static NTSTATUS smb1srv_session_local_allocate_id(struct db_context *db, uint32_t lowest_id, uint32_t highest_id, TALLOC_CTX *mem_ctx, struct db_record **_rec, uint32_t *_id) { struct smb1srv_session_local_allocate_state state = { .lowest_id = lowest_id, .highest_id = highest_id, .last_id = 0, .useable_id = lowest_id, .status = NT_STATUS_INTERNAL_ERROR, }; uint32_t i; uint32_t range; NTSTATUS status; int count = 0; *_rec = NULL; *_id = 0; if (lowest_id > highest_id) { return NT_STATUS_INSUFFICIENT_RESOURCES; } /* * first we try randomly */ range = (highest_id - lowest_id) + 1; for (i = 0; i < (range / 2); i++) { uint32_t id; TDB_DATA val; struct db_record *rec = NULL; id = generate_random() % range; id += lowest_id; if (id < lowest_id) { id = lowest_id; } if (id > highest_id) { id = highest_id; } rec = smbXsrv_session_local_fetch_locked(db, id, mem_ctx); if (rec == NULL) { return NT_STATUS_INSUFFICIENT_RESOURCES; } val = dbwrap_record_get_value(rec); if (val.dsize != 0) { TALLOC_FREE(rec); continue; } *_rec = rec; *_id = id; return NT_STATUS_OK; } /* * if the range is almost full, * we traverse the whole table * (this relies on sorted behavior of dbwrap_rbt) */ status = dbwrap_traverse_read(db, smb1srv_session_local_allocate_traverse, &state, &count); if (NT_STATUS_IS_OK(status)) { if (NT_STATUS_IS_OK(state.status)) { return NT_STATUS_INTERNAL_ERROR; } if (!NT_STATUS_EQUAL(state.status, NT_STATUS_INTERNAL_ERROR)) { return state.status; } if (state.useable_id <= state.highest_id) { state.status = NT_STATUS_OK; } else { return NT_STATUS_INSUFFICIENT_RESOURCES; } } else if (!NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_DB_CORRUPTION)) { /* * Here we really expect NT_STATUS_INTERNAL_DB_CORRUPTION! * * If we get anything else it is an error, because it * means we did not manage to find a free slot in * the db. */ return NT_STATUS_INSUFFICIENT_RESOURCES; } if (NT_STATUS_IS_OK(state.status)) { uint32_t id; TDB_DATA val; struct db_record *rec = NULL; id = state.useable_id; rec = smbXsrv_session_local_fetch_locked(db, id, mem_ctx); if (rec == NULL) { return NT_STATUS_INSUFFICIENT_RESOURCES; } val = dbwrap_record_get_value(rec); if (val.dsize != 0) { TALLOC_FREE(rec); return NT_STATUS_INTERNAL_DB_CORRUPTION; } *_rec = rec; *_id = id; return NT_STATUS_OK; } return state.status; } struct smbXsrv_session_local_fetch_state { struct smbXsrv_session *session; NTSTATUS status; }; static void smbXsrv_session_local_fetch_parser(TDB_DATA key, TDB_DATA data, void *private_data) { struct smbXsrv_session_local_fetch_state *state = (struct smbXsrv_session_local_fetch_state *)private_data; void *ptr; if (data.dsize != sizeof(ptr)) { state->status = NT_STATUS_INTERNAL_DB_ERROR; return; } memcpy(&ptr, data.dptr, data.dsize); state->session = talloc_get_type_abort(ptr, struct smbXsrv_session); state->status = NT_STATUS_OK; } static NTSTATUS smbXsrv_session_local_lookup(struct smbXsrv_session_table *table, /* conn: optional */ struct smbXsrv_connection *conn, uint32_t session_local_id, NTTIME now, struct smbXsrv_session **_session) { struct smbXsrv_session_local_fetch_state state = { .session = NULL, .status = NT_STATUS_INTERNAL_ERROR, }; uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE]; TDB_DATA key; NTSTATUS status; *_session = NULL; if (session_local_id == 0) { return NT_STATUS_USER_SESSION_DELETED; } if (table == NULL) { /* this might happen before the end of negprot */ return NT_STATUS_USER_SESSION_DELETED; } if (table->local.db_ctx == NULL) { return NT_STATUS_INTERNAL_ERROR; } key = smbXsrv_session_local_id_to_key(session_local_id, key_buf); status = dbwrap_parse_record(table->local.db_ctx, key, smbXsrv_session_local_fetch_parser, &state); if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) { return NT_STATUS_USER_SESSION_DELETED; } else if (!NT_STATUS_IS_OK(status)) { return status; } if (!NT_STATUS_IS_OK(state.status)) { return state.status; } if (NT_STATUS_EQUAL(state.session->status, NT_STATUS_USER_SESSION_DELETED)) { return NT_STATUS_USER_SESSION_DELETED; } /* * If a connection is specified check if the session is * valid on the channel. */ if (conn != NULL) { struct smbXsrv_channel_global0 *c = NULL; status = smbXsrv_session_find_channel(state.session, conn, &c); if (!NT_STATUS_IS_OK(status)) { return status; } } state.session->idle_time = now; if (!NT_STATUS_IS_OK(state.session->status)) { *_session = state.session; return state.session->status; } if (now > state.session->global->expiration_time) { state.session->status = NT_STATUS_NETWORK_SESSION_EXPIRED; } *_session = state.session; return state.session->status; } static int smbXsrv_session_global_destructor(struct smbXsrv_session_global0 *global) { return 0; } static void smbXsrv_session_global_verify_record(struct db_record *db_rec, bool *is_free, bool *was_free, TALLOC_CTX *mem_ctx, struct smbXsrv_session_global0 **_g); static NTSTATUS smbXsrv_session_global_allocate(struct db_context *db, TALLOC_CTX *mem_ctx, struct smbXsrv_session_global0 **_global) { uint32_t i; struct smbXsrv_session_global0 *global = NULL; uint32_t last_free = 0; const uint32_t min_tries = 3; *_global = NULL; global = talloc_zero(mem_ctx, struct smbXsrv_session_global0); if (global == NULL) { return NT_STATUS_NO_MEMORY; } talloc_set_destructor(global, smbXsrv_session_global_destructor); /* * Here we just randomly try the whole 32-bit space * * We use just 32-bit, because we want to reuse the * ID for SRVSVC. */ for (i = 0; i < UINT32_MAX; i++) { bool is_free = false; bool was_free = false; uint32_t id; if (i >= min_tries && last_free != 0) { id = last_free; } else { id = generate_random(); } if (id == 0) { id++; } if (id == UINT32_MAX) { id--; } global->db_rec = smbXsrv_session_global_fetch_locked(db, id, mem_ctx); if (global->db_rec == NULL) { talloc_free(global); return NT_STATUS_INSUFFICIENT_RESOURCES; } smbXsrv_session_global_verify_record(global->db_rec, &is_free, &was_free, NULL, NULL); if (!is_free) { TALLOC_FREE(global->db_rec); continue; } if (!was_free && i < min_tries) { /* * The session_id is free now, * but was not free before. * * This happens if a smbd crashed * and did not cleanup the record. * * If this is one of our first tries, * then we try to find a real free one. */ if (last_free == 0) { last_free = id; } TALLOC_FREE(global->db_rec); continue; } global->session_global_id = id; *_global = global; return NT_STATUS_OK; } /* should not be reached */ talloc_free(global); return NT_STATUS_INTERNAL_ERROR; }
static NTSTATUS smbd_smb2_bind_auth_return(struct smbXsrv_session *session, struct smbXsrv_session_auth0 **_auth, struct smbd_smb2_request *smb2req, struct auth_session_info *session_info, uint16_t *out_session_flags, uint64_t *out_session_id) { NTSTATUS status; struct smbXsrv_session *x = session; struct smbXsrv_session_auth0 *auth = *_auth; struct smbXsrv_connection *xconn = smb2req->xconn; struct smbXsrv_channel_global0 *c = NULL; uint8_t session_key[16]; size_t i; struct _derivation { DATA_BLOB label; DATA_BLOB context; }; struct { struct _derivation signing; } derivation = { }; bool ok; *_auth = NULL; if (xconn->protocol >= PROTOCOL_SMB3_10) { struct smbXsrv_preauth *preauth; struct _derivation *d; DATA_BLOB p; struct hc_sha512state sctx; preauth = talloc_move(smb2req, &auth->preauth); samba_SHA512_Init(&sctx); samba_SHA512_Update(&sctx, preauth->sha512_value, sizeof(preauth->sha512_value)); for (i = 1; i < smb2req->in.vector_count; i++) { samba_SHA512_Update(&sctx, smb2req->in.vector[i].iov_base, smb2req->in.vector[i].iov_len); } samba_SHA512_Final(preauth->sha512_value, &sctx); p = data_blob_const(preauth->sha512_value, sizeof(preauth->sha512_value)); d = &derivation.signing; d->label = data_blob_string_const_null("SMBSigningKey"); d->context = p; } else if (xconn->protocol >= PROTOCOL_SMB2_24) { struct _derivation *d; d = &derivation.signing; d->label = data_blob_string_const_null("SMB2AESCMAC"); d->context = data_blob_string_const_null("SmbSign"); } status = smbXsrv_session_find_channel(session, xconn, &c); if (!NT_STATUS_IS_OK(status)) { return status; } ok = security_token_is_sid(session_info->security_token, &x->global->auth_session_info->security_token->sids[0]); if (!ok) { return NT_STATUS_NOT_SUPPORTED; } if (session_info->session_key.length == 0) { /* See [MS-SMB2] 3.3.5.2.4 for the return code. */ return NT_STATUS_NOT_SUPPORTED; } ZERO_STRUCT(session_key); memcpy(session_key, session_info->session_key.data, MIN(session_info->session_key.length, sizeof(session_key))); c->signing_key = data_blob_talloc(x->global, session_key, sizeof(session_key)); if (c->signing_key.data == NULL) { ZERO_STRUCT(session_key); return NT_STATUS_NO_MEMORY; } if (xconn->protocol >= PROTOCOL_SMB2_24) { struct _derivation *d = &derivation.signing; smb2_key_derivation(session_key, sizeof(session_key), d->label.data, d->label.length, d->context.data, d->context.length, c->signing_key.data); } ZERO_STRUCT(session_key); TALLOC_FREE(auth); status = smbXsrv_session_update(session); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n", (unsigned long long)session->compat->vuid, nt_errstr(status))); return NT_STATUS_LOGON_FAILURE; } *out_session_id = session->global->session_wire_id; return NT_STATUS_OK; }