source3/smbd/smb2_sesssetup.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Core SMB2 server
   4
   5    Copyright (C) Stefan Metzmacher 2009
   6    Copyright (C) Jeremy Allison 2010
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "smbd/smbd.h"
  24 #include "smbd/globals.h"
  25 #include "../libcli/smb/smb_common.h"
  26 #include "../libcli/auth/spnego.h"
  27 #include "../libcli/auth/ntlmssp.h"
  28 #include "ntlmssp_wrap.h"
  29 #include "../librpc/gen_ndr/krb5pac.h"
  30 #include "libads/kerberos_proto.h"
  31 #include "../lib/util/asn1.h"
  32 #include "auth.h"
  33 #include "../lib/tsocket/tsocket.h"
  34 #include "../libcli/security/security.h"
  35
  36 static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
  37                                         uint64_t in_session_id,
  38                                         uint8_t in_security_mode,
  39                                         DATA_BLOB in_security_buffer,
  40                                         uint16_t *out_session_flags,
  41                                         DATA_BLOB *out_security_buffer,
  42                                         uint64_t *out_session_id);
  43
  44 NTSTATUS smbd_smb2_request_process_sesssetup(struct smbd_smb2_request *smb2req)
  45 {
  46         const uint8_t *inhdr;
  47         const uint8_t *inbody;
  48         int i = smb2req->current_idx;
  49         uint8_t *outhdr;
  50         DATA_BLOB outbody;
  51         DATA_BLOB outdyn;
  52         size_t expected_body_size = 0x19;
  53         size_t body_size;
  54         uint64_t in_session_id;
  55         uint8_t in_security_mode;
  56         uint16_t in_security_offset;
  57         uint16_t in_security_length;
  58         DATA_BLOB in_security_buffer;
  59         uint16_t out_session_flags;
  60         uint64_t out_session_id;
  61         uint16_t out_security_offset;
  62         DATA_BLOB out_security_buffer;
  63         NTSTATUS status;
  64
  65         inhdr = (const uint8_t *)smb2req->in.vector[i+0].iov_base;
  66
  67         if (smb2req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
  68                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  69         }
  70
  71         inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base;
  72
  73         body_size = SVAL(inbody, 0x00);
  74         if (body_size != expected_body_size) {
  75                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  76         }
  77
  78         in_security_offset = SVAL(inbody, 0x0C);
  79         in_security_length = SVAL(inbody, 0x0E);
  80
  81         if (in_security_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
  82                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  83         }
  84
  85         if (in_security_length > smb2req->in.vector[i+2].iov_len) {
  86                 return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
  87         }
  88
  89         in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
  90         in_security_mode = CVAL(inbody, 0x03);
  91         in_security_buffer.data = (uint8_t *)smb2req->in.vector[i+2].iov_base;
  92         in_security_buffer.length = in_security_length;
  93
  94         status = smbd_smb2_session_setup(smb2req,
  95                                          in_session_id,
  96                                          in_security_mode,
  97                                          in_security_buffer,
  98                                          &out_session_flags,
  99                                          &out_security_buffer,
 100                                          &out_session_id);
 101         if (!NT_STATUS_IS_OK(status) &&
 102             !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 103                 status = nt_status_squash(status);
 104                 return smbd_smb2_request_error(smb2req, status);
 105         }
 106
 107         out_security_offset = SMB2_HDR_BODY + 0x08;
 108
 109         outhdr = (uint8_t *)smb2req->out.vector[i].iov_base;
 110
 111         outbody = data_blob_talloc(smb2req->out.vector, NULL, 0x08);
 112         if (outbody.data == NULL) {
 113                 return smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY);
 114         }
 115
 116         SBVAL(outhdr, SMB2_HDR_SESSION_ID, out_session_id);
 117
 118         SSVAL(outbody.data, 0x00, 0x08 + 1);    /* struct size */
 119         SSVAL(outbody.data, 0x02,
 120               out_session_flags);               /* session flags */
 121         SSVAL(outbody.data, 0x04,
 122               out_security_offset);             /* security buffer offset */
 123         SSVAL(outbody.data, 0x06,
 124               out_security_buffer.length);      /* security buffer length */
 125
 126         outdyn = out_security_buffer;
 127
 128         return smbd_smb2_request_done_ex(smb2req, status, outbody, &outdyn,
 129                                          __location__);
 130 }
 131
 132 static int smbd_smb2_session_destructor(struct smbd_smb2_session *session)
 133 {
 134         if (session->sconn == NULL) {
 135                 return 0;
 136         }
 137
 138         /* first free all tcons */
 139         while (session->tcons.list) {
 140                 talloc_free(session->tcons.list);
 141         }
 142
 143         idr_remove(session->sconn->smb2.sessions.idtree, session->vuid);
 144         DLIST_REMOVE(session->sconn->smb2.sessions.list, session);
 145         invalidate_vuid(session->sconn, session->vuid);
 146
 147         session->vuid = 0;
 148         session->status = NT_STATUS_USER_SESSION_DELETED;
 149         session->sconn = NULL;
 150
 151         return 0;
 152 }
 153
 154 #ifdef HAVE_KRB5
 155 static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 156                                         struct smbd_smb2_request *smb2req,
 157                                         uint8_t in_security_mode,
 158                                         const DATA_BLOB *secblob,
 159                                         const char *mechOID,
 160                                         uint16_t *out_session_flags,
 161                                         DATA_BLOB *out_security_buffer,
 162                                         uint64_t *out_session_id)
 163 {
 164         DATA_BLOB ap_rep = data_blob_null;
 165         DATA_BLOB ap_rep_wrapped = data_blob_null;
 166         DATA_BLOB ticket = data_blob_null;
 167         DATA_BLOB session_key = data_blob_null;
 168         DATA_BLOB secblob_out = data_blob_null;
 169         uint8 tok_id[2];
 170         struct PAC_LOGON_INFO *logon_info = NULL;
 171         char *principal = NULL;
 172         char *user = NULL;
 173         char *domain = NULL;
 174         struct passwd *pw = NULL;
 175         NTSTATUS status;
 176         char *real_username;
 177         fstring tmp;
 178         bool username_was_mapped = false;
 179         bool map_domainuser_to_guest = false;
 180
 181         if (!spnego_parse_krb5_wrap(talloc_tos(), *secblob, &ticket, tok_id)) {
 182                 status = NT_STATUS_LOGON_FAILURE;
 183                 goto fail;
 184         }
 185
 186         status = ads_verify_ticket(smb2req, lp_realm(), 0, &ticket,
 187                                    &principal, &logon_info, &ap_rep,
 188                                    &session_key, true);
 189
 190         if (!NT_STATUS_IS_OK(status)) {
 191                 DEBUG(1,("smb2: Failed to verify incoming ticket with error %s!\n",
 192                         nt_errstr(status)));
 193                 if (!NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
 194                         status = NT_STATUS_LOGON_FAILURE;
 195                 }
 196                 goto fail;
 197         }
 198
 199         status = get_user_from_kerberos_info(talloc_tos(),
 200                                              session->sconn->remote_hostname,
 201                                              principal, logon_info,
 202                                              &username_was_mapped,
 203                                              &map_domainuser_to_guest,
 204                                              &user, &domain,
 205                                              &real_username, &pw);
 206         if (!NT_STATUS_IS_OK(status)) {
 207                 goto fail;
 208         }
 209
 210         /* save the PAC data if we have it */
 211         if (logon_info) {
 212                 netsamlogon_cache_store(user, &logon_info->info3);
 213         }
 214
 215         /* setup the string used by %U */
 216         sub_set_smb_name(real_username);
 217
 218         /* reload services so that the new %U is taken into account */
 219         reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true);
 220
 221         status = make_session_info_krb5(session,
 222                                         user, domain, real_username, pw,
 223                                         logon_info, map_domainuser_to_guest,
 224                                         username_was_mapped,
 225                                         &session_key,
 226                                         &session->session_info);
 227         if (!NT_STATUS_IS_OK(status)) {
 228                 DEBUG(1, ("smb2: make_server_info_krb5 failed\n"));
 229                 goto fail;
 230         }
 231
 232         if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
 233              lp_server_signing() == Required) {
 234                 session->do_signing = true;
 235         }
 236
 237         if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
 238                 /* we map anonymous to guest internally */
 239                 *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
 240                 *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
 241                 /* force no signing */
 242                 session->do_signing = false;
 243         }
 244
 245         session->session_key = session->session_info->session_key;
 246
 247         session->compat_vuser = talloc_zero(session, user_struct);
 248         if (session->compat_vuser == NULL) {
 249                 status = NT_STATUS_NO_MEMORY;
 250                 goto fail;
 251         }
 252         session->compat_vuser->auth_ntlmssp_state = NULL;
 253         session->compat_vuser->homes_snum = -1;
 254         session->compat_vuser->session_info = session->session_info;
 255         session->compat_vuser->session_keystr = NULL;
 256         session->compat_vuser->vuid = session->vuid;
 257         DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
 258
 259         /* This is a potentially untrusted username */
 260         alpha_strcpy(tmp, user, ". _-$", sizeof(tmp));
 261         session->session_info->unix_info->sanitized_username =
 262                                 talloc_strdup(session->session_info, tmp);
 263
 264         if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
 265                 session->compat_vuser->homes_snum =
 266                         register_homes_share(session->session_info->unix_info->unix_name);
 267         }
 268
 269         if (!session_claim(session->sconn, session->compat_vuser)) {
 270                 DEBUG(1, ("smb2: Failed to claim session "
 271                         "for vuid=%d\n",
 272                         session->compat_vuser->vuid));
 273                 goto fail;
 274         }
 275
 276         session->status = NT_STATUS_OK;
 277
 278         /*
 279          * we attach the session to the request
 280          * so that the response can be signed
 281          */
 282         smb2req->session = session;
 283         if (session->do_signing) {
 284                 smb2req->do_signing = true;
 285         }
 286
 287         global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
 288         status = NT_STATUS_OK;
 289
 290         /* wrap that up in a nice GSS-API wrapping */
 291         ap_rep_wrapped = spnego_gen_krb5_wrap(talloc_tos(), ap_rep,
 292                                 TOK_ID_KRB_AP_REP);
 293
 294         secblob_out = spnego_gen_auth_response(
 295                                         talloc_tos(),
 296                                         &ap_rep_wrapped,
 297                                         status,
 298                                         mechOID);
 299
 300         *out_security_buffer = data_blob_talloc(smb2req,
 301                                                 secblob_out.data,
 302                                                 secblob_out.length);
 303         if (secblob_out.data && out_security_buffer->data == NULL) {
 304                 status = NT_STATUS_NO_MEMORY;
 305                 goto fail;
 306         }
 307
 308         data_blob_free(&ap_rep);
 309         data_blob_free(&ap_rep_wrapped);
 310         data_blob_free(&ticket);
 311         data_blob_free(&session_key);
 312         data_blob_free(&secblob_out);
 313
 314         *out_session_id = session->vuid;
 315
 316         return NT_STATUS_OK;
 317
 318   fail:
 319
 320         data_blob_free(&ap_rep);
 321         data_blob_free(&ap_rep_wrapped);
 322         data_blob_free(&ticket);
 323         data_blob_free(&session_key);
 324         data_blob_free(&secblob_out);
 325
 326         ap_rep_wrapped = data_blob_null;
 327         secblob_out = spnego_gen_auth_response(
 328                                         talloc_tos(),
 329                                         &ap_rep_wrapped,
 330                                         status,
 331                                         mechOID);
 332
 333         *out_security_buffer = data_blob_talloc(smb2req,
 334                                                 secblob_out.data,
 335                                                 secblob_out.length);
 336         data_blob_free(&secblob_out);
 337         return status;
 338 }
 339 #endif
 340
 341 static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 342                                         struct smbd_smb2_request *smb2req,
 343                                         uint8_t in_security_mode,
 344                                         DATA_BLOB in_security_buffer,
 345                                         uint16_t *out_session_flags,
 346                                         DATA_BLOB *out_security_buffer,
 347                                         uint64_t *out_session_id)
 348 {
 349         DATA_BLOB secblob_in = data_blob_null;
 350         DATA_BLOB chal_out = data_blob_null;
 351         char *kerb_mech = NULL;
 352         NTSTATUS status;
 353
 354         /* Ensure we have no old NTLM state around. */
 355         TALLOC_FREE(session->auth_ntlmssp_state);
 356
 357         status = parse_spnego_mechanisms(talloc_tos(), in_security_buffer,
 358                         &secblob_in, &kerb_mech);
 359         if (!NT_STATUS_IS_OK(status)) {
 360                 goto out;
 361         }
 362
 363 #ifdef HAVE_KRB5
 364         if (kerb_mech && ((lp_security()==SEC_ADS) ||
 365                                 USE_KERBEROS_KEYTAB) ) {
 366                 status = smbd_smb2_session_setup_krb5(session,
 367                                 smb2req,
 368                                 in_security_mode,
 369                                 &secblob_in,
 370                                 kerb_mech,
 371                                 out_session_flags,
 372                                 out_security_buffer,
 373                                 out_session_id);
 374
 375                 goto out;
 376         }
 377 #endif
 378
 379         if (kerb_mech) {
 380                 /* The mechtoken is a krb5 ticket, but
 381                  * we need to fall back to NTLM. */
 382
 383                 DEBUG(3,("smb2: Got krb5 ticket in SPNEGO "
 384                         "but set to downgrade to NTLMSSP\n"));
 385
 386                 status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 387         } else {
 388                 /* Fall back to NTLMSSP. */
 389                 status = auth_ntlmssp_prepare(session->sconn->remote_address,
 390                                             &session->auth_ntlmssp_state);
 391                 if (!NT_STATUS_IS_OK(status)) {
 392                         goto out;
 393                 }
 394
 395                 auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
 396
 397                 status = auth_ntlmssp_start(session->auth_ntlmssp_state);
 398                 if (!NT_STATUS_IS_OK(status)) {
 399                         goto out;
 400                 }
 401
 402                 status = auth_ntlmssp_update(session->auth_ntlmssp_state,
 403                                              talloc_tos(),
 404                                              secblob_in,
 405                                              &chal_out);
 406         }
 407
 408         if (!NT_STATUS_IS_OK(status) &&
 409                         !NT_STATUS_EQUAL(status,
 410                                 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 411                 goto out;
 412         }
 413
 414         *out_security_buffer = spnego_gen_auth_response(smb2req,
 415                                                 &chal_out,
 416                                                 status,
 417                                                 OID_NTLMSSP);
 418         if (out_security_buffer->data == NULL) {
 419                 status = NT_STATUS_NO_MEMORY;
 420                 goto out;
 421         }
 422         *out_session_id = session->vuid;
 423
 424   out:
 425
 426         data_blob_free(&secblob_in);
 427         data_blob_free(&chal_out);
 428         TALLOC_FREE(kerb_mech);
 429         if (!NT_STATUS_IS_OK(status) &&
 430                         !NT_STATUS_EQUAL(status,
 431                                 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 432                 TALLOC_FREE(session->auth_ntlmssp_state);
 433                 TALLOC_FREE(session);
 434         }
 435         return status;
 436 }
 437
 438 static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *session,
 439                                         struct smbd_smb2_request *smb2req,
 440                                         uint8_t in_security_mode,
 441                                         DATA_BLOB in_security_buffer,
 442                                         uint16_t *out_session_flags,
 443                                         uint64_t *out_session_id)
 444 {
 445         fstring tmp;
 446
 447         if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
 448             lp_server_signing() == Required) {
 449                 session->do_signing = true;
 450         }
 451
 452         if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
 453                 /* we map anonymous to guest internally */
 454                 *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
 455                 *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
 456                 /* force no signing */
 457                 session->do_signing = false;
 458         }
 459
 460         session->session_key = session->session_info->session_key;
 461
 462         session->compat_vuser = talloc_zero(session, user_struct);
 463         if (session->compat_vuser == NULL) {
 464                 TALLOC_FREE(session->auth_ntlmssp_state);
 465                 TALLOC_FREE(session);
 466                 return NT_STATUS_NO_MEMORY;
 467         }
 468         session->compat_vuser->auth_ntlmssp_state = session->auth_ntlmssp_state;
 469         session->compat_vuser->homes_snum = -1;
 470         session->compat_vuser->session_info = session->session_info;
 471         session->compat_vuser->session_keystr = NULL;
 472         session->compat_vuser->vuid = session->vuid;
 473         DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
 474
 475         /* This is a potentially untrusted username */
 476         alpha_strcpy(tmp,
 477                      auth_ntlmssp_get_username(session->auth_ntlmssp_state),
 478                      ". _-$",
 479                      sizeof(tmp));
 480         session->session_info->unix_info->sanitized_username = talloc_strdup(
 481                 session->session_info, tmp);
 482
 483         if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
 484                 session->compat_vuser->homes_snum =
 485                         register_homes_share(session->session_info->unix_info->unix_name);
 486         }
 487
 488         if (!session_claim(session->sconn, session->compat_vuser)) {
 489                 DEBUG(1, ("smb2: Failed to claim session "
 490                         "for vuid=%d\n",
 491                         session->compat_vuser->vuid));
 492                 TALLOC_FREE(session->auth_ntlmssp_state);
 493                 TALLOC_FREE(session);
 494                 return NT_STATUS_LOGON_FAILURE;
 495         }
 496
 497
 498         session->status = NT_STATUS_OK;
 499
 500         /*
 501          * we attach the session to the request
 502          * so that the response can be signed
 503          */
 504         smb2req->session = session;
 505         if (session->do_signing) {
 506                 smb2req->do_signing = true;
 507         }
 508
 509         global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
 510
 511         *out_session_id = session->vuid;
 512
 513         return NT_STATUS_OK;
 514 }
 515
 516 static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 517                                         struct smbd_smb2_request *smb2req,
 518                                         uint8_t in_security_mode,
 519                                         DATA_BLOB in_security_buffer,
 520                                         uint16_t *out_session_flags,
 521                                         DATA_BLOB *out_security_buffer,
 522                                         uint64_t *out_session_id)
 523 {
 524         DATA_BLOB auth = data_blob_null;
 525         DATA_BLOB auth_out = data_blob_null;
 526         NTSTATUS status;
 527
 528         if (!spnego_parse_auth(talloc_tos(), in_security_buffer, &auth)) {
 529                 TALLOC_FREE(session);
 530                 return NT_STATUS_LOGON_FAILURE;
 531         }
 532
 533         if (auth.data[0] == ASN1_APPLICATION(0)) {
 534                 /* Might be a second negTokenTarg packet */
 535                 DATA_BLOB secblob_in = data_blob_null;
 536                 char *kerb_mech = NULL;
 537
 538                 status = parse_spnego_mechanisms(talloc_tos(),
 539                                 in_security_buffer,
 540                                 &secblob_in, &kerb_mech);
 541                 if (!NT_STATUS_IS_OK(status)) {
 542                         TALLOC_FREE(session);
 543                         return status;
 544                 }
 545
 546 #ifdef HAVE_KRB5
 547                 if (kerb_mech && ((lp_security()==SEC_ADS) ||
 548                                         USE_KERBEROS_KEYTAB) ) {
 549                         status = smbd_smb2_session_setup_krb5(session,
 550                                         smb2req,
 551                                         in_security_mode,
 552                                         &secblob_in,
 553                                         kerb_mech,
 554                                         out_session_flags,
 555                                         out_security_buffer,
 556                                         out_session_id);
 557
 558                         data_blob_free(&secblob_in);
 559                         TALLOC_FREE(kerb_mech);
 560                         if (!NT_STATUS_IS_OK(status)) {
 561                                 TALLOC_FREE(session);
 562                         }
 563                         return status;
 564                 }
 565 #endif
 566
 567                 /* Can't blunder into NTLMSSP auth if we have
 568                  * a krb5 ticket. */
 569
 570                 if (kerb_mech) {
 571                         DEBUG(3,("smb2: network "
 572                                 "misconfiguration, client sent us a "
 573                                 "krb5 ticket and kerberos security "
 574                                 "not enabled\n"));
 575                         TALLOC_FREE(session);
 576                         data_blob_free(&secblob_in);
 577                         TALLOC_FREE(kerb_mech);
 578                         return NT_STATUS_LOGON_FAILURE;
 579                 }
 580
 581                 data_blob_free(&secblob_in);
 582         }
 583
 584         if (session->auth_ntlmssp_state == NULL) {
 585                 status = auth_ntlmssp_prepare(session->sconn->remote_address,
 586                                             &session->auth_ntlmssp_state);
 587                 if (!NT_STATUS_IS_OK(status)) {
 588                         data_blob_free(&auth);
 589                         TALLOC_FREE(session);
 590                         return status;
 591                 }
 592
 593                 auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
 594
 595                 status = auth_ntlmssp_start(session->auth_ntlmssp_state);
 596                 if (!NT_STATUS_IS_OK(status)) {
 597                         data_blob_free(&auth);
 598                         TALLOC_FREE(session);
 599                         return status;
 600                 }
 601         }
 602
 603         status = auth_ntlmssp_update(session->auth_ntlmssp_state,
 604                                      talloc_tos(), auth,
 605                                      &auth_out);
 606         /* If status is NT_STATUS_OK then we need to get the token.
 607          * Map to guest is now internal to auth_ntlmssp */
 608         if (NT_STATUS_IS_OK(status)) {
 609                 status = auth_ntlmssp_steal_session_info(session,
 610                                 session->auth_ntlmssp_state,
 611                                 &session->session_info);
 612         }
 613
 614         if (!NT_STATUS_IS_OK(status) &&
 615                         !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 616                 TALLOC_FREE(session->auth_ntlmssp_state);
 617                 data_blob_free(&auth);
 618                 TALLOC_FREE(session);
 619                 return status;
 620         }
 621
 622         data_blob_free(&auth);
 623
 624         *out_security_buffer = spnego_gen_auth_response(smb2req,
 625                                 &auth_out, status, NULL);
 626
 627         if (out_security_buffer->data == NULL) {
 628                 TALLOC_FREE(session->auth_ntlmssp_state);
 629                 TALLOC_FREE(session);
 630                 return NT_STATUS_NO_MEMORY;
 631         }
 632
 633         *out_session_id = session->vuid;
 634
 635         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 636                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 637         }
 638
 639         /* We're done - claim the session. */
 640         return smbd_smb2_common_ntlmssp_auth_return(session,
 641                                                 smb2req,
 642                                                 in_security_mode,
 643                                                 in_security_buffer,
 644                                                 out_session_flags,
 645                                                 out_session_id);
 646 }
 647
 648 static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
 649                                         struct smbd_smb2_request *smb2req,
 650                                         uint8_t in_security_mode,
 651                                         DATA_BLOB in_security_buffer,
 652                                         uint16_t *out_session_flags,
 653                                         DATA_BLOB *out_security_buffer,
 654                                         uint64_t *out_session_id)
 655 {
 656         NTSTATUS status;
 657
 658         if (session->auth_ntlmssp_state == NULL) {
 659                 status = auth_ntlmssp_prepare(session->sconn->remote_address,
 660                                             &session->auth_ntlmssp_state);
 661                 if (!NT_STATUS_IS_OK(status)) {
 662                         TALLOC_FREE(session);
 663                         return status;
 664                 }
 665
 666                 auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
 667
 668                 status = auth_ntlmssp_start(session->auth_ntlmssp_state);
 669                 if (!NT_STATUS_IS_OK(status)) {
 670                         TALLOC_FREE(session);
 671                         return status;
 672                 }
 673         }
 674
 675         /* RAW NTLMSSP */
 676         status = auth_ntlmssp_update(session->auth_ntlmssp_state,
 677                                      smb2req,
 678                                      in_security_buffer,
 679                                      out_security_buffer);
 680
 681         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 682                 *out_session_id = session->vuid;
 683                 return status;
 684         }
 685
 686         status = auth_ntlmssp_steal_session_info(session,
 687                                                  session->auth_ntlmssp_state,
 688                                                  &session->session_info);
 689
 690         if (!NT_STATUS_IS_OK(status)) {
 691                 TALLOC_FREE(session->auth_ntlmssp_state);
 692                 TALLOC_FREE(session);
 693                 return status;
 694         }
 695         *out_session_id = session->vuid;
 696
 697         return smbd_smb2_common_ntlmssp_auth_return(session,
 698                                                 smb2req,
 699                                                 in_security_mode,
 700                                                 in_security_buffer,
 701                                                 out_session_flags,
 702                                                 out_session_id);
 703 }
 704
 705 static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
 706                                         uint64_t in_session_id,
 707                                         uint8_t in_security_mode,
 708                                         DATA_BLOB in_security_buffer,
 709                                         uint16_t *out_session_flags,
 710                                         DATA_BLOB *out_security_buffer,
 711                                         uint64_t *out_session_id)
 712 {
 713         struct smbd_smb2_session *session;
 714
 715         *out_session_flags = 0;
 716         *out_session_id = 0;
 717
 718         if (in_session_id == 0) {
 719                 int id;
 720
 721                 /* create a new session */
 722                 session = talloc_zero(smb2req->sconn, struct smbd_smb2_session);
 723                 if (session == NULL) {
 724                         return NT_STATUS_NO_MEMORY;
 725                 }
 726                 session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 727                 id = idr_get_new_random(smb2req->sconn->smb2.sessions.idtree,
 728                                         session,
 729                                         smb2req->sconn->smb2.sessions.limit);
 730                 if (id == -1) {
 731                         return NT_STATUS_INSUFFICIENT_RESOURCES;
 732                 }
 733                 session->vuid = id;
 734
 735                 session->tcons.idtree = idr_init(session);
 736                 if (session->tcons.idtree == NULL) {
 737                         return NT_STATUS_NO_MEMORY;
 738                 }
 739                 session->tcons.limit = 0x0000FFFE;
 740                 session->tcons.list = NULL;
 741
 742                 DLIST_ADD_END(smb2req->sconn->smb2.sessions.list, session,
 743                               struct smbd_smb2_session *);
 744                 session->sconn = smb2req->sconn;
 745                 talloc_set_destructor(session, smbd_smb2_session_destructor);
 746         } else {
 747                 void *p;
 748
 749                 /* lookup an existing session */
 750                 p = idr_find(smb2req->sconn->smb2.sessions.idtree, in_session_id);
 751                 if (p == NULL) {
 752                         return NT_STATUS_USER_SESSION_DELETED;
 753                 }
 754                 session = talloc_get_type_abort(p, struct smbd_smb2_session);
 755         }
 756
 757         if (NT_STATUS_IS_OK(session->status)) {
 758                 return NT_STATUS_REQUEST_NOT_ACCEPTED;
 759         }
 760
 761         if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
 762                 return smbd_smb2_spnego_negotiate(session,
 763                                                 smb2req,
 764                                                 in_security_mode,
 765                                                 in_security_buffer,
 766                                                 out_session_flags,
 767                                                 out_security_buffer,
 768                                                 out_session_id);
 769         } else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
 770                 return smbd_smb2_spnego_auth(session,
 771                                                 smb2req,
 772                                                 in_security_mode,
 773                                                 in_security_buffer,
 774                                                 out_session_flags,
 775                                                 out_security_buffer,
 776                                                 out_session_id);
 777         } else if (strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) {
 778                 return smbd_smb2_raw_ntlmssp_auth(session,
 779                                                 smb2req,
 780                                                 in_security_mode,
 781                                                 in_security_buffer,
 782                                                 out_session_flags,
 783                                                 out_security_buffer,
 784                                                 out_session_id);
 785         }
 786
 787         /* Unknown packet type. */
 788         DEBUG(1,("Unknown packet type %u in smb2 sessionsetup\n",
 789                 (unsigned int)in_security_buffer.data[0] ));
 790         TALLOC_FREE(session->auth_ntlmssp_state);
 791         TALLOC_FREE(session);
 792         return NT_STATUS_LOGON_FAILURE;
 793 }
 794
 795 NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req)
 796 {
 797         const uint8_t *inbody;
 798         int i = req->current_idx;
 799         DATA_BLOB outbody;
 800         size_t expected_body_size = 0x04;
 801         size_t body_size;
 802
 803         if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
 804                 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 805         }
 806
 807         inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
 808
 809         body_size = SVAL(inbody, 0x00);
 810         if (body_size != expected_body_size) {
 811                 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
 812         }
 813
 814         /*
 815          * TODO: cancel all outstanding requests on the session
 816          *       and delete all tree connections.
 817          */
 818         smbd_smb2_session_destructor(req->session);
 819         /*
 820          * we may need to sign the response, so we need to keep
 821          * the session until the response is sent to the wire.
 822          */
 823         talloc_steal(req, req->session);
 824
 825         outbody = data_blob_talloc(req->out.vector, NULL, 0x04);
 826         if (outbody.data == NULL) {
 827                 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
 828         }
 829
 830         SSVAL(outbody.data, 0x00, 0x04);        /* struct size */
 831         SSVAL(outbody.data, 0x02, 0);           /* reserved */
 832
 833         return smbd_smb2_request_done(req, outbody, NULL);
 834 }