2 Unix SMB/CIFS implementation.
5 Copyright (C) Stefan Metzmacher 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../libcli/smb/smb2_negotiate_context.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "../librpc/ndr/libndr.h"
28 #include "../libcli/smb/smb_signing.h"
30 extern fstring remote_proto;
33 * this is the entry point if SMB2 is selected via
34 * the SMB negprot and the given dialect.
36 static void reply_smb20xx(struct smb_request *req, uint16_t dialect)
42 size_t len = SMB2_HDR_BODY + 0x24 + 2;
44 smb2_inpdu = talloc_zero_array(talloc_tos(), uint8_t, len);
45 if (smb2_inpdu == NULL) {
46 DEBUG(0, ("Could not push spnego blob\n"));
47 reply_nterror(req, NT_STATUS_NO_MEMORY);
50 smb2_hdr = smb2_inpdu;
51 smb2_body = smb2_hdr + SMB2_HDR_BODY;
52 smb2_dyn = smb2_body + 0x24;
54 SIVAL(smb2_hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
55 SIVAL(smb2_hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
57 SSVAL(smb2_body, 0x00, 0x0024); /* struct size */
58 SSVAL(smb2_body, 0x02, 0x0001); /* dialect count */
60 SSVAL(smb2_dyn, 0x00, dialect);
64 smbd_smb2_process_negprot(req->xconn, 0, smb2_inpdu, len);
69 * this is the entry point if SMB2 is selected via
70 * the SMB negprot and the "SMB 2.002" dialect.
72 void reply_smb2002(struct smb_request *req, uint16_t choice)
74 reply_smb20xx(req, SMB2_DIALECT_REVISION_202);
78 * this is the entry point if SMB2 is selected via
79 * the SMB negprot and the "SMB 2.???" dialect.
81 void reply_smb20ff(struct smb_request *req, uint16_t choice)
83 struct smbXsrv_connection *xconn = req->xconn;
84 xconn->smb2.allow_2ff = true;
85 reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF);
88 enum protocol_types smbd_smb2_protocol_dialect_match(const uint8_t *indyn,
89 const int dialect_count,
93 enum protocol_types proto;
96 { PROTOCOL_SMB3_11, SMB3_DIALECT_REVISION_311 },
97 { PROTOCOL_SMB3_10, SMB3_DIALECT_REVISION_310 },
98 { PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302 },
99 { PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300 },
100 { PROTOCOL_SMB2_24, SMB2_DIALECT_REVISION_224 },
101 { PROTOCOL_SMB2_22, SMB2_DIALECT_REVISION_222 },
102 { PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210 },
103 { PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202 },
107 for (i = 0; i < ARRAY_SIZE(pd); i ++) {
110 if (lp_server_max_protocol() < pd[i].proto) {
113 if (lp_server_min_protocol() > pd[i].proto) {
117 for (c = 0; c < dialect_count; c++) {
118 *dialect = SVAL(indyn, c*2);
119 if (*dialect == pd[i].dialect) {
125 return PROTOCOL_NONE;
128 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
130 struct smbXsrv_connection *xconn = req->xconn;
131 struct smbXsrv_client_global0 *global0 = NULL;
133 const uint8_t *inbody;
134 const uint8_t *indyn = NULL;
137 DATA_BLOB negprot_spnego_blob;
138 uint16_t security_offset;
139 DATA_BLOB security_buffer;
140 size_t expected_dyn_size = 0;
142 uint16_t security_mode;
143 uint16_t dialect_count;
144 uint16_t in_security_mode;
145 uint32_t in_capabilities;
146 DATA_BLOB in_guid_blob;
148 struct smb2_negotiate_contexts in_c = { .num_contexts = 0, };
149 struct smb2_negotiate_context *in_preauth = NULL;
150 struct smb2_negotiate_context *in_cipher = NULL;
151 struct smb2_negotiate_contexts out_c = { .num_contexts = 0, };
152 DATA_BLOB out_negotiate_context_blob = data_blob_null;
153 uint32_t out_negotiate_context_offset = 0;
154 uint16_t out_negotiate_context_count = 0;
155 uint16_t dialect = 0;
156 uint32_t capabilities;
157 DATA_BLOB out_guid_blob;
158 struct GUID out_guid;
159 enum protocol_types protocol = PROTOCOL_NONE;
161 uint32_t max_trans = lp_smb2_max_trans();
162 uint32_t max_read = lp_smb2_max_read();
163 uint32_t max_write = lp_smb2_max_write();
164 NTTIME now = timeval_to_nttime(&req->request_time);
165 bool signing_required = true;
168 status = smbd_smb2_request_verify_sizes(req, 0x24);
169 if (!NT_STATUS_IS_OK(status)) {
170 return smbd_smb2_request_error(req, status);
172 inbody = SMBD_SMB2_IN_BODY_PTR(req);
174 dialect_count = SVAL(inbody, 0x02);
176 in_security_mode = SVAL(inbody, 0x04);
177 in_capabilities = IVAL(inbody, 0x08);
178 in_guid_blob = data_blob_const(inbody + 0x0C, 16);
180 if (dialect_count == 0) {
181 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
184 status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
185 if (!NT_STATUS_IS_OK(status)) {
186 return smbd_smb2_request_error(req, status);
189 expected_dyn_size = dialect_count * 2;
190 if (SMBD_SMB2_IN_DYN_LEN(req) < expected_dyn_size) {
191 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
193 indyn = SMBD_SMB2_IN_DYN_PTR(req);
195 protocol = smbd_smb2_protocol_dialect_match(indyn,
199 for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
200 if (lp_server_max_protocol() < PROTOCOL_SMB2_10) {
204 dialect = SVAL(indyn, c*2);
205 if (dialect == SMB2_DIALECT_REVISION_2FF) {
206 if (xconn->smb2.allow_2ff) {
207 xconn->smb2.allow_2ff = false;
208 protocol = PROTOCOL_SMB2_10;
214 if (protocol == PROTOCOL_NONE) {
215 return smbd_smb2_request_error(req, NT_STATUS_NOT_SUPPORTED);
218 if (protocol >= PROTOCOL_SMB3_10) {
219 uint32_t in_negotiate_context_offset = 0;
220 uint16_t in_negotiate_context_count = 0;
221 DATA_BLOB in_negotiate_context_blob = data_blob_null;
224 in_negotiate_context_offset = IVAL(inbody, 0x1C);
225 in_negotiate_context_count = SVAL(inbody, 0x20);
228 ofs += SMBD_SMB2_IN_BODY_LEN(req);
229 ofs += expected_dyn_size;
230 if ((ofs % 8) != 0) {
231 ofs += 8 - (ofs % 8);
234 if (in_negotiate_context_offset != ofs) {
235 return smbd_smb2_request_error(req,
236 NT_STATUS_INVALID_PARAMETER);
239 ofs -= SMB2_HDR_BODY;
240 ofs -= SMBD_SMB2_IN_BODY_LEN(req);
242 if (SMBD_SMB2_IN_DYN_LEN(req) < ofs) {
243 return smbd_smb2_request_error(req,
244 NT_STATUS_INVALID_PARAMETER);
247 in_negotiate_context_blob = data_blob_const(indyn,
248 SMBD_SMB2_IN_DYN_LEN(req));
250 in_negotiate_context_blob.data += ofs;
251 in_negotiate_context_blob.length -= ofs;
253 status = smb2_negotiate_context_parse(req,
254 in_negotiate_context_blob, &in_c);
255 if (!NT_STATUS_IS_OK(status)) {
256 return smbd_smb2_request_error(req, status);
259 if (in_negotiate_context_count != in_c.num_contexts) {
260 return smbd_smb2_request_error(req,
261 NT_STATUS_INVALID_PARAMETER);
265 if ((dialect != SMB2_DIALECT_REVISION_2FF) &&
266 (protocol >= PROTOCOL_SMB2_10) &&
267 !GUID_all_zero(&in_guid))
269 ok = remote_arch_cache_update(&in_guid);
271 return smbd_smb2_request_error(
272 req, NT_STATUS_UNSUCCESSFUL);
276 switch (get_remote_arch()) {
283 set_remote_arch(RA_VISTA);
287 fstr_sprintf(remote_proto, "SMB%X_%02X",
288 (dialect >> 8) & 0xFF, dialect & 0xFF);
290 reload_services(req->sconn, conn_snum_used, true);
291 DEBUG(3,("Selected protocol %s\n", remote_proto));
293 in_preauth = smb2_negotiate_context_find(&in_c,
294 SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
295 if (protocol >= PROTOCOL_SMB3_10 && in_preauth == NULL) {
296 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
298 in_cipher = smb2_negotiate_context_find(&in_c,
299 SMB2_ENCRYPTION_CAPABILITIES);
301 /* negprot_spnego() returns a the server guid in the first 16 bytes */
302 negprot_spnego_blob = negprot_spnego(req, xconn);
303 if (negprot_spnego_blob.data == NULL) {
304 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
307 if (negprot_spnego_blob.length < 16) {
308 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
311 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
313 * We use xconn->smb1.signing_state as that's already present
314 * and used lpcfg_server_signing_allowed() to get the correct
315 * defaults, e.g. signing_required for an ad_dc.
317 signing_required = smb_signing_is_mandatory(xconn->smb1.signing_state);
318 if (signing_required) {
319 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
323 if (lp_host_msdfs()) {
324 capabilities |= SMB2_CAP_DFS;
327 if (protocol >= PROTOCOL_SMB2_10 &&
329 lp_oplocks(GLOBAL_SECTION_SNUM) &&
330 !lp_kernel_oplocks(GLOBAL_SECTION_SNUM))
332 capabilities |= SMB2_CAP_LEASING;
335 if ((protocol >= PROTOCOL_SMB2_24) &&
336 (lp_smb_encrypt(-1) != SMB_SIGNING_OFF) &&
337 (in_capabilities & SMB2_CAP_ENCRYPTION)) {
338 capabilities |= SMB2_CAP_ENCRYPTION;
342 * 0x10000 (65536) is the maximum allowed message size
347 if (protocol >= PROTOCOL_SMB2_10) {
350 if (tsocket_address_is_inet(req->sconn->local_address, "ip")) {
351 p = tsocket_address_inet_port(req->sconn->local_address);
354 /* largeMTU is not supported over NBT (tcp port 139) */
355 if (p != NBT_SMB_PORT) {
356 capabilities |= SMB2_CAP_LARGE_MTU;
357 xconn->smb2.credits.multicredit = true;
360 * We allow up to almost 16MB.
362 * The maximum PDU size is 0xFFFFFF (16776960)
363 * and we need some space for the header.
365 max_limit = 0xFFFF00;
370 * the defaults are 8MB, but we'll limit this to max_limit based on
371 * the dialect (64kb for SMB 2.0, 8MB for SMB >= 2.1 with LargeMTU)
373 * user configured values exceeding the limits will be overwritten,
374 * only smaller values will be accepted
377 max_trans = MIN(max_limit, lp_smb2_max_trans());
378 max_read = MIN(max_limit, lp_smb2_max_read());
379 max_write = MIN(max_limit, lp_smb2_max_write());
381 if (in_preauth != NULL) {
384 uint16_t salt_length;
385 uint16_t selected_preauth = 0;
391 if (in_preauth->data.length < needed) {
392 return smbd_smb2_request_error(req,
393 NT_STATUS_INVALID_PARAMETER);
396 hash_count = SVAL(in_preauth->data.data, 0);
397 salt_length = SVAL(in_preauth->data.data, 2);
399 if (hash_count == 0) {
400 return smbd_smb2_request_error(req,
401 NT_STATUS_INVALID_PARAMETER);
404 p = in_preauth->data.data + needed;
405 needed += hash_count * 2;
406 needed += salt_length;
408 if (in_preauth->data.length < needed) {
409 return smbd_smb2_request_error(req,
410 NT_STATUS_INVALID_PARAMETER);
413 for (i=0; i < hash_count; i++) {
419 if (v == SMB2_PREAUTH_INTEGRITY_SHA512) {
420 selected_preauth = v;
425 if (selected_preauth == 0) {
426 return smbd_smb2_request_error(req,
427 NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP);
430 SSVAL(buf, 0, 1); /* HashAlgorithmCount */
431 SSVAL(buf, 2, 32); /* SaltLength */
432 SSVAL(buf, 4, selected_preauth);
433 generate_random_buffer(buf + 6, 32);
435 b = data_blob_const(buf, sizeof(buf));
436 status = smb2_negotiate_context_add(req, &out_c,
437 SMB2_PREAUTH_INTEGRITY_CAPABILITIES, b);
438 if (!NT_STATUS_IS_OK(status)) {
439 return smbd_smb2_request_error(req, status);
442 req->preauth = &req->xconn->smb2.preauth;
445 if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) {
447 uint16_t cipher_count;
452 bool aes_128_ccm_supported = false;
453 bool aes_128_gcm_supported = false;
455 capabilities &= ~SMB2_CAP_ENCRYPTION;
457 if (in_cipher->data.length < needed) {
458 return smbd_smb2_request_error(req,
459 NT_STATUS_INVALID_PARAMETER);
462 cipher_count = SVAL(in_cipher->data.data, 0);
464 if (cipher_count == 0) {
465 return smbd_smb2_request_error(req,
466 NT_STATUS_INVALID_PARAMETER);
469 p = in_cipher->data.data + needed;
470 needed += cipher_count * 2;
472 if (in_cipher->data.length < needed) {
473 return smbd_smb2_request_error(req,
474 NT_STATUS_INVALID_PARAMETER);
477 for (i=0; i < cipher_count; i++) {
483 if (v == SMB2_ENCRYPTION_AES128_GCM) {
484 aes_128_gcm_supported = true;
486 if (v == SMB2_ENCRYPTION_AES128_CCM) {
487 aes_128_ccm_supported = true;
492 * For now we preferr CCM because our implementation
493 * is faster than GCM, see bug #11451.
495 if (aes_128_ccm_supported) {
496 xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
497 } else if (aes_128_gcm_supported) {
498 xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_GCM;
501 SSVAL(buf, 0, 1); /* ChiperCount */
502 SSVAL(buf, 2, xconn->smb2.server.cipher);
504 b = data_blob_const(buf, sizeof(buf));
505 status = smb2_negotiate_context_add(req, &out_c,
506 SMB2_ENCRYPTION_CAPABILITIES, b);
507 if (!NT_STATUS_IS_OK(status)) {
508 return smbd_smb2_request_error(req, status);
512 if (capabilities & SMB2_CAP_ENCRYPTION) {
513 xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
516 if (protocol >= PROTOCOL_SMB2_22 &&
517 xconn->client->server_multi_channel_enabled)
519 if (in_capabilities & SMB2_CAP_MULTI_CHANNEL) {
520 capabilities |= SMB2_CAP_MULTI_CHANNEL;
524 security_offset = SMB2_HDR_BODY + 0x40;
527 /* Try SPNEGO auth... */
528 security_buffer = data_blob_const(negprot_spnego_blob.data + 16,
529 negprot_spnego_blob.length - 16);
531 /* for now we want raw NTLMSSP */
532 security_buffer = data_blob_const(NULL, 0);
535 if (out_c.num_contexts != 0) {
536 status = smb2_negotiate_context_push(req,
537 &out_negotiate_context_blob,
539 if (!NT_STATUS_IS_OK(status)) {
540 return smbd_smb2_request_error(req, status);
544 if (out_negotiate_context_blob.length != 0) {
545 static const uint8_t zeros[8];
549 outdyn = data_blob_dup_talloc(req, security_buffer);
550 if (outdyn.length != security_buffer.length) {
551 return smbd_smb2_request_error(req,
552 NT_STATUS_NO_MEMORY);
555 ofs = security_offset + security_buffer.length;
556 if ((ofs % 8) != 0) {
561 ok = data_blob_append(req, &outdyn, zeros, pad);
563 return smbd_smb2_request_error(req,
564 NT_STATUS_NO_MEMORY);
567 ok = data_blob_append(req, &outdyn,
568 out_negotiate_context_blob.data,
569 out_negotiate_context_blob.length);
571 return smbd_smb2_request_error(req,
572 NT_STATUS_NO_MEMORY);
575 out_negotiate_context_offset = ofs;
576 out_negotiate_context_count = out_c.num_contexts;
578 outdyn = security_buffer;
581 out_guid_blob = data_blob_const(negprot_spnego_blob.data, 16);
582 status = GUID_from_ndr_blob(&out_guid_blob, &out_guid);
583 if (!NT_STATUS_IS_OK(status)) {
584 return smbd_smb2_request_error(req, status);
587 outbody = smbd_smb2_generate_outbody(req, 0x40);
588 if (outbody.data == NULL) {
589 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
592 SSVAL(outbody.data, 0x00, 0x40 + 1); /* struct size */
593 SSVAL(outbody.data, 0x02,
594 security_mode); /* security mode */
595 SSVAL(outbody.data, 0x04, dialect); /* dialect revision */
596 SSVAL(outbody.data, 0x06,
597 out_negotiate_context_count); /* reserved/NegotiateContextCount */
598 memcpy(outbody.data + 0x08,
599 out_guid_blob.data, 16); /* server guid */
600 SIVAL(outbody.data, 0x18,
601 capabilities); /* capabilities */
602 SIVAL(outbody.data, 0x1C, max_trans); /* max transact size */
603 SIVAL(outbody.data, 0x20, max_read); /* max read size */
604 SIVAL(outbody.data, 0x24, max_write); /* max write size */
605 SBVAL(outbody.data, 0x28, now); /* system time */
606 SBVAL(outbody.data, 0x30, 0); /* server start time */
607 SSVAL(outbody.data, 0x38,
608 security_offset); /* security buffer offset */
609 SSVAL(outbody.data, 0x3A,
610 security_buffer.length); /* security buffer length */
611 SIVAL(outbody.data, 0x3C,
612 out_negotiate_context_offset); /* reserved/NegotiateContextOffset */
614 req->sconn->using_smb2 = true;
616 if (dialect == SMB2_DIALECT_REVISION_2FF) {
617 return smbd_smb2_request_done(req, outbody, &outdyn);
620 status = smbXsrv_connection_init_tables(xconn, protocol);
621 if (!NT_STATUS_IS_OK(status)) {
622 return smbd_smb2_request_error(req, status);
625 xconn->smb2.client.capabilities = in_capabilities;
626 xconn->smb2.client.security_mode = in_security_mode;
627 xconn->smb2.client.guid = in_guid;
628 xconn->smb2.client.num_dialects = dialect_count;
629 xconn->smb2.client.dialects = talloc_array(xconn,
632 if (xconn->smb2.client.dialects == NULL) {
633 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
635 for (c=0; c < dialect_count; c++) {
636 xconn->smb2.client.dialects[c] = SVAL(indyn, c*2);
639 xconn->smb2.server.capabilities = capabilities;
640 xconn->smb2.server.security_mode = security_mode;
641 xconn->smb2.server.guid = out_guid;
642 xconn->smb2.server.dialect = dialect;
643 xconn->smb2.server.max_trans = max_trans;
644 xconn->smb2.server.max_read = max_read;
645 xconn->smb2.server.max_write = max_write;
647 if (xconn->protocol < PROTOCOL_SMB2_10) {
649 * SMB2_02 doesn't support client guids
651 return smbd_smb2_request_done(req, outbody, &outdyn);
654 if (!xconn->client->server_multi_channel_enabled) {
656 * Only deal with the client guid database
657 * if multi-channel is enabled.
659 return smbd_smb2_request_done(req, outbody, &outdyn);
662 if (xconn->smb2.client.guid_verified) {
664 * The connection was passed from another
667 return smbd_smb2_request_done(req, outbody, &outdyn);
670 status = smb2srv_client_lookup_global(xconn->client,
671 xconn->smb2.client.guid,
674 * TODO: check for races...
676 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECTID_NOT_FOUND)) {
678 * This stores the new client information in
679 * smbXsrv_client_global.tdb
681 xconn->client->global->client_guid =
682 xconn->smb2.client.guid;
683 status = smbXsrv_client_update(xconn->client);
684 if (!NT_STATUS_IS_OK(status)) {
688 xconn->smb2.client.guid_verified = true;
689 } else if (NT_STATUS_IS_OK(status)) {
690 status = smb2srv_client_connection_pass(req,
692 if (!NT_STATUS_IS_OK(status)) {
693 return smbd_smb2_request_error(req, status);
696 smbd_server_connection_terminate(xconn,
697 "passed connection");
698 return NT_STATUS_OBJECTID_EXISTS;
700 return smbd_smb2_request_error(req, status);
703 return smbd_smb2_request_done(req, outbody, &outdyn);