1/* 2 * Copyright (c) 2000-2001 Boris Popov 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by Boris Popov. 16 * 4. Neither the name of the author nor the names of any co-contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33/* 34 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved. 35 */ 36 37/* 38 * SMB Session Setup, and related. 39 * Copied from the driver: smb_smb.c 40 */ 41 42#include <errno.h> 43#include <stdio.h> 44#include <stdlib.h> 45#include <unistd.h> 46#include <strings.h> 47#include <netdb.h> 48#include <libintl.h> 49#include <xti.h> 50#include <assert.h> 51 52#include <sys/types.h> 53#include <sys/time.h> 54#include <sys/byteorder.h> 55#include <sys/socket.h> 56#include <sys/fcntl.h> 57 58#include <netinet/in.h> 59#include <netinet/tcp.h> 60#include <arpa/inet.h> 61 62#include <netsmb/mchain.h> 63#include <netsmb/netbios.h> 64#include <netsmb/smb_dev.h> 65#include <netsmb/smb.h> 66 67#include <netsmb/smb_lib.h> 68#include <netsmb/nb_lib.h> 69 70#include "private.h" 71#include "charsets.h" 72#include "ntlm.h" 73#include "smb_crypt.h" 74 75 76static int 77smb__ssnsetup(struct smb_ctx *ctx, 78 struct mbdata *mbc1, struct mbdata *mbc2, 79 uint32_t *statusp, uint16_t *actionp); 80 81/* 82 * Session Setup: NULL session (anonymous) 83 */ 84int 85smb_ssnsetup_null(struct smb_ctx *ctx) 86{ 87 int err; 88 uint32_t ntstatus; 89 uint16_t action = 0; 90 91 if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) { 92 /* Should not get here with... */ 93 err = EINVAL; 94 goto out; 95 } 96 97 err = smb__ssnsetup(ctx, NULL, NULL, &ntstatus, &action); 98 if (err) 99 goto out; 100 101 DPRINT("status 0x%x action 0x%x", ntstatus, (int)action); 102 if (ntstatus != 0) 103 err = EAUTH; 104 105out: 106 return (err); 107} 108 109 110/* 111 * SMB Session Setup, using NTLMv1 (and maybe LMv1) 112 */ 113int 114smb_ssnsetup_ntlm1(struct smb_ctx *ctx) 115{ 116 struct mbdata lm_mbc, nt_mbc; 117 int err; 118 uint32_t ntstatus; 119 uint16_t action = 0; 120 121 if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) { 122 /* Should not get here with... */ 123 err = EINVAL; 124 goto out; 125 } 126 127 /* Make mb_done calls at out safe. */ 128 bzero(&lm_mbc, sizeof (lm_mbc)); 129 bzero(&nt_mbc, sizeof (nt_mbc)); 130 131 /* Put the LM,NTLM responses (as mbdata). */ 132 err = ntlm_put_v1_responses(ctx, &lm_mbc, &nt_mbc); 133 if (err) 134 goto out; 135 136 /* 137 * If we negotiated signing, compute the MAC key 138 * and start signing messages, but only on the 139 * first non-null session login. 140 */ 141 if ((ctx->ct_vcflags & SMBV_WILL_SIGN) && 142 (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) { 143 struct mbuf *m = nt_mbc.mb_top; 144 char *p; 145 146 /* 147 * MAC_key = concat(session_key, nt_response) 148 */ 149 ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len; 150 ctx->ct_mackey = malloc(ctx->ct_mackeylen); 151 if (ctx->ct_mackey == NULL) { 152 ctx->ct_mackeylen = 0; 153 err = ENOMEM; 154 goto out; 155 } 156 p = ctx->ct_mackey; 157 memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ); 158 memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len); 159 160 /* OK, start signing! */ 161 ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE; 162 } 163 164 err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action); 165 if (err) 166 goto out; 167 168 DPRINT("status 0x%x action 0x%x", ntstatus, (int)action); 169 if (ntstatus != 0) 170 err = EAUTH; 171 172out: 173 mb_done(&lm_mbc); 174 mb_done(&nt_mbc); 175 176 return (err); 177} 178 179/* 180 * SMB Session Setup, using NTLMv2 (and LMv2) 181 */ 182int 183smb_ssnsetup_ntlm2(struct smb_ctx *ctx) 184{ 185 struct mbdata lm_mbc, nt_mbc, ti_mbc; 186 int err; 187 uint32_t ntstatus; 188 uint16_t action = 0; 189 190 if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) { 191 /* Should not get here with... */ 192 err = EINVAL; 193 goto out; 194 } 195 196 /* Make mb_done calls at out safe. */ 197 bzero(&lm_mbc, sizeof (lm_mbc)); 198 bzero(&nt_mbc, sizeof (nt_mbc)); 199 bzero(&ti_mbc, sizeof (ti_mbc)); 200 201 /* Build the NTLMv2 "target info" blob (as mbdata) */ 202 err = ntlm_build_target_info(ctx, NULL, &ti_mbc); 203 if (err) 204 goto out; 205 206 /* Put the LMv2, NTLMv2 responses (as mbdata). */ 207 err = ntlm_put_v2_responses(ctx, &ti_mbc, &lm_mbc, &nt_mbc); 208 if (err) 209 goto out; 210 211 /* 212 * If we negotiated signing, compute the MAC key 213 * and start signing messages, but only on the 214 * first non-null session login. 215 */ 216 if ((ctx->ct_vcflags & SMBV_WILL_SIGN) && 217 (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) { 218 struct mbuf *m = nt_mbc.mb_top; 219 char *p; 220 221 /* 222 * MAC_key = concat(session_key, nt_response) 223 */ 224 ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len; 225 ctx->ct_mackey = malloc(ctx->ct_mackeylen); 226 if (ctx->ct_mackey == NULL) { 227 ctx->ct_mackeylen = 0; 228 err = ENOMEM; 229 goto out; 230 } 231 p = ctx->ct_mackey; 232 memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ); 233 memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len); 234 235 /* OK, start signing! */ 236 ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE; 237 } 238 239 err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action); 240 if (err) 241 goto out; 242 243 DPRINT("status 0x%x action 0x%x", ntstatus, (int)action); 244 if (ntstatus != 0) 245 err = EAUTH; 246 247out: 248 mb_done(&ti_mbc); 249 mb_done(&lm_mbc); 250 mb_done(&nt_mbc); 251 252 return (err); 253} 254 255int 256smb_ssnsetup_spnego(struct smb_ctx *ctx, struct mbdata *hint_mb) 257{ 258 struct mbdata send_mb, recv_mb; 259 int err; 260 uint32_t ntstatus; 261 uint16_t action = 0; 262 263 err = ssp_ctx_create_client(ctx, hint_mb); 264 if (err) 265 goto out; 266 267 bzero(&send_mb, sizeof (send_mb)); 268 bzero(&recv_mb, sizeof (recv_mb)); 269 270 /* NULL input indicates first call. */ 271 err = ssp_ctx_next_token(ctx, NULL, &send_mb); 272 if (err) 273 goto out; 274 275 for (;;) { 276 err = smb__ssnsetup(ctx, &send_mb, &recv_mb, 277 &ntstatus, &action); 278 if (err) 279 goto out; 280 if (ntstatus == 0) 281 break; /* normal loop termination */ 282 if (ntstatus != NT_STATUS_MORE_PROCESSING_REQUIRED) { 283 err = EAUTH; 284 goto out; 285 } 286 287 /* middle calls get both in, out */ 288 err = ssp_ctx_next_token(ctx, &recv_mb, &send_mb); 289 if (err) 290 goto out; 291 } 292 DPRINT("status 0x%x action 0x%x", ntstatus, (int)action); 293 294 /* NULL output indicates last call. */ 295 (void) ssp_ctx_next_token(ctx, &recv_mb, NULL); 296 297out: 298 ssp_ctx_destroy(ctx); 299 300 return (err); 301} 302 303/* 304 * Session Setup function used for all the forms we support. 305 * To allow this sharing, the crypto stuff is computed by 306 * callers and passed in as mbdata chains. Also, the args 307 * have different meanings for extended security vs. old. 308 * Some may be used as either IN or OUT parameters. 309 * 310 * For NTLM (v1, v2), all parameters are inputs 311 * mbc1: [in] LM password hash 312 * mbc2: [in] NT password hash 313 * For Extended security (spnego) 314 * mbc1: [in] outgoing blob data 315 * mbc2: [out] received blob data 316 * For both forms, these are optional: 317 * statusp: [out] NT status 318 * actionp: [out] Logon Action (i.e. SMB_ACT_GUEST) 319 */ 320static int 321smb__ssnsetup(struct smb_ctx *ctx, 322 struct mbdata *mbc1, struct mbdata *mbc2, 323 uint32_t *statusp, uint16_t *actionp) 324{ 325 static const char NativeOS[] = "Solaris"; 326 static const char LanMan[] = "NETSMB"; 327 struct smb_sopt *sv = &ctx->ct_sopt; 328 struct smb_iods *is = &ctx->ct_iods; 329 struct smb_rq *rqp = NULL; 330 struct mbdata *mbp; 331 struct mbuf *m; 332 int err, uc; 333 uint32_t caps; 334 uint16_t bc, len1, len2, sblen; 335 uint8_t wc; 336 337 /* 338 * Some of the "capability" bits we offer will be copied 339 * from those offered by the server, with a mask applied. 340 * This is the mask of capabilies copied from the server. 341 * Some others get special handling below. 342 */ 343 static const uint32_t caps_mask = 344 SMB_CAP_UNICODE | 345 SMB_CAP_LARGE_FILES | 346 SMB_CAP_NT_SMBS | 347 SMB_CAP_STATUS32 | 348 SMB_CAP_EXT_SECURITY; 349 350 caps = ctx->ct_sopt.sv_caps & caps_mask; 351 uc = ctx->ct_hflags2 & SMB_FLAGS2_UNICODE; 352 353 err = smb_rq_init(ctx, SMB_COM_SESSION_SETUP_ANDX, &rqp); 354 if (err) 355 goto out; 356 357 /* 358 * Build the SMB request. 359 */ 360 mbp = &rqp->rq_rq; 361 smb_rq_wstart(rqp); 362 mb_put_uint16le(mbp, 0xff); /* 0: AndXCommand */ 363 mb_put_uint16le(mbp, 0); /* 1: AndXOffset */ 364 mb_put_uint16le(mbp, sv->sv_maxtx); /* 2: MaxBufferSize */ 365 mb_put_uint16le(mbp, sv->sv_maxmux); /* 3: MaxMpxCount */ 366 mb_put_uint16le(mbp, 1); /* 4: VcNumber */ 367 mb_put_uint32le(mbp, sv->sv_skey); /* 5,6: Session Key */ 368 369 if (caps & SMB_CAP_EXT_SECURITY) { 370 len1 = mbc1 ? mbc1->mb_count : 0; 371 mb_put_uint16le(mbp, len1); /* 7: Sec. Blob Len */ 372 mb_put_uint32le(mbp, 0); /* 8,9: reserved */ 373 mb_put_uint32le(mbp, caps); /* 10,11: Capabilities */ 374 smb_rq_wend(rqp); /* 12: Byte Count */ 375 smb_rq_bstart(rqp); 376 if (mbc1 && mbc1->mb_top) { 377 mb_put_mbuf(mbp, mbc1->mb_top); /* sec. blob */ 378 mbc1->mb_top = NULL; /* consumed */ 379 } 380 /* mbc2 is required below */ 381 if (mbc2 == NULL) { 382 err = EINVAL; 383 goto out; 384 } 385 } else { 386 len1 = mbc1 ? mbc1->mb_count : 0; 387 len2 = mbc2 ? mbc2->mb_count : 0; 388 mb_put_uint16le(mbp, len1); /* 7: LM pass. len */ 389 mb_put_uint16le(mbp, len2); /* 8: NT pass. len */ 390 mb_put_uint32le(mbp, 0); /* 9,10: reserved */ 391 mb_put_uint32le(mbp, caps); /* 11,12: Capabilities */ 392 smb_rq_wend(rqp); /* 13: Byte Count */ 393 smb_rq_bstart(rqp); 394 if (mbc1 && mbc1->mb_top) { 395 mb_put_mbuf(mbp, mbc1->mb_top); /* LM password */ 396 mbc1->mb_top = NULL; /* consumed */ 397 } 398 if (mbc2 && mbc2->mb_top) { 399 mb_put_mbuf(mbp, mbc2->mb_top); /* NT password */ 400 mbc2->mb_top = NULL; /* consumed */ 401 } 402 mb_put_string(mbp, ctx->ct_user, uc); 403 mb_put_string(mbp, ctx->ct_domain, uc); 404 } 405 mb_put_string(mbp, NativeOS, uc); 406 mb_put_string(mbp, LanMan, uc); 407 smb_rq_bend(rqp); 408 409 err = smb_rq_internal(ctx, rqp); 410 if (err) 411 goto out; 412 413 if (statusp) 414 *statusp = rqp->rq_status; 415 416 /* 417 * If we have a real error, the response probably has 418 * no more data, so don't try to parse any more. 419 * Note: err=0, means rq_status is valid. 420 */ 421 if (rqp->rq_status != 0 && 422 rqp->rq_status != NT_STATUS_MORE_PROCESSING_REQUIRED) { 423 goto out; 424 } 425 426 /* 427 * Parse the reply 428 */ 429 uc = rqp->rq_hflags2 & SMB_FLAGS2_UNICODE; 430 is->is_smbuid = rqp->rq_uid; 431 mbp = &rqp->rq_rp; 432 433 err = md_get_uint8(mbp, &wc); 434 if (err) 435 goto out; 436 437 err = EBADRPC; /* for any problems in this section */ 438 if (caps & SMB_CAP_EXT_SECURITY) { 439 if (wc != 4) 440 goto out; 441 md_get_uint16le(mbp, NULL); /* secondary cmd */ 442 md_get_uint16le(mbp, NULL); /* andxoffset */ 443 md_get_uint16le(mbp, actionp); /* action */ 444 md_get_uint16le(mbp, &sblen); /* sec. blob len */ 445 md_get_uint16le(mbp, &bc); /* byte count */ 446 /* 447 * Get the security blob, after 448 * sanity-checking the length. 449 */ 450 if (sblen == 0 || bc < sblen) 451 goto out; 452 err = md_get_mbuf(mbp, sblen, &m); 453 if (err) 454 goto out; 455 mb_initm(mbc2, m); 456 mbc2->mb_count = sblen; 457 } else { 458 if (wc != 3) 459 goto out; 460 md_get_uint16le(mbp, NULL); /* secondary cmd */ 461 md_get_uint16le(mbp, NULL); /* andxoffset */ 462 md_get_uint16le(mbp, actionp); /* action */ 463 err = md_get_uint16le(mbp, &bc); /* byte count */ 464 if (err) 465 goto out; 466 } 467 468 /* 469 * Native OS, LANMGR, & Domain follow here. 470 * Parse these strings and store for later. 471 * If unicode, they should be aligned. 472 * 473 * Note that with Extended security, we may use 474 * multiple calls to this function. Only parse 475 * these strings on the last one (status == 0). 476 * Ditto for the CAP_LARGE work-around. 477 */ 478 if (rqp->rq_status != 0) 479 goto out; 480 481 /* Ignore any parsing errors for these strings. */ 482 err = md_get_string(mbp, &ctx->ct_srv_OS, uc); 483 DPRINT("server OS: %s", err ? "?" : ctx->ct_srv_OS); 484 err = md_get_string(mbp, &ctx->ct_srv_LM, uc); 485 DPRINT("server LM: %s", err ? "?" : ctx->ct_srv_LM); 486 /* 487 * There's sometimes a server domain folloing 488 * at this point, but we don't need it. 489 */ 490 491 /* Success! (See Ignore any ... above) */ 492 err = 0; 493 494 /* 495 * Windows systems don't suport CAP_LARGE_READX,WRITEX 496 * when signing is enabled, so adjust sv_caps. 497 */ 498 if (ctx->ct_srv_OS && 499 0 == strncmp(ctx->ct_srv_OS, "Windows ", 8)) { 500 DPRINT("Server is Windows"); 501 if (ctx->ct_vcflags & SMBV_WILL_SIGN) { 502 DPRINT("disable CAP_LARGE_(r/w)"); 503 ctx->ct_sopt.sv_caps &= 504 ~(SMB_CAP_LARGE_READX | SMB_CAP_LARGE_WRITEX); 505 } 506 } 507 508out: 509 if (rqp) 510 smb_rq_done(rqp); 511 512 return (err); 513} 514