search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2020-25719 mit-samba: Add mit_samba_princ_needs_pac()
[Samba.git] / source3 / smbd / smb2_negprot.c
blobc6c9e50e32af11d0f66ed03cc0289becc31fe0e9
1 /*
2 Unix SMB/CIFS implementation.
3 Core SMB2 server
4
5 Copyright (C) Stefan Metzmacher 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../libcli/smb/smb2_negotiate_context.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "../librpc/ndr/libndr.h"
28 #include "../libcli/smb/smb_signing.h"
29
30 #undef DBGC_CLASS
31 #define DBGC_CLASS DBGC_SMB2
32
33 extern fstring remote_proto;
34
35 /*
36 * this is the entry point if SMB2 is selected via
37 * the SMB negprot and the given dialect.
38 */
39 static NTSTATUS reply_smb20xx(struct smb_request *req, uint16_t dialect)
40 {
41 uint8_t *smb2_inpdu;
42 uint8_t *smb2_hdr;
43 uint8_t *smb2_body;
44 uint8_t *smb2_dyn;
45 size_t len = SMB2_HDR_BODY + 0x24 + 2;
46
47 smb2_inpdu = talloc_zero_array(talloc_tos(), uint8_t, len);
48 if (smb2_inpdu == NULL) {
49 DEBUG(0, ("Could not push spnego blob\n"));
50 reply_nterror(req, NT_STATUS_NO_MEMORY);
51 return NT_STATUS_NO_MEMORY;
52 }
53 smb2_hdr = smb2_inpdu;
54 smb2_body = smb2_hdr + SMB2_HDR_BODY;
55 smb2_dyn = smb2_body + 0x24;
56
57 SIVAL(smb2_hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
58 SIVAL(smb2_hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
59
60 SSVAL(smb2_body, 0x00, 0x0024); /* struct size */
61 SSVAL(smb2_body, 0x02, 0x0001); /* dialect count */
62
63 SSVAL(smb2_dyn, 0x00, dialect);
64
65 req->outbuf = NULL;
66
67 return smbd_smb2_process_negprot(req->xconn, 0, smb2_inpdu, len);
68 }
69
70 /*
71 * this is the entry point if SMB2 is selected via
72 * the SMB negprot and the "SMB 2.002" dialect.
73 */
74 NTSTATUS reply_smb2002(struct smb_request *req, uint16_t choice)
75 {
76 return reply_smb20xx(req, SMB2_DIALECT_REVISION_202);
77 }
78
79 /*
80 * this is the entry point if SMB2 is selected via
81 * the SMB negprot and the "SMB 2.???" dialect.
82 */
83 NTSTATUS reply_smb20ff(struct smb_request *req, uint16_t choice)
84 {
85 struct smbXsrv_connection *xconn = req->xconn;
86 xconn->smb2.allow_2ff = true;
87 return reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF);
88 }
89
90 enum protocol_types smbd_smb2_protocol_dialect_match(const uint8_t *indyn,
91 const int dialect_count,
92 uint16_t *dialect)
93 {
94 struct {
95 enum protocol_types proto;
96 uint16_t dialect;
97 } pd[] = {
98 { PROTOCOL_SMB3_11, SMB3_DIALECT_REVISION_311 },
99 { PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302 },
100 { PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300 },
101 { PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210 },
102 { PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202 },
103 };
104 size_t i;
105
106 for (i = 0; i < ARRAY_SIZE(pd); i ++) {
107 int c = 0;
108
109 if (lp_server_max_protocol() < pd[i].proto) {
110 continue;
111 }
112 if (lp_server_min_protocol() > pd[i].proto) {
113 continue;
114 }
115
116 for (c = 0; c < dialect_count; c++) {
117 *dialect = SVAL(indyn, c*2);
118 if (*dialect == pd[i].dialect) {
119 return pd[i].proto;
120 }
121 }
122 }
123
124 return PROTOCOL_NONE;
125 }
126
127 struct smbd_smb2_request_process_negprot_state {
128 struct smbd_smb2_request *req;
129 DATA_BLOB outbody;
130 DATA_BLOB outdyn;
131 };
132
133 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq);
134
135 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
136 {
137 struct smbd_smb2_request_process_negprot_state *state = NULL;
138 struct smbXsrv_connection *xconn = req->xconn;
139 struct tevent_req *subreq = NULL;
140 NTSTATUS status;
141 const uint8_t *inbody;
142 const uint8_t *indyn = NULL;
143 DATA_BLOB outbody;
144 DATA_BLOB outdyn;
145 DATA_BLOB negprot_spnego_blob;
146 uint16_t security_offset;
147 DATA_BLOB security_buffer;
148 size_t expected_dyn_size = 0;
149 size_t c;
150 uint16_t security_mode;
151 uint16_t dialect_count;
152 uint16_t in_security_mode;
153 uint32_t in_capabilities;
154 DATA_BLOB in_guid_blob;
155 struct GUID in_guid;
156 struct smb2_negotiate_contexts in_c = { .num_contexts = 0, };
157 struct smb2_negotiate_context *in_preauth = NULL;
158 struct smb2_negotiate_context *in_cipher = NULL;
159 struct smb2_negotiate_context *in_sign_algo = NULL;
160 struct smb2_negotiate_contexts out_c = { .num_contexts = 0, };
161 const struct smb311_capabilities default_smb3_capabilities =
162 smb311_capabilities_parse("server",
163 lp_server_smb3_signing_algorithms(),
164 lp_server_smb3_encryption_algorithms());
165 DATA_BLOB out_negotiate_context_blob = data_blob_null;
166 uint32_t out_negotiate_context_offset = 0;
167 uint16_t out_negotiate_context_count = 0;
168 uint16_t dialect = 0;
169 uint32_t capabilities;
170 DATA_BLOB out_guid_blob;
171 struct GUID out_guid;
172 enum protocol_types protocol = PROTOCOL_NONE;
173 uint32_t max_limit;
174 uint32_t max_trans = lp_smb2_max_trans();
175 uint32_t max_read = lp_smb2_max_read();
176 uint32_t max_write = lp_smb2_max_write();
177 NTTIME now = timeval_to_nttime(&req->request_time);
178 bool signing_required = true;
179 bool ok;
180
181 status = smbd_smb2_request_verify_sizes(req, 0x24);
182 if (!NT_STATUS_IS_OK(status)) {
183 return smbd_smb2_request_error(req, status);
184 }
185 inbody = SMBD_SMB2_IN_BODY_PTR(req);
186
187 dialect_count = SVAL(inbody, 0x02);
188
189 in_security_mode = SVAL(inbody, 0x04);
190 in_capabilities = IVAL(inbody, 0x08);
191 in_guid_blob = data_blob_const(inbody + 0x0C, 16);
192
193 if (dialect_count == 0) {
194 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
195 }
196
197 status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
198 if (!NT_STATUS_IS_OK(status)) {
199 return smbd_smb2_request_error(req, status);
200 }
201
202 expected_dyn_size = dialect_count * 2;
203 if (SMBD_SMB2_IN_DYN_LEN(req) < expected_dyn_size) {
204 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
205 }
206 indyn = SMBD_SMB2_IN_DYN_PTR(req);
207
208 protocol = smbd_smb2_protocol_dialect_match(indyn,
209 dialect_count,
210 &dialect);
211
212 for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
213 if (lp_server_max_protocol() < PROTOCOL_SMB2_10) {
214 break;
215 }
216
217 dialect = SVAL(indyn, c*2);
218 if (dialect == SMB2_DIALECT_REVISION_2FF) {
219 if (xconn->smb2.allow_2ff) {
220 xconn->smb2.allow_2ff = false;
221 protocol = PROTOCOL_SMB2_10;
222 break;
223 }
224 }
225 }
226
227 if (protocol == PROTOCOL_NONE) {
228 return smbd_smb2_request_error(req, NT_STATUS_NOT_SUPPORTED);
229 }
230
231 if (protocol >= PROTOCOL_SMB3_11) {
232 uint32_t in_negotiate_context_offset = 0;
233 uint16_t in_negotiate_context_count = 0;
234 DATA_BLOB in_negotiate_context_blob = data_blob_null;
235 size_t ofs;
236
237 in_negotiate_context_offset = IVAL(inbody, 0x1C);
238 in_negotiate_context_count = SVAL(inbody, 0x20);
239
240 ofs = SMB2_HDR_BODY;
241 ofs += SMBD_SMB2_IN_BODY_LEN(req);
242 ofs += expected_dyn_size;
243 if ((ofs % 8) != 0) {
244 ofs += 8 - (ofs % 8);
245 }
246
247 if (in_negotiate_context_offset != ofs) {
248 return smbd_smb2_request_error(req,
249 NT_STATUS_INVALID_PARAMETER);
250 }
251
252 ofs -= SMB2_HDR_BODY;
253 ofs -= SMBD_SMB2_IN_BODY_LEN(req);
254
255 if (SMBD_SMB2_IN_DYN_LEN(req) < ofs) {
256 return smbd_smb2_request_error(req,
257 NT_STATUS_INVALID_PARAMETER);
258 }
259
260 in_negotiate_context_blob = data_blob_const(indyn,
261 SMBD_SMB2_IN_DYN_LEN(req));
262
263 in_negotiate_context_blob.data += ofs;
264 in_negotiate_context_blob.length -= ofs;
265
266 status = smb2_negotiate_context_parse(req,
267 in_negotiate_context_blob,
268 in_negotiate_context_count,
269 &in_c);
270 if (!NT_STATUS_IS_OK(status)) {
271 return smbd_smb2_request_error(req, status);
272 }
273 }
274
275 if ((dialect != SMB2_DIALECT_REVISION_2FF) &&
276 (protocol >= PROTOCOL_SMB2_10) &&
277 !GUID_all_zero(&in_guid))
278 {
279 ok = remote_arch_cache_update(&in_guid);
280 if (!ok) {
281 return smbd_smb2_request_error(
282 req, NT_STATUS_UNSUCCESSFUL);
283 }
284 }
285
286 switch (get_remote_arch()) {
287 case RA_VISTA:
288 case RA_SAMBA:
289 case RA_CIFSFS:
290 case RA_OSX:
291 break;
292 default:
293 set_remote_arch(RA_VISTA);
294 break;
295 }
296
297 fstr_sprintf(remote_proto, "SMB%X_%02X",
298 (dialect >> 8) & 0xFF, dialect & 0xFF);
299
300 reload_services(req->sconn, conn_snum_used, true);
301 DEBUG(3,("Selected protocol %s\n", remote_proto));
302
303 in_preauth = smb2_negotiate_context_find(&in_c,
304 SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
305 if (protocol >= PROTOCOL_SMB3_11 && in_preauth == NULL) {
306 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
307 }
308 in_cipher = smb2_negotiate_context_find(&in_c,
309 SMB2_ENCRYPTION_CAPABILITIES);
310 in_sign_algo = smb2_negotiate_context_find(&in_c,
311 SMB2_SIGNING_CAPABILITIES);
312
313 /* negprot_spnego() returns a the server guid in the first 16 bytes */
314 negprot_spnego_blob = negprot_spnego(req, xconn);
315 if (negprot_spnego_blob.data == NULL) {
316 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
317 }
318
319 if (negprot_spnego_blob.length < 16) {
320 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
321 }
322
323 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
324 /*
325 * We use xconn->smb1.signing_state as that's already present
326 * and used lpcfg_server_signing_allowed() to get the correct
327 * defaults, e.g. signing_required for an ad_dc.
328 */
329 signing_required = smb_signing_is_mandatory(xconn->smb1.signing_state);
330 if (signing_required) {
331 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
332 }
333
334 capabilities = 0;
335 if (lp_host_msdfs()) {
336 capabilities |= SMB2_CAP_DFS;
337 }
338
339 if (protocol >= PROTOCOL_SMB2_10 &&
340 lp_smb2_leases() &&
341 lp_oplocks(GLOBAL_SECTION_SNUM) &&
342 !lp_kernel_oplocks(GLOBAL_SECTION_SNUM))
343 {
344 capabilities |= SMB2_CAP_LEASING;
345 }
346
347 if ((protocol >= PROTOCOL_SMB3_00) &&
348 (lp_server_smb_encrypt(-1) != SMB_ENCRYPTION_OFF) &&
349 (in_capabilities & SMB2_CAP_ENCRYPTION)) {
350 capabilities |= SMB2_CAP_ENCRYPTION;
351 }
352
353 /*
354 * 0x10000 (65536) is the maximum allowed message size
355 * for SMB 2.0
356 */
357 max_limit = 0x10000;
358
359 if (protocol >= PROTOCOL_SMB2_10) {
360 int p = 0;
361
362 if (tsocket_address_is_inet(req->sconn->local_address, "ip")) {
363 p = tsocket_address_inet_port(req->sconn->local_address);
364 }
365
366 /* largeMTU is not supported over NBT (tcp port 139) */
367 if (p != NBT_SMB_PORT) {
368 capabilities |= SMB2_CAP_LARGE_MTU;
369 xconn->smb2.credits.multicredit = true;
370
371 /*
372 * We allow up to almost 16MB.
373 *
374 * The maximum PDU size is 0xFFFFFF (16776960)
375 * and we need some space for the header.
376 */
377 max_limit = 0xFFFF00;
378 }
379 }
380
381 /*
382 * the defaults are 8MB, but we'll limit this to max_limit based on
383 * the dialect (64kb for SMB 2.0, 8MB for SMB >= 2.1 with LargeMTU)
384 *
385 * user configured values exceeding the limits will be overwritten,
386 * only smaller values will be accepted
387 */
388
389 max_trans = MIN(max_limit, lp_smb2_max_trans());
390 max_read = MIN(max_limit, lp_smb2_max_read());
391 max_write = MIN(max_limit, lp_smb2_max_write());
392
393 if (in_preauth != NULL) {
394 size_t needed = 4;
395 uint16_t hash_count;
396 uint16_t salt_length;
397 uint16_t selected_preauth = 0;
398 const uint8_t *p;
399 uint8_t buf[38];
400 size_t i;
401
402 if (in_preauth->data.length < needed) {
403 return smbd_smb2_request_error(req,
404 NT_STATUS_INVALID_PARAMETER);
405 }
406
407 hash_count = SVAL(in_preauth->data.data, 0);
408 salt_length = SVAL(in_preauth->data.data, 2);
409
410 if (hash_count == 0) {
411 return smbd_smb2_request_error(req,
412 NT_STATUS_INVALID_PARAMETER);
413 }
414
415 p = in_preauth->data.data + needed;
416 needed += hash_count * 2;
417 needed += salt_length;
418
419 if (in_preauth->data.length < needed) {
420 return smbd_smb2_request_error(req,
421 NT_STATUS_INVALID_PARAMETER);
422 }
423
424 for (i=0; i < hash_count; i++) {
425 uint16_t v;
426
427 v = SVAL(p, 0);
428 p += 2;
429
430 if (v == SMB2_PREAUTH_INTEGRITY_SHA512) {
431 selected_preauth = v;
432 break;
433 }
434 }
435
436 if (selected_preauth == 0) {
437 return smbd_smb2_request_error(req,
438 NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP);
439 }
440
441 SSVAL(buf, 0, 1); /* HashAlgorithmCount */
442 SSVAL(buf, 2, 32); /* SaltLength */
443 SSVAL(buf, 4, selected_preauth);
444 generate_random_buffer(buf + 6, 32);
445
446 status = smb2_negotiate_context_add(
447 req,
448 &out_c,
449 SMB2_PREAUTH_INTEGRITY_CAPABILITIES,
450 buf,
451 sizeof(buf));
452 if (!NT_STATUS_IS_OK(status)) {
453 return smbd_smb2_request_error(req, status);
454 }
455
456 req->preauth = &req->xconn->smb2.preauth;
457 }
458
459 if (protocol >= PROTOCOL_SMB3_00) {
460 xconn->smb2.server.sign_algo = SMB2_SIGNING_AES128_CMAC;
461 } else {
462 xconn->smb2.server.sign_algo = SMB2_SIGNING_HMAC_SHA256;
463 }
464
465 if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
466 const struct smb3_encryption_capabilities *srv_ciphers =
467 &default_smb3_capabilities.encryption;
468 uint16_t srv_preferred_idx = UINT16_MAX;
469 size_t needed = 2;
470 uint16_t cipher_count;
471 const uint8_t *p;
472 uint8_t buf[4];
473 size_t i;
474
475 capabilities &= ~SMB2_CAP_ENCRYPTION;
476
477 if (in_cipher->data.length < needed) {
478 return smbd_smb2_request_error(req,
479 NT_STATUS_INVALID_PARAMETER);
480 }
481
482 cipher_count = SVAL(in_cipher->data.data, 0);
483 if (cipher_count == 0) {
484 return smbd_smb2_request_error(req,
485 NT_STATUS_INVALID_PARAMETER);
486 }
487
488 p = in_cipher->data.data + needed;
489 needed += cipher_count * 2;
490
491 if (in_cipher->data.length < needed) {
492 return smbd_smb2_request_error(req,
493 NT_STATUS_INVALID_PARAMETER);
494 }
495
496 for (i=0; i < cipher_count; i++) {
497 uint16_t si;
498 uint16_t v;
499
500 v = SVAL(p, 0);
501 p += 2;
502
503 for (si = 0; si < srv_ciphers->num_algos; si++) {
504 if (srv_ciphers->algos[si] != v) {
505 continue;
506 }
507
508 /*
509 * The server ciphers are listed
510 * with the lowest idx being preferred.
511 */
512 if (si < srv_preferred_idx) {
513 srv_preferred_idx = si;
514 }
515 break;
516 }
517 }
518
519 if (srv_preferred_idx != UINT16_MAX) {
520 xconn->smb2.server.cipher =
521 srv_ciphers->algos[srv_preferred_idx];
522 }
523
524 SSVAL(buf, 0, 1); /* ChiperCount */
525 SSVAL(buf, 2, xconn->smb2.server.cipher);
526
527 status = smb2_negotiate_context_add(
528 req,
529 &out_c,
530 SMB2_ENCRYPTION_CAPABILITIES,
531 buf,
532 sizeof(buf));
533 if (!NT_STATUS_IS_OK(status)) {
534 return smbd_smb2_request_error(req, status);
535 }
536 }
537
538 if (capabilities & SMB2_CAP_ENCRYPTION) {
539 xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
540 }
541
542 if (in_sign_algo != NULL) {
543 const struct smb3_signing_capabilities *srv_sign_algos =
544 &default_smb3_capabilities.signing;
545 uint16_t srv_preferred_idx = UINT16_MAX;
546 size_t needed = 2;
547 uint16_t sign_algo_count;
548 const uint8_t *p;
549 size_t i;
550
551 if (in_sign_algo->data.length < needed) {
552 return smbd_smb2_request_error(req,
553 NT_STATUS_INVALID_PARAMETER);
554 }
555
556 sign_algo_count = SVAL(in_sign_algo->data.data, 0);
557 if (sign_algo_count == 0) {
558 return smbd_smb2_request_error(req,
559 NT_STATUS_INVALID_PARAMETER);
560 }
561
562 p = in_sign_algo->data.data + needed;
563 needed += sign_algo_count * 2;
564
565 if (in_sign_algo->data.length < needed) {
566 return smbd_smb2_request_error(req,
567 NT_STATUS_INVALID_PARAMETER);
568 }
569
570 for (i=0; i < sign_algo_count; i++) {
571 uint16_t si;
572 uint16_t v;
573
574 v = SVAL(p, 0);
575 p += 2;
576
577 for (si = 0; si < srv_sign_algos->num_algos; si++) {
578 if (srv_sign_algos->algos[si] != v) {
579 continue;
580 }
581
582 /*
583 * The server sign_algos are listed
584 * with the lowest idx being preferred.
585 */
586 if (si < srv_preferred_idx) {
587 srv_preferred_idx = si;
588 }
589 break;
590 }
591 }
592
593 /*
594 * If we found a match announce it
595 * otherwise we'll keep the default
596 * of SMB2_SIGNING_AES128_CMAC
597 */
598 if (srv_preferred_idx != UINT16_MAX) {
599 uint8_t buf[4];
600
601 xconn->smb2.server.sign_algo =
602 srv_sign_algos->algos[srv_preferred_idx];
603
604 SSVAL(buf, 0, 1); /* SigningAlgorithmCount */
605 SSVAL(buf, 2, xconn->smb2.server.sign_algo);
606
607 status = smb2_negotiate_context_add(
608 req,
609 &out_c,
610 SMB2_SIGNING_CAPABILITIES,
611 buf,
612 sizeof(buf));
613 if (!NT_STATUS_IS_OK(status)) {
614 return smbd_smb2_request_error(req, status);
615 }
616 }
617 }
618
619 status = smb311_capabilities_check(&default_smb3_capabilities,
620 "smb2srv_negprot",
621 DBGLVL_NOTICE,
622 NT_STATUS_INVALID_PARAMETER,
623 "server",
624 protocol,
625 xconn->smb2.server.sign_algo,
626 xconn->smb2.server.cipher);
627 if (!NT_STATUS_IS_OK(status)) {
628 return smbd_smb2_request_error(req, status);
629 }
630
631 if (protocol >= PROTOCOL_SMB3_00 &&
632 xconn->client->server_multi_channel_enabled)
633 {
634 if (in_capabilities & SMB2_CAP_MULTI_CHANNEL) {
635 capabilities |= SMB2_CAP_MULTI_CHANNEL;
636 }
637 }
638
639 security_offset = SMB2_HDR_BODY + 0x40;
640
641 #if 1
642 /* Try SPNEGO auth... */
643 security_buffer = data_blob_const(negprot_spnego_blob.data + 16,
644 negprot_spnego_blob.length - 16);
645 #else
646 /* for now we want raw NTLMSSP */
647 security_buffer = data_blob_const(NULL, 0);
648 #endif
649
650 if (out_c.num_contexts != 0) {
651 status = smb2_negotiate_context_push(req,
652 &out_negotiate_context_blob,
653 out_c);
654 if (!NT_STATUS_IS_OK(status)) {
655 return smbd_smb2_request_error(req, status);
656 }
657 }
658
659 if (out_negotiate_context_blob.length != 0) {
660 static const uint8_t zeros[8];
661 size_t pad = 0;
662 size_t ofs;
663
664 outdyn = data_blob_dup_talloc(req, security_buffer);
665 if (outdyn.length != security_buffer.length) {
666 return smbd_smb2_request_error(req,
667 NT_STATUS_NO_MEMORY);
668 }
669
670 ofs = security_offset + security_buffer.length;
671 if ((ofs % 8) != 0) {
672 pad = 8 - (ofs % 8);
673 }
674 ofs += pad;
675
676 ok = data_blob_append(req, &outdyn, zeros, pad);
677 if (!ok) {
678 return smbd_smb2_request_error(req,
679 NT_STATUS_NO_MEMORY);
680 }
681
682 ok = data_blob_append(req, &outdyn,
683 out_negotiate_context_blob.data,
684 out_negotiate_context_blob.length);
685 if (!ok) {
686 return smbd_smb2_request_error(req,
687 NT_STATUS_NO_MEMORY);
688 }
689
690 out_negotiate_context_offset = ofs;
691 out_negotiate_context_count = out_c.num_contexts;
692 } else {
693 outdyn = security_buffer;
694 }
695
696 out_guid_blob = data_blob_const(negprot_spnego_blob.data, 16);
697 status = GUID_from_ndr_blob(&out_guid_blob, &out_guid);
698 if (!NT_STATUS_IS_OK(status)) {
699 return smbd_smb2_request_error(req, status);
700 }
701
702 outbody = smbd_smb2_generate_outbody(req, 0x40);
703 if (outbody.data == NULL) {
704 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
705 }
706
707 SSVAL(outbody.data, 0x00, 0x40 + 1); /* struct size */
708 SSVAL(outbody.data, 0x02,
709 security_mode); /* security mode */
710 SSVAL(outbody.data, 0x04, dialect); /* dialect revision */
711 SSVAL(outbody.data, 0x06,
712 out_negotiate_context_count); /* reserved/NegotiateContextCount */
713 memcpy(outbody.data + 0x08,
714 out_guid_blob.data, 16); /* server guid */
715 SIVAL(outbody.data, 0x18,
716 capabilities); /* capabilities */
717 SIVAL(outbody.data, 0x1C, max_trans); /* max transact size */
718 SIVAL(outbody.data, 0x20, max_read); /* max read size */
719 SIVAL(outbody.data, 0x24, max_write); /* max write size */
720 SBVAL(outbody.data, 0x28, now); /* system time */
721 SBVAL(outbody.data, 0x30, 0); /* server start time */
722 SSVAL(outbody.data, 0x38,
723 security_offset); /* security buffer offset */
724 SSVAL(outbody.data, 0x3A,
725 security_buffer.length); /* security buffer length */
726 SIVAL(outbody.data, 0x3C,
727 out_negotiate_context_offset); /* reserved/NegotiateContextOffset */
728
729 req->sconn->using_smb2 = true;
730
731 if (dialect == SMB2_DIALECT_REVISION_2FF) {
732 return smbd_smb2_request_done(req, outbody, &outdyn);
733 }
734
735 status = smbXsrv_connection_init_tables(xconn, protocol);
736 if (!NT_STATUS_IS_OK(status)) {
737 return smbd_smb2_request_error(req, status);
738 }
739
740 xconn->smb2.client.capabilities = in_capabilities;
741 xconn->smb2.client.security_mode = in_security_mode;
742 xconn->smb2.client.guid = in_guid;
743 xconn->smb2.client.num_dialects = dialect_count;
744 xconn->smb2.client.dialects = talloc_array(xconn,
745 uint16_t,
746 dialect_count);
747 if (xconn->smb2.client.dialects == NULL) {
748 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
749 }
750 for (c=0; c < dialect_count; c++) {
751 xconn->smb2.client.dialects[c] = SVAL(indyn, c*2);
752 }
753
754 xconn->smb2.server.capabilities = capabilities;
755 xconn->smb2.server.security_mode = security_mode;
756 xconn->smb2.server.guid = out_guid;
757 xconn->smb2.server.dialect = dialect;
758 xconn->smb2.server.max_trans = max_trans;
759 xconn->smb2.server.max_read = max_read;
760 xconn->smb2.server.max_write = max_write;
761
762 if (xconn->protocol < PROTOCOL_SMB2_10) {
763 /*
764 * SMB2_02 doesn't support client guids
765 */
766 return smbd_smb2_request_done(req, outbody, &outdyn);
767 }
768
769 if (!xconn->client->server_multi_channel_enabled) {
770 /*
771 * Only deal with the client guid database
772 * if multi-channel is enabled.
773 *
774 * But we still need to setup
775 * xconn->client->global->client_guid to
776 * the correct value.
777 */
778 xconn->client->global->client_guid =
779 xconn->smb2.client.guid;
780 return smbd_smb2_request_done(req, outbody, &outdyn);
781 }
782
783 if (xconn->smb2.client.guid_verified) {
784 /*
785 * The connection was passed from another
786 * smbd process.
787 */
788 return smbd_smb2_request_done(req, outbody, &outdyn);
789 }
790
791 state = talloc_zero(req, struct smbd_smb2_request_process_negprot_state);
792 if (state == NULL) {
793 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
794 }
795 *state = (struct smbd_smb2_request_process_negprot_state) {
796 .req = req,
797 .outbody = outbody,
798 .outdyn = outdyn,
799 };
800
801 subreq = smb2srv_client_mc_negprot_send(state,
802 req->xconn->client->raw_ev_ctx,
803 req);
804 if (subreq == NULL) {
805 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
806 }
807 tevent_req_set_callback(subreq,
808 smbd_smb2_request_process_negprot_mc_done,
809 state);
810 return NT_STATUS_OK;
811 }
812
813 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq)
814 {
815 struct smbd_smb2_request_process_negprot_state *state =
816 tevent_req_callback_data(subreq,
817 struct smbd_smb2_request_process_negprot_state);
818 struct smbd_smb2_request *req = state->req;
819 struct smbXsrv_connection *xconn = req->xconn;
820 NTSTATUS status;
821
822 status = smb2srv_client_mc_negprot_recv(subreq);
823 TALLOC_FREE(subreq);
824 if (NT_STATUS_EQUAL(status, NT_STATUS_MESSAGE_RETRIEVED)) {
825 /*
826 * The connection was passed to another process
827 */
828 smbd_server_connection_terminate(xconn,
829 "passed connection");
830 /*
831 * smbd_server_connection_terminate() should not return!
832 */
833 smb_panic(__location__);
834 return;
835 }
836 if (!NT_STATUS_IS_OK(status)) {
837 status = smbd_smb2_request_error(req, status);
838 if (NT_STATUS_IS_OK(status)) {
839 return;
840 }
841
842 /*
843 * The connection was passed to another process
844 */
845 smbd_server_connection_terminate(xconn, nt_errstr(status));
846 /*
847 * smbd_server_connection_terminate() should not return!
848 */
849 smb_panic(__location__);
850 return;
851 }
852
853 /*
854 * We're the first connection...
855 */
856 status = smbd_smb2_request_done(req, state->outbody, &state->outdyn);
857 if (NT_STATUS_IS_OK(status)) {
858 return;
859 }
860
861 /*
862 * The connection was passed to another process
863 */
864 smbd_server_connection_terminate(xconn, nt_errstr(status));
865 /*
866 * smbd_server_connection_terminate() should not return!
867 */
868 smb_panic(__location__);
869 return;
870 }
Samba GIT mirror