s4-rpc: don't use s->credentials after it is freed
[ira/wip.git] / source4 / librpc / rpc / dcerpc_schannel.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    dcerpc schannel operations
5
6    Copyright (C) Andrew Tridgell 2004
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8    Copyright (C) Rafal Szczesniak 2006
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "auth/auth.h"
26 #include "libcli/composite/composite.h"
27 #include "libcli/auth/libcli_auth.h"
28 #include "librpc/gen_ndr/ndr_netlogon.h"
29 #include "librpc/gen_ndr/ndr_netlogon_c.h"
30 #include "auth/credentials/credentials.h"
31 #include "librpc/rpc/dcerpc_proto.h"
32 #include "param/param.h"
33
34 struct schannel_key_state {
35         struct dcerpc_pipe *pipe;
36         struct dcerpc_pipe *pipe2;
37         struct dcerpc_binding *binding;
38         struct cli_credentials *credentials;
39         struct netlogon_creds_CredentialState *creds;
40         uint32_t negotiate_flags;
41         struct netr_Credential credentials1;
42         struct netr_Credential credentials2;
43         struct netr_Credential credentials3;
44         struct netr_ServerReqChallenge r;
45         struct netr_ServerAuthenticate2 a;
46         const struct samr_Password *mach_pwd;
47 };
48
49
50 static void continue_secondary_connection(struct composite_context *ctx);
51 static void continue_bind_auth_none(struct composite_context *ctx);
52 static void continue_srv_challenge(struct rpc_request *req);
53 static void continue_srv_auth2(struct rpc_request *req);
54
55
56 /*
57   Stage 2 of schannel_key: Receive endpoint mapping and request secondary
58   rpc connection
59 */
60 static void continue_epm_map_binding(struct composite_context *ctx)
61 {
62         struct composite_context *c;
63         struct schannel_key_state *s;
64         struct composite_context *sec_conn_req;
65
66         c = talloc_get_type(ctx->async.private_data, struct composite_context);
67         s = talloc_get_type(c->private_data, struct schannel_key_state);
68
69         /* receive endpoint mapping */
70         c->status = dcerpc_epm_map_binding_recv(ctx);
71         if (!NT_STATUS_IS_OK(c->status)) {
72                 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
73                          NDR_NETLOGON_UUID, nt_errstr(c->status)));
74                 composite_error(c, c->status);
75                 return;
76         }
77
78         /* send a request for secondary rpc connection */
79         sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
80                                                         s->binding);
81         if (composite_nomem(sec_conn_req, c)) return;
82
83         composite_continue(c, sec_conn_req, continue_secondary_connection, c);
84 }
85
86
87 /*
88   Stage 3 of schannel_key: Receive secondary rpc connection and perform
89   non-authenticated bind request
90 */
91 static void continue_secondary_connection(struct composite_context *ctx)
92 {
93         struct composite_context *c;
94         struct schannel_key_state *s;
95         struct composite_context *auth_none_req;
96
97         c = talloc_get_type(ctx->async.private_data, struct composite_context);
98         s = talloc_get_type(c->private_data, struct schannel_key_state);
99
100         /* receive secondary rpc connection */
101         c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
102         if (!composite_is_ok(c)) return;
103
104         talloc_steal(s, s->pipe2);
105
106         /* initiate a non-authenticated bind */
107         auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
108         if (composite_nomem(auth_none_req, c)) return;
109
110         composite_continue(c, auth_none_req, continue_bind_auth_none, c);
111 }
112
113
114 /*
115   Stage 4 of schannel_key: Receive non-authenticated bind and get
116   a netlogon challenge
117 */
118 static void continue_bind_auth_none(struct composite_context *ctx)
119 {
120         struct composite_context *c;
121         struct schannel_key_state *s;
122         struct rpc_request *srv_challenge_req;
123
124         c = talloc_get_type(ctx->async.private_data, struct composite_context);
125         s = talloc_get_type(c->private_data, struct schannel_key_state);
126
127         /* receive result of non-authenticated bind request */
128         c->status = dcerpc_bind_auth_none_recv(ctx);
129         if (!composite_is_ok(c)) return;
130         
131         /* prepare a challenge request */
132         s->r.in.server_name   = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
133         if (composite_nomem(s->r.in.server_name, c)) return;
134         s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
135         s->r.in.credentials   = &s->credentials1;
136         s->r.out.return_credentials  = &s->credentials2;
137         
138         generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
139
140         /*
141           request a netlogon challenge - a rpc request over opened secondary pipe
142         */
143         srv_challenge_req = dcerpc_netr_ServerReqChallenge_send(s->pipe2, c, &s->r);
144         if (composite_nomem(srv_challenge_req, c)) return;
145
146         composite_continue_rpc(c, srv_challenge_req, continue_srv_challenge, c);
147 }
148
149
150 /*
151   Stage 5 of schannel_key: Receive a challenge and perform authentication
152   on the netlogon pipe
153 */
154 static void continue_srv_challenge(struct rpc_request *req)
155 {
156         struct composite_context *c;
157         struct schannel_key_state *s;
158         struct rpc_request *srv_auth2_req;
159
160         c = talloc_get_type(req->async.private_data, struct composite_context);
161         s = talloc_get_type(c->private_data, struct schannel_key_state);
162
163         /* receive rpc request result - netlogon challenge */
164         c->status = dcerpc_netr_ServerReqChallenge_recv(req);
165         if (!composite_is_ok(c)) return;
166
167         /* prepare credentials for auth2 request */
168         s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
169
170         /* auth2 request arguments */
171         s->a.in.server_name      = s->r.in.server_name;
172         s->a.in.account_name     = cli_credentials_get_username(s->credentials);
173         s->a.in.secure_channel_type =
174                 cli_credentials_get_secure_channel_type(s->credentials);
175         s->a.in.computer_name    = cli_credentials_get_workstation(s->credentials);
176         s->a.in.negotiate_flags  = &s->negotiate_flags;
177         s->a.in.credentials      = &s->credentials3;
178         s->a.out.negotiate_flags = &s->negotiate_flags;
179         s->a.out.return_credentials     = &s->credentials3;
180
181         s->creds = netlogon_creds_client_init(s, 
182                                               s->a.in.account_name, 
183                                               s->a.in.computer_name,
184                                               &s->credentials1, &s->credentials2,
185                                               s->mach_pwd, &s->credentials3, s->negotiate_flags);
186         if (composite_nomem(s->creds, c)) {
187                 return;
188         }
189         /*
190           authenticate on the netlogon pipe - a rpc request over secondary pipe
191         */
192         srv_auth2_req = dcerpc_netr_ServerAuthenticate2_send(s->pipe2, c, &s->a);
193         if (composite_nomem(srv_auth2_req, c)) return;
194
195         composite_continue_rpc(c, srv_auth2_req, continue_srv_auth2, c);
196 }
197
198
199 /*
200   Stage 6 of schannel_key: Receive authentication request result and verify
201   received credentials
202 */
203 static void continue_srv_auth2(struct rpc_request *req)
204 {
205         struct composite_context *c;
206         struct schannel_key_state *s;
207
208         c = talloc_get_type(req->async.private_data, struct composite_context);
209         s = talloc_get_type(c->private_data, struct schannel_key_state);
210
211         /* receive rpc request result - auth2 credentials */ 
212         c->status = dcerpc_netr_ServerAuthenticate2_recv(req);
213         if (!composite_is_ok(c)) return;
214
215         /* verify credentials */
216         if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
217                 composite_error(c, NT_STATUS_UNSUCCESSFUL);
218                 return;
219         }
220
221         /* setup current netlogon credentials */
222         cli_credentials_set_netlogon_creds(s->credentials, s->creds);
223
224         composite_done(c);
225 }
226
227
228 /*
229   Initiate establishing a schannel key using netlogon challenge
230   on a secondary pipe
231 */
232 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
233                                                    struct dcerpc_pipe *p,
234                                                    struct cli_credentials *credentials,
235                                                    struct loadparm_context *lp_ctx)
236 {
237         struct composite_context *c;
238         struct schannel_key_state *s;
239         struct composite_context *epm_map_req;
240         
241         /* composite context allocation and setup */
242         c = composite_create(mem_ctx, p->conn->event_ctx);
243         if (c == NULL) return NULL;
244
245         s = talloc_zero(c, struct schannel_key_state);
246         if (composite_nomem(s, c)) return c;
247         c->private_data = s;
248
249         /* store parameters in the state structure */
250         s->pipe        = p;
251         s->credentials = credentials;
252
253         /* allocate credentials */
254         /* type of authentication depends on schannel type */
255         if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
256                 s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
257         } else {
258                 s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
259         }
260
261         /* allocate binding structure */
262         s->binding = talloc(c, struct dcerpc_binding);
263         if (composite_nomem(s->binding, c)) return c;
264
265         *s->binding = *s->pipe->binding;
266
267         /* request the netlogon endpoint mapping */
268         epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
269                                                   &ndr_table_netlogon,
270                                                   s->pipe->conn->event_ctx,
271                                                   lp_ctx);
272         if (composite_nomem(epm_map_req, c)) return c;
273
274         composite_continue(c, epm_map_req, continue_epm_map_binding, c);
275         return c;
276 }
277
278
279 /*
280   Receive result of schannel key request
281  */
282 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
283 {
284         NTSTATUS status = composite_wait(c);
285         
286         talloc_free(c);
287         return status;
288 }
289
290
291 struct auth_schannel_state {
292         struct dcerpc_pipe *pipe;
293         struct cli_credentials *credentials;
294         const struct ndr_interface_table *table;
295         struct loadparm_context *lp_ctx;
296         uint8_t auth_level;
297 };
298
299
300 static void continue_bind_auth(struct composite_context *ctx);
301
302
303 /*
304   Stage 2 of auth_schannel: Receive schannel key and intitiate an
305   authenticated bind using received credentials
306  */
307 static void continue_schannel_key(struct composite_context *ctx)
308 {
309         struct composite_context *auth_req;
310         struct composite_context *c = talloc_get_type(ctx->async.private_data,
311                                                       struct composite_context);
312         struct auth_schannel_state *s = talloc_get_type(c->private_data,
313                                                         struct auth_schannel_state);
314
315         /* receive schannel key */
316         c->status = dcerpc_schannel_key_recv(ctx);
317         if (!composite_is_ok(c)) {
318                 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(c->status)));
319                 return;
320         }
321
322         /* send bind auth request with received creds */
323         auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials, 
324                                          lp_gensec_settings(c, s->lp_ctx),
325                                          DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
326                                          NULL);
327         if (composite_nomem(auth_req, c)) return;
328         
329         composite_continue(c, auth_req, continue_bind_auth, c);
330 }
331
332
333 /*
334   Stage 3 of auth_schannel: Receivce result of authenticated bind
335   and say if we're done ok.
336 */
337 static void continue_bind_auth(struct composite_context *ctx)
338 {
339         struct composite_context *c = talloc_get_type(ctx->async.private_data,
340                                                       struct composite_context);
341
342         c->status = dcerpc_bind_auth_recv(ctx);
343         if (!composite_is_ok(c)) return;
344
345         composite_done(c);
346 }
347
348
349 /*
350   Initiate schannel authentication request
351 */
352 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx, 
353                                                          struct dcerpc_pipe *p,
354                                                          const struct ndr_interface_table *table,
355                                                          struct cli_credentials *credentials,
356                                                          struct loadparm_context *lp_ctx,
357                                                          uint8_t auth_level)
358 {
359         struct composite_context *c;
360         struct auth_schannel_state *s;
361         struct composite_context *schan_key_req;
362
363         /* composite context allocation and setup */
364         c = composite_create(tmp_ctx, p->conn->event_ctx);
365         if (c == NULL) return NULL;
366         
367         s = talloc_zero(c, struct auth_schannel_state);
368         if (composite_nomem(s, c)) return c;
369         c->private_data = s;
370
371         /* store parameters in the state structure */
372         s->pipe        = p;
373         s->credentials = credentials;
374         s->table       = table;
375         s->auth_level  = auth_level;
376         s->lp_ctx      = lp_ctx;
377
378         /* start getting schannel key first */
379         schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
380         if (composite_nomem(schan_key_req, c)) return c;
381
382         composite_continue(c, schan_key_req, continue_schannel_key, c);
383         return c;
384 }
385
386
387 /*
388   Receive result of schannel authentication request
389 */
390 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
391 {
392         NTSTATUS status = composite_wait(c);
393         
394         talloc_free(c);
395         return status;
396 }
397
398
399 /*
400   Perform schannel authenticated bind - sync version
401  */
402 _PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx, 
403                                    struct dcerpc_pipe *p,
404                                    const struct ndr_interface_table *table,
405                                    struct cli_credentials *credentials,
406                                    struct loadparm_context *lp_ctx,
407                                    uint8_t auth_level)
408 {
409         struct composite_context *c;
410
411         c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
412                                            auth_level);
413         return dcerpc_bind_auth_schannel_recv(c);
414 }