search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
[Samba.git] / source3 / smbd / smb2_negprot.c
blob885769be24d53779b20f5dd885656ef9c1de35e5
1 /*
2 Unix SMB/CIFS implementation.
3 Core SMB2 server
4
5 Copyright (C) Stefan Metzmacher 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../libcli/smb/smb2_negotiate_context.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "../librpc/ndr/libndr.h"
28 #include "../libcli/smb/smb_signing.h"
29 #include "auth.h"
30 #include "auth/gensec/gensec.h"
31 #include "lib/util/string_wrappers.h"
32 #include "source3/lib/substitute.h"
33 #ifdef HAVE_VALGRIND_CALLGRIND_H
34 #include <valgrind/callgrind.h>
35 #endif /* HAVE_VALGRIND_CALLGRIND_H */
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_SMB2
39
40 /*
41 * this is the entry point if SMB2 is selected via
42 * the SMB negprot and the given dialect.
43 */
44 static NTSTATUS reply_smb20xx(struct smb_request *req, uint16_t dialect)
45 {
46 uint8_t *smb2_inpdu;
47 uint8_t *smb2_hdr;
48 uint8_t *smb2_body;
49 uint8_t *smb2_dyn;
50 size_t len = SMB2_HDR_BODY + 0x24 + 2;
51
52 smb2_inpdu = talloc_zero_array(talloc_tos(), uint8_t, len);
53 if (smb2_inpdu == NULL) {
54 DEBUG(0, ("Could not push spnego blob\n"));
55 reply_nterror(req, NT_STATUS_NO_MEMORY);
56 return NT_STATUS_NO_MEMORY;
57 }
58 smb2_hdr = smb2_inpdu;
59 smb2_body = smb2_hdr + SMB2_HDR_BODY;
60 smb2_dyn = smb2_body + 0x24;
61
62 SIVAL(smb2_hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
63 SIVAL(smb2_hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
64
65 SSVAL(smb2_body, 0x00, 0x0024); /* struct size */
66 SSVAL(smb2_body, 0x02, 0x0001); /* dialect count */
67
68 SSVAL(smb2_dyn, 0x00, dialect);
69
70 req->outbuf = NULL;
71
72 return smbd_smb2_process_negprot(req->xconn, 0, smb2_inpdu, len);
73 }
74
75 /*
76 * this is the entry point if SMB2 is selected via
77 * the SMB negprot and the "SMB 2.002" dialect.
78 */
79 NTSTATUS reply_smb2002(struct smb_request *req, uint16_t choice)
80 {
81 return reply_smb20xx(req, SMB2_DIALECT_REVISION_202);
82 }
83
84 /*
85 * this is the entry point if SMB2 is selected via
86 * the SMB negprot and the "SMB 2.???" dialect.
87 */
88 NTSTATUS reply_smb20ff(struct smb_request *req, uint16_t choice)
89 {
90 struct smbXsrv_connection *xconn = req->xconn;
91 xconn->smb2.allow_2ff = true;
92 return reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF);
93 }
94
95 enum protocol_types smbd_smb2_protocol_dialect_match(const uint8_t *indyn,
96 const int dialect_count,
97 uint16_t *dialect)
98 {
99 struct {
100 enum protocol_types proto;
101 uint16_t dialect;
102 } pd[] = {
103 { PROTOCOL_SMB3_11, SMB3_DIALECT_REVISION_311 },
104 { PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302 },
105 { PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300 },
106 { PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210 },
107 { PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202 },
108 };
109 size_t i;
110
111 for (i = 0; i < ARRAY_SIZE(pd); i ++) {
112 int c = 0;
113
114 if (lp_server_max_protocol() < pd[i].proto) {
115 continue;
116 }
117 if (lp_server_min_protocol() > pd[i].proto) {
118 continue;
119 }
120
121 for (c = 0; c < dialect_count; c++) {
122 *dialect = SVAL(indyn, c*2);
123 if (*dialect == pd[i].dialect) {
124 return pd[i].proto;
125 }
126 }
127 }
128
129 return PROTOCOL_NONE;
130 }
131
132 struct smbd_smb2_request_process_negprot_state {
133 struct smbd_smb2_request *req;
134 DATA_BLOB outbody;
135 DATA_BLOB outdyn;
136 };
137
138 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq);
139
140 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
141 {
142 struct smbd_smb2_request_process_negprot_state *state = NULL;
143 struct smbXsrv_connection *xconn = req->xconn;
144 struct tevent_req *subreq = NULL;
145 NTSTATUS status;
146 const uint8_t *inbody;
147 const uint8_t *indyn = NULL;
148 DATA_BLOB outbody;
149 DATA_BLOB outdyn;
150 DATA_BLOB negprot_spnego_blob;
151 uint16_t security_offset;
152 DATA_BLOB security_buffer;
153 size_t expected_dyn_size = 0;
154 size_t c;
155 uint16_t security_mode;
156 uint16_t dialect_count;
157 uint16_t in_security_mode;
158 uint32_t in_capabilities;
159 DATA_BLOB in_guid_blob;
160 struct GUID in_guid;
161 struct smb2_negotiate_contexts in_c = { .num_contexts = 0, };
162 struct smb2_negotiate_context *in_preauth = NULL;
163 struct smb2_negotiate_context *in_cipher = NULL;
164 struct smb2_negotiate_context *in_sign_algo = NULL;
165 struct smb2_negotiate_contexts out_c = { .num_contexts = 0, };
166 struct smb2_negotiate_context *in_posix = NULL;
167 const struct smb311_capabilities default_smb3_capabilities =
168 smb311_capabilities_parse("server",
169 lp_server_smb3_signing_algorithms(),
170 lp_server_smb3_encryption_algorithms());
171 DATA_BLOB out_negotiate_context_blob = data_blob_null;
172 uint32_t out_negotiate_context_offset = 0;
173 uint16_t out_negotiate_context_count = 0;
174 uint16_t dialect = 0;
175 uint32_t capabilities;
176 DATA_BLOB out_guid_blob;
177 struct GUID out_guid;
178 enum protocol_types protocol = PROTOCOL_NONE;
179 uint32_t max_limit;
180 uint32_t max_trans = lp_smb2_max_trans();
181 uint32_t max_read = lp_smb2_max_read();
182 uint32_t max_write = lp_smb2_max_write();
183 NTTIME now = timeval_to_nttime(&req->request_time);
184 bool ok;
185
186 status = smbd_smb2_request_verify_sizes(req, 0x24);
187 if (!NT_STATUS_IS_OK(status)) {
188 return smbd_smb2_request_error(req, status);
189 }
190 inbody = SMBD_SMB2_IN_BODY_PTR(req);
191
192 dialect_count = SVAL(inbody, 0x02);
193
194 in_security_mode = SVAL(inbody, 0x04);
195 in_capabilities = IVAL(inbody, 0x08);
196 in_guid_blob = data_blob_const(inbody + 0x0C, 16);
197
198 if (dialect_count == 0) {
199 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
200 }
201
202 status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
203 if (!NT_STATUS_IS_OK(status)) {
204 return smbd_smb2_request_error(req, status);
205 }
206
207 expected_dyn_size = dialect_count * 2;
208 if (SMBD_SMB2_IN_DYN_LEN(req) < expected_dyn_size) {
209 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
210 }
211 indyn = SMBD_SMB2_IN_DYN_PTR(req);
212
213 protocol = smbd_smb2_protocol_dialect_match(indyn,
214 dialect_count,
215 &dialect);
216
217 for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
218 if (lp_server_max_protocol() < PROTOCOL_SMB2_10) {
219 break;
220 }
221
222 dialect = SVAL(indyn, c*2);
223 if (dialect == SMB2_DIALECT_REVISION_2FF) {
224 if (xconn->smb2.allow_2ff) {
225 xconn->smb2.allow_2ff = false;
226 protocol = PROTOCOL_SMB2_10;
227 break;
228 }
229 }
230 }
231
232 if (protocol == PROTOCOL_NONE) {
233 return smbd_smb2_request_error(req, NT_STATUS_NOT_SUPPORTED);
234 }
235
236 if (protocol >= PROTOCOL_SMB3_11) {
237 uint32_t in_negotiate_context_offset = 0;
238 uint16_t in_negotiate_context_count = 0;
239 DATA_BLOB in_negotiate_context_blob = data_blob_null;
240 size_t ofs;
241
242 in_negotiate_context_offset = IVAL(inbody, 0x1C);
243 in_negotiate_context_count = SVAL(inbody, 0x20);
244
245 ofs = SMB2_HDR_BODY;
246 ofs += SMBD_SMB2_IN_BODY_LEN(req);
247 ofs += expected_dyn_size;
248 if ((ofs % 8) != 0) {
249 ofs += 8 - (ofs % 8);
250 }
251
252 if (in_negotiate_context_offset != ofs) {
253 return smbd_smb2_request_error(req,
254 NT_STATUS_INVALID_PARAMETER);
255 }
256
257 ofs -= SMB2_HDR_BODY;
258 ofs -= SMBD_SMB2_IN_BODY_LEN(req);
259
260 if (SMBD_SMB2_IN_DYN_LEN(req) < ofs) {
261 return smbd_smb2_request_error(req,
262 NT_STATUS_INVALID_PARAMETER);
263 }
264
265 in_negotiate_context_blob = data_blob_const(indyn,
266 SMBD_SMB2_IN_DYN_LEN(req));
267
268 in_negotiate_context_blob.data += ofs;
269 in_negotiate_context_blob.length -= ofs;
270
271 status = smb2_negotiate_context_parse(req,
272 in_negotiate_context_blob,
273 in_negotiate_context_count,
274 &in_c);
275 if (!NT_STATUS_IS_OK(status)) {
276 return smbd_smb2_request_error(req, status);
277 }
278
279 if (lp_smb3_unix_extensions()) {
280 in_posix = smb2_negotiate_context_find(&in_c,
281 SMB2_POSIX_EXTENSIONS_AVAILABLE);
282
283 if (in_posix != NULL) {
284 const uint8_t *inbuf = in_posix->data.data;
285 size_t inbuflen = in_posix->data.length;
286 bool posix_found = false;
287 /*
288 * For now the server only supports one variant.
289 * Check it's the right one.
290 */
291 if ((inbuflen % 16) != 0) {
292 return smbd_smb2_request_error(req,
293 NT_STATUS_INVALID_PARAMETER);
294 }
295 SMB_ASSERT(strlen(SMB2_CREATE_TAG_POSIX) == 16);
296 for (ofs=0; ofs<inbuflen; ofs+=16) {
297 if (memcmp(inbuf+ofs,
298 SMB2_CREATE_TAG_POSIX,
299 16) == 0) {
300 posix_found = true;
301 break;
302 }
303 }
304 if (posix_found) {
305 DBG_DEBUG("Client requested SMB2 unix "
306 "extensions\n");
307 } else {
308 DBG_DEBUG("Client requested unknown "
309 "SMB2 unix extensions:\n");
310 dump_data(10, inbuf, inbuflen);
311 in_posix = NULL;
312 }
313 }
314 }
315 }
316
317 if ((dialect != SMB2_DIALECT_REVISION_2FF) &&
318 (protocol >= PROTOCOL_SMB2_10) &&
319 !GUID_all_zero(&in_guid))
320 {
321 ok = remote_arch_cache_update(&in_guid);
322 if (!ok) {
323 return smbd_smb2_request_error(
324 req, NT_STATUS_UNSUCCESSFUL);
325 }
326 }
327
328 switch (get_remote_arch()) {
329 case RA_VISTA:
330 case RA_SAMBA:
331 case RA_CIFSFS:
332 case RA_OSX:
333 break;
334 default:
335 set_remote_arch(RA_VISTA);
336 break;
337 }
338
339 {
340 fstring proto;
341 fstr_sprintf(proto,
342 "SMB%X_%02X",
343 (dialect >> 8) & 0xFF, dialect & 0xFF);
344 set_remote_proto(proto);
345 DEBUG(3,("Selected protocol %s\n", proto));
346 }
347
348 reload_services(req->sconn, conn_snum_used, true);
349
350 in_preauth = smb2_negotiate_context_find(&in_c,
351 SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
352 if (protocol >= PROTOCOL_SMB3_11 && in_preauth == NULL) {
353 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
354 }
355 in_cipher = smb2_negotiate_context_find(&in_c,
356 SMB2_ENCRYPTION_CAPABILITIES);
357 in_sign_algo = smb2_negotiate_context_find(&in_c,
358 SMB2_SIGNING_CAPABILITIES);
359
360 /* negprot_spnego() returns a the server guid in the first 16 bytes */
361 negprot_spnego_blob = negprot_spnego(req, xconn);
362 if (negprot_spnego_blob.data == NULL) {
363 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
364 }
365
366 if (negprot_spnego_blob.length < 16) {
367 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
368 }
369
370 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
371 if (xconn->smb2.signing_mandatory) {
372 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
373 }
374
375 capabilities = 0;
376 if (lp_host_msdfs()) {
377 capabilities |= SMB2_CAP_DFS;
378 }
379
380 if (protocol >= PROTOCOL_SMB2_10 &&
381 lp_smb2_leases() &&
382 lp_oplocks(GLOBAL_SECTION_SNUM) &&
383 !lp_kernel_oplocks(GLOBAL_SECTION_SNUM))
384 {
385 capabilities |= SMB2_CAP_LEASING;
386 }
387
388 if ((protocol >= PROTOCOL_SMB3_00) &&
389 (lp_server_smb_encrypt(-1) != SMB_ENCRYPTION_OFF) &&
390 (in_capabilities & SMB2_CAP_ENCRYPTION)) {
391 capabilities |= SMB2_CAP_ENCRYPTION;
392 }
393
394 /*
395 * 0x10000 (65536) is the maximum allowed message size
396 * for SMB 2.0
397 */
398 max_limit = 0x10000;
399
400 if (protocol >= PROTOCOL_SMB2_10) {
401 int p = 0;
402
403 if (tsocket_address_is_inet(req->sconn->local_address, "ip")) {
404 p = tsocket_address_inet_port(req->sconn->local_address);
405 }
406
407 /* largeMTU is not supported over NBT (tcp port 139) */
408 if (p != NBT_SMB_PORT) {
409 capabilities |= SMB2_CAP_LARGE_MTU;
410 xconn->smb2.credits.multicredit = true;
411
412 /*
413 * We allow up to almost 16MB.
414 *
415 * The maximum PDU size is 0xFFFFFF (16776960)
416 * and we need some space for the header.
417 */
418 max_limit = 0xFFFF00;
419 }
420 }
421
422 /*
423 * the defaults are 8MB, but we'll limit this to max_limit based on
424 * the dialect (64kb for SMB 2.0, 8MB for SMB >= 2.1 with LargeMTU)
425 *
426 * user configured values exceeding the limits will be overwritten,
427 * only smaller values will be accepted
428 */
429
430 max_trans = MIN(max_limit, lp_smb2_max_trans());
431 max_read = MIN(max_limit, lp_smb2_max_read());
432 max_write = MIN(max_limit, lp_smb2_max_write());
433
434 if (in_preauth != NULL) {
435 size_t needed = 4;
436 uint16_t hash_count;
437 uint16_t salt_length;
438 uint16_t selected_preauth = 0;
439 const uint8_t *p;
440 uint8_t buf[38];
441 size_t i;
442
443 if (in_preauth->data.length < needed) {
444 return smbd_smb2_request_error(req,
445 NT_STATUS_INVALID_PARAMETER);
446 }
447
448 hash_count = SVAL(in_preauth->data.data, 0);
449 salt_length = SVAL(in_preauth->data.data, 2);
450
451 if (hash_count == 0) {
452 return smbd_smb2_request_error(req,
453 NT_STATUS_INVALID_PARAMETER);
454 }
455
456 p = in_preauth->data.data + needed;
457 needed += hash_count * 2;
458 needed += salt_length;
459
460 if (in_preauth->data.length < needed) {
461 return smbd_smb2_request_error(req,
462 NT_STATUS_INVALID_PARAMETER);
463 }
464
465 for (i=0; i < hash_count; i++) {
466 uint16_t v;
467
468 v = SVAL(p, 0);
469 p += 2;
470
471 if (v == SMB2_PREAUTH_INTEGRITY_SHA512) {
472 selected_preauth = v;
473 break;
474 }
475 }
476
477 if (selected_preauth == 0) {
478 return smbd_smb2_request_error(req,
479 NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP);
480 }
481
482 SSVAL(buf, 0, 1); /* HashAlgorithmCount */
483 SSVAL(buf, 2, 32); /* SaltLength */
484 SSVAL(buf, 4, selected_preauth);
485 generate_random_buffer(buf + 6, 32);
486
487 status = smb2_negotiate_context_add(
488 req,
489 &out_c,
490 SMB2_PREAUTH_INTEGRITY_CAPABILITIES,
491 buf,
492 sizeof(buf));
493 if (!NT_STATUS_IS_OK(status)) {
494 return smbd_smb2_request_error(req, status);
495 }
496
497 req->preauth = &req->xconn->smb2.preauth;
498 }
499
500 if (protocol >= PROTOCOL_SMB3_00) {
501 xconn->smb2.server.sign_algo = SMB2_SIGNING_AES128_CMAC;
502 } else {
503 xconn->smb2.server.sign_algo = SMB2_SIGNING_HMAC_SHA256;
504 }
505
506 if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
507 const struct smb3_encryption_capabilities *srv_ciphers =
508 &default_smb3_capabilities.encryption;
509 uint16_t srv_preferred_idx = UINT16_MAX;
510 size_t needed = 2;
511 uint16_t cipher_count;
512 const uint8_t *p;
513 uint8_t buf[4];
514 size_t i;
515
516 capabilities &= ~SMB2_CAP_ENCRYPTION;
517
518 if (in_cipher->data.length < needed) {
519 return smbd_smb2_request_error(req,
520 NT_STATUS_INVALID_PARAMETER);
521 }
522
523 cipher_count = SVAL(in_cipher->data.data, 0);
524 if (cipher_count == 0) {
525 return smbd_smb2_request_error(req,
526 NT_STATUS_INVALID_PARAMETER);
527 }
528
529 p = in_cipher->data.data + needed;
530 needed += cipher_count * 2;
531
532 if (in_cipher->data.length < needed) {
533 return smbd_smb2_request_error(req,
534 NT_STATUS_INVALID_PARAMETER);
535 }
536
537 for (i=0; i < cipher_count; i++) {
538 uint16_t si;
539 uint16_t v;
540
541 v = SVAL(p, 0);
542 p += 2;
543
544 for (si = 0; si < srv_ciphers->num_algos; si++) {
545 if (srv_ciphers->algos[si] != v) {
546 continue;
547 }
548
549 /*
550 * The server ciphers are listed
551 * with the lowest idx being preferred.
552 */
553 if (si < srv_preferred_idx) {
554 srv_preferred_idx = si;
555 }
556 break;
557 }
558 }
559
560 if (srv_preferred_idx != UINT16_MAX) {
561 xconn->smb2.server.cipher =
562 srv_ciphers->algos[srv_preferred_idx];
563 }
564
565 SSVAL(buf, 0, 1); /* ChiperCount */
566 SSVAL(buf, 2, xconn->smb2.server.cipher);
567
568 status = smb2_negotiate_context_add(
569 req,
570 &out_c,
571 SMB2_ENCRYPTION_CAPABILITIES,
572 buf,
573 sizeof(buf));
574 if (!NT_STATUS_IS_OK(status)) {
575 return smbd_smb2_request_error(req, status);
576 }
577 }
578
579 if (capabilities & SMB2_CAP_ENCRYPTION) {
580 xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
581 }
582
583 if (in_sign_algo != NULL) {
584 const struct smb3_signing_capabilities *srv_sign_algos =
585 &default_smb3_capabilities.signing;
586 uint16_t srv_preferred_idx = UINT16_MAX;
587 size_t needed = 2;
588 uint16_t sign_algo_count;
589 const uint8_t *p;
590 size_t i;
591
592 if (in_sign_algo->data.length < needed) {
593 return smbd_smb2_request_error(req,
594 NT_STATUS_INVALID_PARAMETER);
595 }
596
597 sign_algo_count = SVAL(in_sign_algo->data.data, 0);
598 if (sign_algo_count == 0) {
599 return smbd_smb2_request_error(req,
600 NT_STATUS_INVALID_PARAMETER);
601 }
602
603 p = in_sign_algo->data.data + needed;
604 needed += sign_algo_count * 2;
605
606 if (in_sign_algo->data.length < needed) {
607 return smbd_smb2_request_error(req,
608 NT_STATUS_INVALID_PARAMETER);
609 }
610
611 for (i=0; i < sign_algo_count; i++) {
612 uint16_t si;
613 uint16_t v;
614
615 v = SVAL(p, 0);
616 p += 2;
617
618 for (si = 0; si < srv_sign_algos->num_algos; si++) {
619 if (srv_sign_algos->algos[si] != v) {
620 continue;
621 }
622
623 /*
624 * The server sign_algos are listed
625 * with the lowest idx being preferred.
626 */
627 if (si < srv_preferred_idx) {
628 srv_preferred_idx = si;
629 }
630 break;
631 }
632 }
633
634 /*
635 * If we found a match announce it
636 * otherwise we'll keep the default
637 * of SMB2_SIGNING_AES128_CMAC
638 */
639 if (srv_preferred_idx != UINT16_MAX) {
640 uint8_t buf[4];
641
642 xconn->smb2.server.sign_algo =
643 srv_sign_algos->algos[srv_preferred_idx];
644
645 SSVAL(buf, 0, 1); /* SigningAlgorithmCount */
646 SSVAL(buf, 2, xconn->smb2.server.sign_algo);
647
648 status = smb2_negotiate_context_add(
649 req,
650 &out_c,
651 SMB2_SIGNING_CAPABILITIES,
652 buf,
653 sizeof(buf));
654 if (!NT_STATUS_IS_OK(status)) {
655 return smbd_smb2_request_error(req, status);
656 }
657 }
658 }
659
660 status = smb311_capabilities_check(&default_smb3_capabilities,
661 "smb2srv_negprot",
662 DBGLVL_NOTICE,
663 NT_STATUS_INVALID_PARAMETER,
664 "server",
665 protocol,
666 xconn->smb2.server.sign_algo,
667 xconn->smb2.server.cipher);
668 if (!NT_STATUS_IS_OK(status)) {
669 return smbd_smb2_request_error(req, status);
670 }
671
672 if (protocol >= PROTOCOL_SMB3_00 &&
673 xconn->client->server_multi_channel_enabled)
674 {
675 if (in_capabilities & SMB2_CAP_MULTI_CHANNEL) {
676 capabilities |= SMB2_CAP_MULTI_CHANNEL;
677 }
678 }
679
680 security_offset = SMB2_HDR_BODY + 0x40;
681
682 #if 1
683 /* Try SPNEGO auth... */
684 security_buffer = data_blob_const(negprot_spnego_blob.data + 16,
685 negprot_spnego_blob.length - 16);
686 #else
687 /* for now we want raw NTLMSSP */
688 security_buffer = data_blob_const(NULL, 0);
689 #endif
690
691 if (in_posix != NULL) {
692 /* Client correctly negotiated SMB2 unix extensions. */
693 const uint8_t *buf = (const uint8_t *)SMB2_CREATE_TAG_POSIX;
694 status = smb2_negotiate_context_add(
695 req,
696 &out_c,
697 SMB2_POSIX_EXTENSIONS_AVAILABLE,
698 buf,
699 16);
700 if (!NT_STATUS_IS_OK(status)) {
701 return smbd_smb2_request_error(req, status);
702 }
703 xconn->smb2.server.posix_extensions_negotiated = true;
704 }
705
706 if (out_c.num_contexts != 0) {
707 status = smb2_negotiate_context_push(req,
708 &out_negotiate_context_blob,
709 out_c);
710 if (!NT_STATUS_IS_OK(status)) {
711 return smbd_smb2_request_error(req, status);
712 }
713 }
714
715 if (out_negotiate_context_blob.length != 0) {
716 static const uint8_t zeros[8];
717 size_t pad = 0;
718 size_t ofs;
719
720 outdyn = data_blob_dup_talloc(req, security_buffer);
721 if (outdyn.length != security_buffer.length) {
722 return smbd_smb2_request_error(req,
723 NT_STATUS_NO_MEMORY);
724 }
725
726 ofs = security_offset + security_buffer.length;
727 if ((ofs % 8) != 0) {
728 pad = 8 - (ofs % 8);
729 }
730 ofs += pad;
731
732 ok = data_blob_append(req, &outdyn, zeros, pad);
733 if (!ok) {
734 return smbd_smb2_request_error(req,
735 NT_STATUS_NO_MEMORY);
736 }
737
738 ok = data_blob_append(req, &outdyn,
739 out_negotiate_context_blob.data,
740 out_negotiate_context_blob.length);
741 if (!ok) {
742 return smbd_smb2_request_error(req,
743 NT_STATUS_NO_MEMORY);
744 }
745
746 out_negotiate_context_offset = ofs;
747 out_negotiate_context_count = out_c.num_contexts;
748 } else {
749 outdyn = security_buffer;
750 }
751
752 out_guid_blob = data_blob_const(negprot_spnego_blob.data, 16);
753 status = GUID_from_ndr_blob(&out_guid_blob, &out_guid);
754 if (!NT_STATUS_IS_OK(status)) {
755 return smbd_smb2_request_error(req, status);
756 }
757
758 outbody = smbd_smb2_generate_outbody(req, 0x40);
759 if (outbody.data == NULL) {
760 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
761 }
762
763 SSVAL(outbody.data, 0x00, 0x40 + 1); /* struct size */
764 SSVAL(outbody.data, 0x02,
765 security_mode); /* security mode */
766 SSVAL(outbody.data, 0x04, dialect); /* dialect revision */
767 SSVAL(outbody.data, 0x06,
768 out_negotiate_context_count); /* reserved/NegotiateContextCount */
769 memcpy(outbody.data + 0x08,
770 out_guid_blob.data, 16); /* server guid */
771 SIVAL(outbody.data, 0x18,
772 capabilities); /* capabilities */
773 SIVAL(outbody.data, 0x1C, max_trans); /* max transact size */
774 SIVAL(outbody.data, 0x20, max_read); /* max read size */
775 SIVAL(outbody.data, 0x24, max_write); /* max write size */
776 SBVAL(outbody.data, 0x28, now); /* system time */
777 SBVAL(outbody.data, 0x30, 0); /* server start time */
778 SSVAL(outbody.data, 0x38,
779 security_offset); /* security buffer offset */
780 SSVAL(outbody.data, 0x3A,
781 security_buffer.length); /* security buffer length */
782 SIVAL(outbody.data, 0x3C,
783 out_negotiate_context_offset); /* reserved/NegotiateContextOffset */
784
785 req->sconn->using_smb2 = true;
786
787 if (dialect == SMB2_DIALECT_REVISION_2FF) {
788 return smbd_smb2_request_done(req, outbody, &outdyn);
789 }
790
791 status = smbXsrv_connection_init_tables(xconn, protocol);
792 if (!NT_STATUS_IS_OK(status)) {
793 return smbd_smb2_request_error(req, status);
794 }
795
796 xconn->smb2.client.capabilities = in_capabilities;
797 xconn->smb2.client.security_mode = in_security_mode;
798 xconn->smb2.client.guid = in_guid;
799 xconn->smb2.client.num_dialects = dialect_count;
800 xconn->smb2.client.dialects = talloc_array(xconn,
801 uint16_t,
802 dialect_count);
803 if (xconn->smb2.client.dialects == NULL) {
804 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
805 }
806 for (c=0; c < dialect_count; c++) {
807 xconn->smb2.client.dialects[c] = SVAL(indyn, c*2);
808 }
809
810 xconn->smb2.server.capabilities = capabilities;
811 xconn->smb2.server.security_mode = security_mode;
812 xconn->smb2.server.guid = out_guid;
813 xconn->smb2.server.dialect = dialect;
814 xconn->smb2.server.max_trans = max_trans;
815 xconn->smb2.server.max_read = max_read;
816 xconn->smb2.server.max_write = max_write;
817
818 if (xconn->protocol < PROTOCOL_SMB2_10) {
819 /*
820 * SMB2_02 doesn't support client guids
821 */
822 return smbd_smb2_request_done(req, outbody, &outdyn);
823 }
824
825 if (!xconn->client->server_multi_channel_enabled) {
826 /*
827 * Only deal with the client guid database
828 * if multi-channel is enabled.
829 *
830 * But we still need to setup
831 * xconn->client->global->client_guid to
832 * the correct value.
833 */
834 xconn->client->global->client_guid =
835 xconn->smb2.client.guid;
836 return smbd_smb2_request_done(req, outbody, &outdyn);
837 }
838
839 if (xconn->smb2.client.guid_verified) {
840 /*
841 * The connection was passed from another
842 * smbd process.
843 */
844 return smbd_smb2_request_done(req, outbody, &outdyn);
845 }
846
847 state = talloc_zero(req, struct smbd_smb2_request_process_negprot_state);
848 if (state == NULL) {
849 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
850 }
851 *state = (struct smbd_smb2_request_process_negprot_state) {
852 .req = req,
853 .outbody = outbody,
854 .outdyn = outdyn,
855 };
856
857 subreq = smb2srv_client_mc_negprot_send(state,
858 req->xconn->client->raw_ev_ctx,
859 req);
860 if (subreq == NULL) {
861 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
862 }
863 tevent_req_set_callback(subreq,
864 smbd_smb2_request_process_negprot_mc_done,
865 state);
866 return NT_STATUS_OK;
867 }
868
869 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq)
870 {
871 struct smbd_smb2_request_process_negprot_state *state =
872 tevent_req_callback_data(subreq,
873 struct smbd_smb2_request_process_negprot_state);
874 struct smbd_smb2_request *req = state->req;
875 struct smbXsrv_connection *xconn = req->xconn;
876 NTSTATUS status;
877
878 status = smb2srv_client_mc_negprot_recv(subreq);
879 TALLOC_FREE(subreq);
880 if (NT_STATUS_EQUAL(status, NT_STATUS_MESSAGE_RETRIEVED)) {
881 /*
882 * The connection was passed to another process
883 */
884 smbd_server_connection_terminate(xconn,
885 "passed connection");
886 /*
887 * smbd_server_connection_terminate() should not return!
888 */
889 smb_panic(__location__);
890 return;
891 }
892 if (!NT_STATUS_IS_OK(status)) {
893 status = smbd_smb2_request_error(req, status);
894 if (NT_STATUS_IS_OK(status)) {
895 return;
896 }
897
898 /*
899 * The connection was passed to another process
900 */
901 smbd_server_connection_terminate(xconn, nt_errstr(status));
902 /*
903 * smbd_server_connection_terminate() should not return!
904 */
905 smb_panic(__location__);
906 return;
907 }
908
909 /*
910 * We're the first connection...
911 */
912 status = smbd_smb2_request_done(req, state->outbody, &state->outdyn);
913 if (NT_STATUS_IS_OK(status)) {
914 /*
915 * This allows us to support starting smbd under
916 * callgrind and only start the overhead and
917 * instrumentation after the SMB2 negprot,
918 * this allows us to profile only useful
919 * stuff and not all the smbd startup, forking
920 * and multichannel handling.
921 *
922 * valgrind --tool=callgrind --instr-atstart=no smbd
923 */
924 #ifdef CALLGRIND_START_INSTRUMENTATION
925 CALLGRIND_START_INSTRUMENTATION;
926 #endif
927 return;
928 }
929
930 /*
931 * The connection was passed to another process
932 */
933 smbd_server_connection_terminate(xconn, nt_errstr(status));
934 /*
935 * smbd_server_connection_terminate() should not return!
936 */
937 smb_panic(__location__);
938 return;
939 }
940
941 /****************************************************************************
942 Generate the spnego negprot reply blob. Return the number of bytes used.
943 ****************************************************************************/
944
945 DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbXsrv_connection *xconn)
946 {
947 DATA_BLOB blob = data_blob_null;
948 DATA_BLOB blob_out = data_blob_null;
949 nstring dos_name;
950 fstring unix_name;
951 NTSTATUS status;
952 #ifdef DEVELOPER
953 size_t slen;
954 #endif
955 struct gensec_security *gensec_security;
956
957 /* See if we can get an SPNEGO blob */
958 status = auth_generic_prepare(talloc_tos(),
959 xconn->remote_address,
960 xconn->local_address,
961 "SMB",
962 &gensec_security);
963
964 /*
965 * Despite including it above, there is no need to set a
966 * remote address or similar as we are just interested in the
967 * SPNEGO blob, we never keep this context.
968 */
969
970 if (NT_STATUS_IS_OK(status)) {
971 status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
972 if (NT_STATUS_IS_OK(status)) {
973 status = gensec_update(gensec_security, ctx,
974 data_blob_null, &blob);
975 /* If we get the list of OIDs, the 'OK' answer
976 * is NT_STATUS_MORE_PROCESSING_REQUIRED */
977 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
978 DEBUG(0, ("Failed to start SPNEGO handler for negprot OID list!\n"));
979 blob = data_blob_null;
980 }
981 }
982 TALLOC_FREE(gensec_security);
983 }
984
985 #if defined(WITH_SMB1SERVER)
986 xconn->smb1.negprot.spnego = true;
987 #endif
988
989 /* strangely enough, NT does not sent the single OID NTLMSSP when
990 not a ADS member, it sends no OIDs at all
991
992 OLD COMMENT : "we can't do this until we teach our session setup parser to know
993 about raw NTLMSSP (clients send no ASN.1 wrapping if we do this)"
994
995 Our sessionsetup code now handles raw NTLMSSP connects, so we can go
996 back to doing what W2K3 does here. This is needed to make PocketPC 2003
997 CIFS connections work with SPNEGO. See bugzilla bugs #1828 and #3133
998 for details. JRA.
999
1000 */
1001
1002 if (blob.length == 0 || blob.data == NULL) {
1003 return data_blob_null;
1004 }
1005
1006 blob_out = data_blob_talloc(ctx, NULL, 16 + blob.length);
1007 if (blob_out.data == NULL) {
1008 data_blob_free(&blob);
1009 return data_blob_null;
1010 }
1011
1012 memset(blob_out.data, '\0', 16);
1013
1014 checked_strlcpy(unix_name, lp_netbios_name(), sizeof(unix_name));
1015 (void)strlower_m(unix_name);
1016 push_ascii_nstring(dos_name, unix_name);
1017 strlcpy((char *)blob_out.data, dos_name, 17);
1018
1019 #ifdef DEVELOPER
1020 /* Fix valgrind 'uninitialized bytes' issue. */
1021 slen = strlen(dos_name);
1022 if (slen < 16) {
1023 memset(blob_out.data+slen, '\0', 16 - slen);
1024 }
1025 #endif
1026
1027 memcpy(&blob_out.data[16], blob.data, blob.length);
1028
1029 data_blob_free(&blob);
1030
1031 return blob_out;
1032 }
1033
1034 /*
1035 * MS-CIFS, 2.2.4.52.2 SMB_COM_NEGOTIATE Response:
1036 * If the server does not support any of the listed dialects, it MUST return a
1037 * DialectIndex of 0XFFFF
1038 */
1039 #define NO_PROTOCOL_CHOSEN 0xffff
1040
1041 #define PROT_SMB_2_002 0x1000
1042 #define PROT_SMB_2_FF 0x2000
1043
1044 /* List of supported SMB1 protocols, most desired first.
1045 * This is for enabling multi-protocol negotiation in SMB2 when SMB1
1046 * is disabled.
1047 */
1048 static const struct {
1049 const char *proto_name;
1050 const char *short_name;
1051 NTSTATUS (*proto_reply_fn)(struct smb_request *req, uint16_t choice);
1052 int protocol_level;
1053 } supported_protocols[] = {
1054 {"SMB 2.???", "SMB2_FF", reply_smb20ff, PROTOCOL_SMB2_10},
1055 {"SMB 2.002", "SMB2_02", reply_smb2002, PROTOCOL_SMB2_02},
1056 {NULL,NULL,NULL,0},
1057 };
1058
1059 /****************************************************************************
1060 Reply to a negprot.
1061 conn POINTER CAN BE NULL HERE !
1062 ****************************************************************************/
1063
1064 NTSTATUS smb2_multi_protocol_reply_negprot(struct smb_request *req)
1065 {
1066 size_t choice = 0;
1067 bool choice_set = false;
1068 int protocol;
1069 const char *p;
1070 int num_cliprotos;
1071 char **cliprotos;
1072 size_t i;
1073 size_t converted_size;
1074 struct smbXsrv_connection *xconn = req->xconn;
1075 struct smbd_server_connection *sconn = req->sconn;
1076 int max_proto;
1077 int min_proto;
1078 NTSTATUS status;
1079
1080 START_PROFILE(SMBnegprot);
1081
1082 if (req->buflen == 0) {
1083 DEBUG(0, ("negprot got no protocols\n"));
1084 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1085 END_PROFILE(SMBnegprot);
1086 return NT_STATUS_INVALID_PARAMETER;
1087 }
1088
1089 if (req->buf[req->buflen-1] != '\0') {
1090 DEBUG(0, ("negprot protocols not 0-terminated\n"));
1091 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1092 END_PROFILE(SMBnegprot);
1093 return NT_STATUS_INVALID_PARAMETER;
1094 }
1095
1096 p = (const char *)req->buf + 1;
1097
1098 num_cliprotos = 0;
1099 cliprotos = NULL;
1100
1101 while (smbreq_bufrem(req, p) > 0) {
1102
1103 char **tmp;
1104
1105 tmp = talloc_realloc(talloc_tos(), cliprotos, char *,
1106 num_cliprotos+1);
1107 if (tmp == NULL) {
1108 DEBUG(0, ("talloc failed\n"));
1109 TALLOC_FREE(cliprotos);
1110 reply_nterror(req, NT_STATUS_NO_MEMORY);
1111 END_PROFILE(SMBnegprot);
1112 return NT_STATUS_NO_MEMORY;
1113 }
1114
1115 cliprotos = tmp;
1116
1117 if (!pull_ascii_talloc(cliprotos, &cliprotos[num_cliprotos], p,
1118 &converted_size)) {
1119 DEBUG(0, ("pull_ascii_talloc failed\n"));
1120 TALLOC_FREE(cliprotos);
1121 reply_nterror(req, NT_STATUS_NO_MEMORY);
1122 END_PROFILE(SMBnegprot);
1123 return NT_STATUS_NO_MEMORY;
1124 }
1125
1126 DEBUG(3, ("Requested protocol [%s]\n",
1127 cliprotos[num_cliprotos]));
1128
1129 num_cliprotos += 1;
1130 p += strlen(p) + 2;
1131 }
1132
1133 /* possibly reload - change of architecture */
1134 reload_services(sconn, conn_snum_used, true);
1135
1136 /*
1137 * Anything higher than PROTOCOL_SMB2_10 still
1138 * needs to go via "SMB 2.???", which is marked
1139 * as PROTOCOL_SMB2_10.
1140 *
1141 * The real negotiation happens via reply_smb20ff()
1142 * using SMB2 Negotiation.
1143 */
1144 max_proto = lp_server_max_protocol();
1145 if (max_proto > PROTOCOL_SMB2_10) {
1146 max_proto = PROTOCOL_SMB2_10;
1147 }
1148 min_proto = lp_server_min_protocol();
1149 if (min_proto > PROTOCOL_SMB2_10) {
1150 min_proto = PROTOCOL_SMB2_10;
1151 }
1152
1153 /* Check for protocols, most desirable first */
1154 for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
1155 i = 0;
1156 if ((supported_protocols[protocol].protocol_level <= max_proto) &&
1157 (supported_protocols[protocol].protocol_level >= min_proto))
1158 while (i < num_cliprotos) {
1159 if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) {
1160 choice = i;
1161 choice_set = true;
1162 }
1163 i++;
1164 }
1165 if (choice_set) {
1166 break;
1167 }
1168 }
1169
1170 if (!choice_set) {
1171 bool ok;
1172
1173 DBG_NOTICE("No protocol supported !\n");
1174 reply_smb1_outbuf(req, 1, 0);
1175 SSVAL(req->outbuf, smb_vwv0, NO_PROTOCOL_CHOSEN);
1176
1177 ok = smb1_srv_send(xconn, (char *)req->outbuf, false, 0, false);
1178 if (!ok) {
1179 DBG_NOTICE("smb1_srv_send failed\n");
1180 }
1181 exit_server_cleanly("no protocol supported\n");
1182 }
1183
1184 set_remote_proto(supported_protocols[protocol].short_name);
1185 reload_services(sconn, conn_snum_used, true);
1186 status = supported_protocols[protocol].proto_reply_fn(req, choice);
1187 if (!NT_STATUS_IS_OK(status)) {
1188 exit_server_cleanly("negprot function failed\n");
1189 }
1190
1191 DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name));
1192
1193 DBG_INFO("negprot index=%zu\n", choice);
1194
1195 TALLOC_FREE(cliprotos);
1196
1197 END_PROFILE(SMBnegprot);
1198 return NT_STATUS_OK;
1199 }
Samba GIT mirror