search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug #9174: Empty SPNEGO packet can cause smbd to crash.
[Samba.git] / source3 / smbd / smb2_sesssetup.c
blobc90368ffc58aa201e1fd6fe80bd46ab9aa3562a8
1 /*
2 Unix SMB/CIFS implementation.
3 Core SMB2 server
4
5 Copyright (C) Stefan Metzmacher 2009
6 Copyright (C) Jeremy Allison 2010
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "smbd/smbd.h"
24 #include "smbd/globals.h"
25 #include "../libcli/smb/smb_common.h"
26 #include "../libcli/auth/spnego.h"
27 #include "../libcli/auth/ntlmssp.h"
28 #include "ntlmssp_wrap.h"
29 #include "../librpc/gen_ndr/krb5pac.h"
30 #include "libads/kerberos_proto.h"
31 #include "../lib/util/asn1.h"
32 #include "auth.h"
33
34 static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
35 uint64_t in_session_id,
36 uint8_t in_security_mode,
37 DATA_BLOB in_security_buffer,
38 uint16_t *out_session_flags,
39 DATA_BLOB *out_security_buffer,
40 uint64_t *out_session_id);
41
42 NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *smb2req)
43 {
44 const uint8_t *inhdr;
45 const uint8_t *inbody;
46 int i = smb2req->current_idx;
47 uint8_t *outhdr;
48 DATA_BLOB outbody;
49 DATA_BLOB outdyn;
50 uint64_t in_session_id;
51 uint8_t in_security_mode;
52 uint16_t in_security_offset;
53 uint16_t in_security_length;
54 DATA_BLOB in_security_buffer;
55 uint16_t out_session_flags;
56 uint64_t out_session_id;
57 uint16_t out_security_offset;
58 DATA_BLOB out_security_buffer = data_blob_null;
59 NTSTATUS status;
60
61 status = smbd_smb2_request_verify_sizes(smb2req, 0x19);
62 if (!NT_STATUS_IS_OK(status)) {
63 return smbd_smb2_request_error(smb2req, status);
64 }
65 inhdr = (const uint8_t *)smb2req->in.vector[i+0].iov_base;
66 inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base;
67
68 in_security_offset = SVAL(inbody, 0x0C);
69 in_security_length = SVAL(inbody, 0x0E);
70
71 if (in_security_offset != (SMB2_HDR_BODY + smb2req->in.vector[i+1].iov_len)) {
72 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
73 }
74
75 if (in_security_length > smb2req->in.vector[i+2].iov_len) {
76 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
77 }
78
79 in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
80 in_security_mode = CVAL(inbody, 0x03);
81 in_security_buffer.data = (uint8_t *)smb2req->in.vector[i+2].iov_base;
82 in_security_buffer.length = in_security_length;
83
84 status = smbd_smb2_session_setup(smb2req,
85 in_session_id,
86 in_security_mode,
87 in_security_buffer,
88 &out_session_flags,
89 &out_security_buffer,
90 &out_session_id);
91 if (!NT_STATUS_IS_OK(status) &&
92 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
93 status = nt_status_squash(status);
94 return smbd_smb2_request_error(smb2req, status);
95 }
96
97 out_security_offset = SMB2_HDR_BODY + 0x08;
98
99 outhdr = (uint8_t *)smb2req->out.vector[i].iov_base;
100
101 outbody = data_blob_talloc(smb2req->out.vector, NULL, 0x08);
102 if (outbody.data == NULL) {
103 return smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY);
104 }
105
106 SBVAL(outhdr, SMB2_HDR_SESSION_ID, out_session_id);
107
108 SSVAL(outbody.data, 0x00, 0x08 + 1); /* struct size */
109 SSVAL(outbody.data, 0x02,
110 out_session_flags); /* session flags */
111 SSVAL(outbody.data, 0x04,
112 out_security_offset); /* security buffer offset */
113 SSVAL(outbody.data, 0x06,
114 out_security_buffer.length); /* security buffer length */
115
116 outdyn = out_security_buffer;
117
118 return smbd_smb2_request_done_ex(smb2req, status, outbody, &outdyn,
119 __location__);
120 }
121
122 static int smbd_smb2_session_destructor(struct smbd_smb2_session *session)
123 {
124 if (session->sconn == NULL) {
125 return 0;
126 }
127
128 /* first free all tcons */
129 while (session->tcons.list) {
130 talloc_free(session->tcons.list);
131 }
132
133 idr_remove(session->sconn->smb2.sessions.idtree, session->vuid);
134 DLIST_REMOVE(session->sconn->smb2.sessions.list, session);
135 invalidate_vuid(session->sconn, session->vuid);
136
137 session->vuid = 0;
138 session->status = NT_STATUS_USER_SESSION_DELETED;
139 session->sconn = NULL;
140
141 return 0;
142 }
143
144 static NTSTATUS setup_ntlmssp_session_info(struct smbd_smb2_session *session,
145 NTSTATUS status)
146 {
147 if (NT_STATUS_IS_OK(status)) {
148 status = auth_ntlmssp_steal_session_info(session,
149 session->auth_ntlmssp_state,
150 &session->session_info);
151 } else {
152 /* Note that this session_info won't have a session
153 * key. But for map to guest, that's exactly the right
154 * thing - we can't reasonably guess the key the
155 * client wants, as the password was wrong */
156 status = do_map_to_guest(status,
157 &session->session_info,
158 auth_ntlmssp_get_username(session->auth_ntlmssp_state),
159 auth_ntlmssp_get_domain(session->auth_ntlmssp_state));
160 }
161 return status;
162 }
163
164 #ifdef HAVE_KRB5
165 static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
166 struct smbd_smb2_request *smb2req,
167 uint8_t in_security_mode,
168 const DATA_BLOB *secblob,
169 const char *mechOID,
170 uint16_t *out_session_flags,
171 DATA_BLOB *out_security_buffer,
172 uint64_t *out_session_id)
173 {
174 DATA_BLOB ap_rep = data_blob_null;
175 DATA_BLOB ap_rep_wrapped = data_blob_null;
176 DATA_BLOB ticket = data_blob_null;
177 DATA_BLOB session_key = data_blob_null;
178 DATA_BLOB secblob_out = data_blob_null;
179 uint8 tok_id[2];
180 struct PAC_LOGON_INFO *logon_info = NULL;
181 char *principal = NULL;
182 char *user = NULL;
183 char *domain = NULL;
184 struct passwd *pw = NULL;
185 NTSTATUS status;
186 char *real_username;
187 fstring tmp;
188 bool username_was_mapped = false;
189 bool map_domainuser_to_guest = false;
190 bool guest = false;
191
192 if (!spnego_parse_krb5_wrap(talloc_tos(), *secblob, &ticket, tok_id)) {
193 status = NT_STATUS_LOGON_FAILURE;
194 goto fail;
195 }
196
197 status = ads_verify_ticket(smb2req, lp_realm(), 0, &ticket,
198 &principal, &logon_info, &ap_rep,
199 &session_key, true);
200
201 if (!NT_STATUS_IS_OK(status)) {
202 DEBUG(1,("smb2: Failed to verify incoming ticket with error %s!\n",
203 nt_errstr(status)));
204 if (!NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
205 status = NT_STATUS_LOGON_FAILURE;
206 }
207 goto fail;
208 }
209
210 status = get_user_from_kerberos_info(talloc_tos(),
211 smb2req->sconn->client_id.name,
212 principal, logon_info,
213 &username_was_mapped,
214 &map_domainuser_to_guest,
215 &user, &domain,
216 &real_username, &pw);
217 if (!NT_STATUS_IS_OK(status)) {
218 goto fail;
219 }
220
221 /* save the PAC data if we have it */
222 if (logon_info) {
223 netsamlogon_cache_store(user, &logon_info->info3);
224 }
225
226 /* setup the string used by %U */
227 sub_set_smb_name(real_username);
228
229 /* reload services so that the new %U is taken into account */
230 reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true);
231
232 status = make_server_info_krb5(session,
233 user, domain, real_username, pw,
234 logon_info, map_domainuser_to_guest,
235 &session->session_info);
236 if (!NT_STATUS_IS_OK(status)) {
237 DEBUG(1, ("smb2: make_server_info_krb5 failed\n"));
238 goto fail;
239 }
240
241
242 session->session_info->nss_token |= username_was_mapped;
243
244 /* we need to build the token for the user. make_session_info_guest()
245 already does this */
246
247 if (!session->session_info->security_token ) {
248 status = create_local_token(session->session_info);
249 if (!NT_STATUS_IS_OK(status)) {
250 DEBUG(10,("smb2: failed to create local token: %s\n",
251 nt_errstr(status)));
252 goto fail;
253 }
254 }
255
256 if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
257 lp_server_signing() == Required) {
258 session->do_signing = true;
259 }
260
261 if (session->session_info->guest) {
262 /* we map anonymous to guest internally */
263 *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
264 *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
265 /* force no signing */
266 session->do_signing = false;
267 guest = true;
268 }
269
270 data_blob_free(&session->session_info->user_session_key);
271 session->session_info->user_session_key =
272 data_blob_talloc(
273 session->session_info,
274 session_key.data,
275 session_key.length);
276 if (session_key.length > 0) {
277 if (session->session_info->user_session_key.data == NULL) {
278 status = NT_STATUS_NO_MEMORY;
279 goto fail;
280 }
281 }
282 session->session_key = session->session_info->user_session_key;
283
284 session->compat_vuser = talloc_zero(session, user_struct);
285 if (session->compat_vuser == NULL) {
286 status = NT_STATUS_NO_MEMORY;
287 goto fail;
288 }
289 session->compat_vuser->auth_ntlmssp_state = NULL;
290 session->compat_vuser->homes_snum = -1;
291 session->compat_vuser->session_info = session->session_info;
292 session->compat_vuser->session_keystr = NULL;
293 session->compat_vuser->vuid = session->vuid;
294 DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
295
296 /* This is a potentially untrusted username */
297 alpha_strcpy(tmp, user, ". _-$", sizeof(tmp));
298 session->session_info->sanitized_username =
299 talloc_strdup(session->session_info, tmp);
300
301 if (!session->session_info->guest) {
302 session->compat_vuser->homes_snum =
303 register_homes_share(session->session_info->unix_name);
304 }
305
306 if (!session_claim(session->sconn, session->compat_vuser)) {
307 DEBUG(1, ("smb2: Failed to claim session "
308 "for vuid=%d\n",
309 session->compat_vuser->vuid));
310 goto fail;
311 }
312
313 session->status = NT_STATUS_OK;
314
315 /*
316 * we attach the session to the request
317 * so that the response can be signed
318 */
319 smb2req->session = session;
320 if (!guest) {
321 smb2req->do_signing = true;
322 }
323
324 global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
325 status = NT_STATUS_OK;
326
327 /* wrap that up in a nice GSS-API wrapping */
328 ap_rep_wrapped = spnego_gen_krb5_wrap(talloc_tos(), ap_rep,
329 TOK_ID_KRB_AP_REP);
330
331 secblob_out = spnego_gen_auth_response(
332 talloc_tos(),
333 &ap_rep_wrapped,
334 status,
335 mechOID);
336
337 *out_security_buffer = data_blob_talloc(smb2req,
338 secblob_out.data,
339 secblob_out.length);
340 if (secblob_out.data && out_security_buffer->data == NULL) {
341 status = NT_STATUS_NO_MEMORY;
342 goto fail;
343 }
344
345 data_blob_free(&ap_rep);
346 data_blob_free(&ap_rep_wrapped);
347 data_blob_free(&ticket);
348 data_blob_free(&session_key);
349 data_blob_free(&secblob_out);
350
351 *out_session_id = session->vuid;
352
353 return NT_STATUS_OK;
354
355 fail:
356
357 data_blob_free(&ap_rep);
358 data_blob_free(&ap_rep_wrapped);
359 data_blob_free(&ticket);
360 data_blob_free(&session_key);
361 data_blob_free(&secblob_out);
362
363 ap_rep_wrapped = data_blob_null;
364 secblob_out = spnego_gen_auth_response(
365 talloc_tos(),
366 &ap_rep_wrapped,
367 status,
368 mechOID);
369
370 *out_security_buffer = data_blob_talloc(smb2req,
371 secblob_out.data,
372 secblob_out.length);
373 data_blob_free(&secblob_out);
374 return status;
375 }
376 #endif
377
378 static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
379 struct smbd_smb2_request *smb2req,
380 uint8_t in_security_mode,
381 DATA_BLOB in_security_buffer,
382 uint16_t *out_session_flags,
383 DATA_BLOB *out_security_buffer,
384 uint64_t *out_session_id)
385 {
386 DATA_BLOB secblob_in = data_blob_null;
387 DATA_BLOB chal_out = data_blob_null;
388 char *kerb_mech = NULL;
389 NTSTATUS status;
390
391 /* Ensure we have no old NTLM state around. */
392 TALLOC_FREE(session->auth_ntlmssp_state);
393
394 status = parse_spnego_mechanisms(talloc_tos(), in_security_buffer,
395 &secblob_in, &kerb_mech);
396 if (!NT_STATUS_IS_OK(status)) {
397 goto out;
398 }
399
400 #ifdef HAVE_KRB5
401 if (kerb_mech && ((lp_security()==SEC_ADS) ||
402 USE_KERBEROS_KEYTAB) ) {
403 status = smbd_smb2_session_setup_krb5(session,
404 smb2req,
405 in_security_mode,
406 &secblob_in,
407 kerb_mech,
408 out_session_flags,
409 out_security_buffer,
410 out_session_id);
411
412 goto out;
413 }
414 #endif
415
416 if (kerb_mech) {
417 /* The mechtoken is a krb5 ticket, but
418 * we need to fall back to NTLM. */
419
420 DEBUG(3,("smb2: Got krb5 ticket in SPNEGO "
421 "but set to downgrade to NTLMSSP\n"));
422
423 status = NT_STATUS_MORE_PROCESSING_REQUIRED;
424 } else {
425 /* Fall back to NTLMSSP. */
426 status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
427 if (!NT_STATUS_IS_OK(status)) {
428 goto out;
429 }
430
431 status = auth_ntlmssp_update(session->auth_ntlmssp_state,
432 secblob_in,
433 &chal_out);
434 }
435
436 if (!NT_STATUS_IS_OK(status) &&
437 !NT_STATUS_EQUAL(status,
438 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
439 goto out;
440 }
441
442 *out_security_buffer = spnego_gen_auth_response(smb2req,
443 &chal_out,
444 status,
445 OID_NTLMSSP);
446 if (out_security_buffer->data == NULL) {
447 status = NT_STATUS_NO_MEMORY;
448 goto out;
449 }
450 *out_session_id = session->vuid;
451
452 out:
453
454 data_blob_free(&secblob_in);
455 data_blob_free(&chal_out);
456 TALLOC_FREE(kerb_mech);
457 if (!NT_STATUS_IS_OK(status) &&
458 !NT_STATUS_EQUAL(status,
459 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
460 TALLOC_FREE(session->auth_ntlmssp_state);
461 TALLOC_FREE(session);
462 }
463 return status;
464 }
465
466 static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *session,
467 struct smbd_smb2_request *smb2req,
468 uint8_t in_security_mode,
469 DATA_BLOB in_security_buffer,
470 uint16_t *out_session_flags,
471 uint64_t *out_session_id)
472 {
473 fstring tmp;
474 bool guest = false;
475
476 if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
477 lp_server_signing() == Required) {
478 session->do_signing = true;
479 }
480
481 if (session->session_info->guest) {
482 /* we map anonymous to guest internally */
483 *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
484 *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
485 /* force no signing */
486 session->do_signing = false;
487 guest = true;
488 }
489
490 session->session_key = session->session_info->user_session_key;
491
492 session->compat_vuser = talloc_zero(session, user_struct);
493 if (session->compat_vuser == NULL) {
494 TALLOC_FREE(session->auth_ntlmssp_state);
495 TALLOC_FREE(session);
496 return NT_STATUS_NO_MEMORY;
497 }
498 session->compat_vuser->auth_ntlmssp_state = session->auth_ntlmssp_state;
499 session->compat_vuser->homes_snum = -1;
500 session->compat_vuser->session_info = session->session_info;
501 session->compat_vuser->session_keystr = NULL;
502 session->compat_vuser->vuid = session->vuid;
503 DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
504
505 /* This is a potentially untrusted username */
506 alpha_strcpy(tmp,
507 auth_ntlmssp_get_username(session->auth_ntlmssp_state),
508 ". _-$",
509 sizeof(tmp));
510 session->session_info->sanitized_username = talloc_strdup(
511 session->session_info, tmp);
512
513 if (!session->compat_vuser->session_info->guest) {
514 session->compat_vuser->homes_snum =
515 register_homes_share(session->session_info->unix_name);
516 }
517
518 if (!session_claim(session->sconn, session->compat_vuser)) {
519 DEBUG(1, ("smb2: Failed to claim session "
520 "for vuid=%d\n",
521 session->compat_vuser->vuid));
522 TALLOC_FREE(session->auth_ntlmssp_state);
523 TALLOC_FREE(session);
524 return NT_STATUS_LOGON_FAILURE;
525 }
526
527
528 session->status = NT_STATUS_OK;
529
530 /*
531 * we attach the session to the request
532 * so that the response can be signed
533 */
534 smb2req->session = session;
535 if (!guest) {
536 smb2req->do_signing = true;
537 }
538
539 global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
540
541 *out_session_id = session->vuid;
542
543 return NT_STATUS_OK;
544 }
545
546 static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
547 struct smbd_smb2_request *smb2req,
548 uint8_t in_security_mode,
549 DATA_BLOB in_security_buffer,
550 uint16_t *out_session_flags,
551 DATA_BLOB *out_security_buffer,
552 uint64_t *out_session_id)
553 {
554 DATA_BLOB auth = data_blob_null;
555 DATA_BLOB auth_out = data_blob_null;
556 NTSTATUS status;
557
558 if (!spnego_parse_auth(talloc_tos(), in_security_buffer, &auth)) {
559 TALLOC_FREE(session);
560 return NT_STATUS_LOGON_FAILURE;
561 }
562
563 if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0)) {
564 /* Might be a second negTokenTarg packet */
565 DATA_BLOB secblob_in = data_blob_null;
566 char *kerb_mech = NULL;
567
568 status = parse_spnego_mechanisms(talloc_tos(),
569 in_security_buffer,
570 &secblob_in, &kerb_mech);
571 if (!NT_STATUS_IS_OK(status)) {
572 TALLOC_FREE(session);
573 return status;
574 }
575
576 #ifdef HAVE_KRB5
577 if (kerb_mech && ((lp_security()==SEC_ADS) ||
578 USE_KERBEROS_KEYTAB) ) {
579 status = smbd_smb2_session_setup_krb5(session,
580 smb2req,
581 in_security_mode,
582 &secblob_in,
583 kerb_mech,
584 out_session_flags,
585 out_security_buffer,
586 out_session_id);
587
588 data_blob_free(&secblob_in);
589 TALLOC_FREE(kerb_mech);
590 if (!NT_STATUS_IS_OK(status)) {
591 TALLOC_FREE(session);
592 }
593 return status;
594 }
595 #endif
596
597 /* Can't blunder into NTLMSSP auth if we have
598 * a krb5 ticket. */
599
600 if (kerb_mech) {
601 DEBUG(3,("smb2: network "
602 "misconfiguration, client sent us a "
603 "krb5 ticket and kerberos security "
604 "not enabled\n"));
605 TALLOC_FREE(session);
606 data_blob_free(&secblob_in);
607 TALLOC_FREE(kerb_mech);
608 return NT_STATUS_LOGON_FAILURE;
609 }
610
611 data_blob_free(&secblob_in);
612 }
613
614 if (session->auth_ntlmssp_state == NULL) {
615 status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
616 if (!NT_STATUS_IS_OK(status)) {
617 data_blob_free(&auth);
618 TALLOC_FREE(session);
619 return status;
620 }
621 }
622
623 status = auth_ntlmssp_update(session->auth_ntlmssp_state,
624 auth,
625 &auth_out);
626 /* We need to call setup_ntlmssp_session_info() if status==NT_STATUS_OK,
627 or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED,
628 as this can trigger map to guest. */
629 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
630 status = setup_ntlmssp_session_info(session, status);
631 }
632
633 if (!NT_STATUS_IS_OK(status) &&
634 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
635 TALLOC_FREE(session->auth_ntlmssp_state);
636 data_blob_free(&auth);
637 TALLOC_FREE(session);
638 return status;
639 }
640
641 data_blob_free(&auth);
642
643 *out_security_buffer = spnego_gen_auth_response(smb2req,
644 &auth_out, status, NULL);
645
646 if (out_security_buffer->data == NULL) {
647 TALLOC_FREE(session->auth_ntlmssp_state);
648 TALLOC_FREE(session);
649 return NT_STATUS_NO_MEMORY;
650 }
651
652 *out_session_id = session->vuid;
653
654 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
655 return NT_STATUS_MORE_PROCESSING_REQUIRED;
656 }
657
658 /* We're done - claim the session. */
659 return smbd_smb2_common_ntlmssp_auth_return(session,
660 smb2req,
661 in_security_mode,
662 in_security_buffer,
663 out_session_flags,
664 out_session_id);
665 }
666
667 static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
668 struct smbd_smb2_request *smb2req,
669 uint8_t in_security_mode,
670 DATA_BLOB in_security_buffer,
671 uint16_t *out_session_flags,
672 DATA_BLOB *out_security_buffer,
673 uint64_t *out_session_id)
674 {
675 NTSTATUS status;
676 DATA_BLOB secblob_out = data_blob_null;
677
678 *out_security_buffer = data_blob_null;
679
680 if (session->auth_ntlmssp_state == NULL) {
681 status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
682 if (!NT_STATUS_IS_OK(status)) {
683 TALLOC_FREE(session);
684 return status;
685 }
686 }
687
688 /* RAW NTLMSSP */
689 status = auth_ntlmssp_update(session->auth_ntlmssp_state,
690 in_security_buffer,
691 &secblob_out);
692
693 if (NT_STATUS_IS_OK(status) ||
694 NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
695 *out_security_buffer = data_blob_talloc(smb2req,
696 secblob_out.data,
697 secblob_out.length);
698 if (secblob_out.data && out_security_buffer->data == NULL) {
699 TALLOC_FREE(session->auth_ntlmssp_state);
700 TALLOC_FREE(session);
701 return NT_STATUS_NO_MEMORY;
702 }
703 }
704
705 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
706 *out_session_id = session->vuid;
707 return status;
708 }
709
710 status = setup_ntlmssp_session_info(session, status);
711
712 if (!NT_STATUS_IS_OK(status)) {
713 TALLOC_FREE(session->auth_ntlmssp_state);
714 TALLOC_FREE(session);
715 return status;
716 }
717 *out_session_id = session->vuid;
718
719 return smbd_smb2_common_ntlmssp_auth_return(session,
720 smb2req,
721 in_security_mode,
722 in_security_buffer,
723 out_session_flags,
724 out_session_id);
725 }
726
727 static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
728 uint64_t in_session_id,
729 uint8_t in_security_mode,
730 DATA_BLOB in_security_buffer,
731 uint16_t *out_session_flags,
732 DATA_BLOB *out_security_buffer,
733 uint64_t *out_session_id)
734 {
735 struct smbd_smb2_session *session;
736
737 *out_session_flags = 0;
738 *out_session_id = 0;
739
740 if (in_session_id == 0) {
741 int id;
742
743 /* create a new session */
744 session = talloc_zero(smb2req->sconn, struct smbd_smb2_session);
745 if (session == NULL) {
746 return NT_STATUS_NO_MEMORY;
747 }
748 session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
749 id = idr_get_new_random(smb2req->sconn->smb2.sessions.idtree,
750 session,
751 smb2req->sconn->smb2.sessions.limit);
752 if (id == -1) {
753 return NT_STATUS_INSUFFICIENT_RESOURCES;
754 }
755 session->vuid = id;
756
757 session->tcons.idtree = idr_init(session);
758 if (session->tcons.idtree == NULL) {
759 return NT_STATUS_NO_MEMORY;
760 }
761 session->tcons.limit = 0x0000FFFE;
762 session->tcons.list = NULL;
763
764 DLIST_ADD_END(smb2req->sconn->smb2.sessions.list, session,
765 struct smbd_smb2_session *);
766 session->sconn = smb2req->sconn;
767 talloc_set_destructor(session, smbd_smb2_session_destructor);
768 } else {
769 void *p;
770
771 /* lookup an existing session */
772 p = idr_find(smb2req->sconn->smb2.sessions.idtree, in_session_id);
773 if (p == NULL) {
774 return NT_STATUS_USER_SESSION_DELETED;
775 }
776 session = talloc_get_type_abort(p, struct smbd_smb2_session);
777 }
778
779 if (NT_STATUS_IS_OK(session->status)) {
780 return NT_STATUS_REQUEST_NOT_ACCEPTED;
781 }
782
783 if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
784 return smbd_smb2_spnego_negotiate(session,
785 smb2req,
786 in_security_mode,
787 in_security_buffer,
788 out_session_flags,
789 out_security_buffer,
790 out_session_id);
791 } else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
792 return smbd_smb2_spnego_auth(session,
793 smb2req,
794 in_security_mode,
795 in_security_buffer,
796 out_session_flags,
797 out_security_buffer,
798 out_session_id);
799 } else if (strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) {
800 return smbd_smb2_raw_ntlmssp_auth(session,
801 smb2req,
802 in_security_mode,
803 in_security_buffer,
804 out_session_flags,
805 out_security_buffer,
806 out_session_id);
807 }
808
809 /* Unknown packet type. */
810 DEBUG(1,("Unknown packet type %u in smb2 sessionsetup\n",
811 (unsigned int)in_security_buffer.data[0] ));
812 TALLOC_FREE(session->auth_ntlmssp_state);
813 TALLOC_FREE(session);
814 return NT_STATUS_LOGON_FAILURE;
815 }
816
817 NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req)
818 {
819 const uint8_t *inhdr;
820 int i = req->current_idx;
821 uint32_t in_flags;
822 uint64_t in_session_id;
823 void *p;
824 struct smbd_smb2_session *session;
825
826 req->session = NULL;
827 req->tcon = NULL;
828
829 inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
830
831 in_flags = IVAL(inhdr, SMB2_HDR_FLAGS);
832 in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
833
834 if (in_flags & SMB2_HDR_FLAG_CHAINED) {
835 in_session_id = req->last_session_id;
836 }
837
838 /* lookup an existing session */
839 p = idr_find(req->sconn->smb2.sessions.idtree, in_session_id);
840 if (p == NULL) {
841 return NT_STATUS_USER_SESSION_DELETED;
842 }
843 session = talloc_get_type_abort(p, struct smbd_smb2_session);
844
845 if (!NT_STATUS_IS_OK(session->status)) {
846 return NT_STATUS_ACCESS_DENIED;
847 }
848
849 set_current_user_info(session->session_info->sanitized_username,
850 session->session_info->unix_name,
851 session->session_info->info3->base.domain.string);
852
853 req->session = session;
854 req->last_session_id = in_session_id;
855
856 return NT_STATUS_OK;
857 }
858
859 NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req)
860 {
861 NTSTATUS status;
862 DATA_BLOB outbody;
863
864 status = smbd_smb2_request_verify_sizes(req, 0x04);
865 if (!NT_STATUS_IS_OK(status)) {
866 return smbd_smb2_request_error(req, status);
867 }
868
869 /*
870 * TODO: cancel all outstanding requests on the session
871 * and delete all tree connections.
872 */
873 smbd_smb2_session_destructor(req->session);
874 /*
875 * we may need to sign the response, so we need to keep
876 * the session until the response is sent to the wire.
877 */
878 talloc_steal(req, req->session);
879
880 outbody = data_blob_talloc(req->out.vector, NULL, 0x04);
881 if (outbody.data == NULL) {
882 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
883 }
884
885 SSVAL(outbody.data, 0x00, 0x04); /* struct size */
886 SSVAL(outbody.data, 0x02, 0); /* reserved */
887
888 return smbd_smb2_request_done(req, outbody, NULL);
889 }
Samba GIT mirror