xref: /illumos-gate/usr/src/uts/common/fs/smbsrv/smb_negotiate.c (revision d0f40dc6a997c84bacf5f9ba83d57a95495c399b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Notes on the virtual circuit (VC) values in the SMB Negotiate
28  * response and SessionSetupAndx request.
29  *
30  * A virtual circuit (VC) represents a connection between a client and a
31  * server using a reliable, session oriented transport protocol, such as
32  * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a
33  * single underlying transport connection, i.e. a single NetBIOS session,
34  * which limited performance for raw data transfers.
35  *
36  * The intention behind multiple VCs was to improve performance by
37  * allowing parallelism over each NetBIOS session. For example, raw data
38  * could be transmitted using a different VC from other types of SMB
39  * requests to remove the interleaving restriction while a raw transfer
40  * is in progress. So the MaxNumberVcs field was added to the negotiate
41  * response to make the number of VCs configurable and to allow servers
42  * to specify how many they were prepared to support per session
43  * connection. This turned out to be difficult to manage and, with
44  * technology improvements, it has become obsolete.
45  *
46  * Servers should set the MaxNumberVcs value in the Negotiate response
47  * to 1. Clients should probably ignore it. If a server receives a
48  * SessionSetupAndx with a VC value of 0, it should close all other
49  * VCs to that client. If it receives a non-zero VC, it should leave
50  * other VCs in tact.
51  *
52  */
53 
54 /*
55  * SMB: negotiate
56  *
57  * Client Request                Description
58  * ============================  =======================================
59  *
60  * UCHAR WordCount;              Count of parameter words = 0
61  * USHORT ByteCount;             Count of data bytes; min = 2
62  * struct {
63  *    UCHAR BufferFormat;        0x02 -- Dialect
64  *    UCHAR DialectName[];       ASCII null-terminated string
65  * } Dialects[];
66  *
67  * The Client sends a list of dialects that it can communicate with.  The
68  * response is a selection of one of those dialects (numbered 0 through n)
69  * or -1 (hex FFFF) indicating that none of the dialects were acceptable.
70  * The negotiate message is binding on the virtual circuit and must be
71  * sent.  One and only one negotiate message may be sent, subsequent
72  * negotiate requests will be rejected with an error response and no action
73  * will be taken.
74  *
75  * The protocol does not impose any particular structure to the dialect
76  * strings.  Implementors of particular protocols may choose to include,
77  * for example, version numbers in the string.
78  *
79  * If the server does not understand any of the dialect strings, or if PC
80  * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is
81  *
82  * Server Response               Description
83  * ============================  =======================================
84  *
85  * UCHAR WordCount;              Count of parameter words = 1
86  * USHORT DialectIndex;          Index of selected dialect
87  * USHORT ByteCount;             Count of data bytes = 0
88  *
89  * If the chosen dialect is greater than core up to and including
90  * LANMAN2.1, the protocol response format is
91  *
92  * Server Response               Description
93  * ============================  =======================================
94  *
95  * UCHAR WordCount;              Count of parameter words = 13
96  * USHORT  DialectIndex;         Index of selected dialect
97  * USHORT  SecurityMode;         Security mode:
98  *                               bit 0: 0 = share, 1 = user
99  *                               bit 1: 1 = use challenge/response
100  *                               authentication
101  * USHORT  MaxBufferSize;        Max transmit buffer size (>= 1024)
102  * USHORT  MaxMpxCount;          Max pending multiplexed requests
103  * USHORT  MaxNumberVcs;         Max VCs between client and server
104  * USHORT  RawMode;              Raw modes supported:
105  *                                bit 0: 1 = Read Raw supported
106  *                                bit 1: 1 = Write Raw supported
107  * ULONG SessionKey;             Unique token identifying this session
108  * SMB_TIME ServerTime;          Current time at server
109  * SMB_DATE ServerDate;          Current date at server
110  * USHORT ServerTimeZone;        Current time zone at server
111  * USHORT  EncryptionKeyLength;  MBZ if this is not LM2.1
112  * USHORT  Reserved;             MBZ
113  * USHORT  ByteCount             Count of data bytes
114  * UCHAR EncryptionKey[];        The challenge encryption key
115  * STRING PrimaryDomain[];       The server's primary domain
116  *
117  * MaxBufferSize is the size of the largest message which the client can
118  * legitimately send to the server
119  *
120  * If  bit0 of the Flags field is set in the negotiate response, this
121  * indicates the server supports the SMB_COM_LOCK_AND_READ and
122  * SMB_COM_WRITE_AND_UNLOCK client requests.
123  *
124  * If the SecurityMode field indicates the server is running in user mode,
125  * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests
126  * before the server will allow the client to access resources.   If the
127  * SecurityMode fields indicates the client should use challenge/response
128  * authentication, the client should use the authentication mechanism
129  * specified in section 2.10.
130  *
131  * Clients should submit no more than MaxMpxCount distinct unanswered SMBs
132  * to the server when using multiplexed reads or writes (see sections 5.13
133  * and 5.25)
134  *
135  * Clients using the  "MICROSOFT NETWORKS 1.03" dialect use a different
136  * form of raw reads than documented here, and servers are better off
137  * setting RawMode in this response to 0 for such sessions.
138  *
139  * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then
140  * PrimaryDomain string should be included in this response.
141  *
142  * If the negotiated dialect is NT LM 0.12, the response format is
143  *
144  * Server Response            Description
145  * ========================== =========================================
146  *
147  * UCHAR WordCount;           Count of parameter words = 17
148  * USHORT DialectIndex;       Index of selected dialect
149  * UCHAR SecurityMode;        Security mode:
150  *                             bit 0: 0 = share, 1 = user
151  *                             bit 1: 1 = encrypt passwords
152  * USHORT MaxMpxCount;        Max pending multiplexed requests
153  * USHORT MaxNumberVcs;       Max VCs between client and server
154  * ULONG MaxBufferSize;       Max transmit buffer size
155  * ULONG MaxRawSize;          Maximum raw buffer size
156  * ULONG SessionKey;          Unique token identifying this session
157  * ULONG Capabilities;        Server capabilities
158  * ULONG SystemTimeLow;       System (UTC) time of the server (low).
159  * ULONG SystemTimeHigh;      System (UTC) time of the server (high).
160  * USHORT ServerTimeZone;     Time zone of server (min from UTC)
161  * UCHAR EncryptionKeyLength; Length of encryption key.
162  * USHORT ByteCount;          Count of data bytes
163  * UCHAR EncryptionKey[];     The challenge encryption key
164  * UCHAR OemDomainName[];     The name of the domain (in OEM chars)
165  *
166  * In addition to the definitions above, MaxBufferSize is the size of the
167  * largest message which the client can legitimately send to the server.
168  * If the client is using a connectionless protocol,  MaxBufferSize must be
169  * set to the smaller of the server's internal buffer size and the amount
170  * of data which can be placed in a response packet.
171  *
172  * MaxRawSize specifies the maximum message size the server can send or
173  * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW.
174  *
175  * Connectionless clients must set Sid to 0 in the SMB request header.
176  *
177  * Capabilities allows the server to tell the client what it supports.
178  * The bit definitions defined in smb.h. Bit 0x2000 used to be set in
179  * the negotiate response capabilities but it caused problems with
180  * Windows 2000. It is probably not valid, it doesn't appear in the
181  * CIFS spec.
182  *
183  * 4.1.1.1   Errors
184  *
185  * SUCCESS/SUCCESS
186  * ERRSRV/ERRerror
187  */
188 #include <sys/types.h>
189 #include <sys/strsubr.h>
190 #include <sys/socketvar.h>
191 #include <sys/socket.h>
192 #include <sys/random.h>
193 #include <netinet/in.h>
194 #include <smbsrv/smb_kproto.h>
195 #include <smbsrv/smbinfo.h>
196 
197 /*
198  * Maximum buffer size for DOS: chosen to be the same as NT.
199  * Do not change this value, DOS is very sensitive to it.
200  */
201 #define	SMB_DOS_MAXBUF			0x1104
202 
203 /*
204  * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems
205  * with other values. DOS 6.1 seems to depend on a window value of 8700 to
206  * send the next set of data. If we return a window value of 40KB, after
207  * sending 8700 bytes of data, it will start the next set of data from 40KB
208  * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses.
209  * September 2000.
210  *
211  * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow
212  * for a larger TCP window sizei based on observations of Windows 2000 and
213  * performance testing. March 2003.
214  */
215 static uint32_t	smb_dos_tcp_rcvbuf = 8700;
216 static uint32_t	smb_nt_tcp_rcvbuf = 1048560;	/* scale factor of 4 */
217 
218 static void smb_get_security_info(smb_request_t *, unsigned short *,
219     unsigned char *, unsigned char *, uint32_t *);
220 
221 int smb_cap_passthru = 1;
222 
223 /*
224  * Function: int smb_com_negotiate(struct smb_request *)
225  */
226 smb_sdrc_t
227 smb_pre_negotiate(smb_request_t *sr)
228 {
229 	DTRACE_SMB_1(op__Negotiate__start, smb_request_t *, sr);
230 	smb_rwx_rwenter(&sr->session->s_lock, RW_WRITER);
231 	return (SDRC_SUCCESS);
232 }
233 
234 void
235 smb_post_negotiate(smb_request_t *sr)
236 {
237 	DTRACE_SMB_1(op__Negotiate__done, smb_request_t *, sr);
238 	smb_rwx_rwexit(&sr->session->s_lock);
239 }
240 
241 smb_sdrc_t
242 smb_com_negotiate(smb_request_t *sr)
243 {
244 	int			dialect = 0;
245 	int			this_dialect;
246 	unsigned char		keylen;
247 	int			sel_pos = -1;
248 	int			pos;
249 	char 			key[32];
250 	char			*p;
251 	timestruc_t		time_val;
252 	unsigned short		secmode;
253 	uint32_t		sesskey;
254 	uint32_t		capabilities = 0;
255 	int			rc;
256 	unsigned short		max_mpx_count;
257 	int16_t			tz_correction;
258 	char			ipaddr_buf[INET6_ADDRSTRLEN];
259 	char			*tmpbuf;
260 	int			buflen;
261 	smb_msgbuf_t		mb;
262 
263 	if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) {
264 		/* The protocol has already been negotiated. */
265 		smbsr_error(sr, 0, ERRSRV, ERRerror);
266 		return (SDRC_ERROR);
267 	}
268 
269 	for (pos = 0;
270 	    sr->smb_data.chain_offset < sr->smb_data.max_bytes;
271 	    pos++) {
272 		if (smb_mbc_decodef(&sr->smb_data, "%L", sr, &p) != 0) {
273 			smbsr_error(sr, 0, ERRSRV, ERRerror);
274 			return (SDRC_ERROR);
275 		}
276 
277 		this_dialect = smb_xlate_dialect_str_to_cd(p);
278 
279 		if (this_dialect < 0)
280 			continue;
281 
282 		if (dialect < this_dialect) {
283 			dialect = this_dialect;
284 			sel_pos = pos;
285 		}
286 	}
287 
288 	smb_get_security_info(sr, &secmode, (unsigned char *)key,
289 	    &keylen, &sesskey);
290 
291 	(void) microtime(&time_val);
292 	tz_correction = sr->sr_gmtoff / 60;
293 
294 	switch (dialect) {
295 	case PC_NETWORK_PROGRAM_1_0:	/* core */
296 		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
297 		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
298 		    sizeof (smb_dos_tcp_rcvbuf), CRED());
299 		rc = smbsr_encode_result(sr, 1, 0, "bww", 1, sel_pos, 0);
300 		break;
301 
302 	case Windows_for_Workgroups_3_1a:
303 	case PCLAN1_0:
304 	case MICROSOFT_NETWORKS_1_03:
305 	case MICROSOFT_NETWORKS_3_0:
306 	case LANMAN1_0:
307 	case LM1_2X002:
308 	case DOS_LM1_2X002:
309 		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
310 		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
311 		    sizeof (smb_dos_tcp_rcvbuf), CRED());
312 		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
313 		rc = smbsr_encode_result(sr, 13, VAR_BCC,
314 		    "bwwwwwwlYww2.w#c",
315 		    13,		/* wct */
316 		    sel_pos,	/* dialect index */
317 		    secmode,		/* security mode */
318 		    SMB_DOS_MAXBUF,	/* max buffer size */
319 		    1,		/* max MPX (temporary) */
320 		    1,		/* max VCs (temporary, ambiguous) */
321 		    3,		/* raw mode (s/b 3) */
322 		    sesskey,	/* session key */
323 		    time_val.tv_sec, /* server time/date */
324 		    tz_correction,
325 		    (short)keylen,	/* Encryption Key Length */
326 				/* reserved field handled 2. */
327 		    VAR_BCC,
328 		    (int)keylen,
329 		    key);		/* encryption key */
330 		break;
331 
332 	case DOS_LANMAN2_1:
333 	case LANMAN2_1:
334 		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
335 		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
336 		    sizeof (smb_dos_tcp_rcvbuf), CRED());
337 		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
338 		rc = smbsr_encode_result(sr, 13, VAR_BCC,
339 		    "bwwwwwwlYww2.w#cs",
340 		    13,		/* wct */
341 		    sel_pos,	/* dialect index */
342 		    secmode,		/* security mode */
343 		    SMB_DOS_MAXBUF,	/* max buffer size */
344 		    1,		/* max MPX (temporary) */
345 		    1,		/* max VCs (temporary, ambiguous) */
346 		    3,		/* raw mode (s/b 3) */
347 		    sesskey,	/* session key */
348 		    time_val.tv_sec, /* server time/date */
349 		    tz_correction,
350 		    (short)keylen,	/* Encryption Key Length */
351 				/* reserved field handled 2. */
352 		    VAR_BCC,
353 		    (int)keylen,
354 		    key,		/* encryption key */
355 		    sr->sr_cfg->skc_nbdomain);
356 		break;
357 
358 	case NT_LM_0_12:
359 		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
360 		    SO_RCVBUF, (const void *)&smb_nt_tcp_rcvbuf,
361 		    sizeof (smb_nt_tcp_rcvbuf), CRED());
362 		/*
363 		 * UNICODE support is required for long share names,
364 		 * long file names and streams.
365 		 */
366 		capabilities = CAP_LARGE_FILES
367 		    | CAP_UNICODE
368 		    | CAP_NT_SMBS
369 		    | CAP_STATUS32
370 		    | CAP_NT_FIND
371 		    | CAP_RAW_MODE
372 		    | CAP_LEVEL_II_OPLOCKS
373 		    | CAP_LOCK_AND_READ
374 		    | CAP_RPC_REMOTE_APIS
375 		    | CAP_LARGE_READX
376 		    | CAP_LARGE_WRITEX
377 		    | CAP_DFS;
378 
379 		if (smb_cap_passthru)
380 			capabilities |= CAP_INFOLEVEL_PASSTHRU;
381 		else
382 			cmn_err(CE_NOTE, "smbsrv: cap passthru is %s",
383 			    (capabilities & CAP_INFOLEVEL_PASSTHRU) ?
384 			    "enabled" : "disabled");
385 
386 		/*
387 		 * Turn off Extended Security Negotiation
388 		 */
389 		sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC;
390 
391 		/*
392 		 * Allow SMB signatures if security challenge response enabled
393 		 */
394 		if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) &&
395 		    sr->sr_cfg->skc_signing_enable) {
396 			secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
397 			if (sr->sr_cfg->skc_signing_required)
398 				secmode |=
399 				    NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
400 
401 			sr->session->secmode = secmode;
402 		}
403 		(void) smb_inet_ntop(&sr->session->ipaddr, ipaddr_buf,
404 		    SMB_IPSTRLEN(sr->session->ipaddr.a_family));
405 
406 		max_mpx_count = sr->sr_cfg->skc_maxworkers;
407 
408 		/*
409 		 * skc_nbdomain is not expected to be aligned.
410 		 * Use temporary buffer to avoid alignment padding
411 		 */
412 		buflen = smb_wcequiv_strlen(sr->sr_cfg->skc_nbdomain) +
413 		    sizeof (smb_wchar_t);
414 		tmpbuf = kmem_zalloc(buflen, KM_SLEEP);
415 		smb_msgbuf_init(&mb, (uint8_t *)tmpbuf, buflen,
416 		    SMB_MSGBUF_UNICODE);
417 		if (smb_msgbuf_encode(&mb, "U",
418 		    sr->sr_cfg->skc_nbdomain) < 0) {
419 			smb_msgbuf_term(&mb);
420 			kmem_free(tmpbuf, buflen);
421 			smbsr_error(sr, 0, ERRSRV, ERRerror);
422 			return (SDRC_ERROR);
423 		}
424 
425 		rc = smbsr_encode_result(sr, 17, VAR_BCC,
426 		    "bwbwwllllTwbw#c#c",
427 		    17,		/* wct */
428 		    sel_pos,	/* dialect index */
429 		    secmode,	/* security mode */
430 		    max_mpx_count,		/* max MPX (temporary) */
431 		    1,		/* max VCs (temporary, ambiguous) */
432 		    (DWORD)smb_maxbufsize,	/* max buffer size */
433 		    0xFFFF,	/* max raw size */
434 		    sesskey,	/* session key */
435 		    capabilities,
436 		    &time_val,	/* system time */
437 		    tz_correction,
438 		    keylen,	/* Encryption Key Length */
439 		    VAR_BCC,
440 		    (int)keylen,
441 		    key,	/* encryption key */
442 		    buflen,
443 		    tmpbuf);	/* skc_nbdomain */
444 
445 		smb_msgbuf_term(&mb);
446 		kmem_free(tmpbuf, buflen);
447 		break;
448 
449 	default:
450 		sel_pos = -1;
451 		rc = smbsr_encode_result(sr, 1, 0, "bww", 1, sel_pos, 0);
452 		return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
453 	}
454 
455 	if (rc != 0)
456 		return (SDRC_ERROR);
457 
458 	/*
459 	 * Save the agreed dialect. Note that this value is also
460 	 * used to detect and reject attempts to re-negotiate.
461 	 */
462 	sr->session->dialect = dialect;
463 	sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED;
464 	return (SDRC_SUCCESS);
465 }
466 
467 static void
468 smb_get_security_info(
469     struct smb_request *sr,
470     unsigned short *secmode,
471     unsigned char *key,
472     unsigned char *keylen,
473     uint32_t *sesskey)
474 {
475 	uchar_t tmp_key[8];
476 
477 	(void) random_get_pseudo_bytes(tmp_key, 8);
478 	bcopy(tmp_key, &sr->session->challenge_key, 8);
479 	sr->session->challenge_len = 8;
480 	*keylen = 8;
481 	bcopy(tmp_key, key, 8);
482 
483 	sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE|
484 	    NEGOTIATE_SECURITY_USER_LEVEL;
485 
486 	(void) random_get_pseudo_bytes(tmp_key, 4);
487 	sr->session->sesskey = tmp_key[0] | tmp_key[1] << 8 |
488 	    tmp_key[2] << 16 | tmp_key[3] << 24;
489 
490 	*secmode = sr->session->secmode;
491 	*sesskey = sr->session->sesskey;
492 }
493