1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2013 Nexenta Systems, Inc. All rights reserved.
24 */
25
26 /*
27 * Notes on the virtual circuit (VC) values in the SMB Negotiate
28 * response and SessionSetupAndx request.
29 *
30 * A virtual circuit (VC) represents a connection between a client and a
31 * server using a reliable, session oriented transport protocol, such as
32 * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a
33 * single underlying transport connection, i.e. a single NetBIOS session,
34 * which limited performance for raw data transfers.
35 *
36 * The intention behind multiple VCs was to improve performance by
37 * allowing parallelism over each NetBIOS session. For example, raw data
38 * could be transmitted using a different VC from other types of SMB
39 * requests to remove the interleaving restriction while a raw transfer
40 * is in progress. So the MaxNumberVcs field was added to the negotiate
41 * response to make the number of VCs configurable and to allow servers
42 * to specify how many they were prepared to support per session
43 * connection. This turned out to be difficult to manage and, with
44 * technology improvements, it has become obsolete.
45 *
46 * Servers should set the MaxNumberVcs value in the Negotiate response
47 * to 1. Clients should probably ignore it. If a server receives a
48 * SessionSetupAndx with a VC value of 0, it should close all other
49 * VCs to that client. If it receives a non-zero VC, it should leave
50 * other VCs in tact.
51 *
52 */
53
54 /*
55 * SMB: negotiate
56 *
57 * Client Request Description
58 * ============================ =======================================
59 *
60 * UCHAR WordCount; Count of parameter words = 0
61 * USHORT ByteCount; Count of data bytes; min = 2
62 * struct {
63 * UCHAR BufferFormat; 0x02 -- Dialect
64 * UCHAR DialectName[]; ASCII null-terminated string
65 * } Dialects[];
66 *
67 * The Client sends a list of dialects that it can communicate with. The
68 * response is a selection of one of those dialects (numbered 0 through n)
69 * or -1 (hex FFFF) indicating that none of the dialects were acceptable.
70 * The negotiate message is binding on the virtual circuit and must be
71 * sent. One and only one negotiate message may be sent, subsequent
72 * negotiate requests will be rejected with an error response and no action
73 * will be taken.
74 *
75 * The protocol does not impose any particular structure to the dialect
76 * strings. Implementors of particular protocols may choose to include,
77 * for example, version numbers in the string.
78 *
79 * If the server does not understand any of the dialect strings, or if PC
80 * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is
81 *
82 * Server Response Description
83 * ============================ =======================================
84 *
85 * UCHAR WordCount; Count of parameter words = 1
86 * USHORT DialectIndex; Index of selected dialect
87 * USHORT ByteCount; Count of data bytes = 0
88 *
89 * If the chosen dialect is greater than core up to and including
90 * LANMAN2.1, the protocol response format is
91 *
92 * Server Response Description
93 * ============================ =======================================
94 *
95 * UCHAR WordCount; Count of parameter words = 13
96 * USHORT DialectIndex; Index of selected dialect
97 * USHORT SecurityMode; Security mode:
98 * bit 0: 0 = share, 1 = user
99 * bit 1: 1 = use challenge/response
100 * authentication
101 * USHORT MaxBufferSize; Max transmit buffer size (>= 1024)
102 * USHORT MaxMpxCount; Max pending multiplexed requests
103 * USHORT MaxNumberVcs; Max VCs between client and server
104 * USHORT RawMode; Raw modes supported:
105 * bit 0: 1 = Read Raw supported
106 * bit 1: 1 = Write Raw supported
107 * ULONG SessionKey; Unique token identifying this session
108 * SMB_TIME ServerTime; Current time at server
109 * SMB_DATE ServerDate; Current date at server
110 * USHORT ServerTimeZone; Current time zone at server
111 * USHORT EncryptionKeyLength; MBZ if this is not LM2.1
112 * USHORT Reserved; MBZ
113 * USHORT ByteCount Count of data bytes
114 * UCHAR EncryptionKey[]; The challenge encryption key
115 * STRING PrimaryDomain[]; The server's primary domain
116 *
117 * MaxBufferSize is the size of the largest message which the client can
118 * legitimately send to the server
119 *
120 * If bit0 of the Flags field is set in the negotiate response, this
121 * indicates the server supports the SMB_COM_LOCK_AND_READ and
122 * SMB_COM_WRITE_AND_UNLOCK client requests.
123 *
124 * If the SecurityMode field indicates the server is running in user mode,
125 * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests
126 * before the server will allow the client to access resources. If the
127 * SecurityMode fields indicates the client should use challenge/response
128 * authentication, the client should use the authentication mechanism
129 * specified in section 2.10.
130 *
131 * Clients should submit no more than MaxMpxCount distinct unanswered SMBs
132 * to the server when using multiplexed reads or writes (see sections 5.13
133 * and 5.25)
134 *
135 * Clients using the "MICROSOFT NETWORKS 1.03" dialect use a different
136 * form of raw reads than documented here, and servers are better off
137 * setting RawMode in this response to 0 for such sessions.
138 *
139 * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then
140 * PrimaryDomain string should be included in this response.
141 *
142 * If the negotiated dialect is NT LM 0.12, the response format is
143 *
144 * Server Response Description
145 * ========================== =========================================
146 *
147 * UCHAR WordCount; Count of parameter words = 17
148 * USHORT DialectIndex; Index of selected dialect
149 * UCHAR SecurityMode; Security mode:
150 * bit 0: 0 = share, 1 = user
151 * bit 1: 1 = encrypt passwords
152 * USHORT MaxMpxCount; Max pending multiplexed requests
153 * USHORT MaxNumberVcs; Max VCs between client and server
154 * ULONG MaxBufferSize; Max transmit buffer size
155 * ULONG MaxRawSize; Maximum raw buffer size
156 * ULONG SessionKey; Unique token identifying this session
157 * ULONG Capabilities; Server capabilities
158 * ULONG SystemTimeLow; System (UTC) time of the server (low).
159 * ULONG SystemTimeHigh; System (UTC) time of the server (high).
160 * USHORT ServerTimeZone; Time zone of server (min from UTC)
161 * UCHAR EncryptionKeyLength; Length of encryption key.
162 * USHORT ByteCount; Count of data bytes
163 * UCHAR EncryptionKey[]; The challenge encryption key
164 * UCHAR OemDomainName[]; The name of the domain (in OEM chars)
165 *
166 * In addition to the definitions above, MaxBufferSize is the size of the
167 * largest message which the client can legitimately send to the server.
168 * If the client is using a connectionless protocol, MaxBufferSize must be
169 * set to the smaller of the server's internal buffer size and the amount
170 * of data which can be placed in a response packet.
171 *
172 * MaxRawSize specifies the maximum message size the server can send or
173 * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW.
174 *
175 * Connectionless clients must set Sid to 0 in the SMB request header.
176 *
177 * Capabilities allows the server to tell the client what it supports.
178 * The bit definitions defined in smb.h. Bit 0x2000 used to be set in
179 * the negotiate response capabilities but it caused problems with
180 * Windows 2000. It is probably not valid, it doesn't appear in the
181 * CIFS spec.
182 *
183 * 4.1.1.1 Errors
184 *
185 * SUCCESS/SUCCESS
186 * ERRSRV/ERRerror
187 */
188 #include <sys/types.h>
189 #include <sys/socket.h>
190 #include <netinet/in.h>
191 #include <smbsrv/smb_kproto.h>
192 #include <smbsrv/smbinfo.h>
193
194 static const smb_xlate_t smb_dialect[] = {
195 { DIALECT_UNKNOWN, "DIALECT_UNKNOWN" },
196 { PC_NETWORK_PROGRAM_1_0, "PC NETWORK PROGRAM 1.0" },
197 { PCLAN1_0, "PCLAN1.0" },
198 { MICROSOFT_NETWORKS_1_03, "MICROSOFT NETWORKS 1.03" },
199 { MICROSOFT_NETWORKS_3_0, "MICROSOFT NETWORKS 3.0" },
200 { LANMAN1_0, "LANMAN1.0" },
201 { LM1_2X002, "LM1.2X002" },
202 { DOS_LM1_2X002, "DOS LM1.2X002" },
203 { DOS_LANMAN2_1, "DOS LANMAN2.1" },
204 { LANMAN2_1, "LANMAN2.1" },
205 { Windows_for_Workgroups_3_1a, "Windows for Workgroups 3.1a" },
206 { NT_LM_0_12, "NT LM 0.12" }
207 };
208
209 /*
210 * Maximum buffer size for DOS: chosen to be the same as NT.
211 * Do not change this value, DOS is very sensitive to it.
212 */
213 #define SMB_DOS_MAXBUF 0x1104
214
215 /*
216 * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems
217 * with other values. DOS 6.1 seems to depend on a window value of 8700 to
218 * send the next set of data. If we return a window value of 40KB, after
219 * sending 8700 bytes of data, it will start the next set of data from 40KB
220 * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses.
221 * September 2000.
222 *
223 * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow
224 * for a larger TCP window sizei based on observations of Windows 2000 and
225 * performance testing. March 2003.
226 */
227 static uint32_t smb_dos_tcp_rcvbuf = 8700;
228 static uint32_t smb_nt_tcp_rcvbuf = 1048560; /* scale factor of 4 */
229
230 static int smb_xlate_dialect(const char *);
231
232 int smb_cap_passthru = 1;
233
234 smb_sdrc_t
smb_pre_negotiate(smb_request_t * sr)235 smb_pre_negotiate(smb_request_t *sr)
236 {
237 smb_arg_negotiate_t *negprot;
238 int dialect;
239 int pos;
240 int rc = 0;
241
242 negprot = smb_srm_zalloc(sr, sizeof (smb_arg_negotiate_t));
243 negprot->ni_index = -1;
244 sr->sr_negprot = negprot;
245
246 for (pos = 0; smbsr_decode_data_avail(sr); pos++) {
247 if (smbsr_decode_data(sr, "%L", sr, &negprot->ni_name) != 0) {
248 smbsr_error(sr, 0, ERRSRV, ERRerror);
249 rc = -1;
250 break;
251 }
252
253 if ((dialect = smb_xlate_dialect(negprot->ni_name)) < 0)
254 continue;
255
256 if (negprot->ni_dialect < dialect) {
257 negprot->ni_dialect = dialect;
258 negprot->ni_index = pos;
259 }
260 }
261
262 DTRACE_SMB_2(op__Negotiate__start, smb_request_t *, sr,
263 smb_arg_negotiate_t, negprot);
264 smb_rwx_rwenter(&sr->session->s_lock, RW_WRITER);
265 return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
266 }
267
268 void
smb_post_negotiate(smb_request_t * sr)269 smb_post_negotiate(smb_request_t *sr)
270 {
271 smb_arg_negotiate_t *negprot = sr->sr_negprot;
272
273 DTRACE_SMB_2(op__Negotiate__done, smb_request_t *, sr,
274 smb_arg_negotiate_t, negprot);
275 smb_rwx_rwexit(&sr->session->s_lock);
276
277 bzero(negprot, sizeof (smb_arg_negotiate_t));
278 }
279
280 smb_sdrc_t
smb_com_negotiate(smb_request_t * sr)281 smb_com_negotiate(smb_request_t *sr)
282 {
283 smb_arg_negotiate_t *negprot = sr->sr_negprot;
284 uint16_t secmode;
285 uint16_t rawmode = 0;
286 uint32_t sesskey;
287 char ipaddr_buf[INET6_ADDRSTRLEN];
288 char *nbdomain;
289 uint8_t *wcbuf;
290 int wclen;
291 smb_msgbuf_t mb;
292 int rc;
293
294 if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) {
295 /* The protocol has already been negotiated. */
296 smbsr_error(sr, 0, ERRSRV, ERRerror);
297 return (SDRC_ERROR);
298 }
299
300 sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE |
301 NEGOTIATE_SECURITY_USER_LEVEL;
302 secmode = sr->session->secmode;
303 sesskey = sr->session->sesskey;
304
305 (void) microtime(&negprot->ni_servertime);
306 negprot->ni_tzcorrection = sr->sr_gmtoff / 60;
307 negprot->ni_maxmpxcount = sr->sr_cfg->skc_maxworkers;
308 negprot->ni_keylen = SMB_CHALLENGE_SZ;
309 bcopy(&sr->session->challenge_key, negprot->ni_key, SMB_CHALLENGE_SZ);
310 nbdomain = sr->sr_cfg->skc_nbdomain;
311
312 /*
313 * UNICODE support is required for long share names,
314 * long file names and streams. Note: CAP_RAW_MODE
315 * is not supported because it does nothing to help
316 * modern clients and causes nasty complications.
317 */
318 negprot->ni_capabilities = CAP_LARGE_FILES
319 | CAP_UNICODE
320 | CAP_NT_SMBS
321 | CAP_STATUS32
322 | CAP_NT_FIND
323 | CAP_LEVEL_II_OPLOCKS
324 | CAP_LOCK_AND_READ
325 | CAP_RPC_REMOTE_APIS
326 | CAP_LARGE_READX
327 | CAP_LARGE_WRITEX
328 | CAP_DFS;
329
330 if (smb_cap_passthru)
331 negprot->ni_capabilities |= CAP_INFOLEVEL_PASSTHRU;
332 else
333 cmn_err(CE_NOTE, "smbsrv: cap passthru is %s",
334 (negprot->ni_capabilities & CAP_INFOLEVEL_PASSTHRU) ?
335 "enabled" : "disabled");
336
337 (void) smb_inet_ntop(&sr->session->ipaddr, ipaddr_buf,
338 SMB_IPSTRLEN(sr->session->ipaddr.a_family));
339
340 switch (negprot->ni_dialect) {
341 case PC_NETWORK_PROGRAM_1_0: /* core */
342 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
343 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
344 sizeof (smb_dos_tcp_rcvbuf), CRED());
345 rc = smbsr_encode_result(sr, 1, 0, "bww", 1,
346 negprot->ni_index, 0);
347 break;
348
349 case Windows_for_Workgroups_3_1a:
350 case PCLAN1_0:
351 case MICROSOFT_NETWORKS_1_03:
352 case MICROSOFT_NETWORKS_3_0:
353 case LANMAN1_0:
354 case LM1_2X002:
355 case DOS_LM1_2X002:
356 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
357 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
358 sizeof (smb_dos_tcp_rcvbuf), CRED());
359 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
360 rc = smbsr_encode_result(sr, 13, VAR_BCC,
361 "bwwwwwwlYww2.w#c",
362 13, /* wct */
363 negprot->ni_index, /* dialect index */
364 secmode, /* security mode */
365 SMB_DOS_MAXBUF, /* max buffer size */
366 1, /* max MPX */
367 1, /* max VCs */
368 rawmode, /* read/write raw (s/b 3) */
369 sesskey, /* session key */
370 negprot->ni_servertime.tv_sec, /* server date/time */
371 negprot->ni_tzcorrection,
372 (uint16_t)negprot->ni_keylen, /* encryption key length */
373 /* reserved field handled 2. */
374 VAR_BCC,
375 (int)negprot->ni_keylen,
376 negprot->ni_key); /* encryption key */
377 break;
378
379 case DOS_LANMAN2_1:
380 case LANMAN2_1:
381 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
382 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
383 sizeof (smb_dos_tcp_rcvbuf), CRED());
384 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
385 rc = smbsr_encode_result(sr, 13, VAR_BCC,
386 "bwwwwwwlYww2.w#cs",
387 13, /* wct */
388 negprot->ni_index, /* dialect index */
389 secmode, /* security mode */
390 SMB_DOS_MAXBUF, /* max buffer size */
391 1, /* max MPX */
392 1, /* max VCs */
393 rawmode, /* read/write raw (s/b 3) */
394 sesskey, /* session key */
395 negprot->ni_servertime.tv_sec, /* server date/time */
396 negprot->ni_tzcorrection,
397 (uint16_t)negprot->ni_keylen, /* encryption key length */
398 /* reserved field handled 2. */
399 VAR_BCC,
400 (int)negprot->ni_keylen,
401 negprot->ni_key, /* encryption key */
402 nbdomain);
403 break;
404
405 case NT_LM_0_12:
406 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
407 SO_RCVBUF, (const void *)&smb_nt_tcp_rcvbuf,
408 sizeof (smb_nt_tcp_rcvbuf), CRED());
409
410 /*
411 * Turn off Extended Security Negotiation
412 */
413 sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC;
414
415 /*
416 * Allow SMB signatures if security challenge response enabled
417 */
418 if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) &&
419 sr->sr_cfg->skc_signing_enable) {
420 secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
421 if (sr->sr_cfg->skc_signing_required)
422 secmode |=
423 NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
424
425 sr->session->secmode = secmode;
426 }
427
428 /*
429 * nbdomain is not expected to be aligned.
430 * Use temporary buffer to avoid alignment padding
431 */
432 wclen = smb_wcequiv_strlen(nbdomain) + sizeof (smb_wchar_t);
433 wcbuf = smb_srm_zalloc(sr, wclen);
434 smb_msgbuf_init(&mb, wcbuf, wclen, SMB_MSGBUF_UNICODE);
435 if (smb_msgbuf_encode(&mb, "U", nbdomain) < 0) {
436 smb_msgbuf_term(&mb);
437 smbsr_error(sr, 0, ERRSRV, ERRerror);
438 return (SDRC_ERROR);
439 }
440
441 rc = smbsr_encode_result(sr, 17, VAR_BCC,
442 "bwbwwllllTwbw#c#c",
443 17, /* wct */
444 negprot->ni_index, /* dialect index */
445 secmode, /* security mode */
446 negprot->ni_maxmpxcount, /* max MPX */
447 1, /* max VCs */
448 (DWORD)smb_maxbufsize, /* max buffer size */
449 0xFFFF, /* max raw size */
450 sesskey, /* session key */
451 negprot->ni_capabilities,
452 &negprot->ni_servertime, /* system time */
453 negprot->ni_tzcorrection,
454 negprot->ni_keylen, /* encryption key length */
455 VAR_BCC,
456 (int)negprot->ni_keylen,
457 negprot->ni_key, /* encryption key */
458 wclen,
459 wcbuf); /* nbdomain (unicode) */
460
461 smb_msgbuf_term(&mb);
462 break;
463
464 default:
465 rc = smbsr_encode_result(sr, 1, 0, "bww", 1, -1, 0);
466 return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
467 }
468
469 if (rc != 0)
470 return (SDRC_ERROR);
471
472 /*
473 * Save the agreed dialect. Note that this value is also
474 * used to detect and reject attempts to re-negotiate.
475 */
476 sr->session->dialect = negprot->ni_dialect;
477 sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED;
478 return (SDRC_SUCCESS);
479 }
480
481 static int
smb_xlate_dialect(const char * dialect)482 smb_xlate_dialect(const char *dialect)
483 {
484 const smb_xlate_t *dp;
485 int i;
486
487 for (i = 0; i < sizeof (smb_dialect) / sizeof (smb_dialect[0]); ++i) {
488 dp = &smb_dialect[i];
489
490 if (strcmp(dp->str, dialect) == 0)
491 return (dp->code);
492 }
493
494 return (-1);
495 }
496