Print this page
NEX-20371 SMB2 message sizes cause lock contention in page_create_va
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
NEX-19944 SMB2 server should require signed Validate Negotiate requests
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-17589 Get "too high" smbd error when copy big file to cifs share (redo)
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-17289 Minimal SMB 3.0.2 support
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-17001 illumos 9500 HP scanner needs smaller SMB2 rwsize
9500 HP scanner needs smaller SMB2 rwsize
Reviewed by: Yuri Pankov <yuripv@yuripv.net>
Reviewed by: Andy Fiddaman <omnios@citrus-it.net>
Reviewed by: Bill Sommerfeld <sommerfeld@hamachi.org>
Reviewed by: Toomas Soome <tsoome@me.com>
Approved by: Gordon Ross <gordon.w.ross@gmail.com>
NEX-15959 SMB 2.1 negotiation failure after NEX-9808
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
NEX-15959 SMB 2.1 negotiation failure after NEX-9808
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
NEX-9808 SMB3 persistent handles
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-15578 SMB2 durable handle redesign
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-5665 SMB2 oplock leases
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
NEX-9808 SMB3 persistent handles
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-15578 SMB2 durable handle redesign
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-5665 SMB2 oplock leases
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
NEX-10231 SMB logon fails in fksmbd (small fix)
NEX-10019 SMB server min_protocol setting
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-10231 SMB logon fails in fksmbd
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
NEX-1643 dtrace provider for smbsrv
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
NEX-9864 Some SMB cancel races remain after NEX-5845
Revert (part of) "NEX-5845 rework SMB immediate cancel"
reverts (part of) commit 7a5da69f6d42b17ebcc95ca3d02925d07a01343e.
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-5273 SMB 3 Encryption
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
NEX-5844 want SMB2 ioctl FSCTL_SRV_COPYCHUNK
NEX-6124 smb_fsop_read/write should allow file != sr->fid_ofile
NEX-6125 smbtorture invalid response with smb2.ioctl
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
NEX-4598 SMB2 credit shortage with Mac client
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Matt Barden <Matt.Barden@nexenta.com>
NEX-3738 Should support SMB2_CAP_LARGE_MTU
Reviewed by: Alek Pinchuk <alek@nexenta.com>
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Matt Barden <Matt.Barden@nexenta.com>
NEX-3610 CLONE NEX-3591 SMB3 signing
Reviewed by: Gordon Ross <gwr@nexenta.com>
Reviewed by: Dan Fields <dan.fields@nexenta.com>
NEX-3611 CLONE NEX-3550 Replace smb2_enable with max_protocol
Reviewed by: Yuri Pankov <Yuri.Pankov@nexenta.com>
NEX-2976 SMB2 client may fail to connect when server requires signing
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
NEX-2781 SMB2 credit handling needs work
NEX-2353 Codenomicon: SMB2 TC # 448950 - PANIC in SMB2.Compounded-commands...
SUP-887 Mac client hangs when accessing an SMB2 share on a nexenta 4.0 system
SMB-137 assertion failed: (sr->reply.chain_offset & 7) == 0, file: ../../common/fs/smbsrv/smb2_dispatch.c, line: 727
SMB-55 SMB2 signing
NEX-1059 Shared folder is not available in Windows 7/8/2012 when SMB2 is enabled in Workgroup mode
(Implement "Secure Negotiation")
NEX-1050 enable_smb2 should be smb2_enable
SMB-11 SMB2 message parse & dispatch
SMB-12 SMB2 Negotiate Protocol
SMB-13 SMB2 Session Setup
SMB-14 SMB2 Logoff
SMB-15 SMB2 Tree Connect
SMB-16 SMB2 Tree Disconnect
SMB-17 SMB2 Create
SMB-18 SMB2 Close
SMB-19 SMB2 Flush
SMB-20 SMB2 Read
SMB-21 SMB2 Write
SMB-22 SMB2 Lock/Unlock
SMB-23 SMB2 Ioctl
SMB-24 SMB2 Cancel
SMB-25 SMB2 Echo
SMB-26 SMB2 Query Dir
SMB-27 SMB2 Change Notify
SMB-28 SMB2 Query Info
SMB-29 SMB2 Set Info
SMB-30 SMB2 Oplocks
SMB-53 SMB2 Create Context options
(SMB2 code review cleanup 1, 2, 3)
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c
+++ new/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c
1 1 /*
2 2 * This file and its contents are supplied under the terms of the
|
↓ open down ↓ |
2 lines elided |
↑ open up ↑ |
3 3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 4 * You may only use this file in accordance with the terms of version
5 5 * 1.0 of the CDDL.
6 6 *
7 7 * A full copy of the text of the CDDL should have accompanied this
8 8 * source. A copy of the CDDL is also available via the Internet at
9 9 * http://www.illumos.org/license/CDDL.
10 10 */
11 11
12 12 /*
13 - * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
13 + * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
14 14 */
15 15
16 16 /*
17 17 * Dispatch function for SMB2_NEGOTIATE
18 18 */
19 19
20 20 #include <smbsrv/smb2_kproto.h>
21 21 #include <smbsrv/smb2.h>
22 22
23 23 static int smb2_negotiate_common(smb_request_t *, uint16_t);
24 24
25 25 uint32_t smb2srv_capabilities =
26 26 SMB2_CAP_DFS |
27 - SMB2_CAP_LARGE_MTU;
27 + SMB2_CAP_LEASING |
28 + SMB2_CAP_LARGE_MTU |
29 + SMB2_CAP_PERSISTENT_HANDLES |
30 + SMB2_CAP_ENCRYPTION;
28 31
32 +/* These are the only capabilities defined for SMB2.X */
33 +#define SMB_2X_CAPS (SMB2_CAP_DFS | SMB2_CAP_LEASING | SMB2_CAP_LARGE_MTU)
34 +
29 35 /*
30 36 * These are not intended as customer tunables, but dev. & test folks
31 37 * might want to adjust them (with caution).
32 38 *
33 39 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket
34 40 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size.
35 41 * This is also used as a "sanity limit" for internal send/reply message
36 42 * allocations. Note that with compounding SMB2 messages may contain
37 43 * multiple requests/responses. This size should be large enough for
38 44 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize.
39 45 *
40 46 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell
41 47 * the client the largest read and write request size we'll support.
42 - * One megabyte is a compromise between efficiency on fast networks
43 - * and memory consumption (for the buffers) on the server side.
48 + * For now, we're using contiguous allocations, so keep this at 64KB
49 + * so that (even with message overhead) allocations stay below 128KB,
50 + * avoiding kmem_alloc -> page_create_va thrashing.
44 51 *
45 52 * smb2_max_trans is the largest "transact" send or receive, which is
46 53 * used for directory listings and info set/get operations.
47 54 */
48 55 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */
49 -uint32_t smb2_max_rwsize = (1<<20); /* 1MB */
56 +uint32_t smb2_max_rwsize = (1<<16); /* 64KB */
50 57 uint32_t smb2_max_trans = (1<<16); /* 64KB */
51 58
52 59 /*
60 + * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
61 + * (including all clients using dialect < SMB 2.1), use a "conservative" value
62 + * for max r/w size because some older clients misbehave with larger values.
63 + * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x
64 + * Support) as the minimum so we'll use that.
65 + */
66 +uint32_t smb2_old_rwsize = (1<<16); /* 64KB */
67 +
68 +/*
53 69 * List of all SMB2 versions we implement. Note that the
54 - * highest version we support may be limited by the
55 - * _cfg.skc_max_protocol setting.
70 + * versions we support may be limited by the
71 + * _cfg.skc_max_protocol and min_protocol settings.
56 72 */
57 73 static uint16_t smb2_versions[] = {
58 74 0x202, /* SMB 2.002 */
59 75 0x210, /* SMB 2.1 */
76 + 0x300, /* SMB 3.0 */
77 + 0x302, /* SMB 3.02 */
60 78 };
61 79 static uint16_t smb2_nversions =
62 80 sizeof (smb2_versions) / sizeof (smb2_versions[0]);
63 81
64 82 static boolean_t
65 83 smb2_supported_version(smb_session_t *s, uint16_t version)
66 84 {
67 85 int i;
68 86
69 - if (version > s->s_cfg.skc_max_protocol)
87 + if (version > s->s_cfg.skc_max_protocol ||
88 + version < s->s_cfg.skc_min_protocol)
70 89 return (B_FALSE);
71 90 for (i = 0; i < smb2_nversions; i++)
72 91 if (version == smb2_versions[i])
73 92 return (B_TRUE);
74 93 return (B_FALSE);
75 94 }
76 95
77 96 /*
78 97 * Helper for the (SMB1) smb_com_negotiate(). This is the
79 98 * very unusual protocol interaction where an SMB1 negotiate
80 99 * gets an SMB2 negotiate response. This is the normal way
81 100 * clients first find out if the server supports SMB2.
82 101 *
83 102 * Note: This sends an SMB2 reply _itself_ and then returns
84 103 * SDRC_NO_REPLY so the caller will not send an SMB1 reply.
85 104 * Also, this is called directly from the reader thread, so
|
↓ open down ↓ |
6 lines elided |
↑ open up ↑ |
86 105 * we know this is the only thread using this session.
87 106 *
88 107 * The caller frees this request.
89 108 */
90 109 smb_sdrc_t
91 110 smb1_negotiate_smb2(smb_request_t *sr)
92 111 {
93 112 smb_session_t *s = sr->session;
94 113 smb_arg_negotiate_t *negprot = sr->sr_negprot;
95 114 uint16_t smb2_version;
96 - uint16_t secmode2;
97 115 int rc;
98 116
99 117 /*
100 118 * Note: In the SMB1 negotiate command handler, we
101 119 * agreed with one of the SMB2 dialects. If that
102 120 * dialect was "SMB 2.002", we'll respond here with
103 121 * version 0x202 and negotiation is done. If that
104 122 * dialect was "SMB 2.???", we'll respond here with
105 123 * the "wildcard" version 0x2FF, and the client will
106 124 * come back with an SMB2 negotiate.
107 125 */
108 126 switch (negprot->ni_dialect) {
109 127 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */
110 - smb2_version = 0x202;
128 + smb2_version = SMB_VERS_2_002;
111 129 s->dialect = smb2_version;
112 130 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
113 131 /* Allow normal SMB2 requests now. */
114 132 s->newrq_func = smb2sr_newrq;
115 -
116 - /*
117 - * Translate SMB1 sec. mode to SMB2.
118 - */
119 - secmode2 = 0;
120 - if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)
121 - secmode2 |= SMB2_NEGOTIATE_SIGNING_ENABLED;
122 - if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)
123 - secmode2 |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
124 - s->secmode = secmode2;
125 133 break;
126 134 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */
127 135 /*
128 136 * Expecting an SMB2 negotiate next, so keep the
129 - * initial s->newrq_func. Note that secmode is
130 - * fiction good enough to pass the signing check
131 - * in smb2_negotiate_common(). We'll check the
132 - * real secmode when the 2nd negotiate comes.
137 + * initial s->newrq_func.
133 138 */
134 139 smb2_version = 0x2FF;
135 - s->secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
136 140 break;
137 141 default:
138 142 return (SDRC_DROP_VC);
139 143 }
140 144
141 145 /*
146 + * Clients that negotiate SMB2 from SMB1 have not yet had the
147 + * opportunity to provide us with a secmode. However, any
148 + * client that negotiates SMB2 should support signing, so
149 + * this should be fiction good enough to pass the signing
150 + * check in smb2_negotiate_common(). Even if the client
151 + * doesn't support signing and we require it, we'll fail them
152 + * later when they fail to sign the packet. For 2.???,
153 + * we'll check the real secmode when the 2nd negotiate comes.
154 + */
155 + s->cli_secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
156 +
157 + /*
142 158 * We did not decode an SMB2 header, so make sure
143 159 * the SMB2 header fields are initialized.
144 160 * (Most are zero from smb_request_alloc.)
145 161 * Also, the SMB1 common dispatch code reserved space
146 162 * for an SMB1 header, which we need to undo here.
147 163 */
148 164 sr->smb2_reply_hdr = sr->reply.chain_offset = 0;
149 165 sr->smb2_cmd_code = SMB2_NEGOTIATE;
150 166
151 167 rc = smb2_negotiate_common(sr, smb2_version);
168 + smb2_send_reply(sr);
152 169 if (rc != 0)
153 170 return (SDRC_DROP_VC);
154 171
172 + /*
173 + * We sent the reply, so tell the SMB1 dispatch
174 + * it should NOT (also) send a reply.
175 + */
155 176 return (SDRC_NO_REPLY);
156 177 }
157 178
179 +static uint16_t
180 +smb2_find_best_dialect(smb_session_t *s, uint16_t cl_versions[],
181 + uint16_t version_cnt)
182 +{
183 + uint16_t best_version = 0;
184 + int i;
185 +
186 + for (i = 0; i < version_cnt; i++)
187 + if (smb2_supported_version(s, cl_versions[i]) &&
188 + best_version < cl_versions[i])
189 + best_version = cl_versions[i];
190 +
191 + return (best_version);
192 +}
193 +
158 194 /*
159 195 * SMB2 Negotiate gets special handling. This is called directly by
160 196 * the reader thread (see smbsr_newrq_initial) with what _should_ be
161 197 * an SMB2 Negotiate. Only the "\feSMB" header has been checked
162 198 * when this is called, so this needs to check the SMB command,
163 199 * if it's Negotiate execute it, then send the reply, etc.
164 200 *
165 201 * Since this is called directly from the reader thread, we
166 202 * know this is the only thread currently using this session.
167 203 * This has to duplicate some of what smb2sr_work does as a
168 204 * result of bypassing the normal dispatch mechanism.
169 205 *
170 206 * The caller always frees this request.
207 + *
208 + * Return value is 0 for success, and anything else will
209 + * terminate the reader thread (drop the connection).
171 210 */
172 211 int
173 212 smb2_newrq_negotiate(smb_request_t *sr)
174 213 {
175 214 smb_session_t *s = sr->session;
176 - int i, rc;
215 + int rc;
177 216 uint16_t struct_size;
178 217 uint16_t best_version;
179 218 uint16_t version_cnt;
180 219 uint16_t cl_versions[8];
181 220
182 221 sr->smb2_cmd_hdr = sr->command.chain_offset;
183 222 rc = smb2_decode_header(sr);
184 223 if (rc != 0)
185 224 return (rc);
186 225
187 226 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
188 227 (sr->smb2_next_command != 0))
189 - return (SDRC_DROP_VC);
228 + return (-1);
190 229
191 230 /*
192 231 * Decode SMB2 Negotiate (fixed-size part)
193 232 */
194 233 rc = smb_mbc_decodef(
195 - &sr->command, "www..l16.8.",
234 + &sr->command, "www..l16c8.",
196 235 &struct_size, /* w */
197 236 &version_cnt, /* w */
198 - &s->secmode, /* w */
199 - /* reserved (..) */
200 - &s->capabilities); /* l */
201 - /* clnt_uuid 16. */
237 + &s->cli_secmode, /* w */
238 + /* reserved (..) */
239 + &s->capabilities, /* l */
240 + s->clnt_uuid); /* 16c */
202 241 /* start_time 8. */
203 242 if (rc != 0)
204 243 return (rc);
205 244 if (struct_size != 36 || version_cnt > 8)
206 - return (SDRC_DROP_VC);
245 + return (-1);
207 246
208 247 /*
209 248 * Decode SMB2 Negotiate (variable part)
210 249 */
211 250 rc = smb_mbc_decodef(&sr->command,
212 251 "#w", version_cnt, cl_versions);
213 252 if (rc != 0)
214 - return (SDRC_DROP_VC);
253 + return (rc);
215 254
255 + DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr);
256 +
216 257 /*
217 258 * The client offers an array of protocol versions it
218 259 * supports, which we have decoded into cl_versions[].
219 260 * We walk the array and pick the highest supported.
220 261 */
221 - best_version = 0;
222 - for (i = 0; i < version_cnt; i++)
223 - if (smb2_supported_version(s, cl_versions[i]) &&
224 - best_version < cl_versions[i])
225 - best_version = cl_versions[i];
226 - if (best_version == 0)
227 - return (SDRC_DROP_VC);
262 + best_version = smb2_find_best_dialect(s, cl_versions, version_cnt);
263 + if (best_version == 0) {
264 + cmn_err(CE_NOTE, "clnt %s no supported dialect",
265 + sr->session->ip_addr_str);
266 + sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
267 + rc = -1;
268 + goto errout;
269 + }
228 270 s->dialect = best_version;
229 271
230 272 /* Allow normal SMB2 requests now. */
231 273 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
232 274 s->newrq_func = smb2sr_newrq;
233 275
234 276 rc = smb2_negotiate_common(sr, best_version);
235 - if (rc != 0)
236 - return (SDRC_DROP_VC);
237 277
238 - return (0);
278 +errout:
279 + /* sr->smb2_status was set */
280 + DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr);
281 +
282 + smb2_send_reply(sr);
283 +
284 + return (rc);
239 285 }
240 286
241 287 /*
242 288 * Common parts of SMB2 Negotiate, used for both the
243 289 * SMB1-to-SMB2 style, and straight SMB2 style.
244 - * Do negotiation decisions, encode, send the reply.
290 + * Do negotiation decisions and encode the reply.
291 + * The caller does the network send.
292 + *
293 + * Return value is 0 for success, and anything else will
294 + * terminate the reader thread (drop the connection).
245 295 */
246 296 static int
247 297 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
248 298 {
249 299 timestruc_t boot_tv, now_tv;
250 300 smb_session_t *s = sr->session;
251 301 int rc;
302 + uint32_t max_rwsize;
252 303 uint16_t secmode;
253 304
254 305 sr->smb2_status = 0;
255 306
256 307 /*
257 308 * Negotiation itself. First the Security Mode.
258 - * The caller stashed the client's secmode in s->secmode,
259 - * which we validate, and then replace with the server's
260 - * secmode, which is all we care about after this.
261 309 */
262 310 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
263 311 if (sr->sr_cfg->skc_signing_required) {
264 312 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
265 313 /* Make sure client at least enables signing. */
266 - if ((s->secmode & secmode) == 0) {
314 + if ((s->cli_secmode & secmode) == 0) {
267 315 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
268 316 }
269 317 }
270 - s->secmode = secmode;
318 + s->srv_secmode = secmode;
271 319
272 320 s->cmd_max_bytes = smb2_tcp_bufsize;
273 321 s->reply_max_bytes = smb2_tcp_bufsize;
274 322
275 323 /*
276 324 * "The number of credits held by the client MUST be considered
277 325 * as 1 when the connection is established." [MS-SMB2]
278 326 * We leave credits at 1 until the first successful
279 327 * session setup is completed.
280 328 */
281 329 s->s_cur_credits = s->s_max_credits = 1;
282 330 sr->smb2_credit_response = 1;
283 331
284 332 boot_tv.tv_sec = smb_get_boottime();
285 333 boot_tv.tv_nsec = 0;
|
↓ open down ↓ |
5 lines elided |
↑ open up ↑ |
286 334 now_tv.tv_sec = gethrestime_sec();
287 335 now_tv.tv_nsec = 0;
288 336
289 337 /*
290 338 * SMB2 negotiate reply
291 339 */
292 340 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR;
293 341 (void) smb2_encode_header(sr, B_FALSE);
294 342 if (sr->smb2_status != 0) {
295 343 smb2sr_put_error(sr, sr->smb2_status);
296 - smb2_send_reply(sr);
344 + /* smb2_send_reply(sr); in caller */
297 345 return (-1); /* will drop */
298 346 }
299 347
348 + /*
349 + * If the version is 0x2FF, we haven't completed negotiate.
350 + * Don't initialize until we have our final request.
351 + */
352 + if (version != 0x2FF)
353 + smb2_sign_init_mech(s);
354 +
355 + /*
356 + * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request
357 + *
358 + * The SMB2.x capabilities are returned without regard for
359 + * what capabilities the client provided in the request.
360 + * The SMB3.x capabilities returned are the traditional
361 + * logical AND of server and client capabilities.
362 + *
363 + * One additional check: If KCF is missing something we
364 + * require for encryption, turn off that capability.
365 + */
366 + if (s->dialect < SMB_VERS_3_0) {
367 + /* SMB 2.x */
368 + s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS;
369 + } else {
370 + /* SMB 3.0 or later */
371 + s->srv_cap = smb2srv_capabilities &
372 + (SMB_2X_CAPS | s->capabilities);
373 + if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 &&
374 + smb3_encrypt_init_mech(s) != 0) {
375 + s->srv_cap &= ~SMB2_CAP_ENCRYPTION;
376 + }
377 + }
378 +
379 + /*
380 + * See notes above smb2_max_rwsize, smb2_old_rwsize
381 + */
382 + if (s->capabilities & SMB2_CAP_LARGE_MTU)
383 + max_rwsize = smb2_max_rwsize;
384 + else
385 + max_rwsize = smb2_old_rwsize;
386 +
300 387 rc = smb_mbc_encodef(
301 388 &sr->reply,
302 389 "wwww#cllllTTwwl#c",
303 390 65, /* StructSize */ /* w */
304 - s->secmode, /* w */
391 + s->srv_secmode, /* w */
305 392 version, /* w */
306 393 0, /* reserved */ /* w */
307 394 UUID_LEN, /* # */
308 395 &s->s_cfg.skc_machine_uuid, /* c */
309 - smb2srv_capabilities, /* l */
396 + s->srv_cap, /* l */
310 397 smb2_max_trans, /* l */
311 - smb2_max_rwsize, /* l */
312 - smb2_max_rwsize, /* l */
398 + max_rwsize, /* l */
399 + max_rwsize, /* l */
313 400 &now_tv, /* T */
314 401 &boot_tv, /* T */
315 402 128, /* SecBufOff */ /* w */
316 403 sr->sr_cfg->skc_negtok_len, /* w */
317 404 0, /* reserved */ /* l */
318 405 sr->sr_cfg->skc_negtok_len, /* # */
319 406 sr->sr_cfg->skc_negtok); /* c */
320 407
321 - smb2_send_reply(sr);
408 + /* smb2_send_reply(sr); in caller */
322 409
323 410 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
324 411 SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
325 412 sizeof (smb2_tcp_bufsize), CRED());
326 413 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
327 414 SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
328 415 sizeof (smb2_tcp_bufsize), CRED());
329 416
330 417 return (rc);
331 418 }
332 419
333 420 /*
334 421 * SMB2 Dispatch table handler, which will run if we see an
335 422 * SMB2_NEGOTIATE after the initial negotiation is done.
336 423 * That would be a protocol error.
337 424 */
338 425 smb_sdrc_t
|
↓ open down ↓ |
7 lines elided |
↑ open up ↑ |
339 426 smb2_negotiate(smb_request_t *sr)
340 427 {
341 428 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
342 429 return (SDRC_ERROR);
343 430 }
344 431
345 432 /*
346 433 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6
347 434 */
348 435 uint32_t
349 -smb2_fsctl_vneginfo(smb_request_t *sr, smb_fsctl_t *fsctl)
436 +smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl)
350 437 {
351 438 smb_session_t *s = sr->session;
352 439 int rc;
353 440
354 441 /*
355 442 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here
356 443 * and verify that the original negotiate was not modified.
357 - * The only tampering we need worry about is secmode, and
358 - * we're not taking that from the client, so don't bother.
444 + * The request MUST be signed, and we MUST validate the signature.
359 445 *
360 446 * One interesting requirement here is that we MUST reply
361 447 * with exactly the same information as we returned in our
362 448 * original reply to the SMB2 negotiate on this session.
363 449 * If we don't the client closes the connection.
364 450 */
365 451
452 + /* dialects[8] taken from cl_versions[8] in smb2_newrq_negotiate */
453 + uint32_t capabilities;
454 + uint16_t secmode, num_dialects, dialects[8];
455 + uint8_t clnt_guid[16];
456 +
457 + if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) == 0)
458 + goto drop;
459 +
460 + if (fsctl->InputCount < 24)
461 + goto drop;
462 +
463 + (void) smb_mbc_decodef(fsctl->in_mbc, "l16cww",
464 + &capabilities, /* l */
465 + &clnt_guid, /* 16c */
466 + &secmode, /* w */
467 + &num_dialects); /* w */
468 +
469 + if (num_dialects == 0 || num_dialects > 8)
470 + goto drop;
471 + if (secmode != s->cli_secmode)
472 + goto drop;
473 + if (capabilities != s->capabilities)
474 + goto drop;
475 + if (memcmp(clnt_guid, s->clnt_uuid, sizeof (clnt_guid)) != 0)
476 + goto drop;
477 +
478 + if (fsctl->InputCount < (24 + num_dialects * sizeof (*dialects)))
479 + goto drop;
480 +
481 + rc = smb_mbc_decodef(fsctl->in_mbc, "#w", num_dialects, dialects);
482 + if (rc != 0)
483 + goto drop;
484 +
485 + if (smb2_find_best_dialect(s, dialects, num_dialects) != s->dialect)
486 + goto drop;
487 +
366 488 rc = smb_mbc_encodef(
367 489 fsctl->out_mbc, "l#cww",
368 - smb2srv_capabilities, /* l */
490 + s->srv_cap, /* l */
369 491 UUID_LEN, /* # */
370 492 &s->s_cfg.skc_machine_uuid, /* c */
371 - s->secmode, /* w */
493 + s->srv_secmode, /* w */
372 494 s->dialect); /* w */
373 - if (rc)
374 - return (NT_STATUS_INTERNAL_ERROR);
495 + if (rc == 0)
496 + return (rc);
375 497
376 - return (0);
498 +drop:
499 + smb_session_disconnect(s);
500 + return (NT_STATUS_ACCESS_DENIED);
377 501 }
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX