1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9 * Copyright (C) Bill Nagel <wnagel@tycoint.com>, Exacq Technologies
10 *
11 * This software is licensed as described in the file COPYING, which
12 * you should have received as part of this distribution. The terms
13 * are also available at https://curl.se/docs/copyright.html.
14 *
15 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
16 * copies of the Software, and permit persons to whom the Software is
17 * furnished to do so, under the terms of the COPYING file.
18 *
19 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20 * KIND, either express or implied.
21 *
22 * SPDX-License-Identifier: curl
23 *
24 ***************************************************************************/
25
26 #include "curl_setup.h"
27
28 #if !defined(CURL_DISABLE_SMB) && defined(USE_CURL_NTLM_CORE)
29
30 #include "smb.h"
31 #include "urldata.h"
32 #include "sendf.h"
33 #include "multiif.h"
34 #include "cfilters.h"
35 #include "connect.h"
36 #include "progress.h"
37 #include "transfer.h"
38 #include "vtls/vtls.h"
39 #include "curl_ntlm_core.h"
40 #include "escape.h"
41 #include "curl_endian.h"
42
43 /* The last 3 #include files should be in this order */
44 #include "curl_printf.h"
45 #include "curl_memory.h"
46 #include "memdebug.h"
47
48 /*
49 * Definitions for SMB protocol data structures
50 */
51 #if defined(_MSC_VER) || defined(__ILEC400__)
52 # define PACK
53 # pragma pack(push)
54 # pragma pack(1)
55 #elif defined(__GNUC__)
56 # define PACK __attribute__((packed))
57 #else
58 # define PACK
59 #endif
60
61 #define SMB_COM_CLOSE 0x04
62 #define SMB_COM_READ_ANDX 0x2e
63 #define SMB_COM_WRITE_ANDX 0x2f
64 #define SMB_COM_TREE_DISCONNECT 0x71
65 #define SMB_COM_NEGOTIATE 0x72
66 #define SMB_COM_SETUP_ANDX 0x73
67 #define SMB_COM_TREE_CONNECT_ANDX 0x75
68 #define SMB_COM_NT_CREATE_ANDX 0xa2
69 #define SMB_COM_NO_ANDX_COMMAND 0xff
70
71 #define SMB_WC_CLOSE 0x03
72 #define SMB_WC_READ_ANDX 0x0c
73 #define SMB_WC_WRITE_ANDX 0x0e
74 #define SMB_WC_SETUP_ANDX 0x0d
75 #define SMB_WC_TREE_CONNECT_ANDX 0x04
76 #define SMB_WC_NT_CREATE_ANDX 0x18
77
78 #define SMB_FLAGS_CANONICAL_PATHNAMES 0x10
79 #define SMB_FLAGS_CASELESS_PATHNAMES 0x08
80 #define SMB_FLAGS2_UNICODE_STRINGS 0x8000
81 #define SMB_FLAGS2_IS_LONG_NAME 0x0040
82 #define SMB_FLAGS2_KNOWS_LONG_NAME 0x0001
83
84 #define SMB_CAP_LARGE_FILES 0x08
85 #define SMB_GENERIC_WRITE 0x40000000
86 #define SMB_GENERIC_READ 0x80000000
87 #define SMB_FILE_SHARE_ALL 0x07
88 #define SMB_FILE_OPEN 0x01
89 #define SMB_FILE_OVERWRITE_IF 0x05
90
91 #define SMB_ERR_NOACCESS 0x00050001
92
93 struct smb_header {
94 unsigned char nbt_type;
95 unsigned char nbt_flags;
96 unsigned short nbt_length;
97 unsigned char magic[4];
98 unsigned char command;
99 unsigned int status;
100 unsigned char flags;
101 unsigned short flags2;
102 unsigned short pid_high;
103 unsigned char signature[8];
104 unsigned short pad;
105 unsigned short tid;
106 unsigned short pid;
107 unsigned short uid;
108 unsigned short mid;
109 } PACK;
110
111 struct smb_negotiate_response {
112 struct smb_header h;
113 unsigned char word_count;
114 unsigned short dialect_index;
115 unsigned char security_mode;
116 unsigned short max_mpx_count;
117 unsigned short max_number_vcs;
118 unsigned int max_buffer_size;
119 unsigned int max_raw_size;
120 unsigned int session_key;
121 unsigned int capabilities;
122 unsigned int system_time_low;
123 unsigned int system_time_high;
124 unsigned short server_time_zone;
125 unsigned char encryption_key_length;
126 unsigned short byte_count;
127 char bytes[1];
128 } PACK;
129
130 struct andx {
131 unsigned char command;
132 unsigned char pad;
133 unsigned short offset;
134 } PACK;
135
136 struct smb_setup {
137 unsigned char word_count;
138 struct andx andx;
139 unsigned short max_buffer_size;
140 unsigned short max_mpx_count;
141 unsigned short vc_number;
142 unsigned int session_key;
143 unsigned short lengths[2];
144 unsigned int pad;
145 unsigned int capabilities;
146 unsigned short byte_count;
147 char bytes[1024];
148 } PACK;
149
150 struct smb_tree_connect {
151 unsigned char word_count;
152 struct andx andx;
153 unsigned short flags;
154 unsigned short pw_len;
155 unsigned short byte_count;
156 char bytes[1024];
157 } PACK;
158
159 struct smb_nt_create {
160 unsigned char word_count;
161 struct andx andx;
162 unsigned char pad;
163 unsigned short name_length;
164 unsigned int flags;
165 unsigned int root_fid;
166 unsigned int access;
167 curl_off_t allocation_size;
168 unsigned int ext_file_attributes;
169 unsigned int share_access;
170 unsigned int create_disposition;
171 unsigned int create_options;
172 unsigned int impersonation_level;
173 unsigned char security_flags;
174 unsigned short byte_count;
175 char bytes[1024];
176 } PACK;
177
178 struct smb_nt_create_response {
179 struct smb_header h;
180 unsigned char word_count;
181 struct andx andx;
182 unsigned char op_lock_level;
183 unsigned short fid;
184 unsigned int create_disposition;
185
186 curl_off_t create_time;
187 curl_off_t last_access_time;
188 curl_off_t last_write_time;
189 curl_off_t last_change_time;
190 unsigned int ext_file_attributes;
191 curl_off_t allocation_size;
192 curl_off_t end_of_file;
193 } PACK;
194
195 struct smb_read {
196 unsigned char word_count;
197 struct andx andx;
198 unsigned short fid;
199 unsigned int offset;
200 unsigned short max_bytes;
201 unsigned short min_bytes;
202 unsigned int timeout;
203 unsigned short remaining;
204 unsigned int offset_high;
205 unsigned short byte_count;
206 } PACK;
207
208 struct smb_write {
209 struct smb_header h;
210 unsigned char word_count;
211 struct andx andx;
212 unsigned short fid;
213 unsigned int offset;
214 unsigned int timeout;
215 unsigned short write_mode;
216 unsigned short remaining;
217 unsigned short pad;
218 unsigned short data_length;
219 unsigned short data_offset;
220 unsigned int offset_high;
221 unsigned short byte_count;
222 unsigned char pad2;
223 } PACK;
224
225 struct smb_close {
226 unsigned char word_count;
227 unsigned short fid;
228 unsigned int last_mtime;
229 unsigned short byte_count;
230 } PACK;
231
232 struct smb_tree_disconnect {
233 unsigned char word_count;
234 unsigned short byte_count;
235 } PACK;
236
237 #if defined(_MSC_VER) || defined(__ILEC400__)
238 # pragma pack(pop)
239 #endif
240
241 /* Local API functions */
242 static CURLcode smb_setup_connection(struct Curl_easy *data,
243 struct connectdata *conn);
244 static CURLcode smb_connect(struct Curl_easy *data, bool *done);
245 static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
246 static CURLcode smb_do(struct Curl_easy *data, bool *done);
247 static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
248 static CURLcode smb_disconnect(struct Curl_easy *data,
249 struct connectdata *conn, bool dead);
250 static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
251 curl_socket_t *socks);
252 static CURLcode smb_parse_url_path(struct Curl_easy *data,
253 struct connectdata *conn);
254
255 /*
256 * SMB handler interface
257 */
258 const struct Curl_handler Curl_handler_smb = {
259 "smb", /* scheme */
260 smb_setup_connection, /* setup_connection */
261 smb_do, /* do_it */
262 ZERO_NULL, /* done */
263 ZERO_NULL, /* do_more */
264 smb_connect, /* connect_it */
265 smb_connection_state, /* connecting */
266 smb_request_state, /* doing */
267 smb_getsock, /* proto_getsock */
268 smb_getsock, /* doing_getsock */
269 ZERO_NULL, /* domore_getsock */
270 ZERO_NULL, /* perform_getsock */
271 smb_disconnect, /* disconnect */
272 ZERO_NULL, /* write_resp */
273 ZERO_NULL, /* write_resp_hd */
274 ZERO_NULL, /* connection_check */
275 ZERO_NULL, /* attach connection */
276 ZERO_NULL, /* follow */
277 PORT_SMB, /* defport */
278 CURLPROTO_SMB, /* protocol */
279 CURLPROTO_SMB, /* family */
280 PROTOPT_NONE /* flags */
281 };
282
283 #ifdef USE_SSL
284 /*
285 * SMBS handler interface
286 */
287 const struct Curl_handler Curl_handler_smbs = {
288 "smbs", /* scheme */
289 smb_setup_connection, /* setup_connection */
290 smb_do, /* do_it */
291 ZERO_NULL, /* done */
292 ZERO_NULL, /* do_more */
293 smb_connect, /* connect_it */
294 smb_connection_state, /* connecting */
295 smb_request_state, /* doing */
296 smb_getsock, /* proto_getsock */
297 smb_getsock, /* doing_getsock */
298 ZERO_NULL, /* domore_getsock */
299 ZERO_NULL, /* perform_getsock */
300 smb_disconnect, /* disconnect */
301 ZERO_NULL, /* write_resp */
302 ZERO_NULL, /* write_resp_hd */
303 ZERO_NULL, /* connection_check */
304 ZERO_NULL, /* attach connection */
305 ZERO_NULL, /* follow */
306 PORT_SMBS, /* defport */
307 CURLPROTO_SMBS, /* protocol */
308 CURLPROTO_SMB, /* family */
309 PROTOPT_SSL /* flags */
310 };
311 #endif
312
313 #define MAX_PAYLOAD_SIZE 0x8000
314 #define MAX_MESSAGE_SIZE (MAX_PAYLOAD_SIZE + 0x1000)
315 #define CLIENTNAME "curl"
316 #define SERVICENAME "?????"
317
318 /* SMB is mostly little endian */
319 #if (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || \
320 defined(__OS400__)
smb_swap16(unsigned short x)321 static unsigned short smb_swap16(unsigned short x)
322 {
323 return (unsigned short) ((x << 8) | ((x >> 8) & 0xff));
324 }
325
smb_swap32(unsigned int x)326 static unsigned int smb_swap32(unsigned int x)
327 {
328 return (x << 24) | ((x << 8) & 0xff0000) | ((x >> 8) & 0xff00) |
329 ((x >> 24) & 0xff);
330 }
331
smb_swap64(curl_off_t x)332 static curl_off_t smb_swap64(curl_off_t x)
333 {
334 return ((curl_off_t) smb_swap32((unsigned int) x) << 32) |
335 smb_swap32((unsigned int) (x >> 32));
336 }
337
338 #else
339 # define smb_swap16(x) (x)
340 # define smb_swap32(x) (x)
341 # define smb_swap64(x) (x)
342 #endif
343
344 /* SMB request state */
345 enum smb_req_state {
346 SMB_REQUESTING,
347 SMB_TREE_CONNECT,
348 SMB_OPEN,
349 SMB_DOWNLOAD,
350 SMB_UPLOAD,
351 SMB_CLOSE,
352 SMB_TREE_DISCONNECT,
353 SMB_DONE
354 };
355
356 /* SMB request data */
357 struct smb_request {
358 enum smb_req_state state;
359 char *path;
360 unsigned short tid; /* Even if we connect to the same tree as another */
361 unsigned short fid; /* request, the tid will be different */
362 CURLcode result;
363 };
364
conn_state(struct Curl_easy * data,enum smb_conn_state newstate)365 static void conn_state(struct Curl_easy *data, enum smb_conn_state newstate)
366 {
367 struct smb_conn *smbc = &data->conn->proto.smbc;
368 #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
369 /* For debug purposes */
370 static const char * const names[] = {
371 "SMB_NOT_CONNECTED",
372 "SMB_CONNECTING",
373 "SMB_NEGOTIATE",
374 "SMB_SETUP",
375 "SMB_CONNECTED",
376 /* LAST */
377 };
378
379 if(smbc->state != newstate)
380 infof(data, "SMB conn %p state change from %s to %s",
381 (void *)smbc, names[smbc->state], names[newstate]);
382 #endif
383
384 smbc->state = newstate;
385 }
386
request_state(struct Curl_easy * data,enum smb_req_state newstate)387 static void request_state(struct Curl_easy *data,
388 enum smb_req_state newstate)
389 {
390 struct smb_request *req = data->req.p.smb;
391 #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
392 /* For debug purposes */
393 static const char * const names[] = {
394 "SMB_REQUESTING",
395 "SMB_TREE_CONNECT",
396 "SMB_OPEN",
397 "SMB_DOWNLOAD",
398 "SMB_UPLOAD",
399 "SMB_CLOSE",
400 "SMB_TREE_DISCONNECT",
401 "SMB_DONE",
402 /* LAST */
403 };
404
405 if(req->state != newstate)
406 infof(data, "SMB request %p state change from %s to %s",
407 (void *)req, names[req->state], names[newstate]);
408 #endif
409
410 req->state = newstate;
411 }
412
413 /* this should setup things in the connection, not in the easy
414 handle */
smb_setup_connection(struct Curl_easy * data,struct connectdata * conn)415 static CURLcode smb_setup_connection(struct Curl_easy *data,
416 struct connectdata *conn)
417 {
418 struct smb_request *req;
419
420 /* Initialize the request state */
421 data->req.p.smb = req = calloc(1, sizeof(struct smb_request));
422 if(!req)
423 return CURLE_OUT_OF_MEMORY;
424
425 /* Parse the URL path */
426 return smb_parse_url_path(data, conn);
427 }
428
smb_connect(struct Curl_easy * data,bool * done)429 static CURLcode smb_connect(struct Curl_easy *data, bool *done)
430 {
431 struct connectdata *conn = data->conn;
432 struct smb_conn *smbc = &conn->proto.smbc;
433 char *slash;
434
435 (void) done;
436
437 /* Check we have a username and password to authenticate with */
438 if(!data->state.aptr.user)
439 return CURLE_LOGIN_DENIED;
440
441 /* Initialize the connection state */
442 smbc->state = SMB_CONNECTING;
443 smbc->recv_buf = malloc(MAX_MESSAGE_SIZE);
444 if(!smbc->recv_buf)
445 return CURLE_OUT_OF_MEMORY;
446 smbc->send_buf = malloc(MAX_MESSAGE_SIZE);
447 if(!smbc->send_buf)
448 return CURLE_OUT_OF_MEMORY;
449
450 /* Multiple requests are allowed with this connection */
451 connkeep(conn, "SMB default");
452
453 /* Parse the username, domain, and password */
454 slash = strchr(conn->user, '/');
455 if(!slash)
456 slash = strchr(conn->user, '\\');
457
458 if(slash) {
459 smbc->user = slash + 1;
460 smbc->domain = strdup(conn->user);
461 if(!smbc->domain)
462 return CURLE_OUT_OF_MEMORY;
463 smbc->domain[slash - conn->user] = 0;
464 }
465 else {
466 smbc->user = conn->user;
467 smbc->domain = strdup(conn->host.name);
468 if(!smbc->domain)
469 return CURLE_OUT_OF_MEMORY;
470 }
471
472 return CURLE_OK;
473 }
474
smb_recv_message(struct Curl_easy * data,void ** msg)475 static CURLcode smb_recv_message(struct Curl_easy *data, void **msg)
476 {
477 struct connectdata *conn = data->conn;
478 struct smb_conn *smbc = &conn->proto.smbc;
479 char *buf = smbc->recv_buf;
480 ssize_t bytes_read;
481 size_t nbt_size;
482 size_t msg_size;
483 size_t len = MAX_MESSAGE_SIZE - smbc->got;
484 CURLcode result;
485
486 result = Curl_xfer_recv(data, buf + smbc->got, len, &bytes_read);
487 if(result)
488 return result;
489
490 if(!bytes_read)
491 return CURLE_OK;
492
493 smbc->got += bytes_read;
494
495 /* Check for a 32-bit nbt header */
496 if(smbc->got < sizeof(unsigned int))
497 return CURLE_OK;
498
499 nbt_size = Curl_read16_be((const unsigned char *)
500 (buf + sizeof(unsigned short))) +
501 sizeof(unsigned int);
502 if(smbc->got < nbt_size)
503 return CURLE_OK;
504
505 msg_size = sizeof(struct smb_header);
506 if(nbt_size >= msg_size + 1) {
507 /* Add the word count */
508 msg_size += 1 + ((unsigned char) buf[msg_size]) * sizeof(unsigned short);
509 if(nbt_size >= msg_size + sizeof(unsigned short)) {
510 /* Add the byte count */
511 msg_size += sizeof(unsigned short) +
512 Curl_read16_le((const unsigned char *)&buf[msg_size]);
513 if(nbt_size < msg_size)
514 return CURLE_READ_ERROR;
515 }
516 }
517
518 *msg = buf;
519
520 return CURLE_OK;
521 }
522
smb_pop_message(struct connectdata * conn)523 static void smb_pop_message(struct connectdata *conn)
524 {
525 struct smb_conn *smbc = &conn->proto.smbc;
526
527 smbc->got = 0;
528 }
529
smb_format_message(struct Curl_easy * data,struct smb_header * h,unsigned char cmd,size_t len)530 static void smb_format_message(struct Curl_easy *data, struct smb_header *h,
531 unsigned char cmd, size_t len)
532 {
533 struct connectdata *conn = data->conn;
534 struct smb_conn *smbc = &conn->proto.smbc;
535 struct smb_request *req = data->req.p.smb;
536 unsigned int pid;
537
538 memset(h, 0, sizeof(*h));
539 h->nbt_length = htons((unsigned short) (sizeof(*h) - sizeof(unsigned int) +
540 len));
541 memcpy((char *)h->magic, "\xffSMB", 4);
542 h->command = cmd;
543 h->flags = SMB_FLAGS_CANONICAL_PATHNAMES | SMB_FLAGS_CASELESS_PATHNAMES;
544 h->flags2 = smb_swap16(SMB_FLAGS2_IS_LONG_NAME | SMB_FLAGS2_KNOWS_LONG_NAME);
545 h->uid = smb_swap16(smbc->uid);
546 h->tid = smb_swap16(req->tid);
547 pid = (unsigned int)Curl_getpid();
548 h->pid_high = smb_swap16((unsigned short)(pid >> 16));
549 h->pid = smb_swap16((unsigned short) pid);
550 }
551
smb_send(struct Curl_easy * data,size_t len,size_t upload_size)552 static CURLcode smb_send(struct Curl_easy *data, size_t len,
553 size_t upload_size)
554 {
555 struct connectdata *conn = data->conn;
556 struct smb_conn *smbc = &conn->proto.smbc;
557 size_t bytes_written;
558 CURLcode result;
559
560 result = Curl_xfer_send(data, smbc->send_buf, len, FALSE, &bytes_written);
561 if(result)
562 return result;
563
564 if(bytes_written != len) {
565 smbc->send_size = len;
566 smbc->sent = bytes_written;
567 }
568
569 smbc->upload_size = upload_size;
570
571 return CURLE_OK;
572 }
573
smb_flush(struct Curl_easy * data)574 static CURLcode smb_flush(struct Curl_easy *data)
575 {
576 struct connectdata *conn = data->conn;
577 struct smb_conn *smbc = &conn->proto.smbc;
578 size_t bytes_written;
579 size_t len = smbc->send_size - smbc->sent;
580 CURLcode result;
581
582 if(!smbc->send_size)
583 return CURLE_OK;
584
585 result = Curl_xfer_send(data, smbc->send_buf + smbc->sent, len, FALSE,
586 &bytes_written);
587 if(result)
588 return result;
589
590 if(bytes_written != len)
591 smbc->sent += bytes_written;
592 else
593 smbc->send_size = 0;
594
595 return CURLE_OK;
596 }
597
smb_send_message(struct Curl_easy * data,unsigned char cmd,const void * msg,size_t msg_len)598 static CURLcode smb_send_message(struct Curl_easy *data, unsigned char cmd,
599 const void *msg, size_t msg_len)
600 {
601 struct connectdata *conn = data->conn;
602 struct smb_conn *smbc = &conn->proto.smbc;
603
604 smb_format_message(data, (struct smb_header *)smbc->send_buf,
605 cmd, msg_len);
606 DEBUGASSERT((sizeof(struct smb_header) + msg_len) <= MAX_MESSAGE_SIZE);
607 memcpy(smbc->send_buf + sizeof(struct smb_header), msg, msg_len);
608
609 return smb_send(data, sizeof(struct smb_header) + msg_len, 0);
610 }
611
smb_send_negotiate(struct Curl_easy * data)612 static CURLcode smb_send_negotiate(struct Curl_easy *data)
613 {
614 const char *msg = "\x00\x0c\x00\x02NT LM 0.12";
615
616 return smb_send_message(data, SMB_COM_NEGOTIATE, msg, 15);
617 }
618
smb_send_setup(struct Curl_easy * data)619 static CURLcode smb_send_setup(struct Curl_easy *data)
620 {
621 struct connectdata *conn = data->conn;
622 struct smb_conn *smbc = &conn->proto.smbc;
623 struct smb_setup msg;
624 char *p = msg.bytes;
625 unsigned char lm_hash[21];
626 unsigned char lm[24];
627 unsigned char nt_hash[21];
628 unsigned char nt[24];
629
630 const size_t byte_count = sizeof(lm) + sizeof(nt) +
631 strlen(smbc->user) + strlen(smbc->domain) +
632 strlen(CURL_OS) + strlen(CLIENTNAME) + 4; /* 4 null chars */
633 if(byte_count > sizeof(msg.bytes))
634 return CURLE_FILESIZE_EXCEEDED;
635
636 Curl_ntlm_core_mk_lm_hash(conn->passwd, lm_hash);
637 Curl_ntlm_core_lm_resp(lm_hash, smbc->challenge, lm);
638 Curl_ntlm_core_mk_nt_hash(conn->passwd, nt_hash);
639 Curl_ntlm_core_lm_resp(nt_hash, smbc->challenge, nt);
640
641 memset(&msg, 0, sizeof(msg) - sizeof(msg.bytes));
642 msg.word_count = SMB_WC_SETUP_ANDX;
643 msg.andx.command = SMB_COM_NO_ANDX_COMMAND;
644 msg.max_buffer_size = smb_swap16(MAX_MESSAGE_SIZE);
645 msg.max_mpx_count = smb_swap16(1);
646 msg.vc_number = smb_swap16(1);
647 msg.session_key = smb_swap32(smbc->session_key);
648 msg.capabilities = smb_swap32(SMB_CAP_LARGE_FILES);
649 msg.lengths[0] = smb_swap16(sizeof(lm));
650 msg.lengths[1] = smb_swap16(sizeof(nt));
651 memcpy(p, lm, sizeof(lm));
652 p += sizeof(lm);
653 memcpy(p, nt, sizeof(nt));
654 p += sizeof(nt);
655 p += msnprintf(p, byte_count - sizeof(nt) - sizeof(lm),
656 "%s%c" /* user */
657 "%s%c" /* domain */
658 "%s%c" /* OS */
659 "%s", /* client name */
660 smbc->user, 0, smbc->domain, 0, CURL_OS, 0, CLIENTNAME);
661 p++; /* count the final null termination */
662 DEBUGASSERT(byte_count == (size_t)(p - msg.bytes));
663 msg.byte_count = smb_swap16((unsigned short)byte_count);
664
665 return smb_send_message(data, SMB_COM_SETUP_ANDX, &msg,
666 sizeof(msg) - sizeof(msg.bytes) + byte_count);
667 }
668
smb_send_tree_connect(struct Curl_easy * data)669 static CURLcode smb_send_tree_connect(struct Curl_easy *data)
670 {
671 struct smb_tree_connect msg;
672 struct connectdata *conn = data->conn;
673 struct smb_conn *smbc = &conn->proto.smbc;
674 char *p = msg.bytes;
675
676 const size_t byte_count = strlen(conn->host.name) + strlen(smbc->share) +
677 strlen(SERVICENAME) + 5; /* 2 nulls and 3 backslashes */
678 if(byte_count > sizeof(msg.bytes))
679 return CURLE_FILESIZE_EXCEEDED;
680
681 memset(&msg, 0, sizeof(msg) - sizeof(msg.bytes));
682 msg.word_count = SMB_WC_TREE_CONNECT_ANDX;
683 msg.andx.command = SMB_COM_NO_ANDX_COMMAND;
684 msg.pw_len = 0;
685
686 p += msnprintf(p, byte_count,
687 "\\\\%s\\" /* hostname */
688 "%s%c" /* share */
689 "%s", /* service */
690 conn->host.name, smbc->share, 0, SERVICENAME);
691 p++; /* count the final null termination */
692 DEBUGASSERT(byte_count == (size_t)(p - msg.bytes));
693 msg.byte_count = smb_swap16((unsigned short)byte_count);
694
695 return smb_send_message(data, SMB_COM_TREE_CONNECT_ANDX, &msg,
696 sizeof(msg) - sizeof(msg.bytes) + byte_count);
697 }
698
smb_send_open(struct Curl_easy * data)699 static CURLcode smb_send_open(struct Curl_easy *data)
700 {
701 struct smb_request *req = data->req.p.smb;
702 struct smb_nt_create msg;
703 const size_t byte_count = strlen(req->path) + 1;
704
705 if(byte_count > sizeof(msg.bytes))
706 return CURLE_FILESIZE_EXCEEDED;
707
708 memset(&msg, 0, sizeof(msg) - sizeof(msg.bytes));
709 msg.word_count = SMB_WC_NT_CREATE_ANDX;
710 msg.andx.command = SMB_COM_NO_ANDX_COMMAND;
711 msg.name_length = smb_swap16((unsigned short)(byte_count - 1));
712 msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL);
713 if(data->state.upload) {
714 msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE);
715 msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF);
716 }
717 else {
718 msg.access = smb_swap32(SMB_GENERIC_READ);
719 msg.create_disposition = smb_swap32(SMB_FILE_OPEN);
720 }
721 msg.byte_count = smb_swap16((unsigned short) byte_count);
722 strcpy(msg.bytes, req->path);
723
724 return smb_send_message(data, SMB_COM_NT_CREATE_ANDX, &msg,
725 sizeof(msg) - sizeof(msg.bytes) + byte_count);
726 }
727
smb_send_close(struct Curl_easy * data)728 static CURLcode smb_send_close(struct Curl_easy *data)
729 {
730 struct smb_request *req = data->req.p.smb;
731 struct smb_close msg;
732
733 memset(&msg, 0, sizeof(msg));
734 msg.word_count = SMB_WC_CLOSE;
735 msg.fid = smb_swap16(req->fid);
736
737 return smb_send_message(data, SMB_COM_CLOSE, &msg, sizeof(msg));
738 }
739
smb_send_tree_disconnect(struct Curl_easy * data)740 static CURLcode smb_send_tree_disconnect(struct Curl_easy *data)
741 {
742 struct smb_tree_disconnect msg;
743
744 memset(&msg, 0, sizeof(msg));
745
746 return smb_send_message(data, SMB_COM_TREE_DISCONNECT, &msg, sizeof(msg));
747 }
748
smb_send_read(struct Curl_easy * data)749 static CURLcode smb_send_read(struct Curl_easy *data)
750 {
751 struct smb_request *req = data->req.p.smb;
752 curl_off_t offset = data->req.offset;
753 struct smb_read msg;
754
755 memset(&msg, 0, sizeof(msg));
756 msg.word_count = SMB_WC_READ_ANDX;
757 msg.andx.command = SMB_COM_NO_ANDX_COMMAND;
758 msg.fid = smb_swap16(req->fid);
759 msg.offset = smb_swap32((unsigned int) offset);
760 msg.offset_high = smb_swap32((unsigned int) (offset >> 32));
761 msg.min_bytes = smb_swap16(MAX_PAYLOAD_SIZE);
762 msg.max_bytes = smb_swap16(MAX_PAYLOAD_SIZE);
763
764 return smb_send_message(data, SMB_COM_READ_ANDX, &msg, sizeof(msg));
765 }
766
smb_send_write(struct Curl_easy * data)767 static CURLcode smb_send_write(struct Curl_easy *data)
768 {
769 struct connectdata *conn = data->conn;
770 struct smb_conn *smbc = &conn->proto.smbc;
771 struct smb_write *msg;
772 struct smb_request *req = data->req.p.smb;
773 curl_off_t offset = data->req.offset;
774 curl_off_t upload_size = data->req.size - data->req.bytecount;
775
776 msg = (struct smb_write *)smbc->send_buf;
777 if(upload_size >= MAX_PAYLOAD_SIZE - 1) /* There is one byte of padding */
778 upload_size = MAX_PAYLOAD_SIZE - 1;
779
780 memset(msg, 0, sizeof(*msg));
781 msg->word_count = SMB_WC_WRITE_ANDX;
782 msg->andx.command = SMB_COM_NO_ANDX_COMMAND;
783 msg->fid = smb_swap16(req->fid);
784 msg->offset = smb_swap32((unsigned int) offset);
785 msg->offset_high = smb_swap32((unsigned int) (offset >> 32));
786 msg->data_length = smb_swap16((unsigned short) upload_size);
787 msg->data_offset = smb_swap16(sizeof(*msg) - sizeof(unsigned int));
788 msg->byte_count = smb_swap16((unsigned short) (upload_size + 1));
789
790 smb_format_message(data, &msg->h, SMB_COM_WRITE_ANDX,
791 sizeof(*msg) - sizeof(msg->h) + (size_t) upload_size);
792
793 return smb_send(data, sizeof(*msg), (size_t) upload_size);
794 }
795
smb_send_and_recv(struct Curl_easy * data,void ** msg)796 static CURLcode smb_send_and_recv(struct Curl_easy *data, void **msg)
797 {
798 struct connectdata *conn = data->conn;
799 struct smb_conn *smbc = &conn->proto.smbc;
800 CURLcode result;
801 *msg = NULL; /* if it returns early */
802
803 /* Check if there is data in the transfer buffer */
804 if(!smbc->send_size && smbc->upload_size) {
805 size_t nread = smbc->upload_size > (size_t)MAX_MESSAGE_SIZE ?
806 (size_t)MAX_MESSAGE_SIZE : smbc->upload_size;
807 bool eos;
808
809 result = Curl_client_read(data, smbc->send_buf, nread, &nread, &eos);
810 if(result && result != CURLE_AGAIN)
811 return result;
812 if(!nread)
813 return CURLE_OK;
814
815 smbc->upload_size -= nread;
816 smbc->send_size = nread;
817 smbc->sent = 0;
818 }
819
820 /* Check if there is data to send */
821 if(smbc->send_size) {
822 result = smb_flush(data);
823 if(result)
824 return result;
825 }
826
827 /* Check if there is still data to be sent */
828 if(smbc->send_size || smbc->upload_size)
829 return CURLE_AGAIN;
830
831 return smb_recv_message(data, msg);
832 }
833
smb_connection_state(struct Curl_easy * data,bool * done)834 static CURLcode smb_connection_state(struct Curl_easy *data, bool *done)
835 {
836 struct connectdata *conn = data->conn;
837 struct smb_conn *smbc = &conn->proto.smbc;
838 struct smb_negotiate_response *nrsp;
839 struct smb_header *h;
840 CURLcode result;
841 void *msg = NULL;
842
843 if(smbc->state == SMB_CONNECTING) {
844 #ifdef USE_SSL
845 if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
846 bool ssl_done = FALSE;
847 result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done);
848 if(result && result != CURLE_AGAIN)
849 return result;
850 if(!ssl_done)
851 return CURLE_OK;
852 }
853 #endif
854
855 result = smb_send_negotiate(data);
856 if(result) {
857 connclose(conn, "SMB: failed to send negotiate message");
858 return result;
859 }
860
861 conn_state(data, SMB_NEGOTIATE);
862 }
863
864 /* Send the previous message and check for a response */
865 result = smb_send_and_recv(data, &msg);
866 if(result && result != CURLE_AGAIN) {
867 connclose(conn, "SMB: failed to communicate");
868 return result;
869 }
870
871 if(!msg)
872 return CURLE_OK;
873
874 h = msg;
875
876 switch(smbc->state) {
877 case SMB_NEGOTIATE:
878 if((smbc->got < sizeof(*nrsp) + sizeof(smbc->challenge) - 1) ||
879 h->status) {
880 connclose(conn, "SMB: negotiation failed");
881 return CURLE_COULDNT_CONNECT;
882 }
883 nrsp = msg;
884 memcpy(smbc->challenge, nrsp->bytes, sizeof(smbc->challenge));
885 smbc->session_key = smb_swap32(nrsp->session_key);
886 result = smb_send_setup(data);
887 if(result) {
888 connclose(conn, "SMB: failed to send setup message");
889 return result;
890 }
891 conn_state(data, SMB_SETUP);
892 break;
893
894 case SMB_SETUP:
895 if(h->status) {
896 connclose(conn, "SMB: authentication failed");
897 return CURLE_LOGIN_DENIED;
898 }
899 smbc->uid = smb_swap16(h->uid);
900 conn_state(data, SMB_CONNECTED);
901 *done = TRUE;
902 break;
903
904 default:
905 smb_pop_message(conn);
906 return CURLE_OK; /* ignore */
907 }
908
909 smb_pop_message(conn);
910
911 return CURLE_OK;
912 }
913
914 /*
915 * Convert a timestamp from the Windows world (100 nsec units from 1 Jan 1601)
916 * to POSIX time. Cap the output to fit within a time_t.
917 */
get_posix_time(time_t * out,curl_off_t timestamp)918 static void get_posix_time(time_t *out, curl_off_t timestamp)
919 {
920 timestamp -= CURL_OFF_T_C(116444736000000000);
921 timestamp /= 10000000;
922 #if SIZEOF_TIME_T < SIZEOF_CURL_OFF_T
923 if(timestamp > TIME_T_MAX)
924 *out = TIME_T_MAX;
925 else if(timestamp < TIME_T_MIN)
926 *out = TIME_T_MIN;
927 else
928 #endif
929 *out = (time_t) timestamp;
930 }
931
smb_request_state(struct Curl_easy * data,bool * done)932 static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
933 {
934 struct connectdata *conn = data->conn;
935 struct smb_request *req = data->req.p.smb;
936 struct smb_header *h;
937 struct smb_conn *smbc = &conn->proto.smbc;
938 enum smb_req_state next_state = SMB_DONE;
939 unsigned short len;
940 unsigned short off;
941 CURLcode result;
942 void *msg = NULL;
943 const struct smb_nt_create_response *smb_m;
944
945 if(data->state.upload && (data->state.infilesize < 0)) {
946 failf(data, "SMB upload needs to know the size up front");
947 return CURLE_SEND_ERROR;
948 }
949
950 /* Start the request */
951 if(req->state == SMB_REQUESTING) {
952 result = smb_send_tree_connect(data);
953 if(result) {
954 connclose(conn, "SMB: failed to send tree connect message");
955 return result;
956 }
957
958 request_state(data, SMB_TREE_CONNECT);
959 }
960
961 /* Send the previous message and check for a response */
962 result = smb_send_and_recv(data, &msg);
963 if(result && result != CURLE_AGAIN) {
964 connclose(conn, "SMB: failed to communicate");
965 return result;
966 }
967
968 if(!msg)
969 return CURLE_OK;
970
971 h = msg;
972
973 switch(req->state) {
974 case SMB_TREE_CONNECT:
975 if(h->status) {
976 req->result = CURLE_REMOTE_FILE_NOT_FOUND;
977 if(h->status == smb_swap32(SMB_ERR_NOACCESS))
978 req->result = CURLE_REMOTE_ACCESS_DENIED;
979 break;
980 }
981 req->tid = smb_swap16(h->tid);
982 next_state = SMB_OPEN;
983 break;
984
985 case SMB_OPEN:
986 if(h->status || smbc->got < sizeof(struct smb_nt_create_response)) {
987 req->result = CURLE_REMOTE_FILE_NOT_FOUND;
988 if(h->status == smb_swap32(SMB_ERR_NOACCESS))
989 req->result = CURLE_REMOTE_ACCESS_DENIED;
990 next_state = SMB_TREE_DISCONNECT;
991 break;
992 }
993 smb_m = (const struct smb_nt_create_response*) msg;
994 req->fid = smb_swap16(smb_m->fid);
995 data->req.offset = 0;
996 if(data->state.upload) {
997 data->req.size = data->state.infilesize;
998 Curl_pgrsSetUploadSize(data, data->req.size);
999 next_state = SMB_UPLOAD;
1000 }
1001 else {
1002 data->req.size = smb_swap64(smb_m->end_of_file);
1003 if(data->req.size < 0) {
1004 req->result = CURLE_WEIRD_SERVER_REPLY;
1005 next_state = SMB_CLOSE;
1006 }
1007 else {
1008 Curl_pgrsSetDownloadSize(data, data->req.size);
1009 if(data->set.get_filetime)
1010 get_posix_time(&data->info.filetime, smb_m->last_change_time);
1011 next_state = SMB_DOWNLOAD;
1012 }
1013 }
1014 break;
1015
1016 case SMB_DOWNLOAD:
1017 if(h->status || smbc->got < sizeof(struct smb_header) + 14) {
1018 req->result = CURLE_RECV_ERROR;
1019 next_state = SMB_CLOSE;
1020 break;
1021 }
1022 len = Curl_read16_le(((const unsigned char *) msg) +
1023 sizeof(struct smb_header) + 11);
1024 off = Curl_read16_le(((const unsigned char *) msg) +
1025 sizeof(struct smb_header) + 13);
1026 if(len > 0) {
1027 if(off + sizeof(unsigned int) + len > smbc->got) {
1028 failf(data, "Invalid input packet");
1029 result = CURLE_RECV_ERROR;
1030 }
1031 else
1032 result = Curl_client_write(data, CLIENTWRITE_BODY,
1033 (char *)msg + off + sizeof(unsigned int),
1034 len);
1035 if(result) {
1036 req->result = result;
1037 next_state = SMB_CLOSE;
1038 break;
1039 }
1040 }
1041 data->req.offset += len;
1042 next_state = (len < MAX_PAYLOAD_SIZE) ? SMB_CLOSE : SMB_DOWNLOAD;
1043 break;
1044
1045 case SMB_UPLOAD:
1046 if(h->status || smbc->got < sizeof(struct smb_header) + 6) {
1047 req->result = CURLE_UPLOAD_FAILED;
1048 next_state = SMB_CLOSE;
1049 break;
1050 }
1051 len = Curl_read16_le(((const unsigned char *) msg) +
1052 sizeof(struct smb_header) + 5);
1053 data->req.bytecount += len;
1054 data->req.offset += len;
1055 Curl_pgrsSetUploadCounter(data, data->req.bytecount);
1056 if(data->req.bytecount >= data->req.size)
1057 next_state = SMB_CLOSE;
1058 else
1059 next_state = SMB_UPLOAD;
1060 break;
1061
1062 case SMB_CLOSE:
1063 /* We do not care if the close failed, proceed to tree disconnect anyway */
1064 next_state = SMB_TREE_DISCONNECT;
1065 break;
1066
1067 case SMB_TREE_DISCONNECT:
1068 next_state = SMB_DONE;
1069 break;
1070
1071 default:
1072 smb_pop_message(conn);
1073 return CURLE_OK; /* ignore */
1074 }
1075
1076 smb_pop_message(conn);
1077
1078 switch(next_state) {
1079 case SMB_OPEN:
1080 result = smb_send_open(data);
1081 break;
1082
1083 case SMB_DOWNLOAD:
1084 result = smb_send_read(data);
1085 break;
1086
1087 case SMB_UPLOAD:
1088 result = smb_send_write(data);
1089 break;
1090
1091 case SMB_CLOSE:
1092 result = smb_send_close(data);
1093 break;
1094
1095 case SMB_TREE_DISCONNECT:
1096 result = smb_send_tree_disconnect(data);
1097 break;
1098
1099 case SMB_DONE:
1100 result = req->result;
1101 *done = TRUE;
1102 break;
1103
1104 default:
1105 break;
1106 }
1107
1108 if(result) {
1109 connclose(conn, "SMB: failed to send message");
1110 return result;
1111 }
1112
1113 request_state(data, next_state);
1114
1115 return CURLE_OK;
1116 }
1117
smb_disconnect(struct Curl_easy * data,struct connectdata * conn,bool dead)1118 static CURLcode smb_disconnect(struct Curl_easy *data,
1119 struct connectdata *conn, bool dead)
1120 {
1121 struct smb_conn *smbc = &conn->proto.smbc;
1122 (void) dead;
1123 (void) data;
1124 Curl_safefree(smbc->share);
1125 Curl_safefree(smbc->domain);
1126 Curl_safefree(smbc->recv_buf);
1127 Curl_safefree(smbc->send_buf);
1128 return CURLE_OK;
1129 }
1130
smb_getsock(struct Curl_easy * data,struct connectdata * conn,curl_socket_t * socks)1131 static int smb_getsock(struct Curl_easy *data,
1132 struct connectdata *conn, curl_socket_t *socks)
1133 {
1134 (void)data;
1135 socks[0] = conn->sock[FIRSTSOCKET];
1136 return GETSOCK_READSOCK(0) | GETSOCK_WRITESOCK(0);
1137 }
1138
smb_do(struct Curl_easy * data,bool * done)1139 static CURLcode smb_do(struct Curl_easy *data, bool *done)
1140 {
1141 struct connectdata *conn = data->conn;
1142 struct smb_conn *smbc = &conn->proto.smbc;
1143
1144 *done = FALSE;
1145 if(smbc->share) {
1146 return CURLE_OK;
1147 }
1148 return CURLE_URL_MALFORMAT;
1149 }
1150
smb_parse_url_path(struct Curl_easy * data,struct connectdata * conn)1151 static CURLcode smb_parse_url_path(struct Curl_easy *data,
1152 struct connectdata *conn)
1153 {
1154 struct smb_request *req = data->req.p.smb;
1155 struct smb_conn *smbc = &conn->proto.smbc;
1156 char *path;
1157 char *slash;
1158
1159 /* URL decode the path */
1160 CURLcode result = Curl_urldecode(data->state.up.path, 0, &path, NULL,
1161 REJECT_CTRL);
1162 if(result)
1163 return result;
1164
1165 /* Parse the path for the share */
1166 smbc->share = strdup((*path == '/' || *path == '\\') ? path + 1 : path);
1167 free(path);
1168 if(!smbc->share)
1169 return CURLE_OUT_OF_MEMORY;
1170
1171 slash = strchr(smbc->share, '/');
1172 if(!slash)
1173 slash = strchr(smbc->share, '\\');
1174
1175 /* The share must be present */
1176 if(!slash) {
1177 Curl_safefree(smbc->share);
1178 failf(data, "missing share in URL path for SMB");
1179 return CURLE_URL_MALFORMAT;
1180 }
1181
1182 /* Parse the path for the file path converting any forward slashes into
1183 backslashes */
1184 *slash++ = 0;
1185 req->path = slash;
1186
1187 for(; *slash; slash++) {
1188 if(*slash == '/')
1189 *slash = '\\';
1190 }
1191 return CURLE_OK;
1192 }
1193
1194 #endif /* CURL_DISABLE_SMB && USE_CURL_NTLM_CORE &&
1195 SIZEOF_CURL_OFF_T > 4 */
1196