1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * Notes on the virtual circuit (VC) values in the SMB Negotiate 30 * response and SessionSetupAndx request. 31 * 32 * A virtual circuit (VC) represents a connection between a client and a 33 * server using a reliable, session oriented transport protocol, such as 34 * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a 35 * single underlying transport connection, i.e. a single NetBIOS session, 36 * which limited performance for raw data transfers. 37 * 38 * The intention behind multiple VCs was to improve performance by 39 * allowing parallelism over each NetBIOS session. For example, raw data 40 * could be transmitted using a different VC from other types of SMB 41 * requests to remove the interleaving restriction while a raw transfer 42 * is in progress. So the MaxNumberVcs field was added to the negotiate 43 * response to make the number of VCs configurable and to allow servers 44 * to specify how many they were prepared to support per session 45 * connection. This turned out to be difficult to manage and, with 46 * technology improvements, it has become obsolete. 47 * 48 * Servers should set the MaxNumberVcs value in the Negotiate response 49 * to 1. Clients should probably ignore it. If a server receives a 50 * SessionSetupAndx with a VC value of 0, it should close all other 51 * VCs to that client. If it receives a non-zero VC, it should leave 52 * other VCs in tact. 53 * 54 */ 55 56 /* 57 * SMB: negotiate 58 * 59 * Client Request Description 60 * ============================ ======================================= 61 * 62 * UCHAR WordCount; Count of parameter words = 0 63 * USHORT ByteCount; Count of data bytes; min = 2 64 * struct { 65 * UCHAR BufferFormat; 0x02 -- Dialect 66 * UCHAR DialectName[]; ASCII null-terminated string 67 * } Dialects[]; 68 * 69 * The Client sends a list of dialects that it can communicate with. The 70 * response is a selection of one of those dialects (numbered 0 through n) 71 * or -1 (hex FFFF) indicating that none of the dialects were acceptable. 72 * The negotiate message is binding on the virtual circuit and must be 73 * sent. One and only one negotiate message may be sent, subsequent 74 * negotiate requests will be rejected with an error response and no action 75 * will be taken. 76 * 77 * The protocol does not impose any particular structure to the dialect 78 * strings. Implementors of particular protocols may choose to include, 79 * for example, version numbers in the string. 80 * 81 * If the server does not understand any of the dialect strings, or if PC 82 * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is 83 * 84 * Server Response Description 85 * ============================ ======================================= 86 * 87 * UCHAR WordCount; Count of parameter words = 1 88 * USHORT DialectIndex; Index of selected dialect 89 * USHORT ByteCount; Count of data bytes = 0 90 * 91 * If the chosen dialect is greater than core up to and including 92 * LANMAN2.1, the protocol response format is 93 * 94 * Server Response Description 95 * ============================ ======================================= 96 * 97 * UCHAR WordCount; Count of parameter words = 13 98 * USHORT DialectIndex; Index of selected dialect 99 * USHORT SecurityMode; Security mode: 100 * bit 0: 0 = share, 1 = user 101 * bit 1: 1 = use challenge/response 102 * authentication 103 * USHORT MaxBufferSize; Max transmit buffer size (>= 1024) 104 * USHORT MaxMpxCount; Max pending multiplexed requests 105 * USHORT MaxNumberVcs; Max VCs between client and server 106 * USHORT RawMode; Raw modes supported: 107 * bit 0: 1 = Read Raw supported 108 * bit 1: 1 = Write Raw supported 109 * ULONG SessionKey; Unique token identifying this session 110 * SMB_TIME ServerTime; Current time at server 111 * SMB_DATE ServerDate; Current date at server 112 * USHORT ServerTimeZone; Current time zone at server 113 * USHORT EncryptionKeyLength; MBZ if this is not LM2.1 114 * USHORT Reserved; MBZ 115 * USHORT ByteCount Count of data bytes 116 * UCHAR EncryptionKey[]; The challenge encryption key 117 * STRING PrimaryDomain[]; The server's primary domain 118 * 119 * MaxBufferSize is the size of the largest message which the client can 120 * legitimately send to the server 121 * 122 * If bit0 of the Flags field is set in the negotiate response, this 123 * indicates the server supports the SMB_COM_LOCK_AND_READ and 124 * SMB_COM_WRITE_AND_UNLOCK client requests. 125 * 126 * If the SecurityMode field indicates the server is running in user mode, 127 * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests 128 * before the server will allow the client to access resources. If the 129 * SecurityMode fields indicates the client should use challenge/response 130 * authentication, the client should use the authentication mechanism 131 * specified in section 2.10. 132 * 133 * Clients should submit no more than MaxMpxCount distinct unanswered SMBs 134 * to the server when using multiplexed reads or writes (see sections 5.13 135 * and 5.25) 136 * 137 * Clients using the "MICROSOFT NETWORKS 1.03" dialect use a different 138 * form of raw reads than documented here, and servers are better off 139 * setting RawMode in this response to 0 for such sessions. 140 * 141 * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then 142 * PrimaryDomain string should be included in this response. 143 * 144 * If the negotiated dialect is NT LM 0.12, the response format is 145 * 146 * Server Response Description 147 * ========================== ========================================= 148 * 149 * UCHAR WordCount; Count of parameter words = 17 150 * USHORT DialectIndex; Index of selected dialect 151 * UCHAR SecurityMode; Security mode: 152 * bit 0: 0 = share, 1 = user 153 * bit 1: 1 = encrypt passwords 154 * USHORT MaxMpxCount; Max pending multiplexed requests 155 * USHORT MaxNumberVcs; Max VCs between client and server 156 * ULONG MaxBufferSize; Max transmit buffer size 157 * ULONG MaxRawSize; Maximum raw buffer size 158 * ULONG SessionKey; Unique token identifying this session 159 * ULONG Capabilities; Server capabilities 160 * ULONG SystemTimeLow; System (UTC) time of the server (low). 161 * ULONG SystemTimeHigh; System (UTC) time of the server (high). 162 * USHORT ServerTimeZone; Time zone of server (min from UTC) 163 * UCHAR EncryptionKeyLength; Length of encryption key. 164 * USHORT ByteCount; Count of data bytes 165 * UCHAR EncryptionKey[]; The challenge encryption key 166 * UCHAR OemDomainName[]; The name of the domain (in OEM chars) 167 * 168 * In addition to the definitions above, MaxBufferSize is the size of the 169 * largest message which the client can legitimately send to the server. 170 * If the client is using a connectionless protocol, MaxBufferSize must be 171 * set to the smaller of the server's internal buffer size and the amount 172 * of data which can be placed in a response packet. 173 * 174 * MaxRawSize specifies the maximum message size the server can send or 175 * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW. 176 * 177 * Connectionless clients must set Sid to 0 in the SMB request header. 178 * 179 * Capabilities allows the server to tell the client what it supports. 180 * The bit definitions defined in cifs.h. Bit 0x2000 used to be set in 181 * the negotiate response capabilities but it caused problems with 182 * Windows 2000. It is probably not valid, it doesn't appear in the 183 * CIFS spec. 184 * 185 * 4.1.1.1 Errors 186 * 187 * SUCCESS/SUCCESS 188 * ERRSRV/ERRerror 189 */ 190 #include <sys/types.h> 191 #include <sys/strsubr.h> 192 #include <sys/socketvar.h> 193 #include <sys/socket.h> 194 #include <sys/random.h> 195 #include <netinet/in.h> 196 #include <smbsrv/smb_incl.h> 197 #include <smbsrv/smbinfo.h> 198 #include <smbsrv/smb_i18n.h> 199 200 201 /* 202 * Maximum buffer size for DOS: chosen to be the same as NT. 203 * Do not change this value, DOS is very sensitive to it. 204 */ 205 #define SMB_DOS_MAXBUF 0x1104 206 207 /* 208 * Maximum buffer size for NT: configurable based on the client environment. 209 * IR104720 Experiments with Windows 2000 indicate that we achieve better 210 * SmbWriteX performance with a buffer size of 64KB instead of the 37KB 211 * used with Windows NT4.0. Previous experiments with NT4.0 resulted in 212 * directory listing problems so this buffer size is configurable based 213 * on the end-user environment. When in doubt use 37KB. 214 */ 215 int smb_maxbufsize = SMB_NT_MAXBUF(37); 216 217 /* 218 * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems 219 * with other values. DOS 6.1 seems to depend on a window value of 8700 to 220 * send the next set of data. If we return a window value of 40KB, after 221 * sending 8700 bytes of data, it will start the next set of data from 40KB 222 * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses. 223 * September 2000. 224 * 225 * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow 226 * for a larger TCP window sizei based on observations of Windows 2000 and 227 * performance testing. March 2003. 228 */ 229 uint32_t smb_dos_tcp_rcvbuf = 8700; 230 uint32_t smb_nt_tcp_rcvbuf = 1048560; /* scale factor of 4 */ 231 232 static void smb_get_security_info( 233 struct smb_request *sr, 234 unsigned short *secmode, 235 unsigned char *key, 236 unsigned char *keylen, 237 uint32_t *sesskey); 238 239 /* 240 * Function: int smb_com_negotiate(struct smb_request *) 241 */ 242 243 int 244 smb_com_negotiate(struct smb_request *sr) 245 { 246 int dialect = 0; 247 int this_dialect; 248 unsigned char keylen; 249 int sel_pos = -1; 250 int pos; 251 char key[32]; 252 char *p; 253 timestruc_t time_val; 254 unsigned short secmode; 255 uint32_t sesskey; 256 uint32_t capabilities = 0; 257 258 unsigned short max_mpx_count; 259 WORD tz_correction; 260 char ipaddr_buf[INET_ADDRSTRLEN]; 261 262 if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) { 263 /* The protocol has already been negotiated. */ 264 smbsr_raise_error(sr, ERRSRV, ERRerror); 265 /* NOTREACHED */ 266 } 267 268 for (pos = 0; 269 sr->smb_data.chain_offset < sr->smb_data.max_bytes; 270 pos++) { 271 if (smb_decode_mbc(&sr->smb_data, "%L", sr, &p) != 0) { 272 smbsr_raise_error(sr, ERRSRV, ERRerror); 273 /* NOTREACHED */ 274 } 275 276 this_dialect = smb_xlate_dialect_str_to_cd(p); 277 278 if (this_dialect < 0) 279 continue; 280 281 if (dialect < this_dialect) { 282 dialect = this_dialect; 283 sel_pos = pos; 284 } 285 } 286 if (sel_pos < 0) { 287 smbsr_raise_error(sr, ERRSRV, ERRerror); 288 /* NOTREACHED */ 289 } 290 291 smb_get_security_info(sr, &secmode, (unsigned char *)key, 292 &keylen, &sesskey); 293 294 (void) microtime(&time_val); 295 296 tz_correction = -(WORD)(smb_get_gmtoff() / 60); /* tz correct. (min) */ 297 298 switch (dialect) { 299 case DIALECT_UNKNOWN: 300 case PC_NETWORK_PROGRAM_1_0: /* core */ 301 (void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF, 302 (const void *)&smb_dos_tcp_rcvbuf, 303 sizeof (smb_dos_tcp_rcvbuf)); 304 smbsr_encode_result(sr, 1, 0, "bww", 1, sel_pos, 0); 305 break; 306 307 case Windows_for_Workgroups_3_1a: 308 case PCLAN1_0: 309 case MICROSOFT_NETWORKS_1_03: 310 case MICROSOFT_NETWORKS_3_0: 311 case LANMAN1_0: 312 case LM1_2X002: 313 case DOS_LM1_2X002: 314 (void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF, 315 (const void *)&smb_dos_tcp_rcvbuf, 316 sizeof (smb_dos_tcp_rcvbuf)); 317 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK; 318 smbsr_encode_result(sr, 13, VAR_BCC, 319 "(wct) b" "(dix) w" "(sec) w" "(mbs) w" 320 "(mmc) w" "(mnv) w" "(raw) w" "(key) l" 321 "(tim/dat) Y" "(tz) w" "(ekl) w" 322 "(mbz) 2.""(bcc) w" "(key) #c", 323 13, /* wct */ 324 sel_pos, /* dialect index */ 325 secmode, /* security mode */ 326 SMB_DOS_MAXBUF, /* max buffer size */ 327 1, /* max MPX (temporary) */ 328 1, /* max VCs (temporary, ambiguous) */ 329 3, /* raw mode (s/b 3) */ 330 sesskey, /* session key */ 331 time_val.tv_sec, /* server time/date */ 332 tz_correction, /* see smb_get_gmtoff */ 333 (short)keylen, /* Encryption Key Length */ 334 /* reserved field handled 2. */ 335 VAR_BCC, 336 (int)keylen, 337 key); /* encryption key */ 338 break; 339 340 case DOS_LANMAN2_1: 341 case LANMAN2_1: 342 (void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF, 343 (const void *)&smb_dos_tcp_rcvbuf, 344 sizeof (smb_dos_tcp_rcvbuf)); 345 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK; 346 smbsr_encode_result(sr, 13, VAR_BCC, 347 "(wct) b" "(dix) w" "(sec) w" "(mbs) w" 348 "(mmc) w" "(mnv) w" "(raw) w" "(key) l" 349 "(tim/dat) Y" "(tz) w" "(ekl) w" 350 "(mbz) 2.""(bcc) w" "(key) #c" "(dom) s", 351 13, /* wct */ 352 sel_pos, /* dialect index */ 353 secmode, /* security mode */ 354 SMB_DOS_MAXBUF, /* max buffer size */ 355 1, /* max MPX (temporary) */ 356 1, /* max VCs (temporary, ambiguous) */ 357 3, /* raw mode (s/b 3) */ 358 sesskey, /* session key */ 359 time_val.tv_sec, /* server time/date */ 360 tz_correction, 361 (short)keylen, /* Encryption Key Length */ 362 /* reserved field handled 2. */ 363 VAR_BCC, 364 (int)keylen, 365 key, /* encryption key */ 366 smb_info.si.skc_resource_domain); 367 break; 368 369 case NT_LM_0_12: 370 (void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF, 371 (const void *)&smb_nt_tcp_rcvbuf, 372 sizeof (smb_nt_tcp_rcvbuf)); 373 capabilities = CAP_LARGE_FILES 374 | CAP_NT_SMBS 375 | CAP_STATUS32 376 | CAP_NT_FIND 377 | CAP_RAW_MODE 378 | CAP_LEVEL_II_OPLOCKS 379 | CAP_LOCK_AND_READ 380 | CAP_RPC_REMOTE_APIS 381 | CAP_LARGE_READX; 382 383 /* 384 * UNICODE support is required to enable support for long 385 * share names and long file names and streams. 386 */ 387 388 capabilities |= CAP_UNICODE; 389 390 391 /* 392 * Turn off Extended Security Negotiation 393 */ 394 sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC; 395 396 /* 397 * Allow SMB signatures if security challenge response enabled 398 */ 399 if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && 400 smb_info.si.skc_signing_enable) { 401 secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED; 402 if (smb_info.si.skc_signing_required) 403 secmode |= 404 NEGOTIATE_SECURITY_SIGNATURES_REQUIRED; 405 406 sr->session->secmode = secmode; 407 } 408 409 (void) inet_ntop(AF_INET, (char *)&sr->session->ipaddr, 410 ipaddr_buf, sizeof (ipaddr_buf)); 411 /*LINTED E_ASSIGN_NARROW_CONV (uint16_t)*/ 412 max_mpx_count = smb_info.si.skc_maxworkers; 413 414 smbsr_encode_result(sr, 17, VAR_BCC, 415 "(wct) b" "(dix) w" "(sec) b" "(mmc) w" 416 "(mnv) w" "(mbs) l" "(raw) l" "(key) l" 417 "(cap) l" "(tim) T" "(tz) w" "(ekl) b" 418 "(bcc) w" "(key) #c" "(dom) Z", 419 17, /* wct */ 420 sel_pos, /* dialect index */ 421 secmode, /* security mode */ 422 max_mpx_count, /* max MPX (temporary) */ 423 1, /* max VCs (temporary, ambiguous) */ 424 (DWORD)smb_maxbufsize, /* max buffer size */ 425 0xFFFF, /* max raw size */ 426 sesskey, /* session key */ 427 capabilities, 428 &time_val, /* system time */ 429 tz_correction, 430 keylen, /* Encryption Key Length */ 431 VAR_BCC, 432 (int)keylen, 433 key, /* encryption key */ 434 smb_info.si.skc_resource_domain); 435 break; 436 437 default: 438 /* Just to make sure. */ 439 ASSERT(0); 440 smbsr_raise_error(sr, ERRSRV, ERRerror); 441 /* NOTREACHED */ 442 } 443 444 /* 445 * Save the agreed dialect. Note that this value is also 446 * used to detect and reject attempts to re-negotiate. 447 */ 448 sr->session->dialect = dialect; 449 sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED; 450 return (SDRC_NORMAL_REPLY); 451 } 452 453 static void 454 smb_get_security_info( 455 struct smb_request *sr, 456 unsigned short *secmode, 457 unsigned char *key, 458 unsigned char *keylen, 459 uint32_t *sesskey) 460 { 461 uchar_t tmp_key[8]; 462 463 (void) random_get_pseudo_bytes(tmp_key, 8); 464 bcopy(tmp_key, &sr->session->challenge_key, 8); 465 sr->session->challenge_len = 8; 466 *keylen = 8; 467 bcopy(tmp_key, key, 8); 468 469 sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE| 470 NEGOTIATE_SECURITY_USER_LEVEL; 471 472 (void) random_get_pseudo_bytes(tmp_key, 4); 473 sr->session->sesskey = tmp_key[0] | tmp_key[1] << 8 | 474 tmp_key[2] << 16 | tmp_key[3] << 24; 475 476 *secmode = sr->session->secmode; 477 *sesskey = sr->session->sesskey; 478 } 479