search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb/docs: Include ceph rados namespace support in man page
[Samba.git] / source3 / smbd / smb2_negprot.c
blobf66ec2aa47f98ad8ada61a25104a1fbcc798b49e
1 /*
2 Unix SMB/CIFS implementation.
3 Core SMB2 server
4
5 Copyright (C) Stefan Metzmacher 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../libcli/smb/smb2_negotiate_context.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "../librpc/ndr/libndr.h"
28 #include "../libcli/smb/smb_signing.h"
29 #include "auth.h"
30 #include "auth/gensec/gensec.h"
31 #include "lib/util/string_wrappers.h"
32 #include "source3/lib/substitute.h"
33 #ifdef HAVE_VALGRIND_CALLGRIND_H
34 #include <valgrind/callgrind.h>
35 #endif /* HAVE_VALGRIND_CALLGRIND_H */
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_SMB2
39
40 /*
41 * this is the entry point if SMB2 is selected via
42 * the SMB negprot and the given dialect.
43 */
44 static NTSTATUS reply_smb20xx(struct smb_request *req, uint16_t dialect)
45 {
46 uint8_t *smb2_inpdu;
47 uint8_t *smb2_hdr;
48 uint8_t *smb2_body;
49 uint8_t *smb2_dyn;
50 size_t len = SMB2_HDR_BODY + 0x24 + 2;
51
52 smb2_inpdu = talloc_zero_array(talloc_tos(), uint8_t, len);
53 if (smb2_inpdu == NULL) {
54 DEBUG(0, ("Could not push spnego blob\n"));
55 reply_nterror(req, NT_STATUS_NO_MEMORY);
56 return NT_STATUS_NO_MEMORY;
57 }
58 smb2_hdr = smb2_inpdu;
59 smb2_body = smb2_hdr + SMB2_HDR_BODY;
60 smb2_dyn = smb2_body + 0x24;
61
62 SIVAL(smb2_hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
63 SIVAL(smb2_hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
64
65 SSVAL(smb2_body, 0x00, 0x0024); /* struct size */
66 SSVAL(smb2_body, 0x02, 0x0001); /* dialect count */
67
68 SSVAL(smb2_dyn, 0x00, dialect);
69
70 req->outbuf = NULL;
71
72 return smbd_smb2_process_negprot(req->xconn, 0, smb2_inpdu, len);
73 }
74
75 /*
76 * this is the entry point if SMB2 is selected via
77 * the SMB negprot and the "SMB 2.002" dialect.
78 */
79 NTSTATUS reply_smb2002(struct smb_request *req, uint16_t choice)
80 {
81 return reply_smb20xx(req, SMB2_DIALECT_REVISION_202);
82 }
83
84 /*
85 * this is the entry point if SMB2 is selected via
86 * the SMB negprot and the "SMB 2.???" dialect.
87 */
88 NTSTATUS reply_smb20ff(struct smb_request *req, uint16_t choice)
89 {
90 struct smbXsrv_connection *xconn = req->xconn;
91 xconn->smb2.allow_2ff = true;
92 return reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF);
93 }
94
95 enum protocol_types smbd_smb2_protocol_dialect_match(const uint8_t *indyn,
96 const int dialect_count,
97 uint16_t *dialect)
98 {
99 static const struct {
100 enum protocol_types proto;
101 uint16_t dialect;
102 } pd[] = {
103 { PROTOCOL_SMB3_11, SMB3_DIALECT_REVISION_311 },
104 { PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302 },
105 { PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300 },
106 { PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210 },
107 { PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202 },
108 };
109 size_t i;
110
111 for (i = 0; i < ARRAY_SIZE(pd); i ++) {
112 int c = 0;
113
114 if (lp_server_max_protocol() < pd[i].proto) {
115 continue;
116 }
117 if (lp_server_min_protocol() > pd[i].proto) {
118 continue;
119 }
120
121 for (c = 0; c < dialect_count; c++) {
122 *dialect = SVAL(indyn, c*2);
123 if (*dialect == pd[i].dialect) {
124 return pd[i].proto;
125 }
126 }
127 }
128
129 return PROTOCOL_NONE;
130 }
131
132 static NTSTATUS smb2_negotiate_context_process_posix(
133 const struct smb2_negotiate_contexts *in_c,
134 bool *posix)
135 {
136 struct smb2_negotiate_context *in_posix = NULL;
137 const uint8_t *inbuf = NULL;
138 size_t inbuflen;
139 bool posix_found = false;
140 size_t ofs;
141 int cmp;
142
143 *posix = false;
144
145 if (!lp_smb3_unix_extensions(GLOBAL_SECTION_SNUM)) {
146 return NT_STATUS_OK;
147 }
148
149 in_posix = smb2_negotiate_context_find(in_c,
150 SMB2_POSIX_EXTENSIONS_AVAILABLE);
151 if (in_posix == NULL) {
152 return NT_STATUS_OK;
153 }
154
155 inbuf = in_posix->data.data;
156 inbuflen = in_posix->data.length;
157
158 /*
159 * For now the server only supports one variant.
160 * Check it's the right one.
161 */
162 if ((inbuflen % 16) != 0) {
163 return NT_STATUS_INVALID_PARAMETER;
164 }
165
166 SMB_ASSERT(strlen(SMB2_CREATE_TAG_POSIX) == 16);
167
168 for (ofs = 0; ofs < inbuflen; ofs += 16) {
169 cmp = memcmp(inbuf+ofs, SMB2_CREATE_TAG_POSIX, 16);
170 if (cmp == 0) {
171 posix_found = true;
172 break;
173 }
174 }
175
176 if (!posix_found) {
177 DBG_DEBUG("Client requested unknown SMB3 Unix extensions:\n");
178 dump_data(10, inbuf, inbuflen);
179 return NT_STATUS_OK;
180 }
181
182 DBG_DEBUG("Client requested SMB3 Unix extensions\n");
183 *posix = true;
184 return NT_STATUS_OK;
185 }
186
187 struct smbd_smb2_request_process_negprot_state {
188 struct smbd_smb2_request *req;
189 DATA_BLOB outbody;
190 DATA_BLOB outdyn;
191 };
192
193 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq);
194
195 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
196 {
197 struct smbd_smb2_request_process_negprot_state *state = NULL;
198 struct smbXsrv_connection *xconn = req->xconn;
199 struct tevent_req *subreq = NULL;
200 NTSTATUS status;
201 const uint8_t *inbody;
202 const uint8_t *indyn = NULL;
203 DATA_BLOB outbody;
204 DATA_BLOB outdyn;
205 DATA_BLOB negprot_spnego_blob;
206 uint16_t security_offset;
207 DATA_BLOB security_buffer;
208 size_t expected_dyn_size = 0;
209 size_t c;
210 uint16_t security_mode;
211 uint16_t dialect_count;
212 uint16_t in_security_mode;
213 uint32_t in_capabilities;
214 DATA_BLOB in_guid_blob;
215 struct GUID in_guid;
216 struct smb2_negotiate_contexts in_c = { .num_contexts = 0, };
217 struct smb2_negotiate_context *in_preauth = NULL;
218 struct smb2_negotiate_context *in_cipher = NULL;
219 struct smb2_negotiate_context *in_sign_algo = NULL;
220 struct smb2_negotiate_contexts out_c = { .num_contexts = 0, };
221 const struct smb311_capabilities default_smb3_capabilities =
222 smb311_capabilities_parse("server",
223 lp_server_smb3_signing_algorithms(),
224 lp_server_smb3_encryption_algorithms());
225 DATA_BLOB out_negotiate_context_blob = data_blob_null;
226 uint32_t out_negotiate_context_offset = 0;
227 uint16_t out_negotiate_context_count = 0;
228 uint16_t dialect = 0;
229 uint32_t capabilities;
230 DATA_BLOB out_guid_blob;
231 struct GUID out_guid;
232 enum protocol_types protocol = PROTOCOL_NONE;
233 uint32_t max_limit;
234 uint32_t max_trans = lp_smb2_max_trans();
235 uint32_t max_read = lp_smb2_max_read();
236 uint32_t max_write = lp_smb2_max_write();
237 NTTIME now = timeval_to_nttime(&req->request_time);
238 bool posix = false;
239 bool ok;
240
241 status = smbd_smb2_request_verify_sizes(req, 0x24);
242 if (!NT_STATUS_IS_OK(status)) {
243 return smbd_smb2_request_error(req, status);
244 }
245 inbody = SMBD_SMB2_IN_BODY_PTR(req);
246
247 dialect_count = SVAL(inbody, 0x02);
248
249 in_security_mode = SVAL(inbody, 0x04);
250 in_capabilities = IVAL(inbody, 0x08);
251 in_guid_blob = data_blob_const(inbody + 0x0C, 16);
252
253 if (dialect_count == 0) {
254 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
255 }
256
257 status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
258 if (!NT_STATUS_IS_OK(status)) {
259 return smbd_smb2_request_error(req, status);
260 }
261
262 expected_dyn_size = dialect_count * 2;
263 if (SMBD_SMB2_IN_DYN_LEN(req) < expected_dyn_size) {
264 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
265 }
266 indyn = SMBD_SMB2_IN_DYN_PTR(req);
267
268 protocol = smbd_smb2_protocol_dialect_match(indyn,
269 dialect_count,
270 &dialect);
271
272 for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
273 if (lp_server_max_protocol() < PROTOCOL_SMB2_10) {
274 break;
275 }
276
277 dialect = SVAL(indyn, c*2);
278 if (dialect == SMB2_DIALECT_REVISION_2FF) {
279 if (xconn->smb2.allow_2ff) {
280 xconn->smb2.allow_2ff = false;
281 protocol = PROTOCOL_SMB2_10;
282 break;
283 }
284 }
285 }
286
287 if (protocol == PROTOCOL_NONE) {
288 return smbd_smb2_request_error(req, NT_STATUS_NOT_SUPPORTED);
289 }
290
291 if (protocol >= PROTOCOL_SMB3_11) {
292 uint32_t in_negotiate_context_offset = 0;
293 uint16_t in_negotiate_context_count = 0;
294 DATA_BLOB in_negotiate_context_blob = data_blob_null;
295 size_t ofs;
296
297 in_negotiate_context_offset = IVAL(inbody, 0x1C);
298 in_negotiate_context_count = SVAL(inbody, 0x20);
299
300 ofs = SMB2_HDR_BODY;
301 ofs += SMBD_SMB2_IN_BODY_LEN(req);
302 ofs += expected_dyn_size;
303 if ((ofs % 8) != 0) {
304 ofs += 8 - (ofs % 8);
305 }
306
307 if (in_negotiate_context_offset != ofs) {
308 return smbd_smb2_request_error(req,
309 NT_STATUS_INVALID_PARAMETER);
310 }
311
312 ofs -= SMB2_HDR_BODY;
313 ofs -= SMBD_SMB2_IN_BODY_LEN(req);
314
315 if (SMBD_SMB2_IN_DYN_LEN(req) < ofs) {
316 return smbd_smb2_request_error(req,
317 NT_STATUS_INVALID_PARAMETER);
318 }
319
320 in_negotiate_context_blob = data_blob_const(indyn,
321 SMBD_SMB2_IN_DYN_LEN(req));
322
323 in_negotiate_context_blob.data += ofs;
324 in_negotiate_context_blob.length -= ofs;
325
326 status = smb2_negotiate_context_parse(req,
327 in_negotiate_context_blob,
328 in_negotiate_context_count,
329 &in_c);
330 if (!NT_STATUS_IS_OK(status)) {
331 return smbd_smb2_request_error(req, status);
332 }
333
334 status = smb2_negotiate_context_process_posix(&in_c, &posix);
335 if (!NT_STATUS_IS_OK(status)) {
336 return smbd_smb2_request_error(req, status);
337 }
338 }
339
340 if ((dialect != SMB2_DIALECT_REVISION_2FF) &&
341 (protocol >= PROTOCOL_SMB2_10) &&
342 !GUID_all_zero(&in_guid))
343 {
344 ok = remote_arch_cache_update(&in_guid);
345 if (!ok) {
346 return smbd_smb2_request_error(
347 req, NT_STATUS_UNSUCCESSFUL);
348 }
349 }
350
351 switch (get_remote_arch()) {
352 case RA_VISTA:
353 case RA_SAMBA:
354 case RA_CIFSFS:
355 case RA_OSX:
356 break;
357 default:
358 set_remote_arch(RA_VISTA);
359 break;
360 }
361
362 {
363 fstring proto;
364 fstr_sprintf(proto,
365 "SMB%X_%02X",
366 (dialect >> 8) & 0xFF, dialect & 0xFF);
367 set_remote_proto(proto);
368 DEBUG(3,("Selected protocol %s\n", proto));
369 }
370
371 reload_services(req->sconn, conn_snum_used, true);
372
373 in_preauth = smb2_negotiate_context_find(&in_c,
374 SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
375 if (protocol >= PROTOCOL_SMB3_11 && in_preauth == NULL) {
376 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
377 }
378 in_cipher = smb2_negotiate_context_find(&in_c,
379 SMB2_ENCRYPTION_CAPABILITIES);
380 in_sign_algo = smb2_negotiate_context_find(&in_c,
381 SMB2_SIGNING_CAPABILITIES);
382
383 /* negprot_spnego() returns the server guid in the first 16 bytes */
384 negprot_spnego_blob = negprot_spnego(req, xconn);
385 if (negprot_spnego_blob.data == NULL) {
386 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
387 }
388
389 if (negprot_spnego_blob.length < 16) {
390 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
391 }
392
393 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
394 if (xconn->smb2.signing_mandatory) {
395 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
396 }
397
398 capabilities = 0;
399 if (lp_host_msdfs()) {
400 capabilities |= SMB2_CAP_DFS;
401 }
402
403 if (protocol >= PROTOCOL_SMB2_10 &&
404 lp_smb2_leases() &&
405 lp_oplocks(GLOBAL_SECTION_SNUM) &&
406 !lp_kernel_oplocks(GLOBAL_SECTION_SNUM))
407 {
408 capabilities |= SMB2_CAP_LEASING;
409 }
410
411 if ((protocol >= PROTOCOL_SMB3_00) &&
412 (lp_server_smb_encrypt(-1) != SMB_ENCRYPTION_OFF) &&
413 (in_capabilities & SMB2_CAP_ENCRYPTION)) {
414 capabilities |= SMB2_CAP_ENCRYPTION;
415 }
416
417 /*
418 * 0x10000 (65536) is the maximum allowed message size
419 * for SMB 2.0
420 */
421 max_limit = 0x10000;
422
423 if (protocol >= PROTOCOL_SMB2_10) {
424 int p = 0;
425
426 if (tsocket_address_is_inet(req->sconn->local_address, "ip")) {
427 p = tsocket_address_inet_port(req->sconn->local_address);
428 }
429
430 /* largeMTU is not supported over NBT (tcp port 139) */
431 if (p != NBT_SMB_PORT) {
432 capabilities |= SMB2_CAP_LARGE_MTU;
433 xconn->smb2.credits.multicredit = true;
434
435 /*
436 * We allow up to almost 16MB.
437 *
438 * The maximum PDU size is 0xFFFFFF (16776960)
439 * and we need some space for the header.
440 */
441 max_limit = 0xFFFF00;
442 }
443 }
444
445 /*
446 * the defaults are 8MB, but we'll limit this to max_limit based on
447 * the dialect (64kb for SMB 2.0, 8MB for SMB >= 2.1 with LargeMTU)
448 *
449 * user configured values exceeding the limits will be overwritten,
450 * only smaller values will be accepted
451 */
452
453 max_trans = MIN(max_limit, lp_smb2_max_trans());
454 max_read = MIN(max_limit, lp_smb2_max_read());
455 max_write = MIN(max_limit, lp_smb2_max_write());
456
457 if (in_preauth != NULL) {
458 size_t needed = 4;
459 uint16_t hash_count;
460 uint16_t salt_length;
461 uint16_t selected_preauth = 0;
462 const uint8_t *p;
463 uint8_t buf[38];
464 size_t i;
465
466 if (in_preauth->data.length < needed) {
467 return smbd_smb2_request_error(req,
468 NT_STATUS_INVALID_PARAMETER);
469 }
470
471 hash_count = SVAL(in_preauth->data.data, 0);
472 salt_length = SVAL(in_preauth->data.data, 2);
473
474 if (hash_count == 0) {
475 return smbd_smb2_request_error(req,
476 NT_STATUS_INVALID_PARAMETER);
477 }
478
479 p = in_preauth->data.data + needed;
480 needed += hash_count * 2;
481 needed += salt_length;
482
483 if (in_preauth->data.length < needed) {
484 return smbd_smb2_request_error(req,
485 NT_STATUS_INVALID_PARAMETER);
486 }
487
488 for (i=0; i < hash_count; i++) {
489 uint16_t v;
490
491 v = SVAL(p, 0);
492 p += 2;
493
494 if (v == SMB2_PREAUTH_INTEGRITY_SHA512) {
495 selected_preauth = v;
496 break;
497 }
498 }
499
500 if (selected_preauth == 0) {
501 return smbd_smb2_request_error(req,
502 NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP);
503 }
504
505 SSVAL(buf, 0, 1); /* HashAlgorithmCount */
506 SSVAL(buf, 2, 32); /* SaltLength */
507 SSVAL(buf, 4, selected_preauth);
508 generate_random_buffer(buf + 6, 32);
509
510 status = smb2_negotiate_context_add(
511 req,
512 &out_c,
513 SMB2_PREAUTH_INTEGRITY_CAPABILITIES,
514 buf,
515 sizeof(buf));
516 if (!NT_STATUS_IS_OK(status)) {
517 return smbd_smb2_request_error(req, status);
518 }
519
520 req->preauth = &req->xconn->smb2.preauth;
521 }
522
523 if (protocol >= PROTOCOL_SMB3_00) {
524 xconn->smb2.server.sign_algo = SMB2_SIGNING_AES128_CMAC;
525 } else {
526 xconn->smb2.server.sign_algo = SMB2_SIGNING_HMAC_SHA256;
527 }
528
529 if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
530 const struct smb3_encryption_capabilities *srv_ciphers =
531 &default_smb3_capabilities.encryption;
532 uint16_t srv_preferred_idx = UINT16_MAX;
533 size_t needed = 2;
534 uint16_t cipher_count;
535 const uint8_t *p;
536 uint8_t buf[4];
537 size_t i;
538
539 capabilities &= ~SMB2_CAP_ENCRYPTION;
540
541 if (in_cipher->data.length < needed) {
542 return smbd_smb2_request_error(req,
543 NT_STATUS_INVALID_PARAMETER);
544 }
545
546 cipher_count = SVAL(in_cipher->data.data, 0);
547 if (cipher_count == 0) {
548 return smbd_smb2_request_error(req,
549 NT_STATUS_INVALID_PARAMETER);
550 }
551
552 p = in_cipher->data.data + needed;
553 needed += cipher_count * 2;
554
555 if (in_cipher->data.length < needed) {
556 return smbd_smb2_request_error(req,
557 NT_STATUS_INVALID_PARAMETER);
558 }
559
560 for (i=0; i < cipher_count; i++) {
561 uint16_t si;
562 uint16_t v;
563
564 v = SVAL(p, 0);
565 p += 2;
566
567 for (si = 0; si < srv_ciphers->num_algos; si++) {
568 if (srv_ciphers->algos[si] != v) {
569 continue;
570 }
571
572 /*
573 * The server ciphers are listed
574 * with the lowest idx being preferred.
575 */
576 if (si < srv_preferred_idx) {
577 srv_preferred_idx = si;
578 }
579 break;
580 }
581 }
582
583 if (srv_preferred_idx != UINT16_MAX) {
584 xconn->smb2.server.cipher =
585 srv_ciphers->algos[srv_preferred_idx];
586 }
587
588 SSVAL(buf, 0, 1); /* ChiperCount */
589 SSVAL(buf, 2, xconn->smb2.server.cipher);
590
591 status = smb2_negotiate_context_add(
592 req,
593 &out_c,
594 SMB2_ENCRYPTION_CAPABILITIES,
595 buf,
596 sizeof(buf));
597 if (!NT_STATUS_IS_OK(status)) {
598 return smbd_smb2_request_error(req, status);
599 }
600 }
601
602 if (capabilities & SMB2_CAP_ENCRYPTION) {
603 xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
604 }
605
606 if (in_sign_algo != NULL) {
607 const struct smb3_signing_capabilities *srv_sign_algos =
608 &default_smb3_capabilities.signing;
609 uint16_t srv_preferred_idx = UINT16_MAX;
610 size_t needed = 2;
611 uint16_t sign_algo_count;
612 const uint8_t *p;
613 size_t i;
614
615 if (in_sign_algo->data.length < needed) {
616 return smbd_smb2_request_error(req,
617 NT_STATUS_INVALID_PARAMETER);
618 }
619
620 sign_algo_count = SVAL(in_sign_algo->data.data, 0);
621 if (sign_algo_count == 0) {
622 return smbd_smb2_request_error(req,
623 NT_STATUS_INVALID_PARAMETER);
624 }
625
626 p = in_sign_algo->data.data + needed;
627 needed += sign_algo_count * 2;
628
629 if (in_sign_algo->data.length < needed) {
630 return smbd_smb2_request_error(req,
631 NT_STATUS_INVALID_PARAMETER);
632 }
633
634 for (i=0; i < sign_algo_count; i++) {
635 uint16_t si;
636 uint16_t v;
637
638 v = SVAL(p, 0);
639 p += 2;
640
641 for (si = 0; si < srv_sign_algos->num_algos; si++) {
642 if (srv_sign_algos->algos[si] != v) {
643 continue;
644 }
645
646 /*
647 * The server sign_algos are listed
648 * with the lowest idx being preferred.
649 */
650 if (si < srv_preferred_idx) {
651 srv_preferred_idx = si;
652 }
653 break;
654 }
655 }
656
657 /*
658 * If we found a match announce it
659 * otherwise we'll keep the default
660 * of SMB2_SIGNING_AES128_CMAC
661 */
662 if (srv_preferred_idx != UINT16_MAX) {
663 uint8_t buf[4];
664
665 xconn->smb2.server.sign_algo =
666 srv_sign_algos->algos[srv_preferred_idx];
667
668 SSVAL(buf, 0, 1); /* SigningAlgorithmCount */
669 SSVAL(buf, 2, xconn->smb2.server.sign_algo);
670
671 status = smb2_negotiate_context_add(
672 req,
673 &out_c,
674 SMB2_SIGNING_CAPABILITIES,
675 buf,
676 sizeof(buf));
677 if (!NT_STATUS_IS_OK(status)) {
678 return smbd_smb2_request_error(req, status);
679 }
680 }
681 }
682
683 status = smb311_capabilities_check(&default_smb3_capabilities,
684 "smb2srv_negprot",
685 DBGLVL_NOTICE,
686 NT_STATUS_INVALID_PARAMETER,
687 "server",
688 protocol,
689 xconn->smb2.server.sign_algo,
690 xconn->smb2.server.cipher);
691 if (!NT_STATUS_IS_OK(status)) {
692 return smbd_smb2_request_error(req, status);
693 }
694
695 if (protocol >= PROTOCOL_SMB3_00 &&
696 xconn->client->server_multi_channel_enabled)
697 {
698 if (in_capabilities & SMB2_CAP_MULTI_CHANNEL) {
699 capabilities |= SMB2_CAP_MULTI_CHANNEL;
700 }
701 }
702
703 security_offset = SMB2_HDR_BODY + 0x40;
704
705 #if 1
706 /* Try SPNEGO auth... */
707 security_buffer = data_blob_const(negprot_spnego_blob.data + 16,
708 negprot_spnego_blob.length - 16);
709 #else
710 /* for now we want raw NTLMSSP */
711 security_buffer = data_blob_const(NULL, 0);
712 #endif
713
714 if (posix) {
715 /* Client correctly negotiated SMB2 unix extensions. */
716 const uint8_t *buf = (const uint8_t *)SMB2_CREATE_TAG_POSIX;
717 status = smb2_negotiate_context_add(
718 req,
719 &out_c,
720 SMB2_POSIX_EXTENSIONS_AVAILABLE,
721 buf,
722 16);
723 if (!NT_STATUS_IS_OK(status)) {
724 return smbd_smb2_request_error(req, status);
725 }
726 xconn->smb2.server.posix_extensions_negotiated = true;
727 }
728
729 if (out_c.num_contexts != 0) {
730 status = smb2_negotiate_context_push(req,
731 &out_negotiate_context_blob,
732 out_c);
733 if (!NT_STATUS_IS_OK(status)) {
734 return smbd_smb2_request_error(req, status);
735 }
736 }
737
738 if (out_negotiate_context_blob.length != 0) {
739 static const uint8_t zeros[8];
740 size_t pad = 0;
741 size_t ofs;
742
743 outdyn = data_blob_dup_talloc(req, security_buffer);
744 if (outdyn.length != security_buffer.length) {
745 return smbd_smb2_request_error(req,
746 NT_STATUS_NO_MEMORY);
747 }
748
749 ofs = security_offset + security_buffer.length;
750 if ((ofs % 8) != 0) {
751 pad = 8 - (ofs % 8);
752 }
753 ofs += pad;
754
755 ok = data_blob_append(req, &outdyn, zeros, pad);
756 if (!ok) {
757 return smbd_smb2_request_error(req,
758 NT_STATUS_NO_MEMORY);
759 }
760
761 ok = data_blob_append(req, &outdyn,
762 out_negotiate_context_blob.data,
763 out_negotiate_context_blob.length);
764 if (!ok) {
765 return smbd_smb2_request_error(req,
766 NT_STATUS_NO_MEMORY);
767 }
768
769 out_negotiate_context_offset = ofs;
770 out_negotiate_context_count = out_c.num_contexts;
771 } else {
772 outdyn = security_buffer;
773 }
774
775 out_guid_blob = data_blob_const(negprot_spnego_blob.data, 16);
776 status = GUID_from_ndr_blob(&out_guid_blob, &out_guid);
777 if (!NT_STATUS_IS_OK(status)) {
778 return smbd_smb2_request_error(req, status);
779 }
780
781 outbody = smbd_smb2_generate_outbody(req, 0x40);
782 if (outbody.data == NULL) {
783 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
784 }
785
786 SSVAL(outbody.data, 0x00, 0x40 + 1); /* struct size */
787 SSVAL(outbody.data, 0x02,
788 security_mode); /* security mode */
789 SSVAL(outbody.data, 0x04, dialect); /* dialect revision */
790 SSVAL(outbody.data, 0x06,
791 out_negotiate_context_count); /* reserved/NegotiateContextCount */
792 memcpy(outbody.data + 0x08,
793 out_guid_blob.data, 16); /* server guid */
794 SIVAL(outbody.data, 0x18,
795 capabilities); /* capabilities */
796 SIVAL(outbody.data, 0x1C, max_trans); /* max transact size */
797 SIVAL(outbody.data, 0x20, max_read); /* max read size */
798 SIVAL(outbody.data, 0x24, max_write); /* max write size */
799 SBVAL(outbody.data, 0x28, now); /* system time */
800 SBVAL(outbody.data, 0x30, 0); /* server start time */
801 SSVAL(outbody.data, 0x38,
802 security_offset); /* security buffer offset */
803 SSVAL(outbody.data, 0x3A,
804 security_buffer.length); /* security buffer length */
805 SIVAL(outbody.data, 0x3C,
806 out_negotiate_context_offset); /* reserved/NegotiateContextOffset */
807
808 if (dialect == SMB2_DIALECT_REVISION_2FF) {
809 return smbd_smb2_request_done(req, outbody, &outdyn);
810 }
811
812 status = smbXsrv_connection_init_tables(xconn, protocol);
813 if (!NT_STATUS_IS_OK(status)) {
814 return smbd_smb2_request_error(req, status);
815 }
816
817 xconn->smb2.client.capabilities = in_capabilities;
818 xconn->smb2.client.security_mode = in_security_mode;
819 xconn->smb2.client.guid = in_guid;
820 xconn->smb2.client.num_dialects = dialect_count;
821 xconn->smb2.client.dialects = talloc_array(xconn,
822 uint16_t,
823 dialect_count);
824 if (xconn->smb2.client.dialects == NULL) {
825 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
826 }
827 for (c=0; c < dialect_count; c++) {
828 xconn->smb2.client.dialects[c] = SVAL(indyn, c*2);
829 }
830
831 xconn->smb2.server.capabilities = capabilities;
832 xconn->smb2.server.security_mode = security_mode;
833 xconn->smb2.server.guid = out_guid;
834 xconn->smb2.server.dialect = dialect;
835 xconn->smb2.server.max_trans = max_trans;
836 xconn->smb2.server.max_read = max_read;
837 xconn->smb2.server.max_write = max_write;
838
839 if (xconn->protocol < PROTOCOL_SMB2_10) {
840 /*
841 * SMB2_02 doesn't support client guids
842 */
843 return smbd_smb2_request_done(req, outbody, &outdyn);
844 }
845
846 if (!xconn->client->server_multi_channel_enabled) {
847 /*
848 * Only deal with the client guid database
849 * if multi-channel is enabled.
850 *
851 * But we still need to setup
852 * xconn->client->global->client_guid to
853 * the correct value.
854 */
855 xconn->client->global->client_guid =
856 xconn->smb2.client.guid;
857 return smbd_smb2_request_done(req, outbody, &outdyn);
858 }
859
860 if (xconn->smb2.client.guid_verified) {
861 /*
862 * The connection was passed from another
863 * smbd process.
864 */
865 return smbd_smb2_request_done(req, outbody, &outdyn);
866 }
867
868 state = talloc_zero(req, struct smbd_smb2_request_process_negprot_state);
869 if (state == NULL) {
870 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
871 }
872 *state = (struct smbd_smb2_request_process_negprot_state) {
873 .req = req,
874 .outbody = outbody,
875 .outdyn = outdyn,
876 };
877
878 subreq = smb2srv_client_mc_negprot_send(state,
879 req->xconn->client->raw_ev_ctx,
880 req);
881 if (subreq == NULL) {
882 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
883 }
884 tevent_req_set_callback(subreq,
885 smbd_smb2_request_process_negprot_mc_done,
886 state);
887 return NT_STATUS_OK;
888 }
889
890 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq)
891 {
892 struct smbd_smb2_request_process_negprot_state *state =
893 tevent_req_callback_data(subreq,
894 struct smbd_smb2_request_process_negprot_state);
895 struct smbd_smb2_request *req = state->req;
896 struct smbXsrv_connection *xconn = req->xconn;
897 NTSTATUS status;
898
899 status = smb2srv_client_mc_negprot_recv(subreq);
900 TALLOC_FREE(subreq);
901 if (NT_STATUS_EQUAL(status, NT_STATUS_MESSAGE_RETRIEVED)) {
902 /*
903 * The connection was passed to another process
904 *
905 * We mark the error as NT_STATUS_CONNECTION_IN_USE,
906 * in order to indicate to low level code if
907 * ctdbd_unregister_ips() or ctdbd_passed_ips()
908 * is more useful.
909 */
910 smbXsrv_connection_disconnect_transport(xconn,
911 NT_STATUS_CONNECTION_IN_USE);
912 smbd_server_connection_terminate(xconn,
913 "passed connection");
914 /*
915 * smbd_server_connection_terminate() should not return!
916 */
917 smb_panic(__location__);
918 return;
919 }
920 if (!NT_STATUS_IS_OK(status)) {
921 status = smbd_smb2_request_error(req, status);
922 if (NT_STATUS_IS_OK(status)) {
923 return;
924 }
925
926 /*
927 * The connection was passed to another process
928 */
929 smbd_server_connection_terminate(xconn, nt_errstr(status));
930 /*
931 * smbd_server_connection_terminate() should not return!
932 */
933 smb_panic(__location__);
934 return;
935 }
936
937 /*
938 * We're the first connection...
939 */
940 status = smbd_smb2_request_done(req, state->outbody, &state->outdyn);
941 if (NT_STATUS_IS_OK(status)) {
942 /*
943 * This allows us to support starting smbd under
944 * callgrind and only start the overhead and
945 * instrumentation after the SMB2 negprot,
946 * this allows us to profile only useful
947 * stuff and not all the smbd startup, forking
948 * and multichannel handling.
949 *
950 * valgrind --tool=callgrind --instr-atstart=no smbd
951 */
952 #ifdef CALLGRIND_START_INSTRUMENTATION
953 CALLGRIND_START_INSTRUMENTATION;
954 #endif
955 return;
956 }
957
958 /*
959 * The connection was passed to another process
960 */
961 smbd_server_connection_terminate(xconn, nt_errstr(status));
962 /*
963 * smbd_server_connection_terminate() should not return!
964 */
965 smb_panic(__location__);
966 return;
967 }
968
969 /****************************************************************************
970 Generate the spnego negprot reply blob. Return the number of bytes used.
971 ****************************************************************************/
972
973 DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbXsrv_connection *xconn)
974 {
975 DATA_BLOB blob = data_blob_null;
976 DATA_BLOB blob_out = data_blob_null;
977 nstring dos_name;
978 fstring unix_name;
979 NTSTATUS status;
980 #ifdef DEVELOPER
981 size_t slen;
982 #endif
983 struct gensec_security *gensec_security;
984
985 /* See if we can get an SPNEGO blob */
986 status = auth_generic_prepare(talloc_tos(),
987 xconn->remote_address,
988 xconn->local_address,
989 "SMB",
990 &gensec_security);
991
992 /*
993 * Despite including it above, there is no need to set a
994 * remote address or similar as we are just interested in the
995 * SPNEGO blob, we never keep this context.
996 */
997
998 if (NT_STATUS_IS_OK(status)) {
999 status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
1000 if (NT_STATUS_IS_OK(status)) {
1001 status = gensec_update(gensec_security, ctx,
1002 data_blob_null, &blob);
1003 /* If we get the list of OIDs, the 'OK' answer
1004 * is NT_STATUS_MORE_PROCESSING_REQUIRED */
1005 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1006 DEBUG(0, ("Failed to start SPNEGO handler for negprot OID list!\n"));
1007 blob = data_blob_null;
1008 }
1009 }
1010 TALLOC_FREE(gensec_security);
1011 }
1012
1013 #if defined(WITH_SMB1SERVER)
1014 xconn->smb1.negprot.spnego = true;
1015 #endif
1016
1017 /* strangely enough, NT does not sent the single OID NTLMSSP when
1018 not a ADS member, it sends no OIDs at all
1019
1020 OLD COMMENT : "we can't do this until we teach our session setup parser to know
1021 about raw NTLMSSP (clients send no ASN.1 wrapping if we do this)"
1022
1023 Our sessionsetup code now handles raw NTLMSSP connects, so we can go
1024 back to doing what W2K3 does here. This is needed to make PocketPC 2003
1025 CIFS connections work with SPNEGO. See bugzilla bugs #1828 and #3133
1026 for details. JRA.
1027
1028 */
1029
1030 if (blob.length == 0 || blob.data == NULL) {
1031 return data_blob_null;
1032 }
1033
1034 blob_out = data_blob_talloc(ctx, NULL, 16 + blob.length);
1035 if (blob_out.data == NULL) {
1036 data_blob_free(&blob);
1037 return data_blob_null;
1038 }
1039
1040 memset(blob_out.data, '\0', 16);
1041
1042 checked_strlcpy(unix_name, lp_netbios_name(), sizeof(unix_name));
1043 (void)strlower_m(unix_name);
1044 push_ascii_nstring(dos_name, unix_name);
1045 strlcpy((char *)blob_out.data, dos_name, 17);
1046
1047 #ifdef DEVELOPER
1048 /* Fix valgrind 'uninitialized bytes' issue. */
1049 slen = strlen(dos_name);
1050 if (slen < 16) {
1051 memset(blob_out.data+slen, '\0', 16 - slen);
1052 }
1053 #endif
1054
1055 memcpy(&blob_out.data[16], blob.data, blob.length);
1056
1057 data_blob_free(&blob);
1058
1059 return blob_out;
1060 }
1061
1062 /*
1063 * MS-CIFS, 2.2.4.52.2 SMB_COM_NEGOTIATE Response:
1064 * If the server does not support any of the listed dialects, it MUST return a
1065 * DialectIndex of 0XFFFF
1066 */
1067 #define NO_PROTOCOL_CHOSEN 0xffff
1068
1069 #define PROT_SMB_2_002 0x1000
1070 #define PROT_SMB_2_FF 0x2000
1071
1072 /* List of supported SMB1 protocols, most desired first.
1073 * This is for enabling multi-protocol negotiation in SMB2 when SMB1
1074 * is disabled.
1075 */
1076 static const struct {
1077 const char *proto_name;
1078 const char *short_name;
1079 NTSTATUS (*proto_reply_fn)(struct smb_request *req, uint16_t choice);
1080 int protocol_level;
1081 } supported_protocols[] = {
1082 {"SMB 2.???", "SMB2_FF", reply_smb20ff, PROTOCOL_SMB2_10},
1083 {"SMB 2.002", "SMB2_02", reply_smb2002, PROTOCOL_SMB2_02},
1084 {NULL,NULL,NULL,0},
1085 };
1086
1087 /****************************************************************************
1088 Reply to a negprot.
1089 conn POINTER CAN BE NULL HERE !
1090 ****************************************************************************/
1091
1092 NTSTATUS smb2_multi_protocol_reply_negprot(struct smb_request *req)
1093 {
1094 size_t choice = 0;
1095 bool choice_set = false;
1096 int protocol;
1097 const char *p;
1098 int num_cliprotos;
1099 char **cliprotos;
1100 size_t i;
1101 size_t converted_size;
1102 struct smbXsrv_connection *xconn = req->xconn;
1103 struct smbd_server_connection *sconn = req->sconn;
1104 int max_proto;
1105 int min_proto;
1106 NTSTATUS status;
1107
1108 START_PROFILE(SMBnegprot);
1109
1110 if (req->buflen == 0) {
1111 DEBUG(0, ("negprot got no protocols\n"));
1112 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1113 END_PROFILE(SMBnegprot);
1114 return NT_STATUS_INVALID_PARAMETER;
1115 }
1116
1117 if (req->buf[req->buflen-1] != '\0') {
1118 DEBUG(0, ("negprot protocols not 0-terminated\n"));
1119 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1120 END_PROFILE(SMBnegprot);
1121 return NT_STATUS_INVALID_PARAMETER;
1122 }
1123
1124 p = (const char *)req->buf + 1;
1125
1126 num_cliprotos = 0;
1127 cliprotos = NULL;
1128
1129 while (smbreq_bufrem(req, p) > 0) {
1130
1131 char **tmp;
1132
1133 tmp = talloc_realloc(talloc_tos(), cliprotos, char *,
1134 num_cliprotos+1);
1135 if (tmp == NULL) {
1136 DEBUG(0, ("talloc failed\n"));
1137 TALLOC_FREE(cliprotos);
1138 reply_nterror(req, NT_STATUS_NO_MEMORY);
1139 END_PROFILE(SMBnegprot);
1140 return NT_STATUS_NO_MEMORY;
1141 }
1142
1143 cliprotos = tmp;
1144
1145 if (!pull_ascii_talloc(cliprotos, &cliprotos[num_cliprotos], p,
1146 &converted_size)) {
1147 DEBUG(0, ("pull_ascii_talloc failed\n"));
1148 TALLOC_FREE(cliprotos);
1149 reply_nterror(req, NT_STATUS_NO_MEMORY);
1150 END_PROFILE(SMBnegprot);
1151 return NT_STATUS_NO_MEMORY;
1152 }
1153
1154 DEBUG(3, ("Requested protocol [%s]\n",
1155 cliprotos[num_cliprotos]));
1156
1157 num_cliprotos += 1;
1158 p += strlen(p) + 2;
1159 }
1160
1161 /* possibly reload - change of architecture */
1162 reload_services(sconn, conn_snum_used, true);
1163
1164 /*
1165 * Anything higher than PROTOCOL_SMB2_10 still
1166 * needs to go via "SMB 2.???", which is marked
1167 * as PROTOCOL_SMB2_10.
1168 *
1169 * The real negotiation happens via reply_smb20ff()
1170 * using SMB2 Negotiation.
1171 */
1172 max_proto = lp_server_max_protocol();
1173 if (max_proto > PROTOCOL_SMB2_10) {
1174 max_proto = PROTOCOL_SMB2_10;
1175 }
1176 min_proto = lp_server_min_protocol();
1177 if (min_proto > PROTOCOL_SMB2_10) {
1178 min_proto = PROTOCOL_SMB2_10;
1179 }
1180
1181 /* Check for protocols, most desirable first */
1182 for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
1183 i = 0;
1184 if ((supported_protocols[protocol].protocol_level <= max_proto) &&
1185 (supported_protocols[protocol].protocol_level >= min_proto))
1186 while (i < num_cliprotos) {
1187 if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) {
1188 choice = i;
1189 choice_set = true;
1190 }
1191 i++;
1192 }
1193 if (choice_set) {
1194 break;
1195 }
1196 }
1197
1198 if (!choice_set) {
1199 bool ok;
1200
1201 DBG_NOTICE("No protocol supported !\n");
1202 reply_smb1_outbuf(req, 1, 0);
1203 SSVAL(req->outbuf, smb_vwv0, NO_PROTOCOL_CHOSEN);
1204
1205 ok = smb1_srv_send(xconn, (char *)req->outbuf, false, 0, false);
1206 if (!ok) {
1207 DBG_NOTICE("smb1_srv_send failed\n");
1208 }
1209 exit_server_cleanly("no protocol supported\n");
1210 }
1211
1212 set_remote_proto(supported_protocols[protocol].short_name);
1213 reload_services(sconn, conn_snum_used, true);
1214 status = supported_protocols[protocol].proto_reply_fn(req, choice);
1215 if (!NT_STATUS_IS_OK(status)) {
1216 exit_server_cleanly("negprot function failed\n");
1217 }
1218
1219 DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name));
1220
1221 DBG_INFO("negprot index=%zu\n", choice);
1222
1223 TALLOC_FREE(cliprotos);
1224
1225 END_PROFILE(SMBnegprot);
1226 return NT_STATUS_OK;
1227 }
Samba GIT mirror