From 3b12c38ac09ad253cf56099c243659a3a362ea67 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 18 Feb 2010 14:44:09 -0500 Subject: s3:schannel streamline interface Make calling schannel much easier by removing the need to explicitly open the database. Let the abstraction do it instead. --- libcli/auth/schannel_state.h | 27 +++--- libcli/auth/schannel_state_tdb.c | 196 +++++++++++++++++++++++++++++++++------ 2 files changed, 181 insertions(+), 42 deletions(-) (limited to 'libcli') diff --git a/libcli/auth/schannel_state.h b/libcli/auth/schannel_state.h index efa8d20b08..c1fa1245cf 100644 --- a/libcli/auth/schannel_state.h +++ b/libcli/auth/schannel_state.h @@ -23,8 +23,20 @@ #ifndef _LIBCLI_AUTH_SCHANNEL_STATE_H__ #define _LIBCLI_AUTH_SCHANNEL_STATE_H__ +NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx, + const char *computer_name, + struct netlogon_creds_CredentialState **creds); + +NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx, + struct netlogon_creds_CredentialState *creds); + +NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, + const char *computer_name, + struct netr_Authenticator *received_authenticator, + struct netr_Authenticator *return_authenticator, + struct netlogon_creds_CredentialState **creds_out); + struct ldb_context; -struct tdb_context; NTSTATUS schannel_store_session_key_ldb(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, @@ -39,17 +51,4 @@ NTSTATUS schannel_creds_server_step_check_ldb(struct ldb_context *ldb, struct netr_Authenticator *received_authenticator, struct netr_Authenticator *return_authenticator, struct netlogon_creds_CredentialState **creds_out); -NTSTATUS schannel_store_session_key_tdb(struct tdb_context *tdb, - TALLOC_CTX *mem_ctx, - struct netlogon_creds_CredentialState *creds); -NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb, - TALLOC_CTX *mem_ctx, - const char *computer_name, - struct netlogon_creds_CredentialState **creds); -NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb, - TALLOC_CTX *mem_ctx, - const char *computer_name, - struct netr_Authenticator *received_authenticator, - struct netr_Authenticator *return_authenticator, - struct netlogon_creds_CredentialState **creds_out); #endif diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c index 49c89085be..434d7d7f8c 100644 --- a/libcli/auth/schannel_state_tdb.c +++ b/libcli/auth/schannel_state_tdb.c @@ -26,9 +26,75 @@ #include "../libcli/auth/schannel_state.h" #include "../librpc/gen_ndr/ndr_schannel.h" +#define SECRETS_SCHANNEL_STATE "SECRETS/SCHANNEL" + +/****************************************************************************** + Open or create the schannel session store tdb. +*******************************************************************************/ + +#define SCHANNEL_STORE_VERSION_1 1 +#define SCHANNEL_STORE_VERSION_2 2 /* should not be used */ +#define SCHANNEL_STORE_VERSION_CURRENT SCHANNEL_STORE_VERSION_1 + +static TDB_CONTEXT *open_schannel_session_store(TALLOC_CTX *mem_ctx) +{ + TDB_DATA vers; + uint32 ver; + TDB_CONTEXT *tdb_sc = NULL; + char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", lp_private_dir()); + + if (!fname) { + return NULL; + } + + tdb_sc = tdb_open_log(fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); + + if (!tdb_sc) { + DEBUG(0,("open_schannel_session_store: Failed to open %s\n", fname)); + TALLOC_FREE(fname); + return NULL; + } + + again: + vers = tdb_fetch_bystring(tdb_sc, "SCHANNEL_STORE_VERSION"); + if (vers.dptr == NULL) { + /* First opener, no version. */ + SIVAL(&ver,0,SCHANNEL_STORE_VERSION_CURRENT); + vers.dptr = (uint8 *)&ver; + vers.dsize = 4; + tdb_store_bystring(tdb_sc, "SCHANNEL_STORE_VERSION", vers, TDB_REPLACE); + vers.dptr = NULL; + } else if (vers.dsize == 4) { + ver = IVAL(vers.dptr,0); + if (ver == SCHANNEL_STORE_VERSION_2) { + DEBUG(0,("open_schannel_session_store: wrong version number %d in %s\n", + (int)ver, fname )); + tdb_wipe_all(tdb_sc); + goto again; + } + if (ver != SCHANNEL_STORE_VERSION_CURRENT) { + DEBUG(0,("open_schannel_session_store: wrong version number %d in %s\n", + (int)ver, fname )); + tdb_close(tdb_sc); + tdb_sc = NULL; + } + } else { + tdb_close(tdb_sc); + tdb_sc = NULL; + DEBUG(0,("open_schannel_session_store: wrong version number size %d in %s\n", + (int)vers.dsize, fname )); + } + + SAFE_FREE(vers.dptr); + TALLOC_FREE(fname); + + return tdb_sc; +} + /******************************************************************** ********************************************************************/ +static NTSTATUS schannel_store_session_key_tdb(struct tdb_context *tdb, TALLOC_CTX *mem_ctx, struct netlogon_creds_CredentialState *creds) @@ -79,6 +145,7 @@ NTSTATUS schannel_store_session_key_tdb(struct tdb_context *tdb, /******************************************************************** ********************************************************************/ +static NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb, TALLOC_CTX *mem_ctx, const char *computer_name, @@ -147,61 +214,134 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb, return NT_STATUS_OK; } -/******************************************************************** +/****************************************************************************** + Wrapper around schannel_fetch_session_key_tdb() + Note we must be root here. +*******************************************************************************/ + +NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx, + const char *computer_name, + struct netlogon_creds_CredentialState **creds) +{ + struct tdb_context *tdb; + NTSTATUS status; + + tdb = open_schannel_session_store(mem_ctx); + if (!tdb) { + return NT_STATUS_ACCESS_DENIED; + } - Validate an incoming authenticator against the credentials for the remote - machine. + status = schannel_fetch_session_key_tdb(tdb, mem_ctx, + computer_name, creds); - The credentials are (re)read and from the schannel database, and - written back after the caclulations are performed. + tdb_close(tdb); - The creds_out parameter (if not NULL) returns the credentials, if - the caller needs some of that information. + return status; +} + +/****************************************************************************** + Wrapper around schannel_store_session_key_tdb() + Note we must be root here. +*******************************************************************************/ + +NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx, + struct netlogon_creds_CredentialState *creds) +{ + struct tdb_context *tdb; + NTSTATUS status; + + tdb = open_schannel_session_store(mem_ctx); + if (!tdb) { + return NT_STATUS_ACCESS_DENIED; + } + status = schannel_store_session_key_tdb(tdb, mem_ctx, creds); + + tdb_close(tdb); + + return status; +} + +/******************************************************************** + Validate an incoming authenticator against the credentials for the + remote machine stored in the schannel database. + + The credentials are (re)read and from the schannel database, and + written back after the caclulations are performed. + + If the creds_out parameter is not NULL returns the credentials. ********************************************************************/ -NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb, - TALLOC_CTX *mem_ctx, - const char *computer_name, - struct netr_Authenticator *received_authenticator, - struct netr_Authenticator *return_authenticator, - struct netlogon_creds_CredentialState **creds_out) +NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, + const char *computer_name, + struct netr_Authenticator *received_authenticator, + struct netr_Authenticator *return_authenticator, + struct netlogon_creds_CredentialState **creds_out) { + TALLOC_CTX *tmpctx; + struct tdb_context *tdb; struct netlogon_creds_CredentialState *creds; NTSTATUS status; int ret; + tmpctx = talloc_named(mem_ctx, 0, "schannel_check_creds_state"); + if (!tmpctx) { + return NT_STATUS_NO_MEMORY; + } + + tdb = open_schannel_session_store(tmpctx); + if (!tdb) { + status = NT_STATUS_ACCESS_DENIED; + goto done; + } + ret = tdb_transaction_start(tdb); if (ret != 0) { return NT_STATUS_INTERNAL_DB_CORRUPTION; + status = NT_STATUS_INTERNAL_DB_CORRUPTION; + goto done; } /* Because this is a shared structure (even across * disconnects) we must update the database every time we * update the structure */ - status = schannel_fetch_session_key_tdb(tdb, mem_ctx, computer_name, - &creds); + status = schannel_fetch_session_key_tdb(tdb, tmpctx, + computer_name, &creds); + if (!NT_STATUS_IS_OK(status)) { + tdb_transaction_cancel(tdb); + goto done; + } - if (NT_STATUS_IS_OK(status)) { - status = netlogon_creds_server_step_check(creds, - received_authenticator, - return_authenticator); + status = netlogon_creds_server_step_check(creds, + received_authenticator, + return_authenticator); + if (!NT_STATUS_IS_OK(status)) { + tdb_transaction_cancel(tdb); + goto done; } - if (NT_STATUS_IS_OK(status)) { - status = schannel_store_session_key_tdb(tdb, mem_ctx, creds); + status = schannel_store_session_key_tdb(tdb, tmpctx, creds); + if (!NT_STATUS_IS_OK(status)) { + tdb_transaction_cancel(tdb); + goto done; } - if (NT_STATUS_IS_OK(status)) { - tdb_transaction_commit(tdb); - if (creds_out) { - *creds_out = creds; - talloc_steal(mem_ctx, creds); + tdb_transaction_commit(tdb); + + if (creds_out) { + *creds_out = talloc_steal(mem_ctx, creds); + if (!*creds_out) { + status = NT_STATUS_NO_MEMORY; + goto done; } - } else { - tdb_transaction_cancel(tdb); } + status = NT_STATUS_OK; + +done: + talloc_free(tmpctx); + if (tdb) tdb_close(tdb); return status; } + -- cgit