Print this page
NEX-10019 SMB server min_protocol setting
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-1643 dtrace provider for smbsrv
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
NEX-5273 SMB 3 Encryption
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
NEX-4598 SMB2 credit shortage with Mac client
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Matt Barden <Matt.Barden@nexenta.com>
NEX-4539 Allow patching smb1srv_capabilities
Reviewed by: Bayard Bell <bayard.bell@nexenta.com>
Reviewed by: Matt Barden <Matt.Barden@nexenta.com>
SUP-672 Zero-padded IP address strings returned by SMB server...
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
NEX-3611 CLONE NEX-3550 Replace smb2_enable with max_protocol
Reviewed by: Yuri Pankov <Yuri.Pankov@nexenta.com>
NEX-2781 SMB2 credit handling needs work
NEX-1050 enable_smb2 should be smb2_enable
SMB-11 SMB2 message parse & dispatch
SMB-12 SMB2 Negotiate Protocol
SMB-13 SMB2 Session Setup
SMB-14 SMB2 Logoff
SMB-15 SMB2 Tree Connect
SMB-16 SMB2 Tree Disconnect
SMB-17 SMB2 Create
SMB-18 SMB2 Close
SMB-19 SMB2 Flush
SMB-20 SMB2 Read
SMB-21 SMB2 Write
SMB-22 SMB2 Lock/Unlock
SMB-23 SMB2 Ioctl
SMB-24 SMB2 Cancel
SMB-25 SMB2 Echo
SMB-26 SMB2 Query Dir
SMB-27 SMB2 Change Notify
SMB-28 SMB2 Query Info
SMB-29 SMB2 Set Info
SMB-30 SMB2 Oplocks
SMB-53 SMB2 Create Context options
(SMB2 code review cleanup 1, 2, 3)
SMB-69 read-raw, write-raw are dead code
SMB-56 extended security NTLMSSP, inbound
SMB-50 User-mode SMB server
Includes work by these authors:
Thomas Keiser <thomas.keiser@nexenta.com>
Albert Lee <trisk@nexenta.com>
SMB-65 SMB server in non-global zones (data structure changes)
Many things move to the smb_server_t object, and
many functions gain an sv arg (which server).
re #7126 rb4153 smbd panic with missing negotiate challenge
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/fs/smbsrv/smb_negotiate.c
+++ new/usr/src/uts/common/fs/smbsrv/smb_negotiate.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
|
↓ open down ↓ |
12 lines elided |
↑ open up ↑ |
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 - * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
23 + * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
24 24 */
25 25
26 26 /*
27 27 * Notes on the virtual circuit (VC) values in the SMB Negotiate
28 28 * response and SessionSetupAndx request.
29 29 *
30 30 * A virtual circuit (VC) represents a connection between a client and a
31 31 * server using a reliable, session oriented transport protocol, such as
32 32 * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a
33 33 * single underlying transport connection, i.e. a single NetBIOS session,
34 34 * which limited performance for raw data transfers.
35 35 *
36 36 * The intention behind multiple VCs was to improve performance by
37 37 * allowing parallelism over each NetBIOS session. For example, raw data
38 38 * could be transmitted using a different VC from other types of SMB
39 39 * requests to remove the interleaving restriction while a raw transfer
40 40 * is in progress. So the MaxNumberVcs field was added to the negotiate
41 41 * response to make the number of VCs configurable and to allow servers
42 42 * to specify how many they were prepared to support per session
43 43 * connection. This turned out to be difficult to manage and, with
44 44 * technology improvements, it has become obsolete.
45 45 *
46 46 * Servers should set the MaxNumberVcs value in the Negotiate response
47 47 * to 1. Clients should probably ignore it. If a server receives a
48 48 * SessionSetupAndx with a VC value of 0, it should close all other
49 49 * VCs to that client. If it receives a non-zero VC, it should leave
50 50 * other VCs in tact.
51 51 *
52 52 */
53 53
54 54 /*
55 55 * SMB: negotiate
56 56 *
57 57 * Client Request Description
58 58 * ============================ =======================================
59 59 *
60 60 * UCHAR WordCount; Count of parameter words = 0
61 61 * USHORT ByteCount; Count of data bytes; min = 2
62 62 * struct {
63 63 * UCHAR BufferFormat; 0x02 -- Dialect
64 64 * UCHAR DialectName[]; ASCII null-terminated string
65 65 * } Dialects[];
66 66 *
67 67 * The Client sends a list of dialects that it can communicate with. The
68 68 * response is a selection of one of those dialects (numbered 0 through n)
69 69 * or -1 (hex FFFF) indicating that none of the dialects were acceptable.
70 70 * The negotiate message is binding on the virtual circuit and must be
71 71 * sent. One and only one negotiate message may be sent, subsequent
72 72 * negotiate requests will be rejected with an error response and no action
73 73 * will be taken.
74 74 *
75 75 * The protocol does not impose any particular structure to the dialect
76 76 * strings. Implementors of particular protocols may choose to include,
77 77 * for example, version numbers in the string.
78 78 *
79 79 * If the server does not understand any of the dialect strings, or if PC
80 80 * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is
81 81 *
82 82 * Server Response Description
83 83 * ============================ =======================================
84 84 *
85 85 * UCHAR WordCount; Count of parameter words = 1
86 86 * USHORT DialectIndex; Index of selected dialect
87 87 * USHORT ByteCount; Count of data bytes = 0
88 88 *
89 89 * If the chosen dialect is greater than core up to and including
90 90 * LANMAN2.1, the protocol response format is
91 91 *
92 92 * Server Response Description
93 93 * ============================ =======================================
94 94 *
95 95 * UCHAR WordCount; Count of parameter words = 13
96 96 * USHORT DialectIndex; Index of selected dialect
97 97 * USHORT SecurityMode; Security mode:
98 98 * bit 0: 0 = share, 1 = user
99 99 * bit 1: 1 = use challenge/response
100 100 * authentication
101 101 * USHORT MaxBufferSize; Max transmit buffer size (>= 1024)
102 102 * USHORT MaxMpxCount; Max pending multiplexed requests
103 103 * USHORT MaxNumberVcs; Max VCs between client and server
104 104 * USHORT RawMode; Raw modes supported:
105 105 * bit 0: 1 = Read Raw supported
106 106 * bit 1: 1 = Write Raw supported
107 107 * ULONG SessionKey; Unique token identifying this session
108 108 * SMB_TIME ServerTime; Current time at server
109 109 * SMB_DATE ServerDate; Current date at server
110 110 * USHORT ServerTimeZone; Current time zone at server
111 111 * USHORT EncryptionKeyLength; MBZ if this is not LM2.1
112 112 * USHORT Reserved; MBZ
113 113 * USHORT ByteCount Count of data bytes
114 114 * UCHAR EncryptionKey[]; The challenge encryption key
115 115 * STRING PrimaryDomain[]; The server's primary domain
116 116 *
117 117 * MaxBufferSize is the size of the largest message which the client can
118 118 * legitimately send to the server
119 119 *
120 120 * If bit0 of the Flags field is set in the negotiate response, this
121 121 * indicates the server supports the SMB_COM_LOCK_AND_READ and
122 122 * SMB_COM_WRITE_AND_UNLOCK client requests.
123 123 *
124 124 * If the SecurityMode field indicates the server is running in user mode,
125 125 * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests
126 126 * before the server will allow the client to access resources. If the
127 127 * SecurityMode fields indicates the client should use challenge/response
128 128 * authentication, the client should use the authentication mechanism
129 129 * specified in section 2.10.
130 130 *
131 131 * Clients should submit no more than MaxMpxCount distinct unanswered SMBs
132 132 * to the server when using multiplexed reads or writes (see sections 5.13
133 133 * and 5.25)
134 134 *
135 135 * Clients using the "MICROSOFT NETWORKS 1.03" dialect use a different
136 136 * form of raw reads than documented here, and servers are better off
137 137 * setting RawMode in this response to 0 for such sessions.
138 138 *
139 139 * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then
140 140 * PrimaryDomain string should be included in this response.
141 141 *
142 142 * If the negotiated dialect is NT LM 0.12, the response format is
143 143 *
144 144 * Server Response Description
145 145 * ========================== =========================================
146 146 *
147 147 * UCHAR WordCount; Count of parameter words = 17
148 148 * USHORT DialectIndex; Index of selected dialect
149 149 * UCHAR SecurityMode; Security mode:
150 150 * bit 0: 0 = share, 1 = user
151 151 * bit 1: 1 = encrypt passwords
152 152 * USHORT MaxMpxCount; Max pending multiplexed requests
153 153 * USHORT MaxNumberVcs; Max VCs between client and server
154 154 * ULONG MaxBufferSize; Max transmit buffer size
155 155 * ULONG MaxRawSize; Maximum raw buffer size
156 156 * ULONG SessionKey; Unique token identifying this session
157 157 * ULONG Capabilities; Server capabilities
158 158 * ULONG SystemTimeLow; System (UTC) time of the server (low).
159 159 * ULONG SystemTimeHigh; System (UTC) time of the server (high).
160 160 * USHORT ServerTimeZone; Time zone of server (min from UTC)
161 161 * UCHAR EncryptionKeyLength; Length of encryption key.
162 162 * USHORT ByteCount; Count of data bytes
163 163 * UCHAR EncryptionKey[]; The challenge encryption key
164 164 * UCHAR OemDomainName[]; The name of the domain (in OEM chars)
165 165 *
166 166 * In addition to the definitions above, MaxBufferSize is the size of the
167 167 * largest message which the client can legitimately send to the server.
168 168 * If the client is using a connectionless protocol, MaxBufferSize must be
169 169 * set to the smaller of the server's internal buffer size and the amount
170 170 * of data which can be placed in a response packet.
171 171 *
172 172 * MaxRawSize specifies the maximum message size the server can send or
173 173 * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW.
174 174 *
175 175 * Connectionless clients must set Sid to 0 in the SMB request header.
176 176 *
177 177 * Capabilities allows the server to tell the client what it supports.
178 178 * The bit definitions defined in smb.h. Bit 0x2000 used to be set in
179 179 * the negotiate response capabilities but it caused problems with
180 180 * Windows 2000. It is probably not valid, it doesn't appear in the
181 181 * CIFS spec.
182 182 *
183 183 * 4.1.1.1 Errors
184 184 *
185 185 * SUCCESS/SUCCESS
186 186 * ERRSRV/ERRerror
187 187 */
188 188 #include <sys/types.h>
189 189 #include <sys/socket.h>
190 190 #include <netinet/in.h>
191 191 #include <smbsrv/smb_kproto.h>
192 192 #include <smbsrv/smbinfo.h>
193 193
194 194 static const smb_xlate_t smb_dialect[] = {
195 195 { DIALECT_UNKNOWN, "DIALECT_UNKNOWN" },
196 196 { PC_NETWORK_PROGRAM_1_0, "PC NETWORK PROGRAM 1.0" },
197 197 { PCLAN1_0, "PCLAN1.0" },
198 198 { MICROSOFT_NETWORKS_1_03, "MICROSOFT NETWORKS 1.03" },
199 199 { MICROSOFT_NETWORKS_3_0, "MICROSOFT NETWORKS 3.0" },
200 200 { LANMAN1_0, "LANMAN1.0" },
201 201 { LM1_2X002, "LM1.2X002" },
202 202 { DOS_LM1_2X002, "DOS LM1.2X002" },
203 203 { DOS_LANMAN2_1, "DOS LANMAN2.1" },
204 204 { LANMAN2_1, "LANMAN2.1" },
205 205 { Windows_for_Workgroups_3_1a, "Windows for Workgroups 3.1a" },
206 206 { NT_LM_0_12, "NT LM 0.12" },
207 207 { DIALECT_SMB2002, "SMB 2.002" },
208 208 { DIALECT_SMB2XXX, "SMB 2.???" },
209 209 };
210 210 static int smb_ndialects = sizeof (smb_dialect) / sizeof (smb_dialect[0]);
211 211
212 212 /*
213 213 * Maximum buffer size for DOS: chosen to be the same as NT.
214 214 * Do not change this value, DOS is very sensitive to it.
215 215 */
216 216 #define SMB_DOS_MAXBUF 0x1104
217 217
218 218 /*
219 219 * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems
220 220 * with other values. DOS 6.1 seems to depend on a window value of 8700 to
221 221 * send the next set of data. If we return a window value of 40KB, after
222 222 * sending 8700 bytes of data, it will start the next set of data from 40KB
223 223 * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses.
224 224 * September 2000.
225 225 *
226 226 * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow
227 227 * for a larger TCP window sizei based on observations of Windows 2000 and
228 228 * performance testing. March 2003.
229 229 */
230 230 static uint32_t smb_dos_tcp_rcvbuf = 8700;
231 231 static uint32_t smb_nt_tcp_rcvbuf = 1048560; /* scale factor of 4 */
232 232
233 233 /*
234 234 * Maximum number of simultaneously pending SMB requests allowed on
235 235 * one connection. This is like "credits" in SMB2, but SMB1 uses a
236 236 * fixed limit, having no way to request an increase like SMB2 does.
237 237 * Note: Some older clients only handle the low byte of this value,
238 238 * so this value should be less than 256.
239 239 */
240 240 static uint16_t smb_maxmpxcount = 64;
241 241
242 242 static int smb_xlate_dialect(const char *);
243 243
244 244 /*
245 245 * "Capabilities" offered by SMB1 Negotiate Protocol.
246 246 * See smb.h for descriptions.
247 247 *
248 248 * CAP_RAW_MODE, CAP_MPX_MODE are obsolete.
249 249 * UNICODE support is required for long share names,
250 250 * long file names and streams.
251 251 *
252 252 * For testing, one can patch this, i.e. remove the high bit to
253 253 * temporarily disable extended security, etc.
254 254 */
255 255 uint32_t smb1srv_capabilities =
256 256 CAP_UNICODE |
257 257 CAP_LARGE_FILES |
258 258 CAP_NT_SMBS |
259 259 CAP_RPC_REMOTE_APIS |
260 260 CAP_STATUS32 |
261 261 CAP_LEVEL_II_OPLOCKS |
262 262 CAP_LOCK_AND_READ |
263 263 CAP_NT_FIND |
264 264 CAP_DFS |
265 265 CAP_INFOLEVEL_PASSTHRU |
266 266 CAP_LARGE_READX |
267 267 CAP_LARGE_WRITEX |
268 268 CAP_EXTENDED_SECURITY;
269 269
270 270 /*
271 271 * SMB Negotiate gets special handling. This is called directly by
272 272 * the reader thread (see smbsr_newrq_initial) with what _should_ be
|
↓ open down ↓ |
239 lines elided |
↑ open up ↑ |
273 273 * an SMB1 Negotiate. Only the "\ffSMB" header has been checked
274 274 * when this is called, so this needs to check the SMB command,
275 275 * if it's Negotiate execute it, then send the reply, etc.
276 276 *
277 277 * Since this is called directly from the reader thread, we
278 278 * know this is the only thread currently using this session.
279 279 * This has to duplicate some of what smb1sr_work does as a
280 280 * result of bypassing the normal dispatch mechanism.
281 281 *
282 282 * The caller always frees this request.
283 + *
284 + * Return value is 0 for success, and anything else will
285 + * terminate the reader thread (drop the connection).
283 286 */
284 287 int
285 288 smb1_newrq_negotiate(smb_request_t *sr)
286 289 {
287 290 smb_sdrc_t sdrc;
288 291 uint16_t pid_hi, pid_lo;
289 292
290 293 /*
291 294 * Decode the header
292 295 */
293 296 if (smb_mbc_decodef(&sr->command, SMB_HEADER_ED_FMT,
294 297 &sr->smb_com,
295 298 &sr->smb_rcls,
296 299 &sr->smb_reh,
297 300 &sr->smb_err,
298 301 &sr->smb_flg,
299 302 &sr->smb_flg2,
300 303 &pid_hi,
301 304 sr->smb_sig,
302 305 &sr->smb_tid,
303 306 &pid_lo,
304 307 &sr->smb_uid,
305 308 &sr->smb_mid) != 0)
306 309 return (-1);
307 310 if (sr->smb_com != SMB_COM_NEGOTIATE)
308 311 return (-1);
309 312
310 313 sr->smb_pid = (pid_hi << 16) | pid_lo;
311 314
312 315 /*
313 316 * Reserve space for the reply header.
314 317 */
315 318 (void) smb_mbc_encodef(&sr->reply, "#.", SMB_HEADER_LEN);
316 319 sr->first_smb_com = sr->smb_com;
317 320
318 321 if (smb_mbc_decodef(&sr->command, "b", &sr->smb_wct) != 0)
319 322 return (-1);
320 323 (void) MBC_SHADOW_CHAIN(&sr->smb_vwv, &sr->command,
321 324 sr->command.chain_offset, sr->smb_wct * 2);
322 325
323 326 if (smb_mbc_decodef(&sr->command, "#.w", sr->smb_wct*2, &sr->smb_bcc))
324 327 return (-1);
325 328 (void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command,
326 329 sr->command.chain_offset, sr->smb_bcc);
327 330
328 331 sr->command.chain_offset += sr->smb_bcc;
329 332 if (sr->command.chain_offset > sr->command.max_bytes)
330 333 return (-1);
331 334
332 335 /* Store pointers for later */
333 336 sr->cur_reply_offset = sr->reply.chain_offset;
334 337
335 338 sdrc = smb_pre_negotiate(sr);
336 339 if (sdrc == SDRC_SUCCESS)
337 340 sdrc = smb_com_negotiate(sr);
338 341 smb_post_negotiate(sr);
339 342
340 343 if (sdrc != SDRC_NO_REPLY)
341 344 smbsr_send_reply(sr);
342 345 if (sdrc == SDRC_DROP_VC)
343 346 return (-1);
344 347
345 348 return (0);
346 349 }
347 350
348 351 smb_sdrc_t
349 352 smb_pre_negotiate(smb_request_t *sr)
350 353 {
351 354 smb_kmod_cfg_t *skc;
352 355 smb_arg_negotiate_t *negprot;
353 356 int dialect;
354 357 int pos;
355 358 int rc = 0;
356 359
357 360 skc = &sr->session->s_cfg;
358 361 negprot = smb_srm_zalloc(sr, sizeof (smb_arg_negotiate_t));
359 362 negprot->ni_index = -1;
360 363 sr->sr_negprot = negprot;
361 364
362 365 for (pos = 0; smbsr_decode_data_avail(sr); pos++) {
363 366 if (smbsr_decode_data(sr, "%L", sr, &negprot->ni_name) != 0) {
364 367 smbsr_error(sr, 0, ERRSRV, ERRerror);
365 368 rc = -1;
366 369 break;
367 370 }
368 371
|
↓ open down ↓ |
76 lines elided |
↑ open up ↑ |
369 372 if ((dialect = smb_xlate_dialect(negprot->ni_name)) < 0)
370 373 continue;
371 374
372 375 /*
373 376 * Conditionally recognize the SMB2 dialects.
374 377 */
375 378 if (dialect >= DIALECT_SMB2002 &&
376 379 skc->skc_max_protocol < SMB_VERS_2_BASE)
377 380 continue;
378 381
382 + /*
383 + * We may not support SMB1; skip those dialects if true.
384 + */
385 + if (dialect < DIALECT_SMB2002 &&
386 + skc->skc_min_protocol > SMB_VERS_1)
387 + continue;
388 +
389 + if (dialect == DIALECT_SMB2002 &&
390 + skc->skc_min_protocol > SMB_VERS_2_002)
391 + continue;
392 +
379 393 if (negprot->ni_dialect < dialect) {
380 394 negprot->ni_dialect = dialect;
381 395 negprot->ni_index = pos;
382 396 }
383 397 }
384 398
385 - DTRACE_SMB_2(op__Negotiate__start, smb_request_t *, sr,
386 - smb_arg_negotiate_t, negprot);
399 + DTRACE_SMB_START(op__Negotiate, smb_request_t *, sr);
387 400
388 401 return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
389 402 }
390 403
391 404 void
392 405 smb_post_negotiate(smb_request_t *sr)
393 406 {
394 407 smb_arg_negotiate_t *negprot = sr->sr_negprot;
395 408
396 - DTRACE_SMB_2(op__Negotiate__done, smb_request_t *, sr,
397 - smb_arg_negotiate_t, negprot);
409 + DTRACE_SMB_DONE(op__Negotiate, smb_request_t *, sr);
398 410
399 411 bzero(negprot, sizeof (smb_arg_negotiate_t));
400 412 }
401 413
402 414 smb_sdrc_t
403 415 smb_com_negotiate(smb_request_t *sr)
404 416 {
405 417 smb_session_t *session = sr->session;
406 418 smb_arg_negotiate_t *negprot = sr->sr_negprot;
407 419 uint16_t secmode;
408 420 uint32_t sesskey;
409 421 char *nbdomain;
410 422 uint8_t *wcbuf;
|
↓ open down ↓ |
3 lines elided |
↑ open up ↑ |
411 423 int wclen;
412 424 smb_msgbuf_t mb;
413 425 int rc;
414 426
415 427 if (session->s_state != SMB_SESSION_STATE_ESTABLISHED) {
416 428 /* The protocol has already been negotiated. */
417 429 smbsr_error(sr, 0, ERRSRV, ERRerror);
418 430 return (SDRC_ERROR);
419 431 }
420 432
433 + if (negprot->ni_index < 0) {
434 + cmn_err(CE_NOTE, "clnt %s no supported dialect",
435 + sr->session->ip_addr_str);
436 + smbsr_error(sr, 0, ERRSRV, ERRerror);
437 + return (SDRC_DROP_VC);
438 + }
439 +
421 440 /*
422 441 * Special case for negotiating SMB2 from SMB1. The client
423 442 * includes the "SMB 2..." dialects in the SMB1 negotiate,
424 443 * and if SMB2 is enabled, we choose one of those and then
425 444 * send an SMB2 reply to that SMB1 request. Yes, it's very
426 445 * strange, but this SMB1 request can have an SMB2 reply!
427 446 * To accomplish this, we let the SMB2 code send the reply
428 447 * and return the special code SDRC_NO_REPLY to the SMB1
429 448 * dispatch logic so it will NOT send an SMB1 reply.
430 449 * (Or possibly send an SMB1 error reply.)
431 450 */
432 451 if (negprot->ni_dialect >= DIALECT_SMB2002) {
433 452 rc = smb1_negotiate_smb2(sr);
434 453 ASSERT(rc == SDRC_NO_REPLY ||
435 454 rc == SDRC_DROP_VC || rc == SDRC_ERROR);
436 455 return (rc);
437 456 }
438 457
439 - session->secmode = NEGOTIATE_ENCRYPT_PASSWORDS |
458 + session->srv_secmode = NEGOTIATE_ENCRYPT_PASSWORDS |
440 459 NEGOTIATE_USER_SECURITY;
441 - secmode = session->secmode;
460 + secmode = session->srv_secmode;
442 461 sesskey = session->sesskey;
443 462
444 463 negprot->ni_servertime.tv_sec = gethrestime_sec();
445 464 negprot->ni_servertime.tv_nsec = 0;
446 465 negprot->ni_tzcorrection = sr->sr_gmtoff / 60;
447 466 negprot->ni_maxmpxcount = smb_maxmpxcount;
448 467 negprot->ni_keylen = SMB_CHALLENGE_SZ;
449 468 bcopy(&session->challenge_key, negprot->ni_key, SMB_CHALLENGE_SZ);
450 469 nbdomain = sr->sr_cfg->skc_nbdomain;
451 470
452 471 negprot->ni_capabilities = smb1srv_capabilities;
453 472
454 473 switch (negprot->ni_dialect) {
455 474 case PC_NETWORK_PROGRAM_1_0: /* core */
456 475 (void) ksocket_setsockopt(session->sock, SOL_SOCKET,
457 476 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
458 477 sizeof (smb_dos_tcp_rcvbuf), CRED());
459 478 rc = smbsr_encode_result(sr, 1, 0, "bww", 1,
460 479 negprot->ni_index, 0);
461 480 break;
462 481
463 482 case Windows_for_Workgroups_3_1a:
464 483 case PCLAN1_0:
465 484 case MICROSOFT_NETWORKS_1_03:
466 485 case MICROSOFT_NETWORKS_3_0:
467 486 case LANMAN1_0:
468 487 case LM1_2X002:
469 488 case DOS_LM1_2X002:
470 489 (void) ksocket_setsockopt(session->sock, SOL_SOCKET,
471 490 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
472 491 sizeof (smb_dos_tcp_rcvbuf), CRED());
473 492 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
474 493 rc = smbsr_encode_result(sr, 13, VAR_BCC,
475 494 "bwwwwwwlYww2.w#c",
476 495 13, /* wct */
477 496 negprot->ni_index, /* dialect index */
478 497 secmode, /* security mode */
479 498 SMB_DOS_MAXBUF, /* max buffer size */
480 499 1, /* max MPX */
481 500 1, /* max VCs */
482 501 0, /* read/write raw */
483 502 sesskey, /* session key */
484 503 negprot->ni_servertime.tv_sec, /* server date/time */
485 504 negprot->ni_tzcorrection,
486 505 (uint16_t)negprot->ni_keylen, /* encryption key length */
487 506 /* reserved field handled 2. */
488 507 VAR_BCC,
489 508 (int)negprot->ni_keylen,
490 509 negprot->ni_key); /* encryption key */
491 510 break;
492 511
493 512 case DOS_LANMAN2_1:
494 513 case LANMAN2_1:
495 514 (void) ksocket_setsockopt(session->sock, SOL_SOCKET,
496 515 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
497 516 sizeof (smb_dos_tcp_rcvbuf), CRED());
498 517 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
499 518 rc = smbsr_encode_result(sr, 13, VAR_BCC,
500 519 "bwwwwwwlYww2.w#cs",
501 520 13, /* wct */
502 521 negprot->ni_index, /* dialect index */
503 522 secmode, /* security mode */
504 523 SMB_DOS_MAXBUF, /* max buffer size */
505 524 1, /* max MPX */
506 525 1, /* max VCs */
507 526 0, /* read/write raw */
508 527 sesskey, /* session key */
509 528 negprot->ni_servertime.tv_sec, /* server date/time */
510 529 negprot->ni_tzcorrection,
511 530 (uint16_t)negprot->ni_keylen, /* encryption key length */
512 531 /* reserved field handled 2. */
513 532 VAR_BCC,
514 533 (int)negprot->ni_keylen,
515 534 negprot->ni_key, /* encryption key */
516 535 nbdomain);
517 536 break;
518 537
519 538 case NT_LM_0_12:
520 539 (void) ksocket_setsockopt(session->sock, SOL_SOCKET,
521 540 SO_RCVBUF, (const void *)&smb_nt_tcp_rcvbuf,
522 541 sizeof (smb_nt_tcp_rcvbuf), CRED());
523 542
|
↓ open down ↓ |
72 lines elided |
↑ open up ↑ |
524 543 /*
525 544 * Allow SMB signatures if using encrypted passwords
526 545 */
527 546 if ((secmode & NEGOTIATE_ENCRYPT_PASSWORDS) &&
528 547 sr->sr_cfg->skc_signing_enable) {
529 548 secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
530 549 if (sr->sr_cfg->skc_signing_required)
531 550 secmode |=
532 551 NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
533 552
534 - session->secmode = secmode;
553 + session->srv_secmode = secmode;
535 554 }
536 555
537 556 /*
538 557 * Does the client want Extended Security?
539 558 * (and if we have it enabled)
540 559 * If so, handle as if a different dialect.
541 560 */
542 561 if ((sr->smb_flg2 & SMB_FLAGS2_EXT_SEC) != 0 &&
543 562 (negprot->ni_capabilities & CAP_EXTENDED_SECURITY) != 0)
544 563 goto NT_LM_0_12_ext_sec;
545 564
546 565 /* Else deny knowledge of extended security. */
547 566 sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC;
548 567 negprot->ni_capabilities &= ~CAP_EXTENDED_SECURITY;
549 568
550 569 /*
551 570 * nbdomain is not expected to be aligned.
552 571 * Use temporary buffer to avoid alignment padding
553 572 */
554 573 wclen = smb_wcequiv_strlen(nbdomain) + sizeof (smb_wchar_t);
555 574 wcbuf = smb_srm_zalloc(sr, wclen);
556 575 smb_msgbuf_init(&mb, wcbuf, wclen, SMB_MSGBUF_UNICODE);
557 576 if (smb_msgbuf_encode(&mb, "U", nbdomain) < 0) {
558 577 smb_msgbuf_term(&mb);
559 578 smbsr_error(sr, 0, ERRSRV, ERRerror);
560 579 return (SDRC_ERROR);
561 580 }
562 581
563 582 rc = smbsr_encode_result(sr, 17, VAR_BCC,
564 583 "bwbwwllllTwbw#c#c",
565 584 17, /* wct */
566 585 negprot->ni_index, /* dialect index */
567 586 secmode, /* security mode */
568 587 negprot->ni_maxmpxcount, /* max MPX */
569 588 1, /* max VCs */
570 589 (DWORD)smb_maxbufsize, /* max buffer size */
571 590 0xFFFF, /* max raw size */
572 591 sesskey, /* session key */
573 592 negprot->ni_capabilities,
574 593 &negprot->ni_servertime, /* system time */
575 594 negprot->ni_tzcorrection,
576 595 negprot->ni_keylen, /* encryption key length */
577 596 VAR_BCC,
578 597 (int)negprot->ni_keylen,
579 598 negprot->ni_key, /* encryption key */
580 599 wclen,
581 600 wcbuf); /* nbdomain (unicode) */
582 601
583 602 smb_msgbuf_term(&mb);
584 603 break;
585 604
586 605 NT_LM_0_12_ext_sec:
587 606 /*
588 607 * This is the "Extended Security" variant of
589 608 * dialect NT_LM_0_12.
590 609 */
591 610 rc = smbsr_encode_result(sr, 17, VAR_BCC,
592 611 "bwbwwllllTwbw#c#c",
593 612 17, /* wct */
594 613 negprot->ni_index, /* dialect index */
595 614 secmode, /* security mode */
596 615 negprot->ni_maxmpxcount, /* max MPX */
597 616 1, /* max VCs */
598 617 (DWORD)smb_maxbufsize, /* max buffer size */
599 618 0xFFFF, /* max raw size */
600 619 sesskey, /* session key */
601 620 negprot->ni_capabilities,
602 621 &negprot->ni_servertime, /* system time */
603 622 negprot->ni_tzcorrection,
604 623 0, /* encryption key length (MBZ) */
605 624 VAR_BCC,
606 625 UUID_LEN,
607 626 sr->sr_cfg->skc_machine_uuid,
608 627 sr->sr_cfg->skc_negtok_len,
609 628 sr->sr_cfg->skc_negtok);
610 629 break;
611 630
612 631
613 632 default:
614 633 rc = smbsr_encode_result(sr, 1, 0, "bww", 1, -1, 0);
615 634 break;
616 635 }
617 636
618 637 if (rc != 0)
619 638 return (SDRC_ERROR);
620 639
621 640 /*
622 641 * Save the agreed dialect. Note that the state is also
623 642 * used to detect and reject attempts to re-negotiate.
624 643 */
625 644 session->dialect = negprot->ni_dialect;
626 645 session->s_state = SMB_SESSION_STATE_NEGOTIATED;
627 646
628 647 /* Allow normal SMB1 requests now. */
629 648 session->newrq_func = smb1sr_newrq;
630 649
631 650 return (SDRC_SUCCESS);
632 651 }
633 652
634 653 static int
635 654 smb_xlate_dialect(const char *dialect)
636 655 {
637 656 const smb_xlate_t *dp;
638 657 int i;
639 658
640 659 for (i = 0; i < smb_ndialects; ++i) {
641 660 dp = &smb_dialect[i];
642 661
643 662 if (strcmp(dp->str, dialect) == 0)
644 663 return (dp->code);
645 664 }
646 665
647 666 return (-1);
648 667 }
|
↓ open down ↓ |
104 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX