1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
14 */
15
16 /*
17 * Dispatch function for SMB2_NEGOTIATE
18 */
19
20 #include <smbsrv/smb2_kproto.h>
21 #include <smbsrv/smb2.h>
22
23 static int smb2_negotiate_common(smb_request_t *, uint16_t);
24
25 uint32_t smb2srv_capabilities =
26 SMB2_CAP_DFS |
27 SMB2_CAP_LARGE_MTU;
28
29 /*
30 * These are not intended as customer tunables, but dev. & test folks
31 * might want to adjust them (with caution).
32 *
33 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket
34 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size.
35 * This is also used as a "sanity limit" for internal send/reply message
36 * allocations. Note that with compounding SMB2 messages may contain
37 * multiple requests/responses. This size should be large enough for
38 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize.
39 *
40 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell
41 * the client the largest read and write request size we'll support.
42 * One megabyte is a compromise between efficiency on fast networks
43 * and memory consumption (for the buffers) on the server side.
44 *
45 * smb2_max_trans is the largest "transact" send or receive, which is
46 * used for directory listings and info set/get operations.
47 */
48 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */
49 uint32_t smb2_max_rwsize = (1<<20); /* 1MB */
50 uint32_t smb2_max_trans = (1<<16); /* 64KB */
51
52 /*
53 * List of all SMB2 versions we implement. Note that the
54 * highest version we support may be limited by the
55 * _cfg.skc_max_protocol setting.
56 */
57 static uint16_t smb2_versions[] = {
58 0x202, /* SMB 2.002 */
59 0x210, /* SMB 2.1 */
60 };
61 static uint16_t smb2_nversions =
62 sizeof (smb2_versions) / sizeof (smb2_versions[0]);
63
64 static boolean_t
65 smb2_supported_version(smb_session_t *s, uint16_t version)
66 {
67 int i;
68
69 if (version > s->s_cfg.skc_max_protocol)
70 return (B_FALSE);
71 for (i = 0; i < smb2_nversions; i++)
72 if (version == smb2_versions[i])
73 return (B_TRUE);
74 return (B_FALSE);
75 }
76
77 /*
78 * Helper for the (SMB1) smb_com_negotiate(). This is the
79 * very unusual protocol interaction where an SMB1 negotiate
80 * gets an SMB2 negotiate response. This is the normal way
81 * clients first find out if the server supports SMB2.
82 *
83 * Note: This sends an SMB2 reply _itself_ and then returns
84 * SDRC_NO_REPLY so the caller will not send an SMB1 reply.
85 * Also, this is called directly from the reader thread, so
86 * we know this is the only thread using this session.
87 *
88 * The caller frees this request.
89 */
90 smb_sdrc_t
91 smb1_negotiate_smb2(smb_request_t *sr)
92 {
93 smb_session_t *s = sr->session;
94 smb_arg_negotiate_t *negprot = sr->sr_negprot;
95 uint16_t smb2_version;
96 uint16_t secmode2;
97 int rc;
98
99 /*
100 * Note: In the SMB1 negotiate command handler, we
101 * agreed with one of the SMB2 dialects. If that
102 * dialect was "SMB 2.002", we'll respond here with
103 * version 0x202 and negotiation is done. If that
104 * dialect was "SMB 2.???", we'll respond here with
105 * the "wildcard" version 0x2FF, and the client will
106 * come back with an SMB2 negotiate.
107 */
108 switch (negprot->ni_dialect) {
109 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */
110 smb2_version = 0x202;
111 s->dialect = smb2_version;
112 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
113 /* Allow normal SMB2 requests now. */
114 s->newrq_func = smb2sr_newrq;
115
116 /*
117 * Translate SMB1 sec. mode to SMB2.
118 */
119 secmode2 = 0;
120 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)
121 secmode2 |= SMB2_NEGOTIATE_SIGNING_ENABLED;
122 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)
123 secmode2 |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
124 s->secmode = secmode2;
125 break;
126 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */
127 /*
128 * Expecting an SMB2 negotiate next, so keep the
129 * initial s->newrq_func. Note that secmode is
130 * fiction good enough to pass the signing check
131 * in smb2_negotiate_common(). We'll check the
132 * real secmode when the 2nd negotiate comes.
133 */
134 smb2_version = 0x2FF;
135 s->secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
136 break;
137 default:
138 return (SDRC_DROP_VC);
139 }
140
141 /*
142 * We did not decode an SMB2 header, so make sure
143 * the SMB2 header fields are initialized.
144 * (Most are zero from smb_request_alloc.)
145 * Also, the SMB1 common dispatch code reserved space
146 * for an SMB1 header, which we need to undo here.
147 */
148 sr->smb2_reply_hdr = sr->reply.chain_offset = 0;
149 sr->smb2_cmd_code = SMB2_NEGOTIATE;
150
151 rc = smb2_negotiate_common(sr, smb2_version);
152 if (rc != 0)
153 return (SDRC_DROP_VC);
154
155 return (SDRC_NO_REPLY);
156 }
157
158 /*
159 * SMB2 Negotiate gets special handling. This is called directly by
160 * the reader thread (see smbsr_newrq_initial) with what _should_ be
161 * an SMB2 Negotiate. Only the "\feSMB" header has been checked
162 * when this is called, so this needs to check the SMB command,
163 * if it's Negotiate execute it, then send the reply, etc.
164 *
165 * Since this is called directly from the reader thread, we
166 * know this is the only thread currently using this session.
167 * This has to duplicate some of what smb2sr_work does as a
168 * result of bypassing the normal dispatch mechanism.
169 *
170 * The caller always frees this request.
171 */
172 int
173 smb2_newrq_negotiate(smb_request_t *sr)
174 {
175 smb_session_t *s = sr->session;
176 int i, rc;
177 uint16_t struct_size;
178 uint16_t best_version;
179 uint16_t version_cnt;
180 uint16_t cl_versions[8];
181
182 sr->smb2_cmd_hdr = sr->command.chain_offset;
183 rc = smb2_decode_header(sr);
184 if (rc != 0)
185 return (rc);
186
187 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
188 (sr->smb2_next_command != 0))
189 return (SDRC_DROP_VC);
190
191 /*
192 * Decode SMB2 Negotiate (fixed-size part)
193 */
194 rc = smb_mbc_decodef(
195 &sr->command, "www..l16.8.",
196 &struct_size, /* w */
197 &version_cnt, /* w */
198 &s->secmode, /* w */
199 /* reserved (..) */
200 &s->capabilities); /* l */
201 /* clnt_uuid 16. */
202 /* start_time 8. */
203 if (rc != 0)
204 return (rc);
205 if (struct_size != 36 || version_cnt > 8)
206 return (SDRC_DROP_VC);
207
208 /*
209 * Decode SMB2 Negotiate (variable part)
210 */
211 rc = smb_mbc_decodef(&sr->command,
212 "#w", version_cnt, cl_versions);
213 if (rc != 0)
214 return (SDRC_DROP_VC);
215
216 /*
217 * The client offers an array of protocol versions it
218 * supports, which we have decoded into cl_versions[].
219 * We walk the array and pick the highest supported.
220 */
221 best_version = 0;
222 for (i = 0; i < version_cnt; i++)
223 if (smb2_supported_version(s, cl_versions[i]) &&
224 best_version < cl_versions[i])
225 best_version = cl_versions[i];
226 if (best_version == 0)
227 return (SDRC_DROP_VC);
228 s->dialect = best_version;
229
230 /* Allow normal SMB2 requests now. */
231 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
232 s->newrq_func = smb2sr_newrq;
233
234 rc = smb2_negotiate_common(sr, best_version);
235 if (rc != 0)
236 return (SDRC_DROP_VC);
237
238 return (0);
239 }
240
241 /*
242 * Common parts of SMB2 Negotiate, used for both the
243 * SMB1-to-SMB2 style, and straight SMB2 style.
244 * Do negotiation decisions, encode, send the reply.
245 */
246 static int
247 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
248 {
249 timestruc_t boot_tv, now_tv;
250 smb_session_t *s = sr->session;
251 int rc;
252 uint16_t secmode;
253
254 sr->smb2_status = 0;
255
256 /*
257 * Negotiation itself. First the Security Mode.
258 * The caller stashed the client's secmode in s->secmode,
259 * which we validate, and then replace with the server's
260 * secmode, which is all we care about after this.
261 */
262 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
263 if (sr->sr_cfg->skc_signing_required) {
264 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
265 /* Make sure client at least enables signing. */
266 if ((s->secmode & secmode) == 0) {
267 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
268 }
269 }
270 s->secmode = secmode;
271
272 s->cmd_max_bytes = smb2_tcp_bufsize;
273 s->reply_max_bytes = smb2_tcp_bufsize;
274
275 /*
276 * "The number of credits held by the client MUST be considered
277 * as 1 when the connection is established." [MS-SMB2]
278 * We leave credits at 1 until the first successful
279 * session setup is completed.
280 */
281 s->s_cur_credits = s->s_max_credits = 1;
282 sr->smb2_credit_response = 1;
283
284 boot_tv.tv_sec = smb_get_boottime();
285 boot_tv.tv_nsec = 0;
286 now_tv.tv_sec = gethrestime_sec();
287 now_tv.tv_nsec = 0;
288
289 /*
290 * SMB2 negotiate reply
291 */
292 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR;
293 (void) smb2_encode_header(sr, B_FALSE);
294 if (sr->smb2_status != 0) {
295 smb2sr_put_error(sr, sr->smb2_status);
296 smb2_send_reply(sr);
297 return (-1); /* will drop */
298 }
299
300 rc = smb_mbc_encodef(
301 &sr->reply,
302 "wwww#cllllTTwwl#c",
303 65, /* StructSize */ /* w */
304 s->secmode, /* w */
305 version, /* w */
306 0, /* reserved */ /* w */
307 UUID_LEN, /* # */
308 &s->s_cfg.skc_machine_uuid, /* c */
309 smb2srv_capabilities, /* l */
310 smb2_max_trans, /* l */
311 smb2_max_rwsize, /* l */
312 smb2_max_rwsize, /* l */
313 &now_tv, /* T */
314 &boot_tv, /* T */
315 128, /* SecBufOff */ /* w */
316 sr->sr_cfg->skc_negtok_len, /* w */
317 0, /* reserved */ /* l */
318 sr->sr_cfg->skc_negtok_len, /* # */
319 sr->sr_cfg->skc_negtok); /* c */
320
321 smb2_send_reply(sr);
322
323 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
324 SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
325 sizeof (smb2_tcp_bufsize), CRED());
326 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
327 SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
328 sizeof (smb2_tcp_bufsize), CRED());
329
330 return (rc);
331 }
332
333 /*
334 * SMB2 Dispatch table handler, which will run if we see an
335 * SMB2_NEGOTIATE after the initial negotiation is done.
336 * That would be a protocol error.
337 */
338 smb_sdrc_t
339 smb2_negotiate(smb_request_t *sr)
340 {
341 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
342 return (SDRC_ERROR);
343 }
344
345 /*
346 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6
347 */
348 uint32_t
349 smb2_fsctl_vneginfo(smb_request_t *sr, smb_fsctl_t *fsctl)
350 {
351 smb_session_t *s = sr->session;
352 int rc;
353
354 /*
355 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here
356 * and verify that the original negotiate was not modified.
357 * The only tampering we need worry about is secmode, and
358 * we're not taking that from the client, so don't bother.
359 *
360 * One interesting requirement here is that we MUST reply
361 * with exactly the same information as we returned in our
362 * original reply to the SMB2 negotiate on this session.
363 * If we don't the client closes the connection.
364 */
365
366 rc = smb_mbc_encodef(
367 fsctl->out_mbc, "l#cww",
368 smb2srv_capabilities, /* l */
369 UUID_LEN, /* # */
370 &s->s_cfg.skc_machine_uuid, /* c */
371 s->secmode, /* w */
372 s->dialect); /* w */
373 if (rc)
374 return (NT_STATUS_INTERNAL_ERROR);
375
376 return (0);
377 }
|
1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
14 */
15
16 /*
17 * Dispatch function for SMB2_NEGOTIATE
18 */
19
20 #include <smbsrv/smb2_kproto.h>
21 #include <smbsrv/smb2.h>
22
23 static int smb2_negotiate_common(smb_request_t *, uint16_t);
24
25 uint32_t smb2srv_capabilities =
26 SMB2_CAP_DFS |
27 SMB2_CAP_LEASING |
28 SMB2_CAP_LARGE_MTU |
29 SMB2_CAP_PERSISTENT_HANDLES |
30 SMB2_CAP_ENCRYPTION;
31
32 /* These are the only capabilities defined for SMB2.X */
33 #define SMB_2X_CAPS (SMB2_CAP_DFS | SMB2_CAP_LEASING | SMB2_CAP_LARGE_MTU)
34
35 /*
36 * These are not intended as customer tunables, but dev. & test folks
37 * might want to adjust them (with caution).
38 *
39 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket
40 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size.
41 * This is also used as a "sanity limit" for internal send/reply message
42 * allocations. Note that with compounding SMB2 messages may contain
43 * multiple requests/responses. This size should be large enough for
44 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize.
45 *
46 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell
47 * the client the largest read and write request size we'll support.
48 * For now, we're using contiguous allocations, so keep this at 64KB
49 * so that (even with message overhead) allocations stay below 128KB,
50 * avoiding kmem_alloc -> page_create_va thrashing.
51 *
52 * smb2_max_trans is the largest "transact" send or receive, which is
53 * used for directory listings and info set/get operations.
54 */
55 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */
56 uint32_t smb2_max_rwsize = (1<<16); /* 64KB */
57 uint32_t smb2_max_trans = (1<<16); /* 64KB */
58
59 /*
60 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
61 * (including all clients using dialect < SMB 2.1), use a "conservative" value
62 * for max r/w size because some older clients misbehave with larger values.
63 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x
64 * Support) as the minimum so we'll use that.
65 */
66 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */
67
68 /*
69 * List of all SMB2 versions we implement. Note that the
70 * versions we support may be limited by the
71 * _cfg.skc_max_protocol and min_protocol settings.
72 */
73 static uint16_t smb2_versions[] = {
74 0x202, /* SMB 2.002 */
75 0x210, /* SMB 2.1 */
76 0x300, /* SMB 3.0 */
77 0x302, /* SMB 3.02 */
78 };
79 static uint16_t smb2_nversions =
80 sizeof (smb2_versions) / sizeof (smb2_versions[0]);
81
82 static boolean_t
83 smb2_supported_version(smb_session_t *s, uint16_t version)
84 {
85 int i;
86
87 if (version > s->s_cfg.skc_max_protocol ||
88 version < s->s_cfg.skc_min_protocol)
89 return (B_FALSE);
90 for (i = 0; i < smb2_nversions; i++)
91 if (version == smb2_versions[i])
92 return (B_TRUE);
93 return (B_FALSE);
94 }
95
96 /*
97 * Helper for the (SMB1) smb_com_negotiate(). This is the
98 * very unusual protocol interaction where an SMB1 negotiate
99 * gets an SMB2 negotiate response. This is the normal way
100 * clients first find out if the server supports SMB2.
101 *
102 * Note: This sends an SMB2 reply _itself_ and then returns
103 * SDRC_NO_REPLY so the caller will not send an SMB1 reply.
104 * Also, this is called directly from the reader thread, so
105 * we know this is the only thread using this session.
106 *
107 * The caller frees this request.
108 */
109 smb_sdrc_t
110 smb1_negotiate_smb2(smb_request_t *sr)
111 {
112 smb_session_t *s = sr->session;
113 smb_arg_negotiate_t *negprot = sr->sr_negprot;
114 uint16_t smb2_version;
115 int rc;
116
117 /*
118 * Note: In the SMB1 negotiate command handler, we
119 * agreed with one of the SMB2 dialects. If that
120 * dialect was "SMB 2.002", we'll respond here with
121 * version 0x202 and negotiation is done. If that
122 * dialect was "SMB 2.???", we'll respond here with
123 * the "wildcard" version 0x2FF, and the client will
124 * come back with an SMB2 negotiate.
125 */
126 switch (negprot->ni_dialect) {
127 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */
128 smb2_version = SMB_VERS_2_002;
129 s->dialect = smb2_version;
130 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
131 /* Allow normal SMB2 requests now. */
132 s->newrq_func = smb2sr_newrq;
133 break;
134 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */
135 /*
136 * Expecting an SMB2 negotiate next, so keep the
137 * initial s->newrq_func.
138 */
139 smb2_version = 0x2FF;
140 break;
141 default:
142 return (SDRC_DROP_VC);
143 }
144
145 /*
146 * Clients that negotiate SMB2 from SMB1 have not yet had the
147 * opportunity to provide us with a secmode. However, any
148 * client that negotiates SMB2 should support signing, so
149 * this should be fiction good enough to pass the signing
150 * check in smb2_negotiate_common(). Even if the client
151 * doesn't support signing and we require it, we'll fail them
152 * later when they fail to sign the packet. For 2.???,
153 * we'll check the real secmode when the 2nd negotiate comes.
154 */
155 s->cli_secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
156
157 /*
158 * We did not decode an SMB2 header, so make sure
159 * the SMB2 header fields are initialized.
160 * (Most are zero from smb_request_alloc.)
161 * Also, the SMB1 common dispatch code reserved space
162 * for an SMB1 header, which we need to undo here.
163 */
164 sr->smb2_reply_hdr = sr->reply.chain_offset = 0;
165 sr->smb2_cmd_code = SMB2_NEGOTIATE;
166
167 rc = smb2_negotiate_common(sr, smb2_version);
168 smb2_send_reply(sr);
169 if (rc != 0)
170 return (SDRC_DROP_VC);
171
172 /*
173 * We sent the reply, so tell the SMB1 dispatch
174 * it should NOT (also) send a reply.
175 */
176 return (SDRC_NO_REPLY);
177 }
178
179 static uint16_t
180 smb2_find_best_dialect(smb_session_t *s, uint16_t cl_versions[],
181 uint16_t version_cnt)
182 {
183 uint16_t best_version = 0;
184 int i;
185
186 for (i = 0; i < version_cnt; i++)
187 if (smb2_supported_version(s, cl_versions[i]) &&
188 best_version < cl_versions[i])
189 best_version = cl_versions[i];
190
191 return (best_version);
192 }
193
194 /*
195 * SMB2 Negotiate gets special handling. This is called directly by
196 * the reader thread (see smbsr_newrq_initial) with what _should_ be
197 * an SMB2 Negotiate. Only the "\feSMB" header has been checked
198 * when this is called, so this needs to check the SMB command,
199 * if it's Negotiate execute it, then send the reply, etc.
200 *
201 * Since this is called directly from the reader thread, we
202 * know this is the only thread currently using this session.
203 * This has to duplicate some of what smb2sr_work does as a
204 * result of bypassing the normal dispatch mechanism.
205 *
206 * The caller always frees this request.
207 *
208 * Return value is 0 for success, and anything else will
209 * terminate the reader thread (drop the connection).
210 */
211 int
212 smb2_newrq_negotiate(smb_request_t *sr)
213 {
214 smb_session_t *s = sr->session;
215 int rc;
216 uint16_t struct_size;
217 uint16_t best_version;
218 uint16_t version_cnt;
219 uint16_t cl_versions[8];
220
221 sr->smb2_cmd_hdr = sr->command.chain_offset;
222 rc = smb2_decode_header(sr);
223 if (rc != 0)
224 return (rc);
225
226 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
227 (sr->smb2_next_command != 0))
228 return (-1);
229
230 /*
231 * Decode SMB2 Negotiate (fixed-size part)
232 */
233 rc = smb_mbc_decodef(
234 &sr->command, "www..l16c8.",
235 &struct_size, /* w */
236 &version_cnt, /* w */
237 &s->cli_secmode, /* w */
238 /* reserved (..) */
239 &s->capabilities, /* l */
240 s->clnt_uuid); /* 16c */
241 /* start_time 8. */
242 if (rc != 0)
243 return (rc);
244 if (struct_size != 36 || version_cnt > 8)
245 return (-1);
246
247 /*
248 * Decode SMB2 Negotiate (variable part)
249 */
250 rc = smb_mbc_decodef(&sr->command,
251 "#w", version_cnt, cl_versions);
252 if (rc != 0)
253 return (rc);
254
255 DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr);
256
257 /*
258 * The client offers an array of protocol versions it
259 * supports, which we have decoded into cl_versions[].
260 * We walk the array and pick the highest supported.
261 */
262 best_version = smb2_find_best_dialect(s, cl_versions, version_cnt);
263 if (best_version == 0) {
264 cmn_err(CE_NOTE, "clnt %s no supported dialect",
265 sr->session->ip_addr_str);
266 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
267 rc = -1;
268 goto errout;
269 }
270 s->dialect = best_version;
271
272 /* Allow normal SMB2 requests now. */
273 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
274 s->newrq_func = smb2sr_newrq;
275
276 rc = smb2_negotiate_common(sr, best_version);
277
278 errout:
279 /* sr->smb2_status was set */
280 DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr);
281
282 smb2_send_reply(sr);
283
284 return (rc);
285 }
286
287 /*
288 * Common parts of SMB2 Negotiate, used for both the
289 * SMB1-to-SMB2 style, and straight SMB2 style.
290 * Do negotiation decisions and encode the reply.
291 * The caller does the network send.
292 *
293 * Return value is 0 for success, and anything else will
294 * terminate the reader thread (drop the connection).
295 */
296 static int
297 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
298 {
299 timestruc_t boot_tv, now_tv;
300 smb_session_t *s = sr->session;
301 int rc;
302 uint32_t max_rwsize;
303 uint16_t secmode;
304
305 sr->smb2_status = 0;
306
307 /*
308 * Negotiation itself. First the Security Mode.
309 */
310 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
311 if (sr->sr_cfg->skc_signing_required) {
312 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
313 /* Make sure client at least enables signing. */
314 if ((s->cli_secmode & secmode) == 0) {
315 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
316 }
317 }
318 s->srv_secmode = secmode;
319
320 s->cmd_max_bytes = smb2_tcp_bufsize;
321 s->reply_max_bytes = smb2_tcp_bufsize;
322
323 /*
324 * "The number of credits held by the client MUST be considered
325 * as 1 when the connection is established." [MS-SMB2]
326 * We leave credits at 1 until the first successful
327 * session setup is completed.
328 */
329 s->s_cur_credits = s->s_max_credits = 1;
330 sr->smb2_credit_response = 1;
331
332 boot_tv.tv_sec = smb_get_boottime();
333 boot_tv.tv_nsec = 0;
334 now_tv.tv_sec = gethrestime_sec();
335 now_tv.tv_nsec = 0;
336
337 /*
338 * SMB2 negotiate reply
339 */
340 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR;
341 (void) smb2_encode_header(sr, B_FALSE);
342 if (sr->smb2_status != 0) {
343 smb2sr_put_error(sr, sr->smb2_status);
344 /* smb2_send_reply(sr); in caller */
345 return (-1); /* will drop */
346 }
347
348 /*
349 * If the version is 0x2FF, we haven't completed negotiate.
350 * Don't initialize until we have our final request.
351 */
352 if (version != 0x2FF)
353 smb2_sign_init_mech(s);
354
355 /*
356 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
357 *
358 * The SMB2.x capabilities are returned without regard for
359 * what capabilities the client provided in the request.
360 * The SMB3.x capabilities returned are the traditional
361 * logical AND of server and client capabilities.
362 *
363 * One additional check: If KCF is missing something we
364 * require for encryption, turn off that capability.
365 */
366 if (s->dialect < SMB_VERS_3_0) {
367 /* SMB 2.x */
368 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS;
369 } else {
370 /* SMB 3.0 or later */
371 s->srv_cap = smb2srv_capabilities &
372 (SMB_2X_CAPS | s->capabilities);
373 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 &&
374 smb3_encrypt_init_mech(s) != 0) {
375 s->srv_cap &= ~SMB2_CAP_ENCRYPTION;
376 }
377 }
378
379 /*
380 * See notes above smb2_max_rwsize, smb2_old_rwsize
381 */
382 if (s->capabilities & SMB2_CAP_LARGE_MTU)
383 max_rwsize = smb2_max_rwsize;
384 else
385 max_rwsize = smb2_old_rwsize;
386
387 rc = smb_mbc_encodef(
388 &sr->reply,
389 "wwww#cllllTTwwl#c",
390 65, /* StructSize */ /* w */
391 s->srv_secmode, /* w */
392 version, /* w */
393 0, /* reserved */ /* w */
394 UUID_LEN, /* # */
395 &s->s_cfg.skc_machine_uuid, /* c */
396 s->srv_cap, /* l */
397 smb2_max_trans, /* l */
398 max_rwsize, /* l */
399 max_rwsize, /* l */
400 &now_tv, /* T */
401 &boot_tv, /* T */
402 128, /* SecBufOff */ /* w */
403 sr->sr_cfg->skc_negtok_len, /* w */
404 0, /* reserved */ /* l */
405 sr->sr_cfg->skc_negtok_len, /* # */
406 sr->sr_cfg->skc_negtok); /* c */
407
408 /* smb2_send_reply(sr); in caller */
409
410 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
411 SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
412 sizeof (smb2_tcp_bufsize), CRED());
413 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
414 SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
415 sizeof (smb2_tcp_bufsize), CRED());
416
417 return (rc);
418 }
419
420 /*
421 * SMB2 Dispatch table handler, which will run if we see an
422 * SMB2_NEGOTIATE after the initial negotiation is done.
423 * That would be a protocol error.
424 */
425 smb_sdrc_t
426 smb2_negotiate(smb_request_t *sr)
427 {
428 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
429 return (SDRC_ERROR);
430 }
431
432 /*
433 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6
434 */
435 uint32_t
436 smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl)
437 {
438 smb_session_t *s = sr->session;
439 int rc;
440
441 /*
442 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here
443 * and verify that the original negotiate was not modified.
444 * The request MUST be signed, and we MUST validate the signature.
445 *
446 * One interesting requirement here is that we MUST reply
447 * with exactly the same information as we returned in our
448 * original reply to the SMB2 negotiate on this session.
449 * If we don't the client closes the connection.
450 */
451
452 /* dialects[8] taken from cl_versions[8] in smb2_newrq_negotiate */
453 uint32_t capabilities;
454 uint16_t secmode, num_dialects, dialects[8];
455 uint8_t clnt_guid[16];
456
457 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) == 0)
458 goto drop;
459
460 if (fsctl->InputCount < 24)
461 goto drop;
462
463 (void) smb_mbc_decodef(fsctl->in_mbc, "l16cww",
464 &capabilities, /* l */
465 &clnt_guid, /* 16c */
466 &secmode, /* w */
467 &num_dialects); /* w */
468
469 if (num_dialects == 0 || num_dialects > 8)
470 goto drop;
471 if (secmode != s->cli_secmode)
472 goto drop;
473 if (capabilities != s->capabilities)
474 goto drop;
475 if (memcmp(clnt_guid, s->clnt_uuid, sizeof (clnt_guid)) != 0)
476 goto drop;
477
478 if (fsctl->InputCount < (24 + num_dialects * sizeof (*dialects)))
479 goto drop;
480
481 rc = smb_mbc_decodef(fsctl->in_mbc, "#w", num_dialects, dialects);
482 if (rc != 0)
483 goto drop;
484
485 if (smb2_find_best_dialect(s, dialects, num_dialects) != s->dialect)
486 goto drop;
487
488 rc = smb_mbc_encodef(
489 fsctl->out_mbc, "l#cww",
490 s->srv_cap, /* l */
491 UUID_LEN, /* # */
492 &s->s_cfg.skc_machine_uuid, /* c */
493 s->srv_secmode, /* w */
494 s->dialect); /* w */
495 if (rc == 0)
496 return (rc);
497
498 drop:
499 smb_session_disconnect(s);
500 return (NT_STATUS_ACCESS_DENIED);
501 }
|