1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 /* 29 * Notes on the virtual circuit (VC) values in the SMB Negotiate 30 * response and SessionSetupAndx request. 31 * 32 * A virtual circuit (VC) represents a connection between a client and a 33 * server using a reliable, session oriented transport protocol, such as 34 * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a 35 * single underlying transport connection, i.e. a single NetBIOS session, 36 * which limited performance for raw data transfers. 37 * 38 * The intention behind multiple VCs was to improve performance by 39 * allowing parallelism over each NetBIOS session. For example, raw data 40 * could be transmitted using a different VC from other types of SMB 41 * requests to remove the interleaving restriction while a raw transfer 42 * is in progress. 
So the MaxNumberVcs field was added to the negotiate 43 * response to make the number of VCs configurable and to allow servers 44 * to specify how many they were prepared to support per session 45 * connection. This turned out to be difficult to manage and, with 46 * technology improvements, it has become obsolete. 47 * 48 * Servers should set the MaxNumberVcs value in the Negotiate response 49 * to 1. Clients should probably ignore it. If a server receives a 50 * SessionSetupAndx with a VC value of 0, it should close all other 51 * VCs to that client. If it receives a non-zero VC, it should leave 52 * other VCs in tact. 53 * 54 */ 55 56 /* 57 * SMB: negotiate 58 * 59 * Client Request Description 60 * ============================ ======================================= 61 * 62 * UCHAR WordCount; Count of parameter words = 0 63 * USHORT ByteCount; Count of data bytes; min = 2 64 * struct { 65 * UCHAR BufferFormat; 0x02 -- Dialect 66 * UCHAR DialectName[]; ASCII null-terminated string 67 * } Dialects[]; 68 * 69 * The Client sends a list of dialects that it can communicate with. The 70 * response is a selection of one of those dialects (numbered 0 through n) 71 * or -1 (hex FFFF) indicating that none of the dialects were acceptable. 72 * The negotiate message is binding on the virtual circuit and must be 73 * sent. One and only one negotiate message may be sent, subsequent 74 * negotiate requests will be rejected with an error response and no action 75 * will be taken. 76 * 77 * The protocol does not impose any particular structure to the dialect 78 * strings. Implementors of particular protocols may choose to include, 79 * for example, version numbers in the string. 
80 * 81 * If the server does not understand any of the dialect strings, or if PC 82 * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is 83 * 84 * Server Response Description 85 * ============================ ======================================= 86 * 87 * UCHAR WordCount; Count of parameter words = 1 88 * USHORT DialectIndex; Index of selected dialect 89 * USHORT ByteCount; Count of data bytes = 0 90 * 91 * If the chosen dialect is greater than core up to and including 92 * LANMAN2.1, the protocol response format is 93 * 94 * Server Response Description 95 * ============================ ======================================= 96 * 97 * UCHAR WordCount; Count of parameter words = 13 98 * USHORT DialectIndex; Index of selected dialect 99 * USHORT SecurityMode; Security mode: 100 * bit 0: 0 = share, 1 = user 101 * bit 1: 1 = use challenge/response 102 * authentication 103 * USHORT MaxBufferSize; Max transmit buffer size (>= 1024) 104 * USHORT MaxMpxCount; Max pending multiplexed requests 105 * USHORT MaxNumberVcs; Max VCs between client and server 106 * USHORT RawMode; Raw modes supported: 107 * bit 0: 1 = Read Raw supported 108 * bit 1: 1 = Write Raw supported 109 * ULONG SessionKey; Unique token identifying this session 110 * SMB_TIME ServerTime; Current time at server 111 * SMB_DATE ServerDate; Current date at server 112 * USHORT ServerTimeZone; Current time zone at server 113 * USHORT EncryptionKeyLength; MBZ if this is not LM2.1 114 * USHORT Reserved; MBZ 115 * USHORT ByteCount Count of data bytes 116 * UCHAR EncryptionKey[]; The challenge encryption key 117 * STRING PrimaryDomain[]; The server's primary domain 118 * 119 * MaxBufferSize is the size of the largest message which the client can 120 * legitimately send to the server 121 * 122 * If bit0 of the Flags field is set in the negotiate response, this 123 * indicates the server supports the SMB_COM_LOCK_AND_READ and 124 * SMB_COM_WRITE_AND_UNLOCK client requests. 
125 * 126 * If the SecurityMode field indicates the server is running in user mode, 127 * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests 128 * before the server will allow the client to access resources. If the 129 * SecurityMode fields indicates the client should use challenge/response 130 * authentication, the client should use the authentication mechanism 131 * specified in section 2.10. 132 * 133 * Clients should submit no more than MaxMpxCount distinct unanswered SMBs 134 * to the server when using multiplexed reads or writes (see sections 5.13 135 * and 5.25) 136 * 137 * Clients using the "MICROSOFT NETWORKS 1.03" dialect use a different 138 * form of raw reads than documented here, and servers are better off 139 * setting RawMode in this response to 0 for such sessions. 140 * 141 * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then 142 * PrimaryDomain string should be included in this response. 143 * 144 * If the negotiated dialect is NT LM 0.12, the response format is 145 * 146 * Server Response Description 147 * ========================== ========================================= 148 * 149 * UCHAR WordCount; Count of parameter words = 17 150 * USHORT DialectIndex; Index of selected dialect 151 * UCHAR SecurityMode; Security mode: 152 * bit 0: 0 = share, 1 = user 153 * bit 1: 1 = encrypt passwords 154 * USHORT MaxMpxCount; Max pending multiplexed requests 155 * USHORT MaxNumberVcs; Max VCs between client and server 156 * ULONG MaxBufferSize; Max transmit buffer size 157 * ULONG MaxRawSize; Maximum raw buffer size 158 * ULONG SessionKey; Unique token identifying this session 159 * ULONG Capabilities; Server capabilities 160 * ULONG SystemTimeLow; System (UTC) time of the server (low). 161 * ULONG SystemTimeHigh; System (UTC) time of the server (high). 162 * USHORT ServerTimeZone; Time zone of server (min from UTC) 163 * UCHAR EncryptionKeyLength; Length of encryption key. 
164 * USHORT ByteCount; Count of data bytes 165 * UCHAR EncryptionKey[]; The challenge encryption key 166 * UCHAR OemDomainName[]; The name of the domain (in OEM chars) 167 * 168 * In addition to the definitions above, MaxBufferSize is the size of the 169 * largest message which the client can legitimately send to the server. 170 * If the client is using a connectionless protocol, MaxBufferSize must be 171 * set to the smaller of the server's internal buffer size and the amount 172 * of data which can be placed in a response packet. 173 * 174 * MaxRawSize specifies the maximum message size the server can send or 175 * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW. 176 * 177 * Connectionless clients must set Sid to 0 in the SMB request header. 178 * 179 * Capabilities allows the server to tell the client what it supports. 180 * The bit definitions defined in cifs.h. Bit 0x2000 used to be set in 181 * the negotiate response capabilities but it caused problems with 182 * Windows 2000. It is probably not valid, it doesn't appear in the 183 * CIFS spec. 184 * 185 * 4.1.1.1 Errors 186 * 187 * SUCCESS/SUCCESS 188 * ERRSRV/ERRerror 189 */ 190 #include <sys/types.h> 191 #include <sys/strsubr.h> 192 #include <sys/socketvar.h> 193 #include <sys/socket.h> 194 #include <sys/random.h> 195 #include <netinet/in.h> 196 #include <smbsrv/smb_incl.h> 197 #include <smbsrv/smbinfo.h> 198 #include <smbsrv/smb_i18n.h> 199 200 201 /* 202 * Maximum buffer size for DOS: chosen to be the same as NT. 203 * Do not change this value, DOS is very sensitive to it. 204 */ 205 #define SMB_DOS_MAXBUF 0x1104 206 207 /* 208 * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems 209 * with other values. DOS 6.1 seems to depend on a window value of 8700 to 210 * send the next set of data. If we return a window value of 40KB, after 211 * sending 8700 bytes of data, it will start the next set of data from 40KB 212 * instead of 8.7k. Why 8.7k? 
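We have no idea; it is the value that NT uses.
 * September 2000.
 *
 * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow
 * for a larger TCP window size based on observations of Windows 2000 and
 * performance testing. March 2003.
 */
static uint32_t smb_dos_tcp_rcvbuf = 8700;
static uint32_t smb_nt_tcp_rcvbuf = 1048560;	/* scale factor of 4 */

static void smb_get_security_info(smb_request_t *, unsigned short *,
    unsigned char *, unsigned char *, uint32_t *);

/*
 * Pre-processing hook for SMB_COM_NEGOTIATE: fires the DTrace start probe.
 * Always returns SDRC_SUCCESS so that smb_com_negotiate() is dispatched.
 */
smb_sdrc_t
smb_pre_negotiate(smb_request_t *sr)
{
	DTRACE_SMB_1(op__Negotiate__start, smb_request_t *, sr);
	return (SDRC_SUCCESS);
}

/*
 * Post-processing hook for SMB_COM_NEGOTIATE: fires the DTrace done probe.
 */
void
smb_post_negotiate(smb_request_t *sr)
{
	DTRACE_SMB_1(op__Negotiate__done, smb_request_t *, sr);
}

/*
 * Handle an SMB_COM_NEGOTIATE request (see the protocol description above).
 *
 * The dialect list is decoded from sr->smb_data; the highest dialect that
 * smb_xlate_dialect_str_to_cd() recognises wins, and its position in the
 * client's list is returned as DialectIndex. The socket receive buffer,
 * the challenge/session key and the response layout are then chosen
 * according to the dialect family.
 *
 * Returns SDRC_SUCCESS when a response was encoded and the session moved
 * to SMB_SESSION_STATE_NEGOTIATED. Returns SDRC_ERROR, with ERRSRV/ERRerror
 * set on the request, when the session has already negotiated, when the
 * dialect list cannot be decoded, when no dialect is acceptable, or when
 * encoding the response fails.
 */
smb_sdrc_t
smb_com_negotiate(smb_request_t *sr)
{
	int dialect = 0;
	int this_dialect;
	unsigned char keylen;
	int sel_pos = -1;
	int pos;
	char key[32];
	char *p;
	timestruc_t time_val;
	unsigned short secmode;
	uint32_t sesskey;
	uint32_t capabilities = 0;
	int rc;
	unsigned short max_mpx_count;
	WORD tz_correction;

	/*
	 * Only one negotiate per session: the session leaves ESTABLISHED
	 * once a dialect has been agreed (see the end of this function),
	 * so anything else here is a re-negotiation attempt.
	 */
	if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) {
		smbsr_error(sr, 0, ERRSRV, ERRerror);
		return (SDRC_ERROR);
	}

	/*
	 * Walk the client's dialect list. pos counts every entry, including
	 * the ones we do not recognise, because the DialectIndex we return
	 * is the position within the list exactly as the client sent it.
	 */
	for (pos = 0;
	    sr->smb_data.chain_offset < sr->smb_data.max_bytes;
	    pos++) {
		if (smb_decode_mbc(&sr->smb_data, "%L", sr, &p) != 0) {
			smbsr_error(sr, 0, ERRSRV, ERRerror);
			return (SDRC_ERROR);
		}

		this_dialect = smb_xlate_dialect_str_to_cd(p);

		if (this_dialect < 0)
			continue;

		/* Strictly greater: on a tie the earliest entry is kept. */
		if (dialect < this_dialect) {
			dialect = this_dialect;
			sel_pos = pos;
		}
	}
	if (sel_pos < 0) {
		/*
		 * Nothing acceptable. The request is failed outright
		 * rather than answered with DialectIndex 0xFFFF.
		 */
		smbsr_error(sr, 0, ERRSRV, ERRerror);
		return (SDRC_ERROR);
	}

	/*
	 * Fresh challenge and session key; both are also recorded on the
	 * session for the subsequent session setup.
	 */
	smb_get_security_info(sr, &secmode, (unsigned char *)key,
	    &keylen, &sesskey);

	(void) microtime(&time_val);
	/*
	 * ServerTimeZone is in minutes; the sign is inverted relative to
	 * sr_gmtoff (see smb_get_gmtoff).
	 */
	tz_correction = -(WORD)(sr->sr_gmtoff / 60);

	switch (dialect) {
	case DIALECT_UNKNOWN:
	case PC_NETWORK_PROGRAM_1_0:	/* core */
		/* Core protocol: WordCount 1, just the dialect index. */
		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
		    (const void *)&smb_dos_tcp_rcvbuf,
		    sizeof (smb_dos_tcp_rcvbuf));
		rc = smbsr_encode_result(sr, 1, 0, "bww", 1, sel_pos, 0);
		break;

	case Windows_for_Workgroups_3_1a:
	case PCLAN1_0:
	case MICROSOFT_NETWORKS_1_03:
	case MICROSOFT_NETWORKS_3_0:
	case LANMAN1_0:
	case LM1_2X002:
	case DOS_LM1_2X002:
		/* Extended (LANMAN 1.x style) response: WordCount 13. */
		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
		    (const void *)&smb_dos_tcp_rcvbuf,
		    sizeof (smb_dos_tcp_rcvbuf));
		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
		rc = smbsr_encode_result(sr, 13, VAR_BCC,
		    "(wct) b" "(dix) w" "(sec) w" "(mbs) w"
		    "(mmc) w" "(mnv) w" "(raw) w" "(key) l"
		    "(tim/dat) Y" "(tz) w" "(ekl) w"
		    "(mbz) 2." "(bcc) w" "(key) #c",
		    13,				/* wct */
		    sel_pos,			/* dialect index */
		    secmode,			/* security mode */
		    SMB_DOS_MAXBUF,		/* max buffer size */
		    1,				/* max MPX (temporary) */
		    1,				/* max VCs (temporary, ambiguous) */
		    3,				/* raw mode (s/b 3) */
		    sesskey,			/* session key */
		    time_val.tv_sec,		/* server time/date */
		    tz_correction,		/* see smb_get_gmtoff */
		    (short)keylen,		/* Encryption Key Length */
						/* reserved field handled 2. */
		    VAR_BCC,
		    (int)keylen,
		    key);			/* encryption key */
		break;

	case DOS_LANMAN2_1:
	case LANMAN2_1:
		/* As above, plus the PrimaryDomain string (LANMAN 2.1). */
		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
		    (const void *)&smb_dos_tcp_rcvbuf,
		    sizeof (smb_dos_tcp_rcvbuf));
		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
		rc = smbsr_encode_result(sr, 13, VAR_BCC,
		    "(wct) b" "(dix) w" "(sec) w" "(mbs) w"
		    "(mmc) w" "(mnv) w" "(raw) w" "(key) l"
		    "(tim/dat) Y" "(tz) w" "(ekl) w"
		    "(mbz) 2." "(bcc) w" "(key) #c" "(dom) s",
		    13,				/* wct */
		    sel_pos,			/* dialect index */
		    secmode,			/* security mode */
		    SMB_DOS_MAXBUF,		/* max buffer size */
		    1,				/* max MPX (temporary) */
		    1,				/* max VCs (temporary, ambiguous) */
		    3,				/* raw mode (s/b 3) */
		    sesskey,			/* session key */
		    time_val.tv_sec,		/* server time/date */
		    tz_correction,
		    (short)keylen,		/* Encryption Key Length */
						/* reserved field handled 2. */
		    VAR_BCC,
		    (int)keylen,
		    key,			/* encryption key */
		    sr->sr_cfg->skc_resource_domain);
		break;

	case NT_LM_0_12:
		/* NT LM 0.12 response: WordCount 17, capability bits. */
		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
		    (const void *)&smb_nt_tcp_rcvbuf,
		    sizeof (smb_nt_tcp_rcvbuf));
		capabilities = CAP_LARGE_FILES
		    | CAP_NT_SMBS
		    | CAP_STATUS32
		    | CAP_NT_FIND
		    | CAP_RAW_MODE
		    | CAP_LEVEL_II_OPLOCKS
		    | CAP_LOCK_AND_READ
		    | CAP_RPC_REMOTE_APIS
		    | CAP_LARGE_READX;

		/*
		 * UNICODE support is required to enable support for long
		 * share names and long file names and streams.
		 */
		capabilities |= CAP_UNICODE;

		/*
		 * Turn off Extended Security Negotiation.
		 */
		sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC;

		/*
		 * Advertise SMB signing only when challenge/response is in
		 * use and signing is enabled in the configuration. The
		 * updated mode is stored on the session so that the later
		 * session setup sees the same flags the client was told.
		 */
		if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) &&
		    sr->sr_cfg->skc_signing_enable) {
			secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
			if (sr->sr_cfg->skc_signing_required)
				secmode |=
				    NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;

			sr->session->secmode = secmode;
		}

		/* MaxMpxCount is bounded by the configured worker count. */
		max_mpx_count = sr->sr_cfg->skc_maxworkers;

		rc = smbsr_encode_result(sr, 17, VAR_BCC,
		    "(wct) b" "(dix) w" "(sec) b" "(mmc) w"
		    "(mnv) w" "(mbs) l" "(raw) l" "(key) l"
		    "(cap) l" "(tim) T" "(tz) w" "(ekl) b"
		    "(bcc) w" "(key) #c" "(dom) Z",
		    17,				/* wct */
		    sel_pos,			/* dialect index */
		    secmode,			/* security mode */
		    max_mpx_count,		/* max MPX (temporary) */
		    1,				/* max VCs (temporary, ambiguous) */
		    (DWORD)smb_maxbufsize,	/* max buffer size */
		    0xFFFF,			/* max raw size */
		    sesskey,			/* session key */
		    capabilities,
		    &time_val,			/* system time */
		    tz_correction,
		    keylen,			/* Encryption Key Length */
		    VAR_BCC,
		    (int)keylen,
		    key,			/* encryption key */
		    sr->sr_cfg->skc_resource_domain);
		break;

	default:
		smbsr_error(sr, 0, ERRSRV, ERRerror);
		return (SDRC_ERROR);
	}

	if (rc != 0)
		return (SDRC_ERROR);

	/*
	 * Save the agreed dialect. Note that this value is also
	 * used to detect and reject attempts to re-negotiate.
	 */
	sr->session->dialect = dialect;
	sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED;
	return (SDRC_SUCCESS);
}

/*
 * Generate the per-session security material advertised in the negotiate
 * response and record it on the session:
 *
 *   - an 8-byte challenge (EncryptionKey), copied to both the session's
 *     challenge_key and the caller's key buffer, with *keylen set to 8;
 *   - the security mode, fixed here to user-level, challenge/response;
 *   - a 32-bit session key assembled little-endian from 4 random bytes.
 *
 * key must have room for at least 8 bytes.
 *
 * NOTE(review): the challenge is the nonce for challenge/response
 * authentication, so its unpredictability matters; confirm that the
 * pseudo-random source used here is considered adequate for that purpose.
 */
static void
smb_get_security_info(smb_request_t *sr, unsigned short *secmode,
    unsigned char *key, unsigned char *keylen, uint32_t *sesskey)
{
	uchar_t tmp_key[8];

	(void) random_get_pseudo_bytes(tmp_key, sizeof (tmp_key));
	bcopy(tmp_key, &sr->session->challenge_key, sizeof (tmp_key));
	sr->session->challenge_len = sizeof (tmp_key);
	*keylen = sizeof (tmp_key);
	bcopy(tmp_key, key, sizeof (tmp_key));

	sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE |
	    NEGOTIATE_SECURITY_USER_LEVEL;

	/*
	 * Assemble the session key as an unsigned 32-bit value. Each byte
	 * is widened to uint32_t before shifting: shifting an int-promoted
	 * uchar_t left by 24 is undefined behaviour whenever the top bit
	 * of that byte is set.
	 */
	(void) random_get_pseudo_bytes(tmp_key, 4);
	sr->session->sesskey = (uint32_t)tmp_key[0] |
	    ((uint32_t)tmp_key[1] << 8) |
	    ((uint32_t)tmp_key[2] << 16) |
	    ((uint32_t)tmp_key[3] << 24);

	*secmode = sr->session->secmode;
	*sesskey = sr->session->sesskey;
}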