source/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "librpc/gen_ndr/ndr_schannel.h"
  25 #include "auth/auth.h"
  26
  27 enum schannel_position {
  28         DCERPC_SCHANNEL_STATE_START = 0,
  29         DCERPC_SCHANNEL_STATE_UPDATE_1
  30 };
  31
  32 struct dcerpc_schannel_state {
  33         enum schannel_position state;
  34         struct schannel_state *schannel_state;
  35         struct creds_CredentialState *creds;
  36 };
  37
  38 /*
  39   wrappers for the schannel_*() functions
  40
  41   These will become static again, when we get dynamic registration, and
  42   decrpc_schannel_security_ops come back here.
  43 */
  44 static NTSTATUS dcerpc_schannel_unseal_packet(struct gensec_security *gensec_security,
  45                                               TALLOC_CTX *mem_ctx,
  46                                               uint8_t *data, size_t length,
  47                                               const uint8_t *whole_pdu, size_t pdu_length,
  48                                               DATA_BLOB *sig)
  49 {
  50         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
  51
  52         return schannel_unseal_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
  53 }
  54
  55 static NTSTATUS dcerpc_schannel_check_packet(struct gensec_security *gensec_security,
  56                                              TALLOC_CTX *mem_ctx,
  57                                              const uint8_t *data, size_t length,
  58                                              const uint8_t *whole_pdu, size_t pdu_length,
  59                                              const DATA_BLOB *sig)
  60 {
  61         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
  62
  63         return schannel_check_packet(dce_schan_state->schannel_state, data, length, sig);
  64 }
  65
  66 static NTSTATUS dcerpc_schannel_seal_packet(struct gensec_security *gensec_security,
  67                                             TALLOC_CTX *mem_ctx,
  68                                             uint8_t *data, size_t length,
  69                                             const uint8_t *whole_pdu, size_t pdu_length,
  70                                             DATA_BLOB *sig)
  71 {
  72         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
  73
  74         return schannel_seal_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
  75 }
  76
  77 static NTSTATUS dcerpc_schannel_sign_packet(struct gensec_security *gensec_security,
  78                                             TALLOC_CTX *mem_ctx,
  79                                             const uint8_t *data, size_t length,
  80                                             const uint8_t *whole_pdu, size_t pdu_length,
  81                                             DATA_BLOB *sig)
  82 {
  83         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
  84
  85         return schannel_sign_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
  86 }
  87
  88 static size_t dcerpc_schannel_sig_size(struct gensec_security *gensec_security)
  89 {
  90         return 32;
  91 }
  92
  93 static NTSTATUS dcerpc_schannel_session_key(struct gensec_security *gensec_security,
  94                                             DATA_BLOB *session_key)
  95 {
  96         return NT_STATUS_NOT_IMPLEMENTED;
  97 }
  98
  99 static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
 100                                        const DATA_BLOB in, DATA_BLOB *out)
 101 {
 102         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
 103         NTSTATUS status;
 104         struct schannel_bind bind_schannel;
 105         struct schannel_bind_ack bind_schannel_ack;
 106         const char *workstation;
 107         const char *domain;
 108         *out = data_blob(NULL, 0);
 109
 110         switch (gensec_security->gensec_role) {
 111         case GENSEC_CLIENT:
 112                 if (dce_schan_state->state != DCERPC_SCHANNEL_STATE_START) {
 113                         /* we could parse the bind ack, but we don't know what it is yet */
 114                         return NT_STATUS_OK;
 115                 }
 116
 117                 status = schannel_start(dce_schan_state,
 118                                         &dce_schan_state->schannel_state,
 119                                         dce_schan_state->creds->session_key,
 120                                         True);
 121                 if (!NT_STATUS_IS_OK(status)) {
 122                         DEBUG(1, ("Failed to start schannel client\n"));
 123                         return status;
 124                 }
 125                 talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
 126
 127                 bind_schannel.unknown1 = 0;
 128 #if 0
 129                 /* to support this we'd need to have access to the full domain name */
 130                 bind_schannel.bind_type = 23;
 131                 bind_schannel.u.info23.domain = gensec_security->user.domain;
 132                 bind_schannel.u.info23.account_name = gensec_security->user.name;
 133                 bind_schannel.u.info23.dnsdomain = str_format_nbt_domain(out_mem_ctx, fulldomainname);
 134                 bind_schannel.u.info23.workstation = str_format_nbt_domain(out_mem_ctx, gensec_get_workstation(gensec_security));
 135 #else
 136                 bind_schannel.bind_type = 3;
 137                 bind_schannel.u.info3.domain = gensec_security->user.domain;
 138                 bind_schannel.u.info3.workstation = gensec_get_workstation(gensec_security);
 139 #endif
 140
 141                 status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
 142                                               (ndr_push_flags_fn_t)ndr_push_schannel_bind);
 143                 if (!NT_STATUS_IS_OK(status)) {
 144                         DEBUG(3, ("Could not create schannel bind: %s\n",
 145                                   nt_errstr(status)));
 146                         return status;
 147                 }
 148
 149                 dce_schan_state->state = DCERPC_SCHANNEL_STATE_UPDATE_1;
 150
 151                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 152         case GENSEC_SERVER:
 153
 154                 if (dce_schan_state->state != DCERPC_SCHANNEL_STATE_START) {
 155                         /* no third leg on this protocol */
 156                         return NT_STATUS_INVALID_PARAMETER;
 157                 }
 158
 159                 /* parse the schannel startup blob */
 160                 status = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
 161                                               (ndr_pull_flags_fn_t)ndr_pull_schannel_bind);
 162                 if (!NT_STATUS_IS_OK(status)) {
 163                         return status;
 164                 }
 165
 166                 if (bind_schannel.bind_type == 23) {
 167                         workstation = bind_schannel.u.info23.workstation;
 168                         domain = bind_schannel.u.info23.domain;
 169                 } else {
 170                         workstation = bind_schannel.u.info3.workstation;
 171                         domain = bind_schannel.u.info3.domain;
 172                 }
 173
 174                 /* pull the session key for this client */
 175                 status = schannel_fetch_session_key(out_mem_ctx, workstation,
 176                                                     domain, &dce_schan_state->creds);
 177                 if (!NT_STATUS_IS_OK(status)) {
 178                         DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
 179                                   workstation, nt_errstr(status)));
 180                         return status;
 181                 }
 182
 183                 /* start up the schannel server code */
 184                 status = schannel_start(dce_schan_state,
 185                                         &dce_schan_state->schannel_state,
 186                                         dce_schan_state->creds->session_key, False);
 187                 if (!NT_STATUS_IS_OK(status)) {
 188                         DEBUG(3, ("Could not initialise schannel state from client %s: %s\n",
 189                                   workstation, nt_errstr(status)));
 190                         return status;
 191                 }
 192                 talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
 193
 194                 bind_schannel_ack.unknown1 = 1;
 195                 bind_schannel_ack.unknown2 = 0;
 196                 bind_schannel_ack.unknown3 = 0x6c0000;
 197
 198                 status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
 199                                               (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack);
 200                 if (!NT_STATUS_IS_OK(status)) {
 201                         DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
 202                                   workstation, nt_errstr(status)));
 203                         return status;
 204                 }
 205
 206                 dce_schan_state->state = DCERPC_SCHANNEL_STATE_UPDATE_1;
 207
 208                 return NT_STATUS_OK;
 209         }
 210         return NT_STATUS_INVALID_PARAMETER;
 211 }
 212
 213 /**
 214  * Return the credentials of a logged on user, including session keys
 215  * etc.
 216  *
 217  * Only valid after a successful authentication
 218  *
 219  * May only be called once per authentication.
 220  *
 221  */
 222
 223 NTSTATUS dcerpc_schannel_session_info(struct gensec_security *gensec_security,
 224                                       struct auth_session_info **session_info)
 225 {
 226         (*session_info) = talloc(gensec_security, struct auth_session_info);
 227         NT_STATUS_HAVE_NO_MEMORY(*session_info);
 228
 229         ZERO_STRUCTP(*session_info);
 230
 231         return NT_STATUS_OK;
 232 }
 233
 234 /**
 235  * Return the struct creds_CredentialState.
 236  *
 237  * Make sure not to call this unless gensec is using schannel...
 238  */
 239
 240 NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
 241                                TALLOC_CTX *mem_ctx,
 242                                struct creds_CredentialState **creds)
 243 {
 244         struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
 245
 246         *creds = talloc_reference(mem_ctx, dce_schan_state->creds);
 247         if (!*creds) {
 248                 return NT_STATUS_NO_MEMORY;
 249         }
 250         return NT_STATUS_OK;
 251 }
 252
 253
 254 static NTSTATUS dcerpc_schannel_start(struct gensec_security *gensec_security)
 255 {
 256         struct dcerpc_schannel_state *dce_schan_state;
 257
 258         dce_schan_state = talloc(gensec_security, struct dcerpc_schannel_state);
 259         if (!dce_schan_state) {
 260                 return NT_STATUS_NO_MEMORY;
 261         }
 262
 263         dce_schan_state->state = DCERPC_SCHANNEL_STATE_START;
 264         gensec_security->private_data = dce_schan_state;
 265
 266         return NT_STATUS_OK;
 267 }
 268
 269 static NTSTATUS dcerpc_schannel_server_start(struct gensec_security *gensec_security)
 270 {
 271         NTSTATUS status;
 272
 273         status = dcerpc_schannel_start(gensec_security);
 274         if (!NT_STATUS_IS_OK(status)) {
 275                 return status;
 276         }
 277
 278         return NT_STATUS_OK;
 279 }
 280
 281 static NTSTATUS dcerpc_schannel_client_start(struct gensec_security *gensec_security)
 282 {
 283         NTSTATUS status;
 284
 285         status = dcerpc_schannel_start(gensec_security);
 286         if (!NT_STATUS_IS_OK(status)) {
 287                 return status;
 288         }
 289
 290         return NT_STATUS_OK;
 291 }
 292
 293
 294 /*
 295   get a schannel key using a netlogon challenge on a secondary pipe
 296 */
 297 static NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
 298                                                                         struct cli_credentials *credentials,
 299                                     int chan_type,
 300                                     struct creds_CredentialState *creds)
 301 {
 302         NTSTATUS status;
 303         struct dcerpc_binding *b;
 304         struct dcerpc_pipe *p2;
 305         struct netr_ServerReqChallenge r;
 306         struct netr_ServerAuthenticate2 a;
 307         struct netr_Credential credentials1, credentials2, credentials3;
 308         struct samr_Password mach_pwd;
 309         const char *workgroup;
 310         uint32_t negotiate_flags;
 311         TALLOC_CTX *tmp_ctx;
 312
 313         if (p->conn->flags & DCERPC_SCHANNEL_128) {
 314                 negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 315         } else {
 316                 negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
 317         }
 318
 319         workgroup = cli_credentials_get_domain(credentials);
 320
 321         tmp_ctx = talloc_new(NULL);
 322
 323         /*
 324           step 1 - establish a netlogon connection, with no authentication
 325         */
 326
 327         /* Find the original binding string */
 328         status = dcerpc_parse_binding(tmp_ctx, p->conn->binding_string, &b);
 329         if (!NT_STATUS_IS_OK(status)) {
 330                 DEBUG(0,("Failed to parse dcerpc binding '%s'\n", p->conn->binding_string));
 331                 talloc_free(tmp_ctx);
 332                 return status;
 333         }
 334
 335         /* Make binding string for netlogon, not the other pipe */
 336         status = dcerpc_epm_map_binding(tmp_ctx, b, DCERPC_NETLOGON_UUID, DCERPC_NETLOGON_VERSION);
 337         if (!NT_STATUS_IS_OK(status)) {
 338                 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
 339                          DCERPC_NETLOGON_UUID, nt_errstr(status)));
 340                 talloc_free(p);
 341                 return status;
 342         }
 343
 344         status = dcerpc_secondary_connection(p, &p2, b);
 345         if (!NT_STATUS_IS_OK(status)) {
 346                 talloc_free(tmp_ctx);
 347                 return status;
 348         }
 349
 350         talloc_free(tmp_ctx);
 351
 352         status = dcerpc_bind_auth_none(p2, DCERPC_NETLOGON_UUID,
 353                                        DCERPC_NETLOGON_VERSION);
 354         if (!NT_STATUS_IS_OK(status)) {
 355                 talloc_free(p2);
 356                 return status;
 357         }
 358
 359         /*
 360           step 2 - request a netlogon challenge
 361         */
 362         r.in.server_name = talloc_asprintf(p, "\\\\%s", dcerpc_server_name(p));
 363         r.in.computer_name = cli_credentials_get_workstation(credentials);
 364         r.in.credentials = &credentials1;
 365         r.out.credentials = &credentials2;
 366
 367         generate_random_buffer(credentials1.data, sizeof(credentials1.data));
 368
 369         status = dcerpc_netr_ServerReqChallenge(p2, p, &r);
 370         if (!NT_STATUS_IS_OK(status)) {
 371                 return status;
 372         }
 373
 374         /*
 375           step 3 - authenticate on the netlogon pipe
 376         */
 377         E_md4hash(cli_credentials_get_password(credentials), mach_pwd.hash);
 378         creds_client_init(creds, &credentials1, &credentials2,
 379                           cli_credentials_get_workstation(credentials),
 380                           cli_credentials_get_domain(credentials),
 381                           cli_credentials_get_username(credentials),
 382                           &mach_pwd, &credentials3,
 383                           negotiate_flags);
 384
 385         a.in.server_name = r.in.server_name;
 386         a.in.account_name = cli_credentials_get_username(credentials);
 387         a.in.secure_channel_type = chan_type;
 388         a.in.computer_name = cli_credentials_get_workstation(credentials);
 389         a.in.negotiate_flags = &negotiate_flags;
 390         a.out.negotiate_flags = &negotiate_flags;
 391         a.in.credentials = &credentials3;
 392         a.out.credentials = &credentials3;
 393
 394         status = dcerpc_netr_ServerAuthenticate2(p2, p, &a);
 395         if (!NT_STATUS_IS_OK(status)) {
 396                 return status;
 397         }
 398
 399         if (!creds_client_check(creds, a.out.credentials)) {
 400                 return NT_STATUS_UNSUCCESSFUL;
 401         }
 402
 403         /*
 404           the schannel session key is now in creds.session_key
 405
 406           we no longer need the netlogon pipe open
 407         */
 408         dcerpc_pipe_close(p2);
 409
 410         return NT_STATUS_OK;
 411 }
 412
 413 /*
 414   do a schannel style bind on a dcerpc pipe. The username is usually
 415   of the form HOSTNAME$ and the password is the domain trust password
 416 */
 417 NTSTATUS dcerpc_bind_auth_schannel_withkey(struct dcerpc_pipe *p,
 418                                            const char *uuid, uint_t version,
 419                                            struct creds_CredentialState *creds)
 420 {
 421         NTSTATUS status;
 422         struct dcerpc_schannel_state *dce_schan_state;
 423
 424         status = gensec_client_start(p, &p->conn->security_state.generic_state);
 425         if (!NT_STATUS_IS_OK(status)) {
 426                 return status;
 427         }
 428
 429         status = gensec_set_workstation(p->conn->security_state.generic_state, creds->computer_name);
 430         if (!NT_STATUS_IS_OK(status)) {
 431                 DEBUG(1, ("Failed to set schannel workstation to %s: %s\n",
 432                           creds->computer_name, nt_errstr(status)));
 433                 talloc_free(p->conn->security_state.generic_state);
 434                 p->conn->security_state.generic_state = NULL;
 435                 return status;
 436         }
 437
 438         status = gensec_set_username(p->conn->security_state.generic_state, creds->account_name);
 439         if (!NT_STATUS_IS_OK(status)) {
 440                 DEBUG(1, ("Failed to set schannel username to %s: %s\n",
 441                           creds->account_name, nt_errstr(status)));
 442                 talloc_free(p->conn->security_state.generic_state);
 443                 p->conn->security_state.generic_state = NULL;
 444                 return status;
 445         }
 446
 447         status = gensec_set_domain(p->conn->security_state.generic_state, creds->domain);
 448         if (!NT_STATUS_IS_OK(status)) {
 449                 DEBUG(1, ("Failed to set schannel domain to %s: %s\n",
 450                           creds->domain, nt_errstr(status)));
 451                 talloc_free(p->conn->security_state.generic_state);
 452                 p->conn->security_state.generic_state = NULL;
 453                 return status;
 454         }
 455
 456         status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
 457                                                DCERPC_AUTH_TYPE_SCHANNEL,
 458                                                dcerpc_auth_level(p->conn));
 459
 460         if (!NT_STATUS_IS_OK(status)) {
 461                 DEBUG(1, ("Failed to start SCHANNEL GENSEC backend: %s\n", nt_errstr(status)));
 462                 talloc_free(p->conn->security_state.generic_state);
 463                 p->conn->security_state.generic_state = NULL;
 464                 return status;
 465         }
 466
 467         dce_schan_state = p->conn->security_state.generic_state->private_data;
 468         dce_schan_state->creds = talloc_reference(dce_schan_state, creds);
 469
 470         status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p->conn),
 471                                   uuid, version);
 472
 473         if (!NT_STATUS_IS_OK(status)) {
 474                 DEBUG(1, ("Failed to bind to pipe with SCHANNEL: %s\n", nt_errstr(status)));
 475                 talloc_free(p->conn->security_state.generic_state);
 476                 p->conn->security_state.generic_state = NULL;
 477                 return status;
 478         }
 479
 480         return NT_STATUS_OK;
 481 }
 482
 483 NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
 484                                    const char *uuid, uint_t version,
 485                                    struct cli_credentials *credentials)
 486 {
 487         NTSTATUS status;
 488         int chan_type = 0;
 489         struct creds_CredentialState *creds;
 490         creds = talloc(p, struct creds_CredentialState);
 491         if (!creds) {
 492                 return NT_STATUS_NO_MEMORY;
 493         }
 494
 495         if (p->conn->flags & DCERPC_SCHANNEL_BDC) {
 496                 chan_type = SEC_CHAN_BDC;
 497         } else if (p->conn->flags & DCERPC_SCHANNEL_WORKSTATION) {
 498                 chan_type = SEC_CHAN_WKSTA;
 499         } else if (p->conn->flags & DCERPC_SCHANNEL_DOMAIN) {
 500                 chan_type = SEC_CHAN_DOMAIN;
 501         }
 502
 503         status = dcerpc_schannel_key(p, credentials,
 504                                      chan_type,
 505                                      creds);
 506
 507         if (!NT_STATUS_IS_OK(status)) {
 508                 DEBUG(1, ("Failed to fetch schannel session key: %s\n",
 509                           nt_errstr(status)));
 510                 return status;
 511         }
 512
 513         return dcerpc_bind_auth_schannel_withkey(p, uuid, version, creds);
 514 }
 515
 516 static BOOL dcerpc_schannel_have_feature(struct gensec_security *gensec_security,
 517                                           uint32_t feature)
 518 {
 519         if (feature & (GENSEC_FEATURE_SESSION_KEY |
 520                        GENSEC_FEATURE_SIGN |
 521                        GENSEC_FEATURE_SEAL)) {
 522                 return True;
 523         }
 524         return False;
 525 }
 526
 527
 528 static const struct gensec_security_ops gensec_dcerpc_schannel_security_ops = {
 529         .name           = "dcerpc_schannel",
 530         .auth_type      = DCERPC_AUTH_TYPE_SCHANNEL,
 531         .client_start   = dcerpc_schannel_client_start,
 532         .server_start   = dcerpc_schannel_server_start,
 533         .update         = dcerpc_schannel_update,
 534         .seal_packet    = dcerpc_schannel_seal_packet,
 535         .sign_packet    = dcerpc_schannel_sign_packet,
 536         .check_packet   = dcerpc_schannel_check_packet,
 537         .unseal_packet  = dcerpc_schannel_unseal_packet,
 538         .session_key    = dcerpc_schannel_session_key,
 539         .session_info   = dcerpc_schannel_session_info,
 540         .sig_size       = dcerpc_schannel_sig_size,
 541         .have_feature   = dcerpc_schannel_have_feature,
 542         .enabled        = True
 543 };
 544
 545 NTSTATUS gensec_dcerpc_schannel_init(void)
 546 {
 547         NTSTATUS ret;
 548         ret = gensec_register(&gensec_dcerpc_schannel_security_ops);
 549         if (!NT_STATUS_IS_OK(ret)) {
 550                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
 551                         gensec_dcerpc_schannel_security_ops.name));
 552                 return ret;
 553         }
 554
 555         return ret;
 556 }