2 Unix SMB/CIFS implementation.
4 Copyright (C) Stefan (metze) Metzmacher 2003
5 Copyright (C) Jeremy Allison 2007
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 /****************************************************************************
24 Get UNIX extensions version info.
25 ****************************************************************************/
27 bool cli_unix_extensions_version(struct cli_state *cli, uint16 *pmajor, uint16 *pminor,
28 uint32 *pcaplow, uint32 *pcaphigh)
33 char *rparam=NULL, *rdata=NULL;
34 unsigned int rparam_count=0, rdata_count=0;
36 setup = TRANSACT2_QFSINFO;
38 SSVAL(param,0,SMB_QUERY_CIFS_UNIX_INFO);
40 if (!cli_send_trans(cli, SMBtrans2,
49 if (!cli_receive_trans(cli, SMBtrans2,
50 &rparam, &rparam_count,
51 &rdata, &rdata_count)) {
55 if (cli_is_error(cli)) {
62 if (rdata_count < 12) {
66 *pmajor = SVAL(rdata,0);
67 *pminor = SVAL(rdata,2);
68 cli->posix_capabilities = *pcaplow = IVAL(rdata,4);
69 *pcaphigh = IVAL(rdata,8);
71 /* todo: but not yet needed
72 * return the other stuff
82 /****************************************************************************
83 Set UNIX extensions capabilities.
84 ****************************************************************************/
86 bool cli_set_unix_extensions_capabilities(struct cli_state *cli, uint16 major, uint16 minor,
87 uint32 caplow, uint32 caphigh)
93 char *rparam=NULL, *rdata=NULL;
94 unsigned int rparam_count=0, rdata_count=0;
96 setup = TRANSACT2_SETFSINFO;
99 SSVAL(param,2,SMB_SET_CIFS_UNIX_INFO);
103 SIVAL(data,4,caplow);
104 SIVAL(data,8,caphigh);
106 if (!cli_send_trans(cli, SMBtrans2,
115 if (!cli_receive_trans(cli, SMBtrans2,
116 &rparam, &rparam_count,
117 &rdata, &rdata_count)) {
121 if (cli_is_error(cli)) {
135 bool cli_get_fs_attr_info(struct cli_state *cli, uint32 *fs_attr)
140 char *rparam=NULL, *rdata=NULL;
141 unsigned int rparam_count=0, rdata_count=0;
144 smb_panic("cli_get_fs_attr_info() called with NULL Pionter!");
146 setup = TRANSACT2_QFSINFO;
148 SSVAL(param,0,SMB_QUERY_FS_ATTRIBUTE_INFO);
150 if (!cli_send_trans(cli, SMBtrans2,
159 if (!cli_receive_trans(cli, SMBtrans2,
160 &rparam, &rparam_count,
161 &rdata, &rdata_count)) {
165 if (cli_is_error(cli)) {
172 if (rdata_count < 12) {
176 *fs_attr = IVAL(rdata,0);
178 /* todo: but not yet needed
179 * return the other stuff
189 bool cli_get_fs_volume_info_old(struct cli_state *cli, fstring volume_name, uint32 *pserial_number)
194 char *rparam=NULL, *rdata=NULL;
195 unsigned int rparam_count=0, rdata_count=0;
198 setup = TRANSACT2_QFSINFO;
200 SSVAL(param,0,SMB_INFO_VOLUME);
202 if (!cli_send_trans(cli, SMBtrans2,
211 if (!cli_receive_trans(cli, SMBtrans2,
212 &rparam, &rparam_count,
213 &rdata, &rdata_count)) {
217 if (cli_is_error(cli)) {
224 if (rdata_count < 5) {
228 if (pserial_number) {
229 *pserial_number = IVAL(rdata,0);
231 nlen = CVAL(rdata,l2_vol_cch);
232 clistr_pull(cli, volume_name, rdata + l2_vol_szVolLabel, sizeof(fstring), nlen, STR_NOALIGN);
234 /* todo: but not yet needed
235 * return the other stuff
245 bool cli_get_fs_volume_info(struct cli_state *cli, fstring volume_name, uint32 *pserial_number, time_t *pdate)
250 char *rparam=NULL, *rdata=NULL;
251 unsigned int rparam_count=0, rdata_count=0;
254 setup = TRANSACT2_QFSINFO;
256 SSVAL(param,0,SMB_QUERY_FS_VOLUME_INFO);
258 if (!cli_send_trans(cli, SMBtrans2,
267 if (!cli_receive_trans(cli, SMBtrans2,
268 &rparam, &rparam_count,
269 &rdata, &rdata_count)) {
273 if (cli_is_error(cli)) {
280 if (rdata_count < 19) {
286 ts = interpret_long_date(rdata);
289 if (pserial_number) {
290 *pserial_number = IVAL(rdata,8);
292 nlen = IVAL(rdata,12);
293 clistr_pull(cli, volume_name, rdata + 18, sizeof(fstring), nlen, STR_UNICODE);
295 /* todo: but not yet needed
296 * return the other stuff
306 /******************************************************************************
307 Send/receive the request encryption blob.
308 ******************************************************************************/
310 static NTSTATUS enc_blob_send_receive(struct cli_state *cli, DATA_BLOB *in, DATA_BLOB *out, DATA_BLOB *param_out)
314 char *rparam=NULL, *rdata=NULL;
315 unsigned int rparam_count=0, rdata_count=0;
316 NTSTATUS status = NT_STATUS_OK;
318 setup = TRANSACT2_SETFSINFO;
321 SSVAL(param,2,SMB_REQUEST_TRANSPORT_ENCRYPTION);
323 if (!cli_send_trans(cli, SMBtrans2,
328 (char *)in->data, in->length, CLI_BUFFER_SIZE)) {
329 status = cli_nt_error(cli);
333 if (!cli_receive_trans(cli, SMBtrans2,
334 &rparam, &rparam_count,
335 &rdata, &rdata_count)) {
336 status = cli_nt_error(cli);
340 if (cli_is_error(cli)) {
341 status = cli_nt_error(cli);
342 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
347 *out = data_blob(rdata, rdata_count);
348 *param_out = data_blob(rparam, rparam_count);
357 /******************************************************************************
358 Make a client state struct.
359 ******************************************************************************/
361 static struct smb_trans_enc_state *make_cli_enc_state(enum smb_trans_enc_type smb_enc_type)
363 struct smb_trans_enc_state *es = NULL;
364 es = SMB_MALLOC_P(struct smb_trans_enc_state);
369 es->smb_enc_type = smb_enc_type;
371 if (smb_enc_type == SMB_TRANS_ENC_GSS) {
372 #if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
373 es->s.gss_state = SMB_MALLOC_P(struct smb_tran_enc_state_gss);
374 if (!es->s.gss_state) {
378 ZERO_STRUCTP(es->s.gss_state);
380 DEBUG(0,("make_cli_enc_state: no krb5 compiled.\n"));
388 /******************************************************************************
389 Start a raw ntlmssp encryption.
390 ******************************************************************************/
392 NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli,
397 DATA_BLOB blob_in = data_blob_null;
398 DATA_BLOB blob_out = data_blob_null;
399 DATA_BLOB param_out = data_blob_null;
400 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
401 struct smb_trans_enc_state *es = make_cli_enc_state(SMB_TRANS_ENC_NTLM);
404 return NT_STATUS_NO_MEMORY;
406 status = ntlmssp_client_start(&es->s.ntlmssp_state);
407 if (!NT_STATUS_IS_OK(status)) {
411 ntlmssp_want_feature(es->s.ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
412 es->s.ntlmssp_state->neg_flags |= (NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL);
414 if (!NT_STATUS_IS_OK(status = ntlmssp_set_username(es->s.ntlmssp_state, user))) {
417 if (!NT_STATUS_IS_OK(status = ntlmssp_set_domain(es->s.ntlmssp_state, domain))) {
420 if (!NT_STATUS_IS_OK(status = ntlmssp_set_password(es->s.ntlmssp_state, pass))) {
425 status = ntlmssp_update(es->s.ntlmssp_state, blob_in, &blob_out);
426 data_blob_free(&blob_in);
427 data_blob_free(¶m_out);
428 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) || NT_STATUS_IS_OK(status)) {
429 NTSTATUS trans_status = enc_blob_send_receive(cli,
433 if (!NT_STATUS_EQUAL(trans_status,
434 NT_STATUS_MORE_PROCESSING_REQUIRED) &&
435 !NT_STATUS_IS_OK(trans_status)) {
436 status = trans_status;
438 if (param_out.length == 2) {
439 es->enc_ctx_num = SVAL(param_out.data, 0);
443 data_blob_free(&blob_out);
444 } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
446 data_blob_free(&blob_in);
448 if (NT_STATUS_IS_OK(status)) {
449 /* Replace the old state, if any. */
450 if (cli->trans_enc_state) {
451 common_free_encryption_state(&cli->trans_enc_state);
453 cli->trans_enc_state = es;
454 cli->trans_enc_state->enc_on = True;
460 common_free_encryption_state(&es);
464 #if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
466 #ifndef SMB_GSS_REQUIRED_FLAGS
467 #define SMB_GSS_REQUIRED_FLAGS (GSS_C_CONF_FLAG|GSS_C_INTEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_REPLAY_FLAG|GSS_C_SEQUENCE_FLAG)
470 /******************************************************************************
471 Get client gss blob to send to a server.
472 ******************************************************************************/
474 static NTSTATUS make_cli_gss_blob(struct smb_trans_enc_state *es,
478 DATA_BLOB spnego_blob_in,
479 DATA_BLOB *p_blob_out)
481 const char *krb_mechs[] = {OID_KERBEROS5, NULL};
485 gss_buffer_desc input_name;
486 gss_buffer_desc *p_tok_in;
487 gss_buffer_desc tok_out, tok_in;
488 DATA_BLOB blob_out = data_blob_null;
489 DATA_BLOB blob_in = data_blob_null;
490 char *host_princ_s = NULL;
491 OM_uint32 ret_flags = 0;
492 NTSTATUS status = NT_STATUS_OK;
494 gss_OID_desc nt_hostbased_service =
495 {10, CONST_DISCARD(char *,"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04")};
497 memset(&tok_out, '\0', sizeof(tok_out));
499 /* Get a ticket for the service@host */
500 asprintf(&host_princ_s, "%s@%s", service, host);
501 if (host_princ_s == NULL) {
502 return NT_STATUS_NO_MEMORY;
505 input_name.value = host_princ_s;
506 input_name.length = strlen(host_princ_s) + 1;
508 ret = gss_import_name(&min,
510 &nt_hostbased_service,
513 if (ret != GSS_S_COMPLETE) {
514 SAFE_FREE(host_princ_s);
515 return map_nt_error_from_gss(ret, min);
518 if (spnego_blob_in.length == 0) {
519 p_tok_in = GSS_C_NO_BUFFER;
521 /* Remove the SPNEGO wrapper */
522 if (!spnego_parse_auth_response(spnego_blob_in, status_in, OID_KERBEROS5, &blob_in)) {
523 status = NT_STATUS_UNSUCCESSFUL;
526 tok_in.value = blob_in.data;
527 tok_in.length = blob_in.length;
531 ret = gss_init_sec_context(&min,
532 GSS_C_NO_CREDENTIAL, /* Use our default cred. */
533 &es->s.gss_state->gss_ctx,
535 GSS_C_NO_OID, /* default OID. */
536 GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG,
537 GSS_C_INDEFINITE, /* requested ticket lifetime. */
538 NULL, /* no channel bindings */
540 NULL, /* ignore mech type */
543 NULL); /* ignore time_rec */
545 status = map_nt_error_from_gss(ret, min);
546 if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED)) {
547 ADS_STATUS adss = ADS_ERROR_GSS(ret, min);
548 DEBUG(10,("make_cli_gss_blob: gss_init_sec_context failed with %s\n",
553 if ((ret_flags & SMB_GSS_REQUIRED_FLAGS) != SMB_GSS_REQUIRED_FLAGS) {
554 status = NT_STATUS_ACCESS_DENIED;
557 blob_out = data_blob(tok_out.value, tok_out.length);
559 /* Wrap in an SPNEGO wrapper */
560 *p_blob_out = gen_negTokenTarg(krb_mechs, blob_out);
564 data_blob_free(&blob_out);
565 data_blob_free(&blob_in);
566 SAFE_FREE(host_princ_s);
567 gss_release_name(&min, &srv_name);
569 gss_release_buffer(&min, &tok_out);
574 /******************************************************************************
575 Start a SPNEGO gssapi encryption context.
576 ******************************************************************************/
578 NTSTATUS cli_gss_smb_encryption_start(struct cli_state *cli)
580 DATA_BLOB blob_recv = data_blob_null;
581 DATA_BLOB blob_send = data_blob_null;
582 DATA_BLOB param_out = data_blob_null;
583 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
585 const char *servicename;
586 struct smb_trans_enc_state *es = make_cli_enc_state(SMB_TRANS_ENC_GSS);
589 return NT_STATUS_NO_MEMORY;
592 name_to_fqdn(fqdn, cli->desthost);
595 servicename = "cifs";
596 status = make_cli_gss_blob(es, servicename, fqdn, NT_STATUS_OK, blob_recv, &blob_send);
597 if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED)) {
598 servicename = "host";
599 status = make_cli_gss_blob(es, servicename, fqdn, NT_STATUS_OK, blob_recv, &blob_send);
600 if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED)) {
606 data_blob_free(&blob_recv);
607 status = enc_blob_send_receive(cli, &blob_send, &blob_recv, ¶m_out);
608 if (param_out.length == 2) {
609 es->enc_ctx_num = SVAL(param_out.data, 0);
611 data_blob_free(&blob_send);
612 status = make_cli_gss_blob(es, servicename, fqdn, status, blob_recv, &blob_send);
613 } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
614 data_blob_free(&blob_recv);
616 if (NT_STATUS_IS_OK(status)) {
617 /* Replace the old state, if any. */
618 if (cli->trans_enc_state) {
619 common_free_encryption_state(&cli->trans_enc_state);
621 cli->trans_enc_state = es;
622 cli->trans_enc_state->enc_on = True;
628 common_free_encryption_state(&es);
632 NTSTATUS cli_gss_smb_encryption_start(struct cli_state *cli)
634 return NT_STATUS_NOT_SUPPORTED;
638 /********************************************************************
639 Ensure a connection is encrypted.
640 ********************************************************************/
642 NTSTATUS cli_force_encryption(struct cli_state *c,
643 const char *username,
644 const char *password,
648 uint32 caplow, caphigh;
650 if (!SERVER_HAS_UNIX_CIFS(c)) {
651 return NT_STATUS_NOT_SUPPORTED;
654 if (!cli_unix_extensions_version(c, &major, &minor, &caplow, &caphigh)) {
655 return NT_STATUS_UNKNOWN_REVISION;
658 if (!(caplow & CIFS_UNIX_TRANSPORT_ENCRYPTION_CAP)) {
659 return NT_STATUS_UNSUPPORTED_COMPRESSION;
662 if (c->use_kerberos) {
663 return cli_gss_smb_encryption_start(c);
665 return cli_raw_ntlm_smb_encryption_start(c,