1 /* 2 * This file and its contents are supplied under the terms of the 3 * Common Development and Distribution License ("CDDL"), version 1.0. 4 * You may only use this file in accordance with the terms of version 5 * 1.0 of the CDDL. 6 * 7 * A full copy of the text of the CDDL should have accompanied this 8 * source. A copy of the CDDL is also available via the Internet at 9 * http://www.illumos.org/license/CDDL. 10 */ 11 12 /* 13 * Copyright 2019 Nexenta Systems, Inc. All rights reserved. 14 * Copyright 2022 RackTop Systems, Inc. 15 */ 16 17 18 #include <smbsrv/smb2_kproto.h> 19 #include <smbsrv/smb_kstat.h> 20 #include <smbsrv/smb2.h> 21 22 #define SMB2_ASYNCID(sr) (sr->smb2_messageid ^ (1ULL << 62)) 23 24 smb_sdrc_t smb2_invalid_cmd(smb_request_t *); 25 static void smb2_tq_work(void *); 26 static void smb2sr_run_postwork(smb_request_t *); 27 static int smb3_decrypt_msg(smb_request_t *); 28 29 static const smb_disp_entry_t 30 smb2_disp_table[SMB2__NCMDS] = { 31 32 /* text-name, pre, func, post, cmd-code, dialect, flags */ 33 34 { "smb2_negotiate", NULL, 35 smb2_negotiate, NULL, 0, 0, 36 SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID }, 37 38 { "smb2_session_setup", NULL, 39 smb2_session_setup, NULL, 0, 0, 40 SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID }, 41 42 { "smb2_logoff", NULL, 43 smb2_logoff, NULL, 0, 0, 44 SDDF_SUPPRESS_TID }, 45 46 { "smb2_tree_connect", NULL, 47 smb2_tree_connect, NULL, 0, 0, 48 SDDF_SUPPRESS_TID }, 49 50 { "smb2_tree_disconn", NULL, 51 smb2_tree_disconn, NULL, 0, 0 }, 52 53 { "smb2_create", NULL, 54 smb2_create, NULL, 0, 0 }, 55 56 { "smb2_close", NULL, 57 smb2_close, NULL, 0, 0 }, 58 59 { "smb2_flush", NULL, 60 smb2_flush, NULL, 0, 0 }, 61 62 { "smb2_read", NULL, 63 smb2_read, NULL, 0, 0 }, 64 65 { "smb2_write", NULL, 66 smb2_write, NULL, 0, 0 }, 67 68 { "smb2_lock", NULL, 69 smb2_lock, NULL, 0, 0 }, 70 71 { "smb2_ioctl", NULL, 72 smb2_ioctl, NULL, 0, 0 }, 73 74 { "smb2_cancel", NULL, 75 smb2_cancel, NULL, 0, 0, 76 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID }, 77 78 { "smb2_echo", NULL, 79 smb2_echo, NULL, 0, 0, 80 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID }, 81 82 { "smb2_query_dir", NULL, 83 smb2_query_dir, NULL, 0, 0 }, 84 85 { "smb2_change_notify", NULL, 86 smb2_change_notify, NULL, 0, 0 }, 87 88 { "smb2_query_info", NULL, 89 smb2_query_info, NULL, 0, 0 }, 90 91 { "smb2_set_info", NULL, 92 smb2_set_info, NULL, 0, 0 }, 93 94 { "smb2_oplock_break_ack", NULL, 95 smb2_oplock_break_ack, NULL, 0, 0 }, 96 97 { "smb2_invalid_cmd", NULL, 98 smb2_invalid_cmd, NULL, 0, 0, 99 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID }, 100 }; 101 102 smb_sdrc_t 103 smb2_invalid_cmd(smb_request_t *sr) 104 { 105 #ifdef DEBUG 106 cmn_err(CE_NOTE, "clnt %s bad SMB2 cmd code", 107 sr->session->ip_addr_str); 108 #endif 109 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 110 return (SDRC_DROP_VC); 111 } 112 113 /* 114 * This is the SMB2 handler for new smb requests, called from 115 * smb_session_reader after SMB negotiate is done. For most SMB2 116 * requests, we just enqueue them for the smb_session_worker to 117 * execute via the task queue, so they can block for resources 118 * without stopping the reader thread. A few protocol messages 119 * are special cases and are handled directly here in the reader 120 * thread so they don't wait for taskq scheduling. 121 * 122 * This function must either enqueue the new request for 123 * execution via the task queue, or execute it directly 124 * and then free it. If this returns non-zero, the caller 125 * will drop the session. 126 */ 127 int 128 smb2sr_newrq(smb_request_t *sr) 129 { 130 struct mbuf_chain *mbc = &sr->command; 131 uint32_t magic; 132 int rc, skip; 133 134 if (smb_mbc_peek(mbc, 0, "l", &magic) != 0) 135 goto drop; 136 137 /* 0xFD S M B */ 138 if (magic == SMB3_ENCRYPTED_MAGIC) { 139 if (smb3_decrypt_msg(sr) != 0) 140 goto drop; 141 /* 142 * Should now be looking at an un-encrypted 143 * SMB2 message header. 144 */ 145 if (smb_mbc_peek(mbc, 0, "l", &magic) != 0) 146 goto drop; 147 } 148 149 if (magic != SMB2_PROTOCOL_MAGIC) 150 goto drop; 151 152 /* 153 * Walk the SMB2 commands in this compound message and 154 * keep track of the range of message IDs it uses. 155 */ 156 for (;;) { 157 if (smb2_decode_header(sr) != 0) 158 goto drop; 159 160 /* 161 * Cancel requests are special: They refer to 162 * an earlier message ID (or an async. ID), 163 * never a new ID, and are never compounded. 164 * This is intentionally not "goto drop" 165 * because rc may be zero (success). 166 */ 167 if (sr->smb2_cmd_code == SMB2_CANCEL) { 168 rc = smb2_newrq_cancel(sr); 169 smb_request_free(sr); 170 return (rc); 171 } 172 173 /* 174 * Keep track of the total credits in this compound 175 * and the first (real) message ID (not: 0, -1) 176 * While we're looking, verify that all (real) IDs 177 * are (first <= ID < (first + msg_credits)) 178 */ 179 if (sr->smb2_credit_charge == 0) 180 sr->smb2_credit_charge = 1; 181 sr->smb2_total_credits += sr->smb2_credit_charge; 182 183 if (sr->smb2_messageid != 0 && 184 sr->smb2_messageid != UINT64_MAX) { 185 186 if (sr->smb2_first_msgid == 0) 187 sr->smb2_first_msgid = sr->smb2_messageid; 188 189 if (sr->smb2_messageid < sr->smb2_first_msgid || 190 sr->smb2_messageid >= (sr->smb2_first_msgid + 191 sr->smb2_total_credits)) { 192 long long id = (long long) sr->smb2_messageid; 193 cmn_err(CE_WARN, "clnt %s msg ID 0x%llx " 194 "out of sequence in compound", 195 sr->session->ip_addr_str, id); 196 } 197 } 198 199 /* Normal loop exit on next == zero */ 200 if (sr->smb2_next_command == 0) 201 break; 202 203 /* Abundance of caution... */ 204 if (sr->smb2_next_command < SMB2_HDR_SIZE) 205 goto drop; 206 207 /* Advance to the next header. */ 208 skip = sr->smb2_next_command - SMB2_HDR_SIZE; 209 if (MBC_ROOM_FOR(mbc, skip) == 0) 210 goto drop; 211 mbc->chain_offset += skip; 212 } 213 /* Rewind back to the top. */ 214 mbc->chain_offset = 0; 215 216 /* 217 * Submit the request to the task queue, which calls 218 * smb2_tq_work when the workload permits. 219 */ 220 sr->sr_time_submitted = gethrtime(); 221 sr->sr_state = SMB_REQ_STATE_SUBMITTED; 222 smb_srqueue_waitq_enter(sr->session->s_srqueue); 223 (void) taskq_dispatch(sr->sr_server->sv_worker_pool, 224 smb2_tq_work, sr, TQ_SLEEP); 225 return (0); 226 227 drop: 228 smb_request_free(sr); 229 return (-1); 230 } 231 232 static void 233 smb2_tq_work(void *arg) 234 { 235 smb_request_t *sr; 236 smb_srqueue_t *srq; 237 238 sr = (smb_request_t *)arg; 239 SMB_REQ_VALID(sr); 240 241 srq = sr->session->s_srqueue; 242 smb_srqueue_waitq_to_runq(srq); 243 sr->sr_worker = curthread; 244 sr->sr_time_active = gethrtime(); 245 246 /* 247 * Always dispatch to the work function, because cancelled 248 * requests need an error reply (NT_STATUS_CANCELLED). 249 */ 250 mutex_enter(&sr->sr_mutex); 251 if (sr->sr_state == SMB_REQ_STATE_SUBMITTED) 252 sr->sr_state = SMB_REQ_STATE_ACTIVE; 253 mutex_exit(&sr->sr_mutex); 254 255 smb2sr_work(sr); 256 257 smb_srqueue_runq_exit(srq); 258 } 259 260 /* 261 * Any non-zero return code and we'll drop the connection. 262 * Other than that, return codes are just informative eg. 263 * when looking at dtrace logs, which return did we take? 264 */ 265 static int 266 smb3_decrypt_msg(smb_request_t *sr) 267 { 268 int save_offset; 269 270 if (sr->session->dialect < SMB_VERS_3_0) { 271 /* Encrypted message in SMB 2.x */ 272 return (-1); 273 } 274 if ((sr->session->srv_cap & SMB2_CAP_ENCRYPTION) == 0) { 275 /* Should have srv_cap SMB2_CAP_ENCRYPTION flag set! */ 276 return (-2); 277 } 278 279 sr->encrypted = B_TRUE; 280 save_offset = sr->command.chain_offset; 281 if (smb3_decode_tform_header(sr) != 0) { 282 /* Bad transform header */ 283 return (-3); 284 } 285 sr->command.chain_offset = save_offset; 286 287 sr->tform_ssn = smb_session_lookup_ssnid(sr->session, 288 sr->smb3_tform_ssnid); 289 if (sr->tform_ssn == NULL) { 290 /* Session not found */ 291 return (-4); 292 } 293 294 if (smb3_decrypt_sr(sr) != 0) { 295 /* Decryption failed */ 296 return (-5); 297 } 298 299 return (0); 300 } 301 302 /* 303 * SMB2 credits determine how many simultaneous commands the 304 * client may issue, and bounds the range of message IDs those 305 * commands may use. With multi-credit support, commands may 306 * use ranges of message IDs, where the credits used by each 307 * command are proportional to their data transfer size. 308 * 309 * Every command may request an increase or decrease of 310 * the currently granted credits, based on the difference 311 * between the credit request and the credit charge. 312 * [MS-SMB2] 3.3.1.2 Algorithm for the Granting of Credits 313 * 314 * Most commands have credit_request=1, credit_charge=1, 315 * which keeps the credit grant unchanged. 316 * 317 * All we're really doing here (for now) is reducing the 318 * credit_response if the client requests a credit increase 319 * that would take their credit over the maximum, and 320 * limiting the decrease so they don't run out of credits. 321 * 322 * Later, this could do something dynamic based on load. 323 * 324 * One other non-obvious bit about credits: We keep the 325 * session s_max_credits low until the 1st authentication, 326 * at which point we'll set the normal maximum_credits. 327 * Some clients ask for more credits with session setup, 328 * and we need to handle that requested increase _after_ 329 * the command-specific handler returns so it won't be 330 * restricted to the lower (pre-auth) limit. 331 */ 332 static inline void 333 smb2_credit_decrease(smb_request_t *sr) 334 { 335 smb_session_t *session = sr->session; 336 uint16_t cur, d; 337 338 ASSERT3U(sr->smb2_credit_request, <, sr->smb2_credit_charge); 339 340 mutex_enter(&session->s_credits_mutex); 341 cur = session->s_cur_credits; 342 ASSERT(cur > 0); 343 344 /* Handle credit decrease. */ 345 d = sr->smb2_credit_charge - sr->smb2_credit_request; 346 347 /* 348 * Prevent underflow of current credits, and 349 * enforce a minimum of one credit, per: 350 * [MS-SMB2] 3.3.1.2 351 */ 352 if (d >= cur) { 353 /* 354 * Tried to give up more credits than we should. 355 * Reduce the decrement. 356 */ 357 d = cur - 1; 358 cur = 1; 359 DTRACE_PROBE1(smb2__credit__neg, smb_request_t *, sr); 360 } else { 361 cur -= d; 362 } 363 364 ASSERT3U(d, <=, sr->smb2_credit_charge); 365 sr->smb2_credit_response = sr->smb2_credit_charge - d; 366 367 DTRACE_PROBE3(smb2__credit__decrease, 368 smb_request_t *, sr, int, (int)cur, 369 int, (int)session->s_cur_credits); 370 371 session->s_cur_credits = cur; 372 mutex_exit(&session->s_credits_mutex); 373 } 374 375 /* 376 * Second half of SMB2 credit handling (increases) 377 */ 378 static inline void 379 smb2_credit_increase(smb_request_t *sr) 380 { 381 smb_session_t *session = sr->session; 382 uint16_t cur, d; 383 384 ASSERT3U(sr->smb2_credit_request, >, sr->smb2_credit_charge); 385 386 mutex_enter(&session->s_credits_mutex); 387 cur = session->s_cur_credits; 388 389 /* Handle credit increase. */ 390 d = sr->smb2_credit_request - sr->smb2_credit_charge; 391 392 /* 393 * If new credits would be above max, 394 * reduce the credit grant. 395 */ 396 if (d > (session->s_max_credits - cur)) { 397 d = session->s_max_credits - cur; 398 cur = session->s_max_credits; 399 DTRACE_PROBE1(smb2__credit__max, smb_request_t *, sr); 400 } else { 401 cur += d; 402 } 403 sr->smb2_credit_response = sr->smb2_credit_charge + d; 404 405 DTRACE_PROBE3(smb2__credit__increase, 406 smb_request_t *, sr, int, (int)cur, 407 int, (int)session->s_cur_credits); 408 409 session->s_cur_credits = cur; 410 mutex_exit(&session->s_credits_mutex); 411 } 412 413 /* 414 * Record some statistics: latency, rx bytes, tx bytes 415 * per: server, session & kshare. 416 */ 417 static inline void 418 smb2_record_stats(smb_request_t *sr, smb_disp_stats_t *sds, boolean_t tx_only) 419 { 420 hrtime_t dt; 421 int64_t rxb; 422 int64_t txb; 423 424 dt = gethrtime() - sr->sr_time_start; 425 rxb = (int64_t)(sr->command.chain_offset - sr->smb2_cmd_hdr); 426 txb = (int64_t)(sr->reply.chain_offset - sr->smb2_reply_hdr); 427 428 if (!tx_only) { 429 smb_server_inc_req(sr->sr_server); 430 smb_latency_add_sample(&sds->sdt_lat, dt); 431 atomic_add_64(&sds->sdt_rxb, rxb); 432 } 433 atomic_add_64(&sds->sdt_txb, txb); 434 } 435 436 /* 437 * smb2sr_work 438 * 439 * This function processes each SMB command in the current request 440 * (which may be a compound request) building a reply containing 441 * SMB reply messages, one-to-one with the SMB commands. Some SMB 442 * commands (change notify, blocking locks) may require both an 443 * "interim response" and a later "async response" at completion. 444 * In such cases, we'll encode the interim response in the reply 445 * compound we're building, and put the (now async) command on a 446 * list of commands that need further processing. After we've 447 * finished processing the commands in this compound and building 448 * the compound reply, we'll send the compound reply, and finally 449 * process the list of async commands. 450 * 451 * As we work our way through the compound request and reply, 452 * we need to keep track of the bounds of the current request 453 * and reply. For the request, this uses an MBC_SHADOW_CHAIN 454 * that begins at smb2_cmd_hdr. The reply is appended to the 455 * sr->reply chain starting at smb2_reply_hdr. 456 * 457 * This function must always free the smb request, or arrange 458 * for it to be completed and free'd later (if SDRC_SR_KEPT). 459 */ 460 void 461 smb2sr_work(struct smb_request *sr) 462 { 463 const smb_disp_entry_t *sdd; 464 smb_disp_stats_t *sds; 465 smb_session_t *session; 466 uint32_t msg_len; 467 uint16_t cmd_idx; 468 int rc = 0; 469 boolean_t disconnect = B_FALSE; 470 boolean_t related; 471 472 session = sr->session; 473 474 ASSERT(sr->smb2_async == B_FALSE); 475 ASSERT(sr->tid_tree == 0); 476 ASSERT(sr->uid_user == 0); 477 ASSERT(sr->fid_ofile == 0); 478 sr->smb_fid = (uint16_t)-1; 479 sr->smb2_status = 0; 480 481 /* temporary until we identify a user */ 482 sr->user_cr = zone_kcred(); 483 484 cmd_start: 485 /* 486 * Note that we don't check sr_state here and abort the 487 * compound if cancelled (etc.) because some SMB2 command 488 * handlers need to do work even when cancelled. 489 * 490 * We treat some status codes as if "sticky", meaning 491 * once they're set after some command handler returns, 492 * all remaining commands get this status without even 493 * calling the command-specific handler. 494 */ 495 if (sr->smb2_status != NT_STATUS_CANCELLED && 496 sr->smb2_status != NT_STATUS_INSUFFICIENT_RESOURCES) 497 sr->smb2_status = 0; 498 499 /* 500 * Decode the request header 501 * 502 * Most problems with decoding will result in the error 503 * STATUS_INVALID_PARAMETER. If the decoding problem 504 * prevents continuing, we'll close the connection. 505 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted... 506 */ 507 sr->smb2_cmd_hdr = sr->command.chain_offset; 508 if ((rc = smb2_decode_header(sr)) != 0) { 509 cmn_err(CE_WARN, "clnt %s bad SMB2 header", 510 session->ip_addr_str); 511 disconnect = B_TRUE; 512 goto cleanup; 513 } 514 515 /* 516 * The SMB2_FLAGS_SERVER_TO_REDIR should only appear 517 * in messages from the server back to the client. 518 */ 519 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR) != 0) { 520 cmn_err(CE_WARN, "clnt %s bad SMB2 flags", 521 session->ip_addr_str); 522 disconnect = B_TRUE; 523 goto cleanup; 524 } 525 related = (sr->smb2_hdr_flags & SMB2_FLAGS_RELATED_OPERATIONS); 526 sr->smb2_hdr_flags |= SMB2_FLAGS_SERVER_TO_REDIR; 527 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) { 528 /* Probably an async cancel. */ 529 DTRACE_PROBE1(smb2__dispatch__async, smb_request_t *, sr); 530 } else if (sr->smb2_async) { 531 /* Previous command in compound went async. */ 532 sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND; 533 sr->smb2_async_id = SMB2_ASYNCID(sr); 534 } 535 536 /* 537 * In case we bail out with an error before we get to the 538 * section that computes the credit grant, initialize the 539 * response header fields so that credits won't change. 540 * Note: SMB 2.02 clients may send credit charge zero. 541 */ 542 if (sr->smb2_credit_charge == 0) 543 sr->smb2_credit_charge = 1; 544 sr->smb2_credit_response = sr->smb2_credit_charge; 545 546 /* 547 * Write a tentative reply header. 548 * 549 * We could just leave this blank, but if we're using the 550 * mdb module feature that extracts packets, it's useful 551 * to have the header mostly correct here. 552 * 553 * If we have already exhausted the output space, then the 554 * client is trying something funny. Log it and kill 'em. 555 */ 556 sr->smb2_next_reply = 0; 557 ASSERT((sr->reply.chain_offset & 7) == 0); 558 sr->smb2_reply_hdr = sr->reply.chain_offset; 559 if ((rc = smb2_encode_header(sr, B_FALSE)) != 0) { 560 cmn_err(CE_WARN, "clnt %s excessive reply", 561 session->ip_addr_str); 562 disconnect = B_TRUE; 563 goto cleanup; 564 } 565 566 /* 567 * Figure out the length of data following the SMB2 header. 568 * It ends at either the next SMB2 header if there is one 569 * (smb2_next_command != 0) or at the end of the message. 570 */ 571 if (sr->smb2_next_command != 0) { 572 /* [MS-SMB2] says this is 8-byte aligned */ 573 msg_len = sr->smb2_next_command; 574 if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) || 575 ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) { 576 cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd", 577 session->ip_addr_str); 578 disconnect = B_TRUE; 579 goto cleanup; 580 } 581 } else { 582 msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr; 583 } 584 585 /* 586 * Setup a shadow chain for this SMB2 command, starting 587 * with the header and ending at either the next command 588 * or the end of the message. The signing check below 589 * needs the entire SMB2 command. After that's done, we 590 * advance chain_offset to the end of the header where 591 * the command specific handlers continue decoding. 592 */ 593 (void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command, 594 sr->smb2_cmd_hdr, msg_len); 595 596 /* 597 * We will consume the data for this request from smb_data. 598 * That effectively consumes msg_len bytes from sr->command 599 * but doesn't update its chain_offset, so we need to update 600 * that here to make later received bytes accounting work. 601 */ 602 sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len; 603 ASSERT(sr->command.chain_offset <= sr->command.max_bytes); 604 605 /* 606 * Validate the commmand code, get dispatch table entries. 607 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted... 608 * 609 * The last slot in the dispatch table is used to handle 610 * invalid commands. Same for statistics. 611 */ 612 if (sr->smb2_cmd_code < SMB2_INVALID_CMD) 613 cmd_idx = sr->smb2_cmd_code; 614 else 615 cmd_idx = SMB2_INVALID_CMD; 616 sdd = &smb2_disp_table[cmd_idx]; 617 sds = &session->s_server->sv_disp_stats2[cmd_idx]; 618 619 /* 620 * If this command is NOT "related" to the previous, 621 * clear out the UID, TID, FID state that might be 622 * left over from the previous command. 623 * 624 * If the command IS related, any new IDs are ignored, 625 * and we simply continue with the previous user, tree, 626 * and open file. 627 */ 628 if (!related) { 629 /* 630 * Drop user, tree, file; carefully ordered to 631 * avoid dangling references: file, tree, user 632 */ 633 if (sr->fid_ofile != NULL) { 634 smb_ofile_release(sr->fid_ofile); 635 sr->fid_ofile = NULL; 636 } 637 if (sr->tid_tree != NULL) { 638 smb_tree_release(sr->tid_tree); 639 sr->tid_tree = NULL; 640 } 641 if (sr->uid_user != NULL) { 642 smb_user_release(sr->uid_user); 643 sr->uid_user = NULL; 644 sr->user_cr = zone_kcred(); 645 } 646 } 647 648 /* 649 * Make sure we have a user and tree as needed 650 * according to the flags for the this command. 651 * Note that we may have inherited these. 652 */ 653 if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0) { 654 /* 655 * This command requires a user session. 656 */ 657 if (related) { 658 /* 659 * Previous command should have given us a user. 660 * [MS-SMB2] 3.3.5.2 Handling Related Requests 661 */ 662 if (sr->uid_user == NULL) { 663 smb2sr_put_error(sr, 664 NT_STATUS_INVALID_PARAMETER); 665 goto cmd_done; 666 } 667 sr->smb2_ssnid = sr->uid_user->u_ssnid; 668 } else { 669 /* 670 * Lookup the UID 671 * [MS-SMB2] 3.3.5.2 Verifying the Session 672 */ 673 ASSERT(sr->uid_user == NULL); 674 /* 675 * [MS-SMB2] 3.3.5.2.7 Handling Compounded Requests 676 * 677 * If this is an encrypted compound request, 678 * ensure that the ssnid in the request 679 * is the same as the tform ssnid if this 680 * message is not related. 681 * 682 * The reasons this is done seem to apply equally 683 * to uncompounded requests, so we apply it to all. 684 */ 685 686 if (sr->encrypted && 687 sr->smb2_ssnid != sr->smb3_tform_ssnid) { 688 disconnect = B_TRUE; 689 goto cleanup; /* just do this for now */ 690 } 691 692 sr->uid_user = smb_session_lookup_ssnid(session, 693 sr->smb2_ssnid); 694 if (sr->uid_user == NULL) { 695 smb2sr_put_error(sr, 696 NT_STATUS_USER_SESSION_DELETED); 697 goto cmd_done; 698 } 699 700 /* 701 * [MS-SMB2] 3.3.5.2.9 Verifying the Session 702 * 703 * If we're talking 3.x, 704 * RejectUnencryptedAccess is TRUE, 705 * Session.EncryptData is TRUE, 706 * and the message wasn't encrypted, 707 * return ACCESS_DENIED. 708 * 709 * Note that Session.EncryptData can only be TRUE when 710 * we're talking 3.x. 711 */ 712 if (sr->uid_user->u_encrypt == SMB_CONFIG_REQUIRED && 713 !sr->encrypted) { 714 smb2sr_put_error(sr, 715 NT_STATUS_ACCESS_DENIED); 716 goto cmd_done; 717 } 718 719 sr->user_cr = smb_user_getcred(sr->uid_user); 720 } 721 ASSERT(sr->uid_user != NULL); 722 723 /* 724 * Encrypt if: 725 * - The cmd is not SESSION_SETUP or NEGOTIATE; AND 726 * - Session.EncryptData is TRUE 727 * 728 * Those commands suppress UID, so they can't be the cmd here. 729 */ 730 if (sr->uid_user->u_encrypt != SMB_CONFIG_DISABLED && 731 sr->tform_ssn == NULL) { 732 smb_user_hold_internal(sr->uid_user); 733 sr->tform_ssn = sr->uid_user; 734 sr->smb3_tform_ssnid = sr->smb2_ssnid; 735 } 736 } 737 738 if ((sdd->sdt_flags & SDDF_SUPPRESS_TID) == 0) { 739 /* 740 * This command requires a tree connection. 741 */ 742 if (related) { 743 /* 744 * Previous command should have given us a tree. 745 * [MS-SMB2] 3.3.5.2 Handling Related Requests 746 */ 747 if (sr->tid_tree == NULL) { 748 smb2sr_put_error(sr, 749 NT_STATUS_INVALID_PARAMETER); 750 goto cmd_done; 751 } 752 sr->smb_tid = sr->tid_tree->t_tid; 753 } else { 754 /* 755 * Lookup the TID 756 * [MS-SMB2] 3.3.5.2 Verifying the Tree Connect 757 */ 758 ASSERT(sr->tid_tree == NULL); 759 sr->tid_tree = smb_session_lookup_tree(session, 760 sr->smb_tid); 761 if (sr->tid_tree == NULL) { 762 smb2sr_put_error(sr, 763 NT_STATUS_NETWORK_NAME_DELETED); 764 goto cmd_done; 765 } 766 767 /* 768 * [MS-SMB2] 3.3.5.2.11 Verifying the Tree Connect 769 * 770 * If we support 3.x, RejectUnencryptedAccess is TRUE, 771 * if Tcon.EncryptData is TRUE or 772 * global EncryptData is TRUE and 773 * the message wasn't encrypted, or 774 * if Tcon.EncryptData is TRUE or 775 * global EncryptData is TRUE or 776 * the request was encrypted and 777 * the connection doesn't support encryption, 778 * return ACCESS_DENIED. 779 * 780 * If RejectUnencryptedAccess is TRUE, we force 781 * max_protocol to at least 3.0. Additionally, 782 * if the tree requires encryption, we don't care 783 * what we support, we still enforce encryption. 784 */ 785 if (sr->tid_tree->t_encrypt == SMB_CONFIG_REQUIRED && 786 (!sr->encrypted || 787 (session->srv_cap & SMB2_CAP_ENCRYPTION) == 0)) { 788 smb2sr_put_error(sr, 789 NT_STATUS_ACCESS_DENIED); 790 goto cmd_done; 791 } 792 } 793 ASSERT(sr->tid_tree != NULL); 794 795 /* 796 * Encrypt if: 797 * - The cmd is not TREE_CONNECT; AND 798 * - Tree.EncryptData is TRUE 799 * 800 * TREE_CONNECT suppresses TID, so that can't be the cmd here. 801 * NOTE: assumes we can't have a tree without a user 802 */ 803 if (sr->tid_tree->t_encrypt != SMB_CONFIG_DISABLED && 804 sr->tform_ssn == NULL) { 805 smb_user_hold_internal(sr->uid_user); 806 sr->tform_ssn = sr->uid_user; 807 sr->smb3_tform_ssnid = sr->smb2_ssnid; 808 } 809 } 810 811 /* 812 * SMB2 signature verification, two parts: 813 * (a) Require SMB2_FLAGS_SIGNED (for most request types) 814 * (b) If SMB2_FLAGS_SIGNED is set, check the signature. 815 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature 816 */ 817 818 /* 819 * No user session means no signature check. That's OK, 820 * i.e. for commands marked SDDF_SUPPRESS_UID above. 821 * Note, this also means we won't sign the reply. 822 */ 823 if (sr->uid_user == NULL) 824 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED; 825 826 /* 827 * The SDDF_SUPPRESS_UID dispatch is set for requests that 828 * don't need a UID (user). These also don't require a 829 * signature check here. 830 * 831 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature 832 * 833 * If the packet was successfully decrypted, the message 834 * signature has already been verified, so we can skip this. 835 */ 836 if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0 && 837 !sr->encrypted && sr->uid_user != NULL && 838 (sr->uid_user->u_sign_flags & SMB_SIGNING_ENABLED) != 0) { 839 /* 840 * If the request is signed, check the signature. 841 * Otherwise, if signing is required, deny access. 842 */ 843 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) { 844 if (smb2_sign_check_request(sr) != 0) { 845 smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED); 846 DTRACE_PROBE1(smb2__sign__check, 847 smb_request_t *, sr); 848 goto cmd_done; 849 } 850 } else if ( 851 (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) { 852 smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED); 853 goto cmd_done; 854 } 855 } 856 857 /* 858 * Now that the signing check is done with smb_data, 859 * advance past the SMB2 header we decoded earlier. 860 * This leaves sr->smb_data correctly positioned 861 * for command-specific decoding in the dispatch 862 * function called next. 863 */ 864 sr->smb_data.chain_offset = sr->smb2_cmd_hdr + SMB2_HDR_SIZE; 865 866 /* 867 * Credit adjustments (decrease) 868 * 869 * If we've gone async, credit adjustments were done 870 * when we sent the interim reply. 871 */ 872 if (!sr->smb2_async) { 873 if (sr->smb2_credit_request < sr->smb2_credit_charge) { 874 smb2_credit_decrease(sr); 875 } 876 } 877 878 /* 879 * The real work: call the SMB2 command handler 880 * (except for "sticky" smb2_status - see above) 881 */ 882 sr->sr_time_start = gethrtime(); 883 rc = SDRC_SUCCESS; 884 if (sr->smb2_status == 0) { 885 /* NB: not using pre_op */ 886 rc = (*sdd->sdt_function)(sr); 887 /* NB: not using post_op */ 888 } else { 889 smb2sr_put_error(sr, sr->smb2_status); 890 } 891 892 /* 893 * When the sdt_function returns SDRC_SR_KEPT, it means 894 * this SR may have been passed to another thread so we 895 * MUST NOT touch it anymore. 896 */ 897 if (rc == SDRC_SR_KEPT) 898 return; 899 900 MBC_FLUSH(&sr->raw_data); 901 902 /* 903 * Credit adjustments (increase) 904 */ 905 if (!sr->smb2_async) { 906 if (sr->smb2_credit_request > sr->smb2_credit_charge) { 907 smb2_credit_increase(sr); 908 } 909 } 910 911 cmd_done: 912 switch (rc) { 913 case SDRC_SUCCESS: 914 break; 915 default: 916 /* 917 * SMB2 does not use the other dispatch return codes. 918 * If we see something else, log an event so we'll 919 * know something is returning bogus status codes. 920 * If you see these in the log, use dtrace to find 921 * the code returning something else. 922 */ 923 #ifdef DEBUG 924 cmn_err(CE_NOTE, "handler for %u returned 0x%x", 925 sr->smb2_cmd_code, rc); 926 #endif 927 smb2sr_put_error(sr, NT_STATUS_INTERNAL_ERROR); 928 break; 929 case SDRC_ERROR: 930 /* 931 * Many command handlers return SDRC_ERROR for any 932 * problems decoding the request, and don't bother 933 * setting smb2_status. For those cases, the best 934 * status return would be "invalid parameter". 935 */ 936 if (sr->smb2_status == 0) 937 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 938 smb2sr_put_error(sr, sr->smb2_status); 939 break; 940 case SDRC_DROP_VC: 941 disconnect = B_TRUE; 942 goto cleanup; 943 944 case SDRC_NO_REPLY: 945 /* will free sr */ 946 goto cleanup; 947 } 948 949 /* 950 * Pad the reply to align(8) if there will be another. 951 * (We don't compound async replies.) 952 */ 953 if (!sr->smb2_async && sr->smb2_next_command != 0) 954 (void) smb_mbc_put_align(&sr->reply, 8); 955 956 /* 957 * Record some statistics. Uses: 958 * rxb = command.chain_offset - smb2_cmd_hdr; 959 * txb = reply.chain_offset - smb2_reply_hdr; 960 * which at this point represent the current cmd/reply. 961 * 962 * Note: If async, this does txb only, and 963 * skips the smb_latency_add_sample() calls. 964 */ 965 smb2_record_stats(sr, sds, sr->smb2_async); 966 967 /* 968 * If there's a next command, figure out where it starts, 969 * and fill in the next header offset for the reply. 970 * Note: We sanity checked smb2_next_command above. 971 */ 972 if (sr->smb2_next_command != 0) { 973 sr->command.chain_offset = 974 sr->smb2_cmd_hdr + sr->smb2_next_command; 975 sr->smb2_next_reply = 976 sr->reply.chain_offset - sr->smb2_reply_hdr; 977 } else { 978 ASSERT(sr->smb2_next_reply == 0); 979 } 980 981 /* 982 * Overwrite the (now final) SMB2 header for this response. 983 */ 984 (void) smb2_encode_header(sr, B_TRUE); 985 986 /* 987 * Cannot move this into smb2_session_setup() - encoded header required. 988 */ 989 if (session->dialect >= SMB_VERS_3_11 && 990 sr->smb2_cmd_code == SMB2_SESSION_SETUP && 991 sr->smb2_status == NT_STATUS_MORE_PROCESSING_REQUIRED) { 992 if (smb31_preauth_sha512_calc(sr, &sr->reply, 993 sr->uid_user->u_preauth_hashval, 994 sr->uid_user->u_preauth_hashval) != 0) 995 cmn_err(CE_WARN, "(3) Preauth hash calculation " 996 "failed"); 997 } 998 999 /* Don't sign if we're going to encrypt */ 1000 if (sr->tform_ssn == NULL && 1001 (sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) 1002 smb2_sign_reply(sr); 1003 1004 /* 1005 * Non-async runs the whole compound before send. 1006 * When we've gone async, send each individually. 1007 */ 1008 if (!sr->smb2_async && sr->smb2_next_command != 0) 1009 goto cmd_start; 1010 1011 /* 1012 * If we have a durable handle, and this operation updated 1013 * the nvlist, write it out (before smb2_send_reply). 1014 */ 1015 if (sr->dh_nvl_dirty) { 1016 sr->dh_nvl_dirty = B_FALSE; 1017 smb2_dh_update_nvfile(sr); 1018 } 1019 1020 smb2_send_reply(sr); 1021 if (sr->smb2_async && sr->smb2_next_command != 0) { 1022 MBC_FLUSH(&sr->reply); /* New reply buffer. */ 1023 ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes); 1024 goto cmd_start; 1025 } 1026 1027 cleanup: 1028 if (disconnect) 1029 smb_session_disconnect(session); 1030 1031 /* 1032 * Do "postwork" for oplock (and maybe other things) 1033 */ 1034 if (sr->sr_postwork != NULL) 1035 smb2sr_run_postwork(sr); 1036 1037 mutex_enter(&sr->sr_mutex); 1038 sr->sr_state = SMB_REQ_STATE_COMPLETED; 1039 mutex_exit(&sr->sr_mutex); 1040 1041 smb_request_free(sr); 1042 } 1043 1044 /* 1045 * Build interim responses for the current and all following 1046 * requests in this compound, then send the compound response, 1047 * leaving the SR state so that smb2sr_work() can continue its 1048 * processing of this compound in "async mode". 1049 * 1050 * If we agree to "go async", this should return STATUS_SUCCESS. 1051 * Otherwise return STATUS_INSUFFICIENT_RESOURCES for this and 1052 * all requests following this request. (See the comments re. 1053 * "sticky" smb2_status values in smb2sr_work). 1054 * 1055 * Note: the Async ID we assign here is arbitrary, and need only 1056 * be unique among pending async responses on this connection, so 1057 * this just uses a modified messageID, which is already unique. 1058 * 1059 * Credits: All credit changes should happen via the interim 1060 * responses, so we have to manage credits here. After this 1061 * returns to smb2sr_work, the final replies for all these 1062 * commands will have smb2_credit_response = smb2_credit_charge 1063 * (meaning no further changes to the clients' credits). 1064 */ 1065 uint32_t 1066 smb2sr_go_async(smb_request_t *sr) 1067 { 1068 smb_session_t *session; 1069 smb_disp_stats_t *sds; 1070 uint16_t cmd_idx; 1071 int32_t saved_com_offset; 1072 uint32_t saved_cmd_hdr; 1073 uint16_t saved_cred_resp; 1074 uint32_t saved_hdr_flags; 1075 uint32_t saved_reply_hdr; 1076 uint32_t msg_len; 1077 boolean_t disconnect = B_FALSE; 1078 1079 if (sr->smb2_async) { 1080 /* already went async in some previous cmd. */ 1081 return (NT_STATUS_SUCCESS); 1082 } 1083 sr->smb2_async = B_TRUE; 1084 1085 /* The "server" session always runs async. */ 1086 session = sr->session; 1087 if (session->sock == NULL) 1088 return (NT_STATUS_SUCCESS); 1089 1090 sds = NULL; 1091 saved_com_offset = sr->command.chain_offset; 1092 saved_cmd_hdr = sr->smb2_cmd_hdr; 1093 saved_cred_resp = sr->smb2_credit_response; 1094 saved_hdr_flags = sr->smb2_hdr_flags; 1095 saved_reply_hdr = sr->smb2_reply_hdr; 1096 1097 /* 1098 * The command-specific handler should not yet have put any 1099 * data in the reply except for the (place holder) header. 1100 */ 1101 if (sr->reply.chain_offset != sr->smb2_reply_hdr + SMB2_HDR_SIZE) { 1102 ASSERT3U(sr->reply.chain_offset, ==, 1103 sr->smb2_reply_hdr + SMB2_HDR_SIZE); 1104 return (NT_STATUS_INTERNAL_ERROR); 1105 } 1106 1107 /* 1108 * Rewind to the start of the current header in both the 1109 * command and reply bufers, so the loop below can just 1110 * decode/encode just in every pass. This means the 1111 * current command header is decoded again, but that 1112 * avoids having to special-case the first loop pass. 1113 */ 1114 sr->command.chain_offset = sr->smb2_cmd_hdr; 1115 sr->reply.chain_offset = sr->smb2_reply_hdr; 1116 1117 /* 1118 * This command processing loop is a simplified version of 1119 * smb2sr_work() that just puts an "interim response" for 1120 * every command in the compound (NT_STATUS_PENDING). 1121 */ 1122 cmd_start: 1123 sr->smb2_status = NT_STATUS_PENDING; 1124 1125 /* 1126 * Decode the request header 1127 */ 1128 sr->smb2_cmd_hdr = sr->command.chain_offset; 1129 if ((smb2_decode_header(sr)) != 0) { 1130 cmn_err(CE_WARN, "clnt %s bad SMB2 header", 1131 session->ip_addr_str); 1132 disconnect = B_TRUE; 1133 goto cleanup; 1134 } 1135 sr->smb2_hdr_flags |= (SMB2_FLAGS_SERVER_TO_REDIR | 1136 SMB2_FLAGS_ASYNC_COMMAND); 1137 sr->smb2_async_id = SMB2_ASYNCID(sr); 1138 1139 /* 1140 * In case we bail out... 1141 */ 1142 if (sr->smb2_credit_charge == 0) 1143 sr->smb2_credit_charge = 1; 1144 sr->smb2_credit_response = sr->smb2_credit_charge; 1145 1146 /* 1147 * Write a tentative reply header. 1148 */ 1149 sr->smb2_next_reply = 0; 1150 ASSERT((sr->reply.chain_offset & 7) == 0); 1151 sr->smb2_reply_hdr = sr->reply.chain_offset; 1152 if ((smb2_encode_header(sr, B_FALSE)) != 0) { 1153 cmn_err(CE_WARN, "clnt %s excessive reply", 1154 session->ip_addr_str); 1155 disconnect = B_TRUE; 1156 goto cleanup; 1157 } 1158 1159 /* 1160 * Figure out the length of data... 1161 */ 1162 if (sr->smb2_next_command != 0) { 1163 /* [MS-SMB2] says this is 8-byte aligned */ 1164 msg_len = sr->smb2_next_command; 1165 if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) || 1166 ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) { 1167 cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd", 1168 session->ip_addr_str); 1169 disconnect = B_TRUE; 1170 goto cleanup; 1171 } 1172 } else { 1173 msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr; 1174 } 1175 1176 /* 1177 * We just skip any data, so no shadow chain etc. 1178 */ 1179 sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len; 1180 ASSERT(sr->command.chain_offset <= sr->command.max_bytes); 1181 1182 /* 1183 * Validate the commmand code... 1184 */ 1185 if (sr->smb2_cmd_code < SMB2_INVALID_CMD) 1186 cmd_idx = sr->smb2_cmd_code; 1187 else 1188 cmd_idx = SMB2_INVALID_CMD; 1189 sds = &session->s_server->sv_disp_stats2[cmd_idx]; 1190 1191 /* 1192 * Don't change (user, tree, file) because we want them 1193 * exactly as they were when we entered. That also means 1194 * we may not have the right user in sr->uid_user for 1195 * signature checks, so leave that until smb2sr_work 1196 * runs these commands "for real". Therefore, here 1197 * we behave as if: (sr->uid_user == NULL) 1198 */ 1199 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED; 1200 1201 /* 1202 * Credit adjustments (decrease) 1203 * 1204 * NOTE: interim responses are not signed. 1205 * Any attacker can modify the credit grant 1206 * in the response. Because of this property, 1207 * it is no worse to assume the credit charge and grant 1208 * are sane without verifying the signature, 1209 * and that saves us a whole lot of work. 1210 * If the credits WERE modified, we'll find out 1211 * when we verify the signature later, 1212 * which nullifies any changes caused here. 1213 * 1214 * Skip this on the first command, because the 1215 * credit decrease was done by the caller. 1216 */ 1217 if (sr->smb2_cmd_hdr != saved_cmd_hdr) { 1218 if (sr->smb2_credit_request < sr->smb2_credit_charge) { 1219 smb2_credit_decrease(sr); 1220 } 1221 } 1222 1223 /* 1224 * The real work: ... (would be here) 1225 */ 1226 smb2sr_put_error(sr, sr->smb2_status); 1227 1228 /* 1229 * Credit adjustments (increase) 1230 */ 1231 if (sr->smb2_credit_request > sr->smb2_credit_charge) { 1232 smb2_credit_increase(sr); 1233 } 1234 1235 /* cmd_done: label */ 1236 1237 /* 1238 * Pad the reply to align(8) if there will be another. 1239 * This (interim) reply uses compounding. 1240 */ 1241 if (sr->smb2_next_command != 0) 1242 (void) smb_mbc_put_align(&sr->reply, 8); 1243 1244 /* 1245 * Record some statistics. Uses: 1246 * rxb = command.chain_offset - smb2_cmd_hdr; 1247 * txb = reply.chain_offset - smb2_reply_hdr; 1248 * which at this point represent the current cmd/reply. 1249 * 1250 * Note: We're doing smb_latency_add_sample() for all 1251 * remaining commands NOW, which means we won't include 1252 * the async part of their work in latency statistics. 1253 * That's intentional, as the async part of a command 1254 * would otherwise skew our latency statistics. 1255 */ 1256 smb2_record_stats(sr, sds, B_FALSE); 1257 1258 /* 1259 * If there's a next command, figure out where it starts, 1260 * and fill in the next header offset for the reply. 1261 * Note: We sanity checked smb2_next_command above. 1262 */ 1263 if (sr->smb2_next_command != 0) { 1264 sr->command.chain_offset = 1265 sr->smb2_cmd_hdr + sr->smb2_next_command; 1266 sr->smb2_next_reply = 1267 sr->reply.chain_offset - sr->smb2_reply_hdr; 1268 } else { 1269 ASSERT(sr->smb2_next_reply == 0); 1270 } 1271 1272 /* 1273 * Overwrite the (now final) SMB2 header for this response. 1274 */ 1275 (void) smb2_encode_header(sr, B_TRUE); 1276 1277 /* 1278 * Process whole compound before sending. 1279 */ 1280 if (sr->smb2_next_command != 0) 1281 goto cmd_start; 1282 smb2_send_reply(sr); 1283 1284 ASSERT(!disconnect); 1285 1286 cleanup: 1287 /* 1288 * Restore caller's command processing state. 1289 */ 1290 sr->smb2_cmd_hdr = saved_cmd_hdr; 1291 sr->command.chain_offset = saved_cmd_hdr; 1292 (void) smb2_decode_header(sr); 1293 sr->command.chain_offset = saved_com_offset; 1294 1295 sr->smb2_credit_response = saved_cred_resp; 1296 sr->smb2_hdr_flags = saved_hdr_flags; 1297 sr->smb2_status = NT_STATUS_SUCCESS; 1298 1299 /* 1300 * In here, the "disconnect" flag just means we had an 1301 * error decoding or encoding something. Rather than 1302 * actually disconnect here, let's assume whatever 1303 * problem we encountered will be seen by the caller 1304 * as they continue processing the compound, and just 1305 * restore everything and return an error. 1306 */ 1307 if (disconnect) { 1308 sr->smb2_async = B_FALSE; 1309 sr->smb2_reply_hdr = saved_reply_hdr; 1310 sr->reply.chain_offset = sr->smb2_reply_hdr; 1311 (void) smb2_encode_header(sr, B_FALSE); 1312 return (NT_STATUS_INVALID_PARAMETER); 1313 } 1314 1315 /* 1316 * The compound reply buffer we sent is now gone. 1317 * Setup a new reply buffer for the caller. 1318 */ 1319 sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND; 1320 sr->smb2_async_id = SMB2_ASYNCID(sr); 1321 sr->smb2_next_reply = 0; 1322 MBC_FLUSH(&sr->reply); 1323 ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes); 1324 ASSERT(sr->reply.chain_offset == 0); 1325 sr->smb2_reply_hdr = 0; 1326 (void) smb2_encode_header(sr, B_FALSE); 1327 1328 return (NT_STATUS_SUCCESS); 1329 } 1330 1331 int 1332 smb3_decode_tform_header(smb_request_t *sr) 1333 { 1334 uint16_t flags; 1335 int rc; 1336 uint32_t protocolid; 1337 1338 rc = smb_mbc_decodef( 1339 &sr->command, "l16c16cl..wq", 1340 &protocolid, /* l */ 1341 sr->smb2_sig, /* 16c */ 1342 sr->nonce, /* 16c */ 1343 &sr->msgsize, /* l */ 1344 /* reserved .. */ 1345 &flags, /* w */ 1346 &sr->smb3_tform_ssnid); /* q */ 1347 if (rc) 1348 return (rc); 1349 1350 ASSERT3U(protocolid, ==, SMB3_ENCRYPTED_MAGIC); 1351 1352 if (flags != 1) { 1353 #ifdef DEBUG 1354 cmn_err(CE_NOTE, "flags field not 1: %x", flags); 1355 #endif 1356 return (-1); 1357 } 1358 1359 /* 1360 * MsgSize is the amount of data the client tell us to decrypt. 1361 * Make sure this value is not too big and not too small. 1362 */ 1363 if (sr->msgsize < SMB2_HDR_SIZE || 1364 sr->msgsize > sr->session->cmd_max_bytes || 1365 sr->msgsize > sr->command.max_bytes - SMB3_TFORM_HDR_SIZE) 1366 return (-1); 1367 1368 return (rc); 1369 } 1370 1371 int 1372 smb3_encode_tform_header(smb_request_t *sr, struct mbuf_chain *mbc) 1373 { 1374 int rc; 1375 1376 /* Signature and Nonce are added in smb3_encrypt_sr */ 1377 rc = smb_mbc_encodef( 1378 mbc, "l32.lwwq", 1379 SMB3_ENCRYPTED_MAGIC, /* l */ 1380 /* signature(16), nonce(16) 32. */ 1381 sr->msgsize, /* l */ 1382 0, /* reserved w */ 1383 1, /* flags w */ 1384 sr->smb3_tform_ssnid); /* q */ 1385 1386 return (rc); 1387 } 1388 1389 int 1390 smb2_decode_header(smb_request_t *sr) 1391 { 1392 uint32_t pid, tid; 1393 uint16_t hdr_len; 1394 int rc; 1395 1396 rc = smb_mbc_decodef( 1397 &sr->command, "Nwww..wwllqllq16c", 1398 &hdr_len, /* w */ 1399 &sr->smb2_credit_charge, /* w */ 1400 &sr->smb2_chan_seq, /* w */ 1401 /* reserved .. */ 1402 &sr->smb2_cmd_code, /* w */ 1403 &sr->smb2_credit_request, /* w */ 1404 &sr->smb2_hdr_flags, /* l */ 1405 &sr->smb2_next_command, /* l */ 1406 &sr->smb2_messageid, /* q */ 1407 &pid, /* l */ 1408 &tid, /* l */ 1409 &sr->smb2_ssnid, /* q */ 1410 sr->smb2_sig); /* 16c */ 1411 if (rc) 1412 return (rc); 1413 1414 if (hdr_len != SMB2_HDR_SIZE) 1415 return (-1); 1416 1417 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) { 1418 sr->smb2_async_id = pid | 1419 ((uint64_t)tid) << 32; 1420 sr->smb_pid = 0; 1421 sr->smb_tid = 0; 1422 } else { 1423 sr->smb2_async_id = 0; 1424 sr->smb_pid = pid; 1425 sr->smb_tid = (uint16_t)tid; /* XXX wide TIDs */ 1426 } 1427 1428 return (rc); 1429 } 1430 1431 int 1432 smb2_encode_header(smb_request_t *sr, boolean_t overwrite) 1433 { 1434 uint64_t pid_tid_aid; /* pid+tid, or async id */ 1435 int rc; 1436 1437 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) { 1438 pid_tid_aid = sr->smb2_async_id; 1439 } else { 1440 pid_tid_aid = sr->smb_pid | 1441 ((uint64_t)sr->smb_tid) << 32; 1442 } 1443 1444 if (overwrite) { 1445 rc = smb_mbc_poke(&sr->reply, 1446 sr->smb2_reply_hdr, 1447 "Nwwlwwllqqq16c", 1448 SMB2_HDR_SIZE, /* w */ 1449 sr->smb2_credit_charge, /* w */ 1450 sr->smb2_status, /* l */ 1451 sr->smb2_cmd_code, /* w */ 1452 sr->smb2_credit_response, /* w */ 1453 sr->smb2_hdr_flags, /* l */ 1454 sr->smb2_next_reply, /* l */ 1455 sr->smb2_messageid, /* q */ 1456 pid_tid_aid, /* q */ 1457 sr->smb2_ssnid, /* q */ 1458 sr->smb2_sig); /* 16c */ 1459 } else { 1460 rc = smb_mbc_encodef(&sr->reply, 1461 "Nwwlwwllqqq16c", 1462 SMB2_HDR_SIZE, /* w */ 1463 sr->smb2_credit_charge, /* w */ 1464 sr->smb2_status, /* l */ 1465 sr->smb2_cmd_code, /* w */ 1466 sr->smb2_credit_response, /* w */ 1467 sr->smb2_hdr_flags, /* l */ 1468 sr->smb2_next_reply, /* l */ 1469 sr->smb2_messageid, /* q */ 1470 pid_tid_aid, /* q */ 1471 sr->smb2_ssnid, /* q */ 1472 sr->smb2_sig); /* 16c */ 1473 } 1474 1475 return (rc); 1476 } 1477 1478 void 1479 smb2_send_reply(smb_request_t *sr) 1480 { 1481 struct mbuf_chain enc_reply; 1482 smb_session_t *session = sr->session; 1483 void *tmpbuf; 1484 size_t buflen; 1485 struct mbuf_chain tmp; 1486 1487 /* 1488 * [MS-SMB2] 3.3.4.1.4 Encrypting the Message 1489 * 1490 * When the connection supports encryption and the dialect 1491 * is 3.x, encrypt if: 1492 * - The request was encrypted OR 1493 * - The cmd is not SESSION_SETUP or NEGOTIATE AND 1494 * -- Session.EncryptData is TRUE OR 1495 * -- The cmd is not TREE_CONNECT AND 1496 * --- Tree.EncryptData is TRUE 1497 * 1498 * This boils down to sr->tform_ssn != NULL, and the rest 1499 * is enforced when tform_ssn is set. 1500 */ 1501 1502 if ((session->capabilities & SMB2_CAP_ENCRYPTION) == 0 || 1503 sr->tform_ssn == NULL) { 1504 (void) smb_session_send(sr->session, 0, &sr->reply); 1505 return; 1506 } 1507 1508 sr->msgsize = sr->reply.chain_offset; 1509 (void) MBC_SHADOW_CHAIN(&tmp, &sr->reply, 1510 0, sr->msgsize); 1511 1512 buflen = SMB3_TFORM_HDR_SIZE + sr->msgsize; 1513 1514 /* taken from smb_request_init_command_mbuf */ 1515 tmpbuf = kmem_alloc(buflen, KM_SLEEP); 1516 MBC_ATTACH_BUF(&enc_reply, tmpbuf, buflen); 1517 enc_reply.flags = 0; 1518 enc_reply.shadow_of = NULL; 1519 1520 if (smb3_encode_tform_header(sr, &enc_reply) != 0) { 1521 cmn_err(CE_WARN, "couldn't encode transform header"); 1522 goto errout; 1523 } 1524 if (smb3_encrypt_sr(sr, &tmp, &enc_reply) != 0) { 1525 cmn_err(CE_WARN, "smb3 encryption failed"); 1526 goto errout; 1527 } 1528 1529 (void) smb_session_send(sr->session, 0, &enc_reply); 1530 kmem_free(tmpbuf, buflen); 1531 return; 1532 1533 errout: 1534 kmem_free(tmpbuf, buflen); 1535 smb_session_disconnect(sr->session); 1536 } 1537 1538 /* 1539 * This wrapper function exists to help catch calls to smbsr_status() 1540 * (which is SMB1-specific) in common code. See smbsr_status(). 1541 * If the log message below is seen, put a dtrace probe on this 1542 * function with a stack() action to see who is calling the SMB1 1543 * "put error" from common code, and fix it. 1544 */ 1545 void 1546 smbsr_status_smb2(smb_request_t *sr, DWORD status) 1547 { 1548 const char *name; 1549 1550 if (sr->smb2_cmd_code < SMB2__NCMDS) 1551 name = smb2_disp_table[sr->smb2_cmd_code].sdt_name; 1552 else 1553 name = "<unknown>"; 1554 #ifdef DEBUG 1555 cmn_err(CE_NOTE, "smbsr_status called for %s", name); 1556 #endif 1557 1558 smb2sr_put_error_data(sr, status, NULL); 1559 } 1560 1561 void 1562 smb2sr_put_errno(struct smb_request *sr, int errnum) 1563 { 1564 uint32_t status = smb_errno2status(errnum); 1565 smb2sr_put_error_data(sr, status, NULL); 1566 } 1567 1568 void 1569 smb2sr_put_error(smb_request_t *sr, uint32_t status) 1570 { 1571 smb2sr_put_error_data(sr, status, NULL); 1572 } 1573 1574 /* 1575 * Build an SMB2 error response. [MS-SMB2] 2.2.2 1576 */ 1577 void 1578 smb2sr_put_error_data(smb_request_t *sr, uint32_t status, mbuf_chain_t *mbc) 1579 { 1580 DWORD len; 1581 1582 /* 1583 * The common dispatch code writes this when it 1584 * updates the SMB2 header before sending. 1585 */ 1586 sr->smb2_status = status; 1587 1588 /* Rewind to the end of the SMB header. */ 1589 sr->reply.chain_offset = sr->smb2_reply_hdr + SMB2_HDR_SIZE; 1590 1591 /* 1592 * NB: Must provide at least one byte of error data, 1593 * per [MS-SMB2] 2.2.2 1594 */ 1595 if (mbc != NULL && (len = MBC_LENGTH(mbc)) != 0) { 1596 (void) smb_mbc_encodef( 1597 &sr->reply, 1598 "wwlC", 1599 9, /* StructSize */ /* w */ 1600 0, /* reserved */ /* w */ 1601 len, /* l */ 1602 mbc); /* C */ 1603 } else { 1604 (void) smb_mbc_encodef( 1605 &sr->reply, 1606 "wwl.", 1607 9, /* StructSize */ /* w */ 1608 0, /* reserved */ /* w */ 1609 0); /* l. */ 1610 } 1611 } 1612 1613 /* 1614 * Build an SMB2 error context response (dialect 3.1.1). 1615 */ 1616 void 1617 smb2sr_put_error_ctx(smb_request_t *sr, uint32_t status, uint32_t errid, 1618 mbuf_chain_t *mbc) 1619 { 1620 DWORD len; 1621 1622 /* 1623 * The common dispatch code writes this when it 1624 * updates the SMB2 header before sending. 1625 */ 1626 sr->smb2_status = status; 1627 1628 /* Rewind to the end of the SMB header. */ 1629 sr->reply.chain_offset = sr->smb2_reply_hdr + SMB2_HDR_SIZE; 1630 1631 /* 1632 * Error Context is 8-byte header plus encaps. data (ErrorContextData), 1633 * which can be zero-length. 1634 */ 1635 if (mbc != NULL && (len = MBC_LENGTH(mbc)) != 0) { 1636 (void) smb_mbc_encodef( 1637 &sr->reply, 1638 "wbblllC", 1639 9, /* StructSize */ /* w */ 1640 1, /* ErrorContextCount */ /* b */ 1641 0, /* reserved */ /* b */ 1642 8+len, /* ByteCount */ /* l */ 1643 len, /* ErrorDataLength */ /* l */ 1644 errid, /* ErrorId */ /* l */ 1645 mbc); /* C */ 1646 } else { 1647 (void) smb_mbc_encodef( 1648 &sr->reply, 1649 "wbblll", 1650 9, /* StructSize */ /* w */ 1651 1, /* ErrorContextCount */ /* b */ 1652 0, /* reserved */ /* b */ 1653 8, /* ByteCount */ /* l */ 1654 0, /* ErrorDataLength */ /* l */ 1655 errid); /* ErrorId */ /* l */ 1656 } 1657 } 1658 1659 /* 1660 * Build an SMB2 error context response with SMB2_ERROR_ID_DEFAULT ErrorId. 1661 * 1662 * This only handles the case we currently need, encapsulating a 1663 * single error data section inside an SMB2_ERROR_ID_DEFAULT 1664 * error context type (which is type zero, and that's what 1665 * the zero on the end of this function name refers to). 1666 */ 1667 void 1668 smb2sr_put_error_ctx0(smb_request_t *sr, uint32_t status, mbuf_chain_t *mbc) 1669 { 1670 return (smb2sr_put_error_ctx(sr, status, SMB2_ERROR_ID_DEFAULT, mbc)); 1671 } 1672 1673 /* 1674 * smb2sr_lookup_fid 1675 * 1676 * Setup sr->fid_ofile, either inherited from a related command, 1677 * or obtained via FID lookup. Similar inheritance logic as in 1678 * smb2sr_work. 1679 */ 1680 uint32_t 1681 smb2sr_lookup_fid(smb_request_t *sr, smb2fid_t *fid) 1682 { 1683 boolean_t related = sr->smb2_hdr_flags & 1684 SMB2_FLAGS_RELATED_OPERATIONS; 1685 1686 if (related) { 1687 if (sr->fid_ofile == NULL) 1688 return (NT_STATUS_INVALID_PARAMETER); 1689 sr->smb_fid = sr->fid_ofile->f_fid; 1690 return (0); 1691 } 1692 1693 /* 1694 * If we could be sure this is called only once per cmd, 1695 * we could simply ASSERT(sr->fid_ofile == NULL) here. 1696 * However, there are cases where it can be called again 1697 * handling the same command, so let's tolerate that. 1698 */ 1699 if (sr->fid_ofile == NULL) { 1700 sr->smb_fid = (uint16_t)fid->temporal; 1701 sr->fid_ofile = smb_ofile_lookup_by_fid(sr, sr->smb_fid); 1702 } 1703 if (sr->fid_ofile == NULL || 1704 sr->fid_ofile->f_persistid != fid->persistent) 1705 return (NT_STATUS_FILE_CLOSED); 1706 1707 return (0); 1708 } 1709 1710 /* 1711 * smb2_dispatch_stats_init 1712 * 1713 * Initializes dispatch statistics for SMB2. 1714 * See also smb_dispatch_stats_init(), which fills in 1715 * the lower part of the statistics array, from zero 1716 * through SMB_COM_NUM; 1717 */ 1718 void 1719 smb2_dispatch_stats_init(smb_server_t *sv) 1720 { 1721 smb_disp_stats_t *sds = sv->sv_disp_stats2; 1722 smb_kstat_req_t *ksr; 1723 int i; 1724 1725 ksr = ((smbsrv_kstats_t *)sv->sv_ksp->ks_data)->ks_reqs2; 1726 1727 for (i = 0; i < SMB2__NCMDS; i++, ksr++) { 1728 smb_latency_init(&sds[i].sdt_lat); 1729 (void) strlcpy(ksr->kr_name, smb2_disp_table[i].sdt_name, 1730 sizeof (ksr->kr_name)); 1731 } 1732 } 1733 1734 /* 1735 * smb2_dispatch_stats_fini 1736 * 1737 * Frees and destroyes the resources used for statistics. 1738 */ 1739 void 1740 smb2_dispatch_stats_fini(smb_server_t *sv) 1741 { 1742 smb_disp_stats_t *sds = sv->sv_disp_stats2; 1743 int i; 1744 1745 for (i = 0; i < SMB2__NCMDS; i++) 1746 smb_latency_destroy(&sds[i].sdt_lat); 1747 } 1748 1749 void 1750 smb2_dispatch_stats_update(smb_server_t *sv, 1751 smb_kstat_req_t *ksr, int first, int nreq) 1752 { 1753 smb_disp_stats_t *sds = sv->sv_disp_stats2; 1754 int i; 1755 int last; 1756 1757 last = first + nreq - 1; 1758 1759 if ((first < SMB2__NCMDS) && (last < SMB2__NCMDS)) { 1760 for (i = first; i <= last; i++, ksr++) { 1761 ksr->kr_rxb = sds[i].sdt_rxb; 1762 ksr->kr_txb = sds[i].sdt_txb; 1763 mutex_enter(&sds[i].sdt_lat.ly_mutex); 1764 ksr->kr_nreq = sds[i].sdt_lat.ly_a_nreq; 1765 ksr->kr_sum = sds[i].sdt_lat.ly_a_sum; 1766 ksr->kr_a_mean = sds[i].sdt_lat.ly_a_mean; 1767 ksr->kr_a_stddev = 1768 sds[i].sdt_lat.ly_a_stddev; 1769 ksr->kr_d_mean = sds[i].sdt_lat.ly_d_mean; 1770 ksr->kr_d_stddev = 1771 sds[i].sdt_lat.ly_d_stddev; 1772 sds[i].sdt_lat.ly_d_mean = 0; 1773 sds[i].sdt_lat.ly_d_nreq = 0; 1774 sds[i].sdt_lat.ly_d_stddev = 0; 1775 sds[i].sdt_lat.ly_d_sum = 0; 1776 mutex_exit(&sds[i].sdt_lat.ly_mutex); 1777 } 1778 } 1779 } 1780 1781 /* 1782 * Append new_sr to the postwork queue. sr->smb2_cmd_code encodes 1783 * the action that should be run by this sr. 1784 * 1785 * This queue is rarely used (and normally empty) so we're OK 1786 * using a simple "walk to tail and insert" here. 1787 */ 1788 void 1789 smb2sr_append_postwork(smb_request_t *top_sr, smb_request_t *new_sr) 1790 { 1791 smb_request_t *last_sr; 1792 1793 ASSERT(top_sr->session->dialect >= SMB_VERS_2_BASE); 1794 1795 last_sr = top_sr; 1796 while (last_sr->sr_postwork != NULL) 1797 last_sr = last_sr->sr_postwork; 1798 1799 last_sr->sr_postwork = new_sr; 1800 } 1801 1802 /* 1803 * Run any "post work" that was appended to the main SR while it 1804 * was running. This is called after the request has been sent 1805 * for the main SR, and used in cases i.e. the oplock code, where 1806 * we need to send something to the client only _after_ the main 1807 * sr request has gone out. 1808 */ 1809 static void 1810 smb2sr_run_postwork(smb_request_t *top_sr) 1811 { 1812 smb_request_t *post_sr; /* the one we're running */ 1813 smb_request_t *next_sr; 1814 1815 while ((post_sr = top_sr->sr_postwork) != NULL) { 1816 next_sr = post_sr->sr_postwork; 1817 top_sr->sr_postwork = next_sr; 1818 post_sr->sr_postwork = NULL; 1819 1820 post_sr->sr_worker = top_sr->sr_worker; 1821 post_sr->sr_state = SMB_REQ_STATE_ACTIVE; 1822 1823 switch (post_sr->smb2_cmd_code) { 1824 case SMB2_OPLOCK_BREAK: 1825 smb_oplock_send_break(post_sr); 1826 break; 1827 default: 1828 ASSERT(0); 1829 } 1830 1831 /* 1832 * If we have a durable handle, and this operation 1833 * updated the nvlist, write it out. 1834 */ 1835 if (post_sr->dh_nvl_dirty) { 1836 post_sr->dh_nvl_dirty = B_FALSE; 1837 smb2_dh_update_nvfile(post_sr); 1838 } 1839 1840 post_sr->sr_state = SMB_REQ_STATE_COMPLETED; 1841 smb_request_free(post_sr); 1842 } 1843 } 1844