1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 #pragma ident "%Z%%M% %I% %E% SMI" 26 /* 27 * SMB: session_setup_andx 28 * 29 * This SMB is used to further "Set up" the session normally just 30 * established via the negotiate protocol. 31 * 32 * One primary function is to perform a "user logon" in the case where the 33 * server is in user level security mode. The Uid in the SMB header is set 34 * by the client to be the userid desired for the AccountName and validated 35 * by the AccountPassword. 36 * 37 * If the negotiated protocol is prior to NT LM 0.12, the format of 38 * SMB_COM_SESSION_SETUP_ANDX is: 39 * 40 * Client Request Description 41 * ============================== ===================================== 42 * 43 * UCHAR WordCount; Count of parameter words = 10 44 * UCHAR AndXCommand; Secondary (X) command; 0xFF = none 45 * UCHAR AndXReserved; Reserved (must be 0) 46 * USHORT AndXOffset; Offset to next command WordCount 47 * USHORT MaxBufferSize; Client maximum buffer size 48 * USHORT MaxMpxCount; Actual maximum multiplexed pending 49 * requests 50 * USHORT VcNumber; 0 = first (only), nonzero=additional 51 * VC number 52 * ULONG SessionKey; Session key (valid iff VcNumber != 0) 53 * USHORT PasswordLength; Account password size 54 * ULONG Reserved; Must be 0 55 * USHORT ByteCount; Count of data bytes; min = 0 56 * UCHAR AccountPassword[]; Account Password 57 * STRING AccountName[]; Account Name 58 * STRING PrimaryDomain[]; Client's primary domain 59 * STRING NativeOS[]; Client's native operating system 60 * STRING NativeLanMan[]; Client's native LAN Manager type 61 * 62 * and the response is: 63 * 64 * Server Response Description 65 * ================================== ================================= 66 * 67 * UCHAR WordCount; Count of parameter words = 3 68 * UCHAR AndXCommand; Secondary (X) command; 0xFF = 69 * none 70 * UCHAR AndXReserved; Reserved (must be 0) 71 * USHORT AndXOffset; Offset to next command WordCount 72 * USHORT Action; Request mode: 73 * bit0 = logged in as GUEST 74 * USHORT ByteCount; Count of data bytes 75 * STRING NativeOS[]; Server's native operating system 76 * STRING NativeLanMan[]; Server's native LAN Manager type 77 * STRING PrimaryDomain[]; Server's primary domain 78 * 79 * If the server is in "share level security mode", the account name and 80 * passwd should be ignored by the server. 81 * 82 * If challenge/response authentication is not being used, AccountPassword 83 * should be a null terminated ASCII string with PasswordLength set to the 84 * string size including the null; the password will case insensitive. If 85 * challenge/response authentication is being used (see section 2.10), then 86 * AccountPassword will be the response to the server's challenge, and 87 * PasswordLength should be set to its length. 88 * 89 * The server validates the name and password supplied and if valid, it 90 * registers the user identifier on this session as representing the 91 * specified AccountName. The Uid field in the SMB header will then be 92 * used to validate access on subsequent SMB requests. The SMB requests 93 * where permission checks are required are those which refer to a 94 * symbolically named resource such as SMB_COM_OPEN, SMB_COM_RENAME, 95 * SMB_COM_DELETE, etc.. The value of the Uid is relative to a specific 96 * client/server session so it is possible to have the same Uid value 97 * represent two different users on two different sessions at the server. 98 * 99 * Multiple session setup commands may be sent to register additional users 100 * on this session. If the server receives an additional 101 * SMB_COM_SESSION_SETUP_ANDX, only the Uid, AccountName and 102 * AccountPassword fields need contain valid values (the server MUST ignore 103 * the other fields). 104 * 105 * The client writes the name of its domain in PrimaryDomain if it knows 106 * what the domain name is. If the domain name is unknown, the client 107 * either encodes it as a NULL string, or as a question mark. 108 * 109 * If bit0 of Action is set, this informs the client that although the 110 * server did not recognize the AccountName, it logged the user in as a 111 * guest. This is optional behavior by the server, and in any case one 112 * would ordinarily expect guest privileges to limited. 113 * 114 * Another function of the Session Set Up protocol is to inform the server 115 * of the maximum values which will be utilized by this client. Here 116 * MaxBufferSize is the maximum message size which the client can receive. 117 * Thus although the server may support 16k buffers (as returned in the 118 * SMB_COM_NEGOTIATE response), if the client only has 4k buffers, the 119 * value of MaxBufferSize here would be 4096. The minimum allowable value 120 * for MaxBufferSize is 1024. The SMB_COM_NEGOTIATE response includes the 121 * server buffer size supported. Thus this is the maximum SMB message size 122 * which the client can send to the server. This size may be larger than 123 * the size returned to the server from the client via the 124 * SMB_COM_SESSION_SETUP_AND X protocol which is the maximum SMB message 125 * size which the server may send to the client. Thus if the server's 126 * buffer size were 4k and the client's buffer size were only 2K, the 127 * client could send up to 4k (standard) write requests but must only 128 * request up to 2k for (standard) read requests. 129 * 130 * The field, MaxMpxCount informs the server of the maximum number of 131 * requests which the client will have outstanding to the server 132 * simultaneously (see sections 5.13 and 5.25). 133 * 134 * The VcNumber field specifies whether the client wants this to be the 135 * first VC or an additional VC. If the the SMB_COM_SESSION_SETUP_ANDX 136 * request contains a VcNumber of 0 and other VCs are still connected to 137 * that client, they should be aborted to free any resources held by the 138 * server. This condition could occur if the client was rebooted and 139 * reconnected to the server before the transport level had informed the 140 * server of the previous VC termination. There is more information on 141 * VCs in smb_negotiate.c. 142 * 143 * The values for MaxBufferSize, MaxMpxCount, and VcNumber must be less 144 * than or equal to the maximum values supported by the server as returned 145 * in the SMB_COM_NEGOTIATE response. 146 * 147 * If the negotiated SMB dialect is "NT LM 0.12" or later, the format of 148 * the response SMB is unchanged, but the request is: 149 * 150 * Client Request Description 151 * ============================== ===================================== 152 * 153 * UCHAR WordCount; Count of parameter words = 13 154 * UCHAR AndXCommand; Secondary (X) command; 0xFF = none 155 * UCHAR AndXReserved; Reserved (must be 0) 156 * USHORT AndXOffset; Offset to next command WordCount 157 * USHORT MaxBufferSize; Client's maximum buffer size 158 * USHORT MaxMpxCount; Actual maximum multiplexed pending 159 * requests 160 * USHORT VcNumber; 0 = first (only), nonzero=additional 161 * VC number 162 * ULONG SessionKey; Session key (valid iff VcNumber != 0) 163 * USHORT Account password size, ANSI 164 * CaseInsensitivePasswordLength; 165 * USHORT Account password size, Unicode 166 * CaseSensitivePasswordLength; 167 * ULONG Reserved; must be 0 168 * ULONG Capabilities; Client capabilities 169 * USHORT ByteCount; Count of data bytes; min = 0 170 * UCHAR Account Password, ANSI 171 * CaseInsensitivePassword[]; 172 * UCHAR CaseSensitivePassword[]; Account Password, Unicode 173 * STRING AccountName[]; Account Name, Unicode 174 * STRING PrimaryDomain[]; Client's primary domain, Unicode 175 * STRING NativeOS[]; Client's native operating system, 176 * Unicode 177 * STRING NativeLanMan[]; Client's native LAN Manager type, 178 * Unicode 179 * 180 * The client expresses its capabilities to the server encoded in the 181 * Capabilities field: 182 * 183 * Capability Name Encoding Description 184 * ======================== ========= ================================ 185 * 186 * CAP_UNICODE 0x0004 The client can use UNICODE 187 * strings 188 * CAP_LARGE_FILES 0x0008 The client can deal with files 189 * having 64 bit offsets 190 * CAP_NT_SMBS 0x0010 The client understands the SMBs 191 * introduced with the NT LM 0.12 192 * dialect. Implies CAP_NT_FIND. 193 * CAP_NT_FIND 0x0200 194 * CAP_STATUS32 0x0040 The client can receive 32 bit 195 * errors encoded in Status.Status 196 * CAP_LEVEL_II_OPLOCKS 0x0080 The client understands Level II 197 * oplocks 198 * 199 * The entire message sent and received including the optional ANDX SMB 200 * must fit in the negotiated maximum transfer size. The following are the 201 * only valid SMB commands for AndXCommand for SMB_COM_SESSION_SETUP_ANDX 202 * 203 * SMB_COM_TREE_CONNECT_ANDX SMB_COM_OPEN 204 * SMB_COM_OPEN_ANDX SMB_COM_CREATE 205 * SMB_COM_CREATE_NEW SMB_COM_CREATE_DIRECTORY 206 * SMB_COM_DELETE SMB_COM_DELETE_DIRECTORY 207 * SMB_COM_FIND SMB_COM_FIND_UNIQUE 208 * SMB_COM_COPY SMB_COM_RENAME 209 * SMB_COM_NT_RENAME SMB_COM_CHECK_DIRECTORY 210 * SMB_COM_QUERY_INFORMATION SMB_COM_SET_INFORMATION 211 * SMB_COM_NO_ANDX_COMMAND SMB_COM_OPEN_PRINT_FILE 212 * SMB_COM_GET_PRINT_QUEUE SMB_COM_TRANSACTION 213 * 214 * 4.1.2.1 Errors 215 * 216 * ERRSRV/ERRerror - no NEG_PROT issued 217 * ERRSRV/ERRbadpw - password not correct for given user name 218 * ERRSRV/ERRtoomanyuids - maximum number of users per session exceeded 219 * ERRSRV/ERRnosupport - chaining of this request to the previous one is 220 * not supported 221 */ 222 223 #include <sys/types.h> 224 #include <sys/socket.h> 225 #include <netinet/in.h> 226 #include <smbsrv/smb_incl.h> 227 #include <smbsrv/smb_token.h> 228 #include <smbsrv/smb_door_svc.h> 229 230 int 231 smb_com_session_setup_andx(struct smb_request *sr) 232 { 233 uint16_t maxbufsize, maxmpxcount, vcnumber = 0; 234 uint32_t sesskey; 235 uint32_t capabilities = 0; 236 char *account_name = ""; 237 char *primary_domain = ""; 238 char *native_os = ""; 239 char *native_lanman = ""; 240 char *hostname = smb_info.si.skc_hostname; 241 smb_token_t *usr_token = NULL; 242 smb_user_t *user = NULL; 243 int security = smb_info.si.skc_secmode; 244 245 uint16_t ci_pwlen = 0; 246 unsigned char *ci_password = NULL; 247 uint16_t cs_pwlen = 0; 248 unsigned char *cs_password = NULL; 249 250 netr_client_t clnt_info; 251 smb_session_key_t *session_key = NULL; 252 int rc; 253 254 if (sr->session->dialect >= NT_LM_0_12) { 255 rc = smbsr_decode_vwv(sr, "b.wwwwlww4.l", &sr->andx_com, 256 &sr->andx_off, &maxbufsize, &maxmpxcount, &vcnumber, 257 &sesskey, &ci_pwlen, &cs_pwlen, &capabilities); 258 259 if (rc != 0) { 260 smbsr_decode_error(sr); 261 /* NOTREACHED */ 262 } 263 264 ci_password = kmem_alloc(ci_pwlen + 1, KM_SLEEP); 265 cs_password = kmem_alloc(cs_pwlen + 1, KM_SLEEP); 266 267 /* 268 * The padding between the Native OS and Native LM is a 269 * bit strange. On NT4.0, there is a 2 byte pad between 270 * the OS (Windows NT 1381) and LM (Windows NT 4.0). 271 * On Windows 2000, there is no padding between the OS 272 * (Windows 2000 2195) and LM (Windows 2000 5.0). 273 * 274 * If the padding is removed from this decode string 275 * the NT4.0 LM comes out as an empty string. 276 * 277 * So if the client's native OS is Win NT we consider 278 * the padding otherwise we don't. 279 */ 280 rc = smbsr_decode_data(sr, "%#c#cuuu", 281 sr, 282 ci_pwlen, ci_password, 283 cs_pwlen, cs_password, 284 &account_name, 285 &primary_domain, 286 &native_os); 287 288 if (rc != 0) { 289 kmem_free(ci_password, ci_pwlen + 1); 290 kmem_free(cs_password, cs_pwlen + 1); 291 smbsr_decode_error(sr); 292 /* NOTREACHED */ 293 } 294 295 ci_password[ci_pwlen] = 0; 296 cs_password[cs_pwlen] = 0; 297 298 sr->session->native_os = smbnative_os_value(native_os); 299 300 if (sr->session->native_os == NATIVE_OS_WINNT) 301 rc = smbsr_decode_data(sr, "%,u", sr, &native_lanman); 302 else 303 rc = smbsr_decode_data(sr, "%u", sr, &native_lanman); 304 305 /* 306 * Native Lanman could be null so we really don't care 307 * if above decode fails, but to have a valid value for 308 * the field we set it to Win NT. 309 */ 310 if (rc != 0) 311 native_lanman = "NT LAN Manager 4.0"; 312 313 } else { 314 rc = smbsr_decode_vwv(sr, "b.wwwwlw4.", &sr->andx_com, 315 &sr->andx_off, &maxbufsize, &maxmpxcount, 316 &vcnumber, &sesskey, &ci_pwlen); 317 318 if (rc != 0) { 319 smbsr_decode_error(sr); 320 /* NOTREACHED */ 321 } 322 323 ci_password = kmem_alloc(ci_pwlen + 1, KM_SLEEP); 324 rc = smbsr_decode_data(sr, "%#c", sr, ci_pwlen, ci_password); 325 if (rc != 0) { 326 kmem_free(ci_password, ci_pwlen + 1); 327 smbsr_decode_error(sr); 328 /* NOTREACHED */ 329 } 330 331 ci_password[ci_pwlen] = 0; 332 333 /* 334 * Despite the CIFS/1.0 spec, the rest of this message is 335 * not always present. We need to try to get the account 336 * name and the primary domain but we don't care about the 337 * the native OS or native LanMan fields. 338 */ 339 if (smbsr_decode_data(sr, "%u", sr, &account_name) != 0) 340 account_name = ""; 341 342 if (smbsr_decode_data(sr, "%u", sr, &primary_domain) != 0) 343 primary_domain = ""; 344 345 sr->session->native_os = NATIVE_OS_UNKNOWN; 346 } 347 348 /* 349 * If the vcnumber is zero, we can discard any 350 * other connections associated with this client. 351 */ 352 sr->session->vcnumber = vcnumber; 353 if (vcnumber == 0) 354 smb_reconnection_check(sr->session); 355 356 sr->session->smb_msg_size = maxbufsize; 357 358 bzero(&clnt_info, sizeof (netr_client_t)); 359 360 if (*primary_domain == 0) 361 primary_domain = smb_info.si.skc_resource_domain; 362 363 if ((cs_pwlen == 0) && 364 (ci_pwlen == 0 || (ci_pwlen == 1 && *ci_password == 0))) { 365 /* anonymous user */ 366 clnt_info.flags |= NETR_CFLG_ANON; 367 account_name = "nobody"; 368 } else if (*account_name == '\0') { 369 if (ci_password) 370 kmem_free(ci_password, ci_pwlen + 1); 371 if (cs_password) 372 kmem_free(cs_password, cs_pwlen + 1); 373 smbsr_raise_error(sr, ERRSRV, ERRaccess); 374 /* NOTREACHED */ 375 } else if (utf8_strcasecmp(primary_domain, hostname) == 0) { 376 /* 377 * When domain name is equal to hostname, it means 378 * the user is local even if system is running in 379 * domain mode, so perform a local logon. 380 */ 381 clnt_info.flags |= NETR_CFLG_LOCAL; 382 } else if (security == SMB_SECMODE_DOMAIN) { 383 clnt_info.flags |= NETR_CFLG_DOMAIN; 384 } else if (security == SMB_SECMODE_WORKGRP) { 385 clnt_info.flags |= NETR_CFLG_LOCAL; 386 } 387 388 (void) utf8_strupr(primary_domain); 389 390 /* 391 * If this is an additional setup for an existing user 392 * on this session, duplicate the authenticated user. 393 * Otherwise authenticate as new user. 394 */ 395 user = smb_user_lookup_by_name(sr->session, primary_domain, 396 account_name); 397 398 if (user) { 399 smb_user_t *orig_user = user; 400 401 user = smb_user_dup(orig_user); 402 smb_user_release(orig_user); 403 } else { 404 cred_t *cr; 405 uint32_t privileges; 406 407 clnt_info.logon_level = NETR_NETWORK_LOGON; 408 clnt_info.domain = primary_domain; 409 clnt_info.username = account_name; 410 clnt_info.workstation = sr->session->workstation; 411 clnt_info.ipaddr = sr->session->ipaddr; 412 clnt_info.local_ipaddr = sr->session->local_ipaddr; 413 clnt_info.challenge_key.challenge_key_val = 414 sr->session->challenge_key; 415 clnt_info.challenge_key.challenge_key_len = 416 sr->session->challenge_len; 417 clnt_info.nt_password.nt_password_val = cs_password; 418 clnt_info.nt_password.nt_password_len = cs_pwlen; 419 clnt_info.lm_password.lm_password_val = ci_password; 420 clnt_info.lm_password.lm_password_len = ci_pwlen; 421 clnt_info.native_os = sr->session->native_os; 422 clnt_info.native_lm = smbnative_lm_value(native_lanman); 423 clnt_info.local_port = sr->session->s_local_port; 424 425 DTRACE_PROBE1(smb__sessionsetup__clntinfo, netr_client_t *, 426 &clnt_info); 427 428 usr_token = smb_upcall_get_token(&clnt_info); 429 if (usr_token == 0) { 430 if (ci_password) 431 kmem_free(ci_password, ci_pwlen + 1); 432 if (cs_password) 433 kmem_free(cs_password, cs_pwlen + 1); 434 smbsr_raise_error(sr, ERRSRV, ERRbadpw); 435 /* NOTREACHED */ 436 } 437 438 if (usr_token->tkn_session_key) { 439 session_key = kmem_alloc(sizeof (smb_session_key_t), 440 KM_SLEEP); 441 (void) memcpy(session_key, usr_token->tkn_session_key, 442 sizeof (smb_session_key_t)); 443 } 444 445 cr = smb_cred_create(usr_token, &privileges); 446 if (cr != NULL) { 447 user = smb_user_login(sr->session, cr, 448 usr_token->tkn_domain_name, 449 usr_token->tkn_account_name, 450 usr_token->tkn_flags, 451 privileges, 452 usr_token->tkn_audit_sid); 453 smb_cred_rele(cr); 454 } 455 smb_token_free(usr_token); 456 } 457 458 if (ci_password) 459 kmem_free(ci_password, ci_pwlen + 1); 460 if (cs_password) 461 kmem_free(cs_password, cs_pwlen + 1); 462 463 if (user == NULL) { 464 if (session_key) 465 kmem_free(session_key, sizeof (smb_session_key_t)); 466 smbsr_raise_error(sr, ERRDOS, ERROR_INVALID_HANDLE); 467 /* no return */ 468 } 469 470 sr->user_cr = user->u_cred; 471 sr->smb_uid = user->u_uid; 472 sr->uid_user = user; 473 sr->session->capabilities = capabilities; 474 475 /* 476 * Check to see if SMB signing is enable, but if it is already turned 477 * on leave it. 478 * The first authenticated logon provides the MAC key and sequence 479 * numbers for signing all further session on the 480 * same network connection. 481 */ 482 if (!(sr->session->signing.flags & SMB_SIGNING_ENABLED) && 483 (sr->session->secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && 484 (sr->smb_flg2 & SMB_FLAGS2_SMB_SECURITY_SIGNATURE) && 485 session_key) 486 smb_sign_init(sr, session_key, (char *)cs_password, cs_pwlen); 487 488 if (session_key) 489 kmem_free(session_key, sizeof (smb_session_key_t)); 490 491 /* 492 * NT systems use different native OS and native LanMan values 493 * dependent on whether they are acting as a client or a server. 494 * As a server, NT 4.0 responds with the following values: 495 * 496 * NativeOS: Windows NT 4.0 497 * NativeLM: NT LAN Manager 4.0 498 * 499 * We should probably use the same values as NT but this code has 500 * been using the product name and "Windows NT 4.0" for a long time 501 * and I don't know if a change would cause any problems (see the 502 * conditional test below). 503 */ 504 smbsr_encode_result(sr, 3, VAR_BCC, "bb.www%uuu", 505 3, 506 sr->andx_com, 507 -1, /* andx_off */ 508 ((user->u_flags & SMB_USER_FLAG_GUEST) ? 1 : 0), 509 VAR_BCC, 510 sr, 511 "Windows NT 4.0", 512 "NT LAN Manager 4.0", 513 smb_info.si.skc_resource_domain); 514 515 return (SDRC_NORMAL_REPLY); 516 } 517