search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tests/sam: Remove unnecessary calls for third party module imports.
[Samba.git] / libcli / smb / smbXcli_base.c
blob5773ab3d18c871fcf45ff9dc46aa0267e34b12d7
1 /*
2 Unix SMB/CIFS implementation.
3 Infrastructure for async SMB client requests
4 Copyright (C) Volker Lendecke 2008
5 Copyright (C) Stefan Metzmacher 2011
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "system/network.h"
23 #include "../lib/async_req/async_sock.h"
24 #include "../lib/util/tevent_ntstatus.h"
25 #include "../lib/util/tevent_unix.h"
26 #include "lib/util/util_net.h"
27 #include "lib/util/dlinklist.h"
28 #include "lib/util/iov_buf.h"
29 #include "../libcli/smb/smb_common.h"
30 #include "../libcli/smb/smb_seal.h"
31 #include "../libcli/smb/smb_signing.h"
32 #include "../libcli/smb/read_smb.h"
33 #include "smbXcli_base.h"
34 #include "librpc/ndr/libndr.h"
35 #include "libcli/smb/smb2_negotiate_context.h"
36 #include "lib/crypto/sha512.h"
37
38 struct smbXcli_conn;
39 struct smbXcli_req;
40 struct smbXcli_session;
41 struct smbXcli_tcon;
42
43 struct smbXcli_conn {
44 int read_fd;
45 int write_fd;
46 struct sockaddr_storage local_ss;
47 struct sockaddr_storage remote_ss;
48 const char *remote_name;
49
50 struct tevent_queue *outgoing;
51 struct tevent_req **pending;
52 struct tevent_req *read_smb_req;
53
54 enum protocol_types min_protocol;
55 enum protocol_types max_protocol;
56 enum protocol_types protocol;
57 bool allow_signing;
58 bool desire_signing;
59 bool mandatory_signing;
60
61 /*
62 * The incoming dispatch function should return:
63 * - NT_STATUS_RETRY, if more incoming PDUs are expected.
64 * - NT_STATUS_OK, if no more processing is desired, e.g.
65 * the dispatch function called
66 * tevent_req_done().
67 * - All other return values disconnect the connection.
68 */
69 NTSTATUS (*dispatch_incoming)(struct smbXcli_conn *conn,
70 TALLOC_CTX *tmp_mem,
71 uint8_t *inbuf);
72
73 struct {
74 struct {
75 uint32_t capabilities;
76 uint32_t max_xmit;
77 } client;
78
79 struct {
80 uint32_t capabilities;
81 uint32_t max_xmit;
82 uint16_t max_mux;
83 uint16_t security_mode;
84 bool readbraw;
85 bool writebraw;
86 bool lockread;
87 bool writeunlock;
88 uint32_t session_key;
89 struct GUID guid;
90 DATA_BLOB gss_blob;
91 uint8_t challenge[8];
92 const char *workgroup;
93 const char *name;
94 int time_zone;
95 NTTIME system_time;
96 } server;
97
98 uint32_t capabilities;
99 uint32_t max_xmit;
100
101 uint16_t mid;
102
103 struct smb_signing_state *signing;
104 struct smb_trans_enc_state *trans_enc;
105
106 struct tevent_req *read_braw_req;
107 } smb1;
108
109 struct {
110 struct {
111 uint32_t capabilities;
112 uint16_t security_mode;
113 struct GUID guid;
114 } client;
115
116 struct {
117 uint32_t capabilities;
118 uint16_t security_mode;
119 struct GUID guid;
120 uint32_t max_trans_size;
121 uint32_t max_read_size;
122 uint32_t max_write_size;
123 NTTIME system_time;
124 NTTIME start_time;
125 DATA_BLOB gss_blob;
126 uint16_t cipher;
127 } server;
128
129 uint64_t mid;
130 uint16_t cur_credits;
131 uint16_t max_credits;
132
133 uint8_t preauth_sha512[64];
134 } smb2;
135
136 struct smbXcli_session *sessions;
137 };
138
139 struct smb2cli_session {
140 uint64_t session_id;
141 uint16_t session_flags;
142 DATA_BLOB application_key;
143 DATA_BLOB signing_key;
144 bool should_sign;
145 bool should_encrypt;
146 DATA_BLOB encryption_key;
147 DATA_BLOB decryption_key;
148 uint64_t nonce_high;
149 uint64_t nonce_low;
150 uint16_t channel_sequence;
151 bool replay_active;
152 };
153
154 struct smbXcli_session {
155 struct smbXcli_session *prev, *next;
156 struct smbXcli_conn *conn;
157
158 struct {
159 uint16_t session_id;
160 DATA_BLOB application_key;
161 bool protected_key;
162 } smb1;
163
164 struct smb2cli_session *smb2;
165
166 struct {
167 DATA_BLOB signing_key;
168 uint8_t preauth_sha512[64];
169 } smb2_channel;
170
171 /*
172 * this should be a short term hack
173 * until the upper layers have implemented
174 * re-authentication.
175 */
176 bool disconnect_expired;
177 };
178
179 struct smbXcli_tcon {
180 bool is_smb1;
181 uint32_t fs_attributes;
182
183 struct {
184 uint16_t tcon_id;
185 uint16_t optional_support;
186 uint32_t maximal_access;
187 uint32_t guest_maximal_access;
188 char *service;
189 char *fs_type;
190 } smb1;
191
192 struct {
193 uint32_t tcon_id;
194 uint8_t type;
195 uint32_t flags;
196 uint32_t capabilities;
197 uint32_t maximal_access;
198 bool should_sign;
199 bool should_encrypt;
200 } smb2;
201 };
202
203 struct smbXcli_req_state {
204 struct tevent_context *ev;
205 struct smbXcli_conn *conn;
206 struct smbXcli_session *session; /* maybe NULL */
207 struct smbXcli_tcon *tcon; /* maybe NULL */
208
209 uint8_t length_hdr[4];
210
211 bool one_way;
212
213 uint8_t *inbuf;
214
215 struct {
216 /* Space for the header including the wct */
217 uint8_t hdr[HDR_VWV];
218
219 /*
220 * For normal requests, smb1cli_req_send chooses a mid.
221 * SecondaryV trans requests need to use the mid of the primary
222 * request, so we need a place to store it.
223 * Assume it is set if != 0.
224 */
225 uint16_t mid;
226
227 uint16_t *vwv;
228 uint8_t bytecount_buf[2];
229
230 #define MAX_SMB_IOV 10
231 /* length_hdr, hdr, words, byte_count, buffers */
232 struct iovec iov[1 + 3 + MAX_SMB_IOV];
233 int iov_count;
234
235 bool one_way_seqnum;
236 uint32_t seqnum;
237 struct tevent_req **chained_requests;
238
239 uint8_t recv_cmd;
240 NTSTATUS recv_status;
241 /* always an array of 3 talloc elements */
242 struct iovec *recv_iov;
243 } smb1;
244
245 struct {
246 const uint8_t *fixed;
247 uint16_t fixed_len;
248 const uint8_t *dyn;
249 uint32_t dyn_len;
250
251 uint8_t transform[SMB2_TF_HDR_SIZE];
252 uint8_t hdr[SMB2_HDR_BODY];
253 uint8_t pad[7]; /* padding space for compounding */
254
255 /*
256 * always an array of 3 talloc elements
257 * (without a SMB2_TRANSFORM header!)
258 *
259 * HDR, BODY, DYN
260 */
261 struct iovec *recv_iov;
262
263 /*
264 * the expected max for the response dyn_len
265 */
266 uint32_t max_dyn_len;
267
268 uint16_t credit_charge;
269
270 bool should_sign;
271 bool should_encrypt;
272 uint64_t encryption_session_id;
273
274 bool signing_skipped;
275 bool notify_async;
276 bool got_async;
277 } smb2;
278 };
279
280 static int smbXcli_conn_destructor(struct smbXcli_conn *conn)
281 {
282 /*
283 * NT_STATUS_OK, means we do not notify the callers
284 */
285 smbXcli_conn_disconnect(conn, NT_STATUS_OK);
286
287 while (conn->sessions) {
288 conn->sessions->conn = NULL;
289 DLIST_REMOVE(conn->sessions, conn->sessions);
290 }
291
292 if (conn->smb1.trans_enc) {
293 TALLOC_FREE(conn->smb1.trans_enc);
294 }
295
296 return 0;
297 }
298
299 struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
300 int fd,
301 const char *remote_name,
302 enum smb_signing_setting signing_state,
303 uint32_t smb1_capabilities,
304 struct GUID *client_guid,
305 uint32_t smb2_capabilities)
306 {
307 struct smbXcli_conn *conn = NULL;
308 void *ss = NULL;
309 struct sockaddr *sa = NULL;
310 socklen_t sa_length;
311 int ret;
312
313 conn = talloc_zero(mem_ctx, struct smbXcli_conn);
314 if (!conn) {
315 return NULL;
316 }
317
318 conn->read_fd = fd;
319 conn->write_fd = dup(fd);
320 if (conn->write_fd == -1) {
321 goto error;
322 }
323
324 conn->remote_name = talloc_strdup(conn, remote_name);
325 if (conn->remote_name == NULL) {
326 goto error;
327 }
328
329
330 ss = (void *)&conn->local_ss;
331 sa = (struct sockaddr *)ss;
332 sa_length = sizeof(conn->local_ss);
333 ret = getsockname(fd, sa, &sa_length);
334 if (ret == -1) {
335 goto error;
336 }
337 ss = (void *)&conn->remote_ss;
338 sa = (struct sockaddr *)ss;
339 sa_length = sizeof(conn->remote_ss);
340 ret = getpeername(fd, sa, &sa_length);
341 if (ret == -1) {
342 goto error;
343 }
344
345 conn->outgoing = tevent_queue_create(conn, "smbXcli_outgoing");
346 if (conn->outgoing == NULL) {
347 goto error;
348 }
349 conn->pending = NULL;
350
351 conn->min_protocol = PROTOCOL_NONE;
352 conn->max_protocol = PROTOCOL_NONE;
353 conn->protocol = PROTOCOL_NONE;
354
355 switch (signing_state) {
356 case SMB_SIGNING_OFF:
357 /* never */
358 conn->allow_signing = false;
359 conn->desire_signing = false;
360 conn->mandatory_signing = false;
361 break;
362 case SMB_SIGNING_DEFAULT:
363 case SMB_SIGNING_IF_REQUIRED:
364 /* if the server requires it */
365 conn->allow_signing = true;
366 conn->desire_signing = false;
367 conn->mandatory_signing = false;
368 break;
369 case SMB_SIGNING_REQUIRED:
370 /* always */
371 conn->allow_signing = true;
372 conn->desire_signing = true;
373 conn->mandatory_signing = true;
374 break;
375 }
376
377 conn->smb1.client.capabilities = smb1_capabilities;
378 conn->smb1.client.max_xmit = UINT16_MAX;
379
380 conn->smb1.capabilities = conn->smb1.client.capabilities;
381 conn->smb1.max_xmit = 1024;
382
383 conn->smb1.mid = 1;
384
385 /* initialise signing */
386 conn->smb1.signing = smb_signing_init(conn,
387 conn->allow_signing,
388 conn->desire_signing,
389 conn->mandatory_signing);
390 if (!conn->smb1.signing) {
391 goto error;
392 }
393
394 conn->smb2.client.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
395 if (conn->mandatory_signing) {
396 conn->smb2.client.security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
397 }
398 if (client_guid) {
399 conn->smb2.client.guid = *client_guid;
400 }
401 conn->smb2.client.capabilities = smb2_capabilities;
402
403 conn->smb2.cur_credits = 1;
404 conn->smb2.max_credits = 0;
405
406 talloc_set_destructor(conn, smbXcli_conn_destructor);
407 return conn;
408
409 error:
410 if (conn->write_fd != -1) {
411 close(conn->write_fd);
412 }
413 TALLOC_FREE(conn);
414 return NULL;
415 }
416
417 bool smbXcli_conn_is_connected(struct smbXcli_conn *conn)
418 {
419 if (conn == NULL) {
420 return false;
421 }
422
423 if (conn->read_fd == -1) {
424 return false;
425 }
426
427 return true;
428 }
429
430 enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn)
431 {
432 return conn->protocol;
433 }
434
435 bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
436 {
437 if (conn->protocol >= PROTOCOL_SMB2_02) {
438 return true;
439 }
440
441 if (conn->smb1.capabilities & CAP_UNICODE) {
442 return true;
443 }
444
445 return false;
446 }
447
448 void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
449 {
450 set_socket_options(conn->read_fd, options);
451 }
452
453 const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn)
454 {
455 return &conn->local_ss;
456 }
457
458 const struct sockaddr_storage *smbXcli_conn_remote_sockaddr(struct smbXcli_conn *conn)
459 {
460 return &conn->remote_ss;
461 }
462
463 const char *smbXcli_conn_remote_name(struct smbXcli_conn *conn)
464 {
465 return conn->remote_name;
466 }
467
468 uint16_t smbXcli_conn_max_requests(struct smbXcli_conn *conn)
469 {
470 if (conn->protocol >= PROTOCOL_SMB2_02) {
471 /*
472 * TODO...
473 */
474 return 1;
475 }
476
477 return conn->smb1.server.max_mux;
478 }
479
480 NTTIME smbXcli_conn_server_system_time(struct smbXcli_conn *conn)
481 {
482 if (conn->protocol >= PROTOCOL_SMB2_02) {
483 return conn->smb2.server.system_time;
484 }
485
486 return conn->smb1.server.system_time;
487 }
488
489 const DATA_BLOB *smbXcli_conn_server_gss_blob(struct smbXcli_conn *conn)
490 {
491 if (conn->protocol >= PROTOCOL_SMB2_02) {
492 return &conn->smb2.server.gss_blob;
493 }
494
495 return &conn->smb1.server.gss_blob;
496 }
497
498 const struct GUID *smbXcli_conn_server_guid(struct smbXcli_conn *conn)
499 {
500 if (conn->protocol >= PROTOCOL_SMB2_02) {
501 return &conn->smb2.server.guid;
502 }
503
504 return &conn->smb1.server.guid;
505 }
506
507 struct smbXcli_conn_samba_suicide_state {
508 struct smbXcli_conn *conn;
509 struct iovec iov;
510 uint8_t buf[9];
511 };
512
513 static void smbXcli_conn_samba_suicide_done(struct tevent_req *subreq);
514
515 struct tevent_req *smbXcli_conn_samba_suicide_send(TALLOC_CTX *mem_ctx,
516 struct tevent_context *ev,
517 struct smbXcli_conn *conn,
518 uint8_t exitcode)
519 {
520 struct tevent_req *req, *subreq;
521 struct smbXcli_conn_samba_suicide_state *state;
522
523 req = tevent_req_create(mem_ctx, &state,
524 struct smbXcli_conn_samba_suicide_state);
525 if (req == NULL) {
526 return NULL;
527 }
528 state->conn = conn;
529 SIVAL(state->buf, 4, 0x74697865);
530 SCVAL(state->buf, 8, exitcode);
531 _smb_setlen_nbt(state->buf, sizeof(state->buf)-4);
532
533 state->iov.iov_base = state->buf;
534 state->iov.iov_len = sizeof(state->buf);
535
536 subreq = writev_send(state, ev, conn->outgoing, conn->write_fd,
537 false, &state->iov, 1);
538 if (tevent_req_nomem(subreq, req)) {
539 return tevent_req_post(req, ev);
540 }
541 tevent_req_set_callback(subreq, smbXcli_conn_samba_suicide_done, req);
542 return req;
543 }
544
545 static void smbXcli_conn_samba_suicide_done(struct tevent_req *subreq)
546 {
547 struct tevent_req *req = tevent_req_callback_data(
548 subreq, struct tevent_req);
549 struct smbXcli_conn_samba_suicide_state *state = tevent_req_data(
550 req, struct smbXcli_conn_samba_suicide_state);
551 ssize_t nwritten;
552 int err;
553
554 nwritten = writev_recv(subreq, &err);
555 TALLOC_FREE(subreq);
556 if (nwritten == -1) {
557 NTSTATUS status = map_nt_error_from_unix_common(err);
558 smbXcli_conn_disconnect(state->conn, status);
559 return;
560 }
561 tevent_req_done(req);
562 }
563
564 NTSTATUS smbXcli_conn_samba_suicide_recv(struct tevent_req *req)
565 {
566 return tevent_req_simple_recv_ntstatus(req);
567 }
568
569 NTSTATUS smbXcli_conn_samba_suicide(struct smbXcli_conn *conn,
570 uint8_t exitcode)
571 {
572 TALLOC_CTX *frame = talloc_stackframe();
573 struct tevent_context *ev;
574 struct tevent_req *req;
575 NTSTATUS status = NT_STATUS_NO_MEMORY;
576 bool ok;
577
578 if (smbXcli_conn_has_async_calls(conn)) {
579 /*
580 * Can't use sync call while an async call is in flight
581 */
582 status = NT_STATUS_INVALID_PARAMETER_MIX;
583 goto fail;
584 }
585 ev = samba_tevent_context_init(frame);
586 if (ev == NULL) {
587 goto fail;
588 }
589 req = smbXcli_conn_samba_suicide_send(frame, ev, conn, exitcode);
590 if (req == NULL) {
591 goto fail;
592 }
593 ok = tevent_req_poll_ntstatus(req, ev, &status);
594 if (!ok) {
595 goto fail;
596 }
597 status = smbXcli_conn_samba_suicide_recv(req);
598 fail:
599 TALLOC_FREE(frame);
600 return status;
601 }
602
603 uint32_t smb1cli_conn_capabilities(struct smbXcli_conn *conn)
604 {
605 return conn->smb1.capabilities;
606 }
607
608 uint32_t smb1cli_conn_max_xmit(struct smbXcli_conn *conn)
609 {
610 return conn->smb1.max_xmit;
611 }
612
613 bool smb1cli_conn_req_possible(struct smbXcli_conn *conn)
614 {
615 size_t pending;
616 uint16_t possible = conn->smb1.server.max_mux;
617
618 pending = tevent_queue_length(conn->outgoing);
619 if (pending >= possible) {
620 return false;
621 }
622 pending += talloc_array_length(conn->pending);
623 if (pending >= possible) {
624 return false;
625 }
626
627 return true;
628 }
629
630 uint32_t smb1cli_conn_server_session_key(struct smbXcli_conn *conn)
631 {
632 return conn->smb1.server.session_key;
633 }
634
635 const uint8_t *smb1cli_conn_server_challenge(struct smbXcli_conn *conn)
636 {
637 return conn->smb1.server.challenge;
638 }
639
640 uint16_t smb1cli_conn_server_security_mode(struct smbXcli_conn *conn)
641 {
642 return conn->smb1.server.security_mode;
643 }
644
645 bool smb1cli_conn_server_readbraw(struct smbXcli_conn *conn)
646 {
647 return conn->smb1.server.readbraw;
648 }
649
650 bool smb1cli_conn_server_writebraw(struct smbXcli_conn *conn)
651 {
652 return conn->smb1.server.writebraw;
653 }
654
655 bool smb1cli_conn_server_lockread(struct smbXcli_conn *conn)
656 {
657 return conn->smb1.server.lockread;
658 }
659
660 bool smb1cli_conn_server_writeunlock(struct smbXcli_conn *conn)
661 {
662 return conn->smb1.server.writeunlock;
663 }
664
665 int smb1cli_conn_server_time_zone(struct smbXcli_conn *conn)
666 {
667 return conn->smb1.server.time_zone;
668 }
669
670 bool smb1cli_conn_activate_signing(struct smbXcli_conn *conn,
671 const DATA_BLOB user_session_key,
672 const DATA_BLOB response)
673 {
674 return smb_signing_activate(conn->smb1.signing,
675 user_session_key,
676 response);
677 }
678
679 bool smb1cli_conn_check_signing(struct smbXcli_conn *conn,
680 const uint8_t *buf, uint32_t seqnum)
681 {
682 const uint8_t *hdr = buf + NBT_HDR_SIZE;
683 size_t len = smb_len_nbt(buf);
684
685 return smb_signing_check_pdu(conn->smb1.signing, hdr, len, seqnum);
686 }
687
688 bool smb1cli_conn_signing_is_active(struct smbXcli_conn *conn)
689 {
690 return smb_signing_is_active(conn->smb1.signing);
691 }
692
693 void smb1cli_conn_set_encryption(struct smbXcli_conn *conn,
694 struct smb_trans_enc_state *es)
695 {
696 /* Replace the old state, if any. */
697 if (conn->smb1.trans_enc) {
698 TALLOC_FREE(conn->smb1.trans_enc);
699 }
700 conn->smb1.trans_enc = es;
701 }
702
703 bool smb1cli_conn_encryption_on(struct smbXcli_conn *conn)
704 {
705 return common_encryption_on(conn->smb1.trans_enc);
706 }
707
708
709 static NTSTATUS smb1cli_pull_raw_error(const uint8_t *hdr)
710 {
711 uint32_t flags2 = SVAL(hdr, HDR_FLG2);
712 NTSTATUS status = NT_STATUS(IVAL(hdr, HDR_RCLS));
713
714 if (NT_STATUS_IS_OK(status)) {
715 return NT_STATUS_OK;
716 }
717
718 if (flags2 & FLAGS2_32_BIT_ERROR_CODES) {
719 return status;
720 }
721
722 return NT_STATUS_DOS(CVAL(hdr, HDR_RCLS), SVAL(hdr, HDR_ERR));
723 }
724
725 /**
726 * Is the SMB command able to hold an AND_X successor
727 * @param[in] cmd The SMB command in question
728 * @retval Can we add a chained request after "cmd"?
729 */
730 bool smb1cli_is_andx_req(uint8_t cmd)
731 {
732 switch (cmd) {
733 case SMBtconX:
734 case SMBlockingX:
735 case SMBopenX:
736 case SMBreadX:
737 case SMBwriteX:
738 case SMBsesssetupX:
739 case SMBulogoffX:
740 case SMBntcreateX:
741 return true;
742 break;
743 default:
744 break;
745 }
746
747 return false;
748 }
749
750 static uint16_t smb1cli_alloc_mid(struct smbXcli_conn *conn)
751 {
752 size_t num_pending = talloc_array_length(conn->pending);
753 uint16_t result;
754
755 if (conn->protocol == PROTOCOL_NONE) {
756 /*
757 * This is what windows sends on the SMB1 Negprot request
758 * and some vendors reuse the SMB1 MID as SMB2 sequence number.
759 */
760 return 0;
761 }
762
763 while (true) {
764 size_t i;
765
766 result = conn->smb1.mid++;
767 if ((result == 0) || (result == 0xffff)) {
768 continue;
769 }
770
771 for (i=0; i<num_pending; i++) {
772 if (result == smb1cli_req_mid(conn->pending[i])) {
773 break;
774 }
775 }
776
777 if (i == num_pending) {
778 return result;
779 }
780 }
781 }
782
783 void smbXcli_req_unset_pending(struct tevent_req *req)
784 {
785 struct smbXcli_req_state *state =
786 tevent_req_data(req,
787 struct smbXcli_req_state);
788 struct smbXcli_conn *conn = state->conn;
789 size_t num_pending = talloc_array_length(conn->pending);
790 size_t i;
791
792 if (state->smb1.mid != 0) {
793 /*
794 * This is a [nt]trans[2] request which waits
795 * for more than one reply.
796 */
797 return;
798 }
799
800 tevent_req_set_cleanup_fn(req, NULL);
801
802 if (num_pending == 1) {
803 /*
804 * The pending read_smb tevent_req is a child of
805 * conn->pending. So if nothing is pending anymore, we need to
806 * delete the socket read fde.
807 */
808 TALLOC_FREE(conn->pending);
809 conn->read_smb_req = NULL;
810 return;
811 }
812
813 for (i=0; i<num_pending; i++) {
814 if (req == conn->pending[i]) {
815 break;
816 }
817 }
818 if (i == num_pending) {
819 /*
820 * Something's seriously broken. Just returning here is the
821 * right thing nevertheless, the point of this routine is to
822 * remove ourselves from conn->pending.
823 */
824 return;
825 }
826
827 /*
828 * Remove ourselves from the conn->pending array
829 */
830 for (; i < (num_pending - 1); i++) {
831 conn->pending[i] = conn->pending[i+1];
832 }
833
834 /*
835 * No NULL check here, we're shrinking by sizeof(void *), and
836 * talloc_realloc just adjusts the size for this.
837 */
838 conn->pending = talloc_realloc(NULL, conn->pending, struct tevent_req *,
839 num_pending - 1);
840 return;
841 }
842
843 static void smbXcli_req_cleanup(struct tevent_req *req,
844 enum tevent_req_state req_state)
845 {
846 struct smbXcli_req_state *state =
847 tevent_req_data(req,
848 struct smbXcli_req_state);
849
850 switch (req_state) {
851 case TEVENT_REQ_RECEIVED:
852 /*
853 * Make sure we really remove it from
854 * the pending array on destruction.
855 */
856 state->smb1.mid = 0;
857 smbXcli_req_unset_pending(req);
858 return;
859 default:
860 return;
861 }
862 }
863
864 static bool smb1cli_req_cancel(struct tevent_req *req);
865 static bool smb2cli_req_cancel(struct tevent_req *req);
866
867 static bool smbXcli_req_cancel(struct tevent_req *req)
868 {
869 struct smbXcli_req_state *state =
870 tevent_req_data(req,
871 struct smbXcli_req_state);
872
873 if (!smbXcli_conn_is_connected(state->conn)) {
874 return false;
875 }
876
877 if (state->conn->protocol == PROTOCOL_NONE) {
878 return false;
879 }
880
881 if (state->conn->protocol >= PROTOCOL_SMB2_02) {
882 return smb2cli_req_cancel(req);
883 }
884
885 return smb1cli_req_cancel(req);
886 }
887
888 static bool smbXcli_conn_receive_next(struct smbXcli_conn *conn);
889
890 bool smbXcli_req_set_pending(struct tevent_req *req)
891 {
892 struct smbXcli_req_state *state =
893 tevent_req_data(req,
894 struct smbXcli_req_state);
895 struct smbXcli_conn *conn;
896 struct tevent_req **pending;
897 size_t num_pending;
898
899 conn = state->conn;
900
901 if (!smbXcli_conn_is_connected(conn)) {
902 return false;
903 }
904
905 num_pending = talloc_array_length(conn->pending);
906
907 pending = talloc_realloc(conn, conn->pending, struct tevent_req *,
908 num_pending+1);
909 if (pending == NULL) {
910 return false;
911 }
912 pending[num_pending] = req;
913 conn->pending = pending;
914 tevent_req_set_cleanup_fn(req, smbXcli_req_cleanup);
915 tevent_req_set_cancel_fn(req, smbXcli_req_cancel);
916
917 if (!smbXcli_conn_receive_next(conn)) {
918 /*
919 * the caller should notify the current request
920 *
921 * And all other pending requests get notified
922 * by smbXcli_conn_disconnect().
923 */
924 smbXcli_req_unset_pending(req);
925 smbXcli_conn_disconnect(conn, NT_STATUS_NO_MEMORY);
926 return false;
927 }
928
929 return true;
930 }
931
932 static void smbXcli_conn_received(struct tevent_req *subreq);
933
934 static bool smbXcli_conn_receive_next(struct smbXcli_conn *conn)
935 {
936 size_t num_pending = talloc_array_length(conn->pending);
937 struct tevent_req *req;
938 struct smbXcli_req_state *state;
939
940 if (conn->read_smb_req != NULL) {
941 return true;
942 }
943
944 if (num_pending == 0) {
945 if (conn->smb2.mid < UINT64_MAX) {
946 /* no more pending requests, so we are done for now */
947 return true;
948 }
949
950 /*
951 * If there are no more SMB2 requests possible,
952 * because we are out of message ids,
953 * we need to disconnect.
954 */
955 smbXcli_conn_disconnect(conn, NT_STATUS_CONNECTION_ABORTED);
956 return true;
957 }
958
959 req = conn->pending[0];
960 state = tevent_req_data(req, struct smbXcli_req_state);
961
962 /*
963 * We're the first ones, add the read_smb request that waits for the
964 * answer from the server
965 */
966 conn->read_smb_req = read_smb_send(conn->pending,
967 state->ev,
968 conn->read_fd);
969 if (conn->read_smb_req == NULL) {
970 return false;
971 }
972 tevent_req_set_callback(conn->read_smb_req, smbXcli_conn_received, conn);
973 return true;
974 }
975
976 void smbXcli_conn_disconnect(struct smbXcli_conn *conn, NTSTATUS status)
977 {
978 struct smbXcli_session *session;
979
980 tevent_queue_stop(conn->outgoing);
981
982 if (conn->read_fd != -1) {
983 close(conn->read_fd);
984 }
985 if (conn->write_fd != -1) {
986 close(conn->write_fd);
987 }
988 conn->read_fd = -1;
989 conn->write_fd = -1;
990
991 session = conn->sessions;
992 if (talloc_array_length(conn->pending) == 0) {
993 /*
994 * if we do not have pending requests
995 * there is no need to update the channel_sequence
996 */
997 session = NULL;
998 }
999 for (; session; session = session->next) {
1000 smb2cli_session_increment_channel_sequence(session);
1001 }
1002
1003 /*
1004 * Cancel all pending requests. We do not do a for-loop walking
1005 * conn->pending because that array changes in
1006 * smbXcli_req_unset_pending.
1007 */
1008 while (talloc_array_length(conn->pending) > 0) {
1009 struct tevent_req *req;
1010 struct smbXcli_req_state *state;
1011 struct tevent_req **chain;
1012 size_t num_chained;
1013 size_t i;
1014
1015 req = conn->pending[0];
1016 state = tevent_req_data(req, struct smbXcli_req_state);
1017
1018 if (state->smb1.chained_requests == NULL) {
1019 /*
1020 * We're dead. No point waiting for trans2
1021 * replies.
1022 */
1023 state->smb1.mid = 0;
1024
1025 smbXcli_req_unset_pending(req);
1026
1027 if (NT_STATUS_IS_OK(status)) {
1028 /* do not notify the callers */
1029 continue;
1030 }
1031
1032 /*
1033 * we need to defer the callback, because we may notify
1034 * more then one caller.
1035 */
1036 tevent_req_defer_callback(req, state->ev);
1037 tevent_req_nterror(req, status);
1038 continue;
1039 }
1040
1041 chain = talloc_move(conn, &state->smb1.chained_requests);
1042 num_chained = talloc_array_length(chain);
1043
1044 for (i=0; i<num_chained; i++) {
1045 req = chain[i];
1046 state = tevent_req_data(req, struct smbXcli_req_state);
1047
1048 /*
1049 * We're dead. No point waiting for trans2
1050 * replies.
1051 */
1052 state->smb1.mid = 0;
1053
1054 smbXcli_req_unset_pending(req);
1055
1056 if (NT_STATUS_IS_OK(status)) {
1057 /* do not notify the callers */
1058 continue;
1059 }
1060
1061 /*
1062 * we need to defer the callback, because we may notify
1063 * more than one caller.
1064 */
1065 tevent_req_defer_callback(req, state->ev);
1066 tevent_req_nterror(req, status);
1067 }
1068 TALLOC_FREE(chain);
1069 }
1070 }
1071
1072 /*
1073 * Fetch a smb request's mid. Only valid after the request has been sent by
1074 * smb1cli_req_send().
1075 */
1076 uint16_t smb1cli_req_mid(struct tevent_req *req)
1077 {
1078 struct smbXcli_req_state *state =
1079 tevent_req_data(req,
1080 struct smbXcli_req_state);
1081
1082 if (state->smb1.mid != 0) {
1083 return state->smb1.mid;
1084 }
1085
1086 return SVAL(state->smb1.hdr, HDR_MID);
1087 }
1088
1089 void smb1cli_req_set_mid(struct tevent_req *req, uint16_t mid)
1090 {
1091 struct smbXcli_req_state *state =
1092 tevent_req_data(req,
1093 struct smbXcli_req_state);
1094
1095 state->smb1.mid = mid;
1096 }
1097
1098 uint32_t smb1cli_req_seqnum(struct tevent_req *req)
1099 {
1100 struct smbXcli_req_state *state =
1101 tevent_req_data(req,
1102 struct smbXcli_req_state);
1103
1104 return state->smb1.seqnum;
1105 }
1106
1107 void smb1cli_req_set_seqnum(struct tevent_req *req, uint32_t seqnum)
1108 {
1109 struct smbXcli_req_state *state =
1110 tevent_req_data(req,
1111 struct smbXcli_req_state);
1112
1113 state->smb1.seqnum = seqnum;
1114 }
1115
1116 static size_t smbXcli_iov_len(const struct iovec *iov, int count)
1117 {
1118 ssize_t ret = iov_buflen(iov, count);
1119
1120 /* Ignore the overflow case for now ... */
1121 return ret;
1122 }
1123
1124 static uint8_t *smbXcli_iov_concat(TALLOC_CTX *mem_ctx,
1125 const struct iovec *iov,
1126 int count)
1127 {
1128 ssize_t buflen;
1129 uint8_t *buf;
1130
1131 buflen = iov_buflen(iov, count);
1132 if (buflen == -1) {
1133 return NULL;
1134 }
1135
1136 buf = talloc_array(mem_ctx, uint8_t, buflen);
1137 if (buf == NULL) {
1138 return NULL;
1139 }
1140
1141 iov_buf(iov, count, buf, buflen);
1142
1143 return buf;
1144 }
1145
1146 static void smb1cli_req_flags(enum protocol_types protocol,
1147 uint32_t smb1_capabilities,
1148 uint8_t smb_command,
1149 uint8_t additional_flags,
1150 uint8_t clear_flags,
1151 uint8_t *_flags,
1152 uint16_t additional_flags2,
1153 uint16_t clear_flags2,
1154 uint16_t *_flags2)
1155 {
1156 uint8_t flags = 0;
1157 uint16_t flags2 = 0;
1158
1159 if (protocol >= PROTOCOL_LANMAN1) {
1160 flags |= FLAG_CASELESS_PATHNAMES;
1161 flags |= FLAG_CANONICAL_PATHNAMES;
1162 }
1163
1164 if (protocol >= PROTOCOL_LANMAN2) {
1165 flags2 |= FLAGS2_LONG_PATH_COMPONENTS;
1166 flags2 |= FLAGS2_EXTENDED_ATTRIBUTES;
1167 }
1168
1169 if (protocol >= PROTOCOL_NT1) {
1170 flags2 |= FLAGS2_IS_LONG_NAME;
1171
1172 if (smb1_capabilities & CAP_UNICODE) {
1173 flags2 |= FLAGS2_UNICODE_STRINGS;
1174 }
1175 if (smb1_capabilities & CAP_STATUS32) {
1176 flags2 |= FLAGS2_32_BIT_ERROR_CODES;
1177 }
1178 if (smb1_capabilities & CAP_EXTENDED_SECURITY) {
1179 flags2 |= FLAGS2_EXTENDED_SECURITY;
1180 }
1181 }
1182
1183 flags |= additional_flags;
1184 flags &= ~clear_flags;
1185 flags2 |= additional_flags2;
1186 flags2 &= ~clear_flags2;
1187
1188 *_flags = flags;
1189 *_flags2 = flags2;
1190 }
1191
1192 static void smb1cli_req_cancel_done(struct tevent_req *subreq);
1193
1194 static bool smb1cli_req_cancel(struct tevent_req *req)
1195 {
1196 struct smbXcli_req_state *state =
1197 tevent_req_data(req,
1198 struct smbXcli_req_state);
1199 uint8_t flags;
1200 uint16_t flags2;
1201 uint32_t pid;
1202 uint16_t mid;
1203 struct tevent_req *subreq;
1204 NTSTATUS status;
1205
1206 flags = CVAL(state->smb1.hdr, HDR_FLG);
1207 flags2 = SVAL(state->smb1.hdr, HDR_FLG2);
1208 pid = SVAL(state->smb1.hdr, HDR_PID);
1209 pid |= SVAL(state->smb1.hdr, HDR_PIDHIGH)<<16;
1210 mid = SVAL(state->smb1.hdr, HDR_MID);
1211
1212 subreq = smb1cli_req_create(state, state->ev,
1213 state->conn,
1214 SMBntcancel,
1215 flags, 0,
1216 flags2, 0,
1217 0, /* timeout */
1218 pid,
1219 state->tcon,
1220 state->session,
1221 0, NULL, /* vwv */
1222 0, NULL); /* bytes */
1223 if (subreq == NULL) {
1224 return false;
1225 }
1226 smb1cli_req_set_mid(subreq, mid);
1227
1228 status = smb1cli_req_chain_submit(&subreq, 1);
1229 if (!NT_STATUS_IS_OK(status)) {
1230 TALLOC_FREE(subreq);
1231 return false;
1232 }
1233 smb1cli_req_set_mid(subreq, 0);
1234
1235 tevent_req_set_callback(subreq, smb1cli_req_cancel_done, NULL);
1236
1237 return true;
1238 }
1239
1240 static void smb1cli_req_cancel_done(struct tevent_req *subreq)
1241 {
1242 /* we do not care about the result */
1243 TALLOC_FREE(subreq);
1244 }
1245
1246 struct tevent_req *smb1cli_req_create(TALLOC_CTX *mem_ctx,
1247 struct tevent_context *ev,
1248 struct smbXcli_conn *conn,
1249 uint8_t smb_command,
1250 uint8_t additional_flags,
1251 uint8_t clear_flags,
1252 uint16_t additional_flags2,
1253 uint16_t clear_flags2,
1254 uint32_t timeout_msec,
1255 uint32_t pid,
1256 struct smbXcli_tcon *tcon,
1257 struct smbXcli_session *session,
1258 uint8_t wct, uint16_t *vwv,
1259 int iov_count,
1260 struct iovec *bytes_iov)
1261 {
1262 struct tevent_req *req;
1263 struct smbXcli_req_state *state;
1264 uint8_t flags = 0;
1265 uint16_t flags2 = 0;
1266 uint16_t uid = 0;
1267 uint16_t tid = 0;
1268 ssize_t num_bytes;
1269
1270 if (iov_count > MAX_SMB_IOV) {
1271 /*
1272 * Should not happen :-)
1273 */
1274 return NULL;
1275 }
1276
1277 req = tevent_req_create(mem_ctx, &state,
1278 struct smbXcli_req_state);
1279 if (req == NULL) {
1280 return NULL;
1281 }
1282 state->ev = ev;
1283 state->conn = conn;
1284 state->session = session;
1285 state->tcon = tcon;
1286
1287 if (session) {
1288 uid = session->smb1.session_id;
1289 }
1290
1291 if (tcon) {
1292 tid = tcon->smb1.tcon_id;
1293
1294 if (tcon->fs_attributes & FILE_CASE_SENSITIVE_SEARCH) {
1295 clear_flags |= FLAG_CASELESS_PATHNAMES;
1296 } else {
1297 /* Default setting, case insensitive. */
1298 additional_flags |= FLAG_CASELESS_PATHNAMES;
1299 }
1300
1301 if (smbXcli_conn_dfs_supported(conn) &&
1302 smbXcli_tcon_is_dfs_share(tcon))
1303 {
1304 additional_flags2 |= FLAGS2_DFS_PATHNAMES;
1305 }
1306 }
1307
1308 state->smb1.recv_cmd = 0xFF;
1309 state->smb1.recv_status = NT_STATUS_INTERNAL_ERROR;
1310 state->smb1.recv_iov = talloc_zero_array(state, struct iovec, 3);
1311 if (state->smb1.recv_iov == NULL) {
1312 TALLOC_FREE(req);
1313 return NULL;
1314 }
1315
1316 smb1cli_req_flags(conn->protocol,
1317 conn->smb1.capabilities,
1318 smb_command,
1319 additional_flags,
1320 clear_flags,
1321 &flags,
1322 additional_flags2,
1323 clear_flags2,
1324 &flags2);
1325
1326 SIVAL(state->smb1.hdr, 0, SMB_MAGIC);
1327 SCVAL(state->smb1.hdr, HDR_COM, smb_command);
1328 SIVAL(state->smb1.hdr, HDR_RCLS, NT_STATUS_V(NT_STATUS_OK));
1329 SCVAL(state->smb1.hdr, HDR_FLG, flags);
1330 SSVAL(state->smb1.hdr, HDR_FLG2, flags2);
1331 SSVAL(state->smb1.hdr, HDR_PIDHIGH, pid >> 16);
1332 SSVAL(state->smb1.hdr, HDR_TID, tid);
1333 SSVAL(state->smb1.hdr, HDR_PID, pid);
1334 SSVAL(state->smb1.hdr, HDR_UID, uid);
1335 SSVAL(state->smb1.hdr, HDR_MID, 0); /* this comes later */
1336 SCVAL(state->smb1.hdr, HDR_WCT, wct);
1337
1338 state->smb1.vwv = vwv;
1339
1340 num_bytes = iov_buflen(bytes_iov, iov_count);
1341 if (num_bytes == -1) {
1342 /*
1343 * I'd love to add a check for num_bytes<=UINT16_MAX here, but
1344 * the smbclient->samba connections can lie and transfer more.
1345 */
1346 TALLOC_FREE(req);
1347 return NULL;
1348 }
1349
1350 SSVAL(state->smb1.bytecount_buf, 0, num_bytes);
1351
1352 state->smb1.iov[0].iov_base = (void *)state->length_hdr;
1353 state->smb1.iov[0].iov_len = sizeof(state->length_hdr);
1354 state->smb1.iov[1].iov_base = (void *)state->smb1.hdr;
1355 state->smb1.iov[1].iov_len = sizeof(state->smb1.hdr);
1356 state->smb1.iov[2].iov_base = (void *)state->smb1.vwv;
1357 state->smb1.iov[2].iov_len = wct * sizeof(uint16_t);
1358 state->smb1.iov[3].iov_base = (void *)state->smb1.bytecount_buf;
1359 state->smb1.iov[3].iov_len = sizeof(uint16_t);
1360
1361 if (iov_count != 0) {
1362 memcpy(&state->smb1.iov[4], bytes_iov,
1363 iov_count * sizeof(*bytes_iov));
1364 }
1365 state->smb1.iov_count = iov_count + 4;
1366
1367 if (timeout_msec > 0) {
1368 struct timeval endtime;
1369
1370 endtime = timeval_current_ofs_msec(timeout_msec);
1371 if (!tevent_req_set_endtime(req, ev, endtime)) {
1372 return req;
1373 }
1374 }
1375
1376 switch (smb_command) {
1377 case SMBtranss:
1378 case SMBtranss2:
1379 case SMBnttranss:
1380 state->one_way = true;
1381 break;
1382 case SMBntcancel:
1383 state->one_way = true;
1384 state->smb1.one_way_seqnum = true;
1385 break;
1386 case SMBlockingX:
1387 if ((wct == 8) &&
1388 (CVAL(vwv+3, 0) == LOCKING_ANDX_OPLOCK_RELEASE)) {
1389 state->one_way = true;
1390 }
1391 break;
1392 }
1393
1394 return req;
1395 }
1396
1397 static NTSTATUS smb1cli_conn_signv(struct smbXcli_conn *conn,
1398 struct iovec *iov, int iov_count,
1399 uint32_t *seqnum,
1400 bool one_way_seqnum)
1401 {
1402 TALLOC_CTX *frame = NULL;
1403 uint8_t *buf;
1404
1405 /*
1406 * Obvious optimization: Make cli_calculate_sign_mac work with struct
1407 * iovec directly. MD5Update would do that just fine.
1408 */
1409
1410 if (iov_count < 4) {
1411 return NT_STATUS_INVALID_PARAMETER_MIX;
1412 }
1413 if (iov[0].iov_len != NBT_HDR_SIZE) {
1414 return NT_STATUS_INVALID_PARAMETER_MIX;
1415 }
1416 if (iov[1].iov_len != (MIN_SMB_SIZE-sizeof(uint16_t))) {
1417 return NT_STATUS_INVALID_PARAMETER_MIX;
1418 }
1419 if (iov[2].iov_len > (0xFF * sizeof(uint16_t))) {
1420 return NT_STATUS_INVALID_PARAMETER_MIX;
1421 }
1422 if (iov[3].iov_len != sizeof(uint16_t)) {
1423 return NT_STATUS_INVALID_PARAMETER_MIX;
1424 }
1425
1426 frame = talloc_stackframe();
1427
1428 buf = smbXcli_iov_concat(frame, &iov[1], iov_count - 1);
1429 if (buf == NULL) {
1430 return NT_STATUS_NO_MEMORY;
1431 }
1432
1433 *seqnum = smb_signing_next_seqnum(conn->smb1.signing,
1434 one_way_seqnum);
1435 smb_signing_sign_pdu(conn->smb1.signing,
1436 buf, talloc_get_size(buf),
1437 *seqnum);
1438 memcpy(iov[1].iov_base, buf, iov[1].iov_len);
1439
1440 TALLOC_FREE(frame);
1441 return NT_STATUS_OK;
1442 }
1443
1444 static void smb1cli_req_writev_done(struct tevent_req *subreq);
1445 static NTSTATUS smb1cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
1446 TALLOC_CTX *tmp_mem,
1447 uint8_t *inbuf);
1448
1449 static NTSTATUS smb1cli_req_writev_submit(struct tevent_req *req,
1450 struct smbXcli_req_state *state,
1451 struct iovec *iov, int iov_count)
1452 {
1453 struct tevent_req *subreq;
1454 NTSTATUS status;
1455 uint8_t cmd;
1456 uint16_t mid;
1457 ssize_t nbtlen;
1458
1459 if (!smbXcli_conn_is_connected(state->conn)) {
1460 return NT_STATUS_CONNECTION_DISCONNECTED;
1461 }
1462
1463 if (state->conn->protocol > PROTOCOL_NT1) {
1464 return NT_STATUS_REVISION_MISMATCH;
1465 }
1466
1467 if (iov_count < 4) {
1468 return NT_STATUS_INVALID_PARAMETER_MIX;
1469 }
1470 if (iov[0].iov_len != NBT_HDR_SIZE) {
1471 return NT_STATUS_INVALID_PARAMETER_MIX;
1472 }
1473 if (iov[1].iov_len != (MIN_SMB_SIZE-sizeof(uint16_t))) {
1474 return NT_STATUS_INVALID_PARAMETER_MIX;
1475 }
1476 if (iov[2].iov_len > (0xFF * sizeof(uint16_t))) {
1477 return NT_STATUS_INVALID_PARAMETER_MIX;
1478 }
1479 if (iov[3].iov_len != sizeof(uint16_t)) {
1480 return NT_STATUS_INVALID_PARAMETER_MIX;
1481 }
1482
1483 cmd = CVAL(iov[1].iov_base, HDR_COM);
1484 if (cmd == SMBreadBraw) {
1485 if (smbXcli_conn_has_async_calls(state->conn)) {
1486 return NT_STATUS_INVALID_PARAMETER_MIX;
1487 }
1488 state->conn->smb1.read_braw_req = req;
1489 }
1490
1491 if (state->smb1.mid != 0) {
1492 mid = state->smb1.mid;
1493 } else {
1494 mid = smb1cli_alloc_mid(state->conn);
1495 }
1496 SSVAL(iov[1].iov_base, HDR_MID, mid);
1497
1498 nbtlen = iov_buflen(&iov[1], iov_count-1);
1499 if ((nbtlen == -1) || (nbtlen > 0x1FFFF)) {
1500 return NT_STATUS_INVALID_PARAMETER_MIX;
1501 }
1502
1503 _smb_setlen_nbt(iov[0].iov_base, nbtlen);
1504
1505 status = smb1cli_conn_signv(state->conn, iov, iov_count,
1506 &state->smb1.seqnum,
1507 state->smb1.one_way_seqnum);
1508
1509 if (!NT_STATUS_IS_OK(status)) {
1510 return status;
1511 }
1512
1513 /*
1514 * If we supported multiple encrytion contexts
1515 * here we'd look up based on tid.
1516 */
1517 if (common_encryption_on(state->conn->smb1.trans_enc)) {
1518 char *buf, *enc_buf;
1519
1520 buf = (char *)smbXcli_iov_concat(talloc_tos(), iov, iov_count);
1521 if (buf == NULL) {
1522 return NT_STATUS_NO_MEMORY;
1523 }
1524 status = common_encrypt_buffer(state->conn->smb1.trans_enc,
1525 (char *)buf, &enc_buf);
1526 TALLOC_FREE(buf);
1527 if (!NT_STATUS_IS_OK(status)) {
1528 DEBUG(0, ("Error in encrypting client message: %s\n",
1529 nt_errstr(status)));
1530 return status;
1531 }
1532 buf = (char *)talloc_memdup(state, enc_buf,
1533 smb_len_nbt(enc_buf)+4);
1534 SAFE_FREE(enc_buf);
1535 if (buf == NULL) {
1536 return NT_STATUS_NO_MEMORY;
1537 }
1538 iov[0].iov_base = (void *)buf;
1539 iov[0].iov_len = talloc_get_size(buf);
1540 iov_count = 1;
1541 }
1542
1543 if (state->conn->dispatch_incoming == NULL) {
1544 state->conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
1545 }
1546
1547 tevent_req_set_cancel_fn(req, smbXcli_req_cancel);
1548
1549 subreq = writev_send(state, state->ev, state->conn->outgoing,
1550 state->conn->write_fd, false, iov, iov_count);
1551 if (subreq == NULL) {
1552 return NT_STATUS_NO_MEMORY;
1553 }
1554 tevent_req_set_callback(subreq, smb1cli_req_writev_done, req);
1555 return NT_STATUS_OK;
1556 }
1557
1558 struct tevent_req *smb1cli_req_send(TALLOC_CTX *mem_ctx,
1559 struct tevent_context *ev,
1560 struct smbXcli_conn *conn,
1561 uint8_t smb_command,
1562 uint8_t additional_flags,
1563 uint8_t clear_flags,
1564 uint16_t additional_flags2,
1565 uint16_t clear_flags2,
1566 uint32_t timeout_msec,
1567 uint32_t pid,
1568 struct smbXcli_tcon *tcon,
1569 struct smbXcli_session *session,
1570 uint8_t wct, uint16_t *vwv,
1571 uint32_t num_bytes,
1572 const uint8_t *bytes)
1573 {
1574 struct tevent_req *req;
1575 struct iovec iov;
1576 NTSTATUS status;
1577
1578 iov.iov_base = discard_const_p(void, bytes);
1579 iov.iov_len = num_bytes;
1580
1581 req = smb1cli_req_create(mem_ctx, ev, conn, smb_command,
1582 additional_flags, clear_flags,
1583 additional_flags2, clear_flags2,
1584 timeout_msec,
1585 pid, tcon, session,
1586 wct, vwv, 1, &iov);
1587 if (req == NULL) {
1588 return NULL;
1589 }
1590 if (!tevent_req_is_in_progress(req)) {
1591 return tevent_req_post(req, ev);
1592 }
1593 status = smb1cli_req_chain_submit(&req, 1);
1594 if (tevent_req_nterror(req, status)) {
1595 return tevent_req_post(req, ev);
1596 }
1597 return req;
1598 }
1599
1600 static void smb1cli_req_writev_done(struct tevent_req *subreq)
1601 {
1602 struct tevent_req *req =
1603 tevent_req_callback_data(subreq,
1604 struct tevent_req);
1605 struct smbXcli_req_state *state =
1606 tevent_req_data(req,
1607 struct smbXcli_req_state);
1608 ssize_t nwritten;
1609 int err;
1610
1611 nwritten = writev_recv(subreq, &err);
1612 TALLOC_FREE(subreq);
1613 if (nwritten == -1) {
1614 NTSTATUS status = map_nt_error_from_unix_common(err);
1615 smbXcli_conn_disconnect(state->conn, status);
1616 return;
1617 }
1618
1619 if (state->one_way) {
1620 state->inbuf = NULL;
1621 tevent_req_done(req);
1622 return;
1623 }
1624
1625 if (!smbXcli_req_set_pending(req)) {
1626 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
1627 return;
1628 }
1629 }
1630
1631 static void smbXcli_conn_received(struct tevent_req *subreq)
1632 {
1633 struct smbXcli_conn *conn =
1634 tevent_req_callback_data(subreq,
1635 struct smbXcli_conn);
1636 TALLOC_CTX *frame = talloc_stackframe();
1637 NTSTATUS status;
1638 uint8_t *inbuf;
1639 ssize_t received;
1640 int err;
1641
1642 if (subreq != conn->read_smb_req) {
1643 DEBUG(1, ("Internal error: cli_smb_received called with "
1644 "unexpected subreq\n"));
1645 smbXcli_conn_disconnect(conn, NT_STATUS_INTERNAL_ERROR);
1646 TALLOC_FREE(frame);
1647 return;
1648 }
1649 conn->read_smb_req = NULL;
1650
1651 received = read_smb_recv(subreq, frame, &inbuf, &err);
1652 TALLOC_FREE(subreq);
1653 if (received == -1) {
1654 status = map_nt_error_from_unix_common(err);
1655 smbXcli_conn_disconnect(conn, status);
1656 TALLOC_FREE(frame);
1657 return;
1658 }
1659
1660 status = conn->dispatch_incoming(conn, frame, inbuf);
1661 TALLOC_FREE(frame);
1662 if (NT_STATUS_IS_OK(status)) {
1663 /*
1664 * We should not do any more processing
1665 * as the dispatch function called
1666 * tevent_req_done().
1667 */
1668 return;
1669 }
1670
1671 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
1672 /*
1673 * We got an error, so notify all pending requests
1674 */
1675 smbXcli_conn_disconnect(conn, status);
1676 return;
1677 }
1678
1679 /*
1680 * We got NT_STATUS_RETRY, so we may ask for a
1681 * next incoming pdu.
1682 */
1683 if (!smbXcli_conn_receive_next(conn)) {
1684 smbXcli_conn_disconnect(conn, NT_STATUS_NO_MEMORY);
1685 }
1686 }
1687
1688 static NTSTATUS smb1cli_inbuf_parse_chain(uint8_t *buf, TALLOC_CTX *mem_ctx,
1689 struct iovec **piov, int *pnum_iov)
1690 {
1691 struct iovec *iov;
1692 int num_iov;
1693 size_t buflen;
1694 size_t taken;
1695 size_t remaining;
1696 uint8_t *hdr;
1697 uint8_t cmd;
1698 uint32_t wct_ofs;
1699 NTSTATUS status;
1700 size_t min_size = MIN_SMB_SIZE;
1701
1702 buflen = smb_len_tcp(buf);
1703 taken = 0;
1704
1705 hdr = buf + NBT_HDR_SIZE;
1706
1707 status = smb1cli_pull_raw_error(hdr);
1708 if (NT_STATUS_IS_ERR(status)) {
1709 /*
1710 * This is an ugly hack to support OS/2
1711 * which skips the byte_count in the DATA block
1712 * on some error responses.
1713 *
1714 * See bug #9096
1715 */
1716 min_size -= sizeof(uint16_t);
1717 }
1718
1719 if (buflen < min_size) {
1720 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1721 }
1722
1723 /*
1724 * This returns iovec elements in the following order:
1725 *
1726 * - SMB header
1727 *
1728 * - Parameter Block
1729 * - Data Block
1730 *
1731 * - Parameter Block
1732 * - Data Block
1733 *
1734 * - Parameter Block
1735 * - Data Block
1736 */
1737 num_iov = 1;
1738
1739 iov = talloc_array(mem_ctx, struct iovec, num_iov);
1740 if (iov == NULL) {
1741 return NT_STATUS_NO_MEMORY;
1742 }
1743 iov[0].iov_base = hdr;
1744 iov[0].iov_len = HDR_WCT;
1745 taken += HDR_WCT;
1746
1747 cmd = CVAL(hdr, HDR_COM);
1748 wct_ofs = HDR_WCT;
1749
1750 while (true) {
1751 size_t len = buflen - taken;
1752 struct iovec *cur;
1753 struct iovec *iov_tmp;
1754 uint8_t wct;
1755 uint32_t bcc_ofs;
1756 uint16_t bcc;
1757 size_t needed;
1758
1759 /*
1760 * we need at least WCT
1761 */
1762 needed = sizeof(uint8_t);
1763 if (len < needed) {
1764 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1765 __location__, (int)len, (int)needed));
1766 goto inval;
1767 }
1768
1769 /*
1770 * Now we check if the specified words are there
1771 */
1772 wct = CVAL(hdr, wct_ofs);
1773 needed += wct * sizeof(uint16_t);
1774 if (len < needed) {
1775 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1776 __location__, (int)len, (int)needed));
1777 goto inval;
1778 }
1779
1780 if ((num_iov == 1) &&
1781 (len == needed) &&
1782 NT_STATUS_IS_ERR(status))
1783 {
1784 /*
1785 * This is an ugly hack to support OS/2
1786 * which skips the byte_count in the DATA block
1787 * on some error responses.
1788 *
1789 * See bug #9096
1790 */
1791 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
1792 num_iov + 2);
1793 if (iov_tmp == NULL) {
1794 TALLOC_FREE(iov);
1795 return NT_STATUS_NO_MEMORY;
1796 }
1797 iov = iov_tmp;
1798 cur = &iov[num_iov];
1799 num_iov += 2;
1800
1801 cur[0].iov_len = 0;
1802 cur[0].iov_base = hdr + (wct_ofs + sizeof(uint8_t));
1803 cur[1].iov_len = 0;
1804 cur[1].iov_base = cur[0].iov_base;
1805
1806 taken += needed;
1807 break;
1808 }
1809
1810 /*
1811 * we need at least BCC
1812 */
1813 needed += sizeof(uint16_t);
1814 if (len < needed) {
1815 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1816 __location__, (int)len, (int)needed));
1817 goto inval;
1818 }
1819
1820 /*
1821 * Now we check if the specified bytes are there
1822 */
1823 bcc_ofs = wct_ofs + sizeof(uint8_t) + wct * sizeof(uint16_t);
1824 bcc = SVAL(hdr, bcc_ofs);
1825 needed += bcc * sizeof(uint8_t);
1826 if (len < needed) {
1827 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1828 __location__, (int)len, (int)needed));
1829 goto inval;
1830 }
1831
1832 /*
1833 * we allocate 2 iovec structures for words and bytes
1834 */
1835 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
1836 num_iov + 2);
1837 if (iov_tmp == NULL) {
1838 TALLOC_FREE(iov);
1839 return NT_STATUS_NO_MEMORY;
1840 }
1841 iov = iov_tmp;
1842 cur = &iov[num_iov];
1843 num_iov += 2;
1844
1845 cur[0].iov_len = wct * sizeof(uint16_t);
1846 cur[0].iov_base = hdr + (wct_ofs + sizeof(uint8_t));
1847 cur[1].iov_len = bcc * sizeof(uint8_t);
1848 cur[1].iov_base = hdr + (bcc_ofs + sizeof(uint16_t));
1849
1850 taken += needed;
1851
1852 if (!smb1cli_is_andx_req(cmd)) {
1853 /*
1854 * If the current command does not have AndX chanining
1855 * we are done.
1856 */
1857 break;
1858 }
1859
1860 if (wct == 0 && bcc == 0) {
1861 /*
1862 * An empty response also ends the chain,
1863 * most likely with an error.
1864 */
1865 break;
1866 }
1867
1868 if (wct < 2) {
1869 DEBUG(10, ("%s: wct[%d] < 2 for cmd[0x%02X]\n",
1870 __location__, (int)wct, (int)cmd));
1871 goto inval;
1872 }
1873 cmd = CVAL(cur[0].iov_base, 0);
1874 if (cmd == 0xFF) {
1875 /*
1876 * If it is the end of the chain we are also done.
1877 */
1878 break;
1879 }
1880 wct_ofs = SVAL(cur[0].iov_base, 2);
1881
1882 if (wct_ofs < taken) {
1883 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1884 }
1885 if (wct_ofs > buflen) {
1886 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1887 }
1888
1889 /*
1890 * we consumed everything up to the start of the next
1891 * parameter block.
1892 */
1893 taken = wct_ofs;
1894 }
1895
1896 remaining = buflen - taken;
1897
1898 if (remaining > 0 && num_iov >= 3) {
1899 /*
1900 * The last DATA block gets the remaining
1901 * bytes, this is needed to support
1902 * CAP_LARGE_WRITEX and CAP_LARGE_READX.
1903 */
1904 iov[num_iov-1].iov_len += remaining;
1905 }
1906
1907 *piov = iov;
1908 *pnum_iov = num_iov;
1909 return NT_STATUS_OK;
1910
1911 inval:
1912 TALLOC_FREE(iov);
1913 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1914 }
1915
1916 static NTSTATUS smb1cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
1917 TALLOC_CTX *tmp_mem,
1918 uint8_t *inbuf)
1919 {
1920 struct tevent_req *req;
1921 struct smbXcli_req_state *state;
1922 NTSTATUS status;
1923 size_t num_pending;
1924 size_t i;
1925 uint8_t cmd;
1926 uint16_t mid;
1927 bool oplock_break;
1928 uint8_t *inhdr = inbuf + NBT_HDR_SIZE;
1929 size_t len = smb_len_tcp(inbuf);
1930 struct iovec *iov = NULL;
1931 int num_iov = 0;
1932 struct tevent_req **chain = NULL;
1933 size_t num_chained = 0;
1934 size_t num_responses = 0;
1935
1936 if (conn->smb1.read_braw_req != NULL) {
1937 req = conn->smb1.read_braw_req;
1938 conn->smb1.read_braw_req = NULL;
1939 state = tevent_req_data(req, struct smbXcli_req_state);
1940
1941 smbXcli_req_unset_pending(req);
1942
1943 if (state->smb1.recv_iov == NULL) {
1944 /*
1945 * For requests with more than
1946 * one response, we have to readd the
1947 * recv_iov array.
1948 */
1949 state->smb1.recv_iov = talloc_zero_array(state,
1950 struct iovec,
1951 3);
1952 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
1953 return NT_STATUS_OK;
1954 }
1955 }
1956
1957 state->smb1.recv_iov[0].iov_base = (void *)(inhdr);
1958 state->smb1.recv_iov[0].iov_len = len;
1959 ZERO_STRUCT(state->smb1.recv_iov[1]);
1960 ZERO_STRUCT(state->smb1.recv_iov[2]);
1961
1962 state->smb1.recv_cmd = SMBreadBraw;
1963 state->smb1.recv_status = NT_STATUS_OK;
1964 state->inbuf = talloc_move(state->smb1.recv_iov, &inbuf);
1965
1966 tevent_req_done(req);
1967 return NT_STATUS_OK;
1968 }
1969
1970 if ((IVAL(inhdr, 0) != SMB_MAGIC) /* 0xFF"SMB" */
1971 && (SVAL(inhdr, 0) != 0x45ff)) /* 0xFF"E" */ {
1972 DEBUG(10, ("Got non-SMB PDU\n"));
1973 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1974 }
1975
1976 /*
1977 * If we supported multiple encrytion contexts
1978 * here we'd look up based on tid.
1979 */
1980 if (common_encryption_on(conn->smb1.trans_enc)
1981 && (CVAL(inbuf, 0) == 0)) {
1982 uint16_t enc_ctx_num;
1983
1984 status = get_enc_ctx_num(inbuf, &enc_ctx_num);
1985 if (!NT_STATUS_IS_OK(status)) {
1986 DEBUG(10, ("get_enc_ctx_num returned %s\n",
1987 nt_errstr(status)));
1988 return status;
1989 }
1990
1991 if (enc_ctx_num != conn->smb1.trans_enc->enc_ctx_num) {
1992 DEBUG(10, ("wrong enc_ctx %d, expected %d\n",
1993 enc_ctx_num,
1994 conn->smb1.trans_enc->enc_ctx_num));
1995 return NT_STATUS_INVALID_HANDLE;
1996 }
1997
1998 status = common_decrypt_buffer(conn->smb1.trans_enc,
1999 (char *)inbuf);
2000 if (!NT_STATUS_IS_OK(status)) {
2001 DEBUG(10, ("common_decrypt_buffer returned %s\n",
2002 nt_errstr(status)));
2003 return status;
2004 }
2005 inhdr = inbuf + NBT_HDR_SIZE;
2006 len = smb_len_nbt(inbuf);
2007 }
2008
2009 mid = SVAL(inhdr, HDR_MID);
2010 num_pending = talloc_array_length(conn->pending);
2011
2012 for (i=0; i<num_pending; i++) {
2013 if (mid == smb1cli_req_mid(conn->pending[i])) {
2014 break;
2015 }
2016 }
2017 if (i == num_pending) {
2018 /* Dump unexpected reply */
2019 return NT_STATUS_RETRY;
2020 }
2021
2022 oplock_break = false;
2023
2024 if (mid == 0xffff) {
2025 /*
2026 * Paranoia checks that this is really an oplock break request.
2027 */
2028 oplock_break = (len == 51); /* hdr + 8 words */
2029 oplock_break &= ((CVAL(inhdr, HDR_FLG) & FLAG_REPLY) == 0);
2030 oplock_break &= (CVAL(inhdr, HDR_COM) == SMBlockingX);
2031 oplock_break &= (SVAL(inhdr, HDR_VWV+VWV(6)) == 0);
2032 oplock_break &= (SVAL(inhdr, HDR_VWV+VWV(7)) == 0);
2033
2034 if (!oplock_break) {
2035 /* Dump unexpected reply */
2036 return NT_STATUS_RETRY;
2037 }
2038 }
2039
2040 req = conn->pending[i];
2041 state = tevent_req_data(req, struct smbXcli_req_state);
2042
2043 if (!oplock_break /* oplock breaks are not signed */
2044 && !smb_signing_check_pdu(conn->smb1.signing,
2045 inhdr, len, state->smb1.seqnum+1)) {
2046 DEBUG(10, ("cli_check_sign_mac failed\n"));
2047 return NT_STATUS_ACCESS_DENIED;
2048 }
2049
2050 status = smb1cli_inbuf_parse_chain(inbuf, tmp_mem,
2051 &iov, &num_iov);
2052 if (!NT_STATUS_IS_OK(status)) {
2053 DEBUG(10,("smb1cli_inbuf_parse_chain - %s\n",
2054 nt_errstr(status)));
2055 return status;
2056 }
2057
2058 cmd = CVAL(inhdr, HDR_COM);
2059 status = smb1cli_pull_raw_error(inhdr);
2060
2061 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
2062 (state->session != NULL) && state->session->disconnect_expired)
2063 {
2064 /*
2065 * this should be a short term hack
2066 * until the upper layers have implemented
2067 * re-authentication.
2068 */
2069 return status;
2070 }
2071
2072 if (state->smb1.chained_requests == NULL) {
2073 if (num_iov != 3) {
2074 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2075 }
2076
2077 smbXcli_req_unset_pending(req);
2078
2079 if (state->smb1.recv_iov == NULL) {
2080 /*
2081 * For requests with more than
2082 * one response, we have to readd the
2083 * recv_iov array.
2084 */
2085 state->smb1.recv_iov = talloc_zero_array(state,
2086 struct iovec,
2087 3);
2088 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2089 return NT_STATUS_OK;
2090 }
2091 }
2092
2093 state->smb1.recv_cmd = cmd;
2094 state->smb1.recv_status = status;
2095 state->inbuf = talloc_move(state->smb1.recv_iov, &inbuf);
2096
2097 state->smb1.recv_iov[0] = iov[0];
2098 state->smb1.recv_iov[1] = iov[1];
2099 state->smb1.recv_iov[2] = iov[2];
2100
2101 if (talloc_array_length(conn->pending) == 0) {
2102 tevent_req_done(req);
2103 return NT_STATUS_OK;
2104 }
2105
2106 tevent_req_defer_callback(req, state->ev);
2107 tevent_req_done(req);
2108 return NT_STATUS_RETRY;
2109 }
2110
2111 chain = talloc_move(tmp_mem, &state->smb1.chained_requests);
2112 num_chained = talloc_array_length(chain);
2113 num_responses = (num_iov - 1)/2;
2114
2115 if (num_responses > num_chained) {
2116 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2117 }
2118
2119 for (i=0; i<num_chained; i++) {
2120 size_t iov_idx = 1 + (i*2);
2121 struct iovec *cur = &iov[iov_idx];
2122 uint8_t *inbuf_ref;
2123
2124 req = chain[i];
2125 state = tevent_req_data(req, struct smbXcli_req_state);
2126
2127 smbXcli_req_unset_pending(req);
2128
2129 /*
2130 * as we finish multiple requests here
2131 * we need to defer the callbacks as
2132 * they could destroy our current stack state.
2133 */
2134 tevent_req_defer_callback(req, state->ev);
2135
2136 if (i >= num_responses) {
2137 tevent_req_nterror(req, NT_STATUS_REQUEST_ABORTED);
2138 continue;
2139 }
2140
2141 if (state->smb1.recv_iov == NULL) {
2142 /*
2143 * For requests with more than
2144 * one response, we have to readd the
2145 * recv_iov array.
2146 */
2147 state->smb1.recv_iov = talloc_zero_array(state,
2148 struct iovec,
2149 3);
2150 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2151 continue;
2152 }
2153 }
2154
2155 state->smb1.recv_cmd = cmd;
2156
2157 if (i == (num_responses - 1)) {
2158 /*
2159 * The last request in the chain gets the status
2160 */
2161 state->smb1.recv_status = status;
2162 } else {
2163 cmd = CVAL(cur[0].iov_base, 0);
2164 state->smb1.recv_status = NT_STATUS_OK;
2165 }
2166
2167 state->inbuf = inbuf;
2168
2169 /*
2170 * Note: here we use talloc_reference() in a way
2171 * that does not expose it to the caller.
2172 */
2173 inbuf_ref = talloc_reference(state->smb1.recv_iov, inbuf);
2174 if (tevent_req_nomem(inbuf_ref, req)) {
2175 continue;
2176 }
2177
2178 /* copy the related buffers */
2179 state->smb1.recv_iov[0] = iov[0];
2180 state->smb1.recv_iov[1] = cur[0];
2181 state->smb1.recv_iov[2] = cur[1];
2182
2183 tevent_req_done(req);
2184 }
2185
2186 return NT_STATUS_RETRY;
2187 }
2188
2189 NTSTATUS smb1cli_req_recv(struct tevent_req *req,
2190 TALLOC_CTX *mem_ctx,
2191 struct iovec **piov,
2192 uint8_t **phdr,
2193 uint8_t *pwct,
2194 uint16_t **pvwv,
2195 uint32_t *pvwv_offset,
2196 uint32_t *pnum_bytes,
2197 uint8_t **pbytes,
2198 uint32_t *pbytes_offset,
2199 uint8_t **pinbuf,
2200 const struct smb1cli_req_expected_response *expected,
2201 size_t num_expected)
2202 {
2203 struct smbXcli_req_state *state =
2204 tevent_req_data(req,
2205 struct smbXcli_req_state);
2206 NTSTATUS status = NT_STATUS_OK;
2207 struct iovec *recv_iov = NULL;
2208 uint8_t *hdr = NULL;
2209 uint8_t wct = 0;
2210 uint32_t vwv_offset = 0;
2211 uint16_t *vwv = NULL;
2212 uint32_t num_bytes = 0;
2213 uint32_t bytes_offset = 0;
2214 uint8_t *bytes = NULL;
2215 size_t i;
2216 bool found_status = false;
2217 bool found_size = false;
2218
2219 if (piov != NULL) {
2220 *piov = NULL;
2221 }
2222 if (phdr != NULL) {
2223 *phdr = 0;
2224 }
2225 if (pwct != NULL) {
2226 *pwct = 0;
2227 }
2228 if (pvwv != NULL) {
2229 *pvwv = NULL;
2230 }
2231 if (pvwv_offset != NULL) {
2232 *pvwv_offset = 0;
2233 }
2234 if (pnum_bytes != NULL) {
2235 *pnum_bytes = 0;
2236 }
2237 if (pbytes != NULL) {
2238 *pbytes = NULL;
2239 }
2240 if (pbytes_offset != NULL) {
2241 *pbytes_offset = 0;
2242 }
2243 if (pinbuf != NULL) {
2244 *pinbuf = NULL;
2245 }
2246
2247 if (state->inbuf != NULL) {
2248 recv_iov = state->smb1.recv_iov;
2249 state->smb1.recv_iov = NULL;
2250 if (state->smb1.recv_cmd != SMBreadBraw) {
2251 hdr = (uint8_t *)recv_iov[0].iov_base;
2252 wct = recv_iov[1].iov_len/2;
2253 vwv = (uint16_t *)recv_iov[1].iov_base;
2254 vwv_offset = PTR_DIFF(vwv, hdr);
2255 num_bytes = recv_iov[2].iov_len;
2256 bytes = (uint8_t *)recv_iov[2].iov_base;
2257 bytes_offset = PTR_DIFF(bytes, hdr);
2258 }
2259 }
2260
2261 if (tevent_req_is_nterror(req, &status)) {
2262 for (i=0; i < num_expected; i++) {
2263 if (NT_STATUS_EQUAL(status, expected[i].status)) {
2264 found_status = true;
2265 break;
2266 }
2267 }
2268
2269 if (found_status) {
2270 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
2271 }
2272
2273 return status;
2274 }
2275
2276 if (num_expected == 0) {
2277 found_status = true;
2278 found_size = true;
2279 }
2280
2281 status = state->smb1.recv_status;
2282
2283 for (i=0; i < num_expected; i++) {
2284 if (!NT_STATUS_EQUAL(status, expected[i].status)) {
2285 continue;
2286 }
2287
2288 found_status = true;
2289 if (expected[i].wct == 0) {
2290 found_size = true;
2291 break;
2292 }
2293
2294 if (expected[i].wct == wct) {
2295 found_size = true;
2296 break;
2297 }
2298 }
2299
2300 if (!found_status) {
2301 return status;
2302 }
2303
2304 if (!found_size) {
2305 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2306 }
2307
2308 if (piov != NULL) {
2309 *piov = talloc_move(mem_ctx, &recv_iov);
2310 }
2311
2312 if (phdr != NULL) {
2313 *phdr = hdr;
2314 }
2315 if (pwct != NULL) {
2316 *pwct = wct;
2317 }
2318 if (pvwv != NULL) {
2319 *pvwv = vwv;
2320 }
2321 if (pvwv_offset != NULL) {
2322 *pvwv_offset = vwv_offset;
2323 }
2324 if (pnum_bytes != NULL) {
2325 *pnum_bytes = num_bytes;
2326 }
2327 if (pbytes != NULL) {
2328 *pbytes = bytes;
2329 }
2330 if (pbytes_offset != NULL) {
2331 *pbytes_offset = bytes_offset;
2332 }
2333 if (pinbuf != NULL) {
2334 *pinbuf = state->inbuf;
2335 }
2336
2337 return status;
2338 }
2339
2340 size_t smb1cli_req_wct_ofs(struct tevent_req **reqs, int num_reqs)
2341 {
2342 size_t wct_ofs;
2343 int i;
2344
2345 wct_ofs = HDR_WCT;
2346
2347 for (i=0; i<num_reqs; i++) {
2348 struct smbXcli_req_state *state;
2349 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2350 wct_ofs += smbXcli_iov_len(state->smb1.iov+2,
2351 state->smb1.iov_count-2);
2352 wct_ofs = (wct_ofs + 3) & ~3;
2353 }
2354 return wct_ofs;
2355 }
2356
2357 NTSTATUS smb1cli_req_chain_submit(struct tevent_req **reqs, int num_reqs)
2358 {
2359 struct smbXcli_req_state *first_state =
2360 tevent_req_data(reqs[0],
2361 struct smbXcli_req_state);
2362 struct smbXcli_req_state *state;
2363 size_t wct_offset;
2364 size_t chain_padding = 0;
2365 int i, iovlen;
2366 struct iovec *iov = NULL;
2367 struct iovec *this_iov;
2368 NTSTATUS status;
2369 ssize_t nbt_len;
2370
2371 if (num_reqs == 1) {
2372 return smb1cli_req_writev_submit(reqs[0], first_state,
2373 first_state->smb1.iov,
2374 first_state->smb1.iov_count);
2375 }
2376
2377 iovlen = 0;
2378 for (i=0; i<num_reqs; i++) {
2379 if (!tevent_req_is_in_progress(reqs[i])) {
2380 return NT_STATUS_INTERNAL_ERROR;
2381 }
2382
2383 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2384
2385 if (state->smb1.iov_count < 4) {
2386 return NT_STATUS_INVALID_PARAMETER_MIX;
2387 }
2388
2389 if (i == 0) {
2390 /*
2391 * The NBT and SMB header
2392 */
2393 iovlen += 2;
2394 } else {
2395 /*
2396 * Chain padding
2397 */
2398 iovlen += 1;
2399 }
2400
2401 /*
2402 * words and bytes
2403 */
2404 iovlen += state->smb1.iov_count - 2;
2405 }
2406
2407 iov = talloc_zero_array(first_state, struct iovec, iovlen);
2408 if (iov == NULL) {
2409 return NT_STATUS_NO_MEMORY;
2410 }
2411
2412 first_state->smb1.chained_requests = (struct tevent_req **)talloc_memdup(
2413 first_state, reqs, sizeof(*reqs) * num_reqs);
2414 if (first_state->smb1.chained_requests == NULL) {
2415 TALLOC_FREE(iov);
2416 return NT_STATUS_NO_MEMORY;
2417 }
2418
2419 wct_offset = HDR_WCT;
2420 this_iov = iov;
2421
2422 for (i=0; i<num_reqs; i++) {
2423 size_t next_padding = 0;
2424 uint16_t *vwv;
2425
2426 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2427
2428 if (i < num_reqs-1) {
2429 if (!smb1cli_is_andx_req(CVAL(state->smb1.hdr, HDR_COM))
2430 || CVAL(state->smb1.hdr, HDR_WCT) < 2) {
2431 TALLOC_FREE(iov);
2432 TALLOC_FREE(first_state->smb1.chained_requests);
2433 return NT_STATUS_INVALID_PARAMETER_MIX;
2434 }
2435 }
2436
2437 wct_offset += smbXcli_iov_len(state->smb1.iov+2,
2438 state->smb1.iov_count-2) + 1;
2439 if ((wct_offset % 4) != 0) {
2440 next_padding = 4 - (wct_offset % 4);
2441 }
2442 wct_offset += next_padding;
2443 vwv = state->smb1.vwv;
2444
2445 if (i < num_reqs-1) {
2446 struct smbXcli_req_state *next_state =
2447 tevent_req_data(reqs[i+1],
2448 struct smbXcli_req_state);
2449 SCVAL(vwv+0, 0, CVAL(next_state->smb1.hdr, HDR_COM));
2450 SCVAL(vwv+0, 1, 0);
2451 SSVAL(vwv+1, 0, wct_offset);
2452 } else if (smb1cli_is_andx_req(CVAL(state->smb1.hdr, HDR_COM))) {
2453 /* properly end the chain */
2454 SCVAL(vwv+0, 0, 0xff);
2455 SCVAL(vwv+0, 1, 0xff);
2456 SSVAL(vwv+1, 0, 0);
2457 }
2458
2459 if (i == 0) {
2460 /*
2461 * The NBT and SMB header
2462 */
2463 this_iov[0] = state->smb1.iov[0];
2464 this_iov[1] = state->smb1.iov[1];
2465 this_iov += 2;
2466 } else {
2467 /*
2468 * This one is a bit subtle. We have to add
2469 * chain_padding bytes between the requests, and we
2470 * have to also include the wct field of the
2471 * subsequent requests. We use the subsequent header
2472 * for the padding, it contains the wct field in its
2473 * last byte.
2474 */
2475 this_iov[0].iov_len = chain_padding+1;
2476 this_iov[0].iov_base = (void *)&state->smb1.hdr[
2477 sizeof(state->smb1.hdr) - this_iov[0].iov_len];
2478 memset(this_iov[0].iov_base, 0, this_iov[0].iov_len-1);
2479 this_iov += 1;
2480 }
2481
2482 /*
2483 * copy the words and bytes
2484 */
2485 memcpy(this_iov, state->smb1.iov+2,
2486 sizeof(struct iovec) * (state->smb1.iov_count-2));
2487 this_iov += state->smb1.iov_count - 2;
2488 chain_padding = next_padding;
2489 }
2490
2491 nbt_len = iov_buflen(&iov[1], iovlen-1);
2492 if ((nbt_len == -1) || (nbt_len > first_state->conn->smb1.max_xmit)) {
2493 TALLOC_FREE(iov);
2494 TALLOC_FREE(first_state->smb1.chained_requests);
2495 return NT_STATUS_INVALID_PARAMETER_MIX;
2496 }
2497
2498 status = smb1cli_req_writev_submit(reqs[0], first_state, iov, iovlen);
2499 if (!NT_STATUS_IS_OK(status)) {
2500 TALLOC_FREE(iov);
2501 TALLOC_FREE(first_state->smb1.chained_requests);
2502 return status;
2503 }
2504
2505 return NT_STATUS_OK;
2506 }
2507
2508 bool smbXcli_conn_has_async_calls(struct smbXcli_conn *conn)
2509 {
2510 return ((tevent_queue_length(conn->outgoing) != 0)
2511 || (talloc_array_length(conn->pending) != 0));
2512 }
2513
2514 bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn)
2515 {
2516 if (conn->protocol >= PROTOCOL_SMB2_02) {
2517 return (smb2cli_conn_server_capabilities(conn) & SMB2_CAP_DFS);
2518 }
2519
2520 return (smb1cli_conn_capabilities(conn) & CAP_DFS);
2521 }
2522
2523 bool smb2cli_conn_req_possible(struct smbXcli_conn *conn, uint32_t *max_dyn_len)
2524 {
2525 uint16_t credits = 1;
2526
2527 if (conn->smb2.cur_credits == 0) {
2528 if (max_dyn_len != NULL) {
2529 *max_dyn_len = 0;
2530 }
2531 return false;
2532 }
2533
2534 if (conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
2535 credits = conn->smb2.cur_credits;
2536 }
2537
2538 if (max_dyn_len != NULL) {
2539 *max_dyn_len = credits * 65536;
2540 }
2541
2542 return true;
2543 }
2544
2545 uint32_t smb2cli_conn_server_capabilities(struct smbXcli_conn *conn)
2546 {
2547 return conn->smb2.server.capabilities;
2548 }
2549
2550 uint16_t smb2cli_conn_server_security_mode(struct smbXcli_conn *conn)
2551 {
2552 return conn->smb2.server.security_mode;
2553 }
2554
2555 uint32_t smb2cli_conn_max_trans_size(struct smbXcli_conn *conn)
2556 {
2557 return conn->smb2.server.max_trans_size;
2558 }
2559
2560 uint32_t smb2cli_conn_max_read_size(struct smbXcli_conn *conn)
2561 {
2562 return conn->smb2.server.max_read_size;
2563 }
2564
2565 uint32_t smb2cli_conn_max_write_size(struct smbXcli_conn *conn)
2566 {
2567 return conn->smb2.server.max_write_size;
2568 }
2569
2570 void smb2cli_conn_set_max_credits(struct smbXcli_conn *conn,
2571 uint16_t max_credits)
2572 {
2573 conn->smb2.max_credits = max_credits;
2574 }
2575
2576 static void smb2cli_req_cancel_done(struct tevent_req *subreq);
2577
2578 static bool smb2cli_req_cancel(struct tevent_req *req)
2579 {
2580 struct smbXcli_req_state *state =
2581 tevent_req_data(req,
2582 struct smbXcli_req_state);
2583 uint32_t flags = IVAL(state->smb2.hdr, SMB2_HDR_FLAGS);
2584 uint64_t mid = BVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID);
2585 uint64_t aid = BVAL(state->smb2.hdr, SMB2_HDR_ASYNC_ID);
2586 struct smbXcli_tcon *tcon = state->tcon;
2587 struct smbXcli_session *session = state->session;
2588 uint8_t *fixed = state->smb2.pad;
2589 uint16_t fixed_len = 4;
2590 struct tevent_req *subreq;
2591 struct smbXcli_req_state *substate;
2592 NTSTATUS status;
2593
2594 SSVAL(fixed, 0, 0x04);
2595 SSVAL(fixed, 2, 0);
2596
2597 subreq = smb2cli_req_create(state, state->ev,
2598 state->conn,
2599 SMB2_OP_CANCEL,
2600 flags, 0,
2601 0, /* timeout */
2602 tcon, session,
2603 fixed, fixed_len,
2604 NULL, 0, 0);
2605 if (subreq == NULL) {
2606 return false;
2607 }
2608 substate = tevent_req_data(subreq, struct smbXcli_req_state);
2609
2610 /*
2611 * clear everything but the SMB2_HDR_FLAG_ASYNC flag
2612 * e.g. if SMB2_HDR_FLAG_CHAINED is set we get INVALID_PARAMETER back
2613 */
2614 flags &= SMB2_HDR_FLAG_ASYNC;
2615
2616 if (flags & SMB2_HDR_FLAG_ASYNC) {
2617 mid = 0;
2618 }
2619
2620 SIVAL(substate->smb2.hdr, SMB2_HDR_FLAGS, flags);
2621 SBVAL(substate->smb2.hdr, SMB2_HDR_MESSAGE_ID, mid);
2622 SBVAL(substate->smb2.hdr, SMB2_HDR_ASYNC_ID, aid);
2623
2624 status = smb2cli_req_compound_submit(&subreq, 1);
2625 if (!NT_STATUS_IS_OK(status)) {
2626 TALLOC_FREE(subreq);
2627 return false;
2628 }
2629
2630 tevent_req_set_callback(subreq, smb2cli_req_cancel_done, NULL);
2631
2632 return true;
2633 }
2634
2635 static void smb2cli_req_cancel_done(struct tevent_req *subreq)
2636 {
2637 /* we do not care about the result */
2638 TALLOC_FREE(subreq);
2639 }
2640
2641 struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
2642 struct tevent_context *ev,
2643 struct smbXcli_conn *conn,
2644 uint16_t cmd,
2645 uint32_t additional_flags,
2646 uint32_t clear_flags,
2647 uint32_t timeout_msec,
2648 struct smbXcli_tcon *tcon,
2649 struct smbXcli_session *session,
2650 const uint8_t *fixed,
2651 uint16_t fixed_len,
2652 const uint8_t *dyn,
2653 uint32_t dyn_len,
2654 uint32_t max_dyn_len)
2655 {
2656 struct tevent_req *req;
2657 struct smbXcli_req_state *state;
2658 uint32_t flags = 0;
2659 uint32_t tid = 0;
2660 uint64_t uid = 0;
2661 bool use_channel_sequence = false;
2662 uint16_t channel_sequence = 0;
2663 bool use_replay_flag = false;
2664
2665 req = tevent_req_create(mem_ctx, &state,
2666 struct smbXcli_req_state);
2667 if (req == NULL) {
2668 return NULL;
2669 }
2670
2671 state->ev = ev;
2672 state->conn = conn;
2673 state->session = session;
2674 state->tcon = tcon;
2675
2676 if (conn->smb2.server.capabilities & SMB2_CAP_PERSISTENT_HANDLES) {
2677 use_channel_sequence = true;
2678 } else if (conn->smb2.server.capabilities & SMB2_CAP_MULTI_CHANNEL) {
2679 use_channel_sequence = true;
2680 }
2681
2682 if (smbXcli_conn_protocol(conn) >= PROTOCOL_SMB3_00) {
2683 use_replay_flag = true;
2684 }
2685
2686 if (session) {
2687 uid = session->smb2->session_id;
2688
2689 if (use_channel_sequence) {
2690 channel_sequence = session->smb2->channel_sequence;
2691 }
2692
2693 if (use_replay_flag && session->smb2->replay_active) {
2694 additional_flags |= SMB2_HDR_FLAG_REPLAY_OPERATION;
2695 }
2696
2697 state->smb2.should_sign = session->smb2->should_sign;
2698 state->smb2.should_encrypt = session->smb2->should_encrypt;
2699
2700 if (cmd == SMB2_OP_SESSSETUP &&
2701 session->smb2_channel.signing_key.length == 0 &&
2702 session->smb2->signing_key.length != 0)
2703 {
2704 /*
2705 * a session bind needs to be signed
2706 */
2707 state->smb2.should_sign = true;
2708 }
2709
2710 if (cmd == SMB2_OP_SESSSETUP &&
2711 session->smb2_channel.signing_key.length == 0) {
2712 state->smb2.should_encrypt = false;
2713 }
2714
2715 if (additional_flags & SMB2_HDR_FLAG_SIGNED) {
2716 if (session->smb2_channel.signing_key.length == 0) {
2717 tevent_req_nterror(req, NT_STATUS_NO_USER_SESSION_KEY);
2718 return req;
2719 }
2720
2721 additional_flags &= ~SMB2_HDR_FLAG_SIGNED;
2722 state->smb2.should_sign = true;
2723 }
2724 }
2725
2726 if (tcon) {
2727 tid = tcon->smb2.tcon_id;
2728
2729 if (tcon->smb2.should_sign) {
2730 state->smb2.should_sign = true;
2731 }
2732 if (tcon->smb2.should_encrypt) {
2733 state->smb2.should_encrypt = true;
2734 }
2735 }
2736
2737 if (state->smb2.should_encrypt) {
2738 state->smb2.should_sign = false;
2739 }
2740
2741 state->smb2.recv_iov = talloc_zero_array(state, struct iovec, 3);
2742 if (state->smb2.recv_iov == NULL) {
2743 TALLOC_FREE(req);
2744 return NULL;
2745 }
2746
2747 flags |= additional_flags;
2748 flags &= ~clear_flags;
2749
2750 state->smb2.fixed = fixed;
2751 state->smb2.fixed_len = fixed_len;
2752 state->smb2.dyn = dyn;
2753 state->smb2.dyn_len = dyn_len;
2754 state->smb2.max_dyn_len = max_dyn_len;
2755
2756 if (state->smb2.should_encrypt) {
2757 SIVAL(state->smb2.transform, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
2758 SBVAL(state->smb2.transform, SMB2_TF_SESSION_ID, uid);
2759 }
2760
2761 SIVAL(state->smb2.hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
2762 SSVAL(state->smb2.hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
2763 SSVAL(state->smb2.hdr, SMB2_HDR_OPCODE, cmd);
2764 SSVAL(state->smb2.hdr, SMB2_HDR_CHANNEL_SEQUENCE, channel_sequence);
2765 SIVAL(state->smb2.hdr, SMB2_HDR_FLAGS, flags);
2766 SIVAL(state->smb2.hdr, SMB2_HDR_PID, 0); /* reserved */
2767 SIVAL(state->smb2.hdr, SMB2_HDR_TID, tid);
2768 SBVAL(state->smb2.hdr, SMB2_HDR_SESSION_ID, uid);
2769
2770 switch (cmd) {
2771 case SMB2_OP_CANCEL:
2772 state->one_way = true;
2773 break;
2774 case SMB2_OP_BREAK:
2775 /*
2776 * If this is a dummy request, it will have
2777 * UINT64_MAX as message id.
2778 * If we send on break acknowledgement,
2779 * this gets overwritten later.
2780 */
2781 SBVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID, UINT64_MAX);
2782 break;
2783 }
2784
2785 if (timeout_msec > 0) {
2786 struct timeval endtime;
2787
2788 endtime = timeval_current_ofs_msec(timeout_msec);
2789 if (!tevent_req_set_endtime(req, ev, endtime)) {
2790 return req;
2791 }
2792 }
2793
2794 return req;
2795 }
2796
2797 void smb2cli_req_set_notify_async(struct tevent_req *req)
2798 {
2799 struct smbXcli_req_state *state =
2800 tevent_req_data(req,
2801 struct smbXcli_req_state);
2802
2803 state->smb2.notify_async = true;
2804 }
2805
2806 static void smb2cli_req_writev_done(struct tevent_req *subreq);
2807 static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
2808 TALLOC_CTX *tmp_mem,
2809 uint8_t *inbuf);
2810
2811 NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs,
2812 int num_reqs)
2813 {
2814 struct smbXcli_req_state *state;
2815 struct tevent_req *subreq;
2816 struct iovec *iov;
2817 int i, num_iov, nbt_len;
2818 int tf_iov = -1;
2819 const DATA_BLOB *encryption_key = NULL;
2820 uint64_t encryption_session_id = 0;
2821
2822 /*
2823 * 1 for the nbt length, optional TRANSFORM
2824 * per request: HDR, fixed, dyn, padding
2825 * -1 because the last one does not need padding
2826 */
2827
2828 iov = talloc_array(reqs[0], struct iovec, 1 + 1 + 4*num_reqs - 1);
2829 if (iov == NULL) {
2830 return NT_STATUS_NO_MEMORY;
2831 }
2832
2833 num_iov = 1;
2834 nbt_len = 0;
2835
2836 /*
2837 * the session of the first request that requires encryption
2838 * specifies the encryption key.
2839 */
2840 for (i=0; i<num_reqs; i++) {
2841 if (!tevent_req_is_in_progress(reqs[i])) {
2842 return NT_STATUS_INTERNAL_ERROR;
2843 }
2844
2845 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2846
2847 if (!smbXcli_conn_is_connected(state->conn)) {
2848 return NT_STATUS_CONNECTION_DISCONNECTED;
2849 }
2850
2851 if ((state->conn->protocol != PROTOCOL_NONE) &&
2852 (state->conn->protocol < PROTOCOL_SMB2_02)) {
2853 return NT_STATUS_REVISION_MISMATCH;
2854 }
2855
2856 if (state->session == NULL) {
2857 continue;
2858 }
2859
2860 if (!state->smb2.should_encrypt) {
2861 continue;
2862 }
2863
2864 encryption_key = &state->session->smb2->encryption_key;
2865 if (encryption_key->length == 0) {
2866 return NT_STATUS_INVALID_PARAMETER_MIX;
2867 }
2868
2869 encryption_session_id = state->session->smb2->session_id;
2870
2871 tf_iov = num_iov;
2872 iov[num_iov].iov_base = state->smb2.transform;
2873 iov[num_iov].iov_len = sizeof(state->smb2.transform);
2874 num_iov += 1;
2875
2876 SBVAL(state->smb2.transform, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
2877 SBVAL(state->smb2.transform, SMB2_TF_NONCE,
2878 state->session->smb2->nonce_low);
2879 SBVAL(state->smb2.transform, SMB2_TF_NONCE+8,
2880 state->session->smb2->nonce_high);
2881 SBVAL(state->smb2.transform, SMB2_TF_SESSION_ID,
2882 encryption_session_id);
2883
2884 state->session->smb2->nonce_low += 1;
2885 if (state->session->smb2->nonce_low == 0) {
2886 state->session->smb2->nonce_high += 1;
2887 state->session->smb2->nonce_low += 1;
2888 }
2889
2890 nbt_len += SMB2_TF_HDR_SIZE;
2891 break;
2892 }
2893
2894 for (i=0; i<num_reqs; i++) {
2895 int hdr_iov;
2896 size_t reqlen;
2897 bool ret;
2898 uint16_t opcode;
2899 uint64_t avail;
2900 uint16_t charge;
2901 uint16_t credits;
2902 uint64_t mid;
2903 const DATA_BLOB *signing_key = NULL;
2904
2905 if (!tevent_req_is_in_progress(reqs[i])) {
2906 return NT_STATUS_INTERNAL_ERROR;
2907 }
2908
2909 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2910
2911 if (!smbXcli_conn_is_connected(state->conn)) {
2912 return NT_STATUS_CONNECTION_DISCONNECTED;
2913 }
2914
2915 if ((state->conn->protocol != PROTOCOL_NONE) &&
2916 (state->conn->protocol < PROTOCOL_SMB2_02)) {
2917 return NT_STATUS_REVISION_MISMATCH;
2918 }
2919
2920 opcode = SVAL(state->smb2.hdr, SMB2_HDR_OPCODE);
2921 if (opcode == SMB2_OP_CANCEL) {
2922 goto skip_credits;
2923 }
2924
2925 avail = UINT64_MAX - state->conn->smb2.mid;
2926 if (avail < 1) {
2927 return NT_STATUS_CONNECTION_ABORTED;
2928 }
2929
2930 if (state->conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
2931 uint32_t max_dyn_len = 1;
2932
2933 max_dyn_len = MAX(max_dyn_len, state->smb2.dyn_len);
2934 max_dyn_len = MAX(max_dyn_len, state->smb2.max_dyn_len);
2935
2936 charge = (max_dyn_len - 1)/ 65536 + 1;
2937 } else {
2938 charge = 1;
2939 }
2940
2941 charge = MAX(state->smb2.credit_charge, charge);
2942
2943 avail = MIN(avail, state->conn->smb2.cur_credits);
2944 if (avail < charge) {
2945 return NT_STATUS_INTERNAL_ERROR;
2946 }
2947
2948 credits = 0;
2949 if (state->conn->smb2.max_credits > state->conn->smb2.cur_credits) {
2950 credits = state->conn->smb2.max_credits -
2951 state->conn->smb2.cur_credits;
2952 }
2953 if (state->conn->smb2.max_credits >= state->conn->smb2.cur_credits) {
2954 credits += 1;
2955 }
2956
2957 mid = state->conn->smb2.mid;
2958 state->conn->smb2.mid += charge;
2959 state->conn->smb2.cur_credits -= charge;
2960
2961 if (state->conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
2962 SSVAL(state->smb2.hdr, SMB2_HDR_CREDIT_CHARGE, charge);
2963 }
2964 SSVAL(state->smb2.hdr, SMB2_HDR_CREDIT, credits);
2965 SBVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID, mid);
2966
2967 skip_credits:
2968 if (state->session && encryption_key == NULL) {
2969 /*
2970 * We prefer the channel signing key if it is
2971 * already there.
2972 */
2973 if (state->smb2.should_sign) {
2974 signing_key = &state->session->smb2_channel.signing_key;
2975 }
2976
2977 /*
2978 * If it is a channel binding, we already have the main
2979 * signing key and try that one.
2980 */
2981 if (signing_key && signing_key->length == 0) {
2982 signing_key = &state->session->smb2->signing_key;
2983 }
2984
2985 /*
2986 * If we do not have any session key yet, we skip the
2987 * signing of SMB2_OP_SESSSETUP requests.
2988 */
2989 if (signing_key && signing_key->length == 0) {
2990 signing_key = NULL;
2991 }
2992 }
2993
2994 hdr_iov = num_iov;
2995 iov[num_iov].iov_base = state->smb2.hdr;
2996 iov[num_iov].iov_len = sizeof(state->smb2.hdr);
2997 num_iov += 1;
2998
2999 iov[num_iov].iov_base = discard_const(state->smb2.fixed);
3000 iov[num_iov].iov_len = state->smb2.fixed_len;
3001 num_iov += 1;
3002
3003 if (state->smb2.dyn != NULL) {
3004 iov[num_iov].iov_base = discard_const(state->smb2.dyn);
3005 iov[num_iov].iov_len = state->smb2.dyn_len;
3006 num_iov += 1;
3007 }
3008
3009 reqlen = sizeof(state->smb2.hdr);
3010 reqlen += state->smb2.fixed_len;
3011 reqlen += state->smb2.dyn_len;
3012
3013 if (i < num_reqs-1) {
3014 if ((reqlen % 8) > 0) {
3015 uint8_t pad = 8 - (reqlen % 8);
3016 iov[num_iov].iov_base = state->smb2.pad;
3017 iov[num_iov].iov_len = pad;
3018 num_iov += 1;
3019 reqlen += pad;
3020 }
3021 SIVAL(state->smb2.hdr, SMB2_HDR_NEXT_COMMAND, reqlen);
3022 }
3023
3024 state->smb2.encryption_session_id = encryption_session_id;
3025
3026 if (signing_key != NULL) {
3027 NTSTATUS status;
3028
3029 status = smb2_signing_sign_pdu(*signing_key,
3030 state->session->conn->protocol,
3031 &iov[hdr_iov], num_iov - hdr_iov);
3032 if (!NT_STATUS_IS_OK(status)) {
3033 return status;
3034 }
3035 }
3036
3037 nbt_len += reqlen;
3038
3039 ret = smbXcli_req_set_pending(reqs[i]);
3040 if (!ret) {
3041 return NT_STATUS_NO_MEMORY;
3042 }
3043 }
3044
3045 state = tevent_req_data(reqs[0], struct smbXcli_req_state);
3046 _smb_setlen_tcp(state->length_hdr, nbt_len);
3047 iov[0].iov_base = state->length_hdr;
3048 iov[0].iov_len = sizeof(state->length_hdr);
3049
3050 if (encryption_key != NULL) {
3051 NTSTATUS status;
3052 size_t buflen = nbt_len - SMB2_TF_HDR_SIZE;
3053 uint8_t *buf;
3054 int vi;
3055
3056 buf = talloc_array(iov, uint8_t, buflen);
3057 if (buf == NULL) {
3058 return NT_STATUS_NO_MEMORY;
3059 }
3060
3061 /*
3062 * We copy the buffers before encrypting them,
3063 * this is at least currently needed for the
3064 * to keep state->smb2.hdr.
3065 *
3066 * Also the callers may expect there buffers
3067 * to be const.
3068 */
3069 for (vi = tf_iov + 1; vi < num_iov; vi++) {
3070 struct iovec *v = &iov[vi];
3071 const uint8_t *o = (const uint8_t *)v->iov_base;
3072
3073 memcpy(buf, o, v->iov_len);
3074 v->iov_base = (void *)buf;
3075 buf += v->iov_len;
3076 }
3077
3078 status = smb2_signing_encrypt_pdu(*encryption_key,
3079 state->conn->smb2.server.cipher,
3080 &iov[tf_iov], num_iov - tf_iov);
3081 if (!NT_STATUS_IS_OK(status)) {
3082 return status;
3083 }
3084 }
3085
3086 if (state->conn->dispatch_incoming == NULL) {
3087 state->conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
3088 }
3089
3090 subreq = writev_send(state, state->ev, state->conn->outgoing,
3091 state->conn->write_fd, false, iov, num_iov);
3092 if (subreq == NULL) {
3093 return NT_STATUS_NO_MEMORY;
3094 }
3095 tevent_req_set_callback(subreq, smb2cli_req_writev_done, reqs[0]);
3096 return NT_STATUS_OK;
3097 }
3098
3099 void smb2cli_req_set_credit_charge(struct tevent_req *req, uint16_t charge)
3100 {
3101 struct smbXcli_req_state *state =
3102 tevent_req_data(req,
3103 struct smbXcli_req_state);
3104
3105 state->smb2.credit_charge = charge;
3106 }
3107
3108 struct tevent_req *smb2cli_req_send(TALLOC_CTX *mem_ctx,
3109 struct tevent_context *ev,
3110 struct smbXcli_conn *conn,
3111 uint16_t cmd,
3112 uint32_t additional_flags,
3113 uint32_t clear_flags,
3114 uint32_t timeout_msec,
3115 struct smbXcli_tcon *tcon,
3116 struct smbXcli_session *session,
3117 const uint8_t *fixed,
3118 uint16_t fixed_len,
3119 const uint8_t *dyn,
3120 uint32_t dyn_len,
3121 uint32_t max_dyn_len)
3122 {
3123 struct tevent_req *req;
3124 NTSTATUS status;
3125
3126 req = smb2cli_req_create(mem_ctx, ev, conn, cmd,
3127 additional_flags, clear_flags,
3128 timeout_msec,
3129 tcon, session,
3130 fixed, fixed_len,
3131 dyn, dyn_len,
3132 max_dyn_len);
3133 if (req == NULL) {
3134 return NULL;
3135 }
3136 if (!tevent_req_is_in_progress(req)) {
3137 return tevent_req_post(req, ev);
3138 }
3139 status = smb2cli_req_compound_submit(&req, 1);
3140 if (tevent_req_nterror(req, status)) {
3141 return tevent_req_post(req, ev);
3142 }
3143 return req;
3144 }
3145
3146 static void smb2cli_req_writev_done(struct tevent_req *subreq)
3147 {
3148 struct tevent_req *req =
3149 tevent_req_callback_data(subreq,
3150 struct tevent_req);
3151 struct smbXcli_req_state *state =
3152 tevent_req_data(req,
3153 struct smbXcli_req_state);
3154 ssize_t nwritten;
3155 int err;
3156
3157 nwritten = writev_recv(subreq, &err);
3158 TALLOC_FREE(subreq);
3159 if (nwritten == -1) {
3160 /* here, we need to notify all pending requests */
3161 NTSTATUS status = map_nt_error_from_unix_common(err);
3162 smbXcli_conn_disconnect(state->conn, status);
3163 return;
3164 }
3165 }
3166
3167 static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
3168 uint8_t *buf,
3169 size_t buflen,
3170 TALLOC_CTX *mem_ctx,
3171 struct iovec **piov, int *pnum_iov)
3172 {
3173 struct iovec *iov;
3174 int num_iov = 0;
3175 size_t taken = 0;
3176 uint8_t *first_hdr = buf;
3177 size_t verified_buflen = 0;
3178 uint8_t *tf = NULL;
3179 size_t tf_len = 0;
3180
3181 iov = talloc_array(mem_ctx, struct iovec, num_iov);
3182 if (iov == NULL) {
3183 return NT_STATUS_NO_MEMORY;
3184 }
3185
3186 while (taken < buflen) {
3187 size_t len = buflen - taken;
3188 uint8_t *hdr = first_hdr + taken;
3189 struct iovec *cur;
3190 size_t full_size;
3191 size_t next_command_ofs;
3192 uint16_t body_size;
3193 struct iovec *iov_tmp;
3194
3195 if (verified_buflen > taken) {
3196 len = verified_buflen - taken;
3197 } else {
3198 tf = NULL;
3199 tf_len = 0;
3200 }
3201
3202 if (len < 4) {
3203 DEBUG(10, ("%d bytes left, expected at least %d\n",
3204 (int)len, 4));
3205 goto inval;
3206 }
3207 if (IVAL(hdr, 0) == SMB2_TF_MAGIC) {
3208 struct smbXcli_session *s;
3209 uint64_t uid;
3210 struct iovec tf_iov[2];
3211 size_t enc_len;
3212 NTSTATUS status;
3213
3214 if (len < SMB2_TF_HDR_SIZE) {
3215 DEBUG(10, ("%d bytes left, expected at least %d\n",
3216 (int)len, SMB2_TF_HDR_SIZE));
3217 goto inval;
3218 }
3219 tf = hdr;
3220 tf_len = SMB2_TF_HDR_SIZE;
3221 taken += tf_len;
3222
3223 hdr = first_hdr + taken;
3224 enc_len = IVAL(tf, SMB2_TF_MSG_SIZE);
3225 uid = BVAL(tf, SMB2_TF_SESSION_ID);
3226
3227 if (len < SMB2_TF_HDR_SIZE + enc_len) {
3228 DEBUG(10, ("%d bytes left, expected at least %d\n",
3229 (int)len,
3230 (int)(SMB2_TF_HDR_SIZE + enc_len)));
3231 goto inval;
3232 }
3233
3234 s = conn->sessions;
3235 for (; s; s = s->next) {
3236 if (s->smb2->session_id != uid) {
3237 continue;
3238 }
3239 break;
3240 }
3241
3242 if (s == NULL) {
3243 DEBUG(10, ("unknown session_id %llu\n",
3244 (unsigned long long)uid));
3245 goto inval;
3246 }
3247
3248 tf_iov[0].iov_base = (void *)tf;
3249 tf_iov[0].iov_len = tf_len;
3250 tf_iov[1].iov_base = (void *)hdr;
3251 tf_iov[1].iov_len = enc_len;
3252
3253 status = smb2_signing_decrypt_pdu(s->smb2->decryption_key,
3254 conn->smb2.server.cipher,
3255 tf_iov, 2);
3256 if (!NT_STATUS_IS_OK(status)) {
3257 TALLOC_FREE(iov);
3258 return status;
3259 }
3260
3261 verified_buflen = taken + enc_len;
3262 len = enc_len;
3263 }
3264
3265 /*
3266 * We need the header plus the body length field
3267 */
3268
3269 if (len < SMB2_HDR_BODY + 2) {
3270 DEBUG(10, ("%d bytes left, expected at least %d\n",
3271 (int)len, SMB2_HDR_BODY));
3272 goto inval;
3273 }
3274 if (IVAL(hdr, 0) != SMB2_MAGIC) {
3275 DEBUG(10, ("Got non-SMB2 PDU: %x\n",
3276 IVAL(hdr, 0)));
3277 goto inval;
3278 }
3279 if (SVAL(hdr, 4) != SMB2_HDR_BODY) {
3280 DEBUG(10, ("Got HDR len %d, expected %d\n",
3281 SVAL(hdr, 4), SMB2_HDR_BODY));
3282 goto inval;
3283 }
3284
3285 full_size = len;
3286 next_command_ofs = IVAL(hdr, SMB2_HDR_NEXT_COMMAND);
3287 body_size = SVAL(hdr, SMB2_HDR_BODY);
3288
3289 if (next_command_ofs != 0) {
3290 if (next_command_ofs < (SMB2_HDR_BODY + 2)) {
3291 goto inval;
3292 }
3293 if (next_command_ofs > full_size) {
3294 goto inval;
3295 }
3296 full_size = next_command_ofs;
3297 }
3298 if (body_size < 2) {
3299 goto inval;
3300 }
3301 body_size &= 0xfffe;
3302
3303 if (body_size > (full_size - SMB2_HDR_BODY)) {
3304 goto inval;
3305 }
3306
3307 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
3308 num_iov + 4);
3309 if (iov_tmp == NULL) {
3310 TALLOC_FREE(iov);
3311 return NT_STATUS_NO_MEMORY;
3312 }
3313 iov = iov_tmp;
3314 cur = &iov[num_iov];
3315 num_iov += 4;
3316
3317 cur[0].iov_base = tf;
3318 cur[0].iov_len = tf_len;
3319 cur[1].iov_base = hdr;
3320 cur[1].iov_len = SMB2_HDR_BODY;
3321 cur[2].iov_base = hdr + SMB2_HDR_BODY;
3322 cur[2].iov_len = body_size;
3323 cur[3].iov_base = hdr + SMB2_HDR_BODY + body_size;
3324 cur[3].iov_len = full_size - (SMB2_HDR_BODY + body_size);
3325
3326 taken += full_size;
3327 }
3328
3329 *piov = iov;
3330 *pnum_iov = num_iov;
3331 return NT_STATUS_OK;
3332
3333 inval:
3334 TALLOC_FREE(iov);
3335 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3336 }
3337
3338 static struct tevent_req *smb2cli_conn_find_pending(struct smbXcli_conn *conn,
3339 uint64_t mid)
3340 {
3341 size_t num_pending = talloc_array_length(conn->pending);
3342 size_t i;
3343
3344 for (i=0; i<num_pending; i++) {
3345 struct tevent_req *req = conn->pending[i];
3346 struct smbXcli_req_state *state =
3347 tevent_req_data(req,
3348 struct smbXcli_req_state);
3349
3350 if (mid == BVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID)) {
3351 return req;
3352 }
3353 }
3354 return NULL;
3355 }
3356
3357 static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
3358 TALLOC_CTX *tmp_mem,
3359 uint8_t *inbuf)
3360 {
3361 struct tevent_req *req;
3362 struct smbXcli_req_state *state = NULL;
3363 struct iovec *iov;
3364 int i, num_iov;
3365 NTSTATUS status;
3366 bool defer = true;
3367 struct smbXcli_session *last_session = NULL;
3368 size_t inbuf_len = smb_len_tcp(inbuf);
3369
3370 status = smb2cli_inbuf_parse_compound(conn,
3371 inbuf + NBT_HDR_SIZE,
3372 inbuf_len,
3373 tmp_mem,
3374 &iov, &num_iov);
3375 if (!NT_STATUS_IS_OK(status)) {
3376 return status;
3377 }
3378
3379 for (i=0; i<num_iov; i+=4) {
3380 uint8_t *inbuf_ref = NULL;
3381 struct iovec *cur = &iov[i];
3382 uint8_t *inhdr = (uint8_t *)cur[1].iov_base;
3383 uint16_t opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
3384 uint32_t flags = IVAL(inhdr, SMB2_HDR_FLAGS);
3385 uint64_t mid = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
3386 uint16_t req_opcode;
3387 uint32_t req_flags;
3388 uint16_t credits = SVAL(inhdr, SMB2_HDR_CREDIT);
3389 uint32_t new_credits;
3390 struct smbXcli_session *session = NULL;
3391 const DATA_BLOB *signing_key = NULL;
3392 bool was_encrypted = false;
3393
3394 new_credits = conn->smb2.cur_credits;
3395 new_credits += credits;
3396 if (new_credits > UINT16_MAX) {
3397 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3398 }
3399 conn->smb2.cur_credits += credits;
3400
3401 req = smb2cli_conn_find_pending(conn, mid);
3402 if (req == NULL) {
3403 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3404 }
3405 state = tevent_req_data(req, struct smbXcli_req_state);
3406
3407 req_opcode = SVAL(state->smb2.hdr, SMB2_HDR_OPCODE);
3408 if (opcode != req_opcode) {
3409 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3410 }
3411 req_flags = SVAL(state->smb2.hdr, SMB2_HDR_FLAGS);
3412
3413 if (!(flags & SMB2_HDR_FLAG_REDIRECT)) {
3414 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3415 }
3416
3417 status = NT_STATUS(IVAL(inhdr, SMB2_HDR_STATUS));
3418 if ((flags & SMB2_HDR_FLAG_ASYNC) &&
3419 NT_STATUS_EQUAL(status, STATUS_PENDING)) {
3420 uint64_t async_id = BVAL(inhdr, SMB2_HDR_ASYNC_ID);
3421
3422 if (state->smb2.got_async) {
3423 /* We only expect one STATUS_PENDING response */
3424 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3425 }
3426 state->smb2.got_async = true;
3427
3428 /*
3429 * async interim responses are not signed,
3430 * even if the SMB2_HDR_FLAG_SIGNED flag
3431 * is set.
3432 */
3433 req_flags |= SMB2_HDR_FLAG_ASYNC;
3434 SBVAL(state->smb2.hdr, SMB2_HDR_FLAGS, req_flags);
3435 SBVAL(state->smb2.hdr, SMB2_HDR_ASYNC_ID, async_id);
3436
3437 if (state->smb2.notify_async) {
3438 tevent_req_defer_callback(req, state->ev);
3439 tevent_req_notify_callback(req);
3440 }
3441 continue;
3442 }
3443
3444 session = state->session;
3445 if (req_flags & SMB2_HDR_FLAG_CHAINED) {
3446 session = last_session;
3447 }
3448 last_session = session;
3449
3450 if (state->smb2.should_sign) {
3451 if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
3452 return NT_STATUS_ACCESS_DENIED;
3453 }
3454 }
3455
3456 if (flags & SMB2_HDR_FLAG_SIGNED) {
3457 uint64_t uid = BVAL(inhdr, SMB2_HDR_SESSION_ID);
3458
3459 if (session == NULL) {
3460 struct smbXcli_session *s;
3461
3462 s = state->conn->sessions;
3463 for (; s; s = s->next) {
3464 if (s->smb2->session_id != uid) {
3465 continue;
3466 }
3467
3468 session = s;
3469 break;
3470 }
3471 }
3472
3473 if (session == NULL) {
3474 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3475 }
3476
3477 last_session = session;
3478 signing_key = &session->smb2_channel.signing_key;
3479 }
3480
3481 if (opcode == SMB2_OP_SESSSETUP) {
3482 /*
3483 * We prefer the channel signing key, if it is
3484 * already there.
3485 *
3486 * If we do not have a channel signing key yet,
3487 * we try the main signing key, if it is not
3488 * the final response.
3489 */
3490 if (signing_key && signing_key->length == 0 &&
3491 !NT_STATUS_IS_OK(status)) {
3492 signing_key = &session->smb2->signing_key;
3493 }
3494
3495 if (signing_key && signing_key->length == 0) {
3496 /*
3497 * If we do not have a session key to
3498 * verify the signature, we defer the
3499 * signing check to the caller.
3500 *
3501 * The caller gets NT_STATUS_OK, it
3502 * has to call
3503 * smb2cli_session_set_session_key()
3504 * or
3505 * smb2cli_session_set_channel_key()
3506 * which will check the signature
3507 * with the channel signing key.
3508 */
3509 signing_key = NULL;
3510 }
3511 }
3512
3513 if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
3514 const uint8_t *tf = (const uint8_t *)cur[0].iov_base;
3515 uint64_t uid = BVAL(tf, SMB2_TF_SESSION_ID);
3516
3517 /*
3518 * If the response was encrypted in a SMB2_TRANSFORM
3519 * pdu, which belongs to the correct session,
3520 * we do not need to do signing checks
3521 *
3522 * It could be the session the response belongs to
3523 * or the session that was used to encrypt the
3524 * SMB2_TRANSFORM request.
3525 */
3526 if ((session && session->smb2->session_id == uid) ||
3527 (state->smb2.encryption_session_id == uid)) {
3528 signing_key = NULL;
3529 was_encrypted = true;
3530 }
3531 }
3532
3533 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
3534 /*
3535 * if the server returns NT_STATUS_USER_SESSION_DELETED
3536 * the response is not signed and we should
3537 * propagate the NT_STATUS_USER_SESSION_DELETED
3538 * status to the caller.
3539 */
3540 state->smb2.signing_skipped = true;
3541 signing_key = NULL;
3542 }
3543
3544 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
3545 /*
3546 * if the server returns
3547 * NT_STATUS_INVALID_PARAMETER
3548 * the response might not be encrypted.
3549 */
3550 if (state->smb2.should_encrypt && !was_encrypted) {
3551 state->smb2.signing_skipped = true;
3552 signing_key = NULL;
3553 }
3554 }
3555
3556 if (state->smb2.should_encrypt && !was_encrypted) {
3557 if (!state->smb2.signing_skipped) {
3558 return NT_STATUS_ACCESS_DENIED;
3559 }
3560 }
3561
3562 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED) ||
3563 NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED) ||
3564 NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
3565 /*
3566 * if the server returns
3567 * NT_STATUS_NETWORK_NAME_DELETED
3568 * NT_STATUS_FILE_CLOSED
3569 * NT_STATUS_INVALID_PARAMETER
3570 * the response might not be signed
3571 * as this happens before the signing checks.
3572 *
3573 * If server echos the signature (or all zeros)
3574 * we should report the status from the server
3575 * to the caller.
3576 */
3577 if (signing_key) {
3578 int cmp;
3579
3580 cmp = memcmp(inhdr+SMB2_HDR_SIGNATURE,
3581 state->smb2.hdr+SMB2_HDR_SIGNATURE,
3582 16);
3583 if (cmp == 0) {
3584 state->smb2.signing_skipped = true;
3585 signing_key = NULL;
3586 }
3587 }
3588 if (signing_key) {
3589 int cmp;
3590 static const uint8_t zeros[16];
3591
3592 cmp = memcmp(inhdr+SMB2_HDR_SIGNATURE,
3593 zeros,
3594 16);
3595 if (cmp == 0) {
3596 state->smb2.signing_skipped = true;
3597 signing_key = NULL;
3598 }
3599 }
3600 }
3601
3602 if (signing_key) {
3603 status = smb2_signing_check_pdu(*signing_key,
3604 state->conn->protocol,
3605 &cur[1], 3);
3606 if (!NT_STATUS_IS_OK(status)) {
3607 /*
3608 * If the signing check fails, we disconnect
3609 * the connection.
3610 */
3611 return status;
3612 }
3613 }
3614
3615 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
3616 (session != NULL) && session->disconnect_expired)
3617 {
3618 /*
3619 * this should be a short term hack
3620 * until the upper layers have implemented
3621 * re-authentication.
3622 */
3623 return status;
3624 }
3625
3626 smbXcli_req_unset_pending(req);
3627
3628 /*
3629 * There might be more than one response
3630 * we need to defer the notifications
3631 */
3632 if ((num_iov == 5) && (talloc_array_length(conn->pending) == 0)) {
3633 defer = false;
3634 }
3635
3636 if (defer) {
3637 tevent_req_defer_callback(req, state->ev);
3638 }
3639
3640 /*
3641 * Note: here we use talloc_reference() in a way
3642 * that does not expose it to the caller.
3643 */
3644 inbuf_ref = talloc_reference(state->smb2.recv_iov, inbuf);
3645 if (tevent_req_nomem(inbuf_ref, req)) {
3646 continue;
3647 }
3648
3649 /* copy the related buffers */
3650 state->smb2.recv_iov[0] = cur[1];
3651 state->smb2.recv_iov[1] = cur[2];
3652 state->smb2.recv_iov[2] = cur[3];
3653
3654 tevent_req_done(req);
3655 }
3656
3657 if (defer) {
3658 return NT_STATUS_RETRY;
3659 }
3660
3661 return NT_STATUS_OK;
3662 }
3663
3664 NTSTATUS smb2cli_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
3665 struct iovec **piov,
3666 const struct smb2cli_req_expected_response *expected,
3667 size_t num_expected)
3668 {
3669 struct smbXcli_req_state *state =
3670 tevent_req_data(req,
3671 struct smbXcli_req_state);
3672 NTSTATUS status;
3673 size_t body_size;
3674 bool found_status = false;
3675 bool found_size = false;
3676 size_t i;
3677
3678 if (piov != NULL) {
3679 *piov = NULL;
3680 }
3681
3682 if (tevent_req_is_in_progress(req) && state->smb2.got_async) {
3683 return STATUS_PENDING;
3684 }
3685
3686 if (tevent_req_is_nterror(req, &status)) {
3687 for (i=0; i < num_expected; i++) {
3688 if (NT_STATUS_EQUAL(status, expected[i].status)) {
3689 found_status = true;
3690 break;
3691 }
3692 }
3693
3694 if (found_status) {
3695 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
3696 }
3697
3698 return status;
3699 }
3700
3701 if (num_expected == 0) {
3702 found_status = true;
3703 found_size = true;
3704 }
3705
3706 status = NT_STATUS(IVAL(state->smb2.recv_iov[0].iov_base, SMB2_HDR_STATUS));
3707 body_size = SVAL(state->smb2.recv_iov[1].iov_base, 0);
3708
3709 for (i=0; i < num_expected; i++) {
3710 if (!NT_STATUS_EQUAL(status, expected[i].status)) {
3711 continue;
3712 }
3713
3714 found_status = true;
3715 if (expected[i].body_size == 0) {
3716 found_size = true;
3717 break;
3718 }
3719
3720 if (expected[i].body_size == body_size) {
3721 found_size = true;
3722 break;
3723 }
3724 }
3725
3726 if (!found_status) {
3727 return status;
3728 }
3729
3730 if (state->smb2.signing_skipped) {
3731 if (num_expected > 0) {
3732 return NT_STATUS_ACCESS_DENIED;
3733 }
3734 if (!NT_STATUS_IS_ERR(status)) {
3735 return NT_STATUS_ACCESS_DENIED;
3736 }
3737 }
3738
3739 if (!found_size) {
3740 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3741 }
3742
3743 if (piov != NULL) {
3744 *piov = talloc_move(mem_ctx, &state->smb2.recv_iov);
3745 }
3746
3747 return status;
3748 }
3749
3750 NTSTATUS smb2cli_req_get_sent_iov(struct tevent_req *req,
3751 struct iovec *sent_iov)
3752 {
3753 struct smbXcli_req_state *state =
3754 tevent_req_data(req,
3755 struct smbXcli_req_state);
3756
3757 if (tevent_req_is_in_progress(req)) {
3758 return STATUS_PENDING;
3759 }
3760
3761 sent_iov[0].iov_base = state->smb2.hdr;
3762 sent_iov[0].iov_len = sizeof(state->smb2.hdr);
3763
3764 sent_iov[1].iov_base = discard_const(state->smb2.fixed);
3765 sent_iov[1].iov_len = state->smb2.fixed_len;
3766
3767 if (state->smb2.dyn != NULL) {
3768 sent_iov[2].iov_base = discard_const(state->smb2.dyn);
3769 sent_iov[2].iov_len = state->smb2.dyn_len;
3770 } else {
3771 sent_iov[2].iov_base = NULL;
3772 sent_iov[2].iov_len = 0;
3773 }
3774
3775 return NT_STATUS_OK;
3776 }
3777
3778 static const struct {
3779 enum protocol_types proto;
3780 const char *smb1_name;
3781 } smb1cli_prots[] = {
3782 {PROTOCOL_CORE, "PC NETWORK PROGRAM 1.0"},
3783 {PROTOCOL_COREPLUS, "MICROSOFT NETWORKS 1.03"},
3784 {PROTOCOL_LANMAN1, "MICROSOFT NETWORKS 3.0"},
3785 {PROTOCOL_LANMAN1, "LANMAN1.0"},
3786 {PROTOCOL_LANMAN2, "LM1.2X002"},
3787 {PROTOCOL_LANMAN2, "DOS LANMAN2.1"},
3788 {PROTOCOL_LANMAN2, "LANMAN2.1"},
3789 {PROTOCOL_LANMAN2, "Samba"},
3790 {PROTOCOL_NT1, "NT LANMAN 1.0"},
3791 {PROTOCOL_NT1, "NT LM 0.12"},
3792 {PROTOCOL_SMB2_02, "SMB 2.002"},
3793 {PROTOCOL_SMB2_10, "SMB 2.???"},
3794 };
3795
3796 static const struct {
3797 enum protocol_types proto;
3798 uint16_t smb2_dialect;
3799 } smb2cli_prots[] = {
3800 {PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202},
3801 {PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210},
3802 {PROTOCOL_SMB2_22, SMB2_DIALECT_REVISION_222},
3803 {PROTOCOL_SMB2_24, SMB2_DIALECT_REVISION_224},
3804 {PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300},
3805 {PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302},
3806 {PROTOCOL_SMB3_10, SMB3_DIALECT_REVISION_310},
3807 };
3808
3809 struct smbXcli_negprot_state {
3810 struct smbXcli_conn *conn;
3811 struct tevent_context *ev;
3812 uint32_t timeout_msec;
3813
3814 struct {
3815 uint8_t fixed[36];
3816 } smb2;
3817 };
3818
3819 static void smbXcli_negprot_invalid_done(struct tevent_req *subreq);
3820 static struct tevent_req *smbXcli_negprot_smb1_subreq(struct smbXcli_negprot_state *state);
3821 static void smbXcli_negprot_smb1_done(struct tevent_req *subreq);
3822 static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_state *state);
3823 static void smbXcli_negprot_smb2_done(struct tevent_req *subreq);
3824 static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
3825 TALLOC_CTX *frame,
3826 uint8_t *inbuf);
3827
3828 struct tevent_req *smbXcli_negprot_send(TALLOC_CTX *mem_ctx,
3829 struct tevent_context *ev,
3830 struct smbXcli_conn *conn,
3831 uint32_t timeout_msec,
3832 enum protocol_types min_protocol,
3833 enum protocol_types max_protocol)
3834 {
3835 struct tevent_req *req, *subreq;
3836 struct smbXcli_negprot_state *state;
3837
3838 req = tevent_req_create(mem_ctx, &state,
3839 struct smbXcli_negprot_state);
3840 if (req == NULL) {
3841 return NULL;
3842 }
3843 state->conn = conn;
3844 state->ev = ev;
3845 state->timeout_msec = timeout_msec;
3846
3847 if (min_protocol == PROTOCOL_NONE) {
3848 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3849 return tevent_req_post(req, ev);
3850 }
3851
3852 if (max_protocol == PROTOCOL_NONE) {
3853 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3854 return tevent_req_post(req, ev);
3855 }
3856
3857 if (min_protocol > max_protocol) {
3858 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3859 return tevent_req_post(req, ev);
3860 }
3861
3862 conn->min_protocol = min_protocol;
3863 conn->max_protocol = max_protocol;
3864 conn->protocol = PROTOCOL_NONE;
3865
3866 if ((min_protocol < PROTOCOL_SMB2_02) &&
3867 (max_protocol < PROTOCOL_SMB2_02)) {
3868 /*
3869 * SMB1 only...
3870 */
3871 conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
3872
3873 subreq = smbXcli_negprot_smb1_subreq(state);
3874 if (tevent_req_nomem(subreq, req)) {
3875 return tevent_req_post(req, ev);
3876 }
3877 tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
3878 return req;
3879 }
3880
3881 if ((min_protocol >= PROTOCOL_SMB2_02) &&
3882 (max_protocol >= PROTOCOL_SMB2_02)) {
3883 /*
3884 * SMB2 only...
3885 */
3886 conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
3887
3888 /*
3889 * As we're starting with an SMB2 negprot, emulate Windows
3890 * and ask for 31 credits in the initial SMB2 negprot.
3891 * If we don't and leave requested credits at
3892 * zero, MacOSX servers return zero credits on
3893 * the negprot reply and we fail to connect.
3894 */
3895 smb2cli_conn_set_max_credits(conn,
3896 WINDOWS_CLIENT_PURE_SMB2_NEGPROT_INITIAL_CREDIT_ASK);
3897
3898 subreq = smbXcli_negprot_smb2_subreq(state);
3899 if (tevent_req_nomem(subreq, req)) {
3900 return tevent_req_post(req, ev);
3901 }
3902 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
3903 return req;
3904 }
3905
3906 /*
3907 * We send an SMB1 negprot with the SMB2 dialects
3908 * and expect a SMB1 or a SMB2 response.
3909 *
3910 * smbXcli_negprot_dispatch_incoming() will fix the
3911 * callback to match protocol of the response.
3912 */
3913 conn->dispatch_incoming = smbXcli_negprot_dispatch_incoming;
3914
3915 subreq = smbXcli_negprot_smb1_subreq(state);
3916 if (tevent_req_nomem(subreq, req)) {
3917 return tevent_req_post(req, ev);
3918 }
3919 tevent_req_set_callback(subreq, smbXcli_negprot_invalid_done, req);
3920 return req;
3921 }
3922
3923 static void smbXcli_negprot_invalid_done(struct tevent_req *subreq)
3924 {
3925 struct tevent_req *req =
3926 tevent_req_callback_data(subreq,
3927 struct tevent_req);
3928 NTSTATUS status;
3929
3930 /*
3931 * we just want the low level error
3932 */
3933 status = tevent_req_simple_recv_ntstatus(subreq);
3934 TALLOC_FREE(subreq);
3935 if (tevent_req_nterror(req, status)) {
3936 return;
3937 }
3938
3939 /* this should never happen */
3940 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
3941 }
3942
3943 static struct tevent_req *smbXcli_negprot_smb1_subreq(struct smbXcli_negprot_state *state)
3944 {
3945 size_t i;
3946 DATA_BLOB bytes = data_blob_null;
3947 uint8_t flags;
3948 uint16_t flags2;
3949
3950 /* setup the protocol strings */
3951 for (i=0; i < ARRAY_SIZE(smb1cli_prots); i++) {
3952 uint8_t c = 2;
3953 bool ok;
3954
3955 if (smb1cli_prots[i].proto < state->conn->min_protocol) {
3956 continue;
3957 }
3958
3959 if (smb1cli_prots[i].proto > state->conn->max_protocol) {
3960 continue;
3961 }
3962
3963 ok = data_blob_append(state, &bytes, &c, sizeof(c));
3964 if (!ok) {
3965 return NULL;
3966 }
3967
3968 /*
3969 * We now it is already ascii and
3970 * we want NULL termination.
3971 */
3972 ok = data_blob_append(state, &bytes,
3973 smb1cli_prots[i].smb1_name,
3974 strlen(smb1cli_prots[i].smb1_name)+1);
3975 if (!ok) {
3976 return NULL;
3977 }
3978 }
3979
3980 smb1cli_req_flags(state->conn->max_protocol,
3981 state->conn->smb1.client.capabilities,
3982 SMBnegprot,
3983 0, 0, &flags,
3984 0, 0, &flags2);
3985
3986 return smb1cli_req_send(state, state->ev, state->conn,
3987 SMBnegprot,
3988 flags, ~flags,
3989 flags2, ~flags2,
3990 state->timeout_msec,
3991 0xFFFE, 0, NULL, /* pid, tid, session */
3992 0, NULL, /* wct, vwv */
3993 bytes.length, bytes.data);
3994 }
3995
3996 static void smbXcli_negprot_smb1_done(struct tevent_req *subreq)
3997 {
3998 struct tevent_req *req =
3999 tevent_req_callback_data(subreq,
4000 struct tevent_req);
4001 struct smbXcli_negprot_state *state =
4002 tevent_req_data(req,
4003 struct smbXcli_negprot_state);
4004 struct smbXcli_conn *conn = state->conn;
4005 struct iovec *recv_iov = NULL;
4006 uint8_t *inhdr;
4007 uint8_t wct;
4008 uint16_t *vwv;
4009 uint32_t num_bytes;
4010 uint8_t *bytes;
4011 NTSTATUS status;
4012 uint16_t protnum;
4013 size_t i;
4014 size_t num_prots = 0;
4015 uint8_t flags;
4016 uint32_t client_capabilities = conn->smb1.client.capabilities;
4017 uint32_t both_capabilities;
4018 uint32_t server_capabilities = 0;
4019 uint32_t capabilities;
4020 uint32_t client_max_xmit = conn->smb1.client.max_xmit;
4021 uint32_t server_max_xmit = 0;
4022 uint32_t max_xmit;
4023 uint32_t server_max_mux = 0;
4024 uint16_t server_security_mode = 0;
4025 uint32_t server_session_key = 0;
4026 bool server_readbraw = false;
4027 bool server_writebraw = false;
4028 bool server_lockread = false;
4029 bool server_writeunlock = false;
4030 struct GUID server_guid = GUID_zero();
4031 DATA_BLOB server_gss_blob = data_blob_null;
4032 uint8_t server_challenge[8];
4033 char *server_workgroup = NULL;
4034 char *server_name = NULL;
4035 int server_time_zone = 0;
4036 NTTIME server_system_time = 0;
4037 static const struct smb1cli_req_expected_response expected[] = {
4038 {
4039 .status = NT_STATUS_OK,
4040 .wct = 0x11, /* NT1 */
4041 },
4042 {
4043 .status = NT_STATUS_OK,
4044 .wct = 0x0D, /* LM */
4045 },
4046 {
4047 .status = NT_STATUS_OK,
4048 .wct = 0x01, /* CORE */
4049 }
4050 };
4051
4052 ZERO_STRUCT(server_challenge);
4053
4054 status = smb1cli_req_recv(subreq, state,
4055 &recv_iov,
4056 &inhdr,
4057 &wct,
4058 &vwv,
4059 NULL, /* pvwv_offset */
4060 &num_bytes,
4061 &bytes,
4062 NULL, /* pbytes_offset */
4063 NULL, /* pinbuf */
4064 expected, ARRAY_SIZE(expected));
4065 TALLOC_FREE(subreq);
4066 if (tevent_req_nterror(req, status)) {
4067 return;
4068 }
4069
4070 flags = CVAL(inhdr, HDR_FLG);
4071
4072 protnum = SVAL(vwv, 0);
4073
4074 for (i=0; i < ARRAY_SIZE(smb1cli_prots); i++) {
4075 if (smb1cli_prots[i].proto < state->conn->min_protocol) {
4076 continue;
4077 }
4078
4079 if (smb1cli_prots[i].proto > state->conn->max_protocol) {
4080 continue;
4081 }
4082
4083 if (protnum != num_prots) {
4084 num_prots++;
4085 continue;
4086 }
4087
4088 conn->protocol = smb1cli_prots[i].proto;
4089 break;
4090 }
4091
4092 if (conn->protocol == PROTOCOL_NONE) {
4093 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4094 return;
4095 }
4096
4097 if ((conn->protocol < PROTOCOL_NT1) && conn->mandatory_signing) {
4098 DEBUG(0,("smbXcli_negprot: SMB signing is mandatory "
4099 "and the selected protocol level doesn't support it.\n"));
4100 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
4101 return;
4102 }
4103
4104 if (flags & FLAG_SUPPORT_LOCKREAD) {
4105 server_lockread = true;
4106 server_writeunlock = true;
4107 }
4108
4109 if (conn->protocol >= PROTOCOL_NT1) {
4110 const char *client_signing = NULL;
4111 bool server_mandatory = false;
4112 bool server_allowed = false;
4113 const char *server_signing = NULL;
4114 bool ok;
4115 uint8_t key_len;
4116
4117 if (wct != 0x11) {
4118 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4119 return;
4120 }
4121
4122 /* NT protocol */
4123 server_security_mode = CVAL(vwv + 1, 0);
4124 server_max_mux = SVAL(vwv + 1, 1);
4125 server_max_xmit = IVAL(vwv + 3, 1);
4126 server_session_key = IVAL(vwv + 7, 1);
4127 server_time_zone = SVALS(vwv + 15, 1);
4128 server_time_zone *= 60;
4129 /* this time arrives in real GMT */
4130 server_system_time = BVAL(vwv + 11, 1);
4131 server_capabilities = IVAL(vwv + 9, 1);
4132
4133 key_len = CVAL(vwv + 16, 1);
4134
4135 if (server_capabilities & CAP_RAW_MODE) {
4136 server_readbraw = true;
4137 server_writebraw = true;
4138 }
4139 if (server_capabilities & CAP_LOCK_AND_READ) {
4140 server_lockread = true;
4141 }
4142
4143 if (server_capabilities & CAP_EXTENDED_SECURITY) {
4144 DATA_BLOB blob1, blob2;
4145
4146 if (num_bytes < 16) {
4147 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4148 return;
4149 }
4150
4151 blob1 = data_blob_const(bytes, 16);
4152 status = GUID_from_data_blob(&blob1, &server_guid);
4153 if (tevent_req_nterror(req, status)) {
4154 return;
4155 }
4156
4157 blob1 = data_blob_const(bytes+16, num_bytes-16);
4158 blob2 = data_blob_dup_talloc(state, blob1);
4159 if (blob1.length > 0 &&
4160 tevent_req_nomem(blob2.data, req)) {
4161 return;
4162 }
4163 server_gss_blob = blob2;
4164 } else {
4165 DATA_BLOB blob1, blob2;
4166
4167 if (num_bytes < key_len) {
4168 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4169 return;
4170 }
4171
4172 if (key_len != 0 && key_len != 8) {
4173 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4174 return;
4175 }
4176
4177 if (key_len == 8) {
4178 memcpy(server_challenge, bytes, 8);
4179 }
4180
4181 blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
4182 blob2 = data_blob_const(bytes+key_len, num_bytes-key_len);
4183 if (blob1.length > 0) {
4184 size_t len;
4185
4186 len = utf16_len_n(blob1.data,
4187 blob1.length);
4188 blob1.length = len;
4189
4190 ok = convert_string_talloc(state,
4191 CH_UTF16LE,
4192 CH_UNIX,
4193 blob1.data,
4194 blob1.length,
4195 &server_workgroup,
4196 &len);
4197 if (!ok) {
4198 status = map_nt_error_from_unix_common(errno);
4199 tevent_req_nterror(req, status);
4200 return;
4201 }
4202 }
4203
4204 blob2.data += blob1.length;
4205 blob2.length -= blob1.length;
4206 if (blob2.length > 0) {
4207 size_t len;
4208
4209 len = utf16_len_n(blob1.data,
4210 blob1.length);
4211 blob1.length = len;
4212
4213 ok = convert_string_talloc(state,
4214 CH_UTF16LE,
4215 CH_UNIX,
4216 blob2.data,
4217 blob2.length,
4218 &server_name,
4219 &len);
4220 if (!ok) {
4221 status = map_nt_error_from_unix_common(errno);
4222 tevent_req_nterror(req, status);
4223 return;
4224 }
4225 }
4226 }
4227
4228 client_signing = "disabled";
4229 if (conn->allow_signing) {
4230 client_signing = "allowed";
4231 }
4232 if (conn->mandatory_signing) {
4233 client_signing = "required";
4234 }
4235
4236 server_signing = "not supported";
4237 if (server_security_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) {
4238 server_signing = "supported";
4239 server_allowed = true;
4240 } else if (conn->mandatory_signing) {
4241 /*
4242 * We have mandatory signing as client
4243 * lets assume the server will look at our
4244 * FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED
4245 * flag in the session setup
4246 */
4247 server_signing = "not announced";
4248 server_allowed = true;
4249 }
4250 if (server_security_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) {
4251 server_signing = "required";
4252 server_mandatory = true;
4253 }
4254
4255 ok = smb_signing_set_negotiated(conn->smb1.signing,
4256 server_allowed,
4257 server_mandatory);
4258 if (!ok) {
4259 DEBUG(1,("cli_negprot: SMB signing is required, "
4260 "but client[%s] and server[%s] mismatch\n",
4261 client_signing, server_signing));
4262 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
4263 return;
4264 }
4265
4266 } else if (conn->protocol >= PROTOCOL_LANMAN1) {
4267 DATA_BLOB blob1;
4268 uint8_t key_len;
4269 time_t t;
4270
4271 if (wct != 0x0D) {
4272 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4273 return;
4274 }
4275
4276 server_security_mode = SVAL(vwv + 1, 0);
4277 server_max_xmit = SVAL(vwv + 2, 0);
4278 server_max_mux = SVAL(vwv + 3, 0);
4279 server_readbraw = ((SVAL(vwv + 5, 0) & 0x1) != 0);
4280 server_writebraw = ((SVAL(vwv + 5, 0) & 0x2) != 0);
4281 server_session_key = IVAL(vwv + 6, 0);
4282 server_time_zone = SVALS(vwv + 10, 0);
4283 server_time_zone *= 60;
4284 /* this time is converted to GMT by make_unix_date */
4285 t = pull_dos_date((const uint8_t *)(vwv + 8), server_time_zone);
4286 unix_to_nt_time(&server_system_time, t);
4287 key_len = SVAL(vwv + 11, 0);
4288
4289 if (num_bytes < key_len) {
4290 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4291 return;
4292 }
4293
4294 if (key_len != 0 && key_len != 8) {
4295 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4296 return;
4297 }
4298
4299 if (key_len == 8) {
4300 memcpy(server_challenge, bytes, 8);
4301 }
4302
4303 blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
4304 if (blob1.length > 0) {
4305 size_t len;
4306 bool ok;
4307
4308 len = utf16_len_n(blob1.data,
4309 blob1.length);
4310 blob1.length = len;
4311
4312 ok = convert_string_talloc(state,
4313 CH_DOS,
4314 CH_UNIX,
4315 blob1.data,
4316 blob1.length,
4317 &server_workgroup,
4318 &len);
4319 if (!ok) {
4320 status = map_nt_error_from_unix_common(errno);
4321 tevent_req_nterror(req, status);
4322 return;
4323 }
4324 }
4325
4326 } else {
4327 /* the old core protocol */
4328 server_time_zone = get_time_zone(time(NULL));
4329 server_max_xmit = 1024;
4330 server_max_mux = 1;
4331 }
4332
4333 if (server_max_xmit < 1024) {
4334 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4335 return;
4336 }
4337
4338 if (server_max_mux < 1) {
4339 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4340 return;
4341 }
4342
4343 /*
4344 * Now calculate the negotiated capabilities
4345 * based on the mask for:
4346 * - client only flags
4347 * - flags used in both directions
4348 * - server only flags
4349 */
4350 both_capabilities = client_capabilities & server_capabilities;
4351 capabilities = client_capabilities & SMB_CAP_CLIENT_MASK;
4352 capabilities |= both_capabilities & SMB_CAP_BOTH_MASK;
4353 capabilities |= server_capabilities & SMB_CAP_SERVER_MASK;
4354
4355 max_xmit = MIN(client_max_xmit, server_max_xmit);
4356
4357 conn->smb1.server.capabilities = server_capabilities;
4358 conn->smb1.capabilities = capabilities;
4359
4360 conn->smb1.server.max_xmit = server_max_xmit;
4361 conn->smb1.max_xmit = max_xmit;
4362
4363 conn->smb1.server.max_mux = server_max_mux;
4364
4365 conn->smb1.server.security_mode = server_security_mode;
4366
4367 conn->smb1.server.readbraw = server_readbraw;
4368 conn->smb1.server.writebraw = server_writebraw;
4369 conn->smb1.server.lockread = server_lockread;
4370 conn->smb1.server.writeunlock = server_writeunlock;
4371
4372 conn->smb1.server.session_key = server_session_key;
4373
4374 talloc_steal(conn, server_gss_blob.data);
4375 conn->smb1.server.gss_blob = server_gss_blob;
4376 conn->smb1.server.guid = server_guid;
4377 memcpy(conn->smb1.server.challenge, server_challenge, 8);
4378 conn->smb1.server.workgroup = talloc_move(conn, &server_workgroup);
4379 conn->smb1.server.name = talloc_move(conn, &server_name);
4380
4381 conn->smb1.server.time_zone = server_time_zone;
4382 conn->smb1.server.system_time = server_system_time;
4383
4384 tevent_req_done(req);
4385 }
4386
4387 static size_t smbXcli_padding_helper(uint32_t offset, size_t n)
4388 {
4389 if ((offset & (n-1)) == 0) return 0;
4390 return n - (offset & (n-1));
4391 }
4392
4393 static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_state *state)
4394 {
4395 size_t i;
4396 uint8_t *buf;
4397 uint16_t dialect_count = 0;
4398 DATA_BLOB dyn = data_blob_null;
4399
4400 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4401 bool ok;
4402 uint8_t val[2];
4403
4404 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
4405 continue;
4406 }
4407
4408 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
4409 continue;
4410 }
4411
4412 SSVAL(val, 0, smb2cli_prots[i].smb2_dialect);
4413
4414 ok = data_blob_append(state, &dyn, val, sizeof(val));
4415 if (!ok) {
4416 return NULL;
4417 }
4418
4419 dialect_count++;
4420 }
4421
4422 buf = state->smb2.fixed;
4423 SSVAL(buf, 0, 36);
4424 SSVAL(buf, 2, dialect_count);
4425 SSVAL(buf, 4, state->conn->smb2.client.security_mode);
4426 SSVAL(buf, 6, 0); /* Reserved */
4427 if (state->conn->max_protocol >= PROTOCOL_SMB2_22) {
4428 SIVAL(buf, 8, state->conn->smb2.client.capabilities);
4429 } else {
4430 SIVAL(buf, 8, 0); /* Capabilities */
4431 }
4432 if (state->conn->max_protocol >= PROTOCOL_SMB2_10) {
4433 NTSTATUS status;
4434 DATA_BLOB blob;
4435
4436 status = GUID_to_ndr_blob(&state->conn->smb2.client.guid,
4437 state, &blob);
4438 if (!NT_STATUS_IS_OK(status)) {
4439 return NULL;
4440 }
4441 memcpy(buf+12, blob.data, 16); /* ClientGuid */
4442 } else {
4443 memset(buf+12, 0, 16); /* ClientGuid */
4444 }
4445
4446 if (state->conn->max_protocol >= PROTOCOL_SMB3_10) {
4447 NTSTATUS status;
4448 struct smb2_negotiate_contexts c = { .num_contexts = 0, };
4449 uint32_t offset;
4450 DATA_BLOB b;
4451 uint8_t p[38];
4452 const uint8_t zeros[8] = {0, };
4453 size_t pad;
4454 bool ok;
4455
4456 SSVAL(p, 0, 1); /* HashAlgorithmCount */
4457 SSVAL(p, 2, 32); /* SaltLength */
4458 SSVAL(p, 4, SMB2_PREAUTH_INTEGRITY_SHA512);
4459 generate_random_buffer(p + 6, 32);
4460
4461 b = data_blob_const(p, 38);
4462 status = smb2_negotiate_context_add(state, &c,
4463 SMB2_PREAUTH_INTEGRITY_CAPABILITIES, b);
4464 if (!NT_STATUS_IS_OK(status)) {
4465 return NULL;
4466 }
4467
4468 SSVAL(p, 0, 2); /* ChiperCount */
4469 SSVAL(p, 2, SMB2_ENCRYPTION_AES128_GCM);
4470 SSVAL(p, 4, SMB2_ENCRYPTION_AES128_CCM);
4471
4472 b = data_blob_const(p, 6);
4473 status = smb2_negotiate_context_add(state, &c,
4474 SMB2_ENCRYPTION_CAPABILITIES, b);
4475 if (!NT_STATUS_IS_OK(status)) {
4476 return NULL;
4477 }
4478
4479 status = smb2_negotiate_context_push(state, &b, c);
4480 if (!NT_STATUS_IS_OK(status)) {
4481 return NULL;
4482 }
4483
4484 offset = SMB2_HDR_BODY + sizeof(state->smb2.fixed) + dyn.length;
4485 pad = smbXcli_padding_helper(offset, 8);
4486
4487 ok = data_blob_append(state, &dyn, zeros, pad);
4488 if (!ok) {
4489 return NULL;
4490 }
4491 offset += pad;
4492
4493 ok = data_blob_append(state, &dyn, b.data, b.length);
4494 if (!ok) {
4495 return NULL;
4496 }
4497
4498 SIVAL(buf, 28, offset); /* NegotiateContextOffset */
4499 SSVAL(buf, 32, c.num_contexts); /* NegotiateContextCount */
4500 SSVAL(buf, 34, 0); /* Reserved */
4501 } else {
4502 SBVAL(buf, 28, 0); /* Reserved/ClientStartTime */
4503 }
4504
4505 return smb2cli_req_send(state, state->ev,
4506 state->conn, SMB2_OP_NEGPROT,
4507 0, 0, /* flags */
4508 state->timeout_msec,
4509 NULL, NULL, /* tcon, session */
4510 state->smb2.fixed, sizeof(state->smb2.fixed),
4511 dyn.data, dyn.length,
4512 UINT16_MAX); /* max_dyn_len */
4513 }
4514
4515 static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
4516 {
4517 struct tevent_req *req =
4518 tevent_req_callback_data(subreq,
4519 struct tevent_req);
4520 struct smbXcli_negprot_state *state =
4521 tevent_req_data(req,
4522 struct smbXcli_negprot_state);
4523 struct smbXcli_conn *conn = state->conn;
4524 size_t security_offset, security_length;
4525 DATA_BLOB blob;
4526 NTSTATUS status;
4527 struct iovec *iov;
4528 uint8_t *body;
4529 size_t i;
4530 uint16_t dialect_revision;
4531 struct smb2_negotiate_contexts c = { .num_contexts = 0, };
4532 uint32_t negotiate_context_offset = 0;
4533 uint16_t negotiate_context_count = 0;
4534 DATA_BLOB negotiate_context_blob = data_blob_null;
4535 size_t avail;
4536 size_t ctx_ofs;
4537 size_t needed;
4538 struct smb2_negotiate_context *preauth = NULL;
4539 uint16_t hash_count;
4540 uint16_t salt_length;
4541 uint16_t hash_selected;
4542 struct hc_sha512state sctx;
4543 struct smb2_negotiate_context *cipher = NULL;
4544 struct iovec sent_iov[3];
4545 static const struct smb2cli_req_expected_response expected[] = {
4546 {
4547 .status = NT_STATUS_OK,
4548 .body_size = 0x41
4549 }
4550 };
4551
4552 status = smb2cli_req_recv(subreq, state, &iov,
4553 expected, ARRAY_SIZE(expected));
4554 if (tevent_req_nterror(req, status)) {
4555 return;
4556 }
4557
4558 body = (uint8_t *)iov[1].iov_base;
4559
4560 dialect_revision = SVAL(body, 4);
4561
4562 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4563 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
4564 continue;
4565 }
4566
4567 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
4568 continue;
4569 }
4570
4571 if (smb2cli_prots[i].smb2_dialect != dialect_revision) {
4572 continue;
4573 }
4574
4575 conn->protocol = smb2cli_prots[i].proto;
4576 break;
4577 }
4578
4579 if (conn->protocol == PROTOCOL_NONE) {
4580 TALLOC_FREE(subreq);
4581
4582 if (state->conn->min_protocol >= PROTOCOL_SMB2_02) {
4583 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4584 return;
4585 }
4586
4587 if (dialect_revision != SMB2_DIALECT_REVISION_2FF) {
4588 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4589 return;
4590 }
4591
4592 /* make sure we do not loop forever */
4593 state->conn->min_protocol = PROTOCOL_SMB2_02;
4594
4595 /*
4596 * send a SMB2 negprot, in order to negotiate
4597 * the SMB2 dialect.
4598 */
4599 subreq = smbXcli_negprot_smb2_subreq(state);
4600 if (tevent_req_nomem(subreq, req)) {
4601 return;
4602 }
4603 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4604 return;
4605 }
4606
4607 conn->smb2.server.security_mode = SVAL(body, 2);
4608 if (conn->protocol >= PROTOCOL_SMB3_10) {
4609 negotiate_context_count = SVAL(body, 6);
4610 }
4611
4612 blob = data_blob_const(body + 8, 16);
4613 status = GUID_from_data_blob(&blob, &conn->smb2.server.guid);
4614 if (tevent_req_nterror(req, status)) {
4615 return;
4616 }
4617
4618 conn->smb2.server.capabilities = IVAL(body, 24);
4619 conn->smb2.server.max_trans_size= IVAL(body, 28);
4620 conn->smb2.server.max_read_size = IVAL(body, 32);
4621 conn->smb2.server.max_write_size= IVAL(body, 36);
4622 conn->smb2.server.system_time = BVAL(body, 40);
4623 conn->smb2.server.start_time = BVAL(body, 48);
4624
4625 security_offset = SVAL(body, 56);
4626 security_length = SVAL(body, 58);
4627
4628 if (security_offset != SMB2_HDR_BODY + iov[1].iov_len) {
4629 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4630 return;
4631 }
4632
4633 if (security_length > iov[2].iov_len) {
4634 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4635 return;
4636 }
4637
4638 conn->smb2.server.gss_blob = data_blob_talloc(conn,
4639 iov[2].iov_base,
4640 security_length);
4641 if (tevent_req_nomem(conn->smb2.server.gss_blob.data, req)) {
4642 return;
4643 }
4644
4645 if (conn->protocol < PROTOCOL_SMB3_10) {
4646 TALLOC_FREE(subreq);
4647
4648 if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
4649 conn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
4650 }
4651 tevent_req_done(req);
4652 return;
4653 }
4654
4655 if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
4656 tevent_req_nterror(req,
4657 NT_STATUS_INVALID_NETWORK_RESPONSE);
4658 return;
4659 }
4660
4661 negotiate_context_offset = IVAL(body, 60);
4662 if (negotiate_context_offset < security_offset) {
4663 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4664 return;
4665 }
4666
4667 ctx_ofs = negotiate_context_offset - security_offset;
4668 if (ctx_ofs > iov[2].iov_len) {
4669 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4670 return;
4671 }
4672 avail = iov[2].iov_len - security_length;
4673 needed = iov[2].iov_len - ctx_ofs;
4674 if (needed > avail) {
4675 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4676 return;
4677 }
4678
4679 negotiate_context_blob.data = (uint8_t *)iov[2].iov_base;
4680 negotiate_context_blob.length = iov[2].iov_len;
4681
4682 negotiate_context_blob.data += ctx_ofs;
4683 negotiate_context_blob.length -= ctx_ofs;
4684
4685 status = smb2_negotiate_context_parse(state, negotiate_context_blob, &c);
4686 if (tevent_req_nterror(req, status)) {
4687 return;
4688 }
4689
4690 if (negotiate_context_count != c.num_contexts) {
4691 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4692 return;
4693 }
4694
4695 preauth = smb2_negotiate_context_find(&c,
4696 SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
4697 if (preauth == NULL) {
4698 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4699 return;
4700 }
4701
4702 if (preauth->data.length < 6) {
4703 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4704 return;
4705 }
4706
4707 hash_count = SVAL(preauth->data.data, 0);
4708 salt_length = SVAL(preauth->data.data, 2);
4709 hash_selected = SVAL(preauth->data.data, 4);
4710
4711 if (hash_count != 1) {
4712 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4713 return;
4714 }
4715
4716 if (preauth->data.length != (6 + salt_length)) {
4717 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4718 return;
4719 }
4720
4721 if (hash_selected != SMB2_PREAUTH_INTEGRITY_SHA512) {
4722 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4723 return;
4724 }
4725
4726 cipher = smb2_negotiate_context_find(&c, SMB2_ENCRYPTION_CAPABILITIES);
4727 if (cipher != NULL) {
4728 uint16_t cipher_count;
4729
4730 if (cipher->data.length < 2) {
4731 tevent_req_nterror(req,
4732 NT_STATUS_INVALID_NETWORK_RESPONSE);
4733 return;
4734 }
4735
4736 cipher_count = SVAL(cipher->data.data, 0);
4737
4738 if (cipher_count > 1) {
4739 tevent_req_nterror(req,
4740 NT_STATUS_INVALID_NETWORK_RESPONSE);
4741 return;
4742 }
4743
4744 if (cipher->data.length != (2 + 2 * cipher_count)) {
4745 tevent_req_nterror(req,
4746 NT_STATUS_INVALID_NETWORK_RESPONSE);
4747 return;
4748 }
4749
4750 if (cipher_count == 1) {
4751 uint16_t cipher_selected;
4752
4753 cipher_selected = SVAL(cipher->data.data, 2);
4754
4755 switch (cipher_selected) {
4756 case SMB2_ENCRYPTION_AES128_GCM:
4757 case SMB2_ENCRYPTION_AES128_CCM:
4758 conn->smb2.server.cipher = cipher_selected;
4759 break;
4760 }
4761 }
4762 }
4763
4764 /* First we hash the request */
4765 smb2cli_req_get_sent_iov(subreq, sent_iov);
4766 samba_SHA512_Init(&sctx);
4767 samba_SHA512_Update(&sctx, conn->smb2.preauth_sha512,
4768 sizeof(conn->smb2.preauth_sha512));
4769 for (i = 0; i < 3; i++) {
4770 samba_SHA512_Update(&sctx, sent_iov[i].iov_base, sent_iov[i].iov_len);
4771 }
4772 samba_SHA512_Final(conn->smb2.preauth_sha512, &sctx);
4773 TALLOC_FREE(subreq);
4774
4775 /* And now we hash the response */
4776 samba_SHA512_Init(&sctx);
4777 samba_SHA512_Update(&sctx, conn->smb2.preauth_sha512,
4778 sizeof(conn->smb2.preauth_sha512));
4779 for (i = 0; i < 3; i++) {
4780 samba_SHA512_Update(&sctx, iov[i].iov_base, iov[i].iov_len);
4781 }
4782 samba_SHA512_Final(conn->smb2.preauth_sha512, &sctx);
4783
4784 tevent_req_done(req);
4785 }
4786
4787 static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
4788 TALLOC_CTX *tmp_mem,
4789 uint8_t *inbuf)
4790 {
4791 size_t num_pending = talloc_array_length(conn->pending);
4792 struct tevent_req *subreq;
4793 struct smbXcli_req_state *substate;
4794 struct tevent_req *req;
4795 uint32_t protocol_magic;
4796 size_t inbuf_len = smb_len_nbt(inbuf);
4797
4798 if (num_pending != 1) {
4799 return NT_STATUS_INTERNAL_ERROR;
4800 }
4801
4802 if (inbuf_len < 4) {
4803 return NT_STATUS_INVALID_NETWORK_RESPONSE;
4804 }
4805
4806 subreq = conn->pending[0];
4807 substate = tevent_req_data(subreq, struct smbXcli_req_state);
4808 req = tevent_req_callback_data(subreq, struct tevent_req);
4809
4810 protocol_magic = IVAL(inbuf, 4);
4811
4812 switch (protocol_magic) {
4813 case SMB_MAGIC:
4814 tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
4815 conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
4816 return smb1cli_conn_dispatch_incoming(conn, tmp_mem, inbuf);
4817
4818 case SMB2_MAGIC:
4819 if (substate->smb2.recv_iov == NULL) {
4820 /*
4821 * For the SMB1 negprot we have move it.
4822 */
4823 substate->smb2.recv_iov = substate->smb1.recv_iov;
4824 substate->smb1.recv_iov = NULL;
4825 }
4826
4827 /*
4828 * we got an SMB2 answer, which consumed sequence number 0
4829 * so we need to use 1 as the next one.
4830 *
4831 * we also need to set the current credits to 0
4832 * as we consumed the initial one. The SMB2 answer
4833 * hopefully grant us a new credit.
4834 */
4835 conn->smb2.mid = 1;
4836 conn->smb2.cur_credits = 0;
4837 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4838 conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
4839 return smb2cli_conn_dispatch_incoming(conn, tmp_mem, inbuf);
4840 }
4841
4842 DEBUG(10, ("Got non-SMB PDU\n"));
4843 return NT_STATUS_INVALID_NETWORK_RESPONSE;
4844 }
4845
4846 NTSTATUS smbXcli_negprot_recv(struct tevent_req *req)
4847 {
4848 return tevent_req_simple_recv_ntstatus(req);
4849 }
4850
4851 NTSTATUS smbXcli_negprot(struct smbXcli_conn *conn,
4852 uint32_t timeout_msec,
4853 enum protocol_types min_protocol,
4854 enum protocol_types max_protocol)
4855 {
4856 TALLOC_CTX *frame = talloc_stackframe();
4857 struct tevent_context *ev;
4858 struct tevent_req *req;
4859 NTSTATUS status = NT_STATUS_NO_MEMORY;
4860 bool ok;
4861
4862 if (smbXcli_conn_has_async_calls(conn)) {
4863 /*
4864 * Can't use sync call while an async call is in flight
4865 */
4866 status = NT_STATUS_INVALID_PARAMETER_MIX;
4867 goto fail;
4868 }
4869 ev = samba_tevent_context_init(frame);
4870 if (ev == NULL) {
4871 goto fail;
4872 }
4873 req = smbXcli_negprot_send(frame, ev, conn, timeout_msec,
4874 min_protocol, max_protocol);
4875 if (req == NULL) {
4876 goto fail;
4877 }
4878 ok = tevent_req_poll_ntstatus(req, ev, &status);
4879 if (!ok) {
4880 goto fail;
4881 }
4882 status = smbXcli_negprot_recv(req);
4883 fail:
4884 TALLOC_FREE(frame);
4885 return status;
4886 }
4887
4888 struct smb2cli_validate_negotiate_info_state {
4889 struct smbXcli_conn *conn;
4890 DATA_BLOB in_input_buffer;
4891 DATA_BLOB in_output_buffer;
4892 DATA_BLOB out_input_buffer;
4893 DATA_BLOB out_output_buffer;
4894 uint16_t dialect;
4895 };
4896
4897 static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq);
4898
4899 struct tevent_req *smb2cli_validate_negotiate_info_send(TALLOC_CTX *mem_ctx,
4900 struct tevent_context *ev,
4901 struct smbXcli_conn *conn,
4902 uint32_t timeout_msec,
4903 struct smbXcli_session *session,
4904 struct smbXcli_tcon *tcon)
4905 {
4906 struct tevent_req *req;
4907 struct smb2cli_validate_negotiate_info_state *state;
4908 uint8_t *buf;
4909 uint16_t dialect_count = 0;
4910 struct tevent_req *subreq;
4911 bool _save_should_sign;
4912 size_t i;
4913
4914 req = tevent_req_create(mem_ctx, &state,
4915 struct smb2cli_validate_negotiate_info_state);
4916 if (req == NULL) {
4917 return NULL;
4918 }
4919 state->conn = conn;
4920
4921 state->in_input_buffer = data_blob_talloc_zero(state,
4922 4 + 16 + 1 + 1 + 2);
4923 if (tevent_req_nomem(state->in_input_buffer.data, req)) {
4924 return tevent_req_post(req, ev);
4925 }
4926 buf = state->in_input_buffer.data;
4927
4928 if (state->conn->max_protocol >= PROTOCOL_SMB2_22) {
4929 SIVAL(buf, 0, conn->smb2.client.capabilities);
4930 } else {
4931 SIVAL(buf, 0, 0); /* Capabilities */
4932 }
4933 if (state->conn->max_protocol >= PROTOCOL_SMB2_10) {
4934 NTSTATUS status;
4935 DATA_BLOB blob;
4936
4937 status = GUID_to_ndr_blob(&conn->smb2.client.guid,
4938 state, &blob);
4939 if (!NT_STATUS_IS_OK(status)) {
4940 return NULL;
4941 }
4942 memcpy(buf+4, blob.data, 16); /* ClientGuid */
4943 } else {
4944 memset(buf+4, 0, 16); /* ClientGuid */
4945 }
4946 if (state->conn->min_protocol >= PROTOCOL_SMB2_02) {
4947 SCVAL(buf, 20, conn->smb2.client.security_mode);
4948 } else {
4949 SCVAL(buf, 20, 0);
4950 }
4951 SCVAL(buf, 21, 0); /* reserved */
4952
4953 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4954 bool ok;
4955 size_t ofs;
4956
4957 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
4958 continue;
4959 }
4960
4961 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
4962 continue;
4963 }
4964
4965 if (smb2cli_prots[i].proto == state->conn->protocol) {
4966 state->dialect = smb2cli_prots[i].smb2_dialect;
4967 }
4968
4969 ofs = state->in_input_buffer.length;
4970 ok = data_blob_realloc(state, &state->in_input_buffer,
4971 ofs + 2);
4972 if (!ok) {
4973 tevent_req_oom(req);
4974 return tevent_req_post(req, ev);
4975 }
4976
4977 buf = state->in_input_buffer.data;
4978 SSVAL(buf, ofs, smb2cli_prots[i].smb2_dialect);
4979
4980 dialect_count++;
4981 }
4982 buf = state->in_input_buffer.data;
4983 SSVAL(buf, 22, dialect_count);
4984
4985 _save_should_sign = smb2cli_tcon_is_signing_on(tcon);
4986 smb2cli_tcon_should_sign(tcon, true);
4987 subreq = smb2cli_ioctl_send(state, ev, conn,
4988 timeout_msec, session, tcon,
4989 UINT64_MAX, /* in_fid_persistent */
4990 UINT64_MAX, /* in_fid_volatile */
4991 FSCTL_VALIDATE_NEGOTIATE_INFO,
4992 0, /* in_max_input_length */
4993 &state->in_input_buffer,
4994 24, /* in_max_output_length */
4995 &state->in_output_buffer,
4996 SMB2_IOCTL_FLAG_IS_FSCTL);
4997 smb2cli_tcon_should_sign(tcon, _save_should_sign);
4998 if (tevent_req_nomem(subreq, req)) {
4999 return tevent_req_post(req, ev);
5000 }
5001 tevent_req_set_callback(subreq,
5002 smb2cli_validate_negotiate_info_done,
5003 req);
5004
5005 return req;
5006 }
5007
5008 static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
5009 {
5010 struct tevent_req *req =
5011 tevent_req_callback_data(subreq,
5012 struct tevent_req);
5013 struct smb2cli_validate_negotiate_info_state *state =
5014 tevent_req_data(req,
5015 struct smb2cli_validate_negotiate_info_state);
5016 NTSTATUS status;
5017 const uint8_t *buf;
5018 uint32_t capabilities;
5019 DATA_BLOB guid_blob;
5020 struct GUID server_guid;
5021 uint16_t security_mode;
5022 uint16_t dialect;
5023
5024 status = smb2cli_ioctl_recv(subreq, state,
5025 &state->out_input_buffer,
5026 &state->out_output_buffer);
5027 TALLOC_FREE(subreq);
5028 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED)) {
5029 /*
5030 * The response was signed, but not supported
5031 *
5032 * Older Windows and Samba releases return
5033 * NT_STATUS_FILE_CLOSED.
5034 */
5035 tevent_req_done(req);
5036 return;
5037 }
5038 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_DEVICE_REQUEST)) {
5039 /*
5040 * The response was signed, but not supported
5041 *
5042 * This is returned by the NTVFS based Samba 4.x file server
5043 * for file shares.
5044 */
5045 tevent_req_done(req);
5046 return;
5047 }
5048 if (NT_STATUS_EQUAL(status, NT_STATUS_FS_DRIVER_REQUIRED)) {
5049 /*
5050 * The response was signed, but not supported
5051 *
5052 * This is returned by the NTVFS based Samba 4.x file server
5053 * for ipc shares.
5054 */
5055 tevent_req_done(req);
5056 return;
5057 }
5058 if (tevent_req_nterror(req, status)) {
5059 return;
5060 }
5061
5062 if (state->out_output_buffer.length != 24) {
5063 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
5064 return;
5065 }
5066
5067 buf = state->out_output_buffer.data;
5068
5069 capabilities = IVAL(buf, 0);
5070 guid_blob = data_blob_const(buf + 4, 16);
5071 status = GUID_from_data_blob(&guid_blob, &server_guid);
5072 if (tevent_req_nterror(req, status)) {
5073 return;
5074 }
5075 security_mode = CVAL(buf, 20);
5076 dialect = SVAL(buf, 22);
5077
5078 if (capabilities != state->conn->smb2.server.capabilities) {
5079 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5080 return;
5081 }
5082
5083 if (!GUID_equal(&server_guid, &state->conn->smb2.server.guid)) {
5084 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5085 return;
5086 }
5087
5088 if (security_mode != state->conn->smb2.server.security_mode) {
5089 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5090 return;
5091 }
5092
5093 if (dialect != state->dialect) {
5094 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5095 return;
5096 }
5097
5098 tevent_req_done(req);
5099 }
5100
5101 NTSTATUS smb2cli_validate_negotiate_info_recv(struct tevent_req *req)
5102 {
5103 return tevent_req_simple_recv_ntstatus(req);
5104 }
5105
5106 static int smbXcli_session_destructor(struct smbXcli_session *session)
5107 {
5108 if (session->conn == NULL) {
5109 return 0;
5110 }
5111
5112 DLIST_REMOVE(session->conn->sessions, session);
5113 return 0;
5114 }
5115
5116 struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
5117 struct smbXcli_conn *conn)
5118 {
5119 struct smbXcli_session *session;
5120
5121 session = talloc_zero(mem_ctx, struct smbXcli_session);
5122 if (session == NULL) {
5123 return NULL;
5124 }
5125 session->smb2 = talloc_zero(session, struct smb2cli_session);
5126 if (session->smb2 == NULL) {
5127 talloc_free(session);
5128 return NULL;
5129 }
5130 talloc_set_destructor(session, smbXcli_session_destructor);
5131
5132 DLIST_ADD_END(conn->sessions, session, struct smbXcli_session *);
5133 session->conn = conn;
5134
5135 memcpy(session->smb2_channel.preauth_sha512,
5136 conn->smb2.preauth_sha512,
5137 sizeof(session->smb2_channel.preauth_sha512));
5138
5139 return session;
5140 }
5141
5142 struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
5143 struct smbXcli_session *src)
5144 {
5145 struct smbXcli_session *session;
5146
5147 session = talloc_zero(mem_ctx, struct smbXcli_session);
5148 if (session == NULL) {
5149 return NULL;
5150 }
5151 session->smb2 = talloc_zero(session, struct smb2cli_session);
5152 if (session->smb2 == NULL) {
5153 talloc_free(session);
5154 return NULL;
5155 }
5156
5157 session->conn = src->conn;
5158 *session->smb2 = *src->smb2;
5159 session->smb2_channel = src->smb2_channel;
5160 session->disconnect_expired = src->disconnect_expired;
5161
5162 DLIST_ADD_END(src->conn->sessions, session, struct smbXcli_session *);
5163 talloc_set_destructor(session, smbXcli_session_destructor);
5164
5165 return session;
5166 }
5167
5168 bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
5169 {
5170 const DATA_BLOB *application_key;
5171
5172 if (session->conn == NULL) {
5173 return false;
5174 }
5175
5176 /*
5177 * If we have an application key we had a session key negotiated
5178 * at auth time.
5179 */
5180 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
5181 application_key = &session->smb2->application_key;
5182 } else {
5183 application_key = &session->smb1.application_key;
5184 }
5185
5186 if (application_key->length == 0) {
5187 return false;
5188 }
5189
5190 return true;
5191 }
5192
5193 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
5194 TALLOC_CTX *mem_ctx,
5195 DATA_BLOB *key)
5196 {
5197 const DATA_BLOB *application_key;
5198
5199 *key = data_blob_null;
5200
5201 if (session->conn == NULL) {
5202 return NT_STATUS_NO_USER_SESSION_KEY;
5203 }
5204
5205 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
5206 application_key = &session->smb2->application_key;
5207 } else {
5208 application_key = &session->smb1.application_key;
5209 }
5210
5211 if (application_key->length == 0) {
5212 return NT_STATUS_NO_USER_SESSION_KEY;
5213 }
5214
5215 *key = data_blob_dup_talloc(mem_ctx, *application_key);
5216 if (key->data == NULL) {
5217 return NT_STATUS_NO_MEMORY;
5218 }
5219
5220 return NT_STATUS_OK;
5221 }
5222
5223 void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session)
5224 {
5225 session->disconnect_expired = true;
5226 }
5227
5228 uint16_t smb1cli_session_current_id(struct smbXcli_session *session)
5229 {
5230 return session->smb1.session_id;
5231 }
5232
5233 void smb1cli_session_set_id(struct smbXcli_session *session,
5234 uint16_t session_id)
5235 {
5236 session->smb1.session_id = session_id;
5237 }
5238
5239 NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
5240 const DATA_BLOB _session_key)
5241 {
5242 struct smbXcli_conn *conn = session->conn;
5243 uint8_t session_key[16];
5244
5245 if (conn == NULL) {
5246 return NT_STATUS_INVALID_PARAMETER_MIX;
5247 }
5248
5249 if (session->smb1.application_key.length != 0) {
5250 /*
5251 * TODO: do not allow this...
5252 *
5253 * return NT_STATUS_INVALID_PARAMETER_MIX;
5254 */
5255 data_blob_clear_free(&session->smb1.application_key);
5256 session->smb1.protected_key = false;
5257 }
5258
5259 if (_session_key.length == 0) {
5260 return NT_STATUS_OK;
5261 }
5262
5263 ZERO_STRUCT(session_key);
5264 memcpy(session_key, _session_key.data,
5265 MIN(_session_key.length, sizeof(session_key)));
5266
5267 session->smb1.application_key = data_blob_talloc(session,
5268 session_key,
5269 sizeof(session_key));
5270 ZERO_STRUCT(session_key);
5271 if (session->smb1.application_key.data == NULL) {
5272 return NT_STATUS_NO_MEMORY;
5273 }
5274
5275 session->smb1.protected_key = false;
5276
5277 return NT_STATUS_OK;
5278 }
5279
5280 NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session)
5281 {
5282 if (session->smb1.protected_key) {
5283 /* already protected */
5284 return NT_STATUS_OK;
5285 }
5286
5287 if (session->smb1.application_key.length != 16) {
5288 return NT_STATUS_INVALID_PARAMETER_MIX;
5289 }
5290
5291 smb_key_derivation(session->smb1.application_key.data,
5292 session->smb1.application_key.length,
5293 session->smb1.application_key.data);
5294
5295 session->smb1.protected_key = true;
5296
5297 return NT_STATUS_OK;
5298 }
5299
5300 uint8_t smb2cli_session_security_mode(struct smbXcli_session *session)
5301 {
5302 struct smbXcli_conn *conn = session->conn;
5303 uint8_t security_mode = 0;
5304
5305 if (conn == NULL) {
5306 return security_mode;
5307 }
5308
5309 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
5310 if (conn->mandatory_signing) {
5311 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
5312 }
5313
5314 return security_mode;
5315 }
5316
5317 uint64_t smb2cli_session_current_id(struct smbXcli_session *session)
5318 {
5319 return session->smb2->session_id;
5320 }
5321
5322 uint16_t smb2cli_session_get_flags(struct smbXcli_session *session)
5323 {
5324 return session->smb2->session_flags;
5325 }
5326
5327 void smb2cli_session_set_id_and_flags(struct smbXcli_session *session,
5328 uint64_t session_id,
5329 uint16_t session_flags)
5330 {
5331 session->smb2->session_id = session_id;
5332 session->smb2->session_flags = session_flags;
5333 }
5334
5335 void smb2cli_session_increment_channel_sequence(struct smbXcli_session *session)
5336 {
5337 session->smb2->channel_sequence += 1;
5338 }
5339
5340 uint16_t smb2cli_session_reset_channel_sequence(struct smbXcli_session *session,
5341 uint16_t channel_sequence)
5342 {
5343 uint16_t prev_cs;
5344
5345 prev_cs = session->smb2->channel_sequence;
5346 session->smb2->channel_sequence = channel_sequence;
5347
5348 return prev_cs;
5349 }
5350
5351 void smb2cli_session_start_replay(struct smbXcli_session *session)
5352 {
5353 session->smb2->replay_active = true;
5354 }
5355
5356 void smb2cli_session_stop_replay(struct smbXcli_session *session)
5357 {
5358 session->smb2->replay_active = false;
5359 }
5360
5361 NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
5362 const struct iovec *iov)
5363 {
5364 struct hc_sha512state sctx;
5365 size_t i;
5366
5367 if (session->conn == NULL) {
5368 return NT_STATUS_INTERNAL_ERROR;
5369 }
5370
5371 if (session->conn->protocol < PROTOCOL_SMB3_10) {
5372 return NT_STATUS_OK;
5373 }
5374
5375 if (session->smb2_channel.signing_key.length != 0) {
5376 return NT_STATUS_OK;
5377 }
5378
5379 samba_SHA512_Init(&sctx);
5380 samba_SHA512_Update(&sctx, session->smb2_channel.preauth_sha512,
5381 sizeof(session->smb2_channel.preauth_sha512));
5382 for (i = 0; i < 3; i++) {
5383 samba_SHA512_Update(&sctx, iov[i].iov_base, iov[i].iov_len);
5384 }
5385 samba_SHA512_Final(session->smb2_channel.preauth_sha512, &sctx);
5386
5387 return NT_STATUS_OK;
5388 }
5389
5390 NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
5391 const DATA_BLOB _session_key,
5392 const struct iovec *recv_iov)
5393 {
5394 struct smbXcli_conn *conn = session->conn;
5395 uint16_t no_sign_flags;
5396 uint8_t session_key[16];
5397 bool check_signature = true;
5398 uint32_t hdr_flags;
5399 NTSTATUS status;
5400 struct _derivation {
5401 DATA_BLOB label;
5402 DATA_BLOB context;
5403 };
5404 struct {
5405 struct _derivation signing;
5406 struct _derivation encryption;
5407 struct _derivation decryption;
5408 struct _derivation application;
5409 } derivation = { };
5410
5411 if (conn == NULL) {
5412 return NT_STATUS_INVALID_PARAMETER_MIX;
5413 }
5414
5415 if (recv_iov[0].iov_len != SMB2_HDR_BODY) {
5416 return NT_STATUS_INVALID_PARAMETER_MIX;
5417 }
5418
5419 no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
5420
5421 if (session->smb2->session_flags & no_sign_flags) {
5422 session->smb2->should_sign = false;
5423 return NT_STATUS_OK;
5424 }
5425
5426 if (session->smb2->signing_key.length != 0) {
5427 return NT_STATUS_INVALID_PARAMETER_MIX;
5428 }
5429
5430 if (conn->protocol >= PROTOCOL_SMB3_10) {
5431 struct _derivation *d;
5432 DATA_BLOB p;
5433
5434 p = data_blob_const(session->smb2_channel.preauth_sha512,
5435 sizeof(session->smb2_channel.preauth_sha512));
5436
5437 d = &derivation.signing;
5438 d->label = data_blob_string_const_null("SMBSigningKey");
5439 d->context = p;
5440
5441 d = &derivation.encryption;
5442 d->label = data_blob_string_const_null("SMBC2SCipherKey");
5443 d->context = p;
5444
5445 d = &derivation.decryption;
5446 d->label = data_blob_string_const_null("SMBS2CCipherKey");
5447 d->context = p;
5448
5449 d = &derivation.application;
5450 d->label = data_blob_string_const_null("SMBAppKey");
5451 d->context = p;
5452
5453 } else if (conn->protocol >= PROTOCOL_SMB2_24) {
5454 struct _derivation *d;
5455
5456 d = &derivation.signing;
5457 d->label = data_blob_string_const_null("SMB2AESCMAC");
5458 d->context = data_blob_string_const_null("SmbSign");
5459
5460 d = &derivation.encryption;
5461 d->label = data_blob_string_const_null("SMB2AESCCM");
5462 d->context = data_blob_string_const_null("ServerIn ");
5463
5464 d = &derivation.decryption;
5465 d->label = data_blob_string_const_null("SMB2AESCCM");
5466 d->context = data_blob_string_const_null("ServerOut");
5467
5468 d = &derivation.application;
5469 d->label = data_blob_string_const_null("SMB2APP");
5470 d->context = data_blob_string_const_null("SmbRpc");
5471 }
5472
5473 ZERO_STRUCT(session_key);
5474 memcpy(session_key, _session_key.data,
5475 MIN(_session_key.length, sizeof(session_key)));
5476
5477 session->smb2->signing_key = data_blob_talloc(session,
5478 session_key,
5479 sizeof(session_key));
5480 if (session->smb2->signing_key.data == NULL) {
5481 ZERO_STRUCT(session_key);
5482 return NT_STATUS_NO_MEMORY;
5483 }
5484
5485 if (conn->protocol >= PROTOCOL_SMB2_24) {
5486 struct _derivation *d = &derivation.signing;
5487
5488 smb2_key_derivation(session_key, sizeof(session_key),
5489 d->label.data, d->label.length,
5490 d->context.data, d->context.length,
5491 session->smb2->signing_key.data);
5492 }
5493
5494 session->smb2->encryption_key = data_blob_dup_talloc(session,
5495 session->smb2->signing_key);
5496 if (session->smb2->encryption_key.data == NULL) {
5497 ZERO_STRUCT(session_key);
5498 return NT_STATUS_NO_MEMORY;
5499 }
5500
5501 if (conn->protocol >= PROTOCOL_SMB2_24) {
5502 struct _derivation *d = &derivation.encryption;
5503
5504 smb2_key_derivation(session_key, sizeof(session_key),
5505 d->label.data, d->label.length,
5506 d->context.data, d->context.length,
5507 session->smb2->encryption_key.data);
5508 }
5509
5510 session->smb2->decryption_key = data_blob_dup_talloc(session,
5511 session->smb2->signing_key);
5512 if (session->smb2->decryption_key.data == NULL) {
5513 ZERO_STRUCT(session_key);
5514 return NT_STATUS_NO_MEMORY;
5515 }
5516
5517 if (conn->protocol >= PROTOCOL_SMB2_24) {
5518 struct _derivation *d = &derivation.decryption;
5519
5520 smb2_key_derivation(session_key, sizeof(session_key),
5521 d->label.data, d->label.length,
5522 d->context.data, d->context.length,
5523 session->smb2->decryption_key.data);
5524 }
5525
5526 session->smb2->application_key = data_blob_dup_talloc(session,
5527 session->smb2->signing_key);
5528 if (session->smb2->application_key.data == NULL) {
5529 ZERO_STRUCT(session_key);
5530 return NT_STATUS_NO_MEMORY;
5531 }
5532
5533 if (conn->protocol >= PROTOCOL_SMB2_24) {
5534 struct _derivation *d = &derivation.application;
5535
5536 smb2_key_derivation(session_key, sizeof(session_key),
5537 d->label.data, d->label.length,
5538 d->context.data, d->context.length,
5539 session->smb2->application_key.data);
5540 }
5541 ZERO_STRUCT(session_key);
5542
5543 session->smb2_channel.signing_key = data_blob_dup_talloc(session,
5544 session->smb2->signing_key);
5545 if (session->smb2_channel.signing_key.data == NULL) {
5546 return NT_STATUS_NO_MEMORY;
5547 }
5548
5549 check_signature = conn->mandatory_signing;
5550
5551 hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS);
5552 if (hdr_flags & SMB2_HDR_FLAG_SIGNED) {
5553 /*
5554 * Sadly some vendors don't sign the
5555 * final SMB2 session setup response
5556 *
5557 * At least Windows and Samba are always doing this
5558 * if there's a session key available.
5559 *
5560 * We only check the signature if it's mandatory
5561 * or SMB2_HDR_FLAG_SIGNED is provided.
5562 */
5563 check_signature = true;
5564 }
5565
5566 if (conn->protocol >= PROTOCOL_SMB3_10) {
5567 check_signature = true;
5568 }
5569
5570 if (check_signature) {
5571 status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
5572 session->conn->protocol,
5573 recv_iov, 3);
5574 if (!NT_STATUS_IS_OK(status)) {
5575 return status;
5576 }
5577 }
5578
5579 session->smb2->should_sign = false;
5580 session->smb2->should_encrypt = false;
5581
5582 if (conn->desire_signing) {
5583 session->smb2->should_sign = true;
5584 }
5585
5586 if (conn->smb2.server.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
5587 session->smb2->should_sign = true;
5588 }
5589
5590 if (session->smb2->session_flags & SMB2_SESSION_FLAG_ENCRYPT_DATA) {
5591 session->smb2->should_encrypt = true;
5592 }
5593
5594 if (conn->protocol < PROTOCOL_SMB2_24) {
5595 session->smb2->should_encrypt = false;
5596 }
5597
5598 if (conn->smb2.server.cipher == 0) {
5599 session->smb2->should_encrypt = false;
5600 }
5601
5602 generate_random_buffer((uint8_t *)&session->smb2->nonce_high,
5603 sizeof(session->smb2->nonce_high));
5604 session->smb2->nonce_low = 1;
5605
5606 return NT_STATUS_OK;
5607 }
5608
5609 NTSTATUS smb2cli_session_create_channel(TALLOC_CTX *mem_ctx,
5610 struct smbXcli_session *session1,
5611 struct smbXcli_conn *conn,
5612 struct smbXcli_session **_session2)
5613 {
5614 struct smbXcli_session *session2;
5615
5616 if (session1->smb2->signing_key.length == 0) {
5617 return NT_STATUS_INVALID_PARAMETER_MIX;
5618 }
5619
5620 if (conn == NULL) {
5621 return NT_STATUS_INVALID_PARAMETER_MIX;
5622 }
5623
5624 session2 = talloc_zero(mem_ctx, struct smbXcli_session);
5625 if (session2 == NULL) {
5626 return NT_STATUS_NO_MEMORY;
5627 }
5628 session2->smb2 = talloc_reference(session2, session1->smb2);
5629 if (session2->smb2 == NULL) {
5630 talloc_free(session2);
5631 return NT_STATUS_NO_MEMORY;
5632 }
5633
5634 talloc_set_destructor(session2, smbXcli_session_destructor);
5635 DLIST_ADD_END(conn->sessions, session2, struct smbXcli_session *);
5636 session2->conn = conn;
5637
5638 memcpy(session2->smb2_channel.preauth_sha512,
5639 conn->smb2.preauth_sha512,
5640 sizeof(session2->smb2_channel.preauth_sha512));
5641
5642 *_session2 = session2;
5643 return NT_STATUS_OK;
5644 }
5645
5646 NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
5647 const DATA_BLOB _channel_key,
5648 const struct iovec *recv_iov)
5649 {
5650 struct smbXcli_conn *conn = session->conn;
5651 uint8_t channel_key[16];
5652 NTSTATUS status;
5653 struct _derivation {
5654 DATA_BLOB label;
5655 DATA_BLOB context;
5656 };
5657 struct {
5658 struct _derivation signing;
5659 } derivation = { };
5660
5661 if (conn == NULL) {
5662 return NT_STATUS_INVALID_PARAMETER_MIX;
5663 }
5664
5665 if (session->smb2_channel.signing_key.length != 0) {
5666 return NT_STATUS_INVALID_PARAMETER_MIX;
5667 }
5668
5669 if (conn->protocol >= PROTOCOL_SMB3_10) {
5670 struct _derivation *d;
5671 DATA_BLOB p;
5672
5673 p = data_blob_const(session->smb2_channel.preauth_sha512,
5674 sizeof(session->smb2_channel.preauth_sha512));
5675
5676 d = &derivation.signing;
5677 d->label = data_blob_string_const_null("SMBSigningKey");
5678 d->context = p;
5679 } else if (conn->protocol >= PROTOCOL_SMB2_24) {
5680 struct _derivation *d;
5681
5682 d = &derivation.signing;
5683 d->label = data_blob_string_const_null("SMB2AESCMAC");
5684 d->context = data_blob_string_const_null("SmbSign");
5685 }
5686
5687 ZERO_STRUCT(channel_key);
5688 memcpy(channel_key, _channel_key.data,
5689 MIN(_channel_key.length, sizeof(channel_key)));
5690
5691 session->smb2_channel.signing_key = data_blob_talloc(session,
5692 channel_key,
5693 sizeof(channel_key));
5694 if (session->smb2_channel.signing_key.data == NULL) {
5695 ZERO_STRUCT(channel_key);
5696 return NT_STATUS_NO_MEMORY;
5697 }
5698
5699 if (conn->protocol >= PROTOCOL_SMB2_24) {
5700 struct _derivation *d = &derivation.signing;
5701
5702 smb2_key_derivation(channel_key, sizeof(channel_key),
5703 d->label.data, d->label.length,
5704 d->context.data, d->context.length,
5705 session->smb2_channel.signing_key.data);
5706 }
5707 ZERO_STRUCT(channel_key);
5708
5709 status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
5710 session->conn->protocol,
5711 recv_iov, 3);
5712 if (!NT_STATUS_IS_OK(status)) {
5713 return status;
5714 }
5715
5716 return NT_STATUS_OK;
5717 }
5718
5719 NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
5720 {
5721 if (session->smb2->should_encrypt) {
5722 return NT_STATUS_OK;
5723 }
5724
5725 if (session->conn->protocol < PROTOCOL_SMB2_24) {
5726 return NT_STATUS_NOT_SUPPORTED;
5727 }
5728
5729 if (session->conn->smb2.server.cipher == 0) {
5730 return NT_STATUS_NOT_SUPPORTED;
5731 }
5732
5733 if (session->smb2->signing_key.data == NULL) {
5734 return NT_STATUS_NOT_SUPPORTED;
5735 }
5736 session->smb2->should_encrypt = true;
5737 return NT_STATUS_OK;
5738 }
5739
5740 struct smbXcli_tcon *smbXcli_tcon_create(TALLOC_CTX *mem_ctx)
5741 {
5742 struct smbXcli_tcon *tcon;
5743
5744 tcon = talloc_zero(mem_ctx, struct smbXcli_tcon);
5745 if (tcon == NULL) {
5746 return NULL;
5747 }
5748
5749 return tcon;
5750 }
5751
5752 void smbXcli_tcon_set_fs_attributes(struct smbXcli_tcon *tcon,
5753 uint32_t fs_attributes)
5754 {
5755 tcon->fs_attributes = fs_attributes;
5756 }
5757
5758 uint32_t smbXcli_tcon_get_fs_attributes(struct smbXcli_tcon *tcon)
5759 {
5760 return tcon->fs_attributes;
5761 }
5762
5763 bool smbXcli_tcon_is_dfs_share(struct smbXcli_tcon *tcon)
5764 {
5765 if (tcon == NULL) {
5766 return false;
5767 }
5768
5769 if (tcon->is_smb1) {
5770 if (tcon->smb1.optional_support & SMB_SHARE_IN_DFS) {
5771 return true;
5772 }
5773
5774 return false;
5775 }
5776
5777 if (tcon->smb2.capabilities & SMB2_SHARE_CAP_DFS) {
5778 return true;
5779 }
5780
5781 return false;
5782 }
5783
5784 uint16_t smb1cli_tcon_current_id(struct smbXcli_tcon *tcon)
5785 {
5786 return tcon->smb1.tcon_id;
5787 }
5788
5789 void smb1cli_tcon_set_id(struct smbXcli_tcon *tcon, uint16_t tcon_id)
5790 {
5791 tcon->is_smb1 = true;
5792 tcon->smb1.tcon_id = tcon_id;
5793 }
5794
5795 bool smb1cli_tcon_set_values(struct smbXcli_tcon *tcon,
5796 uint16_t tcon_id,
5797 uint16_t optional_support,
5798 uint32_t maximal_access,
5799 uint32_t guest_maximal_access,
5800 const char *service,
5801 const char *fs_type)
5802 {
5803 tcon->is_smb1 = true;
5804 tcon->fs_attributes = 0;
5805 tcon->smb1.tcon_id = tcon_id;
5806 tcon->smb1.optional_support = optional_support;
5807 tcon->smb1.maximal_access = maximal_access;
5808 tcon->smb1.guest_maximal_access = guest_maximal_access;
5809
5810 TALLOC_FREE(tcon->smb1.service);
5811 tcon->smb1.service = talloc_strdup(tcon, service);
5812 if (service != NULL && tcon->smb1.service == NULL) {
5813 return false;
5814 }
5815
5816 TALLOC_FREE(tcon->smb1.fs_type);
5817 tcon->smb1.fs_type = talloc_strdup(tcon, fs_type);
5818 if (fs_type != NULL && tcon->smb1.fs_type == NULL) {
5819 return false;
5820 }
5821
5822 return true;
5823 }
5824
5825 uint32_t smb2cli_tcon_current_id(struct smbXcli_tcon *tcon)
5826 {
5827 return tcon->smb2.tcon_id;
5828 }
5829
5830 uint32_t smb2cli_tcon_capabilities(struct smbXcli_tcon *tcon)
5831 {
5832 return tcon->smb2.capabilities;
5833 }
5834
5835 void smb2cli_tcon_set_values(struct smbXcli_tcon *tcon,
5836 struct smbXcli_session *session,
5837 uint32_t tcon_id,
5838 uint8_t type,
5839 uint32_t flags,
5840 uint32_t capabilities,
5841 uint32_t maximal_access)
5842 {
5843 tcon->is_smb1 = false;
5844 tcon->fs_attributes = 0;
5845 tcon->smb2.tcon_id = tcon_id;
5846 tcon->smb2.type = type;
5847 tcon->smb2.flags = flags;
5848 tcon->smb2.capabilities = capabilities;
5849 tcon->smb2.maximal_access = maximal_access;
5850
5851 tcon->smb2.should_sign = false;
5852 tcon->smb2.should_encrypt = false;
5853
5854 if (session == NULL) {
5855 return;
5856 }
5857
5858 tcon->smb2.should_sign = session->smb2->should_sign;
5859 tcon->smb2.should_encrypt = session->smb2->should_encrypt;
5860
5861 if (flags & SMB2_SHAREFLAG_ENCRYPT_DATA) {
5862 tcon->smb2.should_encrypt = true;
5863 }
5864 }
5865
5866 void smb2cli_tcon_should_sign(struct smbXcli_tcon *tcon,
5867 bool should_sign)
5868 {
5869 tcon->smb2.should_sign = should_sign;
5870 }
5871
5872 bool smb2cli_tcon_is_signing_on(struct smbXcli_tcon *tcon)
5873 {
5874 if (tcon->smb2.should_encrypt) {
5875 return true;
5876 }
5877
5878 return tcon->smb2.should_sign;
5879 }
5880
5881 void smb2cli_tcon_should_encrypt(struct smbXcli_tcon *tcon,
5882 bool should_encrypt)
5883 {
5884 tcon->smb2.should_encrypt = should_encrypt;
5885 }
5886
5887 bool smb2cli_tcon_is_encryption_on(struct smbXcli_tcon *tcon)
5888 {
5889 return tcon->smb2.should_encrypt;
5890 }
Samba GIT mirror