2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 a composite API for making handling a generic async session setup
24 #include "libcli/raw/libcliraw.h"
25 #include "libcli/raw/raw_proto.h"
26 #include "libcli/composite/composite.h"
27 #include "libcli/smb_composite/smb_composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "auth/auth.h"
30 #include "auth/gensec/gensec.h"
31 #include "auth/credentials/credentials.h"
33 #include "param/param.h"
34 #include "libcli/smb/smbXcli_base.h"
36 struct sesssetup_state
{
37 union smb_sesssetup setup
;
38 NTSTATUS remote_status
;
39 NTSTATUS gensec_status
;
40 struct smb_composite_sesssetup
*io
;
41 struct smbcli_request
*req
;
44 static int sesssetup_state_destructor(struct sesssetup_state
*state
)
47 talloc_free(state
->req
);
54 static NTSTATUS
session_setup_old(struct composite_context
*c
,
55 struct smbcli_session
*session
,
56 struct smb_composite_sesssetup
*io
,
57 struct smbcli_request
**req
);
58 static NTSTATUS
session_setup_nt1(struct composite_context
*c
,
59 struct smbcli_session
*session
,
60 struct smb_composite_sesssetup
*io
,
61 struct smbcli_request
**req
);
62 static NTSTATUS
session_setup_spnego(struct composite_context
*c
,
63 struct smbcli_session
*session
,
64 struct smb_composite_sesssetup
*io
,
65 struct smbcli_request
**req
);
68 store the user session key for a transport
70 static void set_user_session_key(struct smbcli_session
*session
,
71 const DATA_BLOB
*session_key
)
73 session
->user_session_key
= data_blob_talloc(session
,
79 handler for completion of a smbcli_request sub-request
81 static void request_handler(struct smbcli_request
*req
)
83 struct composite_context
*c
= (struct composite_context
*)req
->async
.private_data
;
84 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
85 struct smbcli_session
*session
= req
->session
;
86 DATA_BLOB null_data_blob
= data_blob(NULL
, 0);
87 NTSTATUS session_key_err
, nt_status
;
88 struct smbcli_request
*check_req
= NULL
;
89 const char *os
= NULL
;
90 const char *lanman
= NULL
;
92 if (req
->sign_caller_checks
) {
93 req
->do_not_free
= true;
97 state
->remote_status
= smb_raw_sesssetup_recv(req
, state
, &state
->setup
);
98 c
->status
= state
->remote_status
;
102 * we only need to check the signature if the
103 * NT_STATUS_OK is returned
105 if (!NT_STATUS_IS_OK(state
->remote_status
)) {
106 talloc_free(check_req
);
110 switch (state
->setup
.old
.level
) {
111 case RAW_SESSSETUP_OLD
:
112 state
->io
->out
.vuid
= state
->setup
.old
.out
.vuid
;
113 /* This doesn't work, as this only happens on old
114 * protocols, where this comparison won't match. */
115 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
116 /* we neet to reset the vuid for a new try */
118 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
119 nt_status
= session_setup_old(c
, session
,
122 if (NT_STATUS_IS_OK(nt_status
)) {
123 talloc_free(check_req
);
124 c
->status
= nt_status
;
125 composite_continue_smb(c
, state
->req
, request_handler
, c
);
130 os
= state
->setup
.old
.out
.os
;
131 lanman
= state
->setup
.old
.out
.lanman
;
134 case RAW_SESSSETUP_NT1
:
135 state
->io
->out
.vuid
= state
->setup
.nt1
.out
.vuid
;
136 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
137 /* we neet to reset the vuid for a new try */
139 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
140 nt_status
= session_setup_nt1(c
, session
,
143 if (NT_STATUS_IS_OK(nt_status
)) {
144 talloc_free(check_req
);
145 c
->status
= nt_status
;
146 composite_continue_smb(c
, state
->req
, request_handler
, c
);
151 os
= state
->setup
.nt1
.out
.os
;
152 lanman
= state
->setup
.nt1
.out
.lanman
;
155 case RAW_SESSSETUP_SPNEGO
:
156 state
->io
->out
.vuid
= state
->setup
.spnego
.out
.vuid
;
157 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
158 /* we need to reset the vuid for a new try */
160 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
161 nt_status
= session_setup_spnego(c
, session
,
164 if (NT_STATUS_IS_OK(nt_status
)) {
165 talloc_free(check_req
);
166 c
->status
= nt_status
;
167 composite_continue_smb(c
, state
->req
, request_handler
, c
);
172 if (!NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
173 !NT_STATUS_IS_OK(c
->status
)) {
176 if (NT_STATUS_EQUAL(state
->gensec_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
178 /* The status value here, from the earlier pass at GENSEC is
179 * vital to the security of the system. Even if the other end
180 * accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
181 * you must keep feeding it blobs, or else the remote
182 * host/attacker might avoid mutal authentication
185 state
->gensec_status
= gensec_update(session
->gensec
, state
, c
->event_ctx
,
186 state
->setup
.spnego
.out
.secblob
,
187 &state
->setup
.spnego
.in
.secblob
);
188 c
->status
= state
->gensec_status
;
189 if (!NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
190 !NT_STATUS_IS_OK(c
->status
)) {
194 state
->setup
.spnego
.in
.secblob
= data_blob(NULL
, 0);
197 if (NT_STATUS_IS_OK(state
->remote_status
)) {
198 if (state
->setup
.spnego
.in
.secblob
.length
) {
199 c
->status
= NT_STATUS_INTERNAL_ERROR
;
202 session_key_err
= gensec_session_key(session
->gensec
, session
, &session
->user_session_key
);
203 if (NT_STATUS_IS_OK(session_key_err
)) {
204 smb1cli_conn_activate_signing(session
->transport
->conn
,
205 session
->user_session_key
,
210 if (state
->setup
.spnego
.in
.secblob
.length
) {
212 * set the session->vuid value only for calling
213 * smb_raw_sesssetup_send()
215 uint16_t vuid
= session
->vuid
;
216 session
->vuid
= state
->io
->out
.vuid
;
217 state
->req
= smb_raw_sesssetup_send(session
, &state
->setup
);
218 session
->vuid
= vuid
;
220 !smb1cli_conn_signing_is_active(state
->req
->transport
->conn
)) {
221 state
->req
->sign_caller_checks
= true;
223 composite_continue_smb(c
, state
->req
, request_handler
, c
);
226 os
= state
->setup
.spnego
.out
.os
;
227 lanman
= state
->setup
.spnego
.out
.lanman
;
230 case RAW_SESSSETUP_SMB2
:
231 c
->status
= NT_STATUS_INTERNAL_ERROR
;
238 check_req
->sign_caller_checks
= false;
240 ok
= smb1cli_conn_check_signing(check_req
->transport
->conn
,
241 check_req
->in
.buffer
, 1);
243 c
->status
= NT_STATUS_ACCESS_DENIED
;
245 talloc_free(check_req
);
249 if (!NT_STATUS_IS_OK(c
->status
)) {
250 composite_error(c
, c
->status
);
255 session
->os
= talloc_strdup(session
, os
);
256 if (composite_nomem(session
->os
, c
)) return;
261 session
->lanman
= talloc_strdup(session
, lanman
);
262 if (composite_nomem(session
->lanman
, c
)) return;
264 session
->lanman
= NULL
;
272 send a nt1 style session setup
274 static NTSTATUS
session_setup_nt1(struct composite_context
*c
,
275 struct smbcli_session
*session
,
276 struct smb_composite_sesssetup
*io
,
277 struct smbcli_request
**req
)
279 NTSTATUS nt_status
= NT_STATUS_INTERNAL_ERROR
;
280 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
,
281 struct sesssetup_state
);
282 const char *domain
= cli_credentials_get_domain(io
->in
.credentials
);
285 * domain controllers tend to reject the NTLM v2 blob
286 * if the netbiosname is not valid (e.g. IP address or FQDN)
287 * so just leave it away (as Windows client do)
289 DATA_BLOB names_blob
= NTLMv2_generate_names_blob(state
, NULL
, domain
);
291 DATA_BLOB session_key
= data_blob(NULL
, 0);
292 int flags
= CLI_CRED_NTLM_AUTH
;
294 if (session
->options
.lanman_auth
) {
295 flags
|= CLI_CRED_LANMAN_AUTH
;
298 if (session
->options
.ntlmv2_auth
) {
299 flags
|= CLI_CRED_NTLMv2_AUTH
;
302 state
->setup
.nt1
.level
= RAW_SESSSETUP_NT1
;
303 state
->setup
.nt1
.in
.bufsize
= session
->transport
->options
.max_xmit
;
304 state
->setup
.nt1
.in
.mpx_max
= session
->transport
->options
.max_mux
;
305 state
->setup
.nt1
.in
.vc_num
= 1;
306 state
->setup
.nt1
.in
.sesskey
= io
->in
.sesskey
;
307 state
->setup
.nt1
.in
.capabilities
= io
->in
.capabilities
;
308 state
->setup
.nt1
.in
.os
= "Unix";
309 state
->setup
.nt1
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
311 cli_credentials_get_ntlm_username_domain(io
->in
.credentials
, state
,
312 &state
->setup
.nt1
.in
.user
,
313 &state
->setup
.nt1
.in
.domain
);
316 if (session
->transport
->negotiate
.sec_mode
& NEGOTIATE_SECURITY_CHALLENGE_RESPONSE
) {
317 nt_status
= cli_credentials_get_ntlm_response(io
->in
.credentials
, state
,
319 session
->transport
->negotiate
.secblob
,
321 &state
->setup
.nt1
.in
.password1
,
322 &state
->setup
.nt1
.in
.password2
,
324 NT_STATUS_NOT_OK_RETURN(nt_status
);
325 } else if (session
->options
.plaintext_auth
) {
326 const char *password
= cli_credentials_get_password(io
->in
.credentials
);
327 state
->setup
.nt1
.in
.password1
= data_blob_talloc(state
, password
, strlen(password
));
328 state
->setup
.nt1
.in
.password2
= data_blob(NULL
, 0);
330 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
331 return NT_STATUS_INVALID_PARAMETER
;
334 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
336 return NT_STATUS_NO_MEMORY
;
339 if (NT_STATUS_IS_OK(nt_status
)) {
340 smb1cli_conn_activate_signing(session
->transport
->conn
,
342 state
->setup
.nt1
.in
.password2
);
343 set_user_session_key(session
, &session_key
);
345 data_blob_free(&session_key
);
348 return (*req
)->status
;
353 old style session setup (pre NT1 protocol level)
355 static NTSTATUS
session_setup_old(struct composite_context
*c
,
356 struct smbcli_session
*session
,
357 struct smb_composite_sesssetup
*io
,
358 struct smbcli_request
**req
)
361 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
,
362 struct sesssetup_state
);
363 const char *password
= cli_credentials_get_password(io
->in
.credentials
);
364 const char *domain
= cli_credentials_get_domain(io
->in
.credentials
);
367 * domain controllers tend to reject the NTLM v2 blob
368 * if the netbiosname is not valid (e.g. IP address or FQDN)
369 * so just leave it away (as Windows client do)
371 DATA_BLOB names_blob
= NTLMv2_generate_names_blob(state
, NULL
, domain
);
373 DATA_BLOB session_key
;
375 if (session
->options
.lanman_auth
) {
376 flags
|= CLI_CRED_LANMAN_AUTH
;
379 if (session
->options
.ntlmv2_auth
) {
380 flags
|= CLI_CRED_NTLMv2_AUTH
;
383 state
->setup
.old
.level
= RAW_SESSSETUP_OLD
;
384 state
->setup
.old
.in
.bufsize
= session
->transport
->options
.max_xmit
;
385 state
->setup
.old
.in
.mpx_max
= session
->transport
->options
.max_mux
;
386 state
->setup
.old
.in
.vc_num
= 1;
387 state
->setup
.old
.in
.sesskey
= io
->in
.sesskey
;
388 state
->setup
.old
.in
.os
= "Unix";
389 state
->setup
.old
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
390 cli_credentials_get_ntlm_username_domain(io
->in
.credentials
, state
,
391 &state
->setup
.old
.in
.user
,
392 &state
->setup
.old
.in
.domain
);
394 if (session
->transport
->negotiate
.sec_mode
& NEGOTIATE_SECURITY_CHALLENGE_RESPONSE
) {
395 nt_status
= cli_credentials_get_ntlm_response(io
->in
.credentials
, state
,
397 session
->transport
->negotiate
.secblob
,
399 &state
->setup
.old
.in
.password
,
402 NT_STATUS_NOT_OK_RETURN(nt_status
);
403 set_user_session_key(session
, &session_key
);
405 data_blob_free(&session_key
);
406 } else if (session
->options
.plaintext_auth
) {
407 state
->setup
.old
.in
.password
= data_blob_talloc(state
, password
, strlen(password
));
409 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
410 return NT_STATUS_INVALID_PARAMETER
;
413 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
415 return NT_STATUS_NO_MEMORY
;
417 return (*req
)->status
;
422 Modern, all singing, all dancing extended security (and possibly SPNEGO) request
424 static NTSTATUS
session_setup_spnego(struct composite_context
*c
,
425 struct smbcli_session
*session
,
426 struct smb_composite_sesssetup
*io
,
427 struct smbcli_request
**req
)
429 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
431 const char *chosen_oid
= NULL
;
433 state
->setup
.spnego
.level
= RAW_SESSSETUP_SPNEGO
;
434 state
->setup
.spnego
.in
.bufsize
= session
->transport
->options
.max_xmit
;
435 state
->setup
.spnego
.in
.mpx_max
= session
->transport
->options
.max_mux
;
436 state
->setup
.spnego
.in
.vc_num
= 1;
437 state
->setup
.spnego
.in
.sesskey
= io
->in
.sesskey
;
438 state
->setup
.spnego
.in
.capabilities
= io
->in
.capabilities
;
439 state
->setup
.spnego
.in
.os
= "Unix";
440 state
->setup
.spnego
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
441 state
->setup
.spnego
.in
.workgroup
= io
->in
.workgroup
;
443 status
= gensec_client_start(session
, &session
->gensec
,
444 io
->in
.gensec_settings
);
445 if (!NT_STATUS_IS_OK(status
)) {
446 DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status
)));
450 gensec_want_feature(session
->gensec
, GENSEC_FEATURE_SESSION_KEY
);
452 status
= gensec_set_credentials(session
->gensec
, io
->in
.credentials
);
453 if (!NT_STATUS_IS_OK(status
)) {
454 DEBUG(1, ("Failed to start set GENSEC client credentials: %s\n",
459 status
= gensec_set_target_hostname(session
->gensec
,
460 smbXcli_conn_remote_name(session
->transport
->conn
));
461 if (!NT_STATUS_IS_OK(status
)) {
462 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
467 status
= gensec_set_target_service(session
->gensec
, "cifs");
468 if (!NT_STATUS_IS_OK(status
)) {
469 DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
474 if (session
->transport
->negotiate
.secblob
.length
) {
475 chosen_oid
= GENSEC_OID_SPNEGO
;
476 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
477 if (!NT_STATUS_IS_OK(status
)) {
478 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
479 gensec_get_name_by_oid(session
->gensec
, chosen_oid
), nt_errstr(status
)));
480 chosen_oid
= GENSEC_OID_NTLMSSP
;
481 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
482 if (!NT_STATUS_IS_OK(status
)) {
483 DEBUG(1, ("Failed to start set (fallback) GENSEC client mechanism %s: %s\n",
484 gensec_get_name_by_oid(session
->gensec
, chosen_oid
),
490 /* without a sec blob, means raw NTLMSSP */
491 chosen_oid
= GENSEC_OID_NTLMSSP
;
492 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
493 if (!NT_STATUS_IS_OK(status
)) {
494 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
495 gensec_get_name_by_oid(session
->gensec
, chosen_oid
), nt_errstr(status
)));
499 if ((const void *)chosen_oid
== (const void *)GENSEC_OID_SPNEGO
) {
500 status
= gensec_update(session
->gensec
, state
,
502 session
->transport
->negotiate
.secblob
,
503 &state
->setup
.spnego
.in
.secblob
);
505 status
= gensec_update(session
->gensec
, state
,
508 &state
->setup
.spnego
.in
.secblob
);
512 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
513 !NT_STATUS_IS_OK(status
)) {
514 DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
515 gensec_get_name_by_oid(session
->gensec
, chosen_oid
),
519 state
->gensec_status
= status
;
521 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
523 return NT_STATUS_NO_MEMORY
;
527 * we need to check the signature ourself
528 * as the session key might be the acceptor subkey
529 * which comes within the response itself
531 if (!smb1cli_conn_signing_is_active((*req
)->transport
->conn
)) {
532 (*req
)->sign_caller_checks
= true;
535 return (*req
)->status
;
540 composite session setup function that hides the details of all the
541 different session setup varients, including the multi-pass nature of
544 struct composite_context
*smb_composite_sesssetup_send(struct smbcli_session
*session
,
545 struct smb_composite_sesssetup
*io
)
547 struct composite_context
*c
;
548 struct sesssetup_state
*state
;
551 c
= composite_create(session
, session
->transport
->ev
);
552 if (c
== NULL
) return NULL
;
554 state
= talloc_zero(c
, struct sesssetup_state
);
555 if (composite_nomem(state
, c
)) return c
;
556 c
->private_data
= state
;
560 talloc_set_destructor(state
, sesssetup_state_destructor
);
562 /* no session setup at all in earliest protocol varients */
563 if (session
->transport
->negotiate
.protocol
< PROTOCOL_LANMAN1
) {
564 ZERO_STRUCT(io
->out
);
569 /* see what session setup interface we will use */
570 if (session
->transport
->negotiate
.protocol
< PROTOCOL_NT1
) {
571 status
= session_setup_old(c
, session
, io
, &state
->req
);
572 } else if (!session
->transport
->options
.use_spnego
||
573 !(io
->in
.capabilities
& CAP_EXTENDED_SECURITY
)) {
574 status
= session_setup_nt1(c
, session
, io
, &state
->req
);
576 status
= session_setup_spnego(c
, session
, io
, &state
->req
);
579 if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) ||
580 NT_STATUS_IS_OK(status
)) {
581 composite_continue_smb(c
, state
->req
, request_handler
, c
);
585 composite_error(c
, status
);
591 receive a composite session setup reply
593 NTSTATUS
smb_composite_sesssetup_recv(struct composite_context
*c
)
596 status
= composite_wait(c
);
602 sync version of smb_composite_sesssetup
604 NTSTATUS
smb_composite_sesssetup(struct smbcli_session
*session
, struct smb_composite_sesssetup
*io
)
606 struct composite_context
*c
= smb_composite_sesssetup_send(session
, io
);
607 return smb_composite_sesssetup_recv(c
);