1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
14 */
15
16 /*
17 * Dispatch function for SMB2_NEGOTIATE
18 */
19
20 #include <smbsrv/smb2_kproto.h>
21 #include <smbsrv/smb2.h>
22
23 static int smb2_negotiate_common(smb_request_t *, uint16_t);
24
25 uint32_t smb2srv_capabilities =
26 SMB2_CAP_DFS |
27 SMB2_CAP_LARGE_MTU;
28
29 /*
30 * These are not intended as customer tunables, but dev. & test folks
31 * might want to adjust them (with caution).
32 *
33 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket
34 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size.
35 * This is also used as a "sanity limit" for internal send/reply message
36 * allocations. Note that with compounding SMB2 messages may contain
37 * multiple requests/responses. This size should be large enough for
38 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize.
39 *
40 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell
41 * the client the largest read and write request size we'll support.
42 * One megabyte is a compromise between efficiency on fast networks
43 * and memory consumption (for the buffers) on the server side.
44 *
45 * smb2_max_trans is the largest "transact" send or receive, which is
46 * used for directory listings and info set/get operations.
47 */
48 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */
49 uint32_t smb2_max_rwsize = (1<<20); /* 1MB */
50 uint32_t smb2_max_trans = (1<<16); /* 64KB */
51
52 /*
53 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
54 * (including all clients using dialect < SMB 2.1), use a "conservative" value
55 * for max r/w size because some older clients misbehave with larger values.
56 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x
57 * Support) as the minimum so we'll use that.
58 */
59 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */
60
61 /*
62 * List of all SMB2 versions we implement. Note that the
63 * highest version we support may be limited by the
64 * _cfg.skc_max_protocol setting.
65 */
66 static uint16_t smb2_versions[] = {
67 0x202, /* SMB 2.002 */
68 0x210, /* SMB 2.1 */
69 };
70 static uint16_t smb2_nversions =
71 sizeof (smb2_versions) / sizeof (smb2_versions[0]);
72
73 static boolean_t
74 smb2_supported_version(smb_session_t *s, uint16_t version)
75 {
76 int i;
77
78 if (version > s->s_cfg.skc_max_protocol)
79 return (B_FALSE);
80 for (i = 0; i < smb2_nversions; i++)
81 if (version == smb2_versions[i])
82 return (B_TRUE);
83 return (B_FALSE);
84 }
85
86 /*
87 * Helper for the (SMB1) smb_com_negotiate(). This is the
88 * very unusual protocol interaction where an SMB1 negotiate
89 * gets an SMB2 negotiate response. This is the normal way
90 * clients first find out if the server supports SMB2.
91 *
92 * Note: This sends an SMB2 reply _itself_ and then returns
93 * SDRC_NO_REPLY so the caller will not send an SMB1 reply.
94 * Also, this is called directly from the reader thread, so
95 * we know this is the only thread using this session.
96 *
97 * The caller frees this request.
98 */
99 smb_sdrc_t
100 smb1_negotiate_smb2(smb_request_t *sr)
101 {
102 smb_session_t *s = sr->session;
103 smb_arg_negotiate_t *negprot = sr->sr_negprot;
104 uint16_t smb2_version;
105 uint16_t secmode2;
106 int rc;
107
108 /*
109 * Note: In the SMB1 negotiate command handler, we
110 * agreed with one of the SMB2 dialects. If that
111 * dialect was "SMB 2.002", we'll respond here with
112 * version 0x202 and negotiation is done. If that
113 * dialect was "SMB 2.???", we'll respond here with
114 * the "wildcard" version 0x2FF, and the client will
115 * come back with an SMB2 negotiate.
116 */
117 switch (negprot->ni_dialect) {
118 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */
119 smb2_version = 0x202;
120 s->dialect = smb2_version;
121 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
122 /* Allow normal SMB2 requests now. */
123 s->newrq_func = smb2sr_newrq;
124
125 /*
126 * Translate SMB1 sec. mode to SMB2.
127 */
128 secmode2 = 0;
129 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)
130 secmode2 |= SMB2_NEGOTIATE_SIGNING_ENABLED;
131 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)
132 secmode2 |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
133 s->secmode = secmode2;
134 break;
135 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */
136 /*
137 * Expecting an SMB2 negotiate next, so keep the
138 * initial s->newrq_func. Note that secmode is
139 * fiction good enough to pass the signing check
140 * in smb2_negotiate_common(). We'll check the
141 * real secmode when the 2nd negotiate comes.
142 */
143 smb2_version = 0x2FF;
144 s->secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
145 break;
146 default:
147 return (SDRC_DROP_VC);
148 }
149
150 /*
151 * We did not decode an SMB2 header, so make sure
152 * the SMB2 header fields are initialized.
153 * (Most are zero from smb_request_alloc.)
154 * Also, the SMB1 common dispatch code reserved space
155 * for an SMB1 header, which we need to undo here.
156 */
157 sr->smb2_reply_hdr = sr->reply.chain_offset = 0;
158 sr->smb2_cmd_code = SMB2_NEGOTIATE;
159
160 rc = smb2_negotiate_common(sr, smb2_version);
161 if (rc != 0)
162 return (SDRC_DROP_VC);
163
164 return (SDRC_NO_REPLY);
165 }
166
167 /*
168 * SMB2 Negotiate gets special handling. This is called directly by
169 * the reader thread (see smbsr_newrq_initial) with what _should_ be
170 * an SMB2 Negotiate. Only the "\feSMB" header has been checked
171 * when this is called, so this needs to check the SMB command,
172 * if it's Negotiate execute it, then send the reply, etc.
173 *
174 * Since this is called directly from the reader thread, we
175 * know this is the only thread currently using this session.
176 * This has to duplicate some of what smb2sr_work does as a
177 * result of bypassing the normal dispatch mechanism.
178 *
179 * The caller always frees this request.
180 */
181 int
182 smb2_newrq_negotiate(smb_request_t *sr)
183 {
184 smb_session_t *s = sr->session;
185 int i, rc;
186 uint16_t struct_size;
187 uint16_t best_version;
188 uint16_t version_cnt;
189 uint16_t cl_versions[8];
190
191 sr->smb2_cmd_hdr = sr->command.chain_offset;
192 rc = smb2_decode_header(sr);
193 if (rc != 0)
194 return (rc);
195
196 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
197 (sr->smb2_next_command != 0))
198 return (SDRC_DROP_VC);
199
200 /*
201 * Decode SMB2 Negotiate (fixed-size part)
202 */
203 rc = smb_mbc_decodef(
204 &sr->command, "www..l16.8.",
205 &struct_size, /* w */
206 &version_cnt, /* w */
207 &s->secmode, /* w */
208 /* reserved (..) */
209 &s->capabilities); /* l */
210 /* clnt_uuid 16. */
211 /* start_time 8. */
212 if (rc != 0)
213 return (rc);
214 if (struct_size != 36 || version_cnt > 8)
215 return (SDRC_DROP_VC);
216
217 /*
218 * Decode SMB2 Negotiate (variable part)
219 */
220 rc = smb_mbc_decodef(&sr->command,
221 "#w", version_cnt, cl_versions);
222 if (rc != 0)
223 return (SDRC_DROP_VC);
224
225 /*
226 * The client offers an array of protocol versions it
227 * supports, which we have decoded into cl_versions[].
228 * We walk the array and pick the highest supported.
229 */
230 best_version = 0;
231 for (i = 0; i < version_cnt; i++)
232 if (smb2_supported_version(s, cl_versions[i]) &&
233 best_version < cl_versions[i])
234 best_version = cl_versions[i];
235 if (best_version == 0)
236 return (SDRC_DROP_VC);
237 s->dialect = best_version;
238
239 /* Allow normal SMB2 requests now. */
240 s->s_state = SMB_SESSION_STATE_NEGOTIATED;
241 s->newrq_func = smb2sr_newrq;
242
243 rc = smb2_negotiate_common(sr, best_version);
244 if (rc != 0)
245 return (SDRC_DROP_VC);
246
247 return (0);
248 }
249
250 /*
251 * Common parts of SMB2 Negotiate, used for both the
252 * SMB1-to-SMB2 style, and straight SMB2 style.
253 * Do negotiation decisions, encode, send the reply.
254 */
255 static int
256 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
257 {
258 timestruc_t boot_tv, now_tv;
259 smb_session_t *s = sr->session;
260 int rc;
261 uint32_t max_rwsize;
262 uint16_t secmode;
263
264 sr->smb2_status = 0;
265
266 /*
267 * Negotiation itself. First the Security Mode.
268 * The caller stashed the client's secmode in s->secmode,
269 * which we validate, and then replace with the server's
270 * secmode, which is all we care about after this.
271 */
272 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
273 if (sr->sr_cfg->skc_signing_required) {
274 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
275 /* Make sure client at least enables signing. */
276 if ((s->secmode & secmode) == 0) {
277 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
278 }
279 }
280 s->secmode = secmode;
281
282 s->cmd_max_bytes = smb2_tcp_bufsize;
283 s->reply_max_bytes = smb2_tcp_bufsize;
284
285 /*
286 * "The number of credits held by the client MUST be considered
287 * as 1 when the connection is established." [MS-SMB2]
288 * We leave credits at 1 until the first successful
289 * session setup is completed.
290 */
291 s->s_cur_credits = s->s_max_credits = 1;
292 sr->smb2_credit_response = 1;
293
294 boot_tv.tv_sec = smb_get_boottime();
295 boot_tv.tv_nsec = 0;
296 now_tv.tv_sec = gethrestime_sec();
297 now_tv.tv_nsec = 0;
298
299 /*
300 * SMB2 negotiate reply
301 */
302 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR;
303 (void) smb2_encode_header(sr, B_FALSE);
304 if (sr->smb2_status != 0) {
305 smb2sr_put_error(sr, sr->smb2_status);
306 smb2_send_reply(sr);
307 return (-1); /* will drop */
308 }
309
310 /*
311 * See notes above smb2_max_rwsize, smb2_old_rwsize
312 */
313 if (s->capabilities & SMB2_CAP_LARGE_MTU)
314 max_rwsize = smb2_max_rwsize;
315 else
316 max_rwsize = smb2_old_rwsize;
317
318 rc = smb_mbc_encodef(
319 &sr->reply,
320 "wwww#cllllTTwwl#c",
321 65, /* StructSize */ /* w */
322 s->secmode, /* w */
323 version, /* w */
324 0, /* reserved */ /* w */
325 UUID_LEN, /* # */
326 &s->s_cfg.skc_machine_uuid, /* c */
327 smb2srv_capabilities, /* l */
328 smb2_max_trans, /* l */
329 max_rwsize, /* l */
330 max_rwsize, /* l */
331 &now_tv, /* T */
332 &boot_tv, /* T */
333 128, /* SecBufOff */ /* w */
334 sr->sr_cfg->skc_negtok_len, /* w */
335 0, /* reserved */ /* l */
336 sr->sr_cfg->skc_negtok_len, /* # */
337 sr->sr_cfg->skc_negtok); /* c */
338
339 smb2_send_reply(sr);
340
341 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
342 SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
343 sizeof (smb2_tcp_bufsize), CRED());
344 (void) ksocket_setsockopt(s->sock, SOL_SOCKET,
345 SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
346 sizeof (smb2_tcp_bufsize), CRED());
347
348 return (rc);
349 }
350
351 /*
352 * SMB2 Dispatch table handler, which will run if we see an
353 * SMB2_NEGOTIATE after the initial negotiation is done.
354 * That would be a protocol error.
355 */
356 smb_sdrc_t
357 smb2_negotiate(smb_request_t *sr)
358 {
359 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
360 return (SDRC_ERROR);
361 }
362
363 /*
364 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6
365 */
366 uint32_t
367 smb2_fsctl_vneginfo(smb_request_t *sr, smb_fsctl_t *fsctl)
368 {
369 smb_session_t *s = sr->session;
370 int rc;
371
372 /*
373 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here
374 * and verify that the original negotiate was not modified.
375 * The only tampering we need worry about is secmode, and
376 * we're not taking that from the client, so don't bother.
377 *
378 * One interesting requirement here is that we MUST reply
379 * with exactly the same information as we returned in our
380 * original reply to the SMB2 negotiate on this session.
381 * If we don't the client closes the connection.
382 */
383
384 rc = smb_mbc_encodef(
385 fsctl->out_mbc, "l#cww",
386 smb2srv_capabilities, /* l */
387 UUID_LEN, /* # */
388 &s->s_cfg.skc_machine_uuid, /* c */
389 s->secmode, /* w */
390 s->dialect); /* w */
391 if (rc)
392 return (NT_STATUS_INTERNAL_ERROR);
393
394 return (0);
395 }