1 /* 2 * This file and its contents are supplied under the terms of the 3 * Common Development and Distribution License ("CDDL"), version 1.0. 4 * You may only use this file in accordance with the terms of version 5 * 1.0 of the CDDL. 6 * 7 * A full copy of the text of the CDDL should have accompanied this 8 * source. A copy of the CDDL is also available via the Internet at 9 * http://www.illumos.org/license/CDDL. 10 */ 11 12 /* 13 * Copyright 2017 Nexenta Systems, Inc. All rights reserved. 14 */ 15 16 /* 17 * Dispatch function for SMB2_NEGOTIATE 18 */ 19 20 #include <smbsrv/smb2_kproto.h> 21 #include <smbsrv/smb2.h> 22 23 static int smb2_negotiate_common(smb_request_t *, uint16_t); 24 25 uint32_t smb2srv_capabilities = 26 SMB2_CAP_DFS | 27 SMB2_CAP_LEASING | 28 SMB2_CAP_LARGE_MTU | 29 SMB2_CAP_PERSISTENT_HANDLES | 30 SMB2_CAP_ENCRYPTION; 31 32 /* These are the only capabilities defined for SMB2.X */ 33 #define SMB_2X_CAPS (SMB2_CAP_DFS | SMB2_CAP_LEASING | SMB2_CAP_LARGE_MTU) 34 35 /* 36 * These are not intended as customer tunables, but dev. & test folks 37 * might want to adjust them (with caution). 38 * 39 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket 40 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size. 41 * This is also used as a "sanity limit" for internal send/reply message 42 * allocations. Note that with compounding SMB2 messages may contain 43 * multiple requests/responses. This size should be large enough for 44 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize. 45 * 46 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell 47 * the client the largest read and write request size we'll support. 48 * For now, we're using contiguous allocations, so keep this at 64KB 49 * so that (even with message overhead) allocations stay below 128KB, 50 * avoiding kmem_alloc -> page_create_va thrashing. 51 * 52 * smb2_max_trans is the largest "transact" send or receive, which is 53 * used for directory listings and info set/get operations. 54 */ 55 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */ 56 uint32_t smb2_max_rwsize = (1<<16); /* 64KB */ 57 uint32_t smb2_max_trans = (1<<16); /* 64KB */ 58 59 /* 60 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU 61 * (including all clients using dialect < SMB 2.1), use a "conservative" value 62 * for max r/w size because some older clients misbehave with larger values. 63 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x 64 * Support) as the minimum so we'll use that. 65 */ 66 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */ 67 68 /* 69 * List of all SMB2 versions we implement. Note that the 70 * versions we support may be limited by the 71 * _cfg.skc_max_protocol and min_protocol settings. 72 */ 73 static uint16_t smb2_versions[] = { 74 0x202, /* SMB 2.002 */ 75 0x210, /* SMB 2.1 */ 76 0x300, /* SMB 3.0 */ 77 }; 78 static uint16_t smb2_nversions = 79 sizeof (smb2_versions) / sizeof (smb2_versions[0]); 80 81 static boolean_t 82 smb2_supported_version(smb_session_t *s, uint16_t version) 83 { 84 int i; 85 86 if (version > s->s_cfg.skc_max_protocol || 87 version < s->s_cfg.skc_min_protocol) 88 return (B_FALSE); 89 for (i = 0; i < smb2_nversions; i++) 90 if (version == smb2_versions[i]) 91 return (B_TRUE); 92 return (B_FALSE); 93 } 94 95 /* 96 * Helper for the (SMB1) smb_com_negotiate(). This is the 97 * very unusual protocol interaction where an SMB1 negotiate 98 * gets an SMB2 negotiate response. This is the normal way 99 * clients first find out if the server supports SMB2. 100 * 101 * Note: This sends an SMB2 reply _itself_ and then returns 102 * SDRC_NO_REPLY so the caller will not send an SMB1 reply. 103 * Also, this is called directly from the reader thread, so 104 * we know this is the only thread using this session. 105 * 106 * The caller frees this request. 107 */ 108 smb_sdrc_t 109 smb1_negotiate_smb2(smb_request_t *sr) 110 { 111 smb_session_t *s = sr->session; 112 smb_arg_negotiate_t *negprot = sr->sr_negprot; 113 uint16_t smb2_version; 114 int rc; 115 116 /* 117 * Note: In the SMB1 negotiate command handler, we 118 * agreed with one of the SMB2 dialects. If that 119 * dialect was "SMB 2.002", we'll respond here with 120 * version 0x202 and negotiation is done. If that 121 * dialect was "SMB 2.???", we'll respond here with 122 * the "wildcard" version 0x2FF, and the client will 123 * come back with an SMB2 negotiate. 124 */ 125 switch (negprot->ni_dialect) { 126 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */ 127 smb2_version = SMB_VERS_2_002; 128 s->dialect = smb2_version; 129 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 130 /* Allow normal SMB2 requests now. */ 131 s->newrq_func = smb2sr_newrq; 132 break; 133 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */ 134 /* 135 * Expecting an SMB2 negotiate next, so keep the 136 * initial s->newrq_func. 137 */ 138 smb2_version = 0x2FF; 139 break; 140 default: 141 return (SDRC_DROP_VC); 142 } 143 144 /* 145 * Clients that negotiate SMB2 from SMB1 have not yet had the 146 * opportunity to provide us with a secmode. However, any 147 * client that negotiates SMB2 should support signing, so 148 * this should be fiction good enough to pass the signing 149 * check in smb2_negotiate_common(). Even if the client 150 * doesn't support signing and we require it, we'll fail them 151 * later when they fail to sign the packet. For 2.???, 152 * we'll check the real secmode when the 2nd negotiate comes. 153 */ 154 s->cli_secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 155 156 /* 157 * We did not decode an SMB2 header, so make sure 158 * the SMB2 header fields are initialized. 159 * (Most are zero from smb_request_alloc.) 160 * Also, the SMB1 common dispatch code reserved space 161 * for an SMB1 header, which we need to undo here. 162 */ 163 sr->smb2_reply_hdr = sr->reply.chain_offset = 0; 164 sr->smb2_cmd_code = SMB2_NEGOTIATE; 165 166 rc = smb2_negotiate_common(sr, smb2_version); 167 smb2_send_reply(sr); 168 if (rc != 0) 169 return (SDRC_DROP_VC); 170 171 /* 172 * We sent the reply, so tell the SMB1 dispatch 173 * it should NOT (also) send a reply. 174 */ 175 return (SDRC_NO_REPLY); 176 } 177 178 static uint16_t 179 smb2_find_best_dialect(smb_session_t *s, uint16_t cl_versions[], 180 uint16_t version_cnt) 181 { 182 uint16_t best_version = 0; 183 int i; 184 185 for (i = 0; i < version_cnt; i++) 186 if (smb2_supported_version(s, cl_versions[i]) && 187 best_version < cl_versions[i]) 188 best_version = cl_versions[i]; 189 190 return (best_version); 191 } 192 193 /* 194 * SMB2 Negotiate gets special handling. This is called directly by 195 * the reader thread (see smbsr_newrq_initial) with what _should_ be 196 * an SMB2 Negotiate. Only the "\feSMB" header has been checked 197 * when this is called, so this needs to check the SMB command, 198 * if it's Negotiate execute it, then send the reply, etc. 199 * 200 * Since this is called directly from the reader thread, we 201 * know this is the only thread currently using this session. 202 * This has to duplicate some of what smb2sr_work does as a 203 * result of bypassing the normal dispatch mechanism. 204 * 205 * The caller always frees this request. 206 * 207 * Return value is 0 for success, and anything else will 208 * terminate the reader thread (drop the connection). 209 */ 210 int 211 smb2_newrq_negotiate(smb_request_t *sr) 212 { 213 smb_session_t *s = sr->session; 214 int rc; 215 uint16_t struct_size; 216 uint16_t best_version; 217 uint16_t version_cnt; 218 uint16_t cl_versions[8]; 219 220 sr->smb2_cmd_hdr = sr->command.chain_offset; 221 rc = smb2_decode_header(sr); 222 if (rc != 0) 223 return (rc); 224 225 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) || 226 (sr->smb2_next_command != 0)) 227 return (-1); 228 229 /* 230 * Decode SMB2 Negotiate (fixed-size part) 231 */ 232 rc = smb_mbc_decodef( 233 &sr->command, "www..l16c8.", 234 &struct_size, /* w */ 235 &version_cnt, /* w */ 236 &s->cli_secmode, /* w */ 237 /* reserved (..) */ 238 &s->capabilities, /* l */ 239 s->clnt_uuid); /* 16c */ 240 /* start_time 8. */ 241 if (rc != 0) 242 return (rc); 243 if (struct_size != 36 || version_cnt > 8) 244 return (-1); 245 246 /* 247 * Decode SMB2 Negotiate (variable part) 248 */ 249 rc = smb_mbc_decodef(&sr->command, 250 "#w", version_cnt, cl_versions); 251 if (rc != 0) 252 return (rc); 253 254 DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr); 255 256 /* 257 * The client offers an array of protocol versions it 258 * supports, which we have decoded into cl_versions[]. 259 * We walk the array and pick the highest supported. 260 */ 261 best_version = smb2_find_best_dialect(s, cl_versions, version_cnt); 262 if (best_version == 0) { 263 cmn_err(CE_NOTE, "clnt %s no supported dialect", 264 sr->session->ip_addr_str); 265 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 266 rc = -1; 267 goto errout; 268 } 269 s->dialect = best_version; 270 271 /* Allow normal SMB2 requests now. */ 272 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 273 s->newrq_func = smb2sr_newrq; 274 275 rc = smb2_negotiate_common(sr, best_version); 276 277 errout: 278 /* sr->smb2_status was set */ 279 DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr); 280 281 smb2_send_reply(sr); 282 283 return (rc); 284 } 285 286 /* 287 * Common parts of SMB2 Negotiate, used for both the 288 * SMB1-to-SMB2 style, and straight SMB2 style. 289 * Do negotiation decisions and encode the reply. 290 * The caller does the network send. 291 * 292 * Return value is 0 for success, and anything else will 293 * terminate the reader thread (drop the connection). 294 */ 295 static int 296 smb2_negotiate_common(smb_request_t *sr, uint16_t version) 297 { 298 timestruc_t boot_tv, now_tv; 299 smb_session_t *s = sr->session; 300 int rc; 301 uint32_t max_rwsize; 302 uint16_t secmode; 303 304 sr->smb2_status = 0; 305 306 /* 307 * Negotiation itself. First the Security Mode. 308 */ 309 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 310 if (sr->sr_cfg->skc_signing_required) { 311 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 312 /* Make sure client at least enables signing. */ 313 if ((s->cli_secmode & secmode) == 0) { 314 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 315 } 316 } 317 s->srv_secmode = secmode; 318 319 s->cmd_max_bytes = smb2_tcp_bufsize; 320 s->reply_max_bytes = smb2_tcp_bufsize; 321 322 /* 323 * "The number of credits held by the client MUST be considered 324 * as 1 when the connection is established." [MS-SMB2] 325 * We leave credits at 1 until the first successful 326 * session setup is completed. 327 */ 328 s->s_cur_credits = s->s_max_credits = 1; 329 sr->smb2_credit_response = 1; 330 331 boot_tv.tv_sec = smb_get_boottime(); 332 boot_tv.tv_nsec = 0; 333 now_tv.tv_sec = gethrestime_sec(); 334 now_tv.tv_nsec = 0; 335 336 /* 337 * SMB2 negotiate reply 338 */ 339 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR; 340 (void) smb2_encode_header(sr, B_FALSE); 341 if (sr->smb2_status != 0) { 342 smb2sr_put_error(sr, sr->smb2_status); 343 /* smb2_send_reply(sr); in caller */ 344 return (-1); /* will drop */ 345 } 346 347 /* 348 * If the version is 0x2FF, we haven't completed negotiate. 349 * Don't initialize until we have our final request. 350 */ 351 if (version != 0x2FF) 352 smb2_sign_init_mech(s); 353 354 /* 355 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request 356 * 357 * The SMB2.x capabilities are returned without regard for 358 * what capabilities the client provided in the request. 359 * The SMB3.x capabilities returned are the traditional 360 * logical AND of server and client capabilities. 361 * 362 * One additional check: If KCF is missing something we 363 * require for encryption, turn off that capability. 364 */ 365 if (s->dialect < SMB_VERS_3_0) { 366 /* SMB 2.x */ 367 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS; 368 } else { 369 /* SMB 3.0 or later */ 370 s->srv_cap = smb2srv_capabilities & 371 (SMB_2X_CAPS | s->capabilities); 372 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 && 373 smb3_encrypt_init_mech(s) != 0) { 374 s->srv_cap &= ~SMB2_CAP_ENCRYPTION; 375 } 376 } 377 378 /* 379 * See notes above smb2_max_rwsize, smb2_old_rwsize 380 */ 381 if (s->capabilities & SMB2_CAP_LARGE_MTU) 382 max_rwsize = smb2_max_rwsize; 383 else 384 max_rwsize = smb2_old_rwsize; 385 386 rc = smb_mbc_encodef( 387 &sr->reply, 388 "wwww#cllllTTwwl#c", 389 65, /* StructSize */ /* w */ 390 s->srv_secmode, /* w */ 391 version, /* w */ 392 0, /* reserved */ /* w */ 393 UUID_LEN, /* # */ 394 &s->s_cfg.skc_machine_uuid, /* c */ 395 s->srv_cap, /* l */ 396 smb2_max_trans, /* l */ 397 max_rwsize, /* l */ 398 max_rwsize, /* l */ 399 &now_tv, /* T */ 400 &boot_tv, /* T */ 401 128, /* SecBufOff */ /* w */ 402 sr->sr_cfg->skc_negtok_len, /* w */ 403 0, /* reserved */ /* l */ 404 sr->sr_cfg->skc_negtok_len, /* # */ 405 sr->sr_cfg->skc_negtok); /* c */ 406 407 /* smb2_send_reply(sr); in caller */ 408 409 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 410 SO_SNDBUF, (const void *)&smb2_tcp_bufsize, 411 sizeof (smb2_tcp_bufsize), CRED()); 412 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 413 SO_RCVBUF, (const void *)&smb2_tcp_bufsize, 414 sizeof (smb2_tcp_bufsize), CRED()); 415 416 return (rc); 417 } 418 419 /* 420 * SMB2 Dispatch table handler, which will run if we see an 421 * SMB2_NEGOTIATE after the initial negotiation is done. 422 * That would be a protocol error. 423 */ 424 smb_sdrc_t 425 smb2_negotiate(smb_request_t *sr) 426 { 427 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 428 return (SDRC_ERROR); 429 } 430 431 /* 432 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6 433 */ 434 uint32_t 435 smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl) 436 { 437 smb_session_t *s = sr->session; 438 int rc; 439 440 /* 441 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here 442 * and verify that the original negotiate was not modified. 443 * The only tampering we need worry about is secmode, and 444 * we're not taking that from the client, so don't bother. 445 * 446 * One interesting requirement here is that we MUST reply 447 * with exactly the same information as we returned in our 448 * original reply to the SMB2 negotiate on this session. 449 * If we don't the client closes the connection. 450 */ 451 452 /* dialects[8] taken from cl_versions[8] in smb2_newrq_negotiate */ 453 uint32_t capabilities; 454 uint16_t secmode, num_dialects, dialects[8]; 455 uint8_t clnt_guid[16]; 456 457 if (fsctl->InputCount < 24) 458 goto drop; 459 460 (void) smb_mbc_decodef(fsctl->in_mbc, "l16cww", 461 &capabilities, /* l */ 462 &clnt_guid, /* 16c */ 463 &secmode, /* w */ 464 &num_dialects); /* w */ 465 466 if (num_dialects == 0 || num_dialects > 8) 467 goto drop; 468 if (secmode != s->cli_secmode) 469 goto drop; 470 if (capabilities != s->capabilities) 471 goto drop; 472 if (memcmp(clnt_guid, s->clnt_uuid, sizeof (clnt_guid)) != 0) 473 goto drop; 474 475 if (fsctl->InputCount < (24 + num_dialects * sizeof (*dialects))) 476 goto drop; 477 478 rc = smb_mbc_decodef(fsctl->in_mbc, "#w", num_dialects, dialects); 479 if (rc != 0) 480 goto drop; 481 482 if (smb2_find_best_dialect(s, dialects, num_dialects) != s->dialect) 483 goto drop; 484 485 rc = smb_mbc_encodef( 486 fsctl->out_mbc, "l#cww", 487 s->srv_cap, /* l */ 488 UUID_LEN, /* # */ 489 &s->s_cfg.skc_machine_uuid, /* c */ 490 s->srv_secmode, /* w */ 491 s->dialect); /* w */ 492 if (rc == 0) 493 return (rc); 494 495 drop: 496 smb_session_disconnect(s); 497 return (NT_STATUS_ACCESS_DENIED); 498 } 499