Microsoft/NT4
Microsoft/NT4
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
NT4/private/ntos/srv/smbadmin.c
Microsoft ce47f986d8 First commit
2020-09-30 17:12:29 +02:00

2658 lines
74 KiB
C
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
smbadmin.c
Abstract:
This module contains routines for processing the administrative SMBs:
negotiate, session setup, tree connect, and logoff.
Author:
David Treadwell (davidtr) 30-Oct-1989
Revision History:
--*/
#include "precomp.h"
#pragma hdrstop
#define ENCRYPT_TEXT_LENGTH 20
VOID
GetEncryptionKey (
OUT CHAR EncryptionKey[MSV1_0_CHALLENGE_LENGTH]
);
VOID SRVFASTCALL
BlockingSessionSetupAndX (
IN OUT PWORK_CONTEXT WorkContext
);
VOID SRVFASTCALL
BlockingSessionSetup (
IN OUT PWORK_CONTEXT WorkContext
);
//
// EncryptionKeyCount is a monotonically increasing count of the number
// of times GetEncryptionKey has been called. This number is added to
// the system time to ensure that we do not use the same seed twice in
// generating a random challenge.
//
STATIC
ULONG EncryptionKeyCount = 0;
#ifdef ALLOC_PRAGMA
#pragma alloc_text( PAGE, SrvSmbNegotiate )
#pragma alloc_text( PAGE, SrvSmbProcessExit )
#pragma alloc_text( PAGE, SrvSmbSessionSetupAndX )
#pragma alloc_text( PAGE, BlockingSessionSetupAndX )
#pragma alloc_text( PAGE, SrvSmbSessionSetup )
#pragma alloc_text( PAGE, BlockingSessionSetup )
#pragma alloc_text( PAGE, SrvSmbLogoffAndX )
#pragma alloc_text( PAGE, GetEncryptionKey )
#endif
SMB_PROCESSOR_RETURN_TYPE
SrvSmbNegotiate (
SMB_PROCESSOR_PARAMETERS
)
/*++
Routine Description:
Processes a negotiate SMB.
Arguments:
SMB_PROCESSOR_PARAMETERS - See smbprocs.h for a description
of the parameters to SMB processor routines.
Return Value:
SMB_PROCESSOR_RETURN_TYPE - See smbprocs.h
--*/
{
PREQ_NEGOTIATE request;
PRESP_NT_NEGOTIATE ntResponse;
PRESP_NEGOTIATE response;
PRESP_OLD_NEGOTIATE respOldNegotiate;
PCONNECTION connection;
PENDPOINT endpoint;
PPAGED_CONNECTION pagedConnection;
USHORT byteCount;
PSZ s;
SMB_DIALECT bestDialect, serverDialect, firstDialect;
USHORT consumerDialectChosen, consumerDialect;
LARGE_INTEGER serverTime;
SMB_DATE date;
SMB_TIME time;
ULONG capabilities;
PAGED_CODE( );
IF_SMB_DEBUG(ADMIN1) {
SrvPrint2( "Negotiate request header at 0x%lx, "
"response header at 0x%lx\n",
WorkContext->RequestHeader, WorkContext->ResponseHeader );
SrvPrint2( "Negotiate request parameters at 0x%lx, "
"response parameters at 0x%lx\n",
WorkContext->RequestParameters,
WorkContext->ResponseParameters );
}
//
// Set up input and output buffers for parameters.
//
request = (PREQ_NEGOTIATE)WorkContext->RequestParameters;
response = (PRESP_NEGOTIATE)WorkContext->ResponseParameters;
ntResponse = (PRESP_NT_NEGOTIATE)WorkContext->ResponseParameters;
//
// Make sure that this is the first negotiate command sent.
// SrvStartListen() sets the dialect to illegal, so if it has changed
// then a negotiate SMB has already been sent.
//
connection = WorkContext->Connection;
pagedConnection = connection->PagedConnection;
endpoint = connection->Endpoint;
if ( connection->SmbDialect != SmbDialectIllegal ) {
IF_DEBUG(SMB_ERRORS) {
SrvPrint0( "SrvSmbNegotiate: Command already sent.\n" );
}
SrvSetSmbError( WorkContext, STATUS_INVALID_SMB );
return SmbStatusSendResponse;
}
//
// Find out which (if any) of the sent dialect strings matches the
// dialect strings known by this server. The ByteCount is verified
// to be legitimate in SrvProcessSmb, so it is not possible to walk
// off the end of the SMB here.
//
bestDialect = SmbDialectIllegal;
consumerDialectChosen = (USHORT)0xFFFF;
if( endpoint->IsPrimaryName ) {
firstDialect = FIRST_DIALECT;
} else {
firstDialect = FIRST_DIALECT_EMULATED;
}
for ( s = (PSZ)request->Buffer, consumerDialect = 0;
s < SmbGetUshort( &request->ByteCount ) + (PSZ)request->Buffer;
s += strlen(s) + 1, consumerDialect++ ) {
if ( *s++ != SMB_FORMAT_DIALECT ) {
IF_DEBUG(SMB_ERRORS) {
SrvPrint0( "SrvSmbNegotiate: Invalid dialect format code.\n" );
}
SrvLogInvalidSmb( WorkContext );
SrvSetSmbError( WorkContext, STATUS_INVALID_SMB );
return SmbStatusSendResponse;
}
for ( serverDialect = firstDialect;
serverDialect < bestDialect;
serverDialect++ ) {
if ( !strcmp( s, StrDialects[serverDialect] ) ) {
IF_SMB_DEBUG(ADMIN2) {
SrvPrint2( "Matched: %s and %s\n",
StrDialects[serverDialect], s );
}
bestDialect = serverDialect;
consumerDialectChosen = consumerDialect;
}
}
}
connection->SmbDialect = bestDialect;
if( bestDialect <= SmbDialectNtLanMan ) {
connection->IpxDropDuplicateCount = MIN_IPXDROPDUP;
} else {
connection->IpxDropDuplicateCount = MAX_IPXDROPDUP;
}
IF_SMB_DEBUG(ADMIN1) {
SrvPrint2( "Choosing dialect #%ld, string = %s\n",
consumerDialectChosen, StrDialects[bestDialect] );
}
//
// Determine the current system time on the server. We use this
// to determine the time zone of the server and to tell the client
// the current time of day on the server.
//
KeQuerySystemTime( &serverTime );
//
// If the consumer only knows the core protocol, return short (old)
// form of the negotiate response. Also, if no dialect is acceptable,
// return 0xFFFF as the selected dialect.
//
if ( bestDialect == SmbDialectPcNet10 ||
consumerDialectChosen == (USHORT)0xFFFF ) {
respOldNegotiate = (PRESP_OLD_NEGOTIATE)response;
respOldNegotiate->WordCount = 1;
SmbPutUshort( &respOldNegotiate->DialectIndex, consumerDialectChosen );
SmbPutUshort( &respOldNegotiate->ByteCount, 0 );
WorkContext->ResponseParameters = NEXT_LOCATION(
respOldNegotiate,
RESP_OLD_NEGOTIATE,
0
);
}
else if ( bestDialect > SmbDialectNtLanMan ) {
//
// Send the OS/2 LAN Man SMB response.
//
WorkContext->ResponseHeader->Flags =
(UCHAR)(WorkContext->RequestHeader->Flags | SMB_FLAGS_LOCK_AND_READ_OK);
response->WordCount = 13;
SmbPutUshort( &response->DialectIndex, consumerDialectChosen );
//
// Indicate that we're user-level security and that we
// want encrypted passwords.
//
SmbPutUshort(
&response->SecurityMode,
NEGOTIATE_USER_SECURITY | NEGOTIATE_ENCRYPT_PASSWORDS
);
//
// Get an encryption key for this connection.
//
GetEncryptionKey( pagedConnection->EncryptionKey );
SmbPutUshort( &response->EncryptionKeyLength, MSV1_0_CHALLENGE_LENGTH );
SmbPutUshort( &response->Reserved, 0 );
byteCount = MSV1_0_CHALLENGE_LENGTH;
RtlCopyMemory(
response->Buffer,
pagedConnection->EncryptionKey,
MSV1_0_CHALLENGE_LENGTH
);
if ( endpoint->IsConnectionless ) {
ULONG adapterNumber;
ULONG maxBufferSize;
//
// Our server max buffer size is the smaller of the
// server receive buffer size and the ipx transport
// indicated max packet size.
//
adapterNumber =
WorkContext->ClientAddress->DatagramOptions.LocalTarget.NicId;
maxBufferSize = GetIpxMaxBufferSize(
endpoint,
adapterNumber,
SrvReceiveBufferLength
);
SmbPutUshort(
&response->MaxBufferSize,
(USHORT)maxBufferSize
);
} else {
SmbPutUshort(
&response->MaxBufferSize,
(USHORT)SrvReceiveBufferLength
);
}
SmbPutUshort( &response->MaxMpxCount, SrvMaxMpxCount );
SmbPutUshort( &response->MaxNumberVcs, (USHORT)SrvMaxNumberVcs );
SmbPutUlong( &response->SessionKey, 0 );
//
// If this is an MS-NET 1.03 client or before, then tell him that we
// don't support raw writes. MS-NET 1.03 does different things with
// raw writes that are more trouble than they're worth, and since
// raw is simply a performance issue, we don't support it.
//
if ( bestDialect >= SmbDialectMsNet103 ) {
SmbPutUshort(
&response->RawMode,
(USHORT)(SrvEnableRawMode ?
NEGOTIATE_READ_RAW_SUPPORTED :
0)
);
} else {
SmbPutUshort(
&response->RawMode,
(USHORT)(SrvEnableRawMode ?
NEGOTIATE_READ_RAW_SUPPORTED |
NEGOTIATE_WRITE_RAW_SUPPORTED :
0)
);
}
SmbPutUlong( &response->SessionKey, 0 );
SrvTimeToDosTime( &serverTime, &date, &time );
SmbPutDate( &response->ServerDate, date );
SmbPutTime( &response->ServerTime, time );
//
// Get time zone bias. We compute this during session
// setup rather than once during server startup because
// we might switch from daylight time to standard time
// or vice versa during normal server operation.
//
SmbPutUshort( &response->ServerTimeZone,
SrvGetOs2TimeZone(&serverTime) );
if ( bestDialect == SmbDialectLanMan21 ||
bestDialect == SmbDialectDosLanMan21 ) {
//
// Append the domain to the SMB.
//
RtlCopyMemory(
response->Buffer + byteCount,
endpoint->OemDomainName.Buffer,
endpoint->OemDomainName.Length + sizeof(CHAR)
);
byteCount += endpoint->OemDomainName.Length + sizeof(CHAR);
}
SmbPutUshort( &response->ByteCount, byteCount );
WorkContext->ResponseParameters = NEXT_LOCATION(
response,
RESP_NEGOTIATE,
byteCount
);
} else {
//
// NT or better protocol has been negotiated.
//
ntResponse->WordCount = 17;
SmbPutUshort( &ntResponse->DialectIndex, consumerDialectChosen );
// !!! This says that we don't want encrypted passwords.
SmbPutUshort( &ntResponse->MaxMpxCount, SrvMaxMpxCount );
SmbPutUshort( &ntResponse->MaxNumberVcs, (USHORT)SrvMaxNumberVcs );
SmbPutUlong( &ntResponse->MaxRawSize, 64 * 1024 ); // !!!
SmbPutUlong( &ntResponse->SessionKey, 0 );
capabilities = CAP_RAW_MODE |
CAP_UNICODE |
CAP_LARGE_FILES |
CAP_NT_SMBS |
CAP_NT_FIND |
CAP_RPC_REMOTE_APIS |
CAP_NT_STATUS |
CAP_LEVEL_II_OPLOCKS |
CAP_LOCK_AND_READ;
//
// If we're supporting Dfs operations, let the client know about it.
//
if( SrvDfsFastIoDeviceControl ) {
capabilities |= CAP_DFS;
}
if ( endpoint->IsConnectionless ) {
ULONG adapterNumber;
ULONG maxBufferSize;
capabilities |= CAP_MPX_MODE;
//
// Our server max buffer size is the smaller of the
// server receive buffer size and the ipx transport
// indicated max packet size.
//
adapterNumber =
WorkContext->ClientAddress->DatagramOptions.LocalTarget.NicId;
maxBufferSize = GetIpxMaxBufferSize(
endpoint,
adapterNumber,
SrvReceiveBufferLength
);
SmbPutUlong(
&ntResponse->MaxBufferSize,
maxBufferSize
);
} else {
SmbPutUlong(
&ntResponse->MaxBufferSize,
SrvReceiveBufferLength
);
if( SrvSupportsBulkTransfer ) {
capabilities |= CAP_BULK_TRANSFER;
if( SrvSupportsCompression ) {
capabilities |= CAP_COMPRESSED_DATA;
}
}
capabilities |= CAP_LARGE_READX;
}
SmbPutUlong( &ntResponse->Capabilities, capabilities );
//
// Stick the servers system time and timezone in the negotiate
// response.
//
SmbPutUlong( &ntResponse->SystemTimeLow, serverTime.LowPart );
SmbPutUlong( &ntResponse->SystemTimeHigh, serverTime.HighPart );
SmbPutUshort( &ntResponse->ServerTimeZone,
SrvGetOs2TimeZone(&serverTime) );
//
// Indicate that we're user-level security and that we
// want encrypted passwords.
//
ntResponse->SecurityMode =
NEGOTIATE_USER_SECURITY | NEGOTIATE_ENCRYPT_PASSWORDS;
//
// Get an encryption key for this connection.
//
GetEncryptionKey( pagedConnection->EncryptionKey );
RtlCopyMemory(
ntResponse->Buffer,
pagedConnection->EncryptionKey,
MSV1_0_CHALLENGE_LENGTH
);
ASSERT ( MSV1_0_CHALLENGE_LENGTH <= 0xff ) ;
ntResponse->EncryptionKeyLength = MSV1_0_CHALLENGE_LENGTH;
byteCount = MSV1_0_CHALLENGE_LENGTH;
{
USHORT domainLength;
PWCH buffer = (PWCHAR)( ntResponse->Buffer+byteCount );
PWCH ptr;
//
// append either the Lanman domain or the Kerberos
// domain.
//
if((ptr = KerberosRealm.Buffer)
&&
(bestDialect <= SmbDialectCairo)
)
{
domainLength = KerberosRealm.MaximumLength;
}
else
{
domainLength = endpoint->DomainName.Length +
sizeof(UNICODE_NULL);
ptr = endpoint->DomainName.Buffer;
}
RtlCopyMemory(
buffer,
ptr,
domainLength
);
byteCount += domainLength;
}
SmbPutUshort( &ntResponse->ByteCount, byteCount );
WorkContext->ResponseParameters = NEXT_LOCATION(
ntResponse,
RESP_NT_NEGOTIATE,
byteCount
);
} // else (NT protocol has been negotiated).
IF_DEBUG(TRACE2) SrvPrint0( "SrvSmbNegotiate complete.\n" );
return SmbStatusSendResponse;
} // SrvSmbNegotiate
SMB_PROCESSOR_RETURN_TYPE
SrvSmbProcessExit (
SMB_PROCESSOR_PARAMETERS
)
/*++
Routine Description:
Processes a Process Exit SMB.
Arguments:
SMB_PROCESSOR_PARAMETERS - See smbprocs.h for a description
of the parameters to SMB processor routines.
Return Value:
SMB_PROCESSOR_RETURN_TYPE - See smbprocs.h
--*/
{
PREQ_PROCESS_EXIT request;
PRESP_PROCESS_EXIT response;
PSESSION session;
USHORT pid;
PAGED_CODE( );
IF_SMB_DEBUG(ADMIN1) {
SrvPrint2( "Process exit request header at 0x%lx, "
"response header at 0x%lx\n",
WorkContext->RequestHeader,
WorkContext->ResponseHeader );
SrvPrint2( "Process exit request parameters at 0x%lx, "
"response parameters at 0x%lx\n",
WorkContext->RequestParameters,
WorkContext->ResponseParameters );
}
//
// Set up parameters.
//
request = (PREQ_PROCESS_EXIT)(WorkContext->RequestParameters);
response = (PRESP_PROCESS_EXIT)(WorkContext->ResponseParameters);
//
// If a session block has not already been assigned to the current
// work context, verify the UID. If verified, the address of the
// session block corresponding to this user is stored in the
// WorkContext block and the session block is referenced.
//
session = SrvVerifyUid(
WorkContext,
SmbGetAlignedUshort( &WorkContext->RequestHeader->Uid )
);
if ( session == NULL ) {
IF_DEBUG(SMB_ERRORS) {
SrvPrint1( "SrvSmbProcessExit: Invalid UID: 0x%lx\n",
SmbGetAlignedUshort( &WorkContext->RequestHeader->Uid ) );
}
SrvSetSmbError( WorkContext, STATUS_SMB_BAD_UID );
return SmbStatusSendResponse;
}
//
// Close all files with the same PID as in the header for this request.
//
pid = SmbGetAlignedUshort( &WorkContext->RequestHeader->Pid );
IF_SMB_DEBUG(ADMIN1) SrvPrint1( "Closing files with PID = %lx\n", pid );
SrvCloseRfcbsOnSessionOrPid( session, &pid );
//
// Close all searches with the same PID as in the header for this request.
//
IF_SMB_DEBUG(ADMIN1) SrvPrint1( "Closing searches with PID = %lx\n", pid );
SrvCloseSearches(
session->Connection,
(PSEARCH_FILTER_ROUTINE)SrvSearchOnPid,
(PVOID) pid,
NULL
);
//
// Close any cached directories for this client
//
SrvCloseCachedDirectoryEntries( session->Connection );
//
// Build the response SMB.
//
response->WordCount = 0;
SmbPutUshort( &response->ByteCount, 0 );
WorkContext->ResponseParameters = NEXT_LOCATION(
response,
RESP_PROCESS_EXIT,
0
);
return SmbStatusSendResponse;
} // SrvSmbProcessExit
SMB_PROCESSOR_RETURN_TYPE
SrvSmbSessionSetupAndX(
SMB_PROCESSOR_PARAMETERS
)
/*++
Routine Description:
Processes a session setup and X SMB.
Arguments:
SMB_PROCESSOR_PARAMETERS - See smbprocs.h for a description
of the parameters to SMB processor routines.
Return Value:
SMB_PROCESSOR_RETURN_TYPE - See smbprocs.h
--*/
{
PAGED_CODE();
//
// This SMB must be processed in a blocking thread.
//
WorkContext->FspRestartRoutine = BlockingSessionSetupAndX;
SrvQueueWorkToBlockingThread( WorkContext );
return SmbStatusInProgress;
} // SrvSmbSessionSetupAndX
VOID SRVFASTCALL
BlockingSessionSetupAndX(
IN OUT PWORK_CONTEXT WorkContext
)
/*++
Routine Description:
Processes a session setup and X SMB.
Arguments:
SMB_PROCESSOR_PARAMETERS - See smbprocs.h for a description
of the parameters to SMB processor routines.
Return Value:
SMB_PROCESSOR_RETURN_TYPE - See smbprocs.h
NOTE:
We have disabled CAP_KERBEROS_BLOB until we decide exactly
how we want to do security negotiation. Since NT 4.0 does
not ship kerberos, it is premature to turn it on now
--*/
{
PREQ_SESSION_SETUP_ANDX request;
PREQ_NT_SESSION_SETUP_ANDX ntRequest;
PRESP_SESSION_SETUP_ANDX response;
NTSTATUS status;
PSESSION session;
PCONNECTION connection;
PENDPOINT endpoint;
PPAGED_CONNECTION pagedConnection;
PTABLE_ENTRY entry;
SHORT uidIndex;
USHORT reqAndXOffset;
UCHAR nextCommand;
PSZ userName;
UNICODE_STRING nameString;
UNICODE_STRING domainString;
PCHAR caseInsensitivePassword;
CLONG caseInsensitivePasswordLength;
PCHAR caseSensitivePassword;
CLONG caseSensitivePasswordLength;
USHORT action = 0;
USHORT byteCount;
USHORT nameLength;
BOOLEAN locksHeld;
BOOLEAN isUnicode, IsKerb;
PAGED_CODE();
//
// If the connection has closed (timed out), abort.
//
connection = WorkContext->Connection;
if ( GET_BLOCK_STATE(connection) != BlockStateActive ) {
IF_DEBUG(ERRORS) {
SrvPrint0( "SrvSmbSessionSetupAndX: Connection closing\n" );
}
SrvEndSmbProcessing( WorkContext, SmbStatusNoResponse );
return;
}
IF_SMB_DEBUG(ADMIN1) {
SrvPrint2( "Session setup request header at 0x%lx, "
"response header at 0x%lx\n",
WorkContext->RequestHeader, WorkContext->ResponseHeader );
SrvPrint2( "Session setup request parameters at 0x%lx, "
"response parameters at 0x%lx\n",
WorkContext->RequestParameters,
WorkContext->ResponseParameters );
}
//
// Initialize local variables for error cleanup.
//
nameString.Buffer = NULL;
domainString.Buffer = NULL;
session = NULL;
locksHeld = FALSE;
//
// Set up parameters.
//
request = (PREQ_SESSION_SETUP_ANDX)(WorkContext->RequestParameters);
ntRequest = (PREQ_NT_SESSION_SETUP_ANDX)(WorkContext->RequestParameters);
response = (PRESP_SESSION_SETUP_ANDX)(WorkContext->ResponseParameters);
connection = WorkContext->Connection;
pagedConnection = connection->PagedConnection;
//
// First verify that the SMB format is correct.
//
if ( (connection->SmbDialect <= SmbDialectNtLanMan &&
request->WordCount != 13) ||
(connection->SmbDialect > SmbDialectNtLanMan &&
request->WordCount != 10 ) ||
(connection->SmbDialect == SmbDialectIllegal ) ) {
//
// The SMB word count is invalid.
//
IF_DEBUG(SMB_ERRORS) {
if ( connection->SmbDialect == SmbDialectIllegal ) {
SrvPrint1("BlockingSessionSetupAndX: Client %Z is using an "
"illegal dialect.\n", &connection->OemClientMachineNameString );
}
}
status = STATUS_INVALID_SMB;
goto error_exit1;
}
//
// Convert the client name to unicode
//
if ( pagedConnection->ClientMachineNameString.Length == 0 ) {
UNICODE_STRING clientMachineName;
clientMachineName.Buffer = pagedConnection->ClientMachineName;
clientMachineName.MaximumLength =
(USHORT)(COMPUTER_NAME_LENGTH+1)*sizeof(WCHAR);
(VOID)RtlOemStringToUnicodeString(
&clientMachineName,
&connection->OemClientMachineNameString,
FALSE
);
//
// Add the double backslashes to the length
//
pagedConnection->ClientMachineNameString.Length =
(USHORT)(clientMachineName.Length + 2*sizeof(WCHAR));
}
//
// If this is LanMan 2.1 or better, the session setup response may
// be longer than the request. Allocate an extra SMB buffer. The
// buffer is freed after we have finished sending the SMB response.
//
// !!! Try to be smarter before grabbing the extra buffer.
//
if ( connection->SmbDialect <= SmbDialectDosLanMan21 &&
!WorkContext->UsingExtraSmbBuffer) {
status = SrvAllocateExtraSmbBuffer( WorkContext );
if ( !NT_SUCCESS(status) ) {
goto error_exit;
}
response = (PRESP_SESSION_SETUP_ANDX)(WorkContext->ResponseParameters);
RtlCopyMemory(
WorkContext->ResponseHeader,
WorkContext->RequestHeader,
sizeof( SMB_HEADER )
);
}
//
// Get the client capabilities
//
if ( connection->SmbDialect <= SmbDialectNtLanMan ) {
connection->ClientCapabilities =
SmbGetUlong( &ntRequest->Capabilities ) &
( CAP_UNICODE |
CAP_LARGE_FILES |
CAP_NT_SMBS |
CAP_NT_FIND |
CAP_NT_STATUS |
#ifdef CAP_KERBEROS_BLOB
CAP_KERBEROS_BLOB |
#endif
CAP_LEVEL_II_OPLOCKS );
if ( connection->ClientCapabilities & CAP_NT_SMBS ) {
connection->ClientCapabilities |= CAP_NT_FIND;
}
}
//
// Get the account name, and additional information from the SMB buffer.
//
if ( connection->SmbDialect <= SmbDialectNtLanMan) {
//
// The NT-NT SMB protocol passes both case sensitive (Unicode,
// mixed case) and case insensitive (ANSI, uppercased) passwords.
// Get pointers to them to pass to SrvValidateUser.
//
caseInsensitivePasswordLength =
(CLONG)SmbGetUshort( &ntRequest->CaseInsensitivePasswordLength );
caseInsensitivePassword = (PCHAR)(ntRequest->Buffer);
caseSensitivePasswordLength =
(CLONG)SmbGetUshort( &ntRequest->CaseSensitivePasswordLength );
caseSensitivePassword =
caseInsensitivePassword + caseInsensitivePasswordLength;
userName = (PSZ)(caseSensitivePassword + caseSensitivePasswordLength);
} else {
//
// Downlevel clients do not pass the case sensitive password;
// just get the case insensitive password and use NULL as the
// case sensitive password. LSA will do the right thing with
// it.
//
caseInsensitivePasswordLength =
(CLONG)SmbGetUshort( &request->PasswordLength );
caseInsensitivePassword = (PCHAR)request->Buffer;
caseSensitivePasswordLength = 0;
caseSensitivePassword = NULL;
userName = (PSZ)(request->Buffer + caseInsensitivePasswordLength);
}
isUnicode = SMB_IS_UNICODE( WorkContext );
if ( isUnicode ) {
userName = ALIGN_SMB_WSTR( userName );
}
nameLength = SrvGetStringLength(
userName,
END_OF_REQUEST_SMB( WorkContext ),
isUnicode,
FALSE // don't include null terminator
);
if ( nameLength == (USHORT)-1 ) {
status = STATUS_INVALID_SMB;
goto error_exit;
}
status = SrvMakeUnicodeString(
isUnicode,
&nameString,
userName,
&nameLength );
if ( !NT_SUCCESS( status ) ) {
goto error_exit;
}
//
// If client information strings exists, extract the information
// from the SMB buffer.
//
if ( connection->SmbDialect <= SmbDialectDosLanMan21) {
PCHAR smbInformation;
USHORT length;
PWCH infoBuffer;
smbInformation = userName + nameLength +
( isUnicode ? sizeof( WCHAR ) : 1 );
//
// Now copy the strings to the allocated buffer.
//
if ( isUnicode ) {
smbInformation = ALIGN_SMB_WSTR( smbInformation );
}
length = SrvGetStringLength(
smbInformation,
END_OF_REQUEST_SMB( WorkContext ),
isUnicode,
FALSE // don't include null terminator
);
if ( length == (USHORT)-1) {
status = STATUS_INVALID_SMB;
goto error_exit;
}
//
// DOS clients send an empty domain name if they don't know
// their domain name (e.g., during logon). OS/2 clients send
// a name of "?". This confuses the LSA. Convert such a name
// to an empty name.
//
if ( isUnicode ) {
if ( (length == sizeof(WCHAR)) &&
(*(PWCH)smbInformation == '?') ) {
length = 0;
}
} else {
if ( (length == 1) && (*smbInformation == '?') ) {
length = 0;
}
}
status = SrvMakeUnicodeString(
isUnicode,
&domainString,
smbInformation,
&length
);
if ( !NT_SUCCESS( status ) ) {
goto error_exit;
}
smbInformation += length + ( isUnicode ? sizeof(WCHAR) : 1 );
//
// Get the client type strings if we do not already have this
// information.
//
if ( connection->ClientOSType.Buffer == NULL) {
//
// Calculate the size of the client LAN Man type and OS type
// strings. and allocate a buffer large enough to store
// them all.
//
if ( connection->SmbDialect <= SmbDialectNtLanMan ) {
length = (USHORT)( (PUCHAR)&ntRequest->ByteCount +
sizeof( USHORT ) +
SmbGetUshort( &ntRequest->ByteCount ) -
smbInformation);
} else {
length = (USHORT)( (PUCHAR)&request->ByteCount +
sizeof( USHORT ) +
SmbGetUshort( &request->ByteCount ) -
smbInformation);
}
//
// If the SMB buffer is ANSI, adjust the size of the buffer we
// are allocating to Unicode size.
//
if ( !isUnicode ) {
length *= sizeof( WCHAR );
}
infoBuffer = ALLOCATE_NONPAGED_POOL( length, BlockTypeDataBuffer );
if ( infoBuffer == NULL ) {
status = STATUS_INSUFF_SERVER_RESOURCES;
goto error_exit;
}
connection->ClientOSType.Buffer = (PWCH)infoBuffer;
//
// Copy the client OS type to the new buffer.
//
length = SrvGetString(
&connection->ClientOSType,
smbInformation,
END_OF_REQUEST_SMB( WorkContext ),
isUnicode
);
if ( length == (USHORT)-1) {
DEALLOCATE_NONPAGED_POOL( infoBuffer );
status = STATUS_INVALID_SMB;
goto error_exit;
}
smbInformation += length;
connection->ClientLanManType.Buffer = (PWCH)(
(PCHAR)connection->ClientOSType.Buffer +
connection->ClientOSType.MaximumLength);
//
// Copy the client LAN Manager type to the new buffer.
//
length = SrvGetString(
&connection->ClientLanManType,
smbInformation,
END_OF_REQUEST_SMB( WorkContext ),
isUnicode
);
if ( length == (USHORT)-1) {
DEALLOCATE_NONPAGED_POOL( infoBuffer );
status = STATUS_INVALID_SMB;
goto error_exit;
}
}
} else {
domainString.Length = 0;
}
//
// Allocate a Session block.
//
SrvAllocateSession( &session, &nameString, &domainString );
if ( !isUnicode && domainString.Buffer != NULL ) {
RtlFreeUnicodeString( &domainString );
domainString.Buffer = NULL;
}
if ( session == NULL ) {
//
// Unable to allocate a Session block. Return an error status.
//
status = STATUS_INSUFF_SERVER_RESOURCES;
goto error_exit;
}
//
// If using uppercase pathnames, indicate in the session block. DOS
// always uses uppercase paths.
//
if ( (WorkContext->RequestHeader->Flags &
SMB_FLAGS_CANONICALIZED_PATHS) != 0 ||
IS_DOS_DIALECT( connection->SmbDialect ) ) {
session->UsingUppercasePaths = TRUE;
} else {
session->UsingUppercasePaths = FALSE;
}
//
// Enter data from request SMB into the session block. If MaxMpx is 1
// disable oplocks on this connection.
//
endpoint = connection->Endpoint;
if ( endpoint->IsConnectionless ) {
ULONG adapterNumber;
//
// Our session max buffer size is the smaller of the
// client buffer size and the ipx transport
// indicated max packet size.
//
adapterNumber =
WorkContext->ClientAddress->DatagramOptions.LocalTarget.NicId;
session->MaxBufferSize =
(USHORT)GetIpxMaxBufferSize(
endpoint,
adapterNumber,
(ULONG)SmbGetUshort(&request->MaxBufferSize)
);
} else {
session->MaxBufferSize = SmbGetUshort( &request->MaxBufferSize );
}
session->MaxMpxCount = SmbGetUshort( &request->MaxMpxCount );
if ( session->MaxMpxCount < 2 ) {
connection->OplocksAlwaysDisabled = TRUE;
}
//
// Ready to validate the credentials. We have either a Kerberos
// ticket, or something alleging to be a Kerberos ticket, or we
// have Lanman-style credentials. Check which and call the proper
// routine.
//
#ifdef CAP_KERBEROS_BLOB
if (SrvHaveKerberos) {
IsKerb =
(connection->ClientCapabilities & (CAP_NT_SMBS | CAP_KERBEROS_BLOB)) ==
(CAP_NT_SMBS | CAP_KERBEROS_BLOB);
} else
#endif
{
IsKerb = FALSE;
}
if(IsKerb)
{
//
// Kerberos it is
//
status = SrvValidateBlob( // We have a Kerberos Blob
session,
connection,
&nameString,
caseSensitivePassword, // Where the blob is
&caseSensitivePasswordLength);
if(byteCount = (USHORT)caseSensitivePasswordLength)
{
//
// Have something to return. Stick it in
//
RtlCopyMemory(response->Buffer,
caseSensitivePassword,
caseSensitivePasswordLength);
SmbPutUshort( &response->ByteCount, byteCount );
if(!NT_SUCCESS(status))
{
goto error_exit;
}
}
}
else
{
byteCount = 0;
status = SrvValidateUser(
&session->UserHandle,
session,
connection,
&nameString,
caseInsensitivePassword,
caseInsensitivePasswordLength,
caseSensitivePassword,
caseSensitivePasswordLength,
&action
);
}
if ( !isUnicode ) {
RtlFreeUnicodeString( &nameString );
nameString.Buffer = NULL;
}
//
// If a bad name/password combination was sent, return an error.
//
if ( !NT_SUCCESS(status) ) {
IF_DEBUG(ERRORS) {
SrvPrint0( "BlockingSessionSetupAndX: Bad user/password "
"combination.\n" );
}
SrvStatistics.LogonErrors++;
goto error_exit;
}
IF_SMB_DEBUG(ADMIN1) {
SrvPrint1( "Validated user: %s\n", userName );
}
//
// If the client thinks that it is the first user on this
// connection, get rid of other connections (may be due to rebooting
// of client). Also get rid of other sessions on this connection
// with the same user name--this handles a DOS "weirdness" where
// it sends multiple session setups if a tree connect fails.
//
// *** If VcNumber is non-zero, we do nothing special. This is the
// case even though the SrvMaxVcNumber configurable variable
// should always be equal to one. If a second VC is established
// between machines, a new session must also be established.
// This duplicates the LM 2.0 server's behavior.
//
if ( SmbGetUshort( &request->VcNumber ) == 0 ) {
SrvCloseConnectionsFromClient( connection );
SrvCloseSessionsOnConnection( connection, &session->UserName );
}
//
// Making a new session visible is a multiple-step operation. It
// must be inserted in the global ordered tree connect list and the
// containing connection's session table, and the connection must be
// referenced. We need to make these operations appear atomic, so
// that the session cannot be accessed elsewhere before we're done
// setting it up. In order to do this, we hold all necessary locks
// the entire time we're doing the operations. The first operation
// is protected by the global ordered list lock
// (SrvOrderedListLock), while the other operations are protected by
// the per-connection lock. We take out the ordered list lock
// first, then the connection lock. This ordering is required by
// lock levels (see lock.h).
//
ASSERT( SrvSessionList.Lock == &SrvOrderedListLock );
ACQUIRE_LOCK( SrvSessionList.Lock );
ACQUIRE_LOCK( &connection->Lock );
locksHeld = TRUE;
//
// Ready to try to find a UID for the session. Check to see if the
// connection is being closed, and if so, terminate this operation.
//
if ( GET_BLOCK_STATE(connection) != BlockStateActive ) {
IF_DEBUG(ERRORS) {
SrvPrint0( "BlockingSessionSetupAndX: Connection closing\n" );
}
status = STATUS_INVALID_PARAMETER;
goto error_exit;
}
//
// If this client speaks a dialect above LM 1.0, find a UID that can
// be used for this session. Otherwise, just use location 0 of the
// table because those clients will not send a UID in SMBs and they
// can have only one session.
//
if ( connection->SmbDialect < SmbDialectLanMan10 ) {
if ( pagedConnection->SessionTable.FirstFreeEntry == -1
&&
SrvGrowTable(
&pagedConnection->SessionTable,
SrvInitialSessionTableSize,
SrvMaxSessionTableSize ) == FALSE
) {
//
// No free entries in the user table. Reject the request.
//
IF_DEBUG(ERRORS) {
SrvPrint0( "BlockingSessionSetupAndX: No more UIDs available.\n" );
}
SrvLogTableFullError( SRV_TABLE_SESSION );
status = STATUS_SMB_TOO_MANY_UIDS;
goto error_exit;
}
uidIndex = pagedConnection->SessionTable.FirstFreeEntry;
} else { // if ( dialect < SmbDialectLanMan10 )
//
// If this client already has a session at this server, abort.
// The session should have been closed by the call to
// SrvCloseSessionsOnConnection above. (We could try to work
// around the existence of the session by closing it, but that
// would involve releasing the locks, closing the session, and
// retrying. This case shouldn't happen.)
//
if ( pagedConnection->SessionTable.Table[0].Owner != NULL ) {
IF_DEBUG(ERRORS) {
SrvPrint0( "BlockingSessionSetupAndX: Core client already "
"has session.\n" );
}
status = STATUS_SMB_TOO_MANY_UIDS;
goto error_exit;
}
//
// Use location 0 of the session table.
//
IF_SMB_DEBUG(ADMIN2) {
SrvPrint0( "Client LM 1.0 or before--using location 0 of session "
"table.\n" );
}
uidIndex = 0;
}
//
// Remove the UID slot from the free list and set its owner and
// sequence number. Create a UID for the session. Increment count
// of sessions.
//
entry = &pagedConnection->SessionTable.Table[uidIndex];
pagedConnection->SessionTable.FirstFreeEntry = entry->NextFreeEntry;
DEBUG entry->NextFreeEntry = -2;
if ( pagedConnection->SessionTable.LastFreeEntry == uidIndex ) {
pagedConnection->SessionTable.LastFreeEntry = -1;
}
INCREMENT_UID_SEQUENCE( entry->SequenceNumber );
if ( uidIndex == 0 && entry->SequenceNumber == 0 ) {
INCREMENT_UID_SEQUENCE( entry->SequenceNumber );
}
session->Uid = MAKE_UID( uidIndex, entry->SequenceNumber );
entry->Owner = session;
pagedConnection->CurrentNumberOfSessions++;
IF_SMB_DEBUG(ADMIN1) {
SrvPrint2( "Found UID. Index = 0x%lx, sequence = 0x%lx\n",
UID_INDEX( session->Uid ),
UID_SEQUENCE( session->Uid ) );
}
//
// Insert the session on the global session list.
//
SrvInsertEntryOrderedList( &SrvSessionList, session );
//
// Reference the connection block to account for the new session.
//
SrvReferenceConnection( connection );
session->Connection = connection;
RELEASE_LOCK( &connection->Lock );
RELEASE_LOCK( SrvSessionList.Lock );
//
// Session successfully created. Insert the session in the global
// list of active sessions. Remember its address in the work
// context block.
//
// *** Note that the reference count on the session block is
// initially set to 2, to allow for the active status on the
// block and the pointer that we're maintaining. In other
// words, this is a referenced pointer, and the pointer must be
// dereferenced when processing of this SMB is complete.
//
WorkContext->Session = session;
//
// Build response SMB, making sure to save request fields first in
// case the response overwrites the request. Save the
// newly-assigned UID in both the request SMB and the response SMB
// so that subsequent command processors and the client,
// respectively, can see it.
//
nextCommand = request->AndXCommand;
reqAndXOffset = SmbGetUshort( &request->AndXOffset );
SmbPutAlignedUshort( &WorkContext->RequestHeader->Uid, session->Uid );
SmbPutAlignedUshort( &WorkContext->ResponseHeader->Uid, session->Uid );
response->WordCount = 3;
response->AndXCommand = nextCommand;
response->AndXReserved = 0;
//
// If appropriate, append the Native OS and Native LAN Man strings
// to the response.
//
if (!IsKerb && (connection->SmbDialect <= SmbDialectDosLanMan21) )
{
ULONG stringLength;
if ( isUnicode ) {
PWCH buffer = ALIGN_SMB_WSTR( response->Buffer );
byteCount = (USHORT)(SrvNativeOS.Length + sizeof(UNICODE_NULL));
RtlCopyMemory(
buffer,
SrvNativeOS.Buffer,
byteCount
);
stringLength = SrvNativeLanMan.Length + sizeof(UNICODE_NULL);
RtlCopyMemory(
(PCHAR)buffer + byteCount,
SrvNativeLanMan.Buffer,
stringLength
);
byteCount += (USHORT)stringLength;
} else {
byteCount = SrvOemNativeOS.Length + sizeof(CHAR);
RtlCopyMemory(
response->Buffer,
SrvOemNativeOS.Buffer,
byteCount
);
stringLength = SrvOemNativeLanMan.Length + sizeof(CHAR);
RtlCopyMemory(
(PVOID) (response->Buffer + byteCount),
SrvOemNativeLanMan.Buffer,
stringLength
);
byteCount += (USHORT)stringLength;
}
if ( connection->SmbDialect <= SmbDialectNtLanMan ) {
if ( isUnicode ) {
PWCH buffer = ALIGN_SMB_WSTR( response->Buffer + byteCount );
stringLength = endpoint->DomainName.Length + sizeof(UNICODE_NULL);
RtlCopyMemory(
buffer,
endpoint->DomainName.Buffer,
stringLength
);
byteCount = (USHORT)(((PCHAR)buffer - response->Buffer) +
stringLength);
} else {
stringLength = endpoint->OemDomainName.Length + sizeof(CHAR);
RtlCopyMemory(
(PVOID) (response->Buffer + byteCount),
endpoint->OemDomainName.Buffer,
stringLength
);
byteCount += (USHORT)stringLength;
}
}
}
SmbPutUshort( &response->AndXOffset, GET_ANDX_OFFSET(
WorkContext->ResponseHeader,
WorkContext->ResponseParameters,
RESP_SESSION_SETUP_ANDX,
byteCount
) );
//
// Normally, turning on bit 0 of Action indicates that the user was
// logged on as GUEST. However, NT does not have automatic guest
// logon--a user ID and password are required for every single logon
// (though the password may have null length). Therefore, the
// server need not concern itself with what kind of account the
// client gets.
//
// Bit 1 tells the client that the user was logged on
// using the lm session key instead of the user session key.
//
SmbPutUshort( &response->Action, action );
SmbPutUshort( &response->ByteCount, byteCount );
WorkContext->ResponseParameters = (PCHAR)WorkContext->ResponseHeader +
SmbGetUshort( &response->AndXOffset );
//
// Test for legal followon command.
//
switch ( nextCommand ) {
case SMB_COM_TREE_CONNECT_ANDX:
case SMB_COM_OPEN:
case SMB_COM_OPEN_ANDX:
case SMB_COM_CREATE:
case SMB_COM_CREATE_NEW:
case SMB_COM_CREATE_DIRECTORY:
case SMB_COM_DELETE:
case SMB_COM_DELETE_DIRECTORY:
case SMB_COM_FIND:
case SMB_COM_FIND_UNIQUE:
case SMB_COM_COPY:
case SMB_COM_RENAME:
case SMB_COM_NT_RENAME:
case SMB_COM_CHECK_DIRECTORY:
case SMB_COM_QUERY_INFORMATION:
case SMB_COM_SET_INFORMATION:
case SMB_COM_QUERY_INFORMATION_SRV:
case SMB_COM_OPEN_PRINT_FILE:
case SMB_COM_GET_PRINT_QUEUE:
case SMB_COM_TRANSACTION:
case SMB_COM_NO_ANDX_COMMAND:
break;
default: // Illegal followon command
IF_DEBUG(SMB_ERRORS) {
SrvPrint1( "BlockingSessionSetupAndX: Illegal followon command: "
"0x%lx\n", nextCommand );
}
status = STATUS_INVALID_SMB;
goto error_exit1;
}
//
// If there is an AndX command, set up to process it. Otherwise,
// indicate completion to the caller.
//
if ( nextCommand != SMB_COM_NO_ANDX_COMMAND ) {
WorkContext->NextCommand = nextCommand;
WorkContext->RequestParameters = (PCHAR)WorkContext->RequestHeader +
reqAndXOffset;
SrvProcessSmb( WorkContext );
return;
}
IF_DEBUG(TRACE2) SrvPrint0( "BlockingSessionSetupAndX complete.\n" );
goto normal_exit;
error_exit:
if ( locksHeld ) {
RELEASE_LOCK( &connection->Lock );
RELEASE_LOCK( SrvSessionList.Lock );
}
if ( session != NULL ) {
SrvFreeSession( session );
}
if ( !isUnicode ) {
if ( domainString.Buffer != NULL ) {
RtlFreeUnicodeString( &domainString );
}
if ( nameString.Buffer != NULL ) {
RtlFreeUnicodeString( &nameString );
}
}
error_exit1:
SrvSetSmbError( WorkContext, status );
normal_exit:
SrvEndSmbProcessing( WorkContext, SmbStatusSendResponse );
return;
} // BlockingSessionSetupAndX
SMB_TRANS_STATUS
SrvSmbSessionSetup (
IN OUT PWORK_CONTEXT WorkContext
)
/*++
Routine Description:
Processes a session setup in a Trans2 SMB.
Arguments:
WorkContext - Supplies the address of a Work Context Block
describing the current request. See smbtypes.h for a more
complete description of the valid fields.
Return Value:
SMB_TRANS_STATUS - Indicates whether an error occurred. See
smbtypes.h for a more complete description.
--*/
{
PAGED_CODE();
//
// This SMB must be processed in a blocking thread.
//
WorkContext->FspRestartRoutine = BlockingSessionSetup;
SrvQueueWorkToBlockingThread( WorkContext );
return SmbTransStatusInProgress;
} // SrvSmbSessionSetup
VOID SRVFASTCALL
BlockingSessionSetup (
IN OUT PWORK_CONTEXT WorkContext
)
/*++
Routine Description:
Processes a session setup in a Trans2 SMB.
Arguments:
WorkContext - Supplies the address of a Work Context Block
describing the current request. See smbtypes.h for a more
complete description of the valid fields.
Return Value:
SMB_TRANS_STATUS - Indicates whether an error occurred. See
smbtypes.h for a more complete description.
--*/
{
//
// The OS/2 redirector never sends a remote FS control request.
// If we get one, simply reply that we cannot handle it.
//
NTSTATUS status;
PSESSION session = NULL;
PTABLE_ENTRY entry;
SHORT uidIndex;
PREQ_CAIRO_TRANS2_SESSION_SETUP request;
PRESP_CAIRO_TRANS2_SESSION_SETUP response;
PCONNECTION connection;
PPAGED_CONNECTION pagedConnection;
PTRANSACTION transaction;
PCHAR Blob;
CLONG BlobLength;
PSZ userName;
UNICODE_STRING nameString;
UNICODE_STRING domainString;
USHORT nameLength;
ULONG capabilities;
BOOLEAN locksHeld = FALSE;
USHORT SessId;
PAGED_CODE();
nameString.Buffer = NULL;
nameString.Length = 0;
nameString.MaximumLength = 0;
domainString.Buffer = NULL;
domainString.Length = 0;
domainString.MaximumLength = 0;
IF_SMB_DEBUG(TRANSACTION1) {
SrvPrint0( "SrvSmbSessionSetup\n");
}
transaction = WorkContext->Parameters.Transaction;
request = (PREQ_CAIRO_TRANS2_SESSION_SETUP)transaction->InData;
response = (PRESP_CAIRO_TRANS2_SESSION_SETUP)transaction->OutData;
connection = WorkContext->Connection;
pagedConnection = connection->PagedConnection;
//
// Verify that enough parameter bytes were sent and that we're allowed
// to return enough parameter bytes.
//
if ( (transaction->DataCount < sizeof(REQ_CAIRO_TRANS2_SESSION_SETUP)) ||
(transaction->MaxDataCount < sizeof(RESP_CAIRO_TRANS2_SESSION_SETUP)) ) {
//
// Not enough parameter bytes were sent.
//
IF_SMB_DEBUG(TRANSACTION1) {
SrvPrint2( "SrvSmbSessionSetup: bad InData byte counts: "
"%ld %ld\n",
transaction->DataCount,
transaction->MaxDataCount );
}
SrvSetSmbError( WorkContext, STATUS_INVALID_SMB );
SrvCompleteExecuteTransaction( WorkContext, SmbTransStatusErrorWithoutData );
return;
}
//
// Convert the client name to unicode
//
if ( pagedConnection->ClientMachineNameString.Length == 0 ) {
UNICODE_STRING clientMachineName;
clientMachineName.Buffer = pagedConnection->ClientMachineName;
clientMachineName.MaximumLength =
(USHORT)(COMPUTER_NAME_LENGTH+1)*sizeof(WCHAR);
(VOID)RtlOemStringToUnicodeString(
&clientMachineName,
&connection->OemClientMachineNameString,
FALSE
);
//
// Add the double backslashes to the length
//
pagedConnection->ClientMachineNameString.Length =
(USHORT)(clientMachineName.Length + 2*sizeof(WCHAR));
}
//
// get the capabilities of the client
//
ASSERT(connection->SmbDialect <= SmbDialectNtLanMan);
connection->ClientCapabilities =
SmbGetUlong( &request->Capabilities ) &
( CAP_UNICODE |
CAP_LARGE_FILES |
CAP_NT_SMBS |
CAP_NT_FIND |
CAP_NT_STATUS |
CAP_LEVEL_II_OPLOCKS );
if ( connection->ClientCapabilities & CAP_NT_SMBS ) {
connection->ClientCapabilities |= CAP_NT_FIND;
}
//
// now get the blob, and its length ( I guess I never really thought
// a blob would have a length )
//
BlobLength = request->BufferLength;
Blob = request->Buffer;
//
// get the username, which right now comes right after the Kerberos blob
//
userName = request->Buffer+request->BufferLength;
if ( SMB_IS_UNICODE( WorkContext ) ) {
userName = ALIGN_SMB_WSTR( userName );
}
nameLength = SrvGetStringLength(
userName,
transaction->InData + transaction->DataCount,
SMB_IS_UNICODE( WorkContext ),
FALSE
);
if ( nameLength == (USHORT)-1 ) {
status = STATUS_INVALID_SMB;
IF_SMB_DEBUG(TRANSACTION1) {
SrvPrint0( "SESSSETUP -- namelength == -1\n");
}
goto error_exit;
}
status = SrvMakeUnicodeString(
SMB_IS_UNICODE( WorkContext ),
&nameString,
userName,
&nameLength );
if ( !NT_SUCCESS( status ) ) {
IF_SMB_DEBUG(TRANSACTION1) {
SrvPrint1( "SESSSETUP -- failed making unicode string for name, %lC\n",status);
}
goto error_exit;
}
//
// Allocate a Session block.
//
SrvAllocateSession( &session, &nameString, &domainString );
if ( !SMB_IS_UNICODE( WorkContext ) && domainString.Buffer != NULL ) {
RtlFreeUnicodeString( &domainString );
domainString.Buffer = NULL;
}
if ( session == NULL ) {
//
// Unable to allocate a Session block. Return an error status.
//
status = STATUS_INSUFFICIENT_RESOURCES;
goto error_exit;
}
//
// If using uppercase pathnames, indicate in the session block. DOS
// always uses uppercase paths.
//
if ( (WorkContext->RequestHeader->Flags &
SMB_FLAGS_CANONICALIZED_PATHS) != 0 ||
IS_DOS_DIALECT( connection->SmbDialect ) ) {
session->UsingUppercasePaths = TRUE;
} else {
session->UsingUppercasePaths = FALSE;
}
//
// set the pointer in the transaction to the session
//
transaction->Session = session;
//
// Enter data from request SMB into the session block.
//
session->MaxBufferSize = SmbGetUshort( &request->MaxBufferSize );
//
// Try to find legitimate name/password combination.
//
// ASM
// There are a couple of special cases we test for, both
// related to the CAIRO dialect. Under this dialect, the
// SessionSetup can be using either Kerberos authentication
// or LM authentication. Eventually, Kerberos authentication will
// use a TRANSACT message do disambiguate the cases, but for
// now, we need to look at this message to tell the difference.
IF_SMB_DEBUG(TRANSACTION1) {
SrvPrint0( "SESSSETUP -- going to validate the blob\n");
}
status = SrvValidateBlob( // We have a Kerberos Blob
session,
connection,
&nameString,
Blob, // Where the blob is
&BlobLength
);
IF_SMB_DEBUG(TRANSACTION1) {
SrvPrint1( "SESSSETUP -- blob validated, %lC\n",status);
}
//
// free if unused the unicode namestring buffer
//
if ( !SMB_IS_UNICODE( WorkContext ) ) {
RtlFreeUnicodeString( &nameString );
nameString.Buffer = NULL;
}
if(NT_SUCCESS(status)
||
BlobLength)
{
if(!NT_SUCCESS(status))
{
transaction->cMaxBufferSize = (CLONG)session->MaxBufferSize;
session->Connection = 0;
SessId = 0;
}
else
{
//
// If the client thinks that it is the first user on this
// connection, get rid of other connections (may be due to rebooting
// of client). Also get rid of other sessions on this connection
// with the same user name--this handles a DOS "weirdness" where
// it sends multiple session setups if a tree connect fails.
//
// *** If VcNumber is non-zero, we do nothing special. This is the
// case even though the SrvMaxVcNumber configurable variable
// should always be equal to one. If a second VC is established
// between machines, a new session must also be established.
// This duplicates the LM 2.0 server's behavior.
//
if ( SmbGetUshort( &request->VcNumber ) == 0 ) {
SrvCloseConnectionsFromClient( connection );
SrvCloseSessionsOnConnection( connection, &session->UserName );
}
//
// Making a new session visible is a multiple-step operation. It
// must be inserted in the global ordered tree connect list and the
// containing connection's session table, and the connection must be
// referenced. We need to make these operations appear atomic, so
// that the session cannot be accessed elsewhere before we're done
// setting it up. In order to do this, we hold all necessary locks
// the entire time we're doing the operations. The first operation
// is protected by the global ordered list lock
// (SrvOrderedListLock), while the other operations are protected by
// the per-connection lock. We take out the ordered list lock
// first, then the connection lock. This ordering is required by
// lock levels (see lock.h).
//
ASSERT( SrvSessionList.Lock == &SrvOrderedListLock );
ACQUIRE_LOCK( SrvSessionList.Lock );
ACQUIRE_LOCK( &connection->Lock );
locksHeld = TRUE;
//
// Ready to try to find a UID for the session. Check to see if the
// connection is being closed, and if so, terminate this operation.
//
if ( GET_BLOCK_STATE(connection) != BlockStateActive ) {
IF_DEBUG(ERRORS) {
SrvPrint0( "SrvSmbSessionSetupAndX: Connection closing\n" );
}
status = STATUS_INVALID_PARAMETER;
goto error_exit;
}
//
// If this client speaks a dialect above LM 1.0, find a UID that can
// be used for this session. Otherwise, just use location 0 of the
// table because those clients will not send a UID in SMBs and they
// can have only one session.
//
if ( pagedConnection->SessionTable.FirstFreeEntry == -1
&&
SrvGrowTable(
&pagedConnection->SessionTable,
SrvInitialSessionTableSize,
SrvMaxSessionTableSize ) == FALSE
) {
//
// No free entries in the user table. Reject the request.
//
IF_DEBUG(ERRORS) {
SrvPrint0( "SrvSmbSessionSetup: No more UIDs available.\n" );
}
status = STATUS_SMB_TOO_MANY_UIDS;
goto error_exit;
}
uidIndex = pagedConnection->SessionTable.FirstFreeEntry;
//
// Remove the UID slot from the free list and set its owner and
// sequence number. Create a UID for the session. Increment count
// of sessions.
//
entry = &pagedConnection->SessionTable.Table[uidIndex];
pagedConnection->SessionTable.FirstFreeEntry = entry->NextFreeEntry;
DEBUG entry->NextFreeEntry = -2;
if ( pagedConnection->SessionTable.LastFreeEntry == uidIndex ) {
pagedConnection->SessionTable.LastFreeEntry = -1;
}
INCREMENT_UID_SEQUENCE( entry->SequenceNumber );
session->Uid = MAKE_UID( uidIndex, entry->SequenceNumber );
IF_SMB_DEBUG(TRANSACTION1) {
SrvPrint1( "SESSSETUP -- made uid %x\n",session->Uid);
}
entry->Owner = session;
pagedConnection->CurrentNumberOfSessions++;
IF_SMB_DEBUG(ADMIN1) {
SrvPrint2( "Found UID. Index = 0x%lx, sequence = 0x%lx\n",
UID_INDEX( session->Uid ),
UID_SEQUENCE( session->Uid ) );
}
//
// Insert the session on the global session list.
//
SrvInsertEntryOrderedList( &SrvSessionList, session );
//
// Reference the connection block to account for the new session.
//
SrvReferenceConnection( connection );
session->Connection = connection;
RELEASE_LOCK( &connection->Lock );
RELEASE_LOCK( SrvSessionList.Lock );
//
// Session successfully created. Insert the session in the global
// list of active sessions. Remember its address in the work
// context block.
//
// *** Note that the reference count on the session block is
// initially set to 2, to allow for the active status on the
// block and the pointer that we're maintaining. In other
// words, this is a referenced pointer, and the pointer must be
// dereferenced when processing of this SMB is complete.
//
// It seems that perhaps we need another reference since we are
// doing this using a trans2 instead of a sessionsetup
//
SrvReferenceSession( session );
WorkContext->Session = session;
SessId = session->Uid;
}
status = S_OK;
}
else
{
//
// it failed
//
IF_DEBUG(ERRORS) {
SrvPrint0( "SrvSmbSessionSetupAndX: Bad user/password "
"combination.\n" );
}
SrvStatistics.LogonErrors++;
goto error_exit;
}
//
// Build response SMB, making sure to save request fields first in
// case the response overwrites the request. Save the
// newly-assigned UID in both the request SMB and the response SMB
// so that subsequent command processors and the client,
// respectively, can see it.
//
SmbPutAlignedUshort( &WorkContext->RequestHeader->Uid, SessId );
SmbPutAlignedUshort( &WorkContext->ResponseHeader->Uid, SessId );
SmbPutUshort( &response->Uid, SessId);
IF_SMB_DEBUG(TRANSACTION1) {
SrvPrint1( "SESSSETUP -- put uid for rdr = %x\n",response->Uid);
}
response->WordCount = 0;
//
// If appropriate, append the Native OS and Native LAN Man strings
// to the response.
//
RtlCopyMemory( response->Buffer,
Blob,
BlobLength );
//
// Normally, turning on bit 0 of Action indicates that the user was
// logged on as GUEST. However, NT does not have automatic guest
// logon--a user ID and password are required for every single logon
// (though the password may have null length). Therefore, the
// server need not concern itself with what kind of account the
// client gets.
//
SmbPutUlong( &response->BufferLength, BlobLength );
IF_SMB_DEBUG(TRANSACTION1) {
SrvPrint0( "SESSSETUP -- all done\n");
}
SrvCompleteExecuteTransaction( WorkContext, SmbTransStatusSuccess );
return;
error_exit:
if ( locksHeld ) {
RELEASE_LOCK( &connection->Lock );
RELEASE_LOCK( SrvSessionList.Lock );
}
if ( session != NULL ) {
// !!! Need to close token handle!
transaction->Session = NULL;
SrvFreeSession( session );
}
if ( domainString.Buffer != NULL && !SMB_IS_UNICODE(WorkContext) ) {
RtlFreeUnicodeString( &domainString );
}
if ( nameString.Buffer != NULL && !SMB_IS_UNICODE(WorkContext) ) {
RtlFreeUnicodeString( &nameString );
}
IF_SMB_DEBUG(TRANSACTION1) {
SrvPrint1( "SESSSETUP -- all done, status = %lC\n",status);
}
SrvSetSmbError( WorkContext, status );
SrvCompleteExecuteTransaction( WorkContext, SmbTransStatusErrorWithoutData );
return;
} // BlockingSessionSetup
SMB_PROCESSOR_RETURN_TYPE
SrvSmbLogoffAndX (
SMB_PROCESSOR_PARAMETERS
)
/*++
Routine Description:
Processes a Logoff and X SMB.
Arguments:
SMB_PROCESSOR_PARAMETERS - See smbprocs.h for a description
of the parameters to SMB processor routines.
Return Value:
SMB_PROCESSOR_RETURN_TYPE - See smbprocs.h
--*/
{
PREQ_LOGOFF_ANDX request;
PRESP_LOGOFF_ANDX response;
PSESSION session;
USHORT reqAndXOffset;
UCHAR nextCommand;
PAGED_CODE( );
IF_SMB_DEBUG(ADMIN1) {
SrvPrint2( "Logoff request header at 0x%lx, "
"response header at 0x%lx\n",
WorkContext->RequestHeader, WorkContext->ResponseHeader );
SrvPrint2( "Logoff request parameters at 0x%lx, "
"response parameters at 0x%lx\n",
WorkContext->RequestParameters,
WorkContext->ResponseParameters );
}
//
// Set up parameters.
//
request = (PREQ_LOGOFF_ANDX)(WorkContext->RequestParameters);
response = (PRESP_LOGOFF_ANDX)(WorkContext->ResponseParameters);
//
// If a session block has not already been assigned to the current
// work context, verify the UID. If verified, the address of the
// session block corresponding to this user is stored in the
// WorkContext block and the session block is referenced.
//
session = SrvVerifyUid(
WorkContext,
SmbGetAlignedUshort( &WorkContext->RequestHeader->Uid )
);
if ( session == NULL ) {
IF_DEBUG(SMB_ERRORS) {
SrvPrint1( "SrvSmbLogoffAndX: Invalid UID: 0x%lx\n",
SmbGetAlignedUshort( &WorkContext->RequestHeader->Uid ) );
}
SrvSetSmbError( WorkContext, STATUS_SMB_BAD_UID );
return SmbStatusSendResponse;
}
//
// If we need to visit the license server, get over to a blocking
// thread to ensure that we don't consume the nonblocking threads
//
if( WorkContext->UsingBlockingThread == 0 &&
session->IsLSNotified == TRUE ) {
//
// Insert the work item at the tail of the blocking work queue
//
SrvInsertWorkQueueTail(
&SrvBlockingWorkQueue,
(PQUEUEABLE_BLOCK_HEADER)WorkContext
);
return SmbStatusInProgress;
}
//
// Do the actual logoff.
//
SrvCloseSession( session );
SrvStatistics.SessionsLoggedOff++;
//
// Dereference the session, since it's no longer valid, but we may
// end up processing a chained command. Clear the session pointer
// in the work context block to indicate that we've done this.
//
SrvDereferenceSession( session );
WorkContext->Session = NULL;
//
// Build the response SMB, making sure to save request fields first
// in case the response overwrites the request.
//
reqAndXOffset = SmbGetUshort( &request->AndXOffset );
nextCommand = request->AndXCommand;
response->WordCount = 2;
response->AndXCommand = request->AndXCommand;
response->AndXReserved = 0;
SmbPutUshort( &response->AndXOffset, GET_ANDX_OFFSET(
WorkContext->ResponseHeader,
WorkContext->ResponseParameters,
RESP_LOGOFF_ANDX,
0
) );
SmbPutUshort( &response->ByteCount, 0 );
WorkContext->ResponseParameters = (PCHAR)WorkContext->ResponseHeader +
SmbGetUshort( &response->AndXOffset );
//
// Test for legal followon command.
//
switch ( nextCommand ) {
case SMB_COM_SESSION_SETUP_ANDX:
case SMB_COM_NO_ANDX_COMMAND:
break;
default:
IF_DEBUG(SMB_ERRORS) {
SrvPrint1( "SrvSmbLogoffAndX: Illegal followon command: 0x%lx\n",
nextCommand );
}
SrvSetSmbError( WorkContext, STATUS_INVALID_SMB );
return SmbStatusSendResponse;
}
//
// If there is an AndX command, set up to process it. Otherwise,
// indicate completion to the caller.
//
if ( nextCommand != SMB_COM_NO_ANDX_COMMAND ) {
WorkContext->NextCommand = nextCommand;
WorkContext->RequestParameters = (PCHAR)WorkContext->RequestHeader +
reqAndXOffset;
return SmbStatusMoreCommands;
}
IF_DEBUG(TRACE2) SrvPrint0( "SrvSmbLogoffAndX complete.\n" );
return SmbStatusSendResponse;
} // SrvSmbLogoffAndX
STATIC
VOID
GetEncryptionKey (
OUT CHAR EncryptionKey[MSV1_0_CHALLENGE_LENGTH]
)
/*++
Routine Description:
Creates an encryption key to use as a challenge for a logon.
*** Although the MSV1_0 authentication package has a function that
returns an encryption key, we do not use that function in order
to avoid a trip through LPC and into LSA.
Arguments:
EncryptionKey - a pointer to a buffer which receives the encryption
key.
Return Value:
NTSTATUS - result of operation.
--*/
{
union {
LARGE_INTEGER time;
UCHAR bytes[8];
} u;
ULONG seed;
ULONG challenge[2];
ULONG result3;
//
// Create a pseudo-random 8-byte number by munging the system time
// for use as a random number seed.
//
// Start by getting the system time.
//
ASSERT( MSV1_0_CHALLENGE_LENGTH == 2 * sizeof(ULONG) );
KeQuerySystemTime( &u.time );
//
// To ensure that we don't use the same system time twice, add in the
// count of the number of times this routine has been called. Then
// increment the counter.
//
// *** Since we don't use the low byte of the system time (it doesn't
// take on enough different values, because of the timer
// resolution), we increment the counter by 0x100.
//
// *** We don't interlock the counter because we don't really care
// if it's not 100% accurate.
//
u.time.LowPart += EncryptionKeyCount;
EncryptionKeyCount += 0x100;
//
// Now use parts of the system time as a seed for the random
// number generator.
//
// *** Because the middle two bytes of the low part of the system
// time change most rapidly, we use those in forming the seed.
//
seed = ((u.bytes[1] + 1) << 0) |
((u.bytes[2] + 0) << 8) |
((u.bytes[2] - 1) << 16) |
((u.bytes[1] + 0) << 24);
//
// Now get two random numbers. RtlRandom does not return negative
// numbers, so we pseudo-randomly negate them.
//
challenge[0] = RtlRandom( &seed );
challenge[1] = RtlRandom( &seed );
result3 = RtlRandom( &seed );
if ( (result3 & 0x1) != 0 ) {
challenge[0] |= 0x80000000;
}
if ( (result3 & 0x2) != 0 ) {
challenge[1] |= 0x80000000;
}
//
// Return the challenge.
//
RtlCopyMemory( EncryptionKey, challenge, MSV1_0_CHALLENGE_LENGTH );
return;
#if 0
//
// This is the old code, which uses LSA to get the challenge.
//
PMSV1_0_LM20_CHALLENGE_REQUEST challengeRequest;
ULONG challengeRequestLength;
PMSV1_0_LM20_CHALLENGE_RESPONSE challengeResponse;
ULONG challengeResponseLength;
NTSTATUS protocolStatus;
NTSTATUS freeStatus;
NTSTATUS status;
PAGED_CODE( );
challengeRequest = NULL;
challengeRequestLength = sizeof(MSV1_0_LM20_CHALLENGE_REQUEST);
status = NtAllocateVirtualMemory(
NtCurrentProcess( ),
(PVOID *)&challengeRequest,
0,
&challengeRequestLength,
MEM_COMMIT,
PAGE_READWRITE
);
if ( !NT_SUCCESS(status) ) {
INTERNAL_ERROR(
ERROR_LEVEL_EXPECTED,
"GetEncryptionKey: NtAllocateVirtualMemory failed: %X\n.",
status,
NULL
);
SrvLogError(
SrvDeviceObject,
EVENT_SRV_NO_VIRTUAL_MEMORY,
status,
&challengeRequestLength,
sizeof(ULONG),
NULL,
0
);
return status;
}
challengeRequest->MessageType = MsV1_0Lm20ChallengeRequest;
//
// Get the "challenge" that clients will use to encrypt
// passwords. This challenge is used for all logons on this
// VC.
//
status = LsaCallAuthenticationPackage(
SrvLsaHandle,
SrvAuthenticationPackage,
challengeRequest,
challengeRequestLength,
(PVOID *)&challengeResponse,
&challengeResponseLength,
&protocolStatus
);
freeStatus = NtFreeVirtualMemory(
NtCurrentProcess( ),
(PVOID *)&challengeRequest,
&challengeRequestLength,
MEM_RELEASE
);
ASSERT( NT_SUCCESS(freeStatus) );
if ( NT_SUCCESS(status) ) {
status = protocolStatus;
}
if ( !NT_SUCCESS(status) ) {
INTERNAL_ERROR(
ERROR_LEVEL_UNEXPECTED,
"GetEncryptionKey: LsaCallAuthenticationPackage failed: %X\n.",
status,
NULL
);
SrvLogServiceFailure( SRV_SVC_LSA_CALL_AUTH_PACKAGE, status );
return status;
}
//
// Copy the challenge into the output buffer.
//
RtlCopyMemory(
EncryptionKey,
challengeResponse->ChallengeToClient,
MSV1_0_CHALLENGE_LENGTH
);
//
// Free the LSA response buffer.
//
status = LsaFreeReturnBuffer( challengeResponse );
ASSERT( NT_SUCCESS(status) );
return STATUS_SUCCESS;
#endif
} // GetEncryptionKey
Reference in New Issue View Git Blame Copy Permalink