LCOV - code coverage report
Current view: top level - source4/libcli/smb_composite - sesssetup.c (source / functions) Hit Total Coverage
Test: coverage report for master 70ed9daf Lines: 287 429 66.9 %
Date: 2024-01-11 09:59:51 Functions: 11 11 100.0 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    Copyright (C) Andrew Tridgell 2005
       5             : 
       6             :    This program is free software; you can redistribute it and/or modify
       7             :    it under the terms of the GNU General Public License as published by
       8             :    the Free Software Foundation; either version 3 of the License, or
       9             :    (at your option) any later version.
      10             : 
      11             :    This program is distributed in the hope that it will be useful,
      12             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      13             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      14             :    GNU General Public License for more details.
      15             : 
      16             :    You should have received a copy of the GNU General Public License
      17             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      18             : */
      19             : /*
      20             :   a composite API for handling a generic async session setup
      21             : */
      22             : 
      23             : #include "includes.h"
      24             : #include <tevent.h>
      25             : #include "libcli/raw/libcliraw.h"
      26             : #include "libcli/raw/raw_proto.h"
      27             : #include "libcli/composite/composite.h"
      28             : #include "libcli/smb_composite/smb_composite.h"
      29             : #include "libcli/auth/libcli_auth.h"
      30             : #include "auth/auth.h"
      31             : #include "auth/gensec/gensec.h"
      32             : #include "auth/credentials/credentials.h"
      33             : #include "version.h"
      34             : #include "param/param.h"
      35             : #include "libcli/smb/smbXcli_base.h"
      36             : 
      /*
       * Per-call state of one composite session setup. It is stored as the
       * composite context's private_data and fetched again with
       * talloc_get_type() in the handlers below.
       */
      struct sesssetup_state {
              /* NOTE(review): not referenced in the part of the file reviewed
               * here; presumably the session being set up -- confirm */
              struct smbcli_session *session;
              /* raw request/response union; .old/.nt1/.spnego is selected by level */
              union smb_sesssetup setup;
              /* NOTE(review): not referenced in the part of the file reviewed
               * here; presumably the mechanism OID chosen for SPNEGO -- confirm */
              const char *chosen_oid;
              /* status the server returned for the last session setup reply */
              NTSTATUS remote_status;
              /* status of the previous GENSEC pass; while it is
               * NT_STATUS_MORE_PROCESSING_REQUIRED the exchange must continue
               * even if the server already answered NT_STATUS_OK */
              NTSTATUS gensec_status;
              /* caller's parameter block (in.credentials, in.sesskey, out.vuid, ...) */
              struct smb_composite_sesssetup *io;
              /* request currently in flight; released by the destructor if still set */
              struct smbcli_request *req;
              /* reply kept back so that its SMB signature can be verified later */
              struct smbcli_request *check_req;
              /* counter handed to cli_credentials_failed_kerberos_login() */
              unsigned int logon_retries;
      };
      48             : 
      /*
       * talloc destructor for struct sesssetup_state: drop a request that is
       * still outstanding so it cannot outlive the state it reports to.
       * Always returns 0, i.e. the free of the state itself is allowed.
       */
      static int sesssetup_state_destructor(struct sesssetup_state *state)
      {
              /* TALLOC_FREE() is a no-op on NULL and resets the pointer afterwards */
              TALLOC_FREE(state->req);

              return 0;
      }
      58             : 
      /*
       * Forward declarations: request_handler() below re-issues a session setup
       * through these helpers when a logon has to be retried, and hands the
       * SPNEGO exchange over to the two tevent callbacks.
       */
      static NTSTATUS session_setup_old(struct composite_context *c,
                                        struct smbcli_session *session,
                                        struct smb_composite_sesssetup *io,
                                        struct smbcli_request **req);
      static NTSTATUS session_setup_nt1(struct composite_context *c,
                                        struct smbcli_session *session,
                                        struct smb_composite_sesssetup *io,
                                        struct smbcli_request **req);
      static NTSTATUS session_setup_spnego_restart(struct composite_context *c,
                                                   struct smbcli_session *session,
                                                   struct smb_composite_sesssetup *io);
      static NTSTATUS session_setup_spnego(struct composite_context *c,
                                           struct smbcli_session *session,
                                           struct smb_composite_sesssetup *io,
                                           struct smbcli_request **req);
      static void smb_composite_sesssetup_spnego_done1(struct tevent_req *subreq);
      static void smb_composite_sesssetup_spnego_done2(struct tevent_req *subreq);
      76             : 
      77             : 
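      /*
       * Completion handler for a raw session setup sub-request.
       *
       * The reply is parsed into state->setup and the server's status is kept in
       * state->remote_status and c->status.  Depending on the setup level the
       * handler then
       *   - retries the logon after NT_STATUS_LOGON_FAILURE when the credentials
       *     layer reports that another attempt is possible,
       *   - continues the GENSEC exchange while GENSEC still reports
       *     NT_STATUS_MORE_PROCESSING_REQUIRED, or
       *   - installs the session key, activates signing and finishes.
       *
       * When the transport left signature verification to the caller
       * (req->sign_caller_checks) the request is kept alive as check_req and its
       * signature is verified here before the composite request is completed; a
       * bad signature ends the setup with NT_STATUS_ACCESS_DENIED.
       *
       * Every exit path reports through composite_error(), composite_done() or a
       * follow-up sub-request; nothing is returned to the caller.
       */
      static void request_handler(struct smbcli_request *req)
      {
              struct composite_context *c = (struct composite_context *)req->async.private_data;
              struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
              struct smbcli_session *session = req->session;
              DATA_BLOB null_data_blob = data_blob(NULL, 0);
              NTSTATUS session_key_err, nt_status;
              struct smbcli_request *check_req = NULL;
              const char *os = NULL;
              const char *lanman = NULL;

              if (req->sign_caller_checks) {
                      /* keep the reply buffer: it is needed for the signature check below */
                      req->do_not_free = true;
                      check_req = req;
              }

              state->remote_status = smb_raw_sesssetup_recv(req, state, &state->setup);
              c->status = state->remote_status;
              state->req = NULL;

              /*
               * we only need to check the signature if the
               * NT_STATUS_OK is returned
               */
              if (!NT_STATUS_IS_OK(state->remote_status)) {
                      talloc_free(check_req);
                      check_req = NULL;
              }

              switch (state->setup.old.level) {
              case RAW_SESSSETUP_OLD:
                      state->io->out.vuid = state->setup.old.out.vuid;
                      /* This doesn't work, as this only happens on old
                       * protocols, where this comparison won't match. */
                      if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
                              /* we need to reset the vuid for a new try */
                              session->vuid = 0;
                              if (cli_credentials_wrong_password(state->io->in.credentials)) {
                                      nt_status = session_setup_old(c, session,
                                                                    state->io,
                                                                    &state->req);
                                      if (NT_STATUS_IS_OK(nt_status)) {
                                              talloc_free(check_req);
                                              c->status = nt_status;
                                              composite_continue_smb(c, state->req, request_handler, c);
                                              return;
                                      }
                              }
                      }
                      if (!NT_STATUS_IS_OK(c->status)) {
                              composite_error(c, c->status);
                              return;
                      }
                      os = state->setup.old.out.os;
                      lanman = state->setup.old.out.lanman;
                      break;

              case RAW_SESSSETUP_NT1:
                      state->io->out.vuid = state->setup.nt1.out.vuid;
                      if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
                              /* we need to reset the vuid for a new try */
                              session->vuid = 0;
                              if (cli_credentials_wrong_password(state->io->in.credentials)) {
                                      nt_status = session_setup_nt1(c, session,
                                                                    state->io,
                                                                    &state->req);
                                      if (NT_STATUS_IS_OK(nt_status)) {
                                              talloc_free(check_req);
                                              c->status = nt_status;
                                              composite_continue_smb(c, state->req, request_handler, c);
                                              return;
                                      }
                              }
                      }
                      if (!NT_STATUS_IS_OK(c->status)) {
                              composite_error(c, c->status);
                              return;
                      }
                      os = state->setup.nt1.out.os;
                      lanman = state->setup.nt1.out.lanman;
                      break;

              case RAW_SESSSETUP_SPNEGO:
                      state->io->out.vuid = state->setup.spnego.out.vuid;
                      if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
                              const char *principal;

                              /* we need to reset the vuid for a new try */
                              session->vuid = 0;

                              /*
                               * Name the principal the failed logon was aimed at;
                               * fall back to "service/hostname" when GENSEC has no
                               * explicit target principal.  It stays NULL if neither
                               * is known or the allocation fails.
                               */
                              principal = gensec_get_target_principal(session->gensec);
                              if (principal == NULL) {
                                      const char *hostname = gensec_get_target_hostname(session->gensec);
                                      const char *service  = gensec_get_target_service(session->gensec);
                                      if (hostname != NULL && service != NULL) {
                                              principal = talloc_asprintf(state, "%s/%s", service, hostname);
                                      }
                              }
                              if (cli_credentials_failed_kerberos_login(state->io->in.credentials, principal, &state->logon_retries) ||
                                  cli_credentials_wrong_password(state->io->in.credentials)) {
                                      struct tevent_req *subreq = NULL;

                                      nt_status = session_setup_spnego_restart(c, session, state->io);
                                      if (!NT_STATUS_IS_OK(nt_status)) {
                                              DEBUG(1, ("session_setup_spnego_restart() failed: %s\n",
                                                        nt_errstr(nt_status)));
                                              c->status = nt_status;
                                              composite_error(c, c->status);
                                              return;
                                      }

                                      subreq = gensec_update_send(state, c->event_ctx,
                                                                  session->gensec,
                                                                  state->setup.spnego.out.secblob);
                                      if (composite_nomem(subreq, c)) {
                                              return;
                                      }
                                      tevent_req_set_callback(subreq,
                                                              smb_composite_sesssetup_spnego_done1,
                                                              c);
                                      return;
                              }
                      }
                      if (GENSEC_UPDATE_IS_NTERROR(c->status)) {
                              composite_error(c, c->status);
                              return;
                      }
                      if (NT_STATUS_EQUAL(state->gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
                              struct tevent_req *subreq = NULL;

                              /* The status value here, from the earlier pass at GENSEC is
                               * vital to the security of the system.  Even if the other end
                               * accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
                               * you must keep feeding it blobs, or else the remote
                               * host/attacker might avoid mutual authentication
                               * requirements */

                              subreq = gensec_update_send(state, c->event_ctx,
                                                          session->gensec,
                                                          state->setup.spnego.out.secblob);
                              if (composite_nomem(subreq, c)) {
                                      /* NOTE(review): check_req, if still set, is not
                                       * released on this out-of-memory path although
                                       * do_not_free was set above -- confirm */
                                      return;
                              }
                              tevent_req_set_callback(subreq,
                                                      smb_composite_sesssetup_spnego_done2,
                                                      c);
                              if (NT_STATUS_IS_OK(state->remote_status)) {
                                      /* signature of this reply is checked once GENSEC is done */
                                      state->check_req = check_req;
                              } else {
                                      TALLOC_FREE(check_req);
                              }
                              return;
                      } else {
                              state->setup.spnego.in.secblob = data_blob(NULL, 0);
                      }

                      if (cli_credentials_is_anonymous(state->io->in.credentials)) {
                              /*
                               * anonymous => no signing
                               */
                      } else if (NT_STATUS_IS_OK(state->remote_status)) {
                              /*
                               * Start from an empty blob: when gensec_session_key()
                               * fails, the calls below would otherwise receive an
                               * indeterminate stack value as key and as pointer to free.
                               */
                              DATA_BLOB session_key = data_blob(NULL, 0);

                              if (state->setup.spnego.in.secblob.length) {
                                      c->status = NT_STATUS_INTERNAL_ERROR;
                                      composite_error(c, c->status);
                                      return;
                              }
                              session_key_err = gensec_session_key(session->gensec, session, &session_key);
                              if (NT_STATUS_IS_OK(session_key_err)) {
                                      /* signing is only switched on with a key GENSEC vouches for */
                                      smb1cli_conn_activate_signing(session->transport->conn,
                                                                    session_key,
                                                                    null_data_blob);
                              }

                              c->status = smb1cli_session_set_session_key(session->smbXcli,
                                                                          session_key);
                              data_blob_free(&session_key);
                              if (!NT_STATUS_IS_OK(c->status)) {
                                      composite_error(c, c->status);
                                      return;
                              }
                      }

                      os = state->setup.spnego.out.os;
                      lanman = state->setup.spnego.out.lanman;
                      break;

              case RAW_SESSSETUP_SMB2:
                      /* SMB2 session setups are not handled by this SMB1 code path */
                      c->status = NT_STATUS_INTERNAL_ERROR;
                      composite_error(c, c->status);
                      return;
              }

              if (check_req) {
                      bool ok;

                      /* the signature is verified here, not by the transport */
                      check_req->sign_caller_checks = false;

                      ok = smb1cli_conn_check_signing(check_req->transport->conn,
                                                      check_req->in.buffer, 1);
                      TALLOC_FREE(check_req);
                      if (!ok) {
                              /* a reply that fails the signature check must not
                               * complete the session setup */
                              c->status = NT_STATUS_ACCESS_DENIED;
                              composite_error(c, c->status);
                              return;
                      }
              }

              if (!NT_STATUS_IS_OK(c->status)) {
                      composite_error(c, c->status);
                      return;
              }

              /* remember what the server reported about itself, owned by the session */
              if (os) {
                      session->os = talloc_strdup(session, os);
                      if (composite_nomem(session->os, c)) return;
              } else {
                      session->os = NULL;
              }
              if (lanman) {
                      session->lanman = talloc_strdup(session, lanman);
                      if (composite_nomem(session->lanman, c)) return;
              } else {
                      session->lanman = NULL;
              }

              composite_done(c);
      }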
     310             : 
     311             : 
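     /*
      * Send an NT1 style session setup.
      *
      * Fills state->setup.nt1 from the session/transport options and the
      * credentials in io->in.credentials, sends the request and stores it in
      * *req.
      *
      * Authentication material:
      *   - server negotiated challenge/response: an NTLM response is requested
      *     from the credentials (LANMAN and NTLMv2 only when the session options
      *     enable them); SMB signing is activated with the resulting session
      *     key unless the credentials are anonymous.
      *   - otherwise, only if session->options.plaintext_auth is set, the
      *     password itself is placed in the request and signing stays off.
      *
      * Returns NT_STATUS_INVALID_PARAMETER when no permitted authentication
      * method applies (including NTLMv2 without NTLMSSP while SPNEGO is wanted),
      * NT_STATUS_NO_MEMORY on allocation failure, an error from the credentials
      * or session key layer, or else the status of the request that was sent.
      */
     static NTSTATUS session_setup_nt1(struct composite_context *c,
                                       struct smbcli_session *session,
                                       struct smb_composite_sesssetup *io,
                                       struct smbcli_request **req)
     {
             /* stays non-OK on the plaintext path; tested after the send below */
             NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
             struct sesssetup_state *state = talloc_get_type(c->private_data,
                                                             struct sesssetup_state);
             const char *domain = cli_credentials_get_domain(io->in.credentials);

             /*
              * domain controllers tend to reject the NTLM v2 blob
              * if the netbiosname is not valid (e.g. IP address or FQDN)
              * so just leave it out (as Windows clients do)
              */
             DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, NULL, domain);

             DATA_BLOB session_key = data_blob(NULL, 0);
             int flags = CLI_CRED_NTLM_AUTH;

             if (session->options.lanman_auth) {
                     flags |= CLI_CRED_LANMAN_AUTH;
             }

             if (session->options.ntlmv2_auth) {
                     flags |= CLI_CRED_NTLMv2_AUTH;
             }

             state->setup.nt1.level           = RAW_SESSSETUP_NT1;
             state->setup.nt1.in.bufsize      = session->transport->options.max_xmit;
             state->setup.nt1.in.mpx_max      = session->transport->options.max_mux;
             state->setup.nt1.in.vc_num       = 1;
             state->setup.nt1.in.sesskey      = io->in.sesskey;
             state->setup.nt1.in.capabilities = io->in.capabilities;
             state->setup.nt1.in.os           = "Unix";
             state->setup.nt1.in.lanman       = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
             if (state->setup.nt1.in.lanman == NULL) {
                     /* do not hand a NULL string to the request marshalling */
                     return NT_STATUS_NO_MEMORY;
             }

             cli_credentials_get_ntlm_username_domain(io->in.credentials, state,
                                                      &state->setup.nt1.in.user,
                                                      &state->setup.nt1.in.domain);


             if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
                     if (!cli_credentials_is_anonymous(io->in.credentials) &&
                         session->options.ntlmv2_auth &&
                         session->transport->options.use_spnego)
                     {
                             /*
                              * Don't send an NTLMv2_RESPONSE without NTLMSSP
                              * if we want to use spnego
                              */
                             return NT_STATUS_INVALID_PARAMETER;
                     }

                     nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state,
                                                                   &flags,
                                                                   session->transport->negotiate.secblob,
                                                                   NULL, /* server_timestamp */
                                                                   names_blob,
                                                                   &state->setup.nt1.in.password1,
                                                                   &state->setup.nt1.in.password2,
                                                                   NULL, &session_key);
                     NT_STATUS_NOT_OK_RETURN(nt_status);
             } else if (session->options.plaintext_auth) {
                     /*
                      * The server did not negotiate challenge/response, so the
                      * password is sent as is; this only happens when the caller
                      * opted in through plaintext_auth.
                      */
                     const char *password = cli_credentials_get_password(io->in.credentials);
                     if (password == NULL) {
                             /* no password available: send an empty one instead of
                              * calling strlen() on NULL */
                             state->setup.nt1.in.password1 = data_blob(NULL, 0);
                     } else {
                             state->setup.nt1.in.password1 = data_blob_talloc(state, password, strlen(password));
                     }
                     state->setup.nt1.in.password2 = data_blob(NULL, 0);
             } else {
                     /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
                     return NT_STATUS_INVALID_PARAMETER;
             }

             *req = smb_raw_sesssetup_send(session, &state->setup);
             if (!*req) {
                     return NT_STATUS_NO_MEMORY;
             }

             if (!NT_STATUS_IS_OK(nt_status)) {
                     /*
                      * plain text => no signing
                      */
                     return (*req)->status;
             }

             if (cli_credentials_is_anonymous(io->in.credentials)) {
                     /*
                      * anonymous => no signing
                      */
                     return (*req)->status;
             }

             smb1cli_conn_activate_signing(session->transport->conn,
                                           session_key,
                                           state->setup.nt1.in.password2);

             nt_status = smb1cli_session_set_session_key(session->smbXcli,
                                                         session_key);
             data_blob_free(&session_key);
             if (!NT_STATUS_IS_OK(nt_status)) {
                     return nt_status;
             }

             return (*req)->status;
     }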
     419             : 
     420             : 
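     /*
      * Old style session setup (pre NT1 protocol level).
      *
      * Fills state->setup.old from the session/transport options and the
      * credentials in io->in.credentials, sends the request and stores it in
      * *req.
      *
      * Authentication material:
      *   - server negotiated challenge/response: only a LANMAN response is
      *     requested, so non-anonymous credentials are refused unless
      *     session->options.lanman_auth is set; the resulting session key is
      *     installed on the session.
      *   - otherwise, only if session->options.plaintext_auth is set, the
      *     password itself is placed in the request.
      *
      * Returns NT_STATUS_INVALID_PARAMETER when no permitted authentication
      * method applies, NT_STATUS_NO_MEMORY on allocation failure, an error from
      * the credentials or session key layer, or else the status of the request
      * that was sent.
      */
     static NTSTATUS session_setup_old(struct composite_context *c,
                                       struct smbcli_session *session,
                                       struct smb_composite_sesssetup *io,
                                       struct smbcli_request **req)
     {
             NTSTATUS nt_status;
             struct sesssetup_state *state = talloc_get_type(c->private_data,
                                                             struct sesssetup_state);
             const char *password = cli_credentials_get_password(io->in.credentials);

             /* start empty so the blob is well defined whatever the callee writes */
             DATA_BLOB session_key = data_blob_null;

             state->setup.old.level      = RAW_SESSSETUP_OLD;
             state->setup.old.in.bufsize = session->transport->options.max_xmit;
             state->setup.old.in.mpx_max = session->transport->options.max_mux;
             state->setup.old.in.vc_num  = 1;
             state->setup.old.in.sesskey = io->in.sesskey;
             state->setup.old.in.os      = "Unix";
             state->setup.old.in.lanman  = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
             if (state->setup.old.in.lanman == NULL) {
                     /* do not hand a NULL string to the request marshalling */
                     return NT_STATUS_NO_MEMORY;
             }
             cli_credentials_get_ntlm_username_domain(io->in.credentials, state,
                                                      &state->setup.old.in.user,
                                                      &state->setup.old.in.domain);

             if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
                     /* no NTLMv2 names blob is supplied at this protocol level */
                     DATA_BLOB names_blob = data_blob_null;
                     int flags = 0;

                     if (!cli_credentials_is_anonymous(io->in.credentials) &&
                         !session->options.lanman_auth)
                     {
                             /* LANMAN is the only response requested here; refuse
                              * unless the caller enabled it */
                             return NT_STATUS_INVALID_PARAMETER;
                     }

                     flags |= CLI_CRED_LANMAN_AUTH;

                     nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state,
                                                                   &flags,
                                                                   session->transport->negotiate.secblob,
                                                                   NULL, /* server_timestamp */
                                                                   names_blob,
                                                                   &state->setup.old.in.password,
                                                                   NULL,
                                                                   NULL, &session_key);
                     NT_STATUS_NOT_OK_RETURN(nt_status);

                     nt_status = smb1cli_session_set_session_key(session->smbXcli,
                                                                 session_key);
                     data_blob_free(&session_key);
                     if (!NT_STATUS_IS_OK(nt_status)) {
                             return nt_status;
                     }
             } else if (session->options.plaintext_auth) {
                     /*
                      * The server did not negotiate challenge/response, so the
                      * password is sent as is; this only happens when the caller
                      * opted in through plaintext_auth.
                      */
                     if (password == NULL) {
                             /* no password available: send an empty one instead of
                              * calling strlen() on NULL */
                             state->setup.old.in.password = data_blob(NULL, 0);
                     } else {
                             state->setup.old.in.password = data_blob_talloc(state, password, strlen(password));
                     }
             } else {
                     /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
                     return NT_STATUS_INVALID_PARAMETER;
             }

             *req = smb_raw_sesssetup_send(session, &state->setup);
             if (!*req) {
                     return NT_STATUS_NO_MEMORY;
             }
             return (*req)->status;
     }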
     493             : 
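     /*
      * Start a fresh GENSEC client context on session->gensec for the
      * extended-security session setup and select the mechanism.
      *
      * The client is configured with the caller's credentials, the remote
      * name of the transport connection as target hostname and "cifs" as
      * target service, and the session-key feature is requested.
      *
      * Mechanism selection:
      *  - the negotiate reply carried a security blob: SPNEGO is started and
      *    the blob is kept as the first input token; if SPNEGO cannot be
      *    started, the blob is dropped and raw NTLMSSP is tried instead;
      *  - no security blob: raw NTLMSSP.
      *
      * Returns NT_STATUS_OK with state->gensec_status and state->remote_status
      * both set to NT_STATUS_MORE_PROCESSING_REQUIRED, or the status of the
      * first GENSEC call that failed.
      */
     static NTSTATUS session_setup_spnego_restart(struct composite_context *c,
                                                  struct smbcli_session *session,
                                                  struct smb_composite_sesssetup *io)
     {
             /*
              * state is dereferenced unconditionally further down, so use the
              * aborting accessor (as the spnego_done callbacks do) instead of
              * talloc_get_type(), which returns NULL on a type mismatch.
              */
             struct sesssetup_state *state =
                     talloc_get_type_abort(c->private_data, struct sesssetup_state);
             NTSTATUS status;

             status = gensec_client_start(session, &session->gensec,
                                          io->in.gensec_settings);
             if (!NT_STATUS_IS_OK(status)) {
                     DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
                     return status;
             }

             /* the session key is needed later for SMB signing */
             gensec_want_feature(session->gensec, GENSEC_FEATURE_SESSION_KEY);

             status = gensec_set_credentials(session->gensec, io->in.credentials);
             if (!NT_STATUS_IS_OK(status)) {
                     DEBUG(1, ("Failed to start set GENSEC client credentials: %s\n",
                               nt_errstr(status)));
                     return status;
             }

             status = gensec_set_target_hostname(session->gensec,
                             smbXcli_conn_remote_name(session->transport->conn));
             if (!NT_STATUS_IS_OK(status)) {
                     DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
                               nt_errstr(status)));
                     return status;
             }

             status = gensec_set_target_service(session->gensec, "cifs");
             if (!NT_STATUS_IS_OK(status)) {
                     DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
                               nt_errstr(status)));
                     return status;
             }

             /* the server's negotiate blob is the first token fed to GENSEC */
             state->setup.spnego.out.secblob =
                             session->transport->negotiate.secblob;
             if (session->transport->negotiate.secblob.length) {
                     state->chosen_oid = GENSEC_OID_SPNEGO;
                     status = gensec_start_mech_by_oid(session->gensec,
                                                       state->chosen_oid);
                     if (!NT_STATUS_IS_OK(status)) {
                             DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
                                       gensec_get_name_by_oid(session->gensec,
                                                              state->chosen_oid),
                                       nt_errstr(status)));
                             /*
                              * Fall back to raw NTLMSSP. The server blob was a
                              * SPNEGO token, so it must not be passed on.
                              *
                              * NOTE(review): this fallback is decided locally
                              * and is only visible at debug level 1; whether
                              * credential policy (e.g. Kerberos required)
                              * still constrains the NTLMSSP attempt is not
                              * visible in this function - confirm in gensec.
                              */
                             state->setup.spnego.out.secblob = data_blob_null;
                             state->chosen_oid = GENSEC_OID_NTLMSSP;
                             status = gensec_start_mech_by_oid(session->gensec,
                                                               state->chosen_oid);
                             if (!NT_STATUS_IS_OK(status)) {
                                     DEBUG(1, ("Failed to start set (fallback) GENSEC client mechanism %s: %s\n",
                                               gensec_get_name_by_oid(session->gensec,
                                                                      state->chosen_oid),
                                               nt_errstr(status)));
                                     return status;
                             }
                     }
             } else {
                     /* without a sec blob, means raw NTLMSSP */
                     state->chosen_oid = GENSEC_OID_NTLMSSP;
                     status = gensec_start_mech_by_oid(session->gensec,
                                                       state->chosen_oid);
                     if (!NT_STATUS_IS_OK(status)) {
                             DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
                                       gensec_get_name_by_oid(session->gensec,
                                                              state->chosen_oid),
                                       nt_errstr(status)));
                             return status;
                     }
             }

             /* neither side has finished the exchange yet */
             state->gensec_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
             state->remote_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
             return NT_STATUS_OK;
     }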
     573             : 
     574             : /*
     575             :   Modern, all singing, all dancing extended security (and possibly SPNEGO) request
     576             : */
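     static NTSTATUS session_setup_spnego(struct composite_context *c,
                                          struct smbcli_session *session,
                                          struct smb_composite_sesssetup *io,
                                          struct smbcli_request **req)
     {
             /*
              * Fill in the RAW_SESSSETUP_SPNEGO request from the transport
              * options and the caller's parameters and send it. The security
              * blob (state->setup.spnego.in.secblob) is expected to have been
              * set by the caller before this runs.
              *
              * On return *req holds the request that was sent. Returns
              * NT_STATUS_NO_MEMORY if an allocation or the send fails,
              * otherwise the status of the new request.
              */
             struct sesssetup_state *state =
                     talloc_get_type_abort(c->private_data, struct sesssetup_state);

             state->setup.spnego.level           = RAW_SESSSETUP_SPNEGO;
             state->setup.spnego.in.bufsize      = session->transport->options.max_xmit;
             state->setup.spnego.in.mpx_max      = session->transport->options.max_mux;
             state->setup.spnego.in.vc_num       = 1;
             state->setup.spnego.in.sesskey      = io->in.sesskey;
             state->setup.spnego.in.capabilities = io->in.capabilities;
             state->setup.spnego.in.os           = "Unix";
             state->setup.spnego.in.lanman       = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
             if (state->setup.spnego.in.lanman == NULL) {
                     /* do not hand a NULL string to the request marshalling */
                     return NT_STATUS_NO_MEMORY;
             }
             state->setup.spnego.in.workgroup    = io->in.workgroup;

             *req = smb_raw_sesssetup_send(session, &state->setup);
             if (!*req) {
                     return NT_STATUS_NO_MEMORY;
             }

             /*
              * we need to check the signature ourself
              * as the session key might be the acceptor subkey
              * which comes within the response itself
              *
              * This only applies while signing is not yet active on the
              * connection; the reply is then verified by this file's own
              * handlers rather than by the transport.
              */
             if (!smb1cli_conn_signing_is_active((*req)->transport->conn)) {
                     (*req)->sign_caller_checks = true;
             }

             return (*req)->status;
     }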
     610             : 
     611             : 
     612             : /*
     613             :   composite session setup function that hides the details of all the
     614             :   different session setup variants, including the multi-pass nature of
     615             :   the spnego variant
     616             : */
     struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *session,
                                                            struct smb_composite_sesssetup *io)
     {
             /*
              * Entry point of the async session setup. Picks one of three
              * variants from the negotiated protocol and options:
              *  - protocol below PROTOCOL_NT1: session_setup_old();
              *  - NT1 without SPNEGO or without CAP_EXTENDED_SECURITY:
              *    session_setup_nt1();
              *  - otherwise the GENSEC driven extended-security exchange.
              * Protocols below PROTOCOL_LANMAN1 complete at once with a zeroed
              * io->out.
              *
              * Returns NULL only if the composite context cannot be created;
              * every other failure is reported through the returned context.
              */
             struct composite_context *c;
             struct sesssetup_state *state;
             struct tevent_req *subreq = NULL;
             NTSTATUS status;
             bool legacy_setup;
             enum smb_encryption_setting encryption_state =
                     cli_credentials_get_smb_encryption(io->in.credentials);
             enum credentials_use_kerberos krb5_state =
                     cli_credentials_get_kerberos_state(io->in.credentials);

             c = composite_create(session, session->transport->ev);
             if (c == NULL) {
                     return NULL;
             }

             /*
              * Anything stricter than "desired" encryption is refused up
              * front, so the setup fails instead of continuing without it
              * (presumably because this SMB1 path cannot encrypt).
              */
             if (encryption_state > SMB_ENCRYPTION_DESIRED) {
                     composite_error(c, NT_STATUS_PROTOCOL_NOT_SUPPORTED);
                     return c;
             }

             state = talloc_zero(c, struct sesssetup_state);
             if (composite_nomem(state, c)) {
                     return c;
             }
             c->private_data = state;

             state->session = session;
             state->io = io;

             talloc_set_destructor(state, sesssetup_state_destructor);

             /* every variant except the extended-security one */
             legacy_setup =
                     (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) ||
                     (session->transport->negotiate.protocol < PROTOCOL_NT1) ||
                     !session->transport->options.use_spnego ||
                     !(io->in.capabilities & CAP_EXTENDED_SECURITY);

             /*
              * None of the non-GENSEC variants is allowed when the
              * credentials insist on Kerberos: fail rather than downgrade.
              */
             if (legacy_setup && krb5_state == CRED_USE_KERBEROS_REQUIRED) {
                     composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
                     return c;
             }

             /* no session setup at all in earliest protocol variants */
             if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
                     ZERO_STRUCT(io->out);
                     composite_done(c);
                     return c;
             }

             if (!legacy_setup) {
                     status = session_setup_spnego_restart(c, session, io);
                     if (!NT_STATUS_IS_OK(status)) {
                             DEBUG(1, ("session_setup_spnego_restart() failed: %s\n",
                                       nt_errstr(status)));
                             c->status = status;
                             composite_error(c, c->status);
                             return c;
                     }

                     /*
                      * First GENSEC step; the request itself is sent from the
                      * callback once the initial token is available.
                      */
                     subreq = gensec_update_send(state, c->event_ctx,
                                                 session->gensec,
                                                 state->setup.spnego.out.secblob);
                     if (composite_nomem(subreq, c)) {
                             return c;
                     }
                     tevent_req_set_callback(subreq,
                                             smb_composite_sesssetup_spnego_done1,
                                             c);
                     return c;
             }

             /* see what session setup interface we will use */
             if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
                     status = session_setup_old(c, session, io, &state->req);
             } else {
                     status = session_setup_nt1(c, session, io, &state->req);
             }

             if (!NT_STATUS_IS_OK(status) &&
                 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
                     composite_error(c, status);
                     return c;
             }

             composite_continue_smb(c, state->req, request_handler, c);
             return c;
     }
     703             : 
     /*
      * Completion callback for the first gensec_update_send() issued by
      * smb_composite_sesssetup_send(): collects the initial token into
      * state->setup.spnego.in.secblob, records the GENSEC status, sends the
      * first session setup request and hands the reply to request_handler.
      * Any failure ends the composite request with that status.
      */
     static void smb_composite_sesssetup_spnego_done1(struct tevent_req *subreq)
     {
             struct composite_context *c =
                     tevent_req_callback_data(subreq, struct composite_context);
             struct sesssetup_state *state =
                     talloc_get_type_abort(c->private_data, struct sesssetup_state);
             NTSTATUS status;

             status = gensec_update_recv(subreq, state,
                                         &state->setup.spnego.in.secblob);
             TALLOC_FREE(subreq);
             if (GENSEC_UPDATE_IS_NTERROR(status)) {
                     DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
                               gensec_get_name_by_oid(state->session->gensec,
                                                      state->chosen_oid),
                               nt_errstr(status)));
                     goto fail;
             }
             state->gensec_status = status;

             status = session_setup_spnego(c, state->session, state->io, &state->req);
             if (!NT_STATUS_IS_OK(status)) {
                     goto fail;
             }

             composite_continue_smb(c, state->req, request_handler, c);
             return;

     fail:
             c->status = status;
             composite_error(c, c->status);
     }
     737             : 
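     /*
      * Completion callback for a follow-up gensec_update_send() of the
      * extended-security exchange.
      *
      * If GENSEC produced another token, it is sent in a further session
      * setup request. Otherwise the exchange is finished: for non-anonymous
      * credentials whose setup the server accepted, the session key is
      * fetched, signing is activated and the key is stored on the session;
      * a response held back in state->check_req then has its signature
      * checked; finally the server's os/lanman strings are copied to the
      * session and the composite request completes.
      */
     static void smb_composite_sesssetup_spnego_done2(struct tevent_req *subreq)
     {
             struct composite_context *c =
                     tevent_req_callback_data(subreq,
                     struct composite_context);
             struct sesssetup_state *state =
                     talloc_get_type_abort(c->private_data,
                     struct sesssetup_state);
             struct smbcli_session *session = state->session;
             NTSTATUS status;
             const char *os = NULL;
             const char *lanman = NULL;

             status = gensec_update_recv(subreq, state,
                                         &state->setup.spnego.in.secblob);
             TALLOC_FREE(subreq);
             if (GENSEC_UPDATE_IS_NTERROR(status)) {
                     DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
                               gensec_get_name_by_oid(state->session->gensec,
                                                      state->chosen_oid),
                               nt_errstr(status)));
                     c->status = status;
                     composite_error(c, c->status);
                     return;
             }
             state->gensec_status = status;

             /*
              * The server already reported success, so the local mechanism
              * must not have another token to send; treat a mismatch as an
              * internal error instead of continuing the exchange.
              */
             if (NT_STATUS_IS_OK(state->remote_status)) {
                     if (state->setup.spnego.in.secblob.length) {
                             c->status = NT_STATUS_INTERNAL_ERROR;
                             composite_error(c, c->status);
                             return;
                     }
             }

             if (state->setup.spnego.in.secblob.length) {
                     /*
                      * set the session->vuid value only for calling
                      * smb_raw_sesssetup_send()
                      */
                     uint16_t vuid = session->vuid;
                     session->vuid = state->io->out.vuid;
                     state->req = smb_raw_sesssetup_send(session, &state->setup);
                     session->vuid = vuid;
                     /* without active signing the reply is checked by this file */
                     if (state->req &&
                         !smb1cli_conn_signing_is_active(state->req->transport->conn)) {
                             state->req->sign_caller_checks = true;
                     }
                     composite_continue_smb(c, state->req, request_handler, c);
                     return;
             }

             if (cli_credentials_is_anonymous(state->io->in.credentials)) {
                     /*
                      * anonymous => no signing
                      */
             } else if (NT_STATUS_IS_OK(state->remote_status)) {
                     NTSTATUS session_key_err;
                     /*
                      * Start from an empty blob: the key is used and freed
                      * below even when gensec_session_key() fails, and must
                      * not be read uninitialised in that case.
                      */
                     DATA_BLOB session_key = data_blob_null;

                     session_key_err = gensec_session_key(session->gensec, session, &session_key);
                     if (NT_STATUS_IS_OK(session_key_err)) {
                             smb1cli_conn_activate_signing(session->transport->conn,
                                                           session_key,
                                                           data_blob_null);
                     }

                     /*
                      * NOTE(review): a gensec_session_key() failure is not
                      * reported here; signing simply stays inactive. Confirm
                      * that this is intended for sessions without a key.
                      */
                     c->status = smb1cli_session_set_session_key(session->smbXcli,
                                                                 session_key);
                     data_blob_free(&session_key);
                     if (!NT_STATUS_IS_OK(c->status)) {
                             composite_error(c, c->status);
                             return;
                     }
             }

             os = state->setup.spnego.out.os;
             lanman = state->setup.spnego.out.lanman;

             if (state->check_req) {
                     struct smbcli_request *check_req = state->check_req;
                     bool ok;

                     /*
                      * Drop the reference held in state before the request is
                      * freed, so no stale pointer is left behind.
                      */
                     state->check_req = NULL;

                     check_req->sign_caller_checks = false;

                     /* deferred signature check of the held-back response */
                     ok = smb1cli_conn_check_signing(check_req->transport->conn,
                                                     check_req->in.buffer, 1);
                     TALLOC_FREE(check_req);
                     if (!ok) {
                             c->status = NT_STATUS_ACCESS_DENIED;
                             composite_error(c, c->status);
                             return;
                     }
             }

             if (os) {
                     session->os = talloc_strdup(session, os);
                     if (composite_nomem(session->os, c)) return;
             } else {
                     session->os = NULL;
             }
             if (lanman) {
                     session->lanman = talloc_strdup(session, lanman);
                     if (composite_nomem(session->lanman, c)) return;
             } else {
                     session->lanman = NULL;
             }

             composite_done(c);
     }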
     848             : 
     849             : /*
     850             :   receive a composite session setup reply
     851             : */
     NTSTATUS smb_composite_sesssetup_recv(struct composite_context *c)
     {
             /*
              * Wait for the composite request to finish, release the
              * context and hand back the final status. The context must not
              * be used by the caller afterwards.
              */
             const NTSTATUS result = composite_wait(c);

             talloc_free(c);
             return result;
     }
     859             : 
     860             : /*
     861             :   sync version of smb_composite_sesssetup
     862             : */
     NTSTATUS smb_composite_sesssetup(struct smbcli_session *session, struct smb_composite_sesssetup *io)
     {
             /* send and immediately wait: the blocking form of the pair above */
             return smb_composite_sesssetup_recv(
                     smb_composite_sesssetup_send(session, io));
     }
