source3/smbd/smb2_sesssetup.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Core SMB2 server
   4
   5    Copyright (C) Stefan Metzmacher 2009
   6    Copyright (C) Jeremy Allison 2010
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "smbd/smbd.h"
  24 #include "smbd/globals.h"
  25 #include "../libcli/smb/smb_common.h"
  26 #include "../auth/gensec/gensec.h"
  27 #include "auth.h"
  28 #include "../lib/tsocket/tsocket.h"
  29 #include "../libcli/security/security.h"
  30 #include "../lib/util/tevent_ntstatus.h"
  31 #include "lib/crypto/sha512.h"
  32 #include "lib/crypto/aes.h"
  33 #include "lib/crypto/aes_ccm_128.h"
  34 #include "lib/crypto/aes_gcm_128.h"
  35
  36 static struct tevent_req *smbd_smb2_session_setup_wrap_send(TALLOC_CTX *mem_ctx,
  37                                         struct tevent_context *ev,
  38                                         struct smbd_smb2_request *smb2req,
  39                                         uint64_t in_session_id,
  40                                         uint8_t in_flags,
  41                                         uint8_t in_security_mode,
  42                                         uint64_t in_previous_session_id,
  43                                         DATA_BLOB in_security_buffer);
  44 static NTSTATUS smbd_smb2_session_setup_wrap_recv(struct tevent_req *req,
  45                                         uint16_t *out_session_flags,
  46                                         TALLOC_CTX *mem_ctx,
  47                                         DATA_BLOB *out_security_buffer,
  48                                         uint64_t *out_session_id);
  49
  50 static void smbd_smb2_request_sesssetup_done(struct tevent_req *subreq);
  51
  52 NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *smb2req)
  53 {
  54         const uint8_t *inhdr;
  55         const uint8_t *inbody;
  56         uint64_t in_session_id;
  57         uint8_t in_flags;
  58         uint8_t in_security_mode;
  59         uint64_t in_previous_session_id;
  60         uint16_t in_security_offset;
  61         uint16_t in_security_length;
  62         DATA_BLOB in_security_buffer;
  63         NTSTATUS status;
  64         struct tevent_req *subreq;
  65
  66         status = smbd_smb2_request_verify_sizes(smb2req, 0x19);
  67         if (!NT_STATUS_IS_OK(status)) {
  68                 return smbd_smb2_request_error(smb2req, status);
  69         }
  70         inhdr = SMBD_SMB2_IN_HDR_PTR(smb2req);
  71         inbody = SMBD_SMB2_IN_BODY_PTR(smb2req);
  72
  73         in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
  74
  75         in_flags = CVAL(inbody, 0x02);
  76         in_security_mode = CVAL(inbody, 0x03);
  77         /* Capabilities = IVAL(inbody, 0x04) */
  78         /* Channel = IVAL(inbody, 0x08) */
  79         in_security_offset = SVAL(inbody, 0x0C);
  80         in_security_length = SVAL(inbody, 0x0E);
  81         in_previous_session_id = BVAL(inbody, 0x10);
  82
  83         if (in_security_offset != (SMB2_HDR_BODY + SMBD_SMB2_IN_BODY_LEN(smb2req))) {
  84                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  85         }
  86
  87         if (in_security_length > SMBD_SMB2_IN_DYN_LEN(smb2req)) {
  88                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  89         }
  90
  91         in_security_buffer.data = SMBD_SMB2_IN_DYN_PTR(smb2req);
  92         in_security_buffer.length = in_security_length;
  93
  94         subreq = smbd_smb2_session_setup_wrap_send(smb2req,
  95                                                    smb2req->sconn->ev_ctx,
  96                                                    smb2req,
  97                                                    in_session_id,
  98                                                    in_flags,
  99                                                    in_security_mode,
 100                                                    in_previous_session_id,
 101                                                    in_security_buffer);
 102         if (subreq == NULL) {
 103                 return smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY);
 104         }
 105         tevent_req_set_callback(subreq, smbd_smb2_request_sesssetup_done, smb2req);
 106
 107         return smbd_smb2_request_pending_queue(smb2req, subreq, 500);
 108 }
 109
 110 static void smbd_smb2_request_sesssetup_done(struct tevent_req *subreq)
 111 {
 112         struct smbd_smb2_request *smb2req =
 113                 tevent_req_callback_data(subreq,
 114                 struct smbd_smb2_request);
 115         uint8_t *outhdr;
 116         DATA_BLOB outbody;
 117         DATA_BLOB outdyn;
 118         uint16_t out_session_flags = 0;
 119         uint64_t out_session_id = 0;
 120         uint16_t out_security_offset;
 121         DATA_BLOB out_security_buffer = data_blob_null;
 122         NTSTATUS status;
 123         NTSTATUS error; /* transport error */
 124
 125         status = smbd_smb2_session_setup_wrap_recv(subreq,
 126                                                    &out_session_flags,
 127                                                    smb2req,
 128                                                    &out_security_buffer,
 129                                                    &out_session_id);
 130         TALLOC_FREE(subreq);
 131         if (!NT_STATUS_IS_OK(status) &&
 132             !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 133                 status = nt_status_squash(status);
 134                 error = smbd_smb2_request_error(smb2req, status);
 135                 if (!NT_STATUS_IS_OK(error)) {
 136                         smbd_server_connection_terminate(smb2req->xconn,
 137                                                          nt_errstr(error));
 138                         return;
 139                 }
 140                 return;
 141         }
 142
 143         out_security_offset = SMB2_HDR_BODY + 0x08;
 144
 145         outhdr = SMBD_SMB2_OUT_HDR_PTR(smb2req);
 146
 147         outbody = smbd_smb2_generate_outbody(smb2req, 0x08);
 148         if (outbody.data == NULL) {
 149                 error = smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY);
 150                 if (!NT_STATUS_IS_OK(error)) {
 151                         smbd_server_connection_terminate(smb2req->xconn,
 152                                                          nt_errstr(error));
 153                         return;
 154                 }
 155                 return;
 156         }
 157
 158         SBVAL(outhdr, SMB2_HDR_SESSION_ID, out_session_id);
 159
 160         SSVAL(outbody.data, 0x00, 0x08 + 1);    /* struct size */
 161         SSVAL(outbody.data, 0x02,
 162               out_session_flags);               /* session flags */
 163         SSVAL(outbody.data, 0x04,
 164               out_security_offset);             /* security buffer offset */
 165         SSVAL(outbody.data, 0x06,
 166               out_security_buffer.length);      /* security buffer length */
 167
 168         outdyn = out_security_buffer;
 169
 170         error = smbd_smb2_request_done_ex(smb2req, status, outbody, &outdyn,
 171                                            __location__);
 172         if (!NT_STATUS_IS_OK(error)) {
 173                 smbd_server_connection_terminate(smb2req->xconn,
 174                                                  nt_errstr(error));
 175                 return;
 176         }
 177 }
 178
 179 static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 180                                         struct smbXsrv_session_auth0 **_auth,
 181                                         struct smbd_smb2_request *smb2req,
 182                                         uint8_t in_security_mode,
 183                                         struct auth_session_info *session_info,
 184                                         uint16_t *out_session_flags,
 185                                         uint64_t *out_session_id)
 186 {
 187         NTSTATUS status;
 188         bool guest = false;
 189         uint8_t session_key[16];
 190         struct smbXsrv_session *x = session;
 191         struct smbXsrv_session_auth0 *auth = *_auth;
 192         struct smbXsrv_connection *xconn = smb2req->xconn;
 193         struct _derivation {
 194                 DATA_BLOB label;
 195                 DATA_BLOB context;
 196         };
 197         struct {
 198                 struct _derivation signing;
 199                 struct _derivation encryption;
 200                 struct _derivation decryption;
 201                 struct _derivation application;
 202         } derivation = { };
 203
 204         *_auth = NULL;
 205
 206         if (xconn->protocol >= PROTOCOL_SMB3_10) {
 207                 struct smbXsrv_preauth *preauth;
 208                 struct _derivation *d;
 209                 DATA_BLOB p;
 210                 struct hc_sha512state sctx;
 211                 size_t i;
 212
 213                 preauth = talloc_move(smb2req, &auth->preauth);
 214
 215                 samba_SHA512_Init(&sctx);
 216                 samba_SHA512_Update(&sctx, preauth->sha512_value,
 217                                     sizeof(preauth->sha512_value));
 218                 for (i = 1; i < smb2req->in.vector_count; i++) {
 219                         samba_SHA512_Update(&sctx,
 220                                             smb2req->in.vector[i].iov_base,
 221                                             smb2req->in.vector[i].iov_len);
 222                 }
 223                 samba_SHA512_Final(preauth->sha512_value, &sctx);
 224
 225                 p = data_blob_const(preauth->sha512_value,
 226                                     sizeof(preauth->sha512_value));
 227
 228                 d = &derivation.signing;
 229                 d->label = data_blob_string_const_null("SMBSigningKey");
 230                 d->context = p;
 231
 232                 d = &derivation.decryption;
 233                 d->label = data_blob_string_const_null("SMBC2SCipherKey");
 234                 d->context = p;
 235
 236                 d = &derivation.encryption;
 237                 d->label = data_blob_string_const_null("SMBS2CCipherKey");
 238                 d->context = p;
 239
 240                 d = &derivation.application;
 241                 d->label = data_blob_string_const_null("SMBAppKey");
 242                 d->context = p;
 243
 244         } else if (xconn->protocol >= PROTOCOL_SMB2_24) {
 245                 struct _derivation *d;
 246
 247                 d = &derivation.signing;
 248                 d->label = data_blob_string_const_null("SMB2AESCMAC");
 249                 d->context = data_blob_string_const_null("SmbSign");
 250
 251                 d = &derivation.decryption;
 252                 d->label = data_blob_string_const_null("SMB2AESCCM");
 253                 d->context = data_blob_string_const_null("ServerIn ");
 254
 255                 d = &derivation.encryption;
 256                 d->label = data_blob_string_const_null("SMB2AESCCM");
 257                 d->context = data_blob_string_const_null("ServerOut");
 258
 259                 d = &derivation.application;
 260                 d->label = data_blob_string_const_null("SMB2APP");
 261                 d->context = data_blob_string_const_null("SmbRpc");
 262         }
 263
 264         if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
 265             lp_server_signing() == SMB_SIGNING_REQUIRED) {
 266                 x->global->signing_required = true;
 267         }
 268
 269         if ((lp_smb_encrypt(-1) >= SMB_SIGNING_DESIRED) &&
 270             (xconn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) {
 271                 x->encryption_desired = true;
 272         }
 273
 274         if (lp_smb_encrypt(-1) == SMB_SIGNING_REQUIRED) {
 275                 x->encryption_desired = true;
 276                 x->global->encryption_required = true;
 277         }
 278
 279         if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
 280                 /* we map anonymous to guest internally */
 281                 *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
 282                 *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
 283                 /* force no signing */
 284                 x->global->signing_required = false;
 285                 guest = true;
 286         }
 287
 288         if (guest && x->global->encryption_required) {
 289                 DEBUG(1,("reject guest session as encryption is required\n"));
 290                 return NT_STATUS_ACCESS_DENIED;
 291         }
 292
 293         if (xconn->smb2.server.cipher == 0) {
 294                 if (x->global->encryption_required) {
 295                         DEBUG(1,("reject session with dialect[0x%04X] "
 296                                  "as encryption is required\n",
 297                                  xconn->smb2.server.dialect));
 298                         return NT_STATUS_ACCESS_DENIED;
 299                 }
 300         }
 301
 302         if (x->encryption_desired) {
 303                 *out_session_flags |= SMB2_SESSION_FLAG_ENCRYPT_DATA;
 304         }
 305
 306         ZERO_STRUCT(session_key);
 307         memcpy(session_key, session_info->session_key.data,
 308                MIN(session_info->session_key.length, sizeof(session_key)));
 309
 310         x->global->signing_key = data_blob_talloc(x->global,
 311                                                   session_key,
 312                                                   sizeof(session_key));
 313         if (x->global->signing_key.data == NULL) {
 314                 ZERO_STRUCT(session_key);
 315                 return NT_STATUS_NO_MEMORY;
 316         }
 317
 318         if (xconn->protocol >= PROTOCOL_SMB2_24) {
 319                 struct _derivation *d = &derivation.signing;
 320
 321                 smb2_key_derivation(session_key, sizeof(session_key),
 322                                     d->label.data, d->label.length,
 323                                     d->context.data, d->context.length,
 324                                     x->global->signing_key.data);
 325         }
 326
 327         if (xconn->protocol >= PROTOCOL_SMB2_24) {
 328                 struct _derivation *d = &derivation.decryption;
 329
 330                 x->global->decryption_key = data_blob_talloc(x->global,
 331                                                              session_key,
 332                                                              sizeof(session_key));
 333                 if (x->global->decryption_key.data == NULL) {
 334                         ZERO_STRUCT(session_key);
 335                         return NT_STATUS_NO_MEMORY;
 336                 }
 337
 338                 smb2_key_derivation(session_key, sizeof(session_key),
 339                                     d->label.data, d->label.length,
 340                                     d->context.data, d->context.length,
 341                                     x->global->decryption_key.data);
 342         }
 343
 344         if (xconn->protocol >= PROTOCOL_SMB2_24) {
 345                 struct _derivation *d = &derivation.encryption;
 346                 size_t nonce_size;
 347
 348                 x->global->encryption_key = data_blob_talloc(x->global,
 349                                                              session_key,
 350                                                              sizeof(session_key));
 351                 if (x->global->encryption_key.data == NULL) {
 352                         ZERO_STRUCT(session_key);
 353                         return NT_STATUS_NO_MEMORY;
 354                 }
 355
 356                 smb2_key_derivation(session_key, sizeof(session_key),
 357                                     d->label.data, d->label.length,
 358                                     d->context.data, d->context.length,
 359                                     x->global->encryption_key.data);
 360
 361                 /*
 362                  * CCM and GCM algorithms must never have their
 363                  * nonce wrap, or the security of the whole
 364                  * communication and the keys is destroyed.
 365                  * We must drop the connection once we have
 366                  * transfered too much data.
 367                  *
 368                  * NOTE: We assume nonces greater than 8 bytes.
 369                  */
 370                 generate_random_buffer((uint8_t *)&x->nonce_high_random,
 371                                        sizeof(x->nonce_high_random));
 372                 switch (xconn->smb2.server.cipher) {
 373                 case SMB2_ENCRYPTION_AES128_CCM:
 374                         nonce_size = AES_CCM_128_NONCE_SIZE;
 375                         break;
 376                 case SMB2_ENCRYPTION_AES128_GCM:
 377                         nonce_size = AES_GCM_128_IV_SIZE;
 378                         break;
 379                 default:
 380                         nonce_size = 0;
 381                         break;
 382                 }
 383                 x->nonce_high_max = SMB2_NONCE_HIGH_MAX(nonce_size);
 384                 x->nonce_high = 0;
 385                 x->nonce_low = 0;
 386         }
 387
 388         x->global->application_key = data_blob_dup_talloc(x->global,
 389                                                 x->global->signing_key);
 390         if (x->global->application_key.data == NULL) {
 391                 ZERO_STRUCT(session_key);
 392                 return NT_STATUS_NO_MEMORY;
 393         }
 394
 395         if (xconn->protocol >= PROTOCOL_SMB2_24) {
 396                 struct _derivation *d = &derivation.application;
 397
 398                 smb2_key_derivation(session_key, sizeof(session_key),
 399                                     d->label.data, d->label.length,
 400                                     d->context.data, d->context.length,
 401                                     x->global->application_key.data);
 402         }
 403         ZERO_STRUCT(session_key);
 404
 405         x->global->channels[0].signing_key = data_blob_dup_talloc(x->global->channels,
 406                                                 x->global->signing_key);
 407         if (x->global->channels[0].signing_key.data == NULL) {
 408                 return NT_STATUS_NO_MEMORY;
 409         }
 410
 411         data_blob_clear_free(&session_info->session_key);
 412         session_info->session_key = data_blob_dup_talloc(session_info,
 413                                                 x->global->application_key);
 414         if (session_info->session_key.data == NULL) {
 415                 return NT_STATUS_NO_MEMORY;
 416         }
 417
 418         session->compat = talloc_zero(session, struct user_struct);
 419         if (session->compat == NULL) {
 420                 return NT_STATUS_NO_MEMORY;
 421         }
 422         session->compat->session = session;
 423         session->compat->homes_snum = -1;
 424         session->compat->session_info = session_info;
 425         session->compat->session_keystr = NULL;
 426         session->compat->vuid = session->global->session_wire_id;
 427         DLIST_ADD(smb2req->sconn->users, session->compat);
 428         smb2req->sconn->num_users++;
 429
 430         if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
 431                 session->compat->homes_snum =
 432                         register_homes_share(session_info->unix_info->unix_name);
 433         }
 434
 435         set_current_user_info(session_info->unix_info->sanitized_username,
 436                               session_info->unix_info->unix_name,
 437                               session_info->info->domain_name);
 438
 439         reload_services(smb2req->sconn, conn_snum_used, true);
 440
 441         session->status = NT_STATUS_OK;
 442         session->global->auth_session_info = session_info;
 443         session->global->auth_session_info_seqnum += 1;
 444         session->global->channels[0].auth_session_info_seqnum =
 445                 session->global->auth_session_info_seqnum;
 446         session->global->auth_time = timeval_to_nttime(&smb2req->request_time);
 447         session->global->expiration_time = gensec_expire_time(auth->gensec);
 448
 449         if (!session_claim(session)) {
 450                 DEBUG(1, ("smb2: Failed to claim session "
 451                         "for vuid=%llu\n",
 452                         (unsigned long long)session->compat->vuid));
 453                 return NT_STATUS_LOGON_FAILURE;
 454         }
 455
 456         TALLOC_FREE(auth);
 457         status = smbXsrv_session_update(session);
 458         if (!NT_STATUS_IS_OK(status)) {
 459                 DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
 460                           (unsigned long long)session->compat->vuid,
 461                           nt_errstr(status)));
 462                 return NT_STATUS_LOGON_FAILURE;
 463         }
 464
 465         /*
 466          * we attach the session to the request
 467          * so that the response can be signed
 468          */
 469         if (!guest) {
 470                 smb2req->do_signing = true;
 471         }
 472
 473         global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
 474
 475         *out_session_id = session->global->session_wire_id;
 476
 477         return NT_STATUS_OK;
 478 }
 479
 480 static NTSTATUS smbd_smb2_reauth_generic_return(struct smbXsrv_session *session,
 481                                         struct smbXsrv_session_auth0 **_auth,
 482                                         struct smbd_smb2_request *smb2req,
 483                                         struct auth_session_info *session_info,
 484                                         uint16_t *out_session_flags,
 485                                         uint64_t *out_session_id)
 486 {
 487         NTSTATUS status;
 488         struct smbXsrv_session *x = session;
 489         struct smbXsrv_session_auth0 *auth = *_auth;
 490
 491         *_auth = NULL;
 492
 493         data_blob_clear_free(&session_info->session_key);
 494         session_info->session_key = data_blob_dup_talloc(session_info,
 495                                                 x->global->application_key);
 496         if (session_info->session_key.data == NULL) {
 497                 return NT_STATUS_NO_MEMORY;
 498         }
 499
 500         session->compat->session_info = session_info;
 501         session->compat->vuid = session->global->session_wire_id;
 502
 503         session->compat->homes_snum =
 504                         register_homes_share(session_info->unix_info->unix_name);
 505
 506         set_current_user_info(session_info->unix_info->sanitized_username,
 507                               session_info->unix_info->unix_name,
 508                               session_info->info->domain_name);
 509
 510         reload_services(smb2req->sconn, conn_snum_used, true);
 511
 512         session->status = NT_STATUS_OK;
 513         TALLOC_FREE(session->global->auth_session_info);
 514         session->global->auth_session_info = session_info;
 515         session->global->auth_session_info_seqnum += 1;
 516         session->global->channels[0].auth_session_info_seqnum =
 517                 session->global->auth_session_info_seqnum;
 518         session->global->auth_time = timeval_to_nttime(&smb2req->request_time);
 519         session->global->expiration_time = gensec_expire_time(auth->gensec);
 520
 521         TALLOC_FREE(auth);
 522         status = smbXsrv_session_update(session);
 523         if (!NT_STATUS_IS_OK(status)) {
 524                 DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
 525                           (unsigned long long)session->compat->vuid,
 526                           nt_errstr(status)));
 527                 return NT_STATUS_LOGON_FAILURE;
 528         }
 529
 530         conn_clear_vuid_caches(smb2req->sconn, session->compat->vuid);
 531
 532         if (security_session_user_level(session_info, NULL) >= SECURITY_USER) {
 533                 smb2req->do_signing = true;
 534         }
 535
 536         *out_session_id = session->global->session_wire_id;
 537
 538         return NT_STATUS_OK;
 539 }
 540
 541 struct smbd_smb2_session_setup_state {
 542         struct tevent_context *ev;
 543         struct smbd_smb2_request *smb2req;
 544         uint64_t in_session_id;
 545         uint8_t in_flags;
 546         uint8_t in_security_mode;
 547         uint64_t in_previous_session_id;
 548         DATA_BLOB in_security_buffer;
 549         struct smbXsrv_session *session;
 550         struct smbXsrv_session_auth0 *auth;
 551         struct auth_session_info *session_info;
 552         uint16_t out_session_flags;
 553         DATA_BLOB out_security_buffer;
 554         uint64_t out_session_id;
 555 };
 556
 557 static void smbd_smb2_session_setup_gensec_done(struct tevent_req *subreq);
 558 static void smbd_smb2_session_setup_previous_done(struct tevent_req *subreq);
 559 static void smbd_smb2_session_setup_auth_return(struct tevent_req *req);
 560
 561 static struct tevent_req *smbd_smb2_session_setup_send(TALLOC_CTX *mem_ctx,
 562                                         struct tevent_context *ev,
 563                                         struct smbd_smb2_request *smb2req,
 564                                         uint64_t in_session_id,
 565                                         uint8_t in_flags,
 566                                         uint8_t in_security_mode,
 567                                         uint64_t in_previous_session_id,
 568                                         DATA_BLOB in_security_buffer)
 569 {
 570         struct tevent_req *req;
 571         struct smbd_smb2_session_setup_state *state;
 572         NTSTATUS status;
 573         NTTIME now = timeval_to_nttime(&smb2req->request_time);
 574         struct tevent_req *subreq;
 575         struct smbXsrv_channel_global0 *c = NULL;
 576
 577         req = tevent_req_create(mem_ctx, &state,
 578                                 struct smbd_smb2_session_setup_state);
 579         if (req == NULL) {
 580                 return NULL;
 581         }
 582         state->ev = ev;
 583         state->smb2req = smb2req;
 584         state->in_session_id = in_session_id;
 585         state->in_flags = in_flags;
 586         state->in_security_mode = in_security_mode;
 587         state->in_previous_session_id = in_previous_session_id;
 588         state->in_security_buffer = in_security_buffer;
 589
 590         if (in_flags & SMB2_SESSION_FLAG_BINDING) {
 591                 if (smb2req->xconn->protocol < PROTOCOL_SMB2_22) {
 592                         tevent_req_nterror(req, NT_STATUS_REQUEST_NOT_ACCEPTED);
 593                         return tevent_req_post(req, ev);
 594                 }
 595
 596                 /*
 597                  * We do not support multi channel.
 598                  */
 599                 tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
 600                 return tevent_req_post(req, ev);
 601         }
 602
 603         if (state->in_session_id == 0) {
 604                 /* create a new session */
 605                 status = smbXsrv_session_create(state->smb2req->xconn,
 606                                                 now, &state->session);
 607                 if (tevent_req_nterror(req, status)) {
 608                         return tevent_req_post(req, ev);
 609                 }
 610                 smb2req->session = state->session;
 611         } else {
 612                 if (smb2req->session == NULL) {
 613                         tevent_req_nterror(req, NT_STATUS_USER_SESSION_DELETED);
 614                         return tevent_req_post(req, ev);
 615                 }
 616
 617                 state->session = smb2req->session;
 618                 status = state->session->status;
 619                 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
 620                         status = NT_STATUS_OK;
 621                 }
 622                 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 623                         status = NT_STATUS_OK;
 624                 }
 625                 if (tevent_req_nterror(req, status)) {
 626                         return tevent_req_post(req, ev);
 627                 }
 628                 if (!(in_flags & SMB2_SESSION_FLAG_BINDING)) {
 629                         state->session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 630                 }
 631         }
 632
 633         status = smbXsrv_session_find_channel(smb2req->session,
 634                                               smb2req->xconn, &c);
 635         if (!NT_STATUS_IS_OK(status)) {
 636                 tevent_req_nterror(req, status);
 637                 return tevent_req_post(req, ev);
 638         }
 639
 640         status = smbXsrv_session_find_auth(state->session, smb2req->xconn,
 641                                            now, &state->auth);
 642         if (!NT_STATUS_IS_OK(status)) {
 643                 status = smbXsrv_session_create_auth(state->session,
 644                                                      smb2req->xconn, now,
 645                                                      in_flags, in_security_mode,
 646                                                      &state->auth);
 647                 if (tevent_req_nterror(req, status)) {
 648                         return tevent_req_post(req, ev);
 649                 }
 650         }
 651
 652         if (state->auth->gensec == NULL) {
 653                 status = auth_generic_prepare(state->auth,
 654                                               state->smb2req->xconn->remote_address,
 655                                               &state->auth->gensec);
 656                 if (tevent_req_nterror(req, status)) {
 657                         return tevent_req_post(req, ev);
 658                 }
 659
 660                 gensec_want_feature(state->auth->gensec, GENSEC_FEATURE_SESSION_KEY);
 661                 gensec_want_feature(state->auth->gensec, GENSEC_FEATURE_UNIX_TOKEN);
 662
 663                 status = gensec_start_mech_by_oid(state->auth->gensec,
 664                                                   GENSEC_OID_SPNEGO);
 665                 if (tevent_req_nterror(req, status)) {
 666                         return tevent_req_post(req, ev);
 667                 }
 668         }
 669
 670         status = smbXsrv_session_update(state->session);
 671         if (tevent_req_nterror(req, status)) {
 672                 return tevent_req_post(req, ev);
 673         }
 674
 675         become_root();
 676         subreq = gensec_update_send(state, state->ev,
 677                                     state->auth->gensec,
 678                                     state->in_security_buffer);
 679         unbecome_root();
 680         if (tevent_req_nomem(subreq, req)) {
 681                 return tevent_req_post(req, ev);
 682         }
 683         tevent_req_set_callback(subreq, smbd_smb2_session_setup_gensec_done, req);
 684
 685         return req;
 686 }
 687
 688 static void smbd_smb2_session_setup_gensec_done(struct tevent_req *subreq)
 689 {
 690         struct tevent_req *req =
 691                 tevent_req_callback_data(subreq,
 692                 struct tevent_req);
 693         struct smbd_smb2_session_setup_state *state =
 694                 tevent_req_data(req,
 695                 struct smbd_smb2_session_setup_state);
 696         NTSTATUS status;
 697
 698         become_root();
 699         status = gensec_update_recv(subreq, state,
 700                                     &state->out_security_buffer);
 701         unbecome_root();
 702         TALLOC_FREE(subreq);
 703         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
 704             !NT_STATUS_IS_OK(status)) {
 705                 tevent_req_nterror(req, status);
 706                 return;
 707         }
 708
 709         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 710                 state->out_session_id = state->session->global->session_wire_id;
 711                 state->smb2req->preauth = state->auth->preauth;
 712                 tevent_req_nterror(req, status);
 713                 return;
 714         }
 715
 716         status = gensec_session_info(state->auth->gensec,
 717                                      state->session->global,
 718                                      &state->session_info);
 719         if (tevent_req_nterror(req, status)) {
 720                 return;
 721         }
 722
 723         if ((state->in_previous_session_id != 0) &&
 724              (state->session->global->session_wire_id !=
 725               state->in_previous_session_id))
 726         {
 727                 subreq = smb2srv_session_close_previous_send(state, state->ev,
 728                                                 state->smb2req->xconn,
 729                                                 state->session_info,
 730                                                 state->in_previous_session_id,
 731                                                 state->session->global->session_wire_id);
 732                 if (tevent_req_nomem(subreq, req)) {
 733                         return;
 734                 }
 735                 tevent_req_set_callback(subreq,
 736                                         smbd_smb2_session_setup_previous_done,
 737                                         req);
 738                 return;
 739         }
 740
 741         smbd_smb2_session_setup_auth_return(req);
 742 }
 743
 744 static void smbd_smb2_session_setup_previous_done(struct tevent_req *subreq)
 745 {
 746         struct tevent_req *req =
 747                 tevent_req_callback_data(subreq,
 748                 struct tevent_req);
 749         NTSTATUS status;
 750
 751         status = smb2srv_session_close_previous_recv(subreq);
 752         TALLOC_FREE(subreq);
 753         if (tevent_req_nterror(req, status)) {
 754                 return;
 755         }
 756
 757         smbd_smb2_session_setup_auth_return(req);
 758 }
 759
 760 static void smbd_smb2_session_setup_auth_return(struct tevent_req *req)
 761 {
 762         struct smbd_smb2_session_setup_state *state =
 763                 tevent_req_data(req,
 764                 struct smbd_smb2_session_setup_state);
 765         NTSTATUS status;
 766
 767         if (state->session->global->auth_session_info != NULL) {
 768                 status = smbd_smb2_reauth_generic_return(state->session,
 769                                                          &state->auth,
 770                                                          state->smb2req,
 771                                                          state->session_info,
 772                                                          &state->out_session_flags,
 773                                                          &state->out_session_id);
 774                 if (tevent_req_nterror(req, status)) {
 775                         return;
 776                 }
 777                 tevent_req_done(req);
 778                 return;
 779         }
 780
 781         status = smbd_smb2_auth_generic_return(state->session,
 782                                                &state->auth,
 783                                                state->smb2req,
 784                                                state->in_security_mode,
 785                                                state->session_info,
 786                                                &state->out_session_flags,
 787                                                &state->out_session_id);
 788         if (tevent_req_nterror(req, status)) {
 789                 return;
 790         }
 791
 792         tevent_req_done(req);
 793         return;
 794 }
 795
 796 static NTSTATUS smbd_smb2_session_setup_recv(struct tevent_req *req,
 797                                         uint16_t *out_session_flags,
 798                                         TALLOC_CTX *mem_ctx,
 799                                         DATA_BLOB *out_security_buffer,
 800                                         uint64_t *out_session_id)
 801 {
 802         struct smbd_smb2_session_setup_state *state =
 803                 tevent_req_data(req,
 804                 struct smbd_smb2_session_setup_state);
 805         NTSTATUS status;
 806
 807         if (tevent_req_is_nterror(req, &status)) {
 808                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 809                         tevent_req_received(req);
 810                         return nt_status_squash(status);
 811                 }
 812         } else {
 813                 status = NT_STATUS_OK;
 814         }
 815
 816         *out_session_flags = state->out_session_flags;
 817         *out_security_buffer = state->out_security_buffer;
 818         *out_session_id = state->out_session_id;
 819
 820         talloc_steal(mem_ctx, out_security_buffer->data);
 821         tevent_req_received(req);
 822         return status;
 823 }
 824
 825 struct smbd_smb2_session_setup_wrap_state {
 826         struct tevent_context *ev;
 827         struct smbd_smb2_request *smb2req;
 828         uint64_t in_session_id;
 829         uint8_t in_flags;
 830         uint8_t in_security_mode;
 831         uint64_t in_previous_session_id;
 832         DATA_BLOB in_security_buffer;
 833         uint16_t out_session_flags;
 834         DATA_BLOB out_security_buffer;
 835         uint64_t out_session_id;
 836         NTSTATUS error;
 837 };
 838
 839 static void smbd_smb2_session_setup_wrap_setup_done(struct tevent_req *subreq);
 840 static void smbd_smb2_session_setup_wrap_shutdown_done(struct tevent_req *subreq);
 841
 842 static struct tevent_req *smbd_smb2_session_setup_wrap_send(TALLOC_CTX *mem_ctx,
 843                                         struct tevent_context *ev,
 844                                         struct smbd_smb2_request *smb2req,
 845                                         uint64_t in_session_id,
 846                                         uint8_t in_flags,
 847                                         uint8_t in_security_mode,
 848                                         uint64_t in_previous_session_id,
 849                                         DATA_BLOB in_security_buffer)
 850 {
 851         struct tevent_req *req;
 852         struct smbd_smb2_session_setup_wrap_state *state;
 853         struct tevent_req *subreq;
 854
 855         req = tevent_req_create(mem_ctx, &state,
 856                                 struct smbd_smb2_session_setup_wrap_state);
 857         if (req == NULL) {
 858                 return NULL;
 859         }
 860         state->ev = ev;
 861         state->smb2req = smb2req;
 862         state->in_session_id = in_session_id;
 863         state->in_flags = in_flags;
 864         state->in_security_mode = in_security_mode;
 865         state->in_previous_session_id = in_previous_session_id;
 866         state->in_security_buffer = in_security_buffer;
 867
 868         subreq = smbd_smb2_session_setup_send(state, state->ev,
 869                                               state->smb2req,
 870                                               state->in_session_id,
 871                                               state->in_flags,
 872                                               state->in_security_mode,
 873                                               state->in_previous_session_id,
 874                                               state->in_security_buffer);
 875         if (tevent_req_nomem(subreq, req)) {
 876                 return tevent_req_post(req, ev);
 877         }
 878         tevent_req_set_callback(subreq,
 879                                 smbd_smb2_session_setup_wrap_setup_done, req);
 880
 881         return req;
 882 }
 883
 884 static void smbd_smb2_session_setup_wrap_setup_done(struct tevent_req *subreq)
 885 {
 886         struct tevent_req *req =
 887                 tevent_req_callback_data(subreq,
 888                 struct tevent_req);
 889         struct smbd_smb2_session_setup_wrap_state *state =
 890                 tevent_req_data(req,
 891                 struct smbd_smb2_session_setup_wrap_state);
 892         NTSTATUS status;
 893
 894         status = smbd_smb2_session_setup_recv(subreq,
 895                                               &state->out_session_flags,
 896                                               state,
 897                                               &state->out_security_buffer,
 898                                               &state->out_session_id);
 899         TALLOC_FREE(subreq);
 900         if (NT_STATUS_IS_OK(status)) {
 901                 tevent_req_done(req);
 902                 return;
 903         }
 904         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 905                 tevent_req_nterror(req, status);
 906                 return;
 907         }
 908
 909         if (state->smb2req->session == NULL) {
 910                 tevent_req_nterror(req, status);
 911                 return;
 912         }
 913
 914         state->error = status;
 915
 916         subreq = smb2srv_session_shutdown_send(state, state->ev,
 917                                                state->smb2req->session,
 918                                                state->smb2req);
 919         if (tevent_req_nomem(subreq, req)) {
 920                 return;
 921         }
 922         tevent_req_set_callback(subreq,
 923                                 smbd_smb2_session_setup_wrap_shutdown_done,
 924                                 req);
 925 }
 926
 927 static void smbd_smb2_session_setup_wrap_shutdown_done(struct tevent_req *subreq)
 928 {
 929         struct tevent_req *req =
 930                 tevent_req_callback_data(subreq,
 931                 struct tevent_req);
 932         struct smbd_smb2_session_setup_wrap_state *state =
 933                 tevent_req_data(req,
 934                 struct smbd_smb2_session_setup_wrap_state);
 935         NTSTATUS status;
 936
 937         status = smb2srv_session_shutdown_recv(subreq);
 938         TALLOC_FREE(subreq);
 939         if (tevent_req_nterror(req, status)) {
 940                 return;
 941         }
 942
 943         /*
 944          * we may need to sign the response, so we need to keep
 945          * the session until the response is sent to the wire.
 946          */
 947         talloc_steal(state->smb2req, state->smb2req->session);
 948
 949         tevent_req_nterror(req, state->error);
 950 }
 951
 952 static NTSTATUS smbd_smb2_session_setup_wrap_recv(struct tevent_req *req,
 953                                         uint16_t *out_session_flags,
 954                                         TALLOC_CTX *mem_ctx,
 955                                         DATA_BLOB *out_security_buffer,
 956                                         uint64_t *out_session_id)
 957 {
 958         struct smbd_smb2_session_setup_wrap_state *state =
 959                 tevent_req_data(req,
 960                 struct smbd_smb2_session_setup_wrap_state);
 961         NTSTATUS status;
 962
 963         if (tevent_req_is_nterror(req, &status)) {
 964                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 965                         tevent_req_received(req);
 966                         return nt_status_squash(status);
 967                 }
 968         } else {
 969                 status = NT_STATUS_OK;
 970         }
 971
 972         *out_session_flags = state->out_session_flags;
 973         *out_security_buffer = state->out_security_buffer;
 974         *out_session_id = state->out_session_id;
 975
 976         talloc_steal(mem_ctx, out_security_buffer->data);
 977         tevent_req_received(req);
 978         return status;
 979 }
 980
 981 static struct tevent_req *smbd_smb2_logoff_send(TALLOC_CTX *mem_ctx,
 982                                         struct tevent_context *ev,
 983                                         struct smbd_smb2_request *smb2req);
 984 static NTSTATUS smbd_smb2_logoff_recv(struct tevent_req *req);
 985 static void smbd_smb2_request_logoff_done(struct tevent_req *subreq);
 986
 987 NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req)
 988 {
 989         NTSTATUS status;
 990         struct tevent_req *subreq = NULL;
 991
 992         status = smbd_smb2_request_verify_sizes(req, 0x04);
 993         if (!NT_STATUS_IS_OK(status)) {
 994                 return smbd_smb2_request_error(req, status);
 995         }
 996
 997         subreq = smbd_smb2_logoff_send(req, req->sconn->ev_ctx, req);
 998         if (subreq == NULL) {
 999                 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
1000         }
1001         tevent_req_set_callback(subreq, smbd_smb2_request_logoff_done, req);
1002
1003         /*
1004          * Wait a long time before going async on this to allow
1005          * requests we're waiting on to finish. Set timeout to 10 secs.
1006          */
1007         return smbd_smb2_request_pending_queue(req, subreq, 10000000);
1008 }
1009
1010 static void smbd_smb2_request_logoff_done(struct tevent_req *subreq)
1011 {
1012         struct smbd_smb2_request *smb2req =
1013                 tevent_req_callback_data(subreq,
1014                 struct smbd_smb2_request);
1015         DATA_BLOB outbody;
1016         NTSTATUS status;
1017         NTSTATUS error;
1018
1019         status = smbd_smb2_logoff_recv(subreq);
1020         TALLOC_FREE(subreq);
1021         if (!NT_STATUS_IS_OK(status)) {
1022                 error = smbd_smb2_request_error(smb2req, status);
1023                 if (!NT_STATUS_IS_OK(error)) {
1024                         smbd_server_connection_terminate(smb2req->xconn,
1025                                                         nt_errstr(error));
1026                         return;
1027                 }
1028                 return;
1029         }
1030
1031         outbody = smbd_smb2_generate_outbody(smb2req, 0x04);
1032         if (outbody.data == NULL) {
1033                 error = smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY);
1034                 if (!NT_STATUS_IS_OK(error)) {
1035                         smbd_server_connection_terminate(smb2req->xconn,
1036                                                         nt_errstr(error));
1037                         return;
1038                 }
1039                 return;
1040         }
1041
1042         SSVAL(outbody.data, 0x00, 0x04);        /* struct size */
1043         SSVAL(outbody.data, 0x02, 0);           /* reserved */
1044
1045         error = smbd_smb2_request_done(smb2req, outbody, NULL);
1046         if (!NT_STATUS_IS_OK(error)) {
1047                 smbd_server_connection_terminate(smb2req->xconn,
1048                                                 nt_errstr(error));
1049                 return;
1050         }
1051 }
1052
1053 struct smbd_smb2_logoff_state {
1054         struct smbd_smb2_request *smb2req;
1055 };
1056
1057 static void smbd_smb2_logoff_shutdown_done(struct tevent_req *subreq);
1058
1059 static struct tevent_req *smbd_smb2_logoff_send(TALLOC_CTX *mem_ctx,
1060                                         struct tevent_context *ev,
1061                                         struct smbd_smb2_request *smb2req)
1062 {
1063         struct tevent_req *req;
1064         struct smbd_smb2_logoff_state *state;
1065         struct tevent_req *subreq;
1066
1067         req = tevent_req_create(mem_ctx, &state,
1068                         struct smbd_smb2_logoff_state);
1069         if (req == NULL) {
1070                 return NULL;
1071         }
1072         state->smb2req = smb2req;
1073
1074         subreq = smb2srv_session_shutdown_send(state, ev,
1075                                                smb2req->session,
1076                                                smb2req);
1077         if (tevent_req_nomem(subreq, req)) {
1078                 return tevent_req_post(req, ev);
1079         }
1080         tevent_req_set_callback(subreq, smbd_smb2_logoff_shutdown_done, req);
1081
1082         return req;
1083 }
1084
1085 static void smbd_smb2_logoff_shutdown_done(struct tevent_req *subreq)
1086 {
1087         struct tevent_req *req = tevent_req_callback_data(
1088                 subreq, struct tevent_req);
1089         struct smbd_smb2_logoff_state *state = tevent_req_data(
1090                 req, struct smbd_smb2_logoff_state);
1091         NTSTATUS status;
1092
1093         status = smb2srv_session_shutdown_recv(subreq);
1094         if (tevent_req_nterror(req, status)) {
1095                 return;
1096         }
1097         TALLOC_FREE(subreq);
1098
1099         /*
1100          * As we've been awoken, we may have changed
1101          * uid in the meantime. Ensure we're still
1102          * root (SMB2_OP_LOGOFF has .as_root = true).
1103          */
1104         change_to_root_user();
1105
1106         status = smbXsrv_session_logoff(state->smb2req->session);
1107         if (tevent_req_nterror(req, status)) {
1108                 return;
1109         }
1110
1111         /*
1112          * we may need to sign the response, so we need to keep
1113          * the session until the response is sent to the wire.
1114          */
1115         talloc_steal(state->smb2req, state->smb2req->session);
1116
1117         tevent_req_done(req);
1118 }
1119
1120 static NTSTATUS smbd_smb2_logoff_recv(struct tevent_req *req)
1121 {
1122         return tevent_req_simple_recv_ntstatus(req);
1123 }