xref: /titanic_50/usr/src/uts/common/fs/smbsrv/smb_negotiate.c (revision ff3124eff995e6cd8ebd8c6543648e0670920034)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 /*
29  * Notes on the virtual circuit (VC) values in the SMB Negotiate
30  * response and SessionSetupAndx request.
31  *
32  * A virtual circuit (VC) represents a connection between a client and a
33  * server using a reliable, session oriented transport protocol, such as
34  * NetBIOS or TCP/IP. Originally, each SMB session was restricted to a
35  * single underlying transport connection, i.e. a single NetBIOS session,
36  * which limited performance for raw data transfers.
37  *
38  * The intention behind multiple VCs was to improve performance by
39  * allowing parallelism over each NetBIOS session. For example, raw data
40  * could be transmitted using a different VC from other types of SMB
41  * requests to remove the interleaving restriction while a raw transfer
42  * is in progress. So the MaxNumberVcs field was added to the negotiate
43  * response to make the number of VCs configurable and to allow servers
44  * to specify how many they were prepared to support per session
45  * connection. This turned out to be difficult to manage and, with
46  * technology improvements, it has become obsolete.
47  *
48  * Servers should set the MaxNumberVcs value in the Negotiate response
49  * to 1. Clients should probably ignore it. If a server receives a
50  * SessionSetupAndx with a VC value of 0, it should close all other
51  * VCs to that client. If it receives a non-zero VC, it should leave
52  * other VCs in tact.
53  *
54  */
55 
56 /*
57  * SMB: negotiate
58  *
59  * Client Request                Description
60  * ============================  =======================================
61  *
62  * UCHAR WordCount;              Count of parameter words = 0
63  * USHORT ByteCount;             Count of data bytes; min = 2
64  * struct {
65  *    UCHAR BufferFormat;        0x02 -- Dialect
66  *    UCHAR DialectName[];       ASCII null-terminated string
67  * } Dialects[];
68  *
69  * The Client sends a list of dialects that it can communicate with.  The
70  * response is a selection of one of those dialects (numbered 0 through n)
71  * or -1 (hex FFFF) indicating that none of the dialects were acceptable.
72  * The negotiate message is binding on the virtual circuit and must be
73  * sent.  One and only one negotiate message may be sent, subsequent
74  * negotiate requests will be rejected with an error response and no action
75  * will be taken.
76  *
77  * The protocol does not impose any particular structure to the dialect
78  * strings.  Implementors of particular protocols may choose to include,
79  * for example, version numbers in the string.
80  *
81  * If the server does not understand any of the dialect strings, or if PC
82  * NETWORK PROGRAM 1.0 is the chosen dialect, the response format is
83  *
84  * Server Response               Description
85  * ============================  =======================================
86  *
87  * UCHAR WordCount;              Count of parameter words = 1
88  * USHORT DialectIndex;          Index of selected dialect
89  * USHORT ByteCount;             Count of data bytes = 0
90  *
91  * If the chosen dialect is greater than core up to and including
92  * LANMAN2.1, the protocol response format is
93  *
94  * Server Response               Description
95  * ============================  =======================================
96  *
97  * UCHAR WordCount;              Count of parameter words = 13
98  * USHORT  DialectIndex;         Index of selected dialect
99  * USHORT  SecurityMode;         Security mode:
100  *                               bit 0: 0 = share, 1 = user
101  *                               bit 1: 1 = use challenge/response
102  *                               authentication
103  * USHORT  MaxBufferSize;        Max transmit buffer size (>= 1024)
104  * USHORT  MaxMpxCount;          Max pending multiplexed requests
105  * USHORT  MaxNumberVcs;         Max VCs between client and server
106  * USHORT  RawMode;              Raw modes supported:
107  *                                bit 0: 1 = Read Raw supported
108  *                                bit 1: 1 = Write Raw supported
109  * ULONG SessionKey;             Unique token identifying this session
110  * SMB_TIME ServerTime;          Current time at server
111  * SMB_DATE ServerDate;          Current date at server
112  * USHORT ServerTimeZone;        Current time zone at server
113  * USHORT  EncryptionKeyLength;  MBZ if this is not LM2.1
114  * USHORT  Reserved;             MBZ
115  * USHORT  ByteCount             Count of data bytes
116  * UCHAR EncryptionKey[];        The challenge encryption key
117  * STRING PrimaryDomain[];       The server's primary domain
118  *
119  * MaxBufferSize is the size of the largest message which the client can
120  * legitimately send to the server
121  *
122  * If  bit0 of the Flags field is set in the negotiate response, this
123  * indicates the server supports the SMB_COM_LOCK_AND_READ and
124  * SMB_COM_WRITE_AND_UNLOCK client requests.
125  *
126  * If the SecurityMode field indicates the server is running in user mode,
127  * the client must send appropriate SMB_COM_SESSION_SETUP_ANDX requests
128  * before the server will allow the client to access resources.   If the
129  * SecurityMode fields indicates the client should use challenge/response
130  * authentication, the client should use the authentication mechanism
131  * specified in section 2.10.
132  *
133  * Clients should submit no more than MaxMpxCount distinct unanswered SMBs
134  * to the server when using multiplexed reads or writes (see sections 5.13
135  * and 5.25)
136  *
137  * Clients using the  "MICROSOFT NETWORKS 1.03" dialect use a different
138  * form of raw reads than documented here, and servers are better off
139  * setting RawMode in this response to 0 for such sessions.
140  *
141  * If the negotiated dialect is "DOS LANMAN2.1" or "LANMAN2.1", then
142  * PrimaryDomain string should be included in this response.
143  *
144  * If the negotiated dialect is NT LM 0.12, the response format is
145  *
146  * Server Response            Description
147  * ========================== =========================================
148  *
149  * UCHAR WordCount;           Count of parameter words = 17
150  * USHORT DialectIndex;       Index of selected dialect
151  * UCHAR SecurityMode;        Security mode:
152  *                             bit 0: 0 = share, 1 = user
153  *                             bit 1: 1 = encrypt passwords
154  * USHORT MaxMpxCount;        Max pending multiplexed requests
155  * USHORT MaxNumberVcs;       Max VCs between client and server
156  * ULONG MaxBufferSize;       Max transmit buffer size
157  * ULONG MaxRawSize;          Maximum raw buffer size
158  * ULONG SessionKey;          Unique token identifying this session
159  * ULONG Capabilities;        Server capabilities
160  * ULONG SystemTimeLow;       System (UTC) time of the server (low).
161  * ULONG SystemTimeHigh;      System (UTC) time of the server (high).
162  * USHORT ServerTimeZone;     Time zone of server (min from UTC)
163  * UCHAR EncryptionKeyLength; Length of encryption key.
164  * USHORT ByteCount;          Count of data bytes
165  * UCHAR EncryptionKey[];     The challenge encryption key
166  * UCHAR OemDomainName[];     The name of the domain (in OEM chars)
167  *
168  * In addition to the definitions above, MaxBufferSize is the size of the
169  * largest message which the client can legitimately send to the server.
170  * If the client is using a connectionless protocol,  MaxBufferSize must be
171  * set to the smaller of the server's internal buffer size and the amount
172  * of data which can be placed in a response packet.
173  *
174  * MaxRawSize specifies the maximum message size the server can send or
175  * receive for SMB_COM_WRITE_RAW or SMB_COM_READ_RAW.
176  *
177  * Connectionless clients must set Sid to 0 in the SMB request header.
178  *
179  * Capabilities allows the server to tell the client what it supports.
180  * The bit definitions defined in cifs.h. Bit 0x2000 used to be set in
181  * the negotiate response capabilities but it caused problems with
182  * Windows 2000. It is probably not valid, it doesn't appear in the
183  * CIFS spec.
184  *
185  * 4.1.1.1   Errors
186  *
187  * SUCCESS/SUCCESS
188  * ERRSRV/ERRerror
189  */
190 #include <sys/types.h>
191 #include <sys/strsubr.h>
192 #include <sys/socketvar.h>
193 #include <sys/socket.h>
194 #include <sys/random.h>
195 #include <netinet/in.h>
196 #include <smbsrv/smb_incl.h>
197 #include <smbsrv/smbinfo.h>
198 #include <smbsrv/smb_i18n.h>
199 
200 
201 /*
202  * Maximum buffer size for DOS: chosen to be the same as NT.
203  * Do not change this value, DOS is very sensitive to it.
204  */
205 #define	SMB_DOS_MAXBUF			0x1104
206 
207 /*
208  * The DOS TCP rcvbuf is set to 8700 because DOS 6.1 seems to have problems
209  * with other values. DOS 6.1 seems to depend on a window value of 8700 to
210  * send the next set of data. If we return a window value of 40KB, after
211  * sending 8700 bytes of data, it will start the next set of data from 40KB
212  * instead of 8.7k. Why 8.7k? We have no idea; it is the value that NT uses.
213  * September 2000.
214  *
215  * IR104720 Increased smb_nt_tcp_rcvbuf from 40KB to just under 1MB to allow
216  * for a larger TCP window sizei based on observations of Windows 2000 and
217  * performance testing. March 2003.
218  */
219 static uint32_t	smb_dos_tcp_rcvbuf = 8700;
220 static uint32_t	smb_nt_tcp_rcvbuf = 1048560;	/* scale factor of 4 */
221 
222 static void smb_get_security_info(smb_request_t *, unsigned short *,
223     unsigned char *, unsigned char *, uint32_t *);
224 
225 /*
226  * Function: int smb_com_negotiate(struct smb_request *)
227  */
228 smb_sdrc_t
229 smb_pre_negotiate(smb_request_t *sr)
230 {
231 	DTRACE_SMB_1(op__Negotiate__start, smb_request_t *, sr);
232 	return (SDRC_SUCCESS);
233 }
234 
235 void
236 smb_post_negotiate(smb_request_t *sr)
237 {
238 	DTRACE_SMB_1(op__Negotiate__done, smb_request_t *, sr);
239 }
240 
241 smb_sdrc_t
242 smb_com_negotiate(smb_request_t *sr)
243 {
244 	int			dialect = 0;
245 	int			this_dialect;
246 	unsigned char		keylen;
247 	int			sel_pos = -1;
248 	int			pos;
249 	char 			key[32];
250 	char			*p;
251 	timestruc_t		time_val;
252 	unsigned short		secmode;
253 	uint32_t		sesskey;
254 	uint32_t		capabilities = 0;
255 	int			rc;
256 	unsigned short		max_mpx_count;
257 	WORD			tz_correction;
258 	char			ipaddr_buf[INET_ADDRSTRLEN];
259 
260 	if (sr->session->s_state != SMB_SESSION_STATE_ESTABLISHED) {
261 		/* The protocol has already been negotiated. */
262 		smbsr_error(sr, 0, ERRSRV, ERRerror);
263 		return (SDRC_ERROR);
264 	}
265 
266 	for (pos = 0;
267 	    sr->smb_data.chain_offset < sr->smb_data.max_bytes;
268 	    pos++) {
269 		if (smb_mbc_decodef(&sr->smb_data, "%L", sr, &p) != 0) {
270 			smbsr_error(sr, 0, ERRSRV, ERRerror);
271 			return (SDRC_ERROR);
272 		}
273 
274 		this_dialect = smb_xlate_dialect_str_to_cd(p);
275 
276 		if (this_dialect < 0)
277 			continue;
278 
279 		if (dialect < this_dialect) {
280 			dialect = this_dialect;
281 			sel_pos = pos;
282 		}
283 	}
284 	if (sel_pos < 0) {
285 		smbsr_error(sr, 0, ERRSRV, ERRerror);
286 		return (SDRC_ERROR);
287 	}
288 
289 	smb_get_security_info(sr, &secmode, (unsigned char *)key,
290 	    &keylen, &sesskey);
291 
292 	(void) microtime(&time_val);
293 	/* tz correct. (min) */
294 	tz_correction = -(WORD)(sr->sr_gmtoff / 60);
295 
296 	switch (dialect) {
297 	case DIALECT_UNKNOWN:
298 	case PC_NETWORK_PROGRAM_1_0:	/* core */
299 		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
300 		    (const void *)&smb_dos_tcp_rcvbuf,
301 		    sizeof (smb_dos_tcp_rcvbuf));
302 		rc = smbsr_encode_result(sr, 1, 0, "bww", 1, sel_pos, 0);
303 		break;
304 
305 	case Windows_for_Workgroups_3_1a:
306 	case PCLAN1_0:
307 	case MICROSOFT_NETWORKS_1_03:
308 	case MICROSOFT_NETWORKS_3_0:
309 	case LANMAN1_0:
310 	case LM1_2X002:
311 	case DOS_LM1_2X002:
312 		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
313 		    (const void *)&smb_dos_tcp_rcvbuf,
314 		    sizeof (smb_dos_tcp_rcvbuf));
315 		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
316 		rc = smbsr_encode_result(sr, 13, VAR_BCC,
317 		    "bwwwwwwlYww2.w#c",
318 		    13,		/* wct */
319 		    sel_pos,	/* dialect index */
320 		    secmode,		/* security mode */
321 		    SMB_DOS_MAXBUF,	/* max buffer size */
322 		    1,		/* max MPX (temporary) */
323 		    1,		/* max VCs (temporary, ambiguous) */
324 		    3,		/* raw mode (s/b 3) */
325 		    sesskey,	/* session key */
326 		    time_val.tv_sec, /* server time/date */
327 		    tz_correction,  /* see smb_get_gmtoff */
328 		    (short)keylen,	/* Encryption Key Length */
329 				/* reserved field handled 2. */
330 		    VAR_BCC,
331 		    (int)keylen,
332 		    key);		/* encryption key */
333 		break;
334 
335 	case DOS_LANMAN2_1:
336 	case LANMAN2_1:
337 		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
338 		    (const void *)&smb_dos_tcp_rcvbuf,
339 		    sizeof (smb_dos_tcp_rcvbuf));
340 		sr->smb_flg |= SMB_FLAGS_LOCK_AND_READ_OK;
341 		rc = smbsr_encode_result(sr, 13, VAR_BCC,
342 		    "bwwwwwwlYww2.w#cs",
343 		    13,		/* wct */
344 		    sel_pos,	/* dialect index */
345 		    secmode,		/* security mode */
346 		    SMB_DOS_MAXBUF,	/* max buffer size */
347 		    1,		/* max MPX (temporary) */
348 		    1,		/* max VCs (temporary, ambiguous) */
349 		    3,		/* raw mode (s/b 3) */
350 		    sesskey,	/* session key */
351 		    time_val.tv_sec, /* server time/date */
352 		    tz_correction,
353 		    (short)keylen,	/* Encryption Key Length */
354 				/* reserved field handled 2. */
355 		    VAR_BCC,
356 		    (int)keylen,
357 		    key,		/* encryption key */
358 		    sr->sr_cfg->skc_resource_domain);
359 		break;
360 
361 	case NT_LM_0_12:
362 		(void) sosetsockopt(sr->session->sock, SOL_SOCKET, SO_RCVBUF,
363 		    (const void *)&smb_nt_tcp_rcvbuf,
364 		    sizeof (smb_nt_tcp_rcvbuf));
365 		capabilities = CAP_LARGE_FILES
366 		    | CAP_NT_SMBS
367 		    | CAP_STATUS32
368 		    | CAP_NT_FIND
369 		    | CAP_RAW_MODE
370 		    | CAP_LEVEL_II_OPLOCKS
371 		    | CAP_LOCK_AND_READ
372 		    | CAP_RPC_REMOTE_APIS
373 		    | CAP_LARGE_READX;
374 
375 		/*
376 		 * UNICODE support is required to enable support for long
377 		 * share names and long file names and streams.
378 		 */
379 
380 		capabilities |= CAP_UNICODE;
381 
382 
383 		/*
384 		 * Turn off Extended Security Negotiation
385 		 */
386 		sr->smb_flg2 &= ~SMB_FLAGS2_EXT_SEC;
387 
388 		/*
389 		 * Allow SMB signatures if security challenge response enabled
390 		 */
391 		if ((secmode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) &&
392 		    sr->sr_cfg->skc_signing_enable) {
393 			secmode |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
394 			if (sr->sr_cfg->skc_signing_required)
395 				secmode |=
396 				    NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
397 
398 			sr->session->secmode = secmode;
399 		}
400 
401 		(void) inet_ntop(AF_INET, (char *)&sr->session->ipaddr,
402 		    ipaddr_buf, sizeof (ipaddr_buf));
403 
404 		max_mpx_count = sr->sr_cfg->skc_maxworkers;
405 
406 		rc = smbsr_encode_result(sr, 17, VAR_BCC,
407 		    "bwbwwllllTwbw#cZ",
408 		    17,		/* wct */
409 		    sel_pos,	/* dialect index */
410 		    secmode,	/* security mode */
411 		    max_mpx_count,		/* max MPX (temporary) */
412 		    1,		/* max VCs (temporary, ambiguous) */
413 		    (DWORD)smb_maxbufsize,	/* max buffer size */
414 		    0xFFFF,	/* max raw size */
415 		    sesskey,	/* session key */
416 		    capabilities,
417 		    &time_val,			/* system time */
418 		    tz_correction,
419 		    keylen,			/* Encryption Key Length */
420 		    VAR_BCC,
421 		    (int)keylen,
422 		    key,			/* encryption key */
423 		    sr->sr_cfg->skc_resource_domain);
424 		break;
425 
426 	default:
427 		smbsr_error(sr, 0, ERRSRV, ERRerror);
428 		return (SDRC_ERROR);
429 	}
430 
431 	if (rc != 0)
432 		return (SDRC_ERROR);
433 
434 	/*
435 	 * Save the agreed dialect. Note that this value is also
436 	 * used to detect and reject attempts to re-negotiate.
437 	 */
438 	sr->session->dialect = dialect;
439 	sr->session->s_state = SMB_SESSION_STATE_NEGOTIATED;
440 	return (SDRC_SUCCESS);
441 }
442 
443 static void
444 smb_get_security_info(
445     struct smb_request *sr,
446     unsigned short *secmode,
447     unsigned char *key,
448     unsigned char *keylen,
449     uint32_t *sesskey)
450 {
451 	uchar_t tmp_key[8];
452 
453 	(void) random_get_pseudo_bytes(tmp_key, 8);
454 	bcopy(tmp_key, &sr->session->challenge_key, 8);
455 	sr->session->challenge_len = 8;
456 	*keylen = 8;
457 	bcopy(tmp_key, key, 8);
458 
459 	sr->session->secmode = NEGOTIATE_SECURITY_CHALLENGE_RESPONSE|
460 	    NEGOTIATE_SECURITY_USER_LEVEL;
461 
462 	(void) random_get_pseudo_bytes(tmp_key, 4);
463 	sr->session->sesskey = tmp_key[0] | tmp_key[1] << 8 |
464 	    tmp_key[2] << 16 | tmp_key[3] << 24;
465 
466 	*secmode = sr->session->secmode;
467 	*sesskey = sr->session->sesskey;
468 }
469