1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 /* 26 * Notes on the virtual circuit (VC) values in the SMB Negotiate 27 * response and SessionSetupAndx request. 28 * 29 * A virtual circuit (VC) represents a connection between a client and a 30 * server using a reliable, session oriented transport protocol, such as 31 * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a 32 * single underlying transport connection, i.e. a single NetBIOS session, 33 * which limited performance for raw data transfers. 34 * 35 * The intention behind multiple VCs was to improve performance by 36 * allowing parallelism over each NetBIOS session. For example, raw data 37 * could be transmitted using a different VC from other types of SMB 38 * requests to remove the interleaving restriction while a raw transfer 39 * is in progress. So the MaxNumberVcs field was added to the negotiate 40 * response to make the number of VCs configurable and to allow servers 41 * to specify how many they were prepared to support per session 42 * connection. This turned out to be difficult to manage and, with 43 * technology improvements, it has become obsolete. 44 * 45 * Servers should set the MaxNumberVcs value in the Negotiate response 46 * to 1. Clients should probably ignore it. If a server receives a 47 * SessionSetupAndx with a VC value of 0, it should close all other 48 * VCs to that client. If it receives a non-zero VC, it should leave 49 * other VCs in tact. 50 * 51 */ 52 53 /* 54 * SMB: negotiate 55 * 56 * Client Request Description 57 * ============================ ======================================= 58 * 59 * UCHAR WordCount; Count of parameter words = 0 60 * USHORT ByteCount; Count of data bytes; min = 2 61 * struct { 62 * UCHAR BufferFormat; 0x02 -- Dialect 63 * UCHAR DialectName[]; ASCII null-terminated string 64 * } Dialects[]; 65 * 66 * The Client sends a list of dialects that it can communicate with. The 67 * response is a selection of one of those dialects (numbered 0 through n) 68 * or -1 (hex FFFF) indicating that none of the dialects were acceptable. 69 * The negotiate message is binding on the virtual circuit and must be 70 * sent. One and only one negotiate message may be sent, subsequent 71 * negotiate requests will be rejected with an error response and no action 72 * will be taken. 73 * 74 * The protocol does not impose any particular structure to the dialect 75 * strings. Implementors of particular protocols may choose to include, 76 * for example, version numbers in the string. 77 * 78 * If the server does not understand any of the dialect strings, or if PC 79 * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is 80 * 81 * Server Response Description 82 * ============================ ======================================= 83 * 84 * UCHAR WordCount; Count of parameter words = 1 85 * USHORT DialectIndex; Index of selected dialect 86 * USHORT ByteCount; Count of data bytes = 0 87 * 88 * If the chosen dialect is greater than core up to and including 89 * LANMAN2.1, the protocol response format is 90 * 91 * Server Response Description 92 * ============================ ======================================= 93 * 94 * UCHAR WordCount; Count of parameter words = 13 95 * USHORT DialectIndex; Index of selected dialect 96 * USHORT SecurityMode; Security mode: 97 * bit 0: 0 = share, 1 = user 98 * bit 1: 1 = use challenge/response 99 * authentication 100 * USHORT MaxBufferSize; Max transmit buffer size (>= 1024) 101 * USHORT MaxMpxCount; Max pending multiplexed requests 102 * USHORT MaxNumberVcs; Max VCs between client and server 103 * USHORT RawMode; Raw modes supported: 104 * bit 0: 1 = Read Raw supported 105 * bit 1: 1 = Write Raw supported 106 * ULONG SessionKey; Unique token identifying this session 107 * SMB_TIME ServerTime; Current time at server 108 * SMB_DATE ServerDate; Current date at server 109 * USHORT ServerTimeZone; Current time zone at server 110 * USHORT EncryptionKeyLength; MBZ if this is not LM2.1 111 * USHORT Reserved; MBZ 112 * USHORT ByteCount Count of data bytes 113 * UCHAR EncryptionKey[]; The challenge encryption key 114 * STRING PrimaryDomain[]; The server's primary domain 115 * 116 * MaxBufferSize is the size of the largest message which the client can 117 * legitimately send to the server 118 * 119 * If bit0 of the Flags field is set in the negotiate response, this 120 * indicates the server supports the SMB_COM_LOCK_AND_READ and 121 * SMB_COM_WRITE_AND_UNLOCK client requests. 122 * 123 * If the SecurityMode field indicates the server is running in user mode, 124 * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests 125 * before the server will allow the client to access resources. If the 126 * SecurityMode fields indicates the client should use challenge/response 127 * authentication, the client should use the authentication mechanism 128 * specified in section 2.10. 129 * 130 * Clients should submit no more than MaxMpxCount distinct unanswered SMBs 131 * to the server when using multiplexed reads or writes (see sections 5.13 132 * and 5.25) 133 * 134 * Clients using the "MICROSOFT NETWORKS 1.03" dialect use a different 135 * form of raw reads than documented here, and servers are better off 136 * setting RawMode in this response to 0 for such sessions. 137 * 138 * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then 139 * PrimaryDomain string should be included in this response. 140 * 141 * If the negotiated dialect is NT LM 0.12, the response format is 142 * 143 * Server Response Description 144 * ========================== ========================================= 145 * 146 * UCHAR WordCount; Count of parameter words = 17 147 * USHORT DialectIndex; Index of selected dialect 148 * UCHAR SecurityMode; Security mode: 149 * bit 0: 0 = share, 1 = user 150 * bit 1: 1 = encrypt passwords 151 * USHORT MaxMpxCount; Max pending multiplexed requests 152 * USHORT MaxNumberVcs; Max VCs between client and server 153 * ULONG MaxBufferSize; Max transmit buffer size 154 * ULONG MaxRawSize; Maximum raw buffer size 155 * ULONG SessionKey; Unique token identifying this session 156 * ULONG Capabilities; Server capabilities 157 * ULONG SystemTimeLow; System (UTC) time of the server (low). 158 * ULONG SystemTimeHigh; System (UTC) time of the server (high). 159 * USHORT ServerTimeZone; Time zone of server (min from UTC) 160 * UCHAR EncryptionKeyLength; Length of encryption key. 161 * USHORT ByteCount; Count of data bytes 162 * UCHAR EncryptionKey[]; The challenge encryption key 163 * UCHAR OemDomainName[]; The name of the domain (in OEM chars) 164 * 165 * In addition to the definitions above, MaxBufferSize is the size of the 166 * largest message which the client can legitimately send to the server. 167 * If the client is using a connectionless protocol, MaxBufferSize must be 168 * set to the smaller of the server's internal buffer size and the amount 169 * of data which can be placed in a response packet. 170 * 171 * MaxRawSize specifies the maximum message size the server can send or 172 * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW. 173 * 174 * Connectionless clients must set Sid to 0 in the SMB request header. 175 * 176 * Capabilities allows the server to tell the client what it supports. 177 * The bit definitions defined in smb.h. Bit 0x2000 used to be set in 178 * the negotiate response capabilities but it caused problems with 179 * Windows 2000. It is probably not valid, it doesn't appear in the 180 * CIFS spec. 181 * 182 * 4.1.1.1 Errors 183 * 184 * SUCCESS/SUCCESS 185 * ERRSRV/ERRerror 186 */ 187 #include <sys/types.h> 188 #include <sys/strsubr.h> 189 #include <sys/socketvar.h> 190 #include <sys/socket.h> 191 #include <sys/random.h> 192 #include <netinet/in.h> 193 #include <smbsrv/smb_kproto.h> 194 #include <smbsrv/smbinfo.h> 195 196 static smb_xlate_t smb_dialect[] = { 197 { DIALECT_UNKNOWN, "DIALECT_UNKNOWN" }, 198 { PC_NETWORK_PROGRAM_1_0, "PC NETWORK PROGRAM 1.0" }, 199 { PCLAN1_0, "PCLAN1.0" }, 200 { MICROSOFT_NETWORKS_1_03, "MICROSOFT NETWORKS 1.03" }, 201 { MICROSOFT_NETWORKS_3_0, "MICROSOFT NETWORKS 3.0" }, 202 { LANMAN1_0, "LANMAN1.0" }, 203 { LM1_2X002, "LM1.2X002" }, 204 { DOS_LM1_2X002, "DOS LM1.2X002" }, 205 { DOS_LANMAN2_1, "DOS LANMAN2.1" }, 206 { LANMAN2_1, "LANMAN2.1" }, 207 { Windows_for_Workgroups_3_1a, "Windows for Workgroups 3.1a" }, 208 { NT_LM_0_12, "NT LM 0.12" } 209 }; 210 211 /* 212 * Maximum buffer size for DOS: chosen to be the same as NT. 213 * Do not change this value, DOS is very sensitive to it. 214 */ 215 #define SMB_DOS_MAXBUF 0x1104 216 217 /* 218 * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems 219 * with other values. DOS 6.1 seems to depend on a window value of 8700 to 220 * send the next set of data. If we return a window value of 40KB, after 221 * sending 8700 bytes of data, it will start the next set of data from 40KB 222 * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses. 223 * September 2000. 224 * 225 * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow 226 * for a larger TCP window sizei based on observations of Windows 2000 and 227 * performance testing. March 2003. 228 */ 229 static uint32_t smb_dos_tcp_rcvbuf = 8700; 230 static uint32_t smb_nt_tcp_rcvbuf = 1048560; /* scale factor of 4 */ 231 232 static void smb_negotiate_genkey(smb_request_t *); 233 static int smb_xlate_dialect(const char *); 234 235 int smb_cap_passthru = 1; 236 237 smb_sdrc_t 238 smb_pre_negotiate(smb_request_t *sr) 239 { 240 smb_arg_negotiate_t *negprot; 241 int dialect; 242 int pos; 243 int rc = 0; 244 245 negprot = smb_srm_zalloc(sr, sizeof (smb_arg_negotiate_t)); 246 negprot->ni_index = -1; 247 sr->sr_negprot = negprot; 248 249 for (pos = 0; smbsr_decode_data_avail(sr); pos++) { 250 if (smbsr_decode_data(sr, "%L", sr, &negprot->ni_name) != 0) { 251 smbsr_error(sr, 0, ERRSRV, ERRerror); 252 rc = -1; 253 break; 254 } 255 256 if ((dialect = smb_xlate_dialect(negprot->ni_name)) < 0) 257 continue; 258 259 if (negprot->ni_dialect < dialect) { 260 negprot->ni_dialect = dialect; 261 negprot->ni_index = pos; 262 } 263 } 264 265 DTRACE_SMB_2(op__Negotiate__start, smb_request_t *, sr, 266 smb_arg_negotiate_t, negprot); 267 smb_rwx_rwenter(&sr->session->s_lock, RW_WRITER); 268 return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR); 269 } 270 271 void 272 smb_post_negotiate(smb_request_t *sr) 273 { 274 smb_arg_negotiate_t *negprot = sr->sr_negprot; 275 276 DTRACE_SMB_2(op__Negotiate__done, smb_request_t *, sr, 277 smb_arg_negotiate_t, negprot); 278 smb_rwx_rwexit(&sr->session->s_lock); 279 280 bzero(negprot, sizeof (smb_arg_negotiate_t)); 281 } 282 283 smb_sdrc_t 284 smb_com_negotiate(smb_request_t *sr) 285 { 286 smb_arg_negotiate_t *negprot = sr->sr_negprot; 287 uint16_t secmode; 288 uint16_t rawmode = 0; 289 uint32_t sesskey; 290 char ipaddr_buf[INET6_ADDRSTRLEN]; 291 char *nbdomain; 292 uint8_t *wcbuf; 293 int wclen; 294 smb_msgbuf_t mb; 295 int rc; 296 297 if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) { 298 /* The protocol has already been negotiated. */ 299 smbsr_error(sr, 0, ERRSRV, ERRerror); 300 return (SDRC_ERROR); 301 } 302 303 sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE | 304 NEGOTIATE_SECURITY_USER_LEVEL; 305 secmode = sr->session->secmode; 306 307 smb_negotiate_genkey(sr); 308 sesskey = sr->session->sesskey; 309 310 (void) microtime(&negprot->ni_servertime); 311 negprot->ni_tzcorrection = sr->sr_gmtoff / 60; 312 negprot->ni_maxmpxcount = sr->sr_cfg->skc_maxworkers; 313 nbdomain = sr->sr_cfg->skc_nbdomain; 314 315 /* 316 * UNICODE support is required for long share names, 317 * long file names and streams. 318 */ 319 negprot->ni_capabilities = CAP_LARGE_FILES 320 | CAP_UNICODE 321 | CAP_NT_SMBS 322 | CAP_STATUS32 323 | CAP_NT_FIND 324 | CAP_LEVEL_II_OPLOCKS 325 | CAP_LOCK_AND_READ 326 | CAP_RPC_REMOTE_APIS 327 | CAP_LARGE_READX 328 | CAP_LARGE_WRITEX 329 | CAP_DFS; 330 331 if (smb_raw_mode) { 332 negprot->ni_capabilities |= CAP_RAW_MODE; 333 rawmode = 3; 334 } 335 336 if (smb_cap_passthru) 337 negprot->ni_capabilities |= CAP_INFOLEVEL_PASSTHRU; 338 else 339 cmn_err(CE_NOTE, "smbsrv: cap passthru is %s", 340 (negprot->ni_capabilities & CAP_INFOLEVEL_PASSTHRU) ? 341 "enabled" : "disabled"); 342 343 (void) smb_inet_ntop(&sr->session->ipaddr, ipaddr_buf, 344 SMB_IPSTRLEN(sr->session->ipaddr.a_family)); 345 346 switch (negprot->ni_dialect) { 347 case PC_NETWORK_PROGRAM_1_0: /* core */ 348 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET, 349 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf, 350 sizeof (smb_dos_tcp_rcvbuf), CRED()); 351 rc = smbsr_encode_result(sr, 1, 0, "bww", 1, 352 negprot->ni_index, 0); 353 break; 354 355 case Windows_for_Workgroups_3_1a: 356 case PCLAN1_0: 357 case MICROSOFT_NETWORKS_1_03: 358 case MICROSOFT_NETWORKS_3_0: 359 case LANMAN1_0: 360 case LM1_2X002: 361 case DOS_LM1_2X002: 362 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET, 363 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf, 364 sizeof (smb_dos_tcp_rcvbuf), CRED()); 365 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK; 366 rc = smbsr_encode_result(sr, 13, VAR_BCC, 367 "bwwwwwwlYww2.w#c", 368 13, /* wct */ 369 negprot->ni_index, /* dialect index */ 370 secmode, /* security mode */ 371 SMB_DOS_MAXBUF, /* max buffer size */ 372 1, /* max MPX */ 373 1, /* max VCs */ 374 rawmode, /* read/write raw (s/b 3) */ 375 sesskey, /* session key */ 376 negprot->ni_servertime.tv_sec, /* server date/time */ 377 negprot->ni_tzcorrection, 378 (uint16_t)negprot->ni_keylen, /* encryption key length */ 379 /* reserved field handled 2. */ 380 VAR_BCC, 381 (int)negprot->ni_keylen, 382 negprot->ni_key); /* encryption key */ 383 break; 384 385 case DOS_LANMAN2_1: 386 case LANMAN2_1: 387 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET, 388 SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf, 389 sizeof (smb_dos_tcp_rcvbuf), CRED()); 390 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK; 391 rc = smbsr_encode_result(sr, 13, VAR_BCC, 392 "bwwwwwwlYww2.w#cs", 393 13, /* wct */ 394 negprot->ni_index, /* dialect index */ 395 secmode, /* security mode */ 396 SMB_DOS_MAXBUF, /* max buffer size */ 397 1, /* max MPX */ 398 1, /* max VCs */ 399 rawmode, /* read/write raw (s/b 3) */ 400 sesskey, /* session key */ 401 negprot->ni_servertime.tv_sec, /* server date/time */ 402 negprot->ni_tzcorrection, 403 (uint16_t)negprot->ni_keylen, /* encryption key length */ 404 /* reserved field handled 2. */ 405 VAR_BCC, 406 (int)negprot->ni_keylen, 407 negprot->ni_key, /* encryption key */ 408 nbdomain); 409 break; 410 411 case NT_LM_0_12: 412 (void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET, 413 SO_RCVBUF, (const void *)&smb_nt_tcp_rcvbuf, 414 sizeof (smb_nt_tcp_rcvbuf), CRED()); 415 416 /* 417 * Turn off Extended Security Negotiation 418 */ 419 sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC; 420 421 /* 422 * Allow SMB signatures if security challenge response enabled 423 */ 424 if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && 425 sr->sr_cfg->skc_signing_enable) { 426 secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED; 427 if (sr->sr_cfg->skc_signing_required) 428 secmode |= 429 NEGOTIATE_SECURITY_SIGNATURES_REQUIRED; 430 431 sr->session->secmode = secmode; 432 } 433 434 /* 435 * nbdomain is not expected to be aligned. 436 * Use temporary buffer to avoid alignment padding 437 */ 438 wclen = smb_wcequiv_strlen(nbdomain) + sizeof (smb_wchar_t); 439 wcbuf = smb_srm_zalloc(sr, wclen); 440 smb_msgbuf_init(&mb, wcbuf, wclen, SMB_MSGBUF_UNICODE); 441 if (smb_msgbuf_encode(&mb, "U", nbdomain) < 0) { 442 smb_msgbuf_term(&mb); 443 smbsr_error(sr, 0, ERRSRV, ERRerror); 444 return (SDRC_ERROR); 445 } 446 447 rc = smbsr_encode_result(sr, 17, VAR_BCC, 448 "bwbwwllllTwbw#c#c", 449 17, /* wct */ 450 negprot->ni_index, /* dialect index */ 451 secmode, /* security mode */ 452 negprot->ni_maxmpxcount, /* max MPX */ 453 1, /* max VCs */ 454 (DWORD)smb_maxbufsize, /* max buffer size */ 455 0xFFFF, /* max raw size */ 456 sesskey, /* session key */ 457 negprot->ni_capabilities, 458 &negprot->ni_servertime, /* system time */ 459 negprot->ni_tzcorrection, 460 negprot->ni_keylen, /* encryption key length */ 461 VAR_BCC, 462 (int)negprot->ni_keylen, 463 negprot->ni_key, /* encryption key */ 464 wclen, 465 wcbuf); /* nbdomain (unicode) */ 466 467 smb_msgbuf_term(&mb); 468 break; 469 470 default: 471 rc = smbsr_encode_result(sr, 1, 0, "bww", 1, -1, 0); 472 return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR); 473 } 474 475 if (rc != 0) 476 return (SDRC_ERROR); 477 478 /* 479 * Save the agreed dialect. Note that this value is also 480 * used to detect and reject attempts to re-negotiate. 481 */ 482 sr->session->dialect = negprot->ni_dialect; 483 sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED; 484 return (SDRC_SUCCESS); 485 } 486 487 static void 488 smb_negotiate_genkey(smb_request_t *sr) 489 { 490 smb_arg_negotiate_t *negprot = sr->sr_negprot; 491 uint8_t tmp_key[8]; 492 493 (void) random_get_pseudo_bytes(tmp_key, 8); 494 bcopy(tmp_key, &sr->session->challenge_key, 8); 495 sr->session->challenge_len = 8; 496 negprot->ni_keylen = 8; 497 bcopy(tmp_key, negprot->ni_key, 8); 498 499 (void) random_get_pseudo_bytes(tmp_key, 4); 500 sr->session->sesskey = tmp_key[0] | tmp_key[1] << 8 | 501 tmp_key[2] << 16 | tmp_key[3] << 24; 502 } 503 504 static int 505 smb_xlate_dialect(const char *dialect) 506 { 507 smb_xlate_t *dp; 508 int i; 509 510 for (i = 0; i < sizeof (smb_dialect) / sizeof (smb_dialect[0]); ++i) { 511 dp = &smb_dialect[i]; 512 513 if (strcmp(dp->str, dialect) == 0) 514 return (dp->code); 515 } 516 517 return (-1); 518 } 519