1 /* 2 * This file and its contents are supplied under the terms of the 3 * Common Development and Distribution License ("CDDL"), version 1.0. 4 * You may only use this file in accordance with the terms of version 5 * 1.0 of the CDDL. 6 * 7 * A full copy of the text of the CDDL should have accompanied this 8 * source. A copy of the CDDL is also available via the Internet at 9 * http://www.illumos.org/license/CDDL. 10 */ 11 12 /* 13 * Copyright 2015 Nexenta Systems, Inc. All rights reserved. 14 */ 15 16 /* 17 * Dispatch function for SMB2_NEGOTIATE 18 */ 19 20 #include <smbsrv/smb2_kproto.h> 21 #include <smbsrv/smb2.h> 22 23 static int smb2_negotiate_common(smb_request_t *, uint16_t); 24 25 uint32_t smb2srv_capabilities = 26 SMB2_CAP_DFS | 27 SMB2_CAP_LARGE_MTU; 28 29 /* 30 * These are not intended as customer tunables, but dev. & test folks 31 * might want to adjust them (with caution). 32 * 33 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket 34 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size. 35 * This is also used as a "sanity limit" for internal send/reply message 36 * allocations. Note that with compounding SMB2 messages may contain 37 * multiple requests/responses. This size should be large enough for 38 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize. 39 * 40 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell 41 * the client the largest read and write request size we'll support. 42 * One megabyte is a compromise between efficiency on fast networks 43 * and memory consumption (for the buffers) on the server side. 44 * 45 * smb2_max_trans is the largest "transact" send or receive, which is 46 * used for directory listings and info set/get operations. 47 */ 48 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */ 49 uint32_t smb2_max_rwsize = (1<<20); /* 1MB */ 50 uint32_t smb2_max_trans = (1<<16); /* 64KB */ 51 52 /* 53 * List of all SMB2 versions we implement. Note that the 54 * highest version we support may be limited by the 55 * _cfg.skc_max_protocol setting. 56 */ 57 static uint16_t smb2_versions[] = { 58 0x202, /* SMB 2.002 */ 59 0x210, /* SMB 2.1 */ 60 }; 61 static uint16_t smb2_nversions = 62 sizeof (smb2_versions) / sizeof (smb2_versions[0]); 63 64 static boolean_t 65 smb2_supported_version(smb_session_t *s, uint16_t version) 66 { 67 int i; 68 69 if (version > s->s_cfg.skc_max_protocol) 70 return (B_FALSE); 71 for (i = 0; i < smb2_nversions; i++) 72 if (version == smb2_versions[i]) 73 return (B_TRUE); 74 return (B_FALSE); 75 } 76 77 /* 78 * Helper for the (SMB1) smb_com_negotiate(). This is the 79 * very unusual protocol interaction where an SMB1 negotiate 80 * gets an SMB2 negotiate response. This is the normal way 81 * clients first find out if the server supports SMB2. 82 * 83 * Note: This sends an SMB2 reply _itself_ and then returns 84 * SDRC_NO_REPLY so the caller will not send an SMB1 reply. 85 * Also, this is called directly from the reader thread, so 86 * we know this is the only thread using this session. 87 * 88 * The caller frees this request. 89 */ 90 smb_sdrc_t 91 smb1_negotiate_smb2(smb_request_t *sr) 92 { 93 smb_session_t *s = sr->session; 94 smb_arg_negotiate_t *negprot = sr->sr_negprot; 95 uint16_t smb2_version; 96 uint16_t secmode2; 97 int rc; 98 99 /* 100 * Note: In the SMB1 negotiate command handler, we 101 * agreed with one of the SMB2 dialects. If that 102 * dialect was "SMB 2.002", we'll respond here with 103 * version 0x202 and negotiation is done. If that 104 * dialect was "SMB 2.???", we'll respond here with 105 * the "wildcard" version 0x2FF, and the client will 106 * come back with an SMB2 negotiate. 107 */ 108 switch (negprot->ni_dialect) { 109 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */ 110 smb2_version = 0x202; 111 s->dialect = smb2_version; 112 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 113 /* Allow normal SMB2 requests now. */ 114 s->newrq_func = smb2sr_newrq; 115 116 /* 117 * Translate SMB1 sec. mode to SMB2. 118 */ 119 secmode2 = 0; 120 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) 121 secmode2 |= SMB2_NEGOTIATE_SIGNING_ENABLED; 122 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) 123 secmode2 |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 124 s->secmode = secmode2; 125 break; 126 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */ 127 /* 128 * Expecting an SMB2 negotiate next, so keep the 129 * initial s->newrq_func. Note that secmode is 130 * fiction good enough to pass the signing check 131 * in smb2_negotiate_common(). We'll check the 132 * real secmode when the 2nd negotiate comes. 133 */ 134 smb2_version = 0x2FF; 135 s->secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 136 break; 137 default: 138 return (SDRC_DROP_VC); 139 } 140 141 /* 142 * We did not decode an SMB2 header, so make sure 143 * the SMB2 header fields are initialized. 144 * (Most are zero from smb_request_alloc.) 145 * Also, the SMB1 common dispatch code reserved space 146 * for an SMB1 header, which we need to undo here. 147 */ 148 sr->smb2_reply_hdr = sr->reply.chain_offset = 0; 149 sr->smb2_cmd_code = SMB2_NEGOTIATE; 150 151 rc = smb2_negotiate_common(sr, smb2_version); 152 if (rc != 0) 153 return (SDRC_DROP_VC); 154 155 return (SDRC_NO_REPLY); 156 } 157 158 /* 159 * SMB2 Negotiate gets special handling. This is called directly by 160 * the reader thread (see smbsr_newrq_initial) with what _should_ be 161 * an SMB2 Negotiate. Only the "\feSMB" header has been checked 162 * when this is called, so this needs to check the SMB command, 163 * if it's Negotiate execute it, then send the reply, etc. 164 * 165 * Since this is called directly from the reader thread, we 166 * know this is the only thread currently using this session. 167 * This has to duplicate some of what smb2sr_work does as a 168 * result of bypassing the normal dispatch mechanism. 169 * 170 * The caller always frees this request. 171 */ 172 int 173 smb2_newrq_negotiate(smb_request_t *sr) 174 { 175 smb_session_t *s = sr->session; 176 int i, rc; 177 uint16_t struct_size; 178 uint16_t best_version; 179 uint16_t version_cnt; 180 uint16_t cl_versions[8]; 181 182 sr->smb2_cmd_hdr = sr->command.chain_offset; 183 rc = smb2_decode_header(sr); 184 if (rc != 0) 185 return (rc); 186 187 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) || 188 (sr->smb2_next_command != 0)) 189 return (SDRC_DROP_VC); 190 191 /* 192 * Decode SMB2 Negotiate (fixed-size part) 193 */ 194 rc = smb_mbc_decodef( 195 &sr->command, "www..l16.8.", 196 &struct_size, /* w */ 197 &version_cnt, /* w */ 198 &s->secmode, /* w */ 199 /* reserved (..) */ 200 &s->capabilities); /* l */ 201 /* clnt_uuid 16. */ 202 /* start_time 8. */ 203 if (rc != 0) 204 return (rc); 205 if (struct_size != 36 || version_cnt > 8) 206 return (SDRC_DROP_VC); 207 208 /* 209 * Decode SMB2 Negotiate (variable part) 210 */ 211 rc = smb_mbc_decodef(&sr->command, 212 "#w", version_cnt, cl_versions); 213 if (rc != 0) 214 return (SDRC_DROP_VC); 215 216 /* 217 * The client offers an array of protocol versions it 218 * supports, which we have decoded into cl_versions[]. 219 * We walk the array and pick the highest supported. 220 */ 221 best_version = 0; 222 for (i = 0; i < version_cnt; i++) 223 if (smb2_supported_version(s, cl_versions[i]) && 224 best_version < cl_versions[i]) 225 best_version = cl_versions[i]; 226 if (best_version == 0) 227 return (SDRC_DROP_VC); 228 s->dialect = best_version; 229 230 /* Allow normal SMB2 requests now. */ 231 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 232 s->newrq_func = smb2sr_newrq; 233 234 rc = smb2_negotiate_common(sr, best_version); 235 if (rc != 0) 236 return (SDRC_DROP_VC); 237 238 return (0); 239 } 240 241 /* 242 * Common parts of SMB2 Negotiate, used for both the 243 * SMB1-to-SMB2 style, and straight SMB2 style. 244 * Do negotiation decisions, encode, send the reply. 245 */ 246 static int 247 smb2_negotiate_common(smb_request_t *sr, uint16_t version) 248 { 249 timestruc_t boot_tv, now_tv; 250 smb_session_t *s = sr->session; 251 int rc; 252 uint16_t secmode; 253 254 sr->smb2_status = 0; 255 256 /* 257 * Negotiation itself. First the Security Mode. 258 * The caller stashed the client's secmode in s->secmode, 259 * which we validate, and then replace with the server's 260 * secmode, which is all we care about after this. 261 */ 262 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 263 if (sr->sr_cfg->skc_signing_required) { 264 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 265 /* Make sure client at least enables signing. */ 266 if ((s->secmode & secmode) == 0) { 267 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 268 } 269 } 270 s->secmode = secmode; 271 272 s->cmd_max_bytes = smb2_tcp_bufsize; 273 s->reply_max_bytes = smb2_tcp_bufsize; 274 275 /* 276 * "The number of credits held by the client MUST be considered 277 * as 1 when the connection is established." [MS-SMB2] 278 * We leave credits at 1 until the first successful 279 * session setup is completed. 280 */ 281 s->s_cur_credits = s->s_max_credits = 1; 282 sr->smb2_credit_response = 1; 283 284 boot_tv.tv_sec = smb_get_boottime(); 285 boot_tv.tv_nsec = 0; 286 now_tv.tv_sec = gethrestime_sec(); 287 now_tv.tv_nsec = 0; 288 289 /* 290 * SMB2 negotiate reply 291 */ 292 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR; 293 (void) smb2_encode_header(sr, B_FALSE); 294 if (sr->smb2_status != 0) { 295 smb2sr_put_error(sr, sr->smb2_status); 296 smb2_send_reply(sr); 297 return (-1); /* will drop */ 298 } 299 300 rc = smb_mbc_encodef( 301 &sr->reply, 302 "wwww#cllllTTwwl#c", 303 65, /* StructSize */ /* w */ 304 s->secmode, /* w */ 305 version, /* w */ 306 0, /* reserved */ /* w */ 307 UUID_LEN, /* # */ 308 &s->s_cfg.skc_machine_uuid, /* c */ 309 smb2srv_capabilities, /* l */ 310 smb2_max_trans, /* l */ 311 smb2_max_rwsize, /* l */ 312 smb2_max_rwsize, /* l */ 313 &now_tv, /* T */ 314 &boot_tv, /* T */ 315 128, /* SecBufOff */ /* w */ 316 sr->sr_cfg->skc_negtok_len, /* w */ 317 0, /* reserved */ /* l */ 318 sr->sr_cfg->skc_negtok_len, /* # */ 319 sr->sr_cfg->skc_negtok); /* c */ 320 321 smb2_send_reply(sr); 322 323 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 324 SO_SNDBUF, (const void *)&smb2_tcp_bufsize, 325 sizeof (smb2_tcp_bufsize), CRED()); 326 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 327 SO_RCVBUF, (const void *)&smb2_tcp_bufsize, 328 sizeof (smb2_tcp_bufsize), CRED()); 329 330 return (rc); 331 } 332 333 /* 334 * SMB2 Dispatch table handler, which will run if we see an 335 * SMB2_NEGOTIATE after the initial negotiation is done. 336 * That would be a protocol error. 337 */ 338 smb_sdrc_t 339 smb2_negotiate(smb_request_t *sr) 340 { 341 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 342 return (SDRC_ERROR); 343 } 344 345 /* 346 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6 347 */ 348 uint32_t 349 smb2_fsctl_vneginfo(smb_request_t *sr, smb_fsctl_t *fsctl) 350 { 351 smb_session_t *s = sr->session; 352 int rc; 353 354 /* 355 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here 356 * and verify that the original negotiate was not modified. 357 * The only tampering we need worry about is secmode, and 358 * we're not taking that from the client, so don't bother. 359 * 360 * One interesting requirement here is that we MUST reply 361 * with exactly the same information as we returned in our 362 * original reply to the SMB2 negotiate on this session. 363 * If we don't the client closes the connection. 364 */ 365 366 rc = smb_mbc_encodef( 367 fsctl->out_mbc, "l#cww", 368 smb2srv_capabilities, /* l */ 369 UUID_LEN, /* # */ 370 &s->s_cfg.skc_machine_uuid, /* c */ 371 s->secmode, /* w */ 372 s->dialect); /* w */ 373 if (rc) 374 return (NT_STATUS_INTERNAL_ERROR); 375 376 return (0); 377 } 378