/*
we have a full request in our receive buffer - match it to a pending request
and process
*/
static NTSTATUS smbcli_transport_finish_recv(void *private_data, DATA_BLOB blob)
{
struct smbcli_transport *transport = talloc_get_type(private_data,
struct smbcli_transport);
uint8_t *buffer, *hdr, *vwv;
int len;
uint16_t wct=0, mid = 0, op = 0;
struct smbcli_request *req = NULL;
buffer = blob.data;
len = blob.length;
hdr = buffer+NBT_HDR_SIZE;
vwv = hdr + HDR_VWV;
/* see if it could be an oplock break request */
if (smbcli_handle_oplock_break(transport, len, hdr, vwv)) {
talloc_free(buffer);
return NT_STATUS_OK;
}
/* at this point we need to check for a readbraw reply, as
these can be any length */
if (transport->readbraw_pending) {
transport->readbraw_pending = 0;
/* it must match the first entry in the pending queue
as the client is not allowed to have outstanding
readbraw requests */
req = transport->pending_recv;
if (!req) goto error;
req->in.buffer = buffer;
talloc_steal(req, buffer);
req->in.size = len;
req->in.allocated = req->in.size;
goto async;
}
if (len >= MIN_SMB_SIZE) {
/* extract the mid for matching to pending requests */
mid = SVAL(hdr, HDR_MID);
wct = CVAL(hdr, HDR_WCT);
op = CVAL(hdr, HDR_COM);
}
/* match the incoming request against the list of pending requests */
for (req=transport->pending_recv; req; req=req->next) {
if (req->mid == mid) break;
}
/* see if it's a ntcancel reply for the current MID */
req = smbcli_handle_ntcancel_reply(req, len, hdr);
if (!req) {
DEBUG(1,("Discarding unmatched reply with mid %d op %d\n", mid, op));
goto error;
}
/* fill in the 'in' portion of the matching request */
req->in.buffer = buffer;
talloc_steal(req, buffer);
req->in.size = len;
req->in.allocated = req->in.size;
/* handle NBT session replies */
if (req->in.size >= 4 && req->in.buffer[0] != 0) {
req->status = NT_STATUS_OK;
goto async;
}
/* handle non-SMB replies */
if (req->in.size < NBT_HDR_SIZE + MIN_SMB_SIZE) {
req->state = SMBCLI_REQUEST_ERROR;
goto error;
}
if (req->in.size < NBT_HDR_SIZE + MIN_SMB_SIZE + VWV(wct)) {
DEBUG(2,("bad reply size for mid %d\n", mid));
req->status = NT_STATUS_UNSUCCESSFUL;
req->state = SMBCLI_REQUEST_ERROR;
goto error;
}
req->in.hdr = hdr;
req->in.vwv = vwv;
req->in.wct = wct;
if (req->in.size >= NBT_HDR_SIZE + MIN_SMB_SIZE + VWV(wct)) {
req->in.data = req->in.vwv + VWV(wct) + 2;
req->in.data_size = SVAL(req->in.vwv, VWV(wct));
if (req->in.size < NBT_HDR_SIZE + MIN_SMB_SIZE + VWV(wct) + req->in.data_size) {
DEBUG(3,("bad data size for mid %d\n", mid));
/* blergh - w2k3 gives a bogus data size values in some
openX replies */
req->in.data_size = req->in.size - (NBT_HDR_SIZE + MIN_SMB_SIZE + VWV(wct));
}
}
req->in.ptr = req->in.data;
req->flags2 = SVAL(req->in.hdr, HDR_FLG2);
smb_setup_bufinfo(req);
if (!(req->flags2 & FLAGS2_32_BIT_ERROR_CODES)) {
int eclass = CVAL(req->in.hdr,HDR_RCLS);
int code = SVAL(req->in.hdr,HDR_ERR);
if (eclass == 0 && code == 0) {
transport->error.e.nt_status = NT_STATUS_OK;
} else {
transport->error.e.nt_status = NT_STATUS_DOS(eclass, code);
}
} else {
transport->error.e.nt_status = NT_STATUS(IVAL(req->in.hdr, HDR_RCLS));
}
req->status = transport->error.e.nt_status;
if (NT_STATUS_IS_OK(req->status)) {
transport->error.etype = ETYPE_NONE;
} else {
transport->error.etype = ETYPE_SMB;
}
if (!smbcli_request_check_sign_mac(req)) {
transport->error.etype = ETYPE_SOCKET;
transport->error.e.socket_error = SOCKET_READ_BAD_SIG;
req->state = SMBCLI_REQUEST_ERROR;
req->status = NT_STATUS_ACCESS_DENIED;
goto error;
};
async:
/* if this request has an async handler then call that to
notify that the reply has been received. This might destroy
the request so it must happen last */
req->state = SMBCLI_REQUEST_DONE;
if (req->recv_helper.fn) {
/*
* let the recv helper decide in
* what state the request really is
*/
req->state = req->recv_helper.fn(req);
/* if more parts are needed, wait for them */
if (req->state <= SMBCLI_REQUEST_RECV) {
return NT_STATUS_OK;
}
}
DLIST_REMOVE(transport->pending_recv, req);
if (req->async.fn) {
req->async.fn(req);
}
return NT_STATUS_OK;
error:
if (req) {
DLIST_REMOVE(transport->pending_recv, req);
req->state = SMBCLI_REQUEST_ERROR;
if (req->async.fn) {
req->async.fn(req);
}
} else {
talloc_free(buffer);
}
return NT_STATUS_OK;
}
/*
handler for completion of a smbcli_request sub-request
*/
static void request_handler(struct smbcli_request *req)
{
struct composite_context *c = (struct composite_context *)req->async.private_data;
struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
struct smbcli_session *session = req->session;
DATA_BLOB session_key = data_blob(NULL, 0);
DATA_BLOB null_data_blob = data_blob(NULL, 0);
NTSTATUS session_key_err, nt_status;
struct smbcli_request *check_req = NULL;
const char *os = NULL;
const char *lanman = NULL;
if (req->sign_caller_checks) {
req->do_not_free = true;
check_req = req;
}
state->remote_status = smb_raw_sesssetup_recv(req, state, &state->setup);
c->status = state->remote_status;
state->req = NULL;
/*
* we only need to check the signature if the
* NT_STATUS_OK is returned
*/
if (!NT_STATUS_IS_OK(state->remote_status)) {
talloc_free(check_req);
check_req = NULL;
}
switch (state->setup.old.level) {
case RAW_SESSSETUP_OLD:
state->io->out.vuid = state->setup.old.out.vuid;
/* This doesn't work, as this only happens on old
* protocols, where this comparison won't match. */
if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
/* we neet to reset the vuid for a new try */
session->vuid = 0;
if (cli_credentials_wrong_password(state->io->in.credentials)) {
nt_status = session_setup_old(c, session,
state->io,
&state->req);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_req);
c->status = nt_status;
composite_continue_smb(c, state->req, request_handler, c);
return;
}
}
}
os = state->setup.old.out.os;
lanman = state->setup.old.out.lanman;
break;
case RAW_SESSSETUP_NT1:
state->io->out.vuid = state->setup.nt1.out.vuid;
if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
/* we neet to reset the vuid for a new try */
session->vuid = 0;
if (cli_credentials_wrong_password(state->io->in.credentials)) {
nt_status = session_setup_nt1(c, session,
state->io,
&state->req);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_req);
c->status = nt_status;
composite_continue_smb(c, state->req, request_handler, c);
return;
}
}
}
os = state->setup.nt1.out.os;
lanman = state->setup.nt1.out.lanman;
break;
case RAW_SESSSETUP_SPNEGO:
state->io->out.vuid = state->setup.spnego.out.vuid;
if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
/* we need to reset the vuid for a new try */
session->vuid = 0;
if (cli_credentials_wrong_password(state->io->in.credentials)) {
nt_status = session_setup_spnego(c, session,
state->io,
&state->req);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_req);
c->status = nt_status;
composite_continue_smb(c, state->req, request_handler, c);
return;
}
}
}
if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(c->status)) {
break;
}
if (NT_STATUS_EQUAL(state->gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
/* The status value here, from the earlier pass at GENSEC is
* vital to the security of the system. Even if the other end
* accepts, if GENSEC claims 'MORE_PROCESSING_REQUIRED' then
* you must keep feeding it blobs, or else the remote
* host/attacker might avoid mutal authentication
* requirements */
state->gensec_status = gensec_update(session->gensec, state,
state->setup.spnego.out.secblob,
&state->setup.spnego.in.secblob);
c->status = state->gensec_status;
if (!NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
!NT_STATUS_IS_OK(c->status)) {
break;
}
} else {
state->setup.spnego.in.secblob = data_blob(NULL, 0);
}
if (NT_STATUS_IS_OK(state->remote_status)) {
if (state->setup.spnego.in.secblob.length) {
c->status = NT_STATUS_INTERNAL_ERROR;
break;
}
session_key_err = gensec_session_key(session->gensec, session, &session->user_session_key);
if (NT_STATUS_IS_OK(session_key_err)) {
smbcli_transport_simple_set_signing(session->transport, session->user_session_key, null_data_blob);
}
}
if (state->setup.spnego.in.secblob.length) {
/*
* set the session->vuid value only for calling
* smb_raw_sesssetup_send()
*/
uint16_t vuid = session->vuid;
session->vuid = state->io->out.vuid;
state->req = smb_raw_sesssetup_send(session, &state->setup);
session->vuid = vuid;
if (state->req) {
state->req->sign_caller_checks = true;
}
composite_continue_smb(c, state->req, request_handler, c);
return;
}
os = state->setup.spnego.out.os;
lanman = state->setup.spnego.out.lanman;
break;
case RAW_SESSSETUP_SMB2:
c->status = NT_STATUS_INTERNAL_ERROR;
break;
}
if (check_req) {
check_req->sign_caller_checks = false;
if (!smbcli_request_check_sign_mac(check_req)) {
c->status = NT_STATUS_ACCESS_DENIED;
}
talloc_free(check_req);
check_req = NULL;
}
/* enforce the local signing required flag */
if (NT_STATUS_IS_OK(c->status) && !cli_credentials_is_anonymous(state->io->in.credentials)) {
if (!session->transport->negotiate.sign_info.doing_signing
&& session->transport->negotiate.sign_info.mandatory_signing) {
DEBUG(0, ("SMB signing required, but server does not support it\n"));
c->status = NT_STATUS_ACCESS_DENIED;
}
}
if (!NT_STATUS_IS_OK(c->status)) {
composite_error(c, c->status);
return;
}
if (os) {
session->os = talloc_strdup(session, os);
if (composite_nomem(session->os, c)) return;
} else {
session->os = NULL;
}
if (lanman) {
session->lanman = talloc_strdup(session, lanman);
if (composite_nomem(session->lanman, c)) return;
} else {
session->lanman = NULL;
}
composite_done(c);
}
