2 Unix SMB/CIFS implementation.
5 Copyright (C) Stefan Metzmacher 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../libcli/smb/smb2_negotiate_context.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "../librpc/ndr/libndr.h"
28 #include "../libcli/smb/smb_signing.h"
30 #include "auth/gensec/gensec.h"
31 #include "lib/util/string_wrappers.h"
32 #include "source3/lib/substitute.h"
33 #ifdef HAVE_VALGRIND_CALLGRIND_H
34 #include <valgrind/callgrind.h>
35 #endif /* HAVE_VALGRIND_CALLGRIND_H */
38 #define DBGC_CLASS DBGC_SMB2
41 * this is the entry point if SMB2 is selected via
42 * the SMB negprot and the given dialect.
44 static NTSTATUS
reply_smb20xx(struct smb_request
*req
, uint16_t dialect
)
50 size_t len
= SMB2_HDR_BODY
+ 0x24 + 2;
52 smb2_inpdu
= talloc_zero_array(talloc_tos(), uint8_t, len
);
53 if (smb2_inpdu
== NULL
) {
54 DEBUG(0, ("Could not push spnego blob\n"));
55 reply_nterror(req
, NT_STATUS_NO_MEMORY
);
56 return NT_STATUS_NO_MEMORY
;
58 smb2_hdr
= smb2_inpdu
;
59 smb2_body
= smb2_hdr
+ SMB2_HDR_BODY
;
60 smb2_dyn
= smb2_body
+ 0x24;
62 SIVAL(smb2_hdr
, SMB2_HDR_PROTOCOL_ID
, SMB2_MAGIC
);
63 SIVAL(smb2_hdr
, SMB2_HDR_LENGTH
, SMB2_HDR_BODY
);
65 SSVAL(smb2_body
, 0x00, 0x0024); /* struct size */
66 SSVAL(smb2_body
, 0x02, 0x0001); /* dialect count */
68 SSVAL(smb2_dyn
, 0x00, dialect
);
72 return smbd_smb2_process_negprot(req
->xconn
, 0, smb2_inpdu
, len
);
76 * this is the entry point if SMB2 is selected via
77 * the SMB negprot and the "SMB 2.002" dialect.
79 NTSTATUS
reply_smb2002(struct smb_request
*req
, uint16_t choice
)
81 return reply_smb20xx(req
, SMB2_DIALECT_REVISION_202
);
85 * this is the entry point if SMB2 is selected via
86 * the SMB negprot and the "SMB 2.???" dialect.
88 NTSTATUS
reply_smb20ff(struct smb_request
*req
, uint16_t choice
)
90 struct smbXsrv_connection
*xconn
= req
->xconn
;
91 xconn
->smb2
.allow_2ff
= true;
92 return reply_smb20xx(req
, SMB2_DIALECT_REVISION_2FF
);
95 enum protocol_types
smbd_smb2_protocol_dialect_match(const uint8_t *indyn
,
96 const int dialect_count
,
100 enum protocol_types proto
;
103 { PROTOCOL_SMB3_11
, SMB3_DIALECT_REVISION_311
},
104 { PROTOCOL_SMB3_02
, SMB3_DIALECT_REVISION_302
},
105 { PROTOCOL_SMB3_00
, SMB3_DIALECT_REVISION_300
},
106 { PROTOCOL_SMB2_10
, SMB2_DIALECT_REVISION_210
},
107 { PROTOCOL_SMB2_02
, SMB2_DIALECT_REVISION_202
},
111 for (i
= 0; i
< ARRAY_SIZE(pd
); i
++) {
114 if (lp_server_max_protocol() < pd
[i
].proto
) {
117 if (lp_server_min_protocol() > pd
[i
].proto
) {
121 for (c
= 0; c
< dialect_count
; c
++) {
122 *dialect
= SVAL(indyn
, c
*2);
123 if (*dialect
== pd
[i
].dialect
) {
129 return PROTOCOL_NONE
;
132 static NTSTATUS
smb2_negotiate_context_process_posix(
133 const struct smb2_negotiate_contexts
*in_c
,
136 struct smb2_negotiate_context
*in_posix
= NULL
;
137 const uint8_t *inbuf
= NULL
;
139 bool posix_found
= false;
145 if (!lp_smb3_unix_extensions(GLOBAL_SECTION_SNUM
)) {
149 in_posix
= smb2_negotiate_context_find(in_c
,
150 SMB2_POSIX_EXTENSIONS_AVAILABLE
);
151 if (in_posix
== NULL
) {
155 inbuf
= in_posix
->data
.data
;
156 inbuflen
= in_posix
->data
.length
;
159 * For now the server only supports one variant.
160 * Check it's the right one.
162 if ((inbuflen
% 16) != 0) {
163 return NT_STATUS_INVALID_PARAMETER
;
166 SMB_ASSERT(strlen(SMB2_CREATE_TAG_POSIX
) == 16);
168 for (ofs
= 0; ofs
< inbuflen
; ofs
+= 16) {
169 cmp
= memcmp(inbuf
+ofs
, SMB2_CREATE_TAG_POSIX
, 16);
177 DBG_DEBUG("Client requested unknown SMB3 Unix extensions:\n");
178 dump_data(10, inbuf
, inbuflen
);
182 DBG_DEBUG("Client requested SMB3 Unix extensions\n");
187 struct smbd_smb2_request_process_negprot_state
{
188 struct smbd_smb2_request
*req
;
193 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req
*subreq
);
195 NTSTATUS
smbd_smb2_request_process_negprot(struct smbd_smb2_request
*req
)
197 struct smbd_smb2_request_process_negprot_state
*state
= NULL
;
198 struct smbXsrv_connection
*xconn
= req
->xconn
;
199 struct tevent_req
*subreq
= NULL
;
201 const uint8_t *inbody
;
202 const uint8_t *indyn
= NULL
;
205 DATA_BLOB negprot_spnego_blob
;
206 uint16_t security_offset
;
207 DATA_BLOB security_buffer
;
208 size_t expected_dyn_size
= 0;
210 uint16_t security_mode
;
211 uint16_t dialect_count
;
212 uint16_t in_security_mode
;
213 uint32_t in_capabilities
;
214 DATA_BLOB in_guid_blob
;
216 struct smb2_negotiate_contexts in_c
= { .num_contexts
= 0, };
217 struct smb2_negotiate_context
*in_preauth
= NULL
;
218 struct smb2_negotiate_context
*in_cipher
= NULL
;
219 struct smb2_negotiate_context
*in_sign_algo
= NULL
;
220 struct smb2_negotiate_contexts out_c
= { .num_contexts
= 0, };
221 const struct smb311_capabilities default_smb3_capabilities
=
222 smb311_capabilities_parse("server",
223 lp_server_smb3_signing_algorithms(),
224 lp_server_smb3_encryption_algorithms());
225 DATA_BLOB out_negotiate_context_blob
= data_blob_null
;
226 uint32_t out_negotiate_context_offset
= 0;
227 uint16_t out_negotiate_context_count
= 0;
228 uint16_t dialect
= 0;
229 uint32_t capabilities
;
230 DATA_BLOB out_guid_blob
;
231 struct GUID out_guid
;
232 enum protocol_types protocol
= PROTOCOL_NONE
;
234 uint32_t max_trans
= lp_smb2_max_trans();
235 uint32_t max_read
= lp_smb2_max_read();
236 uint32_t max_write
= lp_smb2_max_write();
237 NTTIME now
= timeval_to_nttime(&req
->request_time
);
241 status
= smbd_smb2_request_verify_sizes(req
, 0x24);
242 if (!NT_STATUS_IS_OK(status
)) {
243 return smbd_smb2_request_error(req
, status
);
245 inbody
= SMBD_SMB2_IN_BODY_PTR(req
);
247 dialect_count
= SVAL(inbody
, 0x02);
249 in_security_mode
= SVAL(inbody
, 0x04);
250 in_capabilities
= IVAL(inbody
, 0x08);
251 in_guid_blob
= data_blob_const(inbody
+ 0x0C, 16);
253 if (dialect_count
== 0) {
254 return smbd_smb2_request_error(req
, NT_STATUS_INVALID_PARAMETER
);
257 status
= GUID_from_ndr_blob(&in_guid_blob
, &in_guid
);
258 if (!NT_STATUS_IS_OK(status
)) {
259 return smbd_smb2_request_error(req
, status
);
262 expected_dyn_size
= dialect_count
* 2;
263 if (SMBD_SMB2_IN_DYN_LEN(req
) < expected_dyn_size
) {
264 return smbd_smb2_request_error(req
, NT_STATUS_INVALID_PARAMETER
);
266 indyn
= SMBD_SMB2_IN_DYN_PTR(req
);
268 protocol
= smbd_smb2_protocol_dialect_match(indyn
,
272 for (c
=0; protocol
== PROTOCOL_NONE
&& c
< dialect_count
; c
++) {
273 if (lp_server_max_protocol() < PROTOCOL_SMB2_10
) {
277 dialect
= SVAL(indyn
, c
*2);
278 if (dialect
== SMB2_DIALECT_REVISION_2FF
) {
279 if (xconn
->smb2
.allow_2ff
) {
280 xconn
->smb2
.allow_2ff
= false;
281 protocol
= PROTOCOL_SMB2_10
;
287 if (protocol
== PROTOCOL_NONE
) {
288 return smbd_smb2_request_error(req
, NT_STATUS_NOT_SUPPORTED
);
291 if (protocol
>= PROTOCOL_SMB3_11
) {
292 uint32_t in_negotiate_context_offset
= 0;
293 uint16_t in_negotiate_context_count
= 0;
294 DATA_BLOB in_negotiate_context_blob
= data_blob_null
;
297 in_negotiate_context_offset
= IVAL(inbody
, 0x1C);
298 in_negotiate_context_count
= SVAL(inbody
, 0x20);
301 ofs
+= SMBD_SMB2_IN_BODY_LEN(req
);
302 ofs
+= expected_dyn_size
;
303 if ((ofs
% 8) != 0) {
304 ofs
+= 8 - (ofs
% 8);
307 if (in_negotiate_context_offset
!= ofs
) {
308 return smbd_smb2_request_error(req
,
309 NT_STATUS_INVALID_PARAMETER
);
312 ofs
-= SMB2_HDR_BODY
;
313 ofs
-= SMBD_SMB2_IN_BODY_LEN(req
);
315 if (SMBD_SMB2_IN_DYN_LEN(req
) < ofs
) {
316 return smbd_smb2_request_error(req
,
317 NT_STATUS_INVALID_PARAMETER
);
320 in_negotiate_context_blob
= data_blob_const(indyn
,
321 SMBD_SMB2_IN_DYN_LEN(req
));
323 in_negotiate_context_blob
.data
+= ofs
;
324 in_negotiate_context_blob
.length
-= ofs
;
326 status
= smb2_negotiate_context_parse(req
,
327 in_negotiate_context_blob
,
328 in_negotiate_context_count
,
330 if (!NT_STATUS_IS_OK(status
)) {
331 return smbd_smb2_request_error(req
, status
);
334 status
= smb2_negotiate_context_process_posix(&in_c
, &posix
);
335 if (!NT_STATUS_IS_OK(status
)) {
336 return smbd_smb2_request_error(req
, status
);
340 if ((dialect
!= SMB2_DIALECT_REVISION_2FF
) &&
341 (protocol
>= PROTOCOL_SMB2_10
) &&
342 !GUID_all_zero(&in_guid
))
344 ok
= remote_arch_cache_update(&in_guid
);
346 return smbd_smb2_request_error(
347 req
, NT_STATUS_UNSUCCESSFUL
);
351 switch (get_remote_arch()) {
358 set_remote_arch(RA_VISTA
);
366 (dialect
>> 8) & 0xFF, dialect
& 0xFF);
367 set_remote_proto(proto
);
368 DEBUG(3,("Selected protocol %s\n", proto
));
371 reload_services(req
->sconn
, conn_snum_used
, true);
373 in_preauth
= smb2_negotiate_context_find(&in_c
,
374 SMB2_PREAUTH_INTEGRITY_CAPABILITIES
);
375 if (protocol
>= PROTOCOL_SMB3_11
&& in_preauth
== NULL
) {
376 return smbd_smb2_request_error(req
, NT_STATUS_INVALID_PARAMETER
);
378 in_cipher
= smb2_negotiate_context_find(&in_c
,
379 SMB2_ENCRYPTION_CAPABILITIES
);
380 in_sign_algo
= smb2_negotiate_context_find(&in_c
,
381 SMB2_SIGNING_CAPABILITIES
);
383 /* negprot_spnego() returns the server guid in the first 16 bytes */
384 negprot_spnego_blob
= negprot_spnego(req
, xconn
);
385 if (negprot_spnego_blob
.data
== NULL
) {
386 return smbd_smb2_request_error(req
, NT_STATUS_NO_MEMORY
);
389 if (negprot_spnego_blob
.length
< 16) {
390 return smbd_smb2_request_error(req
, NT_STATUS_INTERNAL_ERROR
);
393 security_mode
= SMB2_NEGOTIATE_SIGNING_ENABLED
;
394 if (xconn
->smb2
.signing_mandatory
) {
395 security_mode
|= SMB2_NEGOTIATE_SIGNING_REQUIRED
;
399 if (lp_host_msdfs()) {
400 capabilities
|= SMB2_CAP_DFS
;
403 if (protocol
>= PROTOCOL_SMB2_10
&&
405 lp_oplocks(GLOBAL_SECTION_SNUM
) &&
406 !lp_kernel_oplocks(GLOBAL_SECTION_SNUM
))
408 capabilities
|= SMB2_CAP_LEASING
;
411 if ((protocol
>= PROTOCOL_SMB3_00
) &&
412 (lp_server_smb_encrypt(-1) != SMB_ENCRYPTION_OFF
) &&
413 (in_capabilities
& SMB2_CAP_ENCRYPTION
)) {
414 capabilities
|= SMB2_CAP_ENCRYPTION
;
418 * 0x10000 (65536) is the maximum allowed message size
423 if (protocol
>= PROTOCOL_SMB2_10
) {
426 if (tsocket_address_is_inet(req
->sconn
->local_address
, "ip")) {
427 p
= tsocket_address_inet_port(req
->sconn
->local_address
);
430 /* largeMTU is not supported over NBT (tcp port 139) */
431 if (p
!= NBT_SMB_PORT
) {
432 capabilities
|= SMB2_CAP_LARGE_MTU
;
433 xconn
->smb2
.credits
.multicredit
= true;
436 * We allow up to almost 16MB.
438 * The maximum PDU size is 0xFFFFFF (16776960)
439 * and we need some space for the header.
441 max_limit
= 0xFFFF00;
446 * the defaults are 8MB, but we'll limit this to max_limit based on
447 * the dialect (64kb for SMB 2.0, 8MB for SMB >= 2.1 with LargeMTU)
449 * user configured values exceeding the limits will be overwritten,
450 * only smaller values will be accepted
453 max_trans
= MIN(max_limit
, lp_smb2_max_trans());
454 max_read
= MIN(max_limit
, lp_smb2_max_read());
455 max_write
= MIN(max_limit
, lp_smb2_max_write());
457 if (in_preauth
!= NULL
) {
460 uint16_t salt_length
;
461 uint16_t selected_preauth
= 0;
466 if (in_preauth
->data
.length
< needed
) {
467 return smbd_smb2_request_error(req
,
468 NT_STATUS_INVALID_PARAMETER
);
471 hash_count
= SVAL(in_preauth
->data
.data
, 0);
472 salt_length
= SVAL(in_preauth
->data
.data
, 2);
474 if (hash_count
== 0) {
475 return smbd_smb2_request_error(req
,
476 NT_STATUS_INVALID_PARAMETER
);
479 p
= in_preauth
->data
.data
+ needed
;
480 needed
+= hash_count
* 2;
481 needed
+= salt_length
;
483 if (in_preauth
->data
.length
< needed
) {
484 return smbd_smb2_request_error(req
,
485 NT_STATUS_INVALID_PARAMETER
);
488 for (i
=0; i
< hash_count
; i
++) {
494 if (v
== SMB2_PREAUTH_INTEGRITY_SHA512
) {
495 selected_preauth
= v
;
500 if (selected_preauth
== 0) {
501 return smbd_smb2_request_error(req
,
502 NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP
);
505 SSVAL(buf
, 0, 1); /* HashAlgorithmCount */
506 SSVAL(buf
, 2, 32); /* SaltLength */
507 SSVAL(buf
, 4, selected_preauth
);
508 generate_random_buffer(buf
+ 6, 32);
510 status
= smb2_negotiate_context_add(
513 SMB2_PREAUTH_INTEGRITY_CAPABILITIES
,
516 if (!NT_STATUS_IS_OK(status
)) {
517 return smbd_smb2_request_error(req
, status
);
520 req
->preauth
= &req
->xconn
->smb2
.preauth
;
523 if (protocol
>= PROTOCOL_SMB3_00
) {
524 xconn
->smb2
.server
.sign_algo
= SMB2_SIGNING_AES128_CMAC
;
526 xconn
->smb2
.server
.sign_algo
= SMB2_SIGNING_HMAC_SHA256
;
529 if ((capabilities
& SMB2_CAP_ENCRYPTION
) && (in_cipher
!= NULL
)) {
530 const struct smb3_encryption_capabilities
*srv_ciphers
=
531 &default_smb3_capabilities
.encryption
;
532 uint16_t srv_preferred_idx
= UINT16_MAX
;
534 uint16_t cipher_count
;
539 capabilities
&= ~SMB2_CAP_ENCRYPTION
;
541 if (in_cipher
->data
.length
< needed
) {
542 return smbd_smb2_request_error(req
,
543 NT_STATUS_INVALID_PARAMETER
);
546 cipher_count
= SVAL(in_cipher
->data
.data
, 0);
547 if (cipher_count
== 0) {
548 return smbd_smb2_request_error(req
,
549 NT_STATUS_INVALID_PARAMETER
);
552 p
= in_cipher
->data
.data
+ needed
;
553 needed
+= cipher_count
* 2;
555 if (in_cipher
->data
.length
< needed
) {
556 return smbd_smb2_request_error(req
,
557 NT_STATUS_INVALID_PARAMETER
);
560 for (i
=0; i
< cipher_count
; i
++) {
567 for (si
= 0; si
< srv_ciphers
->num_algos
; si
++) {
568 if (srv_ciphers
->algos
[si
] != v
) {
573 * The server ciphers are listed
574 * with the lowest idx being preferred.
576 if (si
< srv_preferred_idx
) {
577 srv_preferred_idx
= si
;
583 if (srv_preferred_idx
!= UINT16_MAX
) {
584 xconn
->smb2
.server
.cipher
=
585 srv_ciphers
->algos
[srv_preferred_idx
];
588 SSVAL(buf
, 0, 1); /* ChiperCount */
589 SSVAL(buf
, 2, xconn
->smb2
.server
.cipher
);
591 status
= smb2_negotiate_context_add(
594 SMB2_ENCRYPTION_CAPABILITIES
,
597 if (!NT_STATUS_IS_OK(status
)) {
598 return smbd_smb2_request_error(req
, status
);
602 if (capabilities
& SMB2_CAP_ENCRYPTION
) {
603 xconn
->smb2
.server
.cipher
= SMB2_ENCRYPTION_AES128_CCM
;
606 if (in_sign_algo
!= NULL
) {
607 const struct smb3_signing_capabilities
*srv_sign_algos
=
608 &default_smb3_capabilities
.signing
;
609 uint16_t srv_preferred_idx
= UINT16_MAX
;
611 uint16_t sign_algo_count
;
615 if (in_sign_algo
->data
.length
< needed
) {
616 return smbd_smb2_request_error(req
,
617 NT_STATUS_INVALID_PARAMETER
);
620 sign_algo_count
= SVAL(in_sign_algo
->data
.data
, 0);
621 if (sign_algo_count
== 0) {
622 return smbd_smb2_request_error(req
,
623 NT_STATUS_INVALID_PARAMETER
);
626 p
= in_sign_algo
->data
.data
+ needed
;
627 needed
+= sign_algo_count
* 2;
629 if (in_sign_algo
->data
.length
< needed
) {
630 return smbd_smb2_request_error(req
,
631 NT_STATUS_INVALID_PARAMETER
);
634 for (i
=0; i
< sign_algo_count
; i
++) {
641 for (si
= 0; si
< srv_sign_algos
->num_algos
; si
++) {
642 if (srv_sign_algos
->algos
[si
] != v
) {
647 * The server sign_algos are listed
648 * with the lowest idx being preferred.
650 if (si
< srv_preferred_idx
) {
651 srv_preferred_idx
= si
;
658 * If we found a match announce it
659 * otherwise we'll keep the default
660 * of SMB2_SIGNING_AES128_CMAC
662 if (srv_preferred_idx
!= UINT16_MAX
) {
665 xconn
->smb2
.server
.sign_algo
=
666 srv_sign_algos
->algos
[srv_preferred_idx
];
668 SSVAL(buf
, 0, 1); /* SigningAlgorithmCount */
669 SSVAL(buf
, 2, xconn
->smb2
.server
.sign_algo
);
671 status
= smb2_negotiate_context_add(
674 SMB2_SIGNING_CAPABILITIES
,
677 if (!NT_STATUS_IS_OK(status
)) {
678 return smbd_smb2_request_error(req
, status
);
683 status
= smb311_capabilities_check(&default_smb3_capabilities
,
686 NT_STATUS_INVALID_PARAMETER
,
689 xconn
->smb2
.server
.sign_algo
,
690 xconn
->smb2
.server
.cipher
);
691 if (!NT_STATUS_IS_OK(status
)) {
692 return smbd_smb2_request_error(req
, status
);
695 if (protocol
>= PROTOCOL_SMB3_00
&&
696 xconn
->client
->server_multi_channel_enabled
)
698 if (in_capabilities
& SMB2_CAP_MULTI_CHANNEL
) {
699 capabilities
|= SMB2_CAP_MULTI_CHANNEL
;
703 security_offset
= SMB2_HDR_BODY
+ 0x40;
706 /* Try SPNEGO auth... */
707 security_buffer
= data_blob_const(negprot_spnego_blob
.data
+ 16,
708 negprot_spnego_blob
.length
- 16);
710 /* for now we want raw NTLMSSP */
711 security_buffer
= data_blob_const(NULL
, 0);
715 /* Client correctly negotiated SMB2 unix extensions. */
716 const uint8_t *buf
= (const uint8_t *)SMB2_CREATE_TAG_POSIX
;
717 status
= smb2_negotiate_context_add(
720 SMB2_POSIX_EXTENSIONS_AVAILABLE
,
723 if (!NT_STATUS_IS_OK(status
)) {
724 return smbd_smb2_request_error(req
, status
);
726 xconn
->smb2
.server
.posix_extensions_negotiated
= true;
729 if (out_c
.num_contexts
!= 0) {
730 status
= smb2_negotiate_context_push(req
,
731 &out_negotiate_context_blob
,
733 if (!NT_STATUS_IS_OK(status
)) {
734 return smbd_smb2_request_error(req
, status
);
738 if (out_negotiate_context_blob
.length
!= 0) {
739 static const uint8_t zeros
[8];
743 outdyn
= data_blob_dup_talloc(req
, security_buffer
);
744 if (outdyn
.length
!= security_buffer
.length
) {
745 return smbd_smb2_request_error(req
,
746 NT_STATUS_NO_MEMORY
);
749 ofs
= security_offset
+ security_buffer
.length
;
750 if ((ofs
% 8) != 0) {
755 ok
= data_blob_append(req
, &outdyn
, zeros
, pad
);
757 return smbd_smb2_request_error(req
,
758 NT_STATUS_NO_MEMORY
);
761 ok
= data_blob_append(req
, &outdyn
,
762 out_negotiate_context_blob
.data
,
763 out_negotiate_context_blob
.length
);
765 return smbd_smb2_request_error(req
,
766 NT_STATUS_NO_MEMORY
);
769 out_negotiate_context_offset
= ofs
;
770 out_negotiate_context_count
= out_c
.num_contexts
;
772 outdyn
= security_buffer
;
775 out_guid_blob
= data_blob_const(negprot_spnego_blob
.data
, 16);
776 status
= GUID_from_ndr_blob(&out_guid_blob
, &out_guid
);
777 if (!NT_STATUS_IS_OK(status
)) {
778 return smbd_smb2_request_error(req
, status
);
781 outbody
= smbd_smb2_generate_outbody(req
, 0x40);
782 if (outbody
.data
== NULL
) {
783 return smbd_smb2_request_error(req
, NT_STATUS_NO_MEMORY
);
786 SSVAL(outbody
.data
, 0x00, 0x40 + 1); /* struct size */
787 SSVAL(outbody
.data
, 0x02,
788 security_mode
); /* security mode */
789 SSVAL(outbody
.data
, 0x04, dialect
); /* dialect revision */
790 SSVAL(outbody
.data
, 0x06,
791 out_negotiate_context_count
); /* reserved/NegotiateContextCount */
792 memcpy(outbody
.data
+ 0x08,
793 out_guid_blob
.data
, 16); /* server guid */
794 SIVAL(outbody
.data
, 0x18,
795 capabilities
); /* capabilities */
796 SIVAL(outbody
.data
, 0x1C, max_trans
); /* max transact size */
797 SIVAL(outbody
.data
, 0x20, max_read
); /* max read size */
798 SIVAL(outbody
.data
, 0x24, max_write
); /* max write size */
799 SBVAL(outbody
.data
, 0x28, now
); /* system time */
800 SBVAL(outbody
.data
, 0x30, 0); /* server start time */
801 SSVAL(outbody
.data
, 0x38,
802 security_offset
); /* security buffer offset */
803 SSVAL(outbody
.data
, 0x3A,
804 security_buffer
.length
); /* security buffer length */
805 SIVAL(outbody
.data
, 0x3C,
806 out_negotiate_context_offset
); /* reserved/NegotiateContextOffset */
808 if (dialect
== SMB2_DIALECT_REVISION_2FF
) {
809 return smbd_smb2_request_done(req
, outbody
, &outdyn
);
812 status
= smbXsrv_connection_init_tables(xconn
, protocol
);
813 if (!NT_STATUS_IS_OK(status
)) {
814 return smbd_smb2_request_error(req
, status
);
817 xconn
->smb2
.client
.capabilities
= in_capabilities
;
818 xconn
->smb2
.client
.security_mode
= in_security_mode
;
819 xconn
->smb2
.client
.guid
= in_guid
;
820 xconn
->smb2
.client
.num_dialects
= dialect_count
;
821 xconn
->smb2
.client
.dialects
= talloc_array(xconn
,
824 if (xconn
->smb2
.client
.dialects
== NULL
) {
825 return smbd_smb2_request_error(req
, NT_STATUS_NO_MEMORY
);
827 for (c
=0; c
< dialect_count
; c
++) {
828 xconn
->smb2
.client
.dialects
[c
] = SVAL(indyn
, c
*2);
831 xconn
->smb2
.server
.capabilities
= capabilities
;
832 xconn
->smb2
.server
.security_mode
= security_mode
;
833 xconn
->smb2
.server
.guid
= out_guid
;
834 xconn
->smb2
.server
.dialect
= dialect
;
835 xconn
->smb2
.server
.max_trans
= max_trans
;
836 xconn
->smb2
.server
.max_read
= max_read
;
837 xconn
->smb2
.server
.max_write
= max_write
;
839 if (xconn
->protocol
< PROTOCOL_SMB2_10
) {
841 * SMB2_02 doesn't support client guids
843 return smbd_smb2_request_done(req
, outbody
, &outdyn
);
846 if (!xconn
->client
->server_multi_channel_enabled
) {
848 * Only deal with the client guid database
849 * if multi-channel is enabled.
851 * But we still need to setup
852 * xconn->client->global->client_guid to
855 xconn
->client
->global
->client_guid
=
856 xconn
->smb2
.client
.guid
;
857 return smbd_smb2_request_done(req
, outbody
, &outdyn
);
860 if (xconn
->smb2
.client
.guid_verified
) {
862 * The connection was passed from another
865 return smbd_smb2_request_done(req
, outbody
, &outdyn
);
868 state
= talloc_zero(req
, struct smbd_smb2_request_process_negprot_state
);
870 return smbd_smb2_request_error(req
, NT_STATUS_NO_MEMORY
);
872 *state
= (struct smbd_smb2_request_process_negprot_state
) {
878 subreq
= smb2srv_client_mc_negprot_send(state
,
879 req
->xconn
->client
->raw_ev_ctx
,
881 if (subreq
== NULL
) {
882 return smbd_smb2_request_error(req
, NT_STATUS_NO_MEMORY
);
884 tevent_req_set_callback(subreq
,
885 smbd_smb2_request_process_negprot_mc_done
,
890 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req
*subreq
)
892 struct smbd_smb2_request_process_negprot_state
*state
=
893 tevent_req_callback_data(subreq
,
894 struct smbd_smb2_request_process_negprot_state
);
895 struct smbd_smb2_request
*req
= state
->req
;
896 struct smbXsrv_connection
*xconn
= req
->xconn
;
899 status
= smb2srv_client_mc_negprot_recv(subreq
);
901 if (NT_STATUS_EQUAL(status
, NT_STATUS_MESSAGE_RETRIEVED
)) {
903 * The connection was passed to another process
905 * We mark the error as NT_STATUS_CONNECTION_IN_USE,
906 * in order to indicate to low level code if
907 * ctdbd_unregister_ips() or ctdbd_passed_ips()
910 smbXsrv_connection_disconnect_transport(xconn
,
911 NT_STATUS_CONNECTION_IN_USE
);
912 smbd_server_connection_terminate(xconn
,
913 "passed connection");
915 * smbd_server_connection_terminate() should not return!
917 smb_panic(__location__
);
920 if (!NT_STATUS_IS_OK(status
)) {
921 status
= smbd_smb2_request_error(req
, status
);
922 if (NT_STATUS_IS_OK(status
)) {
927 * The connection was passed to another process
929 smbd_server_connection_terminate(xconn
, nt_errstr(status
));
931 * smbd_server_connection_terminate() should not return!
933 smb_panic(__location__
);
938 * We're the first connection...
940 status
= smbd_smb2_request_done(req
, state
->outbody
, &state
->outdyn
);
941 if (NT_STATUS_IS_OK(status
)) {
943 * This allows us to support starting smbd under
944 * callgrind and only start the overhead and
945 * instrumentation after the SMB2 negprot,
946 * this allows us to profile only useful
947 * stuff and not all the smbd startup, forking
948 * and multichannel handling.
950 * valgrind --tool=callgrind --instr-atstart=no smbd
952 #ifdef CALLGRIND_START_INSTRUMENTATION
953 CALLGRIND_START_INSTRUMENTATION
;
959 * The connection was passed to another process
961 smbd_server_connection_terminate(xconn
, nt_errstr(status
));
963 * smbd_server_connection_terminate() should not return!
965 smb_panic(__location__
);
969 /****************************************************************************
970 Generate the spnego negprot reply blob. Return the number of bytes used.
971 ****************************************************************************/
973 DATA_BLOB
negprot_spnego(TALLOC_CTX
*ctx
, struct smbXsrv_connection
*xconn
)
975 DATA_BLOB blob
= data_blob_null
;
976 DATA_BLOB blob_out
= data_blob_null
;
983 struct gensec_security
*gensec_security
;
985 /* See if we can get an SPNEGO blob */
986 status
= auth_generic_prepare(talloc_tos(),
987 xconn
->remote_address
,
988 xconn
->local_address
,
993 * Despite including it above, there is no need to set a
994 * remote address or similar as we are just interested in the
995 * SPNEGO blob, we never keep this context.
998 if (NT_STATUS_IS_OK(status
)) {
999 status
= gensec_start_mech_by_oid(gensec_security
, GENSEC_OID_SPNEGO
);
1000 if (NT_STATUS_IS_OK(status
)) {
1001 status
= gensec_update(gensec_security
, ctx
,
1002 data_blob_null
, &blob
);
1003 /* If we get the list of OIDs, the 'OK' answer
1004 * is NT_STATUS_MORE_PROCESSING_REQUIRED */
1005 if (!NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
1006 DEBUG(0, ("Failed to start SPNEGO handler for negprot OID list!\n"));
1007 blob
= data_blob_null
;
1010 TALLOC_FREE(gensec_security
);
1013 #if defined(WITH_SMB1SERVER)
1014 xconn
->smb1
.negprot
.spnego
= true;
1017 /* strangely enough, NT does not sent the single OID NTLMSSP when
1018 not a ADS member, it sends no OIDs at all
1020 OLD COMMENT : "we can't do this until we teach our session setup parser to know
1021 about raw NTLMSSP (clients send no ASN.1 wrapping if we do this)"
1023 Our sessionsetup code now handles raw NTLMSSP connects, so we can go
1024 back to doing what W2K3 does here. This is needed to make PocketPC 2003
1025 CIFS connections work with SPNEGO. See bugzilla bugs #1828 and #3133
1030 if (blob
.length
== 0 || blob
.data
== NULL
) {
1031 return data_blob_null
;
1034 blob_out
= data_blob_talloc(ctx
, NULL
, 16 + blob
.length
);
1035 if (blob_out
.data
== NULL
) {
1036 data_blob_free(&blob
);
1037 return data_blob_null
;
1040 memset(blob_out
.data
, '\0', 16);
1042 checked_strlcpy(unix_name
, lp_netbios_name(), sizeof(unix_name
));
1043 (void)strlower_m(unix_name
);
1044 push_ascii_nstring(dos_name
, unix_name
);
1045 strlcpy((char *)blob_out
.data
, dos_name
, 17);
1048 /* Fix valgrind 'uninitialized bytes' issue. */
1049 slen
= strlen(dos_name
);
1051 memset(blob_out
.data
+slen
, '\0', 16 - slen
);
1055 memcpy(&blob_out
.data
[16], blob
.data
, blob
.length
);
1057 data_blob_free(&blob
);
1063 * MS-CIFS, 2.2.4.52.2 SMB_COM_NEGOTIATE Response:
1064 * If the server does not support any of the listed dialects, it MUST return a
1065 * DialectIndex of 0XFFFF
1067 #define NO_PROTOCOL_CHOSEN 0xffff
1069 #define PROT_SMB_2_002 0x1000
1070 #define PROT_SMB_2_FF 0x2000
1072 /* List of supported SMB1 protocols, most desired first.
1073 * This is for enabling multi-protocol negotiation in SMB2 when SMB1
1076 static const struct {
1077 const char *proto_name
;
1078 const char *short_name
;
1079 NTSTATUS (*proto_reply_fn
)(struct smb_request
*req
, uint16_t choice
);
1081 } supported_protocols
[] = {
1082 {"SMB 2.???", "SMB2_FF", reply_smb20ff
, PROTOCOL_SMB2_10
},
1083 {"SMB 2.002", "SMB2_02", reply_smb2002
, PROTOCOL_SMB2_02
},
1087 /****************************************************************************
1089 conn POINTER CAN BE NULL HERE !
1090 ****************************************************************************/
1092 NTSTATUS
smb2_multi_protocol_reply_negprot(struct smb_request
*req
)
1095 bool choice_set
= false;
1101 size_t converted_size
;
1102 struct smbXsrv_connection
*xconn
= req
->xconn
;
1103 struct smbd_server_connection
*sconn
= req
->sconn
;
1108 START_PROFILE(SMBnegprot
);
1110 if (req
->buflen
== 0) {
1111 DEBUG(0, ("negprot got no protocols\n"));
1112 reply_nterror(req
, NT_STATUS_INVALID_PARAMETER
);
1113 END_PROFILE(SMBnegprot
);
1114 return NT_STATUS_INVALID_PARAMETER
;
1117 if (req
->buf
[req
->buflen
-1] != '\0') {
1118 DEBUG(0, ("negprot protocols not 0-terminated\n"));
1119 reply_nterror(req
, NT_STATUS_INVALID_PARAMETER
);
1120 END_PROFILE(SMBnegprot
);
1121 return NT_STATUS_INVALID_PARAMETER
;
1124 p
= (const char *)req
->buf
+ 1;
1129 while (smbreq_bufrem(req
, p
) > 0) {
1133 tmp
= talloc_realloc(talloc_tos(), cliprotos
, char *,
1136 DEBUG(0, ("talloc failed\n"));
1137 TALLOC_FREE(cliprotos
);
1138 reply_nterror(req
, NT_STATUS_NO_MEMORY
);
1139 END_PROFILE(SMBnegprot
);
1140 return NT_STATUS_NO_MEMORY
;
1145 if (!pull_ascii_talloc(cliprotos
, &cliprotos
[num_cliprotos
], p
,
1147 DEBUG(0, ("pull_ascii_talloc failed\n"));
1148 TALLOC_FREE(cliprotos
);
1149 reply_nterror(req
, NT_STATUS_NO_MEMORY
);
1150 END_PROFILE(SMBnegprot
);
1151 return NT_STATUS_NO_MEMORY
;
1154 DEBUG(3, ("Requested protocol [%s]\n",
1155 cliprotos
[num_cliprotos
]));
1161 /* possibly reload - change of architecture */
1162 reload_services(sconn
, conn_snum_used
, true);
1165 * Anything higher than PROTOCOL_SMB2_10 still
1166 * needs to go via "SMB 2.???", which is marked
1167 * as PROTOCOL_SMB2_10.
1169 * The real negotiation happens via reply_smb20ff()
1170 * using SMB2 Negotiation.
1172 max_proto
= lp_server_max_protocol();
1173 if (max_proto
> PROTOCOL_SMB2_10
) {
1174 max_proto
= PROTOCOL_SMB2_10
;
1176 min_proto
= lp_server_min_protocol();
1177 if (min_proto
> PROTOCOL_SMB2_10
) {
1178 min_proto
= PROTOCOL_SMB2_10
;
1181 /* Check for protocols, most desirable first */
1182 for (protocol
= 0; supported_protocols
[protocol
].proto_name
; protocol
++) {
1184 if ((supported_protocols
[protocol
].protocol_level
<= max_proto
) &&
1185 (supported_protocols
[protocol
].protocol_level
>= min_proto
))
1186 while (i
< num_cliprotos
) {
1187 if (strequal(cliprotos
[i
],supported_protocols
[protocol
].proto_name
)) {
1201 DBG_NOTICE("No protocol supported !\n");
1202 reply_smb1_outbuf(req
, 1, 0);
1203 SSVAL(req
->outbuf
, smb_vwv0
, NO_PROTOCOL_CHOSEN
);
1205 ok
= smb1_srv_send(xconn
, (char *)req
->outbuf
, false, 0, false);
1207 DBG_NOTICE("smb1_srv_send failed\n");
1209 exit_server_cleanly("no protocol supported\n");
1212 set_remote_proto(supported_protocols
[protocol
].short_name
);
1213 reload_services(sconn
, conn_snum_used
, true);
1214 status
= supported_protocols
[protocol
].proto_reply_fn(req
, choice
);
1215 if (!NT_STATUS_IS_OK(status
)) {
1216 exit_server_cleanly("negprot function failed\n");
1219 DEBUG(3,("Selected protocol %s\n",supported_protocols
[protocol
].proto_name
));
1221 DBG_INFO("negprot index=%zu\n", choice
);
1223 TALLOC_FREE(cliprotos
);
1225 END_PROFILE(SMBnegprot
);
1226 return NT_STATUS_OK
;