Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.5.x/source4/librpc/rpc/dcerpc_schannel.c

Visit:

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 12.2 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	dcerpc schannel operations
5
6	Copyright (C) Andrew Tridgell 2004
7	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8	Copyright (C) Rafal Szczesniak 2006
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22	*/
23
24	#include "includes.h"
25	#include "auth/auth.h"
26	#include "libcli/composite/composite.h"
27	#include "libcli/auth/libcli_auth.h"
28	#include "librpc/gen_ndr/ndr_netlogon.h"
29	#include "librpc/gen_ndr/ndr_netlogon_c.h"
30	#include "auth/credentials/credentials.h"
31	#include "librpc/rpc/dcerpc_proto.h"
32	#include "param/param.h"
33
34	struct schannel_key_state {
35	struct dcerpc_pipe *pipe;
36	struct dcerpc_pipe *pipe2;
37	struct dcerpc_binding *binding;
38	struct cli_credentials *credentials;
39	struct netlogon_creds_CredentialState *creds;
40	uint32_t negotiate_flags;
41	struct netr_Credential credentials1;
42	struct netr_Credential credentials2;
43	struct netr_Credential credentials3;
44	struct netr_ServerReqChallenge r;
45	struct netr_ServerAuthenticate2 a;
46	const struct samr_Password *mach_pwd;
47	};
48
49
50	static void continue_secondary_connection(struct composite_context *ctx);
51	static void continue_bind_auth_none(struct composite_context *ctx);
52	static void continue_srv_challenge(struct rpc_request *req);
53	static void continue_srv_auth2(struct rpc_request *req);
54
55
56	/*
57	Stage 2 of schannel_key: Receive endpoint mapping and request secondary
58	rpc connection
59	*/
60	static void continue_epm_map_binding(struct composite_context *ctx)
61	{
62	struct composite_context *c;
63	struct schannel_key_state *s;
64	struct composite_context *sec_conn_req;
65
66	c = talloc_get_type(ctx->async.private_data, struct composite_context);
67	s = talloc_get_type(c->private_data, struct schannel_key_state);
68
69	/* receive endpoint mapping */
70	c->status = dcerpc_epm_map_binding_recv(ctx);
71	if (!NT_STATUS_IS_OK(c->status)) {
72	DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
73	NDR_NETLOGON_UUID, nt_errstr(c->status)));
74	composite_error(c, c->status);
75	return;
76	}
77
78	/* send a request for secondary rpc connection */
79	sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
80	s->binding);
81	if (composite_nomem(sec_conn_req, c)) return;
82
83	composite_continue(c, sec_conn_req, continue_secondary_connection, c);
84	}
85
86
87	/*
88	Stage 3 of schannel_key: Receive secondary rpc connection and perform
89	non-authenticated bind request
90	*/
91	static void continue_secondary_connection(struct composite_context *ctx)
92	{
93	struct composite_context *c;
94	struct schannel_key_state *s;
95	struct composite_context *auth_none_req;
96
97	c = talloc_get_type(ctx->async.private_data, struct composite_context);
98	s = talloc_get_type(c->private_data, struct schannel_key_state);
99
100	/* receive secondary rpc connection */
101	c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
102	if (!composite_is_ok(c)) return;
103
104	talloc_steal(s, s->pipe2);
105
106	/* initiate a non-authenticated bind */
107	auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
108	if (composite_nomem(auth_none_req, c)) return;
109
110	composite_continue(c, auth_none_req, continue_bind_auth_none, c);
111	}
112
113
114	/*
115	Stage 4 of schannel_key: Receive non-authenticated bind and get
116	a netlogon challenge
117	*/
118	static void continue_bind_auth_none(struct composite_context *ctx)
119	{
120	struct composite_context *c;
121	struct schannel_key_state *s;
122	struct rpc_request *srv_challenge_req;
123
124	c = talloc_get_type(ctx->async.private_data, struct composite_context);
125	s = talloc_get_type(c->private_data, struct schannel_key_state);
126
127	/* receive result of non-authenticated bind request */
128	c->status = dcerpc_bind_auth_none_recv(ctx);
129	if (!composite_is_ok(c)) return;
130
131	/* prepare a challenge request */
132	s->r.in.server_name = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
133	if (composite_nomem(s->r.in.server_name, c)) return;
134	s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
135	s->r.in.credentials = &s->credentials1;
136	s->r.out.return_credentials = &s->credentials2;
137
138	generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
139
140	/*
141	request a netlogon challenge - a rpc request over opened secondary pipe
142	*/
143	srv_challenge_req = dcerpc_netr_ServerReqChallenge_send(s->pipe2, c, &s->r);
144	if (composite_nomem(srv_challenge_req, c)) return;
145
146	composite_continue_rpc(c, srv_challenge_req, continue_srv_challenge, c);
147	}
148
149
150	/*
151	Stage 5 of schannel_key: Receive a challenge and perform authentication
152	on the netlogon pipe
153	*/
154	static void continue_srv_challenge(struct rpc_request *req)
155	{
156	struct composite_context *c;
157	struct schannel_key_state *s;
158	struct rpc_request *srv_auth2_req;
159
160	c = talloc_get_type(req->async.private_data, struct composite_context);
161	s = talloc_get_type(c->private_data, struct schannel_key_state);
162
163	/* receive rpc request result - netlogon challenge */
164	c->status = dcerpc_ndr_request_recv(req);
165	if (!composite_is_ok(c)) return;
166
167	/* prepare credentials for auth2 request */
168	s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
169
170	/* auth2 request arguments */
171	s->a.in.server_name = s->r.in.server_name;
172	s->a.in.account_name = cli_credentials_get_username(s->credentials);
173	s->a.in.secure_channel_type =
174	cli_credentials_get_secure_channel_type(s->credentials);
175	s->a.in.computer_name = cli_credentials_get_workstation(s->credentials);
176	s->a.in.negotiate_flags = &s->negotiate_flags;
177	s->a.in.credentials = &s->credentials3;
178	s->a.out.negotiate_flags = &s->negotiate_flags;
179	s->a.out.return_credentials = &s->credentials3;
180
181	s->creds = netlogon_creds_client_init(s,
182	s->a.in.account_name,
183	s->a.in.computer_name,
184	&s->credentials1, &s->credentials2,
185	s->mach_pwd, &s->credentials3, s->negotiate_flags);
186	if (composite_nomem(s->creds, c)) {
187	return;
188	}
189	/*
190	authenticate on the netlogon pipe - a rpc request over secondary pipe
191	*/
192	srv_auth2_req = dcerpc_netr_ServerAuthenticate2_send(s->pipe2, c, &s->a);
193	if (composite_nomem(srv_auth2_req, c)) return;
194
195	composite_continue_rpc(c, srv_auth2_req, continue_srv_auth2, c);
196	}
197
198
199	/*
200	Stage 6 of schannel_key: Receive authentication request result and verify
201	received credentials
202	*/
203	static void continue_srv_auth2(struct rpc_request *req)
204	{
205	struct composite_context *c;
206	struct schannel_key_state *s;
207
208	c = talloc_get_type(req->async.private_data, struct composite_context);
209	s = talloc_get_type(c->private_data, struct schannel_key_state);
210
211	/* receive rpc request result - auth2 credentials */
212	c->status = dcerpc_ndr_request_recv(req);
213	if (!composite_is_ok(c)) return;
214
215	/* verify credentials */
216	if (!netlogon_creds_client_check(s->creds, s->a.out.return_credentials)) {
217	composite_error(c, NT_STATUS_UNSUCCESSFUL);
218	return;
219	}
220
221	/* setup current netlogon credentials */
222	cli_credentials_set_netlogon_creds(s->credentials, s->creds);
223
224	composite_done(c);
225	}
226
227
228	/*
229	Initiate establishing a schannel key using netlogon challenge
230	on a secondary pipe
231	*/
232	struct composite_context dcerpc_schannel_key_send(TALLOC_CTX mem_ctx,
233	struct dcerpc_pipe *p,
234	struct cli_credentials *credentials,
235	struct loadparm_context *lp_ctx)
236	{
237	struct composite_context *c;
238	struct schannel_key_state *s;
239	struct composite_context *epm_map_req;
240
241	/* composite context allocation and setup */
242	c = composite_create(mem_ctx, p->conn->event_ctx);
243	if (c == NULL) return NULL;
244
245	s = talloc_zero(c, struct schannel_key_state);
246	if (composite_nomem(s, c)) return c;
247	c->private_data = s;
248
249	/* store parameters in the state structure */
250	s->pipe = p;
251	s->credentials = credentials;
252
253	/* allocate credentials */
254	/* type of authentication depends on schannel type */
255	if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
256	s->negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
257	} else {
258	s->negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
259	}
260
261	/* allocate binding structure */
262	s->binding = talloc(c, struct dcerpc_binding);
263	if (composite_nomem(s->binding, c)) return c;
264
265	s->binding = s->pipe->binding;
266
267	/* request the netlogon endpoint mapping */
268	epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
269	&ndr_table_netlogon,
270	s->pipe->conn->event_ctx,
271	lp_ctx);
272	if (composite_nomem(epm_map_req, c)) return c;
273
274	composite_continue(c, epm_map_req, continue_epm_map_binding, c);
275	return c;
276	}
277
278
279	/*
280	Receive result of schannel key request
281	*/
282	NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
283	{
284	NTSTATUS status = composite_wait(c);
285
286	talloc_free(c);
287	return status;
288	}
289
290
291	struct auth_schannel_state {
292	struct dcerpc_pipe *pipe;
293	struct cli_credentials *credentials;
294	const struct ndr_interface_table *table;
295	struct loadparm_context *lp_ctx;
296	uint8_t auth_level;
297	};
298
299
300	static void continue_bind_auth(struct composite_context *ctx);
301
302
303	/*
304	Stage 2 of auth_schannel: Receive schannel key and intitiate an
305	authenticated bind using received credentials
306	*/
307	static void continue_schannel_key(struct composite_context *ctx)
308	{
309	struct composite_context *auth_req;
310	struct composite_context *c = talloc_get_type(ctx->async.private_data,
311	struct composite_context);
312	struct auth_schannel_state *s = talloc_get_type(c->private_data,
313	struct auth_schannel_state);
314
315	/* receive schannel key */
316	c->status = dcerpc_schannel_key_recv(ctx);
317	if (!composite_is_ok(c)) {
318	DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
319	cli_credentials_get_username(s->credentials), nt_errstr(c->status)));
320	return;
321	}
322
323	/* send bind auth request with received creds */
324	auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
325	lp_gensec_settings(c, s->lp_ctx),
326	DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
327	NULL);
328	if (composite_nomem(auth_req, c)) return;
329
330	composite_continue(c, auth_req, continue_bind_auth, c);
331	}
332
333
334	/*
335	Stage 3 of auth_schannel: Receivce result of authenticated bind
336	and say if we're done ok.
337	*/
338	static void continue_bind_auth(struct composite_context *ctx)
339	{
340	struct composite_context *c = talloc_get_type(ctx->async.private_data,
341	struct composite_context);
342
343	c->status = dcerpc_bind_auth_recv(ctx);
344	if (!composite_is_ok(c)) return;
345
346	composite_done(c);
347	}
348
349
350	/*
351	Initiate schannel authentication request
352	*/
353	struct composite_context dcerpc_bind_auth_schannel_send(TALLOC_CTX tmp_ctx,
354	struct dcerpc_pipe *p,
355	const struct ndr_interface_table *table,
356	struct cli_credentials *credentials,
357	struct loadparm_context *lp_ctx,
358	uint8_t auth_level)
359	{
360	struct composite_context *c;
361	struct auth_schannel_state *s;
362	struct composite_context *schan_key_req;
363
364	/* composite context allocation and setup */
365	c = composite_create(tmp_ctx, p->conn->event_ctx);
366	if (c == NULL) return NULL;
367
368	s = talloc_zero(c, struct auth_schannel_state);
369	if (composite_nomem(s, c)) return c;
370	c->private_data = s;
371
372	/* store parameters in the state structure */
373	s->pipe = p;
374	s->credentials = credentials;
375	s->table = table;
376	s->auth_level = auth_level;
377	s->lp_ctx = lp_ctx;
378
379	/* start getting schannel key first */
380	schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
381	if (composite_nomem(schan_key_req, c)) return c;
382
383	composite_continue(c, schan_key_req, continue_schannel_key, c);
384	return c;
385	}
386
387
388	/*
389	Receive result of schannel authentication request
390	*/
391	NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
392	{
393	NTSTATUS status = composite_wait(c);
394
395	talloc_free(c);
396	return status;
397	}
398
399
400	/*
401	Perform schannel authenticated bind - sync version
402	*/
403	_PUBLIC_ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
404	struct dcerpc_pipe *p,
405	const struct ndr_interface_table *table,
406	struct cli_credentials *credentials,
407	struct loadparm_context *lp_ctx,
408	uint8_t auth_level)
409	{
410	struct composite_context *c;
411
412	c = dcerpc_bind_auth_schannel_send(tmp_ctx, p, table, credentials, lp_ctx,
413	auth_level);
414	return dcerpc_bind_auth_schannel_recv(c);
415	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: