1 /* 2 * This file and its contents are supplied under the terms of the 3 * Common Development and Distribution License ("CDDL"), version 1.0. 4 * You may only use this file in accordance with the terms of version 5 * 1.0 of the CDDL. 6 * 7 * A full copy of the text of the CDDL should have accompanied this 8 * source. A copy of the CDDL is also available via the Internet at 9 * http://www.illumos.org/license/CDDL. 10 */ 11 12 /* 13 * Copyright 2018 Nexenta Systems, Inc. All rights reserved. 14 */ 15 16 /* 17 * Dispatch function for SMB2_NEGOTIATE 18 */ 19 20 #include <smbsrv/smb2_kproto.h> 21 #include <smbsrv/smb2.h> 22 23 static int smb2_negotiate_common(smb_request_t *, uint16_t); 24 25 uint32_t smb2srv_capabilities = 26 SMB2_CAP_DFS | 27 SMB2_CAP_LEASING | 28 SMB2_CAP_LARGE_MTU | 29 SMB2_CAP_PERSISTENT_HANDLES | 30 SMB2_CAP_ENCRYPTION; 31 32 /* These are the only capabilities defined for SMB2.X */ 33 #define SMB_2X_CAPS (SMB2_CAP_DFS | SMB2_CAP_LEASING | SMB2_CAP_LARGE_MTU) 34 35 /* 36 * These are not intended as customer tunables, but dev. & test folks 37 * might want to adjust them (with caution). 38 * 39 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket 40 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size. 41 * This is also used as a "sanity limit" for internal send/reply message 42 * allocations. Note that with compounding SMB2 messages may contain 43 * multiple requests/responses. This size should be large enough for 44 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize. 45 * 46 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell 47 * the client the largest read and write request size we'll support. 48 * For now, we're using contiguous allocations, so keep this at 64KB 49 * so that (even with message overhead) allocations stay below 128KB, 50 * avoiding kmem_alloc -> page_create_va thrashing. 51 * 52 * smb2_max_trans is the largest "transact" send or receive, which is 53 * used for directory listings and info set/get operations. 54 */ 55 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */ 56 uint32_t smb2_max_rwsize = (1<<16); /* 64KB */ 57 uint32_t smb2_max_trans = (1<<16); /* 64KB */ 58 59 /* 60 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU 61 * (including all clients using dialect < SMB 2.1), use a "conservative" value 62 * for max r/w size because some older clients misbehave with larger values. 63 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x 64 * Support) as the minimum so we'll use that. 65 */ 66 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */ 67 68 /* 69 * List of all SMB2 versions we implement. Note that the 70 * versions we support may be limited by the 71 * _cfg.skc_max_protocol and min_protocol settings. 72 */ 73 static uint16_t smb2_versions[] = { 74 0x202, /* SMB 2.002 */ 75 0x210, /* SMB 2.1 */ 76 0x300, /* SMB 3.0 */ 77 0x302, /* SMB 3.02 */ 78 }; 79 static uint16_t smb2_nversions = 80 sizeof (smb2_versions) / sizeof (smb2_versions[0]); 81 82 static boolean_t 83 smb2_supported_version(smb_session_t *s, uint16_t version) 84 { 85 int i; 86 87 if (version > s->s_cfg.skc_max_protocol || 88 version < s->s_cfg.skc_min_protocol) 89 return (B_FALSE); 90 for (i = 0; i < smb2_nversions; i++) 91 if (version == smb2_versions[i]) 92 return (B_TRUE); 93 return (B_FALSE); 94 } 95 96 /* 97 * Helper for the (SMB1) smb_com_negotiate(). This is the 98 * very unusual protocol interaction where an SMB1 negotiate 99 * gets an SMB2 negotiate response. This is the normal way 100 * clients first find out if the server supports SMB2. 101 * 102 * Note: This sends an SMB2 reply _itself_ and then returns 103 * SDRC_NO_REPLY so the caller will not send an SMB1 reply. 104 * Also, this is called directly from the reader thread, so 105 * we know this is the only thread using this session. 106 * 107 * The caller frees this request. 108 */ 109 smb_sdrc_t 110 smb1_negotiate_smb2(smb_request_t *sr) 111 { 112 smb_session_t *s = sr->session; 113 smb_arg_negotiate_t *negprot = sr->sr_negprot; 114 uint16_t smb2_version; 115 int rc; 116 117 /* 118 * Note: In the SMB1 negotiate command handler, we 119 * agreed with one of the SMB2 dialects. If that 120 * dialect was "SMB 2.002", we'll respond here with 121 * version 0x202 and negotiation is done. If that 122 * dialect was "SMB 2.???", we'll respond here with 123 * the "wildcard" version 0x2FF, and the client will 124 * come back with an SMB2 negotiate. 125 */ 126 switch (negprot->ni_dialect) { 127 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */ 128 smb2_version = SMB_VERS_2_002; 129 s->dialect = smb2_version; 130 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 131 /* Allow normal SMB2 requests now. */ 132 s->newrq_func = smb2sr_newrq; 133 break; 134 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */ 135 /* 136 * Expecting an SMB2 negotiate next, so keep the 137 * initial s->newrq_func. 138 */ 139 smb2_version = 0x2FF; 140 break; 141 default: 142 return (SDRC_DROP_VC); 143 } 144 145 /* 146 * Clients that negotiate SMB2 from SMB1 have not yet had the 147 * opportunity to provide us with a secmode. However, any 148 * client that negotiates SMB2 should support signing, so 149 * this should be fiction good enough to pass the signing 150 * check in smb2_negotiate_common(). Even if the client 151 * doesn't support signing and we require it, we'll fail them 152 * later when they fail to sign the packet. For 2.???, 153 * we'll check the real secmode when the 2nd negotiate comes. 154 */ 155 s->cli_secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 156 157 /* 158 * We did not decode an SMB2 header, so make sure 159 * the SMB2 header fields are initialized. 160 * (Most are zero from smb_request_alloc.) 161 * Also, the SMB1 common dispatch code reserved space 162 * for an SMB1 header, which we need to undo here. 163 */ 164 sr->smb2_reply_hdr = sr->reply.chain_offset = 0; 165 sr->smb2_cmd_code = SMB2_NEGOTIATE; 166 167 rc = smb2_negotiate_common(sr, smb2_version); 168 smb2_send_reply(sr); 169 if (rc != 0) 170 return (SDRC_DROP_VC); 171 172 /* 173 * We sent the reply, so tell the SMB1 dispatch 174 * it should NOT (also) send a reply. 175 */ 176 return (SDRC_NO_REPLY); 177 } 178 179 static uint16_t 180 smb2_find_best_dialect(smb_session_t *s, uint16_t cl_versions[], 181 uint16_t version_cnt) 182 { 183 uint16_t best_version = 0; 184 int i; 185 186 for (i = 0; i < version_cnt; i++) 187 if (smb2_supported_version(s, cl_versions[i]) && 188 best_version < cl_versions[i]) 189 best_version = cl_versions[i]; 190 191 return (best_version); 192 } 193 194 /* 195 * SMB2 Negotiate gets special handling. This is called directly by 196 * the reader thread (see smbsr_newrq_initial) with what _should_ be 197 * an SMB2 Negotiate. Only the "\feSMB" header has been checked 198 * when this is called, so this needs to check the SMB command, 199 * if it's Negotiate execute it, then send the reply, etc. 200 * 201 * Since this is called directly from the reader thread, we 202 * know this is the only thread currently using this session. 203 * This has to duplicate some of what smb2sr_work does as a 204 * result of bypassing the normal dispatch mechanism. 205 * 206 * The caller always frees this request. 207 * 208 * Return value is 0 for success, and anything else will 209 * terminate the reader thread (drop the connection). 210 */ 211 int 212 smb2_newrq_negotiate(smb_request_t *sr) 213 { 214 smb_session_t *s = sr->session; 215 int rc; 216 uint16_t struct_size; 217 uint16_t best_version; 218 uint16_t version_cnt; 219 uint16_t cl_versions[8]; 220 221 sr->smb2_cmd_hdr = sr->command.chain_offset; 222 rc = smb2_decode_header(sr); 223 if (rc != 0) 224 return (rc); 225 226 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) || 227 (sr->smb2_next_command != 0)) 228 return (-1); 229 230 /* 231 * Decode SMB2 Negotiate (fixed-size part) 232 */ 233 rc = smb_mbc_decodef( 234 &sr->command, "www..l16c8.", 235 &struct_size, /* w */ 236 &version_cnt, /* w */ 237 &s->cli_secmode, /* w */ 238 /* reserved (..) */ 239 &s->capabilities, /* l */ 240 s->clnt_uuid); /* 16c */ 241 /* start_time 8. */ 242 if (rc != 0) 243 return (rc); 244 if (struct_size != 36 || version_cnt > 8) 245 return (-1); 246 247 /* 248 * Decode SMB2 Negotiate (variable part) 249 */ 250 rc = smb_mbc_decodef(&sr->command, 251 "#w", version_cnt, cl_versions); 252 if (rc != 0) 253 return (rc); 254 255 DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr); 256 257 /* 258 * The client offers an array of protocol versions it 259 * supports, which we have decoded into cl_versions[]. 260 * We walk the array and pick the highest supported. 261 */ 262 best_version = smb2_find_best_dialect(s, cl_versions, version_cnt); 263 if (best_version == 0) { 264 cmn_err(CE_NOTE, "clnt %s no supported dialect", 265 sr->session->ip_addr_str); 266 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 267 rc = -1; 268 goto errout; 269 } 270 s->dialect = best_version; 271 272 /* Allow normal SMB2 requests now. */ 273 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 274 s->newrq_func = smb2sr_newrq; 275 276 rc = smb2_negotiate_common(sr, best_version); 277 278 errout: 279 /* sr->smb2_status was set */ 280 DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr); 281 282 smb2_send_reply(sr); 283 284 return (rc); 285 } 286 287 /* 288 * Common parts of SMB2 Negotiate, used for both the 289 * SMB1-to-SMB2 style, and straight SMB2 style. 290 * Do negotiation decisions and encode the reply. 291 * The caller does the network send. 292 * 293 * Return value is 0 for success, and anything else will 294 * terminate the reader thread (drop the connection). 295 */ 296 static int 297 smb2_negotiate_common(smb_request_t *sr, uint16_t version) 298 { 299 timestruc_t boot_tv, now_tv; 300 smb_session_t *s = sr->session; 301 int rc; 302 uint32_t max_rwsize; 303 uint16_t secmode; 304 305 sr->smb2_status = 0; 306 307 /* 308 * Negotiation itself. First the Security Mode. 309 */ 310 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 311 if (sr->sr_cfg->skc_signing_required) { 312 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 313 /* Make sure client at least enables signing. */ 314 if ((s->cli_secmode & secmode) == 0) { 315 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 316 } 317 } 318 s->srv_secmode = secmode; 319 320 s->cmd_max_bytes = smb2_tcp_bufsize; 321 s->reply_max_bytes = smb2_tcp_bufsize; 322 323 /* 324 * "The number of credits held by the client MUST be considered 325 * as 1 when the connection is established." [MS-SMB2] 326 * We leave credits at 1 until the first successful 327 * session setup is completed. 328 */ 329 s->s_cur_credits = s->s_max_credits = 1; 330 sr->smb2_credit_response = 1; 331 332 boot_tv.tv_sec = smb_get_boottime(); 333 boot_tv.tv_nsec = 0; 334 now_tv.tv_sec = gethrestime_sec(); 335 now_tv.tv_nsec = 0; 336 337 /* 338 * SMB2 negotiate reply 339 */ 340 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR; 341 (void) smb2_encode_header(sr, B_FALSE); 342 if (sr->smb2_status != 0) { 343 smb2sr_put_error(sr, sr->smb2_status); 344 /* smb2_send_reply(sr); in caller */ 345 return (-1); /* will drop */ 346 } 347 348 /* 349 * If the version is 0x2FF, we haven't completed negotiate. 350 * Don't initialize until we have our final request. 351 */ 352 if (version != 0x2FF) 353 smb2_sign_init_mech(s); 354 355 /* 356 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request 357 * 358 * The SMB2.x capabilities are returned without regard for 359 * what capabilities the client provided in the request. 360 * The SMB3.x capabilities returned are the traditional 361 * logical AND of server and client capabilities. 362 * 363 * One additional check: If KCF is missing something we 364 * require for encryption, turn off that capability. 365 */ 366 if (s->dialect < SMB_VERS_3_0) { 367 /* SMB 2.x */ 368 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS; 369 } else { 370 /* SMB 3.0 or later */ 371 s->srv_cap = smb2srv_capabilities & 372 (SMB_2X_CAPS | s->capabilities); 373 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 && 374 smb3_encrypt_init_mech(s) != 0) { 375 s->srv_cap &= ~SMB2_CAP_ENCRYPTION; 376 } 377 } 378 379 /* 380 * See notes above smb2_max_rwsize, smb2_old_rwsize 381 */ 382 if (s->capabilities & SMB2_CAP_LARGE_MTU) 383 max_rwsize = smb2_max_rwsize; 384 else 385 max_rwsize = smb2_old_rwsize; 386 387 rc = smb_mbc_encodef( 388 &sr->reply, 389 "wwww#cllllTTwwl#c", 390 65, /* StructSize */ /* w */ 391 s->srv_secmode, /* w */ 392 version, /* w */ 393 0, /* reserved */ /* w */ 394 UUID_LEN, /* # */ 395 &s->s_cfg.skc_machine_uuid, /* c */ 396 s->srv_cap, /* l */ 397 smb2_max_trans, /* l */ 398 max_rwsize, /* l */ 399 max_rwsize, /* l */ 400 &now_tv, /* T */ 401 &boot_tv, /* T */ 402 128, /* SecBufOff */ /* w */ 403 sr->sr_cfg->skc_negtok_len, /* w */ 404 0, /* reserved */ /* l */ 405 sr->sr_cfg->skc_negtok_len, /* # */ 406 sr->sr_cfg->skc_negtok); /* c */ 407 408 /* smb2_send_reply(sr); in caller */ 409 410 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 411 SO_SNDBUF, (const void *)&smb2_tcp_bufsize, 412 sizeof (smb2_tcp_bufsize), CRED()); 413 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 414 SO_RCVBUF, (const void *)&smb2_tcp_bufsize, 415 sizeof (smb2_tcp_bufsize), CRED()); 416 417 return (rc); 418 } 419 420 /* 421 * SMB2 Dispatch table handler, which will run if we see an 422 * SMB2_NEGOTIATE after the initial negotiation is done. 423 * That would be a protocol error. 424 */ 425 smb_sdrc_t 426 smb2_negotiate(smb_request_t *sr) 427 { 428 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 429 return (SDRC_ERROR); 430 } 431 432 /* 433 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6 434 */ 435 uint32_t 436 smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl) 437 { 438 smb_session_t *s = sr->session; 439 int rc; 440 441 /* 442 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here 443 * and verify that the original negotiate was not modified. 444 * The only tampering we need worry about is secmode, and 445 * we're not taking that from the client, so don't bother. 446 * 447 * One interesting requirement here is that we MUST reply 448 * with exactly the same information as we returned in our 449 * original reply to the SMB2 negotiate on this session. 450 * If we don't the client closes the connection. 451 */ 452 453 /* dialects[8] taken from cl_versions[8] in smb2_newrq_negotiate */ 454 uint32_t capabilities; 455 uint16_t secmode, num_dialects, dialects[8]; 456 uint8_t clnt_guid[16]; 457 458 if (fsctl->InputCount < 24) 459 goto drop; 460 461 (void) smb_mbc_decodef(fsctl->in_mbc, "l16cww", 462 &capabilities, /* l */ 463 &clnt_guid, /* 16c */ 464 &secmode, /* w */ 465 &num_dialects); /* w */ 466 467 if (num_dialects == 0 || num_dialects > 8) 468 goto drop; 469 if (secmode != s->cli_secmode) 470 goto drop; 471 if (capabilities != s->capabilities) 472 goto drop; 473 if (memcmp(clnt_guid, s->clnt_uuid, sizeof (clnt_guid)) != 0) 474 goto drop; 475 476 if (fsctl->InputCount < (24 + num_dialects * sizeof (*dialects))) 477 goto drop; 478 479 rc = smb_mbc_decodef(fsctl->in_mbc, "#w", num_dialects, dialects); 480 if (rc != 0) 481 goto drop; 482 483 if (smb2_find_best_dialect(s, dialects, num_dialects) != s->dialect) 484 goto drop; 485 486 rc = smb_mbc_encodef( 487 fsctl->out_mbc, "l#cww", 488 s->srv_cap, /* l */ 489 UUID_LEN, /* # */ 490 &s->s_cfg.skc_machine_uuid, /* c */ 491 s->srv_secmode, /* w */ 492 s->dialect); /* w */ 493 if (rc == 0) 494 return (rc); 495 496 drop: 497 smb_session_disconnect(s); 498 return (NT_STATUS_ACCESS_DENIED); 499 } 500