2 Unix SMB/CIFS implementation.
3 Infrastructure for async SMB client requests
4 Copyright (C) Volker Lendecke 2008
5 Copyright (C) Stefan Metzmacher 2011
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "system/network.h"
23 #include "../lib/async_req/async_sock.h"
24 #include "../lib/util/tevent_ntstatus.h"
25 #include "../lib/util/tevent_unix.h"
26 #include "lib/util/util_net.h"
27 #include "lib/util/dlinklist.h"
28 #include "lib/util/iov_buf.h"
29 #include "../libcli/smb/smb_common.h"
30 #include "../libcli/smb/smb_seal.h"
31 #include "../libcli/smb/smb_signing.h"
32 #include "../libcli/smb/read_smb.h"
33 #include "smbXcli_base.h"
34 #include "librpc/ndr/libndr.h"
35 #include "libcli/smb/smb2_negotiate_context.h"
36 #include "lib/crypto/sha512.h"
37 #include "lib/crypto/aes.h"
38 #include "lib/crypto/aes_ccm_128.h"
39 #include "lib/crypto/aes_gcm_128.h"
43 struct smbXcli_session;
48 struct sockaddr_storage local_ss;
49 struct sockaddr_storage remote_ss;
50 const char *remote_name;
52 struct tevent_queue *outgoing;
53 struct tevent_req **pending;
54 struct tevent_req *read_smb_req;
55 struct tevent_req *suicide_req;
57 enum protocol_types min_protocol;
58 enum protocol_types max_protocol;
59 enum protocol_types protocol;
62 bool mandatory_signing;
65 * The incoming dispatch function should return:
66 * - NT_STATUS_RETRY, if more incoming PDUs are expected.
67 * - NT_STATUS_OK, if no more processing is desired, e.g.
68 * the dispatch function called
70 * - All other return values disconnect the connection.
72 NTSTATUS (*dispatch_incoming)(struct smbXcli_conn *conn,
78 uint32_t capabilities;
83 uint32_t capabilities;
86 uint16_t security_mode;
95 const char *workgroup;
101 uint32_t capabilities;
106 struct smb_signing_state *signing;
107 struct smb_trans_enc_state *trans_enc;
109 struct tevent_req *read_braw_req;
114 uint32_t capabilities;
115 uint16_t security_mode;
120 uint32_t capabilities;
121 uint16_t security_mode;
123 uint32_t max_trans_size;
124 uint32_t max_read_size;
125 uint32_t max_write_size;
133 uint16_t cur_credits;
134 uint16_t max_credits;
136 uint32_t cc_chunk_len;
137 uint32_t cc_max_chunks;
141 uint8_t preauth_sha512[64];
144 struct smbXcli_session *sessions;
147 struct smb2cli_session {
149 uint16_t session_flags;
150 DATA_BLOB application_key;
151 DATA_BLOB signing_key;
154 DATA_BLOB encryption_key;
155 DATA_BLOB decryption_key;
156 uint64_t nonce_high_random;
157 uint64_t nonce_high_max;
160 uint16_t channel_sequence;
164 struct smbXcli_session {
165 struct smbXcli_session *prev, *next;
166 struct smbXcli_conn *conn;
170 DATA_BLOB application_key;
174 struct smb2cli_session *smb2;
177 DATA_BLOB signing_key;
178 uint8_t preauth_sha512[64];
182 * this should be a short term hack
183 * until the upper layers have implemented
186 bool disconnect_expired;
189 struct smbXcli_tcon {
191 uint32_t fs_attributes;
195 uint16_t optional_support;
196 uint32_t maximal_access;
197 uint32_t guest_maximal_access;
206 uint32_t capabilities;
207 uint32_t maximal_access;
213 struct smbXcli_req_state {
214 struct tevent_context *ev;
215 struct smbXcli_conn *conn;
216 struct smbXcli_session *session; /* maybe NULL */
217 struct smbXcli_tcon *tcon; /* maybe NULL */
219 uint8_t length_hdr[4];
225 struct tevent_req *write_req;
228 /* Space for the header including the wct */
229 uint8_t hdr[HDR_VWV];
232 * For normal requests, smb1cli_req_send chooses a mid.
233 * SecondaryV trans requests need to use the mid of the primary
234 * request, so we need a place to store it.
235 * Assume it is set if != 0.
240 uint8_t bytecount_buf[2];
242 #define MAX_SMB_IOV 10
243 /* length_hdr, hdr, words, byte_count, buffers */
244 struct iovec iov[1 + 3 + MAX_SMB_IOV];
249 struct tevent_req **chained_requests;
252 NTSTATUS recv_status;
253 /* always an array of 3 talloc elements */
254 struct iovec *recv_iov;
258 const uint8_t *fixed;
263 uint8_t transform[SMB2_TF_HDR_SIZE];
264 uint8_t hdr[SMB2_HDR_BODY];
265 uint8_t pad[7]; /* padding space for compounding */
268 * always an array of 3 talloc elements
269 * (without a SMB2_TRANSFORM header!)
273 struct iovec *recv_iov;
276 * the expected max for the response dyn_len
278 uint32_t max_dyn_len;
280 uint16_t credit_charge;
284 uint64_t encryption_session_id;
286 bool signing_skipped;
289 uint16_t cancel_flags;
295 static int smbXcli_conn_destructor(struct smbXcli_conn *conn)
298 * NT_STATUS_OK, means we do not notify the callers
300 smbXcli_conn_disconnect(conn, NT_STATUS_OK);
302 while (conn->sessions) {
303 conn->sessions->conn = NULL;
304 DLIST_REMOVE(conn->sessions, conn->sessions);
307 if (conn->smb1.trans_enc) {
308 TALLOC_FREE(conn->smb1.trans_enc);
314 struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
316 const char *remote_name,
317 enum smb_signing_setting signing_state,
318 uint32_t smb1_capabilities,
319 struct GUID *client_guid,
320 uint32_t smb2_capabilities)
322 struct smbXcli_conn *conn = NULL;
324 struct sockaddr *sa = NULL;
328 conn = talloc_zero(mem_ctx, struct smbXcli_conn);
335 conn->remote_name = talloc_strdup(conn, remote_name);
336 if (conn->remote_name == NULL) {
340 ss = (void *)&conn->local_ss;
341 sa = (struct sockaddr *)ss;
342 sa_length = sizeof(conn->local_ss);
343 ret = getsockname(fd, sa, &sa_length);
347 ss = (void *)&conn->remote_ss;
348 sa = (struct sockaddr *)ss;
349 sa_length = sizeof(conn->remote_ss);
350 ret = getpeername(fd, sa, &sa_length);
355 conn->outgoing = tevent_queue_create(conn, "smbXcli_outgoing");
356 if (conn->outgoing == NULL) {
359 conn->pending = NULL;
361 conn->min_protocol = PROTOCOL_NONE;
362 conn->max_protocol = PROTOCOL_NONE;
363 conn->protocol = PROTOCOL_NONE;
365 switch (signing_state) {
366 case SMB_SIGNING_OFF:
368 conn->allow_signing = false;
369 conn->desire_signing = false;
370 conn->mandatory_signing = false;
372 case SMB_SIGNING_DEFAULT:
373 case SMB_SIGNING_IF_REQUIRED:
374 /* if the server requires it */
375 conn->allow_signing = true;
376 conn->desire_signing = false;
377 conn->mandatory_signing = false;
379 case SMB_SIGNING_DESIRED:
380 /* if the server desires it */
381 conn->allow_signing = true;
382 conn->desire_signing = true;
383 conn->mandatory_signing = false;
385 case SMB_SIGNING_REQUIRED:
387 conn->allow_signing = true;
388 conn->desire_signing = true;
389 conn->mandatory_signing = true;
393 conn->smb1.client.capabilities = smb1_capabilities;
394 conn->smb1.client.max_xmit = UINT16_MAX;
396 conn->smb1.capabilities = conn->smb1.client.capabilities;
397 conn->smb1.max_xmit = 1024;
401 /* initialise signing */
402 conn->smb1.signing = smb_signing_init(conn,
404 conn->desire_signing,
405 conn->mandatory_signing);
406 if (!conn->smb1.signing) {
410 conn->smb2.client.security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
411 if (conn->mandatory_signing) {
412 conn->smb2.client.security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
415 conn->smb2.client.guid = *client_guid;
417 conn->smb2.client.capabilities = smb2_capabilities;
419 conn->smb2.cur_credits = 1;
420 conn->smb2.max_credits = 0;
421 conn->smb2.io_priority = 1;
424 * Samba and Windows servers accept a maximum of 16 MiB with a maximum
425 * chunk length of 1 MiB.
427 conn->smb2.cc_chunk_len = 1024 * 1024;
428 conn->smb2.cc_max_chunks = 16;
430 talloc_set_destructor(conn, smbXcli_conn_destructor);
438 bool smbXcli_conn_is_connected(struct smbXcli_conn *conn)
444 if (conn->sock_fd == -1) {
451 enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn)
453 return conn->protocol;
456 bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
458 if (conn->protocol >= PROTOCOL_SMB2_02) {
462 if (conn->smb1.capabilities & CAP_UNICODE) {
469 void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
471 set_socket_options(conn->sock_fd, options);
474 const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn)
476 return &conn->local_ss;
479 const struct sockaddr_storage *smbXcli_conn_remote_sockaddr(struct smbXcli_conn *conn)
481 return &conn->remote_ss;
484 const char *smbXcli_conn_remote_name(struct smbXcli_conn *conn)
486 return conn->remote_name;
489 uint16_t smbXcli_conn_max_requests(struct smbXcli_conn *conn)
491 if (conn->protocol >= PROTOCOL_SMB2_02) {
498 return conn->smb1.server.max_mux;
501 NTTIME smbXcli_conn_server_system_time(struct smbXcli_conn *conn)
503 if (conn->protocol >= PROTOCOL_SMB2_02) {
504 return conn->smb2.server.system_time;
507 return conn->smb1.server.system_time;
510 const DATA_BLOB *smbXcli_conn_server_gss_blob(struct smbXcli_conn *conn)
512 if (conn->protocol >= PROTOCOL_SMB2_02) {
513 return &conn->smb2.server.gss_blob;
516 return &conn->smb1.server.gss_blob;
519 const struct GUID *smbXcli_conn_server_guid(struct smbXcli_conn *conn)
521 if (conn->protocol >= PROTOCOL_SMB2_02) {
522 return &conn->smb2.server.guid;
525 return &conn->smb1.server.guid;
528 struct smbXcli_conn_samba_suicide_state {
529 struct smbXcli_conn *conn;
532 struct tevent_req *write_req;
535 static void smbXcli_conn_samba_suicide_cleanup(struct tevent_req *req,
536 enum tevent_req_state req_state);
537 static void smbXcli_conn_samba_suicide_done(struct tevent_req *subreq);
539 struct tevent_req *smbXcli_conn_samba_suicide_send(TALLOC_CTX *mem_ctx,
540 struct tevent_context *ev,
541 struct smbXcli_conn *conn,
544 struct tevent_req *req, *subreq;
545 struct smbXcli_conn_samba_suicide_state *state;
547 req = tevent_req_create(mem_ctx, &state,
548 struct smbXcli_conn_samba_suicide_state);
553 SIVAL(state->buf, 4, 0x74697865);
554 SCVAL(state->buf, 8, exitcode);
555 _smb_setlen_nbt(state->buf, sizeof(state->buf)-4);
557 if (conn->suicide_req != NULL) {
558 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
559 return tevent_req_post(req, ev);
562 state->iov.iov_base = state->buf;
563 state->iov.iov_len = sizeof(state->buf);
565 subreq = writev_send(state, ev, conn->outgoing, conn->sock_fd,
566 false, &state->iov, 1);
567 if (tevent_req_nomem(subreq, req)) {
568 return tevent_req_post(req, ev);
570 tevent_req_set_callback(subreq, smbXcli_conn_samba_suicide_done, req);
571 state->write_req = subreq;
573 tevent_req_set_cleanup_fn(req, smbXcli_conn_samba_suicide_cleanup);
576 * We need to use tevent_req_defer_callback()
577 * in order to allow smbXcli_conn_disconnect()
578 * to do a safe cleanup.
580 tevent_req_defer_callback(req, ev);
581 conn->suicide_req = req;
586 static void smbXcli_conn_samba_suicide_cleanup(struct tevent_req *req,
587 enum tevent_req_state req_state)
589 struct smbXcli_conn_samba_suicide_state *state = tevent_req_data(
590 req, struct smbXcli_conn_samba_suicide_state);
592 TALLOC_FREE(state->write_req);
594 if (state->conn == NULL) {
598 if (state->conn->suicide_req == req) {
599 state->conn->suicide_req = NULL;
604 static void smbXcli_conn_samba_suicide_done(struct tevent_req *subreq)
606 struct tevent_req *req = tevent_req_callback_data(
607 subreq, struct tevent_req);
608 struct smbXcli_conn_samba_suicide_state *state = tevent_req_data(
609 req, struct smbXcli_conn_samba_suicide_state);
613 state->write_req = NULL;
615 nwritten = writev_recv(subreq, &err);
617 if (nwritten == -1) {
618 /* here, we need to notify all pending requests */
619 NTSTATUS status = map_nt_error_from_unix_common(err);
620 smbXcli_conn_disconnect(state->conn, status);
623 tevent_req_done(req);
626 NTSTATUS smbXcli_conn_samba_suicide_recv(struct tevent_req *req)
628 return tevent_req_simple_recv_ntstatus(req);
631 NTSTATUS smbXcli_conn_samba_suicide(struct smbXcli_conn *conn,
634 TALLOC_CTX *frame = talloc_stackframe();
635 struct tevent_context *ev;
636 struct tevent_req *req;
637 NTSTATUS status = NT_STATUS_NO_MEMORY;
640 if (smbXcli_conn_has_async_calls(conn)) {
642 * Can't use sync call while an async call is in flight
644 status = NT_STATUS_INVALID_PARAMETER_MIX;
647 ev = samba_tevent_context_init(frame);
651 req = smbXcli_conn_samba_suicide_send(frame, ev, conn, exitcode);
655 ok = tevent_req_poll_ntstatus(req, ev, &status);
659 status = smbXcli_conn_samba_suicide_recv(req);
665 uint32_t smb1cli_conn_capabilities(struct smbXcli_conn *conn)
667 return conn->smb1.capabilities;
670 uint32_t smb1cli_conn_max_xmit(struct smbXcli_conn *conn)
672 return conn->smb1.max_xmit;
675 bool smb1cli_conn_req_possible(struct smbXcli_conn *conn)
677 size_t pending = talloc_array_length(conn->pending);
678 uint16_t possible = conn->smb1.server.max_mux;
680 if (pending >= possible) {
687 uint32_t smb1cli_conn_server_session_key(struct smbXcli_conn *conn)
689 return conn->smb1.server.session_key;
692 const uint8_t *smb1cli_conn_server_challenge(struct smbXcli_conn *conn)
694 return conn->smb1.server.challenge;
697 uint16_t smb1cli_conn_server_security_mode(struct smbXcli_conn *conn)
699 return conn->smb1.server.security_mode;
702 bool smb1cli_conn_server_readbraw(struct smbXcli_conn *conn)
704 return conn->smb1.server.readbraw;
707 bool smb1cli_conn_server_writebraw(struct smbXcli_conn *conn)
709 return conn->smb1.server.writebraw;
712 bool smb1cli_conn_server_lockread(struct smbXcli_conn *conn)
714 return conn->smb1.server.lockread;
717 bool smb1cli_conn_server_writeunlock(struct smbXcli_conn *conn)
719 return conn->smb1.server.writeunlock;
722 int smb1cli_conn_server_time_zone(struct smbXcli_conn *conn)
724 return conn->smb1.server.time_zone;
727 bool smb1cli_conn_activate_signing(struct smbXcli_conn *conn,
728 const DATA_BLOB user_session_key,
729 const DATA_BLOB response)
731 return smb_signing_activate(conn->smb1.signing,
736 bool smb1cli_conn_check_signing(struct smbXcli_conn *conn,
737 const uint8_t *buf, uint32_t seqnum)
739 const uint8_t *hdr = buf + NBT_HDR_SIZE;
740 size_t len = smb_len_nbt(buf);
742 return smb_signing_check_pdu(conn->smb1.signing, hdr, len, seqnum);
745 bool smb1cli_conn_signing_is_active(struct smbXcli_conn *conn)
747 return smb_signing_is_active(conn->smb1.signing);
750 void smb1cli_conn_set_encryption(struct smbXcli_conn *conn,
751 struct smb_trans_enc_state *es)
753 /* Replace the old state, if any. */
754 if (conn->smb1.trans_enc) {
755 TALLOC_FREE(conn->smb1.trans_enc);
757 conn->smb1.trans_enc = es;
760 bool smb1cli_conn_encryption_on(struct smbXcli_conn *conn)
762 return common_encryption_on(conn->smb1.trans_enc);
766 static NTSTATUS smb1cli_pull_raw_error(const uint8_t *hdr)
768 uint32_t flags2 = SVAL(hdr, HDR_FLG2);
769 NTSTATUS status = NT_STATUS(IVAL(hdr, HDR_RCLS));
771 if (NT_STATUS_IS_OK(status)) {
775 if (flags2 & FLAGS2_32_BIT_ERROR_CODES) {
779 return NT_STATUS_DOS(CVAL(hdr, HDR_RCLS), SVAL(hdr, HDR_ERR));
783 * Is the SMB command able to hold an AND_X successor
784 * @param[in] cmd The SMB command in question
785 * @retval Can we add a chained request after "cmd"?
787 bool smb1cli_is_andx_req(uint8_t cmd)
807 static uint16_t smb1cli_alloc_mid(struct smbXcli_conn *conn)
809 size_t num_pending = talloc_array_length(conn->pending);
812 if (conn->protocol == PROTOCOL_NONE) {
814 * This is what windows sends on the SMB1 Negprot request
815 * and some vendors reuse the SMB1 MID as SMB2 sequence number.
823 result = conn->smb1.mid++;
824 if ((result == 0) || (result == 0xffff)) {
828 for (i=0; i<num_pending; i++) {
829 if (result == smb1cli_req_mid(conn->pending[i])) {
834 if (i == num_pending) {
840 void smbXcli_req_unset_pending(struct tevent_req *req)
842 struct smbXcli_req_state *state =
844 struct smbXcli_req_state);
845 struct smbXcli_conn *conn = state->conn;
846 size_t num_pending = talloc_array_length(conn->pending);
849 TALLOC_FREE(state->write_req);
851 if (state->smb1.mid != 0) {
853 * This is a [nt]trans[2] request which waits
854 * for more than one reply.
859 tevent_req_set_cleanup_fn(req, NULL);
861 if (num_pending == 1) {
863 * The pending read_smb tevent_req is a child of
864 * conn->pending. So if nothing is pending anymore, we need to
865 * delete the socket read fde.
867 TALLOC_FREE(conn->pending);
868 conn->read_smb_req = NULL;
872 for (i=0; i<num_pending; i++) {
873 if (req == conn->pending[i]) {
877 if (i == num_pending) {
879 * Something's seriously broken. Just returning here is the
880 * right thing nevertheless, the point of this routine is to
881 * remove ourselves from conn->pending.
887 * Remove ourselves from the conn->pending array
889 for (; i < (num_pending - 1); i++) {
890 conn->pending[i] = conn->pending[i+1];
894 * No NULL check here, we're shrinking by sizeof(void *), and
895 * talloc_realloc just adjusts the size for this.
897 conn->pending = talloc_realloc(NULL, conn->pending, struct tevent_req *,
902 static void smbXcli_req_cleanup(struct tevent_req *req,
903 enum tevent_req_state req_state)
905 struct smbXcli_req_state *state =
907 struct smbXcli_req_state);
909 TALLOC_FREE(state->write_req);
912 case TEVENT_REQ_RECEIVED:
914 * Make sure we really remove it from
915 * the pending array on destruction.
918 smbXcli_req_unset_pending(req);
925 static bool smb1cli_req_cancel(struct tevent_req *req);
926 static bool smb2cli_req_cancel(struct tevent_req *req);
928 static bool smbXcli_req_cancel(struct tevent_req *req)
930 struct smbXcli_req_state *state =
932 struct smbXcli_req_state);
934 if (!smbXcli_conn_is_connected(state->conn)) {
938 if (state->conn->protocol == PROTOCOL_NONE) {
942 if (state->conn->protocol >= PROTOCOL_SMB2_02) {
943 return smb2cli_req_cancel(req);
946 return smb1cli_req_cancel(req);
949 static bool smbXcli_conn_receive_next(struct smbXcli_conn *conn);
951 bool smbXcli_req_set_pending(struct tevent_req *req)
953 struct smbXcli_req_state *state =
955 struct smbXcli_req_state);
956 struct smbXcli_conn *conn;
957 struct tevent_req **pending;
962 if (!smbXcli_conn_is_connected(conn)) {
966 num_pending = talloc_array_length(conn->pending);
968 pending = talloc_realloc(conn, conn->pending, struct tevent_req *,
970 if (pending == NULL) {
973 pending[num_pending] = req;
974 conn->pending = pending;
975 tevent_req_set_cleanup_fn(req, smbXcli_req_cleanup);
976 tevent_req_set_cancel_fn(req, smbXcli_req_cancel);
978 if (!smbXcli_conn_receive_next(conn)) {
980 * the caller should notify the current request
982 * And all other pending requests get notified
983 * by smbXcli_conn_disconnect().
985 smbXcli_req_unset_pending(req);
986 smbXcli_conn_disconnect(conn, NT_STATUS_NO_MEMORY);
993 static void smbXcli_conn_received(struct tevent_req *subreq);
995 static bool smbXcli_conn_receive_next(struct smbXcli_conn *conn)
997 size_t num_pending = talloc_array_length(conn->pending);
998 struct tevent_req *req;
999 struct smbXcli_req_state *state;
1001 if (conn->read_smb_req != NULL) {
1005 if (num_pending == 0) {
1006 if (conn->smb2.mid < UINT64_MAX) {
1007 /* no more pending requests, so we are done for now */
1012 * If there are no more SMB2 requests possible,
1013 * because we are out of message ids,
1014 * we need to disconnect.
1016 smbXcli_conn_disconnect(conn, NT_STATUS_CONNECTION_ABORTED);
1020 req = conn->pending[0];
1021 state = tevent_req_data(req, struct smbXcli_req_state);
1024 * We're the first ones, add the read_smb request that waits for the
1025 * answer from the server
1027 conn->read_smb_req = read_smb_send(conn->pending,
1030 if (conn->read_smb_req == NULL) {
1033 tevent_req_set_callback(conn->read_smb_req, smbXcli_conn_received, conn);
1037 void smbXcli_conn_disconnect(struct smbXcli_conn *conn, NTSTATUS status)
1039 struct smbXcli_session *session;
1040 int sock_fd = conn->sock_fd;
1042 tevent_queue_stop(conn->outgoing);
1046 session = conn->sessions;
1047 if (talloc_array_length(conn->pending) == 0) {
1049 * if we do not have pending requests
1050 * there is no need to update the channel_sequence
1054 for (; session; session = session->next) {
1055 smb2cli_session_increment_channel_sequence(session);
1058 if (conn->suicide_req != NULL) {
1060 * smbXcli_conn_samba_suicide_send()
1061 * used tevent_req_defer_callback() already.
1063 if (!NT_STATUS_IS_OK(status)) {
1064 tevent_req_nterror(conn->suicide_req, status);
1066 conn->suicide_req = NULL;
1070 * Cancel all pending requests. We do not do a for-loop walking
1071 * conn->pending because that array changes in
1072 * smbXcli_req_unset_pending.
1074 while (talloc_array_length(conn->pending) > 0) {
1075 struct tevent_req *req;
1076 struct smbXcli_req_state *state;
1077 struct tevent_req **chain;
1081 req = conn->pending[0];
1082 state = tevent_req_data(req, struct smbXcli_req_state);
1084 if (state->smb1.chained_requests == NULL) {
1086 * We're dead. No point waiting for trans2
1089 state->smb1.mid = 0;
1091 smbXcli_req_unset_pending(req);
1093 if (NT_STATUS_IS_OK(status)) {
1094 /* do not notify the callers */
1099 * we need to defer the callback, because we may notify
1100 * more then one caller.
1102 tevent_req_defer_callback(req, state->ev);
1103 tevent_req_nterror(req, status);
1107 chain = talloc_move(conn, &state->smb1.chained_requests);
1108 num_chained = talloc_array_length(chain);
1110 for (i=0; i<num_chained; i++) {
1112 state = tevent_req_data(req, struct smbXcli_req_state);
1115 * We're dead. No point waiting for trans2
1118 state->smb1.mid = 0;
1120 smbXcli_req_unset_pending(req);
1122 if (NT_STATUS_IS_OK(status)) {
1123 /* do not notify the callers */
1128 * we need to defer the callback, because we may notify
1129 * more than one caller.
1131 tevent_req_defer_callback(req, state->ev);
1132 tevent_req_nterror(req, status);
1137 if (sock_fd != -1) {
1143 * Fetch a smb request's mid. Only valid after the request has been sent by
1144 * smb1cli_req_send().
1146 uint16_t smb1cli_req_mid(struct tevent_req *req)
1148 struct smbXcli_req_state *state =
1149 tevent_req_data(req,
1150 struct smbXcli_req_state);
1152 if (state->smb1.mid != 0) {
1153 return state->smb1.mid;
1156 return SVAL(state->smb1.hdr, HDR_MID);
1159 void smb1cli_req_set_mid(struct tevent_req *req, uint16_t mid)
1161 struct smbXcli_req_state *state =
1162 tevent_req_data(req,
1163 struct smbXcli_req_state);
1165 state->smb1.mid = mid;
1168 uint32_t smb1cli_req_seqnum(struct tevent_req *req)
1170 struct smbXcli_req_state *state =
1171 tevent_req_data(req,
1172 struct smbXcli_req_state);
1174 return state->smb1.seqnum;
1177 void smb1cli_req_set_seqnum(struct tevent_req *req, uint32_t seqnum)
1179 struct smbXcli_req_state *state =
1180 tevent_req_data(req,
1181 struct smbXcli_req_state);
1183 state->smb1.seqnum = seqnum;
1186 static size_t smbXcli_iov_len(const struct iovec *iov, int count)
1188 ssize_t ret = iov_buflen(iov, count);
1190 /* Ignore the overflow case for now ... */
1194 static uint8_t *smbXcli_iov_concat(TALLOC_CTX *mem_ctx,
1195 const struct iovec *iov,
1201 buflen = iov_buflen(iov, count);
1206 buf = talloc_array(mem_ctx, uint8_t, buflen);
1211 iov_buf(iov, count, buf, buflen);
1216 static void smb1cli_req_flags(enum protocol_types protocol,
1217 uint32_t smb1_capabilities,
1218 uint8_t smb_command,
1219 uint8_t additional_flags,
1220 uint8_t clear_flags,
1222 uint16_t additional_flags2,
1223 uint16_t clear_flags2,
1227 uint16_t flags2 = 0;
1229 if (protocol >= PROTOCOL_LANMAN1) {
1230 flags |= FLAG_CASELESS_PATHNAMES;
1231 flags |= FLAG_CANONICAL_PATHNAMES;
1234 if (protocol >= PROTOCOL_LANMAN2) {
1235 flags2 |= FLAGS2_LONG_PATH_COMPONENTS;
1236 flags2 |= FLAGS2_EXTENDED_ATTRIBUTES;
1239 if (protocol >= PROTOCOL_NT1) {
1240 flags2 |= FLAGS2_IS_LONG_NAME;
1242 if (smb1_capabilities & CAP_UNICODE) {
1243 flags2 |= FLAGS2_UNICODE_STRINGS;
1245 if (smb1_capabilities & CAP_STATUS32) {
1246 flags2 |= FLAGS2_32_BIT_ERROR_CODES;
1248 if (smb1_capabilities & CAP_EXTENDED_SECURITY) {
1249 flags2 |= FLAGS2_EXTENDED_SECURITY;
1253 flags |= additional_flags;
1254 flags &= ~clear_flags;
1255 flags2 |= additional_flags2;
1256 flags2 &= ~clear_flags2;
1262 static void smb1cli_req_cancel_done(struct tevent_req *subreq);
1264 static bool smb1cli_req_cancel(struct tevent_req *req)
1266 struct smbXcli_req_state *state =
1267 tevent_req_data(req,
1268 struct smbXcli_req_state);
1273 struct tevent_req *subreq;
1276 flags = CVAL(state->smb1.hdr, HDR_FLG);
1277 flags2 = SVAL(state->smb1.hdr, HDR_FLG2);
1278 pid = SVAL(state->smb1.hdr, HDR_PID);
1279 pid |= SVAL(state->smb1.hdr, HDR_PIDHIGH)<<16;
1280 mid = SVAL(state->smb1.hdr, HDR_MID);
1282 subreq = smb1cli_req_create(state, state->ev,
1292 0, NULL); /* bytes */
1293 if (subreq == NULL) {
1296 smb1cli_req_set_mid(subreq, mid);
1298 status = smb1cli_req_chain_submit(&subreq, 1);
1299 if (!NT_STATUS_IS_OK(status)) {
1300 TALLOC_FREE(subreq);
1303 smb1cli_req_set_mid(subreq, 0);
1305 tevent_req_set_callback(subreq, smb1cli_req_cancel_done, NULL);
1310 static void smb1cli_req_cancel_done(struct tevent_req *subreq)
1312 /* we do not care about the result */
1313 TALLOC_FREE(subreq);
1316 struct tevent_req *smb1cli_req_create(TALLOC_CTX *mem_ctx,
1317 struct tevent_context *ev,
1318 struct smbXcli_conn *conn,
1319 uint8_t smb_command,
1320 uint8_t additional_flags,
1321 uint8_t clear_flags,
1322 uint16_t additional_flags2,
1323 uint16_t clear_flags2,
1324 uint32_t timeout_msec,
1326 struct smbXcli_tcon *tcon,
1327 struct smbXcli_session *session,
1328 uint8_t wct, uint16_t *vwv,
1330 struct iovec *bytes_iov)
1332 struct tevent_req *req;
1333 struct smbXcli_req_state *state;
1335 uint16_t flags2 = 0;
1340 if (iov_count > MAX_SMB_IOV) {
1342 * Should not happen :-)
1347 req = tevent_req_create(mem_ctx, &state,
1348 struct smbXcli_req_state);
1354 state->session = session;
1358 uid = session->smb1.session_id;
1362 tid = tcon->smb1.tcon_id;
1364 if (tcon->fs_attributes & FILE_CASE_SENSITIVE_SEARCH) {
1365 clear_flags |= FLAG_CASELESS_PATHNAMES;
1367 /* Default setting, case insensitive. */
1368 additional_flags |= FLAG_CASELESS_PATHNAMES;
1371 if (smbXcli_conn_dfs_supported(conn) &&
1372 smbXcli_tcon_is_dfs_share(tcon))
1374 additional_flags2 |= FLAGS2_DFS_PATHNAMES;
1378 state->smb1.recv_cmd = 0xFF;
1379 state->smb1.recv_status = NT_STATUS_INTERNAL_ERROR;
1380 state->smb1.recv_iov = talloc_zero_array(state, struct iovec, 3);
1381 if (state->smb1.recv_iov == NULL) {
1386 smb1cli_req_flags(conn->protocol,
1387 conn->smb1.capabilities,
1396 SIVAL(state->smb1.hdr, 0, SMB_MAGIC);
1397 SCVAL(state->smb1.hdr, HDR_COM, smb_command);
1398 SIVAL(state->smb1.hdr, HDR_RCLS, NT_STATUS_V(NT_STATUS_OK));
1399 SCVAL(state->smb1.hdr, HDR_FLG, flags);
1400 SSVAL(state->smb1.hdr, HDR_FLG2, flags2);
1401 SSVAL(state->smb1.hdr, HDR_PIDHIGH, pid >> 16);
1402 SSVAL(state->smb1.hdr, HDR_TID, tid);
1403 SSVAL(state->smb1.hdr, HDR_PID, pid);
1404 SSVAL(state->smb1.hdr, HDR_UID, uid);
1405 SSVAL(state->smb1.hdr, HDR_MID, 0); /* this comes later */
1406 SCVAL(state->smb1.hdr, HDR_WCT, wct);
1408 state->smb1.vwv = vwv;
1410 num_bytes = iov_buflen(bytes_iov, iov_count);
1411 if (num_bytes == -1) {
1413 * I'd love to add a check for num_bytes<=UINT16_MAX here, but
1414 * the smbclient->samba connections can lie and transfer more.
1420 SSVAL(state->smb1.bytecount_buf, 0, num_bytes);
1422 state->smb1.iov[0].iov_base = (void *)state->length_hdr;
1423 state->smb1.iov[0].iov_len = sizeof(state->length_hdr);
1424 state->smb1.iov[1].iov_base = (void *)state->smb1.hdr;
1425 state->smb1.iov[1].iov_len = sizeof(state->smb1.hdr);
1426 state->smb1.iov[2].iov_base = (void *)state->smb1.vwv;
1427 state->smb1.iov[2].iov_len = wct * sizeof(uint16_t);
1428 state->smb1.iov[3].iov_base = (void *)state->smb1.bytecount_buf;
1429 state->smb1.iov[3].iov_len = sizeof(uint16_t);
1431 if (iov_count != 0) {
1432 memcpy(&state->smb1.iov[4], bytes_iov,
1433 iov_count * sizeof(*bytes_iov));
1435 state->smb1.iov_count = iov_count + 4;
1437 if (timeout_msec > 0) {
1438 struct timeval endtime;
1440 endtime = timeval_current_ofs_msec(timeout_msec);
1441 if (!tevent_req_set_endtime(req, ev, endtime)) {
1446 switch (smb_command) {
1450 state->one_way = true;
1453 state->one_way = true;
1454 state->smb1.one_way_seqnum = true;
1458 (CVAL(vwv+3, 0) == LOCKING_ANDX_OPLOCK_RELEASE)) {
1459 state->one_way = true;
1467 static NTSTATUS smb1cli_conn_signv(struct smbXcli_conn *conn,
1468 struct iovec *iov, int iov_count,
1470 bool one_way_seqnum)
1472 TALLOC_CTX *frame = NULL;
1476 * Obvious optimization: Make cli_calculate_sign_mac work with struct
1477 * iovec directly. MD5Update would do that just fine.
1480 if (iov_count < 4) {
1481 return NT_STATUS_INVALID_PARAMETER_MIX;
1483 if (iov[0].iov_len != NBT_HDR_SIZE) {
1484 return NT_STATUS_INVALID_PARAMETER_MIX;
1486 if (iov[1].iov_len != (MIN_SMB_SIZE-sizeof(uint16_t))) {
1487 return NT_STATUS_INVALID_PARAMETER_MIX;
1489 if (iov[2].iov_len > (0xFF * sizeof(uint16_t))) {
1490 return NT_STATUS_INVALID_PARAMETER_MIX;
1492 if (iov[3].iov_len != sizeof(uint16_t)) {
1493 return NT_STATUS_INVALID_PARAMETER_MIX;
1496 frame = talloc_stackframe();
1498 buf = smbXcli_iov_concat(frame, &iov[1], iov_count - 1);
1500 return NT_STATUS_NO_MEMORY;
1503 *seqnum = smb_signing_next_seqnum(conn->smb1.signing,
1505 smb_signing_sign_pdu(conn->smb1.signing,
1506 buf, talloc_get_size(buf),
1508 memcpy(iov[1].iov_base, buf, iov[1].iov_len);
1511 return NT_STATUS_OK;
1514 static void smb1cli_req_writev_done(struct tevent_req *subreq);
1515 static NTSTATUS smb1cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
1516 TALLOC_CTX *tmp_mem,
1519 static NTSTATUS smb1cli_req_writev_submit(struct tevent_req *req,
1520 struct smbXcli_req_state *state,
1521 struct iovec *iov, int iov_count)
1523 struct tevent_req *subreq;
1529 if (!smbXcli_conn_is_connected(state->conn)) {
1530 return NT_STATUS_CONNECTION_DISCONNECTED;
1533 if (state->conn->protocol > PROTOCOL_NT1) {
1534 return NT_STATUS_REVISION_MISMATCH;
1537 if (iov_count < 4) {
1538 return NT_STATUS_INVALID_PARAMETER_MIX;
1540 if (iov[0].iov_len != NBT_HDR_SIZE) {
1541 return NT_STATUS_INVALID_PARAMETER_MIX;
1543 if (iov[1].iov_len != (MIN_SMB_SIZE-sizeof(uint16_t))) {
1544 return NT_STATUS_INVALID_PARAMETER_MIX;
1546 if (iov[2].iov_len > (0xFF * sizeof(uint16_t))) {
1547 return NT_STATUS_INVALID_PARAMETER_MIX;
1549 if (iov[3].iov_len != sizeof(uint16_t)) {
1550 return NT_STATUS_INVALID_PARAMETER_MIX;
1553 cmd = CVAL(iov[1].iov_base, HDR_COM);
1554 if (cmd == SMBreadBraw) {
1555 if (smbXcli_conn_has_async_calls(state->conn)) {
1556 return NT_STATUS_INVALID_PARAMETER_MIX;
1558 state->conn->smb1.read_braw_req = req;
1561 if (state->smb1.mid != 0) {
1562 mid = state->smb1.mid;
1564 mid = smb1cli_alloc_mid(state->conn);
1566 SSVAL(iov[1].iov_base, HDR_MID, mid);
1568 nbtlen = iov_buflen(&iov[1], iov_count-1);
1569 if ((nbtlen == -1) || (nbtlen > 0x1FFFF)) {
1570 return NT_STATUS_INVALID_PARAMETER_MIX;
1573 _smb_setlen_nbt(iov[0].iov_base, nbtlen);
1575 status = smb1cli_conn_signv(state->conn, iov, iov_count,
1576 &state->smb1.seqnum,
1577 state->smb1.one_way_seqnum);
1579 if (!NT_STATUS_IS_OK(status)) {
1584 * If we supported multiple encrytion contexts
1585 * here we'd look up based on tid.
1587 if (common_encryption_on(state->conn->smb1.trans_enc)) {
1588 char *buf, *enc_buf;
1590 buf = (char *)smbXcli_iov_concat(talloc_tos(), iov, iov_count);
1592 return NT_STATUS_NO_MEMORY;
1594 status = common_encrypt_buffer(state->conn->smb1.trans_enc,
1595 (char *)buf, &enc_buf);
1597 if (!NT_STATUS_IS_OK(status)) {
1598 DEBUG(0, ("Error in encrypting client message: %s\n",
1599 nt_errstr(status)));
1602 buf = (char *)talloc_memdup(state, enc_buf,
1603 smb_len_nbt(enc_buf)+4);
1606 return NT_STATUS_NO_MEMORY;
1608 iov[0].iov_base = (void *)buf;
1609 iov[0].iov_len = talloc_get_size(buf);
1613 if (state->conn->dispatch_incoming == NULL) {
1614 state->conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
1617 if (!smbXcli_req_set_pending(req)) {
1618 return NT_STATUS_NO_MEMORY;
1621 tevent_req_set_cancel_fn(req, smbXcli_req_cancel);
1623 subreq = writev_send(state, state->ev, state->conn->outgoing,
1624 state->conn->sock_fd, false, iov, iov_count);
1625 if (subreq == NULL) {
1626 return NT_STATUS_NO_MEMORY;
1628 tevent_req_set_callback(subreq, smb1cli_req_writev_done, req);
1629 state->write_req = subreq;
1631 return NT_STATUS_OK;
1634 struct tevent_req *smb1cli_req_send(TALLOC_CTX *mem_ctx,
1635 struct tevent_context *ev,
1636 struct smbXcli_conn *conn,
1637 uint8_t smb_command,
1638 uint8_t additional_flags,
1639 uint8_t clear_flags,
1640 uint16_t additional_flags2,
1641 uint16_t clear_flags2,
1642 uint32_t timeout_msec,
1644 struct smbXcli_tcon *tcon,
1645 struct smbXcli_session *session,
1646 uint8_t wct, uint16_t *vwv,
1648 const uint8_t *bytes)
1650 struct tevent_req *req;
1654 iov.iov_base = discard_const_p(void, bytes);
1655 iov.iov_len = num_bytes;
1657 req = smb1cli_req_create(mem_ctx, ev, conn, smb_command,
1658 additional_flags, clear_flags,
1659 additional_flags2, clear_flags2,
1666 if (!tevent_req_is_in_progress(req)) {
1667 return tevent_req_post(req, ev);
1669 status = smb1cli_req_chain_submit(&req, 1);
1670 if (tevent_req_nterror(req, status)) {
1671 return tevent_req_post(req, ev);
1676 static void smb1cli_req_writev_done(struct tevent_req *subreq)
1678 struct tevent_req *req =
1679 tevent_req_callback_data(subreq,
1681 struct smbXcli_req_state *state =
1682 tevent_req_data(req,
1683 struct smbXcli_req_state);
1687 state->write_req = NULL;
1689 nwritten = writev_recv(subreq, &err);
1690 TALLOC_FREE(subreq);
1691 if (nwritten == -1) {
1692 /* here, we need to notify all pending requests */
1693 NTSTATUS status = map_nt_error_from_unix_common(err);
1694 smbXcli_conn_disconnect(state->conn, status);
1698 if (state->one_way) {
1699 state->inbuf = NULL;
1700 tevent_req_done(req);
1705 static void smbXcli_conn_received(struct tevent_req *subreq)
1707 struct smbXcli_conn *conn =
1708 tevent_req_callback_data(subreq,
1709 struct smbXcli_conn);
1710 TALLOC_CTX *frame = talloc_stackframe();
1716 if (subreq != conn->read_smb_req) {
1717 DEBUG(1, ("Internal error: cli_smb_received called with "
1718 "unexpected subreq\n"));
1719 smbXcli_conn_disconnect(conn, NT_STATUS_INTERNAL_ERROR);
1723 conn->read_smb_req = NULL;
1725 received = read_smb_recv(subreq, frame, &inbuf, &err);
1726 TALLOC_FREE(subreq);
1727 if (received == -1) {
1728 status = map_nt_error_from_unix_common(err);
1729 smbXcli_conn_disconnect(conn, status);
1734 status = conn->dispatch_incoming(conn, frame, inbuf);
1736 if (NT_STATUS_IS_OK(status)) {
1738 * We should not do any more processing
1739 * as the dispatch function called
1740 * tevent_req_done().
1745 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
1747 * We got an error, so notify all pending requests
1749 smbXcli_conn_disconnect(conn, status);
1754 * We got NT_STATUS_RETRY, so we may ask for a
1755 * next incoming pdu.
1757 if (!smbXcli_conn_receive_next(conn)) {
1758 smbXcli_conn_disconnect(conn, NT_STATUS_NO_MEMORY);
1762 static NTSTATUS smb1cli_inbuf_parse_chain(uint8_t *buf, TALLOC_CTX *mem_ctx,
1763 struct iovec **piov, int *pnum_iov)
1774 size_t min_size = MIN_SMB_SIZE;
1776 buflen = smb_len_tcp(buf);
1779 hdr = buf + NBT_HDR_SIZE;
1781 status = smb1cli_pull_raw_error(hdr);
1782 if (NT_STATUS_IS_ERR(status)) {
1784 * This is an ugly hack to support OS/2
1785 * which skips the byte_count in the DATA block
1786 * on some error responses.
1790 min_size -= sizeof(uint16_t);
1793 if (buflen < min_size) {
1794 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1798 * This returns iovec elements in the following order:
1813 iov = talloc_array(mem_ctx, struct iovec, num_iov);
1815 return NT_STATUS_NO_MEMORY;
1817 iov[0].iov_base = hdr;
1818 iov[0].iov_len = HDR_WCT;
1821 cmd = CVAL(hdr, HDR_COM);
1825 size_t len = buflen - taken;
1827 struct iovec *iov_tmp;
1834 * we need at least WCT
1836 needed = sizeof(uint8_t);
1838 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1839 __location__, (int)len, (int)needed));
1844 * Now we check if the specified words are there
1846 wct = CVAL(hdr, wct_ofs);
1847 needed += wct * sizeof(uint16_t);
1849 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1850 __location__, (int)len, (int)needed));
1854 if ((num_iov == 1) &&
1856 NT_STATUS_IS_ERR(status))
1859 * This is an ugly hack to support OS/2
1860 * which skips the byte_count in the DATA block
1861 * on some error responses.
1865 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
1867 if (iov_tmp == NULL) {
1869 return NT_STATUS_NO_MEMORY;
1872 cur = &iov[num_iov];
1876 cur[0].iov_base = hdr + (wct_ofs + sizeof(uint8_t));
1878 cur[1].iov_base = cur[0].iov_base;
1885 * we need at least BCC
1887 needed += sizeof(uint16_t);
1889 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1890 __location__, (int)len, (int)needed));
1895 * Now we check if the specified bytes are there
1897 bcc_ofs = wct_ofs + sizeof(uint8_t) + wct * sizeof(uint16_t);
1898 bcc = SVAL(hdr, bcc_ofs);
1899 needed += bcc * sizeof(uint8_t);
1901 DEBUG(10, ("%s: %d bytes left, expected at least %d\n",
1902 __location__, (int)len, (int)needed));
1907 * we allocate 2 iovec structures for words and bytes
1909 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
1911 if (iov_tmp == NULL) {
1913 return NT_STATUS_NO_MEMORY;
1916 cur = &iov[num_iov];
1919 cur[0].iov_len = wct * sizeof(uint16_t);
1920 cur[0].iov_base = hdr + (wct_ofs + sizeof(uint8_t));
1921 cur[1].iov_len = bcc * sizeof(uint8_t);
1922 cur[1].iov_base = hdr + (bcc_ofs + sizeof(uint16_t));
1926 if (!smb1cli_is_andx_req(cmd)) {
1928 * If the current command does not have AndX chanining
1934 if (wct == 0 && bcc == 0) {
1936 * An empty response also ends the chain,
1937 * most likely with an error.
1943 DEBUG(10, ("%s: wct[%d] < 2 for cmd[0x%02X]\n",
1944 __location__, (int)wct, (int)cmd));
1947 cmd = CVAL(cur[0].iov_base, 0);
1950 * If it is the end of the chain we are also done.
1954 wct_ofs = SVAL(cur[0].iov_base, 2);
1956 if (wct_ofs < taken) {
1957 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1959 if (wct_ofs > buflen) {
1960 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1964 * we consumed everything up to the start of the next
1970 remaining = buflen - taken;
1972 if (remaining > 0 && num_iov >= 3) {
1974 * The last DATA block gets the remaining
1975 * bytes, this is needed to support
1976 * CAP_LARGE_WRITEX and CAP_LARGE_READX.
1978 iov[num_iov-1].iov_len += remaining;
1982 *pnum_iov = num_iov;
1983 return NT_STATUS_OK;
1987 return NT_STATUS_INVALID_NETWORK_RESPONSE;
1990 static NTSTATUS smb1cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
1991 TALLOC_CTX *tmp_mem,
1994 struct tevent_req *req;
1995 struct smbXcli_req_state *state;
2002 uint8_t *inhdr = inbuf + NBT_HDR_SIZE;
2003 size_t len = smb_len_tcp(inbuf);
2004 struct iovec *iov = NULL;
2006 struct tevent_req **chain = NULL;
2007 size_t num_chained = 0;
2008 size_t num_responses = 0;
2010 if (conn->smb1.read_braw_req != NULL) {
2011 req = conn->smb1.read_braw_req;
2012 conn->smb1.read_braw_req = NULL;
2013 state = tevent_req_data(req, struct smbXcli_req_state);
2015 smbXcli_req_unset_pending(req);
2017 if (state->smb1.recv_iov == NULL) {
2019 * For requests with more than
2020 * one response, we have to readd the
2023 state->smb1.recv_iov = talloc_zero_array(state,
2026 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2027 return NT_STATUS_OK;
2031 state->smb1.recv_iov[0].iov_base = (void *)(inhdr);
2032 state->smb1.recv_iov[0].iov_len = len;
2033 ZERO_STRUCT(state->smb1.recv_iov[1]);
2034 ZERO_STRUCT(state->smb1.recv_iov[2]);
2036 state->smb1.recv_cmd = SMBreadBraw;
2037 state->smb1.recv_status = NT_STATUS_OK;
2038 state->inbuf = talloc_move(state->smb1.recv_iov, &inbuf);
2040 tevent_req_done(req);
2041 return NT_STATUS_OK;
2044 if ((IVAL(inhdr, 0) != SMB_MAGIC) /* 0xFF"SMB" */
2045 && (SVAL(inhdr, 0) != 0x45ff)) /* 0xFF"E" */ {
2046 DEBUG(10, ("Got non-SMB PDU\n"));
2047 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2051 * If we supported multiple encrytion contexts
2052 * here we'd look up based on tid.
2054 if (common_encryption_on(conn->smb1.trans_enc)
2055 && (CVAL(inbuf, 0) == 0)) {
2056 uint16_t enc_ctx_num;
2058 status = get_enc_ctx_num(inbuf, &enc_ctx_num);
2059 if (!NT_STATUS_IS_OK(status)) {
2060 DEBUG(10, ("get_enc_ctx_num returned %s\n",
2061 nt_errstr(status)));
2065 if (enc_ctx_num != conn->smb1.trans_enc->enc_ctx_num) {
2066 DEBUG(10, ("wrong enc_ctx %d, expected %d\n",
2068 conn->smb1.trans_enc->enc_ctx_num));
2069 return NT_STATUS_INVALID_HANDLE;
2072 status = common_decrypt_buffer(conn->smb1.trans_enc,
2074 if (!NT_STATUS_IS_OK(status)) {
2075 DEBUG(10, ("common_decrypt_buffer returned %s\n",
2076 nt_errstr(status)));
2079 inhdr = inbuf + NBT_HDR_SIZE;
2080 len = smb_len_nbt(inbuf);
2083 mid = SVAL(inhdr, HDR_MID);
2084 num_pending = talloc_array_length(conn->pending);
2086 for (i=0; i<num_pending; i++) {
2087 if (mid == smb1cli_req_mid(conn->pending[i])) {
2091 if (i == num_pending) {
2092 /* Dump unexpected reply */
2093 return NT_STATUS_RETRY;
2096 oplock_break = false;
2098 if (mid == 0xffff) {
2100 * Paranoia checks that this is really an oplock break request.
2102 oplock_break = (len == 51); /* hdr + 8 words */
2103 oplock_break &= ((CVAL(inhdr, HDR_FLG) & FLAG_REPLY) == 0);
2104 oplock_break &= (CVAL(inhdr, HDR_COM) == SMBlockingX);
2105 oplock_break &= (SVAL(inhdr, HDR_VWV+VWV(6)) == 0);
2106 oplock_break &= (SVAL(inhdr, HDR_VWV+VWV(7)) == 0);
2108 if (!oplock_break) {
2109 /* Dump unexpected reply */
2110 return NT_STATUS_RETRY;
2114 req = conn->pending[i];
2115 state = tevent_req_data(req, struct smbXcli_req_state);
2117 if (!oplock_break /* oplock breaks are not signed */
2118 && !smb_signing_check_pdu(conn->smb1.signing,
2119 inhdr, len, state->smb1.seqnum+1)) {
2120 DEBUG(10, ("cli_check_sign_mac failed\n"));
2121 return NT_STATUS_ACCESS_DENIED;
2124 status = smb1cli_inbuf_parse_chain(inbuf, tmp_mem,
2126 if (!NT_STATUS_IS_OK(status)) {
2127 DEBUG(10,("smb1cli_inbuf_parse_chain - %s\n",
2128 nt_errstr(status)));
2132 cmd = CVAL(inhdr, HDR_COM);
2133 status = smb1cli_pull_raw_error(inhdr);
2135 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
2136 (state->session != NULL) && state->session->disconnect_expired)
2139 * this should be a short term hack
2140 * until the upper layers have implemented
2141 * re-authentication.
2146 if (state->smb1.chained_requests == NULL) {
2148 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2151 smbXcli_req_unset_pending(req);
2153 if (state->smb1.recv_iov == NULL) {
2155 * For requests with more than
2156 * one response, we have to readd the
2159 state->smb1.recv_iov = talloc_zero_array(state,
2162 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2163 return NT_STATUS_OK;
2167 state->smb1.recv_cmd = cmd;
2168 state->smb1.recv_status = status;
2169 state->inbuf = talloc_move(state->smb1.recv_iov, &inbuf);
2171 state->smb1.recv_iov[0] = iov[0];
2172 state->smb1.recv_iov[1] = iov[1];
2173 state->smb1.recv_iov[2] = iov[2];
2175 if (talloc_array_length(conn->pending) == 0) {
2176 tevent_req_done(req);
2177 return NT_STATUS_OK;
2180 tevent_req_defer_callback(req, state->ev);
2181 tevent_req_done(req);
2182 return NT_STATUS_RETRY;
2185 chain = talloc_move(tmp_mem, &state->smb1.chained_requests);
2186 num_chained = talloc_array_length(chain);
2187 num_responses = (num_iov - 1)/2;
2189 if (num_responses > num_chained) {
2190 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2193 for (i=0; i<num_chained; i++) {
2194 size_t iov_idx = 1 + (i*2);
2195 struct iovec *cur = &iov[iov_idx];
2199 state = tevent_req_data(req, struct smbXcli_req_state);
2201 smbXcli_req_unset_pending(req);
2204 * as we finish multiple requests here
2205 * we need to defer the callbacks as
2206 * they could destroy our current stack state.
2208 tevent_req_defer_callback(req, state->ev);
2210 if (i >= num_responses) {
2211 tevent_req_nterror(req, NT_STATUS_REQUEST_ABORTED);
2215 if (state->smb1.recv_iov == NULL) {
2217 * For requests with more than
2218 * one response, we have to readd the
2221 state->smb1.recv_iov = talloc_zero_array(state,
2224 if (tevent_req_nomem(state->smb1.recv_iov, req)) {
2229 state->smb1.recv_cmd = cmd;
2231 if (i == (num_responses - 1)) {
2233 * The last request in the chain gets the status
2235 state->smb1.recv_status = status;
2237 cmd = CVAL(cur[0].iov_base, 0);
2238 state->smb1.recv_status = NT_STATUS_OK;
2241 state->inbuf = inbuf;
2244 * Note: here we use talloc_reference() in a way
2245 * that does not expose it to the caller.
2247 inbuf_ref = talloc_reference(state->smb1.recv_iov, inbuf);
2248 if (tevent_req_nomem(inbuf_ref, req)) {
2252 /* copy the related buffers */
2253 state->smb1.recv_iov[0] = iov[0];
2254 state->smb1.recv_iov[1] = cur[0];
2255 state->smb1.recv_iov[2] = cur[1];
2257 tevent_req_done(req);
2260 return NT_STATUS_RETRY;
2263 NTSTATUS smb1cli_req_recv(struct tevent_req *req,
2264 TALLOC_CTX *mem_ctx,
2265 struct iovec **piov,
2269 uint32_t *pvwv_offset,
2270 uint32_t *pnum_bytes,
2272 uint32_t *pbytes_offset,
2274 const struct smb1cli_req_expected_response *expected,
2275 size_t num_expected)
2277 struct smbXcli_req_state *state =
2278 tevent_req_data(req,
2279 struct smbXcli_req_state);
2280 NTSTATUS status = NT_STATUS_OK;
2281 struct iovec *recv_iov = NULL;
2282 uint8_t *hdr = NULL;
2284 uint32_t vwv_offset = 0;
2285 uint16_t *vwv = NULL;
2286 uint32_t num_bytes = 0;
2287 uint32_t bytes_offset = 0;
2288 uint8_t *bytes = NULL;
2290 bool found_status = false;
2291 bool found_size = false;
2305 if (pvwv_offset != NULL) {
2308 if (pnum_bytes != NULL) {
2311 if (pbytes != NULL) {
2314 if (pbytes_offset != NULL) {
2317 if (pinbuf != NULL) {
2321 if (state->inbuf != NULL) {
2322 recv_iov = state->smb1.recv_iov;
2323 state->smb1.recv_iov = NULL;
2324 if (state->smb1.recv_cmd != SMBreadBraw) {
2325 hdr = (uint8_t *)recv_iov[0].iov_base;
2326 wct = recv_iov[1].iov_len/2;
2327 vwv = (uint16_t *)recv_iov[1].iov_base;
2328 vwv_offset = PTR_DIFF(vwv, hdr);
2329 num_bytes = recv_iov[2].iov_len;
2330 bytes = (uint8_t *)recv_iov[2].iov_base;
2331 bytes_offset = PTR_DIFF(bytes, hdr);
2335 if (tevent_req_is_nterror(req, &status)) {
2336 for (i=0; i < num_expected; i++) {
2337 if (NT_STATUS_EQUAL(status, expected[i].status)) {
2338 found_status = true;
2344 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
2350 if (num_expected == 0) {
2351 found_status = true;
2355 status = state->smb1.recv_status;
2357 for (i=0; i < num_expected; i++) {
2358 if (!NT_STATUS_EQUAL(status, expected[i].status)) {
2362 found_status = true;
2363 if (expected[i].wct == 0) {
2368 if (expected[i].wct == wct) {
2374 if (!found_status) {
2379 return NT_STATUS_INVALID_NETWORK_RESPONSE;
2383 *piov = talloc_move(mem_ctx, &recv_iov);
2395 if (pvwv_offset != NULL) {
2396 *pvwv_offset = vwv_offset;
2398 if (pnum_bytes != NULL) {
2399 *pnum_bytes = num_bytes;
2401 if (pbytes != NULL) {
2404 if (pbytes_offset != NULL) {
2405 *pbytes_offset = bytes_offset;
2407 if (pinbuf != NULL) {
2408 *pinbuf = state->inbuf;
2414 size_t smb1cli_req_wct_ofs(struct tevent_req **reqs, int num_reqs)
2421 for (i=0; i<num_reqs; i++) {
2422 struct smbXcli_req_state *state;
2423 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2424 wct_ofs += smbXcli_iov_len(state->smb1.iov+2,
2425 state->smb1.iov_count-2);
2426 wct_ofs = (wct_ofs + 3) & ~3;
2431 NTSTATUS smb1cli_req_chain_submit(struct tevent_req **reqs, int num_reqs)
2433 struct smbXcli_req_state *first_state =
2434 tevent_req_data(reqs[0],
2435 struct smbXcli_req_state);
2436 struct smbXcli_req_state *state;
2438 size_t chain_padding = 0;
2440 struct iovec *iov = NULL;
2441 struct iovec *this_iov;
2445 if (num_reqs == 1) {
2446 return smb1cli_req_writev_submit(reqs[0], first_state,
2447 first_state->smb1.iov,
2448 first_state->smb1.iov_count);
2452 for (i=0; i<num_reqs; i++) {
2453 if (!tevent_req_is_in_progress(reqs[i])) {
2454 return NT_STATUS_INTERNAL_ERROR;
2457 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2459 if (state->smb1.iov_count < 4) {
2460 return NT_STATUS_INVALID_PARAMETER_MIX;
2465 * The NBT and SMB header
2478 iovlen += state->smb1.iov_count - 2;
2481 iov = talloc_zero_array(first_state, struct iovec, iovlen);
2483 return NT_STATUS_NO_MEMORY;
2486 first_state->smb1.chained_requests = (struct tevent_req **)talloc_memdup(
2487 first_state, reqs, sizeof(*reqs) * num_reqs);
2488 if (first_state->smb1.chained_requests == NULL) {
2490 return NT_STATUS_NO_MEMORY;
2493 wct_offset = HDR_WCT;
2496 for (i=0; i<num_reqs; i++) {
2497 size_t next_padding = 0;
2500 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2502 if (i < num_reqs-1) {
2503 if (!smb1cli_is_andx_req(CVAL(state->smb1.hdr, HDR_COM))
2504 || CVAL(state->smb1.hdr, HDR_WCT) < 2) {
2506 TALLOC_FREE(first_state->smb1.chained_requests);
2507 return NT_STATUS_INVALID_PARAMETER_MIX;
2511 wct_offset += smbXcli_iov_len(state->smb1.iov+2,
2512 state->smb1.iov_count-2) + 1;
2513 if ((wct_offset % 4) != 0) {
2514 next_padding = 4 - (wct_offset % 4);
2516 wct_offset += next_padding;
2517 vwv = state->smb1.vwv;
2519 if (i < num_reqs-1) {
2520 struct smbXcli_req_state *next_state =
2521 tevent_req_data(reqs[i+1],
2522 struct smbXcli_req_state);
2523 SCVAL(vwv+0, 0, CVAL(next_state->smb1.hdr, HDR_COM));
2525 SSVAL(vwv+1, 0, wct_offset);
2526 } else if (smb1cli_is_andx_req(CVAL(state->smb1.hdr, HDR_COM))) {
2527 /* properly end the chain */
2528 SCVAL(vwv+0, 0, 0xff);
2529 SCVAL(vwv+0, 1, 0xff);
2535 * The NBT and SMB header
2537 this_iov[0] = state->smb1.iov[0];
2538 this_iov[1] = state->smb1.iov[1];
2542 * This one is a bit subtle. We have to add
2543 * chain_padding bytes between the requests, and we
2544 * have to also include the wct field of the
2545 * subsequent requests. We use the subsequent header
2546 * for the padding, it contains the wct field in its
2549 this_iov[0].iov_len = chain_padding+1;
2550 this_iov[0].iov_base = (void *)&state->smb1.hdr[
2551 sizeof(state->smb1.hdr) - this_iov[0].iov_len];
2552 memset(this_iov[0].iov_base, 0, this_iov[0].iov_len-1);
2557 * copy the words and bytes
2559 memcpy(this_iov, state->smb1.iov+2,
2560 sizeof(struct iovec) * (state->smb1.iov_count-2));
2561 this_iov += state->smb1.iov_count - 2;
2562 chain_padding = next_padding;
2565 nbt_len = iov_buflen(&iov[1], iovlen-1);
2566 if ((nbt_len == -1) || (nbt_len > first_state->conn->smb1.max_xmit)) {
2568 TALLOC_FREE(first_state->smb1.chained_requests);
2569 return NT_STATUS_INVALID_PARAMETER_MIX;
2572 status = smb1cli_req_writev_submit(reqs[0], first_state, iov, iovlen);
2573 if (!NT_STATUS_IS_OK(status)) {
2575 TALLOC_FREE(first_state->smb1.chained_requests);
2579 return NT_STATUS_OK;
2582 bool smbXcli_conn_has_async_calls(struct smbXcli_conn *conn)
2584 return ((tevent_queue_length(conn->outgoing) != 0)
2585 || (talloc_array_length(conn->pending) != 0));
2588 bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn)
2590 if (conn->protocol >= PROTOCOL_SMB2_02) {
2591 return (smb2cli_conn_server_capabilities(conn) & SMB2_CAP_DFS);
2594 return (smb1cli_conn_capabilities(conn) & CAP_DFS);
2597 bool smb2cli_conn_req_possible(struct smbXcli_conn *conn, uint32_t *max_dyn_len)
2599 uint16_t credits = 1;
2601 if (conn->smb2.cur_credits == 0) {
2602 if (max_dyn_len != NULL) {
2608 if (conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
2609 credits = conn->smb2.cur_credits;
2612 if (max_dyn_len != NULL) {
2613 *max_dyn_len = credits * 65536;
2619 uint32_t smb2cli_conn_server_capabilities(struct smbXcli_conn *conn)
2621 return conn->smb2.server.capabilities;
2624 uint16_t smb2cli_conn_server_security_mode(struct smbXcli_conn *conn)
2626 return conn->smb2.server.security_mode;
2629 uint32_t smb2cli_conn_max_trans_size(struct smbXcli_conn *conn)
2631 return conn->smb2.server.max_trans_size;
2634 uint32_t smb2cli_conn_max_read_size(struct smbXcli_conn *conn)
2636 return conn->smb2.server.max_read_size;
2639 uint32_t smb2cli_conn_max_write_size(struct smbXcli_conn *conn)
2641 return conn->smb2.server.max_write_size;
2644 void smb2cli_conn_set_max_credits(struct smbXcli_conn *conn,
2645 uint16_t max_credits)
2647 conn->smb2.max_credits = max_credits;
2650 uint8_t smb2cli_conn_get_io_priority(struct smbXcli_conn *conn)
2652 if (conn->protocol < PROTOCOL_SMB3_11) {
2656 return conn->smb2.io_priority;
2659 void smb2cli_conn_set_io_priority(struct smbXcli_conn *conn,
2660 uint8_t io_priority)
2662 conn->smb2.io_priority = io_priority;
2665 uint32_t smb2cli_conn_cc_chunk_len(struct smbXcli_conn *conn)
2667 return conn->smb2.cc_chunk_len;
2670 void smb2cli_conn_set_cc_chunk_len(struct smbXcli_conn *conn,
2673 conn->smb2.cc_chunk_len = chunk_len;
2676 uint32_t smb2cli_conn_cc_max_chunks(struct smbXcli_conn *conn)
2678 return conn->smb2.cc_max_chunks;
2681 void smb2cli_conn_set_cc_max_chunks(struct smbXcli_conn *conn,
2682 uint32_t max_chunks)
2684 conn->smb2.cc_max_chunks = max_chunks;
2687 static void smb2cli_req_cancel_done(struct tevent_req *subreq);
2689 static bool smb2cli_req_cancel(struct tevent_req *req)
2691 struct smbXcli_req_state *state =
2692 tevent_req_data(req,
2693 struct smbXcli_req_state);
2694 struct smbXcli_tcon *tcon = state->tcon;
2695 struct smbXcli_session *session = state->session;
2696 uint8_t *fixed = state->smb2.pad;
2697 uint16_t fixed_len = 4;
2698 struct tevent_req *subreq;
2699 struct smbXcli_req_state *substate;
2702 SSVAL(fixed, 0, 0x04);
2705 subreq = smb2cli_req_create(state, state->ev,
2713 if (subreq == NULL) {
2716 substate = tevent_req_data(subreq, struct smbXcli_req_state);
2718 SIVAL(substate->smb2.hdr, SMB2_HDR_FLAGS, state->smb2.cancel_flags);
2719 SBVAL(substate->smb2.hdr, SMB2_HDR_MESSAGE_ID, state->smb2.cancel_mid);
2720 SBVAL(substate->smb2.hdr, SMB2_HDR_ASYNC_ID, state->smb2.cancel_aid);
2722 status = smb2cli_req_compound_submit(&subreq, 1);
2723 if (!NT_STATUS_IS_OK(status)) {
2724 TALLOC_FREE(subreq);
2728 tevent_req_set_callback(subreq, smb2cli_req_cancel_done, NULL);
2733 static void smb2cli_req_cancel_done(struct tevent_req *subreq)
2735 /* we do not care about the result */
2736 TALLOC_FREE(subreq);
2739 struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
2740 struct tevent_context *ev,
2741 struct smbXcli_conn *conn,
2743 uint32_t additional_flags,
2744 uint32_t clear_flags,
2745 uint32_t timeout_msec,
2746 struct smbXcli_tcon *tcon,
2747 struct smbXcli_session *session,
2748 const uint8_t *fixed,
2752 uint32_t max_dyn_len)
2754 struct tevent_req *req;
2755 struct smbXcli_req_state *state;
2759 bool use_channel_sequence = false;
2760 uint16_t channel_sequence = 0;
2761 bool use_replay_flag = false;
2763 req = tevent_req_create(mem_ctx, &state,
2764 struct smbXcli_req_state);
2771 state->session = session;
2774 if (conn->smb2.server.capabilities & SMB2_CAP_PERSISTENT_HANDLES) {
2775 use_channel_sequence = true;
2776 } else if (conn->smb2.server.capabilities & SMB2_CAP_MULTI_CHANNEL) {
2777 use_channel_sequence = true;
2780 if (smbXcli_conn_protocol(conn) >= PROTOCOL_SMB3_00) {
2781 use_replay_flag = true;
2784 if (smbXcli_conn_protocol(conn) >= PROTOCOL_SMB3_11) {
2785 flags |= SMB2_PRIORITY_VALUE_TO_MASK(conn->smb2.io_priority);
2789 uid = session->smb2->session_id;
2791 if (use_channel_sequence) {
2792 channel_sequence = session->smb2->channel_sequence;
2795 if (use_replay_flag && session->smb2->replay_active) {
2796 additional_flags |= SMB2_HDR_FLAG_REPLAY_OPERATION;
2799 state->smb2.should_sign = session->smb2->should_sign;
2800 state->smb2.should_encrypt = session->smb2->should_encrypt;
2802 if (cmd == SMB2_OP_SESSSETUP &&
2803 session->smb2_channel.signing_key.length == 0 &&
2804 session->smb2->signing_key.length != 0)
2807 * a session bind needs to be signed
2809 state->smb2.should_sign = true;
2812 if (cmd == SMB2_OP_SESSSETUP &&
2813 session->smb2_channel.signing_key.length == 0) {
2814 state->smb2.should_encrypt = false;
2817 if (additional_flags & SMB2_HDR_FLAG_SIGNED) {
2818 if (session->smb2_channel.signing_key.length == 0) {
2819 tevent_req_nterror(req, NT_STATUS_NO_USER_SESSION_KEY);
2823 additional_flags &= ~SMB2_HDR_FLAG_SIGNED;
2824 state->smb2.should_sign = true;
2829 tid = tcon->smb2.tcon_id;
2831 if (tcon->smb2.should_sign) {
2832 state->smb2.should_sign = true;
2834 if (tcon->smb2.should_encrypt) {
2835 state->smb2.should_encrypt = true;
2839 if (state->smb2.should_encrypt) {
2840 state->smb2.should_sign = false;
2843 state->smb2.recv_iov = talloc_zero_array(state, struct iovec, 3);
2844 if (state->smb2.recv_iov == NULL) {
2849 flags |= additional_flags;
2850 flags &= ~clear_flags;
2852 state->smb2.fixed = fixed;
2853 state->smb2.fixed_len = fixed_len;
2854 state->smb2.dyn = dyn;
2855 state->smb2.dyn_len = dyn_len;
2856 state->smb2.max_dyn_len = max_dyn_len;
2858 if (state->smb2.should_encrypt) {
2859 SIVAL(state->smb2.transform, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
2860 SBVAL(state->smb2.transform, SMB2_TF_SESSION_ID, uid);
2863 SIVAL(state->smb2.hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
2864 SSVAL(state->smb2.hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
2865 SSVAL(state->smb2.hdr, SMB2_HDR_OPCODE, cmd);
2866 SSVAL(state->smb2.hdr, SMB2_HDR_CHANNEL_SEQUENCE, channel_sequence);
2867 SIVAL(state->smb2.hdr, SMB2_HDR_FLAGS, flags);
2868 SIVAL(state->smb2.hdr, SMB2_HDR_PID, 0); /* reserved */
2869 SIVAL(state->smb2.hdr, SMB2_HDR_TID, tid);
2870 SBVAL(state->smb2.hdr, SMB2_HDR_SESSION_ID, uid);
2873 case SMB2_OP_CANCEL:
2874 state->one_way = true;
2878 * If this is a dummy request, it will have
2879 * UINT64_MAX as message id.
2880 * If we send on break acknowledgement,
2881 * this gets overwritten later.
2883 SBVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID, UINT64_MAX);
2887 if (timeout_msec > 0) {
2888 struct timeval endtime;
2890 endtime = timeval_current_ofs_msec(timeout_msec);
2891 if (!tevent_req_set_endtime(req, ev, endtime)) {
2899 void smb2cli_req_set_notify_async(struct tevent_req *req)
2901 struct smbXcli_req_state *state =
2902 tevent_req_data(req,
2903 struct smbXcli_req_state);
2905 state->smb2.notify_async = true;
2908 static void smb2cli_req_writev_done(struct tevent_req *subreq);
2909 static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
2910 TALLOC_CTX *tmp_mem,
2913 NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs,
2916 struct smbXcli_req_state *state;
2917 struct tevent_req *subreq;
2919 int i, num_iov, nbt_len;
2921 const DATA_BLOB *encryption_key = NULL;
2922 uint64_t encryption_session_id = 0;
2923 uint64_t nonce_high = UINT64_MAX;
2924 uint64_t nonce_low = UINT64_MAX;
2927 * 1 for the nbt length, optional TRANSFORM
2928 * per request: HDR, fixed, dyn, padding
2929 * -1 because the last one does not need padding
2932 iov = talloc_array(reqs[0], struct iovec, 1 + 1 + 4*num_reqs - 1);
2934 return NT_STATUS_NO_MEMORY;
2941 * the session of the first request that requires encryption
2942 * specifies the encryption key.
2944 for (i=0; i<num_reqs; i++) {
2945 if (!tevent_req_is_in_progress(reqs[i])) {
2946 return NT_STATUS_INTERNAL_ERROR;
2949 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
2951 if (!smbXcli_conn_is_connected(state->conn)) {
2952 return NT_STATUS_CONNECTION_DISCONNECTED;
2955 if ((state->conn->protocol != PROTOCOL_NONE) &&
2956 (state->conn->protocol < PROTOCOL_SMB2_02)) {
2957 return NT_STATUS_REVISION_MISMATCH;
2960 if (state->session == NULL) {
2964 if (!state->smb2.should_encrypt) {
2968 encryption_key = &state->session->smb2->encryption_key;
2969 if (encryption_key->length == 0) {
2970 return NT_STATUS_INVALID_PARAMETER_MIX;
2973 encryption_session_id = state->session->smb2->session_id;
2975 state->session->smb2->nonce_low += 1;
2976 if (state->session->smb2->nonce_low == 0) {
2977 state->session->smb2->nonce_high += 1;
2978 state->session->smb2->nonce_low += 1;
2982 * CCM and GCM algorithms must never have their
2983 * nonce wrap, or the security of the whole
2984 * communication and the keys is destroyed.
2985 * We must drop the connection once we have
2986 * transfered too much data.
2988 * NOTE: We assume nonces greater than 8 bytes.
2990 if (state->session->smb2->nonce_high >=
2991 state->session->smb2->nonce_high_max)
2993 return NT_STATUS_ENCRYPTION_FAILED;
2996 nonce_high = state->session->smb2->nonce_high_random;
2997 nonce_high += state->session->smb2->nonce_high;
2998 nonce_low = state->session->smb2->nonce_low;
3001 iov[num_iov].iov_base = state->smb2.transform;
3002 iov[num_iov].iov_len = sizeof(state->smb2.transform);
3005 SBVAL(state->smb2.transform, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
3006 SBVAL(state->smb2.transform, SMB2_TF_NONCE,
3008 SBVAL(state->smb2.transform, SMB2_TF_NONCE+8,
3010 SBVAL(state->smb2.transform, SMB2_TF_SESSION_ID,
3011 encryption_session_id);
3013 nbt_len += SMB2_TF_HDR_SIZE;
3017 for (i=0; i<num_reqs; i++) {
3026 const DATA_BLOB *signing_key = NULL;
3028 if (!tevent_req_is_in_progress(reqs[i])) {
3029 return NT_STATUS_INTERNAL_ERROR;
3032 state = tevent_req_data(reqs[i], struct smbXcli_req_state);
3034 if (!smbXcli_conn_is_connected(state->conn)) {
3035 return NT_STATUS_CONNECTION_DISCONNECTED;
3038 if ((state->conn->protocol != PROTOCOL_NONE) &&
3039 (state->conn->protocol < PROTOCOL_SMB2_02)) {
3040 return NT_STATUS_REVISION_MISMATCH;
3043 opcode = SVAL(state->smb2.hdr, SMB2_HDR_OPCODE);
3044 if (opcode == SMB2_OP_CANCEL) {
3048 avail = UINT64_MAX - state->conn->smb2.mid;
3050 return NT_STATUS_CONNECTION_ABORTED;
3053 if (state->conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
3054 uint32_t max_dyn_len = 1;
3056 max_dyn_len = MAX(max_dyn_len, state->smb2.dyn_len);
3057 max_dyn_len = MAX(max_dyn_len, state->smb2.max_dyn_len);
3059 charge = (max_dyn_len - 1)/ 65536 + 1;
3064 charge = MAX(state->smb2.credit_charge, charge);
3066 avail = MIN(avail, state->conn->smb2.cur_credits);
3067 if (avail < charge) {
3068 return NT_STATUS_INTERNAL_ERROR;
3072 if (state->conn->smb2.max_credits > state->conn->smb2.cur_credits) {
3073 credits = state->conn->smb2.max_credits -
3074 state->conn->smb2.cur_credits;
3076 if (state->conn->smb2.max_credits >= state->conn->smb2.cur_credits) {
3080 mid = state->conn->smb2.mid;
3081 state->conn->smb2.mid += charge;
3082 state->conn->smb2.cur_credits -= charge;
3084 if (state->conn->smb2.server.capabilities & SMB2_CAP_LARGE_MTU) {
3085 SSVAL(state->smb2.hdr, SMB2_HDR_CREDIT_CHARGE, charge);
3087 SSVAL(state->smb2.hdr, SMB2_HDR_CREDIT, credits);
3088 SBVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID, mid);
3090 state->smb2.cancel_flags = 0;
3091 state->smb2.cancel_mid = mid;
3092 state->smb2.cancel_aid = 0;
3095 if (state->session && encryption_key == NULL) {
3097 * We prefer the channel signing key if it is
3100 if (state->smb2.should_sign) {
3101 signing_key = &state->session->smb2_channel.signing_key;
3105 * If it is a channel binding, we already have the main
3106 * signing key and try that one.
3108 if (signing_key && signing_key->length == 0) {
3109 signing_key = &state->session->smb2->signing_key;
3113 * If we do not have any session key yet, we skip the
3114 * signing of SMB2_OP_SESSSETUP requests.
3116 if (signing_key && signing_key->length == 0) {
3122 iov[num_iov].iov_base = state->smb2.hdr;
3123 iov[num_iov].iov_len = sizeof(state->smb2.hdr);
3126 iov[num_iov].iov_base = discard_const(state->smb2.fixed);
3127 iov[num_iov].iov_len = state->smb2.fixed_len;
3130 if (state->smb2.dyn != NULL) {
3131 iov[num_iov].iov_base = discard_const(state->smb2.dyn);
3132 iov[num_iov].iov_len = state->smb2.dyn_len;
3136 reqlen = sizeof(state->smb2.hdr);
3137 reqlen += state->smb2.fixed_len;
3138 reqlen += state->smb2.dyn_len;
3140 if (i < num_reqs-1) {
3141 if ((reqlen % 8) > 0) {
3142 uint8_t pad = 8 - (reqlen % 8);
3143 iov[num_iov].iov_base = state->smb2.pad;
3144 iov[num_iov].iov_len = pad;
3148 SIVAL(state->smb2.hdr, SMB2_HDR_NEXT_COMMAND, reqlen);
3151 state->smb2.encryption_session_id = encryption_session_id;
3153 if (signing_key != NULL) {
3156 status = smb2_signing_sign_pdu(*signing_key,
3157 state->session->conn->protocol,
3158 &iov[hdr_iov], num_iov - hdr_iov);
3159 if (!NT_STATUS_IS_OK(status)) {
3166 ret = smbXcli_req_set_pending(reqs[i]);
3168 return NT_STATUS_NO_MEMORY;
3172 state = tevent_req_data(reqs[0], struct smbXcli_req_state);
3173 _smb_setlen_tcp(state->length_hdr, nbt_len);
3174 iov[0].iov_base = state->length_hdr;
3175 iov[0].iov_len = sizeof(state->length_hdr);
3177 if (encryption_key != NULL) {
3179 size_t buflen = nbt_len - SMB2_TF_HDR_SIZE;
3183 buf = talloc_array(iov, uint8_t, buflen);
3185 return NT_STATUS_NO_MEMORY;
3189 * We copy the buffers before encrypting them,
3190 * this is at least currently needed for the
3191 * to keep state->smb2.hdr.
3193 * Also the callers may expect there buffers
3196 for (vi = tf_iov + 1; vi < num_iov; vi++) {
3197 struct iovec *v = &iov[vi];
3198 const uint8_t *o = (const uint8_t *)v->iov_base;
3200 memcpy(buf, o, v->iov_len);
3201 v->iov_base = (void *)buf;
3205 status = smb2_signing_encrypt_pdu(*encryption_key,
3206 state->conn->smb2.server.cipher,
3207 &iov[tf_iov], num_iov - tf_iov);
3208 if (!NT_STATUS_IS_OK(status)) {
3213 if (state->conn->dispatch_incoming == NULL) {
3214 state->conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
3217 subreq = writev_send(state, state->ev, state->conn->outgoing,
3218 state->conn->sock_fd, false, iov, num_iov);
3219 if (subreq == NULL) {
3220 return NT_STATUS_NO_MEMORY;
3222 tevent_req_set_callback(subreq, smb2cli_req_writev_done, reqs[0]);
3223 state->write_req = subreq;
3225 return NT_STATUS_OK;
3228 void smb2cli_req_set_credit_charge(struct tevent_req *req, uint16_t charge)
3230 struct smbXcli_req_state *state =
3231 tevent_req_data(req,
3232 struct smbXcli_req_state);
3234 state->smb2.credit_charge = charge;
3237 struct tevent_req *smb2cli_req_send(TALLOC_CTX *mem_ctx,
3238 struct tevent_context *ev,
3239 struct smbXcli_conn *conn,
3241 uint32_t additional_flags,
3242 uint32_t clear_flags,
3243 uint32_t timeout_msec,
3244 struct smbXcli_tcon *tcon,
3245 struct smbXcli_session *session,
3246 const uint8_t *fixed,
3250 uint32_t max_dyn_len)
3252 struct tevent_req *req;
3255 req = smb2cli_req_create(mem_ctx, ev, conn, cmd,
3256 additional_flags, clear_flags,
3265 if (!tevent_req_is_in_progress(req)) {
3266 return tevent_req_post(req, ev);
3268 status = smb2cli_req_compound_submit(&req, 1);
3269 if (tevent_req_nterror(req, status)) {
3270 return tevent_req_post(req, ev);
3275 static void smb2cli_req_writev_done(struct tevent_req *subreq)
3277 struct tevent_req *req =
3278 tevent_req_callback_data(subreq,
3280 struct smbXcli_req_state *state =
3281 tevent_req_data(req,
3282 struct smbXcli_req_state);
3286 state->write_req = NULL;
3288 nwritten = writev_recv(subreq, &err);
3289 TALLOC_FREE(subreq);
3290 if (nwritten == -1) {
3291 /* here, we need to notify all pending requests */
3292 NTSTATUS status = map_nt_error_from_unix_common(err);
3293 smbXcli_conn_disconnect(state->conn, status);
3298 static struct smbXcli_session* smbXcli_session_by_uid(struct smbXcli_conn *conn,
3301 struct smbXcli_session *s = conn->sessions;
3303 for (; s; s = s->next) {
3304 if (s->smb2->session_id != uid) {
3313 static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
3316 TALLOC_CTX *mem_ctx,
3317 struct iovec **piov, int *pnum_iov)
3322 uint8_t *first_hdr = buf;
3323 size_t verified_buflen = 0;
3327 iov = talloc_array(mem_ctx, struct iovec, num_iov);
3329 return NT_STATUS_NO_MEMORY;
3332 while (taken < buflen) {
3333 size_t len = buflen - taken;
3334 uint8_t *hdr = first_hdr + taken;
3337 size_t next_command_ofs;
3339 struct iovec *iov_tmp;
3341 if (verified_buflen > taken) {
3342 len = verified_buflen - taken;
3349 DEBUG(10, ("%d bytes left, expected at least %d\n",
3353 if (IVAL(hdr, 0) == SMB2_TF_MAGIC) {
3354 struct smbXcli_session *s;
3356 struct iovec tf_iov[2];
3360 if (len < SMB2_TF_HDR_SIZE) {
3361 DEBUG(10, ("%d bytes left, expected at least %d\n",
3362 (int)len, SMB2_TF_HDR_SIZE));
3366 tf_len = SMB2_TF_HDR_SIZE;
3369 hdr = first_hdr + taken;
3370 enc_len = IVAL(tf, SMB2_TF_MSG_SIZE);
3371 uid = BVAL(tf, SMB2_TF_SESSION_ID);
3373 if (len < SMB2_TF_HDR_SIZE + enc_len) {
3374 DEBUG(10, ("%d bytes left, expected at least %d\n",
3376 (int)(SMB2_TF_HDR_SIZE + enc_len)));
3380 s = smbXcli_session_by_uid(conn, uid);
3382 DEBUG(10, ("unknown session_id %llu\n",
3383 (unsigned long long)uid));
3387 tf_iov[0].iov_base = (void *)tf;
3388 tf_iov[0].iov_len = tf_len;
3389 tf_iov[1].iov_base = (void *)hdr;
3390 tf_iov[1].iov_len = enc_len;
3392 status = smb2_signing_decrypt_pdu(s->smb2->decryption_key,
3393 conn->smb2.server.cipher,
3395 if (!NT_STATUS_IS_OK(status)) {
3400 verified_buflen = taken + enc_len;
3405 * We need the header plus the body length field
3408 if (len < SMB2_HDR_BODY + 2) {
3409 DEBUG(10, ("%d bytes left, expected at least %d\n",
3410 (int)len, SMB2_HDR_BODY));
3413 if (IVAL(hdr, 0) != SMB2_MAGIC) {
3414 DEBUG(10, ("Got non-SMB2 PDU: %x\n",
3418 if (SVAL(hdr, 4) != SMB2_HDR_BODY) {
3419 DEBUG(10, ("Got HDR len %d, expected %d\n",
3420 SVAL(hdr, 4), SMB2_HDR_BODY));
3425 next_command_ofs = IVAL(hdr, SMB2_HDR_NEXT_COMMAND);
3426 body_size = SVAL(hdr, SMB2_HDR_BODY);
3428 if (next_command_ofs != 0) {
3429 if (next_command_ofs < (SMB2_HDR_BODY + 2)) {
3432 if (next_command_ofs > full_size) {
3435 full_size = next_command_ofs;
3437 if (body_size < 2) {
3440 body_size &= 0xfffe;
3442 if (body_size > (full_size - SMB2_HDR_BODY)) {
3446 iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
3448 if (iov_tmp == NULL) {
3450 return NT_STATUS_NO_MEMORY;
3453 cur = &iov[num_iov];
3456 cur[0].iov_base = tf;
3457 cur[0].iov_len = tf_len;
3458 cur[1].iov_base = hdr;
3459 cur[1].iov_len = SMB2_HDR_BODY;
3460 cur[2].iov_base = hdr + SMB2_HDR_BODY;
3461 cur[2].iov_len = body_size;
3462 cur[3].iov_base = hdr + SMB2_HDR_BODY + body_size;
3463 cur[3].iov_len = full_size - (SMB2_HDR_BODY + body_size);
3469 *pnum_iov = num_iov;
3470 return NT_STATUS_OK;
3474 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3477 static struct tevent_req *smb2cli_conn_find_pending(struct smbXcli_conn *conn,
3480 size_t num_pending = talloc_array_length(conn->pending);
3483 for (i=0; i<num_pending; i++) {
3484 struct tevent_req *req = conn->pending[i];
3485 struct smbXcli_req_state *state =
3486 tevent_req_data(req,
3487 struct smbXcli_req_state);
3489 if (mid == BVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID)) {
3496 static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
3497 TALLOC_CTX *tmp_mem,
3500 struct tevent_req *req;
3501 struct smbXcli_req_state *state = NULL;
3506 struct smbXcli_session *last_session = NULL;
3507 size_t inbuf_len = smb_len_tcp(inbuf);
3509 status = smb2cli_inbuf_parse_compound(conn,
3510 inbuf + NBT_HDR_SIZE,
3514 if (!NT_STATUS_IS_OK(status)) {
3518 for (i=0; i<num_iov; i+=4) {
3519 uint8_t *inbuf_ref = NULL;
3520 struct iovec *cur = &iov[i];
3521 uint8_t *inhdr = (uint8_t *)cur[1].iov_base;
3522 uint16_t opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
3523 uint32_t flags = IVAL(inhdr, SMB2_HDR_FLAGS);
3524 uint64_t mid = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
3525 uint16_t req_opcode;
3527 uint16_t credits = SVAL(inhdr, SMB2_HDR_CREDIT);
3528 uint32_t new_credits;
3529 struct smbXcli_session *session = NULL;
3530 const DATA_BLOB *signing_key = NULL;
3531 bool was_encrypted = false;
3533 new_credits = conn->smb2.cur_credits;
3534 new_credits += credits;
3535 if (new_credits > UINT16_MAX) {
3536 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3538 conn->smb2.cur_credits += credits;
3540 req = smb2cli_conn_find_pending(conn, mid);
3542 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3544 state = tevent_req_data(req, struct smbXcli_req_state);
3546 req_opcode = SVAL(state->smb2.hdr, SMB2_HDR_OPCODE);
3547 if (opcode != req_opcode) {
3548 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3550 req_flags = SVAL(state->smb2.hdr, SMB2_HDR_FLAGS);
3552 if (!(flags & SMB2_HDR_FLAG_REDIRECT)) {
3553 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3556 status = NT_STATUS(IVAL(inhdr, SMB2_HDR_STATUS));
3557 if ((flags & SMB2_HDR_FLAG_ASYNC) &&
3558 NT_STATUS_EQUAL(status, STATUS_PENDING)) {
3559 uint64_t async_id = BVAL(inhdr, SMB2_HDR_ASYNC_ID);
3561 if (state->smb2.got_async) {
3562 /* We only expect one STATUS_PENDING response */
3563 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3565 state->smb2.got_async = true;
3568 * async interim responses are not signed,
3569 * even if the SMB2_HDR_FLAG_SIGNED flag
3572 state->smb2.cancel_flags = SMB2_HDR_FLAG_ASYNC;
3573 state->smb2.cancel_mid = 0;
3574 state->smb2.cancel_aid = async_id;
3576 if (state->smb2.notify_async) {
3577 tevent_req_defer_callback(req, state->ev);
3578 tevent_req_notify_callback(req);
3583 session = state->session;
3584 if (req_flags & SMB2_HDR_FLAG_CHAINED) {
3585 session = last_session;
3587 last_session = session;
3589 if (state->smb2.should_sign) {
3590 if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
3591 return NT_STATUS_ACCESS_DENIED;
3595 if (flags & SMB2_HDR_FLAG_SIGNED) {
3596 uint64_t uid = BVAL(inhdr, SMB2_HDR_SESSION_ID);
3598 if (session == NULL) {
3599 session = smbXcli_session_by_uid(state->conn,
3603 if (session == NULL) {
3604 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3607 last_session = session;
3608 signing_key = &session->smb2_channel.signing_key;
3611 if (opcode == SMB2_OP_SESSSETUP) {
3613 * We prefer the channel signing key, if it is
3616 * If we do not have a channel signing key yet,
3617 * we try the main signing key, if it is not
3618 * the final response.
3620 if (signing_key && signing_key->length == 0 &&
3621 !NT_STATUS_IS_OK(status)) {
3622 signing_key = &session->smb2->signing_key;
3625 if (signing_key && signing_key->length == 0) {
3627 * If we do not have a session key to
3628 * verify the signature, we defer the
3629 * signing check to the caller.
3631 * The caller gets NT_STATUS_OK, it
3633 * smb2cli_session_set_session_key()
3635 * smb2cli_session_set_channel_key()
3636 * which will check the signature
3637 * with the channel signing key.
3643 if (cur[0].iov_len == SMB2_TF_HDR_SIZE) {
3644 const uint8_t *tf = (const uint8_t *)cur[0].iov_base;
3645 uint64_t uid = BVAL(tf, SMB2_TF_SESSION_ID);
3648 * If the response was encrypted in a SMB2_TRANSFORM
3649 * pdu, which belongs to the correct session,
3650 * we do not need to do signing checks
3652 * It could be the session the response belongs to
3653 * or the session that was used to encrypt the
3654 * SMB2_TRANSFORM request.
3656 if ((session && session->smb2->session_id == uid) ||
3657 (state->smb2.encryption_session_id == uid)) {
3659 was_encrypted = true;
3663 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
3665 * if the server returns NT_STATUS_USER_SESSION_DELETED
3666 * the response is not signed and we should
3667 * propagate the NT_STATUS_USER_SESSION_DELETED
3668 * status to the caller.
3670 state->smb2.signing_skipped = true;
3674 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
3676 * if the server returns
3677 * NT_STATUS_INVALID_PARAMETER
3678 * the response might not be encrypted.
3680 if (state->smb2.should_encrypt && !was_encrypted) {
3681 state->smb2.signing_skipped = true;
3686 if (state->smb2.should_encrypt && !was_encrypted) {
3687 if (!state->smb2.signing_skipped) {
3688 return NT_STATUS_ACCESS_DENIED;
3692 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED) ||
3693 NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED) ||
3694 NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
3696 * if the server returns
3697 * NT_STATUS_NETWORK_NAME_DELETED
3698 * NT_STATUS_FILE_CLOSED
3699 * NT_STATUS_INVALID_PARAMETER
3700 * the response might not be signed
3701 * as this happens before the signing checks.
3703 * If server echos the signature (or all zeros)
3704 * we should report the status from the server
3710 cmp = memcmp(inhdr+SMB2_HDR_SIGNATURE,
3711 state->smb2.hdr+SMB2_HDR_SIGNATURE,
3714 state->smb2.signing_skipped = true;
3720 static const uint8_t zeros[16];
3722 cmp = memcmp(inhdr+SMB2_HDR_SIGNATURE,
3726 state->smb2.signing_skipped = true;
3733 status = smb2_signing_check_pdu(*signing_key,
3734 state->conn->protocol,
3736 if (!NT_STATUS_IS_OK(status)) {
3738 * If the signing check fails, we disconnect
3745 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
3746 (session != NULL) && session->disconnect_expired)
3749 * this should be a short term hack
3750 * until the upper layers have implemented
3751 * re-authentication.
3756 smbXcli_req_unset_pending(req);
3759 * There might be more than one response
3760 * we need to defer the notifications
3762 if ((num_iov == 5) && (talloc_array_length(conn->pending) == 0)) {
3767 tevent_req_defer_callback(req, state->ev);
3771 * Note: here we use talloc_reference() in a way
3772 * that does not expose it to the caller.
3774 inbuf_ref = talloc_reference(state->smb2.recv_iov, inbuf);
3775 if (tevent_req_nomem(inbuf_ref, req)) {
3779 /* copy the related buffers */
3780 state->smb2.recv_iov[0] = cur[1];
3781 state->smb2.recv_iov[1] = cur[2];
3782 state->smb2.recv_iov[2] = cur[3];
3784 tevent_req_done(req);
3788 return NT_STATUS_RETRY;
3791 return NT_STATUS_OK;
3794 NTSTATUS smb2cli_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
3795 struct iovec **piov,
3796 const struct smb2cli_req_expected_response *expected,
3797 size_t num_expected)
3799 struct smbXcli_req_state *state =
3800 tevent_req_data(req,
3801 struct smbXcli_req_state);
3804 bool found_status = false;
3805 bool found_size = false;
3812 if (tevent_req_is_in_progress(req) && state->smb2.got_async) {
3813 return STATUS_PENDING;
3816 if (tevent_req_is_nterror(req, &status)) {
3817 for (i=0; i < num_expected; i++) {
3818 if (NT_STATUS_EQUAL(status, expected[i].status)) {
3819 found_status = true;
3825 return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
3831 if (num_expected == 0) {
3832 found_status = true;
3836 status = NT_STATUS(IVAL(state->smb2.recv_iov[0].iov_base, SMB2_HDR_STATUS));
3837 body_size = SVAL(state->smb2.recv_iov[1].iov_base, 0);
3839 for (i=0; i < num_expected; i++) {
3840 if (!NT_STATUS_EQUAL(status, expected[i].status)) {
3844 found_status = true;
3845 if (expected[i].body_size == 0) {
3850 if (expected[i].body_size == body_size) {
3856 if (!found_status) {
3860 if (state->smb2.signing_skipped) {
3861 if (num_expected > 0) {
3862 return NT_STATUS_ACCESS_DENIED;
3864 if (!NT_STATUS_IS_ERR(status)) {
3865 return NT_STATUS_ACCESS_DENIED;
3870 return NT_STATUS_INVALID_NETWORK_RESPONSE;
3874 *piov = talloc_move(mem_ctx, &state->smb2.recv_iov);
3880 NTSTATUS smb2cli_req_get_sent_iov(struct tevent_req *req,
3881 struct iovec *sent_iov)
3883 struct smbXcli_req_state *state =
3884 tevent_req_data(req,
3885 struct smbXcli_req_state);
3887 if (tevent_req_is_in_progress(req)) {
3888 return STATUS_PENDING;
3891 sent_iov[0].iov_base = state->smb2.hdr;
3892 sent_iov[0].iov_len = sizeof(state->smb2.hdr);
3894 sent_iov[1].iov_base = discard_const(state->smb2.fixed);
3895 sent_iov[1].iov_len = state->smb2.fixed_len;
3897 if (state->smb2.dyn != NULL) {
3898 sent_iov[2].iov_base = discard_const(state->smb2.dyn);
3899 sent_iov[2].iov_len = state->smb2.dyn_len;
3901 sent_iov[2].iov_base = NULL;
3902 sent_iov[2].iov_len = 0;
3905 return NT_STATUS_OK;
3908 static const struct {
3909 enum protocol_types proto;
3910 const char *smb1_name;
3911 } smb1cli_prots[] = {
3912 {PROTOCOL_CORE, "PC NETWORK PROGRAM 1.0"},
3913 {PROTOCOL_COREPLUS, "MICROSOFT NETWORKS 1.03"},
3914 {PROTOCOL_LANMAN1, "MICROSOFT NETWORKS 3.0"},
3915 {PROTOCOL_LANMAN1, "LANMAN1.0"},
3916 {PROTOCOL_LANMAN2, "LM1.2X002"},
3917 {PROTOCOL_LANMAN2, "DOS LANMAN2.1"},
3918 {PROTOCOL_LANMAN2, "LANMAN2.1"},
3919 {PROTOCOL_LANMAN2, "Samba"},
3920 {PROTOCOL_NT1, "NT LANMAN 1.0"},
3921 {PROTOCOL_NT1, "NT LM 0.12"},
3922 {PROTOCOL_SMB2_02, "SMB 2.002"},
3923 {PROTOCOL_SMB2_10, "SMB 2.???"},
3926 static const struct {
3927 enum protocol_types proto;
3928 uint16_t smb2_dialect;
3929 } smb2cli_prots[] = {
3930 {PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202},
3931 {PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210},
3932 {PROTOCOL_SMB2_22, SMB2_DIALECT_REVISION_222},
3933 {PROTOCOL_SMB2_24, SMB2_DIALECT_REVISION_224},
3934 {PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300},
3935 {PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302},
3936 {PROTOCOL_SMB3_10, SMB3_DIALECT_REVISION_310},
3937 {PROTOCOL_SMB3_11, SMB3_DIALECT_REVISION_311},
3940 struct smbXcli_negprot_state {
3941 struct smbXcli_conn *conn;
3942 struct tevent_context *ev;
3943 uint32_t timeout_msec;
3950 static void smbXcli_negprot_invalid_done(struct tevent_req *subreq);
3951 static struct tevent_req *smbXcli_negprot_smb1_subreq(struct smbXcli_negprot_state *state);
3952 static void smbXcli_negprot_smb1_done(struct tevent_req *subreq);
3953 static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_state *state);
3954 static void smbXcli_negprot_smb2_done(struct tevent_req *subreq);
3955 static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
3959 struct tevent_req *smbXcli_negprot_send(TALLOC_CTX *mem_ctx,
3960 struct tevent_context *ev,
3961 struct smbXcli_conn *conn,
3962 uint32_t timeout_msec,
3963 enum protocol_types min_protocol,
3964 enum protocol_types max_protocol)
3966 struct tevent_req *req, *subreq;
3967 struct smbXcli_negprot_state *state;
3969 req = tevent_req_create(mem_ctx, &state,
3970 struct smbXcli_negprot_state);
3976 state->timeout_msec = timeout_msec;
3978 if (min_protocol == PROTOCOL_NONE) {
3979 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3980 return tevent_req_post(req, ev);
3983 if (max_protocol == PROTOCOL_NONE) {
3984 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3985 return tevent_req_post(req, ev);
3988 if (min_protocol > max_protocol) {
3989 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
3990 return tevent_req_post(req, ev);
3993 conn->min_protocol = min_protocol;
3994 conn->max_protocol = max_protocol;
3995 conn->protocol = PROTOCOL_NONE;
3997 if ((min_protocol < PROTOCOL_SMB2_02) &&
3998 (max_protocol < PROTOCOL_SMB2_02)) {
4002 conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
4004 subreq = smbXcli_negprot_smb1_subreq(state);
4005 if (tevent_req_nomem(subreq, req)) {
4006 return tevent_req_post(req, ev);
4008 tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
4012 if ((min_protocol >= PROTOCOL_SMB2_02) &&
4013 (max_protocol >= PROTOCOL_SMB2_02)) {
4017 conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
4020 * As we're starting with an SMB2 negprot, emulate Windows
4021 * and ask for 31 credits in the initial SMB2 negprot.
4022 * If we don't and leave requested credits at
4023 * zero, MacOSX servers return zero credits on
4024 * the negprot reply and we fail to connect.
4026 smb2cli_conn_set_max_credits(conn,
4027 WINDOWS_CLIENT_PURE_SMB2_NEGPROT_INITIAL_CREDIT_ASK);
4029 subreq = smbXcli_negprot_smb2_subreq(state);
4030 if (tevent_req_nomem(subreq, req)) {
4031 return tevent_req_post(req, ev);
4033 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4038 * We send an SMB1 negprot with the SMB2 dialects
4039 * and expect a SMB1 or a SMB2 response.
4041 * smbXcli_negprot_dispatch_incoming() will fix the
4042 * callback to match protocol of the response.
4044 conn->dispatch_incoming = smbXcli_negprot_dispatch_incoming;
4046 subreq = smbXcli_negprot_smb1_subreq(state);
4047 if (tevent_req_nomem(subreq, req)) {
4048 return tevent_req_post(req, ev);
4050 tevent_req_set_callback(subreq, smbXcli_negprot_invalid_done, req);
4054 static void smbXcli_negprot_invalid_done(struct tevent_req *subreq)
4056 struct tevent_req *req =
4057 tevent_req_callback_data(subreq,
4062 * we just want the low level error
4064 status = tevent_req_simple_recv_ntstatus(subreq);
4065 TALLOC_FREE(subreq);
4066 if (tevent_req_nterror(req, status)) {
4070 /* this should never happen */
4071 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
4074 static struct tevent_req *smbXcli_negprot_smb1_subreq(struct smbXcli_negprot_state *state)
4077 DATA_BLOB bytes = data_blob_null;
4081 /* setup the protocol strings */
4082 for (i=0; i < ARRAY_SIZE(smb1cli_prots); i++) {
4086 if (smb1cli_prots[i].proto < state->conn->min_protocol) {
4090 if (smb1cli_prots[i].proto > state->conn->max_protocol) {
4094 ok = data_blob_append(state, &bytes, &c, sizeof(c));
4100 * We now it is already ascii and
4101 * we want NULL termination.
4103 ok = data_blob_append(state, &bytes,
4104 smb1cli_prots[i].smb1_name,
4105 strlen(smb1cli_prots[i].smb1_name)+1);
4111 smb1cli_req_flags(state->conn->max_protocol,
4112 state->conn->smb1.client.capabilities,
4117 return smb1cli_req_send(state, state->ev, state->conn,
4121 state->timeout_msec,
4122 0xFFFE, 0, NULL, /* pid, tid, session */
4123 0, NULL, /* wct, vwv */
4124 bytes.length, bytes.data);
4127 static void smbXcli_negprot_smb1_done(struct tevent_req *subreq)
4129 struct tevent_req *req =
4130 tevent_req_callback_data(subreq,
4132 struct smbXcli_negprot_state *state =
4133 tevent_req_data(req,
4134 struct smbXcli_negprot_state);
4135 struct smbXcli_conn *conn = state->conn;
4136 struct iovec *recv_iov = NULL;
4145 size_t num_prots = 0;
4147 uint32_t client_capabilities = conn->smb1.client.capabilities;
4148 uint32_t both_capabilities;
4149 uint32_t server_capabilities = 0;
4150 uint32_t capabilities;
4151 uint32_t client_max_xmit = conn->smb1.client.max_xmit;
4152 uint32_t server_max_xmit = 0;
4154 uint32_t server_max_mux = 0;
4155 uint16_t server_security_mode = 0;
4156 uint32_t server_session_key = 0;
4157 bool server_readbraw = false;
4158 bool server_writebraw = false;
4159 bool server_lockread = false;
4160 bool server_writeunlock = false;
4161 struct GUID server_guid = GUID_zero();
4162 DATA_BLOB server_gss_blob = data_blob_null;
4163 uint8_t server_challenge[8];
4164 char *server_workgroup = NULL;
4165 char *server_name = NULL;
4166 int server_time_zone = 0;
4167 NTTIME server_system_time = 0;
4168 static const struct smb1cli_req_expected_response expected[] = {
4170 .status = NT_STATUS_OK,
4171 .wct = 0x11, /* NT1 */
4174 .status = NT_STATUS_OK,
4175 .wct = 0x0D, /* LM */
4178 .status = NT_STATUS_OK,
4179 .wct = 0x01, /* CORE */
4183 ZERO_STRUCT(server_challenge);
4185 status = smb1cli_req_recv(subreq, state,
4190 NULL, /* pvwv_offset */
4193 NULL, /* pbytes_offset */
4195 expected, ARRAY_SIZE(expected));
4196 TALLOC_FREE(subreq);
4197 if (tevent_req_nterror(req, status)) {
4201 flags = CVAL(inhdr, HDR_FLG);
4203 protnum = SVAL(vwv, 0);
4205 for (i=0; i < ARRAY_SIZE(smb1cli_prots); i++) {
4206 if (smb1cli_prots[i].proto < state->conn->min_protocol) {
4210 if (smb1cli_prots[i].proto > state->conn->max_protocol) {
4214 if (protnum != num_prots) {
4219 conn->protocol = smb1cli_prots[i].proto;
4223 if (conn->protocol == PROTOCOL_NONE) {
4224 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4228 if ((conn->protocol < PROTOCOL_NT1) && conn->mandatory_signing) {
4229 DEBUG(0,("smbXcli_negprot: SMB signing is mandatory "
4230 "and the selected protocol level doesn't support it.\n"));
4231 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
4235 if (flags & FLAG_SUPPORT_LOCKREAD) {
4236 server_lockread = true;
4237 server_writeunlock = true;
4240 if (conn->protocol >= PROTOCOL_NT1) {
4241 const char *client_signing = NULL;
4242 bool server_mandatory = false;
4243 bool server_allowed = false;
4244 const char *server_signing = NULL;
4249 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4254 server_security_mode = CVAL(vwv + 1, 0);
4255 server_max_mux = SVAL(vwv + 1, 1);
4256 server_max_xmit = IVAL(vwv + 3, 1);
4257 server_session_key = IVAL(vwv + 7, 1);
4258 server_time_zone = SVALS(vwv + 15, 1);
4259 server_time_zone *= 60;
4260 /* this time arrives in real GMT */
4261 server_system_time = BVAL(vwv + 11, 1);
4262 server_capabilities = IVAL(vwv + 9, 1);
4264 key_len = CVAL(vwv + 16, 1);
4266 if (server_capabilities & CAP_RAW_MODE) {
4267 server_readbraw = true;
4268 server_writebraw = true;
4270 if (server_capabilities & CAP_LOCK_AND_READ) {
4271 server_lockread = true;
4274 if (server_capabilities & CAP_EXTENDED_SECURITY) {
4275 DATA_BLOB blob1, blob2;
4277 if (num_bytes < 16) {
4278 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4282 blob1 = data_blob_const(bytes, 16);
4283 status = GUID_from_data_blob(&blob1, &server_guid);
4284 if (tevent_req_nterror(req, status)) {
4288 blob1 = data_blob_const(bytes+16, num_bytes-16);
4289 blob2 = data_blob_dup_talloc(state, blob1);
4290 if (blob1.length > 0 &&
4291 tevent_req_nomem(blob2.data, req)) {
4294 server_gss_blob = blob2;
4296 DATA_BLOB blob1, blob2;
4298 if (num_bytes < key_len) {
4299 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4303 if (key_len != 0 && key_len != 8) {
4304 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4309 memcpy(server_challenge, bytes, 8);
4312 blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
4313 blob2 = data_blob_const(bytes+key_len, num_bytes-key_len);
4314 if (blob1.length > 0) {
4317 len = utf16_len_n(blob1.data,
4321 ok = convert_string_talloc(state,
4329 status = map_nt_error_from_unix_common(errno);
4330 tevent_req_nterror(req, status);
4335 blob2.data += blob1.length;
4336 blob2.length -= blob1.length;
4337 if (blob2.length > 0) {
4340 len = utf16_len_n(blob1.data,
4344 ok = convert_string_talloc(state,
4352 status = map_nt_error_from_unix_common(errno);
4353 tevent_req_nterror(req, status);
4359 client_signing = "disabled";
4360 if (conn->allow_signing) {
4361 client_signing = "allowed";
4363 if (conn->mandatory_signing) {
4364 client_signing = "required";
4367 server_signing = "not supported";
4368 if (server_security_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) {
4369 server_signing = "supported";
4370 server_allowed = true;
4371 } else if (conn->mandatory_signing) {
4373 * We have mandatory signing as client
4374 * lets assume the server will look at our
4375 * FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED
4376 * flag in the session setup
4378 server_signing = "not announced";
4379 server_allowed = true;
4381 if (server_security_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) {
4382 server_signing = "required";
4383 server_mandatory = true;
4386 ok = smb_signing_set_negotiated(conn->smb1.signing,
4390 DEBUG(1,("cli_negprot: SMB signing is required, "
4391 "but client[%s] and server[%s] mismatch\n",
4392 client_signing, server_signing));
4393 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
4397 } else if (conn->protocol >= PROTOCOL_LANMAN1) {
4403 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4407 server_security_mode = SVAL(vwv + 1, 0);
4408 server_max_xmit = SVAL(vwv + 2, 0);
4409 server_max_mux = SVAL(vwv + 3, 0);
4410 server_readbraw = ((SVAL(vwv + 5, 0) & 0x1) != 0);
4411 server_writebraw = ((SVAL(vwv + 5, 0) & 0x2) != 0);
4412 server_session_key = IVAL(vwv + 6, 0);
4413 server_time_zone = SVALS(vwv + 10, 0);
4414 server_time_zone *= 60;
4415 /* this time is converted to GMT by make_unix_date */
4416 t = pull_dos_date((const uint8_t *)(vwv + 8), server_time_zone);
4417 unix_to_nt_time(&server_system_time, t);
4418 key_len = SVAL(vwv + 11, 0);
4420 if (num_bytes < key_len) {
4421 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4425 if (key_len != 0 && key_len != 8) {
4426 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4431 memcpy(server_challenge, bytes, 8);
4434 blob1 = data_blob_const(bytes+key_len, num_bytes-key_len);
4435 if (blob1.length > 0) {
4439 len = utf16_len_n(blob1.data,
4443 ok = convert_string_talloc(state,
4451 status = map_nt_error_from_unix_common(errno);
4452 tevent_req_nterror(req, status);
4458 /* the old core protocol */
4459 server_time_zone = get_time_zone(time(NULL));
4460 server_max_xmit = 1024;
4464 if (server_max_xmit < 1024) {
4465 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4469 if (server_max_mux < 1) {
4470 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4475 * Now calculate the negotiated capabilities
4476 * based on the mask for:
4477 * - client only flags
4478 * - flags used in both directions
4479 * - server only flags
4481 both_capabilities = client_capabilities & server_capabilities;
4482 capabilities = client_capabilities & SMB_CAP_CLIENT_MASK;
4483 capabilities |= both_capabilities & SMB_CAP_BOTH_MASK;
4484 capabilities |= server_capabilities & SMB_CAP_SERVER_MASK;
4486 max_xmit = MIN(client_max_xmit, server_max_xmit);
4488 conn->smb1.server.capabilities = server_capabilities;
4489 conn->smb1.capabilities = capabilities;
4491 conn->smb1.server.max_xmit = server_max_xmit;
4492 conn->smb1.max_xmit = max_xmit;
4494 conn->smb1.server.max_mux = server_max_mux;
4496 conn->smb1.server.security_mode = server_security_mode;
4498 conn->smb1.server.readbraw = server_readbraw;
4499 conn->smb1.server.writebraw = server_writebraw;
4500 conn->smb1.server.lockread = server_lockread;
4501 conn->smb1.server.writeunlock = server_writeunlock;
4503 conn->smb1.server.session_key = server_session_key;
4505 talloc_steal(conn, server_gss_blob.data);
4506 conn->smb1.server.gss_blob = server_gss_blob;
4507 conn->smb1.server.guid = server_guid;
4508 memcpy(conn->smb1.server.challenge, server_challenge, 8);
4509 conn->smb1.server.workgroup = talloc_move(conn, &server_workgroup);
4510 conn->smb1.server.name = talloc_move(conn, &server_name);
4512 conn->smb1.server.time_zone = server_time_zone;
4513 conn->smb1.server.system_time = server_system_time;
4515 tevent_req_done(req);
4518 static size_t smbXcli_padding_helper(uint32_t offset, size_t n)
4520 if ((offset & (n-1)) == 0) return 0;
4521 return n - (offset & (n-1));
4524 static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_state *state)
4528 uint16_t dialect_count = 0;
4529 DATA_BLOB dyn = data_blob_null;
4531 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4535 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
4539 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
4543 SSVAL(val, 0, smb2cli_prots[i].smb2_dialect);
4545 ok = data_blob_append(state, &dyn, val, sizeof(val));
4553 buf = state->smb2.fixed;
4555 SSVAL(buf, 2, dialect_count);
4556 SSVAL(buf, 4, state->conn->smb2.client.security_mode);
4557 SSVAL(buf, 6, 0); /* Reserved */
4558 if (state->conn->max_protocol >= PROTOCOL_SMB2_22) {
4559 SIVAL(buf, 8, state->conn->smb2.client.capabilities);
4561 SIVAL(buf, 8, 0); /* Capabilities */
4563 if (state->conn->max_protocol >= PROTOCOL_SMB2_10) {
4567 status = GUID_to_ndr_blob(&state->conn->smb2.client.guid,
4569 if (!NT_STATUS_IS_OK(status)) {
4572 memcpy(buf+12, blob.data, 16); /* ClientGuid */
4574 memset(buf+12, 0, 16); /* ClientGuid */
4577 if (state->conn->max_protocol >= PROTOCOL_SMB3_10) {
4579 struct smb2_negotiate_contexts c = { .num_contexts = 0, };
4583 const uint8_t zeros[8] = {0, };
4587 SSVAL(p, 0, 1); /* HashAlgorithmCount */
4588 SSVAL(p, 2, 32); /* SaltLength */
4589 SSVAL(p, 4, SMB2_PREAUTH_INTEGRITY_SHA512);
4590 generate_random_buffer(p + 6, 32);
4592 b = data_blob_const(p, 38);
4593 status = smb2_negotiate_context_add(state, &c,
4594 SMB2_PREAUTH_INTEGRITY_CAPABILITIES, b);
4595 if (!NT_STATUS_IS_OK(status)) {
4599 SSVAL(p, 0, 2); /* ChiperCount */
4601 * For now we preferr CCM because our implementation
4602 * is faster than GCM, see bug #11451.
4604 SSVAL(p, 2, SMB2_ENCRYPTION_AES128_CCM);
4605 SSVAL(p, 4, SMB2_ENCRYPTION_AES128_GCM);
4607 b = data_blob_const(p, 6);
4608 status = smb2_negotiate_context_add(state, &c,
4609 SMB2_ENCRYPTION_CAPABILITIES, b);
4610 if (!NT_STATUS_IS_OK(status)) {
4614 status = smb2_negotiate_context_push(state, &b, c);
4615 if (!NT_STATUS_IS_OK(status)) {
4619 offset = SMB2_HDR_BODY + sizeof(state->smb2.fixed) + dyn.length;
4620 pad = smbXcli_padding_helper(offset, 8);
4622 ok = data_blob_append(state, &dyn, zeros, pad);
4628 ok = data_blob_append(state, &dyn, b.data, b.length);
4633 SIVAL(buf, 28, offset); /* NegotiateContextOffset */
4634 SSVAL(buf, 32, c.num_contexts); /* NegotiateContextCount */
4635 SSVAL(buf, 34, 0); /* Reserved */
4637 SBVAL(buf, 28, 0); /* Reserved/ClientStartTime */
4640 return smb2cli_req_send(state, state->ev,
4641 state->conn, SMB2_OP_NEGPROT,
4643 state->timeout_msec,
4644 NULL, NULL, /* tcon, session */
4645 state->smb2.fixed, sizeof(state->smb2.fixed),
4646 dyn.data, dyn.length,
4647 UINT16_MAX); /* max_dyn_len */
4650 static void smbXcli_negprot_smb2_done(struct tevent_req *subreq)
4652 struct tevent_req *req =
4653 tevent_req_callback_data(subreq,
4655 struct smbXcli_negprot_state *state =
4656 tevent_req_data(req,
4657 struct smbXcli_negprot_state);
4658 struct smbXcli_conn *conn = state->conn;
4659 size_t security_offset, security_length;
4665 uint16_t dialect_revision;
4666 struct smb2_negotiate_contexts c = { .num_contexts = 0, };
4667 uint32_t negotiate_context_offset = 0;
4668 uint16_t negotiate_context_count = 0;
4669 DATA_BLOB negotiate_context_blob = data_blob_null;
4673 struct smb2_negotiate_context *preauth = NULL;
4674 uint16_t hash_count;
4675 uint16_t salt_length;
4676 uint16_t hash_selected;
4677 struct hc_sha512state sctx;
4678 struct smb2_negotiate_context *cipher = NULL;
4679 struct iovec sent_iov[3];
4680 static const struct smb2cli_req_expected_response expected[] = {
4682 .status = NT_STATUS_OK,
4687 status = smb2cli_req_recv(subreq, state, &iov,
4688 expected, ARRAY_SIZE(expected));
4689 if (tevent_req_nterror(req, status)) {
4693 body = (uint8_t *)iov[1].iov_base;
4695 dialect_revision = SVAL(body, 4);
4697 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
4698 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
4702 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
4706 if (smb2cli_prots[i].smb2_dialect != dialect_revision) {
4710 conn->protocol = smb2cli_prots[i].proto;
4714 if (conn->protocol == PROTOCOL_NONE) {
4715 TALLOC_FREE(subreq);
4717 if (state->conn->min_protocol >= PROTOCOL_SMB2_02) {
4718 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4722 if (dialect_revision != SMB2_DIALECT_REVISION_2FF) {
4723 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4727 /* make sure we do not loop forever */
4728 state->conn->min_protocol = PROTOCOL_SMB2_02;
4731 * send a SMB2 negprot, in order to negotiate
4734 subreq = smbXcli_negprot_smb2_subreq(state);
4735 if (tevent_req_nomem(subreq, req)) {
4738 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4742 conn->smb2.server.security_mode = SVAL(body, 2);
4743 if (conn->protocol >= PROTOCOL_SMB3_10) {
4744 negotiate_context_count = SVAL(body, 6);
4747 blob = data_blob_const(body + 8, 16);
4748 status = GUID_from_data_blob(&blob, &conn->smb2.server.guid);
4749 if (tevent_req_nterror(req, status)) {
4753 conn->smb2.server.capabilities = IVAL(body, 24);
4754 conn->smb2.server.max_trans_size= IVAL(body, 28);
4755 conn->smb2.server.max_read_size = IVAL(body, 32);
4756 conn->smb2.server.max_write_size= IVAL(body, 36);
4757 conn->smb2.server.system_time = BVAL(body, 40);
4758 conn->smb2.server.start_time = BVAL(body, 48);
4760 security_offset = SVAL(body, 56);
4761 security_length = SVAL(body, 58);
4763 if (security_offset != SMB2_HDR_BODY + iov[1].iov_len) {
4764 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4768 if (security_length > iov[2].iov_len) {
4769 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4773 conn->smb2.server.gss_blob = data_blob_talloc(conn,
4776 if (tevent_req_nomem(conn->smb2.server.gss_blob.data, req)) {
4780 if (conn->protocol < PROTOCOL_SMB3_10) {
4781 TALLOC_FREE(subreq);
4783 if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
4784 conn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
4786 tevent_req_done(req);
4790 if (conn->smb2.server.capabilities & SMB2_CAP_ENCRYPTION) {
4791 tevent_req_nterror(req,
4792 NT_STATUS_INVALID_NETWORK_RESPONSE);
4796 negotiate_context_offset = IVAL(body, 60);
4797 if (negotiate_context_offset < security_offset) {
4798 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4802 ctx_ofs = negotiate_context_offset - security_offset;
4803 if (ctx_ofs > iov[2].iov_len) {
4804 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4807 avail = iov[2].iov_len - security_length;
4808 needed = iov[2].iov_len - ctx_ofs;
4809 if (needed > avail) {
4810 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4814 negotiate_context_blob.data = (uint8_t *)iov[2].iov_base;
4815 negotiate_context_blob.length = iov[2].iov_len;
4817 negotiate_context_blob.data += ctx_ofs;
4818 negotiate_context_blob.length -= ctx_ofs;
4820 status = smb2_negotiate_context_parse(state, negotiate_context_blob, &c);
4821 if (tevent_req_nterror(req, status)) {
4825 if (negotiate_context_count != c.num_contexts) {
4826 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4830 preauth = smb2_negotiate_context_find(&c,
4831 SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
4832 if (preauth == NULL) {
4833 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4837 if (preauth->data.length < 6) {
4838 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4842 hash_count = SVAL(preauth->data.data, 0);
4843 salt_length = SVAL(preauth->data.data, 2);
4844 hash_selected = SVAL(preauth->data.data, 4);
4846 if (hash_count != 1) {
4847 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4851 if (preauth->data.length != (6 + salt_length)) {
4852 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4856 if (hash_selected != SMB2_PREAUTH_INTEGRITY_SHA512) {
4857 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
4861 cipher = smb2_negotiate_context_find(&c, SMB2_ENCRYPTION_CAPABILITIES);
4862 if (cipher != NULL) {
4863 uint16_t cipher_count;
4865 if (cipher->data.length < 2) {
4866 tevent_req_nterror(req,
4867 NT_STATUS_INVALID_NETWORK_RESPONSE);
4871 cipher_count = SVAL(cipher->data.data, 0);
4873 if (cipher_count > 1) {
4874 tevent_req_nterror(req,
4875 NT_STATUS_INVALID_NETWORK_RESPONSE);
4879 if (cipher->data.length != (2 + 2 * cipher_count)) {
4880 tevent_req_nterror(req,
4881 NT_STATUS_INVALID_NETWORK_RESPONSE);
4885 if (cipher_count == 1) {
4886 uint16_t cipher_selected;
4888 cipher_selected = SVAL(cipher->data.data, 2);
4890 switch (cipher_selected) {
4891 case SMB2_ENCRYPTION_AES128_GCM:
4892 case SMB2_ENCRYPTION_AES128_CCM:
4893 conn->smb2.server.cipher = cipher_selected;
4899 /* First we hash the request */
4900 smb2cli_req_get_sent_iov(subreq, sent_iov);
4901 samba_SHA512_Init(&sctx);
4902 samba_SHA512_Update(&sctx, conn->smb2.preauth_sha512,
4903 sizeof(conn->smb2.preauth_sha512));
4904 for (i = 0; i < 3; i++) {
4905 samba_SHA512_Update(&sctx, sent_iov[i].iov_base, sent_iov[i].iov_len);
4907 samba_SHA512_Final(conn->smb2.preauth_sha512, &sctx);
4908 TALLOC_FREE(subreq);
4910 /* And now we hash the response */
4911 samba_SHA512_Init(&sctx);
4912 samba_SHA512_Update(&sctx, conn->smb2.preauth_sha512,
4913 sizeof(conn->smb2.preauth_sha512));
4914 for (i = 0; i < 3; i++) {
4915 samba_SHA512_Update(&sctx, iov[i].iov_base, iov[i].iov_len);
4917 samba_SHA512_Final(conn->smb2.preauth_sha512, &sctx);
4919 tevent_req_done(req);
4922 static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
4923 TALLOC_CTX *tmp_mem,
4926 size_t num_pending = talloc_array_length(conn->pending);
4927 struct tevent_req *subreq;
4928 struct smbXcli_req_state *substate;
4929 struct tevent_req *req;
4930 uint32_t protocol_magic;
4931 size_t inbuf_len = smb_len_nbt(inbuf);
4933 if (num_pending != 1) {
4934 return NT_STATUS_INTERNAL_ERROR;
4937 if (inbuf_len < 4) {
4938 return NT_STATUS_INVALID_NETWORK_RESPONSE;
4941 subreq = conn->pending[0];
4942 substate = tevent_req_data(subreq, struct smbXcli_req_state);
4943 req = tevent_req_callback_data(subreq, struct tevent_req);
4945 protocol_magic = IVAL(inbuf, 4);
4947 switch (protocol_magic) {
4949 tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
4950 conn->dispatch_incoming = smb1cli_conn_dispatch_incoming;
4951 return smb1cli_conn_dispatch_incoming(conn, tmp_mem, inbuf);
4954 if (substate->smb2.recv_iov == NULL) {
4956 * For the SMB1 negprot we have move it.
4958 substate->smb2.recv_iov = substate->smb1.recv_iov;
4959 substate->smb1.recv_iov = NULL;
4963 * we got an SMB2 answer, which consumed sequence number 0
4964 * so we need to use 1 as the next one.
4966 * we also need to set the current credits to 0
4967 * as we consumed the initial one. The SMB2 answer
4968 * hopefully grant us a new credit.
4971 conn->smb2.cur_credits = 0;
4972 tevent_req_set_callback(subreq, smbXcli_negprot_smb2_done, req);
4973 conn->dispatch_incoming = smb2cli_conn_dispatch_incoming;
4974 return smb2cli_conn_dispatch_incoming(conn, tmp_mem, inbuf);
4977 DEBUG(10, ("Got non-SMB PDU\n"));
4978 return NT_STATUS_INVALID_NETWORK_RESPONSE;
4981 NTSTATUS smbXcli_negprot_recv(struct tevent_req *req)
4983 return tevent_req_simple_recv_ntstatus(req);
4986 NTSTATUS smbXcli_negprot(struct smbXcli_conn *conn,
4987 uint32_t timeout_msec,
4988 enum protocol_types min_protocol,
4989 enum protocol_types max_protocol)
4991 TALLOC_CTX *frame = talloc_stackframe();
4992 struct tevent_context *ev;
4993 struct tevent_req *req;
4994 NTSTATUS status = NT_STATUS_NO_MEMORY;
4997 if (smbXcli_conn_has_async_calls(conn)) {
4999 * Can't use sync call while an async call is in flight
5001 status = NT_STATUS_INVALID_PARAMETER_MIX;
5004 ev = samba_tevent_context_init(frame);
5008 req = smbXcli_negprot_send(frame, ev, conn, timeout_msec,
5009 min_protocol, max_protocol);
5013 ok = tevent_req_poll_ntstatus(req, ev, &status);
5017 status = smbXcli_negprot_recv(req);
5023 struct smb2cli_validate_negotiate_info_state {
5024 struct smbXcli_conn *conn;
5025 DATA_BLOB in_input_buffer;
5026 DATA_BLOB in_output_buffer;
5027 DATA_BLOB out_input_buffer;
5028 DATA_BLOB out_output_buffer;
5032 static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq);
5034 struct tevent_req *smb2cli_validate_negotiate_info_send(TALLOC_CTX *mem_ctx,
5035 struct tevent_context *ev,
5036 struct smbXcli_conn *conn,
5037 uint32_t timeout_msec,
5038 struct smbXcli_session *session,
5039 struct smbXcli_tcon *tcon)
5041 struct tevent_req *req;
5042 struct smb2cli_validate_negotiate_info_state *state;
5044 uint16_t dialect_count = 0;
5045 struct tevent_req *subreq;
5046 bool _save_should_sign;
5049 req = tevent_req_create(mem_ctx, &state,
5050 struct smb2cli_validate_negotiate_info_state);
5056 state->in_input_buffer = data_blob_talloc_zero(state,
5057 4 + 16 + 1 + 1 + 2);
5058 if (tevent_req_nomem(state->in_input_buffer.data, req)) {
5059 return tevent_req_post(req, ev);
5061 buf = state->in_input_buffer.data;
5063 if (state->conn->max_protocol >= PROTOCOL_SMB2_22) {
5064 SIVAL(buf, 0, conn->smb2.client.capabilities);
5066 SIVAL(buf, 0, 0); /* Capabilities */
5068 if (state->conn->max_protocol >= PROTOCOL_SMB2_10) {
5072 status = GUID_to_ndr_blob(&conn->smb2.client.guid,
5074 if (!NT_STATUS_IS_OK(status)) {
5077 memcpy(buf+4, blob.data, 16); /* ClientGuid */
5079 memset(buf+4, 0, 16); /* ClientGuid */
5081 if (state->conn->min_protocol >= PROTOCOL_SMB2_02) {
5082 SCVAL(buf, 20, conn->smb2.client.security_mode);
5086 SCVAL(buf, 21, 0); /* reserved */
5088 for (i=0; i < ARRAY_SIZE(smb2cli_prots); i++) {
5092 if (smb2cli_prots[i].proto < state->conn->min_protocol) {
5096 if (smb2cli_prots[i].proto > state->conn->max_protocol) {
5100 if (smb2cli_prots[i].proto == state->conn->protocol) {
5101 state->dialect = smb2cli_prots[i].smb2_dialect;
5104 ofs = state->in_input_buffer.length;
5105 ok = data_blob_realloc(state, &state->in_input_buffer,
5108 tevent_req_oom(req);
5109 return tevent_req_post(req, ev);
5112 buf = state->in_input_buffer.data;
5113 SSVAL(buf, ofs, smb2cli_prots[i].smb2_dialect);
5117 buf = state->in_input_buffer.data;
5118 SSVAL(buf, 22, dialect_count);
5120 _save_should_sign = smb2cli_tcon_is_signing_on(tcon);
5121 smb2cli_tcon_should_sign(tcon, true);
5122 subreq = smb2cli_ioctl_send(state, ev, conn,
5123 timeout_msec, session, tcon,
5124 UINT64_MAX, /* in_fid_persistent */
5125 UINT64_MAX, /* in_fid_volatile */
5126 FSCTL_VALIDATE_NEGOTIATE_INFO,
5127 0, /* in_max_input_length */
5128 &state->in_input_buffer,
5129 24, /* in_max_output_length */
5130 &state->in_output_buffer,
5131 SMB2_IOCTL_FLAG_IS_FSCTL);
5132 smb2cli_tcon_should_sign(tcon, _save_should_sign);
5133 if (tevent_req_nomem(subreq, req)) {
5134 return tevent_req_post(req, ev);
5136 tevent_req_set_callback(subreq,
5137 smb2cli_validate_negotiate_info_done,
5143 static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
5145 struct tevent_req *req =
5146 tevent_req_callback_data(subreq,
5148 struct smb2cli_validate_negotiate_info_state *state =
5149 tevent_req_data(req,
5150 struct smb2cli_validate_negotiate_info_state);
5153 uint32_t capabilities;
5154 DATA_BLOB guid_blob;
5155 struct GUID server_guid;
5156 uint16_t security_mode;
5159 status = smb2cli_ioctl_recv(subreq, state,
5160 &state->out_input_buffer,
5161 &state->out_output_buffer);
5162 TALLOC_FREE(subreq);
5163 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_CLOSED)) {
5165 * The response was signed, but not supported
5167 * Older Windows and Samba releases return
5168 * NT_STATUS_FILE_CLOSED.
5170 tevent_req_done(req);
5173 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_DEVICE_REQUEST)) {
5175 * The response was signed, but not supported
5177 * This is returned by the NTVFS based Samba 4.x file server
5180 tevent_req_done(req);
5183 if (NT_STATUS_EQUAL(status, NT_STATUS_FS_DRIVER_REQUIRED)) {
5185 * The response was signed, but not supported
5187 * This is returned by the NTVFS based Samba 4.x file server
5190 tevent_req_done(req);
5193 if (tevent_req_nterror(req, status)) {
5197 if (state->out_output_buffer.length != 24) {
5198 tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
5202 buf = state->out_output_buffer.data;
5204 capabilities = IVAL(buf, 0);
5205 guid_blob = data_blob_const(buf + 4, 16);
5206 status = GUID_from_data_blob(&guid_blob, &server_guid);
5207 if (tevent_req_nterror(req, status)) {
5210 security_mode = CVAL(buf, 20);
5211 dialect = SVAL(buf, 22);
5213 if (capabilities != state->conn->smb2.server.capabilities) {
5214 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5218 if (!GUID_equal(&server_guid, &state->conn->smb2.server.guid)) {
5219 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5223 if (security_mode != state->conn->smb2.server.security_mode) {
5224 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5228 if (dialect != state->dialect) {
5229 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
5233 tevent_req_done(req);
5236 NTSTATUS smb2cli_validate_negotiate_info_recv(struct tevent_req *req)
5238 return tevent_req_simple_recv_ntstatus(req);
5241 static int smbXcli_session_destructor(struct smbXcli_session *session)
5243 if (session->conn == NULL) {
5247 DLIST_REMOVE(session->conn->sessions, session);
5251 struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
5252 struct smbXcli_conn *conn)
5254 struct smbXcli_session *session;
5256 session = talloc_zero(mem_ctx, struct smbXcli_session);
5257 if (session == NULL) {
5260 session->smb2 = talloc_zero(session, struct smb2cli_session);
5261 if (session->smb2 == NULL) {
5262 talloc_free(session);
5265 talloc_set_destructor(session, smbXcli_session_destructor);
5267 DLIST_ADD_END(conn->sessions, session, struct smbXcli_session *);
5268 session->conn = conn;
5270 memcpy(session->smb2_channel.preauth_sha512,
5271 conn->smb2.preauth_sha512,
5272 sizeof(session->smb2_channel.preauth_sha512));
5277 struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
5278 struct smbXcli_session *src)
5280 struct smbXcli_session *session;
5282 session = talloc_zero(mem_ctx, struct smbXcli_session);
5283 if (session == NULL) {
5286 session->smb2 = talloc_zero(session, struct smb2cli_session);
5287 if (session->smb2 == NULL) {
5288 talloc_free(session);
5292 session->conn = src->conn;
5293 *session->smb2 = *src->smb2;
5294 session->smb2_channel = src->smb2_channel;
5295 session->disconnect_expired = src->disconnect_expired;
5297 DLIST_ADD_END(src->conn->sessions, session, struct smbXcli_session *);
5298 talloc_set_destructor(session, smbXcli_session_destructor);
5303 bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
5305 const DATA_BLOB *application_key;
5307 if (session->conn == NULL) {
5312 * If we have an application key we had a session key negotiated
5315 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
5316 application_key = &session->smb2->application_key;
5318 application_key = &session->smb1.application_key;
5321 if (application_key->length == 0) {
5328 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
5329 TALLOC_CTX *mem_ctx,
5332 const DATA_BLOB *application_key;
5334 *key = data_blob_null;
5336 if (session->conn == NULL) {
5337 return NT_STATUS_NO_USER_SESSION_KEY;
5340 if (session->conn->protocol >= PROTOCOL_SMB2_02) {
5341 application_key = &session->smb2->application_key;
5343 application_key = &session->smb1.application_key;
5346 if (application_key->length == 0) {
5347 return NT_STATUS_NO_USER_SESSION_KEY;
5350 *key = data_blob_dup_talloc(mem_ctx, *application_key);
5351 if (key->data == NULL) {
5352 return NT_STATUS_NO_MEMORY;
5355 return NT_STATUS_OK;
5358 void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session)
5360 session->disconnect_expired = true;
5363 uint16_t smb1cli_session_current_id(struct smbXcli_session *session)
5365 return session->smb1.session_id;
5368 void smb1cli_session_set_id(struct smbXcli_session *session,
5369 uint16_t session_id)
5371 session->smb1.session_id = session_id;
5374 NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
5375 const DATA_BLOB _session_key)
5377 struct smbXcli_conn *conn = session->conn;
5378 uint8_t session_key[16];
5381 return NT_STATUS_INVALID_PARAMETER_MIX;
5384 if (session->smb1.application_key.length != 0) {
5386 * TODO: do not allow this...
5388 * return NT_STATUS_INVALID_PARAMETER_MIX;
5390 data_blob_clear_free(&session->smb1.application_key);
5391 session->smb1.protected_key = false;
5394 if (_session_key.length == 0) {
5395 return NT_STATUS_OK;
5398 ZERO_STRUCT(session_key);
5399 memcpy(session_key, _session_key.data,
5400 MIN(_session_key.length, sizeof(session_key)));
5402 session->smb1.application_key = data_blob_talloc(session,
5404 sizeof(session_key));
5405 ZERO_STRUCT(session_key);
5406 if (session->smb1.application_key.data == NULL) {
5407 return NT_STATUS_NO_MEMORY;
5410 session->smb1.protected_key = false;
5412 return NT_STATUS_OK;
5415 NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session)
5417 if (session->smb1.protected_key) {
5418 /* already protected */
5419 return NT_STATUS_OK;
5422 if (session->smb1.application_key.length != 16) {
5423 return NT_STATUS_INVALID_PARAMETER_MIX;
5426 smb_key_derivation(session->smb1.application_key.data,
5427 session->smb1.application_key.length,
5428 session->smb1.application_key.data);
5430 session->smb1.protected_key = true;
5432 return NT_STATUS_OK;
5435 uint8_t smb2cli_session_security_mode(struct smbXcli_session *session)
5437 struct smbXcli_conn *conn = session->conn;
5438 uint8_t security_mode = 0;
5441 return security_mode;
5444 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
5445 if (conn->mandatory_signing) {
5446 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
5449 return security_mode;
5452 uint64_t smb2cli_session_current_id(struct smbXcli_session *session)
5454 return session->smb2->session_id;
5457 uint16_t smb2cli_session_get_flags(struct smbXcli_session *session)
5459 return session->smb2->session_flags;
5462 void smb2cli_session_set_id_and_flags(struct smbXcli_session *session,
5463 uint64_t session_id,
5464 uint16_t session_flags)
5466 session->smb2->session_id = session_id;
5467 session->smb2->session_flags = session_flags;
5470 void smb2cli_session_increment_channel_sequence(struct smbXcli_session *session)
5472 session->smb2->channel_sequence += 1;
5475 uint16_t smb2cli_session_reset_channel_sequence(struct smbXcli_session *session,
5476 uint16_t channel_sequence)
5480 prev_cs = session->smb2->channel_sequence;
5481 session->smb2->channel_sequence = channel_sequence;
5486 void smb2cli_session_start_replay(struct smbXcli_session *session)
5488 session->smb2->replay_active = true;
5491 void smb2cli_session_stop_replay(struct smbXcli_session *session)
5493 session->smb2->replay_active = false;
5496 NTSTATUS smb2cli_session_update_preauth(struct smbXcli_session *session,
5497 const struct iovec *iov)
5499 struct hc_sha512state sctx;
5502 if (session->conn == NULL) {
5503 return NT_STATUS_INTERNAL_ERROR;
5506 if (session->conn->protocol < PROTOCOL_SMB3_10) {
5507 return NT_STATUS_OK;
5510 if (session->smb2_channel.signing_key.length != 0) {
5511 return NT_STATUS_OK;
5514 samba_SHA512_Init(&sctx);
5515 samba_SHA512_Update(&sctx, session->smb2_channel.preauth_sha512,
5516 sizeof(session->smb2_channel.preauth_sha512));
5517 for (i = 0; i < 3; i++) {
5518 samba_SHA512_Update(&sctx, iov[i].iov_base, iov[i].iov_len);
5520 samba_SHA512_Final(session->smb2_channel.preauth_sha512, &sctx);
5522 return NT_STATUS_OK;
5525 NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
5526 const DATA_BLOB _session_key,
5527 const struct iovec *recv_iov)
5529 struct smbXcli_conn *conn = session->conn;
5530 uint16_t no_sign_flags;
5531 uint8_t session_key[16];
5532 bool check_signature = true;
5535 struct _derivation {
5540 struct _derivation signing;
5541 struct _derivation encryption;
5542 struct _derivation decryption;
5543 struct _derivation application;
5545 size_t nonce_size = 0;
5548 return NT_STATUS_INVALID_PARAMETER_MIX;
5551 if (recv_iov[0].iov_len != SMB2_HDR_BODY) {
5552 return NT_STATUS_INVALID_PARAMETER_MIX;
5555 no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
5557 if (session->smb2->session_flags & no_sign_flags) {
5558 session->smb2->should_sign = false;
5559 return NT_STATUS_OK;
5562 if (session->smb2->signing_key.length != 0) {
5563 return NT_STATUS_INVALID_PARAMETER_MIX;
5566 if (conn->protocol >= PROTOCOL_SMB3_10) {
5567 struct _derivation *d;
5570 p = data_blob_const(session->smb2_channel.preauth_sha512,
5571 sizeof(session->smb2_channel.preauth_sha512));
5573 d = &derivation.signing;
5574 d->label = data_blob_string_const_null("SMBSigningKey");
5577 d = &derivation.encryption;
5578 d->label = data_blob_string_const_null("SMBC2SCipherKey");
5581 d = &derivation.decryption;
5582 d->label = data_blob_string_const_null("SMBS2CCipherKey");
5585 d = &derivation.application;
5586 d->label = data_blob_string_const_null("SMBAppKey");
5589 } else if (conn->protocol >= PROTOCOL_SMB2_24) {
5590 struct _derivation *d;
5592 d = &derivation.signing;
5593 d->label = data_blob_string_const_null("SMB2AESCMAC");
5594 d->context = data_blob_string_const_null("SmbSign");
5596 d = &derivation.encryption;
5597 d->label = data_blob_string_const_null("SMB2AESCCM");
5598 d->context = data_blob_string_const_null("ServerIn ");
5600 d = &derivation.decryption;
5601 d->label = data_blob_string_const_null("SMB2AESCCM");
5602 d->context = data_blob_string_const_null("ServerOut");
5604 d = &derivation.application;
5605 d->label = data_blob_string_const_null("SMB2APP");
5606 d->context = data_blob_string_const_null("SmbRpc");
5609 ZERO_STRUCT(session_key);
5610 memcpy(session_key, _session_key.data,
5611 MIN(_session_key.length, sizeof(session_key)));
5613 session->smb2->signing_key = data_blob_talloc(session,
5615 sizeof(session_key));
5616 if (session->smb2->signing_key.data == NULL) {
5617 ZERO_STRUCT(session_key);
5618 return NT_STATUS_NO_MEMORY;
5621 if (conn->protocol >= PROTOCOL_SMB2_24) {
5622 struct _derivation *d = &derivation.signing;
5624 smb2_key_derivation(session_key, sizeof(session_key),
5625 d->label.data, d->label.length,
5626 d->context.data, d->context.length,
5627 session->smb2->signing_key.data);
5630 session->smb2->encryption_key = data_blob_dup_talloc(session,
5631 session->smb2->signing_key);
5632 if (session->smb2->encryption_key.data == NULL) {
5633 ZERO_STRUCT(session_key);
5634 return NT_STATUS_NO_MEMORY;
5637 if (conn->protocol >= PROTOCOL_SMB2_24) {
5638 struct _derivation *d = &derivation.encryption;
5640 smb2_key_derivation(session_key, sizeof(session_key),
5641 d->label.data, d->label.length,
5642 d->context.data, d->context.length,
5643 session->smb2->encryption_key.data);
5646 session->smb2->decryption_key = data_blob_dup_talloc(session,
5647 session->smb2->signing_key);
5648 if (session->smb2->decryption_key.data == NULL) {
5649 ZERO_STRUCT(session_key);
5650 return NT_STATUS_NO_MEMORY;
5653 if (conn->protocol >= PROTOCOL_SMB2_24) {
5654 struct _derivation *d = &derivation.decryption;
5656 smb2_key_derivation(session_key, sizeof(session_key),
5657 d->label.data, d->label.length,
5658 d->context.data, d->context.length,
5659 session->smb2->decryption_key.data);
5662 session->smb2->application_key = data_blob_dup_talloc(session,
5663 session->smb2->signing_key);
5664 if (session->smb2->application_key.data == NULL) {
5665 ZERO_STRUCT(session_key);
5666 return NT_STATUS_NO_MEMORY;
5669 if (conn->protocol >= PROTOCOL_SMB2_24) {
5670 struct _derivation *d = &derivation.application;
5672 smb2_key_derivation(session_key, sizeof(session_key),
5673 d->label.data, d->label.length,
5674 d->context.data, d->context.length,
5675 session->smb2->application_key.data);
5677 ZERO_STRUCT(session_key);
5679 session->smb2_channel.signing_key = data_blob_dup_talloc(session,
5680 session->smb2->signing_key);
5681 if (session->smb2_channel.signing_key.data == NULL) {
5682 return NT_STATUS_NO_MEMORY;
5685 check_signature = conn->mandatory_signing;
5687 hdr_flags = IVAL(recv_iov[0].iov_base, SMB2_HDR_FLAGS);
5688 if (hdr_flags & SMB2_HDR_FLAG_SIGNED) {
5690 * Sadly some vendors don't sign the
5691 * final SMB2 session setup response
5693 * At least Windows and Samba are always doing this
5694 * if there's a session key available.
5696 * We only check the signature if it's mandatory
5697 * or SMB2_HDR_FLAG_SIGNED is provided.
5699 check_signature = true;
5702 if (conn->protocol >= PROTOCOL_SMB3_10) {
5703 check_signature = true;
5706 if (check_signature) {
5707 status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
5708 session->conn->protocol,
5710 if (!NT_STATUS_IS_OK(status)) {
5715 session->smb2->should_sign = false;
5716 session->smb2->should_encrypt = false;
5718 if (conn->desire_signing) {
5719 session->smb2->should_sign = true;
5722 if (conn->smb2.server.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) {
5723 session->smb2->should_sign = true;
5726 if (session->smb2->session_flags & SMB2_SESSION_FLAG_ENCRYPT_DATA) {
5727 session->smb2->should_encrypt = true;
5730 if (conn->protocol < PROTOCOL_SMB2_24) {
5731 session->smb2->should_encrypt = false;
5734 if (conn->smb2.server.cipher == 0) {
5735 session->smb2->should_encrypt = false;
5739 * CCM and GCM algorithms must never have their
5740 * nonce wrap, or the security of the whole
5741 * communication and the keys is destroyed.
5742 * We must drop the connection once we have
5743 * transfered too much data.
5745 * NOTE: We assume nonces greater than 8 bytes.
5747 generate_random_buffer((uint8_t *)&session->smb2->nonce_high_random,
5748 sizeof(session->smb2->nonce_high_random));
5749 switch (conn->smb2.server.cipher) {
5750 case SMB2_ENCRYPTION_AES128_CCM:
5751 nonce_size = AES_CCM_128_NONCE_SIZE;
5753 case SMB2_ENCRYPTION_AES128_GCM:
5754 nonce_size = AES_GCM_128_IV_SIZE;
5760 session->smb2->nonce_high_max = SMB2_NONCE_HIGH_MAX(nonce_size);
5761 session->smb2->nonce_high = 0;
5762 session->smb2->nonce_low = 0;
5764 return NT_STATUS_OK;
5767 NTSTATUS smb2cli_session_create_channel(TALLOC_CTX *mem_ctx,
5768 struct smbXcli_session *session1,
5769 struct smbXcli_conn *conn,
5770 struct smbXcli_session **_session2)
5772 struct smbXcli_session *session2;
5774 if (session1->smb2->signing_key.length == 0) {
5775 return NT_STATUS_INVALID_PARAMETER_MIX;
5779 return NT_STATUS_INVALID_PARAMETER_MIX;
5782 session2 = talloc_zero(mem_ctx, struct smbXcli_session);
5783 if (session2 == NULL) {
5784 return NT_STATUS_NO_MEMORY;
5786 session2->smb2 = talloc_reference(session2, session1->smb2);
5787 if (session2->smb2 == NULL) {
5788 talloc_free(session2);
5789 return NT_STATUS_NO_MEMORY;
5792 talloc_set_destructor(session2, smbXcli_session_destructor);
5793 DLIST_ADD_END(conn->sessions, session2, struct smbXcli_session *);
5794 session2->conn = conn;
5796 memcpy(session2->smb2_channel.preauth_sha512,
5797 conn->smb2.preauth_sha512,
5798 sizeof(session2->smb2_channel.preauth_sha512));
5800 *_session2 = session2;
5801 return NT_STATUS_OK;
5804 NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
5805 const DATA_BLOB _channel_key,
5806 const struct iovec *recv_iov)
5808 struct smbXcli_conn *conn = session->conn;
5809 uint8_t channel_key[16];
5811 struct _derivation {
5816 struct _derivation signing;
5820 return NT_STATUS_INVALID_PARAMETER_MIX;
5823 if (session->smb2_channel.signing_key.length != 0) {
5824 return NT_STATUS_INVALID_PARAMETER_MIX;
5827 if (conn->protocol >= PROTOCOL_SMB3_10) {
5828 struct _derivation *d;
5831 p = data_blob_const(session->smb2_channel.preauth_sha512,
5832 sizeof(session->smb2_channel.preauth_sha512));
5834 d = &derivation.signing;
5835 d->label = data_blob_string_const_null("SMBSigningKey");
5837 } else if (conn->protocol >= PROTOCOL_SMB2_24) {
5838 struct _derivation *d;
5840 d = &derivation.signing;
5841 d->label = data_blob_string_const_null("SMB2AESCMAC");
5842 d->context = data_blob_string_const_null("SmbSign");
5845 ZERO_STRUCT(channel_key);
5846 memcpy(channel_key, _channel_key.data,
5847 MIN(_channel_key.length, sizeof(channel_key)));
5849 session->smb2_channel.signing_key = data_blob_talloc(session,
5851 sizeof(channel_key));
5852 if (session->smb2_channel.signing_key.data == NULL) {
5853 ZERO_STRUCT(channel_key);
5854 return NT_STATUS_NO_MEMORY;
5857 if (conn->protocol >= PROTOCOL_SMB2_24) {
5858 struct _derivation *d = &derivation.signing;
5860 smb2_key_derivation(channel_key, sizeof(channel_key),
5861 d->label.data, d->label.length,
5862 d->context.data, d->context.length,
5863 session->smb2_channel.signing_key.data);
5865 ZERO_STRUCT(channel_key);
5867 status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
5868 session->conn->protocol,
5870 if (!NT_STATUS_IS_OK(status)) {
5874 return NT_STATUS_OK;
5877 NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
5879 if (session->smb2->should_encrypt) {
5880 return NT_STATUS_OK;
5883 if (session->conn->protocol < PROTOCOL_SMB2_24) {
5884 return NT_STATUS_NOT_SUPPORTED;
5887 if (session->conn->smb2.server.cipher == 0) {
5888 return NT_STATUS_NOT_SUPPORTED;
5891 if (session->smb2->signing_key.data == NULL) {
5892 return NT_STATUS_NOT_SUPPORTED;
5894 session->smb2->should_encrypt = true;
5895 return NT_STATUS_OK;
5898 struct smbXcli_tcon *smbXcli_tcon_create(TALLOC_CTX *mem_ctx)
5900 struct smbXcli_tcon *tcon;
5902 tcon = talloc_zero(mem_ctx, struct smbXcli_tcon);
5910 void smbXcli_tcon_set_fs_attributes(struct smbXcli_tcon *tcon,
5911 uint32_t fs_attributes)
5913 tcon->fs_attributes = fs_attributes;
5916 uint32_t smbXcli_tcon_get_fs_attributes(struct smbXcli_tcon *tcon)
5918 return tcon->fs_attributes;
5921 bool smbXcli_tcon_is_dfs_share(struct smbXcli_tcon *tcon)
5927 if (tcon->is_smb1) {
5928 if (tcon->smb1.optional_support & SMB_SHARE_IN_DFS) {
5935 if (tcon->smb2.capabilities & SMB2_SHARE_CAP_DFS) {
5942 uint16_t smb1cli_tcon_current_id(struct smbXcli_tcon *tcon)
5944 return tcon->smb1.tcon_id;
5947 void smb1cli_tcon_set_id(struct smbXcli_tcon *tcon, uint16_t tcon_id)
5949 tcon->is_smb1 = true;
5950 tcon->smb1.tcon_id = tcon_id;
5953 bool smb1cli_tcon_set_values(struct smbXcli_tcon *tcon,
5955 uint16_t optional_support,
5956 uint32_t maximal_access,
5957 uint32_t guest_maximal_access,
5958 const char *service,
5959 const char *fs_type)
5961 tcon->is_smb1 = true;
5962 tcon->fs_attributes = 0;
5963 tcon->smb1.tcon_id = tcon_id;
5964 tcon->smb1.optional_support = optional_support;
5965 tcon->smb1.maximal_access = maximal_access;
5966 tcon->smb1.guest_maximal_access = guest_maximal_access;
5968 TALLOC_FREE(tcon->smb1.service);
5969 tcon->smb1.service = talloc_strdup(tcon, service);
5970 if (service != NULL && tcon->smb1.service == NULL) {
5974 TALLOC_FREE(tcon->smb1.fs_type);
5975 tcon->smb1.fs_type = talloc_strdup(tcon, fs_type);
5976 if (fs_type != NULL && tcon->smb1.fs_type == NULL) {
5983 uint32_t smb2cli_tcon_current_id(struct smbXcli_tcon *tcon)
5985 return tcon->smb2.tcon_id;
5988 uint32_t smb2cli_tcon_capabilities(struct smbXcli_tcon *tcon)
5990 return tcon->smb2.capabilities;
5993 uint32_t smb2cli_tcon_flags(struct smbXcli_tcon *tcon)
5995 return tcon->smb2.flags;
5998 void smb2cli_tcon_set_values(struct smbXcli_tcon *tcon,
5999 struct smbXcli_session *session,
6003 uint32_t capabilities,
6004 uint32_t maximal_access)
6006 tcon->is_smb1 = false;
6007 tcon->fs_attributes = 0;
6008 tcon->smb2.tcon_id = tcon_id;
6009 tcon->smb2.type = type;
6010 tcon->smb2.flags = flags;
6011 tcon->smb2.capabilities = capabilities;
6012 tcon->smb2.maximal_access = maximal_access;
6014 tcon->smb2.should_sign = false;
6015 tcon->smb2.should_encrypt = false;
6017 if (session == NULL) {
6021 tcon->smb2.should_sign = session->smb2->should_sign;
6022 tcon->smb2.should_encrypt = session->smb2->should_encrypt;
6024 if (flags & SMB2_SHAREFLAG_ENCRYPT_DATA) {
6025 tcon->smb2.should_encrypt = true;
6029 void smb2cli_tcon_should_sign(struct smbXcli_tcon *tcon,
6032 tcon->smb2.should_sign = should_sign;
6035 bool smb2cli_tcon_is_signing_on(struct smbXcli_tcon *tcon)
6037 if (tcon->smb2.should_encrypt) {
6041 return tcon->smb2.should_sign;
6044 void smb2cli_tcon_should_encrypt(struct smbXcli_tcon *tcon,
6045 bool should_encrypt)
6047 tcon->smb2.should_encrypt = should_encrypt;
6050 bool smb2cli_tcon_is_encryption_on(struct smbXcli_tcon *tcon)
6052 return tcon->smb2.should_encrypt;