2 Unix SMB/CIFS implementation.
4 Copyright (C) Stefan Metzmacher 2011-2012
5 Copyright (C) Michael Adam 2012
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "system/filesys.h"
23 #include "smbd/smbd.h"
24 #include "smbd/globals.h"
25 #include "dbwrap/dbwrap.h"
26 #include "dbwrap/dbwrap_rbt.h"
27 #include "dbwrap/dbwrap_open.h"
31 #include "../lib/tsocket/tsocket.h"
32 #include "../libcli/security/security.h"
34 #include "lib/util/util_tdb.h"
35 #include "librpc/gen_ndr/ndr_smbXsrv.h"
38 struct smbXsrv_session_table {
40 struct db_context *db_ctx;
43 uint32_t num_sessions;
46 struct db_context *db_ctx;
50 static struct db_context *smbXsrv_session_global_db_ctx = NULL;
52 NTSTATUS smbXsrv_session_global_init(void)
54 const char *global_path = NULL;
55 struct db_context *db_ctx = NULL;
57 if (smbXsrv_session_global_db_ctx != NULL) {
62 * This contains secret information like session keys!
64 global_path = lock_path("smbXsrv_session_global.tdb");
66 db_ctx = db_open(NULL, global_path,
70 TDB_INCOMPATIBLE_HASH,
71 O_RDWR | O_CREAT, 0600,
76 status = map_nt_error_from_unix_common(errno);
81 smbXsrv_session_global_db_ctx = db_ctx;
88 * We need to store the keys in big endian so that dbwrap_rbt's memcmp
89 * has the same result as integer comparison between the uint32_t
92 * TODO: implement string based key
95 #define SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE sizeof(uint32_t)
97 static TDB_DATA smbXsrv_session_global_id_to_key(uint32_t id,
102 RSIVAL(key_buf, 0, id);
104 key = make_tdb_data(key_buf, SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE);
109 static NTSTATUS smbXsrv_session_global_key_to_id(TDB_DATA key, uint32_t *id)
112 return NT_STATUS_INVALID_PARAMETER;
115 if (key.dsize != SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE){
116 return NT_STATUS_INTERNAL_DB_CORRUPTION;
119 *id = RIVAL(key.dptr, 0);
124 #define SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE sizeof(uint32_t)
126 static TDB_DATA smbXsrv_session_local_id_to_key(uint32_t id,
131 RSIVAL(key_buf, 0, id);
133 key = make_tdb_data(key_buf, SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE);
138 static NTSTATUS smbXsrv_session_local_key_to_id(TDB_DATA key, uint32_t *id)
141 return NT_STATUS_INVALID_PARAMETER;
144 if (key.dsize != SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE){
145 return NT_STATUS_INTERNAL_DB_CORRUPTION;
148 *id = RIVAL(key.dptr, 0);
153 static NTSTATUS smbXsrv_session_table_init(struct smbXsrv_connection *conn,
157 struct smbXsrv_session_table *table;
160 table = talloc_zero(conn, struct smbXsrv_session_table);
162 return NT_STATUS_NO_MEMORY;
165 table->local.db_ctx = db_open_rbt(conn);
166 if (table->local.db_ctx == NULL) {
168 return NT_STATUS_NO_MEMORY;
170 table->local.lowest_id = lowest_id;
171 table->local.highest_id = highest_id;
173 status = smbXsrv_session_global_init();
174 if (!NT_STATUS_IS_OK(status)) {
179 table->global.db_ctx = smbXsrv_session_global_db_ctx;
181 conn->session_table = table;
185 struct smb1srv_session_local_allocate_state {
186 const uint32_t lowest_id;
187 const uint32_t highest_id;
193 static int smb1srv_session_local_allocate_traverse(struct db_record *rec,
196 struct smb1srv_session_local_allocate_state *state =
197 (struct smb1srv_session_local_allocate_state *)private_data;
198 TDB_DATA key = dbwrap_record_get_key(rec);
202 status = smbXsrv_session_local_key_to_id(key, &id);
203 if (!NT_STATUS_IS_OK(status)) {
205 state->status = status;
209 if (id <= state->last_id) {
211 state->status = NT_STATUS_INTERNAL_DB_CORRUPTION;
216 if (id > state->useable_id) {
217 state->status = NT_STATUS_OK;
221 state->useable_id +=1;
225 static NTSTATUS smb1srv_session_local_allocate_id(struct db_context *db,
229 struct db_record **_rec,
232 struct smb1srv_session_local_allocate_state state = {
233 .lowest_id = lowest_id,
234 .highest_id = highest_id,
236 .useable_id = lowest_id,
237 .status = NT_STATUS_INTERNAL_ERROR,
247 if (lowest_id > highest_id) {
248 return NT_STATUS_INSUFFICIENT_RESOURCES;
251 range = (highest_id - lowest_id) + 1;
253 for (i = 0; i < range; i++) {
255 uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
258 struct db_record *rec = NULL;
260 id = generate_random() % range;
263 if (id < lowest_id) {
266 if (id > highest_id) {
270 key = smbXsrv_session_local_id_to_key(id, key_buf);
272 rec = dbwrap_fetch_locked(db, mem_ctx, key);
274 return NT_STATUS_INSUFFICIENT_RESOURCES;
277 val = dbwrap_record_get_value(rec);
278 if (val.dsize != 0) {
288 status = dbwrap_traverse_read(db, smb1srv_session_local_allocate_traverse,
290 if (!NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_DB_CORRUPTION)) {
292 * Here we really expect NT_STATUS_INTERNAL_DB_CORRUPTION!
294 * If we get anything else it is an error, because it
295 * means we did not manage to find a free slot in
298 return NT_STATUS_INSUFFICIENT_RESOURCES;
301 if (NT_STATUS_IS_OK(state.status)) {
303 uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
306 struct db_record *rec = NULL;
308 id = state.useable_id;
310 key = smbXsrv_session_local_id_to_key(id, key_buf);
312 rec = dbwrap_fetch_locked(db, mem_ctx, key);
314 return NT_STATUS_INSUFFICIENT_RESOURCES;
317 val = dbwrap_record_get_value(rec);
318 if (val.dsize != 0) {
320 return NT_STATUS_INTERNAL_DB_CORRUPTION;
331 struct smbXsrv_session_local_fetch_state {
332 struct smbXsrv_session *session;
336 static void smbXsrv_session_local_fetch_parser(TDB_DATA key, TDB_DATA data,
339 struct smbXsrv_session_local_fetch_state *state =
340 (struct smbXsrv_session_local_fetch_state *)private_data;
343 if (data.dsize != sizeof(ptr)) {
344 state->status = NT_STATUS_INTERNAL_DB_ERROR;
348 memcpy(&ptr, data.dptr, data.dsize);
349 state->session = talloc_get_type_abort(ptr, struct smbXsrv_session);
350 state->status = NT_STATUS_OK;
353 static NTSTATUS smbXsrv_session_local_lookup(struct smbXsrv_session_table *table,
354 uint32_t session_local_id,
356 struct smbXsrv_session **_session)
358 struct smbXsrv_session_local_fetch_state state = {
360 .status = NT_STATUS_INTERNAL_ERROR,
362 uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
368 if (session_local_id == 0) {
369 return NT_STATUS_USER_SESSION_DELETED;
373 /* this might happen before the end of negprot */
374 return NT_STATUS_USER_SESSION_DELETED;
377 if (table->local.db_ctx == NULL) {
378 return NT_STATUS_INTERNAL_ERROR;
381 key = smbXsrv_session_local_id_to_key(session_local_id, key_buf);
383 status = dbwrap_parse_record(table->local.db_ctx, key,
384 smbXsrv_session_local_fetch_parser,
386 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
387 return NT_STATUS_USER_SESSION_DELETED;
388 } else if (!NT_STATUS_IS_OK(status)) {
391 if (!NT_STATUS_IS_OK(state.status)) {
395 state.session->idle_time = now;
397 if (!NT_STATUS_IS_OK(state.session->status)) {
398 *_session = state.session;
399 return state.session->status;
402 if (now > state.session->global->expiration_time) {
403 state.session->status = NT_STATUS_NETWORK_SESSION_EXPIRED;
406 *_session = state.session;
407 return state.session->status;
410 static int smbXsrv_session_global_destructor(struct smbXsrv_session_global0 *global)
415 static void smbXsrv_session_global_verify_record(struct db_record *db_rec,
419 struct smbXsrv_session_global0 **_g);
421 static NTSTATUS smbXsrv_session_global_allocate(struct db_context *db,
423 struct smbXsrv_session_global0 **_global)
426 struct smbXsrv_session_global0 *global = NULL;
427 uint32_t last_free = 0;
428 const uint32_t min_tries = 3;
432 global = talloc_zero(mem_ctx, struct smbXsrv_session_global0);
433 if (global == NULL) {
434 return NT_STATUS_NO_MEMORY;
436 talloc_set_destructor(global, smbXsrv_session_global_destructor);
438 for (i = 0; i < UINT32_MAX; i++) {
439 bool is_free = false;
440 bool was_free = false;
442 uint8_t key_buf[SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE];
445 if (i >= min_tries && last_free != 0) {
448 id = generate_random();
450 if (id >= UINT16_MAX) {
452 * For now we truncate to 16bit,
453 * as that's what all callers
454 * expect (uint16_t vuid).
456 id = id & UINT16_MAX;
461 if (id == UINT32_MAX) {
465 key = smbXsrv_session_global_id_to_key(id, key_buf);
467 global->db_rec = dbwrap_fetch_locked(db, mem_ctx, key);
468 if (global->db_rec == NULL) {
470 return NT_STATUS_INSUFFICIENT_RESOURCES;
473 smbXsrv_session_global_verify_record(global->db_rec,
479 TALLOC_FREE(global->db_rec);
483 if (!was_free && i < min_tries) {
485 * The session_id is free now,
486 * but was not free before.
488 * This happens if a smbd crashed
489 * and did not cleanup the record.
491 * If this is one of our first tries,
492 * then we try to find a real free one.
494 if (last_free == 0) {
497 TALLOC_FREE(global->db_rec);
500 global->session_global_id = id;
506 /* should not be reached */
508 return NT_STATUS_INTERNAL_ERROR;
511 static void smbXsrv_session_global_verify_record(struct db_record *db_rec,
515 struct smbXsrv_session_global0 **_g)
519 struct smbXsrv_session_globalB global_blob;
520 enum ndr_err_code ndr_err;
521 struct smbXsrv_session_global0 *global = NULL;
523 TALLOC_CTX *frame = talloc_stackframe();
534 val = dbwrap_record_get_value(db_rec);
535 if (val.dsize == 0) {
544 blob = data_blob_const(val.dptr, val.dsize);
546 ndr_err = ndr_pull_struct_blob_all(&blob, frame, &global_blob,
547 (ndr_pull_flags_fn_t)ndr_pull_smbXsrv_session_globalB);
548 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
553 DEBUG(0,("smbXsrv_session_global_verify_record\n"));
554 NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
556 if (global_blob.version != SMBXSRV_VERSION_0) {
561 global = global_blob.info.info0;
563 exists = serverid_exists(&global->channels[0].server_id);
566 dbwrap_record_delete(db_rec);
572 *_g = talloc_move(mem_ctx, &global);
577 static NTSTATUS smbXsrv_session_global_store(struct smbXsrv_connection *sconn,
578 struct smbXsrv_session_global0 *global)
580 struct smbXsrv_session_globalB global_blob;
581 DATA_BLOB blob = data_blob_null;
584 enum ndr_err_code ndr_err;
587 * TODO: if we use other versions than '0'
588 * we would add glue code here, that would be able to
589 * store the information in the old format.
592 if (global->db_rec == NULL) {
593 return NT_STATUS_INTERNAL_ERROR;
596 val = dbwrap_record_get_value(global->db_rec);
598 ZERO_STRUCT(global_blob);
599 global_blob.version = smbXsrv_version_global_current();
600 if (val.dsize >= 8) {
601 global_blob.seqnum = IVAL(val.dptr, 4);
603 global_blob.seqnum += 1;
604 global_blob.info.info0 = global;
606 ndr_err = ndr_push_struct_blob(&blob, global->db_rec, &global_blob,
607 (ndr_push_flags_fn_t)ndr_push_smbXsrv_session_globalB);
608 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
609 //status = ndr_err_code;
610 TALLOC_FREE(global->db_rec);
615 val = make_tdb_data(blob.data, blob.length);
616 status = dbwrap_record_store(global->db_rec, val, TDB_REPLACE);
617 TALLOC_FREE(global->db_rec);
618 if (!NT_STATUS_IS_OK(status)) {
625 static int smbXsrv_session_destructor(struct smbXsrv_session *session)
627 struct smbXsrv_session_table *table;
628 struct db_record *local_rec = NULL;
629 struct db_record *global_rec = NULL;
632 if (session->table == NULL) {
636 table = session->table;
637 session->table = NULL;
639 session->connection = NULL;
641 local_rec = session->db_rec;
642 session->db_rec = NULL;
643 if (local_rec == NULL) {
644 uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
647 key = smbXsrv_session_local_id_to_key(session->local_id,
650 local_rec = dbwrap_fetch_locked(table->local.db_ctx,
654 if (local_rec != NULL) {
655 status = dbwrap_record_delete(local_rec);
658 global_rec = session->global->db_rec;
659 session->global->db_rec = NULL;
660 if (global_rec == NULL) {
661 uint8_t key_buf[SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE];
664 key = smbXsrv_session_global_id_to_key(
665 session->global->session_global_id,
668 global_rec = dbwrap_fetch_locked(table->global.db_ctx,
669 session->global, key);
672 if (global_rec != NULL) {
673 status = dbwrap_record_delete(global_rec);
675 TALLOC_FREE(session->global);
680 NTSTATUS smbXsrv_session_create(struct smbXsrv_connection *conn,
682 struct smbXsrv_session **_session)
684 struct smbXsrv_session_table *table = conn->session_table;
685 uint32_t max_sessions = table->local.highest_id - table->local.lowest_id;
686 struct db_record *local_rec = NULL;
687 struct smbXsrv_session *session = NULL;
690 struct smbXsrv_session_global0 *global = NULL;
691 struct smbXsrv_channel_global0 *channels = NULL;
694 //system("sleep 999999");
696 if (table->local.num_sessions >= max_sessions) {
697 return NT_STATUS_INSUFFICIENT_RESOURCES;
698 // TODO smb1 return NT_STATUS_TOO_MANY_SESSIONS;
701 session = talloc_zero(conn, struct smbXsrv_session);
702 if (session == NULL) {
703 return NT_STATUS_NO_MEMORY;
705 session->table = table;
706 session->idle_time = now;
707 session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
708 session->connection = conn;
710 status = smbXsrv_session_global_allocate(table->global.db_ctx,
713 if (!NT_STATUS_IS_OK(status)) {
714 talloc_free(session);
717 session->global = global;
719 talloc_set_destructor(session, smbXsrv_session_destructor);
721 if (conn->protocol >= PROTOCOL_SMB2_02) {
722 uint16_t dialect = SMB2_DIALECT_REVISION_2FF;
723 uint64_t id = global->session_global_id;
724 uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
727 global->session_wire_id = id;
729 switch (conn->protocol) {
730 case PROTOCOL_SMB2_02:
731 dialect = SMB2_DIALECT_REVISION_202;
733 case PROTOCOL_SMB2_10:
734 dialect = SMB2_DIALECT_REVISION_210;
736 case PROTOCOL_SMB2_22:
737 dialect = SMB2_DIALECT_REVISION_222;
739 case PROTOCOL_SMB2_24:
740 dialect = SMB2_DIALECT_REVISION_224;
742 case PROTOCOL_SMB3_00:
743 dialect = SMB3_DIALECT_REVISION_300;
746 talloc_free(session);
747 return NT_STATUS_INTERNAL_ERROR;
749 global->connection_dialect = dialect;
751 session->local_id = global->session_global_id;
753 key = smbXsrv_session_local_id_to_key(session->local_id, key_buf);
755 local_rec = dbwrap_fetch_locked(table->local.db_ctx,
757 if (local_rec == NULL) {
758 return NT_STATUS_NO_MEMORY;
761 val = dbwrap_record_get_value(local_rec);
762 if (val.dsize != 0) {
763 return NT_STATUS_INTERNAL_DB_CORRUPTION;
767 status = smb1srv_session_local_allocate_id(table->local.db_ctx,
768 table->local.lowest_id,
769 table->local.highest_id,
773 if (!NT_STATUS_IS_OK(status)) {
777 global->session_wire_id = session->local_id;
781 val = make_tdb_data((uint8_t const *)&ptr, sizeof(ptr));
782 status = dbwrap_record_store(local_rec, val, TDB_REPLACE);
783 TALLOC_FREE(local_rec);
784 if (!NT_STATUS_IS_OK(status)) {
785 talloc_free(session);
789 global->creation_time = now;
790 global->expiration_time = GENSEC_EXPIRE_TIME_INFINITY;
792 global->num_channels = 1;
793 channels = talloc_zero_array(global,
794 struct smbXsrv_channel_global0,
795 global->num_channels);
796 if (channels == NULL) {
797 talloc_free(session);
798 return NT_STATUS_NO_MEMORY;
800 global->channels = channels;
802 channels[0].server_id = messaging_server_id(conn->msg_ctx);
803 channels[0].local_address = tsocket_address_string(conn->local_address,
805 if (channels[0].local_address == NULL) {
806 talloc_free(session);
807 return NT_STATUS_NO_MEMORY;
809 channels[0].remote_address = tsocket_address_string(conn->remote_address,
811 if (channels[0].remote_address == NULL) {
812 talloc_free(session);
813 return NT_STATUS_NO_MEMORY;
815 channels[0].remote_name = talloc_strdup(channels, conn->remote_hostname);
816 if (channels[0].remote_name == NULL) {
817 talloc_free(session);
818 return NT_STATUS_NO_MEMORY;
820 channels[0].signing_key = data_blob_null;
822 status = smbXsrv_session_global_store(conn,
824 if (!NT_STATUS_IS_OK(status)) {
825 talloc_free(session);
830 struct smbXsrv_sessionB session_blob;
832 ZERO_STRUCT(session_blob);
833 session_blob.version = SMBXSRV_VERSION_0;
834 session_blob.info.info0 = session;
836 NDR_PRINT_DEBUG(smbXsrv_sessionB, &session_blob);
843 NTSTATUS smbXsrv_session_update(struct smbXsrv_session *session)
845 struct smbXsrv_session_table *table = session->table;
847 uint8_t key_buf[SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE];
850 if (session->global->db_rec != NULL) {
851 return NT_STATUS_INTERNAL_ERROR;
854 key = smbXsrv_session_global_id_to_key(
855 session->global->session_global_id,
858 session->global->db_rec = dbwrap_fetch_locked(table->global.db_ctx,
859 session->global, key);
860 if (session->global->db_rec == NULL) {
861 // TODO proper return code?
862 return NT_STATUS_NO_MEMORY;
865 status = smbXsrv_session_global_store(session->connection,
867 if (!NT_STATUS_IS_OK(status)) {
873 struct smbXsrv_sessionB session_blob;
875 ZERO_STRUCT(session_blob);
876 session_blob.version = SMBXSRV_VERSION_0;
877 session_blob.info.info0 = session;
879 NDR_PRINT_DEBUG(smbXsrv_sessionB, &session_blob);
885 NTSTATUS smb1srv_session_table_init(struct smbXsrv_connection *conn)
888 * Allow a range from 100..65534.
890 return smbXsrv_session_table_init(conn, 100, UINT16_MAX - 1);
893 NTSTATUS smb1srv_session_lookup(struct smbXsrv_connection *conn,
894 uint16_t vuid, NTTIME now,
895 struct smbXsrv_session **session)
897 struct smbXsrv_session_table *table = conn->session_table;
898 uint32_t local_id = vuid;
900 return smbXsrv_session_local_lookup(table, local_id, now, session);
903 NTSTATUS smb2srv_session_table_init(struct smbXsrv_connection *conn)
906 * For now use the same range as SMB1.
908 * Allow a range from 100..65534.
910 return smbXsrv_session_table_init(conn, 100, UINT16_MAX - 1);
913 NTSTATUS smb2srv_session_lookup(struct smbXsrv_connection *conn,
914 uint64_t session_id, NTTIME now,
915 struct smbXsrv_session **session)
917 struct smbXsrv_session_table *table = conn->session_table;
918 uint32_t local_id = session_id & UINT32_MAX;
919 uint64_t local_zeros = session_id & 0xFFFFFFFF00000000LLU;
921 if (local_zeros != 0) {
922 return NT_STATUS_USER_SESSION_DELETED;
925 return smbXsrv_session_local_lookup(table, local_id, now, session);