2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 a composite API for making handling a generic async session setup
24 #include "libcli/raw/libcliraw.h"
25 #include "libcli/raw/raw_proto.h"
26 #include "libcli/composite/composite.h"
27 #include "libcli/smb_composite/smb_composite.h"
28 #include "libcli/smb_composite/proto.h"
29 #include "libcli/auth/libcli_auth.h"
30 #include "auth/auth.h"
31 #include "auth/gensec/gensec.h"
32 #include "auth/credentials/credentials.h"
34 #include "param/param.h"
36 struct sesssetup_state
{
37 union smb_sesssetup setup
;
38 NTSTATUS remote_status
;
39 NTSTATUS gensec_status
;
40 struct smb_composite_sesssetup
*io
;
41 struct smbcli_request
*req
;
44 static int sesssetup_state_destructor(struct sesssetup_state
*state
)
47 talloc_free(state
->req
);
54 static NTSTATUS
session_setup_old(struct composite_context
*c
,
55 struct smbcli_session
*session
,
56 struct smb_composite_sesssetup
*io
,
57 struct smbcli_request
**req
);
58 static NTSTATUS
session_setup_nt1(struct composite_context
*c
,
59 struct smbcli_session
*session
,
60 struct smb_composite_sesssetup
*io
,
61 struct smbcli_request
**req
);
62 static NTSTATUS
session_setup_spnego(struct composite_context
*c
,
63 struct smbcli_session
*session
,
64 struct smb_composite_sesssetup
*io
,
65 struct smbcli_request
**req
);
68 store the user session key for a transport
70 static void set_user_session_key(struct smbcli_session
*session
,
71 const DATA_BLOB
*session_key
)
73 session
->user_session_key
= data_blob_talloc(session
,
79 handler for completion of a smbcli_request sub-request
81 static void request_handler(struct smbcli_request
*req
)
83 struct composite_context
*c
= (struct composite_context
*)req
->async
.private;
84 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
85 struct smbcli_session
*session
= req
->session
;
86 DATA_BLOB session_key
= data_blob(NULL
, 0);
87 DATA_BLOB null_data_blob
= data_blob(NULL
, 0);
88 NTSTATUS session_key_err
, nt_status
;
89 struct smbcli_request
*check_req
= NULL
;
91 if (req
->sign_caller_checks
) {
92 req
->do_not_free
= true;
96 state
->remote_status
= smb_raw_sesssetup_recv(req
, state
, &state
->setup
);
97 c
->status
= state
->remote_status
;
101 * we only need to check the signature if the
102 * NT_STATUS_OK is returned
104 if (!NT_STATUS_IS_OK(state
->remote_status
)) {
105 talloc_free(check_req
);
109 switch (state
->setup
.old
.level
) {
110 case RAW_SESSSETUP_OLD
:
111 state
->io
->out
.vuid
= state
->setup
.old
.out
.vuid
;
112 /* This doesn't work, as this only happens on old
113 * protocols, where this comparison won't match. */
114 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
115 /* we neet to reset the vuid for a new try */
117 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
118 nt_status
= session_setup_old(c
, session
,
121 if (NT_STATUS_IS_OK(nt_status
)) {
122 talloc_free(check_req
);
123 c
->status
= nt_status
;
124 composite_continue_smb(c
, state
->req
, request_handler
, c
);
131 case RAW_SESSSETUP_NT1
:
132 state
->io
->out
.vuid
= state
->setup
.nt1
.out
.vuid
;
133 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
134 /* we neet to reset the vuid for a new try */
136 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
137 nt_status
= session_setup_nt1(c
, session
,
140 if (NT_STATUS_IS_OK(nt_status
)) {
141 talloc_free(check_req
);
142 c
->status
= nt_status
;
143 composite_continue_smb(c
, state
->req
, request_handler
, c
);
150 case RAW_SESSSETUP_SPNEGO
:
151 state
->io
->out
.vuid
= state
->setup
.spnego
.out
.vuid
;
152 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
153 /* we need to reset the vuid for a new try */
155 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
156 nt_status
= session_setup_spnego(c
, session
,
159 if (NT_STATUS_IS_OK(nt_status
)) {
160 talloc_free(check_req
);
161 c
->status
= nt_status
;
162 composite_continue_smb(c
, state
->req
, request_handler
, c
);
167 if (!NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
168 !NT_STATUS_IS_OK(c
->status
)) {
171 if (NT_STATUS_EQUAL(state
->gensec_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
173 /* The status value here, from the earlier pass at GENSEC is
174 * vital to the security of the system. Even if the other end
175 * accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
176 * you must keep feeding it blobs, or else the remote
177 * host/attacker might avoid mutal authentication
180 state
->gensec_status
= gensec_update(session
->gensec
, state
,
181 state
->setup
.spnego
.out
.secblob
,
182 &state
->setup
.spnego
.in
.secblob
);
183 c
->status
= state
->gensec_status
;
184 if (!NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
185 !NT_STATUS_IS_OK(c
->status
)) {
189 state
->setup
.spnego
.in
.secblob
= data_blob(NULL
, 0);
192 if (NT_STATUS_IS_OK(state
->remote_status
)) {
193 if (state
->setup
.spnego
.in
.secblob
.length
) {
194 c
->status
= NT_STATUS_INTERNAL_ERROR
;
197 session_key_err
= gensec_session_key(session
->gensec
, &session_key
);
198 if (NT_STATUS_IS_OK(session_key_err
)) {
199 set_user_session_key(session
, &session_key
);
200 smbcli_transport_simple_set_signing(session
->transport
, session_key
, null_data_blob
);
204 if (state
->setup
.spnego
.in
.secblob
.length
) {
206 * set the session->vuid value only for calling
207 * smb_raw_sesssetup_send()
209 uint16_t vuid
= session
->vuid
;
210 session
->vuid
= state
->io
->out
.vuid
;
211 state
->req
= smb_raw_sesssetup_send(session
, &state
->setup
);
212 session
->vuid
= vuid
;
214 state
->req
->sign_caller_checks
= true;
216 composite_continue_smb(c
, state
->req
, request_handler
, c
);
221 case RAW_SESSSETUP_SMB2
:
222 c
->status
= NT_STATUS_INTERNAL_ERROR
;
227 check_req
->sign_caller_checks
= false;
228 if (!smbcli_request_check_sign_mac(check_req
)) {
229 c
->status
= NT_STATUS_ACCESS_DENIED
;
231 talloc_free(check_req
);
235 /* enforce the local signing required flag */
236 if (NT_STATUS_IS_OK(c
->status
) && !cli_credentials_is_anonymous(state
->io
->in
.credentials
)) {
237 if (!session
->transport
->negotiate
.sign_info
.doing_signing
238 && session
->transport
->negotiate
.sign_info
.mandatory_signing
) {
239 DEBUG(0, ("SMB signing required, but server does not support it\n"));
240 c
->status
= NT_STATUS_ACCESS_DENIED
;
244 if (!NT_STATUS_IS_OK(c
->status
)) {
245 composite_error(c
, c
->status
);
254 send a nt1 style session setup
256 static NTSTATUS
session_setup_nt1(struct composite_context
*c
,
257 struct smbcli_session
*session
,
258 struct smb_composite_sesssetup
*io
,
259 struct smbcli_request
**req
)
261 NTSTATUS nt_status
= NT_STATUS_INTERNAL_ERROR
;
262 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
263 DATA_BLOB names_blob
= NTLMv2_generate_names_blob(state
, lp_iconv_convenience(global_loadparm
), session
->transport
->socket
->hostname
, lp_workgroup(global_loadparm
));
264 DATA_BLOB session_key
= data_blob(NULL
, 0);
265 int flags
= CLI_CRED_NTLM_AUTH
;
267 smbcli_temp_set_signing(session
->transport
);
269 if (session
->options
.lanman_auth
) {
270 flags
|= CLI_CRED_LANMAN_AUTH
;
273 if (session
->options
.ntlmv2_auth
) {
274 flags
|= CLI_CRED_NTLMv2_AUTH
;
277 state
->setup
.nt1
.level
= RAW_SESSSETUP_NT1
;
278 state
->setup
.nt1
.in
.bufsize
= session
->transport
->options
.max_xmit
;
279 state
->setup
.nt1
.in
.mpx_max
= session
->transport
->options
.max_mux
;
280 state
->setup
.nt1
.in
.vc_num
= 1;
281 state
->setup
.nt1
.in
.sesskey
= io
->in
.sesskey
;
282 state
->setup
.nt1
.in
.capabilities
= io
->in
.capabilities
;
283 state
->setup
.nt1
.in
.os
= "Unix";
284 state
->setup
.nt1
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
286 cli_credentials_get_ntlm_username_domain(io
->in
.credentials
, state
,
287 &state
->setup
.nt1
.in
.user
,
288 &state
->setup
.nt1
.in
.domain
);
291 if (session
->transport
->negotiate
.sec_mode
& NEGOTIATE_SECURITY_CHALLENGE_RESPONSE
) {
292 nt_status
= cli_credentials_get_ntlm_response(io
->in
.credentials
, state
,
294 session
->transport
->negotiate
.secblob
,
296 &state
->setup
.nt1
.in
.password1
,
297 &state
->setup
.nt1
.in
.password2
,
299 NT_STATUS_NOT_OK_RETURN(nt_status
);
300 } else if (session
->options
.plaintext_auth
) {
301 const char *password
= cli_credentials_get_password(io
->in
.credentials
);
302 state
->setup
.nt1
.in
.password1
= data_blob_talloc(state
, password
, strlen(password
));
303 state
->setup
.nt1
.in
.password2
= data_blob(NULL
, 0);
305 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
306 return NT_STATUS_INVALID_PARAMETER
;
309 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
311 return NT_STATUS_NO_MEMORY
;
314 if (NT_STATUS_IS_OK(nt_status
)) {
315 smbcli_transport_simple_set_signing(session
->transport
, session_key
,
316 state
->setup
.nt1
.in
.password2
);
317 set_user_session_key(session
, &session_key
);
319 data_blob_free(&session_key
);
322 return (*req
)->status
;
327 old style session setup (pre NT1 protocol level)
329 static NTSTATUS
session_setup_old(struct composite_context
*c
,
330 struct smbcli_session
*session
,
331 struct smb_composite_sesssetup
*io
,
332 struct smbcli_request
**req
)
335 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
336 const char *password
= cli_credentials_get_password(io
->in
.credentials
);
337 DATA_BLOB names_blob
= NTLMv2_generate_names_blob(state
, lp_iconv_convenience(global_loadparm
), session
->transport
->socket
->hostname
, lp_workgroup(global_loadparm
));
338 DATA_BLOB session_key
;
340 if (session
->options
.lanman_auth
) {
341 flags
|= CLI_CRED_LANMAN_AUTH
;
344 if (session
->options
.ntlmv2_auth
) {
345 flags
|= CLI_CRED_NTLMv2_AUTH
;
348 state
->setup
.old
.level
= RAW_SESSSETUP_OLD
;
349 state
->setup
.old
.in
.bufsize
= session
->transport
->options
.max_xmit
;
350 state
->setup
.old
.in
.mpx_max
= session
->transport
->options
.max_mux
;
351 state
->setup
.old
.in
.vc_num
= 1;
352 state
->setup
.old
.in
.sesskey
= io
->in
.sesskey
;
353 state
->setup
.old
.in
.os
= "Unix";
354 state
->setup
.old
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
355 cli_credentials_get_ntlm_username_domain(io
->in
.credentials
, state
,
356 &state
->setup
.old
.in
.user
,
357 &state
->setup
.old
.in
.domain
);
359 if (session
->transport
->negotiate
.sec_mode
& NEGOTIATE_SECURITY_CHALLENGE_RESPONSE
) {
360 nt_status
= cli_credentials_get_ntlm_response(io
->in
.credentials
, state
,
362 session
->transport
->negotiate
.secblob
,
364 &state
->setup
.old
.in
.password
,
367 NT_STATUS_NOT_OK_RETURN(nt_status
);
368 set_user_session_key(session
, &session_key
);
370 data_blob_free(&session_key
);
371 } else if (session
->options
.plaintext_auth
) {
372 state
->setup
.old
.in
.password
= data_blob_talloc(state
, password
, strlen(password
));
374 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
375 return NT_STATUS_INVALID_PARAMETER
;
378 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
380 return NT_STATUS_NO_MEMORY
;
382 return (*req
)->status
;
387 Modern, all singing, all dancing extended security (and possibly SPNEGO) request
389 static NTSTATUS
session_setup_spnego(struct composite_context
*c
,
390 struct smbcli_session
*session
,
391 struct smb_composite_sesssetup
*io
,
392 struct smbcli_request
**req
)
394 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
396 const char *chosen_oid
= NULL
;
398 state
->setup
.spnego
.level
= RAW_SESSSETUP_SPNEGO
;
399 state
->setup
.spnego
.in
.bufsize
= session
->transport
->options
.max_xmit
;
400 state
->setup
.spnego
.in
.mpx_max
= session
->transport
->options
.max_mux
;
401 state
->setup
.spnego
.in
.vc_num
= 1;
402 state
->setup
.spnego
.in
.sesskey
= io
->in
.sesskey
;
403 state
->setup
.spnego
.in
.capabilities
= io
->in
.capabilities
;
404 state
->setup
.spnego
.in
.os
= "Unix";
405 state
->setup
.spnego
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
406 state
->setup
.spnego
.in
.workgroup
= io
->in
.workgroup
;
408 smbcli_temp_set_signing(session
->transport
);
410 status
= gensec_client_start(session
, &session
->gensec
, c
->event_ctx
,
412 if (!NT_STATUS_IS_OK(status
)) {
413 DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status
)));
417 gensec_want_feature(session
->gensec
, GENSEC_FEATURE_SESSION_KEY
);
419 status
= gensec_set_credentials(session
->gensec
, io
->in
.credentials
);
420 if (!NT_STATUS_IS_OK(status
)) {
421 DEBUG(1, ("Failed to start set GENSEC client credentials: %s\n",
426 status
= gensec_set_target_hostname(session
->gensec
, session
->transport
->socket
->hostname
);
427 if (!NT_STATUS_IS_OK(status
)) {
428 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
433 status
= gensec_set_target_service(session
->gensec
, "cifs");
434 if (!NT_STATUS_IS_OK(status
)) {
435 DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
440 if (session
->transport
->negotiate
.secblob
.length
) {
441 chosen_oid
= GENSEC_OID_SPNEGO
;
442 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
443 if (!NT_STATUS_IS_OK(status
)) {
444 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
445 gensec_get_name_by_oid(chosen_oid
), nt_errstr(status
)));
446 chosen_oid
= GENSEC_OID_NTLMSSP
;
447 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
448 if (!NT_STATUS_IS_OK(status
)) {
449 DEBUG(1, ("Failed to start set (fallback) GENSEC client mechanism %s: %s\n",
450 gensec_get_name_by_oid(chosen_oid
), nt_errstr(status
)));
455 /* without a sec blob, means raw NTLMSSP */
456 chosen_oid
= GENSEC_OID_NTLMSSP
;
457 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
458 if (!NT_STATUS_IS_OK(status
)) {
459 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
460 gensec_get_name_by_oid(chosen_oid
), nt_errstr(status
)));
464 if ((const void *)chosen_oid
== (const void *)GENSEC_OID_SPNEGO
) {
465 status
= gensec_update(session
->gensec
, state
,
466 session
->transport
->negotiate
.secblob
,
467 &state
->setup
.spnego
.in
.secblob
);
469 status
= gensec_update(session
->gensec
, state
,
471 &state
->setup
.spnego
.in
.secblob
);
475 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
476 !NT_STATUS_IS_OK(status
)) {
477 DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
478 gensec_get_name_by_oid(chosen_oid
), nt_errstr(status
)));
481 state
->gensec_status
= status
;
483 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
485 return NT_STATUS_NO_MEMORY
;
489 * we need to check the signature ourself
490 * as the session key might be the acceptor subkey
491 * which comes within the response itself
493 (*req
)->sign_caller_checks
= true;
495 return (*req
)->status
;
500 composite session setup function that hides the details of all the
501 different session setup varients, including the multi-pass nature of
504 struct composite_context
*smb_composite_sesssetup_send(struct smbcli_session
*session
,
505 struct smb_composite_sesssetup
*io
)
507 struct composite_context
*c
;
508 struct sesssetup_state
*state
;
511 c
= composite_create(session
, session
->transport
->socket
->event
.ctx
);
512 if (c
== NULL
) return NULL
;
514 state
= talloc_zero(c
, struct sesssetup_state
);
515 if (composite_nomem(state
, c
)) return c
;
516 c
->private_data
= state
;
520 talloc_set_destructor(state
, sesssetup_state_destructor
);
522 /* no session setup at all in earliest protocol varients */
523 if (session
->transport
->negotiate
.protocol
< PROTOCOL_LANMAN1
) {
524 ZERO_STRUCT(io
->out
);
529 /* see what session setup interface we will use */
530 if (session
->transport
->negotiate
.protocol
< PROTOCOL_NT1
) {
531 status
= session_setup_old(c
, session
, io
, &state
->req
);
532 } else if (!session
->transport
->options
.use_spnego
||
533 !(io
->in
.capabilities
& CAP_EXTENDED_SECURITY
)) {
534 status
= session_setup_nt1(c
, session
, io
, &state
->req
);
536 status
= session_setup_spnego(c
, session
, io
, &state
->req
);
539 if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) ||
540 NT_STATUS_IS_OK(status
)) {
541 composite_continue_smb(c
, state
->req
, request_handler
, c
);
545 composite_error(c
, status
);
551 receive a composite session setup reply
553 NTSTATUS
smb_composite_sesssetup_recv(struct composite_context
*c
)
556 status
= composite_wait(c
);
562 sync version of smb_composite_sesssetup
564 NTSTATUS
smb_composite_sesssetup(struct smbcli_session
*session
, struct smb_composite_sesssetup
*io
)
566 struct composite_context
*c
= smb_composite_sesssetup_send(session
, io
);
567 return smb_composite_sesssetup_recv(c
);