*/
#include "includes.h"
+#include "smbd/smbd.h"
#include "smbd/globals.h"
#include "../libcli/smb/smb_common.h"
#include "../libcli/auth/spnego.h"
-#include "../libcli/auth/ntlmssp.h"
+#include "../auth/gensec/gensec.h"
+#include "../auth/ntlmssp/ntlmssp.h"
#include "ntlmssp_wrap.h"
#include "../librpc/gen_ndr/krb5pac.h"
#include "libads/kerberos_proto.h"
+#include "../lib/util/asn1.h"
+#include "auth.h"
+#include "../lib/tsocket/tsocket.h"
+#include "../libcli/security/security.h"
static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
uint64_t in_session_id,
uint8_t *outhdr;
DATA_BLOB outbody;
DATA_BLOB outdyn;
- size_t expected_body_size = 0x19;
- size_t body_size;
uint64_t in_session_id;
uint8_t in_security_mode;
uint16_t in_security_offset;
uint16_t out_session_flags;
uint64_t out_session_id;
uint16_t out_security_offset;
- DATA_BLOB out_security_buffer;
+ DATA_BLOB out_security_buffer = data_blob_null;
NTSTATUS status;
- inhdr = (const uint8_t *)smb2req->in.vector[i+0].iov_base;
-
- if (smb2req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(smb2req, 0x19);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(smb2req, status);
}
-
+ inhdr = (const uint8_t *)smb2req->in.vector[i+0].iov_base;
inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base;
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
- }
-
in_security_offset = SVAL(inbody, 0x0C);
in_security_length = SVAL(inbody, 0x0E);
- if (in_security_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
+ if (in_security_offset != (SMB2_HDR_BODY + smb2req->in.vector[i+1].iov_len)) {
return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER);
}
return 0;
}
-static NTSTATUS setup_ntlmssp_server_info(struct smbd_smb2_session *session,
- NTSTATUS status)
-{
- if (NT_STATUS_IS_OK(status)) {
- status = auth_ntlmssp_steal_server_info(session,
- session->auth_ntlmssp_state,
- &session->server_info);
- } else {
- /* Note that this server_info won't have a session
- * key. But for map to guest, that's exactly the right
- * thing - we can't reasonably guess the key the
- * client wants, as the password was wrong */
- status = do_map_to_guest(status,
- &session->server_info,
- auth_ntlmssp_get_username(session->auth_ntlmssp_state),
- auth_ntlmssp_get_domain(session->auth_ntlmssp_state));
- }
- return status;
-}
-
#ifdef HAVE_KRB5
static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
struct passwd *pw = NULL;
NTSTATUS status;
char *real_username;
- fstring tmp;
bool username_was_mapped = false;
bool map_domainuser_to_guest = false;
+ bool guest = false;
if (!spnego_parse_krb5_wrap(talloc_tos(), *secblob, &ticket, tok_id)) {
status = NT_STATUS_LOGON_FAILURE;
}
status = get_user_from_kerberos_info(talloc_tos(),
- smb2req->sconn->client_id.name,
+ session->sconn->remote_hostname,
principal, logon_info,
&username_was_mapped,
&map_domainuser_to_guest,
sub_set_smb_name(real_username);
/* reload services so that the new %U is taken into account */
- reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true);
+ reload_services(smb2req->sconn, conn_snum_used, true);
- status = make_server_info_krb5(session,
+ status = make_session_info_krb5(session,
user, domain, real_username, pw,
logon_info, map_domainuser_to_guest,
- &session->server_info);
+ username_was_mapped,
+ &session_key,
+ &session->session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("smb2: make_server_info_krb5 failed\n"));
goto fail;
}
-
- session->server_info->nss_token |= username_was_mapped;
-
- /* we need to build the token for the user. make_server_info_guest()
- already does this */
-
- if (!session->server_info->security_token ) {
- status = create_local_token(session->server_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10,("smb2: failed to create local token: %s\n",
- nt_errstr(status)));
- goto fail;
- }
- }
-
if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
- lp_server_signing() == Required) {
+ lp_server_signing() == SMB_SIGNING_REQUIRED) {
session->do_signing = true;
}
- if (session->server_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
/* force no signing */
session->do_signing = false;
+ guest = true;
}
- data_blob_free(&session->server_info->user_session_key);
- session->server_info->user_session_key =
- data_blob_talloc(
- session->server_info,
- session_key.data,
- session_key.length);
- if (session_key.length > 0) {
- if (session->server_info->user_session_key.data == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto fail;
- }
- }
- session->session_key = session->server_info->user_session_key;
+ session->session_key = session->session_info->session_key;
session->compat_vuser = talloc_zero(session, user_struct);
if (session->compat_vuser == NULL) {
}
session->compat_vuser->auth_ntlmssp_state = NULL;
session->compat_vuser->homes_snum = -1;
- session->compat_vuser->server_info = session->server_info;
+ session->compat_vuser->session_info = session->session_info;
session->compat_vuser->session_keystr = NULL;
session->compat_vuser->vuid = session->vuid;
DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
- /* This is a potentially untrusted username */
- alpha_strcpy(tmp, user, ". _-$", sizeof(tmp));
- session->server_info->sanitized_username =
- talloc_strdup(session->server_info, tmp);
-
- if (!session->server_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
- register_homes_share(session->server_info->unix_name);
+ register_homes_share(session->session_info->unix_info->unix_name);
}
if (!session_claim(session->sconn, session->compat_vuser)) {
* so that the response can be signed
*/
smb2req->session = session;
- if (session->do_signing) {
+ if (!guest) {
smb2req->do_signing = true;
}
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
/* Fall back to NTLMSSP. */
- status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ status = auth_generic_prepare(session->sconn->remote_address,
+ &session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
- status = auth_ntlmssp_update(session->auth_ntlmssp_state,
- secblob_in,
- &chal_out);
+ gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+
+ status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ status = gensec_update(session->auth_ntlmssp_state->gensec_security,
+ talloc_tos(), NULL,
+ secblob_in,
+ &chal_out);
}
if (!NT_STATUS_IS_OK(status) &&
uint16_t *out_session_flags,
uint64_t *out_session_id)
{
- fstring tmp;
+ bool guest = false;
if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
- lp_server_signing() == Required) {
+ lp_server_signing() == SMB_SIGNING_REQUIRED) {
session->do_signing = true;
}
- if (session->server_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
/* force no signing */
session->do_signing = false;
+ guest = true;
}
- session->session_key = session->server_info->user_session_key;
+ session->session_key = session->session_info->session_key;
session->compat_vuser = talloc_zero(session, user_struct);
if (session->compat_vuser == NULL) {
}
session->compat_vuser->auth_ntlmssp_state = session->auth_ntlmssp_state;
session->compat_vuser->homes_snum = -1;
- session->compat_vuser->server_info = session->server_info;
+ session->compat_vuser->session_info = session->session_info;
session->compat_vuser->session_keystr = NULL;
session->compat_vuser->vuid = session->vuid;
DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
- /* This is a potentially untrusted username */
- alpha_strcpy(tmp,
- auth_ntlmssp_get_username(session->auth_ntlmssp_state),
- ". _-$",
- sizeof(tmp));
- session->server_info->sanitized_username = talloc_strdup(
- session->server_info, tmp);
-
- if (!session->compat_vuser->server_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
- register_homes_share(session->server_info->unix_name);
+ register_homes_share(session->session_info->unix_info->unix_name);
}
if (!session_claim(session->sconn, session->compat_vuser)) {
* so that the response can be signed
*/
smb2req->session = session;
- if (session->do_signing) {
+ if (!guest) {
smb2req->do_signing = true;
}
}
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ status = auth_generic_prepare(session->sconn->remote_address,
+ &session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&auth);
+ TALLOC_FREE(session);
+ return status;
+ }
+
+ gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+
+ status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&auth);
TALLOC_FREE(session);
}
}
- status = auth_ntlmssp_update(session->auth_ntlmssp_state,
- auth,
- &auth_out);
- /* We need to call setup_ntlmssp_server_info() if status==NT_STATUS_OK,
- or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED,
- as this can trigger map to guest. */
- if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- status = setup_ntlmssp_server_info(session, status);
+ status = gensec_update(session->auth_ntlmssp_state->gensec_security,
+ talloc_tos(), NULL,
+ auth,
+ &auth_out);
+ /* If status is NT_STATUS_OK then we need to get the token.
+ * Map to guest is now internal to auth_ntlmssp */
+ if (NT_STATUS_IS_OK(status)) {
+ status = gensec_session_info(session->auth_ntlmssp_state->gensec_security,
+ session,
+ &session->session_info);
}
if (!NT_STATUS_IS_OK(status) &&
uint64_t *out_session_id)
{
NTSTATUS status;
- DATA_BLOB secblob_out = data_blob_null;
+
+ *out_security_buffer = data_blob_null;
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ status = auth_generic_prepare(session->sconn->remote_address,
+ &session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
- }
- /* RAW NTLMSSP */
- status = auth_ntlmssp_update(session->auth_ntlmssp_state,
- in_security_buffer,
- &secblob_out);
+ gensec_want_feature(session->auth_ntlmssp_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
- if (NT_STATUS_IS_OK(status) ||
- NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- *out_security_buffer = data_blob_talloc(smb2req,
- secblob_out.data,
- secblob_out.length);
- if (secblob_out.data && out_security_buffer->data == NULL) {
- TALLOC_FREE(session->auth_ntlmssp_state);
+ if (session->sconn->use_gensec_hook) {
+ status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+ } else {
+ status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
- return NT_STATUS_NO_MEMORY;
+ return status;
}
}
+ /* RAW NTLMSSP */
+ status = gensec_update(session->auth_ntlmssp_state->gensec_security,
+ smb2req, NULL,
+ in_security_buffer,
+ out_security_buffer);
+
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
*out_session_id = session->vuid;
return status;
}
- status = setup_ntlmssp_server_info(session, status);
+ status = gensec_session_info(session->auth_ntlmssp_state->gensec_security,
+ session,
+ &session->session_info);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session->auth_ntlmssp_state);
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
- return smbd_smb2_spnego_negotiate(session,
+ /* Handle either raw NTLMSSP or hand off the whole blob to
+ * GENSEC. The processing at this layer is essentially
+ * identical regardless. In particular, both rely only on the
+ * status code (not the contents of the packet) and do not
+ * wrap the result */
+ if (session->sconn->use_gensec_hook
+ || ntlmssp_blob_matches_magic(&in_security_buffer)) {
+ return smbd_smb2_raw_ntlmssp_auth(session,
smb2req,
in_security_mode,
in_security_buffer,
out_session_flags,
out_security_buffer,
out_session_id);
- } else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
- return smbd_smb2_spnego_auth(session,
+ } else if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
+ return smbd_smb2_spnego_negotiate(session,
smb2req,
in_security_mode,
in_security_buffer,
out_session_flags,
out_security_buffer,
out_session_id);
- } else if (strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) {
- return smbd_smb2_raw_ntlmssp_auth(session,
+ } else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
+ return smbd_smb2_spnego_auth(session,
smb2req,
in_security_mode,
in_security_buffer,
return NT_STATUS_LOGON_FAILURE;
}
-NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req)
-{
- const uint8_t *inhdr;
- const uint8_t *outhdr;
- int i = req->current_idx;
- uint64_t in_session_id;
- void *p;
- struct smbd_smb2_session *session;
- bool chained_fixup = false;
-
- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
-
- in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
-
- if (in_session_id == (0xFFFFFFFFFFFFFFFFLL)) {
- if (req->async) {
- /*
- * async request - fill in session_id from
- * already setup request out.vector[].iov_base.
- */
- outhdr = (const uint8_t *)req->out.vector[i].iov_base;
- in_session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID);
- } else if (i > 2) {
- /*
- * Chained request - fill in session_id from
- * the previous request out.vector[].iov_base.
- */
- outhdr = (const uint8_t *)req->out.vector[i-3].iov_base;
- in_session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID);
- chained_fixup = true;
- }
- }
-
- /* lookup an existing session */
- p = idr_find(req->sconn->smb2.sessions.idtree, in_session_id);
- if (p == NULL) {
- return NT_STATUS_USER_SESSION_DELETED;
- }
- session = talloc_get_type_abort(p, struct smbd_smb2_session);
-
- if (!NT_STATUS_IS_OK(session->status)) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
- set_current_user_info(session->server_info->sanitized_username,
- session->server_info->unix_name,
- session->server_info->info3->base.domain.string);
-
- req->session = session;
-
- if (chained_fixup) {
- /* Fix up our own outhdr. */
- outhdr = (const uint8_t *)req->out.vector[i].iov_base;
- SBVAL(outhdr, SMB2_HDR_SESSION_ID, in_session_id);
- }
- return NT_STATUS_OK;
-}
-
NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req)
{
- const uint8_t *inbody;
- int i = req->current_idx;
+ NTSTATUS status;
DATA_BLOB outbody;
- size_t expected_body_size = 0x04;
- size_t body_size;
-
- if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
- }
- inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
-
- body_size = SVAL(inbody, 0x00);
- if (body_size != expected_body_size) {
- return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ status = smbd_smb2_request_verify_sizes(req, 0x04);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
}
/*