r1068: make the dcerpc client side auth/crypto code much more generic

metze (This used to be commit 1706ff88a72c6578a109c2cf24f2f009812c3892)
author: Stefan Metzmacher <metze@samba.org> 2004-06-07 12:30:22 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 12:56:36 -0500
commit: c0871cb0c13599039f4e8243bd8d60d472653930 (patch)
tree: d8f1908ed723d9d78060aa4bfb105795c7421918 /source4/librpc/rpc/dcerpc_schannel.c
parent: 6564fd402d500b1e24f76f63e4335b38ef1164db (diff)
download: samba-c0871cb0c13599039f4e8243bd8d60d472653930.tar.gz
samba-c0871cb0c13599039f4e8243bd8d60d472653930.tar.bz2
samba-c0871cb0c13599039f4e8243bd8d60d472653930.zip
1 files changed, 141 insertions, 132 deletions
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index c2645d36a2..df15edfb6f 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -22,54 +22,160 @@
 
 #include "includes.h"
 
+#define DCERPC_SCHANNEL_STATE_START 0
+#define DCERPC_SCHANNEL_STATE_UPDATE_1 1
+
+struct dcerpc_schannel_state {
+	TALLOC_CTX *mem_ctx;
+	uint8_t state;
+	struct schannel_bind bind_schannel;
+	struct schannel_state *schannel_state;
+};
+
 /*
   wrappers for the schannel_*() functions
 */
-static NTSTATUS schan_unseal_packet(struct dcerpc_security *dcerpc_security, 
+static NTSTATUS dcerpc_schannel_unseal(struct dcerpc_security *dcerpc_security, 
 				    TALLOC_CTX *mem_ctx, 
 				    uint8_t *data, size_t length, DATA_BLOB *sig)
 {
-	struct schannel_state *schannel_state = dcerpc_security->private;
-	return schannel_unseal_packet(schannel_state, mem_ctx, data, length, sig);
+	struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data;
+
+	return schannel_unseal_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
 }
 
-static NTSTATUS schan_check_packet(struct dcerpc_security *dcerpc_security, 
+static NTSTATUS dcerpc_schannel_check_sig(struct dcerpc_security *dcerpc_security, 
 				   TALLOC_CTX *mem_ctx, 
 				   const uint8_t *data, size_t length, 
 				   const DATA_BLOB *sig)
 {
-	struct schannel_state *schannel_state = dcerpc_security->private;
-	return schannel_check_packet(schannel_state, data, length, sig);
+	struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data;
+
+	return schannel_check_packet(dce_schan_state->schannel_state, data, length, sig);
 }
 
-static NTSTATUS schan_seal_packet(struct dcerpc_security *dcerpc_security, 
+static NTSTATUS dcerpc_schannel_seal(struct dcerpc_security *dcerpc_security, 
 				  TALLOC_CTX *mem_ctx, 
 				  uint8_t *data, size_t length, 
 				  DATA_BLOB *sig)
 {
-	struct schannel_state *schannel_state = dcerpc_security->private;
-	return schannel_seal_packet(schannel_state, mem_ctx, data, length, sig);
+	struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data;
+
+	return schannel_seal_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
 }
 
-static NTSTATUS schan_sign_packet(struct dcerpc_security *dcerpc_security, 
+static NTSTATUS dcerpc_schannel_sign(struct dcerpc_security *dcerpc_security, 
 				 TALLOC_CTX *mem_ctx, 
 				 const uint8_t *data, size_t length, 
 				 DATA_BLOB *sig)
 {
-	struct schannel_state *schannel_state = dcerpc_security->private;
-	return schannel_sign_packet(schannel_state, mem_ctx, data, length, sig);
+	struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data;
+
+	return schannel_sign_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
 }
 
-static NTSTATUS schan_session_key(struct dcerpc_security *dcerpc_security, 
+static NTSTATUS dcerpc_schannel_session_key(struct dcerpc_security *dcerpc_security, 
 				  DATA_BLOB *session_key)
 {
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
 
-static void schan_security_end(struct dcerpc_security *dcerpc_security)
+static NTSTATUS dcerpc_schannel_start(struct dcerpc_pipe *p, struct dcerpc_security *dcerpc_security)
+{
+	struct dcerpc_schannel_state *dce_schan_state;
+	TALLOC_CTX *mem_ctx;
+	NTSTATUS status;
+	uint8_t session_key[16];
+	int chan_type = 0;
+
+	if (p->flags & DCERPC_SCHANNEL_BDC) {
+		chan_type = SEC_CHAN_BDC;
+	} else if (p->flags & DCERPC_SCHANNEL_WORKSTATION) {
+		chan_type = SEC_CHAN_WKSTA;
+	} else if (p->flags & DCERPC_SCHANNEL_DOMAIN) {
+		chan_type = SEC_CHAN_DOMAIN;
+	}
+
+	status = dcerpc_schannel_key(p, dcerpc_security->user.domain, 
+					dcerpc_security->user.name,
+					dcerpc_security->user.password, 
+					chan_type, session_key);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	mem_ctx = talloc_init("dcerpc_schannel_start");
+	if (!mem_ctx) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	dce_schan_state = talloc_p(mem_ctx, struct dcerpc_schannel_state);
+	if (!dce_schan_state) {
+		talloc_destroy(mem_ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	dce_schan_state->mem_ctx = mem_ctx;
+
+	status = schannel_start(&dce_schan_state->schannel_state, session_key, True);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	dce_schan_state->state = DCERPC_SCHANNEL_STATE_START;
+
+	dcerpc_security->private_data = dce_schan_state;
+
+	dump_data_pw("session key:\n", dce_schan_state->schannel_state->session_key, 16);
+
+	return status;
+}
+
+static NTSTATUS dcerpc_schannel_update(struct dcerpc_security *dcerpc_security, TALLOC_CTX *out_mem_ctx, 
+						const DATA_BLOB in, DATA_BLOB *out) 
 {
-	struct schannel_state *schannel_state = dcerpc_security->private;
-	schannel_end(&schannel_state);
+	struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data;
+	NTSTATUS status;
+	struct schannel_bind bind_schannel;
+
+	if (dce_schan_state->state != DCERPC_SCHANNEL_STATE_START) {
+		return NT_STATUS_OK;
+	}
+
+	dce_schan_state->state = DCERPC_SCHANNEL_STATE_UPDATE_1;
+
+	bind_schannel.unknown1 = 0;
+#if 0
+	/* to support this we'd need to have access to the full domain name */
+	bind_schannel.bind_type = 23;
+	bind_schannel.u.info23.domain = dcerpc_security->user.domain;
+	bind_schannel.u.info23.account_name = dcerpc_security->user.name;
+	bind_schannel.u.info23.dnsdomain = str_format_nbt_domain(dce_schan_state->mem_ctx, fulldomainname);
+	bind_schannel.u.info23.workstation = str_format_nbt_domain(dce_schan_state->mem_ctx, dcerpc_security->user.name);
+#else
+	bind_schannel.bind_type = 3;
+	bind_schannel.u.info3.domain = dcerpc_security->user.domain;
+	bind_schannel.u.info3.account_name = dcerpc_security->user.name;
+#endif
+
+	status = ndr_push_struct_blob(out, dce_schan_state->mem_ctx, &bind_schannel,
+				      (ndr_push_flags_fn_t)ndr_push_schannel_bind);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	return NT_STATUS_MORE_PROCESSING_REQUIRED;
+}
+
+static void dcerpc_schannel_end(struct dcerpc_security *dcerpc_security)
+{
+	struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data;
+
+	schannel_end(&dce_schan_state->schannel_state);
+
+	talloc_destroy(dce_schan_state->mem_ctx);
+
+	dcerpc_security->private_data = NULL;
 }
 
 
@@ -163,107 +269,24 @@ NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p,
 	return NT_STATUS_OK;
 }
 
-
-/*
-  do a schannel style bind on a dcerpc pipe with the given schannel
-  key. The username is usually of the form HOSTNAME$ and the password
-  is the domain trust password
-*/
-NTSTATUS dcerpc_bind_auth_schannel_key(struct dcerpc_pipe *p,
-				       const char *uuid, uint_t version,
-				       const char *domain,
-				       const char *username,
-				       const uint8_t session_key[16])
+const struct dcesrv_security_ops dcerpc_schannel_security_ops = {
+	.name		= "schannel",
+	.auth_type	= DCERPC_AUTH_TYPE_SCHANNEL,
+	.start 		= dcerpc_schannel_start,
+	.update 	= dcerpc_schannel_update,
+	.seal 		= dcerpc_schannel_seal,
+	.sign		= dcerpc_schannel_sign,
+	.check_sig	= dcerpc_schannel_check_sig,
+	.unseal		= dcerpc_schannel_unseal,
+	.session_key	= dcerpc_schannel_session_key,
+	.end		= dcerpc_schannel_end
+};
+
+const struct dcesrv_security_ops *dcerpc_schannel_security_get_ops(void)
 {
-	NTSTATUS status;
-	struct schannel_state *schannel_state;
-	const char *workgroup, *workstation;
-	struct schannel_bind bind_schannel;
-
-	workstation = username;
-	workgroup = domain;
-
-	/*
-	  perform a bind with security type schannel
-	*/
-	p->auth_info = talloc(p->mem_ctx, sizeof(*p->auth_info));
-	if (!p->auth_info) {
-		status = NT_STATUS_NO_MEMORY;
-		goto done;
-	}
-
-	p->auth_info->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
-	
-	if (p->flags & DCERPC_SEAL) {
-		p->auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
-	} else {
-		/* note that DCERPC_AUTH_LEVEL_NONE does not make any 
-		   sense, and would be rejected by the server */
-		p->auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
-	}
-	p->auth_info->auth_pad_length = 0;
-	p->auth_info->auth_reserved = 0;
-	p->auth_info->auth_context_id = random();
-	p->security_state = NULL;
-
-	bind_schannel.unknown1 = 0;
-#if 0
-	/* to support this we'd need to have access to the full domain name */
-	bind_schannel.bind_type = 23;
-	bind_schannel.u.info23.domain = domain;
-	bind_schannel.u.info23.account_name = username;
-	bind_schannel.u.info23.dnsdomain = str_format_nbt_domain(p->mem_ctx, fulldomainname);
-	bind_schannel.u.info23.workstation = str_format_nbt_domain(p->mem_ctx, username);
-#else
-	bind_schannel.bind_type = 3;
-	bind_schannel.u.info3.domain = domain;
-	bind_schannel.u.info3.account_name = username;
-#endif
-
-	status = ndr_push_struct_blob(&p->auth_info->credentials, p->mem_ctx, &bind_schannel,
-				      (ndr_push_flags_fn_t)ndr_push_schannel_bind);
-	if (!NT_STATUS_IS_OK(status)) {
-		goto done;
-	}
-
-	/* send the authenticated bind request */
-	status = dcerpc_bind_byuuid(p, p->mem_ctx, uuid, version);
-	if (!NT_STATUS_IS_OK(status)) {
-		goto done;
-	}
-
-	p->security_state = talloc_p(p->mem_ctx, struct dcerpc_security);
-	if (!p->security_state) {
-		status = NT_STATUS_NO_MEMORY;
-		goto done;
-	}
-
-	schannel_state = talloc_p(p->mem_ctx, struct schannel_state);
-	if (!schannel_state) {
-		status = NT_STATUS_NO_MEMORY;
-		goto done;
-	}
-
-	status = schannel_start(&schannel_state, session_key, True);
-	if (!NT_STATUS_IS_OK(status)) {
-		goto done;
-	}
-
-	dump_data_pw("session key:\n", schannel_state->session_key, 16);
-
-	p->security_state->private = schannel_state;
-	p->security_state->unseal_packet = schan_unseal_packet;
-	p->security_state->check_packet = schan_check_packet;
-	p->security_state->seal_packet = schan_seal_packet;
-	p->security_state->sign_packet = schan_sign_packet;
-	p->security_state->session_key = schan_session_key;
-	p->security_state->security_end = schan_security_end;
-
-done:
-	return status;
+	return &dcerpc_schannel_security_ops;
 }
 
-
 /*
   do a schannel style bind on a dcerpc pipe. The username is usually
   of the form HOSTNAME$ and the password is the domain trust password
@@ -275,25 +298,11 @@ NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
 				   const char *password)
 {
 	NTSTATUS status;
-	uint8_t session_key[16];
-	int chan_type = 0;
 
-	if (p->flags & DCERPC_SCHANNEL_BDC) {
-		chan_type = SEC_CHAN_BDC;
-	} else if (p->flags & DCERPC_SCHANNEL_WORKSTATION) {
-		chan_type = SEC_CHAN_WKSTA;
-	} else if (p->flags & DCERPC_SCHANNEL_DOMAIN) {
-		chan_type = SEC_CHAN_DOMAIN;
-	} 
-
-	status = dcerpc_schannel_key(p, domain, username, password, 
-				     chan_type, session_key);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	status = dcerpc_bind_auth_schannel_key(p, uuid, version, domain, username, session_key);
+	status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_SCHANNEL,
+				uuid, version,
+				domain, username, 
+				password);
 
 	return status;
 }
-
author	Stefan Metzmacher <metze@samba.org>	2004-06-07 12:30:22 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 12:56:36 -0500
commit	c0871cb0c13599039f4e8243bd8d60d472653930 (patch)
tree	d8f1908ed723d9d78060aa4bfb105795c7421918 /source4/librpc/rpc/dcerpc_schannel.c
parent	6564fd402d500b1e24f76f63e4335b38ef1164db (diff)
download	samba-c0871cb0c13599039f4e8243bd8d60d472653930.tar.gz samba-c0871cb0c13599039f4e8243bd8d60d472653930.tar.bz2 samba-c0871cb0c13599039f4e8243bd8d60d472653930.zip