xref: /titanic_41/usr/src/lib/libsmbfs/smb/ssnsetup.c (revision 05ead181677a01a3a118f8b89ce79361113e34cf)
1 /*
2  * Copyright (c) 2000-2001 Boris Popov
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *    This product includes software developed by Boris Popov.
16  * 4. Neither the name of the author nor the names of any co-contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 /*
34  * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
35  */
36 
37 /*
38  * SMB Session Setup, and related.
39  * Copied from the driver: smb_smb.c
40  */
41 
42 #include <errno.h>
43 #include <stdio.h>
44 #include <stdlib.h>
45 #include <unistd.h>
46 #include <strings.h>
47 #include <netdb.h>
48 #include <libintl.h>
49 #include <xti.h>
50 #include <assert.h>
51 
52 #include <sys/types.h>
53 #include <sys/time.h>
54 #include <sys/byteorder.h>
55 #include <sys/socket.h>
56 #include <sys/fcntl.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/tcp.h>
60 #include <arpa/inet.h>
61 
62 #include <netsmb/mchain.h>
63 #include <netsmb/netbios.h>
64 #include <netsmb/smb_dev.h>
65 #include <netsmb/smb.h>
66 
67 #include <netsmb/smb_lib.h>
68 #include <netsmb/nb_lib.h>
69 
70 #include "private.h"
71 #include "charsets.h"
72 #include "ntlm.h"
73 #include "smb_crypt.h"
74 
75 
76 static int
77 smb__ssnsetup(struct smb_ctx *ctx,
78 	struct mbdata *mbc1, struct mbdata *mbc2,
79 	uint32_t *statusp, uint16_t *actionp);
80 
81 /*
82  * Session Setup: NULL session (anonymous)
83  */
84 int
85 smb_ssnsetup_null(struct smb_ctx *ctx)
86 {
87 	int err;
88 	uint32_t ntstatus;
89 	uint16_t action = 0;
90 
91 	if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
92 		/* Should not get here with... */
93 		err = EINVAL;
94 		goto out;
95 	}
96 
97 	err = smb__ssnsetup(ctx, NULL, NULL, &ntstatus, &action);
98 	if (err)
99 		goto out;
100 
101 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
102 	if (ntstatus != 0)
103 		err = EAUTH;
104 
105 out:
106 	return (err);
107 }
108 
109 
110 /*
111  * SMB Session Setup, using NTLMv1 (and maybe LMv1)
112  */
113 int
114 smb_ssnsetup_ntlm1(struct smb_ctx *ctx)
115 {
116 	struct mbdata lm_mbc, nt_mbc;
117 	int err;
118 	uint32_t ntstatus;
119 	uint16_t action = 0;
120 
121 	if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
122 		/* Should not get here with... */
123 		err = EINVAL;
124 		goto out;
125 	}
126 
127 	/* Make mb_done calls at out safe. */
128 	bzero(&lm_mbc, sizeof (lm_mbc));
129 	bzero(&nt_mbc, sizeof (nt_mbc));
130 
131 	/* Put the LM,NTLM responses (as mbdata). */
132 	err = ntlm_put_v1_responses(ctx, &lm_mbc, &nt_mbc);
133 	if (err)
134 		goto out;
135 
136 	/*
137 	 * If we negotiated signing, compute the MAC key
138 	 * and start signing messages, but only on the
139 	 * first non-null session login.
140 	 */
141 	if ((ctx->ct_vcflags & SMBV_WILL_SIGN) &&
142 	    (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) {
143 		struct mbuf *m = nt_mbc.mb_top;
144 		char *p;
145 
146 		/*
147 		 * MAC_key = concat(session_key, nt_response)
148 		 */
149 		ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len;
150 		ctx->ct_mackey = malloc(ctx->ct_mackeylen);
151 		if (ctx->ct_mackey == NULL) {
152 			ctx->ct_mackeylen = 0;
153 			err = ENOMEM;
154 			goto out;
155 		}
156 		p = ctx->ct_mackey;
157 		memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ);
158 		memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len);
159 
160 		/* OK, start signing! */
161 		ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE;
162 	}
163 
164 	err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action);
165 	if (err)
166 		goto out;
167 
168 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
169 	if (ntstatus != 0)
170 		err = EAUTH;
171 
172 out:
173 	mb_done(&lm_mbc);
174 	mb_done(&nt_mbc);
175 
176 	return (err);
177 }
178 
179 /*
180  * SMB Session Setup, using NTLMv2 (and LMv2)
181  */
182 int
183 smb_ssnsetup_ntlm2(struct smb_ctx *ctx)
184 {
185 	struct mbdata lm_mbc, nt_mbc, ti_mbc;
186 	int err;
187 	uint32_t ntstatus;
188 	uint16_t action = 0;
189 
190 	if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
191 		/* Should not get here with... */
192 		err = EINVAL;
193 		goto out;
194 	}
195 
196 	/* Make mb_done calls at out safe. */
197 	bzero(&lm_mbc, sizeof (lm_mbc));
198 	bzero(&nt_mbc, sizeof (nt_mbc));
199 	bzero(&ti_mbc, sizeof (ti_mbc));
200 
201 	/* Build the NTLMv2 "target info" blob (as mbdata) */
202 	err = ntlm_build_target_info(ctx, NULL, &ti_mbc);
203 	if (err)
204 		goto out;
205 
206 	/* Put the LMv2, NTLMv2 responses (as mbdata). */
207 	err = ntlm_put_v2_responses(ctx, &ti_mbc, &lm_mbc, &nt_mbc);
208 	if (err)
209 		goto out;
210 
211 	/*
212 	 * If we negotiated signing, compute the MAC key
213 	 * and start signing messages, but only on the
214 	 * first non-null session login.
215 	 */
216 	if ((ctx->ct_vcflags & SMBV_WILL_SIGN) &&
217 	    (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) {
218 		struct mbuf *m = nt_mbc.mb_top;
219 		char *p;
220 
221 		/*
222 		 * MAC_key = concat(session_key, nt_response)
223 		 */
224 		ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len;
225 		ctx->ct_mackey = malloc(ctx->ct_mackeylen);
226 		if (ctx->ct_mackey == NULL) {
227 			ctx->ct_mackeylen = 0;
228 			err = ENOMEM;
229 			goto out;
230 		}
231 		p = ctx->ct_mackey;
232 		memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ);
233 		memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len);
234 
235 		/* OK, start signing! */
236 		ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE;
237 	}
238 
239 	err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action);
240 	if (err)
241 		goto out;
242 
243 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
244 	if (ntstatus != 0)
245 		err = EAUTH;
246 
247 out:
248 	mb_done(&ti_mbc);
249 	mb_done(&lm_mbc);
250 	mb_done(&nt_mbc);
251 
252 	return (err);
253 }
254 
255 int
256 smb_ssnsetup_spnego(struct smb_ctx *ctx, struct mbdata *hint_mb)
257 {
258 	struct mbdata send_mb, recv_mb;
259 	int		err;
260 	uint32_t	ntstatus;
261 	uint16_t	action = 0;
262 
263 	err = ssp_ctx_create_client(ctx, hint_mb);
264 	if (err)
265 		goto out;
266 
267 	bzero(&send_mb, sizeof (send_mb));
268 	bzero(&recv_mb, sizeof (recv_mb));
269 
270 	/* NULL input indicates first call. */
271 	err = ssp_ctx_next_token(ctx, NULL, &send_mb);
272 	if (err)
273 		goto out;
274 
275 	for (;;) {
276 		err = smb__ssnsetup(ctx, &send_mb, &recv_mb,
277 		    &ntstatus, &action);
278 		if (err)
279 			goto out;
280 		if (ntstatus == 0)
281 			break; /* normal loop termination */
282 		if (ntstatus != NT_STATUS_MORE_PROCESSING_REQUIRED) {
283 			err = EAUTH;
284 			goto out;
285 		}
286 
287 		/* middle calls get both in, out */
288 		err = ssp_ctx_next_token(ctx, &recv_mb, &send_mb);
289 		if (err)
290 			goto out;
291 	}
292 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
293 
294 	/* NULL output indicates last call. */
295 	(void) ssp_ctx_next_token(ctx, &recv_mb, NULL);
296 
297 out:
298 	ssp_ctx_destroy(ctx);
299 
300 	return (err);
301 }
302 
303 /*
304  * Session Setup function used for all the forms we support.
305  * To allow this sharing, the crypto stuff is computed by
306  * callers and passed in as mbdata chains.  Also, the args
307  * have different meanings for extended security vs. old.
308  * Some may be used as either IN or OUT parameters.
309  *
310  * For NTLM (v1, v2), all parameters are inputs
311  * 	mbc1: [in] LM password hash
312  * 	mbc2: [in] NT password hash
313  * For Extended security (spnego)
314  *	mbc1: [in]  outgoing blob data
315  *	mbc2: [out] received blob data
316  * For both forms, these are optional:
317  *	statusp: [out] NT status
318  *	actionp: [out] Logon Action (i.e. SMB_ACT_GUEST)
319  */
320 static int
321 smb__ssnsetup(struct smb_ctx *ctx,
322 	struct mbdata *mbc1, struct mbdata *mbc2,
323 	uint32_t *statusp, uint16_t *actionp)
324 {
325 	static const char NativeOS[] = "Solaris";
326 	static const char LanMan[] = "NETSMB";
327 	struct smb_sopt *sv = &ctx->ct_sopt;
328 	struct smb_iods *is = &ctx->ct_iods;
329 	struct smb_rq	*rqp = NULL;
330 	struct mbdata	*mbp;
331 	struct mbuf	*m;
332 	int err, uc;
333 	uint32_t caps;
334 	uint16_t bc, len1, len2, sblen;
335 	uint8_t wc;
336 
337 	/*
338 	 * Some of the "capability" bits we offer will be copied
339 	 * from those offered by the server, with a mask applied.
340 	 * This is the mask of capabilies copied from the server.
341 	 * Some others get special handling below.
342 	 */
343 	static const uint32_t caps_mask =
344 	    SMB_CAP_UNICODE |
345 	    SMB_CAP_LARGE_FILES |
346 	    SMB_CAP_NT_SMBS |
347 	    SMB_CAP_STATUS32 |
348 	    SMB_CAP_EXT_SECURITY;
349 
350 	caps = ctx->ct_sopt.sv_caps & caps_mask;
351 	uc = ctx->ct_hflags2 & SMB_FLAGS2_UNICODE;
352 
353 	err = smb_rq_init(ctx, SMB_COM_SESSION_SETUP_ANDX, &rqp);
354 	if (err)
355 		goto out;
356 
357 	/*
358 	 * Build the SMB request.
359 	 */
360 	mbp = &rqp->rq_rq;
361 	smb_rq_wstart(rqp);
362 	mb_put_uint16le(mbp, 0xff);		/* 0: AndXCommand */
363 	mb_put_uint16le(mbp, 0);		/* 1: AndXOffset */
364 	mb_put_uint16le(mbp, sv->sv_maxtx);	/* 2: MaxBufferSize */
365 	mb_put_uint16le(mbp, sv->sv_maxmux);	/* 3: MaxMpxCount */
366 	mb_put_uint16le(mbp, 1);		/* 4: VcNumber */
367 	mb_put_uint32le(mbp, sv->sv_skey);	/* 5,6: Session Key */
368 
369 	if (caps & SMB_CAP_EXT_SECURITY) {
370 		len1 = mbc1 ? mbc1->mb_count : 0;
371 		mb_put_uint16le(mbp, len1);	/* 7: Sec. Blob Len */
372 		mb_put_uint32le(mbp, 0);	/* 8,9: reserved */
373 		mb_put_uint32le(mbp, caps);	/* 10,11: Capabilities */
374 		smb_rq_wend(rqp);		/* 12: Byte Count */
375 		smb_rq_bstart(rqp);
376 		if (mbc1 && mbc1->mb_top) {
377 			mb_put_mbuf(mbp, mbc1->mb_top);	/* sec. blob */
378 			mbc1->mb_top = NULL; /* consumed */
379 		}
380 		/* mbc2 is required below */
381 		if (mbc2 == NULL) {
382 			err = EINVAL;
383 			goto out;
384 		}
385 	} else {
386 		len1 = mbc1 ? mbc1->mb_count : 0;
387 		len2 = mbc2 ? mbc2->mb_count : 0;
388 		mb_put_uint16le(mbp, len1);	/* 7: LM pass. len */
389 		mb_put_uint16le(mbp, len2);	/* 8: NT pass. len */
390 		mb_put_uint32le(mbp, 0);	/* 9,10: reserved */
391 		mb_put_uint32le(mbp, caps);	/* 11,12: Capabilities */
392 		smb_rq_wend(rqp);		/* 13: Byte Count */
393 		smb_rq_bstart(rqp);
394 		if (mbc1 && mbc1->mb_top) {
395 			mb_put_mbuf(mbp, mbc1->mb_top);	/* LM password */
396 			mbc1->mb_top = NULL; /* consumed */
397 		}
398 		if (mbc2 && mbc2->mb_top) {
399 			mb_put_mbuf(mbp, mbc2->mb_top);	/* NT password */
400 			mbc2->mb_top = NULL; /* consumed */
401 		}
402 		mb_put_string(mbp, ctx->ct_user, uc);
403 		mb_put_string(mbp, ctx->ct_domain, uc);
404 	}
405 	mb_put_string(mbp, NativeOS, uc);
406 	mb_put_string(mbp, LanMan, uc);
407 	smb_rq_bend(rqp);
408 
409 	err = smb_rq_internal(ctx, rqp);
410 	if (err)
411 		goto out;
412 
413 	if (statusp)
414 		*statusp = rqp->rq_status;
415 
416 	/*
417 	 * If we have a real error, the response probably has
418 	 * no more data, so don't try to parse any more.
419 	 * Note: err=0, means rq_status is valid.
420 	 */
421 	if (rqp->rq_status != 0 &&
422 	    rqp->rq_status != NT_STATUS_MORE_PROCESSING_REQUIRED) {
423 		goto out;
424 	}
425 
426 	/*
427 	 * Parse the reply
428 	 */
429 	uc = rqp->rq_hflags2 & SMB_FLAGS2_UNICODE;
430 	is->is_smbuid = rqp->rq_uid;
431 	mbp = &rqp->rq_rp;
432 
433 	err = md_get_uint8(mbp, &wc);
434 	if (err)
435 		goto out;
436 
437 	err = EBADRPC; /* for any problems in this section */
438 	if (caps & SMB_CAP_EXT_SECURITY) {
439 		if (wc != 4)
440 			goto out;
441 		md_get_uint16le(mbp, NULL);	/* secondary cmd */
442 		md_get_uint16le(mbp, NULL);	/* andxoffset */
443 		md_get_uint16le(mbp, actionp);	/* action */
444 		md_get_uint16le(mbp, &sblen);	/* sec. blob len */
445 		md_get_uint16le(mbp, &bc);	/* byte count */
446 		/*
447 		 * Get the security blob, after
448 		 * sanity-checking the length.
449 		 */
450 		if (sblen == 0 || bc < sblen)
451 			goto out;
452 		err = md_get_mbuf(mbp, sblen, &m);
453 		if (err)
454 			goto out;
455 		mb_initm(mbc2, m);
456 		mbc2->mb_count = sblen;
457 	} else {
458 		if (wc != 3)
459 			goto out;
460 		md_get_uint16le(mbp, NULL);	/* secondary cmd */
461 		md_get_uint16le(mbp, NULL);	/* andxoffset */
462 		md_get_uint16le(mbp, actionp);	/* action */
463 		err = md_get_uint16le(mbp, &bc); /* byte count */
464 		if (err)
465 			goto out;
466 	}
467 
468 	/*
469 	 * Native OS, LANMGR, & Domain follow here.
470 	 * Parse these strings and store for later.
471 	 * If unicode, they should be aligned.
472 	 *
473 	 * Note that with Extended security, we may use
474 	 * multiple calls to this function.  Only parse
475 	 * these strings on the last one (status == 0).
476 	 * Ditto for the CAP_LARGE work-around.
477 	 */
478 	if (rqp->rq_status != 0)
479 		goto out;
480 
481 	/* Ignore any parsing errors for these strings. */
482 	err = md_get_string(mbp, &ctx->ct_srv_OS, uc);
483 	DPRINT("server OS: %s", err ? "?" : ctx->ct_srv_OS);
484 	err = md_get_string(mbp, &ctx->ct_srv_LM, uc);
485 	DPRINT("server LM: %s", err ? "?" : ctx->ct_srv_LM);
486 	/*
487 	 * There's sometimes a server domain folloing
488 	 * at this point, but we don't need it.
489 	 */
490 
491 	/* Success! (See Ignore any ... above) */
492 	err = 0;
493 
494 	/*
495 	 * Windows systems don't suport CAP_LARGE_READX,WRITEX
496 	 * when signing is enabled, so adjust sv_caps.
497 	 */
498 	if (ctx->ct_srv_OS &&
499 	    0 == strncmp(ctx->ct_srv_OS, "Windows ", 8)) {
500 		DPRINT("Server is Windows");
501 		if (ctx->ct_vcflags & SMBV_WILL_SIGN) {
502 			DPRINT("disable CAP_LARGE_(r/w)");
503 			ctx->ct_sopt.sv_caps &=
504 			    ~(SMB_CAP_LARGE_READX | SMB_CAP_LARGE_WRITEX);
505 		}
506 	}
507 
508 out:
509 	if (rqp)
510 		smb_rq_done(rqp);
511 
512 	return (err);
513 }
514