search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge commit '42a3762d0138d6dd0c0f96964be98d0b21ab6bef'
[unleashed.git] / usr / src / cmd / smbsrv / smbd / smbd_authsvc.c
blobb507148b72e46e58c81bb81c7123a161d10fa7f3
1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
14 */
15
16 /*
17 * SMB authentication service
18 *
19 * This service listens on a local AF_UNIX socket, spawning a
20 * thread to service each connection. The client-side of such
21 * connections is the in-kernel SMB service, with an open and
22 * connect done in the SMB session setup handler.
23 */
24
25 #include <sys/types.h>
26 #include <stdlib.h>
27 #include <errno.h>
28 #include <string.h>
29 #include <strings.h>
30 #include <unistd.h>
31 #include <signal.h>
32 #include <stdio.h>
33 #include <note.h>
34 #include <net/if.h>
35 #include <net/route.h>
36 #include <sys/sockio.h>
37 #include <sys/socket.h>
38 #include <sys/un.h>
39 #include <netinet/in.h>
40 #include <fcntl.h>
41 #include <pthread.h>
42 #include <syslog.h>
43 #include <smbsrv/libsmb.h>
44 #include <netsmb/spnego.h>
45
46 #include "smbd.h"
47 #include "smbd_authsvc.h"
48
49 /* Arbitrary value outside the (small) range of valid OIDs */
50 #define special_mech_raw_NTLMSSP (spnego_mech_oid_NTLMSSP + 100)
51
52 static struct sockaddr_un smbauth_sockname = {
53 AF_UNIX, SMB_AUTHSVC_SOCKNAME };
54
55 typedef struct spnego_mech_handler {
56 int mh_oid; /* SPNEGO_MECH_OID */
57 int (*mh_init)(authsvc_context_t *);
58 int (*mh_work)(authsvc_context_t *);
59 void (*mh_fini)(authsvc_context_t *);
60 } spnego_mech_handler_t;
61
62 static int smbd_authsock_create(void);
63 static void smbd_authsock_destroy(void);
64 static void *smbd_authsvc_listen(void *);
65 static void *smbd_authsvc_work(void *);
66 static void smbd_authsvc_flood(void);
67
68 static int smbd_authsvc_oldreq(authsvc_context_t *);
69 static int smbd_authsvc_clinfo(authsvc_context_t *);
70 static int smbd_authsvc_esfirst(authsvc_context_t *);
71 static int smbd_authsvc_esnext(authsvc_context_t *);
72 static int smbd_authsvc_escmn(authsvc_context_t *);
73 static int smbd_authsvc_gettoken(authsvc_context_t *);
74 static int smbd_raw_ntlmssp_esfirst(authsvc_context_t *);
75 static int smbd_raw_ntlmssp_esnext(authsvc_context_t *);
76
77 /*
78 * We can get relatively large tokens now, thanks to krb5 PAC.
79 * Might be better to size these buffers dynamically, but these
80 * are all short-lived so not bothering with that for now.
81 */
82 int smbd_authsvc_bufsize = 65000;
83
84 static mutex_t smbd_authsvc_mutex = DEFAULTMUTEX;
85
86 /*
87 * The maximum number of authentication thread is limited by the
88 * smbsrv smb_threshold_...(->sv_ssetup_ct) mechanism. However,
89 * due to occasional delays closing these auth. sockets, we need
90 * a little "slack" on the number of threads we'll allow, as
91 * compared with the in-kernel limit. We could perhaps just
92 * remove this limit now, but want it for extra safety.
93 */
94 int smbd_authsvc_maxthread = SMB_AUTHSVC_MAXTHREAD + 32;
95 int smbd_authsvc_thrcnt = 0; /* current thrcnt */
96 int smbd_authsvc_hiwat = 0; /* largest thrcnt seen */
97 #ifdef DEBUG
98 int smbd_authsvc_slowdown = 0;
99 #endif
100
101 /*
102 * These are the mechanisms we support, in order of preference.
103 * But note: it's really the _client's_ preference that matters.
104 * See &pref in the spnegoIsMechTypeAvailable() calls below.
105 * Careful with this table; the code below knows its format and
106 * may skip the fist two entries to ommit Kerberos.
107 */
108 static const spnego_mech_handler_t
109 mech_table[] = {
110 {
111 spnego_mech_oid_Kerberos_V5,
112 smbd_krb5ssp_init,
113 smbd_krb5ssp_work,
114 smbd_krb5ssp_fini
115 },
116 {
117 spnego_mech_oid_Kerberos_V5_Legacy,
118 smbd_krb5ssp_init,
119 smbd_krb5ssp_work,
120 smbd_krb5ssp_fini
121 },
122 #define MECH_TBL_IDX_NTLMSSP 2
123 {
124 spnego_mech_oid_NTLMSSP,
125 smbd_ntlmssp_init,
126 smbd_ntlmssp_work,
127 smbd_ntlmssp_fini
128 },
129 {
130 /* end marker */
131 spnego_mech_oid_NotUsed,
132 NULL, NULL, NULL
133 },
134 };
135
136 static const spnego_mech_handler_t
137 smbd_auth_mech_raw_ntlmssp = {
138 special_mech_raw_NTLMSSP,
139 smbd_ntlmssp_init,
140 smbd_ntlmssp_work,
141 smbd_ntlmssp_fini
142 };
143
144
145 /*
146 * Start the authentication service.
147 * Returns non-zero on error.
148 */
149 int
150 smbd_authsvc_start(void)
151 {
152 pthread_attr_t attr;
153 pthread_t tid;
154 int rc;
155
156 rc = smbd_authsock_create();
157 if (rc)
158 return (rc);
159
160 (void) pthread_attr_init(&attr);
161 (void) pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
162 rc = pthread_create(&tid, &attr, smbd_authsvc_listen, &smbd);
163 (void) pthread_attr_destroy(&attr);
164 if (rc) {
165 smbd_authsock_destroy();
166 return (rc);
167 }
168
169 smbd.s_authsvc_tid = tid;
170 return (0);
171 }
172
173 void
174 smbd_authsvc_stop(void)
175 {
176
177 if (smbd.s_authsvc_tid != 0) {
178 (void) pthread_kill(smbd.s_authsvc_tid, SIGTERM);
179 smbd.s_authsvc_tid = 0;
180 }
181 }
182
183 static int
184 smbd_authsock_create(void)
185 {
186 int sock = -1;
187
188 sock = socket(AF_UNIX, SOCK_STREAM, 0);
189 if (sock < 0) {
190 smbd_report("authsvc, socket create failed, %d", errno);
191 return (errno);
192 }
193
194 (void) unlink(smbauth_sockname.sun_path);
195 if (bind(sock, (struct sockaddr *)&smbauth_sockname,
196 sizeof (smbauth_sockname)) < 0) {
197 smbd_report("authsvc, socket bind failed, %d", errno);
198 (void) close(sock);
199 return (errno);
200 }
201
202 if (listen(sock, SOMAXCONN) < 0) {
203 smbd_report("authsvc, socket listen failed, %d", errno);
204 (void) close(sock);
205 return (errno);
206 }
207
208 smbd.s_authsvc_sock = sock;
209 return (0);
210 }
211
212 static void
213 smbd_authsock_destroy(void)
214 {
215 int fid;
216
217 if ((fid = smbd.s_authsvc_sock) != -1) {
218 smbd.s_authsvc_sock = -1;
219 (void) close(fid);
220 }
221 }
222
223 static void *
224 smbd_authsvc_listen(void *arg)
225 {
226 authsvc_context_t *ctx;
227 pthread_attr_t attr;
228 pthread_t tid;
229 socklen_t slen;
230 int ls, ns, rc;
231
232 _NOTE(ARGUNUSED(arg))
233
234 (void) pthread_attr_init(&attr);
235 (void) pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
236
237 ls = smbd.s_authsvc_sock;
238 for (;;) {
239
240 slen = 0;
241 ns = accept(ls, NULL, &slen);
242 if (ns < 0) {
243 switch (errno) {
244 case ECONNABORTED:
245 continue;
246 case EINTR:
247 /* normal termination */
248 goto out;
249 default:
250 smbd_report("authsvc, socket accept failed,"
251 " %d", errno);
252 goto out;
253 }
254 }
255
256 /*
257 * Limit the number of auth. sockets
258 * (and the threads that service them).
259 */
260 (void) mutex_lock(&smbd_authsvc_mutex);
261 if (smbd_authsvc_thrcnt >= smbd_authsvc_maxthread) {
262 (void) mutex_unlock(&smbd_authsvc_mutex);
263 (void) close(ns);
264 smbd_authsvc_flood();
265 continue;
266 }
267 smbd_authsvc_thrcnt++;
268 if (smbd_authsvc_hiwat < smbd_authsvc_thrcnt)
269 smbd_authsvc_hiwat = smbd_authsvc_thrcnt;
270 (void) mutex_unlock(&smbd_authsvc_mutex);
271
272 ctx = smbd_authctx_create();
273 if (ctx == NULL) {
274 smbd_report("authsvc, can't allocate context");
275 (void) mutex_lock(&smbd_authsvc_mutex);
276 smbd_authsvc_thrcnt--;
277 (void) mutex_unlock(&smbd_authsvc_mutex);
278 (void) close(ns);
279 goto out;
280 }
281 ctx->ctx_socket = ns;
282
283 rc = pthread_create(&tid, &attr, smbd_authsvc_work, ctx);
284 if (rc) {
285 smbd_report("authsvc, thread create failed, %d", rc);
286 (void) mutex_lock(&smbd_authsvc_mutex);
287 smbd_authsvc_thrcnt--;
288 (void) mutex_unlock(&smbd_authsvc_mutex);
289 smbd_authctx_destroy(ctx);
290 goto out;
291 }
292 ctx = NULL; /* given to the new thread */
293 }
294
295 out:
296 (void) pthread_attr_destroy(&attr);
297 smbd_authsock_destroy();
298 return (NULL);
299 }
300
301 static void
302 smbd_authsvc_flood(void)
303 {
304 static uint_t count;
305 static time_t last_report;
306 time_t now = time(NULL);
307
308 count++;
309 if (last_report + 60 < now) {
310 last_report = now;
311 smbd_report("authsvc: flooded %u", count);
312 count = 0;
313 }
314 }
315
316 authsvc_context_t *
317 smbd_authctx_create(void)
318 {
319 authsvc_context_t *ctx;
320
321 ctx = malloc(sizeof (*ctx));
322 if (ctx == NULL)
323 return (NULL);
324 bzero(ctx, sizeof (*ctx));
325
326 ctx->ctx_irawlen = smbd_authsvc_bufsize;
327 ctx->ctx_irawbuf = malloc(ctx->ctx_irawlen);
328 ctx->ctx_orawlen = smbd_authsvc_bufsize;
329 ctx->ctx_orawbuf = malloc(ctx->ctx_orawlen);
330 if (ctx->ctx_irawbuf == NULL || ctx->ctx_orawbuf == NULL)
331 goto errout;
332
333 ctx->ctx_ibodylen = smbd_authsvc_bufsize;
334 ctx->ctx_ibodybuf = malloc(ctx->ctx_ibodylen);
335 ctx->ctx_obodylen = smbd_authsvc_bufsize;
336 ctx->ctx_obodybuf = malloc(ctx->ctx_obodylen);
337 if (ctx->ctx_ibodybuf == NULL || ctx->ctx_obodybuf == NULL)
338 goto errout;
339
340 return (ctx);
341
342 errout:
343 smbd_authctx_destroy(ctx);
344 return (NULL);
345 }
346
347 void
348 smbd_authctx_destroy(authsvc_context_t *ctx)
349 {
350 if (ctx->ctx_socket != -1) {
351 (void) close(ctx->ctx_socket);
352 ctx->ctx_socket = -1;
353 }
354
355 if (ctx->ctx_token != NULL)
356 smb_token_destroy(ctx->ctx_token);
357
358 if (ctx->ctx_itoken != NULL)
359 spnegoFreeData(ctx->ctx_itoken);
360 if (ctx->ctx_otoken != NULL)
361 spnegoFreeData(ctx->ctx_otoken);
362
363 free(ctx->ctx_irawbuf);
364 free(ctx->ctx_orawbuf);
365 free(ctx->ctx_ibodybuf);
366 free(ctx->ctx_obodybuf);
367
368 free(ctx);
369 }
370
371 /*
372 * Limit how long smbd_authsvc_work will wait for the client to
373 * send us the next part of the authentication sequence.
374 */
375 static struct timeval recv_tmo = { 30, 0 };
376
377 /*
378 * Also set a timeout for send, where we're sending a response to
379 * the client side (in smbsrv). That should always be waiting in
380 * recv by the time we send, so a short timeout is OK.
381 */
382 static struct timeval send_tmo = { 15, 0 };
383
384 static void *
385 smbd_authsvc_work(void *arg)
386 {
387 authsvc_context_t *ctx = arg;
388 smb_lsa_msg_hdr_t hdr;
389 int sock = ctx->ctx_socket;
390 int len, rc;
391
392 if (setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO,
393 (char *)&send_tmo, sizeof (send_tmo)) != 0) {
394 smbd_report("authsvc_work: set set timeout: %m");
395 goto out;
396 }
397
398 if (setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO,
399 (char *)&recv_tmo, sizeof (recv_tmo)) != 0) {
400 smbd_report("authsvc_work: set recv timeout: %m");
401 goto out;
402 }
403
404 for (;;) {
405
406 len = recv(sock, &hdr, sizeof (hdr), MSG_WAITALL);
407 if (len <= 0) {
408 /* normal termination */
409 break;
410 }
411 if (len != sizeof (hdr)) {
412 smbd_report("authsvc_work: read header failed");
413 break;
414 }
415
416 if (hdr.lmh_msglen > smbd_authsvc_bufsize) {
417 smbd_report("authsvc_work: msg too large");
418 break;
419 }
420
421 if (hdr.lmh_msglen > 0) {
422 len = recv(sock, ctx->ctx_irawbuf, hdr.lmh_msglen,
423 MSG_WAITALL);
424 if (len != hdr.lmh_msglen) {
425 smbd_report("authsvc_work: read mesg failed");
426 break;
427 }
428 }
429 ctx->ctx_irawtype = hdr.lmh_msgtype;
430 ctx->ctx_irawlen = hdr.lmh_msglen;
431 ctx->ctx_orawlen = smbd_authsvc_bufsize;
432 ctx->ctx_ibodylen = smbd_authsvc_bufsize;
433 ctx->ctx_obodylen = smbd_authsvc_bufsize;
434
435 /*
436 * The real work happens here.
437 */
438 rc = smbd_authsvc_dispatch(ctx);
439 if (rc)
440 break;
441
442 hdr.lmh_msgtype = ctx->ctx_orawtype;
443 hdr.lmh_msglen = ctx->ctx_orawlen;
444 len = send(sock, &hdr, sizeof (hdr), 0);
445 if (len != sizeof (hdr)) {
446 smbd_report("authsvc_work: send failed");
447 break;
448 }
449
450 if (ctx->ctx_orawlen > 0) {
451 len = send(sock, ctx->ctx_orawbuf,
452 ctx->ctx_orawlen, 0);
453 if (len != ctx->ctx_orawlen) {
454 smbd_report("authsvc_work: send failed");
455 break;
456 }
457 }
458 }
459
460 out:
461 if (ctx->ctx_mh_fini)
462 (ctx->ctx_mh_fini)(ctx);
463
464 smbd_authctx_destroy(ctx);
465
466 (void) mutex_lock(&smbd_authsvc_mutex);
467 smbd_authsvc_thrcnt--;
468 (void) mutex_unlock(&smbd_authsvc_mutex);
469
470 return (NULL); /* implied pthread_exit() */
471 }
472
473 /*
474 * Dispatch based on message type LSA_MTYPE_...
475 * Non-zero return here ends the conversation.
476 */
477 int
478 smbd_authsvc_dispatch(authsvc_context_t *ctx)
479 {
480 int rc;
481
482 switch (ctx->ctx_irawtype) {
483
484 case LSA_MTYPE_OLDREQ:
485 #ifdef DEBUG
486 if (smbd_authsvc_slowdown)
487 (void) sleep(smbd_authsvc_slowdown);
488 #endif
489 rc = smbd_authsvc_oldreq(ctx);
490 break;
491
492 case LSA_MTYPE_CLINFO:
493 rc = smbd_authsvc_clinfo(ctx);
494 break;
495
496 case LSA_MTYPE_ESFIRST:
497 rc = smbd_authsvc_esfirst(ctx);
498 break;
499
500 case LSA_MTYPE_ESNEXT:
501 #ifdef DEBUG
502 if (smbd_authsvc_slowdown)
503 (void) sleep(smbd_authsvc_slowdown);
504 #endif
505 rc = smbd_authsvc_esnext(ctx);
506 break;
507
508 case LSA_MTYPE_GETTOK:
509 rc = smbd_authsvc_gettoken(ctx);
510 break;
511
512 /* response types */
513 case LSA_MTYPE_OK:
514 case LSA_MTYPE_ERROR:
515 case LSA_MTYPE_TOKEN:
516 case LSA_MTYPE_ES_CONT:
517 case LSA_MTYPE_ES_DONE:
518 default:
519 return (-1);
520 }
521
522 if (rc != 0) {
523 smb_lsa_eresp_t *er = ctx->ctx_orawbuf;
524 ctx->ctx_orawtype = LSA_MTYPE_ERROR;
525 ctx->ctx_orawlen = sizeof (*er);
526 er->ler_ntstatus = rc;
527 er->ler_errclass = 0;
528 er->ler_errcode = 0;
529 }
530 return (0);
531 }
532
533 static int
534 smbd_authsvc_oldreq(authsvc_context_t *ctx)
535 {
536 smb_logon_t user_info;
537 XDR xdrs;
538 smb_token_t *token = NULL;
539 int rc = 0;
540
541 bzero(&user_info, sizeof (user_info));
542 xdrmem_create(&xdrs, ctx->ctx_irawbuf, ctx->ctx_irawlen,
543 XDR_DECODE);
544 if (!smb_logon_xdr(&xdrs, &user_info)) {
545 xdr_destroy(&xdrs);
546 return (NT_STATUS_INVALID_PARAMETER);
547 }
548 xdr_destroy(&xdrs);
549
550 token = smbd_user_auth_logon(&user_info);
551 xdr_free(smb_logon_xdr, (char *)&user_info);
552 if (token == NULL) {
553 rc = user_info.lg_status;
554 if (rc == 0) /* should not happen */
555 rc = NT_STATUS_INTERNAL_ERROR;
556 return (rc);
557 }
558
559 ctx->ctx_token = token;
560
561 return (rc);
562 }
563
564 static int
565 smbd_authsvc_clinfo(authsvc_context_t *ctx)
566 {
567
568 if (ctx->ctx_irawlen != sizeof (smb_lsa_clinfo_t))
569 return (NT_STATUS_INTERNAL_ERROR);
570 (void) memcpy(&ctx->ctx_clinfo, ctx->ctx_irawbuf,
571 sizeof (smb_lsa_clinfo_t));
572
573 ctx->ctx_orawtype = LSA_MTYPE_OK;
574 ctx->ctx_orawlen = 0;
575 return (0);
576 }
577
578 /*
579 * Handle a security blob we've received from the client.
580 * Incoming type: LSA_MTYPE_ESFIRST
581 * Outgoing types: LSA_MTYPE_ES_CONT, LSA_MTYPE_ES_DONE,
582 * LSA_MTYPE_ERROR
583 */
584 static int
585 smbd_authsvc_esfirst(authsvc_context_t *ctx)
586 {
587 const spnego_mech_handler_t *mh;
588 int idx, pref, rc;
589 int best_pref = 1000;
590 int best_mhidx = -1;
591
592 /*
593 * NTLMSSP header is 8+, SPNEGO is 10+
594 */
595 if (ctx->ctx_irawlen < 8) {
596 smbd_report("authsvc: short blob");
597 return (NT_STATUS_INVALID_PARAMETER);
598 }
599
600 /*
601 * We could have "Raw NTLMSSP" here intead of SPNEGO.
602 */
603 if (bcmp(ctx->ctx_irawbuf, "NTLMSSP", 8) == 0) {
604 rc = smbd_raw_ntlmssp_esfirst(ctx);
605 return (rc);
606 }
607
608 /*
609 * Parse the SPNEGO token, check its type.
610 */
611 rc = spnegoInitFromBinary(ctx->ctx_irawbuf,
612 ctx->ctx_irawlen, &ctx->ctx_itoken);
613 if (rc != 0) {
614 smbd_report("authsvc: spnego parse failed");
615 return (NT_STATUS_INVALID_PARAMETER);
616 }
617
618 rc = spnegoGetTokenType(ctx->ctx_itoken, &ctx->ctx_itoktype);
619 if (rc != 0) {
620 smbd_report("authsvc: spnego get token type failed");
621 return (NT_STATUS_INVALID_PARAMETER);
622 }
623
624 if (ctx->ctx_itoktype != SPNEGO_TOKEN_INIT) {
625 smbd_report("authsvc: spnego wrong token type %d",
626 ctx->ctx_itoktype);
627 return (NT_STATUS_INVALID_PARAMETER);
628 }
629
630 /*
631 * Figure out which mech type to use. We want to use the
632 * first of the client's supported mechanisms that we also
633 * support. Unfortunately, the spnego code does not have an
634 * interface to walk the token's mech list, so we have to
635 * ask about each mech type we know and keep track of which
636 * was earliest in the token's mech list.
637 *
638 * Also, skip the Kerberos mechanisms in workgroup mode.
639 */
640 idx = 0;
641 mh = mech_table;
642 if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN) {
643 idx = MECH_TBL_IDX_NTLMSSP;
644 mh = &mech_table[idx];
645 }
646 for (; mh->mh_init != NULL; idx++, mh++) {
647
648 if (spnegoIsMechTypeAvailable(ctx->ctx_itoken,
649 mh->mh_oid, &pref) != 0)
650 continue;
651
652 if (pref < best_pref) {
653 best_pref = pref;
654 best_mhidx = idx;
655 }
656 }
657 if (best_mhidx == -1) {
658 smbd_report("authsvc: no supported spnego mechanism");
659 return (NT_STATUS_INVALID_PARAMETER);
660 }
661
662 /* Found a mutually agreeable mech. */
663 mh = &mech_table[best_mhidx];
664 ctx->ctx_mech_oid = mh->mh_oid;
665 ctx->ctx_mh_work = mh->mh_work;
666 ctx->ctx_mh_fini = mh->mh_fini;
667 rc = mh->mh_init(ctx);
668 if (rc != 0) {
669 smbd_report("authsvc: mech init failed");
670 return (rc);
671 }
672
673 /*
674 * Common to LSA_MTYPE_ESFIRST, LSA_MTYPE_ESNEXT
675 */
676 rc = smbd_authsvc_escmn(ctx);
677 return (rc);
678 }
679
680 /*
681 * Handle a security blob we've received from the client.
682 * Incoming type: LSA_MTYPE_ESNEXT
683 * Outgoing types: LSA_MTYPE_ES_CONT, LSA_MTYPE_ES_DONE,
684 * LSA_MTYPE_ERROR
685 */
686 static int
687 smbd_authsvc_esnext(authsvc_context_t *ctx)
688 {
689 int rc;
690
691 /*
692 * Make sure LSA_MTYPE_ESFIRST was handled
693 * previously, so we have a work function.
694 */
695 if (ctx->ctx_mh_work == NULL)
696 return (NT_STATUS_INVALID_PARAMETER);
697
698 if (ctx->ctx_mech_oid == special_mech_raw_NTLMSSP) {
699 rc = smbd_raw_ntlmssp_esnext(ctx);
700 return (rc);
701 }
702
703 /*
704 * Cleanup state from previous calls.
705 */
706 if (ctx->ctx_itoken != NULL) {
707 spnegoFreeData(ctx->ctx_itoken);
708 ctx->ctx_itoken = NULL;
709 }
710
711 /*
712 * Parse the SPNEGO token, check its type.
713 */
714 rc = spnegoInitFromBinary(ctx->ctx_irawbuf,
715 ctx->ctx_irawlen, &ctx->ctx_itoken);
716 if (rc != 0)
717 return (NT_STATUS_INVALID_PARAMETER);
718
719 rc = spnegoGetTokenType(ctx->ctx_itoken, &ctx->ctx_itoktype);
720 if (rc != 0)
721 return (NT_STATUS_INVALID_PARAMETER);
722
723 if (ctx->ctx_itoktype != SPNEGO_TOKEN_TARG)
724 return (NT_STATUS_INVALID_PARAMETER);
725
726 rc = smbd_authsvc_escmn(ctx);
727 return (rc);
728 }
729
730 static int
731 smbd_authsvc_escmn(authsvc_context_t *ctx)
732 {
733 SPNEGO_MECH_OID oid;
734 ulong_t toklen;
735 int rc;
736
737 /*
738 * Cleanup state from previous calls.
739 */
740 if (ctx->ctx_otoken != NULL) {
741 spnegoFreeData(ctx->ctx_otoken);
742 ctx->ctx_otoken = NULL;
743 }
744
745 /*
746 * Extract the payload (mech token).
747 */
748 toklen = ctx->ctx_ibodylen;
749 rc = spnegoGetMechToken(ctx->ctx_itoken,
750 ctx->ctx_ibodybuf, &toklen);
751 switch (rc) {
752 case SPNEGO_E_SUCCESS:
753 break;
754 case SPNEGO_E_ELEMENT_UNAVAILABLE:
755 toklen = 0;
756 break;
757 case SPNEGO_E_BUFFER_TOO_SMALL:
758 return (NT_STATUS_BUFFER_TOO_SMALL);
759 default:
760 return (NT_STATUS_INTERNAL_ERROR);
761 }
762 ctx->ctx_ibodylen = toklen;
763
764 /*
765 * Now that we have the incoming "body" (mech. token),
766 * call the back-end mech-specific work function to
767 * create the outgoing "body" (mech. token).
768 *
769 * The worker must fill in: ctx->ctx_negresult,
770 * and: ctx->ctx_obodylen, but ctx->ctx_obodybuf
771 * is optional, and is typically NULL after the
772 * final message of an auth sequence, where
773 * negresult == spnego_negresult_complete.
774 */
775 rc = ctx->ctx_mh_work(ctx);
776 if (rc != 0)
777 return (rc);
778
779 /*
780 * Wrap the outgoing body in a negTokenTarg SPNEGO token.
781 * The selected mech. OID is returned only when the
782 * incoming token was of type SPNEGO_TOKEN_INIT.
783 */
784 if (ctx->ctx_itoktype == SPNEGO_TOKEN_INIT) {
785 /* tell the client the selected mech. */
786 oid = ctx->ctx_mech_oid;
787 } else {
788 /* Ommit the "supported mech." field. */
789 oid = spnego_mech_oid_NotUsed;
790 }
791
792 /*
793 * Determine the spnego "negresult" from the
794 * reply message type (from the work func).
795 */
796 switch (ctx->ctx_orawtype) {
797 case LSA_MTYPE_ERROR:
798 ctx->ctx_negresult = spnego_negresult_rejected;
799 break;
800 case LSA_MTYPE_ES_DONE:
801 ctx->ctx_negresult = spnego_negresult_success;
802 break;
803 case LSA_MTYPE_ES_CONT:
804 ctx->ctx_negresult = spnego_negresult_incomplete;
805 break;
806 default:
807 return (-1);
808 }
809
810 rc = spnegoCreateNegTokenTarg(
811 oid,
812 ctx->ctx_negresult,
813 ctx->ctx_obodybuf, /* may be NULL */
814 ctx->ctx_obodylen,
815 NULL, 0,
816 &ctx->ctx_otoken);
817
818 /*
819 * Convert the SPNEGO token into binary form,
820 * writing it to the output buffer.
821 */
822 toklen = smbd_authsvc_bufsize;
823 rc = spnegoTokenGetBinary(ctx->ctx_otoken,
824 (uchar_t *)ctx->ctx_orawbuf, &toklen);
825 if (rc)
826 rc = NT_STATUS_INTERNAL_ERROR;
827 ctx->ctx_orawlen = (uint_t)toklen;
828
829 return (rc);
830 }
831
832 /*
833 * Wrapper for "Raw NTLMSSP", which is exactly like the
834 * normal (SPNEGO-wrapped) NTLMSSP but without SPNEGO.
835 * Setup back-end handler for: special_mech_raw_NTLMSSP
836 * Compare with smbd_authsvc_esfirst().
837 */
838 static int
839 smbd_raw_ntlmssp_esfirst(authsvc_context_t *ctx)
840 {
841 const spnego_mech_handler_t *mh;
842 int rc;
843
844 mh = &smbd_auth_mech_raw_ntlmssp;
845 rc = mh->mh_init(ctx);
846 if (rc != 0)
847 return (rc);
848
849 ctx->ctx_mech_oid = mh->mh_oid;
850 ctx->ctx_mh_work = mh->mh_work;
851 ctx->ctx_mh_fini = mh->mh_fini;
852
853 rc = smbd_raw_ntlmssp_esnext(ctx);
854
855 return (rc);
856 }
857
858
859 /*
860 * Wrapper for "Raw NTLMSSP", which is exactly like the
861 * normal (SPNEGO-wrapped) NTLMSSP but without SPNEGO.
862 * Just copy "raw" to "body", and vice versa.
863 * Compare with smbd_authsvc_esnext, smbd_authsvc_escmn
864 */
865 static int
866 smbd_raw_ntlmssp_esnext(authsvc_context_t *ctx)
867 {
868 int rc;
869
870 ctx->ctx_ibodylen = ctx->ctx_irawlen;
871 (void) memcpy(ctx->ctx_ibodybuf,
872 ctx->ctx_irawbuf, ctx->ctx_irawlen);
873
874 rc = ctx->ctx_mh_work(ctx);
875
876 ctx->ctx_orawlen = ctx->ctx_obodylen;
877 (void) memcpy(ctx->ctx_orawbuf,
878 ctx->ctx_obodybuf, ctx->ctx_obodylen);
879
880 return (rc);
881 }
882
883
884 /*
885 * After a successful authentication, request the access token.
886 */
887 static int
888 smbd_authsvc_gettoken(authsvc_context_t *ctx)
889 {
890 XDR xdrs;
891 smb_token_t *token = NULL;
892 int rc = 0;
893 int len;
894
895 if ((token = ctx->ctx_token) == NULL)
896 return (NT_STATUS_ACCESS_DENIED);
897
898 /*
899 * Encode the token response
900 */
901 len = xdr_sizeof(smb_token_xdr, token);
902 if (len > ctx->ctx_orawlen) {
903 if ((ctx->ctx_orawbuf = realloc(ctx->ctx_orawbuf, len)) ==
904 NULL) {
905 return (NT_STATUS_INTERNAL_ERROR);
906 }
907 }
908
909 ctx->ctx_orawtype = LSA_MTYPE_TOKEN;
910 ctx->ctx_orawlen = len;
911 xdrmem_create(&xdrs, ctx->ctx_orawbuf, len, XDR_ENCODE);
912 if (!smb_token_xdr(&xdrs, token))
913 rc = NT_STATUS_INTERNAL_ERROR;
914 xdr_destroy(&xdrs);
915
916 return (rc);
917 }
918
919 /*
920 * Initialization time code to figure out what mechanisms we support.
921 * Careful with this table; the code below knows its format and may
922 * skip the fist two entries to ommit Kerberos.
923 */
924 static SPNEGO_MECH_OID MechTypeList[] = {
925 spnego_mech_oid_Kerberos_V5,
926 spnego_mech_oid_Kerberos_V5_Legacy,
927 #define MECH_OID_IDX_NTLMSSP 2
928 spnego_mech_oid_NTLMSSP,
929 };
930 static int MechTypeCnt = sizeof (MechTypeList) /
931 sizeof (MechTypeList[0]);
932
933 /* This string is just like Windows. */
934 static char IgnoreSPN[] = "not_defined_in_RFC4178@please_ignore";
935
936 /*
937 * Build the SPNEGO "hint" token based on the
938 * configured authentication mechanisms.
939 * (NTLMSSP, and maybe Kerberos)
940 */
941 void
942 smbd_get_authconf(smb_kmod_cfg_t *kcfg)
943 {
944 SPNEGO_MECH_OID *mechList = MechTypeList;
945 int mechCnt = MechTypeCnt;
946 SPNEGO_TOKEN_HANDLE hSpnegoToken = NULL;
947 uchar_t *pBuf = kcfg->skc_negtok;
948 uint32_t *pBufLen = &kcfg->skc_negtok_len;
949 ulong_t tLen = sizeof (kcfg->skc_negtok);
950 int rc;
951
952 /*
953 * In workgroup mode, skip Kerberos.
954 */
955 if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN) {
956 mechList += MECH_OID_IDX_NTLMSSP;
957 mechCnt -= MECH_OID_IDX_NTLMSSP;
958 }
959
960 rc = spnegoCreateNegTokenHint(mechList, mechCnt,
961 (uchar_t *)IgnoreSPN, &hSpnegoToken);
962 if (rc != SPNEGO_E_SUCCESS) {
963 syslog(LOG_DEBUG, "smb_config_get_negtok: "
964 "spnegoCreateNegTokenHint, rc=%d", rc);
965 *pBufLen = 0;
966 return;
967 }
968 rc = spnegoTokenGetBinary(hSpnegoToken, pBuf, &tLen);
969 if (rc != SPNEGO_E_SUCCESS) {
970 syslog(LOG_DEBUG, "smb_config_get_negtok: "
971 "spnegoTokenGetBinary, rc=%d", rc);
972 *pBufLen = 0;
973 } else {
974 *pBufLen = (uint32_t)tLen;
975 }
976 spnegoFreeData(hSpnegoToken);
977 }
Unleashed OS