1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
26  */
27 
28 #ifndef _SMB_TOKEN_H
29 #define	_SMB_TOKEN_H
30 
31 #include <smbsrv/smb_inet.h>
32 #include <smbsrv/smb_privilege.h>
33 #include <smbsrv/smb_sid.h>
34 
/*
 * Logon type code used by the kernel-side authenticator.
 * Don't want <smbsrv/netrauth.h> in here, but
 * uts/common/fs/smbsrv/smb_authenticate.c
 * wants this.  Todo: cleanup
 *
 * NOTE(review): this presumably duplicates the definition in
 * <smbsrv/netrauth.h>; the two values must stay in sync.
 */
#define	NETR_NETWORK_LOGON			0x02
41 
42 #ifdef __cplusplus
43 extern "C" {
44 #endif
45 
/*
 * 32-bit opaque buffer (non-null terminated strings)
 * See also: smb_buf32_xdr()
 *
 * A length-prefixed byte buffer: 'len' is the number of bytes at 'val'.
 * Because the contents are not NUL-terminated, every reader must bound
 * its accesses by 'len' and must not apply str*() routines to 'val'.
 * Ownership of 'val' is not recorded here; it follows the containing
 * structure (see smb_token_free/smb_token_destroy, smb_logon_free).
 */
typedef struct smb_buf32 {
	uint32_t	len;	/* byte count of val */
	uint8_t		*val;	/* raw bytes, not NUL-terminated */
} smb_buf32_t;
54 
/*
 * Access Token
 *
 * An access token identifies a user, the user's privileges and the
 * list of groups of which the user is a member. This information is
 * used when access is requested to an object by comparing this
 * information with the DACL in the object's security descriptor.
 *
 * There should be one unique token per user per session per client.
 *
 * Access Token Flags (bit values carried in smb_token_t.tkn_flags)
 *
 * SMB_ATF_GUEST	Token belongs to guest user
 * SMB_ATF_ANON		Token belongs to anonymous user
 * 			and it's only good for IPC Connection.
 * SMB_ATF_POWERUSER	Token belongs to a Power User member
 * SMB_ATF_BACKUPOP	Token belongs to a Backup Operators member
 * SMB_ATF_ADMIN	Token belongs to a Domain Admins member
 *
 * The flags are independent bits and may be combined; consumers that
 * grant elevated access (ADMIN, BACKUPOP) should check the specific bit
 * rather than testing tkn_flags for non-zero.
 */
#define	SMB_ATF_ANON		0x00000001
#define	SMB_ATF_GUEST		0x00000002
#define	SMB_ATF_POWERUSER	0x00000004
#define	SMB_ATF_BACKUPOP	0x00000008
#define	SMB_ATF_ADMIN		0x00000010
79 
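/*
 * Size in bytes of an smb_posix_grps_t that holds n gids.
 *
 * The struct itself already contains one gid_t (this relies on
 * ANY_SIZE_ARRAY being 1), hence the "- 1".  n must therefore be >= 1;
 * with an unsigned argument of 0 the subtraction wraps to a huge value.
 * The multiplication is unchecked, so a caller that takes n from decoded
 * input (pg_ngrps) should range-check it before using this for allocation.
 *
 * The argument is parenthesized so that a compound expression such as
 * SMB_POSIX_GRPS_SIZE(a ? b : c) expands as intended.
 */
#define	SMB_POSIX_GRPS_SIZE(n) \
	(sizeof (smb_posix_grps_t) + ((n) - 1) * sizeof (gid_t))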
/*
 * It consists of the primary and supplementary POSIX groups.
 * See also: smb_posix_grps_xdr()
 *
 * Variable-length object: pg_grps holds pg_ngrps entries and the whole
 * thing occupies SMB_POSIX_GRPS_SIZE(pg_ngrps) bytes.  ANY_SIZE_ARRAY is
 * presumably the project's old-style trailing-array placeholder (not a
 * C99 flexible array member).  Whether pg_grps[0] is the primary group is
 * not stated here — verify against smb_posix_grps_xdr() and its callers.
 */
typedef struct smb_posix_grps {
	uint32_t	pg_ngrps;	/* number of valid entries in pg_grps */
	gid_t		pg_grps[ANY_SIZE_ARRAY];	/* pg_ngrps gids */
} smb_posix_grps_t;
90 
/*
 * An NT-style logon "token" (NT terminology)
 * See also: smb_token_xdr()
 *
 * Produced by the user-space authentication service (smb_logon()) and
 * carried to the kernel via XDR.  Released with smb_token_free() in the
 * kernel and smb_token_destroy() in user space.
 *
 * NOTE(review): tkn_ssnkey is key material; smb_token_log() exists below —
 * confirm it does not print that field.
 */
typedef struct smb_token {
	smb_id_t	tkn_user;		/* authenticated user */
	smb_id_t	tkn_owner;		/* owner identity (NT semantics) */
	smb_id_t	tkn_primary_grp;	/* primary group */
	smb_ids_t	tkn_win_grps;		/* Windows group memberships */
	smb_privset_t	*tkn_privileges;	/* see smb_token_query_privilege() */
	char		*tkn_account_name;	/* NUL-terminated */
	char		*tkn_domain_name;	/* NUL-terminated */
	uint32_t	tkn_flags;		/* SMB_ATF_* bits */
	uint32_t	tkn_audit_sid;
	smb_buf32_t	tkn_ssnkey;		/* session key (secret) */
	smb_posix_grps_t *tkn_posix_grps;	/* SMB_POSIX_GRPS_SIZE() bytes */
} smb_token_t;
108 
/*
 * Details required to authenticate a user.
 * See also: smb_logon_xdr()
 *
 * Built from a session-setup request and handed to the authentication
 * service; decoded in user space with smb_logon_decode() and released
 * with smb_logon_free().  The smb_buf32_t members are length-prefixed
 * and not NUL-terminated; bound all reads by their len.
 *
 * The "requested" names are what the client sent; the "effective" names
 * are the ones the server resolved — presumably the effective pair is
 * what authorization decisions should use (confirm against callers).
 */
typedef struct smb_logon {
	uint16_t	lg_level;
	char		*lg_username;	/* requested username */
	char		*lg_domain;	/* requested domain */
	char		*lg_e_username;	/* effective username */
	char		*lg_e_domain;	/* effective domain */
	char		*lg_workstation;	/* client workstation name */
	smb_inaddr_t	lg_clnt_ipaddr;	/* client address */
	smb_inaddr_t	lg_local_ipaddr;	/* server-side address */
	uint16_t	lg_local_port;
	smb_buf32_t	lg_challenge_key;	/* server challenge */
	smb_buf32_t	lg_nt_password;	/* NT-side credential blob */
	smb_buf32_t	lg_lm_password;	/* LM-side credential blob */
	uint32_t	lg_ntlm_flags;
	int		lg_native_os;
	int		lg_native_lm;
	uint32_t	lg_flags;
	uint32_t	lg_logon_id;	/* filled in user space */
	uint32_t	lg_domain_type;	/* filled in user space */
	uint32_t	lg_secmode;	/* filled in user space */
	uint32_t	lg_status;	/* filled in user space */
} smb_logon_t;
135 
/*
 * This is the name of the local (AF_UNIX) socket
 * where the SMB auth. service listens.
 *
 * NOTE(review): whoever can connect to this path can submit logon
 * requests and receive tokens, so the ownership and mode of the socket
 * (and its directory) are the access control — confirm how they are set.
 */
#define	SMB_AUTHSVC_SOCKNAME	"/var/smb/lipc/smbauth"
141 
/*
 * Maximum number of authentication conversations at one time.
 * Note this is _NOT_ the max. number of logged on users,
 * which can be much larger.
 * This bounds concurrent in-progress logons at the auth service.
 */
#define	SMB_AUTHSVC_MAXTHREAD	256
148 
/*
 * Messages to and from the local security authority
 * Type codes:
 *
 * Carried on the wire in smb_lsa_msg_hdr_t.lmh_msgtype (a uint32_t);
 * a receiver should reject values outside this enum.
 */
typedef enum smb_lsa_mtype {
	/* reply types */
	LSA_MTYPE_OK	= 0,
	LSA_MTYPE_ERROR,	/* body is smb_lsa_eresp_t */
	LSA_MTYPE_ES_DONE,	/* ext. sec: authenticated */
	LSA_MTYPE_ES_CONT,	/* more processing required */
	LSA_MTYPE_TOKEN,	/* smb_token_t */

	/* request types */
	LSA_MTYPE_OLDREQ,	/* non-ext. sec. session setup */
	LSA_MTYPE_CLINFO,	/* client info sent at start of ES */
	LSA_MTYPE_ESFIRST,	/* spnego initial message */
	LSA_MTYPE_ESNEXT,	/* spnego continuation */
	LSA_MTYPE_GETTOK	/* after ES auth, get token */
} smb_lsa_mtype_t;
168 
/*
 * msg: header common to all message types
 *
 * lmh_msglen comes from the peer; a receiver should check it against a
 * sane upper bound before allocating or reading that many bytes, and
 * should validate lmh_msgtype against smb_lsa_mtype_t.
 */
typedef struct smb_lsa_msg_hdr {
	uint32_t	lmh_msgtype;	/* smb_lsa_mtype_t */
	uint32_t	lmh_msglen;	/* size of what follows */
} smb_lsa_msg_hdr_t;
176 
/*
 * eresp: error response
 * msgtype: LSA_MTYPE_ERESP
 *
 * NOTE(review): smb_lsa_mtype_t above has no LSA_MTYPE_ERESP; this
 * presumably refers to LSA_MTYPE_ERROR.
 */
typedef struct smb_lsa_eresp {
	uint32_t	ler_ntstatus;	/* NT status code */
	uint16_t	ler_errclass;	/* DOS error class */
	uint16_t	ler_errcode;	/* DOS error code */
} smb_lsa_eresp_t;
186 
/*
 * Message for LSA_MTYPE_CLINFO
 * Client information sent at the start of an extended-security exchange.
 * Note the challenge here is a fixed 8 bytes, unlike the length-prefixed
 * smb_logon_t.lg_challenge_key.
 */
typedef struct smb_lsa_clinfo {
	smb_inaddr_t	lci_clnt_ipaddr;	/* client address */
	unsigned char	lci_challenge_key[8];	/* 8-byte challenge */
	int		lci_native_os;
	int		lci_native_lm;
} smb_lsa_clinfo_t;
196 
/* XDR (de)serializers; forward-declared XDR avoids pulling in rpc headers */
struct XDR;
int smb_logon_xdr(struct XDR *, smb_logon_t *);
int smb_token_xdr(struct XDR *, smb_token_t *);

#if defined(_KERNEL) || defined(_FAKE_KERNEL)
/* Release a token received from user space. */
void smb_token_free(smb_token_t *);
#else /* _KERNEL */
/* Authenticate; returns a token the caller must smb_token_destroy(). */
smb_token_t *smb_logon(smb_logon_t *);
void smb_logon_abort(void);
void smb_token_destroy(smb_token_t *);
/* Encode a token; the uint32_t out-parameter receives the length. */
uint8_t *smb_token_encode(smb_token_t *, uint32_t *);
/* Debug/log dump of a token — should not include tkn_ssnkey (verify). */
void smb_token_log(smb_token_t *);
/* Decode a logon request of the given byte length. */
smb_logon_t *smb_logon_decode(uint8_t *, uint32_t);
void smb_logon_free(smb_logon_t *);
#endif /* _KERNEL */

/* Test whether priv_id is held in token->tkn_privileges. */
int smb_token_query_privilege(smb_token_t *token, int priv_id);
/* Sanity-check a token before it is trusted for access decisions. */
boolean_t smb_token_valid(smb_token_t *);
215 
216 #ifdef __cplusplus
217 }
218 #endif
219 
220 #endif /* _SMB_TOKEN_H */
221