Changeset 988 for vendor/current/source3/smbd/negprot.c
- Timestamp:
- Nov 24, 2016, 1:14:11 PM (9 years ago)
- File:
-
- 1 edited
-
vendor/current/source3/smbd/negprot.c (modified) (35 diffs)
Legend:
- Unmodified
- Added
- Removed
-
vendor/current/source3/smbd/negprot.c
r746 r988 22 22 #include "smbd/smbd.h" 23 23 #include "smbd/globals.h" 24 #include "../libcli/auth/spnego.h"25 24 #include "serverid.h" 26 25 #include "auth.h" 27 26 #include "messages.h" 28 27 #include "smbprofile.h" 28 #include "auth/gensec/gensec.h" 29 #include "../libcli/smb/smb_signing.h" 29 30 30 31 extern fstring remote_proto; 31 32 32 static void get_challenge(struct smb d_server_connection *sconn, uint8buff[8])33 static void get_challenge(struct smbXsrv_connection *xconn, uint8_t buff[8]) 33 34 { 34 35 NTSTATUS nt_status; … … 36 37 /* We might be called more than once, multiple negprots are 37 38 * permitted */ 38 if ( sconn->smb1.negprot.auth_context) {39 if (xconn->smb1.negprot.auth_context) { 39 40 DEBUG(3, ("get challenge: is this a secondary negprot? " 40 41 "sconn->negprot.auth_context is non-NULL!\n")); 41 TALLOC_FREE(sconn->smb1.negprot.auth_context);42 TALLOC_FREE(xconn->smb1.negprot.auth_context); 42 43 } 43 44 44 45 DEBUG(10, ("get challenge: creating negprot_global_auth_context\n")); 45 nt_status = make_auth _context_subsystem(46 sconn, &sconn->smb1.negprot.auth_context);46 nt_status = make_auth4_context( 47 xconn, &xconn->smb1.negprot.auth_context); 47 48 if (!NT_STATUS_IS_OK(nt_status)) { 48 49 DEBUG(0, ("make_auth_context_subsystem returned %s", … … 51 52 } 52 53 DEBUG(10, ("get challenge: getting challenge\n")); 53 sconn->smb1.negprot.auth_context->get_ntlm_challenge( 54 sconn->smb1.negprot.auth_context, buff); 55 } 56 57 /**************************************************************************** 58 Reply for the core protocol. 59 ****************************************************************************/ 60 61 static void reply_corep(struct smb_request *req, uint16 choice) 62 { 63 reply_outbuf(req, 1, 0); 64 SSVAL(req->outbuf, smb_vwv0, choice); 65 66 set_Protocol(PROTOCOL_CORE); 67 } 68 69 /**************************************************************************** 70 Reply for the coreplus protocol. 71 ****************************************************************************/ 72 73 static void reply_coreplus(struct smb_request *req, uint16 choice) 74 { 75 int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0); 76 77 reply_outbuf(req, 13, 0); 78 79 SSVAL(req->outbuf,smb_vwv0,choice); 80 SSVAL(req->outbuf,smb_vwv5,raw); /* tell redirector we support 81 readbraw and writebraw (possibly) */ 82 /* Reply, SMBlockread, SMBwritelock supported. */ 83 SCVAL(req->outbuf,smb_flg,FLAG_REPLY|FLAG_SUPPORT_LOCKREAD); 84 SSVAL(req->outbuf,smb_vwv1,0x1); /* user level security, don't 85 * encrypt */ 86 set_Protocol(PROTOCOL_COREPLUS); 54 xconn->smb1.negprot.auth_context->get_ntlm_challenge( 55 xconn->smb1.negprot.auth_context, buff); 87 56 } 88 57 … … 91 60 ****************************************************************************/ 92 61 93 static void reply_lanman1(struct smb_request *req, uint16 choice)62 static void reply_lanman1(struct smb_request *req, uint16_t choice) 94 63 { 95 int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0);96 64 int secword=0; 97 65 time_t t = time(NULL); 98 struct smbd_server_connection *sconn = req->sconn; 99 100 sconn->smb1.negprot.encrypted_passwords = lp_encrypted_passwords(); 101 102 if (lp_security()>=SEC_USER) { 103 secword |= NEGOTIATE_SECURITY_USER_LEVEL; 104 } 105 if (sconn->smb1.negprot.encrypted_passwords) { 66 struct smbXsrv_connection *xconn = req->xconn; 67 uint16_t raw; 68 if (lp_async_smb_echo_handler()) { 69 raw = 0; 70 } else { 71 raw = (lp_read_raw()?1:0) | (lp_write_raw()?2:0); 72 } 73 74 xconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords(); 75 76 secword |= NEGOTIATE_SECURITY_USER_LEVEL; 77 if (xconn->smb1.negprot.encrypted_passwords) { 106 78 secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE; 107 79 } 108 80 109 reply_outbuf(req, 13, sconn->smb1.negprot.encrypted_passwords?8:0);81 reply_outbuf(req, 13, xconn->smb1.negprot.encrypted_passwords?8:0); 110 82 111 83 SSVAL(req->outbuf,smb_vwv0,choice); 112 84 SSVAL(req->outbuf,smb_vwv1,secword); 113 85 /* Create a token value and add it to the outgoing packet. */ 114 if ( sconn->smb1.negprot.encrypted_passwords) {115 get_challenge( sconn, (uint8*)smb_buf(req->outbuf));86 if (xconn->smb1.negprot.encrypted_passwords) { 87 get_challenge(xconn, (uint8_t *)smb_buf(req->outbuf)); 116 88 SSVAL(req->outbuf,smb_vwv11, 8); 117 89 } 118 90 119 s et_Protocol(PROTOCOL_LANMAN1);91 smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN1); 120 92 121 93 /* Reply, SMBlockread, SMBwritelock supported. */ 122 SCVAL(req->outbuf,smb_flg, FLAG_REPLY|FLAG_SUPPORT_LOCKREAD);123 SSVAL(req->outbuf,smb_vwv2, sconn->smb1.negprot.max_recv);124 SSVAL(req->outbuf,smb_vwv3, lp_maxmux()); /* maxmux */125 SSVAL(req->outbuf,smb_vwv4, 1);126 SSVAL(req->outbuf,smb_vwv5, raw); /* tell redirector we support94 SCVAL(req->outbuf,smb_flg, FLAG_REPLY|FLAG_SUPPORT_LOCKREAD); 95 SSVAL(req->outbuf,smb_vwv2, xconn->smb1.negprot.max_recv); 96 SSVAL(req->outbuf,smb_vwv3, lp_max_mux()); /* maxmux */ 97 SSVAL(req->outbuf,smb_vwv4, 1); 98 SSVAL(req->outbuf,smb_vwv5, raw); /* tell redirector we support 127 99 readbraw writebraw (possibly) */ 128 SIVAL(req->outbuf,smb_vwv6, sys_getpid());100 SIVAL(req->outbuf,smb_vwv6, getpid()); 129 101 SSVAL(req->outbuf,smb_vwv10, set_server_zone_offset(t)/60); 130 102 … … 138 110 ****************************************************************************/ 139 111 140 static void reply_lanman2(struct smb_request *req, uint16 choice)112 static void reply_lanman2(struct smb_request *req, uint16_t choice) 141 113 { 142 int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0);143 114 int secword=0; 144 115 time_t t = time(NULL); 145 struct smbd_server_connection *sconn = req->sconn; 146 147 sconn->smb1.negprot.encrypted_passwords = lp_encrypted_passwords(); 148 149 if (lp_security()>=SEC_USER) { 150 secword |= NEGOTIATE_SECURITY_USER_LEVEL; 151 } 152 if (sconn->smb1.negprot.encrypted_passwords) { 116 struct smbXsrv_connection *xconn = req->xconn; 117 uint16_t raw; 118 if (lp_async_smb_echo_handler()) { 119 raw = 0; 120 } else { 121 raw = (lp_read_raw()?1:0) | (lp_write_raw()?2:0); 122 } 123 124 xconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords(); 125 126 secword |= NEGOTIATE_SECURITY_USER_LEVEL; 127 if (xconn->smb1.negprot.encrypted_passwords) { 153 128 secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE; 154 129 } 155 130 156 reply_outbuf(req, 13, sconn->smb1.negprot.encrypted_passwords?8:0);157 158 SSVAL(req->outbuf,smb_vwv0, choice);159 SSVAL(req->outbuf,smb_vwv1, secword);160 SIVAL(req->outbuf,smb_vwv6, sys_getpid());131 reply_outbuf(req, 13, xconn->smb1.negprot.encrypted_passwords?8:0); 132 133 SSVAL(req->outbuf,smb_vwv0, choice); 134 SSVAL(req->outbuf,smb_vwv1, secword); 135 SIVAL(req->outbuf,smb_vwv6, getpid()); 161 136 162 137 /* Create a token value and add it to the outgoing packet. */ 163 if ( sconn->smb1.negprot.encrypted_passwords) {164 get_challenge( sconn, (uint8*)smb_buf(req->outbuf));138 if (xconn->smb1.negprot.encrypted_passwords) { 139 get_challenge(xconn, (uint8_t *)smb_buf(req->outbuf)); 165 140 SSVAL(req->outbuf,smb_vwv11, 8); 166 141 } 167 142 168 s et_Protocol(PROTOCOL_LANMAN2);143 smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN2); 169 144 170 145 /* Reply, SMBlockread, SMBwritelock supported. */ 171 146 SCVAL(req->outbuf,smb_flg,FLAG_REPLY|FLAG_SUPPORT_LOCKREAD); 172 SSVAL(req->outbuf,smb_vwv2, sconn->smb1.negprot.max_recv);173 SSVAL(req->outbuf,smb_vwv3,lp_max mux());147 SSVAL(req->outbuf,smb_vwv2,xconn->smb1.negprot.max_recv); 148 SSVAL(req->outbuf,smb_vwv3,lp_max_mux()); 174 149 SSVAL(req->outbuf,smb_vwv4,1); 175 150 SSVAL(req->outbuf,smb_vwv5,raw); /* readbraw and/or writebraw */ … … 182 157 ****************************************************************************/ 183 158 184 DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smb d_server_connection *sconn)159 DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbXsrv_connection *xconn) 185 160 { 186 161 DATA_BLOB blob = data_blob_null; … … 188 163 nstring dos_name; 189 164 fstring unix_name; 165 NTSTATUS status; 190 166 #ifdef DEVELOPER 191 167 size_t slen; 192 168 #endif 193 const char *OIDs_krb5[] = {OID_KERBEROS5, 194 OID_KERBEROS5_OLD, 195 OID_NTLMSSP, 196 NULL}; 197 const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL}; 198 199 sconn->smb1.negprot.spnego = true; 169 struct gensec_security *gensec_security; 170 171 /* See if we can get an SPNEGO blob */ 172 status = auth_generic_prepare(talloc_tos(), 173 xconn->remote_address, 174 &gensec_security); 175 if (NT_STATUS_IS_OK(status)) { 176 status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO); 177 if (NT_STATUS_IS_OK(status)) { 178 status = gensec_update(gensec_security, ctx, 179 data_blob_null, &blob); 180 /* If we get the list of OIDs, the 'OK' answer 181 * is NT_STATUS_MORE_PROCESSING_REQUIRED */ 182 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { 183 DEBUG(0, ("Failed to start SPNEGO handler for negprot OID list!\n")); 184 blob = data_blob_null; 185 } 186 } 187 TALLOC_FREE(gensec_security); 188 } 189 190 xconn->smb1.negprot.spnego = true; 191 200 192 /* strangely enough, NT does not sent the single OID NTLMSSP when 201 193 not a ADS member, it sends no OIDs at all … … 211 203 */ 212 204 213 if (lp_security() != SEC_ADS && !USE_KERBEROS_KEYTAB) {214 #if 0215 /* Code for PocketPC client */216 blob = data_blob(guid, 16);217 #else218 /* Code for standalone WXP client */219 blob = spnego_gen_negTokenInit(ctx, OIDs_ntlm, NULL, "NONE");220 #endif221 } else if (!lp_send_spnego_principal()) {222 /* By default, Windows 2008 and later sends not_defined_in_RFC4178@please_ignore */223 blob = spnego_gen_negTokenInit(ctx, OIDs_krb5, NULL, ADS_IGNORE_PRINCIPAL);224 } else {225 fstring myname;226 char *host_princ_s = NULL;227 name_to_fqdn(myname, global_myname());228 strlower_m(myname);229 if (asprintf(&host_princ_s, "cifs/%s@%s", myname, lp_realm())230 == -1) {231 return data_blob_null;232 }233 blob = spnego_gen_negTokenInit(ctx, OIDs_krb5, NULL, host_princ_s);234 SAFE_FREE(host_princ_s);235 }236 237 205 if (blob.length == 0 || blob.data == NULL) { 238 206 return data_blob_null; … … 247 215 memset(blob_out.data, '\0', 16); 248 216 249 safe_strcpy(unix_name, global_myname(), sizeof(unix_name)-1);250 strlower_m(unix_name);217 checked_strlcpy(unix_name, lp_netbios_name(), sizeof(unix_name)); 218 (void)strlower_m(unix_name); 251 219 push_ascii_nstring(dos_name, unix_name); 252 220 strlcpy((char *)blob_out.data, dos_name, 17); … … 271 239 ****************************************************************************/ 272 240 273 static void reply_nt1(struct smb_request *req, uint16 choice)241 static void reply_nt1(struct smb_request *req, uint16_t choice) 274 242 { 275 243 /* dual names + lock_and_read + nt SMBs + remote API calls */ … … 281 249 struct timespec ts; 282 250 ssize_t ret; 283 struct smbd_server_connection *sconn = req->sconn; 284 285 sconn->smb1.negprot.encrypted_passwords = lp_encrypted_passwords(); 251 struct smbXsrv_connection *xconn = req->xconn; 252 bool signing_desired = false; 253 bool signing_required = false; 254 255 xconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords(); 286 256 287 257 /* Check the flags field to see if this is Vista. … … 290 260 291 261 if ( (req->flags2 & FLAGS2_EXTENDED_SECURITY) && 292 ((req->flags2 & FLAGS2_ UNKNOWN_BIT4) == 0) )262 ((req->flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED) == 0) ) 293 263 { 294 if (get_remote_arch() != RA_SAMBA) { 264 if ((get_remote_arch() != RA_SAMBA) && 265 (get_remote_arch() != RA_CIFSFS)) { 295 266 set_remote_arch( RA_VISTA ); 296 267 } … … 302 273 supports it and we can do encrypted passwords */ 303 274 304 if (sconn->smb1.negprot.encrypted_passwords && 305 (lp_security() != SEC_SHARE) && 275 if (xconn->smb1.negprot.encrypted_passwords && 306 276 lp_use_spnego() && 307 277 (req->flags2 & FLAGS2_EXTENDED_SECURITY)) { … … 315 285 } 316 286 317 capabilities |= CAP_NT_SMBS|CAP_RPC_REMOTE_APIS|CAP_UNICODE; 287 capabilities |= CAP_NT_SMBS|CAP_RPC_REMOTE_APIS; 288 289 if (lp_unicode()) { 290 capabilities |= CAP_UNICODE; 291 } 318 292 319 293 if (lp_unix_extensions()) { … … 321 295 } 322 296 323 if (lp_large_readwrite() && (SMB_OFF_T_BITS == 64))297 if (lp_large_readwrite()) 324 298 capabilities |= CAP_LARGE_READX|CAP_LARGE_WRITEX|CAP_W2K_SMBS; 325 299 326 if (SMB_OFF_T_BITS == 64) 327 capabilities |= CAP_LARGE_FILES; 328 329 if (lp_readraw() && lp_writeraw()) 300 capabilities |= CAP_LARGE_FILES; 301 302 if (!lp_async_smb_echo_handler() && lp_read_raw() && lp_write_raw()) 330 303 capabilities |= CAP_RAW_MODE; 331 304 … … 336 309 capabilities |= CAP_DFS; 337 310 338 if (lp_security() >= SEC_USER) { 339 secword |= NEGOTIATE_SECURITY_USER_LEVEL; 340 } 341 if (sconn->smb1.negprot.encrypted_passwords) { 311 secword |= NEGOTIATE_SECURITY_USER_LEVEL; 312 if (xconn->smb1.negprot.encrypted_passwords) { 342 313 secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE; 343 314 } 344 315 345 if (lp_server_signing()) { 346 if (lp_security() >= SEC_USER) { 347 secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED; 348 /* No raw mode with smb signing. */ 349 capabilities &= ~CAP_RAW_MODE; 350 if (lp_server_signing() == Required) 351 secword |=NEGOTIATE_SECURITY_SIGNATURES_REQUIRED; 352 srv_set_signing_negotiated(sconn); 353 } else { 354 DEBUG(0,("reply_nt1: smb signing is incompatible with share level security !\n")); 355 if (lp_server_signing() == Required) { 356 exit_server_cleanly("reply_nt1: smb signing required and share level security selected."); 357 } 316 signing_desired = smb_signing_is_desired(xconn->smb1.signing_state); 317 signing_required = smb_signing_is_mandatory(xconn->smb1.signing_state); 318 319 if (signing_desired) { 320 secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED; 321 /* No raw mode with smb signing. */ 322 capabilities &= ~CAP_RAW_MODE; 323 if (signing_required) { 324 secword |=NEGOTIATE_SECURITY_SIGNATURES_REQUIRED; 358 325 } 359 326 } … … 362 329 SCVAL(req->outbuf,smb_vwv1,secword); 363 330 364 s et_Protocol(PROTOCOL_NT1);365 366 SSVAL(req->outbuf,smb_vwv1+1, lp_maxmux()); /* maxmpx */367 SSVAL(req->outbuf,smb_vwv2+1, 1); /* num vcs */331 smbXsrv_connection_init_tables(xconn, PROTOCOL_NT1); 332 333 SSVAL(req->outbuf,smb_vwv1+1, lp_max_mux()); /* maxmpx */ 334 SSVAL(req->outbuf,smb_vwv2+1, 1); /* num vcs */ 368 335 SIVAL(req->outbuf,smb_vwv3+1, 369 sconn->smb1.negprot.max_recv); /* max buffer. LOTS! */370 SIVAL(req->outbuf,smb_vwv5+1, 0x10000); /* raw size. full 64k */371 SIVAL(req->outbuf,smb_vwv7+1, sys_getpid()); /* session key */372 SIVAL(req->outbuf,smb_vwv9+1, capabilities); /* capabilities */336 xconn->smb1.negprot.max_recv); /* max buffer. LOTS! */ 337 SIVAL(req->outbuf,smb_vwv5+1, 0x10000); /* raw size. full 64k */ 338 SIVAL(req->outbuf,smb_vwv7+1, getpid()); /* session key */ 339 SIVAL(req->outbuf,smb_vwv9+1, capabilities); /* capabilities */ 373 340 clock_gettime(CLOCK_REALTIME,&ts); 374 341 put_long_date_timespec(TIMESTAMP_SET_NT_OR_BETTER,(char *)req->outbuf+smb_vwv11+1,ts); … … 377 344 if (!negotiate_spnego) { 378 345 /* Create a token value and add it to the outgoing packet. */ 379 if ( sconn->smb1.negprot.encrypted_passwords) {380 uint8 chal[8];346 if (xconn->smb1.negprot.encrypted_passwords) { 347 uint8_t chal[8]; 381 348 /* note that we do not send a challenge at all if 382 349 we are using plaintext */ 383 get_challenge( sconn, chal);350 get_challenge(xconn, chal); 384 351 ret = message_push_blob( 385 352 &req->outbuf, data_blob_const(chal, sizeof(chal))); … … 399 366 return; 400 367 } 368 ret = message_push_string(&req->outbuf, lp_netbios_name(), 369 STR_UNICODE|STR_TERMINATE 370 |STR_NOALIGN); 371 if (ret == -1) { 372 DEBUG(0, ("Could not push netbios name string\n")); 373 reply_nterror(req, NT_STATUS_NO_MEMORY); 374 return; 375 } 401 376 DEBUG(3,("not using SPNEGO\n")); 402 377 } else { 403 DATA_BLOB spnego_blob = negprot_spnego(req, req->sconn);378 DATA_BLOB spnego_blob = negprot_spnego(req, xconn); 404 379 405 380 if (spnego_blob.data == NULL) { … … 468 443 protocol [LM1.2X002] 469 444 protocol [LANMAN2.1] 445 446 OSX: 447 protocol [NT LM 0.12] 448 protocol [SMB 2.002] 449 protocol [SMB 2.???] 470 450 */ 471 451 … … 474 454 * 475 455 * This appears to be the matrix of which protocol is used by which 476 * MS product. 477 Protocol WfWg Win95 WinNT Win2K OS/2 Vista 478 PC NETWORK PROGRAM 1.0 1 1 1 1 1 1 479 XENIX CORE 2 2 480 MICROSOFT NETWORKS 3.0 2 2 481 DOS LM1.2X002 3 3 482 MICROSOFT NETWORKS 1.03 3 483 DOS LANMAN2.1 4 4 484 LANMAN1.0 4 2 3 2 485 Windows for Workgroups 3.1a 5 5 5 3 3 486 LM1.2X002 6 4 4 4 487 LANMAN2.1 7 5 5 5 488 NT LM 0.12 6 8 6 6 489 SMB 2.001 7 456 * product. 457 Protocol WfWg Win95 WinNT Win2K OS/2 Vista OSX 458 PC NETWORK PROGRAM 1.0 1 1 1 1 1 1 459 XENIX CORE 2 2 460 MICROSOFT NETWORKS 3.0 2 2 461 DOS LM1.2X002 3 3 462 MICROSOFT NETWORKS 1.03 3 463 DOS LANMAN2.1 4 4 464 LANMAN1.0 4 2 3 2 465 Windows for Workgroups 3.1a 5 5 5 3 3 466 LM1.2X002 6 4 4 4 467 LANMAN2.1 7 5 5 5 468 NT LM 0.12 6 8 6 6 6 1 469 SMB 2.001 7 470 SMB 2.002 2 471 SMB 2.??? 3 490 472 * 491 473 * tim@fsg.com 09/29/95 … … 493 475 */ 494 476 495 #define ARCH_WFWG 0x3 /* This is a fudge because WfWg is like Win95 */ 496 #define ARCH_WIN95 0x2 497 #define ARCH_WINNT 0x4 498 #define ARCH_WIN2K 0xC /* Win2K is like NT */ 499 #define ARCH_OS2 0x14 /* Again OS/2 is like NT */ 500 #define ARCH_SAMBA 0x20 501 #define ARCH_CIFSFS 0x40 502 #define ARCH_VISTA 0x8C /* Vista is like XP/2K */ 503 504 #define ARCH_ALL 0x7F 477 #define PROT_PC_NETWORK_PROGRAM_1_0 0x0001 478 #define PROT_XENIX_CORE 0x0002 479 #define PROT_MICROSOFT_NETWORKS_3_0 0x0004 480 #define PROT_DOS_LM1_2X002 0x0008 481 #define PROT_MICROSOFT_NETWORKS_1_03 0x0010 482 #define PROT_DOS_LANMAN2_1 0x0020 483 #define PROT_LANMAN1_0 0x0040 484 #define PROT_WFWG 0x0080 485 #define PROT_LM1_2X002 0x0100 486 #define PROT_LANMAN2_1 0x0200 487 #define PROT_NT_LM_0_12 0x0400 488 #define PROT_SMB_2_001 0x0800 489 #define PROT_SMB_2_002 0x1000 490 #define PROT_SMB_2_FF 0x2000 491 #define PROT_SAMBA 0x4000 492 #define PROT_POSIX_2 0x8000 493 494 #define ARCH_WFWG ( PROT_PC_NETWORK_PROGRAM_1_0 | PROT_MICROSOFT_NETWORKS_3_0 | \ 495 PROT_DOS_LM1_2X002 | PROT_DOS_LANMAN2_1 | PROT_WFWG ) 496 #define ARCH_WIN95 ( ARCH_WFWG | PROT_NT_LM_0_12 ) 497 #define ARCH_WINNT ( PROT_PC_NETWORK_PROGRAM_1_0 | PROT_XENIX_CORE | \ 498 PROT_MICROSOFT_NETWORKS_1_03 | PROT_LANMAN1_0 | PROT_WFWG | \ 499 PROT_LM1_2X002 | PROT_LANMAN2_1 | PROT_NT_LM_0_12 ) 500 #define ARCH_WIN2K ( ARCH_WINNT & ~(PROT_XENIX_CORE | PROT_MICROSOFT_NETWORKS_1_03) ) 501 #define ARCH_OS2 ( ARCH_WINNT & ~(PROT_MICROSOFT_NETWORKS_1_03 | PROT_WFWG) ) 502 #define ARCH_VISTA ( ARCH_WIN2K | PROT_SMB_2_001 ) 503 #define ARCH_SAMBA ( PROT_SAMBA ) 504 #define ARCH_CIFSFS ( PROT_POSIX_2 ) 505 #define ARCH_OSX ( PROT_NT_LM_0_12 | PROT_SMB_2_002 | PROT_SMB_2_FF ) 505 506 506 507 /* List of supported protocols, most desired first */ … … 508 509 const char *proto_name; 509 510 const char *short_name; 510 void (*proto_reply_fn)(struct smb_request *req, uint16 choice);511 void (*proto_reply_fn)(struct smb_request *req, uint16_t choice); 511 512 int protocol_level; 512 513 } supported_protocols[] = { 513 {"SMB 2.002", "SMB2", reply_smb2002, PROTOCOL_SMB2}, 514 {"SMB 2.???", "SMB2_FF", reply_smb20ff, PROTOCOL_SMB2_10}, 515 {"SMB 2.002", "SMB2_02", reply_smb2002, PROTOCOL_SMB2_02}, 514 516 {"NT LANMAN 1.0", "NT1", reply_nt1, PROTOCOL_NT1}, 515 517 {"NT LM 0.12", "NT1", reply_nt1, PROTOCOL_NT1}, … … 521 523 {"LANMAN1.0", "LANMAN1", reply_lanman1, PROTOCOL_LANMAN1}, 522 524 {"MICROSOFT NETWORKS 3.0", "LANMAN1", reply_lanman1, PROTOCOL_LANMAN1}, 523 {"MICROSOFT NETWORKS 1.03", "COREPLUS", reply_coreplus, PROTOCOL_COREPLUS},524 {"PC NETWORK PROGRAM 1.0", "CORE", reply_corep, PROTOCOL_CORE},525 525 {NULL,NULL,NULL,0}, 526 526 }; … … 534 534 { 535 535 int choice= -1; 536 int chosen_level = -1; 536 537 int protocol; 537 538 const char *p; 538 int arch = ARCH_ALL;539 int protocols = 0; 539 540 int num_cliprotos; 540 541 char **cliprotos; 541 542 int i; 542 543 size_t converted_size; 544 struct smbXsrv_connection *xconn = req->xconn; 543 545 struct smbd_server_connection *sconn = req->sconn; 546 bool signing_required = true; 544 547 545 548 START_PROFILE(SMBnegprot); 546 549 547 if ( sconn->smb1.negprot.done) {550 if (xconn->smb1.negprot.done) { 548 551 END_PROFILE(SMBnegprot); 549 552 exit_server_cleanly("multiple negprot's are not permitted"); 550 553 } 551 sconn->smb1.negprot.done = true;554 xconn->smb1.negprot.done = true; 552 555 553 556 if (req->buflen == 0) { … … 574 577 char **tmp; 575 578 576 tmp = TALLOC_REALLOC_ARRAY(talloc_tos(), cliprotos, char *,579 tmp = talloc_realloc(talloc_tos(), cliprotos, char *, 577 580 num_cliprotos+1); 578 581 if (tmp == NULL) { … … 603 606 604 607 for (i=0; i<num_cliprotos; i++) { 605 if (strcsequal(cliprotos[i], "Windows for Workgroups 3.1a")) 606 arch &= ( ARCH_WFWG | ARCH_WIN95 | ARCH_WINNT 607 | ARCH_WIN2K ); 608 else if (strcsequal(cliprotos[i], "DOS LM1.2X002")) 609 arch &= ( ARCH_WFWG | ARCH_WIN95 ); 610 else if (strcsequal(cliprotos[i], "DOS LANMAN2.1")) 611 arch &= ( ARCH_WFWG | ARCH_WIN95 ); 612 else if (strcsequal(cliprotos[i], "NT LM 0.12")) 613 arch &= ( ARCH_WIN95 | ARCH_WINNT | ARCH_WIN2K 614 | ARCH_CIFSFS); 615 else if (strcsequal(cliprotos[i], "SMB 2.001")) 616 arch = ARCH_VISTA; 617 else if (strcsequal(cliprotos[i], "LANMAN2.1")) 618 arch &= ( ARCH_WINNT | ARCH_WIN2K | ARCH_OS2 ); 619 else if (strcsequal(cliprotos[i], "LM1.2X002")) 620 arch &= ( ARCH_WINNT | ARCH_WIN2K | ARCH_OS2 ); 621 else if (strcsequal(cliprotos[i], "MICROSOFT NETWORKS 1.03")) 622 arch &= ARCH_WINNT; 623 else if (strcsequal(cliprotos[i], "XENIX CORE")) 624 arch &= ( ARCH_WINNT | ARCH_OS2 ); 625 else if (strcsequal(cliprotos[i], "Samba")) { 626 arch = ARCH_SAMBA; 608 if (strcsequal(cliprotos[i], "Windows for Workgroups 3.1a")) { 609 protocols |= PROT_WFWG; 610 } else if (strcsequal(cliprotos[i], "DOS LM1.2X002")) { 611 protocols |= PROT_DOS_LM1_2X002; 612 } else if (strcsequal(cliprotos[i], "DOS LANMAN2.1")) { 613 protocols |= PROT_DOS_LANMAN2_1; 614 } else if (strcsequal(cliprotos[i], "LANMAN1.0")) { 615 protocols |= PROT_LANMAN1_0; 616 } else if (strcsequal(cliprotos[i], "NT LM 0.12")) { 617 protocols |= PROT_NT_LM_0_12; 618 } else if (strcsequal(cliprotos[i], "SMB 2.001")) { 619 protocols |= PROT_SMB_2_001; 620 } else if (strcsequal(cliprotos[i], "SMB 2.002")) { 621 protocols |= PROT_SMB_2_002; 622 } else if (strcsequal(cliprotos[i], "SMB 2.???")) { 623 protocols |= PROT_SMB_2_FF; 624 } else if (strcsequal(cliprotos[i], "LANMAN2.1")) { 625 protocols |= PROT_LANMAN2_1; 626 } else if (strcsequal(cliprotos[i], "LM1.2X002")) { 627 protocols |= PROT_LM1_2X002; 628 } else if (strcsequal(cliprotos[i], "MICROSOFT NETWORKS 1.03")) { 629 protocols |= PROT_MICROSOFT_NETWORKS_1_03; 630 } else if (strcsequal(cliprotos[i], "MICROSOFT NETWORKS 3.0")) { 631 protocols |= PROT_MICROSOFT_NETWORKS_3_0; 632 } else if (strcsequal(cliprotos[i], "PC NETWORK PROGRAM 1.0")) { 633 protocols |= PROT_PC_NETWORK_PROGRAM_1_0; 634 } else if (strcsequal(cliprotos[i], "XENIX CORE")) { 635 protocols |= PROT_XENIX_CORE; 636 } else if (strcsequal(cliprotos[i], "Samba")) { 637 protocols = PROT_SAMBA; 627 638 break; 628 639 } else if (strcsequal(cliprotos[i], "POSIX 2")) { 629 arch = ARCH_CIFSFS; 630 break; 631 } 632 } 633 634 /* CIFSFS can send one arch only, NT LM 0.12. */ 635 if (i == 1 && (arch & ARCH_CIFSFS)) { 636 arch = ARCH_CIFSFS; 637 } 638 639 switch ( arch ) { 640 protocols = PROT_POSIX_2; 641 break; 642 } 643 } 644 645 switch ( protocols ) { 646 /* Old CIFSFS can send one arch only, NT LM 0.12. */ 647 case PROT_NT_LM_0_12: 640 648 case ARCH_CIFSFS: 641 649 set_remote_arch(RA_CIFSFS); … … 651 659 break; 652 660 case ARCH_WINNT: 653 if(req->flags2 == FLAGS2_WIN2K_SIGNATURE) 654 set_remote_arch(RA_WIN2K); 655 else 656 set_remote_arch(RA_WINNT); 661 set_remote_arch(RA_WINNT); 657 662 break; 658 663 case ARCH_WIN2K: 659 /* Vista may have been set in the negprot so don't 660 override it here */ 661 if ( get_remote_arch() != RA_VISTA ) 662 set_remote_arch(RA_WIN2K); 664 set_remote_arch(RA_WIN2K); 663 665 break; 664 666 case ARCH_VISTA: … … 667 669 case ARCH_OS2: 668 670 set_remote_arch(RA_OS2); 671 break; 672 case ARCH_OSX: 673 set_remote_arch(RA_OSX); 669 674 break; 670 675 default: … … 674 679 675 680 /* possibly reload - change of architecture */ 676 reload_services(sconn ->msg_ctx, sconn->sock, True);681 reload_services(sconn, conn_snum_used, true); 677 682 678 683 /* moved from the netbios session setup code since we don't have that … … 680 685 window where we are listening to messages -- jerry */ 681 686 682 serverid_register( sconn_server_id(sconn),687 serverid_register(messaging_server_id(sconn->msg_ctx), 683 688 FLAG_MSG_GENERAL|FLAG_MSG_SMBD 684 689 |FLAG_MSG_PRINT_GENERAL); … … 687 692 for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) { 688 693 i = 0; 689 if ((supported_protocols[protocol].protocol_level <= lp_ maxprotocol()) &&690 (supported_protocols[protocol].protocol_level >= lp_ minprotocol()))694 if ((supported_protocols[protocol].protocol_level <= lp_server_max_protocol()) && 695 (supported_protocols[protocol].protocol_level >= lp_server_min_protocol())) 691 696 while (i < num_cliprotos) { 692 if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) 697 if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) { 693 698 choice = i; 699 chosen_level = supported_protocols[protocol].protocol_level; 700 } 694 701 i++; 695 702 } … … 700 707 if(choice != -1) { 701 708 fstrcpy(remote_proto,supported_protocols[protocol].short_name); 702 reload_services(sconn ->msg_ctx, sconn->sock, True);709 reload_services(sconn, conn_snum_used, true); 703 710 supported_protocols[protocol].proto_reply_fn(req, choice); 704 711 DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name)); … … 711 718 DEBUG( 5, ( "negprot index=%d\n", choice ) ); 712 719 713 if ((lp_server_signing() == Required) && (get_Protocol() < PROTOCOL_NT1)) { 720 /* We always have xconn->smb1.signing_state also for >= SMB2_02 */ 721 signing_required = smb_signing_is_mandatory(xconn->smb1.signing_state); 722 if (signing_required && (chosen_level < PROTOCOL_NT1)) { 714 723 exit_server_cleanly("SMB signing is required and " 715 724 "client negotiated a downlevel protocol"); … … 718 727 TALLOC_FREE(cliprotos); 719 728 720 if (lp_async_smb_echo_handler() && ( get_Protocol() < PROTOCOL_SMB2) &&721 !fork_echo_handler( sconn)) {729 if (lp_async_smb_echo_handler() && (chosen_level < PROTOCOL_SMB2_02) && 730 !fork_echo_handler(xconn)) { 722 731 exit_server("Failed to fork echo handler"); 723 732 }
Note:
See TracChangeset
for help on using the changeset viewer.
