libcli/auth/schannel_state_tdb.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    module to store/fetch session keys for the schannel server
   5
   6    Copyright (C) Andrew Tridgell 2004
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006-2009
   8    Copyright (C) Guenther Deschner 2009
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "system/filesys.h"
  26 #include "../lib/tdb/include/tdb.h"
  27 #include "../lib/util/util_tdb.h"
  28 #include "../lib/param/param.h"
  29 #include "../libcli/auth/schannel.h"
  30 #include "../librpc/gen_ndr/ndr_schannel.h"
  31 #include "lib/dbwrap/dbwrap.h"
  32
  33 #define SECRETS_SCHANNEL_STATE "SECRETS/SCHANNEL"
  34
  35 /******************************************************************************
  36  Open or create the schannel session store tdb.  Non-static so it can
  37  be called from parent processes to corectly handle TDB_CLEAR_IF_FIRST
  38 *******************************************************************************/
  39
  40 struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
  41                                                struct loadparm_context *lp_ctx)
  42 {
  43         struct db_context *db_sc = NULL;
  44         char *fname = lpcfg_private_db_path(mem_ctx, lp_ctx, "schannel_store");
  45         int hash_size, tdb_flags;
  46
  47         if (!fname) {
  48                 return NULL;
  49         }
  50
  51         hash_size = lpcfg_tdb_hash_size(lp_ctx, fname);
  52         tdb_flags = lpcfg_tdb_flags(lp_ctx, TDB_CLEAR_IF_FIRST|TDB_NOSYNC);
  53
  54         db_sc = dbwrap_local_open(
  55                 mem_ctx,
  56                 fname,
  57                 hash_size,
  58                 tdb_flags,
  59                 O_RDWR|O_CREAT,
  60                 0600,
  61                 DBWRAP_LOCK_ORDER_NONE,
  62                 DBWRAP_FLAG_NONE);
  63
  64         if (!db_sc) {
  65                 DEBUG(0,("open_schannel_session_store: Failed to open %s - %s\n",
  66                          fname, strerror(errno)));
  67                 TALLOC_FREE(fname);
  68                 return NULL;
  69         }
  70
  71         TALLOC_FREE(fname);
  72
  73         return db_sc;
  74 }
  75
  76 /********************************************************************
  77  ********************************************************************/
  78
  79 static
  80 NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc,
  81                                         TALLOC_CTX *mem_ctx,
  82                                         struct netlogon_creds_CredentialState *creds)
  83 {
  84         enum ndr_err_code ndr_err;
  85         DATA_BLOB blob;
  86         TDB_DATA value;
  87         char *keystr;
  88         char *name_upper;
  89         NTSTATUS status;
  90
  91         if (strlen(creds->computer_name) > 15) {
  92                 /*
  93                  * We may want to check for a completely
  94                  * valid netbios name.
  95                  */
  96                 return STATUS_BUFFER_OVERFLOW;
  97         }
  98
  99         name_upper = strupper_talloc(mem_ctx, creds->computer_name);
 100         if (!name_upper) {
 101                 return NT_STATUS_NO_MEMORY;
 102         }
 103
 104         keystr = talloc_asprintf(mem_ctx, "%s/%s",
 105                                  SECRETS_SCHANNEL_STATE, name_upper);
 106         TALLOC_FREE(name_upper);
 107         if (!keystr) {
 108                 return NT_STATUS_NO_MEMORY;
 109         }
 110
 111         ndr_err = ndr_push_struct_blob(&blob, mem_ctx, creds,
 112                         (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
 113         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 114                 talloc_free(keystr);
 115                 return ndr_map_error2ntstatus(ndr_err);
 116         }
 117
 118         value.dptr = blob.data;
 119         value.dsize = blob.length;
 120
 121         status = dbwrap_store_bystring(db_sc, keystr, value, TDB_REPLACE);
 122         if (!NT_STATUS_IS_OK(status)) {
 123                 DEBUG(0,("Unable to add %s to session key db - %s\n",
 124                          keystr, nt_errstr(status)));
 125                 talloc_free(keystr);
 126                 return status;
 127         }
 128
 129         DEBUG(3,("schannel_store_session_key_tdb: stored schannel info with key %s\n",
 130                 keystr));
 131
 132         if (DEBUGLEVEL >= 10) {
 133                 NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
 134         }
 135
 136         talloc_free(keystr);
 137
 138         return NT_STATUS_OK;
 139 }
 140
 141 /********************************************************************
 142  ********************************************************************/
 143
 144 static
 145 NTSTATUS schannel_fetch_session_key_tdb(struct db_context *db_sc,
 146                                         TALLOC_CTX *mem_ctx,
 147                                         const char *computer_name,
 148                                         struct netlogon_creds_CredentialState **pcreds)
 149 {
 150         NTSTATUS status;
 151         TDB_DATA value;
 152         enum ndr_err_code ndr_err;
 153         DATA_BLOB blob;
 154         struct netlogon_creds_CredentialState *creds = NULL;
 155         char *keystr = NULL;
 156         char *name_upper;
 157
 158         *pcreds = NULL;
 159
 160         name_upper = strupper_talloc(mem_ctx, computer_name);
 161         if (!name_upper) {
 162                 return NT_STATUS_NO_MEMORY;
 163         }
 164
 165         keystr = talloc_asprintf(mem_ctx, "%s/%s",
 166                                  SECRETS_SCHANNEL_STATE, name_upper);
 167         TALLOC_FREE(name_upper);
 168         if (!keystr) {
 169                 return NT_STATUS_NO_MEMORY;
 170         }
 171
 172         status = dbwrap_fetch_bystring(db_sc, keystr, keystr, &value);
 173         if (!NT_STATUS_IS_OK(status)) {
 174                 DEBUG(10,("schannel_fetch_session_key_tdb: Failed to find entry with key %s\n",
 175                         keystr ));
 176                 goto done;
 177         }
 178
 179         creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
 180         if (!creds) {
 181                 status = NT_STATUS_NO_MEMORY;
 182                 goto done;
 183         }
 184
 185         blob = data_blob_const(value.dptr, value.dsize);
 186
 187         ndr_err = ndr_pull_struct_blob(&blob, creds, creds,
 188                         (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
 189         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 190                 status = ndr_map_error2ntstatus(ndr_err);
 191                 goto done;
 192         }
 193
 194         if (DEBUGLEVEL >= 10) {
 195                 NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
 196         }
 197
 198         DEBUG(3,("schannel_fetch_session_key_tdb: restored schannel info key %s\n",
 199                 keystr));
 200
 201         status = NT_STATUS_OK;
 202
 203  done:
 204
 205         talloc_free(keystr);
 206
 207         if (!NT_STATUS_IS_OK(status)) {
 208                 talloc_free(creds);
 209                 return status;
 210         }
 211
 212         *pcreds = creds;
 213
 214         return NT_STATUS_OK;
 215 }
 216
 217 /******************************************************************************
 218  Wrapper around schannel_fetch_session_key_tdb()
 219  Note we must be root here.
 220 *******************************************************************************/
 221
 222 NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
 223                                   struct loadparm_context *lp_ctx,
 224                                   const char *computer_name,
 225                                   struct netlogon_creds_CredentialState **_creds)
 226 {
 227         TALLOC_CTX *tmpctx;
 228         struct db_context *db_sc;
 229         struct netlogon_creds_CredentialState *creds;
 230         NTSTATUS status;
 231
 232         tmpctx = talloc_named(mem_ctx, 0, "schannel_get_creds_state");
 233         if (!tmpctx) {
 234                 return NT_STATUS_NO_MEMORY;
 235         }
 236
 237         db_sc = open_schannel_session_store(tmpctx, lp_ctx);
 238         if (!db_sc) {
 239                 return NT_STATUS_ACCESS_DENIED;
 240         }
 241
 242         status = schannel_fetch_session_key_tdb(db_sc, tmpctx,
 243                                                 computer_name, &creds);
 244         if (NT_STATUS_IS_OK(status)) {
 245                 *_creds = talloc_steal(mem_ctx, creds);
 246                 if (!*_creds) {
 247                         status = NT_STATUS_NO_MEMORY;
 248                 }
 249         }
 250
 251         talloc_free(tmpctx);
 252         return status;
 253 }
 254
 255 /******************************************************************************
 256  Wrapper around schannel_store_session_key_tdb()
 257  Note we must be root here.
 258 *******************************************************************************/
 259
 260 NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
 261                                    struct loadparm_context *lp_ctx,
 262                                    struct netlogon_creds_CredentialState *creds)
 263 {
 264         TALLOC_CTX *tmpctx;
 265         struct db_context *db_sc;
 266         NTSTATUS status;
 267
 268         tmpctx = talloc_named(mem_ctx, 0, "schannel_save_creds_state");
 269         if (!tmpctx) {
 270                 return NT_STATUS_NO_MEMORY;
 271         }
 272
 273         db_sc = open_schannel_session_store(tmpctx, lp_ctx);
 274         if (!db_sc) {
 275                 status = NT_STATUS_ACCESS_DENIED;
 276                 goto fail;
 277         }
 278
 279         status = schannel_store_session_key_tdb(db_sc, tmpctx, creds);
 280
 281 fail:
 282         talloc_free(tmpctx);
 283         return status;
 284 }
 285
 286
 287 /*
 288  * Create a very lossy hash of the computer name.
 289  *
 290  * The idea here is to compress the computer name into small space so
 291  * that malicious clients cannot fill the database with junk, as only a
 292  * maximum of 16k of entries are possible.
 293  *
 294  * Collisions are certainly possible, and the design behaves in the
 295  * same way as when the hostname is reused, but clients that use the
 296  * same connection do not go via the cache, and the cache only needs
 297  * to function between the ReqChallenge and ServerAuthenticate
 298  * packets.
 299  */
 300 static void hash_computer_name(const char *computer_name,
 301                                char keystr[16])
 302 {
 303         unsigned int hash;
 304         TDB_DATA computer_tdb_data = {
 305                 .dptr = (uint8_t *)discard_const_p(char, computer_name),
 306                 .dsize = strlen(computer_name)
 307         };
 308         hash = tdb_jenkins_hash(&computer_tdb_data);
 309
 310         /* we are using 14 bits of the digest to index our connections, so
 311            that we use at most 16,384 buckets.*/
 312         snprintf(keystr, 15, "CHALLENGE/%x%x", hash & 0xFF,
 313                  (hash & 0xFF00 >> 8) & 0x3f);
 314         return;
 315 }
 316
 317
 318 static
 319 NTSTATUS schannel_store_challenge_tdb(struct db_context *db_sc,
 320                                       TALLOC_CTX *mem_ctx,
 321                                       const struct netr_Credential *client_challenge,
 322                                       const struct netr_Credential *server_challenge,
 323                                       const char *computer_name)
 324 {
 325         enum ndr_err_code ndr_err;
 326         DATA_BLOB blob;
 327         TDB_DATA value;
 328         char *name_upper = NULL;
 329         NTSTATUS status;
 330         char keystr[16] = { 0, };
 331         struct netlogon_cache_entry cache_entry;
 332
 333         if (strlen(computer_name) > 255) {
 334                 /*
 335                  * We don't make this a limit at 15 chars as Samba has
 336                  * a test showing this can be longer :-(
 337                  */
 338                 return STATUS_BUFFER_OVERFLOW;
 339         }
 340
 341         name_upper = strupper_talloc(mem_ctx, computer_name);
 342         if (name_upper == NULL) {
 343                 return NT_STATUS_NO_MEMORY;
 344         }
 345
 346         hash_computer_name(name_upper, keystr);
 347
 348         cache_entry.computer_name = name_upper;
 349         cache_entry.client_challenge = *client_challenge;
 350         cache_entry.server_challenge = *server_challenge;
 351
 352         ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &cache_entry,
 353                                (ndr_push_flags_fn_t)ndr_push_netlogon_cache_entry);
 354         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 355                 return NT_STATUS_UNSUCCESSFUL;
 356         }
 357
 358         value.dptr = blob.data;
 359         value.dsize = blob.length;
 360
 361         status = dbwrap_store_bystring(db_sc, keystr, value, TDB_REPLACE);
 362         if (!NT_STATUS_IS_OK(status)) {
 363                 DEBUG(0,("%s: failed to stored challenge info for '%s' "
 364                          "with key %s - %s\n",
 365                          __func__, cache_entry.computer_name, keystr,
 366                          nt_errstr(status)));
 367                 return status;
 368         }
 369
 370         DEBUG(3,("%s: stored challenge info for '%s' with key %s\n",
 371                 __func__, cache_entry.computer_name, keystr));
 372
 373         if (DEBUGLEVEL >= 10) {
 374                 NDR_PRINT_DEBUG(netlogon_cache_entry, &cache_entry);
 375         }
 376
 377         return NT_STATUS_OK;
 378 }
 379
 380 /********************************************************************
 381  Fetch a single challenge from the TDB.
 382  ********************************************************************/
 383
 384 static
 385 NTSTATUS schannel_fetch_challenge_tdb(struct db_context *db_sc,
 386                                       TALLOC_CTX *mem_ctx,
 387                                       struct netr_Credential *client_challenge,
 388                                       struct netr_Credential *server_challenge,
 389                                       const char *computer_name)
 390 {
 391         NTSTATUS status;
 392         TDB_DATA value;
 393         enum ndr_err_code ndr_err;
 394         DATA_BLOB blob;
 395         char keystr[16] = { 0, };
 396         struct netlogon_cache_entry cache_entry;
 397         char *name_upper = NULL;
 398
 399         name_upper = strupper_talloc(mem_ctx, computer_name);
 400         if (name_upper == NULL) {
 401                 return NT_STATUS_NO_MEMORY;
 402         }
 403
 404         hash_computer_name(name_upper, keystr);
 405
 406         status = dbwrap_fetch_bystring(db_sc, mem_ctx, keystr, &value);
 407         if (!NT_STATUS_IS_OK(status)) {
 408                 DEBUG(3,("%s: Failed to find entry for %s with key %s - %s\n",
 409                         __func__, name_upper, keystr, nt_errstr(status)));
 410                 goto done;
 411         }
 412
 413         blob = data_blob_const(value.dptr, value.dsize);
 414
 415         ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &cache_entry,
 416                                            (ndr_pull_flags_fn_t)ndr_pull_netlogon_cache_entry);
 417         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 418                 status = ndr_map_error2ntstatus(ndr_err);
 419                 DEBUG(3,("%s: Failed to parse entry for %s with key %s - %s\n",
 420                         __func__, name_upper, keystr, nt_errstr(status)));
 421                 goto done;
 422         }
 423
 424         if (DEBUGLEVEL >= 10) {
 425                 NDR_PRINT_DEBUG(netlogon_cache_entry, &cache_entry);
 426         }
 427
 428         if (strcmp(cache_entry.computer_name, name_upper) != 0) {
 429                 status = NT_STATUS_NOT_FOUND;
 430
 431                 DEBUG(1, ("%s: HASH COLLISION with key %s ! "
 432                           "Wanted to fetch record for %s but got %s.",
 433                           __func__, keystr, name_upper,
 434                           cache_entry.computer_name));
 435         } else {
 436
 437                 DEBUG(3,("%s: restored key %s for %s\n",
 438                          __func__, keystr, cache_entry.computer_name));
 439
 440                 *client_challenge = cache_entry.client_challenge;
 441                 *server_challenge = cache_entry.server_challenge;
 442         }
 443  done:
 444
 445         if (!NT_STATUS_IS_OK(status)) {
 446                 return status;
 447         }
 448
 449         return NT_STATUS_OK;
 450 }
 451
 452 /******************************************************************************
 453  Wrapper around schannel_fetch_challenge_tdb()
 454  Note we must be root here.
 455
 456 *******************************************************************************/
 457
 458 NTSTATUS schannel_get_challenge(struct loadparm_context *lp_ctx,
 459                                 struct netr_Credential *client_challenge,
 460                                 struct netr_Credential *server_challenge,
 461                                 const char *computer_name)
 462 {
 463         TALLOC_CTX *frame = talloc_stackframe();
 464         struct db_context *db_sc;
 465         NTSTATUS status;
 466
 467         db_sc = open_schannel_session_store(frame, lp_ctx);
 468         if (!db_sc) {
 469                 TALLOC_FREE(frame);
 470                 return NT_STATUS_ACCESS_DENIED;
 471         }
 472
 473         status = schannel_fetch_challenge_tdb(db_sc, frame,
 474                                               client_challenge,
 475                                               server_challenge,
 476                                               computer_name);
 477         TALLOC_FREE(frame);
 478         return status;
 479 }
 480
 481 /******************************************************************************
 482  Wrapper around dbwrap_delete_bystring()
 483  Note we must be root here.
 484
 485  This allows the challenge to be removed from the TDB, which should be
 486  as soon as the TDB or in-memory copy it is used, to avoid reuse.
 487 *******************************************************************************/
 488
 489 NTSTATUS schannel_delete_challenge(struct loadparm_context *lp_ctx,
 490                                    const char *computer_name)
 491 {
 492         TALLOC_CTX *frame = talloc_stackframe();
 493         struct db_context *db_sc;
 494         char *name_upper;
 495         char keystr[16] = { 0, };
 496
 497         db_sc = open_schannel_session_store(frame, lp_ctx);
 498         if (!db_sc) {
 499                 TALLOC_FREE(frame);
 500                 return NT_STATUS_ACCESS_DENIED;
 501         }
 502
 503         name_upper = strupper_talloc(frame, computer_name);
 504         if (!name_upper) {
 505                 TALLOC_FREE(frame);
 506                 return NT_STATUS_NO_MEMORY;
 507         }
 508
 509         hash_computer_name(name_upper, keystr);
 510
 511         /* Now delete it, we do not want to permit fetch of this twice */
 512         dbwrap_delete_bystring(db_sc, keystr);
 513
 514         TALLOC_FREE(frame);
 515         return NT_STATUS_OK;
 516 }
 517
 518 /******************************************************************************
 519  Wrapper around schannel_store_session_key_tdb()
 520  Note we must be root here.
 521 *******************************************************************************/
 522
 523 NTSTATUS schannel_save_challenge(struct loadparm_context *lp_ctx,
 524                                  const struct netr_Credential *client_challenge,
 525                                  const struct netr_Credential *server_challenge,
 526                                  const char *computer_name)
 527 {
 528         TALLOC_CTX *frame = talloc_stackframe();
 529         struct db_context *db_sc;
 530         NTSTATUS status;
 531
 532         db_sc = open_schannel_session_store(frame, lp_ctx);
 533         if (!db_sc) {
 534                 TALLOC_FREE(frame);
 535                 return NT_STATUS_ACCESS_DENIED;
 536         }
 537
 538         status = schannel_store_challenge_tdb(db_sc, frame,
 539                                               client_challenge,
 540                                               server_challenge,
 541                                               computer_name);
 542
 543         TALLOC_FREE(frame);
 544         return status;
 545 }
 546
 547 /********************************************************************
 548  Validate an incoming authenticator against the credentials for the
 549  remote machine stored in the schannel database.
 550
 551  The credentials are (re)read and from the schannel database, and
 552  written back after the caclulations are performed.
 553
 554  If the creds_out parameter is not NULL returns the credentials.
 555  ********************************************************************/
 556
 557 NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
 558                                     struct loadparm_context *lp_ctx,
 559                                     const char *computer_name,
 560                                     struct netr_Authenticator *received_authenticator,
 561                                     struct netr_Authenticator *return_authenticator,
 562                                     struct netlogon_creds_CredentialState **creds_out)
 563 {
 564         TALLOC_CTX *tmpctx;
 565         struct db_context *db_sc;
 566         struct netlogon_creds_CredentialState *creds;
 567         NTSTATUS status;
 568         char *name_upper = NULL;
 569         char *keystr = NULL;
 570         struct db_record *record;
 571         TDB_DATA key;
 572
 573         if (creds_out != NULL) {
 574                 *creds_out = NULL;
 575         }
 576
 577         tmpctx = talloc_named(mem_ctx, 0, "schannel_check_creds_state");
 578         if (!tmpctx) {
 579                 return NT_STATUS_NO_MEMORY;
 580         }
 581
 582         name_upper = strupper_talloc(tmpctx, computer_name);
 583         if (!name_upper) {
 584                 status = NT_STATUS_NO_MEMORY;
 585                 goto done;
 586         }
 587
 588         keystr = talloc_asprintf(tmpctx, "%s/%s",
 589                                  SECRETS_SCHANNEL_STATE, name_upper);
 590         if (!keystr) {
 591                 status = NT_STATUS_NO_MEMORY;
 592                 goto done;
 593         }
 594
 595         key = string_term_tdb_data(keystr);
 596
 597         db_sc = open_schannel_session_store(tmpctx, lp_ctx);
 598         if (!db_sc) {
 599                 status = NT_STATUS_ACCESS_DENIED;
 600                 goto done;
 601         }
 602
 603         record = dbwrap_fetch_locked(db_sc, tmpctx, key);
 604         if (!record) {
 605                 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
 606                 goto done;
 607         }
 608
 609         /* Because this is a shared structure (even across
 610          * disconnects) we must update the database every time we
 611          * update the structure */
 612
 613         status = schannel_fetch_session_key_tdb(db_sc, tmpctx,
 614                                                 computer_name, &creds);
 615         if (!NT_STATUS_IS_OK(status)) {
 616                 goto done;
 617         }
 618
 619         status = netlogon_creds_server_step_check(creds,
 620                                                   received_authenticator,
 621                                                   return_authenticator);
 622         if (!NT_STATUS_IS_OK(status)) {
 623                 goto done;
 624         }
 625
 626         status = schannel_store_session_key_tdb(db_sc, tmpctx, creds);
 627         if (!NT_STATUS_IS_OK(status)) {
 628                 goto done;
 629         }
 630
 631         if (creds_out) {
 632                 *creds_out = talloc_steal(mem_ctx, creds);
 633                 if (!*creds_out) {
 634                         status = NT_STATUS_NO_MEMORY;
 635                         goto done;
 636                 }
 637         }
 638
 639         status = NT_STATUS_OK;
 640
 641 done:
 642         talloc_free(tmpctx);
 643         return status;
 644 }
 645