1 /* 2 * This file and its contents are supplied under the terms of the 3 * Common Development and Distribution License ("CDDL"), version 1.0. 4 * You may only use this file in accordance with the terms of version 5 * 1.0 of the CDDL. 6 * 7 * A full copy of the text of the CDDL should have accompanied this 8 * source. A copy of the CDDL is also available via the Internet at 9 * http://www.illumos.org/license/CDDL. 10 */ 11 12 /* 13 * Copyright 2017 Nexenta Systems, Inc. All rights reserved. 14 */ 15 16 /* 17 * Dispatch function for SMB2_NEGOTIATE 18 */ 19 20 #include <smbsrv/smb2_kproto.h> 21 #include <smbsrv/smb2.h> 22 23 static int smb2_negotiate_common(smb_request_t *, uint16_t); 24 25 uint32_t smb2srv_capabilities = 26 SMB2_CAP_DFS | 27 SMB2_CAP_LEASING | 28 SMB2_CAP_LARGE_MTU; 29 30 /* 31 * These are not intended as customer tunables, but dev. & test folks 32 * might want to adjust them (with caution). 33 * 34 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket 35 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size. 36 * This is also used as a "sanity limit" for internal send/reply message 37 * allocations. Note that with compounding SMB2 messages may contain 38 * multiple requests/responses. This size should be large enough for 39 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize. 40 * 41 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell 42 * the client the largest read and write request size we'll support. 43 * For now, we're using contiguous allocations, so keep this at 64KB 44 * so that (even with message overhead) allocations stay below 128KB, 45 * avoiding kmem_alloc -> page_create_va thrashing. 46 * 47 * smb2_max_trans is the largest "transact" send or receive, which is 48 * used for directory listings and info set/get operations. 49 */ 50 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */ 51 uint32_t smb2_max_rwsize = (1<<16); /* 64KB */ 52 uint32_t smb2_max_trans = (1<<16); /* 64KB */ 53 54 /* 55 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU 56 * (including all clients using dialect < SMB 2.1), use a "conservative" value 57 * for max r/w size because some older clients misbehave with larger values. 58 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x 59 * Support) as the minimum so we'll use that. 60 */ 61 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */ 62 63 /* 64 * List of all SMB2 versions we implement. Note that the 65 * highest version we support may be limited by the 66 * _cfg.skc_max_protocol setting. 67 */ 68 static uint16_t smb2_versions[] = { 69 0x202, /* SMB 2.002 */ 70 0x210, /* SMB 2.1 */ 71 0x300, /* SMB 3.0 */ 72 }; 73 static uint16_t smb2_nversions = 74 sizeof (smb2_versions) / sizeof (smb2_versions[0]); 75 76 static boolean_t 77 smb2_supported_version(smb_session_t *s, uint16_t version) 78 { 79 int i; 80 81 if (version > s->s_cfg.skc_max_protocol) 82 return (B_FALSE); 83 for (i = 0; i < smb2_nversions; i++) 84 if (version == smb2_versions[i]) 85 return (B_TRUE); 86 return (B_FALSE); 87 } 88 89 /* 90 * Helper for the (SMB1) smb_com_negotiate(). This is the 91 * very unusual protocol interaction where an SMB1 negotiate 92 * gets an SMB2 negotiate response. This is the normal way 93 * clients first find out if the server supports SMB2. 94 * 95 * Note: This sends an SMB2 reply _itself_ and then returns 96 * SDRC_NO_REPLY so the caller will not send an SMB1 reply. 97 * Also, this is called directly from the reader thread, so 98 * we know this is the only thread using this session. 99 * 100 * The caller frees this request. 101 */ 102 smb_sdrc_t 103 smb1_negotiate_smb2(smb_request_t *sr) 104 { 105 smb_session_t *s = sr->session; 106 smb_arg_negotiate_t *negprot = sr->sr_negprot; 107 uint16_t smb2_version; 108 uint16_t secmode2; 109 int rc; 110 111 /* 112 * Note: In the SMB1 negotiate command handler, we 113 * agreed with one of the SMB2 dialects. If that 114 * dialect was "SMB 2.002", we'll respond here with 115 * version 0x202 and negotiation is done. If that 116 * dialect was "SMB 2.???", we'll respond here with 117 * the "wildcard" version 0x2FF, and the client will 118 * come back with an SMB2 negotiate. 119 */ 120 switch (negprot->ni_dialect) { 121 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */ 122 smb2_version = 0x202; 123 s->dialect = smb2_version; 124 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 125 /* Allow normal SMB2 requests now. */ 126 s->newrq_func = smb2sr_newrq; 127 128 /* 129 * Translate SMB1 sec. mode to SMB2. 130 */ 131 secmode2 = 0; 132 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) 133 secmode2 |= SMB2_NEGOTIATE_SIGNING_ENABLED; 134 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) 135 secmode2 |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 136 s->secmode = secmode2; 137 break; 138 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */ 139 /* 140 * Expecting an SMB2 negotiate next, so keep the 141 * initial s->newrq_func. Note that secmode is 142 * fiction good enough to pass the signing check 143 * in smb2_negotiate_common(). We'll check the 144 * real secmode when the 2nd negotiate comes. 145 */ 146 smb2_version = 0x2FF; 147 s->secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 148 break; 149 default: 150 return (SDRC_DROP_VC); 151 } 152 153 /* 154 * We did not decode an SMB2 header, so make sure 155 * the SMB2 header fields are initialized. 156 * (Most are zero from smb_request_alloc.) 157 * Also, the SMB1 common dispatch code reserved space 158 * for an SMB1 header, which we need to undo here. 159 */ 160 sr->smb2_reply_hdr = sr->reply.chain_offset = 0; 161 sr->smb2_cmd_code = SMB2_NEGOTIATE; 162 163 rc = smb2_negotiate_common(sr, smb2_version); 164 smb2_send_reply(sr); 165 if (rc != 0) 166 return (SDRC_DROP_VC); 167 168 /* 169 * We sent the reply, so tell the SMB1 dispatch 170 * it should NOT (also) send a reply. 171 */ 172 return (SDRC_NO_REPLY); 173 } 174 175 /* 176 * SMB2 Negotiate gets special handling. This is called directly by 177 * the reader thread (see smbsr_newrq_initial) with what _should_ be 178 * an SMB2 Negotiate. Only the "\feSMB" header has been checked 179 * when this is called, so this needs to check the SMB command, 180 * if it's Negotiate execute it, then send the reply, etc. 181 * 182 * Since this is called directly from the reader thread, we 183 * know this is the only thread currently using this session. 184 * This has to duplicate some of what smb2sr_work does as a 185 * result of bypassing the normal dispatch mechanism. 186 * 187 * The caller always frees this request. 188 * 189 * Return value is 0 for success, and anything else will 190 * terminate the reader thread (drop the connection). 191 */ 192 int 193 smb2_newrq_negotiate(smb_request_t *sr) 194 { 195 smb_session_t *s = sr->session; 196 int i, rc; 197 uint16_t struct_size; 198 uint16_t best_version; 199 uint16_t version_cnt; 200 uint16_t cl_versions[8]; 201 202 sr->smb2_cmd_hdr = sr->command.chain_offset; 203 rc = smb2_decode_header(sr); 204 if (rc != 0) 205 return (rc); 206 207 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) || 208 (sr->smb2_next_command != 0)) 209 return (-1); 210 211 /* 212 * Decode SMB2 Negotiate (fixed-size part) 213 */ 214 rc = smb_mbc_decodef( 215 &sr->command, "www..l16.8.", 216 &struct_size, /* w */ 217 &version_cnt, /* w */ 218 &s->secmode, /* w */ 219 /* reserved (..) */ 220 &s->capabilities); /* l */ 221 /* clnt_uuid 16. */ 222 /* start_time 8. */ 223 if (rc != 0) 224 return (rc); 225 if (struct_size != 36 || version_cnt > 8) 226 return (-1); 227 228 /* 229 * Decode SMB2 Negotiate (variable part) 230 */ 231 rc = smb_mbc_decodef(&sr->command, 232 "#w", version_cnt, cl_versions); 233 if (rc != 0) 234 return (rc); 235 236 DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr); 237 238 /* 239 * The client offers an array of protocol versions it 240 * supports, which we have decoded into cl_versions[]. 241 * We walk the array and pick the highest supported. 242 */ 243 best_version = 0; 244 for (i = 0; i < version_cnt; i++) 245 if (smb2_supported_version(s, cl_versions[i]) && 246 best_version < cl_versions[i]) 247 best_version = cl_versions[i]; 248 if (best_version == 0) 249 return (SDRC_DROP_VC); 250 s->dialect = best_version; 251 252 /* Allow normal SMB2 requests now. */ 253 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 254 s->newrq_func = smb2sr_newrq; 255 256 rc = smb2_negotiate_common(sr, best_version); 257 258 /* sr->smb2_status was set */ 259 DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr); 260 261 smb2_send_reply(sr); 262 263 return (rc); 264 } 265 266 /* 267 * Common parts of SMB2 Negotiate, used for both the 268 * SMB1-to-SMB2 style, and straight SMB2 style. 269 * Do negotiation decisions and encode the reply. 270 * The caller does the network send. 271 * 272 * Return value is 0 for success, and anything else will 273 * terminate the reader thread (drop the connection). 274 */ 275 static int 276 smb2_negotiate_common(smb_request_t *sr, uint16_t version) 277 { 278 timestruc_t boot_tv, now_tv; 279 smb_session_t *s = sr->session; 280 int rc; 281 uint32_t max_rwsize; 282 uint16_t secmode; 283 284 sr->smb2_status = 0; 285 286 /* 287 * Negotiation itself. First the Security Mode. 288 * The caller stashed the client's secmode in s->secmode, 289 * which we validate, and then replace with the server's 290 * secmode, which is all we care about after this. 291 */ 292 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 293 if (sr->sr_cfg->skc_signing_required) { 294 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 295 /* Make sure client at least enables signing. */ 296 if ((s->secmode & secmode) == 0) { 297 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 298 } 299 } 300 s->secmode = secmode; 301 302 s->cmd_max_bytes = smb2_tcp_bufsize; 303 s->reply_max_bytes = smb2_tcp_bufsize; 304 305 /* 306 * "The number of credits held by the client MUST be considered 307 * as 1 when the connection is established." [MS-SMB2] 308 * We leave credits at 1 until the first successful 309 * session setup is completed. 310 */ 311 s->s_cur_credits = s->s_max_credits = 1; 312 sr->smb2_credit_response = 1; 313 314 boot_tv.tv_sec = smb_get_boottime(); 315 boot_tv.tv_nsec = 0; 316 now_tv.tv_sec = gethrestime_sec(); 317 now_tv.tv_nsec = 0; 318 319 /* 320 * SMB2 negotiate reply 321 */ 322 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR; 323 (void) smb2_encode_header(sr, B_FALSE); 324 if (sr->smb2_status != 0) { 325 smb2sr_put_error(sr, sr->smb2_status); 326 /* smb2_send_reply(sr); in caller */ 327 return (-1); /* will drop */ 328 } 329 330 /* 331 * If the version is 0x2FF, we haven't completed negotiate. 332 * Don't initialize until we have our final request. 333 */ 334 if (version != 0x2FF) 335 smb2_sign_init_mech(s); 336 337 /* 338 * See notes above smb2_max_rwsize, smb2_old_rwsize 339 */ 340 if (s->capabilities & SMB2_CAP_LARGE_MTU) 341 max_rwsize = smb2_max_rwsize; 342 else 343 max_rwsize = smb2_old_rwsize; 344 345 rc = smb_mbc_encodef( 346 &sr->reply, 347 "wwww#cllllTTwwl#c", 348 65, /* StructSize */ /* w */ 349 s->secmode, /* w */ 350 version, /* w */ 351 0, /* reserved */ /* w */ 352 UUID_LEN, /* # */ 353 &s->s_cfg.skc_machine_uuid, /* c */ 354 smb2srv_capabilities, /* l */ 355 smb2_max_trans, /* l */ 356 max_rwsize, /* l */ 357 max_rwsize, /* l */ 358 &now_tv, /* T */ 359 &boot_tv, /* T */ 360 128, /* SecBufOff */ /* w */ 361 sr->sr_cfg->skc_negtok_len, /* w */ 362 0, /* reserved */ /* l */ 363 sr->sr_cfg->skc_negtok_len, /* # */ 364 sr->sr_cfg->skc_negtok); /* c */ 365 366 /* smb2_send_reply(sr); in caller */ 367 368 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 369 SO_SNDBUF, (const void *)&smb2_tcp_bufsize, 370 sizeof (smb2_tcp_bufsize), CRED()); 371 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 372 SO_RCVBUF, (const void *)&smb2_tcp_bufsize, 373 sizeof (smb2_tcp_bufsize), CRED()); 374 375 return (rc); 376 } 377 378 /* 379 * SMB2 Dispatch table handler, which will run if we see an 380 * SMB2_NEGOTIATE after the initial negotiation is done. 381 * That would be a protocol error. 382 */ 383 smb_sdrc_t 384 smb2_negotiate(smb_request_t *sr) 385 { 386 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 387 return (SDRC_ERROR); 388 } 389 390 /* 391 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6 392 */ 393 uint32_t 394 smb2_fsctl_vneginfo(smb_request_t *sr, smb_fsctl_t *fsctl) 395 { 396 smb_session_t *s = sr->session; 397 int rc; 398 399 /* 400 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here 401 * and verify that the original negotiate was not modified. 402 * The only tampering we need worry about is secmode, and 403 * we're not taking that from the client, so don't bother. 404 * 405 * One interesting requirement here is that we MUST reply 406 * with exactly the same information as we returned in our 407 * original reply to the SMB2 negotiate on this session. 408 * If we don't the client closes the connection. 409 */ 410 411 rc = smb_mbc_encodef( 412 fsctl->out_mbc, "l#cww", 413 smb2srv_capabilities, /* l */ 414 UUID_LEN, /* # */ 415 &s->s_cfg.skc_machine_uuid, /* c */ 416 s->secmode, /* w */ 417 s->dialect); /* w */ 418 if (rc) 419 return (NT_STATUS_INTERNAL_ERROR); 420 421 return (0); 422 } 423