source4/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Rafal Szczesniak 2006
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "auth/auth.h"
  26 #include "libcli/composite/composite.h"
  27 #include "libcli/auth/libcli_auth.h"
  28 #include "librpc/gen_ndr/ndr_netlogon.h"
  29 #include "librpc/gen_ndr/ndr_netlogon_c.h"
  30 #include "auth/credentials/credentials.h"
  31
  32 struct schannel_key_state {
  33         struct dcerpc_pipe *pipe;
  34         struct dcerpc_pipe *pipe2;
  35         struct dcerpc_binding *binding;
  36         struct cli_credentials *credentials;
  37         struct creds_CredentialState *creds;
  38         uint32_t negotiate_flags;
  39         struct netr_Credential credentials1;
  40         struct netr_Credential credentials2;
  41         struct netr_Credential credentials3;
  42         struct netr_ServerReqChallenge r;
  43         struct netr_ServerAuthenticate2 a;
  44         const struct samr_Password *mach_pwd;
  45 };
  46
  47
  48 static void continue_secondary_connection(struct composite_context *ctx);
  49 static void continue_bind_auth_none(struct composite_context *ctx);
  50 static void continue_srv_challenge(struct rpc_request *req);
  51 static void continue_srv_auth2(struct rpc_request *req);
  52
  53
  54 /*
  55   Stage 2 of schannel_key: Receive endpoint mapping and request secondary
  56   rpc connection
  57 */
  58 static void continue_epm_map_binding(struct composite_context *ctx)
  59 {
  60         struct composite_context *c;
  61         struct schannel_key_state *s;
  62         struct composite_context *sec_conn_req;
  63
  64         c = talloc_get_type(ctx->async.private_data, struct composite_context);
  65         s = talloc_get_type(c->private_data, struct schannel_key_state);
  66
  67         /* receive endpoint mapping */
  68         c->status = dcerpc_epm_map_binding_recv(ctx);
  69         if (!NT_STATUS_IS_OK(c->status)) {
  70                 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
  71                          DCERPC_NETLOGON_UUID, nt_errstr(c->status)));
  72                 composite_error(c, c->status);
  73                 return;
  74         }
  75
  76         /* send a request for secondary rpc connection */
  77         sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
  78                                                         s->binding);
  79         if (composite_nomem(sec_conn_req, c)) return;
  80
  81         composite_continue(c, sec_conn_req, continue_secondary_connection, c);
  82 }
  83
  84
  85 /*
  86   Stage 3 of schannel_key: Receive secondary rpc connection and perform
  87   non-authenticated bind request
  88 */
  89 static void continue_secondary_connection(struct composite_context *ctx)
  90 {
  91         struct composite_context *c;
  92         struct schannel_key_state *s;
  93         struct composite_context *auth_none_req;
  94
  95         c = talloc_get_type(ctx->async.private_data, struct composite_context);
  96         s = talloc_get_type(c->private_data, struct schannel_key_state);
  97
  98         /* receive secondary rpc connection */
  99         c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
 100         if (!composite_is_ok(c)) return;
 101
 102         talloc_steal(s, s->pipe2);
 103
 104         /* initiate a non-authenticated bind */
 105         auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &dcerpc_table_netlogon);
 106         if (composite_nomem(auth_none_req, c)) return;
 107
 108         composite_continue(c, auth_none_req, continue_bind_auth_none, c);
 109 }
 110
 111
 112 /*
 113   Stage 4 of schannel_key: Receive non-authenticated bind and get
 114   a netlogon challenge
 115 */
 116 static void continue_bind_auth_none(struct composite_context *ctx)
 117 {
 118         struct composite_context *c;
 119         struct schannel_key_state *s;
 120         struct rpc_request *srv_challenge_req;
 121
 122         c = talloc_get_type(ctx->async.private_data, struct composite_context);
 123         s = talloc_get_type(c->private_data, struct schannel_key_state);
 124
 125         /* receive result of non-authenticated bind request */
 126         c->status = dcerpc_bind_auth_none_recv(ctx);
 127         if (!composite_is_ok(c)) return;
 128
 129         /* prepare a challenge request */
 130         s->r.in.server_name   = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
 131         if (composite_nomem(s->r.in.server_name, c)) return;
 132         s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
 133         s->r.in.credentials   = &s->credentials1;
 134         s->r.out.credentials  = &s->credentials2;
 135
 136         generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
 137
 138         /*
 139           request a netlogon challenge - a rpc request over opened secondary pipe
 140         */
 141         srv_challenge_req = dcerpc_netr_ServerReqChallenge_send(s->pipe2, c, &s->r);
 142         if (composite_nomem(srv_challenge_req, c)) return;
 143
 144         composite_continue_rpc(c, srv_challenge_req, continue_srv_challenge, c);
 145 }
 146
 147
 148 /*
 149   Stage 5 of schannel_key: Receive a challenge and perform authentication
 150   on the netlogon pipe
 151 */
 152 static void continue_srv_challenge(struct rpc_request *req)
 153 {
 154         struct composite_context *c;
 155         struct schannel_key_state *s;
 156         struct rpc_request *srv_auth2_req;
 157
 158         c = talloc_get_type(req->async.private_data, struct composite_context);
 159         s = talloc_get_type(c->private_data, struct schannel_key_state);
 160
 161         /* receive rpc request result - netlogon challenge */
 162         c->status = dcerpc_ndr_request_recv(req);
 163         if (!composite_is_ok(c)) return;
 164
 165         /* prepare credentials for auth2 request */
 166         s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
 167
 168         creds_client_init(s->creds, &s->credentials1, &s->credentials2,
 169                           s->mach_pwd, &s->credentials3, s->negotiate_flags);
 170
 171         /* auth2 request arguments */
 172         s->a.in.server_name      = s->r.in.server_name;
 173         s->a.in.account_name     = cli_credentials_get_username(s->credentials);
 174         s->a.in.secure_channel_type =
 175                 cli_credentials_get_secure_channel_type(s->credentials);
 176         s->a.in.computer_name    = cli_credentials_get_workstation(s->credentials);
 177         s->a.in.negotiate_flags  = &s->negotiate_flags;
 178         s->a.in.credentials      = &s->credentials3;
 179         s->a.out.negotiate_flags = &s->negotiate_flags;
 180         s->a.out.credentials     = &s->credentials3;
 181
 182         /*
 183           authenticate on the netlogon pipe - a rpc request over secondary pipe
 184         */
 185         srv_auth2_req = dcerpc_netr_ServerAuthenticate2_send(s->pipe2, c, &s->a);
 186         if (composite_nomem(srv_auth2_req, c)) return;
 187
 188         composite_continue_rpc(c, srv_auth2_req, continue_srv_auth2, c);
 189 }
 190
 191
 192 /*
 193   Stage 6 of schannel_key: Receive authentication request result and verify
 194   received credentials
 195 */
 196 static void continue_srv_auth2(struct rpc_request *req)
 197 {
 198         struct composite_context *c;
 199         struct schannel_key_state *s;
 200
 201         c = talloc_get_type(req->async.private_data, struct composite_context);
 202         s = talloc_get_type(c->private_data, struct schannel_key_state);
 203
 204         /* receive rpc request result - auth2 credentials */
 205         c->status = dcerpc_ndr_request_recv(req);
 206         if (!composite_is_ok(c)) return;
 207
 208         /* verify credentials */
 209         if (!creds_client_check(s->creds, s->a.out.credentials)) {
 210                 composite_error(c, NT_STATUS_UNSUCCESSFUL);
 211                 return;
 212         }
 213
 214         /* setup current netlogon credentials */
 215         cli_credentials_set_netlogon_creds(s->credentials, s->creds);
 216
 217         composite_done(c);
 218 }
 219
 220
 221 /*
 222   Initiate establishing a schannel key using netlogon challenge
 223   on a secondary pipe
 224 */
 225 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 226                                                    struct dcerpc_pipe *p,
 227                                                    struct cli_credentials *credentials)
 228 {
 229         struct composite_context *c;
 230         struct schannel_key_state *s;
 231         struct composite_context *epm_map_req;
 232
 233         /* composite context allocation and setup */
 234         c = composite_create(mem_ctx, p->conn->event_ctx);
 235         if (c == NULL) return NULL;
 236
 237         s = talloc_zero(c, struct schannel_key_state);
 238         if (composite_nomem(s, c)) return c;
 239         c->private_data = s;
 240
 241         /* store parameters in the state structure */
 242         s->pipe        = p;
 243         s->credentials = credentials;
 244
 245         /* allocate credentials */
 246         s->creds = talloc(c, struct creds_CredentialState);
 247         if (composite_nomem(s->creds, c)) return c;
 248
 249         /* type of authentication depends on schannel type */
 250         if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
 251                 s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 252         } else {
 253                 s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
 254         }
 255
 256         /* allocate binding structure */
 257         s->binding = talloc(c, struct dcerpc_binding);
 258         if (composite_nomem(s->binding, c)) return c;
 259
 260         *s->binding = *s->pipe->binding;
 261
 262         /* request the netlogon endpoint mapping */
 263         epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
 264                                                   &dcerpc_table_netlogon,
 265                                                   s->pipe->conn->event_ctx);
 266         if (composite_nomem(epm_map_req, c)) return c;
 267
 268         composite_continue(c, epm_map_req, continue_epm_map_binding, c);
 269         return c;
 270 }
 271
 272
 273 /*
 274   Receive result of schannel key request
 275  */
 276 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
 277 {
 278         NTSTATUS status = composite_wait(c);
 279
 280         talloc_free(c);
 281         return status;
 282 }
 283
 284
 285 struct auth_schannel_state {
 286         struct dcerpc_pipe *pipe;
 287         struct cli_credentials *credentials;
 288         const struct dcerpc_interface_table *table;
 289         uint8_t auth_level;
 290 };
 291
 292
 293 static void continue_bind_auth(struct composite_context *ctx);
 294
 295
 296 /*
 297   Stage 2 of auth_schannel: Receive schannel key and intitiate an
 298   authenticated bind using received credentials
 299  */
 300 static void continue_schannel_key(struct composite_context *ctx)
 301 {
 302         struct composite_context *auth_req;
 303         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 304                                                       struct composite_context);
 305         struct auth_schannel_state *s = talloc_get_type(c->private_data,
 306                                                         struct auth_schannel_state);
 307
 308         /* receive schannel key */
 309         c->status = dcerpc_schannel_key_recv(ctx);
 310         if (!composite_is_ok(c)) {
 311                 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
 312                           cli_credentials_get_username(s->credentials), nt_errstr(c->status)));
 313                 return;
 314         }
 315
 316         /* send bind auth request with received creds */
 317         auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
 318                                          DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
 319                                          NULL);
 320         if (composite_nomem(auth_req, c)) return;
 321
 322         composite_continue(c, auth_req, continue_bind_auth, c);
 323 }
 324
 325
 326 /*
 327   Stage 3 of auth_schannel: Receivce result of authenticated bind
 328   and say if we're done ok.
 329 */
 330 static void continue_bind_auth(struct composite_context *ctx)
 331 {
 332         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 333                                                       struct composite_context);
 334
 335         c->status = dcerpc_bind_auth_recv(ctx);
 336         if (!composite_is_ok(c)) return;
 337
 338         composite_done(c);
 339 }
 340
 341
 342 /*
 343   Initiate schannel authentication request
 344 */
 345 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
 346                                                          struct dcerpc_pipe *p,
 347                                                          const struct dcerpc_interface_table *table,
 348                                                          struct cli_credentials *credentials,
 349                                                          uint8_t auth_level)
 350 {
 351         struct composite_context *c;
 352         struct auth_schannel_state *s;
 353         struct composite_context *schan_key_req;
 354
 355         /* composite context allocation and setup */
 356         c = composite_create(tmp_ctx, p->conn->event_ctx);
 357         if (c == NULL) return NULL;
 358
 359         s = talloc_zero(c, struct auth_schannel_state);
 360         if (composite_nomem(s, c)) return c;
 361         c->private_data = s;
 362
 363         /* store parameters in the state structure */
 364         s->pipe        = p;
 365         s->credentials = credentials;
 366         s->table       = table;
 367         s->auth_level  = auth_level;
 368
 369         /* start getting schannel key first */
 370         schan_key_req = dcerpc_schannel_key_send(c, p, credentials);
 371         if (composite_nomem(schan_key_req, c)) return c;
 372
 373         composite_continue(c, schan_key_req, continue_schannel_key, c);
 374         return c;
 375 }
 376
 377
 378 /*
 379   Receive result of schannel authentication request
 380 */
 381 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
 382 {
 383         NTSTATUS status = composite_wait(c);
 384
 385         talloc_free(c);
 386         return status;
 387 }
 388
 389
 390 /*
 391   Perform schannel authenticated bind - sync version
 392  */
 393 NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
 394                                    struct dcerpc_pipe *p,
 395                                    const struct dcerpc_interface_table *table,
 396                                    struct cli_credentials *credentials,
 397                                    uint8_t auth_level)
 398 {
 399         struct composite_context *c;
 400
 401         c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials,
 402                                            auth_level);
 403         return dcerpc_bind_auth_schannel_recv(c);
 404 }