1 /* 2 * This file and its contents are supplied under the terms of the 3 * Common Development and Distribution License ("CDDL"), version 1.0. 4 * You may only use this file in accordance with the terms of version 5 * 1.0 of the CDDL. 6 * 7 * A full copy of the text of the CDDL should have accompanied this 8 * source. A copy of the CDDL is also available via the Internet at 9 * http://www.illumos.org/license/CDDL. 10 */ 11 12 /* 13 * Copyright 2018 Nexenta Systems, Inc. All rights reserved. 14 * Copyright 2019 RackTop Systems. 15 */ 16 17 /* 18 * Dispatch function for SMB2_NEGOTIATE 19 */ 20 21 #include <smbsrv/smb2_kproto.h> 22 #include <smbsrv/smb2.h> 23 24 static int smb2_negotiate_common(smb_request_t *, uint16_t); 25 26 /* List of supported capabilities. Can be patched for testing. */ 27 uint32_t smb2srv_capabilities = 28 SMB2_CAP_DFS | 29 SMB2_CAP_LEASING | 30 SMB2_CAP_LARGE_MTU | 31 SMB2_CAP_PERSISTENT_HANDLES | 32 SMB2_CAP_ENCRYPTION; 33 34 /* These are the only capabilities defined for SMB2.X */ 35 #define SMB_2X_CAPS (SMB2_CAP_DFS | SMB2_CAP_LEASING | SMB2_CAP_LARGE_MTU) 36 37 /* 38 * These are not intended as customer tunables, but dev. & test folks 39 * might want to adjust them (with caution). 40 * 41 * smb2_tcp_bufsize is the TCP buffer size, applied to the network socket 42 * with setsockopt SO_SNDBUF, SO_RCVBUF. These set the TCP window size. 43 * This is also used as a "sanity limit" for internal send/reply message 44 * allocations. Note that with compounding SMB2 messages may contain 45 * multiple requests/responses. This size should be large enough for 46 * at least a few SMB2 requests, and at least 2X smb2_max_rwsize. 47 * 48 * smb2_max_rwsize is what we put in the SMB2 negotiate response to tell 49 * the client the largest read and write request size we'll support. 50 * For now, we're using contiguous allocations, so keep this at 64KB 51 * so that (even with message overhead) allocations stay below 128KB, 52 * avoiding kmem_alloc -> page_create_va thrashing. 53 * 54 * smb2_max_trans is the largest "transact" send or receive, which is 55 * used for directory listings and info set/get operations. 56 */ 57 uint32_t smb2_tcp_bufsize = (1<<22); /* 4MB */ 58 uint32_t smb2_max_rwsize = (1<<16); /* 64KB */ 59 uint32_t smb2_max_trans = (1<<16); /* 64KB */ 60 61 /* 62 * With clients (e.g. HP scanners) that don't advertise SMB2_CAP_LARGE_MTU 63 * (including all clients using dialect < SMB 2.1), use a "conservative" value 64 * for max r/w size because some older clients misbehave with larger values. 65 * 64KB is recommended in the [MS-SMB2] spec. (3.3.5.3.1 SMB 2.1 or SMB 3.x 66 * Support) as the minimum so we'll use that. 67 */ 68 uint32_t smb2_old_rwsize = (1<<16); /* 64KB */ 69 70 /* 71 * List of all SMB2 versions we implement. Note that the 72 * versions we support may be limited by the 73 * _cfg.skc_max_protocol and min_protocol settings. 74 */ 75 static uint16_t smb2_versions[] = { 76 0x202, /* SMB 2.002 */ 77 0x210, /* SMB 2.1 */ 78 0x300, /* SMB 3.0 */ 79 0x302, /* SMB 3.02 */ 80 }; 81 static uint16_t smb2_nversions = 82 sizeof (smb2_versions) / sizeof (smb2_versions[0]); 83 84 static boolean_t 85 smb2_supported_version(smb_session_t *s, uint16_t version) 86 { 87 int i; 88 89 if (version > s->s_cfg.skc_max_protocol || 90 version < s->s_cfg.skc_min_protocol) 91 return (B_FALSE); 92 for (i = 0; i < smb2_nversions; i++) 93 if (version == smb2_versions[i]) 94 return (B_TRUE); 95 return (B_FALSE); 96 } 97 98 /* 99 * Helper for the (SMB1) smb_com_negotiate(). This is the 100 * very unusual protocol interaction where an SMB1 negotiate 101 * gets an SMB2 negotiate response. This is the normal way 102 * clients first find out if the server supports SMB2. 103 * 104 * Note: This sends an SMB2 reply _itself_ and then returns 105 * SDRC_NO_REPLY so the caller will not send an SMB1 reply. 106 * Also, this is called directly from the reader thread, so 107 * we know this is the only thread using this session. 108 * 109 * The caller frees this request. 110 */ 111 smb_sdrc_t 112 smb1_negotiate_smb2(smb_request_t *sr) 113 { 114 smb_session_t *s = sr->session; 115 smb_arg_negotiate_t *negprot = sr->sr_negprot; 116 uint16_t smb2_version; 117 int rc; 118 119 /* 120 * Note: In the SMB1 negotiate command handler, we 121 * agreed with one of the SMB2 dialects. If that 122 * dialect was "SMB 2.002", we'll respond here with 123 * version 0x202 and negotiation is done. If that 124 * dialect was "SMB 2.???", we'll respond here with 125 * the "wildcard" version 0x2FF, and the client will 126 * come back with an SMB2 negotiate. 127 */ 128 switch (negprot->ni_dialect) { 129 case DIALECT_SMB2002: /* SMB 2.002 (a.k.a. SMB2.0) */ 130 smb2_version = SMB_VERS_2_002; 131 s->dialect = smb2_version; 132 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 133 /* Allow normal SMB2 requests now. */ 134 s->newrq_func = smb2sr_newrq; 135 break; 136 case DIALECT_SMB2XXX: /* SMB 2.??? (wildcard vers) */ 137 /* 138 * Expecting an SMB2 negotiate next, so keep the 139 * initial s->newrq_func. 140 */ 141 smb2_version = 0x2FF; 142 break; 143 default: 144 return (SDRC_DROP_VC); 145 } 146 147 /* 148 * Clients that negotiate SMB2 from SMB1 have not yet had the 149 * opportunity to provide us with a secmode. However, any 150 * client that negotiates SMB2 should support signing, so 151 * this should be fiction good enough to pass the signing 152 * check in smb2_negotiate_common(). Even if the client 153 * doesn't support signing and we require it, we'll fail them 154 * later when they fail to sign the packet. For 2.???, 155 * we'll check the real secmode when the 2nd negotiate comes. 156 */ 157 s->cli_secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 158 159 /* 160 * We did not decode an SMB2 header, so make sure 161 * the SMB2 header fields are initialized. 162 * (Most are zero from smb_request_alloc.) 163 * Also, the SMB1 common dispatch code reserved space 164 * for an SMB1 header, which we need to undo here. 165 */ 166 sr->smb2_reply_hdr = sr->reply.chain_offset = 0; 167 sr->smb2_cmd_code = SMB2_NEGOTIATE; 168 169 rc = smb2_negotiate_common(sr, smb2_version); 170 smb2_send_reply(sr); 171 if (rc != 0) 172 return (SDRC_DROP_VC); 173 174 /* 175 * We sent the reply, so tell the SMB1 dispatch 176 * it should NOT (also) send a reply. 177 */ 178 return (SDRC_NO_REPLY); 179 } 180 181 static uint16_t 182 smb2_find_best_dialect(smb_session_t *s, uint16_t cl_versions[], 183 uint16_t version_cnt) 184 { 185 uint16_t best_version = 0; 186 int i; 187 188 for (i = 0; i < version_cnt; i++) 189 if (smb2_supported_version(s, cl_versions[i]) && 190 best_version < cl_versions[i]) 191 best_version = cl_versions[i]; 192 193 return (best_version); 194 } 195 196 /* 197 * SMB2 Negotiate gets special handling. This is called directly by 198 * the reader thread (see smbsr_newrq_initial) with what _should_ be 199 * an SMB2 Negotiate. Only the "\feSMB" header has been checked 200 * when this is called, so this needs to check the SMB command, 201 * if it's Negotiate execute it, then send the reply, etc. 202 * 203 * Since this is called directly from the reader thread, we 204 * know this is the only thread currently using this session. 205 * This has to duplicate some of what smb2sr_work does as a 206 * result of bypassing the normal dispatch mechanism. 207 * 208 * The caller always frees this request. 209 * 210 * Return value is 0 for success, and anything else will 211 * terminate the reader thread (drop the connection). 212 */ 213 int 214 smb2_newrq_negotiate(smb_request_t *sr) 215 { 216 smb_session_t *s = sr->session; 217 int rc; 218 uint16_t struct_size; 219 uint16_t best_version; 220 uint16_t version_cnt; 221 uint16_t cl_versions[8]; 222 223 sr->smb2_cmd_hdr = sr->command.chain_offset; 224 rc = smb2_decode_header(sr); 225 if (rc != 0) 226 return (rc); 227 228 if ((sr->smb2_cmd_code != SMB2_NEGOTIATE) || 229 (sr->smb2_next_command != 0)) 230 return (-1); 231 232 /* 233 * Decode SMB2 Negotiate (fixed-size part) 234 */ 235 rc = smb_mbc_decodef( 236 &sr->command, "www..l16c8.", 237 &struct_size, /* w */ 238 &version_cnt, /* w */ 239 &s->cli_secmode, /* w */ 240 /* reserved (..) */ 241 &s->capabilities, /* l */ 242 s->clnt_uuid); /* 16c */ 243 /* start_time 8. */ 244 if (rc != 0) 245 return (rc); 246 if (struct_size != 36 || version_cnt > 8) 247 return (-1); 248 249 /* 250 * Decode SMB2 Negotiate (variable part) 251 */ 252 rc = smb_mbc_decodef(&sr->command, 253 "#w", version_cnt, cl_versions); 254 if (rc != 0) 255 return (rc); 256 257 DTRACE_SMB2_START(op__Negotiate, smb_request_t *, sr); 258 259 /* 260 * The client offers an array of protocol versions it 261 * supports, which we have decoded into cl_versions[]. 262 * We walk the array and pick the highest supported. 263 */ 264 best_version = smb2_find_best_dialect(s, cl_versions, version_cnt); 265 if (best_version == 0) { 266 cmn_err(CE_NOTE, "clnt %s no supported dialect", 267 sr->session->ip_addr_str); 268 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 269 rc = -1; 270 goto errout; 271 } 272 s->dialect = best_version; 273 274 /* Allow normal SMB2 requests now. */ 275 s->s_state = SMB_SESSION_STATE_NEGOTIATED; 276 s->newrq_func = smb2sr_newrq; 277 278 rc = smb2_negotiate_common(sr, best_version); 279 280 errout: 281 /* sr->smb2_status was set */ 282 DTRACE_SMB2_DONE(op__Negotiate, smb_request_t *, sr); 283 284 smb2_send_reply(sr); 285 286 return (rc); 287 } 288 289 /* 290 * Common parts of SMB2 Negotiate, used for both the 291 * SMB1-to-SMB2 style, and straight SMB2 style. 292 * Do negotiation decisions and encode the reply. 293 * The caller does the network send. 294 * 295 * Return value is 0 for success, and anything else will 296 * terminate the reader thread (drop the connection). 297 */ 298 static int 299 smb2_negotiate_common(smb_request_t *sr, uint16_t version) 300 { 301 timestruc_t boot_tv, now_tv; 302 smb_session_t *s = sr->session; 303 int rc; 304 uint32_t max_rwsize; 305 uint16_t secmode; 306 307 sr->smb2_status = 0; 308 309 /* 310 * Negotiation itself. First the Security Mode. 311 */ 312 secmode = SMB2_NEGOTIATE_SIGNING_ENABLED; 313 if (sr->sr_cfg->skc_signing_required) { 314 secmode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; 315 /* Make sure client at least enables signing. */ 316 if ((s->cli_secmode & secmode) == 0) { 317 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 318 } 319 } 320 s->srv_secmode = secmode; 321 322 s->cmd_max_bytes = smb2_tcp_bufsize; 323 s->reply_max_bytes = smb2_tcp_bufsize; 324 325 /* 326 * "The number of credits held by the client MUST be considered 327 * as 1 when the connection is established." [MS-SMB2] 328 * We leave credits at 1 until the first successful 329 * session setup is completed. 330 */ 331 s->s_cur_credits = s->s_max_credits = 1; 332 sr->smb2_credit_response = 1; 333 334 boot_tv.tv_sec = smb_get_boottime(); 335 boot_tv.tv_nsec = 0; 336 now_tv.tv_sec = gethrestime_sec(); 337 now_tv.tv_nsec = 0; 338 339 /* 340 * SMB2 negotiate reply 341 */ 342 sr->smb2_hdr_flags = SMB2_FLAGS_SERVER_TO_REDIR; 343 (void) smb2_encode_header(sr, B_FALSE); 344 if (sr->smb2_status != 0) { 345 smb2sr_put_error(sr, sr->smb2_status); 346 /* smb2_send_reply(sr); in caller */ 347 return (-1); /* will drop */ 348 } 349 350 /* 351 * If the version is 0x2FF, we haven't completed negotiate. 352 * Don't initialize until we have our final request. 353 */ 354 if (version != 0x2FF) 355 smb2_sign_init_mech(s); 356 357 /* 358 * [MS-SMB2] 3.3.5.4 Receiving an SMB2 NEGOTIATE Request 359 * 360 * The SMB2.x capabilities are returned without regard for 361 * what capabilities the client provided in the request. 362 * The SMB3.x capabilities returned are the traditional 363 * logical AND of server and client capabilities. 364 * 365 * One additional check: If KCF is missing something we 366 * require for encryption, turn off that capability. 367 */ 368 if (s->dialect < SMB_VERS_2_1) { 369 /* SMB 2.002 */ 370 s->srv_cap = smb2srv_capabilities & SMB2_CAP_DFS; 371 } else if (s->dialect < SMB_VERS_3_0) { 372 /* SMB 2.x */ 373 s->srv_cap = smb2srv_capabilities & SMB_2X_CAPS; 374 } else { 375 /* SMB 3.0 or later */ 376 s->srv_cap = smb2srv_capabilities & 377 (SMB_2X_CAPS | s->capabilities); 378 if ((s->srv_cap & SMB2_CAP_ENCRYPTION) != 0 && 379 smb3_encrypt_init_mech(s) != 0) { 380 s->srv_cap &= ~SMB2_CAP_ENCRYPTION; 381 } 382 } 383 384 /* 385 * See notes above smb2_max_rwsize, smb2_old_rwsize 386 */ 387 if (s->capabilities & SMB2_CAP_LARGE_MTU) 388 max_rwsize = smb2_max_rwsize; 389 else 390 max_rwsize = smb2_old_rwsize; 391 392 rc = smb_mbc_encodef( 393 &sr->reply, 394 "wwww#cllllTTwwl#c", 395 65, /* StructSize */ /* w */ 396 s->srv_secmode, /* w */ 397 version, /* w */ 398 0, /* reserved */ /* w */ 399 UUID_LEN, /* # */ 400 &s->s_cfg.skc_machine_uuid, /* c */ 401 s->srv_cap, /* l */ 402 smb2_max_trans, /* l */ 403 max_rwsize, /* l */ 404 max_rwsize, /* l */ 405 &now_tv, /* T */ 406 &boot_tv, /* T */ 407 128, /* SecBufOff */ /* w */ 408 sr->sr_cfg->skc_negtok_len, /* w */ 409 0, /* reserved */ /* l */ 410 sr->sr_cfg->skc_negtok_len, /* # */ 411 sr->sr_cfg->skc_negtok); /* c */ 412 413 /* smb2_send_reply(sr); in caller */ 414 415 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 416 SO_SNDBUF, (const void *)&smb2_tcp_bufsize, 417 sizeof (smb2_tcp_bufsize), CRED()); 418 (void) ksocket_setsockopt(s->sock, SOL_SOCKET, 419 SO_RCVBUF, (const void *)&smb2_tcp_bufsize, 420 sizeof (smb2_tcp_bufsize), CRED()); 421 422 return (rc); 423 } 424 425 /* 426 * SMB2 Dispatch table handler, which will run if we see an 427 * SMB2_NEGOTIATE after the initial negotiation is done. 428 * That would be a protocol error. 429 */ 430 smb_sdrc_t 431 smb2_negotiate(smb_request_t *sr) 432 { 433 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 434 return (SDRC_ERROR); 435 } 436 437 /* 438 * VALIDATE_NEGOTIATE_INFO [MS-SMB2] 2.2.32.6 439 */ 440 uint32_t 441 smb2_nego_validate(smb_request_t *sr, smb_fsctl_t *fsctl) 442 { 443 smb_session_t *s = sr->session; 444 int rc; 445 446 /* 447 * The spec. says to parse the VALIDATE_NEGOTIATE_INFO here 448 * and verify that the original negotiate was not modified. 449 * The only tampering we need worry about is secmode, and 450 * we're not taking that from the client, so don't bother. 451 * 452 * One interesting requirement here is that we MUST reply 453 * with exactly the same information as we returned in our 454 * original reply to the SMB2 negotiate on this session. 455 * If we don't the client closes the connection. 456 */ 457 458 /* dialects[8] taken from cl_versions[8] in smb2_newrq_negotiate */ 459 uint32_t capabilities; 460 uint16_t secmode, num_dialects, dialects[8]; 461 uint8_t clnt_guid[16]; 462 463 if (fsctl->InputCount < 24) 464 goto drop; 465 466 (void) smb_mbc_decodef(fsctl->in_mbc, "l16cww", 467 &capabilities, /* l */ 468 &clnt_guid, /* 16c */ 469 &secmode, /* w */ 470 &num_dialects); /* w */ 471 472 if (num_dialects == 0 || num_dialects > 8) 473 goto drop; 474 if (secmode != s->cli_secmode) 475 goto drop; 476 if (capabilities != s->capabilities) 477 goto drop; 478 if (memcmp(clnt_guid, s->clnt_uuid, sizeof (clnt_guid)) != 0) 479 goto drop; 480 481 if (fsctl->InputCount < (24 + num_dialects * sizeof (*dialects))) 482 goto drop; 483 484 rc = smb_mbc_decodef(fsctl->in_mbc, "#w", num_dialects, dialects); 485 if (rc != 0) 486 goto drop; 487 488 if (smb2_find_best_dialect(s, dialects, num_dialects) != s->dialect) 489 goto drop; 490 491 rc = smb_mbc_encodef( 492 fsctl->out_mbc, "l#cww", 493 s->srv_cap, /* l */ 494 UUID_LEN, /* # */ 495 &s->s_cfg.skc_machine_uuid, /* c */ 496 s->srv_secmode, /* w */ 497 s->dialect); /* w */ 498 if (rc == 0) 499 return (rc); 500 501 drop: 502 smb_session_disconnect(s); 503 return (NT_STATUS_ACCESS_DENIED); 504 } 505