diff options
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/gensec/schannel.c | 4 | ||||
-rw-r--r-- | source4/auth/gensec/schannel_sign.c | 8 | ||||
-rw-r--r-- | source4/auth/gensec/schannel_state.c | 127 |
3 files changed, 89 insertions, 50 deletions
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index dd0bc1eddd..10c8f9853a 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -149,7 +149,7 @@ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, struct creds_CredentialState **creds) { - struct schannel_state *state = gensec_security->private_data; + struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); *creds = talloc_reference(mem_ctx, state->creds); if (!*creds) { @@ -167,7 +167,7 @@ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, static NTSTATUS schannel_session_info(struct gensec_security *gensec_security, struct auth_session_info **_session_info) { - struct schannel_state *state = gensec_security->private_data; + struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); return auth_anonymous_session_info(state, _session_info); } diff --git a/source4/auth/gensec/schannel_sign.c b/source4/auth/gensec/schannel_sign.c index f143ccd4c7..b4549ddefd 100644 --- a/source4/auth/gensec/schannel_sign.c +++ b/source4/auth/gensec/schannel_sign.c @@ -105,7 +105,7 @@ NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) { - struct schannel_state *state = gensec_security->private_data; + struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); uint8_t digest_final[16]; uint8_t confounder[8]; @@ -156,7 +156,7 @@ NTSTATUS schannel_check_packet(struct gensec_security *gensec_security, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) { - struct schannel_state *state = gensec_security->private_data; + struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); uint8_t digest_final[16]; uint8_t seq_num[8]; @@ -204,7 +204,7 @@ NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security, const uint8_t *whole_pdu, size_t pdu_length, DATA_BLOB *sig) { - struct schannel_state *state = gensec_security->private_data; + struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); uint8_t digest_final[16]; uint8_t confounder[8]; @@ -252,7 +252,7 @@ NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security, const uint8_t *whole_pdu, size_t pdu_length, DATA_BLOB *sig) { - struct schannel_state *state = gensec_security->private_data; + struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); uint8_t digest_final[16]; uint8_t seq_num[8]; diff --git a/source4/auth/gensec/schannel_state.c b/source4/auth/gensec/schannel_state.c index 7ef64ca00b..a73e450ec8 100644 --- a/source4/auth/gensec/schannel_state.c +++ b/source4/auth/gensec/schannel_state.c @@ -29,7 +29,7 @@ /* connect to the schannel ldb */ -static struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx) +struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx) { char *path; struct ldb_context *ldb; @@ -64,44 +64,35 @@ static struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx) remember an established session key for a netr server authentication use a simple ldb structure */ -NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx, - struct creds_CredentialState *creds) +NTSTATUS schannel_store_session_key_ldb(TALLOC_CTX *mem_ctx, + struct ldb_context *ldb, + struct creds_CredentialState *creds) { - struct ldb_context *ldb; struct ldb_message *msg; - struct ldb_val val, seed; + struct ldb_val val, seed, client_state, server_state; char *f; char *sct; int ret; - ldb = schannel_db_connect(mem_ctx); - if (ldb == NULL) { - return NT_STATUS_NO_MEMORY; - } - f = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->negotiate_flags); if (f == NULL) { - talloc_free(ldb); return NT_STATUS_NO_MEMORY; } sct = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->secure_channel_type); if (sct == NULL) { - talloc_free(ldb); return NT_STATUS_NO_MEMORY; } msg = ldb_msg_new(ldb); if (msg == NULL) { - talloc_free(ldb); return NT_STATUS_NO_MEMORY; } msg->dn = ldb_dn_build_child(msg, "computerName", creds->computer_name, NULL); if (msg->dn == NULL) { - talloc_free(ldb); return NT_STATUS_NO_MEMORY; } @@ -111,9 +102,16 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx, seed.data = creds->seed.data; seed.length = sizeof(creds->seed.data); + client_state.data = creds->client.data; + client_state.length = sizeof(creds->client.data); + server_state.data = creds->server.data; + server_state.length = sizeof(creds->server.data); + ldb_msg_add_string(msg, "objectClass", "schannelState"); ldb_msg_add_value(msg, "sessionKey", &val); ldb_msg_add_value(msg, "seed", &seed); + ldb_msg_add_value(msg, "clientState", &client_state); + ldb_msg_add_value(msg, "serverState", &server_state); ldb_msg_add_string(msg, "negotiateFlags", f); ldb_msg_add_string(msg, "secureChannelType", sct); ldb_msg_add_string(msg, "accountName", creds->account_name); @@ -121,49 +119,65 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx, ldb_msg_add_string(msg, "flatname", creds->domain); samdb_msg_add_dom_sid(ldb, mem_ctx, msg, "objectSid", creds->sid); - ret = ldb_transaction_start(ldb); + ldb_delete(ldb, msg->dn); + + ret = ldb_add(ldb, msg); + if (ret != 0) { - DEBUG(0,("Unable to start transaction to add %s to session key db - %s\n", + DEBUG(0,("Unable to add %s to session key db - %s\n", ldb_dn_linearize(msg, msg->dn), ldb_errstring(ldb))); - talloc_free(ldb); return NT_STATUS_INTERNAL_DB_CORRUPTION; } - ldb_delete(ldb, msg->dn); + return NT_STATUS_OK; +} - ret = ldb_add(ldb, msg); +NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx, + struct creds_CredentialState *creds) +{ + struct ldb_context *ldb; + NTSTATUS nt_status; + int ret; + + ldb = schannel_db_connect(mem_ctx); + if (!ldb) { + return NT_STATUS_ACCESS_DENIED; + } + ret = ldb_transaction_start(ldb); if (ret != 0) { - DEBUG(0,("Unable to add %s to session key db - %s\n", - ldb_dn_linearize(msg, msg->dn), ldb_errstring(ldb))); talloc_free(ldb); return NT_STATUS_INTERNAL_DB_CORRUPTION; } - ret = ldb_transaction_commit(ldb); + nt_status = schannel_store_session_key_ldb(mem_ctx, ldb, creds); + + if (NT_STATUS_IS_OK(nt_status)) { + ret = ldb_transaction_commit(ldb); + } else { + ret = ldb_transaction_cancel(ldb); + } if (ret != 0) { - DEBUG(0,("Unable to commit adding %s to session key db - %s\n", - ldb_dn_linearize(msg, msg->dn), ldb_errstring(ldb))); + DEBUG(0,("Unable to commit adding credentials for %s to schannel key db - %s\n", + creds->computer_name, ldb_errstring(ldb))); talloc_free(ldb); return NT_STATUS_INTERNAL_DB_CORRUPTION; } talloc_free(ldb); - - return NT_STATUS_OK; + return nt_status; } - /* read back a credentials back for a computer */ -NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx, - const char *computer_name, - const char *domain, - struct creds_CredentialState **creds) +NTSTATUS schannel_fetch_session_key_ldb(TALLOC_CTX *mem_ctx, + struct ldb_context *ldb, + const char *computer_name, + const char *domain, + struct creds_CredentialState **creds) { - struct ldb_context *ldb; struct ldb_result *res; int ret; const struct ldb_val *val; @@ -174,27 +188,21 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - ldb = schannel_db_connect(mem_ctx); - if (ldb == NULL) { - return NT_STATUS_NO_MEMORY; - } - - expr = talloc_asprintf(mem_ctx, "(&(computerName=%s)(flatname=%s))", computer_name, domain); + expr = talloc_asprintf(mem_ctx, "(&(computerName=%s)(flatname=%s))", + computer_name, domain); if (expr == NULL) { - talloc_free(ldb); return NT_STATUS_NO_MEMORY; } ret = ldb_search(ldb, NULL, LDB_SCOPE_SUBTREE, expr, NULL, &res); if (ret != LDB_SUCCESS || res->count != 1) { - talloc_free(ldb); + DEBUG(3,("schannel: Failed to find a record for client: %s\n", computer_name)); return NT_STATUS_INVALID_HANDLE; } val = ldb_msg_find_ldb_val(res->msgs[0], "sessionKey"); if (val == NULL || val->length != 16) { DEBUG(1,("schannel: record in schannel DB must contain a sessionKey of length 16, when searching for client: %s\n", computer_name)); - talloc_free(ldb); return NT_STATUS_INTERNAL_ERROR; } @@ -203,12 +211,25 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx, val = ldb_msg_find_ldb_val(res->msgs[0], "seed"); if (val == NULL || val->length != 8) { DEBUG(1,("schannel: record in schannel DB must contain a vaid seed of length 8, when searching for client: %s\n", computer_name)); - talloc_free(ldb); return NT_STATUS_INTERNAL_ERROR; } memcpy((*creds)->seed.data, val->data, 8); + val = ldb_msg_find_ldb_val(res->msgs[0], "clientState"); + if (val == NULL || val->length != 8) { + DEBUG(1,("schannel: record in schannel DB must contain a vaid clientState of length 8, when searching for client: %s\n", computer_name)); + return NT_STATUS_INTERNAL_ERROR; + } + memcpy((*creds)->client.data, val->data, 8); + + val = ldb_msg_find_ldb_val(res->msgs[0], "serverState"); + if (val == NULL || val->length != 8) { + DEBUG(1,("schannel: record in schannel DB must contain a vaid serverState of length 8, when searching for client: %s\n", computer_name)); + return NT_STATUS_INTERNAL_ERROR; + } + memcpy((*creds)->server.data, val->data, 8); + (*creds)->negotiate_flags = ldb_msg_find_int(res->msgs[0], "negotiateFlags", 0); (*creds)->secure_channel_type = ldb_msg_find_int(res->msgs[0], "secureChannelType", 0); @@ -221,7 +242,25 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx, (*creds)->sid = samdb_result_dom_sid(*creds, res->msgs[0], "objectSid"); - talloc_free(ldb); - return NT_STATUS_OK; } + +NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx, + const char *computer_name, + const char *domain, + struct creds_CredentialState **creds) +{ + NTSTATUS nt_status; + struct ldb_context *ldb; + + ldb = schannel_db_connect(mem_ctx); + if (!ldb) { + return NT_STATUS_ACCESS_DENIED; + } + + nt_status = schannel_fetch_session_key_ldb(mem_ctx, ldb, + computer_name, domain, + creds); + talloc_free(ldb); + return nt_status; +} |