source4/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Rafal Szczesniak 2006
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 2 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23 */
  24
  25 #include "includes.h"
  26 #include "auth/auth.h"
  27 #include "libcli/composite/composite.h"
  28 #include "libcli/auth/libcli_auth.h"
  29
  30
  31 struct schannel_key_state {
  32         struct dcerpc_pipe *pipe;
  33         struct dcerpc_pipe *pipe2;
  34         struct dcerpc_binding *binding;
  35         struct cli_credentials *credentials;
  36         struct creds_CredentialState *creds;
  37         uint32_t negotiate_flags;
  38         struct netr_Credential credentials1;
  39         struct netr_Credential credentials2;
  40         struct netr_Credential credentials3;
  41         struct netr_ServerReqChallenge r;
  42         struct netr_ServerAuthenticate2 a;
  43         const struct samr_Password *mach_pwd;
  44 };
  45
  46
  47 static void continue_secondary_connection(struct composite_context *ctx);
  48 static void continue_bind_auth_none(struct composite_context *ctx);
  49 static void continue_srv_challenge(struct rpc_request *req);
  50 static void continue_srv_auth2(struct rpc_request *req);
  51
  52
  53 /*
  54   Stage 2 of schannel_key: Receive endpoint mapping and request secondary
  55   rpc connection
  56 */
  57 static void continue_epm_map_binding(struct composite_context *ctx)
  58 {
  59         struct composite_context *c;
  60         struct schannel_key_state *s;
  61         struct composite_context *sec_conn_req;
  62
  63         c = talloc_get_type(ctx->async.private_data, struct composite_context);
  64         s = talloc_get_type(c->private_data, struct schannel_key_state);
  65
  66         /* receive endpoint mapping */
  67         c->status = dcerpc_epm_map_binding_recv(ctx);
  68         if (!composite_is_ok(c)) {
  69                 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
  70                          DCERPC_NETLOGON_UUID, nt_errstr(c->status)));
  71                 return;
  72         }
  73
  74         /* send a request for secondary rpc connection */
  75         sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
  76                                                         s->binding);
  77         if (composite_nomem(sec_conn_req, c)) return;
  78
  79         composite_continue(c, sec_conn_req, continue_secondary_connection, c);
  80 }
  81
  82
  83 /*
  84   Stage 3 of schannel_key: Receive secondary rpc connection and perform
  85   non-authenticated bind request
  86 */
  87 static void continue_secondary_connection(struct composite_context *ctx)
  88 {
  89         struct composite_context *c;
  90         struct schannel_key_state *s;
  91         struct composite_context *auth_none_req;
  92
  93         c = talloc_get_type(ctx->async.private_data, struct composite_context);
  94         s = talloc_get_type(c->private_data, struct schannel_key_state);
  95
  96         /* receive secondary rpc connection */
  97         c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
  98         if (!composite_is_ok(c)) return;
  99
 100         /* initiate a non-authenticated bind */
 101         auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &dcerpc_table_netlogon);
 102         if (composite_nomem(auth_none_req, c)) return;
 103
 104         composite_continue(c, auth_none_req, continue_bind_auth_none, c);
 105 }
 106
 107
 108 /*
 109   Stage 4 of schannel_key: Receive non-authenticated bind and get
 110   a netlogon challenge
 111 */
 112 static void continue_bind_auth_none(struct composite_context *ctx)
 113 {
 114         struct composite_context *c;
 115         struct schannel_key_state *s;
 116         struct rpc_request *srv_challenge_req;
 117
 118         c = talloc_get_type(ctx->async.private_data, struct composite_context);
 119         s = talloc_get_type(c->private_data, struct schannel_key_state);
 120
 121         /* receive result of non-authenticated bind request */
 122         c->status = dcerpc_bind_auth_none_recv(ctx);
 123         if (!composite_is_ok(c)) {
 124                 talloc_free(s->pipe2);
 125                 return;
 126         }
 127
 128         /* prepare a challenge request */
 129         s->r.in.server_name   = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
 130         if (composite_nomem(s->r.in.server_name, c)) return;
 131         s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
 132         s->r.in.credentials   = &s->credentials1;
 133         s->r.out.credentials  = &s->credentials2;
 134
 135         generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
 136
 137         /*
 138           request a netlogon challenge - a rpc request over opened secondary pipe
 139         */
 140         srv_challenge_req = dcerpc_netr_ServerReqChallenge_send(s->pipe2, c, &s->r);
 141         if (composite_nomem(srv_challenge_req, c)) return;
 142
 143         composite_continue_rpc(c, srv_challenge_req, continue_srv_challenge, c);
 144 }
 145
 146
 147 /*
 148   Stage 5 of schannel_key: Receive a challenge and perform authentication
 149   on the netlogon pipe
 150 */
 151 static void continue_srv_challenge(struct rpc_request *req)
 152 {
 153         struct composite_context *c;
 154         struct schannel_key_state *s;
 155         struct rpc_request *srv_auth2_req;
 156
 157         c = talloc_get_type(req->async.private, struct composite_context);
 158         s = talloc_get_type(c->private_data, struct schannel_key_state);
 159
 160         /* receive rpc request result - netlogon challenge */
 161         c->status = dcerpc_ndr_request_recv(req);
 162         if (!composite_is_ok(c)) return;
 163
 164         /* prepare credentials for auth2 request */
 165         s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
 166
 167         creds_client_init(s->creds, &s->credentials1, &s->credentials2,
 168                           s->mach_pwd, &s->credentials3, s->negotiate_flags);
 169
 170         /* auth2 request arguments */
 171         s->a.in.server_name      = s->r.in.server_name;
 172         s->a.in.account_name     = cli_credentials_get_username(s->credentials);
 173         s->a.in.secure_channel_type =
 174                 cli_credentials_get_secure_channel_type(s->credentials);
 175         s->a.in.computer_name    = cli_credentials_get_workstation(s->credentials);
 176         s->a.in.negotiate_flags  = &s->negotiate_flags;
 177         s->a.in.credentials      = &s->credentials3;
 178         s->a.out.negotiate_flags = &s->negotiate_flags;
 179         s->a.out.credentials     = &s->credentials3;
 180
 181         /*
 182           authenticate on the netlogon pipe - a rpc request over secondary pipe
 183         */
 184         srv_auth2_req = dcerpc_netr_ServerAuthenticate2_send(s->pipe2, c, &s->a);
 185         if (composite_nomem(srv_auth2_req, c)) return;
 186
 187         composite_continue_rpc(c, srv_auth2_req, continue_srv_auth2, c);
 188 }
 189
 190
 191 /*
 192   Stage 6 of schannel_key: Receive authentication request result and verify
 193   received credentials
 194 */
 195 static void continue_srv_auth2(struct rpc_request *req)
 196 {
 197         struct composite_context *c;
 198         struct schannel_key_state *s;
 199
 200         c = talloc_get_type(req->async.private, struct composite_context);
 201         s = talloc_get_type(c->private_data, struct schannel_key_state);
 202
 203         /* receive rpc request result - auth2 credentials */
 204         c->status = dcerpc_ndr_request_recv(req);
 205         if (!composite_is_ok(c)) return;
 206
 207         /* verify credentials */
 208         if (!creds_client_check(s->creds, s->a.out.credentials)) {
 209                 composite_error(c, NT_STATUS_UNSUCCESSFUL);
 210                 return;
 211         }
 212
 213         /* setup current netlogon credentials */
 214         cli_credentials_set_netlogon_creds(s->credentials, s->creds);
 215         talloc_free(s->pipe2);
 216
 217         composite_done(c);
 218 }
 219
 220
 221 /*
 222   Initiate establishing a schannel key using netlogon challenge
 223   on a secondary pipe
 224 */
 225 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 226                                                    struct dcerpc_pipe *p,
 227                                                    struct cli_credentials *credentials)
 228 {
 229         struct composite_context *c;
 230         struct schannel_key_state *s;
 231         struct composite_context *epm_map_req;
 232
 233         /* composite context allocation and setup */
 234         c = talloc_zero(mem_ctx, struct composite_context);
 235         if (c == NULL) return NULL;
 236
 237         s = talloc_zero(c, struct schannel_key_state);
 238         if (composite_nomem(s, c)) return c;
 239
 240         c->state = COMPOSITE_STATE_IN_PROGRESS;
 241         c->private_data = s;
 242         c->event_ctx = p->conn->event_ctx;
 243
 244         /* store parameters in the state structure */
 245         s->pipe        = p;
 246         s->credentials = credentials;
 247
 248         /* allocate credentials */
 249         s->creds = talloc(c, struct creds_CredentialState);
 250         if (composite_nomem(s->creds, c)) return c;
 251
 252         /* type of authentication depends on schannel type */
 253         if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
 254                 s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 255         } else {
 256                 s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
 257         }
 258
 259         /* allocate binding structure */
 260         s->binding = talloc(c, struct dcerpc_binding);
 261         if (composite_nomem(s->binding, c)) return c;
 262
 263         *s->binding = *s->pipe->binding;
 264
 265         /* request the netlogon endpoint mapping */
 266         epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
 267                                                   &dcerpc_table_netlogon,
 268                                                   s->pipe->conn->event_ctx);
 269         if (composite_nomem(epm_map_req, c)) return c;
 270
 271         composite_continue(c, epm_map_req, continue_epm_map_binding, c);
 272         return c;
 273 }
 274
 275
 276 /*
 277   Receive result of schannel key request
 278  */
 279 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
 280 {
 281         NTSTATUS status = composite_wait(c);
 282
 283         talloc_free(c);
 284         return status;
 285 }
 286
 287
 288 struct auth_schannel_state {
 289         struct dcerpc_pipe *pipe;
 290         struct cli_credentials *credentials;
 291         const struct dcerpc_interface_table *table;
 292         uint8_t auth_level;
 293 };
 294
 295
 296 static void continue_bind_auth(struct composite_context *ctx);
 297
 298
 299 /*
 300   Stage 2 of auth_schannel: Receive schannel key and intitiate an
 301   authenticated bind using received credentials
 302  */
 303 static void continue_schannel_key(struct composite_context *ctx)
 304 {
 305         struct composite_context *auth_req;
 306         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 307                                                       struct composite_context);
 308         struct auth_schannel_state *s = talloc_get_type(c->private_data,
 309                                                         struct auth_schannel_state);
 310
 311         /* receive schannel key */
 312         c->status = dcerpc_schannel_key_recv(ctx);
 313         if (!composite_is_ok(c)) {
 314                 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
 315                           cli_credentials_get_username(s->credentials), nt_errstr(c->status)));
 316                 return;
 317         }
 318
 319         /* send bind auth request with received creds */
 320         auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
 321                                          DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
 322                                          NULL);
 323         if (composite_nomem(auth_req, c)) return;
 324
 325         composite_continue(c, auth_req, continue_bind_auth, c);
 326 }
 327
 328
 329 /*
 330   Stage 3 of auth_schannel: Receivce result of authenticated bind
 331   and say if we're done ok.
 332 */
 333 static void continue_bind_auth(struct composite_context *ctx)
 334 {
 335         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 336                                                       struct composite_context);
 337
 338         c->status = dcerpc_bind_auth_recv(ctx);
 339         if (!composite_is_ok(c)) return;
 340
 341         composite_done(c);
 342 }
 343
 344
 345 /*
 346   Initiate schannel authentication request
 347 */
 348 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
 349                                                          struct dcerpc_pipe *p,
 350                                                          const struct dcerpc_interface_table *table,
 351                                                          struct cli_credentials *credentials,
 352                                                          uint8_t auth_level)
 353 {
 354         struct composite_context *c;
 355         struct auth_schannel_state *s;
 356         struct composite_context *schan_key_req;
 357
 358         /* composite context allocation and setup */
 359         c = talloc_zero(tmp_ctx, struct composite_context);
 360         if (c == NULL) return NULL;
 361
 362         s = talloc_zero(c, struct auth_schannel_state);
 363         if (composite_nomem(s, c)) return c;
 364
 365         c->state = COMPOSITE_STATE_IN_PROGRESS;
 366         c->private_data = s;
 367         c->event_ctx = p->conn->event_ctx;
 368
 369         /* store parameters in the state structure */
 370         s->pipe        = p;
 371         s->credentials = credentials;
 372         s->table       = table;
 373         s->auth_level  = auth_level;
 374
 375         /* start getting schannel key first */
 376         schan_key_req = dcerpc_schannel_key_send(c, p, credentials);
 377         if (composite_nomem(schan_key_req, c)) return c;
 378
 379         composite_continue(c, schan_key_req, continue_schannel_key, c);
 380         return c;
 381 }
 382
 383
 384 /*
 385   Receive result of schannel authentication request
 386 */
 387 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
 388 {
 389         NTSTATUS status = composite_wait(c);
 390
 391         talloc_free(c);
 392         return status;
 393 }
 394
 395
 396 /*
 397   Perform schannel authenticated bind - sync version
 398  */
 399 NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
 400                                    struct dcerpc_pipe *p,
 401                                    const struct dcerpc_interface_table *table,
 402                                    struct cli_credentials *credentials,
 403                                    uint8_t auth_level)
 404 {
 405         struct composite_context *c;
 406
 407         c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials,
 408                                            auth_level);
 409         return dcerpc_bind_auth_schannel_recv(c);
 410 }