source4/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Rafal Szczesniak 2006
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include <tevent.h>
  26 #include "auth/auth.h"
  27 #include "libcli/composite/composite.h"
  28 #include "libcli/auth/libcli_auth.h"
  29 #include "librpc/gen_ndr/ndr_netlogon.h"
  30 #include "librpc/gen_ndr/ndr_netlogon_c.h"
  31 #include "auth/credentials/credentials.h"
  32 #include "librpc/rpc/dcerpc_proto.h"
  33 #include "param/param.h"
  34
  35 struct schannel_key_state {
  36         struct dcerpc_pipe *pipe;
  37         struct dcerpc_pipe *pipe2;
  38         struct dcerpc_binding *binding;
  39         bool dcerpc_schannel_auto;
  40         struct cli_credentials *credentials;
  41         struct netlogon_creds_CredentialState *creds;
  42         uint32_t local_negotiate_flags;
  43         uint32_t remote_negotiate_flags;
  44         struct netr_Credential credentials1;
  45         struct netr_Credential credentials2;
  46         struct netr_Credential credentials3;
  47         struct netr_ServerReqChallenge r;
  48         struct netr_ServerAuthenticate2 a;
  49         const struct samr_Password *mach_pwd;
  50 };
  51
  52
  53 static void continue_secondary_connection(struct composite_context *ctx);
  54 static void continue_bind_auth_none(struct composite_context *ctx);
  55 static void continue_srv_challenge(struct tevent_req *subreq);
  56 static void continue_srv_auth2(struct tevent_req *subreq);
  57
  58
  59 /*
  60   Stage 2 of schannel_key: Receive endpoint mapping and request secondary
  61   rpc connection
  62 */
  63 static void continue_epm_map_binding(struct composite_context *ctx)
  64 {
  65         struct composite_context *c;
  66         struct schannel_key_state *s;
  67         struct composite_context *sec_conn_req;
  68
  69         c = talloc_get_type(ctx->async.private_data, struct composite_context);
  70         s = talloc_get_type(c->private_data, struct schannel_key_state);
  71
  72         /* receive endpoint mapping */
  73         c->status = dcerpc_epm_map_binding_recv(ctx);
  74         if (!NT_STATUS_IS_OK(c->status)) {
  75                 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
  76                          NDR_NETLOGON_UUID, nt_errstr(c->status)));
  77                 composite_error(c, c->status);
  78                 return;
  79         }
  80
  81         /* send a request for secondary rpc connection */
  82         sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
  83                                                         s->binding);
  84         if (composite_nomem(sec_conn_req, c)) return;
  85
  86         composite_continue(c, sec_conn_req, continue_secondary_connection, c);
  87 }
  88
  89
  90 /*
  91   Stage 3 of schannel_key: Receive secondary rpc connection and perform
  92   non-authenticated bind request
  93 */
  94 static void continue_secondary_connection(struct composite_context *ctx)
  95 {
  96         struct composite_context *c;
  97         struct schannel_key_state *s;
  98         struct composite_context *auth_none_req;
  99
 100         c = talloc_get_type(ctx->async.private_data, struct composite_context);
 101         s = talloc_get_type(c->private_data, struct schannel_key_state);
 102
 103         /* receive secondary rpc connection */
 104         c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
 105         if (!composite_is_ok(c)) return;
 106
 107         talloc_steal(s, s->pipe2);
 108
 109         /* initiate a non-authenticated bind */
 110         auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
 111         if (composite_nomem(auth_none_req, c)) return;
 112
 113         composite_continue(c, auth_none_req, continue_bind_auth_none, c);
 114 }
 115
 116
 117 /*
 118   Stage 4 of schannel_key: Receive non-authenticated bind and get
 119   a netlogon challenge
 120 */
 121 static void continue_bind_auth_none(struct composite_context *ctx)
 122 {
 123         struct composite_context *c;
 124         struct schannel_key_state *s;
 125         struct tevent_req *subreq;
 126
 127         c = talloc_get_type(ctx->async.private_data, struct composite_context);
 128         s = talloc_get_type(c->private_data, struct schannel_key_state);
 129
 130         /* receive result of non-authenticated bind request */
 131         c->status = dcerpc_bind_auth_none_recv(ctx);
 132         if (!composite_is_ok(c)) return;
 133
 134         /* prepare a challenge request */
 135         s->r.in.server_name   = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
 136         if (composite_nomem(s->r.in.server_name, c)) return;
 137         s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
 138         s->r.in.credentials   = &s->credentials1;
 139         s->r.out.return_credentials  = &s->credentials2;
 140
 141         generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
 142
 143         /*
 144           request a netlogon challenge - a rpc request over opened secondary pipe
 145         */
 146         subreq = dcerpc_netr_ServerReqChallenge_r_send(s, c->event_ctx,
 147                                                        s->pipe2->binding_handle,
 148                                                        &s->r);
 149         if (composite_nomem(subreq, c)) return;
 150
 151         tevent_req_set_callback(subreq, continue_srv_challenge, c);
 152 }
 153
 154
 155 /*
 156   Stage 5 of schannel_key: Receive a challenge and perform authentication
 157   on the netlogon pipe
 158 */
 159 static void continue_srv_challenge(struct tevent_req *subreq)
 160 {
 161         struct composite_context *c;
 162         struct schannel_key_state *s;
 163
 164         c = tevent_req_callback_data(subreq, struct composite_context);
 165         s = talloc_get_type(c->private_data, struct schannel_key_state);
 166
 167         /* receive rpc request result - netlogon challenge */
 168         c->status = dcerpc_netr_ServerReqChallenge_r_recv(subreq, s);
 169         TALLOC_FREE(subreq);
 170         if (!composite_is_ok(c)) return;
 171
 172         /* prepare credentials for auth2 request */
 173         s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
 174
 175         /* auth2 request arguments */
 176         s->a.in.server_name      = s->r.in.server_name;
 177         s->a.in.account_name     = cli_credentials_get_username(s->credentials);
 178         s->a.in.secure_channel_type =
 179                 cli_credentials_get_secure_channel_type(s->credentials);
 180         s->a.in.computer_name    = cli_credentials_get_workstation(s->credentials);
 181         s->a.in.negotiate_flags  = &s->local_negotiate_flags;
 182         s->a.in.credentials      = &s->credentials3;
 183         s->a.out.negotiate_flags = &s->remote_negotiate_flags;
 184         s->a.out.return_credentials     = &s->credentials3;
 185
 186         s->creds = netlogon_creds_client_init(s,
 187                                               s->a.in.account_name,
 188                                               s->a.in.computer_name,
 189                                               &s->credentials1, &s->credentials2,
 190                                               s->mach_pwd, &s->credentials3,
 191                                               s->local_negotiate_flags);
 192         if (composite_nomem(s->creds, c)) {
 193                 return;
 194         }
 195         /*
 196           authenticate on the netlogon pipe - a rpc request over secondary pipe
 197         */
 198         subreq = dcerpc_netr_ServerAuthenticate2_r_send(s, c->event_ctx,
 199                                                         s->pipe2->binding_handle,
 200                                                         &s->a);
 201         if (composite_nomem(subreq, c)) return;
 202
 203         tevent_req_set_callback(subreq, continue_srv_auth2, c);
 204 }
 205
 206
 207 /*
 208   Stage 6 of schannel_key: Receive authentication request result and verify
 209   received credentials
 210 */
 211 static void continue_srv_auth2(struct tevent_req *subreq)
 212 {
 213         struct composite_context *c;
 214         struct schannel_key_state *s;
 215
 216         c = tevent_req_callback_data(subreq, struct composite_context);
 217         s = talloc_get_type(c->private_data, struct schannel_key_state);
 218
 219         /* receive rpc request result - auth2 credentials */
 220         c->status = dcerpc_netr_ServerAuthenticate2_r_recv(subreq, s);
 221         TALLOC_FREE(subreq);
 222         if (!composite_is_ok(c)) return;
 223
 224         /*
 225          * Strong keys could be unsupported (NT4) or disables. So retry with the
 226          * flags returned by the server. - asn
 227          */
 228         if (NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED) &&
 229             s->dcerpc_schannel_auto &&
 230             (s->local_negotiate_flags & NETLOGON_NEG_STRONG_KEYS)) {
 231                 DEBUG(3, ("Server doesn't support strong keys, "
 232                           "downgrade and retry!\n"));
 233                 s->local_negotiate_flags = s->remote_negotiate_flags;
 234
 235                 generate_random_buffer(s->credentials1.data,
 236                                        sizeof(s->credentials1.data));
 237
 238                 subreq = dcerpc_netr_ServerReqChallenge_r_send(s,
 239                                                                c->event_ctx,
 240                                                                s->pipe2->binding_handle,
 241                                                                &s->r);
 242                 if (composite_nomem(subreq, c)) return;
 243
 244                 tevent_req_set_callback(subreq, continue_srv_challenge, c);
 245                 return;
 246         }
 247
 248         s->creds->negotiate_flags = s->remote_negotiate_flags;
 249
 250         /* verify credentials */
 251         if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
 252                 composite_error(c, NT_STATUS_UNSUCCESSFUL);
 253                 return;
 254         }
 255
 256         /* setup current netlogon credentials */
 257         cli_credentials_set_netlogon_creds(s->credentials, s->creds);
 258
 259         composite_done(c);
 260 }
 261
 262
 263 /*
 264   Initiate establishing a schannel key using netlogon challenge
 265   on a secondary pipe
 266 */
 267 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 268                                                    struct dcerpc_pipe *p,
 269                                                    struct cli_credentials *credentials,
 270                                                    struct loadparm_context *lp_ctx)
 271 {
 272         struct composite_context *c;
 273         struct schannel_key_state *s;
 274         struct composite_context *epm_map_req;
 275         enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials);
 276
 277         /* composite context allocation and setup */
 278         c = composite_create(mem_ctx, p->conn->event_ctx);
 279         if (c == NULL) return NULL;
 280
 281         s = talloc_zero(c, struct schannel_key_state);
 282         if (composite_nomem(s, c)) return c;
 283         c->private_data = s;
 284
 285         /* store parameters in the state structure */
 286         s->pipe        = p;
 287         s->credentials = credentials;
 288         s->local_negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
 289
 290         /* allocate credentials */
 291         /* type of authentication depends on schannel type */
 292         if (schannel_type == SEC_CHAN_RODC) {
 293                 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_RODC_FLAGS;
 294         }
 295         if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
 296                 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 297         }
 298         if (s->pipe->conn->flags & DCERPC_SCHANNEL_AUTO) {
 299                 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 300                 s->dcerpc_schannel_auto = true;
 301         }
 302
 303         /* allocate binding structure */
 304         s->binding = talloc_zero(c, struct dcerpc_binding);
 305         if (composite_nomem(s->binding, c)) return c;
 306
 307         *s->binding = *s->pipe->binding;
 308
 309         /* request the netlogon endpoint mapping */
 310         epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
 311                                                   &ndr_table_netlogon,
 312                                                   s->pipe->conn->event_ctx,
 313                                                   lp_ctx);
 314         if (composite_nomem(epm_map_req, c)) return c;
 315
 316         composite_continue(c, epm_map_req, continue_epm_map_binding, c);
 317         return c;
 318 }
 319
 320
 321 /*
 322   Receive result of schannel key request
 323  */
 324 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
 325 {
 326         NTSTATUS status = composite_wait(c);
 327
 328         talloc_free(c);
 329         return status;
 330 }
 331
 332
 333 struct auth_schannel_state {
 334         struct dcerpc_pipe *pipe;
 335         struct cli_credentials *credentials;
 336         const struct ndr_interface_table *table;
 337         struct loadparm_context *lp_ctx;
 338         uint8_t auth_level;
 339 };
 340
 341
 342 static void continue_bind_auth(struct composite_context *ctx);
 343
 344
 345 /*
 346   Stage 2 of auth_schannel: Receive schannel key and intitiate an
 347   authenticated bind using received credentials
 348  */
 349 static void continue_schannel_key(struct composite_context *ctx)
 350 {
 351         struct composite_context *auth_req;
 352         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 353                                                       struct composite_context);
 354         struct auth_schannel_state *s = talloc_get_type(c->private_data,
 355                                                         struct auth_schannel_state);
 356         NTSTATUS status;
 357
 358         /* receive schannel key */
 359         status = c->status = dcerpc_schannel_key_recv(ctx);
 360         if (!composite_is_ok(c)) {
 361                 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
 362                 return;
 363         }
 364
 365         /* send bind auth request with received creds */
 366         auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
 367                                          lpcfg_gensec_settings(c, s->lp_ctx),
 368                                          DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
 369                                          NULL);
 370         if (composite_nomem(auth_req, c)) return;
 371
 372         composite_continue(c, auth_req, continue_bind_auth, c);
 373 }
 374
 375
 376 /*
 377   Stage 3 of auth_schannel: Receivce result of authenticated bind
 378   and say if we're done ok.
 379 */
 380 static void continue_bind_auth(struct composite_context *ctx)
 381 {
 382         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 383                                                       struct composite_context);
 384
 385         c->status = dcerpc_bind_auth_recv(ctx);
 386         if (!composite_is_ok(c)) return;
 387
 388         composite_done(c);
 389 }
 390
 391
 392 /*
 393   Initiate schannel authentication request
 394 */
 395 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
 396                                                          struct dcerpc_pipe *p,
 397                                                          const struct ndr_interface_table *table,
 398                                                          struct cli_credentials *credentials,
 399                                                          struct loadparm_context *lp_ctx,
 400                                                          uint8_t auth_level)
 401 {
 402         struct composite_context *c;
 403         struct auth_schannel_state *s;
 404         struct composite_context *schan_key_req;
 405
 406         /* composite context allocation and setup */
 407         c = composite_create(tmp_ctx, p->conn->event_ctx);
 408         if (c == NULL) return NULL;
 409
 410         s = talloc_zero(c, struct auth_schannel_state);
 411         if (composite_nomem(s, c)) return c;
 412         c->private_data = s;
 413
 414         /* store parameters in the state structure */
 415         s->pipe        = p;
 416         s->credentials = credentials;
 417         s->table       = table;
 418         s->auth_level  = auth_level;
 419         s->lp_ctx      = lp_ctx;
 420
 421         /* start getting schannel key first */
 422         schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
 423         if (composite_nomem(schan_key_req, c)) return c;
 424
 425         composite_continue(c, schan_key_req, continue_schannel_key, c);
 426         return c;
 427 }
 428
 429
 430 /*
 431   Receive result of schannel authentication request
 432 */
 433 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
 434 {
 435         NTSTATUS status = composite_wait(c);
 436
 437         talloc_free(c);
 438         return status;
 439 }
 440
 441
 442 /*
 443   Perform schannel authenticated bind - sync version
 444  */
 445 _PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
 446                                    struct dcerpc_pipe *p,
 447                                    const struct ndr_interface_table *table,
 448                                    struct cli_credentials *credentials,
 449                                    struct loadparm_context *lp_ctx,
 450                                    uint8_t auth_level)
 451 {
 452         struct composite_context *c;
 453
 454         c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
 455                                            auth_level);
 456         return dcerpc_bind_auth_schannel_recv(c);
 457 }