1 /*
2  * This file and its contents are supplied under the terms of the
3  * Common Development and Distribution License ("CDDL"), version 1.0.
4  * You may only use this file in accordance with the terms of version
5  * 1.0 of the CDDL.
6  *
7  * A full copy of the text of the CDDL should have accompanied this
8  * source.  A copy of the CDDL is also available via the Internet at
9  * http://www.illumos.org/license/CDDL.
10  */
11 
12 /*
13  * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
14  */
15 
16 /*
17  * Dispatch function for SMB2_NEGOTIATE
18  */
19 
20 #include <smbsrv/smb2_kproto.h>
21 #include <smbsrv/smb2.h>
22 
23 static int smb2_negotiate_common(smb_request_t *, uint16_t);
24 
25 uint32_t smb2srv_capabilities =
26 	SMB2_CAP_DFS |
27 	SMB2_CAP_LARGE_MTU;
28 
29 /*
30  * These are not intended as customer tunables, but dev. & test folks
31  * might want to adjust them (with caution).
32  *
33  * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket
34  * with setsockopt SO_SNDBUF, SO_RCVBUF.  These set the TCP window size.
35  * This is also used as a "sanity limit" for internal send/reply message
36  * allocations.  Note that with compounding SMB2 messages may contain
37  * multiple requests/responses.  This size should be large enough for
38  * at least a few SMB2 requests, and at least 2X smb2_max_rwsize.
39  *
40  * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell
41  * the client the largest read and write request size we'll support.
42  * One megabyte is a compromise between efficiency on fast networks
43  * and memory consumption (for the buffers) on the server side.
44  *
45  * smb2_max_trans is the largest "transact" send or receive, which is
46  * used for directory listings and info set/get operations.
47  */
48 uint32_t smb2_tcp_bufsize = (1<<22);	/* 4MB */
49 uint32_t smb2_max_rwsize = (1<<20);	/* 1MB */
50 uint32_t smb2_max_trans  = (1<<16);	/* 64KB */
51 
52 /*
53  * List of all SMB2 versions we implement.  Note that the
54  * highest version we support may be limited by the
55  * _cfg.skc_max_protocol setting.
56  */
57 static uint16_t smb2_versions[] = {
58 	0x202,	/* SMB 2.002 */
59 	0x210,	/* SMB 2.1 */
60 };
61 static uint16_t smb2_nversions =
62     sizeof (smb2_versions) / sizeof (smb2_versions[0]);
63 
64 static boolean_t
65 smb2_supported_version(smb_session_t *s, uint16_t version)
66 {
67 	int i;
68 
69 	if (version > s->s_cfg.skc_max_protocol)
70 		return (B_FALSE);
71 	for (i = 0; i < smb2_nversions; i++)
72 		if (version == smb2_versions[i])
73 			return (B_TRUE);
74 	return (B_FALSE);
75 }
76 
77 /*
78  * Helper for the (SMB1) smb_com_negotiate().  This is the
79  * very unusual protocol interaction where an SMB1 negotiate
80  * gets an SMB2 negotiate response.  This is the normal way
81  * clients first find out if the server supports SMB2.
82  *
83  * Note: This sends an SMB2 reply _itself_ and then returns
84  * SDRC_NO_REPLY so the caller will not send an SMB1 reply.
85  * Also, this is called directly from the reader thread, so
86  * we know this is the only thread using this session.
87  *
88  * The caller frees this request.
89  */
90 smb_sdrc_t
91 smb1_negotiate_smb2(smb_request_t *sr)
92 {
93 	smb_session_t *s = sr->session;
94 	smb_arg_negotiate_t *negprot = sr->sr_negprot;
95 	uint16_t smb2_version;
96 	uint16_t secmode2;
97 	int rc;
98 
99 	/*
100 	 * Note: In the SMB1 negotiate command handler, we
101 	 * agreed with one of the SMB2 dialects.  If that
102 	 * dialect was "SMB 2.002", we'll respond here with
103 	 * version 0x202 and negotiation is done.  If that
104 	 * dialect was "SMB 2.???", we'll respond here with
105 	 * the "wildcard" version 0x2FF, and the client will
106 	 * come back with an SMB2 negotiate.
107 	 */
108 	switch (negprot->ni_dialect) {
109 	case DIALECT_SMB2002:	/* SMB 2.002 (a.k.a. SMB2.0) */
110 		smb2_version = 0x202;
111 		s->dialect = smb2_version;
112 		s->s_state = SMB_SESSION_STATE_NEGOTIATED;
113 		/* Allow normal SMB2 requests now. */
114 		s->newrq_func = smb2sr_newrq;
115 
116 		/*
117 		 * Translate SMB1 sec. mode to SMB2.
118 		 */
119 		secmode2 = 0;
120 		if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)
121 			secmode2 |= SMB2_NEGOTIATE_SIGNING_ENABLED;
122 		if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)
123 			secmode2 |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
124 		s->secmode = secmode2;
125 		break;
126 	case DIALECT_SMB2XXX:	/* SMB 2.??? (wildcard vers) */
127 		/*
128 		 * Expecting an SMB2 negotiate next, so keep the
129 		 * initial s->newrq_func.  Note that secmode is
130 		 * fiction good enough to pass the signing check
131 		 * in smb2_negotiate_common().  We'll check the
132 		 * real secmode when the 2nd negotiate comes.
133 		 */
134 		smb2_version = 0x2FF;
135 		s->secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
136 		break;
137 	default:
138 		return (SDRC_DROP_VC);
139 	}
140 
141 	/*
142 	 * We did not decode an SMB2 header, so make sure
143 	 * the SMB2 header fields are initialized.
144 	 * (Most are zero from smb_request_alloc.)
145 	 * Also, the SMB1 common dispatch code reserved space
146 	 * for an SMB1 header, which we need to undo here.
147 	 */
148 	sr->smb2_reply_hdr = sr->reply.chain_offset = 0;
149 	sr->smb2_cmd_code = SMB2_NEGOTIATE;
150 
151 	rc = smb2_negotiate_common(sr, smb2_version);
152 	if (rc != 0)
153 		return (SDRC_DROP_VC);
154 
155 	return (SDRC_NO_REPLY);
156 }
157 
158 /*
159  * SMB2 Negotiate gets special handling.  This is called directly by
160  * the reader thread (see smbsr_newrq_initial) with what _should_ be
161  * an SMB2 Negotiate.  Only the "\feSMB" header has been checked
162  * when this is called, so this needs to check the SMB command,
163  * if it's Negotiate execute it, then send the reply, etc.
164  *
165  * Since this is called directly from the reader thread, we
166  * know this is the only thread currently using this session.
167  * This has to duplicate some of what smb2sr_work does as a
168  * result of bypassing the normal dispatch mechanism.
169  *
170  * The caller always frees this request.
171  */
172 int
173 smb2_newrq_negotiate(smb_request_t *sr)
174 {
175 	smb_session_t *s = sr->session;
176 	int i, rc;
177 	uint16_t struct_size;
178 	uint16_t best_version;
179 	uint16_t version_cnt;
180 	uint16_t cl_versions[8];
181 
182 	sr->smb2_cmd_hdr = sr->command.chain_offset;
183 	rc = smb2_decode_header(sr);
184 	if (rc != 0)
185 		return (rc);
186 
187 	if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
188 	    (sr->smb2_next_command != 0))
189 		return (SDRC_DROP_VC);
190 
191 	/*
192 	 * Decode SMB2 Negotiate (fixed-size part)
193 	 */
194 	rc = smb_mbc_decodef(
195 	    &sr->command, "www..l16.8.",
196 	    &struct_size,	/* w */
197 	    &version_cnt,	/* w */
198 	    &s->secmode,	/* w */
199 	    /* reserved 	(..) */
200 	    &s->capabilities);	/* l */
201 	    /* clnt_uuid	 16. */
202 	    /* start_time	  8. */
203 	if (rc != 0)
204 		return (rc);
205 	if (struct_size != 36 || version_cnt > 8)
206 		return (SDRC_DROP_VC);
207 
208 	/*
209 	 * Decode SMB2 Negotiate (variable part)
210 	 */
211 	rc = smb_mbc_decodef(&sr->command,
212 	    "#w", version_cnt, cl_versions);
213 	if (rc != 0)
214 		return (SDRC_DROP_VC);
215 
216 	/*
217 	 * The client offers an array of protocol versions it
218 	 * supports, which we have decoded into cl_versions[].
219 	 * We walk the array and pick the highest supported.
220 	 */
221 	best_version = 0;
222 	for (i = 0; i < version_cnt; i++)
223 		if (smb2_supported_version(s, cl_versions[i]) &&
224 		    best_version < cl_versions[i])
225 			best_version = cl_versions[i];
226 	if (best_version == 0)
227 		return (SDRC_DROP_VC);
228 	s->dialect = best_version;
229 
230 	/* Allow normal SMB2 requests now. */
231 	s->s_state = SMB_SESSION_STATE_NEGOTIATED;
232 	s->newrq_func = smb2sr_newrq;
233 
234 	rc = smb2_negotiate_common(sr, best_version);
235 	if (rc != 0)
236 		return (SDRC_DROP_VC);
237 
238 	return (0);
239 }
240 
241 /*
242  * Common parts of SMB2 Negotiate, used for both the
243  * SMB1-to-SMB2 style, and straight SMB2 style.
244  * Do negotiation decisions, encode, send the reply.
245  */
246 static int
247 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
248 {
249 	timestruc_t boot_tv, now_tv;
250 	smb_session_t *s = sr->session;
251 	int rc;
252 	uint16_t secmode;
253 
254 	sr->smb2_status = 0;
255 
256 	/*
257 	 * Negotiation itself.  First the Security Mode.
258 	 * The caller stashed the client's secmode in s->secmode,
259 	 * which we validate, and then replace with the server's
260 	 * secmode, which is all we care about after this.
261 	 */
262 	secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
263 	if (sr->sr_cfg->skc_signing_required) {
264 		secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
265 		/* Make sure client at least enables signing. */
266 		if ((s->secmode & secmode) == 0) {
267 			sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
268 		}
269 	}
270 	s->secmode = secmode;
271 
272 	s->cmd_max_bytes = smb2_tcp_bufsize;
273 	s->reply_max_bytes = smb2_tcp_bufsize;
274 
275 	/*
276 	 * "The number of credits held by the client MUST be considered
277 	 * as 1 when the connection is established." [MS-SMB2]
278 	 * We leave credits at 1 until the first successful
279 	 * session setup is completed.
280 	 */
281 	s->s_cur_credits = s->s_max_credits = 1;
282 	sr->smb2_credit_response = 1;
283 
284 	boot_tv.tv_sec = smb_get_boottime();
285 	boot_tv.tv_nsec = 0;
286 	now_tv.tv_sec = gethrestime_sec();
287 	now_tv.tv_nsec = 0;
288 
289 	/*
290 	 * SMB2 negotiate reply
291 	 */
292 	sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR;
293 	(void) smb2_encode_header(sr, B_FALSE);
294 	if (sr->smb2_status != 0) {
295 		smb2sr_put_error(sr, sr->smb2_status);
296 		smb2_send_reply(sr);
297 		return (-1); /* will drop */
298 	}
299 
300 	rc = smb_mbc_encodef(
301 	    &sr->reply,
302 	    "wwww#cllllTTwwl#c",
303 	    65,	/* StructSize */	/* w */
304 	    s->secmode,			/* w */
305 	    version,			/* w */
306 	    0, /* reserved */		/* w */
307 	    UUID_LEN,			/* # */
308 	    &s->s_cfg.skc_machine_uuid, /* c */
309 	    smb2srv_capabilities,	/* l */
310 	    smb2_max_trans,		/* l */
311 	    smb2_max_rwsize,		/* l */
312 	    smb2_max_rwsize,		/* l */
313 	    &now_tv,			/* T */
314 	    &boot_tv,			/* T */
315 	    128, /* SecBufOff */	/* w */
316 	    sr->sr_cfg->skc_negtok_len,	/* w */
317 	    0,	/* reserved */		/* l */
318 	    sr->sr_cfg->skc_negtok_len,	/* # */
319 	    sr->sr_cfg->skc_negtok);	/* c */
320 
321 	smb2_send_reply(sr);
322 
323 	(void) ksocket_setsockopt(s->sock, SOL_SOCKET,
324 	    SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
325 	    sizeof (smb2_tcp_bufsize), CRED());
326 	(void) ksocket_setsockopt(s->sock, SOL_SOCKET,
327 	    SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
328 	    sizeof (smb2_tcp_bufsize), CRED());
329 
330 	return (rc);
331 }
332 
333 /*
334  * SMB2 Dispatch table handler, which will run if we see an
335  * SMB2_NEGOTIATE after the initial negotiation is done.
336  * That would be a protocol error.
337  */
338 smb_sdrc_t
339 smb2_negotiate(smb_request_t *sr)
340 {
341 	sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
342 	return (SDRC_ERROR);
343 }
344 
345 /*
346  * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6
347  */
348 uint32_t
349 smb2_fsctl_vneginfo(smb_request_t *sr, smb_fsctl_t *fsctl)
350 {
351 	smb_session_t *s = sr->session;
352 	int rc;
353 
354 	/*
355 	 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here
356 	 * and verify that the original negotiate was not modified.
357 	 * The only tampering we need worry about is secmode, and
358 	 * we're not taking that from the client, so don't bother.
359 	 *
360 	 * One interesting requirement here is that we MUST reply
361 	 * with exactly the same information as we returned in our
362 	 * original reply to the SMB2 negotiate on this session.
363 	 * If we don't the client closes the connection.
364 	 */
365 
366 	rc = smb_mbc_encodef(
367 	    fsctl->out_mbc, "l#cww",
368 	    smb2srv_capabilities,	/* l */
369 	    UUID_LEN,			/* # */
370 	    &s->s_cfg.skc_machine_uuid, /* c */
371 	    s->secmode,			/* w */
372 	    s->dialect);		/* w */
373 	if (rc)
374 		return (NT_STATUS_INTERNAL_ERROR);
375 
376 	return (0);
377 }
378