Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.5.x/source4/libcli/smb_composite/sesssetup.c

Visit:

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 18.7 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	Copyright (C) Andrew Tridgell 2005
5
6	This program is free software; you can redistribute it and/or modify
7	it under the terms of the GNU General Public License as published by
8	the Free Software Foundation; either version 3 of the License, or
9	(at your option) any later version.
10
11	This program is distributed in the hope that it will be useful,
12	but WITHOUT ANY WARRANTY; without even the implied warranty of
13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	GNU General Public License for more details.
15
16	You should have received a copy of the GNU General Public License
17	along with this program. If not, see <http://www.gnu.org/licenses/>.
18	*/
19	/*
20	a composite API for making handling a generic async session setup
21	*/
22
23	#include "includes.h"
24	#include "libcli/raw/libcliraw.h"
25	#include "libcli/raw/raw_proto.h"
26	#include "libcli/composite/composite.h"
27	#include "libcli/smb_composite/smb_composite.h"
28	#include "libcli/smb_composite/proto.h"
29	#include "libcli/auth/libcli_auth.h"
30	#include "auth/auth.h"
31	#include "auth/gensec/gensec.h"
32	#include "auth/credentials/credentials.h"
33	#include "version.h"
34	#include "param/param.h"
35
36	struct sesssetup_state {
37	union smb_sesssetup setup;
38	NTSTATUS remote_status;
39	NTSTATUS gensec_status;
40	struct smb_composite_sesssetup *io;
41	struct smbcli_request *req;
42	};
43
44	static int sesssetup_state_destructor(struct sesssetup_state *state)
45	{
46	if (state->req) {
47	talloc_free(state->req);
48	state->req = NULL;
49	}
50
51	return 0;
52	}
53
54	static NTSTATUS session_setup_old(struct composite_context *c,
55	struct smbcli_session *session,
56	struct smb_composite_sesssetup *io,
57	struct smbcli_request **req);
58	static NTSTATUS session_setup_nt1(struct composite_context *c,
59	struct smbcli_session *session,
60	struct smb_composite_sesssetup *io,
61	struct smbcli_request **req);
62	static NTSTATUS session_setup_spnego(struct composite_context *c,
63	struct smbcli_session *session,
64	struct smb_composite_sesssetup *io,
65	struct smbcli_request **req);
66
67	/*
68	store the user session key for a transport
69	*/
70	static void set_user_session_key(struct smbcli_session *session,
71	const DATA_BLOB *session_key)
72	{
73	session->user_session_key = data_blob_talloc(session,
74	session_key->data,
75	session_key->length);
76	}
77
78	/*
79	handler for completion of a smbcli_request sub-request
80	*/
81	static void request_handler(struct smbcli_request *req)
82	{
83	struct composite_context c = (struct composite_context )req->async.private_data;
84	struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
85	struct smbcli_session *session = req->session;
86	DATA_BLOB session_key = data_blob(NULL, 0);
87	DATA_BLOB null_data_blob = data_blob(NULL, 0);
88	NTSTATUS session_key_err, nt_status;
89	struct smbcli_request *check_req = NULL;
90	const char *os = NULL;
91	const char *lanman = NULL;
92
93	if (req->sign_caller_checks) {
94	req->do_not_free = true;
95	check_req = req;
96	}
97
98	state->remote_status = smb_raw_sesssetup_recv(req, state, &state->setup);
99	c->status = state->remote_status;
100	state->req = NULL;
101
102	/*
103	* we only need to check the signature if the
104	* NT_STATUS_OK is returned
105	*/
106	if (!NT_STATUS_IS_OK(state->remote_status)) {
107	talloc_free(check_req);
108	check_req = NULL;
109	}
110
111	switch (state->setup.old.level) {
112	case RAW_SESSSETUP_OLD:
113	state->io->out.vuid = state->setup.old.out.vuid;
114	/* This doesn't work, as this only happens on old
115	* protocols, where this comparison won't match. */
116	if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
117	/* we neet to reset the vuid for a new try */
118	session->vuid = 0;
119	if (cli_credentials_wrong_password(state->io->in.credentials)) {
120	nt_status = session_setup_old(c, session,
121	state->io,
122	&state->req);
123	if (NT_STATUS_IS_OK(nt_status)) {
124	talloc_free(check_req);
125	c->status = nt_status;
126	composite_continue_smb(c, state->req, request_handler, c);
127	return;
128	}
129	}
130	}
131	os = state->setup.old.out.os;
132	lanman = state->setup.old.out.lanman;
133	break;
134
135	case RAW_SESSSETUP_NT1:
136	state->io->out.vuid = state->setup.nt1.out.vuid;
137	if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
138	/* we neet to reset the vuid for a new try */
139	session->vuid = 0;
140	if (cli_credentials_wrong_password(state->io->in.credentials)) {
141	nt_status = session_setup_nt1(c, session,
142	state->io,
143	&state->req);
144	if (NT_STATUS_IS_OK(nt_status)) {
145	talloc_free(check_req);
146	c->status = nt_status;
147	composite_continue_smb(c, state->req, request_handler, c);
148	return;
149	}
150	}
151	}
152	os = state->setup.nt1.out.os;
153	lanman = state->setup.nt1.out.lanman;
154	break;
155
156	case RAW_SESSSETUP_SPNEGO:
157	state->io->out.vuid = state->setup.spnego.out.vuid;
158	if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
159	/* we need to reset the vuid for a new try */
160	session->vuid = 0;
161	if (cli_credentials_wrong_password(state->io->in.credentials)) {
162	nt_status = session_setup_spnego(c, session,
163	state->io,
164	&state->req);
165	if (NT_STATUS_IS_OK(nt_status)) {
166	talloc_free(check_req);
167	c->status = nt_status;
168	composite_continue_smb(c, state->req, request_handler, c);
169	return;
170	}
171	}
172	}
173	if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
174	!NT_STATUS_IS_OK(c->status)) {
175	break;
176	}
177	if (NT_STATUS_EQUAL(state->gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
178
179	/* The status value here, from the earlier pass at GENSEC is
180	* vital to the security of the system. Even if the other end
181	* accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
182	* you must keep feeding it blobs, or else the remote
183	* host/attacker might avoid mutal authentication
184	* requirements */
185
186	state->gensec_status = gensec_update(session->gensec, state,
187	state->setup.spnego.out.secblob,
188	&state->setup.spnego.in.secblob);
189	c->status = state->gensec_status;
190	if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
191	!NT_STATUS_IS_OK(c->status)) {
192	break;
193	}
194	} else {
195	state->setup.spnego.in.secblob = data_blob(NULL, 0);
196	}
197
198	if (NT_STATUS_IS_OK(state->remote_status)) {
199	if (state->setup.spnego.in.secblob.length) {
200	c->status = NT_STATUS_INTERNAL_ERROR;
201	break;
202	}
203	session_key_err = gensec_session_key(session->gensec, &session_key);
204	if (NT_STATUS_IS_OK(session_key_err)) {
205	set_user_session_key(session, &session_key);
206	smbcli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
207	}
208	}
209
210	if (state->setup.spnego.in.secblob.length) {
211	/*
212	* set the session->vuid value only for calling
213	* smb_raw_sesssetup_send()
214	*/
215	uint16_t vuid = session->vuid;
216	session->vuid = state->io->out.vuid;
217	state->req = smb_raw_sesssetup_send(session, &state->setup);
218	session->vuid = vuid;
219	if (state->req) {
220	state->req->sign_caller_checks = true;
221	}
222	composite_continue_smb(c, state->req, request_handler, c);
223	return;
224	}
225	os = state->setup.spnego.out.os;
226	lanman = state->setup.spnego.out.lanman;
227	break;
228
229	case RAW_SESSSETUP_SMB2:
230	c->status = NT_STATUS_INTERNAL_ERROR;
231	break;
232	}
233
234	if (check_req) {
235	check_req->sign_caller_checks = false;
236	if (!smbcli_request_check_sign_mac(check_req)) {
237	c->status = NT_STATUS_ACCESS_DENIED;
238	}
239	talloc_free(check_req);
240	check_req = NULL;
241	}
242
243	/* enforce the local signing required flag */
244	if (NT_STATUS_IS_OK(c->status) && !cli_credentials_is_anonymous(state->io->in.credentials)) {
245	if (!session->transport->negotiate.sign_info.doing_signing
246	&& session->transport->negotiate.sign_info.mandatory_signing) {
247	DEBUG(0, ("SMB signing required, but server does not support it\n"));
248	c->status = NT_STATUS_ACCESS_DENIED;
249	}
250	}
251
252	if (!NT_STATUS_IS_OK(c->status)) {
253	composite_error(c, c->status);
254	return;
255	}
256
257	if (os) {
258	session->os = talloc_strdup(session, os);
259	if (composite_nomem(session->os, c)) return;
260	} else {
261	session->os = NULL;
262	}
263	if (lanman) {
264	session->lanman = talloc_strdup(session, lanman);
265	if (composite_nomem(session->lanman, c)) return;
266	} else {
267	session->lanman = NULL;
268	}
269
270	composite_done(c);
271	}
272
273
274	/*
275	send a nt1 style session setup
276	*/
277	static NTSTATUS session_setup_nt1(struct composite_context *c,
278	struct smbcli_session *session,
279	struct smb_composite_sesssetup *io,
280	struct smbcli_request **req)
281	{
282	NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
283	struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
284	DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, session->transport->socket->hostname, cli_credentials_get_domain(io->in.credentials));
285	DATA_BLOB session_key = data_blob(NULL, 0);
286	int flags = CLI_CRED_NTLM_AUTH;
287
288	smbcli_temp_set_signing(session->transport);
289
290	if (session->options.lanman_auth) {
291	flags \|= CLI_CRED_LANMAN_AUTH;
292	}
293
294	if (session->options.ntlmv2_auth) {
295	flags \|= CLI_CRED_NTLMv2_AUTH;
296	}
297
298	state->setup.nt1.level = RAW_SESSSETUP_NT1;
299	state->setup.nt1.in.bufsize = session->transport->options.max_xmit;
300	state->setup.nt1.in.mpx_max = session->transport->options.max_mux;
301	state->setup.nt1.in.vc_num = 1;
302	state->setup.nt1.in.sesskey = io->in.sesskey;
303	state->setup.nt1.in.capabilities = io->in.capabilities;
304	state->setup.nt1.in.os = "Unix";
305	state->setup.nt1.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
306
307	cli_credentials_get_ntlm_username_domain(io->in.credentials, state,
308	&state->setup.nt1.in.user,
309	&state->setup.nt1.in.domain);
310
311
312	if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
313	nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state,
314	&flags,
315	session->transport->negotiate.secblob,
316	names_blob,
317	&state->setup.nt1.in.password1,
318	&state->setup.nt1.in.password2,
319	NULL, &session_key);
320	NT_STATUS_NOT_OK_RETURN(nt_status);
321	} else if (session->options.plaintext_auth) {
322	const char *password = cli_credentials_get_password(io->in.credentials);
323	state->setup.nt1.in.password1 = data_blob_talloc(state, password, strlen(password));
324	state->setup.nt1.in.password2 = data_blob(NULL, 0);
325	} else {
326	/* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
327	return NT_STATUS_INVALID_PARAMETER;
328	}
329
330	*req = smb_raw_sesssetup_send(session, &state->setup);
331	if (!*req) {
332	return NT_STATUS_NO_MEMORY;
333	}
334
335	if (NT_STATUS_IS_OK(nt_status)) {
336	smbcli_transport_simple_set_signing(session->transport, session_key,
337	state->setup.nt1.in.password2);
338	set_user_session_key(session, &session_key);
339
340	data_blob_free(&session_key);
341	}
342
343	return (*req)->status;
344	}
345
346
347	/*
348	old style session setup (pre NT1 protocol level)
349	*/
350	static NTSTATUS session_setup_old(struct composite_context *c,
351	struct smbcli_session *session,
352	struct smb_composite_sesssetup *io,
353	struct smbcli_request **req)
354	{
355	NTSTATUS nt_status;
356	struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
357	const char *password = cli_credentials_get_password(io->in.credentials);
358	DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, session->transport->socket->hostname, cli_credentials_get_domain(io->in.credentials));
359	DATA_BLOB session_key;
360	int flags = 0;
361	if (session->options.lanman_auth) {
362	flags \|= CLI_CRED_LANMAN_AUTH;
363	}
364
365	if (session->options.ntlmv2_auth) {
366	flags \|= CLI_CRED_NTLMv2_AUTH;
367	}
368
369	state->setup.old.level = RAW_SESSSETUP_OLD;
370	state->setup.old.in.bufsize = session->transport->options.max_xmit;
371	state->setup.old.in.mpx_max = session->transport->options.max_mux;
372	state->setup.old.in.vc_num = 1;
373	state->setup.old.in.sesskey = io->in.sesskey;
374	state->setup.old.in.os = "Unix";
375	state->setup.old.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
376	cli_credentials_get_ntlm_username_domain(io->in.credentials, state,
377	&state->setup.old.in.user,
378	&state->setup.old.in.domain);
379
380	if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
381	nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state,
382	&flags,
383	session->transport->negotiate.secblob,
384	names_blob,
385	&state->setup.old.in.password,
386	NULL,
387	NULL, &session_key);
388	NT_STATUS_NOT_OK_RETURN(nt_status);
389	set_user_session_key(session, &session_key);
390
391	data_blob_free(&session_key);
392	} else if (session->options.plaintext_auth) {
393	state->setup.old.in.password = data_blob_talloc(state, password, strlen(password));
394	} else {
395	/* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
396	return NT_STATUS_INVALID_PARAMETER;
397	}
398
399	*req = smb_raw_sesssetup_send(session, &state->setup);
400	if (!*req) {
401	return NT_STATUS_NO_MEMORY;
402	}
403	return (*req)->status;
404	}
405
406
407	/*
408	Modern, all singing, all dancing extended security (and possibly SPNEGO) request
409	*/
410	static NTSTATUS session_setup_spnego(struct composite_context *c,
411	struct smbcli_session *session,
412	struct smb_composite_sesssetup *io,
413	struct smbcli_request **req)
414	{
415	struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
416	NTSTATUS status;
417	const char *chosen_oid = NULL;
418
419	state->setup.spnego.level = RAW_SESSSETUP_SPNEGO;
420	state->setup.spnego.in.bufsize = session->transport->options.max_xmit;
421	state->setup.spnego.in.mpx_max = session->transport->options.max_mux;
422	state->setup.spnego.in.vc_num = 1;
423	state->setup.spnego.in.sesskey = io->in.sesskey;
424	state->setup.spnego.in.capabilities = io->in.capabilities;
425	state->setup.spnego.in.os = "Unix";
426	state->setup.spnego.in.lanman = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
427	state->setup.spnego.in.workgroup = io->in.workgroup;
428
429	smbcli_temp_set_signing(session->transport);
430
431	status = gensec_client_start(session, &session->gensec, c->event_ctx,
432	io->in.gensec_settings);
433	if (!NT_STATUS_IS_OK(status)) {
434	DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
435	return status;
436	}
437
438	gensec_want_feature(session->gensec, GENSEC_FEATURE_SESSION_KEY);
439
440	status = gensec_set_credentials(session->gensec, io->in.credentials);
441	if (!NT_STATUS_IS_OK(status)) {
442	DEBUG(1, ("Failed to start set GENSEC client credentials: %s\n",
443	nt_errstr(status)));
444	return status;
445	}
446
447	status = gensec_set_target_hostname(session->gensec, session->transport->socket->hostname);
448	if (!NT_STATUS_IS_OK(status)) {
449	DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
450	nt_errstr(status)));
451	return status;
452	}
453
454	status = gensec_set_target_service(session->gensec, "cifs");
455	if (!NT_STATUS_IS_OK(status)) {
456	DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
457	nt_errstr(status)));
458	return status;
459	}
460
461	if (session->transport->negotiate.secblob.length) {
462	chosen_oid = GENSEC_OID_SPNEGO;
463	status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
464	if (!NT_STATUS_IS_OK(status)) {
465	DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
466	gensec_get_name_by_oid(session->gensec, chosen_oid), nt_errstr(status)));
467	chosen_oid = GENSEC_OID_NTLMSSP;
468	status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
469	if (!NT_STATUS_IS_OK(status)) {
470	DEBUG(1, ("Failed to start set (fallback) GENSEC client mechanism %s: %s\n",
471	gensec_get_name_by_oid(session->gensec, chosen_oid),
472	nt_errstr(status)));
473	return status;
474	}
475	}
476	} else {
477	/* without a sec blob, means raw NTLMSSP */
478	chosen_oid = GENSEC_OID_NTLMSSP;
479	status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
480	if (!NT_STATUS_IS_OK(status)) {
481	DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
482	gensec_get_name_by_oid(session->gensec, chosen_oid), nt_errstr(status)));
483	}
484	}
485
486	if ((const void )chosen_oid == (const void )GENSEC_OID_SPNEGO) {
487	status = gensec_update(session->gensec, state,
488	session->transport->negotiate.secblob,
489	&state->setup.spnego.in.secblob);
490	} else {
491	status = gensec_update(session->gensec, state,
492	data_blob(NULL, 0),
493	&state->setup.spnego.in.secblob);
494
495	}
496
497	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
498	!NT_STATUS_IS_OK(status)) {
499	DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
500	gensec_get_name_by_oid(session->gensec, chosen_oid),
501	nt_errstr(status)));
502	return status;
503	}
504	state->gensec_status = status;
505
506	*req = smb_raw_sesssetup_send(session, &state->setup);
507	if (!*req) {
508	return NT_STATUS_NO_MEMORY;
509	}
510
511	/*
512	* we need to check the signature ourself
513	* as the session key might be the acceptor subkey
514	* which comes within the response itself
515	*/
516	(*req)->sign_caller_checks = true;
517
518	return (*req)->status;
519	}
520
521
522	/*
523	composite session setup function that hides the details of all the
524	different session setup varients, including the multi-pass nature of
525	the spnego varient
526	*/
527	struct composite_context smb_composite_sesssetup_send(struct smbcli_session session,
528	struct smb_composite_sesssetup *io)
529	{
530	struct composite_context *c;
531	struct sesssetup_state *state;
532	NTSTATUS status;
533
534	c = composite_create(session, session->transport->socket->event.ctx);
535	if (c == NULL) return NULL;
536
537	state = talloc_zero(c, struct sesssetup_state);
538	if (composite_nomem(state, c)) return c;
539	c->private_data = state;
540
541	state->io = io;
542
543	talloc_set_destructor(state, sesssetup_state_destructor);
544
545	/* no session setup at all in earliest protocol varients */
546	if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
547	ZERO_STRUCT(io->out);
548	composite_done(c);
549	return c;
550	}
551
552	/* see what session setup interface we will use */
553	if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
554	status = session_setup_old(c, session, io, &state->req);
555	} else if (!session->transport->options.use_spnego \|\|
556	!(io->in.capabilities & CAP_EXTENDED_SECURITY)) {
557	status = session_setup_nt1(c, session, io, &state->req);
558	} else {
559	status = session_setup_spnego(c, session, io, &state->req);
560	}
561
562	if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) \|\|
563	NT_STATUS_IS_OK(status)) {
564	composite_continue_smb(c, state->req, request_handler, c);
565	return c;
566	}
567
568	composite_error(c, status);
569	return c;
570	}
571
572
573	/*
574	receive a composite session setup reply
575	*/
576	NTSTATUS smb_composite_sesssetup_recv(struct composite_context *c)
577	{
578	NTSTATUS status;
579	status = composite_wait(c);
580	talloc_free(c);
581	return status;
582	}
583
584	/*
585	sync version of smb_composite_sesssetup
586	*/
587	NTSTATUS smb_composite_sesssetup(struct smbcli_session session, struct smb_composite_sesssetup io)
588	{
589	struct composite_context *c = smb_composite_sesssetup_send(session, io);
590	return smb_composite_sesssetup_recv(c);
591	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: