xref: /illumos-gate/usr/src/uts/common/fs/smbsrv/smb_negotiate.c (revision e8d80663e4f91871f843bb8ad9108dc0b76dfcf3)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 /*
26  * Notes on the virtual circuit (VC) values in the SMB Negotiate
27  * response and SessionSetupAndx request.
28  *
29  * A virtual circuit (VC) represents a connection between a client and a
30  * server using a reliable, session oriented transport protocol, such as
31  * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a
32  * single underlying transport connection, i.e. a single NetBIOS session,
33  * which limited performance for raw data transfers.
34  *
35  * The intention behind multiple VCs was to improve performance by
36  * allowing parallelism over each NetBIOS session. For example, raw data
37  * could be transmitted using a different VC from other types of SMB
38  * requests to remove the interleaving restriction while a raw transfer
39  * is in progress. So the MaxNumberVcs field was added to the negotiate
40  * response to make the number of VCs configurable and to allow servers
41  * to specify how many they were prepared to support per session
42  * connection. This turned out to be difficult to manage and, with
43  * technology improvements, it has become obsolete.
44  *
45  * Servers should set the MaxNumberVcs value in the Negotiate response
46  * to 1. Clients should probably ignore it. If a server receives a
47  * SessionSetupAndx with a VC value of 0, it should close all other
48  * VCs to that client. If it receives a non-zero VC, it should leave
49  * other VCs in tact.
50  *
51  */
52 
53 /*
54  * SMB: negotiate
55  *
56  * Client Request                Description
57  * ============================  =======================================
58  *
59  * UCHAR WordCount;              Count of parameter words = 0
60  * USHORT ByteCount;             Count of data bytes; min = 2
61  * struct {
62  *    UCHAR BufferFormat;        0x02 -- Dialect
63  *    UCHAR DialectName[];       ASCII null-terminated string
64  * } Dialects[];
65  *
66  * The Client sends a list of dialects that it can communicate with.  The
67  * response is a selection of one of those dialects (numbered 0 through n)
68  * or -1 (hex FFFF) indicating that none of the dialects were acceptable.
69  * The negotiate message is binding on the virtual circuit and must be
70  * sent.  One and only one negotiate message may be sent, subsequent
71  * negotiate requests will be rejected with an error response and no action
72  * will be taken.
73  *
74  * The protocol does not impose any particular structure to the dialect
75  * strings.  Implementors of particular protocols may choose to include,
76  * for example, version numbers in the string.
77  *
78  * If the server does not understand any of the dialect strings, or if PC
79  * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is
80  *
81  * Server Response               Description
82  * ============================  =======================================
83  *
84  * UCHAR WordCount;              Count of parameter words = 1
85  * USHORT DialectIndex;          Index of selected dialect
86  * USHORT ByteCount;             Count of data bytes = 0
87  *
88  * If the chosen dialect is greater than core up to and including
89  * LANMAN2.1, the protocol response format is
90  *
91  * Server Response               Description
92  * ============================  =======================================
93  *
94  * UCHAR WordCount;              Count of parameter words = 13
95  * USHORT  DialectIndex;         Index of selected dialect
96  * USHORT  SecurityMode;         Security mode:
97  *                               bit 0: 0 = share, 1 = user
98  *                               bit 1: 1 = use challenge/response
99  *                               authentication
100  * USHORT  MaxBufferSize;        Max transmit buffer size (>= 1024)
101  * USHORT  MaxMpxCount;          Max pending multiplexed requests
102  * USHORT  MaxNumberVcs;         Max VCs between client and server
103  * USHORT  RawMode;              Raw modes supported:
104  *                                bit 0: 1 = Read Raw supported
105  *                                bit 1: 1 = Write Raw supported
106  * ULONG SessionKey;             Unique token identifying this session
107  * SMB_TIME ServerTime;          Current time at server
108  * SMB_DATE ServerDate;          Current date at server
109  * USHORT ServerTimeZone;        Current time zone at server
110  * USHORT  EncryptionKeyLength;  MBZ if this is not LM2.1
111  * USHORT  Reserved;             MBZ
112  * USHORT  ByteCount             Count of data bytes
113  * UCHAR EncryptionKey[];        The challenge encryption key
114  * STRING PrimaryDomain[];       The server's primary domain
115  *
116  * MaxBufferSize is the size of the largest message which the client can
117  * legitimately send to the server
118  *
119  * If  bit0 of the Flags field is set in the negotiate response, this
120  * indicates the server supports the SMB_COM_LOCK_AND_READ and
121  * SMB_COM_WRITE_AND_UNLOCK client requests.
122  *
123  * If the SecurityMode field indicates the server is running in user mode,
124  * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests
125  * before the server will allow the client to access resources.   If the
126  * SecurityMode fields indicates the client should use challenge/response
127  * authentication, the client should use the authentication mechanism
128  * specified in section 2.10.
129  *
130  * Clients should submit no more than MaxMpxCount distinct unanswered SMBs
131  * to the server when using multiplexed reads or writes (see sections 5.13
132  * and 5.25)
133  *
134  * Clients using the  "MICROSOFT NETWORKS 1.03" dialect use a different
135  * form of raw reads than documented here, and servers are better off
136  * setting RawMode in this response to 0 for such sessions.
137  *
138  * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then
139  * PrimaryDomain string should be included in this response.
140  *
141  * If the negotiated dialect is NT LM 0.12, the response format is
142  *
143  * Server Response            Description
144  * ========================== =========================================
145  *
146  * UCHAR WordCount;           Count of parameter words = 17
147  * USHORT DialectIndex;       Index of selected dialect
148  * UCHAR SecurityMode;        Security mode:
149  *                             bit 0: 0 = share, 1 = user
150  *                             bit 1: 1 = encrypt passwords
151  * USHORT MaxMpxCount;        Max pending multiplexed requests
152  * USHORT MaxNumberVcs;       Max VCs between client and server
153  * ULONG MaxBufferSize;       Max transmit buffer size
154  * ULONG MaxRawSize;          Maximum raw buffer size
155  * ULONG SessionKey;          Unique token identifying this session
156  * ULONG Capabilities;        Server capabilities
157  * ULONG SystemTimeLow;       System (UTC) time of the server (low).
158  * ULONG SystemTimeHigh;      System (UTC) time of the server (high).
159  * USHORT ServerTimeZone;     Time zone of server (min from UTC)
160  * UCHAR EncryptionKeyLength; Length of encryption key.
161  * USHORT ByteCount;          Count of data bytes
162  * UCHAR EncryptionKey[];     The challenge encryption key
163  * UCHAR OemDomainName[];     The name of the domain (in OEM chars)
164  *
165  * In addition to the definitions above, MaxBufferSize is the size of the
166  * largest message which the client can legitimately send to the server.
167  * If the client is using a connectionless protocol,  MaxBufferSize must be
168  * set to the smaller of the server's internal buffer size and the amount
169  * of data which can be placed in a response packet.
170  *
171  * MaxRawSize specifies the maximum message size the server can send or
172  * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW.
173  *
174  * Connectionless clients must set Sid to 0 in the SMB request header.
175  *
176  * Capabilities allows the server to tell the client what it supports.
177  * The bit definitions defined in smb.h. Bit 0x2000 used to be set in
178  * the negotiate response capabilities but it caused problems with
179  * Windows 2000. It is probably not valid, it doesn't appear in the
180  * CIFS spec.
181  *
182  * 4.1.1.1   Errors
183  *
184  * SUCCESS/SUCCESS
185  * ERRSRV/ERRerror
186  */
187 #include <sys/types.h>
188 #include <sys/strsubr.h>
189 #include <sys/socketvar.h>
190 #include <sys/socket.h>
191 #include <sys/random.h>
192 #include <netinet/in.h>
193 #include <smbsrv/smb_kproto.h>
194 #include <smbsrv/smbinfo.h>
195 
196 static smb_xlate_t smb_dialect[] = {
197 	{ DIALECT_UNKNOWN,		"DIALECT_UNKNOWN" },
198 	{ PC_NETWORK_PROGRAM_1_0,	"PC NETWORK PROGRAM 1.0" },
199 	{ PCLAN1_0,			"PCLAN1.0" },
200 	{ MICROSOFT_NETWORKS_1_03,	"MICROSOFT NETWORKS 1.03" },
201 	{ MICROSOFT_NETWORKS_3_0,	"MICROSOFT NETWORKS 3.0" },
202 	{ LANMAN1_0,			"LANMAN1.0" },
203 	{ LM1_2X002,			"LM1.2X002" },
204 	{ DOS_LM1_2X002,		"DOS LM1.2X002" },
205 	{ DOS_LANMAN2_1,		"DOS LANMAN2.1" },
206 	{ LANMAN2_1,			"LANMAN2.1" },
207 	{ Windows_for_Workgroups_3_1a,	"Windows for Workgroups 3.1a" },
208 	{ NT_LM_0_12,			"NT LM 0.12" }
209 };
210 
211 /*
212  * Maximum buffer size for DOS: chosen to be the same as NT.
213  * Do not change this value, DOS is very sensitive to it.
214  */
215 #define	SMB_DOS_MAXBUF			0x1104
216 
217 /*
218  * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems
219  * with other values. DOS 6.1 seems to depend on a window value of 8700 to
220  * send the next set of data. If we return a window value of 40KB, after
221  * sending 8700 bytes of data, it will start the next set of data from 40KB
222  * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses.
223  * September 2000.
224  *
225  * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow
226  * for a larger TCP window sizei based on observations of Windows 2000 and
227  * performance testing. March 2003.
228  */
229 static uint32_t	smb_dos_tcp_rcvbuf = 8700;
230 static uint32_t	smb_nt_tcp_rcvbuf = 1048560;	/* scale factor of 4 */
231 
232 static void smb_negotiate_genkey(smb_request_t *);
233 static int smb_xlate_dialect(const char *);
234 
235 int smb_cap_passthru = 1;
236 
237 smb_sdrc_t
238 smb_pre_negotiate(smb_request_t *sr)
239 {
240 	smb_arg_negotiate_t	*negprot;
241 	int			dialect;
242 	int			pos;
243 	int			rc = 0;
244 
245 	negprot = smb_srm_zalloc(sr, sizeof (smb_arg_negotiate_t));
246 	negprot->ni_index = -1;
247 	sr->sr_negprot = negprot;
248 
249 	for (pos = 0; smbsr_decode_data_avail(sr); pos++) {
250 		if (smbsr_decode_data(sr, "%L", sr, &negprot->ni_name) != 0) {
251 			smbsr_error(sr, 0, ERRSRV, ERRerror);
252 			rc = -1;
253 			break;
254 		}
255 
256 		if ((dialect = smb_xlate_dialect(negprot->ni_name)) < 0)
257 			continue;
258 
259 		if (negprot->ni_dialect < dialect) {
260 			negprot->ni_dialect = dialect;
261 			negprot->ni_index = pos;
262 		}
263 	}
264 
265 	DTRACE_SMB_2(op__Negotiate__start, smb_request_t *, sr,
266 	    smb_arg_negotiate_t, negprot);
267 	smb_rwx_rwenter(&sr->session->s_lock, RW_WRITER);
268 	return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
269 }
270 
271 void
272 smb_post_negotiate(smb_request_t *sr)
273 {
274 	smb_arg_negotiate_t	*negprot = sr->sr_negprot;
275 
276 	DTRACE_SMB_2(op__Negotiate__done, smb_request_t *, sr,
277 	    smb_arg_negotiate_t, negprot);
278 	smb_rwx_rwexit(&sr->session->s_lock);
279 
280 	bzero(negprot, sizeof (smb_arg_negotiate_t));
281 }
282 
283 smb_sdrc_t
284 smb_com_negotiate(smb_request_t *sr)
285 {
286 	smb_arg_negotiate_t	*negprot = sr->sr_negprot;
287 	uint16_t		secmode;
288 	uint16_t		rawmode = 0;
289 	uint32_t		sesskey;
290 	char			ipaddr_buf[INET6_ADDRSTRLEN];
291 	char			*nbdomain;
292 	uint8_t			*wcbuf;
293 	int			wclen;
294 	smb_msgbuf_t		mb;
295 	int			rc;
296 
297 	if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) {
298 		/* The protocol has already been negotiated. */
299 		smbsr_error(sr, 0, ERRSRV, ERRerror);
300 		return (SDRC_ERROR);
301 	}
302 
303 	sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE |
304 	    NEGOTIATE_SECURITY_USER_LEVEL;
305 	secmode = sr->session->secmode;
306 
307 	smb_negotiate_genkey(sr);
308 	sesskey = sr->session->sesskey;
309 
310 	(void) microtime(&negprot->ni_servertime);
311 	negprot->ni_tzcorrection = sr->sr_gmtoff / 60;
312 	negprot->ni_maxmpxcount = sr->sr_cfg->skc_maxworkers;
313 	nbdomain = sr->sr_cfg->skc_nbdomain;
314 
315 	/*
316 	 * UNICODE support is required for long share names,
317 	 * long file names and streams.
318 	 */
319 	negprot->ni_capabilities = CAP_LARGE_FILES
320 	    | CAP_UNICODE
321 	    | CAP_NT_SMBS
322 	    | CAP_STATUS32
323 	    | CAP_NT_FIND
324 	    | CAP_LEVEL_II_OPLOCKS
325 	    | CAP_LOCK_AND_READ
326 	    | CAP_RPC_REMOTE_APIS
327 	    | CAP_LARGE_READX
328 	    | CAP_LARGE_WRITEX
329 	    | CAP_DFS;
330 
331 	if (smb_raw_mode) {
332 		negprot->ni_capabilities |= CAP_RAW_MODE;
333 		rawmode = 3;
334 	}
335 
336 	if (smb_cap_passthru)
337 		negprot->ni_capabilities |= CAP_INFOLEVEL_PASSTHRU;
338 	else
339 		cmn_err(CE_NOTE, "smbsrv: cap passthru is %s",
340 		    (negprot->ni_capabilities & CAP_INFOLEVEL_PASSTHRU) ?
341 		    "enabled" : "disabled");
342 
343 	(void) smb_inet_ntop(&sr->session->ipaddr, ipaddr_buf,
344 	    SMB_IPSTRLEN(sr->session->ipaddr.a_family));
345 
346 	switch (negprot->ni_dialect) {
347 	case PC_NETWORK_PROGRAM_1_0:	/* core */
348 		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
349 		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
350 		    sizeof (smb_dos_tcp_rcvbuf), CRED());
351 		rc = smbsr_encode_result(sr, 1, 0, "bww", 1,
352 		    negprot->ni_index, 0);
353 		break;
354 
355 	case Windows_for_Workgroups_3_1a:
356 	case PCLAN1_0:
357 	case MICROSOFT_NETWORKS_1_03:
358 	case MICROSOFT_NETWORKS_3_0:
359 	case LANMAN1_0:
360 	case LM1_2X002:
361 	case DOS_LM1_2X002:
362 		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
363 		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
364 		    sizeof (smb_dos_tcp_rcvbuf), CRED());
365 		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
366 		rc = smbsr_encode_result(sr, 13, VAR_BCC,
367 		    "bwwwwwwlYww2.w#c",
368 		    13,				/* wct */
369 		    negprot->ni_index,		/* dialect index */
370 		    secmode,			/* security mode */
371 		    SMB_DOS_MAXBUF,		/* max buffer size */
372 		    1,				/* max MPX */
373 		    1,				/* max VCs */
374 		    rawmode,			/* read/write raw (s/b 3) */
375 		    sesskey,			/* session key */
376 		    negprot->ni_servertime.tv_sec, /* server date/time */
377 		    negprot->ni_tzcorrection,
378 		    (uint16_t)negprot->ni_keylen, /* encryption key length */
379 						/* reserved field handled 2. */
380 		    VAR_BCC,
381 		    (int)negprot->ni_keylen,
382 		    negprot->ni_key);		/* encryption key */
383 		break;
384 
385 	case DOS_LANMAN2_1:
386 	case LANMAN2_1:
387 		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
388 		    SO_RCVBUF, (const void *)&smb_dos_tcp_rcvbuf,
389 		    sizeof (smb_dos_tcp_rcvbuf), CRED());
390 		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
391 		rc = smbsr_encode_result(sr, 13, VAR_BCC,
392 		    "bwwwwwwlYww2.w#cs",
393 		    13,				/* wct */
394 		    negprot->ni_index,		/* dialect index */
395 		    secmode,			/* security mode */
396 		    SMB_DOS_MAXBUF,		/* max buffer size */
397 		    1,				/* max MPX */
398 		    1,				/* max VCs */
399 		    rawmode,			/* read/write raw (s/b 3) */
400 		    sesskey,			/* session key */
401 		    negprot->ni_servertime.tv_sec, /* server date/time */
402 		    negprot->ni_tzcorrection,
403 		    (uint16_t)negprot->ni_keylen, /* encryption key length */
404 						/* reserved field handled 2. */
405 		    VAR_BCC,
406 		    (int)negprot->ni_keylen,
407 		    negprot->ni_key,		/* encryption key */
408 		    nbdomain);
409 		break;
410 
411 	case NT_LM_0_12:
412 		(void) ksocket_setsockopt(sr->session->sock, SOL_SOCKET,
413 		    SO_RCVBUF, (const void *)&smb_nt_tcp_rcvbuf,
414 		    sizeof (smb_nt_tcp_rcvbuf), CRED());
415 
416 		/*
417 		 * Turn off Extended Security Negotiation
418 		 */
419 		sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC;
420 
421 		/*
422 		 * Allow SMB signatures if security challenge response enabled
423 		 */
424 		if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) &&
425 		    sr->sr_cfg->skc_signing_enable) {
426 			secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
427 			if (sr->sr_cfg->skc_signing_required)
428 				secmode |=
429 				    NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
430 
431 			sr->session->secmode = secmode;
432 		}
433 
434 		/*
435 		 * nbdomain is not expected to be aligned.
436 		 * Use temporary buffer to avoid alignment padding
437 		 */
438 		wclen = smb_wcequiv_strlen(nbdomain) + sizeof (smb_wchar_t);
439 		wcbuf = smb_srm_zalloc(sr, wclen);
440 		smb_msgbuf_init(&mb, wcbuf, wclen, SMB_MSGBUF_UNICODE);
441 		if (smb_msgbuf_encode(&mb, "U", nbdomain) < 0) {
442 			smb_msgbuf_term(&mb);
443 			smbsr_error(sr, 0, ERRSRV, ERRerror);
444 			return (SDRC_ERROR);
445 		}
446 
447 		rc = smbsr_encode_result(sr, 17, VAR_BCC,
448 		    "bwbwwllllTwbw#c#c",
449 		    17,				/* wct */
450 		    negprot->ni_index,		/* dialect index */
451 		    secmode,			/* security mode */
452 		    negprot->ni_maxmpxcount,	/* max MPX */
453 		    1,				/* max VCs */
454 		    (DWORD)smb_maxbufsize,	/* max buffer size */
455 		    0xFFFF,			/* max raw size */
456 		    sesskey,			/* session key */
457 		    negprot->ni_capabilities,
458 		    &negprot->ni_servertime,	/* system time */
459 		    negprot->ni_tzcorrection,
460 		    negprot->ni_keylen,		/* encryption key length */
461 		    VAR_BCC,
462 		    (int)negprot->ni_keylen,
463 		    negprot->ni_key,		/* encryption key */
464 		    wclen,
465 		    wcbuf);			/* nbdomain (unicode) */
466 
467 		smb_msgbuf_term(&mb);
468 		break;
469 
470 	default:
471 		rc = smbsr_encode_result(sr, 1, 0, "bww", 1, -1, 0);
472 		return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
473 	}
474 
475 	if (rc != 0)
476 		return (SDRC_ERROR);
477 
478 	/*
479 	 * Save the agreed dialect. Note that this value is also
480 	 * used to detect and reject attempts to re-negotiate.
481 	 */
482 	sr->session->dialect = negprot->ni_dialect;
483 	sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED;
484 	return (SDRC_SUCCESS);
485 }
486 
487 static void
488 smb_negotiate_genkey(smb_request_t *sr)
489 {
490 	smb_arg_negotiate_t	*negprot = sr->sr_negprot;
491 	uint8_t			tmp_key[8];
492 
493 	(void) random_get_pseudo_bytes(tmp_key, 8);
494 	bcopy(tmp_key, &sr->session->challenge_key, 8);
495 	sr->session->challenge_len = 8;
496 	negprot->ni_keylen = 8;
497 	bcopy(tmp_key, negprot->ni_key, 8);
498 
499 	(void) random_get_pseudo_bytes(tmp_key, 4);
500 	sr->session->sesskey = tmp_key[0] | tmp_key[1] << 8 |
501 	    tmp_key[2] << 16 | tmp_key[3] << 24;
502 }
503 
504 static int
505 smb_xlate_dialect(const char *dialect)
506 {
507 	smb_xlate_t	*dp;
508 	int		i;
509 
510 	for (i = 0; i < sizeof (smb_dialect) / sizeof (smb_dialect[0]); ++i) {
511 		dp = &smb_dialect[i];
512 
513 		if (strcmp(dp->str, dialect) == 0)
514 			return (dp->code);
515 	}
516 
517 	return (-1);
518 }
519