source4/librpc/rpc/dcerpc_schannel.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    dcerpc schannel operations
   5
   6    Copyright (C) Andrew Tridgell 2004
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24
  25 /*
  26   wrappers for the schannel_*() functions
  27 */
  28 static NTSTATUS schan_unseal_packet(struct dcerpc_security *dcerpc_security,
  29                                     TALLOC_CTX *mem_ctx,
  30                                     uint8_t *data, size_t length, DATA_BLOB *sig)
  31 {
  32         struct schannel_state *schannel_state = dcerpc_security->private;
  33         return schannel_unseal_packet(schannel_state, mem_ctx, data, length, sig);
  34 }
  35
  36 static NTSTATUS schan_check_packet(struct dcerpc_security *dcerpc_security,
  37                                    TALLOC_CTX *mem_ctx,
  38                                    const uint8_t *data, size_t length,
  39                                    const DATA_BLOB *sig)
  40 {
  41         struct schannel_state *schannel_state = dcerpc_security->private;
  42         return schannel_check_packet(schannel_state, data, length, sig);
  43 }
  44
  45 static NTSTATUS schan_seal_packet(struct dcerpc_security *dcerpc_security,
  46                                   TALLOC_CTX *mem_ctx,
  47                                   uint8_t *data, size_t length,
  48                                   DATA_BLOB *sig)
  49 {
  50         struct schannel_state *schannel_state = dcerpc_security->private;
  51         return schannel_seal_packet(schannel_state, mem_ctx, data, length, sig);
  52 }
  53
  54 static NTSTATUS schan_sign_packet(struct dcerpc_security *dcerpc_security,
  55                                  TALLOC_CTX *mem_ctx,
  56                                  const uint8_t *data, size_t length,
  57                                  DATA_BLOB *sig)
  58 {
  59         struct schannel_state *schannel_state = dcerpc_security->private;
  60         return schannel_sign_packet(schannel_state, mem_ctx, data, length, sig);
  61 }
  62
  63 static NTSTATUS schan_session_key(struct dcerpc_security *dcerpc_security,
  64                                   DATA_BLOB *session_key)
  65 {
  66         return NT_STATUS_NOT_IMPLEMENTED;
  67 }
  68
  69 static void schan_security_end(struct dcerpc_security *dcerpc_security)
  70 {
  71         struct schannel_state *schannel_state = dcerpc_security->private;
  72         schannel_end(&schannel_state);
  73 }
  74
  75
  76 /*
  77   get a schannel key using a netlogon challenge on a secondary pipe
  78 */
  79 NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
  80                              const char *domain,
  81                              const char *username,
  82                              const char *password,
  83                              int chan_type,
  84                              uint8_t new_session_key[8])
  85 {
  86         NTSTATUS status;
  87         struct dcerpc_pipe *p2;
  88         struct netr_ServerReqChallenge r;
  89         struct netr_ServerAuthenticate2 a;
  90         struct netr_Credential credentials1, credentials2, credentials3;
  91         struct samr_Password mach_pwd;
  92         struct creds_CredentialState creds;
  93         const char *workgroup, *workstation;
  94         uint32_t negotiate_flags = 0;
  95
  96         workstation = username;
  97         workgroup = domain;
  98
  99         /*
 100           step 1 - establish a netlogon connection, with no authentication
 101         */
 102         status = dcerpc_secondary_smb(p, &p2,
 103                                       DCERPC_NETLOGON_NAME,
 104                                       DCERPC_NETLOGON_UUID,
 105                                       DCERPC_NETLOGON_VERSION);
 106
 107
 108         /*
 109           step 2 - request a netlogon challenge
 110         */
 111         r.in.server_name = talloc_asprintf(p->mem_ctx, "\\\\%s", dcerpc_server_name(p));
 112         r.in.computer_name = workstation;
 113         r.in.credentials = &credentials1;
 114         r.out.credentials = &credentials2;
 115
 116         generate_random_buffer(credentials1.data, sizeof(credentials1.data), False);
 117
 118         status = dcerpc_netr_ServerReqChallenge(p2, p->mem_ctx, &r);
 119         if (!NT_STATUS_IS_OK(status)) {
 120                 return status;
 121         }
 122
 123         /*
 124           step 3 - authenticate on the netlogon pipe
 125         */
 126         E_md4hash(password, mach_pwd.hash);
 127         creds_client_init(&creds, &credentials1, &credentials2, &mach_pwd, &credentials3,
 128                           negotiate_flags);
 129
 130         a.in.server_name = r.in.server_name;
 131         a.in.account_name = talloc_asprintf(p->mem_ctx, "%s$", workstation);
 132         a.in.secure_channel_type = chan_type;
 133         a.in.computer_name = workstation;
 134         a.in.negotiate_flags = &negotiate_flags;
 135         a.out.negotiate_flags = &negotiate_flags;
 136         a.in.credentials = &credentials3;
 137         a.out.credentials = &credentials3;
 138
 139         status = dcerpc_netr_ServerAuthenticate2(p2, p->mem_ctx, &a);
 140         if (!NT_STATUS_IS_OK(status)) {
 141                 return status;
 142         }
 143
 144         if (!creds_client_check(&creds, a.out.credentials)) {
 145                 return NT_STATUS_UNSUCCESSFUL;
 146         }
 147
 148         /*
 149           the schannel session key is now in creds.session_key
 150
 151           we no longer need the netlogon pipe open
 152         */
 153         dcerpc_pipe_close(p2);
 154
 155         memcpy(new_session_key, creds.session_key, 8);
 156
 157         return NT_STATUS_OK;
 158 }
 159
 160
 161 /*
 162   do a schannel style bind on a dcerpc pipe with the given schannel
 163   key. The username is usually of the form HOSTNAME$ and the password
 164   is the domain trust password
 165 */
 166 NTSTATUS dcerpc_bind_auth_schannel_key(struct dcerpc_pipe *p,
 167                                        const char *uuid, uint_t version,
 168                                        const char *domain,
 169                                        const char *username,
 170                                        const uint8_t session_key[8])
 171 {
 172         NTSTATUS status;
 173         uint8_t full_session_key[16];
 174         struct schannel_state *schannel_state;
 175         const char *workgroup, *workstation;
 176         struct dcerpc_bind_schannel bind_schannel;
 177
 178         memcpy(full_session_key, session_key, 8);
 179         memset(full_session_key+8, 0, 8);
 180
 181         workstation = username;
 182         workgroup = domain;
 183
 184         /*
 185           perform a bind with security type schannel
 186         */
 187         p->auth_info = talloc(p->mem_ctx, sizeof(*p->auth_info));
 188         if (!p->auth_info) {
 189                 status = NT_STATUS_NO_MEMORY;
 190                 goto done;
 191         }
 192
 193         p->auth_info->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
 194
 195         if (p->flags & DCERPC_SEAL) {
 196                 p->auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
 197         } else {
 198                 /* note that DCERPC_AUTH_LEVEL_NONE does not make any
 199                    sense, and would be rejected by the server */
 200                 p->auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
 201         }
 202         p->auth_info->auth_pad_length = 0;
 203         p->auth_info->auth_reserved = 0;
 204         p->auth_info->auth_context_id = random();
 205         p->security_state = NULL;
 206
 207         /* TODO: what are these?? */
 208         bind_schannel.unknown1 = 0;
 209         bind_schannel.unknown2 = 3;
 210         bind_schannel.domain = workgroup;
 211         bind_schannel.hostname = workstation;
 212
 213         status = ndr_push_struct_blob(&p->auth_info->credentials, p->mem_ctx, &bind_schannel,
 214                                       (ndr_push_flags_fn_t)ndr_push_dcerpc_bind_schannel);
 215         if (!NT_STATUS_IS_OK(status)) {
 216                 goto done;
 217         }
 218
 219         /* send the authenticated bind request */
 220         status = dcerpc_bind_byuuid(p, p->mem_ctx, uuid, version);
 221         if (!NT_STATUS_IS_OK(status)) {
 222                 goto done;
 223         }
 224
 225         p->security_state = talloc_p(p->mem_ctx, struct dcerpc_security);
 226         if (!p->security_state) {
 227                 status = NT_STATUS_NO_MEMORY;
 228                 goto done;
 229         }
 230
 231         schannel_state = talloc_p(p->mem_ctx, struct schannel_state);
 232         if (!schannel_state) {
 233                 status = NT_STATUS_NO_MEMORY;
 234                 goto done;
 235         }
 236
 237         status = schannel_start(&schannel_state, full_session_key, True);
 238         if (!NT_STATUS_IS_OK(status)) {
 239                 goto done;
 240         }
 241
 242         dump_data_pw("session key:\n", schannel_state->session_key, 16);
 243
 244         p->security_state->private = schannel_state;
 245         p->security_state->unseal_packet = schan_unseal_packet;
 246         p->security_state->check_packet = schan_check_packet;
 247         p->security_state->seal_packet = schan_seal_packet;
 248         p->security_state->sign_packet = schan_sign_packet;
 249         p->security_state->session_key = schan_session_key;
 250         p->security_state->security_end = schan_security_end;
 251
 252 done:
 253         return status;
 254 }
 255
 256
 257 /*
 258   do a schannel style bind on a dcerpc pipe. The username is usually
 259   of the form HOSTNAME$ and the password is the domain trust password
 260 */
 261 NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
 262                                    const char *uuid, uint_t version,
 263                                    const char *domain,
 264                                    const char *username,
 265                                    const char *password)
 266 {
 267         NTSTATUS status;
 268         uint8_t session_key[8];
 269
 270         status = dcerpc_schannel_key(p, domain, username, password,
 271                                      lp_server_role() == ROLE_DOMAIN_BDC? SEC_CHAN_BDC:SEC_CHAN_WKSTA,
 272                                      session_key);
 273         if (!NT_STATUS_IS_OK(status)) {
 274                 return status;
 275         }
 276
 277         status = dcerpc_bind_auth_schannel_key(p, uuid, version, domain, username, session_key);
 278
 279         return status;
 280 }
 281