xref: /titanic_44/usr/src/lib/libsmbfs/smb/ssnsetup.c (revision 11d0a659fdd288190c17d8600ecd218e9a9b546d)
1 /*
2  * Copyright (c) 2000-2001 Boris Popov
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *    This product includes software developed by Boris Popov.
16  * 4. Neither the name of the author nor the names of any co-contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 /*
34  * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
35  */
36 
37 /*
38  * SMB Session Setup, and related.
39  * Copied from the driver: smb_smb.c
40  */
41 
42 #include <errno.h>
43 #include <stdio.h>
44 #include <stdlib.h>
45 #include <unistd.h>
46 #include <strings.h>
47 #include <netdb.h>
48 #include <libintl.h>
49 #include <xti.h>
50 #include <assert.h>
51 
52 #include <sys/types.h>
53 #include <sys/time.h>
54 #include <sys/byteorder.h>
55 #include <sys/socket.h>
56 #include <sys/fcntl.h>
57 
58 #include <netinet/in.h>
59 #include <netinet/tcp.h>
60 #include <arpa/inet.h>
61 
62 #include <netsmb/mchain.h>
63 #include <netsmb/netbios.h>
64 #include <netsmb/smb_dev.h>
65 #include <netsmb/smb.h>
66 
67 #include <netsmb/smb_lib.h>
68 #include <netsmb/nb_lib.h>
69 
70 #include "private.h"
71 #include "charsets.h"
72 #include "ntlm.h"
73 #include "smb_crypt.h"
74 
75 /*
76  * When we have a _real_ ntstatus.h, eliminate this.
77  * XXX: Current smb.h defines it without the high bits.
78  */
79 #define	STATUS_MORE_PROCESSING_REQUIRED 0xC0000016
80 
81 static int
82 smb__ssnsetup(struct smb_ctx *ctx,
83 	struct mbdata *mbc1, struct mbdata *mbc2,
84 	uint32_t *statusp, uint16_t *actionp);
85 
86 /*
87  * Session Setup: NULL session (anonymous)
88  */
89 int
90 smb_ssnsetup_null(struct smb_ctx *ctx)
91 {
92 	int err;
93 	uint32_t ntstatus;
94 	uint16_t action = 0;
95 
96 	if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
97 		/* Should not get here with... */
98 		err = EINVAL;
99 		goto out;
100 	}
101 
102 	err = smb__ssnsetup(ctx, NULL, NULL, &ntstatus, &action);
103 	if (err)
104 		goto out;
105 
106 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
107 	if (ntstatus != 0)
108 		err = EAUTH;
109 
110 out:
111 	return (err);
112 }
113 
114 
115 /*
116  * SMB Session Setup, using NTLMv1 (and maybe LMv1)
117  */
118 int
119 smb_ssnsetup_ntlm1(struct smb_ctx *ctx)
120 {
121 	struct mbdata lm_mbc, nt_mbc;
122 	int err;
123 	uint32_t ntstatus;
124 	uint16_t action = 0;
125 
126 	if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
127 		/* Should not get here with... */
128 		err = EINVAL;
129 		goto out;
130 	}
131 
132 	/* Make mb_done calls at out safe. */
133 	bzero(&lm_mbc, sizeof (lm_mbc));
134 	bzero(&nt_mbc, sizeof (nt_mbc));
135 
136 	/* Put the LM,NTLM responses (as mbdata). */
137 	err = ntlm_put_v1_responses(ctx, &lm_mbc, &nt_mbc);
138 	if (err)
139 		goto out;
140 
141 	/*
142 	 * If we negotiated signing, compute the MAC key
143 	 * and start signing messages, but only on the
144 	 * first non-null session login.
145 	 */
146 	if ((ctx->ct_vcflags & SMBV_WILL_SIGN) &&
147 	    (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) {
148 		struct mbuf *m = nt_mbc.mb_top;
149 		char *p;
150 
151 		/*
152 		 * MAC_key = concat(session_key, nt_response)
153 		 */
154 		ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len;
155 		ctx->ct_mackey = malloc(ctx->ct_mackeylen);
156 		if (ctx->ct_mackey == NULL) {
157 			ctx->ct_mackeylen = 0;
158 			err = ENOMEM;
159 			goto out;
160 		}
161 		p = ctx->ct_mackey;
162 		memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ);
163 		memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len);
164 
165 		/* OK, start signing! */
166 		ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE;
167 	}
168 
169 	err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action);
170 	if (err)
171 		goto out;
172 
173 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
174 	if (ntstatus != 0)
175 		err = EAUTH;
176 
177 out:
178 	mb_done(&lm_mbc);
179 	mb_done(&nt_mbc);
180 
181 	return (err);
182 }
183 
184 /*
185  * SMB Session Setup, using NTLMv2 (and LMv2)
186  */
187 int
188 smb_ssnsetup_ntlm2(struct smb_ctx *ctx)
189 {
190 	struct mbdata lm_mbc, nt_mbc, ti_mbc;
191 	int err;
192 	uint32_t ntstatus;
193 	uint16_t action = 0;
194 
195 	if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
196 		/* Should not get here with... */
197 		err = EINVAL;
198 		goto out;
199 	}
200 
201 	/* Make mb_done calls at out safe. */
202 	bzero(&lm_mbc, sizeof (lm_mbc));
203 	bzero(&nt_mbc, sizeof (nt_mbc));
204 	bzero(&ti_mbc, sizeof (ti_mbc));
205 
206 	/* Build the NTLMv2 "target info" blob (as mbdata) */
207 	err = ntlm_build_target_info(ctx, NULL, &ti_mbc);
208 	if (err)
209 		goto out;
210 
211 	/* Put the LMv2, NTLMv2 responses (as mbdata). */
212 	err = ntlm_put_v2_responses(ctx, &ti_mbc, &lm_mbc, &nt_mbc);
213 	if (err)
214 		goto out;
215 
216 	/*
217 	 * If we negotiated signing, compute the MAC key
218 	 * and start signing messages, but only on the
219 	 * first non-null session login.
220 	 */
221 	if ((ctx->ct_vcflags & SMBV_WILL_SIGN) &&
222 	    (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) {
223 		struct mbuf *m = nt_mbc.mb_top;
224 		char *p;
225 
226 		/*
227 		 * MAC_key = concat(session_key, nt_response)
228 		 */
229 		ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len;
230 		ctx->ct_mackey = malloc(ctx->ct_mackeylen);
231 		if (ctx->ct_mackey == NULL) {
232 			ctx->ct_mackeylen = 0;
233 			err = ENOMEM;
234 			goto out;
235 		}
236 		p = ctx->ct_mackey;
237 		memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ);
238 		memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len);
239 
240 		/* OK, start signing! */
241 		ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE;
242 	}
243 
244 	err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action);
245 	if (err)
246 		goto out;
247 
248 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
249 	if (ntstatus != 0)
250 		err = EAUTH;
251 
252 out:
253 	mb_done(&ti_mbc);
254 	mb_done(&lm_mbc);
255 	mb_done(&nt_mbc);
256 
257 	return (err);
258 }
259 
260 int
261 smb_ssnsetup_spnego(struct smb_ctx *ctx, struct mbdata *hint_mb)
262 {
263 	struct mbdata send_mb, recv_mb;
264 	int		err;
265 	uint32_t	ntstatus;
266 	uint16_t	action = 0;
267 
268 	err = ssp_ctx_create_client(ctx, hint_mb);
269 	if (err)
270 		goto out;
271 
272 	bzero(&send_mb, sizeof (send_mb));
273 	bzero(&recv_mb, sizeof (recv_mb));
274 
275 	/* NULL input indicates first call. */
276 	err = ssp_ctx_next_token(ctx, NULL, &send_mb);
277 	if (err)
278 		goto out;
279 
280 	for (;;) {
281 		err = smb__ssnsetup(ctx, &send_mb, &recv_mb,
282 		    &ntstatus, &action);
283 		if (err)
284 			goto out;
285 		if (ntstatus == 0)
286 			break; /* normal loop termination */
287 		if (ntstatus != STATUS_MORE_PROCESSING_REQUIRED) {
288 			err = EAUTH;
289 			goto out;
290 		}
291 
292 		/* middle calls get both in, out */
293 		err = ssp_ctx_next_token(ctx, &recv_mb, &send_mb);
294 		if (err)
295 			goto out;
296 	}
297 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
298 
299 	/* NULL output indicates last call. */
300 	(void) ssp_ctx_next_token(ctx, &recv_mb, NULL);
301 
302 out:
303 	ssp_ctx_destroy(ctx);
304 
305 	return (err);
306 }
307 
308 /*
309  * Session Setup function used for all the forms we support.
310  * To allow this sharing, the crypto stuff is computed by
311  * callers and passed in as mbdata chains.  Also, the args
312  * have different meanings for extended security vs. old.
313  * Some may be used as either IN or OUT parameters.
314  *
315  * For NTLM (v1, v2), all parameters are inputs
316  * 	mbc1: [in] LM password hash
317  * 	mbc2: [in] NT password hash
318  * For Extended security (spnego)
319  *	mbc1: [in]  outgoing blob data
320  *	mbc2: [out] received blob data
321  * For both forms, these are optional:
322  *	statusp: [out] NT status
323  *	actionp: [out] Logon Action (i.e. SMB_ACT_GUEST)
324  */
325 static int
326 smb__ssnsetup(struct smb_ctx *ctx,
327 	struct mbdata *mbc1, struct mbdata *mbc2,
328 	uint32_t *statusp, uint16_t *actionp)
329 {
330 	static const char NativeOS[] = "Solaris";
331 	static const char LanMan[] = "NETSMB";
332 	struct smb_sopt *sv = &ctx->ct_sopt;
333 	struct smb_iods *is = &ctx->ct_iods;
334 	struct smb_rq	*rqp = NULL;
335 	struct mbdata	*mbp;
336 	struct mbuf	*m;
337 	int err, uc;
338 	uint32_t caps;
339 	uint16_t bc, len1, len2, sblen;
340 	uint8_t wc;
341 
342 	/*
343 	 * Some of the "capability" bits we offer will be copied
344 	 * from those offered by the server, with a mask applied.
345 	 * This is the mask of capabilies copied from the server.
346 	 * Some others get special handling below.
347 	 */
348 	static const uint32_t caps_mask =
349 	    SMB_CAP_UNICODE |
350 	    SMB_CAP_LARGE_FILES |
351 	    SMB_CAP_NT_SMBS |
352 	    SMB_CAP_STATUS32 |
353 	    SMB_CAP_EXT_SECURITY;
354 
355 	caps = ctx->ct_sopt.sv_caps & caps_mask;
356 	uc = ctx->ct_hflags2 & SMB_FLAGS2_UNICODE;
357 
358 	err = smb_rq_init(ctx, SMB_COM_SESSION_SETUP_ANDX, &rqp);
359 	if (err)
360 		goto out;
361 
362 	/*
363 	 * Build the SMB request.
364 	 */
365 	mbp = &rqp->rq_rq;
366 	smb_rq_wstart(rqp);
367 	mb_put_uint16le(mbp, 0xff);		/* 0: AndXCommand */
368 	mb_put_uint16le(mbp, 0);		/* 1: AndXOffset */
369 	mb_put_uint16le(mbp, sv->sv_maxtx);	/* 2: MaxBufferSize */
370 	mb_put_uint16le(mbp, sv->sv_maxmux);	/* 3: MaxMpxCount */
371 	mb_put_uint16le(mbp, 1);		/* 4: VcNumber */
372 	mb_put_uint32le(mbp, sv->sv_skey);	/* 5,6: Session Key */
373 
374 	if (caps & SMB_CAP_EXT_SECURITY) {
375 		len1 = mbc1 ? mbc1->mb_count : 0;
376 		mb_put_uint16le(mbp, len1);	/* 7: Sec. Blob Len */
377 		mb_put_uint32le(mbp, 0);	/* 8,9: reserved */
378 		mb_put_uint32le(mbp, caps);	/* 10,11: Capabilities */
379 		smb_rq_wend(rqp);		/* 12: Byte Count */
380 		smb_rq_bstart(rqp);
381 		if (mbc1 && mbc1->mb_top) {
382 			mb_put_mbuf(mbp, mbc1->mb_top);	/* sec. blob */
383 			mbc1->mb_top = NULL; /* consumed */
384 		}
385 		/* mbc2 is required below */
386 		if (mbc2 == NULL) {
387 			err = EINVAL;
388 			goto out;
389 		}
390 	} else {
391 		len1 = mbc1 ? mbc1->mb_count : 0;
392 		len2 = mbc2 ? mbc2->mb_count : 0;
393 		mb_put_uint16le(mbp, len1);	/* 7: LM pass. len */
394 		mb_put_uint16le(mbp, len2);	/* 8: NT pass. len */
395 		mb_put_uint32le(mbp, 0);	/* 9,10: reserved */
396 		mb_put_uint32le(mbp, caps);	/* 11,12: Capabilities */
397 		smb_rq_wend(rqp);		/* 13: Byte Count */
398 		smb_rq_bstart(rqp);
399 		if (mbc1 && mbc1->mb_top) {
400 			mb_put_mbuf(mbp, mbc1->mb_top);	/* LM password */
401 			mbc1->mb_top = NULL; /* consumed */
402 		}
403 		if (mbc2 && mbc2->mb_top) {
404 			mb_put_mbuf(mbp, mbc2->mb_top);	/* NT password */
405 			mbc2->mb_top = NULL; /* consumed */
406 		}
407 		mb_put_string(mbp, ctx->ct_user, uc);
408 		mb_put_string(mbp, ctx->ct_domain, uc);
409 	}
410 	mb_put_string(mbp, NativeOS, uc);
411 	mb_put_string(mbp, LanMan, uc);
412 	smb_rq_bend(rqp);
413 
414 	err = smb_rq_internal(ctx, rqp);
415 	if (err)
416 		goto out;
417 
418 	if (statusp)
419 		*statusp = rqp->rq_status;
420 
421 	/*
422 	 * If we have a real error, the response probably has
423 	 * no more data, so don't try to parse any more.
424 	 * Note: err=0, means rq_status is valid.
425 	 */
426 	if (rqp->rq_status != 0 &&
427 	    rqp->rq_status != STATUS_MORE_PROCESSING_REQUIRED) {
428 		goto out;
429 	}
430 
431 	/*
432 	 * Parse the reply
433 	 */
434 	uc = rqp->rq_hflags2 & SMB_FLAGS2_UNICODE;
435 	is->is_smbuid = rqp->rq_uid;
436 	mbp = &rqp->rq_rp;
437 
438 	err = md_get_uint8(mbp, &wc);
439 	if (err)
440 		goto out;
441 
442 	err = EBADRPC; /* for any problems in this section */
443 	if (caps & SMB_CAP_EXT_SECURITY) {
444 		if (wc != 4)
445 			goto out;
446 		md_get_uint16le(mbp, NULL);	/* secondary cmd */
447 		md_get_uint16le(mbp, NULL);	/* andxoffset */
448 		md_get_uint16le(mbp, actionp);	/* action */
449 		md_get_uint16le(mbp, &sblen);	/* sec. blob len */
450 		md_get_uint16le(mbp, &bc);	/* byte count */
451 		/*
452 		 * Get the security blob, after
453 		 * sanity-checking the length.
454 		 */
455 		if (sblen == 0 || bc < sblen)
456 			goto out;
457 		err = md_get_mbuf(mbp, sblen, &m);
458 		if (err)
459 			goto out;
460 		mb_initm(mbc2, m);
461 		mbc2->mb_count = sblen;
462 	} else {
463 		if (wc != 3)
464 			goto out;
465 		md_get_uint16le(mbp, NULL);	/* secondary cmd */
466 		md_get_uint16le(mbp, NULL);	/* andxoffset */
467 		md_get_uint16le(mbp, actionp);	/* action */
468 		err = md_get_uint16le(mbp, &bc); /* byte count */
469 		if (err)
470 			goto out;
471 	}
472 
473 	/*
474 	 * Native OS, LANMGR, & Domain follow here.
475 	 * Parse these strings and store for later.
476 	 * If unicode, they should be aligned.
477 	 *
478 	 * Note that with Extended security, we may use
479 	 * multiple calls to this function.  Only parse
480 	 * these strings on the last one (status == 0).
481 	 * Ditto for the CAP_LARGE work-around.
482 	 */
483 	if (rqp->rq_status != 0)
484 		goto out;
485 
486 	/* Ignore any parsing errors for these strings. */
487 	err = md_get_string(mbp, &ctx->ct_srv_OS, uc);
488 	DPRINT("server OS: %s", err ? "?" : ctx->ct_srv_OS);
489 	err = md_get_string(mbp, &ctx->ct_srv_LM, uc);
490 	DPRINT("server LM: %s", err ? "?" : ctx->ct_srv_LM);
491 	/*
492 	 * There's sometimes a server domain folloing
493 	 * at this point, but we don't need it.
494 	 */
495 
496 	/* Success! (See Ignore any ... above) */
497 	err = 0;
498 
499 	/*
500 	 * Windows systems don't suport CAP_LARGE_READX,WRITEX
501 	 * when signing is enabled, so adjust sv_caps.
502 	 */
503 	if (ctx->ct_srv_OS &&
504 	    0 == strncmp(ctx->ct_srv_OS, "Windows ", 8)) {
505 		DPRINT("Server is Windows");
506 		if (ctx->ct_vcflags & SMBV_WILL_SIGN) {
507 			DPRINT("disable CAP_LARGE_(r/w)");
508 			ctx->ct_sopt.sv_caps &=
509 			    ~(SMB_CAP_LARGE_READX | SMB_CAP_LARGE_WRITEX);
510 		}
511 	}
512 
513 out:
514 	if (rqp)
515 		smb_rq_done(rqp);
516 
517 	return (err);
518 }
519