source4/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Rafal Szczesniak 2006
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "auth/auth.h"
  26 #include "libcli/composite/composite.h"
  27 #include "libcli/auth/libcli_auth.h"
  28 #include "librpc/gen_ndr/ndr_netlogon.h"
  29 #include "librpc/gen_ndr/ndr_netlogon_c.h"
  30 #include "auth/credentials/credentials.h"
  31 #include "librpc/rpc/dcerpc_proto.h"
  32
  33 struct schannel_key_state {
  34         struct dcerpc_pipe *pipe;
  35         struct dcerpc_pipe *pipe2;
  36         struct dcerpc_binding *binding;
  37         struct cli_credentials *credentials;
  38         struct creds_CredentialState *creds;
  39         uint32_t negotiate_flags;
  40         struct netr_Credential credentials1;
  41         struct netr_Credential credentials2;
  42         struct netr_Credential credentials3;
  43         struct netr_ServerReqChallenge r;
  44         struct netr_ServerAuthenticate2 a;
  45         const struct samr_Password *mach_pwd;
  46 };
  47
  48
  49 static void continue_secondary_connection(struct composite_context *ctx);
  50 static void continue_bind_auth_none(struct composite_context *ctx);
  51 static void continue_srv_challenge(struct rpc_request *req);
  52 static void continue_srv_auth2(struct rpc_request *req);
  53
  54
  55 /*
  56   Stage 2 of schannel_key: Receive endpoint mapping and request secondary
  57   rpc connection
  58 */
  59 static void continue_epm_map_binding(struct composite_context *ctx)
  60 {
  61         struct composite_context *c;
  62         struct schannel_key_state *s;
  63         struct composite_context *sec_conn_req;
  64
  65         c = talloc_get_type(ctx->async.private_data, struct composite_context);
  66         s = talloc_get_type(c->private_data, struct schannel_key_state);
  67
  68         /* receive endpoint mapping */
  69         c->status = dcerpc_epm_map_binding_recv(ctx);
  70         if (!NT_STATUS_IS_OK(c->status)) {
  71                 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
  72                          NDR_NETLOGON_UUID, nt_errstr(c->status)));
  73                 composite_error(c, c->status);
  74                 return;
  75         }
  76
  77         /* send a request for secondary rpc connection */
  78         sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
  79                                                         s->binding);
  80         if (composite_nomem(sec_conn_req, c)) return;
  81
  82         composite_continue(c, sec_conn_req, continue_secondary_connection, c);
  83 }
  84
  85
  86 /*
  87   Stage 3 of schannel_key: Receive secondary rpc connection and perform
  88   non-authenticated bind request
  89 */
  90 static void continue_secondary_connection(struct composite_context *ctx)
  91 {
  92         struct composite_context *c;
  93         struct schannel_key_state *s;
  94         struct composite_context *auth_none_req;
  95
  96         c = talloc_get_type(ctx->async.private_data, struct composite_context);
  97         s = talloc_get_type(c->private_data, struct schannel_key_state);
  98
  99         /* receive secondary rpc connection */
 100         c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
 101         if (!composite_is_ok(c)) return;
 102
 103         talloc_steal(s, s->pipe2);
 104
 105         /* initiate a non-authenticated bind */
 106         auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
 107         if (composite_nomem(auth_none_req, c)) return;
 108
 109         composite_continue(c, auth_none_req, continue_bind_auth_none, c);
 110 }
 111
 112
 113 /*
 114   Stage 4 of schannel_key: Receive non-authenticated bind and get
 115   a netlogon challenge
 116 */
 117 static void continue_bind_auth_none(struct composite_context *ctx)
 118 {
 119         struct composite_context *c;
 120         struct schannel_key_state *s;
 121         struct rpc_request *srv_challenge_req;
 122
 123         c = talloc_get_type(ctx->async.private_data, struct composite_context);
 124         s = talloc_get_type(c->private_data, struct schannel_key_state);
 125
 126         /* receive result of non-authenticated bind request */
 127         c->status = dcerpc_bind_auth_none_recv(ctx);
 128         if (!composite_is_ok(c)) return;
 129
 130         /* prepare a challenge request */
 131         s->r.in.server_name   = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
 132         if (composite_nomem(s->r.in.server_name, c)) return;
 133         s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
 134         s->r.in.credentials   = &s->credentials1;
 135         s->r.out.credentials  = &s->credentials2;
 136
 137         generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
 138
 139         /*
 140           request a netlogon challenge - a rpc request over opened secondary pipe
 141         */
 142         srv_challenge_req = dcerpc_netr_ServerReqChallenge_send(s->pipe2, c, &s->r);
 143         if (composite_nomem(srv_challenge_req, c)) return;
 144
 145         composite_continue_rpc(c, srv_challenge_req, continue_srv_challenge, c);
 146 }
 147
 148
 149 /*
 150   Stage 5 of schannel_key: Receive a challenge and perform authentication
 151   on the netlogon pipe
 152 */
 153 static void continue_srv_challenge(struct rpc_request *req)
 154 {
 155         struct composite_context *c;
 156         struct schannel_key_state *s;
 157         struct rpc_request *srv_auth2_req;
 158
 159         c = talloc_get_type(req->async.private_data, struct composite_context);
 160         s = talloc_get_type(c->private_data, struct schannel_key_state);
 161
 162         /* receive rpc request result - netlogon challenge */
 163         c->status = dcerpc_ndr_request_recv(req);
 164         if (!composite_is_ok(c)) return;
 165
 166         /* prepare credentials for auth2 request */
 167         s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
 168
 169         creds_client_init(s->creds, &s->credentials1, &s->credentials2,
 170                           s->mach_pwd, &s->credentials3, s->negotiate_flags);
 171
 172         /* auth2 request arguments */
 173         s->a.in.server_name      = s->r.in.server_name;
 174         s->a.in.account_name     = cli_credentials_get_username(s->credentials);
 175         s->a.in.secure_channel_type =
 176                 cli_credentials_get_secure_channel_type(s->credentials);
 177         s->a.in.computer_name    = cli_credentials_get_workstation(s->credentials);
 178         s->a.in.negotiate_flags  = &s->negotiate_flags;
 179         s->a.in.credentials      = &s->credentials3;
 180         s->a.out.negotiate_flags = &s->negotiate_flags;
 181         s->a.out.credentials     = &s->credentials3;
 182
 183         /*
 184           authenticate on the netlogon pipe - a rpc request over secondary pipe
 185         */
 186         srv_auth2_req = dcerpc_netr_ServerAuthenticate2_send(s->pipe2, c, &s->a);
 187         if (composite_nomem(srv_auth2_req, c)) return;
 188
 189         composite_continue_rpc(c, srv_auth2_req, continue_srv_auth2, c);
 190 }
 191
 192
 193 /*
 194   Stage 6 of schannel_key: Receive authentication request result and verify
 195   received credentials
 196 */
 197 static void continue_srv_auth2(struct rpc_request *req)
 198 {
 199         struct composite_context *c;
 200         struct schannel_key_state *s;
 201
 202         c = talloc_get_type(req->async.private_data, struct composite_context);
 203         s = talloc_get_type(c->private_data, struct schannel_key_state);
 204
 205         /* receive rpc request result - auth2 credentials */
 206         c->status = dcerpc_ndr_request_recv(req);
 207         if (!composite_is_ok(c)) return;
 208
 209         /* verify credentials */
 210         if (!creds_client_check(s->creds, s->a.out.credentials)) {
 211                 composite_error(c, NT_STATUS_UNSUCCESSFUL);
 212                 return;
 213         }
 214
 215         /* setup current netlogon credentials */
 216         cli_credentials_set_netlogon_creds(s->credentials, s->creds);
 217
 218         composite_done(c);
 219 }
 220
 221
 222 /*
 223   Initiate establishing a schannel key using netlogon challenge
 224   on a secondary pipe
 225 */
 226 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 227                                                    struct dcerpc_pipe *p,
 228                                                    struct cli_credentials *credentials,
 229                                                    struct loadparm_context *lp_ctx)
 230 {
 231         struct composite_context *c;
 232         struct schannel_key_state *s;
 233         struct composite_context *epm_map_req;
 234
 235         /* composite context allocation and setup */
 236         c = composite_create(mem_ctx, p->conn->event_ctx);
 237         if (c == NULL) return NULL;
 238
 239         s = talloc_zero(c, struct schannel_key_state);
 240         if (composite_nomem(s, c)) return c;
 241         c->private_data = s;
 242
 243         /* store parameters in the state structure */
 244         s->pipe        = p;
 245         s->credentials = credentials;
 246
 247         /* allocate credentials */
 248         s->creds = talloc(c, struct creds_CredentialState);
 249         if (composite_nomem(s->creds, c)) return c;
 250
 251         /* type of authentication depends on schannel type */
 252         if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
 253                 s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 254         } else {
 255                 s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
 256         }
 257
 258         /* allocate binding structure */
 259         s->binding = talloc(c, struct dcerpc_binding);
 260         if (composite_nomem(s->binding, c)) return c;
 261
 262         *s->binding = *s->pipe->binding;
 263
 264         /* request the netlogon endpoint mapping */
 265         epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
 266                                                   &ndr_table_netlogon,
 267                                                   s->pipe->conn->event_ctx,
 268                                                   lp_ctx);
 269         if (composite_nomem(epm_map_req, c)) return c;
 270
 271         composite_continue(c, epm_map_req, continue_epm_map_binding, c);
 272         return c;
 273 }
 274
 275
 276 /*
 277   Receive result of schannel key request
 278  */
 279 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
 280 {
 281         NTSTATUS status = composite_wait(c);
 282
 283         talloc_free(c);
 284         return status;
 285 }
 286
 287
 288 struct auth_schannel_state {
 289         struct dcerpc_pipe *pipe;
 290         struct cli_credentials *credentials;
 291         const struct ndr_interface_table *table;
 292         struct loadparm_context *lp_ctx;
 293         uint8_t auth_level;
 294 };
 295
 296
 297 static void continue_bind_auth(struct composite_context *ctx);
 298
 299
 300 /*
 301   Stage 2 of auth_schannel: Receive schannel key and intitiate an
 302   authenticated bind using received credentials
 303  */
 304 static void continue_schannel_key(struct composite_context *ctx)
 305 {
 306         struct composite_context *auth_req;
 307         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 308                                                       struct composite_context);
 309         struct auth_schannel_state *s = talloc_get_type(c->private_data,
 310                                                         struct auth_schannel_state);
 311
 312         /* receive schannel key */
 313         c->status = dcerpc_schannel_key_recv(ctx);
 314         if (!composite_is_ok(c)) {
 315                 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
 316                           cli_credentials_get_username(s->credentials), nt_errstr(c->status)));
 317                 return;
 318         }
 319
 320         /* send bind auth request with received creds */
 321         auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
 322                                          s->lp_ctx,
 323                                          DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
 324                                          NULL);
 325         if (composite_nomem(auth_req, c)) return;
 326
 327         composite_continue(c, auth_req, continue_bind_auth, c);
 328 }
 329
 330
 331 /*
 332   Stage 3 of auth_schannel: Receivce result of authenticated bind
 333   and say if we're done ok.
 334 */
 335 static void continue_bind_auth(struct composite_context *ctx)
 336 {
 337         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 338                                                       struct composite_context);
 339
 340         c->status = dcerpc_bind_auth_recv(ctx);
 341         if (!composite_is_ok(c)) return;
 342
 343         composite_done(c);
 344 }
 345
 346
 347 /*
 348   Initiate schannel authentication request
 349 */
 350 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
 351                                                          struct dcerpc_pipe *p,
 352                                                          const struct ndr_interface_table *table,
 353                                                          struct cli_credentials *credentials,
 354                                                          struct loadparm_context *lp_ctx,
 355                                                          uint8_t auth_level)
 356 {
 357         struct composite_context *c;
 358         struct auth_schannel_state *s;
 359         struct composite_context *schan_key_req;
 360
 361         /* composite context allocation and setup */
 362         c = composite_create(tmp_ctx, p->conn->event_ctx);
 363         if (c == NULL) return NULL;
 364
 365         s = talloc_zero(c, struct auth_schannel_state);
 366         if (composite_nomem(s, c)) return c;
 367         c->private_data = s;
 368
 369         /* store parameters in the state structure */
 370         s->pipe        = p;
 371         s->credentials = credentials;
 372         s->table       = table;
 373         s->auth_level  = auth_level;
 374         s->lp_ctx      = lp_ctx;
 375
 376         /* start getting schannel key first */
 377         schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
 378         if (composite_nomem(schan_key_req, c)) return c;
 379
 380         composite_continue(c, schan_key_req, continue_schannel_key, c);
 381         return c;
 382 }
 383
 384
 385 /*
 386   Receive result of schannel authentication request
 387 */
 388 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
 389 {
 390         NTSTATUS status = composite_wait(c);
 391
 392         talloc_free(c);
 393         return status;
 394 }
 395
 396
 397 /*
 398   Perform schannel authenticated bind - sync version
 399  */
 400 _PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
 401                                    struct dcerpc_pipe *p,
 402                                    const struct ndr_interface_table *table,
 403                                    struct cli_credentials *credentials,
 404                                    struct loadparm_context *lp_ctx,
 405                                    uint8_t auth_level)
 406 {
 407         struct composite_context *c;
 408
 409         c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
 410                                            auth_level);
 411         return dcerpc_bind_auth_schannel_recv(c);
 412 }