source/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24
  25 /*
  26   wrappers for the schannel_*() functions
  27 */
  28 static NTSTATUS schan_unseal_packet(struct dcerpc_security *dcerpc_security,
  29                                     TALLOC_CTX *mem_ctx,
  30                                     uchar *data, size_t length, DATA_BLOB *sig)
  31 {
  32         struct schannel_state *schannel_state = dcerpc_security->private;
  33         return schannel_unseal_packet(schannel_state, mem_ctx, data, length, sig);
  34 }
  35
  36 static NTSTATUS schan_check_packet(struct dcerpc_security *dcerpc_security,
  37                                    TALLOC_CTX *mem_ctx,
  38                                    const uchar *data, size_t length,
  39                                    const DATA_BLOB *sig)
  40 {
  41         struct schannel_state *schannel_state = dcerpc_security->private;
  42         return schannel_check_packet(schannel_state, data, length, sig);
  43 }
  44
  45 static NTSTATUS schan_seal_packet(struct dcerpc_security *dcerpc_security,
  46                                   TALLOC_CTX *mem_ctx,
  47                                   uchar *data, size_t length,
  48                                   DATA_BLOB *sig)
  49 {
  50         struct schannel_state *schannel_state = dcerpc_security->private;
  51         return schannel_seal_packet(schannel_state, mem_ctx, data, length, sig);
  52 }
  53
  54 static NTSTATUS schan_sign_packet(struct dcerpc_security *dcerpc_security,
  55                                  TALLOC_CTX *mem_ctx,
  56                                  const uchar *data, size_t length,
  57                                  DATA_BLOB *sig)
  58 {
  59         struct schannel_state *schannel_state = dcerpc_security->private;
  60         return schannel_sign_packet(schannel_state, mem_ctx, data, length, sig);
  61 }
  62
  63 static NTSTATUS schan_session_key(struct dcerpc_security *dcerpc_security,
  64                                   DATA_BLOB *session_key)
  65 {
  66         return NT_STATUS_NOT_IMPLEMENTED;
  67 }
  68
  69 static void schan_security_end(struct dcerpc_security *dcerpc_security)
  70 {
  71         struct schannel_state *schannel_state = dcerpc_security->private;
  72         schannel_end(&schannel_state);
  73 }
  74
  75
  76 /*
  77   get a schannel key using a netlogon challenge on a secondary pipe
  78 */
  79 NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
  80                              const char *domain,
  81                              const char *username,
  82                              const char *password,
  83                              int chan_type,
  84                              uint8 new_session_key[8])
  85 {
  86         NTSTATUS status;
  87         struct dcerpc_pipe *p2;
  88         struct netr_ServerReqChallenge r;
  89         struct netr_ServerAuthenticate2 a;
  90         uint8 mach_pwd[16];
  91         struct creds_CredentialState creds;
  92         const char *workgroup, *workstation;
  93         uint32_t negotiate_flags = 0;
  94
  95         workstation = username;
  96         workgroup = domain;
  97
  98         /*
  99           step 1 - establish a netlogon connection, with no authentication
 100         */
 101         status = dcerpc_secondary_smb(p, &p2,
 102                                       DCERPC_NETLOGON_NAME,
 103                                       DCERPC_NETLOGON_UUID,
 104                                       DCERPC_NETLOGON_VERSION);
 105
 106
 107         /*
 108           step 2 - request a netlogon challenge
 109         */
 110         r.in.server_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dcerpc_server_name(p));
 111         r.in.computer_name = workstation;
 112         generate_random_buffer(r.in.credentials.data, sizeof(r.in.credentials.data), False);
 113
 114         status = dcerpc_netr_ServerReqChallenge(p2, p->mem_ctx, &r);
 115         if (!NT_STATUS_IS_OK(status)) {
 116                 return status;
 117         }
 118
 119         /*
 120           step 3 - authenticate on the netlogon pipe
 121         */
 122         E_md4hash(password, mach_pwd);
 123         creds_client_init(&creds, &r.in.credentials, &r.out.credentials, mach_pwd,
 124                           &a.in.credentials);
 125
 126         a.in.server_name = r.in.server_name;
 127         a.in.username = talloc_asprintf(p->mem_ctx, "%s$", workstation);
 128         a.in.secure_channel_type = chan_type;
 129         a.in.computer_name = workstation;
 130         a.in.negotiate_flags = &negotiate_flags;
 131         a.out.negotiate_flags = &negotiate_flags;
 132
 133         status = dcerpc_netr_ServerAuthenticate2(p2, p->mem_ctx, &a);
 134         if (!NT_STATUS_IS_OK(status)) {
 135                 return status;
 136         }
 137         if (!creds_client_check(&creds, &a.out.credentials)) {
 138                 return NT_STATUS_UNSUCCESSFUL;
 139         }
 140
 141         /*
 142           the schannel session key is now in creds.session_key
 143
 144           we no longer need the netlogon pipe open
 145         */
 146         dcerpc_pipe_close(p2);
 147
 148         memcpy(new_session_key, creds.session_key, 8);
 149
 150         return NT_STATUS_OK;
 151 }
 152
 153
 154 /*
 155   do a schannel style bind on a dcerpc pipe with the given schannel
 156   key. The username is usually of the form HOSTNAME$ and the password
 157   is the domain trust password
 158 */
 159 NTSTATUS dcerpc_bind_auth_schannel_key(struct dcerpc_pipe *p,
 160                                        const char *uuid, unsigned version,
 161                                        const char *domain,
 162                                        const char *username,
 163                                        const uint8 session_key[8])
 164 {
 165         NTSTATUS status;
 166         uint8 full_session_key[16];
 167         struct schannel_state *schannel_state;
 168         const char *workgroup, *workstation;
 169
 170         memcpy(full_session_key, session_key, 8);
 171         memset(full_session_key+8, 0, 8);
 172
 173         workstation = username;
 174         workgroup = domain;
 175
 176         /*
 177           perform a bind with security type schannel
 178         */
 179         p->auth_info = talloc(p->mem_ctx, sizeof(*p->auth_info));
 180         if (!p->auth_info) {
 181                 status = NT_STATUS_NO_MEMORY;
 182                 goto done;
 183         }
 184
 185         p->auth_info->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
 186
 187         if (p->flags & DCERPC_SEAL) {
 188                 p->auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
 189         } else {
 190                 /* note that DCERPC_AUTH_LEVEL_NONE does not make any
 191                    sense, and would be rejected by the server */
 192                 p->auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
 193         }
 194         p->auth_info->auth_pad_length = 0;
 195         p->auth_info->auth_reserved = 0;
 196         p->auth_info->auth_context_id = random();
 197         p->security_state = NULL;
 198
 199         p->auth_info->credentials = data_blob_talloc(p->mem_ctx,
 200                                                      NULL,
 201                                                      8 +
 202                                                      strlen(workgroup)+1 +
 203                                                      strlen(workstation)+1);
 204         if (!p->auth_info->credentials.data) {
 205                 return NT_STATUS_NO_MEMORY;
 206         }
 207
 208         /* oh, this is ugly! */
 209         SIVAL(p->auth_info->credentials.data, 0, 0);
 210         SIVAL(p->auth_info->credentials.data, 4, 3);
 211         memcpy(p->auth_info->credentials.data+8, workgroup, strlen(workgroup)+1);
 212         memcpy(p->auth_info->credentials.data+8+strlen(workgroup)+1,
 213                workstation, strlen(workstation)+1);
 214
 215         /* send the authenticated bind request */
 216         status = dcerpc_bind_byuuid(p, p->mem_ctx, uuid, version);
 217         if (!NT_STATUS_IS_OK(status)) {
 218                 goto done;
 219         }
 220
 221         p->security_state = talloc_p(p->mem_ctx, struct dcerpc_security);
 222         if (!p->security_state) {
 223                 status = NT_STATUS_NO_MEMORY;
 224                 goto done;
 225         }
 226
 227         schannel_state = talloc_p(p->mem_ctx, struct schannel_state);
 228         if (!schannel_state) {
 229                 status = NT_STATUS_NO_MEMORY;
 230                 goto done;
 231         }
 232
 233         status = schannel_start(&schannel_state, full_session_key, True);
 234         if (!NT_STATUS_IS_OK(status)) {
 235                 goto done;
 236         }
 237
 238         dump_data_pw("session key:\n", schannel_state->session_key, 16);
 239
 240         p->security_state->private = schannel_state;
 241         p->security_state->unseal_packet = schan_unseal_packet;
 242         p->security_state->check_packet = schan_check_packet;
 243         p->security_state->seal_packet = schan_seal_packet;
 244         p->security_state->sign_packet = schan_sign_packet;
 245         p->security_state->session_key = schan_session_key;
 246         p->security_state->security_end = schan_security_end;
 247
 248 done:
 249         return status;
 250 }
 251
 252
 253 /*
 254   do a schannel style bind on a dcerpc pipe. The username is usually
 255   of the form HOSTNAME$ and the password is the domain trust password
 256 */
 257 NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
 258                                    const char *uuid, unsigned version,
 259                                    const char *domain,
 260                                    const char *username,
 261                                    const char *password)
 262 {
 263         NTSTATUS status;
 264         uint8 session_key[8];
 265
 266         status = dcerpc_schannel_key(p, domain, username, password,
 267                                      lp_server_role() == ROLE_DOMAIN_BDC? SEC_CHAN_BDC:SEC_CHAN_WKSTA,
 268                                      session_key);
 269         if (!NT_STATUS_IS_OK(status)) {
 270                 return status;
 271         }
 272
 273         status = dcerpc_bind_auth_schannel_key(p, uuid, version, domain, username, session_key);
 274
 275         return status;
 276 }
 277