1 /* 
2    Unix SMB/CIFS implementation.
3
4    Copyright (C) Andrew Tridgell 2005
5    
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 3 of the License, or
9    (at your option) any later version.
10    
11    This program is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15    
16    You should have received a copy of the GNU General Public License
17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
18 */
19 /*
20   a composite API for handling a generic async session setup
21 */
22
23 #include "includes.h"
24 #include "libcli/raw/libcliraw.h"
25 #include "libcli/composite/composite.h"
26 #include "libcli/smb_composite/smb_composite.h"
27 #include "libcli/auth/libcli_auth.h"
28 #include "auth/auth.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/credentials/credentials.h"
31 #include "version.h"
32
/*
  state carried across the rounds of one composite session setup; it is
  stored as the composite context's private_data
*/
struct sesssetup_state {
	/* raw request/reply block for whichever session setup level is in use */
	union smb_sesssetup setup;

	/* result of the most recent gensec_update() on the SPNEGO path */
	NTSTATUS gensec_status;

	/* the caller's parameter block; out.vuid is filled in by the handler */
	struct smb_composite_sesssetup *io;

	/* sub-request currently outstanding, NULL when there is none */
	struct smbcli_request *req;
};
39
/*
  talloc destructor for struct sesssetup_state: frees the sub-request
  recorded in state->req, if any, and clears the pointer.
  Always returns 0.
*/
static int sesssetup_state_destructor(struct sesssetup_state *state)
{
	struct smbcli_request *pending = state->req;

	if (pending == NULL) {
		return 0;
	}

	talloc_free(pending);
	state->req = NULL;
	return 0;
}
49
/*
  forward declarations: request_handler() calls these again when a logon
  fails and another attempt is made, so they are needed before their
  definitions further down
*/
static NTSTATUS session_setup_old(struct composite_context *c,
				  struct smbcli_session *session,
				  struct smb_composite_sesssetup *io,
				  struct smbcli_request **req);

static NTSTATUS session_setup_nt1(struct composite_context *c,
				  struct smbcli_session *session,
				  struct smb_composite_sesssetup *io,
				  struct smbcli_request **req);

static NTSTATUS session_setup_spnego(struct composite_context *c,
				     struct smbcli_session *session,
				     struct smb_composite_sesssetup *io,
				     struct smbcli_request **req);
62
/*
  store the user session key on the session

  The key bytes are copied into a blob allocated on the session's talloc
  context, so the caller may free its own session_key afterwards.

  NOTE(review): a key already held in session->user_session_key is
  overwritten without being freed here, and the result of the allocation
  is not checked - confirm both are acceptable for the callers.
*/
static void set_user_session_key(struct smbcli_session *session,
				 const DATA_BLOB *session_key)
{
	DATA_BLOB key_copy = data_blob_talloc(session,
					      session_key->data,
					      session_key->length);

	session->user_session_key = key_copy;
}
73
static void request_handler(struct smbcli_request *req);

/*
  After a reply has been received, decide whether the session setup
  should be sent again with different credentials.

  Only acts when c->status is NT_STATUS_LOGON_FAILURE: the session vuid
  is reset, and if cli_credentials_wrong_password() agrees to another
  attempt the given sender is called again.

  Returns 1 when a new request was queued (request_handler will run again
  for it), 0 when the caller should continue with the status in c->status.
*/
static int sesssetup_retry_logon(struct composite_context *c,
				 struct sesssetup_state *state,
				 struct smbcli_session *session,
				 NTSTATUS (*resend)(struct composite_context *,
						    struct smbcli_session *,
						    struct smb_composite_sesssetup *,
						    struct smbcli_request **))
{
	NTSTATUS nt_status;

	if (!NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
		return 0;
	}

	/* we need to reset the vuid for a new try */
	session->vuid = 0;

	if (!cli_credentials_wrong_password(state->io->in.credentials)) {
		return 0;
	}

	nt_status = resend(c, session, state->io, &state->req);
	if (!NT_STATUS_IS_OK(nt_status)) {
		/* the failure status already in c->status is what gets reported */
		return 0;
	}

	c->status = nt_status;
	composite_continue_smb(c, state->req, request_handler, c);
	return 1;
}

/*
  handler for completion of a smbcli_request sub-request

  Collects the reply for the session setup level that was sent, records
  the vuid the server returned, and then either queues another round
  (retry after a logon failure, or the next SPNEGO leg) or finishes the
  composite request with composite_done()/composite_error().

  Two checks here are security relevant:
   - on the SPNEGO path the local GENSEC status decides whether the
     exchange is complete, not the server's reply alone
   - the locally configured mandatory signing flag is enforced before
     success is reported; anonymous credentials are exempt from it
*/
static void request_handler(struct smbcli_request *req)
{
	struct composite_context *c = (struct composite_context *)req->async.private;
	struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
	struct smbcli_session *session = req->session;
	DATA_BLOB session_key = data_blob(NULL, 0);
	DATA_BLOB null_data_blob = data_blob(NULL, 0);
	NTSTATUS session_key_err;

	c->status = smb_raw_sesssetup_recv(req, state, &state->setup);
	/* the sub-request has been consumed, nothing is pending any more */
	state->req = NULL;

	switch (state->setup.old.level) {
	case RAW_SESSSETUP_OLD:
		state->io->out.vuid = state->setup.old.out.vuid;
		/* This doesn't work, as this only happens on old
		 * protocols, where this comparison won't match. */
		if (sesssetup_retry_logon(c, state, session, session_setup_old)) {
			return;
		}
		break;

	case RAW_SESSSETUP_NT1:
		state->io->out.vuid = state->setup.nt1.out.vuid;
		if (sesssetup_retry_logon(c, state, session, session_setup_nt1)) {
			return;
		}
		break;

	case RAW_SESSSETUP_SPNEGO:
		state->io->out.vuid = state->setup.spnego.out.vuid;
		if (sesssetup_retry_logon(c, state, session, session_setup_spnego)) {
			return;
		}

		/* anything other than success or "more processing" ends the exchange */
		if (!(NT_STATUS_IS_OK(c->status) ||
		      NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED))) {
			break;
		}

		if (NT_STATUS_EQUAL(state->gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
			/* The status value here, from the earlier pass at GENSEC is
			 * vital to the security of the system.  Even if the other end
			 * accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
			 * you must keep feeding it blobs, or else the remote
			 * host/attacker might avoid mutual authentication
			 * requirements */
			state->gensec_status = gensec_update(session->gensec, state,
							     state->setup.spnego.out.secblob,
							     &state->setup.spnego.in.secblob);
			c->status = state->gensec_status;
			if (!(NT_STATUS_IS_OK(c->status) ||
			      NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED))) {
				break;
			}
		} else {
			/* GENSEC has nothing further to say, so there is no blob to send */
			state->setup.spnego.in.secblob = data_blob(NULL, 0);
		}

		/* we need to do another round of session setup. We keep going until both sides
		   are happy */
		session_key_err = gensec_session_key(session->gensec, &session_key);
		if (NT_STATUS_IS_OK(session_key_err)) {
			/* a key is available: remember it and use it for signing */
			set_user_session_key(session, &session_key);
			smbcli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
		}

		if (state->setup.spnego.in.secblob.length) {
			/*
			 * set the session->vuid value only for calling
			 * smb_raw_sesssetup_send()
			 */
			uint16_t saved_vuid = session->vuid;

			session->vuid = state->io->out.vuid;
			state->req = smb_raw_sesssetup_send(session, &state->setup);
			session->vuid = saved_vuid;
			composite_continue_smb(c, state->req, request_handler, c);
			return;
		}
		break;

	case RAW_SESSSETUP_SMB2:
		/* this handler is never expected to see an SMB2 level setup */
		c->status = NT_STATUS_INTERNAL_ERROR;
		break;
	}

	/* enforce the local signing required flag */
	if (NT_STATUS_IS_OK(c->status) &&
	    !cli_credentials_is_anonymous(state->io->in.credentials) &&
	    !session->transport->negotiate.sign_info.doing_signing &&
	    session->transport->negotiate.sign_info.mandatory_signing) {
		DEBUG(0, ("SMB signing required, but server does not support it\n"));
		c->status = NT_STATUS_ACCESS_DENIED;
	}

	if (NT_STATUS_IS_OK(c->status)) {
		composite_done(c);
	} else {
		composite_error(c, c->status);
	}
}
212
213
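/*
  send a nt1 style session setup

  Fills in state->setup.nt1 from the transport options and the caller's
  io block, builds the authentication data, and sends the request.

  When the server's negotiated sec_mode has
  NEGOTIATE_SECURITY_CHALLENGE_RESPONSE the password fields carry the
  responses from cli_credentials_get_ntlm_response(), and the resulting
  session key is used for signing and stored on the session.  Otherwise
  the cleartext password is sent, but only if lp_client_plaintext_auth()
  allows it.  Which branch runs therefore depends on the server's
  negotiate reply; keeping client plaintext auth disabled is what stops
  a server from obtaining the cleartext password this way.

  Returns the status of the queued request on success,
  NT_STATUS_NO_MEMORY if an allocation or the send fails,
  NT_STATUS_INVALID_PARAMETER if no permitted authentication method
  applies or plaintext is selected but no password is available, or the
  error from cli_credentials_get_ntlm_response().
  On success *req holds the new request.
*/
static NTSTATUS session_setup_nt1(struct composite_context *c,
				  struct smbcli_session *session,
				  struct smb_composite_sesssetup *io,
				  struct smbcli_request **req)
{
	NTSTATUS nt_status;
	struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
	const char *password = cli_credentials_get_password(io->in.credentials);
	DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, session->transport->socket->hostname, lp_workgroup());
	DATA_BLOB session_key;
	int flags = CLI_CRED_NTLM_AUTH;

	/* LANMAN responses are a weak legacy scheme; only offered when configured */
	if (lp_client_lanman_auth()) {
		flags |= CLI_CRED_LANMAN_AUTH;
	}

	if (lp_client_ntlmv2_auth()) {
		flags |= CLI_CRED_NTLMv2_AUTH;
	}

	state->setup.nt1.level           = RAW_SESSSETUP_NT1;
	state->setup.nt1.in.bufsize      = session->transport->options.max_xmit;
	state->setup.nt1.in.mpx_max      = session->transport->options.max_mux;
	state->setup.nt1.in.vc_num       = 1;
	state->setup.nt1.in.sesskey      = io->in.sesskey;
	state->setup.nt1.in.capabilities = io->in.capabilities;
	state->setup.nt1.in.os           = "Unix";
	state->setup.nt1.in.lanman       = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
	if (state->setup.nt1.in.lanman == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	cli_credentials_get_ntlm_username_domain(io->in.credentials, state,
						 &state->setup.nt1.in.user,
						 &state->setup.nt1.in.domain);

	if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
		nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state,
							      &flags,
							      session->transport->negotiate.secblob,
							      names_blob,
							      &state->setup.nt1.in.password1,
							      &state->setup.nt1.in.password2,
							      NULL, &session_key);
		NT_STATUS_NOT_OK_RETURN(nt_status);

		smbcli_transport_simple_set_signing(session->transport, session_key,
						    state->setup.nt1.in.password2);
		set_user_session_key(session, &session_key);

		/* set_user_session_key() took its own copy */
		data_blob_free(&session_key);
	} else if (lp_client_plaintext_auth()) {
		if (password == NULL) {
			/* the credentials hold no password (anonymous, for
			 * example); refuse rather than pass NULL to strlen() */
			return NT_STATUS_INVALID_PARAMETER;
		}
		/* NOTE(review): this cleartext copy lives on the state's talloc
		 * context and is not wiped before it is freed */
		state->setup.nt1.in.password1 = data_blob_talloc(state, password, strlen(password));
		state->setup.nt1.in.password2 = data_blob(NULL, 0);
	} else {
		/* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
		return NT_STATUS_INVALID_PARAMETER;
	}

	*req = smb_raw_sesssetup_send(session, &state->setup);
	if (!*req) {
		return NT_STATUS_NO_MEMORY;
	}
	return (*req)->status;
}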
279
280
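/*
  old style session setup (pre NT1 protocol level)

  Fills in state->setup.old from the transport options and the caller's
  io block, builds the authentication data, and sends the request.

  No NTLM flag is set here, so the response comes from the LANMAN and/or
  NTLMv2 settings only.  As in the nt1 variant, the cleartext password is
  sent when the server's negotiated sec_mode lacks
  NEGOTIATE_SECURITY_CHALLENGE_RESPONSE and lp_client_plaintext_auth()
  permits it; keeping client plaintext auth disabled prevents that.

  Returns the status of the queued request on success,
  NT_STATUS_NO_MEMORY if an allocation or the send fails,
  NT_STATUS_INVALID_PARAMETER if no permitted authentication method
  applies or plaintext is selected but no password is available, or the
  error from cli_credentials_get_ntlm_response().
  On success *req holds the new request.
*/
static NTSTATUS session_setup_old(struct composite_context *c,
				  struct smbcli_session *session,
				  struct smb_composite_sesssetup *io,
				  struct smbcli_request **req)
{
	NTSTATUS nt_status;
	struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
	const char *password = cli_credentials_get_password(io->in.credentials);
	DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, session->transport->socket->hostname, lp_workgroup());
	DATA_BLOB session_key;
	int flags = 0;

	/* LANMAN responses are a weak legacy scheme; only offered when configured */
	if (lp_client_lanman_auth()) {
		flags |= CLI_CRED_LANMAN_AUTH;
	}

	if (lp_client_ntlmv2_auth()) {
		flags |= CLI_CRED_NTLMv2_AUTH;
	}

	state->setup.old.level      = RAW_SESSSETUP_OLD;
	state->setup.old.in.bufsize = session->transport->options.max_xmit;
	state->setup.old.in.mpx_max = session->transport->options.max_mux;
	state->setup.old.in.vc_num  = 1;
	state->setup.old.in.sesskey = io->in.sesskey;
	state->setup.old.in.os      = "Unix";
	state->setup.old.in.lanman  = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
	if (state->setup.old.in.lanman == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	cli_credentials_get_ntlm_username_domain(io->in.credentials, state,
						 &state->setup.old.in.user,
						 &state->setup.old.in.domain);

	if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
		nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state,
							      &flags,
							      session->transport->negotiate.secblob,
							      names_blob,
							      &state->setup.old.in.password,
							      NULL,
							      NULL, &session_key);
		NT_STATUS_NOT_OK_RETURN(nt_status);
		set_user_session_key(session, &session_key);

		/* set_user_session_key() took its own copy */
		data_blob_free(&session_key);
	} else if (lp_client_plaintext_auth()) {
		if (password == NULL) {
			/* the credentials hold no password (anonymous, for
			 * example); refuse rather than pass NULL to strlen() */
			return NT_STATUS_INVALID_PARAMETER;
		}
		/* NOTE(review): this cleartext copy lives on the state's talloc
		 * context and is not wiped before it is freed */
		state->setup.old.in.password = data_blob_talloc(state, password, strlen(password));
	} else {
		/* could match windows client and return 'cannot logon from this workstation', but it just confuses everybody */
		return NT_STATUS_INVALID_PARAMETER;
	}

	*req = smb_raw_sesssetup_send(session, &state->setup);
	if (!*req) {
		return NT_STATUS_NO_MEMORY;
	}
	return (*req)->status;
}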
339
340
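/*
  Modern, all singing, all dancing extended security (and possibly SPNEGO) request

  Starts a GENSEC client on the session, points it at the target host and
  the "cifs" service, selects a mechanism and produces the first security
  blob, then sends the session setup.

  Mechanism choice: SPNEGO when the server's negotiate reply carried a
  security blob, raw NTLMSSP otherwise.
  NOTE(review): if SPNEGO cannot be started locally the code falls back to
  raw NTLMSSP even though the server offered a blob - confirm that this
  fallback is wanted.

  The status of the first gensec_update() is kept in state->gensec_status;
  request_handler() relies on it to decide whether the exchange may end.

  Returns the status of the queued request on success, the failing GENSEC
  status on a setup error, or NT_STATUS_NO_MEMORY if an allocation or the
  send fails.  On success *req holds the new request.
*/
static NTSTATUS session_setup_spnego(struct composite_context *c,
				     struct smbcli_session *session,
				     struct smb_composite_sesssetup *io,
				     struct smbcli_request **req)
{
	struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
	NTSTATUS status, session_key_err;
	DATA_BLOB session_key = data_blob(NULL, 0);
	DATA_BLOB null_data_blob = data_blob(NULL, 0);
	const char *chosen_oid = NULL;

	state->setup.spnego.level           = RAW_SESSSETUP_SPNEGO;
	state->setup.spnego.in.bufsize      = session->transport->options.max_xmit;
	state->setup.spnego.in.mpx_max      = session->transport->options.max_mux;
	state->setup.spnego.in.vc_num       = 1;
	state->setup.spnego.in.sesskey      = io->in.sesskey;
	state->setup.spnego.in.capabilities = io->in.capabilities;
	state->setup.spnego.in.os           = "Unix";
	state->setup.spnego.in.lanman       = talloc_asprintf(state, "Samba %s", SAMBA_VERSION_STRING);
	if (state->setup.spnego.in.lanman == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	state->setup.spnego.in.workgroup    = io->in.workgroup;

	smbcli_temp_set_signing(session->transport);

	status = gensec_client_start(session, &session->gensec, c->event_ctx);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status)));
		return status;
	}

	/* a session key is needed later for signing */
	gensec_want_feature(session->gensec, GENSEC_FEATURE_SESSION_KEY);

	status = gensec_set_credentials(session->gensec, io->in.credentials);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(1, ("Failed to start set GENSEC client credentails: %s\n",
			  nt_errstr(status)));
		return status;
	}

	status = gensec_set_target_hostname(session->gensec, session->transport->socket->hostname);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
			  nt_errstr(status)));
		return status;
	}

	status = gensec_set_target_service(session->gensec, "cifs");
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
			  nt_errstr(status)));
		return status;
	}

	if (session->transport->negotiate.secblob.length) {
		chosen_oid = GENSEC_OID_SPNEGO;
		status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
				  gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
			chosen_oid = GENSEC_OID_NTLMSSP;
			status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
			if (!NT_STATUS_IS_OK(status)) {
				DEBUG(1, ("Failed to start set (fallback) GENSEC client mechanism %s: %s\n",
					  gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
				return status;
			}
		}
	} else {
		/* without a sec blob, means raw NTLMSSP */
		chosen_oid = GENSEC_OID_NTLMSSP;
		status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n",
				  gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
			/* no mechanism was started, so gensec_update() must not run */
			return status;
		}
	}

	/* compare the OID text: two equal strings need not share one address */
	if (strcmp(chosen_oid, GENSEC_OID_SPNEGO) == 0) {
		/* SPNEGO consumes the blob from the server's negotiate reply */
		status = gensec_update(session->gensec, state,
				       session->transport->negotiate.secblob,
				       &state->setup.spnego.in.secblob);
	} else {
		/* raw NTLMSSP starts from an empty input blob */
		status = gensec_update(session->gensec, state,
				       data_blob(NULL, 0),
				       &state->setup.spnego.in.secblob);
	}

	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
	    !NT_STATUS_IS_OK(status)) {
		DEBUG(1, ("Failed initial gensec_update with mechanism %s: %s\n",
			  gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
		return status;
	}
	/* kept for request_handler(), which checks it before accepting success */
	state->gensec_status = status;

	session_key_err = gensec_session_key(session->gensec, &session_key);
	if (NT_STATUS_IS_OK(session_key_err)) {
		smbcli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
	}

	*req = smb_raw_sesssetup_send(session, &state->setup);
	if (!*req) {
		return NT_STATUS_NO_MEMORY;
	}
	return (*req)->status;
}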
450
451
/*
  composite session setup function that hides the details of all the
  different session setup variants, including the multi-pass nature of
  the spnego variant

  The variant is picked from the negotiated protocol level, the
  transport's use_spnego option and the CAP_EXTENDED_SECURITY bit in
  io->in.capabilities.

  Returns NULL only if the composite context could not be created; every
  other failure is reported through the returned context.
*/
struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *session,
						       struct smb_composite_sesssetup *io)
{
	struct composite_context *c;
	struct sesssetup_state *state;
	NTSTATUS status;

	c = composite_create(session, session->transport->socket->event.ctx);
	if (c == NULL) {
		return NULL;
	}

	state = talloc_zero(c, struct sesssetup_state);
	if (composite_nomem(state, c)) {
		return c;
	}
	c->private_data = state;
	state->io = io;

	/* make sure an outstanding sub-request goes away with the state */
	talloc_set_destructor(state, sesssetup_state_destructor);

	/* no session setup at all in earliest protocol variants */
	if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
		ZERO_STRUCT(io->out);
		composite_done(c);
		return c;
	}

	/* see what session setup interface we will use */
	if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
		status = session_setup_old(c, session, io, &state->req);
	} else if (session->transport->options.use_spnego &&
		   (io->in.capabilities & CAP_EXTENDED_SECURITY)) {
		status = session_setup_spnego(c, session, io, &state->req);
	} else {
		status = session_setup_nt1(c, session, io, &state->req);
	}

	if (!NT_STATUS_IS_OK(status) &&
	    !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
		composite_error(c, status);
		return c;
	}

	/* the request is on the wire; request_handler() takes it from here */
	composite_continue_smb(c, state->req, request_handler, c);
	return c;
}
501
502
/*
  receive a composite session setup reply

  Waits for the composite request to finish, frees the context and
  returns the final status.  The context must not be used afterwards.
*/
NTSTATUS smb_composite_sesssetup_recv(struct composite_context *c)
{
	NTSTATUS status = composite_wait(c);

	talloc_free(c);
	return status;
}
513
/*
  sync version of smb_composite_sesssetup

  Sends the session setup and waits for its result in one call.
*/
NTSTATUS smb_composite_sesssetup(struct smbcli_session *session, struct smb_composite_sesssetup *io)
{
	return smb_composite_sesssetup_recv(smb_composite_sesssetup_send(session, io));
}