search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: avoid a panic in close_directory()
[samba4-gss.git] / source3 / smbd / smb2_negprot.c
blobd44ce7c78632d2636bdf4a75e9a899c90cad0c5a
1 /*
2 Unix SMB/CIFS implementation.
3 Core SMB2 server
4
5 Copyright (C) Stefan Metzmacher 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../libcli/smb/smb2_negotiate_context.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "../librpc/ndr/libndr.h"
28 #include "../libcli/smb/smb_signing.h"
29 #include "auth.h"
30 #include "auth/gensec/gensec.h"
31 #include "lib/util/string_wrappers.h"
32 #include "source3/lib/substitute.h"
33 #ifdef HAVE_VALGRIND_CALLGRIND_H
34 #include <valgrind/callgrind.h>
35 #endif /* HAVE_VALGRIND_CALLGRIND_H */
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_SMB2
39
40 /*
41 * this is the entry point if SMB2 is selected via
42 * the SMB negprot and the given dialect.
43 */
44 static NTSTATUS reply_smb20xx(struct smb_request *req, uint16_t dialect)
45 {
46 uint8_t *smb2_inpdu;
47 uint8_t *smb2_hdr;
48 uint8_t *smb2_body;
49 uint8_t *smb2_dyn;
50 size_t len = SMB2_HDR_BODY + 0x24 + 2;
51
52 smb2_inpdu = talloc_zero_array(talloc_tos(), uint8_t, len);
53 if (smb2_inpdu == NULL) {
54 DEBUG(0, ("Could not push spnego blob\n"));
55 reply_nterror(req, NT_STATUS_NO_MEMORY);
56 return NT_STATUS_NO_MEMORY;
57 }
58 smb2_hdr = smb2_inpdu;
59 smb2_body = smb2_hdr + SMB2_HDR_BODY;
60 smb2_dyn = smb2_body + 0x24;
61
62 SIVAL(smb2_hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
63 SIVAL(smb2_hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
64
65 SSVAL(smb2_body, 0x00, 0x0024); /* struct size */
66 SSVAL(smb2_body, 0x02, 0x0001); /* dialect count */
67
68 SSVAL(smb2_dyn, 0x00, dialect);
69
70 req->outbuf = NULL;
71
72 return smbd_smb2_process_negprot(req->xconn, 0, smb2_inpdu, len);
73 }
74
75 /*
76 * this is the entry point if SMB2 is selected via
77 * the SMB negprot and the "SMB 2.002" dialect.
78 */
79 NTSTATUS reply_smb2002(struct smb_request *req, uint16_t choice)
80 {
81 return reply_smb20xx(req, SMB2_DIALECT_REVISION_202);
82 }
83
84 /*
85 * this is the entry point if SMB2 is selected via
86 * the SMB negprot and the "SMB 2.???" dialect.
87 */
88 NTSTATUS reply_smb20ff(struct smb_request *req, uint16_t choice)
89 {
90 struct smbXsrv_connection *xconn = req->xconn;
91 xconn->smb2.allow_2ff = true;
92 return reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF);
93 }
94
95 enum protocol_types smbd_smb2_protocol_dialect_match(const uint8_t *indyn,
96 const int dialect_count,
97 uint16_t *dialect)
98 {
99 static const struct {
100 enum protocol_types proto;
101 uint16_t dialect;
102 } pd[] = {
103 { PROTOCOL_SMB3_11, SMB3_DIALECT_REVISION_311 },
104 { PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302 },
105 { PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300 },
106 { PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210 },
107 { PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202 },
108 };
109 size_t i;
110
111 for (i = 0; i < ARRAY_SIZE(pd); i ++) {
112 int c = 0;
113
114 if (lp_server_max_protocol() < pd[i].proto) {
115 continue;
116 }
117 if (lp_server_min_protocol() > pd[i].proto) {
118 continue;
119 }
120
121 for (c = 0; c < dialect_count; c++) {
122 *dialect = SVAL(indyn, c*2);
123 if (*dialect == pd[i].dialect) {
124 return pd[i].proto;
125 }
126 }
127 }
128
129 return PROTOCOL_NONE;
130 }
131
132 static NTSTATUS smb2_negotiate_context_process_posix(
133 const struct smb2_negotiate_contexts *in_c,
134 bool *posix)
135 {
136 struct smb2_negotiate_context *in_posix = NULL;
137 const uint8_t *inbuf = NULL;
138 size_t inbuflen;
139 bool posix_found = false;
140 size_t ofs;
141 int cmp;
142
143 *posix = false;
144
145 if (!lp_smb3_unix_extensions(GLOBAL_SECTION_SNUM)) {
146 return NT_STATUS_OK;
147 }
148
149 in_posix = smb2_negotiate_context_find(in_c,
150 SMB2_POSIX_EXTENSIONS_AVAILABLE);
151 if (in_posix == NULL) {
152 return NT_STATUS_OK;
153 }
154
155 inbuf = in_posix->data.data;
156 inbuflen = in_posix->data.length;
157
158 /*
159 * For now the server only supports one variant.
160 * Check it's the right one.
161 */
162 if ((inbuflen % 16) != 0) {
163 return NT_STATUS_INVALID_PARAMETER;
164 }
165
166 SMB_ASSERT(strlen(SMB2_CREATE_TAG_POSIX) == 16);
167
168 for (ofs = 0; ofs < inbuflen; ofs += 16) {
169 cmp = memcmp(inbuf+ofs, SMB2_CREATE_TAG_POSIX, 16);
170 if (cmp == 0) {
171 posix_found = true;
172 break;
173 }
174 }
175
176 if (!posix_found) {
177 DBG_DEBUG("Client requested unknown SMB3 Unix extensions:\n");
178 dump_data(10, inbuf, inbuflen);
179 return NT_STATUS_OK;
180 }
181
182 DBG_DEBUG("Client requested SMB3 Unix extensions\n");
183 *posix = true;
184 return NT_STATUS_OK;
185 }
186
187 struct smbd_smb2_request_process_negprot_state {
188 struct smbd_smb2_request *req;
189 DATA_BLOB outbody;
190 DATA_BLOB outdyn;
191 };
192
193 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq);
194
195 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
196 {
197 struct smbd_smb2_request_process_negprot_state *state = NULL;
198 struct smbXsrv_connection *xconn = req->xconn;
199 struct tevent_req *subreq = NULL;
200 NTSTATUS status;
201 const uint8_t *inbody;
202 const uint8_t *indyn = NULL;
203 DATA_BLOB outbody;
204 DATA_BLOB outdyn;
205 DATA_BLOB negprot_spnego_blob;
206 uint16_t security_offset;
207 DATA_BLOB security_buffer;
208 size_t expected_dyn_size = 0;
209 size_t c;
210 uint16_t security_mode;
211 uint16_t dialect_count;
212 uint16_t in_security_mode;
213 uint32_t in_capabilities;
214 DATA_BLOB in_guid_blob;
215 struct GUID in_guid;
216 struct smb2_negotiate_contexts in_c = { .num_contexts = 0, };
217 struct smb2_negotiate_context *in_preauth = NULL;
218 struct smb2_negotiate_context *in_cipher = NULL;
219 struct smb2_negotiate_context *in_sign_algo = NULL;
220 struct smb2_negotiate_contexts out_c = { .num_contexts = 0, };
221 const struct smb311_capabilities default_smb3_capabilities =
222 smb311_capabilities_parse("server",
223 lp_server_smb3_signing_algorithms(),
224 lp_server_smb3_encryption_algorithms());
225 DATA_BLOB out_negotiate_context_blob = data_blob_null;
226 uint32_t out_negotiate_context_offset = 0;
227 uint16_t out_negotiate_context_count = 0;
228 uint16_t dialect = 0;
229 uint32_t capabilities;
230 DATA_BLOB out_guid_blob;
231 struct GUID out_guid;
232 enum protocol_types protocol = PROTOCOL_NONE;
233 uint32_t max_limit;
234 uint32_t max_trans = lp_smb2_max_trans();
235 uint32_t max_read = lp_smb2_max_read();
236 uint32_t max_write = lp_smb2_max_write();
237 NTTIME now = timeval_to_nttime(&req->request_time);
238 bool posix = false;
239 bool ok;
240
241 status = smbd_smb2_request_verify_sizes(req, 0x24);
242 if (!NT_STATUS_IS_OK(status)) {
243 return smbd_smb2_request_error(req, status);
244 }
245 inbody = SMBD_SMB2_IN_BODY_PTR(req);
246
247 dialect_count = SVAL(inbody, 0x02);
248
249 in_security_mode = SVAL(inbody, 0x04);
250 in_capabilities = IVAL(inbody, 0x08);
251 in_guid_blob = data_blob_const(inbody + 0x0C, 16);
252
253 if (dialect_count == 0) {
254 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
255 }
256
257 status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
258 if (!NT_STATUS_IS_OK(status)) {
259 return smbd_smb2_request_error(req, status);
260 }
261
262 expected_dyn_size = dialect_count * 2;
263 if (SMBD_SMB2_IN_DYN_LEN(req) < expected_dyn_size) {
264 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
265 }
266 indyn = SMBD_SMB2_IN_DYN_PTR(req);
267
268 protocol = smbd_smb2_protocol_dialect_match(indyn,
269 dialect_count,
270 &dialect);
271
272 for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
273 if (lp_server_max_protocol() < PROTOCOL_SMB2_10) {
274 break;
275 }
276
277 dialect = SVAL(indyn, c*2);
278 if (dialect == SMB2_DIALECT_REVISION_2FF) {
279 if (xconn->smb2.allow_2ff) {
280 xconn->smb2.allow_2ff = false;
281 protocol = PROTOCOL_SMB2_10;
282 break;
283 }
284 }
285 }
286
287 if (protocol == PROTOCOL_NONE) {
288 return smbd_smb2_request_error(req, NT_STATUS_NOT_SUPPORTED);
289 }
290
291 if (protocol >= PROTOCOL_SMB3_11) {
292 uint32_t in_negotiate_context_offset = 0;
293 uint16_t in_negotiate_context_count = 0;
294 DATA_BLOB in_negotiate_context_blob = data_blob_null;
295 size_t ofs;
296
297 in_negotiate_context_offset = IVAL(inbody, 0x1C);
298 in_negotiate_context_count = SVAL(inbody, 0x20);
299
300 ofs = SMB2_HDR_BODY;
301 ofs += SMBD_SMB2_IN_BODY_LEN(req);
302 ofs += expected_dyn_size;
303 if ((ofs % 8) != 0) {
304 ofs += 8 - (ofs % 8);
305 }
306
307 if (in_negotiate_context_offset != ofs) {
308 return smbd_smb2_request_error(req,
309 NT_STATUS_INVALID_PARAMETER);
310 }
311
312 ofs -= SMB2_HDR_BODY;
313 ofs -= SMBD_SMB2_IN_BODY_LEN(req);
314
315 if (SMBD_SMB2_IN_DYN_LEN(req) < ofs) {
316 return smbd_smb2_request_error(req,
317 NT_STATUS_INVALID_PARAMETER);
318 }
319
320 in_negotiate_context_blob = data_blob_const(indyn,
321 SMBD_SMB2_IN_DYN_LEN(req));
322
323 in_negotiate_context_blob.data += ofs;
324 in_negotiate_context_blob.length -= ofs;
325
326 status = smb2_negotiate_context_parse(req,
327 in_negotiate_context_blob,
328 in_negotiate_context_count,
329 &in_c);
330 if (!NT_STATUS_IS_OK(status)) {
331 return smbd_smb2_request_error(req, status);
332 }
333
334 status = smb2_negotiate_context_process_posix(&in_c, &posix);
335 if (!NT_STATUS_IS_OK(status)) {
336 return smbd_smb2_request_error(req, status);
337 }
338 }
339
340 if ((dialect != SMB2_DIALECT_REVISION_2FF) &&
341 (protocol >= PROTOCOL_SMB2_10) &&
342 !GUID_all_zero(&in_guid))
343 {
344 ok = remote_arch_cache_update(&in_guid);
345 if (!ok) {
346 return smbd_smb2_request_error(
347 req, NT_STATUS_UNSUCCESSFUL);
348 }
349 }
350
351 switch (get_remote_arch()) {
352 case RA_VISTA:
353 case RA_SAMBA:
354 case RA_CIFSFS:
355 case RA_OSX:
356 break;
357 default:
358 set_remote_arch(RA_VISTA);
359 break;
360 }
361
362 {
363 fstring proto;
364 fstr_sprintf(proto,
365 "SMB%X_%02X",
366 (dialect >> 8) & 0xFF, dialect & 0xFF);
367 set_remote_proto(proto);
368 DEBUG(3,("Selected protocol %s\n", proto));
369 }
370
371 reload_services(req->sconn, conn_snum_used, true);
372
373 in_preauth = smb2_negotiate_context_find(&in_c,
374 SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
375 if (protocol >= PROTOCOL_SMB3_11 && in_preauth == NULL) {
376 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
377 }
378 in_cipher = smb2_negotiate_context_find(&in_c,
379 SMB2_ENCRYPTION_CAPABILITIES);
380 in_sign_algo = smb2_negotiate_context_find(&in_c,
381 SMB2_SIGNING_CAPABILITIES);
382
383 /* negprot_spnego() returns the server guid in the first 16 bytes */
384 negprot_spnego_blob = negprot_spnego(req, xconn);
385 if (negprot_spnego_blob.data == NULL) {
386 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
387 }
388
389 if (negprot_spnego_blob.length < 16) {
390 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
391 }
392
393 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
394 if (xconn->smb2.signing_mandatory) {
395 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
396 }
397
398 capabilities = 0;
399 if (lp_host_msdfs()) {
400 capabilities |= SMB2_CAP_DFS;
401 }
402
403 if (protocol >= PROTOCOL_SMB2_10 &&
404 lp_smb2_leases() &&
405 lp_oplocks(GLOBAL_SECTION_SNUM) &&
406 !lp_kernel_oplocks(GLOBAL_SECTION_SNUM))
407 {
408 capabilities |= SMB2_CAP_LEASING;
409 }
410
411 if ((protocol >= PROTOCOL_SMB3_00) &&
412 (lp_server_smb_encrypt(-1) != SMB_ENCRYPTION_OFF) &&
413 (in_capabilities & SMB2_CAP_ENCRYPTION)) {
414 capabilities |= SMB2_CAP_ENCRYPTION;
415 }
416
417 if (protocol >= PROTOCOL_SMB3_00 &&
418 in_capabilities & SMB2_CAP_DIRECTORY_LEASING &&
419 lp_smb3_directory_leases())
420 {
421 capabilities |= SMB2_CAP_DIRECTORY_LEASING;
422 }
423
424 /*
425 * 0x10000 (65536) is the maximum allowed message size
426 * for SMB 2.0
427 */
428 max_limit = 0x10000;
429
430 if (protocol >= PROTOCOL_SMB2_10) {
431 int p = 0;
432
433 if (tsocket_address_is_inet(req->sconn->local_address, "ip")) {
434 p = tsocket_address_inet_port(req->sconn->local_address);
435 }
436
437 /* largeMTU is not supported over NBT (tcp port 139) */
438 if (p != NBT_SMB_PORT) {
439 capabilities |= SMB2_CAP_LARGE_MTU;
440 xconn->smb2.credits.multicredit = true;
441
442 /*
443 * We allow up to almost 16MB.
444 *
445 * The maximum PDU size is 0xFFFFFF (16776960)
446 * and we need some space for the header.
447 */
448 max_limit = 0xFFFF00;
449 }
450 }
451
452 /*
453 * the defaults are 8MB, but we'll limit this to max_limit based on
454 * the dialect (64kb for SMB 2.0, 8MB for SMB >= 2.1 with LargeMTU)
455 *
456 * user configured values exceeding the limits will be overwritten,
457 * only smaller values will be accepted
458 */
459
460 max_trans = MIN(max_limit, lp_smb2_max_trans());
461 max_read = MIN(max_limit, lp_smb2_max_read());
462 max_write = MIN(max_limit, lp_smb2_max_write());
463
464 if (in_preauth != NULL) {
465 size_t needed = 4;
466 uint16_t hash_count;
467 uint16_t salt_length;
468 uint16_t selected_preauth = 0;
469 const uint8_t *p;
470 uint8_t buf[38];
471 size_t i;
472
473 if (in_preauth->data.length < needed) {
474 return smbd_smb2_request_error(req,
475 NT_STATUS_INVALID_PARAMETER);
476 }
477
478 hash_count = SVAL(in_preauth->data.data, 0);
479 salt_length = SVAL(in_preauth->data.data, 2);
480
481 if (hash_count == 0) {
482 return smbd_smb2_request_error(req,
483 NT_STATUS_INVALID_PARAMETER);
484 }
485
486 p = in_preauth->data.data + needed;
487 needed += hash_count * 2;
488 needed += salt_length;
489
490 if (in_preauth->data.length < needed) {
491 return smbd_smb2_request_error(req,
492 NT_STATUS_INVALID_PARAMETER);
493 }
494
495 for (i=0; i < hash_count; i++) {
496 uint16_t v;
497
498 v = SVAL(p, 0);
499 p += 2;
500
501 if (v == SMB2_PREAUTH_INTEGRITY_SHA512) {
502 selected_preauth = v;
503 break;
504 }
505 }
506
507 if (selected_preauth == 0) {
508 return smbd_smb2_request_error(req,
509 NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP);
510 }
511
512 SSVAL(buf, 0, 1); /* HashAlgorithmCount */
513 SSVAL(buf, 2, 32); /* SaltLength */
514 SSVAL(buf, 4, selected_preauth);
515 generate_random_buffer(buf + 6, 32);
516
517 status = smb2_negotiate_context_add(
518 req,
519 &out_c,
520 SMB2_PREAUTH_INTEGRITY_CAPABILITIES,
521 buf,
522 sizeof(buf));
523 if (!NT_STATUS_IS_OK(status)) {
524 return smbd_smb2_request_error(req, status);
525 }
526
527 req->preauth = &req->xconn->smb2.preauth;
528 }
529
530 if (protocol >= PROTOCOL_SMB3_00) {
531 xconn->smb2.server.sign_algo = SMB2_SIGNING_AES128_CMAC;
532 } else {
533 xconn->smb2.server.sign_algo = SMB2_SIGNING_HMAC_SHA256;
534 }
535
536 if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
537 const struct smb3_encryption_capabilities *srv_ciphers =
538 &default_smb3_capabilities.encryption;
539 uint16_t srv_preferred_idx = UINT16_MAX;
540 size_t needed = 2;
541 uint16_t cipher_count;
542 const uint8_t *p;
543 uint8_t buf[4];
544 size_t i;
545
546 capabilities &= ~SMB2_CAP_ENCRYPTION;
547
548 if (in_cipher->data.length < needed) {
549 return smbd_smb2_request_error(req,
550 NT_STATUS_INVALID_PARAMETER);
551 }
552
553 cipher_count = SVAL(in_cipher->data.data, 0);
554 if (cipher_count == 0) {
555 return smbd_smb2_request_error(req,
556 NT_STATUS_INVALID_PARAMETER);
557 }
558
559 p = in_cipher->data.data + needed;
560 needed += cipher_count * 2;
561
562 if (in_cipher->data.length < needed) {
563 return smbd_smb2_request_error(req,
564 NT_STATUS_INVALID_PARAMETER);
565 }
566
567 for (i=0; i < cipher_count; i++) {
568 uint16_t si;
569 uint16_t v;
570
571 v = SVAL(p, 0);
572 p += 2;
573
574 for (si = 0; si < srv_ciphers->num_algos; si++) {
575 if (srv_ciphers->algos[si] != v) {
576 continue;
577 }
578
579 /*
580 * The server ciphers are listed
581 * with the lowest idx being preferred.
582 */
583 if (si < srv_preferred_idx) {
584 srv_preferred_idx = si;
585 }
586 break;
587 }
588 }
589
590 if (srv_preferred_idx != UINT16_MAX) {
591 xconn->smb2.server.cipher =
592 srv_ciphers->algos[srv_preferred_idx];
593 }
594
595 SSVAL(buf, 0, 1); /* ChiperCount */
596 SSVAL(buf, 2, xconn->smb2.server.cipher);
597
598 status = smb2_negotiate_context_add(
599 req,
600 &out_c,
601 SMB2_ENCRYPTION_CAPABILITIES,
602 buf,
603 sizeof(buf));
604 if (!NT_STATUS_IS_OK(status)) {
605 return smbd_smb2_request_error(req, status);
606 }
607 }
608
609 if (capabilities & SMB2_CAP_ENCRYPTION) {
610 xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
611 }
612
613 if (in_sign_algo != NULL) {
614 const struct smb3_signing_capabilities *srv_sign_algos =
615 &default_smb3_capabilities.signing;
616 uint16_t srv_preferred_idx = UINT16_MAX;
617 size_t needed = 2;
618 uint16_t sign_algo_count;
619 const uint8_t *p;
620 size_t i;
621
622 if (in_sign_algo->data.length < needed) {
623 return smbd_smb2_request_error(req,
624 NT_STATUS_INVALID_PARAMETER);
625 }
626
627 sign_algo_count = SVAL(in_sign_algo->data.data, 0);
628 if (sign_algo_count == 0) {
629 return smbd_smb2_request_error(req,
630 NT_STATUS_INVALID_PARAMETER);
631 }
632
633 p = in_sign_algo->data.data + needed;
634 needed += sign_algo_count * 2;
635
636 if (in_sign_algo->data.length < needed) {
637 return smbd_smb2_request_error(req,
638 NT_STATUS_INVALID_PARAMETER);
639 }
640
641 for (i=0; i < sign_algo_count; i++) {
642 uint16_t si;
643 uint16_t v;
644
645 v = SVAL(p, 0);
646 p += 2;
647
648 for (si = 0; si < srv_sign_algos->num_algos; si++) {
649 if (srv_sign_algos->algos[si] != v) {
650 continue;
651 }
652
653 /*
654 * The server sign_algos are listed
655 * with the lowest idx being preferred.
656 */
657 if (si < srv_preferred_idx) {
658 srv_preferred_idx = si;
659 }
660 break;
661 }
662 }
663
664 /*
665 * If we found a match announce it
666 * otherwise we'll keep the default
667 * of SMB2_SIGNING_AES128_CMAC
668 */
669 if (srv_preferred_idx != UINT16_MAX) {
670 uint8_t buf[4];
671
672 xconn->smb2.server.sign_algo =
673 srv_sign_algos->algos[srv_preferred_idx];
674
675 SSVAL(buf, 0, 1); /* SigningAlgorithmCount */
676 SSVAL(buf, 2, xconn->smb2.server.sign_algo);
677
678 status = smb2_negotiate_context_add(
679 req,
680 &out_c,
681 SMB2_SIGNING_CAPABILITIES,
682 buf,
683 sizeof(buf));
684 if (!NT_STATUS_IS_OK(status)) {
685 return smbd_smb2_request_error(req, status);
686 }
687 }
688 }
689
690 status = smb311_capabilities_check(&default_smb3_capabilities,
691 "smb2srv_negprot",
692 DBGLVL_NOTICE,
693 NT_STATUS_INVALID_PARAMETER,
694 "server",
695 protocol,
696 xconn->smb2.server.sign_algo,
697 xconn->smb2.server.cipher);
698 if (!NT_STATUS_IS_OK(status)) {
699 return smbd_smb2_request_error(req, status);
700 }
701
702 if (protocol >= PROTOCOL_SMB3_00 &&
703 xconn->client->server_multi_channel_enabled)
704 {
705 if (in_capabilities & SMB2_CAP_MULTI_CHANNEL) {
706 capabilities |= SMB2_CAP_MULTI_CHANNEL;
707 }
708 }
709
710 security_offset = SMB2_HDR_BODY + 0x40;
711
712 #if 1
713 /* Try SPNEGO auth... */
714 security_buffer = data_blob_const(negprot_spnego_blob.data + 16,
715 negprot_spnego_blob.length - 16);
716 #else
717 /* for now we want raw NTLMSSP */
718 security_buffer = data_blob_const(NULL, 0);
719 #endif
720
721 if (posix) {
722 /* Client correctly negotiated SMB2 unix extensions. */
723 const uint8_t *buf = (const uint8_t *)SMB2_CREATE_TAG_POSIX;
724 status = smb2_negotiate_context_add(
725 req,
726 &out_c,
727 SMB2_POSIX_EXTENSIONS_AVAILABLE,
728 buf,
729 16);
730 if (!NT_STATUS_IS_OK(status)) {
731 return smbd_smb2_request_error(req, status);
732 }
733 xconn->smb2.server.posix_extensions_negotiated = true;
734 }
735
736 if (out_c.num_contexts != 0) {
737 status = smb2_negotiate_context_push(req,
738 &out_negotiate_context_blob,
739 out_c);
740 if (!NT_STATUS_IS_OK(status)) {
741 return smbd_smb2_request_error(req, status);
742 }
743 }
744
745 if (out_negotiate_context_blob.length != 0) {
746 static const uint8_t zeros[8];
747 size_t pad = 0;
748 size_t ofs;
749
750 outdyn = data_blob_dup_talloc(req, security_buffer);
751 if (outdyn.length != security_buffer.length) {
752 return smbd_smb2_request_error(req,
753 NT_STATUS_NO_MEMORY);
754 }
755
756 ofs = security_offset + security_buffer.length;
757 if ((ofs % 8) != 0) {
758 pad = 8 - (ofs % 8);
759 }
760 ofs += pad;
761
762 ok = data_blob_append(req, &outdyn, zeros, pad);
763 if (!ok) {
764 return smbd_smb2_request_error(req,
765 NT_STATUS_NO_MEMORY);
766 }
767
768 ok = data_blob_append(req, &outdyn,
769 out_negotiate_context_blob.data,
770 out_negotiate_context_blob.length);
771 if (!ok) {
772 return smbd_smb2_request_error(req,
773 NT_STATUS_NO_MEMORY);
774 }
775
776 out_negotiate_context_offset = ofs;
777 out_negotiate_context_count = out_c.num_contexts;
778 } else {
779 outdyn = security_buffer;
780 }
781
782 out_guid_blob = data_blob_const(negprot_spnego_blob.data, 16);
783 status = GUID_from_ndr_blob(&out_guid_blob, &out_guid);
784 if (!NT_STATUS_IS_OK(status)) {
785 return smbd_smb2_request_error(req, status);
786 }
787
788 outbody = smbd_smb2_generate_outbody(req, 0x40);
789 if (outbody.data == NULL) {
790 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
791 }
792
793 SSVAL(outbody.data, 0x00, 0x40 + 1); /* struct size */
794 SSVAL(outbody.data, 0x02,
795 security_mode); /* security mode */
796 SSVAL(outbody.data, 0x04, dialect); /* dialect revision */
797 SSVAL(outbody.data, 0x06,
798 out_negotiate_context_count); /* reserved/NegotiateContextCount */
799 memcpy(outbody.data + 0x08,
800 out_guid_blob.data, 16); /* server guid */
801 SIVAL(outbody.data, 0x18,
802 capabilities); /* capabilities */
803 SIVAL(outbody.data, 0x1C, max_trans); /* max transact size */
804 SIVAL(outbody.data, 0x20, max_read); /* max read size */
805 SIVAL(outbody.data, 0x24, max_write); /* max write size */
806 SBVAL(outbody.data, 0x28, now); /* system time */
807 SBVAL(outbody.data, 0x30, 0); /* server start time */
808 SSVAL(outbody.data, 0x38,
809 security_offset); /* security buffer offset */
810 SSVAL(outbody.data, 0x3A,
811 security_buffer.length); /* security buffer length */
812 SIVAL(outbody.data, 0x3C,
813 out_negotiate_context_offset); /* reserved/NegotiateContextOffset */
814
815 if (dialect == SMB2_DIALECT_REVISION_2FF) {
816 return smbd_smb2_request_done(req, outbody, &outdyn);
817 }
818
819 status = smbXsrv_connection_init_tables(xconn, protocol);
820 if (!NT_STATUS_IS_OK(status)) {
821 return smbd_smb2_request_error(req, status);
822 }
823
824 xconn->smb2.client.capabilities = in_capabilities;
825 xconn->smb2.client.security_mode = in_security_mode;
826 xconn->smb2.client.guid = in_guid;
827 xconn->smb2.client.num_dialects = dialect_count;
828 xconn->smb2.client.dialects = talloc_array(xconn,
829 uint16_t,
830 dialect_count);
831 if (xconn->smb2.client.dialects == NULL) {
832 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
833 }
834 for (c=0; c < dialect_count; c++) {
835 xconn->smb2.client.dialects[c] = SVAL(indyn, c*2);
836 }
837
838 xconn->smb2.server.capabilities = capabilities;
839 xconn->smb2.server.security_mode = security_mode;
840 xconn->smb2.server.guid = out_guid;
841 xconn->smb2.server.dialect = dialect;
842 xconn->smb2.server.max_trans = max_trans;
843 xconn->smb2.server.max_read = max_read;
844 xconn->smb2.server.max_write = max_write;
845
846 if (xconn->protocol < PROTOCOL_SMB2_10) {
847 /*
848 * SMB2_02 doesn't support client guids
849 */
850 return smbd_smb2_request_done(req, outbody, &outdyn);
851 }
852
853 if (!xconn->client->server_multi_channel_enabled) {
854 /*
855 * Only deal with the client guid database
856 * if multi-channel is enabled.
857 *
858 * But we still need to setup
859 * xconn->client->global->client_guid to
860 * the correct value.
861 */
862 xconn->client->global->client_guid =
863 xconn->smb2.client.guid;
864 return smbd_smb2_request_done(req, outbody, &outdyn);
865 }
866
867 if (xconn->smb2.client.guid_verified) {
868 /*
869 * The connection was passed from another
870 * smbd process.
871 */
872 return smbd_smb2_request_done(req, outbody, &outdyn);
873 }
874
875 state = talloc_zero(req, struct smbd_smb2_request_process_negprot_state);
876 if (state == NULL) {
877 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
878 }
879 *state = (struct smbd_smb2_request_process_negprot_state) {
880 .req = req,
881 .outbody = outbody,
882 .outdyn = outdyn,
883 };
884
885 subreq = smb2srv_client_mc_negprot_send(state,
886 req->xconn->client->raw_ev_ctx,
887 req);
888 if (subreq == NULL) {
889 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
890 }
891 tevent_req_set_callback(subreq,
892 smbd_smb2_request_process_negprot_mc_done,
893 state);
894 return NT_STATUS_OK;
895 }
896
897 static void smbd_smb2_request_process_negprot_mc_done(struct tevent_req *subreq)
898 {
899 struct smbd_smb2_request_process_negprot_state *state =
900 tevent_req_callback_data(subreq,
901 struct smbd_smb2_request_process_negprot_state);
902 struct smbd_smb2_request *req = state->req;
903 struct smbXsrv_connection *xconn = req->xconn;
904 NTSTATUS status;
905
906 status = smb2srv_client_mc_negprot_recv(subreq);
907 TALLOC_FREE(subreq);
908 if (NT_STATUS_EQUAL(status, NT_STATUS_MESSAGE_RETRIEVED)) {
909 /*
910 * The connection was passed to another process
911 *
912 * We mark the error as NT_STATUS_CONNECTION_IN_USE,
913 * in order to indicate to low level code if
914 * ctdbd_unregister_ips() or ctdbd_passed_ips()
915 * is more useful.
916 */
917 smbXsrv_connection_disconnect_transport(xconn,
918 NT_STATUS_CONNECTION_IN_USE);
919 smbd_server_connection_terminate(xconn,
920 "passed connection");
921 exit_server_cleanly("connection passed");
922 return;
923 }
924 if (!NT_STATUS_IS_OK(status)) {
925 status = smbd_smb2_request_error(req, status);
926 if (NT_STATUS_IS_OK(status)) {
927 return;
928 }
929
930 /*
931 * The connection was passed to another process
932 */
933 smbd_server_connection_terminate(xconn, nt_errstr(status));
934 exit_server_cleanly("connection passed");
935 return;
936 }
937
938 /*
939 * We're the first connection...
940 */
941 status = smbd_smb2_request_done(req, state->outbody, &state->outdyn);
942 if (NT_STATUS_IS_OK(status)) {
943 /*
944 * This allows us to support starting smbd under
945 * callgrind and only start the overhead and
946 * instrumentation after the SMB2 negprot,
947 * this allows us to profile only useful
948 * stuff and not all the smbd startup, forking
949 * and multichannel handling.
950 *
951 * valgrind --tool=callgrind --instr-atstart=no smbd
952 */
953 #ifdef CALLGRIND_START_INSTRUMENTATION
954 CALLGRIND_START_INSTRUMENTATION;
955 #endif
956 return;
957 }
958
959 /*
960 * The connection was passed to another process
961 */
962 smbd_server_connection_terminate(xconn, nt_errstr(status));
963 exit_server_cleanly("connection passed");
964 return;
965 }
966
967 /****************************************************************************
968 Generate the spnego negprot reply blob. Return the number of bytes used.
969 ****************************************************************************/
970
971 DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbXsrv_connection *xconn)
972 {
973 DATA_BLOB blob = data_blob_null;
974 DATA_BLOB blob_out = data_blob_null;
975 nstring dos_name;
976 fstring unix_name;
977 NTSTATUS status;
978 #ifdef DEVELOPER
979 size_t slen;
980 #endif
981 struct gensec_security *gensec_security;
982
983 /* See if we can get an SPNEGO blob */
984 status = auth_generic_prepare(talloc_tos(),
985 xconn->remote_address,
986 xconn->local_address,
987 "SMB",
988 &gensec_security);
989
990 /*
991 * Despite including it above, there is no need to set a
992 * remote address or similar as we are just interested in the
993 * SPNEGO blob, we never keep this context.
994 */
995
996 if (NT_STATUS_IS_OK(status)) {
997 status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
998 if (NT_STATUS_IS_OK(status)) {
999 status = gensec_update(gensec_security, ctx,
1000 data_blob_null, &blob);
1001 /* If we get the list of OIDs, the 'OK' answer
1002 * is NT_STATUS_MORE_PROCESSING_REQUIRED */
1003 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1004 DEBUG(0, ("Failed to start SPNEGO handler for negprot OID list!\n"));
1005 blob = data_blob_null;
1006 }
1007 }
1008 TALLOC_FREE(gensec_security);
1009 }
1010
1011 #if defined(WITH_SMB1SERVER)
1012 xconn->smb1.negprot.spnego = true;
1013 #endif
1014
1015 /* strangely enough, NT does not sent the single OID NTLMSSP when
1016 not a ADS member, it sends no OIDs at all
1017
1018 OLD COMMENT : "we can't do this until we teach our session setup parser to know
1019 about raw NTLMSSP (clients send no ASN.1 wrapping if we do this)"
1020
1021 Our sessionsetup code now handles raw NTLMSSP connects, so we can go
1022 back to doing what W2K3 does here. This is needed to make PocketPC 2003
1023 CIFS connections work with SPNEGO. See bugzilla bugs #1828 and #3133
1024 for details. JRA.
1025
1026 */
1027
1028 if (blob.length == 0 || blob.data == NULL) {
1029 return data_blob_null;
1030 }
1031
1032 blob_out = data_blob_talloc(ctx, NULL, 16 + blob.length);
1033 if (blob_out.data == NULL) {
1034 data_blob_free(&blob);
1035 return data_blob_null;
1036 }
1037
1038 memset(blob_out.data, '\0', 16);
1039
1040 checked_strlcpy(unix_name, lp_netbios_name(), sizeof(unix_name));
1041 (void)strlower_m(unix_name);
1042 push_ascii_nstring(dos_name, unix_name);
1043 strlcpy((char *)blob_out.data, dos_name, 17);
1044
1045 #ifdef DEVELOPER
1046 /* Fix valgrind 'uninitialized bytes' issue. */
1047 slen = strlen(dos_name);
1048 if (slen < 16) {
1049 memset(blob_out.data+slen, '\0', 16 - slen);
1050 }
1051 #endif
1052
1053 memcpy(&blob_out.data[16], blob.data, blob.length);
1054
1055 data_blob_free(&blob);
1056
1057 return blob_out;
1058 }
1059
1060 /*
1061 * MS-CIFS, 2.2.4.52.2 SMB_COM_NEGOTIATE Response:
1062 * If the server does not support any of the listed dialects, it MUST return a
1063 * DialectIndex of 0XFFFF
1064 */
1065 #define NO_PROTOCOL_CHOSEN 0xffff
1066
1067 #define PROT_SMB_2_002 0x1000
1068 #define PROT_SMB_2_FF 0x2000
1069
1070 /* List of supported SMB1 protocols, most desired first.
1071 * This is for enabling multi-protocol negotiation in SMB2 when SMB1
1072 * is disabled.
1073 */
1074 static const struct {
1075 const char *proto_name;
1076 const char *short_name;
1077 NTSTATUS (*proto_reply_fn)(struct smb_request *req, uint16_t choice);
1078 int protocol_level;
1079 } supported_protocols[] = {
1080 {"SMB 2.???", "SMB2_FF", reply_smb20ff, PROTOCOL_SMB2_10},
1081 {"SMB 2.002", "SMB2_02", reply_smb2002, PROTOCOL_SMB2_02},
1082 {NULL,NULL,NULL,0},
1083 };
1084
1085 /****************************************************************************
1086 Reply to a negprot.
1087 conn POINTER CAN BE NULL HERE !
1088 ****************************************************************************/
1089
1090 NTSTATUS smb2_multi_protocol_reply_negprot(struct smb_request *req)
1091 {
1092 size_t choice = 0;
1093 bool choice_set = false;
1094 int protocol;
1095 const char *p;
1096 int num_cliprotos;
1097 char **cliprotos;
1098 size_t i;
1099 size_t converted_size;
1100 struct smbXsrv_connection *xconn = req->xconn;
1101 struct smbd_server_connection *sconn = req->sconn;
1102 int max_proto;
1103 int min_proto;
1104 NTSTATUS status;
1105
1106 START_PROFILE(SMBnegprot);
1107
1108 if (req->buflen == 0) {
1109 DEBUG(0, ("negprot got no protocols\n"));
1110 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1111 END_PROFILE(SMBnegprot);
1112 return NT_STATUS_INVALID_PARAMETER;
1113 }
1114
1115 if (req->buf[req->buflen-1] != '\0') {
1116 DEBUG(0, ("negprot protocols not 0-terminated\n"));
1117 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1118 END_PROFILE(SMBnegprot);
1119 return NT_STATUS_INVALID_PARAMETER;
1120 }
1121
1122 p = (const char *)req->buf + 1;
1123
1124 num_cliprotos = 0;
1125 cliprotos = NULL;
1126
1127 while (smbreq_bufrem(req, p) > 0) {
1128
1129 char **tmp;
1130
1131 tmp = talloc_realloc(talloc_tos(), cliprotos, char *,
1132 num_cliprotos+1);
1133 if (tmp == NULL) {
1134 DEBUG(0, ("talloc failed\n"));
1135 TALLOC_FREE(cliprotos);
1136 reply_nterror(req, NT_STATUS_NO_MEMORY);
1137 END_PROFILE(SMBnegprot);
1138 return NT_STATUS_NO_MEMORY;
1139 }
1140
1141 cliprotos = tmp;
1142
1143 if (!pull_ascii_talloc(cliprotos, &cliprotos[num_cliprotos], p,
1144 &converted_size)) {
1145 DEBUG(0, ("pull_ascii_talloc failed\n"));
1146 TALLOC_FREE(cliprotos);
1147 reply_nterror(req, NT_STATUS_NO_MEMORY);
1148 END_PROFILE(SMBnegprot);
1149 return NT_STATUS_NO_MEMORY;
1150 }
1151
1152 DEBUG(3, ("Requested protocol [%s]\n",
1153 cliprotos[num_cliprotos]));
1154
1155 num_cliprotos += 1;
1156 p += strlen(p) + 2;
1157 }
1158
1159 /* possibly reload - change of architecture */
1160 reload_services(sconn, conn_snum_used, true);
1161
1162 /*
1163 * Anything higher than PROTOCOL_SMB2_10 still
1164 * needs to go via "SMB 2.???", which is marked
1165 * as PROTOCOL_SMB2_10.
1166 *
1167 * The real negotiation happens via reply_smb20ff()
1168 * using SMB2 Negotiation.
1169 */
1170 max_proto = lp_server_max_protocol();
1171 if (max_proto > PROTOCOL_SMB2_10) {
1172 max_proto = PROTOCOL_SMB2_10;
1173 }
1174 min_proto = lp_server_min_protocol();
1175 if (min_proto > PROTOCOL_SMB2_10) {
1176 min_proto = PROTOCOL_SMB2_10;
1177 }
1178
1179 /* Check for protocols, most desirable first */
1180 for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
1181 i = 0;
1182 if ((supported_protocols[protocol].protocol_level <= max_proto) &&
1183 (supported_protocols[protocol].protocol_level >= min_proto))
1184 while (i < num_cliprotos) {
1185 if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) {
1186 choice = i;
1187 choice_set = true;
1188 }
1189 i++;
1190 }
1191 if (choice_set) {
1192 break;
1193 }
1194 }
1195
1196 if (!choice_set) {
1197 bool ok;
1198
1199 DBG_NOTICE("No protocol supported !\n");
1200 reply_smb1_outbuf(req, 1, 0);
1201 SSVAL(req->outbuf, smb_vwv0, NO_PROTOCOL_CHOSEN);
1202
1203 ok = smb1_srv_send(xconn, (char *)req->outbuf, false, 0, false);
1204 if (!ok) {
1205 DBG_NOTICE("smb1_srv_send failed\n");
1206 }
1207 exit_server_cleanly("no protocol supported\n");
1208 }
1209
1210 set_remote_proto(supported_protocols[protocol].short_name);
1211 reload_services(sconn, conn_snum_used, true);
1212 status = supported_protocols[protocol].proto_reply_fn(req, choice);
1213 if (!NT_STATUS_IS_OK(status)) {
1214 exit_server_cleanly("negprot function failed\n");
1215 }
1216
1217 DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name));
1218
1219 DBG_INFO("negprot index=%zu\n", choice);
1220
1221 TALLOC_FREE(cliprotos);
1222
1223 END_PROFILE(SMBnegprot);
1224 return NT_STATUS_OK;
1225 }
GSS-enabled samba4