0,("Unable to add %s to session key db - %s\n",
 134                          ldb_dn_get_linearized(msg->dn), ldb_errstring(ldb)));
 135                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
 136         }
 137
 138         return NT_STATUS_OK;
 139 }
 140
 141 NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
 142                                     struct event_context *ev_ctx,
 143                                     struct loadparm_context *lp_ctx,
 144                                     struct creds_CredentialState *creds)
 145 {
 146         struct ldb_context *ldb;
 147         NTSTATUS nt_status;
 148         int ret;
 149
 150         ldb = schannel_db_connect(mem_ctx, ev_ctx, lp_ctx);
 151         if (!ldb) {
 152                 return NT_STATUS_ACCESS_DENIED;
 153         }
 154
 155         ret = ldb_transaction_start(ldb);
 156         if (ret != 0) {
 157                 talloc_free(ldb);
 158                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
 159         }
 160
 161         nt_status = schannel_store_session_key_ldb(mem_ctx, ldb, creds);
 162
 163         if (NT_STATUS_IS_OK(nt_status)) {
 164                 ret = ldb_transaction_commit(ldb);
 165         } else {
 166                 ret = ldb_transaction_cancel(ldb);
 167         }
 168
 169         if (ret != 0) {
 170                 DEBUG(0,("Unable to commit adding credentials for %s to schannel key db - %s\n",
 171                          creds->computer_name, ldb_errstring(ldb)));
 172                 talloc_free(ldb);
 173                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
 174         }
 175
 176         talloc_free(ldb);
 177         return nt_status;
 178 }
 179
 180 /*
 181   read back a credentials back for a computer
 182 */
 183 NTSTATUS schannel_fetch_session_key_ldb(TALLOC_CTX *mem_ctx,
 184                                         struct ldb_context *ldb,
 185                                         const char *computer_name,
 186                                         const char *domain,
 187                                         struct creds_CredentialState **creds)
 188 {
 189         struct ldb_result *res;
 190         int ret;
 191         const struct ldb_val *val;
 192
 193         *creds = talloc_zero(mem_ctx, struct creds_CredentialState);
 194         if (!*creds) {
 195                 return NT_STATUS_NO_MEMORY;
 196         }
 197
 198         ret = ldb_search(ldb, mem_ctx, &res,
 199                                  NULL, LDB_SCOPE_SUBTREE, NULL,
 200                                 "(&(computerName=%s)(flatname=%s))", computer_name, domain);
 201         if (ret != LDB_SUCCESS) {
 202                 DEBUG(3,("schannel: Failed to find a record for client %s: %s\n", computer_name, ldb_errstring(ldb)));
 203                 return NT_STATUS_INVALID_HANDLE;
 204         }
 205         if (res->count != 1) {
 206                 DEBUG(3,("schannel: Failed to find a record for client: %s (found %d records)\n", computer_name, res->count));
 207                 talloc_free(res);
 208                 return NT_STATUS_INVALID_HANDLE;
 209         }
 210
 211         val = ldb_msg_find_ldb_val(res->msgs[0], "sessionKey");
 212         if (val == NULL || val->length != 16) {
 213                 DEBUG(1,("schannel: record in schannel DB must contain a sessionKey of length 16, when searching for client: %s\n", computer_name));
 214                 talloc_free(res);
 215                 return NT_STATUS_INTERNAL_ERROR;
 216         }
 217
 218         memcpy((*creds)->session_key, val->data, 16);
 219
 220         val = ldb_msg_find_ldb_val(res->msgs[0], "seed");
 221         if (val == NULL || val->length != 8) {
 222                 DEBUG(1,("schannel: record in schannel DB must contain a vaid seed of length 8, when searching for client: %s\n", computer_name));
 223                 talloc_free(res);
 224                 return NT_STATUS_INTERNAL_ERROR;
 225         }
 226
 227         memcpy((*creds)->seed.data, val->data, 8);
 228
 229         val = ldb_msg_find_ldb_val(res->msgs[0], "clientState");
 230         if (val == NULL || val->length != 8) {
 231                 DEBUG(1,("schannel: record in schannel DB must contain a vaid clientState of length 8, when searching for client: %s\n", computer_name));
 232                 talloc_free(res);
 233                 return NT_STATUS_INTERNAL_ERROR;
 234         }
 235         memcpy((*creds)->client.data, val->data, 8);
 236
 237         val = ldb_msg_find_ldb_val(res->msgs[0], "serverState");
 238         if (val == NULL || val->length != 8) {
 239                 DEBUG(1,("schannel: record in schannel DB must contain a vaid serverState of length 8, when searching for client: %s\n", computer_name));
 240                 talloc_free(res);
 241                 return NT_STATUS_INTERNAL_ERROR;
 242         }
 243         memcpy((*creds)->server.data, val->data, 8);
 244
 245         (*creds)->negotiate_flags = ldb_msg_find_attr_as_int(res->msgs[0], "negotiateFlags", 0);
 246
 247         (*creds)->secure_channel_type = ldb_msg_find_attr_as_int(res->msgs[0], "secureChannelType", 0);
 248
 249         (*creds)->account_name = talloc_strdup(*creds, ldb_msg_find_attr_as_string(res->msgs[0], "accountName", NULL));
 250         if ((*creds)->account_name == NULL) {
 251                 talloc_free(res);
 252                 return NT_STATUS_NO_MEMORY;
 253         }
 254
 255         (*creds)->computer_name = talloc_strdup(*creds, ldb_msg_find_attr_as_string(res->msgs[0], "computerName", NULL));
 256         if ((*creds)->computer_name == NULL) {
 257                 talloc_free(res);
 258                 return NT_STATUS_NO_MEMORY;
 259         }
 260
 261         (*creds)->domain = talloc_strdup(*creds, ldb_msg_find_attr_as_string(res->msgs[0], "flatname", NULL));
 262         if ((*creds)->domain == NULL) {
 263                 talloc_free(res);
 264                 return NT_STATUS_NO_MEMORY;
 265         }
 266
 267         (*creds)->sid = samdb_result_dom_sid(*creds, res->msgs[0], "objectSid");
 268
 269         talloc_free(res);
 270         return NT_STATUS_OK;
 271 }
 272
 273 NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
 274                                     struct event_context *ev_ctx,
 275                                     struct loadparm_context *lp_ctx,
 276                                         const char *computer_name,
 277                                         const char *domain,
 278                                         struct creds_CredentialState **creds)
 279 {
 280         NTSTATUS nt_status;
 281         struct ldb_context *ldb;
 282
 283         ldb = schannel_db_connect(mem_ctx, ev_ctx, lp_ctx);
 284         if (!ldb) {
 285                 return NT_STATUS_ACCESS_DENIED;
 286         }
 287
 288         nt_status = schannel_fetch_session_key_ldb(mem_ctx, ldb,
 289                                                    computer_name, domain,
 290                                                    creds);
 291         talloc_free(ldb);
 292         return nt_status;
 293 }