source4/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Rafal Szczesniak 2006
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "auth/auth.h"
  26 #include "libcli/composite/composite.h"
  27 #include "libcli/auth/libcli_auth.h"
  28 #include "librpc/gen_ndr/ndr_netlogon.h"
  29 #include "librpc/gen_ndr/ndr_netlogon_c.h"
  30 #include "auth/credentials/credentials.h"
  31 #include "librpc/rpc/dcerpc_proto.h"
  32 #include "param/param.h"
  33
  34 struct schannel_key_state {
  35         struct dcerpc_pipe *pipe;
  36         struct dcerpc_pipe *pipe2;
  37         struct dcerpc_binding *binding;
  38         struct cli_credentials *credentials;
  39         struct netlogon_creds_CredentialState *creds;
  40         uint32_t negotiate_flags;
  41         struct netr_Credential credentials1;
  42         struct netr_Credential credentials2;
  43         struct netr_Credential credentials3;
  44         struct netr_ServerReqChallenge r;
  45         struct netr_ServerAuthenticate2 a;
  46         const struct samr_Password *mach_pwd;
  47 };
  48
  49
  50 static void continue_secondary_connection(struct composite_context *ctx);
  51 static void continue_bind_auth_none(struct composite_context *ctx);
  52 static void continue_srv_challenge(struct rpc_request *req);
  53 static void continue_srv_auth2(struct rpc_request *req);
  54
  55
  56 /*
  57   Stage 2 of schannel_key: Receive endpoint mapping and request secondary
  58   rpc connection
  59 */
  60 static void continue_epm_map_binding(struct composite_context *ctx)
  61 {
  62         struct composite_context *c;
  63         struct schannel_key_state *s;
  64         struct composite_context *sec_conn_req;
  65
  66         c = talloc_get_type(ctx->async.private_data, struct composite_context);
  67         s = talloc_get_type(c->private_data, struct schannel_key_state);
  68
  69         /* receive endpoint mapping */
  70         c->status = dcerpc_epm_map_binding_recv(ctx);
  71         if (!NT_STATUS_IS_OK(c->status)) {
  72                 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
  73                          NDR_NETLOGON_UUID, nt_errstr(c->status)));
  74                 composite_error(c, c->status);
  75                 return;
  76         }
  77
  78         /* send a request for secondary rpc connection */
  79         sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
  80                                                         s->binding);
  81         if (composite_nomem(sec_conn_req, c)) return;
  82
  83         composite_continue(c, sec_conn_req, continue_secondary_connection, c);
  84 }
  85
  86
  87 /*
  88   Stage 3 of schannel_key: Receive secondary rpc connection and perform
  89   non-authenticated bind request
  90 */
  91 static void continue_secondary_connection(struct composite_context *ctx)
  92 {
  93         struct composite_context *c;
  94         struct schannel_key_state *s;
  95         struct composite_context *auth_none_req;
  96
  97         c = talloc_get_type(ctx->async.private_data, struct composite_context);
  98         s = talloc_get_type(c->private_data, struct schannel_key_state);
  99
 100         /* receive secondary rpc connection */
 101         c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
 102         if (!composite_is_ok(c)) return;
 103
 104         talloc_steal(s, s->pipe2);
 105
 106         /* initiate a non-authenticated bind */
 107         auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
 108         if (composite_nomem(auth_none_req, c)) return;
 109
 110         composite_continue(c, auth_none_req, continue_bind_auth_none, c);
 111 }
 112
 113
 114 /*
 115   Stage 4 of schannel_key: Receive non-authenticated bind and get
 116   a netlogon challenge
 117 */
 118 static void continue_bind_auth_none(struct composite_context *ctx)
 119 {
 120         struct composite_context *c;
 121         struct schannel_key_state *s;
 122         struct rpc_request *srv_challenge_req;
 123
 124         c = talloc_get_type(ctx->async.private_data, struct composite_context);
 125         s = talloc_get_type(c->private_data, struct schannel_key_state);
 126
 127         /* receive result of non-authenticated bind request */
 128         c->status = dcerpc_bind_auth_none_recv(ctx);
 129         if (!composite_is_ok(c)) return;
 130
 131         /* prepare a challenge request */
 132         s->r.in.server_name   = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
 133         if (composite_nomem(s->r.in.server_name, c)) return;
 134         s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
 135         s->r.in.credentials   = &s->credentials1;
 136         s->r.out.return_credentials  = &s->credentials2;
 137
 138         generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
 139
 140         /*
 141           request a netlogon challenge - a rpc request over opened secondary pipe
 142         */
 143         srv_challenge_req = dcerpc_netr_ServerReqChallenge_send(s->pipe2, c, &s->r);
 144         if (composite_nomem(srv_challenge_req, c)) return;
 145
 146         composite_continue_rpc(c, srv_challenge_req, continue_srv_challenge, c);
 147 }
 148
 149
 150 /*
 151   Stage 5 of schannel_key: Receive a challenge and perform authentication
 152   on the netlogon pipe
 153 */
 154 static void continue_srv_challenge(struct rpc_request *req)
 155 {
 156         struct composite_context *c;
 157         struct schannel_key_state *s;
 158         struct rpc_request *srv_auth2_req;
 159
 160         c = talloc_get_type(req->async.private_data, struct composite_context);
 161         s = talloc_get_type(c->private_data, struct schannel_key_state);
 162
 163         /* receive rpc request result - netlogon challenge */
 164         c->status = dcerpc_ndr_request_recv(req);
 165         if (!composite_is_ok(c)) return;
 166
 167         /* prepare credentials for auth2 request */
 168         s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
 169
 170         /* auth2 request arguments */
 171         s->a.in.server_name      = s->r.in.server_name;
 172         s->a.in.account_name     = cli_credentials_get_username(s->credentials);
 173         s->a.in.secure_channel_type =
 174                 cli_credentials_get_secure_channel_type(s->credentials);
 175         s->a.in.computer_name    = cli_credentials_get_workstation(s->credentials);
 176         s->a.in.negotiate_flags  = &s->negotiate_flags;
 177         s->a.in.credentials      = &s->credentials3;
 178         s->a.out.negotiate_flags = &s->negotiate_flags;
 179         s->a.out.return_credentials     = &s->credentials3;
 180
 181         s->creds = netlogon_creds_client_init(s,
 182                                               s->a.in.account_name,
 183                                               s->a.in.computer_name,
 184                                               &s->credentials1, &s->credentials2,
 185                                               s->mach_pwd, &s->credentials3, s->negotiate_flags);
 186         if (composite_nomem(s->creds, c)) {
 187                 return;
 188         }
 189         /*
 190           authenticate on the netlogon pipe - a rpc request over secondary pipe
 191         */
 192         srv_auth2_req = dcerpc_netr_ServerAuthenticate2_send(s->pipe2, c, &s->a);
 193         if (composite_nomem(srv_auth2_req, c)) return;
 194
 195         composite_continue_rpc(c, srv_auth2_req, continue_srv_auth2, c);
 196 }
 197
 198
 199 /*
 200   Stage 6 of schannel_key: Receive authentication request result and verify
 201   received credentials
 202 */
 203 static void continue_srv_auth2(struct rpc_request *req)
 204 {
 205         struct composite_context *c;
 206         struct schannel_key_state *s;
 207
 208         c = talloc_get_type(req->async.private_data, struct composite_context);
 209         s = talloc_get_type(c->private_data, struct schannel_key_state);
 210
 211         /* receive rpc request result - auth2 credentials */
 212         c->status = dcerpc_ndr_request_recv(req);
 213         if (!composite_is_ok(c)) return;
 214
 215         /* verify credentials */
 216         if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
 217                 composite_error(c, NT_STATUS_UNSUCCESSFUL);
 218                 return;
 219         }
 220
 221         /* setup current netlogon credentials */
 222         cli_credentials_set_netlogon_creds(s->credentials, s->creds);
 223
 224         composite_done(c);
 225 }
 226
 227
 228 /*
 229   Initiate establishing a schannel key using netlogon challenge
 230   on a secondary pipe
 231 */
 232 struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 233                                                    struct dcerpc_pipe *p,
 234                                                    struct cli_credentials *credentials,
 235                                                    struct loadparm_context *lp_ctx)
 236 {
 237         struct composite_context *c;
 238         struct schannel_key_state *s;
 239         struct composite_context *epm_map_req;
 240
 241         /* composite context allocation and setup */
 242         c = composite_create(mem_ctx, p->conn->event_ctx);
 243         if (c == NULL) return NULL;
 244
 245         s = talloc_zero(c, struct schannel_key_state);
 246         if (composite_nomem(s, c)) return c;
 247         c->private_data = s;
 248
 249         /* store parameters in the state structure */
 250         s->pipe        = p;
 251         s->credentials = credentials;
 252
 253         /* allocate credentials */
 254         /* type of authentication depends on schannel type */
 255         if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
 256                 s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 257         } else {
 258                 s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
 259         }
 260
 261         /* allocate binding structure */
 262         s->binding = talloc(c, struct dcerpc_binding);
 263         if (composite_nomem(s->binding, c)) return c;
 264
 265         *s->binding = *s->pipe->binding;
 266
 267         /* request the netlogon endpoint mapping */
 268         epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
 269                                                   &ndr_table_netlogon,
 270                                                   s->pipe->conn->event_ctx,
 271                                                   lp_ctx);
 272         if (composite_nomem(epm_map_req, c)) return c;
 273
 274         composite_continue(c, epm_map_req, continue_epm_map_binding, c);
 275         return c;
 276 }
 277
 278
 279 /*
 280   Receive result of schannel key request
 281  */
 282 NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
 283 {
 284         NTSTATUS status = composite_wait(c);
 285
 286         talloc_free(c);
 287         return status;
 288 }
 289
 290
 291 struct auth_schannel_state {
 292         struct dcerpc_pipe *pipe;
 293         struct cli_credentials *credentials;
 294         const struct ndr_interface_table *table;
 295         struct loadparm_context *lp_ctx;
 296         uint8_t auth_level;
 297 };
 298
 299
 300 static void continue_bind_auth(struct composite_context *ctx);
 301
 302
 303 /*
 304   Stage 2 of auth_schannel: Receive schannel key and intitiate an
 305   authenticated bind using received credentials
 306  */
 307 static void continue_schannel_key(struct composite_context *ctx)
 308 {
 309         struct composite_context *auth_req;
 310         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 311                                                       struct composite_context);
 312         struct auth_schannel_state *s = talloc_get_type(c->private_data,
 313                                                         struct auth_schannel_state);
 314
 315         /* receive schannel key */
 316         c->status = dcerpc_schannel_key_recv(ctx);
 317         if (!composite_is_ok(c)) {
 318                 DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
 319                           cli_credentials_get_username(s->credentials), nt_errstr(c->status)));
 320                 return;
 321         }
 322
 323         /* send bind auth request with received creds */
 324         auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
 325                                          lp_gensec_settings(c, s->lp_ctx),
 326                                          DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
 327                                          NULL);
 328         if (composite_nomem(auth_req, c)) return;
 329
 330         composite_continue(c, auth_req, continue_bind_auth, c);
 331 }
 332
 333
 334 /*
 335   Stage 3 of auth_schannel: Receivce result of authenticated bind
 336   and say if we're done ok.
 337 */
 338 static void continue_bind_auth(struct composite_context *ctx)
 339 {
 340         struct composite_context *c = talloc_get_type(ctx->async.private_data,
 341                                                       struct composite_context);
 342
 343         c->status = dcerpc_bind_auth_recv(ctx);
 344         if (!composite_is_ok(c)) return;
 345
 346         composite_done(c);
 347 }
 348
 349
 350 /*
 351   Initiate schannel authentication request
 352 */
 353 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
 354                                                          struct dcerpc_pipe *p,
 355                                                          const struct ndr_interface_table *table,
 356                                                          struct cli_credentials *credentials,
 357                                                          struct loadparm_context *lp_ctx,
 358                                                          uint8_t auth_level)
 359 {
 360         struct composite_context *c;
 361         struct auth_schannel_state *s;
 362         struct composite_context *schan_key_req;
 363
 364         /* composite context allocation and setup */
 365         c = composite_create(tmp_ctx, p->conn->event_ctx);
 366         if (c == NULL) return NULL;
 367
 368         s = talloc_zero(c, struct auth_schannel_state);
 369         if (composite_nomem(s, c)) return c;
 370         c->private_data = s;
 371
 372         /* store parameters in the state structure */
 373         s->pipe        = p;
 374         s->credentials = credentials;
 375         s->table       = table;
 376         s->auth_level  = auth_level;
 377         s->lp_ctx      = lp_ctx;
 378
 379         /* start getting schannel key first */
 380         schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
 381         if (composite_nomem(schan_key_req, c)) return c;
 382
 383         composite_continue(c, schan_key_req, continue_schannel_key, c);
 384         return c;
 385 }
 386
 387
 388 /*
 389   Receive result of schannel authentication request
 390 */
 391 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
 392 {
 393         NTSTATUS status = composite_wait(c);
 394
 395         talloc_free(c);
 396         return status;
 397 }
 398
 399
 400 /*
 401   Perform schannel authenticated bind - sync version
 402  */
 403 _PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
 404                                    struct dcerpc_pipe *p,
 405                                    const struct ndr_interface_table *table,
 406                                    struct cli_credentials *credentials,
 407                                    struct loadparm_context *lp_ctx,
 408                                    uint8_t auth_level)
 409 {
 410         struct composite_context *c;
 411
 412         c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
 413                                            auth_level);
 414         return dcerpc_bind_auth_schannel_recv(c);
 415 }