source4/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Rafal Szczesniak 2006
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include <tevent.h>
  26 #include "auth/auth.h"
  27 #include "libcli/composite/composite.h"
  28 #include "libcli/auth/libcli_auth.h"
  29 #include "librpc/gen_ndr/ndr_netlogon.h"
  30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
  31 #include "auth/credentials/credentials.h"
  32 #include "librpc/rpc/dcerpc_proto.h"
  33 #include "param/param.h"
  34
  35 struct schannel_key_state {
  36         struct dcerpc_pipe *pipe;
  37         struct dcerpc_pipe *pipe2;
  38         struct dcerpc_binding *binding;
  39         struct cli_credentials *credentials;
  40         struct netlogon_creds_CredentialState *creds;
  41         uint32_t negotiate_flags;
  42         struct netr_Credential credentials1;
  43         struct netr_Credential credentials2;
  44         struct netr_Credential credentials3;
  45         struct netr_ServerReqChallenge r;
  46         struct netr_ServerAuthenticate2 a;
  47         const struct samr_Password *mach_pwd;
  48 };
  49
  50
  51 static void continue_secondary_connection(struct composite_context *ctx);
  52 static void continue_bind_auth_none(struct composite_context *ctx);
  53 static void continue_srv_challenge(struct tevent_req *subreq);
  54 static void continue_srv_auth2(struct tevent_req *subreq);
  55
  56
  57 /*
  58   Stage 2 of schannel_key: Receive endpoint mapping and request secondary
  59   rpc connection
  60 */
  61 static void continue_epm_map_binding(struct composite_context *ctx)
  62 {
  63         struct composite_context *c;
  64         struct schannel_key_state *s;
  65         struct composite_context *sec_conn_req;
  66
  67         c = talloc_get_type(ctx->async.private_data, struct composite_context);
  68         s = talloc_get_type(c->private_data, struct schannel_key_state);
  69
  70         /* receive endpoint mapping */
  71         c->status = dcerpc_epm_map_binding_recv(ctx);
  72         if (!NT_STATUS_IS_OK(c->status)) {
  73                 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
  74                          NDR_NETLOGON_UUID, nt_errstr(c->status)));
  75                 composite_error(c, c->status);
  76                 return;
  77         }
  78
  79         /* send a request for secondary rpc connection */
  80         sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
  81                                                         s->binding);
  82         if (composite_nomem(sec_conn_req, c)) return;
  83
  84         composite_continue(c, sec_conn_req, continue_secondary_connection, c);
  85 }
  86
  87
  88 /*
  89   Stage 3 of schannel_key: Receive secondary rpc connection and perform
  90   non-authenticated bind request
  91 */
  92 static void continue_secondary_connection(struct composite_context *ctx)
  93 {
  94         struct composite_context *c;
  95         struct schannel_key_state *s;
  96         struct composite_context *auth_none_req;
  97
  98         c = talloc_get_type(ctx->async.private_data, struct composite_context);
  99         s = talloc_get_type(c->private_data, struct schannel_key_state);
 100
 101         /* receive secondary rpc connection */
 102         c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
 103         if (!composite_is_ok(c)) return;
 104
 105         talloc_steal(s, s->pipe2);
 106
 107         /* initiate a non-authenticated bind */
 108         auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
 109         if (composite_nomem(auth_none_req, c)) return;
 110
 111         composite_continue(c, auth_none_req, continue_bind_auth_none, c);
 112 }
 113
 114
 115 /*
 116   Stage 4 of schannel_key: Receive non-authenticated bind and get
 117   a netlogon challenge
 118 */
 119 static void continue_bind_auth_none(struct composite_context *ctx)
 120 {
 121         struct composite_context *c;
 122         struct schannel_key_state *s;
 123         struct tevent_req *subreq;
 124
 125         c = talloc_get_type(ctx->async.private_data, struct composite_context);
 126         s = talloc_get_type(c->private_data, struct schannel_key_state);
 127
 128         /* receive result of non-authenticated bind request */
 129         c->status = dcerpc_bind_auth_none_recv(ctx);
 130         if (!composite_is_ok(c)) return;
 131
 132         /* prepare a challenge request */
 133         s->r.in.server_name   = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
 134         if (composite_nomem(s->r.in.server_name, c)) return;
 135         s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
 136         s->r.in.credentials   = &s->credentials1;
 137         s->r.out.return_credentials  = &s->credentials2;
 138
 139         generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
 140
 141         /*
 142           request a netlogon challenge - a rpc request over opened secondary pipe
 143         */
 144         subreq = dcerpc_netr_ServerReqChallenge_r_send(s, c->event_ctx,
 145                                                        s->pipe2->binding_handle,
 146                                                        &s->r);
 147         if (composite_nomem(subreq, c)) return;
 148
 149         tevent_req_set_callback(subreq, continue_srv_challenge, c);
 150 }
 151
 152
 153 /*
 154   Stage 5 of schannel_key: Receive a challenge and perform authentication
 155   on the netlogon pipe
 156 */
 157 static void continue_srv_challenge(struct tevent_req *subreq)
 158 {
 159         struct composite_context *c;
 160         struct schannel_key_state *s;
 161
 162         c = tevent_req_callback_data(subreq, struct composite_context);
 163         s = talloc_get_type(c->private_data, struct schannel_key_state);
 164
 165         /* receive rpc request result - netlogon challenge */
 166         c->status = dcerpc_netr_ServerReqChallenge_r_recv(subreq, s);
 167         TALLOC_FREE(subreq);
 168         if (!composite_is_ok(c)) return;
 169
 170         /* prepare credentials for auth2 request */
 171         s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
 172
 173         /* auth2 request arguments */
 174         s->a.in.server_name      = s->r.in.server_name;
 175         s->a.in.account_name     = cli_credentials_get_username(s->credentials);
 176         s->a.in.secure_channel_type =
 177                 cli_credentials_get_secure_channel_type(s->credentials);
 178         s->a.in.computer_name    = cli_credentials_get_workstation(s->credentials);
 179         s->a.in.negotiate_flags  = &s->negotiate_flags;
 180         s->a.in.credentials      = &s->credentials3;
 181         s->a.out.negotiate_flags = &s->negotiate_flags;
 182         s->a.out.return_credentials     = &s->credentials3;
 183
 184         s->creds = netlogon_creds_client_init(s,
 185                                               s->a.in.account_name,
 186                                               s->a.in.computer_name,
 187                                               &s->credentials1, &s->credentials2,
 188                                               s->mach_pwd, &s->credentials3, s->negotiate_flags);
 189         if (composite_nomem(s->creds, c)) {
 190                 return;
 191         }
 192         /*
 193           authenticate on the netlogon pipe - a rpc request over secondary pipe
 194         */
 195         subreq = dcerpc_netr_ServerAuthenticate2_r_send(s, c->event_ctx,
 196                                                         s->pipe2->binding_handle,
 197                                                         &s->a);
 198         if (composite_nomem(subreq, c)) return;
 199
 200         tevent_req_set_callback(subreq, continue_srv_auth2, c);
 201 }
 202
 203
 204 /*
 205   Stage 6 of schannel_key: Receive authentication request result and verify
 206   received credentials
 207 */
 208 static void continue_srv_auth2(struct tevent_req *subreq)
 209 {
 210         struct composite_context *c;
 211         struct schannel_key_state *s;
 212
 213         c = tevent_req_callback_data(subreq, struct composite_context);
 214         s = talloc_get_type(c->private_data, struct schannel_key_state);
 215
 216         /* receive rpc request result - auth2 credentials */
 217         c->status = dcerpc_netr_ServerAuthenticate2_r_recv(subreq, s);
 218         TALLOC_FREE(subreq);
 219         if (!composite_is_ok(c)) return;
 220
 221         /* verify credentials */
 222         if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
 223                 composite_error(c, NT_STATUS_UNSUCCESSFUL);
 224                 return;
 225         }
 226
 227         /* setup current netlogon credentials */
 228         cli_credentials_set_netlogon_creds(s->credentials, s->creds);
 229
 230         composite_done(c);
 231 }
 232
 233
 234 /*
 235   Initiate establishing a schannel key using netlogon challenge
 236   on a secondary pipe
 237 */
 238 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 239                                                    struct dcerpc_pipe *p,
 240                                                    struct cli_credentials *credentials,
 241                                                    struct loadparm_context *lp_ctx)
 242 {
 243         struct composite_context *c;
 244         struct schannel_key_state *s;
 245         struct composite_context *epm_map_req;
 246         enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials);
 247
 248         /* composite context allocation and setup */
 249         c = composite_create(mem_ctx, p->conn->event_ctx);
 250         if (c == NULL) return NULL;
 251
 252         s = talloc_zero(c, struct schannel_key_state);
 253         if (composite_nomem(s, c)) return c;
 254         c->private_data = s;
 255
 256         /* store parameters in the state structure */
 257         s->pipe        = p;
 258         s->credentials = credentials;
 259
 260         /* allocate credentials */
 261         /* type of authentication depends on schannel type */
 262         if (schannel_type == SEC_CHAN_RODC) {
 263                 s->negotiate_flags = NETLOGON_NEG_AUTH2_RODC_FLAGS;
 264         } else if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
 265                 s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 266         } else {
 267                 s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
 268         }
 269
 270         /* allocate binding structure */
 271         s->binding = talloc_zero(c, struct dcerpc_binding);
 272         if (composite_nomem(s->binding, c)) return c;
 273
 274         *s->binding = *s->pipe->binding;
 275
 276         /* request the netlogon endpoint mapping */
 277         epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
 278                                                   &ndr_table_netlogon,
 279                                                   s->pipe->conn->event_ctx,
 280                                                   lp_ctx);
 281         if (composite_nomem(epm_map_req, c)) return c;
 282
 283         composite_continue(c, epm_map_req, continue_epm_map_binding, c);
 284         return c;
 285 }
 286
 287
 288 /*
 289   Receive result of schannel key request
 290  */
 291 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
 292 {
 293         NTSTATUS status = composite_wait(c);
 294
 295         talloc_free(c);
 296         return status;
 297 }
 298
 299
 300 struct auth_schannel_state {
 301         struct dcerpc_pipe *pipe;
 302         struct cli_credentials *credentials;
 303         const struct ndr_interface_table *table;
 304         struct loadparm_context *lp_ctx;
 305         uint8_t auth_level;
 306 };
 307
 308
 309 static void continue_bind_auth(struct composite_context *ctx);
 310
 311
 312 /*
 313   Stage 2 of auth_schannel: Receive schannel key and intitiate an
 314   authenticated bind using received credentials
 315  */
 316 static void continue_schannel_key(struct composite_context *ctx)
 317 {
 318         struct composite_context *auth_req;
 319         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 320                                                       struct composite_context);
 321         struct auth_schannel_state *s = talloc_get_type(c->private_data,
 322                                                         struct auth_schannel_state);
 323         NTSTATUS status;
 324
 325         /* receive schannel key */
 326         status = c->status = dcerpc_schannel_key_recv(ctx);
 327         if (!composite_is_ok(c)) {
 328                 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
 329                 return;
 330         }
 331
 332         /* send bind auth request with received creds */
 333         auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
 334                                          lpcfg_gensec_settings(c, s->lp_ctx),
 335                                          DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
 336                                          NULL);
 337         if (composite_nomem(auth_req, c)) return;
 338
 339         composite_continue(c, auth_req, continue_bind_auth, c);
 340 }
 341
 342
 343 /*
 344   Stage 3 of auth_schannel: Receivce result of authenticated bind
 345   and say if we're done ok.
 346 */
 347 static void continue_bind_auth(struct composite_context *ctx)
 348 {
 349         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 350                                                       struct composite_context);
 351
 352         c->status = dcerpc_bind_auth_recv(ctx);
 353         if (!composite_is_ok(c)) return;
 354
 355         composite_done(c);
 356 }
 357
 358
 359 /*
 360   Initiate schannel authentication request
 361 */
 362 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
 363                                                          struct dcerpc_pipe *p,
 364                                                          const struct ndr_interface_table *table,
 365                                                          struct cli_credentials *credentials,
 366                                                          struct loadparm_context *lp_ctx,
 367                                                          uint8_t auth_level)
 368 {
 369         struct composite_context *c;
 370         struct auth_schannel_state *s;
 371         struct composite_context *schan_key_req;
 372
 373         /* composite context allocation and setup */
 374         c = composite_create(tmp_ctx, p->conn->event_ctx);
 375         if (c == NULL) return NULL;
 376
 377         s = talloc_zero(c, struct auth_schannel_state);
 378         if (composite_nomem(s, c)) return c;
 379         c->private_data = s;
 380
 381         /* store parameters in the state structure */
 382         s->pipe        = p;
 383         s->credentials = credentials;
 384         s->table       = table;
 385         s->auth_level  = auth_level;
 386         s->lp_ctx      = lp_ctx;
 387
 388         /* start getting schannel key first */
 389         schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
 390         if (composite_nomem(schan_key_req, c)) return c;
 391
 392         composite_continue(c, schan_key_req, continue_schannel_key, c);
 393         return c;
 394 }
 395
 396
 397 /*
 398   Receive result of schannel authentication request
 399 */
 400 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
 401 {
 402         NTSTATUS status = composite_wait(c);
 403
 404         talloc_free(c);
 405         return status;
 406 }
 407
 408
 409 /*
 410   Perform schannel authenticated bind - sync version
 411  */
 412 _PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
 413                                    struct dcerpc_pipe *p,
 414                                    const struct ndr_interface_table *table,
 415                                    struct cli_credentials *credentials,
 416                                    struct loadparm_context *lp_ctx,
 417                                    uint8_t auth_level)
 418 {
 419         struct composite_context *c;
 420
 421         c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
 422                                            auth_level);
 423         return dcerpc_bind_auth_schannel_recv(c);
 424 }