search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
nfs4acls: Use talloc_realloc()
[Samba.git] / source3 / smbd / smb2_negprot.c
blob3106ef38c7a99bf1d24c50bc5f90359dbf01e71f
1 /*
2 Unix SMB/CIFS implementation.
3 Core SMB2 server
4
5 Copyright (C) Stefan Metzmacher 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../libcli/smb/smb2_negotiate_context.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "../librpc/ndr/libndr.h"
28
29 extern fstring remote_proto;
30
31 /*
32 * this is the entry point if SMB2 is selected via
33 * the SMB negprot and the given dialect.
34 */
35 static void reply_smb20xx(struct smb_request *req, uint16_t dialect)
36 {
37 uint8_t *smb2_inpdu;
38 uint8_t *smb2_hdr;
39 uint8_t *smb2_body;
40 uint8_t *smb2_dyn;
41 size_t len = SMB2_HDR_BODY + 0x24 + 2;
42
43 smb2_inpdu = talloc_zero_array(talloc_tos(), uint8_t, len);
44 if (smb2_inpdu == NULL) {
45 DEBUG(0, ("Could not push spnego blob\n"));
46 reply_nterror(req, NT_STATUS_NO_MEMORY);
47 return;
48 }
49 smb2_hdr = smb2_inpdu;
50 smb2_body = smb2_hdr + SMB2_HDR_BODY;
51 smb2_dyn = smb2_body + 0x24;
52
53 SIVAL(smb2_hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
54 SIVAL(smb2_hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
55
56 SSVAL(smb2_body, 0x00, 0x0024); /* struct size */
57 SSVAL(smb2_body, 0x02, 0x0001); /* dialect count */
58
59 SSVAL(smb2_dyn, 0x00, dialect);
60
61 req->outbuf = NULL;
62
63 smbd_smb2_first_negprot(req->xconn, smb2_inpdu, len);
64 return;
65 }
66
67 /*
68 * this is the entry point if SMB2 is selected via
69 * the SMB negprot and the "SMB 2.002" dialect.
70 */
71 void reply_smb2002(struct smb_request *req, uint16_t choice)
72 {
73 reply_smb20xx(req, SMB2_DIALECT_REVISION_202);
74 }
75
76 /*
77 * this is the entry point if SMB2 is selected via
78 * the SMB negprot and the "SMB 2.???" dialect.
79 */
80 void reply_smb20ff(struct smb_request *req, uint16_t choice)
81 {
82 struct smbXsrv_connection *xconn = req->xconn;
83 xconn->smb2.allow_2ff = true;
84 reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF);
85 }
86
87 enum protocol_types smbd_smb2_protocol_dialect_match(const uint8_t *indyn,
88 const int dialect_count,
89 uint16_t *dialect)
90 {
91 struct {
92 enum protocol_types proto;
93 uint16_t dialect;
94 } pd[] = {
95 { PROTOCOL_SMB3_11, SMB3_DIALECT_REVISION_311 },
96 { PROTOCOL_SMB3_10, SMB3_DIALECT_REVISION_310 },
97 { PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302 },
98 { PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300 },
99 { PROTOCOL_SMB2_24, SMB2_DIALECT_REVISION_224 },
100 { PROTOCOL_SMB2_22, SMB2_DIALECT_REVISION_222 },
101 { PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210 },
102 { PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202 },
103 };
104 size_t i;
105
106 for (i = 0; i < ARRAY_SIZE(pd); i ++) {
107 size_t c = 0;
108
109 if (lp_server_max_protocol() < pd[i].proto) {
110 continue;
111 }
112 if (lp_server_min_protocol() > pd[i].proto) {
113 continue;
114 }
115
116 for (c = 0; c < dialect_count; c++) {
117 *dialect = SVAL(indyn, c*2);
118 if (*dialect == pd[i].dialect) {
119 return pd[i].proto;
120 }
121 }
122 }
123
124 return PROTOCOL_NONE;
125 }
126
127 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
128 {
129 struct smbXsrv_connection *xconn = req->xconn;
130 NTSTATUS status;
131 const uint8_t *inbody;
132 const uint8_t *indyn = NULL;
133 DATA_BLOB outbody;
134 DATA_BLOB outdyn;
135 DATA_BLOB negprot_spnego_blob;
136 uint16_t security_offset;
137 DATA_BLOB security_buffer;
138 size_t expected_dyn_size = 0;
139 size_t c;
140 uint16_t security_mode;
141 uint16_t dialect_count;
142 uint16_t in_security_mode;
143 uint32_t in_capabilities;
144 DATA_BLOB in_guid_blob;
145 struct GUID in_guid;
146 struct smb2_negotiate_contexts in_c = { .num_contexts = 0, };
147 struct smb2_negotiate_context *in_preauth = NULL;
148 struct smb2_negotiate_context *in_cipher = NULL;
149 struct smb2_negotiate_contexts out_c = { .num_contexts = 0, };
150 DATA_BLOB out_negotiate_context_blob = data_blob_null;
151 uint32_t out_negotiate_context_offset = 0;
152 uint16_t out_negotiate_context_count = 0;
153 uint16_t dialect = 0;
154 uint32_t capabilities;
155 DATA_BLOB out_guid_blob;
156 struct GUID out_guid;
157 enum protocol_types protocol = PROTOCOL_NONE;
158 uint32_t max_limit;
159 uint32_t max_trans = lp_smb2_max_trans();
160 uint32_t max_read = lp_smb2_max_read();
161 uint32_t max_write = lp_smb2_max_write();
162 NTTIME now = timeval_to_nttime(&req->request_time);
163
164 status = smbd_smb2_request_verify_sizes(req, 0x24);
165 if (!NT_STATUS_IS_OK(status)) {
166 return smbd_smb2_request_error(req, status);
167 }
168 inbody = SMBD_SMB2_IN_BODY_PTR(req);
169
170 dialect_count = SVAL(inbody, 0x02);
171
172 in_security_mode = SVAL(inbody, 0x04);
173 in_capabilities = IVAL(inbody, 0x08);
174 in_guid_blob = data_blob_const(inbody + 0x0C, 16);
175
176 if (dialect_count == 0) {
177 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
178 }
179
180 status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
181 if (!NT_STATUS_IS_OK(status)) {
182 return smbd_smb2_request_error(req, status);
183 }
184
185 expected_dyn_size = dialect_count * 2;
186 if (SMBD_SMB2_IN_DYN_LEN(req) < expected_dyn_size) {
187 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
188 }
189 indyn = SMBD_SMB2_IN_DYN_PTR(req);
190
191 protocol = smbd_smb2_protocol_dialect_match(indyn,
192 dialect_count,
193 &dialect);
194
195 for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
196 if (lp_server_max_protocol() < PROTOCOL_SMB2_10) {
197 break;
198 }
199
200 dialect = SVAL(indyn, c*2);
201 if (dialect == SMB2_DIALECT_REVISION_2FF) {
202 if (xconn->smb2.allow_2ff) {
203 xconn->smb2.allow_2ff = false;
204 protocol = PROTOCOL_SMB2_10;
205 break;
206 }
207 }
208 }
209
210 if (protocol == PROTOCOL_NONE) {
211 return smbd_smb2_request_error(req, NT_STATUS_NOT_SUPPORTED);
212 }
213
214 if (protocol >= PROTOCOL_SMB3_10) {
215 uint32_t in_negotiate_context_offset = 0;
216 uint16_t in_negotiate_context_count = 0;
217 DATA_BLOB in_negotiate_context_blob = data_blob_null;
218 size_t ofs;
219
220 in_negotiate_context_offset = IVAL(inbody, 0x1C);
221 in_negotiate_context_count = SVAL(inbody, 0x20);
222
223 ofs = SMB2_HDR_BODY;
224 ofs += SMBD_SMB2_IN_BODY_LEN(req);
225 ofs += expected_dyn_size;
226 if ((ofs % 8) != 0) {
227 ofs += 8 - (ofs % 8);
228 }
229
230 if (in_negotiate_context_offset != ofs) {
231 return smbd_smb2_request_error(req,
232 NT_STATUS_INVALID_PARAMETER);
233 }
234
235 ofs -= SMB2_HDR_BODY;
236 ofs -= SMBD_SMB2_IN_BODY_LEN(req);
237
238 if (SMBD_SMB2_IN_DYN_LEN(req) < ofs) {
239 return smbd_smb2_request_error(req,
240 NT_STATUS_INVALID_PARAMETER);
241 }
242
243 in_negotiate_context_blob = data_blob_const(indyn,
244 SMBD_SMB2_IN_DYN_LEN(req));
245
246 in_negotiate_context_blob.data += ofs;
247 in_negotiate_context_blob.length -= ofs;
248
249 status = smb2_negotiate_context_parse(req,
250 in_negotiate_context_blob, &in_c);
251 if (!NT_STATUS_IS_OK(status)) {
252 return smbd_smb2_request_error(req, status);
253 }
254
255 if (in_negotiate_context_count != in_c.num_contexts) {
256 return smbd_smb2_request_error(req,
257 NT_STATUS_INVALID_PARAMETER);
258 }
259 }
260
261 if (get_remote_arch() != RA_SAMBA) {
262 set_remote_arch(RA_VISTA);
263 }
264
265 fstr_sprintf(remote_proto, "SMB%X_%02X",
266 (dialect >> 8) & 0xFF, dialect & 0xFF);
267
268 reload_services(req->sconn, conn_snum_used, true);
269 DEBUG(3,("Selected protocol %s\n", remote_proto));
270
271 in_preauth = smb2_negotiate_context_find(&in_c,
272 SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
273 if (protocol >= PROTOCOL_SMB3_10 && in_preauth == NULL) {
274 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
275 }
276 in_cipher = smb2_negotiate_context_find(&in_c,
277 SMB2_ENCRYPTION_CAPABILITIES);
278
279 /* negprot_spnego() returns a the server guid in the first 16 bytes */
280 negprot_spnego_blob = negprot_spnego(req, xconn);
281 if (negprot_spnego_blob.data == NULL) {
282 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
283 }
284
285 if (negprot_spnego_blob.length < 16) {
286 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
287 }
288
289 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
290 if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
291 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
292 }
293
294 capabilities = 0;
295 if (lp_host_msdfs()) {
296 capabilities |= SMB2_CAP_DFS;
297 }
298
299 if (protocol >= PROTOCOL_SMB2_10 &&
300 lp_smb2_leases() &&
301 lp_oplocks(GLOBAL_SECTION_SNUM) &&
302 !lp_kernel_oplocks(GLOBAL_SECTION_SNUM))
303 {
304 capabilities |= SMB2_CAP_LEASING;
305 }
306
307 if ((protocol >= PROTOCOL_SMB2_24) &&
308 (lp_smb_encrypt(-1) != SMB_SIGNING_OFF) &&
309 (in_capabilities & SMB2_CAP_ENCRYPTION)) {
310 capabilities |= SMB2_CAP_ENCRYPTION;
311 }
312
313 /*
314 * 0x10000 (65536) is the maximum allowed message size
315 * for SMB 2.0
316 */
317 max_limit = 0x10000;
318
319 if (protocol >= PROTOCOL_SMB2_10) {
320 int p = 0;
321
322 if (tsocket_address_is_inet(req->sconn->local_address, "ip")) {
323 p = tsocket_address_inet_port(req->sconn->local_address);
324 }
325
326 /* largeMTU is not supported over NBT (tcp port 139) */
327 if (p != NBT_SMB_PORT) {
328 capabilities |= SMB2_CAP_LARGE_MTU;
329 xconn->smb2.credits.multicredit = true;
330
331 /*
332 * We allow up to almost 16MB.
333 *
334 * The maximum PDU size is 0xFFFFFF (16776960)
335 * and we need some space for the header.
336 */
337 max_limit = 0xFFFF00;
338 }
339 }
340
341 /*
342 * the defaults are 8MB, but we'll limit this to max_limit based on
343 * the dialect (64kb for SMB 2.0, 8MB for SMB >= 2.1 with LargeMTU)
344 *
345 * user configured values exceeding the limits will be overwritten,
346 * only smaller values will be accepted
347 */
348
349 max_trans = MIN(max_limit, lp_smb2_max_trans());
350 max_read = MIN(max_limit, lp_smb2_max_read());
351 max_write = MIN(max_limit, lp_smb2_max_write());
352
353 if (in_preauth != NULL) {
354 size_t needed = 4;
355 uint16_t hash_count;
356 uint16_t salt_length;
357 uint16_t selected_preauth = 0;
358 const uint8_t *p;
359 uint8_t buf[38];
360 DATA_BLOB b;
361 size_t i;
362
363 if (in_preauth->data.length < needed) {
364 return smbd_smb2_request_error(req,
365 NT_STATUS_INVALID_PARAMETER);
366 }
367
368 hash_count = SVAL(in_preauth->data.data, 0);
369 salt_length = SVAL(in_preauth->data.data, 2);
370
371 if (hash_count == 0) {
372 return smbd_smb2_request_error(req,
373 NT_STATUS_INVALID_PARAMETER);
374 }
375
376 p = in_preauth->data.data + needed;
377 needed += hash_count * 2;
378 needed += salt_length;
379
380 if (in_preauth->data.length < needed) {
381 return smbd_smb2_request_error(req,
382 NT_STATUS_INVALID_PARAMETER);
383 }
384
385 for (i=0; i < hash_count; i++) {
386 uint16_t v;
387
388 v = SVAL(p, 0);
389 p += 2;
390
391 if (v == SMB2_PREAUTH_INTEGRITY_SHA512) {
392 selected_preauth = v;
393 break;
394 }
395 }
396
397 if (selected_preauth == 0) {
398 return smbd_smb2_request_error(req,
399 NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP);
400 }
401
402 SSVAL(buf, 0, 1); /* HashAlgorithmCount */
403 SSVAL(buf, 2, 32); /* SaltLength */
404 SSVAL(buf, 4, selected_preauth);
405 generate_random_buffer(buf + 6, 32);
406
407 b = data_blob_const(buf, sizeof(buf));
408 status = smb2_negotiate_context_add(req, &out_c,
409 SMB2_PREAUTH_INTEGRITY_CAPABILITIES, b);
410 if (!NT_STATUS_IS_OK(status)) {
411 return smbd_smb2_request_error(req, status);
412 }
413
414 req->preauth = &req->xconn->smb2.preauth;
415 }
416
417 if (in_cipher != NULL) {
418 size_t needed = 2;
419 uint16_t cipher_count;
420 const uint8_t *p;
421 uint8_t buf[4];
422 DATA_BLOB b;
423 size_t i;
424
425 capabilities &= ~SMB2_CAP_ENCRYPTION;
426
427 if (in_cipher->data.length < needed) {
428 return smbd_smb2_request_error(req,
429 NT_STATUS_INVALID_PARAMETER);
430 }
431
432 cipher_count = SVAL(in_cipher->data.data, 0);
433
434 if (cipher_count == 0) {
435 return smbd_smb2_request_error(req,
436 NT_STATUS_INVALID_PARAMETER);
437 }
438
439 p = in_cipher->data.data + needed;
440 needed += cipher_count * 2;
441
442 if (in_cipher->data.length < needed) {
443 return smbd_smb2_request_error(req,
444 NT_STATUS_INVALID_PARAMETER);
445 }
446
447 for (i=0; i < cipher_count; i++) {
448 uint16_t v;
449
450 v = SVAL(p, 0);
451 p += 2;
452
453 if (v == SMB2_ENCRYPTION_AES128_GCM) {
454 xconn->smb2.server.cipher = v;
455 break;
456 }
457 if (v == SMB2_ENCRYPTION_AES128_CCM) {
458 xconn->smb2.server.cipher = v;
459 break;
460 }
461 }
462
463 SSVAL(buf, 0, 1); /* ChiperCount */
464 SSVAL(buf, 2, xconn->smb2.server.cipher);
465
466 b = data_blob_const(buf, sizeof(buf));
467 status = smb2_negotiate_context_add(req, &out_c,
468 SMB2_ENCRYPTION_CAPABILITIES, b);
469 if (!NT_STATUS_IS_OK(status)) {
470 return smbd_smb2_request_error(req, status);
471 }
472 }
473
474 if (capabilities & SMB2_CAP_ENCRYPTION) {
475 xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
476 }
477
478 security_offset = SMB2_HDR_BODY + 0x40;
479
480 #if 1
481 /* Try SPNEGO auth... */
482 security_buffer = data_blob_const(negprot_spnego_blob.data + 16,
483 negprot_spnego_blob.length - 16);
484 #else
485 /* for now we want raw NTLMSSP */
486 security_buffer = data_blob_const(NULL, 0);
487 #endif
488
489 if (out_c.num_contexts != 0) {
490 status = smb2_negotiate_context_push(req,
491 &out_negotiate_context_blob,
492 out_c);
493 if (!NT_STATUS_IS_OK(status)) {
494 return smbd_smb2_request_error(req, status);
495 }
496 }
497
498 if (out_negotiate_context_blob.length != 0) {
499 static const uint8_t zeros[8];
500 size_t pad = 0;
501 size_t ofs;
502 bool ok;
503
504 outdyn = data_blob_dup_talloc(req, security_buffer);
505 if (outdyn.length != security_buffer.length) {
506 return smbd_smb2_request_error(req,
507 NT_STATUS_NO_MEMORY);
508 }
509
510 ofs = security_offset + security_buffer.length;
511 if ((ofs % 8) != 0) {
512 pad = 8 - (ofs % 8);
513 }
514 ofs += pad;
515
516 ok = data_blob_append(req, &outdyn, zeros, pad);
517 if (!ok) {
518 return smbd_smb2_request_error(req,
519 NT_STATUS_NO_MEMORY);
520 }
521
522 ok = data_blob_append(req, &outdyn,
523 out_negotiate_context_blob.data,
524 out_negotiate_context_blob.length);
525 if (!ok) {
526 return smbd_smb2_request_error(req,
527 NT_STATUS_NO_MEMORY);
528 }
529
530 out_negotiate_context_offset = ofs;
531 out_negotiate_context_count = out_c.num_contexts;
532 } else {
533 outdyn = security_buffer;
534 }
535
536 out_guid_blob = data_blob_const(negprot_spnego_blob.data, 16);
537 status = GUID_from_ndr_blob(&out_guid_blob, &out_guid);
538 if (!NT_STATUS_IS_OK(status)) {
539 return smbd_smb2_request_error(req, status);
540 }
541
542 outbody = smbd_smb2_generate_outbody(req, 0x40);
543 if (outbody.data == NULL) {
544 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
545 }
546
547 SSVAL(outbody.data, 0x00, 0x40 + 1); /* struct size */
548 SSVAL(outbody.data, 0x02,
549 security_mode); /* security mode */
550 SSVAL(outbody.data, 0x04, dialect); /* dialect revision */
551 SSVAL(outbody.data, 0x06,
552 out_negotiate_context_count); /* reserved/NegotiateContextCount */
553 memcpy(outbody.data + 0x08,
554 out_guid_blob.data, 16); /* server guid */
555 SIVAL(outbody.data, 0x18,
556 capabilities); /* capabilities */
557 SIVAL(outbody.data, 0x1C, max_trans); /* max transact size */
558 SIVAL(outbody.data, 0x20, max_read); /* max read size */
559 SIVAL(outbody.data, 0x24, max_write); /* max write size */
560 SBVAL(outbody.data, 0x28, now); /* system time */
561 SBVAL(outbody.data, 0x30, 0); /* server start time */
562 SSVAL(outbody.data, 0x38,
563 security_offset); /* security buffer offset */
564 SSVAL(outbody.data, 0x3A,
565 security_buffer.length); /* security buffer length */
566 SIVAL(outbody.data, 0x3C,
567 out_negotiate_context_offset); /* reserved/NegotiateContextOffset */
568
569 req->sconn->using_smb2 = true;
570
571 if (dialect != SMB2_DIALECT_REVISION_2FF) {
572 status = smbXsrv_connection_init_tables(xconn, protocol);
573 if (!NT_STATUS_IS_OK(status)) {
574 return smbd_smb2_request_error(req, status);
575 }
576
577 xconn->smb2.client.capabilities = in_capabilities;
578 xconn->smb2.client.security_mode = in_security_mode;
579 xconn->smb2.client.guid = in_guid;
580 xconn->smb2.client.num_dialects = dialect_count;
581 xconn->smb2.client.dialects = talloc_array(xconn,
582 uint16_t,
583 dialect_count);
584 if (xconn->smb2.client.dialects == NULL) {
585 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
586 }
587 for (c=0; c < dialect_count; c++) {
588 xconn->smb2.client.dialects[c] = SVAL(indyn, c*2);
589 }
590
591 xconn->smb2.server.capabilities = capabilities;
592 xconn->smb2.server.security_mode = security_mode;
593 xconn->smb2.server.guid = out_guid;
594 xconn->smb2.server.dialect = dialect;
595 xconn->smb2.server.max_trans = max_trans;
596 xconn->smb2.server.max_read = max_read;
597 xconn->smb2.server.max_write = max_write;
598 }
599
600 return smbd_smb2_request_done(req, outbody, &outdyn);
601 }
Samba GIT mirror