xref: /illumos-gate/usr/src/lib/libsmbfs/smb/ctx.c (revision 528737823843346cf95a4a701612f82089135554)
1 /*
2  * Copyright (c) 2000, Boris Popov
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *    This product includes software developed by Boris Popov.
16  * 4. Neither the name of the author nor the names of any co-contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  *
32  * $Id: ctx.c,v 1.32.70.2 2005/06/02 00:55:40 lindak Exp $
33  */
34 
35 /*
36  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
37  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
38  */
39 
40 #include <sys/param.h>
41 #include <sys/ioctl.h>
42 #include <sys/time.h>
43 #include <sys/mount.h>
44 #include <sys/types.h>
45 #include <sys/byteorder.h>
46 
47 #include <fcntl.h>
48 #include <ctype.h>
49 #include <errno.h>
50 #include <stdio.h>
51 #include <string.h>
52 #include <strings.h>
53 #include <stdlib.h>
54 #include <pwd.h>
55 #include <grp.h>
56 #include <unistd.h>
57 #include <libintl.h>
58 #include <assert.h>
59 #include <nss_dbdefs.h>
60 
61 #include <cflib.h>
62 #include <netsmb/smb_lib.h>
63 #include <netsmb/netbios.h>
64 #include <netsmb/nb_lib.h>
65 #include <netsmb/smb_dev.h>
66 
67 #include "charsets.h"
68 #include "private.h"
69 #include "ntlm.h"
70 
71 #ifndef FALSE
72 #define	FALSE	0
73 #endif
74 #ifndef TRUE
75 #define	TRUE	1
76 #endif
77 
78 #define	SMB_AT_DEFAULT	(SMB_AT_KRB5 | SMB_AT_NTLM2)
79 #define	SMB_AT_MINAUTH	(SMB_AT_KRB5 | SMB_AT_NTLM2 | SMB_AT_NTLM1)
80 
81 struct nv {
82 	char *name;
83 	int value;
84 };
85 
86 /* These two may be set by commands. */
87 int smb_debug, smb_verbose;
88 
89 /*
90  * Was: STDPARAM_OPT - see smb_ctx_scan_argv, smb_ctx_opt
91  */
92 const char smbutil_std_opts[] = "ABCD:E:I:L:M:NO:P:U:R:S:T:W:";
93 
94 /*
95  * Defaults for new contexts (connections to servers).
96  * These are set by smbfs_set_default_...
97  */
98 static char default_domain[SMBIOC_MAX_NAME];
99 static char default_user[SMBIOC_MAX_NAME];
100 
101 
102 /*
103  * Give the RPC library a callback hook that will be
104  * called whenever we destroy or reinit an smb_ctx_t.
105  * The name rpc_cleanup_smbctx() is legacy, and was
106  * originally a direct call into the RPC code.
107  */
108 static smb_ctx_close_hook_t close_hook;
109 static void
110 rpc_cleanup_smbctx(struct smb_ctx *ctx)
111 {
112 	if (close_hook)
113 		(*close_hook)(ctx);
114 }
115 void
116 smb_ctx_set_close_hook(smb_ctx_close_hook_t hook)
117 {
118 	close_hook = hook;
119 }
120 
121 void
122 dump_ctx_flags(int flags)
123 {
124 	printf(" Flags: ");
125 	if (flags == 0)
126 		printf("0");
127 	if (flags & SMBCF_NOPWD)
128 		printf("NOPWD ");
129 	if (flags & SMBCF_SRIGHTS)
130 		printf("SRIGHTS ");
131 	if (flags & SMBCF_LOCALE)
132 		printf("LOCALE ");
133 	if (flags & SMBCF_CMD_DOM)
134 		printf("CMD_DOM ");
135 	if (flags & SMBCF_CMD_USR)
136 		printf("CMD_USR ");
137 	if (flags & SMBCF_CMD_PW)
138 		printf("CMD_PW ");
139 	if (flags & SMBCF_RESOLVED)
140 		printf("RESOLVED ");
141 	if (flags & SMBCF_KCBAD)
142 		printf("KCBAD ");
143 	if (flags & SMBCF_KCFOUND)
144 		printf("KCFOUND ");
145 	if (flags & SMBCF_BROWSEOK)
146 		printf("BROWSEOK ");
147 	if (flags & SMBCF_AUTHREQ)
148 		printf("AUTHREQ ");
149 	if (flags & SMBCF_KCSAVE)
150 		printf("KCSAVE  ");
151 	if (flags & SMBCF_KCDOMAIN)
152 		printf("KCDOMAIN ");
153 	printf("\n");
154 }
155 
156 void
157 dump_iod_ssn(smb_iod_ssn_t *is)
158 {
159 	static const char zeros[NTLM_HASH_SZ] = {0};
160 	struct smbioc_ossn *ssn = &is->iod_ossn;
161 
162 	printf(" ct_srvname=\"%s\", ", ssn->ssn_srvname);
163 	dump_sockaddr(&ssn->ssn_srvaddr.sa);
164 	printf(" dom=\"%s\", user=\"%s\"\n",
165 	    ssn->ssn_domain, ssn->ssn_user);
166 	printf(" ct_vopt=0x%x, ct_owner=%d\n",
167 	    ssn->ssn_vopt, ssn->ssn_owner);
168 	printf(" ct_minver=0x%x, ct_maxver=0x%x\n",
169 	    ssn->ssn_minver, ssn->ssn_maxver);
170 	printf(" ct_authflags=0x%x\n", is->iod_authflags);
171 
172 	printf(" ct_nthash:");
173 	if (bcmp(zeros, &is->iod_nthash, NTLM_HASH_SZ))
174 		smb_hexdump(&is->iod_nthash, NTLM_HASH_SZ);
175 	else
176 		printf(" {0}\n");
177 
178 	printf(" ct_lmhash:");
179 	if (bcmp(zeros, &is->iod_lmhash, NTLM_HASH_SZ))
180 		smb_hexdump(&is->iod_lmhash, NTLM_HASH_SZ);
181 	else
182 		printf(" {0}\n");
183 }
184 
185 void
186 dump_ctx(char *where, struct smb_ctx *ctx)
187 {
188 	printf("context %s:\n", where);
189 	dump_ctx_flags(ctx->ct_flags);
190 
191 	if (ctx->ct_locname)
192 		printf(" localname=\"%s\"", ctx->ct_locname);
193 	else
194 		printf(" localname=NULL");
195 
196 	if (ctx->ct_fullserver)
197 		printf(" fullserver=\"%s\"", ctx->ct_fullserver);
198 	else
199 		printf(" fullserver=NULL");
200 
201 	if (ctx->ct_srvaddr_s)
202 		printf(" srvaddr_s=\"%s\"\n", ctx->ct_srvaddr_s);
203 	else
204 		printf(" srvaddr_s=NULL\n");
205 
206 	if (ctx->ct_addrinfo)
207 		dump_addrinfo(ctx->ct_addrinfo);
208 	else
209 		printf(" ct_addrinfo = NULL\n");
210 
211 	dump_iod_ssn(&ctx->ct_iod_ssn);
212 
213 	printf(" share_name=\"%s\", share_type=%d\n",
214 	    ctx->ct_origshare ? ctx->ct_origshare : "",
215 	    ctx->ct_shtype_req);
216 
217 	printf(" ct_home=\"%s\"\n", ctx->ct_home);
218 	printf(" ct_rpath=\"%s\"\n", ctx->ct_rpath);
219 }
220 
221 int
222 smb_ctx_alloc(struct smb_ctx **ctx_pp)
223 {
224 	smb_ctx_t *ctx;
225 	int err;
226 
227 	ctx = malloc(sizeof (*ctx));
228 	if (ctx == NULL)
229 		return (ENOMEM);
230 	err = smb_ctx_init(ctx);
231 	if (err != 0) {
232 		free(ctx);
233 		return (err);
234 	}
235 	*ctx_pp = ctx;
236 	return (0);
237 }
238 
239 /*
240  * Initialize an smb_ctx struct (defaults)
241  */
242 int
243 smb_ctx_init(struct smb_ctx *ctx)
244 {
245 	int error;
246 
247 	bzero(ctx, sizeof (*ctx));
248 
249 	error = nb_ctx_create(&ctx->ct_nb);
250 	if (error)
251 		return (error);
252 
253 	ctx->ct_dev_fd = -1;
254 	ctx->ct_door_fd = -1;
255 	ctx->ct_parsedlevel = SMBL_NONE;
256 	ctx->ct_minlevel = SMBL_NONE;
257 	ctx->ct_maxlevel = SMBL_PATH;
258 
259 	/* Fill in defaults */
260 	ctx->ct_vopt = SMBVOPT_SIGNING_ENABLED;
261 	ctx->ct_owner = SMBM_ANY_OWNER;
262 	ctx->ct_authflags = SMB_AT_DEFAULT;
263 	ctx->ct_minauth = SMB_AT_MINAUTH;
264 	ctx->ct_maxver = SMB2_DIALECT_MAX;
265 
266 	/*
267 	 * Default domain, user, ...
268 	 */
269 	strlcpy(ctx->ct_domain, default_domain,
270 	    sizeof (ctx->ct_domain));
271 	strlcpy(ctx->ct_user, default_user,
272 	    sizeof (ctx->ct_user));
273 
274 	return (0);
275 }
276 
277 /*
278  * "Scan" the command line args to find the server name,
279  * user name, and share name, as needed.  We need these
280  * before reading the RC files and/or sharectl values.
281  *
282  * The sequence for getting all the members filled in
283  * has some tricky aspects.  Here's how it works:
284  *
285  * The search order for options is as follows:
286  *   command line options
287  *   values parsed from UNC path (cmd)
288  *   values from RC file (per-user)
289  *   values from SMF (system-wide)
290  *   built-in defaults
291  *
292  * Normally, one would simply get all the values starting with
293  * the bottom of the above list and working to the top, and
294  * overwriting values as you go.  But we need an exception.
295  *
296  * In this function, we parse the UNC path and command line options,
297  * because we need (at least) the server name when we're getting the
298  * SMF and RC file values.  However, values we get from the command
299  * should not be overwritten by SMF or RC file parsing, so we mark
300  * values from the command as "from CMD" and the RC file parser
301  * leaves in place any values so marked.  See: SMBCF_CMD_*
302  *
303  * The semantics of these flags are: "This value came from the
304  * current command instance, not from sources that may apply to
305  * multiple commands."  (Different from the old "FROMUSR" flag.)
306  *
307  * Note that smb_ctx_opt() is called later to handle the
308  * remaining options, which should be ignored here.
309  * The (magic) leading ":" in cf_getopt() makes it
310  * ignore options not in the options string.
311  */
312 int
313 smb_ctx_scan_argv(struct smb_ctx *ctx, int argc, char **argv,
314 	int minlevel, int maxlevel, int sharetype)
315 {
316 	int  ind, opt, error = 0;
317 	int aflg = 0, uflg = 0;
318 	const char *arg;
319 
320 	/*
321 	 * Parse options, if any.  Values from here too
322 	 * are marked as "from CMD".
323 	 */
324 	if (argv == NULL)
325 		return (0);
326 
327 	ctx->ct_minlevel = minlevel;
328 	ctx->ct_maxlevel = maxlevel;
329 	ctx->ct_shtype_req = sharetype;
330 
331 	cf_opt_lock();
332 	/* Careful: no return/goto before cf_opt_unlock! */
333 	while (error == 0) {
334 		/*
335 		 * Leading ':' tells this to skip unknown opts.
336 		 * Just get -A and -U here so we know the user
337 		 * for config file parsing.
338 		 */
339 		opt = cf_getopt(argc, argv, ":AU:");
340 		if (opt == -1)
341 			break;
342 		arg = cf_optarg;
343 		/* NB: handle most in smb_ctx_opt */
344 		switch (opt) {
345 		case 'A':
346 			aflg = 1;
347 			error = smb_ctx_setuser(ctx, "", TRUE);
348 			ctx->ct_flags |= SMBCF_NOPWD;
349 			break;
350 		case 'U':
351 			uflg = 1;
352 			error = smb_ctx_setuser(ctx, arg, TRUE);
353 			break;
354 		default:
355 			DPRINT("skip opt=%c", opt);
356 			break;
357 		}
358 	}
359 	ind = cf_optind;
360 	arg = argv[ind];
361 	cf_optind = cf_optreset = 1;
362 	cf_opt_unlock();
363 
364 	if (error)
365 		return (error);
366 
367 	if (aflg && uflg)  {
368 		printf(gettext("-A and -U flags are exclusive.\n"));
369 		return (EINVAL);
370 	}
371 
372 	/*
373 	 * Parse the UNC path.  Values from here are
374 	 * marked as "from CMD".
375 	 */
376 	for (; ind < argc; ind++) {
377 		arg = argv[ind];
378 		if (strncmp(arg, "//", 2) != 0)
379 			continue;
380 		error = smb_ctx_parseunc(ctx, arg,
381 		    minlevel, maxlevel, sharetype, &arg);
382 		if (error)
383 			return (error);
384 		break;
385 	}
386 
387 	return (error);
388 }
389 
390 void
391 smb_ctx_free(smb_ctx_t *ctx)
392 {
393 	smb_ctx_done(ctx);
394 	free(ctx);
395 }
396 
397 void
398 smb_ctx_done(struct smb_ctx *ctx)
399 {
400 
401 	rpc_cleanup_smbctx(ctx);
402 
403 	if (ctx->ct_dev_fd != -1) {
404 		nsmb_close(ctx->ct_dev_fd);
405 		ctx->ct_dev_fd = -1;
406 	}
407 	if (ctx->ct_door_fd != -1) {
408 		close(ctx->ct_door_fd);
409 		ctx->ct_door_fd = -1;
410 	}
411 	if (ctx->ct_srvaddr_s) {
412 		free(ctx->ct_srvaddr_s);
413 		ctx->ct_srvaddr_s = NULL;
414 	}
415 	if (ctx->ct_nb) {
416 		nb_ctx_done(ctx->ct_nb);
417 		ctx->ct_nb = NULL;
418 	}
419 	if (ctx->ct_locname) {
420 		free(ctx->ct_locname);
421 		ctx->ct_locname = NULL;
422 	}
423 	if (ctx->ct_origshare) {
424 		free(ctx->ct_origshare);
425 		ctx->ct_origshare = NULL;
426 	}
427 	if (ctx->ct_fullserver) {
428 		free(ctx->ct_fullserver);
429 		ctx->ct_fullserver = NULL;
430 	}
431 	if (ctx->ct_addrinfo) {
432 		freeaddrinfo(ctx->ct_addrinfo);
433 		ctx->ct_addrinfo = NULL;
434 	}
435 	if (ctx->ct_home) {
436 		free(ctx->ct_home);
437 		ctx->ct_home = NULL;
438 	}
439 	if (ctx->ct_rpath) {
440 		free(ctx->ct_rpath);
441 		ctx->ct_rpath = NULL;
442 	}
443 	if (ctx->ct_ssnkey_buf) {
444 		free(ctx->ct_ssnkey_buf);
445 		ctx->ct_ssnkey_buf = NULL;
446 	}
447 }
448 
449 /*
450  * Parse the UNC path.  Here we expect something like
451  *   "//[[domain;]user[:password]@]host[/share[/path]]"
452  * See http://ietf.org/internet-drafts/draft-crhertel-smb-url-07.txt
453  * Values found here are marked as "from CMD".
454  */
455 int
456 smb_ctx_parseunc(struct smb_ctx *ctx, const char *unc,
457 	int minlevel, int maxlevel, int sharetype,
458 	const char **next)
459 {
460 	char tmp[1024];
461 	char *host, *share, *path;
462 	char *dom, *usr, *pw, *p;
463 	int error;
464 
465 	/*
466 	 * This may be called outside of _scan_argv,
467 	 * so make sure these get initialized.
468 	 */
469 	ctx->ct_minlevel = minlevel;
470 	ctx->ct_maxlevel = maxlevel;
471 	ctx->ct_shtype_req = sharetype;
472 	ctx->ct_parsedlevel = SMBL_NONE;
473 
474 	dom = usr = pw = host = NULL;
475 
476 	/* Work on a temporary copy, fix back slashes. */
477 	strlcpy(tmp, unc, sizeof (tmp));
478 	for (p = tmp; *p; p++)
479 		if (*p == '\\')
480 			*p = '/';
481 
482 	if (tmp[0] != '/' || tmp[1] != '/') {
483 		smb_error(dgettext(TEXT_DOMAIN,
484 		    "UNC should start with '//'"), 0);
485 		error = EINVAL;
486 		goto out;
487 	}
488 	p = tmp + 2;	/* user@host... */
489 
490 	/* Find the share part, if any. */
491 	share = strchr(p, '/');
492 	if (share)
493 		*share = '\0';
494 	(void) unpercent(p);	/* host component */
495 
496 	/*
497 	 * Parse the "host" stuff right to left:
498 	 * 1: trailing "@hostname" (or whole field)
499 	 * 2: trailing ":password"
500 	 * 3: trailing "domain;user" (or just user)
501 	 */
502 	host = strrchr(p, '@');
503 	if (host == NULL) {
504 		host = p;	/* no user@ prefix */
505 	} else {
506 		*host++ = '\0';
507 
508 		/* may have [[domain;]user[:passwd]] */
509 		pw = strchr(p, ':');
510 		if (pw)
511 			*pw++ = '\0';
512 		usr = strchr(p, ';');
513 		if (usr) {
514 			*usr++ = '\0';
515 			dom = p;
516 		} else
517 			usr = p;
518 	}
519 
520 	if (*host == '\0') {
521 		smb_error(dgettext(TEXT_DOMAIN, "empty server name"), 0);
522 		error = EINVAL;
523 		goto out;
524 	}
525 	error = smb_ctx_setfullserver(ctx, host);
526 	if (error)
527 		goto out;
528 	ctx->ct_parsedlevel = SMBL_VC;
529 
530 	if (dom != NULL) {
531 		error = smb_ctx_setdomain(ctx, dom, TRUE);
532 		if (error)
533 			goto out;
534 	}
535 	if (usr != NULL) {
536 		if (*usr == '\0') {
537 			smb_error(dgettext(TEXT_DOMAIN,
538 			    "empty user name"), 0);
539 			error = EINVAL;
540 			goto out;
541 		}
542 		if (ctx->ct_maxlevel < SMBL_VC) {
543 			smb_error(dgettext(TEXT_DOMAIN,
544 			    "no user name required"), 0);
545 			error = EINVAL;
546 			goto out;
547 		}
548 		error = smb_ctx_setuser(ctx, usr, TRUE);
549 		if (error)
550 			goto out;
551 	}
552 	if (pw != NULL) {
553 		error = smb_ctx_setpassword(ctx, pw, TRUE);
554 		if (error)
555 			goto out;
556 	}
557 
558 	if (share != NULL) {
559 		/* restore the slash */
560 		*share = '/';
561 		p = share + 1;
562 
563 		/* Find the path part, if any. */
564 		path = strchr(p, '/');
565 		if (path)
566 			*path = '\0';
567 		(void) unpercent(p);	/* share component */
568 
569 		if (*p == '\0') {
570 			smb_error(dgettext(TEXT_DOMAIN,
571 			    "empty share name"), 0);
572 			error = EINVAL;
573 			goto out;
574 		}
575 		if (ctx->ct_maxlevel < SMBL_SHARE) {
576 			smb_error(dgettext(TEXT_DOMAIN,
577 			    "no share name required"), 0);
578 			error = EINVAL;
579 			goto out;
580 		}
581 
582 		/*
583 		 * Special case UNC names like:
584 		 *	//host/PIPE/endpoint
585 		 * to have share: IPC$
586 		 */
587 		if (strcasecmp(p, "PIPE") == 0) {
588 			sharetype = USE_IPC;
589 			p = "IPC$";
590 		}
591 		error = smb_ctx_setshare(ctx, p, sharetype);
592 		if (error)
593 			goto out;
594 		ctx->ct_parsedlevel = SMBL_SHARE;
595 
596 		if (path) {
597 			/* restore the slash */
598 			*path = '/';
599 			p = path + 1;
600 			(void) unpercent(p);	/* remainder */
601 			free(ctx->ct_rpath);
602 			ctx->ct_rpath = strdup(path);
603 		}
604 	} else if (ctx->ct_minlevel >= SMBL_SHARE) {
605 		smb_error(dgettext(TEXT_DOMAIN, "empty share name"), 0);
606 		error = EINVAL;
607 		goto out;
608 	}
609 
610 	if (next)
611 		*next = NULL;
612 
613 out:
614 	if (error == 0 && smb_debug > 0)
615 		dump_ctx("after smb_ctx_parseunc", ctx);
616 
617 	return (error);
618 }
619 
620 #ifdef KICONV_SUPPORT
621 int
622 smb_ctx_setcharset(struct smb_ctx *ctx, const char *arg)
623 {
624 	char *cp, *servercs, *localcs;
625 	int cslen = sizeof (ctx->ct_ssn.ioc_localcs);
626 	int scslen, lcslen, error;
627 
628 	cp = strchr(arg, ':');
629 	lcslen = cp ? (cp - arg) : 0;
630 	if (lcslen == 0 || lcslen >= cslen) {
631 		smb_error(dgettext(TEXT_DOMAIN,
632 		    "invalid local charset specification (%s)"), 0, arg);
633 		return (EINVAL);
634 	}
635 	scslen = (size_t)strlen(++cp);
636 	if (scslen == 0 || scslen >= cslen) {
637 		smb_error(dgettext(TEXT_DOMAIN,
638 		    "invalid server charset specification (%s)"), 0, arg);
639 		return (EINVAL);
640 	}
641 	localcs = memcpy(ctx->ct_ssn.ioc_localcs, arg, lcslen);
642 	localcs[lcslen] = 0;
643 	servercs = strcpy(ctx->ct_ssn.ioc_servercs, cp);
644 	error = nls_setrecode(localcs, servercs);
645 	if (error == 0)
646 		return (0);
647 	smb_error(dgettext(TEXT_DOMAIN,
648 	    "can't initialize iconv support (%s:%s)"),
649 	    error, localcs, servercs);
650 	localcs[0] = 0;
651 	servercs[0] = 0;
652 	return (error);
653 }
654 #endif /* KICONV_SUPPORT */
655 
656 int
657 smb_ctx_setauthflags(struct smb_ctx *ctx, int flags)
658 {
659 	ctx->ct_authflags = flags;
660 	return (0);
661 }
662 
663 int
664 smb_ctx_setfullserver(struct smb_ctx *ctx, const char *name)
665 {
666 	char *p = strdup(name);
667 
668 	if (p == NULL)
669 		return (ENOMEM);
670 	if (ctx->ct_fullserver)
671 		free(ctx->ct_fullserver);
672 	ctx->ct_fullserver = p;
673 	return (0);
674 }
675 
676 int
677 smb_ctx_setserver(struct smb_ctx *ctx, const char *name)
678 {
679 	strlcpy(ctx->ct_srvname, name,
680 	    sizeof (ctx->ct_srvname));
681 	return (0);
682 }
683 
684 int
685 smb_ctx_setuser(struct smb_ctx *ctx, const char *name, int from_cmd)
686 {
687 
688 	if (strlen(name) >= sizeof (ctx->ct_user)) {
689 		smb_error(dgettext(TEXT_DOMAIN,
690 		    "user name '%s' too long"), 0, name);
691 		return (ENAMETOOLONG);
692 	}
693 
694 	/*
695 	 * Don't overwrite a value from the command line
696 	 * with one from anywhere else.
697 	 */
698 	if (!from_cmd && (ctx->ct_flags & SMBCF_CMD_USR))
699 		return (0);
700 
701 	strlcpy(ctx->ct_user, name,
702 	    sizeof (ctx->ct_user));
703 
704 	/* Mark this as "from the command line". */
705 	if (from_cmd)
706 		ctx->ct_flags |= SMBCF_CMD_USR;
707 
708 	return (0);
709 }
710 
711 /*
712  * Don't overwrite a domain name from the
713  * command line with one from anywhere else.
714  * See smb_ctx_init() for notes about this.
715  */
716 int
717 smb_ctx_setdomain(struct smb_ctx *ctx, const char *name, int from_cmd)
718 {
719 
720 	if (strlen(name) >= sizeof (ctx->ct_domain)) {
721 		smb_error(dgettext(TEXT_DOMAIN,
722 		    "workgroup name '%s' too long"), 0, name);
723 		return (ENAMETOOLONG);
724 	}
725 
726 	/*
727 	 * Don't overwrite a value from the command line
728 	 * with one from anywhere else.
729 	 */
730 	if (!from_cmd && (ctx->ct_flags & SMBCF_CMD_DOM))
731 		return (0);
732 
733 	strlcpy(ctx->ct_domain, name,
734 	    sizeof (ctx->ct_domain));
735 
736 	/* Mark this as "from the command line". */
737 	if (from_cmd)
738 		ctx->ct_flags |= SMBCF_CMD_DOM;
739 
740 	return (0);
741 }
742 
743 int
744 smb_ctx_setpassword(struct smb_ctx *ctx, const char *passwd, int from_cmd)
745 {
746 	int err;
747 
748 	if (passwd == NULL)
749 		return (EINVAL);
750 	if (strlen(passwd) >= sizeof (ctx->ct_password)) {
751 		smb_error(dgettext(TEXT_DOMAIN, "password too long"), 0);
752 		return (ENAMETOOLONG);
753 	}
754 
755 	/*
756 	 * If called again after comand line parsing,
757 	 * don't overwrite a value from the command line
758 	 * with one from any stored config.
759 	 */
760 	if (!from_cmd && (ctx->ct_flags & SMBCF_CMD_PW))
761 		return (0);
762 
763 	memset(ctx->ct_password, 0, sizeof (ctx->ct_password));
764 	if (strncmp(passwd, "$$1", 3) == 0)
765 		(void) smb_simpledecrypt(ctx->ct_password, passwd);
766 	else
767 		strlcpy(ctx->ct_password, passwd,
768 		    sizeof (ctx->ct_password));
769 
770 	/*
771 	 * Compute LM hash, NT hash.
772 	 */
773 	if (ctx->ct_password[0]) {
774 		err = ntlm_compute_nt_hash(ctx->ct_nthash, ctx->ct_password);
775 		if (err != 0)
776 			return (err);
777 		err = ntlm_compute_lm_hash(ctx->ct_lmhash, ctx->ct_password);
778 		if (err != 0)
779 			return (err);
780 	}
781 
782 	/* Mark this as "from the command line". */
783 	if (from_cmd)
784 		ctx->ct_flags |= SMBCF_CMD_PW;
785 
786 	return (0);
787 }
788 
789 /*
790  * Use this to set NTLM auth. info (hashes)
791  * when we don't have the password.
792  */
793 int
794 smb_ctx_setpwhash(smb_ctx_t *ctx,
795     const uchar_t *nthash, const uchar_t *lmhash)
796 {
797 
798 	/* Need ct_password to be non-null. */
799 	if (ctx->ct_password[0] == '\0')
800 		strlcpy(ctx->ct_password, "$HASH",
801 		    sizeof (ctx->ct_password));
802 
803 	/*
804 	 * Compute LM hash, NT hash.
805 	 */
806 	memcpy(ctx->ct_nthash, nthash, NTLM_HASH_SZ);
807 
808 	/* The LM hash is optional */
809 	if (lmhash) {
810 		memcpy(ctx->ct_nthash, nthash, NTLM_HASH_SZ);
811 	}
812 
813 	return (0);
814 }
815 
816 int
817 smb_ctx_setshare(struct smb_ctx *ctx, const char *share, int stype)
818 {
819 	if (strlen(share) >= SMBIOC_MAX_NAME) {
820 		smb_error(dgettext(TEXT_DOMAIN,
821 		    "share name '%s' too long"), 0, share);
822 		return (ENAMETOOLONG);
823 	}
824 	if (ctx->ct_origshare)
825 		free(ctx->ct_origshare);
826 	if ((ctx->ct_origshare = strdup(share)) == NULL)
827 		return (ENOMEM);
828 
829 	ctx->ct_shtype_req = stype;
830 
831 	return (0);
832 }
833 
834 int
835 smb_ctx_setsrvaddr(struct smb_ctx *ctx, const char *addr)
836 {
837 	if (addr == NULL || addr[0] == 0)
838 		return (EINVAL);
839 	if (ctx->ct_srvaddr_s)
840 		free(ctx->ct_srvaddr_s);
841 	if ((ctx->ct_srvaddr_s = strdup(addr)) == NULL)
842 		return (ENOMEM);
843 	return (0);
844 }
845 
846 /*
847  * API for library caller to set signing enabled, required
848  * Note: if not enable, ignore require
849  */
850 int
851 smb_ctx_setsigning(struct smb_ctx *ctx, int enable, int require)
852 {
853 	ctx->ct_vopt &= ~SMBVOPT_SIGNING_MASK;
854 	if (enable) {
855 		ctx->ct_vopt |=	SMBVOPT_SIGNING_ENABLED;
856 		if (require)
857 			ctx->ct_vopt |=	SMBVOPT_SIGNING_REQUIRED;
858 	}
859 	return (0);
860 }
861 
862 /*
863  * Handle .nsmbrc "minver" option.
864  * Must be <= maxver
865  */
866 int
867 smb_ctx_setminver(struct smb_ctx *ctx, int ver)
868 {
869 	if (ver < 0 || ver > ctx->ct_maxver)
870 		return (EINVAL);
871 	ctx->ct_minver = (uint16_t)ver;
872 	return (0);
873 }
874 
875 /*
876  * Handle .nsmbrc "maxver" option.
877  * Must be >= minver
878  *
879  * Any "too high" value is just clamped, so the caller
880  * doesn't need to know what's the highest we support.
881  */
882 int
883 smb_ctx_setmaxver(struct smb_ctx *ctx, int ver)
884 {
885 	if (ver < 1 || ver < ctx->ct_minver)
886 		return (EINVAL);
887 	if (ver > SMB2_DIALECT_MAX)
888 		ver = SMB2_DIALECT_MAX;
889 	ctx->ct_maxver = (uint16_t)ver;
890 	return (0);
891 }
892 
893 static int
894 smb_parse_owner(char *pair, uid_t *uid, gid_t *gid)
895 {
896 	struct group gr;
897 	struct passwd pw;
898 	char buf[NSS_BUFLEN_PASSWD];
899 	char *cp;
900 
901 	cp = strchr(pair, ':');
902 	if (cp) {
903 		*cp++ = '\0';
904 		if (*cp && gid) {
905 			if (getgrnam_r(cp, &gr, buf, sizeof (buf)) != NULL) {
906 				*gid = gr.gr_gid;
907 			} else
908 				smb_error(dgettext(TEXT_DOMAIN,
909 				    "Invalid group name %s, ignored"), 0, cp);
910 		}
911 	}
912 	if (*pair) {
913 		if (getpwnam_r(pair, &pw, buf, sizeof (buf)) != NULL) {
914 			*uid = pw.pw_uid;
915 		} else
916 			smb_error(dgettext(TEXT_DOMAIN,
917 			    "Invalid user name %s, ignored"), 0, pair);
918 	}
919 
920 	return (0);
921 }
922 
923 /*
924  * Suport a securty options arg, i.e. -S lm,ntlm
925  * for testing various type of authenticators.
926  */
927 static struct nv
928 sectype_table[] = {
929 	{ "anon",	SMB_AT_ANON },
930 	{ "lm",		SMB_AT_LM1 },
931 	{ "ntlm",	SMB_AT_NTLM1 },
932 	{ "ntlm2",	SMB_AT_NTLM2 },
933 	{ "krb5",	SMB_AT_KRB5 },
934 	{ NULL,		0 },
935 };
936 int
937 smb_parse_secopts(struct smb_ctx *ctx, const char *arg)
938 {
939 	const char *sep = ":;,";
940 	const char *p = arg;
941 	struct nv *nv;
942 	int nlen, tlen;
943 	int authflags = 0;
944 
945 	for (;;) {
946 		/* skip separators */
947 		tlen = strspn(p, sep);
948 		p += tlen;
949 
950 		nlen = strcspn(p, sep);
951 		if (nlen == 0)
952 			break;
953 
954 		/* This is rarely called, so not optimized. */
955 		for (nv = sectype_table; nv->name; nv++) {
956 			tlen = strlen(nv->name);
957 			if (tlen == nlen && 0 == strncmp(p, nv->name, tlen))
958 				break;
959 		}
960 		if (nv->name == NULL) {
961 			smb_error(dgettext(TEXT_DOMAIN,
962 			    "%s: invalid security options"), 0, p);
963 			return (EINVAL);
964 		}
965 		authflags |= nv->value;
966 		p += nlen;
967 	}
968 
969 	if (authflags)
970 		ctx->ct_authflags = authflags;
971 
972 	return (0);
973 }
974 
975 /*
976  * Commands use this with getopt.  See:
977  *   STDPARAM_OPT, STDPARAM_ARGS
978  * Called after smb_ctx_readrc().
979  */
980 int
981 smb_ctx_opt(struct smb_ctx *ctx, int opt, const char *arg)
982 {
983 	int error = 0;
984 	char *p, *cp;
985 	char tmp[1024];
986 
987 	switch (opt) {
988 	case 'A':
989 	case 'U':
990 		/* Handled in smb_ctx_init() */
991 		break;
992 	case 'I':
993 		error = smb_ctx_setsrvaddr(ctx, arg);
994 		break;
995 	case 'M':
996 		/* share connect rights - ignored */
997 		ctx->ct_flags |= SMBCF_SRIGHTS;
998 		break;
999 	case 'N':
1000 		ctx->ct_flags |= SMBCF_NOPWD;
1001 		break;
1002 	case 'O':
1003 		p = strdup(arg);
1004 		cp = strchr(p, '/');
1005 		if (cp)
1006 			*cp = '\0';
1007 		error = smb_parse_owner(cp, &ctx->ct_owner, NULL);
1008 		free(p);
1009 		break;
1010 	case 'P':
1011 /*		ctx->ct_vopt |= SMBCOPT_PERMANENT; */
1012 		break;
1013 	case 'R':
1014 		/* retry count - ignored */
1015 		break;
1016 	case 'S':
1017 		/* Security options (undocumented, just for tests) */
1018 		error = smb_parse_secopts(ctx, arg);
1019 		break;
1020 	case 'T':
1021 		/* timeout - ignored */
1022 		break;
1023 	case 'D':	/* domain */
1024 	case 'W':	/* workgroup (legacy alias) */
1025 		error = smb_ctx_setdomain(ctx, tmp, TRUE);
1026 		break;
1027 	}
1028 	return (error);
1029 }
1030 
1031 
1032 /*
1033  * Original code injected iconv tables into the kernel.
1034  * Not sure if we'll need this or not...  REVISIT
1035  */
1036 #ifdef KICONV_SUPPORT
1037 static int
1038 smb_addiconvtbl(const char *to, const char *from, const uchar_t *tbl)
1039 {
1040 	int error = 0;
1041 
1042 	error = kiconv_add_xlat_table(to, from, tbl);
1043 	if (error && error != EEXIST) {
1044 		smb_error(dgettext(TEXT_DOMAIN,
1045 		    "can not setup kernel iconv table (%s:%s)"),
1046 		    error, from, to);
1047 		return (error);
1048 	}
1049 	return (error);
1050 }
1051 #endif	/* KICONV_SUPPORT */
1052 
1053 /*
1054  * Verify context info. before connect operation(s),
1055  * lookup specified server and try to fill all forgotten fields.
1056  * Legacy name used by commands.
1057  */
1058 int
1059 smb_ctx_resolve(struct smb_ctx *ctx)
1060 {
1061 	struct smbioc_ossn *ssn = &ctx->ct_ssn;
1062 	int error = 0;
1063 #ifdef KICONV_SUPPORT
1064 	uchar_t cstbl[256];
1065 	uint_t i;
1066 #endif
1067 
1068 	if (smb_debug)
1069 		dump_ctx("before smb_ctx_resolve", ctx);
1070 
1071 	ctx->ct_flags &= ~SMBCF_RESOLVED;
1072 
1073 	if (ctx->ct_fullserver == NULL) {
1074 		smb_error(dgettext(TEXT_DOMAIN,
1075 		    "no server name specified"), 0);
1076 		return (EINVAL);
1077 	}
1078 
1079 	if (ctx->ct_minlevel >= SMBL_SHARE &&
1080 	    ctx->ct_origshare == NULL) {
1081 		smb_error(dgettext(TEXT_DOMAIN,
1082 		    "no share name specified for %s@%s"),
1083 		    0, ssn->ssn_user, ctx->ct_fullserver);
1084 		return (EINVAL);
1085 	}
1086 	error = nb_ctx_resolve(ctx->ct_nb);
1087 	if (error)
1088 		return (error);
1089 #ifdef KICONV_SUPPORT
1090 	if (ssn->ioc_localcs[0] == 0)
1091 		strcpy(ssn->ioc_localcs, "default");	/* XXX: locale name ? */
1092 	error = smb_addiconvtbl("tolower", ssn->ioc_localcs, nls_lower);
1093 	if (error)
1094 		return (error);
1095 	error = smb_addiconvtbl("toupper", ssn->ioc_localcs, nls_upper);
1096 	if (error)
1097 		return (error);
1098 	if (ssn->ioc_servercs[0] != 0) {
1099 		for (i = 0; i < sizeof (cstbl); i++)
1100 			cstbl[i] = i;
1101 		nls_mem_toext(cstbl, cstbl, sizeof (cstbl));
1102 		error = smb_addiconvtbl(ssn->ioc_servercs, ssn->ioc_localcs,
1103 		    cstbl);
1104 		if (error)
1105 			return (error);
1106 		for (i = 0; i < sizeof (cstbl); i++)
1107 			cstbl[i] = i;
1108 		nls_mem_toloc(cstbl, cstbl, sizeof (cstbl));
1109 		error = smb_addiconvtbl(ssn->ioc_localcs, ssn->ioc_servercs,
1110 		    cstbl);
1111 		if (error)
1112 			return (error);
1113 	}
1114 #endif	/* KICONV_SUPPORT */
1115 
1116 	/*
1117 	 * Lookup the IP address and fill in ct_addrinfo.
1118 	 *
1119 	 * Note: smb_ctx_getaddr() returns a EAI_xxx
1120 	 * error value like getaddrinfo(3), but this
1121 	 * function needs to return an errno value.
1122 	 */
1123 	error = smb_ctx_getaddr(ctx);
1124 	if (error) {
1125 		const char *ais = gai_strerror(error);
1126 		smb_error(dgettext(TEXT_DOMAIN,
1127 		    "can't resolve name\"%s\", %s"),
1128 		    0, ctx->ct_fullserver, ais);
1129 		return (ENODATA);
1130 	}
1131 	assert(ctx->ct_addrinfo != NULL);
1132 
1133 	/*
1134 	 * Empty user name means an explicit request for
1135 	 * NULL session setup, which is a special case.
1136 	 * (No SMB signing, per [MS-SMB] 3.3.5.3)
1137 	 */
1138 	if (ctx->ct_user[0] == '\0') {
1139 		/* Null user should have null domain too. */
1140 		ctx->ct_domain[0] = '\0';
1141 		ctx->ct_authflags = SMB_AT_ANON;
1142 		ctx->ct_vopt |= SMBVOPT_ANONYMOUS;
1143 		ctx->ct_vopt &= ~SMBVOPT_SIGNING_REQUIRED;
1144 	}
1145 
1146 	/*
1147 	 * If we have a user name but no password,
1148 	 * check for a keychain entry.
1149 	 * XXX: Only for auth NTLM?
1150 	 */
1151 	if (ctx->ct_user[0] != '\0') {
1152 		/*
1153 		 * Have a user name.
1154 		 * If we don't have a p/w yet,
1155 		 * try the keychain.
1156 		 */
1157 		if (ctx->ct_password[0] == '\0' &&
1158 		    smb_get_keychain(ctx) == 0) {
1159 			strlcpy(ctx->ct_password, "$HASH",
1160 			    sizeof (ctx->ct_password));
1161 		}
1162 
1163 		/*
1164 		 * Mask out disallowed auth types.
1165 		 */
1166 		ctx->ct_authflags &= ctx->ct_minauth;
1167 	}
1168 
1169 	if (ctx->ct_authflags == 0) {
1170 		smb_error(dgettext(TEXT_DOMAIN,
1171 		    "no valid auth. types"), 0);
1172 		return (ENOTSUP);
1173 	}
1174 
1175 	ctx->ct_flags |= SMBCF_RESOLVED;
1176 	if (smb_debug)
1177 		dump_ctx("after smb_ctx_resolve", ctx);
1178 
1179 	return (0);
1180 }
1181 
1182 /*
1183  * Note: The next three have NODIRECT binding so the
1184  * "fksmbcl" development tool can provide its own.
1185  */
1186 int
1187 smb_open_driver()
1188 {
1189 	int fd;
1190 
1191 	fd = open("/dev/"NSMB_NAME, O_RDWR);
1192 	if (fd < 0) {
1193 		return (-1);
1194 	}
1195 
1196 	/* This handle controls per-process resources. */
1197 	(void) fcntl(fd, F_SETFD, FD_CLOEXEC);
1198 
1199 	return (fd);
1200 }
1201 
1202 int
1203 nsmb_close(int fd)
1204 {
1205 	return (close(fd));
1206 }
1207 
1208 int
1209 nsmb_ioctl(int fd, int cmd, void *arg)
1210 {
1211 	return (ioctl(fd, cmd, arg));
1212 }
1213 
1214 
1215 int
1216 smb_ctx_gethandle(struct smb_ctx *ctx)
1217 {
1218 	int fd, err;
1219 	uint32_t version;
1220 
1221 	if (ctx->ct_dev_fd != -1) {
1222 		rpc_cleanup_smbctx(ctx);
1223 		nsmb_close(ctx->ct_dev_fd);
1224 		ctx->ct_dev_fd = -1;
1225 	}
1226 
1227 	fd = smb_open_driver();
1228 	if (fd < 0) {
1229 		err = errno;
1230 		smb_error(dgettext(TEXT_DOMAIN,
1231 		    "failed to open driver"), err);
1232 		return (err);
1233 	}
1234 
1235 	/*
1236 	 * Check the driver version (paranoia)
1237 	 */
1238 	if (nsmb_ioctl(fd, SMBIOC_GETVERS, &version) < 0)
1239 		version = 0;
1240 	if (version != NSMB_VERSION) {
1241 		smb_error(dgettext(TEXT_DOMAIN,
1242 		    "incorrect driver version"), 0);
1243 		nsmb_close(fd);
1244 		return (ENODEV);
1245 	}
1246 
1247 	ctx->ct_dev_fd = fd;
1248 	return (0);
1249 }
1250 
1251 
1252 /*
1253  * Find or create a connection + logon session
1254  */
1255 int
1256 smb_ctx_get_ssn(struct smb_ctx *ctx)
1257 {
1258 	int err = 0;
1259 
1260 	if ((ctx->ct_flags & SMBCF_RESOLVED) == 0)
1261 		return (EINVAL);
1262 
1263 	/*
1264 	 * Check whether the driver already has a VC
1265 	 * we can use.  If so, we're done!
1266 	 */
1267 	err = smb_ctx_findvc(ctx);
1268 	if (err == 0) {
1269 		DPRINT("found an existing VC");
1270 	} else {
1271 		/*
1272 		 * If we're authenticating (real user, not NULL session)
1273 		 * and we don't yet have a password, return EAUTH and
1274 		 * the caller will prompt for it and call again.
1275 		 */
1276 		if (ctx->ct_user[0] != '\0' &&
1277 		    ctx->ct_password[0] == '\0')
1278 			return (EAUTH);
1279 
1280 		/*
1281 		 * This calls the IOD to create a new session.
1282 		 */
1283 		DPRINT("setup a new VC");
1284 		err = smb_ctx_newvc(ctx);
1285 		if (err != 0)
1286 			return (err);
1287 
1288 		/*
1289 		 * Call findvc again.  The new VC sould be
1290 		 * found in the driver this time.
1291 		 */
1292 		err = smb_ctx_findvc(ctx);
1293 	}
1294 
1295 	return (err);
1296 }
1297 
1298 /*
1299  * Find or create a tree connection
1300  */
1301 int
1302 smb_ctx_get_tree(struct smb_ctx *ctx)
1303 {
1304 	smbioc_tcon_t *tcon = NULL;
1305 	int cmd, err = 0;
1306 
1307 	if (ctx->ct_dev_fd < 0 ||
1308 	    ctx->ct_origshare == NULL) {
1309 		return (EINVAL);
1310 	}
1311 
1312 	cmd = SMBIOC_TREE_CONNECT;
1313 	tcon = malloc(sizeof (*tcon));
1314 	if (tcon == NULL)
1315 		return (ENOMEM);
1316 	bzero(tcon, sizeof (*tcon));
1317 	tcon->tc_flags = SMBLK_CREATE;
1318 	tcon->tc_opt = 0;
1319 
1320 	/* The share name */
1321 	strlcpy(tcon->tc_sh.sh_name, ctx->ct_origshare,
1322 	    sizeof (tcon->tc_sh.sh_name));
1323 
1324 	/* The share "use" type. */
1325 	tcon->tc_sh.sh_use = ctx->ct_shtype_req;
1326 
1327 	/*
1328 	 * Todo: share passwords for share-level security.
1329 	 *
1330 	 * The driver does the actual TCON call.
1331 	 */
1332 	if (nsmb_ioctl(ctx->ct_dev_fd, cmd, tcon) == -1) {
1333 		err = errno;
1334 		goto out;
1335 	}
1336 
1337 	/*
1338 	 * Check the returned share type
1339 	 */
1340 	DPRINT("ret. sh_type: \"%d\"", tcon->tc_sh.sh_type);
1341 	if (ctx->ct_shtype_req != USE_WILDCARD &&
1342 	    ctx->ct_shtype_req != tcon->tc_sh.sh_type) {
1343 		smb_error(dgettext(TEXT_DOMAIN,
1344 		    "%s: incompatible share type"),
1345 		    0, ctx->ct_origshare);
1346 	}
1347 
1348 out:
1349 	if (tcon != NULL)
1350 		free(tcon);
1351 
1352 	return (err);
1353 }
1354 
1355 /*
1356  * Return the hflags2 word for an smb_ctx.
1357  */
1358 int
1359 smb_ctx_flags2(struct smb_ctx *ctx)
1360 {
1361 	uint16_t flags2;
1362 
1363 	if (nsmb_ioctl(ctx->ct_dev_fd, SMBIOC_FLAGS2, &flags2) == -1) {
1364 		smb_error(dgettext(TEXT_DOMAIN,
1365 		    "can't get flags2 for a session"), errno);
1366 		return (-1);
1367 	}
1368 	return (flags2);
1369 }
1370 
1371 /*
1372  * Get the transport level session key.
1373  * Must already have an active SMB session.
1374  */
1375 int
1376 smb_fh_getssnkey(int dev_fd, uchar_t *key, size_t len)
1377 {
1378 	if (len < SMBIOC_HASH_SZ)
1379 		return (EINVAL);
1380 
1381 	if (nsmb_ioctl(dev_fd, SMBIOC_GETSSNKEY, key) == -1)
1382 		return (errno);
1383 
1384 	return (0);
1385 }
1386 
1387 /*
1388  * RC file parsing stuff
1389  */
1390 
1391 static struct nv
1392 minauth_table[] = {
1393 	/* Allowed auth. types */
1394 	{ "kerberos",	SMB_AT_KRB5 },
1395 	{ "ntlmv2",	SMB_AT_KRB5|SMB_AT_NTLM2 },
1396 	{ "ntlm",	SMB_AT_KRB5|SMB_AT_NTLM2|SMB_AT_NTLM1 },
1397 	{ "lm",		SMB_AT_KRB5|SMB_AT_NTLM2|SMB_AT_NTLM1|SMB_AT_LM1 },
1398 	{ "none",	SMB_AT_KRB5|SMB_AT_NTLM2|SMB_AT_NTLM1|SMB_AT_LM1|
1399 			SMB_AT_ANON },
1400 	{ NULL }
1401 };
1402 
1403 int
1404 smb_cf_minauth_from_str(char *str)
1405 {
1406 	struct nv *nvp;
1407 
1408 	for (nvp = minauth_table; nvp->name; nvp++)
1409 		if (strcmp(nvp->name, str) == 0)
1410 			return (nvp->value);
1411 	return (-1);
1412 }
1413 
1414 /*
1415  * SMB 2.1 is the oldest SMB2 dialect implemented (we skipped SMB 2.002)
1416  * so if we see a_protocol value of just "2" assume they meant 2.1
1417  */
1418 static struct nv
1419 smbver_table[] = {
1420 	{ "3.02",	SMB2_DIALECT_0302 },
1421 	{ "3.0",	SMB2_DIALECT_0300 },
1422 	{ "2.1",	SMB2_DIALECT_0210 },
1423 	{ "2",		SMB2_DIALECT_0210 },
1424 	{ "1",		1 },
1425 	{ NULL,		0 }
1426 };
1427 
1428 int
1429 smb_cf_version_from_str(char *str)
1430 {
1431 	struct nv *nvp;
1432 
1433 	for (nvp = smbver_table; nvp->name; nvp++)
1434 		if (strcmp(nvp->name, str) == 0)
1435 			return (nvp->value);
1436 	return (-1);
1437 }
1438 
1439 /*
1440  * level values:
1441  * 0 - default
1442  * 1 - server
1443  * 2 - server:user
1444  * 3 - server:user:share
1445  */
1446 static int
1447 smb_ctx_readrcsection(struct smb_ctx *ctx, const char *sname, int level)
1448 {
1449 	char *p;
1450 	int ival;
1451 	int error;
1452 	int minver, maxver;
1453 
1454 #ifdef	KICONV_SUPPORT
1455 	if (level > 0) {
1456 		rc_getstringptr(smb_rc, sname, "charsets", &p);
1457 		if (p) {
1458 			error = smb_ctx_setcharset(ctx, p);
1459 			if (error)
1460 				smb_error(dgettext(TEXT_DOMAIN,
1461 	"charset specification in the section '%s' ignored"),
1462 				    error, sname);
1463 		}
1464 	}
1465 #endif
1466 
1467 	if (level <= 1) {
1468 		/* Section is: [default] or [server] */
1469 
1470 		/*
1471 		 * Handle min_protocol, max_protocol
1472 		 * (SMB protocol versions)
1473 		 */
1474 		minver = -1;
1475 		rc_getstringptr(smb_rc, sname, "min_protocol", &p);
1476 		if (p != NULL) {
1477 			minver = smb_cf_version_from_str(p);
1478 			if (minver == -1) {
1479 				smb_error(dgettext(TEXT_DOMAIN,
1480 "invalid min_protocol value \"%s\" specified in the section %s"),
1481 				    0, p, sname);
1482 			}
1483 		}
1484 		maxver = -1;
1485 		rc_getstringptr(smb_rc, sname, "max_protocol", &p);
1486 		if (p != NULL) {
1487 			maxver = smb_cf_version_from_str(p);
1488 			if (maxver == -1) {
1489 				smb_error(dgettext(TEXT_DOMAIN,
1490 "invalid max_protocol value \"%s\" specified in the section %s"),
1491 				    0, p, sname);
1492 			}
1493 		}
1494 
1495 		/*
1496 		 * If setting both min/max protocol,
1497 		 * validate against each other
1498 		 */
1499 		if (minver != -1 && maxver != -1) {
1500 			if (minver > maxver) {
1501 				smb_error(dgettext(TEXT_DOMAIN,
1502 "invalid min/max protocol combination in the section %s"),
1503 				    0, sname);
1504 			} else {
1505 				ctx->ct_minver = minver;
1506 				ctx->ct_maxver = maxver;
1507 			}
1508 		}
1509 
1510 		/*
1511 		 * Setting just min or max, validate against
1512 		 * current settings
1513 		 */
1514 		if (minver != -1) {
1515 			if (minver > ctx->ct_maxver) {
1516 				smb_error(dgettext(TEXT_DOMAIN,
1517 "invalid min/max protocol combination in the section %s"),
1518 				    0, sname);
1519 			} else {
1520 				ctx->ct_minver = minver;
1521 			}
1522 		}
1523 		if (maxver != -1) {
1524 			if (maxver < ctx->ct_minver) {
1525 				smb_error(dgettext(TEXT_DOMAIN,
1526 "invalid min/max protocol combination in the section %s"),
1527 				    0, sname);
1528 			} else {
1529 				ctx->ct_maxver = maxver;
1530 			}
1531 		}
1532 
1533 		rc_getstringptr(smb_rc, sname, "minauth", &p);
1534 		if (p) {
1535 			/*
1536 			 * "minauth" was set in this section; override
1537 			 * the current minimum authentication setting.
1538 			 */
1539 			ival = smb_cf_minauth_from_str(p);
1540 			if (ival != -1) {
1541 				ctx->ct_minauth = ival;
1542 			} else {
1543 				/*
1544 				 * Unknown minimum authentication level.
1545 				 */
1546 				smb_error(dgettext(TEXT_DOMAIN,
1547 "invalid minimum authentication level \"%s\" specified in the section %s"),
1548 				    0, p, sname);
1549 				return (EINVAL);
1550 			}
1551 		}
1552 
1553 		rc_getstringptr(smb_rc, sname, "signing", &p);
1554 		if (p) {
1555 			/*
1556 			 * "signing" was set in this section; override
1557 			 * the current signing settings.  Note:
1558 			 * setsigning flags are: enable, require
1559 			 */
1560 			if (strcmp(p, "disabled") == 0) {
1561 				(void) smb_ctx_setsigning(ctx, FALSE, FALSE);
1562 			} else if (strcmp(p, "enabled") == 0) {
1563 				(void) smb_ctx_setsigning(ctx, TRUE, FALSE);
1564 			} else if (strcmp(p, "required") == 0) {
1565 				(void) smb_ctx_setsigning(ctx, TRUE, TRUE);
1566 			} else {
1567 				/*
1568 				 * Unknown "signing" value.
1569 				 */
1570 				smb_error(dgettext(TEXT_DOMAIN,
1571 "invalid signing policy \"%s\" specified in the section %s"),
1572 				    0, p, sname);
1573 				return (EINVAL);
1574 			}
1575 		}
1576 
1577 		/*
1578 		 * Domain name.  Allow both keywords:
1579 		 * "workgroup", "domain"
1580 		 *
1581 		 * Note: these are NOT marked "from CMD".
1582 		 * See long comment at smb_ctx_init()
1583 		 */
1584 		rc_getstringptr(smb_rc, sname, "workgroup", &p);
1585 		if (p) {
1586 			error = smb_ctx_setdomain(ctx, p, 0);
1587 			if (error)
1588 				smb_error(dgettext(TEXT_DOMAIN,
1589 				    "workgroup specification in the "
1590 				    "section '%s' ignored"), error, sname);
1591 		}
1592 		rc_getstringptr(smb_rc, sname, "domain", &p);
1593 		if (p) {
1594 			error = smb_ctx_setdomain(ctx, p, 0);
1595 			if (error)
1596 				smb_error(dgettext(TEXT_DOMAIN,
1597 				    "domain specification in the "
1598 				    "section '%s' ignored"), error, sname);
1599 		}
1600 
1601 		rc_getstringptr(smb_rc, sname, "user", &p);
1602 		if (p) {
1603 			error = smb_ctx_setuser(ctx, p, 0);
1604 			if (error)
1605 				smb_error(dgettext(TEXT_DOMAIN,
1606 				    "user specification in the "
1607 				    "section '%s' ignored"), error, sname);
1608 		}
1609 	}
1610 
1611 	if (level == 1) {
1612 		/* Section is: [server] */
1613 		rc_getstringptr(smb_rc, sname, "addr", &p);
1614 		if (p) {
1615 			error = smb_ctx_setsrvaddr(ctx, p);
1616 			if (error) {
1617 				smb_error(dgettext(TEXT_DOMAIN,
1618 				    "invalid address specified in section %s"),
1619 				    0, sname);
1620 				return (error);
1621 			}
1622 		}
1623 	}
1624 
1625 	rc_getstringptr(smb_rc, sname, "password", &p);
1626 	if (p) {
1627 		error = smb_ctx_setpassword(ctx, p, 0);
1628 		if (error)
1629 			smb_error(dgettext(TEXT_DOMAIN,
1630 	    "password specification in the section '%s' ignored"),
1631 			    error, sname);
1632 	}
1633 
1634 	return (0);
1635 }
1636 
1637 /*
1638  * read rc file as follows:
1639  * 0: read [default] section
1640  * 1: override with [server] section
1641  * 2: override with [server:user] section
1642  * 3: override with [server:user:share] section
1643  * Since absence of rcfile is not fatal, silently ignore this fact.
1644  * smb_rc file should be closed by caller.
1645  */
1646 int
1647 smb_ctx_readrc(struct smb_ctx *ctx)
1648 {
1649 	char pwbuf[NSS_BUFLEN_PASSWD];
1650 	struct passwd pw;
1651 	char *sname = NULL;
1652 	int sname_max;
1653 	int err = 0;
1654 
1655 	/*
1656 	 * If the user name is not specified some other way,
1657 	 * use the current user name.  Also save the homedir.
1658 	 * NB: ct_home=NULL is allowed, and we don't want to
1659 	 * bail out with an error for a missing ct_home.
1660 	 */
1661 	if (getpwuid_r(getuid(), &pw, pwbuf, sizeof (pwbuf)) != NULL) {
1662 		if (ctx->ct_user[0] == 0)
1663 			(void) smb_ctx_setuser(ctx, pw.pw_name, B_FALSE);
1664 		if (ctx->ct_home == NULL)
1665 			ctx->ct_home = strdup(pw.pw_dir);
1666 	}
1667 
1668 	if ((err = smb_open_rcfile(ctx->ct_home)) != 0) {
1669 		DPRINT("smb_open_rcfile, err=%d", err);
1670 		/* ignore any error here */
1671 		return (0);
1672 	}
1673 
1674 	sname_max = 3 * SMBIOC_MAX_NAME + 4;
1675 	sname = malloc(sname_max);
1676 	if (sname == NULL) {
1677 		err = ENOMEM;
1678 		goto done;
1679 	}
1680 
1681 	/*
1682 	 * default parameters (level=0)
1683 	 */
1684 	smb_ctx_readrcsection(ctx, "default", 0);
1685 	nb_ctx_readrcsection(smb_rc, ctx->ct_nb, "default", 0);
1686 
1687 	/*
1688 	 * If we don't have a server name, we can't read any of the
1689 	 * [server...] sections.
1690 	 */
1691 	if (ctx->ct_fullserver == NULL)
1692 		goto done;
1693 	/*
1694 	 * SERVER parameters.
1695 	 */
1696 	smb_ctx_readrcsection(ctx, ctx->ct_fullserver, 1);
1697 
1698 	/*
1699 	 * If we don't have a user name, we can't read any of the
1700 	 * [server:user...] sections.
1701 	 */
1702 	if (ctx->ct_user[0] == 0)
1703 		goto done;
1704 	/*
1705 	 * SERVER:USER parameters
1706 	 */
1707 	snprintf(sname, sname_max, "%s:%s",
1708 	    ctx->ct_fullserver,
1709 	    ctx->ct_user);
1710 	smb_ctx_readrcsection(ctx, sname, 2);
1711 
1712 
1713 	/*
1714 	 * If we don't have a share name, we can't read any of the
1715 	 * [server:user:share] sections.
1716 	 */
1717 	if (ctx->ct_origshare == NULL)
1718 		goto done;
1719 	/*
1720 	 * SERVER:USER:SHARE parameters
1721 	 */
1722 	snprintf(sname, sname_max, "%s:%s:%s",
1723 	    ctx->ct_fullserver,
1724 	    ctx->ct_user,
1725 	    ctx->ct_origshare);
1726 	smb_ctx_readrcsection(ctx, sname, 3);
1727 
1728 done:
1729 	if (sname)
1730 		free(sname);
1731 	smb_close_rcfile();
1732 	if (smb_debug)
1733 		dump_ctx("after smb_ctx_readrc", ctx);
1734 	if (err)
1735 		DPRINT("err=%d\n", err);
1736 
1737 	return (err);
1738 }
1739 
1740 void
1741 smbfs_set_default_domain(const char *domain)
1742 {
1743 	strlcpy(default_domain, domain, sizeof (default_domain));
1744 }
1745 
1746 void
1747 smbfs_set_default_user(const char *user)
1748 {
1749 	strlcpy(default_user, user, sizeof (default_user));
1750 }
1751