s4:schannel merge code with s3

[ira/wip.git] / source4 / auth / gensec / schannel.c

diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index 720ce77291ba31a1de20745caa317c46b997a93e..939a383a04aca8b49e9184267168f4ee4ca0b921 100644 (file)
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -26,10 +26,9 @@
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
-#include "auth/gensec/schannel.h"
+#include "../libcli/auth/schannel.h"
 #include "librpc/rpc/dcerpc.h"
 #include "param/param.h"
-#include "auth/session_proto.h"
 
 static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
 {
@@ -48,12 +47,13 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
        struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
        NTSTATUS status;
        enum ndr_err_code ndr_err;
-       struct schannel_bind bind_schannel;
-       struct schannel_bind_ack bind_schannel_ack;
+       struct NL_AUTH_MESSAGE bind_schannel;
+       struct NL_AUTH_MESSAGE bind_schannel_ack;
        struct netlogon_creds_CredentialState *creds;
-       struct ldb_context *schannel_ldb;
        const char *workstation;
        const char *domain;
+       uint32_t required_flags;
+
        *out = data_blob(NULL, 0);
 
        switch (gensec_security->gensec_role) {
@@ -65,26 +65,31 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 
                state->creds = talloc_reference(state, cli_credentials_get_netlogon_creds(gensec_security->credentials));
 
-               bind_schannel.unknown1 = 0;
+               bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
 #if 0
                /* to support this we'd need to have access to the full domain name */
-               bind_schannel.bind_type = 23;
-               bind_schannel.u.info23.domain = cli_credentials_get_domain(gensec_security->credentials);
-               bind_schannel.u.info23.workstation = cli_credentials_get_workstation(gensec_security->credentials);
-               bind_schannel.u.info23.dnsdomain = cli_credentials_get_realm(gensec_security->credentials);
+               /* 0x17, 23 */
+               bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
+                                     NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
+                                     NL_FLAG_UTF8_DNS_DOMAIN_NAME |
+                                     NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
+               bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
+               bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
+               bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
                /* w2k3 refuses us if we use the full DNS workstation?
                 why? perhaps because we don't fill in the dNSHostName
                 attribute in the machine account? */
-               bind_schannel.u.info23.dnsworkstation = cli_credentials_get_workstation(gensec_security->credentials);
+               bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
 #else
-               bind_schannel.bind_type = 3;
-               bind_schannel.u.info3.domain = cli_credentials_get_domain(gensec_security->credentials);
-               bind_schannel.u.info3.workstation = cli_credentials_get_workstation(gensec_security->credentials);
+               bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
+                                     NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
+               bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
+               bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
 #endif
 
                ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
                                               gensec_security->settings->iconv_convenience, &bind_schannel,
-                                              (ndr_push_flags_fn_t)ndr_push_schannel_bind);
+                                              (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
                if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                        status = ndr_map_error2ntstatus(ndr_err);
                        DEBUG(3, ("Could not create schannel bind: %s\n",
@@ -97,6 +102,9 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
                return NT_STATUS_MORE_PROCESSING_REQUIRED;
        case GENSEC_SERVER:
 
+               required_flags = NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
+                                NL_FLAG_OEM_NETBIOS_DOMAIN_NAME;
+
                if (state->state != SCHANNEL_STATE_START) {
                        /* no third leg on this protocol */
                        return NT_STATUS_INVALID_PARAMETER;
@@ -106,7 +114,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
                ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx,
                        gensec_security->settings->iconv_convenience,
                        &bind_schannel,
-                       (ndr_pull_flags_fn_t)ndr_pull_schannel_bind);
+                       (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
                if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                        status = ndr_map_error2ntstatus(ndr_err);
                        DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
@@ -114,14 +122,13 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
                        return status;
                }
 
-               if (bind_schannel.bind_type == 23) {
-                       workstation = bind_schannel.u.info23.workstation;
-                       domain = bind_schannel.u.info23.domain;
-               } else {
-                       workstation = bind_schannel.u.info3.workstation;
-                       domain = bind_schannel.u.info3.domain;
+               if (!(required_flags == (bind_schannel.Flags & required_flags))) {
+                       return NT_STATUS_INVALID_PARAMETER;
                }
 
+               workstation = bind_schannel.oem_netbios_computer.a;
+               domain = bind_schannel.oem_netbios_domain.a;
+
                if (strcasecmp_m(domain, lp_workgroup(gensec_security->settings->lp_ctx)) != 0) {
                        DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
                                  domain, lp_workgroup(gensec_security->settings->lp_ctx)));
@@ -129,15 +136,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
                        return NT_STATUS_LOGON_FAILURE;
                }
 
-               schannel_ldb = schannel_db_connect(out_mem_ctx, gensec_security->event_ctx,
-                                                  gensec_security->settings->lp_ctx);
-               if (!schannel_ldb) {
-                       return NT_STATUS_ACCESS_DENIED;
-               }
-               /* pull the session key for this client */
-               status = schannel_fetch_session_key_ldb(schannel_ldb,
-                                                       out_mem_ctx, workstation, &creds);
-               talloc_free(schannel_ldb);
+               status = schannel_get_creds_state(out_mem_ctx,
+                                                 gensec_security->settings->iconv_convenience,
+                                                 lp_private_dir(gensec_security->settings->lp_ctx),
+                                                 workstation, &creds);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
                                  workstation, nt_errstr(status)));
@@ -147,15 +149,18 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
                        return status;
                }
 
-               state->creds = talloc_reference(state, creds);
+               state->creds = talloc_steal(state, creds);
 
-               bind_schannel_ack.unknown1 = 1;
-               bind_schannel_ack.unknown2 = 0;
-               bind_schannel_ack.unknown3 = 0x6c0000;
+               bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
+               bind_schannel_ack.Flags = 0;
+               bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
+                                                           * this does not have
+                                                           * any meaning here
+                                                           * - gd */
 
                ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
                                               gensec_security->settings->iconv_convenience, &bind_schannel_ack,
-                                              (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack);
+                                              (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
                if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                        status = ndr_map_error2ntstatus(ndr_err);
                        DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
@@ -269,6 +274,75 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
        return false;
 }
 
+/*
+  unseal a packet
+*/
+static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
+                                      TALLOC_CTX *mem_ctx,
+                                      uint8_t *data, size_t length,
+                                      const uint8_t *whole_pdu, size_t pdu_length,
+                                      const DATA_BLOB *sig)
+{
+       struct schannel_state *state =
+               talloc_get_type(gensec_security->private_data,
+                               struct schannel_state);
+
+       return netsec_incoming_packet(state, mem_ctx, true,
+                                     discard_const_p(uint8_t, data),
+                                     length, sig);
+}
+
+/*
+  check the signature on a packet
+*/
+static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
+                                     TALLOC_CTX *mem_ctx,
+                                     const uint8_t *data, size_t length,
+                                     const uint8_t *whole_pdu, size_t pdu_length,
+                                     const DATA_BLOB *sig)
+{
+       struct schannel_state *state =
+               talloc_get_type(gensec_security->private_data,
+                               struct schannel_state);
+
+       return netsec_incoming_packet(state, mem_ctx, false,
+                                     discard_const_p(uint8_t, data),
+                                     length, sig);
+}
+/*
+  seal a packet
+*/
+static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
+                                    TALLOC_CTX *mem_ctx,
+                                    uint8_t *data, size_t length,
+                                    const uint8_t *whole_pdu, size_t pdu_length,
+                                    DATA_BLOB *sig)
+{
+       struct schannel_state *state =
+               talloc_get_type(gensec_security->private_data,
+                               struct schannel_state);
+
+       return netsec_outgoing_packet(state, mem_ctx, true,
+                                     data, length, sig);
+}
+
+/*
+  sign a packet
+*/
+static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
+                                    TALLOC_CTX *mem_ctx,
+                                    const uint8_t *data, size_t length,
+                                    const uint8_t *whole_pdu, size_t pdu_length,
+                                    DATA_BLOB *sig)
+{
+       struct schannel_state *state =
+               talloc_get_type(gensec_security->private_data,
+                               struct schannel_state);
+
+       return netsec_outgoing_packet(state, mem_ctx, false,
+                                     discard_const_p(uint8_t, data),
+                                     length, sig);
+}
 
 static const struct gensec_security_ops gensec_schannel_security_ops = {
        .name           = "schannel",