1 /* 2 * This file and its contents are supplied under the terms of the 3 * Common Development and Distribution License ("CDDL"), version 1.0. 4 * You may only use this file in accordance with the terms of version 5 * 1.0 of the CDDL. 6 * 7 * A full copy of the text of the CDDL should have accompanied this 8 * source. A copy of the CDDL is also available via the Internet at 9 * http://www.illumos.org/license/CDDL. 10 */ 11 12 /* 13 * Copyright 2019 Nexenta Systems, Inc. All rights reserved. 14 * Copyright 2020 RackTop Systems, Inc. 15 */ 16 17 18 #include <smbsrv/smb2_kproto.h> 19 #include <smbsrv/smb_kstat.h> 20 #include <smbsrv/smb2.h> 21 22 #define SMB2_ASYNCID(sr) (sr->smb2_messageid ^ (1ULL << 62)) 23 24 smb_sdrc_t smb2_invalid_cmd(smb_request_t *); 25 static void smb2_tq_work(void *); 26 static void smb2sr_run_postwork(smb_request_t *); 27 static int smb3_decrypt_msg(smb_request_t *); 28 29 static const smb_disp_entry_t 30 smb2_disp_table[SMB2__NCMDS] = { 31 32 /* text-name, pre, func, post, cmd-code, dialect, flags */ 33 34 { "smb2_negotiate", NULL, 35 smb2_negotiate, NULL, 0, 0, 36 SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID }, 37 38 { "smb2_session_setup", NULL, 39 smb2_session_setup, NULL, 0, 0, 40 SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID }, 41 42 { "smb2_logoff", NULL, 43 smb2_logoff, NULL, 0, 0, 44 SDDF_SUPPRESS_TID }, 45 46 { "smb2_tree_connect", NULL, 47 smb2_tree_connect, NULL, 0, 0, 48 SDDF_SUPPRESS_TID }, 49 50 { "smb2_tree_disconn", NULL, 51 smb2_tree_disconn, NULL, 0, 0 }, 52 53 { "smb2_create", NULL, 54 smb2_create, NULL, 0, 0 }, 55 56 { "smb2_close", NULL, 57 smb2_close, NULL, 0, 0 }, 58 59 { "smb2_flush", NULL, 60 smb2_flush, NULL, 0, 0 }, 61 62 { "smb2_read", NULL, 63 smb2_read, NULL, 0, 0 }, 64 65 { "smb2_write", NULL, 66 smb2_write, NULL, 0, 0 }, 67 68 { "smb2_lock", NULL, 69 smb2_lock, NULL, 0, 0 }, 70 71 { "smb2_ioctl", NULL, 72 smb2_ioctl, NULL, 0, 0 }, 73 74 { "smb2_cancel", NULL, 75 smb2_cancel, NULL, 0, 0, 76 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID }, 77 78 { "smb2_echo", NULL, 79 smb2_echo, NULL, 0, 0, 80 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID }, 81 82 { "smb2_query_dir", NULL, 83 smb2_query_dir, NULL, 0, 0 }, 84 85 { "smb2_change_notify", NULL, 86 smb2_change_notify, NULL, 0, 0 }, 87 88 { "smb2_query_info", NULL, 89 smb2_query_info, NULL, 0, 0 }, 90 91 { "smb2_set_info", NULL, 92 smb2_set_info, NULL, 0, 0 }, 93 94 { "smb2_oplock_break_ack", NULL, 95 smb2_oplock_break_ack, NULL, 0, 0 }, 96 97 { "smb2_invalid_cmd", NULL, 98 smb2_invalid_cmd, NULL, 0, 0, 99 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID }, 100 }; 101 102 smb_sdrc_t 103 smb2_invalid_cmd(smb_request_t *sr) 104 { 105 #ifdef DEBUG 106 cmn_err(CE_NOTE, "clnt %s bad SMB2 cmd code", 107 sr->session->ip_addr_str); 108 #endif 109 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 110 return (SDRC_DROP_VC); 111 } 112 113 /* 114 * This is the SMB2 handler for new smb requests, called from 115 * smb_session_reader after SMB negotiate is done. For most SMB2 116 * requests, we just enqueue them for the smb_session_worker to 117 * execute via the task queue, so they can block for resources 118 * without stopping the reader thread. A few protocol messages 119 * are special cases and are handled directly here in the reader 120 * thread so they don't wait for taskq scheduling. 121 * 122 * This function must either enqueue the new request for 123 * execution via the task queue, or execute it directly 124 * and then free it. If this returns non-zero, the caller 125 * will drop the session. 126 */ 127 int 128 smb2sr_newrq(smb_request_t *sr) 129 { 130 struct mbuf_chain *mbc = &sr->command; 131 uint32_t magic; 132 int rc, skip; 133 134 if (smb_mbc_peek(mbc, 0, "l", &magic) != 0) 135 goto drop; 136 137 /* 0xFD S M B */ 138 if (magic == SMB3_ENCRYPTED_MAGIC) { 139 if (smb3_decrypt_msg(sr) != 0) 140 goto drop; 141 /* 142 * Should now be looking at an un-encrypted 143 * SMB2 message header. 144 */ 145 if (smb_mbc_peek(mbc, 0, "l", &magic) != 0) 146 goto drop; 147 } 148 149 if (magic != SMB2_PROTOCOL_MAGIC) 150 goto drop; 151 152 /* 153 * Walk the SMB2 commands in this compound message and 154 * keep track of the range of message IDs it uses. 155 */ 156 for (;;) { 157 if (smb2_decode_header(sr) != 0) 158 goto drop; 159 160 /* 161 * Cancel requests are special: They refer to 162 * an earlier message ID (or an async. ID), 163 * never a new ID, and are never compounded. 164 * This is intentionally not "goto drop" 165 * because rc may be zero (success). 166 */ 167 if (sr->smb2_cmd_code == SMB2_CANCEL) { 168 rc = smb2_newrq_cancel(sr); 169 smb_request_free(sr); 170 return (rc); 171 } 172 173 /* 174 * Keep track of the total credits in this compound 175 * and the first (real) message ID (not: 0, -1) 176 * While we're looking, verify that all (real) IDs 177 * are (first <= ID < (first + msg_credits)) 178 */ 179 if (sr->smb2_credit_charge == 0) 180 sr->smb2_credit_charge = 1; 181 sr->smb2_total_credits += sr->smb2_credit_charge; 182 183 if (sr->smb2_messageid != 0 && 184 sr->smb2_messageid != UINT64_MAX) { 185 186 if (sr->smb2_first_msgid == 0) 187 sr->smb2_first_msgid = sr->smb2_messageid; 188 189 if (sr->smb2_messageid < sr->smb2_first_msgid || 190 sr->smb2_messageid >= (sr->smb2_first_msgid + 191 sr->smb2_total_credits)) { 192 long long id = (long long) sr->smb2_messageid; 193 cmn_err(CE_WARN, "clnt %s msg ID 0x%llx " 194 "out of sequence in compound", 195 sr->session->ip_addr_str, id); 196 } 197 } 198 199 /* Normal loop exit on next == zero */ 200 if (sr->smb2_next_command == 0) 201 break; 202 203 /* Abundance of caution... */ 204 if (sr->smb2_next_command < SMB2_HDR_SIZE) 205 goto drop; 206 207 /* Advance to the next header. */ 208 skip = sr->smb2_next_command - SMB2_HDR_SIZE; 209 if (MBC_ROOM_FOR(mbc, skip) == 0) 210 goto drop; 211 mbc->chain_offset += skip; 212 } 213 /* Rewind back to the top. */ 214 mbc->chain_offset = 0; 215 216 /* 217 * Submit the request to the task queue, which calls 218 * smb2_tq_work when the workload permits. 219 */ 220 sr->sr_time_submitted = gethrtime(); 221 sr->sr_state = SMB_REQ_STATE_SUBMITTED; 222 smb_srqueue_waitq_enter(sr->session->s_srqueue); 223 (void) taskq_dispatch(sr->sr_server->sv_worker_pool, 224 smb2_tq_work, sr, TQ_SLEEP); 225 return (0); 226 227 drop: 228 smb_request_free(sr); 229 return (-1); 230 } 231 232 static void 233 smb2_tq_work(void *arg) 234 { 235 smb_request_t *sr; 236 smb_srqueue_t *srq; 237 238 sr = (smb_request_t *)arg; 239 SMB_REQ_VALID(sr); 240 241 srq = sr->session->s_srqueue; 242 smb_srqueue_waitq_to_runq(srq); 243 sr->sr_worker = curthread; 244 sr->sr_time_active = gethrtime(); 245 246 /* 247 * Always dispatch to the work function, because cancelled 248 * requests need an error reply (NT_STATUS_CANCELLED). 249 */ 250 mutex_enter(&sr->sr_mutex); 251 if (sr->sr_state == SMB_REQ_STATE_SUBMITTED) 252 sr->sr_state = SMB_REQ_STATE_ACTIVE; 253 mutex_exit(&sr->sr_mutex); 254 255 smb2sr_work(sr); 256 257 smb_srqueue_runq_exit(srq); 258 } 259 260 static int 261 smb3_decrypt_msg(smb_request_t *sr) 262 { 263 int save_offset; 264 265 if (sr->session->dialect < SMB_VERS_3_0) { 266 cmn_err(CE_WARN, "encrypted message in SMB 2.x"); 267 return (-1); 268 } 269 270 sr->encrypted = B_TRUE; 271 save_offset = sr->command.chain_offset; 272 if (smb3_decode_tform_header(sr) != 0) { 273 cmn_err(CE_WARN, "bad transform header"); 274 return (-1); 275 } 276 sr->command.chain_offset = save_offset; 277 278 sr->tform_ssn = smb_session_lookup_ssnid(sr->session, 279 sr->smb3_tform_ssnid); 280 if (sr->tform_ssn == NULL) { 281 cmn_err(CE_WARN, "transform header: session not found"); 282 return (-1); 283 } 284 285 if (smb3_decrypt_sr(sr) != 0) { 286 cmn_err(CE_WARN, "smb3 decryption failed"); 287 return (-1); 288 } 289 290 return (0); 291 } 292 293 /* 294 * SMB2 credits determine how many simultaneous commands the 295 * client may issue, and bounds the range of message IDs those 296 * commands may use. With multi-credit support, commands may 297 * use ranges of message IDs, where the credits used by each 298 * command are proportional to their data transfer size. 299 * 300 * Every command may request an increase or decrease of 301 * the currently granted credits, based on the difference 302 * between the credit request and the credit charge. 303 * [MS-SMB2] 3.3.1.2 Algorithm for the Granting of Credits 304 * 305 * Most commands have credit_request=1, credit_charge=1, 306 * which keeps the credit grant unchanged. 307 * 308 * All we're really doing here (for now) is reducing the 309 * credit_response if the client requests a credit increase 310 * that would take their credit over the maximum, and 311 * limiting the decrease so they don't run out of credits. 312 * 313 * Later, this could do something dynamic based on load. 314 * 315 * One other non-obvious bit about credits: We keep the 316 * session s_max_credits low until the 1st authentication, 317 * at which point we'll set the normal maximum_credits. 318 * Some clients ask for more credits with session setup, 319 * and we need to handle that requested increase _after_ 320 * the command-specific handler returns so it won't be 321 * restricted to the lower (pre-auth) limit. 322 */ 323 static inline void 324 smb2_credit_decrease(smb_request_t *sr) 325 { 326 smb_session_t *session = sr->session; 327 uint16_t cur, d; 328 329 ASSERT3U(sr->smb2_credit_request, <, sr->smb2_credit_charge); 330 331 mutex_enter(&session->s_credits_mutex); 332 cur = session->s_cur_credits; 333 ASSERT(cur > 0); 334 335 /* Handle credit decrease. */ 336 d = sr->smb2_credit_charge - sr->smb2_credit_request; 337 338 /* 339 * Prevent underflow of current credits, and 340 * enforce a minimum of one credit, per: 341 * [MS-SMB2] 3.3.1.2 342 */ 343 if (d >= cur) { 344 /* 345 * Tried to give up more credits than we should. 346 * Reduce the decrement. 347 */ 348 d = cur - 1; 349 cur = 1; 350 DTRACE_PROBE1(smb2__credit__neg, smb_request_t *, sr); 351 } else { 352 cur -= d; 353 } 354 355 ASSERT3U(d, <=, sr->smb2_credit_charge); 356 sr->smb2_credit_response = sr->smb2_credit_charge - d; 357 358 DTRACE_PROBE3(smb2__credit__decrease, 359 smb_request_t *, sr, int, (int)cur, 360 int, (int)session->s_cur_credits); 361 362 session->s_cur_credits = cur; 363 mutex_exit(&session->s_credits_mutex); 364 } 365 366 /* 367 * Second half of SMB2 credit handling (increases) 368 */ 369 static inline void 370 smb2_credit_increase(smb_request_t *sr) 371 { 372 smb_session_t *session = sr->session; 373 uint16_t cur, d; 374 375 ASSERT3U(sr->smb2_credit_request, >, sr->smb2_credit_charge); 376 377 mutex_enter(&session->s_credits_mutex); 378 cur = session->s_cur_credits; 379 380 /* Handle credit increase. */ 381 d = sr->smb2_credit_request - sr->smb2_credit_charge; 382 383 /* 384 * If new credits would be above max, 385 * reduce the credit grant. 386 */ 387 if (d > (session->s_max_credits - cur)) { 388 d = session->s_max_credits - cur; 389 cur = session->s_max_credits; 390 DTRACE_PROBE1(smb2__credit__max, smb_request_t *, sr); 391 } else { 392 cur += d; 393 } 394 sr->smb2_credit_response = sr->smb2_credit_charge + d; 395 396 DTRACE_PROBE3(smb2__credit__increase, 397 smb_request_t *, sr, int, (int)cur, 398 int, (int)session->s_cur_credits); 399 400 session->s_cur_credits = cur; 401 mutex_exit(&session->s_credits_mutex); 402 } 403 404 /* 405 * Record some statistics: latency, rx bytes, tx bytes 406 * per: server, session & kshare. 407 */ 408 static inline void 409 smb2_record_stats(smb_request_t *sr, smb_disp_stats_t *sds, boolean_t tx_only) 410 { 411 hrtime_t dt; 412 int64_t rxb; 413 int64_t txb; 414 415 dt = gethrtime() - sr->sr_time_start; 416 rxb = (int64_t)(sr->command.chain_offset - sr->smb2_cmd_hdr); 417 txb = (int64_t)(sr->reply.chain_offset - sr->smb2_reply_hdr); 418 419 if (!tx_only) { 420 smb_server_inc_req(sr->sr_server); 421 smb_latency_add_sample(&sds->sdt_lat, dt); 422 atomic_add_64(&sds->sdt_rxb, rxb); 423 } 424 atomic_add_64(&sds->sdt_txb, txb); 425 } 426 427 /* 428 * smb2sr_work 429 * 430 * This function processes each SMB command in the current request 431 * (which may be a compound request) building a reply containing 432 * SMB reply messages, one-to-one with the SMB commands. Some SMB 433 * commands (change notify, blocking locks) may require both an 434 * "interim response" and a later "async response" at completion. 435 * In such cases, we'll encode the interim response in the reply 436 * compound we're building, and put the (now async) command on a 437 * list of commands that need further processing. After we've 438 * finished processing the commands in this compound and building 439 * the compound reply, we'll send the compound reply, and finally 440 * process the list of async commands. 441 * 442 * As we work our way through the compound request and reply, 443 * we need to keep track of the bounds of the current request 444 * and reply. For the request, this uses an MBC_SHADOW_CHAIN 445 * that begins at smb2_cmd_hdr. The reply is appended to the 446 * sr->reply chain starting at smb2_reply_hdr. 447 * 448 * This function must always free the smb request, or arrange 449 * for it to be completed and free'd later (if SDRC_SR_KEPT). 450 */ 451 void 452 smb2sr_work(struct smb_request *sr) 453 { 454 const smb_disp_entry_t *sdd; 455 smb_disp_stats_t *sds; 456 smb_session_t *session; 457 uint32_t msg_len; 458 uint16_t cmd_idx; 459 int rc = 0; 460 boolean_t disconnect = B_FALSE; 461 boolean_t related; 462 463 session = sr->session; 464 465 ASSERT(sr->smb2_async == B_FALSE); 466 ASSERT(sr->tid_tree == 0); 467 ASSERT(sr->uid_user == 0); 468 ASSERT(sr->fid_ofile == 0); 469 sr->smb_fid = (uint16_t)-1; 470 sr->smb2_status = 0; 471 472 /* temporary until we identify a user */ 473 sr->user_cr = zone_kcred(); 474 475 cmd_start: 476 /* 477 * Note that we don't check sr_state here and abort the 478 * compound if cancelled (etc.) because some SMB2 command 479 * handlers need to do work even when cancelled. 480 * 481 * We treat some status codes as if "sticky", meaning 482 * once they're set after some command handler returns, 483 * all remaining commands get this status without even 484 * calling the command-specific handler. 485 */ 486 if (sr->smb2_status != NT_STATUS_CANCELLED && 487 sr->smb2_status != NT_STATUS_INSUFFICIENT_RESOURCES) 488 sr->smb2_status = 0; 489 490 /* 491 * Decode the request header 492 * 493 * Most problems with decoding will result in the error 494 * STATUS_INVALID_PARAMETER. If the decoding problem 495 * prevents continuing, we'll close the connection. 496 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted... 497 */ 498 sr->smb2_cmd_hdr = sr->command.chain_offset; 499 if ((rc = smb2_decode_header(sr)) != 0) { 500 cmn_err(CE_WARN, "clnt %s bad SMB2 header", 501 session->ip_addr_str); 502 disconnect = B_TRUE; 503 goto cleanup; 504 } 505 506 /* 507 * The SMB2_FLAGS_SERVER_TO_REDIR should only appear 508 * in messages from the server back to the client. 509 */ 510 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR) != 0) { 511 cmn_err(CE_WARN, "clnt %s bad SMB2 flags", 512 session->ip_addr_str); 513 disconnect = B_TRUE; 514 goto cleanup; 515 } 516 related = (sr->smb2_hdr_flags & SMB2_FLAGS_RELATED_OPERATIONS); 517 sr->smb2_hdr_flags |= SMB2_FLAGS_SERVER_TO_REDIR; 518 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) { 519 /* Probably an async cancel. */ 520 DTRACE_PROBE1(smb2__dispatch__async, smb_request_t *, sr); 521 } else if (sr->smb2_async) { 522 /* Previous command in compound went async. */ 523 sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND; 524 sr->smb2_async_id = SMB2_ASYNCID(sr); 525 } 526 527 /* 528 * In case we bail out with an error before we get to the 529 * section that computes the credit grant, initialize the 530 * response header fields so that credits won't change. 531 * Note: SMB 2.02 clients may send credit charge zero. 532 */ 533 if (sr->smb2_credit_charge == 0) 534 sr->smb2_credit_charge = 1; 535 sr->smb2_credit_response = sr->smb2_credit_charge; 536 537 /* 538 * Write a tentative reply header. 539 * 540 * We could just leave this blank, but if we're using the 541 * mdb module feature that extracts packets, it's useful 542 * to have the header mostly correct here. 543 * 544 * If we have already exhausted the output space, then the 545 * client is trying something funny. Log it and kill 'em. 546 */ 547 sr->smb2_next_reply = 0; 548 ASSERT((sr->reply.chain_offset & 7) == 0); 549 sr->smb2_reply_hdr = sr->reply.chain_offset; 550 if ((rc = smb2_encode_header(sr, B_FALSE)) != 0) { 551 cmn_err(CE_WARN, "clnt %s excessive reply", 552 session->ip_addr_str); 553 disconnect = B_TRUE; 554 goto cleanup; 555 } 556 557 /* 558 * Figure out the length of data following the SMB2 header. 559 * It ends at either the next SMB2 header if there is one 560 * (smb2_next_command != 0) or at the end of the message. 561 */ 562 if (sr->smb2_next_command != 0) { 563 /* [MS-SMB2] says this is 8-byte aligned */ 564 msg_len = sr->smb2_next_command; 565 if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) || 566 ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) { 567 cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd", 568 session->ip_addr_str); 569 disconnect = B_TRUE; 570 goto cleanup; 571 } 572 } else { 573 msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr; 574 } 575 576 /* 577 * Setup a shadow chain for this SMB2 command, starting 578 * with the header and ending at either the next command 579 * or the end of the message. The signing check below 580 * needs the entire SMB2 command. After that's done, we 581 * advance chain_offset to the end of the header where 582 * the command specific handlers continue decoding. 583 */ 584 (void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command, 585 sr->smb2_cmd_hdr, msg_len); 586 587 /* 588 * We will consume the data for this request from smb_data. 589 * That effectively consumes msg_len bytes from sr->command 590 * but doesn't update its chain_offset, so we need to update 591 * that here to make later received bytes accounting work. 592 */ 593 sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len; 594 ASSERT(sr->command.chain_offset <= sr->command.max_bytes); 595 596 /* 597 * Validate the commmand code, get dispatch table entries. 598 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted... 599 * 600 * The last slot in the dispatch table is used to handle 601 * invalid commands. Same for statistics. 602 */ 603 if (sr->smb2_cmd_code < SMB2_INVALID_CMD) 604 cmd_idx = sr->smb2_cmd_code; 605 else 606 cmd_idx = SMB2_INVALID_CMD; 607 sdd = &smb2_disp_table[cmd_idx]; 608 sds = &session->s_server->sv_disp_stats2[cmd_idx]; 609 610 /* 611 * If this command is NOT "related" to the previous, 612 * clear out the UID, TID, FID state that might be 613 * left over from the previous command. 614 * 615 * If the command IS related, any new IDs are ignored, 616 * and we simply continue with the previous user, tree, 617 * and open file. 618 */ 619 if (!related) { 620 /* 621 * Drop user, tree, file; carefully ordered to 622 * avoid dangling references: file, tree, user 623 */ 624 if (sr->fid_ofile != NULL) { 625 smb_ofile_release(sr->fid_ofile); 626 sr->fid_ofile = NULL; 627 } 628 if (sr->tid_tree != NULL) { 629 smb_tree_release(sr->tid_tree); 630 sr->tid_tree = NULL; 631 } 632 if (sr->uid_user != NULL) { 633 smb_user_release(sr->uid_user); 634 sr->uid_user = NULL; 635 sr->user_cr = zone_kcred(); 636 } 637 } 638 639 /* 640 * Make sure we have a user and tree as needed 641 * according to the flags for the this command. 642 * Note that we may have inherited these. 643 */ 644 if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0) { 645 /* 646 * This command requires a user session. 647 */ 648 if (related) { 649 /* 650 * Previous command should have given us a user. 651 * [MS-SMB2] 3.3.5.2 Handling Related Requests 652 */ 653 if (sr->uid_user == NULL) { 654 smb2sr_put_error(sr, 655 NT_STATUS_INVALID_PARAMETER); 656 goto cmd_done; 657 } 658 sr->smb2_ssnid = sr->uid_user->u_ssnid; 659 } else { 660 /* 661 * Lookup the UID 662 * [MS-SMB2] 3.3.5.2 Verifying the Session 663 */ 664 ASSERT(sr->uid_user == NULL); 665 /* 666 * [MS-SMB2] 3.3.5.2.7 Handling Compounded Requests 667 * 668 * If this is an encrypted compound request, 669 * ensure that the ssnid in the request 670 * is the same as the tform ssnid if this 671 * message is not related. 672 * 673 * The reasons this is done seem to apply equally 674 * to uncompounded requests, so we apply it to all. 675 */ 676 677 if (sr->encrypted && 678 sr->smb2_ssnid != sr->smb3_tform_ssnid) { 679 disconnect = B_TRUE; 680 goto cleanup; /* just do this for now */ 681 } 682 683 sr->uid_user = smb_session_lookup_ssnid(session, 684 sr->smb2_ssnid); 685 if (sr->uid_user == NULL) { 686 smb2sr_put_error(sr, 687 NT_STATUS_USER_SESSION_DELETED); 688 goto cmd_done; 689 } 690 691 /* 692 * [MS-SMB2] 3.3.5.2.9 Verifying the Session 693 * 694 * If we're talking 3.x, 695 * RejectUnencryptedAccess is TRUE, 696 * Session.EncryptData is TRUE, 697 * and the message wasn't encrypted, 698 * return ACCESS_DENIED. 699 * 700 * Note that Session.EncryptData can only be TRUE when 701 * we're talking 3.x. 702 */ 703 704 if (sr->uid_user->u_encrypt == 705 SMB_CONFIG_REQUIRED && 706 !sr->encrypted) { 707 smb2sr_put_error(sr, 708 NT_STATUS_ACCESS_DENIED); 709 goto cmd_done; 710 } 711 712 sr->user_cr = smb_user_getcred(sr->uid_user); 713 } 714 ASSERT(sr->uid_user != NULL); 715 716 /* 717 * Encrypt if: 718 * - The cmd is not SESSION_SETUP or NEGOTIATE; AND 719 * - Session.EncryptData is TRUE 720 * 721 * Those commands suppress UID, so they can't be the cmd here. 722 */ 723 if (sr->uid_user->u_encrypt != SMB_CONFIG_DISABLED && 724 sr->tform_ssn == NULL) { 725 smb_user_hold_internal(sr->uid_user); 726 sr->tform_ssn = sr->uid_user; 727 sr->smb3_tform_ssnid = sr->smb2_ssnid; 728 } 729 } 730 731 if ((sdd->sdt_flags & SDDF_SUPPRESS_TID) == 0) { 732 /* 733 * This command requires a tree connection. 734 */ 735 if (related) { 736 /* 737 * Previous command should have given us a tree. 738 * [MS-SMB2] 3.3.5.2 Handling Related Requests 739 */ 740 if (sr->tid_tree == NULL) { 741 smb2sr_put_error(sr, 742 NT_STATUS_INVALID_PARAMETER); 743 goto cmd_done; 744 } 745 sr->smb_tid = sr->tid_tree->t_tid; 746 } else { 747 /* 748 * Lookup the TID 749 * [MS-SMB2] 3.3.5.2 Verifying the Tree Connect 750 */ 751 ASSERT(sr->tid_tree == NULL); 752 sr->tid_tree = smb_session_lookup_tree(session, 753 sr->smb_tid); 754 if (sr->tid_tree == NULL) { 755 smb2sr_put_error(sr, 756 NT_STATUS_NETWORK_NAME_DELETED); 757 goto cmd_done; 758 } 759 760 /* 761 * [MS-SMB2] 3.3.5.2.11 Verifying the Tree Connect 762 * 763 * If we support 3.x, RejectUnencryptedAccess is TRUE, 764 * if Tcon.EncryptData is TRUE or 765 * global EncryptData is TRUE and 766 * the message wasn't encrypted, or 767 * if Tcon.EncryptData is TRUE or 768 * global EncryptData is TRUE or 769 * the request was encrypted and 770 * the connection doesn't support encryption, 771 * return ACCESS_DENIED. 772 * 773 * If RejectUnencryptedAccess is TRUE, we force 774 * max_protocol to at least 3.0. Additionally, 775 * if the tree requires encryption, we don't care 776 * what we support, we still enforce encryption. 777 */ 778 if (sr->tid_tree->t_encrypt == SMB_CONFIG_REQUIRED && 779 (!sr->encrypted || 780 (session->srv_cap & SMB2_CAP_ENCRYPTION) == 0)) { 781 smb2sr_put_error(sr, 782 NT_STATUS_ACCESS_DENIED); 783 goto cmd_done; 784 } 785 } 786 ASSERT(sr->tid_tree != NULL); 787 788 /* 789 * Encrypt if: 790 * - The cmd is not TREE_CONNECT; AND 791 * - Tree.EncryptData is TRUE 792 * 793 * TREE_CONNECT suppresses TID, so that can't be the cmd here. 794 * NOTE: assumes we can't have a tree without a user 795 */ 796 if (sr->tid_tree->t_encrypt != SMB_CONFIG_DISABLED && 797 sr->tform_ssn == NULL) { 798 smb_user_hold_internal(sr->uid_user); 799 sr->tform_ssn = sr->uid_user; 800 sr->smb3_tform_ssnid = sr->smb2_ssnid; 801 } 802 } 803 804 /* 805 * SMB2 signature verification, two parts: 806 * (a) Require SMB2_FLAGS_SIGNED (for most request types) 807 * (b) If SMB2_FLAGS_SIGNED is set, check the signature. 808 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature 809 */ 810 811 /* 812 * No user session means no signature check. That's OK, 813 * i.e. for commands marked SDDF_SUPPRESS_UID above. 814 * Note, this also means we won't sign the reply. 815 */ 816 if (sr->uid_user == NULL) 817 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED; 818 819 /* 820 * The SDDF_SUPPRESS_UID dispatch is set for requests that 821 * don't need a UID (user). These also don't require a 822 * signature check here. 823 * 824 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature 825 * 826 * If the packet was successfully decrypted, the message 827 * signature has already been verified, so we can skip this. 828 */ 829 if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0 && 830 !sr->encrypted && sr->uid_user != NULL && 831 (sr->uid_user->u_sign_flags & SMB_SIGNING_ENABLED) != 0) { 832 /* 833 * If the request is signed, check the signature. 834 * Otherwise, if signing is required, deny access. 835 */ 836 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) { 837 rc = smb2_sign_check_request(sr); 838 if (rc != 0) { 839 DTRACE_PROBE1(smb2__sign__check, 840 smb_request_t *, sr); 841 smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED); 842 goto cmd_done; 843 } 844 } else if ( 845 (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) { 846 smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED); 847 goto cmd_done; 848 } 849 } 850 851 /* 852 * Now that the signing check is done with smb_data, 853 * advance past the SMB2 header we decoded earlier. 854 * This leaves sr->smb_data correctly positioned 855 * for command-specific decoding in the dispatch 856 * function called next. 857 */ 858 sr->smb_data.chain_offset = sr->smb2_cmd_hdr + SMB2_HDR_SIZE; 859 860 /* 861 * Credit adjustments (decrease) 862 * 863 * If we've gone async, credit adjustments were done 864 * when we sent the interim reply. 865 */ 866 if (!sr->smb2_async) { 867 if (sr->smb2_credit_request < sr->smb2_credit_charge) { 868 smb2_credit_decrease(sr); 869 } 870 } 871 872 /* 873 * The real work: call the SMB2 command handler 874 * (except for "sticky" smb2_status - see above) 875 */ 876 sr->sr_time_start = gethrtime(); 877 rc = SDRC_SUCCESS; 878 if (sr->smb2_status == 0) { 879 /* NB: not using pre_op */ 880 rc = (*sdd->sdt_function)(sr); 881 /* NB: not using post_op */ 882 } else { 883 smb2sr_put_error(sr, sr->smb2_status); 884 } 885 886 /* 887 * When the sdt_function returns SDRC_SR_KEPT, it means 888 * this SR may have been passed to another thread so we 889 * MUST NOT touch it anymore. 890 */ 891 if (rc == SDRC_SR_KEPT) 892 return; 893 894 MBC_FLUSH(&sr->raw_data); 895 896 /* 897 * Credit adjustments (increase) 898 */ 899 if (!sr->smb2_async) { 900 if (sr->smb2_credit_request > sr->smb2_credit_charge) { 901 smb2_credit_increase(sr); 902 } 903 } 904 905 cmd_done: 906 switch (rc) { 907 case SDRC_SUCCESS: 908 break; 909 default: 910 /* 911 * SMB2 does not use the other dispatch return codes. 912 * If we see something else, log an event so we'll 913 * know something is returning bogus status codes. 914 * If you see these in the log, use dtrace to find 915 * the code returning something else. 916 */ 917 #ifdef DEBUG 918 cmn_err(CE_NOTE, "handler for %u returned 0x%x", 919 sr->smb2_cmd_code, rc); 920 #endif 921 smb2sr_put_error(sr, NT_STATUS_INTERNAL_ERROR); 922 break; 923 case SDRC_ERROR: 924 /* 925 * Many command handlers return SDRC_ERROR for any 926 * problems decoding the request, and don't bother 927 * setting smb2_status. For those cases, the best 928 * status return would be "invalid parameter". 929 */ 930 if (sr->smb2_status == 0) 931 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 932 smb2sr_put_error(sr, sr->smb2_status); 933 break; 934 case SDRC_DROP_VC: 935 disconnect = B_TRUE; 936 goto cleanup; 937 938 case SDRC_NO_REPLY: 939 /* will free sr */ 940 goto cleanup; 941 } 942 943 /* 944 * Pad the reply to align(8) if there will be another. 945 * (We don't compound async replies.) 946 */ 947 if (!sr->smb2_async && sr->smb2_next_command != 0) 948 (void) smb_mbc_put_align(&sr->reply, 8); 949 950 /* 951 * Record some statistics. Uses: 952 * rxb = command.chain_offset - smb2_cmd_hdr; 953 * txb = reply.chain_offset - smb2_reply_hdr; 954 * which at this point represent the current cmd/reply. 955 * 956 * Note: If async, this does txb only, and 957 * skips the smb_latency_add_sample() calls. 958 */ 959 smb2_record_stats(sr, sds, sr->smb2_async); 960 961 /* 962 * If there's a next command, figure out where it starts, 963 * and fill in the next header offset for the reply. 964 * Note: We sanity checked smb2_next_command above. 965 */ 966 if (sr->smb2_next_command != 0) { 967 sr->command.chain_offset = 968 sr->smb2_cmd_hdr + sr->smb2_next_command; 969 sr->smb2_next_reply = 970 sr->reply.chain_offset - sr->smb2_reply_hdr; 971 } else { 972 ASSERT(sr->smb2_next_reply == 0); 973 } 974 975 /* 976 * Overwrite the (now final) SMB2 header for this response. 977 */ 978 (void) smb2_encode_header(sr, B_TRUE); 979 980 /* 981 * Cannot move this into smb2_session_setup() - encoded header required. 982 */ 983 if (session->dialect >= SMB_VERS_3_11 && 984 sr->smb2_cmd_code == SMB2_SESSION_SETUP && 985 sr->smb2_status == NT_STATUS_MORE_PROCESSING_REQUIRED) { 986 if (smb31_preauth_sha512_calc(sr, &sr->reply, 987 sr->uid_user->u_preauth_hashval, 988 sr->uid_user->u_preauth_hashval) != 0) 989 cmn_err(CE_WARN, "(3) Preauth hash calculation " 990 "failed"); 991 } 992 993 /* Don't sign if we're going to encrypt */ 994 if (sr->tform_ssn == NULL && 995 (sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) 996 smb2_sign_reply(sr); 997 998 /* 999 * Non-async runs the whole compound before send. 1000 * When we've gone async, send each individually. 1001 */ 1002 if (!sr->smb2_async && sr->smb2_next_command != 0) 1003 goto cmd_start; 1004 1005 /* 1006 * If we have a durable handle, and this operation updated 1007 * the nvlist, write it out (before smb2_send_reply). 1008 */ 1009 if (sr->dh_nvl_dirty) { 1010 sr->dh_nvl_dirty = B_FALSE; 1011 smb2_dh_update_nvfile(sr); 1012 } 1013 1014 smb2_send_reply(sr); 1015 if (sr->smb2_async && sr->smb2_next_command != 0) { 1016 MBC_FLUSH(&sr->reply); /* New reply buffer. */ 1017 ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes); 1018 goto cmd_start; 1019 } 1020 1021 cleanup: 1022 if (disconnect) 1023 smb_session_disconnect(session); 1024 1025 /* 1026 * Do "postwork" for oplock (and maybe other things) 1027 */ 1028 if (sr->sr_postwork != NULL) 1029 smb2sr_run_postwork(sr); 1030 1031 mutex_enter(&sr->sr_mutex); 1032 sr->sr_state = SMB_REQ_STATE_COMPLETED; 1033 mutex_exit(&sr->sr_mutex); 1034 1035 smb_request_free(sr); 1036 } 1037 1038 /* 1039 * Build interim responses for the current and all following 1040 * requests in this compound, then send the compound response, 1041 * leaving the SR state so that smb2sr_work() can continue its 1042 * processing of this compound in "async mode". 1043 * 1044 * If we agree to "go async", this should return STATUS_SUCCESS. 1045 * Otherwise return STATUS_INSUFFICIENT_RESOURCES for this and 1046 * all requests following this request. (See the comments re. 1047 * "sticky" smb2_status values in smb2sr_work). 1048 * 1049 * Note: the Async ID we assign here is arbitrary, and need only 1050 * be unique among pending async responses on this connection, so 1051 * this just uses a modified messageID, which is already unique. 1052 * 1053 * Credits: All credit changes should happen via the interim 1054 * responses, so we have to manage credits here. After this 1055 * returns to smb2sr_work, the final replies for all these 1056 * commands will have smb2_credit_response = smb2_credit_charge 1057 * (meaning no further changes to the clients' credits). 1058 */ 1059 uint32_t 1060 smb2sr_go_async(smb_request_t *sr) 1061 { 1062 smb_session_t *session; 1063 smb_disp_stats_t *sds; 1064 uint16_t cmd_idx; 1065 int32_t saved_com_offset; 1066 uint32_t saved_cmd_hdr; 1067 uint16_t saved_cred_resp; 1068 uint32_t saved_hdr_flags; 1069 uint32_t saved_reply_hdr; 1070 uint32_t msg_len; 1071 boolean_t disconnect = B_FALSE; 1072 1073 if (sr->smb2_async) { 1074 /* already went async in some previous cmd. */ 1075 return (NT_STATUS_SUCCESS); 1076 } 1077 sr->smb2_async = B_TRUE; 1078 1079 /* The "server" session always runs async. */ 1080 session = sr->session; 1081 if (session->sock == NULL) 1082 return (NT_STATUS_SUCCESS); 1083 1084 sds = NULL; 1085 saved_com_offset = sr->command.chain_offset; 1086 saved_cmd_hdr = sr->smb2_cmd_hdr; 1087 saved_cred_resp = sr->smb2_credit_response; 1088 saved_hdr_flags = sr->smb2_hdr_flags; 1089 saved_reply_hdr = sr->smb2_reply_hdr; 1090 1091 /* 1092 * The command-specific handler should not yet have put any 1093 * data in the reply except for the (place holder) header. 1094 */ 1095 if (sr->reply.chain_offset != sr->smb2_reply_hdr + SMB2_HDR_SIZE) { 1096 ASSERT3U(sr->reply.chain_offset, ==, 1097 sr->smb2_reply_hdr + SMB2_HDR_SIZE); 1098 return (NT_STATUS_INTERNAL_ERROR); 1099 } 1100 1101 /* 1102 * Rewind to the start of the current header in both the 1103 * command and reply bufers, so the loop below can just 1104 * decode/encode just in every pass. This means the 1105 * current command header is decoded again, but that 1106 * avoids having to special-case the first loop pass. 1107 */ 1108 sr->command.chain_offset = sr->smb2_cmd_hdr; 1109 sr->reply.chain_offset = sr->smb2_reply_hdr; 1110 1111 /* 1112 * This command processing loop is a simplified version of 1113 * smb2sr_work() that just puts an "interim response" for 1114 * every command in the compound (NT_STATUS_PENDING). 1115 */ 1116 cmd_start: 1117 sr->smb2_status = NT_STATUS_PENDING; 1118 1119 /* 1120 * Decode the request header 1121 */ 1122 sr->smb2_cmd_hdr = sr->command.chain_offset; 1123 if ((smb2_decode_header(sr)) != 0) { 1124 cmn_err(CE_WARN, "clnt %s bad SMB2 header", 1125 session->ip_addr_str); 1126 disconnect = B_TRUE; 1127 goto cleanup; 1128 } 1129 sr->smb2_hdr_flags |= (SMB2_FLAGS_SERVER_TO_REDIR | 1130 SMB2_FLAGS_ASYNC_COMMAND); 1131 sr->smb2_async_id = SMB2_ASYNCID(sr); 1132 1133 /* 1134 * In case we bail out... 1135 */ 1136 if (sr->smb2_credit_charge == 0) 1137 sr->smb2_credit_charge = 1; 1138 sr->smb2_credit_response = sr->smb2_credit_charge; 1139 1140 /* 1141 * Write a tentative reply header. 1142 */ 1143 sr->smb2_next_reply = 0; 1144 ASSERT((sr->reply.chain_offset & 7) == 0); 1145 sr->smb2_reply_hdr = sr->reply.chain_offset; 1146 if ((smb2_encode_header(sr, B_FALSE)) != 0) { 1147 cmn_err(CE_WARN, "clnt %s excessive reply", 1148 session->ip_addr_str); 1149 disconnect = B_TRUE; 1150 goto cleanup; 1151 } 1152 1153 /* 1154 * Figure out the length of data... 1155 */ 1156 if (sr->smb2_next_command != 0) { 1157 /* [MS-SMB2] says this is 8-byte aligned */ 1158 msg_len = sr->smb2_next_command; 1159 if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) || 1160 ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) { 1161 cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd", 1162 session->ip_addr_str); 1163 disconnect = B_TRUE; 1164 goto cleanup; 1165 } 1166 } else { 1167 msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr; 1168 } 1169 1170 /* 1171 * We just skip any data, so no shadow chain etc. 1172 */ 1173 sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len; 1174 ASSERT(sr->command.chain_offset <= sr->command.max_bytes); 1175 1176 /* 1177 * Validate the commmand code... 1178 */ 1179 if (sr->smb2_cmd_code < SMB2_INVALID_CMD) 1180 cmd_idx = sr->smb2_cmd_code; 1181 else 1182 cmd_idx = SMB2_INVALID_CMD; 1183 sds = &session->s_server->sv_disp_stats2[cmd_idx]; 1184 1185 /* 1186 * Don't change (user, tree, file) because we want them 1187 * exactly as they were when we entered. That also means 1188 * we may not have the right user in sr->uid_user for 1189 * signature checks, so leave that until smb2sr_work 1190 * runs these commands "for real". Therefore, here 1191 * we behave as if: (sr->uid_user == NULL) 1192 */ 1193 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED; 1194 1195 /* 1196 * Credit adjustments (decrease) 1197 * 1198 * NOTE: interim responses are not signed. 1199 * Any attacker can modify the credit grant 1200 * in the response. Because of this property, 1201 * it is no worse to assume the credit charge and grant 1202 * are sane without verifying the signature, 1203 * and that saves us a whole lot of work. 1204 * If the credits WERE modified, we'll find out 1205 * when we verify the signature later, 1206 * which nullifies any changes caused here. 1207 * 1208 * Skip this on the first command, because the 1209 * credit decrease was done by the caller. 1210 */ 1211 if (sr->smb2_cmd_hdr != saved_cmd_hdr) { 1212 if (sr->smb2_credit_request < sr->smb2_credit_charge) { 1213 smb2_credit_decrease(sr); 1214 } 1215 } 1216 1217 /* 1218 * The real work: ... (would be here) 1219 */ 1220 smb2sr_put_error(sr, sr->smb2_status); 1221 1222 /* 1223 * Credit adjustments (increase) 1224 */ 1225 if (sr->smb2_credit_request > sr->smb2_credit_charge) { 1226 smb2_credit_increase(sr); 1227 } 1228 1229 /* cmd_done: label */ 1230 1231 /* 1232 * Pad the reply to align(8) if there will be another. 1233 * This (interim) reply uses compounding. 1234 */ 1235 if (sr->smb2_next_command != 0) 1236 (void) smb_mbc_put_align(&sr->reply, 8); 1237 1238 /* 1239 * Record some statistics. Uses: 1240 * rxb = command.chain_offset - smb2_cmd_hdr; 1241 * txb = reply.chain_offset - smb2_reply_hdr; 1242 * which at this point represent the current cmd/reply. 1243 * 1244 * Note: We're doing smb_latency_add_sample() for all 1245 * remaining commands NOW, which means we won't include 1246 * the async part of their work in latency statistics. 1247 * That's intentional, as the async part of a command 1248 * would otherwise skew our latency statistics. 1249 */ 1250 smb2_record_stats(sr, sds, B_FALSE); 1251 1252 /* 1253 * If there's a next command, figure out where it starts, 1254 * and fill in the next header offset for the reply. 1255 * Note: We sanity checked smb2_next_command above. 1256 */ 1257 if (sr->smb2_next_command != 0) { 1258 sr->command.chain_offset = 1259 sr->smb2_cmd_hdr + sr->smb2_next_command; 1260 sr->smb2_next_reply = 1261 sr->reply.chain_offset - sr->smb2_reply_hdr; 1262 } else { 1263 ASSERT(sr->smb2_next_reply == 0); 1264 } 1265 1266 /* 1267 * Overwrite the (now final) SMB2 header for this response. 1268 */ 1269 (void) smb2_encode_header(sr, B_TRUE); 1270 1271 /* 1272 * Process whole compound before sending. 1273 */ 1274 if (sr->smb2_next_command != 0) 1275 goto cmd_start; 1276 smb2_send_reply(sr); 1277 1278 ASSERT(!disconnect); 1279 1280 cleanup: 1281 /* 1282 * Restore caller's command processing state. 1283 */ 1284 sr->smb2_cmd_hdr = saved_cmd_hdr; 1285 sr->command.chain_offset = saved_cmd_hdr; 1286 (void) smb2_decode_header(sr); 1287 sr->command.chain_offset = saved_com_offset; 1288 1289 sr->smb2_credit_response = saved_cred_resp; 1290 sr->smb2_hdr_flags = saved_hdr_flags; 1291 sr->smb2_status = NT_STATUS_SUCCESS; 1292 1293 /* 1294 * In here, the "disconnect" flag just means we had an 1295 * error decoding or encoding something. Rather than 1296 * actually disconnect here, let's assume whatever 1297 * problem we encountered will be seen by the caller 1298 * as they continue processing the compound, and just 1299 * restore everything and return an error. 1300 */ 1301 if (disconnect) { 1302 sr->smb2_async = B_FALSE; 1303 sr->smb2_reply_hdr = saved_reply_hdr; 1304 sr->reply.chain_offset = sr->smb2_reply_hdr; 1305 (void) smb2_encode_header(sr, B_FALSE); 1306 return (NT_STATUS_INVALID_PARAMETER); 1307 } 1308 1309 /* 1310 * The compound reply buffer we sent is now gone. 1311 * Setup a new reply buffer for the caller. 1312 */ 1313 sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND; 1314 sr->smb2_async_id = SMB2_ASYNCID(sr); 1315 sr->smb2_next_reply = 0; 1316 MBC_FLUSH(&sr->reply); 1317 ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes); 1318 ASSERT(sr->reply.chain_offset == 0); 1319 sr->smb2_reply_hdr = 0; 1320 (void) smb2_encode_header(sr, B_FALSE); 1321 1322 return (NT_STATUS_SUCCESS); 1323 } 1324 1325 int 1326 smb3_decode_tform_header(smb_request_t *sr) 1327 { 1328 uint16_t flags; 1329 int rc; 1330 uint32_t protocolid; 1331 1332 rc = smb_mbc_decodef( 1333 &sr->command, "l16c16cl..wq", 1334 &protocolid, /* l */ 1335 sr->smb2_sig, /* 16c */ 1336 sr->nonce, /* 16c */ 1337 &sr->msgsize, /* l */ 1338 /* reserved .. */ 1339 &flags, /* w */ 1340 &sr->smb3_tform_ssnid); /* q */ 1341 if (rc) 1342 return (rc); 1343 1344 ASSERT3U(protocolid, ==, SMB3_ENCRYPTED_MAGIC); 1345 1346 if (flags != 1) { 1347 #ifdef DEBUG 1348 cmn_err(CE_NOTE, "flags field not 1: %x", flags); 1349 #endif 1350 return (-1); 1351 } 1352 1353 /* 1354 * MsgSize is the amount of data the client tell us to decrypt. 1355 * Make sure this value is not too big and not too small. 1356 */ 1357 if (sr->msgsize < SMB2_HDR_SIZE || 1358 sr->msgsize > sr->session->cmd_max_bytes || 1359 sr->msgsize > sr->command.max_bytes - SMB3_TFORM_HDR_SIZE) 1360 return (-1); 1361 1362 return (rc); 1363 } 1364 1365 int 1366 smb3_encode_tform_header(smb_request_t *sr, struct mbuf_chain *mbc) 1367 { 1368 int rc; 1369 1370 /* Signature and Nonce are added in smb3_encrypt_sr */ 1371 rc = smb_mbc_encodef( 1372 mbc, "l32.lwwq", 1373 SMB3_ENCRYPTED_MAGIC, /* l */ 1374 /* signature(16), nonce(16) 32. */ 1375 sr->msgsize, /* l */ 1376 0, /* reserved w */ 1377 1, /* flags w */ 1378 sr->smb3_tform_ssnid); /* q */ 1379 1380 return (rc); 1381 } 1382 1383 int 1384 smb2_decode_header(smb_request_t *sr) 1385 { 1386 uint32_t pid, tid; 1387 uint16_t hdr_len; 1388 int rc; 1389 1390 rc = smb_mbc_decodef( 1391 &sr->command, "Nwww..wwllqllq16c", 1392 &hdr_len, /* w */ 1393 &sr->smb2_credit_charge, /* w */ 1394 &sr->smb2_chan_seq, /* w */ 1395 /* reserved .. */ 1396 &sr->smb2_cmd_code, /* w */ 1397 &sr->smb2_credit_request, /* w */ 1398 &sr->smb2_hdr_flags, /* l */ 1399 &sr->smb2_next_command, /* l */ 1400 &sr->smb2_messageid, /* q */ 1401 &pid, /* l */ 1402 &tid, /* l */ 1403 &sr->smb2_ssnid, /* q */ 1404 sr->smb2_sig); /* 16c */ 1405 if (rc) 1406 return (rc); 1407 1408 if (hdr_len != SMB2_HDR_SIZE) 1409 return (-1); 1410 1411 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) { 1412 sr->smb2_async_id = pid | 1413 ((uint64_t)tid) << 32; 1414 sr->smb_pid = 0; 1415 sr->smb_tid = 0; 1416 } else { 1417 sr->smb2_async_id = 0; 1418 sr->smb_pid = pid; 1419 sr->smb_tid = (uint16_t)tid; /* XXX wide TIDs */ 1420 } 1421 1422 return (rc); 1423 } 1424 1425 int 1426 smb2_encode_header(smb_request_t *sr, boolean_t overwrite) 1427 { 1428 uint64_t pid_tid_aid; /* pid+tid, or async id */ 1429 int rc; 1430 1431 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) { 1432 pid_tid_aid = sr->smb2_async_id; 1433 } else { 1434 pid_tid_aid = sr->smb_pid | 1435 ((uint64_t)sr->smb_tid) << 32; 1436 } 1437 1438 if (overwrite) { 1439 rc = smb_mbc_poke(&sr->reply, 1440 sr->smb2_reply_hdr, 1441 "Nwwlwwllqqq16c", 1442 SMB2_HDR_SIZE, /* w */ 1443 sr->smb2_credit_charge, /* w */ 1444 sr->smb2_status, /* l */ 1445 sr->smb2_cmd_code, /* w */ 1446 sr->smb2_credit_response, /* w */ 1447 sr->smb2_hdr_flags, /* l */ 1448 sr->smb2_next_reply, /* l */ 1449 sr->smb2_messageid, /* q */ 1450 pid_tid_aid, /* q */ 1451 sr->smb2_ssnid, /* q */ 1452 sr->smb2_sig); /* 16c */ 1453 } else { 1454 rc = smb_mbc_encodef(&sr->reply, 1455 "Nwwlwwllqqq16c", 1456 SMB2_HDR_SIZE, /* w */ 1457 sr->smb2_credit_charge, /* w */ 1458 sr->smb2_status, /* l */ 1459 sr->smb2_cmd_code, /* w */ 1460 sr->smb2_credit_response, /* w */ 1461 sr->smb2_hdr_flags, /* l */ 1462 sr->smb2_next_reply, /* l */ 1463 sr->smb2_messageid, /* q */ 1464 pid_tid_aid, /* q */ 1465 sr->smb2_ssnid, /* q */ 1466 sr->smb2_sig); /* 16c */ 1467 } 1468 1469 return (rc); 1470 } 1471 1472 void 1473 smb2_send_reply(smb_request_t *sr) 1474 { 1475 struct mbuf_chain enc_reply; 1476 smb_session_t *session = sr->session; 1477 void *tmpbuf; 1478 size_t buflen; 1479 struct mbuf_chain tmp; 1480 1481 /* 1482 * [MS-SMB2] 3.3.4.1.4 Encrypting the Message 1483 * 1484 * When the connection supports encryption and the dialect 1485 * is 3.x, encrypt if: 1486 * - The request was encrypted OR 1487 * - The cmd is not SESSION_SETUP or NEGOTIATE AND 1488 * -- Session.EncryptData is TRUE OR 1489 * -- The cmd is not TREE_CONNECT AND 1490 * --- Tree.EncryptData is TRUE 1491 * 1492 * This boils down to sr->tform_ssn != NULL, and the rest 1493 * is enforced when tform_ssn is set. 1494 */ 1495 1496 if ((session->capabilities & SMB2_CAP_ENCRYPTION) == 0 || 1497 sr->tform_ssn == NULL) { 1498 (void) smb_session_send(sr->session, 0, &sr->reply); 1499 return; 1500 } 1501 1502 sr->msgsize = sr->reply.chain_offset; 1503 (void) MBC_SHADOW_CHAIN(&tmp, &sr->reply, 1504 0, sr->msgsize); 1505 1506 buflen = SMB3_TFORM_HDR_SIZE + sr->msgsize; 1507 1508 /* taken from smb_request_init_command_mbuf */ 1509 tmpbuf = kmem_alloc(buflen, KM_SLEEP); 1510 MBC_ATTACH_BUF(&enc_reply, tmpbuf, buflen); 1511 enc_reply.flags = 0; 1512 enc_reply.shadow_of = NULL; 1513 1514 if (smb3_encode_tform_header(sr, &enc_reply) != 0) { 1515 cmn_err(CE_WARN, "couldn't encode transform header"); 1516 goto errout; 1517 } 1518 if (smb3_encrypt_sr(sr, &tmp, &enc_reply) != 0) { 1519 cmn_err(CE_WARN, "smb3 encryption failed"); 1520 goto errout; 1521 } 1522 1523 (void) smb_session_send(sr->session, 0, &enc_reply); 1524 kmem_free(tmpbuf, buflen); 1525 return; 1526 1527 errout: 1528 kmem_free(tmpbuf, buflen); 1529 smb_session_disconnect(sr->session); 1530 } 1531 1532 /* 1533 * This wrapper function exists to help catch calls to smbsr_status() 1534 * (which is SMB1-specific) in common code. See smbsr_status(). 1535 * If the log message below is seen, put a dtrace probe on this 1536 * function with a stack() action to see who is calling the SMB1 1537 * "put error" from common code, and fix it. 1538 */ 1539 void 1540 smbsr_status_smb2(smb_request_t *sr, DWORD status) 1541 { 1542 const char *name; 1543 1544 if (sr->smb2_cmd_code < SMB2__NCMDS) 1545 name = smb2_disp_table[sr->smb2_cmd_code].sdt_name; 1546 else 1547 name = "<unknown>"; 1548 #ifdef DEBUG 1549 cmn_err(CE_NOTE, "smbsr_status called for %s", name); 1550 #endif 1551 1552 smb2sr_put_error_data(sr, status, NULL); 1553 } 1554 1555 void 1556 smb2sr_put_errno(struct smb_request *sr, int errnum) 1557 { 1558 uint32_t status = smb_errno2status(errnum); 1559 smb2sr_put_error_data(sr, status, NULL); 1560 } 1561 1562 void 1563 smb2sr_put_error(smb_request_t *sr, uint32_t status) 1564 { 1565 smb2sr_put_error_data(sr, status, NULL); 1566 } 1567 1568 /* 1569 * Build an SMB2 error response. [MS-SMB2] 2.2.2 1570 */ 1571 void 1572 smb2sr_put_error_data(smb_request_t *sr, uint32_t status, mbuf_chain_t *mbc) 1573 { 1574 DWORD len; 1575 1576 /* 1577 * The common dispatch code writes this when it 1578 * updates the SMB2 header before sending. 1579 */ 1580 sr->smb2_status = status; 1581 1582 /* Rewind to the end of the SMB header. */ 1583 sr->reply.chain_offset = sr->smb2_reply_hdr + SMB2_HDR_SIZE; 1584 1585 /* 1586 * NB: Must provide at least one byte of error data, 1587 * per [MS-SMB2] 2.2.2 1588 */ 1589 if (mbc != NULL && (len = MBC_LENGTH(mbc)) != 0) { 1590 (void) smb_mbc_encodef( 1591 &sr->reply, 1592 "wwlC", 1593 9, /* StructSize */ /* w */ 1594 0, /* reserved */ /* w */ 1595 len, /* l */ 1596 mbc); /* C */ 1597 } else { 1598 (void) smb_mbc_encodef( 1599 &sr->reply, 1600 "wwl.", 1601 9, /* StructSize */ /* w */ 1602 0, /* reserved */ /* w */ 1603 0); /* l. */ 1604 } 1605 } 1606 1607 /* 1608 * Build an SMB2 error context response (dialect 3.1.1). 1609 */ 1610 void 1611 smb2sr_put_error_ctx(smb_request_t *sr, uint32_t status, uint32_t errid, 1612 mbuf_chain_t *mbc) 1613 { 1614 DWORD len; 1615 1616 /* 1617 * The common dispatch code writes this when it 1618 * updates the SMB2 header before sending. 1619 */ 1620 sr->smb2_status = status; 1621 1622 /* Rewind to the end of the SMB header. */ 1623 sr->reply.chain_offset = sr->smb2_reply_hdr + SMB2_HDR_SIZE; 1624 1625 /* 1626 * Error Context is 8-byte header plus encaps. data (ErrorContextData), 1627 * which can be zero-length. 1628 */ 1629 if (mbc != NULL && (len = MBC_LENGTH(mbc)) != 0) { 1630 (void) smb_mbc_encodef( 1631 &sr->reply, 1632 "wbblllC", 1633 9, /* StructSize */ /* w */ 1634 1, /* ErrorContextCount */ /* b */ 1635 0, /* reserved */ /* b */ 1636 8+len, /* ByteCount */ /* l */ 1637 len, /* ErrorDataLength */ /* l */ 1638 errid, /* ErrorId */ /* l */ 1639 mbc); /* C */ 1640 } else { 1641 (void) smb_mbc_encodef( 1642 &sr->reply, 1643 "wbblll", 1644 9, /* StructSize */ /* w */ 1645 1, /* ErrorContextCount */ /* b */ 1646 0, /* reserved */ /* b */ 1647 8, /* ByteCount */ /* l */ 1648 0, /* ErrorDataLength */ /* l */ 1649 errid); /* ErrorId */ /* l */ 1650 } 1651 } 1652 1653 /* 1654 * Build an SMB2 error context response with SMB2_ERROR_ID_DEFAULT ErrorId. 1655 * 1656 * This only handles the case we currently need, encapsulating a 1657 * single error data section inside an SMB2_ERROR_ID_DEFAULT 1658 * error context type (which is type zero, and that's what 1659 * the zero on the end of this function name refers to). 1660 */ 1661 void 1662 smb2sr_put_error_ctx0(smb_request_t *sr, uint32_t status, mbuf_chain_t *mbc) 1663 { 1664 return (smb2sr_put_error_ctx(sr, status, SMB2_ERROR_ID_DEFAULT, mbc)); 1665 } 1666 1667 /* 1668 * smb2sr_lookup_fid 1669 * 1670 * Setup sr->fid_ofile, either inherited from a related command, 1671 * or obtained via FID lookup. Similar inheritance logic as in 1672 * smb2sr_work. 1673 */ 1674 uint32_t 1675 smb2sr_lookup_fid(smb_request_t *sr, smb2fid_t *fid) 1676 { 1677 boolean_t related = sr->smb2_hdr_flags & 1678 SMB2_FLAGS_RELATED_OPERATIONS; 1679 1680 if (related) { 1681 if (sr->fid_ofile == NULL) 1682 return (NT_STATUS_INVALID_PARAMETER); 1683 sr->smb_fid = sr->fid_ofile->f_fid; 1684 return (0); 1685 } 1686 1687 /* 1688 * If we could be sure this is called only once per cmd, 1689 * we could simply ASSERT(sr->fid_ofile == NULL) here. 1690 * However, there are cases where it can be called again 1691 * handling the same command, so let's tolerate that. 1692 */ 1693 if (sr->fid_ofile == NULL) { 1694 sr->smb_fid = (uint16_t)fid->temporal; 1695 sr->fid_ofile = smb_ofile_lookup_by_fid(sr, sr->smb_fid); 1696 } 1697 if (sr->fid_ofile == NULL || 1698 sr->fid_ofile->f_persistid != fid->persistent) 1699 return (NT_STATUS_FILE_CLOSED); 1700 1701 return (0); 1702 } 1703 1704 /* 1705 * smb2_dispatch_stats_init 1706 * 1707 * Initializes dispatch statistics for SMB2. 1708 * See also smb_dispatch_stats_init(), which fills in 1709 * the lower part of the statistics array, from zero 1710 * through SMB_COM_NUM; 1711 */ 1712 void 1713 smb2_dispatch_stats_init(smb_server_t *sv) 1714 { 1715 smb_disp_stats_t *sds = sv->sv_disp_stats2; 1716 smb_kstat_req_t *ksr; 1717 int i; 1718 1719 ksr = ((smbsrv_kstats_t *)sv->sv_ksp->ks_data)->ks_reqs2; 1720 1721 for (i = 0; i < SMB2__NCMDS; i++, ksr++) { 1722 smb_latency_init(&sds[i].sdt_lat); 1723 (void) strlcpy(ksr->kr_name, smb2_disp_table[i].sdt_name, 1724 sizeof (ksr->kr_name)); 1725 } 1726 } 1727 1728 /* 1729 * smb2_dispatch_stats_fini 1730 * 1731 * Frees and destroyes the resources used for statistics. 1732 */ 1733 void 1734 smb2_dispatch_stats_fini(smb_server_t *sv) 1735 { 1736 smb_disp_stats_t *sds = sv->sv_disp_stats2; 1737 int i; 1738 1739 for (i = 0; i < SMB2__NCMDS; i++) 1740 smb_latency_destroy(&sds[i].sdt_lat); 1741 } 1742 1743 void 1744 smb2_dispatch_stats_update(smb_server_t *sv, 1745 smb_kstat_req_t *ksr, int first, int nreq) 1746 { 1747 smb_disp_stats_t *sds = sv->sv_disp_stats2; 1748 int i; 1749 int last; 1750 1751 last = first + nreq - 1; 1752 1753 if ((first < SMB2__NCMDS) && (last < SMB2__NCMDS)) { 1754 for (i = first; i <= last; i++, ksr++) { 1755 ksr->kr_rxb = sds[i].sdt_rxb; 1756 ksr->kr_txb = sds[i].sdt_txb; 1757 mutex_enter(&sds[i].sdt_lat.ly_mutex); 1758 ksr->kr_nreq = sds[i].sdt_lat.ly_a_nreq; 1759 ksr->kr_sum = sds[i].sdt_lat.ly_a_sum; 1760 ksr->kr_a_mean = sds[i].sdt_lat.ly_a_mean; 1761 ksr->kr_a_stddev = 1762 sds[i].sdt_lat.ly_a_stddev; 1763 ksr->kr_d_mean = sds[i].sdt_lat.ly_d_mean; 1764 ksr->kr_d_stddev = 1765 sds[i].sdt_lat.ly_d_stddev; 1766 sds[i].sdt_lat.ly_d_mean = 0; 1767 sds[i].sdt_lat.ly_d_nreq = 0; 1768 sds[i].sdt_lat.ly_d_stddev = 0; 1769 sds[i].sdt_lat.ly_d_sum = 0; 1770 mutex_exit(&sds[i].sdt_lat.ly_mutex); 1771 } 1772 } 1773 } 1774 1775 /* 1776 * Append new_sr to the postwork queue. sr->smb2_cmd_code encodes 1777 * the action that should be run by this sr. 1778 * 1779 * This queue is rarely used (and normally empty) so we're OK 1780 * using a simple "walk to tail and insert" here. 1781 */ 1782 void 1783 smb2sr_append_postwork(smb_request_t *top_sr, smb_request_t *new_sr) 1784 { 1785 smb_request_t *last_sr; 1786 1787 ASSERT(top_sr->session->dialect >= SMB_VERS_2_BASE); 1788 1789 last_sr = top_sr; 1790 while (last_sr->sr_postwork != NULL) 1791 last_sr = last_sr->sr_postwork; 1792 1793 last_sr->sr_postwork = new_sr; 1794 } 1795 1796 /* 1797 * Run any "post work" that was appended to the main SR while it 1798 * was running. This is called after the request has been sent 1799 * for the main SR, and used in cases i.e. the oplock code, where 1800 * we need to send something to the client only _after_ the main 1801 * sr request has gone out. 1802 */ 1803 static void 1804 smb2sr_run_postwork(smb_request_t *top_sr) 1805 { 1806 smb_request_t *post_sr; /* the one we're running */ 1807 smb_request_t *next_sr; 1808 1809 while ((post_sr = top_sr->sr_postwork) != NULL) { 1810 next_sr = post_sr->sr_postwork; 1811 top_sr->sr_postwork = next_sr; 1812 post_sr->sr_postwork = NULL; 1813 1814 post_sr->sr_worker = top_sr->sr_worker; 1815 post_sr->sr_state = SMB_REQ_STATE_ACTIVE; 1816 1817 switch (post_sr->smb2_cmd_code) { 1818 case SMB2_OPLOCK_BREAK: 1819 smb_oplock_send_brk(post_sr); 1820 break; 1821 default: 1822 ASSERT(0); 1823 } 1824 1825 /* 1826 * If we have a durable handle, and this operation 1827 * updated the nvlist, write it out. 1828 */ 1829 if (post_sr->dh_nvl_dirty) { 1830 post_sr->dh_nvl_dirty = B_FALSE; 1831 smb2_dh_update_nvfile(post_sr); 1832 } 1833 1834 post_sr->sr_state = SMB_REQ_STATE_COMPLETED; 1835 smb_request_free(post_sr); 1836 } 1837 } 1838