2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 a composite API for making handling a generic async session setup
24 #include "libcli/raw/libcliraw.h"
25 #include "libcli/raw/raw_proto.h"
26 #include "libcli/composite/composite.h"
27 #include "libcli/smb_composite/smb_composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "auth/auth.h"
30 #include "auth/gensec/gensec.h"
31 #include "auth/credentials/credentials.h"
33 #include "param/param.h"
34 #include "libcli/smb/smbXcli_base.h"
36 struct sesssetup_state
{
37 union smb_sesssetup setup
;
38 NTSTATUS remote_status
;
39 NTSTATUS gensec_status
;
40 struct smb_composite_sesssetup
*io
;
41 struct smbcli_request
*req
;
42 unsigned int logon_retries
;
45 static int sesssetup_state_destructor(struct sesssetup_state
*state
)
48 talloc_free(state
->req
);
55 static NTSTATUS
session_setup_old(struct composite_context
*c
,
56 struct smbcli_session
*session
,
57 struct smb_composite_sesssetup
*io
,
58 struct smbcli_request
**req
);
59 static NTSTATUS
session_setup_nt1(struct composite_context
*c
,
60 struct smbcli_session
*session
,
61 struct smb_composite_sesssetup
*io
,
62 struct smbcli_request
**req
);
63 static NTSTATUS
session_setup_spnego(struct composite_context
*c
,
64 struct smbcli_session
*session
,
65 struct smb_composite_sesssetup
*io
,
66 struct smbcli_request
**req
);
69 handler for completion of a smbcli_request sub-request
71 static void request_handler(struct smbcli_request
*req
)
73 struct composite_context
*c
= (struct composite_context
*)req
->async
.private_data
;
74 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
75 struct smbcli_session
*session
= req
->session
;
76 DATA_BLOB null_data_blob
= data_blob(NULL
, 0);
77 NTSTATUS session_key_err
, nt_status
;
78 struct smbcli_request
*check_req
= NULL
;
79 const char *os
= NULL
;
80 const char *lanman
= NULL
;
82 if (req
->sign_caller_checks
) {
83 req
->do_not_free
= true;
87 state
->remote_status
= smb_raw_sesssetup_recv(req
, state
, &state
->setup
);
88 c
->status
= state
->remote_status
;
92 * we only need to check the signature if the
93 * NT_STATUS_OK is returned
95 if (!NT_STATUS_IS_OK(state
->remote_status
)) {
96 talloc_free(check_req
);
100 switch (state
->setup
.old
.level
) {
101 case RAW_SESSSETUP_OLD
:
102 state
->io
->out
.vuid
= state
->setup
.old
.out
.vuid
;
103 /* This doesn't work, as this only happens on old
104 * protocols, where this comparison won't match. */
105 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
106 /* we neet to reset the vuid for a new try */
108 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
109 nt_status
= session_setup_old(c
, session
,
112 if (NT_STATUS_IS_OK(nt_status
)) {
113 talloc_free(check_req
);
114 c
->status
= nt_status
;
115 composite_continue_smb(c
, state
->req
, request_handler
, c
);
120 os
= state
->setup
.old
.out
.os
;
121 lanman
= state
->setup
.old
.out
.lanman
;
124 case RAW_SESSSETUP_NT1
:
125 state
->io
->out
.vuid
= state
->setup
.nt1
.out
.vuid
;
126 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
127 /* we need to reset the vuid for a new try */
129 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
130 nt_status
= session_setup_nt1(c
, session
,
133 if (NT_STATUS_IS_OK(nt_status
)) {
134 talloc_free(check_req
);
135 c
->status
= nt_status
;
136 composite_continue_smb(c
, state
->req
, request_handler
, c
);
141 os
= state
->setup
.nt1
.out
.os
;
142 lanman
= state
->setup
.nt1
.out
.lanman
;
145 case RAW_SESSSETUP_SPNEGO
:
146 state
->io
->out
.vuid
= state
->setup
.spnego
.out
.vuid
;
147 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
148 const char *principal
;
150 /* we need to reset the vuid for a new try */
153 principal
= gensec_get_target_principal(session
->gensec
);
154 if (principal
== NULL
) {
155 const char *hostname
= gensec_get_target_hostname(session
->gensec
);
156 const char *service
= gensec_get_target_service(session
->gensec
);
157 if (hostname
!= NULL
&& service
!= NULL
) {
158 principal
= talloc_asprintf(state
, "%s/%s", service
, hostname
);
161 if (cli_credentials_failed_kerberos_login(state
->io
->in
.credentials
, principal
, &state
->logon_retries
) ||
162 cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
163 nt_status
= session_setup_spnego(c
, session
,
166 if (NT_STATUS_IS_OK(nt_status
)) {
167 talloc_free(check_req
);
168 c
->status
= nt_status
;
169 composite_continue_smb(c
, state
->req
, request_handler
, c
);
174 if (!NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
175 !NT_STATUS_IS_OK(c
->status
)) {
178 if (NT_STATUS_EQUAL(state
->gensec_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
180 /* The status value here, from the earlier pass at GENSEC is
181 * vital to the security of the system. Even if the other end
182 * accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
183 * you must keep feeding it blobs, or else the remote
184 * host/attacker might avoid mutal authentication
187 state
->gensec_status
= gensec_update_ev(session
->gensec
, state
, c
->event_ctx
,
188 state
->setup
.spnego
.out
.secblob
,
189 &state
->setup
.spnego
.in
.secblob
);
190 c
->status
= state
->gensec_status
;
191 if (!NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
192 !NT_STATUS_IS_OK(c
->status
)) {
196 state
->setup
.spnego
.in
.secblob
= data_blob(NULL
, 0);
199 if (cli_credentials_is_anonymous(state
->io
->in
.credentials
)) {
201 * anonymous => no signing
203 } else if (NT_STATUS_IS_OK(state
->remote_status
)) {
204 DATA_BLOB session_key
;
206 if (state
->setup
.spnego
.in
.secblob
.length
) {
207 c
->status
= NT_STATUS_INTERNAL_ERROR
;
210 session_key_err
= gensec_session_key(session
->gensec
, session
, &session_key
);
211 if (NT_STATUS_IS_OK(session_key_err
)) {
212 smb1cli_conn_activate_signing(session
->transport
->conn
,
217 c
->status
= smb1cli_session_set_session_key(session
->smbXcli
,
219 data_blob_free(&session_key
);
220 if (!NT_STATUS_IS_OK(c
->status
)) {
225 if (state
->setup
.spnego
.in
.secblob
.length
) {
227 * set the session->vuid value only for calling
228 * smb_raw_sesssetup_send()
230 uint16_t vuid
= session
->vuid
;
231 session
->vuid
= state
->io
->out
.vuid
;
232 state
->req
= smb_raw_sesssetup_send(session
, &state
->setup
);
233 session
->vuid
= vuid
;
235 !smb1cli_conn_signing_is_active(state
->req
->transport
->conn
)) {
236 state
->req
->sign_caller_checks
= true;
238 composite_continue_smb(c
, state
->req
, request_handler
, c
);
241 os
= state
->setup
.spnego
.out
.os
;
242 lanman
= state
->setup
.spnego
.out
.lanman
;
245 case RAW_SESSSETUP_SMB2
:
246 c
->status
= NT_STATUS_INTERNAL_ERROR
;
253 check_req
->sign_caller_checks
= false;
255 ok
= smb1cli_conn_check_signing(check_req
->transport
->conn
,
256 check_req
->in
.buffer
, 1);
258 c
->status
= NT_STATUS_ACCESS_DENIED
;
260 talloc_free(check_req
);
264 if (!NT_STATUS_IS_OK(c
->status
)) {
265 composite_error(c
, c
->status
);
270 session
->os
= talloc_strdup(session
, os
);
271 if (composite_nomem(session
->os
, c
)) return;
276 session
->lanman
= talloc_strdup(session
, lanman
);
277 if (composite_nomem(session
->lanman
, c
)) return;
279 session
->lanman
= NULL
;
287 send a nt1 style session setup
289 static NTSTATUS
session_setup_nt1(struct composite_context
*c
,
290 struct smbcli_session
*session
,
291 struct smb_composite_sesssetup
*io
,
292 struct smbcli_request
**req
)
294 NTSTATUS nt_status
= NT_STATUS_INTERNAL_ERROR
;
295 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
,
296 struct sesssetup_state
);
297 const char *domain
= cli_credentials_get_domain(io
->in
.credentials
);
300 * domain controllers tend to reject the NTLM v2 blob
301 * if the netbiosname is not valid (e.g. IP address or FQDN)
302 * so just leave it away (as Windows client do)
304 DATA_BLOB names_blob
= NTLMv2_generate_names_blob(state
, NULL
, domain
);
306 DATA_BLOB session_key
= data_blob(NULL
, 0);
307 int flags
= CLI_CRED_NTLM_AUTH
;
309 if (session
->options
.lanman_auth
) {
310 flags
|= CLI_CRED_LANMAN_AUTH
;
313 if (session
->options
.ntlmv2_auth
) {
314 flags
|= CLI_CRED_NTLMv2_AUTH
;
317 state
->setup
.nt1
.level
= RAW_SESSSETUP_NT1
;
318 state
->setup
.nt1
.in
.bufsize
= session
->transport
->options
.max_xmit
;
319 state
->setup
.nt1
.in
.mpx_max
= session
->transport
->options
.max_mux
;
320 state
->setup
.nt1
.in
.vc_num
= 1;
321 state
->setup
.nt1
.in
.sesskey
= io
->in
.sesskey
;
322 state
->setup
.nt1
.in
.capabilities
= io
->in
.capabilities
;
323 state
->setup
.nt1
.in
.os
= "Unix";
324 state
->setup
.nt1
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
326 cli_credentials_get_ntlm_username_domain(io
->in
.credentials
, state
,
327 &state
->setup
.nt1
.in
.user
,
328 &state
->setup
.nt1
.in
.domain
);
331 if (session
->transport
->negotiate
.sec_mode
& NEGOTIATE_SECURITY_CHALLENGE_RESPONSE
) {
332 nt_status
= cli_credentials_get_ntlm_response(io
->in
.credentials
, state
,
334 session
->transport
->negotiate
.secblob
,
336 &state
->setup
.nt1
.in
.password1
,
337 &state
->setup
.nt1
.in
.password2
,
339 NT_STATUS_NOT_OK_RETURN(nt_status
);
340 } else if (session
->options
.plaintext_auth
) {
341 const char *password
= cli_credentials_get_password(io
->in
.credentials
);
342 state
->setup
.nt1
.in
.password1
= data_blob_talloc(state
, password
, strlen(password
));
343 state
->setup
.nt1
.in
.password2
= data_blob(NULL
, 0);
345 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
346 return NT_STATUS_INVALID_PARAMETER
;
349 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
351 return NT_STATUS_NO_MEMORY
;
354 if (!NT_STATUS_IS_OK(nt_status
)) {
356 * plain text => no signing
358 return (*req
)->status
;
361 if (cli_credentials_is_anonymous(io
->in
.credentials
)) {
363 * anonymous => no signing
365 return (*req
)->status
;
368 smb1cli_conn_activate_signing(session
->transport
->conn
,
370 state
->setup
.nt1
.in
.password2
);
372 nt_status
= smb1cli_session_set_session_key(session
->smbXcli
,
374 data_blob_free(&session_key
);
375 if (!NT_STATUS_IS_OK(nt_status
)) {
379 return (*req
)->status
;
384 old style session setup (pre NT1 protocol level)
386 static NTSTATUS
session_setup_old(struct composite_context
*c
,
387 struct smbcli_session
*session
,
388 struct smb_composite_sesssetup
*io
,
389 struct smbcli_request
**req
)
392 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
,
393 struct sesssetup_state
);
394 const char *password
= cli_credentials_get_password(io
->in
.credentials
);
395 const char *domain
= cli_credentials_get_domain(io
->in
.credentials
);
398 * domain controllers tend to reject the NTLM v2 blob
399 * if the netbiosname is not valid (e.g. IP address or FQDN)
400 * so just leave it away (as Windows client do)
402 DATA_BLOB names_blob
= NTLMv2_generate_names_blob(state
, NULL
, domain
);
404 DATA_BLOB session_key
;
406 if (session
->options
.lanman_auth
) {
407 flags
|= CLI_CRED_LANMAN_AUTH
;
410 if (session
->options
.ntlmv2_auth
) {
411 flags
|= CLI_CRED_NTLMv2_AUTH
;
414 state
->setup
.old
.level
= RAW_SESSSETUP_OLD
;
415 state
->setup
.old
.in
.bufsize
= session
->transport
->options
.max_xmit
;
416 state
->setup
.old
.in
.mpx_max
= session
->transport
->options
.max_mux
;
417 state
->setup
.old
.in
.vc_num
= 1;
418 state
->setup
.old
.in
.sesskey
= io
->in
.sesskey
;
419 state
->setup
.old
.in
.os
= "Unix";
420 state
->setup
.old
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
421 cli_credentials_get_ntlm_username_domain(io
->in
.credentials
, state
,
422 &state
->setup
.old
.in
.user
,
423 &state
->setup
.old
.in
.domain
);
425 if (session
->transport
->negotiate
.sec_mode
& NEGOTIATE_SECURITY_CHALLENGE_RESPONSE
) {
426 nt_status
= cli_credentials_get_ntlm_response(io
->in
.credentials
, state
,
428 session
->transport
->negotiate
.secblob
,
430 &state
->setup
.old
.in
.password
,
433 NT_STATUS_NOT_OK_RETURN(nt_status
);
435 nt_status
= smb1cli_session_set_session_key(session
->smbXcli
,
437 data_blob_free(&session_key
);
438 if (!NT_STATUS_IS_OK(nt_status
)) {
441 } else if (session
->options
.plaintext_auth
) {
442 state
->setup
.old
.in
.password
= data_blob_talloc(state
, password
, strlen(password
));
444 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
445 return NT_STATUS_INVALID_PARAMETER
;
448 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
450 return NT_STATUS_NO_MEMORY
;
452 return (*req
)->status
;
457 Modern, all singing, all dancing extended security (and possibly SPNEGO) request
459 static NTSTATUS
session_setup_spnego(struct composite_context
*c
,
460 struct smbcli_session
*session
,
461 struct smb_composite_sesssetup
*io
,
462 struct smbcli_request
**req
)
464 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
466 const char *chosen_oid
= NULL
;
468 state
->setup
.spnego
.level
= RAW_SESSSETUP_SPNEGO
;
469 state
->setup
.spnego
.in
.bufsize
= session
->transport
->options
.max_xmit
;
470 state
->setup
.spnego
.in
.mpx_max
= session
->transport
->options
.max_mux
;
471 state
->setup
.spnego
.in
.vc_num
= 1;
472 state
->setup
.spnego
.in
.sesskey
= io
->in
.sesskey
;
473 state
->setup
.spnego
.in
.capabilities
= io
->in
.capabilities
;
474 state
->setup
.spnego
.in
.os
= "Unix";
475 state
->setup
.spnego
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
476 state
->setup
.spnego
.in
.workgroup
= io
->in
.workgroup
;
478 status
= gensec_client_start(session
, &session
->gensec
,
479 io
->in
.gensec_settings
);
480 if (!NT_STATUS_IS_OK(status
)) {
481 DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status
)));
485 gensec_want_feature(session
->gensec
, GENSEC_FEATURE_SESSION_KEY
);
487 status
= gensec_set_credentials(session
->gensec
, io
->in
.credentials
);
488 if (!NT_STATUS_IS_OK(status
)) {
489 DEBUG(1, ("Failed to start set GENSEC client credentials: %s\n",
494 status
= gensec_set_target_hostname(session
->gensec
,
495 smbXcli_conn_remote_name(session
->transport
->conn
));
496 if (!NT_STATUS_IS_OK(status
)) {
497 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
502 status
= gensec_set_target_service(session
->gensec
, "cifs");
503 if (!NT_STATUS_IS_OK(status
)) {
504 DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
509 if (session
->transport
->negotiate
.secblob
.length
) {
510 chosen_oid
= GENSEC_OID_SPNEGO
;
511 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
512 if (!NT_STATUS_IS_OK(status
)) {
513 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
514 gensec_get_name_by_oid(session
->gensec
, chosen_oid
), nt_errstr(status
)));
515 chosen_oid
= GENSEC_OID_NTLMSSP
;
516 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
517 if (!NT_STATUS_IS_OK(status
)) {
518 DEBUG(1, ("Failed to start set (fallback) GENSEC client mechanism %s: %s\n",
519 gensec_get_name_by_oid(session
->gensec
, chosen_oid
),
525 /* without a sec blob, means raw NTLMSSP */
526 chosen_oid
= GENSEC_OID_NTLMSSP
;
527 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
528 if (!NT_STATUS_IS_OK(status
)) {
529 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
530 gensec_get_name_by_oid(session
->gensec
, chosen_oid
), nt_errstr(status
)));
534 if (strequal(chosen_oid
, GENSEC_OID_SPNEGO
)) {
535 status
= gensec_update_ev(session
->gensec
, state
,
537 session
->transport
->negotiate
.secblob
,
538 &state
->setup
.spnego
.in
.secblob
);
540 status
= gensec_update_ev(session
->gensec
, state
,
543 &state
->setup
.spnego
.in
.secblob
);
547 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
548 !NT_STATUS_IS_OK(status
)) {
549 DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
550 gensec_get_name_by_oid(session
->gensec
, chosen_oid
),
554 state
->gensec_status
= status
;
556 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
558 return NT_STATUS_NO_MEMORY
;
562 * we need to check the signature ourself
563 * as the session key might be the acceptor subkey
564 * which comes within the response itself
566 if (!smb1cli_conn_signing_is_active((*req
)->transport
->conn
)) {
567 (*req
)->sign_caller_checks
= true;
570 return (*req
)->status
;
575 composite session setup function that hides the details of all the
576 different session setup varients, including the multi-pass nature of
579 struct composite_context
*smb_composite_sesssetup_send(struct smbcli_session
*session
,
580 struct smb_composite_sesssetup
*io
)
582 struct composite_context
*c
;
583 struct sesssetup_state
*state
;
586 c
= composite_create(session
, session
->transport
->ev
);
587 if (c
== NULL
) return NULL
;
589 state
= talloc_zero(c
, struct sesssetup_state
);
590 if (composite_nomem(state
, c
)) return c
;
591 c
->private_data
= state
;
595 talloc_set_destructor(state
, sesssetup_state_destructor
);
597 /* no session setup at all in earliest protocol varients */
598 if (session
->transport
->negotiate
.protocol
< PROTOCOL_LANMAN1
) {
599 ZERO_STRUCT(io
->out
);
604 /* see what session setup interface we will use */
605 if (session
->transport
->negotiate
.protocol
< PROTOCOL_NT1
) {
606 status
= session_setup_old(c
, session
, io
, &state
->req
);
607 } else if (!session
->transport
->options
.use_spnego
||
608 !(io
->in
.capabilities
& CAP_EXTENDED_SECURITY
)) {
609 status
= session_setup_nt1(c
, session
, io
, &state
->req
);
611 status
= session_setup_spnego(c
, session
, io
, &state
->req
);
614 if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) ||
615 NT_STATUS_IS_OK(status
)) {
616 composite_continue_smb(c
, state
->req
, request_handler
, c
);
620 composite_error(c
, status
);
626 receive a composite session setup reply
628 NTSTATUS
smb_composite_sesssetup_recv(struct composite_context
*c
)
631 status
= composite_wait(c
);
637 sync version of smb_composite_sesssetup
639 NTSTATUS
smb_composite_sesssetup(struct smbcli_session
*session
, struct smb_composite_sesssetup
*io
)
641 struct composite_context
*c
= smb_composite_sesssetup_send(session
, io
);
642 return smb_composite_sesssetup_recv(c
);