source3/smbd/smb2_sesssetup.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Core SMB2 server
   4
   5    Copyright (C) Stefan Metzmacher 2009
   6    Copyright (C) Jeremy Allison 2010
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "smbd/smbd.h"
  24 #include "smbd/globals.h"
  25 #include "../libcli/smb/smb_common.h"
  26 #include "../libcli/auth/spnego.h"
  27 #include "../libcli/auth/ntlmssp.h"
  28 #include "../auth/gensec/gensec.h"
  29 #include "ntlmssp_wrap.h"
  30 #include "../librpc/gen_ndr/krb5pac.h"
  31 #include "libads/kerberos_proto.h"
  32 #include "../lib/util/asn1.h"
  33 #include "auth.h"
  34 #include "../lib/tsocket/tsocket.h"
  35 #include "../libcli/security/security.h"
  36
  37 static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
  38                                         uint64_t in_session_id,
  39                                         uint8_t in_security_mode,
  40                                         DATA_BLOB in_security_buffer,
  41                                         uint16_t *out_session_flags,
  42                                         DATA_BLOB *out_security_buffer,
  43                                         uint64_t *out_session_id);
  44
  45 NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *smb2req)
  46 {
  47         const uint8_t *inhdr;
  48         const uint8_t *inbody;
  49         int i = smb2req->current_idx;
  50         uint8_t *outhdr;
  51         DATA_BLOB outbody;
  52         DATA_BLOB outdyn;
  53         size_t expected_body_size = 0x19;
  54         size_t body_size;
  55         uint64_t in_session_id;
  56         uint8_t in_security_mode;
  57         uint16_t in_security_offset;
  58         uint16_t in_security_length;
  59         DATA_BLOB in_security_buffer;
  60         uint16_t out_session_flags;
  61         uint64_t out_session_id;
  62         uint16_t out_security_offset;
  63         DATA_BLOB out_security_buffer;
  64         NTSTATUS status;
  65
  66         inhdr = (const uint8_t *)smb2req->in.vector[i+0].iov_base;
  67
  68         if (smb2req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
  69                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  70         }
  71
  72         inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base;
  73
  74         body_size = SVAL(inbody, 0x00);
  75         if (body_size != expected_body_size) {
  76                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  77         }
  78
  79         in_security_offset = SVAL(inbody, 0x0C);
  80         in_security_length = SVAL(inbody, 0x0E);
  81
  82         if (in_security_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
  83                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  84         }
  85
  86         if (in_security_length > smb2req->in.vector[i+2].iov_len) {
  87                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  88         }
  89
  90         in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
  91         in_security_mode = CVAL(inbody, 0x03);
  92         in_security_buffer.data = (uint8_t *)smb2req->in.vector[i+2].iov_base;
  93         in_security_buffer.length = in_security_length;
  94
  95         status = smbd_smb2_session_setup(smb2req,
  96                                          in_session_id,
  97                                          in_security_mode,
  98                                          in_security_buffer,
  99                                          &out_session_flags,
 100                                          &out_security_buffer,
 101                                          &out_session_id);
 102         if (!NT_STATUS_IS_OK(status) &&
 103             !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 104                 status = nt_status_squash(status);
 105                 return smbd_smb2_request_error(smb2req, status);
 106         }
 107
 108         out_security_offset = SMB2_HDR_BODY + 0x08;
 109
 110         outhdr = (uint8_t *)smb2req->out.vector[i].iov_base;
 111
 112         outbody = data_blob_talloc(smb2req->out.vector, NULL, 0x08);
 113         if (outbody.data == NULL) {
 114                 return smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY);
 115         }
 116
 117         SBVAL(outhdr, SMB2_HDR_SESSION_ID, out_session_id);
 118
 119         SSVAL(outbody.data, 0x00, 0x08 + 1);    /* struct size */
 120         SSVAL(outbody.data, 0x02,
 121               out_session_flags);               /* session flags */
 122         SSVAL(outbody.data, 0x04,
 123               out_security_offset);             /* security buffer offset */
 124         SSVAL(outbody.data, 0x06,
 125               out_security_buffer.length);      /* security buffer length */
 126
 127         outdyn = out_security_buffer;
 128
 129         return smbd_smb2_request_done_ex(smb2req, status, outbody, &outdyn,
 130                                          __location__);
 131 }
 132
 133 static int smbd_smb2_session_destructor(struct smbd_smb2_session *session)
 134 {
 135         if (session->sconn == NULL) {
 136                 return 0;
 137         }
 138
 139         /* first free all tcons */
 140         while (session->tcons.list) {
 141                 talloc_free(session->tcons.list);
 142         }
 143
 144         idr_remove(session->sconn->smb2.sessions.idtree, session->vuid);
 145         DLIST_REMOVE(session->sconn->smb2.sessions.list, session);
 146         invalidate_vuid(session->sconn, session->vuid);
 147
 148         session->vuid = 0;
 149         session->status = NT_STATUS_USER_SESSION_DELETED;
 150         session->sconn = NULL;
 151
 152         return 0;
 153 }
 154
 155 #ifdef HAVE_KRB5
 156 static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 157                                         struct smbd_smb2_request *smb2req,
 158                                         uint8_t in_security_mode,
 159                                         const DATA_BLOB *secblob,
 160                                         const char *mechOID,
 161                                         uint16_t *out_session_flags,
 162                                         DATA_BLOB *out_security_buffer,
 163                                         uint64_t *out_session_id)
 164 {
 165         DATA_BLOB ap_rep = data_blob_null;
 166         DATA_BLOB ap_rep_wrapped = data_blob_null;
 167         DATA_BLOB ticket = data_blob_null;
 168         DATA_BLOB session_key = data_blob_null;
 169         DATA_BLOB secblob_out = data_blob_null;
 170         uint8 tok_id[2];
 171         struct PAC_LOGON_INFO *logon_info = NULL;
 172         char *principal = NULL;
 173         char *user = NULL;
 174         char *domain = NULL;
 175         struct passwd *pw = NULL;
 176         NTSTATUS status;
 177         char *real_username;
 178         bool username_was_mapped = false;
 179         bool map_domainuser_to_guest = false;
 180
 181         if (!spnego_parse_krb5_wrap(talloc_tos(), *secblob, &ticket, tok_id)) {
 182                 status = NT_STATUS_LOGON_FAILURE;
 183                 goto fail;
 184         }
 185
 186         status = ads_verify_ticket(smb2req, lp_realm(), 0, &ticket,
 187                                    &principal, &logon_info, &ap_rep,
 188                                    &session_key, true);
 189
 190         if (!NT_STATUS_IS_OK(status)) {
 191                 DEBUG(1,("smb2: Failed to verify incoming ticket with error %s!\n",
 192                         nt_errstr(status)));
 193                 if (!NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
 194                         status = NT_STATUS_LOGON_FAILURE;
 195                 }
 196                 goto fail;
 197         }
 198
 199         status = get_user_from_kerberos_info(talloc_tos(),
 200                                              session->sconn->remote_hostname,
 201                                              principal, logon_info,
 202                                              &username_was_mapped,
 203                                              &map_domainuser_to_guest,
 204                                              &user, &domain,
 205                                              &real_username, &pw);
 206         if (!NT_STATUS_IS_OK(status)) {
 207                 goto fail;
 208         }
 209
 210         /* save the PAC data if we have it */
 211         if (logon_info) {
 212                 netsamlogon_cache_store(user, &logon_info->info3);
 213         }
 214
 215         /* setup the string used by %U */
 216         sub_set_smb_name(real_username);
 217
 218         /* reload services so that the new %U is taken into account */
 219         reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true);
 220
 221         status = make_session_info_krb5(session,
 222                                         user, domain, real_username, pw,
 223                                         logon_info, map_domainuser_to_guest,
 224                                         username_was_mapped,
 225                                         &session_key,
 226                                         &session->session_info);
 227         if (!NT_STATUS_IS_OK(status)) {
 228                 DEBUG(1, ("smb2: make_server_info_krb5 failed\n"));
 229                 goto fail;
 230         }
 231
 232         if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
 233              lp_server_signing() == Required) {
 234                 session->do_signing = true;
 235         }
 236
 237         if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
 238                 /* we map anonymous to guest internally */
 239                 *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
 240                 *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
 241                 /* force no signing */
 242                 session->do_signing = false;
 243         }
 244
 245         session->session_key = session->session_info->session_key;
 246
 247         session->compat_vuser = talloc_zero(session, user_struct);
 248         if (session->compat_vuser == NULL) {
 249                 status = NT_STATUS_NO_MEMORY;
 250                 goto fail;
 251         }
 252         session->compat_vuser->auth_ntlmssp_state = NULL;
 253         session->compat_vuser->homes_snum = -1;
 254         session->compat_vuser->session_info = session->session_info;
 255         session->compat_vuser->session_keystr = NULL;
 256         session->compat_vuser->vuid = session->vuid;
 257         DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
 258
 259         if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
 260                 session->compat_vuser->homes_snum =
 261                         register_homes_share(session->session_info->unix_info->unix_name);
 262         }
 263
 264         if (!session_claim(session->sconn, session->compat_vuser)) {
 265                 DEBUG(1, ("smb2: Failed to claim session "
 266                         "for vuid=%d\n",
 267                         session->compat_vuser->vuid));
 268                 goto fail;
 269         }
 270
 271         session->status = NT_STATUS_OK;
 272
 273         /*
 274          * we attach the session to the request
 275          * so that the response can be signed
 276          */
 277         smb2req->session = session;
 278         if (session->do_signing) {
 279                 smb2req->do_signing = true;
 280         }
 281
 282         global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
 283         status = NT_STATUS_OK;
 284
 285         /* wrap that up in a nice GSS-API wrapping */
 286         ap_rep_wrapped = spnego_gen_krb5_wrap(talloc_tos(), ap_rep,
 287                                 TOK_ID_KRB_AP_REP);
 288
 289         secblob_out = spnego_gen_auth_response(
 290                                         talloc_tos(),
 291                                         &ap_rep_wrapped,
 292                                         status,
 293                                         mechOID);
 294
 295         *out_security_buffer = data_blob_talloc(smb2req,
 296                                                 secblob_out.data,
 297                                                 secblob_out.length);
 298         if (secblob_out.data && out_security_buffer->data == NULL) {
 299                 status = NT_STATUS_NO_MEMORY;
 300                 goto fail;
 301         }
 302
 303         data_blob_free(&ap_rep);
 304         data_blob_free(&ap_rep_wrapped);
 305         data_blob_free(&ticket);
 306         data_blob_free(&session_key);
 307         data_blob_free(&secblob_out);
 308
 309         *out_session_id = session->vuid;
 310
 311         return NT_STATUS_OK;
 312
 313   fail:
 314
 315         data_blob_free(&ap_rep);
 316         data_blob_free(&ap_rep_wrapped);
 317         data_blob_free(&ticket);
 318         data_blob_free(&session_key);
 319         data_blob_free(&secblob_out);
 320
 321         ap_rep_wrapped = data_blob_null;
 322         secblob_out = spnego_gen_auth_response(
 323                                         talloc_tos(),
 324                                         &ap_rep_wrapped,
 325                                         status,
 326                                         mechOID);
 327
 328         *out_security_buffer = data_blob_talloc(smb2req,
 329                                                 secblob_out.data,
 330                                                 secblob_out.length);
 331         data_blob_free(&secblob_out);
 332         return status;
 333 }
 334 #endif
 335
 336 static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 337                                         struct smbd_smb2_request *smb2req,
 338                                         uint8_t in_security_mode,
 339                                         DATA_BLOB in_security_buffer,
 340                                         uint16_t *out_session_flags,
 341                                         DATA_BLOB *out_security_buffer,
 342                                         uint64_t *out_session_id)
 343 {
 344         DATA_BLOB secblob_in = data_blob_null;
 345         DATA_BLOB chal_out = data_blob_null;
 346         char *kerb_mech = NULL;
 347         NTSTATUS status;
 348
 349         /* Ensure we have no old NTLM state around. */
 350         TALLOC_FREE(session->auth_ntlmssp_state);
 351
 352         status = parse_spnego_mechanisms(talloc_tos(), in_security_buffer,
 353                         &secblob_in, &kerb_mech);
 354         if (!NT_STATUS_IS_OK(status)) {
 355                 goto out;
 356         }
 357
 358 #ifdef HAVE_KRB5
 359         if (kerb_mech && ((lp_security()==SEC_ADS) ||
 360                                 USE_KERBEROS_KEYTAB) ) {
 361                 status = smbd_smb2_session_setup_krb5(session,
 362                                 smb2req,
 363                                 in_security_mode,
 364                                 &secblob_in,
 365                                 kerb_mech,
 366                                 out_session_flags,
 367                                 out_security_buffer,
 368                                 out_session_id);
 369
 370                 goto out;
 371         }
 372 #endif
 373
 374         if (kerb_mech) {
 375                 /* The mechtoken is a krb5 ticket, but
 376                  * we need to fall back to NTLM. */
 377
 378                 DEBUG(3,("smb2: Got krb5 ticket in SPNEGO "
 379                         "but set to downgrade to NTLMSSP\n"));
 380
 381                 status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 382         } else {
 383                 /* Fall back to NTLMSSP. */
 384                 status = auth_ntlmssp_prepare(session->sconn->remote_address,
 385                                             &session->auth_ntlmssp_state);
 386                 if (!NT_STATUS_IS_OK(status)) {
 387                         goto out;
 388                 }
 389
 390                 auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
 391
 392                 status = auth_ntlmssp_start(session->auth_ntlmssp_state);
 393                 if (!NT_STATUS_IS_OK(status)) {
 394                         goto out;
 395                 }
 396
 397                 status = auth_ntlmssp_update(session->auth_ntlmssp_state,
 398                                              talloc_tos(),
 399                                              secblob_in,
 400                                              &chal_out);
 401         }
 402
 403         if (!NT_STATUS_IS_OK(status) &&
 404                         !NT_STATUS_EQUAL(status,
 405                                 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 406                 goto out;
 407         }
 408
 409         *out_security_buffer = spnego_gen_auth_response(smb2req,
 410                                                 &chal_out,
 411                                                 status,
 412                                                 OID_NTLMSSP);
 413         if (out_security_buffer->data == NULL) {
 414                 status = NT_STATUS_NO_MEMORY;
 415                 goto out;
 416         }
 417         *out_session_id = session->vuid;
 418
 419   out:
 420
 421         data_blob_free(&secblob_in);
 422         data_blob_free(&chal_out);
 423         TALLOC_FREE(kerb_mech);
 424         if (!NT_STATUS_IS_OK(status) &&
 425                         !NT_STATUS_EQUAL(status,
 426                                 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 427                 TALLOC_FREE(session->auth_ntlmssp_state);
 428                 TALLOC_FREE(session);
 429         }
 430         return status;
 431 }
 432
 433 static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *session,
 434                                         struct smbd_smb2_request *smb2req,
 435                                         uint8_t in_security_mode,
 436                                         DATA_BLOB in_security_buffer,
 437                                         uint16_t *out_session_flags,
 438                                         uint64_t *out_session_id)
 439 {
 440         if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
 441             lp_server_signing() == Required) {
 442                 session->do_signing = true;
 443         }
 444
 445         if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
 446                 /* we map anonymous to guest internally */
 447                 *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
 448                 *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
 449                 /* force no signing */
 450                 session->do_signing = false;
 451         }
 452
 453         session->session_key = session->session_info->session_key;
 454
 455         session->compat_vuser = talloc_zero(session, user_struct);
 456         if (session->compat_vuser == NULL) {
 457                 TALLOC_FREE(session->auth_ntlmssp_state);
 458                 TALLOC_FREE(session);
 459                 return NT_STATUS_NO_MEMORY;
 460         }
 461         session->compat_vuser->auth_ntlmssp_state = session->auth_ntlmssp_state;
 462         session->compat_vuser->homes_snum = -1;
 463         session->compat_vuser->session_info = session->session_info;
 464         session->compat_vuser->session_keystr = NULL;
 465         session->compat_vuser->vuid = session->vuid;
 466         DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
 467
 468         if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
 469                 session->compat_vuser->homes_snum =
 470                         register_homes_share(session->session_info->unix_info->unix_name);
 471         }
 472
 473         if (!session_claim(session->sconn, session->compat_vuser)) {
 474                 DEBUG(1, ("smb2: Failed to claim session "
 475                         "for vuid=%d\n",
 476                         session->compat_vuser->vuid));
 477                 TALLOC_FREE(session->auth_ntlmssp_state);
 478                 TALLOC_FREE(session);
 479                 return NT_STATUS_LOGON_FAILURE;
 480         }
 481
 482
 483         session->status = NT_STATUS_OK;
 484
 485         /*
 486          * we attach the session to the request
 487          * so that the response can be signed
 488          */
 489         smb2req->session = session;
 490         if (session->do_signing) {
 491                 smb2req->do_signing = true;
 492         }
 493
 494         global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
 495
 496         *out_session_id = session->vuid;
 497
 498         return NT_STATUS_OK;
 499 }
 500
 501 static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 502                                         struct smbd_smb2_request *smb2req,
 503                                         uint8_t in_security_mode,
 504                                         DATA_BLOB in_security_buffer,
 505                                         uint16_t *out_session_flags,
 506                                         DATA_BLOB *out_security_buffer,
 507                                         uint64_t *out_session_id)
 508 {
 509         DATA_BLOB auth = data_blob_null;
 510         DATA_BLOB auth_out = data_blob_null;
 511         NTSTATUS status;
 512
 513         if (!spnego_parse_auth(talloc_tos(), in_security_buffer, &auth)) {
 514                 TALLOC_FREE(session);
 515                 return NT_STATUS_LOGON_FAILURE;
 516         }
 517
 518         if (auth.data[0] == ASN1_APPLICATION(0)) {
 519                 /* Might be a second negTokenTarg packet */
 520                 DATA_BLOB secblob_in = data_blob_null;
 521                 char *kerb_mech = NULL;
 522
 523                 status = parse_spnego_mechanisms(talloc_tos(),
 524                                 in_security_buffer,
 525                                 &secblob_in, &kerb_mech);
 526                 if (!NT_STATUS_IS_OK(status)) {
 527                         TALLOC_FREE(session);
 528                         return status;
 529                 }
 530
 531 #ifdef HAVE_KRB5
 532                 if (kerb_mech && ((lp_security()==SEC_ADS) ||
 533                                         USE_KERBEROS_KEYTAB) ) {
 534                         status = smbd_smb2_session_setup_krb5(session,
 535                                         smb2req,
 536                                         in_security_mode,
 537                                         &secblob_in,
 538                                         kerb_mech,
 539                                         out_session_flags,
 540                                         out_security_buffer,
 541                                         out_session_id);
 542
 543                         data_blob_free(&secblob_in);
 544                         TALLOC_FREE(kerb_mech);
 545                         if (!NT_STATUS_IS_OK(status)) {
 546                                 TALLOC_FREE(session);
 547                         }
 548                         return status;
 549                 }
 550 #endif
 551
 552                 /* Can't blunder into NTLMSSP auth if we have
 553                  * a krb5 ticket. */
 554
 555                 if (kerb_mech) {
 556                         DEBUG(3,("smb2: network "
 557                                 "misconfiguration, client sent us a "
 558                                 "krb5 ticket and kerberos security "
 559                                 "not enabled\n"));
 560                         TALLOC_FREE(session);
 561                         data_blob_free(&secblob_in);
 562                         TALLOC_FREE(kerb_mech);
 563                         return NT_STATUS_LOGON_FAILURE;
 564                 }
 565
 566                 data_blob_free(&secblob_in);
 567         }
 568
 569         if (session->auth_ntlmssp_state == NULL) {
 570                 status = auth_ntlmssp_prepare(session->sconn->remote_address,
 571                                             &session->auth_ntlmssp_state);
 572                 if (!NT_STATUS_IS_OK(status)) {
 573                         data_blob_free(&auth);
 574                         TALLOC_FREE(session);
 575                         return status;
 576                 }
 577
 578                 auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
 579
 580                 status = auth_ntlmssp_start(session->auth_ntlmssp_state);
 581                 if (!NT_STATUS_IS_OK(status)) {
 582                         data_blob_free(&auth);
 583                         TALLOC_FREE(session);
 584                         return status;
 585                 }
 586         }
 587
 588         status = auth_ntlmssp_update(session->auth_ntlmssp_state,
 589                                      talloc_tos(), auth,
 590                                      &auth_out);
 591         /* If status is NT_STATUS_OK then we need to get the token.
 592          * Map to guest is now internal to auth_ntlmssp */
 593         if (NT_STATUS_IS_OK(status)) {
 594                 status = auth_ntlmssp_session_info(session,
 595                                                    session->auth_ntlmssp_state,
 596                                                    &session->session_info);
 597         }
 598
 599         if (!NT_STATUS_IS_OK(status) &&
 600                         !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 601                 TALLOC_FREE(session->auth_ntlmssp_state);
 602                 data_blob_free(&auth);
 603                 TALLOC_FREE(session);
 604                 return status;
 605         }
 606
 607         data_blob_free(&auth);
 608
 609         *out_security_buffer = spnego_gen_auth_response(smb2req,
 610                                 &auth_out, status, NULL);
 611
 612         if (out_security_buffer->data == NULL) {
 613                 TALLOC_FREE(session->auth_ntlmssp_state);
 614                 TALLOC_FREE(session);
 615                 return NT_STATUS_NO_MEMORY;
 616         }
 617
 618         *out_session_id = session->vuid;
 619
 620         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 621                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 622         }
 623
 624         /* We're done - claim the session. */
 625         return smbd_smb2_common_ntlmssp_auth_return(session,
 626                                                 smb2req,
 627                                                 in_security_mode,
 628                                                 in_security_buffer,
 629                                                 out_session_flags,
 630                                                 out_session_id);
 631 }
 632
 633 static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
 634                                         struct smbd_smb2_request *smb2req,
 635                                         uint8_t in_security_mode,
 636                                         DATA_BLOB in_security_buffer,
 637                                         uint16_t *out_session_flags,
 638                                         DATA_BLOB *out_security_buffer,
 639                                         uint64_t *out_session_id)
 640 {
 641         NTSTATUS status;
 642
 643         if (session->auth_ntlmssp_state == NULL) {
 644                 status = auth_ntlmssp_prepare(session->sconn->remote_address,
 645                                             &session->auth_ntlmssp_state);
 646                 if (!NT_STATUS_IS_OK(status)) {
 647                         TALLOC_FREE(session);
 648                         return status;
 649                 }
 650
 651                 auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
 652
 653                 if (session->sconn->use_gensec_hook) {
 654                         status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
 655                 } else {
 656                         status = auth_ntlmssp_start(session->auth_ntlmssp_state);
 657                 }
 658                 if (!NT_STATUS_IS_OK(status)) {
 659                         TALLOC_FREE(session);
 660                         return status;
 661                 }
 662         }
 663
 664         /* RAW NTLMSSP */
 665         status = auth_ntlmssp_update(session->auth_ntlmssp_state,
 666                                      smb2req,
 667                                      in_security_buffer,
 668                                      out_security_buffer);
 669
 670         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 671                 *out_session_id = session->vuid;
 672                 return status;
 673         }
 674
 675         status = auth_ntlmssp_session_info(session,
 676                                            session->auth_ntlmssp_state,
 677                                            &session->session_info);
 678
 679         if (!NT_STATUS_IS_OK(status)) {
 680                 TALLOC_FREE(session->auth_ntlmssp_state);
 681                 TALLOC_FREE(session);
 682                 return status;
 683         }
 684         *out_session_id = session->vuid;
 685
 686         return smbd_smb2_common_ntlmssp_auth_return(session,
 687                                                 smb2req,
 688                                                 in_security_mode,
 689                                                 in_security_buffer,
 690                                                 out_session_flags,
 691                                                 out_session_id);
 692 }
 693
 694 static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
 695                                         uint64_t in_session_id,
 696                                         uint8_t in_security_mode,
 697                                         DATA_BLOB in_security_buffer,
 698                                         uint16_t *out_session_flags,
 699                                         DATA_BLOB *out_security_buffer,
 700                                         uint64_t *out_session_id)
 701 {
 702         struct smbd_smb2_session *session;
 703
 704         *out_session_flags = 0;
 705         *out_session_id = 0;
 706
 707         if (in_session_id == 0) {
 708                 int id;
 709
 710                 /* create a new session */
 711                 session = talloc_zero(smb2req->sconn, struct smbd_smb2_session);
 712                 if (session == NULL) {
 713                         return NT_STATUS_NO_MEMORY;
 714                 }
 715                 session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 716                 id = idr_get_new_random(smb2req->sconn->smb2.sessions.idtree,
 717                                         session,
 718                                         smb2req->sconn->smb2.sessions.limit);
 719                 if (id == -1) {
 720                         return NT_STATUS_INSUFFICIENT_RESOURCES;
 721                 }
 722                 session->vuid = id;
 723
 724                 session->tcons.idtree = idr_init(session);
 725                 if (session->tcons.idtree == NULL) {
 726                         return NT_STATUS_NO_MEMORY;
 727                 }
 728                 session->tcons.limit = 0x0000FFFE;
 729                 session->tcons.list = NULL;
 730
 731                 DLIST_ADD_END(smb2req->sconn->smb2.sessions.list, session,
 732                               struct smbd_smb2_session *);
 733                 session->sconn = smb2req->sconn;
 734                 talloc_set_destructor(session, smbd_smb2_session_destructor);
 735         } else {
 736                 void *p;
 737
 738                 /* lookup an existing session */
 739                 p = idr_find(smb2req->sconn->smb2.sessions.idtree, in_session_id);
 740                 if (p == NULL) {
 741                         return NT_STATUS_USER_SESSION_DELETED;
 742                 }
 743                 session = talloc_get_type_abort(p, struct smbd_smb2_session);
 744         }
 745
 746         if (NT_STATUS_IS_OK(session->status)) {
 747                 return NT_STATUS_REQUEST_NOT_ACCEPTED;
 748         }
 749
 750         /* Handle either raw NTLMSSP or hand off the whole blob to
 751          * GENSEC.  The processing at this layer is essentially
 752          * identical regardless.  In particular, both rely only on the
 753          * status code (not the contents of the packet) and do not
 754          * wrap the result */
 755         if (session->sconn->use_gensec_hook
 756             || ntlmssp_blob_matches_magic(&in_security_buffer)) {
 757                 return smbd_smb2_raw_ntlmssp_auth(session,
 758                                                 smb2req,
 759                                                 in_security_mode,
 760                                                 in_security_buffer,
 761                                                 out_session_flags,
 762                                                 out_security_buffer,
 763                                                 out_session_id);
 764         } else if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
 765                 return smbd_smb2_spnego_negotiate(session,
 766                                                 smb2req,
 767                                                 in_security_mode,
 768                                                 in_security_buffer,
 769                                                 out_session_flags,
 770                                                 out_security_buffer,
 771                                                 out_session_id);
 772         } else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
 773                 return smbd_smb2_spnego_auth(session,
 774                                                 smb2req,
 775                                                 in_security_mode,
 776                                                 in_security_buffer,
 777                                                 out_session_flags,
 778                                                 out_security_buffer,
 779                                                 out_session_id);
 780         }
 781
 782         /* Unknown packet type. */
 783         DEBUG(1,("Unknown packet type %u in smb2 sessionsetup\n",
 784                 (unsigned int)in_security_buffer.data[0] ));
 785         TALLOC_FREE(session->auth_ntlmssp_state);
 786         TALLOC_FREE(session);
 787         return NT_STATUS_LOGON_FAILURE;
 788 }
 789
 790 NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req)
 791 {
 792         const uint8_t *inbody;
 793         int i = req->current_idx;
 794         DATA_BLOB outbody;
 795         size_t expected_body_size = 0x04;
 796         size_t body_size;
 797
 798         if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
 799                 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 800         }
 801
 802         inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 803
 804         body_size = SVAL(inbody, 0x00);
 805         if (body_size != expected_body_size) {
 806                 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 807         }
 808
 809         /*
 810          * TODO: cancel all outstanding requests on the session
 811          *       and delete all tree connections.
 812          */
 813         smbd_smb2_session_destructor(req->session);
 814         /*
 815          * we may need to sign the response, so we need to keep
 816          * the session until the response is sent to the wire.
 817          */
 818         talloc_steal(req, req->session);
 819
 820         outbody = data_blob_talloc(req->out.vector, NULL, 0x04);
 821         if (outbody.data == NULL) {
 822                 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
 823         }
 824
 825         SSVAL(outbody.data, 0x00, 0x04);        /* struct size */
 826         SSVAL(outbody.data, 0x02, 0);           /* reserved */
 827
 828         return smbd_smb2_request_done(req, outbody, NULL);
 829 }