Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.5.x/source4/auth/gensec/schannel.c

Visit:

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 11.5 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	dcerpc schannel operations
5
6	Copyright (C) Andrew Tridgell 2004
7	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 3 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program. If not, see <http://www.gnu.org/licenses/>.
21	*/
22
23	#include "includes.h"
24	#include "librpc/gen_ndr/ndr_schannel.h"
25	#include "auth/auth.h"
26	#include "auth/credentials/credentials.h"
27	#include "auth/gensec/gensec.h"
28	#include "auth/gensec/gensec_proto.h"
29	#include "../libcli/auth/schannel.h"
30	#include "auth/gensec/schannel_state.h"
31	#include "librpc/rpc/dcerpc.h"
32	#include "param/param.h"
33	#include "auth/session_proto.h"
34
35	static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
36	{
37	return 32;
38	}
39
40	static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
41	DATA_BLOB *session_key)
42	{
43	return NT_STATUS_NOT_IMPLEMENTED;
44	}
45
46	static NTSTATUS schannel_update(struct gensec_security gensec_security, TALLOC_CTX out_mem_ctx,
47	const DATA_BLOB in, DATA_BLOB *out)
48	{
49	struct schannel_state state = (struct schannel_state )gensec_security->private_data;
50	NTSTATUS status;
51	enum ndr_err_code ndr_err;
52	struct NL_AUTH_MESSAGE bind_schannel;
53	struct NL_AUTH_MESSAGE bind_schannel_ack;
54	struct netlogon_creds_CredentialState *creds;
55	struct ldb_context *schannel_ldb;
56	const char *workstation;
57	const char *domain;
58	uint32_t required_flags;
59
60	*out = data_blob(NULL, 0);
61
62	switch (gensec_security->gensec_role) {
63	case GENSEC_CLIENT:
64	if (state->state != SCHANNEL_STATE_START) {
65	/* we could parse the bind ack, but we don't know what it is yet */
66	return NT_STATUS_OK;
67	}
68
69	state->creds = talloc_reference(state, cli_credentials_get_netlogon_creds(gensec_security->credentials));
70
71	bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
72	#if 0
73	/* to support this we'd need to have access to the full domain name */
74	/* 0x17, 23 */
75	bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME \|
76	NL_FLAG_OEM_NETBIOS_COMPUTER_NAME \|
77	NL_FLAG_UTF8_DNS_DOMAIN_NAME \|
78	NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
79	bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
80	bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
81	bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
82	/* w2k3 refuses us if we use the full DNS workstation?
83	why? perhaps because we don't fill in the dNSHostName
84	attribute in the machine account? */
85	bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
86	#else
87	bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME \|
88	NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
89	bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
90	bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
91	#endif
92
93	ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
94	gensec_security->settings->iconv_convenience, &bind_schannel,
95	(ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
96	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
97	status = ndr_map_error2ntstatus(ndr_err);
98	DEBUG(3, ("Could not create schannel bind: %s\n",
99	nt_errstr(status)));
100	return status;
101	}
102
103	state->state = SCHANNEL_STATE_UPDATE_1;
104
105	return NT_STATUS_MORE_PROCESSING_REQUIRED;
106	case GENSEC_SERVER:
107
108	required_flags = NL_FLAG_OEM_NETBIOS_COMPUTER_NAME \|
109	NL_FLAG_OEM_NETBIOS_DOMAIN_NAME;
110
111	if (state->state != SCHANNEL_STATE_START) {
112	/* no third leg on this protocol */
113	return NT_STATUS_INVALID_PARAMETER;
114	}
115
116	/* parse the schannel startup blob */
117	ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx,
118	gensec_security->settings->iconv_convenience,
119	&bind_schannel,
120	(ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
121	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
122	status = ndr_map_error2ntstatus(ndr_err);
123	DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
124	nt_errstr(status)));
125	return status;
126	}
127
128	if (!(required_flags == (bind_schannel.Flags & required_flags))) {
129	return NT_STATUS_INVALID_PARAMETER;
130	}
131
132	workstation = bind_schannel.oem_netbios_computer.a;
133	domain = bind_schannel.oem_netbios_domain.a;
134
135	if (strcasecmp_m(domain, lp_workgroup(gensec_security->settings->lp_ctx)) != 0) {
136	DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
137	domain, lp_workgroup(gensec_security->settings->lp_ctx)));
138
139	return NT_STATUS_LOGON_FAILURE;
140	}
141
142	schannel_ldb = schannel_db_connect(out_mem_ctx, gensec_security->event_ctx,
143	gensec_security->settings->lp_ctx);
144	if (!schannel_ldb) {
145	return NT_STATUS_ACCESS_DENIED;
146	}
147	/* pull the session key for this client */
148	status = schannel_fetch_session_key_ldb(schannel_ldb,
149	out_mem_ctx, workstation, &creds);
150	talloc_free(schannel_ldb);
151	if (!NT_STATUS_IS_OK(status)) {
152	DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
153	workstation, nt_errstr(status)));
154	if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
155	return NT_STATUS_LOGON_FAILURE;
156	}
157	return status;
158	}
159
160	state->creds = talloc_reference(state, creds);
161
162	bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
163	bind_schannel_ack.Flags = 0;
164	bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
165	* this does not have
166	* any meaning here
167	* - gd */
168
169	ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
170	gensec_security->settings->iconv_convenience, &bind_schannel_ack,
171	(ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
172	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
173	status = ndr_map_error2ntstatus(ndr_err);
174	DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
175	workstation, nt_errstr(status)));
176	return status;
177	}
178
179	state->state = SCHANNEL_STATE_UPDATE_1;
180
181	return NT_STATUS_OK;
182	}
183	return NT_STATUS_INVALID_PARAMETER;
184	}
185
186	/**
187	* Return the struct netlogon_creds_CredentialState.
188	*
189	* Make sure not to call this unless gensec is using schannel...
190	*/
191
192	/* TODO: make this non-public */
193
194	_PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
195	TALLOC_CTX *mem_ctx,
196	struct netlogon_creds_CredentialState **creds)
197	{
198	struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
199
200	*creds = talloc_reference(mem_ctx, state->creds);
201	if (!*creds) {
202	return NT_STATUS_NO_MEMORY;
203	}
204	return NT_STATUS_OK;
205	}
206
207
208	/**
209	* Returns anonymous credentials for schannel, matching Win2k3.
210	*
211	*/
212
213	static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
214	struct auth_session_info **_session_info)
215	{
216	struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
217	return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, _session_info);
218	}
219
220	static NTSTATUS schannel_start(struct gensec_security *gensec_security)
221	{
222	struct schannel_state *state;
223
224	state = talloc(gensec_security, struct schannel_state);
225	if (!state) {
226	return NT_STATUS_NO_MEMORY;
227	}
228
229	state->state = SCHANNEL_STATE_START;
230	state->seq_num = 0;
231	gensec_security->private_data = state;
232
233	return NT_STATUS_OK;
234	}
235
236	static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
237	{
238	NTSTATUS status;
239	struct schannel_state *state;
240
241	status = schannel_start(gensec_security);
242	if (!NT_STATUS_IS_OK(status)) {
243	return status;
244	}
245
246	state = (struct schannel_state *)gensec_security->private_data;
247	state->initiator = false;
248
249	return NT_STATUS_OK;
250	}
251
252	static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
253	{
254	NTSTATUS status;
255	struct schannel_state *state;
256
257	status = schannel_start(gensec_security);
258	if (!NT_STATUS_IS_OK(status)) {
259	return status;
260	}
261
262	state = (struct schannel_state *)gensec_security->private_data;
263	state->initiator = true;
264
265	return NT_STATUS_OK;
266	}
267
268
269	static bool schannel_have_feature(struct gensec_security *gensec_security,
270	uint32_t feature)
271	{
272	if (feature & (GENSEC_FEATURE_SIGN \|
273	GENSEC_FEATURE_SEAL)) {
274	return true;
275	}
276	if (feature & GENSEC_FEATURE_DCE_STYLE) {
277	return true;
278	}
279	if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
280	return true;
281	}
282	return false;
283	}
284
285	/*
286	unseal a packet
287	*/
288	static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
289	TALLOC_CTX *mem_ctx,
290	uint8_t *data, size_t length,
291	const uint8_t *whole_pdu, size_t pdu_length,
292	const DATA_BLOB *sig)
293	{
294	struct schannel_state *state =
295	talloc_get_type(gensec_security->private_data,
296	struct schannel_state);
297
298	return netsec_incoming_packet(state, mem_ctx, true,
299	discard_const_p(uint8_t, data),
300	length, sig);
301	}
302
303	/*
304	check the signature on a packet
305	*/
306	static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
307	TALLOC_CTX *mem_ctx,
308	const uint8_t *data, size_t length,
309	const uint8_t *whole_pdu, size_t pdu_length,
310	const DATA_BLOB *sig)
311	{
312	struct schannel_state *state =
313	talloc_get_type(gensec_security->private_data,
314	struct schannel_state);
315
316	return netsec_incoming_packet(state, mem_ctx, false,
317	discard_const_p(uint8_t, data),
318	length, sig);
319	}
320	/*
321	seal a packet
322	*/
323	static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
324	TALLOC_CTX *mem_ctx,
325	uint8_t *data, size_t length,
326	const uint8_t *whole_pdu, size_t pdu_length,
327	DATA_BLOB *sig)
328	{
329	struct schannel_state *state =
330	talloc_get_type(gensec_security->private_data,
331	struct schannel_state);
332
333	return netsec_outgoing_packet(state, mem_ctx, true,
334	data, length, sig);
335	}
336
337	/*
338	sign a packet
339	*/
340	static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
341	TALLOC_CTX *mem_ctx,
342	const uint8_t *data, size_t length,
343	const uint8_t *whole_pdu, size_t pdu_length,
344	DATA_BLOB *sig)
345	{
346	struct schannel_state *state =
347	talloc_get_type(gensec_security->private_data,
348	struct schannel_state);
349
350	return netsec_outgoing_packet(state, mem_ctx, false,
351	discard_const_p(uint8_t, data),
352	length, sig);
353	}
354
355	static const struct gensec_security_ops gensec_schannel_security_ops = {
356	.name = "schannel",
357	.auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
358	.client_start = schannel_client_start,
359	.server_start = schannel_server_start,
360	.update = schannel_update,
361	.seal_packet = schannel_seal_packet,
362	.sign_packet = schannel_sign_packet,
363	.check_packet = schannel_check_packet,
364	.unseal_packet = schannel_unseal_packet,
365	.session_key = schannel_session_key,
366	.session_info = schannel_session_info,
367	.sig_size = schannel_sig_size,
368	.have_feature = schannel_have_feature,
369	.enabled = true,
370	.priority = GENSEC_SCHANNEL
371	};
372
373	_PUBLIC_ NTSTATUS gensec_schannel_init(void)
374	{
375	NTSTATUS ret;
376	ret = gensec_register(&gensec_schannel_security_ops);
377	if (!NT_STATUS_IS_OK(ret)) {
378	DEBUG(0,("Failed to register '%s' gensec backend!\n",
379	gensec_schannel_security_ops.name));
380	return ret;
381	}
382
383	return ret;
384	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: