Context Navigation

source: vendor/3.6.9/source3/smbd/sesssetup.c

Visit:

Last change on this file was 746, checked in by Silvan Scherrer, 13 years ago
Samba Server: updated vendor to 3.6.9
File size: 48.8 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	handle SMBsessionsetup
4	Copyright (C) Andrew Tridgell 1998-2001
5	Copyright (C) Andrew Bartlett 2001
6	Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
7	Copyright (C) Luke Howard 2003
8	Copyright (C) Volker Lendecke 2007
9	Copyright (C) Jeremy Allison 2007
10
11	This program is free software; you can redistribute it and/or modify
12	it under the terms of the GNU General Public License as published by
13	the Free Software Foundation; either version 3 of the License, or
14	(at your option) any later version.
15
16	This program is distributed in the hope that it will be useful,
17	but WITHOUT ANY WARRANTY; without even the implied warranty of
18	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19	GNU General Public License for more details.
20
21	You should have received a copy of the GNU General Public License
22	along with this program. If not, see <http://www.gnu.org/licenses/>.
23	*/
24
25	#include "includes.h"
26	#include "../lib/tsocket/tsocket.h"
27	#include "smbd/smbd.h"
28	#include "smbd/globals.h"
29	#include "../libcli/auth/spnego.h"
30	#include "../libcli/auth/ntlmssp.h"
31	#include "ntlmssp_wrap.h"
32	#include "../librpc/gen_ndr/krb5pac.h"
33	#include "libads/kerberos_proto.h"
34	#include "../lib/util/asn1.h"
35	#include "auth.h"
36	#include "messages.h"
37	#include "smbprofile.h"
38
39	/* For split krb5 SPNEGO blobs. */
40	struct pending_auth_data {
41	struct pending_auth_data prev, next;
42	uint16 vuid; /* Tag for this entry. */
43	uint16 smbpid; /* Alternate tag for this entry. */
44	size_t needed_len;
45	DATA_BLOB partial_data;
46	};
47
48	/*
49	on a logon error possibly map the error to success if "map to guest"
50	is set approriately
51	*/
52	NTSTATUS do_map_to_guest(NTSTATUS status,
53	struct auth_serversupplied_info **server_info,
54	const char user, const char domain)
55	{
56	user = user ? user : "";
57	domain = domain ? domain : "";
58
59	if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
60	if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) \|\|
61	(lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
62	DEBUG(3,("No such user %s [%s] - using guest account\n",
63	user, domain));
64	status = make_server_info_guest(NULL, server_info);
65	}
66	}
67
68	if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
69	if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
70	DEBUG(3,("Registered username %s for guest access\n",
71	user));
72	status = make_server_info_guest(NULL, server_info);
73	}
74	}
75
76	return status;
77	}
78
79	/****************************************************************************
80	Add the standard 'Samba' signature to the end of the session setup.
81	****************************************************************************/
82
83	static int push_signature(uint8 **outbuf)
84	{
85	char *lanman;
86	int result, tmp;
87
88	result = 0;
89
90	tmp = message_push_string(outbuf, "Unix", STR_TERMINATE);
91
92	if (tmp == -1) return -1;
93	result += tmp;
94
95	if (asprintf(&lanman, "Samba %s", samba_version_string()) != -1) {
96	tmp = message_push_string(outbuf, lanman, STR_TERMINATE);
97	SAFE_FREE(lanman);
98	}
99	else {
100	tmp = message_push_string(outbuf, "Samba", STR_TERMINATE);
101	}
102
103	if (tmp == -1) return -1;
104	result += tmp;
105
106	tmp = message_push_string(outbuf, lp_workgroup(), STR_TERMINATE);
107
108	if (tmp == -1) return -1;
109	result += tmp;
110
111	return result;
112	}
113
114	/****************************************************************************
115	Send a security blob via a session setup reply.
116	****************************************************************************/
117
118	static void reply_sesssetup_blob(struct smb_request *req,
119	DATA_BLOB blob,
120	NTSTATUS nt_status)
121	{
122	if (!NT_STATUS_IS_OK(nt_status) &&
123	!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
124	reply_nterror(req, nt_status_squash(nt_status));
125	return;
126	}
127
128	nt_status = nt_status_squash(nt_status);
129	SIVAL(req->outbuf, smb_rcls, NT_STATUS_V(nt_status));
130	SSVAL(req->outbuf, smb_vwv0, 0xFF); /* no chaining possible */
131	SSVAL(req->outbuf, smb_vwv3, blob.length);
132
133	if ((message_push_blob(&req->outbuf, blob) == -1)
134	\|\| (push_signature(&req->outbuf) == -1)) {
135	reply_nterror(req, NT_STATUS_NO_MEMORY);
136	}
137	}
138
139	/****************************************************************************
140	Do a 'guest' logon, getting back the
141	****************************************************************************/
142
143	static NTSTATUS check_guest_password(struct auth_serversupplied_info **server_info)
144	{
145	struct auth_context *auth_context;
146	struct auth_usersupplied_info *user_info = NULL;
147
148	NTSTATUS nt_status;
149	static unsigned char chal[8] = { 0, };
150
151	DEBUG(3,("Got anonymous request\n"));
152
153	nt_status = make_auth_context_fixed(talloc_tos(), &auth_context, chal);
154	if (!NT_STATUS_IS_OK(nt_status)) {
155	return nt_status;
156	}
157
158	if (!make_user_info_guest(&user_info)) {
159	TALLOC_FREE(auth_context);
160	return NT_STATUS_NO_MEMORY;
161	}
162
163	nt_status = auth_context->check_ntlm_password(auth_context,
164	user_info,
165	server_info);
166	TALLOC_FREE(auth_context);
167	free_user_info(&user_info);
168	return nt_status;
169	}
170
171
172	#ifdef HAVE_KRB5
173
174	#if 0
175	/* Experiment that failed. See "only happens with a KDC" comment below. */
176	/****************************************************************************
177	Cerate a clock skew error blob for a Windows client.
178	****************************************************************************/
179
180	static bool make_krb5_skew_error(DATA_BLOB *pblob_out)
181	{
182	krb5_context context = NULL;
183	krb5_error_code kerr = 0;
184	krb5_data reply;
185	krb5_principal host_princ = NULL;
186	char *host_princ_s = NULL;
187	bool ret = False;
188
189	*pblob_out = data_blob_null;
190
191	initialize_krb5_error_table();
192	kerr = krb5_init_context(&context);
193	if (kerr) {
194	return False;
195	}
196	/* Create server principal. */
197	asprintf(&host_princ_s, "%s$@%s", global_myname(), lp_realm());
198	if (!host_princ_s) {
199	goto out;
200	}
201	strlower_m(host_princ_s);
202
203	kerr = smb_krb5_parse_name(context, host_princ_s, &host_princ);
204	if (kerr) {
205	DEBUG(10,("make_krb5_skew_error: smb_krb5_parse_name failed "
206	"for name %s: Error %s\n",
207	host_princ_s, error_message(kerr) ));
208	goto out;
209	}
210
211	kerr = smb_krb5_mk_error(context, KRB5KRB_AP_ERR_SKEW,
212	host_princ, &reply);
213	if (kerr) {
214	DEBUG(10,("make_krb5_skew_error: smb_krb5_mk_error "
215	"failed: Error %s\n",
216	error_message(kerr) ));
217	goto out;
218	}
219
220	*pblob_out = data_blob(reply.data, reply.length);
221	kerberos_free_data_contents(context,&reply);
222	ret = True;
223
224	out:
225
226	if (host_princ_s) {
227	SAFE_FREE(host_princ_s);
228	}
229	if (host_princ) {
230	krb5_free_principal(context, host_princ);
231	}
232	krb5_free_context(context);
233	return ret;
234	}
235	#endif
236
237	/****************************************************************************
238	Reply to a session setup spnego negotiate packet for kerberos.
239	****************************************************************************/
240
241	static void reply_spnego_kerberos(struct smb_request *req,
242	DATA_BLOB *secblob,
243	const char *mechOID,
244	uint16 vuid,
245	bool *p_invalidate_vuid)
246	{
247	TALLOC_CTX *mem_ctx;
248	DATA_BLOB ticket;
249	struct passwd *pw;
250	int sess_vuid = req->vuid;
251	NTSTATUS ret = NT_STATUS_OK;
252	DATA_BLOB ap_rep, ap_rep_wrapped, response;
253	struct auth_serversupplied_info *server_info = NULL;
254	DATA_BLOB session_key = data_blob_null;
255	uint8 tok_id[2];
256	DATA_BLOB nullblob = data_blob_null;
257	bool map_domainuser_to_guest = False;
258	bool username_was_mapped;
259	struct PAC_LOGON_INFO *logon_info = NULL;
260	struct smbd_server_connection *sconn = req->sconn;
261	char *principal;
262	char *user;
263	char *domain;
264	char *real_username;
265
266	ZERO_STRUCT(ticket);
267	ZERO_STRUCT(ap_rep);
268	ZERO_STRUCT(ap_rep_wrapped);
269	ZERO_STRUCT(response);
270
271	/* Normally we will always invalidate the intermediate vuid. */
272	*p_invalidate_vuid = True;
273
274	mem_ctx = talloc_init("reply_spnego_kerberos");
275	if (mem_ctx == NULL) {
276	reply_nterror(req, nt_status_squash(NT_STATUS_NO_MEMORY));
277	return;
278	}
279
280	if (!spnego_parse_krb5_wrap(mem_ctx, *secblob, &ticket, tok_id)) {
281	talloc_destroy(mem_ctx);
282	reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
283	return;
284	}
285
286	ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket,
287	&principal, &logon_info, &ap_rep,
288	&session_key, True);
289
290	data_blob_free(&ticket);
291
292	if (!NT_STATUS_IS_OK(ret)) {
293	#if 0
294	/* Experiment that failed.
295	* See "only happens with a KDC" comment below. */
296
297	if (NT_STATUS_EQUAL(ret, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
298
299	/*
300	* Windows in this case returns
301	* NT_STATUS_MORE_PROCESSING_REQUIRED
302	* with a negTokenTarg blob containing an krb5_error
303	* struct ASN1 encoded containing KRB5KRB_AP_ERR_SKEW.
304	* The client then fixes its clock and continues rather
305	* than giving an error. JRA.
306	* -- Looks like this only happens with a KDC. JRA.
307	*/
308
309	bool ok = make_krb5_skew_error(&ap_rep);
310	if (!ok) {
311	talloc_destroy(mem_ctx);
312	return ERROR_NT(nt_status_squash(
313	NT_STATUS_LOGON_FAILURE));
314	}
315	ap_rep_wrapped = spnego_gen_krb5_wrap(ap_rep,
316	TOK_ID_KRB_ERROR);
317	response = spnego_gen_auth_response(&ap_rep_wrapped,
318	ret, OID_KERBEROS5_OLD);
319	reply_sesssetup_blob(conn, inbuf, outbuf, response,
320	NT_STATUS_MORE_PROCESSING_REQUIRED);
321
322	/*
323	* In this one case we don't invalidate the
324	* intermediate vuid as we're expecting the client
325	* to re-use it for the next sessionsetupX packet. JRA.
326	*/
327
328	*p_invalidate_vuid = False;
329
330	data_blob_free(&ap_rep);
331	data_blob_free(&ap_rep_wrapped);
332	data_blob_free(&response);
333	talloc_destroy(mem_ctx);
334	return -1; /* already replied */
335	}
336	#else
337	if (!NT_STATUS_EQUAL(ret, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
338	ret = NT_STATUS_LOGON_FAILURE;
339	}
340	#endif
341	DEBUG(1,("Failed to verify incoming ticket with error %s!\n",
342	nt_errstr(ret)));
343	talloc_destroy(mem_ctx);
344	reply_nterror(req, nt_status_squash(ret));
345	return;
346	}
347
348	ret = get_user_from_kerberos_info(talloc_tos(),
349	sconn->client_id.name,
350	principal, logon_info,
351	&username_was_mapped,
352	&map_domainuser_to_guest,
353	&user, &domain,
354	&real_username, &pw);
355	if (!NT_STATUS_IS_OK(ret)) {
356	data_blob_free(&ap_rep);
357	data_blob_free(&session_key);
358	talloc_destroy(mem_ctx);
359	reply_nterror(req,nt_status_squash(NT_STATUS_LOGON_FAILURE));
360	return;
361	}
362
363	/* save the PAC data if we have it */
364	if (logon_info) {
365	netsamlogon_cache_store(user, &logon_info->info3);
366	}
367
368	/* setup the string used by %U */
369	sub_set_smb_name(real_username);
370
371	/* reload services so that the new %U is taken into account */
372	reload_services(sconn->msg_ctx, sconn->sock, True);
373
374	ret = make_server_info_krb5(mem_ctx,
375	user, domain, real_username, pw,
376	logon_info, map_domainuser_to_guest,
377	&server_info);
378	if (!NT_STATUS_IS_OK(ret)) {
379	DEBUG(1, ("make_server_info_krb5 failed!\n"));
380	data_blob_free(&ap_rep);
381	data_blob_free(&session_key);
382	TALLOC_FREE(mem_ctx);
383	reply_nterror(req, nt_status_squash(ret));
384	return;
385	}
386
387	server_info->nss_token \|= username_was_mapped;
388
389	/* we need to build the token for the user. make_server_info_guest()
390	already does this */
391
392	if ( !server_info->security_token ) {
393	ret = create_local_token( server_info );
394	if ( !NT_STATUS_IS_OK(ret) ) {
395	DEBUG(10,("failed to create local token: %s\n",
396	nt_errstr(ret)));
397	data_blob_free(&ap_rep);
398	data_blob_free(&session_key);
399	TALLOC_FREE( mem_ctx );
400	TALLOC_FREE( server_info );
401	reply_nterror(req, nt_status_squash(ret));
402	return;
403	}
404	}
405
406	if (!is_partial_auth_vuid(sconn, sess_vuid)) {
407	sess_vuid = register_initial_vuid(sconn);
408	}
409
410	data_blob_free(&server_info->user_session_key);
411	/* Set the kerberos-derived session key onto the server_info */
412	server_info->user_session_key = session_key;
413	talloc_steal(server_info, session_key.data);
414
415	session_key = data_blob_null;
416
417	/* register_existing_vuid keeps the server info */
418	/* register_existing_vuid takes ownership of session_key on success,
419	* no need to free after this on success. A better interface would copy
420	* it.... */
421
422	sess_vuid = register_existing_vuid(sconn, sess_vuid,
423	server_info, nullblob, user);
424
425	reply_outbuf(req, 4, 0);
426	SSVAL(req->outbuf,smb_uid,sess_vuid);
427
428	if (sess_vuid == UID_FIELD_INVALID ) {
429	ret = NT_STATUS_LOGON_FAILURE;
430	} else {
431	/* current_user_info is changed on new vuid */
432	reload_services(sconn->msg_ctx, sconn->sock, True);
433
434	SSVAL(req->outbuf, smb_vwv3, 0);
435
436	if (server_info->guest) {
437	SSVAL(req->outbuf,smb_vwv2,1);
438	}
439
440	SSVAL(req->outbuf, smb_uid, sess_vuid);
441
442	/* Successful logon. Keep this vuid. */
443	*p_invalidate_vuid = False;
444	}
445
446	/* wrap that up in a nice GSS-API wrapping */
447	if (NT_STATUS_IS_OK(ret)) {
448	ap_rep_wrapped = spnego_gen_krb5_wrap(talloc_tos(), ap_rep,
449	TOK_ID_KRB_AP_REP);
450	} else {
451	ap_rep_wrapped = data_blob_null;
452	}
453	response = spnego_gen_auth_response(talloc_tos(), &ap_rep_wrapped, ret,
454	mechOID);
455	reply_sesssetup_blob(req, response, ret);
456
457	data_blob_free(&ap_rep);
458	data_blob_free(&ap_rep_wrapped);
459	data_blob_free(&response);
460	TALLOC_FREE(mem_ctx);
461	}
462
463	#endif
464
465	/****************************************************************************
466	Send a session setup reply, wrapped in SPNEGO.
467	Get vuid and check first.
468	End the NTLMSSP exchange context if we are OK/complete fail
469	This should be split into two functions, one to handle each
470	leg of the NTLM auth steps.
471	***************************************************************************/
472
473	static void reply_spnego_ntlmssp(struct smb_request *req,
474	uint16 vuid,
475	struct auth_ntlmssp_state **auth_ntlmssp_state,
476	DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status,
477	const char *OID,
478	bool wrap)
479	{
480	bool do_invalidate = true;
481	DATA_BLOB response;
482	struct auth_serversupplied_info *session_info = NULL;
483	struct smbd_server_connection *sconn = req->sconn;
484
485	if (NT_STATUS_IS_OK(nt_status)) {
486	nt_status = auth_ntlmssp_steal_session_info(talloc_tos(),
487	(*auth_ntlmssp_state), &session_info);
488	} else {
489	/* Note that this session_info won't have a session
490	* key. But for map to guest, that's exactly the right
491	* thing - we can't reasonably guess the key the
492	* client wants, as the password was wrong */
493	nt_status = do_map_to_guest(nt_status,
494	&session_info,
495	auth_ntlmssp_get_username(*auth_ntlmssp_state),
496	auth_ntlmssp_get_domain(*auth_ntlmssp_state));
497	}
498
499	reply_outbuf(req, 4, 0);
500
501	SSVAL(req->outbuf, smb_uid, vuid);
502
503	if (NT_STATUS_IS_OK(nt_status)) {
504	DATA_BLOB nullblob = data_blob_null;
505
506	if (!is_partial_auth_vuid(sconn, vuid)) {
507	nt_status = NT_STATUS_LOGON_FAILURE;
508	goto out;
509	}
510
511	/* register_existing_vuid keeps the server info */
512	if (register_existing_vuid(sconn, vuid,
513	session_info, nullblob,
514	auth_ntlmssp_get_username(*auth_ntlmssp_state)) !=
515	vuid) {
516	/* The problem is, *auth_ntlmssp_state points
517	* into the vuser this will have
518	* talloc_free()'ed in
519	* register_existing_vuid() */
520	do_invalidate = false;
521	nt_status = NT_STATUS_LOGON_FAILURE;
522	goto out;
523	}
524
525	/* current_user_info is changed on new vuid */
526	reload_services(sconn->msg_ctx, sconn->sock, True);
527
528	SSVAL(req->outbuf, smb_vwv3, 0);
529
530	if (session_info->guest) {
531	SSVAL(req->outbuf,smb_vwv2,1);
532	}
533	}
534
535	out:
536
537	if (wrap) {
538	response = spnego_gen_auth_response(talloc_tos(),
539	ntlmssp_blob,
540	nt_status, OID);
541	} else {
542	response = *ntlmssp_blob;
543	}
544
545	reply_sesssetup_blob(req, response, nt_status);
546	if (wrap) {
547	data_blob_free(&response);
548	}
549
550	/* NT_STATUS_MORE_PROCESSING_REQUIRED from our NTLMSSP code tells us,
551	and the other end, that we are not finished yet. */
552
553	if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
554	/* NB. This is NOT an error case. JRA */
555	if (do_invalidate) {
556	TALLOC_FREE(*auth_ntlmssp_state);
557	if (!NT_STATUS_IS_OK(nt_status)) {
558	/* Kill the intermediate vuid */
559	invalidate_vuid(sconn, vuid);
560	}
561	}
562	}
563	}
564
565	/****************************************************************************
566	Is this a krb5 mechanism ?
567	****************************************************************************/
568
569	NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
570	DATA_BLOB blob_in,
571	DATA_BLOB *pblob_out,
572	char **kerb_mechOID)
573	{
574	char *OIDs[ASN1_MAX_OIDS];
575	int i;
576	NTSTATUS ret = NT_STATUS_OK;
577
578	*kerb_mechOID = NULL;
579
580	/* parse out the OIDs and the first sec blob */
581	if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out) \|\|
582	(OIDs[0] == NULL)) {
583	return NT_STATUS_LOGON_FAILURE;
584	}
585
586	/* only look at the first OID for determining the mechToken --
587	according to RFC2478, we should choose the one we want
588	and renegotiate, but i smell a client bug here..
589
590	Problem observed when connecting to a member (samba box)
591	of an AD domain as a user in a Samba domain. Samba member
592	server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
593	client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
594	NTLMSSP mechtoken. --jerry */
595
596	#ifdef HAVE_KRB5
597	if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 \|\|
598	strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
599	*kerb_mechOID = talloc_strdup(ctx, OIDs[0]);
600	if (*kerb_mechOID == NULL) {
601	ret = NT_STATUS_NO_MEMORY;
602	}
603	}
604	#endif
605
606	for (i=0;OIDs[i];i++) {
607	DEBUG(5,("parse_spnego_mechanisms: Got OID %s\n", OIDs[i]));
608	talloc_free(OIDs[i]);
609	}
610	return ret;
611	}
612
613	/****************************************************************************
614	Fall back from krb5 to NTLMSSP.
615	****************************************************************************/
616
617	static void reply_spnego_downgrade_to_ntlmssp(struct smb_request *req,
618	uint16 vuid)
619	{
620	DATA_BLOB response;
621
622	reply_outbuf(req, 4, 0);
623	SSVAL(req->outbuf,smb_uid,vuid);
624
625	DEBUG(3,("reply_spnego_downgrade_to_ntlmssp: Got krb5 ticket in SPNEGO "
626	"but set to downgrade to NTLMSSP\n"));
627
628	response = spnego_gen_auth_response(talloc_tos(), NULL,
629	NT_STATUS_MORE_PROCESSING_REQUIRED,
630	OID_NTLMSSP);
631	reply_sesssetup_blob(req, response, NT_STATUS_MORE_PROCESSING_REQUIRED);
632	data_blob_free(&response);
633	}
634
635	/****************************************************************************
636	Reply to a session setup spnego negotiate packet.
637	****************************************************************************/
638
639	static void reply_spnego_negotiate(struct smb_request *req,
640	uint16 vuid,
641	DATA_BLOB blob1,
642	struct auth_ntlmssp_state **auth_ntlmssp_state)
643	{
644	DATA_BLOB secblob;
645	DATA_BLOB chal;
646	char *kerb_mech = NULL;
647	NTSTATUS status;
648	struct smbd_server_connection *sconn = req->sconn;
649
650	status = parse_spnego_mechanisms(talloc_tos(),
651	blob1, &secblob, &kerb_mech);
652	if (!NT_STATUS_IS_OK(status)) {
653	/* Kill the intermediate vuid */
654	invalidate_vuid(sconn, vuid);
655	reply_nterror(req, nt_status_squash(status));
656	return;
657	}
658
659	DEBUG(3,("reply_spnego_negotiate: Got secblob of size %lu\n",
660	(unsigned long)secblob.length));
661
662	#ifdef HAVE_KRB5
663	if (kerb_mech && ((lp_security()==SEC_ADS) \|\|
664	USE_KERBEROS_KEYTAB) ) {
665	bool destroy_vuid = True;
666	reply_spnego_kerberos(req, &secblob, kerb_mech,
667	vuid, &destroy_vuid);
668	data_blob_free(&secblob);
669	if (destroy_vuid) {
670	/* Kill the intermediate vuid */
671	invalidate_vuid(sconn, vuid);
672	}
673	TALLOC_FREE(kerb_mech);
674	return;
675	}
676	#endif
677
678	TALLOC_FREE(*auth_ntlmssp_state);
679
680	if (kerb_mech) {
681	data_blob_free(&secblob);
682	/* The mechtoken is a krb5 ticket, but
683	* we need to fall back to NTLM. */
684	reply_spnego_downgrade_to_ntlmssp(req, vuid);
685	TALLOC_FREE(kerb_mech);
686	return;
687	}
688
689	status = auth_ntlmssp_start(auth_ntlmssp_state);
690	if (!NT_STATUS_IS_OK(status)) {
691	/* Kill the intermediate vuid */
692	invalidate_vuid(sconn, vuid);
693	reply_nterror(req, nt_status_squash(status));
694	return;
695	}
696
697	status = auth_ntlmssp_update(*auth_ntlmssp_state,
698	secblob, &chal);
699
700	data_blob_free(&secblob);
701
702	reply_spnego_ntlmssp(req, vuid, auth_ntlmssp_state,
703	&chal, status, OID_NTLMSSP, true);
704
705	data_blob_free(&chal);
706
707	/* already replied */
708	return;
709	}
710
711	/****************************************************************************
712	Reply to a session setup spnego auth packet.
713	****************************************************************************/
714
715	static void reply_spnego_auth(struct smb_request *req,
716	uint16 vuid,
717	DATA_BLOB blob1,
718	struct auth_ntlmssp_state **auth_ntlmssp_state)
719	{
720	DATA_BLOB auth = data_blob_null;
721	DATA_BLOB auth_reply = data_blob_null;
722	DATA_BLOB secblob = data_blob_null;
723	NTSTATUS status = NT_STATUS_LOGON_FAILURE;
724	struct smbd_server_connection *sconn = req->sconn;
725
726	if (!spnego_parse_auth(talloc_tos(), blob1, &auth)) {
727	#if 0
728	file_save("auth.dat", blob1.data, blob1.length);
729	#endif
730	/* Kill the intermediate vuid */
731	invalidate_vuid(sconn, vuid);
732
733	reply_nterror(req, nt_status_squash(
734	NT_STATUS_LOGON_FAILURE));
735	return;
736	}
737
738	if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0)) {
739	/* Might be a second negTokenTarg packet */
740	char *kerb_mech = NULL;
741
742	status = parse_spnego_mechanisms(talloc_tos(),
743	auth, &secblob, &kerb_mech);
744
745	if (!NT_STATUS_IS_OK(status)) {
746	/* Kill the intermediate vuid */
747	invalidate_vuid(sconn, vuid);
748	reply_nterror(req, nt_status_squash(status));
749	return;
750	}
751
752	DEBUG(3,("reply_spnego_auth: Got secblob of size %lu\n",
753	(unsigned long)secblob.length));
754	#ifdef HAVE_KRB5
755	if (kerb_mech && ((lp_security()==SEC_ADS) \|\|
756	USE_KERBEROS_KEYTAB)) {
757	bool destroy_vuid = True;
758	reply_spnego_kerberos(req, &secblob, kerb_mech,
759	vuid, &destroy_vuid);
760	data_blob_free(&secblob);
761	data_blob_free(&auth);
762	if (destroy_vuid) {
763	/* Kill the intermediate vuid */
764	invalidate_vuid(sconn, vuid);
765	}
766	TALLOC_FREE(kerb_mech);
767	return;
768	}
769	#endif
770	/* Can't blunder into NTLMSSP auth if we have
771	* a krb5 ticket. */
772
773	if (kerb_mech) {
774	/* Kill the intermediate vuid */
775	invalidate_vuid(sconn, vuid);
776	DEBUG(3,("reply_spnego_auth: network "
777	"misconfiguration, client sent us a "
778	"krb5 ticket and kerberos security "
779	"not enabled\n"));
780	reply_nterror(req, nt_status_squash(
781	NT_STATUS_LOGON_FAILURE));
782	TALLOC_FREE(kerb_mech);
783	}
784	}
785
786	/* If we get here it wasn't a negTokenTarg auth packet. */
787	data_blob_free(&secblob);
788
789	if (!*auth_ntlmssp_state) {
790	status = auth_ntlmssp_start(auth_ntlmssp_state);
791	if (!NT_STATUS_IS_OK(status)) {
792	/* Kill the intermediate vuid */
793	invalidate_vuid(sconn, vuid);
794	reply_nterror(req, nt_status_squash(status));
795	return;
796	}
797	}
798
799	status = auth_ntlmssp_update(*auth_ntlmssp_state,
800	auth, &auth_reply);
801
802	data_blob_free(&auth);
803
804	/* Don't send the mechid as we've already sent this (RFC4178). */
805
806	reply_spnego_ntlmssp(req, vuid,
807	auth_ntlmssp_state,
808	&auth_reply, status, NULL, true);
809
810	data_blob_free(&auth_reply);
811
812	/* and tell smbd that we have already replied to this packet */
813	return;
814	}
815
816	/****************************************************************************
817	Delete an entry on the list.
818	****************************************************************************/
819
820	static void delete_partial_auth(struct smbd_server_connection *sconn,
821	struct pending_auth_data *pad)
822	{
823	if (!pad) {
824	return;
825	}
826	DLIST_REMOVE(sconn->smb1.pd_list, pad);
827	data_blob_free(&pad->partial_data);
828	SAFE_FREE(pad);
829	}
830
831	/****************************************************************************
832	Search for a partial SPNEGO auth fragment matching an smbpid.
833	****************************************************************************/
834
835	static struct pending_auth_data *get_pending_auth_data(
836	struct smbd_server_connection *sconn,
837	uint16_t smbpid)
838	{
839	struct pending_auth_data *pad;
840	/*
841	* NOTE: using the smbpid here is completely wrong...
842	* see [MS-SMB]
843	* 3.3.5.3 Receiving an SMB_COM_SESSION_SETUP_ANDX Request
844	*/
845	for (pad = sconn->smb1.pd_list; pad; pad = pad->next) {
846	if (pad->smbpid == smbpid) {
847	break;
848	}
849	}
850	return pad;
851	}
852
853	/****************************************************************************
854	Check the size of an SPNEGO blob. If we need more return
855	NT_STATUS_MORE_PROCESSING_REQUIRED, else return NT_STATUS_OK. Don't allow
856	the blob to be more than 64k.
857	****************************************************************************/
858
859	static NTSTATUS check_spnego_blob_complete(struct smbd_server_connection *sconn,
860	uint16 smbpid, uint16 vuid,
861	DATA_BLOB *pblob)
862	{
863	struct pending_auth_data *pad = NULL;
864	ASN1_DATA *data;
865	size_t needed_len = 0;
866
867	pad = get_pending_auth_data(sconn, smbpid);
868
869	/* Ensure we have some data. */
870	if (pblob->length == 0) {
871	/* Caller can cope. */
872	DEBUG(2,("check_spnego_blob_complete: zero blob length !\n"));
873	delete_partial_auth(sconn, pad);
874	return NT_STATUS_OK;
875	}
876
877	/* Were we waiting for more data ? */
878	if (pad) {
879	DATA_BLOB tmp_blob;
880	size_t copy_len = MIN(65536, pblob->length);
881
882	/* Integer wrap paranoia.... */
883
884	if (pad->partial_data.length + copy_len <
885	pad->partial_data.length \|\|
886	pad->partial_data.length + copy_len < copy_len) {
887
888	DEBUG(2,("check_spnego_blob_complete: integer wrap "
889	"pad->partial_data.length = %u, "
890	"copy_len = %u\n",
891	(unsigned int)pad->partial_data.length,
892	(unsigned int)copy_len ));
893
894	delete_partial_auth(sconn, pad);
895	return NT_STATUS_INVALID_PARAMETER;
896	}
897
898	DEBUG(10,("check_spnego_blob_complete: "
899	"pad->partial_data.length = %u, "
900	"pad->needed_len = %u, "
901	"copy_len = %u, "
902	"pblob->length = %u,\n",
903	(unsigned int)pad->partial_data.length,
904	(unsigned int)pad->needed_len,
905	(unsigned int)copy_len,
906	(unsigned int)pblob->length ));
907
908	tmp_blob = data_blob(NULL,
909	pad->partial_data.length + copy_len);
910
911	/* Concatenate the two (up to copy_len) bytes. */
912	memcpy(tmp_blob.data,
913	pad->partial_data.data,
914	pad->partial_data.length);
915	memcpy(tmp_blob.data + pad->partial_data.length,
916	pblob->data,
917	copy_len);
918
919	/* Replace the partial data. */
920	data_blob_free(&pad->partial_data);
921	pad->partial_data = tmp_blob;
922	ZERO_STRUCT(tmp_blob);
923
924	/* Are we done ? */
925	if (pblob->length >= pad->needed_len) {
926	/* Yes, replace pblob. */
927	data_blob_free(pblob);
928	*pblob = pad->partial_data;
929	ZERO_STRUCT(pad->partial_data);
930	delete_partial_auth(sconn, pad);
931	return NT_STATUS_OK;
932	}
933
934	/* Still need more data. */
935	pad->needed_len -= copy_len;
936	return NT_STATUS_MORE_PROCESSING_REQUIRED;
937	}
938
939	if ((pblob->data[0] != ASN1_APPLICATION(0)) &&
940	(pblob->data[0] != ASN1_CONTEXT(1))) {
941	/* Not something we can determine the
942	* length of.
943	*/
944	return NT_STATUS_OK;
945	}
946
947	/* This is a new SPNEGO sessionsetup - see if
948	* the data given in this blob is enough.
949	*/
950
951	data = asn1_init(NULL);
952	if (data == NULL) {
953	return NT_STATUS_NO_MEMORY;
954	}
955
956	asn1_load(data, *pblob);
957	if (asn1_start_tag(data, pblob->data[0])) {
958	/* asn1_start_tag checks if the given
959	length of the blob is enough to complete
960	the tag. If it returns true we know
961	there is nothing to do - the blob is
962	complete. */
963	asn1_free(data);
964	return NT_STATUS_OK;
965	}
966
967	if (data->nesting == NULL) {
968	/* Incorrect tag, allocation failed,
969	or reading the tag length failed.
970	Let the caller catch. */
971	asn1_free(data);
972	return NT_STATUS_OK;
973	}
974
975	/* Here we know asn1_start_tag() has set data->has_error to true.
976	asn1_tag_remaining() will have failed due to the given blob
977	being too short. We need to work out how short. */
978
979	/* Integer wrap paranoia.... */
980
981	if (data->nesting->taglen + data->nesting->start < data->nesting->taglen \|\|
982	data->nesting->taglen + data->nesting->start < data->nesting->start) {
983
984	DEBUG(2,("check_spnego_blob_complete: integer wrap "
985	"data.nesting->taglen = %u, "
986	"data.nesting->start = %u\n",
987	(unsigned int)data->nesting->taglen,
988	(unsigned int)data->nesting->start ));
989
990	asn1_free(data);
991	return NT_STATUS_INVALID_PARAMETER;
992	}
993
994	/* Total length of the needed asn1 is the tag length
995	* plus the current offset. */
996
997	needed_len = data->nesting->taglen + data->nesting->start;
998	asn1_free(data);
999
1000	DEBUG(10,("check_spnego_blob_complete: needed_len = %u, "
1001	"pblob->length = %u\n",
1002	(unsigned int)needed_len,
1003	(unsigned int)pblob->length ));
1004
1005	if (needed_len <= pblob->length) {
1006	/* Nothing to do - blob is complete. */
1007	/* THIS SHOULD NOT HAPPEN - asn1_start_tag()
1008	above should have caught this !!! */
1009	DEBUG(0,("check_spnego_blob_complete: logic "
1010	"error (needed_len = %u, "
1011	"pblob->length = %u).\n",
1012	(unsigned int)needed_len,
1013	(unsigned int)pblob->length ));
1014	return NT_STATUS_OK;
1015	}
1016
1017	/* Refuse the blob if it's bigger than 64k. */
1018	if (needed_len > 65536) {
1019	DEBUG(2,("check_spnego_blob_complete: needed_len "
1020	"too large (%u)\n",
1021	(unsigned int)needed_len ));
1022	return NT_STATUS_INVALID_PARAMETER;
1023	}
1024
1025	/* We must store this blob until complete. */
1026	if (!(pad = SMB_MALLOC_P(struct pending_auth_data))) {
1027	return NT_STATUS_NO_MEMORY;
1028	}
1029	pad->needed_len = needed_len - pblob->length;
1030	pad->partial_data = data_blob(pblob->data, pblob->length);
1031	if (pad->partial_data.data == NULL) {
1032	SAFE_FREE(pad);
1033	return NT_STATUS_NO_MEMORY;
1034	}
1035	pad->smbpid = smbpid;
1036	pad->vuid = vuid;
1037	DLIST_ADD(sconn->smb1.pd_list, pad);
1038
1039	return NT_STATUS_MORE_PROCESSING_REQUIRED;
1040	}
1041
1042	/****************************************************************************
1043	Reply to a session setup command.
1044	conn POINTER CAN BE NULL HERE !
1045	****************************************************************************/
1046
1047	static void reply_sesssetup_and_X_spnego(struct smb_request *req)
1048	{
1049	const uint8 *p;
1050	DATA_BLOB blob1;
1051	size_t bufrem;
1052	char *tmp;
1053	const char *native_os;
1054	const char *native_lanman;
1055	const char *primary_domain;
1056	const char *p2;
1057	uint16 data_blob_len = SVAL(req->vwv+7, 0);
1058	enum remote_arch_types ra_type = get_remote_arch();
1059	int vuid = req->vuid;
1060	user_struct *vuser = NULL;
1061	NTSTATUS status = NT_STATUS_OK;
1062	uint16 smbpid = req->smbpid;
1063	struct smbd_server_connection *sconn = req->sconn;
1064
1065	DEBUG(3,("Doing spnego session setup\n"));
1066
1067	if (global_client_caps == 0) {
1068	global_client_caps = IVAL(req->vwv+10, 0);
1069
1070	if (!(global_client_caps & CAP_STATUS32)) {
1071	remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES);
1072	}
1073
1074	}
1075
1076	p = req->buf;
1077
1078	if (data_blob_len == 0) {
1079	/* an invalid request */
1080	reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
1081	return;
1082	}
1083
1084	bufrem = smbreq_bufrem(req, p);
1085	/* pull the spnego blob */
1086	blob1 = data_blob(p, MIN(bufrem, data_blob_len));
1087
1088	#if 0
1089	file_save("negotiate.dat", blob1.data, blob1.length);
1090	#endif
1091
1092	p2 = (char *)req->buf + blob1.length;
1093
1094	p2 += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p2,
1095	STR_TERMINATE);
1096	native_os = tmp ? tmp : "";
1097
1098	p2 += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p2,
1099	STR_TERMINATE);
1100	native_lanman = tmp ? tmp : "";
1101
1102	p2 += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p2,
1103	STR_TERMINATE);
1104	primary_domain = tmp ? tmp : "";
1105
1106	DEBUG(3,("NativeOS=[%s] NativeLanMan=[%s] PrimaryDomain=[%s]\n",
1107	native_os, native_lanman, primary_domain));
1108
1109	if ( ra_type == RA_WIN2K ) {
1110	/* Vista sets neither the OS or lanman strings */
1111
1112	if ( !strlen(native_os) && !strlen(native_lanman) )
1113	set_remote_arch(RA_VISTA);
1114
1115	/* Windows 2003 doesn't set the native lanman string,
1116	but does set primary domain which is a bug I think */
1117
1118	if ( !strlen(native_lanman) ) {
1119	ra_lanman_string( primary_domain );
1120	} else {
1121	ra_lanman_string( native_lanman );
1122	}
1123	} else if ( ra_type == RA_VISTA ) {
1124	if ( strncmp(native_os, "Mac OS X", 8) == 0 ) {
1125	set_remote_arch(RA_OSX);
1126	}
1127	}
1128
1129	/* Did we get a valid vuid ? */
1130	if (!is_partial_auth_vuid(sconn, vuid)) {
1131	/* No, then try and see if this is an intermediate sessionsetup
1132	* for a large SPNEGO packet. */
1133	struct pending_auth_data *pad;
1134	pad = get_pending_auth_data(sconn, smbpid);
1135	if (pad) {
1136	DEBUG(10,("reply_sesssetup_and_X_spnego: found "
1137	"pending vuid %u\n",
1138	(unsigned int)pad->vuid ));
1139	vuid = pad->vuid;
1140	}
1141	}
1142
1143	/* Do we have a valid vuid now ? */
1144	if (!is_partial_auth_vuid(sconn, vuid)) {
1145	/* No, start a new authentication setup. */
1146	vuid = register_initial_vuid(sconn);
1147	if (vuid == UID_FIELD_INVALID) {
1148	data_blob_free(&blob1);
1149	reply_nterror(req, nt_status_squash(
1150	NT_STATUS_INVALID_PARAMETER));
1151	return;
1152	}
1153	}
1154
1155	vuser = get_partial_auth_user_struct(sconn, vuid);
1156	/* This MUST be valid. */
1157	if (!vuser) {
1158	smb_panic("reply_sesssetup_and_X_spnego: invalid vuid.");
1159	}
1160
1161	/* Large (greater than 4k) SPNEGO blobs are split into multiple
1162	* sessionsetup requests as the Windows limit on the security blob
1163	* field is 4k. Bug #4400. JRA.
1164	*/
1165
1166	status = check_spnego_blob_complete(sconn, smbpid, vuid, &blob1);
1167	if (!NT_STATUS_IS_OK(status)) {
1168	if (!NT_STATUS_EQUAL(status,
1169	NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1170	/* Real error - kill the intermediate vuid */
1171	invalidate_vuid(sconn, vuid);
1172	}
1173	data_blob_free(&blob1);
1174	reply_nterror(req, nt_status_squash(status));
1175	return;
1176	}
1177
1178	if (blob1.data[0] == ASN1_APPLICATION(0)) {
1179
1180	/* its a negTokenTarg packet */
1181
1182	reply_spnego_negotiate(req, vuid, blob1,
1183	&vuser->auth_ntlmssp_state);
1184	data_blob_free(&blob1);
1185	return;
1186	}
1187
1188	if (blob1.data[0] == ASN1_CONTEXT(1)) {
1189
1190	/* its a auth packet */
1191
1192	reply_spnego_auth(req, vuid, blob1,
1193	&vuser->auth_ntlmssp_state);
1194	data_blob_free(&blob1);
1195	return;
1196	}
1197
1198	if (strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) {
1199	DATA_BLOB chal;
1200
1201	if (!vuser->auth_ntlmssp_state) {
1202	status = auth_ntlmssp_start(&vuser->auth_ntlmssp_state);
1203	if (!NT_STATUS_IS_OK(status)) {
1204	/* Kill the intermediate vuid */
1205	invalidate_vuid(sconn, vuid);
1206	data_blob_free(&blob1);
1207	reply_nterror(req, nt_status_squash(status));
1208	return;
1209	}
1210	}
1211
1212	status = auth_ntlmssp_update(vuser->auth_ntlmssp_state,
1213	blob1, &chal);
1214
1215	data_blob_free(&blob1);
1216
1217	reply_spnego_ntlmssp(req, vuid,
1218	&vuser->auth_ntlmssp_state,
1219	&chal, status, OID_NTLMSSP, false);
1220	data_blob_free(&chal);
1221	return;
1222	}
1223
1224	/* what sort of packet is this? */
1225	DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n"));
1226
1227	data_blob_free(&blob1);
1228
1229	reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
1230	}
1231
1232	/****************************************************************************
1233	On new VC == 0, shutdown all old connections and users.
1234	It seems that only NT4.x does this. At W2K and above (XP etc.).
1235	a new session setup with VC==0 is ignored.
1236	****************************************************************************/
1237
1238	struct shutdown_state {
1239	const char *ip;
1240	struct messaging_context *msg_ctx;
1241	};
1242
1243	static int shutdown_other_smbds(const struct connections_key *key,
1244	const struct connections_data *crec,
1245	void *private_data)
1246	{
1247	struct shutdown_state state = (struct shutdown_state )private_data;
1248
1249	DEBUG(10, ("shutdown_other_smbds: %s, %s\n",
1250	procid_str(talloc_tos(), &crec->pid), crec->addr));
1251
1252	if (!process_exists(crec->pid)) {
1253	DEBUG(10, ("process does not exist\n"));
1254	return 0;
1255	}
1256
1257	if (procid_is_me(&crec->pid)) {
1258	DEBUG(10, ("It's me\n"));
1259	return 0;
1260	}
1261
1262	if (strcmp(state->ip, crec->addr) != 0) {
1263	DEBUG(10, ("%s does not match %s\n", state->ip, crec->addr));
1264	return 0;
1265	}
1266
1267	DEBUG(1, ("shutdown_other_smbds: shutting down pid %u "
1268	"(IP %s)\n", (unsigned int)procid_to_pid(&crec->pid),
1269	state->ip));
1270
1271	messaging_send(state->msg_ctx, crec->pid, MSG_SHUTDOWN,
1272	&data_blob_null);
1273	return 0;
1274	}
1275
1276	static void setup_new_vc_session(struct smbd_server_connection *sconn)
1277	{
1278	DEBUG(2,("setup_new_vc_session: New VC == 0, if NT4.x "
1279	"compatible we would close all old resources.\n"));
1280	#if 0
1281	conn_close_all();
1282	invalidate_all_vuids();
1283	#endif
1284	if (lp_reset_on_zero_vc()) {
1285	char *addr;
1286	struct shutdown_state state;
1287
1288	addr = tsocket_address_inet_addr_string(
1289	sconn->remote_address, talloc_tos());
1290	if (addr == NULL) {
1291	return;
1292	}
1293	state.ip = addr;
1294	state.msg_ctx = sconn->msg_ctx;
1295	connections_forall_read(shutdown_other_smbds, &state);
1296	TALLOC_FREE(addr);
1297	}
1298	}
1299
1300	/****************************************************************************
1301	Reply to a session setup command.
1302	****************************************************************************/
1303
1304	void reply_sesssetup_and_X(struct smb_request *req)
1305	{
1306	int sess_vuid;
1307	int smb_bufsize;
1308	DATA_BLOB lm_resp;
1309	DATA_BLOB nt_resp;
1310	DATA_BLOB plaintext_password;
1311	char *tmp;
1312	const char *user;
1313	fstring sub_user; /* Sanitised username for substituion */
1314	const char *domain;
1315	const char *native_os;
1316	const char *native_lanman;
1317	const char *primary_domain;
1318	struct auth_usersupplied_info *user_info = NULL;
1319	struct auth_serversupplied_info *server_info = NULL;
1320	uint16 smb_flag2 = req->flags2;
1321
1322	NTSTATUS nt_status;
1323	struct smbd_server_connection *sconn = req->sconn;
1324
1325	bool doencrypt = sconn->smb1.negprot.encrypted_passwords;
1326
1327	START_PROFILE(SMBsesssetupX);
1328
1329	ZERO_STRUCT(lm_resp);
1330	ZERO_STRUCT(nt_resp);
1331	ZERO_STRUCT(plaintext_password);
1332
1333	DEBUG(3,("wct=%d flg2=0x%x\n", req->wct, req->flags2));
1334
1335	/* a SPNEGO session setup has 12 command words, whereas a normal
1336	NT1 session setup has 13. See the cifs spec. */
1337	if (req->wct == 12 &&
1338	(req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
1339
1340	if (!sconn->smb1.negprot.spnego) {
1341	DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt "
1342	"at SPNEGO session setup when it was not "
1343	"negotiated.\n"));
1344	reply_nterror(req, nt_status_squash(
1345	NT_STATUS_LOGON_FAILURE));
1346	END_PROFILE(SMBsesssetupX);
1347	return;
1348	}
1349
1350	if (SVAL(req->vwv+4, 0) == 0) {
1351	setup_new_vc_session(req->sconn);
1352	}
1353
1354	reply_sesssetup_and_X_spnego(req);
1355	END_PROFILE(SMBsesssetupX);
1356	return;
1357	}
1358
1359	smb_bufsize = SVAL(req->vwv+2, 0);
1360
1361	if (get_Protocol() < PROTOCOL_NT1) {
1362	uint16 passlen1 = SVAL(req->vwv+7, 0);
1363
1364	/* Never do NT status codes with protocols before NT1 as we
1365	* don't get client caps. */
1366	remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES);
1367
1368	if ((passlen1 > MAX_PASS_LEN) \|\| (passlen1 > req->buflen)) {
1369	reply_nterror(req, nt_status_squash(
1370	NT_STATUS_INVALID_PARAMETER));
1371	END_PROFILE(SMBsesssetupX);
1372	return;
1373	}
1374
1375	if (doencrypt) {
1376	lm_resp = data_blob(req->buf, passlen1);
1377	} else {
1378	plaintext_password = data_blob(req->buf, passlen1+1);
1379	/* Ensure null termination */
1380	plaintext_password.data[passlen1] = 0;
1381	}
1382
1383	srvstr_pull_req_talloc(talloc_tos(), req, &tmp,
1384	req->buf + passlen1, STR_TERMINATE);
1385	user = tmp ? tmp : "";
1386
1387	domain = "";
1388
1389	} else {
1390	uint16 passlen1 = SVAL(req->vwv+7, 0);
1391	uint16 passlen2 = SVAL(req->vwv+8, 0);
1392	enum remote_arch_types ra_type = get_remote_arch();
1393	const uint8_t *p = req->buf;
1394	const uint8_t *save_p = req->buf;
1395	uint16 byte_count;
1396
1397
1398	if(global_client_caps == 0) {
1399	global_client_caps = IVAL(req->vwv+11, 0);
1400
1401	if (!(global_client_caps & CAP_STATUS32)) {
1402	remove_from_common_flags2(
1403	FLAGS2_32_BIT_ERROR_CODES);
1404	}
1405
1406	/* client_caps is used as final determination if
1407	* client is NT or Win95. This is needed to return
1408	* the correct error codes in some circumstances.
1409	*/
1410
1411	if(ra_type == RA_WINNT \|\| ra_type == RA_WIN2K \|\|
1412	ra_type == RA_WIN95) {
1413	if(!(global_client_caps & (CAP_NT_SMBS\|
1414	CAP_STATUS32))) {
1415	set_remote_arch( RA_WIN95);
1416	}
1417	}
1418	}
1419
1420	if (!doencrypt) {
1421	/* both Win95 and WinNT stuff up the password
1422	* lengths for non-encrypting systems. Uggh.
1423
1424	if passlen1==24 its a win95 system, and its setting
1425	the password length incorrectly. Luckily it still
1426	works with the default code because Win95 will null
1427	terminate the password anyway
1428
1429	if passlen1>0 and passlen2>0 then maybe its a NT box
1430	and its setting passlen2 to some random value which
1431	really stuffs things up. we need to fix that one. */
1432
1433	if (passlen1 > 0 && passlen2 > 0 && passlen2 != 24 &&
1434	passlen2 != 1) {
1435	passlen2 = 0;
1436	}
1437	}
1438
1439	/* check for nasty tricks */
1440	if (passlen1 > MAX_PASS_LEN
1441	\|\| passlen1 > smbreq_bufrem(req, p)) {
1442	reply_nterror(req, nt_status_squash(
1443	NT_STATUS_INVALID_PARAMETER));
1444	END_PROFILE(SMBsesssetupX);
1445	return;
1446	}
1447
1448	if (passlen2 > MAX_PASS_LEN
1449	\|\| passlen2 > smbreq_bufrem(req, p+passlen1)) {
1450	reply_nterror(req, nt_status_squash(
1451	NT_STATUS_INVALID_PARAMETER));
1452	END_PROFILE(SMBsesssetupX);
1453	return;
1454	}
1455
1456	/* Save the lanman2 password and the NT md4 password. */
1457
1458	if ((doencrypt) && (passlen1 != 0) && (passlen1 != 24)) {
1459	doencrypt = False;
1460	}
1461
1462	if (doencrypt) {
1463	lm_resp = data_blob(p, passlen1);
1464	nt_resp = data_blob(p+passlen1, passlen2);
1465	} else if (lp_security() != SEC_SHARE) {
1466	/*
1467	* In share level we should ignore any passwords, so
1468	* only read them if we're not.
1469	*/
1470	char *pass = NULL;
1471	bool unic= smb_flag2 & FLAGS2_UNICODE_STRINGS;
1472
1473	if (unic && (passlen2 == 0) && passlen1) {
1474	/* Only a ascii plaintext password was sent. */
1475	(void)srvstr_pull_talloc(talloc_tos(),
1476	req->inbuf,
1477	req->flags2,
1478	&pass,
1479	req->buf,
1480	passlen1,
1481	STR_TERMINATE\|STR_ASCII);
1482	} else {
1483	(void)srvstr_pull_talloc(talloc_tos(),
1484	req->inbuf,
1485	req->flags2,
1486	&pass,
1487	req->buf,
1488	unic ? passlen2 : passlen1,
1489	STR_TERMINATE);
1490	}
1491	if (!pass) {
1492	reply_nterror(req, nt_status_squash(
1493	NT_STATUS_INVALID_PARAMETER));
1494	END_PROFILE(SMBsesssetupX);
1495	return;
1496	}
1497	plaintext_password = data_blob(pass, strlen(pass)+1);
1498	}
1499
1500	p += passlen1 + passlen2;
1501
1502	p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1503	STR_TERMINATE);
1504	user = tmp ? tmp : "";
1505
1506	p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1507	STR_TERMINATE);
1508	domain = tmp ? tmp : "";
1509
1510	p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1511	STR_TERMINATE);
1512	native_os = tmp ? tmp : "";
1513
1514	p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1515	STR_TERMINATE);
1516	native_lanman = tmp ? tmp : "";
1517
1518	/* not documented or decoded by Ethereal but there is one more
1519	* string in the extra bytes which is the same as the
1520	* PrimaryDomain when using extended security. Windows NT 4
1521	* and 2003 use this string to store the native lanman string.
1522	* Windows 9x does not include a string here at all so we have
1523	* to check if we have any extra bytes left */
1524
1525	byte_count = SVAL(req->vwv+13, 0);
1526	if ( PTR_DIFF(p, save_p) < byte_count) {
1527	p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1528	STR_TERMINATE);
1529	primary_domain = tmp ? tmp : "";
1530	} else {
1531	primary_domain = talloc_strdup(talloc_tos(), "null");
1532	}
1533
1534	DEBUG(3,("Domain=[%s] NativeOS=[%s] NativeLanMan=[%s] "
1535	"PrimaryDomain=[%s]\n",
1536	domain, native_os, native_lanman, primary_domain));
1537
1538	if ( ra_type == RA_WIN2K ) {
1539	if ( strlen(native_lanman) == 0 )
1540	ra_lanman_string( primary_domain );
1541	else
1542	ra_lanman_string( native_lanman );
1543	}
1544
1545	}
1546
1547	if (SVAL(req->vwv+4, 0) == 0) {
1548	setup_new_vc_session(req->sconn);
1549	}
1550
1551	DEBUG(3,("sesssetupX:name=[%s]\\[%s]@[%s]\n",
1552	domain, user, get_remote_machine_name()));
1553
1554	if (*user) {
1555	if (sconn->smb1.negprot.spnego) {
1556
1557	/* This has to be here, because this is a perfectly
1558	* valid behaviour for guest logons :-( */
1559
1560	DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt "
1561	"at 'normal' session setup after "
1562	"negotiating spnego.\n"));
1563	reply_nterror(req, nt_status_squash(
1564	NT_STATUS_LOGON_FAILURE));
1565	END_PROFILE(SMBsesssetupX);
1566	return;
1567	}
1568	fstrcpy(sub_user, user);
1569	} else {
1570	fstrcpy(sub_user, lp_guestaccount());
1571	}
1572
1573	sub_set_smb_name(sub_user);
1574
1575	reload_services(sconn->msg_ctx, sconn->sock, True);
1576
1577	if (lp_security() == SEC_SHARE) {
1578	char *sub_user_mapped = NULL;
1579	/* In share level we should ignore any passwords */
1580
1581	data_blob_free(&lm_resp);
1582	data_blob_free(&nt_resp);
1583	data_blob_clear_free(&plaintext_password);
1584
1585	(void)map_username(talloc_tos(), sub_user, &sub_user_mapped);
1586	if (!sub_user_mapped) {
1587	reply_nterror(req, NT_STATUS_NO_MEMORY);
1588	END_PROFILE(SMBsesssetupX);
1589	return;
1590	}
1591	fstrcpy(sub_user, sub_user_mapped);
1592	add_session_user(sconn, sub_user);
1593	add_session_workgroup(sconn, domain);
1594	/* Then force it to null for the benfit of the code below */
1595	user = "";
1596	}
1597
1598	if (!*user) {
1599
1600	nt_status = check_guest_password(&server_info);
1601
1602	} else if (doencrypt) {
1603	struct auth_context *negprot_auth_context = NULL;
1604	negprot_auth_context = sconn->smb1.negprot.auth_context;
1605	if (!negprot_auth_context) {
1606	DEBUG(0, ("reply_sesssetup_and_X: Attempted encrypted "
1607	"session setup without negprot denied!\n"));
1608	reply_nterror(req, nt_status_squash(
1609	NT_STATUS_LOGON_FAILURE));
1610	END_PROFILE(SMBsesssetupX);
1611	return;
1612	}
1613	nt_status = make_user_info_for_reply_enc(&user_info, user,
1614	domain,
1615	lm_resp, nt_resp);
1616	if (NT_STATUS_IS_OK(nt_status)) {
1617	nt_status = negprot_auth_context->check_ntlm_password(
1618	negprot_auth_context,
1619	user_info,
1620	&server_info);
1621	}
1622	} else {
1623	struct auth_context *plaintext_auth_context = NULL;
1624
1625	nt_status = make_auth_context_subsystem(
1626	talloc_tos(), &plaintext_auth_context);
1627
1628	if (NT_STATUS_IS_OK(nt_status)) {
1629	uint8_t chal[8];
1630
1631	plaintext_auth_context->get_ntlm_challenge(
1632	plaintext_auth_context, chal);
1633
1634	if (!make_user_info_for_reply(&user_info,
1635	user, domain, chal,
1636	plaintext_password)) {
1637	nt_status = NT_STATUS_NO_MEMORY;
1638	}
1639
1640	if (NT_STATUS_IS_OK(nt_status)) {
1641	nt_status = plaintext_auth_context->check_ntlm_password(
1642	plaintext_auth_context,
1643	user_info,
1644	&server_info);
1645
1646	TALLOC_FREE(plaintext_auth_context);
1647	}
1648	}
1649	}
1650
1651	free_user_info(&user_info);
1652
1653	if (!NT_STATUS_IS_OK(nt_status)) {
1654	nt_status = do_map_to_guest(nt_status, &server_info,
1655	user, domain);
1656	}
1657
1658	if (!NT_STATUS_IS_OK(nt_status)) {
1659	data_blob_free(&nt_resp);
1660	data_blob_free(&lm_resp);
1661	data_blob_clear_free(&plaintext_password);
1662	reply_nterror(req, nt_status_squash(nt_status));
1663	END_PROFILE(SMBsesssetupX);
1664	return;
1665	}
1666
1667	/* Ensure we can't possible take a code path leading to a
1668	* null defref. */
1669	if (!server_info) {
1670	reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
1671	END_PROFILE(SMBsesssetupX);
1672	return;
1673	}
1674
1675	if (!server_info->security_token) {
1676	nt_status = create_local_token(server_info);
1677
1678	if (!NT_STATUS_IS_OK(nt_status)) {
1679	DEBUG(10, ("create_local_token failed: %s\n",
1680	nt_errstr(nt_status)));
1681	data_blob_free(&nt_resp);
1682	data_blob_free(&lm_resp);
1683	data_blob_clear_free(&plaintext_password);
1684	reply_nterror(req, nt_status_squash(nt_status));
1685	END_PROFILE(SMBsesssetupX);
1686	return;
1687	}
1688	}
1689
1690	data_blob_clear_free(&plaintext_password);
1691
1692	/* it's ok - setup a reply */
1693	reply_outbuf(req, 3, 0);
1694	if (get_Protocol() >= PROTOCOL_NT1) {
1695	push_signature(&req->outbuf);
1696	/* perhaps grab OS version here?? */
1697	}
1698
1699	if (server_info->guest) {
1700	SSVAL(req->outbuf,smb_vwv2,1);
1701	}
1702
1703	/* register the name and uid as being validated, so further connections
1704	to a uid can get through without a password, on the same VC */
1705
1706	if (lp_security() == SEC_SHARE) {
1707	sess_vuid = UID_FIELD_INVALID;
1708	TALLOC_FREE(server_info);
1709	} else {
1710	/* Ignore the initial vuid. */
1711	sess_vuid = register_initial_vuid(sconn);
1712	if (sess_vuid == UID_FIELD_INVALID) {
1713	data_blob_free(&nt_resp);
1714	data_blob_free(&lm_resp);
1715	reply_nterror(req, nt_status_squash(
1716	NT_STATUS_LOGON_FAILURE));
1717	END_PROFILE(SMBsesssetupX);
1718	return;
1719	}
1720	/* register_existing_vuid keeps the server info */
1721	sess_vuid = register_existing_vuid(sconn, sess_vuid,
1722	server_info,
1723	nt_resp.data ? nt_resp : lm_resp,
1724	sub_user);
1725	if (sess_vuid == UID_FIELD_INVALID) {
1726	data_blob_free(&nt_resp);
1727	data_blob_free(&lm_resp);
1728	reply_nterror(req, nt_status_squash(
1729	NT_STATUS_LOGON_FAILURE));
1730	END_PROFILE(SMBsesssetupX);
1731	return;
1732	}
1733
1734	/* current_user_info is changed on new vuid */
1735	reload_services(sconn->msg_ctx, sconn->sock, True);
1736	}
1737
1738	data_blob_free(&nt_resp);
1739	data_blob_free(&lm_resp);
1740
1741	SSVAL(req->outbuf,smb_uid,sess_vuid);
1742	SSVAL(req->inbuf,smb_uid,sess_vuid);
1743	req->vuid = sess_vuid;
1744
1745	if (!sconn->smb1.sessions.done_sesssetup) {
1746	sconn->smb1.sessions.max_send =
1747	MIN(sconn->smb1.sessions.max_send,smb_bufsize);
1748	}
1749	sconn->smb1.sessions.done_sesssetup = true;
1750
1751	END_PROFILE(SMBsesssetupX);
1752	chain_reply(req);
1753	return;
1754	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: