2 Unix SMB/CIFS implementation.
4 Copyright (C) Stefan (metze) Metzmacher 2003
5 Copyright (C) Jeremy Allison 2007
6 Copyright (C) Andrew Bartlett 2011
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libsmb/libsmb.h"
24 #include "../libcli/auth/spnego.h"
25 #include "../auth/ntlmssp/ntlmssp.h"
26 #include "../lib/util/tevent_ntstatus.h"
27 #include "async_smb.h"
28 #include "../libcli/smb/smb_seal.h"
30 #include "auth_generic.h"
31 #include "auth/gensec/gensec.h"
32 #include "../libcli/smb/smbXcli_base.h"
33 #include "auth/credentials/credentials.h"
35 /****************************************************************************
36 Get UNIX extensions version info.
37 ****************************************************************************/
39 struct cli_unix_extensions_version_state {
40 struct cli_state *cli;
43 uint16_t major, minor;
44 uint32_t caplow, caphigh;
47 static void cli_unix_extensions_version_done(struct tevent_req *subreq);
49 struct tevent_req *cli_unix_extensions_version_send(TALLOC_CTX *mem_ctx,
50 struct tevent_context *ev,
51 struct cli_state *cli)
53 struct tevent_req *req, *subreq;
54 struct cli_unix_extensions_version_state *state;
56 req = tevent_req_create(mem_ctx, &state,
57 struct cli_unix_extensions_version_state);
62 SSVAL(state->setup, 0, TRANSACT2_QFSINFO);
63 SSVAL(state->param, 0, SMB_QUERY_CIFS_UNIX_INFO);
65 subreq = cli_trans_send(state, ev, cli, SMBtrans2,
70 if (tevent_req_nomem(subreq, req)) {
71 return tevent_req_post(req, ev);
73 tevent_req_set_callback(subreq, cli_unix_extensions_version_done, req);
77 static void cli_unix_extensions_version_done(struct tevent_req *subreq)
79 struct tevent_req *req = tevent_req_callback_data(
80 subreq, struct tevent_req);
81 struct cli_unix_extensions_version_state *state = tevent_req_data(
82 req, struct cli_unix_extensions_version_state);
87 status = cli_trans_recv(subreq, state, NULL, NULL, 0, NULL,
88 NULL, 0, NULL, &data, 12, &num_data);
90 if (!NT_STATUS_IS_OK(status)) {
91 tevent_req_nterror(req, status);
95 state->major = SVAL(data, 0);
96 state->minor = SVAL(data, 2);
97 state->caplow = IVAL(data, 4);
98 state->caphigh = IVAL(data, 8);
100 tevent_req_done(req);
103 NTSTATUS cli_unix_extensions_version_recv(struct tevent_req *req,
104 uint16_t *pmajor, uint16_t *pminor,
108 struct cli_unix_extensions_version_state *state = tevent_req_data(
109 req, struct cli_unix_extensions_version_state);
112 if (tevent_req_is_nterror(req, &status)) {
115 *pmajor = state->major;
116 *pminor = state->minor;
117 *pcaplow = state->caplow;
118 *pcaphigh = state->caphigh;
119 state->cli->server_posix_capabilities = *pcaplow;
123 NTSTATUS cli_unix_extensions_version(struct cli_state *cli, uint16 *pmajor,
124 uint16 *pminor, uint32 *pcaplow,
127 TALLOC_CTX *frame = talloc_stackframe();
128 struct event_context *ev;
129 struct tevent_req *req;
130 NTSTATUS status = NT_STATUS_OK;
132 if (cli_has_async_calls(cli)) {
134 * Can't use sync call while an async call is in flight
136 status = NT_STATUS_INVALID_PARAMETER;
140 ev = event_context_init(frame);
142 status = NT_STATUS_NO_MEMORY;
146 req = cli_unix_extensions_version_send(frame, ev, cli);
148 status = NT_STATUS_NO_MEMORY;
152 if (!tevent_req_poll(req, ev)) {
153 status = map_nt_error_from_unix(errno);
157 status = cli_unix_extensions_version_recv(req, pmajor, pminor, pcaplow,
164 /****************************************************************************
165 Set UNIX extensions capabilities.
166 ****************************************************************************/
168 struct cli_set_unix_extensions_capabilities_state {
169 struct cli_state *cli;
175 static void cli_set_unix_extensions_capabilities_done(
176 struct tevent_req *subreq);
178 struct tevent_req *cli_set_unix_extensions_capabilities_send(
179 TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct cli_state *cli,
180 uint16_t major, uint16_t minor, uint32_t caplow, uint32_t caphigh)
182 struct tevent_req *req, *subreq;
183 struct cli_set_unix_extensions_capabilities_state *state;
185 req = tevent_req_create(
187 struct cli_set_unix_extensions_capabilities_state);
193 SSVAL(state->setup+0, 0, TRANSACT2_SETFSINFO);
195 SSVAL(state->param, 0, 0);
196 SSVAL(state->param, 2, SMB_SET_CIFS_UNIX_INFO);
198 SSVAL(state->data, 0, major);
199 SSVAL(state->data, 2, minor);
200 SIVAL(state->data, 4, caplow);
201 SIVAL(state->data, 8, caphigh);
203 subreq = cli_trans_send(state, ev, cli, SMBtrans2,
207 state->data, 12, 560);
208 if (tevent_req_nomem(subreq, req)) {
209 return tevent_req_post(req, ev);
211 tevent_req_set_callback(
212 subreq, cli_set_unix_extensions_capabilities_done, req);
216 static void cli_set_unix_extensions_capabilities_done(
217 struct tevent_req *subreq)
219 struct tevent_req *req = tevent_req_callback_data(
220 subreq, struct tevent_req);
221 struct cli_set_unix_extensions_capabilities_state *state = tevent_req_data(
222 req, struct cli_set_unix_extensions_capabilities_state);
224 NTSTATUS status = cli_trans_recv(subreq, NULL, NULL, NULL, 0, NULL,
225 NULL, 0, NULL, NULL, 0, NULL);
226 if (NT_STATUS_IS_OK(status)) {
227 state->cli->requested_posix_capabilities = IVAL(state->data, 4);
229 tevent_req_simple_finish_ntstatus(subreq, status);
232 NTSTATUS cli_set_unix_extensions_capabilities_recv(struct tevent_req *req)
234 return tevent_req_simple_recv_ntstatus(req);
237 NTSTATUS cli_set_unix_extensions_capabilities(struct cli_state *cli,
238 uint16 major, uint16 minor,
239 uint32 caplow, uint32 caphigh)
241 struct tevent_context *ev;
242 struct tevent_req *req;
243 NTSTATUS status = NT_STATUS_NO_MEMORY;
245 if (cli_has_async_calls(cli)) {
246 return NT_STATUS_INVALID_PARAMETER;
248 ev = tevent_context_init(talloc_tos());
252 req = cli_set_unix_extensions_capabilities_send(
253 ev, ev, cli, major, minor, caplow, caphigh);
257 if (!tevent_req_poll_ntstatus(req, ev, &status)) {
260 status = cli_set_unix_extensions_capabilities_recv(req);
266 struct cli_get_fs_attr_info_state {
272 static void cli_get_fs_attr_info_done(struct tevent_req *subreq);
274 struct tevent_req *cli_get_fs_attr_info_send(TALLOC_CTX *mem_ctx,
275 struct tevent_context *ev,
276 struct cli_state *cli)
278 struct tevent_req *subreq, *req;
279 struct cli_get_fs_attr_info_state *state;
281 req = tevent_req_create(mem_ctx, &state,
282 struct cli_get_fs_attr_info_state);
286 SSVAL(state->setup+0, 0, TRANSACT2_QFSINFO);
287 SSVAL(state->param+0, 0, SMB_QUERY_FS_ATTRIBUTE_INFO);
289 subreq = cli_trans_send(state, ev, cli, SMBtrans2,
294 if (tevent_req_nomem(subreq, req)) {
295 return tevent_req_post(req, ev);
297 tevent_req_set_callback(subreq, cli_get_fs_attr_info_done, req);
301 static void cli_get_fs_attr_info_done(struct tevent_req *subreq)
303 struct tevent_req *req = tevent_req_callback_data(
304 subreq, struct tevent_req);
305 struct cli_get_fs_attr_info_state *state = tevent_req_data(
306 req, struct cli_get_fs_attr_info_state);
311 status = cli_trans_recv(subreq, talloc_tos(), NULL, NULL, 0, NULL,
312 NULL, 0, NULL, &data, 12, &num_data);
314 if (!NT_STATUS_IS_OK(status)) {
315 tevent_req_nterror(req, status);
318 state->fs_attr = IVAL(data, 0);
320 tevent_req_done(req);
323 NTSTATUS cli_get_fs_attr_info_recv(struct tevent_req *req, uint32_t *fs_attr)
325 struct cli_get_fs_attr_info_state *state = tevent_req_data(
326 req, struct cli_get_fs_attr_info_state);
329 if (tevent_req_is_nterror(req, &status)) {
332 *fs_attr = state->fs_attr;
336 NTSTATUS cli_get_fs_attr_info(struct cli_state *cli, uint32_t *fs_attr)
338 struct tevent_context *ev;
339 struct tevent_req *req;
340 NTSTATUS status = NT_STATUS_NO_MEMORY;
342 if (cli_has_async_calls(cli)) {
343 return NT_STATUS_INVALID_PARAMETER;
345 ev = tevent_context_init(talloc_tos());
349 req = cli_get_fs_attr_info_send(ev, ev, cli);
353 if (!tevent_req_poll_ntstatus(req, ev, &status)) {
356 status = cli_get_fs_attr_info_recv(req, fs_attr);
362 NTSTATUS cli_get_fs_volume_info(struct cli_state *cli,
365 uint32_t *pserial_number,
369 uint16_t recv_flags2;
373 uint32_t rdata_count;
375 char *volume_name = NULL;
377 SSVAL(setup, 0, TRANSACT2_QFSINFO);
378 SSVAL(param,0,SMB_QUERY_FS_VOLUME_INFO);
380 status = cli_trans(talloc_tos(), cli, SMBtrans2,
388 &rdata, 18, &rdata_count);
389 if (!NT_STATUS_IS_OK(status)) {
395 ts = interpret_long_date((char *)rdata);
398 if (pserial_number) {
399 *pserial_number = IVAL(rdata,8);
401 nlen = IVAL(rdata,12);
402 if (nlen > (rdata_count - 18)) {
404 return NT_STATUS_INVALID_NETWORK_RESPONSE;
407 clistr_pull_talloc(mem_ctx,
413 if (volume_name == NULL) {
414 status = map_nt_error_from_unix(errno);
419 /* todo: but not yet needed
420 * return the other stuff
423 *_volume_name = volume_name;
428 NTSTATUS cli_get_fs_full_size_info(struct cli_state *cli,
429 uint64_t *total_allocation_units,
430 uint64_t *caller_allocation_units,
431 uint64_t *actual_allocation_units,
432 uint64_t *sectors_per_allocation_unit,
433 uint64_t *bytes_per_sector)
437 uint8_t *rdata = NULL;
438 uint32_t rdata_count;
441 SSVAL(setup, 0, TRANSACT2_QFSINFO);
442 SSVAL(param, 0, SMB_FS_FULL_SIZE_INFORMATION);
444 status = cli_trans(talloc_tos(), cli, SMBtrans2,
446 setup, 1, 0, /* setup */
447 param, 2, 0, /* param */
448 NULL, 0, 560, /* data */
450 NULL, 0, NULL, /* rsetup */
451 NULL, 0, NULL, /* rparam */
452 &rdata, 32, &rdata_count); /* rdata */
453 if (!NT_STATUS_IS_OK(status)) {
457 if (total_allocation_units) {
458 *total_allocation_units = BIG_UINT(rdata, 0);
460 if (caller_allocation_units) {
461 *caller_allocation_units = BIG_UINT(rdata,8);
463 if (actual_allocation_units) {
464 *actual_allocation_units = BIG_UINT(rdata,16);
466 if (sectors_per_allocation_unit) {
467 *sectors_per_allocation_unit = IVAL(rdata,24);
469 if (bytes_per_sector) {
470 *bytes_per_sector = IVAL(rdata,28);
478 NTSTATUS cli_get_posix_fs_info(struct cli_state *cli,
479 uint32 *optimal_transfer_size,
481 uint64_t *total_blocks,
482 uint64_t *blocks_available,
483 uint64_t *user_blocks_available,
484 uint64_t *total_file_nodes,
485 uint64_t *free_file_nodes,
486 uint64_t *fs_identifier)
490 uint8_t *rdata = NULL;
491 uint32_t rdata_count;
494 SSVAL(setup, 0, TRANSACT2_QFSINFO);
495 SSVAL(param,0,SMB_QUERY_POSIX_FS_INFO);
497 status = cli_trans(talloc_tos(), cli, SMBtrans2, NULL, 0, 0, 0,
502 NULL, 0, NULL, /* rsetup */
503 NULL, 0, NULL, /* rparam */
504 &rdata, 56, &rdata_count);
505 if (!NT_STATUS_IS_OK(status)) {
509 if (optimal_transfer_size) {
510 *optimal_transfer_size = IVAL(rdata, 0);
513 *block_size = IVAL(rdata,4);
516 *total_blocks = BIG_UINT(rdata,8);
518 if (blocks_available) {
519 *blocks_available = BIG_UINT(rdata,16);
521 if (user_blocks_available) {
522 *user_blocks_available = BIG_UINT(rdata,24);
524 if (total_file_nodes) {
525 *total_file_nodes = BIG_UINT(rdata,32);
527 if (free_file_nodes) {
528 *free_file_nodes = BIG_UINT(rdata,40);
531 *fs_identifier = BIG_UINT(rdata,48);
537 /******************************************************************************
538 Send/receive the request encryption blob.
539 ******************************************************************************/
541 static NTSTATUS enc_blob_send_receive(struct cli_state *cli, DATA_BLOB *in, DATA_BLOB *out, DATA_BLOB *param_out)
545 uint8_t *rparam=NULL, *rdata=NULL;
546 uint32_t num_rparam, num_rdata;
549 SSVAL(setup+0, 0, TRANSACT2_SETFSINFO);
551 SSVAL(param,2,SMB_REQUEST_TRANSPORT_ENCRYPTION);
553 status = cli_trans(talloc_tos(), cli, SMBtrans2, NULL, 0, 0, 0,
556 (uint8_t *)in->data, in->length, CLI_BUFFER_SIZE,
557 NULL, /* recv_flags */
558 NULL, 0, NULL, /* rsetup */
559 &rparam, 0, &num_rparam,
560 &rdata, 0, &num_rdata);
562 if (!NT_STATUS_IS_OK(status) &&
563 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
567 *out = data_blob(rdata, num_rdata);
568 *param_out = data_blob(rparam, num_rparam);
575 /******************************************************************************
576 Make a client state struct.
577 ******************************************************************************/
579 static struct smb_trans_enc_state *make_cli_enc_state(enum smb_trans_enc_type smb_enc_type)
581 struct smb_trans_enc_state *es = NULL;
582 es = SMB_MALLOC_P(struct smb_trans_enc_state);
587 es->smb_enc_type = smb_enc_type;
592 /******************************************************************************
593 Start a raw ntlmssp encryption.
594 ******************************************************************************/
596 NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli,
601 DATA_BLOB blob_in = data_blob_null;
602 DATA_BLOB blob_out = data_blob_null;
603 DATA_BLOB param_out = data_blob_null;
604 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
605 struct auth_generic_state *auth_generic_state;
606 struct smb_trans_enc_state *es = make_cli_enc_state(SMB_TRANS_ENC_NTLM);
609 return NT_STATUS_NO_MEMORY;
611 status = auth_generic_client_prepare(NULL,
612 &auth_generic_state);
613 if (!NT_STATUS_IS_OK(status)) {
617 gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
618 gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL);
620 if (!NT_STATUS_IS_OK(status = auth_generic_set_username(auth_generic_state, user))) {
623 if (!NT_STATUS_IS_OK(status = auth_generic_set_domain(auth_generic_state, domain))) {
626 if (!NT_STATUS_IS_OK(status = auth_generic_set_password(auth_generic_state, pass))) {
630 if (!NT_STATUS_IS_OK(status = auth_generic_client_start(auth_generic_state, GENSEC_OID_NTLMSSP))) {
635 status = gensec_update(auth_generic_state->gensec_security, auth_generic_state,
636 NULL, blob_in, &blob_out);
637 data_blob_free(&blob_in);
638 data_blob_free(¶m_out);
639 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) || NT_STATUS_IS_OK(status)) {
640 NTSTATUS trans_status = enc_blob_send_receive(cli,
644 if (!NT_STATUS_EQUAL(trans_status,
645 NT_STATUS_MORE_PROCESSING_REQUIRED) &&
646 !NT_STATUS_IS_OK(trans_status)) {
647 status = trans_status;
649 if (param_out.length == 2) {
650 es->enc_ctx_num = SVAL(param_out.data, 0);
654 data_blob_free(&blob_out);
655 } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
657 data_blob_free(&blob_in);
659 if (NT_STATUS_IS_OK(status)) {
661 /* Replace the old state, if any. */
662 /* We only need the gensec_security part from here.
663 * es is a malloc()ed pointer, so we cannot make
664 * gensec_security a talloc child */
665 es->gensec_security = talloc_move(NULL,
666 &auth_generic_state->gensec_security);
667 smb1cli_conn_set_encryption(cli->conn, es);
672 TALLOC_FREE(auth_generic_state);
673 common_free_encryption_state(&es);
677 /******************************************************************************
678 Get client gss blob to send to a server.
679 ******************************************************************************/
681 static NTSTATUS make_cli_gss_blob(TALLOC_CTX *ctx,
682 struct gensec_security *gensec_security,
684 DATA_BLOB spnego_blob_in,
685 DATA_BLOB *p_blob_out)
687 const char *krb_mechs[] = {OID_KERBEROS5, NULL};
688 DATA_BLOB blob_out = data_blob_null;
689 DATA_BLOB blob_in = data_blob_null;
690 NTSTATUS status = NT_STATUS_OK;
692 if (spnego_blob_in.length == 0) {
693 blob_in = spnego_blob_in;
695 /* Remove the SPNEGO wrapper */
696 if (!spnego_parse_auth_response(ctx, spnego_blob_in, status_in, OID_KERBEROS5, &blob_in)) {
697 status = NT_STATUS_UNSUCCESSFUL;
702 status = gensec_update(gensec_security, ctx,
703 NULL, blob_in, &blob_out);
705 /* Wrap in an SPNEGO wrapper */
706 *p_blob_out = spnego_gen_negTokenInit(ctx, krb_mechs, &blob_out, NULL);
710 data_blob_free(&blob_out);
711 data_blob_free(&blob_in);
715 /******************************************************************************
716 Start a SPNEGO gssapi encryption context.
717 ******************************************************************************/
719 NTSTATUS cli_gss_smb_encryption_start(struct cli_state *cli)
721 DATA_BLOB blob_recv = data_blob_null;
722 DATA_BLOB blob_send = data_blob_null;
723 DATA_BLOB param_out = data_blob_null;
724 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
725 struct auth_generic_state *auth_generic_state;
726 struct smb_trans_enc_state *es = make_cli_enc_state(SMB_TRANS_ENC_GSS);
729 return NT_STATUS_NO_MEMORY;
732 status = auth_generic_client_prepare(NULL,
733 &auth_generic_state);
734 if (!NT_STATUS_IS_OK(status)) {
738 gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
739 gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL);
741 cli_credentials_set_kerberos_state(auth_generic_state->credentials,
742 CRED_MUST_USE_KERBEROS);
744 status = gensec_set_target_service(auth_generic_state->gensec_security, "cifs");
745 if (!NT_STATUS_IS_OK(status)) {
749 status = gensec_set_target_hostname(auth_generic_state->gensec_security,
750 cli_state_remote_name(cli));
751 if (!NT_STATUS_IS_OK(status)) {
755 if (!NT_STATUS_IS_OK(status = auth_generic_client_start(auth_generic_state, GENSEC_OID_KERBEROS5))) {
759 status = make_cli_gss_blob(talloc_tos(), auth_generic_state->gensec_security, NT_STATUS_OK, blob_recv, &blob_send);
761 data_blob_free(&blob_recv);
762 status = enc_blob_send_receive(cli, &blob_send, &blob_recv, ¶m_out);
763 if (param_out.length == 2) {
764 es->enc_ctx_num = SVAL(param_out.data, 0);
766 data_blob_free(&blob_send);
767 status = make_cli_gss_blob(talloc_tos(), auth_generic_state->gensec_security, status, blob_recv, &blob_send);
768 } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
769 data_blob_free(&blob_recv);
771 if (NT_STATUS_IS_OK(status)) {
772 if (!gensec_have_feature(auth_generic_state->gensec_security,
773 GENSEC_FEATURE_SIGN) ||
774 !gensec_have_feature(auth_generic_state->gensec_security,
775 GENSEC_FEATURE_SEAL)) {
776 status = NT_STATUS_ACCESS_DENIED;
780 if (NT_STATUS_IS_OK(status)) {
782 /* Replace the old state, if any. */
783 /* We only need the gensec_security part from here.
784 * es is a malloc()ed pointer, so we cannot make
785 * gensec_security a talloc child */
786 es->gensec_security = talloc_move(NULL,
787 &auth_generic_state->gensec_security);
788 smb1cli_conn_set_encryption(cli->conn, es);
792 common_free_encryption_state(&es);
796 /********************************************************************
797 Ensure a connection is encrypted.
798 ********************************************************************/
800 NTSTATUS cli_force_encryption(struct cli_state *c,
801 const char *username,
802 const char *password,
806 uint32 caplow, caphigh;
809 if (!SERVER_HAS_UNIX_CIFS(c)) {
810 return NT_STATUS_NOT_SUPPORTED;
813 status = cli_unix_extensions_version(c, &major, &minor, &caplow,
815 if (!NT_STATUS_IS_OK(status)) {
816 DEBUG(10, ("cli_force_encryption: cli_unix_extensions_version "
817 "returned %s\n", nt_errstr(status)));
818 return NT_STATUS_UNKNOWN_REVISION;
821 if (!(caplow & CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP)) {
822 return NT_STATUS_UNSUPPORTED_COMPRESSION;
825 if (c->use_kerberos) {
826 return cli_gss_smb_encryption_start(c);
828 return cli_raw_ntlm_smb_encryption_start(c,
git.samba.org / gd / samba-autobuild / .git / blob