static NTSTATUS smb1srv_session_local_allocate_id(struct db_context *db,
uint32_t lowest_id,
uint32_t highest_id,
TALLOC_CTX *mem_ctx,
struct db_record **_rec,
uint32_t *_id)
{
struct smb1srv_session_local_allocate_state state = {
.lowest_id = lowest_id,
.highest_id = highest_id,
.last_id = 0,
.useable_id = lowest_id,
.status = NT_STATUS_INTERNAL_ERROR,
};
uint32_t i;
uint32_t range;
NTSTATUS status;
int count = 0;
*_rec = NULL;
*_id = 0;
if (lowest_id > highest_id) {
return NT_STATUS_INSUFFICIENT_RESOURCES;
}
/*
* first we try randomly
*/
range = (highest_id - lowest_id) + 1;
for (i = 0; i < (range / 2); i++) {
uint32_t id;
TDB_DATA val;
struct db_record *rec = NULL;
id = generate_random() % range;
id += lowest_id;
if (id < lowest_id) {
id = lowest_id;
}
if (id > highest_id) {
id = highest_id;
}
rec = smbXsrv_session_local_fetch_locked(db, id, mem_ctx);
if (rec == NULL) {
return NT_STATUS_INSUFFICIENT_RESOURCES;
}
val = dbwrap_record_get_value(rec);
if (val.dsize != 0) {
TALLOC_FREE(rec);
continue;
}
*_rec = rec;
*_id = id;
return NT_STATUS_OK;
}
/*
* if the range is almost full,
* we traverse the whole table
* (this relies on sorted behavior of dbwrap_rbt)
*/
status = dbwrap_traverse_read(db, smb1srv_session_local_allocate_traverse,
&state, &count);
if (NT_STATUS_IS_OK(status)) {
if (NT_STATUS_IS_OK(state.status)) {
return NT_STATUS_INTERNAL_ERROR;
}
if (!NT_STATUS_EQUAL(state.status, NT_STATUS_INTERNAL_ERROR)) {
return state.status;
}
if (state.useable_id <= state.highest_id) {
state.status = NT_STATUS_OK;
} else {
return NT_STATUS_INSUFFICIENT_RESOURCES;
}
} else if (!NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_DB_CORRUPTION)) {
/*
* Here we really expect NT_STATUS_INTERNAL_DB_CORRUPTION!
*
* If we get anything else it is an error, because it
* means we did not manage to find a free slot in
* the db.
*/
return NT_STATUS_INSUFFICIENT_RESOURCES;
}
if (NT_STATUS_IS_OK(state.status)) {
uint32_t id;
TDB_DATA val;
struct db_record *rec = NULL;
id = state.useable_id;
rec = smbXsrv_session_local_fetch_locked(db, id, mem_ctx);
if (rec == NULL) {
return NT_STATUS_INSUFFICIENT_RESOURCES;
}
val = dbwrap_record_get_value(rec);
if (val.dsize != 0) {
TALLOC_FREE(rec);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
*_rec = rec;
*_id = id;
return NT_STATUS_OK;
}
return state.status;
}
struct smbXsrv_session_local_fetch_state {
struct smbXsrv_session *session;
NTSTATUS status;
};
static void smbXsrv_session_local_fetch_parser(TDB_DATA key, TDB_DATA data,
void *private_data)
{
struct smbXsrv_session_local_fetch_state *state =
(struct smbXsrv_session_local_fetch_state *)private_data;
void *ptr;
if (data.dsize != sizeof(ptr)) {
state->status = NT_STATUS_INTERNAL_DB_ERROR;
return;
}
memcpy(&ptr, data.dptr, data.dsize);
state->session = talloc_get_type_abort(ptr, struct smbXsrv_session);
state->status = NT_STATUS_OK;
}
static NTSTATUS smbXsrv_session_local_lookup(struct smbXsrv_session_table *table,
/* conn: optional */
struct smbXsrv_connection *conn,
uint32_t session_local_id,
NTTIME now,
struct smbXsrv_session **_session)
{
struct smbXsrv_session_local_fetch_state state = {
.session = NULL,
.status = NT_STATUS_INTERNAL_ERROR,
};
uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
TDB_DATA key;
NTSTATUS status;
*_session = NULL;
if (session_local_id == 0) {
return NT_STATUS_USER_SESSION_DELETED;
}
if (table == NULL) {
/* this might happen before the end of negprot */
return NT_STATUS_USER_SESSION_DELETED;
}
if (table->local.db_ctx == NULL) {
return NT_STATUS_INTERNAL_ERROR;
}
key = smbXsrv_session_local_id_to_key(session_local_id, key_buf);
status = dbwrap_parse_record(table->local.db_ctx, key,
smbXsrv_session_local_fetch_parser,
&state);
if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
return NT_STATUS_USER_SESSION_DELETED;
} else if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (!NT_STATUS_IS_OK(state.status)) {
return state.status;
}
if (NT_STATUS_EQUAL(state.session->status, NT_STATUS_USER_SESSION_DELETED)) {
return NT_STATUS_USER_SESSION_DELETED;
}
/*
* If a connection is specified check if the session is
* valid on the channel.
*/
if (conn != NULL) {
struct smbXsrv_channel_global0 *c = NULL;
status = smbXsrv_session_find_channel(state.session, conn, &c);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
state.session->idle_time = now;
if (!NT_STATUS_IS_OK(state.session->status)) {
*_session = state.session;
return state.session->status;
}
if (now > state.session->global->expiration_time) {
state.session->status = NT_STATUS_NETWORK_SESSION_EXPIRED;
}
*_session = state.session;
return state.session->status;
}
static int smbXsrv_session_global_destructor(struct smbXsrv_session_global0 *global)
{
return 0;
}
static void smbXsrv_session_global_verify_record(struct db_record *db_rec,
bool *is_free,
bool *was_free,
TALLOC_CTX *mem_ctx,
struct smbXsrv_session_global0 **_g);
static NTSTATUS smbXsrv_session_global_allocate(struct db_context *db,
TALLOC_CTX *mem_ctx,
struct smbXsrv_session_global0 **_global)
{
uint32_t i;
struct smbXsrv_session_global0 *global = NULL;
uint32_t last_free = 0;
const uint32_t min_tries = 3;
*_global = NULL;
global = talloc_zero(mem_ctx, struct smbXsrv_session_global0);
if (global == NULL) {
return NT_STATUS_NO_MEMORY;
}
talloc_set_destructor(global, smbXsrv_session_global_destructor);
/*
* Here we just randomly try the whole 32-bit space
*
* We use just 32-bit, because we want to reuse the
* ID for SRVSVC.
*/
for (i = 0; i < UINT32_MAX; i++) {
bool is_free = false;
bool was_free = false;
uint32_t id;
if (i >= min_tries && last_free != 0) {
id = last_free;
} else {
id = generate_random();
}
if (id == 0) {
id++;
}
if (id == UINT32_MAX) {
id--;
}
global->db_rec = smbXsrv_session_global_fetch_locked(db, id,
mem_ctx);
if (global->db_rec == NULL) {
talloc_free(global);
return NT_STATUS_INSUFFICIENT_RESOURCES;
}
smbXsrv_session_global_verify_record(global->db_rec,
&is_free,
&was_free,
NULL, NULL);
if (!is_free) {
TALLOC_FREE(global->db_rec);
continue;
}
if (!was_free && i < min_tries) {
/*
* The session_id is free now,
* but was not free before.
*
* This happens if a smbd crashed
* and did not cleanup the record.
*
* If this is one of our first tries,
* then we try to find a real free one.
*/
if (last_free == 0) {
last_free = id;
}
TALLOC_FREE(global->db_rec);
continue;
}
global->session_global_id = id;
*_global = global;
return NT_STATUS_OK;
}
/* should not be reached */
talloc_free(global);
return NT_STATUS_INTERNAL_ERROR;
}
static NTSTATUS smbd_smb2_bind_auth_return(struct smbXsrv_session *session,
struct smbXsrv_session_auth0 **_auth,
struct smbd_smb2_request *smb2req,
struct auth_session_info *session_info,
uint16_t *out_session_flags,
uint64_t *out_session_id)
{
NTSTATUS status;
struct smbXsrv_session *x = session;
struct smbXsrv_session_auth0 *auth = *_auth;
struct smbXsrv_connection *xconn = smb2req->xconn;
struct smbXsrv_channel_global0 *c = NULL;
uint8_t session_key[16];
size_t i;
struct _derivation {
DATA_BLOB label;
DATA_BLOB context;
};
struct {
struct _derivation signing;
} derivation = { };
bool ok;
*_auth = NULL;
if (xconn->protocol >= PROTOCOL_SMB3_10) {
struct smbXsrv_preauth *preauth;
struct _derivation *d;
DATA_BLOB p;
struct hc_sha512state sctx;
preauth = talloc_move(smb2req, &auth->preauth);
samba_SHA512_Init(&sctx);
samba_SHA512_Update(&sctx, preauth->sha512_value,
sizeof(preauth->sha512_value));
for (i = 1; i < smb2req->in.vector_count; i++) {
samba_SHA512_Update(&sctx,
smb2req->in.vector[i].iov_base,
smb2req->in.vector[i].iov_len);
}
samba_SHA512_Final(preauth->sha512_value, &sctx);
p = data_blob_const(preauth->sha512_value,
sizeof(preauth->sha512_value));
d = &derivation.signing;
d->label = data_blob_string_const_null("SMBSigningKey");
d->context = p;
} else if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d;
d = &derivation.signing;
d->label = data_blob_string_const_null("SMB2AESCMAC");
d->context = data_blob_string_const_null("SmbSign");
}
status = smbXsrv_session_find_channel(session, xconn, &c);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
ok = security_token_is_sid(session_info->security_token,
&x->global->auth_session_info->security_token->sids[0]);
if (!ok) {
return NT_STATUS_NOT_SUPPORTED;
}
if (session_info->session_key.length == 0) {
/* See [MS-SMB2] 3.3.5.2.4 for the return code. */
return NT_STATUS_NOT_SUPPORTED;
}
ZERO_STRUCT(session_key);
memcpy(session_key, session_info->session_key.data,
MIN(session_info->session_key.length, sizeof(session_key)));
c->signing_key = data_blob_talloc(x->global,
session_key,
sizeof(session_key));
if (c->signing_key.data == NULL) {
ZERO_STRUCT(session_key);
return NT_STATUS_NO_MEMORY;
}
if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.signing;
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
c->signing_key.data);
}
ZERO_STRUCT(session_key);
TALLOC_FREE(auth);
status = smbXsrv_session_update(session);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("smb2: Failed to update session for vuid=%llu - %s\n",
(unsigned long long)session->compat->vuid,
nt_errstr(status)));
return NT_STATUS_LOGON_FAILURE;
}
*out_session_id = session->global->session_wire_id;
return NT_STATUS_OK;
}
