search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
idmap: unify passdb *id_to_sid methods
[Samba.git] / libcli / smb / smbXcli_base.c
bloba3a7ecb801cf4dfb3339e3f47395d3dd2a7962da
1 /*
2 Unix SMB/CIFS implementation.
3 Infrastructure for async SMB client requests
4 Copyright (C) Volker Lendecke 2008
5 Copyright (C) Stefan Metzmacher 2011
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "system/network.h"
23 #include "../lib/async_req/async_sock.h"
24 #include "../lib/util/tevent_ntstatus.h"
25 #include "../lib/util/tevent_unix.h"
26 #include "lib/util/util_net.h"
27 #include "lib/util/dlinklist.h"
28 #include "../libcli/smb/smb_common.h"
29 #include "../libcli/smb/smb_seal.h"
30 #include "../libcli/smb/smb_signing.h"
31 #include "../libcli/smb/read_smb.h"
32 #include "smbXcli_base.h"
33 #include "librpc/ndr/libndr.h"
34 #include "libcli/smb/smb2_negotiate_context.h"
35 #include "lib/crypto/sha512.h"
36
37 struct smbXcli_conn;
38 struct smbXcli_req;
39 struct smbXcli_session;
40 struct smbXcli_tcon;
41
42 struct smbXcli_conn {
43 int read_fd;
44 int write_fd;
45 struct sockaddr_storage local_ss;
46 struct sockaddr_storage remote_ss;
47 const char *remote_name;
48
49 struct tevent_queue *outgoing;
50 struct tevent_req **pending;
51 struct tevent_req *read_smb_req;
52
53 enum protocol_types min_protocol;
54 enum protocol_types max_protocol;
55 enum protocol_types protocol;
56 bool allow_signing;
57 bool desire_signing;
58 bool mandatory_signing;
59
60 /*
61 * The incoming dispatch function should return:
62 * - NT_STATUS_RETRY, if more incoming PDUs are expected.
63 * - NT_STATUS_OK, if no more processing is desired, e.g.
64 * the dispatch function called
65 * tevent_req_done().
66 * - All other return values disconnect the connection.
67 */
68 NTSTATUS (*dispatch_incoming)(struct smbXcli_conn *conn,
69 TALLOC_CTX *tmp_mem,
70 uint8_t *inbuf);
71
72 struct {
73 struct {
74 uint32_t capabilities;
75 uint32_t max_xmit;
76 } client;
77
78 struct {
79 uint32_t capabilities;
80 uint32_t max_xmit;
81 uint16_t max_mux;
82 uint16_t security_mode;
83 bool readbraw;
84 bool writebraw;
85 bool lockread;
86 bool writeunlock;
87 uint32_t session_key;
88 struct GUID guid;
89 DATA_BLOB gss_blob;
90 uint8_t challenge[8];
91 const char *workgroup;
92 const char *name;
93 int time_zone;
94 NTTIME system_time;
95 } server;
96
97 uint32_t capabilities;
98 uint32_t max_xmit;
99
100 uint16_t mid;
101
102 struct smb_signing_state *signing;
103 struct smb_trans_enc_state *trans_enc;
104
105 struct tevent_req *read_braw_req;
106 } smb1;
107
108 struct {
109 struct {
110 uint32_t capabilities;
111 uint16_t security_mode;
112 struct GUID guid;
113 } client;
114
115 struct {
116 uint32_t capabilities;
117 uint16_t security_mode;
118 struct GUID guid;
119 uint32_t max_trans_size;
120 uint32_t max_read_size;
121 uint32_t max_write_size;
122 NTTIME system_time;
123 NTTIME start_time;
124 DATA_BLOB gss_blob;
125 uint16_t cipher;
126 } server;
127
128 uint64_t mid;
129 uint16_t cur_credits;
130 uint16_t max_credits;
131
132 uint8_t preauth_sha512[64];
133 } smb2;
134
135 struct smbXcli_session *sessions;
136 };
137
138 struct smb2cli_session {
139 uint64_t session_id;
140 uint16_t session_flags;
141 DATA_BLOB application_key;
142 DATA_BLOB signing_key;
143 bool should_sign;
144 bool should_encrypt;
145 DATA_BLOB encryption_key;
146 DATA_BLOB decryption_key;
147 uint64_t nonce_high;
148 uint64_t nonce_low;
149 uint16_t channel_sequence;
150 bool replay_active;
151 };
152
153 struct smbXcli_session {
154 struct smbXcli_session *prev, *next;
155 struct smbXcli_conn *conn;
156
157 struct {
158 uint16_t session_id;
159 DATA_BLOB application_key;
160 bool protected_key;
161 } smb1;
162
163 struct smb2cli_session *smb2;
164
165 struct {
166 DATA_BLOB signing_key;
167 uint8_t preauth_sha512[64];
168 } smb2_channel;
169
170 /*
171 * this should be a short term hack
172 * until the upper layers have implemented
173 * re-authentication.
174 */
175 bool disconnect_expired;
176 };
177
178 struct smbXcli_tcon {
179 bool is_smb1;
180 uint32_t fs_attributes;
181
182 struct {
183 uint16_t tcon_id;
184 uint16_t optional_support;
185 uint32_t maximal_access;
186 uint32_t guest_maximal_access;
187 char *service;
188 char *fs_type;
189 } smb1;
190
191 struct {
192 uint32_t tcon_id;
193 uint8_t type;
194 uint32_t flags;
195 uint32_t capabilities;
196 uint32_t maximal_access;
197 bool should_sign;
198 bool should_encrypt;
199 } smb2;
200 };
201
202 struct smbXcli_req_state {
203 struct tevent_context *ev;
204 struct smbXcli_conn *conn;
205 struct smbXcli_session *session; /* maybe NULL */
206 struct smbXcli_tcon *tcon; /* maybe NULL */
207
208 uint8_t length_hdr[4];
209
210 bool one_way;
211
212 uint8_t *inbuf;
213
214 struct {
215 /* Space for the header including the wct */
216 uint8_t hdr[HDR_VWV];
217
218 /*
219 * For normal requests, smb1cli_req_send chooses a mid.
220 * SecondaryV trans requests need to use the mid of the primary
221 * request, so we need a place to store it.
222 * Assume it is set if != 0.
223 */
224 uint16_t mid;
225
226 uint16_t *vwv;
227 uint8_t bytecount_buf[2];
228
229 #define MAX_SMB_IOV 10
230 /* length_hdr, hdr, words, byte_count, buffers */
231 struct iovec iov[1 + 3 + MAX_SMB_IOV];
232 int iov_count;
233
234 bool one_way_seqnum;
235 uint32_t seqnum;
236 struct tevent_req **chained_requests;
237
238 uint8_t recv_cmd;
239 NTSTATUS recv_status;
240 /* always an array of 3 talloc elements */
241 struct iovec *recv_iov;
242 } smb1;
243
244 struct {
245 const uint8_t *fixed;
246 uint16_t fixed_len;
247 const uint8_t *dyn;
248 uint32_t dyn_len;
249
250 uint8_t transform[SMB2_TF_HDR_SIZE];
251 uint8_t hdr[SMB2_HDR_BODY];
252 uint8_t pad[7]; /* padding space for compounding */
253
254 /*
255 * always an array of 3 talloc elements
256 * (without a SMB2_TRANSFORM header!)
257 *
258 * HDR, BODY, DYN
259 */
260 struct iovec *recv_iov;
261
262 /*
263 * the expected max for the response dyn_len
264 */
265 uint32_t max_dyn_len;
266
267 uint16_t credit_charge;
268
269 bool should_sign;
270 bool should_encrypt;
271 uint64_t encryption_session_id;
272
273 bool signing_skipped;
274 bool notify_async;
275 bool got_async;
276 } smb2;
277 };
278
279 static int smbXcli_conn_destructor(struct smbXcli_conn *conn)
280 {
281 /*
282 * NT_STATUS_OK, means we do not notify the callers
283 */
284 smbXcli_conn_disconnect(conn, NT_STATUS_OK);
285
286 while (conn->sessions) {
287 conn->sessions->conn = NULL;
288 DLIST_REMOVE(conn->sessions, conn->sessions);
289 }
290
291 if (conn->smb1.trans_enc) {
292 TALLOC_FREE(conn->smb1.trans_enc);
293 }
294
295 return 0;
296 }
297
298 struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
299 int fd,
300 const char *remote_name,
301 enum smb_signing_setting signing_state,
302 uint32_t smb1_capabilities,
303 struct GUID *client_guid,
304 uint32_t smb2_capabilities)
305 {
306 struct smbXcli_conn *conn = NULL;
307 void *ss = NULL;
308 struct sockaddr *sa = NULL;
309 socklen_t sa_length;
310 int ret;
311
312 conn = talloc_zero(mem_ctx, struct smbXcli_conn);
313 if (!conn) {
314 return NULL;
315 }
316
317 conn->read_fd = fd;
318 conn->write_fd = dup(fd);
319 if (conn->write_fd == -1) {
320 goto error;
321 }
322
323 conn->remote_name = talloc_strdup(conn, remote_name);
324 if (conn->remote_name == NULL) {
325 goto error;
326 }
327
328
329 ss = (void *)&conn->local_ss;
330 sa = (struct sockaddr *)ss;
331 sa_length = sizeof(conn->local_ss);
332 ret = getsockname(fd, sa, &sa_length);
333 if (ret == -1) {
334 goto error;
335 }
336 ss = (void *)&conn->remote_ss;
337 sa = (struct sockaddr *)ss;
338 sa_length = sizeof(conn->remote_ss);
339 ret = getpeername(fd, sa, &sa_length);
340 if (ret == -1) {
341 goto error;
342 }
343
344 conn->outgoing = tevent_queue_create(conn, "smbXcli_outgoing");
345 if (conn->outgoing == NULL) {
346 goto error;
347 }
348 conn->pending = NULL;
349
350 conn->min_protocol = PROTOCOL_NONE;
351 conn->max_protocol = PROTOCOL_NONE;
352 conn->protocol = PROTOCOL_NONE;
353
354 switch (signing_state) {
355 case SMB_SIGNING_OFF:
356 /* never */
357 conn->allow_signing = false;
358 conn->desire_signing = false;
359 conn->mandatory_signing = false;
360 break;
361 case SMB_SIGNING_DEFAULT:
362 case SMB_SIGNING_IF_REQUIRED:
363 /* if the server requires it */
364 conn->allow_signing = true;
365 conn->desire_signing = false;
366 conn->mandatory_signing = false;
367 break;
368 case SMB_SIGNING_REQUIRED:
369 /* always */
370 conn->allow_signing = true;
371 conn->desire_signing = true;
372 conn->mandatory_signing = true;
373 break;
374 }
375
376 conn->smb1.client.capabilities = smb1_capabilities;
377 conn->smb1.client.max_xmit = UINT16_MAX;
378
379 conn->smb1.capabilities = conn->smb1.client.capabilities;
380 conn->smb1.max_xmit = 1024;
381
382 conn->smb1.mid = 1;
383
384 /* initialise signing */
385 conn->smb1.signing = smb_signing_init(conn,
386 conn->allow_signing,
387 conn->desire_signing,
388 conn->mandatory_signing);
389 if (!conn->smb1.signing) {
390 goto error;
391 }
392
393 conn->smb2.client.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
394 if (conn->mandatory_signing) {
395 conn->smb2.client.security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
396 }
397 if (client_guid) {
398 conn->smb2.client.guid = *client_guid;
399 }
400 conn->smb2.client.capabilities = smb2_capabilities;
401
402 conn->smb2.cur_credits = 1;
403 conn->smb2.max_credits = 0;
404
405 talloc_set_destructor(conn, smbXcli_conn_destructor);
406 return conn;
407
408 error:
409 if (conn->write_fd != -1) {
410 close(conn->write_fd);
411 }
412 TALLOC_FREE(conn);
413 return NULL;
414 }
415
416 bool smbXcli_conn_is_connected(struct smbXcli_conn *conn)
417 {
418 if (conn == NULL) {
419 return false;
420 }
421
422 if (conn->read_fd == -1) {
423 return false;
424 }
425
426 return true;
427 }
428
429 enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn)
430 {
431 return conn->protocol;
432 }
433
434 bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
435 {
436 if (conn->protocol >= PROTOCOL_SMB2_02) {
437 return true;
438 }
439
440 if (conn->smb1.capabilities & CAP_UNICODE) {
441 return true;
442 }
443
444 return false;
445 }
446
447 void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
448 {
449 set_socket_options(conn->read_fd, options);
450 }
451
452 const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn)
453 {
454 return &conn->local_ss;
455 }
456
457 const struct sockaddr_storage *smbXcli_conn_remote_sockaddr(struct smbXcli_conn *conn)
458 {
459 return &conn->remote_ss;
460 }
461
462 const char *smbXcli_conn_remote_name(struct smbXcli_conn *conn)
463 {
464 return conn->remote_name;
465 }
466
467 uint16_t smbXcli_conn_max_requests(struct smbXcli_conn *conn)
468 {
469 if (conn->protocol >= PROTOCOL_SMB2_02) {
470 /*
471 * TODO...
472 */
473 return 1;
474 }
475
476 return conn->smb1.server.max_mux;
477 }
478
479 NTTIME smbXcli_conn_server_system_time(struct smbXcli_conn *conn)
480 {
481 if (conn->protocol >= PROTOCOL_SMB2_02) {
482 return conn->smb2.server.system_time;
483 }
484
485 return conn->smb1.server.system_time;
486 }
487
488 const DATA_BLOB *smbXcli_conn_server_gss_blob(struct smbXcli_conn *conn)
489 {
490 if (conn->protocol >= PROTOCOL_SMB2_02) {
491 return &conn->smb2.server.gss_blob;
492 }
493
494 return &conn->smb1.server.gss_blob;
495 }
496
497 const struct GUID *smbXcli_conn_server_guid(struct smbXcli_conn *conn)
498 {
499 if (conn->protocol >= PROTOCOL_SMB2_02) {
500 return &conn->smb2.server.guid;
501 }
502
503 return &conn->smb1.server.guid;
504 }
505
506 struct smbXcli_conn_samba_suicide_state {
507 struct smbXcli_conn *conn;
508 struct iovec iov;
509 uint8_t buf[9];
510 };
511
512 static void smbXcli_conn_samba_suicide_done(struct tevent_req *subreq);
513
514 struct tevent_req *smbXcli_conn_samba_suicide_send(TALLOC_CTX *mem_ctx,
515 struct tevent_context *ev,
516 struct smbXcli_conn *conn,
517 uint8_t exitcode)
518 {
519 struct tevent_req *req, *subreq;
520 struct smbXcli_conn_samba_suicide_state *state;
521
522 req = tevent_req_create(mem_ctx, &state,
523 struct smbXcli_conn_samba_suicide_state);
524 if (req == NULL) {
525 return NULL;
526 }
527 state->conn = conn;
528 SIVAL(state->buf, 4, 0x74697865);
529 SCVAL(state->buf, 8, exitcode);
530 _smb_setlen_nbt(state->buf, sizeof(state->buf)-4);
531
532 state->iov.iov_base = state->buf;
533 state->iov.iov_len = sizeof(state->buf);
534
535 subreq = writev_send(state, ev, conn->outgoing, conn->write_fd,
536 false, &state->iov, 1);
537 if (tevent_req_nomem(subreq, req)) {
538 return tevent_req_post(req, ev);
539 }
540 tevent_req_set_callback(subreq, smbXcli_conn_samba_suicide_done, req);
541 return req;
542 }
543
544 static void smbXcli_conn_samba_suicide_done(struct tevent_req *subreq)
545 {
546 struct tevent_req *req = tevent_req_callback_data(
547 subreq, struct tevent_req);
548 struct smbXcli_conn_samba_suicide_state *state = tevent_req_data(
549 req, struct smbXcli_conn_samba_suicide_state);
550 ssize_t nwritten;
551 int err;
552
553 nwritten = writev_recv(subreq, &err);
554 TALLOC_FREE(subreq);
555 if (nwritten == -1) {
556 NTSTATUS status = map_nt_error_from_unix_common(err);
557 smbXcli_conn_disconnect(state->conn, status);
558 return;
559 }
560 tevent_req_done(req);
561 }
562
563 NTSTATUS smbXcli_conn_samba_suicide_recv(struct tevent_req *req)
564 {
565 return tevent_req_simple_recv_ntstatus(req);
566 }
567
568 NTSTATUS smbXcli_conn_samba_suicide(struct smbXcli_conn *conn,
569 uint8_t exitcode)
570 {
571 TALLOC_CTX *frame = talloc_stackframe();
572 struct tevent_context *ev;
573 struct tevent_req *req;
574 NTSTATUS status = NT_STATUS_NO_MEMORY;
575 bool ok;
576
577 if (smbXcli_conn_has_async_calls(conn)) {
578 /*
579 * Can't use sync call while an async call is in flight
580 */
581 status = NT_STATUS_INVALID_PARAMETER_MIX;
582 goto fail;
583 }
584 ev = samba_tevent_context_init(frame);
585 if (ev == NULL) {
586 goto fail;
587 }
588 req = smbXcli_conn_samba_suicide_send(frame, ev, conn, exitcode);
589 if (req == NULL) {
590 goto fail;
591 }
592 ok = tevent_req_poll(req, ev);
593 if (!ok) {
594 status = map_nt_error_from_unix_common(errno);
595 goto fail;
596 }
597 status = smbXcli_conn_samba_suicide_recv(req);
598 fail:
599 TALLOC_FREE(frame);
600 return status;
601 }
602
603 uint32_t smb1cli_conn_capabilities(struct smbXcli_conn *conn)
604 {
605 return conn->smb1.capabilities;
606 }
607
608 uint32_t smb1cli_conn_max_xmit(struct smbXcli_conn *conn)
609 {
610 return conn->smb1.max_xmit;
611 }
612
613 bool smb1cli_conn_req_possible(struct smbXcli_conn *conn)
614 {
615 size_t pending;
616 uint16_t possible = conn->smb1.server.max_mux;
617
618 pending = tevent_queue_length(conn->outgoing);
619 if (pending >= possible) {
620 return false;
621 }
622 pending += talloc_array_length(conn->pending);
623 if (pending >= possible) {
624 return false;
625 }
626
627 return true;
628 }
629
630 uint32_t smb1cli_conn_server_session_key(struct smbXcli_conn *conn)
631 {
632 return conn->smb1.server.session_key;
633 }
634
635 const uint8_t *smb1cli_conn_server_challenge(struct smbXcli_conn *conn)
636 {
637 return conn->smb1.server.challenge;
638 }
639
640 uint16_t smb1cli_conn_server_security_mode(struct smbXcli_conn *conn)
641 {
642 return conn->smb1.server.security_mode;
643 }
644
645 bool smb1cli_conn_server_readbraw(struct smbXcli_conn *conn)
646 {
647 return conn->smb1.server.readbraw;
648 }
649
650 bool smb1cli_conn_server_writebraw(struct smbXcli_conn *conn)
651 {
652 return conn->smb1.server.writebraw;
653 }
654
655 bool smb1cli_conn_server_lockread(struct smbXcli_conn *conn)
656 {
657 return conn->smb1.server.lockread;
658 }
659
660 bool smb1cli_conn_server_writeunlock(struct smbXcli_conn *conn)
661 {
662 return conn->smb1.server.writeunlock;
663 }
664
665 int smb1cli_conn_server_time_zone(struct smbXcli_conn *conn)
666 {
667 return conn->smb1.server.time_zone;
668 }
669
670 bool smb1cli_conn_activate_signing(struct smbXcli_conn *conn,
671 const DATA_BLOB user_session_key,
672 const DATA_BLOB response)
673 {
674 return smb_signing_activate(conn->smb1.signing,
675 user_session_key,
676 response);
677 }
678
679 bool smb1cli_conn_check_signing(struct smbXcli_conn *conn,
680 const uint8_t *buf, uint32_t seqnum)
681 {
682 const uint8_t *hdr = buf + NBT_HDR_SIZE;
683 size_t len = smb_len_nbt(buf);
684
685 return smb_signing_check_pdu(conn->smb1.signing, hdr, len, seqnum);
686 }
687
688 bool smb1cli_conn_signing_is_active(struct smbXcli_conn *conn)
689 {
690 return smb_signing_is_active(conn->smb1.signing);
691 }
692
693 void smb1cli_conn_set_encryption(struct smbXcli_conn *conn,
694 struct smb_trans_enc_state *es)
695 {
696 /* Replace the old state, if any. */
697 if (conn->smb1.trans_enc) {
698 TALLOC_FREE(conn->smb1.trans_enc);
699 }
700 conn->smb1.trans_enc = es;
701 }
702
703 bool smb1cli_conn_encryption_on(struct smbXcli_conn *conn)
704 {
705 return common_encryption_on(conn->smb1.trans_enc);
706 }
707
708
709 static NTSTATUS smb1cli_pull_raw_error(const uint8_t *hdr)
710 {
711 uint32_t flags2 = SVAL(hdr, HDR_FLG2);
712 NTSTATUS status = NT_STATUS(IVAL(hdr, HDR_RCLS));
713
714 if (NT_STATUS_IS_OK(status)) {
715 return NT_STATUS_OK;
716 }
717
718 if (flags2 & FLAGS2_32_BIT_ERROR_CODES) {
719 return status;
720 }
721
722 return NT_STATUS_DOS(CVAL(hdr, HDR_RCLS), SVAL(hdr, HDR_ERR));
723 }
724
725 /**
726 * Is the SMB command able to hold an AND_X successor
727 * @param[in] cmd The SMB command in question
728 * @retval Can we add a chained request after "cmd"?
729 */
730 bool smb1cli_is_andx_req(uint8_t cmd)
731 {
732 switch (cmd) {
733 case SMBtconX:
734 case SMBlockingX:
735 case SMBopenX:
736 case SMBreadX:
737 case SMBwriteX:
738 case SMBsesssetupX:
739 case SMBulogoffX:
740 case SMBntcreateX:
741 return true;
742 break;
743 default:
744 break;
745 }
746
747 return false;
748 }
749
750 static uint16_t smb1cli_alloc_mid(struct smbXcli_conn *conn)
751 {
752 size_t num_pending = talloc_array_length(conn->pending);
753 uint16_t result;
754
755 if (conn->protocol == PROTOCOL_NONE) {
756 /*
757 * This is what windows sends on the SMB1 Negprot request
758 * and some vendors reuse the SMB1 MID as SMB2 sequence number.
759 */
760 return 0;
761 }
762
763 while (true) {
764 size_t i;
765
766 result = conn->smb1.mid++;
767 if ((result == 0) || (result == 0xffff)) {
768 continue;
769 }
770
771 for (i=0; i<num_pending; i++) {
772 if (result == smb1cli_req_mid(conn->pending[i])) {
773 break;
774 }
775 }
776
777 if (i == num_pending) {
778 return result;
779 }
780 }
781 }
782
783 void smbXcli_req_unset_pending(struct tevent_req *req)
784 {
785 struct smbXcli_req_state *state =
786 tevent_req_data(req,
787 struct smbXcli_req_state);
788 struct smbXcli_conn *conn = state->conn;
789 size_t num_pending = talloc_array_length(conn->pending);
790 size_t i;
791
792 if (state->smb1.mid != 0) {
793 /*
794 * This is a [nt]trans[2] request which waits
795 * for more than one reply.
796 */
797 return;
798 }
799
800 tevent_req_set_cleanup_fn(req, NULL);
801
802 if (num_pending == 1) {
803 /*
804 * The pending read_smb tevent_req is a child of
805 * conn->pending. So if nothing is pending anymore, we need to
806 * delete the socket read fde.
807 */
808 TALLOC_FREE(conn->pending);
809 conn->read_smb_req = NULL;
810 return;
811 }
812
813 for (i=0; i<num_pending; i++) {
814 if (req == conn->pending[i]) {
815 break;
816 }
817 }
818 if (i == num_pending) {
819 /*
820 * Something's seriously broken. Just returning here is the
821 * right thing nevertheless, the point of this routine is to
822 * remove ourselves from conn->pending.
823 */
824 return;
825 }
826
827 /*
828 * Remove ourselves from the conn->pending array
829 */
830 for (; i < (num_pending - 1); i++) {
831 conn->pending[i] = conn->pending[i+1];
832 }
833
834 /*
835 * No NULL check here, we're shrinking by sizeof(void *), and
836 * talloc_realloc just adjusts the size for this.
837 */
838 conn->pending = talloc_realloc(NULL, conn->pending, struct tevent_req *,
839 num_pending - 1);
840 return;
841 }
842
843 static void smbXcli_req_cleanup(struct tevent_req *req,
844 enum tevent_req_state req_state)
845 {
846 struct smbXcli_req_state *state =
847 tevent_req_data(req,
848 struct smbXcli_req_state);
849
850 switch (req_state) {
851 case TEVENT_REQ_RECEIVED:
852 /*
853 * Make sure we really remove it from
854 * the pending array on destruction.
855 */
856 state->smb1.mid = 0;
857 smbXcli_req_unset_pending(req);
858 return;
859 default:
860 return;
861 }
862 }
863
864 static bool smb1cli_req_cancel(struct tevent_req *req);
865 static bool smb2cli_req_cancel(struct tevent_req *req);
866
867 static bool smbXcli_req_cancel(struct tevent_req *req)
868 {
869 struct smbXcli_req_state *state =
870 tevent_req_data(req,
871 struct smbXcli_req_state);
872
873 if (!smbXcli_conn_is_connected(state->conn)) {
874 return false;
875 }
876
877 if (state->conn->protocol == PROTOCOL_NONE) {
878 return false;
879 }
880
881 if (state->conn->protocol >= PROTOCOL_SMB2_02) {
882 return smb2cli_req_cancel(req);
883 }
884
885 return smb1cli_req_cancel(req);
886 }
887
888 static bool smbXcli_conn_receive_next(struct smbXcli_conn *conn);
889
890 bool smbXcli_req_set_pending(struct tevent_req *req)
891 {
892 struct smbXcli_req_state *state =
893 tevent_req_data(req,
894 struct smbXcli_req_state);
895 struct smbXcli_conn *conn;
896 struct tevent_req **pending;
897 size_t num_pending;
898
899 conn = state->conn;
900
901 if (!smbXcli_conn_is_connected(conn)) {
902 return false;
903 }
904
905 num_pending = talloc_array_length(conn->pending);
906
907 pending = talloc_realloc(conn, conn->pending, struct tevent_req *,
908 num_pending+1);
909 if (pending == NULL) {
910 return false;
911 }
912 pending[num_pending] = req;
913 conn->pending = pending;
914 tevent_req_set_cleanup_fn(req, smbXcli_req_cleanup);
915 tevent_req_set_cancel_fn(req, smbXcli_req_cancel);
916
917 if (!smbXcli_conn_receive_next(conn)) {
918 /*
919 * the caller should notify the current request
920 *
921 * And all other pending requests get notified
922 * by smbXcli_conn_disconnect().
923 */
924 smbXcli_req_unset_pending(req);
925 smbXcli_conn_disconnect(conn, NT_STATUS_NO_MEMORY);
926 return false;
927 }
928
929 return true;
930 }
931
932 static void smbXcli_conn_received(struct tevent_req *subreq);
933
934 static bool smbXcli_conn_receive_next(struct smbXcli_conn *conn)
935 {
936 size_t num_pending = talloc_array_length(conn->pending);
937 struct tevent_req *req;
938 struct smbXcli_req_state *state;
939
940 if (conn->read_smb_req != NULL) {
941 return true;
942 }
943
944 if (num_pending == 0) {
945 if (conn->smb2.mid < UINT64_MAX) {
946 /* no more pending requests, so we are done for now */
947 return true;
948 }
949
950 /*
951 * If there are no more SMB2 requests possible,
952 * because we are out of message ids,
953 * we need to disconnect.
954 */
955 smbXcli_conn_disconnect(conn, NT_STATUS_CONNECTION_ABORTED);
956 return true;
957 }
958
959 req = conn->pending[0];
960 state = tevent_req_data(req, struct smbXcli_req_state);
961
962 /*
963 * We're the first ones, add the read_smb request that waits for the
964 * answer from the server
965 */
966 conn->read_smb_req = read_smb_send(conn->pending,
967 state->ev,
968 conn->read_fd);
969 if (conn->read_smb_req == NULL) {
970 return false;
971 }
972 tevent_req_set_callback(conn->read_smb_req, smbXcli_conn_received, conn);
973 return true;
974 }
975
976 void smbXcli_conn_disconnect(struct smbXcli_conn *conn, NTSTATUS status)
977 {
978 struct smbXcli_session *session;
979
980 tevent_queue_stop(conn->outgoing);
981
982 if (conn->read_fd != -1) {
983 close(conn->read_fd);
984 }
985 if (conn->write_fd != -1) {
986 close(conn->write_fd);
987 }
988 conn->read_fd = -1;
989 conn->write_fd = -1;
990
991 session = conn->sessions;
992 if (talloc_array_length(conn->pending) == 0) {
993 /*
994 * if we do not have pending requests
995 * there is no need to update the channel_sequence
996 */
997 session = NULL;
998 }
999 for (; session; session = session->next) {
1000 smb2cli_session_increment_channel_sequence(session);
1001 }
1002
1003 /*
1004 * Cancel all pending requests. We do not do a for-loop walking
1005 * conn->pending because that array changes in
1006 * smbXcli_req_unset_pending.
1007 */
1008 while (talloc_array_length(conn->pending) > 0) {
1009 struct tevent_req *req;
1010 struct smbXcli_req_state *state;
1011 struct tevent_req **chain;
1012 size_t num_chained;
1013 size_t i;
1014
1015 req = conn->pending[0];
1016 state = tevent_req_data(req, struct smbXcli_req_state);
1017
1018 if (state->smb1.chained_requests == NULL) {
1019 /*
1020 * We're dead. No point waiting for trans2
1021 * replies.
1022 */
1023 state->smb1.mid = 0;
1024
1025 smbXcli_req_unset_pending(req);
1026
1027 if (NT_STATUS_IS_OK(status)) {
1028 /* do not notify the callers */
1029 continue;
1030 }
1031
1032 /*
1033 * we need to defer the callback, because we may notify
1034 * more then one caller.
1035 */
1036 tevent_req_defer_callback(req, state->ev);
1037 tevent_req_nterror(req, status);
1038 continue;
1039 }
1040
1041 chain = talloc_move(conn, &state->smb1.chained_requests);
1042 num_chained = talloc_array_length(chain);
1043
1044 for (i=0; i<num_chained; i++) {
1045 req = chain[i];
1046 state = tevent_req_data(req, struct smbXcli_req_state);
1047
1048 /*
1049 * We're dead. No point waiting for trans2
1050 * replies.
1051 */
1052 state->smb1.mid = 0;
1053
1054 smbXcli_req_unset_pending(req);
1055
1056 if (NT_STATUS_IS_OK(status)) {
1057 /* do not notify the callers */
1058 continue;
1059 }
1060
1061 /*
1062 * we need to defer the callback, because we may notify
1063 * more than one caller.
1064 */
1065 tevent_req_defer_callback(req, state->ev);
1066 tevent_req_nterror(req, status);
1067 }
1068 TALLOC_FREE(chain);
1069 }
1070 }
1071
1072 /*
1073 * Fetch a smb request's mid. Only valid after the request has been sent by
1074 * smb1cli_req_send().
1075 */
1076 uint16_t smb1cli_req_mid(struct tevent_req *req)
1077 {
1078 struct smbXcli_req_state *state =
1079 tevent_req_data(req,
1080 struct smbXcli_req_state);
1081
1082 if (state->smb1.mid != 0) {
1083 return state->smb1.mid;
1084 }
1085
1086 return SVAL(state->smb1.hdr, HDR_MID);
1087 }
1088
1089 void smb1cli_req_set_mid(struct tevent_req *req, uint16_t mid)
1090 {
1091 struct smbXcli_req_state *state =
1092 tevent_req_data(req,
1093 struct smbXcli_req_state);
1094
1095 state->smb1.mid = mid;
1096 }
1097
1098 uint32_t smb1cli_req_seqnum(struct tevent_req *req)
1099 {
1100 struct smbXcli_req_state *state =
1101 tevent_req_data(req,
1102 struct smbXcli_req_state);
1103
1104 return state->smb1.seqnum;
1105 }
1106
1107 void smb1cli_req_set_seqnum(struct tevent_req *req, uint32_t seqnum)
1108 {
1109 struct smbXcli_req_state *state =
1110 tevent_req_data(req,
1111 struct smbXcli_req_state);
1112
1113 state->smb1.seqnum = seqnum;
1114 }
1115
1116 static size_t smbXcli_iov_len(const struct iovec *iov, int count)
1117 {
1118 size_t result = 0;
1119 int i;
1120 for (i=0; i<count; i++) {
1121 result += iov[i].iov_len;
1122 }
1123 return result;
1124 }
1125
1126 static uint8_t *smbXcli_iov_concat(TALLOC_CTX *mem_ctx,
1127 const struct iovec *iov,
1128 int count)
1129 {
1130 size_t len = smbXcli_iov_len(iov, count);
1131 size_t copied;
1132 uint8_t *buf;
1133 int i;
1134
1135 buf = talloc_array(mem_ctx, uint8_t, len);
1136 if (buf == NULL) {
1137 return NULL;
1138 }
1139 copied = 0;
1140 for (i=0; i<count; i++) {
1141 memcpy(buf+copied, iov[i].iov_base, iov[i].iov_len);
1142 copied += iov[i].iov_len;
1143 }
1144 return buf;
1145 }
1146
1147 static void smb1cli_req_flags(enum protocol_types protocol,
1148 uint32_t smb1_capabilities,
1149 uint8_t smb_command,
1150 uint8_t additional_flags,
1151 uint8_t clear_flags,
1152 uint8_t *_flags,
1153 uint16_t additional_flags2,
1154 uint16_t clear_flags2,
1155 uint16_t *_flags2)
1156 {
1157 uint8_t flags = 0;
1158 uint16_t flags2 = 0;
1159
1160 if (protocol >= PROTOCOL_LANMAN1) {
1161 flags |= FLAG_CASELESS_PATHNAMES;
1162 flags |= FLAG_CANONICAL_PATHNAMES;
1163 }
1164
1165 if (protocol >= PROTOCOL_LANMAN2) {
1166 flags2 |= FLAGS2_LONG_PATH_COMPONENTS;
1167 flags2 |= FLAGS2_EXTENDED_ATTRIBUTES;
1168 }
1169
1170 if (protocol >= PROTOCOL_NT1) {
1171 flags2 |= FLAGS2_IS_LONG_NAME;
1172
1173 if (smb1_capabilities & CAP_UNICODE) {
1174 flags2 |= FLAGS2_UNICODE_STRINGS;
1175 }
1176 if (smb1_capabilities & CAP_STATUS32) {
1177 flags2 |= FLAGS2_32_BIT_ERROR_CODES;
1178 }
1179 if (smb1_capabilities & CAP_EXTENDED_SECURITY) {
1180 flags2 |= FLAGS2_EXTENDED_SECURITY;
1181 }
1182 }
1183
1184 flags |= additional_flags;
1185 flags &= ~clear_flags;
1186 flags2 |= additional_flags2;
1187 flags2 &= ~clear_flags2;
1188
1189 *_flags = flags;
1190 *_flags2 = flags2;
1191 }
1192
1193 static void smb1cli_req_cancel_done(struct tevent_req *subreq);
1194
1195 static bool smb1cli_req_cancel(struct tevent_req *req)
1196 {
1197 struct smbXcli_req_state *state =
1198 tevent_req_data(req,
1199 struct smbXcli_req_state);
1200 uint8_t flags;
1201 uint16_t flags2;
1202 uint32_t pid;
1203 uint16_t mid;
1204 struct tevent_req *subreq;
1205 NTSTATUS status;
1206
1207 flags = CVAL(state->smb1.hdr, HDR_FLG);
1208 flags2 = SVAL(state->smb1.hdr, HDR_FLG2);
1209 pid = SVAL(state->smb1.hdr, HDR_PID);
1210 pid |= SVAL(state->smb1.hdr, HDR_PIDHIGH)<<16;
1211 mid = SVAL(state->smb1.hdr, HDR_MID);
1212
1213 subreq = smb1cli_req_create(state, state->ev,
1214 state->conn,
1215 SMBntcancel,
1216 flags, 0,
1217 flags2, 0,
1218 0, /* timeout */
1219 pid,
1220 state->tcon,
1221 state->session,
1222 0, NULL, /* vwv */
1223 0, NULL); /* bytes */
1224 if (subreq == NULL) {
1225 return false;
1226 }
1227 smb1cli_req_set_mid(subreq, mid);
1228
1229 status = smb1cli_req_chain_submit(&subreq, 1);
1230 if (!NT_STATUS_IS_OK(status)) {
1231 TALLOC_FREE(subreq);
1232 return false;
1233 }
1234 smb1cli_req_set_mid(subreq, 0);
1235
1236 tevent_req_set_callback(subreq, smb1cli_req_cancel_done, NULL);
1237
1238 return true;
1239 }
1240
1241 static void smb1cli_req_cancel_done(struct tevent_req *subreq)
1242 {
1243 /* we do not care about the result */
1244 TALLOC_FREE(subreq);
1245 }
1246
1247 struct tevent_req *smb1cli_req_create(TALLOC_CTX *mem_ctx,
1248 struct tevent_context *ev,
1249 struct smbXcli_conn *conn,
1250 uint8_t smb_command,
1251 uint8_t additional_flags,
1252 uint8_t clear_flags,
1253 uint16_t additional_flags2,
1254 uint16_t clear_flags2,
1255 uint32_t timeout_msec,
1256 uint32_t pid,
1257 struct smbXcli_tcon *tcon,
1258 struct smbXcli_session *session,
1259 uint8_t wct, uint16_t *vwv,
1260 int iov_count,
1261 struct iovec *bytes_iov)
1262 {
1263 struct tevent_req *req;
1264 struct smbXcli_req_state *state;
1265 uint8_t flags = 0;
1266 uint16_t flags2 = 0;
1267 uint16_t uid = 0;
1268 uint16_t tid = 0;
1269
1270 if (iov_count > MAX_SMB_IOV) {
1271 /*
1272 * Should not happen :-)
1273 */
1274 return NULL;
1275 }
1276
1277 req = tevent_req_create(mem_ctx, &state,
1278 struct smbXcli_req_state);
1279 if (req == NULL) {
1280 return NULL;
1281 }
1282 state->ev = ev;
1283 state->conn = conn;
1284 state->session = session;
1285 state->tcon = tcon;
1286
1287 if (session) {
1288 uid = session->smb1.session_id;
1289 }
1290
1291 if (tcon) {
1292 tid = tcon->smb1.tcon_id;
1293
1294 if (tcon->fs_attributes & FILE_CASE_SENSITIVE_SEARCH) {
1295 clear_flags |= FLAG_CASELESS_PATHNAMES;
1296 } else {
1297 /* Default setting, case insensitive. */
1298 additional_flags |= FLAG_CASELESS_PATHNAMES;
1299 }
1300
1301 if (smbXcli_conn_dfs_supported(conn) &&
1302 smbXcli_tcon_is_dfs_share(tcon))
1303 {
1304 additional_flags2 |= FLAGS2_DFS_PATHNAMES;
1305 }
1306 }
1307
1308 state->smb1.recv_cmd = 0xFF;
1309 state->smb1.recv_status = NT_STATUS_INTERNAL_ERROR;
1310 state->smb1.recv_iov = talloc_zero_array(state, struct iovec, 3);
1311 if (state->smb1.recv_iov == NULL) {
1312 TALLOC_FREE(req);
1313 return NULL;
1314 }
1315
1316 smb1cli_req_flags(conn->protocol,
1317 conn->smb1.capabilities,
1318 smb_command,
1319 additional_flags,
1320 clear_flags,
1321 &flags,
1322 additional_flags2,
1323 clear_flags2,
1324 &flags2);
1325
1326 SIVAL(state->smb1.hdr, 0, SMB_MAGIC);
1327 SCVAL(state->smb1.hdr, HDR_COM, smb_command);
1328 SIVAL(state->smb1.hdr, HDR_RCLS, NT_STATUS_V(NT_STATUS_OK));
1329 SCVAL(state->smb1.hdr, HDR_FLG, flags);
1330 SSVAL(state->smb1.hdr, HDR_FLG2, flags2);
1331 SSVAL(state->smb1.hdr, HDR_PIDHIGH, pid >> 16);
1332 SSVAL(state->smb1.hdr, HDR_TID, tid);
1333 SSVAL(state->smb1.hdr, HDR_PID, pid);
1334 SSVAL(state->smb1.hdr, HDR_UID, uid);
1335 SSVAL(state->smb1.hdr, HDR_MID, 0); /* this comes later */
1336 SCVAL(state->smb1.hdr, HDR_WCT, wct);
1337
1338 state->smb1.vwv = vwv;
1339
1340 SSVAL(state->smb1.bytecount_buf, 0, smbXcli_iov_len(bytes_iov, iov_count));
1341
1342 state->smb1.iov[0].iov_base = (void *)state->length_hdr;
1343 state->smb1.iov[0].iov_len = sizeof(state->length_hdr);
1344 state->smb1.iov[1].iov_base = (void *)state->smb1.hdr;
1345 state->smb1.iov[1].iov_len = sizeof(state->smb1.hdr);
1346 state->smb1.iov[2].iov_base = (void *)state->smb1.vwv;
1347 state->smb1.iov[2].iov_len = wct * sizeof(uint16_t);
1348 state->smb1.iov[3].iov_base = (void *)state->smb1.bytecount_buf;
1349 state->smb1.iov[3].iov_len = sizeof(uint16_t);
1350
1351 if (iov_count != 0) {
1352 memcpy(&state->smb1.iov[4], bytes_iov,
1353 iov_count * sizeof(*bytes_iov));
1354 }
1355 state->smb1.iov_count = iov_count + 4;
1356
1357 if (timeout_msec > 0) {
1358 struct timeval endtime;
1359
1360 endtime = timeval_current_ofs_msec(timeout_msec);
1361 if (!tevent_req_set_endtime(req, ev, endtime)) {
1362 return req;
1363 }
1364 }
1365
1366 switch (smb_command) {
1367 case SMBtranss:
1368 case SMBtranss2:
1369 case SMBnttranss:
1370 state->one_way = true;
1371 break;
1372 case SMBntcancel:
1373 state->one_way = true;
1374 state->smb1.one_way_seqnum = true;
1375 break;
1376 case SMBlockingX:
1377 if ((wct == 8) &&
1378 (CVAL(vwv+3, 0) == LOCKING_ANDX_OPLOCK_RELEASE)) {
1379 state->one_way = true;
1380 }
1381 break;
1382 }
1383
1384 return req;
1385 }
1386
1387 static NTSTATUS smb1cli_conn_signv(struct smbXcli_conn *conn,
1388 struct iovec *iov, int iov_count,
1389 uint32_t *seqnum,
1390 bool one_way_seqnum)
1391 {
1392 TALLOC_CTX *frame = NULL;
1393 uint8_t *buf;
1394
1395 /*
1396 * Obvious optimization: Make cli_calculate_sign_mac work with struct
1397 * iovec directly. MD5Update would do that just fine.
1398 */
1399
1400 if (iov_count < 4) {
1401 return NT_STATUS_INVALID_PARAMETER_MIX;
1402 }
1403 if (iov[0].iov_len != NBT_HDR_SIZE) {
1404 return NT_STATUS_INVALID_PARAMETER_MIX;
1405 }
1406 if (iov[1].iov_len != (MIN_SMB_SIZE-sizeof(uint16_t))) {
1407 return NT_STATUS_INVALID_PARAMETER_MIX;
1408 }
1409 if (iov[2].iov_len > (0xFF * sizeof(uint16_t))) {
1410 return NT_STATUS_INVALID_PARAMETER_MIX;
1411 }
1412 if (iov[3].iov_len != sizeof(uint16_t)) {
1413 return NT_STATUS_INVALID_PARAMETER_MIX;
1414 }
1415
1416 frame = talloc_stackframe();
1417
1418 buf = smbXcli_iov_concat(frame, &iov[1], iov_count - 1);
1419 if (buf == NULL) {
1420 return NT_STATUS_NO_MEMORY;
1421 }
1422
1423 *seqnum = smb_signing_next_seqnum(conn->smb1.signing,
1424 one_way_seqnum);
1425 smb_signing_sign_pdu(conn->smb1.signing,
1426 buf, talloc_get_size(buf),
1427 *seqnum);
1428 memcpy(iov[1].iov_base, buf, iov[1].iov_len);
1429
1430 TALLOC_FREE(frame);
1431 return NT_STATUS_OK;
1432 }
1433
1434 static void smb1cli_req_writev_done(struct tevent_req *subreq);
1435 static NTSTATUS smb1cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
1436 TALLOC_CTX *tmp_mem,
1437 uint8_t *inbuf);
1438
1439 static NTSTATUS smb1cli_req_writev_submit(struct tevent_req *req,
1440 struct smbXcli_req_state *state,
1441 struct iovec *iov, int iov_count)
1442 {
1443 struct tevent_req *subreq;
1444 NTSTATUS status;
1445 uint8_t cmd;
1446 uint16_t mid;
1447
1448 if (!smbXcli_conn_is_connected(state->conn)) {
1449 return NT_STATUS_CONNECTION_DISCONNECTED;
1450 }
1451
1452 if (state->conn->protocol > PROTOCOL_NT1) {
1453 return NT_STATUS_REVISION_MISMATCH;
1454 }
1455
1456 if (iov_count < 4) {
1457 return NT_STATUS_INVALID_PARAMETER_MIX;
1458 }
1459 if (iov[0].iov_len != NBT_HDR_SIZE) {
1460 return NT_STATUS_INVALID_PARAMETER_MIX;
1461 }
1462 if (iov[1].iov_len != (MIN_SMB_SIZE-sizeof(uint16_t))) {
1463 return NT_STATUS_INVALID_PARAMETER_MIX;
1464 }
1465 if (iov[2].iov_len > (0xFF * sizeof(uint16_t))) {
1466 return NT_STATUS_INVALID_PARAMETER_MIX;
1467 }
1468 if (iov[3].iov_len != sizeof(uint16_t)) {
1469 return NT_STATUS_INVALID_PARAMETER_MIX;
1470 }
1471
1472 cmd = CVAL(iov[1].iov_base, HDR_COM);
1473 if (cmd == SMBreadBraw) {
1474 if (smbXcli_conn_has_async_calls(state->conn)) {
1475 return NT_STATUS_INVALID_PARAMETER_MIX;
1476 }
1477 state->conn->smb1.read_braw_req = req;
1478 }
1479
1480 if (state->smb1.mid != 0) {
1481 mid = state->smb1.mid;
1482 } else {
1483 mid = smb1cli_alloc_mid(state->conn);
1484 }
1485 SSVAL(iov[1].iov_base, HDR_MID, mid);
1486
1487 _smb_setlen_nbt(iov[0].iov_base, smbXcli_iov_len(&iov[1], iov_count-1));
1488
1489 status = smb1cli_conn_signv(state->conn, iov, iov_count,
1490 &state->smb1.seqnum,
1491 state->smb1.one_way_seqnum);
1492
1493 if (!NT_STATUS_IS_OK(status)) {
1494 return status;
1495 }
1496
1497 /*
1498 * If we supported multiple encrytion contexts
1499 * here we'd look up based on tid.
1500 */
1501 if (common_encryption_on(state->conn->smb1.trans_enc)) {
1502 char *buf, *enc_buf;
1503
1504 buf = (char *)smbXcli_iov_concat(talloc_tos(), iov, iov_count);
1505 if (buf == NULL) {
1506 return NT_STATUS_NO_MEMORY;
1507 }
1508 status = common_encrypt_buffer(state->conn->smb1.trans_enc,
1509 (char *)buf, &enc_buf);
1510 TALLOC_FREE(buf);
1511 if (!NT_STATUS_IS_OK(status)) {
1512 DEBUG(0, ("Error in encrypting client message: %s\n",
1513 nt_errstr(status)));
1514 return status;
1515 }
1516 buf = (char *)talloc_memdup(state, enc_buf,
1517 smb_len_nbt(enc_buf)+4);
1518 SAFE_FREE(enc_buf);
1519 if (buf == NULL) {
1520 return NT_STATUS_NO_MEMORY;
1521 }
1522 iov[0].iov_base = (void *)buf;
1523 iov[0].iov_len = talloc_get_size(buf);
1524 iov_count = 1;
1525 }
1526
1527 if (state->conn->dispatch_incoming == NULL) {
1528 state->conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
1529 }
1530
1531 tevent_req_set_cancel_fn(req, smbXcli_req_cancel);
1532
1533 subreq = writev_send(state, state->ev, state->conn->outgoing,
1534 state->conn->write_fd, false, iov, iov_count);
1535 if (subreq == NULL) {
1536 return NT_STATUS_NO_MEMORY;
1537 }
1538 tevent_req_set_callback(subreq, smb1cli_req_writev_done, req);
1539 return NT_STATUS_OK;
1540 }
1541
1542 struct tevent_req *smb1cli_req_send(TALLOC_CTX *mem_ctx,
1543 struct tevent_context *ev,
1544 struct smbXcli_conn *conn,
1545 uint8_t smb_command,
1546 uint8_t additional_flags,
1547 uint8_t clear_flags,
1548 uint16_t additional_flags2,
1549 uint16_t clear_flags2,
1550 uint32_t timeout_msec,
1551 uint32_t pid,
1552 struct smbXcli_tcon *tcon,
1553 struct smbXcli_session *session,
1554 uint8_t wct, uint16_t *vwv,
1555 uint32_t num_bytes,
1556 const uint8_t *bytes)
1557 {
1558 struct tevent_req *req;
1559 struct iovec iov;
1560 NTSTATUS status;
1561
1562 iov.iov_base = discard_const_p(void, bytes);
1563 iov.iov_len = num_bytes;
1564
1565 req = smb1cli_req_create(mem_ctx, ev, conn, smb_command,
1566 additional_flags, clear_flags,
1567 additional_flags2, clear_flags2,
1568 timeout_msec,
1569 pid, tcon, session,
1570 wct, vwv, 1, &iov);
1571 if (req == NULL) {
1572 return NULL;
1573 }
1574 if (!tevent_req_is_in_progress(req)) {
1575 return tevent_req_post(req, ev);
1576 }
1577 status = smb1cli_req_chain_submit(&req, 1);
1578 if (tevent_req_nterror(req, status)) {
1579 return tevent_req_post(req, ev);
1580 }
1581 return req;
1582 }
1583
1584 static void smb1cli_req_writev_done(struct tevent_req *subreq)
1585 {
1586 struct tevent_req *req =
1587 tevent_req_callback_data(subreq,
1588 struct tevent_req);
1589 struct smbXcli_req_state *state =
1590 tevent_req_data(req,
1591 struct smbXcli_req_state);
1592 ssize_t nwritten;
1593 int err;
1594
1595 nwritten = writev_recv(subreq, &err);
1596 TALLOC_FREE(subreq);
1597 if (nwritten == -1) {
1598 NTSTATUS status = map_nt_error_from_unix_common(err);
1599 smbXcli_conn_disconnect(state->conn, status);
1600 return;
1601 }
1602
1603 if (state->one_way) {
1604 state->inbuf = NULL;
1605 tevent_req_done(req);
1606 return;
1607 }
1608
1609 if (!smbXcli_req_set_pending(req)) {
1610 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
1611 return;
1612 }
1613 }
1614
1615 static void smbXcli_conn_received(struct tevent_req *subreq)
1616 {
1617 struct smbXcli_conn *conn =
1618 tevent_req_callback_data(subreq,
1619 struct smbXcli_conn);
1620 TALLOC_CTX *frame = talloc_stackframe();
1621 NTSTATUS status;
1622 uint8_t *inbuf;
1623 ssize_t received;
1624 int err;
1625
1626 if (subreq != conn->read_smb_req) {
1627 DEBUG(1, ("Internal error: cli_smb_received called with "
1628 "unexpected subreq\n"));
1629 smbXcli_conn_disconnect(conn, NT_STATUS_INTERNAL_ERROR);
1630 TALLOC_FREE(frame);
1631 return;
1632 }
1633 conn->read_smb_req = NULL;
1634
1635 received = read_smb_recv(subreq, frame, &inbuf, &err);
1636 TALLOC_FREE(subreq);
1637 if (received == -1) {
1638 status = map_nt_error_from_unix_common(err);
1639 smbXcli_conn_disconnect(conn, status);
1640 TALLOC_FREE(frame);
1641 return;
1642 }
1643
1644 status = conn->dispatch_incoming(conn, frame, inbuf);
1645 TALLOC_FREE(frame);
1646 if (NT_STATUS_IS_OK(status)) {
1647 /*
1648 * We should not do any more processing
1649 * as the dispatch function called
1650 * tevent_req_done().
1651 */
1652 return;
1653 }
1654
1655 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
1656 /*
1657 * We got an error, so notify all pending requests
1658 */
1659 smbXcli_conn_disconnect(conn, status);
1660 return;
1661 }
1662
1663 /*
1664 * We got NT_STATUS_RETRY, so we may ask for a
1665 * next incoming pdu.
1666 */
1667 if (!smbXcli_conn_receive_next(conn)) {
1668 smbXcli_conn_disconnect(conn, NT_STATUS_NO_MEMORY);
1669 }
1670 }
1671
1672 static NTSTATUS smb1cli_inbuf_parse_chain(uint8_t *buf, TALLOC_CTX *mem_ctx,
1673 struct iovec **piov, int *pnum_iov)
1674 {
1675 struct iovec *iov;
1676 int num_iov;
1677 size_t buflen;
1678 size_t taken;
1679 size_t remaining;
1680 uint8_t *hdr;
1681 uint8_t cmd;
1682 uint32_t wct_ofs;
1683 NTSTATUS status;
1684 size_t min_size = MIN_SMB_SIZE;
1685
1686 buflen = smb_len_tcp(buf);
1687 taken = 0;
1688
1689 hdr = buf + NBT_HDR_SIZE;
1690
1691 status = smb1cli_pull_raw_error(hdr);
1692 if (NT_STATUS_IS_ERR(status)) {
1693 /*
1694 * This is an ugly hack to support OS/2
1695 * which skips the byte_count in the DATA block
1696 * on some error responses.
1697 *
1698 * See bug #9096
1699 */
1700 min_size -= sizeof(uint16_t);
1701 }
1702
1703 if (buflen < min_size) {
1704 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1705 }
1706
1707 /*
1708 * This returns iovec elements in the following order:
1709 *
1710 * - SMB header
1711 *
1712 * - Parameter Block
1713 * - Data Block
1714 *
1715 * - Parameter Block
1716 * - Data Block
1717 *
1718 * - Parameter Block
1719 * - Data Block
1720 */
1721 num_iov = 1;
1722
1723 iov = talloc_array(mem_ctx, struct iovec, num_iov);
1724 if (iov == NULL) {
1725 return NT_STATUS_NO_MEMORY;
1726 }
1727 iov[0].iov_base = hdr;
1728 iov[0].iov_len = HDR_WCT;
1729 taken += HDR_WCT;
1730
1731 cmd = CVAL(hdr, HDR_COM);
1732 wct_ofs = HDR_WCT;
1733
1734 while (true) {
1735 size_t len = buflen - taken;
1736 struct iovec *cur;
1737 struct iovec *iov_tmp;
1738 uint8_t wct;
1739 uint32_t bcc_ofs;
1740 uint16_t bcc;
1741 size_t needed;
1742
1743 /*
1744 * we need at least WCT
1745 */
1746 needed = sizeof(uint8_t);
1747 if (len < needed) {
1748 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1749 __location__, (int)len, (int)needed));
1750 goto inval;
1751 }
1752
1753 /*
1754 * Now we check if the specified words are there
1755 */
1756 wct = CVAL(hdr, wct_ofs);
1757 needed += wct * sizeof(uint16_t);
1758 if (len < needed) {
1759 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1760 __location__, (int)len, (int)needed));
1761 goto inval;
1762 }
1763
1764 if ((num_iov == 1) &&
1765 (len == needed) &&
1766 NT_STATUS_IS_ERR(status))
1767 {
1768 /*
1769 * This is an ugly hack to support OS/2
1770 * which skips the byte_count in the DATA block
1771 * on some error responses.
1772 *
1773 * See bug #9096
1774 */
1775 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
1776 num_iov + 2);
1777 if (iov_tmp == NULL) {
1778 TALLOC_FREE(iov);
1779 return NT_STATUS_NO_MEMORY;
1780 }
1781 iov = iov_tmp;
1782 cur = &iov[num_iov];
1783 num_iov += 2;
1784
1785 cur[0].iov_len = 0;
1786 cur[0].iov_base = hdr + (wct_ofs + sizeof(uint8_t));
1787 cur[1].iov_len = 0;
1788 cur[1].iov_base = cur[0].iov_base;
1789
1790 taken += needed;
1791 break;
1792 }
1793
1794 /*
1795 * we need at least BCC
1796 */
1797 needed += sizeof(uint16_t);
1798 if (len < needed) {
1799 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1800 __location__, (int)len, (int)needed));
1801 goto inval;
1802 }
1803
1804 /*
1805 * Now we check if the specified bytes are there
1806 */
1807 bcc_ofs = wct_ofs + sizeof(uint8_t) + wct * sizeof(uint16_t);
1808 bcc = SVAL(hdr, bcc_ofs);
1809 needed += bcc * sizeof(uint8_t);
1810 if (len < needed) {
1811 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1812 __location__, (int)len, (int)needed));
1813 goto inval;
1814 }
1815
1816 /*
1817 * we allocate 2 iovec structures for words and bytes
1818 */
1819 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
1820 num_iov + 2);
1821 if (iov_tmp == NULL) {
1822 TALLOC_FREE(iov);
1823 return NT_STATUS_NO_MEMORY;
1824 }
1825 iov = iov_tmp;
1826 cur = &iov[num_iov];
1827 num_iov += 2;
1828
1829 cur[0].iov_len = wct * sizeof(uint16_t);
1830 cur[0].iov_base = hdr + (wct_ofs + sizeof(uint8_t));
1831 cur[1].iov_len = bcc * sizeof(uint8_t);
1832 cur[1].iov_base = hdr + (bcc_ofs + sizeof(uint16_t));
1833
1834 taken += needed;
1835
1836 if (!smb1cli_is_andx_req(cmd)) {
1837 /*
1838 * If the current command does not have AndX chanining
1839 * we are done.
1840 */
1841 break;
1842 }
1843
1844 if (wct == 0 && bcc == 0) {
1845 /*
1846 * An empty response also ends the chain,
1847 * most likely with an error.
1848 */
1849 break;
1850 }
1851
1852 if (wct < 2) {
1853 DEBUG(10, ("%s: wct[%d] < 2 for cmd[0x%02X]\n",
1854 __location__, (int)wct, (int)cmd));
1855 goto inval;
1856 }
1857 cmd = CVAL(cur[0].iov_base, 0);
1858 if (cmd == 0xFF) {
1859 /*
1860 * If it is the end of the chain we are also done.
1861 */
1862 break;
1863 }
1864 wct_ofs = SVAL(cur[0].iov_base, 2);
1865
1866 if (wct_ofs < taken) {
1867 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1868 }
1869 if (wct_ofs > buflen) {
1870 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1871 }
1872
1873 /*
1874 * we consumed everything up to the start of the next
1875 * parameter block.
1876 */
1877 taken = wct_ofs;
1878 }
1879
1880 remaining = buflen - taken;
1881
1882 if (remaining > 0 && num_iov >= 3) {
1883 /*
1884 * The last DATA block gets the remaining
1885 * bytes, this is needed to support
1886 * CAP_LARGE_WRITEX and CAP_LARGE_READX.
1887 */
1888 iov[num_iov-1].iov_len += remaining;
1889 }
1890
1891 *piov = iov;
1892 *pnum_iov = num_iov;
1893 return NT_STATUS_OK;
1894
1895 inval:
1896 TALLOC_FREE(iov);
1897 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1898 }
1899
1900 static NTSTATUS smb1cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
1901 TALLOC_CTX *tmp_mem,
1902 uint8_t *inbuf)
1903 {
1904 struct tevent_req *req;
1905 struct smbXcli_req_state *state;
1906 NTSTATUS status;
1907 size_t num_pending;
1908 size_t i;
1909 uint8_t cmd;
1910 uint16_t mid;
1911 bool oplock_break;
1912 uint8_t *inhdr = inbuf + NBT_HDR_SIZE;
1913 size_t len = smb_len_tcp(inbuf);
1914 struct iovec *iov = NULL;
1915 int num_iov = 0;
1916 struct tevent_req **chain = NULL;
1917 size_t num_chained = 0;
1918 size_t num_responses = 0;
1919
1920 if (conn->smb1.read_braw_req != NULL) {
1921 req = conn->smb1.read_braw_req;
1922 conn->smb1.read_braw_req = NULL;
1923 state = tevent_req_data(req, struct smbXcli_req_state);
1924
1925 smbXcli_req_unset_pending(req);
1926
1927 if (state->smb1.recv_iov == NULL) {
1928 /*
1929 * For requests with more than
1930 * one response, we have to readd the
1931 * recv_iov array.
1932 */
1933 state->smb1.recv_iov = talloc_zero_array(state,
1934 struct iovec,
1935 3);
1936 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
1937 return NT_STATUS_OK;
1938 }
1939 }
1940
1941 state->smb1.recv_iov[0].iov_base = (void *)(inhdr);
1942 state->smb1.recv_iov[0].iov_len = len;
1943 ZERO_STRUCT(state->smb1.recv_iov[1]);
1944 ZERO_STRUCT(state->smb1.recv_iov[2]);
1945
1946 state->smb1.recv_cmd = SMBreadBraw;
1947 state->smb1.recv_status = NT_STATUS_OK;
1948 state->inbuf = talloc_move(state->smb1.recv_iov, &inbuf);
1949
1950 tevent_req_done(req);
1951 return NT_STATUS_OK;
1952 }
1953
1954 if ((IVAL(inhdr, 0) != SMB_MAGIC) /* 0xFF"SMB" */
1955 && (SVAL(inhdr, 0) != 0x45ff)) /* 0xFF"E" */ {
1956 DEBUG(10, ("Got non-SMB PDU\n"));
1957 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1958 }
1959
1960 /*
1961 * If we supported multiple encrytion contexts
1962 * here we'd look up based on tid.
1963 */
1964 if (common_encryption_on(conn->smb1.trans_enc)
1965 && (CVAL(inbuf, 0) == 0)) {
1966 uint16_t enc_ctx_num;
1967
1968 status = get_enc_ctx_num(inbuf, &enc_ctx_num);
1969 if (!NT_STATUS_IS_OK(status)) {
1970 DEBUG(10, ("get_enc_ctx_num returned %s\n",
1971 nt_errstr(status)));
1972 return status;
1973 }
1974
1975 if (enc_ctx_num != conn->smb1.trans_enc->enc_ctx_num) {
1976 DEBUG(10, ("wrong enc_ctx %d, expected %d\n",
1977 enc_ctx_num,
1978 conn->smb1.trans_enc->enc_ctx_num));
1979 return NT_STATUS_INVALID_HANDLE;
1980 }
1981
1982 status = common_decrypt_buffer(conn->smb1.trans_enc,
1983 (char *)inbuf);
1984 if (!NT_STATUS_IS_OK(status)) {
1985 DEBUG(10, ("common_decrypt_buffer returned %s\n",
1986 nt_errstr(status)));
1987 return status;
1988 }
1989 inhdr = inbuf + NBT_HDR_SIZE;
1990 len = smb_len_nbt(inbuf);
1991 }
1992
1993 mid = SVAL(inhdr, HDR_MID);
1994 num_pending = talloc_array_length(conn->pending);
1995
1996 for (i=0; i<num_pending; i++) {
1997 if (mid == smb1cli_req_mid(conn->pending[i])) {
1998 break;
1999 }
2000 }
2001 if (i == num_pending) {
2002 /* Dump unexpected reply */
2003 return NT_STATUS_RETRY;
2004 }
2005
2006 oplock_break = false;
2007
2008 if (mid == 0xffff) {
2009 /*
2010 * Paranoia checks that this is really an oplock break request.
2011 */
2012 oplock_break = (len == 51); /* hdr + 8 words */
2013 oplock_break &= ((CVAL(inhdr, HDR_FLG) & FLAG_REPLY) == 0);
2014 oplock_break &= (CVAL(inhdr, HDR_COM) == SMBlockingX);
2015 oplock_break &= (SVAL(inhdr, HDR_VWV+VWV(6)) == 0);
2016 oplock_break &= (SVAL(inhdr, HDR_VWV+VWV(7)) == 0);
2017
2018 if (!oplock_break) {
2019 /* Dump unexpected reply */
2020 return NT_STATUS_RETRY;
2021 }
2022 }
2023
2024 req = conn->pending[i];
2025 state = tevent_req_data(req, struct smbXcli_req_state);
2026
2027 if (!oplock_break /* oplock breaks are not signed */
2028 && !smb_signing_check_pdu(conn->smb1.signing,
2029 inhdr, len, state->smb1.seqnum+1)) {
2030 DEBUG(10, ("cli_check_sign_mac failed\n"));
2031 return NT_STATUS_ACCESS_DENIED;
2032 }
2033
2034 status = smb1cli_inbuf_parse_chain(inbuf, tmp_mem,
2035 &iov, &num_iov);
2036 if (!NT_STATUS_IS_OK(status)) {
2037 DEBUG(10,("smb1cli_inbuf_parse_chain - %s\n",
2038 nt_errstr(status)));
2039 return status;
2040 }
2041
2042 cmd = CVAL(inhdr, HDR_COM);
2043 status = smb1cli_pull_raw_error(inhdr);
2044
2045 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
2046 (state->session != NULL) && state->session->disconnect_expired)
2047 {
2048 /*
2049 * this should be a short term hack
2050 * until the upper layers have implemented
2051 * re-authentication.
2052 */
2053 return status;
2054 }
2055
2056 if (state->smb1.chained_requests == NULL) {
2057 if (num_iov != 3) {
2058 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2059 }
2060
2061 smbXcli_req_unset_pending(req);
2062
2063 if (state->smb1.recv_iov == NULL) {
2064 /*
2065 * For requests with more than
2066 * one response, we have to readd the
2067 * recv_iov array.
2068 */
2069 state->smb1.recv_iov = talloc_zero_array(state,
2070 struct iovec,
2071 3);
2072 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2073 return NT_STATUS_OK;
2074 }
2075 }
2076
2077 state->smb1.recv_cmd = cmd;
2078 state->smb1.recv_status = status;
2079 state->inbuf = talloc_move(state->smb1.recv_iov, &inbuf);
2080
2081 state->smb1.recv_iov[0] = iov[0];
2082 state->smb1.recv_iov[1] = iov[1];
2083 state->smb1.recv_iov[2] = iov[2];
2084
2085 if (talloc_array_length(conn->pending) == 0) {
2086 tevent_req_done(req);
2087 return NT_STATUS_OK;
2088 }
2089
2090 tevent_req_defer_callback(req, state->ev);
2091 tevent_req_done(req);
2092 return NT_STATUS_RETRY;
2093 }
2094
2095 chain = talloc_move(tmp_mem, &state->smb1.chained_requests);
2096 num_chained = talloc_array_length(chain);
2097 num_responses = (num_iov - 1)/2;
2098
2099 if (num_responses > num_chained) {
2100 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2101 }
2102
2103 for (i=0; i<num_chained; i++) {
2104 size_t iov_idx = 1 + (i*2);
2105 struct iovec *cur = &iov[iov_idx];
2106 uint8_t *inbuf_ref;
2107
2108 req = chain[i];
2109 state = tevent_req_data(req, struct smbXcli_req_state);
2110
2111 smbXcli_req_unset_pending(req);
2112
2113 /*
2114 * as we finish multiple requests here
2115 * we need to defer the callbacks as
2116 * they could destroy our current stack state.
2117 */
2118 tevent_req_defer_callback(req, state->ev);
2119
2120 if (i >= num_responses) {
2121 tevent_req_nterror(req, NT_STATUS_REQUEST_ABORTED);
2122 continue;
2123 }
2124
2125 if (state->smb1.recv_iov == NULL) {
2126 /*
2127 * For requests with more than
2128 * one response, we have to readd the
2129 * recv_iov array.
2130 */
2131 state->smb1.recv_iov = talloc_zero_array(state,
2132 struct iovec,
2133 3);
2134 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2135 continue;
2136 }
2137 }
2138
2139 state->smb1.recv_cmd = cmd;
2140
2141 if (i == (num_responses - 1)) {
2142 /*
2143 * The last request in the chain gets the status
2144 */
2145 state->smb1.recv_status = status;
2146 } else {
2147 cmd = CVAL(cur[0].iov_base, 0);
2148 state->smb1.recv_status = NT_STATUS_OK;
2149 }
2150
2151 state->inbuf = inbuf;
2152
2153 /*
2154 * Note: here we use talloc_reference() in a way
2155 * that does not expose it to the caller.
2156 */
2157 inbuf_ref = talloc_reference(state->smb1.recv_iov, inbuf);
2158 if (tevent_req_nomem(inbuf_ref, req)) {
2159 continue;
2160 }
2161
2162 /* copy the related buffers */
2163 state->smb1.recv_iov[0] = iov[0];
2164 state->smb1.recv_iov[1] = cur[0];
2165 state->smb1.recv_iov[2] = cur[1];
2166
2167 tevent_req_done(req);
2168 }
2169
2170 return NT_STATUS_RETRY;
2171 }
2172
2173 NTSTATUS smb1cli_req_recv(struct tevent_req *req,
2174 TALLOC_CTX *mem_ctx,
2175 struct iovec **piov,
2176 uint8_t **phdr,
2177 uint8_t *pwct,
2178 uint16_t **pvwv,
2179 uint32_t *pvwv_offset,
2180 uint32_t *pnum_bytes,
2181 uint8_t **pbytes,
2182 uint32_t *pbytes_offset,
2183 uint8_t **pinbuf,
2184 const struct smb1cli_req_expected_response *expected,
2185 size_t num_expected)
2186 {
2187 struct smbXcli_req_state *state =
2188 tevent_req_data(req,
2189 struct smbXcli_req_state);
2190 NTSTATUS status = NT_STATUS_OK;
2191 struct iovec *recv_iov = NULL;
2192 uint8_t *hdr = NULL;
2193 uint8_t wct = 0;
2194 uint32_t vwv_offset = 0;
2195 uint16_t *vwv = NULL;
2196 uint32_t num_bytes = 0;
2197 uint32_t bytes_offset = 0;
2198 uint8_t *bytes = NULL;
2199 size_t i;
2200 bool found_status = false;
2201 bool found_size = false;
2202
2203 if (piov != NULL) {
2204 *piov = NULL;
2205 }
2206 if (phdr != NULL) {
2207 *phdr = 0;
2208 }
2209 if (pwct != NULL) {
2210 *pwct = 0;
2211 }
2212 if (pvwv != NULL) {
2213 *pvwv = NULL;
2214 }
2215 if (pvwv_offset != NULL) {
2216 *pvwv_offset = 0;
2217 }
2218 if (pnum_bytes != NULL) {
2219 *pnum_bytes = 0;
2220 }
2221 if (pbytes != NULL) {
2222 *pbytes = NULL;
2223 }
2224 if (pbytes_offset != NULL) {
2225 *pbytes_offset = 0;
2226 }
2227 if (pinbuf != NULL) {
2228 *pinbuf = NULL;
2229 }
2230
2231 if (state->inbuf != NULL) {
2232 recv_iov = state->smb1.recv_iov;
2233 state->smb1.recv_iov = NULL;
2234 if (state->smb1.recv_cmd != SMBreadBraw) {
2235 hdr = (uint8_t *)recv_iov[0].iov_base;
2236 wct = recv_iov[1].iov_len/2;
2237 vwv = (uint16_t *)recv_iov[1].iov_base;
2238 vwv_offset = PTR_DIFF(vwv, hdr);
2239 num_bytes = recv_iov[2].iov_len;
2240 bytes = (uint8_t *)recv_iov[2].iov_base;
2241 bytes_offset = PTR_DIFF(bytes, hdr);
2242 }
2243 }
2244
2245 if (tevent_req_is_nterror(req, &status)) {
2246 for (i=0; i < num_expected; i++) {
2247 if (NT_STATUS_EQUAL(status, expected[i].status)) {
2248 found_status = true;
2249 break;
2250 }
2251 }
2252
2253 if (found_status) {
2254 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
2255 }
2256
2257 return status;
2258 }
2259
2260 if (num_expected == 0) {
2261 found_status = true;
2262 found_size = true;
2263 }
2264
2265 status = state->smb1.recv_status;
2266
2267 for (i=0; i < num_expected; i++) {
2268 if (!NT_STATUS_EQUAL(status, expected[i].status)) {
2269 continue;
2270 }
2271
2272 found_status = true;
2273 if (expected[i].wct == 0) {
2274 found_size = true;
2275 break;
2276 }
2277
2278 if (expected[i].wct == wct) {
2279 found_size = true;
2280 break;
2281 }
2282 }
2283
2284 if (!found_status) {
2285 return status;
2286 }
2287
2288 if (!found_size) {
2289 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2290 }
2291
2292 if (piov != NULL) {
2293 *piov = talloc_move(mem_ctx, &recv_iov);
2294 }
2295
2296 if (phdr != NULL) {
2297 *phdr = hdr;
2298 }
2299 if (pwct != NULL) {
2300 *pwct = wct;
2301 }
2302 if (pvwv != NULL) {
2303 *pvwv = vwv;
2304 }
2305 if (pvwv_offset != NULL) {
2306 *pvwv_offset = vwv_offset;
2307 }
2308 if (pnum_bytes != NULL) {
2309 *pnum_bytes = num_bytes;
2310 }
2311 if (pbytes != NULL) {
2312 *pbytes = bytes;
2313 }
2314 if (pbytes_offset != NULL) {
2315 *pbytes_offset = bytes_offset;
2316 }
2317 if (pinbuf != NULL) {
2318 *pinbuf = state->inbuf;
2319 }
2320
2321 return status;
2322 }
2323
2324 size_t smb1cli_req_wct_ofs(struct tevent_req **reqs, int num_reqs)
2325 {
2326 size_t wct_ofs;
2327 int i;
2328
2329 wct_ofs = HDR_WCT;
2330
2331 for (i=0; i<num_reqs; i++) {
2332 struct smbXcli_req_state *state;
2333 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2334 wct_ofs += smbXcli_iov_len(state->smb1.iov+2,
2335 state->smb1.iov_count-2);
2336 wct_ofs = (wct_ofs + 3) & ~3;
2337 }
2338 return wct_ofs;
2339 }
2340
2341 NTSTATUS smb1cli_req_chain_submit(struct tevent_req **reqs, int num_reqs)
2342 {
2343 struct smbXcli_req_state *first_state =
2344 tevent_req_data(reqs[0],
2345 struct smbXcli_req_state);
2346 struct smbXcli_req_state *state;
2347 size_t wct_offset;
2348 size_t chain_padding = 0;
2349 int i, iovlen;
2350 struct iovec *iov = NULL;
2351 struct iovec *this_iov;
2352 NTSTATUS status;
2353 size_t nbt_len;
2354
2355 if (num_reqs == 1) {
2356 return smb1cli_req_writev_submit(reqs[0], first_state,
2357 first_state->smb1.iov,
2358 first_state->smb1.iov_count);
2359 }
2360
2361 iovlen = 0;
2362 for (i=0; i<num_reqs; i++) {
2363 if (!tevent_req_is_in_progress(reqs[i])) {
2364 return NT_STATUS_INTERNAL_ERROR;
2365 }
2366
2367 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2368
2369 if (state->smb1.iov_count < 4) {
2370 return NT_STATUS_INVALID_PARAMETER_MIX;
2371 }
2372
2373 if (i == 0) {
2374 /*
2375 * The NBT and SMB header
2376 */
2377 iovlen += 2;
2378 } else {
2379 /*
2380 * Chain padding
2381 */
2382 iovlen += 1;
2383 }
2384
2385 /*
2386 * words and bytes
2387 */
2388 iovlen += state->smb1.iov_count - 2;
2389 }
2390
2391 iov = talloc_zero_array(first_state, struct iovec, iovlen);
2392 if (iov == NULL) {
2393 return NT_STATUS_NO_MEMORY;
2394 }
2395
2396 first_state->smb1.chained_requests = (struct tevent_req **)talloc_memdup(
2397 first_state, reqs, sizeof(*reqs) * num_reqs);
2398 if (first_state->smb1.chained_requests == NULL) {
2399 TALLOC_FREE(iov);
2400 return NT_STATUS_NO_MEMORY;
2401 }
2402
2403 wct_offset = HDR_WCT;
2404 this_iov = iov;
2405
2406 for (i=0; i<num_reqs; i++) {
2407 size_t next_padding = 0;
2408 uint16_t *vwv;
2409
2410 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2411
2412 if (i < num_reqs-1) {
2413 if (!smb1cli_is_andx_req(CVAL(state->smb1.hdr, HDR_COM))
2414 || CVAL(state->smb1.hdr, HDR_WCT) < 2) {
2415 TALLOC_FREE(iov);
2416 TALLOC_FREE(first_state->smb1.chained_requests);
2417 return NT_STATUS_INVALID_PARAMETER_MIX;
2418 }
2419 }
2420
2421 wct_offset += smbXcli_iov_len(state->smb1.iov+2,
2422 state->smb1.iov_count-2) + 1;
2423 if ((wct_offset % 4) != 0) {
2424 next_padding = 4 - (wct_offset % 4);
2425 }
2426 wct_offset += next_padding;
2427 vwv = state->smb1.vwv;
2428
2429 if (i < num_reqs-1) {
2430 struct smbXcli_req_state *next_state =
2431 tevent_req_data(reqs[i+1],
2432 struct smbXcli_req_state);
2433 SCVAL(vwv+0, 0, CVAL(next_state->smb1.hdr, HDR_COM));
2434 SCVAL(vwv+0, 1, 0);
2435 SSVAL(vwv+1, 0, wct_offset);
2436 } else if (smb1cli_is_andx_req(CVAL(state->smb1.hdr, HDR_COM))) {
2437 /* properly end the chain */
2438 SCVAL(vwv+0, 0, 0xff);
2439 SCVAL(vwv+0, 1, 0xff);
2440 SSVAL(vwv+1, 0, 0);
2441 }
2442
2443 if (i == 0) {
2444 /*
2445 * The NBT and SMB header
2446 */
2447 this_iov[0] = state->smb1.iov[0];
2448 this_iov[1] = state->smb1.iov[1];
2449 this_iov += 2;
2450 } else {
2451 /*
2452 * This one is a bit subtle. We have to add
2453 * chain_padding bytes between the requests, and we
2454 * have to also include the wct field of the
2455 * subsequent requests. We use the subsequent header
2456 * for the padding, it contains the wct field in its
2457 * last byte.
2458 */
2459 this_iov[0].iov_len = chain_padding+1;
2460 this_iov[0].iov_base = (void *)&state->smb1.hdr[
2461 sizeof(state->smb1.hdr) - this_iov[0].iov_len];
2462 memset(this_iov[0].iov_base, 0, this_iov[0].iov_len-1);
2463 this_iov += 1;
2464 }
2465
2466 /*
2467 * copy the words and bytes
2468 */
2469 memcpy(this_iov, state->smb1.iov+2,
2470 sizeof(struct iovec) * (state->smb1.iov_count-2));
2471 this_iov += state->smb1.iov_count - 2;
2472 chain_padding = next_padding;
2473 }
2474
2475 nbt_len = smbXcli_iov_len(&iov[1], iovlen-1);
2476 if (nbt_len > first_state->conn->smb1.max_xmit) {
2477 TALLOC_FREE(iov);
2478 TALLOC_FREE(first_state->smb1.chained_requests);
2479 return NT_STATUS_INVALID_PARAMETER_MIX;
2480 }
2481
2482 status = smb1cli_req_writev_submit(reqs[0], first_state, iov, iovlen);
2483 if (!NT_STATUS_IS_OK(status)) {
2484 TALLOC_FREE(iov);
2485 TALLOC_FREE(first_state->smb1.chained_requests);
2486 return status;
2487 }
2488
2489 return NT_STATUS_OK;
2490 }
2491
2492 bool smbXcli_conn_has_async_calls(struct smbXcli_conn *conn)
2493 {
2494 return ((tevent_queue_length(conn->outgoing) != 0)
2495 || (talloc_array_length(conn->pending) != 0));
2496 }
2497
2498 bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn)
2499 {
2500 if (conn->protocol >= PROTOCOL_SMB2_02) {
2501 return (smb2cli_conn_server_capabilities(conn) & SMB2_CAP_DFS);
2502 }
2503
2504 return (smb1cli_conn_capabilities(conn) & CAP_DFS);
2505 }
2506
2507 bool smb2cli_conn_req_possible(struct smbXcli_conn *conn, uint32_t *max_dyn_len)
2508 {
2509 uint16_t credits = 1;
2510
2511 if (conn->smb2.cur_credits == 0) {
2512 if (max_dyn_len != NULL) {
2513 *max_dyn_len = 0;
2514 }
2515 return false;
2516 }
2517
2518 if (conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
2519 credits = conn->smb2.cur_credits;
2520 }
2521
2522 if (max_dyn_len != NULL) {
2523 *max_dyn_len = credits * 65536;
2524 }
2525
2526 return true;
2527 }
2528
2529 uint32_t smb2cli_conn_server_capabilities(struct smbXcli_conn *conn)
2530 {
2531 return conn->smb2.server.capabilities;
2532 }
2533
2534 uint16_t smb2cli_conn_server_security_mode(struct smbXcli_conn *conn)
2535 {
2536 return conn->smb2.server.security_mode;
2537 }
2538
2539 uint32_t smb2cli_conn_max_trans_size(struct smbXcli_conn *conn)
2540 {
2541 return conn->smb2.server.max_trans_size;
2542 }
2543
2544 uint32_t smb2cli_conn_max_read_size(struct smbXcli_conn *conn)
2545 {
2546 return conn->smb2.server.max_read_size;
2547 }
2548
2549 uint32_t smb2cli_conn_max_write_size(struct smbXcli_conn *conn)
2550 {
2551 return conn->smb2.server.max_write_size;
2552 }
2553
2554 void smb2cli_conn_set_max_credits(struct smbXcli_conn *conn,
2555 uint16_t max_credits)
2556 {
2557 conn->smb2.max_credits = max_credits;
2558 }
2559
2560 static void smb2cli_req_cancel_done(struct tevent_req *subreq);
2561
2562 static bool smb2cli_req_cancel(struct tevent_req *req)
2563 {
2564 struct smbXcli_req_state *state =
2565 tevent_req_data(req,
2566 struct smbXcli_req_state);
2567 uint32_t flags = IVAL(state->smb2.hdr, SMB2_HDR_FLAGS);
2568 uint64_t mid = BVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID);
2569 uint64_t aid = BVAL(state->smb2.hdr, SMB2_HDR_ASYNC_ID);
2570 struct smbXcli_tcon *tcon = state->tcon;
2571 struct smbXcli_session *session = state->session;
2572 uint8_t *fixed = state->smb2.pad;
2573 uint16_t fixed_len = 4;
2574 struct tevent_req *subreq;
2575 struct smbXcli_req_state *substate;
2576 NTSTATUS status;
2577
2578 SSVAL(fixed, 0, 0x04);
2579 SSVAL(fixed, 2, 0);
2580
2581 subreq = smb2cli_req_create(state, state->ev,
2582 state->conn,
2583 SMB2_OP_CANCEL,
2584 flags, 0,
2585 0, /* timeout */
2586 tcon, session,
2587 fixed, fixed_len,
2588 NULL, 0, 0);
2589 if (subreq == NULL) {
2590 return false;
2591 }
2592 substate = tevent_req_data(subreq, struct smbXcli_req_state);
2593
2594 /*
2595 * clear everything but the SMB2_HDR_FLAG_ASYNC flag
2596 * e.g. if SMB2_HDR_FLAG_CHAINED is set we get INVALID_PARAMETER back
2597 */
2598 flags &= SMB2_HDR_FLAG_ASYNC;
2599
2600 if (flags & SMB2_HDR_FLAG_ASYNC) {
2601 mid = 0;
2602 }
2603
2604 SIVAL(substate->smb2.hdr, SMB2_HDR_FLAGS, flags);
2605 SBVAL(substate->smb2.hdr, SMB2_HDR_MESSAGE_ID, mid);
2606 SBVAL(substate->smb2.hdr, SMB2_HDR_ASYNC_ID, aid);
2607
2608 status = smb2cli_req_compound_submit(&subreq, 1);
2609 if (!NT_STATUS_IS_OK(status)) {
2610 TALLOC_FREE(subreq);
2611 return false;
2612 }
2613
2614 tevent_req_set_callback(subreq, smb2cli_req_cancel_done, NULL);
2615
2616 return true;
2617 }
2618
2619 static void smb2cli_req_cancel_done(struct tevent_req *subreq)
2620 {
2621 /* we do not care about the result */
2622 TALLOC_FREE(subreq);
2623 }
2624
2625 struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
2626 struct tevent_context *ev,
2627 struct smbXcli_conn *conn,
2628 uint16_t cmd,
2629 uint32_t additional_flags,
2630 uint32_t clear_flags,
2631 uint32_t timeout_msec,
2632 struct smbXcli_tcon *tcon,
2633 struct smbXcli_session *session,
2634 const uint8_t *fixed,
2635 uint16_t fixed_len,
2636 const uint8_t *dyn,
2637 uint32_t dyn_len,
2638 uint32_t max_dyn_len)
2639 {
2640 struct tevent_req *req;
2641 struct smbXcli_req_state *state;
2642 uint32_t flags = 0;
2643 uint32_t tid = 0;
2644 uint64_t uid = 0;
2645 bool use_channel_sequence = false;
2646 uint16_t channel_sequence = 0;
2647 bool use_replay_flag = false;
2648
2649 req = tevent_req_create(mem_ctx, &state,
2650 struct smbXcli_req_state);
2651 if (req == NULL) {
2652 return NULL;
2653 }
2654
2655 state->ev = ev;
2656 state->conn = conn;
2657 state->session = session;
2658 state->tcon = tcon;
2659
2660 if (conn->smb2.server.capabilities & SMB2_CAP_PERSISTENT_HANDLES) {
2661 use_channel_sequence = true;
2662 } else if (conn->smb2.server.capabilities & SMB2_CAP_MULTI_CHANNEL) {
2663 use_channel_sequence = true;
2664 }
2665
2666 if (smbXcli_conn_protocol(conn) >= PROTOCOL_SMB3_00) {
2667 use_replay_flag = true;
2668 }
2669
2670 if (session) {
2671 uid = session->smb2->session_id;
2672
2673 if (use_channel_sequence) {
2674 channel_sequence = session->smb2->channel_sequence;
2675 }
2676
2677 if (use_replay_flag && session->smb2->replay_active) {
2678 additional_flags |= SMB2_HDR_FLAG_REPLAY_OPERATION;
2679 }
2680
2681 state->smb2.should_sign = session->smb2->should_sign;
2682 state->smb2.should_encrypt = session->smb2->should_encrypt;
2683
2684 if (cmd == SMB2_OP_SESSSETUP &&
2685 session->smb2->signing_key.length != 0) {
2686 state->smb2.should_sign = true;
2687 }
2688
2689 if (cmd == SMB2_OP_SESSSETUP &&
2690 session->smb2_channel.signing_key.length == 0) {
2691 state->smb2.should_encrypt = false;
2692 }
2693
2694 if (additional_flags & SMB2_HDR_FLAG_SIGNED) {
2695 if (session->smb2_channel.signing_key.length == 0) {
2696 tevent_req_nterror(req, NT_STATUS_NO_USER_SESSION_KEY);
2697 return req;
2698 }
2699
2700 additional_flags &= ~SMB2_HDR_FLAG_SIGNED;
2701 state->smb2.should_sign = true;
2702 }
2703 }
2704
2705 if (tcon) {
2706 tid = tcon->smb2.tcon_id;
2707
2708 if (tcon->smb2.should_sign) {
2709 state->smb2.should_sign = true;
2710 }
2711 if (tcon->smb2.should_encrypt) {
2712 state->smb2.should_encrypt = true;
2713 }
2714 }
2715
2716 if (state->smb2.should_encrypt) {
2717 state->smb2.should_sign = false;
2718 }
2719
2720 state->smb2.recv_iov = talloc_zero_array(state, struct iovec, 3);
2721 if (state->smb2.recv_iov == NULL) {
2722 TALLOC_FREE(req);
2723 return NULL;
2724 }
2725
2726 flags |= additional_flags;
2727 flags &= ~clear_flags;
2728
2729 state->smb2.fixed = fixed;
2730 state->smb2.fixed_len = fixed_len;
2731 state->smb2.dyn = dyn;
2732 state->smb2.dyn_len = dyn_len;
2733 state->smb2.max_dyn_len = max_dyn_len;
2734
2735 if (state->smb2.should_encrypt) {
2736 SIVAL(state->smb2.transform, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
2737 SBVAL(state->smb2.transform, SMB2_TF_SESSION_ID, uid);
2738 }
2739
2740 SIVAL(state->smb2.hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
2741 SSVAL(state->smb2.hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
2742 SSVAL(state->smb2.hdr, SMB2_HDR_OPCODE, cmd);
2743 SSVAL(state->smb2.hdr, SMB2_HDR_CHANNEL_SEQUENCE, channel_sequence);
2744 SIVAL(state->smb2.hdr, SMB2_HDR_FLAGS, flags);
2745 SIVAL(state->smb2.hdr, SMB2_HDR_PID, 0); /* reserved */
2746 SIVAL(state->smb2.hdr, SMB2_HDR_TID, tid);
2747 SBVAL(state->smb2.hdr, SMB2_HDR_SESSION_ID, uid);
2748
2749 switch (cmd) {
2750 case SMB2_OP_CANCEL:
2751 state->one_way = true;
2752 break;
2753 case SMB2_OP_BREAK:
2754 /*
2755 * If this is a dummy request, it will have
2756 * UINT64_MAX as message id.
2757 * If we send on break acknowledgement,
2758 * this gets overwritten later.
2759 */
2760 SBVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID, UINT64_MAX);
2761 break;
2762 }
2763
2764 if (timeout_msec > 0) {
2765 struct timeval endtime;
2766
2767 endtime = timeval_current_ofs_msec(timeout_msec);
2768 if (!tevent_req_set_endtime(req, ev, endtime)) {
2769 return req;
2770 }
2771 }
2772
2773 return req;
2774 }
2775
2776 void smb2cli_req_set_notify_async(struct tevent_req *req)
2777 {
2778 struct smbXcli_req_state *state =
2779 tevent_req_data(req,
2780 struct smbXcli_req_state);
2781
2782 state->smb2.notify_async = true;
2783 }
2784
2785 static void smb2cli_req_writev_done(struct tevent_req *subreq);
2786 static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
2787 TALLOC_CTX *tmp_mem,
2788 uint8_t *inbuf);
2789
2790 NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs,
2791 int num_reqs)
2792 {
2793 struct smbXcli_req_state *state;
2794 struct tevent_req *subreq;
2795 struct iovec *iov;
2796 int i, num_iov, nbt_len;
2797 int tf_iov = -1;
2798 const DATA_BLOB *encryption_key = NULL;
2799 uint64_t encryption_session_id = 0;
2800
2801 /*
2802 * 1 for the nbt length, optional TRANSFORM
2803 * per request: HDR, fixed, dyn, padding
2804 * -1 because the last one does not need padding
2805 */
2806
2807 iov = talloc_array(reqs[0], struct iovec, 1 + 1 + 4*num_reqs - 1);
2808 if (iov == NULL) {
2809 return NT_STATUS_NO_MEMORY;
2810 }
2811
2812 num_iov = 1;
2813 nbt_len = 0;
2814
2815 /*
2816 * the session of the first request that requires encryption
2817 * specifies the encryption key.
2818 */
2819 for (i=0; i<num_reqs; i++) {
2820 if (!tevent_req_is_in_progress(reqs[i])) {
2821 return NT_STATUS_INTERNAL_ERROR;
2822 }
2823
2824 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2825
2826 if (!smbXcli_conn_is_connected(state->conn)) {
2827 return NT_STATUS_CONNECTION_DISCONNECTED;
2828 }
2829
2830 if ((state->conn->protocol != PROTOCOL_NONE) &&
2831 (state->conn->protocol < PROTOCOL_SMB2_02)) {
2832 return NT_STATUS_REVISION_MISMATCH;
2833 }
2834
2835 if (state->session == NULL) {
2836 continue;
2837 }
2838
2839 if (!state->smb2.should_encrypt) {
2840 continue;
2841 }
2842
2843 encryption_key = &state->session->smb2->encryption_key;
2844 if (encryption_key->length == 0) {
2845 return NT_STATUS_INVALID_PARAMETER_MIX;
2846 }
2847
2848 encryption_session_id = state->session->smb2->session_id;
2849
2850 tf_iov = num_iov;
2851 iov[num_iov].iov_base = state->smb2.transform;
2852 iov[num_iov].iov_len = sizeof(state->smb2.transform);
2853 num_iov += 1;
2854
2855 SBVAL(state->smb2.transform, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
2856 SBVAL(state->smb2.transform, SMB2_TF_NONCE,
2857 state->session->smb2->nonce_low);
2858 SBVAL(state->smb2.transform, SMB2_TF_NONCE+8,
2859 state->session->smb2->nonce_high);
2860 SBVAL(state->smb2.transform, SMB2_TF_SESSION_ID,
2861 encryption_session_id);
2862
2863 state->session->smb2->nonce_low += 1;
2864 if (state->session->smb2->nonce_low == 0) {
2865 state->session->smb2->nonce_high += 1;
2866 state->session->smb2->nonce_low += 1;
2867 }
2868
2869 nbt_len += SMB2_TF_HDR_SIZE;
2870 break;
2871 }
2872
2873 for (i=0; i<num_reqs; i++) {
2874 int hdr_iov;
2875 size_t reqlen;
2876 bool ret;
2877 uint16_t opcode;
2878 uint64_t avail;
2879 uint16_t charge;
2880 uint16_t credits;
2881 uint64_t mid;
2882 const DATA_BLOB *signing_key = NULL;
2883
2884 if (!tevent_req_is_in_progress(reqs[i])) {
2885 return NT_STATUS_INTERNAL_ERROR;
2886 }
2887
2888 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2889
2890 if (!smbXcli_conn_is_connected(state->conn)) {
2891 return NT_STATUS_CONNECTION_DISCONNECTED;
2892 }
2893
2894 if ((state->conn->protocol != PROTOCOL_NONE) &&
2895 (state->conn->protocol < PROTOCOL_SMB2_02)) {
2896 return NT_STATUS_REVISION_MISMATCH;
2897 }
2898
2899 opcode = SVAL(state->smb2.hdr, SMB2_HDR_OPCODE);
2900 if (opcode == SMB2_OP_CANCEL) {
2901 goto skip_credits;
2902 }
2903
2904 avail = UINT64_MAX - state->conn->smb2.mid;
2905 if (avail < 1) {
2906 return NT_STATUS_CONNECTION_ABORTED;
2907 }
2908
2909 if (state->conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
2910 uint32_t max_dyn_len = 1;
2911
2912 max_dyn_len = MAX(max_dyn_len, state->smb2.dyn_len);
2913 max_dyn_len = MAX(max_dyn_len, state->smb2.max_dyn_len);
2914
2915 charge = (max_dyn_len - 1)/ 65536 + 1;
2916 } else {
2917 charge = 1;
2918 }
2919
2920 charge = MAX(state->smb2.credit_charge, charge);
2921
2922 avail = MIN(avail, state->conn->smb2.cur_credits);
2923 if (avail < charge) {
2924 return NT_STATUS_INTERNAL_ERROR;
2925 }
2926
2927 credits = 0;
2928 if (state->conn->smb2.max_credits > state->conn->smb2.cur_credits) {
2929 credits = state->conn->smb2.max_credits -
2930 state->conn->smb2.cur_credits;
2931 }
2932 if (state->conn->smb2.max_credits >= state->conn->smb2.cur_credits) {
2933 credits += 1;
2934 }
2935
2936 mid = state->conn->smb2.mid;
2937 state->conn->smb2.mid += charge;
2938 state->conn->smb2.cur_credits -= charge;
2939
2940 if (state->conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
2941 SSVAL(state->smb2.hdr, SMB2_HDR_CREDIT_CHARGE, charge);
2942 }
2943 SSVAL(state->smb2.hdr, SMB2_HDR_CREDIT, credits);
2944 SBVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID, mid);
2945
2946 skip_credits:
2947 if (state->session && encryption_key == NULL) {
2948 /*
2949 * We prefer the channel signing key if it is
2950 * already there.
2951 */
2952 if (state->smb2.should_sign) {
2953 signing_key = &state->session->smb2_channel.signing_key;
2954 }
2955
2956 /*
2957 * If it is a channel binding, we already have the main
2958 * signing key and try that one.
2959 */
2960 if (signing_key && signing_key->length == 0) {
2961 signing_key = &state->session->smb2->signing_key;
2962 }
2963
2964 /*
2965 * If we do not have any session key yet, we skip the
2966 * signing of SMB2_OP_SESSSETUP requests.
2967 */
2968 if (signing_key && signing_key->length == 0) {
2969 signing_key = NULL;
2970 }
2971 }
2972
2973 hdr_iov = num_iov;
2974 iov[num_iov].iov_base = state->smb2.hdr;
2975 iov[num_iov].iov_len = sizeof(state->smb2.hdr);
2976 num_iov += 1;
2977
2978 iov[num_iov].iov_base = discard_const(state->smb2.fixed);
2979 iov[num_iov].iov_len = state->smb2.fixed_len;
2980 num_iov += 1;
2981
2982 if (state->smb2.dyn != NULL) {
2983 iov[num_iov].iov_base = discard_const(state->smb2.dyn);
2984 iov[num_iov].iov_len = state->smb2.dyn_len;
2985 num_iov += 1;
2986 }
2987
2988 reqlen = sizeof(state->smb2.hdr);
2989 reqlen += state->smb2.fixed_len;
2990 reqlen += state->smb2.dyn_len;
2991
2992 if (i < num_reqs-1) {
2993 if ((reqlen % 8) > 0) {
2994 uint8_t pad = 8 - (reqlen % 8);
2995 iov[num_iov].iov_base = state->smb2.pad;
2996 iov[num_iov].iov_len = pad;
2997 num_iov += 1;
2998 reqlen += pad;
2999 }
3000 SIVAL(state->smb2.hdr, SMB2_HDR_NEXT_COMMAND, reqlen);
3001 }
3002
3003 state->smb2.encryption_session_id = encryption_session_id;
3004
3005 if (signing_key != NULL) {
3006 NTSTATUS status;
3007
3008 status = smb2_signing_sign_pdu(*signing_key,
3009 state->session->conn->protocol,
3010 &iov[hdr_iov], num_iov - hdr_iov);
3011 if (!NT_STATUS_IS_OK(status)) {
3012 return status;
3013 }
3014 }
3015
3016 nbt_len += reqlen;
3017
3018 ret = smbXcli_req_set_pending(reqs[i]);
3019 if (!ret) {
3020 return NT_STATUS_NO_MEMORY;
3021 }
3022 }
3023
3024 state = tevent_req_data(reqs[0], struct smbXcli_req_state);
3025 _smb_setlen_tcp(state->length_hdr, nbt_len);
3026 iov[0].iov_base = state->length_hdr;
3027 iov[0].iov_len = sizeof(state->length_hdr);
3028
3029 if (encryption_key != NULL) {
3030 NTSTATUS status;
3031 size_t buflen = nbt_len - SMB2_TF_HDR_SIZE;
3032 uint8_t *buf;
3033 int vi;
3034
3035 buf = talloc_array(iov, uint8_t, buflen);
3036 if (buf == NULL) {
3037 return NT_STATUS_NO_MEMORY;
3038 }
3039
3040 /*
3041 * We copy the buffers before encrypting them,
3042 * this is at least currently needed for the
3043 * to keep state->smb2.hdr.
3044 *
3045 * Also the callers may expect there buffers
3046 * to be const.
3047 */
3048 for (vi = tf_iov + 1; vi < num_iov; vi++) {
3049 struct iovec *v = &iov[vi];
3050 const uint8_t *o = (const uint8_t *)v->iov_base;
3051
3052 memcpy(buf, o, v->iov_len);
3053 v->iov_base = (void *)buf;
3054 buf += v->iov_len;
3055 }
3056
3057 status = smb2_signing_encrypt_pdu(*encryption_key,
3058 state->conn->smb2.server.cipher,
3059 &iov[tf_iov], num_iov - tf_iov);
3060 if (!NT_STATUS_IS_OK(status)) {
3061 return status;
3062 }
3063 }
3064
3065 if (state->conn->dispatch_incoming == NULL) {
3066 state->conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
3067 }
3068
3069 subreq = writev_send(state, state->ev, state->conn->outgoing,
3070 state->conn->write_fd, false, iov, num_iov);
3071 if (subreq == NULL) {
3072 return NT_STATUS_NO_MEMORY;
3073 }
3074 tevent_req_set_callback(subreq, smb2cli_req_writev_done, reqs[0]);
3075 return NT_STATUS_OK;
3076 }
3077
3078 void smb2cli_req_set_credit_charge(struct tevent_req *req, uint16_t charge)
3079 {
3080 struct smbXcli_req_state *state =
3081 tevent_req_data(req,
3082 struct smbXcli_req_state);
3083
3084 state->smb2.credit_charge = charge;
3085 }
3086
3087 struct tevent_req *smb2cli_req_send(TALLOC_CTX *mem_ctx,
3088 struct tevent_context *ev,
3089 struct smbXcli_conn *conn,
3090 uint16_t cmd,
3091 uint32_t additional_flags,
3092 uint32_t clear_flags,
3093 uint32_t timeout_msec,
3094 struct smbXcli_tcon *tcon,
3095 struct smbXcli_session *session,
3096 const uint8_t *fixed,
3097 uint16_t fixed_len,
3098 const uint8_t *dyn,
3099 uint32_t dyn_len,
3100 uint32_t max_dyn_len)
3101 {
3102 struct tevent_req *req;
3103 NTSTATUS status;
3104
3105 req = smb2cli_req_create(mem_ctx, ev, conn, cmd,
3106 additional_flags, clear_flags,
3107 timeout_msec,
3108 tcon, session,
3109 fixed, fixed_len,
3110 dyn, dyn_len,
3111 max_dyn_len);
3112 if (req == NULL) {
3113 return NULL;
3114 }
3115 if (!tevent_req_is_in_progress(req)) {
3116 return tevent_req_post(req, ev);
3117 }
3118 status = smb2cli_req_compound_submit(&req, 1);
3119 if (tevent_req_nterror(req, status)) {
3120 return tevent_req_post(req, ev);
3121 }
3122 return req;
3123 }
3124
3125 static void smb2cli_req_writev_done(struct tevent_req *subreq)
3126 {
3127 struct tevent_req *req =
3128 tevent_req_callback_data(subreq,
3129 struct tevent_req);
3130 struct smbXcli_req_state *state =
3131 tevent_req_data(req,
3132 struct smbXcli_req_state);
3133 ssize_t nwritten;
3134 int err;
3135
3136 nwritten = writev_recv(subreq, &err);
3137 TALLOC_FREE(subreq);
3138 if (nwritten == -1) {
3139 /* here, we need to notify all pending requests */
3140 NTSTATUS status = map_nt_error_from_unix_common(err);
3141 smbXcli_conn_disconnect(state->conn, status);
3142 return;
3143 }
3144 }
3145
3146 static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
3147 uint8_t *buf,
3148 size_t buflen,
3149 TALLOC_CTX *mem_ctx,
3150 struct iovec **piov, int *pnum_iov)
3151 {
3152 struct iovec *iov;
3153 int num_iov = 0;
3154 size_t taken = 0;
3155 uint8_t *first_hdr = buf;
3156 size_t verified_buflen = 0;
3157 uint8_t *tf = NULL;
3158 size_t tf_len = 0;
3159
3160 iov = talloc_array(mem_ctx, struct iovec, num_iov);
3161 if (iov == NULL) {
3162 return NT_STATUS_NO_MEMORY;
3163 }
3164
3165 while (taken < buflen) {
3166 size_t len = buflen - taken;
3167 uint8_t *hdr = first_hdr + taken;
3168 struct iovec *cur;
3169 size_t full_size;
3170 size_t next_command_ofs;
3171 uint16_t body_size;
3172 struct iovec *iov_tmp;
3173
3174 if (verified_buflen > taken) {
3175 len = verified_buflen - taken;
3176 } else {
3177 tf = NULL;
3178 tf_len = 0;
3179 }
3180
3181 if (len < 4) {
3182 DEBUG(10, ("%d bytes left, expected at least %d\n",
3183 (int)len, 4));
3184 goto inval;
3185 }
3186 if (IVAL(hdr, 0) == SMB2_TF_MAGIC) {
3187 struct smbXcli_session *s;
3188 uint64_t uid;
3189 struct iovec tf_iov[2];
3190 size_t enc_len;
3191 NTSTATUS status;
3192
3193 if (len < SMB2_TF_HDR_SIZE) {
3194 DEBUG(10, ("%d bytes left, expected at least %d\n",
3195 (int)len, SMB2_TF_HDR_SIZE));
3196 goto inval;
3197 }
3198 tf = hdr;
3199 tf_len = SMB2_TF_HDR_SIZE;
3200 taken += tf_len;
3201
3202 hdr = first_hdr + taken;
3203 enc_len = IVAL(tf, SMB2_TF_MSG_SIZE);
3204 uid = BVAL(tf, SMB2_TF_SESSION_ID);
3205
3206 if (len < SMB2_TF_HDR_SIZE + enc_len) {
3207 DEBUG(10, ("%d bytes left, expected at least %d\n",
3208 (int)len,
3209 (int)(SMB2_TF_HDR_SIZE + enc_len)));
3210 goto inval;
3211 }
3212
3213 s = conn->sessions;
3214 for (; s; s = s->next) {
3215 if (s->smb2->session_id != uid) {
3216 continue;
3217 }
3218 break;
3219 }
3220
3221 if (s == NULL) {
3222 DEBUG(10, ("unknown session_id %llu\n",
3223 (unsigned long long)uid));
3224 goto inval;
3225 }
3226
3227 tf_iov[0].iov_base = (void *)tf;
3228 tf_iov[0].iov_len = tf_len;
3229 tf_iov[1].iov_base = (void *)hdr;
3230 tf_iov[1].iov_len = enc_len;
3231
3232 status = smb2_signing_decrypt_pdu(s->smb2->decryption_key,
3233 conn->smb2.server.cipher,
3234 tf_iov, 2);
3235 if (!NT_STATUS_IS_OK(status)) {
3236 TALLOC_FREE(iov);
3237 return status;
3238 }
3239
3240 verified_buflen = taken + enc_len;
3241 len = enc_len;
3242 }
3243
3244 /*
3245 * We need the header plus the body length field
3246 */
3247
3248 if (len < SMB2_HDR_BODY + 2) {
3249 DEBUG(10, ("%d bytes left, expected at least %d\n",
3250 (int)len, SMB2_HDR_BODY));
3251 goto inval;
3252 }
3253 if (IVAL(hdr, 0) != SMB2_MAGIC) {
3254 DEBUG(10, ("Got non-SMB2 PDU: %x\n",
3255 IVAL(hdr, 0)));
3256 goto inval;
3257 }
3258 if (SVAL(hdr, 4) != SMB2_HDR_BODY) {
3259 DEBUG(10, ("Got HDR len %d, expected %d\n",
3260 SVAL(hdr, 4), SMB2_HDR_BODY));
3261 goto inval;
3262 }
3263
3264 full_size = len;
3265 next_command_ofs = IVAL(hdr, SMB2_HDR_NEXT_COMMAND);
3266 body_size = SVAL(hdr, SMB2_HDR_BODY);
3267
3268 if (next_command_ofs != 0) {
3269 if (next_command_ofs < (SMB2_HDR_BODY + 2)) {
3270 goto inval;
3271 }
3272 if (next_command_ofs > full_size) {
3273 goto inval;
3274 }
3275 full_size = next_command_ofs;
3276 }
3277 if (body_size < 2) {
3278 goto inval;
3279 }
3280 body_size &= 0xfffe;
3281
3282 if (body_size > (full_size - SMB2_HDR_BODY)) {
3283 goto inval;
3284 }
3285
3286 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
3287 num_iov + 4);
3288 if (iov_tmp == NULL) {
3289 TALLOC_FREE(iov);
3290 return NT_STATUS_NO_MEMORY;
3291 }
3292 iov = iov_tmp;
3293 cur = &iov[num_iov];
3294 num_iov += 4;
3295
3296 cur[0].iov_base = tf;
3297 cur[0].iov_len = tf_len;
3298 cur[1].iov_base = hdr;
3299 cur[1].iov_len = SMB2_HDR_BODY;
3300 cur[2].iov_base = hdr + SMB2_HDR_BODY;
3301 cur[2].iov_len = body_size;
3302 cur[3].iov_base = hdr + SMB2_HDR_BODY + body_size;
3303 cur[3].iov_len = full_size - (SMB2_HDR_BODY + body_size);
3304
3305 taken += full_size;
3306 }
3307
3308 *piov = iov;
3309 *pnum_iov = num_iov;
3310 return NT_STATUS_OK;
3311
3312 inval:
3313 TALLOC_FREE(iov);
3314 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3315 }
3316
3317 static struct tevent_req *smb2cli_conn_find_pending(struct smbXcli_conn *conn,
3318 uint64_t mid)
3319 {
3320 size_t num_pending = talloc_array_length(conn->pending);
3321 size_t i;
3322
3323 for (i=0; i<num_pending; i++) {
3324 struct tevent_req *req = conn->pending[i];
3325 struct smbXcli_req_state *state =
3326 tevent_req_data(req,
3327 struct smbXcli_req_state);
3328
3329 if (mid == BVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID)) {
3330 return req;
3331 }
3332 }
3333 return NULL;
3334 }
3335
3336 static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
3337 TALLOC_CTX *tmp_mem,
3338 uint8_t *inbuf)
3339 {
3340 struct tevent_req *req;
3341 struct smbXcli_req_state *state = NULL;
3342 struct iovec *iov;
3343 int i, num_iov;
3344 NTSTATUS status;
3345 bool defer = true;
3346 struct smbXcli_session *last_session = NULL;
3347 size_t inbuf_len = smb_len_tcp(inbuf);
3348
3349 status = smb2cli_inbuf_parse_compound(conn,
3350 inbuf + NBT_HDR_SIZE,
3351 inbuf_len,
3352 tmp_mem,
3353 &iov, &num_iov);
3354 if (!NT_STATUS_IS_OK(status)) {
3355 return status;
3356 }
3357
3358 for (i=0; i<num_iov; i+=4) {
3359 uint8_t *inbuf_ref = NULL;
3360 struct iovec *cur = &iov[i];
3361 uint8_t *inhdr = (uint8_t *)cur[1].iov_base;
3362 uint16_t opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
3363 uint32_t flags = IVAL(inhdr, SMB2_HDR_FLAGS);
3364 uint64_t mid = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
3365 uint16_t req_opcode;
3366 uint32_t req_flags;
3367 uint16_t credits = SVAL(inhdr, SMB2_HDR_CREDIT);
3368 uint32_t new_credits;
3369 struct smbXcli_session *session = NULL;
3370 const DATA_BLOB *signing_key = NULL;
3371 bool was_encrypted = false;
3372
3373 new_credits = conn->smb2.cur_credits;
3374 new_credits += credits;
3375 if (new_credits > UINT16_MAX) {
3376 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3377 }
3378 conn->smb2.cur_credits += credits;
3379
3380 req = smb2cli_conn_find_pending(conn, mid);
3381 if (req == NULL) {
3382 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3383 }
3384 state = tevent_req_data(req, struct smbXcli_req_state);
3385
3386 req_opcode = SVAL(state->smb2.hdr, SMB2_HDR_OPCODE);
3387 if (opcode != req_opcode) {
3388 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3389 }
3390 req_flags = SVAL(state->smb2.hdr, SMB2_HDR_FLAGS);
3391
3392 if (!(flags & SMB2_HDR_FLAG_REDIRECT)) {
3393 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3394 }
3395
3396 status = NT_STATUS(IVAL(inhdr, SMB2_HDR_STATUS));
3397 if ((flags & SMB2_HDR_FLAG_ASYNC) &&
3398 NT_STATUS_EQUAL(status, STATUS_PENDING)) {
3399 uint64_t async_id = BVAL(inhdr, SMB2_HDR_ASYNC_ID);
3400
3401 if (state->smb2.got_async) {
3402 /* We only expect one STATUS_PENDING response */
3403 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3404 }
3405 state->smb2.got_async = true;
3406
3407 /*
3408 * async interim responses are not signed,
3409 * even if the SMB2_HDR_FLAG_SIGNED flag
3410 * is set.
3411 */
3412 req_flags |= SMB2_HDR_FLAG_ASYNC;
3413 SBVAL(state->smb2.hdr, SMB2_HDR_FLAGS, req_flags);
3414 SBVAL(state->smb2.hdr, SMB2_HDR_ASYNC_ID, async_id);
3415
3416 if (state->smb2.notify_async) {
3417 tevent_req_defer_callback(req, state->ev);
3418 tevent_req_notify_callback(req);
3419 }
3420 continue;
3421 }
3422
3423 session = state->session;
3424 if (req_flags & SMB2_HDR_FLAG_CHAINED) {
3425 session = last_session;
3426 }
3427 last_session = session;
3428
3429 if (state->smb2.should_sign) {
3430 if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
3431 return NT_STATUS_ACCESS_DENIED;
3432 }
3433 }
3434
3435 if (flags & SMB2_HDR_FLAG_SIGNED) {
3436 uint64_t uid = BVAL(inhdr, SMB2_HDR_SESSION_ID);
3437
3438 if (session == NULL) {
3439 struct smbXcli_session *s;
3440
3441 s = state->conn->sessions;
3442 for (; s; s = s->next) {
3443 if (s->smb2->session_id != uid) {
3444 continue;
3445 }
3446
3447 session = s;
3448 break;
3449 }
3450 }
3451
3452 if (session == NULL) {
3453 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3454 }
3455
3456 last_session = session;
3457 signing_key = &session->smb2_channel.signing_key;
3458 }
3459
3460 if (opcode == SMB2_OP_SESSSETUP) {
3461 /*
3462 * We prefer the channel signing key, if it is
3463 * already there.
3464 *
3465 * If we do not have a channel signing key yet,
3466 * we try the main signing key, if it is not
3467 * the final response.
3468 */
3469 if (signing_key && signing_key->length == 0 &&
3470 !NT_STATUS_IS_OK(status)) {
3471 signing_key = &session->smb2->signing_key;
3472 }
3473
3474 if (signing_key && signing_key->length == 0) {
3475 /*
3476 * If we do not have a session key to
3477 * verify the signature, we defer the
3478 * signing check to the caller.
3479 *
3480 * The caller gets NT_STATUS_OK, it
3481 * has to call
3482 * smb2cli_session_set_session_key()
3483 * or
3484 * smb2cli_session_set_channel_key()
3485 * which will check the signature
3486 * with the channel signing key.
3487 */
3488 signing_key = NULL;
3489 }
3490 }
3491
3492 if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
3493 const uint8_t *tf = (const uint8_t *)cur[0].iov_base;
3494 uint64_t uid = BVAL(tf, SMB2_TF_SESSION_ID);
3495
3496 /*
3497 * If the response was encrypted in a SMB2_TRANSFORM
3498 * pdu, which belongs to the correct session,
3499 * we do not need to do signing checks
3500 *
3501 * It could be the session the response belongs to
3502 * or the session that was used to encrypt the
3503 * SMB2_TRANSFORM request.
3504 */
3505 if ((session && session->smb2->session_id == uid) ||
3506 (state->smb2.encryption_session_id == uid)) {
3507 signing_key = NULL;
3508 was_encrypted = true;
3509 }
3510 }
3511
3512 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
3513 /*
3514 * if the server returns NT_STATUS_USER_SESSION_DELETED
3515 * the response is not signed and we should
3516 * propagate the NT_STATUS_USER_SESSION_DELETED
3517 * status to the caller.
3518 */
3519 state->smb2.signing_skipped = true;
3520 signing_key = NULL;
3521 }
3522
3523 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
3524 /*
3525 * if the server returns
3526 * NT_STATUS_INVALID_PARAMETER
3527 * the response might not be encrypted.
3528 */
3529 if (state->smb2.should_encrypt && !was_encrypted) {
3530 state->smb2.signing_skipped = true;
3531 signing_key = NULL;
3532 }
3533 }
3534
3535 if (state->smb2.should_encrypt && !was_encrypted) {
3536 if (!state->smb2.signing_skipped) {
3537 return NT_STATUS_ACCESS_DENIED;
3538 }
3539 }
3540
3541 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED) ||
3542 NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED) ||
3543 NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
3544 /*
3545 * if the server returns
3546 * NT_STATUS_NETWORK_NAME_DELETED
3547 * NT_STATUS_FILE_CLOSED
3548 * NT_STATUS_INVALID_PARAMETER
3549 * the response might not be signed
3550 * as this happens before the signing checks.
3551 *
3552 * If server echos the signature (or all zeros)
3553 * we should report the status from the server
3554 * to the caller.
3555 */
3556 if (signing_key) {
3557 int cmp;
3558
3559 cmp = memcmp(inhdr+SMB2_HDR_SIGNATURE,
3560 state->smb2.hdr+SMB2_HDR_SIGNATURE,
3561 16);
3562 if (cmp == 0) {
3563 state->smb2.signing_skipped = true;
3564 signing_key = NULL;
3565 }
3566 }
3567 if (signing_key) {
3568 int cmp;
3569 static const uint8_t zeros[16];
3570
3571 cmp = memcmp(inhdr+SMB2_HDR_SIGNATURE,
3572 zeros,
3573 16);
3574 if (cmp == 0) {
3575 state->smb2.signing_skipped = true;
3576 signing_key = NULL;
3577 }
3578 }
3579 }
3580
3581 if (signing_key) {
3582 status = smb2_signing_check_pdu(*signing_key,
3583 state->conn->protocol,
3584 &cur[1], 3);
3585 if (!NT_STATUS_IS_OK(status)) {
3586 /*
3587 * If the signing check fails, we disconnect
3588 * the connection.
3589 */
3590 return status;
3591 }
3592 }
3593
3594 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
3595 (session != NULL) && session->disconnect_expired)
3596 {
3597 /*
3598 * this should be a short term hack
3599 * until the upper layers have implemented
3600 * re-authentication.
3601 */
3602 return status;
3603 }
3604
3605 smbXcli_req_unset_pending(req);
3606
3607 /*
3608 * There might be more than one response
3609 * we need to defer the notifications
3610 */
3611 if ((num_iov == 5) && (talloc_array_length(conn->pending) == 0)) {
3612 defer = false;
3613 }
3614
3615 if (defer) {
3616 tevent_req_defer_callback(req, state->ev);
3617 }
3618
3619 /*
3620 * Note: here we use talloc_reference() in a way
3621 * that does not expose it to the caller.
3622 */
3623 inbuf_ref = talloc_reference(state->smb2.recv_iov, inbuf);
3624 if (tevent_req_nomem(inbuf_ref, req)) {
3625 continue;
3626 }
3627
3628 /* copy the related buffers */
3629 state->smb2.recv_iov[0] = cur[1];
3630 state->smb2.recv_iov[1] = cur[2];
3631 state->smb2.recv_iov[2] = cur[3];
3632
3633 tevent_req_done(req);
3634 }
3635
3636 if (defer) {
3637 return NT_STATUS_RETRY;
3638 }
3639
3640 return NT_STATUS_OK;
3641 }
3642
3643 NTSTATUS smb2cli_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
3644 struct iovec **piov,
3645 const struct smb2cli_req_expected_response *expected,
3646 size_t num_expected)
3647 {
3648 struct smbXcli_req_state *state =
3649 tevent_req_data(req,
3650 struct smbXcli_req_state);
3651 NTSTATUS status;
3652 size_t body_size;
3653 bool found_status = false;
3654 bool found_size = false;
3655 size_t i;
3656
3657 if (piov != NULL) {
3658 *piov = NULL;
3659 }
3660
3661 if (tevent_req_is_in_progress(req) && state->smb2.got_async) {
3662 return STATUS_PENDING;
3663 }
3664
3665 if (tevent_req_is_nterror(req, &status)) {
3666 for (i=0; i < num_expected; i++) {
3667 if (NT_STATUS_EQUAL(status, expected[i].status)) {
3668 found_status = true;
3669 break;
3670 }
3671 }
3672
3673 if (found_status) {
3674 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
3675 }
3676
3677 return status;
3678 }
3679
3680 if (num_expected == 0) {
3681 found_status = true;
3682 found_size = true;
3683 }
3684
3685 status = NT_STATUS(IVAL(state->smb2.recv_iov[0].iov_base, SMB2_HDR_STATUS));
3686 body_size = SVAL(state->smb2.recv_iov[1].iov_base, 0);
3687
3688 for (i=0; i < num_expected; i++) {
3689 if (!NT_STATUS_EQUAL(status, expected[i].status)) {
3690 continue;
3691 }
3692
3693 found_status = true;
3694 if (expected[i].body_size == 0) {
3695 found_size = true;
3696 break;
3697 }
3698
3699 if (expected[i].body_size == body_size) {
3700 found_size = true;
3701 break;
3702 }
3703 }
3704
3705 if (!found_status) {
3706 return status;
3707 }
3708
3709 if (state->smb2.signing_skipped) {
3710 if (num_expected > 0) {
3711 return NT_STATUS_ACCESS_DENIED;
3712 }
3713 if (!NT_STATUS_IS_ERR(status)) {
3714 return NT_STATUS_ACCESS_DENIED;
3715 }
3716 }
3717
3718 if (!found_size) {
3719 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3720 }
3721
3722 if (piov != NULL) {
3723 *piov = talloc_move(mem_ctx, &state->smb2.recv_iov);
3724 }
3725
3726 return status;
3727 }
3728
3729 NTSTATUS smb2cli_req_get_sent_iov(struct tevent_req *req,
3730 struct iovec *sent_iov)
3731 {
3732 struct smbXcli_req_state *state =
3733 tevent_req_data(req,
3734 struct smbXcli_req_state);
3735
3736 if (tevent_req_is_in_progress(req)) {
3737 return STATUS_PENDING;
3738 }
3739
3740 sent_iov[0].iov_base = state->smb2.hdr;
3741 sent_iov[0].iov_len = sizeof(state->smb2.hdr);
3742
3743 sent_iov[1].iov_base = discard_const(state->smb2.fixed);
3744 sent_iov[1].iov_len = state->smb2.fixed_len;
3745
3746 if (state->smb2.dyn != NULL) {
3747 sent_iov[2].iov_base = discard_const(state->smb2.dyn);
3748 sent_iov[2].iov_len = state->smb2.dyn_len;
3749 } else {
3750 sent_iov[2].iov_base = NULL;
3751 sent_iov[2].iov_len = 0;
3752 }
3753
3754 return NT_STATUS_OK;
3755 }
3756
3757 static const struct {
3758 enum protocol_types proto;
3759 const char *smb1_name;
3760 } smb1cli_prots[] = {
3761 {PROTOCOL_CORE, "PC NETWORK PROGRAM 1.0"},
3762 {PROTOCOL_COREPLUS, "MICROSOFT NETWORKS 1.03"},
3763 {PROTOCOL_LANMAN1, "MICROSOFT NETWORKS 3.0"},
3764 {PROTOCOL_LANMAN1, "LANMAN1.0"},
3765 {PROTOCOL_LANMAN2, "LM1.2X002"},
3766 {PROTOCOL_LANMAN2, "DOS LANMAN2.1"},
3767 {PROTOCOL_LANMAN2, "LANMAN2.1"},
3768 {PROTOCOL_LANMAN2, "Samba"},
3769 {PROTOCOL_NT1, "NT LANMAN 1.0"},
3770 {PROTOCOL_NT1, "NT LM 0.12"},
3771 {PROTOCOL_SMB2_02, "SMB 2.002"},
3772 {PROTOCOL_SMB2_10, "SMB 2.???"},
3773 };
3774
3775 static const struct {
3776 enum protocol_types proto;
3777 uint16_t smb2_dialect;
3778 } smb2cli_prots[] = {
3779 {PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202},
3780 {PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210},
3781 {PROTOCOL_SMB2_22, SMB2_DIALECT_REVISION_222},
3782 {PROTOCOL_SMB2_24, SMB2_DIALECT_REVISION_224},
3783 {PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300},
3784 {PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302},
3785 {PROTOCOL_SMB3_10, SMB3_DIALECT_REVISION_310},
3786 };
3787
3788 struct smbXcli_negprot_state {
3789 struct smbXcli_conn *conn;
3790 struct tevent_context *ev;
3791 uint32_t timeout_msec;
3792
3793 struct {
3794 uint8_t fixed[36];
3795 } smb2;
3796 };
3797
3798 static void smbXcli_negprot_invalid_done(struct tevent_req *subreq);
3799 static struct tevent_req *smbXcli_negprot_smb1_subreq(struct smbXcli_negprot_state *state);
3800 static void smbXcli_negprot_smb1_done(struct tevent_req *subreq);
3801 static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_state *state);
3802 static void smbXcli_negprot_smb2_done(struct tevent_req *subreq);
3803 static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
3804 TALLOC_CTX *frame,
3805 uint8_t *inbuf);
3806
3807 struct tevent_req *smbXcli_negprot_send(TALLOC_CTX *mem_ctx,
3808 struct tevent_context *ev,
3809 struct smbXcli_conn *conn,
3810 uint32_t timeout_msec,
3811 enum protocol_types min_protocol,
3812 enum protocol_types max_protocol)
3813 {
3814 struct tevent_req *req, *subreq;
3815 struct smbXcli_negprot_state *state;
3816
3817 req = tevent_req_create(mem_ctx, &state,
3818 struct smbXcli_negprot_state);
3819 if (req == NULL) {
3820 return NULL;
3821 }
3822 state->conn = conn;
3823 state->ev = ev;
3824 state->timeout_msec = timeout_msec;
3825
3826 if (min_protocol == PROTOCOL_NONE) {
3827 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3828 return tevent_req_post(req, ev);
3829 }
3830
3831 if (max_protocol == PROTOCOL_NONE) {
3832 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3833 return tevent_req_post(req, ev);
3834 }
3835
3836 if (min_protocol > max_protocol) {
3837 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3838 return tevent_req_post(req, ev);
3839 }
3840
3841 conn->min_protocol = min_protocol;
3842 conn->max_protocol = max_protocol;
3843 conn->protocol = PROTOCOL_NONE;
3844
3845 if ((min_protocol < PROTOCOL_SMB2_02) &&
3846 (max_protocol < PROTOCOL_SMB2_02)) {
3847 /*
3848 * SMB1 only...
3849 */
3850 conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
3851
3852 subreq = smbXcli_negprot_smb1_subreq(state);
3853 if (tevent_req_nomem(subreq, req)) {
3854 return tevent_req_post(req, ev);
3855 }
3856 tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
3857 return req;
3858 }
3859
3860 if ((min_protocol >= PROTOCOL_SMB2_02) &&
3861 (max_protocol >= PROTOCOL_SMB2_02)) {
3862 /*
3863 * SMB2 only...
3864 */
3865 conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
3866
3867 /*
3868 * As we're starting with an SMB2 negprot, emulate Windows
3869 * and ask for 31 credits in the initial SMB2 negprot.
3870 * If we don't and leave requested credits at
3871 * zero, MacOSX servers return zero credits on
3872 * the negprot reply and we fail to connect.
3873 */
3874 smb2cli_conn_set_max_credits(conn,
3875 WINDOWS_CLIENT_PURE_SMB2_NEGPROT_INITIAL_CREDIT_ASK);
3876
3877 subreq = smbXcli_negprot_smb2_subreq(state);
3878 if (tevent_req_nomem(subreq, req)) {
3879 return tevent_req_post(req, ev);
3880 }
3881 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
3882 return req;
3883 }
3884
3885 /*
3886 * We send an SMB1 negprot with the SMB2 dialects
3887 * and expect a SMB1 or a SMB2 response.
3888 *
3889 * smbXcli_negprot_dispatch_incoming() will fix the
3890 * callback to match protocol of the response.
3891 */
3892 conn->dispatch_incoming = smbXcli_negprot_dispatch_incoming;
3893
3894 subreq = smbXcli_negprot_smb1_subreq(state);
3895 if (tevent_req_nomem(subreq, req)) {
3896 return tevent_req_post(req, ev);
3897 }
3898 tevent_req_set_callback(subreq, smbXcli_negprot_invalid_done, req);
3899 return req;
3900 }
3901
3902 static void smbXcli_negprot_invalid_done(struct tevent_req *subreq)
3903 {
3904 struct tevent_req *req =
3905 tevent_req_callback_data(subreq,
3906 struct tevent_req);
3907 NTSTATUS status;
3908
3909 /*
3910 * we just want the low level error
3911 */
3912 status = tevent_req_simple_recv_ntstatus(subreq);
3913 TALLOC_FREE(subreq);
3914 if (tevent_req_nterror(req, status)) {
3915 return;
3916 }
3917
3918 /* this should never happen */
3919 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
3920 }
3921
3922 static struct tevent_req *smbXcli_negprot_smb1_subreq(struct smbXcli_negprot_state *state)
3923 {
3924 size_t i;
3925 DATA_BLOB bytes = data_blob_null;
3926 uint8_t flags;
3927 uint16_t flags2;
3928
3929 /* setup the protocol strings */
3930 for (i=0; i < ARRAY_SIZE(smb1cli_prots); i++) {
3931 uint8_t c = 2;
3932 bool ok;
3933
3934 if (smb1cli_prots[i].proto < state->conn->min_protocol) {
3935 continue;
3936 }
3937
3938 if (smb1cli_prots[i].proto > state->conn->max_protocol) {
3939 continue;
3940 }
3941
3942 ok = data_blob_append(state, &bytes, &c, sizeof(c));
3943 if (!ok) {
3944 return NULL;
3945 }
3946
3947 /*
3948 * We now it is already ascii and
3949 * we want NULL termination.
3950 */
3951 ok = data_blob_append(state, &bytes,
3952 smb1cli_prots[i].smb1_name,
3953 strlen(smb1cli_prots[i].smb1_name)+1);
3954 if (!ok) {
3955 return NULL;
3956 }
3957 }
3958
3959 smb1cli_req_flags(state->conn->max_protocol,
3960 state->conn->smb1.client.capabilities,
3961 SMBnegprot,
3962 0, 0, &flags,
3963 0, 0, &flags2);
3964
3965 return smb1cli_req_send(state, state->ev, state->conn,
3966 SMBnegprot,
3967 flags, ~flags,
3968 flags2, ~flags2,
3969 state->timeout_msec,
3970 0xFFFE, 0, NULL, /* pid, tid, session */
3971 0, NULL, /* wct, vwv */
3972 bytes.length, bytes.data);
3973 }
3974
3975 static void smbXcli_negprot_smb1_done(struct tevent_req *subreq)
3976 {
3977 struct tevent_req *req =
3978 tevent_req_callback_data(subreq,
3979 struct tevent_req);
3980 struct smbXcli_negprot_state *state =
3981 tevent_req_data(req,
3982 struct smbXcli_negprot_state);
3983 struct smbXcli_conn *conn = state->conn;
3984 struct iovec *recv_iov = NULL;
3985 uint8_t *inhdr;
3986 uint8_t wct;
3987 uint16_t *vwv;
3988 uint32_t num_bytes;
3989 uint8_t *bytes;
3990 NTSTATUS status;
3991 uint16_t protnum;
3992 size_t i;
3993 size_t num_prots = 0;
3994 uint8_t flags;
3995 uint32_t client_capabilities = conn->smb1.client.capabilities;
3996 uint32_t both_capabilities;
3997 uint32_t server_capabilities = 0;
3998 uint32_t capabilities;
3999 uint32_t client_max_xmit = conn->smb1.client.max_xmit;
4000 uint32_t server_max_xmit = 0;
4001 uint32_t max_xmit;
4002 uint32_t server_max_mux = 0;
4003 uint16_t server_security_mode = 0;
4004 uint32_t server_session_key = 0;
4005 bool server_readbraw = false;
4006 bool server_writebraw = false;
4007 bool server_lockread = false;
4008 bool server_writeunlock = false;
4009 struct GUID server_guid = GUID_zero();
4010 DATA_BLOB server_gss_blob = data_blob_null;
4011 uint8_t server_challenge[8];
4012 char *server_workgroup = NULL;
4013 char *server_name = NULL;
4014 int server_time_zone = 0;
4015 NTTIME server_system_time = 0;
4016 static const struct smb1cli_req_expected_response expected[] = {
4017 {
4018 .status = NT_STATUS_OK,
4019 .wct = 0x11, /* NT1 */
4020 },
4021 {
4022 .status = NT_STATUS_OK,
4023 .wct = 0x0D, /* LM */
4024 },
4025 {
4026 .status = NT_STATUS_OK,
4027 .wct = 0x01, /* CORE */
4028 }
4029 };
4030
4031 ZERO_STRUCT(server_challenge);
4032
4033 status = smb1cli_req_recv(subreq, state,
4034 &recv_iov,
4035 &inhdr,
4036 &wct,
4037 &vwv,
4038 NULL, /* pvwv_offset */
4039 &num_bytes,
4040 &bytes,
4041 NULL, /* pbytes_offset */
4042 NULL, /* pinbuf */
4043 expected, ARRAY_SIZE(expected));
4044 TALLOC_FREE(subreq);
4045 if (tevent_req_nterror(req, status)) {
4046 return;
4047 }
4048
4049 flags = CVAL(inhdr, HDR_FLG);
4050
4051 protnum = SVAL(vwv, 0);
4052
4053 for (i=0; i < ARRAY_SIZE(smb1cli_prots); i++) {
4054 if (smb1cli_prots[i].proto < state->conn->min_protocol) {
4055 continue;
4056 }
4057
4058 if (smb1cli_prots[i].proto > state->conn->max_protocol) {
4059 continue;
4060 }
4061
4062 if (protnum != num_prots) {
4063 num_prots++;
4064 continue;
4065 }
4066
4067 conn->protocol = smb1cli_prots[i].proto;
4068 break;
4069 }
4070
4071 if (conn->protocol == PROTOCOL_NONE) {
4072 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4073 return;
4074 }
4075
4076 if ((conn->protocol < PROTOCOL_NT1) && conn->mandatory_signing) {
4077 DEBUG(0,("smbXcli_negprot: SMB signing is mandatory "
4078 "and the selected protocol level doesn't support it.\n"));
4079 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
4080 return;
4081 }
4082
4083 if (flags & FLAG_SUPPORT_LOCKREAD) {
4084 server_lockread = true;
4085 server_writeunlock = true;
4086 }
4087
4088 if (conn->protocol >= PROTOCOL_NT1) {
4089 const char *client_signing = NULL;
4090 bool server_mandatory = false;
4091 bool server_allowed = false;
4092 const char *server_signing = NULL;
4093 bool ok;
4094 uint8_t key_len;
4095
4096 if (wct != 0x11) {
4097 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4098 return;
4099 }
4100
4101 /* NT protocol */
4102 server_security_mode = CVAL(vwv + 1, 0);
4103 server_max_mux = SVAL(vwv + 1, 1);
4104 server_max_xmit = IVAL(vwv + 3, 1);
4105 server_session_key = IVAL(vwv + 7, 1);
4106 server_time_zone = SVALS(vwv + 15, 1);
4107 server_time_zone *= 60;
4108 /* this time arrives in real GMT */
4109 server_system_time = BVAL(vwv + 11, 1);
4110 server_capabilities = IVAL(vwv + 9, 1);
4111
4112 key_len = CVAL(vwv + 16, 1);
4113
4114 if (server_capabilities & CAP_RAW_MODE) {
4115 server_readbraw = true;
4116 server_writebraw = true;
4117 }
4118 if (server_capabilities & CAP_LOCK_AND_READ) {
4119 server_lockread = true;
4120 }
4121
4122 if (server_capabilities & CAP_EXTENDED_SECURITY) {
4123 DATA_BLOB blob1, blob2;
4124
4125 if (num_bytes < 16) {
4126 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4127 return;
4128 }
4129
4130 blob1 = data_blob_const(bytes, 16);
4131 status = GUID_from_data_blob(&blob1, &server_guid);
4132 if (tevent_req_nterror(req, status)) {
4133 return;
4134 }
4135
4136 blob1 = data_blob_const(bytes+16, num_bytes-16);
4137 blob2 = data_blob_dup_talloc(state, blob1);
4138 if (blob1.length > 0 &&
4139 tevent_req_nomem(blob2.data, req)) {
4140 return;
4141 }
4142 server_gss_blob = blob2;
4143 } else {
4144 DATA_BLOB blob1, blob2;
4145
4146 if (num_bytes < key_len) {
4147 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4148 return;
4149 }
4150
4151 if (key_len != 0 && key_len != 8) {
4152 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4153 return;
4154 }
4155
4156 if (key_len == 8) {
4157 memcpy(server_challenge, bytes, 8);
4158 }
4159
4160 blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
4161 blob2 = data_blob_const(bytes+key_len, num_bytes-key_len);
4162 if (blob1.length > 0) {
4163 size_t len;
4164
4165 len = utf16_len_n(blob1.data,
4166 blob1.length);
4167 blob1.length = len;
4168
4169 ok = convert_string_talloc(state,
4170 CH_UTF16LE,
4171 CH_UNIX,
4172 blob1.data,
4173 blob1.length,
4174 &server_workgroup,
4175 &len);
4176 if (!ok) {
4177 status = map_nt_error_from_unix_common(errno);
4178 tevent_req_nterror(req, status);
4179 return;
4180 }
4181 }
4182
4183 blob2.data += blob1.length;
4184 blob2.length -= blob1.length;
4185 if (blob2.length > 0) {
4186 size_t len;
4187
4188 len = utf16_len_n(blob1.data,
4189 blob1.length);
4190 blob1.length = len;
4191
4192 ok = convert_string_talloc(state,
4193 CH_UTF16LE,
4194 CH_UNIX,
4195 blob2.data,
4196 blob2.length,
4197 &server_name,
4198 &len);
4199 if (!ok) {
4200 status = map_nt_error_from_unix_common(errno);
4201 tevent_req_nterror(req, status);
4202 return;
4203 }
4204 }
4205 }
4206
4207 client_signing = "disabled";
4208 if (conn->allow_signing) {
4209 client_signing = "allowed";
4210 }
4211 if (conn->mandatory_signing) {
4212 client_signing = "required";
4213 }
4214
4215 server_signing = "not supported";
4216 if (server_security_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) {
4217 server_signing = "supported";
4218 server_allowed = true;
4219 } else if (conn->mandatory_signing) {
4220 /*
4221 * We have mandatory signing as client
4222 * lets assume the server will look at our
4223 * FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED
4224 * flag in the session setup
4225 */
4226 server_signing = "not announced";
4227 server_allowed = true;
4228 }
4229 if (server_security_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) {
4230 server_signing = "required";
4231 server_mandatory = true;
4232 }
4233
4234 ok = smb_signing_set_negotiated(conn->smb1.signing,
4235 server_allowed,
4236 server_mandatory);
4237 if (!ok) {
4238 DEBUG(1,("cli_negprot: SMB signing is required, "
4239 "but client[%s] and server[%s] mismatch\n",
4240 client_signing, server_signing));
4241 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
4242 return;
4243 }
4244
4245 } else if (conn->protocol >= PROTOCOL_LANMAN1) {
4246 DATA_BLOB blob1;
4247 uint8_t key_len;
4248 time_t t;
4249
4250 if (wct != 0x0D) {
4251 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4252 return;
4253 }
4254
4255 server_security_mode = SVAL(vwv + 1, 0);
4256 server_max_xmit = SVAL(vwv + 2, 0);
4257 server_max_mux = SVAL(vwv + 3, 0);
4258 server_readbraw = ((SVAL(vwv + 5, 0) & 0x1) != 0);
4259 server_writebraw = ((SVAL(vwv + 5, 0) & 0x2) != 0);
4260 server_session_key = IVAL(vwv + 6, 0);
4261 server_time_zone = SVALS(vwv + 10, 0);
4262 server_time_zone *= 60;
4263 /* this time is converted to GMT by make_unix_date */
4264 t = pull_dos_date((const uint8_t *)(vwv + 8), server_time_zone);
4265 unix_to_nt_time(&server_system_time, t);
4266 key_len = SVAL(vwv + 11, 0);
4267
4268 if (num_bytes < key_len) {
4269 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4270 return;
4271 }
4272
4273 if (key_len != 0 && key_len != 8) {
4274 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4275 return;
4276 }
4277
4278 if (key_len == 8) {
4279 memcpy(server_challenge, bytes, 8);
4280 }
4281
4282 blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
4283 if (blob1.length > 0) {
4284 size_t len;
4285 bool ok;
4286
4287 len = utf16_len_n(blob1.data,
4288 blob1.length);
4289 blob1.length = len;
4290
4291 ok = convert_string_talloc(state,
4292 CH_DOS,
4293 CH_UNIX,
4294 blob1.data,
4295 blob1.length,
4296 &server_workgroup,
4297 &len);
4298 if (!ok) {
4299 status = map_nt_error_from_unix_common(errno);
4300 tevent_req_nterror(req, status);
4301 return;
4302 }
4303 }
4304
4305 } else {
4306 /* the old core protocol */
4307 server_time_zone = get_time_zone(time(NULL));
4308 server_max_xmit = 1024;
4309 server_max_mux = 1;
4310 }
4311
4312 if (server_max_xmit < 1024) {
4313 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4314 return;
4315 }
4316
4317 if (server_max_mux < 1) {
4318 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4319 return;
4320 }
4321
4322 /*
4323 * Now calculate the negotiated capabilities
4324 * based on the mask for:
4325 * - client only flags
4326 * - flags used in both directions
4327 * - server only flags
4328 */
4329 both_capabilities = client_capabilities & server_capabilities;
4330 capabilities = client_capabilities & SMB_CAP_CLIENT_MASK;
4331 capabilities |= both_capabilities & SMB_CAP_BOTH_MASK;
4332 capabilities |= server_capabilities & SMB_CAP_SERVER_MASK;
4333
4334 max_xmit = MIN(client_max_xmit, server_max_xmit);
4335
4336 conn->smb1.server.capabilities = server_capabilities;
4337 conn->smb1.capabilities = capabilities;
4338
4339 conn->smb1.server.max_xmit = server_max_xmit;
4340 conn->smb1.max_xmit = max_xmit;
4341
4342 conn->smb1.server.max_mux = server_max_mux;
4343
4344 conn->smb1.server.security_mode = server_security_mode;
4345
4346 conn->smb1.server.readbraw = server_readbraw;
4347 conn->smb1.server.writebraw = server_writebraw;
4348 conn->smb1.server.lockread = server_lockread;
4349 conn->smb1.server.writeunlock = server_writeunlock;
4350
4351 conn->smb1.server.session_key = server_session_key;
4352
4353 talloc_steal(conn, server_gss_blob.data);
4354 conn->smb1.server.gss_blob = server_gss_blob;
4355 conn->smb1.server.guid = server_guid;
4356 memcpy(conn->smb1.server.challenge, server_challenge, 8);
4357 conn->smb1.server.workgroup = talloc_move(conn, &server_workgroup);
4358 conn->smb1.server.name = talloc_move(conn, &server_name);
4359
4360 conn->smb1.server.time_zone = server_time_zone;
4361 conn->smb1.server.system_time = server_system_time;
4362
4363 tevent_req_done(req);
4364 }
4365
4366 static size_t smbXcli_padding_helper(uint32_t offset, size_t n)
4367 {
4368 if ((offset & (n-1)) == 0) return 0;
4369 return n - (offset & (n-1));
4370 }
4371
4372 static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_state *state)
4373 {
4374 size_t i;
4375 uint8_t *buf;
4376 uint16_t dialect_count = 0;
4377 DATA_BLOB dyn = data_blob_null;
4378
4379 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4380 bool ok;
4381 uint8_t val[2];
4382
4383 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
4384 continue;
4385 }
4386
4387 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
4388 continue;
4389 }
4390
4391 SSVAL(val, 0, smb2cli_prots[i].smb2_dialect);
4392
4393 ok = data_blob_append(state, &dyn, val, sizeof(val));
4394 if (!ok) {
4395 return NULL;
4396 }
4397
4398 dialect_count++;
4399 }
4400
4401 buf = state->smb2.fixed;
4402 SSVAL(buf, 0, 36);
4403 SSVAL(buf, 2, dialect_count);
4404 SSVAL(buf, 4, state->conn->smb2.client.security_mode);
4405 SSVAL(buf, 6, 0); /* Reserved */
4406 if (state->conn->max_protocol >= PROTOCOL_SMB2_22) {
4407 SIVAL(buf, 8, state->conn->smb2.client.capabilities);
4408 } else {
4409 SIVAL(buf, 8, 0); /* Capabilities */
4410 }
4411 if (state->conn->max_protocol >= PROTOCOL_SMB2_10) {
4412 NTSTATUS status;
4413 DATA_BLOB blob;
4414
4415 status = GUID_to_ndr_blob(&state->conn->smb2.client.guid,
4416 state, &blob);
4417 if (!NT_STATUS_IS_OK(status)) {
4418 return NULL;
4419 }
4420 memcpy(buf+12, blob.data, 16); /* ClientGuid */
4421 } else {
4422 memset(buf+12, 0, 16); /* ClientGuid */
4423 }
4424
4425 if (state->conn->max_protocol >= PROTOCOL_SMB3_10) {
4426 NTSTATUS status;
4427 struct smb2_negotiate_contexts c = { .num_contexts = 0, };
4428 uint32_t offset;
4429 DATA_BLOB b;
4430 uint8_t p[38];
4431 const uint8_t zeros[8] = {0, };
4432 size_t pad;
4433 bool ok;
4434
4435 SSVAL(p, 0, 1); /* HashAlgorithmCount */
4436 SSVAL(p, 2, 32); /* SaltLength */
4437 SSVAL(p, 4, SMB2_PREAUTH_INTEGRITY_SHA512);
4438 generate_random_buffer(p + 6, 32);
4439
4440 b = data_blob_const(p, 38);
4441 status = smb2_negotiate_context_add(state, &c,
4442 SMB2_PREAUTH_INTEGRITY_CAPABILITIES, b);
4443 if (!NT_STATUS_IS_OK(status)) {
4444 return NULL;
4445 }
4446
4447 SSVAL(p, 0, 2); /* ChiperCount */
4448 SSVAL(p, 2, SMB2_ENCRYPTION_AES128_GCM);
4449 SSVAL(p, 4, SMB2_ENCRYPTION_AES128_CCM);
4450
4451 b = data_blob_const(p, 6);
4452 status = smb2_negotiate_context_add(state, &c,
4453 SMB2_ENCRYPTION_CAPABILITIES, b);
4454 if (!NT_STATUS_IS_OK(status)) {
4455 return NULL;
4456 }
4457
4458 status = smb2_negotiate_context_push(state, &b, c);
4459 if (!NT_STATUS_IS_OK(status)) {
4460 return NULL;
4461 }
4462
4463 offset = SMB2_HDR_BODY + sizeof(state->smb2.fixed) + dyn.length;
4464 pad = smbXcli_padding_helper(offset, 8);
4465
4466 ok = data_blob_append(state, &dyn, zeros, pad);
4467 if (!ok) {
4468 return NULL;
4469 }
4470 offset += pad;
4471
4472 ok = data_blob_append(state, &dyn, b.data, b.length);
4473 if (!ok) {
4474 return NULL;
4475 }
4476
4477 SIVAL(buf, 28, offset); /* NegotiateContextOffset */
4478 SSVAL(buf, 32, c.num_contexts); /* NegotiateContextCount */
4479 SSVAL(buf, 34, 0); /* Reserved */
4480 } else {
4481 SBVAL(buf, 28, 0); /* Reserved/ClientStartTime */
4482 }
4483
4484 return smb2cli_req_send(state, state->ev,
4485 state->conn, SMB2_OP_NEGPROT,
4486 0, 0, /* flags */
4487 state->timeout_msec,
4488 NULL, NULL, /* tcon, session */
4489 state->smb2.fixed, sizeof(state->smb2.fixed),
4490 dyn.data, dyn.length,
4491 UINT16_MAX); /* max_dyn_len */
4492 }
4493
4494 static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
4495 {
4496 struct tevent_req *req =
4497 tevent_req_callback_data(subreq,
4498 struct tevent_req);
4499 struct smbXcli_negprot_state *state =
4500 tevent_req_data(req,
4501 struct smbXcli_negprot_state);
4502 struct smbXcli_conn *conn = state->conn;
4503 size_t security_offset, security_length;
4504 DATA_BLOB blob;
4505 NTSTATUS status;
4506 struct iovec *iov;
4507 uint8_t *body;
4508 size_t i;
4509 uint16_t dialect_revision;
4510 struct smb2_negotiate_contexts c = { .num_contexts = 0, };
4511 uint32_t negotiate_context_offset = 0;
4512 uint16_t negotiate_context_count = 0;
4513 DATA_BLOB negotiate_context_blob = data_blob_null;
4514 size_t avail;
4515 size_t ctx_ofs;
4516 size_t needed;
4517 struct smb2_negotiate_context *preauth = NULL;
4518 uint16_t hash_count;
4519 uint16_t salt_length;
4520 uint16_t hash_selected;
4521 struct hc_sha512state sctx;
4522 struct smb2_negotiate_context *cipher = NULL;
4523 struct iovec sent_iov[3];
4524 static const struct smb2cli_req_expected_response expected[] = {
4525 {
4526 .status = NT_STATUS_OK,
4527 .body_size = 0x41
4528 }
4529 };
4530
4531 status = smb2cli_req_recv(subreq, state, &iov,
4532 expected, ARRAY_SIZE(expected));
4533 if (tevent_req_nterror(req, status)) {
4534 return;
4535 }
4536
4537 body = (uint8_t *)iov[1].iov_base;
4538
4539 dialect_revision = SVAL(body, 4);
4540
4541 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4542 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
4543 continue;
4544 }
4545
4546 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
4547 continue;
4548 }
4549
4550 if (smb2cli_prots[i].smb2_dialect != dialect_revision) {
4551 continue;
4552 }
4553
4554 conn->protocol = smb2cli_prots[i].proto;
4555 break;
4556 }
4557
4558 if (conn->protocol == PROTOCOL_NONE) {
4559 TALLOC_FREE(subreq);
4560
4561 if (state->conn->min_protocol >= PROTOCOL_SMB2_02) {
4562 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4563 return;
4564 }
4565
4566 if (dialect_revision != SMB2_DIALECT_REVISION_2FF) {
4567 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4568 return;
4569 }
4570
4571 /* make sure we do not loop forever */
4572 state->conn->min_protocol = PROTOCOL_SMB2_02;
4573
4574 /*
4575 * send a SMB2 negprot, in order to negotiate
4576 * the SMB2 dialect.
4577 */
4578 subreq = smbXcli_negprot_smb2_subreq(state);
4579 if (tevent_req_nomem(subreq, req)) {
4580 return;
4581 }
4582 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4583 return;
4584 }
4585
4586 conn->smb2.server.security_mode = SVAL(body, 2);
4587 if (conn->protocol >= PROTOCOL_SMB3_10) {
4588 negotiate_context_count = SVAL(body, 6);
4589 }
4590
4591 blob = data_blob_const(body + 8, 16);
4592 status = GUID_from_data_blob(&blob, &conn->smb2.server.guid);
4593 if (tevent_req_nterror(req, status)) {
4594 return;
4595 }
4596
4597 conn->smb2.server.capabilities = IVAL(body, 24);
4598 conn->smb2.server.max_trans_size= IVAL(body, 28);
4599 conn->smb2.server.max_read_size = IVAL(body, 32);
4600 conn->smb2.server.max_write_size= IVAL(body, 36);
4601 conn->smb2.server.system_time = BVAL(body, 40);
4602 conn->smb2.server.start_time = BVAL(body, 48);
4603
4604 security_offset = SVAL(body, 56);
4605 security_length = SVAL(body, 58);
4606
4607 if (security_offset != SMB2_HDR_BODY + iov[1].iov_len) {
4608 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4609 return;
4610 }
4611
4612 if (security_length > iov[2].iov_len) {
4613 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4614 return;
4615 }
4616
4617 conn->smb2.server.gss_blob = data_blob_talloc(conn,
4618 iov[2].iov_base,
4619 security_length);
4620 if (tevent_req_nomem(conn->smb2.server.gss_blob.data, req)) {
4621 return;
4622 }
4623
4624 if (conn->protocol < PROTOCOL_SMB3_10) {
4625 TALLOC_FREE(subreq);
4626
4627 if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
4628 conn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
4629 }
4630 tevent_req_done(req);
4631 return;
4632 }
4633
4634 if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
4635 tevent_req_nterror(req,
4636 NT_STATUS_INVALID_NETWORK_RESPONSE);
4637 return;
4638 }
4639
4640 negotiate_context_offset = IVAL(body, 60);
4641 if (negotiate_context_offset < security_offset) {
4642 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4643 return;
4644 }
4645
4646 ctx_ofs = negotiate_context_offset - security_offset;
4647 if (ctx_ofs > iov[2].iov_len) {
4648 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4649 return;
4650 }
4651 avail = iov[2].iov_len - security_length;
4652 needed = iov[2].iov_len - ctx_ofs;
4653 if (needed > avail) {
4654 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4655 return;
4656 }
4657
4658 negotiate_context_blob.data = (uint8_t *)iov[2].iov_base;
4659 negotiate_context_blob.length = iov[2].iov_len;
4660
4661 negotiate_context_blob.data += ctx_ofs;
4662 negotiate_context_blob.length -= ctx_ofs;
4663
4664 status = smb2_negotiate_context_parse(state, negotiate_context_blob, &c);
4665 if (tevent_req_nterror(req, status)) {
4666 return;
4667 }
4668
4669 if (negotiate_context_count != c.num_contexts) {
4670 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4671 return;
4672 }
4673
4674 preauth = smb2_negotiate_context_find(&c,
4675 SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
4676 if (preauth == NULL) {
4677 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4678 return;
4679 }
4680
4681 if (preauth->data.length < 6) {
4682 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4683 return;
4684 }
4685
4686 hash_count = SVAL(preauth->data.data, 0);
4687 salt_length = SVAL(preauth->data.data, 2);
4688 hash_selected = SVAL(preauth->data.data, 4);
4689
4690 if (hash_count != 1) {
4691 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4692 return;
4693 }
4694
4695 if (preauth->data.length != (6 + salt_length)) {
4696 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4697 return;
4698 }
4699
4700 if (hash_selected != SMB2_PREAUTH_INTEGRITY_SHA512) {
4701 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4702 return;
4703 }
4704
4705 cipher = smb2_negotiate_context_find(&c, SMB2_ENCRYPTION_CAPABILITIES);
4706 if (cipher != NULL) {
4707 uint16_t cipher_count;
4708
4709 if (cipher->data.length < 2) {
4710 tevent_req_nterror(req,
4711 NT_STATUS_INVALID_NETWORK_RESPONSE);
4712 return;
4713 }
4714
4715 cipher_count = SVAL(cipher->data.data, 0);
4716
4717 if (cipher_count > 1) {
4718 tevent_req_nterror(req,
4719 NT_STATUS_INVALID_NETWORK_RESPONSE);
4720 return;
4721 }
4722
4723 if (cipher->data.length != (2 + 2 * cipher_count)) {
4724 tevent_req_nterror(req,
4725 NT_STATUS_INVALID_NETWORK_RESPONSE);
4726 return;
4727 }
4728
4729 if (cipher_count == 1) {
4730 uint16_t cipher_selected;
4731
4732 cipher_selected = SVAL(cipher->data.data, 2);
4733
4734 switch (cipher_selected) {
4735 case SMB2_ENCRYPTION_AES128_GCM:
4736 case SMB2_ENCRYPTION_AES128_CCM:
4737 conn->smb2.server.cipher = cipher_selected;
4738 break;
4739 }
4740 }
4741 }
4742
4743 /* First we hash the request */
4744 smb2cli_req_get_sent_iov(subreq, sent_iov);
4745 samba_SHA512_Init(&sctx);
4746 samba_SHA512_Update(&sctx, conn->smb2.preauth_sha512,
4747 sizeof(conn->smb2.preauth_sha512));
4748 for (i = 0; i < 3; i++) {
4749 samba_SHA512_Update(&sctx, sent_iov[i].iov_base, sent_iov[i].iov_len);
4750 }
4751 samba_SHA512_Final(conn->smb2.preauth_sha512, &sctx);
4752 TALLOC_FREE(subreq);
4753
4754 /* And now we hash the response */
4755 samba_SHA512_Init(&sctx);
4756 samba_SHA512_Update(&sctx, conn->smb2.preauth_sha512,
4757 sizeof(conn->smb2.preauth_sha512));
4758 for (i = 0; i < 3; i++) {
4759 samba_SHA512_Update(&sctx, iov[i].iov_base, iov[i].iov_len);
4760 }
4761 samba_SHA512_Final(conn->smb2.preauth_sha512, &sctx);
4762
4763 tevent_req_done(req);
4764 }
4765
4766 static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
4767 TALLOC_CTX *tmp_mem,
4768 uint8_t *inbuf)
4769 {
4770 size_t num_pending = talloc_array_length(conn->pending);
4771 struct tevent_req *subreq;
4772 struct smbXcli_req_state *substate;
4773 struct tevent_req *req;
4774 uint32_t protocol_magic;
4775 size_t inbuf_len = smb_len_nbt(inbuf);
4776
4777 if (num_pending != 1) {
4778 return NT_STATUS_INTERNAL_ERROR;
4779 }
4780
4781 if (inbuf_len < 4) {
4782 return NT_STATUS_INVALID_NETWORK_RESPONSE;
4783 }
4784
4785 subreq = conn->pending[0];
4786 substate = tevent_req_data(subreq, struct smbXcli_req_state);
4787 req = tevent_req_callback_data(subreq, struct tevent_req);
4788
4789 protocol_magic = IVAL(inbuf, 4);
4790
4791 switch (protocol_magic) {
4792 case SMB_MAGIC:
4793 tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
4794 conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
4795 return smb1cli_conn_dispatch_incoming(conn, tmp_mem, inbuf);
4796
4797 case SMB2_MAGIC:
4798 if (substate->smb2.recv_iov == NULL) {
4799 /*
4800 * For the SMB1 negprot we have move it.
4801 */
4802 substate->smb2.recv_iov = substate->smb1.recv_iov;
4803 substate->smb1.recv_iov = NULL;
4804 }
4805
4806 /*
4807 * we got an SMB2 answer, which consumed sequence number 0
4808 * so we need to use 1 as the next one.
4809 *
4810 * we also need to set the current credits to 0
4811 * as we consumed the initial one. The SMB2 answer
4812 * hopefully grant us a new credit.
4813 */
4814 conn->smb2.mid = 1;
4815 conn->smb2.cur_credits = 0;
4816 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4817 conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
4818 return smb2cli_conn_dispatch_incoming(conn, tmp_mem, inbuf);
4819 }
4820
4821 DEBUG(10, ("Got non-SMB PDU\n"));
4822 return NT_STATUS_INVALID_NETWORK_RESPONSE;
4823 }
4824
4825 NTSTATUS smbXcli_negprot_recv(struct tevent_req *req)
4826 {
4827 return tevent_req_simple_recv_ntstatus(req);
4828 }
4829
4830 NTSTATUS smbXcli_negprot(struct smbXcli_conn *conn,
4831 uint32_t timeout_msec,
4832 enum protocol_types min_protocol,
4833 enum protocol_types max_protocol)
4834 {
4835 TALLOC_CTX *frame = talloc_stackframe();
4836 struct tevent_context *ev;
4837 struct tevent_req *req;
4838 NTSTATUS status = NT_STATUS_NO_MEMORY;
4839 bool ok;
4840
4841 if (smbXcli_conn_has_async_calls(conn)) {
4842 /*
4843 * Can't use sync call while an async call is in flight
4844 */
4845 status = NT_STATUS_INVALID_PARAMETER_MIX;
4846 goto fail;
4847 }
4848 ev = samba_tevent_context_init(frame);
4849 if (ev == NULL) {
4850 goto fail;
4851 }
4852 req = smbXcli_negprot_send(frame, ev, conn, timeout_msec,
4853 min_protocol, max_protocol);
4854 if (req == NULL) {
4855 goto fail;
4856 }
4857 ok = tevent_req_poll(req, ev);
4858 if (!ok) {
4859 status = map_nt_error_from_unix_common(errno);
4860 goto fail;
4861 }
4862 status = smbXcli_negprot_recv(req);
4863 fail:
4864 TALLOC_FREE(frame);
4865 return status;
4866 }
4867
4868 struct smb2cli_validate_negotiate_info_state {
4869 struct smbXcli_conn *conn;
4870 DATA_BLOB in_input_buffer;
4871 DATA_BLOB in_output_buffer;
4872 DATA_BLOB out_input_buffer;
4873 DATA_BLOB out_output_buffer;
4874 uint16_t dialect;
4875 };
4876
4877 static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq);
4878
4879 struct tevent_req *smb2cli_validate_negotiate_info_send(TALLOC_CTX *mem_ctx,
4880 struct tevent_context *ev,
4881 struct smbXcli_conn *conn,
4882 uint32_t timeout_msec,
4883 struct smbXcli_session *session,
4884 struct smbXcli_tcon *tcon)
4885 {
4886 struct tevent_req *req;
4887 struct smb2cli_validate_negotiate_info_state *state;
4888 uint8_t *buf;
4889 uint16_t dialect_count = 0;
4890 struct tevent_req *subreq;
4891 bool _save_should_sign;
4892 size_t i;
4893
4894 req = tevent_req_create(mem_ctx, &state,
4895 struct smb2cli_validate_negotiate_info_state);
4896 if (req == NULL) {
4897 return NULL;
4898 }
4899 state->conn = conn;
4900
4901 state->in_input_buffer = data_blob_talloc_zero(state,
4902 4 + 16 + 1 + 1 + 2);
4903 if (tevent_req_nomem(state->in_input_buffer.data, req)) {
4904 return tevent_req_post(req, ev);
4905 }
4906 buf = state->in_input_buffer.data;
4907
4908 if (state->conn->max_protocol >= PROTOCOL_SMB2_22) {
4909 SIVAL(buf, 0, conn->smb2.client.capabilities);
4910 } else {
4911 SIVAL(buf, 0, 0); /* Capabilities */
4912 }
4913 if (state->conn->max_protocol >= PROTOCOL_SMB2_10) {
4914 NTSTATUS status;
4915 DATA_BLOB blob;
4916
4917 status = GUID_to_ndr_blob(&conn->smb2.client.guid,
4918 state, &blob);
4919 if (!NT_STATUS_IS_OK(status)) {
4920 return NULL;
4921 }
4922 memcpy(buf+4, blob.data, 16); /* ClientGuid */
4923 } else {
4924 memset(buf+4, 0, 16); /* ClientGuid */
4925 }
4926 if (state->conn->min_protocol >= PROTOCOL_SMB2_02) {
4927 SCVAL(buf, 20, conn->smb2.client.security_mode);
4928 } else {
4929 SCVAL(buf, 20, 0);
4930 }
4931 SCVAL(buf, 21, 0); /* reserved */
4932
4933 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4934 bool ok;
4935 size_t ofs;
4936
4937 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
4938 continue;
4939 }
4940
4941 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
4942 continue;
4943 }
4944
4945 if (smb2cli_prots[i].proto == state->conn->protocol) {
4946 state->dialect = smb2cli_prots[i].smb2_dialect;
4947 }
4948
4949 ofs = state->in_input_buffer.length;
4950 ok = data_blob_realloc(state, &state->in_input_buffer,
4951 ofs + 2);
4952 if (!ok) {
4953 tevent_req_oom(req);
4954 return tevent_req_post(req, ev);
4955 }
4956
4957 buf = state->in_input_buffer.data;
4958 SSVAL(buf, ofs, smb2cli_prots[i].smb2_dialect);
4959
4960 dialect_count++;
4961 }
4962 buf = state->in_input_buffer.data;
4963 SSVAL(buf, 22, dialect_count);
4964
4965 _save_should_sign = smb2cli_tcon_is_signing_on(tcon);
4966 smb2cli_tcon_should_sign(tcon, true);
4967 subreq = smb2cli_ioctl_send(state, ev, conn,
4968 timeout_msec, session, tcon,
4969 UINT64_MAX, /* in_fid_persistent */
4970 UINT64_MAX, /* in_fid_volatile */
4971 FSCTL_VALIDATE_NEGOTIATE_INFO,
4972 0, /* in_max_input_length */
4973 &state->in_input_buffer,
4974 24, /* in_max_output_length */
4975 &state->in_output_buffer,
4976 SMB2_IOCTL_FLAG_IS_FSCTL);
4977 smb2cli_tcon_should_sign(tcon, _save_should_sign);
4978 if (tevent_req_nomem(subreq, req)) {
4979 return tevent_req_post(req, ev);
4980 }
4981 tevent_req_set_callback(subreq,
4982 smb2cli_validate_negotiate_info_done,
4983 req);
4984
4985 return req;
4986 }
4987
4988 static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
4989 {
4990 struct tevent_req *req =
4991 tevent_req_callback_data(subreq,
4992 struct tevent_req);
4993 struct smb2cli_validate_negotiate_info_state *state =
4994 tevent_req_data(req,
4995 struct smb2cli_validate_negotiate_info_state);
4996 NTSTATUS status;
4997 const uint8_t *buf;
4998 uint32_t capabilities;
4999 DATA_BLOB guid_blob;
5000 struct GUID server_guid;
5001 uint16_t security_mode;
5002 uint16_t dialect;
5003
5004 status = smb2cli_ioctl_recv(subreq, state,
5005 &state->out_input_buffer,
5006 &state->out_output_buffer);
5007 TALLOC_FREE(subreq);
5008 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED)) {
5009 /*
5010 * The response was signed, but not supported
5011 *
5012 * Older Windows and Samba releases return
5013 * NT_STATUS_FILE_CLOSED.
5014 */
5015 tevent_req_done(req);
5016 return;
5017 }
5018 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_DEVICE_REQUEST)) {
5019 /*
5020 * The response was signed, but not supported
5021 *
5022 * This is returned by the NTVFS based Samba 4.x file server
5023 * for file shares.
5024 */
5025 tevent_req_done(req);
5026 return;
5027 }
5028 if (NT_STATUS_EQUAL(status, NT_STATUS_FS_DRIVER_REQUIRED)) {
5029 /*
5030 * The response was signed, but not supported
5031 *
5032 * This is returned by the NTVFS based Samba 4.x file server
5033 * for ipc shares.
5034 */
5035 tevent_req_done(req);
5036 return;
5037 }
5038 if (tevent_req_nterror(req, status)) {
5039 return;
5040 }
5041
5042 if (state->out_output_buffer.length != 24) {
5043 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
5044 return;
5045 }
5046
5047 buf = state->out_output_buffer.data;
5048
5049 capabilities = IVAL(buf, 0);
5050 guid_blob = data_blob_const(buf + 4, 16);
5051 status = GUID_from_data_blob(&guid_blob, &server_guid);
5052 if (tevent_req_nterror(req, status)) {
5053 return;
5054 }
5055 security_mode = CVAL(buf, 20);
5056 dialect = SVAL(buf, 22);
5057
5058 if (capabilities != state->conn->smb2.server.capabilities) {
5059 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5060 return;
5061 }
5062
5063 if (!GUID_equal(&server_guid, &state->conn->smb2.server.guid)) {
5064 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5065 return;
5066 }
5067
5068 if (security_mode != state->conn->smb2.server.security_mode) {
5069 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5070 return;
5071 }
5072
5073 if (dialect != state->dialect) {
5074 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5075 return;
5076 }
5077
5078 tevent_req_done(req);
5079 }
5080
5081 NTSTATUS smb2cli_validate_negotiate_info_recv(struct tevent_req *req)
5082 {
5083 return tevent_req_simple_recv_ntstatus(req);
5084 }
5085
5086 static int smbXcli_session_destructor(struct smbXcli_session *session)
5087 {
5088 if (session->conn == NULL) {
5089 return 0;
5090 }
5091
5092 DLIST_REMOVE(session->conn->sessions, session);
5093 return 0;
5094 }
5095
5096 struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
5097 struct smbXcli_conn *conn)
5098 {
5099 struct smbXcli_session *session;
5100
5101 session = talloc_zero(mem_ctx, struct smbXcli_session);
5102 if (session == NULL) {
5103 return NULL;
5104 }
5105 session->smb2 = talloc_zero(session, struct smb2cli_session);
5106 if (session->smb2 == NULL) {
5107 talloc_free(session);
5108 return NULL;
5109 }
5110 talloc_set_destructor(session, smbXcli_session_destructor);
5111
5112 DLIST_ADD_END(conn->sessions, session, struct smbXcli_session *);
5113 session->conn = conn;
5114
5115 memcpy(session->smb2_channel.preauth_sha512,
5116 conn->smb2.preauth_sha512,
5117 sizeof(session->smb2_channel.preauth_sha512));
5118
5119 return session;
5120 }
5121
5122 struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
5123 struct smbXcli_session *src)
5124 {
5125 struct smbXcli_session *session;
5126
5127 session = talloc_zero(mem_ctx, struct smbXcli_session);
5128 if (session == NULL) {
5129 return NULL;
5130 }
5131 session->smb2 = talloc_zero(session, struct smb2cli_session);
5132 if (session->smb2 == NULL) {
5133 talloc_free(session);
5134 return NULL;
5135 }
5136
5137 session->conn = src->conn;
5138 *session->smb2 = *src->smb2;
5139 session->smb2_channel = src->smb2_channel;
5140 session->disconnect_expired = src->disconnect_expired;
5141
5142 DLIST_ADD_END(src->conn->sessions, session, struct smbXcli_session *);
5143 talloc_set_destructor(session, smbXcli_session_destructor);
5144
5145 return session;
5146 }
5147
5148 bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
5149 {
5150 const DATA_BLOB *application_key;
5151
5152 if (session->conn == NULL) {
5153 return false;
5154 }
5155
5156 /*
5157 * If we have an application key we had a session key negotiated
5158 * at auth time.
5159 */
5160 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
5161 application_key = &session->smb2->application_key;
5162 } else {
5163 application_key = &session->smb1.application_key;
5164 }
5165
5166 if (application_key->length == 0) {
5167 return false;
5168 }
5169
5170 return true;
5171 }
5172
5173 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
5174 TALLOC_CTX *mem_ctx,
5175 DATA_BLOB *key)
5176 {
5177 const DATA_BLOB *application_key;
5178
5179 *key = data_blob_null;
5180
5181 if (session->conn == NULL) {
5182 return NT_STATUS_NO_USER_SESSION_KEY;
5183 }
5184
5185 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
5186 application_key = &session->smb2->application_key;
5187 } else {
5188 application_key = &session->smb1.application_key;
5189 }
5190
5191 if (application_key->length == 0) {
5192 return NT_STATUS_NO_USER_SESSION_KEY;
5193 }
5194
5195 *key = data_blob_dup_talloc(mem_ctx, *application_key);
5196 if (key->data == NULL) {
5197 return NT_STATUS_NO_MEMORY;
5198 }
5199
5200 return NT_STATUS_OK;
5201 }
5202
5203 void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session)
5204 {
5205 session->disconnect_expired = true;
5206 }
5207
5208 uint16_t smb1cli_session_current_id(struct smbXcli_session *session)
5209 {
5210 return session->smb1.session_id;
5211 }
5212
5213 void smb1cli_session_set_id(struct smbXcli_session *session,
5214 uint16_t session_id)
5215 {
5216 session->smb1.session_id = session_id;
5217 }
5218
5219 NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
5220 const DATA_BLOB _session_key)
5221 {
5222 struct smbXcli_conn *conn = session->conn;
5223 uint8_t session_key[16];
5224
5225 if (conn == NULL) {
5226 return NT_STATUS_INVALID_PARAMETER_MIX;
5227 }
5228
5229 if (session->smb1.application_key.length != 0) {
5230 /*
5231 * TODO: do not allow this...
5232 *
5233 * return NT_STATUS_INVALID_PARAMETER_MIX;
5234 */
5235 data_blob_clear_free(&session->smb1.application_key);
5236 session->smb1.protected_key = false;
5237 }
5238
5239 if (_session_key.length == 0) {
5240 return NT_STATUS_OK;
5241 }
5242
5243 ZERO_STRUCT(session_key);
5244 memcpy(session_key, _session_key.data,
5245 MIN(_session_key.length, sizeof(session_key)));
5246
5247 session->smb1.application_key = data_blob_talloc(session,
5248 session_key,
5249 sizeof(session_key));
5250 ZERO_STRUCT(session_key);
5251 if (session->smb1.application_key.data == NULL) {
5252 return NT_STATUS_NO_MEMORY;
5253 }
5254
5255 session->smb1.protected_key = false;
5256
5257 return NT_STATUS_OK;
5258 }
5259
5260 NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session)
5261 {
5262 if (session->smb1.protected_key) {
5263 /* already protected */
5264 return NT_STATUS_OK;
5265 }
5266
5267 if (session->smb1.application_key.length != 16) {
5268 return NT_STATUS_INVALID_PARAMETER_MIX;
5269 }
5270
5271 smb_key_derivation(session->smb1.application_key.data,
5272 session->smb1.application_key.length,
5273 session->smb1.application_key.data);
5274
5275 session->smb1.protected_key = true;
5276
5277 return NT_STATUS_OK;
5278 }
5279
5280 uint8_t smb2cli_session_security_mode(struct smbXcli_session *session)
5281 {
5282 struct smbXcli_conn *conn = session->conn;
5283 uint8_t security_mode = 0;
5284
5285 if (conn == NULL) {
5286 return security_mode;
5287 }
5288
5289 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
5290 if (conn->mandatory_signing) {
5291 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
5292 }
5293
5294 return security_mode;
5295 }
5296
5297 uint64_t smb2cli_session_current_id(struct smbXcli_session *session)
5298 {
5299 return session->smb2->session_id;
5300 }
5301
5302 uint16_t smb2cli_session_get_flags(struct smbXcli_session *session)
5303 {
5304 return session->smb2->session_flags;
5305 }
5306
5307 void smb2cli_session_set_id_and_flags(struct smbXcli_session *session,
5308 uint64_t session_id,
5309 uint16_t session_flags)
5310 {
5311 session->smb2->session_id = session_id;
5312 session->smb2->session_flags = session_flags;
5313 }
5314
5315 void smb2cli_session_increment_channel_sequence(struct smbXcli_session *session)
5316 {
5317 session->smb2->channel_sequence += 1;
5318 }
5319
5320 uint16_t smb2cli_session_reset_channel_sequence(struct smbXcli_session *session,
5321 uint16_t channel_sequence)
5322 {
5323 uint16_t prev_cs;
5324
5325 prev_cs = session->smb2->channel_sequence;
5326 session->smb2->channel_sequence = channel_sequence;
5327
5328 return prev_cs;
5329 }
5330
5331 void smb2cli_session_start_replay(struct smbXcli_session *session)
5332 {
5333 session->smb2->replay_active = true;
5334 }
5335
5336 void smb2cli_session_stop_replay(struct smbXcli_session *session)
5337 {
5338 session->smb2->replay_active = false;
5339 }
5340
5341 NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
5342 const struct iovec *iov)
5343 {
5344 struct hc_sha512state sctx;
5345 size_t i;
5346
5347 if (session->conn == NULL) {
5348 return NT_STATUS_INTERNAL_ERROR;
5349 }
5350
5351 if (session->conn->protocol < PROTOCOL_SMB3_10) {
5352 return NT_STATUS_OK;
5353 }
5354
5355 if (session->smb2_channel.signing_key.length != 0) {
5356 return NT_STATUS_OK;
5357 }
5358
5359 samba_SHA512_Init(&sctx);
5360 samba_SHA512_Update(&sctx, session->smb2_channel.preauth_sha512,
5361 sizeof(session->smb2_channel.preauth_sha512));
5362 for (i = 0; i < 3; i++) {
5363 samba_SHA512_Update(&sctx, iov[i].iov_base, iov[i].iov_len);
5364 }
5365 samba_SHA512_Final(session->smb2_channel.preauth_sha512, &sctx);
5366
5367 return NT_STATUS_OK;
5368 }
5369
5370 NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
5371 const DATA_BLOB _session_key,
5372 const struct iovec *recv_iov)
5373 {
5374 struct smbXcli_conn *conn = session->conn;
5375 uint16_t no_sign_flags;
5376 uint8_t session_key[16];
5377 bool check_signature = true;
5378 uint32_t hdr_flags;
5379 NTSTATUS status;
5380 struct _derivation {
5381 DATA_BLOB label;
5382 DATA_BLOB context;
5383 };
5384 struct {
5385 struct _derivation signing;
5386 struct _derivation encryption;
5387 struct _derivation decryption;
5388 struct _derivation application;
5389 } derivation = { };
5390
5391 if (conn == NULL) {
5392 return NT_STATUS_INVALID_PARAMETER_MIX;
5393 }
5394
5395 if (recv_iov[0].iov_len != SMB2_HDR_BODY) {
5396 return NT_STATUS_INVALID_PARAMETER_MIX;
5397 }
5398
5399 no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
5400
5401 if (session->smb2->session_flags & no_sign_flags) {
5402 session->smb2->should_sign = false;
5403 return NT_STATUS_OK;
5404 }
5405
5406 if (session->smb2->signing_key.length != 0) {
5407 return NT_STATUS_INVALID_PARAMETER_MIX;
5408 }
5409
5410 if (conn->protocol >= PROTOCOL_SMB3_10) {
5411 struct _derivation *d;
5412 DATA_BLOB p;
5413
5414 p = data_blob_const(session->smb2_channel.preauth_sha512,
5415 sizeof(session->smb2_channel.preauth_sha512));
5416
5417 d = &derivation.signing;
5418 d->label = data_blob_string_const_null("SMBSigningKey");
5419 d->context = p;
5420
5421 d = &derivation.encryption;
5422 d->label = data_blob_string_const_null("SMBC2SCipherKey");
5423 d->context = p;
5424
5425 d = &derivation.decryption;
5426 d->label = data_blob_string_const_null("SMBS2CCipherKey");
5427 d->context = p;
5428
5429 d = &derivation.application;
5430 d->label = data_blob_string_const_null("SMBAppKey");
5431 d->context = p;
5432
5433 } else if (conn->protocol >= PROTOCOL_SMB2_24) {
5434 struct _derivation *d;
5435
5436 d = &derivation.signing;
5437 d->label = data_blob_string_const_null("SMB2AESCMAC");
5438 d->context = data_blob_string_const_null("SmbSign");
5439
5440 d = &derivation.encryption;
5441 d->label = data_blob_string_const_null("SMB2AESCCM");
5442 d->context = data_blob_string_const_null("ServerIn ");
5443
5444 d = &derivation.decryption;
5445 d->label = data_blob_string_const_null("SMB2AESCCM");
5446 d->context = data_blob_string_const_null("ServerOut");
5447
5448 d = &derivation.application;
5449 d->label = data_blob_string_const_null("SMB2APP");
5450 d->context = data_blob_string_const_null("SmbRpc");
5451 }
5452
5453 ZERO_STRUCT(session_key);
5454 memcpy(session_key, _session_key.data,
5455 MIN(_session_key.length, sizeof(session_key)));
5456
5457 session->smb2->signing_key = data_blob_talloc(session,
5458 session_key,
5459 sizeof(session_key));
5460 if (session->smb2->signing_key.data == NULL) {
5461 ZERO_STRUCT(session_key);
5462 return NT_STATUS_NO_MEMORY;
5463 }
5464
5465 if (conn->protocol >= PROTOCOL_SMB2_24) {
5466 struct _derivation *d = &derivation.signing;
5467
5468 smb2_key_derivation(session_key, sizeof(session_key),
5469 d->label.data, d->label.length,
5470 d->context.data, d->context.length,
5471 session->smb2->signing_key.data);
5472 }
5473
5474 session->smb2->encryption_key = data_blob_dup_talloc(session,
5475 session->smb2->signing_key);
5476 if (session->smb2->encryption_key.data == NULL) {
5477 ZERO_STRUCT(session_key);
5478 return NT_STATUS_NO_MEMORY;
5479 }
5480
5481 if (conn->protocol >= PROTOCOL_SMB2_24) {
5482 struct _derivation *d = &derivation.encryption;
5483
5484 smb2_key_derivation(session_key, sizeof(session_key),
5485 d->label.data, d->label.length,
5486 d->context.data, d->context.length,
5487 session->smb2->encryption_key.data);
5488 }
5489
5490 session->smb2->decryption_key = data_blob_dup_talloc(session,
5491 session->smb2->signing_key);
5492 if (session->smb2->decryption_key.data == NULL) {
5493 ZERO_STRUCT(session_key);
5494 return NT_STATUS_NO_MEMORY;
5495 }
5496
5497 if (conn->protocol >= PROTOCOL_SMB2_24) {
5498 struct _derivation *d = &derivation.decryption;
5499
5500 smb2_key_derivation(session_key, sizeof(session_key),
5501 d->label.data, d->label.length,
5502 d->context.data, d->context.length,
5503 session->smb2->decryption_key.data);
5504 }
5505
5506 session->smb2->application_key = data_blob_dup_talloc(session,
5507 session->smb2->signing_key);
5508 if (session->smb2->application_key.data == NULL) {
5509 ZERO_STRUCT(session_key);
5510 return NT_STATUS_NO_MEMORY;
5511 }
5512
5513 if (conn->protocol >= PROTOCOL_SMB2_24) {
5514 struct _derivation *d = &derivation.application;
5515
5516 smb2_key_derivation(session_key, sizeof(session_key),
5517 d->label.data, d->label.length,
5518 d->context.data, d->context.length,
5519 session->smb2->application_key.data);
5520 }
5521 ZERO_STRUCT(session_key);
5522
5523 session->smb2_channel.signing_key = data_blob_dup_talloc(session,
5524 session->smb2->signing_key);
5525 if (session->smb2_channel.signing_key.data == NULL) {
5526 return NT_STATUS_NO_MEMORY;
5527 }
5528
5529 check_signature = conn->mandatory_signing;
5530
5531 hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS);
5532 if (hdr_flags & SMB2_HDR_FLAG_SIGNED) {
5533 /*
5534 * Sadly some vendors don't sign the
5535 * final SMB2 session setup response
5536 *
5537 * At least Windows and Samba are always doing this
5538 * if there's a session key available.
5539 *
5540 * We only check the signature if it's mandatory
5541 * or SMB2_HDR_FLAG_SIGNED is provided.
5542 */
5543 check_signature = true;
5544 }
5545
5546 if (conn->protocol >= PROTOCOL_SMB3_10) {
5547 check_signature = true;
5548 }
5549
5550 if (check_signature) {
5551 status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
5552 session->conn->protocol,
5553 recv_iov, 3);
5554 if (!NT_STATUS_IS_OK(status)) {
5555 return status;
5556 }
5557 }
5558
5559 session->smb2->should_sign = false;
5560 session->smb2->should_encrypt = false;
5561
5562 if (conn->desire_signing) {
5563 session->smb2->should_sign = true;
5564 }
5565
5566 if (conn->smb2.server.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
5567 session->smb2->should_sign = true;
5568 }
5569
5570 if (session->smb2->session_flags & SMB2_SESSION_FLAG_ENCRYPT_DATA) {
5571 session->smb2->should_encrypt = true;
5572 }
5573
5574 if (conn->protocol < PROTOCOL_SMB2_24) {
5575 session->smb2->should_encrypt = false;
5576 }
5577
5578 if (conn->smb2.server.cipher == 0) {
5579 session->smb2->should_encrypt = false;
5580 }
5581
5582 generate_random_buffer((uint8_t *)&session->smb2->nonce_high,
5583 sizeof(session->smb2->nonce_high));
5584 session->smb2->nonce_low = 1;
5585
5586 return NT_STATUS_OK;
5587 }
5588
5589 NTSTATUS smb2cli_session_create_channel(TALLOC_CTX *mem_ctx,
5590 struct smbXcli_session *session1,
5591 struct smbXcli_conn *conn,
5592 struct smbXcli_session **_session2)
5593 {
5594 struct smbXcli_session *session2;
5595
5596 if (session1->smb2->signing_key.length == 0) {
5597 return NT_STATUS_INVALID_PARAMETER_MIX;
5598 }
5599
5600 if (conn == NULL) {
5601 return NT_STATUS_INVALID_PARAMETER_MIX;
5602 }
5603
5604 session2 = talloc_zero(mem_ctx, struct smbXcli_session);
5605 if (session2 == NULL) {
5606 return NT_STATUS_NO_MEMORY;
5607 }
5608 session2->smb2 = talloc_reference(session2, session1->smb2);
5609 if (session2->smb2 == NULL) {
5610 talloc_free(session2);
5611 return NT_STATUS_NO_MEMORY;
5612 }
5613
5614 talloc_set_destructor(session2, smbXcli_session_destructor);
5615 DLIST_ADD_END(conn->sessions, session2, struct smbXcli_session *);
5616 session2->conn = conn;
5617
5618 memcpy(session2->smb2_channel.preauth_sha512,
5619 conn->smb2.preauth_sha512,
5620 sizeof(session2->smb2_channel.preauth_sha512));
5621
5622 *_session2 = session2;
5623 return NT_STATUS_OK;
5624 }
5625
5626 NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
5627 const DATA_BLOB _channel_key,
5628 const struct iovec *recv_iov)
5629 {
5630 struct smbXcli_conn *conn = session->conn;
5631 uint8_t channel_key[16];
5632 NTSTATUS status;
5633 struct _derivation {
5634 DATA_BLOB label;
5635 DATA_BLOB context;
5636 };
5637 struct {
5638 struct _derivation signing;
5639 } derivation = { };
5640
5641 if (conn == NULL) {
5642 return NT_STATUS_INVALID_PARAMETER_MIX;
5643 }
5644
5645 if (session->smb2_channel.signing_key.length != 0) {
5646 return NT_STATUS_INVALID_PARAMETER_MIX;
5647 }
5648
5649 if (conn->protocol >= PROTOCOL_SMB3_10) {
5650 struct _derivation *d;
5651 DATA_BLOB p;
5652
5653 p = data_blob_const(session->smb2_channel.preauth_sha512,
5654 sizeof(session->smb2_channel.preauth_sha512));
5655
5656 d = &derivation.signing;
5657 d->label = data_blob_string_const_null("SMBSigningKey");
5658 d->context = p;
5659 } else if (conn->protocol >= PROTOCOL_SMB2_24) {
5660 struct _derivation *d;
5661
5662 d = &derivation.signing;
5663 d->label = data_blob_string_const_null("SMB2AESCMAC");
5664 d->context = data_blob_string_const_null("SmbSign");
5665 }
5666
5667 ZERO_STRUCT(channel_key);
5668 memcpy(channel_key, _channel_key.data,
5669 MIN(_channel_key.length, sizeof(channel_key)));
5670
5671 session->smb2_channel.signing_key = data_blob_talloc(session,
5672 channel_key,
5673 sizeof(channel_key));
5674 if (session->smb2_channel.signing_key.data == NULL) {
5675 ZERO_STRUCT(channel_key);
5676 return NT_STATUS_NO_MEMORY;
5677 }
5678
5679 if (conn->protocol >= PROTOCOL_SMB2_24) {
5680 struct _derivation *d = &derivation.signing;
5681
5682 smb2_key_derivation(channel_key, sizeof(channel_key),
5683 d->label.data, d->label.length,
5684 d->context.data, d->context.length,
5685 session->smb2_channel.signing_key.data);
5686 }
5687 ZERO_STRUCT(channel_key);
5688
5689 status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
5690 session->conn->protocol,
5691 recv_iov, 3);
5692 if (!NT_STATUS_IS_OK(status)) {
5693 return status;
5694 }
5695
5696 return NT_STATUS_OK;
5697 }
5698
5699 NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
5700 {
5701 if (session->smb2->should_encrypt) {
5702 return NT_STATUS_OK;
5703 }
5704
5705 if (session->conn->protocol < PROTOCOL_SMB2_24) {
5706 return NT_STATUS_NOT_SUPPORTED;
5707 }
5708
5709 if (session->conn->smb2.server.cipher == 0) {
5710 return NT_STATUS_NOT_SUPPORTED;
5711 }
5712
5713 if (session->smb2->signing_key.data == NULL) {
5714 return NT_STATUS_NOT_SUPPORTED;
5715 }
5716 session->smb2->should_encrypt = true;
5717 return NT_STATUS_OK;
5718 }
5719
5720 struct smbXcli_tcon *smbXcli_tcon_create(TALLOC_CTX *mem_ctx)
5721 {
5722 struct smbXcli_tcon *tcon;
5723
5724 tcon = talloc_zero(mem_ctx, struct smbXcli_tcon);
5725 if (tcon == NULL) {
5726 return NULL;
5727 }
5728
5729 return tcon;
5730 }
5731
5732 void smbXcli_tcon_set_fs_attributes(struct smbXcli_tcon *tcon,
5733 uint32_t fs_attributes)
5734 {
5735 tcon->fs_attributes = fs_attributes;
5736 }
5737
5738 uint32_t smbXcli_tcon_get_fs_attributes(struct smbXcli_tcon *tcon)
5739 {
5740 return tcon->fs_attributes;
5741 }
5742
5743 bool smbXcli_tcon_is_dfs_share(struct smbXcli_tcon *tcon)
5744 {
5745 if (tcon == NULL) {
5746 return false;
5747 }
5748
5749 if (tcon->is_smb1) {
5750 if (tcon->smb1.optional_support & SMB_SHARE_IN_DFS) {
5751 return true;
5752 }
5753
5754 return false;
5755 }
5756
5757 if (tcon->smb2.capabilities & SMB2_SHARE_CAP_DFS) {
5758 return true;
5759 }
5760
5761 return false;
5762 }
5763
5764 uint16_t smb1cli_tcon_current_id(struct smbXcli_tcon *tcon)
5765 {
5766 return tcon->smb1.tcon_id;
5767 }
5768
5769 void smb1cli_tcon_set_id(struct smbXcli_tcon *tcon, uint16_t tcon_id)
5770 {
5771 tcon->is_smb1 = true;
5772 tcon->smb1.tcon_id = tcon_id;
5773 }
5774
5775 bool smb1cli_tcon_set_values(struct smbXcli_tcon *tcon,
5776 uint16_t tcon_id,
5777 uint16_t optional_support,
5778 uint32_t maximal_access,
5779 uint32_t guest_maximal_access,
5780 const char *service,
5781 const char *fs_type)
5782 {
5783 tcon->is_smb1 = true;
5784 tcon->fs_attributes = 0;
5785 tcon->smb1.tcon_id = tcon_id;
5786 tcon->smb1.optional_support = optional_support;
5787 tcon->smb1.maximal_access = maximal_access;
5788 tcon->smb1.guest_maximal_access = guest_maximal_access;
5789
5790 TALLOC_FREE(tcon->smb1.service);
5791 tcon->smb1.service = talloc_strdup(tcon, service);
5792 if (service != NULL && tcon->smb1.service == NULL) {
5793 return false;
5794 }
5795
5796 TALLOC_FREE(tcon->smb1.fs_type);
5797 tcon->smb1.fs_type = talloc_strdup(tcon, fs_type);
5798 if (fs_type != NULL && tcon->smb1.fs_type == NULL) {
5799 return false;
5800 }
5801
5802 return true;
5803 }
5804
5805 uint32_t smb2cli_tcon_current_id(struct smbXcli_tcon *tcon)
5806 {
5807 return tcon->smb2.tcon_id;
5808 }
5809
5810 uint32_t smb2cli_tcon_capabilities(struct smbXcli_tcon *tcon)
5811 {
5812 return tcon->smb2.capabilities;
5813 }
5814
5815 void smb2cli_tcon_set_values(struct smbXcli_tcon *tcon,
5816 struct smbXcli_session *session,
5817 uint32_t tcon_id,
5818 uint8_t type,
5819 uint32_t flags,
5820 uint32_t capabilities,
5821 uint32_t maximal_access)
5822 {
5823 tcon->is_smb1 = false;
5824 tcon->fs_attributes = 0;
5825 tcon->smb2.tcon_id = tcon_id;
5826 tcon->smb2.type = type;
5827 tcon->smb2.flags = flags;
5828 tcon->smb2.capabilities = capabilities;
5829 tcon->smb2.maximal_access = maximal_access;
5830
5831 tcon->smb2.should_sign = false;
5832 tcon->smb2.should_encrypt = false;
5833
5834 if (session == NULL) {
5835 return;
5836 }
5837
5838 tcon->smb2.should_sign = session->smb2->should_sign;
5839 tcon->smb2.should_encrypt = session->smb2->should_encrypt;
5840
5841 if (flags & SMB2_SHAREFLAG_ENCRYPT_DATA) {
5842 tcon->smb2.should_encrypt = true;
5843 }
5844 }
5845
5846 void smb2cli_tcon_should_sign(struct smbXcli_tcon *tcon,
5847 bool should_sign)
5848 {
5849 tcon->smb2.should_sign = should_sign;
5850 }
5851
5852 bool smb2cli_tcon_is_signing_on(struct smbXcli_tcon *tcon)
5853 {
5854 if (tcon->smb2.should_encrypt) {
5855 return true;
5856 }
5857
5858 return tcon->smb2.should_sign;
5859 }
5860
5861 void smb2cli_tcon_should_encrypt(struct smbXcli_tcon *tcon,
5862 bool should_encrypt)
5863 {
5864 tcon->smb2.should_encrypt = should_encrypt;
5865 }
5866
5867 bool smb2cli_tcon_is_encryption_on(struct smbXcli_tcon *tcon)
5868 {
5869 return tcon->smb2.should_encrypt;
5870 }
Samba GIT mirror