1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2017 Nexenta Systems, Inc. All rights reserved. 24 */ 25 26 /* 27 * Notes on the virtual circuit (VC) values in the SMB Negotiate 28 * response and SessionSetupAndx request. 29 * 30 * A virtual circuit (VC) represents a connection between a client and a 31 * server using a reliable, session oriented transport protocol, such as 32 * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a 33 * single underlying transport connection, i.e. a single NetBIOS session, 34 * which limited performance for raw data transfers. 35 * 36 * The intention behind multiple VCs was to improve performance by 37 * allowing parallelism over each NetBIOS session. For example, raw data 38 * could be transmitted using a different VC from other types of SMB 39 * requests to remove the interleaving restriction while a raw transfer 40 * is in progress. So the MaxNumberVcs field was added to the negotiate 41 * response to make the number of VCs configurable and to allow servers 42 * to specify how many they were prepared to support per session 43 * connection. This turned out to be difficult to manage and, with 44 * technology improvements, it has become obsolete. 45 * 46 * Servers should set the MaxNumberVcs value in the Negotiate response 47 * to 1. Clients should probably ignore it. If a server receives a 48 * SessionSetupAndx with a VC value of 0, it should close all other 49 * VCs to that client. If it receives a non-zero VC, it should leave 50 * other VCs in tact. 51 * 52 */ 53 54 /* 55 * SMB: negotiate 56 * 57 * Client Request Description 58 * ============================ ======================================= 59 * 60 * UCHAR WordCount; Count of parameter words = 0 61 * USHORT ByteCount; Count of data bytes; min = 2 62 * struct { 63 * UCHAR BufferFormat; 0x02 -- Dialect 64 * UCHAR DialectName[]; ASCII null-terminated string 65 * } Dialects[]; 66 * 67 * The Client sends a list of dialects that it can communicate with. The 68 * response is a selection of one of those dialects (numbered 0 through n) 69 * or -1 (hex FFFF) indicating that none of the dialects were acceptable. 70 * The negotiate message is binding on the virtual circuit and must be 71 * sent. One and only one negotiate message may be sent, subsequent 72 * negotiate requests will be rejected with an error response and no action 73 * will be taken. 74 * 75 * The protocol does not impose any particular structure to the dialect 76 * strings. Implementors of particular protocols may choose to include, 77 * for example, version numbers in the string. 78 * 79 * If the server does not understand any of the dialect strings, or if PC 80 * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is 81 * 82 * Server Response Description 83 * ============================ ======================================= 84 * 85 * UCHAR WordCount; Count of parameter words = 1 86 * USHORT DialectIndex; Index of selected dialect 87 * USHORT ByteCount; Count of data bytes = 0 88 * 89 * If the chosen dialect is greater than core up to and including 90 * LANMAN2.1, the protocol response format is 91 * 92 * Server Response Description 93 * ============================ ======================================= 94 * 95 * UCHAR WordCount; Count of parameter words = 13 96 * USHORT DialectIndex; Index of selected dialect 97 * USHORT SecurityMode; Security mode: 98 * bit 0: 0 = share, 1 = user 99 * bit 1: 1 = use challenge/response 100 * authentication 101 * USHORT MaxBufferSize; Max transmit buffer size (>= 1024) 102 * USHORT MaxMpxCount; Max pending multiplexed requests 103 * USHORT MaxNumberVcs; Max VCs between client and server 104 * USHORT RawMode; Raw modes supported: 105 * bit 0: 1 = Read Raw supported 106 * bit 1: 1 = Write Raw supported 107 * ULONG SessionKey; Unique token identifying this session 108 * SMB_TIME ServerTime; Current time at server 109 * SMB_DATE ServerDate; Current date at server 110 * USHORT ServerTimeZone; Current time zone at server 111 * USHORT EncryptionKeyLength; MBZ if this is not LM2.1 112 * USHORT Reserved; MBZ 113 * USHORT ByteCount Count of data bytes 114 * UCHAR EncryptionKey[]; The challenge encryption key 115 * STRING PrimaryDomain[]; The server's primary domain 116 * 117 * MaxBufferSize is the size of the largest message which the client can 118 * legitimately send to the server 119 * 120 * If bit0 of the Flags field is set in the negotiate response, this 121 * indicates the server supports the SMB_COM_LOCK_AND_READ and 122 * SMB_COM_WRITE_AND_UNLOCK client requests. 123 * 124 * If the SecurityMode field indicates the server is running in user mode, 125 * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests 126 * before the server will allow the client to access resources. If the 127 * SecurityMode fields indicates the client should use challenge/response 128 * authentication, the client should use the authentication mechanism 129 * specified in section 2.10. 130 * 131 * Clients should submit no more than MaxMpxCount distinct unanswered SMBs 132 * to the server when using multiplexed reads or writes (see sections 5.13 133 * and 5.25) 134 * 135 * Clients using the "MICROSOFT NETWORKS 1.03" dialect use a different 136 * form of raw reads than documented here, and servers are better off 137 * setting RawMode in this response to 0 for such sessions. 138 * 139 * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then 140 * PrimaryDomain string should be included in this response. 141 * 142 * If the negotiated dialect is NT LM 0.12, the response format is 143 * 144 * Server Response Description 145 * ========================== ========================================= 146 * 147 * UCHAR WordCount; Count of parameter words = 17 148 * USHORT DialectIndex; Index of selected dialect 149 * UCHAR SecurityMode; Security mode: 150 * bit 0: 0 = share, 1 = user 151 * bit 1: 1 = encrypt passwords 152 * USHORT MaxMpxCount; Max pending multiplexed requests 153 * USHORT MaxNumberVcs; Max VCs between client and server 154 * ULONG MaxBufferSize; Max transmit buffer size 155 * ULONG MaxRawSize; Maximum raw buffer size 156 * ULONG SessionKey; Unique token identifying this session 157 * ULONG Capabilities; Server capabilities 158 * ULONG SystemTimeLow; System (UTC) time of the server (low). 159 * ULONG SystemTimeHigh; System (UTC) time of the server (high). 160 * USHORT ServerTimeZone; Time zone of server (min from UTC) 161 * UCHAR EncryptionKeyLength; Length of encryption key. 162 * USHORT ByteCount; Count of data bytes 163 * UCHAR EncryptionKey[]; The challenge encryption key 164 * UCHAR OemDomainName[]; The name of the domain (in OEM chars) 165 * 166 * In addition to the definitions above, MaxBufferSize is the size of the 167 * largest message which the client can legitimately send to the server. 168 * If the client is using a connectionless protocol, MaxBufferSize must be 169 * set to the smaller of the server's internal buffer size and the amount 170 * of data which can be placed in a response packet. 171 * 172 * MaxRawSize specifies the maximum message size the server can send or 173 * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW. 174 * 175 * Connectionless clients must set Sid to 0 in the SMB request header. 176 * 177 * Capabilities allows the server to tell the client what it supports. 178 * The bit definitions defined in smb.h. Bit 0x2000 used to be set in 179 * the negotiate response capabilities but it caused problems with 180 * Windows 2000. It is probably not valid, it doesn't appear in the 181 * CIFS spec. 182 * 183 * 4.1.1.1 Errors 184 * 185 * SUCCESS/SUCCESS 186 * ERRSRV/ERRerror 187 */ 188 #include <sys/types.h> 189 #include <sys/socket.h> 190 #include <netinet/in.h> 191 #include <smbsrv/smb_kproto.h> 192 #include <smbsrv/smbinfo.h> 193 194 static const smb_xlate_t smb_dialect[] = { 195 { DIALECT_UNKNOWN, "DIALECT_UNKNOWN" }, 196 { PC_NETWORK_PROGRAM_1_0, "PC NETWORK PROGRAM 1.0" }, 197 { PCLAN1_0, "PCLAN1.0" }, 198 { MICROSOFT_NETWORKS_1_03, "MICROSOFT NETWORKS 1.03" }, 199 { MICROSOFT_NETWORKS_3_0, "MICROSOFT NETWORKS 3.0" }, 200 { LANMAN1_0, "LANMAN1.0" }, 201 { LM1_2X002, "LM1.2X002" }, 202 { DOS_LM1_2X002, "DOS LM1.2X002" }, 203 { DOS_LANMAN2_1, "DOS LANMAN2.1" }, 204 { LANMAN2_1, "LANMAN2.1" }, 205 { Windows_for_Workgroups_3_1a, "Windows for Workgroups 3.1a" }, 206 { NT_LM_0_12, "NT LM 0.12" }, 207 { DIALECT_SMB2002, "SMB 2.002" }, 208 { DIALECT_SMB2XXX, "SMB 2.???" }, 209 }; 210 static int smb_ndialects = sizeof (smb_dialect) / sizeof (smb_dialect[0]); 211 212 /* 213 * Maximum buffer size for DOS: chosen to be the same as NT. 214 * Do not change this value, DOS is very sensitive to it. 215 */ 216 #define SMB_DOS_MAXBUF 0x1104 217 218 /* 219 * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems 220 * with other values. DOS 6.1 seems to depend on a window value of 8700 to 221 * send the next set of data. If we return a window value of 40KB, after 222 * sending 8700 bytes of data, it will start the next set of data from 40KB 223 * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses. 224 * September 2000. 225 * 226 * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow 227 * for a larger TCP window sizei based on observations of Windows 2000 and 228 * performance testing. March 2003. 229 */ 230 static uint32_t smb_dos_tcp_rcvbuf = 8700; 231 static uint32_t smb_nt_tcp_rcvbuf = 1048560; /* scale factor of 4 */ 232 233 /* 234 * Maximum number of simultaneously pending SMB requests allowed on 235 * one connection. This is like "credits" in SMB2, but SMB1 uses a 236 * fixed limit, having no way to request an increase like SMB2 does. 237 * Note: Some older clients only handle the low byte of this value, 238 * so this value should be less than 256. 239 */ 240 static uint16_t smb_maxmpxcount = 64; 241 242 static int smb_xlate_dialect(const char *); 243 244 /* 245 * "Capabilities" offered by SMB1 Negotiate Protocol. 246 * See smb.h for descriptions. 247 * 248 * CAP_RAW_MODE, CAP_MPX_MODE are obsolete. 249 * UNICODE support is required for long share names, 250 * long file names and streams. 251 * 252 * For testing, one can patch this, i.e. remove the high bit to 253 * temporarily disable extended security, etc. 254 */ 255 uint32_t smb1srv_capabilities = 256 CAP_UNICODE | 257 CAP_LARGE_FILES | 258 CAP_NT_SMBS | 259 CAP_RPC_REMOTE_APIS | 260 CAP_STATUS32 | 261 CAP_LEVEL_II_OPLOCKS | 262 CAP_LOCK_AND_READ | 263 CAP_NT_FIND | 264 CAP_DFS | 265 CAP_INFOLEVEL_PASSTHRU | 266 CAP_LARGE_READX | 267 CAP_LARGE_WRITEX | 268 CAP_EXTENDED_SECURITY; 269 270 /* 271 * SMB Negotiate gets special handling. This is called directly by 272 * the reader thread (see smbsr_newrq_initial) with what _should_ be 273 * an SMB1 Negotiate. Only the "\ffSMB" header has been checked 274 * when this is called, so this needs to check the SMB command, 275 * if it's Negotiate execute it, then send the reply, etc. 276 * 277 * Since this is called directly from the reader thread, we 278 * know this is the only thread currently using this session. 279 * This has to duplicate some of what smb1sr_work does as a 280 * result of bypassing the normal dispatch mechanism. 281 * 282 * The caller always frees this request. 283 * 284 * Return value is 0 for success, and anything else will 285 * terminate the reader thread (drop the connection). 286 */ 287 int 288 smb1_newrq_negotiate(smb_request_t *sr) 289 { 290 smb_sdrc_t sdrc; 291 uint16_t pid_hi, pid_lo; 292 293 /* 294 * Decode the header 295 */ 296 if (smb_mbc_decodef(&sr->command, SMB_HEADER_ED_FMT, 297 &sr->smb_com, 298 &sr->smb_rcls, 299 &sr->smb_reh, 300 &sr->smb_err, 301 &sr->smb_flg, 302 &sr->smb_flg2, 303 &pid_hi, 304 sr->smb_sig, 305 &sr->smb_tid, 306 &pid_lo, 307 &sr->smb_uid, 308 &sr->smb_mid) != 0) 309 return (-1); 310 if (sr->smb_com != SMB_COM_NEGOTIATE) 311 return (-1); 312 313 sr->smb_pid = (pid_hi << 16) | pid_lo; 314 315 /* 316 * Reserve space for the reply header. 317 */ 318 (void) smb_mbc_encodef(&sr->reply, "#.", SMB_HEADER_LEN); 319 sr->first_smb_com = sr->smb_com; 320 321 if (smb_mbc_decodef(&sr->command, "b", &sr->smb_wct) != 0) 322 return (-1); 323 (void) MBC_SHADOW_CHAIN(&sr->smb_vwv, &sr->command, 324 sr->command.chain_offset, sr->smb_wct * 2); 325 326 if (smb_mbc_decodef(&sr->command, "#.w", sr->smb_wct*2, &sr->smb_bcc)) 327 return (-1); 328 (void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command, 329 sr->command.chain_offset, sr->smb_bcc); 330 331 sr->command.chain_offset += sr->smb_bcc; 332 if (sr->command.chain_offset > sr->command.max_bytes) 333 return (-1); 334 335 /* Store pointers for later */ 336 sr->cur_reply_offset = sr->reply.chain_offset; 337 338 sdrc = smb_pre_negotiate(sr); 339 if (sdrc == SDRC_SUCCESS) 340 sdrc = smb_com_negotiate(sr); 341 smb_post_negotiate(sr); 342 343 if (sdrc != SDRC_NO_REPLY) 344 smbsr_send_reply(sr); 345 if (sdrc == SDRC_DROP_VC) 346 return (-1); 347 348 return (0); 349 } 350 351 smb_sdrc_t 352 smb_pre_negotiate(smb_request_t *sr) 353 { 354 smb_kmod_cfg_t *skc; 355 smb_arg_negotiate_t *negprot; 356 int dialect; 357 int pos; 358 int rc = 0; 359 360 skc = &sr->session->s_cfg; 361 negprot = smb_srm_zalloc(sr, sizeof (smb_arg_negotiate_t)); 362 negprot->ni_index = -1; 363 sr->sr_negprot = negprot; 364 365 for (pos = 0; smbsr_decode_data_avail(sr); pos++) { 366 if (smbsr_decode_data(sr, "%L", sr, &negprot->ni_name) != 0) { 367 smbsr_error(sr, 0, ERRSRV, ERRerror); 368 rc = -1; 369 break; 370 } 371 372 if ((dialect = smb_xlate_dialect(negprot->ni_name)) < 0) 373 continue; 374 375 /* 376 * Conditionally recognize the SMB2 dialects. 377 */ 378 if (dialect >= DIALECT_SMB2002 && 379 skc->skc_max_protocol < SMB_VERS_2_BASE) 380 continue; 381 382 /* 383 * We may not support SMB1; skip those dialects if true. 384 */ 385 if (dialect < DIALECT_SMB2002 && 386 skc->skc_min_protocol > SMB_VERS_1) 387 continue; 388 389 if (dialect == DIALECT_SMB2002 && 390 skc->skc_min_protocol > SMB_VERS_2_002) 391 continue; 392 393 if (negprot->ni_dialect < dialect) { 394 negprot->ni_dialect = dialect; 395 negprot->ni_index = pos; 396 } 397 } 398 399 DTRACE_SMB_START(op__Negotiate, smb_request_t *, sr); 400 401 return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR); 402 } 403 404 void 405 smb_post_negotiate(smb_request_t *sr) 406 { 407 smb_arg_negotiate_t *negprot = sr->sr_negprot; 408 409 DTRACE_SMB_DONE(op__Negotiate, smb_request_t *, sr); 410 411 bzero(negprot, sizeof (smb_arg_negotiate_t)); 412 } 413 414 smb_sdrc_t 415 smb_com_negotiate(smb_request_t *sr) 416 { 417 smb_session_t *session = sr->session; 418 smb_arg_negotiate_t *negprot = sr->sr_negprot; 419 uint16_t secmode; 420 uint32_t sesskey; 421 char *nbdomain; 422 uint8_t *wcbuf; 423 int wclen; 424 smb_msgbuf_t mb; 425 int rc; 426 427 if (session->s_state != SMB_SESSION_STATE_ESTABLISHED) { 428 /* The protocol has already been negotiated. */ 429 smbsr_error(sr, 0, ERRSRV, ERRerror); 430 return (SDRC_ERROR); 431 } 432 433 if (negprot->ni_index < 0) { 434 cmn_err(CE_NOTE, "clnt %s no supported dialect", 435 sr->session->ip_addr_str); 436 smbsr_error(sr, 0, ERRSRV, ERRerror); 437 return (SDRC_DROP_VC); 438 } 439 440 /* 441 * Special case for negotiating SMB2 from SMB1. The client 442 * includes the "SMB 2..." dialects in the SMB1 negotiate, 443 * and if SMB2 is enabled, we choose one of those and then 444 * send an SMB2 reply to that SMB1 request. Yes, it's very 445 * strange, but this SMB1 request can have an SMB2 reply! 446 * To accomplish this, we let the SMB2 code send the reply 447 * and return the special code SDRC_NO_REPLY to the SMB1 448 * dispatch logic so it will NOT send an SMB1 reply. 449 * (Or possibly send an SMB1 error reply.) 450 */ 451 if (negprot->ni_dialect >= DIALECT_SMB2002) { 452 rc = smb1_negotiate_smb2(sr); 453 ASSERT(rc == SDRC_NO_REPLY || 454 rc == SDRC_DROP_VC || rc == SDRC_ERROR); 455 return (rc); 456 } 457 458 session->srv_secmode = NEGOTIATE_ENCRYPT_PASSWORDS | 459 NEGOTIATE_USER_SECURITY; 460 secmode = session->srv_secmode; 461 sesskey = session->sesskey; 462 463 negprot->ni_servertime.tv_sec = gethrestime_sec(); 464 negprot->ni_servertime.tv_nsec = 0; 465 negprot->ni_tzcorrection = sr->sr_gmtoff / 60; 466 negprot->ni_maxmpxcount = smb_maxmpxcount; 467 negprot->ni_keylen = SMB_CHALLENGE_SZ; 468 bcopy(&session->challenge_key, negprot->ni_key, SMB_CHALLENGE_SZ); 469 nbdomain = sr->sr_cfg->skc_nbdomain; 470 471 negprot->ni_capabilities = smb1srv_capabilities; 472 473 switch (negprot->ni_dialect) { 474 case PC_NETWORK_PROGRAM_1_0: /* core */ 475 (void) ksocket_setsockopt(session->sock, SOL_SOCKET, 476 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf, 477 sizeof (smb_dos_tcp_rcvbuf), CRED()); 478 rc = smbsr_encode_result(sr, 1, 0, "bww", 1, 479 negprot->ni_index, 0); 480 break; 481 482 case Windows_for_Workgroups_3_1a: 483 case PCLAN1_0: 484 case MICROSOFT_NETWORKS_1_03: 485 case MICROSOFT_NETWORKS_3_0: 486 case LANMAN1_0: 487 case LM1_2X002: 488 case DOS_LM1_2X002: 489 (void) ksocket_setsockopt(session->sock, SOL_SOCKET, 490 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf, 491 sizeof (smb_dos_tcp_rcvbuf), CRED()); 492 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK; 493 rc = smbsr_encode_result(sr, 13, VAR_BCC, 494 "bwwwwwwlYww2.w#c", 495 13, /* wct */ 496 negprot->ni_index, /* dialect index */ 497 secmode, /* security mode */ 498 SMB_DOS_MAXBUF, /* max buffer size */ 499 1, /* max MPX */ 500 1, /* max VCs */ 501 0, /* read/write raw */ 502 sesskey, /* session key */ 503 negprot->ni_servertime.tv_sec, /* server date/time */ 504 negprot->ni_tzcorrection, 505 (uint16_t)negprot->ni_keylen, /* encryption key length */ 506 /* reserved field handled 2. */ 507 VAR_BCC, 508 (int)negprot->ni_keylen, 509 negprot->ni_key); /* encryption key */ 510 break; 511 512 case DOS_LANMAN2_1: 513 case LANMAN2_1: 514 (void) ksocket_setsockopt(session->sock, SOL_SOCKET, 515 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf, 516 sizeof (smb_dos_tcp_rcvbuf), CRED()); 517 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK; 518 rc = smbsr_encode_result(sr, 13, VAR_BCC, 519 "bwwwwwwlYww2.w#cs", 520 13, /* wct */ 521 negprot->ni_index, /* dialect index */ 522 secmode, /* security mode */ 523 SMB_DOS_MAXBUF, /* max buffer size */ 524 1, /* max MPX */ 525 1, /* max VCs */ 526 0, /* read/write raw */ 527 sesskey, /* session key */ 528 negprot->ni_servertime.tv_sec, /* server date/time */ 529 negprot->ni_tzcorrection, 530 (uint16_t)negprot->ni_keylen, /* encryption key length */ 531 /* reserved field handled 2. */ 532 VAR_BCC, 533 (int)negprot->ni_keylen, 534 negprot->ni_key, /* encryption key */ 535 nbdomain); 536 break; 537 538 case NT_LM_0_12: 539 (void) ksocket_setsockopt(session->sock, SOL_SOCKET, 540 SO_RCVBUF, (const void *)&smb_nt_tcp_rcvbuf, 541 sizeof (smb_nt_tcp_rcvbuf), CRED()); 542 543 /* 544 * Allow SMB signatures if using encrypted passwords 545 */ 546 if ((secmode & NEGOTIATE_ENCRYPT_PASSWORDS) && 547 sr->sr_cfg->skc_signing_enable) { 548 secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED; 549 if (sr->sr_cfg->skc_signing_required) 550 secmode |= 551 NEGOTIATE_SECURITY_SIGNATURES_REQUIRED; 552 553 session->srv_secmode = secmode; 554 } 555 556 /* 557 * Does the client want Extended Security? 558 * (and if we have it enabled) 559 * If so, handle as if a different dialect. 560 */ 561 if ((sr->smb_flg2 & SMB_FLAGS2_EXT_SEC) != 0 && 562 (negprot->ni_capabilities & CAP_EXTENDED_SECURITY) != 0) 563 goto NT_LM_0_12_ext_sec; 564 565 /* Else deny knowledge of extended security. */ 566 sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC; 567 negprot->ni_capabilities &= ~CAP_EXTENDED_SECURITY; 568 569 /* 570 * nbdomain is not expected to be aligned. 571 * Use temporary buffer to avoid alignment padding 572 */ 573 wclen = smb_wcequiv_strlen(nbdomain) + sizeof (smb_wchar_t); 574 wcbuf = smb_srm_zalloc(sr, wclen); 575 smb_msgbuf_init(&mb, wcbuf, wclen, SMB_MSGBUF_UNICODE); 576 if (smb_msgbuf_encode(&mb, "U", nbdomain) < 0) { 577 smb_msgbuf_term(&mb); 578 smbsr_error(sr, 0, ERRSRV, ERRerror); 579 return (SDRC_ERROR); 580 } 581 582 rc = smbsr_encode_result(sr, 17, VAR_BCC, 583 "bwbwwllllTwbw#c#c", 584 17, /* wct */ 585 negprot->ni_index, /* dialect index */ 586 secmode, /* security mode */ 587 negprot->ni_maxmpxcount, /* max MPX */ 588 1, /* max VCs */ 589 (DWORD)smb_maxbufsize, /* max buffer size */ 590 0xFFFF, /* max raw size */ 591 sesskey, /* session key */ 592 negprot->ni_capabilities, 593 &negprot->ni_servertime, /* system time */ 594 negprot->ni_tzcorrection, 595 negprot->ni_keylen, /* encryption key length */ 596 VAR_BCC, 597 (int)negprot->ni_keylen, 598 negprot->ni_key, /* encryption key */ 599 wclen, 600 wcbuf); /* nbdomain (unicode) */ 601 602 smb_msgbuf_term(&mb); 603 break; 604 605 NT_LM_0_12_ext_sec: 606 /* 607 * This is the "Extended Security" variant of 608 * dialect NT_LM_0_12. 609 */ 610 rc = smbsr_encode_result(sr, 17, VAR_BCC, 611 "bwbwwllllTwbw#c#c", 612 17, /* wct */ 613 negprot->ni_index, /* dialect index */ 614 secmode, /* security mode */ 615 negprot->ni_maxmpxcount, /* max MPX */ 616 1, /* max VCs */ 617 (DWORD)smb_maxbufsize, /* max buffer size */ 618 0xFFFF, /* max raw size */ 619 sesskey, /* session key */ 620 negprot->ni_capabilities, 621 &negprot->ni_servertime, /* system time */ 622 negprot->ni_tzcorrection, 623 0, /* encryption key length (MBZ) */ 624 VAR_BCC, 625 UUID_LEN, 626 sr->sr_cfg->skc_machine_uuid, 627 sr->sr_cfg->skc_negtok_len, 628 sr->sr_cfg->skc_negtok); 629 break; 630 631 632 default: 633 rc = smbsr_encode_result(sr, 1, 0, "bww", 1, -1, 0); 634 break; 635 } 636 637 if (rc != 0) 638 return (SDRC_ERROR); 639 640 /* 641 * Save the agreed dialect. Note that the state is also 642 * used to detect and reject attempts to re-negotiate. 643 */ 644 session->dialect = negprot->ni_dialect; 645 session->s_state = SMB_SESSION_STATE_NEGOTIATED; 646 647 /* Allow normal SMB1 requests now. */ 648 session->newrq_func = smb1sr_newrq; 649 650 return (SDRC_SUCCESS); 651 } 652 653 static int 654 smb_xlate_dialect(const char *dialect) 655 { 656 const smb_xlate_t *dp; 657 int i; 658 659 for (i = 0; i < smb_ndialects; ++i) { 660 dp = &smb_dialect[i]; 661 662 if (strcmp(dp->str, dialect) == 0) 663 return (dp->code); 664 } 665 666 return (-1); 667 } 668