110023SGordon.Ross@Sun.COM /*
210023SGordon.Ross@Sun.COM * Copyright (c) 2000-2001 Boris Popov
310023SGordon.Ross@Sun.COM * All rights reserved.
410023SGordon.Ross@Sun.COM *
510023SGordon.Ross@Sun.COM * Redistribution and use in source and binary forms, with or without
610023SGordon.Ross@Sun.COM * modification, are permitted provided that the following conditions
710023SGordon.Ross@Sun.COM * are met:
810023SGordon.Ross@Sun.COM * 1. Redistributions of source code must retain the above copyright
910023SGordon.Ross@Sun.COM * notice, this list of conditions and the following disclaimer.
1010023SGordon.Ross@Sun.COM * 2. Redistributions in binary form must reproduce the above copyright
1110023SGordon.Ross@Sun.COM * notice, this list of conditions and the following disclaimer in the
1210023SGordon.Ross@Sun.COM * documentation and/or other materials provided with the distribution.
1310023SGordon.Ross@Sun.COM * 3. All advertising materials mentioning features or use of this software
1410023SGordon.Ross@Sun.COM * must display the following acknowledgement:
1510023SGordon.Ross@Sun.COM * This product includes software developed by Boris Popov.
1610023SGordon.Ross@Sun.COM * 4. Neither the name of the author nor the names of any co-contributors
1710023SGordon.Ross@Sun.COM * may be used to endorse or promote products derived from this software
1810023SGordon.Ross@Sun.COM * without specific prior written permission.
1910023SGordon.Ross@Sun.COM *
2010023SGordon.Ross@Sun.COM * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
2110023SGordon.Ross@Sun.COM * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
2210023SGordon.Ross@Sun.COM * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2310023SGordon.Ross@Sun.COM * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
2410023SGordon.Ross@Sun.COM * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2510023SGordon.Ross@Sun.COM * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2610023SGordon.Ross@Sun.COM * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2710023SGordon.Ross@Sun.COM * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
2810023SGordon.Ross@Sun.COM * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
2910023SGordon.Ross@Sun.COM * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3010023SGordon.Ross@Sun.COM * SUCH DAMAGE.
3110023SGordon.Ross@Sun.COM */
3210023SGordon.Ross@Sun.COM
3310023SGordon.Ross@Sun.COM /*
3412140SGordon.Ross@Sun.COM * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
3510023SGordon.Ross@Sun.COM */
3610023SGordon.Ross@Sun.COM
3710023SGordon.Ross@Sun.COM /*
3810023SGordon.Ross@Sun.COM * SMB Session Setup, and related.
3910023SGordon.Ross@Sun.COM * Copied from the driver: smb_smb.c
4010023SGordon.Ross@Sun.COM */
4110023SGordon.Ross@Sun.COM
4210023SGordon.Ross@Sun.COM #include <errno.h>
4310023SGordon.Ross@Sun.COM #include <stdio.h>
4410023SGordon.Ross@Sun.COM #include <stdlib.h>
4510023SGordon.Ross@Sun.COM #include <unistd.h>
4610023SGordon.Ross@Sun.COM #include <strings.h>
4710023SGordon.Ross@Sun.COM #include <netdb.h>
4810023SGordon.Ross@Sun.COM #include <libintl.h>
4910023SGordon.Ross@Sun.COM #include <xti.h>
5010023SGordon.Ross@Sun.COM #include <assert.h>
5110023SGordon.Ross@Sun.COM
5210023SGordon.Ross@Sun.COM #include <sys/types.h>
5310023SGordon.Ross@Sun.COM #include <sys/time.h>
5410023SGordon.Ross@Sun.COM #include <sys/byteorder.h>
5510023SGordon.Ross@Sun.COM #include <sys/socket.h>
5610023SGordon.Ross@Sun.COM #include <sys/fcntl.h>
5710023SGordon.Ross@Sun.COM
5810023SGordon.Ross@Sun.COM #include <netinet/in.h>
5910023SGordon.Ross@Sun.COM #include <netinet/tcp.h>
6010023SGordon.Ross@Sun.COM #include <arpa/inet.h>
6110023SGordon.Ross@Sun.COM
6210023SGordon.Ross@Sun.COM #include <netsmb/mchain.h>
6310023SGordon.Ross@Sun.COM #include <netsmb/netbios.h>
6410023SGordon.Ross@Sun.COM #include <netsmb/smb_dev.h>
6510023SGordon.Ross@Sun.COM #include <netsmb/smb.h>
6610023SGordon.Ross@Sun.COM
6710023SGordon.Ross@Sun.COM #include <netsmb/smb_lib.h>
6810023SGordon.Ross@Sun.COM #include <netsmb/nb_lib.h>
6910023SGordon.Ross@Sun.COM
7010023SGordon.Ross@Sun.COM #include "private.h"
7110023SGordon.Ross@Sun.COM #include "charsets.h"
7210023SGordon.Ross@Sun.COM #include "ntlm.h"
7310023SGordon.Ross@Sun.COM #include "smb_crypt.h"
7410023SGordon.Ross@Sun.COM
7510023SGordon.Ross@Sun.COM
7610023SGordon.Ross@Sun.COM static int
7710023SGordon.Ross@Sun.COM smb__ssnsetup(struct smb_ctx *ctx,
7810023SGordon.Ross@Sun.COM struct mbdata *mbc1, struct mbdata *mbc2,
7910023SGordon.Ross@Sun.COM uint32_t *statusp, uint16_t *actionp);
8010023SGordon.Ross@Sun.COM
8110023SGordon.Ross@Sun.COM /*
8210023SGordon.Ross@Sun.COM * Session Setup: NULL session (anonymous)
8310023SGordon.Ross@Sun.COM */
8410023SGordon.Ross@Sun.COM int
smb_ssnsetup_null(struct smb_ctx * ctx)8510023SGordon.Ross@Sun.COM smb_ssnsetup_null(struct smb_ctx *ctx)
8610023SGordon.Ross@Sun.COM {
8710023SGordon.Ross@Sun.COM int err;
8810023SGordon.Ross@Sun.COM uint32_t ntstatus;
8910023SGordon.Ross@Sun.COM uint16_t action = 0;
9010023SGordon.Ross@Sun.COM
9110023SGordon.Ross@Sun.COM if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
9210023SGordon.Ross@Sun.COM /* Should not get here with... */
9310023SGordon.Ross@Sun.COM err = EINVAL;
9410023SGordon.Ross@Sun.COM goto out;
9510023SGordon.Ross@Sun.COM }
9610023SGordon.Ross@Sun.COM
9710023SGordon.Ross@Sun.COM err = smb__ssnsetup(ctx, NULL, NULL, &ntstatus, &action);
9810023SGordon.Ross@Sun.COM if (err)
9910023SGordon.Ross@Sun.COM goto out;
10010023SGordon.Ross@Sun.COM
10110023SGordon.Ross@Sun.COM DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
10210023SGordon.Ross@Sun.COM if (ntstatus != 0)
10310023SGordon.Ross@Sun.COM err = EAUTH;
10410023SGordon.Ross@Sun.COM
10510023SGordon.Ross@Sun.COM out:
10610023SGordon.Ross@Sun.COM return (err);
10710023SGordon.Ross@Sun.COM }
10810023SGordon.Ross@Sun.COM
10910023SGordon.Ross@Sun.COM
11010023SGordon.Ross@Sun.COM /*
11110023SGordon.Ross@Sun.COM * SMB Session Setup, using NTLMv1 (and maybe LMv1)
11210023SGordon.Ross@Sun.COM */
11310023SGordon.Ross@Sun.COM int
smb_ssnsetup_ntlm1(struct smb_ctx * ctx)11410023SGordon.Ross@Sun.COM smb_ssnsetup_ntlm1(struct smb_ctx *ctx)
11510023SGordon.Ross@Sun.COM {
11610023SGordon.Ross@Sun.COM struct mbdata lm_mbc, nt_mbc;
11710023SGordon.Ross@Sun.COM int err;
11810023SGordon.Ross@Sun.COM uint32_t ntstatus;
11910023SGordon.Ross@Sun.COM uint16_t action = 0;
12010023SGordon.Ross@Sun.COM
12110023SGordon.Ross@Sun.COM if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
12210023SGordon.Ross@Sun.COM /* Should not get here with... */
12310023SGordon.Ross@Sun.COM err = EINVAL;
12410023SGordon.Ross@Sun.COM goto out;
12510023SGordon.Ross@Sun.COM }
12610023SGordon.Ross@Sun.COM
12710023SGordon.Ross@Sun.COM /* Make mb_done calls at out safe. */
12810023SGordon.Ross@Sun.COM bzero(&lm_mbc, sizeof (lm_mbc));
12910023SGordon.Ross@Sun.COM bzero(&nt_mbc, sizeof (nt_mbc));
13010023SGordon.Ross@Sun.COM
13110023SGordon.Ross@Sun.COM /* Put the LM,NTLM responses (as mbdata). */
13210023SGordon.Ross@Sun.COM err = ntlm_put_v1_responses(ctx, &lm_mbc, &nt_mbc);
13310023SGordon.Ross@Sun.COM if (err)
13410023SGordon.Ross@Sun.COM goto out;
13510023SGordon.Ross@Sun.COM
13610023SGordon.Ross@Sun.COM /*
13710023SGordon.Ross@Sun.COM * If we negotiated signing, compute the MAC key
13810023SGordon.Ross@Sun.COM * and start signing messages, but only on the
13910023SGordon.Ross@Sun.COM * first non-null session login.
14010023SGordon.Ross@Sun.COM */
14110023SGordon.Ross@Sun.COM if ((ctx->ct_vcflags & SMBV_WILL_SIGN) &&
14210023SGordon.Ross@Sun.COM (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) {
14310023SGordon.Ross@Sun.COM struct mbuf *m = nt_mbc.mb_top;
14410023SGordon.Ross@Sun.COM char *p;
14510023SGordon.Ross@Sun.COM
14610023SGordon.Ross@Sun.COM /*
14710023SGordon.Ross@Sun.COM * MAC_key = concat(session_key, nt_response)
14810023SGordon.Ross@Sun.COM */
14910023SGordon.Ross@Sun.COM ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len;
15010023SGordon.Ross@Sun.COM ctx->ct_mackey = malloc(ctx->ct_mackeylen);
15110023SGordon.Ross@Sun.COM if (ctx->ct_mackey == NULL) {
15210023SGordon.Ross@Sun.COM ctx->ct_mackeylen = 0;
15310023SGordon.Ross@Sun.COM err = ENOMEM;
15410023SGordon.Ross@Sun.COM goto out;
15510023SGordon.Ross@Sun.COM }
15610023SGordon.Ross@Sun.COM p = ctx->ct_mackey;
15710023SGordon.Ross@Sun.COM memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ);
15810023SGordon.Ross@Sun.COM memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len);
15910023SGordon.Ross@Sun.COM
16010023SGordon.Ross@Sun.COM /* OK, start signing! */
16110023SGordon.Ross@Sun.COM ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE;
16210023SGordon.Ross@Sun.COM }
16310023SGordon.Ross@Sun.COM
16410023SGordon.Ross@Sun.COM err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action);
16510023SGordon.Ross@Sun.COM if (err)
16610023SGordon.Ross@Sun.COM goto out;
16710023SGordon.Ross@Sun.COM
16810023SGordon.Ross@Sun.COM DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
16910023SGordon.Ross@Sun.COM if (ntstatus != 0)
17010023SGordon.Ross@Sun.COM err = EAUTH;
17110023SGordon.Ross@Sun.COM
17210023SGordon.Ross@Sun.COM out:
17310023SGordon.Ross@Sun.COM mb_done(&lm_mbc);
17410023SGordon.Ross@Sun.COM mb_done(&nt_mbc);
17510023SGordon.Ross@Sun.COM
17610023SGordon.Ross@Sun.COM return (err);
17710023SGordon.Ross@Sun.COM }
17810023SGordon.Ross@Sun.COM
17910023SGordon.Ross@Sun.COM /*
18010023SGordon.Ross@Sun.COM * SMB Session Setup, using NTLMv2 (and LMv2)
18110023SGordon.Ross@Sun.COM */
18210023SGordon.Ross@Sun.COM int
smb_ssnsetup_ntlm2(struct smb_ctx * ctx)18310023SGordon.Ross@Sun.COM smb_ssnsetup_ntlm2(struct smb_ctx *ctx)
18410023SGordon.Ross@Sun.COM {
18510023SGordon.Ross@Sun.COM struct mbdata lm_mbc, nt_mbc, ti_mbc;
18610023SGordon.Ross@Sun.COM int err;
18710023SGordon.Ross@Sun.COM uint32_t ntstatus;
18810023SGordon.Ross@Sun.COM uint16_t action = 0;
18910023SGordon.Ross@Sun.COM
19010023SGordon.Ross@Sun.COM if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
19110023SGordon.Ross@Sun.COM /* Should not get here with... */
19210023SGordon.Ross@Sun.COM err = EINVAL;
19310023SGordon.Ross@Sun.COM goto out;
19410023SGordon.Ross@Sun.COM }
19510023SGordon.Ross@Sun.COM
19610023SGordon.Ross@Sun.COM /* Make mb_done calls at out safe. */
19710023SGordon.Ross@Sun.COM bzero(&lm_mbc, sizeof (lm_mbc));
19810023SGordon.Ross@Sun.COM bzero(&nt_mbc, sizeof (nt_mbc));
19910023SGordon.Ross@Sun.COM bzero(&ti_mbc, sizeof (ti_mbc));
20010023SGordon.Ross@Sun.COM
20110023SGordon.Ross@Sun.COM /* Build the NTLMv2 "target info" blob (as mbdata) */
20210023SGordon.Ross@Sun.COM err = ntlm_build_target_info(ctx, NULL, &ti_mbc);
20310023SGordon.Ross@Sun.COM if (err)
20410023SGordon.Ross@Sun.COM goto out;
20510023SGordon.Ross@Sun.COM
20610023SGordon.Ross@Sun.COM /* Put the LMv2, NTLMv2 responses (as mbdata). */
20710023SGordon.Ross@Sun.COM err = ntlm_put_v2_responses(ctx, &ti_mbc, &lm_mbc, &nt_mbc);
20810023SGordon.Ross@Sun.COM if (err)
20910023SGordon.Ross@Sun.COM goto out;
21010023SGordon.Ross@Sun.COM
21110023SGordon.Ross@Sun.COM /*
21210023SGordon.Ross@Sun.COM * If we negotiated signing, compute the MAC key
21310023SGordon.Ross@Sun.COM * and start signing messages, but only on the
21410023SGordon.Ross@Sun.COM * first non-null session login.
21510023SGordon.Ross@Sun.COM */
21610023SGordon.Ross@Sun.COM if ((ctx->ct_vcflags & SMBV_WILL_SIGN) &&
21710023SGordon.Ross@Sun.COM (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) {
21810023SGordon.Ross@Sun.COM struct mbuf *m = nt_mbc.mb_top;
21910023SGordon.Ross@Sun.COM char *p;
22010023SGordon.Ross@Sun.COM
22110023SGordon.Ross@Sun.COM /*
22210023SGordon.Ross@Sun.COM * MAC_key = concat(session_key, nt_response)
22310023SGordon.Ross@Sun.COM */
22410023SGordon.Ross@Sun.COM ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len;
22510023SGordon.Ross@Sun.COM ctx->ct_mackey = malloc(ctx->ct_mackeylen);
22610023SGordon.Ross@Sun.COM if (ctx->ct_mackey == NULL) {
22710023SGordon.Ross@Sun.COM ctx->ct_mackeylen = 0;
22810023SGordon.Ross@Sun.COM err = ENOMEM;
22910023SGordon.Ross@Sun.COM goto out;
23010023SGordon.Ross@Sun.COM }
23110023SGordon.Ross@Sun.COM p = ctx->ct_mackey;
23210023SGordon.Ross@Sun.COM memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ);
23310023SGordon.Ross@Sun.COM memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len);
23410023SGordon.Ross@Sun.COM
23510023SGordon.Ross@Sun.COM /* OK, start signing! */
23610023SGordon.Ross@Sun.COM ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE;
23710023SGordon.Ross@Sun.COM }
23810023SGordon.Ross@Sun.COM
23910023SGordon.Ross@Sun.COM err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action);
24010023SGordon.Ross@Sun.COM if (err)
24110023SGordon.Ross@Sun.COM goto out;
24210023SGordon.Ross@Sun.COM
24310023SGordon.Ross@Sun.COM DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
24410023SGordon.Ross@Sun.COM if (ntstatus != 0)
24510023SGordon.Ross@Sun.COM err = EAUTH;
24610023SGordon.Ross@Sun.COM
24710023SGordon.Ross@Sun.COM out:
24810023SGordon.Ross@Sun.COM mb_done(&ti_mbc);
24910023SGordon.Ross@Sun.COM mb_done(&lm_mbc);
25010023SGordon.Ross@Sun.COM mb_done(&nt_mbc);
25110023SGordon.Ross@Sun.COM
25210023SGordon.Ross@Sun.COM return (err);
25310023SGordon.Ross@Sun.COM }
25410023SGordon.Ross@Sun.COM
25510023SGordon.Ross@Sun.COM int
smb_ssnsetup_spnego(struct smb_ctx * ctx,struct mbdata * hint_mb)25610023SGordon.Ross@Sun.COM smb_ssnsetup_spnego(struct smb_ctx *ctx, struct mbdata *hint_mb)
25710023SGordon.Ross@Sun.COM {
25810023SGordon.Ross@Sun.COM struct mbdata send_mb, recv_mb;
25910023SGordon.Ross@Sun.COM int err;
26010023SGordon.Ross@Sun.COM uint32_t ntstatus;
26110023SGordon.Ross@Sun.COM uint16_t action = 0;
26210023SGordon.Ross@Sun.COM
26310023SGordon.Ross@Sun.COM err = ssp_ctx_create_client(ctx, hint_mb);
26410023SGordon.Ross@Sun.COM if (err)
26510023SGordon.Ross@Sun.COM goto out;
26610023SGordon.Ross@Sun.COM
26710023SGordon.Ross@Sun.COM bzero(&send_mb, sizeof (send_mb));
26810023SGordon.Ross@Sun.COM bzero(&recv_mb, sizeof (recv_mb));
26910023SGordon.Ross@Sun.COM
27010023SGordon.Ross@Sun.COM /* NULL input indicates first call. */
27110023SGordon.Ross@Sun.COM err = ssp_ctx_next_token(ctx, NULL, &send_mb);
27210023SGordon.Ross@Sun.COM if (err)
27310023SGordon.Ross@Sun.COM goto out;
27410023SGordon.Ross@Sun.COM
27510023SGordon.Ross@Sun.COM for (;;) {
27610023SGordon.Ross@Sun.COM err = smb__ssnsetup(ctx, &send_mb, &recv_mb,
27710023SGordon.Ross@Sun.COM &ntstatus, &action);
27810023SGordon.Ross@Sun.COM if (err)
27910023SGordon.Ross@Sun.COM goto out;
28010023SGordon.Ross@Sun.COM if (ntstatus == 0)
28110023SGordon.Ross@Sun.COM break; /* normal loop termination */
282*12508Samw@Sun.COM if (ntstatus != NT_STATUS_MORE_PROCESSING_REQUIRED) {
28310023SGordon.Ross@Sun.COM err = EAUTH;
28412140SGordon.Ross@Sun.COM goto out;
28510023SGordon.Ross@Sun.COM }
28610023SGordon.Ross@Sun.COM
28710023SGordon.Ross@Sun.COM /* middle calls get both in, out */
28810023SGordon.Ross@Sun.COM err = ssp_ctx_next_token(ctx, &recv_mb, &send_mb);
28910023SGordon.Ross@Sun.COM if (err)
29010023SGordon.Ross@Sun.COM goto out;
29110023SGordon.Ross@Sun.COM }
29210023SGordon.Ross@Sun.COM DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
29310023SGordon.Ross@Sun.COM
29410023SGordon.Ross@Sun.COM /* NULL output indicates last call. */
29510023SGordon.Ross@Sun.COM (void) ssp_ctx_next_token(ctx, &recv_mb, NULL);
29610023SGordon.Ross@Sun.COM
29710023SGordon.Ross@Sun.COM out:
29810023SGordon.Ross@Sun.COM ssp_ctx_destroy(ctx);
29910023SGordon.Ross@Sun.COM
30010023SGordon.Ross@Sun.COM return (err);
30110023SGordon.Ross@Sun.COM }
30210023SGordon.Ross@Sun.COM
30310023SGordon.Ross@Sun.COM /*
30410023SGordon.Ross@Sun.COM * Session Setup function used for all the forms we support.
30510023SGordon.Ross@Sun.COM * To allow this sharing, the crypto stuff is computed by
30610023SGordon.Ross@Sun.COM * callers and passed in as mbdata chains. Also, the args
30710023SGordon.Ross@Sun.COM * have different meanings for extended security vs. old.
30810023SGordon.Ross@Sun.COM * Some may be used as either IN or OUT parameters.
30910023SGordon.Ross@Sun.COM *
31010023SGordon.Ross@Sun.COM * For NTLM (v1, v2), all parameters are inputs
31110023SGordon.Ross@Sun.COM * mbc1: [in] LM password hash
31210023SGordon.Ross@Sun.COM * mbc2: [in] NT password hash
31310023SGordon.Ross@Sun.COM * For Extended security (spnego)
31410023SGordon.Ross@Sun.COM * mbc1: [in] outgoing blob data
31510023SGordon.Ross@Sun.COM * mbc2: [out] received blob data
31610023SGordon.Ross@Sun.COM * For both forms, these are optional:
31710023SGordon.Ross@Sun.COM * statusp: [out] NT status
31810023SGordon.Ross@Sun.COM * actionp: [out] Logon Action (i.e. SMB_ACT_GUEST)
31910023SGordon.Ross@Sun.COM */
32010023SGordon.Ross@Sun.COM static int
smb__ssnsetup(struct smb_ctx * ctx,struct mbdata * mbc1,struct mbdata * mbc2,uint32_t * statusp,uint16_t * actionp)32110023SGordon.Ross@Sun.COM smb__ssnsetup(struct smb_ctx *ctx,
32210023SGordon.Ross@Sun.COM struct mbdata *mbc1, struct mbdata *mbc2,
32310023SGordon.Ross@Sun.COM uint32_t *statusp, uint16_t *actionp)
32410023SGordon.Ross@Sun.COM {
32510023SGordon.Ross@Sun.COM static const char NativeOS[] = "Solaris";
32610023SGordon.Ross@Sun.COM static const char LanMan[] = "NETSMB";
32710023SGordon.Ross@Sun.COM struct smb_sopt *sv = &ctx->ct_sopt;
32810023SGordon.Ross@Sun.COM struct smb_iods *is = &ctx->ct_iods;
32910023SGordon.Ross@Sun.COM struct smb_rq *rqp = NULL;
33010023SGordon.Ross@Sun.COM struct mbdata *mbp;
33110023SGordon.Ross@Sun.COM struct mbuf *m;
33210023SGordon.Ross@Sun.COM int err, uc;
33310023SGordon.Ross@Sun.COM uint32_t caps;
33410023SGordon.Ross@Sun.COM uint16_t bc, len1, len2, sblen;
33510023SGordon.Ross@Sun.COM uint8_t wc;
33610023SGordon.Ross@Sun.COM
33710023SGordon.Ross@Sun.COM /*
33810023SGordon.Ross@Sun.COM * Some of the "capability" bits we offer will be copied
33910023SGordon.Ross@Sun.COM * from those offered by the server, with a mask applied.
34010023SGordon.Ross@Sun.COM * This is the mask of capabilies copied from the server.
34110023SGordon.Ross@Sun.COM * Some others get special handling below.
34210023SGordon.Ross@Sun.COM */
34310023SGordon.Ross@Sun.COM static const uint32_t caps_mask =
34410023SGordon.Ross@Sun.COM SMB_CAP_UNICODE |
34510023SGordon.Ross@Sun.COM SMB_CAP_LARGE_FILES |
34610023SGordon.Ross@Sun.COM SMB_CAP_NT_SMBS |
34710023SGordon.Ross@Sun.COM SMB_CAP_STATUS32 |
34810023SGordon.Ross@Sun.COM SMB_CAP_EXT_SECURITY;
34910023SGordon.Ross@Sun.COM
35010023SGordon.Ross@Sun.COM caps = ctx->ct_sopt.sv_caps & caps_mask;
35110023SGordon.Ross@Sun.COM uc = ctx->ct_hflags2 & SMB_FLAGS2_UNICODE;
35210023SGordon.Ross@Sun.COM
35310023SGordon.Ross@Sun.COM err = smb_rq_init(ctx, SMB_COM_SESSION_SETUP_ANDX, &rqp);
35410023SGordon.Ross@Sun.COM if (err)
35510023SGordon.Ross@Sun.COM goto out;
35610023SGordon.Ross@Sun.COM
35710023SGordon.Ross@Sun.COM /*
35810023SGordon.Ross@Sun.COM * Build the SMB request.
35910023SGordon.Ross@Sun.COM */
36010023SGordon.Ross@Sun.COM mbp = &rqp->rq_rq;
36110023SGordon.Ross@Sun.COM smb_rq_wstart(rqp);
36210023SGordon.Ross@Sun.COM mb_put_uint16le(mbp, 0xff); /* 0: AndXCommand */
36310023SGordon.Ross@Sun.COM mb_put_uint16le(mbp, 0); /* 1: AndXOffset */
36410023SGordon.Ross@Sun.COM mb_put_uint16le(mbp, sv->sv_maxtx); /* 2: MaxBufferSize */
36510023SGordon.Ross@Sun.COM mb_put_uint16le(mbp, sv->sv_maxmux); /* 3: MaxMpxCount */
36610023SGordon.Ross@Sun.COM mb_put_uint16le(mbp, 1); /* 4: VcNumber */
36710023SGordon.Ross@Sun.COM mb_put_uint32le(mbp, sv->sv_skey); /* 5,6: Session Key */
36810023SGordon.Ross@Sun.COM
36910023SGordon.Ross@Sun.COM if (caps & SMB_CAP_EXT_SECURITY) {
37010023SGordon.Ross@Sun.COM len1 = mbc1 ? mbc1->mb_count : 0;
37110023SGordon.Ross@Sun.COM mb_put_uint16le(mbp, len1); /* 7: Sec. Blob Len */
37210023SGordon.Ross@Sun.COM mb_put_uint32le(mbp, 0); /* 8,9: reserved */
37310023SGordon.Ross@Sun.COM mb_put_uint32le(mbp, caps); /* 10,11: Capabilities */
37410023SGordon.Ross@Sun.COM smb_rq_wend(rqp); /* 12: Byte Count */
37510023SGordon.Ross@Sun.COM smb_rq_bstart(rqp);
37610023SGordon.Ross@Sun.COM if (mbc1 && mbc1->mb_top) {
37710023SGordon.Ross@Sun.COM mb_put_mbuf(mbp, mbc1->mb_top); /* sec. blob */
37810023SGordon.Ross@Sun.COM mbc1->mb_top = NULL; /* consumed */
37910023SGordon.Ross@Sun.COM }
38010023SGordon.Ross@Sun.COM /* mbc2 is required below */
38110023SGordon.Ross@Sun.COM if (mbc2 == NULL) {
38210023SGordon.Ross@Sun.COM err = EINVAL;
38310023SGordon.Ross@Sun.COM goto out;
38410023SGordon.Ross@Sun.COM }
38510023SGordon.Ross@Sun.COM } else {
38610023SGordon.Ross@Sun.COM len1 = mbc1 ? mbc1->mb_count : 0;
38710023SGordon.Ross@Sun.COM len2 = mbc2 ? mbc2->mb_count : 0;
38810023SGordon.Ross@Sun.COM mb_put_uint16le(mbp, len1); /* 7: LM pass. len */
38910023SGordon.Ross@Sun.COM mb_put_uint16le(mbp, len2); /* 8: NT pass. len */
39010023SGordon.Ross@Sun.COM mb_put_uint32le(mbp, 0); /* 9,10: reserved */
39110023SGordon.Ross@Sun.COM mb_put_uint32le(mbp, caps); /* 11,12: Capabilities */
39210023SGordon.Ross@Sun.COM smb_rq_wend(rqp); /* 13: Byte Count */
39310023SGordon.Ross@Sun.COM smb_rq_bstart(rqp);
39410023SGordon.Ross@Sun.COM if (mbc1 && mbc1->mb_top) {
39510023SGordon.Ross@Sun.COM mb_put_mbuf(mbp, mbc1->mb_top); /* LM password */
39610023SGordon.Ross@Sun.COM mbc1->mb_top = NULL; /* consumed */
39710023SGordon.Ross@Sun.COM }
39810023SGordon.Ross@Sun.COM if (mbc2 && mbc2->mb_top) {
39910023SGordon.Ross@Sun.COM mb_put_mbuf(mbp, mbc2->mb_top); /* NT password */
40010023SGordon.Ross@Sun.COM mbc2->mb_top = NULL; /* consumed */
40110023SGordon.Ross@Sun.COM }
40211332SGordon.Ross@Sun.COM mb_put_string(mbp, ctx->ct_user, uc);
40311332SGordon.Ross@Sun.COM mb_put_string(mbp, ctx->ct_domain, uc);
40410023SGordon.Ross@Sun.COM }
40511332SGordon.Ross@Sun.COM mb_put_string(mbp, NativeOS, uc);
40611332SGordon.Ross@Sun.COM mb_put_string(mbp, LanMan, uc);
40710023SGordon.Ross@Sun.COM smb_rq_bend(rqp);
40810023SGordon.Ross@Sun.COM
40910023SGordon.Ross@Sun.COM err = smb_rq_internal(ctx, rqp);
41010023SGordon.Ross@Sun.COM if (err)
41110023SGordon.Ross@Sun.COM goto out;
41210023SGordon.Ross@Sun.COM
41310023SGordon.Ross@Sun.COM if (statusp)
41410023SGordon.Ross@Sun.COM *statusp = rqp->rq_status;
41510023SGordon.Ross@Sun.COM
41610023SGordon.Ross@Sun.COM /*
41710023SGordon.Ross@Sun.COM * If we have a real error, the response probably has
41810023SGordon.Ross@Sun.COM * no more data, so don't try to parse any more.
41910023SGordon.Ross@Sun.COM * Note: err=0, means rq_status is valid.
42010023SGordon.Ross@Sun.COM */
42110023SGordon.Ross@Sun.COM if (rqp->rq_status != 0 &&
422*12508Samw@Sun.COM rqp->rq_status != NT_STATUS_MORE_PROCESSING_REQUIRED) {
42310023SGordon.Ross@Sun.COM goto out;
42410023SGordon.Ross@Sun.COM }
42510023SGordon.Ross@Sun.COM
42610023SGordon.Ross@Sun.COM /*
42710023SGordon.Ross@Sun.COM * Parse the reply
42810023SGordon.Ross@Sun.COM */
42910023SGordon.Ross@Sun.COM uc = rqp->rq_hflags2 & SMB_FLAGS2_UNICODE;
43010023SGordon.Ross@Sun.COM is->is_smbuid = rqp->rq_uid;
43110023SGordon.Ross@Sun.COM mbp = &rqp->rq_rp;
43210023SGordon.Ross@Sun.COM
43311332SGordon.Ross@Sun.COM err = md_get_uint8(mbp, &wc);
43410023SGordon.Ross@Sun.COM if (err)
43510023SGordon.Ross@Sun.COM goto out;
43610023SGordon.Ross@Sun.COM
43710023SGordon.Ross@Sun.COM err = EBADRPC; /* for any problems in this section */
43810023SGordon.Ross@Sun.COM if (caps & SMB_CAP_EXT_SECURITY) {
43910023SGordon.Ross@Sun.COM if (wc != 4)
44010023SGordon.Ross@Sun.COM goto out;
44111332SGordon.Ross@Sun.COM md_get_uint16le(mbp, NULL); /* secondary cmd */
44211332SGordon.Ross@Sun.COM md_get_uint16le(mbp, NULL); /* andxoffset */
44311332SGordon.Ross@Sun.COM md_get_uint16le(mbp, actionp); /* action */
44411332SGordon.Ross@Sun.COM md_get_uint16le(mbp, &sblen); /* sec. blob len */
44511332SGordon.Ross@Sun.COM md_get_uint16le(mbp, &bc); /* byte count */
44610023SGordon.Ross@Sun.COM /*
44710023SGordon.Ross@Sun.COM * Get the security blob, after
44810023SGordon.Ross@Sun.COM * sanity-checking the length.
44910023SGordon.Ross@Sun.COM */
45010023SGordon.Ross@Sun.COM if (sblen == 0 || bc < sblen)
45110023SGordon.Ross@Sun.COM goto out;
45211332SGordon.Ross@Sun.COM err = md_get_mbuf(mbp, sblen, &m);
45310023SGordon.Ross@Sun.COM if (err)
45410023SGordon.Ross@Sun.COM goto out;
45510023SGordon.Ross@Sun.COM mb_initm(mbc2, m);
45610023SGordon.Ross@Sun.COM mbc2->mb_count = sblen;
45710023SGordon.Ross@Sun.COM } else {
45810023SGordon.Ross@Sun.COM if (wc != 3)
45910023SGordon.Ross@Sun.COM goto out;
46011332SGordon.Ross@Sun.COM md_get_uint16le(mbp, NULL); /* secondary cmd */
46111332SGordon.Ross@Sun.COM md_get_uint16le(mbp, NULL); /* andxoffset */
46211332SGordon.Ross@Sun.COM md_get_uint16le(mbp, actionp); /* action */
46311332SGordon.Ross@Sun.COM err = md_get_uint16le(mbp, &bc); /* byte count */
46410023SGordon.Ross@Sun.COM if (err)
46510023SGordon.Ross@Sun.COM goto out;
46610023SGordon.Ross@Sun.COM }
46710023SGordon.Ross@Sun.COM
46810023SGordon.Ross@Sun.COM /*
46910023SGordon.Ross@Sun.COM * Native OS, LANMGR, & Domain follow here.
47010023SGordon.Ross@Sun.COM * Parse these strings and store for later.
47110023SGordon.Ross@Sun.COM * If unicode, they should be aligned.
47210023SGordon.Ross@Sun.COM *
47310023SGordon.Ross@Sun.COM * Note that with Extended security, we may use
47410023SGordon.Ross@Sun.COM * multiple calls to this function. Only parse
47510023SGordon.Ross@Sun.COM * these strings on the last one (status == 0).
47610023SGordon.Ross@Sun.COM * Ditto for the CAP_LARGE work-around.
47710023SGordon.Ross@Sun.COM */
47810023SGordon.Ross@Sun.COM if (rqp->rq_status != 0)
47910023SGordon.Ross@Sun.COM goto out;
48010023SGordon.Ross@Sun.COM
48110023SGordon.Ross@Sun.COM /* Ignore any parsing errors for these strings. */
48211332SGordon.Ross@Sun.COM err = md_get_string(mbp, &ctx->ct_srv_OS, uc);
48310023SGordon.Ross@Sun.COM DPRINT("server OS: %s", err ? "?" : ctx->ct_srv_OS);
48411332SGordon.Ross@Sun.COM err = md_get_string(mbp, &ctx->ct_srv_LM, uc);
48510023SGordon.Ross@Sun.COM DPRINT("server LM: %s", err ? "?" : ctx->ct_srv_LM);
48610023SGordon.Ross@Sun.COM /*
48710023SGordon.Ross@Sun.COM * There's sometimes a server domain folloing
48810023SGordon.Ross@Sun.COM * at this point, but we don't need it.
48910023SGordon.Ross@Sun.COM */
49010023SGordon.Ross@Sun.COM
49110023SGordon.Ross@Sun.COM /* Success! (See Ignore any ... above) */
49210023SGordon.Ross@Sun.COM err = 0;
49310023SGordon.Ross@Sun.COM
49410023SGordon.Ross@Sun.COM /*
49510023SGordon.Ross@Sun.COM * Windows systems don't suport CAP_LARGE_READX,WRITEX
49610023SGordon.Ross@Sun.COM * when signing is enabled, so adjust sv_caps.
49710023SGordon.Ross@Sun.COM */
49810023SGordon.Ross@Sun.COM if (ctx->ct_srv_OS &&
49910023SGordon.Ross@Sun.COM 0 == strncmp(ctx->ct_srv_OS, "Windows ", 8)) {
50010023SGordon.Ross@Sun.COM DPRINT("Server is Windows");
50110023SGordon.Ross@Sun.COM if (ctx->ct_vcflags & SMBV_WILL_SIGN) {
50210023SGordon.Ross@Sun.COM DPRINT("disable CAP_LARGE_(r/w)");
50310023SGordon.Ross@Sun.COM ctx->ct_sopt.sv_caps &=
50410023SGordon.Ross@Sun.COM ~(SMB_CAP_LARGE_READX | SMB_CAP_LARGE_WRITEX);
50510023SGordon.Ross@Sun.COM }
50610023SGordon.Ross@Sun.COM }
50710023SGordon.Ross@Sun.COM
50810023SGordon.Ross@Sun.COM out:
50910023SGordon.Ross@Sun.COM if (rqp)
51010023SGordon.Ross@Sun.COM smb_rq_done(rqp);
51110023SGordon.Ross@Sun.COM
51210023SGordon.Ross@Sun.COM return (err);
51310023SGordon.Ross@Sun.COM }
514