search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Support storing statd-callout state in cluster filesystem
[samba4-gss.git] / source4 / librpc / rpc / dcerpc_schannel.c
blob42d072b90c3c301f2cfbed804768947bb3223e05
1 /*
2 Unix SMB/CIFS implementation.
3
4 dcerpc schannel operations
5
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Rafal Szczesniak 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #define SOURCE4_LIBRPC_INTERNALS 1
25
26 #include "includes.h"
27 #include <tevent.h>
28 #include "auth/auth.h"
29 #include "libcli/composite/composite.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon.h"
32 #include "librpc/gen_ndr/ndr_netlogon_c.h"
33 #include "auth/credentials/credentials.h"
34 #include "librpc/rpc/dcerpc_proto.h"
35 #include "param/param.h"
36 #include "lib/param/loadparm.h"
37
38 struct schannel_key_state {
39 struct dcerpc_pipe *pipe;
40 struct dcerpc_pipe *pipe2;
41 struct dcerpc_binding *binding;
42 bool dcerpc_schannel_auto;
43 struct cli_credentials *credentials;
44 struct netlogon_creds_CredentialState *creds;
45 uint32_t requested_negotiate_flags;
46 uint32_t required_negotiate_flags;
47 uint32_t local_negotiate_flags;
48 uint32_t remote_negotiate_flags;
49 struct netr_Credential credentials1;
50 struct netr_Credential credentials2;
51 struct netr_Credential credentials3;
52 struct netr_ServerReqChallenge r;
53 struct netr_ServerAuthenticate2 a;
54 const struct samr_Password *mach_pwd;
55 };
56
57
58 static void continue_secondary_connection(struct composite_context *ctx);
59 static void continue_bind_auth_none(struct composite_context *ctx);
60 static void continue_srv_challenge(struct tevent_req *subreq);
61 static void continue_srv_auth2(struct tevent_req *subreq);
62 static void continue_get_negotiated_capabilities(struct tevent_req *subreq);
63 static void continue_get_client_capabilities(struct tevent_req *subreq);
64
65
66 /*
67 Stage 2 of schannel_key: Receive endpoint mapping and request secondary
68 rpc connection
69 */
70 static void continue_epm_map_binding(struct composite_context *ctx)
71 {
72 struct composite_context *c;
73 struct schannel_key_state *s;
74 struct composite_context *sec_conn_req;
75
76 c = talloc_get_type(ctx->async.private_data, struct composite_context);
77 s = talloc_get_type(c->private_data, struct schannel_key_state);
78
79 /* receive endpoint mapping */
80 c->status = dcerpc_epm_map_binding_recv(ctx);
81 if (!NT_STATUS_IS_OK(c->status)) {
82 DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n",
83 NDR_NETLOGON_UUID, nt_errstr(c->status)));
84 composite_error(c, c->status);
85 return;
86 }
87
88 /* send a request for secondary rpc connection */
89 sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
90 s->binding);
91 if (composite_nomem(sec_conn_req, c)) return;
92
93 composite_continue(c, sec_conn_req, continue_secondary_connection, c);
94 }
95
96
97 /*
98 Stage 3 of schannel_key: Receive secondary rpc connection and perform
99 non-authenticated bind request
100 */
101 static void continue_secondary_connection(struct composite_context *ctx)
102 {
103 struct composite_context *c;
104 struct schannel_key_state *s;
105 struct composite_context *auth_none_req;
106
107 c = talloc_get_type(ctx->async.private_data, struct composite_context);
108 s = talloc_get_type(c->private_data, struct schannel_key_state);
109
110 /* receive secondary rpc connection */
111 c->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
112 if (!composite_is_ok(c)) return;
113
114 talloc_steal(s, s->pipe2);
115
116 /* initiate a non-authenticated bind */
117 auth_none_req = dcerpc_bind_auth_none_send(c, s->pipe2, &ndr_table_netlogon);
118 if (composite_nomem(auth_none_req, c)) return;
119
120 composite_continue(c, auth_none_req, continue_bind_auth_none, c);
121 }
122
123
124 /*
125 Stage 4 of schannel_key: Receive non-authenticated bind and get
126 a netlogon challenge
127 */
128 static void continue_bind_auth_none(struct composite_context *ctx)
129 {
130 struct composite_context *c;
131 struct schannel_key_state *s;
132 struct tevent_req *subreq;
133
134 c = talloc_get_type(ctx->async.private_data, struct composite_context);
135 s = talloc_get_type(c->private_data, struct schannel_key_state);
136
137 /* receive result of non-authenticated bind request */
138 c->status = dcerpc_bind_auth_none_recv(ctx);
139 if (!composite_is_ok(c)) return;
140
141 /* prepare a challenge request */
142 s->r.in.server_name = talloc_asprintf(c, "\\\\%s", dcerpc_server_name(s->pipe));
143 if (composite_nomem(s->r.in.server_name, c)) return;
144 s->r.in.computer_name = cli_credentials_get_workstation(s->credentials);
145 s->r.in.credentials = &s->credentials1;
146 s->r.out.return_credentials = &s->credentials2;
147
148 generate_random_buffer(s->credentials1.data, sizeof(s->credentials1.data));
149
150 /*
151 request a netlogon challenge - a rpc request over opened secondary pipe
152 */
153 subreq = dcerpc_netr_ServerReqChallenge_r_send(s, c->event_ctx,
154 s->pipe2->binding_handle,
155 &s->r);
156 if (composite_nomem(subreq, c)) return;
157
158 tevent_req_set_callback(subreq, continue_srv_challenge, c);
159 }
160
161
162 /*
163 Stage 5 of schannel_key: Receive a challenge and perform authentication
164 on the netlogon pipe
165 */
166 static void continue_srv_challenge(struct tevent_req *subreq)
167 {
168 struct composite_context *c;
169 struct schannel_key_state *s;
170
171 c = tevent_req_callback_data(subreq, struct composite_context);
172 s = talloc_get_type(c->private_data, struct schannel_key_state);
173
174 /* receive rpc request result - netlogon challenge */
175 c->status = dcerpc_netr_ServerReqChallenge_r_recv(subreq, s);
176 TALLOC_FREE(subreq);
177 if (!composite_is_ok(c)) return;
178
179 /* prepare credentials for auth2 request */
180 s->mach_pwd = cli_credentials_get_nt_hash(s->credentials, c);
181 if (s->mach_pwd == NULL) {
182 return composite_error(c, NT_STATUS_INTERNAL_ERROR);
183 }
184
185 /* auth2 request arguments */
186 s->a.in.server_name = s->r.in.server_name;
187 s->a.in.account_name = cli_credentials_get_username(s->credentials);
188 s->a.in.secure_channel_type =
189 cli_credentials_get_secure_channel_type(s->credentials);
190 s->a.in.computer_name = cli_credentials_get_workstation(s->credentials);
191 s->a.in.negotiate_flags = &s->requested_negotiate_flags;
192 s->a.in.credentials = &s->credentials3;
193 s->a.out.negotiate_flags = &s->remote_negotiate_flags;
194 s->a.out.return_credentials = &s->credentials3;
195
196 s->creds = netlogon_creds_client_init(s,
197 s->a.in.account_name,
198 s->a.in.computer_name,
199 s->a.in.secure_channel_type,
200 &s->credentials1, &s->credentials2,
201 s->mach_pwd, &s->credentials3,
202 s->requested_negotiate_flags,
203 s->local_negotiate_flags);
204 if (composite_nomem(s->creds, c)) {
205 return;
206 }
207 /*
208 authenticate on the netlogon pipe - a rpc request over secondary pipe
209 */
210 subreq = dcerpc_netr_ServerAuthenticate2_r_send(s, c->event_ctx,
211 s->pipe2->binding_handle,
212 &s->a);
213 if (composite_nomem(subreq, c)) return;
214
215 tevent_req_set_callback(subreq, continue_srv_auth2, c);
216 }
217
218
219 /*
220 Stage 6 of schannel_key: Receive authentication request result and verify
221 received credentials
222 */
223 static void continue_srv_auth2(struct tevent_req *subreq)
224 {
225 struct composite_context *c;
226 struct schannel_key_state *s;
227 enum dcerpc_AuthType auth_type;
228 enum dcerpc_AuthLevel auth_level;
229 NTSTATUS status;
230
231 c = tevent_req_callback_data(subreq, struct composite_context);
232 s = talloc_get_type(c->private_data, struct schannel_key_state);
233
234 dcerpc_binding_handle_auth_info(s->pipe2->binding_handle,
235 &auth_type,
236 &auth_level);
237
238 /* receive rpc request result - auth2 credentials */
239 c->status = dcerpc_netr_ServerAuthenticate2_r_recv(subreq, s);
240 TALLOC_FREE(subreq);
241 if (!composite_is_ok(c)) return;
242
243 if (!NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED) &&
244 !NT_STATUS_IS_OK(s->a.out.result)) {
245 composite_error(c, s->a.out.result);
246 return;
247 }
248
249 {
250 uint32_t rqf = s->required_negotiate_flags;
251 uint32_t rf = s->remote_negotiate_flags;
252 uint32_t lf = s->local_negotiate_flags;
253
254 if ((rf & NETLOGON_NEG_SUPPORTS_AES) &&
255 (lf & NETLOGON_NEG_SUPPORTS_AES))
256 {
257 rqf &= ~NETLOGON_NEG_ARCFOUR;
258 rqf &= ~NETLOGON_NEG_STRONG_KEYS;
259 }
260
261 if ((rqf & rf) != rqf) {
262 rqf = s->required_negotiate_flags;
263 DBG_ERR("The client capabilities don't match "
264 "the server capabilities: local[0x%08X] "
265 "required[0x%08X] remote[0x%08X]\n",
266 lf, rqf, rf);
267 composite_error(c, NT_STATUS_DOWNGRADE_DETECTED);
268 return;
269 }
270 }
271
272 /*
273 * Strong keys could be unsupported (NT4) or disabled. So retry with the
274 * flags returned by the server. - asn
275 */
276 if (NT_STATUS_EQUAL(s->a.out.result, NT_STATUS_ACCESS_DENIED)) {
277 uint32_t lf = s->local_negotiate_flags;
278 const char *ln = NULL;
279 uint32_t rf = s->remote_negotiate_flags;
280 const char *rn = NULL;
281
282 if ((lf & rf) == lf) {
283 /*
284 * without a change in flags
285 * there's no need to retry...
286 */
287 s->dcerpc_schannel_auto = false;
288 }
289
290 if (!s->dcerpc_schannel_auto) {
291 composite_error(c, s->a.out.result);
292 return;
293 }
294 s->dcerpc_schannel_auto = false;
295
296 if (lf & NETLOGON_NEG_SUPPORTS_AES) {
297 ln = "aes";
298 if (rf & NETLOGON_NEG_SUPPORTS_AES) {
299 composite_error(c, s->a.out.result);
300 return;
301 }
302 } else if (lf & NETLOGON_NEG_STRONG_KEYS) {
303 ln = "strong";
304 if (rf & NETLOGON_NEG_STRONG_KEYS) {
305 composite_error(c, s->a.out.result);
306 return;
307 }
308 } else {
309 ln = "des";
310 }
311
312 if (rf & NETLOGON_NEG_SUPPORTS_AES) {
313 rn = "aes";
314 } else if (rf & NETLOGON_NEG_STRONG_KEYS) {
315 rn = "strong";
316 } else {
317 rn = "des";
318 }
319
320 DEBUG(3, ("Server doesn't support %s keys, downgrade to %s"
321 "and retry! local[0x%08X] remote[0x%08X]\n",
322 ln, rn, lf, rf));
323
324 s->local_negotiate_flags &= s->remote_negotiate_flags;
325
326 generate_random_buffer(s->credentials1.data,
327 sizeof(s->credentials1.data));
328
329 subreq = dcerpc_netr_ServerReqChallenge_r_send(s,
330 c->event_ctx,
331 s->pipe2->binding_handle,
332 &s->r);
333 if (composite_nomem(subreq, c)) return;
334
335 tevent_req_set_callback(subreq, continue_srv_challenge, c);
336 return;
337 }
338
339 /* verify credentials */
340 status = netlogon_creds_client_verify(s->creds,
341 s->a.out.return_credentials,
342 auth_type,
343 auth_level);
344 if (!NT_STATUS_IS_OK(status)) {
345 composite_error(c, status);
346 return;
347 }
348
349 if (s->requested_negotiate_flags == s->local_negotiate_flags) {
350 /*
351 * Without a downgrade in the crypto we proposed
352 * we can adjust the otherwise downgraded flags
353 * before storing.
354 */
355 s->creds->negotiate_flags &= s->remote_negotiate_flags;
356 } else if (s->local_negotiate_flags != s->remote_negotiate_flags) {
357 /*
358 * We downgraded our crypto once, we should not
359 * allow any additional downgrade!
360 */
361 DBG_ERR("%s: NT_STATUS_DOWNGRADE_DETECTED\n", __location__);
362 composite_error(c, NT_STATUS_DOWNGRADE_DETECTED);
363 return;
364 }
365
366 composite_done(c);
367 }
368
369 /*
370 Initiate establishing a schannel key using netlogon challenge
371 on a secondary pipe
372 */
373 static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
374 struct dcerpc_pipe *p,
375 struct cli_credentials *credentials,
376 struct loadparm_context *lp_ctx)
377 {
378 struct composite_context *c;
379 struct schannel_key_state *s;
380 struct composite_context *epm_map_req;
381 enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials);
382 struct cli_credentials *epm_creds = NULL;
383 bool reject_md5_servers = false;
384 bool require_strong_key = false;
385
386 /* composite context allocation and setup */
387 c = composite_create(mem_ctx, p->conn->event_ctx);
388 if (c == NULL) return NULL;
389
390 s = talloc_zero(c, struct schannel_key_state);
391 if (composite_nomem(s, c)) return c;
392 c->private_data = s;
393
394 /* store parameters in the state structure */
395 s->pipe = p;
396 s->credentials = credentials;
397 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
398 s->required_negotiate_flags = NETLOGON_NEG_AUTHENTICATED_RPC;
399
400 /* allocate credentials */
401 if (s->pipe->conn->flags & DCERPC_SCHANNEL_128) {
402 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
403 require_strong_key = true;
404 }
405 if (s->pipe->conn->flags & DCERPC_SCHANNEL_AES) {
406 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
407 reject_md5_servers = true;
408 }
409 if (s->pipe->conn->flags & DCERPC_SCHANNEL_AUTO) {
410 s->local_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
411 s->local_negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
412 s->dcerpc_schannel_auto = true;
413 reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
414 require_strong_key = lpcfg_require_strong_key(lp_ctx);
415 }
416
417 if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
418 reject_md5_servers = true;
419 }
420
421 if (reject_md5_servers) {
422 require_strong_key = true;
423 }
424
425 if (require_strong_key) {
426 s->required_negotiate_flags |= NETLOGON_NEG_ARCFOUR;
427 s->required_negotiate_flags |= NETLOGON_NEG_STRONG_KEYS;
428 }
429
430 if (reject_md5_servers) {
431 s->required_negotiate_flags |= NETLOGON_NEG_PASSWORD_SET2;
432 s->required_negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
433 }
434
435 s->local_negotiate_flags |= s->required_negotiate_flags;
436
437 if (s->required_negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
438 s->required_negotiate_flags &= ~NETLOGON_NEG_ARCFOUR;
439 s->required_negotiate_flags &= ~NETLOGON_NEG_STRONG_KEYS;
440 }
441
442 /* type of authentication depends on schannel type */
443 if (schannel_type == SEC_CHAN_RODC) {
444 s->local_negotiate_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
445 }
446
447 s->requested_negotiate_flags = s->local_negotiate_flags;
448
449 epm_creds = cli_credentials_init_anon(s);
450 if (composite_nomem(epm_creds, c)) return c;
451
452 /* allocate binding structure */
453 s->binding = dcerpc_binding_dup(s, s->pipe->binding);
454 if (composite_nomem(s->binding, c)) return c;
455
456 /* request the netlogon endpoint mapping */
457 epm_map_req = dcerpc_epm_map_binding_send(c, s->binding,
458 &ndr_table_netlogon,
459 epm_creds,
460 s->pipe->conn->event_ctx,
461 lp_ctx);
462 if (composite_nomem(epm_map_req, c)) return c;
463
464 composite_continue(c, epm_map_req, continue_epm_map_binding, c);
465 return c;
466 }
467
468
469 /*
470 Receive result of schannel key request
471 */
472 static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c,
473 TALLOC_CTX *mem_ctx,
474 struct netlogon_creds_CredentialState **creds)
475 {
476 NTSTATUS status = composite_wait(c);
477
478 if (NT_STATUS_IS_OK(status)) {
479 struct schannel_key_state *s =
480 talloc_get_type_abort(c->private_data,
481 struct schannel_key_state);
482 *creds = talloc_move(mem_ctx, &s->creds);
483 }
484
485 talloc_free(c);
486 return status;
487 }
488
489
490 struct auth_schannel_state {
491 struct dcerpc_pipe *pipe;
492 struct cli_credentials *credentials;
493 uint32_t requested_negotiate_flags;
494 const struct ndr_interface_table *table;
495 struct loadparm_context *lp_ctx;
496 uint8_t auth_level;
497 struct netlogon_creds_CredentialState *creds_state;
498 struct netlogon_creds_CredentialState save_creds_state;
499 struct netr_Authenticator auth;
500 struct netr_Authenticator return_auth;
501 union netr_Capabilities capabilities;
502 union netr_Capabilities client_caps;
503 struct netr_LogonGetCapabilities c;
504 union netr_CONTROL_QUERY_INFORMATION ctrl_info;
505 };
506
507
508 static void continue_bind_auth(struct composite_context *ctx);
509
510
511 /*
512 Stage 2 of auth_schannel: Receive schannel key and initiate an
513 authenticated bind using received credentials
514 */
515 static void continue_schannel_key(struct composite_context *ctx)
516 {
517 struct composite_context *auth_req;
518 struct composite_context *c = talloc_get_type(ctx->async.private_data,
519 struct composite_context);
520 struct auth_schannel_state *s = talloc_get_type(c->private_data,
521 struct auth_schannel_state);
522 NTSTATUS status;
523
524 /* receive schannel key */
525 c->status = dcerpc_schannel_key_recv(ctx,
526 s,
527 &s->creds_state);
528 status = c->status;
529 if (!composite_is_ok(c)) {
530 DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
531 return;
532 }
533
534 s->requested_negotiate_flags =
535 s->creds_state->client_requested_flags;
536
537 /* send bind auth request with received creds */
538 cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
539
540 auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
541 lpcfg_gensec_settings(c, s->lp_ctx),
542 DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
543 NULL);
544 if (composite_nomem(auth_req, c)) return;
545
546 composite_continue(c, auth_req, continue_bind_auth, c);
547 }
548
549
550 /*
551 Stage 3 of auth_schannel: Receive result of authenticated bind
552 and say if we're done ok.
553 */
554 static void continue_bind_auth(struct composite_context *ctx)
555 {
556 struct composite_context *c = talloc_get_type(ctx->async.private_data,
557 struct composite_context);
558 struct auth_schannel_state *s = talloc_get_type(c->private_data,
559 struct auth_schannel_state);
560 struct tevent_req *subreq;
561
562 c->status = dcerpc_bind_auth_recv(ctx);
563 if (!composite_is_ok(c)) return;
564
565 /* if we have a AES encrypted connection, verify the capabilities */
566 if (ndr_syntax_id_equal(&s->table->syntax_id,
567 &ndr_table_netlogon.syntax_id)) {
568 NTSTATUS status;
569 ZERO_STRUCT(s->return_auth);
570
571 s->save_creds_state = *s->creds_state;
572 status = netlogon_creds_client_authenticator(&s->save_creds_state,
573 &s->auth);
574 if (!NT_STATUS_IS_OK(status)) {
575 composite_error(c, status);
576 return;
577 }
578
579 s->c.in.server_name = talloc_asprintf(c,
580 "\\\\%s",
581 dcerpc_server_name(s->pipe));
582 if (composite_nomem(s->c.in.server_name, c)) return;
583 s->c.in.computer_name = cli_credentials_get_workstation(s->credentials);
584 s->c.in.credential = &s->auth;
585 s->c.in.return_authenticator = &s->return_auth;
586 s->c.in.query_level = 1;
587
588 s->c.out.capabilities = &s->capabilities;
589 s->c.out.return_authenticator = &s->return_auth;
590
591 DEBUG(5, ("We established a AES connection, verifying logon "
592 "capabilities\n"));
593
594 subreq = dcerpc_netr_LogonGetCapabilities_r_send(s,
595 c->event_ctx,
596 s->pipe->binding_handle,
597 &s->c);
598 if (composite_nomem(subreq, c)) return;
599
600 tevent_req_set_callback(subreq,
601 continue_get_negotiated_capabilities,
602 c);
603 return;
604 }
605
606 composite_done(c);
607 }
608
609 static void continue_logon_control_do(struct composite_context *c);
610
611 /*
612 Stage 4 of auth_schannel: Get the Logon Capabilities and verify them.
613 */
614 static void continue_get_negotiated_capabilities(struct tevent_req *subreq)
615 {
616 struct composite_context *c;
617 struct auth_schannel_state *s;
618 enum dcerpc_AuthType auth_type;
619 enum dcerpc_AuthLevel auth_level;
620 NTSTATUS status;
621
622 c = tevent_req_callback_data(subreq, struct composite_context);
623 s = talloc_get_type(c->private_data, struct auth_schannel_state);
624
625 dcerpc_binding_handle_auth_info(s->pipe->binding_handle,
626 &auth_type,
627 &auth_level);
628
629 /* receive rpc request result */
630 c->status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, s);
631 TALLOC_FREE(subreq);
632 if (NT_STATUS_EQUAL(c->status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
633 if (s->creds_state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
634 DBG_ERR("%s: NT_STATUS_DOWNGRADE_DETECTED\n", __location__);
635 composite_error(c, NT_STATUS_DOWNGRADE_DETECTED);
636 return;
637 } else if (s->creds_state->negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
638 DBG_ERR("%s: NT_STATUS_DOWNGRADE_DETECTED\n", __location__);
639 composite_error(c, NT_STATUS_DOWNGRADE_DETECTED);
640 return;
641 }
642
643 /* This is probably NT */
644 continue_logon_control_do(c);
645 return;
646 } else if (!composite_is_ok(c)) {
647 return;
648 }
649
650 if (NT_STATUS_EQUAL(s->c.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
651 if (s->creds_state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
652 /* This means AES isn't supported. */
653 DBG_ERR("%s: NT_STATUS_DOWNGRADE_DETECTED\n", __location__);
654 composite_error(c, NT_STATUS_DOWNGRADE_DETECTED);
655 return;
656 }
657
658 /* This is probably an old Samba version */
659 composite_done(c);
660 return;
661 }
662
663 /* verify credentials */
664 status = netlogon_creds_client_verify(&s->save_creds_state,
665 &s->c.out.return_authenticator->cred,
666 auth_type,
667 auth_level);
668 if (!NT_STATUS_IS_OK(status)) {
669 composite_error(c, status);
670 return;
671 }
672
673 *s->creds_state = s->save_creds_state;
674 cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
675
676 if (!NT_STATUS_IS_OK(s->c.out.result)) {
677 composite_error(c, s->c.out.result);
678 return;
679 }
680
681 /* compare capabilities */
682 if (s->creds_state->negotiate_flags != s->capabilities.server_capabilities) {
683 DBG_ERR("The client capabilities don't match the server "
684 "capabilities: local[0x%08X] remote[0x%08X]\n",
685 s->creds_state->negotiate_flags,
686 s->capabilities.server_capabilities);
687 composite_error(c, NT_STATUS_DOWNGRADE_DETECTED);
688 return;
689 }
690
691 if ((s->requested_negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) &&
692 (!(s->creds_state->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)))
693 {
694 DBG_ERR("%s: NT_STATUS_DOWNGRADE_DETECTED\n", __location__);
695 composite_error(c, NT_STATUS_DOWNGRADE_DETECTED);
696 return;
697 }
698
699 ZERO_STRUCT(s->return_auth);
700
701 s->save_creds_state = *s->creds_state;
702 status = netlogon_creds_client_authenticator(&s->save_creds_state,
703 &s->auth);
704 if (!NT_STATUS_IS_OK(status)) {
705 composite_error(c, status);
706 return;
707 }
708
709 s->c.in.credential = &s->auth;
710 s->c.in.return_authenticator = &s->return_auth;
711 s->c.in.query_level = 2;
712
713 s->c.out.capabilities = &s->client_caps;
714 s->c.out.return_authenticator = &s->return_auth;
715
716 subreq = dcerpc_netr_LogonGetCapabilities_r_send(s,
717 c->event_ctx,
718 s->pipe->binding_handle,
719 &s->c);
720 if (composite_nomem(subreq, c)) return;
721
722 tevent_req_set_callback(subreq, continue_get_client_capabilities, c);
723 return;
724 }
725
726 static void continue_get_client_capabilities(struct tevent_req *subreq)
727 {
728 struct composite_context *c;
729 struct auth_schannel_state *s;
730 enum dcerpc_AuthType auth_type;
731 enum dcerpc_AuthLevel auth_level;
732 NTSTATUS status;
733
734 c = tevent_req_callback_data(subreq, struct composite_context);
735 s = talloc_get_type(c->private_data, struct auth_schannel_state);
736
737 dcerpc_binding_handle_auth_info(s->pipe->binding_handle,
738 &auth_type,
739 &auth_level);
740
741 /* receive rpc request result */
742 c->status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, s);
743 TALLOC_FREE(subreq);
744 if (NT_STATUS_EQUAL(c->status, NT_STATUS_RPC_BAD_STUB_DATA)) {
745 /*
746 * unpatched Samba server, see
747 * https://bugzilla.samba.org/show_bug.cgi?id=15418
748 */
749 c->status = NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE;
750 }
751 if (NT_STATUS_EQUAL(c->status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
752 /*
753 * Here we know the negotiated flags were already
754 * verified with query_level=1, which means
755 * the server supported NETLOGON_NEG_SUPPORTS_AES
756 * and also NETLOGON_NEG_AUTHENTICATED_RPC
757 *
758 * As we're using DCERPC_AUTH_TYPE_SCHANNEL with
759 * DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY
760 * we should detect a faked
761 * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
762 * with the next request as the sequence number processing
763 * gets out of sync.
764 *
765 * So we'll do a LogonControl message to check that...
766 */
767 continue_logon_control_do(c);
768 return;
769 }
770 if (!composite_is_ok(c)) {
771 return;
772 }
773
774 /* verify credentials */
775 status = netlogon_creds_client_verify(&s->save_creds_state,
776 &s->c.out.return_authenticator->cred,
777 auth_type,
778 auth_level);
779 if (!NT_STATUS_IS_OK(status)) {
780 composite_error(c, status);
781 return;
782 }
783
784 if (!NT_STATUS_IS_OK(s->c.out.result)) {
785 composite_error(c, s->c.out.result);
786 return;
787 }
788
789 /* compare capabilities */
790 if (s->requested_negotiate_flags != s->client_caps.requested_flags) {
791 DBG_ERR("The client requested capabilities did not reach"
792 "the server! local[0x%08X] remote[0x%08X]\n",
793 s->requested_negotiate_flags,
794 s->client_caps.requested_flags);
795 composite_error(c, NT_STATUS_DOWNGRADE_DETECTED);
796 return;
797 }
798
799 *s->creds_state = s->save_creds_state;
800 cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
801
802 composite_done(c);
803 }
804
805 static void continue_logon_control_done(struct tevent_req *subreq);
806
807 static void continue_logon_control_do(struct composite_context *c)
808 {
809 struct auth_schannel_state *s = NULL;
810 struct tevent_req *subreq = NULL;
811
812 s = talloc_get_type(c->private_data, struct auth_schannel_state);
813
814 subreq = dcerpc_netr_LogonControl_send(s,
815 c->event_ctx,
816 s->pipe->binding_handle,
817 s->c.in.server_name,
818 NETLOGON_CONTROL_QUERY,
819 2,
820 &s->ctrl_info);
821 if (composite_nomem(subreq, c)) return;
822
823 tevent_req_set_callback(subreq, continue_logon_control_done, c);
824 }
825
826 static void continue_logon_control_done(struct tevent_req *subreq)
827 {
828 struct composite_context *c = NULL;
829 struct auth_schannel_state *s = NULL;
830 WERROR werr;
831
832 c = tevent_req_callback_data(subreq, struct composite_context);
833 s = talloc_get_type(c->private_data, struct auth_schannel_state);
834
835 /* receive rpc request result */
836 c->status = dcerpc_netr_LogonControl_recv(subreq, s, &werr);
837 TALLOC_FREE(subreq);
838 if (!NT_STATUS_IS_OK(c->status)) {
839 DBG_ERR("%s: NT_STATUS_DOWNGRADE_DETECTED\n", __location__);
840 composite_error(c, NT_STATUS_DOWNGRADE_DETECTED);
841 return;
842 }
843
844 if (!W_ERROR_EQUAL(werr, WERR_NOT_SUPPORTED)) {
845 DBG_ERR("%s: NT_STATUS_DOWNGRADE_DETECTED\n", __location__);
846 composite_error(c, NT_STATUS_DOWNGRADE_DETECTED);
847 return;
848 }
849
850 composite_done(c);
851 }
852
853 /*
854 Initiate schannel authentication request
855 */
856 struct composite_context *dcerpc_bind_auth_schannel_send(TALLOC_CTX *tmp_ctx,
857 struct dcerpc_pipe *p,
858 const struct ndr_interface_table *table,
859 struct cli_credentials *credentials,
860 struct loadparm_context *lp_ctx,
861 uint8_t auth_level)
862 {
863 struct composite_context *c;
864 struct auth_schannel_state *s;
865 struct composite_context *schan_key_req;
866
867 /* composite context allocation and setup */
868 c = composite_create(tmp_ctx, p->conn->event_ctx);
869 if (c == NULL) return NULL;
870
871 s = talloc_zero(c, struct auth_schannel_state);
872 if (composite_nomem(s, c)) return c;
873 c->private_data = s;
874
875 /* store parameters in the state structure */
876 s->pipe = p;
877 s->credentials = credentials;
878 s->table = table;
879 s->auth_level = auth_level;
880 s->lp_ctx = lp_ctx;
881
882 /* start getting schannel key first */
883 schan_key_req = dcerpc_schannel_key_send(c, p, credentials, lp_ctx);
884 if (composite_nomem(schan_key_req, c)) return c;
885
886 composite_continue(c, schan_key_req, continue_schannel_key, c);
887 return c;
888 }
889
890
891 /*
892 Receive result of schannel authentication request
893 */
894 NTSTATUS dcerpc_bind_auth_schannel_recv(struct composite_context *c)
895 {
896 NTSTATUS status = composite_wait(c);
897
898 talloc_free(c);
899 return status;
900 }
GSS-enabled samba4