s3:schannel streamline interface
[ira/wip.git] / libcli / auth / schannel_state_tdb.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    module to store/fetch session keys for the schannel server
5
6    Copyright (C) Andrew Tridgell 2004
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006-2009
8    Copyright (C) Guenther Deschner 2009
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "../libcli/auth/libcli_auth.h"
26 #include "../libcli/auth/schannel_state.h"
27 #include "../librpc/gen_ndr/ndr_schannel.h"
28
29 #define SECRETS_SCHANNEL_STATE "SECRETS/SCHANNEL"
30
31 /******************************************************************************
32  Open or create the schannel session store tdb.
33 *******************************************************************************/
34
35 #define SCHANNEL_STORE_VERSION_1 1
36 #define SCHANNEL_STORE_VERSION_2 2 /* should not be used */
37 #define SCHANNEL_STORE_VERSION_CURRENT SCHANNEL_STORE_VERSION_1
38
39 static TDB_CONTEXT *open_schannel_session_store(TALLOC_CTX *mem_ctx)
40 {
41         TDB_DATA vers;
42         uint32 ver;
43         TDB_CONTEXT *tdb_sc = NULL;
44         char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", lp_private_dir());
45
46         if (!fname) {
47                 return NULL;
48         }
49
50         tdb_sc = tdb_open_log(fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
51
52         if (!tdb_sc) {
53                 DEBUG(0,("open_schannel_session_store: Failed to open %s\n", fname));
54                 TALLOC_FREE(fname);
55                 return NULL;
56         }
57
58  again:
59         vers = tdb_fetch_bystring(tdb_sc, "SCHANNEL_STORE_VERSION");
60         if (vers.dptr == NULL) {
61                 /* First opener, no version. */
62                 SIVAL(&ver,0,SCHANNEL_STORE_VERSION_CURRENT);
63                 vers.dptr = (uint8 *)&ver;
64                 vers.dsize = 4;
65                 tdb_store_bystring(tdb_sc, "SCHANNEL_STORE_VERSION", vers, TDB_REPLACE);
66                 vers.dptr = NULL;
67         } else if (vers.dsize == 4) {
68                 ver = IVAL(vers.dptr,0);
69                 if (ver == SCHANNEL_STORE_VERSION_2) {
70                         DEBUG(0,("open_schannel_session_store: wrong version number %d in %s\n",
71                                 (int)ver, fname ));
72                         tdb_wipe_all(tdb_sc);
73                         goto again;
74                 }
75                 if (ver != SCHANNEL_STORE_VERSION_CURRENT) {
76                         DEBUG(0,("open_schannel_session_store: wrong version number %d in %s\n",
77                                 (int)ver, fname ));
78                         tdb_close(tdb_sc);
79                         tdb_sc = NULL;
80                 }
81         } else {
82                 tdb_close(tdb_sc);
83                 tdb_sc = NULL;
84                 DEBUG(0,("open_schannel_session_store: wrong version number size %d in %s\n",
85                         (int)vers.dsize, fname ));
86         }
87
88         SAFE_FREE(vers.dptr);
89         TALLOC_FREE(fname);
90
91         return tdb_sc;
92 }
93
94 /********************************************************************
95  ********************************************************************/
96
97 static
98 NTSTATUS schannel_store_session_key_tdb(struct tdb_context *tdb,
99                                         TALLOC_CTX *mem_ctx,
100                                         struct netlogon_creds_CredentialState *creds)
101 {
102         enum ndr_err_code ndr_err;
103         DATA_BLOB blob;
104         TDB_DATA value;
105         int ret;
106         char *keystr;
107
108         keystr = talloc_asprintf_strupper_m(mem_ctx, "%s/%s",
109                                             SECRETS_SCHANNEL_STATE,
110                                             creds->computer_name);
111         if (!keystr) {
112                 return NT_STATUS_NO_MEMORY;
113         }
114
115         ndr_err = ndr_push_struct_blob(&blob, mem_ctx, NULL, creds,
116                         (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
117         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
118                 talloc_free(keystr);
119                 return ndr_map_error2ntstatus(ndr_err);
120         }
121
122         value.dptr = blob.data;
123         value.dsize = blob.length;
124
125         ret = tdb_store_bystring(tdb, keystr, value, TDB_REPLACE);
126         if (ret != TDB_SUCCESS) {
127                 DEBUG(0,("Unable to add %s to session key db - %s\n",
128                          keystr, tdb_errorstr(tdb)));
129                 talloc_free(keystr);
130                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
131         }
132
133         DEBUG(3,("schannel_store_session_key_tdb: stored schannel info with key %s\n",
134                 keystr));
135
136         if (DEBUGLEVEL >= 10) {
137                 NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
138         }
139
140         talloc_free(keystr);
141
142         return NT_STATUS_OK;
143 }
144
145 /********************************************************************
146  ********************************************************************/
147
148 static
149 NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb,
150                                         TALLOC_CTX *mem_ctx,
151                                         const char *computer_name,
152                                         struct netlogon_creds_CredentialState **pcreds)
153 {
154         NTSTATUS status;
155         TDB_DATA value;
156         enum ndr_err_code ndr_err;
157         DATA_BLOB blob;
158         struct netlogon_creds_CredentialState *creds = NULL;
159         char *keystr = NULL;
160
161         *pcreds = NULL;
162
163         keystr = talloc_asprintf_strupper_m(mem_ctx, "%s/%s",
164                                             SECRETS_SCHANNEL_STATE,
165                                             computer_name);
166         if (!keystr) {
167                 status = NT_STATUS_NO_MEMORY;
168                 goto done;
169         }
170
171         value = tdb_fetch_bystring(tdb, keystr);
172         if (!value.dptr) {
173                 DEBUG(0,("schannel_fetch_session_key_tdb: Failed to find entry with key %s\n",
174                         keystr ));
175                 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
176                 goto done;
177         }
178
179         creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
180         if (!creds) {
181                 status = NT_STATUS_NO_MEMORY;
182                 goto done;
183         }
184
185         blob = data_blob_const(value.dptr, value.dsize);
186
187         ndr_err = ndr_pull_struct_blob(&blob, creds, NULL, creds,
188                         (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
189         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
190                 status = ndr_map_error2ntstatus(ndr_err);
191                 goto done;
192         }
193
194         if (DEBUGLEVEL >= 10) {
195                 NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
196         }
197
198         DEBUG(3,("schannel_fetch_session_key_tdb: restored schannel info key %s\n",
199                 keystr));
200
201         status = NT_STATUS_OK;
202
203  done:
204
205         talloc_free(keystr);
206
207         if (!NT_STATUS_IS_OK(status)) {
208                 talloc_free(creds);
209                 return status;
210         }
211
212         *pcreds = creds;
213
214         return NT_STATUS_OK;
215 }
216
217 /******************************************************************************
218  Wrapper around schannel_fetch_session_key_tdb()
219  Note we must be root here.
220 *******************************************************************************/
221
222 NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
223                                   const char *computer_name,
224                                   struct netlogon_creds_CredentialState **creds)
225 {
226         struct tdb_context *tdb;
227         NTSTATUS status;
228
229         tdb = open_schannel_session_store(mem_ctx);
230         if (!tdb) {
231                 return NT_STATUS_ACCESS_DENIED;
232         }
233
234         status = schannel_fetch_session_key_tdb(tdb, mem_ctx,
235                                                 computer_name, creds);
236
237         tdb_close(tdb);
238
239         return status;
240 }
241
242 /******************************************************************************
243  Wrapper around schannel_store_session_key_tdb()
244  Note we must be root here.
245 *******************************************************************************/
246
247 NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
248                                    struct netlogon_creds_CredentialState *creds)
249 {
250         struct tdb_context *tdb;
251         NTSTATUS status;
252
253         tdb = open_schannel_session_store(mem_ctx);
254         if (!tdb) {
255                 return NT_STATUS_ACCESS_DENIED;
256         }
257
258         status = schannel_store_session_key_tdb(tdb, mem_ctx, creds);
259
260         tdb_close(tdb);
261
262         return status;
263 }
264
265 /********************************************************************
266  Validate an incoming authenticator against the credentials for the
267  remote machine stored in the schannel database.
268
269  The credentials are (re)read and from the schannel database, and
270  written back after the caclulations are performed.
271
272  If the creds_out parameter is not NULL returns the credentials.
273  ********************************************************************/
274
275 NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
276                                     const char *computer_name,
277                                     struct netr_Authenticator *received_authenticator,
278                                     struct netr_Authenticator *return_authenticator,
279                                     struct netlogon_creds_CredentialState **creds_out)
280 {
281         TALLOC_CTX *tmpctx;
282         struct tdb_context *tdb;
283         struct netlogon_creds_CredentialState *creds;
284         NTSTATUS status;
285         int ret;
286
287         tmpctx = talloc_named(mem_ctx, 0, "schannel_check_creds_state");
288         if (!tmpctx) {
289                 return NT_STATUS_NO_MEMORY;
290         }
291
292         tdb = open_schannel_session_store(tmpctx);
293         if (!tdb) {
294                 status = NT_STATUS_ACCESS_DENIED;
295                 goto done;
296         }
297
298         ret = tdb_transaction_start(tdb);
299         if (ret != 0) {
300                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
301                 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
302                 goto done;
303         }
304
305         /* Because this is a shared structure (even across
306          * disconnects) we must update the database every time we
307          * update the structure */
308
309         status = schannel_fetch_session_key_tdb(tdb, tmpctx,
310                                                 computer_name, &creds);
311         if (!NT_STATUS_IS_OK(status)) {
312                 tdb_transaction_cancel(tdb);
313                 goto done;
314         }
315
316         status = netlogon_creds_server_step_check(creds,
317                                                   received_authenticator,
318                                                   return_authenticator);
319         if (!NT_STATUS_IS_OK(status)) {
320                 tdb_transaction_cancel(tdb);
321                 goto done;
322         }
323
324         status = schannel_store_session_key_tdb(tdb, tmpctx, creds);
325         if (!NT_STATUS_IS_OK(status)) {
326                 tdb_transaction_cancel(tdb);
327                 goto done;
328         }
329
330         tdb_transaction_commit(tdb);
331
332         if (creds_out) {
333                 *creds_out = talloc_steal(mem_ctx, creds);
334                 if (!*creds_out) {
335                         status = NT_STATUS_NO_MEMORY;
336                         goto done;
337                 }
338         }
339
340         status = NT_STATUS_OK;
341
342 done:
343         talloc_free(tmpctx);
344         if (tdb) tdb_close(tdb);
345         return status;
346 }
347