969d698a16f51777e4af3ead95c6917895df65d4
[sfrench/samba-autobuild/.git] / source4 / ntp_signd / ntp_signd.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    NTP packet signing server
5
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7    Copyright (C) Andrew Tridgell        2005
8    Copyright (C) Stefan Metzmacher      2005
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "smbd/service_task.h"
26 #include "smbd/service.h"
27 #include "smbd/service_stream.h"
28 #include "smbd/process_model.h"
29 #include "lib/stream/packet.h"
30 #include "lib/tsocket/tsocket.h"
31 #include "libcli/util/tstream.h"
32 #include "librpc/gen_ndr/ndr_ntp_signd.h"
33 #include "param/param.h"
34 #include "dsdb/samdb/samdb.h"
35 #include "auth/auth.h"
36 #include "libcli/security/security.h"
37 #include "libcli/ldap/ldap_ndr.h"
38 #include <ldb.h>
39 #include <ldb_errors.h>
40 #include "../lib/crypto/md5.h"
41 #include "system/network.h"
42 #include "system/passwd.h"
43
44 /*
45   top level context structure for the ntp_signd server
46 */
47 struct ntp_signd_server {
48         struct task_server *task;
49         struct ldb_context *samdb;
50 };
51
52 /*
53   state of an open connection
54 */
55 struct ntp_signd_connection {
56         /* stream connection we belong to */
57         struct stream_connection *conn;
58
59         /* the ntp_signd_server the connection belongs to */
60         struct ntp_signd_server *ntp_signd;
61
62         struct tstream_context *tstream;
63
64         struct tevent_queue *send_queue;
65 };
66
67 static void ntp_signd_terminate_connection(struct ntp_signd_connection *ntp_signd_conn, const char *reason)
68 {
69         stream_terminate_connection(ntp_signd_conn->conn, reason);
70 }
71
72 static NTSTATUS signing_failure(struct ntp_signd_connection *ntp_signdconn,
73                                 TALLOC_CTX *mem_ctx,
74                                 DATA_BLOB *output,
75                                 uint32_t packet_id)
76 {
77         struct signed_reply signed_reply;
78         enum ndr_err_code ndr_err;
79
80         signed_reply.op = SIGNING_FAILURE;
81         signed_reply.packet_id = packet_id;
82         signed_reply.signed_packet = data_blob(NULL, 0);
83         
84         ndr_err = ndr_push_struct_blob(output, mem_ctx, &signed_reply,
85                                        (ndr_push_flags_fn_t)ndr_push_signed_reply);
86
87         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
88                 DEBUG(1,("failed to push ntp error reply\n"));
89                 return ndr_map_error2ntstatus(ndr_err);
90         }
91
92         return NT_STATUS_OK;
93 }
94
95 /*
96   receive a full packet on a NTP_SIGND connection
97 */
98 static NTSTATUS ntp_signd_process(struct ntp_signd_connection *ntp_signd_conn,
99                                   TALLOC_CTX *mem_ctx,
100                                   DATA_BLOB *input,
101                                   DATA_BLOB *output)
102 {
103         const struct dom_sid *domain_sid;
104         struct dom_sid *sid;
105         struct sign_request sign_request;
106         struct signed_reply signed_reply;
107         enum ndr_err_code ndr_err;
108         struct ldb_result *res;
109         const char *attrs[] = { "unicodePwd", "userAccountControl", "cn", NULL };
110         struct MD5Context ctx;
111         struct samr_Password *nt_hash;
112         uint32_t user_account_control;
113         int ret;
114
115         ndr_err = ndr_pull_struct_blob_all(input, mem_ctx,
116                                            &sign_request,
117                                            (ndr_pull_flags_fn_t)ndr_pull_sign_request);
118
119         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
120                 DEBUG(1,("failed to parse ntp signing request\n"));
121                 dump_data(1, input->data, input->length);
122                 return ndr_map_error2ntstatus(ndr_err);
123         }
124
125         /* We need to implement 'check signature' and 'request server
126          * to sign' operations at some point */
127         if (sign_request.op != SIGN_TO_CLIENT) {
128                 return signing_failure(ntp_signd_conn,
129                                        mem_ctx,
130                                        output,
131                                        sign_request.packet_id);
132         }
133
134         /* We need to implement 'check signature' and 'request server
135          * to sign' operations at some point */
136         if (sign_request.version != NTP_SIGND_PROTOCOL_VERSION_0) {
137                 return signing_failure(ntp_signd_conn,
138                                        mem_ctx,
139                                        output,
140                                        sign_request.packet_id);
141         }
142
143         domain_sid = samdb_domain_sid(ntp_signd_conn->ntp_signd->samdb);
144         if (domain_sid == NULL) {
145                 return signing_failure(ntp_signd_conn,
146                                        mem_ctx,
147                                        output,
148                                        sign_request.packet_id);
149         }
150         
151         /* The top bit is a 'key selector' */
152         sid = dom_sid_add_rid(mem_ctx, domain_sid,
153                               sign_request.key_id & 0x7FFFFFFF);
154         if (sid == NULL) {
155                 talloc_free(mem_ctx);
156                 return signing_failure(ntp_signd_conn,
157                                        mem_ctx,
158                                        output,
159                                        sign_request.packet_id);
160         }
161
162         ret = ldb_search(ntp_signd_conn->ntp_signd->samdb, mem_ctx,
163                                  &res,
164                                  ldb_get_default_basedn(ntp_signd_conn->ntp_signd->samdb),
165                                  LDB_SCOPE_SUBTREE,
166                                  attrs,
167                                  "(&(objectSid=%s)(objectClass=user))",
168                                  ldap_encode_ndr_dom_sid(mem_ctx, sid));
169         if (ret != LDB_SUCCESS) {
170                 DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
171                           "%s\n",
172                           dom_sid_string(mem_ctx, sid),
173                           ldb_errstring(ntp_signd_conn->ntp_signd->samdb)));
174                 return signing_failure(ntp_signd_conn,
175                                        mem_ctx,
176                                        output,
177                                        sign_request.packet_id);
178         }
179
180         if (res->count == 0) {
181                 DEBUG(5, ("Failed to find SID %s in SAM for NTP signing\n",
182                           dom_sid_string(mem_ctx, sid)));
183         } else if (res->count != 1) {
184                 DEBUG(1, ("Found SID %s %u times in SAM for NTP signing\n",
185                           dom_sid_string(mem_ctx, sid), res->count));
186                 return signing_failure(ntp_signd_conn,
187                                        mem_ctx,
188                                        output,
189                                        sign_request.packet_id);
190         }
191
192         user_account_control = ldb_msg_find_attr_as_uint(res->msgs[0],
193                                                          "userAccountControl",
194                                                          0);
195
196         if (user_account_control & UF_ACCOUNTDISABLE) {
197                 DEBUG(1, ("Account %s for SID [%s] is disabled\n",
198                           ldb_dn_get_linearized(res->msgs[0]->dn),
199                           dom_sid_string(mem_ctx, sid)));
200                 return NT_STATUS_ACCESS_DENIED;
201         }
202
203         if (!(user_account_control & (UF_INTERDOMAIN_TRUST_ACCOUNT|UF_SERVER_TRUST_ACCOUNT|UF_WORKSTATION_TRUST_ACCOUNT))) {
204                 DEBUG(1, ("Account %s for SID [%s] is not a trust account\n",
205                           ldb_dn_get_linearized(res->msgs[0]->dn),
206                           dom_sid_string(mem_ctx, sid)));
207                 return NT_STATUS_ACCESS_DENIED;
208         }
209
210         nt_hash = samdb_result_hash(mem_ctx, res->msgs[0], "unicodePwd");
211         if (!nt_hash) {
212                 DEBUG(1, ("No unicodePwd found on record of SID %s "
213                           "for NTP signing\n", dom_sid_string(mem_ctx, sid)));
214                 return signing_failure(ntp_signd_conn,
215                                        mem_ctx,
216                                        output,
217                                        sign_request.packet_id);
218         }
219
220         /* Generate the reply packet */
221         signed_reply.packet_id = sign_request.packet_id;
222         signed_reply.op = SIGNING_SUCCESS;
223         signed_reply.signed_packet = data_blob_talloc(mem_ctx,
224                                                       NULL,
225                                                       sign_request.packet_to_sign.length + 20);
226
227         if (!signed_reply.signed_packet.data) {
228                 return signing_failure(ntp_signd_conn,
229                                        mem_ctx,
230                                        output,
231                                        sign_request.packet_id);
232         }
233
234         memcpy(signed_reply.signed_packet.data, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
235         SIVAL(signed_reply.signed_packet.data, sign_request.packet_to_sign.length, sign_request.key_id);
236
237         /* Sign the NTP response with the unicodePwd */
238         MD5Init(&ctx);
239         MD5Update(&ctx, nt_hash->hash, sizeof(nt_hash->hash));
240         MD5Update(&ctx, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
241         MD5Final(signed_reply.signed_packet.data + sign_request.packet_to_sign.length + 4, &ctx);
242
243
244         /* Place it into the packet for the wire */
245         ndr_err = ndr_push_struct_blob(output, mem_ctx, &signed_reply,
246                                        (ndr_push_flags_fn_t)ndr_push_signed_reply);
247
248         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
249                 DEBUG(1,("failed to push ntp error reply\n"));
250                 return ndr_map_error2ntstatus(ndr_err);
251         }
252
253         return NT_STATUS_OK;
254 }
255
256 /*
257   called on a tcp recv
258 */
259 static void ntp_signd_recv(struct stream_connection *conn, uint16_t flags)
260 {
261         struct ntp_signd_connection *ntp_signd_conn = talloc_get_type(conn->private_data,
262                                                         struct ntp_signd_connection);
263         ntp_signd_terminate_connection(ntp_signd_conn,
264                                        "ntp_signd_recv: called");
265 }
266
267 /*
268   called when we can write to a connection
269 */
270 static void ntp_signd_send(struct stream_connection *conn, uint16_t flags)
271 {
272         struct ntp_signd_connection *ntp_signd_conn = talloc_get_type(conn->private_data,
273                                                         struct ntp_signd_connection);
274         /* this should never be triggered! */
275         ntp_signd_terminate_connection(ntp_signd_conn,
276                                        "ntp_signd_send: called");
277 }
278
279 struct ntp_signd_call {
280         struct ntp_signd_connection *ntp_signd_conn;
281         DATA_BLOB in;
282         DATA_BLOB out;
283         uint8_t out_hdr[4];
284         struct iovec out_iov[2];
285 };
286
287 static void ntp_signd_call_writev_done(struct tevent_req *subreq);
288
289 static void ntp_signd_call_loop(struct tevent_req *subreq)
290 {
291         struct ntp_signd_connection *ntp_signd_conn = tevent_req_callback_data(subreq,
292                                       struct ntp_signd_connection);
293         struct ntp_signd_call *call;
294         NTSTATUS status;
295
296         call = talloc(ntp_signd_conn, struct ntp_signd_call);
297         if (call == NULL) {
298                 ntp_signd_terminate_connection(ntp_signd_conn,
299                                 "ntp_signd_call_loop: "
300                                 "no memory for ntp_signd_call");
301                 return;
302         }
303         call->ntp_signd_conn = ntp_signd_conn;
304
305         status = tstream_read_pdu_blob_recv(subreq,
306                                             call,
307                                             &call->in);
308         TALLOC_FREE(subreq);
309         if (!NT_STATUS_IS_OK(status)) {
310                 const char *reason;
311
312                 reason = talloc_asprintf(call, "ntp_signd_call_loop: "
313                                          "tstream_read_pdu_blob_recv() - %s",
314                                          nt_errstr(status));
315                 if (reason == NULL) {
316                         reason = nt_errstr(status);
317                 }
318
319                 ntp_signd_terminate_connection(ntp_signd_conn, reason);
320                 return;
321         }
322
323         DEBUG(10,("Received NTP TCP packet of length %lu from %s\n",
324                  (long) call->in.length,
325                  tsocket_address_string(ntp_signd_conn->conn->remote_address, call)));
326
327         /* skip length header */
328         call->in.data +=4;
329         call->in.length -= 4;
330
331         status = ntp_signd_process(ntp_signd_conn,
332                                      call,
333                                      &call->in,
334                                      &call->out);
335         if (! NT_STATUS_IS_OK(status)) {
336                 const char *reason;
337
338                 reason = talloc_asprintf(call, "ntp_signd_process failed: %s",
339                                          nt_errstr(status));
340                 if (reason == NULL) {
341                         reason = nt_errstr(status);
342                 }
343
344                 ntp_signd_terminate_connection(ntp_signd_conn, reason);
345                 return;
346         }
347
348         /* First add the length of the out buffer */
349         RSIVAL(call->out_hdr, 0, call->out.length);
350         call->out_iov[0].iov_base = (char *) call->out_hdr;
351         call->out_iov[0].iov_len = 4;
352
353         call->out_iov[1].iov_base = (char *) call->out.data;
354         call->out_iov[1].iov_len = call->out.length;
355
356         subreq = tstream_writev_queue_send(call,
357                                            ntp_signd_conn->conn->event.ctx,
358                                            ntp_signd_conn->tstream,
359                                            ntp_signd_conn->send_queue,
360                                            call->out_iov, 2);
361         if (subreq == NULL) {
362                 ntp_signd_terminate_connection(ntp_signd_conn, "ntp_signd_call_loop: "
363                                 "no memory for tstream_writev_queue_send");
364                 return;
365         }
366
367         tevent_req_set_callback(subreq, ntp_signd_call_writev_done, call);
368
369         /*
370          * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
371          * packet_full_request_u32 provides the pdu length then.
372          */
373         subreq = tstream_read_pdu_blob_send(ntp_signd_conn,
374                                             ntp_signd_conn->conn->event.ctx,
375                                             ntp_signd_conn->tstream,
376                                             4, /* initial_read_size */
377                                             packet_full_request_u32,
378                                             ntp_signd_conn);
379         if (subreq == NULL) {
380                 ntp_signd_terminate_connection(ntp_signd_conn, "ntp_signd_call_loop: "
381                                 "no memory for tstream_read_pdu_blob_send");
382                 return;
383         }
384         tevent_req_set_callback(subreq, ntp_signd_call_loop, ntp_signd_conn);
385 }
386
387 static void ntp_signd_call_writev_done(struct tevent_req *subreq)
388 {
389         struct ntp_signd_call *call = tevent_req_callback_data(subreq,
390                         struct ntp_signd_call);
391         int sys_errno;
392         int rc;
393
394         rc = tstream_writev_queue_recv(subreq, &sys_errno);
395         TALLOC_FREE(subreq);
396         if (rc == -1) {
397                 const char *reason;
398
399                 reason = talloc_asprintf(call, "ntp_signd_call_writev_done: "
400                                          "tstream_writev_queue_recv() - %d:%s",
401                                          sys_errno, strerror(sys_errno));
402                 if (!reason) {
403                         reason = "ntp_signd_call_writev_done: "
404                                  "tstream_writev_queue_recv() failed";
405                 }
406
407                 ntp_signd_terminate_connection(call->ntp_signd_conn, reason);
408                 return;
409         }
410
411         /* We don't care about errors */
412
413         talloc_free(call);
414 }
415
416 /*
417   called when we get a new connection
418 */
419 static void ntp_signd_accept(struct stream_connection *conn)
420 {
421         struct ntp_signd_server *ntp_signd = talloc_get_type(conn->private_data,
422                                                 struct ntp_signd_server);
423         struct ntp_signd_connection *ntp_signd_conn;
424         struct tevent_req *subreq;
425         int rc;
426
427         ntp_signd_conn = talloc_zero(conn, struct ntp_signd_connection);
428         if (ntp_signd_conn == NULL) {
429                 stream_terminate_connection(conn,
430                                 "ntp_signd_accept: out of memory");
431                 return;
432         }
433
434         ntp_signd_conn->send_queue = tevent_queue_create(conn,
435                         "ntp_signd_accept");
436         if (ntp_signd_conn->send_queue == NULL) {
437                 stream_terminate_connection(conn,
438                                 "ntp_signd_accept: out of memory");
439                 return;
440         }
441
442         TALLOC_FREE(conn->event.fde);
443
444         rc = tstream_bsd_existing_socket(ntp_signd_conn,
445                         socket_get_fd(conn->socket),
446                         &ntp_signd_conn->tstream);
447         if (rc < 0) {
448                 stream_terminate_connection(conn,
449                                 "ntp_signd_accept: out of memory");
450                 return;
451         }
452
453         ntp_signd_conn->conn = conn;
454         ntp_signd_conn->ntp_signd = ntp_signd;
455         conn->private_data = ntp_signd_conn;
456
457         /*
458          * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
459          * packet_full_request_u32 provides the pdu length then.
460          */
461         subreq = tstream_read_pdu_blob_send(ntp_signd_conn,
462                                             ntp_signd_conn->conn->event.ctx,
463                                             ntp_signd_conn->tstream,
464                                             4, /* initial_read_size */
465                                             packet_full_request_u32,
466                                             ntp_signd_conn);
467         if (subreq == NULL) {
468                 ntp_signd_terminate_connection(ntp_signd_conn,
469                                 "ntp_signd_accept: "
470                                 "no memory for tstream_read_pdu_blob_send");
471                 return;
472         }
473         tevent_req_set_callback(subreq, ntp_signd_call_loop, ntp_signd_conn);
474 }
475
476 static const struct stream_server_ops ntp_signd_stream_ops = {
477         .name                   = "ntp_signd",
478         .accept_connection      = ntp_signd_accept,
479         .recv_handler           = ntp_signd_recv,
480         .send_handler           = ntp_signd_send
481 };
482
483 /*
484   startup the ntp_signd task
485 */
486 static void ntp_signd_task_init(struct task_server *task)
487 {
488         struct ntp_signd_server *ntp_signd;
489         NTSTATUS status;
490
491         const struct model_ops *model_ops;
492
493         const char *address;
494
495         if (!directory_create_or_exist(lpcfg_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0755)) {
496                 char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s", 
497                                               lpcfg_ntp_signd_socket_directory(task->lp_ctx));
498                 task_server_terminate(task,
499                                       error, true);
500                 return;
501         }
502
503         /* within the ntp_signd task we want to be a single process, so
504            ask for the single process model ops and pass these to the
505            stream_setup_socket() call. */
506         model_ops = process_model_startup("single");
507         if (!model_ops) {
508                 DEBUG(0,("Can't find 'single' process model_ops\n"));
509                 return;
510         }
511
512         task_server_set_title(task, "task[ntp_signd]");
513
514         ntp_signd = talloc(task, struct ntp_signd_server);
515         if (ntp_signd == NULL) {
516                 task_server_terminate(task, "ntp_signd: out of memory", true);
517                 return;
518         }
519
520         ntp_signd->task = task;
521
522         /* Must be system to get at the password hashes */
523         ntp_signd->samdb = samdb_connect(ntp_signd, task->event_ctx, task->lp_ctx, system_session(task->lp_ctx), 0);
524         if (ntp_signd->samdb == NULL) {
525                 task_server_terminate(task, "ntp_signd failed to open samdb", true);
526                 return;
527         }
528
529         address = talloc_asprintf(ntp_signd, "%s/socket", lpcfg_ntp_signd_socket_directory(task->lp_ctx));
530
531         status = stream_setup_socket(ntp_signd->task,
532                                      ntp_signd->task->event_ctx,
533                                      ntp_signd->task->lp_ctx,
534                                      model_ops, 
535                                      &ntp_signd_stream_ops, 
536                                      "unix", address, NULL,
537                                      lpcfg_socket_options(ntp_signd->task->lp_ctx),
538                                      ntp_signd);
539         if (!NT_STATUS_IS_OK(status)) {
540                 DEBUG(0,("Failed to bind to %s - %s\n",
541                          address, nt_errstr(status)));
542                 return;
543         }
544
545 }
546
547
548 /* called at smbd startup - register ourselves as a server service */
549 NTSTATUS server_service_ntp_signd_init(void)
550 {
551         return register_server_service("ntp_signd", ntp_signd_task_init);
552 }