NTSTATUS auth_generic_server_start(TALLOC_CTX *mem_ctx,
const char *oid,
bool do_sign,
bool do_seal,
bool is_dcerpc,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
struct gensec_security **ctx)
{
struct gensec_security *gensec_security = NULL;
NTSTATUS status;
status = auth_generic_prepare(talloc_tos(), remote_address, &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
nt_errstr(status)));
return status;
}
if (do_sign) {
gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
}
if (do_seal) {
gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
}
if (is_dcerpc) {
gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
}
status = gensec_start_mech_by_oid(gensec_security, oid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_start failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out);
if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(2, (__location__ ": gensec_update failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
/* steal gensec context to the caller */
*ctx = talloc_move(mem_ctx, &gensec_security);
return NT_STATUS_OK;
}
static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
uint8_t auth_type, uint8_t auth_level,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
struct gensec_security **ctx)
{
struct gensec_security *gensec_security = NULL;
NTSTATUS status;
status = auth_generic_prepare(talloc_tos(), remote_address, &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
nt_errstr(status)));
return status;
}
status = gensec_start_mech_by_authtype(gensec_security, auth_type, auth_level);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_start failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out);
if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(2, (__location__ ": gensec_update failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
/* steal gensec context to the caller */
*ctx = talloc_move(mem_ctx, &gensec_security);
return NT_STATUS_OK;
}
static void reply_sesssetup_and_X_spnego(struct smb_request *req)
{
const uint8_t *p;
DATA_BLOB in_blob;
DATA_BLOB out_blob = data_blob_null;
size_t bufrem;
char *tmp;
const char *native_os;
const char *native_lanman;
const char *primary_domain;
uint16_t data_blob_len = SVAL(req->vwv+7, 0);
enum remote_arch_types ra_type = get_remote_arch();
uint64_t vuid = req->vuid;
NTSTATUS status = NT_STATUS_OK;
struct smbXsrv_connection *xconn = req->xconn;
struct smbd_server_connection *sconn = req->sconn;
uint16_t action = 0;
bool is_authenticated = false;
NTTIME now = timeval_to_nttime(&req->request_time);
struct smbXsrv_session *session = NULL;
uint16_t smb_bufsize = SVAL(req->vwv+2, 0);
uint32_t client_caps = IVAL(req->vwv+10, 0);
struct smbXsrv_session_auth0 *auth;
DEBUG(3,("Doing spnego session setup\n"));
if (!xconn->smb1.sessions.done_sesssetup) {
global_client_caps = client_caps;
if (!(global_client_caps & CAP_STATUS32)) {
remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES);
}
}
p = req->buf;
if (data_blob_len == 0) {
/* an invalid request */
reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
return;
}
bufrem = smbreq_bufrem(req, p);
/* pull the spnego blob */
in_blob = data_blob_const(p, MIN(bufrem, data_blob_len));
#if 0
file_save("negotiate.dat", in_blob.data, in_blob.length);
#endif
p = req->buf + in_blob.length;
p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
STR_TERMINATE);
native_os = tmp ? tmp : "";
p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
STR_TERMINATE);
native_lanman = tmp ? tmp : "";
p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
STR_TERMINATE);
primary_domain = tmp ? tmp : "";
DEBUG(3,("NativeOS=[%s] NativeLanMan=[%s] PrimaryDomain=[%s]\n",
native_os, native_lanman, primary_domain));
if ( ra_type == RA_WIN2K ) {
/* Vista sets neither the OS or lanman strings */
if ( !strlen(native_os) && !strlen(native_lanman) )
set_remote_arch(RA_VISTA);
/* Windows 2003 doesn't set the native lanman string,
but does set primary domain which is a bug I think */
if ( !strlen(native_lanman) ) {
ra_lanman_string( primary_domain );
} else {
ra_lanman_string( native_lanman );
}
} else if ( ra_type == RA_VISTA ) {
if ( strncmp(native_os, "Mac OS X", 8) == 0 ) {
set_remote_arch(RA_OSX);
}
}
if (vuid != 0) {
status = smb1srv_session_lookup(xconn,
vuid, now,
&session);
if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
reply_force_doserror(req, ERRSRV, ERRbaduid);
return;
}
if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
status = NT_STATUS_OK;
}
if (NT_STATUS_IS_OK(status)) {
session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
TALLOC_FREE(session->pending_auth);
}
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
reply_nterror(req, nt_status_squash(status));
return;
}
}
if (session == NULL) {
/* create a new session */
status = smbXsrv_session_create(xconn,
now, &session);
if (!NT_STATUS_IS_OK(status)) {
reply_nterror(req, nt_status_squash(status));
return;
}
}
status = smbXsrv_session_find_auth(session, xconn, now, &auth);
if (!NT_STATUS_IS_OK(status)) {
status = smbXsrv_session_create_auth(session, xconn, now,
0, /* flags */
0, /* security */
&auth);
if (!NT_STATUS_IS_OK(status)) {
reply_nterror(req, nt_status_squash(status));
return;
}
}
if (auth->gensec == NULL) {
status = auth_generic_prepare(session,
xconn->remote_address,
xconn->local_address,
"SMB",
&auth->gensec);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
reply_nterror(req, nt_status_squash(status));
return;
}
gensec_want_feature(auth->gensec, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(auth->gensec, GENSEC_FEATURE_UNIX_TOKEN);
gensec_want_feature(auth->gensec, GENSEC_FEATURE_SMB_TRANSPORT);
status = gensec_start_mech_by_oid(auth->gensec,
GENSEC_OID_SPNEGO);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to start SPNEGO handler!\n"));
TALLOC_FREE(session);;
reply_nterror(req, nt_status_squash(status));
return;
}
}
become_root();
status = gensec_update(auth->gensec,
talloc_tos(),
in_blob, &out_blob);
unbecome_root();
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
TALLOC_FREE(session);
reply_nterror(req, nt_status_squash(status));
return;
}
if (NT_STATUS_IS_OK(status) && session->global->auth_session_info == NULL) {
struct auth_session_info *session_info = NULL;
status = gensec_session_info(auth->gensec,
session,
&session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("Failed to generate session_info "
"(user and group token) for session setup: %s\n",
nt_errstr(status)));
data_blob_free(&out_blob);
TALLOC_FREE(session);
reply_nterror(req, nt_status_squash(status));
return;
}
if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) {
action |= SMB_SETUP_GUEST;
}
if (session_info->session_key.length > 0) {
struct smbXsrv_session *x = session;
/*
* Note: the SMB1 signing key is not truncated to 16 byte!
*/
x->global->signing_key =
data_blob_dup_talloc(x->global,
session_info->session_key);
if (x->global->signing_key.data == NULL) {
data_blob_free(&out_blob);
TALLOC_FREE(session);
reply_nterror(req, NT_STATUS_NO_MEMORY);
return;
}
/*
* clear the session key
* the first tcon will add setup the application key
*/
data_blob_clear_free(&session_info->session_key);
}
session->compat = talloc_zero(session, struct user_struct);
if (session->compat == NULL) {
data_blob_free(&out_blob);
TALLOC_FREE(session);
reply_nterror(req, NT_STATUS_NO_MEMORY);
return;
}
session->compat->session = session;
session->compat->homes_snum = -1;
session->compat->session_info = session_info;
session->compat->session_keystr = NULL;
session->compat->vuid = session->global->session_wire_id;
DLIST_ADD(sconn->users, session->compat);
sconn->num_users++;
if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
is_authenticated = true;
session->compat->homes_snum =
register_homes_share(session_info->unix_info->unix_name);
}
if (srv_is_signing_negotiated(xconn) &&
is_authenticated &&
session->global->signing_key.length > 0)
{
/*
* Try and turn on server signing on the first non-guest
* sessionsetup.
*/
srv_set_signing(xconn,
session->global->signing_key,
data_blob_null);
}
set_current_user_info(session_info->unix_info->sanitized_username,
session_info->unix_info->unix_name,
session_info->info->domain_name);
session->status = NT_STATUS_OK;
session->global->auth_session_info = talloc_move(session->global,
&session_info);
session->global->auth_session_info_seqnum += 1;
session->global->channels[0].auth_session_info_seqnum =
session->global->auth_session_info_seqnum;
session->global->auth_time = now;
if (client_caps & CAP_DYNAMIC_REAUTH) {
session->global->expiration_time =
gensec_expire_time(auth->gensec);
} else {
session->global->expiration_time =
GENSEC_EXPIRE_TIME_INFINITY;
}
if (!session_claim(session)) {
DEBUG(1, ("smb1: Failed to claim session for vuid=%llu\n",
(unsigned long long)session->compat->vuid));
data_blob_free(&out_blob);
TALLOC_FREE(session);
reply_nterror(req, NT_STATUS_LOGON_FAILURE);
return;
}
status = smbXsrv_session_update(session);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("smb1: Failed to update session for vuid=%llu - %s\n",
(unsigned long long)session->compat->vuid,
nt_errstr(status)));
data_blob_free(&out_blob);
TALLOC_FREE(session);
reply_nterror(req, NT_STATUS_LOGON_FAILURE);
return;
}
if (!xconn->smb1.sessions.done_sesssetup) {
if (smb_bufsize < SMB_BUFFER_SIZE_MIN) {
reply_force_doserror(req, ERRSRV, ERRerror);
return;
}
xconn->smb1.sessions.max_send = smb_bufsize;
xconn->smb1.sessions.done_sesssetup = true;
}
/* current_user_info is changed on new vuid */
reload_services(sconn, conn_snum_used, true);
} else if (NT_STATUS_IS_OK(status)) {
DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
{
DATA_BLOB blob = data_blob_null;
DATA_BLOB blob_out = data_blob_null;
nstring dos_name;
fstring unix_name;
NTSTATUS status;
#ifdef DEVELOPER
size_t slen;
#endif
struct gensec_security *gensec_security;
/* See if we can get an SPNEGO blob */
status = auth_generic_prepare(talloc_tos(),
sconn->remote_address,
&gensec_security);
if (NT_STATUS_IS_OK(status)) {
status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
if (NT_STATUS_IS_OK(status)) {
status = gensec_update(gensec_security, ctx,
NULL, data_blob_null, &blob);
/* If we get the list of OIDs, the 'OK' answer
* is NT_STATUS_MORE_PROCESSING_REQUIRED */
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(0, ("Failed to start SPNEGO handler for negprot OID list!\n"));
blob = data_blob_null;
}
}
TALLOC_FREE(gensec_security);
}
sconn->smb1.negprot.spnego = true;
/* strangely enough, NT does not sent the single OID NTLMSSP when
not a ADS member, it sends no OIDs at all
OLD COMMENT : "we can't do this until we teach our sesssion setup parser to know
about raw NTLMSSP (clients send no ASN.1 wrapping if we do this)"
Our sessionsetup code now handles raw NTLMSSP connects, so we can go
back to doing what W2K3 does here. This is needed to make PocketPC 2003
CIFS connections work with SPNEGO. See bugzilla bugs #1828 and #3133
for details. JRA.
*/
if (blob.length == 0 || blob.data == NULL) {
return data_blob_null;
}
blob_out = data_blob_talloc(ctx, NULL, 16 + blob.length);
if (blob_out.data == NULL) {
data_blob_free(&blob);
return data_blob_null;
}
memset(blob_out.data, '\0', 16);
checked_strlcpy(unix_name, lp_netbios_name(), sizeof(unix_name));
(void)strlower_m(unix_name);
push_ascii_nstring(dos_name, unix_name);
strlcpy((char *)blob_out.data, dos_name, 17);
#ifdef DEVELOPER
/* Fix valgrind 'uninitialized bytes' issue. */
slen = strlen(dos_name);
if (slen < 16) {
memset(blob_out.data+slen, '\0', 16 - slen);
}
#endif
memcpy(&blob_out.data[16], blob.data, blob.length);
data_blob_free(&blob);
return blob_out;
}
static NTSTATUS smbd_smb2_auth_generic(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
uint8_t in_security_mode,
DATA_BLOB in_security_buffer,
uint16_t *out_session_flags,
DATA_BLOB *out_security_buffer,
uint64_t *out_session_id)
{
NTSTATUS status;
*out_security_buffer = data_blob_null;
if (session->gensec_security == NULL) {
status = auth_generic_prepare(session, session->sconn->remote_address,
&session->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
gensec_want_feature(session->gensec_security, GENSEC_FEATURE_UNIX_TOKEN);
status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_SPNEGO);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
}
become_root();
status = gensec_update(session->gensec_security,
smb2req, NULL,
in_security_buffer,
out_security_buffer);
unbecome_root();
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return nt_status_squash(status);
}
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
*out_session_id = session->vuid;
return status;
}
status = gensec_session_info(session->gensec_security,
session,
&session->session_info);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
*out_session_id = session->vuid;
return smbd_smb2_auth_generic_return(session,
smb2req,
in_security_mode,
in_security_buffer,
out_session_flags,
out_session_id);
}
