2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 a composite API for making handling a generic async session setup
24 #include "libcli/raw/libcliraw.h"
25 #include "libcli/raw/raw_proto.h"
26 #include "libcli/composite/composite.h"
27 #include "libcli/smb_composite/smb_composite.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "auth/auth.h"
30 #include "auth/gensec/gensec.h"
31 #include "auth/credentials/credentials.h"
33 #include "param/param.h"
34 #include "libcli/smb/smbXcli_base.h"
36 struct sesssetup_state
{
37 union smb_sesssetup setup
;
38 NTSTATUS remote_status
;
39 NTSTATUS gensec_status
;
40 struct smb_composite_sesssetup
*io
;
41 struct smbcli_request
*req
;
44 static int sesssetup_state_destructor(struct sesssetup_state
*state
)
47 talloc_free(state
->req
);
54 static NTSTATUS
session_setup_old(struct composite_context
*c
,
55 struct smbcli_session
*session
,
56 struct smb_composite_sesssetup
*io
,
57 struct smbcli_request
**req
);
58 static NTSTATUS
session_setup_nt1(struct composite_context
*c
,
59 struct smbcli_session
*session
,
60 struct smb_composite_sesssetup
*io
,
61 struct smbcli_request
**req
);
62 static NTSTATUS
session_setup_spnego(struct composite_context
*c
,
63 struct smbcli_session
*session
,
64 struct smb_composite_sesssetup
*io
,
65 struct smbcli_request
**req
);
68 handler for completion of a smbcli_request sub-request
70 static void request_handler(struct smbcli_request
*req
)
72 struct composite_context
*c
= (struct composite_context
*)req
->async
.private_data
;
73 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
74 struct smbcli_session
*session
= req
->session
;
75 DATA_BLOB null_data_blob
= data_blob(NULL
, 0);
76 NTSTATUS session_key_err
, nt_status
;
77 struct smbcli_request
*check_req
= NULL
;
78 const char *os
= NULL
;
79 const char *lanman
= NULL
;
81 if (req
->sign_caller_checks
) {
82 req
->do_not_free
= true;
86 state
->remote_status
= smb_raw_sesssetup_recv(req
, state
, &state
->setup
);
87 c
->status
= state
->remote_status
;
91 * we only need to check the signature if the
92 * NT_STATUS_OK is returned
94 if (!NT_STATUS_IS_OK(state
->remote_status
)) {
95 talloc_free(check_req
);
99 switch (state
->setup
.old
.level
) {
100 case RAW_SESSSETUP_OLD
:
101 state
->io
->out
.vuid
= state
->setup
.old
.out
.vuid
;
102 /* This doesn't work, as this only happens on old
103 * protocols, where this comparison won't match. */
104 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
105 /* we neet to reset the vuid for a new try */
107 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
108 nt_status
= session_setup_old(c
, session
,
111 if (NT_STATUS_IS_OK(nt_status
)) {
112 talloc_free(check_req
);
113 c
->status
= nt_status
;
114 composite_continue_smb(c
, state
->req
, request_handler
, c
);
119 os
= state
->setup
.old
.out
.os
;
120 lanman
= state
->setup
.old
.out
.lanman
;
123 case RAW_SESSSETUP_NT1
:
124 state
->io
->out
.vuid
= state
->setup
.nt1
.out
.vuid
;
125 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
126 /* we neet to reset the vuid for a new try */
128 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
129 nt_status
= session_setup_nt1(c
, session
,
132 if (NT_STATUS_IS_OK(nt_status
)) {
133 talloc_free(check_req
);
134 c
->status
= nt_status
;
135 composite_continue_smb(c
, state
->req
, request_handler
, c
);
140 os
= state
->setup
.nt1
.out
.os
;
141 lanman
= state
->setup
.nt1
.out
.lanman
;
144 case RAW_SESSSETUP_SPNEGO
:
145 state
->io
->out
.vuid
= state
->setup
.spnego
.out
.vuid
;
146 if (NT_STATUS_EQUAL(c
->status
, NT_STATUS_LOGON_FAILURE
)) {
147 /* we need to reset the vuid for a new try */
149 if (cli_credentials_wrong_password(state
->io
->in
.credentials
)) {
150 nt_status
= session_setup_spnego(c
, session
,
153 if (NT_STATUS_IS_OK(nt_status
)) {
154 talloc_free(check_req
);
155 c
->status
= nt_status
;
156 composite_continue_smb(c
, state
->req
, request_handler
, c
);
161 if (!NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
162 !NT_STATUS_IS_OK(c
->status
)) {
165 if (NT_STATUS_EQUAL(state
->gensec_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
167 /* The status value here, from the earlier pass at GENSEC is
168 * vital to the security of the system. Even if the other end
169 * accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
170 * you must keep feeding it blobs, or else the remote
171 * host/attacker might avoid mutal authentication
174 state
->gensec_status
= gensec_update(session
->gensec
, state
, c
->event_ctx
,
175 state
->setup
.spnego
.out
.secblob
,
176 &state
->setup
.spnego
.in
.secblob
);
177 c
->status
= state
->gensec_status
;
178 if (!NT_STATUS_EQUAL(c
->status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
179 !NT_STATUS_IS_OK(c
->status
)) {
183 state
->setup
.spnego
.in
.secblob
= data_blob(NULL
, 0);
186 if (NT_STATUS_IS_OK(state
->remote_status
)) {
187 DATA_BLOB session_key
;
189 if (state
->setup
.spnego
.in
.secblob
.length
) {
190 c
->status
= NT_STATUS_INTERNAL_ERROR
;
193 session_key_err
= gensec_session_key(session
->gensec
, session
, &session_key
);
194 if (NT_STATUS_IS_OK(session_key_err
)) {
195 smb1cli_conn_activate_signing(session
->transport
->conn
,
200 c
->status
= smb1cli_session_set_session_key(session
->smbXcli
,
202 data_blob_free(&session_key
);
203 if (!NT_STATUS_IS_OK(c
->status
)) {
208 if (state
->setup
.spnego
.in
.secblob
.length
) {
210 * set the session->vuid value only for calling
211 * smb_raw_sesssetup_send()
213 uint16_t vuid
= session
->vuid
;
214 session
->vuid
= state
->io
->out
.vuid
;
215 state
->req
= smb_raw_sesssetup_send(session
, &state
->setup
);
216 session
->vuid
= vuid
;
218 !smb1cli_conn_signing_is_active(state
->req
->transport
->conn
)) {
219 state
->req
->sign_caller_checks
= true;
221 composite_continue_smb(c
, state
->req
, request_handler
, c
);
224 os
= state
->setup
.spnego
.out
.os
;
225 lanman
= state
->setup
.spnego
.out
.lanman
;
228 case RAW_SESSSETUP_SMB2
:
229 c
->status
= NT_STATUS_INTERNAL_ERROR
;
236 check_req
->sign_caller_checks
= false;
238 ok
= smb1cli_conn_check_signing(check_req
->transport
->conn
,
239 check_req
->in
.buffer
, 1);
241 c
->status
= NT_STATUS_ACCESS_DENIED
;
243 talloc_free(check_req
);
247 if (!NT_STATUS_IS_OK(c
->status
)) {
248 composite_error(c
, c
->status
);
253 session
->os
= talloc_strdup(session
, os
);
254 if (composite_nomem(session
->os
, c
)) return;
259 session
->lanman
= talloc_strdup(session
, lanman
);
260 if (composite_nomem(session
->lanman
, c
)) return;
262 session
->lanman
= NULL
;
270 send a nt1 style session setup
272 static NTSTATUS
session_setup_nt1(struct composite_context
*c
,
273 struct smbcli_session
*session
,
274 struct smb_composite_sesssetup
*io
,
275 struct smbcli_request
**req
)
277 NTSTATUS nt_status
= NT_STATUS_INTERNAL_ERROR
;
278 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
,
279 struct sesssetup_state
);
280 const char *domain
= cli_credentials_get_domain(io
->in
.credentials
);
283 * domain controllers tend to reject the NTLM v2 blob
284 * if the netbiosname is not valid (e.g. IP address or FQDN)
285 * so just leave it away (as Windows client do)
287 DATA_BLOB names_blob
= NTLMv2_generate_names_blob(state
, NULL
, domain
);
289 DATA_BLOB session_key
= data_blob(NULL
, 0);
290 int flags
= CLI_CRED_NTLM_AUTH
;
292 if (session
->options
.lanman_auth
) {
293 flags
|= CLI_CRED_LANMAN_AUTH
;
296 if (session
->options
.ntlmv2_auth
) {
297 flags
|= CLI_CRED_NTLMv2_AUTH
;
300 state
->setup
.nt1
.level
= RAW_SESSSETUP_NT1
;
301 state
->setup
.nt1
.in
.bufsize
= session
->transport
->options
.max_xmit
;
302 state
->setup
.nt1
.in
.mpx_max
= session
->transport
->options
.max_mux
;
303 state
->setup
.nt1
.in
.vc_num
= 1;
304 state
->setup
.nt1
.in
.sesskey
= io
->in
.sesskey
;
305 state
->setup
.nt1
.in
.capabilities
= io
->in
.capabilities
;
306 state
->setup
.nt1
.in
.os
= "Unix";
307 state
->setup
.nt1
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
309 cli_credentials_get_ntlm_username_domain(io
->in
.credentials
, state
,
310 &state
->setup
.nt1
.in
.user
,
311 &state
->setup
.nt1
.in
.domain
);
314 if (session
->transport
->negotiate
.sec_mode
& NEGOTIATE_SECURITY_CHALLENGE_RESPONSE
) {
315 nt_status
= cli_credentials_get_ntlm_response(io
->in
.credentials
, state
,
317 session
->transport
->negotiate
.secblob
,
319 &state
->setup
.nt1
.in
.password1
,
320 &state
->setup
.nt1
.in
.password2
,
322 NT_STATUS_NOT_OK_RETURN(nt_status
);
323 } else if (session
->options
.plaintext_auth
) {
324 const char *password
= cli_credentials_get_password(io
->in
.credentials
);
325 state
->setup
.nt1
.in
.password1
= data_blob_talloc(state
, password
, strlen(password
));
326 state
->setup
.nt1
.in
.password2
= data_blob(NULL
, 0);
328 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
329 return NT_STATUS_INVALID_PARAMETER
;
332 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
334 return NT_STATUS_NO_MEMORY
;
337 if (NT_STATUS_IS_OK(nt_status
)) {
338 smb1cli_conn_activate_signing(session
->transport
->conn
,
340 state
->setup
.nt1
.in
.password2
);
342 nt_status
= smb1cli_session_set_session_key(session
->smbXcli
,
344 data_blob_free(&session_key
);
345 if (!NT_STATUS_IS_OK(nt_status
)) {
350 return (*req
)->status
;
355 old style session setup (pre NT1 protocol level)
357 static NTSTATUS
session_setup_old(struct composite_context
*c
,
358 struct smbcli_session
*session
,
359 struct smb_composite_sesssetup
*io
,
360 struct smbcli_request
**req
)
363 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
,
364 struct sesssetup_state
);
365 const char *password
= cli_credentials_get_password(io
->in
.credentials
);
366 const char *domain
= cli_credentials_get_domain(io
->in
.credentials
);
369 * domain controllers tend to reject the NTLM v2 blob
370 * if the netbiosname is not valid (e.g. IP address or FQDN)
371 * so just leave it away (as Windows client do)
373 DATA_BLOB names_blob
= NTLMv2_generate_names_blob(state
, NULL
, domain
);
375 DATA_BLOB session_key
;
377 if (session
->options
.lanman_auth
) {
378 flags
|= CLI_CRED_LANMAN_AUTH
;
381 if (session
->options
.ntlmv2_auth
) {
382 flags
|= CLI_CRED_NTLMv2_AUTH
;
385 state
->setup
.old
.level
= RAW_SESSSETUP_OLD
;
386 state
->setup
.old
.in
.bufsize
= session
->transport
->options
.max_xmit
;
387 state
->setup
.old
.in
.mpx_max
= session
->transport
->options
.max_mux
;
388 state
->setup
.old
.in
.vc_num
= 1;
389 state
->setup
.old
.in
.sesskey
= io
->in
.sesskey
;
390 state
->setup
.old
.in
.os
= "Unix";
391 state
->setup
.old
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
392 cli_credentials_get_ntlm_username_domain(io
->in
.credentials
, state
,
393 &state
->setup
.old
.in
.user
,
394 &state
->setup
.old
.in
.domain
);
396 if (session
->transport
->negotiate
.sec_mode
& NEGOTIATE_SECURITY_CHALLENGE_RESPONSE
) {
397 nt_status
= cli_credentials_get_ntlm_response(io
->in
.credentials
, state
,
399 session
->transport
->negotiate
.secblob
,
401 &state
->setup
.old
.in
.password
,
404 NT_STATUS_NOT_OK_RETURN(nt_status
);
406 nt_status
= smb1cli_session_set_session_key(session
->smbXcli
,
408 data_blob_free(&session_key
);
409 if (!NT_STATUS_IS_OK(nt_status
)) {
412 } else if (session
->options
.plaintext_auth
) {
413 state
->setup
.old
.in
.password
= data_blob_talloc(state
, password
, strlen(password
));
415 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
416 return NT_STATUS_INVALID_PARAMETER
;
419 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
421 return NT_STATUS_NO_MEMORY
;
423 return (*req
)->status
;
428 Modern, all singing, all dancing extended security (and possibly SPNEGO) request
430 static NTSTATUS
session_setup_spnego(struct composite_context
*c
,
431 struct smbcli_session
*session
,
432 struct smb_composite_sesssetup
*io
,
433 struct smbcli_request
**req
)
435 struct sesssetup_state
*state
= talloc_get_type(c
->private_data
, struct sesssetup_state
);
437 const char *chosen_oid
= NULL
;
439 state
->setup
.spnego
.level
= RAW_SESSSETUP_SPNEGO
;
440 state
->setup
.spnego
.in
.bufsize
= session
->transport
->options
.max_xmit
;
441 state
->setup
.spnego
.in
.mpx_max
= session
->transport
->options
.max_mux
;
442 state
->setup
.spnego
.in
.vc_num
= 1;
443 state
->setup
.spnego
.in
.sesskey
= io
->in
.sesskey
;
444 state
->setup
.spnego
.in
.capabilities
= io
->in
.capabilities
;
445 state
->setup
.spnego
.in
.os
= "Unix";
446 state
->setup
.spnego
.in
.lanman
= talloc_asprintf(state
, "Samba %s", SAMBA_VERSION_STRING
);
447 state
->setup
.spnego
.in
.workgroup
= io
->in
.workgroup
;
449 status
= gensec_client_start(session
, &session
->gensec
,
450 io
->in
.gensec_settings
);
451 if (!NT_STATUS_IS_OK(status
)) {
452 DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status
)));
456 gensec_want_feature(session
->gensec
, GENSEC_FEATURE_SESSION_KEY
);
458 status
= gensec_set_credentials(session
->gensec
, io
->in
.credentials
);
459 if (!NT_STATUS_IS_OK(status
)) {
460 DEBUG(1, ("Failed to start set GENSEC client credentials: %s\n",
465 status
= gensec_set_target_hostname(session
->gensec
,
466 smbXcli_conn_remote_name(session
->transport
->conn
));
467 if (!NT_STATUS_IS_OK(status
)) {
468 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
473 status
= gensec_set_target_service(session
->gensec
, "cifs");
474 if (!NT_STATUS_IS_OK(status
)) {
475 DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
480 if (session
->transport
->negotiate
.secblob
.length
) {
481 chosen_oid
= GENSEC_OID_SPNEGO
;
482 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
483 if (!NT_STATUS_IS_OK(status
)) {
484 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
485 gensec_get_name_by_oid(session
->gensec
, chosen_oid
), nt_errstr(status
)));
486 chosen_oid
= GENSEC_OID_NTLMSSP
;
487 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
488 if (!NT_STATUS_IS_OK(status
)) {
489 DEBUG(1, ("Failed to start set (fallback) GENSEC client mechanism %s: %s\n",
490 gensec_get_name_by_oid(session
->gensec
, chosen_oid
),
496 /* without a sec blob, means raw NTLMSSP */
497 chosen_oid
= GENSEC_OID_NTLMSSP
;
498 status
= gensec_start_mech_by_oid(session
->gensec
, chosen_oid
);
499 if (!NT_STATUS_IS_OK(status
)) {
500 DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
501 gensec_get_name_by_oid(session
->gensec
, chosen_oid
), nt_errstr(status
)));
505 if ((const void *)chosen_oid
== (const void *)GENSEC_OID_SPNEGO
) {
506 status
= gensec_update(session
->gensec
, state
,
508 session
->transport
->negotiate
.secblob
,
509 &state
->setup
.spnego
.in
.secblob
);
511 status
= gensec_update(session
->gensec
, state
,
514 &state
->setup
.spnego
.in
.secblob
);
518 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) &&
519 !NT_STATUS_IS_OK(status
)) {
520 DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
521 gensec_get_name_by_oid(session
->gensec
, chosen_oid
),
525 state
->gensec_status
= status
;
527 *req
= smb_raw_sesssetup_send(session
, &state
->setup
);
529 return NT_STATUS_NO_MEMORY
;
533 * we need to check the signature ourself
534 * as the session key might be the acceptor subkey
535 * which comes within the response itself
537 if (!smb1cli_conn_signing_is_active((*req
)->transport
->conn
)) {
538 (*req
)->sign_caller_checks
= true;
541 return (*req
)->status
;
546 composite session setup function that hides the details of all the
547 different session setup varients, including the multi-pass nature of
550 struct composite_context
*smb_composite_sesssetup_send(struct smbcli_session
*session
,
551 struct smb_composite_sesssetup
*io
)
553 struct composite_context
*c
;
554 struct sesssetup_state
*state
;
557 c
= composite_create(session
, session
->transport
->ev
);
558 if (c
== NULL
) return NULL
;
560 state
= talloc_zero(c
, struct sesssetup_state
);
561 if (composite_nomem(state
, c
)) return c
;
562 c
->private_data
= state
;
566 talloc_set_destructor(state
, sesssetup_state_destructor
);
568 /* no session setup at all in earliest protocol varients */
569 if (session
->transport
->negotiate
.protocol
< PROTOCOL_LANMAN1
) {
570 ZERO_STRUCT(io
->out
);
575 /* see what session setup interface we will use */
576 if (session
->transport
->negotiate
.protocol
< PROTOCOL_NT1
) {
577 status
= session_setup_old(c
, session
, io
, &state
->req
);
578 } else if (!session
->transport
->options
.use_spnego
||
579 !(io
->in
.capabilities
& CAP_EXTENDED_SECURITY
)) {
580 status
= session_setup_nt1(c
, session
, io
, &state
->req
);
582 status
= session_setup_spnego(c
, session
, io
, &state
->req
);
585 if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) ||
586 NT_STATUS_IS_OK(status
)) {
587 composite_continue_smb(c
, state
->req
, request_handler
, c
);
591 composite_error(c
, status
);
597 receive a composite session setup reply
599 NTSTATUS
smb_composite_sesssetup_recv(struct composite_context
*c
)
602 status
= composite_wait(c
);
608 sync version of smb_composite_sesssetup
610 NTSTATUS
smb_composite_sesssetup(struct smbcli_session
*session
, struct smb_composite_sesssetup
*io
)
612 struct composite_context
*c
= smb_composite_sesssetup_send(session
, io
);
613 return smb_composite_sesssetup_recv(c
);