1 /*
2 Unix SMB/CIFS implementation.
3 Core SMB2 server
4
5 Copyright (C) Stefan Metzmacher 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../libcli/smb/smb2_negotiate_context.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "../librpc/ndr/libndr.h"
28 #include "../libcli/smb/smb_signing.h"
29 #include "auth.h"
30 #include "auth/gensec/gensec.h"
31 #include "lib/util/string_wrappers.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_SMB2
35
36 extern fstring remote_proto;
37
/*
 * Common entry point when an SMB2 dialect was chosen through the SMB1
 * negprot: build a minimal SMB2 NEGOTIATE request carrying exactly one
 * dialect and hand it to the regular SMB2 negprot processing.
 *
 * req     - the SMB1 negprot request (its outbuf is cleared, the SMB2
 *           path produces the reply)
 * dialect - the SMB2 dialect revision to negotiate
 *
 * Returns the status of smbd_smb2_process_negprot(), or
 * NT_STATUS_NO_MEMORY (after reply_nterror()) if the PDU can't be allocated.
 */
static NTSTATUS reply_smb20xx(struct smb_request *req, uint16_t dialect)
{
	enum {
		NEGPROT_BODY_SIZE = 0x24,	/* fixed part of SMB2 NEGOTIATE */
		NEGPROT_DYN_SIZE = 2,		/* one uint16_t dialect entry */
	};
	const size_t pdu_len =
		SMB2_HDR_BODY + NEGPROT_BODY_SIZE + NEGPROT_DYN_SIZE;
	uint8_t *pdu = talloc_zero_array(talloc_tos(), uint8_t, pdu_len);
	uint8_t *body = NULL;
	uint8_t *dyn = NULL;

	if (pdu == NULL) {
		DEBUG(0, ("Could not push spnego blob\n"));
		reply_nterror(req, NT_STATUS_NO_MEMORY);
		return NT_STATUS_NO_MEMORY;
	}

	body = pdu + SMB2_HDR_BODY;
	dyn = body + NEGPROT_BODY_SIZE;

	/* SMB2 header: protocol id and fixed header length. */
	SIVAL(pdu, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
	SIVAL(pdu, SMB2_HDR_LENGTH, SMB2_HDR_BODY);

	/* NEGOTIATE body: StructureSize and DialectCount. */
	SSVAL(body, 0x00, NEGPROT_BODY_SIZE);
	SSVAL(body, 0x02, 0x0001);

	/* Dynamic part: the single dialect. */
	SSVAL(dyn, 0x00, dialect);

	req->outbuf = NULL;

	return smbd_smb2_process_negprot(req->xconn, 0, pdu, pdu_len);
}
72
/*
 * Entry point when the SMB1 negprot selected the "SMB 2.002" dialect.
 *
 * req    - the SMB1 negprot request
 * choice - index of the matching dialect in the client's list; unused here,
 *          the signature is dictated by supported_protocols[].proto_reply_fn
 */
NTSTATUS reply_smb2002(struct smb_request *req, uint16_t choice)
{
	const uint16_t dialect = SMB2_DIALECT_REVISION_202;

	return reply_smb20xx(req, dialect);
}
81
/*
 * Entry point when the SMB1 negprot selected the "SMB 2.???" wildcard
 * dialect. The connection is flagged as allowed to answer with the 2FF
 * revision so the client re-negotiates the real dialect over SMB2.
 *
 * req    - the SMB1 negprot request
 * choice - index of the matching dialect in the client's list (unused)
 */
NTSTATUS reply_smb20ff(struct smb_request *req, uint16_t choice)
{
	req->xconn->smb2.allow_2ff = true;

	return reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF);
}
92
/*
 * Pick the highest protocol the server is configured for that the client
 * also offered.
 *
 * indyn         - the client's dialect array (dialect_count little-endian
 *                 uint16_t values); the caller must have bounds-checked it
 * dialect_count - number of entries in indyn
 * dialect       - out: the matching dialect value on success. It is also
 *                 written while scanning, so on PROTOCOL_NONE it holds the
 *                 last client dialect examined.
 *
 * Returns the matching protocol_types value, or PROTOCOL_NONE. Server
 * preference (3.11 down to 2.02) is the outer order; a level outside
 * "server min protocol".."server max protocol" is skipped entirely.
 */
enum protocol_types smbd_smb2_protocol_dialect_match(const uint8_t *indyn,
						     const int dialect_count,
						     uint16_t *dialect)
{
	static const struct {
		enum protocol_types proto;
		uint16_t dialect;
	} preference[] = {
		{ PROTOCOL_SMB3_11, SMB3_DIALECT_REVISION_311 },
		{ PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302 },
		{ PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300 },
		{ PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210 },
		{ PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202 },
	};
	size_t row;

	for (row = 0; row < ARRAY_SIZE(preference); row++) {
		const enum protocol_types proto = preference[row].proto;
		int idx;

		/* Respect the configured protocol window. */
		if (proto > lp_server_max_protocol() ||
		    proto < lp_server_min_protocol()) {
			continue;
		}

		for (idx = 0; idx < dialect_count; idx++) {
			*dialect = SVAL(indyn, idx * 2);
			if (*dialect == preference[row].dialect) {
				return proto;
			}
		}
	}

	return PROTOCOL_NONE;
}
129
/*
 * State carried across the asynchronous multi-channel negprot step
 * (smb2srv_client_mc_negprot_send()/_recv()). The reply buffers are fully
 * built before the wait and are sent from the completion callback.
 */
struct smbd_smb2_request_process_negprot_state {
	struct smbd_smb2_request *req;	/* the NEGOTIATE request being answered */
	DATA_BLOB outbody;		/* fixed part of the prepared reply */
	DATA_BLOB outdyn;		/* dynamic part: security buffer + contexts */
};

static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq);
137
/*
 * Process an SMB2 NEGOTIATE request on req->xconn.
 *
 * Parses the dialect list, security mode, capabilities and client GUID
 * from the request body, selects the highest dialect inside the configured
 * "server min/max protocol" window, parses the SMB 3.1.1 negotiate
 * contexts (preauth integrity, encryption, signing, POSIX extensions) and
 * builds the NEGOTIATE response. Every count, length and offset taken from
 * the client is checked against the received PDU before it is used.
 *
 * Returns the status of smbd_smb2_request_done() or
 * smbd_smb2_request_error(), or NT_STATUS_OK when the reply is deferred to
 * smbd_smb2_request_process_negprot_mc_done() (multi-channel path).
 */
NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
{
	struct smbd_smb2_request_process_negprot_state *state = NULL;
	struct smbXsrv_connection *xconn = req->xconn;
	struct tevent_req *subreq = NULL;
	NTSTATUS status;
	const uint8_t *inbody;
	const uint8_t *indyn = NULL;
	DATA_BLOB outbody;
	DATA_BLOB outdyn;
	DATA_BLOB negprot_spnego_blob;
	uint16_t security_offset;
	DATA_BLOB security_buffer;
	size_t expected_dyn_size = 0;
	size_t c;
	uint16_t security_mode;
	uint16_t dialect_count;
	uint16_t in_security_mode;
	uint32_t in_capabilities;
	DATA_BLOB in_guid_blob;
	struct GUID in_guid;
	struct smb2_negotiate_contexts in_c = { .num_contexts = 0, };
	struct smb2_negotiate_context *in_preauth = NULL;
	struct smb2_negotiate_context *in_cipher = NULL;
	struct smb2_negotiate_context *in_sign_algo = NULL;
	struct smb2_negotiate_contexts out_c = { .num_contexts = 0, };
	struct smb2_negotiate_context *in_posix = NULL;
	/* Server-side signing/encryption algorithm preferences from smb.conf. */
	const struct smb311_capabilities default_smb3_capabilities =
		smb311_capabilities_parse("server",
			lp_server_smb3_signing_algorithms(),
			lp_server_smb3_encryption_algorithms());
	DATA_BLOB out_negotiate_context_blob = data_blob_null;
	uint32_t out_negotiate_context_offset = 0;
	uint16_t out_negotiate_context_count = 0;
	uint16_t dialect = 0;
	uint32_t capabilities;
	DATA_BLOB out_guid_blob;
	struct GUID out_guid;
	enum protocol_types protocol = PROTOCOL_NONE;
	uint32_t max_limit;
	/*
	 * These initial values are unconditionally replaced by the MIN()
	 * clamps further down; they are only a safe default.
	 */
	uint32_t max_trans = lp_smb2_max_trans();
	uint32_t max_read = lp_smb2_max_read();
	uint32_t max_write = lp_smb2_max_write();
	NTTIME now = timeval_to_nttime(&req->request_time);
	bool ok;

	/* Fixed NEGOTIATE request body is 0x24 bytes. */
	status = smbd_smb2_request_verify_sizes(req, 0x24);
	if (!NT_STATUS_IS_OK(status)) {
		return smbd_smb2_request_error(req, status);
	}
	inbody = SMBD_SMB2_IN_BODY_PTR(req);

	dialect_count = SVAL(inbody, 0x02);

	in_security_mode = SVAL(inbody, 0x04);
	in_capabilities = IVAL(inbody, 0x08);
	in_guid_blob = data_blob_const(inbody + 0x0C, 16);

	if (dialect_count == 0) {
		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
	}

	status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
	if (!NT_STATUS_IS_OK(status)) {
		return smbd_smb2_request_error(req, status);
	}

	/* The dialect array must fit in the dynamic part before we read it. */
	expected_dyn_size = dialect_count * 2;
	if (SMBD_SMB2_IN_DYN_LEN(req) < expected_dyn_size) {
		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
	}
	indyn = SMBD_SMB2_IN_DYN_PTR(req);

	protocol = smbd_smb2_protocol_dialect_match(indyn,
						    dialect_count,
						    &dialect);

	/*
	 * No real dialect matched: accept the "SMB 2.???" wildcard (2FF)
	 * only once, and only if reply_smb20ff() armed allow_2ff for this
	 * connection.
	 */
	for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
		if (lp_server_max_protocol() < PROTOCOL_SMB2_10) {
			break;
		}

		dialect = SVAL(indyn, c*2);
		if (dialect == SMB2_DIALECT_REVISION_2FF) {
			if (xconn->smb2.allow_2ff) {
				xconn->smb2.allow_2ff = false;
				protocol = PROTOCOL_SMB2_10;
				break;
			}
		}
	}

	if (protocol == PROTOCOL_NONE) {
		return smbd_smb2_request_error(req, NT_STATUS_NOT_SUPPORTED);
	}

	if (protocol >= PROTOCOL_SMB3_11) {
		uint32_t in_negotiate_context_offset = 0;
		uint16_t in_negotiate_context_count = 0;
		DATA_BLOB in_negotiate_context_blob = data_blob_null;
		size_t ofs;

		in_negotiate_context_offset = IVAL(inbody, 0x1C);
		in_negotiate_context_count = SVAL(inbody, 0x20);

		/*
		 * The contexts must start exactly at the 8-byte aligned
		 * offset following the dialect array; any other
		 * client-supplied offset is rejected rather than followed.
		 */
		ofs = SMB2_HDR_BODY;
		ofs += SMBD_SMB2_IN_BODY_LEN(req);
		ofs += expected_dyn_size;
		if ((ofs % 8) != 0) {
			ofs += 8 - (ofs % 8);
		}

		if (in_negotiate_context_offset != ofs) {
			return smbd_smb2_request_error(req,
					NT_STATUS_INVALID_PARAMETER);
		}

		/* Rebase ofs onto the dynamic part. */
		ofs -= SMB2_HDR_BODY;
		ofs -= SMBD_SMB2_IN_BODY_LEN(req);

		if (SMBD_SMB2_IN_DYN_LEN(req) < ofs) {
			return smbd_smb2_request_error(req,
					NT_STATUS_INVALID_PARAMETER);
		}

		in_negotiate_context_blob = data_blob_const(indyn,
						SMBD_SMB2_IN_DYN_LEN(req));

		in_negotiate_context_blob.data += ofs;
		in_negotiate_context_blob.length -= ofs;

		status = smb2_negotiate_context_parse(req,
						     in_negotiate_context_blob,
						     in_negotiate_context_count,
						     &in_c);
		if (!NT_STATUS_IS_OK(status)) {
			return smbd_smb2_request_error(req, status);
		}

		if (lp_smb2_unix_extensions()) {
			in_posix = smb2_negotiate_context_find(&in_c,
					SMB2_POSIX_EXTENSIONS_AVAILABLE);

			if (in_posix != NULL) {
				const uint8_t *inbuf = in_posix->data.data;
				size_t inbuflen = in_posix->data.length;
				bool posix_found = false;
				/*
				 * For now the server only supports one variant.
				 * Check it's the right one: the context is a
				 * list of 16-byte tags, one of which must be
				 * SMB2_CREATE_TAG_POSIX.
				 */
				if ((inbuflen % 16) != 0) {
					return smbd_smb2_request_error(req,
						NT_STATUS_INVALID_PARAMETER);
				}
				SMB_ASSERT(strlen(SMB2_CREATE_TAG_POSIX) == 16);
				for (ofs=0; ofs<inbuflen; ofs+=16) {
					if (memcmp(inbuf+ofs,
						   SMB2_CREATE_TAG_POSIX,
						   16) == 0) {
						posix_found = true;
						break;
					}
				}
				if (posix_found) {
					DBG_DEBUG("Client requested SMB2 unix "
						  "extensions\n");
				} else {
					DBG_DEBUG("Client requested unknown "
						  "SMB2 unix extensions:\n");
					dump_data(10, inbuf, inbuflen);
					/* Unknown variant: do not announce POSIX. */
					in_posix = NULL;
				}
			}
		}
	}

	/*
	 * Remember the client GUID for remote-arch detection; SMB 2.02 and
	 * the 2FF wildcard carry no meaningful GUID.
	 */
	if ((dialect != SMB2_DIALECT_REVISION_2FF) &&
	    (protocol >= PROTOCOL_SMB2_10) &&
	    !GUID_all_zero(&in_guid))
	{
		ok = remote_arch_cache_update(&in_guid);
		if (!ok) {
			return smbd_smb2_request_error(
				req, NT_STATUS_UNSUCCESSFUL);
		}
	}

	switch (get_remote_arch()) {
	case RA_VISTA:
	case RA_SAMBA:
	case RA_CIFSFS:
	case RA_OSX:
		break;
	default:
		set_remote_arch(RA_VISTA);
		break;
	}

	/* e.g. "SMB3_11" for dialect 0x0311; used by %R in smb.conf. */
	fstr_sprintf(remote_proto, "SMB%X_%02X",
		     (dialect >> 8) & 0xFF, dialect & 0xFF);

	reload_services(req->sconn, conn_snum_used, true);
	DEBUG(3,("Selected protocol %s\n", remote_proto));

	/* Preauth integrity is mandatory from SMB 3.1.1 on. */
	in_preauth = smb2_negotiate_context_find(&in_c,
					SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
	if (protocol >= PROTOCOL_SMB3_11 && in_preauth == NULL) {
		return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
	}
	in_cipher = smb2_negotiate_context_find(&in_c,
					SMB2_ENCRYPTION_CAPABILITIES);
	in_sign_algo = smb2_negotiate_context_find(&in_c,
					SMB2_SIGNING_CAPABILITIES);

	/*
	 * The first 16 bytes of the blob are used as the server guid
	 * (negprot_spnego() fills them with the NUL-padded NetBIOS name),
	 * the rest is the SPNEGO token.
	 */
	negprot_spnego_blob = negprot_spnego(req, xconn);
	if (negprot_spnego_blob.data == NULL) {
		return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
	}

	if (negprot_spnego_blob.length < 16) {
		return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
	}

	security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
	/*
	 * We use xconn->smb2.signing_mandatory set up via
	 * srv_init_signing() -> smb2_srv_init_signing().
	 * This calls lpcfg_server_signing_allowed() to get the correct
	 * defaults, e.g. signing_required for an ad_dc.
	 */
	if (xconn->smb2.signing_mandatory) {
		security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
	}

	capabilities = 0;
	if (lp_host_msdfs()) {
		capabilities |= SMB2_CAP_DFS;
	}

	if (protocol >= PROTOCOL_SMB2_10 &&
	    lp_smb2_leases() &&
	    lp_oplocks(GLOBAL_SECTION_SNUM) &&
	    !lp_kernel_oplocks(GLOBAL_SECTION_SNUM))
	{
		capabilities |= SMB2_CAP_LEASING;
	}

	/* Encryption is only announced if the client offered it too. */
	if ((protocol >= PROTOCOL_SMB3_00) &&
	    (lp_server_smb_encrypt(-1) != SMB_ENCRYPTION_OFF) &&
	    (in_capabilities & SMB2_CAP_ENCRYPTION)) {
		capabilities |= SMB2_CAP_ENCRYPTION;
	}

	/*
	 * 0x10000 (65536) is the maximum allowed message size
	 * for SMB 2.0
	 */
	max_limit = 0x10000;

	if (protocol >= PROTOCOL_SMB2_10) {
		int p = 0;

		if (tsocket_address_is_inet(req->sconn->local_address, "ip")) {
			p = tsocket_address_inet_port(req->sconn->local_address);
		}

		/* largeMTU is not supported over NBT (tcp port 139) */
		if (p != NBT_SMB_PORT) {
			capabilities |= SMB2_CAP_LARGE_MTU;
			xconn->smb2.credits.multicredit = true;

			/*
			 * We allow up to almost 16MB.
			 *
			 * The maximum PDU size is 0xFFFFFF (16776960)
			 * and we need some space for the header.
			 */
			max_limit = 0xFFFF00;
		}
	}

	/*
	 * Clamp the smb.conf values to max_limit, which depends on the
	 * dialect (64kb for SMB 2.0, almost 16MB for SMB >= 2.1 with
	 * LargeMTU).
	 *
	 * user configured values exceeding the limits will be overwritten,
	 * only smaller values will be accepted
	 */

	max_trans = MIN(max_limit, lp_smb2_max_trans());
	max_read = MIN(max_limit, lp_smb2_max_read());
	max_write = MIN(max_limit, lp_smb2_max_write());

	if (in_preauth != NULL) {
		/* HashAlgorithmCount(2) + SaltLength(2) precede the arrays. */
		size_t needed = 4;
		uint16_t hash_count;
		uint16_t salt_length;
		uint16_t selected_preauth = 0;
		const uint8_t *p;
		/* 6 byte header + 32 byte salt in the reply context. */
		uint8_t buf[38];
		size_t i;

		if (in_preauth->data.length < needed) {
			return smbd_smb2_request_error(req,
					NT_STATUS_INVALID_PARAMETER);
		}

		hash_count = SVAL(in_preauth->data.data, 0);
		salt_length = SVAL(in_preauth->data.data, 2);

		if (hash_count == 0) {
			return smbd_smb2_request_error(req,
					NT_STATUS_INVALID_PARAMETER);
		}

		/* Hash array and salt must both be inside the context. */
		p = in_preauth->data.data + needed;
		needed += hash_count * 2;
		needed += salt_length;

		if (in_preauth->data.length < needed) {
			return smbd_smb2_request_error(req,
					NT_STATUS_INVALID_PARAMETER);
		}

		for (i=0; i < hash_count; i++) {
			uint16_t v;

			v = SVAL(p, 0);
			p += 2;

			if (v == SMB2_PREAUTH_INTEGRITY_SHA512) {
				selected_preauth = v;
				break;
			}
		}

		if (selected_preauth == 0) {
			return smbd_smb2_request_error(req,
				NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP);
		}

		SSVAL(buf, 0, 1); /* HashAlgorithmCount */
		SSVAL(buf, 2, 32); /* SaltLength */
		SSVAL(buf, 4, selected_preauth);
		generate_random_buffer(buf + 6, 32);

		status = smb2_negotiate_context_add(
			req,
			&out_c,
			SMB2_PREAUTH_INTEGRITY_CAPABILITIES,
			buf,
			sizeof(buf));
		if (!NT_STATUS_IS_OK(status)) {
			return smbd_smb2_request_error(req, status);
		}

		req->preauth = &req->xconn->smb2.preauth;
	}

	/* Default signing algorithm; may be refined by a signing context. */
	if (protocol >= PROTOCOL_SMB3_00) {
		xconn->smb2.server.sign_algo = SMB2_SIGNING_AES128_CMAC;
	} else {
		xconn->smb2.server.sign_algo = SMB2_SIGNING_HMAC_SHA256;
	}

	if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
		const struct smb3_encryption_capabilities *srv_ciphers =
			&default_smb3_capabilities.encryption;
		uint16_t srv_preferred_idx = UINT16_MAX;
		/* CipherCount(2) precedes the cipher array. */
		size_t needed = 2;
		uint16_t cipher_count;
		const uint8_t *p;
		uint8_t buf[4];
		size_t i;

		/*
		 * With an encryption context the cap bit is not used;
		 * the negotiated cipher is announced via the context.
		 */
		capabilities &= ~SMB2_CAP_ENCRYPTION;

		if (in_cipher->data.length < needed) {
			return smbd_smb2_request_error(req,
					NT_STATUS_INVALID_PARAMETER);
		}

		cipher_count = SVAL(in_cipher->data.data, 0);
		if (cipher_count == 0) {
			return smbd_smb2_request_error(req,
					NT_STATUS_INVALID_PARAMETER);
		}

		p = in_cipher->data.data + needed;
		needed += cipher_count * 2;

		if (in_cipher->data.length < needed) {
			return smbd_smb2_request_error(req,
					NT_STATUS_INVALID_PARAMETER);
		}

		for (i=0; i < cipher_count; i++) {
			uint16_t si;
			uint16_t v;

			v = SVAL(p, 0);
			p += 2;

			for (si = 0; si < srv_ciphers->num_algos; si++) {
				if (srv_ciphers->algos[si] != v) {
					continue;
				}

				/*
				 * The server ciphers are listed
				 * with the lowest idx being preferred.
				 */
				if (si < srv_preferred_idx) {
					srv_preferred_idx = si;
				}
				break;
			}
		}

		if (srv_preferred_idx != UINT16_MAX) {
			xconn->smb2.server.cipher =
				srv_ciphers->algos[srv_preferred_idx];
		}

		SSVAL(buf, 0, 1); /* ChiperCount */
		SSVAL(buf, 2, xconn->smb2.server.cipher);

		status = smb2_negotiate_context_add(
			req,
			&out_c,
			SMB2_ENCRYPTION_CAPABILITIES,
			buf,
			sizeof(buf));
		if (!NT_STATUS_IS_OK(status)) {
			return smbd_smb2_request_error(req, status);
		}
	}

	/* SMB 3.0/3.02 without a cipher context: the only cipher is CCM. */
	if (capabilities & SMB2_CAP_ENCRYPTION) {
		xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
	}

	if (in_sign_algo != NULL) {
		const struct smb3_signing_capabilities *srv_sign_algos =
			&default_smb3_capabilities.signing;
		uint16_t srv_preferred_idx = UINT16_MAX;
		/* SigningAlgorithmCount(2) precedes the algorithm array. */
		size_t needed = 2;
		uint16_t sign_algo_count;
		const uint8_t *p;
		size_t i;

		if (in_sign_algo->data.length < needed) {
			return smbd_smb2_request_error(req,
					NT_STATUS_INVALID_PARAMETER);
		}

		sign_algo_count = SVAL(in_sign_algo->data.data, 0);
		if (sign_algo_count == 0) {
			return smbd_smb2_request_error(req,
					NT_STATUS_INVALID_PARAMETER);
		}

		p = in_sign_algo->data.data + needed;
		needed += sign_algo_count * 2;

		if (in_sign_algo->data.length < needed) {
			return smbd_smb2_request_error(req,
					NT_STATUS_INVALID_PARAMETER);
		}

		for (i=0; i < sign_algo_count; i++) {
			uint16_t si;
			uint16_t v;

			v = SVAL(p, 0);
			p += 2;

			for (si = 0; si < srv_sign_algos->num_algos; si++) {
				if (srv_sign_algos->algos[si] != v) {
					continue;
				}

				/*
				 * The server sign_algos are listed
				 * with the lowest idx being preferred.
				 */
				if (si < srv_preferred_idx) {
					srv_preferred_idx = si;
				}
				break;
			}
		}

		/*
		 * If we found a match announce it
		 * otherwise we'll keep the default
		 * of SMB2_SIGNING_AES128_CMAC
		 */
		if (srv_preferred_idx != UINT16_MAX) {
			uint8_t buf[4];

			xconn->smb2.server.sign_algo =
				srv_sign_algos->algos[srv_preferred_idx];

			SSVAL(buf, 0, 1); /* SigningAlgorithmCount */
			SSVAL(buf, 2, xconn->smb2.server.sign_algo);

			status = smb2_negotiate_context_add(
				req,
				&out_c,
				SMB2_SIGNING_CAPABILITIES,
				buf,
				sizeof(buf));
			if (!NT_STATUS_IS_OK(status)) {
				return smbd_smb2_request_error(req, status);
			}
		}
	}

	/*
	 * Final sanity check that the chosen signing/cipher algorithms are
	 * acceptable for the negotiated protocol and server configuration.
	 */
	status = smb311_capabilities_check(&default_smb3_capabilities,
					   "smb2srv_negprot",
					   DBGLVL_NOTICE,
					   NT_STATUS_INVALID_PARAMETER,
					   "server",
					   protocol,
					   xconn->smb2.server.sign_algo,
					   xconn->smb2.server.cipher);
	if (!NT_STATUS_IS_OK(status)) {
		return smbd_smb2_request_error(req, status);
	}

	if (protocol >= PROTOCOL_SMB3_00 &&
	    xconn->client->server_multi_channel_enabled)
	{
		if (in_capabilities & SMB2_CAP_MULTI_CHANNEL) {
			capabilities |= SMB2_CAP_MULTI_CHANNEL;
		}
	}

	/* The security buffer directly follows the 0x40 byte response body. */
	security_offset = SMB2_HDR_BODY + 0x40;

#if 1
	/* Try SPNEGO auth... */
	security_buffer = data_blob_const(negprot_spnego_blob.data + 16,
					  negprot_spnego_blob.length - 16);
#else
	/* for now we want raw NTLMSSP */
	security_buffer = data_blob_const(NULL, 0);
#endif

	if (in_posix != NULL) {
		/* Client correctly negotiated SMB2 unix extensions. */
		const uint8_t *buf = (const uint8_t *)SMB2_CREATE_TAG_POSIX;
		status = smb2_negotiate_context_add(
			req,
			&out_c,
			SMB2_POSIX_EXTENSIONS_AVAILABLE,
			buf,
			16);
		if (!NT_STATUS_IS_OK(status)) {
			return smbd_smb2_request_error(req, status);
		}
		xconn->smb2.server.posix_extensions_negotiated = true;
	}

	if (out_c.num_contexts != 0) {
		status = smb2_negotiate_context_push(req,
						&out_negotiate_context_blob,
						out_c);
		if (!NT_STATUS_IS_OK(status)) {
			return smbd_smb2_request_error(req, status);
		}
	}

	if (out_negotiate_context_blob.length != 0) {
		static const uint8_t zeros[8];
		size_t pad = 0;
		size_t ofs;

		/*
		 * Contexts must start 8-byte aligned after the security
		 * buffer, so build outdyn = security buffer + padding +
		 * contexts in a fresh talloc'ed blob.
		 */
		outdyn = data_blob_dup_talloc(req, security_buffer);
		if (outdyn.length != security_buffer.length) {
			return smbd_smb2_request_error(req,
					NT_STATUS_NO_MEMORY);
		}

		ofs = security_offset + security_buffer.length;
		if ((ofs % 8) != 0) {
			pad = 8 - (ofs % 8);
		}
		ofs += pad;

		ok = data_blob_append(req, &outdyn, zeros, pad);
		if (!ok) {
			return smbd_smb2_request_error(req,
					NT_STATUS_NO_MEMORY);
		}

		ok = data_blob_append(req, &outdyn,
				      out_negotiate_context_blob.data,
				      out_negotiate_context_blob.length);
		if (!ok) {
			return smbd_smb2_request_error(req,
					NT_STATUS_NO_MEMORY);
		}

		out_negotiate_context_offset = ofs;
		out_negotiate_context_count = out_c.num_contexts;
	} else {
		outdyn = security_buffer;
	}

	out_guid_blob = data_blob_const(negprot_spnego_blob.data, 16);
	status = GUID_from_ndr_blob(&out_guid_blob, &out_guid);
	if (!NT_STATUS_IS_OK(status)) {
		return smbd_smb2_request_error(req, status);
	}

	outbody = smbd_smb2_generate_outbody(req, 0x40);
	if (outbody.data == NULL) {
		return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
	}

	/* NEGOTIATE response body, MS-SMB2 2.2.4 layout. */
	SSVAL(outbody.data, 0x00, 0x40 + 1);	/* struct size */
	SSVAL(outbody.data, 0x02,
	      security_mode);			/* security mode */
	SSVAL(outbody.data, 0x04, dialect);	/* dialect revision */
	SSVAL(outbody.data, 0x06,
	      out_negotiate_context_count);	/* reserved/NegotiateContextCount */
	memcpy(outbody.data + 0x08,
	       out_guid_blob.data, 16);	/* server guid */
	SIVAL(outbody.data, 0x18,
	      capabilities);			/* capabilities */
	SIVAL(outbody.data, 0x1C, max_trans);	/* max transact size */
	SIVAL(outbody.data, 0x20, max_read);	/* max read size */
	SIVAL(outbody.data, 0x24, max_write);	/* max write size */
	SBVAL(outbody.data, 0x28, now);		/* system time */
	SBVAL(outbody.data, 0x30, 0);		/* server start time */
	SSVAL(outbody.data, 0x38,
	      security_offset);			/* security buffer offset */
	SSVAL(outbody.data, 0x3A,
	      security_buffer.length);		/* security buffer length */
	SIVAL(outbody.data, 0x3C,
	      out_negotiate_context_offset);	/* reserved/NegotiateContextOffset */

	req->sconn->using_smb2 = true;

	/*
	 * The 2FF wildcard reply only tells the client to re-negotiate;
	 * nothing about this exchange is persisted on the connection.
	 */
	if (dialect == SMB2_DIALECT_REVISION_2FF) {
		return smbd_smb2_request_done(req, outbody, &outdyn);
	}

	status = smbXsrv_connection_init_tables(xconn, protocol);
	if (!NT_STATUS_IS_OK(status)) {
		return smbd_smb2_request_error(req, status);
	}

	/* Record what the client offered ... */
	xconn->smb2.client.capabilities = in_capabilities;
	xconn->smb2.client.security_mode = in_security_mode;
	xconn->smb2.client.guid = in_guid;
	xconn->smb2.client.num_dialects = dialect_count;
	xconn->smb2.client.dialects = talloc_array(xconn,
						   uint16_t,
						   dialect_count);
	if (xconn->smb2.client.dialects == NULL) {
		return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
	}
	for (c=0; c < dialect_count; c++) {
		xconn->smb2.client.dialects[c] = SVAL(indyn, c*2);
	}

	/* ... and what we answered. */
	xconn->smb2.server.capabilities = capabilities;
	xconn->smb2.server.security_mode = security_mode;
	xconn->smb2.server.guid = out_guid;
	xconn->smb2.server.dialect = dialect;
	xconn->smb2.server.max_trans = max_trans;
	xconn->smb2.server.max_read = max_read;
	xconn->smb2.server.max_write = max_write;

	if (xconn->protocol < PROTOCOL_SMB2_10) {
		/*
		 * SMB2_02 doesn't support client guids
		 */
		return smbd_smb2_request_done(req, outbody, &outdyn);
	}

	if (!xconn->client->server_multi_channel_enabled) {
		/*
		 * Only deal with the client guid database
		 * if multi-channel is enabled.
		 *
		 * But we still need to setup
		 * xconn->client->global->client_guid to
		 * the correct value.
		 */
		xconn->client->global->client_guid =
			xconn->smb2.client.guid;
		return smbd_smb2_request_done(req, outbody, &outdyn);
	}

	if (xconn->smb2.client.guid_verified) {
		/*
		 * The connection was passed from another
		 * smbd process.
		 */
		return smbd_smb2_request_done(req, outbody, &outdyn);
	}

	/*
	 * Multi-channel: the client guid has to be checked against other
	 * smbd processes asynchronously; the prepared reply is parked in
	 * state and sent from the _mc_done callback.
	 */
	state = talloc_zero(req, struct smbd_smb2_request_process_negprot_state);
	if (state == NULL) {
		return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
	}
	*state = (struct smbd_smb2_request_process_negprot_state) {
		.req = req,
		.outbody = outbody,
		.outdyn = outdyn,
	};

	subreq = smb2srv_client_mc_negprot_send(state,
						req->xconn->client->raw_ev_ctx,
						req);
	if (subreq == NULL) {
		return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
	}
	tevent_req_set_callback(subreq,
				smbd_smb2_request_process_negprot_mc_done,
				state);
	return NT_STATUS_OK;
}
867
/*
 * Completion callback for the multi-channel client-guid check started by
 * smbd_smb2_request_process_negprot().
 *
 * On success the parked NEGOTIATE reply is sent. If the request was
 * retrieved by another process, or if either sending the reply or the
 * error fails, the connection is terminated; the terminate helper is
 * not expected to return, hence the smb_panic() behind it.
 */
static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq)
{
	struct smbd_smb2_request_process_negprot_state *state =
		tevent_req_callback_data(subreq,
		struct smbd_smb2_request_process_negprot_state);
	struct smbd_smb2_request *req = state->req;
	struct smbXsrv_connection *xconn = req->xconn;
	const char *reason = NULL;
	NTSTATUS status;

	status = smb2srv_client_mc_negprot_recv(subreq);
	TALLOC_FREE(subreq);

	if (NT_STATUS_EQUAL(status, NT_STATUS_MESSAGE_RETRIEVED)) {
		/* The connection was passed to another process. */
		reason = "passed connection";
		goto terminate;
	}

	if (NT_STATUS_IS_OK(status)) {
		/* We're the first connection: send the prepared reply. */
		status = smbd_smb2_request_done(req,
						state->outbody,
						&state->outdyn);
	} else {
		status = smbd_smb2_request_error(req, status);
	}
	if (NT_STATUS_IS_OK(status)) {
		return;
	}
	reason = nt_errstr(status);

terminate:
	smbd_server_connection_terminate(xconn, reason);
	/*
	 * smbd_server_connection_terminate() should not return!
	 */
	smb_panic(__location__);
	return;
}
926
/****************************************************************************
 Generate the SPNEGO negprot reply blob.
 The result is 16 bytes holding the NUL-padded, lower-cased NetBIOS name
 followed by the SPNEGO token obtained from gensec. The blob is allocated
 on ctx and owned by the caller; data_blob_null is returned on any failure
 (no SPNEGO token, or out of memory).
****************************************************************************/

DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbXsrv_connection *xconn)
{
	DATA_BLOB blob = data_blob_null;
	DATA_BLOB blob_out = data_blob_null;
	nstring dos_name;
	fstring unix_name;
	NTSTATUS status;
#ifdef DEVELOPER
	size_t slen;
#endif
	struct gensec_security *gensec_security;

	/* See if we can get an SPNEGO blob */
	status = auth_generic_prepare(talloc_tos(),
				      xconn->remote_address,
				      xconn->local_address,
				      "SMB",
				      &gensec_security);

	/*
	 * Despite including it above, there is no need to set a
	 * remote address or similar as we are just interested in the
	 * SPNEGO blob, we never keep this context.
	 */

	if (NT_STATUS_IS_OK(status)) {
		status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
		if (NT_STATUS_IS_OK(status)) {
			status = gensec_update(gensec_security, ctx,
					       data_blob_null, &blob);
			/* If we get the list of OIDs, the 'OK' answer
			 * is NT_STATUS_MORE_PROCESSING_REQUIRED */
			if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
				DEBUG(0, ("Failed to start SPNEGO handler for negprot OID list!\n"));
				blob = data_blob_null;
			}
		}
		/* The temporary gensec context is not needed any more. */
		TALLOC_FREE(gensec_security);
	}

#if defined(WITH_SMB1SERVER)
	xconn->smb1.negprot.spnego = true;
#endif

	/* strangely enough, NT does not sent the single OID NTLMSSP when
	   not a ADS member, it sends no OIDs at all

	   OLD COMMENT : "we can't do this until we teach our sesssion setup parser to know
	   about raw NTLMSSP (clients send no ASN.1 wrapping if we do this)"

	   Our sessionsetup code now handles raw NTLMSSP connects, so we can go
	   back to doing what W2K3 does here. This is needed to make PocketPC 2003
	   CIFS connections work with SPNEGO. See bugzilla bugs #1828 and #3133
	   for details. JRA.

	 */

	if (blob.length == 0 || blob.data == NULL) {
		return data_blob_null;
	}

	/* 16 byte name prefix + the SPNEGO token. */
	blob_out = data_blob_talloc(ctx, NULL, 16 + blob.length);
	if (blob_out.data == NULL) {
		data_blob_free(&blob);
		return data_blob_null;
	}

	memset(blob_out.data, '\0', 16);

	checked_strlcpy(unix_name, lp_netbios_name(), sizeof(unix_name));
	(void)strlower_m(unix_name);
	push_ascii_nstring(dos_name, unix_name);
	/*
	 * Copies at most 16 name bytes; the terminating NUL strlcpy may
	 * place at offset 16 is overwritten by the token memcpy below.
	 */
	strlcpy((char *)blob_out.data, dos_name, 17);

#ifdef DEVELOPER
	/* Fix valgrind 'uninitialized bytes' issue. */
	slen = strlen(dos_name);
	if (slen < 16) {
		memset(blob_out.data+slen, '\0', 16 - slen);
	}
#endif

	memcpy(&blob_out.data[16], blob.data, blob.length);

	data_blob_free(&blob);

	return blob_out;
}
1019
/*
 * MS-CIFS, 2.2.4.52.2 SMB_COM_NEGOTIATE Response:
 * If the server does not support any of the listed dialects, it MUST return a
 * DialectIndex of 0XFFFF
 */
#define NO_PROTOCOL_CHOSEN 0xffff

/* Bit flags denoting which SMB2 dialect strings a client offered. */
#define PROT_SMB_2_002 0x1000
#define PROT_SMB_2_FF 0x2000

/* List of supported SMB1 protocols, most desired first.
 * This is for enabling multi-protocol negotiation in SMB2 when SMB1
 * is disabled.
 *
 * proto_name     - dialect string exactly as the client sends it
 * short_name     - value stored in remote_proto once selected
 * proto_reply_fn - handler building the reply; receives the index of the
 *                  matching entry in the client's dialect list
 * protocol_level - protocol_types value compared against the
 *                  "server min/max protocol" window
 *
 * The table is terminated by an all-NULL entry.
 */
static const struct {
	const char *proto_name;
	const char *short_name;
	NTSTATUS (*proto_reply_fn)(struct smb_request *req, uint16_t choice);
	int protocol_level;
} supported_protocols[] = {
	{"SMB 2.???", "SMB2_FF", reply_smb20ff, PROTOCOL_SMB2_10},
	{"SMB 2.002", "SMB2_02", reply_smb2002, PROTOCOL_SMB2_02},
	{NULL,NULL,NULL,0},
};
1044
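/****************************************************************************
 Reply to an SMB1 negprot on behalf of the SMB2 server.
 Parses the NUL-terminated dialect strings from the request, picks the most
 desirable entry of supported_protocols[] (within the configured protocol
 window) that the client offered, and dispatches to its reply function.
 If nothing matches, a DialectIndex of NO_PROTOCOL_CHOSEN is sent and the
 server exits.
 conn POINTER CAN BE NULL HERE !
****************************************************************************/

NTSTATUS smb2_multi_protocol_reply_negprot(struct smb_request *req)
{
	size_t choice = 0;
	bool choice_set = false;
	int protocol;
	const char *p;
	int num_cliprotos;
	char **cliprotos;
	size_t i;
	size_t converted_size;
	struct smbXsrv_connection *xconn = req->xconn;
	struct smbd_server_connection *sconn = req->sconn;
	int max_proto;
	int min_proto;
	NTSTATUS status;

	START_PROFILE(SMBnegprot);

	if (req->buflen == 0) {
		DEBUG(0, ("negprot got no protocols\n"));
		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
		END_PROFILE(SMBnegprot);
		return NT_STATUS_INVALID_PARAMETER;
	}

	/*
	 * The buffer must end in a NUL so strlen() below can never run
	 * past the end of the client-supplied data.
	 */
	if (req->buf[req->buflen-1] != '\0') {
		DEBUG(0, ("negprot protocols not 0-terminated\n"));
		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
		END_PROFILE(SMBnegprot);
		return NT_STATUS_INVALID_PARAMETER;
	}

	/* Each dialect is a one byte marker followed by a NUL-terminated string. */
	p = (const char *)req->buf + 1;

	num_cliprotos = 0;
	cliprotos = NULL;

	while (smbreq_bufrem(req, p) > 0) {

		char **tmp;

		tmp = talloc_realloc(talloc_tos(), cliprotos, char *,
					   num_cliprotos+1);
		if (tmp == NULL) {
			DEBUG(0, ("talloc failed\n"));
			TALLOC_FREE(cliprotos);
			reply_nterror(req, NT_STATUS_NO_MEMORY);
			END_PROFILE(SMBnegprot);
			return NT_STATUS_NO_MEMORY;
		}

		cliprotos = tmp;

		if (!pull_ascii_talloc(cliprotos, &cliprotos[num_cliprotos], p,
				       &converted_size)) {
			DEBUG(0, ("pull_ascii_talloc failed\n"));
			TALLOC_FREE(cliprotos);
			reply_nterror(req, NT_STATUS_NO_MEMORY);
			END_PROFILE(SMBnegprot);
			return NT_STATUS_NO_MEMORY;
		}

		DEBUG(3, ("Requested protocol [%s]\n",
			  cliprotos[num_cliprotos]));

		num_cliprotos += 1;
		/* Skip the string, its NUL and the next entry's marker byte. */
		p += strlen(p) + 2;
	}

	/* possibly reload - change of architecture */
	reload_services(sconn, conn_snum_used, true);

	/*
	 * Anything higher than PROTOCOL_SMB2_10 still
	 * needs to go via "SMB 2.???", which is marked
	 * as PROTOCOL_SMB2_10.
	 *
	 * The real negotiation happens via reply_smb20ff()
	 * using SMB2 Negotiation.
	 */
	max_proto = lp_server_max_protocol();
	if (max_proto > PROTOCOL_SMB2_10) {
		max_proto = PROTOCOL_SMB2_10;
	}
	min_proto = lp_server_min_protocol();
	if (min_proto > PROTOCOL_SMB2_10) {
		min_proto = PROTOCOL_SMB2_10;
	}

	/*
	 * Check for protocols, most desirable first. Within one table
	 * entry the last matching client index wins.
	 */
	for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
		i = 0;
		if ((supported_protocols[protocol].protocol_level <= max_proto) &&
		    (supported_protocols[protocol].protocol_level >= min_proto)) {
			while (i < num_cliprotos) {
				if (strequal(cliprotos[i],
					     supported_protocols[protocol].proto_name)) {
					choice = i;
					choice_set = true;
				}
				i++;
			}
		}
		if (choice_set) {
			break;
		}
	}

	if (!choice_set) {
		bool ok;

		DBG_NOTICE("No protocol supported !\n");
		reply_smb1_outbuf(req, 1, 0);
		SSVAL(req->outbuf, smb_vwv0, NO_PROTOCOL_CHOSEN);

		ok = smb1_srv_send(xconn, (char *)req->outbuf,
				   false, 0, false, NULL);
		if (!ok) {
			DBG_NOTICE("smb1_srv_send failed\n");
		}
		/*
		 * NOTE(review): assumed not to return; if it did, protocol
		 * would index the table's NULL terminator below — confirm.
		 */
		exit_server_cleanly("no protocol supported\n");
	}

	fstrcpy(remote_proto,supported_protocols[protocol].short_name);
	reload_services(sconn, conn_snum_used, true);
	/* choice is narrowed to uint16_t by the handler's signature. */
	status = supported_protocols[protocol].proto_reply_fn(req, choice);
	if (!NT_STATUS_IS_OK(status)) {
		exit_server_cleanly("negprot function failed\n");
	}

	DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name));

	DBG_INFO("negprot index=%zu\n", choice);

	TALLOC_FREE(cliprotos);

	END_PROFILE(SMBnegprot);
	return NT_STATUS_OK;
}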
1195 }