mirror of
https://github.com/samba-team/samba.git
synced 2025-01-05 09:18:06 +03:00
4142bde7e5
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Fri Nov 27 10:07:18 UTC 2020 on sn-devel-184
328 lines
10 KiB
C
328 lines
10 KiB
C
/*
|
|
Unix SMB2 implementation.
|
|
|
|
Copyright (C) Andrew Bartlett 2001-2005
|
|
Copyright (C) Stefan Metzmacher 2005
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "auth/credentials/credentials.h"
|
|
#include "auth/auth.h"
|
|
#include "auth/gensec/gensec.h"
|
|
#include "libcli/raw/libcliraw.h"
|
|
#include "libcli/raw/raw_proto.h"
|
|
#include "libcli/smb2/smb2.h"
|
|
#include "libcli/smb2/smb2_calls.h"
|
|
#include "smb_server/smb_server.h"
|
|
#include "smb_server/smb2/smb2_server.h"
|
|
#include "samba/service_stream.h"
|
|
#include "param/param.h"
|
|
|
|
static NTSTATUS smb2srv_negprot_secblob(struct smb2srv_request *req, DATA_BLOB *_blob)
|
|
{
|
|
struct gensec_security *gensec_security;
|
|
DATA_BLOB null_data_blob = data_blob(NULL, 0);
|
|
DATA_BLOB blob;
|
|
NTSTATUS nt_status;
|
|
struct cli_credentials *server_credentials;
|
|
|
|
server_credentials =
|
|
cli_credentials_init_server(req, req->smb_conn->lp_ctx);
|
|
if (server_credentials == NULL) {
|
|
DBG_DEBUG("Failed to obtain server credentials, "
|
|
"perhaps a standalone server?\n");
|
|
/*
|
|
* Create anon server credentials for for the
|
|
* spoolss.notify test.
|
|
*/
|
|
server_credentials = cli_credentials_init_anon(req);
|
|
if (server_credentials == NULL) {
|
|
smbsrv_terminate_connection(req->smb_conn,
|
|
"Failed to init server credentials\n");
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
}
|
|
|
|
req->smb_conn->negotiate.server_credentials = talloc_steal(req->smb_conn, server_credentials);
|
|
|
|
nt_status = samba_server_gensec_start(req,
|
|
req->smb_conn->connection->event.ctx,
|
|
req->smb_conn->connection->msg_ctx,
|
|
req->smb_conn->lp_ctx,
|
|
server_credentials,
|
|
"cifs",
|
|
&gensec_security);
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status)));
|
|
smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n");
|
|
return nt_status;
|
|
}
|
|
|
|
gensec_set_target_service(gensec_security, "cifs");
|
|
|
|
gensec_set_credentials(gensec_security, server_credentials);
|
|
|
|
nt_status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
|
|
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
DEBUG(0, ("Failed to start SPNEGO: %s\n", nt_errstr(nt_status)));
|
|
smbsrv_terminate_connection(req->smb_conn, "Failed to start SPNEGO\n");
|
|
return nt_status;
|
|
}
|
|
|
|
nt_status = gensec_update(gensec_security, req,
|
|
null_data_blob, &blob);
|
|
if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
|
|
DEBUG(0, ("Failed to get SPNEGO to give us the first token: %s\n", nt_errstr(nt_status)));
|
|
smbsrv_terminate_connection(req->smb_conn, "Failed to start SPNEGO - no first token\n");
|
|
return nt_status;
|
|
}
|
|
|
|
*_blob = blob;
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2_negprot *io)
|
|
{
|
|
NTSTATUS status;
|
|
struct timeval current_time;
|
|
struct timeval boot_time;
|
|
uint16_t i;
|
|
uint16_t dialect = 0;
|
|
enum smb_signing_setting signing_setting;
|
|
struct loadparm_context *lp_ctx = req->smb_conn->lp_ctx;
|
|
|
|
/* we only do one dialect for now */
|
|
if (io->in.dialect_count < 1) {
|
|
return NT_STATUS_NOT_SUPPORTED;
|
|
}
|
|
for (i=0; i < io->in.dialect_count; i++) {
|
|
dialect = io->in.dialects[i];
|
|
if (dialect == SMB2_DIALECT_REVISION_202) {
|
|
break;
|
|
}
|
|
}
|
|
if (dialect != SMB2_DIALECT_REVISION_202) {
|
|
DEBUG(0,("Got unexpected SMB2 dialect %u\n", dialect));
|
|
return NT_STATUS_NOT_SUPPORTED;
|
|
}
|
|
|
|
req->smb_conn->negotiate.protocol = PROTOCOL_SMB2_02;
|
|
|
|
current_time = timeval_current(); /* TODO: handle timezone?! */
|
|
boot_time = timeval_current(); /* TODO: fix me */
|
|
|
|
ZERO_STRUCT(io->out);
|
|
|
|
signing_setting = lpcfg_server_signing(lp_ctx);
|
|
if (signing_setting == SMB_SIGNING_DEFAULT) {
|
|
/*
|
|
* If we are a domain controller, SMB signing is
|
|
* really important, as it can prevent a number of
|
|
* attacks on communications between us and the
|
|
* clients
|
|
*
|
|
* However, it really sucks (no sendfile, CPU
|
|
* overhead) performance-wise when used on a
|
|
* file server, so disable it by default
|
|
* on non-DCs
|
|
*/
|
|
|
|
if (lpcfg_server_role(lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) {
|
|
signing_setting = SMB_SIGNING_REQUIRED;
|
|
} else {
|
|
signing_setting = SMB_SIGNING_OFF;
|
|
}
|
|
}
|
|
|
|
switch (signing_setting) {
|
|
case SMB_SIGNING_DEFAULT:
|
|
case SMB_SIGNING_IPC_DEFAULT:
|
|
smb_panic(__location__);
|
|
break;
|
|
case SMB_SIGNING_OFF:
|
|
io->out.security_mode = 0;
|
|
break;
|
|
case SMB_SIGNING_DESIRED:
|
|
case SMB_SIGNING_IF_REQUIRED:
|
|
io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
|
|
break;
|
|
case SMB_SIGNING_REQUIRED:
|
|
io->out.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED;
|
|
/* force signing on immediately */
|
|
req->smb_conn->smb2_signing_required = true;
|
|
break;
|
|
}
|
|
io->out.dialect_revision = dialect;
|
|
io->out.capabilities = 0;
|
|
io->out.max_transact_size = lpcfg_parm_ulong(req->smb_conn->lp_ctx, NULL,
|
|
"smb2", "max transaction size", 0x10000);
|
|
io->out.max_read_size = lpcfg_parm_ulong(req->smb_conn->lp_ctx, NULL,
|
|
"smb2", "max read size", 0x10000);
|
|
io->out.max_write_size = lpcfg_parm_ulong(req->smb_conn->lp_ctx, NULL,
|
|
"smb2", "max write size", 0x10000);
|
|
io->out.system_time = timeval_to_nttime(¤t_time);
|
|
io->out.server_start_time = timeval_to_nttime(&boot_time);
|
|
io->out.reserved2 = 0;
|
|
status = smb2srv_negprot_secblob(req, &io->out.secblob);
|
|
NT_STATUS_NOT_OK_RETURN(status);
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
static void smb2srv_negprot_send(struct smb2srv_request *req, struct smb2_negprot *io)
|
|
{
|
|
NTSTATUS status;
|
|
|
|
if (NT_STATUS_IS_ERR(req->status)) {
|
|
smb2srv_send_error(req, req->status); /* TODO: is this correct? */
|
|
return;
|
|
}
|
|
|
|
status = smb2srv_setup_reply(req, 0x40, true, io->out.secblob.length);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
smbsrv_terminate_connection(req->smb_conn, nt_errstr(status));
|
|
talloc_free(req);
|
|
return;
|
|
}
|
|
|
|
SSVAL(req->out.body, 0x02, io->out.security_mode);
|
|
SIVAL(req->out.body, 0x04, io->out.dialect_revision);
|
|
SIVAL(req->out.body, 0x06, io->out.reserved);
|
|
status = smbcli_push_guid(req->out.body, 0x08, &io->out.server_guid);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
smbsrv_terminate_connection(req->smb_conn, nt_errstr(status));
|
|
talloc_free(req);
|
|
return;
|
|
}
|
|
SIVAL(req->out.body, 0x18, io->out.capabilities);
|
|
SIVAL(req->out.body, 0x1C, io->out.max_transact_size);
|
|
SIVAL(req->out.body, 0x20, io->out.max_read_size);
|
|
SIVAL(req->out.body, 0x24, io->out.max_write_size);
|
|
push_nttime(req->out.body, 0x28, io->out.system_time);
|
|
push_nttime(req->out.body, 0x30, io->out.server_start_time);
|
|
SIVAL(req->out.body, 0x3C, io->out.reserved2);
|
|
status = smb2_push_o16s16_blob(&req->out, 0x38, io->out.secblob);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
smbsrv_terminate_connection(req->smb_conn, nt_errstr(status));
|
|
talloc_free(req);
|
|
return;
|
|
}
|
|
|
|
smb2srv_send_reply(req);
|
|
}
|
|
|
|
void smb2srv_negprot_recv(struct smb2srv_request *req)
|
|
{
|
|
struct smb2_negprot *io;
|
|
int i;
|
|
|
|
if (req->in.body_size < 0x26) {
|
|
smbsrv_terminate_connection(req->smb_conn, "Bad body size in SMB2 negprot");
|
|
return;
|
|
}
|
|
|
|
io = talloc(req, struct smb2_negprot);
|
|
if (!io) {
|
|
smbsrv_terminate_connection(req->smb_conn, nt_errstr(NT_STATUS_NO_MEMORY));
|
|
talloc_free(req);
|
|
return;
|
|
}
|
|
|
|
io->in.dialect_count = SVAL(req->in.body, 0x02);
|
|
io->in.security_mode = SVAL(req->in.body, 0x04);
|
|
io->in.reserved = SVAL(req->in.body, 0x06);
|
|
io->in.capabilities = IVAL(req->in.body, 0x08);
|
|
req->status = smbcli_pull_guid(req->in.body, 0xC, &io->in.client_guid);
|
|
if (!NT_STATUS_IS_OK(req->status)) {
|
|
smbsrv_terminate_connection(req->smb_conn, "Bad GUID in SMB2 negprot");
|
|
talloc_free(req);
|
|
return;
|
|
}
|
|
io->in.start_time = smbcli_pull_nttime(req->in.body, 0x1C);
|
|
|
|
io->in.dialects = talloc_array(req, uint16_t, io->in.dialect_count);
|
|
if (io->in.dialects == NULL) {
|
|
smbsrv_terminate_connection(req->smb_conn, nt_errstr(NT_STATUS_NO_MEMORY));
|
|
talloc_free(req);
|
|
return;
|
|
}
|
|
for (i=0;i<io->in.dialect_count;i++) {
|
|
io->in.dialects[i] = SVAL(req->in.body, 0x24+i*2);
|
|
}
|
|
|
|
req->status = smb2srv_negprot_backend(req, io);
|
|
|
|
if (req->control_flags & SMB2SRV_REQ_CTRL_FLAG_NOT_REPLY) {
|
|
talloc_free(req);
|
|
return;
|
|
}
|
|
smb2srv_negprot_send(req, io);
|
|
}
|
|
|
|
/*
|
|
* reply to a SMB negprot request with dialect "SMB 2.002"
|
|
*/
|
|
void smb2srv_reply_smb_negprot(struct smbsrv_request *smb_req)
|
|
{
|
|
struct smb2srv_request *req;
|
|
uint32_t body_fixed_size = 0x26;
|
|
|
|
req = talloc_zero(smb_req->smb_conn, struct smb2srv_request);
|
|
if (!req) goto nomem;
|
|
req->smb_conn = smb_req->smb_conn;
|
|
req->request_time = smb_req->request_time;
|
|
talloc_steal(req, smb_req);
|
|
|
|
req->in.size = NBT_HDR_SIZE+SMB2_HDR_BODY+body_fixed_size;
|
|
req->in.allocated = req->in.size;
|
|
req->in.buffer = talloc_array(req, uint8_t, req->in.allocated);
|
|
if (!req->in.buffer) goto nomem;
|
|
req->in.hdr = req->in.buffer + NBT_HDR_SIZE;
|
|
req->in.body = req->in.hdr + SMB2_HDR_BODY;
|
|
req->in.body_size = body_fixed_size;
|
|
req->in.dynamic = NULL;
|
|
|
|
smb2srv_setup_bufinfo(req);
|
|
|
|
SIVAL(req->in.hdr, 0, SMB2_MAGIC);
|
|
SSVAL(req->in.hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
|
|
SSVAL(req->in.hdr, SMB2_HDR_EPOCH, 0);
|
|
SIVAL(req->in.hdr, SMB2_HDR_STATUS, 0);
|
|
SSVAL(req->in.hdr, SMB2_HDR_OPCODE, SMB2_OP_NEGPROT);
|
|
SSVAL(req->in.hdr, SMB2_HDR_CREDIT, 0);
|
|
SIVAL(req->in.hdr, SMB2_HDR_FLAGS, 0);
|
|
SIVAL(req->in.hdr, SMB2_HDR_NEXT_COMMAND, 0);
|
|
SBVAL(req->in.hdr, SMB2_HDR_MESSAGE_ID, 0);
|
|
SIVAL(req->in.hdr, SMB2_HDR_PID, 0);
|
|
SIVAL(req->in.hdr, SMB2_HDR_TID, 0);
|
|
SBVAL(req->in.hdr, SMB2_HDR_SESSION_ID, 0);
|
|
memset(req->in.hdr+SMB2_HDR_SIGNATURE, 0, 16);
|
|
|
|
/* this seems to be a bug, they use 0x24 but the length is 0x26 */
|
|
SSVAL(req->in.body, 0x00, 0x24);
|
|
|
|
SSVAL(req->in.body, 0x02, 1);
|
|
memset(req->in.body+0x04, 0, 32);
|
|
SSVAL(req->in.body, 0x24, SMB2_DIALECT_REVISION_202);
|
|
|
|
smb2srv_negprot_recv(req);
|
|
return;
|
|
nomem:
|
|
smbsrv_terminate_connection(smb_req->smb_conn, nt_errstr(NT_STATUS_NO_MEMORY));
|
|
talloc_free(req);
|
|
return;
|
|
}
|