source: trunk/server/source4/ntp_signd/ntp_signd.c

Last change on this file was 752, checked in by Silvan Scherrer, 13 years ago

Samba Server: updated trunk to 3.6.9 2nd part
File size: 16.2 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3
4 NTP packet signing server
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22*/
23
24#include "includes.h"
25#include "smbd/service_task.h"
26#include "smbd/service.h"
27#include "smbd/service_stream.h"
28#include "smbd/process_model.h"
29#include "lib/stream/packet.h"
30#include "lib/tsocket/tsocket.h"
31#include "libcli/util/tstream.h"
32#include "librpc/gen_ndr/ndr_ntp_signd.h"
33#include "param/param.h"
34#include "dsdb/samdb/samdb.h"
35#include "auth/auth.h"
36#include "libcli/security/security.h"
37#include "libcli/ldap/ldap_ndr.h"
38#include <ldb.h>
39#include <ldb_errors.h>
40#include "../lib/crypto/md5.h"
41#include "system/network.h"
42#include "system/passwd.h"
43
44/*
45 top level context structure for the ntp_signd server
46*/
47struct ntp_signd_server {
48 struct task_server *task;
49 struct ldb_context *samdb;
50};
51
52/*
53 state of an open connection
54*/
55struct ntp_signd_connection {
56 /* stream connection we belong to */
57 struct stream_connection *conn;
58
59 /* the ntp_signd_server the connection belongs to */
60 struct ntp_signd_server *ntp_signd;
61
62 struct tstream_context *tstream;
63
64 struct tevent_queue *send_queue;
65};
66
67static void ntp_signd_terminate_connection(struct ntp_signd_connection *ntp_signd_conn, const char *reason)
68{
69 stream_terminate_connection(ntp_signd_conn->conn, reason);
70}
71
72static NTSTATUS signing_failure(struct ntp_signd_connection *ntp_signdconn,
73 TALLOC_CTX *mem_ctx,
74 DATA_BLOB *output,
75 uint32_t packet_id)
76{
77 struct signed_reply signed_reply;
78 enum ndr_err_code ndr_err;
79
80 signed_reply.op = SIGNING_FAILURE;
81 signed_reply.packet_id = packet_id;
82 signed_reply.signed_packet = data_blob(NULL, 0);
83
84 ndr_err = ndr_push_struct_blob(output, mem_ctx, &signed_reply,
85 (ndr_push_flags_fn_t)ndr_push_signed_reply);
86
87 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
88 DEBUG(1,("failed to push ntp error reply\n"));
89 return ndr_map_error2ntstatus(ndr_err);
90 }
91
92 return NT_STATUS_OK;
93}
94
95/*
96 receive a full packet on a NTP_SIGND connection
97*/
98static NTSTATUS ntp_signd_process(struct ntp_signd_connection *ntp_signd_conn,
99 TALLOC_CTX *mem_ctx,
100 DATA_BLOB *input,
101 DATA_BLOB *output)
102{
103 const struct dom_sid *domain_sid;
104 struct dom_sid *sid;
105 struct sign_request sign_request;
106 struct signed_reply signed_reply;
107 enum ndr_err_code ndr_err;
108 struct ldb_result *res;
109 const char *attrs[] = { "unicodePwd", "userAccountControl", "cn", NULL };
110 MD5_CTX ctx;
111 struct samr_Password *nt_hash;
112 uint32_t user_account_control;
113 int ret;
114
115 ndr_err = ndr_pull_struct_blob_all(input, mem_ctx,
116 &sign_request,
117 (ndr_pull_flags_fn_t)ndr_pull_sign_request);
118
119 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
120 DEBUG(1,("failed to parse ntp signing request\n"));
121 dump_data(1, input->data, input->length);
122 return ndr_map_error2ntstatus(ndr_err);
123 }
124
125 /* We need to implement 'check signature' and 'request server
126 * to sign' operations at some point */
127 if (sign_request.op != SIGN_TO_CLIENT) {
128 return signing_failure(ntp_signd_conn,
129 mem_ctx,
130 output,
131 sign_request.packet_id);
132 }
133
134 /* We need to implement 'check signature' and 'request server
135 * to sign' operations at some point */
136 if (sign_request.version != NTP_SIGND_PROTOCOL_VERSION_0) {
137 return signing_failure(ntp_signd_conn,
138 mem_ctx,
139 output,
140 sign_request.packet_id);
141 }
142
143 domain_sid = samdb_domain_sid(ntp_signd_conn->ntp_signd->samdb);
144 if (domain_sid == NULL) {
145 return signing_failure(ntp_signd_conn,
146 mem_ctx,
147 output,
148 sign_request.packet_id);
149 }
150
151 /* The top bit is a 'key selector' */
152 sid = dom_sid_add_rid(mem_ctx, domain_sid,
153 sign_request.key_id & 0x7FFFFFFF);
154 if (sid == NULL) {
155 talloc_free(mem_ctx);
156 return signing_failure(ntp_signd_conn,
157 mem_ctx,
158 output,
159 sign_request.packet_id);
160 }
161
162 ret = ldb_search(ntp_signd_conn->ntp_signd->samdb, mem_ctx,
163 &res,
164 ldb_get_default_basedn(ntp_signd_conn->ntp_signd->samdb),
165 LDB_SCOPE_SUBTREE,
166 attrs,
167 "(&(objectSid=%s)(objectClass=user))",
168 ldap_encode_ndr_dom_sid(mem_ctx, sid));
169 if (ret != LDB_SUCCESS) {
170 DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
171 "%s\n",
172 dom_sid_string(mem_ctx, sid),
173 ldb_errstring(ntp_signd_conn->ntp_signd->samdb)));
174 return signing_failure(ntp_signd_conn,
175 mem_ctx,
176 output,
177 sign_request.packet_id);
178 }
179
180 if (res->count == 0) {
181 DEBUG(5, ("Failed to find SID %s in SAM for NTP signing\n",
182 dom_sid_string(mem_ctx, sid)));
183 } else if (res->count != 1) {
184 DEBUG(1, ("Found SID %s %u times in SAM for NTP signing\n",
185 dom_sid_string(mem_ctx, sid), res->count));
186 return signing_failure(ntp_signd_conn,
187 mem_ctx,
188 output,
189 sign_request.packet_id);
190 }
191
192 user_account_control = ldb_msg_find_attr_as_uint(res->msgs[0],
193 "userAccountControl",
194 0);
195
196 if (user_account_control & UF_ACCOUNTDISABLE) {
197 DEBUG(1, ("Account %s for SID [%s] is disabled\n",
198 ldb_dn_get_linearized(res->msgs[0]->dn),
199 dom_sid_string(mem_ctx, sid)));
200 return NT_STATUS_ACCESS_DENIED;
201 }
202
203 if (!(user_account_control & (UF_INTERDOMAIN_TRUST_ACCOUNT|UF_SERVER_TRUST_ACCOUNT|UF_WORKSTATION_TRUST_ACCOUNT))) {
204 DEBUG(1, ("Account %s for SID [%s] is not a trust account\n",
205 ldb_dn_get_linearized(res->msgs[0]->dn),
206 dom_sid_string(mem_ctx, sid)));
207 return NT_STATUS_ACCESS_DENIED;
208 }
209
210 nt_hash = samdb_result_hash(mem_ctx, res->msgs[0], "unicodePwd");
211 if (!nt_hash) {
212 DEBUG(1, ("No unicodePwd found on record of SID %s "
213 "for NTP signing\n", dom_sid_string(mem_ctx, sid)));
214 return signing_failure(ntp_signd_conn,
215 mem_ctx,
216 output,
217 sign_request.packet_id);
218 }
219
220 /* Generate the reply packet */
221 signed_reply.packet_id = sign_request.packet_id;
222 signed_reply.op = SIGNING_SUCCESS;
223 signed_reply.signed_packet = data_blob_talloc(mem_ctx,
224 NULL,
225 sign_request.packet_to_sign.length + 20);
226
227 if (!signed_reply.signed_packet.data) {
228 return signing_failure(ntp_signd_conn,
229 mem_ctx,
230 output,
231 sign_request.packet_id);
232 }
233
234 memcpy(signed_reply.signed_packet.data, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
235 SIVAL(signed_reply.signed_packet.data, sign_request.packet_to_sign.length, sign_request.key_id);
236
237 /* Sign the NTP response with the unicodePwd */
238 MD5Init(&ctx);
239 MD5Update(&ctx, nt_hash->hash, sizeof(nt_hash->hash));
240 MD5Update(&ctx, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
241 MD5Final(signed_reply.signed_packet.data + sign_request.packet_to_sign.length + 4, &ctx);
242
243
244 /* Place it into the packet for the wire */
245 ndr_err = ndr_push_struct_blob(output, mem_ctx, &signed_reply,
246 (ndr_push_flags_fn_t)ndr_push_signed_reply);
247
248 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
249 DEBUG(1,("failed to push ntp error reply\n"));
250 return ndr_map_error2ntstatus(ndr_err);
251 }
252
253 return NT_STATUS_OK;
254}
255
256/*
257 called on a tcp recv
258*/
259static void ntp_signd_recv(struct stream_connection *conn, uint16_t flags)
260{
261 struct ntp_signd_connection *ntp_signd_conn = talloc_get_type(conn->private_data,
262 struct ntp_signd_connection);
263 ntp_signd_terminate_connection(ntp_signd_conn,
264 "ntp_signd_recv: called");
265}
266
267/*
268 called when we can write to a connection
269*/
270static void ntp_signd_send(struct stream_connection *conn, uint16_t flags)
271{
272 struct ntp_signd_connection *ntp_signd_conn = talloc_get_type(conn->private_data,
273 struct ntp_signd_connection);
274 /* this should never be triggered! */
275 ntp_signd_terminate_connection(ntp_signd_conn,
276 "ntp_signd_send: called");
277}
278
279struct ntp_signd_call {
280 struct ntp_signd_connection *ntp_signd_conn;
281 DATA_BLOB in;
282 DATA_BLOB out;
283 uint8_t out_hdr[4];
284 struct iovec out_iov[2];
285};
286
287static void ntp_signd_call_writev_done(struct tevent_req *subreq);
288
289static void ntp_signd_call_loop(struct tevent_req *subreq)
290{
291 struct ntp_signd_connection *ntp_signd_conn = tevent_req_callback_data(subreq,
292 struct ntp_signd_connection);
293 struct ntp_signd_call *call;
294 NTSTATUS status;
295
296 call = talloc(ntp_signd_conn, struct ntp_signd_call);
297 if (call == NULL) {
298 ntp_signd_terminate_connection(ntp_signd_conn,
299 "ntp_signd_call_loop: "
300 "no memory for ntp_signd_call");
301 return;
302 }
303 call->ntp_signd_conn = ntp_signd_conn;
304
305 status = tstream_read_pdu_blob_recv(subreq,
306 call,
307 &call->in);
308 TALLOC_FREE(subreq);
309 if (!NT_STATUS_IS_OK(status)) {
310 const char *reason;
311
312 reason = talloc_asprintf(call, "ntp_signd_call_loop: "
313 "tstream_read_pdu_blob_recv() - %s",
314 nt_errstr(status));
315 if (reason == NULL) {
316 reason = nt_errstr(status);
317 }
318
319 ntp_signd_terminate_connection(ntp_signd_conn, reason);
320 return;
321 }
322
323 DEBUG(10,("Received NTP TCP packet of length %lu from %s\n",
324 (long) call->in.length,
325 tsocket_address_string(ntp_signd_conn->conn->remote_address, call)));
326
327 /* skip length header */
328 call->in.data +=4;
329 call->in.length -= 4;
330
331 status = ntp_signd_process(ntp_signd_conn,
332 call,
333 &call->in,
334 &call->out);
335 if (! NT_STATUS_IS_OK(status)) {
336 const char *reason;
337
338 reason = talloc_asprintf(call, "ntp_signd_process failed: %s",
339 nt_errstr(status));
340 if (reason == NULL) {
341 reason = nt_errstr(status);
342 }
343
344 ntp_signd_terminate_connection(ntp_signd_conn, reason);
345 return;
346 }
347
348 /* First add the length of the out buffer */
349 RSIVAL(call->out_hdr, 0, call->out.length);
350 call->out_iov[0].iov_base = (char *) call->out_hdr;
351 call->out_iov[0].iov_len = 4;
352
353 call->out_iov[1].iov_base = (char *) call->out.data;
354 call->out_iov[1].iov_len = call->out.length;
355
356 subreq = tstream_writev_queue_send(call,
357 ntp_signd_conn->conn->event.ctx,
358 ntp_signd_conn->tstream,
359 ntp_signd_conn->send_queue,
360 call->out_iov, 2);
361 if (subreq == NULL) {
362 ntp_signd_terminate_connection(ntp_signd_conn, "ntp_signd_call_loop: "
363 "no memory for tstream_writev_queue_send");
364 return;
365 }
366
367 tevent_req_set_callback(subreq, ntp_signd_call_writev_done, call);
368
369 /*
370 * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
371 * packet_full_request_u32 provides the pdu length then.
372 */
373 subreq = tstream_read_pdu_blob_send(ntp_signd_conn,
374 ntp_signd_conn->conn->event.ctx,
375 ntp_signd_conn->tstream,
376 4, /* initial_read_size */
377 packet_full_request_u32,
378 ntp_signd_conn);
379 if (subreq == NULL) {
380 ntp_signd_terminate_connection(ntp_signd_conn, "ntp_signd_call_loop: "
381 "no memory for tstream_read_pdu_blob_send");
382 return;
383 }
384 tevent_req_set_callback(subreq, ntp_signd_call_loop, ntp_signd_conn);
385}
386
387static void ntp_signd_call_writev_done(struct tevent_req *subreq)
388{
389 struct ntp_signd_call *call = tevent_req_callback_data(subreq,
390 struct ntp_signd_call);
391 int sys_errno;
392 int rc;
393
394 rc = tstream_writev_queue_recv(subreq, &sys_errno);
395 TALLOC_FREE(subreq);
396 if (rc == -1) {
397 const char *reason;
398
399 reason = talloc_asprintf(call, "ntp_signd_call_writev_done: "
400 "tstream_writev_queue_recv() - %d:%s",
401 sys_errno, strerror(sys_errno));
402 if (!reason) {
403 reason = "ntp_signd_call_writev_done: "
404 "tstream_writev_queue_recv() failed";
405 }
406
407 ntp_signd_terminate_connection(call->ntp_signd_conn, reason);
408 return;
409 }
410
411 /* We don't care about errors */
412
413 talloc_free(call);
414}
415
416/*
417 called when we get a new connection
418*/
419static void ntp_signd_accept(struct stream_connection *conn)
420{
421 struct ntp_signd_server *ntp_signd = talloc_get_type(conn->private_data,
422 struct ntp_signd_server);
423 struct ntp_signd_connection *ntp_signd_conn;
424 struct tevent_req *subreq;
425 int rc;
426
427 ntp_signd_conn = talloc_zero(conn, struct ntp_signd_connection);
428 if (ntp_signd_conn == NULL) {
429 stream_terminate_connection(conn,
430 "ntp_signd_accept: out of memory");
431 return;
432 }
433
434 ntp_signd_conn->send_queue = tevent_queue_create(conn,
435 "ntp_signd_accept");
436 if (ntp_signd_conn->send_queue == NULL) {
437 stream_terminate_connection(conn,
438 "ntp_signd_accept: out of memory");
439 return;
440 }
441
442 TALLOC_FREE(conn->event.fde);
443
444 rc = tstream_bsd_existing_socket(ntp_signd_conn,
445 socket_get_fd(conn->socket),
446 &ntp_signd_conn->tstream);
447 if (rc < 0) {
448 stream_terminate_connection(conn,
449 "ntp_signd_accept: out of memory");
450 return;
451 }
452
453 ntp_signd_conn->conn = conn;
454 ntp_signd_conn->ntp_signd = ntp_signd;
455 conn->private_data = ntp_signd_conn;
456
457 /*
458 * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
459 * packet_full_request_u32 provides the pdu length then.
460 */
461 subreq = tstream_read_pdu_blob_send(ntp_signd_conn,
462 ntp_signd_conn->conn->event.ctx,
463 ntp_signd_conn->tstream,
464 4, /* initial_read_size */
465 packet_full_request_u32,
466 ntp_signd_conn);
467 if (subreq == NULL) {
468 ntp_signd_terminate_connection(ntp_signd_conn,
469 "ntp_signd_accept: "
470 "no memory for tstream_read_pdu_blob_send");
471 return;
472 }
473 tevent_req_set_callback(subreq, ntp_signd_call_loop, ntp_signd_conn);
474}
475
476static const struct stream_server_ops ntp_signd_stream_ops = {
477 .name = "ntp_signd",
478 .accept_connection = ntp_signd_accept,
479 .recv_handler = ntp_signd_recv,
480 .send_handler = ntp_signd_send
481};
482
483/*
484 startup the ntp_signd task
485*/
486static void ntp_signd_task_init(struct task_server *task)
487{
488 struct ntp_signd_server *ntp_signd;
489 NTSTATUS status;
490
491 const struct model_ops *model_ops;
492
493 const char *address;
494
495 if (!directory_create_or_exist(lpcfg_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0755)) {
496 char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s",
497 lpcfg_ntp_signd_socket_directory(task->lp_ctx));
498 task_server_terminate(task,
499 error, true);
500 return;
501 }
502
503 /* within the ntp_signd task we want to be a single process, so
504 ask for the single process model ops and pass these to the
505 stream_setup_socket() call. */
506 model_ops = process_model_startup("single");
507 if (!model_ops) {
508 DEBUG(0,("Can't find 'single' process model_ops\n"));
509 return;
510 }
511
512 task_server_set_title(task, "task[ntp_signd]");
513
514 ntp_signd = talloc(task, struct ntp_signd_server);
515 if (ntp_signd == NULL) {
516 task_server_terminate(task, "ntp_signd: out of memory", true);
517 return;
518 }
519
520 ntp_signd->task = task;
521
522 /* Must be system to get at the password hashes */
523 ntp_signd->samdb = samdb_connect(ntp_signd, task->event_ctx, task->lp_ctx, system_session(task->lp_ctx), 0);
524 if (ntp_signd->samdb == NULL) {
525 task_server_terminate(task, "ntp_signd failed to open samdb", true);
526 return;
527 }
528
529 address = talloc_asprintf(ntp_signd, "%s/socket", lpcfg_ntp_signd_socket_directory(task->lp_ctx));
530
531 status = stream_setup_socket(ntp_signd->task,
532 ntp_signd->task->event_ctx,
533 ntp_signd->task->lp_ctx,
534 model_ops,
535 &ntp_signd_stream_ops,
536 "unix", address, NULL,
537 lpcfg_socket_options(ntp_signd->task->lp_ctx),
538 ntp_signd);
539 if (!NT_STATUS_IS_OK(status)) {
540 DEBUG(0,("Failed to bind to %s - %s\n",
541 address, nt_errstr(status)));
542 return;
543 }
544
545}
546
547
548/* called at smbd startup - register ourselves as a server service */
549NTSTATUS server_service_ntp_signd_init(void)
550{
551 return register_server_service("ntp_signd", ntp_signd_task_init);
552}
Note: See TracBrowser for help on using the repository browser.