6f9e6b0de3c16dfe52c1da3aca801f004ffefba8
[jelmer/samba4-debian.git] / source / libcli / smb_composite / sesssetup.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Copyright (C) Andrew Tridgell 2005
5    
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 3 of the License, or
9    (at your option) any later version.
10    
11    This program is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15    
16    You should have received a copy of the GNU General Public License
17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
18 */
19 /*
20   a composite API for making handling a generic async session setup
21 */
22
23 #include "includes.h"
24 #include "libcli/raw/libcliraw.h"
25 #include "libcli/composite/composite.h"
26 #include "libcli/smb_composite/smb_composite.h"
27 #include "libcli/auth/libcli_auth.h"
28 #include "auth/auth.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/credentials/credentials.h"
31 #include "version.h"
32 #include "param/param.h"
33
34 struct sesssetup_state {
35         union smb_sesssetup setup;
36         NTSTATUS gensec_status;
37         struct smb_composite_sesssetup *io;
38         struct smbcli_request *req;
39 };
40
41 static int sesssetup_state_destructor(struct sesssetup_state *state)
42 {
43         if (state->req) {
44                 talloc_free(state->req);
45                 state->req = NULL;
46         }
47
48         return 0;
49 }
50
51 static NTSTATUS session_setup_old(struct composite_context *c,
52                                   struct smbcli_session *session, 
53                                   struct smb_composite_sesssetup *io,
54                                   struct smbcli_request **req); 
55 static NTSTATUS session_setup_nt1(struct composite_context *c,
56                                   struct smbcli_session *session, 
57                                   struct smb_composite_sesssetup *io,
58                                   struct smbcli_request **req); 
59 static NTSTATUS session_setup_spnego(struct composite_context *c,
60                                      struct smbcli_session *session, 
61                                      struct smb_composite_sesssetup *io,
62                                      struct smbcli_request **req);
63
64 /*
65   store the user session key for a transport
66 */
67 static void set_user_session_key(struct smbcli_session *session,
68                                  const DATA_BLOB *session_key)
69 {
70         session->user_session_key = data_blob_talloc(session, 
71                                                      session_key->data, 
72                                                      session_key->length);
73 }
74
75 /*
76   handler for completion of a smbcli_request sub-request
77 */
78 static void request_handler(struct smbcli_request *req)
79 {
80         struct composite_context *c = (struct composite_context *)req->async.private;
81         struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
82         struct smbcli_session *session = req->session;
83         DATA_BLOB session_key = data_blob(NULL, 0);
84         DATA_BLOB null_data_blob = data_blob(NULL, 0);
85         NTSTATUS session_key_err, nt_status;
86
87         c->status = smb_raw_sesssetup_recv(req, state, &state->setup);
88         state->req = NULL;
89
90         switch (state->setup.old.level) {
91         case RAW_SESSSETUP_OLD:
92                 state->io->out.vuid = state->setup.old.out.vuid;
93                 /* This doesn't work, as this only happens on old
94                  * protocols, where this comparison won't match. */
95                 if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
96                         /* we neet to reset the vuid for a new try */
97                         session->vuid = 0;
98                         if (cli_credentials_wrong_password(state->io->in.credentials)) {
99                                 nt_status = session_setup_old(c, session, 
100                                                               state->io, 
101                                                               &state->req);
102                                 if (NT_STATUS_IS_OK(nt_status)) {
103                                         c->status = nt_status;
104                                         composite_continue_smb(c, state->req, request_handler, c);
105                                         return;
106                                 }
107                         }
108                 }
109                 break;
110
111         case RAW_SESSSETUP_NT1:
112                 state->io->out.vuid = state->setup.nt1.out.vuid;
113                 if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
114                         /* we neet to reset the vuid for a new try */
115                         session->vuid = 0;
116                         if (cli_credentials_wrong_password(state->io->in.credentials)) {
117                                 nt_status = session_setup_nt1(c, session, 
118                                                               state->io, 
119                                                               &state->req);
120                                 if (NT_STATUS_IS_OK(nt_status)) {
121                                         c->status = nt_status;
122                                         composite_continue_smb(c, state->req, request_handler, c);
123                                         return;
124                                 }
125                         }
126                 }
127                 break;
128
129         case RAW_SESSSETUP_SPNEGO:
130                 state->io->out.vuid = state->setup.spnego.out.vuid;
131                 if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
132                         /* we neet to reset the vuid for a new try */
133                         session->vuid = 0;
134                         if (cli_credentials_wrong_password(state->io->in.credentials)) {
135                                 nt_status = session_setup_spnego(c, session, 
136                                                                       state->io, 
137                                                                       &state->req);
138                                 if (NT_STATUS_IS_OK(nt_status)) {
139                                         c->status = nt_status;
140                                         composite_continue_smb(c, state->req, request_handler, c);
141                                         return;
142                                 }
143                         }
144                 }
145                 if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) && 
146                     !NT_STATUS_IS_OK(c->status)) {
147                         break;
148                 }
149                 if (NT_STATUS_EQUAL(state->gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
150
151                         /* The status value here, from the earlier pass at GENSEC is
152                          * vital to the security of the system.  Even if the other end
153                          * accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
154                          * you must keep feeding it blobs, or else the remote
155                          * host/attacker might avoid mutal authentication
156                          * requirements */
157                         
158                         state->gensec_status = gensec_update(session->gensec, state,
159                                                          state->setup.spnego.out.secblob,
160                                                          &state->setup.spnego.in.secblob);
161                         c->status = state->gensec_status;
162                         if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) && 
163                             !NT_STATUS_IS_OK(c->status)) {
164                                 break;
165                         }
166                 } else {
167                         state->setup.spnego.in.secblob = data_blob(NULL, 0);
168                 }
169
170                 /* we need to do another round of session setup. We keep going until both sides
171                    are happy */
172                 session_key_err = gensec_session_key(session->gensec, &session_key);
173                 if (NT_STATUS_IS_OK(session_key_err)) {
174                         set_user_session_key(session, &session_key);
175                         smbcli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
176                 }
177
178                 if (state->setup.spnego.in.secblob.length) {
179                         /* 
180                          * set the session->vuid value only for calling
181                          * smb_raw_sesssetup_send()
182                          */
183                         uint16_t vuid = session->vuid;
184                         session->vuid = state->io->out.vuid;
185                         state->req = smb_raw_sesssetup_send(session, &state->setup);
186                         session->vuid = vuid;
187                         composite_continue_smb(c, state->req, request_handler, c);
188                         return;
189                 }
190                 break;
191
192         case RAW_SESSSETUP_SMB2:
193                 c->status = NT_STATUS_INTERNAL_ERROR;
194                 break;
195         }
196
197         /* enforce the local signing required flag */
198         if (NT_STATUS_IS_OK(c->status) && !cli_credentials_is_anonymous(state->io->in.credentials)) {
199                 if (!session->transport->negotiate.sign_info.doing_signing 
200                     && session->transport->negotiate.sign_info.mandatory_signing) {
201                         DEBUG(0, ("SMB signing required, but server does not support it\n"));
202                         c->status = NT_STATUS_ACCESS_DENIED;
203                 }
204         }
205
206         if (!NT_STATUS_IS_OK(c->status)) {
207                 composite_error(c, c->status);
208                 return;
209         }
210
211         composite_done(c);
212 }
213
214
215 /*
216   send a nt1 style session setup
217 */
218 static NTSTATUS session_setup_nt1(struct composite_context *c,
219                                   struct smbcli_session *session, 
220                                   struct smb_composite_sesssetup *io,
221                                   struct smbcli_request **req) 
222 {
223         NTSTATUS nt_status;
224         struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
225         const char *password = cli_credentials_get_password(io->in.credentials);
226         DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, session->transport->socket->hostname, lp_workgroup(global_loadparm));
227         DATA_BLOB session_key;
228         int flags = CLI_CRED_NTLM_AUTH;
229         if (lp_client_lanman_auth(global_loadparm)) {
230                 flags |= CLI_CRED_LANMAN_AUTH;
231         }
232
233         if (lp_client_ntlmv2_auth(global_loadparm)) {
234                 flags |= CLI_CRED_NTLMv2_AUTH;
235         }
236
237         state->setup.nt1.level           = RAW_SESSSETUP_NT1;
238         state->setup.nt1.in.bufsize      = session->transport->options.max_xmit;
239         state->setup.nt1.in.mpx_max      = session->transport->options.max_mux;
240         state->setup.nt1.in.vc_num       = 1;
241         state->setup.nt1.in.sesskey      = io->in.sesskey;
242         state->setup.nt1.in.capabilities = io->in.capabilities;
243         state->setup.nt1.in.os           = "Unix";
244         state->setup.nt1.in.lanman       = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
245
246         cli_credentials_get_ntlm_username_domain(io->in.credentials, state, 
247                                                  &state->setup.nt1.in.user,
248                                                  &state->setup.nt1.in.domain);
249         
250
251         if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
252                 nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, 
253                                                               &flags, 
254                                                               session->transport->negotiate.secblob, 
255                                                               names_blob,
256                                                               &state->setup.nt1.in.password1,
257                                                               &state->setup.nt1.in.password2,
258                                                               NULL, &session_key);
259                 NT_STATUS_NOT_OK_RETURN(nt_status);
260
261                 smbcli_transport_simple_set_signing(session->transport, session_key, 
262                                                     state->setup.nt1.in.password2);
263                 set_user_session_key(session, &session_key);
264                 
265                 data_blob_free(&session_key);
266         } else if (lp_client_plaintext_auth(global_loadparm)) {
267                 state->setup.nt1.in.password1 = data_blob_talloc(state, password, strlen(password));
268                 state->setup.nt1.in.password2 = data_blob(NULL, 0);
269         } else {
270                 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
271                 return NT_STATUS_INVALID_PARAMETER;
272         }
273
274         *req = smb_raw_sesssetup_send(session, &state->setup);
275         if (!*req) {
276                 return NT_STATUS_NO_MEMORY;
277         }
278         return (*req)->status;
279 }
280
281
282 /*
283   old style session setup (pre NT1 protocol level)
284 */
285 static NTSTATUS session_setup_old(struct composite_context *c,
286                                   struct smbcli_session *session, 
287                                   struct smb_composite_sesssetup *io,
288                                   struct smbcli_request **req) 
289 {
290         NTSTATUS nt_status;
291         struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
292         const char *password = cli_credentials_get_password(io->in.credentials);
293         DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, session->transport->socket->hostname, lp_workgroup(global_loadparm));
294         DATA_BLOB session_key;
295         int flags = 0;
296         if (lp_client_lanman_auth(global_loadparm)) {
297                 flags |= CLI_CRED_LANMAN_AUTH;
298         }
299
300         if (lp_client_ntlmv2_auth(global_loadparm)) {
301                 flags |= CLI_CRED_NTLMv2_AUTH;
302         }
303
304         state->setup.old.level      = RAW_SESSSETUP_OLD;
305         state->setup.old.in.bufsize = session->transport->options.max_xmit;
306         state->setup.old.in.mpx_max = session->transport->options.max_mux;
307         state->setup.old.in.vc_num  = 1;
308         state->setup.old.in.sesskey = io->in.sesskey;
309         state->setup.old.in.os      = "Unix";
310         state->setup.old.in.lanman  = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
311         cli_credentials_get_ntlm_username_domain(io->in.credentials, state, 
312                                                  &state->setup.old.in.user,
313                                                  &state->setup.old.in.domain);
314         
315         if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
316                 nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, 
317                                                               &flags, 
318                                                               session->transport->negotiate.secblob, 
319                                                               names_blob,
320                                                               &state->setup.old.in.password,
321                                                               NULL,
322                                                               NULL, &session_key);
323                 NT_STATUS_NOT_OK_RETURN(nt_status);
324                 set_user_session_key(session, &session_key);
325                 
326                 data_blob_free(&session_key);
327         } else if (lp_client_plaintext_auth(global_loadparm)) {
328                 state->setup.old.in.password = data_blob_talloc(state, password, strlen(password));
329         } else {
330                 /* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
331                 return NT_STATUS_INVALID_PARAMETER;
332         }
333         
334         *req = smb_raw_sesssetup_send(session, &state->setup);
335         if (!*req) {
336                 return NT_STATUS_NO_MEMORY;
337         }
338         return (*req)->status;
339 }
340
341
342 /*
343   Modern, all singing, all dancing extended security (and possibly SPNEGO) request
344 */
345 static NTSTATUS session_setup_spnego(struct composite_context *c,
346                                      struct smbcli_session *session, 
347                                      struct smb_composite_sesssetup *io,
348                                      struct smbcli_request **req) 
349 {
350         struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
351         NTSTATUS status, session_key_err;
352         DATA_BLOB session_key = data_blob(NULL, 0);
353         DATA_BLOB null_data_blob = data_blob(NULL, 0);
354         const char *chosen_oid = NULL;
355
356         state->setup.spnego.level           = RAW_SESSSETUP_SPNEGO;
357         state->setup.spnego.in.bufsize      = session->transport->options.max_xmit;
358         state->setup.spnego.in.mpx_max      = session->transport->options.max_mux;
359         state->setup.spnego.in.vc_num       = 1;
360         state->setup.spnego.in.sesskey      = io->in.sesskey;
361         state->setup.spnego.in.capabilities = io->in.capabilities;
362         state->setup.spnego.in.os           = "Unix";
363         state->setup.spnego.in.lanman       = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
364         state->setup.spnego.in.workgroup    = io->in.workgroup;
365
366         smbcli_temp_set_signing(session->transport);
367
368         status = gensec_client_start(session, &session->gensec, c->event_ctx);
369         if (!NT_STATUS_IS_OK(status)) {
370                 DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
371                 return status;
372         }
373
374         gensec_want_feature(session->gensec, GENSEC_FEATURE_SESSION_KEY);
375
376         status = gensec_set_credentials(session->gensec, io->in.credentials);
377         if (!NT_STATUS_IS_OK(status)) {
378                 DEBUG(1, ("Failed to start set GENSEC client credentails: %s\n", 
379                           nt_errstr(status)));
380                 return status;
381         }
382
383         status = gensec_set_target_hostname(session->gensec, session->transport->socket->hostname);
384         if (!NT_STATUS_IS_OK(status)) {
385                 DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n", 
386                           nt_errstr(status)));
387                 return status;
388         }
389
390         status = gensec_set_target_service(session->gensec, "cifs");
391         if (!NT_STATUS_IS_OK(status)) {
392                 DEBUG(1, ("Failed to start set GENSEC target service: %s\n", 
393                           nt_errstr(status)));
394                 return status;
395         }
396
397         if (session->transport->negotiate.secblob.length) {
398                 chosen_oid = GENSEC_OID_SPNEGO;
399                 status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
400                 if (!NT_STATUS_IS_OK(status)) {
401                         DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
402                                   gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
403                         chosen_oid = GENSEC_OID_NTLMSSP;
404                         status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
405                         if (!NT_STATUS_IS_OK(status)) {
406                                 DEBUG(1, ("Failed to start set (fallback) GENSEC client mechanism %s: %s\n",
407                                           gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
408                         return status;
409                         }
410                 }
411         } else {
412                 /* without a sec blob, means raw NTLMSSP */
413                 chosen_oid = GENSEC_OID_NTLMSSP;
414                 status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
415                 if (!NT_STATUS_IS_OK(status)) {
416                         DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
417                                   gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
418                 }
419         }
420
421         if (chosen_oid == GENSEC_OID_SPNEGO) {
422                 status = gensec_update(session->gensec, state,
423                                        session->transport->negotiate.secblob,
424                                        &state->setup.spnego.in.secblob);
425         } else {
426                 status = gensec_update(session->gensec, state,
427                                        data_blob(NULL, 0),
428                                        &state->setup.spnego.in.secblob);
429
430         }
431
432         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && 
433             !NT_STATUS_IS_OK(status)) {
434                 DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
435                           gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
436                 return status;
437         }
438         state->gensec_status = status;
439
440         session_key_err = gensec_session_key(session->gensec, &session_key);
441         if (NT_STATUS_IS_OK(session_key_err)) {
442                 smbcli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
443         }
444
445         *req = smb_raw_sesssetup_send(session, &state->setup);
446         if (!*req) {
447                 return NT_STATUS_NO_MEMORY;
448         }
449         return (*req)->status;
450 }
451
452
453 /*
454   composite session setup function that hides the details of all the
455   different session setup varients, including the multi-pass nature of
456   the spnego varient
457 */
458 struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *session, 
459                                                        struct smb_composite_sesssetup *io)
460 {
461         struct composite_context *c;
462         struct sesssetup_state *state;
463         NTSTATUS status;
464
465         c = composite_create(session, session->transport->socket->event.ctx);
466         if (c == NULL) return NULL;
467
468         state = talloc_zero(c, struct sesssetup_state);
469         if (composite_nomem(state, c)) return c;
470         c->private_data = state;
471
472         state->io = io;
473
474         talloc_set_destructor(state, sesssetup_state_destructor);
475
476         /* no session setup at all in earliest protocol varients */
477         if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
478                 ZERO_STRUCT(io->out);
479                 composite_done(c);
480                 return c;
481         }
482
483         /* see what session setup interface we will use */
484         if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
485                 status = session_setup_old(c, session, io, &state->req);
486         } else if (!session->transport->options.use_spnego ||
487                    !(io->in.capabilities & CAP_EXTENDED_SECURITY)) {
488                 status = session_setup_nt1(c, session, io, &state->req);
489         } else {
490                 status = session_setup_spnego(c, session, io, &state->req);
491         }
492
493         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) || 
494             NT_STATUS_IS_OK(status)) {
495                 composite_continue_smb(c, state->req, request_handler, c);      
496                 return c;
497         }
498
499         composite_error(c, status);
500         return c;
501 }
502
503
504 /*
505   receive a composite session setup reply
506 */
507 NTSTATUS smb_composite_sesssetup_recv(struct composite_context *c)
508 {
509         NTSTATUS status;
510         status = composite_wait(c);
511         talloc_free(c);
512         return status;
513 }
514
515 /*
516   sync version of smb_composite_sesssetup 
517 */
518 NTSTATUS smb_composite_sesssetup(struct smbcli_session *session, struct smb_composite_sesssetup *io)
519 {
520         struct composite_context *c = smb_composite_sesssetup_send(session, io);
521         return smb_composite_sesssetup_recv(c);
522 }