1a90cf9f2SGordon Ross /*
2a90cf9f2SGordon Ross * This file and its contents are supplied under the terms of the
3a90cf9f2SGordon Ross * Common Development and Distribution License ("CDDL"), version 1.0.
4a90cf9f2SGordon Ross * You may only use this file in accordance with the terms of version
5a90cf9f2SGordon Ross * 1.0 of the CDDL.
6a90cf9f2SGordon Ross *
7a90cf9f2SGordon Ross * A full copy of the text of the CDDL should have accompanied this
8a90cf9f2SGordon Ross * source. A copy of the CDDL is also available via the Internet at
9a90cf9f2SGordon Ross * http://www.illumos.org/license/CDDL.
10a90cf9f2SGordon Ross */
11a90cf9f2SGordon Ross
12a90cf9f2SGordon Ross /*
13897907ceSGordon Ross * Copyright 2015-2021 Tintri by DDN, Inc. All rights reserved.
1472b35b05SGordon Ross * Copyright 2022 RackTop Systems, Inc.
15a90cf9f2SGordon Ross */
16a90cf9f2SGordon Ross
17a90cf9f2SGordon Ross
18a90cf9f2SGordon Ross #include <smbsrv/smb2_kproto.h>
19a90cf9f2SGordon Ross #include <smbsrv/smb_kstat.h>
20a90cf9f2SGordon Ross #include <smbsrv/smb2.h>
21a90cf9f2SGordon Ross
22148d1a41SMatt Barden #define SMB2_ASYNCID(sr) (sr->smb2_messageid ^ (1ULL << 62))
23a90cf9f2SGordon Ross
24a90cf9f2SGordon Ross smb_sdrc_t smb2_invalid_cmd(smb_request_t *);
25a90cf9f2SGordon Ross static void smb2_tq_work(void *);
2694047d49SGordon Ross static void smb2sr_run_postwork(smb_request_t *);
271160dcf7SMatt Barden static int smb3_decrypt_msg(smb_request_t *);
28a90cf9f2SGordon Ross
29adb064afSToomas Soome static const smb_disp_entry_t
30a90cf9f2SGordon Ross smb2_disp_table[SMB2__NCMDS] = {
31a90cf9f2SGordon Ross
32a90cf9f2SGordon Ross /* text-name, pre, func, post, cmd-code, dialect, flags */
33a90cf9f2SGordon Ross
34a90cf9f2SGordon Ross { "smb2_negotiate", NULL,
35a90cf9f2SGordon Ross smb2_negotiate, NULL, 0, 0,
36a90cf9f2SGordon Ross SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID },
37a90cf9f2SGordon Ross
38a90cf9f2SGordon Ross { "smb2_session_setup", NULL,
39a90cf9f2SGordon Ross smb2_session_setup, NULL, 0, 0,
40a90cf9f2SGordon Ross SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID },
41a90cf9f2SGordon Ross
42a90cf9f2SGordon Ross { "smb2_logoff", NULL,
43a90cf9f2SGordon Ross smb2_logoff, NULL, 0, 0,
44a90cf9f2SGordon Ross SDDF_SUPPRESS_TID },
45a90cf9f2SGordon Ross
46a90cf9f2SGordon Ross { "smb2_tree_connect", NULL,
47a90cf9f2SGordon Ross smb2_tree_connect, NULL, 0, 0,
48a90cf9f2SGordon Ross SDDF_SUPPRESS_TID },
49a90cf9f2SGordon Ross
50a90cf9f2SGordon Ross { "smb2_tree_disconn", NULL,
51a90cf9f2SGordon Ross smb2_tree_disconn, NULL, 0, 0 },
52a90cf9f2SGordon Ross
53a90cf9f2SGordon Ross { "smb2_create", NULL,
54a90cf9f2SGordon Ross smb2_create, NULL, 0, 0 },
55a90cf9f2SGordon Ross
56a90cf9f2SGordon Ross { "smb2_close", NULL,
57a90cf9f2SGordon Ross smb2_close, NULL, 0, 0 },
58a90cf9f2SGordon Ross
59a90cf9f2SGordon Ross { "smb2_flush", NULL,
60a90cf9f2SGordon Ross smb2_flush, NULL, 0, 0 },
61a90cf9f2SGordon Ross
62a90cf9f2SGordon Ross { "smb2_read", NULL,
63a90cf9f2SGordon Ross smb2_read, NULL, 0, 0 },
64a90cf9f2SGordon Ross
65a90cf9f2SGordon Ross { "smb2_write", NULL,
66a90cf9f2SGordon Ross smb2_write, NULL, 0, 0 },
67a90cf9f2SGordon Ross
68a90cf9f2SGordon Ross { "smb2_lock", NULL,
69a90cf9f2SGordon Ross smb2_lock, NULL, 0, 0 },
70a90cf9f2SGordon Ross
71a90cf9f2SGordon Ross { "smb2_ioctl", NULL,
72a90cf9f2SGordon Ross smb2_ioctl, NULL, 0, 0 },
73a90cf9f2SGordon Ross
74a90cf9f2SGordon Ross { "smb2_cancel", NULL,
755677e049SGordon Ross smb2_cancel, NULL, 0, 0,
765677e049SGordon Ross SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
77a90cf9f2SGordon Ross
78a90cf9f2SGordon Ross { "smb2_echo", NULL,
79a90cf9f2SGordon Ross smb2_echo, NULL, 0, 0,
80a90cf9f2SGordon Ross SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
81a90cf9f2SGordon Ross
82a90cf9f2SGordon Ross { "smb2_query_dir", NULL,
83a90cf9f2SGordon Ross smb2_query_dir, NULL, 0, 0 },
84a90cf9f2SGordon Ross
85a90cf9f2SGordon Ross { "smb2_change_notify", NULL,
86a90cf9f2SGordon Ross smb2_change_notify, NULL, 0, 0 },
87a90cf9f2SGordon Ross
88a90cf9f2SGordon Ross { "smb2_query_info", NULL,
89a90cf9f2SGordon Ross smb2_query_info, NULL, 0, 0 },
90a90cf9f2SGordon Ross
91a90cf9f2SGordon Ross { "smb2_set_info", NULL,
92a90cf9f2SGordon Ross smb2_set_info, NULL, 0, 0 },
93a90cf9f2SGordon Ross
94a90cf9f2SGordon Ross { "smb2_oplock_break_ack", NULL,
95a90cf9f2SGordon Ross smb2_oplock_break_ack, NULL, 0, 0 },
96a90cf9f2SGordon Ross
97a90cf9f2SGordon Ross { "smb2_invalid_cmd", NULL,
98a90cf9f2SGordon Ross smb2_invalid_cmd, NULL, 0, 0,
99a90cf9f2SGordon Ross SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
100a90cf9f2SGordon Ross };
101a90cf9f2SGordon Ross
102a90cf9f2SGordon Ross smb_sdrc_t
smb2_invalid_cmd(smb_request_t * sr)103a90cf9f2SGordon Ross smb2_invalid_cmd(smb_request_t *sr)
104a90cf9f2SGordon Ross {
105a90cf9f2SGordon Ross #ifdef DEBUG
106a90cf9f2SGordon Ross cmn_err(CE_NOTE, "clnt %s bad SMB2 cmd code",
107a90cf9f2SGordon Ross sr->session->ip_addr_str);
108a90cf9f2SGordon Ross #endif
109a90cf9f2SGordon Ross sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
110a90cf9f2SGordon Ross return (SDRC_DROP_VC);
111a90cf9f2SGordon Ross }
112a90cf9f2SGordon Ross
113a90cf9f2SGordon Ross /*
114a90cf9f2SGordon Ross * This is the SMB2 handler for new smb requests, called from
115a90cf9f2SGordon Ross * smb_session_reader after SMB negotiate is done. For most SMB2
116a90cf9f2SGordon Ross * requests, we just enqueue them for the smb_session_worker to
117a90cf9f2SGordon Ross * execute via the task queue, so they can block for resources
118a90cf9f2SGordon Ross * without stopping the reader thread. A few protocol messages
119a90cf9f2SGordon Ross * are special cases and are handled directly here in the reader
120a90cf9f2SGordon Ross * thread so they don't wait for taskq scheduling.
121a90cf9f2SGordon Ross *
122a90cf9f2SGordon Ross * This function must either enqueue the new request for
123a90cf9f2SGordon Ross * execution via the task queue, or execute it directly
124a90cf9f2SGordon Ross * and then free it. If this returns non-zero, the caller
125a90cf9f2SGordon Ross * will drop the session.
126a90cf9f2SGordon Ross */
127a90cf9f2SGordon Ross int
smb2sr_newrq(smb_request_t * sr)128a90cf9f2SGordon Ross smb2sr_newrq(smb_request_t *sr)
129a90cf9f2SGordon Ross {
1305677e049SGordon Ross struct mbuf_chain *mbc = &sr->command;
1319788d6deSGordon Ross taskqid_t tqid;
132a90cf9f2SGordon Ross uint32_t magic;
1335677e049SGordon Ross int rc, skip;
1345677e049SGordon Ross
1355677e049SGordon Ross if (smb_mbc_peek(mbc, 0, "l", &magic) != 0)
1365677e049SGordon Ross goto drop;
1375677e049SGordon Ross
1381160dcf7SMatt Barden /* 0xFD S M B */
1391160dcf7SMatt Barden if (magic == SMB3_ENCRYPTED_MAGIC) {
1401160dcf7SMatt Barden if (smb3_decrypt_msg(sr) != 0)
1411160dcf7SMatt Barden goto drop;
1421160dcf7SMatt Barden /*
1431160dcf7SMatt Barden * Should now be looking at an un-encrypted
1441160dcf7SMatt Barden * SMB2 message header.
1451160dcf7SMatt Barden */
1461160dcf7SMatt Barden if (smb_mbc_peek(mbc, 0, "l", &magic) != 0)
1471160dcf7SMatt Barden goto drop;
1481160dcf7SMatt Barden }
1491160dcf7SMatt Barden
1505677e049SGordon Ross if (magic != SMB2_PROTOCOL_MAGIC)
1515677e049SGordon Ross goto drop;
152a90cf9f2SGordon Ross
153a90cf9f2SGordon Ross /*
1545677e049SGordon Ross * Walk the SMB2 commands in this compound message and
1555677e049SGordon Ross * keep track of the range of message IDs it uses.
156a90cf9f2SGordon Ross */
1575677e049SGordon Ross for (;;) {
1585677e049SGordon Ross if (smb2_decode_header(sr) != 0)
1595677e049SGordon Ross goto drop;
1605677e049SGordon Ross
1615677e049SGordon Ross /*
1625677e049SGordon Ross * Cancel requests are special: They refer to
1635677e049SGordon Ross * an earlier message ID (or an async. ID),
1645677e049SGordon Ross * never a new ID, and are never compounded.
1655677e049SGordon Ross * This is intentionally not "goto drop"
1665677e049SGordon Ross * because rc may be zero (success).
1675677e049SGordon Ross */
1685677e049SGordon Ross if (sr->smb2_cmd_code == SMB2_CANCEL) {
1695677e049SGordon Ross rc = smb2_newrq_cancel(sr);
1705677e049SGordon Ross smb_request_free(sr);
1715677e049SGordon Ross return (rc);
1725677e049SGordon Ross }
1735677e049SGordon Ross
1745677e049SGordon Ross /*
1755677e049SGordon Ross * Keep track of the total credits in this compound
1765677e049SGordon Ross * and the first (real) message ID (not: 0, -1)
1775677e049SGordon Ross * While we're looking, verify that all (real) IDs
1785677e049SGordon Ross * are (first <= ID < (first + msg_credits))
1795677e049SGordon Ross */
1805677e049SGordon Ross if (sr->smb2_credit_charge == 0)
1815677e049SGordon Ross sr->smb2_credit_charge = 1;
1825677e049SGordon Ross sr->smb2_total_credits += sr->smb2_credit_charge;
1835677e049SGordon Ross
1845677e049SGordon Ross if (sr->smb2_messageid != 0 &&
1855677e049SGordon Ross sr->smb2_messageid != UINT64_MAX) {
1865677e049SGordon Ross
1875677e049SGordon Ross if (sr->smb2_first_msgid == 0)
1885677e049SGordon Ross sr->smb2_first_msgid = sr->smb2_messageid;
1895677e049SGordon Ross
1905677e049SGordon Ross if (sr->smb2_messageid < sr->smb2_first_msgid ||
1915677e049SGordon Ross sr->smb2_messageid >= (sr->smb2_first_msgid +
1925677e049SGordon Ross sr->smb2_total_credits)) {
1935677e049SGordon Ross long long id = (long long) sr->smb2_messageid;
1945677e049SGordon Ross cmn_err(CE_WARN, "clnt %s msg ID 0x%llx "
1955677e049SGordon Ross "out of sequence in compound",
1965677e049SGordon Ross sr->session->ip_addr_str, id);
1975677e049SGordon Ross }
1985677e049SGordon Ross }
1995677e049SGordon Ross
2005677e049SGordon Ross /* Normal loop exit on next == zero */
2015677e049SGordon Ross if (sr->smb2_next_command == 0)
2025677e049SGordon Ross break;
2035677e049SGordon Ross
2045677e049SGordon Ross /* Abundance of caution... */
2055677e049SGordon Ross if (sr->smb2_next_command < SMB2_HDR_SIZE)
2065677e049SGordon Ross goto drop;
2075677e049SGordon Ross
2085677e049SGordon Ross /* Advance to the next header. */
2095677e049SGordon Ross skip = sr->smb2_next_command - SMB2_HDR_SIZE;
2105677e049SGordon Ross if (MBC_ROOM_FOR(mbc, skip) == 0)
2115677e049SGordon Ross goto drop;
2125677e049SGordon Ross mbc->chain_offset += skip;
213a90cf9f2SGordon Ross }
2145677e049SGordon Ross /* Rewind back to the top. */
2155677e049SGordon Ross mbc->chain_offset = 0;
216a90cf9f2SGordon Ross
217a90cf9f2SGordon Ross /*
218a90cf9f2SGordon Ross * Submit the request to the task queue, which calls
219a90cf9f2SGordon Ross * smb2_tq_work when the workload permits.
220a90cf9f2SGordon Ross */
221a90cf9f2SGordon Ross sr->sr_time_submitted = gethrtime();
222a90cf9f2SGordon Ross sr->sr_state = SMB_REQ_STATE_SUBMITTED;
223a90cf9f2SGordon Ross smb_srqueue_waitq_enter(sr->session->s_srqueue);
2249788d6deSGordon Ross tqid = taskq_dispatch(sr->sr_server->sv_worker_pool,
225a90cf9f2SGordon Ross smb2_tq_work, sr, TQ_SLEEP);
2269788d6deSGordon Ross VERIFY(tqid != TASKQID_INVALID);
2279788d6deSGordon Ross
228a90cf9f2SGordon Ross return (0);
2295677e049SGordon Ross
2305677e049SGordon Ross drop:
2315677e049SGordon Ross smb_request_free(sr);
2325677e049SGordon Ross return (-1);
233a90cf9f2SGordon Ross }
234a90cf9f2SGordon Ross
235a90cf9f2SGordon Ross static void
smb2_tq_work(void * arg)236a90cf9f2SGordon Ross smb2_tq_work(void *arg)
237a90cf9f2SGordon Ross {
238a90cf9f2SGordon Ross smb_request_t *sr;
239a90cf9f2SGordon Ross smb_srqueue_t *srq;
240a90cf9f2SGordon Ross
241a90cf9f2SGordon Ross sr = (smb_request_t *)arg;
242a90cf9f2SGordon Ross SMB_REQ_VALID(sr);
243a90cf9f2SGordon Ross
244a90cf9f2SGordon Ross srq = sr->session->s_srqueue;
245a90cf9f2SGordon Ross smb_srqueue_waitq_to_runq(srq);
246a90cf9f2SGordon Ross sr->sr_worker = curthread;
247a90cf9f2SGordon Ross sr->sr_time_active = gethrtime();
248a90cf9f2SGordon Ross
249a90cf9f2SGordon Ross /*
2505677e049SGordon Ross * Always dispatch to the work function, because cancelled
2515677e049SGordon Ross * requests need an error reply (NT_STATUS_CANCELLED).
252a90cf9f2SGordon Ross */
2535677e049SGordon Ross mutex_enter(&sr->sr_mutex);
2545677e049SGordon Ross if (sr->sr_state == SMB_REQ_STATE_SUBMITTED)
2555677e049SGordon Ross sr->sr_state = SMB_REQ_STATE_ACTIVE;
2565677e049SGordon Ross mutex_exit(&sr->sr_mutex);
2575677e049SGordon Ross
258a90cf9f2SGordon Ross smb2sr_work(sr);
259a90cf9f2SGordon Ross
260a90cf9f2SGordon Ross smb_srqueue_runq_exit(srq);
261a90cf9f2SGordon Ross }
262a90cf9f2SGordon Ross
263ab017dbaSGordon Ross /*
2644f0ce1daSGordon Ross * Wrapper to setup a new mchain for the plaintext request that will
2654f0ce1daSGordon Ross * replace the encrypted one. Returns non-zero to drop the connection.
2664f0ce1daSGordon Ross * Error return values here are just for visibility in dtrace.
267ab017dbaSGordon Ross */
2681160dcf7SMatt Barden static int
smb3_decrypt_msg(smb_request_t * sr)2691160dcf7SMatt Barden smb3_decrypt_msg(smb_request_t *sr)
2701160dcf7SMatt Barden {
2714f0ce1daSGordon Ross struct mbuf_chain clear_mbc = {0};
2724f0ce1daSGordon Ross struct mbuf_chain tmp_mbc;
2734f0ce1daSGordon Ross mbuf_t *m;
2744f0ce1daSGordon Ross int clearsize;
2754f0ce1daSGordon Ross int rc;
2761160dcf7SMatt Barden
2771160dcf7SMatt Barden if (sr->session->dialect < SMB_VERS_3_0) {
278ab017dbaSGordon Ross /* Encrypted message in SMB 2.x */
2791160dcf7SMatt Barden return (-1);
2801160dcf7SMatt Barden }
281ab017dbaSGordon Ross if ((sr->session->srv_cap & SMB2_CAP_ENCRYPTION) == 0) {
282ab017dbaSGordon Ross /* Should have srv_cap SMB2_CAP_ENCRYPTION flag set! */
283ab017dbaSGordon Ross return (-2);
284ab017dbaSGordon Ross }
2851160dcf7SMatt Barden
2861160dcf7SMatt Barden sr->encrypted = B_TRUE;
2874f0ce1daSGordon Ross if (sr->command.max_bytes <
2884f0ce1daSGordon Ross (SMB3_TFORM_HDR_SIZE + SMB2_HDR_SIZE)) {
2894f0ce1daSGordon Ross /* Short transform header */
290ab017dbaSGordon Ross return (-3);
2911160dcf7SMatt Barden }
2924f0ce1daSGordon Ross clearsize = sr->command.max_bytes - SMB3_TFORM_HDR_SIZE;
2931160dcf7SMatt Barden
2944f0ce1daSGordon Ross clear_mbc.max_bytes = clearsize;
2954f0ce1daSGordon Ross m = smb_mbuf_alloc_chain(clearsize);
2964f0ce1daSGordon Ross MBC_ATTACH_MBUF(&clear_mbc, m);
2971160dcf7SMatt Barden
2984f0ce1daSGordon Ross rc = smb3_decrypt_sr(sr, &sr->command, &clear_mbc);
2994f0ce1daSGordon Ross if (rc != 0) {
3004f0ce1daSGordon Ross MBC_FLUSH(&clear_mbc);
3014f0ce1daSGordon Ross return (rc);
3021160dcf7SMatt Barden }
3031160dcf7SMatt Barden
3044f0ce1daSGordon Ross /* Swap clear_mbc in place of command */
3054f0ce1daSGordon Ross tmp_mbc = sr->command;
3064f0ce1daSGordon Ross sr->command = clear_mbc;
3074f0ce1daSGordon Ross MBC_FLUSH(&tmp_mbc); // free old sr->command
3084f0ce1daSGordon Ross
3091160dcf7SMatt Barden return (0);
3101160dcf7SMatt Barden }
3111160dcf7SMatt Barden
312148d1a41SMatt Barden /*
313148d1a41SMatt Barden * SMB2 credits determine how many simultaneous commands the
314148d1a41SMatt Barden * client may issue, and bounds the range of message IDs those
315148d1a41SMatt Barden * commands may use. With multi-credit support, commands may
316148d1a41SMatt Barden * use ranges of message IDs, where the credits used by each
317148d1a41SMatt Barden * command are proportional to their data transfer size.
318148d1a41SMatt Barden *
319148d1a41SMatt Barden * Every command may request an increase or decrease of
320148d1a41SMatt Barden * the currently granted credits, based on the difference
321148d1a41SMatt Barden * between the credit request and the credit charge.
322148d1a41SMatt Barden * [MS-SMB2] 3.3.1.2 Algorithm for the Granting of Credits
323148d1a41SMatt Barden *
324148d1a41SMatt Barden * Most commands have credit_request=1, credit_charge=1,
325148d1a41SMatt Barden * which keeps the credit grant unchanged.
326148d1a41SMatt Barden *
327148d1a41SMatt Barden * All we're really doing here (for now) is reducing the
328148d1a41SMatt Barden * credit_response if the client requests a credit increase
329148d1a41SMatt Barden * that would take their credit over the maximum, and
330148d1a41SMatt Barden * limiting the decrease so they don't run out of credits.
331148d1a41SMatt Barden *
332148d1a41SMatt Barden * Later, this could do something dynamic based on load.
333148d1a41SMatt Barden *
334148d1a41SMatt Barden * One other non-obvious bit about credits: We keep the
335148d1a41SMatt Barden * session s_max_credits low until the 1st authentication,
336148d1a41SMatt Barden * at which point we'll set the normal maximum_credits.
337148d1a41SMatt Barden * Some clients ask for more credits with session setup,
338148d1a41SMatt Barden * and we need to handle that requested increase _after_
339148d1a41SMatt Barden * the command-specific handler returns so it won't be
340148d1a41SMatt Barden * restricted to the lower (pre-auth) limit.
341148d1a41SMatt Barden */
342148d1a41SMatt Barden static inline void
smb2_credit_decrease(smb_request_t * sr)343148d1a41SMatt Barden smb2_credit_decrease(smb_request_t *sr)
344148d1a41SMatt Barden {
345148d1a41SMatt Barden smb_session_t *session = sr->session;
346148d1a41SMatt Barden uint16_t cur, d;
347148d1a41SMatt Barden
34817451336SGordon Ross ASSERT3U(sr->smb2_credit_request, <, sr->smb2_credit_charge);
34917451336SGordon Ross
350148d1a41SMatt Barden mutex_enter(&session->s_credits_mutex);
351148d1a41SMatt Barden cur = session->s_cur_credits;
35217451336SGordon Ross ASSERT(cur > 0);
353148d1a41SMatt Barden
354148d1a41SMatt Barden /* Handle credit decrease. */
355148d1a41SMatt Barden d = sr->smb2_credit_charge - sr->smb2_credit_request;
356148d1a41SMatt Barden
357148d1a41SMatt Barden /*
35817451336SGordon Ross * Prevent underflow of current credits, and
35917451336SGordon Ross * enforce a minimum of one credit, per:
360148d1a41SMatt Barden * [MS-SMB2] 3.3.1.2
361148d1a41SMatt Barden */
36217451336SGordon Ross if (d >= cur) {
36317451336SGordon Ross /*
36417451336SGordon Ross * Tried to give up more credits than we should.
36517451336SGordon Ross * Reduce the decrement.
36617451336SGordon Ross */
36717451336SGordon Ross d = cur - 1;
368148d1a41SMatt Barden cur = 1;
36917451336SGordon Ross DTRACE_PROBE1(smb2__credit__neg, smb_request_t *, sr);
37017451336SGordon Ross } else {
37117451336SGordon Ross cur -= d;
372148d1a41SMatt Barden }
373148d1a41SMatt Barden
37417451336SGordon Ross ASSERT3U(d, <=, sr->smb2_credit_charge);
37517451336SGordon Ross sr->smb2_credit_response = sr->smb2_credit_charge - d;
37617451336SGordon Ross
377148d1a41SMatt Barden DTRACE_PROBE3(smb2__credit__decrease,
378148d1a41SMatt Barden smb_request_t *, sr, int, (int)cur,
379148d1a41SMatt Barden int, (int)session->s_cur_credits);
380148d1a41SMatt Barden
381148d1a41SMatt Barden session->s_cur_credits = cur;
382148d1a41SMatt Barden mutex_exit(&session->s_credits_mutex);
383148d1a41SMatt Barden }
384148d1a41SMatt Barden
385148d1a41SMatt Barden /*
386148d1a41SMatt Barden * Second half of SMB2 credit handling (increases)
387148d1a41SMatt Barden */
388148d1a41SMatt Barden static inline void
smb2_credit_increase(smb_request_t * sr)389148d1a41SMatt Barden smb2_credit_increase(smb_request_t *sr)
390148d1a41SMatt Barden {
391148d1a41SMatt Barden smb_session_t *session = sr->session;
392148d1a41SMatt Barden uint16_t cur, d;
393148d1a41SMatt Barden
39417451336SGordon Ross ASSERT3U(sr->smb2_credit_request, >, sr->smb2_credit_charge);
39517451336SGordon Ross
396148d1a41SMatt Barden mutex_enter(&session->s_credits_mutex);
397148d1a41SMatt Barden cur = session->s_cur_credits;
398148d1a41SMatt Barden
399148d1a41SMatt Barden /* Handle credit increase. */
400148d1a41SMatt Barden d = sr->smb2_credit_request - sr->smb2_credit_charge;
401148d1a41SMatt Barden
402148d1a41SMatt Barden /*
403148d1a41SMatt Barden * If new credits would be above max,
404148d1a41SMatt Barden * reduce the credit grant.
405148d1a41SMatt Barden */
40617451336SGordon Ross if (d > (session->s_max_credits - cur)) {
40717451336SGordon Ross d = session->s_max_credits - cur;
408148d1a41SMatt Barden cur = session->s_max_credits;
40917451336SGordon Ross DTRACE_PROBE1(smb2__credit__max, smb_request_t *, sr);
41017451336SGordon Ross } else {
41117451336SGordon Ross cur += d;
412148d1a41SMatt Barden }
41317451336SGordon Ross sr->smb2_credit_response = sr->smb2_credit_charge + d;
414148d1a41SMatt Barden
415148d1a41SMatt Barden DTRACE_PROBE3(smb2__credit__increase,
416148d1a41SMatt Barden smb_request_t *, sr, int, (int)cur,
417148d1a41SMatt Barden int, (int)session->s_cur_credits);
418148d1a41SMatt Barden
419148d1a41SMatt Barden session->s_cur_credits = cur;
420148d1a41SMatt Barden mutex_exit(&session->s_credits_mutex);
421148d1a41SMatt Barden }
422148d1a41SMatt Barden
423148d1a41SMatt Barden /*
424148d1a41SMatt Barden * Record some statistics: latency, rx bytes, tx bytes
425148d1a41SMatt Barden * per: server, session & kshare.
426148d1a41SMatt Barden */
427148d1a41SMatt Barden static inline void
smb2_record_stats(smb_request_t * sr,smb_disp_stats_t * sds,boolean_t tx_only)428148d1a41SMatt Barden smb2_record_stats(smb_request_t *sr, smb_disp_stats_t *sds, boolean_t tx_only)
429148d1a41SMatt Barden {
430148d1a41SMatt Barden hrtime_t dt;
431148d1a41SMatt Barden int64_t rxb;
432148d1a41SMatt Barden int64_t txb;
433148d1a41SMatt Barden
434148d1a41SMatt Barden dt = gethrtime() - sr->sr_time_start;
435148d1a41SMatt Barden rxb = (int64_t)(sr->command.chain_offset - sr->smb2_cmd_hdr);
436148d1a41SMatt Barden txb = (int64_t)(sr->reply.chain_offset - sr->smb2_reply_hdr);
437148d1a41SMatt Barden
438148d1a41SMatt Barden if (!tx_only) {
439148d1a41SMatt Barden smb_server_inc_req(sr->sr_server);
440148d1a41SMatt Barden smb_latency_add_sample(&sds->sdt_lat, dt);
441148d1a41SMatt Barden atomic_add_64(&sds->sdt_rxb, rxb);
442148d1a41SMatt Barden }
443148d1a41SMatt Barden atomic_add_64(&sds->sdt_txb, txb);
444148d1a41SMatt Barden }
445148d1a41SMatt Barden
446a90cf9f2SGordon Ross /*
447a90cf9f2SGordon Ross * smb2sr_work
448a90cf9f2SGordon Ross *
449a90cf9f2SGordon Ross * This function processes each SMB command in the current request
450a90cf9f2SGordon Ross * (which may be a compound request) building a reply containing
451a90cf9f2SGordon Ross * SMB reply messages, one-to-one with the SMB commands. Some SMB
452a90cf9f2SGordon Ross * commands (change notify, blocking locks) may require both an
453a90cf9f2SGordon Ross * "interim response" and a later "async response" at completion.
454a90cf9f2SGordon Ross * In such cases, we'll encode the interim response in the reply
455a90cf9f2SGordon Ross * compound we're building, and put the (now async) command on a
456a90cf9f2SGordon Ross * list of commands that need further processing. After we've
457a90cf9f2SGordon Ross * finished processing the commands in this compound and building
458a90cf9f2SGordon Ross * the compound reply, we'll send the compound reply, and finally
459a90cf9f2SGordon Ross * process the list of async commands.
460a90cf9f2SGordon Ross *
461a90cf9f2SGordon Ross * As we work our way through the compound request and reply,
462a90cf9f2SGordon Ross * we need to keep track of the bounds of the current request
463a90cf9f2SGordon Ross * and reply. For the request, this uses an MBC_SHADOW_CHAIN
464a90cf9f2SGordon Ross * that begins at smb2_cmd_hdr. The reply is appended to the
465a90cf9f2SGordon Ross * sr->reply chain starting at smb2_reply_hdr.
466a90cf9f2SGordon Ross *
467bfe5e737SGordon Ross * This function must always free the smb request, or arrange
468bfe5e737SGordon Ross * for it to be completed and free'd later (if SDRC_SR_KEPT).
469a90cf9f2SGordon Ross */
470a90cf9f2SGordon Ross void
smb2sr_work(struct smb_request * sr)471a90cf9f2SGordon Ross smb2sr_work(struct smb_request *sr)
472a90cf9f2SGordon Ross {
473a90cf9f2SGordon Ross const smb_disp_entry_t *sdd;
474a90cf9f2SGordon Ross smb_disp_stats_t *sds;
475a90cf9f2SGordon Ross smb_session_t *session;
476a90cf9f2SGordon Ross uint32_t msg_len;
477a90cf9f2SGordon Ross uint16_t cmd_idx;
478a90cf9f2SGordon Ross int rc = 0;
479a90cf9f2SGordon Ross boolean_t disconnect = B_FALSE;
480a90cf9f2SGordon Ross boolean_t related;
481a90cf9f2SGordon Ross
482a90cf9f2SGordon Ross session = sr->session;
483a90cf9f2SGordon Ross
484148d1a41SMatt Barden ASSERT(sr->smb2_async == B_FALSE);
485a90cf9f2SGordon Ross ASSERT(sr->tid_tree == 0);
486a90cf9f2SGordon Ross ASSERT(sr->uid_user == 0);
487a90cf9f2SGordon Ross ASSERT(sr->fid_ofile == 0);
488a90cf9f2SGordon Ross sr->smb_fid = (uint16_t)-1;
489a90cf9f2SGordon Ross sr->smb2_status = 0;
490a90cf9f2SGordon Ross
491a90cf9f2SGordon Ross /* temporary until we identify a user */
492a90cf9f2SGordon Ross sr->user_cr = zone_kcred();
493a90cf9f2SGordon Ross
494a90cf9f2SGordon Ross cmd_start:
495a90cf9f2SGordon Ross /*
4965677e049SGordon Ross * Note that we don't check sr_state here and abort the
4975677e049SGordon Ross * compound if cancelled (etc.) because some SMB2 command
4985677e049SGordon Ross * handlers need to do work even when cancelled.
499a90cf9f2SGordon Ross *
500a90cf9f2SGordon Ross * We treat some status codes as if "sticky", meaning
501a90cf9f2SGordon Ross * once they're set after some command handler returns,
502a90cf9f2SGordon Ross * all remaining commands get this status without even
5035677e049SGordon Ross * calling the command-specific handler.
504a90cf9f2SGordon Ross */
505a90cf9f2SGordon Ross if (sr->smb2_status != NT_STATUS_CANCELLED &&
506a90cf9f2SGordon Ross sr->smb2_status != NT_STATUS_INSUFFICIENT_RESOURCES)
507a90cf9f2SGordon Ross sr->smb2_status = 0;
508a90cf9f2SGordon Ross
5095677e049SGordon Ross /*
5105677e049SGordon Ross * Decode the request header
5115677e049SGordon Ross *
5125677e049SGordon Ross * Most problems with decoding will result in the error
5135677e049SGordon Ross * STATUS_INVALID_PARAMETER. If the decoding problem
5145677e049SGordon Ross * prevents continuing, we'll close the connection.
5155677e049SGordon Ross * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
5165677e049SGordon Ross */
517a90cf9f2SGordon Ross sr->smb2_cmd_hdr = sr->command.chain_offset;
518a90cf9f2SGordon Ross if ((rc = smb2_decode_header(sr)) != 0) {
519a90cf9f2SGordon Ross cmn_err(CE_WARN, "clnt %s bad SMB2 header",
520a90cf9f2SGordon Ross session->ip_addr_str);
521a90cf9f2SGordon Ross disconnect = B_TRUE;
522a90cf9f2SGordon Ross goto cleanup;
523a90cf9f2SGordon Ross }
524a90cf9f2SGordon Ross
525a90cf9f2SGordon Ross /*
526a90cf9f2SGordon Ross * The SMB2_FLAGS_SERVER_TO_REDIR should only appear
527a90cf9f2SGordon Ross * in messages from the server back to the client.
528a90cf9f2SGordon Ross */
529a90cf9f2SGordon Ross if ((sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR) != 0) {
530a90cf9f2SGordon Ross cmn_err(CE_WARN, "clnt %s bad SMB2 flags",
531a90cf9f2SGordon Ross session->ip_addr_str);
532a90cf9f2SGordon Ross disconnect = B_TRUE;
533a90cf9f2SGordon Ross goto cleanup;
534a90cf9f2SGordon Ross }
535a90cf9f2SGordon Ross related = (sr->smb2_hdr_flags & SMB2_FLAGS_RELATED_OPERATIONS);
536148d1a41SMatt Barden sr->smb2_hdr_flags |= SMB2_FLAGS_SERVER_TO_REDIR;
537148d1a41SMatt Barden if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
538148d1a41SMatt Barden /* Probably an async cancel. */
539148d1a41SMatt Barden DTRACE_PROBE1(smb2__dispatch__async, smb_request_t *, sr);
540148d1a41SMatt Barden } else if (sr->smb2_async) {
541148d1a41SMatt Barden /* Previous command in compound went async. */
542148d1a41SMatt Barden sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND;
543148d1a41SMatt Barden sr->smb2_async_id = SMB2_ASYNCID(sr);
544148d1a41SMatt Barden }
545a90cf9f2SGordon Ross
546a90cf9f2SGordon Ross /*
547a90cf9f2SGordon Ross * In case we bail out with an error before we get to the
548a90cf9f2SGordon Ross * section that computes the credit grant, initialize the
549a90cf9f2SGordon Ross * response header fields so that credits won't change.
550a90cf9f2SGordon Ross * Note: SMB 2.02 clients may send credit charge zero.
551a90cf9f2SGordon Ross */
552a90cf9f2SGordon Ross if (sr->smb2_credit_charge == 0)
553a90cf9f2SGordon Ross sr->smb2_credit_charge = 1;
554a90cf9f2SGordon Ross sr->smb2_credit_response = sr->smb2_credit_charge;
555a90cf9f2SGordon Ross
556a90cf9f2SGordon Ross /*
557148d1a41SMatt Barden * Write a tentative reply header.
558148d1a41SMatt Barden *
559148d1a41SMatt Barden * We could just leave this blank, but if we're using the
560148d1a41SMatt Barden * mdb module feature that extracts packets, it's useful
561148d1a41SMatt Barden * to have the header mostly correct here.
562148d1a41SMatt Barden *
563148d1a41SMatt Barden * If we have already exhausted the output space, then the
564148d1a41SMatt Barden * client is trying something funny. Log it and kill 'em.
565a90cf9f2SGordon Ross */
566148d1a41SMatt Barden sr->smb2_next_reply = 0;
567148d1a41SMatt Barden ASSERT((sr->reply.chain_offset & 7) == 0);
568a90cf9f2SGordon Ross sr->smb2_reply_hdr = sr->reply.chain_offset;
569a90cf9f2SGordon Ross if ((rc = smb2_encode_header(sr, B_FALSE)) != 0) {
570a90cf9f2SGordon Ross cmn_err(CE_WARN, "clnt %s excessive reply",
571a90cf9f2SGordon Ross session->ip_addr_str);
572a90cf9f2SGordon Ross disconnect = B_TRUE;
573a90cf9f2SGordon Ross goto cleanup;
574a90cf9f2SGordon Ross }
575a90cf9f2SGordon Ross
576a90cf9f2SGordon Ross /*
577a90cf9f2SGordon Ross * Figure out the length of data following the SMB2 header.
578a90cf9f2SGordon Ross * It ends at either the next SMB2 header if there is one
579a90cf9f2SGordon Ross * (smb2_next_command != 0) or at the end of the message.
580a90cf9f2SGordon Ross */
581a90cf9f2SGordon Ross if (sr->smb2_next_command != 0) {
582a90cf9f2SGordon Ross /* [MS-SMB2] says this is 8-byte aligned */
583a90cf9f2SGordon Ross msg_len = sr->smb2_next_command;
584a90cf9f2SGordon Ross if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) ||
585a90cf9f2SGordon Ross ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) {
586a90cf9f2SGordon Ross cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd",
587a90cf9f2SGordon Ross session->ip_addr_str);
588a90cf9f2SGordon Ross disconnect = B_TRUE;
589a90cf9f2SGordon Ross goto cleanup;
590a90cf9f2SGordon Ross }
591a90cf9f2SGordon Ross } else {
592a90cf9f2SGordon Ross msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr;
593a90cf9f2SGordon Ross }
594a90cf9f2SGordon Ross
595a90cf9f2SGordon Ross /*
596a90cf9f2SGordon Ross * Setup a shadow chain for this SMB2 command, starting
597a90cf9f2SGordon Ross * with the header and ending at either the next command
598a90cf9f2SGordon Ross * or the end of the message. The signing check below
599a90cf9f2SGordon Ross * needs the entire SMB2 command. After that's done, we
600a90cf9f2SGordon Ross * advance chain_offset to the end of the header where
601a90cf9f2SGordon Ross * the command specific handlers continue decoding.
602a90cf9f2SGordon Ross */
603a90cf9f2SGordon Ross (void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command,
604a90cf9f2SGordon Ross sr->smb2_cmd_hdr, msg_len);
605a90cf9f2SGordon Ross
606ac2bf314SMatt Barden /*
607ac2bf314SMatt Barden * We will consume the data for this request from smb_data.
608ac2bf314SMatt Barden * That effectively consumes msg_len bytes from sr->command
609ac2bf314SMatt Barden * but doesn't update its chain_offset, so we need to update
610ac2bf314SMatt Barden * that here to make later received bytes accounting work.
611ac2bf314SMatt Barden */
612ac2bf314SMatt Barden sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len;
613ac2bf314SMatt Barden ASSERT(sr->command.chain_offset <= sr->command.max_bytes);
614ac2bf314SMatt Barden
615a90cf9f2SGordon Ross /*
616a90cf9f2SGordon Ross * Validate the commmand code, get dispatch table entries.
617a90cf9f2SGordon Ross * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
618a90cf9f2SGordon Ross *
619a90cf9f2SGordon Ross * The last slot in the dispatch table is used to handle
620a90cf9f2SGordon Ross * invalid commands. Same for statistics.
621a90cf9f2SGordon Ross */
622a90cf9f2SGordon Ross if (sr->smb2_cmd_code < SMB2_INVALID_CMD)
623a90cf9f2SGordon Ross cmd_idx = sr->smb2_cmd_code;
624a90cf9f2SGordon Ross else
625a90cf9f2SGordon Ross cmd_idx = SMB2_INVALID_CMD;
626a90cf9f2SGordon Ross sdd = &smb2_disp_table[cmd_idx];
627a90cf9f2SGordon Ross sds = &session->s_server->sv_disp_stats2[cmd_idx];
628a90cf9f2SGordon Ross
629a90cf9f2SGordon Ross /*
630a90cf9f2SGordon Ross * If this command is NOT "related" to the previous,
631a90cf9f2SGordon Ross * clear out the UID, TID, FID state that might be
632a90cf9f2SGordon Ross * left over from the previous command.
633a90cf9f2SGordon Ross *
634a90cf9f2SGordon Ross * If the command IS related, any new IDs are ignored,
635a90cf9f2SGordon Ross * and we simply continue with the previous user, tree,
636a90cf9f2SGordon Ross * and open file.
637a90cf9f2SGordon Ross */
638a90cf9f2SGordon Ross if (!related) {
639a90cf9f2SGordon Ross /*
640a90cf9f2SGordon Ross * Drop user, tree, file; carefully ordered to
641a90cf9f2SGordon Ross * avoid dangling references: file, tree, user
642a90cf9f2SGordon Ross */
643a90cf9f2SGordon Ross if (sr->fid_ofile != NULL) {
644a90cf9f2SGordon Ross smb_ofile_release(sr->fid_ofile);
645a90cf9f2SGordon Ross sr->fid_ofile = NULL;
646a90cf9f2SGordon Ross }
647a90cf9f2SGordon Ross if (sr->tid_tree != NULL) {
648a90cf9f2SGordon Ross smb_tree_release(sr->tid_tree);
649a90cf9f2SGordon Ross sr->tid_tree = NULL;
650a90cf9f2SGordon Ross }
651a90cf9f2SGordon Ross if (sr->uid_user != NULL) {
652a90cf9f2SGordon Ross smb_user_release(sr->uid_user);
653a90cf9f2SGordon Ross sr->uid_user = NULL;
654a90cf9f2SGordon Ross sr->user_cr = zone_kcred();
655a90cf9f2SGordon Ross }
656a90cf9f2SGordon Ross }
657a90cf9f2SGordon Ross
658a90cf9f2SGordon Ross /*
659a90cf9f2SGordon Ross * Make sure we have a user and tree as needed
660a90cf9f2SGordon Ross * according to the flags for the this command.
661a90cf9f2SGordon Ross * Note that we may have inherited these.
662a90cf9f2SGordon Ross */
663a90cf9f2SGordon Ross if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0) {
664a90cf9f2SGordon Ross /*
665a90cf9f2SGordon Ross * This command requires a user session.
666a90cf9f2SGordon Ross */
667a90cf9f2SGordon Ross if (related) {
668a90cf9f2SGordon Ross /*
669a90cf9f2SGordon Ross * Previous command should have given us a user.
670a90cf9f2SGordon Ross * [MS-SMB2] 3.3.5.2 Handling Related Requests
671a90cf9f2SGordon Ross */
672a90cf9f2SGordon Ross if (sr->uid_user == NULL) {
673a90cf9f2SGordon Ross smb2sr_put_error(sr,
674a90cf9f2SGordon Ross NT_STATUS_INVALID_PARAMETER);
675a90cf9f2SGordon Ross goto cmd_done;
676a90cf9f2SGordon Ross }
677811599a4SMatt Barden sr->smb2_ssnid = sr->uid_user->u_ssnid;
678a90cf9f2SGordon Ross } else {
679a90cf9f2SGordon Ross /*
680a90cf9f2SGordon Ross * Lookup the UID
681a90cf9f2SGordon Ross * [MS-SMB2] 3.3.5.2 Verifying the Session
682a90cf9f2SGordon Ross */
683a90cf9f2SGordon Ross ASSERT(sr->uid_user == NULL);
6841160dcf7SMatt Barden /*
6851160dcf7SMatt Barden * [MS-SMB2] 3.3.5.2.7 Handling Compounded Requests
6861160dcf7SMatt Barden *
6871160dcf7SMatt Barden * If this is an encrypted compound request,
6881160dcf7SMatt Barden * ensure that the ssnid in the request
6891160dcf7SMatt Barden * is the same as the tform ssnid if this
6901160dcf7SMatt Barden * message is not related.
6911160dcf7SMatt Barden *
6921160dcf7SMatt Barden * The reasons this is done seem to apply equally
6931160dcf7SMatt Barden * to uncompounded requests, so we apply it to all.
6941160dcf7SMatt Barden */
6951160dcf7SMatt Barden
6961160dcf7SMatt Barden if (sr->encrypted &&
6974f0ce1daSGordon Ross sr->smb2_ssnid != sr->th_ssnid) {
6981160dcf7SMatt Barden disconnect = B_TRUE;
6991160dcf7SMatt Barden goto cleanup; /* just do this for now */
7001160dcf7SMatt Barden }
7011160dcf7SMatt Barden
702811599a4SMatt Barden sr->uid_user = smb_session_lookup_ssnid(session,
703811599a4SMatt Barden sr->smb2_ssnid);
704a90cf9f2SGordon Ross if (sr->uid_user == NULL) {
705a90cf9f2SGordon Ross smb2sr_put_error(sr,
706a90cf9f2SGordon Ross NT_STATUS_USER_SESSION_DELETED);
707a90cf9f2SGordon Ross goto cmd_done;
708a90cf9f2SGordon Ross }
7091160dcf7SMatt Barden
7101160dcf7SMatt Barden /*
7111160dcf7SMatt Barden * [MS-SMB2] 3.3.5.2.9 Verifying the Session
7121160dcf7SMatt Barden *
7131160dcf7SMatt Barden * If we're talking 3.x,
7141160dcf7SMatt Barden * RejectUnencryptedAccess is TRUE,
7151160dcf7SMatt Barden * Session.EncryptData is TRUE,
7161160dcf7SMatt Barden * and the message wasn't encrypted,
7171160dcf7SMatt Barden * return ACCESS_DENIED.
7181160dcf7SMatt Barden *
7191160dcf7SMatt Barden * Note that Session.EncryptData can only be TRUE when
7201160dcf7SMatt Barden * we're talking 3.x.
7211160dcf7SMatt Barden */
722ab017dbaSGordon Ross if (sr->uid_user->u_encrypt == SMB_CONFIG_REQUIRED &&
7231160dcf7SMatt Barden !sr->encrypted) {
7241160dcf7SMatt Barden smb2sr_put_error(sr,
7251160dcf7SMatt Barden NT_STATUS_ACCESS_DENIED);
7261160dcf7SMatt Barden goto cmd_done;
7271160dcf7SMatt Barden }
7281160dcf7SMatt Barden
729a90cf9f2SGordon Ross sr->user_cr = smb_user_getcred(sr->uid_user);
730a90cf9f2SGordon Ross }
731a90cf9f2SGordon Ross ASSERT(sr->uid_user != NULL);
7321160dcf7SMatt Barden
7331160dcf7SMatt Barden /*
7341160dcf7SMatt Barden * Encrypt if:
7351160dcf7SMatt Barden * - The cmd is not SESSION_SETUP or NEGOTIATE; AND
7361160dcf7SMatt Barden * - Session.EncryptData is TRUE
7371160dcf7SMatt Barden *
7381160dcf7SMatt Barden * Those commands suppress UID, so they can't be the cmd here.
7391160dcf7SMatt Barden */
7401160dcf7SMatt Barden if (sr->uid_user->u_encrypt != SMB_CONFIG_DISABLED &&
7414f0ce1daSGordon Ross sr->th_sid_user == NULL) {
7421160dcf7SMatt Barden smb_user_hold_internal(sr->uid_user);
7434f0ce1daSGordon Ross sr->th_sid_user = sr->uid_user;
7444f0ce1daSGordon Ross sr->th_ssnid = sr->smb2_ssnid;
7451160dcf7SMatt Barden }
746a90cf9f2SGordon Ross }
747a90cf9f2SGordon Ross
748a90cf9f2SGordon Ross if ((sdd->sdt_flags & SDDF_SUPPRESS_TID) == 0) {
749a90cf9f2SGordon Ross /*
750a90cf9f2SGordon Ross * This command requires a tree connection.
751a90cf9f2SGordon Ross */
752a90cf9f2SGordon Ross if (related) {
753a90cf9f2SGordon Ross /*
754a90cf9f2SGordon Ross * Previous command should have given us a tree.
755a90cf9f2SGordon Ross * [MS-SMB2] 3.3.5.2 Handling Related Requests
756a90cf9f2SGordon Ross */
757a90cf9f2SGordon Ross if (sr->tid_tree == NULL) {
758a90cf9f2SGordon Ross smb2sr_put_error(sr,
759a90cf9f2SGordon Ross NT_STATUS_INVALID_PARAMETER);
760a90cf9f2SGordon Ross goto cmd_done;
761a90cf9f2SGordon Ross }
762a90cf9f2SGordon Ross sr->smb_tid = sr->tid_tree->t_tid;
763a90cf9f2SGordon Ross } else {
764a90cf9f2SGordon Ross /*
765a90cf9f2SGordon Ross * Lookup the TID
766a90cf9f2SGordon Ross * [MS-SMB2] 3.3.5.2 Verifying the Tree Connect
767a90cf9f2SGordon Ross */
768a90cf9f2SGordon Ross ASSERT(sr->tid_tree == NULL);
769a90cf9f2SGordon Ross sr->tid_tree = smb_session_lookup_tree(session,
770a90cf9f2SGordon Ross sr->smb_tid);
771a90cf9f2SGordon Ross if (sr->tid_tree == NULL) {
772a90cf9f2SGordon Ross smb2sr_put_error(sr,
773a90cf9f2SGordon Ross NT_STATUS_NETWORK_NAME_DELETED);
774a90cf9f2SGordon Ross goto cmd_done;
775a90cf9f2SGordon Ross }
7761160dcf7SMatt Barden
7771160dcf7SMatt Barden /*
7781160dcf7SMatt Barden * [MS-SMB2] 3.3.5.2.11 Verifying the Tree Connect
7791160dcf7SMatt Barden *
7801160dcf7SMatt Barden * If we support 3.x, RejectUnencryptedAccess is TRUE,
7811160dcf7SMatt Barden * if Tcon.EncryptData is TRUE or
7821160dcf7SMatt Barden * global EncryptData is TRUE and
7831160dcf7SMatt Barden * the message wasn't encrypted, or
7841160dcf7SMatt Barden * if Tcon.EncryptData is TRUE or
7851160dcf7SMatt Barden * global EncryptData is TRUE or
7861160dcf7SMatt Barden * the request was encrypted and
7871160dcf7SMatt Barden * the connection doesn't support encryption,
7881160dcf7SMatt Barden * return ACCESS_DENIED.
7891160dcf7SMatt Barden *
7901160dcf7SMatt Barden * If RejectUnencryptedAccess is TRUE, we force
7911160dcf7SMatt Barden * max_protocol to at least 3.0. Additionally,
7921160dcf7SMatt Barden * if the tree requires encryption, we don't care
7931160dcf7SMatt Barden * what we support, we still enforce encryption.
7944f0ce1daSGordon Ross * Since smb3_decrypt_msg() does check session->srv_cap,
7954f0ce1daSGordon Ross * we only need to check sr->encrypted here.
7961160dcf7SMatt Barden */
7971160dcf7SMatt Barden if (sr->tid_tree->t_encrypt == SMB_CONFIG_REQUIRED &&
7984f0ce1daSGordon Ross !sr->encrypted) {
7991160dcf7SMatt Barden smb2sr_put_error(sr,
8001160dcf7SMatt Barden NT_STATUS_ACCESS_DENIED);
8011160dcf7SMatt Barden goto cmd_done;
8021160dcf7SMatt Barden }
803a90cf9f2SGordon Ross }
804a90cf9f2SGordon Ross ASSERT(sr->tid_tree != NULL);
8051160dcf7SMatt Barden
8061160dcf7SMatt Barden /*
8071160dcf7SMatt Barden * Encrypt if:
8081160dcf7SMatt Barden * - The cmd is not TREE_CONNECT; AND
8091160dcf7SMatt Barden * - Tree.EncryptData is TRUE
8101160dcf7SMatt Barden *
8111160dcf7SMatt Barden * TREE_CONNECT suppresses TID, so that can't be the cmd here.
8121160dcf7SMatt Barden * NOTE: assumes we can't have a tree without a user
8131160dcf7SMatt Barden */
8141160dcf7SMatt Barden if (sr->tid_tree->t_encrypt != SMB_CONFIG_DISABLED &&
8154f0ce1daSGordon Ross sr->th_sid_user == NULL) {
8161160dcf7SMatt Barden smb_user_hold_internal(sr->uid_user);
8174f0ce1daSGordon Ross sr->th_sid_user = sr->uid_user;
8184f0ce1daSGordon Ross sr->th_ssnid = sr->smb2_ssnid;
8191160dcf7SMatt Barden }
820a90cf9f2SGordon Ross }
821a90cf9f2SGordon Ross
822a90cf9f2SGordon Ross /*
823a90cf9f2SGordon Ross * SMB2 signature verification, two parts:
824a90cf9f2SGordon Ross * (a) Require SMB2_FLAGS_SIGNED (for most request types)
825a90cf9f2SGordon Ross * (b) If SMB2_FLAGS_SIGNED is set, check the signature.
826a90cf9f2SGordon Ross * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
827a90cf9f2SGordon Ross */
828a90cf9f2SGordon Ross
829a90cf9f2SGordon Ross /*
830a90cf9f2SGordon Ross * No user session means no signature check. That's OK,
831a90cf9f2SGordon Ross * i.e. for commands marked SDDF_SUPPRESS_UID above.
832a90cf9f2SGordon Ross * Note, this also means we won't sign the reply.
833a90cf9f2SGordon Ross */
834a90cf9f2SGordon Ross if (sr->uid_user == NULL)
835a90cf9f2SGordon Ross sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
836a90cf9f2SGordon Ross
837a90cf9f2SGordon Ross /*
838a90cf9f2SGordon Ross * The SDDF_SUPPRESS_UID dispatch is set for requests that
839a90cf9f2SGordon Ross * don't need a UID (user). These also don't require a
840a90cf9f2SGordon Ross * signature check here.
8411160dcf7SMatt Barden *
8421160dcf7SMatt Barden * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
8431160dcf7SMatt Barden *
8441160dcf7SMatt Barden * If the packet was successfully decrypted, the message
8451160dcf7SMatt Barden * signature has already been verified, so we can skip this.
846a90cf9f2SGordon Ross */
847a90cf9f2SGordon Ross if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0 &&
8481160dcf7SMatt Barden !sr->encrypted && sr->uid_user != NULL &&
8494ad35fa3SMatt Barden (sr->uid_user->u_sign_flags & SMB_SIGNING_ENABLED) != 0) {
850a90cf9f2SGordon Ross /*
8514ad35fa3SMatt Barden * If the request is signed, check the signature.
8524ad35fa3SMatt Barden * Otherwise, if signing is required, deny access.
853a90cf9f2SGordon Ross */
8544ad35fa3SMatt Barden if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) {
8552841912eSGordon Ross if (smb2_sign_check_request(sr) != 0) {
8562841912eSGordon Ross smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
8574ad35fa3SMatt Barden DTRACE_PROBE1(smb2__sign__check,
8584ad35fa3SMatt Barden smb_request_t *, sr);
8594ad35fa3SMatt Barden goto cmd_done;
8604ad35fa3SMatt Barden }
8614ad35fa3SMatt Barden } else if (
8624ad35fa3SMatt Barden (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) {
863a90cf9f2SGordon Ross smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
864a90cf9f2SGordon Ross goto cmd_done;
865a90cf9f2SGordon Ross }
866a90cf9f2SGordon Ross }
867a90cf9f2SGordon Ross
868a90cf9f2SGordon Ross /*
869a90cf9f2SGordon Ross * Now that the signing check is done with smb_data,
870a90cf9f2SGordon Ross * advance past the SMB2 header we decoded earlier.
871a90cf9f2SGordon Ross * This leaves sr->smb_data correctly positioned
872a90cf9f2SGordon Ross * for command-specific decoding in the dispatch
873a90cf9f2SGordon Ross * function called next.
874a90cf9f2SGordon Ross */
875a90cf9f2SGordon Ross sr->smb_data.chain_offset = sr->smb2_cmd_hdr + SMB2_HDR_SIZE;
876a90cf9f2SGordon Ross
877a90cf9f2SGordon Ross /*
878148d1a41SMatt Barden * Credit adjustments (decrease)
879a90cf9f2SGordon Ross *
880148d1a41SMatt Barden * If we've gone async, credit adjustments were done
881148d1a41SMatt Barden * when we sent the interim reply.
882a90cf9f2SGordon Ross */
883148d1a41SMatt Barden if (!sr->smb2_async) {
884148d1a41SMatt Barden if (sr->smb2_credit_request < sr->smb2_credit_charge) {
885148d1a41SMatt Barden smb2_credit_decrease(sr);
886a90cf9f2SGordon Ross }
887a90cf9f2SGordon Ross }
888a90cf9f2SGordon Ross
889a90cf9f2SGordon Ross /*
890a90cf9f2SGordon Ross * The real work: call the SMB2 command handler
891a90cf9f2SGordon Ross * (except for "sticky" smb2_status - see above)
892a90cf9f2SGordon Ross */
893a90cf9f2SGordon Ross sr->sr_time_start = gethrtime();
894a90cf9f2SGordon Ross rc = SDRC_SUCCESS;
895a90cf9f2SGordon Ross if (sr->smb2_status == 0) {
896a90cf9f2SGordon Ross /* NB: not using pre_op */
897a90cf9f2SGordon Ross rc = (*sdd->sdt_function)(sr);
898a90cf9f2SGordon Ross /* NB: not using post_op */
8995677e049SGordon Ross } else {
9005677e049SGordon Ross smb2sr_put_error(sr, sr->smb2_status);
901a90cf9f2SGordon Ross }
902a90cf9f2SGordon Ross
903a90cf9f2SGordon Ross /*
904148d1a41SMatt Barden * When the sdt_function returns SDRC_SR_KEPT, it means
905148d1a41SMatt Barden * this SR may have been passed to another thread so we
906148d1a41SMatt Barden * MUST NOT touch it anymore.
907a90cf9f2SGordon Ross */
908148d1a41SMatt Barden if (rc == SDRC_SR_KEPT)
909148d1a41SMatt Barden return;
910a90cf9f2SGordon Ross
911148d1a41SMatt Barden MBC_FLUSH(&sr->raw_data);
912a90cf9f2SGordon Ross
913148d1a41SMatt Barden /*
914148d1a41SMatt Barden * Credit adjustments (increase)
915148d1a41SMatt Barden */
916148d1a41SMatt Barden if (!sr->smb2_async) {
917148d1a41SMatt Barden if (sr->smb2_credit_request > sr->smb2_credit_charge) {
918148d1a41SMatt Barden smb2_credit_increase(sr);
919a90cf9f2SGordon Ross }
920a90cf9f2SGordon Ross }
921a90cf9f2SGordon Ross
922a90cf9f2SGordon Ross cmd_done:
923a90cf9f2SGordon Ross switch (rc) {
924a90cf9f2SGordon Ross case SDRC_SUCCESS:
925a90cf9f2SGordon Ross break;
926a90cf9f2SGordon Ross default:
927a90cf9f2SGordon Ross /*
928a90cf9f2SGordon Ross * SMB2 does not use the other dispatch return codes.
929a90cf9f2SGordon Ross * If we see something else, log an event so we'll
930a90cf9f2SGordon Ross * know something is returning bogus status codes.
931a90cf9f2SGordon Ross * If you see these in the log, use dtrace to find
932a90cf9f2SGordon Ross * the code returning something else.
933a90cf9f2SGordon Ross */
934a90cf9f2SGordon Ross #ifdef DEBUG
935a90cf9f2SGordon Ross cmn_err(CE_NOTE, "handler for %u returned 0x%x",
936a90cf9f2SGordon Ross sr->smb2_cmd_code, rc);
937a90cf9f2SGordon Ross #endif
938541826a8SAndrew Stormont smb2sr_put_error(sr, NT_STATUS_INTERNAL_ERROR);
93993bc28dbSGordon Ross break;
940a90cf9f2SGordon Ross case SDRC_ERROR:
94193bc28dbSGordon Ross /*
94293bc28dbSGordon Ross * Many command handlers return SDRC_ERROR for any
94393bc28dbSGordon Ross * problems decoding the request, and don't bother
94493bc28dbSGordon Ross * setting smb2_status. For those cases, the best
94593bc28dbSGordon Ross * status return would be "invalid parameter".
94693bc28dbSGordon Ross */
947a90cf9f2SGordon Ross if (sr->smb2_status == 0)
94893bc28dbSGordon Ross sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
949541826a8SAndrew Stormont smb2sr_put_error(sr, sr->smb2_status);
950a90cf9f2SGordon Ross break;
951a90cf9f2SGordon Ross case SDRC_DROP_VC:
952a90cf9f2SGordon Ross disconnect = B_TRUE;
953a90cf9f2SGordon Ross goto cleanup;
9545677e049SGordon Ross
9555677e049SGordon Ross case SDRC_NO_REPLY:
9565677e049SGordon Ross /* will free sr */
9575677e049SGordon Ross goto cleanup;
958a90cf9f2SGordon Ross }
959a90cf9f2SGordon Ross
960148d1a41SMatt Barden /*
961148d1a41SMatt Barden * Pad the reply to align(8) if there will be another.
962148d1a41SMatt Barden * (We don't compound async replies.)
963148d1a41SMatt Barden */
964148d1a41SMatt Barden if (!sr->smb2_async && sr->smb2_next_command != 0)
965148d1a41SMatt Barden (void) smb_mbc_put_align(&sr->reply, 8);
966148d1a41SMatt Barden
967148d1a41SMatt Barden /*
968148d1a41SMatt Barden * Record some statistics. Uses:
969148d1a41SMatt Barden * rxb = command.chain_offset - smb2_cmd_hdr;
970148d1a41SMatt Barden * txb = reply.chain_offset - smb2_reply_hdr;
971148d1a41SMatt Barden * which at this point represent the current cmd/reply.
972148d1a41SMatt Barden *
973148d1a41SMatt Barden * Note: If async, this does txb only, and
974148d1a41SMatt Barden * skips the smb_latency_add_sample() calls.
975148d1a41SMatt Barden */
976148d1a41SMatt Barden smb2_record_stats(sr, sds, sr->smb2_async);
977148d1a41SMatt Barden
978a90cf9f2SGordon Ross /*
979a90cf9f2SGordon Ross * If there's a next command, figure out where it starts,
980148d1a41SMatt Barden * and fill in the next header offset for the reply.
981148d1a41SMatt Barden * Note: We sanity checked smb2_next_command above.
982*07e52310SGordon Ross * Once we've gone async, replies are not compounded.
983a90cf9f2SGordon Ross */
984a90cf9f2SGordon Ross if (sr->smb2_next_command != 0) {
985a90cf9f2SGordon Ross sr->command.chain_offset =
986a90cf9f2SGordon Ross sr->smb2_cmd_hdr + sr->smb2_next_command;
987*07e52310SGordon Ross }
988*07e52310SGordon Ross if (sr->smb2_next_command != 0 && !sr->smb2_async) {
989a90cf9f2SGordon Ross sr->smb2_next_reply =
990a90cf9f2SGordon Ross sr->reply.chain_offset - sr->smb2_reply_hdr;
991a90cf9f2SGordon Ross } else {
992148d1a41SMatt Barden ASSERT(sr->smb2_next_reply == 0);
993a90cf9f2SGordon Ross }
994a90cf9f2SGordon Ross
995a90cf9f2SGordon Ross /*
996148d1a41SMatt Barden * Overwrite the (now final) SMB2 header for this response.
997a90cf9f2SGordon Ross */
998a90cf9f2SGordon Ross (void) smb2_encode_header(sr, B_TRUE);
999a90cf9f2SGordon Ross
10004e065a9fSAlexander Stetsenko /*
10014e065a9fSAlexander Stetsenko * Cannot move this into smb2_session_setup() - encoded header required.
10024e065a9fSAlexander Stetsenko */
10034e065a9fSAlexander Stetsenko if (session->dialect >= SMB_VERS_3_11 &&
10044e065a9fSAlexander Stetsenko sr->smb2_cmd_code == SMB2_SESSION_SETUP &&
10054e065a9fSAlexander Stetsenko sr->smb2_status == NT_STATUS_MORE_PROCESSING_REQUIRED) {
10064e065a9fSAlexander Stetsenko if (smb31_preauth_sha512_calc(sr, &sr->reply,
10074e065a9fSAlexander Stetsenko sr->uid_user->u_preauth_hashval,
10084e065a9fSAlexander Stetsenko sr->uid_user->u_preauth_hashval) != 0)
10094e065a9fSAlexander Stetsenko cmn_err(CE_WARN, "(3) Preauth hash calculation "
10104e065a9fSAlexander Stetsenko "failed");
10114e065a9fSAlexander Stetsenko }
10124e065a9fSAlexander Stetsenko
10131160dcf7SMatt Barden /* Don't sign if we're going to encrypt */
10144f0ce1daSGordon Ross if (sr->th_sid_user == NULL &&
10151160dcf7SMatt Barden (sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0)
1016a90cf9f2SGordon Ross smb2_sign_reply(sr);
1017a90cf9f2SGordon Ross
1018a90cf9f2SGordon Ross /*
1019148d1a41SMatt Barden * Non-async runs the whole compound before send.
1020148d1a41SMatt Barden * When we've gone async, send each individually.
1021a90cf9f2SGordon Ross */
1022148d1a41SMatt Barden if (!sr->smb2_async && sr->smb2_next_command != 0)
1023148d1a41SMatt Barden goto cmd_start;
10248d94f651SGordon Ross
10258d94f651SGordon Ross /*
10268d94f651SGordon Ross * If we have a durable handle, and this operation updated
10278d94f651SGordon Ross * the nvlist, write it out (before smb2_send_reply).
10288d94f651SGordon Ross */
10298d94f651SGordon Ross if (sr->dh_nvl_dirty) {
10308d94f651SGordon Ross sr->dh_nvl_dirty = B_FALSE;
10318d94f651SGordon Ross smb2_dh_update_nvfile(sr);
10328d94f651SGordon Ross }
10338d94f651SGordon Ross
1034a90cf9f2SGordon Ross smb2_send_reply(sr);
1035148d1a41SMatt Barden if (sr->smb2_async && sr->smb2_next_command != 0) {
1036148d1a41SMatt Barden MBC_FLUSH(&sr->reply); /* New reply buffer. */
1037148d1a41SMatt Barden ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes);
1038148d1a41SMatt Barden goto cmd_start;
1039a90cf9f2SGordon Ross }
1040a90cf9f2SGordon Ross
1041a90cf9f2SGordon Ross cleanup:
1042148d1a41SMatt Barden if (disconnect)
1043148d1a41SMatt Barden smb_session_disconnect(session);
1044a90cf9f2SGordon Ross
10458d94f651SGordon Ross /*
10468d94f651SGordon Ross * Do "postwork" for oplock (and maybe other things)
10478d94f651SGordon Ross */
104894047d49SGordon Ross if (sr->sr_postwork != NULL)
104994047d49SGordon Ross smb2sr_run_postwork(sr);
105094047d49SGordon Ross
1051a90cf9f2SGordon Ross mutex_enter(&sr->sr_mutex);
1052a90cf9f2SGordon Ross sr->sr_state = SMB_REQ_STATE_COMPLETED;
1053a90cf9f2SGordon Ross mutex_exit(&sr->sr_mutex);
1054a90cf9f2SGordon Ross
1055a90cf9f2SGordon Ross smb_request_free(sr);
1056a90cf9f2SGordon Ross }
1057a90cf9f2SGordon Ross
1058a90cf9f2SGordon Ross /*
1059148d1a41SMatt Barden * Build interim responses for the current and all following
1060148d1a41SMatt Barden * requests in this compound, then send the compound response,
1061148d1a41SMatt Barden * leaving the SR state so that smb2sr_work() can continue its
1062148d1a41SMatt Barden * processing of this compound in "async mode".
1063a90cf9f2SGordon Ross *
1064148d1a41SMatt Barden * If we agree to "go async", this should return STATUS_SUCCESS.
1065148d1a41SMatt Barden * Otherwise return STATUS_INSUFFICIENT_RESOURCES for this and
1066148d1a41SMatt Barden * all requests following this request. (See the comments re.
1067148d1a41SMatt Barden * "sticky" smb2_status values in smb2sr_work).
1068148d1a41SMatt Barden *
1069148d1a41SMatt Barden * Note: the Async ID we assign here is arbitrary, and need only
1070148d1a41SMatt Barden * be unique among pending async responses on this connection, so
1071148d1a41SMatt Barden * this just uses a modified messageID, which is already unique.
1072148d1a41SMatt Barden *
1073148d1a41SMatt Barden * Credits: All credit changes should happen via the interim
1074148d1a41SMatt Barden * responses, so we have to manage credits here. After this
1075148d1a41SMatt Barden * returns to smb2sr_work, the final replies for all these
1076148d1a41SMatt Barden * commands will have smb2_credit_response = smb2_credit_charge
1077148d1a41SMatt Barden * (meaning no further changes to the clients' credits).
1078a90cf9f2SGordon Ross */
1079148d1a41SMatt Barden uint32_t
smb2sr_go_async(smb_request_t * sr)1080148d1a41SMatt Barden smb2sr_go_async(smb_request_t *sr)
1081a90cf9f2SGordon Ross {
1082148d1a41SMatt Barden smb_session_t *session;
1083148d1a41SMatt Barden smb_disp_stats_t *sds;
1084148d1a41SMatt Barden uint16_t cmd_idx;
1085148d1a41SMatt Barden int32_t saved_com_offset;
1086148d1a41SMatt Barden uint32_t saved_cmd_hdr;
1087148d1a41SMatt Barden uint16_t saved_cred_resp;
1088148d1a41SMatt Barden uint32_t saved_hdr_flags;
1089148d1a41SMatt Barden uint32_t saved_reply_hdr;
1090148d1a41SMatt Barden uint32_t msg_len;
1091148d1a41SMatt Barden boolean_t disconnect = B_FALSE;
1092148d1a41SMatt Barden
1093148d1a41SMatt Barden if (sr->smb2_async) {
1094148d1a41SMatt Barden /* already went async in some previous cmd. */
1095148d1a41SMatt Barden return (NT_STATUS_SUCCESS);
1096148d1a41SMatt Barden }
1097148d1a41SMatt Barden sr->smb2_async = B_TRUE;
1098148d1a41SMatt Barden
1099148d1a41SMatt Barden /* The "server" session always runs async. */
1100148d1a41SMatt Barden session = sr->session;
1101148d1a41SMatt Barden if (session->sock == NULL)
1102148d1a41SMatt Barden return (NT_STATUS_SUCCESS);
1103148d1a41SMatt Barden
1104148d1a41SMatt Barden sds = NULL;
1105148d1a41SMatt Barden saved_com_offset = sr->command.chain_offset;
1106148d1a41SMatt Barden saved_cmd_hdr = sr->smb2_cmd_hdr;
1107148d1a41SMatt Barden saved_cred_resp = sr->smb2_credit_response;
1108148d1a41SMatt Barden saved_hdr_flags = sr->smb2_hdr_flags;
1109148d1a41SMatt Barden saved_reply_hdr = sr->smb2_reply_hdr;
1110a90cf9f2SGordon Ross
1111a90cf9f2SGordon Ross /*
1112148d1a41SMatt Barden * The command-specific handler should not yet have put any
1113148d1a41SMatt Barden * data in the reply except for the (place holder) header.
1114a90cf9f2SGordon Ross */
1115148d1a41SMatt Barden if (sr->reply.chain_offset != sr->smb2_reply_hdr + SMB2_HDR_SIZE) {
1116148d1a41SMatt Barden ASSERT3U(sr->reply.chain_offset, ==,
1117148d1a41SMatt Barden sr->smb2_reply_hdr + SMB2_HDR_SIZE);
1118148d1a41SMatt Barden return (NT_STATUS_INTERNAL_ERROR);
1119148d1a41SMatt Barden }
1120a90cf9f2SGordon Ross
1121a90cf9f2SGordon Ross /*
1122148d1a41SMatt Barden * Rewind to the start of the current header in both the
1123148d1a41SMatt Barden * command and reply bufers, so the loop below can just
1124148d1a41SMatt Barden * decode/encode just in every pass. This means the
1125148d1a41SMatt Barden * current command header is decoded again, but that
1126148d1a41SMatt Barden * avoids having to special-case the first loop pass.
1127a90cf9f2SGordon Ross */
1128148d1a41SMatt Barden sr->command.chain_offset = sr->smb2_cmd_hdr;
1129148d1a41SMatt Barden sr->reply.chain_offset = sr->smb2_reply_hdr;
1130a90cf9f2SGordon Ross
1131a90cf9f2SGordon Ross /*
1132148d1a41SMatt Barden * This command processing loop is a simplified version of
1133148d1a41SMatt Barden * smb2sr_work() that just puts an "interim response" for
1134148d1a41SMatt Barden * every command in the compound (NT_STATUS_PENDING).
1135a90cf9f2SGordon Ross */
1136148d1a41SMatt Barden cmd_start:
1137148d1a41SMatt Barden sr->smb2_status = NT_STATUS_PENDING;
1138a90cf9f2SGordon Ross
1139bfe5e737SGordon Ross /*
1140148d1a41SMatt Barden * Decode the request header
1141bfe5e737SGordon Ross */
1142148d1a41SMatt Barden sr->smb2_cmd_hdr = sr->command.chain_offset;
1143148d1a41SMatt Barden if ((smb2_decode_header(sr)) != 0) {
1144148d1a41SMatt Barden cmn_err(CE_WARN, "clnt %s bad SMB2 header",
1145148d1a41SMatt Barden session->ip_addr_str);
1146148d1a41SMatt Barden disconnect = B_TRUE;
1147148d1a41SMatt Barden goto cleanup;
1148148d1a41SMatt Barden }
11494e065a9fSAlexander Stetsenko sr->smb2_hdr_flags |= (SMB2_FLAGS_SERVER_TO_REDIR |
11504e065a9fSAlexander Stetsenko SMB2_FLAGS_ASYNC_COMMAND);
1151148d1a41SMatt Barden sr->smb2_async_id = SMB2_ASYNCID(sr);
1152bfe5e737SGordon Ross
1153a90cf9f2SGordon Ross /*
1154148d1a41SMatt Barden * In case we bail out...
1155a90cf9f2SGordon Ross */
1156148d1a41SMatt Barden if (sr->smb2_credit_charge == 0)
1157148d1a41SMatt Barden sr->smb2_credit_charge = 1;
1158148d1a41SMatt Barden sr->smb2_credit_response = sr->smb2_credit_charge;
1159a90cf9f2SGordon Ross
1160a90cf9f2SGordon Ross /*
1161148d1a41SMatt Barden * Write a tentative reply header.
1162a90cf9f2SGordon Ross */
1163148d1a41SMatt Barden sr->smb2_next_reply = 0;
1164148d1a41SMatt Barden ASSERT((sr->reply.chain_offset & 7) == 0);
1165148d1a41SMatt Barden sr->smb2_reply_hdr = sr->reply.chain_offset;
1166148d1a41SMatt Barden if ((smb2_encode_header(sr, B_FALSE)) != 0) {
1167148d1a41SMatt Barden cmn_err(CE_WARN, "clnt %s excessive reply",
1168148d1a41SMatt Barden session->ip_addr_str);
1169148d1a41SMatt Barden disconnect = B_TRUE;
1170148d1a41SMatt Barden goto cleanup;
1171a90cf9f2SGordon Ross }
1172a90cf9f2SGordon Ross
1173a90cf9f2SGordon Ross /*
1174148d1a41SMatt Barden * Figure out the length of data...
1175a90cf9f2SGordon Ross */
1176148d1a41SMatt Barden if (sr->smb2_next_command != 0) {
1177148d1a41SMatt Barden /* [MS-SMB2] says this is 8-byte aligned */
1178148d1a41SMatt Barden msg_len = sr->smb2_next_command;
1179148d1a41SMatt Barden if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) ||
1180148d1a41SMatt Barden ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) {
1181148d1a41SMatt Barden cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd",
1182148d1a41SMatt Barden session->ip_addr_str);
1183148d1a41SMatt Barden disconnect = B_TRUE;
1184148d1a41SMatt Barden goto cleanup;
1185148d1a41SMatt Barden }
1186148d1a41SMatt Barden } else {
1187148d1a41SMatt Barden msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr;
1188bfe5e737SGordon Ross }
1189a90cf9f2SGordon Ross
1190148d1a41SMatt Barden /*
1191148d1a41SMatt Barden * We just skip any data, so no shadow chain etc.
1192148d1a41SMatt Barden */
1193148d1a41SMatt Barden sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len;
1194148d1a41SMatt Barden ASSERT(sr->command.chain_offset <= sr->command.max_bytes);
1195bfe5e737SGordon Ross
1196148d1a41SMatt Barden /*
1197148d1a41SMatt Barden * Validate the commmand code...
1198148d1a41SMatt Barden */
1199148d1a41SMatt Barden if (sr->smb2_cmd_code < SMB2_INVALID_CMD)
1200148d1a41SMatt Barden cmd_idx = sr->smb2_cmd_code;
1201148d1a41SMatt Barden else
1202148d1a41SMatt Barden cmd_idx = SMB2_INVALID_CMD;
1203148d1a41SMatt Barden sds = &session->s_server->sv_disp_stats2[cmd_idx];
1204bfe5e737SGordon Ross
1205a90cf9f2SGordon Ross /*
1206148d1a41SMatt Barden * Don't change (user, tree, file) because we want them
1207148d1a41SMatt Barden * exactly as they were when we entered. That also means
1208148d1a41SMatt Barden * we may not have the right user in sr->uid_user for
1209148d1a41SMatt Barden * signature checks, so leave that until smb2sr_work
1210148d1a41SMatt Barden * runs these commands "for real". Therefore, here
1211148d1a41SMatt Barden * we behave as if: (sr->uid_user == NULL)
1212a90cf9f2SGordon Ross */
1213148d1a41SMatt Barden sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
1214a90cf9f2SGordon Ross
1215a90cf9f2SGordon Ross /*
1216148d1a41SMatt Barden * Credit adjustments (decrease)
1217148d1a41SMatt Barden *
1218148d1a41SMatt Barden * NOTE: interim responses are not signed.
1219148d1a41SMatt Barden * Any attacker can modify the credit grant
1220148d1a41SMatt Barden * in the response. Because of this property,
1221148d1a41SMatt Barden * it is no worse to assume the credit charge and grant
1222148d1a41SMatt Barden * are sane without verifying the signature,
1223148d1a41SMatt Barden * and that saves us a whole lot of work.
1224148d1a41SMatt Barden * If the credits WERE modified, we'll find out
1225148d1a41SMatt Barden * when we verify the signature later,
1226148d1a41SMatt Barden * which nullifies any changes caused here.
1227148d1a41SMatt Barden *
1228148d1a41SMatt Barden * Skip this on the first command, because the
1229148d1a41SMatt Barden * credit decrease was done by the caller.
1230a90cf9f2SGordon Ross */
1231148d1a41SMatt Barden if (sr->smb2_cmd_hdr != saved_cmd_hdr) {
1232148d1a41SMatt Barden if (sr->smb2_credit_request < sr->smb2_credit_charge) {
1233148d1a41SMatt Barden smb2_credit_decrease(sr);
1234148d1a41SMatt Barden }
1235148d1a41SMatt Barden }
1236a90cf9f2SGordon Ross
1237a90cf9f2SGordon Ross /*
1238148d1a41SMatt Barden * The real work: ... (would be here)
1239a90cf9f2SGordon Ross */
1240148d1a41SMatt Barden smb2sr_put_error(sr, sr->smb2_status);
1241a90cf9f2SGordon Ross
1242148d1a41SMatt Barden /*
1243148d1a41SMatt Barden * Credit adjustments (increase)
1244148d1a41SMatt Barden */
1245148d1a41SMatt Barden if (sr->smb2_credit_request > sr->smb2_credit_charge) {
1246148d1a41SMatt Barden smb2_credit_increase(sr);
1247148d1a41SMatt Barden }
1248a90cf9f2SGordon Ross
1249148d1a41SMatt Barden /* cmd_done: label */
1250a90cf9f2SGordon Ross
1251a90cf9f2SGordon Ross /*
1252148d1a41SMatt Barden * Pad the reply to align(8) if there will be another.
1253148d1a41SMatt Barden * This (interim) reply uses compounding.
1254a90cf9f2SGordon Ross */
1255148d1a41SMatt Barden if (sr->smb2_next_command != 0)
1256148d1a41SMatt Barden (void) smb_mbc_put_align(&sr->reply, 8);
1257a90cf9f2SGordon Ross
1258148d1a41SMatt Barden /*
1259148d1a41SMatt Barden * Record some statistics. Uses:
1260148d1a41SMatt Barden * rxb = command.chain_offset - smb2_cmd_hdr;
1261148d1a41SMatt Barden * txb = reply.chain_offset - smb2_reply_hdr;
1262148d1a41SMatt Barden * which at this point represent the current cmd/reply.
1263148d1a41SMatt Barden *
1264148d1a41SMatt Barden * Note: We're doing smb_latency_add_sample() for all
1265148d1a41SMatt Barden * remaining commands NOW, which means we won't include
1266148d1a41SMatt Barden * the async part of their work in latency statistics.
1267148d1a41SMatt Barden * That's intentional, as the async part of a command
1268148d1a41SMatt Barden * would otherwise skew our latency statistics.
1269148d1a41SMatt Barden */
1270148d1a41SMatt Barden smb2_record_stats(sr, sds, B_FALSE);
1271a90cf9f2SGordon Ross
1272148d1a41SMatt Barden /*
1273148d1a41SMatt Barden * If there's a next command, figure out where it starts,
1274148d1a41SMatt Barden * and fill in the next header offset for the reply.
1275148d1a41SMatt Barden * Note: We sanity checked smb2_next_command above.
1276148d1a41SMatt Barden */
1277148d1a41SMatt Barden if (sr->smb2_next_command != 0) {
1278148d1a41SMatt Barden sr->command.chain_offset =
1279148d1a41SMatt Barden sr->smb2_cmd_hdr + sr->smb2_next_command;
1280148d1a41SMatt Barden sr->smb2_next_reply =
1281148d1a41SMatt Barden sr->reply.chain_offset - sr->smb2_reply_hdr;
1282148d1a41SMatt Barden } else {
1283148d1a41SMatt Barden ASSERT(sr->smb2_next_reply == 0);
1284148d1a41SMatt Barden }
1285a90cf9f2SGordon Ross
1286148d1a41SMatt Barden /*
1287148d1a41SMatt Barden * Overwrite the (now final) SMB2 header for this response.
1288148d1a41SMatt Barden */
1289148d1a41SMatt Barden (void) smb2_encode_header(sr, B_TRUE);
1290a90cf9f2SGordon Ross
1291148d1a41SMatt Barden /*
1292148d1a41SMatt Barden * Process whole compound before sending.
1293148d1a41SMatt Barden */
1294a90cf9f2SGordon Ross if (sr->smb2_next_command != 0)
1295148d1a41SMatt Barden goto cmd_start;
1296148d1a41SMatt Barden smb2_send_reply(sr);
1297a90cf9f2SGordon Ross
1298148d1a41SMatt Barden ASSERT(!disconnect);
1299a90cf9f2SGordon Ross
1300148d1a41SMatt Barden cleanup:
1301a90cf9f2SGordon Ross /*
1302148d1a41SMatt Barden * Restore caller's command processing state.
1303a90cf9f2SGordon Ross */
1304148d1a41SMatt Barden sr->smb2_cmd_hdr = saved_cmd_hdr;
1305148d1a41SMatt Barden sr->command.chain_offset = saved_cmd_hdr;
1306148d1a41SMatt Barden (void) smb2_decode_header(sr);
1307148d1a41SMatt Barden sr->command.chain_offset = saved_com_offset;
1308a90cf9f2SGordon Ross
1309148d1a41SMatt Barden sr->smb2_credit_response = saved_cred_resp;
1310148d1a41SMatt Barden sr->smb2_hdr_flags = saved_hdr_flags;
1311148d1a41SMatt Barden sr->smb2_status = NT_STATUS_SUCCESS;
1312a90cf9f2SGordon Ross
1313148d1a41SMatt Barden /*
1314148d1a41SMatt Barden * In here, the "disconnect" flag just means we had an
1315148d1a41SMatt Barden * error decoding or encoding something. Rather than
1316148d1a41SMatt Barden * actually disconnect here, let's assume whatever
1317148d1a41SMatt Barden * problem we encountered will be seen by the caller
1318148d1a41SMatt Barden * as they continue processing the compound, and just
1319148d1a41SMatt Barden * restore everything and return an error.
1320148d1a41SMatt Barden */
1321148d1a41SMatt Barden if (disconnect) {
1322148d1a41SMatt Barden sr->smb2_async = B_FALSE;
1323148d1a41SMatt Barden sr->smb2_reply_hdr = saved_reply_hdr;
1324148d1a41SMatt Barden sr->reply.chain_offset = sr->smb2_reply_hdr;
1325148d1a41SMatt Barden (void) smb2_encode_header(sr, B_FALSE);
1326148d1a41SMatt Barden return (NT_STATUS_INVALID_PARAMETER);
1327148d1a41SMatt Barden }
1328a90cf9f2SGordon Ross
1329148d1a41SMatt Barden /*
1330148d1a41SMatt Barden * The compound reply buffer we sent is now gone.
1331148d1a41SMatt Barden * Setup a new reply buffer for the caller.
1332148d1a41SMatt Barden */
1333148d1a41SMatt Barden sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND;
1334148d1a41SMatt Barden sr->smb2_async_id = SMB2_ASYNCID(sr);
1335148d1a41SMatt Barden sr->smb2_next_reply = 0;
1336148d1a41SMatt Barden MBC_FLUSH(&sr->reply);
1337148d1a41SMatt Barden ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes);
1338148d1a41SMatt Barden ASSERT(sr->reply.chain_offset == 0);
1339148d1a41SMatt Barden sr->smb2_reply_hdr = 0;
1340148d1a41SMatt Barden (void) smb2_encode_header(sr, B_FALSE);
1341a90cf9f2SGordon Ross
1342148d1a41SMatt Barden return (NT_STATUS_SUCCESS);
1343a90cf9f2SGordon Ross }
1344a90cf9f2SGordon Ross
1345a90cf9f2SGordon Ross int
smb2_decode_header(smb_request_t * sr)1346a90cf9f2SGordon Ross smb2_decode_header(smb_request_t *sr)
1347a90cf9f2SGordon Ross {
1348a90cf9f2SGordon Ross uint32_t pid, tid;
1349a90cf9f2SGordon Ross uint16_t hdr_len;
1350a90cf9f2SGordon Ross int rc;
1351a90cf9f2SGordon Ross
1352a90cf9f2SGordon Ross rc = smb_mbc_decodef(
1353a90cf9f2SGordon Ross &sr->command, "Nwww..wwllqllq16c",
1354a90cf9f2SGordon Ross &hdr_len, /* w */
1355a90cf9f2SGordon Ross &sr->smb2_credit_charge, /* w */
1356a90cf9f2SGordon Ross &sr->smb2_chan_seq, /* w */
1357a90cf9f2SGordon Ross /* reserved .. */
1358a90cf9f2SGordon Ross &sr->smb2_cmd_code, /* w */
1359a90cf9f2SGordon Ross &sr->smb2_credit_request, /* w */
1360a90cf9f2SGordon Ross &sr->smb2_hdr_flags, /* l */
1361a90cf9f2SGordon Ross &sr->smb2_next_command, /* l */
1362a90cf9f2SGordon Ross &sr->smb2_messageid, /* q */
1363a90cf9f2SGordon Ross &pid, /* l */
1364a90cf9f2SGordon Ross &tid, /* l */
1365148d1a41SMatt Barden &sr->smb2_ssnid, /* q */
1366a90cf9f2SGordon Ross sr->smb2_sig); /* 16c */
1367a90cf9f2SGordon Ross if (rc)
1368a90cf9f2SGordon Ross return (rc);
1369a90cf9f2SGordon Ross
1370a90cf9f2SGordon Ross if (hdr_len != SMB2_HDR_SIZE)
1371a90cf9f2SGordon Ross return (-1);
1372a90cf9f2SGordon Ross
1373a90cf9f2SGordon Ross if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
1374a90cf9f2SGordon Ross sr->smb2_async_id = pid |
1375a90cf9f2SGordon Ross ((uint64_t)tid) << 32;
1376148d1a41SMatt Barden sr->smb_pid = 0;
1377148d1a41SMatt Barden sr->smb_tid = 0;
1378a90cf9f2SGordon Ross } else {
1379148d1a41SMatt Barden sr->smb2_async_id = 0;
1380a90cf9f2SGordon Ross sr->smb_pid = pid;
1381a90cf9f2SGordon Ross sr->smb_tid = (uint16_t)tid; /* XXX wide TIDs */
1382a90cf9f2SGordon Ross }
1383a90cf9f2SGordon Ross
1384a90cf9f2SGordon Ross return (rc);
1385a90cf9f2SGordon Ross }
1386a90cf9f2SGordon Ross
1387a90cf9f2SGordon Ross int
smb2_encode_header(smb_request_t * sr,boolean_t overwrite)1388a90cf9f2SGordon Ross smb2_encode_header(smb_request_t *sr, boolean_t overwrite)
1389a90cf9f2SGordon Ross {
1390a90cf9f2SGordon Ross uint64_t pid_tid_aid; /* pid+tid, or async id */
1391a90cf9f2SGordon Ross int rc;
1392a90cf9f2SGordon Ross
1393a90cf9f2SGordon Ross if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
1394a90cf9f2SGordon Ross pid_tid_aid = sr->smb2_async_id;
1395a90cf9f2SGordon Ross } else {
1396a90cf9f2SGordon Ross pid_tid_aid = sr->smb_pid |
1397a90cf9f2SGordon Ross ((uint64_t)sr->smb_tid) << 32;
1398a90cf9f2SGordon Ross }
1399a90cf9f2SGordon Ross
1400a90cf9f2SGordon Ross if (overwrite) {
1401a90cf9f2SGordon Ross rc = smb_mbc_poke(&sr->reply,
1402a90cf9f2SGordon Ross sr->smb2_reply_hdr,
1403a90cf9f2SGordon Ross "Nwwlwwllqqq16c",
1404a90cf9f2SGordon Ross SMB2_HDR_SIZE, /* w */
1405a90cf9f2SGordon Ross sr->smb2_credit_charge, /* w */
1406a90cf9f2SGordon Ross sr->smb2_status, /* l */
1407a90cf9f2SGordon Ross sr->smb2_cmd_code, /* w */
1408a90cf9f2SGordon Ross sr->smb2_credit_response, /* w */
1409148d1a41SMatt Barden sr->smb2_hdr_flags, /* l */
1410a90cf9f2SGordon Ross sr->smb2_next_reply, /* l */
1411a90cf9f2SGordon Ross sr->smb2_messageid, /* q */
1412a90cf9f2SGordon Ross pid_tid_aid, /* q */
1413811599a4SMatt Barden sr->smb2_ssnid, /* q */
1414a90cf9f2SGordon Ross sr->smb2_sig); /* 16c */
1415a90cf9f2SGordon Ross } else {
1416a90cf9f2SGordon Ross rc = smb_mbc_encodef(&sr->reply,
1417a90cf9f2SGordon Ross "Nwwlwwllqqq16c",
1418a90cf9f2SGordon Ross SMB2_HDR_SIZE, /* w */
1419a90cf9f2SGordon Ross sr->smb2_credit_charge, /* w */
1420a90cf9f2SGordon Ross sr->smb2_status, /* l */
1421a90cf9f2SGordon Ross sr->smb2_cmd_code, /* w */
1422a90cf9f2SGordon Ross sr->smb2_credit_response, /* w */
1423148d1a41SMatt Barden sr->smb2_hdr_flags, /* l */
1424a90cf9f2SGordon Ross sr->smb2_next_reply, /* l */
1425a90cf9f2SGordon Ross sr->smb2_messageid, /* q */
1426a90cf9f2SGordon Ross pid_tid_aid, /* q */
1427811599a4SMatt Barden sr->smb2_ssnid, /* q */
1428a90cf9f2SGordon Ross sr->smb2_sig); /* 16c */
1429a90cf9f2SGordon Ross }
1430a90cf9f2SGordon Ross
1431a90cf9f2SGordon Ross return (rc);
1432a90cf9f2SGordon Ross }
1433a90cf9f2SGordon Ross
1434a90cf9f2SGordon Ross void
smb2_send_reply(smb_request_t * sr)1435a90cf9f2SGordon Ross smb2_send_reply(smb_request_t *sr)
1436a90cf9f2SGordon Ross {
14371160dcf7SMatt Barden struct mbuf_chain enc_reply;
14381160dcf7SMatt Barden smb_session_t *session = sr->session;
14394f0ce1daSGordon Ross mbuf_t *m;
14401160dcf7SMatt Barden
14411160dcf7SMatt Barden /*
14421160dcf7SMatt Barden * [MS-SMB2] 3.3.4.1.4 Encrypting the Message
14431160dcf7SMatt Barden *
14441160dcf7SMatt Barden * When the connection supports encryption and the dialect
14451160dcf7SMatt Barden * is 3.x, encrypt if:
14461160dcf7SMatt Barden * - The request was encrypted OR
14471160dcf7SMatt Barden * - The cmd is not SESSION_SETUP or NEGOTIATE AND
14481160dcf7SMatt Barden * -- Session.EncryptData is TRUE OR
14491160dcf7SMatt Barden * -- The cmd is not TREE_CONNECT AND
14501160dcf7SMatt Barden * --- Tree.EncryptData is TRUE
14511160dcf7SMatt Barden *
14524f0ce1daSGordon Ross * This boils down to sr->th_sid_user != NULL, and the rest
14534f0ce1daSGordon Ross * is enforced when th_sid_user is set.
14541160dcf7SMatt Barden */
14551160dcf7SMatt Barden
14561160dcf7SMatt Barden if ((session->capabilities & SMB2_CAP_ENCRYPTION) == 0 ||
14574f0ce1daSGordon Ross sr->th_sid_user == NULL) {
14582c834067SSpencer Berger (void) smb_session_send(sr->session, 0, &sr->reply);
14591160dcf7SMatt Barden return;
14601160dcf7SMatt Barden }
14611160dcf7SMatt Barden
1462897907ceSGordon Ross /*
14634f0ce1daSGordon Ross * Encrypted send
14644f0ce1daSGordon Ross *
14654f0ce1daSGordon Ross * Not doing in-place encryption because we may have
14664f0ce1daSGordon Ross * loaned buffers (eg. from ZFS) that are read-only.
14674f0ce1daSGordon Ross *
14684f0ce1daSGordon Ross * Setup the transform header in its own mblk,
14694f0ce1daSGordon Ross * with leading space for the netbios header.
1470897907ceSGordon Ross */
14714f0ce1daSGordon Ross MBC_INIT(&enc_reply, SMB3_TFORM_HDR_SIZE);
14724f0ce1daSGordon Ross m = enc_reply.chain;
14734f0ce1daSGordon Ross m->m_len = SMB3_TFORM_HDR_SIZE;
14741160dcf7SMatt Barden
14754f0ce1daSGordon Ross sr->th_msglen = sr->reply.chain_offset;
14764f0ce1daSGordon Ross m->m_next = smb_mbuf_alloc_chain(sr->th_msglen);
14774f0ce1daSGordon Ross enc_reply.max_bytes += sr->th_msglen;
14781160dcf7SMatt Barden
14794f0ce1daSGordon Ross if (smb3_encrypt_sr(sr, &sr->reply, &enc_reply) != 0) {
14801160dcf7SMatt Barden cmn_err(CE_WARN, "smb3 encryption failed");
14814f0ce1daSGordon Ross smb_session_disconnect(sr->session);
14824f0ce1daSGordon Ross } else {
14834f0ce1daSGordon Ross (void) smb_session_send(sr->session, 0, &enc_reply);
14841160dcf7SMatt Barden }
1485897907ceSGordon Ross MBC_FLUSH(&enc_reply);
1486a90cf9f2SGordon Ross }
1487a90cf9f2SGordon Ross
1488a90cf9f2SGordon Ross /*
1489a90cf9f2SGordon Ross * This wrapper function exists to help catch calls to smbsr_status()
1490a90cf9f2SGordon Ross * (which is SMB1-specific) in common code. See smbsr_status().
1491a90cf9f2SGordon Ross * If the log message below is seen, put a dtrace probe on this
1492a90cf9f2SGordon Ross * function with a stack() action to see who is calling the SMB1
1493a90cf9f2SGordon Ross * "put error" from common code, and fix it.
1494a90cf9f2SGordon Ross */
1495a90cf9f2SGordon Ross void
smbsr_status_smb2(smb_request_t * sr,DWORD status)1496a90cf9f2SGordon Ross smbsr_status_smb2(smb_request_t *sr, DWORD status)
1497a90cf9f2SGordon Ross {
1498a90cf9f2SGordon Ross const char *name;
1499a90cf9f2SGordon Ross
1500a90cf9f2SGordon Ross if (sr->smb2_cmd_code < SMB2__NCMDS)
1501a90cf9f2SGordon Ross name = smb2_disp_table[sr->smb2_cmd_code].sdt_name;
1502a90cf9f2SGordon Ross else
1503a90cf9f2SGordon Ross name = "<unknown>";
1504a90cf9f2SGordon Ross #ifdef DEBUG
1505a90cf9f2SGordon Ross cmn_err(CE_NOTE, "smbsr_status called for %s", name);
1506a90cf9f2SGordon Ross #endif
1507a90cf9f2SGordon Ross
1508a90cf9f2SGordon Ross smb2sr_put_error_data(sr, status, NULL);
1509a90cf9f2SGordon Ross }
1510a90cf9f2SGordon Ross
1511a90cf9f2SGordon Ross void
smb2sr_put_errno(struct smb_request * sr,int errnum)1512a90cf9f2SGordon Ross smb2sr_put_errno(struct smb_request *sr, int errnum)
1513a90cf9f2SGordon Ross {
1514a90cf9f2SGordon Ross uint32_t status = smb_errno2status(errnum);
1515a90cf9f2SGordon Ross smb2sr_put_error_data(sr, status, NULL);
1516a90cf9f2SGordon Ross }
1517a90cf9f2SGordon Ross
1518a90cf9f2SGordon Ross void
smb2sr_put_error(smb_request_t * sr,uint32_t status)1519a90cf9f2SGordon Ross smb2sr_put_error(smb_request_t *sr, uint32_t status)
1520a90cf9f2SGordon Ross {
1521a90cf9f2SGordon Ross smb2sr_put_error_data(sr, status, NULL);
1522a90cf9f2SGordon Ross }
1523a90cf9f2SGordon Ross
1524a90cf9f2SGordon Ross /*
1525a90cf9f2SGordon Ross * Build an SMB2 error response. [MS-SMB2] 2.2.2
1526a90cf9f2SGordon Ross */
1527a90cf9f2SGordon Ross void
smb2sr_put_error_data(smb_request_t * sr,uint32_t status,mbuf_chain_t * mbc)1528a90cf9f2SGordon Ross smb2sr_put_error_data(smb_request_t *sr, uint32_t status, mbuf_chain_t *mbc)
1529a90cf9f2SGordon Ross {
1530a90cf9f2SGordon Ross DWORD len;
1531a90cf9f2SGordon Ross
1532a90cf9f2SGordon Ross /*
1533a90cf9f2SGordon Ross * The common dispatch code writes this when it
1534a90cf9f2SGordon Ross * updates the SMB2 header before sending.
1535a90cf9f2SGordon Ross */
1536a90cf9f2SGordon Ross sr->smb2_status = status;
1537a90cf9f2SGordon Ross
1538a90cf9f2SGordon Ross /* Rewind to the end of the SMB header. */
1539a90cf9f2SGordon Ross sr->reply.chain_offset = sr->smb2_reply_hdr + SMB2_HDR_SIZE;
1540a90cf9f2SGordon Ross
1541a90cf9f2SGordon Ross /*
1542a90cf9f2SGordon Ross * NB: Must provide at least one byte of error data,
1543a90cf9f2SGordon Ross * per [MS-SMB2] 2.2.2
1544a90cf9f2SGordon Ross */
1545a90cf9f2SGordon Ross if (mbc != NULL && (len = MBC_LENGTH(mbc)) != 0) {
1546a90cf9f2SGordon Ross (void) smb_mbc_encodef(
1547a90cf9f2SGordon Ross &sr->reply,
1548a90cf9f2SGordon Ross "wwlC",
1549a90cf9f2SGordon Ross 9, /* StructSize */ /* w */
1550a90cf9f2SGordon Ross 0, /* reserved */ /* w */
1551a90cf9f2SGordon Ross len, /* l */
1552a90cf9f2SGordon Ross mbc); /* C */
1553a90cf9f2SGordon Ross } else {
1554a90cf9f2SGordon Ross (void) smb_mbc_encodef(
1555a90cf9f2SGordon Ross &sr->reply,
1556a90cf9f2SGordon Ross "wwl.",
1557a90cf9f2SGordon Ross 9, /* StructSize */ /* w */
1558a90cf9f2SGordon Ross 0, /* reserved */ /* w */
1559a90cf9f2SGordon Ross 0); /* l. */
1560a90cf9f2SGordon Ross }
1561a90cf9f2SGordon Ross }
1562a90cf9f2SGordon Ross
15634e065a9fSAlexander Stetsenko /*
15644e065a9fSAlexander Stetsenko * Build an SMB2 error context response (dialect 3.1.1).
15654e065a9fSAlexander Stetsenko */
15664e065a9fSAlexander Stetsenko void
smb2sr_put_error_ctx(smb_request_t * sr,uint32_t status,uint32_t errid,mbuf_chain_t * mbc)15674e065a9fSAlexander Stetsenko smb2sr_put_error_ctx(smb_request_t *sr, uint32_t status, uint32_t errid,
15684e065a9fSAlexander Stetsenko mbuf_chain_t *mbc)
15694e065a9fSAlexander Stetsenko {
15704e065a9fSAlexander Stetsenko DWORD len;
15714e065a9fSAlexander Stetsenko
15724e065a9fSAlexander Stetsenko /*
15734e065a9fSAlexander Stetsenko * The common dispatch code writes this when it
15744e065a9fSAlexander Stetsenko * updates the SMB2 header before sending.
15754e065a9fSAlexander Stetsenko */
15764e065a9fSAlexander Stetsenko sr->smb2_status = status;
15774e065a9fSAlexander Stetsenko
15784e065a9fSAlexander Stetsenko /* Rewind to the end of the SMB header. */
15794e065a9fSAlexander Stetsenko sr->reply.chain_offset = sr->smb2_reply_hdr + SMB2_HDR_SIZE;
15804e065a9fSAlexander Stetsenko
15814e065a9fSAlexander Stetsenko /*
15824e065a9fSAlexander Stetsenko * Error Context is 8-byte header plus encaps. data (ErrorContextData),
15834e065a9fSAlexander Stetsenko * which can be zero-length.
15844e065a9fSAlexander Stetsenko */
15854e065a9fSAlexander Stetsenko if (mbc != NULL && (len = MBC_LENGTH(mbc)) != 0) {
15864e065a9fSAlexander Stetsenko (void) smb_mbc_encodef(
15874e065a9fSAlexander Stetsenko &sr->reply,
15884e065a9fSAlexander Stetsenko "wbblllC",
15894e065a9fSAlexander Stetsenko 9, /* StructSize */ /* w */
15904e065a9fSAlexander Stetsenko 1, /* ErrorContextCount */ /* b */
15914e065a9fSAlexander Stetsenko 0, /* reserved */ /* b */
15924e065a9fSAlexander Stetsenko 8+len, /* ByteCount */ /* l */
15934e065a9fSAlexander Stetsenko len, /* ErrorDataLength */ /* l */
15944e065a9fSAlexander Stetsenko errid, /* ErrorId */ /* l */
15954e065a9fSAlexander Stetsenko mbc); /* C */
15964e065a9fSAlexander Stetsenko } else {
15974e065a9fSAlexander Stetsenko (void) smb_mbc_encodef(
15984e065a9fSAlexander Stetsenko &sr->reply,
15994e065a9fSAlexander Stetsenko "wbblll",
16004e065a9fSAlexander Stetsenko 9, /* StructSize */ /* w */
16014e065a9fSAlexander Stetsenko 1, /* ErrorContextCount */ /* b */
16024e065a9fSAlexander Stetsenko 0, /* reserved */ /* b */
16034e065a9fSAlexander Stetsenko 8, /* ByteCount */ /* l */
16044e065a9fSAlexander Stetsenko 0, /* ErrorDataLength */ /* l */
16054e065a9fSAlexander Stetsenko errid); /* ErrorId */ /* l */
16064e065a9fSAlexander Stetsenko }
16074e065a9fSAlexander Stetsenko }
16084e065a9fSAlexander Stetsenko
16094e065a9fSAlexander Stetsenko /*
16104e065a9fSAlexander Stetsenko * Build an SMB2 error context response with SMB2_ERROR_ID_DEFAULT ErrorId.
16114e065a9fSAlexander Stetsenko *
16124e065a9fSAlexander Stetsenko * This only handles the case we currently need, encapsulating a
16134e065a9fSAlexander Stetsenko * single error data section inside an SMB2_ERROR_ID_DEFAULT
16144e065a9fSAlexander Stetsenko * error context type (which is type zero, and that's what
16154e065a9fSAlexander Stetsenko * the zero on the end of this function name refers to).
16164e065a9fSAlexander Stetsenko */
16174e065a9fSAlexander Stetsenko void
smb2sr_put_error_ctx0(smb_request_t * sr,uint32_t status,mbuf_chain_t * mbc)16184e065a9fSAlexander Stetsenko smb2sr_put_error_ctx0(smb_request_t *sr, uint32_t status, mbuf_chain_t *mbc)
16194e065a9fSAlexander Stetsenko {
16204e065a9fSAlexander Stetsenko return (smb2sr_put_error_ctx(sr, status, SMB2_ERROR_ID_DEFAULT, mbc));
16214e065a9fSAlexander Stetsenko }
16224e065a9fSAlexander Stetsenko
1623a90cf9f2SGordon Ross /*
1624a90cf9f2SGordon Ross * smb2sr_lookup_fid
1625a90cf9f2SGordon Ross *
1626a90cf9f2SGordon Ross * Setup sr->fid_ofile, either inherited from a related command,
1627a90cf9f2SGordon Ross * or obtained via FID lookup. Similar inheritance logic as in
1628a90cf9f2SGordon Ross * smb2sr_work.
1629a90cf9f2SGordon Ross */
1630a90cf9f2SGordon Ross uint32_t
smb2sr_lookup_fid(smb_request_t * sr,smb2fid_t * fid)1631a90cf9f2SGordon Ross smb2sr_lookup_fid(smb_request_t *sr, smb2fid_t *fid)
1632a90cf9f2SGordon Ross {
1633a90cf9f2SGordon Ross boolean_t related = sr->smb2_hdr_flags &
1634a90cf9f2SGordon Ross SMB2_FLAGS_RELATED_OPERATIONS;
1635a90cf9f2SGordon Ross
1636a90cf9f2SGordon Ross if (related) {
1637a90cf9f2SGordon Ross if (sr->fid_ofile == NULL)
1638a90cf9f2SGordon Ross return (NT_STATUS_INVALID_PARAMETER);
1639a90cf9f2SGordon Ross sr->smb_fid = sr->fid_ofile->f_fid;
1640a90cf9f2SGordon Ross return (0);
1641a90cf9f2SGordon Ross }
1642a90cf9f2SGordon Ross
1643a90cf9f2SGordon Ross /*
1644a90cf9f2SGordon Ross * If we could be sure this is called only once per cmd,
1645a90cf9f2SGordon Ross * we could simply ASSERT(sr->fid_ofile == NULL) here.
1646a90cf9f2SGordon Ross * However, there are cases where it can be called again
1647a90cf9f2SGordon Ross * handling the same command, so let's tolerate that.
1648a90cf9f2SGordon Ross */
1649a90cf9f2SGordon Ross if (sr->fid_ofile == NULL) {
1650a90cf9f2SGordon Ross sr->smb_fid = (uint16_t)fid->temporal;
1651a90cf9f2SGordon Ross sr->fid_ofile = smb_ofile_lookup_by_fid(sr, sr->smb_fid);
1652a90cf9f2SGordon Ross }
1653811599a4SMatt Barden if (sr->fid_ofile == NULL ||
1654811599a4SMatt Barden sr->fid_ofile->f_persistid != fid->persistent)
1655a90cf9f2SGordon Ross return (NT_STATUS_FILE_CLOSED);
1656a90cf9f2SGordon Ross
1657a90cf9f2SGordon Ross return (0);
1658a90cf9f2SGordon Ross }
1659a90cf9f2SGordon Ross
1660a90cf9f2SGordon Ross /*
1661a90cf9f2SGordon Ross * smb2_dispatch_stats_init
1662a90cf9f2SGordon Ross *
1663a90cf9f2SGordon Ross * Initializes dispatch statistics for SMB2.
1664a90cf9f2SGordon Ross * See also smb_dispatch_stats_init(), which fills in
1665a90cf9f2SGordon Ross * the lower part of the statistics array, from zero
1666a90cf9f2SGordon Ross * through SMB_COM_NUM;
1667a90cf9f2SGordon Ross */
1668a90cf9f2SGordon Ross void
smb2_dispatch_stats_init(smb_server_t * sv)1669a90cf9f2SGordon Ross smb2_dispatch_stats_init(smb_server_t *sv)
1670a90cf9f2SGordon Ross {
1671a90cf9f2SGordon Ross smb_disp_stats_t *sds = sv->sv_disp_stats2;
1672a90cf9f2SGordon Ross smb_kstat_req_t *ksr;
1673a90cf9f2SGordon Ross int i;
1674a90cf9f2SGordon Ross
1675a90cf9f2SGordon Ross ksr = ((smbsrv_kstats_t *)sv->sv_ksp->ks_data)->ks_reqs2;
1676a90cf9f2SGordon Ross
1677a90cf9f2SGordon Ross for (i = 0; i < SMB2__NCMDS; i++, ksr++) {
1678a90cf9f2SGordon Ross smb_latency_init(&sds[i].sdt_lat);
1679a90cf9f2SGordon Ross (void) strlcpy(ksr->kr_name, smb2_disp_table[i].sdt_name,
1680a90cf9f2SGordon Ross sizeof (ksr->kr_name));
1681a90cf9f2SGordon Ross }
1682a90cf9f2SGordon Ross }
1683a90cf9f2SGordon Ross
1684a90cf9f2SGordon Ross /*
1685a90cf9f2SGordon Ross * smb2_dispatch_stats_fini
1686a90cf9f2SGordon Ross *
1687a90cf9f2SGordon Ross * Frees and destroyes the resources used for statistics.
1688a90cf9f2SGordon Ross */
1689a90cf9f2SGordon Ross void
smb2_dispatch_stats_fini(smb_server_t * sv)1690a90cf9f2SGordon Ross smb2_dispatch_stats_fini(smb_server_t *sv)
1691a90cf9f2SGordon Ross {
1692a90cf9f2SGordon Ross smb_disp_stats_t *sds = sv->sv_disp_stats2;
1693a90cf9f2SGordon Ross int i;
1694a90cf9f2SGordon Ross
1695a90cf9f2SGordon Ross for (i = 0; i < SMB2__NCMDS; i++)
1696a90cf9f2SGordon Ross smb_latency_destroy(&sds[i].sdt_lat);
1697a90cf9f2SGordon Ross }
1698a90cf9f2SGordon Ross
1699a90cf9f2SGordon Ross void
smb2_dispatch_stats_update(smb_server_t * sv,smb_kstat_req_t * ksr,int first,int nreq)1700a90cf9f2SGordon Ross smb2_dispatch_stats_update(smb_server_t *sv,
1701a90cf9f2SGordon Ross smb_kstat_req_t *ksr, int first, int nreq)
1702a90cf9f2SGordon Ross {
1703a90cf9f2SGordon Ross smb_disp_stats_t *sds = sv->sv_disp_stats2;
1704a90cf9f2SGordon Ross int i;
1705a90cf9f2SGordon Ross int last;
1706a90cf9f2SGordon Ross
1707a90cf9f2SGordon Ross last = first + nreq - 1;
1708a90cf9f2SGordon Ross
1709a90cf9f2SGordon Ross if ((first < SMB2__NCMDS) && (last < SMB2__NCMDS)) {
1710a90cf9f2SGordon Ross for (i = first; i <= last; i++, ksr++) {
1711a90cf9f2SGordon Ross ksr->kr_rxb = sds[i].sdt_rxb;
1712a90cf9f2SGordon Ross ksr->kr_txb = sds[i].sdt_txb;
1713a90cf9f2SGordon Ross mutex_enter(&sds[i].sdt_lat.ly_mutex);
1714a90cf9f2SGordon Ross ksr->kr_nreq = sds[i].sdt_lat.ly_a_nreq;
1715a90cf9f2SGordon Ross ksr->kr_sum = sds[i].sdt_lat.ly_a_sum;
1716a90cf9f2SGordon Ross ksr->kr_a_mean = sds[i].sdt_lat.ly_a_mean;
1717a90cf9f2SGordon Ross ksr->kr_a_stddev =
1718a90cf9f2SGordon Ross sds[i].sdt_lat.ly_a_stddev;
1719a90cf9f2SGordon Ross ksr->kr_d_mean = sds[i].sdt_lat.ly_d_mean;
1720a90cf9f2SGordon Ross ksr->kr_d_stddev =
1721a90cf9f2SGordon Ross sds[i].sdt_lat.ly_d_stddev;
1722a90cf9f2SGordon Ross sds[i].sdt_lat.ly_d_mean = 0;
1723a90cf9f2SGordon Ross sds[i].sdt_lat.ly_d_nreq = 0;
1724a90cf9f2SGordon Ross sds[i].sdt_lat.ly_d_stddev = 0;
1725a90cf9f2SGordon Ross sds[i].sdt_lat.ly_d_sum = 0;
1726a90cf9f2SGordon Ross mutex_exit(&sds[i].sdt_lat.ly_mutex);
1727a90cf9f2SGordon Ross }
1728a90cf9f2SGordon Ross }
1729a90cf9f2SGordon Ross }
173094047d49SGordon Ross
173194047d49SGordon Ross /*
173294047d49SGordon Ross * Append new_sr to the postwork queue. sr->smb2_cmd_code encodes
173394047d49SGordon Ross * the action that should be run by this sr.
173494047d49SGordon Ross *
173594047d49SGordon Ross * This queue is rarely used (and normally empty) so we're OK
173694047d49SGordon Ross * using a simple "walk to tail and insert" here.
173794047d49SGordon Ross */
173894047d49SGordon Ross void
smb2sr_append_postwork(smb_request_t * top_sr,smb_request_t * new_sr)173994047d49SGordon Ross smb2sr_append_postwork(smb_request_t *top_sr, smb_request_t *new_sr)
174094047d49SGordon Ross {
174194047d49SGordon Ross smb_request_t *last_sr;
174294047d49SGordon Ross
174394047d49SGordon Ross ASSERT(top_sr->session->dialect >= SMB_VERS_2_BASE);
174494047d49SGordon Ross
174594047d49SGordon Ross last_sr = top_sr;
174694047d49SGordon Ross while (last_sr->sr_postwork != NULL)
174794047d49SGordon Ross last_sr = last_sr->sr_postwork;
174894047d49SGordon Ross
174994047d49SGordon Ross last_sr->sr_postwork = new_sr;
175094047d49SGordon Ross }
175194047d49SGordon Ross
175294047d49SGordon Ross /*
175394047d49SGordon Ross * Run any "post work" that was appended to the main SR while it
175494047d49SGordon Ross * was running. This is called after the request has been sent
175594047d49SGordon Ross * for the main SR, and used in cases i.e. the oplock code, where
175694047d49SGordon Ross * we need to send something to the client only _after_ the main
175794047d49SGordon Ross * sr request has gone out.
175894047d49SGordon Ross */
175994047d49SGordon Ross static void
smb2sr_run_postwork(smb_request_t * top_sr)176094047d49SGordon Ross smb2sr_run_postwork(smb_request_t *top_sr)
176194047d49SGordon Ross {
176294047d49SGordon Ross smb_request_t *post_sr; /* the one we're running */
176394047d49SGordon Ross smb_request_t *next_sr;
176494047d49SGordon Ross
176594047d49SGordon Ross while ((post_sr = top_sr->sr_postwork) != NULL) {
176694047d49SGordon Ross next_sr = post_sr->sr_postwork;
176794047d49SGordon Ross top_sr->sr_postwork = next_sr;
176894047d49SGordon Ross post_sr->sr_postwork = NULL;
176994047d49SGordon Ross
177094047d49SGordon Ross post_sr->sr_worker = top_sr->sr_worker;
177194047d49SGordon Ross post_sr->sr_state = SMB_REQ_STATE_ACTIVE;
177294047d49SGordon Ross
177394047d49SGordon Ross switch (post_sr->smb2_cmd_code) {
177494047d49SGordon Ross case SMB2_OPLOCK_BREAK:
177572b35b05SGordon Ross smb_oplock_send_break(post_sr);
177694047d49SGordon Ross break;
177794047d49SGordon Ross default:
177894047d49SGordon Ross ASSERT(0);
177994047d49SGordon Ross }
17808d94f651SGordon Ross
17818d94f651SGordon Ross /*
17828d94f651SGordon Ross * If we have a durable handle, and this operation
17838d94f651SGordon Ross * updated the nvlist, write it out.
17848d94f651SGordon Ross */
17858d94f651SGordon Ross if (post_sr->dh_nvl_dirty) {
17868d94f651SGordon Ross post_sr->dh_nvl_dirty = B_FALSE;
17878d94f651SGordon Ross smb2_dh_update_nvfile(post_sr);
17888d94f651SGordon Ross }
17898d94f651SGordon Ross
179094047d49SGordon Ross post_sr->sr_state = SMB_REQ_STATE_COMPLETED;
179194047d49SGordon Ross smb_request_free(post_sr);
179294047d49SGordon Ross }
179394047d49SGordon Ross }
1794