xref: /titanic_52/usr/src/lib/libsmbfs/smb/ssnsetup.c (revision 96a62ada8aa6cb19b04270da282e7e21ba74b808)
1 /*
2  * Copyright (c) 2000-2001 Boris Popov
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *    This product includes software developed by Boris Popov.
16  * 4. Neither the name of the author nor the names of any co-contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 /*
34  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
35  * Use is subject to license terms.
36  */
37 
38 /*
39  * SMB Session Setup, and related.
40  * Copied from the driver: smb_smb.c
41  */
42 
43 #include <errno.h>
44 #include <stdio.h>
45 #include <stdlib.h>
46 #include <unistd.h>
47 #include <strings.h>
48 #include <netdb.h>
49 #include <libintl.h>
50 #include <xti.h>
51 #include <assert.h>
52 
53 #include <sys/types.h>
54 #include <sys/time.h>
55 #include <sys/byteorder.h>
56 #include <sys/socket.h>
57 #include <sys/fcntl.h>
58 
59 #include <netinet/in.h>
60 #include <netinet/tcp.h>
61 #include <arpa/inet.h>
62 
63 #include <netsmb/mchain.h>
64 #include <netsmb/netbios.h>
65 #include <netsmb/smb_dev.h>
66 #include <netsmb/smb.h>
67 
68 #include <netsmb/smb_lib.h>
69 #include <netsmb/nb_lib.h>
70 
71 #include "private.h"
72 #include "charsets.h"
73 #include "ntlm.h"
74 #include "smb_crypt.h"
75 
76 /*
77  * When we have a _real_ ntstatus.h, eliminate this.
78  * XXX: Current smb.h defines it without the high bits.
79  */
80 #define	STATUS_MORE_PROCESSING_REQUIRED 0xC0000016
81 
82 static int
83 smb__ssnsetup(struct smb_ctx *ctx,
84 	struct mbdata *mbc1, struct mbdata *mbc2,
85 	uint32_t *statusp, uint16_t *actionp);
86 
87 /*
88  * Session Setup: NULL session (anonymous)
89  */
90 int
91 smb_ssnsetup_null(struct smb_ctx *ctx)
92 {
93 	int err;
94 	uint32_t ntstatus;
95 	uint16_t action = 0;
96 
97 	if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
98 		/* Should not get here with... */
99 		err = EINVAL;
100 		goto out;
101 	}
102 
103 	err = smb__ssnsetup(ctx, NULL, NULL, &ntstatus, &action);
104 	if (err)
105 		goto out;
106 
107 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
108 	if (ntstatus != 0)
109 		err = EAUTH;
110 
111 out:
112 	return (err);
113 }
114 
115 
116 /*
117  * SMB Session Setup, using NTLMv1 (and maybe LMv1)
118  */
119 int
120 smb_ssnsetup_ntlm1(struct smb_ctx *ctx)
121 {
122 	struct mbdata lm_mbc, nt_mbc;
123 	int err;
124 	uint32_t ntstatus;
125 	uint16_t action = 0;
126 
127 	if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
128 		/* Should not get here with... */
129 		err = EINVAL;
130 		goto out;
131 	}
132 
133 	/* Make mb_done calls at out safe. */
134 	bzero(&lm_mbc, sizeof (lm_mbc));
135 	bzero(&nt_mbc, sizeof (nt_mbc));
136 
137 	/* Put the LM,NTLM responses (as mbdata). */
138 	err = ntlm_put_v1_responses(ctx, &lm_mbc, &nt_mbc);
139 	if (err)
140 		goto out;
141 
142 	/*
143 	 * If we negotiated signing, compute the MAC key
144 	 * and start signing messages, but only on the
145 	 * first non-null session login.
146 	 */
147 	if ((ctx->ct_vcflags & SMBV_WILL_SIGN) &&
148 	    (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) {
149 		struct mbuf *m = nt_mbc.mb_top;
150 		char *p;
151 
152 		/*
153 		 * MAC_key = concat(session_key, nt_response)
154 		 */
155 		ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len;
156 		ctx->ct_mackey = malloc(ctx->ct_mackeylen);
157 		if (ctx->ct_mackey == NULL) {
158 			ctx->ct_mackeylen = 0;
159 			err = ENOMEM;
160 			goto out;
161 		}
162 		p = ctx->ct_mackey;
163 		memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ);
164 		memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len);
165 
166 		/* OK, start signing! */
167 		ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE;
168 	}
169 
170 	err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action);
171 	if (err)
172 		goto out;
173 
174 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
175 	if (ntstatus != 0)
176 		err = EAUTH;
177 
178 out:
179 	mb_done(&lm_mbc);
180 	mb_done(&nt_mbc);
181 
182 	return (err);
183 }
184 
185 /*
186  * SMB Session Setup, using NTLMv2 (and LMv2)
187  */
188 int
189 smb_ssnsetup_ntlm2(struct smb_ctx *ctx)
190 {
191 	struct mbdata lm_mbc, nt_mbc, ti_mbc;
192 	int err;
193 	uint32_t ntstatus;
194 	uint16_t action = 0;
195 
196 	if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
197 		/* Should not get here with... */
198 		err = EINVAL;
199 		goto out;
200 	}
201 
202 	/* Make mb_done calls at out safe. */
203 	bzero(&lm_mbc, sizeof (lm_mbc));
204 	bzero(&nt_mbc, sizeof (nt_mbc));
205 	bzero(&ti_mbc, sizeof (ti_mbc));
206 
207 	/* Build the NTLMv2 "target info" blob (as mbdata) */
208 	err = ntlm_build_target_info(ctx, NULL, &ti_mbc);
209 	if (err)
210 		goto out;
211 
212 	/* Put the LMv2, NTLMv2 responses (as mbdata). */
213 	err = ntlm_put_v2_responses(ctx, &ti_mbc, &lm_mbc, &nt_mbc);
214 	if (err)
215 		goto out;
216 
217 	/*
218 	 * If we negotiated signing, compute the MAC key
219 	 * and start signing messages, but only on the
220 	 * first non-null session login.
221 	 */
222 	if ((ctx->ct_vcflags & SMBV_WILL_SIGN) &&
223 	    (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) {
224 		struct mbuf *m = nt_mbc.mb_top;
225 		char *p;
226 
227 		/*
228 		 * MAC_key = concat(session_key, nt_response)
229 		 */
230 		ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len;
231 		ctx->ct_mackey = malloc(ctx->ct_mackeylen);
232 		if (ctx->ct_mackey == NULL) {
233 			ctx->ct_mackeylen = 0;
234 			err = ENOMEM;
235 			goto out;
236 		}
237 		p = ctx->ct_mackey;
238 		memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ);
239 		memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len);
240 
241 		/* OK, start signing! */
242 		ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE;
243 	}
244 
245 	err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action);
246 	if (err)
247 		goto out;
248 
249 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
250 	if (ntstatus != 0)
251 		err = EAUTH;
252 
253 out:
254 	mb_done(&ti_mbc);
255 	mb_done(&lm_mbc);
256 	mb_done(&nt_mbc);
257 
258 	return (err);
259 }
260 
261 int
262 smb_ssnsetup_spnego(struct smb_ctx *ctx, struct mbdata *hint_mb)
263 {
264 	struct mbdata send_mb, recv_mb;
265 	int		err;
266 	uint32_t	ntstatus;
267 	uint16_t	action = 0;
268 
269 	err = ssp_ctx_create_client(ctx, hint_mb);
270 	if (err)
271 		goto out;
272 
273 	bzero(&send_mb, sizeof (send_mb));
274 	bzero(&recv_mb, sizeof (recv_mb));
275 
276 	/* NULL input indicates first call. */
277 	err = ssp_ctx_next_token(ctx, NULL, &send_mb);
278 	if (err)
279 		goto out;
280 
281 	for (;;) {
282 		err = smb__ssnsetup(ctx, &send_mb, &recv_mb,
283 		    &ntstatus, &action);
284 		if (err)
285 			goto out;
286 		if (ntstatus == 0)
287 			break; /* normal loop termination */
288 		if (ntstatus != STATUS_MORE_PROCESSING_REQUIRED) {
289 			err = EAUTH;
290 			break;
291 		}
292 
293 		/* middle calls get both in, out */
294 		err = ssp_ctx_next_token(ctx, &recv_mb, &send_mb);
295 		if (err)
296 			goto out;
297 	}
298 	DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
299 
300 	/* NULL output indicates last call. */
301 	(void) ssp_ctx_next_token(ctx, &recv_mb, NULL);
302 
303 out:
304 	ssp_ctx_destroy(ctx);
305 
306 	return (err);
307 }
308 
309 /*
310  * Session Setup function used for all the forms we support.
311  * To allow this sharing, the crypto stuff is computed by
312  * callers and passed in as mbdata chains.  Also, the args
313  * have different meanings for extended security vs. old.
314  * Some may be used as either IN or OUT parameters.
315  *
316  * For NTLM (v1, v2), all parameters are inputs
317  * 	mbc1: [in] LM password hash
318  * 	mbc2: [in] NT password hash
319  * For Extended security (spnego)
320  *	mbc1: [in]  outgoing blob data
321  *	mbc2: [out] received blob data
322  * For both forms, these are optional:
323  *	statusp: [out] NT status
324  *	actionp: [out] Logon Action (i.e. SMB_ACT_GUEST)
325  */
326 static int
327 smb__ssnsetup(struct smb_ctx *ctx,
328 	struct mbdata *mbc1, struct mbdata *mbc2,
329 	uint32_t *statusp, uint16_t *actionp)
330 {
331 	static const char NativeOS[] = "Solaris";
332 	static const char LanMan[] = "NETSMB";
333 	struct smb_sopt *sv = &ctx->ct_sopt;
334 	struct smb_iods *is = &ctx->ct_iods;
335 	struct smb_rq	*rqp = NULL;
336 	struct mbdata	*mbp;
337 	struct mbuf	*m;
338 	int err, uc;
339 	uint32_t caps;
340 	uint16_t bc, len1, len2, sblen;
341 	uint8_t wc;
342 
343 	/*
344 	 * Some of the "capability" bits we offer will be copied
345 	 * from those offered by the server, with a mask applied.
346 	 * This is the mask of capabilies copied from the server.
347 	 * Some others get special handling below.
348 	 */
349 	static const uint32_t caps_mask =
350 	    SMB_CAP_UNICODE |
351 	    SMB_CAP_LARGE_FILES |
352 	    SMB_CAP_NT_SMBS |
353 	    SMB_CAP_STATUS32 |
354 	    SMB_CAP_EXT_SECURITY;
355 
356 	caps = ctx->ct_sopt.sv_caps & caps_mask;
357 	uc = ctx->ct_hflags2 & SMB_FLAGS2_UNICODE;
358 
359 	err = smb_rq_init(ctx, SMB_COM_SESSION_SETUP_ANDX, &rqp);
360 	if (err)
361 		goto out;
362 
363 	/*
364 	 * Build the SMB request.
365 	 */
366 	mbp = &rqp->rq_rq;
367 	smb_rq_wstart(rqp);
368 	mb_put_uint16le(mbp, 0xff);		/* 0: AndXCommand */
369 	mb_put_uint16le(mbp, 0);		/* 1: AndXOffset */
370 	mb_put_uint16le(mbp, sv->sv_maxtx);	/* 2: MaxBufferSize */
371 	mb_put_uint16le(mbp, sv->sv_maxmux);	/* 3: MaxMpxCount */
372 	mb_put_uint16le(mbp, 1);		/* 4: VcNumber */
373 	mb_put_uint32le(mbp, sv->sv_skey);	/* 5,6: Session Key */
374 
375 	if (caps & SMB_CAP_EXT_SECURITY) {
376 		len1 = mbc1 ? mbc1->mb_count : 0;
377 		mb_put_uint16le(mbp, len1);	/* 7: Sec. Blob Len */
378 		mb_put_uint32le(mbp, 0);	/* 8,9: reserved */
379 		mb_put_uint32le(mbp, caps);	/* 10,11: Capabilities */
380 		smb_rq_wend(rqp);		/* 12: Byte Count */
381 		smb_rq_bstart(rqp);
382 		if (mbc1 && mbc1->mb_top) {
383 			mb_put_mbuf(mbp, mbc1->mb_top);	/* sec. blob */
384 			mbc1->mb_top = NULL; /* consumed */
385 		}
386 		/* mbc2 is required below */
387 		if (mbc2 == NULL) {
388 			err = EINVAL;
389 			goto out;
390 		}
391 	} else {
392 		len1 = mbc1 ? mbc1->mb_count : 0;
393 		len2 = mbc2 ? mbc2->mb_count : 0;
394 		mb_put_uint16le(mbp, len1);	/* 7: LM pass. len */
395 		mb_put_uint16le(mbp, len2);	/* 8: NT pass. len */
396 		mb_put_uint32le(mbp, 0);	/* 9,10: reserved */
397 		mb_put_uint32le(mbp, caps);	/* 11,12: Capabilities */
398 		smb_rq_wend(rqp);		/* 13: Byte Count */
399 		smb_rq_bstart(rqp);
400 		if (mbc1 && mbc1->mb_top) {
401 			mb_put_mbuf(mbp, mbc1->mb_top);	/* LM password */
402 			mbc1->mb_top = NULL; /* consumed */
403 		}
404 		if (mbc2 && mbc2->mb_top) {
405 			mb_put_mbuf(mbp, mbc2->mb_top);	/* NT password */
406 			mbc2->mb_top = NULL; /* consumed */
407 		}
408 		mb_put_string(mbp, ctx->ct_user, uc);
409 		mb_put_string(mbp, ctx->ct_domain, uc);
410 	}
411 	mb_put_string(mbp, NativeOS, uc);
412 	mb_put_string(mbp, LanMan, uc);
413 	smb_rq_bend(rqp);
414 
415 	err = smb_rq_internal(ctx, rqp);
416 	if (err)
417 		goto out;
418 
419 	if (statusp)
420 		*statusp = rqp->rq_status;
421 
422 	/*
423 	 * If we have a real error, the response probably has
424 	 * no more data, so don't try to parse any more.
425 	 * Note: err=0, means rq_status is valid.
426 	 */
427 	if (rqp->rq_status != 0 &&
428 	    rqp->rq_status != STATUS_MORE_PROCESSING_REQUIRED) {
429 		goto out;
430 	}
431 
432 	/*
433 	 * Parse the reply
434 	 */
435 	uc = rqp->rq_hflags2 & SMB_FLAGS2_UNICODE;
436 	is->is_smbuid = rqp->rq_uid;
437 	mbp = &rqp->rq_rp;
438 
439 	err = md_get_uint8(mbp, &wc);
440 	if (err)
441 		goto out;
442 
443 	err = EBADRPC; /* for any problems in this section */
444 	if (caps & SMB_CAP_EXT_SECURITY) {
445 		if (wc != 4)
446 			goto out;
447 		md_get_uint16le(mbp, NULL);	/* secondary cmd */
448 		md_get_uint16le(mbp, NULL);	/* andxoffset */
449 		md_get_uint16le(mbp, actionp);	/* action */
450 		md_get_uint16le(mbp, &sblen);	/* sec. blob len */
451 		md_get_uint16le(mbp, &bc);	/* byte count */
452 		/*
453 		 * Get the security blob, after
454 		 * sanity-checking the length.
455 		 */
456 		if (sblen == 0 || bc < sblen)
457 			goto out;
458 		err = md_get_mbuf(mbp, sblen, &m);
459 		if (err)
460 			goto out;
461 		mb_initm(mbc2, m);
462 		mbc2->mb_count = sblen;
463 	} else {
464 		if (wc != 3)
465 			goto out;
466 		md_get_uint16le(mbp, NULL);	/* secondary cmd */
467 		md_get_uint16le(mbp, NULL);	/* andxoffset */
468 		md_get_uint16le(mbp, actionp);	/* action */
469 		err = md_get_uint16le(mbp, &bc); /* byte count */
470 		if (err)
471 			goto out;
472 	}
473 
474 	/*
475 	 * Native OS, LANMGR, & Domain follow here.
476 	 * Parse these strings and store for later.
477 	 * If unicode, they should be aligned.
478 	 *
479 	 * Note that with Extended security, we may use
480 	 * multiple calls to this function.  Only parse
481 	 * these strings on the last one (status == 0).
482 	 * Ditto for the CAP_LARGE work-around.
483 	 */
484 	if (rqp->rq_status != 0)
485 		goto out;
486 
487 	/* Ignore any parsing errors for these strings. */
488 	err = md_get_string(mbp, &ctx->ct_srv_OS, uc);
489 	DPRINT("server OS: %s", err ? "?" : ctx->ct_srv_OS);
490 	err = md_get_string(mbp, &ctx->ct_srv_LM, uc);
491 	DPRINT("server LM: %s", err ? "?" : ctx->ct_srv_LM);
492 	/*
493 	 * There's sometimes a server domain folloing
494 	 * at this point, but we don't need it.
495 	 */
496 
497 	/* Success! (See Ignore any ... above) */
498 	err = 0;
499 
500 	/*
501 	 * Windows systems don't suport CAP_LARGE_READX,WRITEX
502 	 * when signing is enabled, so adjust sv_caps.
503 	 */
504 	if (ctx->ct_srv_OS &&
505 	    0 == strncmp(ctx->ct_srv_OS, "Windows ", 8)) {
506 		DPRINT("Server is Windows");
507 		if (ctx->ct_vcflags & SMBV_WILL_SIGN) {
508 			DPRINT("disable CAP_LARGE_(r/w)");
509 			ctx->ct_sopt.sv_caps &=
510 			    ~(SMB_CAP_LARGE_READX | SMB_CAP_LARGE_WRITEX);
511 		}
512 	}
513 
514 out:
515 	if (rqp)
516 		smb_rq_done(rqp);
517 
518 	return (err);
519 }
520