1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * Notes on the virtual circuit (VC) values in the SMB Negotiate 28 * response and SessionSetupAndx request. 29 * 30 * A virtual circuit (VC) represents a connection between a client and a 31 * server using a reliable, session oriented transport protocol, such as 32 * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a 33 * single underlying transport connection, i.e. a single NetBIOS session, 34 * which limited performance for raw data transfers. 35 * 36 * The intention behind multiple VCs was to improve performance by 37 * allowing parallelism over each NetBIOS session. For example, raw data 38 * could be transmitted using a different VC from other types of SMB 39 * requests to remove the interleaving restriction while a raw transfer 40 * is in progress. So the MaxNumberVcs field was added to the negotiate 41 * response to make the number of VCs configurable and to allow servers 42 * to specify how many they were prepared to support per session 43 * connection. This turned out to be difficult to manage and, with 44 * technology improvements, it has become obsolete. 45 * 46 * Servers should set the MaxNumberVcs value in the Negotiate response 47 * to 1. Clients should probably ignore it. If a server receives a 48 * SessionSetupAndx with a VC value of 0, it should close all other 49 * VCs to that client. If it receives a non-zero VC, it should leave 50 * other VCs in tact. 51 * 52 */ 53 54 /* 55 * SMB: negotiate 56 * 57 * Client Request Description 58 * ============================ ======================================= 59 * 60 * UCHAR WordCount; Count of parameter words = 0 61 * USHORT ByteCount; Count of data bytes; min = 2 62 * struct { 63 * UCHAR BufferFormat; 0x02 -- Dialect 64 * UCHAR DialectName[]; ASCII null-terminated string 65 * } Dialects[]; 66 * 67 * The Client sends a list of dialects that it can communicate with. The 68 * response is a selection of one of those dialects (numbered 0 through n) 69 * or -1 (hex FFFF) indicating that none of the dialects were acceptable. 70 * The negotiate message is binding on the virtual circuit and must be 71 * sent. One and only one negotiate message may be sent, subsequent 72 * negotiate requests will be rejected with an error response and no action 73 * will be taken. 74 * 75 * The protocol does not impose any particular structure to the dialect 76 * strings. Implementors of particular protocols may choose to include, 77 * for example, version numbers in the string. 78 * 79 * If the server does not understand any of the dialect strings, or if PC 80 * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is 81 * 82 * Server Response Description 83 * ============================ ======================================= 84 * 85 * UCHAR WordCount; Count of parameter words = 1 86 * USHORT DialectIndex; Index of selected dialect 87 * USHORT ByteCount; Count of data bytes = 0 88 * 89 * If the chosen dialect is greater than core up to and including 90 * LANMAN2.1, the protocol response format is 91 * 92 * Server Response Description 93 * ============================ ======================================= 94 * 95 * UCHAR WordCount; Count of parameter words = 13 96 * USHORT DialectIndex; Index of selected dialect 97 * USHORT SecurityMode; Security mode: 98 * bit 0: 0 = share, 1 = user 99 * bit 1: 1 = use challenge/response 100 * authentication 101 * USHORT MaxBufferSize; Max transmit buffer size (>= 1024) 102 * USHORT MaxMpxCount; Max pending multiplexed requests 103 * USHORT MaxNumberVcs; Max VCs between client and server 104 * USHORT RawMode; Raw modes supported: 105 * bit 0: 1 = Read Raw supported 106 * bit 1: 1 = Write Raw supported 107 * ULONG SessionKey; Unique token identifying this session 108 * SMB_TIME ServerTime; Current time at server 109 * SMB_DATE ServerDate; Current date at server 110 * USHORT ServerTimeZone; Current time zone at server 111 * USHORT EncryptionKeyLength; MBZ if this is not LM2.1 112 * USHORT Reserved; MBZ 113 * USHORT ByteCount Count of data bytes 114 * UCHAR EncryptionKey[]; The challenge encryption key 115 * STRING PrimaryDomain[]; The server's primary domain 116 * 117 * MaxBufferSize is the size of the largest message which the client can 118 * legitimately send to the server 119 * 120 * If bit0 of the Flags field is set in the negotiate response, this 121 * indicates the server supports the SMB_COM_LOCK_AND_READ and 122 * SMB_COM_WRITE_AND_UNLOCK client requests. 123 * 124 * If the SecurityMode field indicates the server is running in user mode, 125 * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests 126 * before the server will allow the client to access resources. If the 127 * SecurityMode fields indicates the client should use challenge/response 128 * authentication, the client should use the authentication mechanism 129 * specified in section 2.10. 130 * 131 * Clients should submit no more than MaxMpxCount distinct unanswered SMBs 132 * to the server when using multiplexed reads or writes (see sections 5.13 133 * and 5.25) 134 * 135 * Clients using the "MICROSOFT NETWORKS 1.03" dialect use a different 136 * form of raw reads than documented here, and servers are better off 137 * setting RawMode in this response to 0 for such sessions. 138 * 139 * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then 140 * PrimaryDomain string should be included in this response. 141 * 142 * If the negotiated dialect is NT LM 0.12, the response format is 143 * 144 * Server Response Description 145 * ========================== ========================================= 146 * 147 * UCHAR WordCount; Count of parameter words = 17 148 * USHORT DialectIndex; Index of selected dialect 149 * UCHAR SecurityMode; Security mode: 150 * bit 0: 0 = share, 1 = user 151 * bit 1: 1 = encrypt passwords 152 * USHORT MaxMpxCount; Max pending multiplexed requests 153 * USHORT MaxNumberVcs; Max VCs between client and server 154 * ULONG MaxBufferSize; Max transmit buffer size 155 * ULONG MaxRawSize; Maximum raw buffer size 156 * ULONG SessionKey; Unique token identifying this session 157 * ULONG Capabilities; Server capabilities 158 * ULONG SystemTimeLow; System (UTC) time of the server (low). 159 * ULONG SystemTimeHigh; System (UTC) time of the server (high). 160 * USHORT ServerTimeZone; Time zone of server (min from UTC) 161 * UCHAR EncryptionKeyLength; Length of encryption key. 162 * USHORT ByteCount; Count of data bytes 163 * UCHAR EncryptionKey[]; The challenge encryption key 164 * UCHAR OemDomainName[]; The name of the domain (in OEM chars) 165 * 166 * In addition to the definitions above, MaxBufferSize is the size of the 167 * largest message which the client can legitimately send to the server. 168 * If the client is using a connectionless protocol, MaxBufferSize must be 169 * set to the smaller of the server's internal buffer size and the amount 170 * of data which can be placed in a response packet. 171 * 172 * MaxRawSize specifies the maximum message size the server can send or 173 * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW. 174 * 175 * Connectionless clients must set Sid to 0 in the SMB request header. 176 * 177 * Capabilities allows the server to tell the client what it supports. 178 * The bit definitions defined in smb.h. Bit 0x2000 used to be set in 179 * the negotiate response capabilities but it caused problems with 180 * Windows 2000. It is probably not valid, it doesn't appear in the 181 * CIFS spec. 182 * 183 * 4.1.1.1 Errors 184 * 185 * SUCCESS/SUCCESS 186 * ERRSRV/ERRerror 187 */ 188 #include <sys/types.h> 189 #include <sys/strsubr.h> 190 #include <sys/socketvar.h> 191 #include <sys/socket.h> 192 #include <sys/random.h> 193 #include <netinet/in.h> 194 #include <smbsrv/smb_kproto.h> 195 #include <smbsrv/smbinfo.h> 196 197 /* 198 * Maximum buffer size for DOS: chosen to be the same as NT. 199 * Do not change this value, DOS is very sensitive to it. 200 */ 201 #define SMB_DOS_MAXBUF 0x1104 202 203 /* 204 * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems 205 * with other values. DOS 6.1 seems to depend on a window value of 8700 to 206 * send the next set of data. If we return a window value of 40KB, after 207 * sending 8700 bytes of data, it will start the next set of data from 40KB 208 * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses. 209 * September 2000. 210 * 211 * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow 212 * for a larger TCP window sizei based on observations of Windows 2000 and 213 * performance testing. March 2003. 214 */ 215 static uint32_t smb_dos_tcp_rcvbuf = 8700; 216 static uint32_t smb_nt_tcp_rcvbuf = 1048560; /* scale factor of 4 */ 217 218 static void smb_get_security_info(smb_request_t *, unsigned short *, 219 unsigned char *, unsigned char *, uint32_t *); 220 221 /* 222 * Function: int smb_com_negotiate(struct smb_request *) 223 */ 224 smb_sdrc_t 225 smb_pre_negotiate(smb_request_t *sr) 226 { 227 DTRACE_SMB_1(op__Negotiate__start, smb_request_t *, sr); 228 smb_rwx_rwenter(&sr->session->s_lock, RW_WRITER); 229 return (SDRC_SUCCESS); 230 } 231 232 void 233 smb_post_negotiate(smb_request_t *sr) 234 { 235 DTRACE_SMB_1(op__Negotiate__done, smb_request_t *, sr); 236 smb_rwx_rwexit(&sr->session->s_lock); 237 } 238 239 smb_sdrc_t 240 smb_com_negotiate(smb_request_t *sr) 241 { 242 int dialect = 0; 243 int this_dialect; 244 unsigned char keylen; 245 int sel_pos = -1; 246 int pos; 247 char key[32]; 248 char *p; 249 timestruc_t time_val; 250 unsigned short secmode; 251 uint32_t sesskey; 252 uint32_t capabilities = 0; 253 int rc; 254 unsigned short max_mpx_count; 255 int16_t tz_correction; 256 char ipaddr_buf[INET6_ADDRSTRLEN]; 257 char *tmpbuf; 258 int buflen; 259 smb_msgbuf_t mb; 260 261 if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) { 262 /* The protocol has already been negotiated. */ 263 smbsr_error(sr, 0, ERRSRV, ERRerror); 264 return (SDRC_ERROR); 265 } 266 267 for (pos = 0; 268 sr->smb_data.chain_offset < sr->smb_data.max_bytes; 269 pos++) { 270 if (smb_mbc_decodef(&sr->smb_data, "%L", sr, &p) != 0) { 271 smbsr_error(sr, 0, ERRSRV, ERRerror); 272 return (SDRC_ERROR); 273 } 274 275 this_dialect = smb_xlate_dialect_str_to_cd(p); 276 277 if (this_dialect < 0) 278 continue; 279 280 if (dialect < this_dialect) { 281 dialect = this_dialect; 282 sel_pos = pos; 283 } 284 } 285 286 smb_get_security_info(sr, &secmode, (unsigned char *)key, 287 &keylen, &sesskey); 288 289 (void) microtime(&time_val); 290 tz_correction = sr->sr_gmtoff / 60; 291 292 switch (dialect) { 293 case PC_NETWORK_PROGRAM_1_0: /* core */ 294 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET, 295 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf, 296 sizeof (smb_dos_tcp_rcvbuf), CRED()); 297 rc = smbsr_encode_result(sr, 1, 0, "bww", 1, sel_pos, 0); 298 break; 299 300 case Windows_for_Workgroups_3_1a: 301 case PCLAN1_0: 302 case MICROSOFT_NETWORKS_1_03: 303 case MICROSOFT_NETWORKS_3_0: 304 case LANMAN1_0: 305 case LM1_2X002: 306 case DOS_LM1_2X002: 307 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET, 308 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf, 309 sizeof (smb_dos_tcp_rcvbuf), CRED()); 310 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK; 311 rc = smbsr_encode_result(sr, 13, VAR_BCC, 312 "bwwwwwwlYww2.w#c", 313 13, /* wct */ 314 sel_pos, /* dialect index */ 315 secmode, /* security mode */ 316 SMB_DOS_MAXBUF, /* max buffer size */ 317 1, /* max MPX (temporary) */ 318 1, /* max VCs (temporary, ambiguous) */ 319 3, /* raw mode (s/b 3) */ 320 sesskey, /* session key */ 321 time_val.tv_sec, /* server time/date */ 322 tz_correction, 323 (short)keylen, /* Encryption Key Length */ 324 /* reserved field handled 2. */ 325 VAR_BCC, 326 (int)keylen, 327 key); /* encryption key */ 328 break; 329 330 case DOS_LANMAN2_1: 331 case LANMAN2_1: 332 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET, 333 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf, 334 sizeof (smb_dos_tcp_rcvbuf), CRED()); 335 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK; 336 rc = smbsr_encode_result(sr, 13, VAR_BCC, 337 "bwwwwwwlYww2.w#cs", 338 13, /* wct */ 339 sel_pos, /* dialect index */ 340 secmode, /* security mode */ 341 SMB_DOS_MAXBUF, /* max buffer size */ 342 1, /* max MPX (temporary) */ 343 1, /* max VCs (temporary, ambiguous) */ 344 3, /* raw mode (s/b 3) */ 345 sesskey, /* session key */ 346 time_val.tv_sec, /* server time/date */ 347 tz_correction, 348 (short)keylen, /* Encryption Key Length */ 349 /* reserved field handled 2. */ 350 VAR_BCC, 351 (int)keylen, 352 key, /* encryption key */ 353 sr->sr_cfg->skc_nbdomain); 354 break; 355 356 case NT_LM_0_12: 357 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET, 358 SO_RCVBUF, (const void *)&smb_nt_tcp_rcvbuf, 359 sizeof (smb_nt_tcp_rcvbuf), CRED()); 360 /* 361 * UNICODE support is required for long share names, 362 * long file names and streams. 363 */ 364 capabilities = CAP_LARGE_FILES 365 | CAP_UNICODE 366 | CAP_NT_SMBS 367 | CAP_STATUS32 368 | CAP_NT_FIND 369 | CAP_RAW_MODE 370 | CAP_LEVEL_II_OPLOCKS 371 | CAP_LOCK_AND_READ 372 | CAP_RPC_REMOTE_APIS 373 | CAP_LARGE_READX 374 | CAP_LARGE_WRITEX; 375 376 /* 377 * Turn off Extended Security Negotiation 378 */ 379 sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC; 380 381 /* 382 * Allow SMB signatures if security challenge response enabled 383 */ 384 if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && 385 sr->sr_cfg->skc_signing_enable) { 386 secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED; 387 if (sr->sr_cfg->skc_signing_required) 388 secmode |= 389 NEGOTIATE_SECURITY_SIGNATURES_REQUIRED; 390 391 sr->session->secmode = secmode; 392 } 393 (void) smb_inet_ntop(&sr->session->ipaddr, ipaddr_buf, 394 SMB_IPSTRLEN(sr->session->ipaddr.a_family)); 395 396 max_mpx_count = sr->sr_cfg->skc_maxworkers; 397 398 /* 399 * skc_nbdomain is not expected to be aligned. 400 * Use temporary buffer to avoid alignment padding 401 */ 402 buflen = smb_wcequiv_strlen(sr->sr_cfg->skc_nbdomain) + 403 sizeof (smb_wchar_t); 404 tmpbuf = kmem_zalloc(buflen, KM_SLEEP); 405 smb_msgbuf_init(&mb, (uint8_t *)tmpbuf, buflen, 406 SMB_MSGBUF_UNICODE); 407 if (smb_msgbuf_encode(&mb, "U", 408 sr->sr_cfg->skc_nbdomain) < 0) { 409 smb_msgbuf_term(&mb); 410 kmem_free(tmpbuf, buflen); 411 smbsr_error(sr, 0, ERRSRV, ERRerror); 412 return (SDRC_ERROR); 413 } 414 415 rc = smbsr_encode_result(sr, 17, VAR_BCC, 416 "bwbwwllllTwbw#c#c", 417 17, /* wct */ 418 sel_pos, /* dialect index */ 419 secmode, /* security mode */ 420 max_mpx_count, /* max MPX (temporary) */ 421 1, /* max VCs (temporary, ambiguous) */ 422 (DWORD)smb_maxbufsize, /* max buffer size */ 423 0xFFFF, /* max raw size */ 424 sesskey, /* session key */ 425 capabilities, 426 &time_val, /* system time */ 427 tz_correction, 428 keylen, /* Encryption Key Length */ 429 VAR_BCC, 430 (int)keylen, 431 key, /* encryption key */ 432 buflen, 433 tmpbuf); /* skc_nbdomain */ 434 435 smb_msgbuf_term(&mb); 436 kmem_free(tmpbuf, buflen); 437 break; 438 439 default: 440 sel_pos = -1; 441 rc = smbsr_encode_result(sr, 1, 0, "bww", 1, sel_pos, 0); 442 return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR); 443 } 444 445 if (rc != 0) 446 return (SDRC_ERROR); 447 448 /* 449 * Save the agreed dialect. Note that this value is also 450 * used to detect and reject attempts to re-negotiate. 451 */ 452 sr->session->dialect = dialect; 453 sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED; 454 return (SDRC_SUCCESS); 455 } 456 457 static void 458 smb_get_security_info( 459 struct smb_request *sr, 460 unsigned short *secmode, 461 unsigned char *key, 462 unsigned char *keylen, 463 uint32_t *sesskey) 464 { 465 uchar_t tmp_key[8]; 466 467 (void) random_get_pseudo_bytes(tmp_key, 8); 468 bcopy(tmp_key, &sr->session->challenge_key, 8); 469 sr->session->challenge_len = 8; 470 *keylen = 8; 471 bcopy(tmp_key, key, 8); 472 473 sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE| 474 NEGOTIATE_SECURITY_USER_LEVEL; 475 476 (void) random_get_pseudo_bytes(tmp_key, 4); 477 sr->session->sesskey = tmp_key[0] | tmp_key[1] << 8 | 478 tmp_key[2] << 16 | tmp_key[3] << 24; 479 480 *secmode = sr->session->secmode; 481 *sesskey = sr->session->sesskey; 482 } 483