added server side SMB2 signing
1 /* 
2    Unix SMB2 implementation.
3    
4    Copyright (C) Andrew Tridgell        2005
5    Copyright (C) Stefan Metzmacher      2005
6    
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11    
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16    
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "system/time.h"
23 #include "libcli/smb2/smb2.h"
24 #include "libcli/smb2/smb2_calls.h"
25 #include "smb_server/smb_server.h"
26 #include "smb_server/service_smb_proto.h"
27 #include "smb_server/smb2/smb2_server.h"
28 #include "smbd/service_stream.h"
29 #include "lib/stream/packet.h"
30 #include "ntvfs/ntvfs.h"
31 #include "param/param.h"
32 #include "auth/gensec/gensec.h"
33 #include "auth/auth.h"
34
35
/*
 * Fill in req->in.bufinfo for the generic buffer parsers: strings are
 * unicode, SMB2 alignment rules apply, alignment is relative to the start
 * of the raw packet, and the parsable data region is the dynamic part of
 * the body (empty when the request has no dynamic part).
 */
void smb2srv_setup_bufinfo(struct smb2srv_request *req)
{
	bool has_dynamic = (req->in.dynamic != NULL);

	req->in.bufinfo.mem_ctx    = req;
	req->in.bufinfo.flags      = BUFINFO_FLAG_UNICODE | BUFINFO_FLAG_SMB2;
	req->in.bufinfo.align_base = req->in.buffer;

	/* only the dynamic part is exposed to the parsers */
	req->in.bufinfo.data       = has_dynamic ? req->in.dynamic : NULL;
	req->in.bufinfo.data_size  = has_dynamic ? (req->in.body_size - req->in.body_fixed) : 0;
}
50
/*
 * talloc destructor for an SMB2 request: unlink it from the connection's
 * request list and, if it was queued as a pending (async) request, give
 * its id back to the idtree.
 */
static int smb2srv_request_destructor(struct smb2srv_request *req)
{
	struct smbsrv_connection *conn = req->smb_conn;

	DLIST_REMOVE(conn->requests2.list, req);
	if (req->pending_id != 0) {
		idr_remove(conn->requests2.idtree_req, req->pending_id);
	}
	return 0;
}
59
/*
 * talloc destructor that refuses the free. A talloc destructor returning
 * -1 makes talloc_free() fail, so a request temporarily armed with this
 * destructor survives code paths that would otherwise free it (see
 * smb2srv_queue_pending()).
 */
static int smb2srv_request_deny_destructor(struct smb2srv_request *req)
{
	(void)req;
	return -1;
}
64
/*
 * Allocate a zeroed SMB2 request owned by smb_conn and arm its
 * destructor. Returns NULL on allocation failure.
 */
struct smb2srv_request *smb2srv_init_request(struct smbsrv_connection *smb_conn)
{
	struct smb2srv_request *req = talloc_zero(smb_conn, struct smb2srv_request);

	if (req == NULL) {
		return NULL;
	}

	req->smb_conn = smb_conn;
	talloc_set_destructor(req, smb2srv_request_destructor);

	return req;
}
78
/*
 * Allocate and pre-fill the reply buffer for req.
 *
 * The buffer holds the NBT length prefix, the SMB2 header and a body of
 * body_fixed_size bytes, optionally followed by a dynamic part of
 * body_dynamic_size bytes (at least one byte when present, so that the
 * StructureSize field can flag it with its low bit). Header fields are
 * copied from the incoming request (opcode, session id, and pid/tid
 * unless the request is pending, in which case the pid field carries the
 * pending id and tid is 0) and req->status. The signature field is zeroed
 * here; smb2srv_send_reply() fills it in when the reply has to be signed.
 *
 * Returns NT_STATUS_NO_MEMORY if the buffer cannot be allocated.
 */
NTSTATUS smb2srv_setup_reply(struct smb2srv_request *req, uint16_t body_fixed_size,
			     bool body_dynamic_present, uint32_t body_dynamic_size)
{
	bool is_async = (req->pending_id != 0);
	/* bit 0 is set on every reply, bit 1 marks an async (pending) reply */
	uint32_t flags = is_async ? 0x00000003 : 0x00000001;
	uint32_t pid   = is_async ? req->pending_id : IVAL(req->in.hdr, SMB2_HDR_PID);
	uint32_t tid   = is_async ? 0 : IVAL(req->in.hdr, SMB2_HDR_TID);
	uint32_t dynamic_len;
	uint8_t *hdr;

	if (!body_dynamic_present) {
		dynamic_len = 0;
	} else if (body_dynamic_size == 0) {
		/* a present dynamic part always occupies at least one byte */
		dynamic_len = 1;
	} else {
		dynamic_len = body_dynamic_size;
	}

	req->out.size      = NBT_HDR_SIZE + SMB2_HDR_BODY + body_fixed_size;
	req->out.allocated = req->out.size + dynamic_len;
	req->out.buffer    = talloc_array(req, uint8_t, req->out.allocated);
	NT_STATUS_HAVE_NO_MEMORY(req->out.buffer);

	hdr                 = req->out.buffer + NBT_HDR_SIZE;
	req->out.hdr        = hdr;
	req->out.body       = hdr + SMB2_HDR_BODY;
	req->out.body_fixed = body_fixed_size;
	req->out.body_size  = body_fixed_size;
	req->out.dynamic    = dynamic_len ? (req->out.body + body_fixed_size) : NULL;

	SIVAL(hdr, 0,				SMB2_MAGIC);
	SSVAL(hdr, SMB2_HDR_LENGTH,		SMB2_HDR_BODY);
	SSVAL(hdr, SMB2_HDR_EPOCH,		0);
	SIVAL(hdr, SMB2_HDR_STATUS,		NT_STATUS_V(req->status));
	SSVAL(hdr, SMB2_HDR_OPCODE,		SVAL(req->in.hdr, SMB2_HDR_OPCODE));
	SSVAL(hdr, SMB2_HDR_CREDIT,		0x0001);
	SIVAL(hdr, SMB2_HDR_FLAGS,		flags);
	SIVAL(hdr, SMB2_HDR_NEXT_COMMAND,	0);
	SBVAL(hdr, SMB2_HDR_MESSAGE_ID,		req->seqnum);
	SIVAL(hdr, SMB2_HDR_PID,		pid);
	SIVAL(hdr, SMB2_HDR_TID,		tid);
	SBVAL(hdr, SMB2_HDR_SESSION_ID,		BVAL(req->in.hdr, SMB2_HDR_SESSION_ID));
	/* zero signature; filled in later if the reply is signed */
	memset(hdr + SMB2_HDR_SIGNATURE, 0, 16);

	/* StructureSize: fixed body length, +1 when a dynamic part follows */
	SSVAL(req->out.body, 0, body_fixed_size + (dynamic_len ? 1 : 0));

	/*
	 * the first dynamic byte is always part of the packet, so account
	 * for it in the size and make sure it is initialised
	 */
	if (dynamic_len) {
		req->out.size += 1;
		SCVAL(req->out.dynamic, 0, 0);
	}

	return NT_STATUS_OK;
}
141
142 static NTSTATUS smb2srv_reply(struct smb2srv_request *req);
143
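/*
 * Process the next command of a compound (chained) request.
 *
 * p_req->chain_offset (taken from SMB2_HDR_NEXT_COMMAND in smb2srv_reply())
 * is the offset of the next SMB2 header relative to the first one. A new
 * request is built around that header, taking over the incoming buffer of
 * p_req and carrying over its chained file handle, and is then dispatched
 * through smb2srv_reply() like a stand-alone request.
 *
 * Malformed chain framing terminates the connection; a bad body layout in
 * the chained command is answered with NT_STATUS_INVALID_PARAMETER.
 */
static void smb2srv_chain_reply(struct smb2srv_request *p_req)
{
	NTSTATUS status;
	struct smb2srv_request *req;
	uint32_t chain_offset;
	uint32_t protocol_version;
	uint16_t buffer_code;
	uint32_t dynamic_size;

	chain_offset = p_req->chain_offset;
	p_req->chain_offset = 0;

	/* the chained header plus the minimal body must fit in the buffer */
	if (p_req->in.size < (NBT_HDR_SIZE + chain_offset + SMB2_MIN_SIZE)) {
		DEBUG(2,("Invalid SMB2 chained packet at offset 0x%X\n",
			chain_offset));
		smbsrv_terminate_connection(p_req->smb_conn, "Invalid SMB2 chained packet");
		return;
	}

	protocol_version = IVAL(p_req->in.buffer, NBT_HDR_SIZE + chain_offset);
	if (protocol_version != SMB2_MAGIC) {
		DEBUG(2,("Invalid SMB chained packet: protocol prefix: 0x%08X\n",
			 protocol_version));
		smbsrv_terminate_connection(p_req->smb_conn, "NON-SMB2 chained packet");
		return;
	}

	req = smb2srv_init_request(p_req->smb_conn);
	if (!req) {
		smbsrv_terminate_connection(p_req->smb_conn, "SMB2 chained packet - no memory");
		return;
	}

	/* the new request takes ownership of the whole incoming buffer */
	req->in.buffer		= talloc_steal(req, p_req->in.buffer);
	req->in.size		= p_req->in.size;
	req->request_time	= p_req->request_time;
	req->in.allocated	= req->in.size;

	req->in.hdr		= req->in.buffer+ NBT_HDR_SIZE + chain_offset;
	req->in.body		= req->in.hdr	+ SMB2_HDR_BODY;
	req->in.body_size	= req->in.size	- (NBT_HDR_SIZE+ chain_offset + SMB2_HDR_BODY);
	req->in.dynamic 	= NULL;

	/*
	 * record the message id now, so that an error reply sent below
	 * (before smb2srv_reply() runs) carries the client's id rather than 0
	 */
	req->seqnum		= BVAL(req->in.hdr, SMB2_HDR_MESSAGE_ID);

	/* StructureSize: fixed body length, low bit set if a dynamic part follows */
	buffer_code		= SVAL(req->in.body, 0);
	req->in.body_fixed	= (buffer_code & ~1);

	/*
	 * body_fixed is client controlled; if it exceeds the body we
	 * actually have, the subtraction below would wrap, and a request
	 * with the dynamic bit clear would never reach smb2_oob()
	 */
	if (req->in.body_fixed > req->in.body_size) {
		DEBUG(1,("SMB2 chained request invalid body fixed size 0x%lx (body size 0x%lx)\n",
			 (unsigned long)req->in.body_fixed,
			 (unsigned long)req->in.body_size));
		smb2srv_send_error(req, NT_STATUS_INVALID_PARAMETER);
		return;
	}

	dynamic_size		= req->in.body_size - req->in.body_fixed;

	if (dynamic_size != 0 && (buffer_code & 1)) {
		req->in.dynamic = req->in.body + req->in.body_fixed;
		if (smb2_oob(&req->in, req->in.dynamic, dynamic_size)) {
			DEBUG(1,("SMB2 chained request invalid dynamic size 0x%x\n", 
				 dynamic_size));
			smb2srv_send_error(req, NT_STATUS_INVALID_PARAMETER);
			return;
		}
	}

	smb2srv_setup_bufinfo(req);

	/* carry the chained file handle over from the previous command */
	if (p_req->chained_file_handle) {
		memcpy(req->_chained_file_handle,
		       p_req->_chained_file_handle,
		       sizeof(req->_chained_file_handle));
		req->chained_file_handle = req->_chained_file_handle;
	}

	/*
	 * NOTE(review): p_req is not freed here, and the chain path in
	 * smb2srv_send_reply() returns without freeing it either, so the
	 * parent request appears to stay allocated until the connection is
	 * torn down - confirm, and release it once the data above is copied.
	 *
	 * TODO: - make sure the length field is 64
	 *       - make sure it's a request
	 */

	status = smb2srv_reply(req);
	if (!NT_STATUS_IS_OK(status)) {
		smbsrv_terminate_connection(req->smb_conn, nt_errstr(status));
		talloc_free(req);
		return;
	}
}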
222
/*
 * Finish and transmit the reply held in req->out, then either continue
 * with the next chained command or free the request.
 *
 * The reply is signed when the request belongs to a session and either
 * the connection has signing switched on or the incoming request was
 * itself signed. A signing failure or a send failure terminates the
 * connection. Ownership of req ends here: it is freed, or passed on to
 * smb2srv_chain_reply() as the parent of the next command in the compound.
 */
void smb2srv_send_reply(struct smb2srv_request *req)
{
	struct smbsrv_connection *conn = req->smb_conn;
	bool must_sign;
	NTSTATUS status;
	DATA_BLOB blob;

	/* the socket has been destroyed - no point trying to send a reply! */
	if (conn->connection->event.fde == NULL) {
		talloc_free(req);
		return;
	}

	if (req->out.size > NBT_HDR_SIZE) {
		_smb2_setlen(req->out.buffer, req->out.size - NBT_HDR_SIZE);
	}

	/*
	 * signing is per packet: a signed request always gets a signed reply,
	 * and so does every reply once doing_signing is set. Without a
	 * session there is no key to sign with.
	 */
	must_sign = (req->session != NULL) &&
		    (conn->doing_signing ||
		     (IVAL(req->in.hdr, SMB2_HDR_FLAGS) & SMB2_HDR_FLAG_SIGNED));
	if (must_sign) {
		status = smb2_sign_message(&req->out,
					   req->session->session_info->session_key);
		if (!NT_STATUS_IS_OK(status)) {
			smbsrv_terminate_connection(conn, nt_errstr(status));
			return;
		}
	}

	blob = data_blob_const(req->out.buffer, req->out.size);
	status = packet_send(conn->packet, blob);
	if (!NT_STATUS_IS_OK(status)) {
		smbsrv_terminate_connection(conn, nt_errstr(status));
	}

	/* more commands in the compound: req lives on as their parent */
	if (req->chain_offset) {
		smb2srv_chain_reply(req);
		return;
	}

	talloc_free(req);
}
263
/*
 * Send an SMB2 error response for req carrying the given NT status.
 *
 * The body is the 8 byte fixed error body plus the one byte dynamic
 * part that smb2srv_setup_reply(req, 8, true, 0) produces; the status
 * in the header is overwritten with error and the remaining body fields
 * are cleared. req is consumed (freed or chained) by smb2srv_send_reply().
 */
void smb2srv_send_error(struct smb2srv_request *req, NTSTATUS error)
{
	NTSTATUS status;

	/* the socket has been destroyed - no point trying to send an error! */
	if (req->smb_conn->connection->event.fde == NULL) {
		talloc_free(req);
		return;
	}

	status = smb2srv_setup_reply(req, 8, true, 0);
	if (NT_STATUS_IS_OK(status)) {
		/* the header was built from req->status; replace it with the error */
		SIVAL(req->out.hdr, SMB2_HDR_STATUS, NT_STATUS_V(error));

		/* clear the rest of the error body */
		SSVAL(req->out.body, 0x02, 0);
		SIVAL(req->out.body, 0x04, 0);

		smb2srv_send_reply(req);
		return;
	}

	smbsrv_terminate_connection(req->smb_conn, nt_errstr(status));
	talloc_free(req);
}
288
/*
 * Validate and dispatch one SMB2 command held in req->in.
 *
 * Pulls opcode, next-command offset, message id, tid, session id and
 * flags from the header, resolves the session and tcon, verifies the
 * signature of a signed request against the session key, and calls the
 * per-opcode handler. Handlers are expected to send the reply (or error)
 * and release req themselves, as smb2srv_cancel_recv() does; that is why
 * every branch below returns NT_STATUS_OK - the return value only tells
 * the caller whether dispatching itself failed.
 *
 * Opcodes that need a session or a tcon are answered with
 * NT_STATUS_USER_SESSION_DELETED / NT_STATUS_NETWORK_NAME_DELETED when it
 * is missing; an unknown opcode terminates the connection.
 */
static NTSTATUS smb2srv_reply(struct smb2srv_request *req)
{
	uint16_t opcode;
	uint32_t tid;
	uint64_t uid;
	uint32_t flags;

	opcode			= SVAL(req->in.hdr, SMB2_HDR_OPCODE);
	/* non-zero when more commands follow in this packet, see smb2srv_chain_reply() */
	req->chain_offset	= IVAL(req->in.hdr, SMB2_HDR_NEXT_COMMAND);
	req->seqnum		= BVAL(req->in.hdr, SMB2_HDR_MESSAGE_ID);
	tid			= IVAL(req->in.hdr, SMB2_HDR_TID);
	uid			= BVAL(req->in.hdr, SMB2_HDR_SESSION_ID);
	flags			= IVAL(req->in.hdr, SMB2_HDR_FLAGS);

	/* either may be NULL; the opcode switch below decides whether that is fatal */
	req->session	= smbsrv_session_find(req->smb_conn, uid, req->request_time);
	req->tcon	= smbsrv_smb2_tcon_find(req->session, tid, req->request_time);

	errno = 0;

	/* supporting signing is mandatory in SMB2, and is per-packet. So we 
	   should check the signature on any incoming packet that is signed, and 
	   should give a signed reply to any signed request */
	/*
	 * NOTE(review): only requests carrying SMB2_HDR_FLAG_SIGNED are
	 * verified here. An unsigned request on a connection with
	 * doing_signing set still reaches its handler (only the reply gets
	 * signed, in smb2srv_send_reply()) - confirm whether signing should
	 * be enforced on incoming requests as well. The message id is not
	 * yet checked either (see the TODO below).
	 */
	if (flags & SMB2_HDR_FLAG_SIGNED) {
		NTSTATUS status;
		if (req->session == NULL) {
			/* we can't check signing with no session */
			smb2srv_send_error(req, NT_STATUS_ACCESS_DENIED);
			return NT_STATUS_OK;
		}
		status = smb2_check_signature(&req->in, 
					      req->session->session_info->session_key);
		if (!NT_STATUS_IS_OK(status)) {
			smb2srv_send_error(req, status);
			return NT_STATUS_OK;
		}
	}

	/* TODO: check the seqnum */

	/*
	 * NEGPROT, SESSSETUP, CANCEL and KEEPALIVE need no session;
	 * LOGOFF and TCON need a session; everything else needs a tcon too
	 */
	switch (opcode) {
	case SMB2_OP_NEGPROT:
		smb2srv_negprot_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_SESSSETUP:
		smb2srv_sesssetup_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_LOGOFF:
		if (!req->session) goto nosession;
		smb2srv_logoff_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_TCON:
		if (!req->session) goto nosession;
		smb2srv_tcon_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_TDIS:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_tdis_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_CREATE:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_create_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_CLOSE:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_close_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_FLUSH:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_flush_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_READ:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_read_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_WRITE:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_write_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_LOCK:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_lock_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_IOCTL:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_ioctl_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_CANCEL:
		smb2srv_cancel_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_KEEPALIVE:
		smb2srv_keepalive_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_FIND:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_find_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_NOTIFY:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_notify_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_GETINFO:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_getinfo_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_SETINFO:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_setinfo_recv(req);
		return NT_STATUS_OK;
	case SMB2_OP_BREAK:
		if (!req->session) goto nosession;
		if (!req->tcon) goto notcon;
		smb2srv_break_recv(req);
		return NT_STATUS_OK;
	}

	/* unknown opcode: nothing sensible to reply with, drop the connection */
	DEBUG(1,("Invalid SMB2 opcode: 0x%04X\n", opcode));
	smbsrv_terminate_connection(req->smb_conn, "Invalid SMB2 opcode");
	return NT_STATUS_OK;

nosession:
	smb2srv_send_error(req, NT_STATUS_USER_SESSION_DELETED);
	return NT_STATUS_OK;
notcon:
	smb2srv_send_error(req, NT_STATUS_NETWORK_NAME_DELETED);
	return NT_STATUS_OK;
}
427
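/*
 * Entry point for a complete SMB2 packet received on the connection.
 *
 * blob holds the raw packet including the 4 byte NBT length prefix;
 * ownership of blob.data moves to the request created here. The packet
 * is checked (no special NBT session packets, minimum length, SMB2 magic),
 * the header/body/dynamic layout is worked out and validated, and the
 * request is dispatched through smb2srv_reply(). Malformed framing
 * terminates the connection; a bad body layout is answered with
 * NT_STATUS_INVALID_PARAMETER.
 *
 * Returns NT_STATUS_NO_MEMORY if the request cannot be allocated,
 * otherwise the result of smb2srv_reply().
 */
NTSTATUS smbsrv_recv_smb2_request(void *private, DATA_BLOB blob)
{
	struct smbsrv_connection *smb_conn = talloc_get_type(private, struct smbsrv_connection);
	struct smb2srv_request *req;
	struct timeval cur_time = timeval_current();
	uint32_t protocol_version;
	uint16_t buffer_code;
	uint32_t dynamic_size;

	smb_conn->statistics.last_request_time = cur_time;

	/*
	 * see if its a special NBT packet
	 * NOTE(review): blob.data[0] is read before the length check below,
	 * so this relies on the packet layer never delivering an empty blob
	 * - confirm
	 */
	if (CVAL(blob.data,0) != 0) {
		DEBUG(2,("Special NBT packet on SMB2 connection\n"));
		smbsrv_terminate_connection(smb_conn, "Special NBT packet on SMB2 connection");
		return NT_STATUS_OK;
	}

	/* NBT prefix plus the smallest valid SMB2 header and body */
	if (blob.length < (NBT_HDR_SIZE + SMB2_MIN_SIZE)) {
		DEBUG(2,("Invalid SMB2 packet length count %ld\n", (long)blob.length));
		smbsrv_terminate_connection(smb_conn, "Invalid SMB2 packet");
		return NT_STATUS_OK;
	}

	protocol_version = IVAL(blob.data, NBT_HDR_SIZE);
	if (protocol_version != SMB2_MAGIC) {
		DEBUG(2,("Invalid SMB packet: protocol prefix: 0x%08X\n",
			 protocol_version));
		smbsrv_terminate_connection(smb_conn, "NON-SMB2 packet");
		return NT_STATUS_OK;
	}

	req = smb2srv_init_request(smb_conn);
	NT_STATUS_HAVE_NO_MEMORY(req);

	/* the request takes ownership of the packet buffer */
	req->in.buffer		= talloc_steal(req, blob.data);
	req->in.size		= blob.length;
	req->request_time	= cur_time;
	req->in.allocated	= req->in.size;

	req->in.hdr		= req->in.buffer+ NBT_HDR_SIZE;
	req->in.body		= req->in.hdr	+ SMB2_HDR_BODY;
	req->in.body_size	= req->in.size	- (SMB2_HDR_BODY+NBT_HDR_SIZE);
	req->in.dynamic 	= NULL;

	/*
	 * record the message id now, so that an error reply sent below
	 * (before smb2srv_reply() runs) carries the client's id rather than 0
	 */
	req->seqnum		= BVAL(req->in.hdr, SMB2_HDR_MESSAGE_ID);

	/* StructureSize: fixed body length, low bit set if a dynamic part follows */
	buffer_code		= SVAL(req->in.body, 0);
	req->in.body_fixed	= (buffer_code & ~1);

	/*
	 * body_fixed is client controlled; if it exceeds the body we
	 * actually have, the subtraction below would wrap, and a request
	 * with the dynamic bit clear would never reach smb2_oob()
	 */
	if (req->in.body_fixed > req->in.body_size) {
		DEBUG(1,("SMB2 request invalid body fixed size 0x%lx (body size 0x%lx)\n",
			 (unsigned long)req->in.body_fixed,
			 (unsigned long)req->in.body_size));
		smb2srv_send_error(req, NT_STATUS_INVALID_PARAMETER);
		return NT_STATUS_OK;
	}

	dynamic_size		= req->in.body_size - req->in.body_fixed;

	if (dynamic_size != 0 && (buffer_code & 1)) {
		req->in.dynamic = req->in.body + req->in.body_fixed;
		if (smb2_oob(&req->in, req->in.dynamic, dynamic_size)) {
			DEBUG(1,("SMB2 request invalid dynamic size 0x%x\n", 
				 dynamic_size));
			smb2srv_send_error(req, NT_STATUS_INVALID_PARAMETER);
			return NT_STATUS_OK;
		}
	}

	smb2srv_setup_bufinfo(req);

	/* 
	 * TODO: - make sure the length field is 64
	 *       - make sure it's a request
	 */

	return smb2srv_reply(req);
}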
496
/*
 * Set up the per-connection bookkeeping for pending (async) SMB2
 * requests: the idtree that hands out the ids reported to the client in
 * async replies, the upper bound for those ids, and an empty request list.
 * Returns NT_STATUS_NO_MEMORY if the idtree cannot be allocated.
 */
static NTSTATUS smb2srv_init_pending(struct smbsrv_connection *smb_conn)
{
	smb_conn->requests2.idtree_req = idr_init(smb_conn);
	NT_STATUS_HAVE_NO_MEMORY(smb_conn->requests2.idtree_req);

	/* keeps ids within 24 bits; the expression evaluates to 0x00FFFFFE */
	smb_conn->requests2.idtree_limit = 0x00FFFFFF & (UINT32_MAX - 1);
	smb_conn->requests2.list         = NULL;

	return NT_STATUS_OK;
}
506
/*
 * Turn req into a pending (async) request: register it in the connection's
 * idtree and request list, assign it a pending id and send the client an
 * interim STATUS_PENDING reply. Because pending_id is now set, that reply
 * is marked async and carries the pending id (see smb2srv_setup_reply()).
 *
 * Returns NT_STATUS_INTERNAL_ERROR if req is already pending and
 * NT_STATUS_INSUFFICIENT_RESOURCES if no id is available.
 */
NTSTATUS smb2srv_queue_pending(struct smb2srv_request *req)
{
	struct smbsrv_connection *conn = req->smb_conn;
	int id;

	if (req->pending_id != 0) {
		return NT_STATUS_INTERNAL_ERROR;
	}

	id = idr_get_new_above(conn->requests2.idtree_req, req,
			       1, conn->requests2.idtree_limit);
	if (id == -1) {
		return NT_STATUS_INSUFFICIENT_RESOURCES;
	}

	DLIST_ADD_END(conn->requests2.list, req, struct smb2srv_request *);
	req->pending_id = id;

	/*
	 * smb2srv_send_error() frees the request once the reply is out;
	 * refuse the free for the duration of the interim reply so that req
	 * survives until the real reply is sent
	 */
	talloc_set_destructor(req, smb2srv_request_deny_destructor);
	smb2srv_send_error(req, STATUS_PENDING);
	talloc_set_destructor(req, smb2srv_request_destructor);

	return NT_STATUS_OK;
}
530
/*
 * Handle an SMB2 Cancel.
 *
 * Cancel never gets a reply. For an async cancel (header flag 0x00000002
 * set) the pid field carries the pending id of the request to cancel; if
 * that id maps to a request with an active ntvfs operation, the ntvfs
 * layer is asked to cancel it. A cancel without a session, without the
 * async flag, or for an unknown id is silently dropped.
 *
 * NOTE(review): the pending request is looked up by id only; nothing here
 * checks that it belongs to the same session as the cancel - confirm
 * whether that is intended.
 */
void smb2srv_cancel_recv(struct smb2srv_request *req)
{
	struct smb2srv_request *pending = NULL;

	if (req->session != NULL) {
		uint32_t flags      = IVAL(req->in.hdr, SMB2_HDR_FLAGS);
		uint32_t pending_id = IVAL(req->in.hdr, SMB2_HDR_PID);

		/* TODO: a cancel without the async flag is not handled yet */
		if (flags & 0x00000002) {
			void *p = idr_find(req->smb_conn->requests2.idtree_req, pending_id);
			if (p != NULL) {
				pending = talloc_get_type(p, struct smb2srv_request);
			}
		}
	}

	if (pending != NULL && pending->ntvfs != NULL) {
		ntvfs_cancel(pending->ntvfs);
	}

	/* we never generate a reply for a SMB2 Cancel */
	talloc_free(req);
}
562
/*
 * Initialise the SMB2 protocol state of a newly accepted connection:
 * negotiate defaults, security mode, the session table and the pending
 * request bookkeeping. Returns the first failing status.
 */
NTSTATUS smbsrv_init_smb2_connection(struct smbsrv_connection *smb_conn)
{
	NTSTATUS status;

	/* now initialise a few default values associated with this smb socket */
	smb_conn->negotiate.max_send    = 0xFFFF;
	/* this is the size that w2k uses, and it appears to be important for
	   good performance */
	smb_conn->negotiate.max_recv    = lp_max_xmit(smb_conn->lp_ctx);
	smb_conn->negotiate.zone_offset = get_time_zone(time(NULL));

	smb_conn->config.security          = SEC_USER;
	smb_conn->config.nt_status_support = true;

	status = smbsrv_init_sessions(smb_conn, UINT64_MAX);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	return smb2srv_init_pending(smb_conn);
}
590 }