search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
[Samba.git] / libcli / smb / smbXcli_base.c
blob6c35430c580f1455c1db79f1531191a253f56959
1 /*
2 Unix SMB/CIFS implementation.
3 Infrastructure for async SMB client requests
4 Copyright (C) Volker Lendecke 2008
5 Copyright (C) Stefan Metzmacher 2011
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "system/network.h"
23 #include "../lib/async_req/async_sock.h"
24 #include "../lib/util/tevent_ntstatus.h"
25 #include "../lib/util/tevent_unix.h"
26 #include "lib/util/util_net.h"
27 #include "lib/util/dlinklist.h"
28 #include "lib/util/iov_buf.h"
29 #include "../libcli/smb/smb_common.h"
30 #include "../libcli/smb/smb_seal.h"
31 #include "../libcli/smb/smb_signing.h"
32 #include "../libcli/smb/read_smb.h"
33 #include "smbXcli_base.h"
34 #include "librpc/ndr/libndr.h"
35 #include "libcli/smb/smb2_negotiate_context.h"
36 #include "lib/crypto/sha512.h"
37 #include "lib/crypto/aes.h"
38 #include "lib/crypto/aes_ccm_128.h"
39 #include "lib/crypto/aes_gcm_128.h"
40
41 struct smbXcli_conn;
42 struct smbXcli_req;
43 struct smbXcli_session;
44 struct smbXcli_tcon;
45
46 struct smbXcli_conn {
47 int sock_fd;
48 struct sockaddr_storage local_ss;
49 struct sockaddr_storage remote_ss;
50 const char *remote_name;
51
52 struct tevent_queue *outgoing;
53 struct tevent_req **pending;
54 struct tevent_req *read_smb_req;
55 struct tevent_req *suicide_req;
56
57 enum protocol_types min_protocol;
58 enum protocol_types max_protocol;
59 enum protocol_types protocol;
60 bool allow_signing;
61 bool desire_signing;
62 bool mandatory_signing;
63
64 /*
65 * The incoming dispatch function should return:
66 * - NT_STATUS_RETRY, if more incoming PDUs are expected.
67 * - NT_STATUS_OK, if no more processing is desired, e.g.
68 * the dispatch function called
69 * tevent_req_done().
70 * - All other return values disconnect the connection.
71 */
72 NTSTATUS (*dispatch_incoming)(struct smbXcli_conn *conn,
73 TALLOC_CTX *tmp_mem,
74 uint8_t *inbuf);
75
76 struct {
77 struct {
78 uint32_t capabilities;
79 uint32_t max_xmit;
80 } client;
81
82 struct {
83 uint32_t capabilities;
84 uint32_t max_xmit;
85 uint16_t max_mux;
86 uint16_t security_mode;
87 bool readbraw;
88 bool writebraw;
89 bool lockread;
90 bool writeunlock;
91 uint32_t session_key;
92 struct GUID guid;
93 DATA_BLOB gss_blob;
94 uint8_t challenge[8];
95 const char *workgroup;
96 const char *name;
97 int time_zone;
98 NTTIME system_time;
99 } server;
100
101 uint32_t capabilities;
102 uint32_t max_xmit;
103
104 uint16_t mid;
105
106 struct smb_signing_state *signing;
107 struct smb_trans_enc_state *trans_enc;
108
109 struct tevent_req *read_braw_req;
110 } smb1;
111
112 struct {
113 struct {
114 uint32_t capabilities;
115 uint16_t security_mode;
116 struct GUID guid;
117 } client;
118
119 struct {
120 uint32_t capabilities;
121 uint16_t security_mode;
122 struct GUID guid;
123 uint32_t max_trans_size;
124 uint32_t max_read_size;
125 uint32_t max_write_size;
126 NTTIME system_time;
127 NTTIME start_time;
128 DATA_BLOB gss_blob;
129 uint16_t cipher;
130 } server;
131
132 uint64_t mid;
133 uint16_t cur_credits;
134 uint16_t max_credits;
135
136 uint32_t cc_chunk_len;
137 uint32_t cc_max_chunks;
138
139 uint8_t io_priority;
140
141 uint8_t preauth_sha512[64];
142 } smb2;
143
144 struct smbXcli_session *sessions;
145 };
146
147 struct smb2cli_session {
148 uint64_t session_id;
149 uint16_t session_flags;
150 DATA_BLOB application_key;
151 DATA_BLOB signing_key;
152 bool should_sign;
153 bool should_encrypt;
154 DATA_BLOB encryption_key;
155 DATA_BLOB decryption_key;
156 uint64_t nonce_high_random;
157 uint64_t nonce_high_max;
158 uint64_t nonce_high;
159 uint64_t nonce_low;
160 uint16_t channel_sequence;
161 bool replay_active;
162 };
163
164 struct smbXcli_session {
165 struct smbXcli_session *prev, *next;
166 struct smbXcli_conn *conn;
167
168 struct {
169 uint16_t session_id;
170 DATA_BLOB application_key;
171 bool protected_key;
172 } smb1;
173
174 struct smb2cli_session *smb2;
175
176 struct {
177 DATA_BLOB signing_key;
178 uint8_t preauth_sha512[64];
179 } smb2_channel;
180
181 /*
182 * this should be a short term hack
183 * until the upper layers have implemented
184 * re-authentication.
185 */
186 bool disconnect_expired;
187 };
188
189 struct smbXcli_tcon {
190 bool is_smb1;
191 uint32_t fs_attributes;
192
193 struct {
194 uint16_t tcon_id;
195 uint16_t optional_support;
196 uint32_t maximal_access;
197 uint32_t guest_maximal_access;
198 char *service;
199 char *fs_type;
200 } smb1;
201
202 struct {
203 uint32_t tcon_id;
204 uint8_t type;
205 uint32_t flags;
206 uint32_t capabilities;
207 uint32_t maximal_access;
208 bool should_sign;
209 bool should_encrypt;
210 } smb2;
211 };
212
213 struct smbXcli_req_state {
214 struct tevent_context *ev;
215 struct smbXcli_conn *conn;
216 struct smbXcli_session *session; /* maybe NULL */
217 struct smbXcli_tcon *tcon; /* maybe NULL */
218
219 uint8_t length_hdr[4];
220
221 bool one_way;
222
223 uint8_t *inbuf;
224
225 struct tevent_req *write_req;
226
227 struct {
228 /* Space for the header including the wct */
229 uint8_t hdr[HDR_VWV];
230
231 /*
232 * For normal requests, smb1cli_req_send chooses a mid.
233 * SecondaryV trans requests need to use the mid of the primary
234 * request, so we need a place to store it.
235 * Assume it is set if != 0.
236 */
237 uint16_t mid;
238
239 uint16_t *vwv;
240 uint8_t bytecount_buf[2];
241
242 #define MAX_SMB_IOV 10
243 /* length_hdr, hdr, words, byte_count, buffers */
244 struct iovec iov[1 + 3 + MAX_SMB_IOV];
245 int iov_count;
246
247 bool one_way_seqnum;
248 uint32_t seqnum;
249 struct tevent_req **chained_requests;
250
251 uint8_t recv_cmd;
252 NTSTATUS recv_status;
253 /* always an array of 3 talloc elements */
254 struct iovec *recv_iov;
255 } smb1;
256
257 struct {
258 const uint8_t *fixed;
259 uint16_t fixed_len;
260 const uint8_t *dyn;
261 uint32_t dyn_len;
262
263 uint8_t transform[SMB2_TF_HDR_SIZE];
264 uint8_t hdr[SMB2_HDR_BODY];
265 uint8_t pad[7]; /* padding space for compounding */
266
267 /*
268 * always an array of 3 talloc elements
269 * (without a SMB2_TRANSFORM header!)
270 *
271 * HDR, BODY, DYN
272 */
273 struct iovec *recv_iov;
274
275 /*
276 * the expected max for the response dyn_len
277 */
278 uint32_t max_dyn_len;
279
280 uint16_t credit_charge;
281
282 bool should_sign;
283 bool should_encrypt;
284 uint64_t encryption_session_id;
285
286 bool signing_skipped;
287 bool notify_async;
288 bool got_async;
289 uint16_t cancel_flags;
290 uint64_t cancel_mid;
291 uint64_t cancel_aid;
292 } smb2;
293 };
294
295 static int smbXcli_conn_destructor(struct smbXcli_conn *conn)
296 {
297 /*
298 * NT_STATUS_OK, means we do not notify the callers
299 */
300 smbXcli_conn_disconnect(conn, NT_STATUS_OK);
301
302 while (conn->sessions) {
303 conn->sessions->conn = NULL;
304 DLIST_REMOVE(conn->sessions, conn->sessions);
305 }
306
307 if (conn->smb1.trans_enc) {
308 TALLOC_FREE(conn->smb1.trans_enc);
309 }
310
311 return 0;
312 }
313
314 struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
315 int fd,
316 const char *remote_name,
317 enum smb_signing_setting signing_state,
318 uint32_t smb1_capabilities,
319 struct GUID *client_guid,
320 uint32_t smb2_capabilities)
321 {
322 struct smbXcli_conn *conn = NULL;
323 void *ss = NULL;
324 struct sockaddr *sa = NULL;
325 socklen_t sa_length;
326 int ret;
327
328 conn = talloc_zero(mem_ctx, struct smbXcli_conn);
329 if (!conn) {
330 return NULL;
331 }
332
333 conn->sock_fd = fd;
334
335 conn->remote_name = talloc_strdup(conn, remote_name);
336 if (conn->remote_name == NULL) {
337 goto error;
338 }
339
340 ss = (void *)&conn->local_ss;
341 sa = (struct sockaddr *)ss;
342 sa_length = sizeof(conn->local_ss);
343 ret = getsockname(fd, sa, &sa_length);
344 if (ret == -1) {
345 goto error;
346 }
347 ss = (void *)&conn->remote_ss;
348 sa = (struct sockaddr *)ss;
349 sa_length = sizeof(conn->remote_ss);
350 ret = getpeername(fd, sa, &sa_length);
351 if (ret == -1) {
352 goto error;
353 }
354
355 conn->outgoing = tevent_queue_create(conn, "smbXcli_outgoing");
356 if (conn->outgoing == NULL) {
357 goto error;
358 }
359 conn->pending = NULL;
360
361 conn->min_protocol = PROTOCOL_NONE;
362 conn->max_protocol = PROTOCOL_NONE;
363 conn->protocol = PROTOCOL_NONE;
364
365 switch (signing_state) {
366 case SMB_SIGNING_OFF:
367 /* never */
368 conn->allow_signing = false;
369 conn->desire_signing = false;
370 conn->mandatory_signing = false;
371 break;
372 case SMB_SIGNING_DEFAULT:
373 case SMB_SIGNING_IF_REQUIRED:
374 /* if the server requires it */
375 conn->allow_signing = true;
376 conn->desire_signing = false;
377 conn->mandatory_signing = false;
378 break;
379 case SMB_SIGNING_DESIRED:
380 /* if the server desires it */
381 conn->allow_signing = true;
382 conn->desire_signing = true;
383 conn->mandatory_signing = false;
384 break;
385 case SMB_SIGNING_REQUIRED:
386 /* always */
387 conn->allow_signing = true;
388 conn->desire_signing = true;
389 conn->mandatory_signing = true;
390 break;
391 }
392
393 conn->smb1.client.capabilities = smb1_capabilities;
394 conn->smb1.client.max_xmit = UINT16_MAX;
395
396 conn->smb1.capabilities = conn->smb1.client.capabilities;
397 conn->smb1.max_xmit = 1024;
398
399 conn->smb1.mid = 1;
400
401 /* initialise signing */
402 conn->smb1.signing = smb_signing_init(conn,
403 conn->allow_signing,
404 conn->desire_signing,
405 conn->mandatory_signing);
406 if (!conn->smb1.signing) {
407 goto error;
408 }
409
410 conn->smb2.client.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
411 if (conn->mandatory_signing) {
412 conn->smb2.client.security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
413 }
414 if (client_guid) {
415 conn->smb2.client.guid = *client_guid;
416 }
417 conn->smb2.client.capabilities = smb2_capabilities;
418
419 conn->smb2.cur_credits = 1;
420 conn->smb2.max_credits = 0;
421 conn->smb2.io_priority = 1;
422
423 /*
424 * Samba and Windows servers accept a maximum of 16 MiB with a maximum
425 * chunk length of 1 MiB.
426 */
427 conn->smb2.cc_chunk_len = 1024 * 1024;
428 conn->smb2.cc_max_chunks = 16;
429
430 talloc_set_destructor(conn, smbXcli_conn_destructor);
431 return conn;
432
433 error:
434 TALLOC_FREE(conn);
435 return NULL;
436 }
437
438 bool smbXcli_conn_is_connected(struct smbXcli_conn *conn)
439 {
440 if (conn == NULL) {
441 return false;
442 }
443
444 if (conn->sock_fd == -1) {
445 return false;
446 }
447
448 return true;
449 }
450
451 enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn)
452 {
453 return conn->protocol;
454 }
455
456 bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
457 {
458 if (conn->protocol >= PROTOCOL_SMB2_02) {
459 return true;
460 }
461
462 if (conn->smb1.capabilities & CAP_UNICODE) {
463 return true;
464 }
465
466 return false;
467 }
468
469 void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
470 {
471 set_socket_options(conn->sock_fd, options);
472 }
473
474 const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn)
475 {
476 return &conn->local_ss;
477 }
478
479 const struct sockaddr_storage *smbXcli_conn_remote_sockaddr(struct smbXcli_conn *conn)
480 {
481 return &conn->remote_ss;
482 }
483
484 const char *smbXcli_conn_remote_name(struct smbXcli_conn *conn)
485 {
486 return conn->remote_name;
487 }
488
489 uint16_t smbXcli_conn_max_requests(struct smbXcli_conn *conn)
490 {
491 if (conn->protocol >= PROTOCOL_SMB2_02) {
492 /*
493 * TODO...
494 */
495 return 1;
496 }
497
498 return conn->smb1.server.max_mux;
499 }
500
501 NTTIME smbXcli_conn_server_system_time(struct smbXcli_conn *conn)
502 {
503 if (conn->protocol >= PROTOCOL_SMB2_02) {
504 return conn->smb2.server.system_time;
505 }
506
507 return conn->smb1.server.system_time;
508 }
509
510 const DATA_BLOB *smbXcli_conn_server_gss_blob(struct smbXcli_conn *conn)
511 {
512 if (conn->protocol >= PROTOCOL_SMB2_02) {
513 return &conn->smb2.server.gss_blob;
514 }
515
516 return &conn->smb1.server.gss_blob;
517 }
518
519 const struct GUID *smbXcli_conn_server_guid(struct smbXcli_conn *conn)
520 {
521 if (conn->protocol >= PROTOCOL_SMB2_02) {
522 return &conn->smb2.server.guid;
523 }
524
525 return &conn->smb1.server.guid;
526 }
527
528 struct smbXcli_conn_samba_suicide_state {
529 struct smbXcli_conn *conn;
530 struct iovec iov;
531 uint8_t buf[9];
532 struct tevent_req *write_req;
533 };
534
535 static void smbXcli_conn_samba_suicide_cleanup(struct tevent_req *req,
536 enum tevent_req_state req_state);
537 static void smbXcli_conn_samba_suicide_done(struct tevent_req *subreq);
538
539 struct tevent_req *smbXcli_conn_samba_suicide_send(TALLOC_CTX *mem_ctx,
540 struct tevent_context *ev,
541 struct smbXcli_conn *conn,
542 uint8_t exitcode)
543 {
544 struct tevent_req *req, *subreq;
545 struct smbXcli_conn_samba_suicide_state *state;
546
547 req = tevent_req_create(mem_ctx, &state,
548 struct smbXcli_conn_samba_suicide_state);
549 if (req == NULL) {
550 return NULL;
551 }
552 state->conn = conn;
553 SIVAL(state->buf, 4, 0x74697865);
554 SCVAL(state->buf, 8, exitcode);
555 _smb_setlen_nbt(state->buf, sizeof(state->buf)-4);
556
557 if (conn->suicide_req != NULL) {
558 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
559 return tevent_req_post(req, ev);
560 }
561
562 state->iov.iov_base = state->buf;
563 state->iov.iov_len = sizeof(state->buf);
564
565 subreq = writev_send(state, ev, conn->outgoing, conn->sock_fd,
566 false, &state->iov, 1);
567 if (tevent_req_nomem(subreq, req)) {
568 return tevent_req_post(req, ev);
569 }
570 tevent_req_set_callback(subreq, smbXcli_conn_samba_suicide_done, req);
571 state->write_req = subreq;
572
573 tevent_req_set_cleanup_fn(req, smbXcli_conn_samba_suicide_cleanup);
574
575 /*
576 * We need to use tevent_req_defer_callback()
577 * in order to allow smbXcli_conn_disconnect()
578 * to do a safe cleanup.
579 */
580 tevent_req_defer_callback(req, ev);
581 conn->suicide_req = req;
582
583 return req;
584 }
585
586 static void smbXcli_conn_samba_suicide_cleanup(struct tevent_req *req,
587 enum tevent_req_state req_state)
588 {
589 struct smbXcli_conn_samba_suicide_state *state = tevent_req_data(
590 req, struct smbXcli_conn_samba_suicide_state);
591
592 TALLOC_FREE(state->write_req);
593
594 if (state->conn == NULL) {
595 return;
596 }
597
598 if (state->conn->suicide_req == req) {
599 state->conn->suicide_req = NULL;
600 }
601 state->conn = NULL;
602 }
603
604 static void smbXcli_conn_samba_suicide_done(struct tevent_req *subreq)
605 {
606 struct tevent_req *req = tevent_req_callback_data(
607 subreq, struct tevent_req);
608 struct smbXcli_conn_samba_suicide_state *state = tevent_req_data(
609 req, struct smbXcli_conn_samba_suicide_state);
610 ssize_t nwritten;
611 int err;
612
613 state->write_req = NULL;
614
615 nwritten = writev_recv(subreq, &err);
616 TALLOC_FREE(subreq);
617 if (nwritten == -1) {
618 /* here, we need to notify all pending requests */
619 NTSTATUS status = map_nt_error_from_unix_common(err);
620 smbXcli_conn_disconnect(state->conn, status);
621 return;
622 }
623 tevent_req_done(req);
624 }
625
626 NTSTATUS smbXcli_conn_samba_suicide_recv(struct tevent_req *req)
627 {
628 return tevent_req_simple_recv_ntstatus(req);
629 }
630
631 NTSTATUS smbXcli_conn_samba_suicide(struct smbXcli_conn *conn,
632 uint8_t exitcode)
633 {
634 TALLOC_CTX *frame = talloc_stackframe();
635 struct tevent_context *ev;
636 struct tevent_req *req;
637 NTSTATUS status = NT_STATUS_NO_MEMORY;
638 bool ok;
639
640 if (smbXcli_conn_has_async_calls(conn)) {
641 /*
642 * Can't use sync call while an async call is in flight
643 */
644 status = NT_STATUS_INVALID_PARAMETER_MIX;
645 goto fail;
646 }
647 ev = samba_tevent_context_init(frame);
648 if (ev == NULL) {
649 goto fail;
650 }
651 req = smbXcli_conn_samba_suicide_send(frame, ev, conn, exitcode);
652 if (req == NULL) {
653 goto fail;
654 }
655 ok = tevent_req_poll_ntstatus(req, ev, &status);
656 if (!ok) {
657 goto fail;
658 }
659 status = smbXcli_conn_samba_suicide_recv(req);
660 fail:
661 TALLOC_FREE(frame);
662 return status;
663 }
664
665 uint32_t smb1cli_conn_capabilities(struct smbXcli_conn *conn)
666 {
667 return conn->smb1.capabilities;
668 }
669
670 uint32_t smb1cli_conn_max_xmit(struct smbXcli_conn *conn)
671 {
672 return conn->smb1.max_xmit;
673 }
674
675 bool smb1cli_conn_req_possible(struct smbXcli_conn *conn)
676 {
677 size_t pending = talloc_array_length(conn->pending);
678 uint16_t possible = conn->smb1.server.max_mux;
679
680 if (pending >= possible) {
681 return false;
682 }
683
684 return true;
685 }
686
687 uint32_t smb1cli_conn_server_session_key(struct smbXcli_conn *conn)
688 {
689 return conn->smb1.server.session_key;
690 }
691
692 const uint8_t *smb1cli_conn_server_challenge(struct smbXcli_conn *conn)
693 {
694 return conn->smb1.server.challenge;
695 }
696
697 uint16_t smb1cli_conn_server_security_mode(struct smbXcli_conn *conn)
698 {
699 return conn->smb1.server.security_mode;
700 }
701
702 bool smb1cli_conn_server_readbraw(struct smbXcli_conn *conn)
703 {
704 return conn->smb1.server.readbraw;
705 }
706
707 bool smb1cli_conn_server_writebraw(struct smbXcli_conn *conn)
708 {
709 return conn->smb1.server.writebraw;
710 }
711
712 bool smb1cli_conn_server_lockread(struct smbXcli_conn *conn)
713 {
714 return conn->smb1.server.lockread;
715 }
716
717 bool smb1cli_conn_server_writeunlock(struct smbXcli_conn *conn)
718 {
719 return conn->smb1.server.writeunlock;
720 }
721
722 int smb1cli_conn_server_time_zone(struct smbXcli_conn *conn)
723 {
724 return conn->smb1.server.time_zone;
725 }
726
727 bool smb1cli_conn_activate_signing(struct smbXcli_conn *conn,
728 const DATA_BLOB user_session_key,
729 const DATA_BLOB response)
730 {
731 return smb_signing_activate(conn->smb1.signing,
732 user_session_key,
733 response);
734 }
735
736 bool smb1cli_conn_check_signing(struct smbXcli_conn *conn,
737 const uint8_t *buf, uint32_t seqnum)
738 {
739 const uint8_t *hdr = buf + NBT_HDR_SIZE;
740 size_t len = smb_len_nbt(buf);
741
742 return smb_signing_check_pdu(conn->smb1.signing, hdr, len, seqnum);
743 }
744
745 bool smb1cli_conn_signing_is_active(struct smbXcli_conn *conn)
746 {
747 return smb_signing_is_active(conn->smb1.signing);
748 }
749
750 void smb1cli_conn_set_encryption(struct smbXcli_conn *conn,
751 struct smb_trans_enc_state *es)
752 {
753 /* Replace the old state, if any. */
754 if (conn->smb1.trans_enc) {
755 TALLOC_FREE(conn->smb1.trans_enc);
756 }
757 conn->smb1.trans_enc = es;
758 }
759
760 bool smb1cli_conn_encryption_on(struct smbXcli_conn *conn)
761 {
762 return common_encryption_on(conn->smb1.trans_enc);
763 }
764
765
766 static NTSTATUS smb1cli_pull_raw_error(const uint8_t *hdr)
767 {
768 uint32_t flags2 = SVAL(hdr, HDR_FLG2);
769 NTSTATUS status = NT_STATUS(IVAL(hdr, HDR_RCLS));
770
771 if (NT_STATUS_IS_OK(status)) {
772 return NT_STATUS_OK;
773 }
774
775 if (flags2 & FLAGS2_32_BIT_ERROR_CODES) {
776 return status;
777 }
778
779 return NT_STATUS_DOS(CVAL(hdr, HDR_RCLS), SVAL(hdr, HDR_ERR));
780 }
781
782 /**
783 * Is the SMB command able to hold an AND_X successor
784 * @param[in] cmd The SMB command in question
785 * @retval Can we add a chained request after "cmd"?
786 */
787 bool smb1cli_is_andx_req(uint8_t cmd)
788 {
789 switch (cmd) {
790 case SMBtconX:
791 case SMBlockingX:
792 case SMBopenX:
793 case SMBreadX:
794 case SMBwriteX:
795 case SMBsesssetupX:
796 case SMBulogoffX:
797 case SMBntcreateX:
798 return true;
799 break;
800 default:
801 break;
802 }
803
804 return false;
805 }
806
807 static uint16_t smb1cli_alloc_mid(struct smbXcli_conn *conn)
808 {
809 size_t num_pending = talloc_array_length(conn->pending);
810 uint16_t result;
811
812 if (conn->protocol == PROTOCOL_NONE) {
813 /*
814 * This is what windows sends on the SMB1 Negprot request
815 * and some vendors reuse the SMB1 MID as SMB2 sequence number.
816 */
817 return 0;
818 }
819
820 while (true) {
821 size_t i;
822
823 result = conn->smb1.mid++;
824 if ((result == 0) || (result == 0xffff)) {
825 continue;
826 }
827
828 for (i=0; i<num_pending; i++) {
829 if (result == smb1cli_req_mid(conn->pending[i])) {
830 break;
831 }
832 }
833
834 if (i == num_pending) {
835 return result;
836 }
837 }
838 }
839
840 void smbXcli_req_unset_pending(struct tevent_req *req)
841 {
842 struct smbXcli_req_state *state =
843 tevent_req_data(req,
844 struct smbXcli_req_state);
845 struct smbXcli_conn *conn = state->conn;
846 size_t num_pending = talloc_array_length(conn->pending);
847 size_t i;
848
849 TALLOC_FREE(state->write_req);
850
851 if (state->smb1.mid != 0) {
852 /*
853 * This is a [nt]trans[2] request which waits
854 * for more than one reply.
855 */
856 return;
857 }
858
859 tevent_req_set_cleanup_fn(req, NULL);
860
861 if (num_pending == 1) {
862 /*
863 * The pending read_smb tevent_req is a child of
864 * conn->pending. So if nothing is pending anymore, we need to
865 * delete the socket read fde.
866 */
867 TALLOC_FREE(conn->pending);
868 conn->read_smb_req = NULL;
869 return;
870 }
871
872 for (i=0; i<num_pending; i++) {
873 if (req == conn->pending[i]) {
874 break;
875 }
876 }
877 if (i == num_pending) {
878 /*
879 * Something's seriously broken. Just returning here is the
880 * right thing nevertheless, the point of this routine is to
881 * remove ourselves from conn->pending.
882 */
883 return;
884 }
885
886 /*
887 * Remove ourselves from the conn->pending array
888 */
889 for (; i < (num_pending - 1); i++) {
890 conn->pending[i] = conn->pending[i+1];
891 }
892
893 /*
894 * No NULL check here, we're shrinking by sizeof(void *), and
895 * talloc_realloc just adjusts the size for this.
896 */
897 conn->pending = talloc_realloc(NULL, conn->pending, struct tevent_req *,
898 num_pending - 1);
899 return;
900 }
901
902 static void smbXcli_req_cleanup(struct tevent_req *req,
903 enum tevent_req_state req_state)
904 {
905 struct smbXcli_req_state *state =
906 tevent_req_data(req,
907 struct smbXcli_req_state);
908
909 TALLOC_FREE(state->write_req);
910
911 switch (req_state) {
912 case TEVENT_REQ_RECEIVED:
913 /*
914 * Make sure we really remove it from
915 * the pending array on destruction.
916 */
917 state->smb1.mid = 0;
918 smbXcli_req_unset_pending(req);
919 return;
920 default:
921 return;
922 }
923 }
924
925 static bool smb1cli_req_cancel(struct tevent_req *req);
926 static bool smb2cli_req_cancel(struct tevent_req *req);
927
928 static bool smbXcli_req_cancel(struct tevent_req *req)
929 {
930 struct smbXcli_req_state *state =
931 tevent_req_data(req,
932 struct smbXcli_req_state);
933
934 if (!smbXcli_conn_is_connected(state->conn)) {
935 return false;
936 }
937
938 if (state->conn->protocol == PROTOCOL_NONE) {
939 return false;
940 }
941
942 if (state->conn->protocol >= PROTOCOL_SMB2_02) {
943 return smb2cli_req_cancel(req);
944 }
945
946 return smb1cli_req_cancel(req);
947 }
948
949 static bool smbXcli_conn_receive_next(struct smbXcli_conn *conn);
950
951 bool smbXcli_req_set_pending(struct tevent_req *req)
952 {
953 struct smbXcli_req_state *state =
954 tevent_req_data(req,
955 struct smbXcli_req_state);
956 struct smbXcli_conn *conn;
957 struct tevent_req **pending;
958 size_t num_pending;
959
960 conn = state->conn;
961
962 if (!smbXcli_conn_is_connected(conn)) {
963 return false;
964 }
965
966 num_pending = talloc_array_length(conn->pending);
967
968 pending = talloc_realloc(conn, conn->pending, struct tevent_req *,
969 num_pending+1);
970 if (pending == NULL) {
971 return false;
972 }
973 pending[num_pending] = req;
974 conn->pending = pending;
975 tevent_req_set_cleanup_fn(req, smbXcli_req_cleanup);
976 tevent_req_set_cancel_fn(req, smbXcli_req_cancel);
977
978 if (!smbXcli_conn_receive_next(conn)) {
979 /*
980 * the caller should notify the current request
981 *
982 * And all other pending requests get notified
983 * by smbXcli_conn_disconnect().
984 */
985 smbXcli_req_unset_pending(req);
986 smbXcli_conn_disconnect(conn, NT_STATUS_NO_MEMORY);
987 return false;
988 }
989
990 return true;
991 }
992
993 static void smbXcli_conn_received(struct tevent_req *subreq);
994
995 static bool smbXcli_conn_receive_next(struct smbXcli_conn *conn)
996 {
997 size_t num_pending = talloc_array_length(conn->pending);
998 struct tevent_req *req;
999 struct smbXcli_req_state *state;
1000
1001 if (conn->read_smb_req != NULL) {
1002 return true;
1003 }
1004
1005 if (num_pending == 0) {
1006 if (conn->smb2.mid < UINT64_MAX) {
1007 /* no more pending requests, so we are done for now */
1008 return true;
1009 }
1010
1011 /*
1012 * If there are no more SMB2 requests possible,
1013 * because we are out of message ids,
1014 * we need to disconnect.
1015 */
1016 smbXcli_conn_disconnect(conn, NT_STATUS_CONNECTION_ABORTED);
1017 return true;
1018 }
1019
1020 req = conn->pending[0];
1021 state = tevent_req_data(req, struct smbXcli_req_state);
1022
1023 /*
1024 * We're the first ones, add the read_smb request that waits for the
1025 * answer from the server
1026 */
1027 conn->read_smb_req = read_smb_send(conn->pending,
1028 state->ev,
1029 conn->sock_fd);
1030 if (conn->read_smb_req == NULL) {
1031 return false;
1032 }
1033 tevent_req_set_callback(conn->read_smb_req, smbXcli_conn_received, conn);
1034 return true;
1035 }
1036
1037 void smbXcli_conn_disconnect(struct smbXcli_conn *conn, NTSTATUS status)
1038 {
1039 struct smbXcli_session *session;
1040 int sock_fd = conn->sock_fd;
1041
1042 tevent_queue_stop(conn->outgoing);
1043
1044 conn->sock_fd = -1;
1045
1046 session = conn->sessions;
1047 if (talloc_array_length(conn->pending) == 0) {
1048 /*
1049 * if we do not have pending requests
1050 * there is no need to update the channel_sequence
1051 */
1052 session = NULL;
1053 }
1054 for (; session; session = session->next) {
1055 smb2cli_session_increment_channel_sequence(session);
1056 }
1057
1058 if (conn->suicide_req != NULL) {
1059 /*
1060 * smbXcli_conn_samba_suicide_send()
1061 * used tevent_req_defer_callback() already.
1062 */
1063 if (!NT_STATUS_IS_OK(status)) {
1064 tevent_req_nterror(conn->suicide_req, status);
1065 }
1066 conn->suicide_req = NULL;
1067 }
1068
1069 /*
1070 * Cancel all pending requests. We do not do a for-loop walking
1071 * conn->pending because that array changes in
1072 * smbXcli_req_unset_pending.
1073 */
1074 while (talloc_array_length(conn->pending) > 0) {
1075 struct tevent_req *req;
1076 struct smbXcli_req_state *state;
1077 struct tevent_req **chain;
1078 size_t num_chained;
1079 size_t i;
1080
1081 req = conn->pending[0];
1082 state = tevent_req_data(req, struct smbXcli_req_state);
1083
1084 if (state->smb1.chained_requests == NULL) {
1085 /*
1086 * We're dead. No point waiting for trans2
1087 * replies.
1088 */
1089 state->smb1.mid = 0;
1090
1091 smbXcli_req_unset_pending(req);
1092
1093 if (NT_STATUS_IS_OK(status)) {
1094 /* do not notify the callers */
1095 continue;
1096 }
1097
1098 /*
1099 * we need to defer the callback, because we may notify
1100 * more then one caller.
1101 */
1102 tevent_req_defer_callback(req, state->ev);
1103 tevent_req_nterror(req, status);
1104 continue;
1105 }
1106
1107 chain = talloc_move(conn, &state->smb1.chained_requests);
1108 num_chained = talloc_array_length(chain);
1109
1110 for (i=0; i<num_chained; i++) {
1111 req = chain[i];
1112 state = tevent_req_data(req, struct smbXcli_req_state);
1113
1114 /*
1115 * We're dead. No point waiting for trans2
1116 * replies.
1117 */
1118 state->smb1.mid = 0;
1119
1120 smbXcli_req_unset_pending(req);
1121
1122 if (NT_STATUS_IS_OK(status)) {
1123 /* do not notify the callers */
1124 continue;
1125 }
1126
1127 /*
1128 * we need to defer the callback, because we may notify
1129 * more than one caller.
1130 */
1131 tevent_req_defer_callback(req, state->ev);
1132 tevent_req_nterror(req, status);
1133 }
1134 TALLOC_FREE(chain);
1135 }
1136
1137 if (sock_fd != -1) {
1138 close(sock_fd);
1139 }
1140 }
1141
1142 /*
1143 * Fetch a smb request's mid. Only valid after the request has been sent by
1144 * smb1cli_req_send().
1145 */
1146 uint16_t smb1cli_req_mid(struct tevent_req *req)
1147 {
1148 struct smbXcli_req_state *state =
1149 tevent_req_data(req,
1150 struct smbXcli_req_state);
1151
1152 if (state->smb1.mid != 0) {
1153 return state->smb1.mid;
1154 }
1155
1156 return SVAL(state->smb1.hdr, HDR_MID);
1157 }
1158
1159 void smb1cli_req_set_mid(struct tevent_req *req, uint16_t mid)
1160 {
1161 struct smbXcli_req_state *state =
1162 tevent_req_data(req,
1163 struct smbXcli_req_state);
1164
1165 state->smb1.mid = mid;
1166 }
1167
1168 uint32_t smb1cli_req_seqnum(struct tevent_req *req)
1169 {
1170 struct smbXcli_req_state *state =
1171 tevent_req_data(req,
1172 struct smbXcli_req_state);
1173
1174 return state->smb1.seqnum;
1175 }
1176
1177 void smb1cli_req_set_seqnum(struct tevent_req *req, uint32_t seqnum)
1178 {
1179 struct smbXcli_req_state *state =
1180 tevent_req_data(req,
1181 struct smbXcli_req_state);
1182
1183 state->smb1.seqnum = seqnum;
1184 }
1185
1186 static size_t smbXcli_iov_len(const struct iovec *iov, int count)
1187 {
1188 ssize_t ret = iov_buflen(iov, count);
1189
1190 /* Ignore the overflow case for now ... */
1191 return ret;
1192 }
1193
1194 static uint8_t *smbXcli_iov_concat(TALLOC_CTX *mem_ctx,
1195 const struct iovec *iov,
1196 int count)
1197 {
1198 ssize_t buflen;
1199 uint8_t *buf;
1200
1201 buflen = iov_buflen(iov, count);
1202 if (buflen == -1) {
1203 return NULL;
1204 }
1205
1206 buf = talloc_array(mem_ctx, uint8_t, buflen);
1207 if (buf == NULL) {
1208 return NULL;
1209 }
1210
1211 iov_buf(iov, count, buf, buflen);
1212
1213 return buf;
1214 }
1215
1216 static void smb1cli_req_flags(enum protocol_types protocol,
1217 uint32_t smb1_capabilities,
1218 uint8_t smb_command,
1219 uint8_t additional_flags,
1220 uint8_t clear_flags,
1221 uint8_t *_flags,
1222 uint16_t additional_flags2,
1223 uint16_t clear_flags2,
1224 uint16_t *_flags2)
1225 {
1226 uint8_t flags = 0;
1227 uint16_t flags2 = 0;
1228
1229 if (protocol >= PROTOCOL_LANMAN1) {
1230 flags |= FLAG_CASELESS_PATHNAMES;
1231 flags |= FLAG_CANONICAL_PATHNAMES;
1232 }
1233
1234 if (protocol >= PROTOCOL_LANMAN2) {
1235 flags2 |= FLAGS2_LONG_PATH_COMPONENTS;
1236 flags2 |= FLAGS2_EXTENDED_ATTRIBUTES;
1237 }
1238
1239 if (protocol >= PROTOCOL_NT1) {
1240 flags2 |= FLAGS2_IS_LONG_NAME;
1241
1242 if (smb1_capabilities & CAP_UNICODE) {
1243 flags2 |= FLAGS2_UNICODE_STRINGS;
1244 }
1245 if (smb1_capabilities & CAP_STATUS32) {
1246 flags2 |= FLAGS2_32_BIT_ERROR_CODES;
1247 }
1248 if (smb1_capabilities & CAP_EXTENDED_SECURITY) {
1249 flags2 |= FLAGS2_EXTENDED_SECURITY;
1250 }
1251 }
1252
1253 flags |= additional_flags;
1254 flags &= ~clear_flags;
1255 flags2 |= additional_flags2;
1256 flags2 &= ~clear_flags2;
1257
1258 *_flags = flags;
1259 *_flags2 = flags2;
1260 }
1261
1262 static void smb1cli_req_cancel_done(struct tevent_req *subreq);
1263
1264 static bool smb1cli_req_cancel(struct tevent_req *req)
1265 {
1266 struct smbXcli_req_state *state =
1267 tevent_req_data(req,
1268 struct smbXcli_req_state);
1269 uint8_t flags;
1270 uint16_t flags2;
1271 uint32_t pid;
1272 uint16_t mid;
1273 struct tevent_req *subreq;
1274 NTSTATUS status;
1275
1276 flags = CVAL(state->smb1.hdr, HDR_FLG);
1277 flags2 = SVAL(state->smb1.hdr, HDR_FLG2);
1278 pid = SVAL(state->smb1.hdr, HDR_PID);
1279 pid |= SVAL(state->smb1.hdr, HDR_PIDHIGH)<<16;
1280 mid = SVAL(state->smb1.hdr, HDR_MID);
1281
1282 subreq = smb1cli_req_create(state, state->ev,
1283 state->conn,
1284 SMBntcancel,
1285 flags, 0,
1286 flags2, 0,
1287 0, /* timeout */
1288 pid,
1289 state->tcon,
1290 state->session,
1291 0, NULL, /* vwv */
1292 0, NULL); /* bytes */
1293 if (subreq == NULL) {
1294 return false;
1295 }
1296 smb1cli_req_set_mid(subreq, mid);
1297
1298 status = smb1cli_req_chain_submit(&subreq, 1);
1299 if (!NT_STATUS_IS_OK(status)) {
1300 TALLOC_FREE(subreq);
1301 return false;
1302 }
1303 smb1cli_req_set_mid(subreq, 0);
1304
1305 tevent_req_set_callback(subreq, smb1cli_req_cancel_done, NULL);
1306
1307 return true;
1308 }
1309
1310 static void smb1cli_req_cancel_done(struct tevent_req *subreq)
1311 {
1312 /* we do not care about the result */
1313 TALLOC_FREE(subreq);
1314 }
1315
1316 struct tevent_req *smb1cli_req_create(TALLOC_CTX *mem_ctx,
1317 struct tevent_context *ev,
1318 struct smbXcli_conn *conn,
1319 uint8_t smb_command,
1320 uint8_t additional_flags,
1321 uint8_t clear_flags,
1322 uint16_t additional_flags2,
1323 uint16_t clear_flags2,
1324 uint32_t timeout_msec,
1325 uint32_t pid,
1326 struct smbXcli_tcon *tcon,
1327 struct smbXcli_session *session,
1328 uint8_t wct, uint16_t *vwv,
1329 int iov_count,
1330 struct iovec *bytes_iov)
1331 {
1332 struct tevent_req *req;
1333 struct smbXcli_req_state *state;
1334 uint8_t flags = 0;
1335 uint16_t flags2 = 0;
1336 uint16_t uid = 0;
1337 uint16_t tid = 0;
1338 ssize_t num_bytes;
1339
1340 if (iov_count > MAX_SMB_IOV) {
1341 /*
1342 * Should not happen :-)
1343 */
1344 return NULL;
1345 }
1346
1347 req = tevent_req_create(mem_ctx, &state,
1348 struct smbXcli_req_state);
1349 if (req == NULL) {
1350 return NULL;
1351 }
1352 state->ev = ev;
1353 state->conn = conn;
1354 state->session = session;
1355 state->tcon = tcon;
1356
1357 if (session) {
1358 uid = session->smb1.session_id;
1359 }
1360
1361 if (tcon) {
1362 tid = tcon->smb1.tcon_id;
1363
1364 if (tcon->fs_attributes & FILE_CASE_SENSITIVE_SEARCH) {
1365 clear_flags |= FLAG_CASELESS_PATHNAMES;
1366 } else {
1367 /* Default setting, case insensitive. */
1368 additional_flags |= FLAG_CASELESS_PATHNAMES;
1369 }
1370
1371 if (smbXcli_conn_dfs_supported(conn) &&
1372 smbXcli_tcon_is_dfs_share(tcon))
1373 {
1374 additional_flags2 |= FLAGS2_DFS_PATHNAMES;
1375 }
1376 }
1377
1378 state->smb1.recv_cmd = 0xFF;
1379 state->smb1.recv_status = NT_STATUS_INTERNAL_ERROR;
1380 state->smb1.recv_iov = talloc_zero_array(state, struct iovec, 3);
1381 if (state->smb1.recv_iov == NULL) {
1382 TALLOC_FREE(req);
1383 return NULL;
1384 }
1385
1386 smb1cli_req_flags(conn->protocol,
1387 conn->smb1.capabilities,
1388 smb_command,
1389 additional_flags,
1390 clear_flags,
1391 &flags,
1392 additional_flags2,
1393 clear_flags2,
1394 &flags2);
1395
1396 SIVAL(state->smb1.hdr, 0, SMB_MAGIC);
1397 SCVAL(state->smb1.hdr, HDR_COM, smb_command);
1398 SIVAL(state->smb1.hdr, HDR_RCLS, NT_STATUS_V(NT_STATUS_OK));
1399 SCVAL(state->smb1.hdr, HDR_FLG, flags);
1400 SSVAL(state->smb1.hdr, HDR_FLG2, flags2);
1401 SSVAL(state->smb1.hdr, HDR_PIDHIGH, pid >> 16);
1402 SSVAL(state->smb1.hdr, HDR_TID, tid);
1403 SSVAL(state->smb1.hdr, HDR_PID, pid);
1404 SSVAL(state->smb1.hdr, HDR_UID, uid);
1405 SSVAL(state->smb1.hdr, HDR_MID, 0); /* this comes later */
1406 SCVAL(state->smb1.hdr, HDR_WCT, wct);
1407
1408 state->smb1.vwv = vwv;
1409
1410 num_bytes = iov_buflen(bytes_iov, iov_count);
1411 if (num_bytes == -1) {
1412 /*
1413 * I'd love to add a check for num_bytes<=UINT16_MAX here, but
1414 * the smbclient->samba connections can lie and transfer more.
1415 */
1416 TALLOC_FREE(req);
1417 return NULL;
1418 }
1419
1420 SSVAL(state->smb1.bytecount_buf, 0, num_bytes);
1421
1422 state->smb1.iov[0].iov_base = (void *)state->length_hdr;
1423 state->smb1.iov[0].iov_len = sizeof(state->length_hdr);
1424 state->smb1.iov[1].iov_base = (void *)state->smb1.hdr;
1425 state->smb1.iov[1].iov_len = sizeof(state->smb1.hdr);
1426 state->smb1.iov[2].iov_base = (void *)state->smb1.vwv;
1427 state->smb1.iov[2].iov_len = wct * sizeof(uint16_t);
1428 state->smb1.iov[3].iov_base = (void *)state->smb1.bytecount_buf;
1429 state->smb1.iov[3].iov_len = sizeof(uint16_t);
1430
1431 if (iov_count != 0) {
1432 memcpy(&state->smb1.iov[4], bytes_iov,
1433 iov_count * sizeof(*bytes_iov));
1434 }
1435 state->smb1.iov_count = iov_count + 4;
1436
1437 if (timeout_msec > 0) {
1438 struct timeval endtime;
1439
1440 endtime = timeval_current_ofs_msec(timeout_msec);
1441 if (!tevent_req_set_endtime(req, ev, endtime)) {
1442 return req;
1443 }
1444 }
1445
1446 switch (smb_command) {
1447 case SMBtranss:
1448 case SMBtranss2:
1449 case SMBnttranss:
1450 state->one_way = true;
1451 break;
1452 case SMBntcancel:
1453 state->one_way = true;
1454 state->smb1.one_way_seqnum = true;
1455 break;
1456 case SMBlockingX:
1457 if ((wct == 8) &&
1458 (CVAL(vwv+3, 0) == LOCKING_ANDX_OPLOCK_RELEASE)) {
1459 state->one_way = true;
1460 }
1461 break;
1462 }
1463
1464 return req;
1465 }
1466
1467 static NTSTATUS smb1cli_conn_signv(struct smbXcli_conn *conn,
1468 struct iovec *iov, int iov_count,
1469 uint32_t *seqnum,
1470 bool one_way_seqnum)
1471 {
1472 TALLOC_CTX *frame = NULL;
1473 uint8_t *buf;
1474
1475 /*
1476 * Obvious optimization: Make cli_calculate_sign_mac work with struct
1477 * iovec directly. MD5Update would do that just fine.
1478 */
1479
1480 if (iov_count < 4) {
1481 return NT_STATUS_INVALID_PARAMETER_MIX;
1482 }
1483 if (iov[0].iov_len != NBT_HDR_SIZE) {
1484 return NT_STATUS_INVALID_PARAMETER_MIX;
1485 }
1486 if (iov[1].iov_len != (MIN_SMB_SIZE-sizeof(uint16_t))) {
1487 return NT_STATUS_INVALID_PARAMETER_MIX;
1488 }
1489 if (iov[2].iov_len > (0xFF * sizeof(uint16_t))) {
1490 return NT_STATUS_INVALID_PARAMETER_MIX;
1491 }
1492 if (iov[3].iov_len != sizeof(uint16_t)) {
1493 return NT_STATUS_INVALID_PARAMETER_MIX;
1494 }
1495
1496 frame = talloc_stackframe();
1497
1498 buf = smbXcli_iov_concat(frame, &iov[1], iov_count - 1);
1499 if (buf == NULL) {
1500 return NT_STATUS_NO_MEMORY;
1501 }
1502
1503 *seqnum = smb_signing_next_seqnum(conn->smb1.signing,
1504 one_way_seqnum);
1505 smb_signing_sign_pdu(conn->smb1.signing,
1506 buf, talloc_get_size(buf),
1507 *seqnum);
1508 memcpy(iov[1].iov_base, buf, iov[1].iov_len);
1509
1510 TALLOC_FREE(frame);
1511 return NT_STATUS_OK;
1512 }
1513
1514 static void smb1cli_req_writev_done(struct tevent_req *subreq);
1515 static NTSTATUS smb1cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
1516 TALLOC_CTX *tmp_mem,
1517 uint8_t *inbuf);
1518
1519 static NTSTATUS smb1cli_req_writev_submit(struct tevent_req *req,
1520 struct smbXcli_req_state *state,
1521 struct iovec *iov, int iov_count)
1522 {
1523 struct tevent_req *subreq;
1524 NTSTATUS status;
1525 uint8_t cmd;
1526 uint16_t mid;
1527 ssize_t nbtlen;
1528
1529 if (!smbXcli_conn_is_connected(state->conn)) {
1530 return NT_STATUS_CONNECTION_DISCONNECTED;
1531 }
1532
1533 if (state->conn->protocol > PROTOCOL_NT1) {
1534 return NT_STATUS_REVISION_MISMATCH;
1535 }
1536
1537 if (iov_count < 4) {
1538 return NT_STATUS_INVALID_PARAMETER_MIX;
1539 }
1540 if (iov[0].iov_len != NBT_HDR_SIZE) {
1541 return NT_STATUS_INVALID_PARAMETER_MIX;
1542 }
1543 if (iov[1].iov_len != (MIN_SMB_SIZE-sizeof(uint16_t))) {
1544 return NT_STATUS_INVALID_PARAMETER_MIX;
1545 }
1546 if (iov[2].iov_len > (0xFF * sizeof(uint16_t))) {
1547 return NT_STATUS_INVALID_PARAMETER_MIX;
1548 }
1549 if (iov[3].iov_len != sizeof(uint16_t)) {
1550 return NT_STATUS_INVALID_PARAMETER_MIX;
1551 }
1552
1553 cmd = CVAL(iov[1].iov_base, HDR_COM);
1554 if (cmd == SMBreadBraw) {
1555 if (smbXcli_conn_has_async_calls(state->conn)) {
1556 return NT_STATUS_INVALID_PARAMETER_MIX;
1557 }
1558 state->conn->smb1.read_braw_req = req;
1559 }
1560
1561 if (state->smb1.mid != 0) {
1562 mid = state->smb1.mid;
1563 } else {
1564 mid = smb1cli_alloc_mid(state->conn);
1565 }
1566 SSVAL(iov[1].iov_base, HDR_MID, mid);
1567
1568 nbtlen = iov_buflen(&iov[1], iov_count-1);
1569 if ((nbtlen == -1) || (nbtlen > 0x1FFFF)) {
1570 return NT_STATUS_INVALID_PARAMETER_MIX;
1571 }
1572
1573 _smb_setlen_nbt(iov[0].iov_base, nbtlen);
1574
1575 status = smb1cli_conn_signv(state->conn, iov, iov_count,
1576 &state->smb1.seqnum,
1577 state->smb1.one_way_seqnum);
1578
1579 if (!NT_STATUS_IS_OK(status)) {
1580 return status;
1581 }
1582
1583 /*
1584 * If we supported multiple encrytion contexts
1585 * here we'd look up based on tid.
1586 */
1587 if (common_encryption_on(state->conn->smb1.trans_enc)) {
1588 char *buf, *enc_buf;
1589
1590 buf = (char *)smbXcli_iov_concat(talloc_tos(), iov, iov_count);
1591 if (buf == NULL) {
1592 return NT_STATUS_NO_MEMORY;
1593 }
1594 status = common_encrypt_buffer(state->conn->smb1.trans_enc,
1595 (char *)buf, &enc_buf);
1596 TALLOC_FREE(buf);
1597 if (!NT_STATUS_IS_OK(status)) {
1598 DEBUG(0, ("Error in encrypting client message: %s\n",
1599 nt_errstr(status)));
1600 return status;
1601 }
1602 buf = (char *)talloc_memdup(state, enc_buf,
1603 smb_len_nbt(enc_buf)+4);
1604 SAFE_FREE(enc_buf);
1605 if (buf == NULL) {
1606 return NT_STATUS_NO_MEMORY;
1607 }
1608 iov[0].iov_base = (void *)buf;
1609 iov[0].iov_len = talloc_get_size(buf);
1610 iov_count = 1;
1611 }
1612
1613 if (state->conn->dispatch_incoming == NULL) {
1614 state->conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
1615 }
1616
1617 if (!smbXcli_req_set_pending(req)) {
1618 return NT_STATUS_NO_MEMORY;
1619 }
1620
1621 tevent_req_set_cancel_fn(req, smbXcli_req_cancel);
1622
1623 subreq = writev_send(state, state->ev, state->conn->outgoing,
1624 state->conn->sock_fd, false, iov, iov_count);
1625 if (subreq == NULL) {
1626 return NT_STATUS_NO_MEMORY;
1627 }
1628 tevent_req_set_callback(subreq, smb1cli_req_writev_done, req);
1629 state->write_req = subreq;
1630
1631 return NT_STATUS_OK;
1632 }
1633
1634 struct tevent_req *smb1cli_req_send(TALLOC_CTX *mem_ctx,
1635 struct tevent_context *ev,
1636 struct smbXcli_conn *conn,
1637 uint8_t smb_command,
1638 uint8_t additional_flags,
1639 uint8_t clear_flags,
1640 uint16_t additional_flags2,
1641 uint16_t clear_flags2,
1642 uint32_t timeout_msec,
1643 uint32_t pid,
1644 struct smbXcli_tcon *tcon,
1645 struct smbXcli_session *session,
1646 uint8_t wct, uint16_t *vwv,
1647 uint32_t num_bytes,
1648 const uint8_t *bytes)
1649 {
1650 struct tevent_req *req;
1651 struct iovec iov;
1652 NTSTATUS status;
1653
1654 iov.iov_base = discard_const_p(void, bytes);
1655 iov.iov_len = num_bytes;
1656
1657 req = smb1cli_req_create(mem_ctx, ev, conn, smb_command,
1658 additional_flags, clear_flags,
1659 additional_flags2, clear_flags2,
1660 timeout_msec,
1661 pid, tcon, session,
1662 wct, vwv, 1, &iov);
1663 if (req == NULL) {
1664 return NULL;
1665 }
1666 if (!tevent_req_is_in_progress(req)) {
1667 return tevent_req_post(req, ev);
1668 }
1669 status = smb1cli_req_chain_submit(&req, 1);
1670 if (tevent_req_nterror(req, status)) {
1671 return tevent_req_post(req, ev);
1672 }
1673 return req;
1674 }
1675
1676 static void smb1cli_req_writev_done(struct tevent_req *subreq)
1677 {
1678 struct tevent_req *req =
1679 tevent_req_callback_data(subreq,
1680 struct tevent_req);
1681 struct smbXcli_req_state *state =
1682 tevent_req_data(req,
1683 struct smbXcli_req_state);
1684 ssize_t nwritten;
1685 int err;
1686
1687 state->write_req = NULL;
1688
1689 nwritten = writev_recv(subreq, &err);
1690 TALLOC_FREE(subreq);
1691 if (nwritten == -1) {
1692 /* here, we need to notify all pending requests */
1693 NTSTATUS status = map_nt_error_from_unix_common(err);
1694 smbXcli_conn_disconnect(state->conn, status);
1695 return;
1696 }
1697
1698 if (state->one_way) {
1699 state->inbuf = NULL;
1700 tevent_req_done(req);
1701 return;
1702 }
1703 }
1704
1705 static void smbXcli_conn_received(struct tevent_req *subreq)
1706 {
1707 struct smbXcli_conn *conn =
1708 tevent_req_callback_data(subreq,
1709 struct smbXcli_conn);
1710 TALLOC_CTX *frame = talloc_stackframe();
1711 NTSTATUS status;
1712 uint8_t *inbuf;
1713 ssize_t received;
1714 int err;
1715
1716 if (subreq != conn->read_smb_req) {
1717 DEBUG(1, ("Internal error: cli_smb_received called with "
1718 "unexpected subreq\n"));
1719 smbXcli_conn_disconnect(conn, NT_STATUS_INTERNAL_ERROR);
1720 TALLOC_FREE(frame);
1721 return;
1722 }
1723 conn->read_smb_req = NULL;
1724
1725 received = read_smb_recv(subreq, frame, &inbuf, &err);
1726 TALLOC_FREE(subreq);
1727 if (received == -1) {
1728 status = map_nt_error_from_unix_common(err);
1729 smbXcli_conn_disconnect(conn, status);
1730 TALLOC_FREE(frame);
1731 return;
1732 }
1733
1734 status = conn->dispatch_incoming(conn, frame, inbuf);
1735 TALLOC_FREE(frame);
1736 if (NT_STATUS_IS_OK(status)) {
1737 /*
1738 * We should not do any more processing
1739 * as the dispatch function called
1740 * tevent_req_done().
1741 */
1742 return;
1743 }
1744
1745 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
1746 /*
1747 * We got an error, so notify all pending requests
1748 */
1749 smbXcli_conn_disconnect(conn, status);
1750 return;
1751 }
1752
1753 /*
1754 * We got NT_STATUS_RETRY, so we may ask for a
1755 * next incoming pdu.
1756 */
1757 if (!smbXcli_conn_receive_next(conn)) {
1758 smbXcli_conn_disconnect(conn, NT_STATUS_NO_MEMORY);
1759 }
1760 }
1761
1762 static NTSTATUS smb1cli_inbuf_parse_chain(uint8_t *buf, TALLOC_CTX *mem_ctx,
1763 struct iovec **piov, int *pnum_iov)
1764 {
1765 struct iovec *iov;
1766 int num_iov;
1767 size_t buflen;
1768 size_t taken;
1769 size_t remaining;
1770 uint8_t *hdr;
1771 uint8_t cmd;
1772 uint32_t wct_ofs;
1773 NTSTATUS status;
1774 size_t min_size = MIN_SMB_SIZE;
1775
1776 buflen = smb_len_tcp(buf);
1777 taken = 0;
1778
1779 hdr = buf + NBT_HDR_SIZE;
1780
1781 status = smb1cli_pull_raw_error(hdr);
1782 if (NT_STATUS_IS_ERR(status)) {
1783 /*
1784 * This is an ugly hack to support OS/2
1785 * which skips the byte_count in the DATA block
1786 * on some error responses.
1787 *
1788 * See bug #9096
1789 */
1790 min_size -= sizeof(uint16_t);
1791 }
1792
1793 if (buflen < min_size) {
1794 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1795 }
1796
1797 /*
1798 * This returns iovec elements in the following order:
1799 *
1800 * - SMB header
1801 *
1802 * - Parameter Block
1803 * - Data Block
1804 *
1805 * - Parameter Block
1806 * - Data Block
1807 *
1808 * - Parameter Block
1809 * - Data Block
1810 */
1811 num_iov = 1;
1812
1813 iov = talloc_array(mem_ctx, struct iovec, num_iov);
1814 if (iov == NULL) {
1815 return NT_STATUS_NO_MEMORY;
1816 }
1817 iov[0].iov_base = hdr;
1818 iov[0].iov_len = HDR_WCT;
1819 taken += HDR_WCT;
1820
1821 cmd = CVAL(hdr, HDR_COM);
1822 wct_ofs = HDR_WCT;
1823
1824 while (true) {
1825 size_t len = buflen - taken;
1826 struct iovec *cur;
1827 struct iovec *iov_tmp;
1828 uint8_t wct;
1829 uint32_t bcc_ofs;
1830 uint16_t bcc;
1831 size_t needed;
1832
1833 /*
1834 * we need at least WCT
1835 */
1836 needed = sizeof(uint8_t);
1837 if (len < needed) {
1838 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1839 __location__, (int)len, (int)needed));
1840 goto inval;
1841 }
1842
1843 /*
1844 * Now we check if the specified words are there
1845 */
1846 wct = CVAL(hdr, wct_ofs);
1847 needed += wct * sizeof(uint16_t);
1848 if (len < needed) {
1849 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1850 __location__, (int)len, (int)needed));
1851 goto inval;
1852 }
1853
1854 if ((num_iov == 1) &&
1855 (len == needed) &&
1856 NT_STATUS_IS_ERR(status))
1857 {
1858 /*
1859 * This is an ugly hack to support OS/2
1860 * which skips the byte_count in the DATA block
1861 * on some error responses.
1862 *
1863 * See bug #9096
1864 */
1865 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
1866 num_iov + 2);
1867 if (iov_tmp == NULL) {
1868 TALLOC_FREE(iov);
1869 return NT_STATUS_NO_MEMORY;
1870 }
1871 iov = iov_tmp;
1872 cur = &iov[num_iov];
1873 num_iov += 2;
1874
1875 cur[0].iov_len = 0;
1876 cur[0].iov_base = hdr + (wct_ofs + sizeof(uint8_t));
1877 cur[1].iov_len = 0;
1878 cur[1].iov_base = cur[0].iov_base;
1879
1880 taken += needed;
1881 break;
1882 }
1883
1884 /*
1885 * we need at least BCC
1886 */
1887 needed += sizeof(uint16_t);
1888 if (len < needed) {
1889 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1890 __location__, (int)len, (int)needed));
1891 goto inval;
1892 }
1893
1894 /*
1895 * Now we check if the specified bytes are there
1896 */
1897 bcc_ofs = wct_ofs + sizeof(uint8_t) + wct * sizeof(uint16_t);
1898 bcc = SVAL(hdr, bcc_ofs);
1899 needed += bcc * sizeof(uint8_t);
1900 if (len < needed) {
1901 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1902 __location__, (int)len, (int)needed));
1903 goto inval;
1904 }
1905
1906 /*
1907 * we allocate 2 iovec structures for words and bytes
1908 */
1909 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
1910 num_iov + 2);
1911 if (iov_tmp == NULL) {
1912 TALLOC_FREE(iov);
1913 return NT_STATUS_NO_MEMORY;
1914 }
1915 iov = iov_tmp;
1916 cur = &iov[num_iov];
1917 num_iov += 2;
1918
1919 cur[0].iov_len = wct * sizeof(uint16_t);
1920 cur[0].iov_base = hdr + (wct_ofs + sizeof(uint8_t));
1921 cur[1].iov_len = bcc * sizeof(uint8_t);
1922 cur[1].iov_base = hdr + (bcc_ofs + sizeof(uint16_t));
1923
1924 taken += needed;
1925
1926 if (!smb1cli_is_andx_req(cmd)) {
1927 /*
1928 * If the current command does not have AndX chanining
1929 * we are done.
1930 */
1931 break;
1932 }
1933
1934 if (wct == 0 && bcc == 0) {
1935 /*
1936 * An empty response also ends the chain,
1937 * most likely with an error.
1938 */
1939 break;
1940 }
1941
1942 if (wct < 2) {
1943 DEBUG(10, ("%s: wct[%d] < 2 for cmd[0x%02X]\n",
1944 __location__, (int)wct, (int)cmd));
1945 goto inval;
1946 }
1947 cmd = CVAL(cur[0].iov_base, 0);
1948 if (cmd == 0xFF) {
1949 /*
1950 * If it is the end of the chain we are also done.
1951 */
1952 break;
1953 }
1954 wct_ofs = SVAL(cur[0].iov_base, 2);
1955
1956 if (wct_ofs < taken) {
1957 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1958 }
1959 if (wct_ofs > buflen) {
1960 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1961 }
1962
1963 /*
1964 * we consumed everything up to the start of the next
1965 * parameter block.
1966 */
1967 taken = wct_ofs;
1968 }
1969
1970 remaining = buflen - taken;
1971
1972 if (remaining > 0 && num_iov >= 3) {
1973 /*
1974 * The last DATA block gets the remaining
1975 * bytes, this is needed to support
1976 * CAP_LARGE_WRITEX and CAP_LARGE_READX.
1977 */
1978 iov[num_iov-1].iov_len += remaining;
1979 }
1980
1981 *piov = iov;
1982 *pnum_iov = num_iov;
1983 return NT_STATUS_OK;
1984
1985 inval:
1986 TALLOC_FREE(iov);
1987 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1988 }
1989
1990 static NTSTATUS smb1cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
1991 TALLOC_CTX *tmp_mem,
1992 uint8_t *inbuf)
1993 {
1994 struct tevent_req *req;
1995 struct smbXcli_req_state *state;
1996 NTSTATUS status;
1997 size_t num_pending;
1998 size_t i;
1999 uint8_t cmd;
2000 uint16_t mid;
2001 bool oplock_break;
2002 uint8_t *inhdr = inbuf + NBT_HDR_SIZE;
2003 size_t len = smb_len_tcp(inbuf);
2004 struct iovec *iov = NULL;
2005 int num_iov = 0;
2006 struct tevent_req **chain = NULL;
2007 size_t num_chained = 0;
2008 size_t num_responses = 0;
2009
2010 if (conn->smb1.read_braw_req != NULL) {
2011 req = conn->smb1.read_braw_req;
2012 conn->smb1.read_braw_req = NULL;
2013 state = tevent_req_data(req, struct smbXcli_req_state);
2014
2015 smbXcli_req_unset_pending(req);
2016
2017 if (state->smb1.recv_iov == NULL) {
2018 /*
2019 * For requests with more than
2020 * one response, we have to readd the
2021 * recv_iov array.
2022 */
2023 state->smb1.recv_iov = talloc_zero_array(state,
2024 struct iovec,
2025 3);
2026 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2027 return NT_STATUS_OK;
2028 }
2029 }
2030
2031 state->smb1.recv_iov[0].iov_base = (void *)(inhdr);
2032 state->smb1.recv_iov[0].iov_len = len;
2033 ZERO_STRUCT(state->smb1.recv_iov[1]);
2034 ZERO_STRUCT(state->smb1.recv_iov[2]);
2035
2036 state->smb1.recv_cmd = SMBreadBraw;
2037 state->smb1.recv_status = NT_STATUS_OK;
2038 state->inbuf = talloc_move(state->smb1.recv_iov, &inbuf);
2039
2040 tevent_req_done(req);
2041 return NT_STATUS_OK;
2042 }
2043
2044 if ((IVAL(inhdr, 0) != SMB_MAGIC) /* 0xFF"SMB" */
2045 && (SVAL(inhdr, 0) != 0x45ff)) /* 0xFF"E" */ {
2046 DEBUG(10, ("Got non-SMB PDU\n"));
2047 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2048 }
2049
2050 /*
2051 * If we supported multiple encrytion contexts
2052 * here we'd look up based on tid.
2053 */
2054 if (common_encryption_on(conn->smb1.trans_enc)
2055 && (CVAL(inbuf, 0) == 0)) {
2056 uint16_t enc_ctx_num;
2057
2058 status = get_enc_ctx_num(inbuf, &enc_ctx_num);
2059 if (!NT_STATUS_IS_OK(status)) {
2060 DEBUG(10, ("get_enc_ctx_num returned %s\n",
2061 nt_errstr(status)));
2062 return status;
2063 }
2064
2065 if (enc_ctx_num != conn->smb1.trans_enc->enc_ctx_num) {
2066 DEBUG(10, ("wrong enc_ctx %d, expected %d\n",
2067 enc_ctx_num,
2068 conn->smb1.trans_enc->enc_ctx_num));
2069 return NT_STATUS_INVALID_HANDLE;
2070 }
2071
2072 status = common_decrypt_buffer(conn->smb1.trans_enc,
2073 (char *)inbuf);
2074 if (!NT_STATUS_IS_OK(status)) {
2075 DEBUG(10, ("common_decrypt_buffer returned %s\n",
2076 nt_errstr(status)));
2077 return status;
2078 }
2079 inhdr = inbuf + NBT_HDR_SIZE;
2080 len = smb_len_nbt(inbuf);
2081 }
2082
2083 mid = SVAL(inhdr, HDR_MID);
2084 num_pending = talloc_array_length(conn->pending);
2085
2086 for (i=0; i<num_pending; i++) {
2087 if (mid == smb1cli_req_mid(conn->pending[i])) {
2088 break;
2089 }
2090 }
2091 if (i == num_pending) {
2092 /* Dump unexpected reply */
2093 return NT_STATUS_RETRY;
2094 }
2095
2096 oplock_break = false;
2097
2098 if (mid == 0xffff) {
2099 /*
2100 * Paranoia checks that this is really an oplock break request.
2101 */
2102 oplock_break = (len == 51); /* hdr + 8 words */
2103 oplock_break &= ((CVAL(inhdr, HDR_FLG) & FLAG_REPLY) == 0);
2104 oplock_break &= (CVAL(inhdr, HDR_COM) == SMBlockingX);
2105 oplock_break &= (SVAL(inhdr, HDR_VWV+VWV(6)) == 0);
2106 oplock_break &= (SVAL(inhdr, HDR_VWV+VWV(7)) == 0);
2107
2108 if (!oplock_break) {
2109 /* Dump unexpected reply */
2110 return NT_STATUS_RETRY;
2111 }
2112 }
2113
2114 req = conn->pending[i];
2115 state = tevent_req_data(req, struct smbXcli_req_state);
2116
2117 if (!oplock_break /* oplock breaks are not signed */
2118 && !smb_signing_check_pdu(conn->smb1.signing,
2119 inhdr, len, state->smb1.seqnum+1)) {
2120 DEBUG(10, ("cli_check_sign_mac failed\n"));
2121 return NT_STATUS_ACCESS_DENIED;
2122 }
2123
2124 status = smb1cli_inbuf_parse_chain(inbuf, tmp_mem,
2125 &iov, &num_iov);
2126 if (!NT_STATUS_IS_OK(status)) {
2127 DEBUG(10,("smb1cli_inbuf_parse_chain - %s\n",
2128 nt_errstr(status)));
2129 return status;
2130 }
2131
2132 cmd = CVAL(inhdr, HDR_COM);
2133 status = smb1cli_pull_raw_error(inhdr);
2134
2135 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
2136 (state->session != NULL) && state->session->disconnect_expired)
2137 {
2138 /*
2139 * this should be a short term hack
2140 * until the upper layers have implemented
2141 * re-authentication.
2142 */
2143 return status;
2144 }
2145
2146 if (state->smb1.chained_requests == NULL) {
2147 if (num_iov != 3) {
2148 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2149 }
2150
2151 smbXcli_req_unset_pending(req);
2152
2153 if (state->smb1.recv_iov == NULL) {
2154 /*
2155 * For requests with more than
2156 * one response, we have to readd the
2157 * recv_iov array.
2158 */
2159 state->smb1.recv_iov = talloc_zero_array(state,
2160 struct iovec,
2161 3);
2162 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2163 return NT_STATUS_OK;
2164 }
2165 }
2166
2167 state->smb1.recv_cmd = cmd;
2168 state->smb1.recv_status = status;
2169 state->inbuf = talloc_move(state->smb1.recv_iov, &inbuf);
2170
2171 state->smb1.recv_iov[0] = iov[0];
2172 state->smb1.recv_iov[1] = iov[1];
2173 state->smb1.recv_iov[2] = iov[2];
2174
2175 if (talloc_array_length(conn->pending) == 0) {
2176 tevent_req_done(req);
2177 return NT_STATUS_OK;
2178 }
2179
2180 tevent_req_defer_callback(req, state->ev);
2181 tevent_req_done(req);
2182 return NT_STATUS_RETRY;
2183 }
2184
2185 chain = talloc_move(tmp_mem, &state->smb1.chained_requests);
2186 num_chained = talloc_array_length(chain);
2187 num_responses = (num_iov - 1)/2;
2188
2189 if (num_responses > num_chained) {
2190 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2191 }
2192
2193 for (i=0; i<num_chained; i++) {
2194 size_t iov_idx = 1 + (i*2);
2195 struct iovec *cur = &iov[iov_idx];
2196 uint8_t *inbuf_ref;
2197
2198 req = chain[i];
2199 state = tevent_req_data(req, struct smbXcli_req_state);
2200
2201 smbXcli_req_unset_pending(req);
2202
2203 /*
2204 * as we finish multiple requests here
2205 * we need to defer the callbacks as
2206 * they could destroy our current stack state.
2207 */
2208 tevent_req_defer_callback(req, state->ev);
2209
2210 if (i >= num_responses) {
2211 tevent_req_nterror(req, NT_STATUS_REQUEST_ABORTED);
2212 continue;
2213 }
2214
2215 if (state->smb1.recv_iov == NULL) {
2216 /*
2217 * For requests with more than
2218 * one response, we have to readd the
2219 * recv_iov array.
2220 */
2221 state->smb1.recv_iov = talloc_zero_array(state,
2222 struct iovec,
2223 3);
2224 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2225 continue;
2226 }
2227 }
2228
2229 state->smb1.recv_cmd = cmd;
2230
2231 if (i == (num_responses - 1)) {
2232 /*
2233 * The last request in the chain gets the status
2234 */
2235 state->smb1.recv_status = status;
2236 } else {
2237 cmd = CVAL(cur[0].iov_base, 0);
2238 state->smb1.recv_status = NT_STATUS_OK;
2239 }
2240
2241 state->inbuf = inbuf;
2242
2243 /*
2244 * Note: here we use talloc_reference() in a way
2245 * that does not expose it to the caller.
2246 */
2247 inbuf_ref = talloc_reference(state->smb1.recv_iov, inbuf);
2248 if (tevent_req_nomem(inbuf_ref, req)) {
2249 continue;
2250 }
2251
2252 /* copy the related buffers */
2253 state->smb1.recv_iov[0] = iov[0];
2254 state->smb1.recv_iov[1] = cur[0];
2255 state->smb1.recv_iov[2] = cur[1];
2256
2257 tevent_req_done(req);
2258 }
2259
2260 return NT_STATUS_RETRY;
2261 }
2262
2263 NTSTATUS smb1cli_req_recv(struct tevent_req *req,
2264 TALLOC_CTX *mem_ctx,
2265 struct iovec **piov,
2266 uint8_t **phdr,
2267 uint8_t *pwct,
2268 uint16_t **pvwv,
2269 uint32_t *pvwv_offset,
2270 uint32_t *pnum_bytes,
2271 uint8_t **pbytes,
2272 uint32_t *pbytes_offset,
2273 uint8_t **pinbuf,
2274 const struct smb1cli_req_expected_response *expected,
2275 size_t num_expected)
2276 {
2277 struct smbXcli_req_state *state =
2278 tevent_req_data(req,
2279 struct smbXcli_req_state);
2280 NTSTATUS status = NT_STATUS_OK;
2281 struct iovec *recv_iov = NULL;
2282 uint8_t *hdr = NULL;
2283 uint8_t wct = 0;
2284 uint32_t vwv_offset = 0;
2285 uint16_t *vwv = NULL;
2286 uint32_t num_bytes = 0;
2287 uint32_t bytes_offset = 0;
2288 uint8_t *bytes = NULL;
2289 size_t i;
2290 bool found_status = false;
2291 bool found_size = false;
2292
2293 if (piov != NULL) {
2294 *piov = NULL;
2295 }
2296 if (phdr != NULL) {
2297 *phdr = 0;
2298 }
2299 if (pwct != NULL) {
2300 *pwct = 0;
2301 }
2302 if (pvwv != NULL) {
2303 *pvwv = NULL;
2304 }
2305 if (pvwv_offset != NULL) {
2306 *pvwv_offset = 0;
2307 }
2308 if (pnum_bytes != NULL) {
2309 *pnum_bytes = 0;
2310 }
2311 if (pbytes != NULL) {
2312 *pbytes = NULL;
2313 }
2314 if (pbytes_offset != NULL) {
2315 *pbytes_offset = 0;
2316 }
2317 if (pinbuf != NULL) {
2318 *pinbuf = NULL;
2319 }
2320
2321 if (state->inbuf != NULL) {
2322 recv_iov = state->smb1.recv_iov;
2323 state->smb1.recv_iov = NULL;
2324 if (state->smb1.recv_cmd != SMBreadBraw) {
2325 hdr = (uint8_t *)recv_iov[0].iov_base;
2326 wct = recv_iov[1].iov_len/2;
2327 vwv = (uint16_t *)recv_iov[1].iov_base;
2328 vwv_offset = PTR_DIFF(vwv, hdr);
2329 num_bytes = recv_iov[2].iov_len;
2330 bytes = (uint8_t *)recv_iov[2].iov_base;
2331 bytes_offset = PTR_DIFF(bytes, hdr);
2332 }
2333 }
2334
2335 if (tevent_req_is_nterror(req, &status)) {
2336 for (i=0; i < num_expected; i++) {
2337 if (NT_STATUS_EQUAL(status, expected[i].status)) {
2338 found_status = true;
2339 break;
2340 }
2341 }
2342
2343 if (found_status) {
2344 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
2345 }
2346
2347 return status;
2348 }
2349
2350 if (num_expected == 0) {
2351 found_status = true;
2352 found_size = true;
2353 }
2354
2355 status = state->smb1.recv_status;
2356
2357 for (i=0; i < num_expected; i++) {
2358 if (!NT_STATUS_EQUAL(status, expected[i].status)) {
2359 continue;
2360 }
2361
2362 found_status = true;
2363 if (expected[i].wct == 0) {
2364 found_size = true;
2365 break;
2366 }
2367
2368 if (expected[i].wct == wct) {
2369 found_size = true;
2370 break;
2371 }
2372 }
2373
2374 if (!found_status) {
2375 return status;
2376 }
2377
2378 if (!found_size) {
2379 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2380 }
2381
2382 if (piov != NULL) {
2383 *piov = talloc_move(mem_ctx, &recv_iov);
2384 }
2385
2386 if (phdr != NULL) {
2387 *phdr = hdr;
2388 }
2389 if (pwct != NULL) {
2390 *pwct = wct;
2391 }
2392 if (pvwv != NULL) {
2393 *pvwv = vwv;
2394 }
2395 if (pvwv_offset != NULL) {
2396 *pvwv_offset = vwv_offset;
2397 }
2398 if (pnum_bytes != NULL) {
2399 *pnum_bytes = num_bytes;
2400 }
2401 if (pbytes != NULL) {
2402 *pbytes = bytes;
2403 }
2404 if (pbytes_offset != NULL) {
2405 *pbytes_offset = bytes_offset;
2406 }
2407 if (pinbuf != NULL) {
2408 *pinbuf = state->inbuf;
2409 }
2410
2411 return status;
2412 }
2413
2414 size_t smb1cli_req_wct_ofs(struct tevent_req **reqs, int num_reqs)
2415 {
2416 size_t wct_ofs;
2417 int i;
2418
2419 wct_ofs = HDR_WCT;
2420
2421 for (i=0; i<num_reqs; i++) {
2422 struct smbXcli_req_state *state;
2423 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2424 wct_ofs += smbXcli_iov_len(state->smb1.iov+2,
2425 state->smb1.iov_count-2);
2426 wct_ofs = (wct_ofs + 3) & ~3;
2427 }
2428 return wct_ofs;
2429 }
2430
2431 NTSTATUS smb1cli_req_chain_submit(struct tevent_req **reqs, int num_reqs)
2432 {
2433 struct smbXcli_req_state *first_state =
2434 tevent_req_data(reqs[0],
2435 struct smbXcli_req_state);
2436 struct smbXcli_req_state *state;
2437 size_t wct_offset;
2438 size_t chain_padding = 0;
2439 int i, iovlen;
2440 struct iovec *iov = NULL;
2441 struct iovec *this_iov;
2442 NTSTATUS status;
2443 ssize_t nbt_len;
2444
2445 if (num_reqs == 1) {
2446 return smb1cli_req_writev_submit(reqs[0], first_state,
2447 first_state->smb1.iov,
2448 first_state->smb1.iov_count);
2449 }
2450
2451 iovlen = 0;
2452 for (i=0; i<num_reqs; i++) {
2453 if (!tevent_req_is_in_progress(reqs[i])) {
2454 return NT_STATUS_INTERNAL_ERROR;
2455 }
2456
2457 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2458
2459 if (state->smb1.iov_count < 4) {
2460 return NT_STATUS_INVALID_PARAMETER_MIX;
2461 }
2462
2463 if (i == 0) {
2464 /*
2465 * The NBT and SMB header
2466 */
2467 iovlen += 2;
2468 } else {
2469 /*
2470 * Chain padding
2471 */
2472 iovlen += 1;
2473 }
2474
2475 /*
2476 * words and bytes
2477 */
2478 iovlen += state->smb1.iov_count - 2;
2479 }
2480
2481 iov = talloc_zero_array(first_state, struct iovec, iovlen);
2482 if (iov == NULL) {
2483 return NT_STATUS_NO_MEMORY;
2484 }
2485
2486 first_state->smb1.chained_requests = (struct tevent_req **)talloc_memdup(
2487 first_state, reqs, sizeof(*reqs) * num_reqs);
2488 if (first_state->smb1.chained_requests == NULL) {
2489 TALLOC_FREE(iov);
2490 return NT_STATUS_NO_MEMORY;
2491 }
2492
2493 wct_offset = HDR_WCT;
2494 this_iov = iov;
2495
2496 for (i=0; i<num_reqs; i++) {
2497 size_t next_padding = 0;
2498 uint16_t *vwv;
2499
2500 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2501
2502 if (i < num_reqs-1) {
2503 if (!smb1cli_is_andx_req(CVAL(state->smb1.hdr, HDR_COM))
2504 || CVAL(state->smb1.hdr, HDR_WCT) < 2) {
2505 TALLOC_FREE(iov);
2506 TALLOC_FREE(first_state->smb1.chained_requests);
2507 return NT_STATUS_INVALID_PARAMETER_MIX;
2508 }
2509 }
2510
2511 wct_offset += smbXcli_iov_len(state->smb1.iov+2,
2512 state->smb1.iov_count-2) + 1;
2513 if ((wct_offset % 4) != 0) {
2514 next_padding = 4 - (wct_offset % 4);
2515 }
2516 wct_offset += next_padding;
2517 vwv = state->smb1.vwv;
2518
2519 if (i < num_reqs-1) {
2520 struct smbXcli_req_state *next_state =
2521 tevent_req_data(reqs[i+1],
2522 struct smbXcli_req_state);
2523 SCVAL(vwv+0, 0, CVAL(next_state->smb1.hdr, HDR_COM));
2524 SCVAL(vwv+0, 1, 0);
2525 SSVAL(vwv+1, 0, wct_offset);
2526 } else if (smb1cli_is_andx_req(CVAL(state->smb1.hdr, HDR_COM))) {
2527 /* properly end the chain */
2528 SCVAL(vwv+0, 0, 0xff);
2529 SCVAL(vwv+0, 1, 0xff);
2530 SSVAL(vwv+1, 0, 0);
2531 }
2532
2533 if (i == 0) {
2534 /*
2535 * The NBT and SMB header
2536 */
2537 this_iov[0] = state->smb1.iov[0];
2538 this_iov[1] = state->smb1.iov[1];
2539 this_iov += 2;
2540 } else {
2541 /*
2542 * This one is a bit subtle. We have to add
2543 * chain_padding bytes between the requests, and we
2544 * have to also include the wct field of the
2545 * subsequent requests. We use the subsequent header
2546 * for the padding, it contains the wct field in its
2547 * last byte.
2548 */
2549 this_iov[0].iov_len = chain_padding+1;
2550 this_iov[0].iov_base = (void *)&state->smb1.hdr[
2551 sizeof(state->smb1.hdr) - this_iov[0].iov_len];
2552 memset(this_iov[0].iov_base, 0, this_iov[0].iov_len-1);
2553 this_iov += 1;
2554 }
2555
2556 /*
2557 * copy the words and bytes
2558 */
2559 memcpy(this_iov, state->smb1.iov+2,
2560 sizeof(struct iovec) * (state->smb1.iov_count-2));
2561 this_iov += state->smb1.iov_count - 2;
2562 chain_padding = next_padding;
2563 }
2564
2565 nbt_len = iov_buflen(&iov[1], iovlen-1);
2566 if ((nbt_len == -1) || (nbt_len > first_state->conn->smb1.max_xmit)) {
2567 TALLOC_FREE(iov);
2568 TALLOC_FREE(first_state->smb1.chained_requests);
2569 return NT_STATUS_INVALID_PARAMETER_MIX;
2570 }
2571
2572 status = smb1cli_req_writev_submit(reqs[0], first_state, iov, iovlen);
2573 if (!NT_STATUS_IS_OK(status)) {
2574 TALLOC_FREE(iov);
2575 TALLOC_FREE(first_state->smb1.chained_requests);
2576 return status;
2577 }
2578
2579 return NT_STATUS_OK;
2580 }
2581
2582 bool smbXcli_conn_has_async_calls(struct smbXcli_conn *conn)
2583 {
2584 return ((tevent_queue_length(conn->outgoing) != 0)
2585 || (talloc_array_length(conn->pending) != 0));
2586 }
2587
2588 bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn)
2589 {
2590 if (conn->protocol >= PROTOCOL_SMB2_02) {
2591 return (smb2cli_conn_server_capabilities(conn) & SMB2_CAP_DFS);
2592 }
2593
2594 return (smb1cli_conn_capabilities(conn) & CAP_DFS);
2595 }
2596
2597 bool smb2cli_conn_req_possible(struct smbXcli_conn *conn, uint32_t *max_dyn_len)
2598 {
2599 uint16_t credits = 1;
2600
2601 if (conn->smb2.cur_credits == 0) {
2602 if (max_dyn_len != NULL) {
2603 *max_dyn_len = 0;
2604 }
2605 return false;
2606 }
2607
2608 if (conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
2609 credits = conn->smb2.cur_credits;
2610 }
2611
2612 if (max_dyn_len != NULL) {
2613 *max_dyn_len = credits * 65536;
2614 }
2615
2616 return true;
2617 }
2618
2619 uint32_t smb2cli_conn_server_capabilities(struct smbXcli_conn *conn)
2620 {
2621 return conn->smb2.server.capabilities;
2622 }
2623
2624 uint16_t smb2cli_conn_server_security_mode(struct smbXcli_conn *conn)
2625 {
2626 return conn->smb2.server.security_mode;
2627 }
2628
2629 uint32_t smb2cli_conn_max_trans_size(struct smbXcli_conn *conn)
2630 {
2631 return conn->smb2.server.max_trans_size;
2632 }
2633
2634 uint32_t smb2cli_conn_max_read_size(struct smbXcli_conn *conn)
2635 {
2636 return conn->smb2.server.max_read_size;
2637 }
2638
2639 uint32_t smb2cli_conn_max_write_size(struct smbXcli_conn *conn)
2640 {
2641 return conn->smb2.server.max_write_size;
2642 }
2643
2644 void smb2cli_conn_set_max_credits(struct smbXcli_conn *conn,
2645 uint16_t max_credits)
2646 {
2647 conn->smb2.max_credits = max_credits;
2648 }
2649
2650 uint8_t smb2cli_conn_get_io_priority(struct smbXcli_conn *conn)
2651 {
2652 if (conn->protocol < PROTOCOL_SMB3_11) {
2653 return 0;
2654 }
2655
2656 return conn->smb2.io_priority;
2657 }
2658
2659 void smb2cli_conn_set_io_priority(struct smbXcli_conn *conn,
2660 uint8_t io_priority)
2661 {
2662 conn->smb2.io_priority = io_priority;
2663 }
2664
2665 uint32_t smb2cli_conn_cc_chunk_len(struct smbXcli_conn *conn)
2666 {
2667 return conn->smb2.cc_chunk_len;
2668 }
2669
2670 void smb2cli_conn_set_cc_chunk_len(struct smbXcli_conn *conn,
2671 uint32_t chunk_len)
2672 {
2673 conn->smb2.cc_chunk_len = chunk_len;
2674 }
2675
2676 uint32_t smb2cli_conn_cc_max_chunks(struct smbXcli_conn *conn)
2677 {
2678 return conn->smb2.cc_max_chunks;
2679 }
2680
2681 void smb2cli_conn_set_cc_max_chunks(struct smbXcli_conn *conn,
2682 uint32_t max_chunks)
2683 {
2684 conn->smb2.cc_max_chunks = max_chunks;
2685 }
2686
2687 static void smb2cli_req_cancel_done(struct tevent_req *subreq);
2688
2689 static bool smb2cli_req_cancel(struct tevent_req *req)
2690 {
2691 struct smbXcli_req_state *state =
2692 tevent_req_data(req,
2693 struct smbXcli_req_state);
2694 struct smbXcli_tcon *tcon = state->tcon;
2695 struct smbXcli_session *session = state->session;
2696 uint8_t *fixed = state->smb2.pad;
2697 uint16_t fixed_len = 4;
2698 struct tevent_req *subreq;
2699 struct smbXcli_req_state *substate;
2700 NTSTATUS status;
2701
2702 SSVAL(fixed, 0, 0x04);
2703 SSVAL(fixed, 2, 0);
2704
2705 subreq = smb2cli_req_create(state, state->ev,
2706 state->conn,
2707 SMB2_OP_CANCEL,
2708 0, 0, /* flags */
2709 0, /* timeout */
2710 tcon, session,
2711 fixed, fixed_len,
2712 NULL, 0, 0);
2713 if (subreq == NULL) {
2714 return false;
2715 }
2716 substate = tevent_req_data(subreq, struct smbXcli_req_state);
2717
2718 SIVAL(substate->smb2.hdr, SMB2_HDR_FLAGS, state->smb2.cancel_flags);
2719 SBVAL(substate->smb2.hdr, SMB2_HDR_MESSAGE_ID, state->smb2.cancel_mid);
2720 SBVAL(substate->smb2.hdr, SMB2_HDR_ASYNC_ID, state->smb2.cancel_aid);
2721
2722 status = smb2cli_req_compound_submit(&subreq, 1);
2723 if (!NT_STATUS_IS_OK(status)) {
2724 TALLOC_FREE(subreq);
2725 return false;
2726 }
2727
2728 tevent_req_set_callback(subreq, smb2cli_req_cancel_done, NULL);
2729
2730 return true;
2731 }
2732
2733 static void smb2cli_req_cancel_done(struct tevent_req *subreq)
2734 {
2735 /* we do not care about the result */
2736 TALLOC_FREE(subreq);
2737 }
2738
2739 struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
2740 struct tevent_context *ev,
2741 struct smbXcli_conn *conn,
2742 uint16_t cmd,
2743 uint32_t additional_flags,
2744 uint32_t clear_flags,
2745 uint32_t timeout_msec,
2746 struct smbXcli_tcon *tcon,
2747 struct smbXcli_session *session,
2748 const uint8_t *fixed,
2749 uint16_t fixed_len,
2750 const uint8_t *dyn,
2751 uint32_t dyn_len,
2752 uint32_t max_dyn_len)
2753 {
2754 struct tevent_req *req;
2755 struct smbXcli_req_state *state;
2756 uint32_t flags = 0;
2757 uint32_t tid = 0;
2758 uint64_t uid = 0;
2759 bool use_channel_sequence = false;
2760 uint16_t channel_sequence = 0;
2761 bool use_replay_flag = false;
2762
2763 req = tevent_req_create(mem_ctx, &state,
2764 struct smbXcli_req_state);
2765 if (req == NULL) {
2766 return NULL;
2767 }
2768
2769 state->ev = ev;
2770 state->conn = conn;
2771 state->session = session;
2772 state->tcon = tcon;
2773
2774 if (conn->smb2.server.capabilities & SMB2_CAP_PERSISTENT_HANDLES) {
2775 use_channel_sequence = true;
2776 } else if (conn->smb2.server.capabilities & SMB2_CAP_MULTI_CHANNEL) {
2777 use_channel_sequence = true;
2778 }
2779
2780 if (smbXcli_conn_protocol(conn) >= PROTOCOL_SMB3_00) {
2781 use_replay_flag = true;
2782 }
2783
2784 if (smbXcli_conn_protocol(conn) >= PROTOCOL_SMB3_11) {
2785 flags |= SMB2_PRIORITY_VALUE_TO_MASK(conn->smb2.io_priority);
2786 }
2787
2788 if (session) {
2789 uid = session->smb2->session_id;
2790
2791 if (use_channel_sequence) {
2792 channel_sequence = session->smb2->channel_sequence;
2793 }
2794
2795 if (use_replay_flag && session->smb2->replay_active) {
2796 additional_flags |= SMB2_HDR_FLAG_REPLAY_OPERATION;
2797 }
2798
2799 state->smb2.should_sign = session->smb2->should_sign;
2800 state->smb2.should_encrypt = session->smb2->should_encrypt;
2801
2802 if (cmd == SMB2_OP_SESSSETUP &&
2803 session->smb2_channel.signing_key.length == 0 &&
2804 session->smb2->signing_key.length != 0)
2805 {
2806 /*
2807 * a session bind needs to be signed
2808 */
2809 state->smb2.should_sign = true;
2810 }
2811
2812 if (cmd == SMB2_OP_SESSSETUP &&
2813 session->smb2_channel.signing_key.length == 0) {
2814 state->smb2.should_encrypt = false;
2815 }
2816
2817 if (additional_flags & SMB2_HDR_FLAG_SIGNED) {
2818 if (session->smb2_channel.signing_key.length == 0) {
2819 tevent_req_nterror(req, NT_STATUS_NO_USER_SESSION_KEY);
2820 return req;
2821 }
2822
2823 additional_flags &= ~SMB2_HDR_FLAG_SIGNED;
2824 state->smb2.should_sign = true;
2825 }
2826 }
2827
2828 if (tcon) {
2829 tid = tcon->smb2.tcon_id;
2830
2831 if (tcon->smb2.should_sign) {
2832 state->smb2.should_sign = true;
2833 }
2834 if (tcon->smb2.should_encrypt) {
2835 state->smb2.should_encrypt = true;
2836 }
2837 }
2838
2839 if (state->smb2.should_encrypt) {
2840 state->smb2.should_sign = false;
2841 }
2842
2843 state->smb2.recv_iov = talloc_zero_array(state, struct iovec, 3);
2844 if (state->smb2.recv_iov == NULL) {
2845 TALLOC_FREE(req);
2846 return NULL;
2847 }
2848
2849 flags |= additional_flags;
2850 flags &= ~clear_flags;
2851
2852 state->smb2.fixed = fixed;
2853 state->smb2.fixed_len = fixed_len;
2854 state->smb2.dyn = dyn;
2855 state->smb2.dyn_len = dyn_len;
2856 state->smb2.max_dyn_len = max_dyn_len;
2857
2858 if (state->smb2.should_encrypt) {
2859 SIVAL(state->smb2.transform, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
2860 SBVAL(state->smb2.transform, SMB2_TF_SESSION_ID, uid);
2861 }
2862
2863 SIVAL(state->smb2.hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
2864 SSVAL(state->smb2.hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
2865 SSVAL(state->smb2.hdr, SMB2_HDR_OPCODE, cmd);
2866 SSVAL(state->smb2.hdr, SMB2_HDR_CHANNEL_SEQUENCE, channel_sequence);
2867 SIVAL(state->smb2.hdr, SMB2_HDR_FLAGS, flags);
2868 SIVAL(state->smb2.hdr, SMB2_HDR_PID, 0); /* reserved */
2869 SIVAL(state->smb2.hdr, SMB2_HDR_TID, tid);
2870 SBVAL(state->smb2.hdr, SMB2_HDR_SESSION_ID, uid);
2871
2872 switch (cmd) {
2873 case SMB2_OP_CANCEL:
2874 state->one_way = true;
2875 break;
2876 case SMB2_OP_BREAK:
2877 /*
2878 * If this is a dummy request, it will have
2879 * UINT64_MAX as message id.
2880 * If we send on break acknowledgement,
2881 * this gets overwritten later.
2882 */
2883 SBVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID, UINT64_MAX);
2884 break;
2885 }
2886
2887 if (timeout_msec > 0) {
2888 struct timeval endtime;
2889
2890 endtime = timeval_current_ofs_msec(timeout_msec);
2891 if (!tevent_req_set_endtime(req, ev, endtime)) {
2892 return req;
2893 }
2894 }
2895
2896 return req;
2897 }
2898
2899 void smb2cli_req_set_notify_async(struct tevent_req *req)
2900 {
2901 struct smbXcli_req_state *state =
2902 tevent_req_data(req,
2903 struct smbXcli_req_state);
2904
2905 state->smb2.notify_async = true;
2906 }
2907
2908 static void smb2cli_req_writev_done(struct tevent_req *subreq);
2909 static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
2910 TALLOC_CTX *tmp_mem,
2911 uint8_t *inbuf);
2912
2913 NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs,
2914 int num_reqs)
2915 {
2916 struct smbXcli_req_state *state;
2917 struct tevent_req *subreq;
2918 struct iovec *iov;
2919 int i, num_iov, nbt_len;
2920 int tf_iov = -1;
2921 const DATA_BLOB *encryption_key = NULL;
2922 uint64_t encryption_session_id = 0;
2923 uint64_t nonce_high = UINT64_MAX;
2924 uint64_t nonce_low = UINT64_MAX;
2925
2926 /*
2927 * 1 for the nbt length, optional TRANSFORM
2928 * per request: HDR, fixed, dyn, padding
2929 * -1 because the last one does not need padding
2930 */
2931
2932 iov = talloc_array(reqs[0], struct iovec, 1 + 1 + 4*num_reqs - 1);
2933 if (iov == NULL) {
2934 return NT_STATUS_NO_MEMORY;
2935 }
2936
2937 num_iov = 1;
2938 nbt_len = 0;
2939
2940 /*
2941 * the session of the first request that requires encryption
2942 * specifies the encryption key.
2943 */
2944 for (i=0; i<num_reqs; i++) {
2945 if (!tevent_req_is_in_progress(reqs[i])) {
2946 return NT_STATUS_INTERNAL_ERROR;
2947 }
2948
2949 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2950
2951 if (!smbXcli_conn_is_connected(state->conn)) {
2952 return NT_STATUS_CONNECTION_DISCONNECTED;
2953 }
2954
2955 if ((state->conn->protocol != PROTOCOL_NONE) &&
2956 (state->conn->protocol < PROTOCOL_SMB2_02)) {
2957 return NT_STATUS_REVISION_MISMATCH;
2958 }
2959
2960 if (state->session == NULL) {
2961 continue;
2962 }
2963
2964 if (!state->smb2.should_encrypt) {
2965 continue;
2966 }
2967
2968 encryption_key = &state->session->smb2->encryption_key;
2969 if (encryption_key->length == 0) {
2970 return NT_STATUS_INVALID_PARAMETER_MIX;
2971 }
2972
2973 encryption_session_id = state->session->smb2->session_id;
2974
2975 state->session->smb2->nonce_low += 1;
2976 if (state->session->smb2->nonce_low == 0) {
2977 state->session->smb2->nonce_high += 1;
2978 state->session->smb2->nonce_low += 1;
2979 }
2980
2981 /*
2982 * CCM and GCM algorithms must never have their
2983 * nonce wrap, or the security of the whole
2984 * communication and the keys is destroyed.
2985 * We must drop the connection once we have
2986 * transfered too much data.
2987 *
2988 * NOTE: We assume nonces greater than 8 bytes.
2989 */
2990 if (state->session->smb2->nonce_high >=
2991 state->session->smb2->nonce_high_max)
2992 {
2993 return NT_STATUS_ENCRYPTION_FAILED;
2994 }
2995
2996 nonce_high = state->session->smb2->nonce_high_random;
2997 nonce_high += state->session->smb2->nonce_high;
2998 nonce_low = state->session->smb2->nonce_low;
2999
3000 tf_iov = num_iov;
3001 iov[num_iov].iov_base = state->smb2.transform;
3002 iov[num_iov].iov_len = sizeof(state->smb2.transform);
3003 num_iov += 1;
3004
3005 SBVAL(state->smb2.transform, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
3006 SBVAL(state->smb2.transform, SMB2_TF_NONCE,
3007 nonce_low);
3008 SBVAL(state->smb2.transform, SMB2_TF_NONCE+8,
3009 nonce_high);
3010 SBVAL(state->smb2.transform, SMB2_TF_SESSION_ID,
3011 encryption_session_id);
3012
3013 nbt_len += SMB2_TF_HDR_SIZE;
3014 break;
3015 }
3016
3017 for (i=0; i<num_reqs; i++) {
3018 int hdr_iov;
3019 size_t reqlen;
3020 bool ret;
3021 uint16_t opcode;
3022 uint64_t avail;
3023 uint16_t charge;
3024 uint16_t credits;
3025 uint64_t mid;
3026 const DATA_BLOB *signing_key = NULL;
3027
3028 if (!tevent_req_is_in_progress(reqs[i])) {
3029 return NT_STATUS_INTERNAL_ERROR;
3030 }
3031
3032 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
3033
3034 if (!smbXcli_conn_is_connected(state->conn)) {
3035 return NT_STATUS_CONNECTION_DISCONNECTED;
3036 }
3037
3038 if ((state->conn->protocol != PROTOCOL_NONE) &&
3039 (state->conn->protocol < PROTOCOL_SMB2_02)) {
3040 return NT_STATUS_REVISION_MISMATCH;
3041 }
3042
3043 opcode = SVAL(state->smb2.hdr, SMB2_HDR_OPCODE);
3044 if (opcode == SMB2_OP_CANCEL) {
3045 goto skip_credits;
3046 }
3047
3048 avail = UINT64_MAX - state->conn->smb2.mid;
3049 if (avail < 1) {
3050 return NT_STATUS_CONNECTION_ABORTED;
3051 }
3052
3053 if (state->conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
3054 uint32_t max_dyn_len = 1;
3055
3056 max_dyn_len = MAX(max_dyn_len, state->smb2.dyn_len);
3057 max_dyn_len = MAX(max_dyn_len, state->smb2.max_dyn_len);
3058
3059 charge = (max_dyn_len - 1)/ 65536 + 1;
3060 } else {
3061 charge = 1;
3062 }
3063
3064 charge = MAX(state->smb2.credit_charge, charge);
3065
3066 avail = MIN(avail, state->conn->smb2.cur_credits);
3067 if (avail < charge) {
3068 return NT_STATUS_INTERNAL_ERROR;
3069 }
3070
3071 credits = 0;
3072 if (state->conn->smb2.max_credits > state->conn->smb2.cur_credits) {
3073 credits = state->conn->smb2.max_credits -
3074 state->conn->smb2.cur_credits;
3075 }
3076 if (state->conn->smb2.max_credits >= state->conn->smb2.cur_credits) {
3077 credits += 1;
3078 }
3079
3080 mid = state->conn->smb2.mid;
3081 state->conn->smb2.mid += charge;
3082 state->conn->smb2.cur_credits -= charge;
3083
3084 if (state->conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
3085 SSVAL(state->smb2.hdr, SMB2_HDR_CREDIT_CHARGE, charge);
3086 }
3087 SSVAL(state->smb2.hdr, SMB2_HDR_CREDIT, credits);
3088 SBVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID, mid);
3089
3090 state->smb2.cancel_flags = 0;
3091 state->smb2.cancel_mid = mid;
3092 state->smb2.cancel_aid = 0;
3093
3094 skip_credits:
3095 if (state->session && encryption_key == NULL) {
3096 /*
3097 * We prefer the channel signing key if it is
3098 * already there.
3099 */
3100 if (state->smb2.should_sign) {
3101 signing_key = &state->session->smb2_channel.signing_key;
3102 }
3103
3104 /*
3105 * If it is a channel binding, we already have the main
3106 * signing key and try that one.
3107 */
3108 if (signing_key && signing_key->length == 0) {
3109 signing_key = &state->session->smb2->signing_key;
3110 }
3111
3112 /*
3113 * If we do not have any session key yet, we skip the
3114 * signing of SMB2_OP_SESSSETUP requests.
3115 */
3116 if (signing_key && signing_key->length == 0) {
3117 signing_key = NULL;
3118 }
3119 }
3120
3121 hdr_iov = num_iov;
3122 iov[num_iov].iov_base = state->smb2.hdr;
3123 iov[num_iov].iov_len = sizeof(state->smb2.hdr);
3124 num_iov += 1;
3125
3126 iov[num_iov].iov_base = discard_const(state->smb2.fixed);
3127 iov[num_iov].iov_len = state->smb2.fixed_len;
3128 num_iov += 1;
3129
3130 if (state->smb2.dyn != NULL) {
3131 iov[num_iov].iov_base = discard_const(state->smb2.dyn);
3132 iov[num_iov].iov_len = state->smb2.dyn_len;
3133 num_iov += 1;
3134 }
3135
3136 reqlen = sizeof(state->smb2.hdr);
3137 reqlen += state->smb2.fixed_len;
3138 reqlen += state->smb2.dyn_len;
3139
3140 if (i < num_reqs-1) {
3141 if ((reqlen % 8) > 0) {
3142 uint8_t pad = 8 - (reqlen % 8);
3143 iov[num_iov].iov_base = state->smb2.pad;
3144 iov[num_iov].iov_len = pad;
3145 num_iov += 1;
3146 reqlen += pad;
3147 }
3148 SIVAL(state->smb2.hdr, SMB2_HDR_NEXT_COMMAND, reqlen);
3149 }
3150
3151 state->smb2.encryption_session_id = encryption_session_id;
3152
3153 if (signing_key != NULL) {
3154 NTSTATUS status;
3155
3156 status = smb2_signing_sign_pdu(*signing_key,
3157 state->session->conn->protocol,
3158 &iov[hdr_iov], num_iov - hdr_iov);
3159 if (!NT_STATUS_IS_OK(status)) {
3160 return status;
3161 }
3162 }
3163
3164 nbt_len += reqlen;
3165
3166 ret = smbXcli_req_set_pending(reqs[i]);
3167 if (!ret) {
3168 return NT_STATUS_NO_MEMORY;
3169 }
3170 }
3171
3172 state = tevent_req_data(reqs[0], struct smbXcli_req_state);
3173 _smb_setlen_tcp(state->length_hdr, nbt_len);
3174 iov[0].iov_base = state->length_hdr;
3175 iov[0].iov_len = sizeof(state->length_hdr);
3176
3177 if (encryption_key != NULL) {
3178 NTSTATUS status;
3179 size_t buflen = nbt_len - SMB2_TF_HDR_SIZE;
3180 uint8_t *buf;
3181 int vi;
3182
3183 buf = talloc_array(iov, uint8_t, buflen);
3184 if (buf == NULL) {
3185 return NT_STATUS_NO_MEMORY;
3186 }
3187
3188 /*
3189 * We copy the buffers before encrypting them,
3190 * this is at least currently needed for the
3191 * to keep state->smb2.hdr.
3192 *
3193 * Also the callers may expect there buffers
3194 * to be const.
3195 */
3196 for (vi = tf_iov + 1; vi < num_iov; vi++) {
3197 struct iovec *v = &iov[vi];
3198 const uint8_t *o = (const uint8_t *)v->iov_base;
3199
3200 memcpy(buf, o, v->iov_len);
3201 v->iov_base = (void *)buf;
3202 buf += v->iov_len;
3203 }
3204
3205 status = smb2_signing_encrypt_pdu(*encryption_key,
3206 state->conn->smb2.server.cipher,
3207 &iov[tf_iov], num_iov - tf_iov);
3208 if (!NT_STATUS_IS_OK(status)) {
3209 return status;
3210 }
3211 }
3212
3213 if (state->conn->dispatch_incoming == NULL) {
3214 state->conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
3215 }
3216
3217 subreq = writev_send(state, state->ev, state->conn->outgoing,
3218 state->conn->sock_fd, false, iov, num_iov);
3219 if (subreq == NULL) {
3220 return NT_STATUS_NO_MEMORY;
3221 }
3222 tevent_req_set_callback(subreq, smb2cli_req_writev_done, reqs[0]);
3223 state->write_req = subreq;
3224
3225 return NT_STATUS_OK;
3226 }
3227
3228 void smb2cli_req_set_credit_charge(struct tevent_req *req, uint16_t charge)
3229 {
3230 struct smbXcli_req_state *state =
3231 tevent_req_data(req,
3232 struct smbXcli_req_state);
3233
3234 state->smb2.credit_charge = charge;
3235 }
3236
3237 struct tevent_req *smb2cli_req_send(TALLOC_CTX *mem_ctx,
3238 struct tevent_context *ev,
3239 struct smbXcli_conn *conn,
3240 uint16_t cmd,
3241 uint32_t additional_flags,
3242 uint32_t clear_flags,
3243 uint32_t timeout_msec,
3244 struct smbXcli_tcon *tcon,
3245 struct smbXcli_session *session,
3246 const uint8_t *fixed,
3247 uint16_t fixed_len,
3248 const uint8_t *dyn,
3249 uint32_t dyn_len,
3250 uint32_t max_dyn_len)
3251 {
3252 struct tevent_req *req;
3253 NTSTATUS status;
3254
3255 req = smb2cli_req_create(mem_ctx, ev, conn, cmd,
3256 additional_flags, clear_flags,
3257 timeout_msec,
3258 tcon, session,
3259 fixed, fixed_len,
3260 dyn, dyn_len,
3261 max_dyn_len);
3262 if (req == NULL) {
3263 return NULL;
3264 }
3265 if (!tevent_req_is_in_progress(req)) {
3266 return tevent_req_post(req, ev);
3267 }
3268 status = smb2cli_req_compound_submit(&req, 1);
3269 if (tevent_req_nterror(req, status)) {
3270 return tevent_req_post(req, ev);
3271 }
3272 return req;
3273 }
3274
3275 static void smb2cli_req_writev_done(struct tevent_req *subreq)
3276 {
3277 struct tevent_req *req =
3278 tevent_req_callback_data(subreq,
3279 struct tevent_req);
3280 struct smbXcli_req_state *state =
3281 tevent_req_data(req,
3282 struct smbXcli_req_state);
3283 ssize_t nwritten;
3284 int err;
3285
3286 state->write_req = NULL;
3287
3288 nwritten = writev_recv(subreq, &err);
3289 TALLOC_FREE(subreq);
3290 if (nwritten == -1) {
3291 /* here, we need to notify all pending requests */
3292 NTSTATUS status = map_nt_error_from_unix_common(err);
3293 smbXcli_conn_disconnect(state->conn, status);
3294 return;
3295 }
3296 }
3297
3298 static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
3299 uint8_t *buf,
3300 size_t buflen,
3301 TALLOC_CTX *mem_ctx,
3302 struct iovec **piov, int *pnum_iov)
3303 {
3304 struct iovec *iov;
3305 int num_iov = 0;
3306 size_t taken = 0;
3307 uint8_t *first_hdr = buf;
3308 size_t verified_buflen = 0;
3309 uint8_t *tf = NULL;
3310 size_t tf_len = 0;
3311
3312 iov = talloc_array(mem_ctx, struct iovec, num_iov);
3313 if (iov == NULL) {
3314 return NT_STATUS_NO_MEMORY;
3315 }
3316
3317 while (taken < buflen) {
3318 size_t len = buflen - taken;
3319 uint8_t *hdr = first_hdr + taken;
3320 struct iovec *cur;
3321 size_t full_size;
3322 size_t next_command_ofs;
3323 uint16_t body_size;
3324 struct iovec *iov_tmp;
3325
3326 if (verified_buflen > taken) {
3327 len = verified_buflen - taken;
3328 } else {
3329 tf = NULL;
3330 tf_len = 0;
3331 }
3332
3333 if (len < 4) {
3334 DEBUG(10, ("%d bytes left, expected at least %d\n",
3335 (int)len, 4));
3336 goto inval;
3337 }
3338 if (IVAL(hdr, 0) == SMB2_TF_MAGIC) {
3339 struct smbXcli_session *s;
3340 uint64_t uid;
3341 struct iovec tf_iov[2];
3342 size_t enc_len;
3343 NTSTATUS status;
3344
3345 if (len < SMB2_TF_HDR_SIZE) {
3346 DEBUG(10, ("%d bytes left, expected at least %d\n",
3347 (int)len, SMB2_TF_HDR_SIZE));
3348 goto inval;
3349 }
3350 tf = hdr;
3351 tf_len = SMB2_TF_HDR_SIZE;
3352 taken += tf_len;
3353
3354 hdr = first_hdr + taken;
3355 enc_len = IVAL(tf, SMB2_TF_MSG_SIZE);
3356 uid = BVAL(tf, SMB2_TF_SESSION_ID);
3357
3358 if (len < SMB2_TF_HDR_SIZE + enc_len) {
3359 DEBUG(10, ("%d bytes left, expected at least %d\n",
3360 (int)len,
3361 (int)(SMB2_TF_HDR_SIZE + enc_len)));
3362 goto inval;
3363 }
3364
3365 s = conn->sessions;
3366 for (; s; s = s->next) {
3367 if (s->smb2->session_id != uid) {
3368 continue;
3369 }
3370 break;
3371 }
3372
3373 if (s == NULL) {
3374 DEBUG(10, ("unknown session_id %llu\n",
3375 (unsigned long long)uid));
3376 goto inval;
3377 }
3378
3379 tf_iov[0].iov_base = (void *)tf;
3380 tf_iov[0].iov_len = tf_len;
3381 tf_iov[1].iov_base = (void *)hdr;
3382 tf_iov[1].iov_len = enc_len;
3383
3384 status = smb2_signing_decrypt_pdu(s->smb2->decryption_key,
3385 conn->smb2.server.cipher,
3386 tf_iov, 2);
3387 if (!NT_STATUS_IS_OK(status)) {
3388 TALLOC_FREE(iov);
3389 return status;
3390 }
3391
3392 verified_buflen = taken + enc_len;
3393 len = enc_len;
3394 }
3395
3396 /*
3397 * We need the header plus the body length field
3398 */
3399
3400 if (len < SMB2_HDR_BODY + 2) {
3401 DEBUG(10, ("%d bytes left, expected at least %d\n",
3402 (int)len, SMB2_HDR_BODY));
3403 goto inval;
3404 }
3405 if (IVAL(hdr, 0) != SMB2_MAGIC) {
3406 DEBUG(10, ("Got non-SMB2 PDU: %x\n",
3407 IVAL(hdr, 0)));
3408 goto inval;
3409 }
3410 if (SVAL(hdr, 4) != SMB2_HDR_BODY) {
3411 DEBUG(10, ("Got HDR len %d, expected %d\n",
3412 SVAL(hdr, 4), SMB2_HDR_BODY));
3413 goto inval;
3414 }
3415
3416 full_size = len;
3417 next_command_ofs = IVAL(hdr, SMB2_HDR_NEXT_COMMAND);
3418 body_size = SVAL(hdr, SMB2_HDR_BODY);
3419
3420 if (next_command_ofs != 0) {
3421 if (next_command_ofs < (SMB2_HDR_BODY + 2)) {
3422 goto inval;
3423 }
3424 if (next_command_ofs > full_size) {
3425 goto inval;
3426 }
3427 full_size = next_command_ofs;
3428 }
3429 if (body_size < 2) {
3430 goto inval;
3431 }
3432 body_size &= 0xfffe;
3433
3434 if (body_size > (full_size - SMB2_HDR_BODY)) {
3435 goto inval;
3436 }
3437
3438 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
3439 num_iov + 4);
3440 if (iov_tmp == NULL) {
3441 TALLOC_FREE(iov);
3442 return NT_STATUS_NO_MEMORY;
3443 }
3444 iov = iov_tmp;
3445 cur = &iov[num_iov];
3446 num_iov += 4;
3447
3448 cur[0].iov_base = tf;
3449 cur[0].iov_len = tf_len;
3450 cur[1].iov_base = hdr;
3451 cur[1].iov_len = SMB2_HDR_BODY;
3452 cur[2].iov_base = hdr + SMB2_HDR_BODY;
3453 cur[2].iov_len = body_size;
3454 cur[3].iov_base = hdr + SMB2_HDR_BODY + body_size;
3455 cur[3].iov_len = full_size - (SMB2_HDR_BODY + body_size);
3456
3457 taken += full_size;
3458 }
3459
3460 *piov = iov;
3461 *pnum_iov = num_iov;
3462 return NT_STATUS_OK;
3463
3464 inval:
3465 TALLOC_FREE(iov);
3466 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3467 }
3468
3469 static struct tevent_req *smb2cli_conn_find_pending(struct smbXcli_conn *conn,
3470 uint64_t mid)
3471 {
3472 size_t num_pending = talloc_array_length(conn->pending);
3473 size_t i;
3474
3475 for (i=0; i<num_pending; i++) {
3476 struct tevent_req *req = conn->pending[i];
3477 struct smbXcli_req_state *state =
3478 tevent_req_data(req,
3479 struct smbXcli_req_state);
3480
3481 if (mid == BVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID)) {
3482 return req;
3483 }
3484 }
3485 return NULL;
3486 }
3487
3488 static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
3489 TALLOC_CTX *tmp_mem,
3490 uint8_t *inbuf)
3491 {
3492 struct tevent_req *req;
3493 struct smbXcli_req_state *state = NULL;
3494 struct iovec *iov;
3495 int i, num_iov;
3496 NTSTATUS status;
3497 bool defer = true;
3498 struct smbXcli_session *last_session = NULL;
3499 size_t inbuf_len = smb_len_tcp(inbuf);
3500
3501 status = smb2cli_inbuf_parse_compound(conn,
3502 inbuf + NBT_HDR_SIZE,
3503 inbuf_len,
3504 tmp_mem,
3505 &iov, &num_iov);
3506 if (!NT_STATUS_IS_OK(status)) {
3507 return status;
3508 }
3509
3510 for (i=0; i<num_iov; i+=4) {
3511 uint8_t *inbuf_ref = NULL;
3512 struct iovec *cur = &iov[i];
3513 uint8_t *inhdr = (uint8_t *)cur[1].iov_base;
3514 uint16_t opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
3515 uint32_t flags = IVAL(inhdr, SMB2_HDR_FLAGS);
3516 uint64_t mid = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
3517 uint16_t req_opcode;
3518 uint32_t req_flags;
3519 uint16_t credits = SVAL(inhdr, SMB2_HDR_CREDIT);
3520 uint32_t new_credits;
3521 struct smbXcli_session *session = NULL;
3522 const DATA_BLOB *signing_key = NULL;
3523 bool was_encrypted = false;
3524
3525 new_credits = conn->smb2.cur_credits;
3526 new_credits += credits;
3527 if (new_credits > UINT16_MAX) {
3528 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3529 }
3530 conn->smb2.cur_credits += credits;
3531
3532 req = smb2cli_conn_find_pending(conn, mid);
3533 if (req == NULL) {
3534 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3535 }
3536 state = tevent_req_data(req, struct smbXcli_req_state);
3537
3538 req_opcode = SVAL(state->smb2.hdr, SMB2_HDR_OPCODE);
3539 if (opcode != req_opcode) {
3540 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3541 }
3542 req_flags = SVAL(state->smb2.hdr, SMB2_HDR_FLAGS);
3543
3544 if (!(flags & SMB2_HDR_FLAG_REDIRECT)) {
3545 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3546 }
3547
3548 status = NT_STATUS(IVAL(inhdr, SMB2_HDR_STATUS));
3549 if ((flags & SMB2_HDR_FLAG_ASYNC) &&
3550 NT_STATUS_EQUAL(status, STATUS_PENDING)) {
3551 uint64_t async_id = BVAL(inhdr, SMB2_HDR_ASYNC_ID);
3552
3553 if (state->smb2.got_async) {
3554 /* We only expect one STATUS_PENDING response */
3555 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3556 }
3557 state->smb2.got_async = true;
3558
3559 /*
3560 * async interim responses are not signed,
3561 * even if the SMB2_HDR_FLAG_SIGNED flag
3562 * is set.
3563 */
3564 state->smb2.cancel_flags = SMB2_HDR_FLAG_ASYNC;
3565 state->smb2.cancel_mid = 0;
3566 state->smb2.cancel_aid = async_id;
3567
3568 if (state->smb2.notify_async) {
3569 tevent_req_defer_callback(req, state->ev);
3570 tevent_req_notify_callback(req);
3571 }
3572 continue;
3573 }
3574
3575 session = state->session;
3576 if (req_flags & SMB2_HDR_FLAG_CHAINED) {
3577 session = last_session;
3578 }
3579 last_session = session;
3580
3581 if (state->smb2.should_sign) {
3582 if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
3583 return NT_STATUS_ACCESS_DENIED;
3584 }
3585 }
3586
3587 if (flags & SMB2_HDR_FLAG_SIGNED) {
3588 uint64_t uid = BVAL(inhdr, SMB2_HDR_SESSION_ID);
3589
3590 if (session == NULL) {
3591 struct smbXcli_session *s;
3592
3593 s = state->conn->sessions;
3594 for (; s; s = s->next) {
3595 if (s->smb2->session_id != uid) {
3596 continue;
3597 }
3598
3599 session = s;
3600 break;
3601 }
3602 }
3603
3604 if (session == NULL) {
3605 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3606 }
3607
3608 last_session = session;
3609 signing_key = &session->smb2_channel.signing_key;
3610 }
3611
3612 if (opcode == SMB2_OP_SESSSETUP) {
3613 /*
3614 * We prefer the channel signing key, if it is
3615 * already there.
3616 *
3617 * If we do not have a channel signing key yet,
3618 * we try the main signing key, if it is not
3619 * the final response.
3620 */
3621 if (signing_key && signing_key->length == 0 &&
3622 !NT_STATUS_IS_OK(status)) {
3623 signing_key = &session->smb2->signing_key;
3624 }
3625
3626 if (signing_key && signing_key->length == 0) {
3627 /*
3628 * If we do not have a session key to
3629 * verify the signature, we defer the
3630 * signing check to the caller.
3631 *
3632 * The caller gets NT_STATUS_OK, it
3633 * has to call
3634 * smb2cli_session_set_session_key()
3635 * or
3636 * smb2cli_session_set_channel_key()
3637 * which will check the signature
3638 * with the channel signing key.
3639 */
3640 signing_key = NULL;
3641 }
3642 }
3643
3644 if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
3645 const uint8_t *tf = (const uint8_t *)cur[0].iov_base;
3646 uint64_t uid = BVAL(tf, SMB2_TF_SESSION_ID);
3647
3648 /*
3649 * If the response was encrypted in a SMB2_TRANSFORM
3650 * pdu, which belongs to the correct session,
3651 * we do not need to do signing checks
3652 *
3653 * It could be the session the response belongs to
3654 * or the session that was used to encrypt the
3655 * SMB2_TRANSFORM request.
3656 */
3657 if ((session && session->smb2->session_id == uid) ||
3658 (state->smb2.encryption_session_id == uid)) {
3659 signing_key = NULL;
3660 was_encrypted = true;
3661 }
3662 }
3663
3664 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
3665 /*
3666 * if the server returns NT_STATUS_USER_SESSION_DELETED
3667 * the response is not signed and we should
3668 * propagate the NT_STATUS_USER_SESSION_DELETED
3669 * status to the caller.
3670 */
3671 state->smb2.signing_skipped = true;
3672 signing_key = NULL;
3673 }
3674
3675 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
3676 /*
3677 * if the server returns
3678 * NT_STATUS_INVALID_PARAMETER
3679 * the response might not be encrypted.
3680 */
3681 if (state->smb2.should_encrypt && !was_encrypted) {
3682 state->smb2.signing_skipped = true;
3683 signing_key = NULL;
3684 }
3685 }
3686
3687 if (state->smb2.should_encrypt && !was_encrypted) {
3688 if (!state->smb2.signing_skipped) {
3689 return NT_STATUS_ACCESS_DENIED;
3690 }
3691 }
3692
3693 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED) ||
3694 NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED) ||
3695 NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
3696 /*
3697 * if the server returns
3698 * NT_STATUS_NETWORK_NAME_DELETED
3699 * NT_STATUS_FILE_CLOSED
3700 * NT_STATUS_INVALID_PARAMETER
3701 * the response might not be signed
3702 * as this happens before the signing checks.
3703 *
3704 * If server echos the signature (or all zeros)
3705 * we should report the status from the server
3706 * to the caller.
3707 */
3708 if (signing_key) {
3709 int cmp;
3710
3711 cmp = memcmp(inhdr+SMB2_HDR_SIGNATURE,
3712 state->smb2.hdr+SMB2_HDR_SIGNATURE,
3713 16);
3714 if (cmp == 0) {
3715 state->smb2.signing_skipped = true;
3716 signing_key = NULL;
3717 }
3718 }
3719 if (signing_key) {
3720 int cmp;
3721 static const uint8_t zeros[16];
3722
3723 cmp = memcmp(inhdr+SMB2_HDR_SIGNATURE,
3724 zeros,
3725 16);
3726 if (cmp == 0) {
3727 state->smb2.signing_skipped = true;
3728 signing_key = NULL;
3729 }
3730 }
3731 }
3732
3733 if (signing_key) {
3734 status = smb2_signing_check_pdu(*signing_key,
3735 state->conn->protocol,
3736 &cur[1], 3);
3737 if (!NT_STATUS_IS_OK(status)) {
3738 /*
3739 * If the signing check fails, we disconnect
3740 * the connection.
3741 */
3742 return status;
3743 }
3744 }
3745
3746 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
3747 (session != NULL) && session->disconnect_expired)
3748 {
3749 /*
3750 * this should be a short term hack
3751 * until the upper layers have implemented
3752 * re-authentication.
3753 */
3754 return status;
3755 }
3756
3757 smbXcli_req_unset_pending(req);
3758
3759 /*
3760 * There might be more than one response
3761 * we need to defer the notifications
3762 */
3763 if ((num_iov == 5) && (talloc_array_length(conn->pending) == 0)) {
3764 defer = false;
3765 }
3766
3767 if (defer) {
3768 tevent_req_defer_callback(req, state->ev);
3769 }
3770
3771 /*
3772 * Note: here we use talloc_reference() in a way
3773 * that does not expose it to the caller.
3774 */
3775 inbuf_ref = talloc_reference(state->smb2.recv_iov, inbuf);
3776 if (tevent_req_nomem(inbuf_ref, req)) {
3777 continue;
3778 }
3779
3780 /* copy the related buffers */
3781 state->smb2.recv_iov[0] = cur[1];
3782 state->smb2.recv_iov[1] = cur[2];
3783 state->smb2.recv_iov[2] = cur[3];
3784
3785 tevent_req_done(req);
3786 }
3787
3788 if (defer) {
3789 return NT_STATUS_RETRY;
3790 }
3791
3792 return NT_STATUS_OK;
3793 }
3794
3795 NTSTATUS smb2cli_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
3796 struct iovec **piov,
3797 const struct smb2cli_req_expected_response *expected,
3798 size_t num_expected)
3799 {
3800 struct smbXcli_req_state *state =
3801 tevent_req_data(req,
3802 struct smbXcli_req_state);
3803 NTSTATUS status;
3804 size_t body_size;
3805 bool found_status = false;
3806 bool found_size = false;
3807 size_t i;
3808
3809 if (piov != NULL) {
3810 *piov = NULL;
3811 }
3812
3813 if (tevent_req_is_in_progress(req) && state->smb2.got_async) {
3814 return STATUS_PENDING;
3815 }
3816
3817 if (tevent_req_is_nterror(req, &status)) {
3818 for (i=0; i < num_expected; i++) {
3819 if (NT_STATUS_EQUAL(status, expected[i].status)) {
3820 found_status = true;
3821 break;
3822 }
3823 }
3824
3825 if (found_status) {
3826 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
3827 }
3828
3829 return status;
3830 }
3831
3832 if (num_expected == 0) {
3833 found_status = true;
3834 found_size = true;
3835 }
3836
3837 status = NT_STATUS(IVAL(state->smb2.recv_iov[0].iov_base, SMB2_HDR_STATUS));
3838 body_size = SVAL(state->smb2.recv_iov[1].iov_base, 0);
3839
3840 for (i=0; i < num_expected; i++) {
3841 if (!NT_STATUS_EQUAL(status, expected[i].status)) {
3842 continue;
3843 }
3844
3845 found_status = true;
3846 if (expected[i].body_size == 0) {
3847 found_size = true;
3848 break;
3849 }
3850
3851 if (expected[i].body_size == body_size) {
3852 found_size = true;
3853 break;
3854 }
3855 }
3856
3857 if (!found_status) {
3858 return status;
3859 }
3860
3861 if (state->smb2.signing_skipped) {
3862 if (num_expected > 0) {
3863 return NT_STATUS_ACCESS_DENIED;
3864 }
3865 if (!NT_STATUS_IS_ERR(status)) {
3866 return NT_STATUS_ACCESS_DENIED;
3867 }
3868 }
3869
3870 if (!found_size) {
3871 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3872 }
3873
3874 if (piov != NULL) {
3875 *piov = talloc_move(mem_ctx, &state->smb2.recv_iov);
3876 }
3877
3878 return status;
3879 }
3880
3881 NTSTATUS smb2cli_req_get_sent_iov(struct tevent_req *req,
3882 struct iovec *sent_iov)
3883 {
3884 struct smbXcli_req_state *state =
3885 tevent_req_data(req,
3886 struct smbXcli_req_state);
3887
3888 if (tevent_req_is_in_progress(req)) {
3889 return STATUS_PENDING;
3890 }
3891
3892 sent_iov[0].iov_base = state->smb2.hdr;
3893 sent_iov[0].iov_len = sizeof(state->smb2.hdr);
3894
3895 sent_iov[1].iov_base = discard_const(state->smb2.fixed);
3896 sent_iov[1].iov_len = state->smb2.fixed_len;
3897
3898 if (state->smb2.dyn != NULL) {
3899 sent_iov[2].iov_base = discard_const(state->smb2.dyn);
3900 sent_iov[2].iov_len = state->smb2.dyn_len;
3901 } else {
3902 sent_iov[2].iov_base = NULL;
3903 sent_iov[2].iov_len = 0;
3904 }
3905
3906 return NT_STATUS_OK;
3907 }
3908
3909 static const struct {
3910 enum protocol_types proto;
3911 const char *smb1_name;
3912 } smb1cli_prots[] = {
3913 {PROTOCOL_CORE, "PC NETWORK PROGRAM 1.0"},
3914 {PROTOCOL_COREPLUS, "MICROSOFT NETWORKS 1.03"},
3915 {PROTOCOL_LANMAN1, "MICROSOFT NETWORKS 3.0"},
3916 {PROTOCOL_LANMAN1, "LANMAN1.0"},
3917 {PROTOCOL_LANMAN2, "LM1.2X002"},
3918 {PROTOCOL_LANMAN2, "DOS LANMAN2.1"},
3919 {PROTOCOL_LANMAN2, "LANMAN2.1"},
3920 {PROTOCOL_LANMAN2, "Samba"},
3921 {PROTOCOL_NT1, "NT LANMAN 1.0"},
3922 {PROTOCOL_NT1, "NT LM 0.12"},
3923 {PROTOCOL_SMB2_02, "SMB 2.002"},
3924 {PROTOCOL_SMB2_10, "SMB 2.???"},
3925 };
3926
3927 static const struct {
3928 enum protocol_types proto;
3929 uint16_t smb2_dialect;
3930 } smb2cli_prots[] = {
3931 {PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202},
3932 {PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210},
3933 {PROTOCOL_SMB2_22, SMB2_DIALECT_REVISION_222},
3934 {PROTOCOL_SMB2_24, SMB2_DIALECT_REVISION_224},
3935 {PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300},
3936 {PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302},
3937 {PROTOCOL_SMB3_10, SMB3_DIALECT_REVISION_310},
3938 {PROTOCOL_SMB3_11, SMB3_DIALECT_REVISION_311},
3939 };
3940
3941 struct smbXcli_negprot_state {
3942 struct smbXcli_conn *conn;
3943 struct tevent_context *ev;
3944 uint32_t timeout_msec;
3945
3946 struct {
3947 uint8_t fixed[36];
3948 } smb2;
3949 };
3950
3951 static void smbXcli_negprot_invalid_done(struct tevent_req *subreq);
3952 static struct tevent_req *smbXcli_negprot_smb1_subreq(struct smbXcli_negprot_state *state);
3953 static void smbXcli_negprot_smb1_done(struct tevent_req *subreq);
3954 static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_state *state);
3955 static void smbXcli_negprot_smb2_done(struct tevent_req *subreq);
3956 static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
3957 TALLOC_CTX *frame,
3958 uint8_t *inbuf);
3959
3960 struct tevent_req *smbXcli_negprot_send(TALLOC_CTX *mem_ctx,
3961 struct tevent_context *ev,
3962 struct smbXcli_conn *conn,
3963 uint32_t timeout_msec,
3964 enum protocol_types min_protocol,
3965 enum protocol_types max_protocol)
3966 {
3967 struct tevent_req *req, *subreq;
3968 struct smbXcli_negprot_state *state;
3969
3970 req = tevent_req_create(mem_ctx, &state,
3971 struct smbXcli_negprot_state);
3972 if (req == NULL) {
3973 return NULL;
3974 }
3975 state->conn = conn;
3976 state->ev = ev;
3977 state->timeout_msec = timeout_msec;
3978
3979 if (min_protocol == PROTOCOL_NONE) {
3980 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3981 return tevent_req_post(req, ev);
3982 }
3983
3984 if (max_protocol == PROTOCOL_NONE) {
3985 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3986 return tevent_req_post(req, ev);
3987 }
3988
3989 if (min_protocol > max_protocol) {
3990 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3991 return tevent_req_post(req, ev);
3992 }
3993
3994 conn->min_protocol = min_protocol;
3995 conn->max_protocol = max_protocol;
3996 conn->protocol = PROTOCOL_NONE;
3997
3998 if ((min_protocol < PROTOCOL_SMB2_02) &&
3999 (max_protocol < PROTOCOL_SMB2_02)) {
4000 /*
4001 * SMB1 only...
4002 */
4003 conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
4004
4005 subreq = smbXcli_negprot_smb1_subreq(state);
4006 if (tevent_req_nomem(subreq, req)) {
4007 return tevent_req_post(req, ev);
4008 }
4009 tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
4010 return req;
4011 }
4012
4013 if ((min_protocol >= PROTOCOL_SMB2_02) &&
4014 (max_protocol >= PROTOCOL_SMB2_02)) {
4015 /*
4016 * SMB2 only...
4017 */
4018 conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
4019
4020 /*
4021 * As we're starting with an SMB2 negprot, emulate Windows
4022 * and ask for 31 credits in the initial SMB2 negprot.
4023 * If we don't and leave requested credits at
4024 * zero, MacOSX servers return zero credits on
4025 * the negprot reply and we fail to connect.
4026 */
4027 smb2cli_conn_set_max_credits(conn,
4028 WINDOWS_CLIENT_PURE_SMB2_NEGPROT_INITIAL_CREDIT_ASK);
4029
4030 subreq = smbXcli_negprot_smb2_subreq(state);
4031 if (tevent_req_nomem(subreq, req)) {
4032 return tevent_req_post(req, ev);
4033 }
4034 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4035 return req;
4036 }
4037
4038 /*
4039 * We send an SMB1 negprot with the SMB2 dialects
4040 * and expect a SMB1 or a SMB2 response.
4041 *
4042 * smbXcli_negprot_dispatch_incoming() will fix the
4043 * callback to match protocol of the response.
4044 */
4045 conn->dispatch_incoming = smbXcli_negprot_dispatch_incoming;
4046
4047 subreq = smbXcli_negprot_smb1_subreq(state);
4048 if (tevent_req_nomem(subreq, req)) {
4049 return tevent_req_post(req, ev);
4050 }
4051 tevent_req_set_callback(subreq, smbXcli_negprot_invalid_done, req);
4052 return req;
4053 }
4054
4055 static void smbXcli_negprot_invalid_done(struct tevent_req *subreq)
4056 {
4057 struct tevent_req *req =
4058 tevent_req_callback_data(subreq,
4059 struct tevent_req);
4060 NTSTATUS status;
4061
4062 /*
4063 * we just want the low level error
4064 */
4065 status = tevent_req_simple_recv_ntstatus(subreq);
4066 TALLOC_FREE(subreq);
4067 if (tevent_req_nterror(req, status)) {
4068 return;
4069 }
4070
4071 /* this should never happen */
4072 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
4073 }
4074
4075 static struct tevent_req *smbXcli_negprot_smb1_subreq(struct smbXcli_negprot_state *state)
4076 {
4077 size_t i;
4078 DATA_BLOB bytes = data_blob_null;
4079 uint8_t flags;
4080 uint16_t flags2;
4081
4082 /* setup the protocol strings */
4083 for (i=0; i < ARRAY_SIZE(smb1cli_prots); i++) {
4084 uint8_t c = 2;
4085 bool ok;
4086
4087 if (smb1cli_prots[i].proto < state->conn->min_protocol) {
4088 continue;
4089 }
4090
4091 if (smb1cli_prots[i].proto > state->conn->max_protocol) {
4092 continue;
4093 }
4094
4095 ok = data_blob_append(state, &bytes, &c, sizeof(c));
4096 if (!ok) {
4097 return NULL;
4098 }
4099
4100 /*
4101 * We now it is already ascii and
4102 * we want NULL termination.
4103 */
4104 ok = data_blob_append(state, &bytes,
4105 smb1cli_prots[i].smb1_name,
4106 strlen(smb1cli_prots[i].smb1_name)+1);
4107 if (!ok) {
4108 return NULL;
4109 }
4110 }
4111
4112 smb1cli_req_flags(state->conn->max_protocol,
4113 state->conn->smb1.client.capabilities,
4114 SMBnegprot,
4115 0, 0, &flags,
4116 0, 0, &flags2);
4117
4118 return smb1cli_req_send(state, state->ev, state->conn,
4119 SMBnegprot,
4120 flags, ~flags,
4121 flags2, ~flags2,
4122 state->timeout_msec,
4123 0xFFFE, 0, NULL, /* pid, tid, session */
4124 0, NULL, /* wct, vwv */
4125 bytes.length, bytes.data);
4126 }
4127
4128 static void smbXcli_negprot_smb1_done(struct tevent_req *subreq)
4129 {
4130 struct tevent_req *req =
4131 tevent_req_callback_data(subreq,
4132 struct tevent_req);
4133 struct smbXcli_negprot_state *state =
4134 tevent_req_data(req,
4135 struct smbXcli_negprot_state);
4136 struct smbXcli_conn *conn = state->conn;
4137 struct iovec *recv_iov = NULL;
4138 uint8_t *inhdr;
4139 uint8_t wct;
4140 uint16_t *vwv;
4141 uint32_t num_bytes;
4142 uint8_t *bytes;
4143 NTSTATUS status;
4144 uint16_t protnum;
4145 size_t i;
4146 size_t num_prots = 0;
4147 uint8_t flags;
4148 uint32_t client_capabilities = conn->smb1.client.capabilities;
4149 uint32_t both_capabilities;
4150 uint32_t server_capabilities = 0;
4151 uint32_t capabilities;
4152 uint32_t client_max_xmit = conn->smb1.client.max_xmit;
4153 uint32_t server_max_xmit = 0;
4154 uint32_t max_xmit;
4155 uint32_t server_max_mux = 0;
4156 uint16_t server_security_mode = 0;
4157 uint32_t server_session_key = 0;
4158 bool server_readbraw = false;
4159 bool server_writebraw = false;
4160 bool server_lockread = false;
4161 bool server_writeunlock = false;
4162 struct GUID server_guid = GUID_zero();
4163 DATA_BLOB server_gss_blob = data_blob_null;
4164 uint8_t server_challenge[8];
4165 char *server_workgroup = NULL;
4166 char *server_name = NULL;
4167 int server_time_zone = 0;
4168 NTTIME server_system_time = 0;
4169 static const struct smb1cli_req_expected_response expected[] = {
4170 {
4171 .status = NT_STATUS_OK,
4172 .wct = 0x11, /* NT1 */
4173 },
4174 {
4175 .status = NT_STATUS_OK,
4176 .wct = 0x0D, /* LM */
4177 },
4178 {
4179 .status = NT_STATUS_OK,
4180 .wct = 0x01, /* CORE */
4181 }
4182 };
4183
4184 ZERO_STRUCT(server_challenge);
4185
4186 status = smb1cli_req_recv(subreq, state,
4187 &recv_iov,
4188 &inhdr,
4189 &wct,
4190 &vwv,
4191 NULL, /* pvwv_offset */
4192 &num_bytes,
4193 &bytes,
4194 NULL, /* pbytes_offset */
4195 NULL, /* pinbuf */
4196 expected, ARRAY_SIZE(expected));
4197 TALLOC_FREE(subreq);
4198 if (tevent_req_nterror(req, status)) {
4199 return;
4200 }
4201
4202 flags = CVAL(inhdr, HDR_FLG);
4203
4204 protnum = SVAL(vwv, 0);
4205
4206 for (i=0; i < ARRAY_SIZE(smb1cli_prots); i++) {
4207 if (smb1cli_prots[i].proto < state->conn->min_protocol) {
4208 continue;
4209 }
4210
4211 if (smb1cli_prots[i].proto > state->conn->max_protocol) {
4212 continue;
4213 }
4214
4215 if (protnum != num_prots) {
4216 num_prots++;
4217 continue;
4218 }
4219
4220 conn->protocol = smb1cli_prots[i].proto;
4221 break;
4222 }
4223
4224 if (conn->protocol == PROTOCOL_NONE) {
4225 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4226 return;
4227 }
4228
4229 if ((conn->protocol < PROTOCOL_NT1) && conn->mandatory_signing) {
4230 DEBUG(0,("smbXcli_negprot: SMB signing is mandatory "
4231 "and the selected protocol level doesn't support it.\n"));
4232 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
4233 return;
4234 }
4235
4236 if (flags & FLAG_SUPPORT_LOCKREAD) {
4237 server_lockread = true;
4238 server_writeunlock = true;
4239 }
4240
4241 if (conn->protocol >= PROTOCOL_NT1) {
4242 const char *client_signing = NULL;
4243 bool server_mandatory = false;
4244 bool server_allowed = false;
4245 const char *server_signing = NULL;
4246 bool ok;
4247 uint8_t key_len;
4248
4249 if (wct != 0x11) {
4250 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4251 return;
4252 }
4253
4254 /* NT protocol */
4255 server_security_mode = CVAL(vwv + 1, 0);
4256 server_max_mux = SVAL(vwv + 1, 1);
4257 server_max_xmit = IVAL(vwv + 3, 1);
4258 server_session_key = IVAL(vwv + 7, 1);
4259 server_time_zone = SVALS(vwv + 15, 1);
4260 server_time_zone *= 60;
4261 /* this time arrives in real GMT */
4262 server_system_time = BVAL(vwv + 11, 1);
4263 server_capabilities = IVAL(vwv + 9, 1);
4264
4265 key_len = CVAL(vwv + 16, 1);
4266
4267 if (server_capabilities & CAP_RAW_MODE) {
4268 server_readbraw = true;
4269 server_writebraw = true;
4270 }
4271 if (server_capabilities & CAP_LOCK_AND_READ) {
4272 server_lockread = true;
4273 }
4274
4275 if (server_capabilities & CAP_EXTENDED_SECURITY) {
4276 DATA_BLOB blob1, blob2;
4277
4278 if (num_bytes < 16) {
4279 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4280 return;
4281 }
4282
4283 blob1 = data_blob_const(bytes, 16);
4284 status = GUID_from_data_blob(&blob1, &server_guid);
4285 if (tevent_req_nterror(req, status)) {
4286 return;
4287 }
4288
4289 blob1 = data_blob_const(bytes+16, num_bytes-16);
4290 blob2 = data_blob_dup_talloc(state, blob1);
4291 if (blob1.length > 0 &&
4292 tevent_req_nomem(blob2.data, req)) {
4293 return;
4294 }
4295 server_gss_blob = blob2;
4296 } else {
4297 DATA_BLOB blob1, blob2;
4298
4299 if (num_bytes < key_len) {
4300 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4301 return;
4302 }
4303
4304 if (key_len != 0 && key_len != 8) {
4305 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4306 return;
4307 }
4308
4309 if (key_len == 8) {
4310 memcpy(server_challenge, bytes, 8);
4311 }
4312
4313 blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
4314 blob2 = data_blob_const(bytes+key_len, num_bytes-key_len);
4315 if (blob1.length > 0) {
4316 size_t len;
4317
4318 len = utf16_len_n(blob1.data,
4319 blob1.length);
4320 blob1.length = len;
4321
4322 ok = convert_string_talloc(state,
4323 CH_UTF16LE,
4324 CH_UNIX,
4325 blob1.data,
4326 blob1.length,
4327 &server_workgroup,
4328 &len);
4329 if (!ok) {
4330 status = map_nt_error_from_unix_common(errno);
4331 tevent_req_nterror(req, status);
4332 return;
4333 }
4334 }
4335
4336 blob2.data += blob1.length;
4337 blob2.length -= blob1.length;
4338 if (blob2.length > 0) {
4339 size_t len;
4340
4341 len = utf16_len_n(blob1.data,
4342 blob1.length);
4343 blob1.length = len;
4344
4345 ok = convert_string_talloc(state,
4346 CH_UTF16LE,
4347 CH_UNIX,
4348 blob2.data,
4349 blob2.length,
4350 &server_name,
4351 &len);
4352 if (!ok) {
4353 status = map_nt_error_from_unix_common(errno);
4354 tevent_req_nterror(req, status);
4355 return;
4356 }
4357 }
4358 }
4359
4360 client_signing = "disabled";
4361 if (conn->allow_signing) {
4362 client_signing = "allowed";
4363 }
4364 if (conn->mandatory_signing) {
4365 client_signing = "required";
4366 }
4367
4368 server_signing = "not supported";
4369 if (server_security_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) {
4370 server_signing = "supported";
4371 server_allowed = true;
4372 } else if (conn->mandatory_signing) {
4373 /*
4374 * We have mandatory signing as client
4375 * lets assume the server will look at our
4376 * FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED
4377 * flag in the session setup
4378 */
4379 server_signing = "not announced";
4380 server_allowed = true;
4381 }
4382 if (server_security_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) {
4383 server_signing = "required";
4384 server_mandatory = true;
4385 }
4386
4387 ok = smb_signing_set_negotiated(conn->smb1.signing,
4388 server_allowed,
4389 server_mandatory);
4390 if (!ok) {
4391 DEBUG(1,("cli_negprot: SMB signing is required, "
4392 "but client[%s] and server[%s] mismatch\n",
4393 client_signing, server_signing));
4394 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
4395 return;
4396 }
4397
4398 } else if (conn->protocol >= PROTOCOL_LANMAN1) {
4399 DATA_BLOB blob1;
4400 uint8_t key_len;
4401 time_t t;
4402
4403 if (wct != 0x0D) {
4404 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4405 return;
4406 }
4407
4408 server_security_mode = SVAL(vwv + 1, 0);
4409 server_max_xmit = SVAL(vwv + 2, 0);
4410 server_max_mux = SVAL(vwv + 3, 0);
4411 server_readbraw = ((SVAL(vwv + 5, 0) & 0x1) != 0);
4412 server_writebraw = ((SVAL(vwv + 5, 0) & 0x2) != 0);
4413 server_session_key = IVAL(vwv + 6, 0);
4414 server_time_zone = SVALS(vwv + 10, 0);
4415 server_time_zone *= 60;
4416 /* this time is converted to GMT by make_unix_date */
4417 t = pull_dos_date((const uint8_t *)(vwv + 8), server_time_zone);
4418 unix_to_nt_time(&server_system_time, t);
4419 key_len = SVAL(vwv + 11, 0);
4420
4421 if (num_bytes < key_len) {
4422 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4423 return;
4424 }
4425
4426 if (key_len != 0 && key_len != 8) {
4427 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4428 return;
4429 }
4430
4431 if (key_len == 8) {
4432 memcpy(server_challenge, bytes, 8);
4433 }
4434
4435 blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
4436 if (blob1.length > 0) {
4437 size_t len;
4438 bool ok;
4439
4440 len = utf16_len_n(blob1.data,
4441 blob1.length);
4442 blob1.length = len;
4443
4444 ok = convert_string_talloc(state,
4445 CH_DOS,
4446 CH_UNIX,
4447 blob1.data,
4448 blob1.length,
4449 &server_workgroup,
4450 &len);
4451 if (!ok) {
4452 status = map_nt_error_from_unix_common(errno);
4453 tevent_req_nterror(req, status);
4454 return;
4455 }
4456 }
4457
4458 } else {
4459 /* the old core protocol */
4460 server_time_zone = get_time_zone(time(NULL));
4461 server_max_xmit = 1024;
4462 server_max_mux = 1;
4463 }
4464
4465 if (server_max_xmit < 1024) {
4466 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4467 return;
4468 }
4469
4470 if (server_max_mux < 1) {
4471 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4472 return;
4473 }
4474
4475 /*
4476 * Now calculate the negotiated capabilities
4477 * based on the mask for:
4478 * - client only flags
4479 * - flags used in both directions
4480 * - server only flags
4481 */
4482 both_capabilities = client_capabilities & server_capabilities;
4483 capabilities = client_capabilities & SMB_CAP_CLIENT_MASK;
4484 capabilities |= both_capabilities & SMB_CAP_BOTH_MASK;
4485 capabilities |= server_capabilities & SMB_CAP_SERVER_MASK;
4486
4487 max_xmit = MIN(client_max_xmit, server_max_xmit);
4488
4489 conn->smb1.server.capabilities = server_capabilities;
4490 conn->smb1.capabilities = capabilities;
4491
4492 conn->smb1.server.max_xmit = server_max_xmit;
4493 conn->smb1.max_xmit = max_xmit;
4494
4495 conn->smb1.server.max_mux = server_max_mux;
4496
4497 conn->smb1.server.security_mode = server_security_mode;
4498
4499 conn->smb1.server.readbraw = server_readbraw;
4500 conn->smb1.server.writebraw = server_writebraw;
4501 conn->smb1.server.lockread = server_lockread;
4502 conn->smb1.server.writeunlock = server_writeunlock;
4503
4504 conn->smb1.server.session_key = server_session_key;
4505
4506 talloc_steal(conn, server_gss_blob.data);
4507 conn->smb1.server.gss_blob = server_gss_blob;
4508 conn->smb1.server.guid = server_guid;
4509 memcpy(conn->smb1.server.challenge, server_challenge, 8);
4510 conn->smb1.server.workgroup = talloc_move(conn, &server_workgroup);
4511 conn->smb1.server.name = talloc_move(conn, &server_name);
4512
4513 conn->smb1.server.time_zone = server_time_zone;
4514 conn->smb1.server.system_time = server_system_time;
4515
4516 tevent_req_done(req);
4517 }
4518
4519 static size_t smbXcli_padding_helper(uint32_t offset, size_t n)
4520 {
4521 if ((offset & (n-1)) == 0) return 0;
4522 return n - (offset & (n-1));
4523 }
4524
4525 static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_state *state)
4526 {
4527 size_t i;
4528 uint8_t *buf;
4529 uint16_t dialect_count = 0;
4530 DATA_BLOB dyn = data_blob_null;
4531
4532 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4533 bool ok;
4534 uint8_t val[2];
4535
4536 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
4537 continue;
4538 }
4539
4540 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
4541 continue;
4542 }
4543
4544 SSVAL(val, 0, smb2cli_prots[i].smb2_dialect);
4545
4546 ok = data_blob_append(state, &dyn, val, sizeof(val));
4547 if (!ok) {
4548 return NULL;
4549 }
4550
4551 dialect_count++;
4552 }
4553
4554 buf = state->smb2.fixed;
4555 SSVAL(buf, 0, 36);
4556 SSVAL(buf, 2, dialect_count);
4557 SSVAL(buf, 4, state->conn->smb2.client.security_mode);
4558 SSVAL(buf, 6, 0); /* Reserved */
4559 if (state->conn->max_protocol >= PROTOCOL_SMB2_22) {
4560 SIVAL(buf, 8, state->conn->smb2.client.capabilities);
4561 } else {
4562 SIVAL(buf, 8, 0); /* Capabilities */
4563 }
4564 if (state->conn->max_protocol >= PROTOCOL_SMB2_10) {
4565 NTSTATUS status;
4566 DATA_BLOB blob;
4567
4568 status = GUID_to_ndr_blob(&state->conn->smb2.client.guid,
4569 state, &blob);
4570 if (!NT_STATUS_IS_OK(status)) {
4571 return NULL;
4572 }
4573 memcpy(buf+12, blob.data, 16); /* ClientGuid */
4574 } else {
4575 memset(buf+12, 0, 16); /* ClientGuid */
4576 }
4577
4578 if (state->conn->max_protocol >= PROTOCOL_SMB3_10) {
4579 NTSTATUS status;
4580 struct smb2_negotiate_contexts c = { .num_contexts = 0, };
4581 uint32_t offset;
4582 DATA_BLOB b;
4583 uint8_t p[38];
4584 const uint8_t zeros[8] = {0, };
4585 size_t pad;
4586 bool ok;
4587
4588 SSVAL(p, 0, 1); /* HashAlgorithmCount */
4589 SSVAL(p, 2, 32); /* SaltLength */
4590 SSVAL(p, 4, SMB2_PREAUTH_INTEGRITY_SHA512);
4591 generate_random_buffer(p + 6, 32);
4592
4593 b = data_blob_const(p, 38);
4594 status = smb2_negotiate_context_add(state, &c,
4595 SMB2_PREAUTH_INTEGRITY_CAPABILITIES, b);
4596 if (!NT_STATUS_IS_OK(status)) {
4597 return NULL;
4598 }
4599
4600 SSVAL(p, 0, 2); /* ChiperCount */
4601 SSVAL(p, 2, SMB2_ENCRYPTION_AES128_GCM);
4602 SSVAL(p, 4, SMB2_ENCRYPTION_AES128_CCM);
4603
4604 b = data_blob_const(p, 6);
4605 status = smb2_negotiate_context_add(state, &c,
4606 SMB2_ENCRYPTION_CAPABILITIES, b);
4607 if (!NT_STATUS_IS_OK(status)) {
4608 return NULL;
4609 }
4610
4611 status = smb2_negotiate_context_push(state, &b, c);
4612 if (!NT_STATUS_IS_OK(status)) {
4613 return NULL;
4614 }
4615
4616 offset = SMB2_HDR_BODY + sizeof(state->smb2.fixed) + dyn.length;
4617 pad = smbXcli_padding_helper(offset, 8);
4618
4619 ok = data_blob_append(state, &dyn, zeros, pad);
4620 if (!ok) {
4621 return NULL;
4622 }
4623 offset += pad;
4624
4625 ok = data_blob_append(state, &dyn, b.data, b.length);
4626 if (!ok) {
4627 return NULL;
4628 }
4629
4630 SIVAL(buf, 28, offset); /* NegotiateContextOffset */
4631 SSVAL(buf, 32, c.num_contexts); /* NegotiateContextCount */
4632 SSVAL(buf, 34, 0); /* Reserved */
4633 } else {
4634 SBVAL(buf, 28, 0); /* Reserved/ClientStartTime */
4635 }
4636
4637 return smb2cli_req_send(state, state->ev,
4638 state->conn, SMB2_OP_NEGPROT,
4639 0, 0, /* flags */
4640 state->timeout_msec,
4641 NULL, NULL, /* tcon, session */
4642 state->smb2.fixed, sizeof(state->smb2.fixed),
4643 dyn.data, dyn.length,
4644 UINT16_MAX); /* max_dyn_len */
4645 }
4646
4647 static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
4648 {
4649 struct tevent_req *req =
4650 tevent_req_callback_data(subreq,
4651 struct tevent_req);
4652 struct smbXcli_negprot_state *state =
4653 tevent_req_data(req,
4654 struct smbXcli_negprot_state);
4655 struct smbXcli_conn *conn = state->conn;
4656 size_t security_offset, security_length;
4657 DATA_BLOB blob;
4658 NTSTATUS status;
4659 struct iovec *iov;
4660 uint8_t *body;
4661 size_t i;
4662 uint16_t dialect_revision;
4663 struct smb2_negotiate_contexts c = { .num_contexts = 0, };
4664 uint32_t negotiate_context_offset = 0;
4665 uint16_t negotiate_context_count = 0;
4666 DATA_BLOB negotiate_context_blob = data_blob_null;
4667 size_t avail;
4668 size_t ctx_ofs;
4669 size_t needed;
4670 struct smb2_negotiate_context *preauth = NULL;
4671 uint16_t hash_count;
4672 uint16_t salt_length;
4673 uint16_t hash_selected;
4674 struct hc_sha512state sctx;
4675 struct smb2_negotiate_context *cipher = NULL;
4676 struct iovec sent_iov[3];
4677 static const struct smb2cli_req_expected_response expected[] = {
4678 {
4679 .status = NT_STATUS_OK,
4680 .body_size = 0x41
4681 }
4682 };
4683
4684 status = smb2cli_req_recv(subreq, state, &iov,
4685 expected, ARRAY_SIZE(expected));
4686 if (tevent_req_nterror(req, status)) {
4687 return;
4688 }
4689
4690 body = (uint8_t *)iov[1].iov_base;
4691
4692 dialect_revision = SVAL(body, 4);
4693
4694 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4695 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
4696 continue;
4697 }
4698
4699 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
4700 continue;
4701 }
4702
4703 if (smb2cli_prots[i].smb2_dialect != dialect_revision) {
4704 continue;
4705 }
4706
4707 conn->protocol = smb2cli_prots[i].proto;
4708 break;
4709 }
4710
4711 if (conn->protocol == PROTOCOL_NONE) {
4712 TALLOC_FREE(subreq);
4713
4714 if (state->conn->min_protocol >= PROTOCOL_SMB2_02) {
4715 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4716 return;
4717 }
4718
4719 if (dialect_revision != SMB2_DIALECT_REVISION_2FF) {
4720 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4721 return;
4722 }
4723
4724 /* make sure we do not loop forever */
4725 state->conn->min_protocol = PROTOCOL_SMB2_02;
4726
4727 /*
4728 * send a SMB2 negprot, in order to negotiate
4729 * the SMB2 dialect.
4730 */
4731 subreq = smbXcli_negprot_smb2_subreq(state);
4732 if (tevent_req_nomem(subreq, req)) {
4733 return;
4734 }
4735 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4736 return;
4737 }
4738
4739 conn->smb2.server.security_mode = SVAL(body, 2);
4740 if (conn->protocol >= PROTOCOL_SMB3_10) {
4741 negotiate_context_count = SVAL(body, 6);
4742 }
4743
4744 blob = data_blob_const(body + 8, 16);
4745 status = GUID_from_data_blob(&blob, &conn->smb2.server.guid);
4746 if (tevent_req_nterror(req, status)) {
4747 return;
4748 }
4749
4750 conn->smb2.server.capabilities = IVAL(body, 24);
4751 conn->smb2.server.max_trans_size= IVAL(body, 28);
4752 conn->smb2.server.max_read_size = IVAL(body, 32);
4753 conn->smb2.server.max_write_size= IVAL(body, 36);
4754 conn->smb2.server.system_time = BVAL(body, 40);
4755 conn->smb2.server.start_time = BVAL(body, 48);
4756
4757 security_offset = SVAL(body, 56);
4758 security_length = SVAL(body, 58);
4759
4760 if (security_offset != SMB2_HDR_BODY + iov[1].iov_len) {
4761 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4762 return;
4763 }
4764
4765 if (security_length > iov[2].iov_len) {
4766 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4767 return;
4768 }
4769
4770 conn->smb2.server.gss_blob = data_blob_talloc(conn,
4771 iov[2].iov_base,
4772 security_length);
4773 if (tevent_req_nomem(conn->smb2.server.gss_blob.data, req)) {
4774 return;
4775 }
4776
4777 if (conn->protocol < PROTOCOL_SMB3_10) {
4778 TALLOC_FREE(subreq);
4779
4780 if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
4781 conn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
4782 }
4783 tevent_req_done(req);
4784 return;
4785 }
4786
4787 if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
4788 tevent_req_nterror(req,
4789 NT_STATUS_INVALID_NETWORK_RESPONSE);
4790 return;
4791 }
4792
4793 negotiate_context_offset = IVAL(body, 60);
4794 if (negotiate_context_offset < security_offset) {
4795 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4796 return;
4797 }
4798
4799 ctx_ofs = negotiate_context_offset - security_offset;
4800 if (ctx_ofs > iov[2].iov_len) {
4801 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4802 return;
4803 }
4804 avail = iov[2].iov_len - security_length;
4805 needed = iov[2].iov_len - ctx_ofs;
4806 if (needed > avail) {
4807 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4808 return;
4809 }
4810
4811 negotiate_context_blob.data = (uint8_t *)iov[2].iov_base;
4812 negotiate_context_blob.length = iov[2].iov_len;
4813
4814 negotiate_context_blob.data += ctx_ofs;
4815 negotiate_context_blob.length -= ctx_ofs;
4816
4817 status = smb2_negotiate_context_parse(state, negotiate_context_blob, &c);
4818 if (tevent_req_nterror(req, status)) {
4819 return;
4820 }
4821
4822 if (negotiate_context_count != c.num_contexts) {
4823 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4824 return;
4825 }
4826
4827 preauth = smb2_negotiate_context_find(&c,
4828 SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
4829 if (preauth == NULL) {
4830 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4831 return;
4832 }
4833
4834 if (preauth->data.length < 6) {
4835 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4836 return;
4837 }
4838
4839 hash_count = SVAL(preauth->data.data, 0);
4840 salt_length = SVAL(preauth->data.data, 2);
4841 hash_selected = SVAL(preauth->data.data, 4);
4842
4843 if (hash_count != 1) {
4844 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4845 return;
4846 }
4847
4848 if (preauth->data.length != (6 + salt_length)) {
4849 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4850 return;
4851 }
4852
4853 if (hash_selected != SMB2_PREAUTH_INTEGRITY_SHA512) {
4854 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4855 return;
4856 }
4857
4858 cipher = smb2_negotiate_context_find(&c, SMB2_ENCRYPTION_CAPABILITIES);
4859 if (cipher != NULL) {
4860 uint16_t cipher_count;
4861
4862 if (cipher->data.length < 2) {
4863 tevent_req_nterror(req,
4864 NT_STATUS_INVALID_NETWORK_RESPONSE);
4865 return;
4866 }
4867
4868 cipher_count = SVAL(cipher->data.data, 0);
4869
4870 if (cipher_count > 1) {
4871 tevent_req_nterror(req,
4872 NT_STATUS_INVALID_NETWORK_RESPONSE);
4873 return;
4874 }
4875
4876 if (cipher->data.length != (2 + 2 * cipher_count)) {
4877 tevent_req_nterror(req,
4878 NT_STATUS_INVALID_NETWORK_RESPONSE);
4879 return;
4880 }
4881
4882 if (cipher_count == 1) {
4883 uint16_t cipher_selected;
4884
4885 cipher_selected = SVAL(cipher->data.data, 2);
4886
4887 switch (cipher_selected) {
4888 case SMB2_ENCRYPTION_AES128_GCM:
4889 case SMB2_ENCRYPTION_AES128_CCM:
4890 conn->smb2.server.cipher = cipher_selected;
4891 break;
4892 }
4893 }
4894 }
4895
4896 /* First we hash the request */
4897 smb2cli_req_get_sent_iov(subreq, sent_iov);
4898 samba_SHA512_Init(&sctx);
4899 samba_SHA512_Update(&sctx, conn->smb2.preauth_sha512,
4900 sizeof(conn->smb2.preauth_sha512));
4901 for (i = 0; i < 3; i++) {
4902 samba_SHA512_Update(&sctx, sent_iov[i].iov_base, sent_iov[i].iov_len);
4903 }
4904 samba_SHA512_Final(conn->smb2.preauth_sha512, &sctx);
4905 TALLOC_FREE(subreq);
4906
4907 /* And now we hash the response */
4908 samba_SHA512_Init(&sctx);
4909 samba_SHA512_Update(&sctx, conn->smb2.preauth_sha512,
4910 sizeof(conn->smb2.preauth_sha512));
4911 for (i = 0; i < 3; i++) {
4912 samba_SHA512_Update(&sctx, iov[i].iov_base, iov[i].iov_len);
4913 }
4914 samba_SHA512_Final(conn->smb2.preauth_sha512, &sctx);
4915
4916 tevent_req_done(req);
4917 }
4918
4919 static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
4920 TALLOC_CTX *tmp_mem,
4921 uint8_t *inbuf)
4922 {
4923 size_t num_pending = talloc_array_length(conn->pending);
4924 struct tevent_req *subreq;
4925 struct smbXcli_req_state *substate;
4926 struct tevent_req *req;
4927 uint32_t protocol_magic;
4928 size_t inbuf_len = smb_len_nbt(inbuf);
4929
4930 if (num_pending != 1) {
4931 return NT_STATUS_INTERNAL_ERROR;
4932 }
4933
4934 if (inbuf_len < 4) {
4935 return NT_STATUS_INVALID_NETWORK_RESPONSE;
4936 }
4937
4938 subreq = conn->pending[0];
4939 substate = tevent_req_data(subreq, struct smbXcli_req_state);
4940 req = tevent_req_callback_data(subreq, struct tevent_req);
4941
4942 protocol_magic = IVAL(inbuf, 4);
4943
4944 switch (protocol_magic) {
4945 case SMB_MAGIC:
4946 tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
4947 conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
4948 return smb1cli_conn_dispatch_incoming(conn, tmp_mem, inbuf);
4949
4950 case SMB2_MAGIC:
4951 if (substate->smb2.recv_iov == NULL) {
4952 /*
4953 * For the SMB1 negprot we have move it.
4954 */
4955 substate->smb2.recv_iov = substate->smb1.recv_iov;
4956 substate->smb1.recv_iov = NULL;
4957 }
4958
4959 /*
4960 * we got an SMB2 answer, which consumed sequence number 0
4961 * so we need to use 1 as the next one.
4962 *
4963 * we also need to set the current credits to 0
4964 * as we consumed the initial one. The SMB2 answer
4965 * hopefully grant us a new credit.
4966 */
4967 conn->smb2.mid = 1;
4968 conn->smb2.cur_credits = 0;
4969 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4970 conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
4971 return smb2cli_conn_dispatch_incoming(conn, tmp_mem, inbuf);
4972 }
4973
4974 DEBUG(10, ("Got non-SMB PDU\n"));
4975 return NT_STATUS_INVALID_NETWORK_RESPONSE;
4976 }
4977
4978 NTSTATUS smbXcli_negprot_recv(struct tevent_req *req)
4979 {
4980 return tevent_req_simple_recv_ntstatus(req);
4981 }
4982
4983 NTSTATUS smbXcli_negprot(struct smbXcli_conn *conn,
4984 uint32_t timeout_msec,
4985 enum protocol_types min_protocol,
4986 enum protocol_types max_protocol)
4987 {
4988 TALLOC_CTX *frame = talloc_stackframe();
4989 struct tevent_context *ev;
4990 struct tevent_req *req;
4991 NTSTATUS status = NT_STATUS_NO_MEMORY;
4992 bool ok;
4993
4994 if (smbXcli_conn_has_async_calls(conn)) {
4995 /*
4996 * Can't use sync call while an async call is in flight
4997 */
4998 status = NT_STATUS_INVALID_PARAMETER_MIX;
4999 goto fail;
5000 }
5001 ev = samba_tevent_context_init(frame);
5002 if (ev == NULL) {
5003 goto fail;
5004 }
5005 req = smbXcli_negprot_send(frame, ev, conn, timeout_msec,
5006 min_protocol, max_protocol);
5007 if (req == NULL) {
5008 goto fail;
5009 }
5010 ok = tevent_req_poll_ntstatus(req, ev, &status);
5011 if (!ok) {
5012 goto fail;
5013 }
5014 status = smbXcli_negprot_recv(req);
5015 fail:
5016 TALLOC_FREE(frame);
5017 return status;
5018 }
5019
5020 struct smb2cli_validate_negotiate_info_state {
5021 struct smbXcli_conn *conn;
5022 DATA_BLOB in_input_buffer;
5023 DATA_BLOB in_output_buffer;
5024 DATA_BLOB out_input_buffer;
5025 DATA_BLOB out_output_buffer;
5026 uint16_t dialect;
5027 };
5028
5029 static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq);
5030
5031 struct tevent_req *smb2cli_validate_negotiate_info_send(TALLOC_CTX *mem_ctx,
5032 struct tevent_context *ev,
5033 struct smbXcli_conn *conn,
5034 uint32_t timeout_msec,
5035 struct smbXcli_session *session,
5036 struct smbXcli_tcon *tcon)
5037 {
5038 struct tevent_req *req;
5039 struct smb2cli_validate_negotiate_info_state *state;
5040 uint8_t *buf;
5041 uint16_t dialect_count = 0;
5042 struct tevent_req *subreq;
5043 bool _save_should_sign;
5044 size_t i;
5045
5046 req = tevent_req_create(mem_ctx, &state,
5047 struct smb2cli_validate_negotiate_info_state);
5048 if (req == NULL) {
5049 return NULL;
5050 }
5051 state->conn = conn;
5052
5053 state->in_input_buffer = data_blob_talloc_zero(state,
5054 4 + 16 + 1 + 1 + 2);
5055 if (tevent_req_nomem(state->in_input_buffer.data, req)) {
5056 return tevent_req_post(req, ev);
5057 }
5058 buf = state->in_input_buffer.data;
5059
5060 if (state->conn->max_protocol >= PROTOCOL_SMB2_22) {
5061 SIVAL(buf, 0, conn->smb2.client.capabilities);
5062 } else {
5063 SIVAL(buf, 0, 0); /* Capabilities */
5064 }
5065 if (state->conn->max_protocol >= PROTOCOL_SMB2_10) {
5066 NTSTATUS status;
5067 DATA_BLOB blob;
5068
5069 status = GUID_to_ndr_blob(&conn->smb2.client.guid,
5070 state, &blob);
5071 if (!NT_STATUS_IS_OK(status)) {
5072 return NULL;
5073 }
5074 memcpy(buf+4, blob.data, 16); /* ClientGuid */
5075 } else {
5076 memset(buf+4, 0, 16); /* ClientGuid */
5077 }
5078 if (state->conn->min_protocol >= PROTOCOL_SMB2_02) {
5079 SCVAL(buf, 20, conn->smb2.client.security_mode);
5080 } else {
5081 SCVAL(buf, 20, 0);
5082 }
5083 SCVAL(buf, 21, 0); /* reserved */
5084
5085 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
5086 bool ok;
5087 size_t ofs;
5088
5089 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
5090 continue;
5091 }
5092
5093 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
5094 continue;
5095 }
5096
5097 if (smb2cli_prots[i].proto == state->conn->protocol) {
5098 state->dialect = smb2cli_prots[i].smb2_dialect;
5099 }
5100
5101 ofs = state->in_input_buffer.length;
5102 ok = data_blob_realloc(state, &state->in_input_buffer,
5103 ofs + 2);
5104 if (!ok) {
5105 tevent_req_oom(req);
5106 return tevent_req_post(req, ev);
5107 }
5108
5109 buf = state->in_input_buffer.data;
5110 SSVAL(buf, ofs, smb2cli_prots[i].smb2_dialect);
5111
5112 dialect_count++;
5113 }
5114 buf = state->in_input_buffer.data;
5115 SSVAL(buf, 22, dialect_count);
5116
5117 _save_should_sign = smb2cli_tcon_is_signing_on(tcon);
5118 smb2cli_tcon_should_sign(tcon, true);
5119 subreq = smb2cli_ioctl_send(state, ev, conn,
5120 timeout_msec, session, tcon,
5121 UINT64_MAX, /* in_fid_persistent */
5122 UINT64_MAX, /* in_fid_volatile */
5123 FSCTL_VALIDATE_NEGOTIATE_INFO,
5124 0, /* in_max_input_length */
5125 &state->in_input_buffer,
5126 24, /* in_max_output_length */
5127 &state->in_output_buffer,
5128 SMB2_IOCTL_FLAG_IS_FSCTL);
5129 smb2cli_tcon_should_sign(tcon, _save_should_sign);
5130 if (tevent_req_nomem(subreq, req)) {
5131 return tevent_req_post(req, ev);
5132 }
5133 tevent_req_set_callback(subreq,
5134 smb2cli_validate_negotiate_info_done,
5135 req);
5136
5137 return req;
5138 }
5139
5140 static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
5141 {
5142 struct tevent_req *req =
5143 tevent_req_callback_data(subreq,
5144 struct tevent_req);
5145 struct smb2cli_validate_negotiate_info_state *state =
5146 tevent_req_data(req,
5147 struct smb2cli_validate_negotiate_info_state);
5148 NTSTATUS status;
5149 const uint8_t *buf;
5150 uint32_t capabilities;
5151 DATA_BLOB guid_blob;
5152 struct GUID server_guid;
5153 uint16_t security_mode;
5154 uint16_t dialect;
5155
5156 status = smb2cli_ioctl_recv(subreq, state,
5157 &state->out_input_buffer,
5158 &state->out_output_buffer);
5159 TALLOC_FREE(subreq);
5160 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED)) {
5161 /*
5162 * The response was signed, but not supported
5163 *
5164 * Older Windows and Samba releases return
5165 * NT_STATUS_FILE_CLOSED.
5166 */
5167 tevent_req_done(req);
5168 return;
5169 }
5170 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_DEVICE_REQUEST)) {
5171 /*
5172 * The response was signed, but not supported
5173 *
5174 * This is returned by the NTVFS based Samba 4.x file server
5175 * for file shares.
5176 */
5177 tevent_req_done(req);
5178 return;
5179 }
5180 if (NT_STATUS_EQUAL(status, NT_STATUS_FS_DRIVER_REQUIRED)) {
5181 /*
5182 * The response was signed, but not supported
5183 *
5184 * This is returned by the NTVFS based Samba 4.x file server
5185 * for ipc shares.
5186 */
5187 tevent_req_done(req);
5188 return;
5189 }
5190 if (tevent_req_nterror(req, status)) {
5191 return;
5192 }
5193
5194 if (state->out_output_buffer.length != 24) {
5195 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
5196 return;
5197 }
5198
5199 buf = state->out_output_buffer.data;
5200
5201 capabilities = IVAL(buf, 0);
5202 guid_blob = data_blob_const(buf + 4, 16);
5203 status = GUID_from_data_blob(&guid_blob, &server_guid);
5204 if (tevent_req_nterror(req, status)) {
5205 return;
5206 }
5207 security_mode = CVAL(buf, 20);
5208 dialect = SVAL(buf, 22);
5209
5210 if (capabilities != state->conn->smb2.server.capabilities) {
5211 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5212 return;
5213 }
5214
5215 if (!GUID_equal(&server_guid, &state->conn->smb2.server.guid)) {
5216 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5217 return;
5218 }
5219
5220 if (security_mode != state->conn->smb2.server.security_mode) {
5221 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5222 return;
5223 }
5224
5225 if (dialect != state->dialect) {
5226 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5227 return;
5228 }
5229
5230 tevent_req_done(req);
5231 }
5232
5233 NTSTATUS smb2cli_validate_negotiate_info_recv(struct tevent_req *req)
5234 {
5235 return tevent_req_simple_recv_ntstatus(req);
5236 }
5237
5238 static int smbXcli_session_destructor(struct smbXcli_session *session)
5239 {
5240 if (session->conn == NULL) {
5241 return 0;
5242 }
5243
5244 DLIST_REMOVE(session->conn->sessions, session);
5245 return 0;
5246 }
5247
5248 struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
5249 struct smbXcli_conn *conn)
5250 {
5251 struct smbXcli_session *session;
5252
5253 session = talloc_zero(mem_ctx, struct smbXcli_session);
5254 if (session == NULL) {
5255 return NULL;
5256 }
5257 session->smb2 = talloc_zero(session, struct smb2cli_session);
5258 if (session->smb2 == NULL) {
5259 talloc_free(session);
5260 return NULL;
5261 }
5262 talloc_set_destructor(session, smbXcli_session_destructor);
5263
5264 DLIST_ADD_END(conn->sessions, session, struct smbXcli_session *);
5265 session->conn = conn;
5266
5267 memcpy(session->smb2_channel.preauth_sha512,
5268 conn->smb2.preauth_sha512,
5269 sizeof(session->smb2_channel.preauth_sha512));
5270
5271 return session;
5272 }
5273
5274 struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
5275 struct smbXcli_session *src)
5276 {
5277 struct smbXcli_session *session;
5278
5279 session = talloc_zero(mem_ctx, struct smbXcli_session);
5280 if (session == NULL) {
5281 return NULL;
5282 }
5283 session->smb2 = talloc_zero(session, struct smb2cli_session);
5284 if (session->smb2 == NULL) {
5285 talloc_free(session);
5286 return NULL;
5287 }
5288
5289 session->conn = src->conn;
5290 *session->smb2 = *src->smb2;
5291 session->smb2_channel = src->smb2_channel;
5292 session->disconnect_expired = src->disconnect_expired;
5293
5294 DLIST_ADD_END(src->conn->sessions, session, struct smbXcli_session *);
5295 talloc_set_destructor(session, smbXcli_session_destructor);
5296
5297 return session;
5298 }
5299
5300 bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
5301 {
5302 const DATA_BLOB *application_key;
5303
5304 if (session->conn == NULL) {
5305 return false;
5306 }
5307
5308 /*
5309 * If we have an application key we had a session key negotiated
5310 * at auth time.
5311 */
5312 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
5313 application_key = &session->smb2->application_key;
5314 } else {
5315 application_key = &session->smb1.application_key;
5316 }
5317
5318 if (application_key->length == 0) {
5319 return false;
5320 }
5321
5322 return true;
5323 }
5324
5325 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
5326 TALLOC_CTX *mem_ctx,
5327 DATA_BLOB *key)
5328 {
5329 const DATA_BLOB *application_key;
5330
5331 *key = data_blob_null;
5332
5333 if (session->conn == NULL) {
5334 return NT_STATUS_NO_USER_SESSION_KEY;
5335 }
5336
5337 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
5338 application_key = &session->smb2->application_key;
5339 } else {
5340 application_key = &session->smb1.application_key;
5341 }
5342
5343 if (application_key->length == 0) {
5344 return NT_STATUS_NO_USER_SESSION_KEY;
5345 }
5346
5347 *key = data_blob_dup_talloc(mem_ctx, *application_key);
5348 if (key->data == NULL) {
5349 return NT_STATUS_NO_MEMORY;
5350 }
5351
5352 return NT_STATUS_OK;
5353 }
5354
5355 void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session)
5356 {
5357 session->disconnect_expired = true;
5358 }
5359
5360 uint16_t smb1cli_session_current_id(struct smbXcli_session *session)
5361 {
5362 return session->smb1.session_id;
5363 }
5364
5365 void smb1cli_session_set_id(struct smbXcli_session *session,
5366 uint16_t session_id)
5367 {
5368 session->smb1.session_id = session_id;
5369 }
5370
5371 NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
5372 const DATA_BLOB _session_key)
5373 {
5374 struct smbXcli_conn *conn = session->conn;
5375 uint8_t session_key[16];
5376
5377 if (conn == NULL) {
5378 return NT_STATUS_INVALID_PARAMETER_MIX;
5379 }
5380
5381 if (session->smb1.application_key.length != 0) {
5382 /*
5383 * TODO: do not allow this...
5384 *
5385 * return NT_STATUS_INVALID_PARAMETER_MIX;
5386 */
5387 data_blob_clear_free(&session->smb1.application_key);
5388 session->smb1.protected_key = false;
5389 }
5390
5391 if (_session_key.length == 0) {
5392 return NT_STATUS_OK;
5393 }
5394
5395 ZERO_STRUCT(session_key);
5396 memcpy(session_key, _session_key.data,
5397 MIN(_session_key.length, sizeof(session_key)));
5398
5399 session->smb1.application_key = data_blob_talloc(session,
5400 session_key,
5401 sizeof(session_key));
5402 ZERO_STRUCT(session_key);
5403 if (session->smb1.application_key.data == NULL) {
5404 return NT_STATUS_NO_MEMORY;
5405 }
5406
5407 session->smb1.protected_key = false;
5408
5409 return NT_STATUS_OK;
5410 }
5411
5412 NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session)
5413 {
5414 if (session->smb1.protected_key) {
5415 /* already protected */
5416 return NT_STATUS_OK;
5417 }
5418
5419 if (session->smb1.application_key.length != 16) {
5420 return NT_STATUS_INVALID_PARAMETER_MIX;
5421 }
5422
5423 smb_key_derivation(session->smb1.application_key.data,
5424 session->smb1.application_key.length,
5425 session->smb1.application_key.data);
5426
5427 session->smb1.protected_key = true;
5428
5429 return NT_STATUS_OK;
5430 }
5431
5432 uint8_t smb2cli_session_security_mode(struct smbXcli_session *session)
5433 {
5434 struct smbXcli_conn *conn = session->conn;
5435 uint8_t security_mode = 0;
5436
5437 if (conn == NULL) {
5438 return security_mode;
5439 }
5440
5441 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
5442 if (conn->mandatory_signing) {
5443 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
5444 }
5445
5446 return security_mode;
5447 }
5448
5449 uint64_t smb2cli_session_current_id(struct smbXcli_session *session)
5450 {
5451 return session->smb2->session_id;
5452 }
5453
5454 uint16_t smb2cli_session_get_flags(struct smbXcli_session *session)
5455 {
5456 return session->smb2->session_flags;
5457 }
5458
5459 void smb2cli_session_set_id_and_flags(struct smbXcli_session *session,
5460 uint64_t session_id,
5461 uint16_t session_flags)
5462 {
5463 session->smb2->session_id = session_id;
5464 session->smb2->session_flags = session_flags;
5465 }
5466
5467 void smb2cli_session_increment_channel_sequence(struct smbXcli_session *session)
5468 {
5469 session->smb2->channel_sequence += 1;
5470 }
5471
5472 uint16_t smb2cli_session_reset_channel_sequence(struct smbXcli_session *session,
5473 uint16_t channel_sequence)
5474 {
5475 uint16_t prev_cs;
5476
5477 prev_cs = session->smb2->channel_sequence;
5478 session->smb2->channel_sequence = channel_sequence;
5479
5480 return prev_cs;
5481 }
5482
5483 void smb2cli_session_start_replay(struct smbXcli_session *session)
5484 {
5485 session->smb2->replay_active = true;
5486 }
5487
5488 void smb2cli_session_stop_replay(struct smbXcli_session *session)
5489 {
5490 session->smb2->replay_active = false;
5491 }
5492
5493 NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
5494 const struct iovec *iov)
5495 {
5496 struct hc_sha512state sctx;
5497 size_t i;
5498
5499 if (session->conn == NULL) {
5500 return NT_STATUS_INTERNAL_ERROR;
5501 }
5502
5503 if (session->conn->protocol < PROTOCOL_SMB3_10) {
5504 return NT_STATUS_OK;
5505 }
5506
5507 if (session->smb2_channel.signing_key.length != 0) {
5508 return NT_STATUS_OK;
5509 }
5510
5511 samba_SHA512_Init(&sctx);
5512 samba_SHA512_Update(&sctx, session->smb2_channel.preauth_sha512,
5513 sizeof(session->smb2_channel.preauth_sha512));
5514 for (i = 0; i < 3; i++) {
5515 samba_SHA512_Update(&sctx, iov[i].iov_base, iov[i].iov_len);
5516 }
5517 samba_SHA512_Final(session->smb2_channel.preauth_sha512, &sctx);
5518
5519 return NT_STATUS_OK;
5520 }
5521
5522 NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
5523 const DATA_BLOB _session_key,
5524 const struct iovec *recv_iov)
5525 {
5526 struct smbXcli_conn *conn = session->conn;
5527 uint16_t no_sign_flags;
5528 uint8_t session_key[16];
5529 bool check_signature = true;
5530 uint32_t hdr_flags;
5531 NTSTATUS status;
5532 struct _derivation {
5533 DATA_BLOB label;
5534 DATA_BLOB context;
5535 };
5536 struct {
5537 struct _derivation signing;
5538 struct _derivation encryption;
5539 struct _derivation decryption;
5540 struct _derivation application;
5541 } derivation = { };
5542 size_t nonce_size = 0;
5543
5544 if (conn == NULL) {
5545 return NT_STATUS_INVALID_PARAMETER_MIX;
5546 }
5547
5548 if (recv_iov[0].iov_len != SMB2_HDR_BODY) {
5549 return NT_STATUS_INVALID_PARAMETER_MIX;
5550 }
5551
5552 no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
5553
5554 if (session->smb2->session_flags & no_sign_flags) {
5555 session->smb2->should_sign = false;
5556 return NT_STATUS_OK;
5557 }
5558
5559 if (session->smb2->signing_key.length != 0) {
5560 return NT_STATUS_INVALID_PARAMETER_MIX;
5561 }
5562
5563 if (conn->protocol >= PROTOCOL_SMB3_10) {
5564 struct _derivation *d;
5565 DATA_BLOB p;
5566
5567 p = data_blob_const(session->smb2_channel.preauth_sha512,
5568 sizeof(session->smb2_channel.preauth_sha512));
5569
5570 d = &derivation.signing;
5571 d->label = data_blob_string_const_null("SMBSigningKey");
5572 d->context = p;
5573
5574 d = &derivation.encryption;
5575 d->label = data_blob_string_const_null("SMBC2SCipherKey");
5576 d->context = p;
5577
5578 d = &derivation.decryption;
5579 d->label = data_blob_string_const_null("SMBS2CCipherKey");
5580 d->context = p;
5581
5582 d = &derivation.application;
5583 d->label = data_blob_string_const_null("SMBAppKey");
5584 d->context = p;
5585
5586 } else if (conn->protocol >= PROTOCOL_SMB2_24) {
5587 struct _derivation *d;
5588
5589 d = &derivation.signing;
5590 d->label = data_blob_string_const_null("SMB2AESCMAC");
5591 d->context = data_blob_string_const_null("SmbSign");
5592
5593 d = &derivation.encryption;
5594 d->label = data_blob_string_const_null("SMB2AESCCM");
5595 d->context = data_blob_string_const_null("ServerIn ");
5596
5597 d = &derivation.decryption;
5598 d->label = data_blob_string_const_null("SMB2AESCCM");
5599 d->context = data_blob_string_const_null("ServerOut");
5600
5601 d = &derivation.application;
5602 d->label = data_blob_string_const_null("SMB2APP");
5603 d->context = data_blob_string_const_null("SmbRpc");
5604 }
5605
5606 ZERO_STRUCT(session_key);
5607 memcpy(session_key, _session_key.data,
5608 MIN(_session_key.length, sizeof(session_key)));
5609
5610 session->smb2->signing_key = data_blob_talloc(session,
5611 session_key,
5612 sizeof(session_key));
5613 if (session->smb2->signing_key.data == NULL) {
5614 ZERO_STRUCT(session_key);
5615 return NT_STATUS_NO_MEMORY;
5616 }
5617
5618 if (conn->protocol >= PROTOCOL_SMB2_24) {
5619 struct _derivation *d = &derivation.signing;
5620
5621 smb2_key_derivation(session_key, sizeof(session_key),
5622 d->label.data, d->label.length,
5623 d->context.data, d->context.length,
5624 session->smb2->signing_key.data);
5625 }
5626
5627 session->smb2->encryption_key = data_blob_dup_talloc(session,
5628 session->smb2->signing_key);
5629 if (session->smb2->encryption_key.data == NULL) {
5630 ZERO_STRUCT(session_key);
5631 return NT_STATUS_NO_MEMORY;
5632 }
5633
5634 if (conn->protocol >= PROTOCOL_SMB2_24) {
5635 struct _derivation *d = &derivation.encryption;
5636
5637 smb2_key_derivation(session_key, sizeof(session_key),
5638 d->label.data, d->label.length,
5639 d->context.data, d->context.length,
5640 session->smb2->encryption_key.data);
5641 }
5642
5643 session->smb2->decryption_key = data_blob_dup_talloc(session,
5644 session->smb2->signing_key);
5645 if (session->smb2->decryption_key.data == NULL) {
5646 ZERO_STRUCT(session_key);
5647 return NT_STATUS_NO_MEMORY;
5648 }
5649
5650 if (conn->protocol >= PROTOCOL_SMB2_24) {
5651 struct _derivation *d = &derivation.decryption;
5652
5653 smb2_key_derivation(session_key, sizeof(session_key),
5654 d->label.data, d->label.length,
5655 d->context.data, d->context.length,
5656 session->smb2->decryption_key.data);
5657 }
5658
5659 session->smb2->application_key = data_blob_dup_talloc(session,
5660 session->smb2->signing_key);
5661 if (session->smb2->application_key.data == NULL) {
5662 ZERO_STRUCT(session_key);
5663 return NT_STATUS_NO_MEMORY;
5664 }
5665
5666 if (conn->protocol >= PROTOCOL_SMB2_24) {
5667 struct _derivation *d = &derivation.application;
5668
5669 smb2_key_derivation(session_key, sizeof(session_key),
5670 d->label.data, d->label.length,
5671 d->context.data, d->context.length,
5672 session->smb2->application_key.data);
5673 }
5674 ZERO_STRUCT(session_key);
5675
5676 session->smb2_channel.signing_key = data_blob_dup_talloc(session,
5677 session->smb2->signing_key);
5678 if (session->smb2_channel.signing_key.data == NULL) {
5679 return NT_STATUS_NO_MEMORY;
5680 }
5681
5682 check_signature = conn->mandatory_signing;
5683
5684 hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS);
5685 if (hdr_flags & SMB2_HDR_FLAG_SIGNED) {
5686 /*
5687 * Sadly some vendors don't sign the
5688 * final SMB2 session setup response
5689 *
5690 * At least Windows and Samba are always doing this
5691 * if there's a session key available.
5692 *
5693 * We only check the signature if it's mandatory
5694 * or SMB2_HDR_FLAG_SIGNED is provided.
5695 */
5696 check_signature = true;
5697 }
5698
5699 if (conn->protocol >= PROTOCOL_SMB3_10) {
5700 check_signature = true;
5701 }
5702
5703 if (check_signature) {
5704 status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
5705 session->conn->protocol,
5706 recv_iov, 3);
5707 if (!NT_STATUS_IS_OK(status)) {
5708 return status;
5709 }
5710 }
5711
5712 session->smb2->should_sign = false;
5713 session->smb2->should_encrypt = false;
5714
5715 if (conn->desire_signing) {
5716 session->smb2->should_sign = true;
5717 }
5718
5719 if (conn->smb2.server.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
5720 session->smb2->should_sign = true;
5721 }
5722
5723 if (session->smb2->session_flags & SMB2_SESSION_FLAG_ENCRYPT_DATA) {
5724 session->smb2->should_encrypt = true;
5725 }
5726
5727 if (conn->protocol < PROTOCOL_SMB2_24) {
5728 session->smb2->should_encrypt = false;
5729 }
5730
5731 if (conn->smb2.server.cipher == 0) {
5732 session->smb2->should_encrypt = false;
5733 }
5734
5735 /*
5736 * CCM and GCM algorithms must never have their
5737 * nonce wrap, or the security of the whole
5738 * communication and the keys is destroyed.
5739 * We must drop the connection once we have
5740 * transfered too much data.
5741 *
5742 * NOTE: We assume nonces greater than 8 bytes.
5743 */
5744 generate_random_buffer((uint8_t *)&session->smb2->nonce_high_random,
5745 sizeof(session->smb2->nonce_high_random));
5746 switch (conn->smb2.server.cipher) {
5747 case SMB2_ENCRYPTION_AES128_CCM:
5748 nonce_size = AES_CCM_128_NONCE_SIZE;
5749 break;
5750 case SMB2_ENCRYPTION_AES128_GCM:
5751 nonce_size = AES_GCM_128_IV_SIZE;
5752 break;
5753 default:
5754 nonce_size = 0;
5755 break;
5756 }
5757 session->smb2->nonce_high_max = SMB2_NONCE_HIGH_MAX(nonce_size);
5758 session->smb2->nonce_high = 0;
5759 session->smb2->nonce_low = 0;
5760
5761 return NT_STATUS_OK;
5762 }
5763
5764 NTSTATUS smb2cli_session_create_channel(TALLOC_CTX *mem_ctx,
5765 struct smbXcli_session *session1,
5766 struct smbXcli_conn *conn,
5767 struct smbXcli_session **_session2)
5768 {
5769 struct smbXcli_session *session2;
5770
5771 if (session1->smb2->signing_key.length == 0) {
5772 return NT_STATUS_INVALID_PARAMETER_MIX;
5773 }
5774
5775 if (conn == NULL) {
5776 return NT_STATUS_INVALID_PARAMETER_MIX;
5777 }
5778
5779 session2 = talloc_zero(mem_ctx, struct smbXcli_session);
5780 if (session2 == NULL) {
5781 return NT_STATUS_NO_MEMORY;
5782 }
5783 session2->smb2 = talloc_reference(session2, session1->smb2);
5784 if (session2->smb2 == NULL) {
5785 talloc_free(session2);
5786 return NT_STATUS_NO_MEMORY;
5787 }
5788
5789 talloc_set_destructor(session2, smbXcli_session_destructor);
5790 DLIST_ADD_END(conn->sessions, session2, struct smbXcli_session *);
5791 session2->conn = conn;
5792
5793 memcpy(session2->smb2_channel.preauth_sha512,
5794 conn->smb2.preauth_sha512,
5795 sizeof(session2->smb2_channel.preauth_sha512));
5796
5797 *_session2 = session2;
5798 return NT_STATUS_OK;
5799 }
5800
5801 NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
5802 const DATA_BLOB _channel_key,
5803 const struct iovec *recv_iov)
5804 {
5805 struct smbXcli_conn *conn = session->conn;
5806 uint8_t channel_key[16];
5807 NTSTATUS status;
5808 struct _derivation {
5809 DATA_BLOB label;
5810 DATA_BLOB context;
5811 };
5812 struct {
5813 struct _derivation signing;
5814 } derivation = { };
5815
5816 if (conn == NULL) {
5817 return NT_STATUS_INVALID_PARAMETER_MIX;
5818 }
5819
5820 if (session->smb2_channel.signing_key.length != 0) {
5821 return NT_STATUS_INVALID_PARAMETER_MIX;
5822 }
5823
5824 if (conn->protocol >= PROTOCOL_SMB3_10) {
5825 struct _derivation *d;
5826 DATA_BLOB p;
5827
5828 p = data_blob_const(session->smb2_channel.preauth_sha512,
5829 sizeof(session->smb2_channel.preauth_sha512));
5830
5831 d = &derivation.signing;
5832 d->label = data_blob_string_const_null("SMBSigningKey");
5833 d->context = p;
5834 } else if (conn->protocol >= PROTOCOL_SMB2_24) {
5835 struct _derivation *d;
5836
5837 d = &derivation.signing;
5838 d->label = data_blob_string_const_null("SMB2AESCMAC");
5839 d->context = data_blob_string_const_null("SmbSign");
5840 }
5841
5842 ZERO_STRUCT(channel_key);
5843 memcpy(channel_key, _channel_key.data,
5844 MIN(_channel_key.length, sizeof(channel_key)));
5845
5846 session->smb2_channel.signing_key = data_blob_talloc(session,
5847 channel_key,
5848 sizeof(channel_key));
5849 if (session->smb2_channel.signing_key.data == NULL) {
5850 ZERO_STRUCT(channel_key);
5851 return NT_STATUS_NO_MEMORY;
5852 }
5853
5854 if (conn->protocol >= PROTOCOL_SMB2_24) {
5855 struct _derivation *d = &derivation.signing;
5856
5857 smb2_key_derivation(channel_key, sizeof(channel_key),
5858 d->label.data, d->label.length,
5859 d->context.data, d->context.length,
5860 session->smb2_channel.signing_key.data);
5861 }
5862 ZERO_STRUCT(channel_key);
5863
5864 status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
5865 session->conn->protocol,
5866 recv_iov, 3);
5867 if (!NT_STATUS_IS_OK(status)) {
5868 return status;
5869 }
5870
5871 return NT_STATUS_OK;
5872 }
5873
5874 NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
5875 {
5876 if (session->smb2->should_encrypt) {
5877 return NT_STATUS_OK;
5878 }
5879
5880 if (session->conn->protocol < PROTOCOL_SMB2_24) {
5881 return NT_STATUS_NOT_SUPPORTED;
5882 }
5883
5884 if (session->conn->smb2.server.cipher == 0) {
5885 return NT_STATUS_NOT_SUPPORTED;
5886 }
5887
5888 if (session->smb2->signing_key.data == NULL) {
5889 return NT_STATUS_NOT_SUPPORTED;
5890 }
5891 session->smb2->should_encrypt = true;
5892 return NT_STATUS_OK;
5893 }
5894
5895 struct smbXcli_tcon *smbXcli_tcon_create(TALLOC_CTX *mem_ctx)
5896 {
5897 struct smbXcli_tcon *tcon;
5898
5899 tcon = talloc_zero(mem_ctx, struct smbXcli_tcon);
5900 if (tcon == NULL) {
5901 return NULL;
5902 }
5903
5904 return tcon;
5905 }
5906
5907 void smbXcli_tcon_set_fs_attributes(struct smbXcli_tcon *tcon,
5908 uint32_t fs_attributes)
5909 {
5910 tcon->fs_attributes = fs_attributes;
5911 }
5912
5913 uint32_t smbXcli_tcon_get_fs_attributes(struct smbXcli_tcon *tcon)
5914 {
5915 return tcon->fs_attributes;
5916 }
5917
5918 bool smbXcli_tcon_is_dfs_share(struct smbXcli_tcon *tcon)
5919 {
5920 if (tcon == NULL) {
5921 return false;
5922 }
5923
5924 if (tcon->is_smb1) {
5925 if (tcon->smb1.optional_support & SMB_SHARE_IN_DFS) {
5926 return true;
5927 }
5928
5929 return false;
5930 }
5931
5932 if (tcon->smb2.capabilities & SMB2_SHARE_CAP_DFS) {
5933 return true;
5934 }
5935
5936 return false;
5937 }
5938
5939 uint16_t smb1cli_tcon_current_id(struct smbXcli_tcon *tcon)
5940 {
5941 return tcon->smb1.tcon_id;
5942 }
5943
5944 void smb1cli_tcon_set_id(struct smbXcli_tcon *tcon, uint16_t tcon_id)
5945 {
5946 tcon->is_smb1 = true;
5947 tcon->smb1.tcon_id = tcon_id;
5948 }
5949
5950 bool smb1cli_tcon_set_values(struct smbXcli_tcon *tcon,
5951 uint16_t tcon_id,
5952 uint16_t optional_support,
5953 uint32_t maximal_access,
5954 uint32_t guest_maximal_access,
5955 const char *service,
5956 const char *fs_type)
5957 {
5958 tcon->is_smb1 = true;
5959 tcon->fs_attributes = 0;
5960 tcon->smb1.tcon_id = tcon_id;
5961 tcon->smb1.optional_support = optional_support;
5962 tcon->smb1.maximal_access = maximal_access;
5963 tcon->smb1.guest_maximal_access = guest_maximal_access;
5964
5965 TALLOC_FREE(tcon->smb1.service);
5966 tcon->smb1.service = talloc_strdup(tcon, service);
5967 if (service != NULL && tcon->smb1.service == NULL) {
5968 return false;
5969 }
5970
5971 TALLOC_FREE(tcon->smb1.fs_type);
5972 tcon->smb1.fs_type = talloc_strdup(tcon, fs_type);
5973 if (fs_type != NULL && tcon->smb1.fs_type == NULL) {
5974 return false;
5975 }
5976
5977 return true;
5978 }
5979
5980 uint32_t smb2cli_tcon_current_id(struct smbXcli_tcon *tcon)
5981 {
5982 return tcon->smb2.tcon_id;
5983 }
5984
5985 uint32_t smb2cli_tcon_capabilities(struct smbXcli_tcon *tcon)
5986 {
5987 return tcon->smb2.capabilities;
5988 }
5989
5990 void smb2cli_tcon_set_values(struct smbXcli_tcon *tcon,
5991 struct smbXcli_session *session,
5992 uint32_t tcon_id,
5993 uint8_t type,
5994 uint32_t flags,
5995 uint32_t capabilities,
5996 uint32_t maximal_access)
5997 {
5998 tcon->is_smb1 = false;
5999 tcon->fs_attributes = 0;
6000 tcon->smb2.tcon_id = tcon_id;
6001 tcon->smb2.type = type;
6002 tcon->smb2.flags = flags;
6003 tcon->smb2.capabilities = capabilities;
6004 tcon->smb2.maximal_access = maximal_access;
6005
6006 tcon->smb2.should_sign = false;
6007 tcon->smb2.should_encrypt = false;
6008
6009 if (session == NULL) {
6010 return;
6011 }
6012
6013 tcon->smb2.should_sign = session->smb2->should_sign;
6014 tcon->smb2.should_encrypt = session->smb2->should_encrypt;
6015
6016 if (flags & SMB2_SHAREFLAG_ENCRYPT_DATA) {
6017 tcon->smb2.should_encrypt = true;
6018 }
6019 }
6020
6021 void smb2cli_tcon_should_sign(struct smbXcli_tcon *tcon,
6022 bool should_sign)
6023 {
6024 tcon->smb2.should_sign = should_sign;
6025 }
6026
6027 bool smb2cli_tcon_is_signing_on(struct smbXcli_tcon *tcon)
6028 {
6029 if (tcon->smb2.should_encrypt) {
6030 return true;
6031 }
6032
6033 return tcon->smb2.should_sign;
6034 }
6035
6036 void smb2cli_tcon_should_encrypt(struct smbXcli_tcon *tcon,
6037 bool should_encrypt)
6038 {
6039 tcon->smb2.should_encrypt = should_encrypt;
6040 }
6041
6042 bool smb2cli_tcon_is_encryption_on(struct smbXcli_tcon *tcon)
6043 {
6044 return tcon->smb2.should_encrypt;
6045 }
Samba GIT mirror