1 /*
2 * Copyright (c) 2000-2001 Boris Popov
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by Boris Popov.
16 * 4. Neither the name of the author nor the names of any co-contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 /*
34 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
35 */
36
37 /*
38 * SMB Session Setup, and related.
39 * Copied from the driver: smb_smb.c
40 */
41
42 #include <errno.h>
43 #include <stdio.h>
44 #include <stdlib.h>
45 #include <unistd.h>
46 #include <strings.h>
47 #include <netdb.h>
48 #include <libintl.h>
49 #include <xti.h>
50 #include <assert.h>
51
52 #include <sys/types.h>
53 #include <sys/time.h>
54 #include <sys/byteorder.h>
55 #include <sys/socket.h>
56 #include <sys/fcntl.h>
57
58 #include <netinet/in.h>
59 #include <netinet/tcp.h>
60 #include <arpa/inet.h>
61
62 #include <netsmb/mchain.h>
63 #include <netsmb/netbios.h>
64 #include <netsmb/smb_dev.h>
65 #include <netsmb/smb.h>
66
67 #include <netsmb/smb_lib.h>
68 #include <netsmb/nb_lib.h>
69
70 #include "private.h"
71 #include "charsets.h"
72 #include "ntlm.h"
73 #include "smb_crypt.h"
74
75
76 static int
77 smb__ssnsetup(struct smb_ctx *ctx,
78 struct mbdata *mbc1, struct mbdata *mbc2,
79 uint32_t *statusp, uint16_t *actionp);
80
81 /*
82 * Session Setup: NULL session (anonymous)
83 */
84 int
smb_ssnsetup_null(struct smb_ctx * ctx)85 smb_ssnsetup_null(struct smb_ctx *ctx)
86 {
87 int err;
88 uint32_t ntstatus;
89 uint16_t action = 0;
90
91 if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
92 /* Should not get here with... */
93 err = EINVAL;
94 goto out;
95 }
96
97 err = smb__ssnsetup(ctx, NULL, NULL, &ntstatus, &action);
98 if (err)
99 goto out;
100
101 DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
102 if (ntstatus != 0)
103 err = EAUTH;
104
105 out:
106 return (err);
107 }
108
109
110 /*
111 * SMB Session Setup, using NTLMv1 (and maybe LMv1)
112 */
113 int
smb_ssnsetup_ntlm1(struct smb_ctx * ctx)114 smb_ssnsetup_ntlm1(struct smb_ctx *ctx)
115 {
116 struct mbdata lm_mbc, nt_mbc;
117 int err;
118 uint32_t ntstatus;
119 uint16_t action = 0;
120
121 if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
122 /* Should not get here with... */
123 err = EINVAL;
124 goto out;
125 }
126
127 /* Make mb_done calls at out safe. */
128 bzero(&lm_mbc, sizeof (lm_mbc));
129 bzero(&nt_mbc, sizeof (nt_mbc));
130
131 /* Put the LM,NTLM responses (as mbdata). */
132 err = ntlm_put_v1_responses(ctx, &lm_mbc, &nt_mbc);
133 if (err)
134 goto out;
135
136 /*
137 * If we negotiated signing, compute the MAC key
138 * and start signing messages, but only on the
139 * first non-null session login.
140 */
141 if ((ctx->ct_vcflags & SMBV_WILL_SIGN) &&
142 (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) {
143 struct mbuf *m = nt_mbc.mb_top;
144 char *p;
145
146 /*
147 * MAC_key = concat(session_key, nt_response)
148 */
149 ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len;
150 ctx->ct_mackey = malloc(ctx->ct_mackeylen);
151 if (ctx->ct_mackey == NULL) {
152 ctx->ct_mackeylen = 0;
153 err = ENOMEM;
154 goto out;
155 }
156 p = ctx->ct_mackey;
157 memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ);
158 memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len);
159
160 /* OK, start signing! */
161 ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE;
162 }
163
164 err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action);
165 if (err)
166 goto out;
167
168 DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
169 if (ntstatus != 0)
170 err = EAUTH;
171
172 out:
173 mb_done(&lm_mbc);
174 mb_done(&nt_mbc);
175
176 return (err);
177 }
178
179 /*
180 * SMB Session Setup, using NTLMv2 (and LMv2)
181 */
182 int
smb_ssnsetup_ntlm2(struct smb_ctx * ctx)183 smb_ssnsetup_ntlm2(struct smb_ctx *ctx)
184 {
185 struct mbdata lm_mbc, nt_mbc, ti_mbc;
186 int err;
187 uint32_t ntstatus;
188 uint16_t action = 0;
189
190 if (ctx->ct_sopt.sv_caps & SMB_CAP_EXT_SECURITY) {
191 /* Should not get here with... */
192 err = EINVAL;
193 goto out;
194 }
195
196 /* Make mb_done calls at out safe. */
197 bzero(&lm_mbc, sizeof (lm_mbc));
198 bzero(&nt_mbc, sizeof (nt_mbc));
199 bzero(&ti_mbc, sizeof (ti_mbc));
200
201 /* Build the NTLMv2 "target info" blob (as mbdata) */
202 err = ntlm_build_target_info(ctx, NULL, &ti_mbc);
203 if (err)
204 goto out;
205
206 /* Put the LMv2, NTLMv2 responses (as mbdata). */
207 err = ntlm_put_v2_responses(ctx, &ti_mbc, &lm_mbc, &nt_mbc);
208 if (err)
209 goto out;
210
211 /*
212 * If we negotiated signing, compute the MAC key
213 * and start signing messages, but only on the
214 * first non-null session login.
215 */
216 if ((ctx->ct_vcflags & SMBV_WILL_SIGN) &&
217 (ctx->ct_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) {
218 struct mbuf *m = nt_mbc.mb_top;
219 char *p;
220
221 /*
222 * MAC_key = concat(session_key, nt_response)
223 */
224 ctx->ct_mackeylen = NTLM_HASH_SZ + m->m_len;
225 ctx->ct_mackey = malloc(ctx->ct_mackeylen);
226 if (ctx->ct_mackey == NULL) {
227 ctx->ct_mackeylen = 0;
228 err = ENOMEM;
229 goto out;
230 }
231 p = ctx->ct_mackey;
232 memcpy(p, ctx->ct_ssn_key, NTLM_HASH_SZ);
233 memcpy(p + NTLM_HASH_SZ, m->m_data, m->m_len);
234
235 /* OK, start signing! */
236 ctx->ct_hflags2 |= SMB_FLAGS2_SECURITY_SIGNATURE;
237 }
238
239 err = smb__ssnsetup(ctx, &lm_mbc, &nt_mbc, &ntstatus, &action);
240 if (err)
241 goto out;
242
243 DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
244 if (ntstatus != 0)
245 err = EAUTH;
246
247 out:
248 mb_done(&ti_mbc);
249 mb_done(&lm_mbc);
250 mb_done(&nt_mbc);
251
252 return (err);
253 }
254
255 int
smb_ssnsetup_spnego(struct smb_ctx * ctx,struct mbdata * hint_mb)256 smb_ssnsetup_spnego(struct smb_ctx *ctx, struct mbdata *hint_mb)
257 {
258 struct mbdata send_mb, recv_mb;
259 int err;
260 uint32_t ntstatus;
261 uint16_t action = 0;
262
263 err = ssp_ctx_create_client(ctx, hint_mb);
264 if (err)
265 goto out;
266
267 bzero(&send_mb, sizeof (send_mb));
268 bzero(&recv_mb, sizeof (recv_mb));
269
270 /* NULL input indicates first call. */
271 err = ssp_ctx_next_token(ctx, NULL, &send_mb);
272 if (err)
273 goto out;
274
275 for (;;) {
276 err = smb__ssnsetup(ctx, &send_mb, &recv_mb,
277 &ntstatus, &action);
278 if (err)
279 goto out;
280 if (ntstatus == 0)
281 break; /* normal loop termination */
282 if (ntstatus != NT_STATUS_MORE_PROCESSING_REQUIRED) {
283 err = EAUTH;
284 goto out;
285 }
286
287 /* middle calls get both in, out */
288 err = ssp_ctx_next_token(ctx, &recv_mb, &send_mb);
289 if (err)
290 goto out;
291 }
292 DPRINT("status 0x%x action 0x%x", ntstatus, (int)action);
293
294 /* NULL output indicates last call. */
295 (void) ssp_ctx_next_token(ctx, &recv_mb, NULL);
296
297 out:
298 ssp_ctx_destroy(ctx);
299
300 return (err);
301 }
302
303 /*
304 * Session Setup function used for all the forms we support.
305 * To allow this sharing, the crypto stuff is computed by
306 * callers and passed in as mbdata chains. Also, the args
307 * have different meanings for extended security vs. old.
308 * Some may be used as either IN or OUT parameters.
309 *
310 * For NTLM (v1, v2), all parameters are inputs
311 * mbc1: [in] LM password hash
312 * mbc2: [in] NT password hash
313 * For Extended security (spnego)
314 * mbc1: [in] outgoing blob data
315 * mbc2: [out] received blob data
316 * For both forms, these are optional:
317 * statusp: [out] NT status
318 * actionp: [out] Logon Action (i.e. SMB_ACT_GUEST)
319 */
320 static int
smb__ssnsetup(struct smb_ctx * ctx,struct mbdata * mbc1,struct mbdata * mbc2,uint32_t * statusp,uint16_t * actionp)321 smb__ssnsetup(struct smb_ctx *ctx,
322 struct mbdata *mbc1, struct mbdata *mbc2,
323 uint32_t *statusp, uint16_t *actionp)
324 {
325 static const char NativeOS[] = "Solaris";
326 static const char LanMan[] = "NETSMB";
327 struct smb_sopt *sv = &ctx->ct_sopt;
328 struct smb_iods *is = &ctx->ct_iods;
329 struct smb_rq *rqp = NULL;
330 struct mbdata *mbp;
331 struct mbuf *m;
332 int err, uc;
333 uint32_t caps;
334 uint16_t bc, len1, len2, sblen;
335 uint8_t wc;
336
337 /*
338 * Some of the "capability" bits we offer will be copied
339 * from those offered by the server, with a mask applied.
340 * This is the mask of capabilies copied from the server.
341 * Some others get special handling below.
342 */
343 static const uint32_t caps_mask =
344 SMB_CAP_UNICODE |
345 SMB_CAP_LARGE_FILES |
346 SMB_CAP_NT_SMBS |
347 SMB_CAP_STATUS32 |
348 SMB_CAP_EXT_SECURITY;
349
350 caps = ctx->ct_sopt.sv_caps & caps_mask;
351 uc = ctx->ct_hflags2 & SMB_FLAGS2_UNICODE;
352
353 err = smb_rq_init(ctx, SMB_COM_SESSION_SETUP_ANDX, &rqp);
354 if (err)
355 goto out;
356
357 /*
358 * Build the SMB request.
359 */
360 mbp = &rqp->rq_rq;
361 smb_rq_wstart(rqp);
362 mb_put_uint16le(mbp, 0xff); /* 0: AndXCommand */
363 mb_put_uint16le(mbp, 0); /* 1: AndXOffset */
364 mb_put_uint16le(mbp, sv->sv_maxtx); /* 2: MaxBufferSize */
365 mb_put_uint16le(mbp, sv->sv_maxmux); /* 3: MaxMpxCount */
366 mb_put_uint16le(mbp, 1); /* 4: VcNumber */
367 mb_put_uint32le(mbp, sv->sv_skey); /* 5,6: Session Key */
368
369 if (caps & SMB_CAP_EXT_SECURITY) {
370 len1 = mbc1 ? mbc1->mb_count : 0;
371 mb_put_uint16le(mbp, len1); /* 7: Sec. Blob Len */
372 mb_put_uint32le(mbp, 0); /* 8,9: reserved */
373 mb_put_uint32le(mbp, caps); /* 10,11: Capabilities */
374 smb_rq_wend(rqp); /* 12: Byte Count */
375 smb_rq_bstart(rqp);
376 if (mbc1 && mbc1->mb_top) {
377 mb_put_mbuf(mbp, mbc1->mb_top); /* sec. blob */
378 mbc1->mb_top = NULL; /* consumed */
379 }
380 /* mbc2 is required below */
381 if (mbc2 == NULL) {
382 err = EINVAL;
383 goto out;
384 }
385 } else {
386 len1 = mbc1 ? mbc1->mb_count : 0;
387 len2 = mbc2 ? mbc2->mb_count : 0;
388 mb_put_uint16le(mbp, len1); /* 7: LM pass. len */
389 mb_put_uint16le(mbp, len2); /* 8: NT pass. len */
390 mb_put_uint32le(mbp, 0); /* 9,10: reserved */
391 mb_put_uint32le(mbp, caps); /* 11,12: Capabilities */
392 smb_rq_wend(rqp); /* 13: Byte Count */
393 smb_rq_bstart(rqp);
394 if (mbc1 && mbc1->mb_top) {
395 mb_put_mbuf(mbp, mbc1->mb_top); /* LM password */
396 mbc1->mb_top = NULL; /* consumed */
397 }
398 if (mbc2 && mbc2->mb_top) {
399 mb_put_mbuf(mbp, mbc2->mb_top); /* NT password */
400 mbc2->mb_top = NULL; /* consumed */
401 }
402 mb_put_string(mbp, ctx->ct_user, uc);
403 mb_put_string(mbp, ctx->ct_domain, uc);
404 }
405 mb_put_string(mbp, NativeOS, uc);
406 mb_put_string(mbp, LanMan, uc);
407 smb_rq_bend(rqp);
408
409 err = smb_rq_internal(ctx, rqp);
410 if (err)
411 goto out;
412
413 if (statusp)
414 *statusp = rqp->rq_status;
415
416 /*
417 * If we have a real error, the response probably has
418 * no more data, so don't try to parse any more.
419 * Note: err=0, means rq_status is valid.
420 */
421 if (rqp->rq_status != 0 &&
422 rqp->rq_status != NT_STATUS_MORE_PROCESSING_REQUIRED) {
423 goto out;
424 }
425
426 /*
427 * Parse the reply
428 */
429 uc = rqp->rq_hflags2 & SMB_FLAGS2_UNICODE;
430 is->is_smbuid = rqp->rq_uid;
431 mbp = &rqp->rq_rp;
432
433 err = md_get_uint8(mbp, &wc);
434 if (err)
435 goto out;
436
437 err = EBADRPC; /* for any problems in this section */
438 if (caps & SMB_CAP_EXT_SECURITY) {
439 if (wc != 4)
440 goto out;
441 md_get_uint16le(mbp, NULL); /* secondary cmd */
442 md_get_uint16le(mbp, NULL); /* andxoffset */
443 md_get_uint16le(mbp, actionp); /* action */
444 md_get_uint16le(mbp, &sblen); /* sec. blob len */
445 md_get_uint16le(mbp, &bc); /* byte count */
446 /*
447 * Get the security blob, after
448 * sanity-checking the length.
449 */
450 if (sblen == 0 || bc < sblen)
451 goto out;
452 err = md_get_mbuf(mbp, sblen, &m);
453 if (err)
454 goto out;
455 mb_initm(mbc2, m);
456 mbc2->mb_count = sblen;
457 } else {
458 if (wc != 3)
459 goto out;
460 md_get_uint16le(mbp, NULL); /* secondary cmd */
461 md_get_uint16le(mbp, NULL); /* andxoffset */
462 md_get_uint16le(mbp, actionp); /* action */
463 err = md_get_uint16le(mbp, &bc); /* byte count */
464 if (err)
465 goto out;
466 }
467
468 /*
469 * Native OS, LANMGR, & Domain follow here.
470 * Parse these strings and store for later.
471 * If unicode, they should be aligned.
472 *
473 * Note that with Extended security, we may use
474 * multiple calls to this function. Only parse
475 * these strings on the last one (status == 0).
476 * Ditto for the CAP_LARGE work-around.
477 */
478 if (rqp->rq_status != 0)
479 goto out;
480
481 /* Ignore any parsing errors for these strings. */
482 err = md_get_string(mbp, &ctx->ct_srv_OS, uc);
483 DPRINT("server OS: %s", err ? "?" : ctx->ct_srv_OS);
484 err = md_get_string(mbp, &ctx->ct_srv_LM, uc);
485 DPRINT("server LM: %s", err ? "?" : ctx->ct_srv_LM);
486 /*
487 * There's sometimes a server domain folloing
488 * at this point, but we don't need it.
489 */
490
491 /* Success! (See Ignore any ... above) */
492 err = 0;
493
494 /*
495 * Windows systems don't suport CAP_LARGE_READX,WRITEX
496 * when signing is enabled, so adjust sv_caps.
497 */
498 if (ctx->ct_srv_OS &&
499 0 == strncmp(ctx->ct_srv_OS, "Windows ", 8)) {
500 DPRINT("Server is Windows");
501 if (ctx->ct_vcflags & SMBV_WILL_SIGN) {
502 DPRINT("disable CAP_LARGE_(r/w)");
503 ctx->ct_sopt.sv_caps &=
504 ~(SMB_CAP_LARGE_READX | SMB_CAP_LARGE_WRITEX);
505 }
506 }
507
508 out:
509 if (rqp)
510 smb_rq_done(rqp);
511
512 return (err);
513 }
514