NEX-10019 SMB server min_protocol setting
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-1643 dtrace provider for smbsrv
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
NEX-5273 SMB 3 Encryption
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
NEX-4598 SMB2 credit shortage with Mac client
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Matt Barden <Matt.Barden@nexenta.com>
NEX-4539 Allow patching smb1srv_capabilities
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
Reviewed by: Matt Barden <Matt.Barden@nexenta.com>
SUP-672 Zero-padded IP address strings returned by SMB server...
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
NEX-3611 CLONE NEX-3550 Replace smb2_enable with max_protocol
Reviewed by: Yuri Pankov <Yuri.Pankov@nexenta.com>
NEX-2781 SMB2 credit handling needs work
NEX-1050 enable_smb2 should be smb2_enable
SMB-11 SMB2 message parse & dispatch
SMB-12 SMB2 Negotiate Protocol
SMB-13 SMB2 Session Setup
SMB-14 SMB2 Logoff
SMB-15 SMB2 Tree Connect
SMB-16 SMB2 Tree Disconnect
SMB-17 SMB2 Create
SMB-18 SMB2 Close
SMB-19 SMB2 Flush
SMB-20 SMB2 Read
SMB-21 SMB2 Write
SMB-22 SMB2 Lock/Unlock
SMB-23 SMB2 Ioctl
SMB-24 SMB2 Cancel
SMB-25 SMB2 Echo
SMB-26 SMB2 Query Dir
SMB-27 SMB2 Change Notify
SMB-28 SMB2 Query Info
SMB-29 SMB2 Set Info
SMB-30 SMB2 Oplocks
SMB-53 SMB2 Create Context options
(SMB2 code review cleanup 1, 2, 3)
SMB-69 read-raw, write-raw are dead code
SMB-56 extended security NTLMSSP, inbound
SMB-50 User-mode SMB server
 Includes work by these authors:
 Thomas Keiser <thomas.keiser@nexenta.com>
 Albert Lee <trisk@nexenta.com>
SMB-65 SMB server in non-global zones (data structure changes)
Many things move to the smb_server_t object, and
many functions gain an sv arg (which server).
re #7126 rb4153 smbd panic with missing negotiate challenge

*** 18,28 **** * * CDDL HEADER END */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. ! * Copyright 2015 Nexenta Systems, Inc. All rights reserved. */ /* * Notes on the virtual circuit (VC) values in the SMB Negotiate * response and SessionSetupAndx request. --- 18,28 ---- * * CDDL HEADER END */ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. ! * Copyright 2017 Nexenta Systems, Inc. All rights reserved. */ /* * Notes on the virtual circuit (VC) values in the SMB Negotiate * response and SessionSetupAndx request.
*** 278,287 **** --- 278,290 ---- * know this is the only thread currently using this session. * This has to duplicate some of what smb1sr_work does as a * result of bypassing the normal dispatch mechanism. * * The caller always frees this request. + * + * Return value is 0 for success, and anything else will + * terminate the reader thread (drop the connection). */ int smb1_newrq_negotiate(smb_request_t *sr) { smb_sdrc_t sdrc;
*** 374,402 **** */ if (dialect >= DIALECT_SMB2002 && skc->skc_max_protocol < SMB_VERS_2_BASE) continue; if (negprot->ni_dialect < dialect) { negprot->ni_dialect = dialect; negprot->ni_index = pos; } } ! DTRACE_SMB_2(op__Negotiate__start, smb_request_t *, sr, ! smb_arg_negotiate_t, negprot); return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR); } void smb_post_negotiate(smb_request_t *sr) { smb_arg_negotiate_t *negprot = sr->sr_negprot; ! DTRACE_SMB_2(op__Negotiate__done, smb_request_t *, sr, ! smb_arg_negotiate_t, negprot); bzero(negprot, sizeof (smb_arg_negotiate_t)); } smb_sdrc_t --- 377,414 ---- */ if (dialect >= DIALECT_SMB2002 && skc->skc_max_protocol < SMB_VERS_2_BASE) continue; + /* + * We may not support SMB1; skip those dialects if true. + */ + if (dialect < DIALECT_SMB2002 && + skc->skc_min_protocol > SMB_VERS_1) + continue; + + if (dialect == DIALECT_SMB2002 && + skc->skc_min_protocol > SMB_VERS_2_002) + continue; + if (negprot->ni_dialect < dialect) { negprot->ni_dialect = dialect; negprot->ni_index = pos; } } ! DTRACE_SMB_START(op__Negotiate, smb_request_t *, sr); return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR); } void smb_post_negotiate(smb_request_t *sr) { smb_arg_negotiate_t *negprot = sr->sr_negprot; ! DTRACE_SMB_DONE(op__Negotiate, smb_request_t *, sr); bzero(negprot, sizeof (smb_arg_negotiate_t)); } smb_sdrc_t
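Review bot: The second added check (`dialect == DIALECT_SMB2002 && skc->skc_min_protocol > SMB_VERS_2_002`) has no comment, and together the two checks leave any dialect value above DIALECT_SMB2002 unfiltered by skc_min_protocol. That is presumably deliberate, with the floor for those dialects enforced later in the SMB2 negotiate path, but this hunk does not show it, and anyone auditing downgrade protection needs to know where it happens. I would add a comment above the check, such as `/* "SMB 2.002" names one exact version, so skip it when the configured minimum is higher; dialects above it are checked against skc_min_protocol during the SMB2 negotiate. */`, after confirming that the later check exists. The enclosing function starts above the hunk.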
*** 416,425 **** --- 428,444 ---- /* The protocol has already been negotiated. */ smbsr_error(sr, 0, ERRSRV, ERRerror); return (SDRC_ERROR); } + if (negprot->ni_index < 0) { + cmn_err(CE_NOTE, "clnt %s no supported dialect", + sr->session->ip_addr_str); + smbsr_error(sr, 0, ERRSRV, ERRerror); + return (SDRC_DROP_VC); + } + /* * Special case for negotiating SMB2 from SMB1. The client * includes the "SMB 2..." dialects in the SMB1 negotiate, * and if SMB2 is enabled, we choose one of those and then * send an SMB2 reply to that SMB1 request. Yes, it's very
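Review bot: The new `cmn_err(CE_NOTE, ...)` in the `ni_index < 0` branch runs before any authentication, so every connection that offers no acceptable dialect writes a message to the console and system log, and nothing in the hunk bounds the rate. Prefixing the format with `!`, as in `cmn_err(CE_NOTE, "!clnt %s no supported dialect", sr->session->ip_addr_str);`, would at least keep it off the console. A time-based throttle or a counter exposed through kstat or DTrace would keep log growth bounded when min_protocol rejects many legacy clients. The branch also relies on ni_index being initialised to a negative value before the dialect loop, which is outside this hunk and worth confirming. The enclosing function starts and ends outside the hunk.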
*** 434,446 **** ASSERT(rc == SDRC_NO_REPLY || rc == SDRC_DROP_VC || rc == SDRC_ERROR); return (rc); } ! session->secmode = NEGOTIATE_ENCRYPT_PASSWORDS | NEGOTIATE_USER_SECURITY; ! secmode = session->secmode; sesskey = session->sesskey; negprot->ni_servertime.tv_sec = gethrestime_sec(); negprot->ni_servertime.tv_nsec = 0; negprot->ni_tzcorrection = sr->sr_gmtoff / 60; --- 453,465 ---- ASSERT(rc == SDRC_NO_REPLY || rc == SDRC_DROP_VC || rc == SDRC_ERROR); return (rc); } ! session->srv_secmode = NEGOTIATE_ENCRYPT_PASSWORDS | NEGOTIATE_USER_SECURITY; ! secmode = session->srv_secmode; sesskey = session->sesskey; negprot->ni_servertime.tv_sec = gethrestime_sec(); negprot->ni_servertime.tv_nsec = 0; negprot->ni_tzcorrection = sr->sr_gmtoff / 60;
*** 529,539 **** secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED; if (sr->sr_cfg->skc_signing_required) secmode |= NEGOTIATE_SECURITY_SIGNATURES_REQUIRED; ! session->secmode = secmode; } /* * Does the client want Extended Security? * (and if we have it enabled) --- 548,558 ---- secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED; if (sr->sr_cfg->skc_signing_required) secmode |= NEGOTIATE_SECURITY_SIGNATURES_REQUIRED; ! session->srv_secmode = secmode; } /* * Does the client want Extended Security? * (and if we have it enabled)