xref: /illumos-gate/usr/src/uts/common/fs/smbsrv/smb_negotiate.c (revision 74e12c43fe52f2c30f36e65a4d0fb0e8dfd7068a)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
24  */
25 
26 /*
27  * Notes on the virtual circuit (VC) values in the SMB Negotiate
28  * response and SessionSetupAndx request.
29  *
30  * A virtual circuit (VC) represents a connection between a client and a
31  * server using a reliable, session oriented transport protocol, such as
32  * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a
33  * single underlying transport connection, i.e. a single NetBIOS session,
34  * which limited performance for raw data transfers.
35  *
36  * The intention behind multiple VCs was to improve performance by
37  * allowing parallelism over each NetBIOS session. For example, raw data
38  * could be transmitted using a different VC from other types of SMB
39  * requests to remove the interleaving restriction while a raw transfer
40  * is in progress. So the MaxNumberVcs field was added to the negotiate
41  * response to make the number of VCs configurable and to allow servers
42  * to specify how many they were prepared to support per session
43  * connection. This turned out to be difficult to manage and, with
44  * technology improvements, it has become obsolete.
45  *
46  * Servers should set the MaxNumberVcs value in the Negotiate response
47  * to 1. Clients should probably ignore it. If a server receives a
48  * SessionSetupAndx with a VC value of 0, it should close all other
49  * VCs to that client. If it receives a non-zero VC, it should leave
50  * other VCs in tact.
51  *
52  */
53 
54 /*
55  * SMB: negotiate
56  *
57  * Client Request                Description
58  * ============================  =======================================
59  *
60  * UCHAR WordCount;              Count of parameter words = 0
61  * USHORT ByteCount;             Count of data bytes; min = 2
62  * struct {
63  *    UCHAR BufferFormat;        0x02 -- Dialect
64  *    UCHAR DialectName[];       ASCII null-terminated string
65  * } Dialects[];
66  *
67  * The Client sends a list of dialects that it can communicate with.  The
68  * response is a selection of one of those dialects (numbered 0 through n)
69  * or -1 (hex FFFF) indicating that none of the dialects were acceptable.
70  * The negotiate message is binding on the virtual circuit and must be
71  * sent.  One and only one negotiate message may be sent, subsequent
72  * negotiate requests will be rejected with an error response and no action
73  * will be taken.
74  *
75  * The protocol does not impose any particular structure to the dialect
76  * strings.  Implementors of particular protocols may choose to include,
77  * for example, version numbers in the string.
78  *
79  * If the server does not understand any of the dialect strings, or if PC
80  * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is
81  *
82  * Server Response               Description
83  * ============================  =======================================
84  *
85  * UCHAR WordCount;              Count of parameter words = 1
86  * USHORT DialectIndex;          Index of selected dialect
87  * USHORT ByteCount;             Count of data bytes = 0
88  *
89  * If the chosen dialect is greater than core up to and including
90  * LANMAN2.1, the protocol response format is
91  *
92  * Server Response               Description
93  * ============================  =======================================
94  *
95  * UCHAR WordCount;              Count of parameter words = 13
96  * USHORT  DialectIndex;         Index of selected dialect
97  * USHORT  SecurityMode;         Security mode:
98  *                               bit 0: 0 = share, 1 = user
99  *                               bit 1: 1 = use challenge/response
100  *                               authentication
101  * USHORT  MaxBufferSize;        Max transmit buffer size (>= 1024)
102  * USHORT  MaxMpxCount;          Max pending multiplexed requests
103  * USHORT  MaxNumberVcs;         Max VCs between client and server
104  * USHORT  RawMode;              Raw modes supported:
105  *                                bit 0: 1 = Read Raw supported
106  *                                bit 1: 1 = Write Raw supported
107  * ULONG SessionKey;             Unique token identifying this session
108  * SMB_TIME ServerTime;          Current time at server
109  * SMB_DATE ServerDate;          Current date at server
110  * USHORT ServerTimeZone;        Current time zone at server
111  * USHORT  EncryptionKeyLength;  MBZ if this is not LM2.1
112  * USHORT  Reserved;             MBZ
113  * USHORT  ByteCount             Count of data bytes
114  * UCHAR EncryptionKey[];        The challenge encryption key
115  * STRING PrimaryDomain[];       The server's primary domain
116  *
117  * MaxBufferSize is the size of the largest message which the client can
118  * legitimately send to the server
119  *
120  * If  bit0 of the Flags field is set in the negotiate response, this
121  * indicates the server supports the SMB_COM_LOCK_AND_READ and
122  * SMB_COM_WRITE_AND_UNLOCK client requests.
123  *
124  * If the SecurityMode field indicates the server is running in user mode,
125  * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests
126  * before the server will allow the client to access resources.   If the
127  * SecurityMode fields indicates the client should use challenge/response
128  * authentication, the client should use the authentication mechanism
129  * specified in section 2.10.
130  *
131  * Clients should submit no more than MaxMpxCount distinct unanswered SMBs
132  * to the server when using multiplexed reads or writes (see sections 5.13
133  * and 5.25)
134  *
135  * Clients using the  "MICROSOFT NETWORKS 1.03" dialect use a different
136  * form of raw reads than documented here, and servers are better off
137  * setting RawMode in this response to 0 for such sessions.
138  *
139  * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then
140  * PrimaryDomain string should be included in this response.
141  *
142  * If the negotiated dialect is NT LM 0.12, the response format is
143  *
144  * Server Response            Description
145  * ========================== =========================================
146  *
147  * UCHAR WordCount;           Count of parameter words = 17
148  * USHORT DialectIndex;       Index of selected dialect
149  * UCHAR SecurityMode;        Security mode:
150  *                             bit 0: 0 = share, 1 = user
151  *                             bit 1: 1 = encrypt passwords
152  * USHORT MaxMpxCount;        Max pending multiplexed requests
153  * USHORT MaxNumberVcs;       Max VCs between client and server
154  * ULONG MaxBufferSize;       Max transmit buffer size
155  * ULONG MaxRawSize;          Maximum raw buffer size
156  * ULONG SessionKey;          Unique token identifying this session
157  * ULONG Capabilities;        Server capabilities
158  * ULONG SystemTimeLow;       System (UTC) time of the server (low).
159  * ULONG SystemTimeHigh;      System (UTC) time of the server (high).
160  * USHORT ServerTimeZone;     Time zone of server (min from UTC)
161  * UCHAR EncryptionKeyLength; Length of encryption key.
162  * USHORT ByteCount;          Count of data bytes
163  * UCHAR EncryptionKey[];     The challenge encryption key
164  * UCHAR OemDomainName[];     The name of the domain (in OEM chars)
165  *
166  * In addition to the definitions above, MaxBufferSize is the size of the
167  * largest message which the client can legitimately send to the server.
168  * If the client is using a connectionless protocol,  MaxBufferSize must be
169  * set to the smaller of the server's internal buffer size and the amount
170  * of data which can be placed in a response packet.
171  *
172  * MaxRawSize specifies the maximum message size the server can send or
173  * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW.
174  *
175  * Connectionless clients must set Sid to 0 in the SMB request header.
176  *
177  * Capabilities allows the server to tell the client what it supports.
178  * The bit definitions defined in smb.h. Bit 0x2000 used to be set in
179  * the negotiate response capabilities but it caused problems with
180  * Windows 2000. It is probably not valid, it doesn't appear in the
181  * CIFS spec.
182  *
183  * 4.1.1.1   Errors
184  *
185  * SUCCESS/SUCCESS
186  * ERRSRV/ERRerror
187  */
188 #include <sys/types.h>
189 #include <sys/socket.h>
190 #include <netinet/in.h>
191 #include <smbsrv/smb_kproto.h>
192 #include <smbsrv/smbinfo.h>
193 
194 static const smb_xlate_t smb_dialect[] = {
195 	{ DIALECT_UNKNOWN,		"DIALECT_UNKNOWN" },
196 	{ PC_NETWORK_PROGRAM_1_0,	"PC NETWORK PROGRAM 1.0" },
197 	{ PCLAN1_0,			"PCLAN1.0" },
198 	{ MICROSOFT_NETWORKS_1_03,	"MICROSOFT NETWORKS 1.03" },
199 	{ MICROSOFT_NETWORKS_3_0,	"MICROSOFT NETWORKS 3.0" },
200 	{ LANMAN1_0,			"LANMAN1.0" },
201 	{ LM1_2X002,			"LM1.2X002" },
202 	{ DOS_LM1_2X002,		"DOS LM1.2X002" },
203 	{ DOS_LANMAN2_1,		"DOS LANMAN2.1" },
204 	{ LANMAN2_1,			"LANMAN2.1" },
205 	{ Windows_for_Workgroups_3_1a,	"Windows for Workgroups 3.1a" },
206 	{ NT_LM_0_12,			"NT LM 0.12" },
207 	{ DIALECT_SMB2002,		"SMB 2.002" },
208 	{ DIALECT_SMB2XXX,		"SMB 2.???" },
209 };
210 static int smb_ndialects = sizeof (smb_dialect) / sizeof (smb_dialect[0]);
211 
212 /*
213  * Maximum buffer size for DOS: chosen to be the same as NT.
214  * Do not change this value, DOS is very sensitive to it.
215  */
216 #define	SMB_DOS_MAXBUF			0x1104
217 
218 /*
219  * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems
220  * with other values. DOS 6.1 seems to depend on a window value of 8700 to
221  * send the next set of data. If we return a window value of 40KB, after
222  * sending 8700 bytes of data, it will start the next set of data from 40KB
223  * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses.
224  * September 2000.
225  *
226  * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow
227  * for a larger TCP window sizei based on observations of Windows 2000 and
228  * performance testing. March 2003.
229  */
230 static uint32_t	smb_dos_tcp_rcvbuf = 8700;
231 static uint32_t	smb_nt_tcp_rcvbuf = 1048560;	/* scale factor of 4 */
232 
233 /*
234  * Maximum number of simultaneously pending SMB requests allowed on
235  * one connection.  This is like "credits" in SMB2, but SMB1 uses a
236  * fixed limit, having no way to request an increase like SMB2 does.
237  * Note: Some older clients only handle the low byte of this value,
238  * so this value should be less than 256.
239  */
240 static uint16_t smb_maxmpxcount = 64;
241 
242 static int smb_xlate_dialect(const char *);
243 
244 /*
245  * "Capabilities" offered by SMB1 Negotiate Protocol.
246  * See smb.h for descriptions.
247  *
248  * CAP_RAW_MODE, CAP_MPX_MODE are obsolete.
249  * UNICODE support is required for long share names,
250  * long file names and streams.
251  *
252  * For testing, one can patch this, i.e. remove the high bit to
253  * temporarily disable extended security, etc.
254  */
255 uint32_t smb1srv_capabilities =
256 	CAP_UNICODE |
257 	CAP_LARGE_FILES |
258 	CAP_NT_SMBS |
259 	CAP_RPC_REMOTE_APIS |
260 	CAP_STATUS32 |
261 	CAP_LEVEL_II_OPLOCKS |
262 	CAP_LOCK_AND_READ |
263 	CAP_NT_FIND |
264 	CAP_DFS |
265 	CAP_INFOLEVEL_PASSTHRU |
266 	CAP_LARGE_READX |
267 	CAP_LARGE_WRITEX |
268 	CAP_EXTENDED_SECURITY;
269 
270 /*
271  * SMB Negotiate gets special handling.  This is called directly by
272  * the reader thread (see smbsr_newrq_initial) with what _should_ be
273  * an SMB1 Negotiate.  Only the "\ffSMB" header has been checked
274  * when this is called, so this needs to check the SMB command,
275  * if it's Negotiate execute it, then send the reply, etc.
276  *
277  * Since this is called directly from the reader thread, we
278  * know this is the only thread currently using this session.
279  * This has to duplicate some of what smb1sr_work does as a
280  * result of bypassing the normal dispatch mechanism.
281  *
282  * The caller always frees this request.
283  *
284  * Return value is 0 for success, and anything else will
285  * terminate the reader thread (drop the connection).
286  */
287 int
288 smb1_newrq_negotiate(smb_request_t *sr)
289 {
290 	smb_sdrc_t	sdrc;
291 	uint16_t	pid_hi, pid_lo;
292 
293 	/*
294 	 * Decode the header
295 	 */
296 	if (smb_mbc_decodef(&sr->command, SMB_HEADER_ED_FMT,
297 	    &sr->smb_com,
298 	    &sr->smb_rcls,
299 	    &sr->smb_reh,
300 	    &sr->smb_err,
301 	    &sr->smb_flg,
302 	    &sr->smb_flg2,
303 	    &pid_hi,
304 	    sr->smb_sig,
305 	    &sr->smb_tid,
306 	    &pid_lo,
307 	    &sr->smb_uid,
308 	    &sr->smb_mid) != 0)
309 		return (-1);
310 	if (sr->smb_com != SMB_COM_NEGOTIATE)
311 		return (-1);
312 
313 	sr->smb_pid = (pid_hi << 16) | pid_lo;
314 
315 	/*
316 	 * Reserve space for the reply header.
317 	 */
318 	(void) smb_mbc_encodef(&sr->reply, "#.", SMB_HEADER_LEN);
319 	sr->first_smb_com = sr->smb_com;
320 
321 	if (smb_mbc_decodef(&sr->command, "b", &sr->smb_wct) != 0)
322 		return (-1);
323 	(void) MBC_SHADOW_CHAIN(&sr->smb_vwv, &sr->command,
324 	    sr->command.chain_offset, sr->smb_wct * 2);
325 
326 	if (smb_mbc_decodef(&sr->command, "#.w", sr->smb_wct*2, &sr->smb_bcc))
327 		return (-1);
328 	(void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command,
329 	    sr->command.chain_offset, sr->smb_bcc);
330 
331 	sr->command.chain_offset += sr->smb_bcc;
332 	if (sr->command.chain_offset > sr->command.max_bytes)
333 		return (-1);
334 
335 	/* Store pointers for later */
336 	sr->cur_reply_offset = sr->reply.chain_offset;
337 
338 	sdrc = smb_pre_negotiate(sr);
339 	if (sdrc == SDRC_SUCCESS)
340 		sdrc = smb_com_negotiate(sr);
341 	smb_post_negotiate(sr);
342 
343 	if (sdrc != SDRC_NO_REPLY)
344 		smbsr_send_reply(sr);
345 	if (sdrc == SDRC_DROP_VC)
346 		return (-1);
347 
348 	return (0);
349 }
350 
351 smb_sdrc_t
352 smb_pre_negotiate(smb_request_t *sr)
353 {
354 	smb_kmod_cfg_t		*skc;
355 	smb_arg_negotiate_t	*negprot;
356 	int			dialect;
357 	int			pos;
358 	int			rc = 0;
359 
360 	skc = &sr->session->s_cfg;
361 	negprot = smb_srm_zalloc(sr, sizeof (smb_arg_negotiate_t));
362 	negprot->ni_index = -1;
363 	sr->sr_negprot = negprot;
364 
365 	for (pos = 0; smbsr_decode_data_avail(sr); pos++) {
366 		if (smbsr_decode_data(sr, "%L", sr, &negprot->ni_name) != 0) {
367 			smbsr_error(sr, 0, ERRSRV, ERRerror);
368 			rc = -1;
369 			break;
370 		}
371 
372 		if ((dialect = smb_xlate_dialect(negprot->ni_name)) < 0)
373 			continue;
374 
375 		/*
376 		 * Conditionally recognize the SMB2 dialects.
377 		 */
378 		if (dialect >= DIALECT_SMB2002 &&
379 		    skc->skc_max_protocol < SMB_VERS_2_BASE)
380 			continue;
381 
382 		/*
383 		 * We may not support SMB1; skip those dialects if true.
384 		 */
385 		if (dialect < DIALECT_SMB2002 &&
386 		    skc->skc_min_protocol > SMB_VERS_1)
387 			continue;
388 
389 		if (dialect == DIALECT_SMB2002 &&
390 		    skc->skc_min_protocol > SMB_VERS_2_002)
391 			continue;
392 
393 		if (negprot->ni_dialect < dialect) {
394 			negprot->ni_dialect = dialect;
395 			negprot->ni_index = pos;
396 		}
397 	}
398 
399 	DTRACE_SMB_START(op__Negotiate, smb_request_t *, sr);
400 
401 	return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
402 }
403 
404 void
405 smb_post_negotiate(smb_request_t *sr)
406 {
407 	smb_arg_negotiate_t	*negprot = sr->sr_negprot;
408 
409 	DTRACE_SMB_DONE(op__Negotiate, smb_request_t *, sr);
410 
411 	bzero(negprot, sizeof (smb_arg_negotiate_t));
412 }
413 
414 smb_sdrc_t
415 smb_com_negotiate(smb_request_t *sr)
416 {
417 	smb_session_t		*session = sr->session;
418 	smb_arg_negotiate_t	*negprot = sr->sr_negprot;
419 	uint16_t		secmode;
420 	uint32_t		sesskey;
421 	char			*nbdomain;
422 	uint8_t			*wcbuf;
423 	int			wclen;
424 	smb_msgbuf_t		mb;
425 	int			rc;
426 
427 	if (session->s_state != SMB_SESSION_STATE_ESTABLISHED) {
428 		/* The protocol has already been negotiated. */
429 		smbsr_error(sr, 0, ERRSRV, ERRerror);
430 		return (SDRC_ERROR);
431 	}
432 
433 	if (negprot->ni_index < 0) {
434 		cmn_err(CE_NOTE, "clnt %s no supported dialect",
435 		    sr->session->ip_addr_str);
436 		smbsr_error(sr, 0, ERRSRV, ERRerror);
437 		return (SDRC_DROP_VC);
438 	}
439 
440 	/*
441 	 * Special case for negotiating SMB2 from SMB1.  The client
442 	 * includes the  "SMB 2..." dialects in the SMB1 negotiate,
443 	 * and if SMB2 is enabled, we choose one of those and then
444 	 * send an SMB2 reply to that SMB1 request.  Yes, it's very
445 	 * strange, but this SMB1 request can have an SMB2 reply!
446 	 * To accomplish this, we let the SMB2 code send the reply
447 	 * and return the special code SDRC_NO_REPLY to the SMB1
448 	 * dispatch logic so it will NOT send an SMB1 reply.
449 	 * (Or possibly send an SMB1 error reply.)
450 	 */
451 	if (negprot->ni_dialect >= DIALECT_SMB2002) {
452 		rc = smb1_negotiate_smb2(sr);
453 		ASSERT(rc == SDRC_NO_REPLY ||
454 		    rc == SDRC_DROP_VC || rc == SDRC_ERROR);
455 		return (rc);
456 	}
457 
458 	session->srv_secmode = NEGOTIATE_ENCRYPT_PASSWORDS |
459 	    NEGOTIATE_USER_SECURITY;
460 	secmode = session->srv_secmode;
461 	sesskey = session->sesskey;
462 
463 	negprot->ni_servertime.tv_sec = gethrestime_sec();
464 	negprot->ni_servertime.tv_nsec = 0;
465 	negprot->ni_tzcorrection = sr->sr_gmtoff / 60;
466 	negprot->ni_maxmpxcount = smb_maxmpxcount;
467 	negprot->ni_keylen = SMB_CHALLENGE_SZ;
468 	bcopy(&session->challenge_key, negprot->ni_key, SMB_CHALLENGE_SZ);
469 	nbdomain = sr->sr_cfg->skc_nbdomain;
470 
471 	negprot->ni_capabilities = smb1srv_capabilities;
472 
473 	switch (negprot->ni_dialect) {
474 	case PC_NETWORK_PROGRAM_1_0:	/* core */
475 		(void) ksocket_setsockopt(session->sock, SOL_SOCKET,
476 		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
477 		    sizeof (smb_dos_tcp_rcvbuf), CRED());
478 		rc = smbsr_encode_result(sr, 1, 0, "bww", 1,
479 		    negprot->ni_index, 0);
480 		break;
481 
482 	case Windows_for_Workgroups_3_1a:
483 	case PCLAN1_0:
484 	case MICROSOFT_NETWORKS_1_03:
485 	case MICROSOFT_NETWORKS_3_0:
486 	case LANMAN1_0:
487 	case LM1_2X002:
488 	case DOS_LM1_2X002:
489 		(void) ksocket_setsockopt(session->sock, SOL_SOCKET,
490 		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
491 		    sizeof (smb_dos_tcp_rcvbuf), CRED());
492 		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
493 		rc = smbsr_encode_result(sr, 13, VAR_BCC,
494 		    "bwwwwwwlYww2.w#c",
495 		    13,				/* wct */
496 		    negprot->ni_index,		/* dialect index */
497 		    secmode,			/* security mode */
498 		    SMB_DOS_MAXBUF,		/* max buffer size */
499 		    1,				/* max MPX */
500 		    1,				/* max VCs */
501 		    0,				/* read/write raw */
502 		    sesskey,			/* session key */
503 		    negprot->ni_servertime.tv_sec, /* server date/time */
504 		    negprot->ni_tzcorrection,
505 		    (uint16_t)negprot->ni_keylen, /* encryption key length */
506 						/* reserved field handled 2. */
507 		    VAR_BCC,
508 		    (int)negprot->ni_keylen,
509 		    negprot->ni_key);		/* encryption key */
510 		break;
511 
512 	case DOS_LANMAN2_1:
513 	case LANMAN2_1:
514 		(void) ksocket_setsockopt(session->sock, SOL_SOCKET,
515 		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
516 		    sizeof (smb_dos_tcp_rcvbuf), CRED());
517 		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
518 		rc = smbsr_encode_result(sr, 13, VAR_BCC,
519 		    "bwwwwwwlYww2.w#cs",
520 		    13,				/* wct */
521 		    negprot->ni_index,		/* dialect index */
522 		    secmode,			/* security mode */
523 		    SMB_DOS_MAXBUF,		/* max buffer size */
524 		    1,				/* max MPX */
525 		    1,				/* max VCs */
526 		    0,				/* read/write raw */
527 		    sesskey,			/* session key */
528 		    negprot->ni_servertime.tv_sec, /* server date/time */
529 		    negprot->ni_tzcorrection,
530 		    (uint16_t)negprot->ni_keylen, /* encryption key length */
531 						/* reserved field handled 2. */
532 		    VAR_BCC,
533 		    (int)negprot->ni_keylen,
534 		    negprot->ni_key,		/* encryption key */
535 		    nbdomain);
536 		break;
537 
538 	case NT_LM_0_12:
539 		(void) ksocket_setsockopt(session->sock, SOL_SOCKET,
540 		    SO_RCVBUF, (const void *)&smb_nt_tcp_rcvbuf,
541 		    sizeof (smb_nt_tcp_rcvbuf), CRED());
542 
543 		/*
544 		 * Allow SMB signatures if using encrypted passwords
545 		 */
546 		if ((secmode & NEGOTIATE_ENCRYPT_PASSWORDS) &&
547 		    sr->sr_cfg->skc_signing_enable) {
548 			secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
549 			if (sr->sr_cfg->skc_signing_required)
550 				secmode |=
551 				    NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
552 
553 			session->srv_secmode = secmode;
554 		}
555 
556 		/*
557 		 * Does the client want Extended Security?
558 		 * (and if we have it enabled)
559 		 * If so, handle as if a different dialect.
560 		 */
561 		if ((sr->smb_flg2 & SMB_FLAGS2_EXT_SEC) != 0 &&
562 		    (negprot->ni_capabilities & CAP_EXTENDED_SECURITY) != 0)
563 			goto NT_LM_0_12_ext_sec;
564 
565 		/* Else deny knowledge of extended security. */
566 		sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC;
567 		negprot->ni_capabilities &= ~CAP_EXTENDED_SECURITY;
568 
569 		/*
570 		 * nbdomain is not expected to be aligned.
571 		 * Use temporary buffer to avoid alignment padding
572 		 */
573 		wclen = smb_wcequiv_strlen(nbdomain) + sizeof (smb_wchar_t);
574 		wcbuf = smb_srm_zalloc(sr, wclen);
575 		smb_msgbuf_init(&mb, wcbuf, wclen, SMB_MSGBUF_UNICODE);
576 		if (smb_msgbuf_encode(&mb, "U", nbdomain) < 0) {
577 			smb_msgbuf_term(&mb);
578 			smbsr_error(sr, 0, ERRSRV, ERRerror);
579 			return (SDRC_ERROR);
580 		}
581 
582 		rc = smbsr_encode_result(sr, 17, VAR_BCC,
583 		    "bwbwwllllTwbw#c#c",
584 		    17,				/* wct */
585 		    negprot->ni_index,		/* dialect index */
586 		    secmode,			/* security mode */
587 		    negprot->ni_maxmpxcount,	/* max MPX */
588 		    1,				/* max VCs */
589 		    (DWORD)smb_maxbufsize,	/* max buffer size */
590 		    0xFFFF,			/* max raw size */
591 		    sesskey,			/* session key */
592 		    negprot->ni_capabilities,
593 		    &negprot->ni_servertime,	/* system time */
594 		    negprot->ni_tzcorrection,
595 		    negprot->ni_keylen,		/* encryption key length */
596 		    VAR_BCC,
597 		    (int)negprot->ni_keylen,
598 		    negprot->ni_key,		/* encryption key */
599 		    wclen,
600 		    wcbuf);			/* nbdomain (unicode) */
601 
602 		smb_msgbuf_term(&mb);
603 		break;
604 
605 NT_LM_0_12_ext_sec:
606 		/*
607 		 * This is the "Extended Security" variant of
608 		 * dialect NT_LM_0_12.
609 		 */
610 		rc = smbsr_encode_result(sr, 17, VAR_BCC,
611 		    "bwbwwllllTwbw#c#c",
612 		    17,				/* wct */
613 		    negprot->ni_index,		/* dialect index */
614 		    secmode,			/* security mode */
615 		    negprot->ni_maxmpxcount,	/* max MPX */
616 		    1,				/* max VCs */
617 		    (DWORD)smb_maxbufsize,	/* max buffer size */
618 		    0xFFFF,			/* max raw size */
619 		    sesskey,			/* session key */
620 		    negprot->ni_capabilities,
621 		    &negprot->ni_servertime,	/* system time */
622 		    negprot->ni_tzcorrection,
623 		    0,		/* encryption key length (MBZ) */
624 		    VAR_BCC,
625 		    UUID_LEN,
626 		    sr->sr_cfg->skc_machine_uuid,
627 		    sr->sr_cfg->skc_negtok_len,
628 		    sr->sr_cfg->skc_negtok);
629 		break;
630 
631 
632 	default:
633 		rc = smbsr_encode_result(sr, 1, 0, "bww", 1, -1, 0);
634 		break;
635 	}
636 
637 	if (rc != 0)
638 		return (SDRC_ERROR);
639 
640 	/*
641 	 * Save the agreed dialect. Note that the state is also
642 	 * used to detect and reject attempts to re-negotiate.
643 	 */
644 	session->dialect = negprot->ni_dialect;
645 	session->s_state = SMB_SESSION_STATE_NEGOTIATED;
646 
647 	/* Allow normal SMB1 requests now. */
648 	session->newrq_func = smb1sr_newrq;
649 
650 	return (SDRC_SUCCESS);
651 }
652 
653 static int
654 smb_xlate_dialect(const char *dialect)
655 {
656 	const smb_xlate_t *dp;
657 	int		i;
658 
659 	for (i = 0; i < smb_ndialects; ++i) {
660 		dp = &smb_dialect[i];
661 
662 		if (strcmp(dp->str, dialect) == 0)
663 			return (dp->code);
664 	}
665 
666 	return (-1);
667 }
668