1 /* 2 * This file and its contents are supplied under the terms of the 3 * Common Development and Distribution License ("CDDL"), version 1.0. 4 * You may only use this file in accordance with the terms of version 5 * 1.0 of the CDDL. 6 * 7 * A full copy of the text of the CDDL should have accompanied this 8 * source. A copy of the CDDL is also available via the Internet at 9 * http://www.illumos.org/license/CDDL. 10 */ 11 12 /* 13 * Copyright 2017 Nexenta Systems, Inc. All rights reserved. 14 */ 15 16 /* 17 * Dispatch function for SMB2_NEGOTIATE 18 */ 19 20 #include <smbsrv/smb2_kproto.h> 21 #include <smbsrv/smb2.h> 22 23 static int smb2_negotiate_common(smb_request_t *, uint16_t); 24 25 uint32_t smb2srv_capabilities = 26 SMB2_CAP_DFS | 27 SMB2_CAP_LARGE_MTU; 28 29 /* 30 * These are not intended as customer tunables, but dev. & test folks 31 * might want to adjust them (with caution). 32 * 33 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket 34 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size. 35 * This is also used as a "sanity limit" for internal send/reply message 36 * allocations. Note that with compounding SMB2 messages may contain 37 * multiple requests/responses. This size should be large enough for 38 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize. 39 * 40 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell 41 * the client the largest read and write request size we'll support. 42 * For now, we're using contiguous allocations, so keep this at 64KB 43 * so that (even with message overhead) allocations stay below 128KB, 44 * avoiding kmem_alloc -> page_create_va thrashing. 45 * 46 * smb2_max_trans is the largest "transact" send or receive, which is 47 * used for directory listings and info set/get operations. 48 */ 49 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */ 50 uint32_t smb2_max_rwsize = (1<<16); /* 64KB */ 51 uint32_t smb2_max_trans = (1<<16); /* 64KB */ 52 53 /* 54 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU 55 * (including all clients using dialect < SMB 2.1), use a "conservative" value 56 * for max r/w size because some older clients misbehave with larger values. 57 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x 58 * Support) as the minimum so we'll use that. 59 */ 60 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */ 61 62 /* 63 * List of all SMB2 versions we implement. Note that the 64 * highest version we support may be limited by the 65 * _cfg.skc_max_protocol setting. 66 */ 67 static uint16_t smb2_versions[] = { 68 0x202, /* SMB 2.002 */ 69 0x210, /* SMB 2.1 */ 70 }; 71 static uint16_t smb2_nversions = 72 sizeof (smb2_versions) / sizeof (smb2_versions[0]); 73 74 static boolean_t 75 smb2_supported_version(smb_session_t *s, uint16_t version) 76 { 77 int i; 78 79 if (version > s->s_cfg.skc_max_protocol) 80 return (B_FALSE); 81 for (i = 0; i < smb2_nversions; i++) 82 if (version == smb2_versions[i]) 83 return (B_TRUE); 84 return (B_FALSE); 85 } 86 87 /* 88 * Helper for the (SMB1) smb_com_negotiate(). This is the 89 * very unusual protocol interaction where an SMB1 negotiate 90 * gets an SMB2 negotiate response. This is the normal way 91 * clients first find out if the server supports SMB2. 92 * 93 * Note: This sends an SMB2 reply _itself_ and then returns 94 * SDRC_NO_REPLY so the caller will not send an SMB1 reply. 95 * Also, this is called directly from the reader thread, so 96 * we know this is the only thread using this session. 97 * 98 * The caller frees this request. 99 */ 100 smb_sdrc_t 101 smb1_negotiate_smb2(smb_request_t *sr) 102 { 103 smb_session_t *s = sr->session; 104 smb_arg_negotiate_t *negprot = sr->sr_negprot; 105 uint16_t smb2_version; 106 uint16_t secmode2; 107 int rc; 108 109 /* 110 * Note: In the SMB1 negotiate command handler, we 111 * agreed with one of the SMB2 dialects. If that 112 * dialect was "SMB 2.002", we'll respond here with 113 * version 0x202 and negotiation is done. If that 114 * dialect was "SMB 2.???", we'll respond here with 115 * the "wildcard" version 0x2FF, and the client will 116 * come back with an SMB2 negotiate. 117 */ 118 switch (negprot->ni_dialect) { 119 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */ 120 smb2_version = 0x202; 121 s->dialect = smb2_version; 122 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 123 /* Allow normal SMB2 requests now. */ 124 s->newrq_func = smb2sr_newrq; 125 126 /* 127 * Translate SMB1 sec. mode to SMB2. 128 */ 129 secmode2 = 0; 130 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) 131 secmode2 |= SMB2_NEGOTIATE_SIGNING_ENABLED; 132 if (s->secmode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) 133 secmode2 |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 134 s->secmode = secmode2; 135 break; 136 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */ 137 /* 138 * Expecting an SMB2 negotiate next, so keep the 139 * initial s->newrq_func. Note that secmode is 140 * fiction good enough to pass the signing check 141 * in smb2_negotiate_common(). We'll check the 142 * real secmode when the 2nd negotiate comes. 143 */ 144 smb2_version = 0x2FF; 145 s->secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 146 break; 147 default: 148 return (SDRC_DROP_VC); 149 } 150 151 /* 152 * We did not decode an SMB2 header, so make sure 153 * the SMB2 header fields are initialized. 154 * (Most are zero from smb_request_alloc.) 155 * Also, the SMB1 common dispatch code reserved space 156 * for an SMB1 header, which we need to undo here. 157 */ 158 sr->smb2_reply_hdr = sr->reply.chain_offset = 0; 159 sr->smb2_cmd_code = SMB2_NEGOTIATE; 160 161 rc = smb2_negotiate_common(sr, smb2_version); 162 smb2_send_reply(sr); 163 if (rc != 0) 164 return (SDRC_DROP_VC); 165 166 /* 167 * We sent the reply, so tell the SMB1 dispatch 168 * it should NOT (also) send a reply. 169 */ 170 return (SDRC_NO_REPLY); 171 } 172 173 /* 174 * SMB2 Negotiate gets special handling. This is called directly by 175 * the reader thread (see smbsr_newrq_initial) with what _should_ be 176 * an SMB2 Negotiate. Only the "\feSMB" header has been checked 177 * when this is called, so this needs to check the SMB command, 178 * if it's Negotiate execute it, then send the reply, etc. 179 * 180 * Since this is called directly from the reader thread, we 181 * know this is the only thread currently using this session. 182 * This has to duplicate some of what smb2sr_work does as a 183 * result of bypassing the normal dispatch mechanism. 184 * 185 * The caller always frees this request. 186 * 187 * Return value is 0 for success, and anything else will 188 * terminate the reader thread (drop the connection). 189 */ 190 int 191 smb2_newrq_negotiate(smb_request_t *sr) 192 { 193 smb_session_t *s = sr->session; 194 int i, rc; 195 uint16_t struct_size; 196 uint16_t best_version; 197 uint16_t version_cnt; 198 uint16_t cl_versions[8]; 199 200 sr->smb2_cmd_hdr = sr->command.chain_offset; 201 rc = smb2_decode_header(sr); 202 if (rc != 0) 203 return (rc); 204 205 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) || 206 (sr->smb2_next_command != 0)) 207 return (-1); 208 209 /* 210 * Decode SMB2 Negotiate (fixed-size part) 211 */ 212 rc = smb_mbc_decodef( 213 &sr->command, "www..l16.8.", 214 &struct_size, /* w */ 215 &version_cnt, /* w */ 216 &s->secmode, /* w */ 217 /* reserved (..) */ 218 &s->capabilities); /* l */ 219 /* clnt_uuid 16. */ 220 /* start_time 8. */ 221 if (rc != 0) 222 return (rc); 223 if (struct_size != 36 || version_cnt > 8) 224 return (-1); 225 226 /* 227 * Decode SMB2 Negotiate (variable part) 228 */ 229 rc = smb_mbc_decodef(&sr->command, 230 "#w", version_cnt, cl_versions); 231 if (rc != 0) 232 return (rc); 233 234 DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr); 235 236 /* 237 * The client offers an array of protocol versions it 238 * supports, which we have decoded into cl_versions[]. 239 * We walk the array and pick the highest supported. 240 */ 241 best_version = 0; 242 for (i = 0; i < version_cnt; i++) 243 if (smb2_supported_version(s, cl_versions[i]) && 244 best_version < cl_versions[i]) 245 best_version = cl_versions[i]; 246 if (best_version == 0) 247 return (SDRC_DROP_VC); 248 s->dialect = best_version; 249 250 /* Allow normal SMB2 requests now. */ 251 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 252 s->newrq_func = smb2sr_newrq; 253 254 rc = smb2_negotiate_common(sr, best_version); 255 256 /* sr->smb2_status was set */ 257 DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr); 258 259 smb2_send_reply(sr); 260 261 return (rc); 262 } 263 264 /* 265 * Common parts of SMB2 Negotiate, used for both the 266 * SMB1-to-SMB2 style, and straight SMB2 style. 267 * Do negotiation decisions and encode the reply. 268 * The caller does the network send. 269 * 270 * Return value is 0 for success, and anything else will 271 * terminate the reader thread (drop the connection). 272 */ 273 static int 274 smb2_negotiate_common(smb_request_t *sr, uint16_t version) 275 { 276 timestruc_t boot_tv, now_tv; 277 smb_session_t *s = sr->session; 278 int rc; 279 uint32_t max_rwsize; 280 uint16_t secmode; 281 282 sr->smb2_status = 0; 283 284 /* 285 * Negotiation itself. First the Security Mode. 286 * The caller stashed the client's secmode in s->secmode, 287 * which we validate, and then replace with the server's 288 * secmode, which is all we care about after this. 289 */ 290 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 291 if (sr->sr_cfg->skc_signing_required) { 292 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 293 /* Make sure client at least enables signing. */ 294 if ((s->secmode & secmode) == 0) { 295 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 296 } 297 } 298 s->secmode = secmode; 299 300 s->cmd_max_bytes = smb2_tcp_bufsize; 301 s->reply_max_bytes = smb2_tcp_bufsize; 302 303 /* 304 * "The number of credits held by the client MUST be considered 305 * as 1 when the connection is established." [MS-SMB2] 306 * We leave credits at 1 until the first successful 307 * session setup is completed. 308 */ 309 s->s_cur_credits = s->s_max_credits = 1; 310 sr->smb2_credit_response = 1; 311 312 boot_tv.tv_sec = smb_get_boottime(); 313 boot_tv.tv_nsec = 0; 314 now_tv.tv_sec = gethrestime_sec(); 315 now_tv.tv_nsec = 0; 316 317 /* 318 * SMB2 negotiate reply 319 */ 320 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR; 321 (void) smb2_encode_header(sr, B_FALSE); 322 if (sr->smb2_status != 0) { 323 smb2sr_put_error(sr, sr->smb2_status); 324 /* smb2_send_reply(sr); in caller */ 325 return (-1); /* will drop */ 326 } 327 328 /* 329 * See notes above smb2_max_rwsize, smb2_old_rwsize 330 */ 331 if (s->capabilities & SMB2_CAP_LARGE_MTU) 332 max_rwsize = smb2_max_rwsize; 333 else 334 max_rwsize = smb2_old_rwsize; 335 336 rc = smb_mbc_encodef( 337 &sr->reply, 338 "wwww#cllllTTwwl#c", 339 65, /* StructSize */ /* w */ 340 s->secmode, /* w */ 341 version, /* w */ 342 0, /* reserved */ /* w */ 343 UUID_LEN, /* # */ 344 &s->s_cfg.skc_machine_uuid, /* c */ 345 smb2srv_capabilities, /* l */ 346 smb2_max_trans, /* l */ 347 max_rwsize, /* l */ 348 max_rwsize, /* l */ 349 &now_tv, /* T */ 350 &boot_tv, /* T */ 351 128, /* SecBufOff */ /* w */ 352 sr->sr_cfg->skc_negtok_len, /* w */ 353 0, /* reserved */ /* l */ 354 sr->sr_cfg->skc_negtok_len, /* # */ 355 sr->sr_cfg->skc_negtok); /* c */ 356 357 /* smb2_send_reply(sr); in caller */ 358 359 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 360 SO_SNDBUF, (const void *)&smb2_tcp_bufsize, 361 sizeof (smb2_tcp_bufsize), CRED()); 362 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 363 SO_RCVBUF, (const void *)&smb2_tcp_bufsize, 364 sizeof (smb2_tcp_bufsize), CRED()); 365 366 return (rc); 367 } 368 369 /* 370 * SMB2 Dispatch table handler, which will run if we see an 371 * SMB2_NEGOTIATE after the initial negotiation is done. 372 * That would be a protocol error. 373 */ 374 smb_sdrc_t 375 smb2_negotiate(smb_request_t *sr) 376 { 377 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 378 return (SDRC_ERROR); 379 } 380 381 /* 382 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6 383 */ 384 uint32_t 385 smb2_fsctl_vneginfo(smb_request_t *sr, smb_fsctl_t *fsctl) 386 { 387 smb_session_t *s = sr->session; 388 int rc; 389 390 /* 391 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here 392 * and verify that the original negotiate was not modified. 393 * The only tampering we need worry about is secmode, and 394 * we're not taking that from the client, so don't bother. 395 * 396 * One interesting requirement here is that we MUST reply 397 * with exactly the same information as we returned in our 398 * original reply to the SMB2 negotiate on this session. 399 * If we don't the client closes the connection. 400 */ 401 402 rc = smb_mbc_encodef( 403 fsctl->out_mbc, "l#cww", 404 smb2srv_capabilities, /* l */ 405 UUID_LEN, /* # */ 406 &s->s_cfg.skc_machine_uuid, /* c */ 407 s->secmode, /* w */ 408 s->dialect); /* w */ 409 if (rc) 410 return (NT_STATUS_INTERNAL_ERROR); 411 412 return (0); 413 } 414