1 /* 2 * This file and its contents are supplied under the terms of the 3 * Common Development and Distribution License ("CDDL"), version 1.0. 4 * You may only use this file in accordance with the terms of version 5 * 1.0 of the CDDL. 6 * 7 * A full copy of the text of the CDDL should have accompanied this 8 * source. A copy of the CDDL is also available via the Internet at 9 * http://www.illumos.org/license/CDDL. 10 */ 11 12 /* 13 * Copyright 2017 Nexenta Systems, Inc. All rights reserved. 14 */ 15 16 /* 17 * Dispatch function for SMB2_NEGOTIATE 18 */ 19 20 #include <smbsrv/smb2_kproto.h> 21 #include <smbsrv/smb2.h> 22 23 static int smb2_negotiate_common(smb_request_t *, uint16_t); 24 25 uint32_t smb2srv_capabilities = 26 SMB2_CAP_DFS | 27 SMB2_CAP_LARGE_MTU; 28 29 /* 30 * These are not intended as customer tunables, but dev. & test folks 31 * might want to adjust them (with caution). 32 * 33 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket 34 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size. 35 * This is also used as a "sanity limit" for internal send/reply message 36 * allocations. Note that with compounding SMB2 messages may contain 37 * multiple requests/responses. This size should be large enough for 38 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize. 39 * 40 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell 41 * the client the largest read and write request size we'll support. 42 * For now, we're using contiguous allocations, so keep this at 64KB 43 * so that (even with message overhead) allocations stay below 128KB, 44 * avoiding kmem_alloc -> page_create_va thrashing. 45 * 46 * smb2_max_trans is the largest "transact" send or receive, which is 47 * used for directory listings and info set/get operations. 48 */ 49 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */ 50 uint32_t smb2_max_rwsize = (1<<16); /* 64KB */ 51 uint32_t smb2_max_trans = (1<<16); /* 64KB */ 52 53 /* 54 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU 55 * (including all clients using dialect < SMB 2.1), use a "conservative" value 56 * for max r/w size because some older clients misbehave with larger values. 57 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x 58 * Support) as the minimum so we'll use that. 59 */ 60 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */ 61 62 /* 63 * List of all SMB2 versions we implement. Note that the 64 * highest version we support may be limited by the 65 * _cfg.skc_max_protocol setting. 66 */ 67 static uint16_t smb2_versions[] = { 68 0x202, /* SMB 2.002 */ 69 0x210, /* SMB 2.1 */ 70 }; 71 static uint16_t smb2_nversions = 72 sizeof (smb2_versions) / sizeof (smb2_versions[0]); 73 74 static boolean_t 75 smb2_supported_version(smb_session_t *s, uint16_t version) 76 { 77 int i; 78 79 if (version > s->s_cfg.skc_max_protocol) 80 return (B_FALSE); 81 for (i = 0; i < smb2_nversions; i++) 82 if (version == smb2_versions[i]) 83 return (B_TRUE); 84 return (B_FALSE); 85 } 86 87 /* 88 * Helper for the (SMB1) smb_com_negotiate(). This is the 89 * very unusual protocol interaction where an SMB1 negotiate 90 * gets an SMB2 negotiate response. This is the normal way 91 * clients first find out if the server supports SMB2. 92 * 93 * Note: This sends an SMB2 reply _itself_ and then returns 94 * SDRC_NO_REPLY so the caller will not send an SMB1 reply. 95 * Also, this is called directly from the reader thread, so 96 * we know this is the only thread using this session. 97 * 98 * The caller frees this request. 99 */ 100 smb_sdrc_t 101 smb1_negotiate_smb2(smb_request_t *sr) 102 { 103 smb_session_t *s = sr->session; 104 smb_arg_negotiate_t *negprot = sr->sr_negprot; 105 uint16_t smb2_version; 106 uint16_t secmode2; 107 int rc; 108 109 /* 110 * Note: In the SMB1 negotiate command handler, we 111 * agreed with one of the SMB2 dialects. If that 112 * dialect was "SMB 2.002", we'll respond here with 113 * version 0x202 and negotiation is done. If that 114 * dialect was "SMB 2.???", we'll respond here with 115 * the "wildcard" version 0x2FF, and the client will 116 * come back with an SMB2 negotiate. 117 */ 118 switch (negprot->ni_dialect) { 119 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */ 120 smb2_version = 0x202; 121 s->dialect = smb2_version; 122 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 123 /* Allow normal SMB2 requests now. */ 124 s->newrq_func = smb2sr_newrq; 125 126 /* 127 * Translate SMB1 sec. mode to SMB2. 128 */ 129 secmode2 = 0; 130 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) 131 secmode2 |= SMB2_NEGOTIATE_SIGNING_ENABLED; 132 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) 133 secmode2 |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 134 s->secmode = secmode2; 135 break; 136 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */ 137 /* 138 * Expecting an SMB2 negotiate next, so keep the 139 * initial s->newrq_func. Note that secmode is 140 * fiction good enough to pass the signing check 141 * in smb2_negotiate_common(). We'll check the 142 * real secmode when the 2nd negotiate comes. 143 */ 144 smb2_version = 0x2FF; 145 s->secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 146 break; 147 default: 148 return (SDRC_DROP_VC); 149 } 150 151 /* 152 * We did not decode an SMB2 header, so make sure 153 * the SMB2 header fields are initialized. 154 * (Most are zero from smb_request_alloc.) 155 * Also, the SMB1 common dispatch code reserved space 156 * for an SMB1 header, which we need to undo here. 157 */ 158 sr->smb2_reply_hdr = sr->reply.chain_offset = 0; 159 sr->smb2_cmd_code = SMB2_NEGOTIATE; 160 161 rc = smb2_negotiate_common(sr, smb2_version); 162 if (rc != 0) 163 return (SDRC_DROP_VC); 164 165 return (SDRC_NO_REPLY); 166 } 167 168 /* 169 * SMB2 Negotiate gets special handling. This is called directly by 170 * the reader thread (see smbsr_newrq_initial) with what _should_ be 171 * an SMB2 Negotiate. Only the "\feSMB" header has been checked 172 * when this is called, so this needs to check the SMB command, 173 * if it's Negotiate execute it, then send the reply, etc. 174 * 175 * Since this is called directly from the reader thread, we 176 * know this is the only thread currently using this session. 177 * This has to duplicate some of what smb2sr_work does as a 178 * result of bypassing the normal dispatch mechanism. 179 * 180 * The caller always frees this request. 181 */ 182 int 183 smb2_newrq_negotiate(smb_request_t *sr) 184 { 185 smb_session_t *s = sr->session; 186 int i, rc; 187 uint16_t struct_size; 188 uint16_t best_version; 189 uint16_t version_cnt; 190 uint16_t cl_versions[8]; 191 192 sr->smb2_cmd_hdr = sr->command.chain_offset; 193 rc = smb2_decode_header(sr); 194 if (rc != 0) 195 return (rc); 196 197 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) || 198 (sr->smb2_next_command != 0)) 199 return (SDRC_DROP_VC); 200 201 /* 202 * Decode SMB2 Negotiate (fixed-size part) 203 */ 204 rc = smb_mbc_decodef( 205 &sr->command, "www..l16.8.", 206 &struct_size, /* w */ 207 &version_cnt, /* w */ 208 &s->secmode, /* w */ 209 /* reserved (..) */ 210 &s->capabilities); /* l */ 211 /* clnt_uuid 16. */ 212 /* start_time 8. */ 213 if (rc != 0) 214 return (rc); 215 if (struct_size != 36 || version_cnt > 8) 216 return (SDRC_DROP_VC); 217 218 /* 219 * Decode SMB2 Negotiate (variable part) 220 */ 221 rc = smb_mbc_decodef(&sr->command, 222 "#w", version_cnt, cl_versions); 223 if (rc != 0) 224 return (SDRC_DROP_VC); 225 226 /* 227 * The client offers an array of protocol versions it 228 * supports, which we have decoded into cl_versions[]. 229 * We walk the array and pick the highest supported. 230 */ 231 best_version = 0; 232 for (i = 0; i < version_cnt; i++) 233 if (smb2_supported_version(s, cl_versions[i]) && 234 best_version < cl_versions[i]) 235 best_version = cl_versions[i]; 236 if (best_version == 0) 237 return (SDRC_DROP_VC); 238 s->dialect = best_version; 239 240 /* Allow normal SMB2 requests now. */ 241 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 242 s->newrq_func = smb2sr_newrq; 243 244 rc = smb2_negotiate_common(sr, best_version); 245 if (rc != 0) 246 return (SDRC_DROP_VC); 247 248 return (0); 249 } 250 251 /* 252 * Common parts of SMB2 Negotiate, used for both the 253 * SMB1-to-SMB2 style, and straight SMB2 style. 254 * Do negotiation decisions, encode, send the reply. 255 */ 256 static int 257 smb2_negotiate_common(smb_request_t *sr, uint16_t version) 258 { 259 timestruc_t boot_tv, now_tv; 260 smb_session_t *s = sr->session; 261 int rc; 262 uint32_t max_rwsize; 263 uint16_t secmode; 264 265 sr->smb2_status = 0; 266 267 /* 268 * Negotiation itself. First the Security Mode. 269 * The caller stashed the client's secmode in s->secmode, 270 * which we validate, and then replace with the server's 271 * secmode, which is all we care about after this. 272 */ 273 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 274 if (sr->sr_cfg->skc_signing_required) { 275 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 276 /* Make sure client at least enables signing. */ 277 if ((s->secmode & secmode) == 0) { 278 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 279 } 280 } 281 s->secmode = secmode; 282 283 s->cmd_max_bytes = smb2_tcp_bufsize; 284 s->reply_max_bytes = smb2_tcp_bufsize; 285 286 /* 287 * "The number of credits held by the client MUST be considered 288 * as 1 when the connection is established." [MS-SMB2] 289 * We leave credits at 1 until the first successful 290 * session setup is completed. 291 */ 292 s->s_cur_credits = s->s_max_credits = 1; 293 sr->smb2_credit_response = 1; 294 295 boot_tv.tv_sec = smb_get_boottime(); 296 boot_tv.tv_nsec = 0; 297 now_tv.tv_sec = gethrestime_sec(); 298 now_tv.tv_nsec = 0; 299 300 /* 301 * SMB2 negotiate reply 302 */ 303 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR; 304 (void) smb2_encode_header(sr, B_FALSE); 305 if (sr->smb2_status != 0) { 306 smb2sr_put_error(sr, sr->smb2_status); 307 smb2_send_reply(sr); 308 return (-1); /* will drop */ 309 } 310 311 /* 312 * See notes above smb2_max_rwsize, smb2_old_rwsize 313 */ 314 if (s->capabilities & SMB2_CAP_LARGE_MTU) 315 max_rwsize = smb2_max_rwsize; 316 else 317 max_rwsize = smb2_old_rwsize; 318 319 rc = smb_mbc_encodef( 320 &sr->reply, 321 "wwww#cllllTTwwl#c", 322 65, /* StructSize */ /* w */ 323 s->secmode, /* w */ 324 version, /* w */ 325 0, /* reserved */ /* w */ 326 UUID_LEN, /* # */ 327 &s->s_cfg.skc_machine_uuid, /* c */ 328 smb2srv_capabilities, /* l */ 329 smb2_max_trans, /* l */ 330 max_rwsize, /* l */ 331 max_rwsize, /* l */ 332 &now_tv, /* T */ 333 &boot_tv, /* T */ 334 128, /* SecBufOff */ /* w */ 335 sr->sr_cfg->skc_negtok_len, /* w */ 336 0, /* reserved */ /* l */ 337 sr->sr_cfg->skc_negtok_len, /* # */ 338 sr->sr_cfg->skc_negtok); /* c */ 339 340 smb2_send_reply(sr); 341 342 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 343 SO_SNDBUF, (const void *)&smb2_tcp_bufsize, 344 sizeof (smb2_tcp_bufsize), CRED()); 345 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 346 SO_RCVBUF, (const void *)&smb2_tcp_bufsize, 347 sizeof (smb2_tcp_bufsize), CRED()); 348 349 return (rc); 350 } 351 352 /* 353 * SMB2 Dispatch table handler, which will run if we see an 354 * SMB2_NEGOTIATE after the initial negotiation is done. 355 * That would be a protocol error. 356 */ 357 smb_sdrc_t 358 smb2_negotiate(smb_request_t *sr) 359 { 360 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 361 return (SDRC_ERROR); 362 } 363 364 /* 365 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6 366 */ 367 uint32_t 368 smb2_fsctl_vneginfo(smb_request_t *sr, smb_fsctl_t *fsctl) 369 { 370 smb_session_t *s = sr->session; 371 int rc; 372 373 /* 374 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here 375 * and verify that the original negotiate was not modified. 376 * The only tampering we need worry about is secmode, and 377 * we're not taking that from the client, so don't bother. 378 * 379 * One interesting requirement here is that we MUST reply 380 * with exactly the same information as we returned in our 381 * original reply to the SMB2 negotiate on this session. 382 * If we don't the client closes the connection. 383 */ 384 385 rc = smb_mbc_encodef( 386 fsctl->out_mbc, "l#cww", 387 smb2srv_capabilities, /* l */ 388 UUID_LEN, /* # */ 389 &s->s_cfg.skc_machine_uuid, /* c */ 390 s->secmode, /* w */ 391 s->dialect); /* w */ 392 if (rc) 393 return (NT_STATUS_INTERNAL_ERROR); 394 395 return (0); 396 } 397