source3/smbd/smb2_negprot.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Core SMB2 server
   4
   5    Copyright (C) Stefan Metzmacher 2009
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "smbd/smbd.h"
  23 #include "smbd/globals.h"
  24 #include "../libcli/smb/smb_common.h"
  25 #include "../lib/tsocket/tsocket.h"
  26
  27 /*
  28  * this is the entry point if SMB2 is selected via
  29  * the SMB negprot and the given dialect.
  30  */
  31 static void reply_smb20xx(struct smb_request *req, uint16_t dialect)
  32 {
  33         uint8_t *smb2_inbuf;
  34         uint8_t *smb2_hdr;
  35         uint8_t *smb2_body;
  36         uint8_t *smb2_dyn;
  37         size_t len = 4 + SMB2_HDR_BODY + 0x24 + 2;
  38
  39         smb2_inbuf = talloc_zero_array(talloc_tos(), uint8_t, len);
  40         if (smb2_inbuf == NULL) {
  41                 DEBUG(0, ("Could not push spnego blob\n"));
  42                 reply_nterror(req, NT_STATUS_NO_MEMORY);
  43                 return;
  44         }
  45         smb2_hdr = smb2_inbuf + 4;
  46         smb2_body = smb2_hdr + SMB2_HDR_BODY;
  47         smb2_dyn = smb2_body + 0x24;
  48
  49         SIVAL(smb2_hdr, SMB2_HDR_PROTOCOL_ID,   SMB2_MAGIC);
  50         SIVAL(smb2_hdr, SMB2_HDR_LENGTH,        SMB2_HDR_BODY);
  51
  52         SSVAL(smb2_body, 0x00, 0x0024); /* struct size */
  53         SSVAL(smb2_body, 0x02, 0x0001); /* dialect count */
  54
  55         SSVAL(smb2_dyn,  0x00, dialect);
  56
  57         req->outbuf = NULL;
  58
  59         smbd_smb2_first_negprot(req->sconn, smb2_inbuf, len);
  60         return;
  61 }
  62
  63 /*
  64  * this is the entry point if SMB2 is selected via
  65  * the SMB negprot and the "SMB 2.002" dialect.
  66  */
  67 void reply_smb2002(struct smb_request *req, uint16_t choice)
  68 {
  69         reply_smb20xx(req, SMB2_DIALECT_REVISION_202);
  70 }
  71
  72 /*
  73  * this is the entry point if SMB2 is selected via
  74  * the SMB negprot and the "SMB 2.???" dialect.
  75  */
  76 void reply_smb20ff(struct smb_request *req, uint16_t choice)
  77 {
  78         req->sconn->smb2.negprot_2ff = true;
  79         reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF);
  80 }
  81
  82 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
  83 {
  84         NTSTATUS status;
  85         const uint8_t *inbody;
  86         const uint8_t *indyn = NULL;
  87         int i = req->current_idx;
  88         DATA_BLOB outbody;
  89         DATA_BLOB outdyn;
  90         DATA_BLOB negprot_spnego_blob;
  91         uint16_t security_offset;
  92         DATA_BLOB security_buffer;
  93         size_t expected_dyn_size = 0;
  94         size_t c;
  95         uint16_t security_mode;
  96         uint16_t dialect_count;
  97         uint16_t dialect = 0;
  98         uint32_t capabilities;
  99         enum protocol_types protocol = PROTOCOL_NONE;
 100         uint32_t max_limit;
 101         uint32_t max_trans = lp_smb2_max_trans();
 102         uint32_t max_read = lp_smb2_max_read();
 103         uint32_t max_write = lp_smb2_max_write();
 104
 105         status = smbd_smb2_request_verify_sizes(req, 0x24);
 106         if (!NT_STATUS_IS_OK(status)) {
 107                 return smbd_smb2_request_error(req, status);
 108         }
 109         inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 110
 111         dialect_count = SVAL(inbody, 0x02);
 112         if (dialect_count == 0) {
 113                 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 114         }
 115
 116         expected_dyn_size = dialect_count * 2;
 117         if (req->in.vector[i+2].iov_len < expected_dyn_size) {
 118                 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 119         }
 120         indyn = (const uint8_t *)req->in.vector[i+2].iov_base;
 121
 122         for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
 123                 if (lp_srv_maxprotocol() < PROTOCOL_SMB3_00) {
 124                         break;
 125                 }
 126                 if (lp_srv_minprotocol() > PROTOCOL_SMB3_00) {
 127                         break;
 128                 }
 129
 130                 dialect = SVAL(indyn, c*2);
 131                 if (dialect == SMB3_DIALECT_REVISION_300) {
 132                         protocol = PROTOCOL_SMB3_00;
 133                         break;
 134                 }
 135         }
 136
 137         for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
 138                 if (lp_srv_maxprotocol() < PROTOCOL_SMB2_24) {
 139                         break;
 140                 }
 141                 if (lp_srv_minprotocol() > PROTOCOL_SMB2_24) {
 142                         break;
 143                 }
 144
 145                 dialect = SVAL(indyn, c*2);
 146                 if (dialect == SMB2_DIALECT_REVISION_224) {
 147                         protocol = PROTOCOL_SMB2_24;
 148                         break;
 149                 }
 150         }
 151
 152         for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
 153                 if (lp_srv_maxprotocol() < PROTOCOL_SMB2_22) {
 154                         break;
 155                 }
 156                 if (lp_srv_minprotocol() > PROTOCOL_SMB2_22) {
 157                         break;
 158                 }
 159
 160                 dialect = SVAL(indyn, c*2);
 161                 if (dialect == SMB2_DIALECT_REVISION_222) {
 162                         protocol = PROTOCOL_SMB2_22;
 163                         break;
 164                 }
 165         }
 166
 167         for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
 168                 if (lp_srv_maxprotocol() < PROTOCOL_SMB2_10) {
 169                         break;
 170                 }
 171                 if (lp_srv_minprotocol() > PROTOCOL_SMB2_10) {
 172                         break;
 173                 }
 174
 175                 dialect = SVAL(indyn, c*2);
 176                 if (dialect == SMB2_DIALECT_REVISION_210) {
 177                         protocol = PROTOCOL_SMB2_10;
 178                         break;
 179                 }
 180         }
 181
 182         for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
 183                 if (lp_srv_maxprotocol() < PROTOCOL_SMB2_02) {
 184                         break;
 185                 }
 186                 if (lp_srv_minprotocol() > PROTOCOL_SMB2_02) {
 187                         break;
 188                 }
 189
 190                 dialect = SVAL(indyn, c*2);
 191                 if (dialect == SMB2_DIALECT_REVISION_202) {
 192                         protocol = PROTOCOL_SMB2_02;
 193                         break;
 194                 }
 195         }
 196
 197         for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
 198                 if (lp_srv_maxprotocol() < PROTOCOL_SMB2_10) {
 199                         break;
 200                 }
 201
 202                 dialect = SVAL(indyn, c*2);
 203                 if (dialect == SMB2_DIALECT_REVISION_2FF) {
 204                         if (req->sconn->smb2.negprot_2ff) {
 205                                 req->sconn->smb2.negprot_2ff = false;
 206                                 protocol = PROTOCOL_SMB2_10;
 207                                 break;
 208                         }
 209                 }
 210         }
 211
 212         if (protocol == PROTOCOL_NONE) {
 213                 return smbd_smb2_request_error(req, NT_STATUS_NOT_SUPPORTED);
 214         }
 215
 216         if (get_remote_arch() != RA_SAMBA) {
 217                 set_remote_arch(RA_VISTA);
 218         }
 219
 220         /* negprot_spnego() returns a the server guid in the first 16 bytes */
 221         negprot_spnego_blob = negprot_spnego(req, req->sconn);
 222         if (negprot_spnego_blob.data == NULL) {
 223                 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
 224         }
 225
 226         if (negprot_spnego_blob.length < 16) {
 227                 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
 228         }
 229
 230         security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
 231         if (lp_server_signing() == SMB_SIGNING_REQUIRED) {
 232                 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
 233         }
 234
 235         capabilities = 0;
 236         if (lp_host_msdfs()) {
 237                 capabilities |= SMB2_CAP_DFS;
 238         }
 239
 240         /*
 241          * 0x10000 (65536) is the maximum allowed message size
 242          * for SMB 2.0
 243          */
 244         max_limit = 0x10000;
 245
 246         if (protocol >= PROTOCOL_SMB2_10) {
 247                 /* largeMTU is only available on port 445 */
 248                 if (TCP_SMB_PORT ==
 249                     tsocket_address_inet_port(req->sconn->local_address))
 250                 {
 251
 252                         capabilities |= SMB2_CAP_LARGE_MTU;
 253                         req->sconn->smb2.supports_multicredit = true;
 254
 255                         /* SMB2.1 has 1 MB of allowed size */
 256                         max_limit = 0x100000; /* 1MB */
 257                 }
 258         }
 259
 260         /*
 261          * the defaults are 1MB, but we'll limit this to max_limit based on
 262          * the dialect (64kb for SMB2.0, 1MB for SMB2.1 with LargeMTU)
 263          *
 264          * user configured values exceeding the limits will be overwritten,
 265          * only smaller values will be accepted
 266          */
 267
 268         max_trans = MIN(max_limit, lp_smb2_max_trans());
 269         max_read = MIN(max_limit, lp_smb2_max_read());
 270         max_write = MIN(max_limit, lp_smb2_max_write());
 271
 272         security_offset = SMB2_HDR_BODY + 0x40;
 273
 274 #if 1
 275         /* Try SPNEGO auth... */
 276         security_buffer = data_blob_const(negprot_spnego_blob.data + 16,
 277                                           negprot_spnego_blob.length - 16);
 278 #else
 279         /* for now we want raw NTLMSSP */
 280         security_buffer = data_blob_const(NULL, 0);
 281 #endif
 282
 283         outbody = data_blob_talloc(req->out.vector, NULL, 0x40);
 284         if (outbody.data == NULL) {
 285                 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
 286         }
 287
 288         SSVAL(outbody.data, 0x00, 0x40 + 1);    /* struct size */
 289         SSVAL(outbody.data, 0x02,
 290               security_mode);                   /* security mode */
 291         SSVAL(outbody.data, 0x04, dialect);     /* dialect revision */
 292         SSVAL(outbody.data, 0x06, 0);           /* reserved */
 293         memcpy(outbody.data + 0x08,
 294                negprot_spnego_blob.data, 16);   /* server guid */
 295         SIVAL(outbody.data, 0x18,
 296               capabilities);                    /* capabilities */
 297         SIVAL(outbody.data, 0x1C, max_trans);   /* max transact size */
 298         SIVAL(outbody.data, 0x20, max_read);    /* max read size */
 299         SIVAL(outbody.data, 0x24, max_write);   /* max write size */
 300         SBVAL(outbody.data, 0x28, 0);           /* system time */
 301         SBVAL(outbody.data, 0x30, 0);           /* server start time */
 302         SSVAL(outbody.data, 0x38,
 303               security_offset);                 /* security buffer offset */
 304         SSVAL(outbody.data, 0x3A,
 305               security_buffer.length);          /* security buffer length */
 306         SIVAL(outbody.data, 0x3C, 0);           /* reserved */
 307
 308         outdyn = security_buffer;
 309
 310         req->sconn->using_smb2 = true;
 311
 312         if (dialect != SMB2_DIALECT_REVISION_2FF) {
 313                 set_Protocol(protocol);
 314
 315                 req->sconn->smb2.max_trans = max_trans;
 316                 req->sconn->smb2.max_read  = max_read;
 317                 req->sconn->smb2.max_write = max_write;
 318         }
 319
 320         return smbd_smb2_request_done(req, outbody, &outdyn);
 321 }