1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "@(#)smb_negotiate.c 1.6 08/07/21 SMI" 27 28 /* 29 * Notes on the virtual circuit (VC) values in the SMB Negotiate 30 * response and SessionSetupAndx request. 31 * 32 * A virtual circuit (VC) represents a connection between a client and a 33 * server using a reliable, session oriented transport protocol, such as 34 * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a 35 * single underlying transport connection, i.e. a single NetBIOS session, 36 * which limited performance for raw data transfers. 37 * 38 * The intention behind multiple VCs was to improve performance by 39 * allowing parallelism over each NetBIOS session. For example, raw data 40 * could be transmitted using a different VC from other types of SMB 41 * requests to remove the interleaving restriction while a raw transfer 42 * is in progress. So the MaxNumberVcs field was added to the negotiate 43 * response to make the number of VCs configurable and to allow servers 44 * to specify how many they were prepared to support per session 45 * connection. This turned out to be difficult to manage and, with 46 * technology improvements, it has become obsolete. 47 * 48 * Servers should set the MaxNumberVcs value in the Negotiate response 49 * to 1. Clients should probably ignore it. If a server receives a 50 * SessionSetupAndx with a VC value of 0, it should close all other 51 * VCs to that client. If it receives a non-zero VC, it should leave 52 * other VCs in tact. 53 * 54 */ 55 56 /* 57 * SMB: negotiate 58 * 59 * Client Request Description 60 * ============================ ======================================= 61 * 62 * UCHAR WordCount; Count of parameter words = 0 63 * USHORT ByteCount; Count of data bytes; min = 2 64 * struct { 65 * UCHAR BufferFormat; 0x02 -- Dialect 66 * UCHAR DialectName[]; ASCII null-terminated string 67 * } Dialects[]; 68 * 69 * The Client sends a list of dialects that it can communicate with. The 70 * response is a selection of one of those dialects (numbered 0 through n) 71 * or -1 (hex FFFF) indicating that none of the dialects were acceptable. 72 * The negotiate message is binding on the virtual circuit and must be 73 * sent. One and only one negotiate message may be sent, subsequent 74 * negotiate requests will be rejected with an error response and no action 75 * will be taken. 76 * 77 * The protocol does not impose any particular structure to the dialect 78 * strings. Implementors of particular protocols may choose to include, 79 * for example, version numbers in the string. 80 * 81 * If the server does not understand any of the dialect strings, or if PC 82 * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is 83 * 84 * Server Response Description 85 * ============================ ======================================= 86 * 87 * UCHAR WordCount; Count of parameter words = 1 88 * USHORT DialectIndex; Index of selected dialect 89 * USHORT ByteCount; Count of data bytes = 0 90 * 91 * If the chosen dialect is greater than core up to and including 92 * LANMAN2.1, the protocol response format is 93 * 94 * Server Response Description 95 * ============================ ======================================= 96 * 97 * UCHAR WordCount; Count of parameter words = 13 98 * USHORT DialectIndex; Index of selected dialect 99 * USHORT SecurityMode; Security mode: 100 * bit 0: 0 = share, 1 = user 101 * bit 1: 1 = use challenge/response 102 * authentication 103 * USHORT MaxBufferSize; Max transmit buffer size (>= 1024) 104 * USHORT MaxMpxCount; Max pending multiplexed requests 105 * USHORT MaxNumberVcs; Max VCs between client and server 106 * USHORT RawMode; Raw modes supported: 107 * bit 0: 1 = Read Raw supported 108 * bit 1: 1 = Write Raw supported 109 * ULONG SessionKey; Unique token identifying this session 110 * SMB_TIME ServerTime; Current time at server 111 * SMB_DATE ServerDate; Current date at server 112 * USHORT ServerTimeZone; Current time zone at server 113 * USHORT EncryptionKeyLength; MBZ if this is not LM2.1 114 * USHORT Reserved; MBZ 115 * USHORT ByteCount Count of data bytes 116 * UCHAR EncryptionKey[]; The challenge encryption key 117 * STRING PrimaryDomain[]; The server's primary domain 118 * 119 * MaxBufferSize is the size of the largest message which the client can 120 * legitimately send to the server 121 * 122 * If bit0 of the Flags field is set in the negotiate response, this 123 * indicates the server supports the SMB_COM_LOCK_AND_READ and 124 * SMB_COM_WRITE_AND_UNLOCK client requests. 125 * 126 * If the SecurityMode field indicates the server is running in user mode, 127 * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests 128 * before the server will allow the client to access resources. If the 129 * SecurityMode fields indicates the client should use challenge/response 130 * authentication, the client should use the authentication mechanism 131 * specified in section 2.10. 132 * 133 * Clients should submit no more than MaxMpxCount distinct unanswered SMBs 134 * to the server when using multiplexed reads or writes (see sections 5.13 135 * and 5.25) 136 * 137 * Clients using the "MICROSOFT NETWORKS 1.03" dialect use a different 138 * form of raw reads than documented here, and servers are better off 139 * setting RawMode in this response to 0 for such sessions. 140 * 141 * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then 142 * PrimaryDomain string should be included in this response. 143 * 144 * If the negotiated dialect is NT LM 0.12, the response format is 145 * 146 * Server Response Description 147 * ========================== ========================================= 148 * 149 * UCHAR WordCount; Count of parameter words = 17 150 * USHORT DialectIndex; Index of selected dialect 151 * UCHAR SecurityMode; Security mode: 152 * bit 0: 0 = share, 1 = user 153 * bit 1: 1 = encrypt passwords 154 * USHORT MaxMpxCount; Max pending multiplexed requests 155 * USHORT MaxNumberVcs; Max VCs between client and server 156 * ULONG MaxBufferSize; Max transmit buffer size 157 * ULONG MaxRawSize; Maximum raw buffer size 158 * ULONG SessionKey; Unique token identifying this session 159 * ULONG Capabilities; Server capabilities 160 * ULONG SystemTimeLow; System (UTC) time of the server (low). 161 * ULONG SystemTimeHigh; System (UTC) time of the server (high). 162 * USHORT ServerTimeZone; Time zone of server (min from UTC) 163 * UCHAR EncryptionKeyLength; Length of encryption key. 164 * USHORT ByteCount; Count of data bytes 165 * UCHAR EncryptionKey[]; The challenge encryption key 166 * UCHAR OemDomainName[]; The name of the domain (in OEM chars) 167 * 168 * In addition to the definitions above, MaxBufferSize is the size of the 169 * largest message which the client can legitimately send to the server. 170 * If the client is using a connectionless protocol, MaxBufferSize must be 171 * set to the smaller of the server's internal buffer size and the amount 172 * of data which can be placed in a response packet. 173 * 174 * MaxRawSize specifies the maximum message size the server can send or 175 * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW. 176 * 177 * Connectionless clients must set Sid to 0 in the SMB request header. 178 * 179 * Capabilities allows the server to tell the client what it supports. 180 * The bit definitions defined in cifs.h. Bit 0x2000 used to be set in 181 * the negotiate response capabilities but it caused problems with 182 * Windows 2000. It is probably not valid, it doesn't appear in the 183 * CIFS spec. 184 * 185 * 4.1.1.1 Errors 186 * 187 * SUCCESS/SUCCESS 188 * ERRSRV/ERRerror 189 */ 190 #include <sys/types.h> 191 #include <sys/strsubr.h> 192 #include <sys/socketvar.h> 193 #include <sys/socket.h> 194 #include <sys/random.h> 195 #include <netinet/in.h> 196 #include <smbsrv/smb_incl.h> 197 #include <smbsrv/smbinfo.h> 198 #include <smbsrv/smb_i18n.h> 199 200 201 /* 202 * Maximum buffer size for DOS: chosen to be the same as NT. 203 * Do not change this value, DOS is very sensitive to it. 204 */ 205 #define SMB_DOS_MAXBUF 0x1104 206 207 /* 208 * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems 209 * with other values. DOS 6.1 seems to depend on a window value of 8700 to 210 * send the next set of data. If we return a window value of 40KB, after 211 * sending 8700 bytes of data, it will start the next set of data from 40KB 212 * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses. 213 * September 2000. 214 * 215 * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow 216 * for a larger TCP window sizei based on observations of Windows 2000 and 217 * performance testing. March 2003. 218 */ 219 static uint32_t smb_dos_tcp_rcvbuf = 8700; 220 static uint32_t smb_nt_tcp_rcvbuf = 1048560; /* scale factor of 4 */ 221 222 static void smb_get_security_info(smb_request_t *, unsigned short *, 223 unsigned char *, unsigned char *, uint32_t *); 224 225 /* 226 * Function: int smb_com_negotiate(struct smb_request *) 227 */ 228 smb_sdrc_t 229 smb_pre_negotiate(smb_request_t *sr) 230 { 231 DTRACE_SMB_1(op__Negotiate__start, smb_request_t *, sr); 232 return (SDRC_SUCCESS); 233 } 234 235 void 236 smb_post_negotiate(smb_request_t *sr) 237 { 238 DTRACE_SMB_1(op__Negotiate__done, smb_request_t *, sr); 239 } 240 241 smb_sdrc_t 242 smb_com_negotiate(smb_request_t *sr) 243 { 244 int dialect = 0; 245 int this_dialect; 246 unsigned char keylen; 247 int sel_pos = -1; 248 int pos; 249 char key[32]; 250 char *p; 251 timestruc_t time_val; 252 unsigned short secmode; 253 uint32_t sesskey; 254 uint32_t capabilities = 0; 255 int rc; 256 unsigned short max_mpx_count; 257 int16_t tz_correction; 258 char ipaddr_buf[INET_ADDRSTRLEN]; 259 260 if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) { 261 /* The protocol has already been negotiated. */ 262 smbsr_error(sr, 0, ERRSRV, ERRerror); 263 return (SDRC_ERROR); 264 } 265 266 for (pos = 0; 267 sr->smb_data.chain_offset < sr->smb_data.max_bytes; 268 pos++) { 269 if (smb_mbc_decodef(&sr->smb_data, "%L", sr, &p) != 0) { 270 smbsr_error(sr, 0, ERRSRV, ERRerror); 271 return (SDRC_ERROR); 272 } 273 274 this_dialect = smb_xlate_dialect_str_to_cd(p); 275 276 if (this_dialect < 0) 277 continue; 278 279 if (dialect < this_dialect) { 280 dialect = this_dialect; 281 sel_pos = pos; 282 } 283 } 284 if (sel_pos < 0) { 285 smbsr_error(sr, 0, ERRSRV, ERRerror); 286 return (SDRC_ERROR); 287 } 288 289 smb_get_security_info(sr, &secmode, (unsigned char *)key, 290 &keylen, &sesskey); 291 292 (void) microtime(&time_val); 293 tz_correction = sr->sr_gmtoff / 60; 294 295 switch (dialect) { 296 case DIALECT_UNKNOWN: 297 case PC_NETWORK_PROGRAM_1_0: /* core */ 298 (void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF, 299 (const void *)&smb_dos_tcp_rcvbuf, 300 sizeof (smb_dos_tcp_rcvbuf)); 301 rc = smbsr_encode_result(sr, 1, 0, "bww", 1, sel_pos, 0); 302 break; 303 304 case Windows_for_Workgroups_3_1a: 305 case PCLAN1_0: 306 case MICROSOFT_NETWORKS_1_03: 307 case MICROSOFT_NETWORKS_3_0: 308 case LANMAN1_0: 309 case LM1_2X002: 310 case DOS_LM1_2X002: 311 (void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF, 312 (const void *)&smb_dos_tcp_rcvbuf, 313 sizeof (smb_dos_tcp_rcvbuf)); 314 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK; 315 rc = smbsr_encode_result(sr, 13, VAR_BCC, 316 "bwwwwwwlYww2.w#c", 317 13, /* wct */ 318 sel_pos, /* dialect index */ 319 secmode, /* security mode */ 320 SMB_DOS_MAXBUF, /* max buffer size */ 321 1, /* max MPX (temporary) */ 322 1, /* max VCs (temporary, ambiguous) */ 323 3, /* raw mode (s/b 3) */ 324 sesskey, /* session key */ 325 time_val.tv_sec, /* server time/date */ 326 tz_correction, 327 (short)keylen, /* Encryption Key Length */ 328 /* reserved field handled 2. */ 329 VAR_BCC, 330 (int)keylen, 331 key); /* encryption key */ 332 break; 333 334 case DOS_LANMAN2_1: 335 case LANMAN2_1: 336 (void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF, 337 (const void *)&smb_dos_tcp_rcvbuf, 338 sizeof (smb_dos_tcp_rcvbuf)); 339 sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK; 340 rc = smbsr_encode_result(sr, 13, VAR_BCC, 341 "bwwwwwwlYww2.w#cs", 342 13, /* wct */ 343 sel_pos, /* dialect index */ 344 secmode, /* security mode */ 345 SMB_DOS_MAXBUF, /* max buffer size */ 346 1, /* max MPX (temporary) */ 347 1, /* max VCs (temporary, ambiguous) */ 348 3, /* raw mode (s/b 3) */ 349 sesskey, /* session key */ 350 time_val.tv_sec, /* server time/date */ 351 tz_correction, 352 (short)keylen, /* Encryption Key Length */ 353 /* reserved field handled 2. */ 354 VAR_BCC, 355 (int)keylen, 356 key, /* encryption key */ 357 sr->sr_cfg->skc_resource_domain); 358 break; 359 360 case NT_LM_0_12: 361 (void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF, 362 (const void *)&smb_nt_tcp_rcvbuf, 363 sizeof (smb_nt_tcp_rcvbuf)); 364 capabilities = CAP_LARGE_FILES 365 | CAP_NT_SMBS 366 | CAP_STATUS32 367 | CAP_NT_FIND 368 | CAP_RAW_MODE 369 | CAP_LEVEL_II_OPLOCKS 370 | CAP_LOCK_AND_READ 371 | CAP_RPC_REMOTE_APIS 372 | CAP_LARGE_READX; 373 374 /* 375 * UNICODE support is required to enable support for long 376 * share names and long file names and streams. 377 */ 378 379 capabilities |= CAP_UNICODE; 380 381 382 /* 383 * Turn off Extended Security Negotiation 384 */ 385 sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC; 386 387 /* 388 * Allow SMB signatures if security challenge response enabled 389 */ 390 if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && 391 sr->sr_cfg->skc_signing_enable) { 392 secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED; 393 if (sr->sr_cfg->skc_signing_required) 394 secmode |= 395 NEGOTIATE_SECURITY_SIGNATURES_REQUIRED; 396 397 sr->session->secmode = secmode; 398 } 399 400 (void) inet_ntop(AF_INET, (char *)&sr->session->ipaddr, 401 ipaddr_buf, sizeof (ipaddr_buf)); 402 403 max_mpx_count = sr->sr_cfg->skc_maxworkers; 404 405 rc = smbsr_encode_result(sr, 17, VAR_BCC, 406 "bwbwwllllTwbw#cZ", 407 17, /* wct */ 408 sel_pos, /* dialect index */ 409 secmode, /* security mode */ 410 max_mpx_count, /* max MPX (temporary) */ 411 1, /* max VCs (temporary, ambiguous) */ 412 (DWORD)smb_maxbufsize, /* max buffer size */ 413 0xFFFF, /* max raw size */ 414 sesskey, /* session key */ 415 capabilities, 416 &time_val, /* system time */ 417 tz_correction, 418 keylen, /* Encryption Key Length */ 419 VAR_BCC, 420 (int)keylen, 421 key, /* encryption key */ 422 sr->sr_cfg->skc_resource_domain); 423 break; 424 425 default: 426 smbsr_error(sr, 0, ERRSRV, ERRerror); 427 return (SDRC_ERROR); 428 } 429 430 if (rc != 0) 431 return (SDRC_ERROR); 432 433 /* 434 * Save the agreed dialect. Note that this value is also 435 * used to detect and reject attempts to re-negotiate. 436 */ 437 sr->session->dialect = dialect; 438 sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED; 439 return (SDRC_SUCCESS); 440 } 441 442 static void 443 smb_get_security_info( 444 struct smb_request *sr, 445 unsigned short *secmode, 446 unsigned char *key, 447 unsigned char *keylen, 448 uint32_t *sesskey) 449 { 450 uchar_t tmp_key[8]; 451 452 (void) random_get_pseudo_bytes(tmp_key, 8); 453 bcopy(tmp_key, &sr->session->challenge_key, 8); 454 sr->session->challenge_len = 8; 455 *keylen = 8; 456 bcopy(tmp_key, key, 8); 457 458 sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE| 459 NEGOTIATE_SECURITY_USER_LEVEL; 460 461 (void) random_get_pseudo_bytes(tmp_key, 4); 462 sr->session->sesskey = tmp_key[0] | tmp_key[1] << 8 | 463 tmp_key[2] << 16 | tmp_key[3] << 24; 464 465 *secmode = sr->session->secmode; 466 *sesskey = sr->session->sesskey; 467 } 468