xref: /titanic_50/usr/src/uts/common/fs/smbsrv/smb_negotiate.c (revision 142c9f13e148d687426ed2d4e8bd93717eeaebbc)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * Notes on the virtual circuit (VC) values in the SMB Negotiate
30  * response and SessionSetupAndx request.
31  *
32  * A virtual circuit (VC) represents a connection between a client and a
33  * server using a reliable, session oriented transport protocol, such as
34  * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a
35  * single underlying transport connection, i.e. a single NetBIOS session,
36  * which limited performance for raw data transfers.
37  *
38  * The intention behind multiple VCs was to improve performance by
39  * allowing parallelism over each NetBIOS session. For example, raw data
40  * could be transmitted using a different VC from other types of SMB
41  * requests to remove the interleaving restriction while a raw transfer
42  * is in progress. So the MaxNumberVcs field was added to the negotiate
43  * response to make the number of VCs configurable and to allow servers
44  * to specify how many they were prepared to support per session
45  * connection. This turned out to be difficult to manage and, with
46  * technology improvements, it has become obsolete.
47  *
48  * Servers should set the MaxNumberVcs value in the Negotiate response
49  * to 1. Clients should probably ignore it. If a server receives a
50  * SessionSetupAndx with a VC value of 0, it should close all other
51  * VCs to that client. If it receives a non-zero VC, it should leave
52  * other VCs in tact.
53  *
54  */
55 
56 /*
57  * SMB: negotiate
58  *
59  * Client Request                Description
60  * ============================  =======================================
61  *
62  * UCHAR WordCount;              Count of parameter words = 0
63  * USHORT ByteCount;             Count of data bytes; min = 2
64  * struct {
65  *    UCHAR BufferFormat;        0x02 -- Dialect
66  *    UCHAR DialectName[];       ASCII null-terminated string
67  * } Dialects[];
68  *
69  * The Client sends a list of dialects that it can communicate with.  The
70  * response is a selection of one of those dialects (numbered 0 through n)
71  * or -1 (hex FFFF) indicating that none of the dialects were acceptable.
72  * The negotiate message is binding on the virtual circuit and must be
73  * sent.  One and only one negotiate message may be sent, subsequent
74  * negotiate requests will be rejected with an error response and no action
75  * will be taken.
76  *
77  * The protocol does not impose any particular structure to the dialect
78  * strings.  Implementors of particular protocols may choose to include,
79  * for example, version numbers in the string.
80  *
81  * If the server does not understand any of the dialect strings, or if PC
82  * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is
83  *
84  * Server Response               Description
85  * ============================  =======================================
86  *
87  * UCHAR WordCount;              Count of parameter words = 1
88  * USHORT DialectIndex;          Index of selected dialect
89  * USHORT ByteCount;             Count of data bytes = 0
90  *
91  * If the chosen dialect is greater than core up to and including
92  * LANMAN2.1, the protocol response format is
93  *
94  * Server Response               Description
95  * ============================  =======================================
96  *
97  * UCHAR WordCount;              Count of parameter words = 13
98  * USHORT  DialectIndex;         Index of selected dialect
99  * USHORT  SecurityMode;         Security mode:
100  *                               bit 0: 0 = share, 1 = user
101  *                               bit 1: 1 = use challenge/response
102  *                               authentication
103  * USHORT  MaxBufferSize;        Max transmit buffer size (>= 1024)
104  * USHORT  MaxMpxCount;          Max pending multiplexed requests
105  * USHORT  MaxNumberVcs;         Max VCs between client and server
106  * USHORT  RawMode;              Raw modes supported:
107  *                                bit 0: 1 = Read Raw supported
108  *                                bit 1: 1 = Write Raw supported
109  * ULONG SessionKey;             Unique token identifying this session
110  * SMB_TIME ServerTime;          Current time at server
111  * SMB_DATE ServerDate;          Current date at server
112  * USHORT ServerTimeZone;        Current time zone at server
113  * USHORT  EncryptionKeyLength;  MBZ if this is not LM2.1
114  * USHORT  Reserved;             MBZ
115  * USHORT  ByteCount             Count of data bytes
116  * UCHAR EncryptionKey[];        The challenge encryption key
117  * STRING PrimaryDomain[];       The server's primary domain
118  *
119  * MaxBufferSize is the size of the largest message which the client can
120  * legitimately send to the server
121  *
122  * If  bit0 of the Flags field is set in the negotiate response, this
123  * indicates the server supports the SMB_COM_LOCK_AND_READ and
124  * SMB_COM_WRITE_AND_UNLOCK client requests.
125  *
126  * If the SecurityMode field indicates the server is running in user mode,
127  * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests
128  * before the server will allow the client to access resources.   If the
129  * SecurityMode fields indicates the client should use challenge/response
130  * authentication, the client should use the authentication mechanism
131  * specified in section 2.10.
132  *
133  * Clients should submit no more than MaxMpxCount distinct unanswered SMBs
134  * to the server when using multiplexed reads or writes (see sections 5.13
135  * and 5.25)
136  *
137  * Clients using the  "MICROSOFT NETWORKS 1.03" dialect use a different
138  * form of raw reads than documented here, and servers are better off
139  * setting RawMode in this response to 0 for such sessions.
140  *
141  * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then
142  * PrimaryDomain string should be included in this response.
143  *
144  * If the negotiated dialect is NT LM 0.12, the response format is
145  *
146  * Server Response            Description
147  * ========================== =========================================
148  *
149  * UCHAR WordCount;           Count of parameter words = 17
150  * USHORT DialectIndex;       Index of selected dialect
151  * UCHAR SecurityMode;        Security mode:
152  *                             bit 0: 0 = share, 1 = user
153  *                             bit 1: 1 = encrypt passwords
154  * USHORT MaxMpxCount;        Max pending multiplexed requests
155  * USHORT MaxNumberVcs;       Max VCs between client and server
156  * ULONG MaxBufferSize;       Max transmit buffer size
157  * ULONG MaxRawSize;          Maximum raw buffer size
158  * ULONG SessionKey;          Unique token identifying this session
159  * ULONG Capabilities;        Server capabilities
160  * ULONG SystemTimeLow;       System (UTC) time of the server (low).
161  * ULONG SystemTimeHigh;      System (UTC) time of the server (high).
162  * USHORT ServerTimeZone;     Time zone of server (min from UTC)
163  * UCHAR EncryptionKeyLength; Length of encryption key.
164  * USHORT ByteCount;          Count of data bytes
165  * UCHAR EncryptionKey[];     The challenge encryption key
166  * UCHAR OemDomainName[];     The name of the domain (in OEM chars)
167  *
168  * In addition to the definitions above, MaxBufferSize is the size of the
169  * largest message which the client can legitimately send to the server.
170  * If the client is using a connectionless protocol,  MaxBufferSize must be
171  * set to the smaller of the server's internal buffer size and the amount
172  * of data which can be placed in a response packet.
173  *
174  * MaxRawSize specifies the maximum message size the server can send or
175  * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW.
176  *
177  * Connectionless clients must set Sid to 0 in the SMB request header.
178  *
179  * Capabilities allows the server to tell the client what it supports.
180  * The bit definitions defined in cifs.h. Bit 0x2000 used to be set in
181  * the negotiate response capabilities but it caused problems with
182  * Windows 2000. It is probably not valid, it doesn't appear in the
183  * CIFS spec.
184  *
185  * 4.1.1.1   Errors
186  *
187  * SUCCESS/SUCCESS
188  * ERRSRV/ERRerror
189  */
190 #include <sys/types.h>
191 #include <sys/strsubr.h>
192 #include <sys/socketvar.h>
193 #include <sys/socket.h>
194 #include <sys/random.h>
195 #include <netinet/in.h>
196 #include <smbsrv/smb_incl.h>
197 #include <smbsrv/smbinfo.h>
198 #include <smbsrv/smb_i18n.h>
199 
200 
201 /*
202  * Maximum buffer size for DOS: chosen to be the same as NT.
203  * Do not change this value, DOS is very sensitive to it.
204  */
205 #define	SMB_DOS_MAXBUF			0x1104
206 
207 /*
208  * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems
209  * with other values. DOS 6.1 seems to depend on a window value of 8700 to
210  * send the next set of data. If we return a window value of 40KB, after
211  * sending 8700 bytes of data, it will start the next set of data from 40KB
212  * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses.
213  * September 2000.
214  *
215  * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow
216  * for a larger TCP window sizei based on observations of Windows 2000 and
217  * performance testing. March 2003.
218  */
219 static uint32_t	smb_dos_tcp_rcvbuf = 8700;
220 static uint32_t	smb_nt_tcp_rcvbuf = 1048560;	/* scale factor of 4 */
221 
222 static void smb_get_security_info(smb_request_t *, unsigned short *,
223     unsigned char *, unsigned char *, uint32_t *);
224 
225 /*
226  * Function: int smb_com_negotiate(struct smb_request *)
227  */
228 smb_sdrc_t
229 smb_pre_negotiate(smb_request_t *sr)
230 {
231 	DTRACE_SMB_1(op__Negotiate__start, smb_request_t *, sr);
232 	return (SDRC_SUCCESS);
233 }
234 
235 void
236 smb_post_negotiate(smb_request_t *sr)
237 {
238 	DTRACE_SMB_1(op__Negotiate__done, smb_request_t *, sr);
239 }
240 
241 smb_sdrc_t
242 smb_com_negotiate(smb_request_t *sr)
243 {
244 	int			dialect = 0;
245 	int			this_dialect;
246 	unsigned char		keylen;
247 	int			sel_pos = -1;
248 	int			pos;
249 	char 			key[32];
250 	char			*p;
251 	timestruc_t		time_val;
252 	unsigned short		secmode;
253 	uint32_t		sesskey;
254 	uint32_t		capabilities = 0;
255 	int			rc;
256 	unsigned short		max_mpx_count;
257 	WORD			tz_correction;
258 	char			ipaddr_buf[INET_ADDRSTRLEN];
259 
260 	if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) {
261 		/* The protocol has already been negotiated. */
262 		smbsr_error(sr, 0, ERRSRV, ERRerror);
263 		return (SDRC_ERROR);
264 	}
265 
266 	for (pos = 0;
267 	    sr->smb_data.chain_offset < sr->smb_data.max_bytes;
268 	    pos++) {
269 		if (smb_decode_mbc(&sr->smb_data, "%L", sr, &p) != 0) {
270 			smbsr_error(sr, 0, ERRSRV, ERRerror);
271 			return (SDRC_ERROR);
272 		}
273 
274 		this_dialect = smb_xlate_dialect_str_to_cd(p);
275 
276 		if (this_dialect < 0)
277 			continue;
278 
279 		if (dialect < this_dialect) {
280 			dialect = this_dialect;
281 			sel_pos = pos;
282 		}
283 	}
284 	if (sel_pos < 0) {
285 		smbsr_error(sr, 0, ERRSRV, ERRerror);
286 		return (SDRC_ERROR);
287 	}
288 
289 	smb_get_security_info(sr, &secmode, (unsigned char *)key,
290 	    &keylen, &sesskey);
291 
292 	(void) microtime(&time_val);
293 	/* tz correct. (min) */
294 	tz_correction = -(WORD)(sr->sr_gmtoff / 60);
295 
296 	switch (dialect) {
297 	case DIALECT_UNKNOWN:
298 	case PC_NETWORK_PROGRAM_1_0:	/* core */
299 		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
300 		    (const void *)&smb_dos_tcp_rcvbuf,
301 		    sizeof (smb_dos_tcp_rcvbuf));
302 		rc = smbsr_encode_result(sr, 1, 0, "bww", 1, sel_pos, 0);
303 		break;
304 
305 	case Windows_for_Workgroups_3_1a:
306 	case PCLAN1_0:
307 	case MICROSOFT_NETWORKS_1_03:
308 	case MICROSOFT_NETWORKS_3_0:
309 	case LANMAN1_0:
310 	case LM1_2X002:
311 	case DOS_LM1_2X002:
312 		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
313 		    (const void *)&smb_dos_tcp_rcvbuf,
314 		    sizeof (smb_dos_tcp_rcvbuf));
315 		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
316 		rc = smbsr_encode_result(sr, 13, VAR_BCC,
317 		    "(wct) b" "(dix) w" "(sec) w" "(mbs) w"
318 		    "(mmc) w" "(mnv) w" "(raw) w" "(key) l"
319 		    "(tim/dat) Y"       "(tz)  w" "(ekl) w"
320 		    "(mbz) 2.""(bcc) w" "(key) #c",
321 		    13,		/* wct */
322 		    sel_pos,	/* dialect index */
323 		    secmode,		/* security mode */
324 		    SMB_DOS_MAXBUF,	/* max buffer size */
325 		    1,		/* max MPX (temporary) */
326 		    1,		/* max VCs (temporary, ambiguous) */
327 		    3,		/* raw mode (s/b 3) */
328 		    sesskey,	/* session key */
329 		    time_val.tv_sec, /* server time/date */
330 		    tz_correction,  /* see smb_get_gmtoff */
331 		    (short)keylen,	/* Encryption Key Length */
332 				/* reserved field handled 2. */
333 		    VAR_BCC,
334 		    (int)keylen,
335 		    key);		/* encryption key */
336 		break;
337 
338 	case DOS_LANMAN2_1:
339 	case LANMAN2_1:
340 		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
341 		    (const void *)&smb_dos_tcp_rcvbuf,
342 		    sizeof (smb_dos_tcp_rcvbuf));
343 		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
344 		rc = smbsr_encode_result(sr, 13, VAR_BCC,
345 		    "(wct) b" "(dix) w" "(sec) w" "(mbs) w"
346 		    "(mmc) w" "(mnv) w" "(raw) w" "(key) l"
347 		    "(tim/dat) Y"       "(tz)  w" "(ekl) w"
348 		    "(mbz) 2.""(bcc) w" "(key) #c" "(dom) s",
349 		    13,		/* wct */
350 		    sel_pos,	/* dialect index */
351 		    secmode,		/* security mode */
352 		    SMB_DOS_MAXBUF,	/* max buffer size */
353 		    1,		/* max MPX (temporary) */
354 		    1,		/* max VCs (temporary, ambiguous) */
355 		    3,		/* raw mode (s/b 3) */
356 		    sesskey,	/* session key */
357 		    time_val.tv_sec, /* server time/date */
358 		    tz_correction,
359 		    (short)keylen,	/* Encryption Key Length */
360 				/* reserved field handled 2. */
361 		    VAR_BCC,
362 		    (int)keylen,
363 		    key,		/* encryption key */
364 		    sr->sr_cfg->skc_resource_domain);
365 		break;
366 
367 	case NT_LM_0_12:
368 		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
369 		    (const void *)&smb_nt_tcp_rcvbuf,
370 		    sizeof (smb_nt_tcp_rcvbuf));
371 		capabilities = CAP_LARGE_FILES
372 		    | CAP_NT_SMBS
373 		    | CAP_STATUS32
374 		    | CAP_NT_FIND
375 		    | CAP_RAW_MODE
376 		    | CAP_LEVEL_II_OPLOCKS
377 		    | CAP_LOCK_AND_READ
378 		    | CAP_RPC_REMOTE_APIS
379 		    | CAP_LARGE_READX;
380 
381 		/*
382 		 * UNICODE support is required to enable support for long
383 		 * share names and long file names and streams.
384 		 */
385 
386 		capabilities |= CAP_UNICODE;
387 
388 
389 		/*
390 		 * Turn off Extended Security Negotiation
391 		 */
392 		sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC;
393 
394 		/*
395 		 * Allow SMB signatures if security challenge response enabled
396 		 */
397 		if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) &&
398 		    sr->sr_cfg->skc_signing_enable) {
399 			secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
400 			if (sr->sr_cfg->skc_signing_required)
401 				secmode |=
402 				    NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
403 
404 			sr->session->secmode = secmode;
405 		}
406 
407 		(void) inet_ntop(AF_INET, (char *)&sr->session->ipaddr,
408 		    ipaddr_buf, sizeof (ipaddr_buf));
409 
410 		max_mpx_count = sr->sr_cfg->skc_maxworkers;
411 
412 		rc = smbsr_encode_result(sr, 17, VAR_BCC,
413 		    "(wct) b" "(dix) w" "(sec) b" "(mmc) w"
414 		    "(mnv) w" "(mbs) l" "(raw) l" "(key) l"
415 		    "(cap) l" "(tim) T" "(tz) w" "(ekl) b"
416 		    "(bcc) w" "(key) #c" "(dom) Z",
417 		    17,		/* wct */
418 		    sel_pos,	/* dialect index */
419 		    secmode,	/* security mode */
420 		    max_mpx_count,		/* max MPX (temporary) */
421 		    1,		/* max VCs (temporary, ambiguous) */
422 		    (DWORD)smb_maxbufsize,	/* max buffer size */
423 		    0xFFFF,	/* max raw size */
424 		    sesskey,	/* session key */
425 		    capabilities,
426 		    &time_val,			/* system time */
427 		    tz_correction,
428 		    keylen,			/* Encryption Key Length */
429 		    VAR_BCC,
430 		    (int)keylen,
431 		    key,			/* encryption key */
432 		    sr->sr_cfg->skc_resource_domain);
433 		break;
434 
435 	default:
436 		smbsr_error(sr, 0, ERRSRV, ERRerror);
437 		return (SDRC_ERROR);
438 	}
439 
440 	if (rc != 0)
441 		return (SDRC_ERROR);
442 
443 	/*
444 	 * Save the agreed dialect. Note that this value is also
445 	 * used to detect and reject attempts to re-negotiate.
446 	 */
447 	sr->session->dialect = dialect;
448 	sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED;
449 	return (SDRC_SUCCESS);
450 }
451 
452 static void
453 smb_get_security_info(
454     struct smb_request *sr,
455     unsigned short *secmode,
456     unsigned char *key,
457     unsigned char *keylen,
458     uint32_t *sesskey)
459 {
460 	uchar_t tmp_key[8];
461 
462 	(void) random_get_pseudo_bytes(tmp_key, 8);
463 	bcopy(tmp_key, &sr->session->challenge_key, 8);
464 	sr->session->challenge_len = 8;
465 	*keylen = 8;
466 	bcopy(tmp_key, key, 8);
467 
468 	sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE|
469 	    NEGOTIATE_SECURITY_USER_LEVEL;
470 
471 	(void) random_get_pseudo_bytes(tmp_key, 4);
472 	sr->session->sesskey = tmp_key[0] | tmp_key[1] << 8 |
473 	    tmp_key[2] << 16 | tmp_key[3] << 24;
474 
475 	*secmode = sr->session->secmode;
476 	*sesskey = sr->session->sesskey;
477 }
478