*/
#include "includes.h"
+#include <tevent.h>
+#include "lib/util/tevent_ntstatus.h"
#include "librpc/gen_ndr/ndr_schannel.h"
#include "auth/auth.h"
#include "auth/credentials/credentials.h"
#include "param/param.h"
#include "auth/gensec/gensec_toplevel_proto.h"
#include "lib/crypto/crypto.h"
+#include "libds/common/roles.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
struct schannel_state {
struct gensec_security *gensec;
return NT_STATUS_OK;
}
-_PUBLIC_ NTSTATUS gensec_schannel_init(void);
+_PUBLIC_ NTSTATUS gensec_schannel_init(TALLOC_CTX *ctx);
static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
{
return netsec_outgoing_sig_size(state);
}
-static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out)
+struct schannel_update_state {
+ NTSTATUS status;
+ DATA_BLOB out;
+};
+
+static NTSTATUS schannel_update_internal(struct gensec_security *gensec_security,
+ TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB in, DATA_BLOB *out);
+
+static struct tevent_req *schannel_update_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct gensec_security *gensec_security,
+ const DATA_BLOB in)
+{
+ struct tevent_req *req;
+ struct schannel_update_state *state = NULL;
+ NTSTATUS status;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct schannel_update_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ status = schannel_update_internal(gensec_security,
+ state, in,
+ &state->out);
+ state->status = status;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ status = NT_STATUS_OK;
+ }
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+}
+
+static NTSTATUS schannel_update_internal(struct gensec_security *gensec_security,
+ TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB in, DATA_BLOB *out)
{
struct schannel_state *state =
talloc_get_type(gensec_security->private_data,
*out = data_blob(NULL, 0);
+ if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+ switch (gensec_security->gensec_role) {
+ case GENSEC_CLIENT:
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ case GENSEC_SERVER:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
if (state != NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
+static NTSTATUS schannel_update_recv(struct tevent_req *req,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ struct schannel_update_state *state =
+ tevent_req_data(req,
+ struct schannel_update_state);
+ NTSTATUS status;
+
+ *out = data_blob_null;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ tevent_req_received(req);
+ return status;
+ }
+
+ status = state->status;
+ talloc_steal(out_mem_ctx, state->out.data);
+ *out = state->out;
+ tevent_req_received(req);
+ return status;
+}
+
/**
* Returns anonymous credentials for schannel, matching Win2k3.
*
return NT_STATUS_OK;
}
+/*
+ * Reduce the attack surface by ensuring schannel is not availble when
+ * we are not a DC
+ */
static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
{
- return NT_STATUS_OK;
+ enum server_role server_role
+ = lpcfg_server_role(gensec_security->settings->lp_ctx);
+
+ switch (server_role) {
+ case ROLE_DOMAIN_BDC:
+ case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ return NT_STATUS_OK;
+ default:
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
}
static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
static bool schannel_have_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
- if (feature & (GENSEC_FEATURE_SIGN |
- GENSEC_FEATURE_SEAL)) {
- return true;
+ if (gensec_security->dcerpc_auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
+ if (feature & GENSEC_FEATURE_SIGN) {
+ return true;
+ }
+ }
+ if (gensec_security->dcerpc_auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+ if (feature & GENSEC_FEATURE_SEAL) {
+ return true;
+ }
}
if (feature & GENSEC_FEATURE_DCE_STYLE) {
return true;
.auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
.client_start = schannel_client_start,
.server_start = schannel_server_start,
- .update = schannel_update,
+ .update_send = schannel_update_send,
+ .update_recv = schannel_update_recv,
.seal_packet = schannel_seal_packet,
.sign_packet = schannel_sign_packet,
.check_packet = schannel_check_packet,
.priority = GENSEC_SCHANNEL
};
-_PUBLIC_ NTSTATUS gensec_schannel_init(void)
+_PUBLIC_ NTSTATUS gensec_schannel_init(TALLOC_CTX *ctx)
{
NTSTATUS ret;
- ret = gensec_register(&gensec_schannel_security_ops);
+ ret = gensec_register(ctx, &gensec_schannel_security_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
gensec_schannel_security_ops.name));