2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 a composite API for making handling a generic async session setup
24 #include "libcli/raw/libcliraw.h"
25 #include "libcli/raw/raw_proto.h"
26 #include "libcli/composite/composite.h"
27 #include "libcli/smb_composite/smb_composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "auth/auth.h"
30 #include "auth/gensec/gensec.h"
31 #include "auth/credentials/credentials.h"
33 #include "param/param.h"
34 #include "libcli/smb/smbXcli_base.h"
36 struct sesssetup_state
{
37 union smb_sesssetup setup
;
38 NTSTATUS remote_status
;
39 NTSTATUS gensec_status
;
40 struct smb_composite_sesssetup
*io
;
41 struct smbcli_request
*req
;
42 unsigned int logon_retries
;
45 static int sesssetup_state_destructor(struct sesssetup_state
*state
)
48 talloc_free(state
->req
);
55 static NTSTATUS
session_setup_old(struct composite_context
*c
,
56 struct smbcli_session
*session
,
57 struct smb_composite_sesssetup
*io
,
58 struct smbcli_request
**req
);
59 static NTSTATUS
session_setup_nt1(struct composite_context
*c
,
60 struct smbcli_session
*session
,
61 struct smb_composite_sesssetup
*io
,
62 struct smbcli_request
**req
);
63 static NTSTATUS
session_setup_spnego(struct composite_context
*c
,
64 struct smbcli_session
*session
,
65 struct smb_composite_sesssetup
*io
,
66 struct smbcli_request
**req
);
69 handler for completion of a smbcli_request sub-request
71 static void request_handler(struct smbcli_request
*req
)
73 struct composite_context
*c
= (struct composite_context
*)req
->async
.private_data
;
74 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
75 struct smbcli_session
*session
= req
->session
;
76 DATA_BLOB null_data_blob
= data_blob(NULL
, 0);
77 NTSTATUS session_key_err
, nt_status
;
78 struct smbcli_request
*check_req
= NULL
;
79 const char *os
= NULL
;
80 const char *lanman
= NULL
;
82 if (req
->sign_caller_checks
) {
83 req
->do_not_free
= true;
87 state
->remote_status
= smb_raw_sesssetup_recv(req
, state
, &state
->setup
);
88 c
->status
= state
->remote_status
;
92 * we only need to check the signature if the
93 * NT_STATUS_OK is returned
95 if (!NT_STATUS_IS_OK(state
->remote_status
)) {
96 talloc_free(check_req
);
100 switch (state
->setup
.old
.level
) {
101 case RAW_SESSSETUP_OLD
:
102 state
->io
->out
.vuid
= state
->setup
.old
.out
.vuid
;
103 /* This doesn't work, as this only happens on old
104 * protocols, where this comparison won't match. */
105 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
106 /* we neet to reset the vuid for a new try */
108 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
109 nt_status
= session_setup_old(c
, session
,
112 if (NT_STATUS_IS_OK(nt_status
)) {
113 talloc_free(check_req
);
114 c
->status
= nt_status
;
115 composite_continue_smb(c
, state
->req
, request_handler
, c
);
120 os
= state
->setup
.old
.out
.os
;
121 lanman
= state
->setup
.old
.out
.lanman
;
124 case RAW_SESSSETUP_NT1
:
125 state
->io
->out
.vuid
= state
->setup
.nt1
.out
.vuid
;
126 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
127 /* we need to reset the vuid for a new try */
129 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
130 nt_status
= session_setup_nt1(c
, session
,
133 if (NT_STATUS_IS_OK(nt_status
)) {
134 talloc_free(check_req
);
135 c
->status
= nt_status
;
136 composite_continue_smb(c
, state
->req
, request_handler
, c
);
141 os
= state
->setup
.nt1
.out
.os
;
142 lanman
= state
->setup
.nt1
.out
.lanman
;
145 case RAW_SESSSETUP_SPNEGO
:
146 state
->io
->out
.vuid
= state
->setup
.spnego
.out
.vuid
;
147 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
148 const char *principal
;
150 /* we need to reset the vuid for a new try */
153 principal
= gensec_get_target_principal(session
->gensec
);
154 if (principal
== NULL
) {
155 const char *hostname
= gensec_get_target_hostname(session
->gensec
);
156 const char *service
= gensec_get_target_service(session
->gensec
);
157 if (hostname
!= NULL
&& service
!= NULL
) {
158 principal
= talloc_asprintf(state
, "%s/%s", service
, hostname
);
161 if (cli_credentials_failed_kerberos_login(state
->io
->in
.credentials
, principal
, &state
->logon_retries
) ||
162 cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
163 nt_status
= session_setup_spnego(c
, session
,
166 if (NT_STATUS_IS_OK(nt_status
)) {
167 talloc_free(check_req
);
168 c
->status
= nt_status
;
169 composite_continue_smb(c
, state
->req
, request_handler
, c
);
174 if (!NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
175 !NT_STATUS_IS_OK(c
->status
)) {
178 if (NT_STATUS_EQUAL(state
->gensec_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
180 /* The status value here, from the earlier pass at GENSEC is
181 * vital to the security of the system. Even if the other end
182 * accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
183 * you must keep feeding it blobs, or else the remote
184 * host/attacker might avoid mutal authentication
187 state
->gensec_status
= gensec_update(session
->gensec
, state
, c
->event_ctx
,
188 state
->setup
.spnego
.out
.secblob
,
189 &state
->setup
.spnego
.in
.secblob
);
190 c
->status
= state
->gensec_status
;
191 if (!NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
192 !NT_STATUS_IS_OK(c
->status
)) {
196 state
->setup
.spnego
.in
.secblob
= data_blob(NULL
, 0);
199 if (NT_STATUS_IS_OK(state
->remote_status
)) {
200 DATA_BLOB session_key
;
202 if (state
->setup
.spnego
.in
.secblob
.length
) {
203 c
->status
= NT_STATUS_INTERNAL_ERROR
;
206 session_key_err
= gensec_session_key(session
->gensec
, session
, &session_key
);
207 if (NT_STATUS_IS_OK(session_key_err
)) {
208 smb1cli_conn_activate_signing(session
->transport
->conn
,
213 c
->status
= smb1cli_session_set_session_key(session
->smbXcli
,
215 data_blob_free(&session_key
);
216 if (!NT_STATUS_IS_OK(c
->status
)) {
221 if (state
->setup
.spnego
.in
.secblob
.length
) {
223 * set the session->vuid value only for calling
224 * smb_raw_sesssetup_send()
226 uint16_t vuid
= session
->vuid
;
227 session
->vuid
= state
->io
->out
.vuid
;
228 state
->req
= smb_raw_sesssetup_send(session
, &state
->setup
);
229 session
->vuid
= vuid
;
231 !smb1cli_conn_signing_is_active(state
->req
->transport
->conn
)) {
232 state
->req
->sign_caller_checks
= true;
234 composite_continue_smb(c
, state
->req
, request_handler
, c
);
237 os
= state
->setup
.spnego
.out
.os
;
238 lanman
= state
->setup
.spnego
.out
.lanman
;
241 case RAW_SESSSETUP_SMB2
:
242 c
->status
= NT_STATUS_INTERNAL_ERROR
;
249 check_req
->sign_caller_checks
= false;
251 ok
= smb1cli_conn_check_signing(check_req
->transport
->conn
,
252 check_req
->in
.buffer
, 1);
254 c
->status
= NT_STATUS_ACCESS_DENIED
;
256 talloc_free(check_req
);
260 if (!NT_STATUS_IS_OK(c
->status
)) {
261 composite_error(c
, c
->status
);
266 session
->os
= talloc_strdup(session
, os
);
267 if (composite_nomem(session
->os
, c
)) return;
272 session
->lanman
= talloc_strdup(session
, lanman
);
273 if (composite_nomem(session
->lanman
, c
)) return;
275 session
->lanman
= NULL
;
283 send a nt1 style session setup
285 static NTSTATUS
session_setup_nt1(struct composite_context
*c
,
286 struct smbcli_session
*session
,
287 struct smb_composite_sesssetup
*io
,
288 struct smbcli_request
**req
)
290 NTSTATUS nt_status
= NT_STATUS_INTERNAL_ERROR
;
291 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
,
292 struct sesssetup_state
);
293 const char *domain
= cli_credentials_get_domain(io
->in
.credentials
);
296 * domain controllers tend to reject the NTLM v2 blob
297 * if the netbiosname is not valid (e.g. IP address or FQDN)
298 * so just leave it away (as Windows client do)
300 DATA_BLOB names_blob
= NTLMv2_generate_names_blob(state
, NULL
, domain
);
302 DATA_BLOB session_key
= data_blob(NULL
, 0);
303 int flags
= CLI_CRED_NTLM_AUTH
;
305 if (session
->options
.lanman_auth
) {
306 flags
|= CLI_CRED_LANMAN_AUTH
;
309 if (session
->options
.ntlmv2_auth
) {
310 flags
|= CLI_CRED_NTLMv2_AUTH
;
313 state
->setup
.nt1
.level
= RAW_SESSSETUP_NT1
;
314 state
->setup
.nt1
.in
.bufsize
= session
->transport
->options
.max_xmit
;
315 state
->setup
.nt1
.in
.mpx_max
= session
->transport
->options
.max_mux
;
316 state
->setup
.nt1
.in
.vc_num
= 1;
317 state
->setup
.nt1
.in
.sesskey
= io
->in
.sesskey
;
318 state
->setup
.nt1
.in
.capabilities
= io
->in
.capabilities
;
319 state
->setup
.nt1
.in
.os
= "Unix";
320 state
->setup
.nt1
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
322 cli_credentials_get_ntlm_username_domain(io
->in
.credentials
, state
,
323 &state
->setup
.nt1
.in
.user
,
324 &state
->setup
.nt1
.in
.domain
);
327 if (session
->transport
->negotiate
.sec_mode
& NEGOTIATE_SECURITY_CHALLENGE_RESPONSE
) {
328 nt_status
= cli_credentials_get_ntlm_response(io
->in
.credentials
, state
,
330 session
->transport
->negotiate
.secblob
,
332 &state
->setup
.nt1
.in
.password1
,
333 &state
->setup
.nt1
.in
.password2
,
335 NT_STATUS_NOT_OK_RETURN(nt_status
);
336 } else if (session
->options
.plaintext_auth
) {
337 const char *password
= cli_credentials_get_password(io
->in
.credentials
);
338 state
->setup
.nt1
.in
.password1
= data_blob_talloc(state
, password
, strlen(password
));
339 state
->setup
.nt1
.in
.password2
= data_blob(NULL
, 0);
341 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
342 return NT_STATUS_INVALID_PARAMETER
;
345 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
347 return NT_STATUS_NO_MEMORY
;
350 if (NT_STATUS_IS_OK(nt_status
)) {
351 smb1cli_conn_activate_signing(session
->transport
->conn
,
353 state
->setup
.nt1
.in
.password2
);
355 nt_status
= smb1cli_session_set_session_key(session
->smbXcli
,
357 data_blob_free(&session_key
);
358 if (!NT_STATUS_IS_OK(nt_status
)) {
363 return (*req
)->status
;
368 old style session setup (pre NT1 protocol level)
370 static NTSTATUS
session_setup_old(struct composite_context
*c
,
371 struct smbcli_session
*session
,
372 struct smb_composite_sesssetup
*io
,
373 struct smbcli_request
**req
)
376 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
,
377 struct sesssetup_state
);
378 const char *password
= cli_credentials_get_password(io
->in
.credentials
);
379 const char *domain
= cli_credentials_get_domain(io
->in
.credentials
);
382 * domain controllers tend to reject the NTLM v2 blob
383 * if the netbiosname is not valid (e.g. IP address or FQDN)
384 * so just leave it away (as Windows client do)
386 DATA_BLOB names_blob
= NTLMv2_generate_names_blob(state
, NULL
, domain
);
388 DATA_BLOB session_key
;
390 if (session
->options
.lanman_auth
) {
391 flags
|= CLI_CRED_LANMAN_AUTH
;
394 if (session
->options
.ntlmv2_auth
) {
395 flags
|= CLI_CRED_NTLMv2_AUTH
;
398 state
->setup
.old
.level
= RAW_SESSSETUP_OLD
;
399 state
->setup
.old
.in
.bufsize
= session
->transport
->options
.max_xmit
;
400 state
->setup
.old
.in
.mpx_max
= session
->transport
->options
.max_mux
;
401 state
->setup
.old
.in
.vc_num
= 1;
402 state
->setup
.old
.in
.sesskey
= io
->in
.sesskey
;
403 state
->setup
.old
.in
.os
= "Unix";
404 state
->setup
.old
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
405 cli_credentials_get_ntlm_username_domain(io
->in
.credentials
, state
,
406 &state
->setup
.old
.in
.user
,
407 &state
->setup
.old
.in
.domain
);
409 if (session
->transport
->negotiate
.sec_mode
& NEGOTIATE_SECURITY_CHALLENGE_RESPONSE
) {
410 nt_status
= cli_credentials_get_ntlm_response(io
->in
.credentials
, state
,
412 session
->transport
->negotiate
.secblob
,
414 &state
->setup
.old
.in
.password
,
417 NT_STATUS_NOT_OK_RETURN(nt_status
);
419 nt_status
= smb1cli_session_set_session_key(session
->smbXcli
,
421 data_blob_free(&session_key
);
422 if (!NT_STATUS_IS_OK(nt_status
)) {
425 } else if (session
->options
.plaintext_auth
) {
426 state
->setup
.old
.in
.password
= data_blob_talloc(state
, password
, strlen(password
));
428 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
429 return NT_STATUS_INVALID_PARAMETER
;
432 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
434 return NT_STATUS_NO_MEMORY
;
436 return (*req
)->status
;
441 Modern, all singing, all dancing extended security (and possibly SPNEGO) request
443 static NTSTATUS
session_setup_spnego(struct composite_context
*c
,
444 struct smbcli_session
*session
,
445 struct smb_composite_sesssetup
*io
,
446 struct smbcli_request
**req
)
448 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
450 const char *chosen_oid
= NULL
;
452 state
->setup
.spnego
.level
= RAW_SESSSETUP_SPNEGO
;
453 state
->setup
.spnego
.in
.bufsize
= session
->transport
->options
.max_xmit
;
454 state
->setup
.spnego
.in
.mpx_max
= session
->transport
->options
.max_mux
;
455 state
->setup
.spnego
.in
.vc_num
= 1;
456 state
->setup
.spnego
.in
.sesskey
= io
->in
.sesskey
;
457 state
->setup
.spnego
.in
.capabilities
= io
->in
.capabilities
;
458 state
->setup
.spnego
.in
.os
= "Unix";
459 state
->setup
.spnego
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
460 state
->setup
.spnego
.in
.workgroup
= io
->in
.workgroup
;
462 status
= gensec_client_start(session
, &session
->gensec
,
463 io
->in
.gensec_settings
);
464 if (!NT_STATUS_IS_OK(status
)) {
465 DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status
)));
469 gensec_want_feature(session
->gensec
, GENSEC_FEATURE_SESSION_KEY
);
471 status
= gensec_set_credentials(session
->gensec
, io
->in
.credentials
);
472 if (!NT_STATUS_IS_OK(status
)) {
473 DEBUG(1, ("Failed to start set GENSEC client credentials: %s\n",
478 status
= gensec_set_target_hostname(session
->gensec
,
479 smbXcli_conn_remote_name(session
->transport
->conn
));
480 if (!NT_STATUS_IS_OK(status
)) {
481 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
486 status
= gensec_set_target_service(session
->gensec
, "cifs");
487 if (!NT_STATUS_IS_OK(status
)) {
488 DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
493 if (session
->transport
->negotiate
.secblob
.length
) {
494 chosen_oid
= GENSEC_OID_SPNEGO
;
495 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
496 if (!NT_STATUS_IS_OK(status
)) {
497 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
498 gensec_get_name_by_oid(session
->gensec
, chosen_oid
), nt_errstr(status
)));
499 chosen_oid
= GENSEC_OID_NTLMSSP
;
500 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
501 if (!NT_STATUS_IS_OK(status
)) {
502 DEBUG(1, ("Failed to start set (fallback) GENSEC client mechanism %s: %s\n",
503 gensec_get_name_by_oid(session
->gensec
, chosen_oid
),
509 /* without a sec blob, means raw NTLMSSP */
510 chosen_oid
= GENSEC_OID_NTLMSSP
;
511 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
512 if (!NT_STATUS_IS_OK(status
)) {
513 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
514 gensec_get_name_by_oid(session
->gensec
, chosen_oid
), nt_errstr(status
)));
518 if (strequal(chosen_oid
, GENSEC_OID_SPNEGO
)) {
519 status
= gensec_update(session
->gensec
, state
,
521 session
->transport
->negotiate
.secblob
,
522 &state
->setup
.spnego
.in
.secblob
);
524 status
= gensec_update(session
->gensec
, state
,
527 &state
->setup
.spnego
.in
.secblob
);
531 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
532 !NT_STATUS_IS_OK(status
)) {
533 DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
534 gensec_get_name_by_oid(session
->gensec
, chosen_oid
),
538 state
->gensec_status
= status
;
540 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
542 return NT_STATUS_NO_MEMORY
;
546 * we need to check the signature ourself
547 * as the session key might be the acceptor subkey
548 * which comes within the response itself
550 if (!smb1cli_conn_signing_is_active((*req
)->transport
->conn
)) {
551 (*req
)->sign_caller_checks
= true;
554 return (*req
)->status
;
559 composite session setup function that hides the details of all the
560 different session setup varients, including the multi-pass nature of
563 struct composite_context
*smb_composite_sesssetup_send(struct smbcli_session
*session
,
564 struct smb_composite_sesssetup
*io
)
566 struct composite_context
*c
;
567 struct sesssetup_state
*state
;
570 c
= composite_create(session
, session
->transport
->ev
);
571 if (c
== NULL
) return NULL
;
573 state
= talloc_zero(c
, struct sesssetup_state
);
574 if (composite_nomem(state
, c
)) return c
;
575 c
->private_data
= state
;
579 talloc_set_destructor(state
, sesssetup_state_destructor
);
581 /* no session setup at all in earliest protocol varients */
582 if (session
->transport
->negotiate
.protocol
< PROTOCOL_LANMAN1
) {
583 ZERO_STRUCT(io
->out
);
588 /* see what session setup interface we will use */
589 if (session
->transport
->negotiate
.protocol
< PROTOCOL_NT1
) {
590 status
= session_setup_old(c
, session
, io
, &state
->req
);
591 } else if (!session
->transport
->options
.use_spnego
||
592 !(io
->in
.capabilities
& CAP_EXTENDED_SECURITY
)) {
593 status
= session_setup_nt1(c
, session
, io
, &state
->req
);
595 status
= session_setup_spnego(c
, session
, io
, &state
->req
);
598 if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) ||
599 NT_STATUS_IS_OK(status
)) {
600 composite_continue_smb(c
, state
->req
, request_handler
, c
);
604 composite_error(c
, status
);
610 receive a composite session setup reply
612 NTSTATUS
smb_composite_sesssetup_recv(struct composite_context
*c
)
615 status
= composite_wait(c
);
621 sync version of smb_composite_sesssetup
623 NTSTATUS
smb_composite_sesssetup(struct smbcli_session
*session
, struct smb_composite_sesssetup
*io
)
625 struct composite_context
*c
= smb_composite_sesssetup_send(session
, io
);
626 return smb_composite_sesssetup_recv(c
);