2 Unix SMB/CIFS implementation.
4 NTP packet signing server
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "smbd/service_task.h"
26 #include "smbd/service.h"
27 #include "smbd/service_stream.h"
28 #include "smbd/process_model.h"
29 #include "lib/stream/packet.h"
30 #include "librpc/gen_ndr/ndr_ntp_signd.h"
31 #include "param/param.h"
32 #include "dsdb/samdb/samdb.h"
33 #include "auth/auth.h"
34 #include "libcli/security/security.h"
35 #include "lib/ldb/include/ldb.h"
36 #include "lib/ldb/include/ldb_errors.h"
37 #include "lib/crypto/md5.h"
38 #include "system/passwd.h"
41 top level context structure for the ntp_signd server
43 struct ntp_signd_server {
44 struct task_server *task;
45 struct ldb_context *samdb;
49 state of an open connection
51 struct ntp_signd_connection {
52 /* stream connection we belong to */
53 struct stream_connection *conn;
55 /* the ntp_signd_server the connection belongs to */
56 struct ntp_signd_server *ntp_signd;
58 struct packet_context *packet;
61 static void ntp_signd_terminate_connection(struct ntp_signd_connection *ntp_signdconn, const char *reason)
63 stream_terminate_connection(ntp_signdconn->conn, reason);
66 static NTSTATUS signing_failure(struct ntp_signd_connection *ntp_signdconn,
70 struct signed_reply signed_reply;
71 TALLOC_CTX *tmp_ctx = talloc_new(ntp_signdconn);
72 DATA_BLOB reply, blob;
73 enum ndr_err_code ndr_err;
75 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
77 signed_reply.version = 1;
78 signed_reply.op = SIGNING_FAILURE;
79 signed_reply.packet_id = packet_id;
80 signed_reply.signed_packet = data_blob(NULL, 0);
82 ndr_err = ndr_push_struct_blob(&reply, tmp_ctx,
83 lp_iconv_convenience(ntp_signdconn->ntp_signd->task->lp_ctx),
85 (ndr_push_flags_fn_t)ndr_push_signed_reply);
87 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
88 DEBUG(1,("failed to push ntp error reply\n"));
90 return ndr_map_error2ntstatus(ndr_err);
93 blob = data_blob_talloc(ntp_signdconn, NULL, reply.length + 4);
96 return NT_STATUS_NO_MEMORY;
99 RSIVAL(blob.data, 0, reply.length);
100 memcpy(blob.data + 4, reply.data, reply.length);
102 status = packet_send(ntp_signdconn->packet, blob);
104 /* the call isn't needed any more */
105 talloc_free(tmp_ctx);
111 receive a full packet on a NTP_SIGND connection
113 static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input)
115 struct ntp_signd_connection *ntp_signdconn = talloc_get_type(private,
116 struct ntp_signd_connection);
117 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
118 TALLOC_CTX *tmp_ctx = talloc_new(ntp_signdconn);
119 DATA_BLOB input, output, wrapped_output;
120 const struct dom_sid *domain_sid;
122 struct sign_request sign_request;
123 struct signed_reply signed_reply;
124 enum ndr_err_code ndr_err;
125 struct ldb_result *res;
126 const char *attrs[] = { "unicodePwd", NULL };
127 struct MD5Context ctx;
128 struct samr_Password *nt_hash;
131 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
133 talloc_steal(tmp_ctx, wrapped_input.data);
135 input = data_blob_const(wrapped_input.data + 4, wrapped_input.length - 4);
137 ndr_err = ndr_pull_struct_blob_all(&input, tmp_ctx,
138 lp_iconv_convenience(ntp_signdconn->ntp_signd->task->lp_ctx),
140 (ndr_pull_flags_fn_t)ndr_pull_sign_request);
142 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
143 DEBUG(1,("failed to parse ntp signing request\n"));
144 dump_data(1, input.data, input.length);
145 return ndr_map_error2ntstatus(ndr_err);
148 /* We need to implement 'check signature' and 'request server
149 * to sign' operations at some point */
150 if (sign_request.op != SIGN_TO_CLIENT) {
151 talloc_free(tmp_ctx);
152 return signing_failure(ntp_signdconn, sign_request.packet_id);
155 domain_sid = samdb_domain_sid(ntp_signdconn->ntp_signd->samdb);
157 talloc_free(tmp_ctx);
158 return signing_failure(ntp_signdconn, sign_request.packet_id);
161 /* The top bit is a 'key selector' */
162 sid = dom_sid_add_rid(tmp_ctx, domain_sid, sign_request.key_id & 0x7FFFFFFF);
164 talloc_free(tmp_ctx);
165 return signing_failure(ntp_signdconn, sign_request.packet_id);
168 ret = ldb_search_exp_fmt(ntp_signdconn->ntp_signd->samdb, tmp_ctx,
169 &res, samdb_base_dn(ntp_signdconn->ntp_signd->samdb),
170 LDB_SCOPE_SUBTREE, attrs, "(&(objectSid=%s)(objectClass=computer))",
171 dom_sid_string(tmp_ctx, sid));
172 if (ret != LDB_SUCCESS) {
173 DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: %s\n", dom_sid_string(tmp_ctx, sid),
174 ldb_errstring(ntp_signdconn->ntp_signd->samdb)));
175 talloc_free(tmp_ctx);
176 return signing_failure(ntp_signdconn, sign_request.packet_id);
179 if (res->count == 0) {
180 DEBUG(5, ("Failed to find SID %s in SAM for NTP signing\n", dom_sid_string(tmp_ctx, sid)));
181 } else if (res->count != 1) {
182 DEBUG(1, ("Found SID %s %u times in SAM for NTP signing\n", dom_sid_string(tmp_ctx, sid), res->count));
183 talloc_free(tmp_ctx);
184 return signing_failure(ntp_signdconn, sign_request.packet_id);
187 nt_hash = samdb_result_hash(tmp_ctx, res->msgs[0], "unicodePwd");
189 DEBUG(1, ("No unicodePwd found on record of SID %s for NTP signing\n", dom_sid_string(tmp_ctx, sid)));
190 talloc_free(tmp_ctx);
191 return signing_failure(ntp_signdconn, sign_request.packet_id);
194 /* Generate the reply packet */
195 signed_reply.version = 1;
196 signed_reply.packet_id = sign_request.packet_id;
197 signed_reply.op = SIGNING_SUCCESS;
198 signed_reply.signed_packet = data_blob_talloc(tmp_ctx,
200 sign_request.packet_to_sign.length + 20);
202 if (!signed_reply.signed_packet.data) {
203 talloc_free(tmp_ctx);
204 return signing_failure(ntp_signdconn, sign_request.packet_id);
207 memcpy(signed_reply.signed_packet.data, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
208 SIVAL(signed_reply.signed_packet.data, sign_request.packet_to_sign.length, sign_request.key_id);
210 /* Sign the NTP response with the unicodePwd */
212 MD5Update(&ctx, nt_hash->hash, sizeof(nt_hash->hash));
213 MD5Update(&ctx, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
214 MD5Final(signed_reply.signed_packet.data + sign_request.packet_to_sign.length + 4, &ctx);
217 /* Place it into the packet for the wire */
218 ndr_err = ndr_push_struct_blob(&output, tmp_ctx,
219 lp_iconv_convenience(ntp_signdconn->ntp_signd->task->lp_ctx),
221 (ndr_push_flags_fn_t)ndr_push_signed_reply);
223 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
224 DEBUG(1,("failed to push ntp error reply\n"));
225 talloc_free(tmp_ctx);
226 return ndr_map_error2ntstatus(ndr_err);
229 wrapped_output = data_blob_talloc(ntp_signdconn, NULL, output.length + 4);
230 if (!wrapped_output.data) {
231 talloc_free(tmp_ctx);
232 return NT_STATUS_NO_MEMORY;
235 /* The 'wire' transport for this is wrapped with a 4 byte network byte order length */
236 RSIVAL(wrapped_output.data, 0, output.length);
237 memcpy(wrapped_output.data + 4, output.data, output.length);
239 status = packet_send(ntp_signdconn->packet, wrapped_output);
241 /* the call isn't needed any more */
242 talloc_free(tmp_ctx);
247 receive some data on a NTP_SIGND connection
249 static void ntp_signd_recv_handler(struct stream_connection *conn, uint16_t flags)
251 struct ntp_signd_connection *ntp_signdconn = talloc_get_type(conn->private,
252 struct ntp_signd_connection);
253 packet_recv(ntp_signdconn->packet);
257 called on a tcp recv error
259 static void ntp_signd_recv_error(void *private, NTSTATUS status)
261 struct ntp_signd_connection *ntp_signdconn = talloc_get_type(private, struct ntp_signd_connection);
262 ntp_signd_terminate_connection(ntp_signdconn, nt_errstr(status));
266 called when we can write to a connection
268 static void ntp_signd_send(struct stream_connection *conn, uint16_t flags)
270 struct ntp_signd_connection *ntp_signdconn = talloc_get_type(conn->private,
271 struct ntp_signd_connection);
272 packet_queue_run(ntp_signdconn->packet);
276 called when we get a new connection
278 static void ntp_signd_accept(struct stream_connection *conn)
280 struct ntp_signd_server *ntp_signd = talloc_get_type(conn->private, struct ntp_signd_server);
281 struct ntp_signd_connection *ntp_signdconn;
283 ntp_signdconn = talloc_zero(conn, struct ntp_signd_connection);
284 if (!ntp_signdconn) {
285 stream_terminate_connection(conn, "ntp_signd_accept: out of memory");
288 ntp_signdconn->conn = conn;
289 ntp_signdconn->ntp_signd = ntp_signd;
290 conn->private = ntp_signdconn;
292 ntp_signdconn->packet = packet_init(ntp_signdconn);
293 if (ntp_signdconn->packet == NULL) {
294 ntp_signd_terminate_connection(ntp_signdconn, "ntp_signd_accept: out of memory");
297 packet_set_private(ntp_signdconn->packet, ntp_signdconn);
298 packet_set_socket(ntp_signdconn->packet, conn->socket);
299 packet_set_callback(ntp_signdconn->packet, ntp_signd_recv);
300 packet_set_full_request(ntp_signdconn->packet, packet_full_request_u32);
301 packet_set_error_handler(ntp_signdconn->packet, ntp_signd_recv_error);
302 packet_set_event_context(ntp_signdconn->packet, conn->event.ctx);
303 packet_set_fde(ntp_signdconn->packet, conn->event.fde);
304 packet_set_serialise(ntp_signdconn->packet);
307 static const struct stream_server_ops ntp_signd_stream_ops = {
309 .accept_connection = ntp_signd_accept,
310 .recv_handler = ntp_signd_recv_handler,
311 .send_handler = ntp_signd_send
315 startup the ntp_signd task
317 static void ntp_signd_task_init(struct task_server *task)
319 struct ntp_signd_server *ntp_signd;
322 const struct model_ops *model_ops;
326 if (!directory_create_or_exist(lp_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0755)) {
327 char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s",
328 lp_ntp_signd_socket_directory(task->lp_ctx));
329 task_server_terminate(task,
334 /* within the ntp_signd task we want to be a single process, so
335 ask for the single process model ops and pass these to the
336 stream_setup_socket() call. */
337 model_ops = process_model_byname("single");
339 DEBUG(0,("Can't find 'single' process model_ops\n"));
343 task_server_set_title(task, "task[ntp_signd]");
345 ntp_signd = talloc(task, struct ntp_signd_server);
346 if (ntp_signd == NULL) {
347 task_server_terminate(task, "ntp_signd: out of memory");
351 ntp_signd->task = task;
353 /* Must be system to get at the password hashes */
354 ntp_signd->samdb = samdb_connect(ntp_signd, task->event_ctx, task->lp_ctx, system_session(ntp_signd, task->lp_ctx));
355 if (ntp_signd->samdb == NULL) {
356 task_server_terminate(task, "ntp_signd failed to open samdb");
360 address = talloc_asprintf(ntp_signd, "%s/socket", lp_ntp_signd_socket_directory(task->lp_ctx));
362 status = stream_setup_socket(ntp_signd->task->event_ctx,
363 ntp_signd->task->lp_ctx,
365 &ntp_signd_stream_ops,
366 "unix", address, NULL,
367 lp_socket_options(ntp_signd->task->lp_ctx),
369 if (!NT_STATUS_IS_OK(status)) {
370 DEBUG(0,("Failed to bind to %s - %s\n",
371 address, nt_errstr(status)));
378 /* called at smbd startup - register ourselves as a server service */
379 NTSTATUS server_service_ntp_signd_init(void)
381 return register_server_service("ntp_signd", ntp_signd_task_init);
git.samba.org / kai / samba-autobuild / .git / blob