struct sesssetup_state {
union smb_sesssetup setup;
- NTSTATUS session_key_err;
+ NTSTATUS gensec_status;
struct smb_composite_sesssetup *io;
struct smbcli_request *req;
};
struct smbcli_session *session = req->session;
DATA_BLOB session_key = data_blob(NULL, 0);
DATA_BLOB null_data_blob = data_blob(NULL, 0);
+ NTSTATUS session_key_err;
c->status = smb_raw_sesssetup_recv(req, state, &state->setup);
!NT_STATUS_IS_OK(c->status)) {
break;
}
- c->status = gensec_update(session->gensec, state,
- state->setup.spnego.out.secblob,
- &state->setup.spnego.in.secblob);
- if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
- !NT_STATUS_IS_OK(c->status)) {
- break;
- }
- if (state->setup.spnego.in.secblob.length == 0) {
- break;
+ if (NT_STATUS_EQUAL(state->gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+
+ /* The status value here, from the earlier pass at GENSEC is
+ * vital to the security of the system. Even if the other end
+ * accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
+ * you must keep feeding it blobs, or else the remote
+ * host/attacker might avoid mutal authentication
+ * requirements */
+
+ state->gensec_status = gensec_update(session->gensec, state,
+ state->setup.spnego.out.secblob,
+ &state->setup.spnego.in.secblob);
+ c->status = state->gensec_status;
+ if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
+ !NT_STATUS_IS_OK(c->status)) {
+ break;
+ }
+ } else {
+ state->setup.spnego.in.secblob = data_blob(NULL, 0);
}
-
+
/* we need to do another round of session setup. We keep going until both sides
are happy */
- state->session_key_err = gensec_session_key(session->gensec, &session_key);
- if (NT_STATUS_IS_OK(state->session_key_err)) {
+ session_key_err = gensec_session_key(session->gensec, &session_key);
+ if (NT_STATUS_IS_OK(session_key_err)) {
set_user_session_key(session, &session_key);
smbcli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
}
- state->req = smb_raw_sesssetup_send(session, &state->setup);
- state->req->async.fn = request_handler;
- state->req->async.private = c;
- return;
+ if (state->setup.spnego.in.secblob.length) {
+ state->req = smb_raw_sesssetup_send(session, &state->setup);
+ state->req->async.fn = request_handler;
+ state->req->async.private = c;
+ return;
+ }
}
/* enforce the local signing required flag */
/*
send a nt1 style session setup
*/
-static struct smbcli_request *session_setup_nt1(struct composite_context *c,
- struct smbcli_session *session,
- struct smb_composite_sesssetup *io)
+static NTSTATUS session_setup_nt1(struct composite_context *c,
+ struct smbcli_session *session,
+ struct smb_composite_sesssetup *io,
+ struct smbcli_request **req)
{
struct sesssetup_state *state = talloc_get_type(c->private, struct sesssetup_state);
const struct samr_Password *nt_hash = cli_credentials_get_nt_hash(io->in.credentials, state);
&lmv2_response, &ntlmv2_response,
&lmv2_session_key, &session_key)) {
data_blob_free(&names_blob);
- return NULL;
+ return NT_STATUS_NO_MEMORY;
}
data_blob_free(&names_blob);
state->setup.nt1.in.password1 = lmv2_response;
state->setup.nt1.in.password2 = data_blob(NULL, 0);
} else {
/* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
- return NULL;
+ return NT_STATUS_INVALID_PARAMETER;
}
- return smb_raw_sesssetup_send(session, &state->setup);
+ *req = smb_raw_sesssetup_send(session, &state->setup);
+ if (!*req) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return (*req)->status;
}
/*
old style session setup (pre NT1 protocol level)
*/
-static struct smbcli_request *session_setup_old(struct composite_context *c,
- struct smbcli_session *session,
- struct smb_composite_sesssetup *io)
+static NTSTATUS session_setup_old(struct composite_context *c,
+ struct smbcli_session *session,
+ struct smb_composite_sesssetup *io,
+ struct smbcli_request **req)
{
struct sesssetup_state *state = talloc_get_type(c->private, struct sesssetup_state);
const char *password = cli_credentials_get_password(io->in.credentials);
strlen(password));
}
- return smb_raw_sesssetup_send(session, &state->setup);
+ *req = smb_raw_sesssetup_send(session, &state->setup);
+ if (!*req) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return (*req)->status;
}
/*
- old style session setup (pre NT1 protocol level)
+ Modern, all singing, all dancing extended security (and possibly SPNEGO) request
*/
-static struct smbcli_request *session_setup_spnego(struct composite_context *c,
- struct smbcli_session *session,
- struct smb_composite_sesssetup *io)
+static NTSTATUS session_setup_spnego(struct composite_context *c,
+ struct smbcli_session *session,
+ struct smb_composite_sesssetup *io,
+ struct smbcli_request **req)
{
struct sesssetup_state *state = talloc_get_type(c->private, struct sesssetup_state);
- NTSTATUS status;
+ NTSTATUS status, session_key_err;
DATA_BLOB session_key = data_blob(NULL, 0);
DATA_BLOB null_data_blob = data_blob(NULL, 0);
const char *chosen_oid = NULL;
status = gensec_client_start(session, &session->gensec, c->event_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
- return NULL;
+ return status;
}
gensec_want_feature(session->gensec, GENSEC_FEATURE_SESSION_KEY);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client credentails: %s\n",
nt_errstr(status)));
- return NULL;
+ return status;
}
status = gensec_set_target_hostname(session->gensec, session->transport->socket->hostname);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
nt_errstr(status)));
- return NULL;
+ return status;
}
status = gensec_set_target_service(session->gensec, "cifs");
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
nt_errstr(status)));
- return NULL;
+ return status;
}
if (session->transport->negotiate.secblob.length) {
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism %s: %s\n",
gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
- return NULL;
+ return status;
}
status = gensec_update(session->gensec, state,
session->transport->negotiate.secblob,
&state->setup.spnego.in.secblob);
- if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
+ !NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
- return NULL;
+ return status;
}
+ state->gensec_status = status;
- state->session_key_err = gensec_session_key(session->gensec, &session_key);
- if (NT_STATUS_IS_OK(state->session_key_err)) {
+ session_key_err = gensec_session_key(session->gensec, &session_key);
+ if (NT_STATUS_IS_OK(session_key_err)) {
smbcli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
}
- return smb_raw_sesssetup_send(session, &state->setup);
+ *req = smb_raw_sesssetup_send(session, &state->setup);
+ if (!*req) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return (*req)->status;
}
{
struct composite_context *c;
struct sesssetup_state *state;
+ NTSTATUS status;
c = talloc_zero(session, struct composite_context);
- if (c == NULL) goto failed;
+ if (c == NULL) return NULL;
state = talloc(c, struct sesssetup_state);
- if (state == NULL) goto failed;
+ if (state == NULL) {
+ c->state = SMBCLI_REQUEST_ERROR;
+ c->status = NT_STATUS_NO_MEMORY;
+ }
state->io = io;
/* see what session setup interface we will use */
if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
- state->req = session_setup_old(c, session, io);
+ status = session_setup_old(c, session, io, &state->req);
} else if (!session->transport->options.use_spnego ||
!(io->in.capabilities & CAP_EXTENDED_SECURITY)) {
- state->req = session_setup_nt1(c, session, io);
+ status = session_setup_nt1(c, session, io, &state->req);
} else {
- state->req = session_setup_spnego(c, session, io);
+ status = session_setup_spnego(c, session, io, &state->req);
}
- if (state->req == NULL) goto failed;
-
- state->req->async.fn = request_handler;
- state->req->async.private = c;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) ||
+ NT_STATUS_IS_OK(status)) {
+ state->req->async.fn = request_handler;
+ state->req->async.private = c;
+ return c;
+ }
+ c->state = SMBCLI_REQUEST_ERROR;
+ c->status = status;
return c;
-
-failed:
- talloc_free(c);
- return NULL;
}
{
NTSTATUS status;
TALLOC_CTX *tmp_ctx = NULL;
+
DATA_BLOB input = data_blob(NULL, 0);
DATA_BLOB output = data_blob(NULL, 0);
tmp_ctx = talloc_new(conn);
if (tmp_ctx == NULL) goto failed;
- status = gensec_update(conn->gensec, tmp_ctx, input, &output);
-
while (1) {
+ NTSTATUS gensec_status;
struct ldap_message *response;
struct ldap_message *msg;
struct ldap_request *req;
int result = LDAP_OTHER;
- if (NT_STATUS_IS_OK(status) && output.length == 0) {
- break;
- }
+ status = gensec_update(conn->gensec, tmp_ctx,
+ input,
+ &output);
+ /* The status value here, from GENSEC is vital to the security
+ * of the system. Even if the other end accepts, if GENSEC
+ * claims 'MORE_PROCESSING_REQUIRED' then you must keep
+ * feeding it blobs, or else the remote host/attacker might
+ * avoid mutal authentication requirements.
+ *
+ * Likewise, you must not feed GENSEC too much (after the OK),
+ * it doesn't like that either
+ */
+
+ gensec_status = status;
+
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(status)) {
break;
}
+ if (output.length == 0) {
+ break;
+ }
msg = new_ldap_sasl_bind_msg(tmp_ctx, "GSS-SPNEGO", &output);
if (msg == NULL) {
result = response->r.BindResponse.response.resultcode;
if (result != LDAP_SUCCESS && result != LDAP_SASL_BIND_IN_PROGRESS) {
+ status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
break;
}
- status = gensec_update(conn->gensec, tmp_ctx,
- response->r.BindResponse.SASL.secblob,
- &output);
+ /* This is where we check if GENSEC wanted to be fed more data */
+ if (!NT_STATUS_EQUAL(gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ break;
+ }
+ input = response->r.BindResponse.SASL.secblob;
}
if (NT_STATUS_IS_OK(status) &&
DATA_BLOB credentials;
DATA_BLOB null_data_blob = data_blob(NULL, 0);
+ int num_passes = 0;
+
if (!p->conn->security_state.generic_state) {
status = gensec_client_start(p, &p->conn->security_state.generic_state,
p->conn->event_ctx);
p->conn->security_state.auth_info->auth_context_id = random();
p->conn->security_state.auth_info->credentials = null_data_blob;
- status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
- null_data_blob,
- &credentials);
-
- p->conn->security_state.auth_info->credentials = credentials;
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- /* We are demanding a reply, so use a request that will get us one */
- status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- } else if (NT_STATUS_IS_OK(status)) {
- /* We don't care for the reply, so jump to the end */
- status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
- goto done;
- } else {
- /* Something broke in GENSEC - bail */
- goto done;
- }
-
while (1) {
+ num_passes++;
status = gensec_update(p->conn->security_state.generic_state, tmp_ctx,
p->conn->security_state.auth_info->credentials,
&credentials);
+
+ /* The status value here, from GENSEC is vital to the security
+ * of the system. Even if the other end accepts, if GENSEC
+ * claims 'MORE_PROCESSING_REQUIRED' then you must keep
+ * feeding it blobs, or else the remote host/attacker might
+ * avoid mutal authentication requirements.
+ *
+ * Likewise, you must not feed GENSEC too much (after the OK),
+ * it doesn't like that either
+ */
+
if (!NT_STATUS_IS_OK(status)
&& !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ DEBUG(1, ("Failed DCERPC client gensec_update with mechanism %s: %s\n",
+ gensec_get_name_by_authtype(auth_type), nt_errstr(status)));
+
break;
}
p->conn->security_state.auth_info->credentials = credentials;
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- /* We are demanding a reply, so use a request that will get us one */
- status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax);
+ if (num_passes == 1) {
+ status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
+ } else {
+ /* We are demanding a reply, so use a request that will get us one */
+ status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax);
+ }
if (!NT_STATUS_IS_OK(status)) {
break;
}
- } else {
+ } else if (NT_STATUS_IS_OK(status)) {
/* NO reply expected, so just send it */
- status = dcerpc_auth3(p->conn, tmp_ctx);
- credentials = data_blob(NULL, 0);
- if (!NT_STATUS_IS_OK(status)) {
- break;
+ if (num_passes == 1) {
+ status = dcerpc_bind_byuuid(p, tmp_ctx, uuid, version);
+ } else {
+ status = dcerpc_auth3(p->conn, tmp_ctx);
}
+ break;
+ } else {
+ break;
}
};