search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: Remove callback for release_ip when "state" is free'ed
[Samba.git] / source3 / smbd / smb2_negprot.c
blobfbed543f5637b2fa5fecd836a7fcc26023298bdc
1 /*
2 Unix SMB/CIFS implementation.
3 Core SMB2 server
4
5 Copyright (C) Stefan Metzmacher 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../libcli/smb/smb2_negotiate_context.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "../librpc/ndr/libndr.h"
28 #include "../libcli/smb/smb_signing.h"
29 #include "auth.h"
30 #include "auth/gensec/gensec.h"
31 #include "lib/util/string_wrappers.h"
32 #include "source3/lib/substitute.h"
33 #ifdef HAVE_VALGRIND_CALLGRIND_H
34 #include <valgrind/callgrind.h>
35 #endif /* HAVE_VALGRIND_CALLGRIND_H */
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_SMB2
39
40 /*
41 * this is the entry point if SMB2 is selected via
42 * the SMB negprot and the given dialect.
43 */
44 static NTSTATUS reply_smb20xx(struct smb_request *req, uint16_t dialect)
45 {
46 uint8_t *smb2_inpdu;
47 uint8_t *smb2_hdr;
48 uint8_t *smb2_body;
49 uint8_t *smb2_dyn;
50 size_t len = SMB2_HDR_BODY + 0x24 + 2;
51
52 smb2_inpdu = talloc_zero_array(talloc_tos(), uint8_t, len);
53 if (smb2_inpdu == NULL) {
54 DEBUG(0, ("Could not push spnego blob\n"));
55 reply_nterror(req, NT_STATUS_NO_MEMORY);
56 return NT_STATUS_NO_MEMORY;
57 }
58 smb2_hdr = smb2_inpdu;
59 smb2_body = smb2_hdr + SMB2_HDR_BODY;
60 smb2_dyn = smb2_body + 0x24;
61
62 SIVAL(smb2_hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
63 SIVAL(smb2_hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
64
65 SSVAL(smb2_body, 0x00, 0x0024); /* struct size */
66 SSVAL(smb2_body, 0x02, 0x0001); /* dialect count */
67
68 SSVAL(smb2_dyn, 0x00, dialect);
69
70 req->outbuf = NULL;
71
72 return smbd_smb2_process_negprot(req->xconn, 0, smb2_inpdu, len);
73 }
74
75 /*
76 * this is the entry point if SMB2 is selected via
77 * the SMB negprot and the "SMB 2.002" dialect.
78 */
79 NTSTATUS reply_smb2002(struct smb_request *req, uint16_t choice)
80 {
81 return reply_smb20xx(req, SMB2_DIALECT_REVISION_202);
82 }
83
84 /*
85 * this is the entry point if SMB2 is selected via
86 * the SMB negprot and the "SMB 2.???" dialect.
87 */
88 NTSTATUS reply_smb20ff(struct smb_request *req, uint16_t choice)
89 {
90 struct smbXsrv_connection *xconn = req->xconn;
91 xconn->smb2.allow_2ff = true;
92 return reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF);
93 }
94
95 enum protocol_types smbd_smb2_protocol_dialect_match(const uint8_t *indyn,
96 const int dialect_count,
97 uint16_t *dialect)
98 {
99 struct {
100 enum protocol_types proto;
101 uint16_t dialect;
102 } pd[] = {
103 { PROTOCOL_SMB3_11, SMB3_DIALECT_REVISION_311 },
104 { PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302 },
105 { PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300 },
106 { PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210 },
107 { PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202 },
108 };
109 size_t i;
110
111 for (i = 0; i < ARRAY_SIZE(pd); i ++) {
112 int c = 0;
113
114 if (lp_server_max_protocol() < pd[i].proto) {
115 continue;
116 }
117 if (lp_server_min_protocol() > pd[i].proto) {
118 continue;
119 }
120
121 for (c = 0; c < dialect_count; c++) {
122 *dialect = SVAL(indyn, c*2);
123 if (*dialect == pd[i].dialect) {
124 return pd[i].proto;
125 }
126 }
127 }
128
129 return PROTOCOL_NONE;
130 }
131
132 struct smbd_smb2_request_process_negprot_state {
133 struct smbd_smb2_request *req;
134 DATA_BLOB outbody;
135 DATA_BLOB outdyn;
136 };
137
138 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq);
139
140 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
141 {
142 struct smbd_smb2_request_process_negprot_state *state = NULL;
143 struct smbXsrv_connection *xconn = req->xconn;
144 struct tevent_req *subreq = NULL;
145 NTSTATUS status;
146 const uint8_t *inbody;
147 const uint8_t *indyn = NULL;
148 DATA_BLOB outbody;
149 DATA_BLOB outdyn;
150 DATA_BLOB negprot_spnego_blob;
151 uint16_t security_offset;
152 DATA_BLOB security_buffer;
153 size_t expected_dyn_size = 0;
154 size_t c;
155 uint16_t security_mode;
156 uint16_t dialect_count;
157 uint16_t in_security_mode;
158 uint32_t in_capabilities;
159 DATA_BLOB in_guid_blob;
160 struct GUID in_guid;
161 struct smb2_negotiate_contexts in_c = { .num_contexts = 0, };
162 struct smb2_negotiate_context *in_preauth = NULL;
163 struct smb2_negotiate_context *in_cipher = NULL;
164 struct smb2_negotiate_context *in_sign_algo = NULL;
165 struct smb2_negotiate_contexts out_c = { .num_contexts = 0, };
166 struct smb2_negotiate_context *in_posix = NULL;
167 const struct smb311_capabilities default_smb3_capabilities =
168 smb311_capabilities_parse("server",
169 lp_server_smb3_signing_algorithms(),
170 lp_server_smb3_encryption_algorithms());
171 DATA_BLOB out_negotiate_context_blob = data_blob_null;
172 uint32_t out_negotiate_context_offset = 0;
173 uint16_t out_negotiate_context_count = 0;
174 uint16_t dialect = 0;
175 uint32_t capabilities;
176 DATA_BLOB out_guid_blob;
177 struct GUID out_guid;
178 enum protocol_types protocol = PROTOCOL_NONE;
179 uint32_t max_limit;
180 uint32_t max_trans = lp_smb2_max_trans();
181 uint32_t max_read = lp_smb2_max_read();
182 uint32_t max_write = lp_smb2_max_write();
183 NTTIME now = timeval_to_nttime(&req->request_time);
184 bool ok;
185
186 status = smbd_smb2_request_verify_sizes(req, 0x24);
187 if (!NT_STATUS_IS_OK(status)) {
188 return smbd_smb2_request_error(req, status);
189 }
190 inbody = SMBD_SMB2_IN_BODY_PTR(req);
191
192 dialect_count = SVAL(inbody, 0x02);
193
194 in_security_mode = SVAL(inbody, 0x04);
195 in_capabilities = IVAL(inbody, 0x08);
196 in_guid_blob = data_blob_const(inbody + 0x0C, 16);
197
198 if (dialect_count == 0) {
199 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
200 }
201
202 status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
203 if (!NT_STATUS_IS_OK(status)) {
204 return smbd_smb2_request_error(req, status);
205 }
206
207 expected_dyn_size = dialect_count * 2;
208 if (SMBD_SMB2_IN_DYN_LEN(req) < expected_dyn_size) {
209 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
210 }
211 indyn = SMBD_SMB2_IN_DYN_PTR(req);
212
213 protocol = smbd_smb2_protocol_dialect_match(indyn,
214 dialect_count,
215 &dialect);
216
217 for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
218 if (lp_server_max_protocol() < PROTOCOL_SMB2_10) {
219 break;
220 }
221
222 dialect = SVAL(indyn, c*2);
223 if (dialect == SMB2_DIALECT_REVISION_2FF) {
224 if (xconn->smb2.allow_2ff) {
225 xconn->smb2.allow_2ff = false;
226 protocol = PROTOCOL_SMB2_10;
227 break;
228 }
229 }
230 }
231
232 if (protocol == PROTOCOL_NONE) {
233 return smbd_smb2_request_error(req, NT_STATUS_NOT_SUPPORTED);
234 }
235
236 if (protocol >= PROTOCOL_SMB3_11) {
237 uint32_t in_negotiate_context_offset = 0;
238 uint16_t in_negotiate_context_count = 0;
239 DATA_BLOB in_negotiate_context_blob = data_blob_null;
240 size_t ofs;
241
242 in_negotiate_context_offset = IVAL(inbody, 0x1C);
243 in_negotiate_context_count = SVAL(inbody, 0x20);
244
245 ofs = SMB2_HDR_BODY;
246 ofs += SMBD_SMB2_IN_BODY_LEN(req);
247 ofs += expected_dyn_size;
248 if ((ofs % 8) != 0) {
249 ofs += 8 - (ofs % 8);
250 }
251
252 if (in_negotiate_context_offset != ofs) {
253 return smbd_smb2_request_error(req,
254 NT_STATUS_INVALID_PARAMETER);
255 }
256
257 ofs -= SMB2_HDR_BODY;
258 ofs -= SMBD_SMB2_IN_BODY_LEN(req);
259
260 if (SMBD_SMB2_IN_DYN_LEN(req) < ofs) {
261 return smbd_smb2_request_error(req,
262 NT_STATUS_INVALID_PARAMETER);
263 }
264
265 in_negotiate_context_blob = data_blob_const(indyn,
266 SMBD_SMB2_IN_DYN_LEN(req));
267
268 in_negotiate_context_blob.data += ofs;
269 in_negotiate_context_blob.length -= ofs;
270
271 status = smb2_negotiate_context_parse(req,
272 in_negotiate_context_blob,
273 in_negotiate_context_count,
274 &in_c);
275 if (!NT_STATUS_IS_OK(status)) {
276 return smbd_smb2_request_error(req, status);
277 }
278
279 if (lp_smb3_unix_extensions()) {
280 in_posix = smb2_negotiate_context_find(&in_c,
281 SMB2_POSIX_EXTENSIONS_AVAILABLE);
282
283 if (in_posix != NULL) {
284 const uint8_t *inbuf = in_posix->data.data;
285 size_t inbuflen = in_posix->data.length;
286 bool posix_found = false;
287 /*
288 * For now the server only supports one variant.
289 * Check it's the right one.
290 */
291 if ((inbuflen % 16) != 0) {
292 return smbd_smb2_request_error(req,
293 NT_STATUS_INVALID_PARAMETER);
294 }
295 SMB_ASSERT(strlen(SMB2_CREATE_TAG_POSIX) == 16);
296 for (ofs=0; ofs<inbuflen; ofs+=16) {
297 if (memcmp(inbuf+ofs,
298 SMB2_CREATE_TAG_POSIX,
299 16) == 0) {
300 posix_found = true;
301 break;
302 }
303 }
304 if (posix_found) {
305 DBG_DEBUG("Client requested SMB2 unix "
306 "extensions\n");
307 } else {
308 DBG_DEBUG("Client requested unknown "
309 "SMB2 unix extensions:\n");
310 dump_data(10, inbuf, inbuflen);
311 in_posix = NULL;
312 }
313 }
314 }
315 }
316
317 if ((dialect != SMB2_DIALECT_REVISION_2FF) &&
318 (protocol >= PROTOCOL_SMB2_10) &&
319 !GUID_all_zero(&in_guid))
320 {
321 ok = remote_arch_cache_update(&in_guid);
322 if (!ok) {
323 return smbd_smb2_request_error(
324 req, NT_STATUS_UNSUCCESSFUL);
325 }
326 }
327
328 switch (get_remote_arch()) {
329 case RA_VISTA:
330 case RA_SAMBA:
331 case RA_CIFSFS:
332 case RA_OSX:
333 break;
334 default:
335 set_remote_arch(RA_VISTA);
336 break;
337 }
338
339 {
340 fstring proto;
341 fstr_sprintf(proto,
342 "SMB%X_%02X",
343 (dialect >> 8) & 0xFF, dialect & 0xFF);
344 set_remote_proto(proto);
345 DEBUG(3,("Selected protocol %s\n", proto));
346 }
347
348 reload_services(req->sconn, conn_snum_used, true);
349
350 in_preauth = smb2_negotiate_context_find(&in_c,
351 SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
352 if (protocol >= PROTOCOL_SMB3_11 && in_preauth == NULL) {
353 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
354 }
355 in_cipher = smb2_negotiate_context_find(&in_c,
356 SMB2_ENCRYPTION_CAPABILITIES);
357 in_sign_algo = smb2_negotiate_context_find(&in_c,
358 SMB2_SIGNING_CAPABILITIES);
359
360 /* negprot_spnego() returns a the server guid in the first 16 bytes */
361 negprot_spnego_blob = negprot_spnego(req, xconn);
362 if (negprot_spnego_blob.data == NULL) {
363 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
364 }
365
366 if (negprot_spnego_blob.length < 16) {
367 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
368 }
369
370 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
371 if (xconn->smb2.signing_mandatory) {
372 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
373 }
374
375 capabilities = 0;
376 if (lp_host_msdfs()) {
377 capabilities |= SMB2_CAP_DFS;
378 }
379
380 if (protocol >= PROTOCOL_SMB2_10 &&
381 lp_smb2_leases() &&
382 lp_oplocks(GLOBAL_SECTION_SNUM) &&
383 !lp_kernel_oplocks(GLOBAL_SECTION_SNUM))
384 {
385 capabilities |= SMB2_CAP_LEASING;
386 }
387
388 if ((protocol >= PROTOCOL_SMB3_00) &&
389 (lp_server_smb_encrypt(-1) != SMB_ENCRYPTION_OFF) &&
390 (in_capabilities & SMB2_CAP_ENCRYPTION)) {
391 capabilities |= SMB2_CAP_ENCRYPTION;
392 }
393
394 /*
395 * 0x10000 (65536) is the maximum allowed message size
396 * for SMB 2.0
397 */
398 max_limit = 0x10000;
399
400 if (protocol >= PROTOCOL_SMB2_10) {
401 int p = 0;
402
403 if (tsocket_address_is_inet(req->sconn->local_address, "ip")) {
404 p = tsocket_address_inet_port(req->sconn->local_address);
405 }
406
407 /* largeMTU is not supported over NBT (tcp port 139) */
408 if (p != NBT_SMB_PORT) {
409 capabilities |= SMB2_CAP_LARGE_MTU;
410 xconn->smb2.credits.multicredit = true;
411
412 /*
413 * We allow up to almost 16MB.
414 *
415 * The maximum PDU size is 0xFFFFFF (16776960)
416 * and we need some space for the header.
417 */
418 max_limit = 0xFFFF00;
419 }
420 }
421
422 /*
423 * the defaults are 8MB, but we'll limit this to max_limit based on
424 * the dialect (64kb for SMB 2.0, 8MB for SMB >= 2.1 with LargeMTU)
425 *
426 * user configured values exceeding the limits will be overwritten,
427 * only smaller values will be accepted
428 */
429
430 max_trans = MIN(max_limit, lp_smb2_max_trans());
431 max_read = MIN(max_limit, lp_smb2_max_read());
432 max_write = MIN(max_limit, lp_smb2_max_write());
433
434 if (in_preauth != NULL) {
435 size_t needed = 4;
436 uint16_t hash_count;
437 uint16_t salt_length;
438 uint16_t selected_preauth = 0;
439 const uint8_t *p;
440 uint8_t buf[38];
441 size_t i;
442
443 if (in_preauth->data.length < needed) {
444 return smbd_smb2_request_error(req,
445 NT_STATUS_INVALID_PARAMETER);
446 }
447
448 hash_count = SVAL(in_preauth->data.data, 0);
449 salt_length = SVAL(in_preauth->data.data, 2);
450
451 if (hash_count == 0) {
452 return smbd_smb2_request_error(req,
453 NT_STATUS_INVALID_PARAMETER);
454 }
455
456 p = in_preauth->data.data + needed;
457 needed += hash_count * 2;
458 needed += salt_length;
459
460 if (in_preauth->data.length < needed) {
461 return smbd_smb2_request_error(req,
462 NT_STATUS_INVALID_PARAMETER);
463 }
464
465 for (i=0; i < hash_count; i++) {
466 uint16_t v;
467
468 v = SVAL(p, 0);
469 p += 2;
470
471 if (v == SMB2_PREAUTH_INTEGRITY_SHA512) {
472 selected_preauth = v;
473 break;
474 }
475 }
476
477 if (selected_preauth == 0) {
478 return smbd_smb2_request_error(req,
479 NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP);
480 }
481
482 SSVAL(buf, 0, 1); /* HashAlgorithmCount */
483 SSVAL(buf, 2, 32); /* SaltLength */
484 SSVAL(buf, 4, selected_preauth);
485 generate_random_buffer(buf + 6, 32);
486
487 status = smb2_negotiate_context_add(
488 req,
489 &out_c,
490 SMB2_PREAUTH_INTEGRITY_CAPABILITIES,
491 buf,
492 sizeof(buf));
493 if (!NT_STATUS_IS_OK(status)) {
494 return smbd_smb2_request_error(req, status);
495 }
496
497 req->preauth = &req->xconn->smb2.preauth;
498 }
499
500 if (protocol >= PROTOCOL_SMB3_00) {
501 xconn->smb2.server.sign_algo = SMB2_SIGNING_AES128_CMAC;
502 } else {
503 xconn->smb2.server.sign_algo = SMB2_SIGNING_HMAC_SHA256;
504 }
505
506 if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
507 const struct smb3_encryption_capabilities *srv_ciphers =
508 &default_smb3_capabilities.encryption;
509 uint16_t srv_preferred_idx = UINT16_MAX;
510 size_t needed = 2;
511 uint16_t cipher_count;
512 const uint8_t *p;
513 uint8_t buf[4];
514 size_t i;
515
516 capabilities &= ~SMB2_CAP_ENCRYPTION;
517
518 if (in_cipher->data.length < needed) {
519 return smbd_smb2_request_error(req,
520 NT_STATUS_INVALID_PARAMETER);
521 }
522
523 cipher_count = SVAL(in_cipher->data.data, 0);
524 if (cipher_count == 0) {
525 return smbd_smb2_request_error(req,
526 NT_STATUS_INVALID_PARAMETER);
527 }
528
529 p = in_cipher->data.data + needed;
530 needed += cipher_count * 2;
531
532 if (in_cipher->data.length < needed) {
533 return smbd_smb2_request_error(req,
534 NT_STATUS_INVALID_PARAMETER);
535 }
536
537 for (i=0; i < cipher_count; i++) {
538 uint16_t si;
539 uint16_t v;
540
541 v = SVAL(p, 0);
542 p += 2;
543
544 for (si = 0; si < srv_ciphers->num_algos; si++) {
545 if (srv_ciphers->algos[si] != v) {
546 continue;
547 }
548
549 /*
550 * The server ciphers are listed
551 * with the lowest idx being preferred.
552 */
553 if (si < srv_preferred_idx) {
554 srv_preferred_idx = si;
555 }
556 break;
557 }
558 }
559
560 if (srv_preferred_idx != UINT16_MAX) {
561 xconn->smb2.server.cipher =
562 srv_ciphers->algos[srv_preferred_idx];
563 }
564
565 SSVAL(buf, 0, 1); /* ChiperCount */
566 SSVAL(buf, 2, xconn->smb2.server.cipher);
567
568 status = smb2_negotiate_context_add(
569 req,
570 &out_c,
571 SMB2_ENCRYPTION_CAPABILITIES,
572 buf,
573 sizeof(buf));
574 if (!NT_STATUS_IS_OK(status)) {
575 return smbd_smb2_request_error(req, status);
576 }
577 }
578
579 if (capabilities & SMB2_CAP_ENCRYPTION) {
580 xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
581 }
582
583 if (in_sign_algo != NULL) {
584 const struct smb3_signing_capabilities *srv_sign_algos =
585 &default_smb3_capabilities.signing;
586 uint16_t srv_preferred_idx = UINT16_MAX;
587 size_t needed = 2;
588 uint16_t sign_algo_count;
589 const uint8_t *p;
590 size_t i;
591
592 if (in_sign_algo->data.length < needed) {
593 return smbd_smb2_request_error(req,
594 NT_STATUS_INVALID_PARAMETER);
595 }
596
597 sign_algo_count = SVAL(in_sign_algo->data.data, 0);
598 if (sign_algo_count == 0) {
599 return smbd_smb2_request_error(req,
600 NT_STATUS_INVALID_PARAMETER);
601 }
602
603 p = in_sign_algo->data.data + needed;
604 needed += sign_algo_count * 2;
605
606 if (in_sign_algo->data.length < needed) {
607 return smbd_smb2_request_error(req,
608 NT_STATUS_INVALID_PARAMETER);
609 }
610
611 for (i=0; i < sign_algo_count; i++) {
612 uint16_t si;
613 uint16_t v;
614
615 v = SVAL(p, 0);
616 p += 2;
617
618 for (si = 0; si < srv_sign_algos->num_algos; si++) {
619 if (srv_sign_algos->algos[si] != v) {
620 continue;
621 }
622
623 /*
624 * The server sign_algos are listed
625 * with the lowest idx being preferred.
626 */
627 if (si < srv_preferred_idx) {
628 srv_preferred_idx = si;
629 }
630 break;
631 }
632 }
633
634 /*
635 * If we found a match announce it
636 * otherwise we'll keep the default
637 * of SMB2_SIGNING_AES128_CMAC
638 */
639 if (srv_preferred_idx != UINT16_MAX) {
640 uint8_t buf[4];
641
642 xconn->smb2.server.sign_algo =
643 srv_sign_algos->algos[srv_preferred_idx];
644
645 SSVAL(buf, 0, 1); /* SigningAlgorithmCount */
646 SSVAL(buf, 2, xconn->smb2.server.sign_algo);
647
648 status = smb2_negotiate_context_add(
649 req,
650 &out_c,
651 SMB2_SIGNING_CAPABILITIES,
652 buf,
653 sizeof(buf));
654 if (!NT_STATUS_IS_OK(status)) {
655 return smbd_smb2_request_error(req, status);
656 }
657 }
658 }
659
660 status = smb311_capabilities_check(&default_smb3_capabilities,
661 "smb2srv_negprot",
662 DBGLVL_NOTICE,
663 NT_STATUS_INVALID_PARAMETER,
664 "server",
665 protocol,
666 xconn->smb2.server.sign_algo,
667 xconn->smb2.server.cipher);
668 if (!NT_STATUS_IS_OK(status)) {
669 return smbd_smb2_request_error(req, status);
670 }
671
672 if (protocol >= PROTOCOL_SMB3_00 &&
673 xconn->client->server_multi_channel_enabled)
674 {
675 if (in_capabilities & SMB2_CAP_MULTI_CHANNEL) {
676 capabilities |= SMB2_CAP_MULTI_CHANNEL;
677 }
678 }
679
680 security_offset = SMB2_HDR_BODY + 0x40;
681
682 #if 1
683 /* Try SPNEGO auth... */
684 security_buffer = data_blob_const(negprot_spnego_blob.data + 16,
685 negprot_spnego_blob.length - 16);
686 #else
687 /* for now we want raw NTLMSSP */
688 security_buffer = data_blob_const(NULL, 0);
689 #endif
690
691 if (in_posix != NULL) {
692 /* Client correctly negotiated SMB2 unix extensions. */
693 const uint8_t *buf = (const uint8_t *)SMB2_CREATE_TAG_POSIX;
694 status = smb2_negotiate_context_add(
695 req,
696 &out_c,
697 SMB2_POSIX_EXTENSIONS_AVAILABLE,
698 buf,
699 16);
700 if (!NT_STATUS_IS_OK(status)) {
701 return smbd_smb2_request_error(req, status);
702 }
703 xconn->smb2.server.posix_extensions_negotiated = true;
704 }
705
706 if (out_c.num_contexts != 0) {
707 status = smb2_negotiate_context_push(req,
708 &out_negotiate_context_blob,
709 out_c);
710 if (!NT_STATUS_IS_OK(status)) {
711 return smbd_smb2_request_error(req, status);
712 }
713 }
714
715 if (out_negotiate_context_blob.length != 0) {
716 static const uint8_t zeros[8];
717 size_t pad = 0;
718 size_t ofs;
719
720 outdyn = data_blob_dup_talloc(req, security_buffer);
721 if (outdyn.length != security_buffer.length) {
722 return smbd_smb2_request_error(req,
723 NT_STATUS_NO_MEMORY);
724 }
725
726 ofs = security_offset + security_buffer.length;
727 if ((ofs % 8) != 0) {
728 pad = 8 - (ofs % 8);
729 }
730 ofs += pad;
731
732 ok = data_blob_append(req, &outdyn, zeros, pad);
733 if (!ok) {
734 return smbd_smb2_request_error(req,
735 NT_STATUS_NO_MEMORY);
736 }
737
738 ok = data_blob_append(req, &outdyn,
739 out_negotiate_context_blob.data,
740 out_negotiate_context_blob.length);
741 if (!ok) {
742 return smbd_smb2_request_error(req,
743 NT_STATUS_NO_MEMORY);
744 }
745
746 out_negotiate_context_offset = ofs;
747 out_negotiate_context_count = out_c.num_contexts;
748 } else {
749 outdyn = security_buffer;
750 }
751
752 out_guid_blob = data_blob_const(negprot_spnego_blob.data, 16);
753 status = GUID_from_ndr_blob(&out_guid_blob, &out_guid);
754 if (!NT_STATUS_IS_OK(status)) {
755 return smbd_smb2_request_error(req, status);
756 }
757
758 outbody = smbd_smb2_generate_outbody(req, 0x40);
759 if (outbody.data == NULL) {
760 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
761 }
762
763 SSVAL(outbody.data, 0x00, 0x40 + 1); /* struct size */
764 SSVAL(outbody.data, 0x02,
765 security_mode); /* security mode */
766 SSVAL(outbody.data, 0x04, dialect); /* dialect revision */
767 SSVAL(outbody.data, 0x06,
768 out_negotiate_context_count); /* reserved/NegotiateContextCount */
769 memcpy(outbody.data + 0x08,
770 out_guid_blob.data, 16); /* server guid */
771 SIVAL(outbody.data, 0x18,
772 capabilities); /* capabilities */
773 SIVAL(outbody.data, 0x1C, max_trans); /* max transact size */
774 SIVAL(outbody.data, 0x20, max_read); /* max read size */
775 SIVAL(outbody.data, 0x24, max_write); /* max write size */
776 SBVAL(outbody.data, 0x28, now); /* system time */
777 SBVAL(outbody.data, 0x30, 0); /* server start time */
778 SSVAL(outbody.data, 0x38,
779 security_offset); /* security buffer offset */
780 SSVAL(outbody.data, 0x3A,
781 security_buffer.length); /* security buffer length */
782 SIVAL(outbody.data, 0x3C,
783 out_negotiate_context_offset); /* reserved/NegotiateContextOffset */
784
785 req->sconn->using_smb2 = true;
786
787 if (dialect == SMB2_DIALECT_REVISION_2FF) {
788 return smbd_smb2_request_done(req, outbody, &outdyn);
789 }
790
791 status = smbXsrv_connection_init_tables(xconn, protocol);
792 if (!NT_STATUS_IS_OK(status)) {
793 return smbd_smb2_request_error(req, status);
794 }
795
796 xconn->smb2.client.capabilities = in_capabilities;
797 xconn->smb2.client.security_mode = in_security_mode;
798 xconn->smb2.client.guid = in_guid;
799 xconn->smb2.client.num_dialects = dialect_count;
800 xconn->smb2.client.dialects = talloc_array(xconn,
801 uint16_t,
802 dialect_count);
803 if (xconn->smb2.client.dialects == NULL) {
804 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
805 }
806 for (c=0; c < dialect_count; c++) {
807 xconn->smb2.client.dialects[c] = SVAL(indyn, c*2);
808 }
809
810 xconn->smb2.server.capabilities = capabilities;
811 xconn->smb2.server.security_mode = security_mode;
812 xconn->smb2.server.guid = out_guid;
813 xconn->smb2.server.dialect = dialect;
814 xconn->smb2.server.max_trans = max_trans;
815 xconn->smb2.server.max_read = max_read;
816 xconn->smb2.server.max_write = max_write;
817
818 if (xconn->protocol < PROTOCOL_SMB2_10) {
819 /*
820 * SMB2_02 doesn't support client guids
821 */
822 return smbd_smb2_request_done(req, outbody, &outdyn);
823 }
824
825 if (!xconn->client->server_multi_channel_enabled) {
826 /*
827 * Only deal with the client guid database
828 * if multi-channel is enabled.
829 *
830 * But we still need to setup
831 * xconn->client->global->client_guid to
832 * the correct value.
833 */
834 xconn->client->global->client_guid =
835 xconn->smb2.client.guid;
836 return smbd_smb2_request_done(req, outbody, &outdyn);
837 }
838
839 if (xconn->smb2.client.guid_verified) {
840 /*
841 * The connection was passed from another
842 * smbd process.
843 */
844 return smbd_smb2_request_done(req, outbody, &outdyn);
845 }
846
847 state = talloc_zero(req, struct smbd_smb2_request_process_negprot_state);
848 if (state == NULL) {
849 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
850 }
851 *state = (struct smbd_smb2_request_process_negprot_state) {
852 .req = req,
853 .outbody = outbody,
854 .outdyn = outdyn,
855 };
856
857 subreq = smb2srv_client_mc_negprot_send(state,
858 req->xconn->client->raw_ev_ctx,
859 req);
860 if (subreq == NULL) {
861 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
862 }
863 tevent_req_set_callback(subreq,
864 smbd_smb2_request_process_negprot_mc_done,
865 state);
866 return NT_STATUS_OK;
867 }
868
869 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq)
870 {
871 struct smbd_smb2_request_process_negprot_state *state =
872 tevent_req_callback_data(subreq,
873 struct smbd_smb2_request_process_negprot_state);
874 struct smbd_smb2_request *req = state->req;
875 struct smbXsrv_connection *xconn = req->xconn;
876 NTSTATUS status;
877
878 status = smb2srv_client_mc_negprot_recv(subreq);
879 TALLOC_FREE(subreq);
880 if (NT_STATUS_EQUAL(status, NT_STATUS_MESSAGE_RETRIEVED)) {
881 /*
882 * The connection was passed to another process
883 *
884 * We mark the error as NT_STATUS_CONNECTION_IN_USE,
885 * in order to indicate to low level code if
886 * ctdbd_unregister_ips() or ctdbd_passed_ips()
887 * is more useful.
888 */
889 smbXsrv_connection_disconnect_transport(xconn,
890 NT_STATUS_CONNECTION_IN_USE);
891 smbd_server_connection_terminate(xconn,
892 "passed connection");
893 /*
894 * smbd_server_connection_terminate() should not return!
895 */
896 smb_panic(__location__);
897 return;
898 }
899 if (!NT_STATUS_IS_OK(status)) {
900 status = smbd_smb2_request_error(req, status);
901 if (NT_STATUS_IS_OK(status)) {
902 return;
903 }
904
905 /*
906 * The connection was passed to another process
907 */
908 smbd_server_connection_terminate(xconn, nt_errstr(status));
909 /*
910 * smbd_server_connection_terminate() should not return!
911 */
912 smb_panic(__location__);
913 return;
914 }
915
916 /*
917 * We're the first connection...
918 */
919 status = smbd_smb2_request_done(req, state->outbody, &state->outdyn);
920 if (NT_STATUS_IS_OK(status)) {
921 /*
922 * This allows us to support starting smbd under
923 * callgrind and only start the overhead and
924 * instrumentation after the SMB2 negprot,
925 * this allows us to profile only useful
926 * stuff and not all the smbd startup, forking
927 * and multichannel handling.
928 *
929 * valgrind --tool=callgrind --instr-atstart=no smbd
930 */
931 #ifdef CALLGRIND_START_INSTRUMENTATION
932 CALLGRIND_START_INSTRUMENTATION;
933 #endif
934 return;
935 }
936
937 /*
938 * The connection was passed to another process
939 */
940 smbd_server_connection_terminate(xconn, nt_errstr(status));
941 /*
942 * smbd_server_connection_terminate() should not return!
943 */
944 smb_panic(__location__);
945 return;
946 }
947
948 /****************************************************************************
949 Generate the spnego negprot reply blob. Return the number of bytes used.
950 ****************************************************************************/
951
952 DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbXsrv_connection *xconn)
953 {
954 DATA_BLOB blob = data_blob_null;
955 DATA_BLOB blob_out = data_blob_null;
956 nstring dos_name;
957 fstring unix_name;
958 NTSTATUS status;
959 #ifdef DEVELOPER
960 size_t slen;
961 #endif
962 struct gensec_security *gensec_security;
963
964 /* See if we can get an SPNEGO blob */
965 status = auth_generic_prepare(talloc_tos(),
966 xconn->remote_address,
967 xconn->local_address,
968 "SMB",
969 &gensec_security);
970
971 /*
972 * Despite including it above, there is no need to set a
973 * remote address or similar as we are just interested in the
974 * SPNEGO blob, we never keep this context.
975 */
976
977 if (NT_STATUS_IS_OK(status)) {
978 status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
979 if (NT_STATUS_IS_OK(status)) {
980 status = gensec_update(gensec_security, ctx,
981 data_blob_null, &blob);
982 /* If we get the list of OIDs, the 'OK' answer
983 * is NT_STATUS_MORE_PROCESSING_REQUIRED */
984 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
985 DEBUG(0, ("Failed to start SPNEGO handler for negprot OID list!\n"));
986 blob = data_blob_null;
987 }
988 }
989 TALLOC_FREE(gensec_security);
990 }
991
992 #if defined(WITH_SMB1SERVER)
993 xconn->smb1.negprot.spnego = true;
994 #endif
995
996 /* strangely enough, NT does not sent the single OID NTLMSSP when
997 not a ADS member, it sends no OIDs at all
998
999 OLD COMMENT : "we can't do this until we teach our session setup parser to know
1000 about raw NTLMSSP (clients send no ASN.1 wrapping if we do this)"
1001
1002 Our sessionsetup code now handles raw NTLMSSP connects, so we can go
1003 back to doing what W2K3 does here. This is needed to make PocketPC 2003
1004 CIFS connections work with SPNEGO. See bugzilla bugs #1828 and #3133
1005 for details. JRA.
1006
1007 */
1008
1009 if (blob.length == 0 || blob.data == NULL) {
1010 return data_blob_null;
1011 }
1012
1013 blob_out = data_blob_talloc(ctx, NULL, 16 + blob.length);
1014 if (blob_out.data == NULL) {
1015 data_blob_free(&blob);
1016 return data_blob_null;
1017 }
1018
1019 memset(blob_out.data, '\0', 16);
1020
1021 checked_strlcpy(unix_name, lp_netbios_name(), sizeof(unix_name));
1022 (void)strlower_m(unix_name);
1023 push_ascii_nstring(dos_name, unix_name);
1024 strlcpy((char *)blob_out.data, dos_name, 17);
1025
1026 #ifdef DEVELOPER
1027 /* Fix valgrind 'uninitialized bytes' issue. */
1028 slen = strlen(dos_name);
1029 if (slen < 16) {
1030 memset(blob_out.data+slen, '\0', 16 - slen);
1031 }
1032 #endif
1033
1034 memcpy(&blob_out.data[16], blob.data, blob.length);
1035
1036 data_blob_free(&blob);
1037
1038 return blob_out;
1039 }
1040
1041 /*
1042 * MS-CIFS, 2.2.4.52.2 SMB_COM_NEGOTIATE Response:
1043 * If the server does not support any of the listed dialects, it MUST return a
1044 * DialectIndex of 0XFFFF
1045 */
1046 #define NO_PROTOCOL_CHOSEN 0xffff
1047
1048 #define PROT_SMB_2_002 0x1000
1049 #define PROT_SMB_2_FF 0x2000
1050
1051 /* List of supported SMB1 protocols, most desired first.
1052 * This is for enabling multi-protocol negotiation in SMB2 when SMB1
1053 * is disabled.
1054 */
1055 static const struct {
1056 const char *proto_name;
1057 const char *short_name;
1058 NTSTATUS (*proto_reply_fn)(struct smb_request *req, uint16_t choice);
1059 int protocol_level;
1060 } supported_protocols[] = {
1061 {"SMB 2.???", "SMB2_FF", reply_smb20ff, PROTOCOL_SMB2_10},
1062 {"SMB 2.002", "SMB2_02", reply_smb2002, PROTOCOL_SMB2_02},
1063 {NULL,NULL,NULL,0},
1064 };
1065
1066 /****************************************************************************
1067 Reply to a negprot.
1068 conn POINTER CAN BE NULL HERE !
1069 ****************************************************************************/
1070
1071 NTSTATUS smb2_multi_protocol_reply_negprot(struct smb_request *req)
1072 {
1073 size_t choice = 0;
1074 bool choice_set = false;
1075 int protocol;
1076 const char *p;
1077 int num_cliprotos;
1078 char **cliprotos;
1079 size_t i;
1080 size_t converted_size;
1081 struct smbXsrv_connection *xconn = req->xconn;
1082 struct smbd_server_connection *sconn = req->sconn;
1083 int max_proto;
1084 int min_proto;
1085 NTSTATUS status;
1086
1087 START_PROFILE(SMBnegprot);
1088
1089 if (req->buflen == 0) {
1090 DEBUG(0, ("negprot got no protocols\n"));
1091 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1092 END_PROFILE(SMBnegprot);
1093 return NT_STATUS_INVALID_PARAMETER;
1094 }
1095
1096 if (req->buf[req->buflen-1] != '\0') {
1097 DEBUG(0, ("negprot protocols not 0-terminated\n"));
1098 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1099 END_PROFILE(SMBnegprot);
1100 return NT_STATUS_INVALID_PARAMETER;
1101 }
1102
1103 p = (const char *)req->buf + 1;
1104
1105 num_cliprotos = 0;
1106 cliprotos = NULL;
1107
1108 while (smbreq_bufrem(req, p) > 0) {
1109
1110 char **tmp;
1111
1112 tmp = talloc_realloc(talloc_tos(), cliprotos, char *,
1113 num_cliprotos+1);
1114 if (tmp == NULL) {
1115 DEBUG(0, ("talloc failed\n"));
1116 TALLOC_FREE(cliprotos);
1117 reply_nterror(req, NT_STATUS_NO_MEMORY);
1118 END_PROFILE(SMBnegprot);
1119 return NT_STATUS_NO_MEMORY;
1120 }
1121
1122 cliprotos = tmp;
1123
1124 if (!pull_ascii_talloc(cliprotos, &cliprotos[num_cliprotos], p,
1125 &converted_size)) {
1126 DEBUG(0, ("pull_ascii_talloc failed\n"));
1127 TALLOC_FREE(cliprotos);
1128 reply_nterror(req, NT_STATUS_NO_MEMORY);
1129 END_PROFILE(SMBnegprot);
1130 return NT_STATUS_NO_MEMORY;
1131 }
1132
1133 DEBUG(3, ("Requested protocol [%s]\n",
1134 cliprotos[num_cliprotos]));
1135
1136 num_cliprotos += 1;
1137 p += strlen(p) + 2;
1138 }
1139
1140 /* possibly reload - change of architecture */
1141 reload_services(sconn, conn_snum_used, true);
1142
1143 /*
1144 * Anything higher than PROTOCOL_SMB2_10 still
1145 * needs to go via "SMB 2.???", which is marked
1146 * as PROTOCOL_SMB2_10.
1147 *
1148 * The real negotiation happens via reply_smb20ff()
1149 * using SMB2 Negotiation.
1150 */
1151 max_proto = lp_server_max_protocol();
1152 if (max_proto > PROTOCOL_SMB2_10) {
1153 max_proto = PROTOCOL_SMB2_10;
1154 }
1155 min_proto = lp_server_min_protocol();
1156 if (min_proto > PROTOCOL_SMB2_10) {
1157 min_proto = PROTOCOL_SMB2_10;
1158 }
1159
1160 /* Check for protocols, most desirable first */
1161 for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
1162 i = 0;
1163 if ((supported_protocols[protocol].protocol_level <= max_proto) &&
1164 (supported_protocols[protocol].protocol_level >= min_proto))
1165 while (i < num_cliprotos) {
1166 if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) {
1167 choice = i;
1168 choice_set = true;
1169 }
1170 i++;
1171 }
1172 if (choice_set) {
1173 break;
1174 }
1175 }
1176
1177 if (!choice_set) {
1178 bool ok;
1179
1180 DBG_NOTICE("No protocol supported !\n");
1181 reply_smb1_outbuf(req, 1, 0);
1182 SSVAL(req->outbuf, smb_vwv0, NO_PROTOCOL_CHOSEN);
1183
1184 ok = smb1_srv_send(xconn, (char *)req->outbuf, false, 0, false);
1185 if (!ok) {
1186 DBG_NOTICE("smb1_srv_send failed\n");
1187 }
1188 exit_server_cleanly("no protocol supported\n");
1189 }
1190
1191 set_remote_proto(supported_protocols[protocol].short_name);
1192 reload_services(sconn, conn_snum_used, true);
1193 status = supported_protocols[protocol].proto_reply_fn(req, choice);
1194 if (!NT_STATUS_IS_OK(status)) {
1195 exit_server_cleanly("negprot function failed\n");
1196 }
1197
1198 DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name));
1199
1200 DBG_INFO("negprot index=%zu\n", choice);
1201
1202 TALLOC_FREE(cliprotos);
1203
1204 END_PROFILE(SMBnegprot);
1205 return NT_STATUS_OK;
1206 }
Samba GIT mirror