search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libcli/smb: add smb2cli_tcon_should_encrypt()
[Samba.git] / libcli / smb / smbXcli_base.c
blobe720a500fa6c7eac1612efac9b9b450dad4232cf
1 /*
2 Unix SMB/CIFS implementation.
3 Infrastructure for async SMB client requests
4 Copyright (C) Volker Lendecke 2008
5 Copyright (C) Stefan Metzmacher 2011
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "system/network.h"
23 #include "../lib/async_req/async_sock.h"
24 #include "../lib/util/tevent_ntstatus.h"
25 #include "../lib/util/tevent_unix.h"
26 #include "lib/util/util_net.h"
27 #include "lib/util/dlinklist.h"
28 #include "../libcli/smb/smb_common.h"
29 #include "../libcli/smb/smb_seal.h"
30 #include "../libcli/smb/smb_signing.h"
31 #include "../libcli/smb/read_smb.h"
32 #include "smbXcli_base.h"
33 #include "librpc/ndr/libndr.h"
34
35 struct smbXcli_conn;
36 struct smbXcli_req;
37 struct smbXcli_session;
38 struct smbXcli_tcon;
39
40 struct smbXcli_conn {
41 int read_fd;
42 int write_fd;
43 struct sockaddr_storage local_ss;
44 struct sockaddr_storage remote_ss;
45 const char *remote_name;
46
47 struct tevent_queue *outgoing;
48 struct tevent_req **pending;
49 struct tevent_req *read_smb_req;
50
51 enum protocol_types protocol;
52 bool allow_signing;
53 bool desire_signing;
54 bool mandatory_signing;
55
56 /*
57 * The incoming dispatch function should return:
58 * - NT_STATUS_RETRY, if more incoming PDUs are expected.
59 * - NT_STATUS_OK, if no more processing is desired, e.g.
60 * the dispatch function called
61 * tevent_req_done().
62 * - All other return values disconnect the connection.
63 */
64 NTSTATUS (*dispatch_incoming)(struct smbXcli_conn *conn,
65 TALLOC_CTX *tmp_mem,
66 uint8_t *inbuf);
67
68 struct {
69 struct {
70 uint32_t capabilities;
71 uint32_t max_xmit;
72 } client;
73
74 struct {
75 uint32_t capabilities;
76 uint32_t max_xmit;
77 uint16_t max_mux;
78 uint16_t security_mode;
79 bool readbraw;
80 bool writebraw;
81 bool lockread;
82 bool writeunlock;
83 uint32_t session_key;
84 struct GUID guid;
85 DATA_BLOB gss_blob;
86 uint8_t challenge[8];
87 const char *workgroup;
88 const char *name;
89 int time_zone;
90 NTTIME system_time;
91 } server;
92
93 uint32_t capabilities;
94 uint32_t max_xmit;
95
96 uint16_t mid;
97
98 struct smb_signing_state *signing;
99 struct smb_trans_enc_state *trans_enc;
100
101 struct tevent_req *read_braw_req;
102 } smb1;
103
104 struct {
105 struct {
106 uint32_t capabilities;
107 uint16_t security_mode;
108 struct GUID guid;
109 } client;
110
111 struct {
112 uint32_t capabilities;
113 uint16_t security_mode;
114 struct GUID guid;
115 uint32_t max_trans_size;
116 uint32_t max_read_size;
117 uint32_t max_write_size;
118 NTTIME system_time;
119 NTTIME start_time;
120 DATA_BLOB gss_blob;
121 } server;
122
123 uint64_t mid;
124 uint16_t cur_credits;
125 uint16_t max_credits;
126 } smb2;
127
128 struct smbXcli_session *sessions;
129 };
130
131 struct smb2cli_session {
132 uint64_t session_id;
133 uint16_t session_flags;
134 DATA_BLOB application_key;
135 DATA_BLOB signing_key;
136 bool should_sign;
137 bool should_encrypt;
138 DATA_BLOB encryption_key;
139 DATA_BLOB decryption_key;
140 uint64_t nonce_high;
141 uint64_t nonce_low;
142 uint16_t channel_sequence;
143 bool replay_active;
144 };
145
146 struct smbXcli_session {
147 struct smbXcli_session *prev, *next;
148 struct smbXcli_conn *conn;
149
150 struct {
151 uint16_t session_id;
152 DATA_BLOB application_key;
153 bool protected_key;
154 } smb1;
155
156 struct smb2cli_session *smb2;
157
158 struct {
159 DATA_BLOB signing_key;
160 } smb2_channel;
161
162 /*
163 * this should be a short term hack
164 * until the upper layers have implemented
165 * re-authentication.
166 */
167 bool disconnect_expired;
168 };
169
170 struct smbXcli_tcon {
171 bool is_smb1;
172 uint32_t fs_attributes;
173
174 struct {
175 uint16_t tcon_id;
176 uint16_t optional_support;
177 uint32_t maximal_access;
178 uint32_t guest_maximal_access;
179 char *service;
180 char *fs_type;
181 } smb1;
182
183 struct {
184 uint32_t tcon_id;
185 uint8_t type;
186 uint32_t flags;
187 uint32_t capabilities;
188 uint32_t maximal_access;
189 bool should_encrypt;
190 } smb2;
191 };
192
193 struct smbXcli_req_state {
194 struct tevent_context *ev;
195 struct smbXcli_conn *conn;
196 struct smbXcli_session *session; /* maybe NULL */
197 struct smbXcli_tcon *tcon; /* maybe NULL */
198
199 uint8_t length_hdr[4];
200
201 bool one_way;
202
203 uint8_t *inbuf;
204
205 struct {
206 /* Space for the header including the wct */
207 uint8_t hdr[HDR_VWV];
208
209 /*
210 * For normal requests, smb1cli_req_send chooses a mid.
211 * SecondaryV trans requests need to use the mid of the primary
212 * request, so we need a place to store it.
213 * Assume it is set if != 0.
214 */
215 uint16_t mid;
216
217 uint16_t *vwv;
218 uint8_t bytecount_buf[2];
219
220 #define MAX_SMB_IOV 10
221 /* length_hdr, hdr, words, byte_count, buffers */
222 struct iovec iov[1 + 3 + MAX_SMB_IOV];
223 int iov_count;
224
225 bool one_way_seqnum;
226 uint32_t seqnum;
227 struct tevent_req **chained_requests;
228
229 uint8_t recv_cmd;
230 NTSTATUS recv_status;
231 /* always an array of 3 talloc elements */
232 struct iovec *recv_iov;
233 } smb1;
234
235 struct {
236 const uint8_t *fixed;
237 uint16_t fixed_len;
238 const uint8_t *dyn;
239 uint32_t dyn_len;
240
241 uint8_t transform[SMB2_TF_HDR_SIZE];
242 uint8_t hdr[SMB2_HDR_BODY];
243 uint8_t pad[7]; /* padding space for compounding */
244
245 /*
246 * always an array of 3 talloc elements
247 * (without a SMB2_TRANSFORM header!)
248 *
249 * HDR, BODY, DYN
250 */
251 struct iovec *recv_iov;
252
253 /*
254 * the expected max for the response dyn_len
255 */
256 uint32_t max_dyn_len;
257
258 uint16_t credit_charge;
259
260 bool should_sign;
261 bool should_encrypt;
262 uint64_t encryption_session_id;
263
264 bool signing_skipped;
265 bool notify_async;
266 bool got_async;
267 } smb2;
268 };
269
270 static int smbXcli_conn_destructor(struct smbXcli_conn *conn)
271 {
272 /*
273 * NT_STATUS_OK, means we do not notify the callers
274 */
275 smbXcli_conn_disconnect(conn, NT_STATUS_OK);
276
277 while (conn->sessions) {
278 conn->sessions->conn = NULL;
279 DLIST_REMOVE(conn->sessions, conn->sessions);
280 }
281
282 if (conn->smb1.trans_enc) {
283 TALLOC_FREE(conn->smb1.trans_enc);
284 }
285
286 return 0;
287 }
288
289 struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
290 int fd,
291 const char *remote_name,
292 enum smb_signing_setting signing_state,
293 uint32_t smb1_capabilities,
294 struct GUID *client_guid,
295 uint32_t smb2_capabilities)
296 {
297 struct smbXcli_conn *conn = NULL;
298 void *ss = NULL;
299 struct sockaddr *sa = NULL;
300 socklen_t sa_length;
301 int ret;
302
303 conn = talloc_zero(mem_ctx, struct smbXcli_conn);
304 if (!conn) {
305 return NULL;
306 }
307
308 conn->read_fd = fd;
309 conn->write_fd = dup(fd);
310 if (conn->write_fd == -1) {
311 goto error;
312 }
313
314 conn->remote_name = talloc_strdup(conn, remote_name);
315 if (conn->remote_name == NULL) {
316 goto error;
317 }
318
319
320 ss = (void *)&conn->local_ss;
321 sa = (struct sockaddr *)ss;
322 sa_length = sizeof(conn->local_ss);
323 ret = getsockname(fd, sa, &sa_length);
324 if (ret == -1) {
325 goto error;
326 }
327 ss = (void *)&conn->remote_ss;
328 sa = (struct sockaddr *)ss;
329 sa_length = sizeof(conn->remote_ss);
330 ret = getpeername(fd, sa, &sa_length);
331 if (ret == -1) {
332 goto error;
333 }
334
335 conn->outgoing = tevent_queue_create(conn, "smbXcli_outgoing");
336 if (conn->outgoing == NULL) {
337 goto error;
338 }
339 conn->pending = NULL;
340
341 conn->protocol = PROTOCOL_NONE;
342
343 switch (signing_state) {
344 case SMB_SIGNING_OFF:
345 /* never */
346 conn->allow_signing = false;
347 conn->desire_signing = false;
348 conn->mandatory_signing = false;
349 break;
350 case SMB_SIGNING_DEFAULT:
351 case SMB_SIGNING_IF_REQUIRED:
352 /* if the server requires it */
353 conn->allow_signing = true;
354 conn->desire_signing = false;
355 conn->mandatory_signing = false;
356 break;
357 case SMB_SIGNING_REQUIRED:
358 /* always */
359 conn->allow_signing = true;
360 conn->desire_signing = true;
361 conn->mandatory_signing = true;
362 break;
363 }
364
365 conn->smb1.client.capabilities = smb1_capabilities;
366 conn->smb1.client.max_xmit = UINT16_MAX;
367
368 conn->smb1.capabilities = conn->smb1.client.capabilities;
369 conn->smb1.max_xmit = 1024;
370
371 conn->smb1.mid = 1;
372
373 /* initialise signing */
374 conn->smb1.signing = smb_signing_init(conn,
375 conn->allow_signing,
376 conn->desire_signing,
377 conn->mandatory_signing);
378 if (!conn->smb1.signing) {
379 goto error;
380 }
381
382 conn->smb2.client.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
383 if (conn->mandatory_signing) {
384 conn->smb2.client.security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
385 }
386 if (client_guid) {
387 conn->smb2.client.guid = *client_guid;
388 }
389 conn->smb2.client.capabilities = smb2_capabilities;
390
391 conn->smb2.cur_credits = 1;
392 conn->smb2.max_credits = 0;
393
394 talloc_set_destructor(conn, smbXcli_conn_destructor);
395 return conn;
396
397 error:
398 if (conn->write_fd != -1) {
399 close(conn->write_fd);
400 }
401 TALLOC_FREE(conn);
402 return NULL;
403 }
404
405 bool smbXcli_conn_is_connected(struct smbXcli_conn *conn)
406 {
407 if (conn == NULL) {
408 return false;
409 }
410
411 if (conn->read_fd == -1) {
412 return false;
413 }
414
415 return true;
416 }
417
418 enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn)
419 {
420 return conn->protocol;
421 }
422
423 bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
424 {
425 if (conn->protocol >= PROTOCOL_SMB2_02) {
426 return true;
427 }
428
429 if (conn->smb1.capabilities & CAP_UNICODE) {
430 return true;
431 }
432
433 return false;
434 }
435
436 void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
437 {
438 set_socket_options(conn->read_fd, options);
439 }
440
441 const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn)
442 {
443 return &conn->local_ss;
444 }
445
446 const struct sockaddr_storage *smbXcli_conn_remote_sockaddr(struct smbXcli_conn *conn)
447 {
448 return &conn->remote_ss;
449 }
450
451 const char *smbXcli_conn_remote_name(struct smbXcli_conn *conn)
452 {
453 return conn->remote_name;
454 }
455
456 uint16_t smbXcli_conn_max_requests(struct smbXcli_conn *conn)
457 {
458 if (conn->protocol >= PROTOCOL_SMB2_02) {
459 /*
460 * TODO...
461 */
462 return 1;
463 }
464
465 return conn->smb1.server.max_mux;
466 }
467
468 NTTIME smbXcli_conn_server_system_time(struct smbXcli_conn *conn)
469 {
470 if (conn->protocol >= PROTOCOL_SMB2_02) {
471 return conn->smb2.server.system_time;
472 }
473
474 return conn->smb1.server.system_time;
475 }
476
477 const DATA_BLOB *smbXcli_conn_server_gss_blob(struct smbXcli_conn *conn)
478 {
479 if (conn->protocol >= PROTOCOL_SMB2_02) {
480 return &conn->smb2.server.gss_blob;
481 }
482
483 return &conn->smb1.server.gss_blob;
484 }
485
486 const struct GUID *smbXcli_conn_server_guid(struct smbXcli_conn *conn)
487 {
488 if (conn->protocol >= PROTOCOL_SMB2_02) {
489 return &conn->smb2.server.guid;
490 }
491
492 return &conn->smb1.server.guid;
493 }
494
495 struct smbXcli_conn_samba_suicide_state {
496 struct smbXcli_conn *conn;
497 struct iovec iov;
498 uint8_t buf[9];
499 };
500
501 static void smbXcli_conn_samba_suicide_done(struct tevent_req *subreq);
502
503 struct tevent_req *smbXcli_conn_samba_suicide_send(TALLOC_CTX *mem_ctx,
504 struct tevent_context *ev,
505 struct smbXcli_conn *conn,
506 uint8_t exitcode)
507 {
508 struct tevent_req *req, *subreq;
509 struct smbXcli_conn_samba_suicide_state *state;
510
511 req = tevent_req_create(mem_ctx, &state,
512 struct smbXcli_conn_samba_suicide_state);
513 if (req == NULL) {
514 return NULL;
515 }
516 state->conn = conn;
517 SIVAL(state->buf, 4, 0x74697865);
518 SCVAL(state->buf, 8, exitcode);
519 _smb_setlen_nbt(state->buf, sizeof(state->buf)-4);
520
521 state->iov.iov_base = state->buf;
522 state->iov.iov_len = sizeof(state->buf);
523
524 subreq = writev_send(state, ev, conn->outgoing, conn->write_fd,
525 false, &state->iov, 1);
526 if (tevent_req_nomem(subreq, req)) {
527 return tevent_req_post(req, ev);
528 }
529 tevent_req_set_callback(subreq, smbXcli_conn_samba_suicide_done, req);
530 return req;
531 }
532
533 static void smbXcli_conn_samba_suicide_done(struct tevent_req *subreq)
534 {
535 struct tevent_req *req = tevent_req_callback_data(
536 subreq, struct tevent_req);
537 struct smbXcli_conn_samba_suicide_state *state = tevent_req_data(
538 req, struct smbXcli_conn_samba_suicide_state);
539 ssize_t nwritten;
540 int err;
541
542 nwritten = writev_recv(subreq, &err);
543 TALLOC_FREE(subreq);
544 if (nwritten == -1) {
545 NTSTATUS status = map_nt_error_from_unix_common(err);
546 smbXcli_conn_disconnect(state->conn, status);
547 return;
548 }
549 tevent_req_done(req);
550 }
551
552 NTSTATUS smbXcli_conn_samba_suicide_recv(struct tevent_req *req)
553 {
554 return tevent_req_simple_recv_ntstatus(req);
555 }
556
557 NTSTATUS smbXcli_conn_samba_suicide(struct smbXcli_conn *conn,
558 uint8_t exitcode)
559 {
560 TALLOC_CTX *frame = talloc_stackframe();
561 struct tevent_context *ev;
562 struct tevent_req *req;
563 NTSTATUS status = NT_STATUS_NO_MEMORY;
564 bool ok;
565
566 if (smbXcli_conn_has_async_calls(conn)) {
567 /*
568 * Can't use sync call while an async call is in flight
569 */
570 status = NT_STATUS_INVALID_PARAMETER_MIX;
571 goto fail;
572 }
573 ev = samba_tevent_context_init(frame);
574 if (ev == NULL) {
575 goto fail;
576 }
577 req = smbXcli_conn_samba_suicide_send(frame, ev, conn, exitcode);
578 if (req == NULL) {
579 goto fail;
580 }
581 ok = tevent_req_poll(req, ev);
582 if (!ok) {
583 status = map_nt_error_from_unix_common(errno);
584 goto fail;
585 }
586 status = smbXcli_conn_samba_suicide_recv(req);
587 fail:
588 TALLOC_FREE(frame);
589 return status;
590 }
591
592 uint32_t smb1cli_conn_capabilities(struct smbXcli_conn *conn)
593 {
594 return conn->smb1.capabilities;
595 }
596
597 uint32_t smb1cli_conn_max_xmit(struct smbXcli_conn *conn)
598 {
599 return conn->smb1.max_xmit;
600 }
601
602 bool smb1cli_conn_req_possible(struct smbXcli_conn *conn)
603 {
604 size_t pending;
605 uint16_t possible = conn->smb1.server.max_mux;
606
607 pending = tevent_queue_length(conn->outgoing);
608 if (pending >= possible) {
609 return false;
610 }
611 pending += talloc_array_length(conn->pending);
612 if (pending >= possible) {
613 return false;
614 }
615
616 return true;
617 }
618
619 uint32_t smb1cli_conn_server_session_key(struct smbXcli_conn *conn)
620 {
621 return conn->smb1.server.session_key;
622 }
623
624 const uint8_t *smb1cli_conn_server_challenge(struct smbXcli_conn *conn)
625 {
626 return conn->smb1.server.challenge;
627 }
628
629 uint16_t smb1cli_conn_server_security_mode(struct smbXcli_conn *conn)
630 {
631 return conn->smb1.server.security_mode;
632 }
633
634 bool smb1cli_conn_server_readbraw(struct smbXcli_conn *conn)
635 {
636 return conn->smb1.server.readbraw;
637 }
638
639 bool smb1cli_conn_server_writebraw(struct smbXcli_conn *conn)
640 {
641 return conn->smb1.server.writebraw;
642 }
643
644 bool smb1cli_conn_server_lockread(struct smbXcli_conn *conn)
645 {
646 return conn->smb1.server.lockread;
647 }
648
649 bool smb1cli_conn_server_writeunlock(struct smbXcli_conn *conn)
650 {
651 return conn->smb1.server.writeunlock;
652 }
653
654 int smb1cli_conn_server_time_zone(struct smbXcli_conn *conn)
655 {
656 return conn->smb1.server.time_zone;
657 }
658
659 bool smb1cli_conn_activate_signing(struct smbXcli_conn *conn,
660 const DATA_BLOB user_session_key,
661 const DATA_BLOB response)
662 {
663 return smb_signing_activate(conn->smb1.signing,
664 user_session_key,
665 response);
666 }
667
668 bool smb1cli_conn_check_signing(struct smbXcli_conn *conn,
669 const uint8_t *buf, uint32_t seqnum)
670 {
671 const uint8_t *hdr = buf + NBT_HDR_SIZE;
672 size_t len = smb_len_nbt(buf);
673
674 return smb_signing_check_pdu(conn->smb1.signing, hdr, len, seqnum);
675 }
676
677 bool smb1cli_conn_signing_is_active(struct smbXcli_conn *conn)
678 {
679 return smb_signing_is_active(conn->smb1.signing);
680 }
681
682 void smb1cli_conn_set_encryption(struct smbXcli_conn *conn,
683 struct smb_trans_enc_state *es)
684 {
685 /* Replace the old state, if any. */
686 if (conn->smb1.trans_enc) {
687 TALLOC_FREE(conn->smb1.trans_enc);
688 }
689 conn->smb1.trans_enc = es;
690 }
691
692 bool smb1cli_conn_encryption_on(struct smbXcli_conn *conn)
693 {
694 return common_encryption_on(conn->smb1.trans_enc);
695 }
696
697
698 static NTSTATUS smb1cli_pull_raw_error(const uint8_t *hdr)
699 {
700 uint32_t flags2 = SVAL(hdr, HDR_FLG2);
701 NTSTATUS status = NT_STATUS(IVAL(hdr, HDR_RCLS));
702
703 if (NT_STATUS_IS_OK(status)) {
704 return NT_STATUS_OK;
705 }
706
707 if (flags2 & FLAGS2_32_BIT_ERROR_CODES) {
708 return status;
709 }
710
711 return NT_STATUS_DOS(CVAL(hdr, HDR_RCLS), SVAL(hdr, HDR_ERR));
712 }
713
714 /**
715 * Is the SMB command able to hold an AND_X successor
716 * @param[in] cmd The SMB command in question
717 * @retval Can we add a chained request after "cmd"?
718 */
719 bool smb1cli_is_andx_req(uint8_t cmd)
720 {
721 switch (cmd) {
722 case SMBtconX:
723 case SMBlockingX:
724 case SMBopenX:
725 case SMBreadX:
726 case SMBwriteX:
727 case SMBsesssetupX:
728 case SMBulogoffX:
729 case SMBntcreateX:
730 return true;
731 break;
732 default:
733 break;
734 }
735
736 return false;
737 }
738
739 static uint16_t smb1cli_alloc_mid(struct smbXcli_conn *conn)
740 {
741 size_t num_pending = talloc_array_length(conn->pending);
742 uint16_t result;
743
744 if (conn->protocol == PROTOCOL_NONE) {
745 /*
746 * This is what windows sends on the SMB1 Negprot request
747 * and some vendors reuse the SMB1 MID as SMB2 sequence number.
748 */
749 return 0;
750 }
751
752 while (true) {
753 size_t i;
754
755 result = conn->smb1.mid++;
756 if ((result == 0) || (result == 0xffff)) {
757 continue;
758 }
759
760 for (i=0; i<num_pending; i++) {
761 if (result == smb1cli_req_mid(conn->pending[i])) {
762 break;
763 }
764 }
765
766 if (i == num_pending) {
767 return result;
768 }
769 }
770 }
771
772 void smbXcli_req_unset_pending(struct tevent_req *req)
773 {
774 struct smbXcli_req_state *state =
775 tevent_req_data(req,
776 struct smbXcli_req_state);
777 struct smbXcli_conn *conn = state->conn;
778 size_t num_pending = talloc_array_length(conn->pending);
779 size_t i;
780
781 if (state->smb1.mid != 0) {
782 /*
783 * This is a [nt]trans[2] request which waits
784 * for more than one reply.
785 */
786 return;
787 }
788
789 tevent_req_set_cleanup_fn(req, NULL);
790
791 if (num_pending == 1) {
792 /*
793 * The pending read_smb tevent_req is a child of
794 * conn->pending. So if nothing is pending anymore, we need to
795 * delete the socket read fde.
796 */
797 TALLOC_FREE(conn->pending);
798 conn->read_smb_req = NULL;
799 return;
800 }
801
802 for (i=0; i<num_pending; i++) {
803 if (req == conn->pending[i]) {
804 break;
805 }
806 }
807 if (i == num_pending) {
808 /*
809 * Something's seriously broken. Just returning here is the
810 * right thing nevertheless, the point of this routine is to
811 * remove ourselves from conn->pending.
812 */
813 return;
814 }
815
816 /*
817 * Remove ourselves from the conn->pending array
818 */
819 for (; i < (num_pending - 1); i++) {
820 conn->pending[i] = conn->pending[i+1];
821 }
822
823 /*
824 * No NULL check here, we're shrinking by sizeof(void *), and
825 * talloc_realloc just adjusts the size for this.
826 */
827 conn->pending = talloc_realloc(NULL, conn->pending, struct tevent_req *,
828 num_pending - 1);
829 return;
830 }
831
832 static void smbXcli_req_cleanup(struct tevent_req *req,
833 enum tevent_req_state req_state)
834 {
835 struct smbXcli_req_state *state =
836 tevent_req_data(req,
837 struct smbXcli_req_state);
838
839 switch (req_state) {
840 case TEVENT_REQ_RECEIVED:
841 /*
842 * Make sure we really remove it from
843 * the pending array on destruction.
844 */
845 state->smb1.mid = 0;
846 smbXcli_req_unset_pending(req);
847 return;
848 default:
849 return;
850 }
851 }
852
853 static bool smb1cli_req_cancel(struct tevent_req *req);
854 static bool smb2cli_req_cancel(struct tevent_req *req);
855
856 static bool smbXcli_req_cancel(struct tevent_req *req)
857 {
858 struct smbXcli_req_state *state =
859 tevent_req_data(req,
860 struct smbXcli_req_state);
861
862 if (!smbXcli_conn_is_connected(state->conn)) {
863 return false;
864 }
865
866 if (state->conn->protocol == PROTOCOL_NONE) {
867 return false;
868 }
869
870 if (state->conn->protocol >= PROTOCOL_SMB2_02) {
871 return smb2cli_req_cancel(req);
872 }
873
874 return smb1cli_req_cancel(req);
875 }
876
877 static bool smbXcli_conn_receive_next(struct smbXcli_conn *conn);
878
879 bool smbXcli_req_set_pending(struct tevent_req *req)
880 {
881 struct smbXcli_req_state *state =
882 tevent_req_data(req,
883 struct smbXcli_req_state);
884 struct smbXcli_conn *conn;
885 struct tevent_req **pending;
886 size_t num_pending;
887
888 conn = state->conn;
889
890 if (!smbXcli_conn_is_connected(conn)) {
891 return false;
892 }
893
894 num_pending = talloc_array_length(conn->pending);
895
896 pending = talloc_realloc(conn, conn->pending, struct tevent_req *,
897 num_pending+1);
898 if (pending == NULL) {
899 return false;
900 }
901 pending[num_pending] = req;
902 conn->pending = pending;
903 tevent_req_set_cleanup_fn(req, smbXcli_req_cleanup);
904 tevent_req_set_cancel_fn(req, smbXcli_req_cancel);
905
906 if (!smbXcli_conn_receive_next(conn)) {
907 /*
908 * the caller should notify the current request
909 *
910 * And all other pending requests get notified
911 * by smbXcli_conn_disconnect().
912 */
913 smbXcli_req_unset_pending(req);
914 smbXcli_conn_disconnect(conn, NT_STATUS_NO_MEMORY);
915 return false;
916 }
917
918 return true;
919 }
920
921 static void smbXcli_conn_received(struct tevent_req *subreq);
922
923 static bool smbXcli_conn_receive_next(struct smbXcli_conn *conn)
924 {
925 size_t num_pending = talloc_array_length(conn->pending);
926 struct tevent_req *req;
927 struct smbXcli_req_state *state;
928
929 if (conn->read_smb_req != NULL) {
930 return true;
931 }
932
933 if (num_pending == 0) {
934 if (conn->smb2.mid < UINT64_MAX) {
935 /* no more pending requests, so we are done for now */
936 return true;
937 }
938
939 /*
940 * If there are no more SMB2 requests possible,
941 * because we are out of message ids,
942 * we need to disconnect.
943 */
944 smbXcli_conn_disconnect(conn, NT_STATUS_CONNECTION_ABORTED);
945 return true;
946 }
947
948 req = conn->pending[0];
949 state = tevent_req_data(req, struct smbXcli_req_state);
950
951 /*
952 * We're the first ones, add the read_smb request that waits for the
953 * answer from the server
954 */
955 conn->read_smb_req = read_smb_send(conn->pending,
956 state->ev,
957 conn->read_fd);
958 if (conn->read_smb_req == NULL) {
959 return false;
960 }
961 tevent_req_set_callback(conn->read_smb_req, smbXcli_conn_received, conn);
962 return true;
963 }
964
965 void smbXcli_conn_disconnect(struct smbXcli_conn *conn, NTSTATUS status)
966 {
967 struct smbXcli_session *session;
968
969 tevent_queue_stop(conn->outgoing);
970
971 if (conn->read_fd != -1) {
972 close(conn->read_fd);
973 }
974 if (conn->write_fd != -1) {
975 close(conn->write_fd);
976 }
977 conn->read_fd = -1;
978 conn->write_fd = -1;
979
980 session = conn->sessions;
981 if (talloc_array_length(conn->pending) == 0) {
982 /*
983 * if we do not have pending requests
984 * there is no need to update the channel_sequence
985 */
986 session = NULL;
987 }
988 for (; session; session = session->next) {
989 smb2cli_session_increment_channel_sequence(session);
990 }
991
992 /*
993 * Cancel all pending requests. We do not do a for-loop walking
994 * conn->pending because that array changes in
995 * smbXcli_req_unset_pending.
996 */
997 while (talloc_array_length(conn->pending) > 0) {
998 struct tevent_req *req;
999 struct smbXcli_req_state *state;
1000 struct tevent_req **chain;
1001 size_t num_chained;
1002 size_t i;
1003
1004 req = conn->pending[0];
1005 state = tevent_req_data(req, struct smbXcli_req_state);
1006
1007 if (state->smb1.chained_requests == NULL) {
1008 /*
1009 * We're dead. No point waiting for trans2
1010 * replies.
1011 */
1012 state->smb1.mid = 0;
1013
1014 smbXcli_req_unset_pending(req);
1015
1016 if (NT_STATUS_IS_OK(status)) {
1017 /* do not notify the callers */
1018 continue;
1019 }
1020
1021 /*
1022 * we need to defer the callback, because we may notify
1023 * more then one caller.
1024 */
1025 tevent_req_defer_callback(req, state->ev);
1026 tevent_req_nterror(req, status);
1027 continue;
1028 }
1029
1030 chain = talloc_move(conn, &state->smb1.chained_requests);
1031 num_chained = talloc_array_length(chain);
1032
1033 for (i=0; i<num_chained; i++) {
1034 req = chain[i];
1035 state = tevent_req_data(req, struct smbXcli_req_state);
1036
1037 /*
1038 * We're dead. No point waiting for trans2
1039 * replies.
1040 */
1041 state->smb1.mid = 0;
1042
1043 smbXcli_req_unset_pending(req);
1044
1045 if (NT_STATUS_IS_OK(status)) {
1046 /* do not notify the callers */
1047 continue;
1048 }
1049
1050 /*
1051 * we need to defer the callback, because we may notify
1052 * more than one caller.
1053 */
1054 tevent_req_defer_callback(req, state->ev);
1055 tevent_req_nterror(req, status);
1056 }
1057 TALLOC_FREE(chain);
1058 }
1059 }
1060
1061 /*
1062 * Fetch a smb request's mid. Only valid after the request has been sent by
1063 * smb1cli_req_send().
1064 */
1065 uint16_t smb1cli_req_mid(struct tevent_req *req)
1066 {
1067 struct smbXcli_req_state *state =
1068 tevent_req_data(req,
1069 struct smbXcli_req_state);
1070
1071 if (state->smb1.mid != 0) {
1072 return state->smb1.mid;
1073 }
1074
1075 return SVAL(state->smb1.hdr, HDR_MID);
1076 }
1077
1078 void smb1cli_req_set_mid(struct tevent_req *req, uint16_t mid)
1079 {
1080 struct smbXcli_req_state *state =
1081 tevent_req_data(req,
1082 struct smbXcli_req_state);
1083
1084 state->smb1.mid = mid;
1085 }
1086
1087 uint32_t smb1cli_req_seqnum(struct tevent_req *req)
1088 {
1089 struct smbXcli_req_state *state =
1090 tevent_req_data(req,
1091 struct smbXcli_req_state);
1092
1093 return state->smb1.seqnum;
1094 }
1095
1096 void smb1cli_req_set_seqnum(struct tevent_req *req, uint32_t seqnum)
1097 {
1098 struct smbXcli_req_state *state =
1099 tevent_req_data(req,
1100 struct smbXcli_req_state);
1101
1102 state->smb1.seqnum = seqnum;
1103 }
1104
1105 static size_t smbXcli_iov_len(const struct iovec *iov, int count)
1106 {
1107 size_t result = 0;
1108 int i;
1109 for (i=0; i<count; i++) {
1110 result += iov[i].iov_len;
1111 }
1112 return result;
1113 }
1114
1115 static uint8_t *smbXcli_iov_concat(TALLOC_CTX *mem_ctx,
1116 const struct iovec *iov,
1117 int count)
1118 {
1119 size_t len = smbXcli_iov_len(iov, count);
1120 size_t copied;
1121 uint8_t *buf;
1122 int i;
1123
1124 buf = talloc_array(mem_ctx, uint8_t, len);
1125 if (buf == NULL) {
1126 return NULL;
1127 }
1128 copied = 0;
1129 for (i=0; i<count; i++) {
1130 memcpy(buf+copied, iov[i].iov_base, iov[i].iov_len);
1131 copied += iov[i].iov_len;
1132 }
1133 return buf;
1134 }
1135
1136 static void smb1cli_req_flags(enum protocol_types protocol,
1137 uint32_t smb1_capabilities,
1138 uint8_t smb_command,
1139 uint8_t additional_flags,
1140 uint8_t clear_flags,
1141 uint8_t *_flags,
1142 uint16_t additional_flags2,
1143 uint16_t clear_flags2,
1144 uint16_t *_flags2)
1145 {
1146 uint8_t flags = 0;
1147 uint16_t flags2 = 0;
1148
1149 if (protocol >= PROTOCOL_LANMAN1) {
1150 flags |= FLAG_CASELESS_PATHNAMES;
1151 flags |= FLAG_CANONICAL_PATHNAMES;
1152 }
1153
1154 if (protocol >= PROTOCOL_LANMAN2) {
1155 flags2 |= FLAGS2_LONG_PATH_COMPONENTS;
1156 flags2 |= FLAGS2_EXTENDED_ATTRIBUTES;
1157 }
1158
1159 if (protocol >= PROTOCOL_NT1) {
1160 flags2 |= FLAGS2_IS_LONG_NAME;
1161
1162 if (smb1_capabilities & CAP_UNICODE) {
1163 flags2 |= FLAGS2_UNICODE_STRINGS;
1164 }
1165 if (smb1_capabilities & CAP_STATUS32) {
1166 flags2 |= FLAGS2_32_BIT_ERROR_CODES;
1167 }
1168 if (smb1_capabilities & CAP_EXTENDED_SECURITY) {
1169 flags2 |= FLAGS2_EXTENDED_SECURITY;
1170 }
1171 }
1172
1173 flags |= additional_flags;
1174 flags &= ~clear_flags;
1175 flags2 |= additional_flags2;
1176 flags2 &= ~clear_flags2;
1177
1178 *_flags = flags;
1179 *_flags2 = flags2;
1180 }
1181
1182 static void smb1cli_req_cancel_done(struct tevent_req *subreq);
1183
1184 static bool smb1cli_req_cancel(struct tevent_req *req)
1185 {
1186 struct smbXcli_req_state *state =
1187 tevent_req_data(req,
1188 struct smbXcli_req_state);
1189 uint8_t flags;
1190 uint16_t flags2;
1191 uint32_t pid;
1192 uint16_t mid;
1193 struct tevent_req *subreq;
1194 NTSTATUS status;
1195
1196 flags = CVAL(state->smb1.hdr, HDR_FLG);
1197 flags2 = SVAL(state->smb1.hdr, HDR_FLG2);
1198 pid = SVAL(state->smb1.hdr, HDR_PID);
1199 pid |= SVAL(state->smb1.hdr, HDR_PIDHIGH)<<16;
1200 mid = SVAL(state->smb1.hdr, HDR_MID);
1201
1202 subreq = smb1cli_req_create(state, state->ev,
1203 state->conn,
1204 SMBntcancel,
1205 flags, 0,
1206 flags2, 0,
1207 0, /* timeout */
1208 pid,
1209 state->tcon,
1210 state->session,
1211 0, NULL, /* vwv */
1212 0, NULL); /* bytes */
1213 if (subreq == NULL) {
1214 return false;
1215 }
1216 smb1cli_req_set_mid(subreq, mid);
1217
1218 status = smb1cli_req_chain_submit(&subreq, 1);
1219 if (!NT_STATUS_IS_OK(status)) {
1220 TALLOC_FREE(subreq);
1221 return false;
1222 }
1223 smb1cli_req_set_mid(subreq, 0);
1224
1225 tevent_req_set_callback(subreq, smb1cli_req_cancel_done, NULL);
1226
1227 return true;
1228 }
1229
1230 static void smb1cli_req_cancel_done(struct tevent_req *subreq)
1231 {
1232 /* we do not care about the result */
1233 TALLOC_FREE(subreq);
1234 }
1235
1236 struct tevent_req *smb1cli_req_create(TALLOC_CTX *mem_ctx,
1237 struct tevent_context *ev,
1238 struct smbXcli_conn *conn,
1239 uint8_t smb_command,
1240 uint8_t additional_flags,
1241 uint8_t clear_flags,
1242 uint16_t additional_flags2,
1243 uint16_t clear_flags2,
1244 uint32_t timeout_msec,
1245 uint32_t pid,
1246 struct smbXcli_tcon *tcon,
1247 struct smbXcli_session *session,
1248 uint8_t wct, uint16_t *vwv,
1249 int iov_count,
1250 struct iovec *bytes_iov)
1251 {
1252 struct tevent_req *req;
1253 struct smbXcli_req_state *state;
1254 uint8_t flags = 0;
1255 uint16_t flags2 = 0;
1256 uint16_t uid = 0;
1257 uint16_t tid = 0;
1258
1259 if (iov_count > MAX_SMB_IOV) {
1260 /*
1261 * Should not happen :-)
1262 */
1263 return NULL;
1264 }
1265
1266 req = tevent_req_create(mem_ctx, &state,
1267 struct smbXcli_req_state);
1268 if (req == NULL) {
1269 return NULL;
1270 }
1271 state->ev = ev;
1272 state->conn = conn;
1273 state->session = session;
1274 state->tcon = tcon;
1275
1276 if (session) {
1277 uid = session->smb1.session_id;
1278 }
1279
1280 if (tcon) {
1281 tid = tcon->smb1.tcon_id;
1282
1283 if (tcon->fs_attributes & FILE_CASE_SENSITIVE_SEARCH) {
1284 clear_flags |= FLAG_CASELESS_PATHNAMES;
1285 } else {
1286 /* Default setting, case insensitive. */
1287 additional_flags |= FLAG_CASELESS_PATHNAMES;
1288 }
1289
1290 if (smbXcli_conn_dfs_supported(conn) &&
1291 smbXcli_tcon_is_dfs_share(tcon))
1292 {
1293 additional_flags2 |= FLAGS2_DFS_PATHNAMES;
1294 }
1295 }
1296
1297 state->smb1.recv_cmd = 0xFF;
1298 state->smb1.recv_status = NT_STATUS_INTERNAL_ERROR;
1299 state->smb1.recv_iov = talloc_zero_array(state, struct iovec, 3);
1300 if (state->smb1.recv_iov == NULL) {
1301 TALLOC_FREE(req);
1302 return NULL;
1303 }
1304
1305 smb1cli_req_flags(conn->protocol,
1306 conn->smb1.capabilities,
1307 smb_command,
1308 additional_flags,
1309 clear_flags,
1310 &flags,
1311 additional_flags2,
1312 clear_flags2,
1313 &flags2);
1314
1315 SIVAL(state->smb1.hdr, 0, SMB_MAGIC);
1316 SCVAL(state->smb1.hdr, HDR_COM, smb_command);
1317 SIVAL(state->smb1.hdr, HDR_RCLS, NT_STATUS_V(NT_STATUS_OK));
1318 SCVAL(state->smb1.hdr, HDR_FLG, flags);
1319 SSVAL(state->smb1.hdr, HDR_FLG2, flags2);
1320 SSVAL(state->smb1.hdr, HDR_PIDHIGH, pid >> 16);
1321 SSVAL(state->smb1.hdr, HDR_TID, tid);
1322 SSVAL(state->smb1.hdr, HDR_PID, pid);
1323 SSVAL(state->smb1.hdr, HDR_UID, uid);
1324 SSVAL(state->smb1.hdr, HDR_MID, 0); /* this comes later */
1325 SCVAL(state->smb1.hdr, HDR_WCT, wct);
1326
1327 state->smb1.vwv = vwv;
1328
1329 SSVAL(state->smb1.bytecount_buf, 0, smbXcli_iov_len(bytes_iov, iov_count));
1330
1331 state->smb1.iov[0].iov_base = (void *)state->length_hdr;
1332 state->smb1.iov[0].iov_len = sizeof(state->length_hdr);
1333 state->smb1.iov[1].iov_base = (void *)state->smb1.hdr;
1334 state->smb1.iov[1].iov_len = sizeof(state->smb1.hdr);
1335 state->smb1.iov[2].iov_base = (void *)state->smb1.vwv;
1336 state->smb1.iov[2].iov_len = wct * sizeof(uint16_t);
1337 state->smb1.iov[3].iov_base = (void *)state->smb1.bytecount_buf;
1338 state->smb1.iov[3].iov_len = sizeof(uint16_t);
1339
1340 if (iov_count != 0) {
1341 memcpy(&state->smb1.iov[4], bytes_iov,
1342 iov_count * sizeof(*bytes_iov));
1343 }
1344 state->smb1.iov_count = iov_count + 4;
1345
1346 if (timeout_msec > 0) {
1347 struct timeval endtime;
1348
1349 endtime = timeval_current_ofs_msec(timeout_msec);
1350 if (!tevent_req_set_endtime(req, ev, endtime)) {
1351 return req;
1352 }
1353 }
1354
1355 switch (smb_command) {
1356 case SMBtranss:
1357 case SMBtranss2:
1358 case SMBnttranss:
1359 state->one_way = true;
1360 break;
1361 case SMBntcancel:
1362 state->one_way = true;
1363 state->smb1.one_way_seqnum = true;
1364 break;
1365 case SMBlockingX:
1366 if ((wct == 8) &&
1367 (CVAL(vwv+3, 0) == LOCKING_ANDX_OPLOCK_RELEASE)) {
1368 state->one_way = true;
1369 }
1370 break;
1371 }
1372
1373 return req;
1374 }
1375
1376 static NTSTATUS smb1cli_conn_signv(struct smbXcli_conn *conn,
1377 struct iovec *iov, int iov_count,
1378 uint32_t *seqnum,
1379 bool one_way_seqnum)
1380 {
1381 TALLOC_CTX *frame = NULL;
1382 uint8_t *buf;
1383
1384 /*
1385 * Obvious optimization: Make cli_calculate_sign_mac work with struct
1386 * iovec directly. MD5Update would do that just fine.
1387 */
1388
1389 if (iov_count < 4) {
1390 return NT_STATUS_INVALID_PARAMETER_MIX;
1391 }
1392 if (iov[0].iov_len != NBT_HDR_SIZE) {
1393 return NT_STATUS_INVALID_PARAMETER_MIX;
1394 }
1395 if (iov[1].iov_len != (MIN_SMB_SIZE-sizeof(uint16_t))) {
1396 return NT_STATUS_INVALID_PARAMETER_MIX;
1397 }
1398 if (iov[2].iov_len > (0xFF * sizeof(uint16_t))) {
1399 return NT_STATUS_INVALID_PARAMETER_MIX;
1400 }
1401 if (iov[3].iov_len != sizeof(uint16_t)) {
1402 return NT_STATUS_INVALID_PARAMETER_MIX;
1403 }
1404
1405 frame = talloc_stackframe();
1406
1407 buf = smbXcli_iov_concat(frame, &iov[1], iov_count - 1);
1408 if (buf == NULL) {
1409 return NT_STATUS_NO_MEMORY;
1410 }
1411
1412 *seqnum = smb_signing_next_seqnum(conn->smb1.signing,
1413 one_way_seqnum);
1414 smb_signing_sign_pdu(conn->smb1.signing,
1415 buf, talloc_get_size(buf),
1416 *seqnum);
1417 memcpy(iov[1].iov_base, buf, iov[1].iov_len);
1418
1419 TALLOC_FREE(frame);
1420 return NT_STATUS_OK;
1421 }
1422
1423 static void smb1cli_req_writev_done(struct tevent_req *subreq);
1424 static NTSTATUS smb1cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
1425 TALLOC_CTX *tmp_mem,
1426 uint8_t *inbuf);
1427
1428 static NTSTATUS smb1cli_req_writev_submit(struct tevent_req *req,
1429 struct smbXcli_req_state *state,
1430 struct iovec *iov, int iov_count)
1431 {
1432 struct tevent_req *subreq;
1433 NTSTATUS status;
1434 uint8_t cmd;
1435 uint16_t mid;
1436
1437 if (!smbXcli_conn_is_connected(state->conn)) {
1438 return NT_STATUS_CONNECTION_DISCONNECTED;
1439 }
1440
1441 if (state->conn->protocol > PROTOCOL_NT1) {
1442 return NT_STATUS_REVISION_MISMATCH;
1443 }
1444
1445 if (iov_count < 4) {
1446 return NT_STATUS_INVALID_PARAMETER_MIX;
1447 }
1448 if (iov[0].iov_len != NBT_HDR_SIZE) {
1449 return NT_STATUS_INVALID_PARAMETER_MIX;
1450 }
1451 if (iov[1].iov_len != (MIN_SMB_SIZE-sizeof(uint16_t))) {
1452 return NT_STATUS_INVALID_PARAMETER_MIX;
1453 }
1454 if (iov[2].iov_len > (0xFF * sizeof(uint16_t))) {
1455 return NT_STATUS_INVALID_PARAMETER_MIX;
1456 }
1457 if (iov[3].iov_len != sizeof(uint16_t)) {
1458 return NT_STATUS_INVALID_PARAMETER_MIX;
1459 }
1460
1461 cmd = CVAL(iov[1].iov_base, HDR_COM);
1462 if (cmd == SMBreadBraw) {
1463 if (smbXcli_conn_has_async_calls(state->conn)) {
1464 return NT_STATUS_INVALID_PARAMETER_MIX;
1465 }
1466 state->conn->smb1.read_braw_req = req;
1467 }
1468
1469 if (state->smb1.mid != 0) {
1470 mid = state->smb1.mid;
1471 } else {
1472 mid = smb1cli_alloc_mid(state->conn);
1473 }
1474 SSVAL(iov[1].iov_base, HDR_MID, mid);
1475
1476 _smb_setlen_nbt(iov[0].iov_base, smbXcli_iov_len(&iov[1], iov_count-1));
1477
1478 status = smb1cli_conn_signv(state->conn, iov, iov_count,
1479 &state->smb1.seqnum,
1480 state->smb1.one_way_seqnum);
1481
1482 if (!NT_STATUS_IS_OK(status)) {
1483 return status;
1484 }
1485
1486 /*
1487 * If we supported multiple encrytion contexts
1488 * here we'd look up based on tid.
1489 */
1490 if (common_encryption_on(state->conn->smb1.trans_enc)) {
1491 char *buf, *enc_buf;
1492
1493 buf = (char *)smbXcli_iov_concat(talloc_tos(), iov, iov_count);
1494 if (buf == NULL) {
1495 return NT_STATUS_NO_MEMORY;
1496 }
1497 status = common_encrypt_buffer(state->conn->smb1.trans_enc,
1498 (char *)buf, &enc_buf);
1499 TALLOC_FREE(buf);
1500 if (!NT_STATUS_IS_OK(status)) {
1501 DEBUG(0, ("Error in encrypting client message: %s\n",
1502 nt_errstr(status)));
1503 return status;
1504 }
1505 buf = (char *)talloc_memdup(state, enc_buf,
1506 smb_len_nbt(enc_buf)+4);
1507 SAFE_FREE(enc_buf);
1508 if (buf == NULL) {
1509 return NT_STATUS_NO_MEMORY;
1510 }
1511 iov[0].iov_base = (void *)buf;
1512 iov[0].iov_len = talloc_get_size(buf);
1513 iov_count = 1;
1514 }
1515
1516 if (state->conn->dispatch_incoming == NULL) {
1517 state->conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
1518 }
1519
1520 tevent_req_set_cancel_fn(req, smbXcli_req_cancel);
1521
1522 subreq = writev_send(state, state->ev, state->conn->outgoing,
1523 state->conn->write_fd, false, iov, iov_count);
1524 if (subreq == NULL) {
1525 return NT_STATUS_NO_MEMORY;
1526 }
1527 tevent_req_set_callback(subreq, smb1cli_req_writev_done, req);
1528 return NT_STATUS_OK;
1529 }
1530
1531 struct tevent_req *smb1cli_req_send(TALLOC_CTX *mem_ctx,
1532 struct tevent_context *ev,
1533 struct smbXcli_conn *conn,
1534 uint8_t smb_command,
1535 uint8_t additional_flags,
1536 uint8_t clear_flags,
1537 uint16_t additional_flags2,
1538 uint16_t clear_flags2,
1539 uint32_t timeout_msec,
1540 uint32_t pid,
1541 struct smbXcli_tcon *tcon,
1542 struct smbXcli_session *session,
1543 uint8_t wct, uint16_t *vwv,
1544 uint32_t num_bytes,
1545 const uint8_t *bytes)
1546 {
1547 struct tevent_req *req;
1548 struct iovec iov;
1549 NTSTATUS status;
1550
1551 iov.iov_base = discard_const_p(void, bytes);
1552 iov.iov_len = num_bytes;
1553
1554 req = smb1cli_req_create(mem_ctx, ev, conn, smb_command,
1555 additional_flags, clear_flags,
1556 additional_flags2, clear_flags2,
1557 timeout_msec,
1558 pid, tcon, session,
1559 wct, vwv, 1, &iov);
1560 if (req == NULL) {
1561 return NULL;
1562 }
1563 if (!tevent_req_is_in_progress(req)) {
1564 return tevent_req_post(req, ev);
1565 }
1566 status = smb1cli_req_chain_submit(&req, 1);
1567 if (tevent_req_nterror(req, status)) {
1568 return tevent_req_post(req, ev);
1569 }
1570 return req;
1571 }
1572
1573 static void smb1cli_req_writev_done(struct tevent_req *subreq)
1574 {
1575 struct tevent_req *req =
1576 tevent_req_callback_data(subreq,
1577 struct tevent_req);
1578 struct smbXcli_req_state *state =
1579 tevent_req_data(req,
1580 struct smbXcli_req_state);
1581 ssize_t nwritten;
1582 int err;
1583
1584 nwritten = writev_recv(subreq, &err);
1585 TALLOC_FREE(subreq);
1586 if (nwritten == -1) {
1587 NTSTATUS status = map_nt_error_from_unix_common(err);
1588 smbXcli_conn_disconnect(state->conn, status);
1589 return;
1590 }
1591
1592 if (state->one_way) {
1593 state->inbuf = NULL;
1594 tevent_req_done(req);
1595 return;
1596 }
1597
1598 if (!smbXcli_req_set_pending(req)) {
1599 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
1600 return;
1601 }
1602 }
1603
1604 static void smbXcli_conn_received(struct tevent_req *subreq)
1605 {
1606 struct smbXcli_conn *conn =
1607 tevent_req_callback_data(subreq,
1608 struct smbXcli_conn);
1609 TALLOC_CTX *frame = talloc_stackframe();
1610 NTSTATUS status;
1611 uint8_t *inbuf;
1612 ssize_t received;
1613 int err;
1614
1615 if (subreq != conn->read_smb_req) {
1616 DEBUG(1, ("Internal error: cli_smb_received called with "
1617 "unexpected subreq\n"));
1618 smbXcli_conn_disconnect(conn, NT_STATUS_INTERNAL_ERROR);
1619 TALLOC_FREE(frame);
1620 return;
1621 }
1622 conn->read_smb_req = NULL;
1623
1624 received = read_smb_recv(subreq, frame, &inbuf, &err);
1625 TALLOC_FREE(subreq);
1626 if (received == -1) {
1627 status = map_nt_error_from_unix_common(err);
1628 smbXcli_conn_disconnect(conn, status);
1629 TALLOC_FREE(frame);
1630 return;
1631 }
1632
1633 status = conn->dispatch_incoming(conn, frame, inbuf);
1634 TALLOC_FREE(frame);
1635 if (NT_STATUS_IS_OK(status)) {
1636 /*
1637 * We should not do any more processing
1638 * as the dispatch function called
1639 * tevent_req_done().
1640 */
1641 return;
1642 }
1643
1644 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
1645 /*
1646 * We got an error, so notify all pending requests
1647 */
1648 smbXcli_conn_disconnect(conn, status);
1649 return;
1650 }
1651
1652 /*
1653 * We got NT_STATUS_RETRY, so we may ask for a
1654 * next incoming pdu.
1655 */
1656 if (!smbXcli_conn_receive_next(conn)) {
1657 smbXcli_conn_disconnect(conn, NT_STATUS_NO_MEMORY);
1658 }
1659 }
1660
1661 static NTSTATUS smb1cli_inbuf_parse_chain(uint8_t *buf, TALLOC_CTX *mem_ctx,
1662 struct iovec **piov, int *pnum_iov)
1663 {
1664 struct iovec *iov;
1665 int num_iov;
1666 size_t buflen;
1667 size_t taken;
1668 size_t remaining;
1669 uint8_t *hdr;
1670 uint8_t cmd;
1671 uint32_t wct_ofs;
1672 NTSTATUS status;
1673 size_t min_size = MIN_SMB_SIZE;
1674
1675 buflen = smb_len_tcp(buf);
1676 taken = 0;
1677
1678 hdr = buf + NBT_HDR_SIZE;
1679
1680 status = smb1cli_pull_raw_error(hdr);
1681 if (NT_STATUS_IS_ERR(status)) {
1682 /*
1683 * This is an ugly hack to support OS/2
1684 * which skips the byte_count in the DATA block
1685 * on some error responses.
1686 *
1687 * See bug #9096
1688 */
1689 min_size -= sizeof(uint16_t);
1690 }
1691
1692 if (buflen < min_size) {
1693 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1694 }
1695
1696 /*
1697 * This returns iovec elements in the following order:
1698 *
1699 * - SMB header
1700 *
1701 * - Parameter Block
1702 * - Data Block
1703 *
1704 * - Parameter Block
1705 * - Data Block
1706 *
1707 * - Parameter Block
1708 * - Data Block
1709 */
1710 num_iov = 1;
1711
1712 iov = talloc_array(mem_ctx, struct iovec, num_iov);
1713 if (iov == NULL) {
1714 return NT_STATUS_NO_MEMORY;
1715 }
1716 iov[0].iov_base = hdr;
1717 iov[0].iov_len = HDR_WCT;
1718 taken += HDR_WCT;
1719
1720 cmd = CVAL(hdr, HDR_COM);
1721 wct_ofs = HDR_WCT;
1722
1723 while (true) {
1724 size_t len = buflen - taken;
1725 struct iovec *cur;
1726 struct iovec *iov_tmp;
1727 uint8_t wct;
1728 uint32_t bcc_ofs;
1729 uint16_t bcc;
1730 size_t needed;
1731
1732 /*
1733 * we need at least WCT
1734 */
1735 needed = sizeof(uint8_t);
1736 if (len < needed) {
1737 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1738 __location__, (int)len, (int)needed));
1739 goto inval;
1740 }
1741
1742 /*
1743 * Now we check if the specified words are there
1744 */
1745 wct = CVAL(hdr, wct_ofs);
1746 needed += wct * sizeof(uint16_t);
1747 if (len < needed) {
1748 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1749 __location__, (int)len, (int)needed));
1750 goto inval;
1751 }
1752
1753 if ((num_iov == 1) &&
1754 (len == needed) &&
1755 NT_STATUS_IS_ERR(status))
1756 {
1757 /*
1758 * This is an ugly hack to support OS/2
1759 * which skips the byte_count in the DATA block
1760 * on some error responses.
1761 *
1762 * See bug #9096
1763 */
1764 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
1765 num_iov + 2);
1766 if (iov_tmp == NULL) {
1767 TALLOC_FREE(iov);
1768 return NT_STATUS_NO_MEMORY;
1769 }
1770 iov = iov_tmp;
1771 cur = &iov[num_iov];
1772 num_iov += 2;
1773
1774 cur[0].iov_len = 0;
1775 cur[0].iov_base = hdr + (wct_ofs + sizeof(uint8_t));
1776 cur[1].iov_len = 0;
1777 cur[1].iov_base = cur[0].iov_base;
1778
1779 taken += needed;
1780 break;
1781 }
1782
1783 /*
1784 * we need at least BCC
1785 */
1786 needed += sizeof(uint16_t);
1787 if (len < needed) {
1788 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1789 __location__, (int)len, (int)needed));
1790 goto inval;
1791 }
1792
1793 /*
1794 * Now we check if the specified bytes are there
1795 */
1796 bcc_ofs = wct_ofs + sizeof(uint8_t) + wct * sizeof(uint16_t);
1797 bcc = SVAL(hdr, bcc_ofs);
1798 needed += bcc * sizeof(uint8_t);
1799 if (len < needed) {
1800 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1801 __location__, (int)len, (int)needed));
1802 goto inval;
1803 }
1804
1805 /*
1806 * we allocate 2 iovec structures for words and bytes
1807 */
1808 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
1809 num_iov + 2);
1810 if (iov_tmp == NULL) {
1811 TALLOC_FREE(iov);
1812 return NT_STATUS_NO_MEMORY;
1813 }
1814 iov = iov_tmp;
1815 cur = &iov[num_iov];
1816 num_iov += 2;
1817
1818 cur[0].iov_len = wct * sizeof(uint16_t);
1819 cur[0].iov_base = hdr + (wct_ofs + sizeof(uint8_t));
1820 cur[1].iov_len = bcc * sizeof(uint8_t);
1821 cur[1].iov_base = hdr + (bcc_ofs + sizeof(uint16_t));
1822
1823 taken += needed;
1824
1825 if (!smb1cli_is_andx_req(cmd)) {
1826 /*
1827 * If the current command does not have AndX chanining
1828 * we are done.
1829 */
1830 break;
1831 }
1832
1833 if (wct == 0 && bcc == 0) {
1834 /*
1835 * An empty response also ends the chain,
1836 * most likely with an error.
1837 */
1838 break;
1839 }
1840
1841 if (wct < 2) {
1842 DEBUG(10, ("%s: wct[%d] < 2 for cmd[0x%02X]\n",
1843 __location__, (int)wct, (int)cmd));
1844 goto inval;
1845 }
1846 cmd = CVAL(cur[0].iov_base, 0);
1847 if (cmd == 0xFF) {
1848 /*
1849 * If it is the end of the chain we are also done.
1850 */
1851 break;
1852 }
1853 wct_ofs = SVAL(cur[0].iov_base, 2);
1854
1855 if (wct_ofs < taken) {
1856 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1857 }
1858 if (wct_ofs > buflen) {
1859 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1860 }
1861
1862 /*
1863 * we consumed everything up to the start of the next
1864 * parameter block.
1865 */
1866 taken = wct_ofs;
1867 }
1868
1869 remaining = buflen - taken;
1870
1871 if (remaining > 0 && num_iov >= 3) {
1872 /*
1873 * The last DATA block gets the remaining
1874 * bytes, this is needed to support
1875 * CAP_LARGE_WRITEX and CAP_LARGE_READX.
1876 */
1877 iov[num_iov-1].iov_len += remaining;
1878 }
1879
1880 *piov = iov;
1881 *pnum_iov = num_iov;
1882 return NT_STATUS_OK;
1883
1884 inval:
1885 TALLOC_FREE(iov);
1886 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1887 }
1888
1889 static NTSTATUS smb1cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
1890 TALLOC_CTX *tmp_mem,
1891 uint8_t *inbuf)
1892 {
1893 struct tevent_req *req;
1894 struct smbXcli_req_state *state;
1895 NTSTATUS status;
1896 size_t num_pending;
1897 size_t i;
1898 uint8_t cmd;
1899 uint16_t mid;
1900 bool oplock_break;
1901 uint8_t *inhdr = inbuf + NBT_HDR_SIZE;
1902 size_t len = smb_len_tcp(inbuf);
1903 struct iovec *iov = NULL;
1904 int num_iov = 0;
1905 struct tevent_req **chain = NULL;
1906 size_t num_chained = 0;
1907 size_t num_responses = 0;
1908
1909 if (conn->smb1.read_braw_req != NULL) {
1910 req = conn->smb1.read_braw_req;
1911 conn->smb1.read_braw_req = NULL;
1912 state = tevent_req_data(req, struct smbXcli_req_state);
1913
1914 smbXcli_req_unset_pending(req);
1915
1916 if (state->smb1.recv_iov == NULL) {
1917 /*
1918 * For requests with more than
1919 * one response, we have to readd the
1920 * recv_iov array.
1921 */
1922 state->smb1.recv_iov = talloc_zero_array(state,
1923 struct iovec,
1924 3);
1925 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
1926 return NT_STATUS_OK;
1927 }
1928 }
1929
1930 state->smb1.recv_iov[0].iov_base = (void *)(inhdr);
1931 state->smb1.recv_iov[0].iov_len = len;
1932 ZERO_STRUCT(state->smb1.recv_iov[1]);
1933 ZERO_STRUCT(state->smb1.recv_iov[2]);
1934
1935 state->smb1.recv_cmd = SMBreadBraw;
1936 state->smb1.recv_status = NT_STATUS_OK;
1937 state->inbuf = talloc_move(state->smb1.recv_iov, &inbuf);
1938
1939 tevent_req_done(req);
1940 return NT_STATUS_OK;
1941 }
1942
1943 if ((IVAL(inhdr, 0) != SMB_MAGIC) /* 0xFF"SMB" */
1944 && (SVAL(inhdr, 0) != 0x45ff)) /* 0xFF"E" */ {
1945 DEBUG(10, ("Got non-SMB PDU\n"));
1946 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1947 }
1948
1949 /*
1950 * If we supported multiple encrytion contexts
1951 * here we'd look up based on tid.
1952 */
1953 if (common_encryption_on(conn->smb1.trans_enc)
1954 && (CVAL(inbuf, 0) == 0)) {
1955 uint16_t enc_ctx_num;
1956
1957 status = get_enc_ctx_num(inbuf, &enc_ctx_num);
1958 if (!NT_STATUS_IS_OK(status)) {
1959 DEBUG(10, ("get_enc_ctx_num returned %s\n",
1960 nt_errstr(status)));
1961 return status;
1962 }
1963
1964 if (enc_ctx_num != conn->smb1.trans_enc->enc_ctx_num) {
1965 DEBUG(10, ("wrong enc_ctx %d, expected %d\n",
1966 enc_ctx_num,
1967 conn->smb1.trans_enc->enc_ctx_num));
1968 return NT_STATUS_INVALID_HANDLE;
1969 }
1970
1971 status = common_decrypt_buffer(conn->smb1.trans_enc,
1972 (char *)inbuf);
1973 if (!NT_STATUS_IS_OK(status)) {
1974 DEBUG(10, ("common_decrypt_buffer returned %s\n",
1975 nt_errstr(status)));
1976 return status;
1977 }
1978 inhdr = inbuf + NBT_HDR_SIZE;
1979 len = smb_len_nbt(inbuf);
1980 }
1981
1982 mid = SVAL(inhdr, HDR_MID);
1983 num_pending = talloc_array_length(conn->pending);
1984
1985 for (i=0; i<num_pending; i++) {
1986 if (mid == smb1cli_req_mid(conn->pending[i])) {
1987 break;
1988 }
1989 }
1990 if (i == num_pending) {
1991 /* Dump unexpected reply */
1992 return NT_STATUS_RETRY;
1993 }
1994
1995 oplock_break = false;
1996
1997 if (mid == 0xffff) {
1998 /*
1999 * Paranoia checks that this is really an oplock break request.
2000 */
2001 oplock_break = (len == 51); /* hdr + 8 words */
2002 oplock_break &= ((CVAL(inhdr, HDR_FLG) & FLAG_REPLY) == 0);
2003 oplock_break &= (CVAL(inhdr, HDR_COM) == SMBlockingX);
2004 oplock_break &= (SVAL(inhdr, HDR_VWV+VWV(6)) == 0);
2005 oplock_break &= (SVAL(inhdr, HDR_VWV+VWV(7)) == 0);
2006
2007 if (!oplock_break) {
2008 /* Dump unexpected reply */
2009 return NT_STATUS_RETRY;
2010 }
2011 }
2012
2013 req = conn->pending[i];
2014 state = tevent_req_data(req, struct smbXcli_req_state);
2015
2016 if (!oplock_break /* oplock breaks are not signed */
2017 && !smb_signing_check_pdu(conn->smb1.signing,
2018 inhdr, len, state->smb1.seqnum+1)) {
2019 DEBUG(10, ("cli_check_sign_mac failed\n"));
2020 return NT_STATUS_ACCESS_DENIED;
2021 }
2022
2023 status = smb1cli_inbuf_parse_chain(inbuf, tmp_mem,
2024 &iov, &num_iov);
2025 if (!NT_STATUS_IS_OK(status)) {
2026 DEBUG(10,("smb1cli_inbuf_parse_chain - %s\n",
2027 nt_errstr(status)));
2028 return status;
2029 }
2030
2031 cmd = CVAL(inhdr, HDR_COM);
2032 status = smb1cli_pull_raw_error(inhdr);
2033
2034 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
2035 (state->session != NULL) && state->session->disconnect_expired)
2036 {
2037 /*
2038 * this should be a short term hack
2039 * until the upper layers have implemented
2040 * re-authentication.
2041 */
2042 return status;
2043 }
2044
2045 if (state->smb1.chained_requests == NULL) {
2046 if (num_iov != 3) {
2047 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2048 }
2049
2050 smbXcli_req_unset_pending(req);
2051
2052 if (state->smb1.recv_iov == NULL) {
2053 /*
2054 * For requests with more than
2055 * one response, we have to readd the
2056 * recv_iov array.
2057 */
2058 state->smb1.recv_iov = talloc_zero_array(state,
2059 struct iovec,
2060 3);
2061 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2062 return NT_STATUS_OK;
2063 }
2064 }
2065
2066 state->smb1.recv_cmd = cmd;
2067 state->smb1.recv_status = status;
2068 state->inbuf = talloc_move(state->smb1.recv_iov, &inbuf);
2069
2070 state->smb1.recv_iov[0] = iov[0];
2071 state->smb1.recv_iov[1] = iov[1];
2072 state->smb1.recv_iov[2] = iov[2];
2073
2074 if (talloc_array_length(conn->pending) == 0) {
2075 tevent_req_done(req);
2076 return NT_STATUS_OK;
2077 }
2078
2079 tevent_req_defer_callback(req, state->ev);
2080 tevent_req_done(req);
2081 return NT_STATUS_RETRY;
2082 }
2083
2084 chain = talloc_move(tmp_mem, &state->smb1.chained_requests);
2085 num_chained = talloc_array_length(chain);
2086 num_responses = (num_iov - 1)/2;
2087
2088 if (num_responses > num_chained) {
2089 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2090 }
2091
2092 for (i=0; i<num_chained; i++) {
2093 size_t iov_idx = 1 + (i*2);
2094 struct iovec *cur = &iov[iov_idx];
2095 uint8_t *inbuf_ref;
2096
2097 req = chain[i];
2098 state = tevent_req_data(req, struct smbXcli_req_state);
2099
2100 smbXcli_req_unset_pending(req);
2101
2102 /*
2103 * as we finish multiple requests here
2104 * we need to defer the callbacks as
2105 * they could destroy our current stack state.
2106 */
2107 tevent_req_defer_callback(req, state->ev);
2108
2109 if (i >= num_responses) {
2110 tevent_req_nterror(req, NT_STATUS_REQUEST_ABORTED);
2111 continue;
2112 }
2113
2114 if (state->smb1.recv_iov == NULL) {
2115 /*
2116 * For requests with more than
2117 * one response, we have to readd the
2118 * recv_iov array.
2119 */
2120 state->smb1.recv_iov = talloc_zero_array(state,
2121 struct iovec,
2122 3);
2123 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2124 continue;
2125 }
2126 }
2127
2128 state->smb1.recv_cmd = cmd;
2129
2130 if (i == (num_responses - 1)) {
2131 /*
2132 * The last request in the chain gets the status
2133 */
2134 state->smb1.recv_status = status;
2135 } else {
2136 cmd = CVAL(cur[0].iov_base, 0);
2137 state->smb1.recv_status = NT_STATUS_OK;
2138 }
2139
2140 state->inbuf = inbuf;
2141
2142 /*
2143 * Note: here we use talloc_reference() in a way
2144 * that does not expose it to the caller.
2145 */
2146 inbuf_ref = talloc_reference(state->smb1.recv_iov, inbuf);
2147 if (tevent_req_nomem(inbuf_ref, req)) {
2148 continue;
2149 }
2150
2151 /* copy the related buffers */
2152 state->smb1.recv_iov[0] = iov[0];
2153 state->smb1.recv_iov[1] = cur[0];
2154 state->smb1.recv_iov[2] = cur[1];
2155
2156 tevent_req_done(req);
2157 }
2158
2159 return NT_STATUS_RETRY;
2160 }
2161
2162 NTSTATUS smb1cli_req_recv(struct tevent_req *req,
2163 TALLOC_CTX *mem_ctx,
2164 struct iovec **piov,
2165 uint8_t **phdr,
2166 uint8_t *pwct,
2167 uint16_t **pvwv,
2168 uint32_t *pvwv_offset,
2169 uint32_t *pnum_bytes,
2170 uint8_t **pbytes,
2171 uint32_t *pbytes_offset,
2172 uint8_t **pinbuf,
2173 const struct smb1cli_req_expected_response *expected,
2174 size_t num_expected)
2175 {
2176 struct smbXcli_req_state *state =
2177 tevent_req_data(req,
2178 struct smbXcli_req_state);
2179 NTSTATUS status = NT_STATUS_OK;
2180 struct iovec *recv_iov = NULL;
2181 uint8_t *hdr = NULL;
2182 uint8_t wct = 0;
2183 uint32_t vwv_offset = 0;
2184 uint16_t *vwv = NULL;
2185 uint32_t num_bytes = 0;
2186 uint32_t bytes_offset = 0;
2187 uint8_t *bytes = NULL;
2188 size_t i;
2189 bool found_status = false;
2190 bool found_size = false;
2191
2192 if (piov != NULL) {
2193 *piov = NULL;
2194 }
2195 if (phdr != NULL) {
2196 *phdr = 0;
2197 }
2198 if (pwct != NULL) {
2199 *pwct = 0;
2200 }
2201 if (pvwv != NULL) {
2202 *pvwv = NULL;
2203 }
2204 if (pvwv_offset != NULL) {
2205 *pvwv_offset = 0;
2206 }
2207 if (pnum_bytes != NULL) {
2208 *pnum_bytes = 0;
2209 }
2210 if (pbytes != NULL) {
2211 *pbytes = NULL;
2212 }
2213 if (pbytes_offset != NULL) {
2214 *pbytes_offset = 0;
2215 }
2216 if (pinbuf != NULL) {
2217 *pinbuf = NULL;
2218 }
2219
2220 if (state->inbuf != NULL) {
2221 recv_iov = state->smb1.recv_iov;
2222 state->smb1.recv_iov = NULL;
2223 if (state->smb1.recv_cmd != SMBreadBraw) {
2224 hdr = (uint8_t *)recv_iov[0].iov_base;
2225 wct = recv_iov[1].iov_len/2;
2226 vwv = (uint16_t *)recv_iov[1].iov_base;
2227 vwv_offset = PTR_DIFF(vwv, hdr);
2228 num_bytes = recv_iov[2].iov_len;
2229 bytes = (uint8_t *)recv_iov[2].iov_base;
2230 bytes_offset = PTR_DIFF(bytes, hdr);
2231 }
2232 }
2233
2234 if (tevent_req_is_nterror(req, &status)) {
2235 for (i=0; i < num_expected; i++) {
2236 if (NT_STATUS_EQUAL(status, expected[i].status)) {
2237 found_status = true;
2238 break;
2239 }
2240 }
2241
2242 if (found_status) {
2243 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
2244 }
2245
2246 return status;
2247 }
2248
2249 if (num_expected == 0) {
2250 found_status = true;
2251 found_size = true;
2252 }
2253
2254 status = state->smb1.recv_status;
2255
2256 for (i=0; i < num_expected; i++) {
2257 if (!NT_STATUS_EQUAL(status, expected[i].status)) {
2258 continue;
2259 }
2260
2261 found_status = true;
2262 if (expected[i].wct == 0) {
2263 found_size = true;
2264 break;
2265 }
2266
2267 if (expected[i].wct == wct) {
2268 found_size = true;
2269 break;
2270 }
2271 }
2272
2273 if (!found_status) {
2274 return status;
2275 }
2276
2277 if (!found_size) {
2278 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2279 }
2280
2281 if (piov != NULL) {
2282 *piov = talloc_move(mem_ctx, &recv_iov);
2283 }
2284
2285 if (phdr != NULL) {
2286 *phdr = hdr;
2287 }
2288 if (pwct != NULL) {
2289 *pwct = wct;
2290 }
2291 if (pvwv != NULL) {
2292 *pvwv = vwv;
2293 }
2294 if (pvwv_offset != NULL) {
2295 *pvwv_offset = vwv_offset;
2296 }
2297 if (pnum_bytes != NULL) {
2298 *pnum_bytes = num_bytes;
2299 }
2300 if (pbytes != NULL) {
2301 *pbytes = bytes;
2302 }
2303 if (pbytes_offset != NULL) {
2304 *pbytes_offset = bytes_offset;
2305 }
2306 if (pinbuf != NULL) {
2307 *pinbuf = state->inbuf;
2308 }
2309
2310 return status;
2311 }
2312
2313 size_t smb1cli_req_wct_ofs(struct tevent_req **reqs, int num_reqs)
2314 {
2315 size_t wct_ofs;
2316 int i;
2317
2318 wct_ofs = HDR_WCT;
2319
2320 for (i=0; i<num_reqs; i++) {
2321 struct smbXcli_req_state *state;
2322 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2323 wct_ofs += smbXcli_iov_len(state->smb1.iov+2,
2324 state->smb1.iov_count-2);
2325 wct_ofs = (wct_ofs + 3) & ~3;
2326 }
2327 return wct_ofs;
2328 }
2329
2330 NTSTATUS smb1cli_req_chain_submit(struct tevent_req **reqs, int num_reqs)
2331 {
2332 struct smbXcli_req_state *first_state =
2333 tevent_req_data(reqs[0],
2334 struct smbXcli_req_state);
2335 struct smbXcli_req_state *state;
2336 size_t wct_offset;
2337 size_t chain_padding = 0;
2338 int i, iovlen;
2339 struct iovec *iov = NULL;
2340 struct iovec *this_iov;
2341 NTSTATUS status;
2342 size_t nbt_len;
2343
2344 if (num_reqs == 1) {
2345 return smb1cli_req_writev_submit(reqs[0], first_state,
2346 first_state->smb1.iov,
2347 first_state->smb1.iov_count);
2348 }
2349
2350 iovlen = 0;
2351 for (i=0; i<num_reqs; i++) {
2352 if (!tevent_req_is_in_progress(reqs[i])) {
2353 return NT_STATUS_INTERNAL_ERROR;
2354 }
2355
2356 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2357
2358 if (state->smb1.iov_count < 4) {
2359 return NT_STATUS_INVALID_PARAMETER_MIX;
2360 }
2361
2362 if (i == 0) {
2363 /*
2364 * The NBT and SMB header
2365 */
2366 iovlen += 2;
2367 } else {
2368 /*
2369 * Chain padding
2370 */
2371 iovlen += 1;
2372 }
2373
2374 /*
2375 * words and bytes
2376 */
2377 iovlen += state->smb1.iov_count - 2;
2378 }
2379
2380 iov = talloc_zero_array(first_state, struct iovec, iovlen);
2381 if (iov == NULL) {
2382 return NT_STATUS_NO_MEMORY;
2383 }
2384
2385 first_state->smb1.chained_requests = (struct tevent_req **)talloc_memdup(
2386 first_state, reqs, sizeof(*reqs) * num_reqs);
2387 if (first_state->smb1.chained_requests == NULL) {
2388 TALLOC_FREE(iov);
2389 return NT_STATUS_NO_MEMORY;
2390 }
2391
2392 wct_offset = HDR_WCT;
2393 this_iov = iov;
2394
2395 for (i=0; i<num_reqs; i++) {
2396 size_t next_padding = 0;
2397 uint16_t *vwv;
2398
2399 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2400
2401 if (i < num_reqs-1) {
2402 if (!smb1cli_is_andx_req(CVAL(state->smb1.hdr, HDR_COM))
2403 || CVAL(state->smb1.hdr, HDR_WCT) < 2) {
2404 TALLOC_FREE(iov);
2405 TALLOC_FREE(first_state->smb1.chained_requests);
2406 return NT_STATUS_INVALID_PARAMETER_MIX;
2407 }
2408 }
2409
2410 wct_offset += smbXcli_iov_len(state->smb1.iov+2,
2411 state->smb1.iov_count-2) + 1;
2412 if ((wct_offset % 4) != 0) {
2413 next_padding = 4 - (wct_offset % 4);
2414 }
2415 wct_offset += next_padding;
2416 vwv = state->smb1.vwv;
2417
2418 if (i < num_reqs-1) {
2419 struct smbXcli_req_state *next_state =
2420 tevent_req_data(reqs[i+1],
2421 struct smbXcli_req_state);
2422 SCVAL(vwv+0, 0, CVAL(next_state->smb1.hdr, HDR_COM));
2423 SCVAL(vwv+0, 1, 0);
2424 SSVAL(vwv+1, 0, wct_offset);
2425 } else if (smb1cli_is_andx_req(CVAL(state->smb1.hdr, HDR_COM))) {
2426 /* properly end the chain */
2427 SCVAL(vwv+0, 0, 0xff);
2428 SCVAL(vwv+0, 1, 0xff);
2429 SSVAL(vwv+1, 0, 0);
2430 }
2431
2432 if (i == 0) {
2433 /*
2434 * The NBT and SMB header
2435 */
2436 this_iov[0] = state->smb1.iov[0];
2437 this_iov[1] = state->smb1.iov[1];
2438 this_iov += 2;
2439 } else {
2440 /*
2441 * This one is a bit subtle. We have to add
2442 * chain_padding bytes between the requests, and we
2443 * have to also include the wct field of the
2444 * subsequent requests. We use the subsequent header
2445 * for the padding, it contains the wct field in its
2446 * last byte.
2447 */
2448 this_iov[0].iov_len = chain_padding+1;
2449 this_iov[0].iov_base = (void *)&state->smb1.hdr[
2450 sizeof(state->smb1.hdr) - this_iov[0].iov_len];
2451 memset(this_iov[0].iov_base, 0, this_iov[0].iov_len-1);
2452 this_iov += 1;
2453 }
2454
2455 /*
2456 * copy the words and bytes
2457 */
2458 memcpy(this_iov, state->smb1.iov+2,
2459 sizeof(struct iovec) * (state->smb1.iov_count-2));
2460 this_iov += state->smb1.iov_count - 2;
2461 chain_padding = next_padding;
2462 }
2463
2464 nbt_len = smbXcli_iov_len(&iov[1], iovlen-1);
2465 if (nbt_len > first_state->conn->smb1.max_xmit) {
2466 TALLOC_FREE(iov);
2467 TALLOC_FREE(first_state->smb1.chained_requests);
2468 return NT_STATUS_INVALID_PARAMETER_MIX;
2469 }
2470
2471 status = smb1cli_req_writev_submit(reqs[0], first_state, iov, iovlen);
2472 if (!NT_STATUS_IS_OK(status)) {
2473 TALLOC_FREE(iov);
2474 TALLOC_FREE(first_state->smb1.chained_requests);
2475 return status;
2476 }
2477
2478 return NT_STATUS_OK;
2479 }
2480
2481 bool smbXcli_conn_has_async_calls(struct smbXcli_conn *conn)
2482 {
2483 return ((tevent_queue_length(conn->outgoing) != 0)
2484 || (talloc_array_length(conn->pending) != 0));
2485 }
2486
2487 bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn)
2488 {
2489 if (conn->protocol >= PROTOCOL_SMB2_02) {
2490 return (smb2cli_conn_server_capabilities(conn) & SMB2_CAP_DFS);
2491 }
2492
2493 return (smb1cli_conn_capabilities(conn) & CAP_DFS);
2494 }
2495
2496 bool smb2cli_conn_req_possible(struct smbXcli_conn *conn, uint32_t *max_dyn_len)
2497 {
2498 uint16_t credits = 1;
2499
2500 if (conn->smb2.cur_credits == 0) {
2501 if (max_dyn_len != NULL) {
2502 *max_dyn_len = 0;
2503 }
2504 return false;
2505 }
2506
2507 if (conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
2508 credits = conn->smb2.cur_credits;
2509 }
2510
2511 if (max_dyn_len != NULL) {
2512 *max_dyn_len = credits * 65536;
2513 }
2514
2515 return true;
2516 }
2517
2518 uint32_t smb2cli_conn_server_capabilities(struct smbXcli_conn *conn)
2519 {
2520 return conn->smb2.server.capabilities;
2521 }
2522
2523 uint16_t smb2cli_conn_server_security_mode(struct smbXcli_conn *conn)
2524 {
2525 return conn->smb2.server.security_mode;
2526 }
2527
2528 uint32_t smb2cli_conn_max_trans_size(struct smbXcli_conn *conn)
2529 {
2530 return conn->smb2.server.max_trans_size;
2531 }
2532
2533 uint32_t smb2cli_conn_max_read_size(struct smbXcli_conn *conn)
2534 {
2535 return conn->smb2.server.max_read_size;
2536 }
2537
2538 uint32_t smb2cli_conn_max_write_size(struct smbXcli_conn *conn)
2539 {
2540 return conn->smb2.server.max_write_size;
2541 }
2542
2543 void smb2cli_conn_set_max_credits(struct smbXcli_conn *conn,
2544 uint16_t max_credits)
2545 {
2546 conn->smb2.max_credits = max_credits;
2547 }
2548
2549 static void smb2cli_req_cancel_done(struct tevent_req *subreq);
2550
2551 static bool smb2cli_req_cancel(struct tevent_req *req)
2552 {
2553 struct smbXcli_req_state *state =
2554 tevent_req_data(req,
2555 struct smbXcli_req_state);
2556 uint32_t flags = IVAL(state->smb2.hdr, SMB2_HDR_FLAGS);
2557 uint64_t mid = BVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID);
2558 uint64_t aid = BVAL(state->smb2.hdr, SMB2_HDR_ASYNC_ID);
2559 struct smbXcli_tcon *tcon = state->tcon;
2560 struct smbXcli_session *session = state->session;
2561 uint8_t *fixed = state->smb2.pad;
2562 uint16_t fixed_len = 4;
2563 struct tevent_req *subreq;
2564 struct smbXcli_req_state *substate;
2565 NTSTATUS status;
2566
2567 SSVAL(fixed, 0, 0x04);
2568 SSVAL(fixed, 2, 0);
2569
2570 subreq = smb2cli_req_create(state, state->ev,
2571 state->conn,
2572 SMB2_OP_CANCEL,
2573 flags, 0,
2574 0, /* timeout */
2575 tcon, session,
2576 fixed, fixed_len,
2577 NULL, 0, 0);
2578 if (subreq == NULL) {
2579 return false;
2580 }
2581 substate = tevent_req_data(subreq, struct smbXcli_req_state);
2582
2583 /*
2584 * clear everything but the SMB2_HDR_FLAG_ASYNC flag
2585 * e.g. if SMB2_HDR_FLAG_CHAINED is set we get INVALID_PARAMETER back
2586 */
2587 flags &= SMB2_HDR_FLAG_ASYNC;
2588
2589 if (flags & SMB2_HDR_FLAG_ASYNC) {
2590 mid = 0;
2591 }
2592
2593 SIVAL(substate->smb2.hdr, SMB2_HDR_FLAGS, flags);
2594 SBVAL(substate->smb2.hdr, SMB2_HDR_MESSAGE_ID, mid);
2595 SBVAL(substate->smb2.hdr, SMB2_HDR_ASYNC_ID, aid);
2596
2597 status = smb2cli_req_compound_submit(&subreq, 1);
2598 if (!NT_STATUS_IS_OK(status)) {
2599 TALLOC_FREE(subreq);
2600 return false;
2601 }
2602
2603 tevent_req_set_callback(subreq, smb2cli_req_cancel_done, NULL);
2604
2605 return true;
2606 }
2607
2608 static void smb2cli_req_cancel_done(struct tevent_req *subreq)
2609 {
2610 /* we do not care about the result */
2611 TALLOC_FREE(subreq);
2612 }
2613
2614 struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
2615 struct tevent_context *ev,
2616 struct smbXcli_conn *conn,
2617 uint16_t cmd,
2618 uint32_t additional_flags,
2619 uint32_t clear_flags,
2620 uint32_t timeout_msec,
2621 struct smbXcli_tcon *tcon,
2622 struct smbXcli_session *session,
2623 const uint8_t *fixed,
2624 uint16_t fixed_len,
2625 const uint8_t *dyn,
2626 uint32_t dyn_len,
2627 uint32_t max_dyn_len)
2628 {
2629 struct tevent_req *req;
2630 struct smbXcli_req_state *state;
2631 uint32_t flags = 0;
2632 uint32_t tid = 0;
2633 uint64_t uid = 0;
2634 bool use_channel_sequence = false;
2635 uint16_t channel_sequence = 0;
2636 bool use_replay_flag = false;
2637
2638 req = tevent_req_create(mem_ctx, &state,
2639 struct smbXcli_req_state);
2640 if (req == NULL) {
2641 return NULL;
2642 }
2643
2644 state->ev = ev;
2645 state->conn = conn;
2646 state->session = session;
2647 state->tcon = tcon;
2648
2649 if (conn->smb2.server.capabilities & SMB2_CAP_PERSISTENT_HANDLES) {
2650 use_channel_sequence = true;
2651 } else if (conn->smb2.server.capabilities & SMB2_CAP_MULTI_CHANNEL) {
2652 use_channel_sequence = true;
2653 }
2654
2655 if (smbXcli_conn_protocol(conn) >= PROTOCOL_SMB3_00) {
2656 use_replay_flag = true;
2657 }
2658
2659 if (session) {
2660 uid = session->smb2->session_id;
2661
2662 if (use_channel_sequence) {
2663 channel_sequence = session->smb2->channel_sequence;
2664 }
2665
2666 if (use_replay_flag && session->smb2->replay_active) {
2667 additional_flags |= SMB2_HDR_FLAG_REPLAY_OPERATION;
2668 }
2669
2670 state->smb2.should_sign = session->smb2->should_sign;
2671 state->smb2.should_encrypt = session->smb2->should_encrypt;
2672
2673 if (cmd == SMB2_OP_SESSSETUP &&
2674 session->smb2->signing_key.length != 0) {
2675 state->smb2.should_sign = true;
2676 }
2677
2678 if (cmd == SMB2_OP_SESSSETUP &&
2679 session->smb2_channel.signing_key.length == 0) {
2680 state->smb2.should_encrypt = false;
2681 }
2682
2683 if (additional_flags & SMB2_HDR_FLAG_SIGNED) {
2684 if (session->smb2_channel.signing_key.length == 0) {
2685 tevent_req_nterror(req, NT_STATUS_NO_USER_SESSION_KEY);
2686 return req;
2687 }
2688
2689 additional_flags &= ~SMB2_HDR_FLAG_SIGNED;
2690 state->smb2.should_sign = true;
2691 }
2692 }
2693
2694 if (tcon) {
2695 tid = tcon->smb2.tcon_id;
2696
2697 if (tcon->smb2.should_encrypt) {
2698 state->smb2.should_encrypt = true;
2699 }
2700 }
2701
2702 if (state->smb2.should_encrypt) {
2703 state->smb2.should_sign = false;
2704 }
2705
2706 state->smb2.recv_iov = talloc_zero_array(state, struct iovec, 3);
2707 if (state->smb2.recv_iov == NULL) {
2708 TALLOC_FREE(req);
2709 return NULL;
2710 }
2711
2712 flags |= additional_flags;
2713 flags &= ~clear_flags;
2714
2715 state->smb2.fixed = fixed;
2716 state->smb2.fixed_len = fixed_len;
2717 state->smb2.dyn = dyn;
2718 state->smb2.dyn_len = dyn_len;
2719 state->smb2.max_dyn_len = max_dyn_len;
2720
2721 if (state->smb2.should_encrypt) {
2722 SIVAL(state->smb2.transform, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
2723 SBVAL(state->smb2.transform, SMB2_TF_SESSION_ID, uid);
2724 }
2725
2726 SIVAL(state->smb2.hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
2727 SSVAL(state->smb2.hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
2728 SSVAL(state->smb2.hdr, SMB2_HDR_OPCODE, cmd);
2729 SSVAL(state->smb2.hdr, SMB2_HDR_CHANNEL_SEQUENCE, channel_sequence);
2730 SIVAL(state->smb2.hdr, SMB2_HDR_FLAGS, flags);
2731 SIVAL(state->smb2.hdr, SMB2_HDR_PID, 0); /* reserved */
2732 SIVAL(state->smb2.hdr, SMB2_HDR_TID, tid);
2733 SBVAL(state->smb2.hdr, SMB2_HDR_SESSION_ID, uid);
2734
2735 switch (cmd) {
2736 case SMB2_OP_CANCEL:
2737 state->one_way = true;
2738 break;
2739 case SMB2_OP_BREAK:
2740 /*
2741 * If this is a dummy request, it will have
2742 * UINT64_MAX as message id.
2743 * If we send on break acknowledgement,
2744 * this gets overwritten later.
2745 */
2746 SBVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID, UINT64_MAX);
2747 break;
2748 }
2749
2750 if (timeout_msec > 0) {
2751 struct timeval endtime;
2752
2753 endtime = timeval_current_ofs_msec(timeout_msec);
2754 if (!tevent_req_set_endtime(req, ev, endtime)) {
2755 return req;
2756 }
2757 }
2758
2759 return req;
2760 }
2761
2762 void smb2cli_req_set_notify_async(struct tevent_req *req)
2763 {
2764 struct smbXcli_req_state *state =
2765 tevent_req_data(req,
2766 struct smbXcli_req_state);
2767
2768 state->smb2.notify_async = true;
2769 }
2770
2771 static void smb2cli_req_writev_done(struct tevent_req *subreq);
2772 static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
2773 TALLOC_CTX *tmp_mem,
2774 uint8_t *inbuf);
2775
2776 NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs,
2777 int num_reqs)
2778 {
2779 struct smbXcli_req_state *state;
2780 struct tevent_req *subreq;
2781 struct iovec *iov;
2782 int i, num_iov, nbt_len;
2783 int tf_iov = -1;
2784 const DATA_BLOB *encryption_key = NULL;
2785 uint64_t encryption_session_id = 0;
2786
2787 /*
2788 * 1 for the nbt length, optional TRANSFORM
2789 * per request: HDR, fixed, dyn, padding
2790 * -1 because the last one does not need padding
2791 */
2792
2793 iov = talloc_array(reqs[0], struct iovec, 1 + 1 + 4*num_reqs - 1);
2794 if (iov == NULL) {
2795 return NT_STATUS_NO_MEMORY;
2796 }
2797
2798 num_iov = 1;
2799 nbt_len = 0;
2800
2801 /*
2802 * the session of the first request that requires encryption
2803 * specifies the encryption key.
2804 */
2805 for (i=0; i<num_reqs; i++) {
2806 if (!tevent_req_is_in_progress(reqs[i])) {
2807 return NT_STATUS_INTERNAL_ERROR;
2808 }
2809
2810 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2811
2812 if (!smbXcli_conn_is_connected(state->conn)) {
2813 return NT_STATUS_CONNECTION_DISCONNECTED;
2814 }
2815
2816 if ((state->conn->protocol != PROTOCOL_NONE) &&
2817 (state->conn->protocol < PROTOCOL_SMB2_02)) {
2818 return NT_STATUS_REVISION_MISMATCH;
2819 }
2820
2821 if (state->session == NULL) {
2822 continue;
2823 }
2824
2825 if (!state->smb2.should_encrypt) {
2826 continue;
2827 }
2828
2829 encryption_key = &state->session->smb2->encryption_key;
2830 if (encryption_key->length == 0) {
2831 return NT_STATUS_INVALID_PARAMETER_MIX;
2832 }
2833
2834 encryption_session_id = state->session->smb2->session_id;
2835
2836 tf_iov = num_iov;
2837 iov[num_iov].iov_base = state->smb2.transform;
2838 iov[num_iov].iov_len = sizeof(state->smb2.transform);
2839 num_iov += 1;
2840
2841 SBVAL(state->smb2.transform, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
2842 SBVAL(state->smb2.transform, SMB2_TF_NONCE,
2843 state->session->smb2->nonce_low);
2844 SBVAL(state->smb2.transform, SMB2_TF_NONCE+8,
2845 state->session->smb2->nonce_high);
2846 SBVAL(state->smb2.transform, SMB2_TF_SESSION_ID,
2847 encryption_session_id);
2848
2849 state->session->smb2->nonce_low += 1;
2850 if (state->session->smb2->nonce_low == 0) {
2851 state->session->smb2->nonce_high += 1;
2852 state->session->smb2->nonce_low += 1;
2853 }
2854
2855 nbt_len += SMB2_TF_HDR_SIZE;
2856 break;
2857 }
2858
2859 for (i=0; i<num_reqs; i++) {
2860 int hdr_iov;
2861 size_t reqlen;
2862 bool ret;
2863 uint16_t opcode;
2864 uint64_t avail;
2865 uint16_t charge;
2866 uint16_t credits;
2867 uint64_t mid;
2868 const DATA_BLOB *signing_key = NULL;
2869
2870 if (!tevent_req_is_in_progress(reqs[i])) {
2871 return NT_STATUS_INTERNAL_ERROR;
2872 }
2873
2874 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2875
2876 if (!smbXcli_conn_is_connected(state->conn)) {
2877 return NT_STATUS_CONNECTION_DISCONNECTED;
2878 }
2879
2880 if ((state->conn->protocol != PROTOCOL_NONE) &&
2881 (state->conn->protocol < PROTOCOL_SMB2_02)) {
2882 return NT_STATUS_REVISION_MISMATCH;
2883 }
2884
2885 opcode = SVAL(state->smb2.hdr, SMB2_HDR_OPCODE);
2886 if (opcode == SMB2_OP_CANCEL) {
2887 goto skip_credits;
2888 }
2889
2890 avail = UINT64_MAX - state->conn->smb2.mid;
2891 if (avail < 1) {
2892 return NT_STATUS_CONNECTION_ABORTED;
2893 }
2894
2895 if (state->conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
2896 uint32_t max_dyn_len = 1;
2897
2898 max_dyn_len = MAX(max_dyn_len, state->smb2.dyn_len);
2899 max_dyn_len = MAX(max_dyn_len, state->smb2.max_dyn_len);
2900
2901 charge = (max_dyn_len - 1)/ 65536 + 1;
2902 } else {
2903 charge = 1;
2904 }
2905
2906 charge = MAX(state->smb2.credit_charge, charge);
2907
2908 avail = MIN(avail, state->conn->smb2.cur_credits);
2909 if (avail < charge) {
2910 return NT_STATUS_INTERNAL_ERROR;
2911 }
2912
2913 credits = 0;
2914 if (state->conn->smb2.max_credits > state->conn->smb2.cur_credits) {
2915 credits = state->conn->smb2.max_credits -
2916 state->conn->smb2.cur_credits;
2917 }
2918 if (state->conn->smb2.max_credits >= state->conn->smb2.cur_credits) {
2919 credits += 1;
2920 }
2921
2922 mid = state->conn->smb2.mid;
2923 state->conn->smb2.mid += charge;
2924 state->conn->smb2.cur_credits -= charge;
2925
2926 if (state->conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
2927 SSVAL(state->smb2.hdr, SMB2_HDR_CREDIT_CHARGE, charge);
2928 }
2929 SSVAL(state->smb2.hdr, SMB2_HDR_CREDIT, credits);
2930 SBVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID, mid);
2931
2932 skip_credits:
2933 if (state->session && encryption_key == NULL) {
2934 /*
2935 * We prefer the channel signing key if it is
2936 * already there.
2937 */
2938 if (state->smb2.should_sign) {
2939 signing_key = &state->session->smb2_channel.signing_key;
2940 }
2941
2942 /*
2943 * If it is a channel binding, we already have the main
2944 * signing key and try that one.
2945 */
2946 if (signing_key && signing_key->length == 0) {
2947 signing_key = &state->session->smb2->signing_key;
2948 }
2949
2950 /*
2951 * If we do not have any session key yet, we skip the
2952 * signing of SMB2_OP_SESSSETUP requests.
2953 */
2954 if (signing_key && signing_key->length == 0) {
2955 signing_key = NULL;
2956 }
2957 }
2958
2959 hdr_iov = num_iov;
2960 iov[num_iov].iov_base = state->smb2.hdr;
2961 iov[num_iov].iov_len = sizeof(state->smb2.hdr);
2962 num_iov += 1;
2963
2964 iov[num_iov].iov_base = discard_const(state->smb2.fixed);
2965 iov[num_iov].iov_len = state->smb2.fixed_len;
2966 num_iov += 1;
2967
2968 if (state->smb2.dyn != NULL) {
2969 iov[num_iov].iov_base = discard_const(state->smb2.dyn);
2970 iov[num_iov].iov_len = state->smb2.dyn_len;
2971 num_iov += 1;
2972 }
2973
2974 reqlen = sizeof(state->smb2.hdr);
2975 reqlen += state->smb2.fixed_len;
2976 reqlen += state->smb2.dyn_len;
2977
2978 if (i < num_reqs-1) {
2979 if ((reqlen % 8) > 0) {
2980 uint8_t pad = 8 - (reqlen % 8);
2981 iov[num_iov].iov_base = state->smb2.pad;
2982 iov[num_iov].iov_len = pad;
2983 num_iov += 1;
2984 reqlen += pad;
2985 }
2986 SIVAL(state->smb2.hdr, SMB2_HDR_NEXT_COMMAND, reqlen);
2987 }
2988
2989 state->smb2.encryption_session_id = encryption_session_id;
2990
2991 if (signing_key != NULL) {
2992 NTSTATUS status;
2993
2994 status = smb2_signing_sign_pdu(*signing_key,
2995 state->session->conn->protocol,
2996 &iov[hdr_iov], num_iov - hdr_iov);
2997 if (!NT_STATUS_IS_OK(status)) {
2998 return status;
2999 }
3000 }
3001
3002 nbt_len += reqlen;
3003
3004 ret = smbXcli_req_set_pending(reqs[i]);
3005 if (!ret) {
3006 return NT_STATUS_NO_MEMORY;
3007 }
3008 }
3009
3010 state = tevent_req_data(reqs[0], struct smbXcli_req_state);
3011 _smb_setlen_tcp(state->length_hdr, nbt_len);
3012 iov[0].iov_base = state->length_hdr;
3013 iov[0].iov_len = sizeof(state->length_hdr);
3014
3015 if (encryption_key != NULL) {
3016 NTSTATUS status;
3017 size_t buflen = nbt_len - SMB2_TF_HDR_SIZE;
3018 uint8_t *buf;
3019 int vi;
3020
3021 buf = talloc_array(iov, uint8_t, buflen);
3022 if (buf == NULL) {
3023 return NT_STATUS_NO_MEMORY;
3024 }
3025
3026 /*
3027 * We copy the buffers before encrypting them,
3028 * this is at least currently needed for the
3029 * to keep state->smb2.hdr.
3030 *
3031 * Also the callers may expect there buffers
3032 * to be const.
3033 */
3034 for (vi = tf_iov + 1; vi < num_iov; vi++) {
3035 struct iovec *v = &iov[vi];
3036 const uint8_t *o = (const uint8_t *)v->iov_base;
3037
3038 memcpy(buf, o, v->iov_len);
3039 v->iov_base = (void *)buf;
3040 buf += v->iov_len;
3041 }
3042
3043 status = smb2_signing_encrypt_pdu(*encryption_key,
3044 state->conn->protocol,
3045 &iov[tf_iov], num_iov - tf_iov);
3046 if (!NT_STATUS_IS_OK(status)) {
3047 return status;
3048 }
3049 }
3050
3051 if (state->conn->dispatch_incoming == NULL) {
3052 state->conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
3053 }
3054
3055 subreq = writev_send(state, state->ev, state->conn->outgoing,
3056 state->conn->write_fd, false, iov, num_iov);
3057 if (subreq == NULL) {
3058 return NT_STATUS_NO_MEMORY;
3059 }
3060 tevent_req_set_callback(subreq, smb2cli_req_writev_done, reqs[0]);
3061 return NT_STATUS_OK;
3062 }
3063
3064 void smb2cli_req_set_credit_charge(struct tevent_req *req, uint16_t charge)
3065 {
3066 struct smbXcli_req_state *state =
3067 tevent_req_data(req,
3068 struct smbXcli_req_state);
3069
3070 state->smb2.credit_charge = charge;
3071 }
3072
3073 struct tevent_req *smb2cli_req_send(TALLOC_CTX *mem_ctx,
3074 struct tevent_context *ev,
3075 struct smbXcli_conn *conn,
3076 uint16_t cmd,
3077 uint32_t additional_flags,
3078 uint32_t clear_flags,
3079 uint32_t timeout_msec,
3080 struct smbXcli_tcon *tcon,
3081 struct smbXcli_session *session,
3082 const uint8_t *fixed,
3083 uint16_t fixed_len,
3084 const uint8_t *dyn,
3085 uint32_t dyn_len,
3086 uint32_t max_dyn_len)
3087 {
3088 struct tevent_req *req;
3089 NTSTATUS status;
3090
3091 req = smb2cli_req_create(mem_ctx, ev, conn, cmd,
3092 additional_flags, clear_flags,
3093 timeout_msec,
3094 tcon, session,
3095 fixed, fixed_len,
3096 dyn, dyn_len,
3097 max_dyn_len);
3098 if (req == NULL) {
3099 return NULL;
3100 }
3101 if (!tevent_req_is_in_progress(req)) {
3102 return tevent_req_post(req, ev);
3103 }
3104 status = smb2cli_req_compound_submit(&req, 1);
3105 if (tevent_req_nterror(req, status)) {
3106 return tevent_req_post(req, ev);
3107 }
3108 return req;
3109 }
3110
3111 static void smb2cli_req_writev_done(struct tevent_req *subreq)
3112 {
3113 struct tevent_req *req =
3114 tevent_req_callback_data(subreq,
3115 struct tevent_req);
3116 struct smbXcli_req_state *state =
3117 tevent_req_data(req,
3118 struct smbXcli_req_state);
3119 ssize_t nwritten;
3120 int err;
3121
3122 nwritten = writev_recv(subreq, &err);
3123 TALLOC_FREE(subreq);
3124 if (nwritten == -1) {
3125 /* here, we need to notify all pending requests */
3126 NTSTATUS status = map_nt_error_from_unix_common(err);
3127 smbXcli_conn_disconnect(state->conn, status);
3128 return;
3129 }
3130 }
3131
3132 static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
3133 uint8_t *buf,
3134 size_t buflen,
3135 TALLOC_CTX *mem_ctx,
3136 struct iovec **piov, int *pnum_iov)
3137 {
3138 struct iovec *iov;
3139 int num_iov = 0;
3140 size_t taken = 0;
3141 uint8_t *first_hdr = buf;
3142 size_t verified_buflen = 0;
3143 uint8_t *tf = NULL;
3144 size_t tf_len = 0;
3145
3146 iov = talloc_array(mem_ctx, struct iovec, num_iov);
3147 if (iov == NULL) {
3148 return NT_STATUS_NO_MEMORY;
3149 }
3150
3151 while (taken < buflen) {
3152 size_t len = buflen - taken;
3153 uint8_t *hdr = first_hdr + taken;
3154 struct iovec *cur;
3155 size_t full_size;
3156 size_t next_command_ofs;
3157 uint16_t body_size;
3158 struct iovec *iov_tmp;
3159
3160 if (verified_buflen > taken) {
3161 len = verified_buflen - taken;
3162 } else {
3163 tf = NULL;
3164 tf_len = 0;
3165 }
3166
3167 if (len < 4) {
3168 DEBUG(10, ("%d bytes left, expected at least %d\n",
3169 (int)len, 4));
3170 goto inval;
3171 }
3172 if (IVAL(hdr, 0) == SMB2_TF_MAGIC) {
3173 struct smbXcli_session *s;
3174 uint64_t uid;
3175 struct iovec tf_iov[2];
3176 size_t enc_len;
3177 NTSTATUS status;
3178
3179 if (len < SMB2_TF_HDR_SIZE) {
3180 DEBUG(10, ("%d bytes left, expected at least %d\n",
3181 (int)len, SMB2_TF_HDR_SIZE));
3182 goto inval;
3183 }
3184 tf = hdr;
3185 tf_len = SMB2_TF_HDR_SIZE;
3186 taken += tf_len;
3187
3188 hdr = first_hdr + taken;
3189 enc_len = IVAL(tf, SMB2_TF_MSG_SIZE);
3190 uid = BVAL(tf, SMB2_TF_SESSION_ID);
3191
3192 if (len < SMB2_TF_HDR_SIZE + enc_len) {
3193 DEBUG(10, ("%d bytes left, expected at least %d\n",
3194 (int)len,
3195 (int)(SMB2_TF_HDR_SIZE + enc_len)));
3196 goto inval;
3197 }
3198
3199 s = conn->sessions;
3200 for (; s; s = s->next) {
3201 if (s->smb2->session_id != uid) {
3202 continue;
3203 }
3204 break;
3205 }
3206
3207 if (s == NULL) {
3208 DEBUG(10, ("unknown session_id %llu\n",
3209 (unsigned long long)uid));
3210 goto inval;
3211 }
3212
3213 tf_iov[0].iov_base = (void *)tf;
3214 tf_iov[0].iov_len = tf_len;
3215 tf_iov[1].iov_base = (void *)hdr;
3216 tf_iov[1].iov_len = enc_len;
3217
3218 status = smb2_signing_decrypt_pdu(s->smb2->decryption_key,
3219 conn->protocol,
3220 tf_iov, 2);
3221 if (!NT_STATUS_IS_OK(status)) {
3222 TALLOC_FREE(iov);
3223 return status;
3224 }
3225
3226 verified_buflen = taken + enc_len;
3227 len = enc_len;
3228 }
3229
3230 /*
3231 * We need the header plus the body length field
3232 */
3233
3234 if (len < SMB2_HDR_BODY + 2) {
3235 DEBUG(10, ("%d bytes left, expected at least %d\n",
3236 (int)len, SMB2_HDR_BODY));
3237 goto inval;
3238 }
3239 if (IVAL(hdr, 0) != SMB2_MAGIC) {
3240 DEBUG(10, ("Got non-SMB2 PDU: %x\n",
3241 IVAL(hdr, 0)));
3242 goto inval;
3243 }
3244 if (SVAL(hdr, 4) != SMB2_HDR_BODY) {
3245 DEBUG(10, ("Got HDR len %d, expected %d\n",
3246 SVAL(hdr, 4), SMB2_HDR_BODY));
3247 goto inval;
3248 }
3249
3250 full_size = len;
3251 next_command_ofs = IVAL(hdr, SMB2_HDR_NEXT_COMMAND);
3252 body_size = SVAL(hdr, SMB2_HDR_BODY);
3253
3254 if (next_command_ofs != 0) {
3255 if (next_command_ofs < (SMB2_HDR_BODY + 2)) {
3256 goto inval;
3257 }
3258 if (next_command_ofs > full_size) {
3259 goto inval;
3260 }
3261 full_size = next_command_ofs;
3262 }
3263 if (body_size < 2) {
3264 goto inval;
3265 }
3266 body_size &= 0xfffe;
3267
3268 if (body_size > (full_size - SMB2_HDR_BODY)) {
3269 goto inval;
3270 }
3271
3272 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
3273 num_iov + 4);
3274 if (iov_tmp == NULL) {
3275 TALLOC_FREE(iov);
3276 return NT_STATUS_NO_MEMORY;
3277 }
3278 iov = iov_tmp;
3279 cur = &iov[num_iov];
3280 num_iov += 4;
3281
3282 cur[0].iov_base = tf;
3283 cur[0].iov_len = tf_len;
3284 cur[1].iov_base = hdr;
3285 cur[1].iov_len = SMB2_HDR_BODY;
3286 cur[2].iov_base = hdr + SMB2_HDR_BODY;
3287 cur[2].iov_len = body_size;
3288 cur[3].iov_base = hdr + SMB2_HDR_BODY + body_size;
3289 cur[3].iov_len = full_size - (SMB2_HDR_BODY + body_size);
3290
3291 taken += full_size;
3292 }
3293
3294 *piov = iov;
3295 *pnum_iov = num_iov;
3296 return NT_STATUS_OK;
3297
3298 inval:
3299 TALLOC_FREE(iov);
3300 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3301 }
3302
3303 static struct tevent_req *smb2cli_conn_find_pending(struct smbXcli_conn *conn,
3304 uint64_t mid)
3305 {
3306 size_t num_pending = talloc_array_length(conn->pending);
3307 size_t i;
3308
3309 for (i=0; i<num_pending; i++) {
3310 struct tevent_req *req = conn->pending[i];
3311 struct smbXcli_req_state *state =
3312 tevent_req_data(req,
3313 struct smbXcli_req_state);
3314
3315 if (mid == BVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID)) {
3316 return req;
3317 }
3318 }
3319 return NULL;
3320 }
3321
3322 static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
3323 TALLOC_CTX *tmp_mem,
3324 uint8_t *inbuf)
3325 {
3326 struct tevent_req *req;
3327 struct smbXcli_req_state *state = NULL;
3328 struct iovec *iov;
3329 int i, num_iov;
3330 NTSTATUS status;
3331 bool defer = true;
3332 struct smbXcli_session *last_session = NULL;
3333 size_t inbuf_len = smb_len_tcp(inbuf);
3334
3335 status = smb2cli_inbuf_parse_compound(conn,
3336 inbuf + NBT_HDR_SIZE,
3337 inbuf_len,
3338 tmp_mem,
3339 &iov, &num_iov);
3340 if (!NT_STATUS_IS_OK(status)) {
3341 return status;
3342 }
3343
3344 for (i=0; i<num_iov; i+=4) {
3345 uint8_t *inbuf_ref = NULL;
3346 struct iovec *cur = &iov[i];
3347 uint8_t *inhdr = (uint8_t *)cur[1].iov_base;
3348 uint16_t opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
3349 uint32_t flags = IVAL(inhdr, SMB2_HDR_FLAGS);
3350 uint64_t mid = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
3351 uint16_t req_opcode;
3352 uint32_t req_flags;
3353 uint16_t credits = SVAL(inhdr, SMB2_HDR_CREDIT);
3354 uint32_t new_credits;
3355 struct smbXcli_session *session = NULL;
3356 const DATA_BLOB *signing_key = NULL;
3357 bool was_encrypted = false;
3358
3359 new_credits = conn->smb2.cur_credits;
3360 new_credits += credits;
3361 if (new_credits > UINT16_MAX) {
3362 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3363 }
3364 conn->smb2.cur_credits += credits;
3365
3366 req = smb2cli_conn_find_pending(conn, mid);
3367 if (req == NULL) {
3368 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3369 }
3370 state = tevent_req_data(req, struct smbXcli_req_state);
3371
3372 req_opcode = SVAL(state->smb2.hdr, SMB2_HDR_OPCODE);
3373 if (opcode != req_opcode) {
3374 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3375 }
3376 req_flags = SVAL(state->smb2.hdr, SMB2_HDR_FLAGS);
3377
3378 if (!(flags & SMB2_HDR_FLAG_REDIRECT)) {
3379 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3380 }
3381
3382 status = NT_STATUS(IVAL(inhdr, SMB2_HDR_STATUS));
3383 if ((flags & SMB2_HDR_FLAG_ASYNC) &&
3384 NT_STATUS_EQUAL(status, STATUS_PENDING)) {
3385 uint64_t async_id = BVAL(inhdr, SMB2_HDR_ASYNC_ID);
3386
3387 if (state->smb2.got_async) {
3388 /* We only expect one STATUS_PENDING response */
3389 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3390 }
3391 state->smb2.got_async = true;
3392
3393 /*
3394 * async interim responses are not signed,
3395 * even if the SMB2_HDR_FLAG_SIGNED flag
3396 * is set.
3397 */
3398 req_flags |= SMB2_HDR_FLAG_ASYNC;
3399 SBVAL(state->smb2.hdr, SMB2_HDR_FLAGS, req_flags);
3400 SBVAL(state->smb2.hdr, SMB2_HDR_ASYNC_ID, async_id);
3401
3402 if (state->smb2.notify_async) {
3403 tevent_req_defer_callback(req, state->ev);
3404 tevent_req_notify_callback(req);
3405 }
3406 continue;
3407 }
3408
3409 session = state->session;
3410 if (req_flags & SMB2_HDR_FLAG_CHAINED) {
3411 session = last_session;
3412 }
3413 last_session = session;
3414
3415 if (state->smb2.should_sign) {
3416 if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
3417 return NT_STATUS_ACCESS_DENIED;
3418 }
3419 }
3420
3421 if (flags & SMB2_HDR_FLAG_SIGNED) {
3422 uint64_t uid = BVAL(inhdr, SMB2_HDR_SESSION_ID);
3423
3424 if (session == NULL) {
3425 struct smbXcli_session *s;
3426
3427 s = state->conn->sessions;
3428 for (; s; s = s->next) {
3429 if (s->smb2->session_id != uid) {
3430 continue;
3431 }
3432
3433 session = s;
3434 break;
3435 }
3436 }
3437
3438 if (session == NULL) {
3439 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3440 }
3441
3442 last_session = session;
3443 signing_key = &session->smb2_channel.signing_key;
3444 }
3445
3446 if (opcode == SMB2_OP_SESSSETUP) {
3447 /*
3448 * We prefer the channel signing key, if it is
3449 * already there.
3450 *
3451 * If we do not have a channel signing key yet,
3452 * we try the main signing key, if it is not
3453 * the final response.
3454 */
3455 if (signing_key && signing_key->length == 0 &&
3456 !NT_STATUS_IS_OK(status)) {
3457 signing_key = &session->smb2->signing_key;
3458 }
3459
3460 if (signing_key && signing_key->length == 0) {
3461 /*
3462 * If we do not have a session key to
3463 * verify the signature, we defer the
3464 * signing check to the caller.
3465 *
3466 * The caller gets NT_STATUS_OK, it
3467 * has to call
3468 * smb2cli_session_set_session_key()
3469 * or
3470 * smb2cli_session_set_channel_key()
3471 * which will check the signature
3472 * with the channel signing key.
3473 */
3474 signing_key = NULL;
3475 }
3476 }
3477
3478 if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
3479 const uint8_t *tf = (const uint8_t *)cur[0].iov_base;
3480 uint64_t uid = BVAL(tf, SMB2_TF_SESSION_ID);
3481
3482 /*
3483 * If the response was encrypted in a SMB2_TRANSFORM
3484 * pdu, which belongs to the correct session,
3485 * we do not need to do signing checks
3486 *
3487 * It could be the session the response belongs to
3488 * or the session that was used to encrypt the
3489 * SMB2_TRANSFORM request.
3490 */
3491 if ((session && session->smb2->session_id == uid) ||
3492 (state->smb2.encryption_session_id == uid)) {
3493 signing_key = NULL;
3494 was_encrypted = true;
3495 }
3496 }
3497
3498 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
3499 /*
3500 * if the server returns NT_STATUS_USER_SESSION_DELETED
3501 * the response is not signed and we should
3502 * propagate the NT_STATUS_USER_SESSION_DELETED
3503 * status to the caller.
3504 */
3505 state->smb2.signing_skipped = true;
3506 signing_key = NULL;
3507 }
3508
3509 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
3510 /*
3511 * if the server returns
3512 * NT_STATUS_INVALID_PARAMETER
3513 * the response might not be encrypted.
3514 */
3515 if (state->smb2.should_encrypt && !was_encrypted) {
3516 state->smb2.signing_skipped = true;
3517 signing_key = NULL;
3518 }
3519 }
3520
3521 if (state->smb2.should_encrypt && !was_encrypted) {
3522 if (!state->smb2.signing_skipped) {
3523 return NT_STATUS_ACCESS_DENIED;
3524 }
3525 }
3526
3527 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED) ||
3528 NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED) ||
3529 NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
3530 /*
3531 * if the server returns
3532 * NT_STATUS_NETWORK_NAME_DELETED
3533 * NT_STATUS_FILE_CLOSED
3534 * NT_STATUS_INVALID_PARAMETER
3535 * the response might not be signed
3536 * as this happens before the signing checks.
3537 *
3538 * If server echos the signature (or all zeros)
3539 * we should report the status from the server
3540 * to the caller.
3541 */
3542 if (signing_key) {
3543 int cmp;
3544
3545 cmp = memcmp(inhdr+SMB2_HDR_SIGNATURE,
3546 state->smb2.hdr+SMB2_HDR_SIGNATURE,
3547 16);
3548 if (cmp == 0) {
3549 state->smb2.signing_skipped = true;
3550 signing_key = NULL;
3551 }
3552 }
3553 if (signing_key) {
3554 int cmp;
3555 static const uint8_t zeros[16];
3556
3557 cmp = memcmp(inhdr+SMB2_HDR_SIGNATURE,
3558 zeros,
3559 16);
3560 if (cmp == 0) {
3561 state->smb2.signing_skipped = true;
3562 signing_key = NULL;
3563 }
3564 }
3565 }
3566
3567 if (signing_key) {
3568 status = smb2_signing_check_pdu(*signing_key,
3569 state->conn->protocol,
3570 &cur[1], 3);
3571 if (!NT_STATUS_IS_OK(status)) {
3572 /*
3573 * If the signing check fails, we disconnect
3574 * the connection.
3575 */
3576 return status;
3577 }
3578 }
3579
3580 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
3581 (session != NULL) && session->disconnect_expired)
3582 {
3583 /*
3584 * this should be a short term hack
3585 * until the upper layers have implemented
3586 * re-authentication.
3587 */
3588 return status;
3589 }
3590
3591 smbXcli_req_unset_pending(req);
3592
3593 /*
3594 * There might be more than one response
3595 * we need to defer the notifications
3596 */
3597 if ((num_iov == 5) && (talloc_array_length(conn->pending) == 0)) {
3598 defer = false;
3599 }
3600
3601 if (defer) {
3602 tevent_req_defer_callback(req, state->ev);
3603 }
3604
3605 /*
3606 * Note: here we use talloc_reference() in a way
3607 * that does not expose it to the caller.
3608 */
3609 inbuf_ref = talloc_reference(state->smb2.recv_iov, inbuf);
3610 if (tevent_req_nomem(inbuf_ref, req)) {
3611 continue;
3612 }
3613
3614 /* copy the related buffers */
3615 state->smb2.recv_iov[0] = cur[1];
3616 state->smb2.recv_iov[1] = cur[2];
3617 state->smb2.recv_iov[2] = cur[3];
3618
3619 tevent_req_done(req);
3620 }
3621
3622 if (defer) {
3623 return NT_STATUS_RETRY;
3624 }
3625
3626 return NT_STATUS_OK;
3627 }
3628
3629 NTSTATUS smb2cli_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
3630 struct iovec **piov,
3631 const struct smb2cli_req_expected_response *expected,
3632 size_t num_expected)
3633 {
3634 struct smbXcli_req_state *state =
3635 tevent_req_data(req,
3636 struct smbXcli_req_state);
3637 NTSTATUS status;
3638 size_t body_size;
3639 bool found_status = false;
3640 bool found_size = false;
3641 size_t i;
3642
3643 if (piov != NULL) {
3644 *piov = NULL;
3645 }
3646
3647 if (tevent_req_is_in_progress(req) && state->smb2.got_async) {
3648 return STATUS_PENDING;
3649 }
3650
3651 if (tevent_req_is_nterror(req, &status)) {
3652 for (i=0; i < num_expected; i++) {
3653 if (NT_STATUS_EQUAL(status, expected[i].status)) {
3654 found_status = true;
3655 break;
3656 }
3657 }
3658
3659 if (found_status) {
3660 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
3661 }
3662
3663 return status;
3664 }
3665
3666 if (num_expected == 0) {
3667 found_status = true;
3668 found_size = true;
3669 }
3670
3671 status = NT_STATUS(IVAL(state->smb2.recv_iov[0].iov_base, SMB2_HDR_STATUS));
3672 body_size = SVAL(state->smb2.recv_iov[1].iov_base, 0);
3673
3674 for (i=0; i < num_expected; i++) {
3675 if (!NT_STATUS_EQUAL(status, expected[i].status)) {
3676 continue;
3677 }
3678
3679 found_status = true;
3680 if (expected[i].body_size == 0) {
3681 found_size = true;
3682 break;
3683 }
3684
3685 if (expected[i].body_size == body_size) {
3686 found_size = true;
3687 break;
3688 }
3689 }
3690
3691 if (!found_status) {
3692 return status;
3693 }
3694
3695 if (state->smb2.signing_skipped) {
3696 if (num_expected > 0) {
3697 return NT_STATUS_ACCESS_DENIED;
3698 }
3699 if (!NT_STATUS_IS_ERR(status)) {
3700 return NT_STATUS_ACCESS_DENIED;
3701 }
3702 }
3703
3704 if (!found_size) {
3705 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3706 }
3707
3708 if (piov != NULL) {
3709 *piov = talloc_move(mem_ctx, &state->smb2.recv_iov);
3710 }
3711
3712 return status;
3713 }
3714
3715 static const struct {
3716 enum protocol_types proto;
3717 const char *smb1_name;
3718 } smb1cli_prots[] = {
3719 {PROTOCOL_CORE, "PC NETWORK PROGRAM 1.0"},
3720 {PROTOCOL_COREPLUS, "MICROSOFT NETWORKS 1.03"},
3721 {PROTOCOL_LANMAN1, "MICROSOFT NETWORKS 3.0"},
3722 {PROTOCOL_LANMAN1, "LANMAN1.0"},
3723 {PROTOCOL_LANMAN2, "LM1.2X002"},
3724 {PROTOCOL_LANMAN2, "DOS LANMAN2.1"},
3725 {PROTOCOL_LANMAN2, "LANMAN2.1"},
3726 {PROTOCOL_LANMAN2, "Samba"},
3727 {PROTOCOL_NT1, "NT LANMAN 1.0"},
3728 {PROTOCOL_NT1, "NT LM 0.12"},
3729 {PROTOCOL_SMB2_02, "SMB 2.002"},
3730 {PROTOCOL_SMB2_10, "SMB 2.???"},
3731 };
3732
3733 static const struct {
3734 enum protocol_types proto;
3735 uint16_t smb2_dialect;
3736 } smb2cli_prots[] = {
3737 {PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202},
3738 {PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210},
3739 {PROTOCOL_SMB2_22, SMB2_DIALECT_REVISION_222},
3740 {PROTOCOL_SMB2_24, SMB2_DIALECT_REVISION_224},
3741 {PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300},
3742 {PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302},
3743 };
3744
3745 struct smbXcli_negprot_state {
3746 struct smbXcli_conn *conn;
3747 struct tevent_context *ev;
3748 uint32_t timeout_msec;
3749 enum protocol_types min_protocol;
3750 enum protocol_types max_protocol;
3751
3752 struct {
3753 uint8_t fixed[36];
3754 uint8_t dyn[ARRAY_SIZE(smb2cli_prots)*2];
3755 } smb2;
3756 };
3757
3758 static void smbXcli_negprot_invalid_done(struct tevent_req *subreq);
3759 static struct tevent_req *smbXcli_negprot_smb1_subreq(struct smbXcli_negprot_state *state);
3760 static void smbXcli_negprot_smb1_done(struct tevent_req *subreq);
3761 static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_state *state);
3762 static void smbXcli_negprot_smb2_done(struct tevent_req *subreq);
3763 static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
3764 TALLOC_CTX *frame,
3765 uint8_t *inbuf);
3766
3767 struct tevent_req *smbXcli_negprot_send(TALLOC_CTX *mem_ctx,
3768 struct tevent_context *ev,
3769 struct smbXcli_conn *conn,
3770 uint32_t timeout_msec,
3771 enum protocol_types min_protocol,
3772 enum protocol_types max_protocol)
3773 {
3774 struct tevent_req *req, *subreq;
3775 struct smbXcli_negprot_state *state;
3776
3777 req = tevent_req_create(mem_ctx, &state,
3778 struct smbXcli_negprot_state);
3779 if (req == NULL) {
3780 return NULL;
3781 }
3782 state->conn = conn;
3783 state->ev = ev;
3784 state->timeout_msec = timeout_msec;
3785 state->min_protocol = min_protocol;
3786 state->max_protocol = max_protocol;
3787
3788 if (min_protocol == PROTOCOL_NONE) {
3789 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3790 return tevent_req_post(req, ev);
3791 }
3792
3793 if (max_protocol == PROTOCOL_NONE) {
3794 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3795 return tevent_req_post(req, ev);
3796 }
3797
3798 if (min_protocol > max_protocol) {
3799 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3800 return tevent_req_post(req, ev);
3801 }
3802
3803 if ((min_protocol < PROTOCOL_SMB2_02) &&
3804 (max_protocol < PROTOCOL_SMB2_02)) {
3805 /*
3806 * SMB1 only...
3807 */
3808 conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
3809
3810 subreq = smbXcli_negprot_smb1_subreq(state);
3811 if (tevent_req_nomem(subreq, req)) {
3812 return tevent_req_post(req, ev);
3813 }
3814 tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
3815 return req;
3816 }
3817
3818 if ((min_protocol >= PROTOCOL_SMB2_02) &&
3819 (max_protocol >= PROTOCOL_SMB2_02)) {
3820 /*
3821 * SMB2 only...
3822 */
3823 conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
3824
3825 subreq = smbXcli_negprot_smb2_subreq(state);
3826 if (tevent_req_nomem(subreq, req)) {
3827 return tevent_req_post(req, ev);
3828 }
3829 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
3830 return req;
3831 }
3832
3833 /*
3834 * We send an SMB1 negprot with the SMB2 dialects
3835 * and expect a SMB1 or a SMB2 response.
3836 *
3837 * smbXcli_negprot_dispatch_incoming() will fix the
3838 * callback to match protocol of the response.
3839 */
3840 conn->dispatch_incoming = smbXcli_negprot_dispatch_incoming;
3841
3842 subreq = smbXcli_negprot_smb1_subreq(state);
3843 if (tevent_req_nomem(subreq, req)) {
3844 return tevent_req_post(req, ev);
3845 }
3846 tevent_req_set_callback(subreq, smbXcli_negprot_invalid_done, req);
3847 return req;
3848 }
3849
3850 static void smbXcli_negprot_invalid_done(struct tevent_req *subreq)
3851 {
3852 struct tevent_req *req =
3853 tevent_req_callback_data(subreq,
3854 struct tevent_req);
3855 NTSTATUS status;
3856
3857 /*
3858 * we just want the low level error
3859 */
3860 status = tevent_req_simple_recv_ntstatus(subreq);
3861 TALLOC_FREE(subreq);
3862 if (tevent_req_nterror(req, status)) {
3863 return;
3864 }
3865
3866 /* this should never happen */
3867 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
3868 }
3869
3870 static struct tevent_req *smbXcli_negprot_smb1_subreq(struct smbXcli_negprot_state *state)
3871 {
3872 size_t i;
3873 DATA_BLOB bytes = data_blob_null;
3874 uint8_t flags;
3875 uint16_t flags2;
3876
3877 /* setup the protocol strings */
3878 for (i=0; i < ARRAY_SIZE(smb1cli_prots); i++) {
3879 uint8_t c = 2;
3880 bool ok;
3881
3882 if (smb1cli_prots[i].proto < state->min_protocol) {
3883 continue;
3884 }
3885
3886 if (smb1cli_prots[i].proto > state->max_protocol) {
3887 continue;
3888 }
3889
3890 ok = data_blob_append(state, &bytes, &c, sizeof(c));
3891 if (!ok) {
3892 return NULL;
3893 }
3894
3895 /*
3896 * We now it is already ascii and
3897 * we want NULL termination.
3898 */
3899 ok = data_blob_append(state, &bytes,
3900 smb1cli_prots[i].smb1_name,
3901 strlen(smb1cli_prots[i].smb1_name)+1);
3902 if (!ok) {
3903 return NULL;
3904 }
3905 }
3906
3907 smb1cli_req_flags(state->max_protocol,
3908 state->conn->smb1.client.capabilities,
3909 SMBnegprot,
3910 0, 0, &flags,
3911 0, 0, &flags2);
3912
3913 return smb1cli_req_send(state, state->ev, state->conn,
3914 SMBnegprot,
3915 flags, ~flags,
3916 flags2, ~flags2,
3917 state->timeout_msec,
3918 0xFFFE, 0, NULL, /* pid, tid, session */
3919 0, NULL, /* wct, vwv */
3920 bytes.length, bytes.data);
3921 }
3922
3923 static void smbXcli_negprot_smb1_done(struct tevent_req *subreq)
3924 {
3925 struct tevent_req *req =
3926 tevent_req_callback_data(subreq,
3927 struct tevent_req);
3928 struct smbXcli_negprot_state *state =
3929 tevent_req_data(req,
3930 struct smbXcli_negprot_state);
3931 struct smbXcli_conn *conn = state->conn;
3932 struct iovec *recv_iov = NULL;
3933 uint8_t *inhdr;
3934 uint8_t wct;
3935 uint16_t *vwv;
3936 uint32_t num_bytes;
3937 uint8_t *bytes;
3938 NTSTATUS status;
3939 uint16_t protnum;
3940 size_t i;
3941 size_t num_prots = 0;
3942 uint8_t flags;
3943 uint32_t client_capabilities = conn->smb1.client.capabilities;
3944 uint32_t both_capabilities;
3945 uint32_t server_capabilities = 0;
3946 uint32_t capabilities;
3947 uint32_t client_max_xmit = conn->smb1.client.max_xmit;
3948 uint32_t server_max_xmit = 0;
3949 uint32_t max_xmit;
3950 uint32_t server_max_mux = 0;
3951 uint16_t server_security_mode = 0;
3952 uint32_t server_session_key = 0;
3953 bool server_readbraw = false;
3954 bool server_writebraw = false;
3955 bool server_lockread = false;
3956 bool server_writeunlock = false;
3957 struct GUID server_guid = GUID_zero();
3958 DATA_BLOB server_gss_blob = data_blob_null;
3959 uint8_t server_challenge[8];
3960 char *server_workgroup = NULL;
3961 char *server_name = NULL;
3962 int server_time_zone = 0;
3963 NTTIME server_system_time = 0;
3964 static const struct smb1cli_req_expected_response expected[] = {
3965 {
3966 .status = NT_STATUS_OK,
3967 .wct = 0x11, /* NT1 */
3968 },
3969 {
3970 .status = NT_STATUS_OK,
3971 .wct = 0x0D, /* LM */
3972 },
3973 {
3974 .status = NT_STATUS_OK,
3975 .wct = 0x01, /* CORE */
3976 }
3977 };
3978
3979 ZERO_STRUCT(server_challenge);
3980
3981 status = smb1cli_req_recv(subreq, state,
3982 &recv_iov,
3983 &inhdr,
3984 &wct,
3985 &vwv,
3986 NULL, /* pvwv_offset */
3987 &num_bytes,
3988 &bytes,
3989 NULL, /* pbytes_offset */
3990 NULL, /* pinbuf */
3991 expected, ARRAY_SIZE(expected));
3992 TALLOC_FREE(subreq);
3993 if (tevent_req_nterror(req, status)) {
3994 return;
3995 }
3996
3997 flags = CVAL(inhdr, HDR_FLG);
3998
3999 protnum = SVAL(vwv, 0);
4000
4001 for (i=0; i < ARRAY_SIZE(smb1cli_prots); i++) {
4002 if (smb1cli_prots[i].proto < state->min_protocol) {
4003 continue;
4004 }
4005
4006 if (smb1cli_prots[i].proto > state->max_protocol) {
4007 continue;
4008 }
4009
4010 if (protnum != num_prots) {
4011 num_prots++;
4012 continue;
4013 }
4014
4015 conn->protocol = smb1cli_prots[i].proto;
4016 break;
4017 }
4018
4019 if (conn->protocol == PROTOCOL_NONE) {
4020 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4021 return;
4022 }
4023
4024 if ((conn->protocol < PROTOCOL_NT1) && conn->mandatory_signing) {
4025 DEBUG(0,("smbXcli_negprot: SMB signing is mandatory "
4026 "and the selected protocol level doesn't support it.\n"));
4027 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
4028 return;
4029 }
4030
4031 if (flags & FLAG_SUPPORT_LOCKREAD) {
4032 server_lockread = true;
4033 server_writeunlock = true;
4034 }
4035
4036 if (conn->protocol >= PROTOCOL_NT1) {
4037 const char *client_signing = NULL;
4038 bool server_mandatory = false;
4039 bool server_allowed = false;
4040 const char *server_signing = NULL;
4041 bool ok;
4042 uint8_t key_len;
4043
4044 if (wct != 0x11) {
4045 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4046 return;
4047 }
4048
4049 /* NT protocol */
4050 server_security_mode = CVAL(vwv + 1, 0);
4051 server_max_mux = SVAL(vwv + 1, 1);
4052 server_max_xmit = IVAL(vwv + 3, 1);
4053 server_session_key = IVAL(vwv + 7, 1);
4054 server_time_zone = SVALS(vwv + 15, 1);
4055 server_time_zone *= 60;
4056 /* this time arrives in real GMT */
4057 server_system_time = BVAL(vwv + 11, 1);
4058 server_capabilities = IVAL(vwv + 9, 1);
4059
4060 key_len = CVAL(vwv + 16, 1);
4061
4062 if (server_capabilities & CAP_RAW_MODE) {
4063 server_readbraw = true;
4064 server_writebraw = true;
4065 }
4066 if (server_capabilities & CAP_LOCK_AND_READ) {
4067 server_lockread = true;
4068 }
4069
4070 if (server_capabilities & CAP_EXTENDED_SECURITY) {
4071 DATA_BLOB blob1, blob2;
4072
4073 if (num_bytes < 16) {
4074 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4075 return;
4076 }
4077
4078 blob1 = data_blob_const(bytes, 16);
4079 status = GUID_from_data_blob(&blob1, &server_guid);
4080 if (tevent_req_nterror(req, status)) {
4081 return;
4082 }
4083
4084 blob1 = data_blob_const(bytes+16, num_bytes-16);
4085 blob2 = data_blob_dup_talloc(state, blob1);
4086 if (blob1.length > 0 &&
4087 tevent_req_nomem(blob2.data, req)) {
4088 return;
4089 }
4090 server_gss_blob = blob2;
4091 } else {
4092 DATA_BLOB blob1, blob2;
4093
4094 if (num_bytes < key_len) {
4095 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4096 return;
4097 }
4098
4099 if (key_len != 0 && key_len != 8) {
4100 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4101 return;
4102 }
4103
4104 if (key_len == 8) {
4105 memcpy(server_challenge, bytes, 8);
4106 }
4107
4108 blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
4109 blob2 = data_blob_const(bytes+key_len, num_bytes-key_len);
4110 if (blob1.length > 0) {
4111 size_t len;
4112
4113 len = utf16_len_n(blob1.data,
4114 blob1.length);
4115 blob1.length = len;
4116
4117 ok = convert_string_talloc(state,
4118 CH_UTF16LE,
4119 CH_UNIX,
4120 blob1.data,
4121 blob1.length,
4122 &server_workgroup,
4123 &len);
4124 if (!ok) {
4125 status = map_nt_error_from_unix_common(errno);
4126 tevent_req_nterror(req, status);
4127 return;
4128 }
4129 }
4130
4131 blob2.data += blob1.length;
4132 blob2.length -= blob1.length;
4133 if (blob2.length > 0) {
4134 size_t len;
4135
4136 len = utf16_len_n(blob1.data,
4137 blob1.length);
4138 blob1.length = len;
4139
4140 ok = convert_string_talloc(state,
4141 CH_UTF16LE,
4142 CH_UNIX,
4143 blob2.data,
4144 blob2.length,
4145 &server_name,
4146 &len);
4147 if (!ok) {
4148 status = map_nt_error_from_unix_common(errno);
4149 tevent_req_nterror(req, status);
4150 return;
4151 }
4152 }
4153 }
4154
4155 client_signing = "disabled";
4156 if (conn->allow_signing) {
4157 client_signing = "allowed";
4158 }
4159 if (conn->mandatory_signing) {
4160 client_signing = "required";
4161 }
4162
4163 server_signing = "not supported";
4164 if (server_security_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) {
4165 server_signing = "supported";
4166 server_allowed = true;
4167 } else if (conn->mandatory_signing) {
4168 /*
4169 * We have mandatory signing as client
4170 * lets assume the server will look at our
4171 * FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED
4172 * flag in the session setup
4173 */
4174 server_signing = "not announced";
4175 server_allowed = true;
4176 }
4177 if (server_security_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) {
4178 server_signing = "required";
4179 server_mandatory = true;
4180 }
4181
4182 ok = smb_signing_set_negotiated(conn->smb1.signing,
4183 server_allowed,
4184 server_mandatory);
4185 if (!ok) {
4186 DEBUG(1,("cli_negprot: SMB signing is required, "
4187 "but client[%s] and server[%s] mismatch\n",
4188 client_signing, server_signing));
4189 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
4190 return;
4191 }
4192
4193 } else if (conn->protocol >= PROTOCOL_LANMAN1) {
4194 DATA_BLOB blob1;
4195 uint8_t key_len;
4196 time_t t;
4197
4198 if (wct != 0x0D) {
4199 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4200 return;
4201 }
4202
4203 server_security_mode = SVAL(vwv + 1, 0);
4204 server_max_xmit = SVAL(vwv + 2, 0);
4205 server_max_mux = SVAL(vwv + 3, 0);
4206 server_readbraw = ((SVAL(vwv + 5, 0) & 0x1) != 0);
4207 server_writebraw = ((SVAL(vwv + 5, 0) & 0x2) != 0);
4208 server_session_key = IVAL(vwv + 6, 0);
4209 server_time_zone = SVALS(vwv + 10, 0);
4210 server_time_zone *= 60;
4211 /* this time is converted to GMT by make_unix_date */
4212 t = pull_dos_date((const uint8_t *)(vwv + 8), server_time_zone);
4213 unix_to_nt_time(&server_system_time, t);
4214 key_len = SVAL(vwv + 11, 0);
4215
4216 if (num_bytes < key_len) {
4217 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4218 return;
4219 }
4220
4221 if (key_len != 0 && key_len != 8) {
4222 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4223 return;
4224 }
4225
4226 if (key_len == 8) {
4227 memcpy(server_challenge, bytes, 8);
4228 }
4229
4230 blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
4231 if (blob1.length > 0) {
4232 size_t len;
4233 bool ok;
4234
4235 len = utf16_len_n(blob1.data,
4236 blob1.length);
4237 blob1.length = len;
4238
4239 ok = convert_string_talloc(state,
4240 CH_DOS,
4241 CH_UNIX,
4242 blob1.data,
4243 blob1.length,
4244 &server_workgroup,
4245 &len);
4246 if (!ok) {
4247 status = map_nt_error_from_unix_common(errno);
4248 tevent_req_nterror(req, status);
4249 return;
4250 }
4251 }
4252
4253 } else {
4254 /* the old core protocol */
4255 server_time_zone = get_time_zone(time(NULL));
4256 server_max_xmit = 1024;
4257 server_max_mux = 1;
4258 }
4259
4260 if (server_max_xmit < 1024) {
4261 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4262 return;
4263 }
4264
4265 if (server_max_mux < 1) {
4266 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4267 return;
4268 }
4269
4270 /*
4271 * Now calculate the negotiated capabilities
4272 * based on the mask for:
4273 * - client only flags
4274 * - flags used in both directions
4275 * - server only flags
4276 */
4277 both_capabilities = client_capabilities & server_capabilities;
4278 capabilities = client_capabilities & SMB_CAP_CLIENT_MASK;
4279 capabilities |= both_capabilities & SMB_CAP_BOTH_MASK;
4280 capabilities |= server_capabilities & SMB_CAP_SERVER_MASK;
4281
4282 max_xmit = MIN(client_max_xmit, server_max_xmit);
4283
4284 conn->smb1.server.capabilities = server_capabilities;
4285 conn->smb1.capabilities = capabilities;
4286
4287 conn->smb1.server.max_xmit = server_max_xmit;
4288 conn->smb1.max_xmit = max_xmit;
4289
4290 conn->smb1.server.max_mux = server_max_mux;
4291
4292 conn->smb1.server.security_mode = server_security_mode;
4293
4294 conn->smb1.server.readbraw = server_readbraw;
4295 conn->smb1.server.writebraw = server_writebraw;
4296 conn->smb1.server.lockread = server_lockread;
4297 conn->smb1.server.writeunlock = server_writeunlock;
4298
4299 conn->smb1.server.session_key = server_session_key;
4300
4301 talloc_steal(conn, server_gss_blob.data);
4302 conn->smb1.server.gss_blob = server_gss_blob;
4303 conn->smb1.server.guid = server_guid;
4304 memcpy(conn->smb1.server.challenge, server_challenge, 8);
4305 conn->smb1.server.workgroup = talloc_move(conn, &server_workgroup);
4306 conn->smb1.server.name = talloc_move(conn, &server_name);
4307
4308 conn->smb1.server.time_zone = server_time_zone;
4309 conn->smb1.server.system_time = server_system_time;
4310
4311 tevent_req_done(req);
4312 }
4313
4314 static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_state *state)
4315 {
4316 size_t i;
4317 uint8_t *buf;
4318 uint16_t dialect_count = 0;
4319
4320 buf = state->smb2.dyn;
4321 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4322 if (smb2cli_prots[i].proto < state->min_protocol) {
4323 continue;
4324 }
4325
4326 if (smb2cli_prots[i].proto > state->max_protocol) {
4327 continue;
4328 }
4329
4330 SSVAL(buf, dialect_count*2, smb2cli_prots[i].smb2_dialect);
4331 dialect_count++;
4332 }
4333
4334 buf = state->smb2.fixed;
4335 SSVAL(buf, 0, 36);
4336 SSVAL(buf, 2, dialect_count);
4337 SSVAL(buf, 4, state->conn->smb2.client.security_mode);
4338 SSVAL(buf, 6, 0); /* Reserved */
4339 if (state->max_protocol >= PROTOCOL_SMB2_22) {
4340 SIVAL(buf, 8, state->conn->smb2.client.capabilities);
4341 } else {
4342 SIVAL(buf, 8, 0); /* Capabilities */
4343 }
4344 if (state->max_protocol >= PROTOCOL_SMB2_10) {
4345 NTSTATUS status;
4346 DATA_BLOB blob;
4347
4348 status = GUID_to_ndr_blob(&state->conn->smb2.client.guid,
4349 state, &blob);
4350 if (!NT_STATUS_IS_OK(status)) {
4351 return NULL;
4352 }
4353 memcpy(buf+12, blob.data, 16); /* ClientGuid */
4354 } else {
4355 memset(buf+12, 0, 16); /* ClientGuid */
4356 }
4357 SBVAL(buf, 28, 0); /* ClientStartTime */
4358
4359 return smb2cli_req_send(state, state->ev,
4360 state->conn, SMB2_OP_NEGPROT,
4361 0, 0, /* flags */
4362 state->timeout_msec,
4363 NULL, NULL, /* tcon, session */
4364 state->smb2.fixed, sizeof(state->smb2.fixed),
4365 state->smb2.dyn, dialect_count*2,
4366 UINT16_MAX); /* max_dyn_len */
4367 }
4368
4369 static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
4370 {
4371 struct tevent_req *req =
4372 tevent_req_callback_data(subreq,
4373 struct tevent_req);
4374 struct smbXcli_negprot_state *state =
4375 tevent_req_data(req,
4376 struct smbXcli_negprot_state);
4377 struct smbXcli_conn *conn = state->conn;
4378 size_t security_offset, security_length;
4379 DATA_BLOB blob;
4380 NTSTATUS status;
4381 struct iovec *iov;
4382 uint8_t *body;
4383 size_t i;
4384 uint16_t dialect_revision;
4385 static const struct smb2cli_req_expected_response expected[] = {
4386 {
4387 .status = NT_STATUS_OK,
4388 .body_size = 0x41
4389 }
4390 };
4391
4392 status = smb2cli_req_recv(subreq, state, &iov,
4393 expected, ARRAY_SIZE(expected));
4394 TALLOC_FREE(subreq);
4395 if (tevent_req_nterror(req, status)) {
4396 return;
4397 }
4398
4399 body = (uint8_t *)iov[1].iov_base;
4400
4401 dialect_revision = SVAL(body, 4);
4402
4403 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4404 if (smb2cli_prots[i].proto < state->min_protocol) {
4405 continue;
4406 }
4407
4408 if (smb2cli_prots[i].proto > state->max_protocol) {
4409 continue;
4410 }
4411
4412 if (smb2cli_prots[i].smb2_dialect != dialect_revision) {
4413 continue;
4414 }
4415
4416 conn->protocol = smb2cli_prots[i].proto;
4417 break;
4418 }
4419
4420 if (conn->protocol == PROTOCOL_NONE) {
4421 if (state->min_protocol >= PROTOCOL_SMB2_02) {
4422 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4423 return;
4424 }
4425
4426 if (dialect_revision != SMB2_DIALECT_REVISION_2FF) {
4427 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4428 return;
4429 }
4430
4431 /* make sure we do not loop forever */
4432 state->min_protocol = PROTOCOL_SMB2_02;
4433
4434 /*
4435 * send a SMB2 negprot, in order to negotiate
4436 * the SMB2 dialect.
4437 */
4438 subreq = smbXcli_negprot_smb2_subreq(state);
4439 if (tevent_req_nomem(subreq, req)) {
4440 return;
4441 }
4442 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4443 return;
4444 }
4445
4446 conn->smb2.server.security_mode = SVAL(body, 2);
4447
4448 blob = data_blob_const(body + 8, 16);
4449 status = GUID_from_data_blob(&blob, &conn->smb2.server.guid);
4450 if (tevent_req_nterror(req, status)) {
4451 return;
4452 }
4453
4454 conn->smb2.server.capabilities = IVAL(body, 24);
4455 conn->smb2.server.max_trans_size= IVAL(body, 28);
4456 conn->smb2.server.max_read_size = IVAL(body, 32);
4457 conn->smb2.server.max_write_size= IVAL(body, 36);
4458 conn->smb2.server.system_time = BVAL(body, 40);
4459 conn->smb2.server.start_time = BVAL(body, 48);
4460
4461 security_offset = SVAL(body, 56);
4462 security_length = SVAL(body, 58);
4463
4464 if (security_offset != SMB2_HDR_BODY + iov[1].iov_len) {
4465 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4466 return;
4467 }
4468
4469 if (security_length > iov[2].iov_len) {
4470 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4471 return;
4472 }
4473
4474 conn->smb2.server.gss_blob = data_blob_talloc(conn,
4475 iov[2].iov_base,
4476 security_length);
4477 if (tevent_req_nomem(conn->smb2.server.gss_blob.data, req)) {
4478 return;
4479 }
4480
4481 tevent_req_done(req);
4482 }
4483
4484 static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
4485 TALLOC_CTX *tmp_mem,
4486 uint8_t *inbuf)
4487 {
4488 size_t num_pending = talloc_array_length(conn->pending);
4489 struct tevent_req *subreq;
4490 struct smbXcli_req_state *substate;
4491 struct tevent_req *req;
4492 uint32_t protocol_magic;
4493 size_t inbuf_len = smb_len_nbt(inbuf);
4494
4495 if (num_pending != 1) {
4496 return NT_STATUS_INTERNAL_ERROR;
4497 }
4498
4499 if (inbuf_len < 4) {
4500 return NT_STATUS_INVALID_NETWORK_RESPONSE;
4501 }
4502
4503 subreq = conn->pending[0];
4504 substate = tevent_req_data(subreq, struct smbXcli_req_state);
4505 req = tevent_req_callback_data(subreq, struct tevent_req);
4506
4507 protocol_magic = IVAL(inbuf, 4);
4508
4509 switch (protocol_magic) {
4510 case SMB_MAGIC:
4511 tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
4512 conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
4513 return smb1cli_conn_dispatch_incoming(conn, tmp_mem, inbuf);
4514
4515 case SMB2_MAGIC:
4516 if (substate->smb2.recv_iov == NULL) {
4517 /*
4518 * For the SMB1 negprot we have move it.
4519 */
4520 substate->smb2.recv_iov = substate->smb1.recv_iov;
4521 substate->smb1.recv_iov = NULL;
4522 }
4523
4524 /*
4525 * we got an SMB2 answer, which consumed sequence number 0
4526 * so we need to use 1 as the next one.
4527 *
4528 * we also need to set the current credits to 0
4529 * as we consumed the initial one. The SMB2 answer
4530 * hopefully grant us a new credit.
4531 */
4532 conn->smb2.mid = 1;
4533 conn->smb2.cur_credits = 0;
4534 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4535 conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
4536 return smb2cli_conn_dispatch_incoming(conn, tmp_mem, inbuf);
4537 }
4538
4539 DEBUG(10, ("Got non-SMB PDU\n"));
4540 return NT_STATUS_INVALID_NETWORK_RESPONSE;
4541 }
4542
4543 NTSTATUS smbXcli_negprot_recv(struct tevent_req *req)
4544 {
4545 return tevent_req_simple_recv_ntstatus(req);
4546 }
4547
4548 NTSTATUS smbXcli_negprot(struct smbXcli_conn *conn,
4549 uint32_t timeout_msec,
4550 enum protocol_types min_protocol,
4551 enum protocol_types max_protocol)
4552 {
4553 TALLOC_CTX *frame = talloc_stackframe();
4554 struct tevent_context *ev;
4555 struct tevent_req *req;
4556 NTSTATUS status = NT_STATUS_NO_MEMORY;
4557 bool ok;
4558
4559 if (smbXcli_conn_has_async_calls(conn)) {
4560 /*
4561 * Can't use sync call while an async call is in flight
4562 */
4563 status = NT_STATUS_INVALID_PARAMETER_MIX;
4564 goto fail;
4565 }
4566 ev = samba_tevent_context_init(frame);
4567 if (ev == NULL) {
4568 goto fail;
4569 }
4570 req = smbXcli_negprot_send(frame, ev, conn, timeout_msec,
4571 min_protocol, max_protocol);
4572 if (req == NULL) {
4573 goto fail;
4574 }
4575 ok = tevent_req_poll(req, ev);
4576 if (!ok) {
4577 status = map_nt_error_from_unix_common(errno);
4578 goto fail;
4579 }
4580 status = smbXcli_negprot_recv(req);
4581 fail:
4582 TALLOC_FREE(frame);
4583 return status;
4584 }
4585
4586 static int smbXcli_session_destructor(struct smbXcli_session *session)
4587 {
4588 if (session->conn == NULL) {
4589 return 0;
4590 }
4591
4592 DLIST_REMOVE(session->conn->sessions, session);
4593 return 0;
4594 }
4595
4596 struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
4597 struct smbXcli_conn *conn)
4598 {
4599 struct smbXcli_session *session;
4600
4601 session = talloc_zero(mem_ctx, struct smbXcli_session);
4602 if (session == NULL) {
4603 return NULL;
4604 }
4605 session->smb2 = talloc_zero(session, struct smb2cli_session);
4606 if (session->smb2 == NULL) {
4607 talloc_free(session);
4608 return NULL;
4609 }
4610 talloc_set_destructor(session, smbXcli_session_destructor);
4611
4612 DLIST_ADD_END(conn->sessions, session, struct smbXcli_session *);
4613 session->conn = conn;
4614
4615 return session;
4616 }
4617
4618 struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
4619 struct smbXcli_session *src)
4620 {
4621 struct smbXcli_session *session;
4622
4623 session = talloc_zero(mem_ctx, struct smbXcli_session);
4624 if (session == NULL) {
4625 return NULL;
4626 }
4627 session->smb2 = talloc_zero(session, struct smb2cli_session);
4628 if (session->smb2 == NULL) {
4629 talloc_free(session);
4630 return NULL;
4631 }
4632
4633 session->conn = src->conn;
4634 *session->smb2 = *src->smb2;
4635 session->smb2_channel = src->smb2_channel;
4636 session->disconnect_expired = src->disconnect_expired;
4637
4638 DLIST_ADD_END(src->conn->sessions, session, struct smbXcli_session *);
4639 talloc_set_destructor(session, smbXcli_session_destructor);
4640
4641 return session;
4642 }
4643
4644 bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
4645 {
4646 const DATA_BLOB *application_key;
4647
4648 if (session->conn == NULL) {
4649 return false;
4650 }
4651
4652 /*
4653 * If we have an application key we had a session key negotiated
4654 * at auth time.
4655 */
4656 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
4657 application_key = &session->smb2->application_key;
4658 } else {
4659 application_key = &session->smb1.application_key;
4660 }
4661
4662 if (application_key->length == 0) {
4663 return false;
4664 }
4665
4666 return true;
4667 }
4668
4669 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
4670 TALLOC_CTX *mem_ctx,
4671 DATA_BLOB *key)
4672 {
4673 const DATA_BLOB *application_key;
4674
4675 *key = data_blob_null;
4676
4677 if (session->conn == NULL) {
4678 return NT_STATUS_NO_USER_SESSION_KEY;
4679 }
4680
4681 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
4682 application_key = &session->smb2->application_key;
4683 } else {
4684 application_key = &session->smb1.application_key;
4685 }
4686
4687 if (application_key->length == 0) {
4688 return NT_STATUS_NO_USER_SESSION_KEY;
4689 }
4690
4691 *key = data_blob_dup_talloc(mem_ctx, *application_key);
4692 if (key->data == NULL) {
4693 return NT_STATUS_NO_MEMORY;
4694 }
4695
4696 return NT_STATUS_OK;
4697 }
4698
4699 void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session)
4700 {
4701 session->disconnect_expired = true;
4702 }
4703
4704 uint16_t smb1cli_session_current_id(struct smbXcli_session *session)
4705 {
4706 return session->smb1.session_id;
4707 }
4708
4709 void smb1cli_session_set_id(struct smbXcli_session *session,
4710 uint16_t session_id)
4711 {
4712 session->smb1.session_id = session_id;
4713 }
4714
4715 NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
4716 const DATA_BLOB _session_key)
4717 {
4718 struct smbXcli_conn *conn = session->conn;
4719 uint8_t session_key[16];
4720
4721 if (conn == NULL) {
4722 return NT_STATUS_INVALID_PARAMETER_MIX;
4723 }
4724
4725 if (session->smb1.application_key.length != 0) {
4726 /*
4727 * TODO: do not allow this...
4728 *
4729 * return NT_STATUS_INVALID_PARAMETER_MIX;
4730 */
4731 data_blob_clear_free(&session->smb1.application_key);
4732 session->smb1.protected_key = false;
4733 }
4734
4735 if (_session_key.length == 0) {
4736 return NT_STATUS_OK;
4737 }
4738
4739 ZERO_STRUCT(session_key);
4740 memcpy(session_key, _session_key.data,
4741 MIN(_session_key.length, sizeof(session_key)));
4742
4743 session->smb1.application_key = data_blob_talloc(session,
4744 session_key,
4745 sizeof(session_key));
4746 ZERO_STRUCT(session_key);
4747 if (session->smb1.application_key.data == NULL) {
4748 return NT_STATUS_NO_MEMORY;
4749 }
4750
4751 session->smb1.protected_key = false;
4752
4753 return NT_STATUS_OK;
4754 }
4755
4756 NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session)
4757 {
4758 if (session->smb1.protected_key) {
4759 /* already protected */
4760 return NT_STATUS_OK;
4761 }
4762
4763 if (session->smb1.application_key.length != 16) {
4764 return NT_STATUS_INVALID_PARAMETER_MIX;
4765 }
4766
4767 smb_key_derivation(session->smb1.application_key.data,
4768 session->smb1.application_key.length,
4769 session->smb1.application_key.data);
4770
4771 session->smb1.protected_key = true;
4772
4773 return NT_STATUS_OK;
4774 }
4775
4776 uint8_t smb2cli_session_security_mode(struct smbXcli_session *session)
4777 {
4778 struct smbXcli_conn *conn = session->conn;
4779 uint8_t security_mode = 0;
4780
4781 if (conn == NULL) {
4782 return security_mode;
4783 }
4784
4785 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
4786 if (conn->mandatory_signing) {
4787 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
4788 }
4789
4790 return security_mode;
4791 }
4792
4793 uint64_t smb2cli_session_current_id(struct smbXcli_session *session)
4794 {
4795 return session->smb2->session_id;
4796 }
4797
4798 uint16_t smb2cli_session_get_flags(struct smbXcli_session *session)
4799 {
4800 return session->smb2->session_flags;
4801 }
4802
4803 void smb2cli_session_set_id_and_flags(struct smbXcli_session *session,
4804 uint64_t session_id,
4805 uint16_t session_flags)
4806 {
4807 session->smb2->session_id = session_id;
4808 session->smb2->session_flags = session_flags;
4809 }
4810
4811 void smb2cli_session_increment_channel_sequence(struct smbXcli_session *session)
4812 {
4813 session->smb2->channel_sequence += 1;
4814 }
4815
4816 uint16_t smb2cli_session_reset_channel_sequence(struct smbXcli_session *session,
4817 uint16_t channel_sequence)
4818 {
4819 uint16_t prev_cs;
4820
4821 prev_cs = session->smb2->channel_sequence;
4822 session->smb2->channel_sequence = channel_sequence;
4823
4824 return prev_cs;
4825 }
4826
4827 void smb2cli_session_start_replay(struct smbXcli_session *session)
4828 {
4829 session->smb2->replay_active = true;
4830 }
4831
4832 void smb2cli_session_stop_replay(struct smbXcli_session *session)
4833 {
4834 session->smb2->replay_active = false;
4835 }
4836
4837 NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
4838 const DATA_BLOB _session_key,
4839 const struct iovec *recv_iov)
4840 {
4841 struct smbXcli_conn *conn = session->conn;
4842 uint16_t no_sign_flags;
4843 uint8_t session_key[16];
4844 bool check_signature = true;
4845 uint32_t hdr_flags;
4846 NTSTATUS status;
4847
4848 if (conn == NULL) {
4849 return NT_STATUS_INVALID_PARAMETER_MIX;
4850 }
4851
4852 if (recv_iov[0].iov_len != SMB2_HDR_BODY) {
4853 return NT_STATUS_INVALID_PARAMETER_MIX;
4854 }
4855
4856 no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
4857
4858 if (session->smb2->session_flags & no_sign_flags) {
4859 session->smb2->should_sign = false;
4860 return NT_STATUS_OK;
4861 }
4862
4863 if (session->smb2->signing_key.length != 0) {
4864 return NT_STATUS_INVALID_PARAMETER_MIX;
4865 }
4866
4867 ZERO_STRUCT(session_key);
4868 memcpy(session_key, _session_key.data,
4869 MIN(_session_key.length, sizeof(session_key)));
4870
4871 session->smb2->signing_key = data_blob_talloc(session,
4872 session_key,
4873 sizeof(session_key));
4874 if (session->smb2->signing_key.data == NULL) {
4875 ZERO_STRUCT(session_key);
4876 return NT_STATUS_NO_MEMORY;
4877 }
4878
4879 if (conn->protocol >= PROTOCOL_SMB2_24) {
4880 const DATA_BLOB label = data_blob_string_const_null("SMB2AESCMAC");
4881 const DATA_BLOB context = data_blob_string_const_null("SmbSign");
4882
4883 smb2_key_derivation(session_key, sizeof(session_key),
4884 label.data, label.length,
4885 context.data, context.length,
4886 session->smb2->signing_key.data);
4887 }
4888
4889 session->smb2->encryption_key = data_blob_dup_talloc(session,
4890 session->smb2->signing_key);
4891 if (session->smb2->encryption_key.data == NULL) {
4892 ZERO_STRUCT(session_key);
4893 return NT_STATUS_NO_MEMORY;
4894 }
4895
4896 if (conn->protocol >= PROTOCOL_SMB2_24) {
4897 const DATA_BLOB label = data_blob_string_const_null("SMB2AESCCM");
4898 const DATA_BLOB context = data_blob_string_const_null("ServerIn ");
4899
4900 smb2_key_derivation(session_key, sizeof(session_key),
4901 label.data, label.length,
4902 context.data, context.length,
4903 session->smb2->encryption_key.data);
4904 }
4905
4906 session->smb2->decryption_key = data_blob_dup_talloc(session,
4907 session->smb2->signing_key);
4908 if (session->smb2->decryption_key.data == NULL) {
4909 ZERO_STRUCT(session_key);
4910 return NT_STATUS_NO_MEMORY;
4911 }
4912
4913 if (conn->protocol >= PROTOCOL_SMB2_24) {
4914 const DATA_BLOB label = data_blob_string_const_null("SMB2AESCCM");
4915 const DATA_BLOB context = data_blob_string_const_null("ServerOut");
4916
4917 smb2_key_derivation(session_key, sizeof(session_key),
4918 label.data, label.length,
4919 context.data, context.length,
4920 session->smb2->decryption_key.data);
4921 }
4922
4923 session->smb2->application_key = data_blob_dup_talloc(session,
4924 session->smb2->signing_key);
4925 if (session->smb2->application_key.data == NULL) {
4926 ZERO_STRUCT(session_key);
4927 return NT_STATUS_NO_MEMORY;
4928 }
4929
4930 if (conn->protocol >= PROTOCOL_SMB2_24) {
4931 const DATA_BLOB label = data_blob_string_const_null("SMB2APP");
4932 const DATA_BLOB context = data_blob_string_const_null("SmbRpc");
4933
4934 smb2_key_derivation(session_key, sizeof(session_key),
4935 label.data, label.length,
4936 context.data, context.length,
4937 session->smb2->application_key.data);
4938 }
4939 ZERO_STRUCT(session_key);
4940
4941 session->smb2_channel.signing_key = data_blob_dup_talloc(session,
4942 session->smb2->signing_key);
4943 if (session->smb2_channel.signing_key.data == NULL) {
4944 return NT_STATUS_NO_MEMORY;
4945 }
4946
4947 check_signature = conn->mandatory_signing;
4948
4949 hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS);
4950 if (hdr_flags & SMB2_HDR_FLAG_SIGNED) {
4951 /*
4952 * Sadly some vendors don't sign the
4953 * final SMB2 session setup response
4954 *
4955 * At least Windows and Samba are always doing this
4956 * if there's a session key available.
4957 *
4958 * We only check the signature if it's mandatory
4959 * or SMB2_HDR_FLAG_SIGNED is provided.
4960 */
4961 check_signature = true;
4962 }
4963
4964 if (check_signature) {
4965 status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
4966 session->conn->protocol,
4967 recv_iov, 3);
4968 if (!NT_STATUS_IS_OK(status)) {
4969 return status;
4970 }
4971 }
4972
4973 session->smb2->should_sign = false;
4974 session->smb2->should_encrypt = false;
4975
4976 if (conn->desire_signing) {
4977 session->smb2->should_sign = true;
4978 }
4979
4980 if (conn->smb2.server.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
4981 session->smb2->should_sign = true;
4982 }
4983
4984 if (session->smb2->session_flags & SMB2_SESSION_FLAG_ENCRYPT_DATA) {
4985 session->smb2->should_encrypt = true;
4986 }
4987
4988 if (conn->protocol < PROTOCOL_SMB2_24) {
4989 session->smb2->should_encrypt = false;
4990 }
4991
4992 if (!(conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION)) {
4993 session->smb2->should_encrypt = false;
4994 }
4995
4996 generate_random_buffer((uint8_t *)&session->smb2->nonce_high,
4997 sizeof(session->smb2->nonce_high));
4998 session->smb2->nonce_low = 1;
4999
5000 return NT_STATUS_OK;
5001 }
5002
5003 NTSTATUS smb2cli_session_create_channel(TALLOC_CTX *mem_ctx,
5004 struct smbXcli_session *session1,
5005 struct smbXcli_conn *conn,
5006 struct smbXcli_session **_session2)
5007 {
5008 struct smbXcli_session *session2;
5009
5010 if (session1->smb2->signing_key.length == 0) {
5011 return NT_STATUS_INVALID_PARAMETER_MIX;
5012 }
5013
5014 if (conn == NULL) {
5015 return NT_STATUS_INVALID_PARAMETER_MIX;
5016 }
5017
5018 session2 = talloc_zero(mem_ctx, struct smbXcli_session);
5019 if (session2 == NULL) {
5020 return NT_STATUS_NO_MEMORY;
5021 }
5022 session2->smb2 = talloc_reference(session2, session1->smb2);
5023 if (session2->smb2 == NULL) {
5024 talloc_free(session2);
5025 return NT_STATUS_NO_MEMORY;
5026 }
5027
5028 talloc_set_destructor(session2, smbXcli_session_destructor);
5029 DLIST_ADD_END(conn->sessions, session2, struct smbXcli_session *);
5030 session2->conn = conn;
5031
5032 *_session2 = session2;
5033 return NT_STATUS_OK;
5034 }
5035
5036 NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
5037 const DATA_BLOB _channel_key,
5038 const struct iovec *recv_iov)
5039 {
5040 struct smbXcli_conn *conn = session->conn;
5041 uint8_t channel_key[16];
5042 NTSTATUS status;
5043
5044 if (conn == NULL) {
5045 return NT_STATUS_INVALID_PARAMETER_MIX;
5046 }
5047
5048 if (session->smb2_channel.signing_key.length != 0) {
5049 return NT_STATUS_INVALID_PARAMETER_MIX;
5050 }
5051
5052 ZERO_STRUCT(channel_key);
5053 memcpy(channel_key, _channel_key.data,
5054 MIN(_channel_key.length, sizeof(channel_key)));
5055
5056 session->smb2_channel.signing_key = data_blob_talloc(session,
5057 channel_key,
5058 sizeof(channel_key));
5059 if (session->smb2_channel.signing_key.data == NULL) {
5060 ZERO_STRUCT(channel_key);
5061 return NT_STATUS_NO_MEMORY;
5062 }
5063
5064 if (conn->protocol >= PROTOCOL_SMB2_24) {
5065 const DATA_BLOB label = data_blob_string_const_null("SMB2AESCMAC");
5066 const DATA_BLOB context = data_blob_string_const_null("SmbSign");
5067
5068 smb2_key_derivation(channel_key, sizeof(channel_key),
5069 label.data, label.length,
5070 context.data, context.length,
5071 session->smb2_channel.signing_key.data);
5072 }
5073 ZERO_STRUCT(channel_key);
5074
5075 status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
5076 session->conn->protocol,
5077 recv_iov, 3);
5078 if (!NT_STATUS_IS_OK(status)) {
5079 return status;
5080 }
5081
5082 return NT_STATUS_OK;
5083 }
5084
5085 NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
5086 {
5087 if (session->smb2->should_encrypt) {
5088 return NT_STATUS_OK;
5089 }
5090
5091 if (session->conn->protocol < PROTOCOL_SMB2_24) {
5092 return NT_STATUS_NOT_SUPPORTED;
5093 }
5094
5095 if (!(session->conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION)) {
5096 return NT_STATUS_NOT_SUPPORTED;
5097 }
5098
5099 if (session->smb2->signing_key.data == NULL) {
5100 return NT_STATUS_NOT_SUPPORTED;
5101 }
5102 session->smb2->should_encrypt = true;
5103 return NT_STATUS_OK;
5104 }
5105
5106 struct smbXcli_tcon *smbXcli_tcon_create(TALLOC_CTX *mem_ctx)
5107 {
5108 struct smbXcli_tcon *tcon;
5109
5110 tcon = talloc_zero(mem_ctx, struct smbXcli_tcon);
5111 if (tcon == NULL) {
5112 return NULL;
5113 }
5114
5115 return tcon;
5116 }
5117
5118 void smbXcli_tcon_set_fs_attributes(struct smbXcli_tcon *tcon,
5119 uint32_t fs_attributes)
5120 {
5121 tcon->fs_attributes = fs_attributes;
5122 }
5123
5124 uint32_t smbXcli_tcon_get_fs_attributes(struct smbXcli_tcon *tcon)
5125 {
5126 return tcon->fs_attributes;
5127 }
5128
5129 bool smbXcli_tcon_is_dfs_share(struct smbXcli_tcon *tcon)
5130 {
5131 if (tcon == NULL) {
5132 return false;
5133 }
5134
5135 if (tcon->is_smb1) {
5136 if (tcon->smb1.optional_support & SMB_SHARE_IN_DFS) {
5137 return true;
5138 }
5139
5140 return false;
5141 }
5142
5143 if (tcon->smb2.capabilities & SMB2_SHARE_CAP_DFS) {
5144 return true;
5145 }
5146
5147 return false;
5148 }
5149
5150 uint16_t smb1cli_tcon_current_id(struct smbXcli_tcon *tcon)
5151 {
5152 return tcon->smb1.tcon_id;
5153 }
5154
5155 void smb1cli_tcon_set_id(struct smbXcli_tcon *tcon, uint16_t tcon_id)
5156 {
5157 tcon->is_smb1 = true;
5158 tcon->smb1.tcon_id = tcon_id;
5159 }
5160
5161 bool smb1cli_tcon_set_values(struct smbXcli_tcon *tcon,
5162 uint16_t tcon_id,
5163 uint16_t optional_support,
5164 uint32_t maximal_access,
5165 uint32_t guest_maximal_access,
5166 const char *service,
5167 const char *fs_type)
5168 {
5169 tcon->is_smb1 = true;
5170 tcon->fs_attributes = 0;
5171 tcon->smb1.tcon_id = tcon_id;
5172 tcon->smb1.optional_support = optional_support;
5173 tcon->smb1.maximal_access = maximal_access;
5174 tcon->smb1.guest_maximal_access = guest_maximal_access;
5175
5176 TALLOC_FREE(tcon->smb1.service);
5177 tcon->smb1.service = talloc_strdup(tcon, service);
5178 if (service != NULL && tcon->smb1.service == NULL) {
5179 return false;
5180 }
5181
5182 TALLOC_FREE(tcon->smb1.fs_type);
5183 tcon->smb1.fs_type = talloc_strdup(tcon, fs_type);
5184 if (fs_type != NULL && tcon->smb1.fs_type == NULL) {
5185 return false;
5186 }
5187
5188 return true;
5189 }
5190
5191 uint32_t smb2cli_tcon_current_id(struct smbXcli_tcon *tcon)
5192 {
5193 return tcon->smb2.tcon_id;
5194 }
5195
5196 uint32_t smb2cli_tcon_capabilities(struct smbXcli_tcon *tcon)
5197 {
5198 return tcon->smb2.capabilities;
5199 }
5200
5201 void smb2cli_tcon_set_values(struct smbXcli_tcon *tcon,
5202 struct smbXcli_session *session,
5203 uint32_t tcon_id,
5204 uint8_t type,
5205 uint32_t flags,
5206 uint32_t capabilities,
5207 uint32_t maximal_access)
5208 {
5209 tcon->is_smb1 = false;
5210 tcon->fs_attributes = 0;
5211 tcon->smb2.tcon_id = tcon_id;
5212 tcon->smb2.type = type;
5213 tcon->smb2.flags = flags;
5214 tcon->smb2.capabilities = capabilities;
5215 tcon->smb2.maximal_access = maximal_access;
5216
5217 tcon->smb2.should_encrypt = false;
5218
5219 if (session == NULL) {
5220 return;
5221 }
5222
5223 tcon->smb2.should_encrypt = session->smb2->should_encrypt;
5224
5225 if (flags & SMB2_SHAREFLAG_ENCRYPT_DATA) {
5226 tcon->smb2.should_encrypt = true;
5227 }
5228 }
5229
5230 void smb2cli_tcon_should_encrypt(struct smbXcli_tcon *tcon,
5231 bool should_encrypt)
5232 {
5233 tcon->smb2.should_encrypt = should_encrypt;
5234 }
5235
5236 bool smb2cli_tcon_is_encryption_on(struct smbXcli_tcon *tcon)
5237 {
5238 return tcon->smb2.should_encrypt;
5239 }
Samba GIT mirror