git.samba.org / samba.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
r4358: At metze's request, the Christmas elves have removed gensec_end in
[samba.git] / source4 / librpc / rpc / dcerpc_schannel.c
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 057e20f49721d8e5a7f879bc806c6481b8f66b3f..6df48b7dd34d976b450d510a3261b89c1179ca7d 100644 (file)
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -21,6 +21,8 @@
 */
 
 #include "includes.h"
+#include "librpc/gen_ndr/ndr_schannel.h"
+#include "auth/auth.h"
 
 enum schannel_position {
        DCERPC_SCHANNEL_STATE_START = 0,
@@ -28,10 +30,9 @@ enum schannel_position {
 };
 
 struct dcerpc_schannel_state {
-       TALLOC_CTX *mem_ctx;
        enum schannel_position state;
        struct schannel_state *schannel_state;
-       struct creds_CredentialState creds;
+       struct creds_CredentialState *creds;
        char *account_name;
 };
 
@@ -40,7 +41,7 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
                                    const char *username,
                                    const char *password,
                                    int chan_type,
-                                   uint8_t new_session_key[16]);
+                                   struct creds_CredentialState *creds);
 
 /*
   wrappers for the schannel_*() functions
@@ -92,6 +93,11 @@ static NTSTATUS dcerpc_schannel_sign_packet(struct gensec_security *gensec_secur
        return schannel_sign_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
 }
 
+static size_t dcerpc_schannel_sig_size(struct gensec_security *gensec_security)
+{
+       return 32;
+}
+
 static NTSTATUS dcerpc_schannel_session_key(struct gensec_security *gensec_security, 
                                            DATA_BLOB *session_key)
 {
@@ -115,6 +121,15 @@ static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security,
                        return NT_STATUS_OK;
                }
                
+               status = schannel_start(&dce_schan_state->schannel_state, 
+                                       dce_schan_state->creds->session_key,
+                                       True);
+               if (!NT_STATUS_IS_OK(status)) {
+                       DEBUG(1, ("Failed to start schannel client\n"));
+                       return status;
+               }
+               talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
+       
                bind_schannel.unknown1 = 0;
 #if 0
                /* to support this we'd need to have access to the full domain name */
@@ -168,16 +183,17 @@ static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security,
                        return status;
                }
 
-               dce_schan_state->account_name = talloc_strdup(dce_schan_state->mem_ctx, account_name);
+               dce_schan_state->account_name = talloc_strdup(dce_schan_state, account_name);
                
                /* start up the schannel server code */
                status = schannel_start(&dce_schan_state->schannel_state, 
-                                       dce_schan_state->creds.session_key, False);
+                                       dce_schan_state->creds->session_key, False);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(3, ("Could not initialise schannel state for account %s: %s\n",
                                  account_name, nt_errstr(status)));
                        return status;
                }
+               talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
                
                bind_schannel_ack.unknown1 = 1;
                bind_schannel_ack.unknown2 = 0;
@@ -212,25 +228,18 @@ NTSTATUS dcerpc_schannel_session_info(struct gensec_security *gensec_security,
                                      struct auth_session_info **session_info)
 { 
        struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
-       TALLOC_CTX *mem_ctx;
-       mem_ctx = talloc_init("dcerpc_schannel_start");
-       if (!mem_ctx) {
-               return NT_STATUS_NO_MEMORY;
-       }
 
-       (*session_info) = talloc_p(mem_ctx, struct auth_session_info);
+       (*session_info) = talloc_p(gensec_security, struct auth_session_info);
        if (*session_info == NULL) {
-               talloc_destroy(mem_ctx);
                return NT_STATUS_NO_MEMORY;
        }
 
        ZERO_STRUCTP(*session_info);
-       (*session_info)->mem_ctx = mem_ctx;
        (*session_info)->refcount = 1;
        
-       (*session_info)->workstation = talloc_strdup(mem_ctx, dce_schan_state->account_name);
+       (*session_info)->workstation = talloc_strdup(*session_info, dce_schan_state->account_name);
        if ((*session_info)->workstation == NULL) {
-               talloc_destroy(mem_ctx);
+               talloc_free(*session_info);
                return NT_STATUS_NO_MEMORY;
        }
        return NT_STATUS_OK;
@@ -249,36 +258,43 @@ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
 { 
        struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
 
-       *creds = talloc_p(mem_ctx, struct creds_CredentialState);
+       *creds = talloc_reference(mem_ctx, dce_schan_state->creds);
        if (!*creds) {
                return NT_STATUS_NO_MEMORY;
        }
-
-       **creds = dce_schan_state->creds;
        return NT_STATUS_OK;
 }
                
 
+/*
+  end crypto state
+*/
+static int dcerpc_schannel_destroy(void *ptr)
+{
+       struct dcerpc_schannel_state *dce_schan_state = ptr;
+
+       schannel_end(&dce_schan_state->schannel_state);
+
+       return 0;
+}
+
 static NTSTATUS dcerpc_schannel_start(struct gensec_security *gensec_security)
 {
        struct dcerpc_schannel_state *dce_schan_state;
-       TALLOC_CTX *mem_ctx;
-       mem_ctx = talloc_init("dcerpc_schannel_start");
-       if (!mem_ctx) {
-               return NT_STATUS_NO_MEMORY;
-       }
 
-       dce_schan_state = talloc_p(mem_ctx, struct dcerpc_schannel_state);
+       dce_schan_state = talloc_p(gensec_security, struct dcerpc_schannel_state);
        if (!dce_schan_state) {
-               talloc_destroy(mem_ctx);
                return NT_STATUS_NO_MEMORY;
        }
 
-       dce_schan_state->mem_ctx = mem_ctx;
        dce_schan_state->state = DCERPC_SCHANNEL_STATE_START;
-       
-
        gensec_security->private_data = dce_schan_state;
+       gensec_security->have_features = 
+               GENSEC_FEATURE_SESSION_KEY | 
+               GENSEC_FEATURE_SIGN | 
+               GENSEC_FEATURE_SEAL;
+
+       talloc_set_destructor(dce_schan_state, dcerpc_schannel_destroy);
        
        return NT_STATUS_OK;
 }
@@ -288,50 +304,25 @@ static NTSTATUS dcerpc_schannel_server_start(struct gensec_security *gensec_secu
        NTSTATUS status;
 
        status = dcerpc_schannel_start(gensec_security);
-
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
+
        return NT_STATUS_OK;
 }
 
 static NTSTATUS dcerpc_schannel_client_start(struct gensec_security *gensec_security) 
 {
        NTSTATUS status;
-       struct dcerpc_schannel_state *dce_schan_state;
 
        status = dcerpc_schannel_start(gensec_security);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
-       dce_schan_state = gensec_security->private_data;
-
-       status = schannel_start(&dce_schan_state->schannel_state, 
-                               gensec_security->user.schan_session_key, 
-                               True);
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Failed to start schannel client\n"));
-               return status;
-       }
 
-       dump_data_pw("session key:\n", dce_schan_state->schannel_state->session_key, 16);
        return NT_STATUS_OK;
 }
 
-/*
-  end crypto state
-*/
-static void dcerpc_schannel_end(struct gensec_security *gensec_security)
-{
-       struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
-
-       schannel_end(&dce_schan_state->schannel_state);
-
-       talloc_destroy(dce_schan_state->mem_ctx);
-
-       gensec_security->private_data = NULL;
-}
-
 
 /*
   get a schannel key using a netlogon challenge on a secondary pipe
@@ -341,7 +332,7 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
                                    const char *username,
                                    const char *password,
                                    int chan_type,
-                                   uint8_t new_session_key[16])
+                                   struct creds_CredentialState *creds)
 {
        NTSTATUS status;
        struct dcerpc_pipe *p2;
@@ -349,7 +340,6 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
        struct netr_ServerAuthenticate2 a;
        struct netr_Credential credentials1, credentials2, credentials3;
        struct samr_Password mach_pwd;
-       struct creds_CredentialState creds;
        const char *workgroup, *workstation;
        uint32_t negotiate_flags;
 
@@ -369,6 +359,9 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
                                             DCERPC_NETLOGON_NAME, 
                                             DCERPC_NETLOGON_UUID, 
                                             DCERPC_NETLOGON_VERSION);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
 
 
        /*
@@ -390,7 +383,7 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
          step 3 - authenticate on the netlogon pipe
        */
        E_md4hash(password, mach_pwd.hash);
-       creds_client_init(&creds, &credentials1, &credentials2, &mach_pwd, &credentials3,
+       creds_client_init(creds, &credentials1, &credentials2, &mach_pwd, &credentials3,
                          negotiate_flags);
 
        a.in.server_name = r.in.server_name;
@@ -407,7 +400,7 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
                return status;
        }
 
-       if (!creds_client_check(&creds, a.out.credentials)) {
+       if (!creds_client_check(creds, a.out.credentials)) {
                return NT_STATUS_UNSUCCESSFUL;
        }
 
@@ -418,8 +411,6 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
        */
        dcerpc_pipe_close(p2);
 
-       memcpy(new_session_key, creds.session_key, 16);
-
        return NT_STATUS_OK;
 }
 
@@ -427,50 +418,34 @@ static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
   do a schannel style bind on a dcerpc pipe. The username is usually
   of the form HOSTNAME$ and the password is the domain trust password
 */
-NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
-                                  const char *uuid, uint_t version,
-                                  const char *domain,
-                                  const char *username,
-                                  const char *password)
+NTSTATUS dcerpc_bind_auth_schannel_withkey(struct dcerpc_pipe *p,
+                                          const char *uuid, uint_t version,
+                                          const char *domain,
+                                          const char *username,
+                                          const char *password,
+                                          struct creds_CredentialState *creds)
 {
        NTSTATUS status;
-       int chan_type = 0;
+       struct dcerpc_schannel_state *dce_schan_state;
 
        status = gensec_client_start(p, &p->security_state.generic_state);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
 
-       if (p->flags & DCERPC_SCHANNEL_BDC) {
-               chan_type = SEC_CHAN_BDC;
-       } else if (p->flags & DCERPC_SCHANNEL_WORKSTATION) {
-               chan_type = SEC_CHAN_WKSTA;
-       } else if (p->flags & DCERPC_SCHANNEL_DOMAIN) {
-               chan_type = SEC_CHAN_DOMAIN;
-       }
-
-       status = dcerpc_schannel_key(p, domain, 
-                                    username,
-                                    password, 
-                                    chan_type, 
-                                    p->security_state.generic_state->user.schan_session_key);
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Failed to fetch schannel session key: %s\n", nt_errstr(status)));
-               gensec_end(&p->security_state.generic_state);
-               return status;
-       }
-       
        status = gensec_set_username(p->security_state.generic_state, username);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to set schannel username to %s: %s\n", username, nt_errstr(status)));
-               gensec_end(&p->security_state.generic_state);
+               talloc_free(p->security_state.generic_state);
+               p->security_state.generic_state = NULL;
                return status;
        }
        
        status = gensec_set_domain(p->security_state.generic_state, domain);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to set schannel domain to %s: %s\n", domain, nt_errstr(status)));
-               gensec_end(&p->security_state.generic_state);
+               talloc_free(p->security_state.generic_state);
+               p->security_state.generic_state = NULL;
                return status;
        }
        
@@ -478,22 +453,65 @@ NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
 
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to start SCHANNEL GENSEC backend: %s\n", nt_errstr(status)));
-               gensec_end(&p->security_state.generic_state);
+               talloc_free(p->security_state.generic_state);
+               p->security_state.generic_state = NULL;
                return status;
        }
 
+       dce_schan_state = p->security_state.generic_state->private_data;
+       dce_schan_state->creds = talloc_reference(dce_schan_state, creds);
+
        status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p),
                                  uuid, version);
 
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to bind to pipe with SCHANNEL: %s\n", nt_errstr(status)));
-               gensec_end(&p->security_state.generic_state);
+               talloc_free(p->security_state.generic_state);
+               p->security_state.generic_state = NULL;
                return status;
        }
 
        return NT_STATUS_OK;
 }
 
+NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
+                                  const char *uuid, uint_t version,
+                                  const char *domain,
+                                  const char *username,
+                                  const char *password)
+{
+       NTSTATUS status;
+       int chan_type = 0;
+       struct creds_CredentialState *creds;
+       creds = talloc_p(p, struct creds_CredentialState);
+       if (!creds) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       if (p->flags & DCERPC_SCHANNEL_BDC) {
+               chan_type = SEC_CHAN_BDC;
+       } else if (p->flags & DCERPC_SCHANNEL_WORKSTATION) {
+               chan_type = SEC_CHAN_WKSTA;
+       } else if (p->flags & DCERPC_SCHANNEL_DOMAIN) {
+               chan_type = SEC_CHAN_DOMAIN;
+       }
+
+       status = dcerpc_schannel_key(p, domain, 
+                                    username,
+                                    password, 
+                                    chan_type,
+                                    creds);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Failed to fetch schannel session key: %s\n",
+                         nt_errstr(status)));
+               return status;
+       }
+
+       return dcerpc_bind_auth_schannel_withkey(p, uuid, version, domain,
+                                                username, password,
+                                                creds);
+}
 
 static const struct gensec_security_ops gensec_dcerpc_schannel_security_ops = {
        .name           = "dcerpc_schannel",
@@ -507,13 +525,13 @@ static const struct gensec_security_ops gensec_dcerpc_schannel_security_ops = {
        .unseal_packet  = dcerpc_schannel_unseal_packet,
        .session_key    = dcerpc_schannel_session_key,
        .session_info   = dcerpc_schannel_session_info,
-       .end            = dcerpc_schannel_end
+       .sig_size       = dcerpc_schannel_sig_size,
 };
 
 NTSTATUS gensec_dcerpc_schannel_init(void)
 {
        NTSTATUS ret;
-       ret = register_backend("gensec", &gensec_dcerpc_schannel_security_ops);
+       ret = gensec_register(&gensec_dcerpc_schannel_security_ops);
        if (!NT_STATUS_IS_OK(ret)) {
                DEBUG(0,("Failed to register '%s' gensec backend!\n",
                        gensec_dcerpc_schannel_security_ops.name));
Samba Shared Repository