diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
| commit | 8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch) | |
| tree | 4099e8021376c7d8c05bdf8503093d80e9c7bad0 /source3/smbd/smb1_sesssetup.c | |
| parent | Initial commit. (diff) | |
| download | samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip | |
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source3/smbd/smb1_sesssetup.c')
| -rw-r--r-- | source3/smbd/smb1_sesssetup.c | 1118 |
1 files changed, 1118 insertions, 0 deletions
diff --git a/source3/smbd/smb1_sesssetup.c b/source3/smbd/smb1_sesssetup.c new file mode 100644 index 0000000..6c668ff --- /dev/null +++ b/source3/smbd/smb1_sesssetup.c @@ -0,0 +1,1118 @@ +/* + Unix SMB/CIFS implementation. + handle SMBsessionsetup + Copyright (C) Andrew Tridgell 1998-2001 + Copyright (C) Andrew Bartlett 2001 + Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002 + Copyright (C) Luke Howard 2003 + Copyright (C) Volker Lendecke 2007 + Copyright (C) Jeremy Allison 2007 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "../lib/tsocket/tsocket.h" +#include "lib/util/server_id.h" +#include "smbd/smbd.h" +#include "smbd/globals.h" +#include "auth.h" +#include "messages.h" +#include "smbprofile.h" +#include "../libcli/security/security.h" +#include "auth/gensec/gensec.h" +#include "../libcli/smb/smb_signing.h" +#include "lib/util/string_wrappers.h" +#include "source3/lib/substitute.h" + +/**************************************************************************** + Add the standard 'Samba' signature to the end of the session setup. +****************************************************************************/ + +static int push_signature(uint8_t **outbuf) +{ + char *lanman; + int result, tmp; + fstring native_os; + + result = 0; + + fstr_sprintf(native_os, "Windows %d.%d", SAMBA_MAJOR_NBT_ANNOUNCE_VERSION, + SAMBA_MINOR_NBT_ANNOUNCE_VERSION); + + tmp = message_push_string(outbuf, native_os, STR_TERMINATE); + + if (tmp == -1) return -1; + result += tmp; + + if (asprintf(&lanman, "Samba %s", samba_version_string()) != -1) { + tmp = message_push_string(outbuf, lanman, STR_TERMINATE); + SAFE_FREE(lanman); + } + else { + tmp = message_push_string(outbuf, "Samba", STR_TERMINATE); + } + + if (tmp == -1) return -1; + result += tmp; + + tmp = message_push_string(outbuf, lp_workgroup(), STR_TERMINATE); + + if (tmp == -1) return -1; + result += tmp; + + return result; +} + +/**************************************************************************** + Reply to a session setup command. + conn POINTER CAN BE NULL HERE ! +****************************************************************************/ + +static void reply_sesssetup_and_X_spnego(struct smb_request *req) +{ + const uint8_t *p; + DATA_BLOB in_blob; + DATA_BLOB out_blob = data_blob_null; + size_t bufrem; + char *tmp = NULL; + const char *native_os; + const char *native_lanman; + const char *primary_domain; + uint16_t data_blob_len = SVAL(req->vwv+7, 0); + enum remote_arch_types ra_type = get_remote_arch(); + uint64_t vuid = req->vuid; + NTSTATUS status = NT_STATUS_OK; + struct smbXsrv_connection *xconn = req->xconn; + struct smbd_server_connection *sconn = req->sconn; + uint16_t action = 0; + bool is_authenticated = false; + NTTIME now = timeval_to_nttime(&req->request_time); + struct smbXsrv_session *session = NULL; + uint16_t smb_bufsize = SVAL(req->vwv+2, 0); + uint32_t client_caps = IVAL(req->vwv+10, 0); + struct smbXsrv_session_auth0 *auth; + + DEBUG(3,("Doing spnego session setup\n")); + + if (!xconn->smb1.sessions.done_sesssetup) { + global_client_caps = client_caps; + + if (!(global_client_caps & CAP_STATUS32)) { + remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES); + } + } + + p = req->buf; + + if (data_blob_len == 0) { + /* an invalid request */ + reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE)); + return; + } + + bufrem = smbreq_bufrem(req, p); + /* pull the spnego blob */ + in_blob = data_blob_const(p, MIN(bufrem, data_blob_len)); + +#if 0 + file_save("negotiate.dat", in_blob.data, in_blob.length); +#endif + + p = req->buf + in_blob.length; + + p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p, + STR_TERMINATE); + native_os = tmp ? tmp : ""; + + p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p, + STR_TERMINATE); + native_lanman = tmp ? tmp : ""; + + p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p, + STR_TERMINATE); + primary_domain = tmp ? tmp : ""; + + DEBUG(3,("NativeOS=[%s] NativeLanMan=[%s] PrimaryDomain=[%s]\n", + native_os, native_lanman, primary_domain)); + + if ( ra_type == RA_WIN2K ) { + /* Vista sets neither the OS or lanman strings */ + + if ( !strlen(native_os) && !strlen(native_lanman) ) + set_remote_arch(RA_VISTA); + + /* Windows 2003 doesn't set the native lanman string, + but does set primary domain which is a bug I think */ + + if ( !strlen(native_lanman) ) { + ra_lanman_string( primary_domain ); + } else { + ra_lanman_string( native_lanman ); + } + } else if ( ra_type == RA_VISTA ) { + if ( strncmp(native_os, "Mac OS X", 8) == 0 ) { + set_remote_arch(RA_OSX); + } + } + + if (vuid != 0) { + status = smb1srv_session_lookup(xconn, + vuid, now, + &session); + if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) { + reply_force_doserror(req, ERRSRV, ERRbaduid); + return; + } + if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) { + status = NT_STATUS_OK; + } + if (NT_STATUS_IS_OK(status)) { + session->status = NT_STATUS_MORE_PROCESSING_REQUIRED; + status = NT_STATUS_MORE_PROCESSING_REQUIRED; + TALLOC_FREE(session->pending_auth); + } + if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + reply_nterror(req, nt_status_squash(status)); + return; + } + } + + if (session == NULL) { + /* create a new session */ + status = smbXsrv_session_create(xconn, + now, &session); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, nt_status_squash(status)); + return; + } + } + + status = smbXsrv_session_find_auth(session, xconn, now, &auth); + if (!NT_STATUS_IS_OK(status)) { + status = smbXsrv_session_create_auth(session, xconn, now, + 0, /* flags */ + 0, /* security */ + &auth); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, nt_status_squash(status)); + return; + } + } + + if (auth->gensec == NULL) { + status = auth_generic_prepare(session, + xconn->remote_address, + xconn->local_address, + "SMB", + &auth->gensec); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(session); + reply_nterror(req, nt_status_squash(status)); + return; + } + + gensec_want_feature(auth->gensec, GENSEC_FEATURE_SESSION_KEY); + gensec_want_feature(auth->gensec, GENSEC_FEATURE_UNIX_TOKEN); + gensec_want_feature(auth->gensec, GENSEC_FEATURE_SMB_TRANSPORT); + + status = gensec_start_mech_by_oid(auth->gensec, + GENSEC_OID_SPNEGO); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to start SPNEGO handler!\n")); + TALLOC_FREE(session);; + reply_nterror(req, nt_status_squash(status)); + return; + } + } + + become_root(); + status = gensec_update(auth->gensec, + talloc_tos(), + in_blob, &out_blob); + unbecome_root(); + if (!NT_STATUS_IS_OK(status) && + !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + TALLOC_FREE(session); + reply_nterror(req, nt_status_squash(status)); + return; + } + + if (NT_STATUS_IS_OK(status) && session->global->auth_session_info == NULL) { + struct auth_session_info *session_info = NULL; + + status = gensec_session_info(auth->gensec, + session, + &session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1,("Failed to generate session_info " + "(user and group token) for session setup: %s\n", + nt_errstr(status))); + data_blob_free(&out_blob); + TALLOC_FREE(session); + reply_nterror(req, nt_status_squash(status)); + return; + } + + if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) { + action |= SMB_SETUP_GUEST; + } + + session->global->signing_algo = SMB2_SIGNING_MD5_SMB1; + session->global->encryption_cipher = 0; + session->global->channels[0].signing_algo = + session->global->signing_algo; + session->global->channels[0].encryption_cipher = + session->global->encryption_cipher; + + if (session_info->session_key.length > 0) { + struct smbXsrv_session *x = session; + + status = smb2_signing_key_sign_create(x->global, + x->global->signing_algo, + &session_info->session_key, + NULL, /* no derivation */ + &x->global->signing_key); + if (!NT_STATUS_IS_OK(status)) { + data_blob_free(&out_blob); + TALLOC_FREE(session); + reply_nterror(req, status); + return; + } + x->global->signing_key_blob = x->global->signing_key->blob; + + /* + * clear the session key + * the first tcon will add setup the application key + */ + data_blob_clear_free(&session_info->session_key); + } + + sconn->num_users++; + + if (security_session_user_level(session_info, NULL) >= SECURITY_USER) { + is_authenticated = true; + session->homes_snum = + register_homes_share(session_info->unix_info->unix_name); + } + + if (smb1_srv_is_signing_negotiated(xconn) && + is_authenticated && + smb2_signing_key_valid(session->global->signing_key)) + { + /* + * Try and turn on server signing on the first non-guest + * sessionsetup. + */ + smb1_srv_set_signing(xconn, + session->global->signing_key->blob, + data_blob_null); + } + + set_current_user_info(session_info->unix_info->sanitized_username, + session_info->unix_info->unix_name, + session_info->info->domain_name); + + session->status = NT_STATUS_OK; + session->global->auth_session_info = talloc_move(session->global, + &session_info); + session->global->auth_session_info_seqnum += 1; + session->global->channels[0].auth_session_info_seqnum = + session->global->auth_session_info_seqnum; + session->global->auth_time = now; + if (client_caps & CAP_DYNAMIC_REAUTH) { + session->global->expiration_time = + gensec_expire_time(auth->gensec); + } else { + session->global->expiration_time = + GENSEC_EXPIRE_TIME_INFINITY; + } + + if (!session_claim(session)) { + DEBUG(1, ("smb1: Failed to claim session for vuid=%llu\n", + (unsigned long long)session->global->session_wire_id)); + data_blob_free(&out_blob); + TALLOC_FREE(session); + reply_nterror(req, NT_STATUS_LOGON_FAILURE); + return; + } + + status = smbXsrv_session_update(session); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("smb1: Failed to update session for vuid=%llu - %s\n", + (unsigned long long)session->global->session_wire_id, + nt_errstr(status))); + data_blob_free(&out_blob); + TALLOC_FREE(session); + reply_nterror(req, NT_STATUS_LOGON_FAILURE); + return; + } + + if (!xconn->smb1.sessions.done_sesssetup) { + if (smb_bufsize < SMB_BUFFER_SIZE_MIN) { + reply_force_doserror(req, ERRSRV, ERRerror); + return; + } + xconn->smb1.sessions.max_send = smb_bufsize; + xconn->smb1.sessions.done_sesssetup = true; + } + + /* current_user_info is changed on new vuid */ + reload_services(sconn, conn_snum_used, true); + } else if (NT_STATUS_IS_OK(status)) { + struct auth_session_info *session_info = NULL; + + status = gensec_session_info(auth->gensec, + session, + &session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1,("Failed to generate session_info " + "(user and group token) for session setup: %s\n", + nt_errstr(status))); + data_blob_free(&out_blob); + TALLOC_FREE(session); + reply_nterror(req, nt_status_squash(status)); + return; + } + + if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) { + action |= SMB_SETUP_GUEST; + } + + /* + * Keep the application key + */ + data_blob_clear_free(&session_info->session_key); + session_info->session_key = + session->global->auth_session_info->session_key; + talloc_steal(session_info, session_info->session_key.data); + TALLOC_FREE(session->global->auth_session_info); + + if (security_session_user_level(session_info, NULL) >= SECURITY_USER) { + session->homes_snum = + register_homes_share(session_info->unix_info->unix_name); + } + + set_current_user_info(session_info->unix_info->sanitized_username, + session_info->unix_info->unix_name, + session_info->info->domain_name); + + session->status = NT_STATUS_OK; + session->global->auth_session_info = talloc_move(session->global, + &session_info); + session->global->auth_session_info_seqnum += 1; + session->global->channels[0].auth_session_info_seqnum = + session->global->auth_session_info_seqnum; + session->global->auth_time = now; + if (client_caps & CAP_DYNAMIC_REAUTH) { + session->global->expiration_time = + gensec_expire_time(auth->gensec); + } else { + session->global->expiration_time = + GENSEC_EXPIRE_TIME_INFINITY; + } + + status = smbXsrv_session_update(session); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("smb1: Failed to update session for vuid=%llu - %s\n", + (unsigned long long)session->global->session_wire_id, + nt_errstr(status))); + data_blob_free(&out_blob); + TALLOC_FREE(session); + reply_nterror(req, NT_STATUS_LOGON_FAILURE); + return; + } + + conn_clear_vuid_caches(sconn, session->global->session_wire_id); + + /* current_user_info is changed on new vuid */ + reload_services(sconn, conn_snum_used, true); + } + + vuid = session->global->session_wire_id; + + reply_smb1_outbuf(req, 4, 0); + + SSVAL(req->outbuf, smb_uid, vuid); + SIVAL(req->outbuf, smb_rcls, NT_STATUS_V(status)); + SSVAL(req->outbuf, smb_vwv0, 0xFF); /* no chaining possible */ + SSVAL(req->outbuf, smb_vwv2, action); + SSVAL(req->outbuf, smb_vwv3, out_blob.length); + + if (message_push_blob(&req->outbuf, out_blob) == -1) { + data_blob_free(&out_blob); + TALLOC_FREE(session); + reply_nterror(req, NT_STATUS_NO_MEMORY); + return; + } + data_blob_free(&out_blob); + + if (push_signature(&req->outbuf) == -1) { + TALLOC_FREE(session); + reply_nterror(req, NT_STATUS_NO_MEMORY); + return; + } +} + +/**************************************************************************** + On new VC == 0, shutdown *all* old connections and users. + It seems that only NT4.x does this. At W2K and above (XP etc.). + a new session setup with VC==0 is ignored. +****************************************************************************/ + +struct shutdown_state { + const char *ip; + size_t ip_length; + struct messaging_context *msg_ctx; +}; + +static int shutdown_other_smbds(struct smbXsrv_session_global0 *session, + void *private_data) +{ + struct shutdown_state *state = (struct shutdown_state *)private_data; + struct server_id self_pid = messaging_server_id(state->msg_ctx); + struct server_id pid = session->channels[0].server_id; + const char *addr = session->channels[0].remote_address; + const char *port_colon; + size_t addr_len; + struct server_id_buf tmp; + + DEBUG(10, ("shutdown_other_smbds: %s, %s\n", + server_id_str_buf(pid, &tmp), addr)); + + if (!process_exists(pid)) { + DEBUG(10, ("process does not exist\n")); + return 0; + } + + if (server_id_equal(&pid, &self_pid)) { + DEBUG(10, ("It's me\n")); + return 0; + } + + port_colon = strrchr(addr, ':'); + if (port_colon == NULL) { + DBG_DEBUG("addr %s in contains no port\n", addr); + return 0; + } + addr_len = port_colon - addr; + + if ((addr_len != state->ip_length) || + (strncmp(addr, state->ip, state->ip_length) != 0)) { + DEBUG(10, ("%s (%zu) does not match %s (%zu)\n", + state->ip, state->ip_length, addr, addr_len)); + return 0; + } + + DEBUG(1, ("shutdown_other_smbds: shutting down pid %u " + "(IP %s)\n", (unsigned int)procid_to_pid(&pid), + state->ip)); + + messaging_send(state->msg_ctx, pid, MSG_SHUTDOWN, + &data_blob_null); + return 0; +} + +static void setup_new_vc_session(struct smbd_server_connection *sconn) +{ + DEBUG(2,("setup_new_vc_session: New VC == 0, if NT4.x " + "compatible we would close all old resources.\n")); + + if (lp_reset_on_zero_vc()) { + char *addr; + const char *port_colon; + struct shutdown_state state; + + addr = tsocket_address_string( + sconn->remote_address, talloc_tos()); + if (addr == NULL) { + return; + } + state.ip = addr; + + port_colon = strrchr(addr, ':'); + if (port_colon == NULL) { + return; + } + state.ip_length = port_colon - addr; + state.msg_ctx = sconn->msg_ctx; + smbXsrv_session_global_traverse(shutdown_other_smbds, &state); + TALLOC_FREE(addr); + } +} + +/**************************************************************************** + Reply to a session setup command. +****************************************************************************/ + +struct reply_sesssetup_and_X_state { + struct smb_request *req; + struct auth4_context *auth_context; + struct auth_usersupplied_info *user_info; + const char *user; + const char *domain; + DATA_BLOB lm_resp; + DATA_BLOB nt_resp; + DATA_BLOB plaintext_password; +}; + +static int reply_sesssetup_and_X_state_destructor( + struct reply_sesssetup_and_X_state *state) +{ + data_blob_clear_free(&state->nt_resp); + data_blob_clear_free(&state->lm_resp); + data_blob_clear_free(&state->plaintext_password); + return 0; +} + +void reply_sesssetup_and_X(struct smb_request *req) +{ + struct reply_sesssetup_and_X_state *state = NULL; + uint64_t sess_vuid; + uint16_t smb_bufsize; + char *tmp = NULL; + fstring sub_user; /* Sanitised username for substitution */ + const char *native_os; + const char *native_lanman; + const char *primary_domain; + struct auth_session_info *session_info = NULL; + uint16_t smb_flag2 = req->flags2; + uint16_t action = 0; + bool is_authenticated = false; + NTTIME now = timeval_to_nttime(&req->request_time); + struct smbXsrv_session *session = NULL; + NTSTATUS nt_status; + struct smbXsrv_connection *xconn = req->xconn; + struct smbd_server_connection *sconn = req->sconn; + bool doencrypt = xconn->smb1.negprot.encrypted_passwords; + bool signing_allowed = false; + bool signing_mandatory = smb1_signing_is_mandatory( + xconn->smb1.signing_state); + + START_PROFILE(SMBsesssetupX); + + DEBUG(3,("wct=%d flg2=0x%x\n", req->wct, req->flags2)); + + state = talloc_zero(req, struct reply_sesssetup_and_X_state); + if (state == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBsesssetupX); + return; + } + state->req = req; + talloc_set_destructor(state, reply_sesssetup_and_X_state_destructor); + + if (req->flags2 & FLAGS2_SMB_SECURITY_SIGNATURES) { + signing_allowed = true; + } + if (req->flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED) { + signing_mandatory = true; + } + + /* + * We can call smb1_srv_set_signing_negotiated() each time. + * It finds out when it needs to turn into a noop + * itself. + */ + smb1_srv_set_signing_negotiated(xconn, + signing_allowed, + signing_mandatory); + + /* a SPNEGO session setup has 12 command words, whereas a normal + NT1 session setup has 13. See the cifs spec. */ + if (req->wct == 12 && + (req->flags2 & FLAGS2_EXTENDED_SECURITY)) { + + if (!xconn->smb1.negprot.spnego) { + DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt " + "at SPNEGO session setup when it was not " + "negotiated.\n")); + reply_nterror(req, nt_status_squash( + NT_STATUS_LOGON_FAILURE)); + END_PROFILE(SMBsesssetupX); + return; + } + + if (SVAL(req->vwv+4, 0) == 0) { + setup_new_vc_session(req->sconn); + } + + reply_sesssetup_and_X_spnego(req); + END_PROFILE(SMBsesssetupX); + return; + } + + smb_bufsize = SVAL(req->vwv+2, 0); + + if (xconn->protocol < PROTOCOL_NT1) { + uint16_t passlen1 = SVAL(req->vwv+7, 0); + + /* Never do NT status codes with protocols before NT1 as we + * don't get client caps. */ + remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES); + + if ((passlen1 > MAX_PASS_LEN) || (passlen1 > req->buflen)) { + reply_nterror(req, nt_status_squash( + NT_STATUS_INVALID_PARAMETER)); + END_PROFILE(SMBsesssetupX); + return; + } + + if (doencrypt) { + state->lm_resp = data_blob_talloc(state, + req->buf, + passlen1); + } else { + state->plaintext_password = data_blob_talloc(state, + req->buf, + passlen1+1); + /* Ensure null termination */ + state->plaintext_password.data[passlen1] = 0; + } + + srvstr_pull_req_talloc(state, req, &tmp, + req->buf + passlen1, STR_TERMINATE); + state->user = tmp ? tmp : ""; + + state->domain = ""; + + } else { + uint16_t passlen1 = SVAL(req->vwv+7, 0); + uint16_t passlen2 = SVAL(req->vwv+8, 0); + enum remote_arch_types ra_type = get_remote_arch(); + const uint8_t *p = req->buf; + const uint8_t *save_p = req->buf; + uint16_t byte_count; + + if (!xconn->smb1.sessions.done_sesssetup) { + global_client_caps = IVAL(req->vwv+11, 0); + + if (!(global_client_caps & CAP_STATUS32)) { + remove_from_common_flags2( + FLAGS2_32_BIT_ERROR_CODES); + } + + /* client_caps is used as final determination if + * client is NT or Win95. This is needed to return + * the correct error codes in some circumstances. + */ + + if(ra_type == RA_WINNT || ra_type == RA_WIN2K || + ra_type == RA_WIN95) { + if(!(global_client_caps & (CAP_NT_SMBS| + CAP_STATUS32))) { + set_remote_arch( RA_WIN95); + } + } + } + + if (!doencrypt) { + /* both Win95 and WinNT stuff up the password + * lengths for non-encrypting systems. Uggh. + + if passlen1==24 its a win95 system, and its setting + the password length incorrectly. Luckily it still + works with the default code because Win95 will null + terminate the password anyway + + if passlen1>0 and passlen2>0 then maybe its a NT box + and its setting passlen2 to some random value which + really stuffs things up. we need to fix that one. */ + + if (passlen1 > 0 && passlen2 > 0 && passlen2 != 24 && + passlen2 != 1) { + passlen2 = 0; + } + } + + /* check for nasty tricks */ + if (passlen1 > MAX_PASS_LEN + || passlen1 > smbreq_bufrem(req, p)) { + reply_nterror(req, nt_status_squash( + NT_STATUS_INVALID_PARAMETER)); + END_PROFILE(SMBsesssetupX); + return; + } + + if (passlen2 > MAX_PASS_LEN + || passlen2 > smbreq_bufrem(req, p+passlen1)) { + reply_nterror(req, nt_status_squash( + NT_STATUS_INVALID_PARAMETER)); + END_PROFILE(SMBsesssetupX); + return; + } + + /* Save the lanman2 password and the NT md4 password. */ + + if ((doencrypt) && (passlen1 != 0) && (passlen1 != 24)) { + doencrypt = False; + } + + if (doencrypt) { + state->lm_resp = data_blob_talloc(state, p, passlen1); + state->nt_resp = data_blob_talloc(state, p+passlen1, passlen2); + } else { + char *pass = NULL; + bool unic= smb_flag2 & FLAGS2_UNICODE_STRINGS; + + if (unic && (passlen2 == 0) && passlen1) { + /* Only a ascii plaintext password was sent. */ + (void)srvstr_pull_talloc(state, + req->inbuf, + req->flags2, + &pass, + req->buf, + passlen1, + STR_TERMINATE|STR_ASCII); + } else { + (void)srvstr_pull_talloc(state, + req->inbuf, + req->flags2, + &pass, + req->buf, + unic ? passlen2 : passlen1, + STR_TERMINATE); + } + if (!pass) { + reply_nterror(req, nt_status_squash( + NT_STATUS_INVALID_PARAMETER)); + END_PROFILE(SMBsesssetupX); + return; + } + state->plaintext_password = data_blob_talloc(state, + pass, + strlen(pass)+1); + } + + p += passlen1 + passlen2; + + p += srvstr_pull_req_talloc(state, req, &tmp, p, + STR_TERMINATE); + state->user = tmp ? tmp : ""; + + p += srvstr_pull_req_talloc(state, req, &tmp, p, + STR_TERMINATE); + state->domain = tmp ? tmp : ""; + + p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p, + STR_TERMINATE); + native_os = tmp ? tmp : ""; + + p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p, + STR_TERMINATE); + native_lanman = tmp ? tmp : ""; + + /* not documented or decoded by Ethereal but there is one more + * string in the extra bytes which is the same as the + * PrimaryDomain when using extended security. Windows NT 4 + * and 2003 use this string to store the native lanman string. + * Windows 9x does not include a string here at all so we have + * to check if we have any extra bytes left */ + + byte_count = SVAL(req->vwv+13, 0); + if ( PTR_DIFF(p, save_p) < byte_count) { + p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p, + STR_TERMINATE); + primary_domain = tmp ? tmp : ""; + } else { + primary_domain = talloc_strdup(talloc_tos(), "null"); + } + + DEBUG(3,("Domain=[%s] NativeOS=[%s] NativeLanMan=[%s] " + "PrimaryDomain=[%s]\n", + state->domain, native_os, native_lanman, primary_domain)); + + if ( ra_type == RA_WIN2K ) { + if ( strlen(native_lanman) == 0 ) + ra_lanman_string( primary_domain ); + else + ra_lanman_string( native_lanman ); + } + + } + + if (SVAL(req->vwv+4, 0) == 0) { + setup_new_vc_session(req->sconn); + } + + DEBUG(3,("sesssetupX:name=[%s]\\[%s]@[%s]\n", + state->domain, state->user, get_remote_machine_name())); + + if (*state->user) { + if (xconn->smb1.negprot.spnego) { + + /* This has to be here, because this is a perfectly + * valid behaviour for guest logons :-( */ + + DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt " + "at 'normal' session setup after " + "negotiating spnego.\n")); + reply_nterror(req, nt_status_squash( + NT_STATUS_LOGON_FAILURE)); + END_PROFILE(SMBsesssetupX); + return; + } + fstrcpy(sub_user, state->user); + } else { + fstrcpy(sub_user, ""); + } + + if (!*state->user) { + DEBUG(3,("Got anonymous request\n")); + + nt_status = make_auth4_context(state, &state->auth_context); + if (NT_STATUS_IS_OK(nt_status)) { + uint8_t chal[8]; + + state->auth_context->get_ntlm_challenge( + state->auth_context, chal); + + if (!make_user_info_guest(state, + sconn->remote_address, + sconn->local_address, + "SMB", &state->user_info)) { + nt_status = NT_STATUS_NO_MEMORY; + } + + if (NT_STATUS_IS_OK(nt_status)) { + state->user_info->auth_description = "guest"; + } + } + } else if (doencrypt) { + state->auth_context = xconn->smb1.negprot.auth_context; + if (state->auth_context == NULL) { + DEBUG(0, ("reply_sesssetup_and_X: Attempted encrypted " + "session setup without negprot denied!\n")); + reply_nterror(req, nt_status_squash( + NT_STATUS_LOGON_FAILURE)); + END_PROFILE(SMBsesssetupX); + return; + } + nt_status = make_user_info_for_reply_enc(state, + &state->user_info, + state->user, + state->domain, + sconn->remote_address, + sconn->local_address, + "SMB", + state->lm_resp, + state->nt_resp); + + if (NT_STATUS_IS_OK(nt_status)) { + state->user_info->auth_description = "bare-NTLM"; + } + } else { + nt_status = make_auth4_context(state, &state->auth_context); + if (NT_STATUS_IS_OK(nt_status)) { + uint8_t chal[8]; + + state->auth_context->get_ntlm_challenge( + state->auth_context, chal); + + if (!make_user_info_for_reply(state, + &state->user_info, + state->user, + state->domain, + sconn->remote_address, + sconn->local_address, + "SMB", + chal, + state->plaintext_password)) { + nt_status = NT_STATUS_NO_MEMORY; + } + + if (NT_STATUS_IS_OK(nt_status)) { + state->user_info->auth_description = "plaintext"; + } + } + } + + if (!NT_STATUS_IS_OK(nt_status)) { + reply_nterror(req, nt_status_squash(nt_status)); + END_PROFILE(SMBsesssetupX); + return; + } + + nt_status = auth_check_password_session_info(state->auth_context, + req, state->user_info, + &session_info); + TALLOC_FREE(state->user_info); + if (!NT_STATUS_IS_OK(nt_status)) { + reply_nterror(req, nt_status_squash(nt_status)); + END_PROFILE(SMBsesssetupX); + return; + } + + /* it's ok - setup a reply */ + reply_smb1_outbuf(req, 3, 0); + SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */ + SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */ + + if (xconn->protocol >= PROTOCOL_NT1) { + push_signature(&req->outbuf); + /* perhaps grab OS version here?? */ + } + + if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) { + action |= SMB_SETUP_GUEST; + } + + /* register the name and uid as being validated, so further connections + to a uid can get through without a password, on the same VC */ + + nt_status = smbXsrv_session_create(xconn, + now, &session); + if (!NT_STATUS_IS_OK(nt_status)) { + reply_nterror(req, nt_status_squash(nt_status)); + END_PROFILE(SMBsesssetupX); + return; + } + + session->global->signing_algo = SMB2_SIGNING_MD5_SMB1; + session->global->encryption_cipher = 0; + session->global->channels[0].signing_algo = + session->global->signing_algo; + session->global->channels[0].encryption_cipher = + session->global->encryption_cipher; + + if (session_info->session_key.length > 0) { + struct smbXsrv_session *x = session; + uint8_t session_key[16]; + NTSTATUS status; + + status = smb2_signing_key_sign_create(x->global, + x->global->signing_algo, + &session_info->session_key, + NULL, /* no derivation */ + &x->global->signing_key); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(session); + reply_nterror(req, status); + END_PROFILE(SMBsesssetupX); + return; + } + x->global->signing_key_blob = x->global->signing_key->blob; + + /* + * The application key is truncated/padded to 16 bytes + */ + ZERO_STRUCT(session_key); + memcpy(session_key, session->global->signing_key_blob.data, + MIN(session->global->signing_key_blob.length, + sizeof(session_key))); + session->global->application_key_blob = + data_blob_talloc(session->global, + session_key, + sizeof(session_key)); + ZERO_STRUCT(session_key); + if (session->global->application_key_blob.data == NULL) { + TALLOC_FREE(session); + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBsesssetupX); + return; + } + talloc_keep_secret(session->global->application_key_blob.data); + + /* + * Place the application key into the session_info + */ + data_blob_clear_free(&session_info->session_key); + session_info->session_key = data_blob_dup_talloc(session_info, + session->global->application_key_blob); + if (session_info->session_key.data == NULL) { + TALLOC_FREE(session); + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBsesssetupX); + return; + } + talloc_keep_secret(session_info->session_key.data); + } + + sconn->num_users++; + + if (security_session_user_level(session_info, NULL) >= SECURITY_USER) { + is_authenticated = true; + session->homes_snum = + register_homes_share(session_info->unix_info->unix_name); + } + + if (smb1_srv_is_signing_negotiated(xconn) && + is_authenticated && + smb2_signing_key_valid(session->global->signing_key)) + { + /* + * Try and turn on server signing on the first non-guest + * sessionsetup. + */ + smb1_srv_set_signing(xconn, + session->global->signing_key->blob, + state->nt_resp.data ? state->nt_resp : state->lm_resp); + } + + set_current_user_info(session_info->unix_info->sanitized_username, + session_info->unix_info->unix_name, + session_info->info->domain_name); + + session->status = NT_STATUS_OK; + session->global->auth_session_info = talloc_move(session->global, + &session_info); + session->global->auth_session_info_seqnum += 1; + session->global->channels[0].auth_session_info_seqnum = + session->global->auth_session_info_seqnum; + session->global->auth_time = now; + session->global->expiration_time = GENSEC_EXPIRE_TIME_INFINITY; + + nt_status = smbXsrv_session_update(session); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("smb1: Failed to update session for vuid=%llu - %s\n", + (unsigned long long)session->global->session_wire_id, + nt_errstr(nt_status))); + TALLOC_FREE(session); + reply_nterror(req, nt_status_squash(nt_status)); + END_PROFILE(SMBsesssetupX); + return; + } + + if (!session_claim(session)) { + DEBUG(1, ("smb1: Failed to claim session for vuid=%llu\n", + (unsigned long long)session->global->session_wire_id)); + TALLOC_FREE(session); + reply_nterror(req, NT_STATUS_LOGON_FAILURE); + END_PROFILE(SMBsesssetupX); + return; + } + + /* current_user_info is changed on new vuid */ + reload_services(sconn, conn_snum_used, true); + + sess_vuid = session->global->session_wire_id; + + SSVAL(req->outbuf,smb_vwv2,action); + SSVAL(req->outbuf,smb_uid,sess_vuid); + SSVAL(discard_const_p(char, req->inbuf),smb_uid,sess_vuid); + req->vuid = sess_vuid; + + if (!xconn->smb1.sessions.done_sesssetup) { + if (smb_bufsize < SMB_BUFFER_SIZE_MIN) { + reply_force_doserror(req, ERRSRV, ERRerror); + END_PROFILE(SMBsesssetupX); + return; + } + xconn->smb1.sessions.max_send = smb_bufsize; + xconn->smb1.sessions.done_sesssetup = true; + } + + TALLOC_FREE(state); + END_PROFILE(SMBsesssetupX); +} |