From c0871cb0c13599039f4e8243bd8d60d472653930 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 7 Jun 2004 12:30:22 +0000 Subject: r1068: make the dcerpc client side auth/crypto code much more generic metze (This used to be commit 1706ff88a72c6578a109c2cf24f2f009812c3892) --- source4/librpc/rpc/dcerpc_schannel.c | 273 ++++++++++++++++++----------------- 1 file changed, 141 insertions(+), 132 deletions(-) (limited to 'source4/librpc/rpc/dcerpc_schannel.c') diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index c2645d36a2..df15edfb6f 100644 --- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -22,54 +22,160 @@ #include "includes.h" +#define DCERPC_SCHANNEL_STATE_START 0 +#define DCERPC_SCHANNEL_STATE_UPDATE_1 1 + +struct dcerpc_schannel_state { + TALLOC_CTX *mem_ctx; + uint8_t state; + struct schannel_bind bind_schannel; + struct schannel_state *schannel_state; +}; + /* wrappers for the schannel_*() functions */ -static NTSTATUS schan_unseal_packet(struct dcerpc_security *dcerpc_security, +static NTSTATUS dcerpc_schannel_unseal(struct dcerpc_security *dcerpc_security, TALLOC_CTX *mem_ctx, uint8_t *data, size_t length, DATA_BLOB *sig) { - struct schannel_state *schannel_state = dcerpc_security->private; - return schannel_unseal_packet(schannel_state, mem_ctx, data, length, sig); + struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data; + + return schannel_unseal_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig); } -static NTSTATUS schan_check_packet(struct dcerpc_security *dcerpc_security, +static NTSTATUS dcerpc_schannel_check_sig(struct dcerpc_security *dcerpc_security, TALLOC_CTX *mem_ctx, const uint8_t *data, size_t length, const DATA_BLOB *sig) { - struct schannel_state *schannel_state = dcerpc_security->private; - return schannel_check_packet(schannel_state, data, length, sig); + struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data; + + return schannel_check_packet(dce_schan_state->schannel_state, data, length, sig); } -static NTSTATUS schan_seal_packet(struct dcerpc_security *dcerpc_security, +static NTSTATUS dcerpc_schannel_seal(struct dcerpc_security *dcerpc_security, TALLOC_CTX *mem_ctx, uint8_t *data, size_t length, DATA_BLOB *sig) { - struct schannel_state *schannel_state = dcerpc_security->private; - return schannel_seal_packet(schannel_state, mem_ctx, data, length, sig); + struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data; + + return schannel_seal_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig); } -static NTSTATUS schan_sign_packet(struct dcerpc_security *dcerpc_security, +static NTSTATUS dcerpc_schannel_sign(struct dcerpc_security *dcerpc_security, TALLOC_CTX *mem_ctx, const uint8_t *data, size_t length, DATA_BLOB *sig) { - struct schannel_state *schannel_state = dcerpc_security->private; - return schannel_sign_packet(schannel_state, mem_ctx, data, length, sig); + struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data; + + return schannel_sign_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig); } -static NTSTATUS schan_session_key(struct dcerpc_security *dcerpc_security, +static NTSTATUS dcerpc_schannel_session_key(struct dcerpc_security *dcerpc_security, DATA_BLOB *session_key) { return NT_STATUS_NOT_IMPLEMENTED; } -static void schan_security_end(struct dcerpc_security *dcerpc_security) +static NTSTATUS dcerpc_schannel_start(struct dcerpc_pipe *p, struct dcerpc_security *dcerpc_security) +{ + struct dcerpc_schannel_state *dce_schan_state; + TALLOC_CTX *mem_ctx; + NTSTATUS status; + uint8_t session_key[16]; + int chan_type = 0; + + if (p->flags & DCERPC_SCHANNEL_BDC) { + chan_type = SEC_CHAN_BDC; + } else if (p->flags & DCERPC_SCHANNEL_WORKSTATION) { + chan_type = SEC_CHAN_WKSTA; + } else if (p->flags & DCERPC_SCHANNEL_DOMAIN) { + chan_type = SEC_CHAN_DOMAIN; + } + + status = dcerpc_schannel_key(p, dcerpc_security->user.domain, + dcerpc_security->user.name, + dcerpc_security->user.password, + chan_type, session_key); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + mem_ctx = talloc_init("dcerpc_schannel_start"); + if (!mem_ctx) { + return NT_STATUS_NO_MEMORY; + } + + dce_schan_state = talloc_p(mem_ctx, struct dcerpc_schannel_state); + if (!dce_schan_state) { + talloc_destroy(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + dce_schan_state->mem_ctx = mem_ctx; + + status = schannel_start(&dce_schan_state->schannel_state, session_key, True); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + dce_schan_state->state = DCERPC_SCHANNEL_STATE_START; + + dcerpc_security->private_data = dce_schan_state; + + dump_data_pw("session key:\n", dce_schan_state->schannel_state->session_key, 16); + + return status; +} + +static NTSTATUS dcerpc_schannel_update(struct dcerpc_security *dcerpc_security, TALLOC_CTX *out_mem_ctx, + const DATA_BLOB in, DATA_BLOB *out) { - struct schannel_state *schannel_state = dcerpc_security->private; - schannel_end(&schannel_state); + struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data; + NTSTATUS status; + struct schannel_bind bind_schannel; + + if (dce_schan_state->state != DCERPC_SCHANNEL_STATE_START) { + return NT_STATUS_OK; + } + + dce_schan_state->state = DCERPC_SCHANNEL_STATE_UPDATE_1; + + bind_schannel.unknown1 = 0; +#if 0 + /* to support this we'd need to have access to the full domain name */ + bind_schannel.bind_type = 23; + bind_schannel.u.info23.domain = dcerpc_security->user.domain; + bind_schannel.u.info23.account_name = dcerpc_security->user.name; + bind_schannel.u.info23.dnsdomain = str_format_nbt_domain(dce_schan_state->mem_ctx, fulldomainname); + bind_schannel.u.info23.workstation = str_format_nbt_domain(dce_schan_state->mem_ctx, dcerpc_security->user.name); +#else + bind_schannel.bind_type = 3; + bind_schannel.u.info3.domain = dcerpc_security->user.domain; + bind_schannel.u.info3.account_name = dcerpc_security->user.name; +#endif + + status = ndr_push_struct_blob(out, dce_schan_state->mem_ctx, &bind_schannel, + (ndr_push_flags_fn_t)ndr_push_schannel_bind); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_MORE_PROCESSING_REQUIRED; +} + +static void dcerpc_schannel_end(struct dcerpc_security *dcerpc_security) +{ + struct dcerpc_schannel_state *dce_schan_state = dcerpc_security->private_data; + + schannel_end(&dce_schan_state->schannel_state); + + talloc_destroy(dce_schan_state->mem_ctx); + + dcerpc_security->private_data = NULL; } @@ -163,107 +269,24 @@ NTSTATUS dcerpc_schannel_key(struct dcerpc_pipe *p, return NT_STATUS_OK; } - -/* - do a schannel style bind on a dcerpc pipe with the given schannel - key. The username is usually of the form HOSTNAME$ and the password - is the domain trust password -*/ -NTSTATUS dcerpc_bind_auth_schannel_key(struct dcerpc_pipe *p, - const char *uuid, uint_t version, - const char *domain, - const char *username, - const uint8_t session_key[16]) +const struct dcesrv_security_ops dcerpc_schannel_security_ops = { + .name = "schannel", + .auth_type = DCERPC_AUTH_TYPE_SCHANNEL, + .start = dcerpc_schannel_start, + .update = dcerpc_schannel_update, + .seal = dcerpc_schannel_seal, + .sign = dcerpc_schannel_sign, + .check_sig = dcerpc_schannel_check_sig, + .unseal = dcerpc_schannel_unseal, + .session_key = dcerpc_schannel_session_key, + .end = dcerpc_schannel_end +}; + +const struct dcesrv_security_ops *dcerpc_schannel_security_get_ops(void) { - NTSTATUS status; - struct schannel_state *schannel_state; - const char *workgroup, *workstation; - struct schannel_bind bind_schannel; - - workstation = username; - workgroup = domain; - - /* - perform a bind with security type schannel - */ - p->auth_info = talloc(p->mem_ctx, sizeof(*p->auth_info)); - if (!p->auth_info) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - p->auth_info->auth_type = DCERPC_AUTH_TYPE_SCHANNEL; - - if (p->flags & DCERPC_SEAL) { - p->auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY; - } else { - /* note that DCERPC_AUTH_LEVEL_NONE does not make any - sense, and would be rejected by the server */ - p->auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY; - } - p->auth_info->auth_pad_length = 0; - p->auth_info->auth_reserved = 0; - p->auth_info->auth_context_id = random(); - p->security_state = NULL; - - bind_schannel.unknown1 = 0; -#if 0 - /* to support this we'd need to have access to the full domain name */ - bind_schannel.bind_type = 23; - bind_schannel.u.info23.domain = domain; - bind_schannel.u.info23.account_name = username; - bind_schannel.u.info23.dnsdomain = str_format_nbt_domain(p->mem_ctx, fulldomainname); - bind_schannel.u.info23.workstation = str_format_nbt_domain(p->mem_ctx, username); -#else - bind_schannel.bind_type = 3; - bind_schannel.u.info3.domain = domain; - bind_schannel.u.info3.account_name = username; -#endif - - status = ndr_push_struct_blob(&p->auth_info->credentials, p->mem_ctx, &bind_schannel, - (ndr_push_flags_fn_t)ndr_push_schannel_bind); - if (!NT_STATUS_IS_OK(status)) { - goto done; - } - - /* send the authenticated bind request */ - status = dcerpc_bind_byuuid(p, p->mem_ctx, uuid, version); - if (!NT_STATUS_IS_OK(status)) { - goto done; - } - - p->security_state = talloc_p(p->mem_ctx, struct dcerpc_security); - if (!p->security_state) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - schannel_state = talloc_p(p->mem_ctx, struct schannel_state); - if (!schannel_state) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - status = schannel_start(&schannel_state, session_key, True); - if (!NT_STATUS_IS_OK(status)) { - goto done; - } - - dump_data_pw("session key:\n", schannel_state->session_key, 16); - - p->security_state->private = schannel_state; - p->security_state->unseal_packet = schan_unseal_packet; - p->security_state->check_packet = schan_check_packet; - p->security_state->seal_packet = schan_seal_packet; - p->security_state->sign_packet = schan_sign_packet; - p->security_state->session_key = schan_session_key; - p->security_state->security_end = schan_security_end; - -done: - return status; + return &dcerpc_schannel_security_ops; } - /* do a schannel style bind on a dcerpc pipe. The username is usually of the form HOSTNAME$ and the password is the domain trust password @@ -275,25 +298,11 @@ NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p, const char *password) { NTSTATUS status; - uint8_t session_key[16]; - int chan_type = 0; - if (p->flags & DCERPC_SCHANNEL_BDC) { - chan_type = SEC_CHAN_BDC; - } else if (p->flags & DCERPC_SCHANNEL_WORKSTATION) { - chan_type = SEC_CHAN_WKSTA; - } else if (p->flags & DCERPC_SCHANNEL_DOMAIN) { - chan_type = SEC_CHAN_DOMAIN; - } - - status = dcerpc_schannel_key(p, domain, username, password, - chan_type, session_key); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - status = dcerpc_bind_auth_schannel_key(p, uuid, version, domain, username, session_key); + status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_SCHANNEL, + uuid, version, + domain, username, + password); return status; } - -- cgit