xref: /illumos-gate/usr/src/uts/common/fs/smbsrv/smb2_negotiate.c (revision 94047d49916b669576decf2f622a1ee718646882) 
1 /*
2  * This file and its contents are supplied under the terms of the
3  * Common Development and Distribution License ("CDDL"), version 1.0.
4  * You may only use this file in accordance with the terms of version
5  * 1.0 of the CDDL.
6  *
7  * A full copy of the text of the CDDL should have accompanied this
8  * source.  A copy of the CDDL is also available via the Internet at
9  * http://www.illumos.org/license/CDDL.
10  */
11 
12 /*
13  * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
14  */
15 
16 /*
17  * Dispatch function for SMB2_NEGOTIATE
18  */
19 
20 #include <smbsrv/smb2_kproto.h>
21 #include <smbsrv/smb2.h>
22 
23 static int smb2_negotiate_common(smb_request_t *, uint16_t);
24 
25 uint32_t smb2srv_capabilities =
26 	SMB2_CAP_DFS |
27 	SMB2_CAP_LEASING |
28 	SMB2_CAP_LARGE_MTU;
29 
30 /*
31  * These are not intended as customer tunables, but dev. & test folks
32  * might want to adjust them (with caution).
33  *
34  * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket
35  * with setsockopt SO_SNDBUF, SO_RCVBUF.  These set the TCP window size.
36  * This is also used as a "sanity limit" for internal send/reply message
37  * allocations.  Note that with compounding SMB2 messages may contain
38  * multiple requests/responses.  This size should be large enough for
39  * at least a few SMB2 requests, and at least 2X smb2_max_rwsize.
40  *
41  * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell
42  * the client the largest read and write request size we'll support.
43  * For now, we're using contiguous allocations, so keep this at 64KB
44  * so that (even with message overhead) allocations stay below 128KB,
45  * avoiding kmem_alloc -> page_create_va thrashing.
46  *
47  * smb2_max_trans is the largest "transact" send or receive, which is
48  * used for directory listings and info set/get operations.
49  */
50 uint32_t smb2_tcp_bufsize = (1<<22);	/* 4MB */
51 uint32_t smb2_max_rwsize = (1<<16);	/* 64KB */
52 uint32_t smb2_max_trans  = (1<<16);	/* 64KB */
53 
54 /*
55  * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU
56  * (including all clients using dialect < SMB 2.1), use a "conservative" value
57  * for max r/w size because some older clients misbehave with larger values.
58  * 64KB is recommended in the [MS-SMB2] spec.  (3.3.5.3.1 SMB 2.1 or SMB 3.x
59  * Support) as the minimum so we'll use that.
60  */
61 uint32_t smb2_old_rwsize = (1<<16);	/* 64KB */
62 
63 /*
64  * List of all SMB2 versions we implement.  Note that the
65  * highest version we support may be limited by the
66  * _cfg.skc_max_protocol setting.
67  */
68 static uint16_t smb2_versions[] = {
69 	0x202,	/* SMB 2.002 */
70 	0x210,	/* SMB 2.1 */
71 	0x300,	/* SMB 3.0 */
72 };
73 static uint16_t smb2_nversions =
74     sizeof (smb2_versions) / sizeof (smb2_versions[0]);
75 
76 static boolean_t
77 smb2_supported_version(smb_session_t *s, uint16_t version)
78 {
79 	int i;
80 
81 	if (version > s->s_cfg.skc_max_protocol)
82 		return (B_FALSE);
83 	for (i = 0; i < smb2_nversions; i++)
84 		if (version == smb2_versions[i])
85 			return (B_TRUE);
86 	return (B_FALSE);
87 }
88 
89 /*
90  * Helper for the (SMB1) smb_com_negotiate().  This is the
91  * very unusual protocol interaction where an SMB1 negotiate
92  * gets an SMB2 negotiate response.  This is the normal way
93  * clients first find out if the server supports SMB2.
94  *
95  * Note: This sends an SMB2 reply _itself_ and then returns
96  * SDRC_NO_REPLY so the caller will not send an SMB1 reply.
97  * Also, this is called directly from the reader thread, so
98  * we know this is the only thread using this session.
99  *
100  * The caller frees this request.
101  */
102 smb_sdrc_t
103 smb1_negotiate_smb2(smb_request_t *sr)
104 {
105 	smb_session_t *s = sr->session;
106 	smb_arg_negotiate_t *negprot = sr->sr_negprot;
107 	uint16_t smb2_version;
108 	uint16_t secmode2;
109 	int rc;
110 
111 	/*
112 	 * Note: In the SMB1 negotiate command handler, we
113 	 * agreed with one of the SMB2 dialects.  If that
114 	 * dialect was "SMB 2.002", we'll respond here with
115 	 * version 0x202 and negotiation is done.  If that
116 	 * dialect was "SMB 2.???", we'll respond here with
117 	 * the "wildcard" version 0x2FF, and the client will
118 	 * come back with an SMB2 negotiate.
119 	 */
120 	switch (negprot->ni_dialect) {
121 	case DIALECT_SMB2002:	/* SMB 2.002 (a.k.a. SMB2.0) */
122 		smb2_version = 0x202;
123 		s->dialect = smb2_version;
124 		s->s_state = SMB_SESSION_STATE_NEGOTIATED;
125 		/* Allow normal SMB2 requests now. */
126 		s->newrq_func = smb2sr_newrq;
127 
128 		/*
129 		 * Translate SMB1 sec. mode to SMB2.
130 		 */
131 		secmode2 = 0;
132 		if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)
133 			secmode2 |= SMB2_NEGOTIATE_SIGNING_ENABLED;
134 		if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)
135 			secmode2 |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
136 		s->secmode = secmode2;
137 		break;
138 	case DIALECT_SMB2XXX:	/* SMB 2.??? (wildcard vers) */
139 		/*
140 		 * Expecting an SMB2 negotiate next, so keep the
141 		 * initial s->newrq_func.  Note that secmode is
142 		 * fiction good enough to pass the signing check
143 		 * in smb2_negotiate_common().  We'll check the
144 		 * real secmode when the 2nd negotiate comes.
145 		 */
146 		smb2_version = 0x2FF;
147 		s->secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
148 		break;
149 	default:
150 		return (SDRC_DROP_VC);
151 	}
152 
153 	/*
154 	 * We did not decode an SMB2 header, so make sure
155 	 * the SMB2 header fields are initialized.
156 	 * (Most are zero from smb_request_alloc.)
157 	 * Also, the SMB1 common dispatch code reserved space
158 	 * for an SMB1 header, which we need to undo here.
159 	 */
160 	sr->smb2_reply_hdr = sr->reply.chain_offset = 0;
161 	sr->smb2_cmd_code = SMB2_NEGOTIATE;
162 
163 	rc = smb2_negotiate_common(sr, smb2_version);
164 	smb2_send_reply(sr);
165 	if (rc != 0)
166 		return (SDRC_DROP_VC);
167 
168 	/*
169 	 * We sent the reply, so tell the SMB1 dispatch
170 	 * it should NOT (also) send a reply.
171 	 */
172 	return (SDRC_NO_REPLY);
173 }
174 
175 /*
176  * SMB2 Negotiate gets special handling.  This is called directly by
177  * the reader thread (see smbsr_newrq_initial) with what _should_ be
178  * an SMB2 Negotiate.  Only the "\feSMB" header has been checked
179  * when this is called, so this needs to check the SMB command,
180  * if it's Negotiate execute it, then send the reply, etc.
181  *
182  * Since this is called directly from the reader thread, we
183  * know this is the only thread currently using this session.
184  * This has to duplicate some of what smb2sr_work does as a
185  * result of bypassing the normal dispatch mechanism.
186  *
187  * The caller always frees this request.
188  *
189  * Return value is 0 for success, and anything else will
190  * terminate the reader thread (drop the connection).
191  */
192 int
193 smb2_newrq_negotiate(smb_request_t *sr)
194 {
195 	smb_session_t *s = sr->session;
196 	int i, rc;
197 	uint16_t struct_size;
198 	uint16_t best_version;
199 	uint16_t version_cnt;
200 	uint16_t cl_versions[8];
201 
202 	sr->smb2_cmd_hdr = sr->command.chain_offset;
203 	rc = smb2_decode_header(sr);
204 	if (rc != 0)
205 		return (rc);
206 
207 	if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) ||
208 	    (sr->smb2_next_command != 0))
209 		return (-1);
210 
211 	/*
212 	 * Decode SMB2 Negotiate (fixed-size part)
213 	 */
214 	rc = smb_mbc_decodef(
215 	    &sr->command, "www..l16.8.",
216 	    &struct_size,	/* w */
217 	    &version_cnt,	/* w */
218 	    &s->secmode,	/* w */
219 	    /* reserved		(..) */
220 	    &s->capabilities);	/* l */
221 	    /* clnt_uuid	 16. */
222 	    /* start_time	  8. */
223 	if (rc != 0)
224 		return (rc);
225 	if (struct_size != 36 || version_cnt > 8)
226 		return (-1);
227 
228 	/*
229 	 * Decode SMB2 Negotiate (variable part)
230 	 */
231 	rc = smb_mbc_decodef(&sr->command,
232 	    "#w", version_cnt, cl_versions);
233 	if (rc != 0)
234 		return (rc);
235 
236 	DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr);
237 
238 	/*
239 	 * The client offers an array of protocol versions it
240 	 * supports, which we have decoded into cl_versions[].
241 	 * We walk the array and pick the highest supported.
242 	 */
243 	best_version = 0;
244 	for (i = 0; i < version_cnt; i++)
245 		if (smb2_supported_version(s, cl_versions[i]) &&
246 		    best_version < cl_versions[i])
247 			best_version = cl_versions[i];
248 	if (best_version == 0)
249 		return (SDRC_DROP_VC);
250 	s->dialect = best_version;
251 
252 	/* Allow normal SMB2 requests now. */
253 	s->s_state = SMB_SESSION_STATE_NEGOTIATED;
254 	s->newrq_func = smb2sr_newrq;
255 
256 	rc = smb2_negotiate_common(sr, best_version);
257 
258 	/* sr->smb2_status was set */
259 	DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr);
260 
261 	smb2_send_reply(sr);
262 
263 	return (rc);
264 }
265 
266 /*
267  * Common parts of SMB2 Negotiate, used for both the
268  * SMB1-to-SMB2 style, and straight SMB2 style.
269  * Do negotiation decisions and encode the reply.
270  * The caller does the network send.
271  *
272  * Return value is 0 for success, and anything else will
273  * terminate the reader thread (drop the connection).
274  */
275 static int
276 smb2_negotiate_common(smb_request_t *sr, uint16_t version)
277 {
278 	timestruc_t boot_tv, now_tv;
279 	smb_session_t *s = sr->session;
280 	int rc;
281 	uint32_t max_rwsize;
282 	uint16_t secmode;
283 
284 	sr->smb2_status = 0;
285 
286 	/*
287 	 * Negotiation itself.  First the Security Mode.
288 	 * The caller stashed the client's secmode in s->secmode,
289 	 * which we validate, and then replace with the server's
290 	 * secmode, which is all we care about after this.
291 	 */
292 	secmode = SMB2_NEGOTIATE_SIGNING_ENABLED;
293 	if (sr->sr_cfg->skc_signing_required) {
294 		secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
295 		/* Make sure client at least enables signing. */
296 		if ((s->secmode & secmode) == 0) {
297 			sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
298 		}
299 	}
300 	s->secmode = secmode;
301 
302 	s->cmd_max_bytes = smb2_tcp_bufsize;
303 	s->reply_max_bytes = smb2_tcp_bufsize;
304 
305 	/*
306 	 * "The number of credits held by the client MUST be considered
307 	 * as 1 when the connection is established." [MS-SMB2]
308 	 * We leave credits at 1 until the first successful
309 	 * session setup is completed.
310 	 */
311 	s->s_cur_credits = s->s_max_credits = 1;
312 	sr->smb2_credit_response = 1;
313 
314 	boot_tv.tv_sec = smb_get_boottime();
315 	boot_tv.tv_nsec = 0;
316 	now_tv.tv_sec = gethrestime_sec();
317 	now_tv.tv_nsec = 0;
318 
319 	/*
320 	 * SMB2 negotiate reply
321 	 */
322 	sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR;
323 	(void) smb2_encode_header(sr, B_FALSE);
324 	if (sr->smb2_status != 0) {
325 		smb2sr_put_error(sr, sr->smb2_status);
326 		/* smb2_send_reply(sr); in caller */
327 		return (-1); /* will drop */
328 	}
329 
330 	/*
331 	 * If the version is 0x2FF, we haven't completed negotiate.
332 	 * Don't initialize until we have our final request.
333 	 */
334 	if (version != 0x2FF)
335 		smb2_sign_init_mech(s);
336 
337 	/*
338 	 * See notes above smb2_max_rwsize, smb2_old_rwsize
339 	 */
340 	if (s->capabilities & SMB2_CAP_LARGE_MTU)
341 		max_rwsize = smb2_max_rwsize;
342 	else
343 		max_rwsize = smb2_old_rwsize;
344 
345 	rc = smb_mbc_encodef(
346 	    &sr->reply,
347 	    "wwww#cllllTTwwl#c",
348 	    65,	/* StructSize */	/* w */
349 	    s->secmode,			/* w */
350 	    version,			/* w */
351 	    0, /* reserved */		/* w */
352 	    UUID_LEN,			/* # */
353 	    &s->s_cfg.skc_machine_uuid, /* c */
354 	    smb2srv_capabilities,	/* l */
355 	    smb2_max_trans,		/* l */
356 	    max_rwsize,			/* l */
357 	    max_rwsize,			/* l */
358 	    &now_tv,			/* T */
359 	    &boot_tv,			/* T */
360 	    128, /* SecBufOff */	/* w */
361 	    sr->sr_cfg->skc_negtok_len,	/* w */
362 	    0,	/* reserved */		/* l */
363 	    sr->sr_cfg->skc_negtok_len,	/* # */
364 	    sr->sr_cfg->skc_negtok);	/* c */
365 
366 	/* smb2_send_reply(sr); in caller */
367 
368 	(void) ksocket_setsockopt(s->sock, SOL_SOCKET,
369 	    SO_SNDBUF, (const void *)&smb2_tcp_bufsize,
370 	    sizeof (smb2_tcp_bufsize), CRED());
371 	(void) ksocket_setsockopt(s->sock, SOL_SOCKET,
372 	    SO_RCVBUF, (const void *)&smb2_tcp_bufsize,
373 	    sizeof (smb2_tcp_bufsize), CRED());
374 
375 	return (rc);
376 }
377 
378 /*
379  * SMB2 Dispatch table handler, which will run if we see an
380  * SMB2_NEGOTIATE after the initial negotiation is done.
381  * That would be a protocol error.
382  */
383 smb_sdrc_t
384 smb2_negotiate(smb_request_t *sr)
385 {
386 	sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
387 	return (SDRC_ERROR);
388 }
389 
390 /*
391  * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6
392  */
393 uint32_t
394 smb2_fsctl_vneginfo(smb_request_t *sr, smb_fsctl_t *fsctl)
395 {
396 	smb_session_t *s = sr->session;
397 	int rc;
398 
399 	/*
400 	 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here
401 	 * and verify that the original negotiate was not modified.
402 	 * The only tampering we need worry about is secmode, and
403 	 * we're not taking that from the client, so don't bother.
404 	 *
405 	 * One interesting requirement here is that we MUST reply
406 	 * with exactly the same information as we returned in our
407 	 * original reply to the SMB2 negotiate on this session.
408 	 * If we don't the client closes the connection.
409 	 */
410 
411 	rc = smb_mbc_encodef(
412 	    fsctl->out_mbc, "l#cww",
413 	    smb2srv_capabilities,	/* l */
414 	    UUID_LEN,			/* # */
415 	    &s->s_cfg.skc_machine_uuid, /* c */
416 	    s->secmode,			/* w */
417 	    s->dialect);		/* w */
418 	if (rc)
419 		return (NT_STATUS_INTERNAL_ERROR);
420 
421 	return (0);
422 }
423